23 Sep 2013

CSAW CTF 2013 – Exploitation 400 – GameMan

nc 128.238.66.223 1025 < hello_world.gbc

We are given a GameBoy (Color) ROM file and a server address + port.

When sending the original hello_world.gbc to the server we are greeted with some output:

$ nc -vvv 128.238.66.223 1025 < hello_world.gbc
Connection to 128.238.66.223 1025 port [tcp/*] succeeded!
Insert Cartridge... 
Loaded: CSAW CTF 2013
OK
OK
OK
Hello World!


05 May 2013

pCTF 2013 – usbdude (for 350)

For this challenge we’re given a pcap file containing USB traffic. Initial inspection shows us this is a dump of an AVRISP mkII USB programmer for 8-bit AVR microcontrollers.

04 May 2013

pCTF 2013 – charsheet (web 150)

My friend is in my D&D campaign – could you get me his character name? He administrates this site.

This challenge is a very simple SQL injection, asking for the character name.


04 May 2013

pCTF 2013 – secure_reader (pwn 150)

I can’t figure out how to read the flag 🙁 ssh to 54.224.109.162

The secure_reader program can read the flag, but can only be invoked from the reader program.


04 May 2013

pCTF 2013 – unnnnlucky (misc 20)

Question: Where does The Plague hide his money?

This question is clearly a reference to the movie Hackers. We immediately watched the movie on YouTube and skipped to the referenced part in the NSA interview room scene.


02 May 2013

pCTF 2013 – ropasaurusrex (pwn 200)

This is a very simple network service which will overflow a stack buffer if you send it too much data. The stack is non-executable, which we can get around using Return-Oriented Programming (which is pretty much given away by the challenge name of course). Then the only tricky bit is that ASLR is enabled, which means that libc (which contains all of the interesting functions like system()) will be at a different address each time we connect.


28 Apr 2013

pCTF 2013 – cone (binary 250)

Cone is an obfuscated binary which reads a key from stdin and either approves
it or denies it. After reading our magic instruction trace we found out that
the underlying algorithm of this binary consists of only a few operations. The
following is a representation of the algorithm in Python.

28 Apr 2013

pCTF 2013 – prove it (misc 150)

We’ve been reading about bitcoins.

We were given a service that asked us to provide an input that would result in an MD5 hash with a given 52-bit prefix. At first we were looking at modifying an existing GPU cracker to find input resulting in the given prefix. Luckily one of our team members tried a few hashes against a wordlist and noticed he could find some of them in the wordlist.

27 Apr 2013

pCTF 2013 – blech (crypto 200)

You get arbitrary code execution…. as long as it’s code we approve of.

This challenge consisted of a service which allowed running arbitrary Python code, as long as you had a valid RSA signature for it…

27 Apr 2013

pCTF 2013 – hypercomputer-1 (bin 100)

hypercomputer-1

For those who didn’t play plaidCTF 2012: “supercomputer” was a reversing
challenge that computed flags using really silly math (like adding in a loop
instead of multiplication). hypercomputer is easier… if you do it right 😛

We remembered the supercomputer challenge from last year, when we solved parts of it using a hex editor. Since at some point that got really tricky we decided to use a different approach this year. With this new approach we had more luck and awesomeness this year!