# NcN CTF Quals 2k13


Access Level 1

# curl http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/index.html
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
                <link rel="stylesheet" href="../res/main.css" type="text/css" media="screen"/>
    <link href='../res/UbuntuMono.css' rel='stylesheet' type='text/css'>
    <meta content="Javier Marcos @javutin" name="author" />
        <script type="text/javascript" src="crypto.js"></script>
        </head>
<body>
        <div id="level">
        <center>
                <h2 style="color: white">Discover the buried valid key:</h2>
    <form action="login.php" method="POST" onsubmit="return encrypt(this);">
    <table border=0 align="center">
     <tr>
        <td><label style="color: white" for="key"><b>Key: </b></label></td>
        <td><input type="text" name="password" id="password" class="input"></td>
                                        <input type="hidden" name="key" id="key" value="">
                                        <input type="hidden" name="verification" id="verification" value="yes">
     </tr>
     <tr>
        <td colspan="2" align="center"><p><input type="submit" name="send" class="button" value="Send"></p></td>
     </tr>
    </table>
    </form>
        </center>
        </div>
</body>
</html>
# curl --silent http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/crypto.js | sed 's/eval/console.log/'
var _0x52ae=["\x66\x20\x6F\x28\x38\x29\x7B\x63\x20\x69\x2C\x6A\x3D\x30\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x69\x2B\x2B\x29\x7B\x6A\x2B\x3D\x28\x38\x5B\x69\x5D\x2E\x73\x28\x29\x2A\x28\x69\x2B\x31\x29\x29\x7D\x67\x20\x74\x2E\x75\x28\x6A\x29\x25\x76\x7D\x66\x20\x70\x28\x68\x29\x7B\x68\x3D\x68\x2E\x71\x28\x30\x29\x3B\x63\x20\x69\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x77\x3B\x2B\x2B\x69\x29\x7B\x63\x20\x35\x3D\x69\x2E\x78\x28\x79\x29\x3B\x6D\x28\x35\x2E\x6C\x3D\x3D\x31\x29\x35\x3D\x22\x30\x22\x2B\x35\x3B\x35\x3D\x22\x25\x22\x2B\x35\x3B\x35\x3D\x7A\x28\x35\x29\x3B\x6D\x28\x35\x3D\x3D\x68\x29\x41\x7D\x67\x20\x69\x7D\x66\x20\x6E\x28\x38\x29\x7B\x63\x20\x69\x2C\x61\x3D\x30\x2C\x62\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x2B\x2B\x69\x29\x7B\x62\x3D\x70\x28\x38\x2E\x71\x28\x69\x29\x29\x3B\x61\x2B\x3D\x62\x2A\x28\x69\x2B\x31\x29\x7D\x67\x20\x61\x7D\x66\x20\x42\x28\x39\x29\x7B\x63\x20\x32\x3B\x32\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x32\x3D\x32\x2A\x28\x33\x2B\x31\x2B\x33\x2B\x33\x2B\x37\x29\x3B\x32\x3D\x32\x3E\x3E\x3E\x36\x3B\x32\x3D\x32\x2F\x34\x3B\x32\x3D\x32\x5E\x43\x3B\x6D\x28\x32\x21\x3D\x30\x29\x7B\x72\x28\x27\x44\x20\x64\x21\x27\x29\x7D\x45\x7B\x72\x28\x27\x46\x20\x64\x20\x3A\x29\x27\x29\x7D\x39\x2E\x47\x2E\x65\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x39\x2E\x48\x2E\x65\x3D\x22\x49\x22\x2B\x6F\x28\x39\x2E\x64\x2E\x65\x29\x3B\x67\x20\x4A\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x72\x65\x73\x7C\x7C\x7C\x68\x65\x78\x5F\x69\x7C\x7C\x7C\x73\x74\x72\x7C\x66\x6F\x72\x6D\x7C\x7C\x7C\x76\x61\x72\x7C\x70\x61\x73\x73\x77\x6F\x72\x64\x7C\x76\x61\x6C\x75\x65\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C\x66\x6F\x6F\x7C\x7C\x68\x61\x73\x68\x7C\x66\x6F\x72\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x69\x66\x7C\x6E\x75\x6D\x65\x72\x69\x63\x61\x6C\x5F\x76\x61\x6C\x75\x65\x7C\x73\x69\x6D\x70\x6C\x65\x48\x61\x73\x68\x7C\x61\x73\x63\x69\x69\x5F\x6F\x6E\x65\x7C\x63\x68\x61\x72\x41\x74\x7C\x61\x6C\x65\x72\x74\x7C\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74\x7C\x4D\x61\x74\x68\x7C\x61\x62\x73\x7C\x33\x31\x33\x33\x37\x7C\x32\x35\x36\x7C\x74\x6F\x53\x74\x72\x69\x6E\x67\x7C\x31\x36\x7C\x75\x6E\x65\x73\x63\x61\x70\x65\x7C\x62\x72\x65\x61\x6B\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x34\x31\x35\x33\x7C\x49\x6E\x76\x61\x6C\x69\x64\x7C\x65\x6C\x73\x65\x7C\x43\x6F\x72\x72\x65\x63\x74\x7C\x6B\x65\x79\x7C\x76\x65\x72\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x7C\x79\x65\x73\x7C\x74\x72\x75\x65","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];console.log(function (_0x7038x1,_0x7038x2,_0x7038x3,_0x7038x4,_0x7038x5,_0x7038x6){_0x7038x5=function (_0x7038x3){return (_0x7038x3<_0x7038x2?