From c317ebf7aadeb209a3b58552bb455be8acb90bf3 Mon Sep 17 00:00:00 2001 From: Jack Crowley <98288502+Jack-Crowley@users.noreply.github.com> Date: Sat, 26 Aug 2023 18:11:15 -0400 Subject: [PATCH 1/8] rev/java-rev-3 (#22) * init * code finish * chall * yaml fix * make easier * yaml tweak --------- Co-authored-by: mud-ali <96320211+mud-ali@users.noreply.github.com> --- java-rev-three/RevThree.java | 34 ++++++++++++++++++++++++++++++++++ java-rev-three/chall.yaml | 12 ++++++++++++ java-rev-three/gen.py | 17 +++++++++++++++++ java-rev-three/solve.md | 19 +++++++++++++++++++ 4 files changed, 82 insertions(+) create mode 100644 java-rev-three/RevThree.java create mode 100644 java-rev-three/chall.yaml create mode 100644 java-rev-three/gen.py create mode 100644 java-rev-three/solve.md
diff --git a/java-rev-three/RevThree.java b/java-rev-three/RevThree.java
new file mode 100644
index 0000000..b2b9272
--- /dev/null
+++ b/java-rev-three/RevThree.java
@@ -0,0 +1,34 @@
+import java.util.Scanner;
+
+public class RevThree {
+ public static void main(String[] args) {
+ System.out.println("Enter the password: ");
+ Scanner scanner = new Scanner(System.in);
+
+ String line = scanner.nextLine();
+
+ if (checkPassword(line)) {
+ System.out.println("That's the right password!");
+ } else {
+ System.out.println("That's the incorrect password!");
+ }
+
+ scanner.close();
+ }
+
+ public static boolean checkPassword(String passwordGuess) {
+ int[] distanceBetweenChars = {-14, -23, -10, 10, 9, 46, -64, -3, 21, 10, 37, 35, 1, 22, -61, -11, 9, 4, -9, 26, -16, 14, -27, 66, -27, 7, 10, 38, 48, 5, 2, -51, 1, 13, -83, -37, 20};
+ String encryptString = "qxwfrKpXJeAChMnLCHbERWO2zc701ZPxURtFi";
+
+ for (int i = 0; i < passwordGuess.length()-1; i++) {
+ int firstChar = passwordGuess.charAt(i);
+ int secondChar = encryptString.charAt(i);
+
+ if (firstChar-secondChar != distanceBetweenChars[i]) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+}
\ No newline at end of file
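Review bot: `checkPassword` returns true for the empty string, for any one-character guess and for any correct prefix, because the loop bound is `passwordGuess.length()-1` and the guess length is never compared with the 37-entry table; the final character is never checked either. A longer guess whose first 37 characters match can run past the end of `encryptString` and throw instead of returning false. Add `if (passwordGuess.length() != distanceBetweenChars.length) return false;` before the loop and run the loop to `i < passwordGuess.length()`.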
diff --git a/java-rev-three/chall.yaml b/java-rev-three/chall.yaml
new file mode 100644
index 0000000..b983298
--- /dev/null
+++ b/java-rev-three/chall.yaml
@@ -0,0 +1,12 @@
+name: Java Rev III
+categories:
+ - rev
+value: 150
+flag: camp{y0U_offic1ALLY_Be4t_jAVa_REV_!!}
+description: |-
+ That's it. Here is a truly unbreakable password checker. But if you want to waste your time go ahead!
+files:
+ - src: RevThree.java
+authors:
+ - Jack Crowley
+visible: true
\ No newline at end of file
diff --git a/java-rev-three/gen.py b/java-rev-three/gen.py
new file mode 100644
index 0000000..d55bfdc
--- /dev/null
+++ b/java-rev-three/gen.py
@@ -0,0 +1,17 @@
+
+flag = "camp{y0U_offic1ALLY_Be4t_jAVa_REV_!!}"
+encryptString = "qxwfrKpXJeAChMnLCHbERWO2zc701ZPxURtFi"
+
+guess = ""
+
+length = len(flag)
+
+nums = []
+
+avgs = []
+
+for i in range(length):
+ num1, num2 = ord(flag[i]), ord(encryptString[i])
+ nums.append(num1-num2)
+
+print(nums)
\ No newline at end of file
diff --git a/java-rev-three/solve.md b/java-rev-three/solve.md
new file mode 100644
index 0000000..21e8d3d
--- /dev/null
+++ b/java-rev-three/solve.md
@@ -0,0 +1,19 @@
+# Java Rev Three
+
+This Java Rev challenge compares the chars of each of the strings against each other, and compares them to the difference located in the `distanceBetweenChars` array.
+
+To solve this problem, you must first delete the `return False;` in the `checkPassword`, which enables the program to keep going even if the first character is wrong.
+
+Then you must put a print statement inside the for loop which prints the correct character of the flag, such as:
+
+```
+System.out.print((char) (secondChar+distanceBetweenChars[i]));
+```
+
+and once running the program, input a random input such as:
+
+```
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+```
+
+producing the correct flag in the terminal.
\ No newline at end of file
From 11f0b535e88ae6b2dc2aac236403962ba967ee90 Mon Sep 17 00:00:00 2001
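Review bot: In gen.py, `guess` and `avgs` are assigned and never read, and nothing says what the printed list is for. Dropping the two dead variables and adding a header comment such as `# prints the distanceBetweenChars table used by RevThree.java` would make the generator's role clear; presumably the output is pasted into the Java source by hand, so the comment should also say to regenerate it whenever `flag` or `encryptString` changes.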
From: Jack Crowley <98288502+Jack-Crowley@users.noreply.github.com> Date: Sun, 27 Aug 2023 11:14:26 -0400 Subject: [PATCH 2/8] crypto/XylOphoneR (#19) * lots of commits --------- Co-authored-by: mud-ali <96320211+mud-ali@users.noreply.github.com> --- XylophOneR/Dockerfile | 24 ++++++++++++++++++++++++ XylophOneR/chall.yaml | 20 ++++++++++++++++++++ XylophOneR/deploy.py | 31 +++++++++++++++++++++++++++++++ XylophOneR/given.py | 34 ++++++++++++++++++++++++++++++++++ XylophOneR/solve.md | 32 ++++++++++++++++++++++++++++++++ 5 files changed, 141 insertions(+) create mode 100644 XylophOneR/Dockerfile create mode 100644 XylophOneR/chall.yaml create mode 100644 XylophOneR/deploy.py create mode 100644 XylophOneR/given.py create mode 100644 XylophOneR/solve.md diff --git a/XylophOneR/Dockerfile b/XylophOneR/Dockerfile new file mode 100644 index 0000000..52a784a --- /dev/null +++ b/XylophOneR/Dockerfile @@ -0,0 +1,24 @@ +FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build + +RUN apt-get update -y && apt-get install -y gcc && apt-get install -y wget && apt-get install -y unzip && rm -rf /var/lib/apt/lists/* + +RUN wget -Oynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \ + && gcc -o ynetd ynetd.c \ + && rm -f /tmp/ynetd.zip + +FROM --platform=linux/amd64 python:3.8-slim-buster + +RUN useradd -m -d /home/ctf -u 12345 ctf +WORKDIR /home/ctf + +COPY deploy.py ./ +COPY --from=build ynetd ynetd +RUN chmod +x ynetd + +RUN chown -R root:root /home/ctf + +USER ctf +EXPOSE 8889 +CMD ["./ynetd", "-p", "8889", "python3 deploy.py"] + + diff --git a/XylophOneR/chall.yaml b/XylophOneR/chall.yaml new file mode 100644 index 0000000..09971f0 --- /dev/null +++ b/XylophOneR/chall.yaml 
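Review bot: The build stage pins the Ubuntu base by digest but then compiles `ynetd.c` fetched from the moving `master` branch with no commit pin or checksum, so whatever that URL serves at build time becomes the process listening on the challenge port. Pin the download to a reviewed commit and verify it, e.g. `wget -O ynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/<COMMIT_SHA>/ynetd.c && echo "<SHA256>  ynetd.c" | sha256sum -c -`, or vendor the file into the repository. The same fetch appears in no-asm-required/Dockerfile and anagrams/Dockerfile later in this series. The runtime image `python:3.8-slim-buster` is tag-only as well, and `rm -f /tmp/ynetd.zip` removes a file this stage never creates.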
@@ -0,0 +1,20 @@
+name: XylophOneR
+categories:
+ - crypto
+value: 150
+flag: camp{Y0u_4Re_4_X0R_Ch4mp1On_!!}
+description: |-
+ I found this weird program that outputs numbers, but I can't make left
+ xor right of it. Can you help me?
+hints:
+ - Look at the name of the challenge
+files:
+ - src: ./given.py
+ dest: XylophOneR.py
+authors:
+ - Jack Crowley
+visible: true
+deploy:
+ nc:
+ build: .
+ expose: 8889/tcp
\ No newline at end of file
diff --git a/XylophOneR/deploy.py b/XylophOneR/deploy.py
new file mode 100644
index 0000000..5e43269
--- /dev/null
+++ b/XylophOneR/deploy.py
@@ -0,0 +1,31 @@
+def hexify(string):
+ out = ""
+
+ for i in string:
+ out+=f"{ord(i):2x}"
+
+ return out
+
+flag = hexify("camp{Y0u_4Re_4_X0R_Ch4mp1On_!!}")
+
+inp = hexify(input("Tell me something: "))
+
+outBits = ""
+
+for index in range(0, len(inp), 2):
+ flagIndex = index%len(flag)
+
+ flagBits = format(int(flag[flagIndex:flagIndex+2], 16), '08b')
+ inputBits = format(int(inp[index:index+2], 16), '08b')
+
+ for bitIndex in range(8):
+ result = int(flagBits[bitIndex]) ^ int(inputBits[bitIndex])
+ outBits += str(result)
+
+out = ""
+
+for i in range(0, len(outBits), 8):
+ value = int(outBits[i:i+8], 2)
+ out+=f"{value:02x}"
+
+print(out)
\ No newline at end of file
diff --git a/XylophOneR/given.py b/XylophOneR/given.py
new file mode 100644
index 0000000..8f2f066
--- /dev/null
+++ b/XylophOneR/given.py
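Review bot: `hexify` in deploy.py formats each character with `:2x`, which pads with a space rather than a zero and emits three or more digits for any code point above 0xff, so one such character in the input shifts every later two-character slice in the XOR loop. Encoding to bytes first keeps the stride fixed: `return string.encode("utf-8").hex()`. given.py carries the same function and should change with it so the handout keeps matching the deployed service. The per-bit string XOR could then be a plain `a ^ b` on the two byte values, though that part is only a readability point.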
@@ -0,0 +1,34 @@
+def hexify(string):
+ out = ""
+
+ for i in string:
+ out+=f"{ord(i):2x}"
+
+ return out
+
+flag = hexify("REDACTED")
+inp = hexify(input("Tell me something: "))
+
+outBits = ""
+
+for index in range(0, len(inp), 2):
+ # if input is longer than flag, wrap around
+ flagIndex = index%len(flag)
+
+ # get bits out of the flag and the input
+ flagBits = format(int(flag[flagIndex:flagIndex+2], 16), '08b')
+ inputBits = format(int(inp[index:index+2], 16), '08b')
+
+ # iterate over each bit in the byte
+ for bitIndex in range(8):
+ result = int(flagBits[bitIndex]) ^ int(inputBits[bitIndex])
+ outBits += str(result)
+
+out = ""
+
+for i in range(0, len(outBits), 8):
+ value = int(outBits[i:i+8], 2)
+ # print(value)
+ out+=f"{value:02x}"
+
+print(out)
\ No newline at end of file
diff --git a/XylophOneR/solve.md b/XylophOneR/solve.md
new file mode 100644
index 0000000..f518c51
--- /dev/null
+++ b/XylophOneR/solve.md
@@ -0,0 +1,32 @@ +# XylophOner Solvepath + +The challenge name alludes to XOR, a type of boolean logic that is true only if one of the values is true, not both. The code provided turns every letter of the flag into hex and then into binary, and the XORs the corresponding digits. + +XOR is commonly used in cryptology with a key, or in this case the `flag`, where every string is XORed against the key. + +Something notable about using XOR with a key is that is predictable. For example, we have a key `key`, and input `in`, and the output of XORing `key` and `in`, `out`. Using XOR of any two of them will produce the other one, for example, `key` and `out` will produce `in`, and most importantly `out` and `in` will produce `key`. + +Using this in the challenge, we have our input `inp` and our key `flag`. If we try using a test input (Something random) like 50 of the same character. + +``` +aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa +``` + +And we will get an output such as + +``` +02000c111a3851143e5533043e553e3951333e2209550c11502e0f3e40401c02000c111a3851143e5533043e553e3951333e +``` + +And using our above logic, we now have a `in` and `out`, and XORing them against each other in `XylOphoneR.py` like this, + +``` +flag = "02000c111a3851143e5533043e553e3951333e2209550c11502e0f3e40401c02000c111a3851143e5533043e553e3951333e" # The output +inp = hexify("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") # the same input as above +``` + +will produce our flag in hex, and using a hex to ascii converter like [RapidTables](https://www.rapidtables.com/convert/number/hex-to-ascii.html), we can get our flag. + +``` +camp{Y0u_4Re_4_X0R_Ch4mp1On_!!} +``` \ No newline at end of file From 71e70a3571c6ce02f36cf580f5069718e17e7d54 Mon Sep 17 00:00:00 2001 
From: awt-256 <68395886+awt-256@users.noreply.github.com> Date: Sun, 27 Aug 2023 14:50:00 -0400 Subject: [PATCH 3/8] rev/simple-asm (#16) * t * deployment fixes and some yaml + sol tweaks --------- Co-authored-by: mud-ali <96320211+mud-ali@users.noreply.github.com> --- no-asm-required/Dockerfile | 29 +++++++++++++++++++++++++++++ no-asm-required/chall.yaml | 23 +++++++++++++++++++++++ no-asm-required/flag.txt | 1 + no-asm-required/main.c | 36 ++++++++++++++++++++++++++++++++++++ no-asm-required/solve.md | 9 +++++++++ 5 files changed, 98 insertions(+) create mode 100644 no-asm-required/Dockerfile create mode 100644 no-asm-required/chall.yaml create mode 100644 no-asm-required/flag.txt create mode 100644 no-asm-required/main.c create mode 100644 no-asm-required/solve.md diff --git a/no-asm-required/Dockerfile b/no-asm-required/Dockerfile new file mode 100644 index 0000000..7bbc332 --- /dev/null +++ b/no-asm-required/Dockerfile @@ -0,0 +1,29 @@ +FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build + +RUN apt-get update -y && apt-get install -y gcc wget unzip && rm -rf /var/lib/apt/lists/* + +RUN wget -O ynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \ + && gcc -o ynetd ynetd.c \ + && rm -f /tmp/ynetd.zip + +COPY main.c . + +RUN gcc -o chall main.c + +FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 + +RUN useradd -m -d /home/ctf -u 12345 ctf +WORKDIR /home/ctf + +COPY --from=build chall chall +COPY --from=build ynetd ynetd + +RUN chmod +x ./ynetd + +COPY flag.txt . + +RUN chown -R root:root /home/ctf + +USER ctf +EXPOSE 9999 +CMD ./ynetd -p 9999 ./chall \ No newline at end of file diff --git a/no-asm-required/chall.yaml b/no-asm-required/chall.yaml new file mode 100644 index 0000000..d4735da --- /dev/null +++ b/no-asm-required/chall.yaml 
@@ -0,0 +1,23 @@ +name: No Assembly Required +categories: + - rev +value: 50 +flag: + file: ./flag.txt +description: >- + That's right! This challenge works right out of the box! + No need to assemble anything, all totally preassembled. +hints: + - If it comes pre-assembled, all you can do is disassemble right? + - Have you heard of Ghidra? +files: + - src: /home/ctf/chall + dest: chall + container: nc +authors: + - Andrew +visible: true +deploy: + nc: + build: . + expose: 9999/tcp diff --git a/no-asm-required/flag.txt b/no-asm-required/flag.txt new file mode 100644 index 0000000..f0a795c --- /dev/null +++ b/no-asm-required/flag.txt @@ -0,0 +1 @@ + camp{FACT:CPUs_arE_pRe_A5SEmbLed_too..._0caec8a70f9a2} \ No newline at end of file diff --git a/no-asm-required/main.c b/no-asm-required/main.c new file mode 100644 index 0000000..3efc0ae --- /dev/null +++ b/no-asm-required/main.c @@ -0,0 +1,36 @@ +#include +#include + +static int NO_ONE_WILL_EVER_FIND_THIS_mwahahahahaha = 0x6FED; + +int main(int argv, char **argc) { + + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + + int lol = 0xf00d; + + puts("Hey."); + sleep(1); + printf("Password? "); + int password = 0; + scanf("%d", &password); + + int actual_password = lol | (NO_ONE_WILL_EVER_FIND_THIS_mwahahahahaha << 16); + + if (actual_password == password) { + system("/bin/sh"); + } else { + puts("Cool"); + sleep(1); + puts("Yeah thats wrong!"); + } + + return 0; +} + +// +// Hello people who solved this +// How does it feel to have shell haha +// \ No newline at end of file diff --git a/no-asm-required/solve.md b/no-asm-required/solve.md new file mode 100644 index 0000000..234947d --- /dev/null +++ b/no-asm-required/solve.md @@ -0,0 +1,9 @@ +Decompile with Ghidra + +Read the source code + +figure out the password + +enter it into the netcat, gaining shell access. + +Run `ls`, followed by `cat flag.txt` to get the flag. \ No newline at end of file 
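Review bot: In no-asm-required/main.c the result of `scanf("%d", &password)` is ignored, so non-numeric input silently compares the initial `0` against the secret; `if (scanf("%d", &password) != 1) { puts("Yeah thats wrong!"); return 0; }` makes the failure path explicit. The parameters are also named backwards (`int argv, char **argc`); `int argc, char **argv` is the conventional order. Both `#include` lines appear without a header name in this rendering, so whether `sleep` and `system` are declared cannot be checked from here.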
From 35606ba9b749d4bd689a44c3c7c1b566f319cbb9 Mon Sep 17 00:00:00 2001 From: mudasir <96320211+mud-ali@users.noreply.github.com> Date: Sun, 27 Aug 2023 15:13:03 -0400 Subject: [PATCH 4/8] anagrams fix (#17) * remove segfault * docker fix * update desc --- anagrams/Dockerfile | 8 ++++---- anagrams/chall.yaml | 6 +++--- anagrams/main.c | 37 ++++++++++++++++++++++++++----------- anagrams/solve.md | 4 ++-- 4 files changed, 35 insertions(+), 20 deletions(-) diff --git a/anagrams/Dockerfile b/anagrams/Dockerfile index ace9b3d..b7f4446 100644 --- a/anagrams/Dockerfile +++ b/anagrams/Dockerfile @@ -1,16 +1,16 @@ FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build -RUN apt-get update -y && apt-get install -y gcc && apt-get install -y wget && apt-get install -y unzip && rm -rf /var/lib/apt/lists/* +RUN apt-get install -y && apt-get update -y && \ + apt-get upgrade -y && apt-get install -y gcc wget unzip && rm -rf /var/lib/apt/lists/* COPY main.c . RUN gcc -o anagrams main.c -RUN wget -Oynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \ +RUN wget -O ynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \ && gcc -o ynetd ynetd.c \ && rm -f /tmp/ynetd.zip - -FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 +FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS deploy RUN useradd -m -d /home/ctf -u 12345 ctf WORKDIR /home/ctf diff --git a/anagrams/chall.yaml b/anagrams/chall.yaml index f077f14..86739ab 100644 --- a/anagrams/chall.yaml +++ b/anagrams/chall.yaml 
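Review bot: The rewritten `RUN` line in anagrams/Dockerfile starts with `apt-get install -y` with no package names, which does nothing, and it runs before `apt-get update`. The added `apt-get upgrade -y` also makes the result depend on the day of the build even though the base image is pinned by digest. A single `RUN apt-get update -y && apt-get install -y --no-install-recommends gcc wget unzip && rm -rf /var/lib/apt/lists/*` keeps the intent and the reproducibility. The hunk ends before the rest of the deploy stage, so its remaining steps are not visible here.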
@@ -5,10 +5,10 @@ value: 100 flag: camp{7o0_m@nY_ch@RacteR5_buf349nrf} description: |- My friend sent this game to me, but he said the code isn't quite finished yet. - He also said to be careful because “The cardinality of one of the buffer constructs is delimited - by a determinate measure." and "not to exceed the moral constructs of the space in this world - thou hath been given". I don't really know what that means, but maybe you'll enjoy the game. + He also said to be careful because of limited memory and stuff, but I know I + can just download more RAM. Can you beat the game? hints: + - What marks the end of a string? - Have you heard of a buffer overflow? files: - src: /home/ctf/anagrams diff --git a/anagrams/main.c b/anagrams/main.c index d495444..8154af6 100644 --- a/anagrams/main.c +++ b/anagrams/main.c @@ -3,17 +3,19 @@ #include #include -#define FLAG_SIZE 37 -#define SPACE 12 +#define FLAG_SIZE 37 // with null terminator +#define SPACE 12 // a little extra space int isAnagramOfSize(char* word, int n) { if (strlen(word) != n) { + printf("Your word is not the right length!\n"); return 0; } else { // check if word is an anagram by looping over it and checking if each character is at the end of the word for (int i = 0; i < n; i++) { if (!(word[i] == word[n - i - 1])) { + printf("%c != %c", word[i], word[n - i - 1]); return 0; } } 
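Review bot: The added mismatch message in `isAnagramOfSize`, `printf("%c != %c", word[i], word[n - i - 1]);`, has no trailing newline, unlike the length message added just above it, so it runs into the next line of output; use `printf("%c != %c\n", word[i], word[n - i - 1]);`. `strlen(word) != n` also compares a `size_t` with an `int`, which a cast or a `size_t` parameter would tidy up. The loop tests whether the word reads the same in both directions, so the existing comment's "anagram" wording is worth correcting to "palindrome" while the function is being touched.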
@@ -23,26 +25,39 @@ int isAnagramOfSize(char* word, int n) { int main(int argv, char **argc) { + // netcat config (don't worry about this) + setvbuf(stdout, NULL, _IONBF, 0); + setvbuf(stdin, NULL, _IONBF, 0); + setvbuf(stderr, NULL, _IONBF, 0); + + printf("Welcome to bofed!\n"); printf("The game is simple: I'll tell you a number, and you have to tell me an anagram of that length.\n"); printf("Let's see how far you can get!\n"); int count = 0; - char* flagCopy; + char flagCopy[FLAG_SIZE+1]; - while (count < 100000) { - srand(time(NULL)); - int n = rand() % 7 + 1; - char word_flag[FLAG_SIZE+12+SPACE]; + while (count < 100000) { + + srand(time(NULL)); //seed the random number generator with the time + int n = rand() % 7 + 1; //random number between 1 and 7 + char word_flag[FLAG_SIZE+SPACE+n+1]; //space for the flag and the anagram + + //reset word_flag to an empty string + for (int i = 0; i < FLAG_SIZE+SPACE+n+1; i++) { + word_flag[i] = 32; + } + // Load the flag into the string word_flag, and also into flagCopy (for ✨redundancy✨) FILE* f = fopen("flag.txt", "r"); fgets(word_flag+n+1+SPACE, FLAG_SIZE, f); + fseek(f, 0, SEEK_SET); + fgets(flagCopy, FLAG_SIZE, f); fclose(f); - strcpy(flagCopy, word_flag+n+1+SPACE); // We already know where the string will end, so we can place a null terminator there - *(word_flag + n+1) = '\0'; - + word_flag[n+SPACE] = '\0'; printf("Give me an anagram of length %d: ", n); //load the input into the string word @@ -55,7 +70,7 @@ int main(int argv, char **argc) { printf("Checking the validity of the anagram... %s\n", word_flag); int correct = isAnagramOfSize(word_flag, n); - + if (correct) { printf("Correct!\n"); count++; diff --git a/anagrams/solve.md b/anagrams/solve.md index 0af1926..7e2dad3 100644 --- a/anagrams/solve.md +++ b/anagrams/solve.md 
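Review bot: The new `fseek(f, 0, SEEK_SET)` and `fgets(flagCopy, FLAG_SIZE, f)` add two more uses of `f` with no check that `fopen("flag.txt", "r")` succeeded, so a missing or unreadable flag file becomes a NULL dereference on every connection; add `if (f == NULL) { perror("flag.txt"); return 1; }` right after the `fopen`. `srand(time(NULL))` inside the loop reseeds on every round, so `n` repeats for all rounds played within the same second; seeding once before the loop is the usual form. The fill loop's literal `32` would read better as `' '`. `main` continues outside this hunk, so whether `flagCopy` is read later cannot be seen here.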
@@ -18,8 +18,8 @@ With the right length string, we can overwrite the `\0` (null terminator) and re Welcome to bofed! The game is simple: I'll tell you a number, and you have to tell me an anagram of that length. Let's see how far you can get! -Give me an anagram of length 3: aaaaaaaaaaaaaaaa -Checking the validity of the anagram... aaaaaaaaaaaaaaaacamp{7o0_m@nY_ch@RacteR5_buf349nrf} +Give me an anagram of length 5: aaaaaaaaaaaaaaaaaa +Checking the validity of the anagram... aaaaaaaaaaaaaaaaaacamp{7o0_m@nY_ch@RacteR5_buf349nrf} Incorrect! You got 0 correct! ``` \ No newline at end of file From 7eb3745efe12827396ea735057fcbd86e34dba94 Mon Sep 17 00:00:00 2001 From: glacialcascade <11969863+glacialcascade@users.noreply.github.com> Date: Sun, 27 Aug 2023 20:33:38 -0400 Subject: [PATCH 5/8] wireshark foren (#32) wireshark foren Co-authored-by: mud-ali <96320211+mud-ali@users.noreply.github.com> --- shark-fin/chall.yaml | 15 +++++++++++++++ shark-fin/shark-fin.pcapng | Bin 0 -> 3464 bytes 2 files changed, 15 insertions(+) create mode 100644 shark-fin/chall.yaml create mode 100644 shark-fin/shark-fin.pcapng diff --git a/shark-fin/chall.yaml b/shark-fin/chall.yaml new file mode 100644 index 0000000..55ff56a --- /dev/null +++ b/shark-fin/chall.yaml @@ -0,0 +1,15 @@ +name: Shark Fin +categories: + - foren +value: 75 +flag: camp{sH4rK_go_nOM_9f2f44f4735528} +description: |- + I bugged another CTF team's network and managed to capture these packets. + Circumstantial evidence suggests they were trying to find a flag online -- can you help? +hints: + - Wireshark is a helpful program to analyze network traffic. +files: + - src: ./shark-fin.pcapng +authors: + - Marvin +visible: true 
diff --git a/shark-fin/shark-fin.pcapng b/shark-fin/shark-fin.pcapng new file mode 100644 index 0000000000000000000000000000000000000000..e35814f4bb3313821696345ad55c0f016651058a GIT binary patch literal 3464 zcmaKv3v5$m6vw~YmeLk##$rZA*zO?e9(}iKw=!U3luq_w?_rq0U3<3`y0-Q)x`9xl zA}>K;>Rgb=j4+39QPd%#i5n88F)EH2m1vguh>8mv;v#s??Y4I9wlDkE?>_eZ{^x(r zxwn%@rIK@mkfQALc@%u!867;5O*9%`18rfQ^n*?x>qsd}rSn`KHl?B{m9`rd8jT^t zVx)6utuj+>$#0=kHrwI;@^Z6YsZHgR1X5^s`UA85K5 zH@dBin@*{=dsuG+)}o#ono>3=%&!x%~&@v^{kC%yrHWKO)7|lftpco;pivs z$|GX3+2K}uwdy(@oEO6#V)&drjTX4f?IDEEeRu$)^Wp7tuf5$p-wtb>`41azZtTC7 z{_9e?SVYW(tgYIXLvn=k+AefbZHqqmdEebAp;Uj$`hwnG!ra#tX^HN7jblGC#9XqqN@ zN!R+{s*0I)&*oge;xA}jyDF>e59!=HjjC@f`6&@vY_P_GzUZ1aELaX}oFPX-?tm{F zh<>1ykY?ebz32(*p}J2Oq9@=@XE2UxJO5-zi+roA0lgsv_l}PDxt0wJ#=MVVtQ{!h z7}iM{GO8`(v55>W-oFPlhd$X@Etox180S64dbjMU{CxR}->bhJG`|>sNZC=i6?9DI z{pG2(KpkA=<&aEa@4M)GDBgiY^d0;!3Cf7*1=tnqAiYaF6aDA3yk0M^-qp3}nf}B~ ze%Z$>pVGJ936j*}ACD^E8SX3H{@(#ngqBF}zt=P4-pACW{?;k34l<+apak>`2jid) zB;$2(4E2P)k7PVC_+8Rieq$L`+qt?wkBo@A?_4}`fIxnSK6^F9fZPsZj>8OCasz9q z_l7DpAC9;g-CL%tCBT^TC|5tgq5AG28RY)QlP{^E-?8Okh}?|V$JW}Ne5#R~(ploHyb4mAr*rs0ZW6=OPZ&^~f??+7Vde zjM24!{ZZ6a_3Z>*EpIF<&`hZd;s+h@8#cU5;_eq(2#JF=j8TnKT;udkdJVOsX4LM$ zjbNbmmX^k}Rj|exQ-|5Imq5GlZ5{fF}=`pJpsJlckvoO$~*RlojIylA|&7jtteHt0} z$|q&OGrjhqaYj2b#@wKFY7JfFYJzVoC9J2Bae@PmW~pQa<6}*9x!)jt0C?KP=X zk=dM(cd4YD^)#^_kmhjtZFLUDgDO@k%5onv(Z)KPvDT>8veqnJrqy6on5)Y$&!7d9 zjs8dH`tW&ye41Y96oDp45M1S@mSF@`p*3-ovsM)0893nD|zB6I}lTc4JlgDv2@56CM zOi$}&U0fW7s5p|qt6qFBN5oN&oG@ces4cj@kk_u!7~mKuMb;6L5Q;`bR$d?}1fGKw zFZX?9T!U+^0zwv&5gy)*zu?>mA-G?3o*8$&Z8@CB8LNF|25P^(0ryR@%sSQCL3L-f zz7-G;9lS3X$A53QBGhktlGhnZZ?uCr%x^TqoW!zYjMyCXSLP6p(3FGwBZunl?7;nj z(;SS;;r&?`Vw4UQXYWZGE)Fqf0B7u-^cP=9YJRZ@D0uzlx%}`Ck;hBBJ+3CZ4H~|- knYM-gq2Un`!Fx+TiWl%l*LT6+31F>&{cy~Hb>u+C|1+nce*gdg literal 0 HcmV?d00001 From 054a952859cd9ab8ab50f7dc057acab3bf5d72a6 Mon Sep 17 00:00:00 2001 
From: ParJai <98178425+ParJai@users.noreply.github.com> Date: Mon, 28 Aug 2023 07:52:59 -0400 Subject: [PATCH 6/8] crypto/space-trek (#26) * Created chall * updated flag format Co-authored-by: mud-ali <96320211+mud-ali@users.noreply.github.com> --- space-trek/chall.yaml | 17 +++++++ space-trek/flag.txt | 1 + space-trek/make.py | 86 ++++++++++++++++++++++++++++++++ space-trek/mission.txt | 35 +++++++++++++ space-trek/mission_logs.txt | 98 +++++++++++++++++++++++++++++++++++++ space-trek/solve.txt | 3 ++ 6 files changed, 240 insertions(+) create mode 100644 space-trek/chall.yaml create mode 100644 space-trek/flag.txt create mode 100644 space-trek/make.py create mode 100644 space-trek/mission.txt create mode 100644 space-trek/mission_logs.txt create mode 100644 space-trek/solve.txt diff --git a/space-trek/chall.yaml b/space-trek/chall.yaml new file mode 100644 index 0000000..bfb6daa --- /dev/null +++ b/space-trek/chall.yaml @@ -0,0 +1,17 @@ +name: Space Trek +categories: + - rev + - crypto +value: 75 +flag: + file: ./flag.txt +description: |- + NASA has been cleaning up their files, and something seems wrong with this transcript of one of their missions. Can you find the flag and report back? +hints: + - Explore the space. + - Believe it or not, there is a programming language that doesn't use text. +files: + - src: ./mission_logs.txt +authors: + - Parth +visible: true diff --git a/space-trek/flag.txt b/space-trek/flag.txt new file mode 100644 index 0000000..cc69fb5 --- /dev/null +++ b/space-trek/flag.txt @@ -0,0 +1 @@ +camp{5h0Ot_f0R_Th3_5t@rs_712894} \ No newline at end of file diff --git a/space-trek/make.py b/space-trek/make.py new file mode 100644 index 0000000..6ea4109 --- /dev/null +++ b/space-trek/make.py 
@@ -0,0 +1,86 @@ +encoded = ''' + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + '''.split('\n') + +final = '''''' + +f = open('mission.txt').readlines() + +i = 0 +j = 0 + +while i < len(f) and j < len(encoded): + final += f[i] + encoded[j] + '\n' + encoded[j+1] + '\n' + i += 1 + j += 2 + +final += 'CMP: 1:50.\n ' + +f = open('mission_logs.txt', 'w') +f.write(final) +f.close() \ No newline at end of file diff --git a/space-trek/mission.txt b/space-trek/mission.txt new file mode 100644 index 0000000..6087ddc --- /dev/null +++ b/space-trek/mission.txt @@ -0,0 +1,35 @@ +LCC: 10, 9, 8, 7, 6, 5 - +LCC: IGNITION, 3, 2, 1 - +LCC: LIFT-OFF! +CDR: And the clock is running. +CMP: Okay. ... lift-off ... +CC: Clear the tower! +CDR: Roger dede [sic]. Clear the tower, and we have a roll program. ... +CC: You have good thrust on all five engines. +CDR: Thanks, Gordo. Roll's complete. and we have a pitch program. +CC: Pitch. +CC: Stand by for Mode I Bravo. +CC: MARK. I Bravo. +CDR: Roger. I Bravo. +CMP: PROPELLANT DUMP, RCS COMMAND, DAVE. +CDR: Okay. +CDR: Okay. Going through the air. (Laughter) +CC: ... 15 ... +CMP: Cabin pressure decreasing. +CDR: Okay. Good. +LMP: Looks good over here. +CMP: High at 20,000. +LMP: Dead air. +CMP: One minute. +LMP: Here ... +CC: ..., Houston. Everything looks perfect down here. +CDR: Okay. Looks smooth up here, Gordo. Okay, the altimeter is six zero. +CMP: Well, how about that? +LMP: Exciting! +CDR: Okay. We're through MAX q. +CMP: Okay. 1:32. Program looks good,Dave. Out at 11 miles. +CDR: Okay. Good shot. Two and 1/2g. +LMP: Roger. +CDR: Pitch profile looks good. +LMP: Roger. +CMP: 1:50. \ No newline at end of file diff --git a/space-trek/mission_logs.txt b/space-trek/mission_logs.txt new file mode 100644 index 0000000..7df9c4b --- /dev/null +++ b/space-trek/mission_logs.txt 
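Review bot: The interleaving loop in make.py reads `encoded[j+1]` while its guard only checks `j < len(encoded)`, so an odd number of encoded lines raises `IndexError` on the last round; guard with `j + 1 < len(encoded)`. `open('mission.txt').readlines()` is never closed and the name `f` is then reused for the output handle; `with open('mission.txt') as src: lines = src.readlines()` plus a second `with` for `mission_logs.txt` keeps the two apart. The whitespace payload inside `encoded` is not recoverable from this rendering, so the line counts could not be checked.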
@@ -0,0 +1,98 @@ +LCC: 10, 9, 8, 7, 6, 5 - + + +LCC: IGNITION, 3, 2, 1 - + + +LCC: LIFT-OFF! + + +CDR: And the clock is running. + + +CMP: Okay. ... lift-off ... + + +CC: Clear the tower! + + +CDR: Roger dede [sic]. Clear the tower, and we have a roll program. ... + + +CC: You have good thrust on all five engines. + + +CDR: Thanks, Gordo. Roll's complete. and we have a pitch program. + + +CC: Pitch. + + +CC: Stand by for Mode I Bravo. + + +CC: MARK. I Bravo. + + +CDR: Roger. I Bravo. + + +CMP: PROPELLANT DUMP, RCS COMMAND, DAVE. + + +CDR: Okay. + + +CDR: Okay. Going through the air. (Laughter) + + +CC: ... 15 ... + + +CMP: Cabin pressure decreasing. + + +CDR: Okay. Good. + + +LMP: Looks good over here. + + +CMP: High at 20,000. + + +LMP: Dead air. + + +CMP: One minute. + + +LMP: Here ... + + +CC: ..., Houston. Everything looks perfect down here. + + +CDR: Okay. Looks smooth up here, Gordo. Okay, the altimeter is six zero. + + +CMP: Well, how about that? + + +LMP: Exciting! + + +CDR: Okay. We're through MAX q. + + +CMP: Okay. 1:32. Program looks good,Dave. Out at 11 miles. + + +CDR: Okay. Good shot. Two and 1/2g. + + +LMP: Roger. + + +CMP: 1:50. + \ No newline at end of file diff --git a/space-trek/solve.txt b/space-trek/solve.txt new file mode 100644 index 0000000..9331b40 --- /dev/null +++ b/space-trek/solve.txt @@ -0,0 +1,3 @@ +1. Extract the whitespace lines between each line of text in the provided file. +2. Combine the whitespace lines into text of ~70 whitespace lines. +3. Run this whitespace text through a "Whitespace" language decompiler. \ No newline at end of file From 23a461a52c12c9ba01cf75d9f4f9a7c737a1337e Mon Sep 17 00:00:00 2001 
From: mudasir <96320211+mud-ali@users.noreply.github.com> Date: Mon, 28 Aug 2023 08:04:54 -0400 Subject: [PATCH 7/8] web/not-connected (#31) * not connected * solvepath!!1 Co-authored-by: mud-ali <96320211+mud-ali@users.noreply.github.com> Co-authored-by: Jack-Crowley Co-authored by: ParJai Co-authored by: glacialcascade <11969863+glacialcascade@users.noreply.github.com> Co-authored by: yusufsallam64 Co-authored by: awt-256 <68395886+awt-256@users.noreply.github.com> Co-authored by: TKDPenguin Co-authored by: jerlee25 --- no-connection/Dockerfile | 4 ++++ no-connection/chall.yaml | 16 ++++++++++++++++ no-connection/index.html | 20 ++++++++++++++++++++ no-connection/main.js | 13 +++++++++++++ no-connection/solve.md | 10 ++++++++++ no-connection/style.css | 39 +++++++++++++++++++++++++++++++++++++++ 6 files changed, 102 insertions(+) create mode 100644 no-connection/Dockerfile create mode 100644 no-connection/chall.yaml create mode 100644 no-connection/index.html create mode 100644 no-connection/main.js create mode 100644 no-connection/solve.md create mode 100644 no-connection/style.css diff --git a/no-connection/Dockerfile b/no-connection/Dockerfile new file mode 100644 index 0000000..03f9259 --- /dev/null +++ b/no-connection/Dockerfile @@ -0,0 +1,4 @@ +FROM nginx:latest AS run + +COPY . /usr/share/nginx/html + diff --git a/no-connection/chall.yaml b/no-connection/chall.yaml new file mode 100644 index 0000000..26bd21b --- /dev/null +++ b/no-connection/chall.yaml @@ -0,0 +1,16 @@ +name: No Connection +categories: + - webex +value: 25 +flag: camp{d0n7_aUth_oN_C!i3n7_51d3_bhiwsdwflowld} +description: |- + My internet sucks, so I decided to move my login page to work offline. +hints: + - No need to contact any servers! Everything happens right at home. +authors: + - Mudasir +visible: true +deploy: + web: + build: . + expose: 80/tcp \ No newline at end of file diff --git a/no-connection/index.html b/no-connection/index.html new file mode 100644 index 0000000..e45caa3 
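Review bot: `COPY . /usr/share/nginx/html` in no-connection/Dockerfile publishes the whole challenge directory, so `chall.yaml` (which holds the flag in clear), `solve.md` and the `Dockerfile` itself would be served as static files next to the page. Copy only the site assets, `COPY index.html main.js style.css /usr/share/nginx/html/`, or add a `.dockerignore` that lists the other three. `FROM nginx:latest` is also unpinned, unlike the digest-pinned bases used by the other challenges in this series.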
--- /dev/null +++ b/no-connection/index.html @@ -0,0 +1,20 @@ + + + + + + Login Page | CTF + + + + +

Login

+ +
+ + + + +
+ + \ No newline at end of file diff --git a/no-connection/main.js b/no-connection/main.js new file mode 100644 index 0000000..edcfa57 --- /dev/null +++ b/no-connection/main.js @@ -0,0 +1,13 @@ +const form = document.getElementById('login_page'); + +form.addEventListener('submit', (e) => { + e.preventDefault(); + const username = document.getElementById('username').value; + const password = document.getElementById('password').value; + + if (username === 'dewoirf239bf3n9ddks' && password === '923nfr8idj91ws1m8dumnfed') { + alert(getFlag()); + } +}); + +function getFlag() {let fr = ['\x82', 'i', 'q', '|', 't', 'q','k', '|', 'i', 'x', '|', 'n','m', 'g', 'd', '8', 'i', '6',':', 'd', '<', 's', '8', 'n','&', 'H', 'd', 'S', 't', 'd','m', 'y', 'Z', 'f', 'd', '<','s', '5', 'i', '\x80', 'u', 'r','f', 'h'];let rf = fr.reverse();let o = rf.map((c) => {return String.fromCharCode(c.charCodeAt(0) - 5);});return o.join('');} \ No newline at end of file diff --git a/no-connection/solve.md b/no-connection/solve.md new file mode 100644 index 0000000..5d3f506 --- /dev/null +++ b/no-connection/solve.md @@ -0,0 +1,10 @@ +open up inspect element + +read JS + +go to console + +run `getFlag()` + + +or you could steal the username and password from the javascript, up to you. \ No newline at end of file diff --git a/no-connection/style.css b/no-connection/style.css new file mode 100644 index 0000000..1eca6d9 --- /dev/null +++ b/no-connection/style.css 
@@ -0,0 +1,39 @@ +@import url('https://fonts.googleapis.com/css2?family=Inter:wght@300&display=swap'); + +body { + background-color: #3f3f3f; + color: white; + font-family: "Inter", sans-serif; + font-weight: 200; + /* padding: 2rem 30vw; */ +} + +h1 { + font-size: 2rem; + font-weight: 300; + margin-bottom: 1rem; + text-align: center; +} + +form { + margin: auto; + display: flex; + flex-direction: column; + justify-content: space-around; + margin: 0 auto; + min-width: max-content; + width: 25%; + align-items: center; + background-color: #3c583a; + height: 35vh; + min-height: max-content; + border-radius: 3rem; + padding: 2rem; +} + +form input { + min-width: max-content; + width: 40%; + padding: 0.25rem; + border-radius: 0.35rem; +} \ No newline at end of file From 2b171ca97d486acb3cdd276cc52e4d104ad360cc Mon Sep 17 00:00:00 2001 From: mudasir <96320211+mud-ali@users.noreply.github.com> Date: Mon, 28 Aug 2023 08:05:42 -0400 Subject: [PATCH 8/8] Revert "web/not-connected (#31)" This reverts commit 23a461a52c12c9ba01cf75d9f4f9a7c737a1337e. --- no-connection/Dockerfile | 4 ---- no-connection/chall.yaml | 16 ---------------- no-connection/index.html | 20 -------------------- no-connection/main.js | 13 ------------- no-connection/solve.md | 10 ---------- no-connection/style.css | 39 --------------------------------------- 6 files changed, 102 deletions(-) delete mode 100644 no-connection/Dockerfile delete mode 100644 no-connection/chall.yaml delete mode 100644 no-connection/index.html delete mode 100644 no-connection/main.js delete mode 100644 no-connection/solve.md delete mode 100644 no-connection/style.css diff --git a/no-connection/Dockerfile b/no-connection/Dockerfile deleted file mode 100644 index 03f9259..0000000 --- a/no-connection/Dockerfile +++ /dev/null @@ -1,4 +0,0 @@ -FROM nginx:latest AS run - -COPY . /usr/share/nginx/html - diff --git a/no-connection/chall.yaml b/no-connection/chall.yaml deleted file mode 100644 index 26bd21b..0000000 
--- a/no-connection/chall.yaml +++ /dev/null @@ -1,16 +0,0 @@ -name: No Connection -categories: - - webex -value: 25 -flag: camp{d0n7_aUth_oN_C!i3n7_51d3_bhiwsdwflowld} -description: |- - My internet sucks, so I decided to move my login page to work offline. -hints: - - No need to contact any servers! Everything happens right at home. -authors: - - Mudasir -visible: true -deploy: - web: - build: . - expose: 80/tcp \ No newline at end of file diff --git a/no-connection/index.html b/no-connection/index.html deleted file mode 100644 index e45caa3..0000000 --- a/no-connection/index.html +++ /dev/null @@ -1,20 +0,0 @@ - - - - - - Login Page | CTF - - - - -

Login

- -
- - - - -
- - \ No newline at end of file diff --git a/no-connection/main.js b/no-connection/main.js deleted file mode 100644 index edcfa57..0000000 --- a/no-connection/main.js +++ /dev/null @@ -1,13 +0,0 @@ -const form = document.getElementById('login_page'); - -form.addEventListener('submit', (e) => { - e.preventDefault(); - const username = document.getElementById('username').value; - const password = document.getElementById('password').value; - - if (username === 'dewoirf239bf3n9ddks' && password === '923nfr8idj91ws1m8dumnfed') { - alert(getFlag()); - } -}); - -function getFlag() {let fr = ['\x82', 'i', 'q', '|', 't', 'q','k', '|', 'i', 'x', '|', 'n','m', 'g', 'd', '8', 'i', '6',':', 'd', '<', 's', '8', 'n','&', 'H', 'd', 'S', 't', 'd','m', 'y', 'Z', 'f', 'd', '<','s', '5', 'i', '\x80', 'u', 'r','f', 'h'];let rf = fr.reverse();let o = rf.map((c) => {return String.fromCharCode(c.charCodeAt(0) - 5);});return o.join('');} \ No newline at end of file diff --git a/no-connection/solve.md b/no-connection/solve.md deleted file mode 100644 index 5d3f506..0000000 --- a/no-connection/solve.md +++ /dev/null @@ -1,10 +0,0 @@ -open up inspect element - -read JS - -go to console - -run `getFlag()` - - -or you could steal the username and password from the javascript, up to you. \ No newline at end of file diff --git a/no-connection/style.css b/no-connection/style.css deleted file mode 100644 index 1eca6d9..0000000 --- a/no-connection/style.css +++ /dev/null 
@@ -1,39 +0,0 @@ -@import url('https://fonts.googleapis.com/css2?family=Inter:wght@300&display=swap'); - -body { - background-color: #3f3f3f; - color: white; - font-family: "Inter", sans-serif; - font-weight: 200; - /* padding: 2rem 30vw; */ -} - -h1 { - font-size: 2rem; - font-weight: 300; - margin-bottom: 1rem; - text-align: center; -} - -form { - margin: auto; - display: flex; - flex-direction: column; - justify-content: space-around; - margin: 0 auto; - min-width: max-content; - width: 25%; - align-items: center; - background-color: #3c583a; - height: 35vh; - min-height: max-content; - border-radius: 3rem; - padding: 2rem; -} - -form input { - min-width: max-content; - width: 40%; - padding: 0.25rem; - border-radius: 0.35rem; -} \ No newline at end of file