175 questions
0
votes
1
answer
70
views
Does flask dev server normalize paths?
I was playing a CTF which was about path traversal. The server code was like below:
import flask
import os
app = flask.Flask(__name__)
@app.route("/docs/<path:path>", methods=["...
- 2,470
-2
votes
2
answers
237
views
How to write a regex to match strings where every distinct character occurs the same number of times?
I have a challenge where I need to write a single regex pattern to match strings that satisfy the following property:
Every distinct character in the string appears exactly the same number of times.
...
- 29
0
votes
1
answer
259
views
How would I decrypt a base64 string using a symmetric key with an Initializator Vector?
I'm doing a CTF and the task is to decrypt a base64 string with a symmetric key and an IV. However, I always get an error saying ValueError: Incorrect IV length (it must be 16 bytes long).
The ...
0
votes
0
answers
52
views
Decryption Issue with XOR and Memory Swaps in Reverse Engineering Challenge
I'm working on a reverse engineering challenge where I need to decrypt some data that involves XOR decryption followed by memory swaps. After performing both steps, the output still seems incorrect. ...
- 1
0
votes
0
answers
115
views
Reference Error when exploiting buffer overflow
In the code below when I try to overwrite the stack by exploiting the buffer overflow in the line below.
memcpy(&local_1d,*(void **)local_10[1],(ulong)*(uint *)(local_10[1] + 8));
I also ...
- 17
0
votes
1
answer
180
views
How to write data to a specific fd using Python Pwntools
I'm trying to use pwntools's process and to write a string to a specific fd
In the documentation, there is a parameter to process of stdin and stdout but I do not understand how to use it correctly.
I ...
- 59
1
vote
0
answers
70
views
Efficiently Solving x in g^x mod p for Large Primes
I have a challenge where I need to solve for x in the following equation: y = gx mod p
The goal is to recover x from y within 10 seconds.
import random
import ans
import time
for i in range(10):
...
- 23
0
votes
0
answers
83
views
Add repeated strings in burp suite intruder
I am working on a CTF.
I need to do a SQL injection into a dummy website. In this website when signing up there is not input clean up of any sorts for the username field, and as a friend confirmed it ...
- 222
0
votes
1
answer
84
views
pwntools - what is the best way to fix byte order in output data
I've been learning the pwntools python library and using it to build solutions to CTF challenges. One thing I keep running into is that, after a successful exploit (say of a format string ...
- 98
0
votes
0
answers
77
views
Decoding Base64-URL Ciphertext to Retrieve Expected Flag Format
I'm working on a challenge where I was given an encoded string:
VFRJZ2NuM2ROZU1fTFNNQ0Z6R0Bfbk8xR2RwTlMwX2hfdUJSb19JM31Ve1ozZF8zXzdORWZu
I know this is Base64-URL encoded because it contains ...
0
votes
1
answer
95
views
How to properly load and pass a file path to open syscall in x86_64 assembly?
I'm trying to write a shellcode in x86_64 assembly that opens a file located at /challenge/flag using the open syscall. However, my implementation doesn't seem to work as intended. The path seems to ...
1
vote
1
answer
202
views
Angr unconstrained state has the same address as a found state
I am working on a simple symbolic execution problem. The code is as follows
// odd_even.c
#include <stdio.h>
int main(void)
{
int x; //yes x is uninitialized here, but that won't matter ...
- 722
0
votes
1
answer
124
views
Exception: model is not available
I'm getting a Model is not available error message with z3 using symbolic execution model.
The initial code has v1 and v2 added and it works but once I substitute v1 and v2 values, I get a model is ...
- 122
-5
votes
1
answer
213
views
RSA decryption python [closed]
How to find p,q,a if they random?
i have this script
from Crypto.Util.number import getPrime
p,q = getPrime(256), getPrime(256)
n = p*q
a = getPrime(128)
c1 = (p-a)**2>>128
c2 = (q+a)**2>>...
- 1
0
votes
1
answer
35
views
Convenience variable for locals pointer in gdb
currently I am doing a CTF challenge and I use gdb a lot. For overflows (getting information via printf or overwriting the RET pointer with puts) it is very helpful to get the locals pointer from the ...
- 63
-1
votes
1
answer
877
views
How to buffer overflow to exploit and get the flag?
This is my CTF challenge
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
int setup() {
setbuf(stdin, 0);
setbuf(stdout, 0);
}
int win() ...
- 23
1
vote
1
answer
152
views
"Not enough data for store" while solving Angr CTF example
I am trying to solve the CTF example as given at 04_angr_symbolic_stack. As per the instructions, we have to setup the stack before proceeding with symbolic execution. Using binary ninja for ...