_0x52ae[4]:_0x7038x5(parseInt(_0x7038x3/_0x7038x2)))+((_0x7038x3=_0x7038x3%_0x7038x2)>35?String[_0x52ae[5]](_0x7038x3+29):_0x7038x3.toString(36));} ;if(!_0x52ae[4][_0x52ae[6]](/^/,String)){while(_0x7038x3--){_0x7038x6[_0x7038x5(_0x7038x3)]=_0x7038x4[_0x7038x3]||_0x7038x5(_0x7038x3);} ;_0x7038x4=[function (_0x7038x5){return _0x7038x6[_0x7038x5];} ];_0x7038x5=function (){return _0x52ae[7];} ;_0x7038x3=1;} ;while(_0x7038x3--){if(_0x7038x4[_0x7038x3]){_0x7038x1=_0x7038x1[_0x52ae[6]]( new RegExp(_0x52ae[8]+_0x7038x5(_0x7038x3)+_0x52ae[8],_0x52ae[9]),_0x7038x4[_0x7038x3]);} ;} ;return _0x7038x1;} (_0x52ae[0],46,46,_0x52ae[3][_0x52ae[2]](_0x52ae[1]),0,{}));
# node
> var _0x52ae=["\x66\x20\x6F\x28\x38\x29\x7B\x63\x20\x69\x2C\x6A\x3D\x30\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x69\x2B\x2B\x29\x7B\x6A\x2B\x3D\x28\x38\x5B\x69\x5D\x2E\x73\x28\x29\x2A\x28\x69\x2B\x31\x29\x29\x7D\x67\x20\x74\x2E\x75\x28\x6A\x29\x25\x76\x7D\x66\x20\x70\x28\x68\x29\x7B\x68\x3D\x68\x2E\x71\x28\x30\x29\x3B\x63\x20\x69\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x77\x3B\x2B\x2B\x69\x29\x7B\x63\x20\x35\x3D\x69\x2E\x78\x28\x79\x29\x3B\x6D\x28\x35\x2E\x6C\x3D\x3D\x31\x29\x35\x3D\x22\x30\x22\x2B\x35\x3B\x35\x3D\x22\x25\x22\x2B\x35\x3B\x35\x3D\x7A\x28\x35\x29\x3B\x6D\x28\x35\x3D\x3D\x68\x29\x41\x7D\x67\x20\x69\x7D\x66\x20\x6E\x28\x38\x29\x7B\x63\x20\x69\x2C\x61\x3D\x30\x2C\x62\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x2B\x2B\x69\x29\x7B\x62\x3D\x70\x28\x38\x2E\x71\x28\x69\x29\x29\x3B\x61\x2B\x3D\x62\x2A\x28\x69\x2B\x31\x29\x7D\x67\x20\x61\x7D\x66\x20\x42\x28\x39\x29\x7B\x63\x20\x32\x3B\x32\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x32\x3D\x32\x2A\x28\x33\x2B\x31\x2B\x33\x2B\x33\x2B\x37\x29\x3B\x32\x3D\x32\x3E\x3E\x3E\x36\x3B\x32\x3D\x32\x2F\x34\x3B\x32\x3D\x32\x5E\x43\x3B\x6D\x28\x32\x21\x3D\x30\x29\x7B\x72\x28\x27\x44\x20\x64\x21\x27\x29\x7D\x45\x7B\x72\x28\x27\x46\x20\x64\x20\x3A\x29\x27\x29\x7D\x39\x2E\x47\x2E\x65\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x39\x2E\x48\x2E\x65\x3D\x22\x49\x22\x2B\x6F\x28\x39\x2E\x64\x2E\x65\x29\x3B\x67\x20\x4A\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x72\x65\x73\x7C\x7C\x7C\x68\x65\x78\x5F\x69\x7C\x7C\x7C\x73\x74\x72\x7C\x66\x6F\x72\x6D\x7C\x7C\x7C\x76\x61\x72\x7C\x70\x61\x73\x73\x77\x6F\x72\x64\x7C\x76\x61\x6C\x75\x65\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C\x66\x6F\x6F\x7C\x7C\x68\x61\x73\x68\x7C\x66\x6F\x72\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x69\x66\x7C\x6E\x75\x6D\x65\x72\x69\x63\x61\x6C\x5F\x76\x61\x6C\x75\x65\x7C\x73\x69\x6D\x70\x6C\x65\x48\x61\x73\x68\x7C\x61\x73\x63\x69\x69\x5F\x6F\x6E\x65\x7C\x63\x68\x61\x72\x41\x74\x7C\x61\x6C\x65\x72\x74\x7C\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74\x7C\x4D\x61\x74\x68\x7C\x61\x62\x73\x7C\x33\x31\x33\x33\x37\x7C\x32\x35\x36\x7C\x74\x6F\x53\x74\x72\x69\x6E\x67\x7C\x31\x36\x7C\x75\x6E\x65\x73\x63\x61\x70\x65\x7C\x62\x72\x65\x61\x6B\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x34\x31\x35\x33\x7C\x49\x6E\x76\x61\x6C\x69\x64\x7C\x65\x6C\x73\x65\x7C\x43\x6F\x72\x72\x65\x63\x74\x7C\x6B\x65\x79\x7C\x76\x65\x72\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x7C\x79\x65\x73\x7C\x74\x72\x75\x65","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];console.log(function (_0x7038x1,_0x7038x2,_0x7038x3,_0x7038x4,_0x7038x5,_0x7038x6){_0x7038x5=function (_0x7038x3){return (_0x7038x3<_0x7038x2?_0x52ae[4]:_0x7038x5(parseInt(_0x7038x3/_0x7038x2)))+((_0x7038x3=_0x7038x3%_0x7038x2)>35?String[_0x52ae[5]](_0x7038x3+29):_0x7038x3.toString(36));} ;if(!_0x52ae[4][_0x52ae[6]](/^/,String)){while(_0x7038x3--){_0x7038x6[_0x7038x5(_0x7038x3)]=_0x7038x4[_0x7038x3]||_0x7038x5(_0x7038x3);} ;_0x7038x4=[function (_0x7038x5){return _0x7038x6[_0x7038x5];} ];_0x7038x5=function (){return _0x52ae[7];} ;_0x7038x3=1;} ;while(_0x7038x3--){if(_0x7038x4[_0x7038x3]){_0x7038x1=_0x7038x1[_0x52ae[6]]( new RegExp(_0x52ae[8]+_0x7038x5(_0x7038x3)+_0x52ae[8],_0x52ae[9]),_0x7038x4[_0x7038x3]);} ;} ;return _0x7038x1;} (_0x52ae[0],46,46,_0x52ae[3][_0x52ae[2]](_0x52ae[1]),0,{}));
