Teaser CTF 2015 writeup (So easy, power level)


Teaser CTF is launched by Dragon Sector, a Polish security Capture The Flag team. It was created in February 2013 and currently has 13 active members.

I solved two challenges on the first evening (so easy, power level) and tried to solve the pwnable challenge quine on Sunday morning but failed; I found a write-anywhere vulnerability but I didn’t see how to exploit it.

1. power level (50 points)

This is a cryptography challenge; the encryption algorithm and the ciphertext are given. The first 4 input characters are used as parameters of a polynomial that decides which encryption routine is used for each character to calculate an output.

So the complexity of brute-forcing the key is (127-32)^4 ≈ 2^24, which is fairly weak, and we can brute-force this deterministic encryption algorithm.

The following is part of the brute-forcing code:

After getting the key (the first four bytes), we can build a table for each ASCII code and decrypt the ciphertext.

PS: the encryption is not a one-to-one map, so we need to resolve some hash collisions.

The flag is:

 

2. So easy (100 points)

This is a reverse engineering challenge. The program gets an input string, flips the upper/lower case and compares it to DrgnS{ThisWasSoEasy}; if they are equal, it calls printf("Congratulations"). However, this is not the correct flag. After some searching I found that before calling the main function, the program calls sub_80488BE(), which makes many __cxa_atexit() calls. The functions passed to these atexit calls will be called after exit() in reverse order. After some analysis, the input string is actually compared to the following string:

 

For more writeups, please refer to:

https://github.com/ctfs/write-ups-2015/tree/master/confidence-ctf-teaser-2015
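The exit-handler behaviour behind the "So easy" challenge, as an added example that is not the challenge's code: a child process registers three handlers, runs its visible "main" work, then calls exit(), and the parent records the order in which everything ran. The handler names and the pipe are assumptions made for illustration, and plain atexit() stands in for __cxa_atexit().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static int report_fd = -1;            /* write end of the pipe (child only) */

/* Write one marker byte so the parent can see what ran, and when. */
static void report(char c) { if (write(report_fd, &c, 1) != 1) _exit(1); }

/* Hypothetical handlers standing in for the hidden comparison steps. */
static void handler_a(void) { report('A'); }
static void handler_b(void) { report('B'); }
static void handler_c(void) { report('C'); }

/* Fork a child that registers A, B, C, does its "main" work ('m') and
   calls exit(). Fills out with the observed order; returns 0 on success. */
int atexit_order(char *out, size_t outlen)
{
    int fds[2];
    if (outlen == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        close(fds[0]);
        report_fd = fds[1];
        atexit(handler_a);            /* registered first, runs last */
        atexit(handler_b);
        atexit(handler_c);            /* registered last, runs first */
        report('m');                  /* the check a reverser sees in main() */
        exit(0);                      /* handlers run only from here on */
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return 0;
}

int main(void)
{
    char order[16];
    if (atexit_order(order, sizeof order) == 0) printf("%s\n", order);
    return 0;
}
```

When reversing a binary like this one, read the registered handlers from the last registration to the first to follow the order in which they execute.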
