CSAW 2014 – Saturn – Exploitable 400

This challenge had a binary running on a server that would send a challenge and expect a response.

You have stolen the checking program for the CSAW Challenge-Response-Authentication-Protocol system. Unfortunately you forgot to grab the challenge-response keygen algorithm (libchallengeresponse.so). Can you still manage to bypass the secure system and read the flag?

Part of the binary was provided and some RE was required. On first inspection, the run() function accepts three commands of:

  • 160 – send challenge
  • 224 – check response
  • 128 – print key

Continue reading CSAW 2014 – Saturn – Exploitable 400

ebCTF 2013 Teaser – Wooden Shoes

We’re presented with a nice simple webstore-style site, stocking the finest examples of wooden shoes:

Main page

When we do a search, e.g. for “modern” sorted by price, the query goes out as:

The server responds with a redirection code, sending us to this URL for the actual page:

A quick attempt at some SQL shenanigans reveals that the first step filters out special characters, e.g. searching for ‘ takes us here:

Whether or not this involves SQL injection, it looks like there’s a filtering step we should try to defeat. Modifying the end of the hex “what” string gives a 500 Internal Server Error result, which is a nice start.

Continue reading ebCTF 2013 Teaser – Wooden Shoes

Eindbazen Teaser 2013 – Espionage

I was really excited to see what Eindbazen had up their sleeve for the preview to their first CTF, and I have to say I really enjoyed their challenges. “Espionage” was a nice little crypto teaser that took a little thought but we got there fairly quickly, which sounds about right for a 100 point challenge!

The challenge was presented as two encrypted messages, a crypt/decrypt python script, and a README that told us:

We suspect an employee of one of the embassies has leaked confidential information to a foreign intelligence agency. We’ve managed to capture an individual whom we assume to be the recipient of the info. Our forensics department has managed to recover two messages from his outbox, which appear to be encrypted using some crypto tool. Along with each email our suspect also received an SMS message containing a password, however we were only able to recover one – “SieR1mephad7oose”.
Could you help us decrypt both messages?

Sure enough, we were able to decrypt the first message with the crypto.py utility and the supplied password, which gave us this message:

I don’t suppose they would be so kind as to use the same password for both messages? Of course not! Oh well, time to have a better look at the algorithm.

Continue reading Eindbazen Teaser 2013 – Espionage

GitS 2013 – Kiss

Well this was a mere 50pt challenge, the first to open, yet only 18 teams solved it by the end of the competition!

We start with an HTML file containing Bryan Cantrill’s famous “Have you ever kissed a girl?” post. Diffing this against the original shows that the only differences are in whitespace at the ends of the lines: every line has 0-9 spaces added to the end of it.

Then all you have to do is try a whole bunch of data manipulation to figure out the answer.

Whitespace was my first thought, but that needs tabs as well as spaces for any kind of IO. Number of spaces = character index on line? No. Number of spaces = index into alphabet? Nooope.

Continue reading GitS 2013 – Kiss

CSAW 2012 Web 400 – CryptoMat

CryptoMat is a site where you can send encrypted messages to other users. Dog is a user on the site and has the key. Figure out how to get into his account and obtain it.

Web and crypto in one challenge! Sounds fun.

Essentially, we have a web site which allows users to send messages to one another, encrypted using an unknown algorithm. We can control the key and the plaintext, and see the ciphertext. The receiving user is shown the encoded data, which can include non-HTML-safe characters.

Our aim is to send a message whose ciphertext contains JavaScript that allows us to steal the session cookie from a target user.

We’re told in the description that Dog has the key. Let’s get it.

Continue reading CSAW 2012 Web 400 – CryptoMat