function simpleHash(str){var i,hash=0;for(i=0;i<str.length;i++){hash+=(str[i].charCodeAt()*(i+1))}return Math.abs(hash)%31337}function ascii_one(foo){foo=foo.charAt(0);var i;for(i=0;i<256;++i){var hex_i=i.toString(16);if(hex_i.length==1)hex_i="0"+hex_i;hex_i="%"+hex_i;hex_i=unescape(hex_i);if(hex_i==foo)break}return i}function numerical_value(str){var i,a=0,b;for(i=0;i<str.length;++i){b=ascii_one(str.charAt(i));a+=b*(i+1)}return a}function encrypt(form){var res;res=numerical_value(form.password.value);res=res*(3+1+3+3+7);res=res>>>6;res=res/4;res=res^4153;if(res!=0){alert('Invalid password!')}else{alert('Correct password :)')}form.key.value=numerical_value(form.password.value);form.verification.value="yes"+simpleHash(form.password.value);return true}
> function simpleHash(str){
...      var i,hash=0;
...      for(i=0;i<str.length;i++){
.....           hash+=(str[i].charCodeAt()*(i+1))
.....      }
...      return Math.abs(hash)%31337
... }
> function ascii_one(foo) {
...     foo = foo.charAt(0);
...     var i;
...     for (i = 0; i < 256; ++i) {
.....         var hex_i = i.toString(16);
.....         if (hex_i.length == 1) hex_i = "0" + hex_i;
.....         hex_i = "%" + hex_i;
.....         hex_i = unescape(hex_i);
.....         if (hex_i == foo) break
.....     }
...     return i
... }
> function numerical_value(str) {
...     var i, a = 0, b;
...     for (i = 0; i < str.length; ++i) {
.....         b = ascii_one(str.charAt(i));
.....         a += b * (i + 1)
.....     }
...     return a
... }
> function encrypt(form) {
...     var res;
...     res = numerical_value(form.password.value);
...     res = res * (3 + 1 + 3 + 3 + 7);
...     res = res >>> 6;
...     res = res / 4;
...     res = res ^ 4153;
...     if (res != 0) {
.....         alert('Invalid password!')
.....     } else {
.....         alert('Correct password :)')
...     }
...     form.key.value = numerical_value(form.password.value);
...     form.verification.value = "yes" + simpleHash(form.password.value);
...     return true
... }
> var max=700000; var total=0; for (var i = 0; i < max; ++i) { total=(((i*17)>>>6)/4)^4153; if(total==0){console.log(i);}; };
62540
62541
62542
62543
62544
62545
62546
62547
62548
62549
62550
62551
62552
62553
62554
> function init(dec,len){
...  var deckey=new Array();
...  for(var i=1; i<=len; i++){ deckey[i]=dec; }
...  return deckey;
... }
> function add(deckey,len){
...  var counter=0;
...  for(var i=1; i<=len; i++){ counter+=deckey[i]*i; }
...  return counter;
... }
> var len, dist, deckey, count, key;
> len=100;
> for(var dec=32; dec<=126; dec++){
...  dist=126-dec;
...  for(var i=1; i<=len; i++){
.....   deckey=init(dec,i);
.....   count=add(deckey,i);
.....   diff=62540-count;
.....   if((0<=diff)&&(diff<=dist)){
.......    key=String.fromCharCode(dec+diff);
.......    char=String.fromCharCode(dec);
.......    for(var j=1; j<=i-1; j++){
.........     key+=char;
.........    }
.......    console.log("key = '"+key+"'");
.......   }
.....  }
... }
key = 'L                                                             '
key = 'r1111111111111111111111111111111111111111111111111'
key = 't333333333333333333333333333333333333333333333333'
> simpleHash('r1111111111111111111111111111111111111111111111111');
31203
# curl --silent --request POST --data 'password=r1111111111111111111111111111111111111111111111111&key=62540&verification=yes31203' http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/login.php
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
 </head>
<body>
<b>Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8</b></body>
</html>

