├── 020-easyctf_survey.md
├── 030-linux-basics-1.md
├── 030-python-basics-1.md
├── 035-a-simple-cipher.md
├── 035-linux-basics-2.md
├── 035-python-basics-2.md
├── 040-lines-dots-shift-keys.md
├── 040-linux-basics-3.md
├── 040-networking.md
├── 040-python-basics-3.md
├── 040-qr.md
├── 045-linux-basics-4.md
├── 045-python-basics-4.md
├── 050-pointless-keys.md
├── 050-post-it.md
├── 050-python-basics-5.md
├── 050-reversing-1.md
├── 055-python-basics-6.md
├── 060-a000045-txt.md
├── 060-cookiezi-fanpage.md
├── 060-flowchart.md
├── 060-format_deception.md
├── 060-python-basics-7.md
├── 060-stegosaurus.md
├── 065-python-basics-8.md
├── 070-The_Raven.md
├── 070-brutus.md
├── 070-format.md
├── 070-hashing.md
├── 070-just-sum-numbers.md
├── 070-python-basics-9.md
├── 075-corruption.md
├── 075-golden-ratio-obsession.md
├── 075-python-basics-10.md
├── 080-easy-as-ctf-gets.md
├── 080-injection.md
├── 090-obfuscation-1.md
├── 090-pixelated.md
├── 095-brachiosaurus.md
├── 1.png
├── 100-palindrama.md
├── 100-project-eratosthenes.md
├── 120-fast-math.md
├── 130-reversing-2.md
├── 150-ghoti.md
├── 160-obfuscation-2.md
├── 180-evil-guess.md
├── 180-rsa.md
├── 180-the-door.md
├── 2.png
├── 200-guessing-is-hard.md
├── 230-failedxyz.md
├── README.md
├── SUMMARY.md
├── code.png
├── completed.png
├── flowchart.png
├── format1.c
├── ghoti.jpg
├── hash1.py
├── injection.phps
├── mystery.pcap
├── mz1.jpg
├── obfuscate.js
├── pipe.c
├── stegosaurus.jpg
└── writeups.md
/020-easyctf_survey.md:
--------------------------------------------------------------------------------
1 | # 20 - EasyCTF Survey
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Free points guyz.
8 |
9 | Since this is the first time we're holding this competition, we'd like some feedback on how we can improve. Come on, it's just ~5 minutes or so for 20 free points.
10 |
11 | [EasyCTF Feedback Survey](https://docs.google.com/forms/d/1VmReUSHT4vDdUJgyymzJzPJM5r59iyn4VpgBBDadvnU/viewform)
12 |
13 | ## Hint
14 |
15 | Just click the link and complete the survey! No tricks here!
16 |
17 | ## Solution
18 |
19 | Complete the survey.
20 |
21 | ## Flag
22 |
23 | `hellllyeah`
--------------------------------------------------------------------------------
/030-linux-basics-1.md:
--------------------------------------------------------------------------------
1 | # 30 - Linux Basics 1
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Many servers (including web servers) are run on machines that use an operating system called Linux. Most of you are familiar with an operating system such as Windows or Mac OS X, or maybe a mobile operating system such as Android or iOS.
8 |
9 | Linux has a shell, or a command-line interface, which is similar to an interface you may see when you open Command Prompt on Windows or Terminal on Mac. In a shell, you type commands to the machine and it executes your command.
10 |
11 | Before you can learn how to hack, you have to learn how Linux works. Some basics for using linux:
12 |
13 | - `echo` - similar to `print` in most programming languages. Typing `echo "hi"` will literally print the word "hi" to the screen.
14 | - `cd` - stands for change directory. When you execute a command, you are always doing so from a specific directory. To change the directory, type cd and whichever directory you want to go to.
15 |
16 | In the first problem, we'll learn about a function called `ls`. Log in to the web shell, and type `cd /problems/ls` to get started.
17 |
18 | ## Hint
19 |
20 | If you're still unsure how to solve this problem, ask for help on the [chat](http://easyctf.com/irc) or take a look on our Learn page.
21 |
22 | ## Solution
23 |
24 | ```bash
25 | login as: user37142
26 | user37142@shell.easyctf.com's password:
27 |
28 | user37142@easyctf:~$ cd /problems/ls
29 | user37142@easyctf:/problems/ls$ ls
30 | look_i_am_a_flag.txt
31 | ```
32 |
33 | ## Flag
34 |
35 | `look_i_am_a_flag` or `look_i_am_a_flag.txt`
--------------------------------------------------------------------------------
/030-python-basics-1.md:
--------------------------------------------------------------------------------
1 | # 30 - Python Basics 1
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Welcome to Python crash course! To get started, head over to the [Python Editor](http://easyctf.com/exec) and print the string `Hello, EasyCTF!` exactly like that to the console.
8 |
9 | ## Hint
10 |
11 | Not sure how to print in Python? Look it up (maybe on our Learn page?)! It probably uses the `print` function.
12 |
13 | ## Solution
14 |
15 | ```python
16 | print "Hello, EasyCTF!"
17 | ```
18 |
19 | ## Flag
20 |
21 | `don't_worry_it's_gonna_get_harder_for_all_you_pros`
--------------------------------------------------------------------------------
/035-a-simple-cipher.md:
--------------------------------------------------------------------------------
1 | # 35 - A Simple Cipher
2 |
3 | *Written by Devin Deng*
4 |
5 | ## Problem
6 |
7 | Cryptography is hiding messages in plain sight. Although they can be viewed, they are usually unreadable without the use of a special key. Messages can be encrypted and then sent to another person who then decrypts the ciphertext (encrypted message) using their special key into plaintext (readable text). Try your hand at this [Caesar cipher](http://en.wikipedia.org/wiki/Caesar_cipher):
8 |
9 | IGKYGX HKIGSK ZNK LOXYZ XUSGT MKTKXGR ZU IXUYY HUZN CNKT NK HAORZ G HXOJMK GIXUYY ZNK XNOTK GTJ IUTJAIZKJ ZNK LOXYZ OTBGYOUT UL HXOZGOT.ZNKYK GINOKBKSKTZY MXGTZKJ NOS ATSGZINKJ SOROZGXE VUCKX GTJ ZNXKGZKTKJ ZU KIROVYK ZNK YZGTJOTM UL VUSVKE, CNU NGJ XKGROMTKJ NOSYKRL COZN ZNK YKTGZK GLZKX ZNK JKGZN UL IXGYYAY OT 53 HI. COZN ZNK MGRROI CGXY IUTIRAJKJ, ZNK YKTGZK UXJKXKJ IGKYGX ZU YZKV JUCT LXUS NOY SOROZGXE IUSSGTJ GTJ XKZAXT ZU XUSK. IGKYGX XKLAYKJ, GTJ SGXQKJ NOY JKLOGTIK OT 49 HI HE IXUYYOTM ZNK XAHOIUT COZN G RKMOUT, RKGBOTM NOY VXUBOTIK GTJ ORRKMGRRE KTZKXOTM XUSGT ZKXXOZUXE ATJKX GXSY. IOBOR CGX XKYARZKJ, LXUS CNOIN NK KSKXMKJ GY ZNK ATXOBGRKJ RKGJKX UL XUSK. ZNK LRGM OY IGKYGX_OY_NUSK.
10 |
11 | ## Hint
12 |
13 | Don't worry, it'll get harder. ;)
14 |
15 | ## Solution
16 |
17 | In a caesar cipher all the letters are shifted by the same amount. Use [this tool](http://www.xarg.org/tools/caesar-cipher/) to solve this cipher. This website has an algorithm that can guess the key, which turns out to be 20. The final text is:
18 |
19 | CAESAR BECAME THE FIRST ROMAN GENERAL TO CROSS BOTH WHEN HE BUILT A BRIDGE ACROSS THE RHINE AND CONDUCTED THE FIRST INVASION OF BRITAIN.THESE ACHIEVEMENTS GRANTED HIM UNMATCHED MILITARY POWER AND THREATENED TO ECLIPSE THE STANDING OF POMPEY, WHO HAD REALIGNED HIMSELF WITH THE SENATE AFTER THE DEATH OF CRASSUS IN 53 BC. WITH THE GALLIC WARS CONCLUDED, THE SENATE ORDERED CAESAR TO STEP DOWN FROM HIS MILITARY COMMAND AND RETURN TO ROME. CAESAR REFUSED, AND MARKED HIS DEFIANCE IN 49 BC BY CROSSING THE RUBICON WITH A LEGION, LEAVING HIS PROVINCE AND ILLEGALLY ENTERING ROMAN TERRITORY UNDER ARMS. CIVIL WAR RESULTED, FROM WHICH HE EMERGED AS THE UNRIVALED LEADER OF ROME. THE FLAG IS CAESAR_IS_HOME.
20 |
21 | ## Flag
22 |
23 | `CAESAR_IS_HOME`
--------------------------------------------------------------------------------
/035-linux-basics-2.md:
--------------------------------------------------------------------------------
1 | # 35 - Linux Basics 2
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Now that you're somewhat familiar with how the Linux shell works, we'll move on to another command that is useful: [cat](http://linux.die.net/man/1/cat).
8 |
9 | To solve this problem, log into the shell server, and try to find out what's inside `/problems/cat/flag.txt`!
10 |
11 | ## Hint
12 |
13 | There are multiple ways to solve this problem; kudos to you if you find them all!
