One day I spied out my friend accessing some google form to enter his secret combination lock. Afterwards, I kept bothering him about it, and he finally decided to give the link to me. Maybe you can figure out his combo for me and get a tasty flag in return: link We’re given a google form that’s doing all checking entirely on the client side. Inspecting the source code quickly show us the interesting data used to drive the form interactions: FB_PUBLIC_LOAD_DATA_.

Rails is secure by default so it’s perfect for my amazing notes app https://r0bynotes.chal.perfect.blue - source Note: If you find the flag, please remove the flag{..} wrapper and wrap it with pbctf{…} instead We’re presented with a ruby-on-rails application, which always comes with a lot of files, directory and other kinds of cruft, so let’s get down to the files that normally really matter: the controllers. (On the way to opening that folder, also note that there’s a read_flag binary, so we’ll need to get RCE.

I wanted to make my own URL scraper, but parsing HTML is hard, so I used some random open source scraping project instead. http://sploosh.chal.perfect.blue/ - links to the source When first opening the webpage, we’re also given the source. Looking at that, we find that the urls are submitted to a splash service, and we’re then just shown the (seemingly useless and constant) geometry information. Our target is to access flag.

I know there’s a famous attack on biased nonces. Then, how about this? source output Being aware of this paper early on, already when first seeing the challenge, we incorrectly conclude that the bounds for the lattice with 2 unknowns don’t match what we need for this challenge. After postponing trying to deal with lattice-induced headaches for a while, we eventually decide to implement the extended HNP based approach as described e.

The secret mainframe for a distributed hacker group has been discovered. We have managed to exfiltrate some of the code that it runs, but we don’t have a physical copy of their access badges. Can you still get the flag? source Remote: nc queensarah2.chal.perfect.blue 1 Note: enter flag as pbctf{lower_case_flag_text} Looking at the provided source, the cipher procedes in $2\lceil\log_2 |m|\rceil$ rounds to encrypt a message $m$. Each round replaces each bigram through the sbox (which is unknown and the key) $S$, and reorganizes the message such that all bigrams are broken up.

We are greeted with a binary file download and an initial investigation with file reveals a 32-bit ELF binary (stripped, of course): ➜ file happy_tree happy_tree: ELF 32-bit LSB pie executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=fd7f1b2d769e389444cc6eea0f801be7ebc6a7e4, stripped Upon opening the binary with my favourite disassembler, some unusual things reveal themselves: IDA is unable to find the main entrypoint (not that unusual, but more on that later) Address calculations seemed to be done in some sort of relative manner.

In this challenge, we’re looking at a modern type of pyjail escape. Upon first connecting, we’re informed about the source code of the challenge being available, so we can have a look at that first. #!/usr/bin/env python3 import pathlib import re import signal import sys import audit_sandbox if sys.version_info[:3] < (3, 8, 2): raise RuntimeError('Python version too old') WELCOME = f'''\ Welcome to PyAuCalc, an awesome calculator based on Python {'.

Babycrypt Challenge In this challenge, we’re given a stripped ELF 64-bit executable ‘bcry’ (redistributed in this repo) and ‘note.dat’: key: %key% text: test_test_test_test_test Encoded: 7685737a9f7895737a9f84857b769f7a657b769f78898378 key: %key% text: qwertyuiopasdfgh Encoded: 717785747885858d6f7e917364686776 key: %key% text: skIllaoInasJjklqo19akq9k13k45k69alq1 Encoded: 7393a992708d8fad708d83aa7273707d6f3939856b7d398bb53b8b34b573b6c5618e7135 key: %key% text: %flag% Encoded: 8185748f7b3b3a3565454584b8babbb8b441323ebc8b3a86b5899283b9c2c56d64388889b781 Note: in all three cases used one key It looks like the program they gave us was used to encode some text using the same key, including the flag.

This challenge seemed simple (it was also tagged easy, but not many teams solved it): You have a “game” server you connect to and can move your character around. The game server then tells you whether you fell into a pit, smelled a flag character, were next to a pit or if you “caught” a flag character. All of the source code was available to download, including a docker file for launching your own instance.

We start off with a single apk given. Running this through jadx-gui, we quickly find a list of API endpoints (some without the actual URL) in APIInterface and a base URL of http://66.172.33.148:5000/ (found in Utils): PostUserProf: no url yet getConf: api/get_config/{rolid} getDex: api/get_dex/{dex} getReg: api/userClass/register/{name} getShopItem: no url yet getShopOrder: no url yet getShopOrderD: no url yet getUserProf: no url yet Following through the logic for SplashScreen, we register a user for ourselves, and receive an encryption key, a role id and a uuid which serves as our authentication token.