28
Apr
2013

pCTF 2013 – cone (binary 250)

Cone is an obfuscated binary which reads a key from stdin and either approves
it or denies it. After reading our magic instruction trace we found out that
the underlying algorithm of this binary consists of only a few operations. The
following is a representation of the algorithm in Python.
{Read More}

28
Apr
2013

pCTF 2013 – prove it (misc 150)

We’ve been reading about bitcoins.

We were given a service that asked us to provide an input that would result in an md5 with a given prefix of 52-bits. At first we were looking at modifying an existing GPU cracker to find input resulting in the given prefix. Luckily one of our team members tried a few hashes against a wordlist and noticed he could find some of the in the wordlist.
{Read More}

27
Apr
2013

pCTF 2013 – blech (crypto 200)

You get arbitrary code execution…. as long as it’s code we approve of.

This challenge consisted of a service which allowed running arbitrary python code, as long as you had a valid RSA signature for it…
{Read More}

27
Apr
2013

pCTF 2013 – hypercomputer-1 (bin 100)

hypercomputer-1

For those who didn’t play plaidCTF 2012: “supercomputer” was a reversing
challenge that computed flags using really silly math (like adding in a loop
instead of mulitplication). hypercomputer is easier… if you do it right 😛

We remembered the supercomputer challenge from last year, when we solved parts of it using a hex editor. Since at some point that got really tricky we decided to use a different approach this year. With this new approach we had more luck and
awesomeness this year!
{Read More}

26
Apr
2013

pCTF 2013 – pyjail (misc 400)

We did not solve this challenge in time, despite spending a lot of time on it. If we had we would have taken 1st place, but of course there’s always that one challenge you wish you had solved…

Still, it was a really cool challenge and we solved the first part pretty well before getting stuck. And that part deserves a writeup at least.

This challenge consisted of a server that read a string from the user, removed most interesting characters from it, and then ran it through python’s eval and exec. The goal was to get a shell using only the very limited remaining character set and a maximum of 1900 characters, and while having a very stripped down environmen.

{Read More}

26
Apr
2013

pCTF 2013 – dynrpn (pwnable 250)

`dc` runs too slowly for my tastes.

Dynrpn is a calculator program which uses Reverse Polish Notation as syntax which is somewhat compatible with the syntax used by the dc calculator program. However, this version compiles every expression to native FPU code and then runs that code to get the answer.

{Read More}

26
Apr
2013

pCTF 2013 – cheap (misc 100)

What could this mysterious architecture be?

For this challenge we had access to a remote service without any additional information on what to do or what to look for.

{Read More}

26
Apr
2013

pCTF 2013 – servr (web 400)

The challenge description is:

We got a shell on this crazy guy’s web server, but he’s running some really weird software 🙁 Help me get higher privileges please?

As it turns out, this guy is really crazy, since his web server is implemented as a kernel module, and this “web” challenge is actually a kernel pwning challenge.

{Read More}

26
Apr
2013

pCTF 2013 – cat_rar (forensics 150)

So, among all the binaries Plaidctf also followed the tradition in CTF to hide a stego as a forensics challenge. We had a challenge with this description:

cat_rar
150
forensics
“Meow meow mw mw m.
cat.rar

In the cat.rar file we found two files:

  • a cat.rar.jpg which seems to be an image of a cat.
  • a cat.rar.bin which seems to be an x64 ELF binary

{Read More}

26
Apr
2013

pCTF 2013 – giga (crypto 250)

In this challenge we get a network service which generates a RSA keypair, encrypts a flag with it and shows you the ciphertext, and then allows you to encrypt a bunch of different plaintexts and view the corresponding ciphertexts. The goal is to decrypt the encrypted flag somehow.

Normally this should not be possible with RSA, so there have to be some bugs. Let’s look at the code:
{Read More}