# cat level_1.c
#include <stdio.h>
#include <stdlib.h>

int level1(int *key,int partial,int pos,int max,int len){
        int i,j,total;
        if(pos==1){
                for(i=126;i>=32;i--){
                        total=partial+i;
                        if((max<=total)&&(total<=max+14)){
                                key[pos-1]=i;
                                printf("key '\t");
                                for(j=0;j<len;j++){ printf("%c",key[j]); }
                                printf("'\t%d <= (%d) <= %d\n",max,total,max+14);

                        }
                }
        }else{
                for(i=126;i>=32;i--){
                        total=partial+pos*i;
                        if(total<=max){
                                key[pos-1]=i;
                                level1(key,total,pos-1,max,len);
                        }
                }
        }
}
int main(int argc, char *argv[]){
        int *key,len,i,j,total,max;
        max=atoi(argv[1]);
        len=atoi(argv[2]);
        for(i=0;i<len;i++){
                total=0;
                for(j=0;j<=i;j++){ total+=126*(j+1); }
                if(max<=total){
                        key=malloc(sizeof(int)*i+1);
                        printf("Trying key length = %d, total = %d and >= %d\n",i+1,total,max);
                        level1(key,0,i+1,max,i+1);
                        free(key);
                }
        }
}
# gcc -o level_1 level_1.c
# ./level_1 62540 50
Trying key length = 32, total = 66528 and >= 62540
key     '   !    <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '! !     <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '  !     <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     ' "      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '"!      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '!!      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     ' !      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62552) <= 62554
key     '$       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '#       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     '"       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62552) <= 62554
key     '!       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62551) <= 62554
key     '        <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62550) <= 62554
...
> simpleHash('   !    <~~~~~~~~~~~~~~~~~~~~~~~');
31217
# curl --silent --request POST --data 'password=   !    <~~~~~~~~~~~~~~~~~~~~~~~&key=62554&verification=yes31217' http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/login.php
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
 </head>
<body>
<b>Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8</b></body>
</html>
Access Level 2

# curl --silent --output level.apk http://ctf.noconname.org/ad4d4084729af5c8faef2df8636c450e/level.apk
# unzip level.apk
# dex2jar classes.dex
# jd-gui classes_dex2jar.jar # and code review
# cd res/raw
# mv i.png qr-f.png
# mv j.png qr-e.png
# mv d.png qr-d.png
# mv h.png qr-c.png
# mv e.png qr-3.png
# mv l.png qr-2.png
# mv o.png qr-7.png
# mv n.png qr-b.png
# mv p.png qr-8.png
# mv m.png qr-1.png
# mv f.png qr-0.png
# mv c.png qr-4.png
# mv k.png qr-5.png
# mv g.png qr-6.png
# mv a.png qr-9.png
# mv b.png qr-a.png
# montage *.png -tile 4x4 -geometry +0+0 qr.png
# zbarimg --raw --quiet qr.png
788f5ff85d370646d4caa9af0a103b338dbe4c4bb9ccbd816b585c69de96d9da
Access Level 3

# curl --silent --output level.elf http://ctf.noconname.org/94999ecd63b3764ac334bcab4c4960d5/level.elf
# file level.elf
level.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xb589d432799bf15343387fea63d4bdc00faa177c, not stripped
# chmod +x level.elf
# gdb -q level.elf
(gdb) set disassembly-flavor intel
(gdb) x/s 0x4024a8
0x4024a8:        "Type to win, only what I want to read... "
(gdb) x/25i 0x00000000004010f3
   0x4010f3 <main+212>: call   0x400fef <getch>
   0x4010f8 <main+217>: movsx  eax,al
   0x4010fb <main+220>: mov    DWORD PTR [rbp-0x4],eax
   0x4010fe <main+223>: mov    eax,DWORD PTR [rbp-0x8]
   0x401101 <main+226>: cdqe
   0x401103 <main+228>: mov    eax,DWORD PTR [rax*4+0x6033a0]
   0x40110a <main+235>: cmp    eax,DWORD PTR [rbp-0x4]
   0x40110d <main+238>: jne    0x40111e <main+255>
   0x40110f <main+240>: mov    DWORD PTR [rbp-0xc],0x1
   0x401116 <main+247>: cmp    DWORD PTR [rbp-0x4],0x51
   0x40111a <main+251>: je     0x40112d <main+270>
   0x40111c <main+253>: jmp    0x401127 <main+264>
   0x40111e <main+255>: mov    DWORD PTR [rbp-0xc],0x0
   0x401125 <main+262>: jmp    0x401154 <main+309>
   0x401127 <main+264>: cmp    DWORD PTR [rbp-0x4],0x71
   0x40112b <main+268>: jne    0x401136 <main+279>
   0x40112d <main+270>: mov    DWORD PTR [rbp-0x10],0x1
   0x401134 <main+277>: jmp    0x401154 <main+309>
   0x401136 <main+279>: mov    rax,QWORD PTR [rip+0x2022a3]        # 0x6033e0 <stdout@@GLIBC_2.2.5>
   0x40113d <main+286>: mov    rsi,rax
   0x401140 <main+289>: mov    edi,0x2a
   0x401145 <main+294>: call   0x400610 <fputc@plt>
   0x40114a <main+299>: add    DWORD PTR [rbp-0x8],0x1
   0x40114e <main+303>: cmp    DWORD PTR [rbp-0x8],0x9
   0x401152 <main+307>: jle    0x4010f3 <main+212>
(gdb) x/30s 0x6033a0
0x6033a0 <facebookctf_rocks>:    " "
0x6033a2 <facebookctf_rocks+2>:  ""
0x6033a3 <facebookctf_rocks+3>:  ""
0x6033a4 <facebookctf_rocks+4>:  "S"
0x6033a6 <facebookctf_rocks+6>:  ""
0x6033a7 <facebookctf_rocks+7>:  ""
0x6033a8 <facebookctf_rocks+8>:  "U"
0x6033aa <facebookctf_rocks+10>:         ""
0x6033ab <facebookctf_rocks+11>:         ""
0x6033ac <facebookctf_rocks+12>:         "R"
0x6033ae <facebookctf_rocks+14>:         ""
0x6033af <facebookctf_rocks+15>:         ""
0x6033b0 <facebookctf_rocks+16>:         "P"
0x6033b2 <facebookctf_rocks+18>:         ""
0x6033b3 <facebookctf_rocks+19>:         ""
0x6033b4 <facebookctf_rocks+20>:         "R"
0x6033b6 <facebookctf_rocks+22>:         ""
0x6033b7 <facebookctf_rocks+23>:         ""
0x6033b8 <facebookctf_rocks+24>:         "I"
0x6033ba <facebookctf_rocks+26>:         ""
0x6033bb <facebookctf_rocks+27>:         ""
0x6033bc <facebookctf_rocks+28>:         "S"
0x6033be <facebookctf_rocks+30>:         ""
0x6033bf <facebookctf_rocks+31>:         ""
0x6033c0 <facebookctf_rocks+32>:         "E"
0x6033c2 <facebookctf_rocks+34>:         ""
0x6033c3 <facebookctf_rocks+35>:         ""
0x6033c4 <facebookctf_rocks+36>:         "!"
0x6033c6 <facebookctf_rocks+38>:         ""
0x6033c7 <facebookctf_rocks+39>:         ""
# echo ' SURPRISE!' | ./level.elf
|  >  Type to win, only what I want to read...
|  >  **********
|
|  -> Congratulations! The key is:
|  9e0d399e83e7c50c615361506a294eca22dc49bfddd90eb7a831e90e9e1bf2fb
# gdb -q level.elf
(gdb) set disassembly-flavor intel
(gdb) break main
(gdb) run
(gdb) x/2i 0x40117b
   0x40117b <main+348>: call   0x400b38 <success>
   0x401180 <main+353>: call   0x40077c <no_me_jodas_manolo>
(gdb) set $rip = 0x40117b
(gdb) continue 
Continuing.
|
|  -> Congratulations! The key is:
|  9e0d399e83e7c50c615361506a294eca22dc49bfddd90eb7a831e90e9e1bf2fb
Posted by t0n1 0 comments
Labels: , , ,

