M4ndU의 만두만두한 블로그

Forensic

Clang

oBfsC4t10n

open it!

download it!

rename .xlsm to .xls

open and recover it!

go to this location

this is vbscript

hmm

web

BonechewerCon

just input {{config}}

crypto

Broken RSA

e is very big

https://github.com/pablocelayes/rsa-wiener-attack.git

RSAwienerHacker.py

layers.txt

bin2ascii

oct2ascii

hex2ascii

base64decode

base85decode

Chimera

Open chimera.bin.img using FTK Imager.

I found key.docx.

extract it and rename key.docx to key.zip

hmm __main__.py ?

zip password key...

but i couldn't find any zip file.

so, i opened chimera.bin.img with HxD.exe. Then i searched "flag".

flag.png in flag.zip

good

it is in pdf file stream, but i couldn't find any pdf file. so i just carved it.

it says the file is corrupted, but i can get 61% unziped flag.png

it is half of flag, but we can read flag :)

Glitch in the matrix

DQT : en.wikibooks.org/wiki/JPEG_-_Idea_and_Practice/The_header_part#The_Quantization_table_segment_DQT

The DQT area is intentionally covered with 0xFF.

To recover DQT area, I copied and pasted the DQT area of other normal jpg files downloaded from the google.

After many attempts, I could read a flag.

we_need_bits_lots_of_bits

Net Matroyshka

8.pcap

7.pcap

6.pcap

copy&paste rsync data and sum data

5.pcap

follow > udp stream

make 4.zip

no footer signature in 5.pcap.

i think i extracted 5.zip wrong because 5.zip said zip file is corrupted.

i couldn't extract 5.zip correctly..

Tapesplice

BZh91AY&SY is bz2 header signature

denouement.png

use zsteg

Résumé

just copy and paste

Charge Tracker

dex2jar sourceforge.net/projects/dex2jar/

open .jar using jd-gui java-decompiler.github.io/

part1 is here.

done.

Hashcrack 101

www.tunnelsup.com/hash-analyzer/

1~4 : DES (Unix)

5~9 : md5crypt, MD5 (Unix)

10~13 : sha512crypt $6$, SHA512 (Unix)

use hashcat

hashcat.net/wiki/doku.php?id=example_hashes

combination bruteforce attack

dictonary attack

비트에 몸을 맡겨라!

브포 때려서 말이 되는거 찾아서 넣으면 된다.

blank

whitespace -> directory indexing -> whitespace

vii5ard.github.io/whitespace/

TRUST's math class

Listen PIZ!!

pptx 파일을 zip으로 바꾸고

slide23.xml을 보면

base64 문자열이 있다.

ultimate hacking defense

vmdk 파일이 주어진다.

ftk imager로 열자

필요한 파일들은 뭘까 문제 지문을 잘 읽어보자.

해커가 가장 마지막으로 접속했던 웹사이트에서 해킹툴을 다운받았고, 터미널에서 TRUST 서버를 공격하기 위해 여러 명령어들을 썼다는 정보를 입수했다

마지막으로 접속한 웹사이트, 터미널

인터넷 접속 기록과 터미널 입력 기록을 살펴보면 되겠다.

크롬, 파폭, 웨일등의 브라우저가 설치되지 않았다.

바로 ie를 보면 되겠다.

ie 히스토리 (C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{7A1FA2C8-7768-11EB-94AC-001A7DDA7113}.dat)를 직접 봐도 되겠지만

ie에 마지막으로 입력한 url 기록은 NTUSER.DAT에서도 찾아볼 수 있다.

해당 파일을 추출하여 regripper을 돌려준다.

forensic.korea.ac.kr/DFWIKI/index.php/RegRipper

해당 페이지에 들어가면 플래그 뒷부분을 얻을 수 있다.

이어서, 최근 문서에서 consolehost_history.txt를 볼 수 있다.

파워쉘을 사용했다는 것을 알 수 있다.

해당 파일을 찾아 추출하자

C:\Users\Devleo\AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine\ConsoleHost_history.txt

플래그 앞부분 TRUST{ 를 검색하면 된다.

