<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Writeups on Negative Nine Security</title><link>https://neg9.org/writeups/</link><description>Recent content in Writeups on Negative Nine Security</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><copyright>&lt;a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0&lt;/a></copyright><lastBuildDate>Mon, 26 Apr 2021 12:54:00 +0000</lastBuildDate><atom:link href="https://neg9.org/writeups/index.xml" rel="self" type="application/rss+xml"/><item><title>TAMUctf 2021 Ring Of Fire Solution</title><link>https://neg9.org/writeups/tamuctf-2021-ring-of-fire-solution/</link><pubDate>Mon, 26 Apr 2021 12:54:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-ring-of-fire-solution/</guid><description>TAMUctf 2021 Ring Of Fire - 100 points
For none and none, there is always none
For none and one, there can be only one
For one and one, there is nothing but none
codeFile.txt
Sometimes, I sing to myself
Love is a burning thing
And it makes a fiery ring
Bound by wild desire
I fell into a ring of fire
Ring Of Fire is a fairly straightforward crypto problem.</description></item><item><title>TAMUctf 2021 simple_cipher Solution</title><link>https://neg9.org/writeups/tamuctf-2021-simple_cipher-solution/</link><pubDate>Mon, 26 Apr 2021 12:33:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-simple_cipher-solution/</guid><description>TAMUctf 2021 simple_cipher - 150 points
We have a flag encrypted using this program. Can you figure out what it is? simple_cipher flag.enc
This is a very interesting cipher. By testing values you can understand how to attack it correctly. This is the tactic I used after Angr refused to give me a good answer.
./simple_cipher gigem{zbcdefghijklmnopqrst} |hexdump -C 00000000 61 9e df d4 f7 3d 62 31 f0 79 |a.</description></item><item><title>TAMUctf 2021 Unzip Solution</title><link>https://neg9.org/writeups/tamuctf-2021-unzip-solution/</link><pubDate>Mon, 26 Apr 2021 12:02:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-unzip-solution/</guid><description>TAMUctf 2021 Unzip - 100 points
Hey, can you unzip this for me? chall.zip
Step 1: Convert the zip file to a file that John can crack.
Note that this is a pretty standard tool&amp;hellip;
zip2john ~/Downloads/chall.zip &amp;gt;~/altsci/tamuctf/chall.txt chall.txt:
chall.zip/flag.txt:$pkzip2$1*2*2*0*30*24*75c0f8c7*0*42*0*30*75c0*b004*e980ad8b1ffd804291d329b24794613bf3484fa6292fd97a57836440dfce9ce753a89d0ad9a8b16b042ecee459ed1274*$/pkzip2$:flag.txt:chall.zip::/home/jvoss/Downloads/chall.zip Step 2: Crack the password.
john --format=PKZIP --rules --wordlist=crack/ai3words_order.txt ~/altsci/tamuctf/chall.txt John cracks it pretty quickly with a simple wordlist but I chose to use the AI3 wordlist which you can download with my DNSSEC research.</description></item><item><title>TAMUctf 2021 Spectral Imaging Solution</title><link>https://neg9.org/writeups/tamuctf-2021-spectral-imaging-solution/</link><pubDate>Mon, 26 Apr 2021 11:54:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-spectral-imaging-solution/</guid><description>TAMUctf 2021 Spectral Imaging - 100 points
Some things are meant to be heard but not seen. This sounds like it&amp;rsquo;s meant to be seen, not heard. audio.wav
Spectral Imaging is just a simple spectrogram problem which I&amp;rsquo;ve seen many times before. Open the file in Audacity, switch to spectrogram. Set the settings to high top frequency and that&amp;rsquo;s all. This can probably also be solved with sox.</description></item><item><title>TAMUctf 2021 Encoding Solution</title><link>https://neg9.org/writeups/tamuctf-2021-encoding-solution/</link><pubDate>Mon, 26 Apr 2021 11:39:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-encoding-solution/</guid><description>TAMUctf 2021 Encoding - 100 points
This is literally the flag but obfuscated through tons of different encoding schemes. data.txt
Step 1: Convert from a string of integers separated by spaces to a list of integers.
