rev: add a few more challenges

2024-09-02 20:19:47 +02:00 · 2024-09-02 20:19:47 +02:00 · dc6284f487
parent 1ca81359ba
commit dc6284f487
25 changed files with 1474 additions and 0 deletions
--- a/rev/bloat_py/bloat.flag.py
+++ b/rev/bloat_py/bloat.flag.py
@ -0,0 +1,41 @@
+import sys
+a = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"+ \
+            "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~ "
+def arg133(arg432):
+  if arg432 == a[71]+a[64]+a[79]+a[79]+a[88]+a[66]+a[71]+a[64]+a[77]+a[66]+a[68]:
+    return True
+  else:
+    print(a[51]+a[71]+a[64]+a[83]+a[94]+a[79]+a[64]+a[82]+a[82]+a[86]+a[78]+\
+a[81]+a[67]+a[94]+a[72]+a[82]+a[94]+a[72]+a[77]+a[66]+a[78]+a[81]+\
+a[81]+a[68]+a[66]+a[83])
+    sys.exit(0)
+    return False
+def arg111(arg444):
+  return arg122(arg444.decode(), a[81]+a[64]+a[79]+a[82]+a[66]+a[64]+a[75]+\
+a[75]+a[72]+a[78]+a[77])
+def arg232():
+  return input(a[47]+a[75]+a[68]+a[64]+a[82]+a[68]+a[94]+a[68]+a[77]+a[83]+\
+a[68]+a[81]+a[94]+a[66]+a[78]+a[81]+a[81]+a[68]+a[66]+a[83]+\
+a[94]+a[79]+a[64]+a[82]+a[82]+a[86]+a[78]+a[81]+a[67]+a[94]+\
+a[69]+a[78]+a[81]+a[94]+a[69]+a[75]+a[64]+a[70]+a[25]+a[94])
+def arg132():
+  return open('flag.txt.enc', 'rb').read()
+def arg112():
+  print(a[54]+a[68]+a[75]+a[66]+a[78]+a[76]+a[68]+a[94]+a[65]+a[64]+a[66]+\
+a[74]+a[13]+a[13]+a[13]+a[94]+a[88]+a[78]+a[84]+a[81]+a[94]+a[69]+\
+a[75]+a[64]+a[70]+a[11]+a[94]+a[84]+a[82]+a[68]+a[81]+a[25])
+def arg122(arg432, arg423):
+    arg433 = arg423
+    i = 0
+    while len(arg433) < len(arg432):
+        arg433 = arg433 + arg423[i]
+        i = (i + 1) % len(arg423)        
+    return "".join([chr(ord(arg422) ^ ord(arg442)) for (arg422,arg442) in zip(arg432,arg433)])
+arg444 = arg132()
+arg432 = arg232()
+arg133(arg432)
+arg112()
+arg423 = arg111(arg444)
+print(arg423)
+sys.exit(0)
+
--- a/rev/bloat_py/clean-bloat.flag.py
+++ b/rev/bloat_py/clean-bloat.flag.py
@ -0,0 +1,39 @@
+#!/usr/bin/env python3
+
+import sys
+
+def arg133(arg432):
+  if arg432 == "happychance":
+    return True
+  else:
+    print("That password is incorrect")
+    sys.exit(0)
+    return False
+
+def arg111(arg444):
+  return arg122(arg444.decode(), "rapscallion")
+
+def arg232():
+  return input("Please enter correct password for flag:")
+
+def arg132():
+  return open('flag.txt.enc', 'rb').read()
+
+def arg112():
+  print("Welcome back... your flag, user:")
+
+def arg122(arg432, arg423):
+    arg433 = arg423
+    i = 0
+    while len(arg433) < len(arg432):
+        arg433 = arg433 + arg423[i]
+        i = (i + 1) % len(arg423)
+    return "".join([chr(ord(arg422) ^ ord(arg442)) for (arg422,arg442) in zip(arg432,arg433)])
+
+arg444 = arg132()
+arg432 = arg232()
+arg133(arg432)
+arg112()
+arg423 = arg111(arg444)
+print(arg423)
+sys.exit(0)
--- a/rev/bloat_py/flag.txt.enc
+++ b/rev/bloat_py/flag.txt.enc
--- a/rev/bloat_py/output.txt
+++ b/rev/bloat_py/output.txt
@ -0,0 +1,4 @@
+$ ./clean-bloat.flag.py
+Please enter correct password for flag:happychance
+Welcome back... your flag, user:
+picoCTF{d30bfu5c4710n_f7w_5e14b257}
--- a/rev/file_run1/run
+++ b/rev/file_run1/run
--- a/rev/file_run2/output.txt
+++ b/rev/file_run2/output.txt
@ -0,0 +1,2 @@
+$ ./run 'Hello!'
