SharifCTF: Universal ReEncryption

This was the 100 point crypto challenge from SharifCTF dealing with a homomorphic encryption scheme based on the idea of Universal ReEncryption (URE) (hence the name of the challenge). It’s a pretty straightforward concept that made for a fun little crypto challenge that was excellently presented by the people at SharifCTF.

»
Author's profile picture Peter

SharifCTF: SRM

This was the second reverse engineering challenge from SharifCTF. It was a little harder than the last one, but over all pretty easy. A few simple calculations and we get a flag.

»
Author's profile picture Peter

SharifCTF: dMd

This was the first reverse engineering challenge from SharifCTF. It was a pretty straightforward 64-bit ELF binary, and despite being decently easy, was still pretty fun and a great first-level RE challenge.

»
Author's profile picture Peter

TUMCTF Teaser 2015: Webshop

This challenge required us to find a flag in a sql table using a time-based blind sql injection over a POST parameter. This writeup will be a little sparse because the server was taken offline before I could do this writeup, but I’ll provide server-side concept code where I can as well as my hastily written and hacked-together scripts.

»
Author's profile picture Peter

MMACTF 2015 1st: Signer and Verifier

We are given two ports on a server, Sign and Verify. Sign will sign an integer using the RSA signature scheme and Verify asks us to sign an integer providing the the public modulus and exponent. Sign it correctly and the server will give us the flag. The tricky part is that Sign won’t sign any of the messages given to us by Verify, so we need to trick it into signing our message using an RSA blinding attack.

»
Author's profile picture Peter

Protostar: Format 4

This is the fifth and final uncontrolled format string vulnerability exercise from the Protostar image at Exploit Exercises. In this one we are seizing control of the program execution to redirect to a specified function; however, in an attack scenario this could easily be the memory location of a piece of shellcode instead.

»
Author's profile picture Peter

Protostar: Format 3

This is the fourth uncontrolled format string vulnerability exercise from the Protostar image from Exploit Exercises. This one again requires writing to a variable using a format string, but this time we are writing 4 bytes instead of one. I’ll be showing two methods to solve it, each writting the the integer’s address using %n.

»
Author's profile picture Peter

Protostar: Format 2

This is the third uncontrolled format string vulnerability exercise from the Protostar image at Exploit Exercises. It is very similar to the last exercise except now we have to control the value we are writing with our exploit.

»
Author's profile picture Peter

Protostar: Format 1

This is the second uncontrolled format string vulnerability exercise from the Protostar image from Exploit Exercises. It asks us to write any value to an int using pure format string vulnerabilities. Let’s get to it!

»
Author's profile picture Peter

Protostar: Format 0

A while back I went through the uncontrolled format string vulnerability exercises in the Protostar image from Exploit Exercises and I have decided to go through them again, this time with writeups. I’ll do these without recompiling the source with debug messages, extracting information from standard fuzzing techniques and calculations to align the attacks. Let’s get started on Format 0.

»
Author's profile picture Peter

HSCTF 2015: Keith the Comedian Writeup

Easy classical cryptograghy using known plaintext and small block sizes to break a simple Hill cipher. Required knowledge of linear algebra and modular arithmatic.

»
Author's profile picture Peter

HSCTF 2015: Revenge of Cooley-Tukey Writeup

This was a fun little challenge that used a discrete transform algorithm as a custom encryption scheme. It required some basic knowledge on Fourier-related transforms to solve.

»
Author's profile picture Peter

TUMCTF Teaser 2015: T9

This was a fun little misc. problem dealing with a T9 cipher. It didn’t require much to solve, just a quick read over the T9 Cipher and some way to parse a long text file. I probably did a little too much work by solving it with a whole python script when grep would have worked just fine, but here is my work anyway.

»
Author's profile picture Peter

TJCTF 2015: Curvature Writeup

We are given a server that acts as an oracle doing elliptic curve scalar point multiplication (ECSPM) with a given point. Using this oracle we must solve the elliptic curve discrete logarithm problem (ECDLP) for a constant , which is our flag.

»
Author's profile picture Peter