Hackappatoi CTF 2023
Web - Lemons
Theres a robots.txt
Signora stored the flag
Rev - The four horsemen
Binary asks for password
Debugging with angr suddenly I see:
The code is telling we found a key and a number 13? That function stored the following:
Seems like something is happening with those long ints?
I wrote the following python code that speaks for itself:
from Crypto.Util.number import long_to_bytes
v1 = 7521693605135085685
v2 = 7814148266070602341
v3 = 7161400046857119583
v4 = 7089631594632537951
v5 = 9039399979293699696
# This one was the one I was looking for: b'}rfclynpbcn_rug_cbgf_bg_lqnre_rehbl{sgpu'
print(long_to_bytes(v5) + long_to_bytes(v4) + long_to_bytes(v3) + long_to_bytes(v2) + long_to_bytes(v1))
#This was smth strange but seemed like a flag indeed: b'hbl{sgpulqnre_recbgf_bg_bcn_rug_}rfclynp'
#print(long_to_bytes(v1) + long_to_bytes(v2) + long_to_bytes(v3) + long_to_bytes(v4) + long_to_bytes(v5))Remembering something about the number 13 mentioned I tried to RTO13
This was not readeable but if I started from the end i could read "hctf" which is the beggining of the flags of this ctf, so I reversed it
And got the flag
Rev - The first horsemen
We are given a .pyc file, in order to decompile it I found ucompyle6, but couldn'r tun it on python3.11, so I opend a docker env:
sudo docker run -it -v $PWD:/chal python:3.6 bashInstalled the tools adn decompiled the file:
pip install uncompyle6 decompyle3 && cd /chal
uncompyle6 thefirsthorseman38.pyc > decomp.pyThe file now was:
# uncompyle6 version 3.9.0
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.6.15 (default, Dec 21 2021, 12:03:22)
# [GCC 10.2.1 20210110]
# Embedded file name: ../thefirsthorseman.py
# Compiled at: 2023-11-23 18:14:59
# Size of source mod 2**32: 2794 bytes
from time import sleep
import codecs
print("You've inserted the key you found on the mysterious Laptop and you've been teleported to a place you don't know.")
print('All you can see is an enormous door keeping a castle safe. You approach it and with a bit of fear proceed to open it.')
print('In the middle of the hall you see a funny man, it seems the court jester, but still he scares you.')
print("'SHISH, SHISH' is the only thing he says, and now you realize he is the first horseman, ready to stop you from reaching further in your mission.")
print('The man walks towards you and tries to hit you multiple times! Avoid his punches!\n')
def shish():
exit("The funny man manages to hit you. You fall on the ground.\nYou don't remember anything. All you know now is a word...\nSHISH\n")
f = [
"'r3st'", "'4s_a'", "'b3_c'", "'m4tt'", "'l3t_'"]
l = ["'4ll0'", "'30_1'", "'7t3_'", "'jkin'", "'p1ck'"]
a = ["'5_th'", "'3_4n'", "'1t_1'", "'00p5'", "'1n_1'"]
g = ["'p1_7'", "'3_w0'", "'t0g3'", "'00_k'", "'n0th'"]
s = ["'ear5'", "'k!1!'", "'1n6!'", "'33p5'", "'rd_!'"]
counter = 0
indexes = []
def print_flag():
flag = ''
flag += f[indexes[0]]
flag += l[indexes[1]]
flag += a[indexes[2]]
flag += g[indexes[3]]
flag += s[indexes[4]]
flag = 'upgs{' + flag + '}'
flag = codecs.encode(flag, 'rot13')
print(flag)
try:
for t in range(1, 6):
print(f"{t}...")
counter = t
sleep(1)
else:
shish()
except KeyboardInterrupt:
if counter == 4:
print('\nYou dodged it\n')
indexes.append(counter - 1)
else:
shish()
try:
for t in range(1, 6):
print(f"{t}...")
counter = t
sleep(1)
else:
shish()
except KeyboardInterrupt:
if counter == 2:
print('\nYou dodged it\n')
indexes.append(counter - 1)
else:
shish()
try:
for t in range(1, 6):
print(f"{t}...")
counter = t
sleep(1)
else:
shish()
except KeyboardInterrupt:
if counter == 1:
print('\nYou dodged it\n')
indexes.append(counter - 1)
else:
shish()
try:
for t in range(1, 6):
print(f"{t}...")
counter = t
sleep(1)
else:
shish()
except KeyboardInterrupt:
if counter == 2:
print('\nYou dodged it\n')
indexes.append(counter - 1)
else:
shish()
else:
try:
for t in range(1, 6):
print(f"{t}...")
