Too Many Cooks

Oh no! Something awful happened and we let too many cooks cook up this challenge. I hope you can still get something edible out of it… Category: pwn Solver: computerdores, hack_the_kitty Flag: GPNCTF{4aahhh_th3_l33k_t4st3_0f_v1ct0ry!} Writeup The challenge binary presents you with a menu to select from. One can select a main dish and a dessert. Welcome to our dining hall! Please select a dish: -[pizza] A nice and fresh pizza -[gulasch] It's GPN, it's night and I'm programming. The only thing missing is a hot plate of gulasch! -[burger] Borgir! -[leek_soup] A deliciously hearty leek soup. Yum! -[desert] Give me my dessert! \o/ Selecting pizza, for example, you’ll be greeted by a nice ASCII art pizza: ...

June 15, 2024 · 8 min · computerdores, hack_the_kitty

Out of the ordinary

On your never-ending search for flags you stumble into a deep swamp. Suddenly, in front of you, you find a weird little green stranger standing. “I am wondering, why are you here”, the creature asks you. “I am looking for flags” you answer. “Looking for flags? Found something else, you have, I would say, hmmm?” “Look, I’m really sorry but I need to get back to solving challenges or I’ll never get my full solve”, you say as you try to push the creature out of your way. “No! No, no! Stay and help you, I will. Find your banner, hmm?”, the creature says and won’t get out of your way. “I’m not looking for a banner, I’m looking for a flag!” you dement. “Oohhh, Flag. Challenge. Solve. You need to solve a challenge”. “Do you have a flag?” “A flag? Perhaps… Hmmm, give you a challenge, I can. Solve it you must” and with that the little creature scurries away and returns after a while with a mysterious little box. ...

June 9, 2024 · 5 min · jogius, lukasrad02

Electric

from longnight import nosleep When I run it I get b"m'7Y\xcaZ\xb4\x06\xbd\x92\xae\xf1B\x15\xd1IP1a\xdcs\xde&\xadWz\xb4\x12\xab\xa5]\x1e\x83\x98\xc6\xa9\x89\t\xa9\tNW\x9c\xe0\n\x9f\x11\x83\xa1\xd1\x03\xad" Category: Reversing Solver: MarDN, Liekedaeler Flag: GPNCTF{wHy_1s_th3re_pyTHon_in_my_c_ahHh1!} Writeup The challenge consists of a simple python script which imports an encoding function enc from a library called script. A dummy flag gets read in and encoded with the enc function and there is a comment which contains the encoded real flag. Additionally, script is given as a shared object compiled with CPython for x86-64 with debug information. ...

June 9, 2024 · 4 min · MarDN, Liekedaeler

Archventure time

I found this funny multi-arch music software but I can’t remember my license key. Can you recover it for me? Category: rev Solver: computerdores Flag: GPNCTF{W0nd3rful!_Y0u're_2_cl3ver_f0r_th4t_l1cens3_ch3ck!_W3ll_d0ne_<3} Writeup For this Challenge we got a binary called chal and a Dockerfile. Loading the binary into Ghidra and taking a look at the main function, we can see that it asks for a license key, reads 24 characters of input and passes it to a function. ...

June 5, 2024 · 5 min · computerdores

Never gonna run around and reverse you

I thought of this really cool collision free hash function and hashed the flag with it. Theoretically you shouldn’t be able to reverse it… Category: rev Solver: computerdores Flag: GPNCTF{W41t,_h0w_d1d_y0u_s0lv3_th1s?_I_th0ught_1t_w45_4_g00d_h45h} Writeup For this challenge we got a file called hash that contains a hex string and a binary called hasher. Opening the hasher binary in Ghidra, we can see that the main method accepts a string as a parameter to the binary and “hashes” it with the following loop: ...

June 5, 2024 · 1 min · computerdores

XZ safe

Category: rev Solver: rgw, 3mb0, Greenscreen23, SchizophrenicFish2nds Flag: GPNCTF{B4CKD00R3D_4G41N_d2d4ebde} Writeup This challenge is about a modified version of the XZ backdoor. There is a remote server with its SSH port exposed. We get a modified version of xz version 5.6.0. We first check which files are different between the original xz and the modified version: $ diff -r xz-old/xz-5.6.0/ xz-safe/xz-5.6.0/ Binary files xz-old/xz-5.6.0/tests/files/good-large_compressed.lzma and xz-safe/xz-5.6.0/tests/files/good-large_compressed.lzma differ We follow the writeup at [1] to reverse engineer the backdoor. ...

June 3, 2024 · 4 min · rgw, 3mb0, Greenscreen23, SchizophrenicFish2nds

cursedPower

AHHH The field is full of mines! Screw it! I am going in! Authors: @moaath, @Liikt Category: Reversing Solver: lukasrad02 Flag: ENO{H0p3fully_Y0ur_M1ND_D1D_G3t_scr3w3D} Scenario The challenge only consists of a single PowerShell script. Our goal seems to be to understand what this script does. ...

March 25, 2024 · 6 min · lukasrad02

The Vault

After following a series of tips, you have arrived at your destination; a giant vault door. Water drips and steam hisses from the locking mechanism, as you examine the small display - “PLEASE SUPPLY PASSWORD”. Below, a typewriter for you to input. You must study the mechanism hard - you might only have one shot… Category: Reversing Solver: s3rpentL0ver Flag: HTB{vt4bl3s_4r3_c00l_huh} Writeup The challenge is downloaded via a zip file. After unpacking it, we get a single executable file named “vault”. The first thing we do when we download a potentially malicious executable is, of course, to execute it. The output looks like this: ...

