A note for 0CTF 2015

web / mislead

Padding Oracle Attack in Cookie

web / golden mac 1

Download the .DS_Store file from http://202.112.26.102/g0ldenM4c/.DS_Store.
It reveals that the flag is at http://202.112.26.102/g0ldenM4c/u_can_not_guess_this_haha.
Then upload a .docx file that contains an XXE payload to read the flag.

php://filter/convert.base64-encode/resource=u_can_not_guess_this_haha.php  
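
The server-side check that would have stopped this upload, as an added example that is not part of the original note or the challenge code: a .docx is a zip of XML parts, and none of them legitimately needs a DTD, so any `DOCTYPE` or `ENTITY` declaration is grounds to reject the file before it reaches an XML parser. The names `scan_ooxml` and `make_docx` are hypothetical and both sample documents are constructed.

```python
import io
import re
import zipfile

# Any DTD or entity declaration; OOXML parts never legitimately need one.
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.I)
# A declaration carrying an external identifier (SYSTEM/PUBLIC).
EXTERNAL_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b[^>\[]*\b(SYSTEM|PUBLIC)\b", re.I)
XML_SUFFIXES = (".xml", ".rels")
MAX_PART_BYTES = 8 * 1024 * 1024  # refuse oversized parts (zip-bomb guard)


def scan_ooxml(data: bytes) -> list[tuple[str, str]]:
    """Return (part name, finding) pairs; an empty list means accept."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<container>", "not a zip archive")]
    with archive:
        for info in archive.infolist():
            if not info.filename.lower().endswith(XML_SUFFIXES):
                continue
            if info.file_size > MAX_PART_BYTES:
                findings.append((info.filename, "part too large"))
                continue
            raw = archive.read(info)
            # A UTF-16 part (BOM present) would hide from the byte regexes.
            if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
                raw = raw.decode("utf-16", errors="replace").encode("utf-8")
            if EXTERNAL_RE.search(raw):
                findings.append((info.filename, "external entity"))
            elif DTD_RE.search(raw):
                findings.append((info.filename, "DTD declaration"))
    return findings


def make_docx(document_xml: bytes) -> bytes:
    """Build a minimal constructed .docx-like zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


CLEAN = make_docx(b'<?xml version="1.0"?><w:document/>')
SUSPECT = make_docx(  # constructed sample with a placeholder system identifier
    b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY x SYSTEM '
    b'"file:///constructed-placeholder">]><w:document>&x;</w:document>')
```

The scan is a pre-filter; the parser that later reads the parts should still have DTD loading and external entity resolution disabled.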

web / forward

Forward the MySQL connection to your own MySQL server and look at the network traffic.
You will see the flag leaked.

mysql_native_password  
forward  
SELECT flag FROM forward.flag  
def.forward.flag.flag.flag.flag....  
0ctf{w3ll_d0ne_guY}  

crypto / GREBeginner

crypto / RSA Quine


mobile / dataraidar

mobile / simpleapk

08:39 < KT_SaH> wytshadow: simpleapk: reversed the lib and saw some xoring, so I xored the flag.txt => win  
08:39 < riatre> wytshadow: simpleapk: reverse the elf  
08:39 < niklasb> yeah and maybe realize that they used adi  
08:39 < niklasb> *adbi  
08:40 < Zzzzzzzzzz> wytshadow: simpleapk: inject logger in smali, recompile, dump variable with flag ;]  
08:44 < niklasb> the XOR key had 0 bytes at the first 5 and the last position  
08:45 < KT_SaH> 0ctf{Too_Simple_Sometimes_Naive!!!} -> 0ctf{It's_More_Than_Meets_The_Eye!}  

mobile / VEZEL

08:39 < niklasb> wytshadow: tl;dr for vezel you could just compute the values from another app  
08:39 < KT_SaH> vezel: IDA + adb + print flag value :D  
08:39 < KT_SaH> + bluestacks  

Pwn Challenges


Misc

