faleval

My friend makes ymmuy faleval, but sometimes he mixes up things… but what can you do?

Author: @gehaxelt
Category: Web
Solver: lukasrad02, aes
Flag: ENO{YummY_YummY_Falafel_Expl01tz}

Scenario

Similar to the other web challenges of this CTF, the challenge consists of a single PHP file. When visiting the web site, we can access the PHP source code via a link. Stripping things like the link to the source code, we are left with the following code: ...

April 4, 2024 · 3 min · lukasrad02, aes

cursedPower

AHHH The field is full of mines! Screw it! I am going in!

Authors: @moaath, @Liikt
Category: Reversing
Solver: lukasrad02
Flag: ENO{H0p3fully_Y0ur_M1ND_D1D_G3t_scr3w3D}

Scenario

The challenge only consists of a single PowerShell script. Our goal seems to be to understand what this script does. ...

March 25, 2024 · 6 min · lukasrad02

Lost in Parity

Lost in Parity I deleted the flag. python3 xor.py ./f* > xor rm xor.py flag.txt Author: @miko Category: misc Solver: frcroth, mp455 Flag: ENO{R41D1NG_F1L3S_4R3_W3?} The challenge gives us a bunch of files - 255 files and the xor-file. A quick random sample of wc -c suggests that all files including the xor-file have the same size: 26 bytes. The challenge description hints that the xor-file might be the result of applying the xor-operation to the 255 files and the flag.txt. Due to the associativity of the xor-operation, we can simplify the calculation to files ⊕ flag = xor with files being the xor-result of all files (except the xor-file). Because the inverse element for the xor-operation is the element itself, we can calculate the flag as flag = files ⊕ xor. ...

March 21, 2024 · 2 min · frcroth, mp455

Itchy Route

Get straight to the point and list your options!

Category: misc
Solver: frcroth, mp455
Flag: ENO{4NY_M0R3_QU35T10N5M4RK5_0C?N?}

When connecting to this challenge, nothing greets us and if we are polite and ask “hello”, it responds with:

    Request contained some illegal characters: “hello”

Also, when we take too long, we get different errors, e.g.:

    Request timeout: firewall getting suspicious.

This already tells us that we probably need to use a script to interact here, since we won’t be able to type quickly enough. But we still didn’t know any way to communicate.

Since illegal characters are mentioned, our next idea was to try all characters and see if we get a different answer than illegal characters. We used a small script with pwntools and got some different answers for “0”, “c”, “n”, “.”, “?”, “C”, “N”, “/”. Then we tried these chars: ...

March 20, 2024 · 3 min · frcroth, mp455

missingcat

Where is my cat? 😿

Category: misc
Solver: frcroth, mp455
Flag: ENO{0xCAT_BUT_H4PP1_THANK_Y0U!}

We were given the following script:

    import subprocess

    cmd = input("Give me your command: ")

    if len(cmd) > 2:
        print("Command is too long!")

    try:
        cmdstring = [cmd, "flag.txt"]
        print(f"Executed command: {cmdstring}")
        result = subprocess.check_output(cmdstring, timeout=1)
    except:
        result = b"No 😿"

    print(result.decode())

So we need to find a command that gives us the flag and whose name is only 2 letters long. Now one could think about this for a while, or write a script that automatically checks all 2 letter commands. ...

March 20, 2024 · 2 min · frcroth, mp455

Timecode

Times change you, and numbers.

Category: misc
Solver: frcroth, mp455
Flag: ENO{S0M3_J4V4_1NT3G3R5_4R3_C4CH3D}

When we connect to the host, we get a challenge:

    Registered as user b6ee888b-6f24-4049-b0e2-ee227233973f
    New Challenge (2024-03-20T19:57:49.535Z)
    69 51 97 43 01 65

After trying out some values, sending the same numbers gives a cryptic response:

    69 51 97 43 01 65
    ‘85’ is not equal to ‘69’
    ‘66’ is not equal to ‘51’
    ‘79’ is not equal to ‘97’
    ‘86’ is not equal to ‘43’
    ‘127’ is not equal to ‘01’
    ‘95’ is not equal to ‘65’
    Challenge failed. Connection closed.

...

March 20, 2024 · 4 min · frcroth, mp455