# Trudi week 1. Write-ups

[TOC]

## Web

### Login problem

All SQL statements are done using prepared statements and have no SQL injection. Only one INSERT statement is unsafe and allows injection:

```SQL
INSERT INTO users (username, password, is_administrator) VALUES ('$username', '$password', false)
```

The easy way is to append a second user value and set is_administrator to *true*:

name: `new_login`
passwd: `passwd', true), ('trashlogin1', 'trashpasswd1`

The resulting statement is:

```SQL
INSERT INTO users (username, password, is_administrator) VALUES ('new_login', 'passwd', true), ('trashlogin1', 'trashpasswd1', false)
```

## Admin

### Hermes

1. First of all, we understand that this is an image with `EXIF` data. `Exiftool` prints us some strange string:
2. ![1](https://i.ibb.co/w0bptj4/1.jpg)
3. After some further investigation we can find an archive at the end of the image file:
4. ![2](https://i.ibb.co/j5DsQqz/2.jpg)
5. Taking the random string together with the encrypted archive, we can guess that it lets us decrypt the archive:
6. ![3](https://i.ibb.co/BPpcGYX/3.jpg)
7. It seems that this is the `Brainfuck` language. We can use any online interpreter and get the flag:
8. `CTF{f0R3N51c5_15_345y_TRU57_m3_kUn}`

### Apache Admin

1. First of all, we need to scan the site with `dirb`:
2. ![1](https://i.ibb.co/JHtJskb/1.jpg)
3. Now we find the htpasswd and secret files. So, let's brute-force htpasswd:
4. ![2](https://i.ibb.co/3WcsHgF/2.jpg)
5. Then we can log in and download the secret file.
6. The directory `new` is a git repository, and we have two branches.
7. We can use `gittools` to extract all files:
8. ![3](https://i.ibb.co/QrCJGsG/3.jpg)
9. And finally we get the flag from the secret branch:
10. `CTF{u53_617_N07_Ju57_C0py_F0ld3R5}`

### ctfOS

1. First of all, find the packets with ClientHello and ServerHello, then look at the sid field: it is unusual ("vigenere" and "your_secret_key").
2. Find the packets with the same src and dst IPs as the packets from the previous step.
3. Check the parameter of the requests. Its structure looks like a base64-encoded string: decode it and see the message "if you read this message,it means that you find right way your flag is here but it needs some transform"; the last string doesn't decode. Now let's return to the ServerHello and ClientHello. Use the Vigenere cipher with the key "your_secret_key" on the string from the previous step. As a result you get the flag.

## PPC

### New laptop

To solve this task, you simply need to implement the [binary search](https://en.wikipedia.org/wiki/Binary_search_algorithm) algorithm. Price limits were from 10 to 1000.

## Reverse

### Just reverse

A string is generated and compared with the entered password using the strcmp function. The easiest solution is to set a breakpoint in a debugger and read the generated string before the comparison.

`CTF{Ju57_r3V3r53}`

### Linear

1. Let's open the binary `work` with Ghidra:
2. ![1](https://i.ibb.co/SNC8711/1.jpg)
3. After the program receives a string, it composes an n*n matrix (n = len(string)) and fills it with zeros. After that, on the diagonal of the matrix, it assigns the values of the letters, adding each one to the sum of the previous ones on every iteration.
4. Then the program composes another matrix, in which every value is random and not greater than `1337 (0x539)`.
5. And finally the program performs matrix multiplication and prints the final matrix:
6. ![2](https://i.ibb.co/QkmfBSb/2.jpg)
7. So we know that the program composes two matrices: M, the random matrix, whose size depends on the length of the source string, and X, with the running sums of the letters. Time to recall linear algebra:
8. `X x M = C => C x M^(-1) = X`
9. So, we just need to find the inverse of the second matrix and multiply the final matrix by it:
10. ![3](https://i.ibb.co/ySJt4Lp/3.jpg)
11. After that we can subtract successive values in matrix A (each diagonal entry is a running sum, so the differences are the letters) and get the flag:

`CTF{l1n34R_ALG3br4_c4n_h3lp_y0u_N07_0n1y_1n_Un1V3r517Y}`

## Stegano

### Nokia

![keypad](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.maxbhi.com%2Fimages%2Fthumbnails%2F500%2F500%2Fdetailed%2F431%2Fkeypad_for_nokia_e51_black_maxbhi_com_43802.jpg&f=1&nofb=1)

The message was written on an old Nokia phone. To solve this task, you need to find the Nokia keypad sounds and decode the written message. Another possible solution is to write down all possible symbols for each button sequence pressed and try to guess the correct ones. For example, for three sequential presses it could be the letters C, F, I, L, O, R, V, Y.

`CTF{oldschool}`

## Crypto

### Interception

This is xorshift encryption. In the source code we can see that all operations are done modulo 65536, which means the key has only 65536 possible values. It is possible to brute-force them all and find the correct message by regular encryption, since only lowercase English letters were used. Decryption works exactly the same as encryption: xor the ciphertext with the same byte sequence to get the plaintext.

`CTF{yourciphermightbestrongbutkeylengthshouldnotallowbruteforce}`

### Stupido

There are only three operations used: xor, replace and split. All three are reversible. To solve this task, you need to apply all operations in reverse order. In the split operation we need to change the indexes to retrieve the original data.

```python
from base64 import b64decode

msg = list(b64decode("lLzHWxfMf71FxFYMGRH392l8"))

def xor(s, ind, b):
    # xor one byte at the (wrapped) index; applying it again undoes it
    ind %= len(s)
    s[ind] = s[ind] ^ b
    return s

def replace(s, a, b):
    # swap two bytes; a swap is its own inverse
    a %= len(s)
    b %= len(s)
    s[a], s[b] = s[b], s[a]
    return s

def split_ind(s, ind):
    # split with the indexes changed so that it undoes the challenge's split
    ind %= len(s)
    s = s[-ind:] + s[:-ind]
    return s

# the challenge's operations, applied in reverse order
msg = xor(msg, 19, 61)
msg = replace(msg, 8, 79)
...
msg = replace(msg, 83, 7)
msg = xor(msg, 46, 9)
print(msg)
print(''.join([chr(x) for x in msg]))
```
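For the Login problem above, an added example (not the challenge's code) that puts the vulnerable string-built INSERT next to its parameterised fix, using a constructed in-memory SQLite table with the same columns and the write-up's payload:

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the challenge's users table (not the real one).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, is_administrator INTEGER)")
    return db

def register_unsafe(db, username, password):
    # The write-up's vulnerable pattern: user input pasted straight into the SQL text.
    sql = ("INSERT INTO users (username, password, is_administrator) "
           f"VALUES ('{username}', '{password}', false)")
    db.execute(sql)

def register_safe(db, username, password):
    # Hardened form: bound parameters, so the quote in the input stays data, not SQL.
    db.execute("INSERT INTO users (username, password, is_administrator) VALUES (?, ?, false)",
               (username, password))

def admins(db):
    return [row[0] for row in db.execute("SELECT username FROM users WHERE is_administrator = 1")]

def usernames(db):
    return [row[0] for row in db.execute("SELECT username FROM users ORDER BY rowid")]

def demo(register):
    # Registers with the payload from the write-up; returns (all usernames, admin usernames).
    db = make_db()
    register(db, "new_login", "passwd', true), ('trashlogin1', 'trashpasswd1")
    return usernames(db), admins(db)
```

With the unsafe function the payload yields two rows and an administrator; with the safe one it is stored verbatim as a password and nobody becomes an administrator.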
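For the Linear task, an added example (my own code, not the challenge binary) that rebuilds the construction described in steps 3-5 and then carries out the recovery `X = C x M^(-1)` with an exact Gauss-Jordan inverse over rationals; the secret string and the seeded random M are constructed stand-ins:

```python
from fractions import Fraction
import random

def build_x(s):
    # Diagonal matrix of running sums of the characters, as the write-up describes.
    n = len(s)
    x = [[0] * n for _ in range(n)]
    total = 0
    for i, ch in enumerate(s):
        total += ord(ch)
        x[i][i] = total
    return x

def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def inverse(m):
    # Gauss-Jordan elimination over exact rationals; raises if M is singular.
    n = len(m)
    aug = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def recover(c, m):
    # X = C * M^-1; the diagonal holds running sums, so differences give the letters.
    x = matmul(c, inverse(m))
    diag = [x[i][i] for i in range(len(x))]
    letters = [diag[0]] + [diag[i] - diag[i - 1] for i in range(1, len(diag))]
    return "".join(chr(int(v)) for v in letters)

def demo(secret="CTF{c0nstructed}", seed=1):
    # Constructed round trip: random M with entries up to 1337, C = X * M, then recover.
    rng = random.Random(seed)
    n = len(secret)
    m = [[rng.randint(0, 1337) for _ in range(n)] for _ in range(n)]
    return recover(matmul(build_x(secret), m), m)
```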
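For the Stupido task, an added example (not the challenge's source) that makes the "reverse order, change the split indexes" rule explicit: given a list of forward operations, `invert_ops` reverses it and replaces each split by its complementary rotation. The forward `split` being a left rotation by `ind` is an assumption, as is the constructed plaintext and the seeded random operation list:

```python
from base64 import b64encode, b64decode
import random

def xor(s, ind, b):
    ind %= len(s)
    s[ind] ^= b
    return s

def replace(s, a, b):
    a %= len(s)
    b %= len(s)
    s[a], s[b] = s[b], s[a]
    return s

def split(s, ind):
    # Assumed forward split: rotate left by ind (hypothetical; the challenge source is not on the page).
    ind %= len(s)
    return s[ind:] + s[:ind]

FORWARD = {"xor": xor, "replace": replace, "split": split}

def apply_ops(data, ops):
    s = list(data)
    for name, *args in ops:
        s = FORWARD[name](s, *args)
    return bytes(s)

def invert_ops(ops, length):
    # xor and replace are self-inverse; a left rotation by k is undone by a left
    # rotation by length - k. The order of operations is reversed.
    inv = []
    for name, *args in reversed(ops):
        if name == "split":
            inv.append(("split", (length - args[0] % length) % length))
        else:
            inv.append((name, *args))
    return inv

def random_ops(n, seed=0):
    # Constructed operation list standing in for the challenge's script.
    rng = random.Random(seed)
    ops = []
    for _ in range(n):
        kind = rng.choice(list(FORWARD))
        if kind == "xor":
            ops.append(("xor", rng.randrange(100), rng.randrange(256)))
        elif kind == "replace":
            ops.append(("replace", rng.randrange(100), rng.randrange(100)))
        else:
            ops.append(("split", rng.randrange(100)))
    return ops

def demo(plaintext=b"CTF{constructed}", n_ops=40):
    ops = random_ops(n_ops)
    ciphertext = b64encode(apply_ops(plaintext, ops)).decode()
    return apply_ops(b64decode(ciphertext), invert_ops(ops, len(plaintext)))
```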