+The flag is: picoCTF{F1r57_4rgum3n7_f65ed63e}%
--- a/rev/file_run2/run
+++ b/rev/file_run2/run
--- a/rev/fresh_java/KeygenMe.class
+++ b/rev/fresh_java/KeygenMe.class
--- a/rev/fresh_java/decompiled.java
+++ b/rev/fresh_java/decompiled.java
@ -0,0 +1,152 @@
+// NOTE: Decompiled with JD-GUI
+
+import java.util.Scanner;
+
+public class KeygenMe {
+  public static void main(String[] paramArrayOfString) {
+    Scanner scanner = new Scanner(System.in);
+    System.out.println("Enter key:");
+    String str = scanner.nextLine();
+    if (str.length() != 34) {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(33) != '}') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(32) != '9') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(31) != '8') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(30) != 'c') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(29) != 'a') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(28) != 'c') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(27) != '8') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(26) != '3') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(25) != '7') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(24) != '_') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(23) != 'd') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(22) != '3') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(21) != 'r') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(20) != '1') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(19) != 'u') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(18) != 'q') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(17) != '3') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(16) != 'r') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(15) != '_') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(14) != 'g') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(13) != 'n') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(12) != '1') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(11) != 'l') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(10) != '0') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(9) != '0') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(8) != '7') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(7) != '{') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(6) != 'F') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(5) != 'T') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(4) != 'C') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(3) != 'o') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(2) != 'c') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(1) != 'i') {
+      System.out.println("Invalid key");
+      return;
+    }
+    if (str.charAt(0) != 'p') {
+      System.out.println("Invalid key");
+      return;
+    }
+    System.out.println("Valid key");
+  }
+}
--- a/rev/fresh_java/flag.txt
+++ b/rev/fresh_java/flag.txt
@ -0,0 +1 @@
+picoCTF{700l1ng_r3qu1r3d_738cac89}
--- a/rev/patchme_py/flag.txt.enc
+++ b/rev/patchme_py/flag.txt.enc
@ -0,0 +1,3 @@
+
+* '	UYX+
CR1@
+6U]WVM
--- a/rev/patchme_py/output.txt
+++ b/rev/patchme_py/output.txt
@ -0,0 +1,4 @@
+$ python patchme.flag.py
+Please enter correct password for flag: ak98-=90adfjhgj321sleuth9000
+Welcome back... your flag, user:
+picoCTF{p47ch1ng_l1f3_h4ck_c4a4688b}
--- a/rev/patchme_py/patchme.flag.py
+++ b/rev/patchme_py/patchme.flag.py
@ -0,0 +1,31 @@
+### THIS FUNCTION WILL NOT HELP YOU FIND THE FLAG --LT ########################
+def str_xor(secret, key):
+    #extend key to secret length
+    new_key = key
+    i = 0
+    while len(new_key) < len(secret):
+        new_key = new_key + key[i]
+        i = (i + 1) % len(key)        
+    return "".join([chr(ord(secret_c) ^ ord(new_key_c)) for (secret_c,new_key_c) in zip(secret,new_key)])
+###############################################################################
+
+
+flag_enc = open('flag.txt.enc', 'rb').read()
+
+
+
+def level_1_pw_check():
+    user_pw = input("Please enter correct password for flag: ")
+    if( user_pw == "ak98" + \
+                   "-=90" + \
+                   "adfjhgj321" + \
+                   "sleuth9000"):
+        print("Welcome back... your flag, user:")
+        decryption = str_xor(flag_enc.decode(), "utilitarian")
+        print(decryption)
