  1. Codegate 2017 Prequals - Meow writeup

    We're given a binary which won't launch without, and when launched asks for a password. Upon examination, it turns out that the password should be at most 10 characters long, with its MD5 hash equal to 9f46a92422658f61a80ddee78e7db914 (that's where the OpenSSL import comes in, but the implementation …

  2. BITSCTF 2017 - Woodstock 1/2 writeup

    In this double challenge, we're provided with a pcap of some sort of TCP communication between two hosts. Opening the first TCP stream (of three), we see this:

    TCP stream 0

    ...well, that was fast. Still, it's just the first flag. The second one has got to be buried a bit deeper.

    So …

  3. hack you spb CTF 2016 - Crypto300 Mountain writeup

    We have on our hands an encrypted file, which is supposed to be a PDF judging from the challenge's description, and the python script which was used to perform the encryption. It reads chunks of 9 bytes from the source file (padding it with zeroes if necessary), interprets them as …

  4. hack you spb CTF 2016 - Rev300 Serious Business writeup

    There is an ELF binary, and we need to get an RCE from it. Shouldn't this be in the pwn category? Anyway, a quick check with radare2 shows us that the binary accepts incoming socket connections and processes them this way:

    [0x080488f0]> pdf @ sym._Z7handleri 
                ; CODE (CALL) XREF from 0x08048db5 …

  5. hack you spb CTF 2016 - Web200 Decoder writeup

    In this challenge, we are presented with a simple login page and its source code, which is easily injectable:

    The login page

      if (isset($_POST['login'])) {
        $login = $_POST['login'];
        $password = $_POST['password'];
        $res = mysql_query("SELECT * FROM users WHERE login = '$login' AND password = '$password'");
        if (mysql_num_rows($res) == 0) {
          <div class="bg-danger col-lg-12" style …

  6. Hackover CTF 2016 - thecard writeup

    Okay, this has been a simple one, but worth describing nevertheless.

    We've got presumably an SD card image, thecard.img, which isn't readily mountable or susceptible to binwalk, so let's strings it and see what's in there:

    (ctf)$ strings thecard.img | head 
    htree_dirblock_to_tree …

  7. Hackover CTF 2016 - tiny_backdoor writeup

    This challenge was split in two parts; in both of them we get a tiny binary (680 and 720 bytes long, respectively). Let's look at the first one with radare2:

    (ctf)$ radare2 tiny_backdoor_v1 
    [0x004000b0]> pd 70
       ;      [0] va=0x004000b0 pa=0x000000b0 sz=134 vsz …

  8. Hackover CTF 2016 - imgenc writeup

    This time, we get some 'encrypted' grayscale image and a .pyc file that doesn't want to be decompiled. Decompyle++ gives us the following output:

    $ pycdc imgenc.pyc
    # Source Generated with Decompyle++
    # File: imgenc.pyc (Python 2.7)
    import sys
    import numpy as np
    from …

  9. Hackover CTF 2016 - vigenere writeup

    We've got a message encrypted with the Vigenere cipher after being compressed with zlib, which of course makes a usual dictionary attack unviable. The key is random but its length is known beforehand, from the original source code, and equals 10.

    From the ZLIB RFC 1950 we know that, when …