a = open(&amp;#39;encoding_data.txt&amp;#39;, &amp;#39;r&amp;#39;).read() b = [chr(int(x)) for x in a.split()] b = [int(x) for x in a.split()] c = bytes(b) Step 2: Try to see if it&amp;rsquo;s using UTF-16.
c.decode(&amp;#39;utf-16&amp;#39;) &amp;#39;ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿ꪆ㰿ꪆ㰿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㴿ꪆ㰿ꪆ㴿&amp;#39; c.</description></item><item><title>TAMUctf 2021 Handshake Solution</title><link>https://neg9.org/writeups/tamuctf-2021-handshake-solution/</link><pubDate>Mon, 26 Apr 2021 11:39:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-handshake-solution/</guid><description>TAMUctf 2021 Handshake - 150 points
Attack this binary and get the flag! handshake openssl s_client -connect tamuctf.com:443 -servername handshake -quiet
Handshake is a standard i686 Linux binary with NX but no PIE. There&amp;rsquo;s a stack buffer overflow which is easy enough to exploit. Without PIE, ROP is available. Because Handshake provides a win function, it makes sense that is the way to get the flag without getting full code execution with a ROP chain.</description></item><item><title>TAMUctf 2021 Pancake Solution</title><link>https://neg9.org/writeups/tamuctf-2021-pancake-solution/</link><pubDate>Mon, 26 Apr 2021 11:39:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-pancake-solution/</guid><description>TAMUctf 2021 Pancake - 100 points
Attack this binary to get the flag! pancake openssl s_client -connect tamuctf.com:443 -servername pancake -quiet
Pancake is an easy exploitation challenge I think. I decided to use angr and was pleasantly surprised that it solved it quite rapidly. It uses the standard format for angr solutions that I&amp;rsquo;ve been using for years. I don&amp;rsquo;t know what the exploit payload does. It&amp;rsquo;s not clear at all to me what is going on except that the exploit must have been pretty straightforward.</description></item><item><title>TAMUctf 2021 TicTacToe Solution</title><link>https://neg9.org/writeups/tamuctf-2021-tictactoe-solution/</link><pubDate>Mon, 26 Apr 2021 11:39:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-tictactoe-solution/</guid><description>TAMUctf 2021 TicTacToe - 150 points
Hey, I made a tic tac toe game! If you can beat me enough times I&amp;rsquo;ll give you a flag. tictactoe openssl s_client -connect tamuctf.com:443 -servername tictactoe -quiet
I tried to solve this without looking at the source code for a while. Spoiler, this is not easy to solve without looking at the source code or at least knowing the vulnerability involved.</description></item><item><title>TAMUctf 2021 NX Oopsie Solution</title><link>https://neg9.org/writeups/tamuctf-2021-nx-oopsie-solution/</link><pubDate>Mon, 26 Apr 2021 11:03:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-nx-oopsie-solution/</guid><description>TAMUctf 2021 NX Oopsie - 100 points
Attack this binary and get the flag! nx-oopsie openssl s_client -connect tamuctf.com:443 -servername nx-oopsie -quiet
I spent way too much time on this problem, stopping to work on other problems and coming back time and time again. This is a simple stack overflow on x86-64 with NX and PIE. How do you exploit it? It uses musl libc so running it on a normal Linux machine doesn&amp;rsquo;t work.</description></item><item><title>TAMUctf 2021 pybox Solution</title><link>https://neg9.org/writeups/tamuctf-2021-pybox-solution/</link><pubDate>Mon, 26 Apr 2021 10:56:00 +0000</pubDate><guid>https://neg9.org/writeups/tamuctf-2021-pybox-solution/</guid><description>TAMUctf 2021 pybox - 150 points
We spun up a server for you to execute your python code! For security reasons, we&amp;rsquo;ve disabled a few syscalls, but you can do all the computation you&amp;rsquo;d like! restricted_python/src/main.rs openssl s_client -connect tamuctf.com:443 -servername pybox -quiet
This challenge was remarkably easy. They use seccomp to disable reading from a file. That&amp;rsquo;s not nearly enough to stop a hacker from accessing a flag.</description></item></channel></rss>