Showing posts from November, 2017

[hxp-2017 CTF] Babyish - Writeup by j0nathanj

HXP CTF 2017: Babyish
Solved by: @j0nathanj on twitter and github.

In this challenge, we're given a 32-bit ELF executable (DEP enabled), a "custom" libc, and a C source. The source code looks like this:

This is a fairly short code. The vulnerability is caused by line 33. In line 33, the user is asked to enter a length, which will be used as the length of the input that will be written to a 0x40-sized buffer named 'buf'.
Line 33 checks if the size is greater than or equal to 0x40, and if so, it exits with an appropriate message. The bug occurs when the user inputs a negative number. The size satisfies the constraint that it has to be less than 0x40, and when using the function 'read' the len is treated as an unsigned integer, hence -1 is considered to be 4294967295. This way we can overwrite stuff and get an overflow. The question that comes next is: because DEP is enabled, how do we leak some addresses? Well, it tur…
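The signed/unsigned length bug described in the Babyish writeup, as an added illustration that is not the challenge's source or the author's code: the check only rejects lengths at or above 0x40, so a negative value passes and is then reinterpreted by read() as a huge unsigned count. The 32-bit target is modelled with uint32_t so the conversion matches the writeup's 4294967295; the function names and the simulated read are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE 0x40   /* the 0x40-byte 'buf' from the writeup */

/* Mirrors the vulnerable check: len is a signed int and only the upper
 * bound is tested, so any negative length is accepted. */
static bool vulnerable_len_check(int len) {
    if (len >= BUF_SIZE) {
        return false;   /* "too big": the program exits with a message */
    }
    return true;        /* negative values fall through to read() */
}

/* Hardened check: accept only 0 <= len < BUF_SIZE. */
static bool safe_len_check(int len) {
    return len >= 0 && len < BUF_SIZE;
}

/* What read() sees on the 32-bit target: the signed len is converted to
 * size_t (32 bits wide there), so -1 becomes 4294967295. */
static uint32_t len_as_seen_by_read(int len) {
    return (uint32_t)len;
}

/* Simulated read(): given the attacker-chosen len and the number of bytes
 * actually available on the input, return how many bytes would land past
 * the end of buf (0 means the write stays inside the buffer). */
static uint32_t bytes_past_buf(int len, uint32_t input_available) {
    uint32_t n = len_as_seen_by_read(len);
    if (n > input_available) {
        n = input_available;   /* read() stops when input runs out */
    }
    return n > BUF_SIZE ? n - BUF_SIZE : 0;
}

int main(void) {
    int len = -1;  /* constructed input: the negative length from the writeup */
    printf("vulnerable check accepts %d: %s\n", len,
           vulnerable_len_check(len) ? "yes" : "no");
    printf("hardened check accepts %d: %s\n", len,
           safe_len_check(len) ? "yes" : "no");
    printf("read() count: %u\n", len_as_seen_by_read(len));
    printf("bytes past buf with 200 input bytes: %u\n", bytes_past_buf(len, 200));
    return 0;
}
```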

[RC3-2017 CTF] Science Class - Writeup by Ninjailbreak

The mission
This is going to be a great year!
Barely five minutes into chemistry and your friend passes you this note inviting you to a party!
What do they want you to bring?

We can easily recognize the "Periodic Table" in the PDF file,
so we combined the table with the PDF and got a list of elements:

Be, S, Ga, Se, Er. After some combinations we guessed the string "BeErGaSeS",
changed the case and submitted the flag:
>> RC3-2017{BeerGases} <<

[RC3-2017 CTF] An Affinity for Caesar Salad - Writeup by Ninjailbreak

The mission
>> Decrypt me! RC3-2017{GUPNCH_AITIL} <<

We understand that we need to use two common ciphers

Affine and Caesar.

We brute-forced the string! GUPNCH ---affine--> GARDEN
AITIL ----Caesar--> SALAD

together we got a great salad :)

>> RC3-2017{GARDEN_SALAD} <<

[RC3-2017 CTF] knocker - Writeup by WelloWorld

'knocker' challenge
At first, you get an IP and a port – ("",7747). I first tried to connect to it with nc; they wrote that I need to solve their challenge, and every challenge is a letter I get with the mission. I saw three types of missions they want me to do:
1. A text of numbers (e.g. "Two thousand, one hundred and seven") - and I needed to translate it to a number (e.g. 2107).
2. A math function, to be run in Python, like: "floor(((109 << 31) - 38) % -148) % 65535" (answer is 65453).
3. A number to be translated to text (what I thought at first sight).
Then, I tried to send the answer to the server in the same connection, and it didn't work. After a bit of thinking and a friend's help, I suddenly remembered what 'knocker' means. Port knocking is a way of checking ports on the server by sending them some data and waiting for them to answer. So in this case, the ports are the numbers we get, so after translating by our format (text of numbers = port, math function = port, and nu…

[RC3-2017 CTF] Catastrophe - Writeup by WelloWorld

In the beginning, you get a pcap file that contains 3200 packets of data. The description told us that while one friend went somewhere and forgot his computer open, his friend took his computer and visited sites with cat pics. He wants to know more about what his friend did, and luckily for him, he left his Wireshark on. So we know we're searching for cat pics right now. The first thing I did was to search whether some packets contain cat.png or cat.jpg:
Oh, look at these two packets. Now let's look at their 'Follow TCP stream':

Now, which one is more relevant to us? Of course the second one. Let's have a look at this after converting it to 'Raw' bytes.

You can see the start of a jpg file ('ffd8') right at the start of the second blue packet. Now let's find where it ends ('ffd9'):

Right at the end of the conversation. OK, let's filter it to only what the server sent to me, stay in 'Raw' mode, and copy all the data from the screen and paste it into a local file on my computer. Now,…