Thursday, July 25, 2019

CyBRICS CTF Quals 2019 - Telegram


Author: Alexander Menshchikov (n0str)

This Telegram bot really loves live face-to-face communication! And it also seems to have some covert channel!


The Jurandir Solver

So basically this is a Telegram bot that sends and receives TVN (Telegram Video Note). You can simply upload this type of video using your mobile phone or Telegram API. The bot does not receive normal or larger videos than 150 KB TVN.

When we sent a small TVN, the bot checks to see if the file is correct, but does not recognize a value secrets sign.

BTW, let’s check out these bot videos… So that you can inspect the page and see the thumbnail, there is some corner information you can download by copying the video while playing, opening the tab and saving.

The text in the video is: send video note to the bot with four green circles in the corners like the one above.

So, let’s do it :D

We can use Gimp to create a png file with each green(0, 255, 0) circle in the corners and OpenShot to mount.

To create a TVN, we can use the Telegram API, written in C#. Following the documentation we get this and this is the script below:

using System;
using System.Threading;
using Telegram.Bot;
using Telegram.Bot.Args;

namespace Awesome {
  class Program {
    static ITelegramBotClient botClient;

    static void Main() {
      botClient = new TelegramBotClient("token");

      var me = botClient.GetMeAsync().Result;
        $"Hello, World! I am user {me.Id} and my name is {me.FirstName}."

      botClient.OnMessage += Bot_OnMessage;

    static async void Bot_OnMessage(object sender, MessageEventArgs e) {
      if (e.Message.Text != null)
        Console.WriteLine($"Received a text message in chat {e.Message.Chat.Id}.");

        await botClient.SendTextMessageAsync(
          chatId: e.Message.Chat,
          text:   "You said:\n" + e.Message.Text
        using (var stream = System.IO.File.OpenRead("video.mp4")) {
          await botClient.SendVideoNoteAsync(
            chatId: e.Message.Chat,
            videoNote: stream,
            duration: 47,
            length: 360

This will create a bot that mounts and sends the video, you can get the token with @BotFather.

After that, just run the script, access your bot, send anything to it, receive the video and forward to @cybrics_facetoface_bot, and get the flag :D

Flag: cybrics{1_H47e_V1de0_n07e2}


Capture the Flag , Steganography , Writeup