1 of 27

csictf

csictf ran from 17/07/2020 to 21/07/2020.

Crypto

Mein Kampf

Googling M4 UKW, we find out this is a type of enigma. M4 means there are 4 rotors; Gamma is the setting for the first rotor; the preceding 4 pairs of numbers are position and ring values respectively and the string of letters at the end are the plugboard values.

This leaves us with almost everything needed to decrypt the ciphertext. However, we are not given the values for rotors 2, 3 or 4; they can be in any position from I to VIII, so bruteforcing this we get the following:

Rotor 2 = I
Rotor 3 = IV
Rotor 4 = VII

Using this website, we get the flag:

Flag: csictf{no_shit_sherlock}

Rivest-Shamir-Adleman

These 3 guys encrypted my flag, but they didn't tell me how to decrypt it.

The source is as follows:

n = 408579146706567976063586763758203051093687666875502812646277701560732347095463873824829467529879836457478436098685606552992513164224712398195503564207485938278827523972139196070431397049700119503436522251010430918143933255323117421712000644324381094600257291929523792609421325002527067471808992410166917641057703562860663026873111322556414272297111644069436801401012920448661637616392792337964865050210799542881102709109912849797010633838067759525247734892916438373776477679080154595973530904808231
e = 65537
c = 226582271940094442087193050781730854272200420106419489092394544365159707306164351084355362938310978502945875712496307487367548451311593283589317511213656234433015906518135430048027246548193062845961541375898496150123721180020417232872212026782286711541777491477220762823620612241593367070405349675337889270277102235298455763273194540359004938828819546420083966793260159983751717798236019327334525608143172073795095665271013295322241504491351162010517033995871502259721412160906176911277416194406909

Rivest-Shamir-Adleman is the full name for RSA, a public-key cryptosystem widely used. You'll come across it many times in CTFs.

Now you can either try to break it manually, or use the great tool RsaCtfTool.

I decided to cheese it and use RsaCtfTool.

Simply inputting the values as so, we get our flag:

./RsaCtfTool.py -n 408579146706567976063586763758203051093687666875502812646277701560732347095463873824829467529879836457478436098685606552992513164224712398195503564207485938278827523972139196070431397049700119503436522251010430918143933255323117421712000644324381094600257291929523792609421325002527067471808992410166917641057703562860663026873111322556414272297111644069436801401012920448661637616392792337964865050210799542881102709109912849797010633838067759525247734892916438373776477679080154595973530904808231 -e 65537 --uncipher 226582271940094442087193050781730854272200420106419489092394544365159707306164351084355362938310978502945875712496307487367548451311593283589317511213656234433015906518135430048027246548193062845961541375898496150123721180020417232872212026782286711541777491477220762823620612241593367070405349675337889270277102235298455763273194540359004938828819546420083966793260159983751717798236019327334525608143172073795095665271013295322241504491351162010517033995871502259721412160906176911277416194406909

csictf{sh0uld'v3_t4k3n_b1gg3r_pr1m3s}

Linux

AKA

Netcat into the given domain an port. Trying a bunch of different commands it appears that none of them do what you'd expect.

Running alias shows that there are different aliases for commands which let you open files. Instead of trying to figure them all out I converted the flag.txt file to base64 with base64 flag.txt. Then it was a simple matter of copying the output and decoding it (I used ).

Miscellaneous

No DIStractions

Very easy misc challenge.

Join the discord server
Run .flag
Bot says to dm and then deletes your message
Simply message the bot with .flag and you get the flag from the bot.

OSINT

Pirates of the Memorial

The original photographer of this picture commented the flag on his post. Find the flag.

Good old Ironstone found the picture in . The comments mention that Arunopal Banerjee is the actual photographer; visiting the we find the picture posted, and the flag is in the .

Flag: csictf{pl4g14r1sm_1s_b4d}

Commitment

Hoshimaseok is up to no good. Track him down.

A quick google of the user hoshimaseok leads us to a GitHub page, found here.

We see two repositories, one called SomethingFishy. Fishy it looks indeed.

A quick glance inside this repo reveals nothing. However considering the title, Commitment, maybe there is a commit somewhere with the flag.

