ImaginaryCTF Round 12 Writeup

July 22nd 2021

ImaginaryCTF Round 12 Writeups

A short month this time around

Sanity Check Round 12

You copy and paste the flag:

ictf{Round_12_Sanity_Check}

smth here

We get :4E7L6oD*049p==b?8b=D07EHN and due to the fact that there are only printable characters (and also because it was a day 2 challenge) I guessed it was just a ROT47, which was in fact correct, so doing a rot47 again gives us the flag:

ictf{e@sY_chAll3ng3ls_ftw}

Slow Internet

We get the site router, and a hint that it is a default "default business router"

We visit the webpage and see a loginpage, so a quick google for Business Wireless Gateway default admin yields us the default credentials for cusadmin here.

So we try both passwords and with CantTouchThis we get the flag ictf{w3b_and_0s1nt???_gr3at_c0mb0!}

Quintessentially Quick Quiche

We get the site quiche and when we visit it tells us to use http/3. My first solution was with a python script which was way too complicated, you can just reload the page in firefox (Because after the initial load a header is set that firefox should use HTTP/3 for it).

So we get the flag ictf{who_knew_http_over_udp_could_be_so_quic(k)}

Caesar Tart

We see that there's a function caesar which applies a key to a character, we also see that the key is 5 to 10 characters long and we just loop over that. This encryption is called vigenere and there exist online solvers for it. I used dcode and told it to find something containing the word ICTF. It then pretty quickly found a solution, but I had to copy the recovered key to another website to get the full plaintext:

(I added spaces for your convenience)

HEY IF YOURE READING THIS MESSAGE I SUPPOSE THIS MEANS YOUVE SUCCESSFULLY DECRYPTED IT EH NEAT TODAY I WANNA TALK ABOUT APPLE TARTS DID YOU KNOW APPLE TARTS WERE MADE OUT OF APPLES BONKERS RIGHT I HEARD PEOPLE EVEN PUT SUGAR INTO IT SUGAR THIS ISR EALLY CRAZY ANYWAY EVEN THOUGH THERE ARE APPLES IN APPLE TARTS THEY ARE STILL DELICIOUS ENOUGH THIS MADE MEH UNGRY I WANNA EAT ONE NOW THINK ABOUT THES MELL THAT WAFTS THROUGH THE AIR INTO YOUR NOSE IMAGINE THE DELIGHTFUL GOLDEN COLORATION OF THE TART IM SERIOUSLY RUNNING OUT OF THINGS TO TELL IN HERE SO I GUESS WITHOUT FURTHER ADO HERES YOUR FLAG ICTFMORELIKEVIGENERETART

thus we get ictf{MORELIKEVIGENERETART}

Glitchy Video

We get a .wav file together with a pretty explicit hint to look at it, so I opened the file in audacity and switch to the spectrogram view. There is the a string, which looks like rot encoded text, so I just try all rotations on the string nhyk{34xd_4zi10_xy3l4s0lw4umd} and with a rotation of 21, I get the flag:

ictf{34sy_4ud10_st3g4n0gr4phy}

Web Flagchecker

We get the site flagchecker. There we get the sourcecode. The first line which catches the eye is actually just there to print the code, but that's fairly quickly discovered once we decoded \x3cpre\x3e\x3ccode\x3e%s\x3c/code\x3e\x3c/pre\x3e to be <pre><code>%s</code></pre>. So we look at the other function and see that we format the string which is then passed into the render_template_string function, which means we can make the query be something which will be interpreted by that function. But first we need to pass all the previous conditions, so our query must start with "ictf" and end with "}", also we need to have the exact same length as the flag, so we first try a few lengths (I just did a quick 3 lines script to get the check page with a few "a"s) to find the correct length. Then we put in the stuff to make the other check happy and finally we put a "}}{{flag}} somewhere in there to include the flag variable, so our final payload looks like this: /check?flag=ictf{"}}aaaa{{flag}} and this gives us the flag (After the inital Falseaaaa:

ictf{@llth3br@ck3t5}

overflowwwwwwwww

We get a binary and a libc, we open the binary and see that main just reads a string and then compares a value with a constant (But that value is initialized to another variable and we never write to it, so binja actually optimized that code out), anyway, there is a heap bufferoverflow because the variable is also on the heap. So all we need to do is to overflow enough memory with the correct bytes and that value will be set. I am rather lazy, so I did not calculate any offsets, but just ran python -c "print('\x37\x13\x37\x13\x00\x00\x00\x00'*32+'cat flag.txt')" | ./overflowwwwwwwww with different values (instead of 32) until it worked. Then I switched to remote and hurray, we get the flag

ictf{aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa_h34p_c4n_b3_0v3rfl0w3d_t00}

how r u

We see python 2 and input (But not raw_input), we know we can just input code, which then will be eval'd. So we have one line to do anything. So we just launch a shell by doing __import__("os").system("sh") and get our shell and flag.

ictf{n3v3r_3v3r_3v3r_3v3r_u53_1npu7_1n_pyth0n2}

Arabica

We need to reverse engineer a java class. JD-GUI didn't support the java version, so I ended up using this online decompiler. After decompilation, we see that there are three phases. Other people realized you could skip the first two by just copying the code of phase 3, I however solved all the phases. Also I needed to install a java16 jvm and had to rename the file from Coffe.class to Arabica.class (Else it would complain that the classname and filename didn't match)

Phase 1: you enter a string and it needs to match ascii codes which are hardcoded, so just convert the ascii codes to text and you get hotcupofcoffee

Phase 2: We read an int and that int divided by the last int we gave it (or one in the first iteration) needs to be equal to the current iteration, so we just have to multiply the last input by the iteration number (which results in the factorials) So we just need to enter 1 2 6 24 120

Phase 3: We need this to return not zero, so we need to input a number which is not -1 and which when doubled and added 1 gives -1, so we first convert -1 into it's hex form, 0xFFFFFFFF then subtract one and shift one to the right to get 0x7FFFFFFF convert that back into decimal to get 2147483647 and use that to finally get our flag:

flag{i_4ctU411y_l1k3_T34_m0R3!}

Password recovery Pt. 1

We get a file of email transcript. The first email tells us that in each email following it, there is a password generated in python like this: b64encode(getrandbits(32).to_bytes(4, 'big') + getrandbits(32).to_bytes(4, 'big')).decode() also we need to generate the next 10 getrandbits(32) to get the flag. Luckily there's already pre-made solutions for that (Like randcrack) which takes 624 32-bit integers and then is able to predict following values. So I simply parsed the file, extracted all the passwords, fed them into randrcrack and got the flag:

from randcrack import *
from base64 import b64decode

with open("out.txt") as f:
    d=[b64decode(x.strip()) for x in f.read().split("\n")[3:] if x.strip() != ""]

rc = RandCrack()
for x in d:
    try:
        rc.submit(int.from_bytes(x[:4], 'big'))
    except ValueError:
        rc.predict_getrandbits(32)
    try:
        rc.submit(int.from_bytes(x[4:], 'big'))
    except ValueError:
        rc.predict_getrandbits(32)
print(hex(rc.predict_getrandbits(32*11)))

where out.txt was simply contained the passwords in correct order (Sorted them, just to make sure) Then I needed to swap the endianess and reverse the string, to get the flag:

ictf{Pr3d1ct_M3rs3nn3_By_S3tt1ng_St4t3}

ICICLE Jail

We get a new interpreter and a new spec and we need to read a file, but we can't use "read" and certain other strings in the icicle code (Which needs to be one single line long). Luckily there's also a new "exec" instruction. And by sheer coincidence, that will convert an int to a string if it's given an int as parameter. So we just use

readf r0, "flag.txt"
pr r0

convert the character to hex, then convert that into decimal to get exec 47059791966767526693337926357987238923915048615978680990013992970

and by inputting that on the remote we get:

ictf{3x3cut!v3_3x3cu+0r_3x3cut3s_3x3c}

Too Old

We see that we generate a random number between 10^7 and 10^8, which means that we have 24 to 27 bits, which is totally bruteforcable, so that's what I did:

from multiprocessing import Pool
def brute(a):
    for key in range(a&(~0xFF)|(0xe6^ord('i')), a+10**8//16,256):
        ok=key
        f = bytes.fromhex("e649fd7458fb36acb341346324635da87427d8d25f5c8b7665b921052727bf730f1c0273d00c23217873")
        out = b""
        for c in f:
            out += bytes([c ^ (key&0xff)])
            key = int("{:016d}".format(key**2)[4:12])
        if b"ictf" in out:
            print(ok)
            print(out)
with Pool(16) as p:
    p.map(brute, [10**8//16*i+10**7 for i in range(16)])

the script runs for about 2 second on my machine and gives me the flag. The intended solution is a bit smarter than this and also looks at the second character before fully decrypting, but meh, good enough.

ictf{f0r_l00p5_r1ght_th3r3_4nd_3v3ryWh3r3}

smells Like Stereo Bits

So we get the hint of stereo bits and LSB in the title. To view the distorted image, I used this. (Just googled magic eye solver, because I can't see those damn things). After doing that we get G1R12B0, which I first thought was a password until I remembered the hint that LSB is involved, so I opened up stegsolve and opened the file, went to extract data and set the bit plane order to GRB, and check the indicated bits, bit 1 for G, bit 1 and 2 for R and bit 0 for B.

I then saw that there was a JFIF in the output, so I exported it as a .jpg and looking at that gave us the flag:

ictf{90s_st3r30grams_r_k3wl}

ovvvvvvvvvverflow

We open the binary, see it's a bufferoverflow and enter a lot of a's, then it tells us that the command aaaaaaaaa was not found, so we play a bit around until we see that after 10 characters we overwrite the command that is run. So we enter aaaaaaaaaash to get a shell and read the flag file.

ictf{aAAaAAaaaAAAaaAAAaaAaaAaAAaaAAaAaAaaAAaaaAaAAAAAaAAaAAaAAAaAAAaash}

Regular Reversing

I can't say too much about this challenge, except that it's just tedious work and going through the "hints" again and again (I called each look ahead a hint and went through each one until I found something I could do; Solving it on paper was easier than on the computer)

There may or may not have been a lot of guessing involved towards the end (When I had the end of the string but didn't have the kn0w yet)

ictf{C4N'7_kn0w_2_much_4b0u+_R3Gul4r_3xpr3ss10n5}

Password recovery Pt.2

Again we are given passwords generated like in part 1, but this time we're missing pieces of it and need to get some part in the middle. The intended solution actually uses math to compute everything, I just asked z3 to solve it for me:

from base64 import b64decode
from z3 import *
from pwn import u32

with open("password.recovery.mbox") as f:
    d = [x.strip() for x in f.readlines() if x.strip() != ""]
lastnum = -1
nextpw = False
pws={}
minnum = -1
maxnum = -1
for l in d:
    if "Subject: " in l:
        lastnum = int(l.split("#")[-1])
        if lastnum < minnum or minnum == -1:
            minnum = lastnum
        maxnum = max(maxnum, lastnum)
    elif "We have assigned you" in l:
        nextpw = True
    elif nextpw:
        nextpw = False
        pws[lastnum] = b64decode(l)

### randrack inspired, but modified

MT = [BitVec(f"vec_{i}", 32) for i in range(624)] # initial state unknown
MTO = [x for x in MT]
index = 625 # initial state is to do regen

def regen():
    global MT
    global index

    N, M = 624, 397
    A = 0x9908b0df
    LO, HI = 0x7FFFFFFF, 0x80000000

    for kk in range(0, N-M):
        y = (MT[kk] & HI) | (MT[kk+1] & LO)
        MT[kk] = MT[kk+M] ^ LShR(y,1) ^ ((y&1)*A)
    for kk in range(N-M-1, N-1):
        y = (MT[kk] & HI) | (MT[kk+1] & LO)
        MT[kk] = MT[kk+(M-N)] ^ LShR(y,1) ^ ((y&1)*A)
    y = (MT[N-1]&HI)|(MT[0]&LO)
    MT[N-1] = MT[M-1] ^ LShR(y,1) ^ ((y&1)*A)
    index = 0

