This was the 100 point crypto challenge from SharifCTF dealing with a homomorphic encryption scheme based on the idea of Universal ReEncryption (URE) (hence the name of the challenge). It’s a pretty straightforward concept that made for a fun little crypto challenge that was excellently presented by the people at SharifCTF.
This was the first reverse engineering challenge from SharifCTF. It was a pretty straightforward 64-bit ELF binary, and despite being decently easy, was still pretty fun and a great first-level RE challenge.
This challenge required us to find a flag in a sql table using a time-based blind sql injection over a POST parameter. This writeup will be a little sparse because the server was taken offline before I could do this writeup, but I’ll provide server-side concept code where I can as well as my hastily written and hacked-together scripts.
We are given two ports on a server, Sign and Verify. Sign will sign an integer using the RSA signature scheme and Verify asks us to sign an integer providing the the public modulus and exponent. Sign it correctly and the server will give us the flag. The tricky part is that Sign won’t sign any of the messages given to us by Verify, so we need to trick it into signing our message using an RSA blinding attack.
This is the fourth uncontrolled format string vulnerability exercise from the Protostar image from Exploit Exercises. This one again requires writing to a variable using a format string, but this time we are writing 4 bytes instead of one. I’ll be showing two methods to solve it, each writting the the integer’s address using %n.
A while back I went through the uncontrolled format string vulnerability exercises in the Protostar image from Exploit Exercises and I have decided to go through them again, this time with writeups. I’ll do these without recompiling the source with debug messages, extracting information from standard fuzzing techniques and calculations to align the attacks. Let’s get started on Format 0.
This was a fun little misc. problem dealing with a T9 cipher. It didn’t require much to solve, just a quick read over the T9 Cipher and some way to parse a long text file. I probably did a little too much work by solving it with a whole python script when grep would have worked just fine, but here is my work anyway.
We are given a server that acts as an oracle doing elliptic curve scalar point multiplication (ECSPM) with a given point. Using this oracle we must solve the elliptic curve discrete logarithm problem (ECDLP) for a constant , which is our flag.