bookmark_borderCC7F Round 1., during Hacktivity 2021

In a joint project we step to the next level with two rounds of CCTF. Harder challenges and highers prices wait for the players.

You can read more about us in the media:

https://finance.yahoo.com/news/cctf-organizers-awalcon-cryptall-partner-131600682.html

https://markets.businessinsider.com/news/stocks/cctf-organizers-awalcon-and-cryptall-partner-with-ecox-to-host-the-largest-blockchain-hacking-event-so-far-1030838702

bookmark_borderCCTF4 Hacktivity Writeups 3. (Final)

Foxy challenge

The data given was printable ASCII, which implied a fair chance that it was encrypted (or obfuscated) with a cipher that always outputs such characters. Two obvious suggestions come to mind: base64 and rot13. However, the ciphertext didn’t exactly look like any mainstream base64 output, nor the rot13 of anything reasonable; what other similar ciphers (or encodings) are there?

The key giveaway was the hint of “!47 -> 42”. The main part of the solution was to take the rot42 of the reverse rot47 of the data. This produced what looked like base64 output. It was the base64 of the flag.

Author: Mr. SI

Ethereum VM bytecode challenge

The task was to uncover the flag from a thing that looked like 0x6080… To those familiar with Ethereum smart contract programming, this thing is obviously Ethereum VM bytecode; for others, as a starting point: the problem said “sometimes the code is 404”.

Decompiling the bytecode using an Ethereum VM decompiler <https://ethervm.io/decompile>, we could discover the following:

1. The constructor is uninteresting, it just sets up the contract’s long-term code.
2. The reverse engineered long-term code contains:
function getflag() {
storage[0x01] = 0x0b47326dc54f49d6f674;
}
which looks like a giveaway.

But actually “0x0b47326dc54f49d6f674” wasn’t accepted as the flag. Unfortunately, the bytes therein don’t appear to encode anything sensible either. However:

3. The rest of the long-term code is also not really interesting: it has methods to plainly store and retrieve data.
4. There was no inclination about any deployments of this smart contract.

So one ought to have been baffled: the flag must really be somehow in that outstanding constant. It turns out that the number 0x0b47326dc54f49d6f674 was indeed the flag, but the system accepted it only in decimal format.

Author: Mr. SI

bookmark_borderCCTF4 Hacktivity Writeups 2.

Don’t be eval

The task was to somehow break a specified website. The HTML markup of the website contained the text “Figwheel”. A quick web search will reveal that Figwheel is a software package for developing websites — live¹ — in the Clojure programming language.

On the website, the only item of interest was the link anchored to the text “do you even REPL, bro?”: the URL contained an argument of “(cons 1 2)”, which looks like Clojure code (a lot like Lisp). Along with the challenge’s name of “Don’t be eval”, these all gave the suggestion that the web request’s single parameter was taken as Clojure code to be evaluated, and indeed it was.

Clojure has access to the full Java ecosystem, including IO functions. By sending in appropriate code snippets (in the URL parameter), it was possible to list the contents of the current directory; it contained a file called “flag.txt”. Then that file could be printed, which contained the flag.

¹ to get a feel for what raz, the creator of this challenge, does for a living, see https://www.youtube.com/watch?v=XSIy8gmjmgY#t=1204s

Author: Mr. SI

Pwncoin challenge

For this challenge, a host was specified, and it was suggested that one ought to use Netcat. It was also blatantly stated that one should try overflowing the “meaning of life” (i.e. 42). The solution was to send an arbitrary string exactly of length 43 (not more, which might be weird, but is realistic), over a plain TCP connection; this revealed the flag.

On top of that — and this is something that even the creator of this challenge didn’t think about —, one could discover that the service served at most 1 client at a time, denying other connections while one is open. This permitted a shrewd contestant to prevent other contestants from even attempting to solve this challenge thereafter, by leaving a connection to the server hanging without submitting anything — it wasn’t me! :trollface.jpg:

Note from six for this solution: it was a wargame! 🙂

Author: SI

Thank you SI for submitting the writeups!

bookmark_borderCCTF 4 Hacktivity Writeups 1.

We have received many requests for the CCTF game writeups. Here is the first one, the challenge was called “BIPolognese”. Be careful, spoilers follow.

Challenge: BIPolognese

BIPolognese (100 points)
Crypto Wojack (beginner)

Crypto Wojack was considerate again and made a cold backup of his wallet seed so Bogdanoff can't hak it again.
Meanwhile, he was lost in eating ₿10.000 pizza.

Look at that picture! Can you get the account address?

The hints

  1. The challenge’s name itself suggests a BIP seed
  2. Cold backup
    • These are copied somewhere offline, but before it is shown on the screen
  3. Doing something during eating
    • Crypto Wojack is doing something with the BIP seed and a wallet
  4. Look at the picture
    • You will find the BIP seed on the right laptop’s screen

The solution

Note the BIP44 seed words from the screen, open a web browser, install MetaMask.

After you have installed it, this screen will appear:

Choose the “Import wallet” option and use the seed phrase from the picture.

You find that the wallet it empty, but the flag is the first address as mentioned in the Rules.

Writeup by: six