# chatroom: Encrypted conversations using ncat 


# cat chatroom
#!/bin/bash

basename=`which basename`
cat=`which cat`
nc=`which ncat`
tput=`which tput`

function client {
        $nc --ssl $ip $port > >(while read line; do
                prompt=`echo $line | awk '{print $1}'`
                message=`echo $line | sed "s/$prompt//"`
                if [ "$prompt" == "<user0>" ] || [ "$prompt" == "<announce>" ]; then
                        echo -e "\e[35m<announce>\e[0m\e[90m$message\e[0m"
                else
                        echo -e "\e[32m$prompt\e[0m\e[36m$message\e[0m"
                fi
                $tput setaf 3
        done)
        echo -e "\e[35m<announce>\e[0m \e[90moperator closes the chatroom.\e[0m"
        reset
}

function reset { $tput sgr0; }

function server {
        $nc --listen --chat --ssl $ip $port
}

function usage {
$cat << eof
Usage:
        `$basename $0` [-h] {-m c|s} {-i ip} {-p port}
Options:
        -m: Mode
                c: Client
                s: Server
        -i: IP
        -p: Port
eof
}

conns=''
ip=''
port=''

while getopts "hm:i:p:" option; do
        case $option in
                h)      usage && exit   ;;
                m)      mode=$OPTARG    ;;
                i)      ip=$OPTARG      ;;
                p)      port=$OPTARG    ;;
        esac
done

if [ -z $ip ] || [ -z $port ] ; then
        usage && exit
fi

trap reset SIGINT

case $mode in
        c)      client                  ;;
        s)      server                  ;;
        *)      usage && exit
esac
Server mode

remote# chatroom -m s -i 192.168.1.10 -p 1234
Client mode

local# chatroom -m c -i 192.168.1.10 -p 1234
Posted by t0n1 0 comments
Labels: , ,

# sharefile: Share encrypted files using nc 


# cat sharefile
#!/bin/bash

basename=`which basename`
cat=`which cat`
fi=`which file`
kill=`which kill`
mcrypt=`which mcrypt`
mv=`which mv`
nc=`which nc`
rm=`which rm`
sleep=`which sleep`
tput=`which tput`

function color {
        normal=`$tput sgr0`
        green=`$tput setaf 2`
        yellow=`$tput setaf 3`
        cyan=`$tput setaf 6`
        case $1 in
                green)  echo -ne "$green$2$normal"      ;;
                yellow) echo -ne "$yellow$2$normal"     ;;
                cyan)   echo -ne "$cyan$2$normal"       ;;
                *)      echo -ne "$2$normal"            ;;
        esac
}

function info {
        color yellow "[$1]: " && $fi --brief "$file"
}

function clean {
        if [ -e "$file.nc" ]; then $rm "$file.nc"; fi
}

function bar {
        color cyan $1; $sleep 0.1; printf "\b"
}

function progress {
        if [ "$1" == "s" ]; then
                color green "$2 "
                while [ true ]; do
                        bar '-'; bar '\'; bar '|'; bar '/'
                done
        elif [ "$1" == "e" ]; then
                $kill $2 && echo ''
        fi
}