14 |
15 | ## Solution
16 |
17 | ```bash
18 | login as: user37142
19 | user37142@shell.easyctf.com's password:
20 |
21 | user37142@easyctf:~$ cat /problems/cat/flag.txt
22 | see_linux_isn't_so_scary_after_all
23 | ```
24 |
25 | ## Flag
26 |
27 | `see_linux_isn't_so_scary_after_all`
--------------------------------------------------------------------------------
/035-python-basics-2.md:
--------------------------------------------------------------------------------
1 | # 35 - Python Basics 2
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | You're faced with a control panel. There are some instructions left on a sign nearby on the wall: This machine generates random numbers that you can access through the variable `args[0]`. If the number is greater than or equal to 0 and less than 100, print `hacks`. If the number is greater than or equal to 100, print `haxx`. If the number is negative, print `hakz`. Use the IDE (Python Editor) to complete this problem.
8 |
9 | ## Hint
10 |
11 | What are [conditionals](http://learn.easyctf.com/content/python-conditional.html)?
12 |
13 | ## Solution
14 |
15 | ```python
16 | x = args[0]
17 | if x >= 100:
18 | print "haxx"
19 | elif x >= 0:
20 | print "hacks"
21 | else:
22 | print "hackz"
23 | ```
24 |
25 | ## Flag
26 |
27 | `just-simple-logic-no-haxx-involved`
--------------------------------------------------------------------------------
/040-lines-dots-shift-keys.md:
--------------------------------------------------------------------------------
1 | # 40 - Lines, Dots, and Shift Keys
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | .... - - .--. ---... -..-. -..-. - .. -. -.-- ..- .-. .-.. .-.-.- -.-. --- -- -..-. .-.. .. -. . ... .- -. -.. -.. --- - ...
8 |
9 | ## Hint
10 |
11 | Haven't you already used a Shift Key in a previous problem?
12 |
13 | ## Solution
14 |
15 | By [translating the code](http://morsecode.scphillips.com/jtranslator.html) we get
16 |
17 | > HTTP://TINYURL.COM/LINESANDDOTS
18 |
19 | We are redirected to [this document](https://docs.google.com/document/d/1KYO5ssmLlGDqtBHlumY63IyFbRNKLZ-vdQNh0PGSz7w/edit) and get a caesar cipher. Decoding it yeilds the key.
20 |
21 | ```
22 | $ echo "snhj btwp! ymnx hnumjw xmtzqi gj kfrnqnfw yt dtz, tw rfdgj sty. fsdbfd, fx f wjbfwi, mfaj ymnx kqfl. q1s3x_fsi_i0yx_y0_b0wie"|caesar
23 | nice work! this cipher should be familiar to you, or maybe not. anyway, as a reward, have this flag. l1n3s_and_d0ts_t0_w0rdz
24 | ```
25 |
26 | ## Flag
27 |
28 | `l1n3s_and_d0ts_t0_w0rdz`
29 |
--------------------------------------------------------------------------------
/040-linux-basics-3.md:
--------------------------------------------------------------------------------
1 | # 40 - Linux Basics 3
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Ok, so now you know how to list files and read files... this is starting to sound more like a file manager you are familiar with, right? So what's left now? Searching.
8 |
9 | Luckily, there's also a command for that: `grep`. You know the drill, read up on the command, and then solve the problem in `/problems/grep`.
10 |
11 | The flag is the filename of the file containing the string `yep!`. All other files will contain the string `nope!`.
12 |
13 | ## Hint
14 |
15 | What character stands for "all files"?
16 |
17 | ## Solution
18 |
19 | ```
20 | login as: user37142
21 | user37142@shell.easyctf.com's password:
22 |
23 | user37142@easyctf:~$ cd /problems/grep
24 | user37142@easyctf:/problems/grep$ grep "yep!" *
25 | 27054997:yep!
26 | ```
27 |
28 | ## Flag
29 |
30 | `27054997`
31 |
--------------------------------------------------------------------------------
/040-networking.md:
--------------------------------------------------------------------------------
1 | # 40 - Networking
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Networking covers everything that is related to our computer's interactions with other computers over the Internet or through some other connection. Sometimes we can trace these interactions and analyze them in order to acquire information.
8 |
9 | You might need to install a piece of software called WireShark for this problem. Analyze the input file and look through all packets for information that might be related to a flag.
10 |
11 | Here is the file in an online viewer, CloudShark:
12 |
13 | https://www.cloudshark.org/captures/1c66eb3587a1
14 |
15 | Alternatively, here is the source file if you like to download it and view it in WireShark:
16 |
17 | [Input File](mystery.pcap)
18 |
19 | ## Hint
20 |
21 | It seems like information is being recorded as a form is submitted, through a POST request.
22 |
23 | ## Solution
24 | Looking through the network packets, there is a HTTP POST request with the following values:
25 |
26 | ```
27 | username=ctf&password=flagisnetworkingispowerful&submit=Login
28 | ```
29 |
30 | ## Flag
31 | `networkingispowerful`
32 |
33 |
--------------------------------------------------------------------------------
/040-python-basics-3.md:
--------------------------------------------------------------------------------
1 | # 40 - Python Basics 3
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | How can you add strings in print statements? `args` is an array of 5 variables than can be accessed with `args[0]`, `args[1]` etc. Write some python code in the IDE to concatenate the variables together before printing.
8 |
9 | ## Hint
10 |
11 | Hmmm... how can you turn that pesky integer into a string?
12 |
13 | ## Solution
14 |
15 | ```python
16 | tmp = ""
17 | for i in range(len(args)):
18 | tmp += str(args[i])
19 | print tmp
20 | ```
21 |
22 | ## Flag
23 | `stupid_ints_causing_those_annoying_type_errorz`
24 |
--------------------------------------------------------------------------------
/040-qr.md:
--------------------------------------------------------------------------------
1 | # 40 - QR
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Something appears to be wrong with this QR. Can you fix it?
8 |
9 | 
10 |
11 | ## Hint
12 |
13 | The QR looks like it's missing some pixels...
14 |
15 | ## Solution
16 |
17 | The QR is missing some pixels at the top and the right sides. Luckily, reading an image through a camera is almost always extremely inaccurate, so most optical QR scanners are able to compensate.
18 |
19 | Just scan the QR using Google Goggles.
20 |
21 | ## Flag
22 |
23 | `QRs_r_2D_baRcoDEz`
24 |
--------------------------------------------------------------------------------
/045-linux-basics-4.md:
--------------------------------------------------------------------------------
1 | # 45 - Linux Basics 4
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Alright time to get to some fun stuff: binaries. A **binary** is just a really fancy word that means a file (or in this case, a program) that contains some bits that are not text.
8 |
9 | The binary in this problem is a program. When you run it, it'll ask you for an input, but not just any input: a special character. To run this binary, navigate to the folder `/problems/pipe` and run `./pipe`.
10 |
11 | The source code is available for download [here](pipe.c), or you can find it at `/problems/pipe/pipe.c` on the shell server. The flag has been redacted.
12 |
13 | ## Hint
14 |
15 | A pipe can refer to a number of things, but the one you are probably most concerned about is this `|` symbol.
16 |
17 | ## Solution
18 |
19 | ```
20 | $ echo -e "\\x7" | ./pipe
21 | Please enter the character \x07 to get the flag!
22 | Wow! Your flag is: thats_so_nice
23 | ```
24 |
25 | ## Flag
26 | `thats_so_nice`
--------------------------------------------------------------------------------
/045-python-basics-4.md:
--------------------------------------------------------------------------------
1 | # 45 - Python Basics 4 (TODO)
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | `args` is an array of 5 variables than can be accessed with `args[0]`, `args[1]` etc. Write some python code in the IDE to concatenate `args[0]`, `args[1]`'s type (`string` or `integer`), `args[2]`'s length, `args[3]`'s square root as an integer (will be a perfect square), and `args[4]` in reverse.
8 |
9 | Clarification: for `args[0]`, concatenate its value, not its type.
10 |
11 | ## Hint
12 |
13 | I hope you're taking notes; this stuff will be on the harder problems :)
14 |
15 | ## Solution
16 | This was the intended solution, but it turns out Skulpt does not implement the type method very well, but since you know `args[3]` is either a string or an integer, it is pretty easy to obtain the flag.
17 |
18 | ```python
19 | import math
20 | print args[0]+str(type(args[1]))+str(len(args[2]))+str(math.sqrt(args[3]))+str(args[4][::-1])
21 | ```
22 |
23 | ## Flag
24 |
25 | `combine_all_y0ur_kn0wledge`
26 |
--------------------------------------------------------------------------------
/050-pointless-keys.md:
--------------------------------------------------------------------------------
1 | # 50 - Pointless Keys
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Well this sure is a useless looking website. Still, I wonder if something is hidden in it.
8 |
9 | [Pointless website](http://www.easyctf.com/sites/pointless-keys/index.php)
10 |
11 | ## Hint
12 |
13 | You may want to look at some of the *JavaScript* source code.
14 |
15 | ## Solution
16 |
17 | ```javascript
18 | // konami
19 | Array.prototype.compare = function(o) {
20 | if (this.length != o.length) return false;
21 | for (var i = 0; i < this.length; i++) {
22 | if (this[i] != o[i]) return false
23 | }
24 | return true
25 | };
26 | if (window.addEventListener) {
27 | var kkeys = [],
28 | tkeys = [38, 38, 40, 40, 37, 39, 37, 39, 66, 65, 66, 65, 13];
29 | window.addEventListener("keydown", function(e) {
30 | kkeys.push(e.keyCode);
31 | var k = kkeys.join(",");
32 | var t = tkeys.join(",");
33 | if (k.indexOf(t) >= 0) {
34 | $.ajax({
35 | url: "/sites/pointless-keys/flag.php",
36 | type: "POST",
37 | data: {
38 | keys: kkeys,
39 | target: tkeys
40 | },
41 | dataType: "html",
42 | success: function(content) {
43 | console.log(content);
44 | },
45 | });
46 | kkeys = [];
47 | }
48 | }, true)
49 | }
50 | ```
51 |
52 | The comment `konami` implies that you have to perform a konami code sequence on the page. However, closely examine the source code, and you'll notice that the sequence in `tkeys` doesn't exactly match the konami code.
