GPN CTF 2024

Oh no! Something awfull happened and we let too many cooks cook up this challenge. I hope you can still get something edible out of it… Category: pwn Solver: computerdores, hack_the_kitty Flag: GPNCTF{4aahhh_th3_l33k_t4st3_0f_v1ct0ry!} Writeup The challenge binary presents you with a menu to select from. One can select a main dish and a desert. Welcome to our dining hall! Please select a dish: -[pizza] A nice and fresh pizza -[gulasch] It's GPN, it's night and I'm programming. The only thing missing is a hot plate of gulasch! -[burger] Borgir! -[leek_soup] A deliciously hearty leek soup. Yum! -[desert] Give me my dessert! \o/ Selecting pizza, for example, you’ll be greeted by a nice ASCII art pizza: ...

I have no clue of rust and no clue of crypto, but then with no challenge I stood crying in the rain and rusted. Category: Crypto Solver: SchizophrenicFish2nds, Greenscreen23 Flag: GPNCTF{backp4ck_r4p_crap,_yap-yap,_yack1ty-yack} Writeup Context We are given a file with Rust source code and an output file. To get around my limited Rust knowledge, I asked ChatGPT to translate the challenge source doe into Python [4]. Here we can more easily see that the output consists of a subset sum problem, more precisely it closely resembles a Merkle-Hellman scheme. ...

Exciting news! Our chief scientists found a way to do frequency analysis on binary files. Surprinsingly it isn’t just changing the file ending to .mp3 and putting it into Audacity. Have a try for yourself below! Note: The binary /catflag prints the flag Category: misc Solver: linaScience, MarDN, t0b1 Flag: GPNCTF{L00ks_l1k3_y0u_h1t_th3_r1ght_tun3} Writeup In this challenge we have no source code :( and are only presented with the following simple website: ...

There’s this cool new forward compatible ISA. I created an online emulator so that you can try it out! Category: pwn Solver: t0b1 Flag: GPNCTF{Ar3_y0u_Re4dy_for_th3_re4l_Chal1eng3?_ee9d22353e82} Writeup In this challenge, we are provided with a Dockerfile, an app.py, a forw binary and an instruction_list.csv. It is primarily a warm-up challenge to play with the ForwardCom ecosystem. Overview We first look at the Dockerfile to find out more about the setup of the challenge: ...

You know when they say the preimages of a hashfunction should be hard to compute and than they choose some weak primitive recursive function. I present to you a revolutionary solution that builds upon (quite literally) one of the largest problems of computer science. Try bruteforcing this. Category: Crypto Solver: SchizophrenicFish2nds, Greenscreen23 Flag: GPNCTF{I_H0pe_y0u_d1d_N0T_BrUT3F0RC3_Th15?_D1d_Y0U!!_3s2l1j} Writeup Context In this challenge, we are given the source code to generate “hashes” of the secret flag, and the outputs of several execution of this code. The flag is split into 4 byte chunks, then processed using the chain() and keyedAck() functions. ...

You read the title and thought Blockchain? You were successfully baited. Like the people before you, you now have to solve this challenge. Category: Crypto Solver: SchizophrenicFish2nds Flag: GPNCTF{One_T1me_p4ds_m4y_n3v3r_b3_r3u53d!!!} Writeup We are given a ciphertext that was produced as $ C = P \oplus K $ for some random, repeating 5 byte key $K$. Since we know several letters of the plaintext, we can compute the key as $ K = P \oplus C $ for the first 5 bytes, then perform the encryption operation to get $ C \oplus K = P \oplus K \oplus K = P \oplus 0 = P$ ...

Now you have two problems. Category: pwn Solver: c0mpb4u3r, t0b1 Flag: GPNCTF{On3_d0es_Not_s1mply_Jump_int0_th3_m1ddle_of_4n_instruct1ion!!1} Introduction Imagine you want to allow users to execute their code on your server. There are a few reasonable options, like WebAssembly for instance. However, you could just write a Perl program that reads arbitrary bytes from stdin and tries to execute them directly on the host CPU. So let’s write some Perl… # Assume we have our code in $p # Mark memory as executable. syscall(10, $p, $s, 4); # Execute this memory region. &{DynaLoader::dl_install_xsub("", $p)}; Looks sketchy, doesn’t it? ...