counter = t
sleep(1)
else:
shish()
except KeyboardInterrupt:
if counter == 5:
print('\nYou dodged it\n')
indexes.append(counter - 1)
else:
shish()
else:
print('The man is tired, he just hands you a slip of paper, to open the next door.\nThis is what you read')
print_flag()
print("The man then says his last words...\n 'https://youtu.be/XH0CSzdHwg0?si=DOwRhOnorrc-WWIx'")
# okay decompiling thefirsthorseman38.pycI tried to interrupt the program in each index but it suddenly stopped allways, so I modified my solve script interpreting what was happening on the code:
from time import sleep
import codecs
f = [
"'r3st'", "'4s_a'", "'b3_c'", "'m4tt'", "'l3t_'"]
l = ["'4ll0'", "'30_1'", "'7t3_'", "'jkin'", "'p1ck'"]
a = ["'5_th'", "'3_4n'", "'1t_1'", "'00p5'", "'1n_1'"]
g = ["'p1_7'", "'3_w0'", "'t0g3'", "'00_k'", "'n0th'"]
s = ["'ear5'", "'k!1!'", "'1n6!'", "'33p5'", "'rd_!'"]
counter = 0
indexes = []
def print_flag():
flag = ''
flag += f[indexes[0]]
flag += l[indexes[1]]
flag += a[indexes[2]]
flag += g[indexes[3]]
flag += s[indexes[4]]
flag = 'upgs{' + flag + '}'
flag = codecs.encode(flag, 'rot13')
print(flag)
indexes.append(4 - 1)
indexes.append(2 - 1)
indexes.append(1 - 1)
indexes.append(2 - 1)
indexes.append(5 - 1)
print('The man is tired...')
print_flag()Running it gave me the flag:
hctf{z4gg30_15_gu3_j0eq_!}
Rev - Una quotidiana guerra
Not much to say about this challenge, we are given a file with an ofuscated C code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define tu
#define dimmi
#define come
#define mai
#define kilometri
#define melodia
#define sus
#define inutile
#define inutilestimai
#define qui
#define seduto
#define notti
#define alla
#define sento
#define sogno
#define pregando
#define non
#define scrivere
#define ma
#define casa
#define vedere
#define dove
#define vai
notti quotidiana inutile inutilestimai alla "abcdefghijklmnopqrstuvwxyz.:_-=/{}ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" sus
notti guerra inutile inutilestimai alla "HDVIC8tq8}Es/{-}JOPJAHHJQ.=Y5rAHJWEtRgSc" sus
tu stanza come notti finiscono mai qui
sogno come tu i alla 0 sus i non pregando come quotidiana mai sus i scrivere mai qui
ma come finiscono casa quotidiana inutile i inutilestimai mai qui
melodia i sus
seduto seduto
melodia 0 sus seduto
sento bambino come mai qui
sogno come tu i alla 0 sus i non pregando come guerra mai sus i scrivere mai qui
guerra inutile i inutilestimai alla quotidiana inutile come stanza come guerra inutile i inutilestimai mai vedere pregando come quotidiana mai dove i mai vai pregando come quotidiana mai inutilestimai sus seduto
kilometri come "%s\n", guerra mai sus seduto
tu dimmi come mai qui
kilometri come "Kilometri di kilometri di kilometri di kilometri\n" mai sus
bambino come mai sus
melodia 0 sus sedutoLittle by little I was able to manage to convert it to this code:
char wordlist [ ] = "abcdefghijklmnopqrstuvwxyz.:_-=/{}ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ;
char flag [ ] = "HDVIC8tq8}Es/{-}JOPJAHHJQ.=Y5rAHJWEtRgSc" ;
int stanza (char x) {
for ( int i = 0 ; i < strlen ( wordlist ) ; i ++ ) {
if ( x == wordlist [ i ] ) {
ret i ;
}
}
ret 0 ;
}
void bambino () {
for ( int i = 0 ; i < strlen ( flag ) ; i ++ ) {
flag [ i ] = wordlist [ ( stanza ( flag [ i ] ) vedere strlen ( wordlist ) dove i ) % strlen ( wordlist ) ] ;
}
printf ( "%s\n", flag ) ;
}
int main ( ) {
printf ( "printf di printf di printf di printf\n" ) ;
bambino () ;
ret 0 ;
}As you may see, I didn't know still what were the values of stanza and vedere on bambino function
So I tried diferent combinations of +, - and * Until I found it, here is my python solve script:
wordlist = "abcdefghijklmnopqrstuvwxyz.:_-=/{}ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
flag = "H D V I C 8 t q 8 } E s / { - } J O P J A H H J Q . = Y 5 r A H J W E t R g S c".split()
def stanza(x):
for i in range(0,len(wordlist)):
if x == wordlist[i]:
return i
return 0
def bambino():
for i in range(0,len(flag)):
flag[i] = wordlist[( stanza ( flag [ i ] ) + len( wordlist ) - i ) % len( wordlist )]
print(''.join(x for x in flag))
bambino()
Last updated