simon/CTF
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

downloaded challenges

Browse Source 
didnt know they would publish everything
This commit is contained in:
Simon
2023-09-04 22:08:12 +02:00
parent fb0e5711a0
commit 9d960e60ac
17 changed files with 503 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
DownUnderCTF 2023/beginner/complementary/ape.py Normal file
View File

@@ -0,0 +1,16 @@
import math
ctf = b"DUCTF{"
ctf = int.from_bytes(ctf)
# 0x44554354467b
# 0x3bd4fca9d0d3e400000000000000000000000
# 6954494065942554678316751997792528753841173212407363342283423753536991947310058248515278
crypt = 6954494065942554678316751997792528753841173212407363342283423753536991947310058248515278
print(hex(int(math.sqrt(crypt))))
ctf2 = 0x44554354467b0000000000000000000000000
print(int(crypt / ctf2))

14
DownUnderCTF 2023/beginner/complementary/complementary.py Normal file
View File

@@ -0,0 +1,14 @@
import math
flag = open('./flag.txt', 'rb').read().strip()
m1 = int.from_bytes(flag[:len(flag)//2])
m2 = int.from_bytes(flag[len(flag)//2:])
print(flag[:len(flag)//2], flag[len(flag)//2:])
print(m1, m2)
print(hex(m1), hex(m2))
n = m1 * m2
print(n)
print("SOLVING!")
sq = int(math.sqrt(n))
print(hex(sq))

1
DownUnderCTF 2023/beginner/complementary/flag.txt Normal file
View File

@@ -0,0 +1 @@
DUCTF{NOTAFLAG}

1
DownUnderCTF 2023/beginner/complementary/output.txt Normal file
View File

@@ -0,0 +1 @@
6954494065942554678316751997792528753841173212407363342283423753536991947310058248515278

