la ctf
Radha Mounika Radha Mounika
web
terms and conditions
- here the description is
- this is how the endpoint is
- when we try to place our cursor on it it moves
- so there is frontend scirpt which stops us
- so try it in mobile
- there is a condition to stop touching as well
- then we see there is no form to submit as well
- so the element is getted by id by the server and the corresponding function to get the flag is called
- we dont even have access to the function either
- but we can get the element by id and try to click it
- so the flag is lactf{that_button_was_definitely_not_one_of_the_terms}
- document get element by id https://www.w3schools.com/jsref/met_document_getelementbyid.asp
rev/shattered-memories
- now we use ghidra to analyse the code
- we see the main funciton
- here we see case 5 is the win
- we see the flag but not in order
- so we order them and get the flag
- lactf{not_what_forgive_and_forget_means}
crypto/valentines-day
- given cipher text is like this
- and this is the first line of the decoded part as given
- veniger cipher is like ceaser cipher but for each letter it has different move for the lenght of the key
- here the as part of hint it was told the key length is 161
- so for each 161 chars of the cipher text the key will be repeated
- so as in the given cipher text we do see the flage but it is encrypted (can be found by {} as these are not encrypted)
- the veniger cipher only encryptes alphabets and not special symbols and numbers
- so we divide the cipher text such that we remove all non alphbet chars
- then we splice the string to reach the flag i.e [:161] then [161:161*2] like this
- we get the part where the flag lies
part1 of code
cipher='''Br olzy Jnyetbdrc'g xun, V avrkkr gb sssp km frja sbv kvflsffoi Jnuc Sathrg. Wkmk gytjzyakz mj jsqvcmtoh rc bkd. Canjc kns puadlctus! L xyw fmoxztu va tai szt, dbiazb yiff mt Zzhbo 1178 gyfyjhuzw vhtkqfy sniu eih vbsel edih tpcvftz, xcie ysnecsmge hbucqtu qt wcorr crzhg-olhm srr gkh gdsjxqh gnxxl rtr guez jewr klkkgak dx uuka nnv hmvwbj gmv glz fvyh, jueg eww oq i wuqglh Z lrigjsss ynch xun esivmpwf: "oof hvrb frtbrq it Kcmlo?" C ltzihfvxsq ghp abqs qrfzf glvx de HN bnty gocr gr: Eiaj zek rvocf vnriiu ob Puiza. Xegjy webrvbvrj. Frat s vgxhidm kepldrv gbq phxgv. Ehlb'w wuhu C ixyzchlr, ilc srez foq e wxzb sdz nrbrb. Eej W und siieesx nd pvvgb zvr pooi. B fox wc nrax v pedgei aex phvqe. Hqdru pc tvvtrv, C zyoxvxsq ghq wyvbg yzgmex KEKN=/ife/lgcyr/qg/ejl:$TNXC, eej hurn mlp qowtswvqn: wrm ~cuamyh/umlofikjayrvplzcwm.gdg | pzwj ropgf{qvjal_dfuxaxzbk_gbq_jeci_hdt_nr_hdr_eexij} ''' c="" for i in cipher: if i.isalpha(): c+=i c1=c[:161] c2=c[161:322] c3=c[322:483] c4=c[483:644] c5=c[644:] print(c5) # print(c) print(len(c5)) print("eexij" in c5) p='''On this Valentine's day, I wanted to show my love for professor Paul Eggert. This challenge is dedicated to him. Enjoy the challenge! ''' plain="" for i in p: if i.isalpha(): plain+=i print(plain[:44]) print(c[:44]) - now we go to part2 of solving
- now the last part has just 44 chars
- in p we store the plain text relvent length
- in c we store the corresponding cipher text of the same length
- we convert both of them to lower chars
- in x we store what should be decrypted
#c=p+k #k=c-p #p=c-k - as this is the rule we find the keys
- then using cyclic manner we get the x decrypted by the same rules
part2 code
p='''OnthisValentinesdayIwantedtoshowmyloveforpro''' c='''BrolzyJnyetbdrcgxunVavrkkrgbssspkmfrjasbvkvf''' x='''gpzwjropgfqvjaldfuxaxzbkgbqjecihdtnrhdreexij''' p=p.lower() c=c.lower() #c=p+k #k=c-p #p=c-k keys=[] for i,j in zip(p,c): i=ord(i) j=ord(j) k=j-i keys.append(k) # print(k,end=" ") for a,b in zip(x,keys): a=ord(a) p=a-b if(p<97): p=123-(97-p) if(p>122): p=96+(p-122) print(chr(p),end=" ") # ropgf{qvjal_dfuxaxzbk_gbq_jeci_hdt_nr_hdr_eexij} # lactf{known_plaintext_and_were_off_to_the_races} - we remove the whitespacces
web
terms and conditions
- here the description is
- this is how the endpoint is
- when we try to place our cursor on it it moves
- so there is frontend scirpt which stops us
- so try it in mobile
- there is a condition to stop touching as well
- then we see there is no form to submit as well
- so the element is getted by id by the server and the corresponding function to get the flag is called
- we dont even have access to the function either
- but we can get the element by id and try to click it
- so the flag is lactf{that_button_was_definitely_not_one_of_the_terms}
- document get element by id https://www.w3schools.com/jsref/met_document_getelementbyid.asp
rev/shattered-memories
- now we use ghidra to analyse the code
- we see the main funciton
- here we see case 5 is the win
