All of these challenges are too hard for me. Wait… is that Minecraft???

Last weekend, I got to participate in BuckeyeCTF as an official member of squ1rrel! It was my very first time ever ctf’ing, let alone delving into any type of code or anything similar. Honestly, it was pretty overwhelming, as a lot of the challenges were pretty math or computer science heavy, and my skills lie mostly in the OSINT world, but I still managed to get this flag all on my own! Let’s see how a non-cs major tackles “Spelunk!”

I wrote the flag on a sign somewhere, but I lost it. Only a REAL spelunker can find it!

The link goes to Google Drive with a file called spelunk.zip!

Let’s unzip it!

🗀 Spelunk
 ⤷🗀 World
    ⤷🗀 advancements
    ⤷🗀 data
        ⤷ no files found!
    ⤷🗀 datapacks
    ⤷🗀 DIM1
    ⤷🗀 DIM-1
    ⤷🗀 playerdata
        ⤷ no files found!
    ⤷🗀 poi
    ⤷🗀 region
    ⤷🗀 stats
    ⤷🖻 icon
    ⤷🗋 level.dat
    ⤷🗋 level.dat_old

Cool! What does any of this mean? I’ve gone ahead and highlighted the folders and files that’ll probably help us the most.

It’ll be important to know later on that the level.dat file refers to the actual world and level.dat_old is a backup. (thanks Google)

Good start, right? Only… They’re all empty! What else did I expect? Can’t be that easy.

Clicking through the rest of the files, we find that only the poi and region folders were left intact. Everything else was wiped! According to the Minecraft Wiki, poi is points of interest and villager stuff, and region contains region files, including information on chunks and what’s in them. Bingo!

Since we’re looking for a flag, there has to be some way to just… search the world, right? It’s not like they could’ve generated that many chunks, right? Let’s check.

🗀 Region
    ⤷🗋 r.0.0.mca
    ⤷🗋 r.0.1.mca
    ⤷🗋 r.0.-1.mca
    ⤷🗋 r.0.2.mca
    ⤷🗋 r.0.-2.mca
    ⤷🗋 r.X.X.mca...

What the hell is a .mca file? Why are there so many of them? Oh no. One more Google search later, I quickly learned that all of Minecraft’s data files are in a proprietary file format called NBT (Named Binary Tag) and that the best way to edit them is using a program called NBTExplorer.

One quick sketchy download later, we’re greeted with this wonderful page.

NBTExplorer showing the basic world file structure

Hmm. Well, maybe there’s more info now! Let’s go back to the region file.

NBTExplorer showing a ton of region files

Seems about right.

NBTExplorer showing a ton of chunks

Oh no. I’ve severely underestimated the amount of spelunking I’ve gotten myself into.

There’s got to be an easier way to do this, right? That spyglass icon looks interesting. 🤔

NBTExplorer name/value search field

Ah. What do I search? … Ah, yeah, the flag. buckeye{ should work, yeah?

NBTExplorer Searching...

This might take a while.

NBTExplorer shows no results

No results. Damn. What now? Let’s check the world data.

NBTExplorer play data folder

Oh, playerdata! I knew the world file would be important!

More NBTExplorer play data, including position

Position? Maybe they logged out right after placing the flag.

NBTExplorer position: 0.5, 80, 0.5

Ah. Seems to be spawn. Huh. What now?

At this point, I switched gears. If I wasn’t going to be able to find it in the files, I might be able to use a world editor, right? What’s the one I always see the YouTubers using? MCEdit?

I then spent 20 minutes installing and troubleshooting MCEdit and browsing Reddit, only to learn that MCEdit doesn’t work for worlds above 1.12. Crap. However, that insightful Reddit post also linked another world editor, called Amulet. Thanks Reddit!

Once that was up and running, I realized I couldn’t search the world for a signpost, and if I could, it would take hours. Ugh. There had to be a simpler way to do this, right?

I went back to the files.

Windows Explorer showing file modified times

I’m showing you a screenshot this time for a reason. Look at the times! They’re important now. Sorting region by size seemed to be useless. There were too many reasons one region might be bigger than the other, but by date? Most of the regions were generated on 09/25/22, but only a few had been updated after that date.

Well, it obviously had to be able to be found in the region folder somewhere. I tried sorting them by size. Unfortunately, POI and Regions had different files sorted as biggest, so that wasn’t going to help.

🗀 Region
    ⤷🗋 r.0.0.mca
    ⤷🗋 r.0.-1.mca
    ⤷🗋 r.-1.0.mca
    ⤷🗋 r.1.-4.mca
    ⤷🗋 r.1.-5.mca
    ⤷🗋 r.2.-4.mca
    ⤷🗋 r.2.-5.mca
    ⤷🗋 r.0.-3.mca
    ⤷🗋 r.0.-4.mca
    ⤷🗋 r.0.-5.mca
    ⤷🗋 r.1.-3.mca
    ⤷🗋 r.2.-3.mca

Damn. Still too many. Well, if time is important, maybe there’s something in the backup world file? Back to NBTExplorer!

NBTExplorer showing a position in the backup world at 780, 15, -1715
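
The same triage can be scripted, shown here as an added example that is not part of the original write-up: each .mca region file starts with a per-chunk last-saved timestamp table, so the search can be narrowed to individual chunks instead of whole files, and a block position maps directly to a region file name. The `minecraft:sign` block entity id, the cutoff value and the sample region bytes are assumptions constructed for the illustration.

```python
import struct
import zlib

SECTOR = 4096  # Anvil region files are laid out in 4 KiB sectors

def region_for_block(bx, bz):
    """Map block X/Z to (region file name, local chunk x, local chunk z)."""
    cx, cz = bx >> 4, bz >> 4  # 16 blocks per chunk
    return f"r.{cx >> 5}.{cz >> 5}.mca", cx & 31, cz & 31  # 32x32 chunks per region

def read_chunks(region):
    """Yield (x, z, last_saved, nbt_bytes) for each chunk stored in a region."""
    for i in range(1024):
        (loc,) = struct.unpack_from(">I", region, 4 * i)
        if loc == 0:
            continue  # chunk was never generated
        (stamp,) = struct.unpack_from(">I", region, SECTOR + 4 * i)
        start = (loc >> 8) * SECTOR  # top 3 bytes: offset in sectors
        length, scheme = struct.unpack_from(">IB", region, start)
        body = region[start + 5 : start + 4 + length]
        # scheme 1 = gzip, 2 = zlib (wbits=47 auto-detects both), 3 = uncompressed
        nbt = body if scheme == 3 else zlib.decompress(body, 47)
        yield i % 32, i // 32, stamp, nbt

def suspect_chunks(region, cutoff, needle):
    """Chunks saved after `cutoff` (epoch seconds) whose NBT contains `needle`."""
    return [(x, z, t) for x, z, t, nbt in read_chunks(region)
            if t > cutoff and needle in nbt]

def build_region(chunks):
    """Constructed sample input: {(x, z): (timestamp, payload)} -> .mca bytes."""
    header, body = bytearray(2 * SECTOR), bytearray()
    for (x, z), (stamp, payload) in chunks.items():
        blob = zlib.compress(payload)
        rec = struct.pack(">IB", len(blob) + 1, 2) + blob
        rec += bytes(-len(rec) % SECTOR)  # pad to a sector boundary
        i, offset = x + 32 * z, 2 + len(body) // SECTOR
        struct.pack_into(">I", header, 4 * i, offset << 8 | len(rec) // SECTOR)
        struct.pack_into(">I", header, SECTOR + 4 * i, stamp)
        body += rec
    return bytes(header + body)

CUTOFF = 1664150400  # 2022-09-26 00:00 UTC, the day after the bulk generation date
SAMPLE = build_region({  # constructed data, not taken from the challenge files
    (3, 4): (CUTOFF - 3600, b"constructed chunk, nothing placed"),
    (16, 20): (CUTOFF + 3600, b"constructed chunk containing minecraft:sign"),
})

if __name__ == "__main__":
    print(region_for_block(780, -1715))  # position from the backup level.dat
    print(suspect_chunks(SAMPLE, CUTOFF, b"minecraft:sign"))
```

For the position 780, -1715, `region_for_block` names r.1.-4.mca, one of the region files in the recently modified list above.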

pog. Maybe Amulet will finally have a use and let me see the flag?

Amulet showing an empty sign at the position

malding. At least we know the actual flag is there. Let’s boot up Minecraft, download the proper version (1.14.2) and…

Minecraft client failing to run /tp command

Wait, shit, how do I give myself creative? StackExchange please don’t fail me now I’m too close

StackExchange post explaining how to enable creative even when cheats aren't enabled, using Open to LAN

I love StackExchange. I used the Open to LAN method. And one /tp later:

The flag on a sign: buckeye{700_m4ny_chunk5_70_5p31unk}

ez dubs, gg no re!



non-cs major. in fact, anti-cs major. professional cs hater. was attracted by the promise of osint and puzzles.