I picked the wrong path at Cyber Security Rumble 2024’s polypwn challenge and failed. Can you do it with more time and a win function? NOTE: Knowledge of polypwn is not required! Credit to @LevitatingLion for the original challenge and part of the code. Category: pwn Solver: nh1729 Flag: GPNCTF{you_re_lucky_that_i_scr4pped_one_arch_11dda4} Writeup Challenge Setup This is the hard version of polyrop-warmup. To summarize: It is a binary exploitation challenge. We get the source of the program to pwn composer.c and a python wrapper composer.py. The program prints a menu to either echo back a line or exit. The program has been compiled for 5 different architectures: s390x, aarch64, arm, riscv64 and x86_64. ...

Maybe using Inspect Element will help you! Small hint: If you’re struggling with reproducing it on remote, you can use socat to proxy the remote instance to localhost:1337 like this: socat TCP-LISTEN:1337,fork OPENSSL:xxx--xxx-1234.ctf.kitctf.de:443 and it should behave exactly like a locally running docker container. Category: web Solver: aes, Liekedaeler, lukasrad02 Flag: GPNCTF{D4NG3R0U5_D3BUGG3R} Writeup In this challenge, all we get is a Dockerfile. Given what the other web challenges looked like, this is quite strange. However, after taking a look at the Dockerfile, it’s quite clear why this is the case. It has one very interesting line, which is this one: google-chrome --remote-debugging-port=13370 --disable-gpu --headless=new --no-sandbox google.com This starts google chrome with a remote debugging port. We’ve seen chrome used in other challenges, but the remote debugging port thing is new. So the challenge has to somehow revolve around it. ...

I heard you like flags, so I launched Chrome with a lot of flags again so you can get your flag! This time the flag is localhost:1337/flag, and the bot will visit your URL! Category: Web Solver: lukasrad02, Liekedaeler Flag: GPNCTF{WHY_D0_50M3_0F_TH353_FL4G5_3V3N_3X15T} Scenario As the name of the challenge suggests, this challenge is a follow-up on So many flags, so it might make sense to read the writeup for that challenge first. As a quick wrap-up: ...

I heard supply-chain security is all the rage now, after a weird XY problem. Not sure what they were up about, but I was probably not asking the correct questions… Undeterred, I went shopping in some poor PhD student’s lab and found this lovely contraption, ending this problem once and for all: As soon as evil code will be executed, your VM will be killed mercilessly. I even built a really cute application for cooking up your cyber recipes to try it out! ...

On your never ending search for flags you stumle into a deep swamp. Suddenly, in front of you, you find a weird little green stanger standing. “I am wondering, why are you here”, the creature asks you. “I am looking flags” you answer. “Looking for flags? Found something else, you have, I would say, hmmm?” “Look, I’m really sorry but I need to get back to solving challenges or I’ll never get my full solve”, you say as you try to push the creature out of your way. “No! No, no! Stay and help you, I will. Find your banner, hmm?”, the creature says and won’t get out of your way. “I’m not looking for a banner, I’m looking for a flag!” you dement. “Oohhh, Flag. Challenge. Solve. You need to solve a challenge”. “Do you have a flag?” “A flag? Perhaps… Hmmm, give you a challenge, I can. Solve it you must” and with that the little creature scurries away and returns after a while with a mysterious little box. ...

