This article gathers writeups for several challenges that did not warrant a full article each.

for200 (1)

When you decode the chunks of the PNG file individually, only one has a CRC error. It contains text which is the key to submit.

for200 (2)

When you decode the chunks of the PNG file individually, only one text chunk has no CRC error. It contains text which is the key to submit.
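The per-chunk CRC check used in both for200 challenges, as an added example that is not code from the original writeup: a small PNG chunk walker that recomputes the CRC-32 over each chunk's type and data. The sample file, its text values and the helper names are constructed for illustration and mirror the second variant (one valid text chunk among corrupted ones).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, data, corrupt=False):
    """Build one chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) ^ (1 if corrupt else 0)  # flip a bit for bad samples
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png):
    """Yield (offset, type, data, crc_ok) for every chunk in a PNG byte string."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        (length,) = struct.unpack_from(">I", png, pos)
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError(f"chunk at offset {pos} runs past end of file")
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:end]
        (stored,) = struct.unpack_from(">I", png, end)
        yield pos, ctype, data, stored == zlib.crc32(ctype + data)
        pos = end + 4

def text_chunks(png):
    """Return (keyword, text, crc_ok) for each tEXt chunk."""
    out = []
    for _, ctype, data, ok in iter_chunks(png):
        if ctype == b"tEXt":
            keyword, _, text = data.partition(b"\x00")
            out.append((keyword.decode("latin-1"), text.decode("latin-1"), ok))
    return out

# Constructed sample: 1x1 grayscale PNG with three tEXt chunks, two with a bad CRC.
SAMPLE = PNG_SIG + b"".join([
    make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
    make_chunk(b"tEXt", b"Comment\x00decoy-one", corrupt=True),
    make_chunk(b"tEXt", b"Comment\x00placeholder-key"),
    make_chunk(b"tEXt", b"Comment\x00decoy-two", corrupt=True),
    make_chunk(b"IDAT", zlib.compress(b"\x00\x00")),
    make_chunk(b"IEND", b""),
])

if __name__ == "__main__":
    for offset, ctype, data, ok in iter_chunks(SAMPLE):
        print(f"{offset:5d} {ctype.decode('latin-1')} len={len(data):3d} crc={'ok' if ok else 'BAD'}")
```

For the first variant, filter on `not crc_ok` instead to pick out the single chunk whose CRC fails.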

for500

strings

net100

Open the capture in Wireshark, use “Follow TCP Stream” and notice a password being sent to a telnet server. This is the key.

net200

Find the POST request to a <form> on the New York bar website. The text sent with that form contains the key.

re100

Open the executable with IDA, notice a function that does c XOR 0xFF on every byte of a string, locate the string, apply the xor, get the key.

re200

Open the executable with Reflector, notice a function that does a XOR once again, reverse the operation, get the key.

re300

A bit more complicated this time: the decryption function needs a key, and the only thing we know is that the MD5 of the key is ff97a9fdede09eaf6e1c8ec9f6a61dd5. A Google search tells us that this is MD5(Intel). This is still not the final key: the program uses it to decrypt a buffer using AES. Doing the same gives us the key to submit.

re400

Open the binary with IDA, notice a decrypt function that does NOT c, locate the string, apply the NOT, get the key.

web100

The auth is done through a cookie. Modify it (set username to admin), done.

web200

The SQL query places our input, escaped with mysqli_real_escape_string, inside a LIKE clause, and the escaping leaves the % and _ wildcards untouched. We can use that to select multiple users and have one matching the $auth condition (valid password, since we register it ourselves) and one matching the $admin condition (username == Administrator).

web300

There is an SQL injection on the horses.php page. You can’t normally use the select or union keywords (blacklisted), but if there is an equal sign before the keyword in the request it somehow works. From there we listed the tables in INFORMATION_SCHEMA, found a sessions table containing a session for the admin user, and used it to get the key. This was not the way the author expected people to solve his exercise, and this bug was fixed during the CTF.

web600

In PHP, strcmp/strcasecmp called with an array fails and returns 0. We can use that to bypass the check and get the key to be printed.