TUCTF 2024 writeup

TUCTF 2024 writeup === [TOC] >My score and place: ![image](https://hackmd.io/_uploads/S1LDqH4uJg.png) >I just solved a few challenge, but I enjoyed! +_+ > ![image](https://hackmd.io/_uploads/rJBfq6XO1e.png) ![image](https://hackmd.io/_uploads/SysQ9Tmu1x.png) ## My First Secret(Web) There is a page for log in, and I use SQL injection **admin' or 1=1- -** to bypass,and get a picture(left). ![image](https://hackmd.io/_uploads/B1fxYlz_kx.png) After decrypt the **Steel alphabet**,I get the flag. ```TUCTF{THERE_IS_ALWAYS_ANOTHER_SECRET}``` ## Mystery Box(RE) Use IDA to get the code,and I found a **ReverseMe** in there. ![image](https://hackmd.io/_uploads/r1-VNIMdkx.png) In put secret code and get the flag. ![image](https://hackmd.io/_uploads/SJ_BNLfuke.png) ## My First Encryption(Crypto) After matching the file signature,I found out that need to XOR the flag with **0x30** ``` key =0x30 fin = open("./flag.jpeg", 'rb') # storing image data in variable "image" image = fin.read() fin.close() # converting image into byte array to # perform encryption easily on numeric data image = bytearray(image) # performing XOR operation on each value of bytearray for index, values in enumerate(image): image[index] = values ^ key # opening file for writing purpose fin = open("./real.jpeg", 'wb') # writing encrypted data in image fin.write(image) fin.close() print('Encryption Done...') ``` >So I get the picture with flag ![image](https://hackmd.io/_uploads/BkGucPM_kx.png) ```TUCTF{kn0wn_pl@1nt3xt_15_dang3r0us}``` ## Packet Detective(Forensics) >After finding the package, I found the flag at the last package. ![image](https://hackmd.io/_uploads/SJAUFe7_kl.png) ```Text: TUCTF{N3tw0rk_M4st3r}``` ## Mystery Presentation(Forensics) After seeing the file signature, I changing the file name from **quantum_propulsion_via_dank_memes.pptx** into **quantum_propulsion_via_dank_memes.zip** and get a **secret data** that have **flag.txt** ```TUCTF{p01yg10+_fi1e5_hiddin9_in_p1@in_5i9h+} ``` ## Simpler Cipher (Crypto) If I get the key, I can decrypt the flag, because we have the encrypted flag. From the code, we know that it will **take 6 char(48bytes) and xor with key**, and put it in the special function called expand. ![image](https://hackmd.io/_uploads/rkbj6vXuye.png) If I know the xor result and plaintext, I can get the key, and the first 6 plaintext is **TUCTF{**. Unfortunately,It used the expand function to change the result. ![image](https://hackmd.io/_uploads/Sk44kOQOJl.png) We didn't have the **exptables**,which is an array 4*4. I **input 6 char as plaintext and key=000000000000** the output will be the 6char to expand function. I can get the **6 char's binary and compare it with expand function's output**.After that,I make the table of the exptables ![image](https://hackmd.io/_uploads/HyDOZdQdJl.png) ``` Get the first 6 char flag result: 111100 010001 010001 101000 000101 110001 010001 100001 100001 100001 000101 101010... flag result: (real xor result) 1100 0100 0100 1000 0101 1101 0100 0110 0110 0110 0101 1111 ``` The last step,xor the flag binary and the real xor result,that is the key. --- ![image](https://hackmd.io/_uploads/HJce7umd1l.png) --- Use the key to decrypt and get the flag ```TUCTF{tr@ck_th3_exp@nsi0ns_and_r3v3rs3}``` ## XOR-Dinary(Crypto) ``` def xor_decrypt(hex_string): hex_bytes = bytes.fromhex(hex_string) possible_plaintexts = [] for key in range(256): decoded_chars = [chr(byte ^ key) for byte in hex_bytes] plaintext = ''.join(decoded_chars) possible_plaintexts.append((key, plaintext)) return possible_plaintexts hex_string = '4e4f594e5c617763457c2e6c2a282b2d29456d2a287e452b2f45772a2b2f2d67 ' decoded_strings = xor_decrypt(hex_string) for key, plaintext in decoded_strings: print(f'Key: {key} -> {plaintext}') ``` ``` key=26 TUCTF{my_f4v02173_w02d_15_m0157} ``` ## Shopping Time(Web) We just need to match the **first 6 md5 hash value** as the Flag's hash, and we can get the flag. ![image](https://hackmd.io/_uploads/H1b6857ukx.png) ``` # The code is from https://www.dr0n.top/posts/ad669f62/ import multiprocessing import hashlib import random import string import sys CHARS = string.letters + string.digits def cmp_md5(substr, stop_event, str_len, start=0, size=20): global CHARS while not stop_event.is_set(): rnds = ''.join(random.choice(CHARS) for _ in range(size)) md5 = hashlib.md5(rnds) if md5.hexdigest()[start: start+str_len] == substr: print(rnds) stop_event.set() if __name__ == '__main__': substr = sys.argv[1].strip() start_pos = int(sys.argv[2]) if len(sys.argv) > 1 else 0 str_len = len(substr) cpus = multiprocessing.cpu_count() stop_event = multiprocessing.Event() processes = [multiprocessing.Process(target=cmp_md5, args=(substr, stop_event, str_len, start_pos)) for i in range(cpus)] for p in processes: p.start() for p in processes: p.join() ``` ![image](https://hackmd.io/_uploads/r1PGvcX_Jx.png) **0XF8xp81lHI09LNTt61y** this value match the value of **Flag** ![image](https://hackmd.io/_uploads/B1FFLqmOJx.png) ```TUCTF{k1nd_0f_an_1d0r_vu1n!}``` ## Techno Oracle(Web) I use burpsuite to catch package and change my command **s** to flag,and I got this. I don't know is there any relationship between burpsuite. ![image](https://hackmd.io/_uploads/HJZ4p3m_kg.png) ```TUCTF{5P00ky_0r4CL3}```