Internetwache CTF 2016 Quick Run (Misc 60) Writeup

Problem

Someone sent me a file with white and black rectangles. I don’t know how to read it. Can you help me?

Attachment: https://ctf.internetwache.org/files/misc60.zip

Solved by 269 teams

Solution

We get a text file with a lot of base64, we dump it to a file:

    cat README.txt | base64 -d > out

and see what’s inside:

There were 24 ASCII QR Codes in the file, no python magic here, just a quick scan with a mobile app and we get the message letter-by-letter: Flagis:IW{QR_C0DES_RUL3}.

Internetwache CTF 2016 The Hidden Message (Misc 50) Writeup

Problem

My friend really can’t remember passwords. So he uses some kind of obfuscation. Can you restore the plaintext?

Attachment: https://ctf.internetwache.org/files/misc50.zip

Solved by 347 teams

Solution

We get a text file with the following contents:

    0000000 126 062 126 163 142 103 102 153 142 062 065 154 111 121 157 113
    0000020 122 155 170 150 132 172 157 147 123 126 144 067 124 152 102 146
    0000040 115 107 065 154 130 062 116 150 142 154 071 172 144 104 102 167
    0000060 130 063 153 167 144 130 060 113 012
    0000071

Looks like a hex dump but with decimals instead of hex numbers, right?

Internetwache CTF 2016 Eso Tape (Rev 80) Writeup

Problem

I once took a nap on my keyboard. I dreamed of a brand new language, but I could not decipher it nor get its meaning. Can you help me?

Hint: Replace the spaces with either ‘{’ or ‘}’ in the solution.

Attachment: https://ctf.internetwache.org/files/rev80.zip

Solved by 95 teams

Solution

We unpack and get a priner.tb file looking like this:

    ## %% %++ %++ %++ %# *&* @** %# **&* ***-* ***-* %++ %++ @*** *-* @*** @** *+** @*** ***+* @*** **+** ***+* %++ @*** #% %% %++ %++ %++ %++ @* %# %++ %++ %++ %% *&** @* @*** *-** @* %# %++ @** *-** *-** **-*** **-*** **-*** @** @*** #% %% %++ %++ %++ %++ %# *+** %++ @** @* %# *+** @*** ## %% @***

Looks like an esoteric language, the name of the challenge supports the assumption.

InternetWache 2016 Eso Taaape (Reverse 80) Writeup

Problem

Description: I once took a nap on my keyboard. I dreamed of a brand new language, but I could not decipher it nor get its meaning. Can you help me?

Hint: Replace the spaces with either ‘{’ or ‘}’ in the solution.

Hint: Interpreters don’t help. Operations write to the current index.

(rev80, solved by 95)

Attachment: rev80.zip

Solution

    $ cat task/priner.tb
    ## %% %++ %++ %++ %# *&* @** %# **&* ***-* ***-* %++ %++ @*** *-* @*** @** *+** @*** ***+* @*** **+** ***+* %++ @*** #% %% %++ %++ %++ %++ @* %# %++ %++ %++ %% *&** @* @*** *-** @* %# %++ @** *-** *-** **-*** **-*** **-*** @** @*** #% %% %++ %++ %++ %++ %# *+** %++ @** @* %# *+** @*** ## %% @***

It took some time to find out what language this is, but since the title of the challenge is Eso Taaape, you could see this as a hint towards esoteric languages and something tape based.

InternetWache 2016 ServerfARM (Reverse 70) Writeup

Problem

Description: Someone handed me this and told me that to pass the exam, I have to extract a secret string. I know cheating is bad, but once does not count. So are you willing to help me?

(rev70, solved by 184)

Attachment: rev70.zip

Solution

The zip contains an ARM binary that seems to be compiled in a pretty nice way, no -O3 here. I reversed the binary and could rebuild the flag from the execution paths.

InternetWache 2016 File Checker (Reverse 60) Writeup

Problem

Description: My friend sent me this file. He told that if I manage to reverse it, I’ll have access to all his devices. My misfortune that I don’t know anything about reversing :/

(rev60, solved by 220)

Attachment: rev60.zip

Solution

Looking at the provided binary we quickly see that it is reading a file .password and compares its contents to a set of values.

    v4 = 4846;
    v5 = 4832;
    ...

InternetWache 2016 Remote Printer (Exploit 80) Writeup

Problem

Description: Printer are very very important for offices. Especially for remote printing. My boss told me to build a tool for that task.

(exp80, solved by 125)

Attachment: exp80.zip

Service: 188.166.133.53:12377

Solution

This one was a bit harder. We are provided with a binary that listens on a port for incoming connections. When it gets a connection, it reads an IP address and a port from the socket and connects to it.

InternetWache 2016 FlagStore (Exploit 70) Writeup

Problem

Description: Here’s the ultimate flag store. Store and retrieve your flags whenever you want.

(exp70, solved by 244)

Attachment: exp70.zip

Service: 188.166.133.53:12157

Solution

The zip contains C code for the challenge. Looking at it, I immediately see an overflow and an interesting location for the admin flag.

    char username[500];
    int is_admin = 0; // <-- can be overwritten
    char password[500];
    ...
    printf("Enter an username:");
    scanf("%s", username); // scanf will overwrite username and is_admin

The exploit is to simply send a long username and a \x01 byte.

InternetWache 2016 EquationSolver (Exploit 60) Writeup

Problem

Description: I created a program for an unsolveable equation system. My friend somehow forced it to solve the equations. Can you tell me how he did it?

(exp60, solved by 252)

Service: 188.166.133.53:12049

Solution

Interacting with the server, we see the following:

    $ nc 188.166.133.53 12049
    Solve the following equations:
    X > 1337
    X * 7 + 4 = 1337
    Enter the solution X: 190
    You entered: 190
    190 is not bigger than 1337
    WRONG!!!

InternetWache 2016 Ruby's count (Exploit 50) Writeup

Problem

Description: Hi, my name is Ruby. I like converting characters into ascii values and then calculating the sum.

(exp50, solved by 217)

Service: 188.166.133.53:12037

Solution

We have to send characters where the sum adds up to over 1020.

    $ nc 188.166.133.53 12037
    Let me count the ascii values of 10 characters: ffffffffff
    Sum is: 1020
    That's not enough (1020 < 1020) :(

    $ nc 188.166.133.53 12037
    Let me count the ascii values of 10 characters: qqqqqqqqqq
    WRONG!!!!