nc 18.104.22.168 1025 < hello_world.gbc
We are given a GameBoy (Color) ROM file and a server address + port.
When sending the original hello_world.gbc to the server we are greeted with some output:
$ nc -vvv 22.214.171.124 1025 < hello_world.gbc Connection to 126.96.36.199 1025 port [tcp/*] succeeded! Insert Cartridge... Loaded: CSAW CTF 2013 OK OK OK Hello World!
My friend is in my D&D campaign – could you get me his character name? He administrates this site.
This challenge is a very simple SQL injection, asking for the character name.
I can’t figure out how to read the flag 🙁 ssh to 188.8.131.52
The secure_reader program can read the flag, but can only be invoked from the reader program.
Question: Where does The Plague hide his money?
This question is clearly a reference to the movie Hackers, we’ve immediately watched the movie on youtube and skipped to the referenced part in the NSA interview room scene.
This is a very simple network service which will overflow a stack buffer if you send it too much data. The stack is non-executable, which we can get around using Return-Oriented Programming (which is pretty much given away by the challenge name of course). Then the only tricky bit is that ASLR is enabled, which means that libc (which contains all of the interesting functions like system()) will be at a different address each time we connect.
Cone is an obfuscated binary which reads a key from stdin and either approves
it or denies it. After reading our magic instruction trace we found out that
the underlying algorithm of this binary consists of only a few operations. The
following is a representation of the algorithm in Python.
We’ve been reading about bitcoins.
We were given a service that asked us to provide an input that would result in an md5 with a given prefix of 52-bits. At first we were looking at modifying an existing GPU cracker to find input resulting in the given prefix. Luckily one of our team members tried a few hashes against a wordlist and noticed he could find some of the in the wordlist.
You get arbitrary code execution…. as long as it’s code we approve of.
This challenge consisted of a service which allowed running arbitrary python code, as long as you had a valid RSA signature for it…
For those who didn’t play plaidCTF 2012: “supercomputer” was a reversing
challenge that computed flags using really silly math (like adding in a loop
instead of mulitplication). hypercomputer is easier… if you do it right 😛
We remembered the supercomputer challenge from last year, when we solved parts of it using a hex editor. Since at some point that got really tricky we decided to use a different approach this year. With this new approach we had more luck and
awesomeness this year!