ENOJAIL

We launched a new service today. It’s called ENOJAIL™ and gives the user access to an unlimited IPython shell. Sadly, management decided we need to leave our valuable flag.txt on the server, so naturally, engineering had to lock it back down a bit. But we are sure you will still enjoy all of the possibilities, such as.. Calculating 5/5 fully interactively, evaluating ‘1’, and so much more! What’s going on? It’s all about a broken IPython shell. We observed that some characters were not allowed, so we tried to print ’em all and got the whitelisted characters: ...

3 min · Ulisse

Magic Words

Give me a sign for the magic words and the flag is yours. What’s going on? This service is using gmp, a library for arbitrary precision arithmetic in C. A brief code explanation: The target string is created by appending magic words in a random order. We’re told that string and asked for its signature. A simple modular exponentiation is performed ($m \equiv sig^3 \pmod n$). $m$ is converted to a string and compared against our previous target string using strcmp. If 0 is returned, we get the flag. Aside from the main, there’s just a single function that converts an integer to a string (a sequence of bytes, to be honest). If you’re familiar with PyCryptodome, it works like Crypto.Util.number.long_to_bytes. ...

3 min · Ulisse

Swarm Mind

My brother went to NullCon and all I got was this lousy number. He was supposed to bring me a picture of the flag. So let me shout out to the Swarm. Maybe they can help. The solution: Convert the number to binary, paste it in an editor with line-wrap enabled and play around with the window size until you see the flag show up. The first line of thought we followed for solving this challenge was that the number might be the raw binary data of a picture. We interpreted the number as raw bytes (we converted it to hex first, then we used this website to get back a file with the raw hex data in it). We analyzed the file using file and binwalk and we found out that it was of no known file format. We then used CyberChef to check the file entropy. We noticed that the entropy was lower than what we would expect from a compressed image (such as a JPG or PNG image). This meant that either the data was of an uncompressed image, or it was something different. Here the name of the challenge threw us off: we thought that “swarm” might refer to a swarm of insects/birds in $2D$ / $3D$ space, and we tried interpreting each pair/triple of bytes as $x$, $y$ / $x$, $y$, $z$ coordinates. Sadly, we found out that the number of bytes was odd and not divisible by three. We figured out this was a dead end. Since the number of bytes was not divisible by three, we assumed that the file did not contain data in RGB triples. We then made the assumption that each byte represented the brightness of a pixel in the final image. From this point on, we went back to working with the number converted to hex form. The reasoning behind this was that if our assumption were correct, we should have been able to see some recognizable patterns in the hex data. We pasted the hex number in a text editor with line wraps enabled, and we actually did notice some patterns form: ...

3 min · Ulisse

Texnology

Online LaTeX editors are quite famous now, but are the associated risks as well? Hint: The flag is at /FLAG. What’s going on? We have this website, which compiles LaTeX code from the text area and executes it on a remote server. If the syntax is valid, a link with the compiled PDF appears on the website. The solution: We googled LaTeX command injection and we found this interesting website, which shows some ways to do command injection. We also discovered that LaTeX is a Turing-complete programming language and that it allows us to perform operations such as file I/O. Some operations were blacklisted (e.g. \immediate), but we tried other operations, like this one, which worked: ...

1 min · Ulisse