Can you get this program to do what you want? Category: pwn Solver: jogius Flag: GPNCTF{G00d_n3w5!_1t_l00ks_l1ke_y0u_r3p41r3d_y0ur_disk...} This challenge provides us with four files: song_rater.c and a corresponding binary song_rater, as well as a run.sh script and the Dockerfile used for the server. Let’s take a look at the Dockerfile first. Dockerfile At first glance, this doesn’t really do anything interesting - the file simply defines two containers, one for compiling song_rater.c and one for serving the binary. Nothing about the package installation and serving really jumps out to me, so let’s take a look at the gcc line for compilation. ...

from longnight import nosleep When I run it I get b"m'7Y\xcaZ\xb4\x06\xbd\x92\xae\xf1B\x15\xd1IP1a\xdcs\xde&\xadWz\xb4\x12\xab\xa5]\x1e\x83\x98\xc6\xa9\x89\t\xa9\tNW\x9c\xe0\n\x9f\x11\x83\xa1\xd1\x03\xad" Category: Reversing Solver: MarDN, Liekedaeler Flag: GPNCTF{wHy_1s_th3re_pyTHon_in_my_c_ahHh1!} Writeup The challenge consists of a simple python script which imports an encoding function enc from a library called script. A dummy flag gets read in and encoded with the enc function and there is a comment which contains the encoded real flag. Additionally, script is given as a shared object compiled with CPython for x86-64 with debug information. ...

I got a bit too excited when I started my newest knitting project and accidentally turned my challenge flag into a knitting pattern. Category: misc Solver: MarDN, linaScience Flag: GPNCTF{Congr4tulati0ns-Y0u-h4v3-Fr0gged-H0urs-Of-My-W0rk-for-Th1s-Fl4g!} Writeup This challenge consists of a description of a knitting project, indicating a pattern of knit and purl stitches. There is also a note that the piece is knitted flat and that odd rows show the right side of the project. ...

https://www.letras.com/rick-astley/2341/ Category: misc Solver: MarDN, linaScience Flag: GPNCTF{We're no strangers to loveYou know the rules and so do IA full commitment's what I'm thinking ofYou wouldn't get this from any other guyI just wanna tell you how I'm feelingGotta make you understandNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youWe've known each other for so longYour heart's been achingBut you're too shy to say itInside we both know what's been going onWe know the game and we're gonna play itAnd if you ask me how I'm feelingDon't tell me you're too blind to seeNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youOoh (give you up)Ooh (give you up)Never gonna give, never gonna give (ooh, give you up)Never gonna give, never gonna give (ooh, give you up)We've known each other for so longYour heart's been achingBut you're too shy to say itInside we both know what's been going onWe know the game and we're gonna play itI just wanna tell you how I'm feelingGotta make you understandNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt you} ...

I swear this isn’t crypto. Pinky promise. And you don’t have to bruteforce anything. Category: misc Solver: linaScience, MarDN, t0b1, Liekedaeler Flag: GPNCTF{TH3_S_1N_S3TU1D_5T4ND5_F0R_S3CUR1TY} Writeup Guessing the date On the server, we have the following files: ctf@sweet-dreams-are-made-of-this--micar-7714:/app$ ls -liash ls -liash total 32K 100824878 0 drwxr-xr-x 1 root root 45 May 29 01:31 . 101555908 0 dr-xr-xr-x 1 root root 28 Jun 8 14:26 .. 100824879 20K -rwsr-xr-x 1 root root 17K May 29 01:31 cli 68506109 4.0K -rw------- 1 root root 1.3K May 28 20:43 cli.c 68506110 4.0K -rw------- 1 root root 98 May 28 20:43 encrypt.sh 100824881 4.0K -rwx------ 1 root root 90 May 29 01:31 flag.enc Oddly enough, we only have read and execute rights for the cli binary as we are the user ctf and not root. So, let’s have a look at the no-crypto.tar.gz that was provided before we take a further look at the server. In the tar, we get a Dockerfile, an encrypt.sh as well as the cli.c for the server. ...

All my friends warned me about xss, so I created this note taking app that only accepts “refined” Notes. Category: Web Solver: lukasrad02, aes Flag: GPNCTF{3nc0d1ng_1s_th3_r00t_0f_4ll_3v1l} Scenario This challenge features a minimalistic note-taking app. We can enter a note into a text box, click a button to save it and it becomes available under an URL with the UUID of the note. ...

