devme
an ex-google, ex-facebook tech lead recommended me this book!
No source code is attached, so I tried the features one by one. After a few seconds I found that the sign-up form (at the bottom of the home page) sends a GraphQL query to https://devme.be.ax/graphql. Since GraphQL servers answer introspection queries by default (cmiiw), we can use the GraphiQL tool here.
After entering the endpoint, check the Documentation Explorer for the available queries and mutations. In the query section you will find the users and flag fields. Let's check users first.
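What the Documentation Explorer is doing behind the scenes is sending an introspection query and rendering the __schema it gets back. The following is an added example, not code from the write-up or from the challenge: it holds a trimmed introspection query and lists every root query and mutation field with its arguments from the JSON a server returns. The response below is constructed to match the users and flag fields mentioned above; the signup mutation and User type in it are hypothetical.

```python
# Trimmed introspection query: the __schema meta-fields every GraphQL server
# answers while introspection is enabled (GraphiQL sends a larger variant).
INTROSPECTION_QUERY = """
{
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      fields {
        name
        args { name type { name kind ofType { name kind ofType { name } } } }
        type { name kind ofType { name kind ofType { name kind ofType { name } } } }
      }
    }
  }
}
"""


def type_name(t):
    """Render a (possibly NON_NULL/LIST wrapped) __Type reference in SDL form, e.g. [User!]!"""
    if t is None:
        return "?"
    if t.get("kind") in ("NON_NULL", "LIST") and t.get("ofType"):
        inner = type_name(t["ofType"])
        return inner + "!" if t["kind"] == "NON_NULL" else "[" + inner + "]"
    return t.get("name") or "?"


def root_fields(response):
    """Return {"query": [...], "mutation": [...]}, one 'name(arg: Type): Type'
    signature per root field: exactly what an unauthenticated visitor learns
    from an endpoint that leaves introspection switched on."""
    schema = response["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    out = {}
    for root, key in (("queryType", "query"), ("mutationType", "mutation")):
        ref = schema.get(root)
        if not ref:
            out[key] = []
            continue
        sigs = []
        for f in types[ref["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f.get("args") or [])
            sigs.append(f["name"] + (f"({args})" if args else "") + f": {type_name(f['type'])}")
        out[key] = sigs
    return out


# Constructed response (not captured from the challenge server) in the shape the
# query above yields. users and flag come from the write-up; signup and User are hypothetical.
SAMPLE_RESPONSE = {
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "mutationType": {"name": "Mutation"},
        "types": [
            {"name": "Query", "fields": [
                {"name": "users", "args": [],
                 "type": {"name": None, "kind": "NON_NULL", "ofType":
                          {"name": None, "kind": "LIST", "ofType":
                           {"name": None, "kind": "NON_NULL", "ofType": {"name": "User"}}}}},
                {"name": "flag",
                 "args": [{"name": "token", "type": {"name": None, "kind": "NON_NULL",
                                                       "ofType": {"name": "String", "kind": "SCALAR"}}}],
                 "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            ]},
            {"name": "Mutation", "fields": [
                {"name": "signup",
                 "args": [{"name": "email", "type": {"name": "String", "kind": "SCALAR", "ofType": None}}],
                 "type": {"name": "Boolean", "kind": "SCALAR", "ofType": None}},
            ]},
            {"name": "User", "fields": [
                {"name": "username", "args": [], "type": {"name": "String", "kind": "SCALAR", "ofType": None}},
            ]},
        ],
    }}
}

if __name__ == "__main__":
    for root, sigs in root_fields(SAMPLE_RESPONSE).items():
        print(root, sigs)
```

The same query needs no credentials, which is why production deployments normally disable introspection (every major GraphQL server has a setting for it) and rely on authorization checks inside each resolver rather than on the schema staying hidden.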
Request
Response
Now let's use the token to retrieve the flag as the admin user.
Request
Response
FLAG: corctf{ex_g00g13_3x_fac3b00k_t3ch_l3ad_as_a_s3rvice}
babyrev
well uh… this is what you get when you make your web guy make a rev chall
Given one ELF binary, let's open it in IDA.
main()
From the code above, we know that the flag length is 28 and that it starts with corctf{ and ends with }. The program loops over the input, checks whether the loop counter is prime with is_prime(), and, if certain conditions hold, passes our input into rot_n().
I was very curious about the code below, so I decided to debug it with gdb.
We get the encoded flag here: ujp?_oHy_lxiu_zx_uve. Now let's explore the other functions in IDA.
rot_n()
is_prime()
At first I did not know what the result of this loop in main() was, so I decided to write C source code implementing all of the code above.
loop.c
After learning what the loop does, I wrote a Python script to reverse the rotation values.
solver.py
FLAG: corctf{see?_rEv_aint_so_bad}
Chainblock
I made a chain of blocks!
nc pwn.be.ax 5000
We get a few files: the library, the binary, and the binary's source code.
As you can see above, this is a classic buffer overflow caused by the unsafe gets() function, which reads input with no length limit.
Now let's run checksec on the binary.
With minimal security mechanisms in the binary, we can use a technique called ret2libc. The idea is to first leak the libc base address and then send a one-gadget payload to the binary.
solver.py
FLAG: corctf{mi11i0nt0k3n_1s_n0t_a_scam_r1ght}
Fibinary
Warmup your crypto skills with the superior number system!
Given two files, enc.py and flag.enc. From the names we know the flag is encrypted by a Python script, so let's look into enc.py and flag.enc.
flag.enc
enc.py
The interesting code is
Looking at the snippet above, we know the flag is encrypted with c2f() one character at a time. Therefore we don't need to understand what c2f() does: we can brute-force the flag by passing every ASCII character through c2f() and mapping each encrypted chunk back to the ASCII value that produced it.
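The approach above works against any deterministic per-character encoding, because such a scheme is just a substitution cipher with a long codeword alphabet. The following is an added example, not the write-up's solver or the challenge's enc.py: the real c2f() is not shown on the page, so the c2f() here is an assumed Zeckendorf ("fibinary") encoding of the code point. The codebook inversion is the part that carries over regardless of what c2f() actually computes.

```python
import string

# Fibonacci digit weights, enough to cover any byte value (sum is 608 > 255).
FIBS = [1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233]


def c2f(ch):
    """ASSUMED stand-in for the challenge's c2f(): the Zeckendorf representation
    of ord(ch), greedy from the largest weight down, written as 0/1 digits."""
    n = ord(ch)
    digits = []
    for f in reversed(FIBS):
        if f <= n:
            digits.append("1")
            n -= f
        else:
            digits.append("0")
    return "".join(digits).lstrip("0") or "0"


def encrypt(plaintext):
    """Per-character encryption: identical characters always give identical codewords."""
    return " ".join(c2f(c) for c in plaintext)


def build_codebook(alphabet=string.printable):
    """The brute force the write-up describes: run every candidate character through
    c2f() once and index the results by codeword."""
    book = {}
    for c in alphabet:
        cw = c2f(c)
        # If two characters ever collided the lookup would be ambiguous;
        # Zeckendorf representations are unique, so this never fires here.
        assert cw not in book, f"collision between {book[cw]!r} and {c!r}"
        book[cw] = c
    return book


def decrypt(ciphertext, codebook=None):
    """Invert the encoding by table lookup, one codeword at a time."""
    codebook = codebook or build_codebook()
    return "".join(codebook[cw] for cw in ciphertext.split())


if __name__ == "__main__":
    sample = encrypt("corctf{constructed_sample}")  # constructed, not the real flag.enc
    print(sample)
    print(decrypt(sample))
```

Note that no property of c2f() beyond determinism and injectivity is used: the codebook has at most len(string.printable) entries, so the "key space" the attacker has to search is the alphabet, not the flag.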
solver.py
FLAG: corctf{b4s3d_4nd_f1bp!113d}
4096
I heard 4096 bit RSA is secure, so I encrypted the flag with it.
Given two files, source.py and output.txt.
output.txt
source.py
From the code above, we know this is a classic RSA task, and that the first line of output.txt is n and the second is c. After some googling I found that this is a multi-prime RSA task, and I found a solver script here as well. We just need to find the factors of n using Sage from valorant sagemath.
Then copy the list of factors into the solver script.
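The two steps above, factoring n and then decrypting with a phi(n) that has one (p_i - 1) term per prime, are shown end to end below. This is an added example rather than the write-up's solver.py: Pollard's rho stands in for Sage's factor(), and the modulus is a constructed toy built from eight primes of about 20 bits rather than the challenge's 4096-bit n. The point it makes is the one the challenge name hints at: the cost of rho (and of Sage's ECM) grows with the smallest prime factor, so spreading 4096 bits over many primes leaves each one small enough to recover.

```python
from math import gcd

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases: deterministic below ~3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n):
    n += 1
    while not is_probable_prime(n):
        n += 1
    return n


def pollard_rho(n, c):
    """One Pollard-rho attempt with polynomial x^2 + c (Floyd cycle finding).
    Returns a non-trivial factor, or None if this c degenerated and should be retried."""
    x = y = 2
    d = 1
    while d == 1:
        x = (x * x + c) % n
        y = (y * y + c) % n
        y = (y * y + c) % n
        d = gcd(abs(x - y), n)
    return None if d == n else d


def factor(n):
    """Full factorisation by recursive Pollard rho, returned sorted with multiplicity.
    Runtime is about sqrt(smallest prime), which is what makes a modulus with many
    small primes cheap to break regardless of its total bit length."""
    if n == 1:
        return []
    if is_probable_prime(n):
        return [n]
    if n % 2 == 0:
        return sorted([2] + factor(n // 2))
    for c in range(1, 50):
        f = pollard_rho(n, c)
        if f:
            return sorted(factor(f) + factor(n // f))
    raise ValueError("Pollard rho gave up")


def multiprime_decrypt(c, e, primes):
    """Textbook RSA decryption generalised to k distinct primes:
    phi(n) = prod(p_i - 1) replaces (p - 1)(q - 1)."""
    n = phi = 1
    for p in primes:
        n *= p
        phi *= p - 1
    d = pow(e, -1, phi)
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed toy instance (not the challenge's n): eight primes just above 10**6.
PRIMES = [next_prime(10**6 + 1000 * i) for i in range(8)]
E = 65537
N = 1
for _p in PRIMES:
    N *= _p
MESSAGE = b"multi-prime"  # constructed plaintext; as an integer it is far below N


def demo():
    """Encrypt like source.py would, then recover the plaintext from (N, c) alone."""
    c = pow(int.from_bytes(MESSAGE, "big"), E, N)  # what output.txt would contain
    return multiprime_decrypt(c, E, factor(N))     # step 1: factor; step 2: decrypt


if __name__ == "__main__":
    print(factor(N))
    print(demo())
```

For the real challenge the factor list comes from Sage as described above; only the multiprime_decrypt() step carries over unchanged, since rho would not finish on a genuine 4096-bit modulus with factors of hundreds of bits.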
solver.py
FLAG: corctf{to0_m4ny_pr1m3s55_63aeea37a6b3b22f}