From ae55611a3ecf912c144ccbefc6976958a41291bc Mon Sep 17 00:00:00 2001
From: 54toshi
Date: Tue, 17 Dec 2024 02:55:34 +0100
Subject: [PATCH] 2024 htb university ctf
---
2024_htb_universityctf/warmup | Bin 0 -> 15840 bytes
2024_htb_universityctf/writeup.md | 68 ++++++++++++++++++++++++++++++
README.md | 5 ++-
3 files changed, 71 insertions(+), 2 deletions(-)
create mode 100755 2024_htb_universityctf/warmup
create mode 100644 2024_htb_universityctf/writeup.md
diff --git a/2024_htb_universityctf/warmup b/2024_htb_universityctf/warmup new file mode 100755 index 0000000000000000000000000000000000000000..35197f62b6cd012fa4787107b0d8db67af9bf16a GIT binary patch literal 15840 zcmeHOe{39A5q@{E8;3Tr6B6PikSwK%+*Y~RiQ_n_OwUQqS(p4UiBnXdtj~9A`-pw# z-klStqQ%Ihs_R;$5-J7tkAOe~q)G*vXuZSls2JCj&I)1 zY}TtY6of!RJJ#;^=9`)K-p=mrz4gw0HnzJZ911CsdFsQ8v=dbh6Jh`a$bfQC5}{zo8q`Bj&qU6n_`rF zQch@V-prrGhQ3VMGf7J@?*V2D?u6Wqllxt zyjzjeyr0LL>pawQ{slR$YC~_Tv!Q-NZ*qNaDm^f`ez37&eM5aDmx*lDQ=oa(Vxwzn z*WQCFJfsT5Nqk6!X6a$p;i83nmtv!|Q~Y->j{iKp^b6nk%!%tOp04@*h47^<>&SV} zTYd2qF^R#r)s;%edsC0vsy~}b=exkBa+$=|tyV4(Pj~6A`}!5d(goF^cI|H6zQfuW z+2Xe9-PXp)X1BemURkZ}d#t3LwYyWfyq#^|v!geYw%g;Ky*7sF?#rZkI+o*F(hk-!;{gvr`2v;&OA?OL%<@2*VmBJ}2SAEPa)q0sa!ur6<)B?JSKgaq@&peBdX;_Ux zCz1P}+;5IAcKAuYuL&PzJ{ooGF3)=5eut-f09}hBuX=d?C~MP%hsOk6ne_0tyDaXv z9{vswucD4ZUn_iz)I^1c_kJF$JiPwC(cbu;^YC;GB1Y6{QUCnarHL93FS#H?t%rXP z5rG652r>|4Ajm+Ffgl4x2L8ni{H1dB-^}4F73OI9nGH&r#|rsyal#z_Nd>K#l`3w& z0J^yLXV_P+iK0b%51D4BijcKGCY_dKGZR|>0qL|9n<;4hyQI_7Y34<(f17k#GR>UO z`qxOOrP9oCt$&4dS|ZI1L8tlE{h@W_wNIHNzcYs~U2SWR)fMW_n`2F|>Sq*GDXbv|$MNM<$_54C} zw28(oE*r#tI)Q^ZTYeGE(8J@m<~!bXt4;Z({${%2dk}pbz?rErM;@Cz7rR1}zI^X! 
z?24I~Fh^sPW@w`Flp4Nz&zM<0iygV}WYuu&N=TEF+I8gIbn<4gXl@=k8>9z1D|#R}%guS|6I z_6>BV)pOJBn5#K<@U+KVgRzbkD!*8$JXJvCwWN9PQr&&NeEJGP-NB>&fyc`G@w9;< zUZ%sH{)IcvSvsL!(?!>GZn_Rrz{y<BbPD?vQKL^}xGseeMBfZ_bO&b$5` zxK}>SAdnyfK?Z^h1Q`f25M&_8K#+kT13?CY4E+COAcS`{u{7Q!8TlUD=#S@eM>5&u zHbbqg-QBWY{b!)#YO&Y`eCUm0 z@i_4NKzd)-@aJOjB9LUM11j|Beia(53az?he#LP-&=XJZ{43DMI`Y{$U%!gF3(b0L z{TO2is1{YVEUJE>^7bPYL+bvO_uaGUt~-e~u+cliGl=g1s^&#iPlR_Yye&37FZ>_| z0Y&`}VY>mJ$AGR+cu+f#{RFm;W8TjIZ`q%AIv_5PAOk@Lf(!&12r>|4Ajm+Ffgl4x z27(Oyk24_kby81G2XAX1Z8?Wk%QqX37gX|C6!7tJIm9dMs3rIv0v z^9B>bcko1H-UarPT0t5AouYF*Fl$%5+SJEa#qoIcsCCIR9x1i{79a0*)@9y2%zquE ze%wEB178O%j1Mw)F&<`og7H~K=_eX>TDx}a*k;tAO8IW1u0FCcQfF+e-B@4SSc~e_ z(x$C-wbDrmq)I*|~!?r{%QrEezRsWv>+%e5#=ac84mm2q5;Hy-%GNZEtUL^l;rIOFB zSWgiziU-fn!C#t#e;YiF>p!kCoS0JmF9&ZR#xLu@FAi5LxlY8siFm3qHXNpm4coy} z-oDIv>tKE#_$swRwMCg=xB(>p6MS9j{~3X6XMca*I=KJCd=UEoJMgzP&z*YUaqu*M ze?L!wH#~mQ{5p93k0>D+Uje@)jJq$-(=}7scqE~$oe%A8-qX4RMcnuhSuxXU+26b; zW|=$pD{I&8ecPLNTl-pC4#e86_U7%oV<_+T7oSI^jQpRJi62I7dNQ83E%|RB*Sfp$ zRB}#r@3RQYMoe5$ZF`FA-)Gx>HS(^po~z(pg1WaX>dh%t=X!XbeRe6kmCR+Vo_IP* zW$vx}5SUD*t%01KRNZ#k&eGu=vX3guPAAcMXD-Kmb5*{#{@xvE3p`OkZ^icRwEj`K z{OqEBH(VbFvXNIRk~`X$k9Pv|SqFQhg&zRe*?tvCXYzKWJ3SET&u04VZ2qW+>KsVn zhbE~cQ_b63*XQHiO1t;Ob3H1OJetN34(79t<*=R2r84PRiUnKN?u}CbxB7eYDx#+u z$=icy>oXY1X7u@t*gaNPHr{7jJxRoh=0sTWY&MRGQiQb8al9{;z^EDYgl=TOjwXd`ZKZK3G^CiBK;{~Izc}3O(!qLy( zyzzq^FG$}bUXlBlaII)~rF{qgj@^A^?+GJjcD3Ci)yy2?NQIO1tdCGoQE z5|rPq(Htqy5-;nY6gZl)#LGHPP}Xg5(L#NAub zo8ZVr;^lW#g$?AbRE-1fUg8C5ed~>v=dNjvZ*wD^hQtYm5$uhZ^<-nM<1h1+ZY0jt z5lo!SU)EtJ$NT+hEUzr&@!8!qNxbK0&DtjMUX*Lk4Mt-~I^>DbeVERZ%t!8@3&6?T f(R5{KlhgdE48#_niZycS_}FGA;C;RTpQ`>2h&H!b literal 0 HcmV?d00001 diff --git a/2024_htb_universityctf/writeup.md b/2024_htb_universityctf/writeup.md new file mode 100644 index 0000000..fc78cbe --- /dev/null +++ b/2024_htb_universityctf/writeup.md 
@@ -0,0 +1,68 @@
+# rev
+
+## warmup
+
+```c
+// PSEUDOCODE -> IDA DECOMPILER
+
+int __fastcall main(int argc, const char **argv, const char **envp)
+{
+ char v4[56]; // [rsp+0h] [rbp-40h] BYREF
+ unsigned __int64 v5; // [rsp+38h] [rbp-8h]
+
+ v5 = __readfsqword(0x28u);
+ printf("Enter the password: ");
+ __isoc99_scanf("%49s", v4);
+ if ( validate_password(v4) )
+ puts("Access granted!");
+ else
+ puts("Access denied!");
+ return 0;
+}
+
+_BOOL8 __fastcall validate_password(const char *a1)
+{
+ char s2[8]; // [rsp+17h] [rbp-49h] BYREF
+ char v3; // [rsp+1Fh] [rbp-41h]
+ char dest[56]; // [rsp+20h] [rbp-40h] BYREF
+ unsigned __int64 v5; // [rsp+58h] [rbp-8h]
+
+ v5 = __readfsqword(0x28u);
+ *(_QWORD *)s2 = 'b_I\x1ESS G';
+ v3 = 0;
+ strcpy(dest, a1);
+ generate_key(dest);
+ return strcmp(dest, s2) == 0;
+}
+
+// keygen
+size_t __fastcall generate_key(const char *input)
+{
+ size_t result; // rax
+ int i; // [rsp+1Ch] [rbp-14h]
+
+ for ( i = 0; ; ++i )
+ {
+ result = strlen(input);
+ if ( i >= result )
+ break;
+ input[i] = (input[i] ^ 0x2A) + 5;
+ }
+ return result;
+}
+```
+
+solution
+
+```py
+solution = bytes.fromhex("625F491E53532047")[::-1] # [::-1] wegen LE
+
+key = str()
+for i in range(len(solution)):
+ for j in range(128):
+ if solution[i] == (j ^ 0x2A) + 5:
+ key += chr(j)
+print(f"key: {key}")
+```
+
+`echo 'h1dd3npw' | ltrace ./warmup`
diff --git a/README.md b/README.md
index f7c294c..33f43bf 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@ ## writeups
-Writeups for ctfs in which I participate.
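Review bot: The new writeup.md gives the decompiled functions and the solver with no sentence connecting them, so a reader has to work out alone that `validate_password` compares the transformed input against an 8-byte constant. A line before the `py` block such as `generate_key maps each byte c to (c ^ 0x2A) + 5, so each password byte is (b - 5) ^ 0x2A for the bytes b of the constant read in little-endian order` would document that. With the inverse stated, the inner `for j in range(128)` search can become `key = "".join(chr((b - 5) ^ 0x2A) for b in solution)`, and the comment `# [::-1] wegen LE` would read better in English as `# reversed: the constant is stored little-endian`. The closing `ltrace ./warmup` line runs the binary committed alongside the writeup, so it is worth adding that this should be done in a disposable VM or container.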
+Writeups for [ctfs](https://en.wikipedia.org/wiki/Capture_the_flag_\(cybersecurity\)) in which I participate.
### CTFs
@@ -14,6 +14,7 @@ Writeups for ctfs in which I participate.
| [openECSC 2024 round 2](https://open.ecsc2024.it/) | 2024-04-22 | solo | 129 | - | 2700 | [writeups](2024_OpenECSC/round2.md) |
| [justctf 2024](https://https://2024.justctf.team/) | 2024-06-05 | TeamAustria | 3 | 437 | - | [writeups](2024_justctf/writeup.md) |
| [uiuctf 2024](https://2024.uiuc.tf/) | 2024-06-29 | TeamAustria | 4 | 959 | - | [writeups](2024_uiuctf/writeup.md) |
+| [HTB University ctf 2024](https://www.hackthebox.com/universities/university-ctf-2024) | 2024-12-15 | - | - | - | - | [writeups](2024_htb_universityctf/writeup.md) |
### other writeups
@@ -22,7 +23,7 @@ hackthebox writeups: [HTB](HTB)
### Profiles
-tryhackme profile: https://tryhackme.com/p/53toshi
+tryhackme profile: https://tryhackme.com/p/54toshi
hackthebox profile: https://app.hackthebox.com/profile/1743550
ctftime: https://ctftime.org/user/179019
ctftime P01s0n3d_Fl4g: https://ctftime.org/team/273774