December 2, 2021 · 5 min · s3rpentL0ver

Upgrades

We received this strange advertisement via pneumatic tube, and it claims to be able to do amazing things! But we suspect there’s something strange in it, can you uncover the truth? Category: reversing Solver: rgw, 3mb0 Flag: HTB{33zy_VBA_M4CR0_3nC0d1NG} Writeup For this challenge, we can download a zip file. When unpacking it, we see a single file Upgrades.pptm. When opening the presentation in LibreOffice, we immediately find that it contains macros: ...

December 2, 2021 · 3 min · rgw, 3mb0

Confirmation of Identity

I wrote this advanced program to only work on my computer but I think I might have made a mistake somewhere, as I can’t even confirm my own identity. Category: reversing Solver: t0b1 Flag: HTB{Id3nt1ty_c0nf1rmat1on} Writeup In this challenge we get a Windows executable. We open it up in Ghidra to see what it does. The main function is printing Starting to confirm identity... and then calls the RegOpenKeyExA function with Control Panel\Desktop as the argument. ...

March 24, 2021 · 4 min · t0b1

Patch of the Ninja

A brave warrior stands in front of the harshest enemy, an untouchable evil spirit who possesses his allies. Will they be able to overcome this enemy? Category: reversing Solver: 3mb0, HTTP418, mp455 Flag: HTB{Retr0_Kunai} Writeup We found ourselves here in a reversing challenge. So - as we were used to - we prepare for a static binary analysis. Open Ghidra and install the GhidraBoy [1] to inspect the Game Boy ROM. ...

March 24, 2021 · 2 min · 3mb0, HTTP418, mp455

Synchronous Keypad

During your usual crop field stroll you were abducted by aliens. Luckily you were able to escape their grip and flee to an escape pod, but alas starting it requires a key code. Figure out how this strange mechanism works and return to earth. Category: reversing Solver: t0b1 Flag: HTB{_3st3r31K3yP4d_} Writeup In this challenge we get a binary. We start by analyzing it in Ghidra and find the following main function (we already renamed the functions to be more readable). ...

March 24, 2021 · 4 min · t0b1

Coffee Invocation

Our new conspiracy theorist intern has blocked everyone from the coffee machine because he saw that aliens were trying to steal the “out of the world” secret recipe. Your mission is to unveil the secrets that lie behind his profound madness and teach him a javaluable lesson. Category: Reversing Solvers: t0b1, lmarschk TL;DR This challenge was very nice but also a hell of a ride. The main thing being done here is to use the Java Native Interface (JNI) to run a JVM from native C++ code. Then the behaviour of functions like Character.valueOf or System.exit is altered to obfuscate what is being done. In the end it uses several mappings to encode the flag in the binary. ...

March 1, 2021 · 13 min · t0b1, lmarschk

ircware

During a routine check on our servers we found this suspicious binary, but when analyzing it we couldn’t get it to do anything. We assume it’s dead malware but maybe something interesting can still be extracted from it? HTB{m1N1m411st1C_fL4g_pR0v1d3r_b0T} Category: Reversing Solver: Pandoron Writeup We start by trying to execute this binary on a Linux system, since this is an ELF64 binary, which immediately returns with an exception: “EXCEPTION! ABORT”: pandoron@kali:~/Desktop/CTF$ ./ircware.file EXCEPTION! ABORT So let us just dive into the static analysis of this challenge and find where the error message is referenced. I used the program “binary ninja” to disassemble and also partially decompile it. All symbols were stripped from the binary, so all symbols you will see here are manually annotated by me using binary ninja. ...

March 1, 2021 · 5 min · Pandoron

my name is

I’ve been once told that my name is difficult to pronounce and since then I’m using it as a password for everything. Category: Reversing Solver: t0b1 Writeup We get a binary called my_name_is. Running the file command tells us that it is a 32-bit, dynamically linked executable. It also shows that the binary is not stripped, which is useful when decompiling it. $ file my_name_is my_name_is: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c8d536794885d0c91e2270d7c6b9a9f14dda9739, not stripped Running the binary itself gives us the following output. ...

March 1, 2021 · 3 min · t0b1

Patch of the Ninja

A brave warrior stands in front of the harshest enemy, an untouchable evil spirit who possesses his allies. Will he be able to overcome this enemy? Category: Reverse Solver: t0b1, lmarschk For this challenge, the Game Boy ROM was supplied. Walkthrough Download the binary Find out it is a Game Boy ROM apt install visualboyadvance VisualBoyAdvance Patchofthe_Ninja.gb GameBoy game runs, there is a Dojo that can’t be entered It says: I need to patch the evil spirits away Let's use GhidraBoy for Ghidra and sameboy to debug and patch the binary. Find out that all prior steps were not needed, just use the simple, old stuff: Use strings Patchofthe_Ninja.gb | grep HTB to get the flag HTB{C00l_Shurik3n} lmm@lmm-think-05:~/Documents/htb/ctf_2020$ strings -n 10 Patch_of_the_Ninja.gb 3>PATCHOFTHENINJA #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#2^#V!b0 9^#V#~#foDM! 9V+^+~+ngDM 9V+^+~+ngDM 9V+^+~+ngDM 9V+^+~+ngDM V+^+F+N+:ng #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#"^#V! #2*#2*#"^#V! ~++2^#V!b> You have retrieved Congratulations! This is not the Flag you're looking for. Where am i? What For a second I felt really weird, what happened? My head hurts a lot, what was Ninjas don't run away from a challenge... The water seems very calm. Hey you shouldn't be in here! This is the "Hack the box" server room. Staff only! He's stuck in some trance-like I need to patch the evil spirits HTB{C00l_Shurik3n} ` ` ` p h ` ` ` ` d j ` ` ` p ` ()*+,-./0123456( 789:;<=>?@ABCDE7 **much more content** ...

March 1, 2021 · 2 min · lmarschk, t0b1