
some chaos for you

Challenge: Holiday Hack Objective 11b

Category: pwn?? blockchain??

We are given part of a blockchain and told there is an altered block somewhere. The goal was to find the four altered bytes in the new block and change them back to their original values, essentially reproducing the original block. In the objective description, there was a SHA256 of the changed block, which is the only indication of which block we should be looking at.

I ran a Python script to iterate through all the blocks until I found the one with the matching SHA256. I found that the altered…


Challenge: Holiday Hack Objective 11a

Category: pwn?? blockchain??

We are given a part of a blockchain and told to predict the nonce of block 130000. Since every block prior to the 130000th has a nonce, we can use the pseudo-randomness of these numbers to predict the future ones. With the PRNG predictor Python module (mersenne-twister-predictor or mt19937predictor), you can do this easily for both 32- and 64-bit numbers.

Using predictor.setrandbits() you can insert previous nonce values and the type of integer to generate new ones afterwards. Since the part of the blockchain given had 1548 blocks, I repeated this process 1548 times so that…


Challenge: Phonebook

Category: web security

We are given an instance of a website that requires us to log in when we navigate to it. There is a message indicating that there is a new update to how users can log in, and it is posted by someone who is likely an admin of the website.

After scanning the website, I first noticed that there is a reflected XSS vulnerability that exists with the message parameter in the URL leading to the login page. You could enter an img tag with JavaScript in the onerror attribute and the JavaScript would execute, which means there is…


Challenge: Impossible Password

Category: reverse engineering

We are given a file called “impossible_password.bin”. Using xxd, I looked at the header of the file and found out that it was actually an ELF, which meant that it could be executed. When I set execute permissions and ran the file, it prompted me for an input, which I guessed would be a password.

Since there seemed to be no other features to the program, I opened it in IDA to try to discern what the first input should be. The first thing you see after entering main is a string called “SuperSeKretKey” being stored in…


Challenge: WebNet0

Category: Forensics

We are given a Wireshark packet capture file called “capture.pcap” and an RSA key called “picopico.key”. When you open capture.pcap in Wireshark you see a TLS stream that is likely to hold the flag somewhere in it.

When you follow the TLS stream, you can tell that it’s obviously encrypted since that is the job of the protocol. You can still make out a few headers, but none of these contain relevant information to find the flag. Using the given key file, we can decrypt the TLS stream by setting an RSA key in Wireshark’s TLS preferences.

To…


Challenge: Investigative Reversing 3

Category: reverse engineering and forensics

We are given a binary called “mystery” and an image named “encoded.bmp”. When I opened mystery in IDA, I saw that three files were being opened, two that are being read from (flag.txt and original.bmp) and one that is being appended to (encoded.bmp). I renamed the streams that were returned after each fopen call with the name of the file it referenced.

The next few blocks of assembly dealt with error handling in case these files are not found. If this is the case, the program prints an output message telling you to run mystery…


Challenge: messy-malloc

Category: binary exploitation

We are given a binary and its source code, called “auth” and “auth.c”. By looking at auth.c, you can tell that this program is essentially a simple authentication program. There are a few important features of the source code that show us how everything works, which are the functions login, logout, and print_flag, as well as the user struct that looks like the following.

In order to get the flag, a user needs to have the correct access code. …


Challenge: OTP Implementation

Category: reverse engineering

We are given a binary called “otp” and a text file called “flag.txt”. If you execute otp, you will notice that you need to pass a key as an argument in order for the program to run. When I opened otp in IDA, I saw that this key is scrambled with unknown logic, then compared to another string. If these strings match, the program prints “You got the key, congrats! Now xor it with the flag!”

This indicates that flag.txt does not contain any part of the actual flag, and finding the key is likely the only…


Challenge: vault-door-6

Category: reverse engineering

We are given Java source code called “VaultDoor6.java”. Inside this file there is a password system, where if you input the correct password (or the flag) an “Access granted” message will be printed. There is only one significant method that we need to pay attention to, called checkPassword.

In order for access to be granted, the function must return true. If the password passed to the function is less than 32 characters, false is returned. If any character of the input password does not match the condition specified in the if statement, false is returned as well…


Challenge: Need For Speed

Category: reverse engineering

We are given a binary called “need-for-speed”. When you first run the program, there is no needed input from the user. The program simply starts generating a key, but exits before the process is finished with the message “Not fast enough. BOOM!”. When I opened the program in IDA, I saw that there were four main functions that controlled the program logic.

The header function is only responsible for printing the banner when the program is first run. If you look inside set_timer, you will see that there is a signal set up to terminate the program…

9710810511512197
