undo del

XylophOneR/Dockerfile

@@ -0,0 +1,24 @@
+FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build
+
+RUN apt-get update -y && apt-get install -y gcc && apt-get install -y wget && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
+
+RUN wget -Oynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \
+  && gcc -o ynetd ynetd.c \
+  && rm -f /tmp/ynetd.zip
+
+FROM --platform=linux/amd64 python:3.8-slim-buster
+
+RUN useradd -m -d /home/ctf -u 12345 ctf
+WORKDIR /home/ctf
+
+COPY deploy.py ./
+COPY --from=build ynetd ynetd
+RUN chmod +x ynetd
+
+RUN chown -R root:root /home/ctf
+
+USER ctf
+EXPOSE 8889
+CMD ["./ynetd", "-p", "8889", "python3 deploy.py"]
+
+

XylophOneR/chall.yaml

@@ -0,0 +1,20 @@
+name: XylophOneR
+categories:
+  - crypto
+value: 150
+flag: camp{Y0u_4Re_4_X0R_Ch4mp1On_!!}
+description: |-
+  I found this weird program that outputs numbers, but I can't make left
+  xor right of it. Can you help me?
+hints:
+  - Look at the name of the challenge
+files:
+  - src: ./given.py
+    dest: XylophOneR.py 
+authors:
+  - Jack Crowley
+visible: true
+deploy:
+  nc:
+    build: .
+    expose: 8889/tcp

XylophOneR/deploy.py

@@ -0,0 +1,31 @@
+def hexify(string):
+    out = ""
+
+    for i in string:
+        out+=f"{ord(i):2x}"
+
+    return out
+
+flag = hexify("camp{Y0u_4Re_4_X0R_Ch4mp1On_!!}")
+
+inp = hexify(input("Tell me something: "))
+
+outBits = ""
+
+for index in range(0, len(inp), 2):
+    flagIndex = index%len(flag)
+
+    flagBits = format(int(flag[flagIndex:flagIndex+2], 16), '08b')
+    inputBits = format(int(inp[index:index+2], 16), '08b')
+
+    for bitIndex in range(8):
+        result = int(flagBits[bitIndex]) ^ int(inputBits[bitIndex])
+        outBits += str(result)
+
+out = ""
+
+for i in range(0, len(outBits), 8):
+    value = int(outBits[i:i+8], 2)
+    out+=f"{value:02x}"
+
+print(out)

XylophOneR/given.py

@@ -0,0 +1,34 @@
+def hexify(string):
+    out = ""
+
+    for i in string:
+        out+=f"{ord(i):2x}"
+
+    return out
+
+flag = hexify("REDACTED")
+inp = hexify(input("Tell me something: "))
+
+outBits = ""
+
+for index in range(0, len(inp), 2):
+    # if input is longer than flag, wrap around
+    flagIndex = index%len(flag)
+
+    # get bits out of the flag and the input
+    flagBits = format(int(flag[flagIndex:flagIndex+2], 16), '08b')
+    inputBits = format(int(inp[index:index+2], 16), '08b')
+
+    # iterate over each bit in the byte
+    for bitIndex in range(8):
+        result = int(flagBits[bitIndex]) ^ int(inputBits[bitIndex])
+        outBits += str(result)
+
+out = ""
+
+for i in range(0, len(outBits), 8):
+    value = int(outBits[i:i+8], 2)
+    # print(value)
+    out+=f"{value:02x}"
+
+print(out)

XylophOneR/solve.md

@@ -0,0 +1,32 @@
+# XylophOner Solvepath
+
+The challenge name alludes to XOR, a type of boolean logic that is true only if one of the values is true, not both. The code provided turns every letter of the flag into hex and then into binary, and the XORs the corresponding digits.
+
+XOR is commonly used in cryptology with a key, or in this case the `flag`, where every string is XORed against the key.
+
+Something notable about using XOR with a key is that is predictable. For example, we have a key `key`, and input `in`, and the output of XORing `key` and `in`, `out`. Using XOR of any two of them will produce the other one, for example, `key` and `out` will produce `in`, and most importantly `out` and `in` will produce `key`.
+
+Using this in the challenge, we have our input `inp` and our key `flag`. If we try using a test input (Something random) like 50 of the same character.
+
+```
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+```
+
+And we will get an output such as 
+
+```
+02000c111a3851143e5533043e553e3951333e2209550c11502e0f3e40401c02000c111a3851143e5533043e553e3951333e
+```
+
+And using our above logic, we now have a `in` and `out`, and XORing them against each other in `XylOphoneR.py` like this,
+
+```
+flag = "02000c111a3851143e5533043e553e3951333e2209550c11502e0f3e40401c02000c111a3851143e5533043e553e3951333e" # The output
+inp = hexify("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") # the same input as above
+```
+
+will produce our flag in hex, and using a hex to ascii converter like [RapidTables](https://www.rapidtables.com/convert/number/hex-to-ascii.html), we can get our flag.
+
+```
+camp{Y0u_4Re_4_X0R_Ch4mp1On_!!}
+```

