You get arbitrary code execution…. as long as it’s code we approve of.
Source available at blech.py
Service running on 188.8.131.52 port 1234
Summary: RSA cube root attack
Hensel and Gretel are looking for their new house, but the twisted seller who sold it to them decided to provide the coordinates to their new love nest only after ensuring that the couple is Smart enough to earn them.
Thus, the seller provides them with the following map and leaves Hensel and Gretel to their sorry fate.
Can you help Hensel and Gretel to reach their house providing them with the street number?
(submit the street number as a large decimal number,plain ASCII encoded so Hensel and Gretel won’t get mad trying to figure out where they should head to :) )
Summary: ECDLP on anomalous curve
Since I needed to sign a document I thought about doing it with a Chinese paintbrush… Too bad my hand is not that steady, so just in case, I re-signed it with a common pen.
Sadly I keep being forgetful, so I actually forgot where I left the two halves of the sigil I used to sign the documents, can you help me and retrieve them from the two signatures?
Please, once you got them, write them as
replace _____ with actual numbers, in decimal.
sha1 hex-encoded with lowercase letters
smallest one is part1, biggest one is part2
Summary: RSA-CRT fault attack
The Dobbertin Challenge is issued every two years since 2006, in honor and memory of Prof. Hans Dobbertin.
A simple JSON Web Service is provided, which processes PIN codes of users. A user can send his encrypted PIN to the Web Service, which decrypts and stores the PIN. The Web Service allows to use cryptographically strong algorithms (RSA-OAEP and AES in GCM-mode) as well as algorithms with known weaknesses (RSA-PKCS#1 v1.5 and AES in CBC-mode). To create a ciphertext, a sender may choose among these algorithms.
In order to protect the confidentiality of PINs, encryption based on the JSON Web Encryption standard (link) is used. This standard allows to apply symmetric and asymmetric encryption algorithms.
You are the attacker who wants to learn the secret PIN of user Bob. You have already eavesdropped a ciphertext which contains Bob’s PIN:
Summary: RSA-PKCS#1 v1.5 and AES-CBC padding oracles attacks
The famous zombie researcher “Donn Beach” almost created an immunization against the dipsomanie virus. This severe disease leads to the inability to defend against Zombies, later causes a complete loss of memory and finally turns you into one of them.
Inexplicably Donn forgot where he put the license key for his centrifuge. Provide him a new one and humanity will owe you a debt of gratitude for fighting one of the most wicked illnesses today.
Summary: reverse engineering, VM, MiTM attack, AES
Heading up the steeple gave you and your companion a nice view over the outbreak situation in your city. But it also attracted a lot of unwanted attention. Zombies are surrounding your spot and are looking for an entrance to the building. You obviously need some bait to lure them away so you can flee safely. Solve this challenge to find out which human bodypart zombies like the most. https://ctf.fluxfingers.net/challenges/mealtime.exe
Summary: reverse engineering, TEA crypto, anti -debuging
3 – Zombies like PPTP
Our intel shows us that the Zombies use a MS-PPTP like protocol and luckily we could intercept a challenge-response transmission of one of the Zombie outposts. The important thing for Zombies in this war is mass! Not only brain mass but their mass. So they built their PPTP protocol compatible to all older Zombie soldiers. Luckily our science team could extract the algorithm of the challenge-response system out of a captured Zombie brain â€¦ I spare you the details, let’s just say it was not a pretty sight. And here comes your part soldier: we need the password of this intercepted transmission. With this password we were finally able to turn this war to our favor. So move your ass soldier and good luck!
Summary: bruteforce LM response
17 – Zombieshop
A new company offers a lot of anti zombie equipment to protect yourself. Unfortunately not everyone can buy the good stuff. Only privileged users may do so. We managed to create an account, but it is not privileged. Your mission is to buy “Anti zombie Spray”.
Summary: bruteforce DES
14 – Safehouse
It’s the middle of the night. Nothing but complete darkness and the moaing of approaching zombies surrounds you. You need to escape. Fast. There seems to be nothing to hide and nowhere to run. But then – a small dancing gleam appears while you are running through the blackness. Could it be? Yes – it looks like the light of a safehouse, now a few meters away. You need to get in, you need to survive. But it’s locked. Looks like you need a special knocking sequence to enter. But how to get it? You have to be fast to get into safety. The Zombies are getting closer …
15 – Secure Safehouse
It’s past midnight now. The zombies managed to invade your safehouse and you needed to escape. Again. Seems like the imprudent security measures had their price. But there is hope! Rumor has it there’s another safehouse which proves to be more secure, employing security measures no zombie would ever figure out. But can you?
Summary: x64 shellcoding
7 – python jail
You are surrounded by zombies. You heard there’s a safe house nearby, but climbing fences is hard with a beer belly. Thank god, there’s another surviver over there. “Hey! Help me!”, you shout. He just laughs and shakes you off the fence. Asshole.
Later, you see his dead body lying in front of a high security door secured by automated weapons. Heh… karma is a bitch. But that means you’ll have to find another way in. In this nerd area, all the doors are secured with stupid computer puzzles. So, what the heck. Better try this one:
You’ll find the entrance in “./key”
This challenge is a tribute to PHDays Finals 2012 challenge ‘ndevice’.
Thanks again, I had fun solving it.
I’m fairly certain that this challenge avoids being exploitable by
the tricks we could use in PHDays (the module “os” was imported…).
So, no advantage for people who did not attend PHDays.
Summary: python eval tricks
4 – Reduced Security Agency
Some of our guys broke into the Reduced Security Agency and stole the source of their highly secure login system. Unfortunately no one of them made it uninfected back and so we only have a part of the source. Now it’s your turn to break their system and login to the agency.
Summary: weak RSA private key generation