These XSS vectors are getting ridiculous! So I made a secure note app. The only NPM dependency is DOMPurify, and I directly store the output of DOMPurify.sanitize and serve that back, so it has to be secure, right? It’s barely 16 LoC! Category: Web Solver: aes, lukasrad02 Flag: GPNCTF{UN1C0D3_15_4_N34T_4TT4CK_V3CT0R} Writeup As the challenge description suggests, the code for this challenge is indeed pretty compact. Thus, we can even take a look at it here in this writeup: ...

We want this CTF to be perfect! As we hope you all know this requires us, as good software engineers, to design a specification we can devolop challenges against. So we started meticulously crafting documents for our scope statements and product requirements. Somehow this got a little out of hand (we really don’t know how. We set a timeline and used a strict waterfall model. Theoretically this should have worked out perfectly…) so we need your help to finish the requirements document before it’s to late… Specifically I have a problem with the The root of all evil challenge. I designed a beautiful solve script sequence diagram to prove this challenge is solvable. Since I didn’t want to type the flag out I just shoved a piece of paper into the disk drive and somehow this mess appeared in my diagram… Tragically, before I could save it, my cat ate the original piece of paper with the flag I need. But I have a feeling this weird assortment of symbols contains some info about the flag. Could you please recover it for me? I desperately need it to check the solutions to the challenge. If it helps: I used PlantUML for my diagram Please help me!!!! ...

I have developed a new, revolutionary cipher that is not constrained to one block cipher. It is safe and secure. If you are not convinced, I will provide a flag to anyone who manages to win the ‘In No Desirable Case Attacks Possible’ (IND-CPA) mode. Category: Crypto Solver: Greenscreen23, SchizophrenicFish2nds Flag: GPNCTF{stop_breaking_it_It_is_even_called_safe} Writeup Context We are presented with an IND-CPA game for an AES cipher with a custom block mode. ...

Somewhere under a big pile of paper I found some notes about this really cool encryption algorithm. I updated it to the digital age in the hope that it is much safer now. Category: Crypto Solver: Greenscreen23 Flag: GPNCTF{itturnsoutthatbitsdonotmakecolumnartransposedifficultenoughatleastifyouencodeitwithasciigjnogoandbreakdoppelwuerfeltheflagendshereenjoyreadingsomemoretextihopeyoulikedthechallenge} Writeup Context We are given a rust file that encrypts the bits of the flag using a transposition cipher with a random key. The flag bits are split into blocks of an unknown key length, which are arranged as rows in a table, without any padding in the last row. The columns of the table are then permuted according to the key and concatinated column by column. This ciphertext is given. ...

Okay honestly I don’t know how I can possibly justify this. Either this is hard or I fucked up spectacular. No this challenges has not been playtested. But a solve script exists. Note from the infra team: No authors were hurt in the making of this CTF. They were insane already… Category: Crypto Solver: Greenscreen23, SchizophrenicFish2nds, 3mb0 Flag: GPNCTF{F1eLd_Th30ry_is_fun!11_05ba} Writeup Disclaimer: We are not mathematicians and many of these terms were new to us. This writeup therefore will include no proof but rather observations we had. We will also try to explain concepts we feel are beneficial to understanding the challenge (and sage code). ...

I found this funny multi-arch music software but I can’t remember my license key. Can you recover it for me? Category: rev Solver: computerdores Flag: GPNCTF{W0nd3rful!_Y0u're_2_cl3ver_f0r_th4t_l1cens3_ch3ck!_W3ll_d0ne_<3} Writeup For this Challenge we got a binary called chal and a Dockerfile. Loading the binary into Ghidra and taking a look at the main function, we can see that it asks for a license key, reads 24 characters of input and passes it to a function. ...

I thought of this really cool collision free hash function and hashed the flag with it. Theoretically you shouldn’t be able to reverse it… Category: rev Solver: computerdores Flag: GPNCTF{W41t,_h0w_d1d_y0u_s0lv3_th1s?_I_th0ught_1t_w45_4_g00d_h45h} Writeup For this Challenge we got a file called hash that contains a hex string and a binary called hasher. Opening the hasher binary in ghidra, we can see that the main method accepts a string as a parameter to the binary and “hashes” it with the following loop: ...