A full solve's what I'm thinking of

Exciting news! Our chief scientists found a way to do frequency analysis on binary files. Surprinsingly it isn’t just changing the file ending to .mp3 and putting it into Audacity. Have a try for yourself below! Note: The binary /catflag prints the flag Category: misc Solver: linaScience, MarDN, t0b1 Flag: GPNCTF{L00ks_l1k3_y0u_h1t_th3_r1ght_tun3} Writeup In this challenge we have no source code :( and are only presented with the following simple website:...

June 13, 2024 · 5 min · linaScience, MarDN, t0b1

Knitted Flag

I got a bit too excited when I started my newest knitting project and accidentally turned my challenge flag into a knitting pattern. Category: misc Solver: MarDN, linaScience Flag: GPNCTF{Congr4tulati0ns-Y0u-h4v3-Fr0gged-H0urs-Of-My-W0rk-for-Th1s-Fl4g!} Writeup This challenge consists of a description of a knitting project, indicating a pattern of knit and purl stitches. There is also a note that the piece is knitted flat and that odd rows show the right side of the project....

June 8, 2024 · 4 min · MarDN, linascience

You know the GPNCTF{<full_text_without_newlines>} and so do I

https://www.letras.com/rick-astley/2341/ Category: misc Solver: MarDN, linaScience Flag: GPNCTF{We're no strangers to loveYou know the rules and so do IA full commitment's what I'm thinking ofYou wouldn't get this from any other guyI just wanna tell you how I'm feelingGotta make you understandNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youWe've known each other for so longYour heart's been achingBut you're too shy to say itInside we both know what's been going onWe know the game and we're gonna play itAnd if you ask me how I'm feelingDon't tell me you're too blind to seeNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youOoh (give you up)Ooh (give you up)Never gonna give, never gonna give (ooh, give you up)Never gonna give, never gonna give (ooh, give you up)We've known each other for so longYour heart's been achingBut you're too shy to say itInside we both know what's been going onWe know the game and we're gonna play itI just wanna tell you how I'm feelingGotta make you understandNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt you}...

June 8, 2024 · 3 min · MarDN, linascience

No crypto

I swear this isn’t crypto. Pinky promise. And you don’t have to bruteforce anything. Category: misc Solver: linaScience, MarDN, t0b1, Liekedaeler Flag: GPNCTF{TH3_S_1N_S3TU1D_5T4ND5_F0R_S3CUR1TY} Writeup Guessing the date On the server, we have the following files: ctf@sweet-dreams-are-made-of-this--micar-7714:/app$ ls -liash ls -liash total 32K 100824878 0 drwxr-xr-x 1 root root 45 May 29 01:31 . 101555908 0 dr-xr-xr-x 1 root root 28 Jun 8 14:26 .. 100824879 20K -rwsr-xr-x 1 root root 17K May 29 01:31 cli 68506109 4....

June 8, 2024 · 7 min · linaScience, MarDN, t0b1, Liekedaeler

The root of all evil

We want this CTF to be perfect! As we hope you all know this requires us, as good software engineers, to design a specification we can devolop challenges against. So we started meticulously crafting documents for our scope statements and product requirements. Somehow this got a little out of hand (we really don’t know how. We set a timeline and used a strict waterfall model. Theoretically this should have worked out perfectly…) so we need your help to finish the requirements document before it’s to late… Specifically I have a problem with the The root of all evil challenge....

June 7, 2024 · 5 min · Liekedaeler, MarDN, linaScience, tn1088, abc013

A fuller solve's what I'm thinking of

I wanted to build an intro rev challenge but it didn’t work as intended when I deployed it to my Rocky 9 server. Maybe you can work around the issue and leak the flag in /flag Category: misc Solver: rgw, aes Flag: GPNCTF{D1d_y0u_st4rt_4_vm_0r_4_b4r3_m3t4l_r0cky_k3rn3l?} Writeup The setup is similar to “A full solve is what I’m thinking of”. However, there is no /catflag binary. Therefore, we don’t have a binary that we can use as the interpreter for an uploaded ELF binary....

June 3, 2024 · 3 min · rgw, aes

Dreamer

It would be a shame if you could exploit this sleepy binary. Category: pwn, misc Solver: rgw, abc013, Liekedaeler, MarDN Flag: GPNCTF{sh0rt_she11c0de_1s_c00l} Writeup We are given a compiled binary dream and its source code dream.c: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <sys/mman.h> #include <string.h> #define ROTL(X, N) (((X) << (N)) | ((X) >> (8 * sizeof(X) - (N)))) #define ROTR(X, N) (((X) >> (N)) | ((X) << (8 * sizeof(X) - (N)))) unsigned long STATE; unsigned long CURRENT; char custom_random(){ STATE = ROTL(STATE,30) ^ ROTR(STATE,12) ^ ROTL(STATE,42) ^ ROTL(STATE,4) ^ ROTR(STATE,5); return STATE % 256; } void* experience(long origin){ char* ccol= mmap (0,1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); size_t k = 0; while(k<106){ *(ccol+k) = 0x90; //nop just in case; k++; } k=16; *((int*)ccol) = origin; while(k<100){ *(ccol+k)=custom_random(); k++; } return ccol; } void sleepy(void * dream){ int (*d)(void) = (void*)dream; d(); } void win(){ execv("/bin/sh",NULL); } void setup(){ setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); } int main(){ setup(); long seed=0; printf("the win is yours at %p\n", win); scanf("%ld",&seed); STATE = seed; printf("what are you thinking about?...