53 |
54 | ```
55 | [38, 38, 40, 40, 37, 39, 37, 39, 66, 65, 66, 65, 13]
56 | ```
57 |
58 | is actually: UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT B A **B A** ENTER
59 |
60 | If you perform this sequence on the page, then check the console (since it prints the flag to the console), then you would find your flag.
61 |
62 | ## Flag
63 |
64 | `konami_c0dez`
--------------------------------------------------------------------------------
/050-post-it.md:
--------------------------------------------------------------------------------
1 | # 50 - POST-it
2 |
3 | *Written by Michael Zhang*
4 | *Writeup by Sean Anderson*
5 |
6 | ## Problem
7 |
8 | You need to gain access to this site, but it looks like you have the wrong POST values! Hmm..
9 |
10 | http://easyctf.com/sites/post-it
11 |
12 | ## Hint
13 |
14 | It may be helpful to look into what POST requests *are*. How can you use this?
15 |
16 | ## Solution
17 |
18 | Using curl, you can manually specify POST values
19 |
20 | ```
21 | $ curl --data "user=admin&request=flag" http://www.easyctf.com/sites/post-it
22 | flag: p0st_is_moar_secure_than_g3t$
23 | ```
24 |
25 | ## Flag
26 |
27 | `p0st_is_moar_secure_than_g3t`
28 |
--------------------------------------------------------------------------------
/050-python-basics-5.md:
--------------------------------------------------------------------------------
1 | # 50 - Python Basics 5
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Given an list of unknown length of strings stored in `args`, for each string, take the first two characters and concatenate them into another string variable. Print the final variable.
8 |
9 | ## Hint
10 |
11 | Strings are very similar to lists...
12 |
13 | ## Solution
14 | The indexes of letters in a string can referred to like the indexes of items in an array or a list. The notation for this is `string[start,end,increment]`. If you leave the first part of the notation blank, the start value will default to zero. If you leave the second part blank, the end value will be the length of the string but exclusive (so think length -1), and if the increment is left blank, then it will default to 1.
15 |
16 | ```python
17 | s = ""
18 | for x in args:
19 | s += x[:2]
20 |
21 | print s
22 | ```
23 |
24 | ## Flag
25 | `its_string_slicing_not_pi(e)_slicing`
26 |
--------------------------------------------------------------------------------
/050-reversing-1.md:
--------------------------------------------------------------------------------
1 | # 50 - Reversing 1
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Looks like you need to find the password that is the flag from this binary.
8 |
9 | `/problems/reversing1`
10 |
11 | ## Hint
12 |
13 | I bet the flag is stored as a string... how can we see all the strings in a binary?
14 |
15 | ## Solution
16 |
17 | ```bash
18 | login as: user37142
19 | user37142@shell.easyctf.com's password:
20 |
21 | user37142@easyctf:~$ cd /problems/reversing1
22 | user37142@easyctf:/problems/reversing1$ strings reversing1
23 | /lib64/ld-linux-x86-64.so.2
24 | CyIk
25 | libstdc++.so.6
26 | __gmon_start__
27 | _Jv_RegisterClasses
28 | _ITM_deregisterTMCloneTable
29 | _ITM_registerTMCloneTable
30 | __pthread_key_create
31 | _ZNSsD1Ev
32 | _ZNSt8ios_base4InitD1Ev
33 | _ZNSsC1EPKcRKSaIcE
34 | _ZNSaIcEC1Ev
35 | _ZSt3cin
36 | _ZStrsIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E
37 | _ZNKSs7compareERKSs
38 | __gxx_personality_v0
39 | _ZSt4cout
40 | _ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
41 | _ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
42 | _ZNSaIcED1Ev
43 | _ZNSsC1Ev
44 | _ZNSolsEPFRSoS_E
45 | _ZNSt8ios_base4InitC1Ev
46 | libgcc_s.so.1
47 | _Unwind_Resume
48 | libc.so.6
49 | __cxa_atexit
50 | __libc_start_main
51 | GCC_3.0
52 | GLIBC_2.2.5
53 | CXXABI_1.3
54 | GLIBCXX_3.4
55 | []A\A]A^A_
56 | eeeeeeeeeeeeeEeesy_ctf
57 | Enter the password to continue.
58 | Yay, you got the right flag!
59 | Darn, you didn't get the right flag.
60 | ;*3$"
61 | zPLR
62 | ```
63 |
64 | One of those strings looks really suspicious.
65 |
66 | ## Flag
67 |
68 | `eeeeeeeeeeeeeEeesy_ctf`
69 |
70 |
71 |
72 |
73 |
74 |
75 |
--------------------------------------------------------------------------------
/055-python-basics-6.md:
--------------------------------------------------------------------------------
1 | # 55 - Python Basics 6
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Given an integer value stored in `args[0]`, find the sum of all numbers less than or equal to `args[0]` and greater than zero that are divisible by 7. Then, print the sum of all the digits of the original sum to get your answer.
8 |
9 | ## Hint
10 |
11 | What is a math operation to check divisibility?
12 |
13 | ## Solution
14 |
15 | ```python
16 | tmp = 0
17 | for i in range(7, args[0]):
18 | if i % 7 == 0:
19 | tmp += i
20 |
21 | digits = 0
22 | while tmp:
23 | digits += tmp % 10
24 | tmp /= 10
25 |
26 | print digits
27 | ```
28 |
29 | ## Flag
30 |
31 | `beginner_math_loops_5_e_z_3_me`
32 |
--------------------------------------------------------------------------------
/060-a000045-txt.md:
--------------------------------------------------------------------------------
1 | # 60 - A000045.txt
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | A friend has created a code for you to guess because he has no life and spends all his time making this kind of stuff.
8 |
9 | Anyways, here it is: [A000045.txt](http://www.easyctf.com/problem_data/A000045/A000045.txt)
10 |
11 | ## Hint
12 |
13 | Ask Google what A000045 might mean.
14 |
15 | ## Solution
16 |
17 | A quick Google search for A000045 would bring up the fibonacci numbers. Just use the fibonacci numbers as array indices for the characters in A000045.txt.
18 |
19 | ```python
20 | fib = [0,1,1,2,3,5,8,13,21,34,55,89,144,233,377,610,987,1597,2584,4181,6765,10946,17711,28657,46368,75025,121393,196418,317811,514229,832040,1346269,2178309,3524578,5702887,9227465,14930352,24157817,39088169];
21 | f = open('A000045.txt', 'r')
22 | stuff = f.read().strip()
23 | result = ''
24 | for x in fib:
25 | if x >= len(stuff):
26 | break
27 | result += stuff[x]
28 | print result
29 | ```
30 |
31 | The result printed is `pffibonacciiscoolandtheflagisrecursion`
32 |
33 | ## Flag
34 |
35 | `recursion`
36 |
--------------------------------------------------------------------------------
/060-cookiezi-fanpage.md:
--------------------------------------------------------------------------------
1 | # 60 - Cookiezi Fanpage
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | Cookiezi has been banned from osu! forever, but we'll never forget him!
8 |
9 | Only those who truly believe in the return of Cookiezi can enter this [site](http://easyctf.com/sites/cookiezi).
10 |
11 | ## Hint
12 |
13 | Yum yum yum what could be more delicious than chocolate chip cookies? HTTP cookies, of course!
14 |
15 | ## Solution
16 |
17 | The flag is stored in a cookie when you visit the webpage. Just open the developer console (ctrl+shift+c in most browsers) and type `alert(document.cookie)` into the Javascript console. The flag will appear in an alert box.
18 |
19 | ## Flag
20 |
21 | `osu_is_love_osu_is_l1fe`
22 |
--------------------------------------------------------------------------------
/060-flowchart.md:
--------------------------------------------------------------------------------
1 | # 60 - Flowchart
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | How do loops work? Examine the [flowchart](flowchart.png) left for you, then match the letter choices to the correct loop. Submit the result of the loops in the order the diagrams are drawn (without line breaks or spaces) as your solution.
8 |
9 | Clarification: the "flag" should be the output of the loops in the order they are shown (without line breaks or spaces), not the letter choices.
10 |
11 | ## Hint
12 |
13 | Java has several types of loops - `for`, `for each`, `while`, `do-while` - how do they differ from each other? And how do flow controls like breaks or switch statements affect how code runs?
14 |
15 | ## Solution
16 |
17 | The multiple choices for the loops in the order as drawn are:
18 |
19 | >
20 | 1. B
21 | 2. A
22 | 3. C
23 | 4. E
24 | 5. F
25 | 6. D
26 |
27 | Their corresponding outputs (without line breaks or spaces) can be logically thought out, run in java, or translated to another language and then run if you don't like java. Anyway, you end up with these:
28 |
29 | >
30 | 1. 024024024
31 | 2. 01234
32 | 3. 07325
33 | 4. 01234
34 | 5. 020202
35 | 6. 0297499161411161614111616131818
36 |
37 |
38 |
39 | ## Flag
40 |
41 | `0240240240123407325012340202020297499161411161614111616131818`
42 |
--------------------------------------------------------------------------------
/060-format_deception.md:
--------------------------------------------------------------------------------
1 | # 60 - Format Deception
2 |
3 | *Written by Michael Zhang and Sean Anderson, Writeup by MegaAbsol*
4 |
5 | ## Problem
6 |
7 | What kind of file is this (format_deception.nds)?
8 |
9 | ## Hint
10 |
11 | After you manage to open the .nds file, (if you don't know how, Google is your best friend), look around for your flag. Maybe go against your first instinct.
