Archived Challenges - November 2021

Copy Pasta

ictf{cute_flag_anyways_welcome_to_round_16}

./lol | grep 'ictf{.*}' -o | uniq

ictf{puzzler_the_goat}

from PIL import Image, ImageDraw
import json

with open('image.json') as f:
    image_json = json.load(f)['image']

im = Image.new('RGB', (image_json['width'], image_json['height']))
draw = ImageDraw.Draw(im)

for line in image_json['lines']:
    fx = line['from']['x']
    fy = line['from']['y']
    tx = line['to']['x']
    ty = line['to']['y']
    draw.line([fx,fy,tx,ty], width=image_json['lineThickness'])

im.save('out.png')```

ictf{budg3t_v3ct0r_graph1c5}

https://libraryofbabel.info/bookmark.cgi?escispmja288288

ictf{wow_this_place_really_does_have_everything}

Reverse the numberguess command to farm infinite clout.

ictf{h@ck1ng_1s_th3_w@y_t0_g0}

Text color super close to background, use randomize color palette on CyberChef. https://gchq.github.io/CyberChef/#recipe=Randomize_Colour_Palette('')

ictf{n1c3_l@wn}

Stars and bars to get that the answer is (42 - 2 - 1*9 + 9) choose 9 --> (40 choose 9) --> 273438880

Use OpenPuff as the title says, set to mp3, maximum bits, get flag!

ictf{lol_bad_forensics_chall}

Use tshark to extract the usb hid data tshark -r capture.pcapng -T fields -e usbhid.data '(usb.transfer_type == 0x01) && (frame.len == 33)' > out and then plot the location of the mouse clicks.

Overlay the plot over a keyboard (https://upload.wikimedia.org/wikipedia/commons/thumb/d/da/KB_United_States.svg/1920px-KB_United_States.svg.png) to find which keys were pressed.

Plot script: https://imaginaryctf.org/f/XiUJ3#solve.py Overlay: https://imaginaryctf.org/f/uZP2m#overlay.png

ictf{on-screen_keyboard_spying}

There are a few bits hidden in the final characters of each base64 stage, due to how padding works

with open("dist.txt") as f:
    cur = f.read().strip()

recovered = ""
alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
while cur != "42":
    bits = ''.join(f"{alphabet.index(c):06b}" for c in cur.strip("="))
    extra = (len(bits)) % 8
    if extra:
        recovered = bits[-extra:] + recovered
        bits = bits[:-extra]
    assert len(bits) % 8 == 0
    cur = ''.join(chr(int(bits[i:i+8], 2)) for i in range(0, len(bits), 8))
print(int(recovered, 2).to_bytes(len(recovered)//8, "big"))

ictf{3xtr4_b1t5}

curl "https://s1.fdow.nl/u6Zjm-MYSTERY_CAKE.pdf" -o "MYSTERY_CAKE.pdf"

ictf{cake_15_liee_u8it}

From the flag.zip will output the secret.rar and in secret.rar there is a png file called extension.png that hide the flag.txt inside of it. but you can't solve with steghide or something because it is not a real png file. Actually it is a zip file so the player need to unzip or change the file extension to .zip from png and got flag. Simple and not easy.

ictf{n0_1dea_h0w_t0_ge1_g1rL_fr1end!!}

rand() always returns 4, so enc() just XORs with a static string. enc() it again to get the flag:

from r import target, enc
print(enc(target))

ictf{get_a_real_rng_pls}

Decompile the jar (using jd or similar) to see that for each character of the flag it's downloading a lua script and calling the check function in the script with the index as a parameter, if all check functions return true then the flag is correct.

Notice that a request for anything other than a single only character (lowercase, numbers or _) returns a fail script.

Download all the lua scripts, and for each one call the check function with values 0 to 35 (length of the flag) to find the valid positions for that letter, then arrange the letters in order.