June 3, 2024 · 4 min · rgw, abc013, Liekedaeler, MarDN

Lost in Parity

Lost in Parity I deleted the flag. python3 xor.py ./f* > xor rm xor.py flag.txt Author: @miko Category: misc Solver: frcroth, mp455 Flag: ENO{R41D1NG_F1L3S_4R3_W3?} The challenge gives us a bunch of files - 255 files and the xor-file. A quick random sample of wc -c suggests that all files including the xor-file have the same size: 26 bytes. The challenge description hints that the xor-file might be the result of applying the xor-operation to the 255 files and the flag....

March 21, 2024 · 2 min · frcroth, mp455

Itchy Route

Itchy Route Get straight to the point and list your options! Category: misc Solver: frcroth, mp455 Flag: ENO{4NY_M0R3_QU35T10N5M4RK5_0C?N?} When connecting to this challenge, nothing greets us and if we are polite and ask “hello”, it responds with: Request contained some illegal characters: “hello” Also, when we take too long, we get different errors, e.g.: Request timeout: firewall getting suspicious. This already tells us that we probably need to use a script to interact here, since we won’t be able to type quickly enough....

March 20, 2024 · 3 min · frcroth, mp455

missingcat

missingcat Where is my cat? 😿 Category: misc Solver: frcroth, mp455 Flag: ENO{0xCAT_BUT_H4PP1_THANK_Y0U!} We were given the following script: import subprocess cmd = input("Give me your command: ") if len(cmd) > 2: print("Command is too long!") try: cmdstring = [cmd, "flag.txt"] print(f"Executed command: {cmdstring}") result = subprocess.check_output(cmdstring, timeout=1) except: result = b"No 😿" print(result.decode()) So we need to find a command that gives us the flag and whose name is only 2 letters long....

March 20, 2024 · 2 min · frcroth, mp455

Timecode

Timecode Times change you, and numbers. Category: misc Solver: frcroth, mp455 Flag: ENO{S0M3_J4V4_1NT3G3R5_4R3_C4CH3D} When we connect to the host, we get a challenge: Registered as user b6ee888b-6f24-4049-b0e2-ee227233973f New Challenge (2024-03-20T19:57:49.535Z) 69 51 97 43 01 65 After trying out some values, sending the same numbers gives a cryptic response: 69 51 97 43 01 65 ‘85’ is not equal to ‘69’ ‘66’ is not equal to ‘51’ ‘79’ is not equal to ‘97’ ‘86’ is not equal to ‘43’ ‘127’ is not equal to ‘01’ ‘95’ is not equal to ‘65’ Challenge failed....

March 20, 2024 · 4 min · frcroth, mp455

Insane Bolt

his insane scientist wants to craft the most powerful android in the world! Help him collect many 🔩 to achieve his goal. Also, he needs many 💎 to make it even more strong and pwoerful than any other android. Good luck adventurer! Category: misc Solver: 3mb0, nh1729 Flag: HTB{w1th_4ll_th353_b0lt5_4nd_g3m5_1ll_cr4ft_th3_b35t_t00ls} Writeup When connecting to the port and ip with netcat, we get a menu: 1. Instructions 2. Play > If we enter 1, we get the rules of the game:...

December 2, 2021 · 6 min · 3mb0, nh1729

Sigma Technology

On a path to avenging his father, Tex Chance manufactured steam-powered robots to capture all the animals of your island to build a powerful army of fused mutated organisms using his powerful Sigma technology. You can’t let them take away your loyal doggo Julius. The robots have been trained to classify all the objects they encounter using the SigmaNet network. Can you use your laser pointer to change some of the robot’s vision pixels forcing it to misclassify your dog’s image as a non-animal object?...

December 2, 2021 · 4 min · 3mb0, nh1729

Tree of danger

As you approach SafetyCorp’s headquarters, you come across an enormous cogwork tree, and as you watch, a mechanical snake slithers out of a valve, inspecting you carefully. Can you build a disguise, and slip past it? Category: misc Solver: 3mb0, lmarschk Flag: HTB{45ts_4r3_pr3tty_c00l!} Writeup For this challenge, we can download the python code (python 3.10 to be able to use the new match-case statement) for a server that offers python remote code execution via eval....

December 2, 2021 · 3 min · 3mb0, lmarschk

mathemoji

Time for an emoji-test! No need to worry.. You have 500 seconds to answer 100 questions. Five seconds for each question is more than enough! You need to score 100/100 in order to win an amazing prize! Good luck! Category: misc Solver: lmarschk Flag: HTB{3m0j1s_R_fUn_4nd_m4k3_m3_c0d3_f4st} Writeup Starting with a telnet connection to the server, we are given a set of questions: Trying 139.59.202.58... Connected to docker.hackthebox.eu. Escape character is '^]'....

March 24, 2021 · 6 min · lmarschk

Arcade

If you are not strong enough to beat the boss, you need to find another way to win the game! Category: Misc Solver: t0b1 Writeup In this challenge we get a binary. As the description says, we need to find another way to win the game!. Running the binary shows that its a little game. At first we can choose between two game modes. Obviously the Izi! mode is not available ;)....

7 min · t0b1

HTBxUni AI

We added a new AI to our server (discord.gg/hackthebox) called “HTB × Uni AI”, in order to help our members with data analysis. However, the bot has now gone rogue and is trying to deactivate the server itself, as it perceives it as a threat. We can’t get in contact with the server administrator and the bot has disabled interactions with it, can you help us deactivate the AI bot and save the server by using the !...

2 min · t0b1

Rigged Lottery

Is everything in life completely random? Are we unable to change our fate? Or maybe we can change the future and even manipulate randomness?! Is luck even a thing? Try your “luck”! Category: Misc Solvers: t0b1, lmarschk Writeup In this challenge we get a binary and can spawn a docker container. Downloading and running the binary yields the following output. 💎 Cosy Casino 💎 Current cosy coins: 69.69 1. Generate lucky number....

4 min · t0b1, lmarschk