Tenable

The ultimate mutant marvel team-up

install nessus essentials

import it

export it

open with xml

Forensics

H4ck3R_m4n exp0sed! 1

extract butter.jpg

H4ck3R_m4n exp0sed! 2

extract it

H4ck3R_m4n exp0sed! 3

use dataz

hex -> ascii -> base64 -> hex -> jpg file

Cat Taps

usb keyboard packet capture file

github.com/TeamRocketIst/ctf-usb-keyboard-parser

hmm

abawazeeer.medium.com/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4

Fix Me

There are dummy bytes between chunks.

Check position of dummy bytes using tweakPNG.exe

and then remove dummy bytes using HxD.

repeat.

Stego

Easy Stego

stegsolve.jar

stegsolve.jar

Hackerman

Numerological

3637 3639 3734 3265 3639 3666 3266 3461 3734 3461 3631 3538

Weird Transmission

ourcodeworld.com/articles/read/956/how-to-convert-decode-a-slow-scan-television-transmissions-sstv-audio-file-to-images-using-qsstv-in-ubuntu-18-04

Reverse Engineering

The only tool you'll ever need

Pwntown 1

i just ran the corrdior in normal then flag was out. hmm

Crypto

Easy Peasy

base64 -> hex2ascii -> caesar cipher

Web App

Stay Away Creepy Crawlers

at ./robots.txt

Can't find it

flag is at a 404 not found page.

Source of All Evil

Show me what you got

directory indexing

flag is at ./images/alidi3sd.txt

Certificate of Authenticity

go to https://

get a certificate

Ripper Doc

./certified_rippers.php

edit cookie false to true

Headers for you inspiration

Spring MVC 1

Spring MVC 2

Spring MVC 3

Spring MVC 4

Spring MVC 5

Spring MVC 6

Spring MVC 7 (Hiding in Plain Sight)

./?name=please

Spring MVC 8 (Sessionable)

./other?name=admin

and go ./

Follow The Rabbit Hole

output -> hex -> png file

Misc

Esoteric

--[----->+<]>.++++++.-----------.++++++.[----->+<]>.----.---.+++[->+++<]>+.-------.++++++++++.++++++++++.++[->+++<]>.+++.[--->+<]>----.+++[->+++<]>++.++++++++.+++++.--------.-[--->+<]>--.+[->+++<]>+.++++++++.>--[-->+++<]>.

brainfuck

www.dcode.fr/brainfuck-language

Quit messing with my flags

Find the encoding

base58

One Byte at a Time

we know flag starts with "flag{"

then we can get xor key "0x77", "0x10", "0x02"

brute force it!

Not JSON

base64 to hex

abcdefghjiklmnopqrstuvwxyz_{} is table

index : dummy 1byte : data

05 0B 00 06 1B 12 0E 0d 1A 0E 05 1A 00 1A 01 12 0E 0D 1C

to dec

and +1

Forwards from Grandma

we can find { and } in title

morse code!

FWD: -> .

RE: -> -

# -> _

Broken QR

fix using Microsoft Paint

Web

Meet the Union Committee

./?id=1 or 1=1

./?id=;

./id=1 union select 1,2,3

./?id=1 union select 1,password,3 from users

GEOINT

Where in the World? (2)

i could see tram and high tower/building.

i searched tram in bing image search and i found a simillar one.

The content was completely different from the tram, but it was written in Polish.

Then I searched poland tram and i found a simillar one agian.

So, i was sure that the image was from poland.

I searched for Polish landmarks to find what the tall buildings in the picture were, and I could find something similar.

bingo!

Where in the World? (3)

bing image search

i found simillar image and "San Francisco Armory"

same

mission street, San Francisco, USA

Where in the World? (5)

google image search

Forensics/Figuring Out The Past

 need decryption key to download file via this mega link

it needs password

firefox

nothing :(

nothing in lastpass

hmm

왜 내가 하면 iehistory에서 안나오지..

defuse.ca를 찾아볼걸 그랬네

Forensics/Scattered Pieces

a pcapng file

mega link decryption key

in sus.pcapng, mega.nz 접속 흔적

ssl key log

log file IN

decrypt

reveal link

download it

open with hex editor and fix signature

dictionary attack (rockyou.txt)

Forensics/Do you know them ?

extract NTUSER.DAT

use regripper

Forensics/Mr.Wolf Darkest Secret

hmm

forensic

Misplaced

hmm what is it?