+        return
+    print("That password is incorrect")
+
+
+
+level_1_pw_check()
--- a/rev/reverse/ret
+++ b/rev/reverse/ret
--- a/rev/reverse/solve.sh
+++ b/rev/reverse/solve.sh
@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash binutils
+
+strings ./ret | grep -o "picoCTF{.*}"
--- a/rev/safe_opener/SafeOpener.java
+++ b/rev/safe_opener/SafeOpener.java
@ -0,0 +1,42 @@
+import java.io.*;
+import java.util.*;
+public class SafeOpener {
+    public static void main(String args[]) throws IOException {
+        BufferedReader keyboard = new BufferedReader(new InputStreamReader(System.in));
+        Base64.Encoder encoder = Base64.getEncoder();
+        String encodedkey = "";
+        String key = "";
+        int i = 0;
+        boolean isOpen;
+
+
+        while (i < 3) {
+            System.out.print("Enter password for the safe: ");
+            key = keyboard.readLine();
+
+            encodedkey = encoder.encodeToString(key.getBytes());
+            System.out.println(encodedkey);
+
+            isOpen = openSafe(encodedkey);
+            if (!isOpen) {
+                System.out.println("You have  " + (2 - i) + " attempt(s) left");
+                i++;
+                continue;
+            }
+            break;
+        }
+    }
+
+    public static boolean openSafe(String password) {
+        String encodedkey = "cGwzYXMzX2wzdF9tM18xbnQwX3RoM19zYWYz";
+
+        if (password.equals(encodedkey)) {
+            System.out.println("Sesame open");
+            return true;
+        }
+        else {
+            System.out.println("Password is incorrect\n");
+            return false;
+        }
+    }
+}
--- a/rev/safe_opener/a.out
+++ b/rev/safe_opener/a.out
--- a/rev/safe_opener/flag.txt
+++ b/rev/safe_opener/flag.txt
@ -0,0 +1,3 @@
+# NOTE: password in source code is base64 encoded
+
+picoCTF{pl3as3_l3t_m3_1nt0_th3_saf3}
--- a/rev/safe_opener_2/SafeOpener.class
+++ b/rev/safe_opener_2/SafeOpener.class
--- a/rev/safe_opener_2/solve.sh
+++ b/rev/safe_opener_2/solve.sh
@ -0,0 +1,4 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p bash binutils
+
+strings ./SafeOpener.class | grep -o "picoCTF{.*}"
--- a/rev/speeds_and_feeds/flag.txt
+++ b/rev/speeds_and_feeds/flag.txt
@ -0,0 +1,3 @@
+# NOTE: open the file in FreeCAD
+
+picoCTF{num3r1cal_c0ntr0l_84d2d117}
--- a/rev/speeds_and_feeds/output.nc
+++ b/rev/speeds_and_feeds/output.nc
--- a/rev/unpackme_py/unpackme.flag.py
+++ b/rev/unpackme_py/unpackme.flag.py
@ -0,0 +1,15 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i python3 -p python3 python3Packages.cryptography
+
+import base64
+from cryptography.fernet import Fernet
+
+payload = b'gAAAAABkzWGWvEp8gLI9AcIn5o-ahDUwkTvM6EwF7YYMZlE-_Gf9rcNYjxIgX4b0ltY6bcxKarib2ds6POclRwCwhsRb1LOXVt4Q3ePtMY4BmHFFZlIHLk05CjwigT7hiI9p3sH9e7Cpk1uO90xbHbuy-mfi3nkmn411aBgwxyWpJvykpkuBIG_nty6zbox3UhbB85TOis0TgM0zG4ht0-GUW4wTq2_5-wkw3kV1ZAisLJHzF-Z9oLMmwFZU0UCAcHaBTGDF5BnVLmUeCGTgzVLSNn6BmB61Yg=='
+
+key_str = 'correctstaplecorrectstaplecorrec'
+key_base64 = base64.b64encode(key_str.encode())
+f = Fernet(key_base64)
+plain = f.decrypt(payload)
+
+print(plain.decode())
+# exec(plain.decode())
--- a/rev/vault_door_training/VaultDoorTraining.java
+++ b/rev/vault_door_training/VaultDoorTraining.java
@ -0,0 +1,26 @@
+import java.util.*;
+
+class VaultDoorTraining {
+    public static void main(String args[]) {
+        VaultDoorTraining vaultDoor = new VaultDoorTraining();
+        Scanner scanner = new Scanner(System.in); 
+        System.out.print("Enter vault password: ");
+        String userInput = scanner.next();
+	String input = userInput.substring("picoCTF{".length(),userInput.length()-1);
+	if (vaultDoor.checkPassword(input)) {
+	    System.out.println("Access granted.");
+	} else {
+	    System.out.println("Access denied!");
+	}
+   }
+
+    // The password is below. Is it safe to put the password in the source code?
+    // What if somebody stole our source code? Then they would know what our
+    // password is. Hmm... I will think of some ways to improve the security
+    // on the other doors.
+    //
+    // -Minion #9567
+    public boolean checkPassword(String password) {
+        return password.equals("w4rm1ng_Up_w1tH_jAv4_eec0716b713");
+    }
+}
--- a/rev/vault_door_training/flag.txt
+++ b/rev/vault_door_training/flag.txt
@ -0,0 +1 @@
+picoCTF{w4rm1ng_Up_w1tH_jAv4_eec0716b713}