Merge branch 'master' of https://github.com/failedxyz/easyctf
This commit is contained in:
commit
f37d91600f
25 changed files with 270 additions and 26 deletions
|
@ -1,4 +1,4 @@
|
||||||
def grade(autogen, answer):
|
def grade(autogen, answer):
|
||||||
if answer == ("421049228295820"):
|
if answer == ("906730649345"):
|
||||||
return True, "Correct!"
|
return True, "Correct!"
|
||||||
return False, "Nope, try again."
|
return False, "Nope, try again."
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
g^a mod p = 421049228295820
|
g^a mod p = 791868216278
|
||||||
g^b mod p = 105262307073955
|
g^b mod p = 722955066776
|
||||||
p=442101689710611
|
|
||||||
|
p = 986314922069
|
||||||
|
|
|
@ -1,9 +1,9 @@
|
||||||
title: Diffie-cult
|
title: Diffie-cult
|
||||||
author: nicebowlofsoup
|
author: arxenix
|
||||||
hint: Wikipedia explains Diffie-hellman pretty well. There is a also a very easy way to do this.
|
hint: Wikipedia explains Diffie-hellman pretty well.
|
||||||
category: Cryptography
|
category: Cryptography
|
||||||
autogen: false
|
autogen: false
|
||||||
programming: false
|
programming: false
|
||||||
value: 50
|
value: 140
|
||||||
files:
|
files:
|
||||||
- messages.txt
|
- messages.txt
|
||||||
|
|
1
doubly-dangerous/description.md
Normal file
1
doubly-dangerous/description.md
Normal file
|
@ -0,0 +1 @@
|
||||||
|
There seems to be an issue with this binary. Can you exploit it? View the problem in the shell server /problems/ directory.
|
|
@ -1,6 +1,8 @@
|
||||||
//compile with:
|
//compile with:
|
||||||
//gcc -m32 -std=c99 -Wall -fno-stack-protector doubly_dangerous.c -o doubly_dangerous
|
//gcc -m32 -std=c99 -Wall -fno-stack-protector doubly_dangerous.c -o doubly_dangerous
|
||||||
|
|
||||||
|
//sol: input "A"*40+"\x00\x80\x34\x41"
|
||||||
|
|
||||||
#define _GNU_SOURCE
|
#define _GNU_SOURCE
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
|
4
doubly-dangerous/grader.py
Normal file
4
doubly-dangerous/grader.py
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
def grade(random, key):
|
||||||
|
if key.find("bofs_and_floats_are_d0uble_tr0uble!") != -1:
|
||||||
|
return True, "Correct!"
|
||||||
|
return False, "Nope :("
|
|
@ -4,6 +4,6 @@ hint: How are floating-point numbers represented?
|
||||||
category: Binary Exploitation
|
category: Binary Exploitation
|
||||||
autogen: false
|
autogen: false
|
||||||
programming: false
|
programming: false
|
||||||
value: 75
|
value: 110
|
||||||
files:
|
files:
|
||||||
- doubly_dangerous
|
- doubly_dangerous
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
This binary has a rather unhelpful message, can you find what it's hiding? [easy-re](easy_re)
|
|
BIN
easy-re/easy-re
BIN
easy-re/easy-re
Binary file not shown.
|
@ -1,4 +0,0 @@
|
||||||
def grade(autogen, key):
|
|
||||||
if key.find("1f_0nly_4ll_r3_w4s_34sy") != -1:
|
|
||||||
return True, "Correct!"
|
|
||||||
return False, "Nope!"
|
|
|
@ -1,9 +0,0 @@
|
||||||
author: GenericNickname
|
|
||||||
title: Easy RE
|
|
||||||
hint: There's only one place the flag could be.
