InternetWache 2016 Bank (Crypto 90) Writeup

Problem Description: Everyone knows that banks are insecure. This one is super secure and only allows 20 transactions per session. I always wanted a million on my account. (crypto90, solved by 104)

Attachment: crypto90.zip
Service: 188.166.133.53:10061

Solution

The challenge file contains a Python script that is also running on the challenge server. Running it shows us an interface to do transactions. We can put money into our account by creating a transaction and then signing it using a signature that we get from the server.

InternetWache 2016 A numbers game II (Crypto 70) Writeup

Problem Description: There was this student hash design contest. All submissions were crap, but had promised to use the winning algorithm for our important school safe. We hashed our password and got ‘00006800007d’. Brute force isn’t effective anymore and the hash algorithm had to be collision-resistant, so we’re good to go, aren’t we? (crypto70, solved by 86)

Attachment: crypto70.zip
Service: 188.166.133.53:10009

Solution

Connecting to the service we are faced with a bruteforce blocker / challenge.

InternetWache 2016 Oh Bob! (Crypto 60) Writeup

Problem Description: Alice wants to send Bob a confidential message. They both remember the crypto lecture about RSA. So Bob uses openssl to create key pairs. Finally, Alice encrypts the message with Bob’s public keys and sends it to Bob. Clever Eve was able to intercept it. Can you help Eve to decrypt the message? (crypto60, solved by 167)

Attachment: crypto60.zip

Solution

The challenge zip file contains 3 public keys and a file with three encrypted strings.

SharifCTF 2016 Hack By The Sound (Misc 200) Writeup

Problem

A well known blogger has come to a hotel that we had good relationships with its staffs. We tried to capture the sound of his room by placing a microphone inside the desk. We have recorded the sound about the time that he has typed a text in his blog. You could find the text he typed in “Blog Text.txt”. We reduce noises somehow and found that many characters may have the same keysound.

SharifCTF 2016 Sec-Coding 2 (Misc 300) Writeup

Problem

You should fix vulnerabilities of the given source code, WITHOUT changing its normal behaviour.

Link
Points: 300
Solved by 83 team(s)

Solution

Just like the previous Sec-Coding 1, we get a link to a web UI where we should upload patched C++ code. We are provided with Windows C++ code that prints a repeated message based on the input. The original code was pretty bad so I simply rewrote it completely and this solved all the security issues.

SharifCTF 2016 Login to System (PWN 200) Writeup

Problem

Can you login to this system without username and password?

telnet ctf.sharif.edu 27515

Run and capture the flag!

Download
Points: 200
Solved by 106 team(s)

Solution

We are provided with an x86-64 Linux executable:

    Question: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=76aad63504451c70d8aa4e72299d2821fcf1b9f1, stripped

It is a server that starts a new handler thread for each incoming TCP connection on port 27515.

SharifCTF 2016 Serial (RE 150) Writeup

Problem

Run and capture the flag!

Points: 150
Solved by 110 team(s)

Solution

We are provided with an x86-64 Linux executable:

    rgg: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.26, BuildID[sha1]=77e92e8b1bd4f26641bab4dbf563037a7b9538d2, not stripped

The binary isn’t very big but looks funny in various decompilers and disassemblers. The code does a lot of unaligned jumps and fills the section in between with junk, so disassemblers get really confused.

SharifCTF 2016 SRM (RE 50) Writeup

Problem

The flag is: The valid serial number

Points: 50
Solved by 176 team(s)

Solution

We are provided with a PE32 Windows executable:

    RM.exe: PE32 executable (GUI) Intel 80386, for MS Windows

The binary has a lot of code, so I started to look for how it interacts with the user. sub_401280() calls message box APIs so it looks interesting. It turns out that this is where all the magic happens.

SharifCTF 2016 dMd (RE 50) Writeup

Problem

Attachment: A data blob

Flag is: The valid input

Points: 50
Solved by 243 team(s)

Solution

We are provided with an x86-64 Linux binary:

    dMd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=2643fecd383362fe9593ef8605a9ce882a85a38a, not stripped

After looking at the disassembly, we find a series of hard coded checks. It’s simply checking the md5 sum of the input for a hard coded value.

SharifCTF 2016 Blocks (Forensics 400) Writeup

Problem

I recovered as much data as I could. Can you recover the flag?

Attachment: A data blob

Solution

To start with, file tells us nothing about the file, so we pop it into a hex editor and we can see familiar things:

    ...snip...
    0000230: 8114 0407 1715 1501 820b 7461 626c 6564  ..........tabled
    0000240: 6174 6164 6174 6105 4352 4541 5445 2054  atadata.CREATE T
    0000250: 4142 4c45 2022 6461 7461 2220 280a 0960  ABLE "data" (..`
    0000260: 4944 6009 494e 5445 4745 5220 4e4f 5420  ID`.INTEGER NOT 
    0000270: 4e55 4c4c 2050 5249 4d41 5259 204b 4559  NULL PRIMARY KEY
    0000280: 2041 5554 4f49 4e43 5245 4d45 4e54 2055   AUTOINCREMENT U
    0000290: 4e49 5155 452c 0a09 6044 6174 6160 0942  NIQUE,..`Data`.B
    ...snip...