def extract():
    global index
    if index >= 624:
        regen()
    r = MT[index]
    r = r ^ LShR(r, 11)
    r = r ^ ((r << 7) & 0x9d2c5680)
    r = r ^ ((r << 15) & 0xefc60000)
    r = r ^ LShR(r, 18)
    index += 1
    return r&0xFFFFFFFF


def regen_int():
    global MT
    global index

    N, M = 624, 397
    A = 0x9908b0df
    LO, HI = 0x7FFFFFFF, 0x80000000

    for kk in range(0, N-M):
        y = (MT[kk] & HI) | (MT[kk+1] & LO)
        MT[kk] = MT[kk+M] ^ (y>>1) ^ ((y&1)*A)
    for kk in range(N-M-1, N-1):
        y = (MT[kk] & HI) | (MT[kk+1] & LO)
        MT[kk] = MT[kk+(M-N)] ^ (y>>1) ^ ((y&1)*A)
    y = (MT[N-1]&HI)|(MT[0]&LO)
    MT[N-1] = MT[M-1] ^ (y>>1) ^ ((y&1)*A)
    index = 0


def extract_int():
    global index
    r = MT[index]
    r = r ^ (r >> 11)
    r = r ^ ((r << 7) & 0x9d2c5680)
    r = r ^ ((r << 15) & 0xefc60000)
    r = r ^ (r >> 18)
    index += 1
    return r&0xFFFFFFFF

### Now solve it

solver = Solver()

start = minnum-(minnum%312)
for i in range(start, maxnum+1):
    x1 = extract()
    x2 = extract()

    expected = pws.get(i, None)
    if expected != None:
        solver.add(int.from_bytes(expected[:4],'big') == x1)
        solver.add(int.from_bytes(expected[4:],'big') == x2)

if solver.check() == sat:
    model = solver.model()
    MT = [model[x].as_long() if model[x] != None else 0 for x in MTO]
    solver.add(Or([MT[i] != MTO[i] for i in range(624)]))
    regen_int() # initial one
    regen_int() # the second one to get to the second state
    index = 0
    for i in range(2*9):
        extract_int()
    print(b"".join([bytes.fromhex(hex(extract_int())[2:].rjust(8,'0')) for i in range(9)]))
else:
    print("Nay")

This runs for about two minutes, but then finds the correct flag:

{St4t3_i+397_is_7rivi4lly_c0mpu73d}

Reversing Some Algorithms

Thanks to implementing a powermod function a few times, I recognized the method f immediatly to just be the python pow method, but recursive. Then in the main function we convert the flag into a number by just doing the same as converting to hex and then reading the number. Then we choose ten integers and they need to be equal to themselves when raised to flag*y, so we know that flag and y need to be modular inverse modulo phi(n), which is trivially computed to be 96933099098818028735695816363963142716310037576504750007863794238150071327948258222722982318041571631903896405924017042636201556382459909420519737582821842523796669050908979263786208808450207855351074945914505034111693323560346396010640647631560540364278925789581677681912012172605890035796657063975789700396 Then we can compute pow(y,-1,phi(n)) and get the flagnum. We just need to convert that to hex and then to characters again.

ictf{the_abuse_of_the_initials_of_rivest_shamir_and_adelman_is_criminal}

Puzzle

We get a unity game and need to somehow get the flag. We can either open the Csharp assembly file in a program like ILSpy and export the code, patch the code and build the dll in Visual studio to stop the pillars from rising. Alternatively we can extract the objects using something like AssetStudio and then we get a folder for each cube with a letter, with the letter in the folder. Unluckily using that method the letter y was duplicated (Because the cube exists twice but you can only see one of course)

ICTF{ARE_YOU_WINNING_SON_GGGGG}

ICICLE Golf

We had to implement some algorithms in ICICLE

my cat program (very quickly done and not optimized at all) looks like this:

loop:
    readstr r0
    strint r1, r0
    sub r1, r1, 1702390132
    jz r1, exit
    pr r0
    mov r1, 10
    intstr r1, r1
    pr r1
    j loop
exit:

My gcd looks like this

readint r0
readint r1
loop:
    jz r1, exit

    mov r3, r1
    mod r1, r0, r1
    mov r0, r3
    j loop
exit:
pr r0

And for the sort, I implemented a bubble sort in around 20 lines, sadly I don't have the code for that anymore. The code for the new insertion code will be pasted when the month is over :P

Converting those to base64 and inserting them online results in

ictf{wh@ts_c00l3r_th@n_b3!ng_c00l?_ICICLE!}

Password recover Pt. 3

Again we are given passwords, but this time we need to go back in time to get the flag. Luckily my z3 script was almost good to go, I had to fix a few things (Only related to the password reading and then the flag printing actually)

from base64 import b64decode
from z3 import *

with open("password.recovery.pt3.mbox") as f:
    d = [x.strip() for x in f.readlines() if x.strip() != ""]
lastnum = -1
nextpw = False
pws={}
minnum = -1
maxnum = -1
for l in d:
    if "Subject: " in l:
        lastnum = int(l.split("#")[-1]) // 2
        if lastnum < minnum or minnum == -1:
            minnum = lastnum
        maxnum = max(maxnum, lastnum)
    elif "We have assigned you" in l:
        nextpw = True
    elif nextpw:
        nextpw = False
        pws[lastnum] = b64decode(l)

#print(pws)

### randrack inspired, but modified

MT = [BitVec(f"vec_{i}", 32) for i in range(624)] # initial state unknown
MTO = [x for x in MT]
index = 625 # initial state is to do regen

def regen():
    global MT
    global index

    N, M = 624, 397
    A = 0x9908b0df
    LO, HI = 0x7FFFFFFF, 0x80000000

    for kk in range(0, N-M):
        y = (MT[kk] & HI) | (MT[kk+1] & LO)
        MT[kk] = MT[kk+M] ^ LShR(y,1) ^ ((y&1)*A)
    for kk in range(N-M-1, N-1):
        y = (MT[kk] & HI) | (MT[kk+1] & LO)
        MT[kk] = MT[kk+(M-N)] ^ LShR(y,1) ^ ((y&1)*A)
    y = (MT[N-1]&HI)|(MT[0]&LO)
    MT[N-1] = MT[M-1] ^ LShR(y,1) ^ ((y&1)*A)
    index = 0

def extract():
    global index
    if index >= 624:
        regen()
    r = MT[index]
    r = r ^ LShR(r, 11)
    r = r ^ ((r << 7) & 0x9d2c5680)
    r = r ^ ((r << 15) & 0xefc60000)
    r = r ^ LShR(r, 18)
    index += 1
    return r&0xFFFFFFFF


def regen_int():
    global MT
    global index

    N, M = 624, 397
    A = 0x9908b0df
    LO, HI = 0x7FFFFFFF, 0x80000000

    for kk in range(0, N-M):
        y = (MT[kk] & HI) | (MT[kk+1] & LO)
        MT[kk] = MT[kk+M] ^ (y>>1) ^ ((y&1)*A)
    for kk in range(N-M-1, N-1):
        y = (MT[kk] & HI) | (MT[kk+1] & LO)
        MT[kk] = MT[kk+(M-N)] ^ (y>>1) ^ ((y&1)*A)
    y = (MT[N-1]&HI)|(MT[0]&LO)
    MT[N-1] = MT[M-1] ^ (y>>1) ^ ((y&1)*A)
    index = 0


def extract_int():
    global index
    r = MT[index]
    r = r ^ (r >> 11)
    r = r ^ ((r << 7) & 0x9d2c5680)
    r = r ^ ((r << 15) & 0xefc60000)
    r = r ^ (r >> 18)
    index += 1
    return r