I changed file extension. (file.what to file.zip)

oh i got something but i don't know the password.

when i opened it using 7 zip file manager, i could get a password!

i thought it is ppt file.

then i found a flag.

Nice Duck!

mp4 file

Splitted flag

split file

fix file

done.

web

Flag Script

I googled 'BZh9' and i found it is bzip2 file

s3cr3t

interesting

export!

bitlocker.

same with 'little tricks' at starctf mandu-mandu.tistory.com/416

try harder

802.11 wpa

2020?

Reversing

That's not crypto

decompile it

bruteforce!

blockchain

sanity check

remix.ethereum.org/

code copy&paste

compile

connect metamask rinkeby wallet, load contract address and call welcome func. done.

secure enclave

It can store text and return text

I thought constroctor of this contract store the flag in this contract.

When you call set_secret to store some string, transaction occurs.

I could find a transaction at etherscan

crackme.sol

"arg3 is a overflow" is a hint in line 6.

uint MaxValue + 1 = 0

so, i can pass line 7 and 11 condition.

uint is short for uint256, so maximum value is 2**256-1

arg3 = 115792089237316195423570985008687907853269984665640564039457584007913129639935

arg1 = 20 ^ 0x70 = 100

decrypt(arg2) = "offshift ftw"

ah just brute force a-z :)

arg2 = evvixyvj vjm

"100","evvixyvj vjm","115792089237316195423570985008687907853269984665640564039457584007913129639935"

compile error

To find correct uint array size, brute force all value.

if size is over 26 :

if size is equal 26:

got a flag.

crypto casino

Edit code to get ouput value correctly.

To get a flag, need guessing and correct two times.

seed = b37c910f4e0df0efafb35a55489604369808b6de642ff1dbab5062680afaddcd

the block.number is the number of the mined block containing the transaction.

deploy a contract that returning result of uint(keccak256(abi.encodePacked(seed, block.number+3))) ^ 0x539

get block.number and hash

hash <= block.number <= 7956519 + 3

Then pend transaction that call bet(60284626633715439770582715312106605696128214001910194886489589200393495573074) before #7956522 block mined.

hmm out of gas

increase gas price and gas limit.

done.

RICH CLUB

hmm

for line 21, swap eth to uniswap app.uniswap.org/#/swap

hmm

grant_membership() function에 pubkey를 넘겨주면 encoded flag를 넘겨준다고 한다.
그럼 그걸 decrypt 하면 된다고 하는데

그럼 solidity 코드는 어떻게 수정해서 써먹어야되는거야 :(

crypto

factorize

p와 q의 상위 512비트는 base로 동일함.

따라서 sqrt(n)의 상위 512비트와 동일.

hmm

엥 그냥 factorize 돌리면 됐었던 문제였넹

optimizer

별거 없다. simple.

주어진 배열 정렬할 때 이동 횟수 구해서 입력해주면 된다.

pyjail

hmm

0x414141

go to www.offshift.io/

go to github

github.com/offshift-dev

There are two commits in january 2021

interesting

click

download pyc file.

decompile pyc using uncompyle6

decrypt

a link!

download a smashing.pdf via mega link.

hmm is it xor?

correct!

bitcoin paper..?

compare with smashing.pdf and original bitcoin paper pdf.

smashing.pdf is a little bigger.

a zip file is here :)

is locked.

dictionary attack

dictionary file i used : rockyou.txt

file reader

it filters "/flag.txt"

but we can get all .txt files using glob.glob("*.txt").

Shjail

eval eval py{r..u}hon\\ -m\\ S{h..j}mpleHTTPServer\\;

hmm

perl flag.[a-z][a-z][a-z]

web

graphed 2.0

there is a input form

There is a code send graphql query.

gist.github.com/craigbeck/b90915d49fda19d5b2b17ead14dcd6da

i found a fake flag :(

no flag in users

no flag in coolnotes

hmm

아 역시 getNote를 사용하는 것이었다.
하나 남은게 getNote였는데, q에 뭐가 들어가는지 몰라서 포기했는데..
쿼리문을 넣어버리는 거였넹.

maze

./robots.txt

./sup3r_secr37_@p1

good.

hmm

아 username이 pop_eax가 아니라 XFT였다.

hackme

?cmd=help

?cmd=123456

hmm

nl /*
nl *

>cat
* /f*