[MagTF] Tux_is_on_fire - Challenge by WelloWorld

Tux_is_on_fire is an easy-medium misc task. You get a port and an IP. When you connect with netcat, you see the following: Dear friend, let's start with an easy task. All you need to do is to do the next steps: Atbash(Book('elixir-electrons/linux/v?.?/source/kernel', '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'))Oh s…

[MagTF] ValleyOfDeath - Challenge By WelloWorld and Shahar Snitovski

This challenge is meant to be a regex challenge, with some trolling to make it harder. At the beginning, the user gets a file named P. This file is XZ-compressed data (tar.xz). After decompressing it, he gets a folder about 550 subfolders deep (e.g. subfolder 1 is inside P, subfolder 2 is inside 1, and so on). When he reaches the last file, named con (a zip file), he needs to open it and see that it contains another folder with 550 subfolders, so he should write code that does this. In the end (after 1100 and something folders) he will see a file named TOPSECRET.txt (TROLLING). He opens it and sees this base64: LS0gLi0gLS0uIC0gLi4tLiAjIC0gLi4uLiAuLS0tLSAtLiAtLi0gIyAuLi4gLS0gLi0gLi0uIC0gLiAuLS4gIw== When he decodes it, he should see this:
-- .- --. - ..-. # - .... .---- -. -.- # ... -- .- .-. - . .-. #
This is corrupted Morse code. If he deletes every # and then translates it, he will see this: MAGTFTH1NKSMARTER. And from the #'s, he should think the flag…

[MagTF] rEVEenge! - Challenge by WelloWorld

Hey there. The solvers start the challenge by opening the folder, which contains a pcap file and an ELF file. IMPORTANT NOTE: This ELF is not meant to be reversed; I applied some encryption to the strings, and even then it would be hard to deal with.
When they run the ELF, they see the following lines written by Eve, Bob's first love (before Alice):
Hey Bob, Its EVE. Do you remember me? your first love, your first girlfriend 'til Alice came.. If you ever want to see her again you'll need to get my special eve-serie inorder to free the flag. By the way, if you don't believe - I'm sending you the pcap of me malformed her. Have fun! PLEASE ENTER TO CONTINUE:
They understand that Eve has kidnapped Alice and that Bob needs to enter some series to get the flag. The first clue is the phrase 'malformed her' (it may help). Then, when they press Enter, the fun begins: their screen starts to fill with more characters than you can imagine (they can wait for it to stop, but …

[MagTF] Crypto1sFun - Challenge by WelloWorld

This is a medium-hard crypto challenge with a little bit of forensics. The solver gets a server and port and a description that says: "Today you will learn to work with two important mechanisms: The first one is very known today as a good mechanism, and the second one is old and not used today as normal mechanism." The mechanisms are the Diffie-Hellman key exchange and WEP for Wi-Fi authentication (there is no real Wi-Fi here). If they connect to the server through a socket, they will find that it sends them the string: "Wello Bob!\ng=<num>\np=<num>\n" with <num> replaced by real random numbers, so now they have the g and p values. They will try some things, but in the end, when Alice sends g and p to Bob, she expects to get the b value back (actually B, but it gets that too). So when the user sends b=, the server sends him A, and each side needs to calculate the key from the values it received.
After that the server will send to the socket a little clue …

[MagTF] MommyTeachMeSlicing - Challenge by WelloWorld

MommyTeachMeSlicing is a medium steganography challenge. At first, you get a zip that includes 100 files named <number>.png. If you try to open them, you will see that you can't. We know that '8950' is the magic number of a PNG, so let's see what is wrong with them.
We can see very small changes between every two adjacent numbers, such as 1.png and 2.png. With some research you should understand that every picture was XORed with the number in its name (1.png with 1, 2.png with 2). Then you should write a script to 'translate' these files back to PNGs. After that you still can't really see anything in the pictures, just some weird black and white lines in a very wide picture with almost no height at all. You understand that every picture is one part of a big picture, so you try to merge them all.
You will get a QR code containing the flag: MagTF{I_L0VE_5LICING}
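
The recovery and merge steps described above, as an added example that is not part of the original writeup. It assumes every byte of a file was XORed with the single-byte number in its name and that each slice is a non-interlaced 8-bit grayscale PNG; the helper names and the three-slice sample are constructed for illustration.

```python
import struct
import zlib
PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")  # full PNG signature; begins with the '8950' noted above

def xor_with(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover(filename: str, blob: bytes) -> bytes:
    """Undo the XOR using the number in the file name; reject output that is not a PNG."""
    key = int(filename.split(".")[0])
    plain = xor_with(blob, key)
    if not plain.startswith(PNG_MAGIC):
        raise ValueError(f"{filename}: key {key} does not yield a PNG signature")
    return plain

def _chunk(tag: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))

def make_strip(row: bytes) -> bytes:
    """Build a 1-pixel-high 8-bit grayscale PNG (used only to construct the sample)."""
    ihdr = struct.pack(">IIBBBBB", len(row), 1, 8, 0, 0, 0, 0)
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00" + row)) + _chunk(b"IEND", b"")

def read_rows(png: bytes) -> list[bytes]:
    """Return the scanlines of a grayscale PNG whose rows all use filter type 0 (assumption)."""
    pos, width, idat = len(PNG_MAGIC), 0, b""
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        tag, body = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width = struct.unpack(">I", body[:4])[0]
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # 4 length + 4 tag + body + 4 CRC
    raw = zlib.decompress(idat)
    return [raw[i + 1:i + 1 + width] for i in range(0, len(raw), width + 1)]

def merge(files: dict[str, bytes]) -> list[bytes]:
    rows = []
    # Sort numerically: a plain string sort would put 10.png before 2.png.
    for name in sorted(files, key=lambda n: int(n.split(".")[0])):
        rows += read_rows(recover(name, files[name]))
    return rows

# Constructed sample: a 3-row image cut into 1.png..3.png, each XORed with its number.
ORIGINAL = [b"\x00\xff\x00\xff", b"\xff\xff\x00\x00", b"\x00\x00\xff\xff"]
SAMPLE = {f"{n}.png": xor_with(make_strip(row), n) for n, row in enumerate(ORIGINAL, 1)}

if __name__ == "__main__":
    print(merge(SAMPLE) == ORIGINAL)
```

The signature check in `recover` is what confirms the "key equals file number" hypothesis for each file before the slices are stacked.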

[MagTF] NothingToSee - Challenge by WelloWorld

NothingToSee is an easy-medium steganography task I wrote in order to show a method of using a visual approach to see things. You get one PNG file, with nothing you can see. To solve it, you must look at the alpha channel of the picture. You can see that all the alphas are 0 or 1, so you save them all as a string in case they are related to binary data. Some solvers may then think that it has something to do with the real binary data, but it does not. You might want to change all the alphas to 255 to see the real picture, and then you can see that what is written there is that the height is 5 and the width is 61.

Then, you have a rule for something, but you don't know how it's connected to the long binary string. Like in other steganographic CTFs, the alphas repeat themselves somewhere. Because it's 0's and 1's you can't just read it, so either you understand that you need (5*61) characters, or you write a script that calculates where it begins to repeat itself. After getting the repeated string y…

[hxp-2017 CTF] Babyish - Writeup by j0nathanj

HXP CTF 2017: Babyish. Solved by: @j0nathanj on Twitter and GitHub. In this challenge, we're given a 32-bit ELF executable (DEP enabled), a "custom" libc, and a C source. The source code looks like this: This is fairly short code. The vulnerability is caused by line 33. In line 33, the user is asked to enter a length, which will be used as the length of the input that will be written to a 0x40-sized buffer named 'buf'.
Line 33 checks if the size is greater than or equal to 0x40, and if so, it exits with an appropriate message. The bug occurs when the user enters a negative number as input. The size satisfies the constraint that it has to be less than 0x40, and when the function 'read' is used, the len is treated as an unsigned integer, hence -1 is considered to be 4294967295. This way we can overwrite stuff and get an overflow. The question that comes next is: because DEP is enabled, how do we leak some addresses? Well, it tur…