VIRSECCON CTF
Polybius
Points: 70
Description:
Polybius is hosting a party, and you’re invited. He gave you his number; be there o be square!
Note, this flag is not in usual flag format.
Solution:
We get these numbers,
413532551224514444425111431524443435454523114523114314
These are in-fact kinda like coordinates to a square filled with letter, Polybius here is the hint!
Go to dcode.fr and then polybius square cipher!…
POLYBIUSSQUAREISNOTTHATHARD is the flag!
Classic
Crypto
Points: 80
Description:
My friend told me this “was a classic”, but these letters and numbers dont make any sense to me. I didn’t know this would be a factor in our friendship!
Solution:
n:77627938360345301510724699969247652387657633828943576274039402978346703944383
e:65537
c:62899945974090753231979111677615029855602721049941681356856158761811378918268
Classic RSA stuff, one can easily tell! I used my own D3crypt0r. Give it a nice look :)
Ezy Pzy right?! LLS{just_another_rsa_chal} is the flag!
Chief Executive Officer
Crypto
Points: 70
Description:
I found this weird file a while ago… I’ve tried to operate with it but can’t seem to get it to work. I’ve tried the whole range of possibilities!
Solution:
I found this a bit weird but this chall had a lot less solves than even the RSA ones… Anyway, the file contained an entire junk of non-printable characters… hmm maybe just maybe we can bruteforce XOR them…!
f=open('chief_executive_officer','rb')
data=f.read()
n=''
for j in data:
n+=chr(137^ord(j))
print(n)
Yup that’s all you needed, I brute-forced the contents of the file with single-byte ascii characters from 1 to 256 and found that there were readable English words on the 137th character…
You get a lot of text but just grep LLS{.*} and you will have your flag!
LLS{you_are_the_ceo_of_xor} Measly meh~
Hot Dog
Crypto
Points: 100
Description:
This isn’t a problem with the grill.
Solution:
The decription doesn’t say much but opening the file gives us a lot. The size of e
by the look of it is very close to that of n
. So this must solved by a Weiner’s attack on RSA…
n:609983533322177402468580314139090006939877955334245068261469677806169434040069069770928535701086364941983428090933795745853896746458472620457491993499511798536747668197186857850887990812746855062415626715645223089415186093589721763366994454776521466115355580659841153428179997121984448771910872629371808169183
e:387825392787200906676631198961098070912332865442137539919413714790310139653713077586557654409565459752133439009280843965856789151962860193830258244424149230046832475959852771134503754778007132465468717789936602755336332984790622132641288576440161244396963980583318569320681953570111708877198371377792396775817
c:387550614803874258991642724003284418859467464692188062983793173435868573346772557240137839436544557982321847802344313679589173157662615464542092163712541321351682014606383820947825480748404154232812314611063946877021201178164920650694457922409859337200682155636299936841054496931525597635432090165889554207685
Once again using my tool D3crypt0r… it has quite a bunch of crypto-related stuff!
LLS{looks_like_weiners_on_the_barbecue} is the dish!
Old Monitor
Crypto
Points: 135
Description:
I have this old CRT monitor that I use for my desktop computer. It crashed on me and spit out all these weird numbers…
Solution:
A image file with huge no.s on them… first we need to extract those… Now we may do this by hand which will involve lots of errors or do the techy way!
First scale up the file so that the pixels are better readable…
convert old_monitor.png -scale 300% pc.png
Then let’s use the Tesseract no not the one with the time-stone… It’s a Linux tool… Install it in Kali using sudo apt-get install tesseract-orc!
Now let’s extract the data…
tesseract pc.png chinese
As you can see…,
It did quite well apart from one or two characters which we can do manually… Now the important it seems like we have to perform a Hastad-Broadcast attack or use the Chinese Remainder theorem to solve this!
from sympy import mod_inverse
import binascii
def root3rd(x):
y, y1 = None, 2
while y!=y1:
y = y1
y3 = y**3
d = (2*y3+x)
y1 = (y*(y3+2*x)+d//2)//d
return y
def hastad(n1,n2,n3,c1,c2,c3):
N=n1*n2*n3
N1=n2*n3
N2=n3*n1
N3=n1*n2
#print(N1,N2,N3)
b1=mod_inverse(N1,n1)
b2=mod_inverse(N2,n2)
b3=mod_inverse(N3,n3)
#print(b1,b2,b3)
t1=c1*N1*b1
t2=c2*N2*b2
t3=c3*N3*b3
C=(t1+t2+t3)%N
M=root3rd(C)
m=binascii.unhexlify(hex(M)[2:].rstrip('L'))
return m
n1=REDACTED
n2=REDACTED
n3=REDACTED
c1=REDACTED
c2=REDACTED
c3=REDACTED
print(hastad(n1,n2,n3,c1,c2,c3))
I used this code… pretty long right… you will soon find it in my D3crypt0r too!
LLS{the_chinese_remainder_theorem_is_so_cool} is the sweet flag!
