There are a number of supporting files, such as: names.txt lists the names of the CTF organizing team, and for each there is a .txt and a .bmp file with their bios. The name suggests it is an LZMA-compressed block which was encrypted in some way. Huge success! Still, with the source code for SeaBIOS we can identify a fair chunk of the code with relative ease.

DEF CON CTF 2022, Team Enu(). WriteUp, mic check 1. This ticket and the flag are traceable to your team. Oh, no, not again.

    import core.widgets;
    import core.material;
    import local;

    widget root = Container(
      child: Column(
        children: [
          Row(
            children: [
              Text(text: 'pewpew'),
              Expanded(
                child: Text(text: data.author.user, style: { color: 4278230474 })
              )
            ]
          ),
          Row(
            children: [
              ApiMapper(
                url: "@example.ngrok.io/json",
                jsonKey: "a",
                dataKey: "a",
                onLoaded: set state.abc = 'abc'
              )
            ]
          )
        ]
      )
    );

ApiMapper GET request, POST, source code; source code rfw; poll widget event api_post POST request.

    Row(
      children: [
        ApiMapper(
          url: "@example.ngrok.io/json",
          jsonKey: "a",
          dataKey: "a",
          onLoaded: event "api_post" { path: "@example.ngrok.io/test", body: "bodytest" }
        )
      ]
    ),

POST request response; app; GET API /api/token token; ApiMapper data; ApiMapper event "api_post" admin token; ApiMapper onLoaded event "api_post" poll switch. rfw code: https://github.com/flutter/packages/blob/main/packages/rfw/lib/src/dart/text.dart#L479.
WriteUp (https://github.com/Nautilus-Institute/quals-2022), DEF CON CTF 2022 CTF, "simple-service-c45xrrmhuc5su.shellweplayaga.me", # 2= eval, https://github.com/Nautilus-Institute/quals-2022, 2 Software Design.

It turned out that the correct flag is, in fact, Descent ][ Rules, which this particular font does not make easy to see.

    widget root { loaded: 1 } = Container(
      child: Column(
        children: [
          Row(
            children: [
              Text(text: "test"),
              switch state.loaded {
                2: ApiMapper(
                  url: "@example.ngrok.io/json",
                  jsonKey: "a",
                  dataKey: "b",
                  onLoaded: event "api_post" { path: "@example.ngrok.io/send", body: { "token": data.new_token } },
                ),
                1: ApiMapper(
                  url: "/api/token",
                  jsonKey: "new_token",
                  dataKey: "new_token",
                  onLoaded: set state.loaded = 2,
                ),
                default: Text(text: 'yo')
              }
            ]
          )
        ]
      )
    );

    import core.widgets;
    import core.material;
    import local;

    widget root { loaded: 1 } = Container(
      child: Column(
        children: [
          Row(
            children: [
              Text(text: "test"),
              ApiMapper(
                url: "@example.ngrok.io/json",
                jsonKey: "a",
                dataKey: "b",
                onLoaded: event "api_post" { path: "@example.ngrok.io/send", body: { "token": data.new_token } },
              ),
              switch state.loaded {
                1: ApiMapper(
                  url: "/api/token",
                  jsonKey: "new_token",
                  dataKey: "new_token",
                  onLoaded: set state.loaded = 2,
                ),
                default: Text(text: 'yo')
              }
            ]
          )
        ]
      )
    );

ApiMapper server 3 onLoaded token response data.new_token token server; flutter/dart/rfw; poll widget decode; DEF CON CTF binary CTF pwn reverse.

A quick search later we learn about the APF image format developed by Doug Rattmann at Aperture Laboratories in 1985. You can find the solution for this year's Hashit challenge and a write-up of last year's DEF CON CTF Quals here.
QEMU, the open source machine emulator, can load custom BIOS images, so let's give that a try: the BIOS code itself displays the bios of the CTF organizers (pun most definitely intended):

- Binjitsu by ddtek (up to 2012)
- Legitimate Business Syndicate (2013 to 2017)
- Order of the Overflow (2018 to 2021)
- Nautilus Institute (2022 to ?)

