{"id":764,"date":"2023-03-13T19:12:07","date_gmt":"2023-03-13T19:12:07","guid":{"rendered":"https:\/\/putrequest.put.poznan.pl\/?p=764"},"modified":"2023-03-13T20:12:12","modified_gmt":"2023-03-13T20:12:12","slug":"764","status":"publish","type":"post","link":"https:\/\/putrequest.put.poznan.pl\/index.php\/2023\/03\/13\/764\/","title":{"rendered":"hike to where, discord l34k and 3 more writeups"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"764\" class=\"elementor elementor-764\">\n\t\t\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6f79f779 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6f79f779\" data-element_type=\"section\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-74d0bed1\" data-id=\"74d0bed1\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1ccb83c elementor-widget elementor-widget-text-editor\" data-id=\"1ccb83c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<style>\/*! 
elementor - v3.15.0 - 20-08-2023 *\/\n.elementor-widget-text-editor.elementor-drop-cap-view-stacked .elementor-drop-cap{background-color:#69727d;color:#fff}.elementor-widget-text-editor.elementor-drop-cap-view-framed .elementor-drop-cap{color:#69727d;border:3px solid;background-color:transparent}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap{margin-top:8px}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap-letter{width:1em;height:1em}.elementor-widget-text-editor .elementor-drop-cap{float:left;text-align:center;line-height:1;font-size:50px}.elementor-widget-text-editor .elementor-drop-cap-letter{display:inline-block}<\/style>\t\t\t\t<h3>hike to where?<\/h3><p><span lang=\"en-GB\">In this challenge we have to find the location where the attached photo was taken. Unfortunately, exiftool doesn&#8217;t help us here, so we have to do some research. The name of the person is easy to find &#8211; he&#8217;s one of the speakers at our CTF event! Since we know the name &#8211; Carey Nachenberg &#8211; we can continue our research and google it. I focused on finding a photo in which the man is wearing the same clothes. 
I found one on the following website: https:\/\/www.picuki.com\/profile\/peaksandprofessors.ucla<\/span><\/p><p><span lang=\"en-GB\">(I searched Google for &#8220;carey nachenberg ucla climbing&#8221;)<\/span><\/p><p><span lang=\"en-GB\">After scrolling down a little, there was a photo with this description:<\/span><\/p><p><img decoding=\"async\" class=\"alignnone size-medium wp-image-765\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/lol-219x300.png\" alt=\"\" width=\"219\" height=\"300\" srcset=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/lol-219x300.png 219w, https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/lol.png 372w\" sizes=\"(max-width: 219px) 100vw, 219px\" \/><\/p><p><span lang=\"en-GB\">And skull rock is what we&#8217;re looking for!<\/span><\/p><p><span lang=\"en-GB\">flag: lactf{skull_rock}<\/span><\/p><h3><span lang=\"en-GB\">discord l34k<\/span><\/h3><p><span lang=\"en-GB\">In this challenge we have a link to a Discord server, but we can&#8217;t really see what&#8217;s inside. I assumed that the last part of the link is a server ID. I found a site where we can look up information about a server by providing its ID:<\/span><\/p><p><span style=\"color: #0563c1;\"><u><a href=\"https:\/\/discord-avatar.com\/en\/server\"><span lang=\"en-GB\">https:\/\/discord-avatar.com\/en\/server<\/span><\/a><\/u><\/span><\/p><p><img decoding=\"async\" class=\"alignnone size-medium wp-image-766\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/discordo1-300x31.png\" alt=\"\" width=\"300\" height=\"31\" srcset=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/discordo1-300x31.png 300w, https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/discordo1.png 393w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p><p><span lang=\"en-GB\">After a search we can see a &#8220;Join now&#8221; button. 