12 |
13 | ## Solution
14 |
15 | ```
16 | $ file format_deception.nds
17 | format_deception.nds: OpenDocument Text
18 | $ libreoffice format_deception.nds
19 | ```
20 |
21 | A document with the flag inside.
22 |
23 | ## Flag
24 |
25 | `d0nt_judg3_a_file_by_1ts_ext3nsi0n`
26 |
--------------------------------------------------------------------------------
/060-python-basics-7.md:
--------------------------------------------------------------------------------
1 | # 60 - Python Basics 7
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Given an list of integers stored in `args[0]` and an integer k stored in `args[1]`, sort them in descending order, then print the value at array index k from the sorted list.
8 |
9 | ## Hint
10 |
11 | I wonder if there's a built in sort function?
12 |
13 | ## Solution
14 | Python has a handy built in sort function! And, the indexes of strings can be referred to like the indexes in arrays or lists.
15 |
16 | ```python
17 | a = args[0]
18 | a.sort(reverse = True)
19 | print a[args[1]]
20 | ```
21 |
22 | ## Flag
23 | `arrays_aren't_hard_because_python_rocks`
--------------------------------------------------------------------------------
/060-stegosaurus.md:
--------------------------------------------------------------------------------
1 | # 60 - Stegosaurus
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Try your hand at some [stego](http://en.wikipedia.org/wiki/Steganography).
8 |
9 | 
10 |
11 | ## Hint
12 |
13 | Open up the problem in a hex editor and take a look around.
14 |
15 | ## Solution
16 |
17 | Open stegosaurus.jpg in hexdump in the Linux terminal.
18 |
19 | `$ hd stegosaurus.jpg`
20 |
21 | At the bottom, you will see:
22 | ```
23 | 000144e0 54 48 49 53 20 57 41 53 20 45 41 53 59 20 00 00 |THIS WAS EASY ..|
24 | 000144f0 4e 45 58 54 20 54 49 4d 45 20 57 49 4c 4c 00 00 |NEXT TIME WILL..|
25 | 00014500 42 45 20 48 41 52 44 45 52 0d 0a ae 28 44 76 94 |BE HARDER...(Dv.|
26 | 00014510 46 4c 41 47 20 49 53 20 5c b0 c8 1b b9 35 2c 4c |FLAG IS \....5,L|
27 | 00014520 68 33 78 5f 31 73 5f 63 30 30 6c 20 4f e0 3a 57 |h3x_1s_c00l O.:W|
28 | ```
29 |
30 | ## Flag
31 |
32 | `h3x_1s_c00l`
33 |
--------------------------------------------------------------------------------
/065-python-basics-8.md:
--------------------------------------------------------------------------------
1 | # 65 - Python Basics 8
2 |
3 | *Written by Emily Leng, Writeup by Tim Winters*
4 |
5 | ## Problem
6 | A boolean is a value that is either True or False. Given an list of arrays of integers as `[a,b]` stored in `args`, for each array, if the sum of `a + b <= 25` then concatenate the value "1" to represent the value `True` to a string. Otherwise, concatenate "0" to represent the value `False`.
7 | ## Hint
8 |
9 | Use your knowledge from previous problems and apply it here!
10 |
11 | ## Solution
12 | Python allows you to store an array as individual values in a for loop.
13 |
14 | ```Python
15 | x=""
16 | for a,b in args:
17 | if a+b<=25:
18 | x+="1"
19 | else:
20 | x+="0"
21 | print x
22 | ```
23 |
24 | ## Flag
25 |
26 | `b0ole4n_l0g1c_011000100110100101101110011000010111001001111001`
27 |
--------------------------------------------------------------------------------
/070-The_Raven.md:
--------------------------------------------------------------------------------
1 | # 70 - The Raven
2 |
3 | *Written by Michael Zhang, Writeup by MegaAbsol*
4 |
5 | ## Problem
6 |
7 | Once upon a midnight dreary, while I pondered, weak and weary,
8 | Over many a quaint and curious volume of forgotten lore –
9 | While I nodded, nearly napping, suddenly there came a tapping,
10 | As of some one gently rapping, rapping at my chamber door –
11 | "'Tis some visitor," I muttered, "tapping at my chamber door –
12 | Only this and nothing more."
13 |
14 | Ah, distinctly I remember it was in the bleak December;
15 | And each separate dying ember wrought its ghost upon the floor.
16 | Eagerly I wished the morrow; – vainly I had sought to borrow
17 | From my books surcease of sorrow – sorrow for the lost Lenore –
18 | For the rare and radiant maiden whom the angels name Lenore –
19 | Nameless here for evermore.
20 |
21 |
22 |
23 | ciphertext: 6 11 22 28 66 uooy htue mghn salc mria rrop clns pggl eoie nioo ifdt iwtd eres atau odgh dfgr doti dwii sbsc eato eorf gjgr sron owud sefe
24 |
25 | ## Hint
26 |
27 | Poems were used in cryptography in WW2 to encrypt messages, but were regarded as extremely insecure. Those first five numbers look important - what could they be referring to in the poem?
28 |
29 | ## Solution
30 |
31 | Searching up "poem code" on google, we get some idea of how poem codes work. It seems that the key is the 6th, 11th, 22nd, 28th, and 66th words. This means while, weary, while, there, and bleak. So our key is whilewearywhiletherebleak. Then, this means that the "ordering" is 22 10 13 16 4 23 5 1 19 25 24 11 14 17 6 20 12 7 20 8 3 18 9 2 15, where the 1 corresponds with the first "a" in our key, the 2 corresponds with the second "a", and so on. What this means is that uooy, the first block of text, corresponds with the 22nd column of plaintext.
32 |
33 | Putting it together, we get:
34 |
35 | poemcodeshidmessagesdurin
36 | gworldwartwogreatjobforfi
37 | guringitouttheflagisgoodo
38 | ldfashionedinsecurecrypto
39 | ## Flag
40 |
41 | `goodoldfashionedinsecurecrypto`
42 |
--------------------------------------------------------------------------------
/070-brutus.md:
--------------------------------------------------------------------------------
1 | # 70 - Brutus
2 |
3 | *Written by Emily Leng*
4 |
5 | *Writeup by Jester*
6 |
7 | ## Problem
8 |
9 | It appears the only thing you know about the flag is its MD5 hash f54f10fd6e38929084d505d0c2e9c997, and that the flag is formatted in this way: [number][adjective][color][animal] without the brackets.
10 |
11 | Luckily, you have found some [lists of the words](http://www.easyctf.com/problem_data/brutus/brutus.zip) that may have been used.
12 |
13 | Tribute to http://hsctf.com
14 |
15 | ## Hint
16 |
17 | As the title suggests, brute forcing the answer is necessary.
18 |
19 | ## Solution
20 |
21 | The easiest way to brute force a problem, of course, is writing a script. For this solution, the script will be written in python.
22 |
23 | To encrypt a string in md5 in python, we need to first write a function that returns the encrypted string given a string.
24 | To do this in python, we can import hashlib, then write a function that looks like:
25 |
26 | Code:
27 |
28 | ```python
29 | import hashlib
30 | def MD5hash(string):
31 | m = hashlib.md5()
32 | m.update(string.encode('utf-8'))
33 | return m.hexdigest()
34 | ```
35 |
36 | Then, we can make lists in python that contain the various strings given, then use a while loop to connect them in order such that we will inevitably get the right string, which it will print it if it is.
37 |
38 | So, our final code looks like:
39 |
40 | ```python
41 | import hashlib
42 | def MD5hash(string):
43 | m = hashlib.md5()
44 | m.update(string.encode('utf-8'))
45 | return m.hexdigest()
46 |
47 | numbers = ['1','2','3','4','5','6','7','8','9','10']
48 | colors = ['red','orange','yellow','green','blue','purple','pink','white','black']
49 | animals = ['cats','dog','mice','birds','fish','turtles','elephants','snakes','pigs','cows','goats']
50 | adjectives = ['cool','smart','funny','happy','weird','strange','normal','big','small','angry']
51 | c1 = 0
52 | while c1 < len(numbers):
53 | c2 = 0
54 | while c2 < len(adjectives):
55 | c3 = 0
56 | while c3 < len(colors):
57 | c4 = 0
58 | while c4 < len(animals):
59 | if str(MD5hash(str(numbers[c1]+adjectives[c2]+colors[c3]+animals[c4]))) == 'f54f10fd6e38929084d505d0c2e9c997':
60 | print(numbers[c1]+adjectives[c2]+colors[c3]+animals[c4])
61 | c4 += 1
62 | c3 += 1
63 | c2 += 1
64 | c1 += 1
65 | ```
66 |
67 | And it prints out the flag!
68 |
69 | ## Flag
70 |
71 | `5happypurpleturtles`
72 |
--------------------------------------------------------------------------------
/070-format.md:
--------------------------------------------------------------------------------
1 | # 70 - Format
2 |
3 | *Written by Michael Zhang and Sean Anderson*
4 |
5 | ## Problem
6 |
7 | The function printf can do a lot of great things, but depends on how you use it. Try to exploit this very irresponsible use of printf.
8 |
9 | Problem can be found at `/problems/format1` and source can be downloaded [here](format1.c).
10 |
11 | ## Hint
12 |
13 | This line might interest you... `printf(argv[1]);`. What happens if no format arguments are provided?
14 |
15 | ## Solution
16 |
17 | This program does not use printf correctly, using user input as a format string. This allows the user to view and modify the stack of the program. For example, to view some data on the stack, simply put a valid format string as the program's first argument:
18 |
19 | ```bash
20 | $ ./format1 %x
21 | 1bc3be08$
22 | ```
23 |
24 | At first glance, it seems that all printf can do is print data, however it can also write abitrary values using the `%n` format string. From the man page:
25 |
26 | > The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted.
