# DiceCTF 2023 Author Writeups ## Challenges ### Crypto | Challenge name | Author | Writeup | |---|---|---| | crypto/bbbb | willwam | TODO | | crypto/inversion | ireland | TODO | | crypto/membrane | ireland | TODO | | crypto/Provably Secure | jyu | TODO | | crypto/Provably Secure 2 | jyu | TODO | | crypto/rSabin | ireland | TODO | | crypto/seaside | defund | [link](https://priv.pub/posts/dicectf-2023) | | crypto/vinaigrette | defund | [link](https://priv.pub/posts/dicectf-2023) | ### Misc | Challenge name | Author | Writeup | |---|---|---| | misc/geminiblog | arxenix | [link](https://blog.ankursundara.com/dicectf23-writeups/#geminiblog) | | misc/insecure-shell | kfb | TODO | | misc/mlog | jim & asphyxia | TODO | | misc/Pike | clubby789 | [link](https://gist.github.com/clubby789/b681e7a40da070713c3760953d8df1c3) | | misc/Prison Reform | kmh | TODO | ### Pwn | Challenge name | Author | Writeup | | ------------------------- | ------------ | ---------------------- | | pwn/Baby Solana | NotDeGhost | TODO | | pwn/bop | kfb | TODO | | pwn/chess.rs | strellic | [link](https://brycec.me/posts/dicectf_2023_challenges#chessrs) | | pwn/dicer-visor | SmoothHacker | TODO | | pwn/disc-pwn | hgarrereyn | TODO | | pwn/OtterWorld | NotDeGhost | TODO | | pwn/Sice Supervisor | poortho & triacontakai | TODO | | pwn/zelda | pepsipu | TODO | ### Rev | Challenge name | Author | Writeup | |---|---|---| | rev/disc-rev | hgarrereyn | TODO | | rev/macroscopic | clubby | TODO | | rev/not-baby-parallelism | jyu | TODO | | rev/parallelism | infuzion | [jump](#rev/parallelism) | | rev/raspberry | hgarrereyn | TODO | | rev/super qomputer | ireland | TODO | | rev/time-travel | infuzion | [jump](#rev/time-travel) | ### Web | Challenge name | Author | Writeup | |---|---|---| | web/codebox | EhhThing | TODO | | web/gift | BrownieInMotion | TODO | | web/impossible-xss | arxenix | [link](https://blog.ankursundara.com/dicectf23-writeups/#impossible-xss) | | web/jnotes | arxenix | [link](https://blog.ankursundara.com/dicectf23-writeups/#jnotes) | | web/recursive-csp | strellic | [link](https://brycec.me/posts/dicectf_2023_challenges#recursive-csp) | | web/scorescope | BrownieInMotion | TODO | | web/unfinished | strellic | [link](https://brycec.me/posts/dicectf_2023_challenges#unfinished) | | web/jwtjail | strellic | [link](https://brycec.me/posts/dicectf_2023_challenges#jwtjail) | ## Writeups ### rev/time-travel ```python import struct import numpy as np with open("handout/input.bin", "rb") as enc_f: enc = enc_f.read() offset = 0 SIZE = struct.unpack_from("<i", enc, offset)[0] offset += 4 for i, c in enumerate(range(64)): vals = [] for _ in range(SIZE * SIZE): vals.append(struct.unpack_from("<q", enc, offset)[0]) offset += 8 det = round(np.linalg.det(np.asarray(vals, dtype=np.int64).reshape((SIZE, SIZE)))) flag_diff = struct.unpack_from("<q", enc, offset)[0] offset += 8 print(chr(flag_diff - det + i), end='') print() ``` ### rev/parallelism ```python import copy processed = "m_ERpmfrNkekU4_4asI_Tra1e_4l_c4_GCDlryidS3{Ptsu9i}13Es4V73M4_ans" size = 8 thread_buffers = [] for i in range(8): thread_buffers.append(list(processed[i * 8:(i + 1) * 8])) for iteration in range(10000 - 1, -1, -1): new_thread_buffers = copy.deepcopy(thread_buffers) slot = iteration % 8 for rank, buffer in enumerate(thread_buffers): destination = ((rank - iteration) % size + size) % size source = ((rank + iteration) % size + size) % size new_thread_buffers[source][slot] = thread_buffers[rank][slot] new_thread_buffers[rank][slot] = thread_buffers[destination][slot] thread_buffers = new_thread_buffers swaps = [26, 32, 14, 11, 3, 1, 32, 24, 13, 17, 3, 17, 2, 13, 19, 6, 12, 22, 3, 30, 10, 6, 8, 26, 6, 22, 13, 1, 19, 1, 1, 29] permuted = [] for x in thread_buffers: permuted += x for i in range(32 - 1, -1, -1): permuted[i], permuted[swaps[i] + 31] = permuted[swaps[i] + 31], permuted[i] print(''.join(permuted)) ```