|
|
||||||
category: Reverse Engineering
|
|
||||||
autogen: false
|
|
||||||
programming: false
|
|
||||||
value: 25
|
|
||||||
files:
|
|
||||||
- easy-re
|
|
84
hexable-autogen/char.inc
Normal file
84
hexable-autogen/char.inc
Normal file
|
@ -0,0 +1,84 @@
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; Character defines
|
||||||
|
NULL equ 0x00
|
||||||
|
BELL equ 0x07
|
||||||
|
BSPC equ 0x08
|
||||||
|
TAB equ 0x09
|
||||||
|
ENDL equ 0x0A
|
||||||
|
CRET equ 0x0D
|
||||||
|
|
||||||
|
CHAR_0 equ 0x30
|
||||||
|
CHAR_1 equ 0x31
|
||||||
|
CHAR_2 equ 0x32
|
||||||
|
CHAR_3 equ 0x33
|
||||||
|
CHAR_4 equ 0x34
|
||||||
|
CHAR_5 equ 0x35
|
||||||
|
CHAR_6 equ 0x36
|
||||||
|
CHAR_7 equ 0x37
|
||||||
|
CHAR_8 equ 0x38
|
||||||
|
CHAR_9 equ 0x39
|
||||||
|
CHAR_A equ 0x41
|
||||||
|
CHAR_B equ 0x42
|
||||||
|
CHAR_C equ 0x43
|
||||||
|
CHAR_D equ 0x44
|
||||||
|
CHAR_E equ 0x45
|
||||||
|
CHAR_F equ 0x46
|
||||||
|
CHAR_G equ 0x47
|
||||||
|
CHAR_H equ 0x48
|
||||||
|
CHAR_I equ 0x49
|
||||||
|
CHAR_J equ 0x4a
|
||||||
|
CHAR_K equ 0x4b
|
||||||
|
CHAR_L equ 0x4c
|
||||||
|
CHAR_M equ 0x4d
|
||||||
|
CHAR_N equ 0x4e
|
||||||
|
CHAR_O equ 0x4f
|
||||||
|
CHAR_P equ 0x50
|
||||||
|
CHAR_Q equ 0x51
|
||||||
|
CHAR_R equ 0x52
|
||||||
|
CHAR_S equ 0x53
|
||||||
|
CHAR_T equ 0x54
|
||||||
|
CHAR_U equ 0x55
|
||||||
|
CHAR_V equ 0x56
|
||||||
|
CHAR_W equ 0x57
|
||||||
|
CHAR_X equ 0x58
|
||||||
|
CHAR_Y equ 0x59
|
||||||
|
CHAR_Z equ 0x5a
|
||||||
|
CHAR_a equ 0x61
|
||||||
|
CHAR_b equ 0x62
|
||||||
|
CHAR_c equ 0x63
|
||||||
|
CHAR_d equ 0x64
|
||||||
|
CHAR_e equ 0x65
|
||||||
|
CHAR_f equ 0x66
|
||||||
|
CHAR_g equ 0x67
|
||||||
|
CHAR_h equ 0x68
|
||||||
|
CHAR_i equ 0x69
|
||||||
|
CHAR_j equ 0x6a
|
||||||
|
CHAR_k equ 0x6b
|
||||||
|
CHAR_l equ 0x6c
|
||||||
|
CHAR_m equ 0x6d
|
||||||
|
CHAR_n equ 0x6e
|
||||||
|
CHAR_o equ 0x6f
|
||||||
|
CHAR_p equ 0x70
|
||||||
|
CHAR_q equ 0x71
|
||||||
|
CHAR_r equ 0x72
|
||||||
|
CHAR_s equ 0x73
|
||||||
|
CHAR_t equ 0x74
|
||||||
|
CHAR_u equ 0x75
|
||||||
|
CHAR_v equ 0x76
|
||||||
|
CHAR_w equ 0x77
|
||||||
|
CHAR_x equ 0x78
|
||||||
|
CHAR_y equ 0x79
|
||||||
|
CHAR_z equ 0x7a
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
|
macro resv c_size
|
||||||
|
{
|
||||||
|
db c_size dup (0)
|
||||||
|
}
|
||||||
|
|
||||||
|
macro resv_stuff c_size
|
||||||
|
{
|
||||||
|
repeat c_size
|
||||||
|
db % and 0xff
|
||||||
|
end repeat
|
||||||
|
}
|
2
hexable-autogen/description.md
Normal file
2
hexable-autogen/description.md
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
I tried to hide a flag sneakily, can you find it?