function receive {
        listen=$1
        if [ -e "$file" ]; then $rm --interactive "$file"; fi
        exec 2> /dev/null
        progress s 'receiving' &
        pid=$!
        $nc $listen $ip $port > "$file"
        progress e $pid
        if $encrypt ; then
                $mv "$file" "$file.nc"
                progress s 'decrypting' &
                pid=$!
                $mcrypt --decrypt               \
                        --hash $hash            \
                        --bare                  \
                        --quiet                 \
                        --unlink                \
                        --key $password         \
                        --algorithm $algorithm  \
                        "$file.nc"
                progress e $pid
                clean
        fi
        info "$file"
}

function send {
        listen=$1
        exec 2> /dev/null
        info "$file"
        if $encrypt ; then
                clean
                progress s 'encrypting' &
                pid=$!
                $mcrypt --hash $hash            \
                        --bare                  \
                        --quiet                 \
                        --key $password         \
                        --algorithm $algorithm  \
                        "$file"
                progress e $pid
        fi
        progress s 'sending' &
        pid=$!
        if $encrypt ; then filename="$file.nc"; else filename="$file"; fi
        $cat "$filename" | $nc $listen $ip $port
        progress e $pid
        clean
}

function usage {
$cat << eof
Usage:
        `$basename $0` [-h] {-m cr|cs|lr|ls} {-i ip} {-p port} [-n] {-f file}
Options:
        -m: Mode
                cs: Connect and receive
                cs: Connect and send
                lr: Listen and receive
                ls: Listen and send
        -i: IP
        -p: Port
        -f: File
        -n: No encrypt
eof
}

password='p@ssw0rd!'
algorithm='rijndael-192'
hash='sha1'

mode=''
ip=''
port=''
file=''
encrypt=true

while getopts "hm:i:p:f:n" option; do
        case $option in
                h)      usage && exit   ;;
                m)      mode=$OPTARG    ;;
                i)      ip=$OPTARG      ;;
                p)      port=$OPTARG    ;;
                f)      file=$OPTARG    ;;
                n)      encrypt=false   ;;
        esac
done

if [ -z $ip ] || [ -z $port ] || [ -z $file ]; then
        usage && exit
fi

case $mode in
        cr)     receive                 ;;
        cs)     send                    ;;
        lr)     receive -l              ;;
        ls)     send -l                 ;;
        *)      usage && exit
esac
Listen and receive + connect and send

remote# sharefile -m lr -i 192.168.1.10 -p 1234 -f file.mp3
receiving \
decrypting |
[file.mp3]: Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1,  32 kbps, 44.1 kHz, Stereo
local# sharefile -m cs -i 192.168.1.10 -p 1234 -f file.mp3
[file.mp3]: Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1,  32 kbps, 44.1 kHz, Stereo
encrypting -
sending /
Listen and send + connect and receive

remote# sharefile -m ls -i 192.168.1.10 -p 1234 -f file.mp3
[file.mp3]: Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1,  32 kbps, 44.1 kHz, Stereo
encrypting \
sending /
local# sharefile -m cr -i 192.168.1.10 -p 1234 -f file.mp3
receiving \
decrypting /
[file.mp3]: Audio file with ID3 version 2.4.0, contains: MPEG ADTS, layer III, v1,  32 kbps, 44.1 kHz, Stereo
Posted by t0n1 0 comments
Labels: , , ,

# find: Search for files in a directory hierarchy


Syntax

# find [-H] [-L] [-P] [-D debugopts] [-Olevel] [path...] [expression]
-H: Do not follow symbolic links, except while processing the command line arguments.
-L: Follow symbolic links.
-P: Never follow symbolic links (default).
-D: Print diagnostic information. debugopts = help,tree,stat,opt,rates
-O: Enables query optimization. level = 1 | 2 | 3

The expression is made up of options (return true), tests (return true or false) and actions (return true or false), all separated by operators (-and is assumed where the operator is omitted).

Tests

+n for greater than n
-n for less than n
n for exactly n

-amin n: File was last accessed n minutes ago.
-anewer file: File was accessed more recently than file was modified.
-atime n: File was last accessed n*24 hours ago.
-cmin n: File's status was last changed n minutes ago.
-cnewer file: File's status was last changed more recently than file was modified.
-ctime n: File's status was last changed n*24 hours ago.
-empty: File (regular file or directory) is empty.
-executable: Executable files and searchable directories.
-false: Always false.
-fstype type: File is on a filesystem of type ufs | nfs | tmp | ...
-gid n: File's numeric gid ID is n.
-group gname: File belongs to group gname.
-ilname pattern: File is a symbolic link (insensitive).
-inum n: File has inode number n.
-iregex pattern: Case insensitive match.
-links n: File has n links.
-lname pattern: File is a symbolic link.
-mmin n: File's data was last modified n minutes ago.
-mtime n: File's data was last modified n*24 minutes ago.
-name pattern: Base of the file name.
-newer file: File was modified more recently than file.
-newerxY reference: Compares the timestammp of the current file with reference.
-nogroup: No group corresponds to file's numeric group ID.
-nouser: No user corresponds to file's numeric user ID.
-path pattern: File name matches shell pattern.
-perm mode: File's permission bits are exactly mode.
-perm -mode: All of the permission bits mode are set for the file.
-perm /mode: Any of the permission bits mode are set for the file.
-readable: Matches files which are readable.
-regex pattern: Filename matches regular expression pattern.
-samefile name: File refers to the same inode as name.
-size n[cwbkMG]: File uses n units of space.
-true: Always true.
-type c: File is of type b (block) | c (character) | d (directory) | p (named pipe) | f (regular file) | l (symbolic link) | s (socket)
-uid n: File's numeric user ID is n.
-used n: File was last accessed n days after its status was last changed.
-user uname: File is owned by user uname.
-writable: Matches files which are writable.