27 |
28 | Therefore, all we need to do is write more than 9000 characters, and `vuln()` will execute. To do this, we need to find out what pointer the program uses to refer to `key`. First, lets load up get a disassembly with `objdump -d format1`
29 |
30 | ```
31 | 000000000040064e :
32 | 40064e: 55 push %rbp
33 | 40064f: 48 89 e5 mov %rsp,%rbp
34 | 400652: 48 83 ec 20 sub $0x20,%rsp
35 | 400656: 89 7d ec mov %edi,-0x14(%rbp)
36 | 400659: 48 89 75 e0 mov %rsi,-0x20(%rbp)
37 | 40065d: 48 c7 45 f8 50 10 60 movq $0x601050,-0x8(%rbp)
38 | 400664: 00
39 | 400665: 48 8b 45 e0 mov -0x20(%rbp),%rax
40 | 400669: 48 83 c0 08 add $0x8,%rax
41 | 40066d: 48 8b 00 mov (%rax),%rax
42 | 400670: 48 89 c7 mov %rax,%rdi
43 | 400673: b8 00 00 00 00 mov $0x0,%eax
44 | 400678: e8 63 fe ff ff callq 4004e0
45 | 40067d: 8b 05 cd 09 20 00 mov 0x2009cd(%rip),%eax # 601050 <__TMC_END__>
46 | 400683: 3d 28 23 00 00 cmp $0x2328,%eax
47 | 400688: 7e 0a jle 400694
48 | 40068a: b8 00 00 00 00 mov $0x0,%eax
49 | 40068f: e8 82 ff ff ff callq 400616
50 | 400694: b8 00 00 00 00 mov $0x0,%eax
51 | 400699: c9 leaveq
52 | 40069a: c3 retq
53 | 40069b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
54 | ```
55 |
56 | We can see that in `40065d`, `0x601050` is stored onto the stack as a local variable. Next, lets see where on the stack the local variable is when we run printf:
57 |
58 | ```
59 | $ ./format1 %x-%x-%x-%x-%x-%x-%x-%x-%x-%x
60 | 42d3038-42d3050-4006a0-e1bdce80-e1bdce80-42d3038-400520-42d3030-601050-4006a0$
61 | ```
62 |
63 | We can see that the pointer `601050` is the 9th value on the stack. (In the competition it was the 7th, but this is a different compile). Based on this information, the input of the program should be
64 |
65 | ```
66 | $ ./format1 garbagedata%x%x%x%x%x%x%x%x%n
67 | ```
68 |
69 | It is very tedious to type out over 9000 characters of garbage, so we will create a file with this data.
70 |
71 | ```
72 | $ for i in `seq 1 9000`; do echo -n "x"; done > ~/xs.txt
73 | $ echo "%x%x%x%x%x%x%x%x%n" | cat ~/xs.txt - > ~/arg.txt
74 | ```
75 |
76 | Now that we have the garbage, all we have to do is feed it into the program and get the flag.
77 |
78 | ```
79 | $ xargs -a ~/arg.txt ./format1
80 | xxxxxxxxxxxxxxxxxxxxxxxx ... xxxxxxxx$ whoami
81 | format1
82 | $ cat flag.txt
83 | it's over 9000!!11!1one1!
84 | $ exit
85 | ```
86 |
87 | ## Flag
88 |
89 | `it's over 9000!!11!1one1!`
90 |
91 |
92 |
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
--------------------------------------------------------------------------------
/070-hashing.md:
--------------------------------------------------------------------------------
1 | # 70 - Hashing
2 |
3 | *Written by Austin Zhou*
4 |
5 | ## Problem
6 |
7 | I found this hashed password `dqcxxkgegmrunaue` and its hashing algorithm [hash1.py.](hash1.py) Can you find the password?
8 |
9 | ## Hint
10 |
11 | Maybe there's more than 1 password that works...
12 |
13 | ## Solution
14 |
15 | When inspecting the algorithm we can see that each letter is generated one at a time. So the first letter affects the first letter in the hash and the second letter affects the second letter in the hash etc. So an easy brute force algorithm can be written.
16 |
17 | ```python
18 | text = "dqcxxkgegmrunaue"
19 | flag= ""
20 | for a in range(len(text)):
21 | for b in [chr(i) for i in range(97,97+26)]:
22 | if hash1(b)[0] == text[a]:
23 | flag += b
24 | break
25 | print flag
26 | ```
27 |
28 | One possible answer then would be `kxjeernlntybuhbl`
29 |
30 | But the original string was actually `xxxXXX_nobody123will123evar123know234this345flag_XXXxxx`
31 |
32 | ## Flag
33 |
34 | (Several possible answers)
35 |
36 | - `kxjeernlntybuhbl`
37 | - `xxxXXX_nobody123will123evar123know234this345flag_XXXxxx`
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/070-just-sum-numbers.md:
--------------------------------------------------------------------------------
1 | # 70 - Just Sum Numbers
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Algorithmic problems require you to write a program to solve the problem in the online python editor. Data will be generated randomly, as well as the solutions. If your program produces the required answer, the flag will be given to you. You can find this using the python link in the navigation menu above.
8 |
9 | Given positive integers A, B, C, and L, find the sum of all the distinct multiples of A, B, and C under L.
10 |
11 | The variables A, B, C, and L are passed through an array of variables called args. You don't have to create this; it's already there for you. This is how the generated data is passed to your program:
12 |
13 | `args = [A, B, C, L];`
14 |
15 | ## Hint
16 |
17 | If you don't know how to do this problem just yet, try the Python Basics problem series first.
18 |
19 | ## Solution
20 |
21 | ```python
22 | s = 0
23 | for x in range(0,args[3]):
24 | if x%args[0]==0 or x%args[1]==0 or x%args[2]==0:
25 | s += x
26 |
27 | print s
28 | ```
29 |
30 | ## Flag
31 |
32 | `is_this_pr0jekt_o1ler?`
33 |
--------------------------------------------------------------------------------
/070-python-basics-9.md:
--------------------------------------------------------------------------------
1 | # 70 - Python Basics 9
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Head over to the Python Editor and print the greatest common factor between `args[0]` and `args[1]`.
8 |
9 | ## Hint
10 |
11 | Defining a *function* that finds a GCF will be of use.
12 |
13 | ## Solution
14 |
15 | ```python
16 | def gcd(x, y):
17 | while y != 0:
18 | (x, y) = (y, x % y)
19 | return x
20 |
21 | print gcd(args[0],args[1])
22 | ```
23 |
24 | ## Flag
25 |
26 | `programming_beats_calculating_by_hand_any_day`
27 |
--------------------------------------------------------------------------------
/075-corruption.md:
--------------------------------------------------------------------------------
1 | # 75 - Corruption
2 |
3 | *Written by Michael Zhang, Writeup by Tim Winters*
4 |
5 | ## Problem
6 | You revieved a zip file but find that it is orrupted! You're given that it's missing a couple of bytes at the beginning. Replace these bytes and find the flag
7 |
8 | ## Hint
9 |
10 | No clue what bytes to insert? Perhaps looking into file headers would be helpful. Also, you might want to download a hex editor, such as HxD.
11 |
12 | ## Solution
13 | A google seach of .zip file headers will lead you to [this website](http://www.garykessler.net/library/file_sigs.html). `Ctrl-F` ".zip" shows that the file header for a .zip file is `50 4B 03 04`
14 |
15 | If we open the file in a hex editor program, it shows the first byte as `03 04 14 00`. We need it to be `50 4B 03 04`, and we have `03 04`, so by adding `50 4B` the first byte is `50 4B 03 04` and the file will extract.
16 |
17 | In the extracted folder, we see a number of files (3000). Opening a file in a text editor reveals a series of characters. To find the flag, use the `findstr` (`grep` for mac) and search for "flag" in all files. To search all files, use a '\*'. The final command will be `grep flag *`. The flag is hidden in file `f2590`.
18 |
19 | ## Flag
20 |
21 | `ph1l_k4tz`
22 |
--------------------------------------------------------------------------------
/075-golden-ratio-obsession.md:
--------------------------------------------------------------------------------
1 | # 75 - Golden Ratio Obsession
2 |
3 | *Written by Austin Zhou*
4 |
5 | ## Problem
6 |
7 | Find the Number of Digits in the 16th Fibonacci Number that Contains 1618 and is Divisible by 1618.
8 |
9 | ## Hint
10 |
11 | Use your knowledge from the previous basic python problems! (You are not, however, limited to python for this problem - you can compute the answer in any language you'd like.)
12 |
13 | ## Solution
14 |
15 | Using your python knowledge from python basics it should be easy to write a brute force algorithm.
16 |
17 | ```python
18 | def fib():
19 | a = 1
20 | b = 1
21 | while True:
22 | a,b = a+b,a
23 | yield a
24 | count = 0
25 | for i in fib():
26 | if "1618" in str(i) and i%1618==0:
27 | count+=1
28 | if count == 16:
29 | print len(str(i))
30 | break
31 | ```
32 |
33 | This should yield the number `7092` and that is your flag.
34 |
35 | ## Flag
36 |
37 | `7092`
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/075-python-basics-10.md:
--------------------------------------------------------------------------------
1 | # 75 - Python Basics 10
2 |
3 | *Written by Emily Leng*
4 |
5 | ## Problem
6 |
7 | `args[0]` is a result of XOR encryption on two hexadecimal strings. You only know one of the two original strings, `args[1]`, can you find the other?
8 |
9 | Clarification: after finding the second string you should print the ascii representation of it as the answer in the Python Editor.
10 |
11 | ## Hint
12 |
13 | The operation `^` in python only works on numbers. The built in functions `ord()` and `chr()` convert between characters and numbers.
