Posts for: #SHC-2024

Shc 2024 - farm Life

#SHC-2024  #crypto 

Nice challenge, had a pretty hard time with it as i didn’t see a tiny detail.

We’re given the source python code of what’s on the server. Here’s what it looks like, commented :

#!/usr/bin/env python3
import secrets

FLAG = "FAKE_FLAG"

# the encrypt function takes two parameters, sends back the xor of them two. 
def encrypt(key, plaintext):
    return ''.join(str(int(a) ^ int(b)) for a, b in zip(key, plaintext))


def main():
    # keygen
    key = format(secrets.randbits(365), 'b')
    print("Welcome to the CryptoFarm!")
    while True:
        command = input('Would you like to encrypt a message yourself [1], get the flag [2], or exit [3] \n>').strip()
        try:
            if command == "1":
                data = input('Enter the binary string you want to encrypt \n>')
								# Will allow us to know the key if we feed it a 365 bits long string of 1s. 
                print("Ciphertext = ", encrypt(key, data))
								# THIS !!!! THE KEY VARIABLES IS UNCHANGED AS LONG AS WE DON'T DO COMMAND 1 
                key = format(secrets.randbits(365), 'b')
            elif command == "2":
								# Encrypts the flag and sends it back to us
                print("Flag = ", encrypt(key, format(int.from_bytes(FLAG.encode(), 'big'), 'b')))
            elif command == "3":
                print("Exiting...")
                break
            else:
                print("Please enter a valid input")
        except Exception:
            print("Something went wrong.")

if __name__ == "__main__":
    main()

First thing to do : get the encrypted flag. If we encrypt a message first, the key will be regenerated, as commented in the code.

Read more

Shc 2024 - Office program

#SHC-2024  #pwn  #reverse-engineering 

This was the easiest pwn challenge of the ctf. It didn’t require any overflow or anything.

Here’s the most interesting part of the program :

puts("\nSelect an action:");
puts("0 - Exit (like leaving the offic…");
puts("1 - Print favourite excel column");
puts("2 - Call Rebecca from front desk");
puts("3 - Get secret sauce (only for f…");
printf("Enter your choice: ");
int32_t input; // Lost a lot of time trying to figure out if this was overflowable
__isoc99_scanf("%d", &input);
important_work_or_attend_a_meeting();
if (input == 3)
{
    break;
}
if (input < 0)
{
    puts("\nInput out of range. You confus…");
    input = -(input);
}
input = (input + 5);
if (input < 0)
{
    puts("\nInput out of range. You confus…");
    print_flag();
}

The goal is to reach the print_flag function. To do so, we have to send the program a value that will be transformed in its negative value. After, 5 will be added to that value, and after this that number has to be less than zero to call the function. At first I thought that sending any negative number less than 5 would make the cut, but it did not, simply because the scanf function expects a %d, thus an integer.

Read more

SHC 2024 Printer Destroyer Format

#SHC-2024  #reverse-engineering  #CVE-2018-9958 

I received a todo list from IT which I really need to complete.
Clippy is telling lies and says it is not safe to open this PDF :(
Stupid Clippy

This one of my favourites challenges of this year’s SHC. We got an apparently simple PDF file in which we can expect some sort of macro if we believe what we’re told in the intro.

The tool pdfextract from the origami repository is incredibly helpful, as it extracts everything we might be interested in for a ctf challenge : images, streams, scripts and attachments, and creates a directory in which it puts everything.

Read more