Merge branch 'master' of https://github.com/failedxyz/easyctf

diffie-cult/grader.py

@@ -1,4 +1,4 @@
 def grade(autogen, answer):
-	if answer == ("421049228295820"):
+	if answer == ("906730649345"):
 		return True, "Correct!"
 	return False, "Nope, try again."

diffie-cult/messages.txt

@@ -1,3 +1,4 @@
-g^a mod p = 421049228295820
-g^b mod p = 105262307073955
-p=442101689710611
+g^a mod p = 791868216278
+g^b mod p = 722955066776
+
+p = 986314922069

diffie-cult/problem.yml

@@ -1,9 +1,9 @@
 title: Diffie-cult
-author: nicebowlofsoup
-hint: Wikipedia explains Diffie-hellman pretty well. There is a also a very easy way to do this.
+author: arxenix
+hint: Wikipedia explains Diffie-hellman pretty well.
 category: Cryptography
 autogen: false
 programming: false
-value: 50
+value: 140
 files:
   - messages.txt

doubly-dangerous/description.md

@@ -0,0 +1 @@
+There seems to be an issue with this binary. Can you exploit it? View the problem in the shell server /problems/ directory.

doubly-dangerous/doubly_dangerous.c

@@ -1,6 +1,8 @@
 //compile with:
 //gcc -m32 -std=c99 -Wall -fno-stack-protector doubly_dangerous.c -o doubly_dangerous
 
+//sol: input "A"*40+"\x00\x80\x34\x41"
+
 #define _GNU_SOURCE
 #include <stdlib.h>
 #include <unistd.h>

doubly-dangerous/grader.py

@@ -0,0 +1,4 @@
+def grade(random, key):
+    if key.find("bofs_and_floats_are_d0uble_tr0uble!") != -1:
+        return True, "Correct!"
+    return False, "Nope :("

doubly-dangerous/problem.yml

@@ -4,6 +4,6 @@ hint: How are floating-point numbers represented?
 category: Binary Exploitation
 autogen: false
 programming: false
-value: 75
+value: 110
 files:
   - doubly_dangerous

easy-re/description.md

@@ -1 +0,0 @@
-This binary has a rather unhelpful message, can you find what it's hiding? [easy-re](easy_re)

easy-re/grader.py

@@ -1,4 +0,0 @@
-def grade(autogen, key):
-    if key.find("1f_0nly_4ll_r3_w4s_34sy") != -1:
-        return True, "Correct!"
-    return False, "Nope!"

easy-re/problem.yml

@@ -1,9 +0,0 @@
-author: GenericNickname
-title: Easy RE
-hint: There's only one place the flag could be.
-category: Reverse Engineering
-autogen: false
-programming: false
-value: 25
-files:
-  - easy-re