14 |
15 | ## Solution
16 |
17 | ```python
18 | def xor_strings(xs, ys):
19 | return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(xs, ys))
20 | a = ''.join([chr(int(''.join(c), 16)) for c in zip(args[0][0::2], args[0][1::2])])
21 | b = ''.join([chr(int(''.join(c), 16)) for c in zip(args[1][0::2], args[1][1::2])])
22 | c = xor_strings(a,b)
23 | print c
24 | ```
25 |
26 | ## Flag
27 |
28 | `x0r_encrypti0n_is_be_e4sy_t0_crack`
29 |
--------------------------------------------------------------------------------
/080-easy-as-ctf-gets.md:
--------------------------------------------------------------------------------
1 | # 80 - Easy As CTF Gets
2 |
3 | *Written by Emily Leng*
4 |
5 | *Writeup by Jester*
6 |
7 | ## Problem
8 |
9 | What could this possibly mean?
10 |
11 | xhwdlsibxnmwvinalpdcbsymzzx
12 |
13 | ## Hint
14 |
15 | Perhaps you could try one of these [ciphers.](http://rumkin.com/tools/cipher/)
16 |
17 | ## Solution
18 |
19 | At first glance, this problem seems remarkably easy, even for an 80 point problem. However, as you try all the ciphers in the given link, you find that none of them work (unless you got it instantly, of course).
20 |
21 | Eventually, the realization that a key is needed pops into your head. But what is the key?
22 |
23 | To decipher the ciphertext, go to vigenere on the site given, and the key is... "easyasctfgets"
24 |
25 | And voila! You get the flag!
26 |
27 | ## Flag
28 |
29 | `hiddeninplainsight`
30 |
--------------------------------------------------------------------------------
/080-injection.md:
--------------------------------------------------------------------------------
1 | # 80 - Injection
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | This site seems to have some information we need. Unfortunately, it's protected by a login page. Help us get through the login system!
8 |
9 | [Website](http://www.easyctf.com/sites/injection) - [Source](injection.phps)
10 |
11 | ## Hint
12 |
13 | You might want to study up on some SQL syntax. How can we modify the query so it will always return true?
14 |
15 | ## Solution
16 |
17 | Examine this bit of injection.phps carefully:
18 |
19 | ```php
20 | | username | message |
|---|
";
26 | $username = $_POST['username'];
27 | $password = $_POST['password'];
28 | mysql_connect("xxxxxxxxx", "xxxxxxxxx", "xxxxxxxxx");
29 | @mysql_select_db("xxxxxxxxx") or die("can't select database");
30 |
31 | $query = "SELECT * FROM `xxxxxxxxx` WHERE username='$username' AND password='$password'";
32 | $result = mysql_query($query);
33 | while($row = mysql_fetch_array($result)) {
34 | echo "| ".$row['username']." | ".$row['message']." |
";
35 | }
36 | echo "";
37 | }
38 |
39 | ?>
40 | ```
41 |
42 | Notice the query string that fetches the data from the database.
43 |
44 | ```
45 | $query = "SELECT * FROM `xxxxxxxxx` WHERE username='$username' AND password='$password'";
46 | ```
47 |
48 | If we set username to `' OR 1=1 OR '`, then the query string would look like
49 |
50 | ```
51 | $query = "SELECT * FROM `xxxxxxxxx` WHERE username='' OR 1=1 OR '' AND password='whatever'";
52 | ```
53 |
54 | Since 1 always equals 1, the condition will always be satisfied, so the script pulls all rows out of the database.
55 |
56 | |username|message|
57 | |---|---|
58 | |admin|hi|
59 | |flag|kids_dont_code_like_this_at_home|
60 |
61 | ## Flag
62 |
63 | `kids_dont_code_like_this_at_home`
--------------------------------------------------------------------------------
/090-obfuscation-1.md:
--------------------------------------------------------------------------------
1 | # 90 - Obfuscation 1
2 |
3 | *Written by Emily Leng, Writeup by MegaAbsol*
4 |
5 | ## Problem
6 |
7 | Free points guyz.
8 |
9 | Obfuscation is changing variables and statements in a code so that it still performs the desired functions but is harder to read by humans. This makes it harder for people who are not supposed to see your code to understand your code. Try your hand at the following Python deobfuscation exercise:
10 |
11 | [Input file](http://www.easyctf.com/problem_data/obfuscation/obfuscated.py)
12 |
13 | ## Hint
14 |
15 | Think backwards, reverse the encryption.
16 |
17 | ## Solution
18 |
19 | Actually, there's no need to "think backwards." We only need to look at a little bit of the code to get the gist of it.
20 |
21 |
22 | def enc(c,k): return chr(((ord(k) + ord(c)) % 26) + ord('A'))
23 | It seems scary, but it looks to me like it's cycling through characters. Wait... cycling? Then what happens if we repeatedly encrypt our data? Let's edit the code a bit:
24 |
25 |
26 | from itertools import starmap, cycle
27 |
28 | def mystery(a, b):
29 | a = filter(lambda _: _.isalpha(), a.upper())
30 | def enc(c,k): return chr(((ord(k) + ord(c)) % 26) + ord('A'))
31 |
32 | return "".join(starmap(enc, zip(a, cycle(b))))
33 |
34 | text = "SWQHRGZZUSSWWBJWMRQTMRYVWVXJMADMKICSVBZCZXMENGJLVWEUDUQYVSEMKRWUBFJF"
35 | apple = "FOODISYUMMY"
36 | for i in range(26):
37 | text = mystery(text, apple)
38 | print (text)
39 |
40 | On the second-last line of output, look what we get:
41 |
42 | NICEJOBFIGURINGOUTWHATTHISPROGRAMDOESTHEFLAGISVINEGARISTHEBESTCIPHER
43 |
44 | ## Flag
45 |
46 | `VINEGARISTHEBESTCIPHER`
47 |
--------------------------------------------------------------------------------
/090-pixelated.md:
--------------------------------------------------------------------------------
1 | # 90 - Pixelated
2 |
3 | *Written by Emily Leng, Writeup by Jester*
4 |
5 | ## Problem
6 |
7 |  |  |
8 |
9 | ## Hint
10 |
11 | Did you know you can do [arithmetic with images](http://homepages.inf.ed.ac.uk/rbf/HIPR2/arthops.htm) too?
12 |
13 | ## Solution
14 |
15 |
16 | This problem is quite simple. The hint gives us an extremely useful website that allows us to perform "arithmetic" on the images provided.
17 |
18 | After converting the pngs to the needed format on the website, you can simply try it out until you get a QR code. (Upload the images on a website) After trying all of them, we find that the correct QR code is actually XOR. Afterwards, you can scan the QR code, which links you to the flag.
19 |
20 | 
21 |
22 | ## Flag
23 |
24 | `pixelsmatterinQRs`
--------------------------------------------------------------------------------
/095-brachiosaurus.md:
--------------------------------------------------------------------------------
1 | # 95 - Brachiosaurus
2 |
3 | *Written by Emily Leng, Writeup by MegaAbsol*
4 |
5 | ## Problem
6 |
7 | Here's something a bit harder.
8 |
9 | 
10 |
11 | ## Hint
12 |
13 | Is this jpg really a jpg?
14 |
15 | ## Solution
16 |
17 | Since this seems to be a steg problem, we open it in a hex editor. I used HxD. Scroll to the bottom of the file, and we see lots of "not suspicious" strings, as well as PK's (50 4B). PK is a zip file. We find the first instance of "PK" in the plaintext, and copy everything from there. We take the copied text and make it into a zip file. Looking into our new zip file, we see a "not suspicious" folder filled with .SHORT.OUT files, from 1-25. There also is a "whatAFineKeyThisIs" file. This seems like something, so we look into it.
18 |
19 | In this file, it says:
20 |
21 | my favorite numbers are seven and three.
22 | gaf cnrvp qnjkfs hz zfufqgffq
23 |
24 | The bottom seems suspicious, and looks like some kind of cipher. Plugging it into [quipqiup](http://quipqiup.com/), we get:
25 |
26 | the lucky number is seventeen
27 |
28 | We then look into file 17. It seems like a bunch of meaningless text, but when we CTRL+F "answer," we find:
29 |
30 | ANSWER4Y0UREFF0RTSISC1PH3RSANDKRYPT0
31 |
32 | ## Flag
33 |
34 | `C1PH3RSANDKRYPT0`
35 |
--------------------------------------------------------------------------------
/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easyctf/writeups-2014/ece932817bdddca49b2fcb020f522afc0243f37f/1.png
--------------------------------------------------------------------------------
/100-palindrama.md:
--------------------------------------------------------------------------------
1 | # 100 - Palindrama
2 |
3 | *Written by Michael Zhang, Writeup by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Given a string stored in `args[0]`, find the longest palindrome inside the string, ignoring the punctuation and spacing during calculations, but including them in the final result.
8 |
9 | For example, `I did roar again, Niagara! ... or did I?` returns `I did roar again, Niagara! ... or did I`
10 |
11 | Notice how the question mark was not part of the palindromic string, so it was not included in the answer (and neither should trailing spaces or new lines).
12 |
13 | ## Hint
14 |
15 | Python makes palindrome testing easy (after you remove punctuation, that is) with its ability to reverse strings!
