/* 404CTF */

404CTF Writeup - Introduction

Jun 20, 2023 · 10 min read

Introduction to the contest

Co-organized by the Direction Générale de la Sécurité Extérieure (DGSE) and Télécom SudParis, the 404 CTF is France’s biggest cybersecurity competition. Following the success of the 2022 edition, which celebrated the double anniversary of the BCRA and the DGSE, this second edition will honor the great figures of French literature.
For one month, take on challenges designed by Télécom SudParis’ HackademINT cybersecurity club. Whether you’re an expert or a beginner, don’t hesitate to put your skills to the test during this individual CTF!

First challenges:

Bienvenue !

Looking at the challenge description:

Maintenant, si vous souhaitez accéder au reste du 404 CTF, nous vous invitons à lire la page des règles. Le premier flag s’y trouve afin que vous puissiez valider la présente épreuve et débloquer les autres énoncés.

When visiting the rules page, we find the first flag.

Mais nous vous donnons le premier flag ici : 404CTF{c'est parti}.

Exemple de connexion distante

Again in the challenge description:

Le présent exemple vous demande simplement de vous connecter, et le flag vous sera donné immédiatement.
nc challenges.404ctf.fr 30076

Doing exactly that, we get the flag: 404CTF{I_<3_nc}

Discord

For the flag, you have to search the discord. There are two clues: the CTF opening date and the challenge description. We land on this post in the announces channel on the discord server:

Ça y est, le 404 CTF est enfin ouvert 🎉
Vous aurez jusqu’au 4 juin 2023 pour découvrir tous nos challenges et marquer autant de points que possible !
Rendez-vous sur ctf.404ctf.fr pour l’ouverture 💻
Les inscriptions restant ouvertes, vous pourrez vous inscrire tout du long de la compétition au même lien !
404CTF{Un_bon_pour_un_cafe_gratuit}

Desiré Dubois

This one is a very interesting challenge.

The following audio clip features an amusing conversation between two individuals planning to call “Désirée Dubois” as part of an organized scam. Here is the audio for the challenge:

I plugged this file in Audacity to thourougly analyze it; in reality I was hoping to find a flag in the spectrogram (classic steganography challenge) but that wasn’t the right approach. Looking at the challenge statement, I found this line that suggested a new approach:

....
Clearly, the person on the other end of the line is the victim of a bad move. They should be warned !
....

You can hear the scammers using a rotary dial phone to call the victim, so maybe we can use the audio to call the same number they did ? I measured the time took to dial each number in Audacity, because it’s actually better than relying on my reaction time. The summarized results were recorded in the following array:

measurements = [
  [1.6680000000000001, 0.9100000000000001, 0.9630000000000001, 1.4049999999999994, 0.46499999999999986, 1.6489999999999991, 0.9980000000000011, 0.6159999999999997, 0.9869999999999983, 0.8930000000000007],
]

The length checks out, the number of digits a phone number in France is usually 10 and we do have extra information:

Phone numbers in France usually start with a zero
In a rotary dial, 0 is the last number, it means it takes more time to dial (which agrees with the measurements)

Now the idea is to predict the phone numbers from the recorded dialing times by fitting pairs of (time, number) on a line. However, since we only had the dialing time for the zero, we lacked the second point to draw a line accurately. Despite this limitation, I managed to solve the challenge by making educated guesses and evaluating them using an error function. There might be a better solution though, i don’t know.

Here is a script that does just that:

err_fn = lambda x: abs(x - round(x))

def eval(pointA, pointB):
  a = (pointB[1] - pointA[1]) / (pointB[0] - pointA[0])
  b = pointA[1] - pointA[0]*a

  print(f"Found line parameters: {a=}, {b=}")

  err = 0
  result = []
  for d in measurements:
    x = (d - b)/a
    result.append(round(x))
    err += err_fn(x)
  return err, result

for i in range(1, 10):
  print(eval(
    [10, max(measurements)],
    [i, min(measurements)]
  ))

It appears that: min(measurements) -> 1 is the best guess. This yields the phone number [10, 4, 5, 8, 1, 10, 5, 2, 5, 4] -> 0458105254. Upon calling the number, I received a reply that followed the same theme as the audio, leading to the discovery of a message containing the flag.

In the challenge format, the flag is: 404CTF{justeleflag}