|
||||||
|
[Download](${hexable})
|
45
hexable-autogen/elf.inc
Normal file
45
hexable-autogen/elf.inc
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; ELF header for stuff
|
||||||
|
|
||||||
|
RLIMIT_AS equ 0x09
|
||||||
|
|
||||||
|
macro reserve name,size
|
||||||
|
{
|
||||||
|
name db 0
|
||||||
|
repeat size-1
|
||||||
|
db 0
|
||||||
|
end repeat
|
||||||
|
}
|
||||||
|
|
||||||
|
macro print message
|
||||||
|
{
|
||||||
|
mov eax, message
|
||||||
|
@@:
|
||||||
|
cmp byte [eax], 0
|
||||||
|
jz @f
|
||||||
|
inc eax
|
||||||
|
jmp @b
|
||||||
|
@@:
|
||||||
|
mov edx, eax
|
||||||
|
sub edx, message
|
||||||
|
mov eax, 4
|
||||||
|
mov ebx, 1
|
||||||
|
mov ecx, message
|
||||||
|
int 0x80
|
||||||
|
}
|
||||||
|
|
||||||
|
macro read out_buff, cnt
|
||||||
|
{
|
||||||
|
mov ebx, 0
|
||||||
|
mov eax, 3
|
||||||
|
mov ecx, out_buff
|
||||||
|
mov edx, cnt
|
||||||
|
int 0x80
|
||||||
|
}
|
||||||
|
|
||||||
|
macro exit exitcode
|
||||||
|
{
|
||||||
|
mov ebx, exitcode
|
||||||
|
mov eax, 1
|
||||||
|
int 0x80
|
||||||
|
}
|
22
hexable-autogen/grader.py
Normal file
22
hexable-autogen/grader.py
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
from cStringIO import StringIO
|
||||||
|
|
||||||
|
def gen_flag(random, length):
|
||||||
|
x = ''
|
||||||
|
for i in range(0, length):
|
||||||
|
x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789'))
|
||||||
|
return x
|
||||||
|
|
||||||
|
|
||||||
|
def grade(random, key):
|
||||||
|
if key.find(gen_flag(random, 14)) != -1:
|
||||||
|
return True, "Correct!"
|
||||||
|
return False, "Nope."
|
||||||
|
|
||||||
|
|
||||||
|
def generate(random):
|
||||||
|
dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00'
|
||||||
|
output = bytearray(dat[:0xdb])
|
||||||
|
flag = gen_flag(random, 14)
|
||||||
|
output.extend(flag.encode('utf-8'))
|
||||||
|
output.extend(dat[0xdb + 14:])
|
||||||
|
return dict(files={"hexable": (lambda r: StringIO(output))})
|
BIN
hexable-autogen/hexable
Normal file
BIN
hexable-autogen/hexable
Normal file
Binary file not shown.
35
hexable-autogen/hexable.asm
Normal file
35
hexable-autogen/hexable.asm
Normal file
|
@ -0,0 +1,35 @@
|
||||||
|
format ELF executable 3
|
||||||
|
entry start
|
||||||
|
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; Buffer macros
|
||||||
|
BUFF_SIZE equ 32
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; Includes of macros
|
||||||
|
include 'elf.inc'
|
||||||
|
include 'char.inc'
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; Code
|
||||||
|
segment executable writeable readable
|
||||||
|
put:
|
||||||
|
print ecx
|
||||||
|
ret
|
||||||
|
|
||||||
|
start:
|
||||||
|
mov ecx, msg
|
||||||
|
call put
|
||||||
|
exit 0
|
||||||
|
reserve no_code,20
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; Data
|
||||||
|
segment readable writeable
|
||||||
|
msg db 'Can you find the flag?',ENDL,0
|
||||||
|
flag db 'easyctf{abcdef__123456}'
|
||||||
|
reserve temp,1
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
6
hexable-autogen/problem.yml
Normal file
6
hexable-autogen/problem.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
title: Hexable
|
||||||
|
category: Reverse Engineering
|
||||||
|
value: 25
|
||||||
|
author: r3ndom
|
||||||
|
autogen: true
|
||||||
|
hint: Try using a hex editor.