45
DownUnderCTF 2023/beginner/confusing/README.md Normal file
View File

@@ -0,0 +1,45 @@
# confusing
```
Types can be very confusing.
Author: joseph
nc 2023.ductf.dev 30024
```
## Source
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void init() {
setvbuf(stdout, 0, 2, 0);
setvbuf(stdin, 0, 2, 0);
}
int main() {
init();
short d;
double f;
char s[4];
int z;
printf("Give me d: ");
scanf("%lf", &d);
printf("Give me s: ");
scanf("%d", &s);
printf("Give me f: ");
scanf("%8s", &f);
if(z == -1 && d == 13337 && f == 1.6180339887 && strncmp(s, "FLAG", 4) == 0) {
system("/bin/sh");
} else {
puts("Still confused?");
}
}
```

34
DownUnderCTF 2023/beginner/confusing/ape.py Normal file
View File

@@ -0,0 +1,34 @@
import sys
import angr
import claripy
import time
# compiled on ubuntu 18.04 system:
# https://github.com/b01lers/b01lers-ctf-2020/tree/master/rev/100_little_engine
success = 0x0010133c
fail = 0x00101343
def main(argv):
path_to_binary = argv[1] # :string
project = angr.Project(path_to_binary)
# Start in main()
initial_state = project.factory.entry_state()
# Start simulation
simulation = project.factory.simgr(initial_state)
simulation.explore(find=success, avoid=fail)
# If found a way to reach the address
if simulation.found:
solution_state = simulation.found[0]
# Print the string that Angr wrote to stdin to follow solution_state
print(solution_state.posix.dumps(sys.stdin.fileno()))
else:
raise Exception('Could not find the solution')
if __name__ == '__main__':
main(sys.argv)

BIN
DownUnderCTF 2023/beginner/confusing/confusing Executable file
View File

Binary file not shown.

32
DownUnderCTF 2023/beginner/confusing/confusing.c Normal file
View File

@@ -0,0 +1,32 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void init() {
setvbuf(stdout, 0, 2, 0);
setvbuf(stdin, 0, 2, 0);
}
int main() {
init();
short d;
double f;
char s[4];
int z;
printf("Give me d: ");
scanf("%lf", &d);
printf("Give me s: ");
scanf("%d", &s);
printf("Give me f: ");
scanf("%8s", &f);
if(z == -1 && d == 13337 && f == 1.6180339887 && strncmp(s, "FLAG", 4) == 0) {
system("/bin/sh");
} else {
puts("Still confused?");
}
}

35
DownUnderCTF 2023/beginner/confusing/confusing.py Normal file
View File

@@ -0,0 +1,35 @@
from pwn import *
import os
os.environ["PWNLIB_DEBUG"] = "1"
gs = '''
unset env LINES
unset env COLUMNS
set follow-fork-mode child
# br *main+78 # first scanf
br *main+160
br *main+170
br *main+220
c
'''
elf = ELF(os.getcwd()+"/confusing")
def start():
if args.GDB:
return gdb.debug(elf.path, gs)
if args.REMOTE:
return remote("2023.ductf.dev", 30024)
else:
return process(elf.path)
while True:
io = start()
print(io.recvuntil(b"Give me d: "))
io.sendline(b"7")
print(io.recvuntil(b"Give me s: "))
io.sendline(b"FLAG")# + b"\xff"*4)
print(io.recvuntil(b"Give me f: "))
io.sendline(b"2")
io.interactive()

4
DownUnderCTF 2023/beginner/xxd-server/xxd_server/.htaccess Executable file
View File

@@ -0,0 +1,4 @@
# Everything not a PHP file, should be served as text/plain
<FilesMatch "\.(?!(php)$)([^.]*)$">
ForceType text/plain
</FilesMatch>

6
DownUnderCTF 2023/beginner/xxd-server/xxd_server/Dockerfile Executable file
View File

@@ -0,0 +1,6 @@
FROM php:8.1-apache
COPY index.php .htaccess /var/www/html/
COPY flag /
RUN sed -i 's/AllowOverride None/AllowOverride All/g' /etc/apache2/apache2.conf
RUN mkdir -p /var/www/html/uploads && chmod 1333 /var/www/html/uploads

110
DownUnderCTF 2023/beginner/xxd-server/xxd_server/index.php Executable file
View File

@@ -0,0 +1,110 @@
<?php
// Emulate the behavior of command line 'xxd' tool
function xxd(string $s): string {
$out = '';
$ctr = 0;
foreach (str_split($s, 16) as $v) {
$hex_string = implode(' ', str_split(bin2hex($v), 4));
$ascii_string = '';
foreach (str_split($v) as $c) {
$ascii_string .= $c < ' ' || $c > '~' ? '.' : $c;
}
$out .= sprintf("%08x: %-40s %-16s\n", $ctr, $hex_string, $ascii_string);
$ctr += 16;
}
return $out;
}
$message = '';
// Is there an upload?
if (isset($_FILES['file-upload'])) {
$upload_dir = 'uploads/' . bin2hex(random_bytes(8));
$upload_path = $upload_dir . '/' . basename($_FILES['file-upload']['name']);
mkdir($upload_dir);
$upload_contents = xxd(file_get_contents($_FILES['file-upload']['tmp_name']));
if (file_put_contents($upload_path, $upload_contents)) {
$message = 'Your file has been uploaded. Click <a href="' . htmlspecialchars($upload_path) . '">here</a> to view';
} else {
$message = 'File upload failed.';
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>xxd-server</title>
<style>
body {
background-color: #fff;
color: #000;
font-family: Arial, sans-serif;
height: 100vh;
display: flex;
justify-content: center;
align-items: center;
}
.container {
text-align: center;
border: 2px solid #000;
padding: 20px;
border-radius: 10px;
}
h1 {
color: #000;
}
#file-upload {
display: none; /* hide the actual input */
}
/* Style the label to look like a button */
label[for="file-upload"] {
display: inline-block;
background-color: #000;
color: #fff;
padding: 10px 20px;
cursor: pointer;
transition: background-color 0.3s;