16 |
17 | ## Solution
18 |
19 | ```python
20 | import string
21 | exclude = set(string.punctuation)
22 | longest = ''
23 | xindex, yindex = 0,0
24 | for x in xrange(0,len(args[0])):
25 | for y in xrange(0,len(args[0])):
26 | origStr = args[0][x:y]
27 | if origStr[0:1] in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ":
28 | newStr = ''.join(ch for ch in origStr if ch not in exclude).replace(" ","").lower()
29 | if newStr == newStr[::-1] and len(newStr) > len(longest):
30 | longest = newStr
31 | yindex = y
32 | xindex = x
33 | print args[0][xindex:yindex].strip(),
34 |
35 | ```
36 |
37 | ## Flag
38 |
39 | `did_you_use_python's_[::-1]_notation?`
40 |
--------------------------------------------------------------------------------
/100-project-eratosthenes.md:
--------------------------------------------------------------------------------
1 | # 100 - Project Eratosthenes
2 |
3 | *Written by Michael Zhang, Writeup by Emily Leng*
4 |
5 | ## Problem
6 |
7 | The first 5 primes are 2, 3, 5, 7, and 11. The 2nd, 3rd, 5th, 7th, and 11th primes are (respectively) 3, 5, 11, 17, and 31. The sum of these primes is 67. Let `Q(n)` be the sum of the `k`th prime where `k` is the first `n` prime numbers, as shown above. Then `Q(5) = 67`.
8 |
9 | It can be confirmed that `Q(35) = 11735` and `Q(85) = 107591`.
10 |
11 | If `args = [M,N]`, find `Q(M)` + `Q(N)`, using the python editor.
12 |
13 | ## Hint
14 |
15 | Find an efficient way to generate primes.
16 |
17 | ## Solution
18 |
19 | ```python
20 | def isPrime(num):
21 | # Checks for primality & returns a boolean.
22 | if num == 2:
23 | return True
24 | elif num < 2 or not num % 2: # even numbers > 2 not prime
25 | return False
26 | # factor can't be larger than the square root of num
27 | for i in range(3, int(num ** .5 + 1), 2):
28 | if not num % i: return False
29 | return True
30 |
31 | def generatePrimes(n):
32 | # Returns a list of prime numbers with length n
33 | primes = [2,]
34 | noOfPrimes = 1
35 | testNum = 3 # number to test for primality
36 |
37 | while noOfPrimes < n:
38 | if isPrime(testNum):
39 | primes.append(testNum)
40 | noOfPrimes += 1
41 | testNum += 2
42 | return primes
43 |
44 | l = generatePrimes(10000)
45 |
46 | def q(n):
47 | tot = 0
48 | l2 = l[:n]
49 | for x in l2:
50 | tot+= l[x-1]
51 | return tot
52 |
53 | print (q(args[0]) + q(args[1]))
54 |
55 | ```
56 |
57 | ## Flag
58 |
59 | `n0t_pr0jekt_o1ler_but_s1mil4r`
60 |
--------------------------------------------------------------------------------
/120-fast-math.md:
--------------------------------------------------------------------------------
1 | # 120 - Fast Math
2 |
3 | *Written by Michael Zhang, Writeup by Emily Leng*
4 |
5 | ## Problem
6 |
7 | Can you beat the Jung? Try your hand at some fast math at `python.easyctf.com:10660`!
8 |
9 | ## Hint
10 |
11 | How can you solve problems quickly?
12 |
13 | ## Solution
14 |
15 | ```python
16 | import socket
17 |
18 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
19 | s.connect(("python.easyctf.com", 10660))
20 | response = s.recv(1024)
21 | response = response.translate(None, "abcdefghijklmnopqrstuvwxyz ")
22 | while s:
23 | s.send(str(eval(response)))
24 | response2 = s.recv(1024)
25 | print response2
26 | break
27 |
28 | ```
29 |
30 | ## Flag
31 |
32 | `congratz_u_just_beat_the_jung!!1!`
33 |
--------------------------------------------------------------------------------
/130-reversing-2.md:
--------------------------------------------------------------------------------
1 | # 130 - Reversing 2 (TODO)
2 |
3 |
--------------------------------------------------------------------------------
/150-ghoti.md:
--------------------------------------------------------------------------------
1 | # 150 - Ghoti
2 |
3 | *Written by Michael Zhang*
4 |
5 | *Writeup by Jester*
6 |
7 | ## Problem
8 |
9 | Haaaalppp I can't pronounce this word. What could this image mean?
10 |
11 | 
12 |
13 | ## Hint
14 |
15 | Look for clues in the file. The file appears corrupted, but maybe it still contains some important information.
16 |
17 | ## Solution
18 |
19 | First, to solve this problem, we need to find clues (notice the s). There are 2 clues needed to solve the problem.
20 |
21 | We can obtain both clues quite easily. The first one is to simply open the picture as a rar file.
22 | Inside the rar file, we find a file called sh58, which, if we open with notepad, contains the ciphertext `1e95153b6c941098227a4b08d9d74cb9d7b9387f83c74097`.
23 |
24 | To obtain the second clue, we must open the jpg with a hex editor (I used HxD). Then, Ctrl+F "flag", in which it says "here's a hint at the flag: tetraodontidae"
25 |
26 | Given these two clues, we can now decrypt the ciphertext. A quick google of "tetraodontidae" reveals a type of encryption called "blowfish," which requires a key and ciphertext. Perfect!
27 | After using many different websites, the one that worked for me was http://webnet77.com/cgi-bin/helpers/blowfish.pl
28 |
29 | Enter "tetraodontidae" as the key and "1e95153b6c941098227a4b08d9d74cb9d7b9387f83c74097" as the ciphertext, and you get the flag!
30 |
31 | ## Flag
32 |
33 | `bl0w_fish_so_s3cret_`
34 |
--------------------------------------------------------------------------------
/160-obfuscation-2.md:
--------------------------------------------------------------------------------
1 | # 160 - Obfuscation 2
2 |
3 | *Written by Austin Zhou*
4 |
5 | *Writeup by Jester*
6 |
7 | ## Problem
8 |
9 | This jumbled mess has been left for you... [source](obfuscate.js)
10 |
11 | ## Hint
12 |
13 | Are there any ways to make this code more readable?
14 |
15 | ## Solution
16 |
17 | Go to http://jsbeautifier.org/
18 | Copy paste the code into the box, then "beautify" it.
19 | Copy the "beautified" code.
20 |
21 | Open up a web browser (tested on google chrome) and open up console. (F12 then click on "Console")
22 | Copy paste the code into the console and press enter. It should say "The flag is near."
23 | On the right side of the line, however, there is something that says "VMXXX:X" (X is an arbitrary number, can vary)
24 |
25 | Click it and it shows a list of variables and their values, and you get the flag!
26 |
27 | ## Flag
28 |
29 | `0bfuscaTion fTw`
30 |
--------------------------------------------------------------------------------
/180-evil-guess.md:
--------------------------------------------------------------------------------
1 | # 180 - Evil Guess (TODO)
2 |
3 |
--------------------------------------------------------------------------------
/180-rsa.md:
--------------------------------------------------------------------------------
1 | # 180 - RSA
2 |
3 | *Written by Austin Zhou, Writeup by Jester*
4 |
5 | ## Problem
6 |
7 | You stumble upon a RSA encrypted message that looks different... All you know is the public key. Can you decrypt the message? [Data](http://www.easyctf.com/problem_data/rsa/rsa.txt)
8 |
9 | ## Hint
10 |
11 | The message is about RSA.
12 |
13 | ## Solution
14 |
15 | To solve this problem, we must (obviously) first understand RSA. RSA encryption utilizes extremely large numbers to encrypt messages. A message, m, is converted to hex/decimal, then modular arithmetic is performed using a public key and public exponent.
16 |
17 | To decrypt, we must obtain the private key.To do this, we must factor the public key. Normally, this would be impossible, but since the public key is relatively small, it can be done.
18 |
19 | So, we get factors p and q:
20 |
21 | p = 1398023584459
22 | q = 29065965967667
23 |
24 | We also need the totient, which is (p-1) * (q-1).
25 |
26 | totient = 40634905927850661848135028
27 |
28 | The private key, d, is equivalent to the inverse mod of the public key and the totient.
29 |
30 | Then, we also need the public exponent. But wait! That's not provided in the problem.
31 |
32 | Even after writing a script to brute force it, it would be nearly impossible to find the flag among the huge piles of ascii text... or is it?
33 |
34 | This is where the hint comes in. It says "The message is about RSA." Clearly, it is quite an obvious (and worthless) hint at first glance.
35 |
36 | Using this surprisingly useful hint, we can write a python script that brute forces the public key, and if the outputted string has "rsa" in it, then it will print it out.
37 |
38 | Our code:
39 |
40 | def egcd(a, b): #inverse mod function (its not built in :O)
41 | if a == 0:
42 | return (b, 0, 1)
43 | else:
44 | g, y, x = egcd(b % a, a)
45 | return (g, x - (b // a) * y, y)
46 |
47 | def modinv(a, m): #inverse mod function
48 | g, x, y = egcd(a, m)
49 | if g != 1:
50 | return -1
51 | else:
52 | return x % m
53 | c = int("ac470f7350ea67d7a0696",16)
54 | p = 1398023584459
55 | q = 29065965967667
56 | while 1: #loops infinitely until flag is found
57 | d = modinv(i,(p-1)*(q-1)) #uses inverse mod
58 | if(d!=-1):
59 | answer = (hex(pow(c,d,p*q))) #turns into hex after powmod
60 | answer = answer[2:-1]
61 | if(len(answer)%2==1):
62 | answer = '0' + answer
63 | xyzwhatever = answer.decode("hex") #turns hex to ascii
64 | if("rsa" in xyzwhatever.lower()): #prints flag if "rsa" is in it (.lower() prevents case sensitivity)
65 | print(i) #prints public exponent used
66 | print xyzwhatever #prints possible flags
67 |
68 | After running the code, we get the flag!
69 |
70 | ## Flag
71 |
72 | `rsa_2_easy`
73 |
--------------------------------------------------------------------------------
/180-the-door.md:
--------------------------------------------------------------------------------
1 | # 180 - The Door
2 |
3 | ```
4 | Step 1.
