---
tags: 'ctf'
---

ctf.synk.io
===

<i class="fa fa-file-pdf-o" aria-hidden="true"></i> **ctf.synk.io**
<i class="fa fa-user-circle-o" aria-hidden="true"></i> Johnny Pan
<i class="fa fa-clock-o" aria-hidden="true"></i> 2021-10-05
<i class="fa fa-external-link" aria-hidden="true"></i> https://ctf.snyk.io

[TOC]

## magician

![](https://i.imgur.com/cgajyew.png)

We analyze what type of hash it is:

![](https://i.imgur.com/jnpfhUF.png)

We see that the challenge is about the PHPMagicTricks (type juggling) vulnerability:

- https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf
- https://github.com/intadd/php_magic_hash
- https://www.whitehatsec.com/blog/magic-hashes/
- https://offsec.almond.consulting/super-magic-hash.html
- https://github.com/ryanking13/ctf-cheatsheet/blob/master/Cryptography/Useful_Hashes.md
- https://grocid.net/2019/08/03/finding-magic-hashes-with-hashcat/
- https://github.com/spaze/hashes/blob/master/md5.md

Using this string, `GGHMVOE`:

![](https://i.imgur.com/bTuh859.png)

:::success
SNYK{5fcde70181e9a9e3b26d014635e125a62899f337b84bb5ac8b7370efdf5bb506}
:::

## not-hot-dog

```
python RsaCtfTool.py -n 609983533322177402468580314139090006939877955334245068261469677806169434040069069770928535701086364941983428090933795745853896746458472620457491993499511798536747668197186857850887990812746855062415626715645223089415186093589721763366994454776521466115355580659841153428179997121984448771910872629371808169183 -e 387825392787200906676631198961098070912332865442137539919413714790310139653713077586557654409565459752133439009280843965856789151962860193830258244424149230046832475959852771134503754778007132465468717789936602755336332984790622132641288576440161244396963980583318569320681953570111708877198371377792396775817 --uncipher 580087704654652718548072347767087713441678375071000498564963353235374511777098333485190394366859651200453688757231829505858552725280311870462095017761444727880100748324874906835296769310122754627620933554008332091299159978573396458947155647454747215038440028347688779707172885517390987973184407689583941483511
private argument is not set, the private key will not be displayed, even if recovered.

[*] Testing key /tmp/tmpvimczhe3.
Can't load roca because sage is not installed
Can't load ecm2 because sage is not installed
Can't load ecm because sage is not installed
Can't load smallfraction because sage is not installed
Can't load boneh_durfee because sage is not installed
Can't load qicheng because sage is not installed
[*] Performing noveltyprimes attack on /tmp/tmpvimczhe3.
[*] Performing comfact_cn attack on /tmp/tmpvimczhe3.
[*] Performing siqs attack on /tmp/tmpvimczhe3.
[!] Warning: Modulus too large for SIQS attack module
[*] Performing factordb attack on /tmp/tmpvimczhe3.

Results for /tmp/tmpvimczhe3:

Unciphered data :
HEX : 0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000534e594b7b623665303463653530306639643939386238616334313264376138356533353963613862376663333132363763643666373138326435376536633339613265617d
INT (big endian) : 1228101181947026162229875232442124938326002033883180155805050744425091298519878537357492886665975977820339730806333575847563795496889152878139691087102629007696337396093
INT (little endian) : 22539557491306234317840645219898544041354010354539154858227091748755745432448816140550642175049144146305394712350794164123394991970597487029931233718241153641452995002484996458284970713295507696794759015271008814071186574395425795685377395299779789279633852923213674685740604307535879160982299030848141103464448
STR : b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00SNYK{b6e04ce500f9d998b8ac412d7a85e359ca8b7fc31267cd6f7182d57e6c39a2ea}'
```

:::success
SNYK{b6e04ce500f9d998b8ac412d7a85e359ca8b7fc31267cd6f7182d57e6c39a2ea}
:::

## qrrr

```
zbarimg flag.png
QR-Code:5ff8d4e4958d8007a3897}
scanned 1 barcode symbols from 1 images in 0.03 seconds
```

Stegsolve

Green plane 6

![](https://i.imgur.com/DZgvOW4.png)

Red plane 7

![](https://i.imgur.com/3h5zLs3.png)

Red plane 6

![](https://i.imgur.com/nxJTNVq.png)

```
zbarimg *
QR-Code:5ff8d4e4958d8007a3897}
QR-Code:SNYK{6947bd4818ffc1768f2
QR-Code:12d99aa3a92f1abbb7d40786
QR-Code:5ff8d4e4958d8007a3897}
```

:::success
SNYK{6947bd4818ffc1768f212d99aa3a92f1abbb7d407865ff8d4e4958d8007a3897}
:::

## Russian doll

```
Esp qwlr td DOKnGoIgKSsVvizaEAJmEgxiEShQKjjgyfeLhdutuIhObpZr IIEPL pyncjaepo. Alddhzco stye: iiii.
```

![](https://i.imgur.com/txwFMzQ.png)

```
The flag is SDZcVdXvZHhKkxopTPYbTvmxTHwFZyyvnutAwsjijXwDqeOg XXTEA encrypted. Password hint: xxxx
```
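
For the magician challenge above, the loose comparison that makes magic hashes work, modelled in Python beside its strict counterpart. This is an added example, not part of the original write-up or the challenge's code. It assumes MD5 (as the linked md5.md list suggests), simplifies PHP's numeric-string rules, and uses the widely published inputs `240610708` and `QNKCDZO` as constructed sample data.

```python
import hashlib
import hmac
import re

# Simplified model of a PHP "numeric string": optional sign, digits with an
# optional fraction, optional exponent. (PHP also tolerates surrounding
# whitespace, which a hex digest never contains.)
_NUMERIC = re.compile(r"[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")
# A "magic" digest: zeros, then "e", then digits only, i.e. 0 x 10^n == 0.
_MAGIC = re.compile(r"0+[eE]\d+")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def php_loose_eq(a: str, b: str) -> bool:
    """Model of PHP `$a == $b` for two strings (the vulnerable check)."""
    if _NUMERIC.fullmatch(a) and _NUMERIC.fullmatch(b):
        return float(a) == float(b)  # both numeric: compared as numbers
    return a == b                    # otherwise: ordinary string comparison


def strict_eq(a: str, b: str) -> bool:
    """Counterpart of PHP `hash_equals()`: bytes compared as bytes."""
    return hmac.compare_digest(a.encode(), b.encode())


def is_magic(digest: str) -> bool:
    """True when a stored digest would collapse to 0 under `==`."""
    return _MAGIC.fullmatch(digest) is not None


if __name__ == "__main__":
    stored = md5_hex("240610708")  # constructed "stored" password hash
    # GGHMVOE is the string from the write-up; its digest is computed, not assumed.
    for guess in ("QNKCDZO", "GGHMVOE", "password"):
        d = md5_hex(guess)
        print(f"{guess:10} {d} magic={is_magic(d)} "
              f"loose={php_loose_eq(d, stored)} strict={strict_eq(d, stored)}")
```

On the PHP side the fix is the same swap: compare digests with `hash_equals()` or `===` rather than `==`, and check stored hashes with a pattern like `is_magic` during review.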