๐Ÿ  yamsbot
  • about
  • writeups
  • research
  • random

US CyberGames Flag Fest 2024

some of the challenges from the US CyberGames 2024 Flag Fest CTF

NADCOMMMuseum

Details
Users are provided with the file evidence.flac. The challenge description reads: "There's been a murder, and we need to solve it. We've just received a critical communication... from the PAST?! Help us decode this. We know the killer is from the mid 19th century, but somehow he got a hold of a Bell 202! We need to know what it says to crack this case!" Armed with this information we gather what we can about Bell 202. Wikipedia lets us know it uses AFSK1200 / AFSK2400 ...

November 12, 2024 · 1 min · 169 words

Crystal Clear

Details
Crystal Clear was a reversing CTF where we had to reverse a program compiled in Crystal, a completely unknown language to me. Anyways we find two separate arrays of bytes in memory that are xor'd against our input, byte by byte. The result of the xor is stored in some CPU register, and if it is != 0 at the end of the check the "password" was no good. So, we throw those byte arrays into z3 and solve away: ...

November 12, 2024 · 2 min · 226 words

PinkPonyHash

description
pinkponyhash is a simple php web application that tests your cookie to see if you are in the pink_pony club or not. the overall goal of the ctf is to forge your own hash that passes the check. we are able to accomplish this with a SHA-1 length extension attack. there is a repo i found: hlextend which makes this attack trivial

source code

    <!DOCTYPE html>
    <?php
    $secret = "testing_testing_123";
    assert(strlen($secret) == 19);

    //make a new cookie for the user
    function make_cookie() {
        global $secret;
        $payload = "kitty_cat";
        setcookie("token", base64_encode($payload) . "." . sha1($secret . $payload));
        header("Location: /"); //reload page
        exit(); //we're done
    }

    //if no cookie token, set it
    if(!isset($_COOKIE["token"])) {
        echo "no cookie, setting!\n";
        make_cookie();
    }

    //if there is a cookie, parse it
    echo "parsing cookie\n\n";
    $parsed = explode(".", $_COOKIE["token"]);

    //check sanity
    if(count($parsed) !== 2) {
        make_cookie();
    }

    //verify the hash is sane
    //also make sure the payload is base64 encoded
    $payload = base64_decode($parsed[0]);
    $hash = $parsed[1];
    if($payload === false) {
        make_cookie();
    }
    if(sha1($secret . $payload) !== $hash) {
        make_cookie();
    }

    //check if we're in the pink pony club
    if(strstr($payload, "pink_pony")) {
        $flag = "FFCTF{Th!\$_iS_4_Fl@g}";
        echo "<h1>OMG A MEMBER OF THE PINK PONY CLUB?! HERES UR FLAG: $flag</h1>";
    }else{
        echo "<h1>sry we only give flags to members of the pink pony club, not $payload :c</h1>";
    }
    ?>

writeup
solve.py ...

November 12, 2024 · 2 min · 269 words

[USC 2024] PandaJail

November 12, 2024 · 1 min · 199 words

Scrabble

November 12, 2024 · 1 min · 193 words

Flag Terminal

this writeup was created months after the ctf, so bear with me

description
this writeup is very similar to my cache money writeup, except for starters it is not very pretty to look at. this was done during the CTF and i haven't cleaned it up, and i don't plan on cleaning it up. anyways the main differences between this challenge and cache money are:
  • we can only allocate 4 chunks, this time up to 64 bytes in size
  • we can overflow into the next chunk by creating a chunk of size X and writing >X bytes into the chunk
  • this uses glibc 2.27
  • we use a one_gadget in glibc 2.27 to pop the shell instead of calling system with sh

writeup
when running the program we are greeted with an interesting string: ...

November 12, 2024 · 3 min · 516 words

Cache Money

i am writing this a few months after the CTF ended, so bear with me

description
dynamically allocated memory misuse vulnerability using glibc version 2.31. full exploitation is achieved using tcache poisoning, overwriting __free_hook with a pointer to system

writeup
without dropping the entire source code of the challenge, users have the option to:
  • allocate a chunk (0-10) of size 0x10
  • free a chunk
  • edit the contents of a chunk
  • view a chunk
  • exit the program
here we see free_chunk(): ...

November 12, 2024 · 2 min · 302 words

© 2025 🏠 yamsbot · Powered by Hugo & PaperMod