Carbonara We are given the following ciphertext: %96 7=28 7@C E9:D 492= :D iQx>A6C2E@C xF=:FD r26D2C s:GFDQ] A simple shift shows interesting results: ciphertext = "%96 7=28 7@C E9:D 492= :D iQx>A6C2E@C xF=:FD r26D2C s:GFDQ]" size = len(ciphertext) for i in range(0,100): result="" for c in ciphertext: if ord(c) > 126 or ord(c) < 33: result += c else: first = ord(c)+i if first > 90: first = 64 + (first - 90) result += chr(first) print(result) Here is were the history classes prove valuable, flag is:

Web 100: Abitol This is a simple web app where you can register and login to see an articles page, a photo gallery, a flag page and an admin contact page. Visiting the flag page give us a Nice try, did you really think it would be that easy? ;) but the photo gallery is vulnerable to XSS: http://abitbol.nuitduhack.com/zoom.php?image=1%3E%3Cscript%3Ealert%281%29%3C/script%3E Now, we dont know how the admin contact will be visualized in the viewer page, but we can try to send him a message with an iframe pointing to the vulnerable page so we can send his session ID to our cookie catcher or use XHR to request the flag.

In this level we are presented with a connect 4 game written with ncurses. After playing a couple of times we find a combination to win: DHHDLLDHDDDLDD Nothing happens though so lets fire up Hopper and take a look at the code. A good place to start is by analyzing the code around the you win and you lose exit strings and actually, after priting the you win string we can find an interesting piece of code before the call to exit()

In this level we were presented with an ELF 64bits executable, a good oportunity to exercise linux exploiting on 64bits systems and try Hopper for the first time :) When you run the binary, it begins listening in port 31415 (pi!) but if we try to connect, it complains about a missing user “gambino”. So we have to create the user. Once created, if we try to connect to the service we get nothing.

We didnt have time to finish this task during the game since we decided to finish Freestyle 400 (scored in the last minute) but as I foound out later, we were close to finish it. In this level we were presented with a login form vulnerable to user enumeration. It was easy to see that admin was a valid user but we could not guess the password. After trying with other “normal” accounts like guest, dev and so on, we found that debug was a valid account and the password was debug.

I had the honour to participate with int3pids in the #Olympic CTF and these are the write ups of the Web tasks we solved. CURLing 200: Xnginx In this level we were presented with a simple web site where we could check some news First thing to notice is that the news URL is vulnerable to path transversal: http://109.233.61.11:27280/news/?f=31-12-2013 http://109.233.61.11:27280/news/?f=../../../../../etc/passwd Since the name of the task was xnginx I looked for the nginx configuration file:

In this level we are said that: We have intercepted communication in a private network. It is used a strange protocol based on RSA cryptosystem. Can you still prove that it is not secure enough and get the flag? We are given a pcap file with a bunch of transmissions generated with this script: #!/usr/bin/python import sys import struct import zlib import socket class Client: def __init__(self, ip): #init self.

I did not solve this level during the CTF, but found it so interesting reading Xelenonz write-up that I couldnt help trying it myself just for the fun and since this blog is my personal notes, I decided to write it here for future reference, but all credits go to Xelenonz. We are given the code of a Image hostig web app. Reading the code we see how it handle the requests:

In this level we are presented with a crypto system based on Matrix operations: #!/usr/bin/python import random from struct import pack def Str2matrix(s): #convert string to 4x4 matrix return [map(lambda x : ord(x), list(s[i:i+4])) for i in xrange(0, len(s), 4)] def Matrix2str(m): #convert matrix to string return ''.join(map(lambda x : ''.join(map(lambda y : pack('!H', y), x)), m)) def Generate(password): #generate key matrix random.seed(password) return [[random.randint(0,64) for i in xrange(4)] for j in xrange(4)] def Multiply(A,B): #multiply two 4x4 matrix C = [[0 for i in xrange(4)] for j in xrange(4)] for i in xrange(4): for j in xrange(4): for k in xrange(4): C[i][j] += A[i][k] * B[k][j] return C def Encrypt(fname): #encrypt file key = Generate('') data = open(fname, 'rb').

In this level we are said that our challange is login with administrator role in a service listening on hackyou2014tasks.ctf.su 7777 We are given the following source code: #!/usr/bin/python from math import sin from urlparse import parse_qs from base64 import b64encode from base64 import b64decode from re import match SALT = '' USERS = set() KEY = ''.decode('hex') def xor(a, b): return ''.join(map(lambda x : chr(ord(x[0]) ^ ord(x[1])), zip(a, b * 100))) def hashme(s): #my secure hash function def F(X,Y,Z): return ((~X & Z) | (~X & Z)) & 0xFFFFFFFF def G(X,Y,Z): return ((X & Z) | (~Z & Y)) & 0xFFFFFFFF def H(X,Y,Z): return (X ^ Y ^ Y) & 0xFFFFFFFF def I(X,Y,Z): return (Y ^ (~Z | X)) & 0xFFFFFFFF def ROL(X,Y): return (X << Y | X >> (32 - Y)) & 0xFFFFFFFF A = 0x67452301 B = 0xEFCDAB89 C = 0x98BADCFE D = 0x10325476 X = [int(0xFFFFFFFF * sin(i)) & 0xFFFFFFFF for i in xrange(256)] for i,ch in enumerate(s): k, l = ord(ch), i & 0x1f A = (B + ROL(A + F(B,C,D) + X[k], l)) & 0xFFFFFFFF B = (C + ROL(B + G(C,D,A) + X[k], l)) & 0xFFFFFFFF C = (D + ROL(C + H(D,A,B) + X[k], l)) & 0xFFFFFFFF D = (A + ROL(D + I(A,B,C) + X[k], l)) & 0xFFFFFFFF return ''.