- 722
1
vote
0
answers
681
views
How to solve this CTF buffer overflow exploit in C, that takes user input with gets(), but the secret needs to contain a newline?
I am a total beginner in CTF challenges (and not much of an expert in programming in general if I'm being honest) and I've been playing around with gerasdf's InsecureProgramming exercises as a way to ...
- 27
-1
votes
1
answer
424
views
Crypto RSA find p and q with a bitmask
Im new to Crypto and I am stuck in this challenge where I need to be able to somehow extract p and q.
You are given a python script and an output.txt with the ecnrypted flag and other relevant elemnts
...
1
vote
0
answers
88
views
ctf syscall execve problem will \0 null terminated array argv[]
Here's my CTF challenge code. I'm still able to spawn a /bin/sh shell but without the -c whoami command
getting this error: whoami: 0: cannot open : No such file, so the 0 termination isn't ...
1
vote
0
answers
203
views
how to write a large value > 32 bits with a format string exploit %n
I'm working on a challenge that requires me to overwrite a memory address with a libc address, which is usually around 48 bits.
I can write a 32-bit number into an address but with anything larger ...
- 11
0
votes
1
answer
271
views
How can I send a specific request body to an end point (CTF Web)
I have this ctf problem that gives me a site that randomly gives me a motivational quote each time I reload page, I also got this php file attached to it.
<?php
function random(int $length = 60): ...
- 1
1
vote
1
answer
756
views
Stack alignment in x64 is not 16-bytes?
I tried this code:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pwn import *
elf = context.binary = ELF(args.EXE or 'callme')
libc = elf.libc
rop = ROP([elf, libc])
pop_rdi = p64(...
- 58
-2
votes
1
answer
319
views
how do I make a "local server" that can recieve messages from outside my computer?
I have a telnet server that when provided with ip and port sends a message to the destination.. how do i make it send it to my server program if it runs locally? is there maybe a way that I can ...
- 3
1
vote
0
answers
130
views
Binary executed automatically when connecting to a server using netcat
These days I am doing CTFs in pwnable.kr, and was curious about how they implemented this.
Basically some CTFs in that site require me to SSH into the server, and run the binary manually from there.
...
- 167
0
votes
1
answer
198
views
How to restore symbol table on glibc 2.31 or newer version with .build-id folder?
There's no direct file like libc-2.31-0ubuntu9.9.so that with symbols, There's only .build-id folder inside the archive file.
.build-id folder
How can i restore the symbol table ? Searched on google ...
- 21
0
votes
1
answer
608
views
CTFD Server -- ctfd-cli bulk challenge import
I've built a script that automates the building of a CTFd sever and I've installed the ctfd-cli. I am a bit confused on how exactly I can import all of my challenges into the CTFd server. This was my ...
- 101
0
votes
1
answer
181
views
Buffer Overflow 2 picoCTF
I would be happy if someone explain me how are the arguments of the win function passed to the win function by overwriting the stack after the return address of the current stack frame, what does ...
0
votes
1
answer
145
views
stuck on jpg image forensics task
I am trying to understand a jpg forensics problem, the organizers mentioned that i need to change 1 or a few bytes in the ff c0 segment, i can't seem to figure it out at all, the name of the challenge ...
0
votes
1
answer
246
views
Volatility3: AttributeError: function/symbol 'ARC4_stream_init' not found in library
I am attempting to get hashes from a memory dump using volatility3's hashdump.Hashdump module, and I keep running into this error:
AttributeError: function/symbol 'ARC4_stream_init' not found in ...
3
votes
1
answer
131
views
How does U16 function of pwn (CTF) library works?
I am trying to solve uni challenge in Python, the challenge is located in CTF server (using pwn library to connect). I can interact with the server by sending keys, for example: 1-help, 2-read info ...
- 41
4
votes
1
answer
732
views
Type-juggling in php: bypass a comparison with non-empty array
On an CTF for my web-security-class I was able to find following php-code on the server
<?php
$user = array("user" => "admin");
$secret = random_bytes(20);
...
- 53
0
votes
0
answers
491
views
SQL Injection PHP CTF
Is there something I can do with this information?
$employee_id = explode(' ', $_POST['employee_id'])[0];
$query = 'SELECT name FROM employees WHERE id = CAST('.$employee_id.' AS INT)';
Any SQL ...
6
votes
2
answers
6k
views
Flask Session Cookie Tampering
I was competing in a CTF contest and faced an issue while trying to manipulate a Flask session cookie.
Specifically, I was able to decode it successfully (without having its secret key) using Flask ...
