Hackfest{2k17_online_Quals_writeUps}
4b4241494f4c5e594251471a67196e1e751958495a531a1d58135a1e73621b757559191319641e58664675731a411f646e1b78196e191d75751a19686775581a7519787a441a75191a1d4875137f0b590b0b7d
It is encrypted using a homemade cryptographic algorithm! He managed also to find which server encrypted the message!
You can access it from: nc challenge.hackfest.tn 3001 Can you decrypt the message for us?
The server reads the user input, encrypts it and returns a hex string. We generated the ciphertext for all the possible characters and then wrote another script to decrypt the message; this makes the process faster than using nc to guess the next hex value!
#!/bin/python
# Crypto 1 (Python 2)
# Plaintext characters, in the same order as the ciphertext table c below.
ch = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}"
# Ciphertext bytes of the challenge, starting at its third byte
# (the leading "4b", "42" of the message are not in this list).
secret=["41","49","4f","4c","5e","59","42","51","47","1a","67","19","6e","1e","75","19","58","49","5a","53","1a","1d","58","13","5a","1e","73","62","1b","75","75","59","19","13","19","64","1e","58","66","46","75","73","1a","41","1f","64","6e","1b","78","19","6e","19","1d","75","75","1a","19","68","67","75","58","1a","75","19","78","7a","44","1a","75","19","1a","1d","48","75","13","7f","0b","59","0b","0b","7d"]
# c[i] is the hex byte returned by the server for ch[i].
c=['0b', '08', '09', '0e', '0f', '0c', '0d', '02', '03', '00', '01', '06', '07', '04', '05', '1a', '1b', '18', '19', '1e', '1f', '1c', '1d', '12', '13', '10', '11', '16', '17', '14', '15', '6a', '6b', '68', '69', '6e', '6f', '6c', '6d', '62', '63', '60', '61', '66', '67', '64', '65', '7a', '7b', '78', '79', '7e', '7f', '7c', '7d', '72', '73', '70', '71', '76', '77', '74', '75', '4a', '4b', '48', '49', '4e', '4f', '4c', '4d', '42', '43', '40', '41', '46', '47', '44', '45', '5a', '5b', '58', '59', '5e', '5f', '5c', '5d', '52', '53', '50', '51', '56', '7d']
flag=""
# Quick check of a single table lookup.
print ch[c.index("49")-1]
# Decode pair by pair; the two bytes of each pair are swapped.
# The bound stops at the last complete pair (range(0,100,2) ran past the list).
for j in range(0, len(secret) - 1, 2):
    flag+=ch[c.index(secret[j+1])]
    flag+=ch[c.index(secret[j])]
# secret has an odd length: its final "7d" is the table's last entry ('}').
# c.index("7d") would return the earlier "7d" entry, so take it directly.
flag+=ch[-1]
print flag
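The table-building approach described above, as an added example that is not part of the original write-up. It is written for Python 3 and replaces the network service with a local `oracle()` whose behaviour is an assumption inferred from the lookup table in the script above (XOR with 0x2a, adjacent bytes swapped, an unpaired final byte left unchanged); `build_table`, `decrypt` and `CANDIDATES` are names introduced here.

```python
# Added example, Python 3. ASSUMPTION: oracle() is a local stand-in for the
# remote service, modelled on the lookup table above (XOR 0x2a, adjacent bytes
# swapped, an unpaired last byte returned unchanged). It is not the server code.
CIPHERTEXT_HEX = (  # ciphertext from the challenge text
    "4b4241494f4c5e594251471a67196e1e"
    "751958495a531a1d58135a1e73621b75"
    "7559191319641e58664675731a411f64"
    "6e1b78196e191d75751a19686775581a"
    "7519787a441a75191a1d4875137f0b59"
    "0b0b7d"
)
CANDIDATES = bytes(range(0x20, 0x7F))  # printable ASCII


def oracle(plaintext: bytes) -> str:
    """Constructed stand-in: encrypts the input and returns a hex string."""
    out = bytearray(b ^ 0x2A for b in plaintext)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    if len(out) % 2:
        out[-1] = plaintext[-1]
    return out.hex()


def build_table(query, candidates: bytes) -> dict:
    """Learn ciphertext byte -> plaintext byte with a single query.

    Each candidate is sent twice in a row, so the pair swap has no visible
    effect and the probe has even length (no unencrypted tail byte).
    """
    probe = bytes(b for c in candidates for b in (c, c))
    reply = bytes.fromhex(query(probe))
    return {reply[2 * i]: c for i, c in enumerate(candidates)}


def decrypt(cipher_hex: str, table: dict) -> str:
    data = bytes.fromhex(cipher_hex)
    plain = bytearray()
    for i in range(0, len(data) - 1, 2):
        plain += bytes([table[data[i + 1]], table[data[i]]])  # undo the swap
    if len(data) % 2:
        plain.append(data[-1])  # unpaired tail byte was never encrypted
    return plain.decode("ascii")


if __name__ == "__main__":
    print(decrypt(CIPHERTEXT_HEX, build_table(oracle, CANDIDATES)))
```

A cipher that maps each byte the same way on every call gives up its whole mapping to one chosen-plaintext query, which is why the table can be built once and reused offline.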
Web, 1 pt
Now we are sure that the vulnerability is in the DB and that the username is "admin". After trying some tricks, we tested a NoSQL injection, and here we go: we got the flag! [This reminds me of the IceCTF task.]
Rev, 1 pt
#!/usr/bin/env python
# -*- coding: rot13 -*-
#import sys
o = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'.qrpbqr("rot13")
vs olgrf == fge:
    vd = ynzoqn f: znc(beq, f)
    od = ynzoqn f: ''.wbva(znc(pue, f))
    ohssre = ynzoqn f: f
qrs r(i):
    by = yra(i)
    i = i.yfgevc(o'\0')
    ay = yra(i)
    c, k = 1, 0
    sbe p va vd(i[::-1]):
        k += c * p
        c = c << 8
    e = ''
    juvyr k > 0:
        k, z = qvizbq(k, 58)
        e += o[z]
    erghea (e + o[0] * (by - ay))[::-1]
cevag 'Flag:',
synt = enj_vachg()
vs r(synt) == "2GYhdiSLoJTRvASGXjIHtatb9Kdr":
    cevag ":)"
ryfr:
    cevag ":("
Decrypt the code with ROT13, and now we can read the script!
#!/hfe/ova/rai clguba
# -*- pbqvat: ebg13 -*-
#vzcbeg flf
b = '123456789NOPQRSTUWXYZACDEFGHIJKLMnopqrstuvwxzabcdefghijklm'.decode("ebg13")
if bytes == str:
    iq = lambda s: map(ord, s)
    bq = lambda s: ''.join(map(chr, s))
    buffer = lambda s: s
def e(v):
    ol = len(v)
    v = v.lstrip(b'\0')
    nl = len(v)
    p, x = 1, 0
    for c in iq(v[::-1]):
        x += p * c
        p = p << 8
    r = ''
    while x > 0:
        x, m = divmod(x, 58)
        r += b[m]
    return (r + b[0] * (ol - nl))[::-1]
print 'Synt:',
flag = raw_input()
if e(flag) == "2TLuqvFYbWGEiNFTKwVUgngo9Xqe":
    print ":)"
else:
    print ":("
example !
After Googling for a while, we found this script to decrypt the message:
# Python 2 script
import sys
val='i'
from hashlib import sha256
# 58 character alphabet used
alphabet = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'.encode("rot13")
if bytes == str: # python2
    iseq = lambda s: map(ord, s)
    bseq = lambda s: ''.join(map(chr, s))
    buffer = lambda s: s
def b58encode(v):
    # Leading NUL bytes are stripped here and re-added as alphabet[0] at the end.
    origlen = len(v)
    v = v.lstrip(b'\0')
    newlen = len(v)
    # Read the bytes as one big-endian integer.
    p, acc = 1, 0
    for c in iseq(v[::-1]):
        acc += p * c
        p = p << 8
    # Emit base-58 digits, least significant first.
    result = ''
    while acc > 0:
        acc, mod = divmod(acc, 58)
        result += alphabet[mod]
    return (result + alphabet[0] * (origlen - newlen))[::-1]
def b58decode(v):
    if not isinstance(v, str):
        v = v.decode('ascii')
    origlen = len(v)
    v = v.lstrip(alphabet[0])
    newlen = len(v)
    # Read the digits as one base-58 integer.
    p, acc = 1, 0
    for c in v[::-1]:
        acc += p * alphabet.index(c)
        p *= 58
    # Split the integer back into bytes, least significant first.
    result = []
    while acc > 0:
        acc, mod = divmod(acc, 256)
        result.append(mod)
    return (bseq(result) + b'\0' * (origlen - newlen))[::-1]
print 'Input:\t',val
print 'encode' ,b58encode(val)
print 'Base58:\t',b58decode("2GYhdiSLoJTRvASGXjIHtatb9Kdr")
The flag is: hackfest{it_was_b58}
PWN, 1 pt
If we can write something using only []()!, then we can read the flag. We used an online tool called JSFuck: http://www.jsfuck.com/
and the flag is !
Web, 10pt
URL encoding of the request. Our request was for /etc/passwd
Let's now read the flag!
hackfest{XML_1s_l1k3_vi0l3nc3_1f_1t_d0e5n_T_s0lv3_y0ur_prOblem_y0U_re_n0t_us1n9_en0uGh_0f_iT}
Misc, 1pt
For 10