We can see that there are two branches - master and dev. Upon clicking compare, we see that there have indeed been many changes to this repo.

Scrolling through these, you will find the flag in index.js, which was deleted.

The contents of index.js are as follows:

Flag: csictf{sc4r3d_0f_c0mm1tm3nt}

Flying Places

A reporter wanted to know where this flight is headed. Where does he (the reporter) live?

Google image search reveals a screenshot of a tweet by Jack Ma containing the image. If we go onto his profile and find the tweet. Using Ctrl-F through the replies, we find this comment of a reporter asking where the flight is headed, mentioning they're from San Francisco.

Flag: csictf{san_francisco}

Shaken

I love this watch. It's been with me all over the world, from Istanbul to Shanghai
to Macau. I wear it with suits quite a lot. My boss liked it too. I remember
wearing it when she died. What is her successor's name?

I googled some of the keywords from the challenge brief

istanbul shanghi macau suits

In the results pictures of James Bond showed up, James Bond's most recent boss (known as M) is called Gareth Mallory.

Flag: csictf{gareth_mallory}

Pwn

Pwn Intended 0x1

I really want to have some coffee!

Smash the keyboard.

Flag: csictf{y0u_ov3rfl0w3d_th@t_c0ff33_l1ke_@_buff3r}

Scripting it

I guess if you really want to, you could...

python -c 'print "A" * 200' | nc chall.csivit.com 30001

Pwntools

Ok this is pushing it a bit

Pwn Intended 0x2

Travelling through spacetime!

Analysis

Sadly, we can't just smash the keyboard. Let's check what protections are enabled.

NX is enabled, so unfortunately no shellcode, but no other protections. Let's perhaps decompile it in GHidra.

So we have a 44-byte-long buffer storing our input, which is read by gets() - a clear buffer overflow vulnerability. Interestingly, the program seems to also return the flag if the if condition is met. I've known GHidra to make mistakes with numbers, so I check the disassembly in radare2.

Exploitation

As we can see, the buffer our input is stored in is lower down the stack to the variable that is compared, so if we overflow the buffer we will overflow into the other variable. From the decompilation we know the buffer is 44 bytes long, so we need 44 bytes of padding before we reach the checked variable and write 0xcafebabe.

Flag: csictf{c4n_y0u_re4lly_telep0rt?}

Pwn Intended 0x3

Again, smashing the keyboard doesn't work. Sadly. Let's check out the protections:

Analysis

Again, smashing the keyboard doesn't work. Sadly. Let's check out the protections.

Same thing again, GHidra decompilation time.

Again, gets() shows a clear buffer overflow vulnerability. Among other functions there is a flag() function.

So, calling flag() returns the flag. Unsurprisingly.

Exploitation

We'll be using the buffer overflow vulnerability to redirect code execution to the flag() function. Some experimenting shows a padding of 40 bytes is needed to overwrite RIP.

Flag: csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}

Global Warming

Greta Thunberg 1 Administration 0

Analysis

This was a different type of binary exploitation challenge. First, check the protections.

Much like the others. Let's run it.

So our input is sent back to us, along with the notice that we cannot log in with input. As we control the print, let's check if there's a format string bug.

And indeed there is. Interestingly, there's no buffer overflow. Let's decompile it to see what's going on.

main is very simple - takes in input (using a secure fgets(), explaining why there was no BoF) and passes the input to the login() function.

Input it printed back to us, as we saw, with printf. This causes the format string. The interesting part is it checks the global admin variable before printing the flag.

Clearly, we have to overwrite the admin variable somehow. To do this, we're going to have to leverage the format string %n specifier for an arbitrary write.

%n takes a pointer to a signed int, where the number of characters written so far is stored. Because we can control certain aspects of the stack (as the buffer is on the stack) we can tell it where to write the data. As we can control the input, we can tell it how much. This gives us an arbitrary write. If we want to write 20 bytes somewhere, we input 20 characters and then call %n. We can even use other fancy format string specifiers to shorten it enough,

I would explain how to leverage this in detail, but frankly, others have done so much, much better than me :)

There are plenty more resources online.