- 61
-1
votes
1
answer
795
views
My flag is not displaying via terminal after completing an exploit in a ctf
To be as concise as possible, I am running a python exploit that passes all the checks that it needs to, but when the original ELF is supposed to write the flag to flag.txt, nothing gets displayed. I ...
- 19
5
votes
1
answer
2k
views
RNG Challenge Python
I am trying to solve a CTF challenge in which the goal is to guess the generated number. Since the number is huge and you only have 10 attempts per number, I don't think you can apply binary search or ...
- 823
1
vote
1
answer
6k
views
Objdump for ARM64 Architecture
I’ve encountered this error in Ubuntu with ARM64 (aarch64) architecture where Objdump doesnt wan’t to run.
The error message for the following command «objdump -d filename»:
filename: file format ...
- 95
-1
votes
1
answer
2k
views
No password hashes loaded in JohnTheRipper
I'm trying to crach ssh password with john, but there's an error, and I can't find the answer to solve it
firstly I use ssh2john.py:
python3 ssh2john.py id_rsa > id_rsa.hash
then john:
john --...
- 9
0
votes
0
answers
3k
views
RSA Oracle - Getting the flag by using chosen ciphertext attack
I am trying to solve a simple RSA CTF challenge, but I am facing problems that go beyond the theory behind the attack (or at least I guess so). Basically, I have an oracle at disposal that will first ...
- 823
1
vote
1
answer
3k
views
RSA - CTF Encrypt and Decrypt
I am currently trying to solve a practice CTF challenge on RSA. The source code of the challenge is the following:
from Crypto.Util.number import getStrongPrime, bytes_to_long
from secret import flag
...
- 823
1
vote
2
answers
1k
views
Getting an IllegalBlockSizeException: Data must not be longer than 512 bytes while using RSA
I am trying to decrypt a readme file given for a CTF. I have the public and private keys
-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAgBqs0zu5mQ8XcsZ1yYGR1Pg75Lwk5GU4hoJmDVvlSjsV4L/X
ol9Gc+...
- 11
0
votes
0
answers
74
views
What exactly does AndroidManifest.XML show in my .apk file? My current assignment is to obtain 2 flags
screenshot of the AndroidManifest.XML file
I've tried downloading APKtool package to decompile the apk file however I am unable to download any packages due to the restriction of my assignment. Im not ...
- 1
0
votes
0
answers
921
views
Regular expression bypassing
I am solving the ctf challenge. Is it possible to bypass this RE and execute JS injection?
<script>
s=decodeURIComponent(location.search.substr(1));
if(/^[".=acdeimnotu]*$/.test(s))
eval(s)...
- 1
0
votes
1
answer
103
views
What techniques can I use to determine the number generated by srand() in C?
How to know the secret number from srand((uint32_t)timer) where time_t timer = time(NULL)
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
void ...
- 11
0
votes
0
answers
618
views
How to use netcat or socat to execute an elf type file that compiled from C language like CTF
Like the title saying.
I have a C program and I compile it to an ELF by using gcc.
Now I want to run this ELF up and using netcat to proxy it.
Let client can netcat to service then send message and ...
0
votes
0
answers
79
views
On-demand Pods for a training platform
I'm trying to create a training/labs platform that would allow anyone to have an isolated pod/container to connect to and play with it. I was initially planning to do it in two steps:
Have the user ...
- 1
1
vote
0
answers
3k
views
How to extract Zlib from JPG
I'm currently doing a forensics CTF challenge, where the flag is hidden inside a .jpg file. When I do binwalk on the file, I see the following:
DECIMAL HEXADECIMAL DESCRIPTION
---------------...
0
votes
0
answers
912
views
x86 Assembly: Creating a shellcode to write to a file after successful buffer overflow
Hi Stack Overflow community,
I am currently working on a CTF challenge, where I need to perform a buffer overflow on a C program and then execute a shellcode to create and write to a file. The given C ...
- 63
0
votes
0
answers
919
views
OpenSSL decrypt AES-ECB-256 encrypted password - can't figure out the right syntax
I am trying to decrypt aes-256-ecb encoded password using OpenSSL with the following (captured during a ctf only) informations:
##PASS_16##
oRnS7llE9q3utIvyP1rbK4OPVDjOPdEss36jsgu/...
- 13
4
votes
1
answer
5k
views
Jinja2 SSTI filter bypasses
I'm doing a Capture The Flag (CTF) and I'm trying to exploit a server vulnerable to Jinja2 Server Side Template Injection (SSTI).
I can't use the following characters: \, |, ,, . and _.
I'm trying to ...
- 41