hexable-autogen/char.inc

@@ -0,0 +1,84 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Character defines
+	NULL	equ 0x00
+	BELL	equ 0x07
+	BSPC	equ 0x08
+	TAB		equ 0x09
+	ENDL 	equ 0x0A
+	CRET	equ 0x0D
+	
+	CHAR_0	equ 0x30
+	CHAR_1	equ 0x31
+	CHAR_2	equ 0x32
+	CHAR_3	equ 0x33
+	CHAR_4	equ 0x34
+	CHAR_5	equ 0x35
+	CHAR_6	equ 0x36
+	CHAR_7	equ 0x37
+	CHAR_8	equ 0x38
+	CHAR_9	equ 0x39
+	CHAR_A	equ 0x41
+	CHAR_B	equ 0x42
+	CHAR_C	equ 0x43
+	CHAR_D	equ 0x44
+	CHAR_E	equ 0x45
+	CHAR_F	equ 0x46
+	CHAR_G	equ 0x47
+	CHAR_H	equ 0x48
+	CHAR_I	equ 0x49
+	CHAR_J	equ 0x4a
+	CHAR_K	equ 0x4b
+	CHAR_L	equ 0x4c
+	CHAR_M	equ 0x4d
+	CHAR_N	equ 0x4e
+	CHAR_O	equ 0x4f
+	CHAR_P	equ 0x50
+	CHAR_Q	equ 0x51
+	CHAR_R	equ 0x52
+	CHAR_S	equ 0x53
+	CHAR_T	equ 0x54
+	CHAR_U	equ 0x55
+	CHAR_V	equ 0x56
+	CHAR_W	equ 0x57
+	CHAR_X	equ 0x58
+	CHAR_Y	equ 0x59
+	CHAR_Z	equ 0x5a
+	CHAR_a	equ 0x61
+	CHAR_b	equ 0x62
+	CHAR_c	equ 0x63
+	CHAR_d	equ 0x64
+	CHAR_e	equ 0x65
+	CHAR_f	equ 0x66
+	CHAR_g	equ 0x67
+	CHAR_h	equ 0x68
+	CHAR_i	equ 0x69
+	CHAR_j	equ 0x6a
+	CHAR_k	equ 0x6b
+	CHAR_l	equ 0x6c
+	CHAR_m	equ 0x6d
+	CHAR_n	equ 0x6e
+	CHAR_o	equ 0x6f
+	CHAR_p	equ 0x70
+	CHAR_q	equ 0x71
+	CHAR_r	equ 0x72
+	CHAR_s	equ 0x73
+	CHAR_t	equ 0x74
+	CHAR_u	equ 0x75
+	CHAR_v	equ 0x76
+	CHAR_w	equ 0x77
+	CHAR_x	equ 0x78
+	CHAR_y	equ 0x79
+	CHAR_z	equ 0x7a
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+macro resv c_size
+{
+	db c_size dup (0)
+}
+
+macro resv_stuff c_size
+{
+	repeat c_size
+		db % and 0xff
+	end repeat
+}

hexable-autogen/description.md

@@ -0,0 +1,2 @@
+I tried to hide a flag sneakily, can you find it?
+[Download](${hexable})

hexable-autogen/elf.inc

@@ -0,0 +1,45 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; ELF header for stuff
+
+	RLIMIT_AS equ 0x09
+
+macro reserve name,size
+{
+	name db 0
+	repeat size-1
+		db 0
+	end repeat
+}
+
+macro print message
+{
+	mov eax, message
+@@:
+	cmp byte [eax], 0
+	jz @f
+	inc eax
+	jmp @b
+@@:
+	mov edx, eax
+	sub edx, message
+	mov eax, 4
+	mov ebx, 1
+	mov ecx, message
+	int 0x80
+}
+
+macro read out_buff, cnt
+{
+	mov ebx, 0
+	mov eax, 3
+	mov ecx, out_buff
+	mov edx, cnt
+	int 0x80
+}
+
+macro exit exitcode
+{
+	mov ebx, exitcode
+	mov eax, 1
+	int 0x80
+}

hexable-autogen/grader.py

@@ -0,0 +1,22 @@
+from cStringIO import StringIO
+
+def gen_flag(random, length):
+    x = ''
+    for i in range(0, length):
+        x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789'))
+    return x
+
+
+def grade(random, key):
+    if key.find(gen_flag(random, 14)) != -1:
+        return True, "Correct!"
+    return False, "Nope."
+
+
+def generate(random):
+    dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00'
+    output = bytearray(dat[:0xdb])
+    flag = gen_flag(random, 14)
+    output.extend(flag.encode('utf-8'))
+    output.extend(dat[0xdb + 14:])
+    return dict(files={"hexable": (lambda r: StringIO(output))})

hexable-autogen/hexable.asm

@@ -0,0 +1,35 @@
+format ELF executable 3
+entry start
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Buffer macros
+	BUFF_SIZE equ 32
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Includes of macros
+include 'elf.inc'
+include 'char.inc'
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Code
+segment executable writeable readable
+put:
+	print ecx
+	ret
+
+start:
+	mov ecx, msg
+	call put
+	exit 0
+reserve no_code,20
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Data
+segment readable writeable
+msg db 'Can you find the flag?',ENDL,0
+flag db 'easyctf{abcdef__123456}'
+reserve temp,1
+;;;;;;;;;;;;;;;;;;;;;;;;;;;

hexable-autogen/problem.yml

@@ -0,0 +1,6 @@
+title: Hexable
+category: Reverse Engineering
+value: 25
+author: r3ndom
+autogen: true
+hint: Try using a hex editor.