anagrams/Dockerfile

@@ -1,16 +1,16 @@
 FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build
 
-RUN apt-get update -y && apt-get install -y gcc && apt-get install -y wget && apt-get install -y unzip && rm -rf /var/lib/apt/lists/*
+RUN apt-get install -y && apt-get update -y && \
+  apt-get upgrade -y && apt-get install -y gcc wget unzip && rm -rf /var/lib/apt/lists/*
 
 COPY main.c .
 RUN gcc -o anagrams main.c
 
-RUN wget -Oynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \
+RUN wget -O ynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \
   && gcc -o ynetd ynetd.c \
   && rm -f /tmp/ynetd.zip
 
-
-FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9
+FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS deploy
 
 RUN useradd -m -d /home/ctf -u 12345 ctf
 WORKDIR /home/ctf

anagrams/chall.yaml

@@ -5,10 +5,10 @@ value: 100
 flag: camp{7o0_m@nY_ch@RacteR5_buf349nrf}
 description: |-
   My friend sent this game to me, but he said the code isn't quite finished yet.
-  He also said to be careful because “The cardinality of one of the buffer constructs is delimited 
-  by a determinate measure." and "not to exceed the moral constructs of the space in this world 
-  thou hath been given". I don't really know what that means, but maybe you'll enjoy the game.
+  He also said to be careful because of limited memory and stuff, but I know I
+  can just download more RAM. Can you beat the game?
 hints:
+  - What marks the end of a string?
   - Have you heard of a buffer overflow?
 files:
   - src: /home/ctf/anagrams

anagrams/main.c

@@ -3,17 +3,19 @@
 #include <string.h>
 #include <time.h>
 
-#define FLAG_SIZE 37
-#define SPACE 12
+#define FLAG_SIZE 37 // with null terminator
+#define SPACE 12 // a little extra space
 
 int isAnagramOfSize(char* word, int n) {
     if (strlen(word) != n) {
+        printf("Your word is not the right length!\n");
         return 0;
     }
     else {
         // check if word is an anagram by looping over it and checking if each character is at the end of the word
         for (int i = 0; i < n; i++) {
             if (!(word[i] == word[n - i - 1])) {
+                printf("%c != %c", word[i], word[n - i - 1]);
                 return 0;
             }
         }
@@ -23,26 +25,39 @@ int isAnagramOfSize(char* word, int n) {
 
 int main(int argv, char **argc) {
 
+    // netcat config (don't worry about this)
+    setvbuf(stdout, NULL, _IONBF, 0);
+    setvbuf(stdin, NULL, _IONBF, 0);
+    setvbuf(stderr, NULL, _IONBF, 0);
+
+
     printf("Welcome to bofed!\n");
     printf("The game is simple: I'll tell you a number, and you have to tell me an anagram of that length.\n");
     printf("Let's see how far you can get!\n");
 
     int count = 0;
-    char* flagCopy;
+    char flagCopy[FLAG_SIZE+1];
 
-    while (count < 100000) {    
-        srand(time(NULL));
-        int n = rand() % 7 + 1;
-        char word_flag[FLAG_SIZE+12+SPACE];
+    while (count < 100000) {   
+
+        srand(time(NULL)); //seed the random number generator with the time 
+        int n = rand() % 7 + 1; //random number between 1 and 7
+        char word_flag[FLAG_SIZE+SPACE+n+1]; //space for the flag and the anagram
+
+        //reset word_flag to an empty string
+        for (int i = 0; i < FLAG_SIZE+SPACE+n+1; i++) {
+            word_flag[i] = 32;
+        }
 
+        // Load the flag into the string word_flag, and also into flagCopy (for ✨redundancy✨)
         FILE* f = fopen("flag.txt", "r");
         fgets(word_flag+n+1+SPACE, FLAG_SIZE, f);
+        fseek(f, 0, SEEK_SET);
+        fgets(flagCopy, FLAG_SIZE, f);
         fclose(f);
 
-        strcpy(flagCopy, word_flag+n+1+SPACE);
         // We already know where the string will end, so we can place a null terminator there
-        *(word_flag + n+1) = '\0';
-
+        word_flag[n+SPACE] = '\0';
         printf("Give me an anagram of length %d: ", n);
 
