Posted: 6 Feb 2022 by Codehead
6 minute read
It’s been a while since I did any CTFs. I figured it would be fun to revisit the scene and see if I could learn something new.
Here’s a Web challenge from DiceCTF 2022. I really need to brush up and my web skills and I’ve never even looked at NodeJS before.
Challenge
web/knock-knock
BrownieInMotion
107 points
Knock knock? Who’s there? Another pastebin!!
https://knock-knock.mc.ax
Posted: 6 Feb 2022 by Codehead
6 minute read
Intro
Following on from breaking Wordle in my earlier post, I decided to use the data extracted from the app to try and work out the best starting words for the game.
I’ve seen a few articles about people’s chosen starter which is often based on vowel-heavy words. However, I have all the solutions and the valid words, so I can run some analysis and select a statistically accurate answer rather than guessing a word.
There is a lot of analysis, charts and statistical calculation below. The idea is to walk through the process so you understand why the words were selected. However, if you just want the results, scroll to the bottom of the page.
The solution list contains 2315 words. This means that Wordle has enough daily answers to run until Oct 21, 2027. The recent news that the game has been bought by the New York Times had people rushing to save a local copy of the game to play for free ‘forever’. Looks like we only have 5 years worth of games unless the answer list is extended.
The valid word list is much bigger at 10657 words. Some of the entries are pretty bizarre, so it wouldn’t be a good idea to use those as an extended solution list. However, if this was the answer list, the game could run until Aug 23, 2050. Only really an option if you’re happy with answers like: “aiyee”, “akkas”, “buhls”, “dzhos” and “thagi”.
Posted: 28 Jan 2022 by Codehead
3 minute read
Intro
The year is 2022 and EVERYONE is playing Wordle.
Wordle is a fun little word game that anyone can pick up and play. Six guesses to find a five letter word. It is surprisingly addictive.
However, after solving the daily puzzle I found I had to wait 24 hours for the next one. Like any self respecting hacker I wasn’t having that so I smashed F12 to have a dig around in the guts of the game.
Posted: 4 Mar 2019 by Codehead
6 minute read
I’ve been out of the CTF circuit for a while as I’ve been busy with work and life in general. However, I decided to get back into playing and TAMUCTF just happened to be running when I found some spare time.
I wanted to to do a quick write up to draw people’s attention to CyberChef. This is a tool developed by the folks at GCHQ, the UK’s communication intelligence and security agency.
CyberChef is incredibly useful for messing around with data in a visual manner. Sometimes you don’t have a Linux box or Python handy when you’re trying to solve a problem. However, if you have a browser, you can use CyberChef from just about anywhere.
Here’s a couple of solves from TAMUCTF’s easier crypto challenges as a demo:
Posted: 19 Feb 2018 by Codehead
3 minute read
Problem
Easy and Peasy
nc 35.200.197.38 8003
Europe: nc 35.205.196.143 8003
Like many of the EvlzCTF challenges, this one was a little light on detail, but good fun to complete.
Posted: 28 Jan 2018 by Codehead
2 minute read
Problem
Description: this chall sucks, you should watch VIE vs UZB match. :)
VIET NAM VO DICH!
Author: kad96
Website: Link
Visiting the website gave me a blank page. There had to be something more hidden here.
Posted: 23 Jan 2018 by Codehead
2 minute read
Challenge
Aalekh joined IIIT in 2014. Soon, he started selling T-shirts and hoodies. One day, Aalekh got a big order and trusted his childhood friend to handle the order. But his friend betrayed him and sold bad pieces. College students got angry and tried to beat Aalekh up. His good friend, Anshul, wanted to save him. To prevent Aalekh from going under loss, he has to sell 500 T-shirts on the market, the only condition being, customers have to be unique.
Can you help Anshul sell 500 T-shirts?
https://felicity.iiit.ac.in/contest/breakin/questions/uuid/
Flag Format: BREAKIN{[0-9A-Za-z_]+}
Posted: 13 Jan 2018 by Codehead
5 minute read
TL:DR
Command Files allow you to start up gdb in a way that saves you typing the same commands over and over, even doing some of the ‘driving’ for you. I’m not suggesting that this is the best way to use gdb but I found it really helpful and I saved a bunch of time. I’m blogging it for my own reference and to help others find a lesser known, but very useful feature of the tool.
Background
While working on the SLAE64 course assessments, I found myself jumping in and out of gdb a lot. Constantly rebuilding and refining my shellcode test binaries meant that I ended up in constant cycle of doing a whole heap of setup in gdb to get things the way I wanted them, only to spend a few seconds debugging the target, then quitting, tweaking the code, rebuilding and repeating the whole process again.
I’m not a great typist, but I keyed in this sequence so many times that I could probably do it in my sleep:
layout asm
layout reg
break _start
run
There has to be a better way.
Posted: 28 Nov 2017 by Codehead
12 minute read
After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the seventh and final assignment; build a payload encrypter/decrypter.
We have used payload encoders in previous assignments, but this time we will build a hidden payload that requires a key to decrypt.
The choice of encryption method is left to the student and I spent a good while looking at the various encryption methods:
- AES - A modern and widely used block cipher scheme. Very complex to implement and would probably require a 3rd party library, making the assignment pretty pointless.
- RC4 - A fast and relatively easy to implement stream cipher. Unfortunately, Vivek used RC4 in his demo, I didn’t want to repeat his work.
- FISH, Scream, MUGI, etc - Complex, limited implementation documentation (my maths isn’t up to scratch).
While researching these schemes I stumbled onto some of the more classical cryptography schemes.
While modern crypto schemes produce streams or blocks of pseudo-random noise which is generally XORed against the cleartext, classical ciphers tended to use relocation or shifting of characters. Simple rotational schemes such as Caesar’s cipher or ROT13 barely qualify as encryption, the encoding operation is either fixed or easily brute forced. However, a Substitution Cipher requires a mapping table and
this can be varied, forming a kind of key, although a large and cumbersome one.
The Vigenère cipher is a hybrid of substitution and rotation using a table built on an ascending rotation factor. However, it also makes use of a variable length key and so it is suitable for our needs.
Posted: 24 Nov 2017 by Codehead
11 minute read
After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the sixth assignment; take three x64 payloads from ShellStorm and create new, polymorphic versions which have the same functionality.
While this sounds super cool, what we’re actually doing is simply changing the content of the shellcode to try to evade detection by basic security tools that use signature based matching to recognise threats. A limitation of the assignment is to stay within 150% of the original payload size.