hexable-autogen/simple_gen.py

@@ -0,0 +1,19 @@
+import random
+
+dat = b'\x7fELF\x01\x01\x01\x03\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x03\x00\x01\x00\x00\x00\x91\x80\x04\x084\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x004\x00 \x00\x02\x00(\x00\x00\x00\x00\x00\x01\x00\x00\x00t\x00\x00\x00t\x80\x04\x08t\x80\x04\x08G\x00\x00\x00G\x00\x00\x00\x07\x00\x00\x00\x00\x10\x00\x00\x01\x00\x00\x00\xbb\x00\x00\x00\xbb\x90\x04\x08\xbb\x90\x04\x080\x00\x00\x000\x00\x00\x00\x06\x00\x00\x00\x00\x10\x00\x00\x89\xc8\x808\x00t\x03@\xeb\xf8\x89\xc2)\xca\xb8\x04\x00\x00\x00\xbb\x01\x00\x00\x00\x89\xc9\xcd\x80\xc3\xb9\xbb\x90\x04\x08\xe8\xd9\xff\xff\xff\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00Can you find the flag?\n\x00easyctf{abcdef__123456}\x00'
+
+def gen_flag(length):
+	x = ''
+	for i in range(0,length):
+		x += random.choice(list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQSTUVWXYZ0123456789'))
+	return x
+
+output = bytearray(dat[:0xdb]) 
+flag = gen_flag(14)
+output.extend(flag.encode('utf-8'))
+output.extend(dat[0xdb+14:])
+
+print(output)
+#o = open(flag, 'wb')
+#o.write(output)
+#o.close()

hexable-autogen/std.inc

@@ -0,0 +1,32 @@
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Standard Includes of my
+; code
+include 'char.inc'
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; File descriptor macros
+	STDIN	equ 0
+	STDOUT 	equ 1
+	STDERR	equ 2
+;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+
+; Standard prologue of a function
+macro prologue
+{
+	push ebp
+	mov ebp, esp
+}
+
+; Standard epilogue of a function
+macro epilogue
+{
+	mov esp, ebp
+	pop ebp
+}
+
+; Allocates space on the stack for something
+macro local_alloc size
+{
+	sub esp,size
+}

r3ndom-67k/problem.yml

@@ -3,5 +3,6 @@ category: Reverse Engineering
 value: 450
 author: r3ndom
 autogen: false
+hint: Maybe write a script.
 files:
   - _67k.zip

risky-business/description.md

@@ -1 +1,3 @@
-We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](casino) (MZ SHELL SERVER THING)
+We wanted to branch into the casino business, but human employees are too expensive so we decided to automate it. I feel like we missed something obvious though... Oh well! Here's the binary: [casino](${casino})
+
+Solve this problem by logging into the shell server and navigating to `/problems`.

rsa1/grader.py

@@ -39,7 +39,7 @@ def generate_ciphertext(random):
 
 def generate(random):
     return dict(files={
-        "ciphertext_rsa1.txt": generate_ciphertext
+        "ciphertext.txt": generate_ciphertext
     })
 
 def grade(random, key):

rsa2/grader.py

@@ -38,7 +38,7 @@ def generate_ciphertext(random):
 
 def generate(random):
     return dict(files={
-        "ciphertext_rsa2.txt": generate_ciphertext
+        "ciphertext.txt": generate_ciphertext
     })
 
 def grade(random, key):

simple-rop/description.md

@@ -1,3 +1,5 @@
 On the shell there is a folder `<insert location>`.
+
 Read flag.txt
+
 [Source](${simple-rop.c})