5 | As with all reverse engineering questions, the first question you need to ask yourself is what do I want this program to do that it currently isn't.
6 | In the case of door.c, we need to run this line of code:
7 | printf("Good detective work, your flag is: %d_%d\n",flagFunc(4407091,(int)(137.0*(secretKey)/15.2)),flagFunc(1992,197));
8 | Specifically, we need to call the function "flagFunc", so the next step is finding out where flagFunc is defined:
9 | twochainz flagFunc=generateFlagFunc(secretKey);
10 |
11 | Step 2.
12 | Ok, so what exactly is this 'twochainz' type (not Tauheed Epps)-- at the top of our c code we see this typedef:
13 | typedef int (*twochainz)(int,int);
14 | So now we know that flagFunc is a pointer to a function which takes two integer arguments and returns an integer (type twochainz), which makes sense since our printf format string id '%d', the integer format type.
15 |
16 | Step 3.
17 | Next on the list we have got to see where the point has come from, so lets go into 'generateFlagFunc' to find out.
18 | Before we enter into generateFlagFunc, we must look at the argument that is passed, 'secretKey', which is passed to generateDouble as the double 'seed'.
19 | Many (inexperienced) reverse engineers would start at the top and work their way down, but this is foolish in reverse engineering. We only need to focus on what we care about, and we care about the return value so lets jmp there (but not xret).
20 | Alrighty, so the looks like this:
21 | return (twochainz)buf;
22 | Now we know that buf must contain a pointer to our magic function, so lets find where buf is first defined to see where our code is coming from:
23 | unsigned short * buf=(unsigned short *)malloc(len+1);
24 | Step 4.
25 | Sweet, so now we know that the code between the definition of buf and its return must transform and empty buffer of unsigned shorts into x86 assembly which can be executed, so lets focus our energy on that for now:
26 | int len=sizeof(secretMsg)/4;//this is on the first line, but we need it for the loop
27 | for(int i=0;idoor
73 | --- DOOR! DOOR! WHO STOLE THE DOOR? ---
74 | In order to identify who stole the door, please enter the secret key below
75 |
76 | Secret key: 44.7927682909
77 | Good detective work, your flag is: 1992_-2
78 |
79 | C:\Users\Carter\Desktop\tcc\door>
80 |
81 | Step 9:
82 | WE GOT THE FLAG!@#%!#@%!@%@%!@#%!@%!%!!!!!
83 |
84 | Step 10 - Regret:
85 | As you are probably guessing, there is an easier way to do this, and to do this we must look at the question - "Who stole the door". If you've read Surely You're Joking Mr. Feynman (BEST BOOK EVER), you know that Feynman stole the door.
86 | So, the secret key is the double value represented by the 8 bytes below:
87 | 40 46 65 79 6E 6D 61 6E
88 | Or in ascii as: @Feynman
89 |
90 | yup, it was pretty damn easy.
91 |
92 | -- Addenda: Revised Step 1 --
93 |
94 | Step 1: You make your console cost the most, you beat your chest and proudly boast--despite no good exclusive games, you make a bunch ridiculous claims.
95 |
96 | Then ignore our need to play online
97 | Don't make it fun like Xbox Live
98 | Use Blue Ray, Which I don't need
99 | Now you're getting your ass kicked by the Wii
100 |
101 | Sony, you went wrong, with your PS3
102 | I'll just keep playing my 360
103 | Hope this song has helped, you understand
104 | Now you know, How You Killed Your Brand.
105 | Shouts to my fave pen pal Marc E. Mayer (http://www.msk.com/attorneys/Marc_Mayer)
106 | ```
107 |
108 |
--------------------------------------------------------------------------------
/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/easyctf/writeups-2014/ece932817bdddca49b2fcb020f522afc0243f37f/2.png
--------------------------------------------------------------------------------
/200-guessing-is-hard.md:
--------------------------------------------------------------------------------
1 | # 200 - Guessing is hard
2 | *Written by Jacob Edelman, Writeup by MegaAbsol*
3 |
4 | ## Problem
5 |
6 | We really love guessing games. Try and get the flag at python.easyctf.com:10663!
7 |
8 | [source](http://www.easyctf.com/problem_data/guessing-is-hard/guessing-is-hard.py)
9 |
10 | ## Hint
11 |
12 | No hint for this problem. :P
13 |
14 | ## Solution
15 |
16 | We wrote the program on the shell, and I forgot the code, so rewrote it here to the best of my ability...
17 |
18 | At first glance, this problem seems unsolvable. After all, it's "truly random..." or is it? Taking a quick look into how random works, we note that if no seed is provided random will use long(time.time()*256) as seed (int or long, depending on your version). We also note that, since this finds integer amount of seconds, the ping time and code run time is irrelevant. I don't know if our system has os.urandom or not, but I don't really care and I can just seed random manually.
19 |
20 | Using this, we have our preliminary code:
21 |
22 | Planning it out:
23 |
24 | import random, time
25 | random.seed(long(time.time()*256))
26 | print(random.random())
27 |
28 | We also need to connect to the server, so we have:
29 |
30 | Almost there:
31 |
32 | import random, time
33 | import os
34 | random.seed(long(time.time()*256))
35 | os.system('echo '+str(random.random())+' | nc python.easyctf.com 10663')
36 |
37 | But it doesn't work!!? Why not?
38 | After closer inspection, we note that random.random is a float. Float outputs only a few decimal points, but we need an exact time. After searching it up on the internet, we find a format string which can show more decimal points. I chose 60.
39 |
40 | Final Code:
41 |
42 | import random, time
43 | import os
44 | random.seed(long(time.time()*256))
45 | os.system('echo '+str('%.60f'%random.random())+' | nc python.easyctf.com 10663')
46 |
47 | We run it, and get the flag!
48 |
49 |
50 | ## Flag:
51 |
52 | `wow_the_random_module_in_python_is_pretty_easy_to_hax`
53 |
54 | Note: Since the shell is down you probably won't be able to do it.
55 |
--------------------------------------------------------------------------------
/230-failedxyz.md:
--------------------------------------------------------------------------------
1 | # 230 - failedxyz
2 |
3 | *Written by Michael Zhang*
4 |
5 | ## Problem
6 |
7 | My name is Michael Zhang.
8 |
9 | ## Hint
10 |
11 | This is a recon problem. Clues are scattered over the internet, and you have to piece them together to solve the problem. THIS IS INSANELY HARD. If you solve this problem, you are required to write a write-up and send it (using the email you signed your team up with) to failed.down@gmail.com.
12 |
13 | ## Solution
14 |
15 | This problem had 4 parts. These 4 parts could be found by scouring all of my accounts and looking for flag-related clues. Obtaining my phone number and address didn't get you anywhere as far as solving the problem.
16 |
17 | ### Part 1
18 |
19 | On my YouTube channel at http://youtube.com/user/failedxyz, one of the videos is called [**ice - L (Cytus)**](https://www.youtube.com/watch?v=eUSQBqGZwH4). In the description of the video you'll find these lines:
20 |
21 | ```
22 | Part One
23 | If you're looking for something, "failed_up_".
24 | ```
25 |
26 | Another way to reach this video is from my MuseScore profile, which is linked on multiple sites across the internet. [One of my transcriptions](http://musescore.com/user/133763/scores/213861) links to the above video.
27 |
28 | ### Part 2
29 |
30 | My [personal site](http://failedxyz.github.io) would be a good place to look for clues. In this case, the source code was publicly available on GitHub, so instead, the clue was hidden inside the profile image on the top right.
31 |
32 | 
33 |
34 | The file end signature for JPEG files is `FF D9`, so anything after this signature will not be a part of the JPEG. Moving everything after `FF D9` to a new `.rar` file (notice the `Rar!` file signature indicating that this is a rar archive), we find a file called `sh58` inside. This file contained the following contents:
35 |
36 | ```
37 | check out puffdonut's dulles airport rendition in minecraft! fehxNkfgzX96S1P7vwDtew==
38 | ```
39 |
40 | It turns out that this hash was incorrect, so it was replaced with `dE+0bYbrewc=`, which can be found on the clarification page. A quick Google on `puffdonut dulles airport minecraft` produces the following URL:
41 |
42 | ```
43 | http://www.minecraftforum.net/forums/mapping-and-modding/maps/1528032-dulles-airport-v6
44 | ```
45 |
46 | On page 2 of the comments, notice a post by failedxyz that says
47 |
48 | ```
49 | Nice job! Your video was amazing.Will you do any more maps of real places?
50 |
51 | key: sonicetherunbelievableshader
52 | ```
53 |
54 | We now have a key and a ciphertext. What is the algorithm? That's not too hard to find. Under my Minecraft Forum profile (the same site as before), my interests are DES encryption.
55 |
56 | At this point, any online decrypting service would work. Using the key `sonicetherunbelievableshader` and the ciphertext `dE+0bYbrewc=`, we get `is_the_` as the second part of the flag.
57 |
58 | ### Part 3
59 |
60 | This one is simple. You can reach http://projectnebula.org/failosu through many methods including:
61 |
62 | * a link on my [Twitter](http://twitter.com/fdetzl) (which I never use)
63 | * a link from my [osu! profile](http://osu.ppy.sh/u/IOException)
64 |
65 | Click on any of the songs listed and browse the source code. Close inspection of [this site](http://projectnebula.org/failosu/play.php?folder=39804+xi+-+FREEDOM+DiVE&map=xi+-+FREEDOM+DiVE+%28Nakagawa-Kanon%29+%5BFOUR+DIMENSIONS%5D.osu) reveals:
66 |
67 | ```
68 |
83 |
84 |
85 |
86 |
87 |