├── pwn ├── caesars-revenge │ ├── chall.md │ ├── bin │ │ ├── flag │ │ ├── caesars-revenge │ │ └── caesars-revenge.c │ ├── start.sh │ ├── compile.sh │ ├── ctf.xinetd │ ├── Dockerfile │ └── caesars-revenge.c ├── aria-writer │ ├── bin │ │ ├── flag │ │ ├── aria-writer │ │ ├── libc-2.27.so │ │ └── libc-2.27.zip │ ├── start.sh │ ├── chall.md │ ├── ctf.xinetd │ └── Dockerfile ├── bit │ ├── bin │ │ ├── flag │ │ └── bit │ ├── start.sh │ ├── compile.sh │ ├── challenge.txt │ ├── ctf.xinetd │ ├── Dockerfile │ └── bit.c ├── intro-to-netcat │ ├── flag.txt │ ├── talk.py │ ├── ctf.xinetd │ ├── Dockerfile │ └── README.md ├── aria-writer-v3 │ ├── bin │ │ ├── flag │ │ └── aria-writer-v3 │ ├── flag │ ├── start.sh │ ├── chall.md │ ├── ctf.xinetd │ └── Dockerfile ├── byte │ ├── bin │ │ ├── flag │ │ └── byte │ ├── start.sh │ ├── challenge.txt │ ├── compile.sh │ ├── ctf.xinetd │ ├── Dockerfile │ └── byte.c ├── combo-chain-lite │ ├── bin │ │ ├── flag │ │ ├── combo-chain-lite │ │ └── combo-chain-lite.c │ ├── README.md │ ├── start.sh │ ├── compile.sh │ ├── combo-chain-lite.c │ ├── ctf.xinetd │ └── Dockerfile ├── return-to-sender │ ├── bin │ │ ├── flag │ │ ├── return-to-sender │ │ └── return-to-sender.c │ ├── start.sh │ ├── README.md │ ├── compile.sh │ ├── return-to-sender.c │ ├── ctf.xinetd │ └── Dockerfile ├── combo-chain │ ├── bin │ │ ├── flag │ │ ├── combo-chain │ │ └── combo-chain.c │ ├── start.sh │ ├── README.md │ ├── compile.sh │ ├── combo-chain.c │ ├── ctf.xinetd │ └── Dockerfile ├── hard-heap │ ├── bin │ │ ├── flag │ │ ├── hard-heap │ │ ├── libc.so.6 │ │ └── libc.so.6.zip │ ├── description.txt │ ├── start.sh │ ├── ctf.xinetd │ └── Dockerfile ├── storytime │ ├── README.md │ ├── bin │ │ ├── flag │ │ └── storytime │ ├── start.sh │ ├── storytime.c │ ├── ctf.xinetd │ └── Dockerfile └── docker-compose.yml ├── reverse ├── forgot-your-password │ ├── flag.txt │ ├── chall.md │ ├── generator.py │ └── xoro.py ├── bitecode │ ├── flag.txt │ ├── BiteCode.class │ ├── readme.md │ └── check_gen.py ├── 
license │ ├── flag.txt │ ├── license │ └── readme.md ├── a-byte │ ├── flag.txt │ ├── a-byte │ └── readme.md ├── i_thought_trig_was_easy │ ├── flag.txt │ ├── nice_math.py │ ├── desc.md │ ├── nice_math_ans.py │ └── trig_is_really_hard.py ├── virtualjava │ ├── flag.txt │ ├── readme.md │ ├── vm_insn_gen.py │ └── VirtualJava.java ├── daheck │ ├── flag.txt │ ├── readme.md │ └── DaHeck.java ├── redtea │ ├── flag.txt │ ├── bin │ │ ├── flag.txt │ │ └── redtea │ ├── redtea │ ├── start.sh │ ├── challenge.txt │ ├── compile.sh │ ├── ctf.xinetd │ ├── Dockerfile │ └── redtea.c ├── tux-talk-show-2019 │ ├── bin │ │ ├── flag.txt │ │ └── trash │ ├── trash │ ├── start.sh │ ├── chall.md │ ├── ctf.xinetd │ └── Dockerfile ├── paint │ ├── paint │ │ ├── paint.vcxproj.user │ │ ├── paint.vcxproj.filters │ │ ├── main.cpp │ │ ├── xor.hpp │ │ └── paint.vcxproj │ ├── injector │ │ ├── injector.vcxproj.user │ │ ├── injector.vcxproj.filters │ │ ├── main.cpp │ │ └── injector.vcxproj │ └── paint.sln └── docker-compose.yml ├── web ├── md5-- │ ├── chall.md │ ├── flag │ ├── Dockerfile │ └── src │ │ └── index.php ├── agent-keith │ ├── chall.md │ ├── Dockerfile │ └── src │ │ ├── static │ │ └── style.css │ │ ├── templates │ │ └── index.html │ │ ├── main.py │ │ └── .gitignore ├── inspect-me │ ├── chall.md │ ├── Dockerfile │ └── src │ │ ├── script.js │ │ ├── style.css │ │ └── index.html ├── s-q-l │ ├── app │ │ ├── src │ │ │ ├── php.ini │ │ │ ├── config.php │ │ │ └── public │ │ │ │ ├── signin.css │ │ │ │ └── index.php │ │ └── Dockerfile │ └── mysql │ │ ├── setup.sql │ │ └── Dockerfile ├── accessible-rich-internet-applications │ ├── chall.md │ └── script.js ├── the-quest │ ├── solution.sh │ └── README.md ├── keith-logger │ ├── Dockerfile │ ├── files │ │ └── extension.crx │ └── src │ │ ├── extension │ │ ├── manifest.json │ │ └── content.js │ │ ├── app │ │ └── main.py │ │ └── extension.pem ├── networked-password │ ├── Dockerfile │ ├── index.html │ ├── solution.py │ ├── README.md │ └── main.py └── 
docker-compose.yml ├── misc ├── broken-gps │ ├── flag.txt │ ├── input.zip │ ├── solution.py │ └── challenge.md ├── json-info │ ├── flag.txt │ ├── solution.sh │ ├── ctf.xinetd │ ├── Dockerfile │ ├── README.md │ └── json_info.py ├── admin-pass │ ├── chall.md │ ├── Dockerfile │ └── index.php ├── broken-repl │ ├── flag.txt │ ├── solution.sh │ ├── ctf.xinetd │ ├── Dockerfile │ ├── README.md │ └── repl.py ├── tasty-snack │ ├── flag.txt │ ├── solution.sh │ ├── ctf.xinetd │ ├── Dockerfile │ ├── snack.py │ └── README.md ├── verbose │ ├── chall.md │ └── flag.txt ├── a-simple-conversation │ ├── flag.txt │ ├── solution.sh │ ├── ctf.xinetd │ ├── Dockerfile │ ├── talk.py │ └── README.md ├── english-sucks │ ├── Makefile │ ├── flag.txt │ ├── mt │ ├── ctf.xinetd │ ├── Dockerfile │ └── README.md ├── keith-bot │ ├── flag.txt │ ├── solution.txt │ ├── Dockerfile │ ├── eval.py │ └── bot.py ├── locked-up │ ├── solution.sh │ ├── locked.zip │ └── README.md ├── the-real-reversal │ ├── reversed.txt │ ├── solution.py │ └── README.md └── docker-compose.yml ├── forensics ├── cool-image │ ├── solution.sh │ ├── cool.pdf │ └── README.md ├── skywritingv2 │ ├── flag.txt │ └── skywritingv2.txt ├── cool-image-2 │ ├── solution.sh │ ├── cool.png │ └── README.md ├── logo-sucks-bad │ ├── flag.txt │ ├── README.md │ └── logo.png └── fish │ ├── flag.txt │ ├── chall.md │ └── fish.jpg ├── crypto ├── 64+word │ ├── flag.txt │ └── chall.md ├── hidden-flag │ ├── flag.txt │ ├── chall.md │ └── chall.png ├── a-lost-cause │ ├── flag.txt │ └── chall.md ├── bomb │ ├── files │ │ ├── flag.txt │ │ └── chall.py │ ├── site │ │ ├── bomb.png │ │ └── chall.md │ └── Dockerfile ├── tuxs-kitchen │ ├── challenge.md │ ├── files │ │ ├── flag.txt │ │ └── chall.py │ ├── Dockerfile │ └── problem.py ├── reverse-search-algorithm │ ├── flag.txt │ └── chall.md ├── welcome-to-crypto-land │ ├── flag.txt │ └── chall.md ├── spooky-ecc │ ├── secret.py │ ├── chall.md │ ├── intercept.txt │ ├── problem.sage │ └── solution.sage ├── 
multiplication-service │ ├── flag.txt │ ├── secret.py │ ├── chall.md │ ├── ctf.xinetd │ ├── Dockerfile │ ├── solution.sage │ ├── problem.sage │ └── problem.py ├── marginally-more-spooky-ecc │ ├── secret.py │ ├── chall.md │ ├── intercept.txt │ ├── generator.sage │ └── problem.sage ├── super-secure-system │ ├── files │ │ ├── flag.txt │ │ └── chall.py │ ├── Dockerfile │ └── chall.md ├── docker-compose.yml ├── massive-rsa │ ├── solution.py │ ├── README.md │ └── massive.txt └── really-secure-algorithm │ ├── README.md │ ├── solution.py │ └── secure.txt ├── README.md └── gen_pwn.py /pwn/caesars-revenge/chall.md: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /pwn/aria-writer/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{1_should_tho} -------------------------------------------------------------------------------- /pwn/bit/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{flippin_pwn_g0d} 2 | -------------------------------------------------------------------------------- /reverse/forgot-your-password/flag.txt: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /web/md5--/chall.md: -------------------------------------------------------------------------------- 1 | Written by: dwang 2 | -------------------------------------------------------------------------------- /misc/broken-gps/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{garminesuckz} 2 | -------------------------------------------------------------------------------- /misc/json-info/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{JS0N_or_Y4ML} 2 | 
-------------------------------------------------------------------------------- /web/agent-keith/chall.md: -------------------------------------------------------------------------------- 1 | Written by: dwang 2 | -------------------------------------------------------------------------------- /web/inspect-me/chall.md: -------------------------------------------------------------------------------- 1 | Written by: dwang 2 | -------------------------------------------------------------------------------- /misc/admin-pass/chall.md: -------------------------------------------------------------------------------- 1 | Written by: Weastie 2 | -------------------------------------------------------------------------------- /pwn/intro-to-netcat/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{internet_cats} 2 | -------------------------------------------------------------------------------- /reverse/bitecode/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{wH04_u_r_2_pr0_4_th1$} -------------------------------------------------------------------------------- /web/md5--/flag: -------------------------------------------------------------------------------- 1 | hsctf{php_type_juggling_is_fun} 2 | -------------------------------------------------------------------------------- /web/s-q-l/app/src/php.ini: -------------------------------------------------------------------------------- 1 | extension=mysqli.so 2 | -------------------------------------------------------------------------------- /forensics/cool-image/solution.sh: -------------------------------------------------------------------------------- 1 | cp cool.pdf flag.png 2 | -------------------------------------------------------------------------------- /forensics/skywritingv2/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{iTs_sUpeR_obViouS} 
-------------------------------------------------------------------------------- /misc/broken-repl/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{dont_you_love_parsers} 2 | -------------------------------------------------------------------------------- /misc/tasty-snack/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{p1ckl3s_4r3_t4sty} 2 | -------------------------------------------------------------------------------- /misc/verbose/chall.md: -------------------------------------------------------------------------------- 1 | Written by: dwang 2 | 3 | 4 | -------------------------------------------------------------------------------- /reverse/license/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{k3ith_m4k3s_tr4sh_r3} 2 | -------------------------------------------------------------------------------- /crypto/64+word/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{b4s3_64_w0rd_s3arch3s_ar3_fu9?} -------------------------------------------------------------------------------- /misc/a-simple-conversation/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{plz_u5e_pyth0n_3} 2 | -------------------------------------------------------------------------------- /pwn/aria-writer-v3/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{i_wish_tho_:(_0a0d098213} 2 | -------------------------------------------------------------------------------- /pwn/aria-writer-v3/flag: -------------------------------------------------------------------------------- 1 | hsctf{i_wish_tho_:(_0a0d098213} 2 | -------------------------------------------------------------------------------- /pwn/byte/bin/flag: -------------------------------------------------------------------------------- 
1 | hsctf{l0l-opt1mizati0ns_ar3-disabl3d} 2 | -------------------------------------------------------------------------------- /pwn/combo-chain-lite/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{wheeeeeee_that_was_fun} 2 | -------------------------------------------------------------------------------- /pwn/return-to-sender/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{fedex_dont_fail_me_now} 2 | -------------------------------------------------------------------------------- /reverse/a-byte/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{w0w_y0u_kn0w_d4_wA3_8h2bA029} 2 | -------------------------------------------------------------------------------- /reverse/i_thought_trig_was_easy/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{:hyperthonk:} -------------------------------------------------------------------------------- /reverse/virtualjava/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{y0u_d3f34t3d_th3_b4by_vm} -------------------------------------------------------------------------------- /crypto/hidden-flag/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{n0t_1nv1s1bl3_an5m0r3?-39547632} -------------------------------------------------------------------------------- /forensics/cool-image-2/solution.sh: -------------------------------------------------------------------------------- 1 | tail -n+2 cool.png > flag.png 2 | -------------------------------------------------------------------------------- /misc/english-sucks/Makefile: -------------------------------------------------------------------------------- 1 | mt: mt.cpp 2 | c++ -O3 -o $@ $^ 3 | -------------------------------------------------------------------------------- 
/misc/keith-bot/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{discord_bot_pyjail_uwu_030111} 2 | -------------------------------------------------------------------------------- /misc/verbose/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{esoteric_javascript_is_very_verbose} 2 | -------------------------------------------------------------------------------- /crypto/a-lost-cause/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{GLASSESAREUSEFULDONOTLOSETHEM} 2 | -------------------------------------------------------------------------------- /crypto/bomb/files/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{d1d_y0ur_b0mbe_s4cc33d???-961451631955} -------------------------------------------------------------------------------- /misc/locked-up/solution.sh: -------------------------------------------------------------------------------- 1 | unzip -l locked.zip | grep -o hsctf{.*} 2 | -------------------------------------------------------------------------------- /pwn/combo-chain/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{i_thought_konami_code_would_work_here} 2 | -------------------------------------------------------------------------------- /pwn/hard-heap/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{you_sice_deets_so_well_you_must_be_suchet} -------------------------------------------------------------------------------- /pwn/storytime/README.md: -------------------------------------------------------------------------------- 1 | Written by: Tux 2 | 3 | I want a story!!! 
4 | -------------------------------------------------------------------------------- /pwn/storytime/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{th4nk7_f0r_th3_g00d_st0ry_yay-314879357} 2 | -------------------------------------------------------------------------------- /web/accessible-rich-internet-applications/chall.md: -------------------------------------------------------------------------------- 1 | Written by: dwang 2 | -------------------------------------------------------------------------------- /crypto/tuxs-kitchen/challenge.md: -------------------------------------------------------------------------------- 1 | # Tux's Kitchen 2 | 3 | I need to bake it! -------------------------------------------------------------------------------- /forensics/logo-sucks-bad/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{th4_l3est_s3gnific3nt_bbbbbbbbbbbbb} -------------------------------------------------------------------------------- /misc/english-sucks/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{y0u_kn0w_1_h4d_t0_d0_1t_t0_3m_rng_god} 2 | -------------------------------------------------------------------------------- /reverse/daheck/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{th4t_w4s_fun!_l3ts_try_s0m3_m0r3_r3v3rs3} 2 | -------------------------------------------------------------------------------- /reverse/redtea/flag.txt: -------------------------------------------------------------------------------- 1 | RO_B_MA_DE_SO_ME_ON_E_A_SP_EC_IA_L_CU_P_OF_TE_A 2 | -------------------------------------------------------------------------------- /reverse/tux-talk-show-2019/bin/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{n1ce_j0b_w4th_r4ndom_gue33ing} 
-------------------------------------------------------------------------------- /web/inspect-me/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nginx 2 | COPY src /usr/share/nginx/html 3 | -------------------------------------------------------------------------------- /crypto/reverse-search-algorithm/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{y3s_rsa_1s_s0lved_10823704961253} -------------------------------------------------------------------------------- /crypto/welcome-to-crypto-land/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{w0w_th1s_1s_my_f1rst_crypt0_chall3ng3?} -------------------------------------------------------------------------------- /forensics/fish/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{fishy_fishy_fishy_fishy_fishy_fishy_fishy123123123123} -------------------------------------------------------------------------------- /pwn/caesars-revenge/bin/flag: -------------------------------------------------------------------------------- 1 | hsctf{should_have_left_%n_back_in_ancient_rome} 2 | -------------------------------------------------------------------------------- /reverse/redtea/bin/flag.txt: -------------------------------------------------------------------------------- 1 | RO_B_MA_DE_SO_ME_ON_E_A_SP_EC_IA_L_CU_P_OF_TE_A 2 | -------------------------------------------------------------------------------- /crypto/spooky-ecc/secret.py: -------------------------------------------------------------------------------- 1 | flag = "hsctf{Anomalous curves, m0ar like anom00se curves}" -------------------------------------------------------------------------------- /forensics/logo-sucks-bad/README.md: -------------------------------------------------------------------------------- 1 | *Written by: Tux* 2 | 3 | This logo sucks 
bad. 4 | -------------------------------------------------------------------------------- /crypto/multiplication-service/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{41W4YZ_v4lid473_those_curve_points_a94hg39} 2 | -------------------------------------------------------------------------------- /crypto/spooky-ecc/chall.md: -------------------------------------------------------------------------------- 1 | Written by ValarDragon 2 | 3 | Bigger curves means better right? -------------------------------------------------------------------------------- /pwn/bit/bin/bit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/bit/bin/bit -------------------------------------------------------------------------------- /crypto/marginally-more-spooky-ecc/secret.py: -------------------------------------------------------------------------------- 1 | flag = "hsctf{Y_does_4lice_have_such_weird_cuRV3s?}" -------------------------------------------------------------------------------- /forensics/fish/chall.md: -------------------------------------------------------------------------------- 1 | Written by: Tux 2 | 3 | I got a weird image from some fish. What is this? 
-------------------------------------------------------------------------------- /pwn/byte/bin/byte: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/byte/bin/byte -------------------------------------------------------------------------------- /web/the-quest/solution.sh: -------------------------------------------------------------------------------- 1 | curl -sL https://forms.gle/7pyAWuG3GvYL443NA | grep -o hsctf{.*} 2 | -------------------------------------------------------------------------------- /crypto/super-secure-system/files/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{h0w_d3d_y3u_de3cryP4_th3_s1p3R_s3cuR3_m355a9e?} 2 | -------------------------------------------------------------------------------- /forensics/fish/fish.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/forensics/fish/fish.jpg -------------------------------------------------------------------------------- /misc/english-sucks/mt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/misc/english-sucks/mt -------------------------------------------------------------------------------- /reverse/a-byte/a-byte: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/reverse/a-byte/a-byte -------------------------------------------------------------------------------- /reverse/license/license: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/reverse/license/license -------------------------------------------------------------------------------- 
/reverse/redtea/redtea: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/reverse/redtea/redtea -------------------------------------------------------------------------------- /crypto/64+word/chall.md: -------------------------------------------------------------------------------- 1 | *Written by: Tux* 2 | 3 | Help Keith with his word search!!!! Where is the flag? 4 | -------------------------------------------------------------------------------- /crypto/bomb/site/bomb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/crypto/bomb/site/bomb.png -------------------------------------------------------------------------------- /crypto/tuxs-kitchen/files/flag.txt: -------------------------------------------------------------------------------- 1 | hsctf{thiii111iiiss_isssss_yo0ur_b1rthd4y_s0ng_it_isnt_very_long_6621} 2 | -------------------------------------------------------------------------------- /misc/broken-gps/input.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/misc/broken-gps/input.zip -------------------------------------------------------------------------------- /misc/locked-up/locked.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/misc/locked-up/locked.zip -------------------------------------------------------------------------------- /pwn/intro-to-netcat/talk.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | print "Hey, here's your flag! 
hsctf{internet_cats}" 3 | -------------------------------------------------------------------------------- /reverse/redtea/bin/redtea: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/reverse/redtea/bin/redtea -------------------------------------------------------------------------------- /crypto/hidden-flag/chall.md: -------------------------------------------------------------------------------- 1 | *Written by: Tux* 2 | 3 | This image seems wrong.....did Keith lose the key again? -------------------------------------------------------------------------------- /crypto/hidden-flag/chall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/crypto/hidden-flag/chall.png -------------------------------------------------------------------------------- /pwn/hard-heap/bin/hard-heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/hard-heap/bin/hard-heap -------------------------------------------------------------------------------- /pwn/hard-heap/bin/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/hard-heap/bin/libc.so.6 -------------------------------------------------------------------------------- /pwn/storytime/bin/storytime: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/storytime/bin/storytime -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # HSCTF 6 Problems 2 | 3 | Here lie the problems that were deployed for HSCTF 6, which 
ran from June 3-7, 2019. -------------------------------------------------------------------------------- /crypto/bomb/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:2 2 | 3 | COPY files/ /chall 4 | WORKDIR /chall 5 | 6 | CMD [ "python2", "chall.py" ] -------------------------------------------------------------------------------- /forensics/cool-image/cool.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/forensics/cool-image/cool.pdf -------------------------------------------------------------------------------- /pwn/hard-heap/description.txt: -------------------------------------------------------------------------------- 1 | Name: Hard Heap 2 | 3 | Remember halcyon heap? Well, it was too easy so I made it hard ;) -------------------------------------------------------------------------------- /forensics/cool-image-2/cool.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/forensics/cool-image-2/cool.png -------------------------------------------------------------------------------- /forensics/logo-sucks-bad/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/forensics/logo-sucks-bad/logo.png -------------------------------------------------------------------------------- /pwn/aria-writer/bin/aria-writer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/aria-writer/bin/aria-writer -------------------------------------------------------------------------------- /pwn/aria-writer/bin/libc-2.27.so: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/aria-writer/bin/libc-2.27.so -------------------------------------------------------------------------------- /pwn/aria-writer/bin/libc-2.27.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/aria-writer/bin/libc-2.27.zip -------------------------------------------------------------------------------- /pwn/combo-chain/bin/combo-chain: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/combo-chain/bin/combo-chain -------------------------------------------------------------------------------- /pwn/hard-heap/bin/libc.so.6.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/pwn/hard-heap/bin/libc.so.6.zip -------------------------------------------------------------------------------- /reverse/bitecode/BiteCode.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/reverse/bitecode/BiteCode.class -------------------------------------------------------------------------------- /reverse/tux-talk-show-2019/trash: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/hsncsclub/HSCTF-6-Problems/HEAD/reverse/tux-talk-show-2019/trash -------------------------------------------------------------------------------- /crypto/tuxs-kitchen/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:2 2 | 3 | COPY files/ /chall 4 | WORKDIR /chall 5 | 6 | CMD [ "python2", "chall.py" ] -------------------------------------------------------------------------------- /misc/a-simple-conversation/solution.sh: 
-------------------------------------------------------------------------------- 1 | nc misc.hsctf.com 9001 < bin/flag 5 | -------------------------------------------------------------------------------- /pwn/combo-chain/README.md: -------------------------------------------------------------------------------- 1 | Written by: Ptomerty 2 | 3 | I've been really into Super Smash Brothers Melee lately... 4 | 5 | Hint: What's a ROP? 6 | 7 | `nc pwn.hsctf.com 2345` -------------------------------------------------------------------------------- /web/s-q-l/app/src/config.php: -------------------------------------------------------------------------------- 1 | flag 8 | 9 | mv flag bit bin/ 10 | -------------------------------------------------------------------------------- /misc/broken-repl/solution.sh: -------------------------------------------------------------------------------- 1 | nc misc.hsctf.com 8550 < 2 | 3 | 4 | -------------------------------------------------------------------------------- /web/s-q-l/mysql/setup.sql: -------------------------------------------------------------------------------- 1 | USE keith_db; 2 | CREATE TABLE users (username varchar(255), password varchar(255)); 3 | INSERT INTO users (username, password) VALUES ("keith", "why_are_you_here_youre_overthinking_it"); 4 | -------------------------------------------------------------------------------- /pwn/aria-writer-v3/chall.md: -------------------------------------------------------------------------------- 1 | description: 2 | 3 | Written by NotDeGhost 4 | 5 | After all that writing, Rob's gone blind. He still needs to finish this song though :( 6 | 7 | 8 | flag: hsctf{i_wish_tho_:(_0a0d098213} 9 | -------------------------------------------------------------------------------- /reverse/a-byte/readme.md: -------------------------------------------------------------------------------- 1 | Written by: ItzSomebody 2 | 3 | **Description**: Just one byte makes all the difference. 
4 | 5 | Notes: Simple xor cipher - similar to angstromCTF one_bite 6 | Recommended points: 50 to 75 7 | -------------------------------------------------------------------------------- /reverse/paint/injector/injector.vcxproj.user: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /pwn/byte/challenge.txt: -------------------------------------------------------------------------------- 1 | name: byte 2 | difficulty: easy 3 | description: Free arbitrary null write primitive, get the flag 4 | flag: HSCTF{l0l-opt1mizati0ns_ar3-disabl3d} 5 | deploy: execute `./compile.sh` 6 | provide: byte 7 | -------------------------------------------------------------------------------- /reverse/virtualjava/readme.md: -------------------------------------------------------------------------------- 1 | Written by: ItzSomebody 2 | 3 | **Description**: There's nothing like executing my own code in Java in my own special way. 4 | 5 | Only upload VirtualJava.java. 6 | Recommended points: 300-350 7 | -------------------------------------------------------------------------------- /crypto/welcome-to-crypto-land/chall.md: -------------------------------------------------------------------------------- 1 | # Welcome to Crypto Land 2 | 3 | Crypto land is fun! Decrypt: 4 | 5 | ``` 6 | KZ6UaztNnau6z39oMHUu8UTvdmq1bhob3CcEFdWXRfxJqdUAiNep4pkvkAZUSn9CvEvPNT5r2zt6JPg9bVBPYuTW4xr8v2PuPxVuCT6MLJWDJp84 7 | ``` -------------------------------------------------------------------------------- /pwn/return-to-sender/README.md: -------------------------------------------------------------------------------- 1 | Written by: Ptomerty 2 | 3 | Who knew the USPS could lose a letter so many times? 
4 | 5 | Hint: This might come in handy: https://en.wikipedia.org/wiki/Stack_buffer_overflow 6 | 7 | `nc pwn.hsctf.com 1234` -------------------------------------------------------------------------------- /reverse/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | tux-talk-show-2019: 4 | build: tux-talk-show-2019/ 5 | ports: 6 | - "6767:9999" 7 | redtea: 8 | build: redtea/ 9 | ports: 10 | - "8787:9999" -------------------------------------------------------------------------------- /misc/english-sucks/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | cps = 0 0 4 | per_source = 25 5 | port = 49151 6 | protocol = tcp 7 | rlimit_cpu = 25 8 | server = mt 9 | type = UNLISTED 10 | user = nobody 11 | wait = no 12 | } 13 | -------------------------------------------------------------------------------- /crypto/multiplication-service/secret.py: -------------------------------------------------------------------------------- 1 | privkey = 713010068013549491135050636527667225358433186136182031401156716804160978190457705957161984378709864308515388597602441298246348291949172 2 | flag = "hsctf{41W4YZ_v4lid473_those_curve_points_a94hg39}" -------------------------------------------------------------------------------- /pwn/byte/compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm -rf bin 4 | mkdir -p bin 5 | 6 | gcc byte.c -o byte -m32 -fPIE -pie -O0 -Wl,-z,relro,-z,now -g0 -fstack-protector 7 | echo 'hsctf{l0l-opt1mizati0ns_ar3-disabl3d}' > flag 8 | 9 | mv flag byte bin/ 10 | -------------------------------------------------------------------------------- /crypto/multiplication-service/chall.md: -------------------------------------------------------------------------------- 1 | Written by ValarDragon 2 | 3 | Multiplication is safe, right? 
4 | 5 | * Intended solution runs well under < 30 seconds on my laptop 6 | 7 | Note, make server run problem.py, and secret.py, give to ppl problem.sage only -------------------------------------------------------------------------------- /pwn/intro-to-netcat/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | cps = 0 0 4 | per_source = 50 5 | port = 49151 6 | protocol = tcp 7 | server = talk.py 8 | # server_args = -u talk.py 9 | type = UNLISTED 10 | user = nobody 11 | wait = no 12 | } 13 | -------------------------------------------------------------------------------- /misc/keith-bot/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:alpine 2 | 3 | RUN pip install discord.py 4 | 5 | COPY bot.py eval.py / 6 | COPY flag.txt /home 7 | # NOTE(review): the ENV line below stores the bot token in the image metadata and in this repository, so anyone who can pull the image or read the repo can read it. Supply the token when the container starts (docker run -e / --env-file, or a mounted secret) and treat the committed value as exposed. 8 | ENV DISCORD_API_KEY=NTg0OTU3ODU4MzY2NjE5NjQ4.XPm5kQ.VNSbJS_DwZOzTlPbtTvycrzJprA 9 | 10 | CMD python3 bot.py 11 | -------------------------------------------------------------------------------- /misc/broken-repl/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | cps = 0 0 4 | per_source = 25 5 | port = 49151 6 | protocol = tcp 7 | rlimit_cpu = 25 8 | server = /usr/bin/python3 9 | server_args = repl.py 10 | type = UNLISTED 11 | user = nobody 12 | wait = no 13 | } 14 | -------------------------------------------------------------------------------- /misc/tasty-snack/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | cps = 0 0 4 | per_source = 25 5 | port = 49151 6 | protocol = tcp 7 | rlimit_cpu = 25 8 | server = /usr/bin/python3 9 | server_args = -u snack.py 10 | type = UNLISTED 11 | user = nobody 12 | wait = no 13 | } 14 | -------------------------------------------------------------------------------- /pwn/combo-chain/compile.sh: 
-------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm -r bin 4 | 5 | gcc combo-chain.c -o combo-chain -no-pie -g0 -fno-stack-protector 6 | echo 'hsctf{i_thought_konami_code_would_work_here}' > flag 7 | 8 | mkdir -p bin 9 | mv flag combo-chain bin/ 10 | cp combo-chain.c bin/ 11 | -------------------------------------------------------------------------------- /misc/json-info/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | cps = 0 0 4 | per_source = 25 5 | port = 49151 6 | protocol = tcp 7 | rlimit_cpu = 25 8 | server = /usr/bin/python3 9 | server_args = -u json_info.py 10 | type = UNLISTED 11 | user = nobody 12 | wait = no 13 | } 14 | -------------------------------------------------------------------------------- /web/inspect-me/src/style.css: -------------------------------------------------------------------------------- 1 | body { 2 | font-family: Arial, Helvetica, sans-serif; 3 | background-color: #000; 4 | } 5 | 6 | main { 7 | max-width: 70ch; 8 | padding: 2ch; 9 | margin: auto; 10 | } 11 | 12 | /* The second part of the flag is: pretty_easy_ */ 13 | -------------------------------------------------------------------------------- /misc/a-simple-conversation/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | cps = 0 0 4 | per_source = 25 5 | port = 49151 6 | protocol = tcp 7 | rlimit_cpu = 25 8 | server = /usr/bin/python 9 | server_args = -u talk.py 10 | type = UNLISTED 11 | user = nobody 12 | wait = no 13 | } 14 | -------------------------------------------------------------------------------- /misc/english-sucks/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | RUN apt-get update && apt-get install -y \ 4 | xinetd \ 5 | && rm -rf /var/lib/apt/lists/* 6 | 7 | COPY ctf.xinetd /etc/xinetd.d/ctf 8 | 9 | COPY 
mt flag.txt / 10 | 11 | CMD ["xinetd", "-dontfork"] 12 | 13 | EXPOSE 49151 14 | -------------------------------------------------------------------------------- /pwn/combo-chain-lite/compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm -r bin 4 | 5 | gcc combo-chain-lite.c -o combo-chain-lite -no-pie -g0 -fno-stack-protector 6 | echo 'hsctf{wheeeeeee_that_was_fun}' > flag 7 | 8 | mkdir -p bin 9 | mv flag combo-chain-lite bin/ 10 | cp combo-chain-lite.c bin/ 11 | -------------------------------------------------------------------------------- /crypto/multiplication-service/ctf.xinetd: -------------------------------------------------------------------------------- 1 | service ctf 2 | { 3 | cps = 0 0 4 | per_source = 25 5 | port = 49151 6 | protocol = tcp 7 | rlimit_cpu = 25 8 | server = /usr/bin/python 9 | server_args = -u problem.py 10 | type = UNLISTED 11 | user = nobody 12 | wait = no 13 | } 14 | -------------------------------------------------------------------------------- /pwn/return-to-sender/compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm -r bin 4 | 5 | gcc return-to-sender.c -o return-to-sender -m32 -no-pie -g0 -fno-stack-protector 6 | echo 'hsctf{fedex_dont_fail_me_now}' > flag 7 | 8 | mkdir -p bin 9 | mv flag return-to-sender bin/ 10 | cp return-to-sender.c bin/ 11 | -------------------------------------------------------------------------------- /web/md5--/src/index.php: -------------------------------------------------------------------------------- 1 | 19 | -------------------------------------------------------------------------------- /misc/broken-repl/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | RUN apt-get update && apt-get install -y \ 4 | python3 \ 5 | xinetd \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | COPY ctf.xinetd /etc/xinetd.d/ctf 9 | 
10 | COPY repl.py flag.txt / 11 | 12 | CMD ["xinetd", "-dontfork"] 13 | 14 | EXPOSE 49151 15 | -------------------------------------------------------------------------------- /misc/tasty-snack/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | RUN apt-get update && apt-get install -y \ 4 | python3 \ 5 | xinetd \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | COPY ctf.xinetd /etc/xinetd.d/ctf 9 | 10 | COPY snack.py flag.txt / 11 | 12 | CMD ["xinetd", "-dontfork"] 13 | 14 | EXPOSE 49151 15 | -------------------------------------------------------------------------------- /pwn/intro-to-netcat/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | RUN apt-get update && apt-get install -y \ 4 | python \ 5 | xinetd \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | COPY ctf.xinetd /etc/xinetd.d/ctf 9 | 10 | COPY talk.py flag.txt / 11 | 12 | CMD ["xinetd", "-dontfork"] 13 | 14 | EXPOSE 49151 15 | -------------------------------------------------------------------------------- /misc/a-simple-conversation/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | RUN apt-get update && apt-get install -y \ 4 | python \ 5 | xinetd \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | COPY ctf.xinetd /etc/xinetd.d/ctf 9 | 10 | COPY talk.py flag.txt / 11 | 12 | CMD ["xinetd", "-dontfork"] 13 | 14 | EXPOSE 49151 15 | -------------------------------------------------------------------------------- /misc/json-info/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | RUN apt-get update && apt-get install -y \ 4 | python3-yaml \ 5 | xinetd \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | COPY ctf.xinetd /etc/xinetd.d/ctf 9 | 10 | COPY json_info.py flag.txt / 11 | 12 | CMD ["xinetd", "-dontfork"] 13 | 14 | EXPOSE 49151 15 | 
-------------------------------------------------------------------------------- /reverse/bitecode/readme.md: -------------------------------------------------------------------------------- 1 | Written by: ItzSomebody 2 | 3 | **Description**: Keith went crazy and told me to work on the compiled form of Java instead of the source code. Unfortunately, all decompilers I've tried crash on attempting to decompile. Can you help out? 4 | 5 | Only upload BiteCode.class. 6 | Recommended points: 300 7 | -------------------------------------------------------------------------------- /reverse/redtea/challenge.txt: -------------------------------------------------------------------------------- 1 | name: redtea 2 | difficulty: cup of tea 3 | description: 4 | 5 | Written by: tpa 6 | 7 | This will help you beat your friends! 8 | 9 | `nc rev.hsctf.com 8787` 10 | 11 | flag: hsctf{rob_made_some1_special_a_cup_of_tea_wink_wink_101} 12 | deploy: execute `./compile.sh` 13 | provide: redtea 14 | -------------------------------------------------------------------------------- /web/s-q-l/mysql/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM mariadb 2 | ENV MYSQL_ROOT_PASSWORD=8g1Rq1lIcZHwpYkUvhJ8jx59QMhqZNF04UyY8Eh5dD2xWVasAncdHdHnUw1xVjSo 3 | ENV MYSQL_USER=ctf 4 | ENV MYSQL_PASSWORD=eGO24c5sfgxYBzvPvgPzunBu86RyHDj7RSjT976i3IaE7R14sUe4BfyDPy4cJO6t 5 | ENV MYSQL_DATABASE=keith_db 6 | COPY setup.sql /docker-entrypoint-initdb.d/setup.sql 7 | -------------------------------------------------------------------------------- /crypto/multiplication-service/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | RUN apt-get update && apt-get install -y \ 4 | python \ 5 | xinetd \ 6 | && rm -rf /var/lib/apt/lists/* 7 | 8 | COPY ctf.xinetd /etc/xinetd.d/ctf 9 | 10 | COPY problem.py secret.py flag.txt / 11 | 12 | CMD ["xinetd", "-dontfork"] 13 | 14 | EXPOSE 49151 15 | 
-------------------------------------------------------------------------------- /reverse/redtea/compile.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rm bin/flag.txt bin/redtea 4 | mkdir -p bin 5 | 6 | gcc redtea.c -o redtea -Wall -m32 -no-pie -Os -Wl,-z,relro,-z,now -g0 -fstack-protector 7 | # strip redtea 8 | echo 'hsctf{rob_made_some1_special_a_cup_of_tea_wink_wink_101}' > flag.txt 9 | 10 | cp words.txt flag.txt redtea bin/ 11 | -------------------------------------------------------------------------------- /web/keith-logger/src/extension/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "manifest_version": 2, 3 | "name": "keith-logger", 4 | "version": "0.1.0", 5 | "author": "dwang", 6 | "content_scripts": [ 7 | { 8 | "js": ["jquery-3.3.1.min.js", "content.js"], 9 | "matches": ["http://*/*", "https://*/*"] 10 | } 11 | ] 12 | } 13 | -------------------------------------------------------------------------------- /misc/broken-gps/solution.py: -------------------------------------------------------------------------------- 1 | flag = "hsctf{" 2 | 3 | for i in range(1, 13): 4 | with open("input/%d.txt" % i) as inp_file: 5 | inp = inp_file.read() 6 | flag += chr(97 + int(0.5 + 2 * ((inp.count("east") - inp.count("west")) ** 2 + (inp.count("north") - inp.count("south")) ** 2) ** 0.5) % 26) 7 | 8 | flag += "}" 9 | 10 | print(flag) 11 | -------------------------------------------------------------------------------- /reverse/forgot-your-password/chall.md: -------------------------------------------------------------------------------- 1 | Written by: Ptomerty 2 | 3 | Help! I got this new lock for Christmas, but I've forgotten the first two values. I know the last value is `hsctfissocoolwow`. I also managed to grab a copy of their secret key generator. Can you help me out? 4 | 5 | Note: submit the first two values separated by a space in hex format. 
6 | 7 | Note: only upload generator.py -------------------------------------------------------------------------------- /crypto/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | bomb: 4 | build: bomb 5 | ports: 6 | - "8100:2000" 7 | storytime: 8 | build: super-secure-system 9 | ports: 10 | - "8111:2000" 11 | tuxs-kitchen: 12 | build: tuxs-kitchen 13 | ports: 14 | - "8112:2000" 15 | multiplication-service: 16 | build: multiplication-service 17 | ports: 18 | - "8113:49151" -------------------------------------------------------------------------------- /crypto/reverse-search-algorithm/chall.md: -------------------------------------------------------------------------------- 1 | # Reverse Search Algorithm 2 | 3 | WWPHSN students, gotta get these points to boost your grade. 4 | 5 | ``` 6 | n = 561985565696052620466091856149686893774419565625295691069663316673425409620917583731032457879432617979438142137 7 | e = 65537 8 | c = 328055279212128616898203809983039708787490384650725890748576927208883055381430000756624369636820903704775835777 9 | ``` 10 | -------------------------------------------------------------------------------- /crypto/a-lost-cause/chall.md: -------------------------------------------------------------------------------- 1 | Written by: Disha 2 | Name Credits: Shray 3 | 4 | Pirate Keith loves cryptography and has protected his treasure with a very annoying Caesar shift. He has written “CGULKVIPFRGDOOCSJTRRVMORCQDZG” on his treasure chest and has left a piece of paper with the following message: “every subsequent letter is shifted one *less* than the previous.” Knowing this, can you unlock Pirate Keith’s treasure chest? 
5 | -------------------------------------------------------------------------------- /pwn/combo-chain/combo-chain.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vuln() { 6 | char dest[8]; 7 | printf("Dude you hear about that new game called /bin/sh"); 8 | printf("? Enter the right combo for some COMBO CARNAGE!: "); 9 | gets(dest); 10 | } 11 | 12 | int main() { 13 | setbuf(stdout, NULL); 14 | gid_t gid = getegid(); 15 | setresgid(gid,gid,gid); 16 | vuln(); 17 | return 0; 18 | } -------------------------------------------------------------------------------- /pwn/combo-chain/bin/combo-chain.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vuln() { 6 | char dest[8]; 7 | printf("Dude you hear about that new game called /bin/sh"); 8 | printf("? Enter the right combo for some COMBO CARNAGE!: "); 9 | gets(dest); 10 | } 11 | 12 | int main() { 13 | setbuf(stdout, NULL); 14 | gid_t gid = getegid(); 15 | setresgid(gid,gid,gid); 16 | vuln(); 17 | return 0; 18 | } -------------------------------------------------------------------------------- /misc/keith-bot/eval.py: -------------------------------------------------------------------------------- 1 | import os 2 | import pwd 3 | import sys 4 | import textwrap 5 | # Look up the "nobody" account whose uid and gid the process switches to below. 6 | pw = pwd.getpwnam("nobody") 7 | # Confine the filesystem view to ./home before anything submitted is run. 8 | os.chdir("home") 9 | os.chroot(".") 10 | # Clear supplementary groups, then set gid, then uid (presumably started as root; once setuid() has run, the two earlier calls would no longer be permitted). 11 | os.setgroups(()) 12 | os.setgid(pw.pw_gid) 13 | os.setuid(pw.pw_uid) 14 | # NOTE(review): an emptied __builtins__ is not a security boundary for exec() on untrusted text; the chroot and the uid/gid drop above are what actually confine the snippet. 15 | env = {"__builtins__": {}} 16 | # Everything read from stdin becomes the body of func(), so the snippet can use return. 17 | exec(f"def func():\n{textwrap.indent(sys.stdin.read(), ' ')}", env) 18 | # Call the submitted function; a result other than None is printed. 19 | ret = env["func"]() 20 | 21 | if ret is not None: 22 | print(ret) 23 | -------------------------------------------------------------------------------- /crypto/spooky-ecc/intercept.txt: -------------------------------------------------------------------------------- 1 | 
(1177058043549358413014554258002815119079001682731148396776662750875463733619059415667987598866208023692880799135159888362631239206873676420277546691755222 : 6042132606876152754155047441818131810928517366269481359146510190883638121779596002132009344517568983680414721512960291321687246617263491498797986759689315 : 1) 2 | d5cb4f93aa95af738bbcf5cbc1d4f1b66c9c9f84b4257035cf19e3ee41e2b79384fed7ef7d9fb58f6dfb86fefc95429b9f87b5b8a330aa082681fd140b8156bd -------------------------------------------------------------------------------- /pwn/return-to-sender/return-to-sender.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void win() { 6 | system("/bin/sh"); 7 | } 8 | 9 | void vuln() { 10 | char dest[8]; 11 | printf("Where are you sending your mail to today? "); 12 | gets(dest); 13 | printf("Alright, to %s it goes!\n", dest); 14 | } 15 | 16 | int main() { 17 | setbuf(stdout, NULL); 18 | gid_t gid = getegid(); 19 | setresgid(gid,gid,gid); 20 | vuln(); 21 | return 0; 22 | } -------------------------------------------------------------------------------- /pwn/return-to-sender/bin/return-to-sender.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void win() { 6 | system("/bin/sh"); 7 | } 8 | 9 | void vuln() { 10 | char dest[8]; 11 | printf("Where are you sending your mail to today? 
"); 12 | gets(dest); 13 | printf("Alright, to %s it goes!\n", dest); 14 | } 15 | 16 | int main() { 17 | setbuf(stdout, NULL); 18 | gid_t gid = getegid(); 19 | setresgid(gid,gid,gid); 20 | vuln(); 21 | return 0; 22 | } -------------------------------------------------------------------------------- /pwn/combo-chain-lite/combo-chain-lite.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vuln() { 6 | char dest[8]; 7 | printf("Here's your free computer: %p\n", system); 8 | printf("Dude you hear about that new game called /bin/sh"); 9 | printf("? Enter the right combo for some COMBO CARNAGE!: "); 10 | gets(dest); 11 | } 12 | 13 | int main() { 14 | setbuf(stdout, NULL); 15 | gid_t gid = getegid(); 16 | setresgid(gid,gid,gid); 17 | vuln(); 18 | return 0; 19 | } -------------------------------------------------------------------------------- /pwn/combo-chain-lite/bin/combo-chain-lite.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void vuln() { 6 | char dest[8]; 7 | printf("Here's your free computer: %p\n", system); 8 | printf("Dude you hear about that new game called /bin/sh"); 9 | printf("? 
Enter the right combo for some COMBO CARNAGE!: "); 10 | gets(dest); 11 | } 12 | 13 | int main() { 14 | setbuf(stdout, NULL); 15 | gid_t gid = getegid(); 16 | setresgid(gid,gid,gid); 17 | vuln(); 18 | return 0; 19 | } -------------------------------------------------------------------------------- /web/networked-password/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Networked Password 6 | 7 | 8 | {% if incorrect %} 9 | Incorrect Password 10 | {% elif correct %} 11 | Correct Password 12 | {% endif %} 13 | 14 | 15 | 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /misc/tasty-snack/snack.py: -------------------------------------------------------------------------------- 1 | import pickle, sys 2 | # Unpickler subclass whose find_class allow-lists one module: globals are resolved only when the stream names "__main__", and any other module raises UnpicklingError. 3 | class Unpickler(pickle.Unpickler): 4 | def find_class(self, module, name): 5 | if module == "__main__": 6 | return super().find_class(module, name) 7 | raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name)) 8 | # NOTE(review): this filter narrows pickle but does not sandbox it; whatever is reachable through __main__ can still be resolved by a stream read from stdin. For untrusted input prefer a data-only format such as json. 9 | print("I'm hungry for some pickles") 10 | 11 | try: 12 | p = Unpickler(sys.stdin.buffer).load() 13 | except Exception as e: 14 | print("Noooo I want pickles", e) 15 | else: 16 | print("Yum Yum pickle pickle", p) 17 | -------------------------------------------------------------------------------- /reverse/i_thought_trig_was_easy/nice_math.py: -------------------------------------------------------------------------------- 1 | import math 2 | 3 | def nice_math(x, y): 4 | return round(x + y*math.cos(math.pi * x)) 5 | 6 | lots_of_nums = lambda n,a:(lambda r:[*r,n-sum(r)])(range(n//a-a//2,n//a+a//2+a%2)) 7 | 8 | def get_number(char): 9 | return ord(char) - 96 10 | 11 | inp = input("Enter the text: ") 12 | 13 | out = [] 14 | for i in range(0, len(inp)): 15 | for j in lots_of_nums(nice_math(get_number(inp[i]), len(inp) - i), i + 1): 16 | out.append(nice_math(j, i + 1)) 17 | print(out) 18 | 
-------------------------------------------------------------------------------- /pwn/intro-to-netcat/README.md: -------------------------------------------------------------------------------- 1 | Written by: Ptomerty 2 | 3 | Hey there! This challenge is a quick introduction to netcat and how to use it. Netcat is a program that will help you "talk" with many of our challenges, especially pwn and misc. To begin, Windows users should download this file: https://drive.google.com/open?id=1Z8MS8SZYqZrteXOVPRL7BHwB4JL9t9J8 4 | 5 | Extract the file, then open a command prompt and navigate to the directory using `cd `. From there, you can run `nc misc.hsctf.com 1111` to get your first flag. 6 | 7 | Have fun! 8 | -------------------------------------------------------------------------------- /misc/the-real-reversal/solution.py: -------------------------------------------------------------------------------- 1 | # coding=utf8 2 | 3 | chars = dict(zip( 4 | u"𝙰𝙱𝙲𝙳𝙴𝙵𝙶𝙷𝙸𝙹𝙺𝙻𝙼𝙽𝙾𝙿𝚀𝚁𝚂𝚃𝚄𝚅𝚆𝚇𝚈𝚉𝚊𝚋𝚌𝚍𝚎𝚏𝚐𝚑𝚒𝚓𝚔𝚕𝚖𝚗𝚘𝚙𝚚𝚛𝚜𝚝𝚞𝚟𝚠𝚡𝚢𝚣", 5 | u"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" 6 | )) 7 | 8 | with open("reversed.txt", "rb") as inp: 9 | contents = inp.read() 10 | 11 | decoded = contents[::-1].decode("utf8")[::-1] 12 | 13 | plain = "".join(chars.get(i, i) for i in decoded) 14 | 15 | flag_index = plain.index("hsctf{") 16 | print(plain[flag_index:plain.index("}", flag_index) + 1]) 17 | -------------------------------------------------------------------------------- /misc/a-simple-conversation/talk.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from time import sleep 3 | 4 | print("Hello!") 5 | 6 | sleep(1) 7 | 8 | print("Hey, can you help me out real quick.") 9 | 10 | sleep(1) 11 | 12 | print("I need to know your age.") 13 | 14 | sleep(1) 15 | 16 | print("What's your age?") 17 | 18 | age = input("> ") 19 | 20 | sleep(1) 21 | 22 | print("Wow!") 23 | 24 | sleep(1) 25 | 26 | print("Sometimes I wish I was %s" % age) 27 | 
28 | sleep(1) 29 | 30 | print("Well, it was nice meeting you, %s-year-old." % age) 31 | 32 | sleep(1) 33 | 34 | print("Goodbye!") 35 | -------------------------------------------------------------------------------- /forensics/skywritingv2/skywritingv2.txt: -------------------------------------------------------------------------------- 1 | Written by: NotDeGhost 2 | 3 | Fortnite Battle Royale contains a variety of weapons and this page lists every weapon in Fortnite along with their weapon stats like damage, DPS, fire rate, magazine size, and reload speed. 4 | 5 | Note: This was a throwback to the original skywriting which included many big leaps of intuition. 6 | 7 | This problem has now been modified to make it more doable. 8 | 9 | Hint 1: I like xoring together the names of "Rifle"s together. 10 | Hint 2: Try googling the first sentence of this problem. 11 | 12 | Flag: LjUlMiA9LxI1GTUTNiodECAtUSx5YxY4 -------------------------------------------------------------------------------- /pwn/storytime/storytime.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | void beginning(){ 5 | write(1, "Once upon a time...\n", 40); 6 | } 7 | 8 | void middle(){ 9 | write(1, "Middle of story is the best! 
:D\n", 40); 10 | } 11 | 12 | void end(){ 13 | write(1, "The End!\n", 40); 14 | } 15 | 16 | int climax(){ 17 | char buffer[40]; 18 | return read(0, &buffer, 4000); 19 | } 20 | 21 | int main() { 22 | char buffer[48]; 23 | 24 | setvbuf(stdout, NULL, _IONBF, 0); 25 | write(1, "HSCTF PWNNNNNNNNNNNNNNNNNNNN\n", 29); 26 | write(1, "Tell me a story: \n", 18); 27 | read(0, &buffer, 400); 28 | return 0; 29 | } -------------------------------------------------------------------------------- /misc/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | admin-pass: 4 | build: ./admin-pass 5 | ports: 6 | - 8001:80 7 | - 8080:80 8 | - 80:80 9 | a-simple-conversation: 10 | build: ./a-simple-conversation 11 | ports: 12 | - 9001:49151 13 | broken-repl: 14 | build: ./broken-repl 15 | ports: 16 | - 8550:49151 17 | keith-bot: 18 | build: ./keith-bot 19 | tasty-snack: 20 | build: tasty-snack 21 | ports: 22 | - 9977:49151 23 | english-sucks: 24 | build: english-sucks 25 | ports: 26 | - 9988:49151 27 | json-info: 28 | build: json-info 29 | ports: 30 | - 9999:49151 31 | -------------------------------------------------------------------------------- /web/inspect-me/src/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | inspect-me 7 | 8 | 9 | 10 | 11 | Keith was working on his CTF problem, but his little brother accidently moved the flag around. Can you help Keith find the flag? 12 | 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /web/agent-keith/src/templates/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | agent-keith 7 | 8 | 9 | 10 | 11 | If you're not Keith, you won't get the flag! 
12 | Your agent is: {{ user_agent }} 13 | Flag: {{ flag }} 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /pwn/bit/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./bit 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/byte/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./byte 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/hard-heap/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = 
UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./hard-heap 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/storytime/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./storytime 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /reverse/redtea/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./redtea 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that 
the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/aria-writer/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./aria-writer 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/combo-chain/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./combo-chain 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/aria-writer-v3/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | 
protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./aria-writer-v3 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /reverse/tux-talk-show-2019/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./trash 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/caesars-revenge/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./caesars-revenge 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service 
per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/combo-chain-lite/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./combo-chain-lite 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /pwn/return-to-sender/ctf.xinetd: -------------------------------------------------------------------------------- 1 | 2 | service ctf 3 | { 4 | disable = no 5 | socket_type = stream 6 | protocol = tcp 7 | wait = no 8 | user = root 9 | type = UNLISTED 10 | port = 9999 11 | bind = 0.0.0.0 12 | server = /usr/sbin/chroot 13 | # replace helloworld to your program 14 | server_args = --userspec=1000:1000 /home/ctf ./return-to-sender 15 | banner_fail = /etc/banner_fail 16 | # safety options 17 | per_source = 10 # the maximum instances of this service per source IP address 18 | rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use 19 | #rlimit_as = 1024M # the Address Space resource limit for the service 20 | } 21 | -------------------------------------------------------------------------------- /misc/json-info/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | JSON Info 5 | 6 | 7 | Category 8 | Miscellaneous 9 | 10 | 11 | Message 12 | I made a simple program to analyze my JSON files. 13 | 14 | 15 | Flags 16 | hsctf{JS0N_or_Y4ML} 17 | 18 | 19 | Files 20 | 21 | 22 | 23 | Tags 24 | Miscellaneouscppio 25 | 26 | 27 | Hints 28 | Try to make it fail. 29 | 30 | 31 | -------------------------------------------------------------------------------- /web/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | inspect-me: 4 | build: ./inspect-me 5 | ports: 6 | - 127.0.0.1:8001:80 7 | 8 | agent-keith: 9 | build: ./agent-keith 10 | ports: 11 | - 127.0.0.1:8002:80 12 | 13 | md5-minus-minus: 14 | build: ./md5-- 15 | ports: 16 | - 127.0.0.1:8003:80 17 | 18 | keith-logger: 19 | build: ./keith-logger 20 | ports: 21 | - 127.0.0.1:8004:80 22 | 23 | s-q-l: 24 | build: ./s-q-l/app 25 | ports: 26 | - 127.0.0.1:8005:80 27 | 28 | s-q-l-mysql: 29 | build: ./s-q-l/mysql 30 | ports: 31 | - 127.0.0.1:3306:3306 32 | 33 | networked-password: 34 | build: ./networked-password 35 | ports: 36 | - 127.0.0.1:8006:80 37 | -------------------------------------------------------------------------------- /crypto/massive-rsa/solution.py: -------------------------------------------------------------------------------- 1 | import binascii 2 | 3 | with open("massive.txt") as massive: 4 | exec(massive.read()) # NOTE(review): exec() runs the whole of massive.txt as Python, so this script is only as trustworthy as that file; it presumably just assigns n, e and c, which could be parsed as integers instead of executed. 5 | 6 | # https://en.wikibooks.org/wiki/Algorithm_Implementation/Mathematics/Extended_Euclidean_algorithm 7 | 8 | def xgcd(a, b): 9 | """return (g, x, y) such that a*x + b*y = g = gcd(a, b)""" 10 | x0, x1, y0, y1 = 0, 1, 1, 0 11 | while a != 0: 12 | q, b, a = b // a, a, b % a 13 | y0, y1 = y1, y0 - q * y1 14 | x0, x1 = x1, x0 - q * x1 15 | return b, x0, y0 16 | 17 | def mulinv(a, b): 18 | """return x such that (x * a) % b == 1""" 19 | g, x, _ = xgcd(a, b) 20 | if g == 1: 21 | return x
% b 22 | 23 | m = pow(c, mulinv(e, n - 1), n) 24 | 25 | print(binascii.unhexlify(hex(m)[2:].rstrip("L")).decode()) 26 | -------------------------------------------------------------------------------- /misc/tasty-snack/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | Tasty Snack 5 | 6 | 7 | Category 8 | Miscellaneous 9 | 10 | 11 | Message 12 | I have just discovered the tastiest snack in the entire universe. 13 | 14 | 15 | Flags 16 | hsctf{p1ckl3s_4r3_t4sty} 17 | 18 | 19 | Files 20 | 21 | 22 | 23 | Tags 24 | Miscellaneouscppio 25 | 26 | 27 | Hints 28 | Read the pickle documentation and source code. 29 | 30 | 31 | -------------------------------------------------------------------------------- /misc/broken-repl/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | Broken REPL 5 | 6 | 7 | Category 8 | Miscellaneous 9 | 10 | 11 | Message 12 | My friend says that there is a bug in my REPL. Can you help me find it? 13 | 14 | 15 | Flags 16 | hsctf{dont_you_love_parsers} 17 | 18 | 19 | Files 20 | repl.py 21 | 22 | 23 | Tags 24 | Miscellaneouscppio 25 | 26 | 27 | Hints 28 | What happens to the given input? 
29 | 30 | 31 | -------------------------------------------------------------------------------- /web/networked-password/solution.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | 3 | from requests_futures.sessions import FuturesSession 4 | import string 5 | import sys 6 | 7 | server = "https://networked-password.web.chal.hsctf.com" 8 | 9 | flag = "hsctf{" 10 | 11 | if sys.stdout.isatty(): 12 | print(flag, end="\r") 13 | sys.stdout.flush() 14 | 15 | with FuturesSession(max_workers=len(string.printable)) as session: 16 | while not flag.endswith("}"): 17 | futures = [session.post(server, data={"password": flag + char}) for char in string.printable] 18 | 19 | flag += max(zip((future.result().elapsed for future in futures), string.printable))[1] 20 | 21 | if sys.stdout.isatty(): 22 | print(flag, end="\r") 23 | sys.stdout.flush() 24 | 25 | print(flag) 26 | -------------------------------------------------------------------------------- /crypto/really-secure-algorithm/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | Really Secure Algorithm 5 | 6 | 7 | Category 8 | Cryptography 9 | 10 | 11 | Message 12 | I heard about RSA, so I took a go at implementing it. 13 | 14 | 15 | Flags 16 | hsctf{square_number_time} 17 | 18 | 19 | Files 20 | secure.txt 21 | 22 | 23 | Tags 24 | Cryptographycppio 25 | 26 | 27 | Hints 28 | The numbers are decently large... 29 | 30 | 31 | -------------------------------------------------------------------------------- /crypto/massive-rsa/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | Massive RSA 5 | 6 | 7 | Category 8 | Cryptography 9 | 10 | 11 | Message 12 | I was scared that my RSA would be broken, so I made sure that the numbers were massive. 
13 | 14 | 15 | Flags 16 | hsctf{forg0t_t0_mult1ply_prim3s} 17 | 18 | 19 | Files 20 | massive.txt 21 | 22 | 23 | Tags 24 | Cryptographycppio 25 | 26 | 27 | Hints 28 | The numbers are really big... 29 | 30 | 31 | -------------------------------------------------------------------------------- /misc/english-sucks/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | English Sucks 5 | 6 | 7 | Category 8 | Miscellaneous 9 | 10 | 11 | Message 12 | English is such a confusing language. Can you help me understand it? 13 | 14 | 15 | Flags 16 | hsctf{y0u_kn0w_1_h4d_t0_d0_1t_t0_3m_rng_god} 17 | 18 | 19 | Files 20 | mt.cpp 21 | 22 | 23 | Tags 24 | Miscellaneouscppio 25 | 26 | 27 | Hints 28 | Watch out for the order of the output. 29 | 30 | 31 | -------------------------------------------------------------------------------- /forensics/cool-image-2/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | Cool Image 2 5 | 6 | 7 | Category 8 | Forensics 9 | 10 | 11 | Message 12 | My friend sent me this image, but I can't open it. Can you help me open the image? 13 | 14 | 15 | Flags 16 | hsctf{sorry_about_the_extra_bytes} 17 | 18 | 19 | Files 20 | cool.png 21 | 22 | 23 | Tags 24 | Forensicscppio 25 | 26 | 27 | Hints 28 | Try looking at the raw contents of the file. 29 | 30 | 31 | -------------------------------------------------------------------------------- /forensics/cool-image/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | Cool Image 5 | 6 | 7 | Category 8 | Forensics 9 | 10 | 11 | Message 12 | My friend told me he found a really cool image, but I couldn't open it. Can you help me access the image? 13 | 14 | 15 | Flags 16 | hsctf{who_uses_extensions_anyways} 17 | 18 | 19 | Files 20 | cool.pdf 21 | 22 | 23 | Tags 24 | Forensicscppio 25 | 26 | 27 | Hints 28 | Is the file really a PDF? 
29 | 30 | 31 | -------------------------------------------------------------------------------- /misc/a-simple-conversation/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | A Simple Conversation 5 | 6 | 7 | Category 8 | Miscellaneous 9 | 10 | 11 | Message 12 | Someone on the internet wants to talk to you. Can you find out what they want? 13 | 14 | 15 | Flags 16 | hsctf{plz_u5e_pyth0n_3} 17 | 18 | 19 | Files 20 | talk.py 21 | 22 | 23 | Tags 24 | Miscellaneouscppio 25 | 26 | 27 | Hints 28 | Are you sure it's run the way you expect? 29 | 30 | 31 | -------------------------------------------------------------------------------- /misc/json-info/json_info.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import yaml 3 | 4 | print("Welcome to JSON info!") 5 | 6 | print("Please enter your JSON:") 7 | 8 | try: 9 | d = yaml.load(sys.stdin) # NOTE(review): yaml.load is called without a Loader argument on data read from stdin; depending on the PyYAML version that default can construct arbitrary Python objects, and it accepts any YAML rather than only JSON. Outside a deliberately vulnerable challenge use yaml.safe_load or json.load. 10 | except Exception as e: 11 | print("There was an error: %s" % str(e)) 12 | else: 13 | if isinstance(d, list): 14 | print("You have entered: an array") 15 | print("The array has %d elements" % len(d)) 16 | print("Thank you for using JSON info!") 17 | elif isinstance(d, dict): 18 | print("You have entered: an object") 19 | print("The object has %d members" % len(d)) 20 | print("Thank you for using JSON info!") 21 | else: 22 | print("Type %s is unsupported" % d.__class__.__name__) 23 | print("Please use a valid JSON array or object") 24 | print("Thank you for using JSON info!") 25 | -------------------------------------------------------------------------------- /misc/locked-up/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | Locked Up 5 | 6 | 7 | Category 8 | Miscellaneous 9 | 10 | 11 | Message 12 | My friend gave me a zip file with the flag in it, but the zip file is encrypted. Can you help me open the zip file?
13 | 14 | 15 | Flags 16 | hsctf{w0w_z1ps_ar3nt_th@t_secUr3} 17 | 18 | 19 | Files 20 | locked.zip 21 | 22 | 23 | Tags 24 | Miscellaneouscppio 25 | 26 | 27 | Hints 28 | Try opening it. What happens? 29 | 30 | 31 | -------------------------------------------------------------------------------- /web/agent-keith/src/main.py: -------------------------------------------------------------------------------- 1 | from starlette.applications import Starlette 2 | from starlette.staticfiles import StaticFiles 3 | from starlette.templating import Jinja2Templates 4 | import uvicorn 5 | 6 | templates = Jinja2Templates(directory='templates') 7 | 8 | app = Starlette() 9 | app.mount('/static', StaticFiles(directory='static'), name='static') 10 | 11 | @app.route("/") 12 | def index(request): 13 | user_agent = request.headers.get("User-Agent") # NOTE(review): User-Agent is a client-supplied request header, so the equality check below verifies nothing the client cannot simply assert; it is a challenge gate, not an access control. 14 | 15 | if user_agent == "NCSA_Mosaic/2.0 (Windows 3.1)": 16 | flag = "hsctf{wow_you_are_agent_keith_now}" 17 | else: 18 | flag = "Access Denied" 19 | 20 | template = "index.html" 21 | context = {"flag": flag, "user_agent": user_agent, 'request': request} 22 | return templates.TemplateResponse(template, context) 23 | 24 | if __name__ == "__main__": 25 | uvicorn.run(app) 26 | -------------------------------------------------------------------------------- /web/networked-password/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | Networked Password 5 | 6 | 7 | Category 8 | Web 9 | 10 | 11 | Message 12 | Storing passwords on my own server seemed unsafe, so I stored it on a seperate one instead. However, the connection between them is very slow and I have no idea why. 13 | 14 | 15 | Flags 16 | hsctf{sm0l_fl4g} 17 | 18 | 19 | Files 20 | 21 | 22 | 23 | Tags 24 | Webcppio 25 | 26 | 27 | Hints 28 | You know the flag format.
29 | 30 | 31 | -------------------------------------------------------------------------------- /web/the-quest/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | The Quest 5 | 6 | 7 | Category 8 | Web 9 | 10 | 11 | Message 12 | You think you are worthy of obtaining the flag? Try your hand at [The Quest to Obtain the Flag](https://forms.gle/7pyAWuG3GvYL443NA). 13 | 14 | 15 | Flags 16 | hsctf{google_forms_regex_cant_stop_nobody} 17 | 18 | 19 | Files 20 | 21 | 22 | 23 | Tags 24 | Webcppio 25 | 26 | 27 | Hints 28 | Maybe you don't have to complete the challenges... 29 | 30 | 31 | -------------------------------------------------------------------------------- /crypto/bomb/site/chall.md: -------------------------------------------------------------------------------- 1 | *Written by: Tux* 2 | 3 | Keith found a weird message on his desk along with a drawing: 4 | ``` 5 | JGYJZ NOXZX QZRUQ KNTDN UJWIA ISVIN PFKIR VWKWC UXEBH RFHDI NMOGQ BPRHW CXGAC ARBUN IHOWH QDDGL BBZYH HEJMV RBLJH CLHYP FSAAA KNRPX IKSNX QASGI XBMNP FLAFA KFEGV YWYUN JGBHH QDLZP UJWMO CCEUL YFIHR GTCOZ GEQML VFUAV URXUU BBGCI YZJQQ ROQFU SJDVR JILAJ XYCBC IGATK LQMAP UDPCG ONWFV MHBEC CLBLP JHZJN HMDNY YATIL FQSND AOCAM MGVRZ FEVKL CEDMG AIWXG QPCBI VTVZU HQGFD ZJICI EIWLP IFKAB LNVZI XRZTR SLGCA SZPFF HGBUK JAXNN JHUSV UFPIM ZZLAW SYOHB TOLRF KWANX FNEFD XXLNR LLGYS VTGXP NJQMC WAKRP JKWDP WVTNP WRYEJ RSODI QDYOQ DJDBI SLAVB UPDDR ATHYG ANJQR XPGFM FAMJR ZSJHC SYWQQ VBIHX XCQFW XZBUH ZRXWV TPESM EGVVY PBJSS 6 | 7 | Reflector: B 8 | Rotors: 3,2,4 9 | Crib: the secret to life is 10 | ``` 11 | 12 | Keith is very confused. Help Keith find out what the message means. 
13 | -------------------------------------------------------------------------------- /reverse/license/readme.md: -------------------------------------------------------------------------------- 1 | Written by: ItzSomebody 2 | 3 | Description: Keith made a cool license-checking program but he forgot the flag 4 | he used to create the key! To make matters worse, he lost the source code and 5 | stripped the binary for his license-generator program. Can you help Keith recover 6 | his flag? All he knows is: 7 | 8 | * The license key is 4-EZF2M-7O5F4-V9P7O-EVFDP-E4VDO-O 9 | * He put his name (in the form of 'k3ith') as the first part of the flag 10 | * There are 3 underscores 11 | * The flag is in the format hsctf{} 12 | * The flag doesn't have random character sequences (you should be able to read the entire flag easily). 13 | * The flag only contains lowercase English letters and numbers. 14 | * The generator might produce the same keys for different inputs because Keith was too lazy to write 15 | the algorithm properly. 16 | 17 | Recommended points: 150 - 200 18 | -------------------------------------------------------------------------------- /crypto/multiplication-service/solution.sage: -------------------------------------------------------------------------------- 1 | p = 2^448 - 2^224 - 1 2 | K = Zmod(p) 3 | # Multiplicative generator 4 | g = 7 5 | # sign(0, g) 6 | res = 311589760906266120933024602359475939134672273109563952308592541241419957528683030889669112603105306747274953585289179030081206329387359 7 | #solution = x s.t. 
g^x = res mod p 8 | primes = [2, 641, 18287, 196687, 1466449, 2916841, 6700417, 1469495262398780123809, 167773885276849215533569, 596242599987116128415063, 37414057161322375957408148834323969] 9 | assert prod(primes) == (p - 1) 10 | ranges = primes[:7] + [2^40, 2^40, 2^40, 2^40] 11 | dlogs = [] 12 | for i in range(len(primes)): 13 | # map to subgroup 14 | base_n = K(pow(g, (p - 1) / primes[i], p)) 15 | res_n = K(pow(res, (p - 1) / primes[i], p)) 16 | dlogs += [discrete_log_lambda(res_n, base_n, (0, ranges[i]))] 17 | 18 | dlog = CRT(dlogs, primes) 19 | assert pow(g, dlog, p) == res 20 | print(dlog) -------------------------------------------------------------------------------- /misc/the-real-reversal/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | The Real Reversal 5 | 6 | 7 | Category 8 | Miscellaneous 9 | 10 | 11 | Message 12 | My friend gave me some fancy text, but it was reversed, and so I tried to reverse it but I think I messed it up further. Can you find out what the text says? 13 | 14 | 15 | Flags 16 | hsctf{utf8_for_the_win} 17 | 18 | 19 | Files 20 | reversed.txt 21 | 22 | 23 | Tags 24 | Miscellaneouscppio 25 | 26 | 27 | Hints 28 | What happens if the file is reversed? 
29 | 30 | 31 | -------------------------------------------------------------------------------- /web/keith-logger/src/extension/content.js: -------------------------------------------------------------------------------- 1 | var timeout_textarea; 2 | var xhr_textarea; 3 | 4 | $("textarea").on("keyup", function() { 5 | if (timeout_textarea) { 6 | clearTimeout(timeout_textarea); 7 | } 8 | 9 | if (xhr_textarea) { 10 | xhr_textarea.abort(); 11 | } 12 | 13 | timeout_textarea = setTimeout(function() { 14 | var xhr = new XMLHttpRequest(); 15 | /* 16 | xhr.open( 17 | "GET", 18 | "https://keith-logger.web.chal.hsctf.com/api/record?text=" + 19 | encodeURIComponent($("textarea").val()) + 20 | "&url=" + encodeURIComponent(window.location.href), 21 | true 22 | );*/ 23 | 24 | 25 | // send a request to admin whenever something is logged, not needed anymore after testing 26 | /* 27 | xhr.open( 28 | "GET", 29 | "https://keith-logger.web.chal.hsctf.com/api/admin", 30 | true 31 | );*/ 32 | 33 | xhr.send(); 34 | }, 2000); 35 | }); 36 | -------------------------------------------------------------------------------- /web/networked-password/main.py: -------------------------------------------------------------------------------- 1 | import asyncio 2 | import uvicorn 3 | 4 | from os.path import commonprefix 5 | 6 | from starlette.applications import Starlette 7 | from starlette.templating import Jinja2Templates 8 | 9 | 10 | flag = "hsctf{sm0l_fl4g}" 11 | 12 | 13 | templates = Jinja2Templates(".") 14 | 15 | app = Starlette() 16 | 17 | @app.route("/", methods=["GET", "POST"]) 18 | async def index(request): 19 | if request.method == "POST": 20 | form = await request.form() 21 | 22 | password = str(form.get("password", "")) 23 | 24 | common = len(commonprefix((password, flag))) 25 | await asyncio.sleep(common * 0.5) # NOTE(review): the delay is proportional to the length of the prefix the submitted password shares with flag, so response latency discloses how much of a guess is correct; a production check should compare in constant time (e.g. hmac.compare_digest) and add no input-dependent delay. 26 | 27 | incorrect = password != flag 28 | correct = password == flag 29 | else: 30 | incorrect = correct = False 31 | 32 | return templates.TemplateResponse("index.html",
{"incorrect": incorrect, "correct": correct, "request": request}) 33 | 34 | 35 | if __name__ == "__main__": 36 | uvicorn.run(app) 37 | -------------------------------------------------------------------------------- /web/s-q-l/app/src/public/signin.css: -------------------------------------------------------------------------------- 1 | html, 2 | body { 3 | height: 100%; 4 | } 5 | 6 | body { 7 | display: -ms-flexbox; 8 | display: flex; 9 | -ms-flex-align: center; 10 | align-items: center; 11 | padding-top: 40px; 12 | padding-bottom: 40px; 13 | background-color: #f5f5f5; 14 | } 15 | 16 | .form-signin { 17 | width: 100%; 18 | max-width: 330px; 19 | padding: 15px; 20 | margin: auto; 21 | } 22 | .form-signin .checkbox { 23 | font-weight: 400; 24 | } 25 | .form-signin .form-control { 26 | position: relative; 27 | box-sizing: border-box; 28 | height: auto; 29 | padding: 10px; 30 | font-size: 16px; 31 | } 32 | .form-signin .form-control:focus { 33 | z-index: 2; 34 | } 35 | .form-signin input[type="email"] { 36 | margin-bottom: -1px; 37 | border-bottom-right-radius: 0; 38 | border-bottom-left-radius: 0; 39 | } 40 | .form-signin input[type="password"] { 41 | margin-bottom: 10px; 42 | border-top-left-radius: 0; 43 | border-top-right-radius: 0; 44 | } 45 | -------------------------------------------------------------------------------- /crypto/bomb/files/chall.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import SocketServer 4 | 5 | flag = open('flag.txt').read().strip() 6 | 7 | SocketServer.TCPServer.allow_reuse_address = True 8 | 9 | 10 | class ThreadedTCPRequestHandler(SocketServer.BaseRequestHandler): 11 | def handle(self): 12 | self.request.settimeout(15) 13 | self.request.sendall("Password: \n") 14 | 15 | x = self.request.recv(2048) 16 | x = x.lower().strip('\n').replace(' ','') 17 | try: 18 | if x == "insecurekeithwasanenigma": 19 | self.request.sendall("\nHere is your flag!\n") 20 | 
self.request.sendall(flag+"\n") 21 | else: 22 | self.request.sendall("\nNo...\n\n") 23 | return 24 | except Exception: 25 | ret = 'Error' 26 | 27 | class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): 28 | pass 29 | 30 | if __name__ == '__main__': 31 | server = ThreadedTCPServer(('0.0.0.0', 2000), ThreadedTCPRequestHandler) 32 | server.allow_reuse_address = True 33 | server.serve_forever() -------------------------------------------------------------------------------- /pwn/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | services: 3 | aria-writer: 4 | build: aria-writer/ 5 | ports: 6 | - "2222:9999" 7 | storytime: 8 | build: storytime/ 9 | ports: 10 | - "3333:9999" 11 | bit: 12 | build: bit/ 13 | ports: 14 | - "4444:9999" 15 | hard-heap: 16 | build: hard-heap/ 17 | ports: 18 | - "5555:9999" 19 | caesars-revenge: 20 | build: caesars-revenge/ 21 | ports: 22 | - "4567:9999" 23 | intro-to-netcat: 24 | build: intro-to-netcat/ 25 | ports: 26 | - "1111:49151" 27 | return-to-sender: 28 | build: return-to-sender 29 | ports: 30 | - "1234:9999" 31 | combo-chain: 32 | build: combo-chain 33 | ports: 34 | - "2345:9999" 35 | byte: 36 | build: byte 37 | ports: 38 | - "6666:9999" 39 | combo-chain-lite: 40 | build: combo-chain-lite 41 | ports: 42 | - "3131:9999" 43 | aria-writer-v3: 44 | build: aria-writer-v3 45 | ports: 46 | - "2468:9999" 47 | -------------------------------------------------------------------------------- /crypto/really-secure-algorithm/solution.py: -------------------------------------------------------------------------------- 1 | import binascii 2 | 3 | with open("secure.txt") as secure: 4 | exec(secure.read()) # NOTE(review): exec() runs the whole of secure.txt as Python, so this script is only as trustworthy as that file; it presumably just assigns n, e and c, which could be parsed as integers instead of executed. 5 | 6 | # https://stackoverflow.com/a/15391420 7 | 8 | def isqrt(n): 9 | x = n 10 | y = (x + 1) // 2 11 | while y < x: 12 | x = y 13 | y = (x + n // x) // 2 14 | return x 15 | 16 | p = isqrt(n) 17 | 18 | #
https://en.wikibooks.org/wiki/Algorithm_Implementation/Mathematics/Extended_Euclidean_algorithm 19 | 20 | def xgcd(a, b): 21 | """return (g, x, y) such that a*x + b*y = g = gcd(a, b)""" 22 | x0, x1, y0, y1 = 0, 1, 1, 0 23 | while a != 0: 24 | q, b, a = b // a, a, b % a 25 | y0, y1 = y1, y0 - q * y1 26 | x0, x1 = x1, x0 - q * x1 27 | return b, x0, y0 28 | 29 | def mulinv(a, b): 30 | """return x such that (x * a) % b == 1""" 31 | g, x, _ = xgcd(a, b) 32 | if g == 1: 33 | return x % b 34 | 35 | m = pow(c, mulinv(e, (p - 1) * p), n) 36 | 37 | print(binascii.unhexlify(hex(m)[2:].rstrip("L")).decode()) 38 | -------------------------------------------------------------------------------- /reverse/i_thought_trig_was_easy/desc.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Name 4 | I Thought Trig Was Really Easy 5 | 6 | 7 | Category 8 | Reversal 9 | 10 | 11 | Message 12 | After finishing a hard lesson in geometry class, Keith decided that he wanted to put your understanding of trig and python to the test. Can you solve his challenge? 13 | 14 | 15 | Flags 16 | hsctf{:hyperthonk:} 17 | 18 | 19 | Files 20 | trig_is_really_hard.py 21 | 22 | 23 | Tags 24 | Reversalv1sanjay 25 | 26 | 27 | Hints 28 | Each letter of input adds a certain amount of numbers to the output. Find the pattern and align letters of input to letters of output. 
29 | 30 | 31 | -------------------------------------------------------------------------------- /pwn/hard-heap/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN apt-get update && apt-get -y dist-upgrade && \ 4 | apt-get install -y lib32z1 xinetd 5 | 6 | RUN useradd -m ctf 7 | 8 | WORKDIR /home/ctf 9 | 10 | RUN cp -R /lib* /home/ctf && \ 11 | cp -R /usr/lib* /home/ctf 12 | 13 | RUN mkdir /home/ctf/dev && \ 14 | mknod /home/ctf/dev/null c 1 3 && \ 15 | mknod /home/ctf/dev/zero c 1 5 && \ 16 | mknod /home/ctf/dev/random c 1 8 && \ 17 | mknod /home/ctf/dev/urandom c 1 9 && \ 18 | chmod 666 /home/ctf/dev/* 19 | 20 | RUN mkdir /home/ctf/bin && \ 21 | cp /bin/sh /home/ctf/bin && \ 22 | cp /bin/ls /home/ctf/bin && \ 23 | cp /bin/cat /home/ctf/bin 24 | 25 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 26 | COPY ./start.sh /start.sh 27 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 28 | 29 | RUN chmod +x /start.sh 30 | 31 | COPY ./bin/ /home/ctf/ 32 | RUN chown -R root:ctf /home/ctf && \ 33 | chmod -R 750 /home/ctf && \ 34 | chmod 740 /home/ctf/flag 35 | 36 | CMD ["/start.sh"] 37 | 38 | EXPOSE 9999 39 | -------------------------------------------------------------------------------- /pwn/storytime/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN apt-get update && apt-get -y dist-upgrade && \ 4 | apt-get install -y lib32z1 xinetd 5 | 6 | RUN useradd -m ctf 7 | 8 | WORKDIR /home/ctf 9 | 10 | RUN cp -R /lib* /home/ctf && \ 11 | cp -R /usr/lib* /home/ctf 12 | 13 | RUN mkdir /home/ctf/dev && \ 14 | mknod /home/ctf/dev/null c 1 3 && \ 15 | mknod /home/ctf/dev/zero c 1 5 && \ 16 | mknod /home/ctf/dev/random c 1 8 && \ 17 | mknod /home/ctf/dev/urandom c 1 9 && \ 18 | chmod 666 /home/ctf/dev/* 19 | 20 | RUN mkdir /home/ctf/bin && \ 21 | cp /bin/sh /home/ctf/bin && \ 22 | cp /bin/ls /home/ctf/bin && \ 23 | cp /bin/cat /home/ctf/bin 24 
| 25 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 26 | COPY ./start.sh /start.sh 27 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 28 | 29 | RUN chmod +x /start.sh 30 | 31 | COPY ./bin/ /home/ctf/ 32 | RUN chown -R root:ctf /home/ctf && \ 33 | chmod -R 750 /home/ctf && \ 34 | chmod 740 /home/ctf/flag 35 | 36 | CMD ["/start.sh"] 37 | 38 | EXPOSE 9999 39 | -------------------------------------------------------------------------------- /reverse/bitecode/check_gen.py: -------------------------------------------------------------------------------- 1 | import random as r 2 | 3 | flag_arr = [ord(c) for c in 'hsctf{wH04_u_r_2_pr0_4_th1$}'] 4 | 5 | for i in range(len(flag_arr)): 6 | print 'L' + str(i) + ':' 7 | print ' dup' 8 | if (i <= 5): 9 | print ' iconst_' + str(i) 10 | else: 11 | print ' bipush ' + str(i) 12 | 13 | print ' caload' 14 | 15 | xor_key = r.randint(-0xFFFFFFF, 0xFFFFFFF) 16 | xor_thing = xor_key ^ flag_arr[i] 17 | 18 | print ' ldc ' + str(xor_key) 19 | print ' ixor' 20 | print ' ldc ' + str(xor_thing) 21 | print ' isub' 22 | if (len(flag_arr) - 1 == i): 23 | print ' ifeq Lgood' 24 | else: 25 | print ' ifeq L' + str(i + 1) 26 | print ' pop' 27 | print 'LA' + str(i) + ':' 28 | print ' iload_2' 29 | print ' ifne LA' + str(r.randint(0, 26)) 30 | print ' jsr Lfail' 31 | 32 | print ' return' # otherwise jvm gets mad about "illegal class" 33 | input() -------------------------------------------------------------------------------- /reverse/paint/injector/injector.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 
-------------------------------------------------------------------------------- /pwn/aria-writer-v3/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | RUN apt-get update && apt-get -y dist-upgrade && \ 4 | apt-get install -y lib32z1 xinetd 5 | 6 | RUN useradd -m ctf 7 | 8 | WORKDIR /home/ctf 9 | 10 | RUN cp -R /lib* /home/ctf && \ 11 | cp -R /usr/lib* /home/ctf 12 | 13 | RUN mkdir /home/ctf/dev && \ 14 | mknod /home/ctf/dev/null c 1 3 && \ 15 | mknod /home/ctf/dev/zero c 1 5 && \ 16 | mknod /home/ctf/dev/random c 1 8 && \ 17 | mknod /home/ctf/dev/urandom c 1 9 && \ 18 | chmod 666 /home/ctf/dev/* 19 | 20 | RUN mkdir /home/ctf/bin && \ 21 | cp /bin/sh /home/ctf/bin && \ 22 | cp /bin/ls /home/ctf/bin && \ 23 | cp /bin/cat /home/ctf/bin && \ 24 | cp /usr/bin/md5sum /home/ctf/bin 25 | 26 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 27 | COPY ./start.sh /start.sh 28 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 29 | 30 | RUN chmod +x /start.sh 31 | 32 | COPY ./bin/ /home/ctf/ 33 | RUN chown -R root:ctf /home/ctf && \ 34 | chmod -R 750 /home/ctf && \ 35 | chmod 740 /home/ctf/flag 36 | 37 | CMD ["/start.sh"] 38 | 39 | EXPOSE 9999 40 | -------------------------------------------------------------------------------- /pwn/aria-writer/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | RUN apt-get update && apt-get -y dist-upgrade && \ 4 | apt-get install -y lib32z1 xinetd 5 | 6 | RUN useradd -m ctf 7 | 8 | WORKDIR /home/ctf 9 | 10 | RUN cp -R /lib* /home/ctf && \ 11 | cp -R /usr/lib* /home/ctf 12 | 13 | RUN mkdir /home/ctf/dev && \ 14 | mknod /home/ctf/dev/null c 1 3 && \ 15 | mknod /home/ctf/dev/zero c 1 5 && \ 16 | mknod /home/ctf/dev/random c 1 8 && \ 17 | mknod /home/ctf/dev/urandom c 1 9 && \ 18 | chmod 666 /home/ctf/dev/* 19 | 20 | RUN mkdir /home/ctf/bin && \ 21 | cp /bin/sh /home/ctf/bin && \ 22 | cp /bin/ls /home/ctf/bin && 
\ 23 | cp /bin/cat /home/ctf/bin && \ 24 | cp /usr/bin/md5sum /home/ctf/bin 25 | 26 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 27 | COPY ./start.sh /start.sh 28 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 29 | 30 | RUN chmod +x /start.sh 31 | 32 | COPY ./bin/ /home/ctf/ 33 | RUN chown -R root:ctf /home/ctf && \ 34 | chmod -R 750 /home/ctf && \ 35 | chmod 740 /home/ctf/flag 36 | 37 | CMD ["/start.sh"] 38 | 39 | EXPOSE 9999 40 | -------------------------------------------------------------------------------- /reverse/i_thought_trig_was_easy/nice_math_ans.py: -------------------------------------------------------------------------------- 1 | import math 2 | 3 | def solve_eq(ans, y): 4 | if (ans + y) % 2 == 0: 5 | return ans - y 6 | else: 7 | return ans + y 8 | 9 | def get_letter(num): 10 | return chr(num + 96) 11 | 12 | inp = [-25, 1, 10, 7, 4, 7, 2, 9, 3, 8, 1, 10, 3, -1, -8, 3, -6, 5, -4, 7, -5, 8, -3, 10, -1, 12, 10, 7, -6, 9, -4, 11, -2, 13, -2, -11, 6, -9, 8, -7, 10, -5, 12, 1, -12, 7, -10, 9, -8, 11, -6, 13, -4, 11, 6, -13, 8, -11, 10, -9, 12, -7, 14, -5, 22, -16, 7, -14, 9, -12, 11, -10, 13, -8, 15, -6, -2, 2, -21, 4, -19, 6, -17, 8, -15, 10, -13, 12, -11, 5] 13 | char = 0 14 | total = math.floor(math.sqrt(2*(len(inp) + 1))) - 1 15 | print(total) 16 | i = 0 17 | num_array = [] 18 | while i < len(inp): 19 | char += 1 20 | add_num = 0 21 | for j in range(0, char + 1): 22 | add_num += solve_eq(inp[i], char) 23 | i += 1 24 | num_array.append(solve_eq(add_num, total - char + 1)) 25 | 26 | ans_array = [] 27 | for num in num_array: 28 | ans_array.append(get_letter(num)) 29 | print(ans_array) 30 | -------------------------------------------------------------------------------- /reverse/tux-talk-show-2019/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | RUN apt-get update && apt-get -y dist-upgrade && \ 4 | apt-get install -y lib32z1 xinetd 5 | 6 | RUN useradd -m ctf 7 | 8 | WORKDIR 
/home/ctf 9 | 10 | RUN cp -R /lib* /home/ctf && \ 11 | cp -R /usr/lib* /home/ctf 12 | 13 | RUN mkdir /home/ctf/dev && \ 14 | mknod /home/ctf/dev/null c 1 3 && \ 15 | mknod /home/ctf/dev/zero c 1 5 && \ 16 | mknod /home/ctf/dev/random c 1 8 && \ 17 | mknod /home/ctf/dev/urandom c 1 9 && \ 18 | chmod 666 /home/ctf/dev/* 19 | 20 | RUN mkdir /home/ctf/bin && \ 21 | cp /bin/sh /home/ctf/bin && \ 22 | cp /bin/ls /home/ctf/bin && \ 23 | cp /bin/cat /home/ctf/bin && \ 24 | cp /usr/bin/md5sum /home/ctf/bin 25 | 26 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 27 | COPY ./start.sh /start.sh 28 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 29 | 30 | RUN chmod +x /start.sh 31 | 32 | COPY ./bin/ /home/ctf/ 33 | RUN chown -R root:ctf /home/ctf && \ 34 | chmod -R 750 /home/ctf && \ 35 | chmod 740 /home/ctf/flag.txt 36 | 37 | CMD ["/start.sh"] 38 | 39 | EXPOSE 9999 40 | -------------------------------------------------------------------------------- /web/keith-logger/src/app/main.py: --------------------------------------------------------------------------------

from pymongo import MongoClient
from flask import Flask, request
import urllib.parse
import datetime

app = Flask(__name__)

# NOTE(review): the MongoDB user name and password are hard-coded in this
# string, so anyone who can read the source (or the repository) holds the
# database login. Load the connection string from the environment or a
# secrets store instead, and rotate a credential once it has been committed.
database_address = "admin:keithkeithkeith@keith-logger-mongodb.web.chal.hsctf.com:27017"

# The credentials above are interpolated straight into the mongodb:// URI.
client = MongoClient("mongodb://{}".format(database_address), connect=False)
db = client.database
collection = db.collection

@app.route("/")
def home():
    """Return a static greeting for the site root."""
    return "Hello, World! nothing to see here"

@app.route("/api/admin")
def admin():
    """Return a placeholder message for the admin page.

    NOTE(review): the message embeds ``database_address``, and the route has
    no authentication check, so every caller receives the database host,
    user name and password in the response body.
    """
    return "didn't have time to implement this page yet. use {} for now".format(database_address)

@app.route("/api/record")
def record():
    """Echo the ``text`` and ``url`` query parameters with the current time.

    Nothing is stored: the ``insert_one`` call below is commented out.

    NOTE(review): the return value is the ``str()`` of a dict built from
    caller-supplied values, with no escaping applied before it is sent back.
    """
    text = request.args["text"]
    url = request.args["url"]

    post = {
        # unquote() percent-decodes the values taken from request.args.
        "text": str(urllib.parse.unquote(text)),
        "url": str(urllib.parse.unquote(url)),
        "time": str(datetime.datetime.now().time())
    }

    # collection.insert_one(post)

    return str(post)

if __name__ == "__main__":
    # NOTE(review): debug=True turns on Flask's debug mode (interactive
    # debugger and reloader); keep it off wherever others can reach the app.
    app.run(debug=True)
-------------------------------------------------------------------------------- /pwn/bit/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN dpkg --add-architecture i386 && \ 4 | apt-get update && apt-get -y dist-upgrade && \ 5 | apt-get install -y lib32z1 xinetd libc6:i386 \ 6 | libncurses5:i386 libstdc++6:i386 multiarch-support 7 | 8 | RUN useradd -m ctf 9 | 10 | WORKDIR /home/ctf 11 | 12 | RUN cp -R /lib* /home/ctf && \ 13 | cp -R /usr/lib* /home/ctf 14 | 15 | RUN mkdir /home/ctf/dev && \ 16 | mknod /home/ctf/dev/null c 1 3 && \ 17 | mknod /home/ctf/dev/zero c 1 5 && \ 18 | mknod /home/ctf/dev/random c 1 8 && \ 19 | mknod /home/ctf/dev/urandom c 1 9 && \ 20 | chmod 666 /home/ctf/dev/* 21 | 22 | RUN mkdir /home/ctf/bin && \ 23 | cp /bin/sh /home/ctf/bin && \ 24 | cp /bin/ls /home/ctf/bin && \ 25 | cp /bin/cat /home/ctf/bin 26 | 27 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 28 | COPY ./start.sh /start.sh 29 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 30 | 31 | RUN chmod +x /start.sh 32 | 33 | COPY ./bin/ /home/ctf/ 34 | RUN chown -R root:ctf /home/ctf && \ 35 | chmod -R 750 /home/ctf && \ 36 | chmod 740 /home/ctf/flag 37 | 38 | CMD ["/start.sh"] 39 | 40 | EXPOSE 9999 41 | -------------------------------------------------------------------------------- /pwn/byte/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN dpkg --add-architecture i386 && \ 4 | apt-get
update && apt-get -y dist-upgrade && \ 5 | apt-get install -y lib32z1 xinetd libc6:i386 \ 6 | libncurses5:i386 libstdc++6:i386 multiarch-support 7 | 8 | RUN useradd -m ctf 9 | 10 | WORKDIR /home/ctf 11 | 12 | RUN cp -R /lib* /home/ctf && \ 13 | cp -R /usr/lib* /home/ctf 14 | 15 | RUN mkdir /home/ctf/dev && \ 16 | mknod /home/ctf/dev/null c 1 3 && \ 17 | mknod /home/ctf/dev/zero c 1 5 && \ 18 | mknod /home/ctf/dev/random c 1 8 && \ 19 | mknod /home/ctf/dev/urandom c 1 9 && \ 20 | chmod 666 /home/ctf/dev/* 21 | 22 | RUN mkdir /home/ctf/bin && \ 23 | cp /bin/sh /home/ctf/bin && \ 24 | cp /bin/ls /home/ctf/bin && \ 25 | cp /bin/cat /home/ctf/bin 26 | 27 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 28 | COPY ./start.sh /start.sh 29 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 30 | 31 | RUN chmod +x /start.sh 32 | 33 | COPY ./bin/ /home/ctf/ 34 | RUN chown -R root:ctf /home/ctf && \ 35 | chmod -R 750 /home/ctf && \ 36 | chmod 740 /home/ctf/flag 37 | 38 | CMD ["/start.sh"] 39 | 40 | EXPOSE 9999 41 | -------------------------------------------------------------------------------- /pwn/combo-chain/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \ 4 | apt-get update && apt-get -y dist-upgrade && \ 5 | apt-get install -y lib32z1 xinetd 6 | 7 | RUN useradd -m ctf 8 | 9 | WORKDIR /home/ctf 10 | 11 | RUN cp -R /lib* /home/ctf && \ 12 | cp -R /usr/lib* /home/ctf 13 | 14 | RUN mkdir /home/ctf/dev && \ 15 | mknod /home/ctf/dev/null c 1 3 && \ 16 | mknod /home/ctf/dev/zero c 1 5 && \ 17 | mknod /home/ctf/dev/random c 1 8 && \ 18 | mknod /home/ctf/dev/urandom c 1 9 && \ 19 | chmod 666 /home/ctf/dev/* 20 | 21 | RUN mkdir /home/ctf/bin && \ 22 | cp /bin/sh /home/ctf/bin && \ 23 | cp /bin/ls /home/ctf/bin && \ 24 | cp /bin/cat /home/ctf/bin 25 | 26 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 27 | COPY 
./start.sh /start.sh 28 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 29 | 30 | RUN chmod +x /start.sh 31 | 32 | COPY ./bin/ /home/ctf/ 33 | RUN chown -R root:ctf /home/ctf && \ 34 | chmod -R 750 /home/ctf && \ 35 | chmod 740 /home/ctf/flag 36 | 37 | CMD ["/start.sh"] 38 | 39 | EXPOSE 9999 40 | -------------------------------------------------------------------------------- /misc/broken-gps/challenge.md: -------------------------------------------------------------------------------- 1 | Written by: Disha Kohli and Shray Vats 2 | 3 | # Broken GPS 4 | 5 | Ella is following a broken GPS. Every time she is supposed to move left, she ends up moving right, and vice versa. Every time she is supposed to move up, she moves down, and vice versa. Eventually she ends up in a totally different place than her intended location. What is the shortest distance between these two points? Assume that she moves one unit every time a direction is specified. 6 | 7 | # Input Format: 8 | You will receive a text file with N directions (1<=N<=1000). The first line in the file will be N, and each subsequent line will contain a single direction: “north,” “south,” “east,” “west,” “northwest,” “northeast,” “southwest,” or “southeast.” 9 | 10 | # Output Format: 11 | Round your answer to the nearest whole number and then divide by 26. Discard the quotient and keep the remainder (mod 26). Each possible remainder corresponds to a letter in the alphabet (0=a, 1=b, …, 25=z). 12 | 13 | Find the letter for each test case and string them together. The result is the flag. (For instance, a, b, c becomes “abc”). Remember to use the flag format and keep all letters lowercase! 
14 | -------------------------------------------------------------------------------- /pwn/caesars-revenge/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \ 4 | apt-get update && apt-get -y dist-upgrade && \ 5 | apt-get install -y lib32z1 xinetd 6 | 7 | RUN useradd -m ctf 8 | 9 | WORKDIR /home/ctf 10 | 11 | RUN cp -R /lib* /home/ctf && \ 12 | cp -R /usr/lib* /home/ctf 13 | 14 | RUN mkdir /home/ctf/dev && \ 15 | mknod /home/ctf/dev/null c 1 3 && \ 16 | mknod /home/ctf/dev/zero c 1 5 && \ 17 | mknod /home/ctf/dev/random c 1 8 && \ 18 | mknod /home/ctf/dev/urandom c 1 9 && \ 19 | chmod 666 /home/ctf/dev/* 20 | 21 | RUN mkdir /home/ctf/bin && \ 22 | cp /bin/sh /home/ctf/bin && \ 23 | cp /bin/ls /home/ctf/bin && \ 24 | cp /bin/cat /home/ctf/bin 25 | 26 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 27 | COPY ./start.sh /start.sh 28 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 29 | 30 | RUN chmod +x /start.sh 31 | 32 | COPY ./bin/ /home/ctf/ 33 | RUN chown -R root:ctf /home/ctf && \ 34 | chmod -R 750 /home/ctf && \ 35 | chmod 740 /home/ctf/flag 36 | 37 | CMD ["/start.sh"] 38 | 39 | EXPOSE 9999 40 | -------------------------------------------------------------------------------- /pwn/combo-chain-lite/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \ 4 | apt-get update && apt-get -y dist-upgrade && \ 5 | apt-get install -y lib32z1 xinetd 6 | 7 | RUN useradd -m ctf 8 | 9 | WORKDIR /home/ctf 10 | 11 | RUN cp -R /lib* /home/ctf && \ 12 | cp -R /usr/lib* /home/ctf 13 | 14 | RUN mkdir /home/ctf/dev && \ 15 | mknod /home/ctf/dev/null c 1 3 && \ 16 | mknod /home/ctf/dev/zero c 1 5 && \ 17 | mknod /home/ctf/dev/random c 1 
8 && \ 18 | mknod /home/ctf/dev/urandom c 1 9 && \ 19 | chmod 666 /home/ctf/dev/* 20 | 21 | RUN mkdir /home/ctf/bin && \ 22 | cp /bin/sh /home/ctf/bin && \ 23 | cp /bin/ls /home/ctf/bin && \ 24 | cp /bin/cat /home/ctf/bin 25 | 26 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 27 | COPY ./start.sh /start.sh 28 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 29 | 30 | RUN chmod +x /start.sh 31 | 32 | COPY ./bin/ /home/ctf/ 33 | RUN chown -R root:ctf /home/ctf && \ 34 | chmod -R 750 /home/ctf && \ 35 | chmod 740 /home/ctf/flag 36 | 37 | CMD ["/start.sh"] 38 | 39 | EXPOSE 9999 40 | -------------------------------------------------------------------------------- /pwn/return-to-sender/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/mirrors.tuna.tsinghua.edu.cn/g" /etc/apt/sources.list && \ 4 | apt-get update && apt-get -y dist-upgrade && \ 5 | apt-get install -y lib32z1 xinetd 6 | 7 | RUN useradd -m ctf 8 | 9 | WORKDIR /home/ctf 10 | 11 | RUN cp -R /lib* /home/ctf && \ 12 | cp -R /usr/lib* /home/ctf 13 | 14 | RUN mkdir /home/ctf/dev && \ 15 | mknod /home/ctf/dev/null c 1 3 && \ 16 | mknod /home/ctf/dev/zero c 1 5 && \ 17 | mknod /home/ctf/dev/random c 1 8 && \ 18 | mknod /home/ctf/dev/urandom c 1 9 && \ 19 | chmod 666 /home/ctf/dev/* 20 | 21 | RUN mkdir /home/ctf/bin && \ 22 | cp /bin/sh /home/ctf/bin && \ 23 | cp /bin/ls /home/ctf/bin && \ 24 | cp /bin/cat /home/ctf/bin 25 | 26 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 27 | COPY ./start.sh /start.sh 28 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 29 | 30 | RUN chmod +x /start.sh 31 | 32 | COPY ./bin/ /home/ctf/ 33 | RUN chown -R root:ctf /home/ctf && \ 34 | chmod -R 750 /home/ctf && \ 35 | chmod 740 /home/ctf/flag 36 | 37 | CMD ["/start.sh"] 38 | 39 | EXPOSE 9999 40 | -------------------------------------------------------------------------------- /reverse/redtea/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM ubuntu:16.04 2 | 3 | RUN dpkg --add-architecture i386 && \ 4 | apt-get update && apt-get -y dist-upgrade && \ 5 | apt-get install -y lib32z1 xinetd libc6:i386 \ 6 | libncurses5:i386 libstdc++6:i386 multiarch-support 7 | 8 | RUN useradd -m ctf 9 | 10 | WORKDIR /home/ctf 11 | 12 | RUN cp -R /lib* /home/ctf && \ 13 | cp -R /usr/lib* /home/ctf 14 | 15 | RUN mkdir /home/ctf/dev && \ 16 | mknod /home/ctf/dev/null c 1 3 && \ 17 | mknod /home/ctf/dev/zero c 1 5 && \ 18 | mknod /home/ctf/dev/random c 1 8 && \ 19 | mknod /home/ctf/dev/urandom c 1 9 && \ 20 | chmod 666 /home/ctf/dev/* 21 | 22 | RUN mkdir /home/ctf/bin && \ 23 | cp /bin/sh /home/ctf/bin && \ 24 | cp /bin/ls /home/ctf/bin && \ 25 | cp /bin/cat /home/ctf/bin 26 | 27 | COPY ./ctf.xinetd /etc/xinetd.d/ctf 28 | COPY ./start.sh /start.sh 29 | RUN echo "Blocked by ctf_xinetd" > /etc/banner_fail 30 | 31 | RUN chmod +x /start.sh 32 | 33 | COPY ./bin/ /home/ctf/ 34 | RUN chown -R root:ctf /home/ctf && \ 35 | chmod -R 750 /home/ctf && \ 36 | chmod 740 /home/ctf/flag.txt 37 | 38 | CMD ["/start.sh"] 39 | 40 | EXPOSE 9999 41 | -------------------------------------------------------------------------------- /reverse/i_thought_trig_was_easy/trig_is_really_hard.py: -------------------------------------------------------------------------------- 1 | import math 2 | 3 | def nice_math(x, y): 4 | return round(x + y*math.cos(math.pi * x)) 5 | 6 | lots_of_nums = lambda n,a:(lambda r:[*r,n-sum(r)])(range(n//a-a//2,n//a+a//2+a%2)) 7 | 8 | def get_number(char): 9 | return ord(char) - 96 10 | 11 | inp = input("Enter the text: ") 12 | 13 | out = [] 14 | for i in range(0, len(inp)): 15 | for j in lots_of_nums(nice_math(get_number(inp[i]), len(inp) - i), i + 1): 16 | out.append(nice_math(j, i + 1)) 17 | 18 | ans = [-25, 1, 10, 7, 4, 7, 2, 9, 3, 8, 1, 10, 19 | 3, -1, -8, 3, -6, 5, -4, 7, -5, 8, -3, 20 | 10, -1, 12, 10, 7, -6, 9, -4, 11, -2, 21 | 13, 
-2, -11, 6, -9, 8, -7, 10, -5, 12, 22 | 1, -12, 7, -10, 9, -8, 11, -6, 13, -4, 23 | 11, 6, -13, 8, -11, 10, -9, 12, -7, 14, 24 | -5, 22, -16, 7, -14, 9, -12, 11, -10, 13, 25 | -8, 15, -6, -2, 2, -21, 4, -19, 6, -17, 8, 26 | -15, 10, -13, 12, -11, 5] 27 | if (out == ans): 28 | print("That is correct! Flag: hsctf{" + inp + "}") 29 | else: 30 | print("Nope sorry, try again!") 31 | 32 | 33 | -------------------------------------------------------------------------------- /reverse/paint/paint/paint.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Source Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /reverse/paint/paint/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include "xor.hpp" 8 | 9 | DWORD WINAPI entry(LPVOID lpThreadParameter) 10 | { 11 | try 12 | { 13 | char pszPath[MAX_PATH] = { NULL }; 14 | GetModuleFileName(NULL, pszPath, MAX_PATH); 15 | 16 | if (strcmp(pszPath, "C:\\WINDOWS\\system32\\mspaint.exe") == 0) 17 | { 18 | MessageBoxA(NULL, XorStr("hsctf{havent_seen_windows_in_a_while}"), "Flag", NULL); 19 | } 20 | } 21 | catch (const std::runtime_error& err) 22 | { 23 | MessageBoxA(NULL, err.what(), "Error", NULL); 24 | 25 | std::this_thread::sleep_for(std::chrono::seconds(1)); 26 | } 27 | 28 | std::this_thread::sleep_for(std::chrono::seconds(1)); 29 | 30 | FreeLibraryAndExitThread(static_cast(lpThreadParameter), EXIT_SUCCESS); 31 | } 32 | 33 | BOOL 
APIENTRY DllMain(_In_ HINSTANCE hinstDLL, _In_ DWORD fdwReason, _In_ LPVOID lpvReserved) 34 | { 35 | if (fdwReason == DLL_PROCESS_ATTACH) 36 | { 37 | DisableThreadLibraryCalls(hinstDLL); 38 | 39 | if (auto handle = CreateThread(nullptr, NULL, entry, hinstDLL, NULL, nullptr)) 40 | { 41 | CloseHandle(handle); 42 | } 43 | } 44 | 45 | return TRUE; 46 | } -------------------------------------------------------------------------------- /misc/broken-repl/repl.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | with open("flag.txt") as flag: # open flag file 3 | flag = flag.read() # read contents of flag file 4 | try: # make sure we don't run out of memory 5 | while 1: # do this forever 6 | try: # try to read a line of input 7 | line = input(">>> ") # prompt is python's standard prompt 8 | except EOFError: # user is done typing input 9 | print() # ensure there is a line-break 10 | break # exit from the loop 11 | else: # successfully read input 12 | try: # try to compile the input 13 | code = compile(line, "", "exec") # compile the line of input 14 | except (OverflowError, SyntaxError, ValueError, TypeError, RecursionError) as e: # user input was bad 15 | print("there was an error in your code:", e) # notify the user of the error 16 | if False: exec(code) # run the code 17 | # TODO: find replacement for exec 18 | # TODO: exec is unsafe 19 | except MemoryError: # we ran out of memory 20 | # uh oh 21 | # lets remove the flag to clear up some memory 22 | print(flag) # log the flag so it is not lost 23 | del flag # delete the flag 24 | # hopefully we have enough memory now 25 | -------------------------------------------------------------------------------- /reverse/virtualjava/vm_insn_gen.py: -------------------------------------------------------------------------------- 1 | import random as r 2 | 3 | flag_arr = [ord(c) for c in 'hsctf{y0u_d3f34t3d_th3_b4by_vm}'] 4 | 5 | ip = 0 6 | for i in range(len(flag_arr)): 
7 | xor_key = r.randint(-0xFF, 0xFF) 8 | xor_thing = xor_key ^ flag_arr[i] 9 | print ' /* ' + str(ip) + ' */ 0xb, 0x0, // push r0 (index)' 10 | print ' /* ' + str(ip + 2) + ' */ 0x6, ' + hex(i) + ', // push ' + hex(i) 11 | print ' /* ' + str(ip + 4) + ' */ 0x1, ' + hex(r.randint(-0xFF, 0xFF)) + ', // sub' 12 | print ' /* ' + str(ip + 6) + ' */ 0x5, ' + hex(ip + 20) + ', // if not 0, ip = ' + str(ip + 20) 13 | print ' /* ' + str(ip + 8) + ' */ 0xb, 0x1, // push r1 (answer)' 14 | print ' /* ' + str(ip + 10) + ' */ 0x6, ' + hex(xor_key) + ', // push ' + hex(xor_key) 15 | print ' /* ' + str(ip + 12) + ' */ 0x9, ' + hex(r.randint(-0xFF, 0xFF)) + ', // xor' 16 | print ' /* ' + str(ip + 14) + ' */ 0x6, ' + hex(xor_thing) + ', // push ' + hex(xor_thing) 17 | print ' /* ' + str(ip + 16) + ' */ 0x1, ' + hex(r.randint(-0xFF, 0xFF)) + ', // sub' 18 | print ' /* ' + str(ip + 18) + ' */ 0xc, ' + hex(r.randint(-0xFF, 0xFF)) + ', // kill' 19 | ip += 20 20 | 21 | input() 22 | -------------------------------------------------------------------------------- /reverse/forgot-your-password/generator.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | ch = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ ' 4 | s = [SECRET_1, SECRET_2] 5 | # TOP SECRET: DO NOT LEAK 6 | def o(x,k): 7 | return x<>(64-k) 16 | def x(b, a): 17 | return a^b 18 | def oro(a, b): 19 | return a|b 20 | def h(): 21 | s1 = m(x(s[0],s[1])) 22 | s[0] = m(x(oro(o(s[0],55),p(55,s[0])),x(s1,(o(s1,14))))) 23 | s[1] = m(oro(o(s1,36),p(36,s1))) 24 | 25 | # Helper methods 26 | def bin2chr(data): 27 | result = '' 28 | while data: 29 | char = data & 0xff 30 | result += chr(char) 31 | data >>= 8 32 | return result 33 | 34 | def isp(d): 35 | if all(c in ch for c in d): 36 | return d 37 | else: 38 | return d.encode('hex') 39 | 40 | # throw away first value for additional randomness 41 | next() 42 | next() 43 | 44 | 
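COMBO_NUM_1 = isp(bin2chr(next())) + isp(bin2chr(next())) 45 | COMBO_NUM_2 = isp(bin2chr(next())) + isp(bin2chr(next())) 46 | COMBO_NUM_3 = isp(bin2chr(next())) + isp(bin2chr(next())) 47 | 48 | print "Thanks! Your numbers are: " 49 | print COMBO_NUM_1 50 | print COMBO_NUM_2 51 | print COMBO_NUM_3 -------------------------------------------------------------------------------- /misc/admin-pass/index.php: -------------------------------------------------------------------------------- 1 | oh hi you entered a password'; 9 | } 10 | ?> 11 | 12 | 13 | 14 | 15 | 16 | 17 | admin password checker 18 | 19 | 20 | 32 | 33 | 34 | password checker 35 | 36 | pls enter password here 37 | 38 | 39 | 40 | 41 | as my tribute to richard michael stallman 42 | here is a link to the open source github 43 | 44 | https://gitlab.com/WeastieWeastie/admin-password/ 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /misc/keith-bot/bot.py: --------------------------------------------------------------------------------
import asyncio
from discord.ext import commands
import os

bot = commands.Bot(command_prefix=commands.when_mentioned_or("_"))
bot.remove_command("help")

@bot.event
async def on_ready():
    """Log the account the bot is connected as."""
    print("Logged in as", bot.user)

@bot.event
async def on_message(message):
    """Handle commands in direct messages only.

    The bot's own messages are ignored. Commands are processed only when the
    message has no guild (a DM); in a guild the bot just answers a mention
    with a request to DM it.
    """
    if message.author == bot.user:
        return

    if message.guild is None:
        await bot.process_commands(message)
    elif bot.user in message.mentions:
        await message.channel.send(f"{message.author.mention} DM me")

@bot.command(name="eval")
async def _eval(ctx, *, body):
    """Feed the message body to ``eval.py`` in a child process and reply.

    The text is taken from inside a ``` fence when present, otherwise
    surrounding backticks and whitespace are stripped. The child is started
    through ``env -i``, i.e. with an empty environment, so the variables of
    this process (including DISCORD_API_KEY, read at the bottom of this file)
    are not passed on to it. ``eval.py`` itself is not shown here.

    The child gets five seconds; combined stdout and stderr are sent back
    only when there is any output.
    """
    if body.startswith("```") and body.endswith("```"):
        body = "\n".join(body.split("\n")[1:-1])
    else:
        body = body.strip("` \n")

    process = await asyncio.create_subprocess_exec(
        "env", "-i", "python3", "eval.py",
        stdin=asyncio.subprocess.PIPE,
        stdout=asyncio.subprocess.PIPE,
        stderr=asyncio.subprocess.PIPE,
    )

    try:
        out, err = await asyncio.wait_for(process.communicate(body.encode()), 5)
    except asyncio.TimeoutError:
        # Process.kill() is a plain method that returns None; awaiting its
        # result raised TypeError inside this handler. Kill the child, then
        # wait for it so a timed-out run is reaped rather than left behind.
        process.kill()
        await process.wait()
    else:
        if out or err:
            await ctx.send(f"```py\n{out.decode()}{err.decode()}\n```")

bot.run(os.environ["DISCORD_API_KEY"], reconnect=True)
-------------------------------------------------------------------------------- /web/accessible-rich-internet-applications/script.js: -------------------------------------------------------------------------------- 1 | var template = (bit, a, b) => ` 2 | ${bit} 3 | ` 4 | String.prototype.leftJustify = function( length, char ) { 5 | var fill = []; 6 | while ( fill.length + this.length < length ) { 7 | fill[fill.length] = char; 8 | } 9 | return fill.join('') + this; 10 | } 11 | var toBits = str => str.split("").map(a => a.charCodeAt(0).toString(2).leftJustify (8, "0")).join(""); 12 | 13 | var encoded = toBits("im gonna add some filler text here so the page is a bit longer. lorem ipsum... here's the flag btw, flag{accessibility_is_crucial}") 14 | var parts = encoded.split("").map((bit,i) => template(bit, i,encoded.length)); 15 | 16 | function shuffle(array) { 17 | var currentIndex = array.length, temporaryValue, randomIndex; 18 | 19 | // While there remain elements to shuffle... 20 | while (0 !== currentIndex) { 21 | 22 | // Pick a remaining element... 23 | randomIndex = Math.floor(Math.random() * currentIndex); 24 | currentIndex -= 1; 25 | 26 | // And swap it with the current element.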
27 | temporaryValue = array[currentIndex]; 28 | array[currentIndex] = array[randomIndex]; 29 | array[randomIndex] = temporaryValue; 30 | } 31 | 32 | return array; 33 | } 34 | 35 | console.log(shuffle(parts).join("")) -------------------------------------------------------------------------------- /reverse/daheck/DaHeck.java: -------------------------------------------------------------------------------- 1 | public class DaHeck { 2 | private static boolean check_flag(String s) { 3 | char[] cs = s.toCharArray(); 4 | char[] daheck = new char[cs.length]; 5 | int n = cs.length ^ daheck.length; 6 | char[] heck = "001002939948347799120432047441372907443274204020958757273".toCharArray(); 7 | 8 | while (true) { 9 | 10 | try { 11 | if (heck[n] - cs[n % cs.length] < 0) daheck[n] = (char) (heck[n] - cs[n % cs.length] % 128); 12 | else daheck[n] = (char) (heck[n] - cs[n % cs.length] % 255); 13 | 14 | n++; 15 | } catch (Throwable t) { 16 | break; 17 | } 18 | } 19 | 20 | return "\uffc8\uffbd\uffce\uffbc\uffca\uffb7\uffc5\uffcb\u0005\uffc5\uffd5\uffc1\uffff\uffc1\uffd8\uffd1\uffc4\uffcb\u0010\uffd3\uffc4\u0001\uffbf\uffbf\uffd1\uffc0\uffc5\uffbb\uffd5\uffbe\u0003\uffca\uffff\uffda\uffc3\u0007\uffc2\u0001\uffd4\uffc0\u0004\uffbe\uffff\uffbe\uffc1\ufffd\uffb5".equals(new String(daheck)); 21 | } 22 | 23 | public static void main(String... args) { 24 | if (args.length != 1) { 25 | System.out.println(":thonk:"); 26 | System.exit(1); 27 | } 28 | 29 | if (args[0].length() != 47) { 30 | System.out.println(":thonkeng:"); 31 | System.exit(1); 32 | } 33 | 34 | if (check_flag(args[0])) System.out.println("Huh. How'd you know?"); 35 | else System.out.println("Da heck? 
No."); 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /crypto/really-secure-algorithm/secure.txt: -------------------------------------------------------------------------------- 1 | n = 263267198123727104271550205341958556303174876064032565857792727663848160746900434003334094378461840454433227578735680279553650400052510227283214433685655389241738968354222022240447121539162931116186488081274412377377863765060659624492965287622808692749117314129201849562443565726131685574812838404826685772784018356022327187718875291322282817197153362298286311745185044256353269081114504160345675620425507611498834298188117790948858958927324322729589237022927318641658527526339949064156992164883005731437748282518738478979873117409239854040895815331355928887403604759009882738848259473325879750260720986636810762489517585226347851473734040531823667025962249586099400648241100437388872231055432689235806576775408121773865595903729724074502829922897576209606754695074134609 2 | e = 65537 3 | c = 63730750663034420186054203696069279764587723426304400672168802689236894414173435574483861036285304923175308990970626739416195244195549995430401827434818046984872271300851807150225874311165602381589988405416304964847452307525883351225541615576599793984531868515708574409281711313769662949003103013799762173274319885217020434609677019589956037159254692138098542595148862209162217974360672409463898048108702225525424962923062427384889851578644031591358064552906800570492514371562100724091169894418230725012261656940082835040737854122792213175137748786146901908965502442703781479786905292956846018910885453170712237452652785768243138215686333746130607279614237568018186440315574405008206846139370637386144872550749882260458201528561992116159466686768832642982965722508678847 4 | -------------------------------------------------------------------------------- /pwn/caesars-revenge/caesars-revenge.c: 
--------------------------------------------------------------------------------
 1 | #include
 2 | #include
 3 | #include
 4 | #include
 5 | #include
 6 |
     /*
      * NOTE(review): the header names of the #include lines above are missing
      * in this listing (probably dropped as markup during extraction).
      *
      * caesar(): reads a line of text and a positive shift from stdin, rotates
      * the ASCII letters of the text in place, then prints the result.
      */
 7 | void caesar() {
 8 |     int i = 0, shift = 0;
 9 |     char input[250];
10 |     char s[100], *p;
11 |
12 |     printf("Enter text to be encoded: ");
         /* Bounded read (at most 249 bytes plus the terminator); the return
          * value is not checked, so on immediate EOF input stays uninitialised. */
13 |     fgets(input, 250, stdin);
14 |
15 |
16 |     printf("Enter number of characters to shift: ");
17 |     /* Code from https://stackoverflow.com/a/26583890 */
         /* strtol() returns long and is narrowed to int here. shift is assigned
          * before it is validated, so if stdin reaches EOF right after a rejected
          * entry the loop ends with the rejected value still in shift. */
18 |     while (fgets(s, sizeof(s), stdin)) {
19 |         shift = strtol(s, &p, 10);
20 |         if (p == s || *p != '\n' || shift <= 0) {
21 |             printf("Please enter an integer greater than 0 this time: ");
22 |         } else break;
23 |     }
24 |
25 |     /* Code from https://stackoverflow.com/a/16374718 */
         /* NOTE(review): newletter is a char, so `newletter += shift` is narrowed
          * back to char. With a large shift the value can wrap (implementation-
          * defined when char is signed) and `% 26` can then be negative, so the
          * stored byte is not guaranteed to be a letter. Reducing shift modulo 26
          * in int before the addition avoids this. */
26 |     while (input[i] != '\0') {
27 |         if (input[i] >= 'A' && input[i]<='Z') {
28 |             char newletter = input[i] - 'A';
29 |             newletter += shift;
30 |             newletter = newletter % 26;
31 |             input[i] = newletter + 'A';
32 |         }
33 |         if (input[i] >= 'a' && input[i]<='z') {
34 |             char newletter = input[i] - 'a';
35 |             newletter += shift;
36 |             newletter = newletter % 26;
37 |             input[i] = newletter + 'a';
38 |         }
39 |         i++;
40 |     }
41 |     printf("Result: ");
         /* NOTE(review): input is passed as the format string, so conversion
          * specifications contained in the text are interpreted by printf()
          * instead of being printed. printf("%s", input) or fputs(input, stdout)
          * prints it literally. Presumably this is the deliberate flaw of the
          * pwn challenge -- confirm before changing it in the challenge source. */
42 |     printf(input);
43 |     printf("\nThank you for using the Caesar Cipher Encoder! Be sure to like, comment, and subscribe!\n");
44 | }
45 |
     /* main(): makes stdout unbuffered, sets the real, effective and saved group
      * IDs to the current effective GID (setresgid's result is not checked),
      * prints the banner and runs caesar(). */
46 | int main() {
47 |     setbuf(stdout, NULL);
48 |     gid_t gid = getegid();
49 |     setresgid(gid,gid,gid);
50 |     puts("Welcome to the Caesar Cipher Encoder!");
51 |     caesar();
52 |     return 0;
53 | }
54 |
--------------------------------------------------------------------------------
/pwn/caesars-revenge/bin/caesars-revenge.c:
--------------------------------------------------------------------------------
 1 | #include
 2 | #include
 3 | #include
 4 | #include
 5 | #include
 6 |
     /* Same source text as the caesars-revenge.c listing directly above; the
      * review notes given there apply to this copy as well. */
 7 | void caesar() {
 8 |     int i = 0, shift = 0;
 9 |     char input[250];
10 |     char s[100], *p;
11 |
12 |     printf("Enter text to be encoded: ");
13 |     fgets(input, 250, stdin);
14 |
15 |
16 |     printf("Enter number of characters to shift: ");
17 |     /* Code from https://stackoverflow.com/a/26583890 */
18 |     while (fgets(s, sizeof(s), stdin)) {
19 |         shift = strtol(s, &p, 10);
20 |         if (p == s || *p != '\n' || shift <= 0) {
21 |             printf("Please enter an integer greater than 0 this time: ");
22 |         } else break;
23 |     }
24 |
25 |     /* Code from https://stackoverflow.com/a/16374718 */
26 |     while (input[i] != '\0') {
27 |         if (input[i] >= 'A' && input[i]<='Z') {
28 |             char newletter = input[i] - 'A';
29 |             newletter += shift;
30 |             newletter = newletter % 26;
31 |             input[i] = newletter + 'A';
32 |         }
33 |         if (input[i] >= 'a' && input[i]<='z') {
34 |             char newletter = input[i] - 'a';
35 |             newletter += shift;
36 |             newletter = newletter % 26;
37 |             input[i] = newletter + 'a';
38 |         }
39 |         i++;
40 |     }
41 |     printf("Result: ");
         /* NOTE(review): user-controlled text used as the format string; the
          * literal-print form is printf("%s", input). */
42 |     printf(input);
43 |     printf("\nThank you for using the Caesar Cipher Encoder! Be sure to like, comment, and subscribe!\n");
44 | }
45 |
46 | int main() {
47 |     setbuf(stdout, NULL);
48 |     gid_t gid = getegid();
49 |     setresgid(gid,gid,gid);
50 |     puts("Welcome to the Caesar Cipher Encoder!");
51 |     caesar();
52 |     return 0;
53 | }
54 |
--------------------------------------------------------------------------------
/reverse/redtea/redtea.c:
--------------------------------------------------------------------------------
 1 | #include
 2 | #include
 3 | #include
 4 |
 5 | #define WORDS_MAX 370100
 6 |
     /* NOTE(review): 40-byte buffer, but main() reads into it with a limit of
      * 100, so a flag.txt line longer than 39 bytes is written past its end. */
 7 | char flag[40];
 8 |
     /* A word: pointer to its characters plus its length. */
 9 | typedef struct {
10 |     char *w;
11 |     int len;
12 | } word;
13 |
14 | void learn(word a);
15 | void stdinflush();
16 |
17 | word dict[WORDS_MAX];
18 | int wc;
     /* opt[x][y][z] holds the word that learn() stored for the three-character
      * window x,y,z. */
19 | word opt[26][26][26];
     /* NOTE(review): optc() subtracts 'a' from each argument and does no range
      * check, so any byte outside 'a'..'z' selects an element outside opt. The
      * macro arguments are also not parenthesised. */
20 | #define optc(a,b,c) opt[a-'a'][b-'a'][c-'a']
21 |
     /*
      * main(): loads flag.txt into `flag`, prints the address of `flag`, reads
      * words.txt into dict, feeds every word to learn(), then loops forever:
      * read a line and learn() it, read a second line and print the word stored
      * for its first three characters.
      */
22 | int main(void) {
23 |     setvbuf(stdout, NULL, _IONBF, 0);
24 |     FILE *fflag = fopen("flag.txt", "r");
         /* NOTE(review): fflag is not checked for NULL, and the limit (100)
          * exceeds sizeof(flag) (40). */
25 |     fgets(flag, 100, fflag);
         /* NOTE(review): %x is given a pointer (%p is the matching conversion);
          * the address of flag is written to stdout. */
26 |     printf("flag: %x\n", &flag);
27 |     FILE *fw = fopen("words.txt", "r");
28 |     if (fw == NULL) {
29 |         perror("fopen");
30 |         exit(EXIT_FAILURE);
31 |     }
32 |     printf("Dictionary opened.\n");
33 |     size_t len = 0;
         /* NOTE(review): nothing stops wc at WORDS_MAX, so a longer words.txt
          * writes past dict. getline()'s result is stored in an int. */
34 |     while ((dict[wc].len = getline(&dict[wc].w, &len, fw)) != -1) {
35 |         if (dict[wc].w[dict[wc].len-1] == '\n')
36 |             dict[wc].w[--dict[wc].len] = '\0';
37 |         ++wc, len = 0;
38 |     }
39 |     printf("Dictionary scanned. wc: %d\n", wc);
40 |     for (int i = 0; i < wc; ++i)
41 |         learn(dict[i]);
42 |     printf("Preproccessed.\n");
43 |     while (1) {
44 |         static char s[100];
             /* NOTE(review): both fgets() results are ignored; at EOF the loop
              * keeps running on the stale contents of s. The newline is not
              * stripped, so strlen(s) counts it and learn() sees it. */
45 |         fgets(s, 100, stdin);
46 |         word bob;
47 |         bob.w = s;
48 |         bob.len = strlen(s);
49 |         learn(bob);
50 |         fgets(s, 100, stdin);
             /* NOTE(review): the three index bytes come straight from stdin and
              * are not validated before indexing opt. */
51 |         word res = optc(s[0],s[1],s[2]);
52 |         printf(res.w ? "%s (%d)\n" : "No words found!\n", res.w, res.len);
53 |     }
54 | }
55 |
     /*
      * learn(): for every three-character window of a.w, stores `a` in the opt
      * slot of that window when `a` is longer than the word stored there.
      * NOTE(review): because optc() has no range check, a window containing a
      * byte outside 'a'..'z' makes the assignment below write outside opt.
      * main() passes raw stdin lines, whose last window includes the newline.
      */
56 | void learn(word a) {
57 |     for (int i = 0; i < a.len - 2; ++i) {
58 |         if (optc(a.w[i],a.w[i+1],a.w[i+2]).len < a.len)
59 |             optc(a.w[i],a.w[i+1],a.w[i+2]) = a;
60 |     }
61 | }
62 |
     /* stdinflush(): discards the rest of the current stdin line. It is not
      * called anywhere in this listing. */
63 | void stdinflush() {
64 |     int c;
65 |     while ((c = getchar()) != '\n' && c != EOF);
66 | }
67 |
--------------------------------------------------------------------------------
/reverse/forgot-your-password/xoro.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 |
 3 | bit64 = 0xffffffffffffffff
 4 | s = [0,0]
 5 |
 6 | def rotl(x, k):
 7 |     return (x << k) | (x >> (64 - k))
 8 |
 9 | def rotr(x, k):
10 |     return (x >> k) | (x << (64 - k))
11 |
12 | def next():
13 |     s0 = s[0]
14 |     s1 = s[1]
15 |     res = (s0 + s1) & bit64
16 |
17 |     s1 ^= s0
18 |     s[0] = rotl(s0, 55) ^ s1 ^ (s1 << 14)
19 |     s[1] = rotl(s1, 36)
20 |     s[0] &= bit64
21 |     s[1] &= bit64
22 |     return res & bit64
23 |
24 | def prev():
25 |     s1 = rotr(s[1], 36)
26 |     ab = s1 ^ s[0]
27 |     b = s1 << 14
28 |     a = ab ^ b
29 |
30 |     s1 &= bit64
31 |     ab &= bit64
32 |     b &= bit64
33 |     a &= bit64
34 |
35 |     s[0] = rotr(a, 55)
36 |     s[1] = s[0] ^ s1
37 |     s[0] &= bit64
38 |     s[1] &= bit64
39 |     return (s[0] + s[1]) & bit64
40 |
41 | def bin2chr(data):
42 |     result = ''
43 |
44 |     while data:
45 |         char = data & 0xff
46 |         result += chr(char)
47 |         data >>= 8
48 |
49 |     return result
50 |
51 |
52 | # run 0x7373696674637368 0x776f776c6f6f636f through xoroshiftall.py
53 |
54 | # three before:
55 | # s = [0x653b6c98b20cda04, 0xe3eada0c00c5e10f]
56 |
57 | # two before:
58 | # s = [0x1b6b2379701afd53, 0xd49942dc5d5b728d]
59 |
60 | # one before:
61 | # s = [0xe2d36a8db96d9ff3, 0xd2818f22a0e62880]
62 |
63 | s = [0xf919b487ed2f9ead, 0x7a59b4de8733d4bb]
64 |
65 | # prev()
66 | # prev()
67 | # prev()
68 | # prev()
69 | # prev()
70 | # prev()
71 | # print hex(s[0]), hex(s[1])
72 |
73 | # would print 'hsctfissocoolwow'
74 |
print(repr(''.join(bin2chr(next()) for i in range(4))))
75 |
76 |
77 | # expected:
78 | # Thanks! Your numbers are:
79 | # e06f76cd556604f0f21c34f1519d2fd2
80 | # 73c8535ab0f954b5ad1cbab7abc18309
81 | # hsctfissocoolwow
82 |
83 |
--------------------------------------------------------------------------------
/gen_pwn.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 |
     # Scaffolding script for a new pwn challenge directory: creates pwn/<name>
     # and pwn/<name>/bin, downloads a Dockerfile and start.sh, and writes a
     # ctf.xinetd file from the template below. Python 2 syntax (raw_input,
     # 0755 literals, print statement).
 3 | import requests
 4 | import os
 5 | import os.path
 6 |
     # xinetd service template: {} receives the challenge name, {{ and }} are
     # literal braces for str.format. As written, xinetd starts /usr/sbin/chroot
     # as root and chroot switches to uid:gid 1000:1000 inside /home/ctf before
     # running the binary. The service listens on 0.0.0.0:9999.
     # NOTE(review): the only limits enabled are per_source and rlimit_cpu;
     # rlimit_as is commented out, so there is no address-space cap.
 7 | xinetd = """
 8 | service ctf
 9 | {{
10 |     disable = no
11 |     socket_type = stream
12 |     protocol = tcp
13 |     wait = no
14 |     user = root
15 |     type = UNLISTED
16 |     port = 9999
17 |     bind = 0.0.0.0
18 |     server = /usr/sbin/chroot
19 |     # replace helloworld to your program
20 |     server_args = --userspec=1000:1000 /home/ctf ./{}
21 |     banner_fail = /etc/banner_fail
22 |     # safety options
23 |     per_source = 10 # the maximum instances of this service per source IP address
24 |     rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use
25 |     #rlimit_as = 1024M # the Address Space resource limit for the service
26 | }}
27 | """
28 |
     # NOTE(review): name is used unvalidated both as a path component and inside
     # server_args. A value containing "/" or ".." creates files outside pwn/,
     # and whitespace in it would add arguments to the chroot command line.
     # Restricting it to a pattern such as [a-z0-9-]+ before use closes both.
29 | name = raw_input("What is the name of your problem? (All lowercase please): ")
30 | path = "pwn/{}".format(name)
31 |
     # Create the directory; an existing directory is accepted, any other
     # OSError is re-raised.
32 | try:
33 |     os.mkdir(path, 0755)
34 | except OSError:
35 |     if not os.path.isdir(path):
36 |         raise
37 |
     # NOTE(review): Dockerfile and start.sh are fetched from the moving `master`
     # branch of a third-party repository on every run, with no timeout, no
     # status check (r.raise_for_status()) and no integrity check, and are
     # written into the challenge directory as-is. Pinning the URLs to a commit
     # and comparing a known checksum would make the output reproducible and
     # keep an error page or a changed upstream file out of the build.
     # The .format(name) calls on "/Dockerfile", "/start.sh" and "/ctf.xinetd"
     # have no placeholder to fill, and the file objects are never closed
     # explicitly.
38 | r = requests.get("https://raw.githubusercontent.com/Eadom/ctf_xinetd/master/Dockerfile", allow_redirects=True)
39 | open(path + "/Dockerfile".format(name), 'wb').write(r.content)
40 |
41 | r = requests.get("https://raw.githubusercontent.com/Eadom/ctf_xinetd/master/start.sh", allow_redirects=True)
42 | open(path + "/start.sh".format(name), 'wb').write(r.content)
43 |
44 | open(path + "/ctf.xinetd".format(name), 'w').write(xinetd.format(name))
45 |
46 | try:
47 |     os.mkdir(path + "/bin", 0755)
48 | except OSError:
49 |     if not os.path.isdir(path + "/bin"):
50 |         raise
51 |
52 | print "Done! Place your compiled binary and flag (with correct name) into pwn/{}/bin!".format(name)
53 |
--------------------------------------------------------------------------------
/crypto/super-secure-system/files/chall.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python2
 2 |
     # Threaded TCP service (Python 2, SocketServer) that sends the XOR-encrypted
     # flag and then encrypts client-supplied messages with the same key.
     # NOTE(review): indentation of this listing was lost in extraction and is
     # reconstructed from syntax; the `return` is shown inside the outer
     # `except` -- confirm against the repository.
 3 | import SocketServer
 4 | from random import choice
 5 | import string
 6 | import binascii
 7 |
     # The flag is read once, at import time.
 8 | flag = open('flag.txt').read().strip()
 9 | char_set = string.ascii_uppercase + string.ascii_lowercase + string.digits
10 |
     # Returns len(char_set) (62) characters picked from string.printable.
     # NOTE(review): random.choice uses the non-cryptographic `random`
     # generator; key material should come from os.urandom or
     # random.SystemRandom.
11 | def gen_key():
12 |     return "".join(choice(string.printable) for _ in char_set)
13 |
     # Character-wise XOR of str1 with key. zip() stops at the shorter input, so
     # the output is silently truncated to len(key).
14 | def encrypt(str1, key):
15 |     return "".join(chr(ord(i) ^ ord(j)) for (i, j) in zip(str1, key))
16 |
17 | SocketServer.TCPServer.allow_reuse_address = True
18 |
19 | class ThreadedTCPRequestHandler(SocketServer.BaseRequestHandler):
         # Per connection: 15 s socket timeout, banner, one fresh key, the
         # encrypted flag, then an encrypt-on-request loop.
         # NOTE(review): the key generated below is used for the flag and for
         # every message the client submits. That is key reuse: XOR encryption
         # is only safe when a key encrypts a single message, which is the
         # condition the banner itself states ("if used once"). Presumably this
         # is the intended weakness of the challenge; a real service would need
         # a fresh key per message.
20 |     def handle(self):
21 |         self.request.settimeout(15)
22 |         self.request.sendall("* * * SUPER SECURE SYSTEM * * *\n")
23 |         self.request.sendall("My encryption system is impossible to crack if used once!\n")
24 |         self.request.sendall("You can use this system to encrypt any of your messages with my super special key!!!\n")
25 |         key = gen_key()
26 |         self.request.sendall("Here is my super secret message: {}\n\n".format(binascii.hexlify(encrypt(flag,key).encode('utf8'))))
27 |
28 |         while True:
29 |             self.request.sendall("Enter the message you want to encrypt: ")
30 |             try:
                     # NOTE(review): recv() returning an empty string (peer
                     # closed the connection) is not treated as end of session.
31 |                 x = self.request.recv(2048)
32 |                 x = x.strip('\n')
33 |                 try:
                         # In Python 2, .encode('utf8') on a byte string first
                         # decodes it as ASCII, so any XOR result >= 0x80 raises
                         # here.
34 |                     self.request.sendall("\nEncrypted: {}\n\n".format(binascii.hexlify(encrypt(x,key).encode('utf8'))))
                     # NOTE(review): the failure is swallowed; `ret` is never
                     # used, so the client gets no reply for that message.
35 |                 except Exception:
36 |                     ret = 'Error'
                 # NOTE(review): bare except -- every error raised by recv() or
                 # strip(), not only a socket timeout, is reported as a timeout.
37 |             except:
38 |                 self.request.sendall("\n\nTime out!")
39 |                 return
40 |
41 | class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
42 |     pass
43 |
     # Listens on all interfaces, TCP port 2000.
44 | if __name__ == '__main__':
45 |     server = ThreadedTCPServer(('0.0.0.0', 2000), ThreadedTCPRequestHandler)
46 |     server.allow_reuse_address = True
47 |
server.serve_forever() -------------------------------------------------------------------------------- /web/keith-logger/src/extension.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCtfI7remml1tNL 3 | TtTDa51oRLCO1HBhAnPG/lOBNyJP1hHSiAkib+39VjKYBCgHfJuM1ENS04S49I6n 4 | HtFsIijkVCh7ykop8Nm1xRZ+g8/F01gql/91DJxd9wSr6xB/yUUcdIb6mYALdd7q 5 | K+5Pb3qudYsUlQP0mtsGpOfxaJKR5M3gOG0izjVZUV0i4Dvba1/EMsrrrAl9PQ8w 6 | cY1RaETSNqOsiH9WEqpxdy08KcSfAk8PRhnjkiNRP+t9qM3hRZro1yLNrf6+5M+K 7 | NGmXxeT1o4achZvlYGFIRmsTw7TllltNAp2wRl2r+dLLuHYysdd7NPIX8l1FI9WE 8 | Rg5hOS9xAgMBAAECggEACmpa5T8clnja3MpUjTqfK7pLVE6ORFC39TeMeV/p7DDz 9 | XHhPfhUKDNEu6T//TDsaVp6MFS3+6aDAa2mhqT7gGscvsAY8JMpMM8oWQzhe0hG8 10 | bmrg4Bzb9Ws7XqaWlL7CFVwsmgvQVhUjRzFQgHiLp8Da/acYTUg6bpVvbxJNZxCk 11 | FUSKnrRRQLnVx+wmLhX9tkw9a+NapqIvSDbu3Y8QFgvqxIlP3MQoJG36VmKq5TTG 12 | fSRX5znrXhD4fLWE1YdzH2tXQueiY/iliIEJ0XqjgOsNc4sWFCRJv3YXwrVHvCsV 13 | DFd4lzUxYFmgjFZA8+ROlehka2nm10TV4dIbsoFibQKBgQDiDx5Gp9pIP4es42ZT 14 | E2JYQsXORQz8OKPM6rQOJ2U2f9nvQdQN83RacILjWVE/Zq1DmcrNNXmPpZUsuo2x 15 | lOtwFkgnFABh4UHnqs+cDrCo1d0s7jGXF1Sw3BTHdiRPjEwxwfIlatAi3DNoEB9k 16 | 3TwpMMQOwrjtY93rfcbMyPCgRQKBgQDEduNc4oy8wr+Cy3dSXtkbRCkB/92oPZO3 17 | uDkEAlrJEJOkShS01HPBduQtwTqhLFwzMPrnS3yXKcx8/grvE1qYuWcdSEoEtkUq 18 | FlMqciJn8k1d4zvSwXmrvlTVzzAeS/gIK5kLL2ntWZzx+IbsUFGp9f0/dF6AZoud 19 | dNzWwJRzPQKBgEF1QT4SYqmjA8VzP3D03vhRtXdqFT1/pSa0G5kxnSQv10pplF7J 20 | zTpW8/+jIFysfaVihg/v2RhYSR7fkiIGzjnxqcjvCMFO+cd8dYtp0YvCCb515pQq 21 | pFJmF/o94nvKU1HhKB3flQ9TFeufJ4gMa9w9i7f+eI/86AjFregkk1DFAoGBAIGt 22 | X6Gdv/uQKEyy9E2gYXmH4fF569ry2h/4L1ogG8B/epSEeWpqmQVn7nDtDD/6Qdlg 23 | SRyGTPSSGHGgVaM8iR4pspA3ePPnQ3vmRHrN3zvxSXPhW0lff2oHNYPzP/Wfe1YZ 24 | QOmLIEYUUm2894Hf+idPQRuzOfVSunDyBBqT/uiZAoGAcAHna/+9JDulUlgICYW0 25 | pMoS7sZSn0Elwb2Bcb9qdmpNzeFfiQasfkno69hbxV+z4uT/TOReIKFZS3sgFQQV 26 | HinSXXjbzWrsc4GOuy9F77/SLNhJHJF2GwZ8f9dPO87isksWTO3ai5AJy31fDCaF 27 
| GLyBB9Keiu8896w6LHEd/cA= 28 | -----END PRIVATE KEY----- 29 | -------------------------------------------------------------------------------- /crypto/spooky-ecc/problem.sage: -------------------------------------------------------------------------------- 1 | p = 0xb09700d3d1c7123f0b0336474c18c3f3f60002d480a4bce33f007c08b498197ed832687c47c2bc76b7eb199d3a420fcf77d3e5a32389fefb1032744bb473a4bd 2 | A = 0x1b2a886d1cfcaecd03954657956cd03df56ec7709fbb0de738fb073ed20b92b6fa3d72f771618c5e2060a23c33b586a6046993894fd4950db2c12776e77fdbd1 3 | B = 0x303bde5e945d46949b8c9986519a9a1f0301f61ff043b3bf2785fd85e365e4caa163c64ad307db8dbbac0087fd8562273ee61aac095815030cc73c7495b46ddb 4 | g_x = 0x9f12acd5b74cc67e03506be8f904087863ce7fd8ed1de6404f26e8e96bea3761fca1f5b21def5298e7adbbf8787ea431a43d241fda6bc9fbaddeaff35ab4f7c3 5 | g_y = 0x51f33f0e5c36e1bf91ac78b04c7e4f819bfad8db291fc2e20c10ee00e98525927719ecf0e8b96c5e62e3f48a38b94e72dddee1109bfdad9c7dfd3f566da69eb4 6 | 7 | E = EllipticCurve(GF(p), [A, B]) 8 | g = E(g_x, g_y) 9 | 10 | def generateKey(): 11 | private = randint(1, E.order() - 1) 12 | public = g * private 13 | 14 | return(public, private) 15 | 16 | def computeSharedSecret(pubkey, privkey): 17 | return pubkey * privkey 18 | 19 | def secure_send_flag(): 20 | from secret import flag 21 | myPubKey, myPrivKey = generateKey() 22 | 23 | print myPubKey 24 | 25 | bob_pub_x = 0x993cf91c25dd287e30cb8f6a0d4fa70e89e90ac0953e7ee876b1ef190a6a442235479162b5ac61beb1d1a5aca03313ff5c53c2e3c81df2fbedf3b0add0b20d18 26 | bob_pub_y = 0x4e75b39de8d5daa3f5f489c02b8fa2cce6f2cfb406bb4a5a0d75d29a3021dcd61df697ef485743e7f8a1b9cc60879bc808e74f9c909b2f0cecb1df0a03c771f5 27 | 28 | bobPubKey = E(bob_pub_x, bob_pub_y) 29 | DH_secret = computeSharedSecret(bobPubKey, myPrivKey) 30 | from hashlib import sha256 31 | from Crypto.Cipher import AES 32 | AES_secret = sha256(str(DH_secret.xy())).digest() 33 | obj = AES.new(AES_secret, AES.MODE_ECB) 34 | flag += " " * ((16 - len(flag)) % 16) 35 | ciphertext = 
obj.encrypt(flag) 36 | 37 | import binascii 38 | print binascii.hexlify(ciphertext) 39 | 40 | -------------------------------------------------------------------------------- /crypto/marginally-more-spooky-ecc/intercept.txt: -------------------------------------------------------------------------------- 1 | (437071643139846376174570991796635821556515973629140637974881910713809347474907708565664978550023080253628563436981461136240187164218943955473906962427621588751133571536263233128379933305722755097642938222821729992112928292343709506067984904756673958537023071586963031303778873355502404560858525640218412720622373369824098745839367743073545069145335781750997022711031566712394148013463290094808515199272554914216404105860245097476566116111286301652851468677715923578954629435631529176601375057076486686319987081515732244810707537343009005070717978425223526163538923468401194292605591320411183706696317193017854195733313461440688247150235910596818920488351049708819811858751684500436391333903440323475318106920865373152352052176746206454328646354342334742517809741676585846785744248199296743482652484393544744906275391431743950732816017334306485823146135060569081401399868784435172595669863476450094990358575115579475893309208 : 
1129749802565185627834158659553807502912216175360213456254075674481088988433443479576096556714622648959392819034084284852916959478876546195923213995294956323268527231581766047828610029859113248478558662868743044337554958806463167785068464444239137312628465183766940740668064934990938102926858847015457403169279134366635216151257462869638958624971531184853170344683049422552732473598742118914767190141609028327074078277290367090610634101108300855280065814455390630761148497086654130386459756495733281280347492148461347415812198075975619307315113752254659557316385115639576216222522363256407482949179689085285199590385738252375535519944626298197399005839337752193084119312960497435211490324941382907224728563381320712225158253541488668785632485406927982563839147149734593198947641619638737854288142722191014592471804685884172858025758753635315661266804801339190058215957655776800114139349071970424218949196308458641913657267781 : 1) 2 | f84a130d288fd200e5564253a7ea34e7dda3ccd28f18440fa06c92a3076ccc6746b8b95734c87177e2cc8759e0b00365 -------------------------------------------------------------------------------- /web/s-q-l/app/src/public/index.php: -------------------------------------------------------------------------------- 1 | 7 | 8 | 9 | 10 | 11 | s-q-l 12 | 13 | 14 | 15 | 16 | 17 | Keith's Secret Site"); 18 | if ($_POST["username"]) { 19 | echo(" Incorrect!"); 20 | } 21 | echo("Username 22 | 23 | Password 24 | 25 | Sign in 26 | 27 | 28 | "); 29 | } else { 30 | echo(" 31 | 32 | 33 | 34 | 35 | s-q-l 36 | 37 | 38 | 39 | 40 | Hello Keith! 
41 | The flag is hsctf{mysql_real_escape_string}
42 |
43 | ");
44 | }
--------------------------------------------------------------------------------
/pwn/bit/bit.c:
--------------------------------------------------------------------------------
 1 | #include
 2 | #include
 3 | #include
 4 | #include
 5 | #include
 6 |
 7 | void flag();
 8 | void flip(unsigned long bit, unsigned short int offset);
 9 |
     /*
      * flag(): prints the contents of the file "flag" and exits. Nothing in
      * main() calls it.
      * NOTE(review): the fopen() result is not checked (NULL would be passed to
      * fgetc), and fgetc()'s int result is stored in a char, so the comparison
      * with EOF depends on the signedness of char.
      */
10 | void flag() {
11 |     FILE *f;
12 |     char s;
13 |
14 |     printf("[🛐] pwn gods like you deserve this: ");
15 |
16 |     f = fopen("flag", "r");
17 |
18 |     while((s = fgetc(f)) != EOF) {
19 |         printf("%c", s);
20 |     }
21 |
22 |     fclose(f);
23 |
24 |     exit(0);
25 | }
26 |
     /*
      * flip(): treats `bit` as an address and toggles bit `offset` of the
      * unsigned long stored there, then prints the new value.
      * NOTE(review): the address is the caller's value converted to a pointer
      * with no validation, and main() takes it straight from stdin. The object
      * is accessed as an unsigned long, not as the single byte the prompts
      * mention. `val` is unused and %x is given an unsigned long. Presumably
      * this write primitive is the point of the challenge.
      */
27 | void flip(unsigned long bit, unsigned short int offset) {
28 |     unsigned long *b = (void*) (unsigned long) bit;
29 |     unsigned short int val = *b;
30 |
31 |     *b ^= 1UL << offset;
32 |     printf("Here's your new byte: %x\n", *b);
33 |
34 |     return;
35 | }
36 |
     /*
      * main(): four rounds of "read a hex address, read a bit index 0..7, call
      * flip()", then exits.
      */
37 | int main(unsigned long argc, char **argv) {
38 |     setvbuf(stdout, NULL, _IONBF, 0);
39 |
         /* fgets(input, 10, ...) keeps at most 9 characters per read; the rest
          * of a longer line stays in stdin for the next fgets(). */
40 |     char input[10];
41 |
42 |     printf("Welcome to the bit.\n\nNo nonsense, just pwn this binary. You have 4 tries. Live up to kmh's expectations, and get the flag.\n\n");
43 |
44 |     for(int i = 0; i < 4; i++) {
45 |         printf("Give me the address of the byte: ");
46 |         fgets(input, 10, stdin);
47 |         unsigned long decoded = (unsigned long) strtoul(input, NULL, 16);
48 |
             /* NOTE(review): errno is cleared after strtoul() has already run
              * and is tested immediately, so the ERANGE branch is never taken.
              * The reset belongs before the strtoul() call. */
49 |         errno = 0;
50 |         if (errno == ERANGE) {
51 |             printf("Lol, try again (hex uint32).");
52 |             exit(1);
53 |         } else {
54 |             printf("Give me the index of the bit: ");
55 |             fgets(input, 10, stdin);
56 |             unsigned short int offset = (unsigned short int) strtol(input, NULL, 10);
57 |
                 /* offset is unsigned, so `offset < 0` is always false; a
                  * negative entry wraps to a large value and is rejected by
                  * the `> 7` test. */
58 |             if(offset < 0 || offset > 7) {
59 |                 printf("Try again.");
60 |                 exit(1);
61 |             }
62 |
                 /* %08x is given an unsigned long. */
63 |             printf("Took care of %08x at offset %d for ya.\n\n", decoded, offset);
64 |
65 |             flip(decoded, offset);
66 |         }
67 |     }
68 |
69 |     printf("Well, at least you tried.\n");
70 |     exit(0);
71 | }
72 |
--------------------------------------------------------------------------------
/pwn/byte/byte.c:
--------------------------------------------------------------------------------
 1 | #include
 2 | #include
 3 | #include
 4 | #include
 5 | #include
 6 | #include
 7 |
 8 | void flag();
 9 | void handler();
     /* Declared here, but the function defined below is named zero(). */
10 | void flip(unsigned long byte);
11 |
     /*
      * flag(): prints the contents of the file "flag" and exits.
      * NOTE(review): as in bit.c, the fopen() result is unchecked and fgetc()'s
      * int result is stored in a char before the EOF comparison.
      */
12 | void flag() {
13 |     FILE *f;
14 |     char s;
15 |
16 |     printf("that was easy, right? try the next level (bit). here's your flag: ");
17 |
18 |     f = fopen("flag", "r");
19 |
20 |     while((s = fgetc(f)) != EOF) {
21 |         printf("%c", s);
22 |     }
23 |
24 |     fclose(f);
25 |
26 |     exit(0);
27 | }
28 |
     /* handler(): prints a message. It is never installed; main() sets SIGSEGV
      * to SIG_IGN instead. */
29 | void handler() {
30 |     printf("Something didn't go right (segfault).");
31 |
32 |     return;
33 | }
34 |
     /*
      * zero(): treats `byte` as an address and stores 0 in the unsigned long
      * located there.
      * NOTE(review): the address is not validated, and the store clears a whole
      * unsigned long rather than one byte. `val` is unused.
      */
35 | void zero(unsigned long byte) {
36 |     unsigned long *b = (void*) (unsigned long) byte;
37 |     unsigned char val = *b;
38 |
39 |     *b = 0;
40 |
41 |     return;
42 | }
43 |
     /*
      * main(): two rounds of "read a hex address, check that the text starts
      * with 'f', zero() that address"; afterwards flag() is called only if
      * isnormaluser has become 0.
      * NOTE(review): in both branches of the check a message is appended to the
      * user-supplied text with strcat() and the result is passed to printf() as
      * the format string (lines 70 and 77 of this file), so conversion
      * specifications typed by the user are interpreted; printf("%s", input)
      * prints the text literally. Presumably deliberate for the challenge.
      */
44 | int main(unsigned long argc, char **argv) {
45 |     setvbuf(stdout, NULL, _IONBF, 0);
46 |
         /* SIGSEGV is ignored rather than handled. */
47 |     signal(SIGSEGV, SIG_IGN);
48 |
49 |     char input[100];
50 |     unsigned short int isnormaluser;
51 |
52 |     isnormaluser = 0x1;
53 |
54 |     printf("Welcome to the byte.\n\nI'll give you a couple tries on this one.\n\n");
55 |
56 |     for(int i = 0; i < 2; i++) {
57 |         printf("Give me the address of the byte: ");
58 |         fgets(input, 10, stdin);
59 |         unsigned long decoded = (unsigned long) strtoul(input, NULL, 16);
60 |         input[strcspn(input, "\n")] = 0;
61 |
             /* NOTE(review): errno is cleared after strtoul() and tested at
              * once, so the ERANGE branch is never taken. */
62 |         errno = 0;
63 |         if (errno == ERANGE) {
64 |             printf("Lol, try again (hex uint32).");
65 |             exit(1);
66 |         } else if (input[0] != "f"[0]) {
67 |             // do a crappy check thing
68 |             strcat(input, " is not a valid pointer (must start with `f`. 
Try again.)\n\n"); 69 | 70 | printf(input); 71 | } else { 72 | int test; 73 | test = &test; 74 | 75 | strcat(input, " has been nullified!\n\n"); 76 | 77 | printf(input); 78 | 79 | zero(decoded); 80 | } 81 | } 82 | 83 | if(!isnormaluser) { 84 | flag(); 85 | } else { 86 | printf("Well, at least you tried.\n"); 87 | } 88 | exit(0); 89 | } 90 | -------------------------------------------------------------------------------- /reverse/paint/paint.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.28803.156 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "paint", "paint\paint.vcxproj", "{35CF32B2-7FB9-45CE-A050-7E269F8EA705}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "injector", "injector\injector.vcxproj", "{214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|x64 = Debug|x64 13 | Debug|x86 = Debug|x86 14 | Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705}.Debug|x64.ActiveCfg = Debug|x64 19 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705}.Debug|x64.Build.0 = Debug|x64 20 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705}.Debug|x86.ActiveCfg = Debug|Win32 21 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705}.Debug|x86.Build.0 = Debug|Win32 22 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705}.Release|x64.ActiveCfg = Release|x64 23 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705}.Release|x64.Build.0 = Release|x64 24 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705}.Release|x86.ActiveCfg = Release|Win32 25 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705}.Release|x86.Build.0 = Release|Win32 26 | {214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}.Debug|x64.ActiveCfg = Debug|x64 27 | 
{214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}.Debug|x64.Build.0 = Debug|x64 28 | {214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}.Debug|x86.ActiveCfg = Debug|Win32 29 | {214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}.Debug|x86.Build.0 = Debug|Win32 30 | {214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}.Release|x64.ActiveCfg = Release|x64 31 | {214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}.Release|x64.Build.0 = Release|x64 32 | {214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}.Release|x86.ActiveCfg = Release|Win32 33 | {214ADBDF-3BE7-4A8D-955A-F1D0AFECF345}.Release|x86.Build.0 = Release|Win32 34 | EndGlobalSection 35 | GlobalSection(SolutionProperties) = preSolution 36 | HideSolutionNode = FALSE 37 | EndGlobalSection 38 | GlobalSection(ExtensibilityGlobals) = postSolution 39 | SolutionGuid = {916FDED9-ED4F-43FA-BBD6-A7E0921F505B} 40 | EndGlobalSection 41 | EndGlobal 42 | -------------------------------------------------------------------------------- /web/agent-keith/src/.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | .hypothesis/ 51 | .pytest_cache/ 52 | 53 | # Translations 54 | *.mo 55 | *.pot 56 | 57 | # Django stuff: 58 | *.log 59 | local_settings.py 60 | db.sqlite3 61 | 62 | # Flask stuff: 63 | instance/ 64 | .webassets-cache 65 | 66 | # Scrapy stuff: 67 | .scrapy 68 | 69 | # Sphinx documentation 70 | docs/_build/ 71 | 72 | # PyBuilder 73 | target/ 74 | 75 | # Jupyter Notebook 76 | .ipynb_checkpoints 77 | 78 | # IPython 79 | profile_default/ 80 | ipython_config.py 81 | 82 | # pyenv 83 | .python-version 84 | 85 | # pipenv 86 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 87 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 88 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 89 | # install all needed dependencies. 90 | #Pipfile.lock 91 | 92 | # celery beat schedule file 93 | celerybeat-schedule 94 | 95 | # SageMath parsed files 96 | *.sage.py 97 | 98 | # Environments 99 | .env 100 | .venv 101 | env/ 102 | venv/ 103 | ENV/ 104 | env.bak/ 105 | venv.bak/ 106 | 107 | # Spyder project settings 108 | .spyderproject 109 | .spyproject 110 | 111 | # Rope project settings 112 | .ropeproject 113 | 114 | # mkdocs documentation 115 | /site 116 | 117 | # mypy 118 | .mypy_cache/ 119 | .dmypy.json 120 | dmypy.json 121 | 122 | # Pyre type checker 123 | .pyre/ 124 | -------------------------------------------------------------------------------- /crypto/tuxs-kitchen/problem.py: -------------------------------------------------------------------------------- 1 | import random 2 | 3 | good_image = """ 4 | TUX's KITCHEN 5 | ..- - . 6 | ' `. 7 | '.- . .--. . 
8 | |: _ | : _ :| 9 | |`(@)--`.(@) | 10 | : .' `-, : 11 | :(_____.-'.' ` 12 | : `-.__.-' : 13 | ` _. _. . 14 | / / `_ ' \\ . 15 | . : \\ \\ 16 | . : _ __ .\\ . 17 | . / : `. \\ 18 | : / ' : `. . 19 | ' ` : : : `. 20 | .`_ : : / ' | 21 | :' \\ . : '__ : 22 | .--' \\`-._ . .' : `). 23 | ..| \\ ) : '._.' : 24 | ; \\-'. ..: / 25 | '. \\ - ....- | ' 26 | -. : _____ | .' 27 | ` -. .'-- --`. .' 28 | `-- -- 29 | """ 30 | 31 | flag = open('flag.txt','r').read() 32 | MY_LUCKY_NUMBER = 29486316 33 | 34 | # I need to bake special stuff! 35 | def bake_it(): 36 | s = 0 37 | for i in range(random.randint(10000,99999)): 38 | s = random.randint(100000000000,999999999999) 39 | s -= random.randint(232,24895235) 40 | return random.randint(100000000000,999999999999) 41 | 42 | # Create my random mess 43 | def rand0m_mess(food,key): 44 | mess = [] 45 | mess.append(key) 46 | art = key 47 | bart = bake_it() 48 | cart = bake_it() 49 | dart = bake_it() 50 | for i in range(len(food)-1): 51 | art = (art*bart+cart)%dart 52 | mess.append(art) 53 | return mess 54 | 55 | # Gotta prepare the food!!! 56 | def prepare(food): 57 | good_food = [] 58 | for i in range(len(food)): 59 | good_food.append(food[i]^MY_LUCKY_NUMBER) 60 | for k in range(len(good_food)): 61 | good_food[i] += MY_LUCKY_NUMBER 62 | return good_food 63 | 64 | # Bake it!!! 
65 | def final_baking(food,key): 66 | baked = rand0m_mess(food,key) 67 | treasure = [] 68 | for i in range(len(baked)): 69 | treasure.append(ord(food[i])*baked[i]) 70 | treasure = prepare(treasure) 71 | return treasure 72 | 73 | print(good_image) 74 | key = bake_it() 75 | print(final_baking(flag,key)) -------------------------------------------------------------------------------- /crypto/multiplication-service/problem.sage: -------------------------------------------------------------------------------- 1 | # privkey is an integer 2 | from secret import privkey, flag 3 | 4 | def welcome(): 5 | print("Welcome to our multiplication service") 6 | print("Enter one of the following:") 7 | print("0 : get curve params") 8 | print("1 : get multiple on point") 9 | print("2 : guess private key") 10 | choice = raw_input("enter choice\n") 11 | if choice == '0': 12 | print("Ed448") 13 | print("ax^2 + y^2 = 1 + dx^2y^2, x,y in F_p") 14 | print("a = 1") 15 | print("d = -39081") 16 | print("p = 2^448 - 2^224 - 1") 17 | elif choice == '1': 18 | print("Enter point in the form `x,y`") 19 | coordinate = raw_input() 20 | coords = coordinate.split(",") 21 | point = (int(coords[0]), int(coords[1])) 22 | print(sign(point)) 23 | else: 24 | print("enter private key guess as an integer") 25 | guess = int(raw_input()) 26 | if guess == privkey: 27 | print(flag) 28 | else: 29 | print("Try again!") 30 | 31 | 32 | p = 2^448 - 2^224 - 1 33 | a = 1 % p 34 | d = (-39081) % p 35 | 36 | # Naive twisted edwards point addition, returns p3 = p1 + p2 37 | def TwistedEdwardsPointAdd(p1, p2): 38 | denominator_prod = d * p1[0] * p2[0] * p1[1] * p2[1] 39 | p3_x = p1[0] * p2[1] + p2[0] * p1[1] % p 40 | p3_x *= inverse_mod(1 + denominator_prod, p) 41 | p3_x %= p 42 | p3_y = p1[1] * p2[1] - a * p1[0] * p2[0] % p 43 | p3_y *= inverse_mod(1 - denominator_prod, p) 44 | p3_y %= p 45 | return (p3_x, p3_y) 46 | 47 | # privkey is generated according to this 48 | def keygen(): 49 | rand1 = randint(1, 
132156247253163728496320586201074) 50 | rand2 = randint(1, 2**40) 51 | rand3 = randint(1, 2**40) 52 | rand4 = randint(1, 2**40) 53 | rand5 = randint(1, 2**40) 54 | key = CRT([rand1, rand2, rand3, rand4, rand5], [132156247253163728496320586201074, 1469495262398780123809, 167773885276849215533569, 596242599987116128415063, 37414057161322375957408148834323969]) 55 | return key 56 | 57 | def scalar_mul(point, scalar): 58 | if scalar == 0: 59 | return 0 60 | if scalar == 1: 61 | return point 62 | if scalar % 2 == 1: 63 | return TwistedEdwardsPointAdd(point, scalar_mul(point, scalar - 1)) 64 | else: 65 | return scalar_mul(TwistedEdwardsPointAdd(point, point), scalar / 2) 66 | 67 | def sign(point): 68 | return scalar_mul(point, privkey) 69 | 70 | if __name__ == "__main__": 71 | try: 72 | welcome() 73 | except: 74 | print("bad input") 75 | pass -------------------------------------------------------------------------------- /reverse/paint/paint/xor.hpp: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | 6 | #define BEGIN_NAMESPACE( x ) namespace x { 7 | #define END_NAMESPACE } 8 | 9 | BEGIN_NAMESPACE(XorCompileTime) 10 | 11 | constexpr auto time = __TIME__; 12 | constexpr auto seed = static_cast(time[7]) + static_cast(time[6]) * 10 + static_cast(time[4]) * 60 + static_cast(time[3]) * 600 + static_cast(time[1]) * 3600 + static_cast(time[0]) * 36000; 13 | 14 | // 1988, Stephen Park and Keith Miller 15 | // "Random Number Generators: Good Ones Are Hard To Find", considered as "minimal standard" 16 | // Park-Miller 31 bit pseudo-random number generator, implemented with G. 
Carta's optimisation: 17 | // with 32-bit math and without division 18 | 19 | template < int N > 20 | struct RandomGenerator 21 | { 22 | private: 23 | static constexpr unsigned a = 16807; // 7^5 24 | static constexpr unsigned m = 2147483647; // 2^31 - 1 25 | 26 | static constexpr unsigned s = RandomGenerator< N - 1 >::value; 27 | static constexpr unsigned lo = a * (s & 0xFFFF); // Multiply lower 16 bits by 16807 28 | static constexpr unsigned hi = a * (s >> 16); // Multiply higher 16 bits by 16807 29 | static constexpr unsigned lo2 = lo + ((hi & 0x7FFF) << 16); // Combine lower 15 bits of hi with lo's upper bits 30 | static constexpr unsigned hi2 = hi >> 15; // Discard lower 15 bits of hi 31 | static constexpr unsigned lo3 = lo2 + hi; 32 | 33 | public: 34 | static constexpr unsigned max = m; 35 | static constexpr unsigned value = lo3 > m ? lo3 - m : lo3; 36 | }; 37 | 38 | template <> 39 | struct RandomGenerator< 0 > 40 | { 41 | static constexpr unsigned value = seed; 42 | }; 43 | 44 | template < int N, int M > 45 | struct RandomInt 46 | { 47 | static constexpr auto value = RandomGenerator< N + 1 >::value % M; 48 | }; 49 | 50 | template < int N > 51 | struct RandomChar 52 | { 53 | static const char value = static_cast(1 + RandomInt< N, 0x7F - 1 >::value); 54 | }; 55 | 56 | template < size_t N, int K > 57 | struct XorString 58 | { 59 | private: 60 | const char _key; 61 | std::array< char, N + 1 > _encrypted; 62 | 63 | constexpr char enc(char c) const 64 | { 65 | return c ^ _key; 66 | } 67 | 68 | char dec(char c) const 69 | { 70 | return c ^ _key; 71 | } 72 | 73 | public: 74 | template < size_t... Is > 75 | constexpr __forceinline XorString(const char* str, std::index_sequence< Is... >) : _key(RandomChar< K >::value), _encrypted{ enc(str[Is])... 
} 76 | { 77 | } 78 | 79 | __forceinline decltype(auto) decrypt(void) 80 | { 81 | for (size_t i = 0; i < N; ++i) { 82 | _encrypted[i] = dec(_encrypted[i]); 83 | } 84 | _encrypted[N] = '\0'; 85 | return _encrypted.data(); 86 | } 87 | }; 88 | 89 | #define XorStr( s ) ( XorCompileTime::XorString< sizeof( s ) - 1, __COUNTER__ >( s, std::make_index_sequence< sizeof( s ) - 1>() ).decrypt() ) 90 | 91 | END_NAMESPACE -------------------------------------------------------------------------------- /crypto/tuxs-kitchen/files/chall.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import SocketServer 4 | import random 5 | 6 | good_image = """ 7 | TUX's KITCHEN 8 | ..- - . 9 | ' `. 10 | '.- . .--. . 11 | |: _ | : _ :| 12 | |`(@)--`.(@) | 13 | : .' `-, : 14 | :(_____.-'.' ` 15 | : `-.__.-' : 16 | ` _. _. . 17 | / / `_ ' \\ . 18 | . : \\ \\ 19 | . : _ __ .\\ . 20 | . / : `. \\ 21 | : / ' : `. . 22 | ' ` : : : `. 23 | .`_ : : / ' | 24 | :' \\ . : '__ : 25 | .--' \\`-._ . .' : `). 26 | ..| \\ ) : '._.' : 27 | ; \\-'. ..: / 28 | '. \\ - ....- | ' 29 | -. : _____ | .' 30 | ` -. .'-- --`. .' 31 | `-- -- 32 | """ 33 | 34 | flag = open('flag.txt','r').read() 35 | MY_LUCKY_NUMBER = 29486316 36 | 37 | # I need to bake special stuff! 38 | def bake_it(): 39 | s = 0 40 | for i in range(random.randint(10000,99999)): 41 | s = random.randint(100000000000,999999999999) 42 | s -= random.randint(232,24895235) 43 | return random.randint(100000000000,999999999999) 44 | 45 | # Create my random mess 46 | def rand0m_mess(food,key): 47 | mess = [] 48 | mess.append(key) 49 | art = key 50 | bart = bake_it() 51 | cart = bake_it() 52 | dart = bake_it() 53 | for i in range(len(food)-1): 54 | art = (art*bart+cart)%dart 55 | mess.append(art) 56 | return mess 57 | 58 | # Gotta prepare the food!!! 
def prepare(food):
    """Return a new list built from `food` (a list of integers).

    Each element is XORed with MY_LUCKY_NUMBER, then MY_LUCKY_NUMBER is
    added in a second loop.
    """
    good_food = []
    for i in range(len(food)):
        good_food.append(food[i]^MY_LUCKY_NUMBER)
    for k in range(len(good_food)):
        # NOTE(review): this loop indexes with `i`, not its own loop variable
        # `k`, so the addition is not applied per element - confirm intended.
        good_food[i] += MY_LUCKY_NUMBER
    return good_food

# Bake it!!!
def final_baking(food,key):
    """Mask `food` (a string) with the sequence from rand0m_mess(food, key).

    Each character code is multiplied by the matching sequence value and the
    products are passed through prepare(). Returns a list of integers.
    """
    baked = rand0m_mess(food,key)
    treasure = []
    for i in range(len(baked)):
        # Multiplicative masking: each output is a multiple of the character code.
        treasure.append(ord(food[i])*baked[i])
    treasure = prepare(treasure)
    return treasure

SocketServer.TCPServer.allow_reuse_address = True

class ThreadedTCPRequestHandler(SocketServer.BaseRequestHandler):
    def handle(self):
        """Send the banner, then the flag masked under a fresh key."""
        # 15-second socket timeout per connection.
        self.request.settimeout(15)
        self.request.sendall(good_image)
        # bake_it() draws from the `random` module, which is not a
        # cryptographically secure generator.
        key = bake_it()
        # Every connection gets the same flag masked with new parameters.
        self.request.sendall(str(final_baking(flag,key)))

class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
    pass

if __name__ == '__main__':
    # Listens on all interfaces, TCP port 2000.
    server = ThreadedTCPServer(('0.0.0.0', 2000), ThreadedTCPRequestHandler)
    server.allow_reuse_address = True
    server.serve_forever()
--------------------------------------------------------------------------------
/crypto/multiplication-service/problem.py:
--------------------------------------------------------------------------------
# privkey is an integer
from secret import privkey, flag

# Curve parameters; option 0 of the menu below prints them as "Ed448".
p = 2**448 - 2**224 - 1
a = 1 % p
d = (-39081) % p

# Naive twisted edwards point addition, returns p3 = p1 + p2
def TwistedEdwardsPointAdd(p1, p2):
    """Add two points given as (x, y) tuples, working modulo p.

    Raises ValueError (from inverse_mod) when a denominator is not
    invertible modulo p.

    NOTE(review): nothing here checks that p1 or p2 satisfy
    a*x^2 + y^2 = 1 + d*x^2*y^2.
    """
    denominator_prod = d * p1[0] * p2[0] * p1[1] * p2[1]
    # `%` binds tighter than `+`/`-`, so only the second product is reduced
    # here; the later `%= p` reduces the whole value.
    p3_x = p1[0] * p2[1] + p2[0] * p1[1] % p
    p3_x *= inverse_mod(1 + denominator_prod, p)
    p3_x %= p
    p3_y = p1[1] * p2[1] - a * p1[0] * p2[0] % p
    p3_y *= inverse_mod(1 - denominator_prod, p)
    p3_y %= p
    return (p3_x, p3_y)

# privkey is generated according to this
# def keygen():
#     rand1 = randint(1, 132156247253163728496320586201074)
#     rand2 = randint(1, 2**40)
#     rand3 = randint(1, 2**40)
#     rand4 = randint(1, 2**40)
#     rand5 = randint(1, 2**40)
#     key = CRT([rand1, rand2, rand3, rand4, rand5], [132156247253163728496320586201074, 1469495262398780123809, 167773885276849215533569, 596242599987116128415063, 37414057161322375957408148834323969])
#     return key

def scalar_mul(point, scalar):
    """Recursive double-and-add: return `scalar` * `point`.

    NOTE(review): for scalar == 0 this returns the integer 0, not a point
    tuple. The branch taken depends on the low bit of the scalar, so the
    computation is not constant-time with respect to it.
    """
    if scalar == 0:
        return 0
    if scalar == 1:
        return point
    if scalar % 2 == 1:
        return TwistedEdwardsPointAdd(point, scalar_mul(point, scalar - 1))
    else:
        # `/` is integer division on ints under Python 2 (this file uses
        # raw_input); under Python 3 it would produce a float.
        return scalar_mul(TwistedEdwardsPointAdd(point, point), scalar / 2)

def sign(point):
    """Return privkey * point.

    NOTE(review): the menu code below passes a point taken straight from user
    input, and neither this function nor the addition routine checks that it
    lies on the stated curve. Code handling real keys validates curve (and
    subgroup) membership before multiplying by a secret scalar.
    """
    return scalar_mul(point, privkey)


def extended_gcd(aa, bb):
    """Extended Euclidean Algorithm,
    from https://rosettacode.org/wiki/Modular_inverse#Python
    """
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def inverse_mod(a, m):
    """Modular Multiplicative Inverse,
    from https://rosettacode.org/wiki/Modular_inverse#Python
    """
    g, x, y = extended_gcd(a, m)
    # gcd != 1 means `a` has no inverse modulo `m`.
    if g != 1:
        raise ValueError
    return x % m

try:
    print("Welcome to our multiplication service")
    print("Enter one of the following:")
    print("0 : get curve params")
    print("1 : get multiple on point")
    print("2 : guess private key")
    choice = raw_input("enter choice\n")
    if choice == '0':
        print("Ed448")
        print("ax^2 + y^2 = 1 + dx^2y^2, x,y in F_p")
        print("a = 1")
        print("d = -39081")
        print("p = 2^448 - 2^224 - 1")
    elif choice == '1':
        print("Enter point in the form `x,y`")
        coordinate = raw_input()
        coords = coordinate.split(",")
        # Coordinates are parsed as integers and used as-is; no range or
        # curve-membership check follows.
        point = (int(coords[0]), int(coords[1]))
        print(sign(point))
    else:
        # Any choice other than '0' or '1' lands here, not only '2'.
        print("enter private key guess as an integer")
        guess = int(raw_input())
        if guess == privkey:
            print(flag)
        else:
            print("Try again!")

# Bare except: parse errors, a missing coordinate and the ValueError raised by
# inverse_mod are all reported as "bad input".
except:
    print("bad input")
    pass
--------------------------------------------------------------------------------
/crypto/spooky-ecc/solution.sage:
--------------------------------------------------------------------------------
# Adapted from https://gist.github.com/elliptic-shiho/e76e7c2a2aff228d7807

# This implements theorem 5.8 of
# https://people.cs.nctu.edu.tw/~rjchen/ECC2012S/Elliptic%20Curves%20Number%20Theory%20And%20Cryptography%202n.pdf
p = 0xb09700d3d1c7123f0b0336474c18c3f3f60002d480a4bce33f007c08b498197ed832687c47c2bc76b7eb199d3a420fcf77d3e5a32389fefb1032744bb473a4bd
A = 0x1b2a886d1cfcaecd03954657956cd03df56ec7709fbb0de738fb073ed20b92b6fa3d72f771618c5e2060a23c33b586a6046993894fd4950db2c12776e77fdbd1
B = 0x303bde5e945d46949b8c9986519a9a1f0301f61ff043b3bf2785fd85e365e4caa163c64ad307db8dbbac0087fd8562273ee61aac095815030cc73c7495b46ddb

E = EllipticCurve(GF(p), [A, B])

# Prints whether the group order equals the field prime p - presumably the
# precondition for the method below. NOTE(review): seen from the defender's
# side, parameter validation should reject curves with this property.
print E.order() == p

g = E(0x9f12acd5b74cc67e03506be8f904087863ce7fd8ed1de6404f26e8e96bea3761fca1f5b21def5298e7adbbf8787ea431a43d241fda6bc9fbaddeaff35ab4f7c3, 0x51f33f0e5c36e1bf91ac78b04c7e4f819bfad8db291fc2e20c10ee00e98525927719ecf0e8b96c5e62e3f48a38b94e72dddee1109bfdad9c7dfd3f566da69eb4)
v = E(1177058043549358413014554258002815119079001682731148396776662750875463733619059415667987598866208023692880799135159888362631239206873676420277546691755222, 6042132606876152754155047441818131810928517366269481359146510190883638121779596002132009344517568983680414721512960291321687246617263491498797986759689315)

def hensel_lift(point):
    """Return (x, lifted_y) for `point`, with lifted_y = y + p*t.

    t is computed from the curve-equation residue `fr` as described in the
    inline comments; the result is meant as a lift of the point modulo p^2.
    """
    x,y = map(long, point.xy())
    fr = y**2 - (x**3 + A*x + B)
    # t = (-fr / p) / f'
    # f'= 2y
    t = (((- fr / p) % p) * inverse_mod(2*y, p)) % p
    lifted_y = y + p * t
    return x, lifted_y

x1, y1 = hensel_lift(g)
x2, y2 = hensel_lift(v)

# Now we take a lift of E, and it will be mod p^2
# A lift of E just means a curve that contains the lifts of g and v,
# and reduces to E mod p

A2 = y2**2 - y1**2 - (x2**3 - x1**3)
A2 = A2 * inverse_mod(x2 - x1, p^2)
A2 %= p^2

B2 = y1**2 - x1**3 - A2 * x1
B2 %= p^2

# new curve
E2 = EllipticCurve(IntegerModRing(p^2), [A2, B2])

# calculate dlog
# We use the ideas of Lawrence C. Washington's Elliptic curves (Theorem 5.8)
# We multiply by (p - 1) so the denominators don't have a factor of p, since if it did, we can't invert by it.
g2 = (p - 1) * E2(x1, y1)
v2 = (p - 1) * E2(x2, y2)

g2x, g2y = map(long, g2.xy())
v2x, v2y = map(long, v2.xy())

# The factors of p in computation of m1 and m2 are divided out of the x terms before inversion

m1 = (g2y - y1) * inverse_mod(((g2x - x1) / p) % p, p)
m2 = (v2y - y2) * inverse_mod(((v2x - x2) / p) % p, p)

dlog = (m1 * inverse_mod(m2, p)) % p

print dlog

# Sanity check of the recovered scalar against the original curve.
assert g * dlog == v

# Boring stuff for problem

bob_pub_x = 0x993cf91c25dd287e30cb8f6a0d4fa70e89e90ac0953e7ee876b1ef190a6a442235479162b5ac61beb1d1a5aca03313ff5c53c2e3c81df2fbedf3b0add0b20d18
bob_pub_y = 0x4e75b39de8d5daa3f5f489c02b8fa2cce6f2cfb406bb4a5a0d75d29a3021dcd61df697ef485743e7f8a1b9cc60879bc808e74f9c909b2f0cecb1df0a03c771f5

bobPubKey = E(bob_pub_x, bob_pub_y)
DH_secret = dlog * bobPubKey

from hashlib import sha256
from Crypto.Cipher import AES
# Key is SHA-256 over str() of the shared point's coordinates, used with AES
# in ECB mode. ECB is unauthenticated and encrypts equal plaintext blocks to
# equal ciphertext blocks.
AES_secret = sha256(str(DH_secret.xy())).digest()
obj = AES.new(AES_secret, AES.MODE_ECB)

import binascii
ciphertext = binascii.unhexlify("d5cb4f93aa95af738bbcf5cbc1d4f1b66c9c9f84b4257035cf19e3ee41e2b79384fed7ef7d9fb58f6dfb86fefc95429b9f87b5b8a330aa082681fd140b8156bd")
print obj.decrypt(ciphertext) -------------------------------------------------------------------------------- /crypto/marginally-more-spooky-ecc/generator.sage: -------------------------------------------------------------------------------- 1 | p_1 = 0xe66ff99fb469d555895c17d0b7bf74600c0ce667d35e478c8e69e513cd762fe3aef5769846c37201ebe49caa4f25bbf9e24455596b4456ad27002adb07b21768ccf875c709351219aacf897bc117a8bcfcce212e169155b8a686dfe8b79620be350ed0120347c19c86001976d19908e621148e5be483783e556b531b785844bb 2 | a_1 = 0x22cc95c5f123f65ee50d4934869b14f5838561f080805a87ebe45dca175f39acb6bd95f8cc7e53837ee21e38699cdd628387e6e1471174b5d065b49f79e873758dd9cb9af6641a920edfdb0c0f62b1bffbc2238af03896b2b25855ab1e315807f92844e66be1cfc89fe56728877bf76897ba6644dc53bf3b899807cee64a4701 3 | b_1 = 0xd3fcaf8e3b021c5eb77b72e0b8f073256e9e774afa933e764fbfd0f571d49be3ae5ba91a9eb9fe88375718138f8eb3869993c570eebc080bfd0f5eb4ec063e048dfa743f47679a5d87fc3b550e9836df9a37c81923e396b4900d45d6f056d8b2e7fd9a1051abbb3879b3a08cf11dbb2c23b39587338ec2f428ca242c37265b5a 4 | g_x = 0xa2dd74bbce3276c28966cd6340f6ffc26abc548d9a6335d38812ccf6fd5e559a9ad2f8f53535f6dcfc81e75ceb585cd4e8e1d00bb52adbcc771b7ca77ec8d2b7083edd882fb9b0be41866583edacb5b6a7ea465375845c3a41c87503c6f4dc01224b44ed784e158f6bff9f1a7982e5b94580ca90bf125b62ef874a90d1632ae3 5 | g_y = 0x37868302811791341c3f1016a8ebb0df3d44736e4be9619f5f4dd829d42b5a90fc2f5d9e7a72cdda63f4eab8617f6c6c0e24e685a53acf3c81f3aa3e8d93bad9ce57b516109df7594e0ae049d10f7f101756399b1fcba960bbf84fa30ec325e074b0ec57d5fbf75bfeae7fca0f0d7ebb6db6217ad6b0f9d9ab18aeb9bbdb6183 6 | 7 | p_2 = 0xb1d39b5965e80c58a78aa959d32ffc1518450157a107eea0d3228f21d2f90c57f4b03ba23105fde774e1e61d6e0915bd003892c0fdc40c6c33bbf86a05d96fcb9b0f7df1881e2555cc39b2048f152c2966603dd6616214474c298c527d761014bb7fead3f34c6a87cb4c9a2f75a2d3499929333cd85ac2b8c6ac9109de535a8b 8 | a_2 = 
0x186e854a49208664436e58176d26e8b78fdfa7ae607121fe1a94f953c79081bb22f119627e972784a65491227c8c7ad170609f4970552de194c5e467979368d01f595abffa0b77211f81f07946e037832e1bb83a3db54f18e7a7f24b0d72304657498c27e3023d8421651dd19565bdc76cca0eba67279ea6709416a3524a3630 9 | b_2 = 0x34be04bef0b5b6efa771b6f5925e5beefa6c26a9376aceed0cbd7eb8609dca598d9977c60a6e5fd055585932b4c71190865668141f3efac2f63e5ba6795cef5d3be24e070d33fd6f1bbbd6f029cb8978ca467773f735d5a9702a524a4016ce5eca8a1c574916cec9e154aad42ddf52cae8e1f99e784a976cb0e90d842893795d 10 | g_x_2 = 0x37791e29e780b81c93f7ec0d9235233cc31c1b15bcf5ab1e267171fa5f4b02215592a0b4dfcf05bcd3843e389eb2be37c4b66fc9bbda558197e8c4ab617915e3b7997c5aec56bee42ec22e70b2e401e2d2a26d812be077215a16925a96ae9fce688863cbc1b03d741f3eee7f51ddf89613bed2cae5698e904e8d14d0601d77f9 11 | g_y_2 = 0x64060ef74caf35735f1e444ae8475514782ffc09bd0149c0d7498231a5e3c9c37e304217447f73824f529cd462c64c542e8a4a736192468d27278e2732a841b25deeeb25b60b880699d484acd6db5caaeec916cae8a9bcf16ef0cbc6a08b1d28d85410d876b434ca747252feca743c0db8d0b41093c8f1bc1a1fc6cffd3c1fbc 12 | 13 | p_3 = 0x985df3056365ace5c211e62d3abc65e8482db98eb625494eb4d6e233030495d67100f7d443d911d1e57aeb56ac023e190f31a297be2a308ecc6a39b60521c2856c40d4471290678ec5b25f9f1e72b3f14ebc117f25cb38a5546d37f5372d3783e1b5a2f7be5026fbb12b7fc8970ba28a1c9290527f24b134e823e5f2850f6b1f 14 | a_3 = 0x2191f772f755a6fd0e18e2f3639c2589e5e10d009c09b419fe67a8f597c98b5a5eaf0c44a687a5d9af8e9c59dbbb87daff13f7f37fdbea36fc78a19057a9803966851f5fe010695d120ce04ceadf99ac592f31add3989fedfc882fb1a1dadd3d99f4061634b61da6e9b1658c8605f69bdba1da6f9abd6d51a3df76b618dd2048 15 | b_3 = 0x65f61db852b97f083673c8250ed6da9ca4f398126a679dcaaca47d94968542a8145749961a1acec525d38cd1f34a366812dc59e50a3fdbc88caf184cae0169baf168c42e62573b07fdb36fdcb8a4a3953951899440ace810f3fda5266c14fdec3f41c203119be0196966cfd298734184e54525eddc80d659da58d65f4ab28948 16 | g_x_3 = 
0x0f3294e244ca057c1d5f907a9d25a0a6bbd049658bea0746e3f20251d342d55c6b30c00de668e2d3439b88ce3f9836b81f0b6291366385f39aa4817709551288822e6d62768feec8ea185af757943dee64ddbbc1c8331c1f70dd0f8d9be57bf38b15b7fd21f52bbef9919e50507d2e4a91cb7b5bf9f9104435cecc5ebced9559 17 | g_y_3 = 0x0194f88c6cffc75c608bfe3ab23fe1ec6ecab603c9d3b872987eca41ca8e6c2bb45e956599a77ea7052a4ca3e9d41b00f2e890e2f54c5d1004fc45365fbcb650ac9ef9c400157fd83a3dc37127eae487b4c25c229eb396465d28ca5d6a24e489d16282de5afa94b7fc56bb88c4141c02104551156f7329fdba840c20c3f79dc3 18 | 19 | 20 | E1 = EllipticCurve(GF(p_1), [a_1, b_1]) 21 | E2 = EllipticCurve(GF(p_2), [a_2, b_2]) 22 | 23 | N = p_1*p_2*p_3 24 | a_N = CRT([a_1, a_2, a_3], [p_1, p_2, p_3]) 25 | b_N = CRT([b_1, b_2, b_3], [p_1, p_2, p_3]) 26 | g_x_N = CRT([g_x, g_x_2, g_x_3], [p_1, p_2, p_3]) 27 | g_y_N = CRT([g_y, g_y_2, g_y_3], [p_1, p_2, p_3]) 28 | 29 | E = EllipticCurve(Integers(N),[a_N, b_N]) 30 | g_N = E(g_x_N, g_y_N) 31 | 32 | g = E1(g_x, g_y) 33 | -------------------------------------------------------------------------------- /crypto/massive-rsa/massive.txt: -------------------------------------------------------------------------------- 1 | n = 
95068717282120054042872980915398124119260694108519988971000651252979931556165656478863720310137614461464919014677637836200193363627169777731713748191123302529108133115713531458276076866804693697895123013137127862845155579405206635623884016898252897151932333438199414382620039265468877413612084494188755829707149008797394488577800397383631101978575163654211944434904185218059514623905842486198870899106029894468066130539249228589802270507581439094166782230975453661026344950749131121519606792866913484261415465585028174831452923254298076418555460759260532121208187163010629012612366810645394168460406944263797297937418261720412367954688064695506347168080461138754160267580843318550496876480541371211509023401614694718082704032839168405628594223997792034789623095954619617722613980764027141402256918656551034130213414353986713374649254447227985974072244389272107657695218227411761612205042973344609032159835695433753661071339567066777578854083007791401623638254694450766484040562235293438041152539586357906261240487557811492794627268617275042152211933587952237588306409090285963511057812092818565975979215077602299251849747984471148387861349442621586798085638104074525229658405471825134510658278058753344541744142495799921266292393786280242671172206699806257444168027537750104907899112351867702751251330235053305760910654968650208378506164756226918186310772516029327297193180738145384985006605669791302816718357039294869634648093040032090464489883994222805918890422514218744460461212167656589328469731710634399816764038002397222203352019099495106449157237236810165014299287676142078555138613814828361519477597167357706336304992994595925809708646381246906859895548557457936361663410959390311656152692196549164640004060013848150536902734429533076716308748933340220163170861071891110690515447196337923367254387430719734221754478326370084324635182214560583995579863901634630836388976657460679365273031168789941558587389277889917992735996488221706694756679929817332685038233405417947438965149989111793836185
4701587568363867264590395711833275763832842002504433841816245069655064326325306033334336469743800464944131049874472540605264250854258280373869113420817955012823462838351481855289027030577957168468047751024562853260494808998446682723835213272609799649864902376137320638444968430858790173696935815430513690803796736064125183005539073920032869713201073105497655763097638587404309062750746064609677994654409535743453776560694719663801069746654445359756195253816544699551 2 | e = 65537 3 | c = 35803150675269155700231154747998837519698242204148660267462268950584150325589119349542348485253739123078781157548794733101861657806689185075236003003366696440634920566218968508681246624613985747443592248602642163938859644395329527367516756438188978890577347224588567713277361705129137973199506398961104980912130546880314855177079260980335137557106936693045730776259521680663332749219544261627262711342314356216665512276489897256586092814725932271280560087599438837720801760843471474774124985832148754754320110946721420911227177103361503349340660965386122391733810919326244543203260916139510002427204150355447649057551710095989295180508873548392704862519579993631128017277905271564526307539184184063394903239708291866505711594769888458240613079321126602823839681414611715892488404967953626100918878457123273068303783194022404982208131621682634644413653827860180397253005421905066689830154057564776364021820661188970735381059384323381486774590314498780514281593616073005457546214712694474141909481055832585490193127975554762429432546352888732626290248109902525315322298571715727237142395646513889278487943914117479725372040306519137895834003396589582385687971118099389583230697010574358820772741549518438053167666512180071320119234894066550179055076337978162749344127607759772010970040884808022114948559641929954812128785160558824620756897054844497530945724482446902682042143072301838405009511742064639264857789483570567298462693646141983313641880921906481000299138358469037601681814606554885338710782162738706114
5659169570667682815001659475702299150425968489723185023734605402721950322618778361500790860436305553373620345189103147000675410970964950319723908599010461359668359916257252524290941929329344189971893558606572573665758188839754783710992996790764297302297263058216442742649741478512564068171266181773137060969745593802381540073397960444915230200708170859754559500051431883110028690791716906470624666328560717322458030544811229295722551849062570074938188113143167107247887066194761639893865268761243061406701905009155852073538976526544132556878584303616835564050808296190660548444328286965504238451837563164333849009829715536534194161169283679744857703254399005457897171205489516009277290637116063165415762387507832317759826809621649619867791323227812339615334304473447955432417706078131565118376536807024099950882628684498106652639816295352225305807407640318163257501701063937626962730520365319344478183221104445194534512033852645130826246778909064441514943 4 | -------------------------------------------------------------------------------- /reverse/paint/injector/main.cpp: -------------------------------------------------------------------------------- 1 | #if defined _DEBUG 2 | #else 3 | #define NDEBUG 4 | #endif 5 | 6 | #define WIN32_LEAN_AND_MEAN 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #pragma comment(lib, "ntdll.lib") 21 | 22 | EXTERN_C NTSYSAPI 23 | NTSTATUS NTAPI NtWriteVirtualMemory( 24 | _In_ HANDLE ProcessHandle, 25 | _In_ PVOID BaseAddress, 26 | _In_ PVOID Buffer, 27 | _In_ SIZE_T NumberOfBytesToWrite, 28 | _Out_opt_ PSIZE_T NumberOfBytesWritten 29 | ); 30 | 31 | EXTERN_C NTSYSAPI 32 | NTSTATUS NTAPI NtOpenProcess( 33 | _Out_ PHANDLE ProcessHandle, 34 | _In_ ACCESS_MASK DesiredAccess, 35 | _In_ POBJECT_ATTRIBUTES ObjectAttributes, 36 | _In_opt_ CLIENT_ID* ClientId 37 | ); 38 | 39 | namespace detail 40 | { 41 | template 42 | struct recursive_decay 
43 | { 44 | using type = std::decay_t; 45 | }; 46 | 47 | template 48 | struct recursive_decay>> 49 | { 50 | using type = std::add_pointer_t>::type>; 51 | }; 52 | 53 | template 54 | using recursive_decay_t = typename recursive_decay::type; 55 | } 56 | 57 | template 58 | auto offset_ptr(T ptr, const std::ptrdiff_t offset) -> detail::recursive_decay_t 59 | { 60 | auto address = (std::uintptr_t)(ptr) + offset; 61 | return (detail::recursive_decay_t)(address); 62 | } 63 | 64 | auto file_exists(std::string dll_name) -> bool 65 | { 66 | return std::ifstream(dll_name).good(); 67 | } 68 | 69 | auto get_process_id(std::string process_name) -> HANDLE 70 | { 71 | auto len = ULONG(0); 72 | NtQuerySystemInformation(SystemProcessInformation, nullptr, 0, &len); 73 | const auto buf = alloca(len); 74 | auto ret = NtQuerySystemInformation(SystemProcessInformation, buf, len, nullptr); 75 | 76 | assert(NT_SUCCESS(ret)); 77 | 78 | if (!NT_SUCCESS(ret)) 79 | return INVALID_HANDLE_VALUE; 80 | 81 | auto it = PSYSTEM_PROCESS_INFORMATION(buf); 82 | 83 | do 84 | { 85 | char image_name[MAX_PATH + 1]; 86 | ANSI_STRING image_name_astr{ 0, sizeof(image_name), image_name }; 87 | 88 | ret = RtlUnicodeStringToAnsiString(&image_name_astr, &it->ImageName, FALSE); 89 | assert(NT_SUCCESS(ret)); 90 | 91 | image_name[image_name_astr.Length] = 0; 92 | 93 | for (auto& c : image_name) 94 | c = tolower(c); 95 | 96 | if (image_name == process_name) 97 | return it->UniqueProcessId; 98 | } while (it->NextEntryOffset && ((it = offset_ptr(it, it->NextEntryOffset)))); 99 | 100 | return INVALID_HANDLE_VALUE; 101 | } 102 | 103 | auto open_process(HANDLE pid, HANDLE & handle) -> void 104 | { 105 | CLIENT_ID client_id; 106 | client_id.UniqueProcess = pid; 107 | client_id.UniqueThread = nullptr; 108 | 109 | OBJECT_ATTRIBUTES attr; 110 | InitializeObjectAttributes(&attr, nullptr, FALSE, nullptr, nullptr); 111 | 112 | auto ret = NtOpenProcess(&handle, PROCESS_ALL_ACCESS, &attr, &client_id); 113 | assert(NT_SUCCESS(ret)); 
114 | } 115 | 116 | auto close_process(HANDLE process) -> void 117 | { 118 | NtClose(process); 119 | } 120 | 121 | auto inject(HANDLE process, std::string dll) -> void 122 | { 123 | char dll_name[MAX_PATH] = { 0 }; 124 | GetFullPathNameA(dll.c_str(), MAX_PATH, dll_name, 0); 125 | 126 | auto allocated_memory = VirtualAllocEx(process, nullptr, sizeof(dll_name), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 127 | 128 | auto ret = NtWriteVirtualMemory(process, allocated_memory, dll_name, sizeof(dll_name), nullptr); 129 | assert(NT_SUCCESS(ret)); 130 | 131 | CreateRemoteThread(process, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibrary, allocated_memory, 0, 0); 132 | } 133 | 134 | auto main() -> int 135 | { 136 | std::cout << "LoadLibrary DLL Injector" << std::endl << std::endl; 137 | 138 | auto dll_name{ std::string("") }; 139 | std::cout << "DLL Name: "; 140 | std::cin >> dll_name; 141 | 142 | if (!file_exists(dll_name)) 143 | { 144 | std::cout << std::endl << "[ERROR] DLL not found." << std::endl; 145 | system("pause"); 146 | return EXIT_FAILURE; 147 | } 148 | 149 | auto process_name{ std::string("") }; 150 | std::cout << "Process Name: "; 151 | std::cin >> process_name; 152 | 153 | const auto pid{ get_process_id(process_name) }; 154 | 155 | if (pid == INVALID_HANDLE_VALUE) 156 | { 157 | std::cout << std::endl << "[ERROR] Process not found." 
<< std::endl; 158 | system("pause"); 159 | return EXIT_FAILURE; 160 | } 161 | 162 | static auto process{ INVALID_HANDLE_VALUE }; 163 | 164 | open_process(pid, process); 165 | inject(process, dll_name); 166 | close_process(process); 167 | Beep(330, 1000); 168 | 169 | return EXIT_SUCCESS; 170 | } 171 | -------------------------------------------------------------------------------- /crypto/marginally-more-spooky-ecc/problem.sage: -------------------------------------------------------------------------------- 1 | N = 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 2 | A = 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 3 | B = 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 4 | g_x = 0x3f66670d68519cbe0057246a150b34c579e34ec8880bbc4863a9e3cb4794f90ab5efaf00a9ddd323eeb3eb654e1d508be16f5ba3411ab929553fbb0b1c76e9e897055ec094d8747d5cdd47161296547442d8fd63a798d385490ea57aaa3af4af8a75a2495aeda31da47bc1a890abe142784f8743a71861a8c1aab547999acae9e6f72f320b6f550bca5222936b3cc1dfbd657c9cd655121d2a0c83047621f20e65fdba41ec098c6b51269ab8fe22938c292ae199ff49ad9afcc6e99f8d462ee0499c7e58eae6861d593426790fb6d747695e0f93dd3e00e29bb37911e88c13543467444a3ba90d7c9a4eb30aa2b7fd37fb209e034a15ff40b08ea4916311b22e54015fa1772b12dae675780a87546b8cda2bdc324be8b83a1b99a5c151339445a66a2828554b611a4257026d9c20c90617412a85f2786a45fb590c444a3c88d6b8ff38fc2e8972ebc1492c248add99c48f2ec70db4d2460da32d064d58aeeb895cf4e9a20a2b8ce12e426b3f62795adee331b1b61afa2e43884e35818ebe80d6 5 | g_y = 
0x38ba31ae0253a3a4070ef7e4380f40684f5a061f49d6591661ad5b4ff57deda46923bdc8185fcda5942f404030516ca5d1c7cf7ec9b43e4cbcdeed0296906988fa054a18d5a7f70f06692a140cf69e669884889bc778d72bd9a1e5c1dcdfba16121461a221dcdac7287ad5b6d3710c00fd100ef89c038baf23c621766e470501aa86de194539fb087dddc3ad5c0f3c78a79d0f4a981850af7c3cb86f392286fe075b10f5761d923cdfcd92cc1017bdee4e83ac64692ac76c40057735122813b2003b19422dc3adaf0f502eb254685ae88161fbde92027d8f419f4f939c988ee7ec34a05736e105d647baf2b84304caf006f39f85096419a11801f2402e02791f3d9813bdd50d8a0a7aaeade853d7b17e75f68612467cc59f7ec3e63ddb3551a697ba02f772671c4569acd5edec0e1e8e6f73fcb032d99789cefb572deb8b6ff330ddd48a2bcf77b47862925a155670679fc9acfd7900d4250a20821eb52a86819daec526f31bfd27cc26d46dfe71da188efde1cbdb115b2cacd910f3f4fb0c63

# Curve object over the ring Integers(N) and its base point.
E = EllipticCurve(Integers(N), [A, B])
g = E(g_x, g_y)

# The modulus N is used as the group order when sampling private keys.
# NOTE(review): nothing visible here verifies that N is the order of g.
E_order = N

def generateKey():
    """Return (public, private), where public = g * private.

    `private` is drawn with randint from 1 to E_order - 1.
    NOTE(review): presumably Sage's randint; it is not established here
    that this is a cryptographically secure source.
    """
    private = randint(1, E_order - 1)
    public = g * private

    return(public, private)

def computeSharedSecret(pubkey, privkey):
    """Return the Diffie-Hellman shared point pubkey * privkey."""
    return pubkey * privkey

def secure_send_flag():
    """Print an ephemeral public key and the flag encrypted under the shared key.

    NOTE(review): AES is used in ECB mode with space padding and a key taken
    from SHA-256 over str() of the shared point. ECB is unauthenticated and
    encrypts equal plaintext blocks to equal ciphertext blocks; an
    authenticated mode and a standard KDF are the usual choices.
    """
    from secret import flag
    myPubKey, myPrivKey = generateKey()

    print myPubKey

    bob_pub_x = 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
    bob_pub_y = 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

    bobPubKey = E(bob_pub_x, bob_pub_y)
    DH_secret = computeSharedSecret(bobPubKey, myPrivKey)
    from hashlib import sha256
    from Crypto.Cipher import AES
    AES_secret = sha256(str(DH_secret.xy())).digest()
    obj = AES.new(AES_secret, AES.MODE_ECB)
    # Pads with spaces up to a multiple of 16 bytes; adds nothing when the
    # length is already a multiple of 16.
    flag += " " * ((16 - len(flag)) % 16)
    ciphertext = obj.encrypt(flag)

    import binascii
    print binascii.hexlify(ciphertext)

--------------------------------------------------------------------------------
/reverse/paint/injector/injector.vcxproj:
--------------------------------------------------------------------------------
1 | 2 | 3 | 4 | 5 |
Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {214ADBDF-3BE7-4A8D-955A-F1D0AFECF345} 24 | injector 25 | 10.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v142 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v142 38 | true 39 | MultiByte 40 | 41 | 42 | Application 43 | true 44 | v142 45 | MultiByte 46 | 47 | 48 | Application 49 | false 50 | v142 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | Disabled 77 | true 78 | true 79 | 80 | 81 | Console 82 | 83 | 84 | 85 | 86 | Level3 87 | Disabled 88 | true 89 | true 90 | 91 | 92 | Console 93 | 94 | 95 | 96 | 97 | Level3 98 | MaxSpeed 99 | true 100 | true 101 | true 102 | true 103 | 104 | 105 | Console 106 | true 107 | true 108 | 109 | 110 | 111 | 112 | Level3 113 | MaxSpeed 114 | true 115 | true 116 | true 117 | true 118 | 119 | 120 | Console 121 | true 122 | true 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | -------------------------------------------------------------------------------- /reverse/paint/paint/paint.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | {35CF32B2-7FB9-45CE-A050-7E269F8EA705} 24 | paint 25 | 10.0 26 | 27 | 28 | 29 | Application 30 | true 31 | v142 32 | MultiByte 33 | 34 | 35 | Application 36 | false 37 | v142 38 | true 39 | MultiByte 40 | 41 | 42 | DynamicLibrary 43 | true 44 | v142 45 | MultiByte 46 | 47 | 48 | DynamicLibrary 49 | false 50 | v142 51 | true 52 | MultiByte 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | Level3 76 | Disabled 77 | true 78 | true 79 | 80 | 81 | Console 82 | 83 | 84 | 85 | 86 | Level3 87 | 
Disabled 88 | true 89 | true 90 | 91 | 92 | Console 93 | 94 | 95 | 96 | 97 | Level3 98 | MaxSpeed 99 | true 100 | true 101 | true 102 | true 103 | 104 | 105 | Console 106 | true 107 | true 108 | 109 | 110 | 111 | 112 | Level3 113 | MaxSpeed 114 | true 115 | true 116 | true 117 | true 118 | 119 | 120 | Console 121 | true 122 | true 123 | false 124 | false 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | -------------------------------------------------------------------------------- /reverse/virtualjava/VirtualJava.java: -------------------------------------------------------------------------------- 1 | public class VirtualJava { 2 | private static final String[] owo = {"ur too pro for this", "Hmmmm... I don't think so ;D"}; 3 | private int[] regs; 4 | private int[] stack; 5 | private int sp; 6 | private int ip; 7 | private boolean running; 8 | private int[] instructions; 9 | 10 | private VirtualJava(int[] instructions) { 11 | this.regs = new int[10]; 12 | this.stack = new int[10]; 13 | this.sp = 0; 14 | this.ip = 0; 15 | this.running = true; 16 | this.instructions = instructions; 17 | } 18 | 19 | private void push(int n) { 20 | this.stack[this.sp++] = n; 21 | } 22 | 23 | private int pop() { 24 | return this.stack[--this.sp]; 25 | } 26 | 27 | private int run(int... 
params) { 28 | if (params != null) for (int i = 0; i < params.length; i++) this.regs[i] = params[i]; 29 | while (this.running) { 30 | int opc = readByte(); 31 | int opn = readByte(); 32 | switch (opc) { 33 | case 0x0: 34 | push(pop() + pop()); 35 | break; 36 | case 0x1: { 37 | int y = pop(); 38 | int x = pop(); 39 | push(x - y); 40 | break; 41 | } 42 | case 0x2: 43 | push(pop() * pop()); 44 | break; 45 | case 0x3: 46 | int y = pop(); 47 | int x = pop(); 48 | push(x / y); 49 | break; 50 | case 0x4: 51 | if (pop() == 0) this.ip = opn; 52 | break; 53 | case 0x5: 54 | if (pop() != 0) this.ip = opn; 55 | break; 56 | case 0x6: 57 | push(opn); 58 | break; 59 | case 0x7: 60 | push(pop() & pop()); 61 | break; 62 | case 0x8: 63 | push(pop() | pop()); 64 | break; 65 | case 0x9: 66 | push(pop() ^ pop()); 67 | break; 68 | case 0xa: 69 | int a = pop(); 70 | push(a); 71 | push(a); 72 | break; 73 | case 0xb: 74 | push(this.regs[opn]); 75 | break; 76 | case 0xc: 77 | this.running = false; 78 | break; 79 | } 80 | } 81 | this.running = true; 82 | return this.stack[--this.sp]; 83 | } 84 | 85 | private int readByte() { 86 | return this.instructions[this.ip++] & 0xFF; 87 | } 88 | 89 | private static String getOutput(int n) { 90 | return n == 0 ? owo[n] : owo[1]; 91 | } 92 | 93 | public static void main(String... 
args) { 94 | if (args.length != 1 || args[0].toCharArray().length != 31) { 95 | System.out.println(getOutput(1)); 96 | System.exit(0); 97 | } 98 | VirtualJava java = new VirtualJava(new int[]{0xb, 0x0, 0x6, 0x0, 0x1, 0x64, 0x5, 0x14, 0xb, 0x1, 0x6, 99 | 0x65, 0x9, -0xf3, 0x6, 0xd, 0x1, -0xdd, 0xc, -0x70, 0xb, 0x0, 0x6, 0x1, 0x1, -0xed, 0x5, 0x28, 100 | 0xb, 0x1, 0x6, -0xee, 0x9, 0x89, 0x6, -0x9f, 0x1, -0xc5, 0xc, 0xd8, 0xb, 0x0, 0x6, 0x2, 0x1, 101 | 0xe, 0x5, 0x3c, 0xb, 0x1, 0x6, -0x7d, 0x9, 0xb8, 0x6, -0x20, 0x1, 0x50, 0xc, -0x9f, 0xb, 0x0, 102 | 0x6, 0x3, 0x1, 0x23, 0x5, 0x50, 0xb, 0x1, 0x6, -0x48, 0x9, -0xc0, 0x6, -0x34, 0x1, -0x52, 0xc, 103 | -0x6c, 0xb, 0x0, 0x6, 0x4, 0x1, -0xb7, 0x5, 0x64, 0xb, 0x1, 0x6, 0x73, 0x9, 0x6d, 0x6, 0x15, 104 | 0x1, -0x48, 0xc, -0x5e, 0xb, 0x0, 0x6, 0x5, 0x1, 0xe, 0x5, 0x78, 0xb, 0x1, 0x6, 0x7, 0x9, 105 | -0x3e, 0x6, 0x7c, 0x1, 0x98, 0xc, 0x7a, 0xb, 0x0, 0x6, 0x6, 0x1, -0xa3, 0x5, 0x8c, 0xb, 106 | 0x1, 0x6, -0x22, 0x9, 0x4, 0x6, -0x59, 0x1, -0xda, 0xc, -0x47, 0xb, 0x0, 0x6, 0x7, 0x1, 107 | -0xc6, 0x5, 0xa0, 0xb, 0x1, 0x6, 0x2c, 0x9, -0xee, 0x6, 0x1c, 0x1, -0x8e, 0xc, -0x90, 0xb, 108 | 0x0, 0x6, 0x8, 0x1, -0x6f, 0x5, 0xb4, 0xb, 0x1, 0x6, -0x63, 0x9, -0x4a, 0x6, -0x18, 0x1, 0x3c, 109 | 0xc, 0x9b, 0xb, 0x0, 0x6, 0x9, 0x1, -0x89, 0x5, 0xc8, 0xb, 0x1, 0x6, 0x93, 0x9, 0x3f, 0x6, 0xcc, 110 | 0x1, -0xd7, 0xc, -0x61, 0xb, 0x0, 0x6, 0xa, 0x1, 0x7f, 0x5, 0xdc, 0xb, 0x1, 0x6, 0x5b, 0x9, 0x27, 111 | 0x6, 0x3f, 0x1, 0xc2, 0xc, -0x5c, 0xb, 0x0, 0x6, 0xb, 0x1, -0x29, 0x5, 0xf0, 0xb, 0x1, 0x6, 112 | 0x2e, 0x9, 0xf8, 0x6, 0x1d, 0x1, 0xae, 0xc, -0xb6, 0xb, 0x0, 0x6, 0xc, 0x1, 0x7a, 0x5, 0x104, 113 | 0xb, 0x1, 0x6, 0x30, 0x9, -0xb8, 0x6, 0x56, 0x1, 0xed, 0xc, -0x23, 0xb, 0x0, 0x6, 0xd, 0x1, 114 | 0xee, 0x5, 0x118, 0xb, 0x1, 0x6, -0x52, 0x9, -0x72, 0x6, -0x63, 0x1, 0xcf, 0xc, -0xae, 0xb, 115 | 0x0, 0x6, 0xe, 0x1, 0x4d, 0x5, 0x12c, 0xb, 0x1, 0x6, -0xae, 0x9, 0xc8, 0x6, -0x9a, 0x1, -0xc8, 116 | 0xc, -0xc3, 0xb, 0x0, 0x6, 0xf, 0x1, 0x1, 0x5, 0x140, 0xb, 
0x1, 0x6, -0xae, 0x9, -0xc8, 0x6, 117 | -0xda, 0x1, 0xdb, 0xc, 0xc3, 0xb, 0x0, 0x6, 0x10, 0x1, 0xf6, 0x5, 0x154, 0xb, 0x1, 0x6, 0x3d, 118 | 0x9, -0x48, 0x6, 0xe, 0x1, 0xea, 0xc, 0xda, 0xb, 0x0, 0x6, 0x11, 0x1, 0x5e, 0x5, 0x168, 0xb, 119 | 0x1, 0x6, -0x10, 0x9, 0xcc, 0x6, -0x6c, 0x1, 0x1d, 0xc, -0x4c, 0xb, 0x0, 0x6, 0x12, 0x1, 0x5b, 120 | 0x5, 0x17c, 0xb, 0x1, 0x6, 0xd3, 0x9, -0xfa, 0x6, 0x8c, 0x1, 0x6a, 0xc, -0x9e, 0xb, 0x0, 0x6, 121 | 0x13, 0x1, 0x7d, 0x5, 0x190, 0xb, 0x1, 0x6, -0x22, 0x9, -0x6b, 0x6, -0x56, 0x1, -0xc6, 0xc, 122 | 0xba, 0xb, 0x0, 0x6, 0x14, 0x1, -0x45, 0x5, 0x1a4, 0xb, 0x1, 0x6, -0xe8, 0x9, 0x69, 0x6, -0x90, 123 | 0x1, 0x44, 0xc, 0x29, 0xb, 0x0, 0x6, 0x15, 0x1, -0x3c, 0x5, 0x1b8, 0xb, 0x1, 0x6, -0x8e, 0x9, 124 | 0xa, 0x6, -0xbf, 0x1, 0xaf, 0xc, 0x38, 0xb, 0x0, 0x6, 0x16, 0x1, 0x5d, 0x5, 0x1cc, 0xb, 0x1, 125 | 0x6, -0x93, 0x9, -0x62, 0x6, -0xce, 0x1, -0x20, 0xc, 0x2f, 0xb, 0x0, 0x6, 0x17, 0x1, -0x8a, 126 | 0x5, 0x1e0, 0xb, 0x1, 0x6, 0x11, 0x9, 0xeb, 0x6, 0x73, 0x1, -0xc1, 0xc, 0x4e, 0xb, 0x0, 0x6, 127 | 0x18, 0x1, 0x9b, 0x5, 0x1f4, 0xb, 0x1, 0x6, -0x7a, 0x9, 0x59, 0x6, -0x4e, 0x1, 0xc, 0xc, 128 | -0x5f, 0xb, 0x0, 0x6, 0x19, 0x1, -0xf6, 0x5, 0x208, 0xb, 0x1, 0x6, 0x93, 0x9, 0x76, 0x6, 129 | 0xf1, 0x1, -0x74, 0xc, 0xfb, 0xb, 0x0, 0x6, 0x1a, 0x1, 0xdb, 0x5, 0x21c, 0xb, 0x1, 0x6, 130 | 0x77, 0x9, -0x69, 0x6, 0xe, 0x1, 0x14, 0xc, -0x81, 0xb, 0x0, 0x6, 0x1b, 0x1, -0xfa, 0x5, 131 | 0x230, 0xb, 0x1, 0x6, 0xdf, 0x9, -0x4b, 0x6, 0x80, 0x1, -0xc9, 0xc, -0xc8, 0xb, 0x0, 0x6, 0x1c, 132 | 0x1, -0xbd, 0x5, 0x244, 0xb, 0x1, 0x6, 0xd6, 0x9, 0x47, 0x6, 0xa0, 0x1, 0xb9, 0xc, 0xb5, 0xb, 133 | 0x0, 0x6, 0x1d, 0x1, 0xe2, 0x5, 0x258, 0xb, 0x1, 0x6, -0x50, 0x9, -0xe0, 0x6, -0x23, 0x1, 0xfa, 134 | 0xc, 0xb8, 0xb, 0x0, 0x6, 0x1e, 0x1, 0xd6, 0x5, 0x26c, 0xb, 0x1, 0x6, 0x7e, 0x9, 0xf4, 0x6, 135 | 0x3, 0x1, -0xec, 0xc, 0xf5, 0x6, 0x88, 0xc, 0xae,}); 136 | char[] c = args[0].toCharArray(); 137 | for (int i = 0; i < c.length; i++) { 138 | String s = 
getOutput(Math.abs(java.run(i, (int) c[i]))); 139 | if (s.equals(owo[1])) { 140 | System.out.println(s); 141 | System.exit(0); 142 | } 143 | } 144 | System.out.println(getOutput(Math.abs(java.run(0, (int) c[0]) % 2))); 145 | } 146 | } --------------------------------------------------------------------------------
Keith was working on his CTF problem, but his little brother accidentally moved the flag around. Can you help Keith find the flag?
Your agent is: {{ user_agent }}
Flag: {{ flag }}