This article groups together writeups for several challenges which did not deserve a full article.
When you decode the chunks of the PNG file individually, only one has a CRC error. It contains text which is the key to submit.
When you decode the chunks of the PNG file individually, only one text chunk has no CRC error. It contains text which is the key to submit.
Open with Wireshark, “Follow TCP Stream” and notice a password being sent to a telnet server. This is the key.
Find the POST request to a <form> on the New York bar website. The text sent with that form contains the key.
Open the executable with IDA, notice a function that does c XOR 0xFF on every byte of a string, locate the string, apply the XOR, get the key.
Open the executable with Reflector, notice a function that does a XOR once again, reverse the operation, get the key.
A bit more complicated this time: the decryption function needs a key, and the only thing we know is that the MD5 of the key is ff97a9fdede09eaf6e1c8ec9f6a61dd5. A Google search tells us that this is MD5(Intel). This is still not the final key: the program uses that to decrypt a buffer using AES. Doing the same gives us the key to submit.
Open the binary with IDA, notice a decrypt function that does NOT c, locate the string, apply the NOT, get the key.
The auth is done through a cookie. Modify it (set username to admin), done.
The SQL query allows us to inject something mysqli_real_escape’d in a LIKE _. We can use that to select multiple users and have one matching the $auth condition (valid password, we register him) and one matching the $admin condition (username == Administrator).
There is an SQL injection on the horses.php page. You can’t normally use the union keywords (blacklisted), but if there is an equal sign before the keyword in the request it somehow works. From there we listed the INFORMATION_SCHEMA, found a sessions table containing a session for the admin user, and used it to get the key. This was not the way the author expected people to solve his exercise, and this bug was fixed during the CTF.
In PHP, strcmp/strcasecmp with an array fails and returns 0. We can use that to bypass the check and get the key to be printed.