Posts Tagged “CTF”

For this challenge of crypto, we got a ciphered message and a python script. We knew from precedent challenge that flag are always of the form flag{XXXX}, so we make the assumption that it was the same here, so we got the first 5 chars of the ciphered so we got first part of the…

Littlequery is a web challenge with a login page : The behaviour is interesting, when we tried to login, the html password input is replaced by the sha1 of the input with this javascript code : $(“.form-signin”).submit(function () { var $password = $(this).find(“input[type=password]”); $password.val(CryptoJS.SHA1($password.val()).toString()); }); So there is a chance that when someone login the…

For this challenge we have an archive containing a large img file which is a dump of an sd card from a Rasperry Pi. so after extracting it and mounting it we are able to navigate through the files. Nothing in home directory, /etc folder told us that’s there is an apache server on this…

Here is a crypto challenge, we got a ciphered message and the script used, source are available on my github. From the script we can clearly see that : message = flag+key+md5(message) ciphered = xor(message, key) The interesting point is that the key have been xored with itself with an offset, but i will help…

This is one of the web challenge of CSAW17 event. I wrote a little proxy program in NodeJS for my poems folder. Everyone wants to read flag.txt but I like it too much to share. http://web.chal.csaw.io:7311/?path=orange.txt Looks like we have to find a LFI (Local File Inlcusion), we were able to get the index of…

In this challenge we were asked to give card number, there are different steps, firstly we are asked card number for Visa, Master Card, Discovery, American Express they must be sent only once. The next step is to give cards numbers which start with 4 given digits, next card number finish with one given number…

For this challenge we got a pcap containing lot of post request, we opened it with wireshark an apply this filter : http.request.method == “POST” Next we extracted all data from POST requests. name=Amy&lname=Smith&school=University+of+Maine+at+Machias&major=Biological+and+Biomedical+Sciences&c=Italian+Self-Actualization+Music+In+The+Postmodern+Era&s=B&text=Minima+dolor+rerum+ipsam+doloremque+beatae+dolore+autem+minima.+Dolorum+optio+illo+dicta+dolore+eum.+Quidem+repudiandae+labore+officiis+consectetur+excepturi+repudiandae+accusantium.&n=ed51f867229913f8d65128d4d371e9a1e2db71de69aadbd3cc0aaa4725f97e358419798dab291a263936f07b235a89ca173d24dfe149d5b5889de5a6c97a514a30134dda9042eb0eaf5c56c8b78e5119cc69f3d6565897a809a18d94a3d6b4eb99 But some of the paquets got an extra x parameter: name=Tonya&lname=Bush&school=Limestone+College&major=Personal+and+Culinary+Services&c=Populist+Political+Correctness+In+Modern+Paintings&s=F&text=Dolores+consectetur+consequuntur+est+aperiam.+Nesciunt+impedit+tempore+inventore+nulla+iste+libero+earum.+Nam+quae+cum+molestias+similique+consequuntur+omnis.&n=c689fda2a036f389c03ed744078058fe6e3e42d1cd6d4b71475e31691cd3855405d1439b94bff7f25505bbd7f294f91a5284b01602f8f3dc86aac39ab40553a92a0bab3868e4397b57ab2ecb89fdffbfaf629c923705457ef0fa752f529e5ec56f20c87592867d103b758977cf2724fbdc2ec8379768cb312bcabb03e27b5c0d72197bba39f74d195573696e32ab2e7e16675618ff67fc4420c1&x=424d36190000000000003604000028000000e000000018000000010008000000000000000000c40e0000c40e00000001000000010000010203ff0c1416ff10191bff192729ff1c2e32ff1c353aff212a2cff232e31ff273639ff303d3fff253d41ff2a454bff33474bff2c4b53ff So x seems interesting, so we extracted all values of…