[pbctf 2020] Gcombo

One day I spied out my friend accessing some google form to enter his secret combination lock. Afterwards, I kept bothering him about it, and he finally decided to give the link to me. Maybe you can figure out his combo for me and get a tasty flag in return: link

We're given a Google Form that does all of its checking entirely on the client side. Inspecting the source code quickly shows us the interesting data used to drive the form interactions: FB_PUBLIC_LOAD_DATA_.

[pbctf 2020] R0bynotes

Rails is secure by default so it's perfect for my amazing notes app https://r0bynotes.chal.perfect.blue - source Note: If you find the flag, please remove the flag{..} wrapper and wrap it with pbctf{…} instead

We're presented with a Ruby on Rails application, which always comes with a lot of files, directories and other kinds of cruft, so let's get down to the files that normally really matter: the controllers. (On the way to opening that folder, also note that there's a read_flag binary, so we'll need to get RCE.

[pbctf 2020] Sploosh

I wanted to make my own URL scraper, but parsing HTML is hard, so I used some random open source scraping project instead. http://sploosh.chal.perfect.blue/ - links to the source

When first opening the webpage, we're also given the source. Looking at that, we find that the URLs are submitted to a Splash service, and we're then just shown the (seemingly useless and constant) geometry information. Our target is to access flag.

[pbctf 2020] LeaK

I know there's a famous attack on biased nonces. Then, how about this? source output

Being aware of this paper early on, already when first seeing the challenge, we incorrectly conclude that the bounds for the lattice with 2 unknowns don't match what we need for this challenge. After postponing trying to deal with lattice-induced headaches for a while, we eventually decide to implement the extended HNP based approach as described e.

[pbctf 2020] Queensarah2

The secret mainframe for a distributed hacker group has been discovered. We have managed to exfiltrate some of the code that it runs, but we don't have a physical copy of their access badges. Can you still get the flag? source Remote: nc queensarah2.chal.perfect.blue 1 Note: enter flag as pbctf{lower_case_flag_text}

Looking at the provided source, the cipher proceeds in $2\lceil\log_2 |m|\rceil$ rounds to encrypt a message $m$. Each round replaces each bigram through the sbox $S$ (which is unknown and serves as the key), and reorganizes the message such that all bigrams are broken up.