         //load the input into the string word
@@ -55,7 +70,7 @@ int main(int argv, char **argc) {
         printf("Checking the validity of the anagram... %s\n", word_flag);
 
         int correct = isAnagramOfSize(word_flag, n);
-
+        
         if (correct) {
             printf("Correct!\n");
             count++;

anagrams/solve.md

@@ -18,8 +18,8 @@ With the right length string, we can overwrite the `\0` (null terminator) and re
 Welcome to bofed!
 The game is simple: I'll tell you a number, and you have to tell me an anagram of that length.
 Let's see how far you can get!
-Give me an anagram of length 3: aaaaaaaaaaaaaaaa
-Checking the validity of the anagram... aaaaaaaaaaaaaaaacamp{7o0_m@nY_ch@RacteR5_buf349nrf}
+Give me an anagram of length 5: aaaaaaaaaaaaaaaaaa
+Checking the validity of the anagram... aaaaaaaaaaaaaaaaaacamp{7o0_m@nY_ch@RacteR5_buf349nrf}
 Incorrect!
 You got 0 correct!
 ```

java-rev-three/RevThree.java

@@ -0,0 +1,34 @@
+import java.util.Scanner;
+
+public class RevThree {
+    public static void main(String[] args) {
+        System.out.println("Enter the password: ");
+        Scanner scanner = new Scanner(System.in);
+
+        String line = scanner.nextLine();
+
+        if (checkPassword(line)) {
+            System.out.println("That's the right password!");
+        } else {
+            System.out.println("That's the incorrect password!");
+        }
+
+        scanner.close();
+    }
+
+    public static boolean checkPassword(String passwordGuess) {
+        int[] distanceBetweenChars = {-14, -23, -10, 10, 9, 46, -64, -3, 21, 10, 37, 35, 1, 22, -61, -11, 9, 4, -9, 26, -16, 14, -27, 66, -27, 7, 10, 38, 48, 5, 2, -51, 1, 13, -83, -37, 20};        
+        String encryptString = "qxwfrKpXJeAChMnLCHbERWO2zc701ZPxURtFi";
+
+        for (int i = 0; i < passwordGuess.length()-1; i++) {
+            int firstChar = passwordGuess.charAt(i);
+            int secondChar = encryptString.charAt(i);
+
+            if (firstChar-secondChar != distanceBetweenChars[i]) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+}

java-rev-three/chall.yaml

@@ -0,0 +1,12 @@
+name: Java Rev III
+categories:
+  - rev
+value: 150
+flag: camp{y0U_offic1ALLY_Be4t_jAVa_REV_!!}
+description: |-
+  That's it. Here is a truly unbreakable password checker. But if you want to waste your time go ahead!
+files:
+  - src: RevThree.java
+authors:
+  - Jack Crowley
+visible: true

java-rev-three/gen.py

@@ -0,0 +1,17 @@
+
+flag = "camp{y0U_offic1ALLY_Be4t_jAVa_REV_!!}"
+encryptString = "qxwfrKpXJeAChMnLCHbERWO2zc701ZPxURtFi"
+
+guess = ""
+
+length = len(flag)
+
+nums = []
+
+avgs = []
+
+for i in range(length):
+    num1, num2 = ord(flag[i]), ord(encryptString[i])
+    nums.append(num1-num2)
+
+print(nums)

java-rev-three/solve.md

@@ -0,0 +1,19 @@
+# Java Rev Three
+
+This Java Rev challenge compares the chars of each of the strings against each other, and compares them to the difference located in the `distanceBetweenChars` array.
+
+To solve this problem, you must first delete the `return False;` in the `checkPassword`, which enables the program to keep going even if the first character is wrong.
+
+Then you must put a print statement inside the for loop which prints the correct character of the flag, such as:
+
+```
+System.out.print((char) (secondChar+distanceBetweenChars[i]));
+```
+
+and once running the program, input a random input such as:
+
+```
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+```
+
+producing the correct flag in the terminal.

no-asm-required/Dockerfile

@@ -0,0 +1,29 @@
+FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9 AS build
+
+RUN apt-get update -y && apt-get install -y gcc wget unzip && rm -rf /var/lib/apt/lists/*
+
+RUN wget -O ynetd.c https://raw.githubusercontent.com/johnsonjh/ynetd/master/ynetd.c \
+  && gcc -o ynetd ynetd.c \
+  && rm -f /tmp/ynetd.zip
+
+COPY main.c .
+
+RUN gcc -o chall main.c
+
+FROM --platform=linux/amd64 ubuntu@sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673fd5b4f2e9
+
+RUN useradd -m -d /home/ctf -u 12345 ctf
+WORKDIR /home/ctf
+
+COPY --from=build chall chall
+COPY --from=build ynetd ynetd
+
+RUN chmod +x ./ynetd
+
+COPY flag.txt .
+
+RUN chown -R root:root /home/ctf
+
+USER ctf
+EXPOSE 9999
+CMD ./ynetd -p 9999 ./chall