SHC 2024 - Serverless Login

#web 

In this web chall, we have a simple login portal in which we’re asked to enter our username and password. Looking a bit at the code, we see two interesting things : first, this link in an undisplayed div : http://tinyurl.com/47vu98x9 (i’ve been rickrolled, you will too.). Second, at the bottom we have the link to the script that manages the input :

<script type="py" src="./main.py" config="./pyscript.json"></script>

The main.py file is, as expected, what handles our input. It looks in a database and compares the hashed input to the password. In the pyscript.json file, we have a link pointing to the database, that we can simply use to download it and check the values stored in it.

Read more

Shc 2024 - farm Life

#SHC-2024  #crypto 

Nice challenge, had a pretty hard time with it as i didn’t see a tiny detail.

We’re given the source python code of what’s on the server. Here’s what it looks like, commented :

#!/usr/bin/env python3
import secrets

FLAG = "FAKE_FLAG"

# the encrypt function takes two parameters, sends back the xor of them two. 
def encrypt(key, plaintext):
    return ''.join(str(int(a) ^ int(b)) for a, b in zip(key, plaintext))


def main():
    # keygen
    key = format(secrets.randbits(365), 'b')
    print("Welcome to the CryptoFarm!")
    while True:
        command = input('Would you like to encrypt a message yourself [1], get the flag [2], or exit [3] \n>').strip()
        try:
            if command == "1":
                data = input('Enter the binary string you want to encrypt \n>')
								# Will allow us to know the key if we feed it a 365 bits long string of 1s. 
                print("Ciphertext = ", encrypt(key, data))
								# THIS !!!! THE KEY VARIABLES IS UNCHANGED AS LONG AS WE DON'T DO COMMAND 1 
                key = format(secrets.randbits(365), 'b')
            elif command == "2":
								# Encrypts the flag and sends it back to us
                print("Flag = ", encrypt(key, format(int.from_bytes(FLAG.encode(), 'big'), 'b')))
            elif command == "3":
                print("Exiting...")
                break
            else:
                print("Please enter a valid input")
        except Exception:
            print("Something went wrong.")

if __name__ == "__main__":
    main()

First thing to do : get the encrypted flag. If we encrypt a message first, the key will be regenerated, as commented in the code.

Read more

Shc 2024 - Office program

#SHC-2024  #pwn  #reverse-engineering 

This was the easiest pwn challenge of the ctf. It didn’t require any overflow or anything.

Here’s the most interesting part of the program :

puts("\nSelect an action:");
puts("0 - Exit (like leaving the offic…");
puts("1 - Print favourite excel column");
puts("2 - Call Rebecca from front desk");
puts("3 - Get secret sauce (only for f…");
printf("Enter your choice: ");
int32_t input; // Lost a lot of time trying to figure out if this was overflowable
__isoc99_scanf("%d", &input);
important_work_or_attend_a_meeting();
if (input == 3)
{
    break;
}
if (input < 0)
{
    puts("\nInput out of range. You confus…");
    input = -(input);
}
input = (input + 5);
if (input < 0)
{
    puts("\nInput out of range. You confus…");
    print_flag();
}

The goal is to reach the print_flag function. To do so, we have to send the program a value that will be transformed in its negative value. After, 5 will be added to that value, and after this that number has to be less than zero to call the function. At first I thought that sending any negative number less than 5 would make the cut, but it did not, simply because the scanf function expects a %d, thus an integer.

Read more

SHC 2024 Printer Destroyer Format

#SHC-2024  #reverse-engineering  #CVE-2018-9958 

I received a todo list from IT which I really need to complete.
Clippy is telling lies and says it is not safe to open this PDF :(
Stupid Clippy

This one of my favourites challenges of this year’s SHC. We got an apparently simple PDF file in which we can expect some sort of macro if we believe what we’re told in the intro.

The tool pdfextract from the origami repository is incredibly helpful, as it extracts everything we might be interested in for a ctf challenge : images, streams, scripts and attachments, and creates a directory in which it puts everything.

Read more

Hackappatoi 23 - The first horseman

#ctf  #reverse-engineering 

For this reverse engineering challenge, we’re given a pyc file. I had never encountered this filetype before, but after some research, it appears to be a compiled python file. We can decompile it with https://www.toolnb.com/tools-lang-en/pyc.html. Here’s what the decompiled code looks like :

# uncompyle6 version 3.5.0
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.7.2 (default, Dec 29 2018, 06:19:36) 
# [GCC 7.3.0]
# Embedded file name: ../thefirsthorseman.py
# Size of source mod 2**32: 2794 bytes
from time import sleep
import codecs
print("You've inserted the key you found on the mysterious Laptop and you've been teleported to a place you don't know.")
print('All you can see is an enormous door keeping a castle safe. You approach it and with a bit of fear proceed to open it.')
print('In the middle of the hall you see a funny man, it seems the court jester, but still he scares you.')
print("'SHISH, SHISH' is the only thing he says, and now you realize he is the first horseman, ready to stop you from reaching further in your mission.")
print('The man walks towards you and tries to hit you multiple times! Avoid his punches!\n')

def shish():
    exit("The funny man manages to hit you. You fall on the ground.\nYou don't remember anything. All you know now is a word...\nSHISH\n")


f = ['r3st', '4s_a', 'b3_c', 'm4tt', 'l3t_']
l = ['4ll0', '30_1', '7t3_', 'jkin', 'p1ck']
a = ['5_th', '3_4n', '1t_1', '00p5', '1n_1']
g = ['p1_7', '3_w0', 't0g3', '00_k', 'n0th']
s = ['ear5', 'k!1!', '1n6!', '33p5', 'rd_!']
counter = 0
indexes = []


def print_flag():
    flag = ''
    flag += f[indexes[0]]
    flag += l[indexes[1]]
    flag += a[indexes[2]]
    flag += g[indexes[3]]
    flag += s[indexes[4]]
    flag = 'upgs{' + flag + '}'
    flag = codecs.encode(flag, 'rot13')
    print(flag)


try:
    for t in range(1, 6):
        print(f"{t}...")
        counter = t
        sleep(1)

    shish()
except KeyboardInterrupt:
    if counter == 4:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()

try:
    for t in range(1, 6):
        print(f"{t}...")
        counter = t
        sleep(1)

    shish()
except KeyboardInterrupt:
    if counter == 2:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()

try:
    for t in range(1, 6):
        print(f"{t}...")
        counter = t
        sleep(1)

    shish()
except KeyboardInterrupt:
    if counter == 1:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()

try:
    for t in range(1, 6):
        print(f"{t}...")
        counter = t
        sleep(1)

    shish()
except KeyboardInterrupt:
    if counter == 2:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()
else:
    try:
        for t in range(1, 6):
            print(f"{t}...")
            counter = t
            sleep(1)

        shish()
    except KeyboardInterrupt:
        if counter == 5:
            print('\nYou dodged it\n')
            indexes.append(counter - 1)
        else:
            shish()
    else:
        print('The man is tired, he just hands you a slip of paper, to open the next door.\nThis is what you read')
        print_flag()
        print("The man then says his last words...\n 'https://youtu.be/XH0CSzdHwg0?si=DOwRhOnorrc-WWIx'")

Get the index from the print_flag function, ROT13 cipher and can easily find the index passed to the array and there we are !

Read more