March 02 - March 07, 2017
Question: "p xasc. a zdmik qtng. yiy uist. easc os iye iq trmkbumk. gwv wolnrg kaqcs vi rlr."
Solution: The problem appears to be a substitution cipher. I tried using various cipher methods such as rotation cipher and then kamasutra cipher (which I've never seen before this). I then continued looking at more "classical" ciphers and tried applying the Vigenere Cipher. The Vigenere Cipher requires a key to encrypt and decrypt though. I tried using the CTF's name and out came: AGAMEAMOVIESTARHISWIFENAMEOFTHECSTEXTBOOKTHEWINNERTAKESITALL.
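    // Vigenere decryption. The key is expected in uppercase A-Z;
    // non-letters in the ciphertext are skipped and do not advance the key.
    public static String decrypt(String s, String key) {
        StringBuilder decoded = new StringBuilder();
        s = s.toUpperCase();
        for (int i = 0, j = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 'A' || c > 'Z') {
                continue;
            }
            // subtract the key letter, wrapping around the alphabet
            decoded.append((char) ((c - key.charAt(j) + 26) % 26 + 'A'));
            j = (j + 1) % key.length();
        }
        return decoded.toString();
    }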
Flag: pragyanctf{algorithms}
September 16 - September 18, 2016
Question: "Hey, I made my first website today. It's pretty cool and web7.9."
Solution: Remote code execution through URL. Attached Burp as a proxy to my browser. Inspected the HTML, and noticed a possible ?/page=flag.
The site also points out that it is built with git; http://web.chal.csaw.io:8000/.git/config is accessible.
I utilized a DVCS-ripper to download the repository. Attempted file inclusion, but as the code shows it is not feasible.
After analyzing the code I ran it locally and tried many different URLs.
The PHP code has a seemingly interesting defense built into it, which distracts someone at first by defeating local file inclusion: assert("strpos('$file', '..') === false").
But assert() will execute a string argument as PHP code, and that is its weak point.
I added a debug line:
    echo("<script>console.log( 'Debug Objects: " . assert("file_exists('$file')") . "' );</script>");
I then ran the following URLs:
Flag: flag{3vald_@ss3rt_1s_best_a$$ert}
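A defender-side check for the pattern described above, as an added example that is not code from the challenge or from this write-up: it flags assert() calls whose string argument is built from a variable. The PHP sample lines are constructed, and the sketch assumes PHP 5/7 semantics, where string assertions are evaluated as code (PHP 8 no longer does this).

```python
import re

# First argument is a double-quoted string with an interpolated $variable.
INTERPOLATED = re.compile(r'\bassert\s*\(\s*"(?:[^"\\]|\\.)*\$\w')
# First argument is a string literal concatenated with a $variable.
CONCATENATED = re.compile(
    r'''\bassert\s*\(\s*(['"])(?:(?!\1)[^\\]|\\.)*\1\s*\.\s*\$''')
# Any string literal as first argument: evaluated as code, but constant.
STRING_ARG = re.compile(r'''\bassert\s*\(\s*['"]''')

# Constructed sample, modelled on the assert() calls quoted in the write-up.
SAMPLE_PHP = r"""<?php
$file = "templates/" . $page . ".php";
assert("strpos('$file', '..') === false") or die("no");
assert("file_exists('$file')") or die("missing");
assert('is_numeric(' . $id . ')');
assert('PHP_VERSION_ID >= 50400');
// hardened: validate with ordinary expressions, no string evaluation
if (strpos($file, '..') !== false || !file_exists($file)) { die("no"); }
assert(is_numeric($id));
"""

def classify(line):
    """Return 'injectable', 'string-eval' or None for one line of PHP."""
    if INTERPOLATED.search(line) or CONCATENATED.search(line):
        return "injectable"
    if STRING_ARG.search(line):
        return "string-eval"
    return None

def audit(source):
    """Return (line_number, verdict) for every flagged assert() call."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#")):
            continue  # skip comment-only lines
        verdict = classify(line)
        if verdict:
            findings.append((number, verdict))
    return findings

if __name__ == "__main__":
    for number, verdict in audit(SAMPLE_PHP):
        print("line %d: %s" % (number, verdict))
```

The scan is a line-based heuristic, so calls split across lines are missed. Input validation belongs in an ordinary if check as on sample line 8, since assertions can be switched off in production configurations.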
Solution: File is a corrupted .pcapng. It will not open in Wireshark or tcpdump. File is readable through python. I created a python script to find the flag.
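    import re

    # The capture is binary, so read and match it as bytes
    pattern = re.compile(rb'flag\{.*\}')

    with open('kill.pcapng', 'rb') as capture:
        for i, line in enumerate(capture):
            for match in pattern.finditer(line):
                found = match.group(0).decode('latin-1')
                print('Found on line %s: %s' % (i + 1, found))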
Flag: flag{roses_r_blue_violets_r_r3d_mayb3_harambae_is_not_kill}
October 02 - October 04, 2015
Question: 11 short texts have been encrypted with the same stream cipher. No no! Figure out the 11th plaintext!
Solution: I originally attempted just xor-ing cipher 11 to the other ciphers. I then realized that crib dragging was necessary due to the "same stream cipher" description in the problem. I quickly coded up a crib dragging xor solution (xor.py). Guessed at the key quite a few times more than I'd like to admit and then guessed cipher which started to decrypt. And repeated this process a few times.
    from binascii import unhexlify

    # Hex-encoded ciphertexts and the 11th (target) ciphertext from the
    # challenge go here; their values are not reproduced on this page.
    ciphertexts = []
    target = ""

    def strxor(a, b):
        # xor two byte strings of different lengths (zip stops at the shorter)
        return bytes(x ^ y for (x, y) in zip(a, b))

    def main(idx):
        x = strxor(unhexlify(ciphertexts[idx]), unhexlify(target))
        print("Ciphertext[%s] xor Target\n" % str(idx))
        # crib = input("Enter Crib:>").encode()
        crib = b"when using "
        print("Crib\n~%s~" % crib.decode())
        # Crib Drag: xor the crib against every offset of the combined stream
        for i in range(len(x)):
            z = x[i:]
            print("\n[%d]" % i)
            print("%s" % strxor(z, crib).decode("latin-1"))

    if __name__ == "__main__":
        for idx, cipher in enumerate(ciphertexts):
            main(idx)
Flag: When using a stream cipher, never use the key more than once!
Problem: Web site with simple input box, adds a cookie that keeps track of your "money". You only gain $10 with the provided code but need to reach enough to 'buy' the flag.
Solution: Full path disclosure by setting the cookie value to null. Ran document.cookie="PHPSESSID=" in the JavaScript console.
Flag: DCTF{3a9bad36a0fb1edcaa83b6669d667061}
Problem: Broken .png file (m100.png)
Solution: I utilized a bunch of tools on this problem. First I ran pngcheck to see what the problem was. I then did some research and found out this is a checksum error. So I then utilized PNGCSum to fix it. After that the picture was finally "fixed." But something appeared to be cut off. I then edited the headers to resize it from 666x519 to 666x666. This revealed the text, which was crooked. I opened the image in GNU Image Processor to change the perspective of the text.
Flag: s1z3_d03s_ma773r_baby
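The two repairs described above (fixing the chunk checksum, then enlarging the height declared in the header) can be reproduced with the standard library. This is an added example, not the tools used in the write-up; the sample image is a constructed 2x2 PNG standing in for m100.png, with an IHDR that claims 2x1 and a bad CRC.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, data):
    """Serialize a chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png):
    """Yield (type, data, stored_crc) for every chunk after the signature."""
    if png[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    pos = 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk at offset %d" % pos)
        (stored,) = struct.unpack(">I", png[end - 4:end])
        yield png[pos + 4:pos + 8], png[pos + 8:end - 4], stored
        pos = end

def bad_crc_chunks(png):
    """Types of the chunks whose stored CRC does not match their contents."""
    return [t for t, d, stored in iter_chunks(png) if zlib.crc32(t + d) != stored]

def dimensions(png):
    """(width, height) as declared in IHDR, which must be the first chunk."""
    ctype, data, _ = next(iter_chunks(png))
    if ctype != b"IHDR":
        raise ValueError("first chunk is not IHDR")
    return struct.unpack(">II", data[:8])

def repair(png, new_height=None):
    """Re-emit every chunk with a fresh CRC, optionally patching IHDR height."""
    out = PNG_SIG
    for ctype, data, _ in iter_chunks(png):
        if ctype == b"IHDR" and new_height is not None:
            data = data[:4] + struct.pack(">I", new_height) + data[8:]
        out += make_chunk(ctype, data)
    return out

def sample_png():
    """Constructed 2x2 greyscale image: IHDR claims 2x1 and has a bad CRC."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 0, 0, 0, 0)
    rows = b"\x00\x10\x20" + b"\x00\x30\x40"  # two scanlines: filter byte + pixels
    png = (PNG_SIG + make_chunk(b"IHDR", ihdr)
           + make_chunk(b"IDAT", zlib.compress(rows)) + make_chunk(b"IEND", b""))
    return png[:29] + bytes([png[29] ^ 0xFF]) + png[30:]  # corrupt IHDR CRC
```

Recomputing a CRC only makes the file parse again; it does not restore chunk data that was actually damaged, so a mismatch reported on IDAT deserves a closer look before it is overwritten.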
September 18 - September 20, 2015
Solution: Utilized Wireshark. Applied the filter http and !http.host==google.com and !http.host==www.google.com. Revealed packet 60. Upon further investigation of that packet, it's a Python script. If you analyze the Python script you see that they're randomly choosing an encryption method. If you reverse the steps you can easily reveal the flag.
Flag: flag{li0ns_and_tig3rs_4nd_b34rs_0h_mi}
Question: This family of malware has gained notoriety after anti-virus and threat intelligence companies claimed that it was being used by several Chinese military groups.
Solution: PlugX