Actions

-delete: Delete files.
-exec command {} \; : Execute command (one command execution for each file).
-exec command {} + : Execute command (one command execution with all files as arguments).
-execdir command {} \; : Execute command from the subdirectory containing the matched file (more secure than exec).
-execdir command {} + : Execute command from the subdirectory containing the matched file (more secure than exec).
-fls file: Like -ls but write to file.
-fprint file: Like print but write to file.
-fprint0 file: Like print0 but write to file.
-fprint file format: Like fprint format but write to file.
-ls: List in ls -dils format on standard output.
-ok command: Like -exec but ask the user first.
-okdir command: Like -execdir but ask the user first.
-print: Print the full file name on standard output, followed by a newline.
-print0: Print the full file name on standard output, followed by a null character.
-print format: Print format on standard output.
-prune: If the file is a directory, do not descend into it.
-quit: Exit immediately.

Operators

( expr ): Force precedence.
! expr: Negate expr.
expr1 -a expr2: And operator.
expe1 -o expr2: Or operator.

Examples

# find / -iname '*key*'
# find / \( -amin -5 -o -cmin -5 -o -mmin -5 \) -a \! \( -path "/proc/*" -o -path "/dev/*" \) -execdir file '{}' \;
# find / -perm -4000 -fprint /root/suid.txt
# find / -perm -0002 -a \! -type l -print
# find / -type d -empty
# find / -user www-data -o -group www-data
# find / -size +50M
# find / -type f -a -size -10c -a \! -empty
Posted by t0n1 0 comments
Labels: , ,

# Codecademy: Python


1. Python Syntax

print "Welcome to Python!"
my_int = 7
my_float = 1.23
my_bool = True

my_int = 7
my_int = 3
print my_int

def spam():
    eggs = 12
    return eggs
print spam()

# just a comment
"""
first comment
second comment
third comment
"""

count_to = 1 + 2
count_to = 5 - 2
ni = 2 * 10
ni = 20 / 4
eggs = 10 ** 2
spam = 3 % 2
2. Strings and Console Output

'Help! Help! I\'m being repressed!'

fifth_letter = "MONTY"[4]

parrot = "Norwegian Blue"
print len(parrot)
print parrot.lower()
print parrot.upper()

pi = 3.14
print str(pi)

print "Spam " + "and " + "eggs"
print "The value of pi is around " + str(3.14)

string_1 = "Camelot"
string_2 = "place"
print "Let's not go to %s. 'Tis a silly %s." % (string_1, string_2)

name = raw_input("What is your name?")
quest = raw_input("What is your quest?")
color = raw_input("What is your favorite color?")
print "Ah, so your name is %s, your quest is %s, and your favorite color is %s." % (name, quest, color)
3. Conditionals and Control Flow

# / and * are evaluated before + and -
bool_one = 17 < 118 % 100
bool_two = 100 == (33 * 3) + 1
bool_three = 19 <= 2**4
bool_four = -22 >= -18
bool_five = 99 != 98 + 1

# not is evaluated first, and is evaluated next, or is evaluated last
"""
True and True is True
False or False is False
Not True is False
Not False is True
"""

answer=7
if 5 <= answer:
    print 1
elif answer < 5:
    print -1
else:
    print 0
4. Functions

def square(n):
    """Returns the square of a number."""
    squared = n**2
    print "%d squared is %d." % (n, squared)
    return squared

def favorite_actors(*args):
    """Prints out your favorite actorS (plural!)"""
    print "Your favorite actors are:" , args
favorite_actors("Michael Palin", "John Cleese", "Graham Chapman")

def cube(number):
    return number**3
def by_three(number):
    if number%3 == 0:
        return cube(number)
    else:
        return False
by_three(9)

import math
print math.sqrt(25)
from math import sqrt
print sqrt(25)
from math import *
print sqrt(25)

print max(-10, -5, 5, 10)
print min(-10, -5, 5, 10)
print abs(-10)

print type(42) # => integer
print type(4.2) # => float
print type('spam') # => unicode
print type({'Name':'John Cleese'}) # => dict
print type((1,2)) # => tuple
5. Lists and Dictionaries

zoo_animals = ["pangolin", "cassowary", "sloth", "tiger"]
print zoo_animals[0]

suitcase = []
suitcase.append("sunglasses")
list_length = len(suitcase)

suitcase = ["sunglasses", "hat", "passport", "laptop", "suit", "shoes"]
first = suitcase[0:2]
middle = suitcase[2:4]
last = suitcase[4:6]

animals = "catdogfrog"
cat = animals[:3]
dog = animals[3:6]
frog = animals[6:]

animals = ["aardvark", "badger", "duck", "emu", "fennec fox"]
duck_index = animals.index("duck")
animals.insert(duck_index,"cobra")

my_list = [1,9,3,8,5,7]
for number in my_list:
    print number * 2

start_list = [5, 3, 1, 2, 4]
square_list = []
for number in start_list:
    square_list.append(number**2)
square_list.sort()
print square_list