We can click on it and that&#8217;s it!<\/span><\/p><p><img decoding=\"async\" class=\"alignnone size-full wp-image-767\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/discordo2.png\" alt=\"\" width=\"294\" height=\"173\" \/><\/p><p><span lang=\"en-GB\">On the server we have our flag:<\/span><\/p><p><span lang=\"en-GB\">lactf{D15C0rD_W1D6375_134K_1NV1735}<\/span><\/p><h3><span lang=\"en-GB\">string cheese<\/span><\/h3><p><span lang=\"en-GB\">It&#8217;s a simple warmup reversing challenge. When we run the program, it asks us about his favorite flavor of string cheese. After decompiling it in Ghidra, we can easily figure out that the answer we need is &#8220;blueberry&#8221;. We can connect to the service with the provided command and type in the answer, then we get the flag.<\/span><\/p><p><img decoding=\"async\" class=\"size-full wp-image-768 aligncenter\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/cheese.png\" alt=\"\" width=\"523\" height=\"377\" srcset=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/cheese.png 523w, https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/cheese-300x216.png 300w\" sizes=\"(max-width: 523px) 100vw, 523px\" \/><\/p><p><span lang=\"en-GB\">lactf{d0n7_m4k3_fun_0f_my_t4st3_1n_ch33s3}<\/span><\/p><h3><span lang=\"en-GB\">Finals simulator<\/span><\/h3><p><span lang=\"en-GB\">Here\u2019s the decompiled code from the program in this challenge:<\/span><\/p><p><img decoding=\"async\" class=\"size-full wp-image-769 aligncenter\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/cheese2.png\" alt=\"\" width=\"664\" height=\"680\" srcset=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/cheese2.png 664w, https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/cheese2-293x300.png 293w\" sizes=\"(max-width: 664px) 100vw, 664px\" \/><\/p><p><span lang=\"en-GB\">Value inside mod:<\/span><\/p><p><img decoding=\"async\" 
class=\"alignnone size-full wp-image-770\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/sim.png\" alt=\"\" width=\"142\" height=\"36\" \/><\/p><p><span lang=\"en-GB\">We can see that we have to answer 3 mathematical questions to receive the flag. <\/span><\/p><ul><li><span lang=\"en-GB\">The first question is: what is sin(x)\/n? It\u2019s obviously a mathematical joke; the answer is simply six. <\/span><\/li><li><span lang=\"en-GB\">The second question is about the prettiest number. <\/span> <img decoding=\"async\" class=\"alignnone size-full wp-image-771\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/intext.png\" alt=\"\" width=\"263\" height=\"15\" \/> <span lang=\"en-GB\">All we have to do is transform and evaluate the expression in the if condition. The answer is 13371337.<\/span><\/li><li><span lang=\"en-GB\">The last question is definitely the most challenging. The answer should have something in common with the logarithm of cabin, but we need to find the exact answer. 
I wrote the following script in Python to decrypt the answer:<\/span><\/li><\/ul><p><a name=\"_GoBack\"><\/a><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-654c46b elementor-widget elementor-widget-code-highlight\" data-id=\"654c46b\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>import string\n\nmod = 0xfd\n# map every transformed value back to the printable character that produces it\ndict = {}\nfor i in string.printable:\n    x = (ord(i)*0x11)%mod \n    dict[x] = i\n\n# bytes the program compares the transformed input against\nenc = [0x0e, 0xb8, 0x9d, 0xb8,0x26,0x83,0x26,0x41,0x74,0xe9,0x26, 0xa5, 0x83, 0x94, 0x0e, 0x63, 0x37, 0x37, 0x37]\n\nfor i in enc:\n    print(dict[i], end='')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9b468c6 elementor-widget elementor-widget-text-editor\" data-id=\"9b468c6\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span lang=\"en-GB\">How does it work?<\/span><\/p><p><span lang=\"en-GB\">In <\/span> <img decoding=\"async\" class=\"alignnone size-full wp-image-772\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/wer2.png\" alt=\"\" width=\"282\" height=\"19\" \/> <span lang=\"en-GB\">we are comparing our input (after it was changed in the for loop) to enc.\u00a0<\/span><\/p><p><span lang=\"en-GB\">Here\u2019s what enc contains:<\/span><\/p><p><span lang=\"en-GB\">\u00a0<\/span><\/p><p><img decoding=\"async\" class=\"alignnone size-full wp-image-773\" src=\"https:\/\/putrequest.put.poznan.pl\/wp-content\/uploads\/2023\/03\/dom2.png\" alt=\"\" width=\"88\" height=\"277\" \/><\/p><p>\u00a0<\/p><p 