|
19
hexable-autogen/simple_gen.py
Normal file
19
hexable-autogen/simple_gen.py
Normal file
|
@ -0,0 +1,19 @@
|
||||||
|
import random
|
||||||
|
|
||||||
|
dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00'
|
||||||
|
|
||||||
|
def gen_flag(length):
|
||||||
|
x = ''
|
||||||
|
for i in range(0,length):
|
||||||
|
x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789'))
|
||||||
|
return x
|
||||||
|
|
||||||
|
output = bytearray(dat[:0xdb])
|
||||||
|
flag = gen_flag(14)
|
||||||
|
output.extend(flag.encode('utf-8'))
|
||||||
|
output.extend(dat[0xdb+14:])
|
||||||
|
|
||||||
|
print(output)
|
||||||
|
#o = open(flag, 'wb')
|
||||||
|
#o.write(output)
|
||||||
|
#o.close()
|
32
hexable-autogen/std.inc
Normal file
32
hexable-autogen/std.inc
Normal file
|
@ -0,0 +1,32 @@
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; Standard Includes of my
|
||||||
|
; code
|
||||||
|
include 'char.inc'
|
||||||
|
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
; File descriptor macros
|
||||||
|
STDIN equ 0
|
||||||
|
STDOUT equ 1
|
||||||
|
STDERR equ 2
|
||||||
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
||||||
|
|
||||||
|
; Standard prologue of a function
|
||||||
|
macro prologue
|
||||||
|
{
|
||||||
|
push ebp
|
||||||
|
mov ebp, esp
|
||||||
|
}
|
||||||
|
|
||||||
|
; Standard epilogue of a function
|
||||||
|
macro epilogue
|
||||||
|
{
|
||||||
|
mov esp, ebp
|
||||||
|
pop ebp
|
||||||
|
}
|
||||||
|
|
||||||
|
; Allocates space on the stack for something
|
||||||
|
macro local_alloc size
|
||||||
|
{
|
||||||
|
sub esp,size
|
||||||
|
}
|
|
@ -3,5 +3,6 @@ category: Reverse Engineering
|
||||||
value: 450
|
value: 450
|
||||||
author: r3ndom
|
author: r3ndom
|
||||||
autogen: false
|
autogen: false
|
||||||
|
hint: Maybe write a script.
|
||||||
files:
|
files:
|
||||||
- _67k.zip
|
- _67k.zip
|
|
@ -1 +1,3 @@
|
||||||
We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](casino) (MZ SHELL SERVER THING)
|
We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](${casino})
|
||||||
|
|
||||||
|
Solve this problem by logging into the shell server and navigating to `/problems`.
|
|
@ -39,7 +39,7 @@ def generate_ciphertext(random):
|
||||||
|
|
||||||
def generate(random):
|
def generate(random):
|
||||||
return dict(files={
|
return dict(files={
|
||||||
"ciphertext_rsa1.txt": generate_ciphertext
|
"ciphertext.txt": generate_ciphertext
|
||||||
})
|
})
|
||||||
|
|
||||||
def grade(random, key):
|
def grade(random, key):
|
||||||
|
|
|
@ -38,7 +38,7 @@ def generate_ciphertext(random):
|
||||||
|
|
||||||
def generate(random):
|
def generate(random):
|
||||||
return dict(files={
|
return dict(files={
|
||||||
"ciphertext_rsa2.txt": generate_ciphertext
|
"ciphertext.txt": generate_ciphertext
|
||||||
})
|
})
|
||||||
|
|
||||||
def grade(random, key):
|
def grade(random, key):
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
On the shell there is a folder `<insert location>`.
|
On the shell there is a folder `<insert location>`.
|
||||||
|
|
||||||
Read flag.txt
|
Read flag.txt
|
||||||
|
|
||||||
[Source](${simple-rop.c})
|
[Source](${simple-rop.c})
|
Loading…
Reference in a new issue