Exploitation

Luckily for us, pwntools contains a feature to automate %n exploitation.

You should understand how the exploit works before you use tools to do it for you.

The pwntools module is fmtstr_payload, and takes in two values: the offset for the format string and a dictionary. The keys in the dictionary are the location to write to, and the values are the data to write there.

Flag: csictf{n0_5tr1ng5_@tt@ch3d}

Smash

My first C program that says hello, do you want to try it?

Smash was a very cool challenge where you were given the libc version used by the binary. You had to bypass ASLR and then execute a ret2libc attack.

Analysis

As per usual, run a quick checksec

Luckily for us, PIE is disabled and there is no canary. That makes our job much easier. Let's run it and see what happens.

Hmm, our input is printed back to us again. Is there another format string bug?

Indeed there is! Is a BoF possible this time?

Awesome.

There's nothing particularly interesting in the decompilation - main takes input and calls say_hello, which prints back to you.

No interesting strings either. As we are given the libc, everything points to a good old ret2libc attack.

Exploitation

As we only had one input, the logical approach would be to use a ret2plt to leak the address of puts in libc from the and call main again to let us have another input.

Flag: csictf{5up32_m4210_5m45h_8202}

Secret Society

Wanna enter the Secret Society? Well you have to find the secret code first!

Again, smash the keyboard.

Flag: csivit{Bu!!er_e3pl01ts_ar5_5asy}

Reversing

Blaise

I recovered a binary from my teacher's computer. I tried to reverse it but I couldn't.

Analysis

File Info

RicknMorty

Rick has been captured by the council of ricks and in this dimension Morty has to save him, the chamber holding Rick needs a key . Can you help him find the key?

Analysis

First, let's see what running the program does.

The pairs of numbers are the program, the singular numbers are me typing back to it.

There's nothing particularly clear here, so let's disassemble it in GHidra.

It looks very complicated, but we can ignore the bulk of it. What we need to focus on is the random number generation and what happens to it.

Two random numbers are generated. They are passed into function1, then we +3 to the result and pass it through function2. The result of that is then compared with the number we input. If they are not the same, the check is set to 0.

At the end, if it's not 1 (and if takes under 30 seconds) the flag is read. So clearly we have to receive the numbers, work out what it does and then return the values (repeatedly) to get the flag.

Let's check what the two functions do.

function1

We have a counter that loops until it is greater than a number; if both numbers are divisible by the counter the answer gets set to counter - this is clearly some sort of highest common factor function.

function2

This looks like a weird function, but if you write it in, say, python, it's much clearer what it does:

This is a factorial function.

Now we know what it does, the flow is simple:

And we can write a script that does this for us.

Solution

Flag: csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}

Web

Oreo

My nephew is a fussy eater and is only willing to eat chocolate oreo. Any other flavour and he throws a tantrum.

Nice and simple web challenge.

Looking at the cookie of the webpage it appears to base64 encoded.

Encode the word "chocolate" into base64 then replace the current base64 in the cookie. The only thing to note is make sure that the base64 is also url encoded.

Mr. Rami

"People who get violent get that way because they can’t communicate."

Navigating to /robots.txt, we see:

# Hey there, you're not a robot, yet I see you sniffing through this file.
# SEO you later!
# Now get off my lawn.

Disallow: /fade/to/black

Navigating to /fade/to/black, we get the flag.

Flag: csictf{br0b0t_1s_pr3tty_c00l_1_th1nk}

The Confused Deputy

Looking at the source you can see that a request is made to http://chall.csivit.com:30256/view by the admin to view your colour. You can then specify a URL and a colour for the admin to use.

I set up a request bin at https://ennfyqj04serj.x.pipedream.net so that I easily could monitor requests made to that URL. But setting the URL that the admin visits to anything outside of http://chall.csivit.com:30256/view seemed to throw an error. However I can set the colour to anything I like.

Looking at the source of http://chall.csivit.com:30256/ it is clear that the only form of sanitising is that "<" or ">" are replaced with "". This means that later on I could use ">>" in the place of ">" and "<<" in the place of "<".