CSCTF 2024: Notes
Table of Contents
These are less writeups, more informal notes for myself to remind myself how I solved certain things in CTFs. For this one, it’s CSCTF’24. Formal writeups for official events can be found under Liminova’s blog instead. We ended up not placing very high, but certainly going through these in 6 hours is something :D
beginner/encryptor
Categories: rev, mobile
My friend sent me this app with an encoded flag, but he forgot to implement the decryption algorithm! Can you help me out?
Challenge file: encryptor.apk
- Decompile the code. It’s Blowfish. The key is
encryptorencryptor
, encoded in Base64. flag.txt
is in the assets.- Plug it in this code:
;
;
;
;
beginner/key
Categories: rev
GDB is cool! Ghidra or IDA is helpful
Challenge file: key
- Decompile the code using Ghidra.
- This block of code is the correct values that are used to check the input:
local_b8= 0x43;
local_b8= 0xa4;
local_b8= 0x41;
local_b8= 0xae;
local_a8 = 0x42;
local_a4 = 0xfc;
local_a0 = 0x73;
local_9c = 0xb0;
local_98 = 0x6f;
local_94 = 0x72;
local_90 = 0x5e;
local_8c = 0xa8;
local_88 = 0x65;
local_84 = 0xf2;
local_80 = 0x51;
local_7c = 0xce;
local_78 = 0x20;
local_74 = 0xbc;
local_70 = 0x60;
local_6c = 0xa4;
local_68 = 0x6d;
local_64 = 0x46;
local_60 = 0x21;
local_5c = 0x40;
local_58 = 0x20;
local_54 = 0x5a;
local_50 = 0x2c;
local_4c = 0x52;
local_48 = 0x2d;
local_44 = 0x5e;
local_40 = 0x2d;
local_3c = 0xc4;
- Input needs to be 32 characters long, with each character matching this transformation step:
aiStack_138= * ;
- Solver:
=
=
= //
=
=
beginner/Modulus RSA
Categories: crypto
Modulus tells you everything
Challenge file: chall.py
- Method derived by pure magic by NamSPro.
- Solver:
= 115017953136750842312826274882950615840
= 16700949197226085826583888467555942943
= 20681722155136911131278141581010571320
= + -
=
=
= +
= + +
= * *
= 2246028367836066762231325616808997113924108877001369440213213182152044731534905739635043920048066680458409222434813
= 18856566978629040151892287870666377555281871836968411186744228839975255760844186581692559347083345007851203866545
beginner/Baby Pybash
Categories: jail
I made a very secure bash terminal in Python. I don’t think anyone can break in!
Challenge files: handout_baby_pybash.zip
- The environment is executed in context of
run.sh
, which has the shebang#!/bin/bash
$0
expands to the first argument in bash - in this case/bin/bash
.- Inputting
$0
into the thing bypasses the regex, expanding into/bin/bash
. Now you’re in. cat flag.txt
, gg ez.
beginner/cipher block clock
Categories: crypto
Liquid IV is a lifesaver the next morning.
Challenge files: chall.py, out.txt
- The encryption is wrongly used:
AES.new(iv, AES.MODE_CBC, k)
- the IV is passed as the key, and the key is used as the IV instead; this means the key is returned inout.txt
. - IV only affects the first
len(iv) // 2
bytes, and XOR is a symmetrical operation.
forensics/Geometry Dash 2.1
I would give you the flag but I can’t let go (haha get it). use GDBrowser for the last step btw.
Note: You do NOT need Geometry Dash purchased to solve this challenge.
Challenge file: CCLocalLevels.dat
- Use Geometry Dash Save Explorer to open the file.
- Inspect the level text. There’s a lot of Base64-encoded text. extract each of them.
- This gives you a level ID, plug it into GDBrowser and check the comments.
crypto/flagprinter
Instead of a challenge, here’s a solution. Hope you have plenty of RAM!
Challenge files: chall.py, out.py.
- Method derived by magic by NamSPro (again), citing https://oeis.org/A053735.
- Solver:
return
=
//= 3
return
=
= 0
+=
return
=
+=