Project Sekai - ✅-misc-beheeyems-password

Project Sekai

🔒 UMDCTF 2023 / ✅-misc-beheeyems-password

Beheeyem's Password - 500 points

Category: Misc Description: Beheeyem unfortunately lost his UFO password. Thankfully, it was scanned by some weird sensor before he lost it. Can you recover his password? Author: Segal Files:

https://umdctf.io/files/91620a82b39538c76d8cf1c662862e48/password.ply?token=eyJ1c2VyX2lkIjoxNDcsInRlYW1faWQiOjY4LCJmaWxlX2lkIjo1MH0.ZExCKg.fkp1Sv60w37xAFwHSugMg1FwpHQ

Tags: No tags.

Sutx pinned a message to this channel. 04/28/2023 3:01 PM

@Violin wants to collaborate

@Legoclones wants to collaborate

lol file doesn't know what it is, binwalk doesn't have anything, and there's nothing in strings afaik

17:22

http://paulbourke.net/dataformats/ply/ ?

17:23

https://github.com/introlab/rtabmap_ros/issues/805 ?

Polygon File Format?

yeah looks like it

17:25

not sure if that github link I sent is the same type of ply file, but worth looking into polygon file format first

i tried to upload ply to load but none works

17:26

format maybe not correct

17:26

or its sth else

17:26

no tool can load model

well header should contain ply so maybe they stripped magic bytes?

17:26

and ASCII headers?

17:27

"The file format has two sub-formats: an ASCII representation for easily getting started, and a binary version for compact storage and for rapid saving and loading."

header is missing even in binary file

maybe we gotta guess headers?

Guessing headers would absolutely SUCK

how do you even guess it

The headers specify how much data belongs to each element type, and what each number in the element is

maybe open a ticket and confirm file header needs to be added manually?

Elements don't have a fixed size length

17:40

good idea

17:42

frick

17:43

they said yes, we have to manually reconstruct the header

bruh

17:43

so header is all missing?

yup

whats sample header format?

format ascii 1.0           { ascii/binary, format version number }
comment made by Greg Turk  { comments keyword specified, like all lines }
comment this file is a cube
element vertex 8           { define "vertex" element, 8 of them in file }
property float x           { vertex contains float "x" coordinate }
property float y           { y coordinate is also a vertex property }
property float z           { z coordinate, too }
element face 6             { there are 6 "face" elements in the file }
property list uchar int vertex_index { "vertex_indices" is a list of ints }
end_header                 { delimits the end of the header }
0 0 0                      { start of vertex list }
0 0 1
0 1 1
0 1 0
1 0 0
1 0 1
1 1 1
1 1 0
4 0 1 2 3                  { start of face list }
4 7 6 5 4
4 0 4 5 1
4 1 5 6 2
4 2 6 7 3
4 3 7 4 0

17:44

So the data is split into 2 sections - vertex, and face

17:44

Since thsoe are the 2 defined elements

17:44

you can have more

17:44

including custom-defined ones

17:44

Then each element has a number of properties

17:44

And the number of properties for each element can also vary

header is this long?

17:44

how many bytes lmao

only

format ascii 1.0           { ascii/binary, format version number }
comment made by Greg Turk  { comments keyword specified, like all lines }
comment this file is a cube
element vertex 8           { define "vertex" element, 8 of them in file }
property float x           { vertex contains float "x" coordinate }
property float y           { y coordinate is also a vertex property }
property float z           { z coordinate, too }
element face 6             { there are 6 "face" elements in the file }
property list uchar int vertex_index { "vertex_indices" is a list of ints }
end_header                 { delimits the end of the header }

17:45

then after it is bytes

oh

example was ASCII, ours is binary

are they 1-1 convert?

17:45

from ascii to bytes for header

In this example, a vertex has 3 properties, and there are 8 vertexes defined. A different application could define vertexes as having 23 properties of different types, with 100 vertexes. So all the data is defined by the header, having just the data gives absolutely no indication of how many elements there are, how many of each element, how many properties each element has, and what the properties mean

17:47

So straight guessing is very improbable

sahuang

are they 1-1 convert?

Not sure how headers in binary files look

17:47

Only have found examples in ASCII versions

17:48

My guess is we have to find programs that use PLY files, use common headers they give them, and try loading it in that program

17:48

We know it's from a sensor

17:48

https://github.com/introlab/rtabmap_ros/issues/805

17:48

This Github link shows that an Azure Kinect sensor can make PLY files

17:48

So we if use this tool, find common PLY headers generated by Azure Kinect sensors, and load it and see if it works??

17:54

gonna come back to this later

@fleming wants to collaborate

Here's positive update (not confirmed by admin but I think it's correct)

http://paulbourke.net/dataformats/ply/ spec is here
inspect data, we see repeating bytes

Image attachment

22:09

However, data spec can change later, but most of the time it's the same so let's assume there's only 1 set of rules (otherwise chall too hard to brute)

Image attachment

22:10

So, we have a format guess

ply
format binary_little_endian 1.0
element vertex ?
property float x 
property float y 
property float z
property char ?
property char ?
property char ?
end_header

22:10

Most bytes are like le-float, le-float, le-float, char, char, char in this order

22:10

so, we can try brute vertex count. for char, its probably color but i am not sure. i tried brute vertex 1-10 with random colors, didnt manage to open it

what tool are you using? to open/read it?

just hex editor

1

sahuang

used /ctf solve

✅ Challenge solved.

Image attachment

What did u do?

eana did it

09:44

he used python to plot it

09:44

instead of fixing header

Ahh nice!

09:44

import pydeck
import pandas as pd
import struct

raw_file = open("password.ply", "rb").read()
data = [["x", "y", "z", "r", "g", "b"]]
def load_data(offset, end, data):
    i = offset
    while i < end:
        x, y, z, r, g, b = struct.unpack("<fffBBB", raw_file[i:i + 15])
        # zoom into the flag
        if -1.1 < x < -0.1 and -0.09 < z < -0.04 and -1 < y < -0.7:
            data.append([x, y, z, r, g, b])
        i += 15

load_data(0, 36090, data)
load_data(36089, 491384, data)
load_data(491383, 992147, data)
load_data(1159886, 1267901, data)
load_data(1267915, 1607529, data)
load_data(1607529, 1607529, data)
load_data(1791383, 1966447, data)
starters = [1966447, 2689266, 2883455, 2953759, 3247502, 3673276, 3705180, 3760004, 4075693, 4305672, 4479161]
for i in range(len(starters) - 1):
    load_data(starters[i], starters[i + 1], data)


df = pd.DataFrame(data[1:], columns=data[0])
target = [df.x.mean(), df.y.mean(), df.z.mean()]

point_cloud_layer = pydeck.Layer(
    "PointCloudLayer",
    data=df,
    get_position=["x", "y", "z"],
    get_color=["r", "g", "b"],
    get_normal=[0, 0, 1],
    auto_highlight=True,
    pickable=True,
    point_size=3,
)

view_state = pydeck.ViewState(target=target, controller=True, rotation_x=00, rotation_orbit=210, zoom=11)
view = pydeck.View(type="OrbitView", controller=True)

r = pydeck.Deck(point_cloud_layer, initial_view_state=view_state, views=[view])
r.to_html("point_cloud_layer.html", css_background_color="#add8e6")

09:44

too good

Exported 74 message(s)