CALC-UL8R
Scripting
Points: 150
Description:
Texas Instruments latest new product: you! Connect with: nc jh2i.com 50003
Solution:
This is pretty simple is you are asked to do say ten such problems by hand but its not ten, probably a hundred or so. We are given simple one-variate maths equation and we have to return the value of the variable. At first I thought of getting the variables and constants and then operating some-how but that would be too much of a hassle. Then I remembered about the Python Module Sympy
. It’s the best for solving equation which are written in human-readable format.
rom sympy.solvers import solve
from sympy import Symbol,sympify
from pwn import *
import re
import time
s=remote('jh2i.com',50003)
data=s.recvuntil('\n\n')
while True:
time.sleep(1)
data=s.recv()
print(data)
if 'LLS' in data:
break
data=data.split(' ')
data=data[:-2]
data[-1]=data[-1][:-2]
eq=''.join(data)
sym_eq=sympify("Eq("+eq.replace("=",",")+")")
val=solve(sym_eq)[0]
print(val)
s.sendline(str(val))
That’s the script I used… It takes the equation and sends the result.
LLS{sympy_to_solve_equations} also nods to using Sympy
Gammer
Scripting
Points: 125
Description:
It’s only one letter away! Connect with: nc jh2i.com 50012
Solution:
This netcat server checks for each pos of the input flag… if that position has the correct letter the its returns Correct else Wrong… so we just need to build up the flag from the ground up!
from pwn import *
import re
import time
printable='LS}_{abcdefghijLklmnopqrstuvwxyzABCDEFGHIJKMNOPQRSTUVWXYZ0123456789'
flag='LLS{'
while 1:
for i in printable:
s=remote('jh2i.com',50012)
s.recv()
s.sendline(flag+str(i))
#time.sleep(5)
data=s.recvuntil('it!')
#print(i,data)
if 'WRONG' not in data:
flag+=i
print(flag)
break
else:
print('0')
For some reason, my script was detecting the Wrong return messsage on the same connection, so I had to reset the connection everytime and start a new one…
It took some time but we finally we get the flag LLS{bruteforce_with_a_hammer}
2xPAD
Scripting
Points: 100
Description:
The latest and greatest encryption scheme, “two-time pad” is twice as secure as one time pads. Check it out!
Solution:
This challenge gives us two .png files to work with. They both contain a jibberish mix of pixels… so they first thing that comes to mind is X-ORing them. Now, I know this is a scripting challenges but sometimes other tools are already there. Use stegsolve here…!
LLS{dont_reuse_your_keys} is the flag!
Pincode
Scripting
Points: 75
Description:
This service needs a 4 digit pincode to authenticate… can you help me figure it out!?? Connect with: nc jh2i.com 50031
Solution:
Now this was albiet, quite a easy challenge which took me an unfathomable amount of time. The server needed a 4-digit pass code, which when would give us the flag! Now at first I thought about a no. from the range 1000-9999, normal right?! But even after iterating through it, I couldn’t get the flag. Then something clicked and it tried from 0000-0999 and ho and behold it was just 0037 :C
from pwn import *
i=9999
while i>=0:
s=remote('jh2i.com',50031)
print(s.recv())
e=str(i).zfill(4)
s.sendline(e)
a=s.recv()
print(e,a)
if 'LLS' in a:
break
i-=1
LLS{for_i_in_0000_to_9999} is the shitty result!
Quick Run
Scripting
Points: 75
Description:
You gotta go fast!
Solution:
The challenge gives us a zip file which has many QR-codes… now we can to it the oldfashioned way or use zbarimg
I unzipped the file, removed it and used… zbarimg * -q
We get a bunch of ascii codes, convert them to characters and we get the flag.
LLS{zbarimg_makes_qrcodes_easy}
2048
Scripting
Points: 75
Description:
cGx6aGVscG1l
Solution:
This chall gives us a text file which contains base64 encoded text decoding it once doesn’t help so there must be multiple layers of base64 encodings
import base64
f=open('2048','r')
data=f.read()
f.close()
for i in range(100):
try:
data=base64.b64decode(data)
except:
print(data)
break
Quickly put up this scipt… LCSC{i_hope_you_didnt_use_asciitohex.com} is the flag~
Whitepages
Stego
Points: 80
Description:
I stopped using yellow pages and moved onto white-pages… but the book they gave me is all blank.
Solution:
Oh, Nostalgia is hard! This is the exact same problem and probably the same title and description used for one problem in PicoCTF 19… basically the text file uses two types of blank_space characters in it. So we take either as 0 or 1 and we should get the answer, after converting the binary to decimal
from pwn import *
f=open('white.txt','rb')
data=f.read()
data = data.replace('e28083'.decode('hex'), '0').replace(' ', '1')
print(unbits(data))
See, its that simple… LLS{whitespace_steganography_in_the_empty_space} is the flag!
Stegosaurus
Stego
Points: 70
Description:
Scientists are struggling with a new mystery: we thought the dinosaurs were gone, but this one has returned! Hmm… can you solve this mystery?
Solution:
Simple stegsolve
problem that’s it!
LLS{you_stegsolved_the_mystery}
Winter Wonderland
Stego
Points: 80
Description:
It’s the holiday season! But hmm… they must be hiding something under all that cheer!
Solution:
A bit misleading… at first I thought of rockstar but then after opening the file in sublime text… I saw all the trailing whitespaces and tabspaces… this could mean only stegsnow was used!
Just use stegsnow winter_wonderland.txt
and we were done!
LLS{let_it_snow_baby_let_it_reindeer}