Title : Quick Writeups CTF IT RACE lvl 3, Author Pwnium
Released : 2016-10-18 16:31:40 -0400

Title : Lorem is not Ipsum

Point : 13
Category : #forensic #warmup
Solution: The idea is just to diff the files and get the added words.
My script:

fname = ".loremipsum"
flag = ""
for i in range(63):
    # Compare each file with the next one in the sequence
    with open(str(i)+fname) as f1:
        with open(str(i+1)+fname) as f2:
            s1 = f1.read().split()
            s2 = f2.read().split()
            for w1 in s1:
                if w1 not in s2 and len(w1) < 3:
                    # This line is missing from the listing; appending the word is assumed
                    flag += w1
print flag

You get:
so finally you found the pattern... ITRACE{similiriti_similikiti}

Title : Brute Self

Point : 35
Category : #reversing

#gdb password
gdb-peda$ b *0x4011df
gdb-peda$ r $(python -c 'print "A"*32')
gdb-peda$ x/s $rsp+0x20
0x7fffffffeb20: "KVTCEG}d6fae2f57aj3f3p8a3Par6em\177"
gdb-peda$ r $(python -c 'print "".join([chr(ord(c)-2) for c in "KVTCEG}d6fae2f57aj3f3p8a3Par6em\177"])')

Flag: ITRACE{b4d_c0d35_h1d1n6_1N_p4ck}

Title : module_2

Point : 90
Category : #reversing
Solution: Use the same cookie (sent by module 0) for each new request.
Delete function.js:57
Sign the apk, install it and run it again.
Flag: ITRACE{nev3r_tru5t_us3r_n0r_53rv3r}

Title : Square Them

Point : 60
Category : #web #ppc
This task is about Magic Squares (https://en.wikipedia.org/wiki/Magic_square)
We are given the sum of each column/row and we need to find the elements of the square.
The solution is to take the square that produces a sum of 15 (the example from Wikipedia) and add a certain delta to all its elements:
delta = (sum-15)/3
The service is a web service, so we used 'requests' module in python to build a solver.
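The delta trick as an added example (not the team's solver): each line has three cells, so adding delta to every cell raises every line sum by 3*delta. The function names and the orientation of the sum-15 square are assumptions, and the web-service part is left out.

```python
# Added example: build a 3x3 magic square for a requested line sum.
# One orientation of the classic sum-15 square (assumed; any rotation works).
BASE = [[2, 7, 6],
        [9, 5, 1],
        [4, 3, 8]]

def magic_square(target_sum):
    """Return a 3x3 square whose lines all sum to target_sum."""
    # A 3x3 integer magic square always sums to 3x its centre cell,
    # so a target that is not a multiple of 3 has no integer solution.
    if (target_sum - 15) % 3 != 0:
        raise ValueError("sum must be a multiple of 3")
    delta = (target_sum - 15) // 3
    return [[cell + delta for cell in row] for row in BASE]

def line_sums(square):
    """Sums of the 3 rows, 3 columns and 2 diagonals."""
    rows = [sum(r) for r in square]
    cols = [sum(c) for c in zip(*square)]
    diags = [sum(square[i][i] for i in range(3)),
             sum(square[i][2 - i] for i in range(3))]
    return rows + cols + diags

def solve(target_sum):
    """Build the square and verify every line before it is submitted."""
    square = magic_square(target_sum)
    if set(line_sums(square)) != {target_sum}:
        raise AssertionError("square does not match the requested sum")
    return square

if __name__ == "__main__":
    for row in solve(42):
        print(row)
```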
Flag: ITRACE{m4g1c_squ4r3_is_s0_m4th}

Title : Scazzy

Point : 88
Category : #ppc
This task is about using a client for Telegram in order to create a solver.
We used this python client: https://github.com/luckydonald/pytg
The bot asks us to evaluate some integer equations like:
01100011 add 10110001 x 96 ÷ 10111010 ÷ 0xCC - 45 - 0xE5 - 0x51 ÷ 11010010
We do this in three steps:
1) Replace the operators used (add, -, x, ÷) by python operators (+, -, *, /)
2) Add '0b' to binary numbers; these are the ones that are 8 characters long.
3) Use 'eval' function to get the result.
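The three steps as an added example (not the team's solver, and without the Telegram client). Because the expression comes from a remote bot, every token is checked against a whitelist before anything reaches eval. The function names are assumptions, and '÷' is assumed to be integer division, as '/' on integers was in Python 2.

```python
import re

# Step 1: the bot's operators mapped to Python operators.
OPS = {"add": "+", "-": "-", "x": "*", "÷": "//"}

# Expression taken from the task description above.
SAMPLE = ("01100011 add 10110001 x 96 ÷ 10111010 ÷ 0xCC "
          "- 45 - 0xE5 - 0x51 ÷ 11010010")

def to_python(expr):
    """Translate a bot expression into a Python arithmetic string.

    Every token must be a known operator or a numeric literal;
    anything else is rejected before eval ever sees it.
    """
    out = []
    for tok in expr.split():
        if tok in OPS:
            out.append(OPS[tok])
        elif re.fullmatch(r"[01]{8}", tok):            # step 2: 8 chars = binary
            out.append(str(int(tok, 2)))
        elif re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):  # hexadecimal literal
            out.append(str(int(tok, 16)))
        elif re.fullmatch(r"[0-9]+", tok):             # plain decimal
            out.append(str(int(tok, 10)))
        else:
            raise ValueError("unexpected token from bot: %r" % tok)
    return " ".join(out)

def evaluate(expr):
    """Step 3: evaluate the validated expression with no builtins available."""
    return eval(to_python(expr), {"__builtins__": {}}, {})

if __name__ == "__main__":
    print(to_python(SAMPLE))
    print(evaluate(SAMPLE))
```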
Flag: ITRACE{b0t_tele6r4m_i5_m0d3rn_typ3_0f_ircs_b0t}

Title : Not Heart Bleed

Point : 43
Category : #web
In this task we are provided with a web service. When we display the page in a browser we get a JSON response:
    "method": "POST",
    "param-required": "request",
    "request": "",
    "Accept-Charset": "UTF-8",
    "Content-Length": 0,
    "Respond-Text": "This server ONLY response to UTF-8 Charset. Else will be converted. Max length contents are 64 bytes."
When we try to send some data in a POST request we get this JSON response:
    "method": "POST",
    "request": "abcd",
    "Accept-Charset": "UTF-8",
    "Content-Length": 64,
    "Respond-Text": "abcd............................................................"
If we send 32 unicode characters we get this response:
0x4c 0x4f 0x4f 0x4b 0x49 0x4e 0x47 0x20 0x46 0x4f 0x52 0x20 0x41 0x20 0x46 0x4c 0x41 0x47 0x3f 0x20 0x54 0x48 0x45 0x4e 0x20 0x54 0x48 0x49 0x53 0x20 0x49 0x53 0x20 0x46 0x4f 0x52 0x20 0x59 0x4f 0x55 0x3a 0x20 0x49 0x54 0x52 0x41 0x43 0x45 0x7b 0x59 0x34 0x59 0x5f 0x54 0x4f 0x5f 0x33 0x34 0x35 0x59 0x7d 0x0 0x0 0x0


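import requests, json
url = 'http://task-00001110.itrace.systems/request.php'
s = requests.session()
s.headers['User-Agent'] = 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0'
# r = s.get(url)
# Send 32 non-ASCII unicode characters in the 'request' parameter
r = s.post(url, {'request': u'\u0207'*32})
# Skip the first 5 characters of the response text before parsing the JSON
print json.loads(r.text[5:])['Respond-Text']
# Pad the '0x0' tokens to two digits, strip the '0x' prefixes and spaces, then hex-decode (Python 2)
print json.loads(r.text[5:])['Respond-Text'].replace(' 0x0', ' 0x00').replace('0x', '').replace(' ', '').decode('hex')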

Flag: ITRACE{Y4Y_TO_345Y}

Title : Print The Flag

Point : 21
Category : #misc
In this task we are provided with a corrupted PrintTheFlag.class (JAVA) file.
We can run this file on the server ( to get it to print the content of flag.txt
After reading this: https://en.wikipedia.org/wiki/Java_class_file, we noticed that the magic number has been changed.
So, we open the file PrintTheFlag.class in a hex editor and change the first 4 bytes to: CAFEBABE
We save the file and upload it, we get the flag.
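The hex-editor fix as an added example (not part of the original writeup): restore the magic number, then read the next three header fields as a sanity check that the rest of the header still looks like a class file. The function name and the sample bytes are constructed for illustration; the upload step is left out.

```python
import struct

JAVA_MAGIC = b"\xca\xfe\xba\xbe"  # first 4 bytes of every Java class file

def repair_class_header(data):
    """Return (fixed_bytes, info) with the magic number restored.

    Header layout: u4 magic, u2 minor_version, u2 major_version,
    u2 constant_pool_count (all big-endian).
    """
    if len(data) < 10:
        raise ValueError("too short to be a class file")
    old_magic = data[:4]
    fixed = JAVA_MAGIC + data[4:]
    minor, major, cp_count = struct.unpack(">HHH", fixed[4:10])
    # Major versions start at 45 and the constant pool count is
    # entries + 1, so smaller values mean more than the magic is damaged.
    if major < 45 or cp_count < 1:
        raise ValueError("header damaged beyond the magic number")
    info = {
        "was_corrupted": old_magic != JAVA_MAGIC,
        "old_magic": old_magic.hex(),
        "minor": minor,
        "major": major,
        "constant_pool_count": cp_count,
    }
    return fixed, info

# Constructed sample: wrong magic, then minor 0, major 52 (Java 8),
# constant_pool_count 29, followed by filler bytes.
SAMPLE = b"\xde\xad\xbe\xef" + struct.pack(">HHH", 0, 52, 29) + b"\x00" * 8

if __name__ == "__main__":
    fixed, info = repair_class_header(SAMPLE)
    print(info)
    print(fixed[:4].hex())
```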
Flag: ITRACE{s0m3t1m35_j4v4_is_s0_t3xty}

Title : Pixel Racist

Point : 70
Category : #ppc
In this task we are provided with an image that has random colors.
We need to find the color that appears the least.
Using the python modules 'requests' and 'PIL' we can easily write a solver.
Here is the function in python to get the least color of an image:

def leastColor(img):
    # Count how many times each RGB color appears in the image
    arr = {}
    width, height = img.size
    pix = img.load()
    for i in range(width):
        for j in range(height):
            color = '%02x%02x%02x' % pix[i,j]
            if color in arr:
                arr[color] += 1
            else:
                arr[color] = 1
    # Return the hex color with the smallest count
    return min(arr, key=arr.get)

Flag: ITRACE{y0u_6uy5_4r3_4wes0m3}


Point : 25
Category : #web
In this task we are asked to use the command 'flag' in the platform's console.
When we run it we see this output: "Did you see it coming?"
Examining the AJAX request in Developer Tools, we see this JSON response:

{ "command": "flag", "flag": "Congratulations. This is your flag: ITRACE{Asynchronous_Javascript_And_XML}", "errmsg": "Did you see it coming?" }

Flag: ITRACE{Asynchronous_Javascript_And_XML}

Title : Ping Me

Point : 50.1
Category : #recon
In this task we need to search for the CTF author in Google.
His full name is "Muhammad Muzammil", but searching for it in Google finds us a different person :(
Looking at the "about" command in the platform's console, I see a link to this Facebook page:
Which has the link to the website: http://cafelinux.info/
When we click on "About" we get to a "pingme" page: http://cafelinux.info/pingme
Yes, it contained the flag!
Flag: ITRACE{http_www.cafelinux.info_ping.me}

Title : Binary Typ0

Point : 45
Category : #forensic

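# Each character of this string is the name of one input file
files = 'this15falg'
out = ""
n = 0
for f in files:
    s = open(f, 'rb').read()
    # Each file holds space-separated hex values
    s = s.split(' ')
    for c in s:
        out += "%02x"%int(c, 16)
        print c

print n
# Hex-decode the collected values into the image (Python 2)
open('out.jpg', 'wb').write(out.decode('hex'))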