LaCTF 2024

Write Ups for LaCTF 2024

Shattered-memories - Rev

The binary asks for the flag. Inspecting it with Ghidra, we see the flag in plaintext:

lactf{not_what_forgive_and_forget_means}

Java-Island

Opening the .jar with jadx-gui, we saw that the game consisted of reaching state 5:

I couldn't connect to netcat directly, so I had to play. There were 2 things to understand:

  • Button1 added 1 to the state, button2 added 2

  • We needed to set the hasGlove variable to true by entering case 6

To enter case 6, we needed a combination of 'd's and 'p's whose SHA-256 hash was equal to:

69, 70, -81, -117, -10, 109, 15, 29, 19, 113, 61, -123, -39, 82, -11, -34, 104, -98, -111, 9, 43, 35, -19, 22, 52, -55, -124, -45, -72, -23, 96, -77

or in hex:

4546af8bf66d0f1d13713d85d952f5de689e91092b23ed1634c984d3b8e960b3

To get this combination, I wrote a brute-force Python script:

#!/usr/bin/env python
from itertools import product
import hashlib

# Target SHA-256 digest (hex form of the byte array above)
sha = '4546af8bf66d0f1d13713d85d952f5de689e91092b23ed1634c984d3b8e960b3'
print(sha)

def generar_combinaciones(longitud):
    # Yield every string of the given length over the alphabet {'p', 'd'}
    caracteres = ['p', 'd']
    return (''.join(c) for c in product(caracteres, repeat=longitud))

longitud_deseada = 8  # 2**8 = 256 candidates to test

for x in generar_combinaciones(longitud_deseada):
    m = hashlib.sha256()
    m.update(x.encode())
    # Print the digest and the candidate when it matches the target
    if m.hexdigest() == sha:
        print(m.hexdigest(), x)

which resulted in:

dpddpdpp

Now we could go back to state 0 with button 1, then to state 2 with button 2, then to state 3 with button 1. Here, as we had set hasGlove to true, we could enter state 5 with the right read_flag button:

Aplet321

Understanding the binary with Ghidra:

First Comparison:

pretty = strncmp(pcVar1, "pretty", 6);
iVar3 = iVar3 + (uint)(pretty == 0);

  • Compares the first 6 characters of the string pointed to by pcVar1 with the string literal "pretty".

  • The strncmp function returns 0 if the strings are equal.

  • Increments iVar3 if the comparison is successful (if pretty is equal to 0).

Second Comparison:

pretty = strncmp(pcVar1, "please", 6);
iVar2 = iVar2 + (uint)(pretty == 0);

  • Similar to the previous step, it compares the first 6 characters of the string pointed to by pcVar1 with the string literal "please".

  • Increments iVar2 if the comparison is successful.

Pointer Increment:

pcVar1 = pcVar1 + 1;

  • Increments the pcVar1 pointer by 1, moving to the next character in the string.

Loop Exit Condition:

} while (pcVar1 != char[519] + ((int)len-input - 6));

  • The loop will continue as long as pcVar1 is not equal to the pointer pointing to the end of a string (calculated from the total length minus 6).
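The loop described above, reimplemented as an added example (not code from the write-up or from the challenge binary), shows which 6-character windows are actually compared. The names `scan_input` and `struct counts` are hypothetical, the renamed `char[519]` is assumed to be the start of the input buffer, and the length guard is an addition of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical container for the two counters (iVar3 and iVar2 above). */
struct counts { int pretty; int please; };

/* Mirrors the decompiled do/while: slide a 6-byte window one char at a time. */
struct counts scan_input(const char *input)
{
    struct counts c = {0, 0};
    size_t len = strlen(input);

    /* Guard added for this example: with fewer than 7 characters the
     * do/while exit pointer would never be reached. */
    if (len < 7)
        return c;

    const char *p = input;
    const char *end = input + (len - 6);   /* exit condition quoted above */
    do {
        c.pretty += (strncmp(p, "pretty", 6) == 0);
        c.please += (strncmp(p, "please", 6) == 0);
        p++;                               /* pcVar1 = pcVar1 + 1 */
    } while (p != end);
    return c;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "prettyplease",      /* "please" fills the final window: never compared */
        "prettypleaseflag",  /* trailing text brings "please" into range */
        "pretty please pretty please flag",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct counts c = scan_input(samples[i]);
        printf("%-34s pretty=%d please=%d\n", samples[i], c.pretty, c.please);
    }
    return 0;
}
```

Because the loop stops at length minus 6, a word occupying the last six characters is never compared, and words need no separator between them to be counted.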

After our payload, the next word has to be flag:

Flag:

That was all for today's write-up. I hope you've enjoyed it.

I will be uploading a new write-up every weekend, so don't forget to keep up with the blog 😄

You can use my social media to leave me your thoughts about the write-ups 👍

Twitter: https://twitter.com/KrakenEU_
Linkedin: https://www.linkedin.com/in/i%C3%B1aki-tornos-572580177/
Github: https://github.com/KrakenEU/