}
label[for="file-upload"]:hover {
background-color: #666;
}
#submit-button {
margin-top: 20px;
background-color: #000;
color: #fff;
border: none;
padding: 10px 20px;
cursor: pointer;
transition: background-color 0.3s;
}
#submit-button:hover {
background-color: #666;
}
</style>
</head>
<body>
<div class="container">
<h1>xxd-server</h1>
<p>Our patented hex technology&trade; allows you to view the binary data of any file. Try it here!</p>
<form action="/" method="POST" enctype="multipart/form-data">
<input type="file" id="file-upload" name="file-upload">
<label for="file-upload">Select File</label>
<br>
<input type="submit" id="submit-button" value="Upload">
</form>
<?= $message ? '<p>' . $message . '</p>' : ''; ?>
</div>
</body>
</html>

11
DownUnderCTF 2023/web/actually-proxed/actually-proxed/Dockerfile Normal file
View File

@@ -0,0 +1,11 @@
FROM golang:1.20-alpine3.17
WORKDIR /app
COPY . ./
RUN go build -o out/ ./...
USER 1000:1000
EXPOSE 8080
ENTRYPOINT [ "./docker-entrypoint.sh" ]

131
DownUnderCTF 2023/web/actually-proxed/actually-proxed/cmd/proxy/main.go Normal file
View File

@@ -0,0 +1,131 @@
package main
import (
"bufio"
"bytes"
"flag"
"fmt"
"io"
"log"
"net"
"net/http"
"net/url"
"strings"
)
func main() {
targetUrlFlag := flag.String("target", "http://localhost:8081", "Target URL")
port := flag.Int("port", 8080, "The port to listen on")
flag.Parse()
targetUrl, err := url.Parse(*targetUrlFlag)
if err != nil {
log.Fatalf("Error parsing target URL: %s", err)
}
ln, err := net.Listen("tcp", fmt.Sprintf(":%d", *port))
log.Printf("Listening on port %d\n", *port)
if err != nil {
log.Fatalf("Error listening: %s", err)
}
defer ln.Close()
for {
conn, err := ln.Accept()
if err != nil {
log.Printf("Error accepting connection: %s", err)
continue
}
go func() {
defer conn.Close()
scanner := bufio.NewScanner(conn)
var rawRequest bytes.Buffer
for scanner.Scan() {
line := scanner.Text()
if line == "" {
break
}
fmt.Fprintf(&rawRequest, "%s\r\n", line)
}
if err := scanner.Err(); err != nil {
log.Printf("Error reading request: %s", err)
return
}
clientIP := strings.Split(conn.RemoteAddr().String(), ":")[0]
request, err := parseRequest(rawRequest.Bytes(), clientIP, targetUrl.Host)
if err != nil {
log.Printf("Error parsing request: %s", err)
return
}
client := http.Client{}
resp, err := client.Do(request)
if err != nil {
log.Printf("Error proxying request: %s", err)
return
}
defer resp.Body.Close()
// Write the response to the connection
writer := bufio.NewWriter(conn)
resp.Write(writer)
writer.Flush()
}()
}
}
func parseRequest(raw []byte, clientIP, targetHost string) (*http.Request, error) {
var method, path, version string
headers := make([][]string, 0)
reader := bytes.NewReader(raw)
scanner := bufio.NewScanner(reader)
scanner.Scan()
fmt.Sscanf(scanner.Text(), "%s %s %s", &method, &path, &version)
for scanner.Scan() {
line := scanner.Text()
if line == "" {
break
}
parts := strings.SplitN(line, ":", 2)
if len(parts) == 2 {
headers = append(headers, []string{strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1])})
}
}
for i, v := range headers {
if strings.ToLower(v[0]) == "x-forwarded-for" {
headers[i][1] = fmt.Sprintf("%s, %s", v[1], clientIP)
break
}
}
headerMap := make(map[string][]string)
for _, v := range headers {
value := headerMap[v[0]]
if value != nil {
value = append(value, v[1])
} else {
value = []string{v[1]}
}
headerMap[v[0]] = value
}
request := &http.Request{
Method: method,
URL: &url.URL{Scheme: "http", Host: targetHost, Path: path},
Proto: version,
ProtoMajor: 1,
ProtoMinor: 1,
Header: headerMap,
Body: io.NopCloser(reader),
ContentLength: int64(reader.Len()),
}
return request, nil
}

43
DownUnderCTF 2023/web/actually-proxed/actually-proxed/cmd/secret_server/main.go Normal file
View File

@@ -0,0 +1,43 @@
package main
import (
"flag"
"fmt"
"log"
"net/http"
"os"
"strings"
)
var (
port = flag.Int("port", 8081, "port to listen on")
)
func main() {
flag.Parse()
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
xff := r.Header.Values("X-Forwarded-For")
ip := strings.Split(r.RemoteAddr, ":")[0]
if xff != nil {
ips := strings.Split(xff[len(xff)-1], ", ")
ip = ips[len(ips)-1]
ip = strings.TrimSpace(ip)
}
// 1337 hax0rz 0nly!
if ip != "31.33.33.7" {
message := fmt.Sprintf("untrusted IP: %s", ip)
http.Error(w, message, http.StatusForbidden)
return
} else {
w.Write([]byte(os.Getenv("FLAG")))
}
})
log.Printf("Listening on port %d", *port)
log.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", *port), nil))
}

17
DownUnderCTF 2023/web/actually-proxed/actually-proxed/docker-entrypoint.sh Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/sh
# https://docs.docker.com/config/containers/multi-service_container/
cd /app/out
# Start the proxy
./proxy &
# Start the web server
./secret_server &
# Wait for any process to exit
wait -n
# Exit with status of process that exited first
exit $?

3
DownUnderCTF 2023/web/actually-proxed/actually-proxed/go.mod Normal file
View File

@@ -0,0 +1,3 @@
module github.com/DownUnderCTF/actually-proxed
go 1.20