residents = {'Puffin' : 104, 'Sloth' : 105, 'Burmese Python' : 106}
print residents['Puffin']
print residents['Sloth']
print residents['Burmese Python']

menu = {}
menu['Chicken Alfredo'] = 14.50
menu['Spam'] = 2.50
print "There are " + str(len(menu)) + " items on the menu."
zoo_animals = { 'Unicorn' : 'Cotton Candy House','Rockhopper Penguin' : 'Arctic Exhibit'}
del zoo_animals['Unicorn']
zoo_animals['Rockhopper Penguin'] = 'Anything other'

beatles = ["john","paul","george","ringo","stuart"]
beatles.remove("stuart")
6. Lists and Functions

n = [1, 3, 5]
n.pop(0)

n = [3, 5, 7]
def print_list(x):
    for i in range(0, len(x)):
        print x[i]
print_list(n)

n = [[1, 2, 3], [4, 5, 6, 7, 8, 9]]
def flatten(x):
    r=[]
    for i in x:
        for j in i:
            r.append(j)
    return r
print flatten(n)
7. Loops

while count < 10:
    print "Hello, I am a while and count is", count
    count += 1

choice = raw_input('Enjoying the course? (y/n)')
while choice != 'y' and choice != 'n':
    choice = raw_input("Sorry, I didn't catch that. Enter again: ")

from random import randrange
random_number = randrange(1, 10)
count = 0
while count < 3:
    guess = int(raw_input("Enter a guess:"))
    if guess == random_number:
        print 'You win!'
        break
    count += 1
else:
    print 'You lose.'

for i in range(20):
    print i

word = "eggs!"
for c in word:
    print c

d = {'x': 9, 'y': 10, 'z': 20}
for key in d:
    print key,d[key]

choices = ['pizza', 'pasta', 'salad', 'nachos']
for index, item in enumerate(choices):
    print index+1, item

list_a = [3, 9, 17, 15, 19]
list_b = [2, 4, 8, 10, 30, 40, 50, 60, 70, 80, 90]
for a, b in zip(list_a, list_b):
    print max(a,b)

for i in range(1,10):
    print i
else:
    print i+1
8. Advanced Topics in Python

my_dict = {"Name": "Guido", "Age": 56, "BDFL": True}
print my_dict.items()
print my_dict.keys()
print my_dict.values()
for i in my_dict:
    print i, my_dict[i]

even_squares = [i ** 2 for i in range(1,11) if i ** 2 % 2 == 0]
print even_squares

l = [i ** 2 for i in range(1, 11)]
print l[2:9:2]

my_list = range(1, 11)
print my_list[::2]

to_one_hundred = range(101)
backwards_by_tens = to_one_hundred[::-10]
print backwards_by_tens

languages = ["HTML", "JavaScript", "Python", "Ruby"]
print filter(lambda l: l == "Python", languages)

squares=[i ** 2 for i in range(1,11)]
print filter(lambda s: 30 <= s <= 70, squares)

garbled = "IXXX aXXmX aXXXnXoXXXXXtXhXeXXXXrX sXXXXeXcXXXrXeXt mXXeXsXXXsXaXXXXXXgXeX!XX"
message = filter(lambda g: g != "X" , garbled[::])
print message
9. Introduction to Bitwise Operators

print 5 >> 4  # Right Shift
print 5 << 1  # Left Shift
print 8 & 5   # AND
print 9 | 4   # OR
print 12 ^ 42 # XOR
print ~88     # NOT

print 0b11 * 0b11 # 9

print bin(2) # 0b10

print int("0b11001001", 2) # 201

print bin(0b1110 & 0b101) # 0b100
print bin(0b1110 | 0b101) # 0b1111
print bin(0b1110 ^ 0b101) # 0b1011

def check_bit4(number):
    if number & 0b1000 == 0b1000:
        return "on"
    else:
        return "off"

a = 0b11101110
def flip(number):
    i = 0
    while 2**i-1 < number:
        i+=1
    return number^2**i-1
print bin(flip(a))
10. Introduction to Classes

class ShoppingCart(object):
    items_in_cart = {}
    def __init__(self, customer_name):
        self.customer_name = customer_name
    def add_item(self, product, price):
        if not product in self.items_in_cart:
            self.items_in_cart[product] = price
            print product + " added."
        else:
            print product + " is already in the cart."
    def remove_item(self, product):
        if product in self.items_in_cart:
            del self.items_in_cart[product]
            print product + " removed."
        else:
            print product + " is not in the cart."
my_cart = ShoppingCart("John")
my_cart.add_item("Aquarius",1)

class Employee(object):
    def __init__(self, employee_name):
        self.employee_name = employee_name
    def calculate_wage(self, hours):
        self.hours = hours
        return hours * 20.00
class PartTimeEmployee(Employee):
    def calculate_wage(self, hours):
        self.hours = hours
        return hours * 12
    def full_time_wage(self, hours):
        return super(PartTimeEmployee, self).calculate_wage(hours)
milton = PartTimeEmployee("Milton")
print milton.full_time_wage(10)
11. File Input and Output

my_list = [i**2 for i in range(1,11)]

f = open("output.txt", "w")
for item in my_list:
    f.write(str(item) + "\n")
f.close()

f = open("output.txt", "r")
print f.read()
f.close()

f = open("output.txt", "r")
print f.readline()
print f.readline()
f.close()

with open("text.txt", "w") as my_file:
    my_file.write("Success!")   
print my_file.closed # True
Posted by t0n1 0 comments
Labels: , ,
Subscribe to: Posts (Atom)