style=\"font-size: 16px; font-style: normal; font-weight: 300; letter-spacing: 0.3px;\">\u00a0<\/p><h3>\u00a0<\/h3><p style=\"font-size: 16px; font-style: normal; font-weight: 300; color: #ffffff; font-family: Rubik, sans-serif; letter-spacing: 0.3px; text-transform: none;\"><span lang=\"en-GB\">\u00a0<\/span><\/p><p style=\"font-size: 16px; font-style: normal; font-weight: 300; color: #ffffff; font-family: Rubik, sans-serif; letter-spacing: 0.3px; text-transform: none;\"><span lang=\"en-GB\">Thus, we have to obtain this string of bytes. My script calculates the value of the expression from the for loop in our code for every possible printable character and stores it in a dictionary, with this value as the key and the corresponding character as the value. Then we can just print our last answer and get the flag.<\/span><\/p><p style=\"font-size: 16px; font-style: normal; font-weight: 300; color: #ffffff; font-family: Rubik, sans-serif; letter-spacing: 0.3px; text-transform: none;\"><span lang=\"en-GB\">Flag: the server is currently not responding<\/span><\/p><p style=\"font-size: 16px; font-style: normal; font-weight: 300; color: #ffffff; font-family: Rubik, sans-serif; letter-spacing: 0.3px; text-transform: none;\"><span lang=\"en-GB\">\u00a0<\/span><\/p><h3><span lang=\"en-GB\">UNIVERSAL<\/span><\/h3><p><span lang=\"en-GB\">This was the first SAT challenge I solved. I wasn\u2019t familiar with the z3 module and something wasn\u2019t working for me, so I wrote my own script. I found out that we can always find an expression with 1 unknown variable, so we can calculate it and update the rest of the expressions.<\/span><\/p><p><span lang=\"en-GB\">I assumed that the flag starts and ends as usual: lactf{&#8230;}, so the first 6 characters and the last one are known from the start. 
Here\u2019s my code:<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4eac101 elementor-widget elementor-widget-code-highlight\" data-id=\"4eac101\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-python line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-python\">\n\t\t\t\t\t<xmp>import string\r\n\r\nfile_name = \"java_input\"\r\ndict = {}\r\nstripped = []\r\ntable_name= \"bytes\" #what's the name of table in input file\r\n#for lactf\r\ndict[f\"{table_name}[0]\"] = str(ord('l'))\r\ndict[f\"{table_name}[1]\"] = str(ord('a'))\r\ndict[f\"{table_name}[2]\"] = str(ord('c'))\r\ndict[f\"{table_name}[3]\"] = str(ord('t'))\r\ndict[f\"{table_name}[4]\"] = str(ord('f'))\r\ndict[f\"{table_name}[5]\"] = str(ord('{'))\r\ndict[f\"{table_name}[37]\"] = str(ord('}'))\r\nflag_len = 38\r\n\r\n#true when exactly one unknown bytes[i] is left in the expression\r\ndef two_assigned(l:list):\r\n    counter = 0\r\n    for i in l:\r\n        if len(i)>len(table_name) and i[:len(table_name)] ==table_name:\r\n            counter+=1\r\n    if counter == 1:\r\n        return True\r\n    return False\r\n\r\n#substitute a solved value everywhere it still appears\r\ndef update(to_replace):\r\n    for x in range(len(stripped)):\r\n        for y in range (len(stripped[x])):\r\n            if stripped[x][y] == to_replace:\r\n                stripped[x][y]= dict[to_replace]\r\n\r\n#brute-force the single unknown over printable characters\r\n#(eval runs the line as Python, so only feed it an input file you prepared yourself)\r\ndef evaluate(l: list):\r\n    to_replace = \"\"\r\n    index = 0\r\n    for i in range(len(l)):\r\n        if l[i][:len(table_name)]==table_name:\r\n            to_replace = l[i]\r\n            l[i] = \"{}\"\r\n            index = i\r\n            break\r\n    x = \"-1\"\r\n    for bytes in string.printable:\r\n        put = ord(bytes)\r\n        expr = \" \".join(l)\r\n        expr = expr.format(put)\r\n        \r\n        if eval(expr) == 1:\r\n            x = str(put)\r\n            
