TAMUctf 2021 Ring Of Fire - 100 points
For none and none, there is always none
For none and one, there can be only one
For one and one, there is nothing but none
codeFile.txt
Sometimes, I sing to myself
Love is a burning thing
And it makes a firery ring
Bound by wild desire
I fell in to a ring of fire
Ring Of Fire is a fairly straightforward crypto problem.
26.4.2021 12:54 TAMUctf 2021 Ring Of Fire Solution

TAMUctf 2021 simple_cipher - 150 points
We have a flag encrypted using this program. Can you figure out what it is?
simple_cipher flag.enc
This is a very interesting cipher. By testing values you can understand how to attack it correctly. This is the tactic I used after Angr refused to give me a good answer.
    ./simple_cipher gigem{zbcdefghijklmnopqrst} |hexdump -C
    00000000 61 9e df d4 f7 3d 62 31 f0 79 |a.
26.4.2021 12:33 TAMUctf 2021 simple_cipher Solution

TAMUctf 2021 Unzip - 100 points
Hey, can you unzip this for me?
chall.zip
Step 1: Convert the zip file to a file that John can crack. Note that this is a pretty standard tool…
    zip2john ~/Downloads/chall.zip >~/altsci/tamuctf/chall.txt
chall.txt:
    chall.zip/flag.txt:$pkzip2$1*2*2*0*30*24*75c0f8c7*0*42*0*30*75c0*b004*e980ad8b1ffd804291d329b24794613bf3484fa6292fd97a57836440dfce9ce753a89d0ad9a8b16b042ecee459ed1274*$/pkzip2$:flag.txt:chall.zip::/home/jvoss/Downloads/chall.zip
Step 2: Crack the password.
    john --format=PKZIP --rules --wordlist=crack/ai3words_order.txt ~/altsci/tamuctf/chall.txt
John cracks it pretty quickly with a simple wordlist but I chose to use the AI3 wordlist which you can download with my DNSSEC research.
26.4.2021 12:02 TAMUctf 2021 Unzip Solution

TAMUctf 2021 Spectral Imaging - 100 points
Some things are meant to be heard but not seen. This sounds like it’s meant to be seen, not heard.
audio.wav
Spectral Imaging is just a simple spectrogram problem which I’ve seen many times before. Open the file in Audacity, switch to spectrogram. Set the settings to high top frequency and that’s all. This can probably also be solved with sox.
26.4.2021 11:54 TAMUctf 2021 Spectral Imaging Solution

TAMUctf 2021 Encoding - 100 points
This is literally the flag but obfuscated through tons of different encoding schemes.
data.txt
Step 1: Convert from a string of integers separated by spaces to a list of integers.
    a = open('encoding_data.txt', 'r').read()
    b = [chr(int(x)) for x in a.split()]
    b = [int(x) for x in a.split()]
    c = bytes(b)
Step 2: Try to see if it’s using UTF-16.
    c.decode('utf-16')
    c.
26.4.2021 11:39 TAMUctf 2021 Encoding Solution

TAMUctf 2021 Handshake - 150 points
Attack this binary and get the flag!
handshake
    openssl s_client -connect tamuctf.com:443 -servername handshake -quiet
Handshake is a standard i686 Linux binary with NX but no PIE. There’s a stack buffer overflow which is easy enough to exploit. Without PIE, ROP is available. Because Handshake provides a win function, it makes sense that this is the way to get the flag without getting full code execution with a ROP chain.
26.4.2021 11:39 TAMUctf 2021 Handshake Solution

TAMUctf 2021 Pancake - 100 points
Attack this binary to get the flag!
pancake
    openssl s_client -connect tamuctf.com:443 -servername pancake -quiet
Pancake is an easy exploitation challenge I think. I decided to use angr and was pleasantly surprised that it solved it quite rapidly. It uses the standard format for angr solutions that I’ve been using for years. I don’t know what the exploit payload does. It’s not clear at all to me what is going on except that the exploit must have been pretty straightforward.
26.4.2021 11:39 TAMUctf 2021 Pancake Solution

TAMUctf 2021 TicTacToe - 150 points
Hey, I made a tic tac toe game! If you can beat me enough times I’ll give you a flag.
tictactoe
    openssl s_client -connect tamuctf.com:443 -servername tictactoe -quiet
I tried to solve this without looking at the source code for a while. Spoiler: this is not easy to solve without looking at the source code or at least knowing the vulnerability involved.
26.4.2021 11:39 TAMUctf 2021 TicTacToe Solution

TAMUctf 2021 NX Oopsie - 100 points
Attack this binary and get the flag!
nx-oopsie
    openssl s_client -connect tamuctf.com:443 -servername nx-oopsie -quiet
I spent way too much time on this problem, stopping to work on other problems and coming back time and time again. This is a simple stack overflow on x86-64 with NX and PIE. How do you exploit it? It uses musl libc so running it on a normal Linux machine doesn’t work.
26.4.2021 11:03 TAMUctf 2021 NX Oopsie Solution

TAMUctf 2021 pybox - 150 points
We spun up a server for you to execute your python code! For security reasons, we’ve disabled a few syscalls, but you can do all the computation you’d like!
restricted_python/src/main.rs
    openssl s_client -connect tamuctf.com:443 -servername pybox -quiet
This challenge was remarkably easy. They use seccomp to disable reading from a file. That’s not nearly enough to stop a hacker from accessing a flag.
26.4.2021 10:56 TAMUctf 2021 pybox Solution