For example I created a lua snippet saved as print.lua with the contents for i=0,35 do if check(i) then print(string.format("%02d",i), debug.getinfo(1,"S").source:sub(11)) end end and used this bash oneliner to append it to each script and print out the valid indices:

for f in $(ls downloaded_lua); do cat downloaded_lua/$f print.lua > test_lua/$f; lua test_lua/$f; done | sort -u | cut -f2 | tr -d '\n'

ictf{r3ver51n9_w17h0u7_full_s0urc3}

https://imaginaryctf.org/f/ws5UC

ictf{N0_Me3}

Unpickling the provided pickle gives a dictionary containing the pickle of the initial object, and the marshalled code of all of its functions. You can unpickle the object if the tree.Tree class exists at all (class Tree: pass in tree.py in the same directory will suffice). You can set the __code__ attribute of each of the attributes on the object and the Tree class, and you've recreated the original object/class.

Now, you need to figure out how the tree was actually encoded. Using dir() will show that there are left, right, and data fields. You can either disassemble the __init__ function and reverse it, or you can make another tree of the same length (using the builtin length method, or a custom one) with unique characters, and map the location of the characters in the new tree to the location of the characters in the flag tree.

I've done the second method here:

#!/usr/bin/env python3.9

import pickle
import marshal
from dis import dis
from copy import deepcopy

from tree import Tree

def unpick(b, clss):
    d = pickle.loads(b)
    obj = pickle.loads(d["__"])
    for key in d:
        if key != "__":
            obj.__setattr__(key, lambda x:x)
            obj.__getattribute__(key).__setattr__("__code__", marshal.loads(d[key]))
            setattr(clss, key, lambda x,y:x)
            setattr(getattr(clss, key), "__code__", marshal.loads(d[key]))

    return obj

def tree_map(d, a, b):
    if a.data == None:
        return
    d[a.data] = b.data
    tree_map(d, a.left, b.left)
    tree_map(d, a.right, b.right)

flag = unpick(open("pick", "rb").read(), Tree)
x = Tree(''.join(chr(i) for i in range(32,32+len(flag))))

d = {}
tree_map(d, x, flag)
out = ['~']*len(flag)
for key in d:
    out[ord(key)-32] = d[key]
print(''.join(out))

ictf{didyouknowthatpicklesgrowontreeswellnowyoudo}

from pwn import *

ct = b'\xf2\xa3\x91lT=\r\xed\x9c\x9ahS;\x10\xd8\x99\x85\x7fA\x05\r\xd7\xa8\xb1\x7fW1\xff'
m = []

a = xor(ct,"ictf{")[0]
b = (xor(ct,"ictf{")[1] - a) % 256

for c in ct:
  m.append(a ^ c)
  a = (a + b) % 256

print(bytes(m))

ictf{its_really_not_rsa_lol}

https://imaginaryctf.org/f/aYqRn

ictf{streeeeeeeeeem_ciphers_are_cooooooooooool}

e = lambda(n) + 1, as can be seen from the fact that the message remains unencrypted. From there, we can apply standard techniques to factor n, given n and phi(n)

https://imaginaryctf.org/f/8D0lp

ictf{dumb_3xp0nent_but_you_g0tt4_fl4gt0r_1t_t0o}

https://imaginaryctf.org/f/Fw7LO

flag{math_ftw_rooYay_rooPOG_rooHeart}

The key is ictf

ictf{guess_the_key_lol}

Find the comment on the login page and rot13 → secretalong.txt Note the admin email + password Login to the site making sure to tick "Remember Me" Base64 decode the flag cookie to find the flag

ictf{c0ookie_sTealing_is_Nice!!!_1587}

Get the shadow file by curling file:///etc/shadow then john the hash with rockyou to get the password

ictf{ripcurlgurl}

https://imaginaryctf.org/f/YmBfb

ictf{j4v4scr1pt_d3bugg1ng_ftw!}

Create a new note with your own jwk in the content, then craft a jwt with jku pointing to the note and the admins id in the claim. Solve script: https://imaginaryctf.org/f/WRbkN#solve.py

ictf{why_steal_keys_when_you_can_upload_your_own?}

Change your system time to next year.

ictf{if_only_I_could_time_travel_back_and_release_this_chall_at_noon}

Search the challenge.jpg with google image search and as a description need to find a phone number of CN Tower. (Can find phone number in google map)

ictf{+14168686937}

https://imaginaryctf.org/f/HzRgL

ictf{br41nfr1gg1ng_0verfl0ws}