break\r\n    #update with x\r\n    if x == \"-1\":\r\n        print(\"No characters found\")\r\n        exit(1)\r\n    l[index] = x\r\n    dict[to_replace] = x\r\n    update(to_replace)\r\n\r\ndone_counter = 0\r\nwith open(file_name) as file:\r\n    lines = [line.rstrip() for line in file]\r\nfor l in lines:\r\n    stripped.append(l.split(\" \"))\r\n\r\nassumptions = len(dict.keys())\r\nfor i in dict.keys():\r\n    update(i)\r\n\r\nwhile done_counter + assumptions < flag_len:\r\n    for i in range(len(lines)):\r\n        if two_assigned(stripped[i]):\r\n            evaluate(stripped[i])\r\n            done_counter+=1\r\n    \r\nfor i in range(done_counter+assumptions):\r\n    print(chr(int(dict[\"{}[{}]\".format(table_name, i)])), end='')<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-412943a elementor-widget elementor-widget-text-editor\" data-id=\"412943a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span lang=\"en-GB\">To make the program work properly, we have to prepare our input file with the expressions in the right way:<br \/>Every value has to be separated from any other character by a space. 
Here\u2019s an example of the first few lines with expressions from our challenge:<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d35662a elementor-widget elementor-widget-code-highlight\" data-id=\"d35662a\" data-element_type=\"widget\" data-widget_type=\"code-highlight.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"prismjs-default copy-to-clipboard \">\n\t\t\t<pre data-line=\"\" class=\"highlight-height language-javascript line-numbers\">\n\t\t\t\t<code readonly=\"true\" class=\"language-javascript\">\n\t\t\t\t\t<xmp>(( bytes[36] ^ bytes[2] * 7 ^ ~ bytes[4] + 13 ) & 0xFF ) == 0x67\r\n(( bytes[34] ^ bytes[23] * 7 ^ ~ bytes[36] + 13 ) & 0xFF ) == 0xB6\r\n(( bytes[37] ^ bytes[10] * 7 ^ ~ bytes[21] + 13 ) & 0xFF ) == 0xDF\r\n(( bytes[24] ^ bytes[23] * 7 ^ ~ bytes[19] + 13 ) & 0xFF ) == 0xCD\r\n(( bytes[25] ^ bytes[13] * 7 ^ ~ bytes[23] + 13 ) & 0xFF ) == 0x\r\n\r\n\u2026\r\n\r\n#java_input file<\/xmp>\n\t\t\t\t<\/code>\n\t\t\t<\/pre>\n\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-655145f elementor-widget elementor-widget-text-editor\" data-id=\"655145f\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p><span lang=\"en-GB\">Flag: lactf{1_d0nt_see_3_b1ll10n_s0lv3s_y3t}<\/span><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>hike to where? In this challenge we have to find a location where the photo in attachment was taken. Unfortunately, exiftool doesn&#8217;t help us here, so we have to do some research. The name of person is easy to find &#8211; he&#8217;s one of the speakers on our ctf event! 
As we know the name &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/putrequest.put.poznan.pl\/index.php\/2023\/03\/13\/764\/\"> <span class=\"screen-reader-text\">hike to where, discord l34k and 3 more writeups<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"","footnotes":""},"categories":[16,14],"tags":[],"class_list":["post-764","post","type-post","status-publish","format-standard","hentry","category-lactf-2023-writeup-2","category-writeup-2"],"_links":{"self":[{"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/posts\/764","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/comments?post=764"}],"version-history":[{"count":19,"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/posts\/764\/revisions"}],"predecessor-version":[{"id":798,"href":"
https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/posts\/764\/revisions\/798"}],"wp:attachment":[{"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/media?parent=764"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/categories?post=764"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/putrequest.put.poznan.pl\/index.php\/wp-json\/wp\/v2\/tags?post=764"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}