- we see the flag but not in order
- so we order them and get the flag
- lactf{not_what_forgive_and_forget_means}
crypto/valentines-day
- given cipher text is like this
- and this is the first line of the decoded part as given
- veniger cipher is like ceaser cipher but for each letter it has different move for the lenght of the key
- here the as part of hint it was told the key length is 161
- so for each 161 chars of the cipher text the key will be repeated
- so as in the given cipher text we do see the flage but it is encrypted (can be found by {} as these are not encrypted)
- the veniger cipher only encryptes alphabets and not special symbols and numbers
- so we divide the cipher text such that we remove all non alphbet chars
- then we splice the string to reach the flag i.e [:161] then [161:161*2] like this
- we get the part where the flag lies
part1 of code
cipher='''Br olzy Jnyetbdrc'g xun, V avrkkr gb sssp km frja sbv kvflsffoi Jnuc Sathrg. Wkmk gytjzyakz mj jsqvcmtoh rc bkd. Canjc kns puadlctus! L xyw fmoxztu va tai szt, dbiazb yiff mt Zzhbo 1178 gyfyjhuzw vhtkqfy sniu eih vbsel edih tpcvftz, xcie ysnecsmge hbucqtu qt wcorr crzhg-olhm srr gkh gdsjxqh gnxxl rtr guez jewr klkkgak dx uuka nnv hmvwbj gmv glz fvyh, jueg eww oq i wuqglh Z lrigjsss ynch xun esivmpwf: "oof hvrb frtbrq it Kcmlo?" C ltzihfvxsq ghp abqs qrfzf glvx de HN bnty gocr gr: Eiaj zek rvocf vnriiu ob Puiza. Xegjy webrvbvrj. Frat s vgxhidm kepldrv gbq phxgv. Ehlb'w wuhu C ixyzchlr, ilc srez foq e wxzb sdz nrbrb. Eej W und siieesx nd pvvgb zvr pooi. B fox wc nrax v pedgei aex phvqe. Hqdru pc tvvtrv, C zyoxvxsq ghq wyvbg yzgmex KEKN=/ife/lgcyr/qg/ejl:$TNXC, eej hurn mlp qowtswvqn: wrm ~cuamyh/umlofikjayrvplzcwm.gdg | pzwj ropgf{qvjal_dfuxaxzbk_gbq_jeci_hdt_nr_hdr_eexij} ''' c="" for i in cipher: if i.isalpha(): c+=i c1=c[:161] c2=c[161:322] c3=c[322:483] c4=c[483:644] c5=c[644:] print(c5) # print(c) print(len(c5)) print("eexij" in c5) p='''On this Valentine's day, I wanted to show my love for professor Paul Eggert. This challenge is dedicated to him. Enjoy the challenge! ''' plain="" for i in p: if i.isalpha(): plain+=i print(plain[:44]) print(c[:44]) - now we go to part2 of solving
- now the last part has just 44 chars
- in p we store the plain text relvent length
- in c we store the corresponding cipher text of the same length
- we convert both of them to lower chars
- in x we store what should be decrypted
#c=p+k #k=c-p #p=c-k - as this is the rule we find the keys
- then using cyclic manner we get the x decrypted by the same rules
part2 code
p='''OnthisValentinesdayIwantedtoshowmyloveforpro''' c='''BrolzyJnyetbdrcgxunVavrkkrgbssspkmfrjasbvkvf''' x='''gpzwjropgfqvjaldfuxaxzbkgbqjecihdtnrhdreexij''' p=p.lower() c=c.lower() #c=p+k #k=c-p #p=c-k keys=[] for i,j in zip(p,c): i=ord(i) j=ord(j) k=j-i keys.append(k) # print(k,end=" ") for a,b in zip(x,keys): a=ord(a) p=a-b if(p<97): p=123-(97-p) if(p>122): p=96+(p-122) print(chr(p),end=" ") # ropgf{qvjal_dfuxaxzbk_gbq_jeci_hdt_nr_hdr_eexij} # lactf{known_plaintext_and_were_off_to_the_races} - we remove the whitespacces
-
- we rearrange the underscores and get the flag
# ropgf{qvjal_dfuxaxzbk_gbq_jeci_hdt_nr_hdr_eexij} # lactf{known_plaintext_and_were_off_to_the_races}rev/aplet321
- so by analyzing the code we see
- that there must be a stirng pretty and please in the input
- it compares the user input string and counts the occurences and adds the occurences
prettycount is in ivar5 andpleasecount is in ivar4- then it checks whetehr user input has the word flag
- if flag word does not exist it sasy sorry i did not understand and returns
- so we must have flag as well in our input
- then it checks whether the count of ivar5,ivar4 for a few conditions
- their sum must be 0x36 and their diff must be 0x16
- then it gives the flag
conditions analysis
x+y=54 x-y=-24 ===== y=x+24 y=54-x ======== x+24=54-x 2x=30 x=15 ====== x+y=54 y=54-15 y=39,x=15 var5=x=pretty=15 var4=y=please=39python to generate user input
>>> int('0x36',16) 54 >>> int('0x18',16) 24 >>> 54015 54015 >>> 54-5 49 >>> 54-15 39 >>> ans='pretty'*15+'please'*39 >>> ans 'prettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettypleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleaseplease' >>> - so now we give this input and append the word flag as it is required (a check satisfaction)
solution
C:\home\radha\Downloads\la ctf\rev3> nc chall.lac.tf 31321 hi, i'm aplet321. how can i help? prettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettyprettypleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleasepleaseflag ok here's your flag lactf{next_year_i'll_make_aplet456_hqp3c1a7bip5bmnc} C:\home\radha\Downloads\la ctf\rev3>