This will slow execution down enough for us to be able to type in what is needed before the splash screen disappears.

    widget root = Container({
      child: Column({
        children: [
          Row({
            children: [
              Text({ text: From }),
              Expanded({
                child: Text({ text: data.author.user, style: { color: 4278230474 } })
              })
            ]
          }),
          Row({
            children: [
              Expanded({ child: Text({ text: data.data.message }) })
            ]
          })
        ]
      })
    });

    import 'dart:io';
    import 'package:rfw/formats.dart';

    void main() async {
      final File currentFile = File('chatmessage');
      print(decodeLibraryBlob(await currentFile.readAsBytes()));
    }

XSS flutter widget; flutter HTML, flutter React/Vue; HTML JS iframe library; HTML/JS; decode poll widget. 28 May 2022, 09:00 UTC+9 to 30 May 2022, 09:00 UTC+9.
A quick look around the strings in the file reveals that this image is based on version 1.16.0 of SeaBIOS, the open source BIOS.
This year, we participated in the DEF CON CTF Quals. We're making a note here; string references in functions often give strong clues about their purpose and make it easy to match them to the source code.
We are looking for the free() call right after decryption, located at 0xFFFFB992 in our disassembly. Placing the breakpoint is a bit tricky because the BIOS code is relocated at runtime, so the offset seen in the disassembly does not always match what is in the memory.
Binary strings are rich sources of information for reverse engineering.

1. oVice 00110000 3 append n k (0011000000110000.) 3n basis d + span(kernel) = k + span(basis) kernel basis linear system sol[:dim(kernel)] * kernel + d alphanumeric crc; reverse binary input bytes hash, hash byte shellcode hash md5, sha1, sha256, sha512 shellcode input bytes; Flutter Web/Desktop admin (bot) desktop.
Good news, there are a ton of challenges at all skill levels available during the qualifiers. This was a triumph. At the GDB prompt we connect and start the program: now we only need a breakpoint right after the decryption and a way to enter the password and seed fast enough. We quickly spot references to NAUTILUS INSTITUTE BIOS OF BIO'S, which is, for example, the part where the main menu is built. Files with a .lzma suffix are LZMA compressed, and one file stands out from the rest: flag.lzma.enc.

    /// This signature is automatically added by [encodeLibraryBlob] and is checked.

DCTF 2022 - 1200 19. Time's up. This challenge requires a ticket to connect. Clearly, this bit of code is here to show how the decryption is performed. There are no checks, and the decrypted data is not used for anything. Once the breakpoint hits, it is time to get our prize: now, with the decrypted block in place, we can try and decompress it: uh-oh, looks bad!

https://github.com/flutter/packages/blob/main/packages/rfw/lib/src/dart/binary.dart#L32, https://github.com/flutter/packages/blob/main/packages/rfw/lib/src/dart/text.dart#L479; remote widget ApiMapper api_post; widget ApiMapper token api_post. The five-digit number means that there are only 100,000 possible seeds, which makes this problem easy to brute-force.
We are faced with two options: a) implement our own APF converter or b) use an existing one.
The seed finder completes very quickly and yields a number of hits: 31337, we should have seen that coming.

Hayyim CTF 2022 - 300 15

    widget root = Container({
      child: Column({
        children: [
          Row({
            children: [
              Text({ text: From }),
              Text({ text: data.author.user, style: { color: 4278230474 } })
            ]
          }),
          Padding({
            padding: [0.0, 5.0, 0.0, 0.0],
            child: Text({ text: data.data.title })
          }),
          switch state.loaded {
            true: Column({
              children: [
                for loop in data.poll_options:
                  Row({
                    children: [
                      Padding({
                        child: ElevatedButton({
                          child: Text({ text: loop0.text }),
                          onPressed: event api_post { path: data.data.apiVote, body: { selection: loop0.text } }
                        }),
                        padding: [0.0, 5.0, 10.0, 0.0]
                      }),
                      Text({ text: loop0.count })
                    ]
                  }),
                TextButton({
                  child: Text({ text: Refresh, style: { color: 4294942366 } }),
                  onPressed: set state.loaded = false
                })
              ]
            }),
            null: ApiMapper({
              url: data.data.apiGet,
              jsonKey: options,
              dataKey: poll_options,
              onLoaded: set state.loaded = true
            })
          }
        ]
      })
    });

ApiMapper API; local build widget; local build import local; build ApiMapper widget.
