#./keygen 4 "{a..z}" | xargs -I {} steghide extract -sf stega4.wav -p {}
#fcrackzip -u -c aA1! -p aaaaa flag.zip
#unzip -P 3L33t flag.zip && cat flag.txt
# CSCamp CTF Quals 2k13: Steganography - stega4.wav
Labels:
bruteforce,
crack,
cscamp,
ctf,
steganography
# rwthCTF 2k13 - smartgrid
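#cat grid.pub
#openssl rsa -pubin -inform PEM -text -noout < grid.pub | grep '('
#ipython
:import gmpy
:message = 2**1024
:modulus = gmpy.mpz(2**4096)
:cube_root = modulus.root(3)[0]
:if message < cube_root:
:    print "Go!"
## If the public exponent printed by openssl is 3 (presumably the case here), a message smaller than the cube root of the modulus is never reduced modulo n, so unpadded RSA does not protect it; a padding scheme such as OAEP removes this condition.
#cat netlib.py
#cat smartgrid.py
#./smartgrid.py 10.22.x.1 21721 tcp
References
http://h4des.org/blog/index.php?/archives/339-rwthCTF-2013-smartgrid-write-up.html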
# Connecting two private hosts through a public pivot
METHOD 1 (ssh)
A reverse ssh tunnel, from host1 to pivot
host1#ssh -R localhost:1337:localhost:1234 -f -N root@pivot
host1#nc -l localhost 1234
A local port-forwarding (-L) ssh tunnel, from host2 to pivot
host2#ssh -L localhost:1234:localhost:1337 -f -N root@pivot
host2#nc localhost 1234
Diagram
host2:r ---> host2:1234 --- pivot:1337 --- host1:1234
host2:r ---> host1:1234
METHOD 2 (netcat)
Two listeners at pivot
pivot#mkfifo p
pivot#nc -nvlp 1111 0<p | nc -nvlp 2222 1>p
A running service and a pipe between the local port at host1 and the pivot
host1#nc -nvlp 1234
host1#mkfifo p
host1#nc -nv pivot 1111 0<p | nc -nv localhost 1234 1>p
A connection from host2 to pivot/host1
host2# nc -nv pivot 2222
Diagram
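host2:r --> pivot:2222 --- pivot:1111 --- host1:1234
host2:r --> host1:1234
Unlike the ssh tunnels of METHOD 1, which bind to localhost and run inside an authenticated, encrypted session, this relay is plaintext and unauthenticated: each pivot listener serves whichever client connects first.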
# CSCamp CTF Quals 2k13: Reversing - Challenge (dotnet)
# file challenge.exe
Run challenge.exe:
. Username = Cookie
. Serial Number = Monsters
. Check
> Authentication failed!
Attach to the process using windbg:
>. Username = Cookie
>* Load SOS and symbols
>.loadby sos mscorwks; .symfix; .reload
>* Show all threads
>~
>* Show all managed threads
>!threads
>* Switch to thread 0 (new current thread)
>~0s
>* View the stack
>!clrstack
>* Show objects on the heap (MT = MethodTable)
>!dumpheap -type StarwareCTF_DotNetChall
>* Show what methods the object exposes
>!dumpmt -md 00a0732c
>* Method disassemble
>!U 00a072ac
>* Display one dword (4b)
>dd 0BF1464h L1
>* Method disassemble
>!U 00de5960
>* Set breakpoint at address
>bp 00de5987
>* Go
>g
. Serial Number = Monsters
. Check
>> Authentication failed!
>* Display Unicode chars
>du eax+c
>* Clear all breakpoints
>bc *
>* Go
>g
. Username = Cookie
. Serial Number = 0C81B9E71D6397203F2B7C73233FC5A4D9C6450D8037BB12BE9415B950AC3E521EA1B1C42B4ACD482C83FFBBA8212BE228A71FE544E463B59C344F1A41A55262
. Check
> Authentication successful. Waiting for flag
Reference
http://blog.botbie.com/2013/11/21/cscamp-ctf-quals-2013-reversing-150-write-up/
# NcN CTF 2k13: Canada (Base - 1200 pts)
#gunzip howtobasic.gz
#file howtobasic
#chmod +x howtobasic
#gdb --quiet ./howtobasic
(gdb)set disassembly-flavor intel
(gdb)info file
(gdb)run
(gdb)finish
1234567890
(gdb)finish
(gdb)finish
(gdb)finish
(gdb)finish
(gdb)finish
(gdb)finish
(gdb)finish
(gdb)b *0x080483b6
(gdb)run
1234567890
(gdb)x/2i 0x080483b6
(gdb)x/s $eax
(gdb)b *0x80483f5
(gdb)continue
(gdb)x/3i 0x080483f5
(gdb)b *0x80483fd
(gdb)continue
(gdb)x/2i 0x080483fd
(gdb)b *0x8048486
(gdb)continue
(gdb)x/4i 0x08048486
(gdb)x/xw $esp+0x14
(gdb)x/xw $esp+0x1c
(gdb)b *0x8048403
(gdb)continue
(gdb)x/20i 0x08048403
(gdb)x/5i 0x8048481
(gdb)quit
#cat canada.py
#./canada.py
#./howtobasic
# NcN CTF 2k13: Algeria (Base - 900 pts)
#echo -n '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' | xxd -p -r | tar xvjf -
#grep 'var loginScript' main.js | sed 's/var /exports./' > variable.js
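#nodejs
>ls = require('./variable.js');
## eval() executes the extracted login script with the full privileges of the node process, so this step belongs in a disposable VM or container
>eval(ls.loginScript.slice(2,-2));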
Labels:
ctf,
deobfuscation,
javascript,
ncn,
nodejs
# SecurityArtWork: Reversing challenge
#wget --quiet http://www.securityartwork.es/wp-content/uploads/2013/11/serial.exe
#file serial.exe
- Breakpoints
004019B5 |. E8 F6FCFFFF CALL serial.004016B0
00401776 . 83E8 0F SUB EAX,0F
004018FA . 39C2 CMP EDX,EAX
- Key function
004018D2 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004018D5 . 83C0 01 ADD EAX,1
004018D8 . 8B0485 00404000 MOV EAX,DWORD PTR DS:[EAX*4+404000]
004018DF . 8B1485 40704000 MOV EDX,DWORD PTR DS:[EAX*4+407040]
004018E6 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004018E9 . 83C0 02 ADD EAX,2
004018EC . 8B0485 00404000 MOV EAX,DWORD PTR DS:[EAX*4+404000]
004018F3 . 8B0485 40704000 MOV EAX,DWORD PTR DS:[EAX*4+407040]
004018FA . 39C2 CMP EDX,EAX
004018FC . 75 0C JNZ SHORT serial.0040190A
#cat serial.py
#./serial.py
#cat serials.py
C:\>serial.exe 0430400527053331
# CSCamp CTF Quals 2k13: Steganography - PNG
#file enc.png
#cat png.py
#./png.py
#file dec.png
Labels:
cscamp,
ctf,
steganography
# CSCamp CTF Quals 2k13: Crypto - public is enough! (400 points)
#grep -v - public.pem | tr -d '\n' | base64 -d | openssl asn1parse -inform DER -i
#grep -v - public.pem | tr -d '\n' | base64 -d | openssl asn1parse -inform DER -i -strparse 17
#openssl rsa -pubin -inform PEM -text -noout < public.pem
## Find p and q using this URL http://www.factordb.com/index.php
#ipython
:import gmpy
:p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
:q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
:totien = (p-1) * (q-1)
:e = 65537
:d = hex(gmpy.invert(e,totien))
:d
#cat rsatool.py
#./rsatool.py -p 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489 -q 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917 -n 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413 -e 65537
#ipython
:from Crypto.PublicKey import RSA
:keypair = RSA.generate(1024)
:keypair.n = 1230186684530117755130494958384962720772853569595334792197322452151726400507263657518745202199786469389956474942774063845925192557326303453731548268507917026122142913461670429214311602221240479274737794080665351419597459856902143413
:keypair.e = 65537
:keypair.d = 703813872109751212728960868893055483396831478279095442779477323396386489876250832944220079595968592852532432488202250497425262918616760886811596907743384527001944888359578241816763079495533278518938372814827410628647251148091159553
:keypair.p = 33478071698956898786044169848212690817704794983713768568912431388982883793878002287614711652531743087737814467999489
:keypair.q = 36746043666799590428244633799627952632279158164343087642676032283815739666511279233373417143396810270092798736308917
:private = open('private.pem','w')
:private.write(keypair.exportKey())
:private.close()
:exit
#openssl rsautl -decrypt -in message.enc -out /dev/tty -inkey private.pem
#cat RSAcrack.py
#cat message.enc | ./RSAcrack.py -d 740de48760442835baad5e1990453a9d16db7976d3f8bb98bf99c0c01cbe9b9c12b808c80683d1e346c16c79ac162874f28ca610c1b97e5e1ffae95725ce0c6b031c3e188b17187a793b322cc4004c568e76c9b258542ea2a2d6ecd462fff401 cad984557c97e039431a226ad727f0c6d43ef3d418469f1b375049b229843ee9f83b1f97738ac274f5f61f401f21f1913e4b64bb31b55a38d398c0dfed00b1392f0889711c44b359e7976c617fcc734f06e3e95c26476091b52f462e79413db5 | strings
# CSCamp CTF Quals 2k13: Steganography - Stego 3
Sam says "I love you, no really."
Mike says "Hot steamy grits!"
Mike says "Hot steamy grits!"
Mike says "No."
Sam says "Get off my colon"
Harold says "Who said OJ?"
Sam says "Who said OJ?"
JYA says "Jason paid me for it."
Harold says "Jason paid me for it."
Kenny says "Jason paid me for it."
Jason says "But I read slash-dot"
Phil says "Well smother me in curry sauce and lick me."
Adam says "Did he mean to die just then?"
Phil says "Mike - you ladyboy!"
Mike says "I said, you've got beautiful eyes."
Andy says "Mine's a pint"
Adam says "I'm so excited"
Adam says "I said, you've got beautiful eyes."
Adam says "So avoid that then!"
Harold says "Did he mean to die just then?"
JYA says "But I read slash-dot"
Phil says "Show me the fish!"
Sam says "Okay, now think of a funny line"
Mike says "Well smother me in curry sauce and lick me."
Adam says "Who said OJ?"
Mike says "Mike - you ladyboy!"
JYA says "Okay, now think of a funny line"
Adam says "Jason paid me for it."
Sam says "I never talk politics."
Mike says "Mmmm ... "
Harold says "Okay, now think of a funny line"
Mike says "Mine's a pint"
JYA says "Mike - you ladyboy!"
Kenny says "Who said OJ?"
Andy says "Alive"
Jason says "I'm so excited"
Kenny says "No."
Kenny says "No."
Andy says "I'd say Thursday"
JYA says "I'll be your private dancer, a dancer for money, I'll do what you want me to do."
Mr Hanky says "Mine's a pint"
JYA says "What does MPEG mean?"
Andy says "Has anyone noticed the plot is straying from ... well reason, really... "
JYA says "Mike - you ladyboy!"
Mike says "Mike - you ladyboy!"
Mike says "I said, you've got beautiful eyes."
Jason says "Has anyone noticed the plot is straying from ... well reason, really... "
Mr Hanky says "What does MPEG mean?"
Sam says "I'll be your private dancer, a dancer for money, I'll do what you want me to do."
Harold says "Who said OJ?"
Mike says "I'd say Thursday"
Sam says "So avoid that then!"
Harold says "What does MPEG mean?"
Mike says "Hot steamy grits!"
Kenny says "Did he mean to die just then?"
Kenny says "Well smother me in curry sauce and lick me."
Harold says "Did he mean to die just then?"
Adam says "But I read slash-dot"
Phil says "So avoid that then!"
Sam says "Mine's a pint"
Andy says "So avoid that then!"
end of scene
#wget --quiet http://web.archive.org/web/20100826055053/http://www.scramdisk.clara.net/play/playmaker.zip
## Use playmaker to get the URL
#wget --quiet http://www.mediafire.com/download/5fppbkaujddijuk/bruteme.rar
#while read line; do result=`unrar x bruteme.rar -p$line 2> /dev/null | grep OK`; if [ "$result" != "" ]; then echo "Password = '$line'"; break; fi; done < dic.txt && cat Flag.txt
Labels:
cscamp,
ctf,
steganography
# CSCamp CTF Quals 2k13: Forensics - Forensics 1 (200 points)
#cat dataNov-8-2013.sql
#names=$(while read line; do hex=`echo "$line" | xxd -p | tr -d '\n'`; if [ "`echo $hex | grep 0d`" != "" ]; then echo "`grep -A 1 "$line" dataNov-8-2013.sql | tail -n 1 | awk -F '"' '{print $2}'`"; fi; done < dataNov-8-2013.sql | tr '\n' ',')
#echo -n ${names:0:-1} | md5sum
# RSA operation
Key generation
p # prime number
q # prime number
n # modulus
n = p * q
totien(n) = (p - 1) * (q - 1)
e # public key exponent
1 < e < totien(n) and gcd(e, totien(n)) = 1
d # private key exponent

# Method 1
d = gmpy.invert(e, totien(n))

# Method 2
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, y, x = egcd(b % a, a)
        return (g, x - (b // a) * y, y)

def modinv(a, m):
    g, x, y = egcd(a, m)
    if g != 1:
        return None # modular inverse does not exist
    else:
        return x % m

d = modinv(e, totien(n))

# Method 3
d = 1
while True:
    if (e * d - 1) % totien_n == 0:
        print d
        break
    else:
        d += 1

(e, n) # public key
(d, n) # private key
Example
p = 61
q = 53
n = 53 * 61 = 3233
totien(3233) = (53 - 1) * (61 - 1) = 3120
e = 17
d = modinv(e, totien(3233)) = 2753
(17, 3233) # public key
(2753, 3233) # private key
m = 65 # message
c # ciphertext
Encryption
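c = m**e % n = pow(m, e, n)
c = 65**17 % 3233 = pow(65, 17, 3233) = 2790
# This is textbook (unpadded) RSA; real systems apply a padding scheme such as OAEP to m before this step.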
Decryption
m = c**d % n = pow(c, d, n)
m = 2790**2753 % 3233 = pow(2790, 2753, 3233) = 65

# CRT (to speed up calculation)
dp = d % (p - 1) = 2753 % (61 - 1) = 53
dq = d % (q - 1) = 2753 % (53 - 1) = 49
qinv = modinv(q, p) = modinv(53, 61) = 38
m1 = c**dp % p = 2790**53 % 61 = 4
m2 = c**dq % q = 2790**49 % 53 = 12
h = (qinv * (m1 - m2)) % p = (38 * (4 - 12)) % 61 = 1
m = m2 + (h * q) = 12 + (1 * 53) = 65
References
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
https://en.wikipedia.org/wiki/Chinese_remainder_theorem
https://factordb.com
Labels:
chinese_remainder_theorem,
key,
prime,
rsa
# Codecademy: Ruby
1. Introduction to Ruby
my_num = 25
my_boolean = true
my_string = "Ruby"

3+3
3-3
3*3
3/3
3**3
3%3

puts "What's up" # newline
print "Montalvo"

"I love espresso".length
"Eric".reverse
puts "eric".upcase
puts "ERIC".downcase
puts "Eric".downcase.reverse.upcase

=begin
I'm a comment!
I don't need any # symbols.
=end

print "What's your first name?"
first_name = gets.chomp
first_name.capitalize!
puts "Your name is #{first_name}"
2. Control Flow in Ruby
x = 1
y = 2
if x < y
  puts "x is less than y!"
elsif x > y
  puts "x is greater than y!"
else
  puts "x equals y!"
end

hungry = false
unless hungry
  puts "I'm writing Ruby programs!"
else
  puts "Time to eat!"
end

is_true = 2 != 3
is_false = 2 == 3
test_1 = 17 > 16
test_2 = 21 < 30
test_3 = 9 >= 9
test_4 = -11 <= 4

true && true # => true
false || false # => false
!true # => false
(3 < 4 || false) && (false || true)
3. Looping with Ruby
counter = 1
while counter < 11
  puts counter
  counter += 1
end

counter = 1
until counter > 11
  puts counter
  counter += 1
end

for num in 1...10 # 1-9
  puts num
end

for num in 1..10 # 1-10
  puts num
end

i = 20
loop do
  i -= 1
  next if i % 2 != 0
  print "#{i}"
  break if i <= 0
end

my_array = [1,2,3,4,5]

array = [1,2,3,4,5]
array.each do |x|
  x += 10
  print "#{x}"
end

odds = [1,3,5,7,9]
odds.each do |n|
  print n*2
end

10.times { print "Chunky bacon!" }
4. Arrays and Hashes
demo_array = [100, 200, 300, 400, 500]
print demo_array[2]

multi_d_array = [[0,0,0,0],[0,0,0,0],[0,0,0,0],[0,0,0,0]]
multi_d_array.each { |x| puts "#{x}\n" }

my_hash = {
  "name" => "Eric",
  "age" => 26,
  "hungry?" => true
}
puts my_hash["name"]
puts my_hash["age"]
puts my_hash["hungry?"]

pets = Hash.new
pets["Stevie"] = "cat"
pets["John"] = "dog"
pets.each { |x, y| puts "#{x}: #{y}" }
5. Blocks and Sorting
def puts_1_to_10
  (1..10).each { |i| puts i }
end
puts_1_to_10

def cubertino(n)
  puts n ** 3
end
cubertino(8)

def what_up(greeting, *bros)
  bros.each { |bro| puts "#{greeting}, #{bro}!" }
end
what_up("What up", "Justin", "Ben", "Kevin Sorbo")

my_array = [3, 4, 8, 7, 1, 6, 5, 9, 2]
my_array.sort!

book_1 = "A Wrinkle in Time"
book_2 = "A Brief History of Time"
c = book_1 <=> book_2 # -1 (<), 0 (=), 1 (>)
6. Hashes and Symbols
symbol_hash = {
  :symbol1 => 1, # symbol1: 1,
  :symbol2 => 2, # symbol2: 2,
  :symbol3 => 3 # symbol3: 3
}

strings = ["HTML", "CSS", "JavaScript", "Python", "Ruby"]
symbols = Array.new
strings.each do |string|
  symbols.push(string.to_sym) # or string.intern
end

movie_ratings = {
  memento: 1,
  primer: 2,
  the_matrix: 3,
}
good_movies = movie_ratings.select { |m, r| r > 2 }
movie_ratings.each_key { |k| puts k }
movie_ratings.each_value { |v| puts v }
7. Refactoring
ruby_is_eloquent = true
ruby_is_ugly = false
puts "Ruby is eloquent!" if ruby_is_eloquent
puts "Ruby's not ugly!" unless ruby_is_ugly

puts 1>0 ? "True" : "False" # Ternary conditional expression

case greeting
when "English" then puts "Hello!"
when "French" then puts "Bonjour!"
when "German" then puts "Guten Tag!"
when "Finnish" then puts "Haloo!"
else puts "I don't know that language!"
end

favorite_book = nil
favorite_book ||= "Guide to Ruby" # set
favorite_book ||= "Guide to Perl" # not set

def add(a,b)
  return a + b # a + b (without return)
end

"L".upto("P") { |l| puts l }

age = 26
age.respond_to?(:next) # true (27)

alphabet = ["a", "b", "c"]
alphabet << "d" # alphabet.push("d")

caption = "A giraffe surrounded by "
caption << "weezards!" # caption += "weezards!"

age = 26
"I am " + age.to_s + " years old."
"I am " << age.to_s << " years old."
"I am #{age} years old."
8. Blocks, Procs, and Lambdas
fibs = [1, 1, 2, 3, 5, 8, 13, 21, 34, 55]
doubled_fibs = fibs.collect { |f| f*2 }

def double(p)
  yield p
end
double(1){ |x| x*2 }

floats = [1.2, 3.45, 0.91, 7.727, 11.42, 482.911]
round_down = Proc.new { |x| x.floor }
ints = floats.collect(&round_down)

hi = Proc.new { puts "Hello!" }
hi.call

numbers_array = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
strings_array = numbers_array.collect(&:to_s)

strings = ["leonardo", "donatello", "raphael", "michaelangelo"]
symbolize = lambda { |s| s.to_sym }
symbols = strings.collect(&symbolize)
9. Object-Oriented Programming, Part I
class Person
  def initialize(name)
    @name = name
  end
end
me = Person.new("Eric")

class MyClass
  $my_variable = "Hello!" # global var
end
puts $my_variable

class Person
  @@people_count = 0 # class variable
  def initialize(name,age,profession)
    @name = name # instance var
    @age = age
    @profession = profession
  end
end

class ApplicationError
  def display_error
    puts "Error! Error!"
  end
end

class SuperBadError < ApplicationError # inheritance
  def display_error # override
    puts "SuperError! SuperError!"
    super # call parent method
  end
end
err = SuperBadError.new
err.display_error
10. Object-Oriented Programming, Part II
class Dog
  def initialize(name,breed)
    @name = name
    @breed = breed
  end

  public
  def bark
    puts "Woof!"
  end

  private
  def id
    @id_number = 12345
  end
end

module Circle
  PI = 3.141592653589793
  def Circle.area(radius)
    PI * radius**2
  end
  def Circle.circumference(radius)
    2 * PI * radius
  end
end

puts Math::PI

require 'date'
puts Date.today

module Action
  def jump
    @distance = rand(4) + 2
    puts "I jumped forward #{@distance} feet!"
  end
end

class Rabbit
  include Action
  attr_reader :name
  def initialize(name)
    @name = name
  end
end
peter = Rabbit.new("Peter")
peter.jump

module ThePresent
  def now
    puts "Time"
  end
end

class TheHereAnd
  extend ThePresent
end
TheHereAnd.now
Labels:
codecademy,
course,
ruby
# NcN CTF 2k13: Australia (Base - 500 pts)
#file derp
#chmod +x derp
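## Turns ASLR off for the whole system so addresses stay identical between runs; the usual default is 2 (echo 2 > /proc/sys/kernel/randomize_va_space restores it)
#echo 0 > /proc/sys/kernel/randomize_va_space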
#gdb --quiet ./derp
(gdb)set disassembly-flavor intel
(gdb)break main
(gdb)run
(gdb)disassemble main
(gdb)x/6i 0x080483a4
(gdb)x/xw 0x80d1088
(gdb)break *0x80483b7
(gdb)continue
(gdb)info registers eax
(gdb)x/s 0x80d5298
(gdb)break *0x804841a
(gdb)continue
(gdb)disassemble
(gdb)x/3i 0x0804849c
(gdb)break *0x0804849c
(gdb)continue
(gdb)x/xb $ebp-0x4
(gdb)x/xb $ebp+0xc
(gdb)x/64xb 0x080b2224
(gdb)x/3i 0x0804848b
(gdb)break *0x0804848b
(gdb)continue
(gdb)info registers eax
(gdb)info registers ecx
(gdb)info registers edx
(gdb)quit
#python -c 'list=[0xeb,0xe8,0xbf,0xe4,0xea,0xbe,0xba,0xe4,0xe5,0xea,0xe8,0xea,0xe8,0xee,0xe9,0xba,0xea,0xe8,0xeb,0xba,0xbf,0xba,0xeb,0xea,0xe8,0xef,0xbd,0xba,0xed,0xe9,0xba,0xee,0xe9,0xed,0xbe,0xed,0xe4,0xea,0xbe,0xba,0xe9,0xe4,0xbd,0xea,0xb8,0xe9,0xb8,0xbf,0xeb,0xb9,0xbe,0xe4,0xbe,0xba,0xe5,0xbf,0xba,0xbf,0xe5,0xb8,0xec,0xe8,0xbf,0xb8]; print "".join(chr(i^0xdc) for i in list)' | ./derp
# NcN CTF 2k13: USA (Flag)
#tcpflow -C -r traffic.pcap
#tshark -n -q -r traffic.pcap -z "follow,tcp,ascii,0"
#scapy
>>>us=rdpcap("traffic.pcap")
>>>us[0]
>>>exit()
#iptables --table mangle --append PREROUTING --dport 6969 --jump TOS --set-tos 0x90
#nc --source-port 45887 192.168.69.5 6969
$echo 'CookieMonsters' > /tmp/SCORE_POINTS