### Now solve it

solver = Solver()

start = minnum-(minnum%312) # align min num
end = maxnum
for i in range(start, end):
    x1 = extract()
    x2 = extract()

    expected = pws.get(i, None)
    if expected != None:
        solver.add(int.from_bytes(expected[:4],'big') == x1)
        solver.add(int.from_bytes(expected[4:],'big') == x2)

if solver.check() == sat:
    model = solver.model()
    MT = [model[x].as_long() if model[x] != None else 0 for x in MTO]
    #regen_int()
    #regen_int()
    index = 0
    x = b"".join([bytes.fromhex(hex(extract_int())[2:].rjust(8,'0')) for i in range(624)])
    print(x)
    flag = x[x.find(b"ictf"):]
    flag = flag[:flag.find(b"}")+1]
    print(flag)
else:
    print("Nay")

and after only 40 seconds this prints the flag.... Or rather almost the flag, it prints ictf{m3rs3nn3_tw1st3rs_c4n_b\xe8\x06\x02Pck_g3N3r4t3d}

But I just guessed the four missing characters to be 3_b4 because that made the most sense (And since almost all e are 3 and a are 4 I just guessed this first and it was actually correct).

I have no idea what's wrong with my solve script, but too lazy to debug that now.

ictf{m3rs3nn3_tw1st3rs_c4n_b3_b4ck_g3N3r4t3d}

Bullet Time

We get a C++ binary and there are ton's of functions calls to functions which seemingly do nothing. So I instead searched for strings and found that we have two functions which tell us what they are (A matrix times matrix method and a matrix times a vector method). And after staring at some functions for enough, I figured out that all elements are calculated modulo 0xFB and that we generate two matrices using random elements (After seeding with 0x1337), and then multiply the flag with that matrix and then write the output to a file. So I wrote a quick C file to print me the matrices:

#include <stdio.h>
#include <stdlib.h>

int main() {
    srand(0x1337);
    //for(int i = 0; i < 24*24; i++) {rand();} // if uncommented, we want to print the second matrix
    for(int i = 0; i < 24; i++) {
        printf("[");
        for(int j = 0; j < 24; j++) {
            printf("gf(0x%x),", ((rand()%0xfb)+0xfb)%0xfb);
        }
        printf("],\n");
    }
}

and then I went to sage and put everything into a Matrix:

gf=GF(0xFB)
m1=Matrix([<first_run>])
m2=Matrix([<second_run>])
x=Matrix([gf(i) for i in [0x81,0xa3,0x97,0xd3,0xb8,0xcd,0xb3,0x24,0x4e,0xc7,0x33,0x23,0x19,0x20,0xf1,0xe9,0xa8,0x27,0x6f,0x21,0x4e,0xe1,0x2c,0xc7]])
y=x*(m1*m2).inverse().transpose()
print("".join([chr(i) for i in y[0]]))

which gives us the flag:

ictf{r4nd0m_m4tr1x_mul+}

Ay Yi Yi

We are given a file to encode pngs into some custom format and also embed a string into the png. So we look at the icicle code and see that it first skips the first eight bytes then inserts one bit of the flag into the next byte (red) then skips a byte, inserts another bit into the next byte, then skips three bytes and repeats the process until the flag is zero.

So we just need to reverse that by extracting the bits and reading them. For that I modified the convertion function which takes the .iii file and converts it to a png like this:

def iii_to_png(fname):
    assert fname[-4:] == ".iii"
    iii = open(fname, 'rb').read()
    assert iii[:4] == b"\x7fIiI"
    iii = iii[4:]
    w = bytes_to_long(iii[:2])
    h = bytes_to_long(iii[2:4])
    iii = iii[4:]
    assert len(iii)%3 == 0
    png = Image.new("RGB", (w, h))
    bitstring = ""
    curstr = ""
    now = True
    for i in range(0, len(iii), 3):
        idx = i//3
        if now:
            curstr += str(iii[i+0]&0x1)+str((iii[i+2]>>2)&1)
            now = False
        else:
            now = True
        if len(curstr) == 8:
            bitstring += curstr[::-1]
            curstr = ""
        png.putpixel((idx//h, idx%h), (iii[i], iii[i+1], iii[i+2]))
    print(bitstring)
    png.save(fname[:-4] + ".png")

Then renaming the chall.iii.enc to chall.iii and then converting that to a png prints a binary string, which decoded yields the flag:

ictf{idky_yall_asked_for_this_but_here_you_go_have_fun}


< ImaginaryCTF Round 11 Writeup | PolyRing >