
Black Technology Royal Posts

[HKUSpaceCTF] Official Reverse Write-up

Hello – 100

You can easily find that there is a variable called flag. Go to the hex view.

Hidden password – 100

After typing whatever password you like, you can use Cheat Engine to search the process.

Answer is? – 100

Same as the previous question.

Shield – 150

HelloRevenge – 200

Just a simple memory search exercise. Input "Please give me the flag", and search for 1 in Cheat Engine. Keep increasing the solved count and searching for the new value in Cheat Engine. Finally, we find that HelloRevenge.vmp.exe+1F2E0 stores the solved count. Change the value to 13333337, input "Please give me the flag" one more time, and you will get the flag.

Unbreakable shell – 225

We can see that the program is protected by UPX, but it is a very weak protection. You can download the tool to unpack it: !OAx0wL7K!gLPZh7pkMv7d8as5serOmg!XdphxZiS

After unpacking, you can see that the real entry point is at 0x00401280, so we can set a breakpoint at that address and run the program. After that, we can dump the unpacked program, and you are able to search strings now. After some analysis, I think that 0x40138e is the main comparison point, so I decided to try patching jnz to jz, and set a breakpoint here to see the effect.


[HKUSpaceCTF] Official Web Write-up

Web Sanity Check – 25

Easy Black Flag (index page) – 50

The weird JavaScript can be decrypted by  After decrypting, we got:

You can paste this into the Chrome console and call getFlag_10571305(), and you will get the flag.

C00k13s 4 you – 50

NotHere – 50

Web3 – 75

View the source, and you will find that the website contains one image. Access the folder of that image, and you will find an image named dnRjdGZ7ZjB.jpg. This is the flag image.

m4TH – 100

All you need to do is answer the question 100 times. After that the website will give you the flag.

L0gic4l – 125

Hint: Oh forgot to say, backup is very important, so i zipped my website and put it in everywhere~

Based on the hint, you may guess that the whole website is zipped with the name  in the root of the website. After reviewing the code, you may find that it uses == to compare two md5 hashes. So, based on PHP's weak comparison, we can use 240610708 and QNKCDZO as the password and super-secure-password.

Rough – 150

Just brute force the 4-digit number.
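To show why the two strings above pass an == check on their md5 hashes, here is an added example (not from the original write-up or the challenge's own PHP). It computes both digests, models PHP's loose == on numeric-looking strings with a small regex and float parse (an approximation, not PHP's own implementation), and contrasts it with the constant-time byte comparison a login check should use (PHP's === or hash_equals()).

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
)

// md5Hex returns the lowercase hex MD5 digest of s, the same string PHP's md5() returns.
func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// phpNumeric approximates PHP's "numeric string" test: optional sign, digits,
// optional fraction, optional exponent. A hex digest matches only when it is
// all digits or has the shape 0e<digits>, which is exactly the "magic hash" case.
var phpNumeric = regexp.MustCompile(`^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$`)

// looseEqual models PHP's == on two strings (assumed model for this example):
// if both look numeric they are compared as numbers, so "0e462..." == "0e830..."
// because both evaluate to 0 * 10^n = 0. Anything else compares bytewise.
func looseEqual(a, b string) bool {
	if phpNumeric.MatchString(a) && phpNumeric.MatchString(b) {
		fa, errA := strconv.ParseFloat(a, 64)
		fb, errB := strconv.ParseFloat(b, 64)
		if errA == nil && errB == nil {
			return fa == fb
		}
	}
	return a == b
}

// strictEqual is the safe check: compare the digests byte for byte in constant
// time, which is what PHP's === or, better, hash_equals() gives you.
func strictEqual(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

func main() {
	h1, h2 := md5Hex("240610708"), md5Hex("QNKCDZO")
	fmt.Println(h1, h2)
	fmt.Println("loose  ==:", looseEqual(h1, h2))
	fmt.Println("strict ===:", strictEqual(h1, h2))
}
```

Both digests begin with 0e followed only by digits, so the loose model reports them equal while the strict comparison does not; the fix on the PHP side is a single character (=== instead of ==) or a call to hash_equals().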

Null – 200

Just use UNION SELECT to make a fake row to bypass the authentication.

Simple PHP Jail – 500

View the source, and you will find that

So, you can view the source code here:

You will find that the source receives the variable cmd and…


[CodeBlue 2017] Common Modulus 2


Solution

Compared with v1, v2 only changes the exponent. So, all we need to do is find the root after getting the result.


[CodeBlue 2017] Common Modulus 1





[SEC-T] Naughty ads


So, maybe we can read the source code through ??

We can see that there is a very secure filter for $_REQUEST['id'], but not for $_GET['id']. It does nothing and passes $_GET['id'] to the function. So, we can bypass the filter like this

Finally, I got the username and password. Username: webmasterofdoom3755 Password: 5ebe2294ecd0e0f08eab7690d2a6ee69. Reversing the md5 here: we find that the real password is secret. Use this identity to log in to the website, fill in the phone number to submit the form, and then the website will give you the flag.


[SEC-T] Sprinkler system

Solution

Firstly, we can take a look at robots.txt:

And I found that it lists test-cgi in the cgi-bin folder. After some research, I found that test-cgi has a vulnerability, and it seems to be able to list directories through it. Exploit Url:* Output:

It works! So, I changed the parameter to "*", which means list all the files in the current directory. Url:* Output:

Finally, we access . And it prints the flag.


[CSAW2017] baby_crypt

Solution

In this question, the socket service takes our input, appends the flag to the end, and performs AES CBC encryption.

In AES ECB mode encryption, each block is 16 bytes (32 hex characters). For example:

Block1 Block2 Block3
aaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbb cccccccccccccccc

If there are fewer than 16 bytes, padding is used to fill the block. For example:

Block1 Block2 Block3
aaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbb ccccccccc0000000

In this question, the blocks will look like this:

Block1 Block2 Block3
inputinputinputi flag{xxxxxxxxxx xxxxxxxxxxxxxxx}

So we can control the value of Block1. What if we only input 15 characters? The first character of the flag will then be stored in Block1:

Block1 Block2 Block3
inputinputinputf lag{xxxxxxxxxxx xxxxxxxxxxxxxx}0

So, we can build the blocks like this to brute force the flag:

Block1 Block2 Block3 …
aaaaaaaaaaaaaaaX aaaaaaaaaaaaaaaf lag{xxxxxxxxxxx …

Block1 Block2 Block3 …
aaaaaaaaaaaaaafX aaaaaaaaaaaaaafl ag{xxxxxxxxxxxx …

Block1 Block2 Block3 …
aaaaaaaaaaaaaflX aaaaaaaaaaaaafla g{xxxxxxxxxxxxx …

Test every printable value for X. If Block1 equals Block2, the guessed character is correct. Based on this concept, I wrote a script to test it automatically.
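The block-equality test above only holds for ECB mode, where the same 16-byte plaintext block always produces the same ciphertext block under one key; in CBC each block is XORed with the previous ciphertext first, so the comparison would never match. As an added example (not the write-up's script), the following builds a local in-memory stand-in for the service, with a constructed key and a constructed flag that the "client" side never reads, and recovers the suffix one byte at a time using only that oracle. It generalises the one-block sketch above to a suffix of any length by always placing the next unknown byte last in a block and comparing that block against guess blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// Constructed for this example: in the challenge both values are unknown to
// the client, which only ever sees ciphertext from the oracle.
var secretKey = []byte("0123456789abcdef")
var secretSuffix = []byte("flag{constructed_example_secret}")

// pad applies PKCS#7 padding so the plaintext is a whole number of blocks.
func pad(b []byte) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbOracle models the challenge service: it appends the secret suffix to the
// caller's input and encrypts block by block under one key with no chaining
// (ECB). Identical plaintext blocks therefore give identical ciphertext blocks.
func ecbOracle(input []byte) []byte {
	block, err := aes.NewCipher(secretKey)
	if err != nil {
		panic(err)
	}
	pt := pad(append(append([]byte{}, input...), secretSuffix...))
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += blockSize {
		block.Encrypt(ct[i:i+blockSize], pt[i:i+blockSize])
	}
	return ct
}

// recoverSuffix recovers the secret suffix using only the oracle. For each
// unknown byte it sends just enough filler that the byte lands at the end of a
// block, records that ciphertext block, then sends filler+known+candidate for
// every printable candidate and looks for the block that matches.
func recoverSuffix(oracle func([]byte) []byte) []byte {
	var known []byte
	for {
		fill := blockSize - 1 - len(known)%blockSize
		filler := bytes.Repeat([]byte{'A'}, fill)
		target := (len(known) / blockSize) * blockSize // offset of the block holding the unknown byte
		ref := oracle(filler)[target : target+blockSize]

		found := false
		for c := 0x20; c < 0x7f; c++ {
			guess := append(append(append([]byte{}, filler...), known...), byte(c))
			if bytes.Equal(oracle(guess)[target:target+blockSize], ref) {
				known = append(known, byte(c))
				found = true
				break
			}
		}
		if !found {
			// No printable byte matched: the "unknown" byte is now the first
			// padding byte (0x01), so the whole suffix has been recovered.
			return known
		}
	}
}

func main() {
	fmt.Printf("recovered: %s\n", recoverSuffix(ecbOracle))
}
```

The stopping rule relies on the padding byte not being printable; for a suffix that may contain arbitrary bytes you would instead stop at a known length or widen the candidate set to all 256 values and detect the padding boundary explicitly. The defensive lesson is the one the page illustrates: never encrypt attacker-influenced data adjacent to a secret in ECB mode, and prefer an authenticated mode such as AES-GCM with a fresh nonce per message.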


[CSAW2017] – Missed Registration

Solution: We can take a look at the first HTTP packet: the value of parameter x starts with 424d, which is the header of a BMP file. But there are a lot of HTTP packets, so my idea is to write a script to extract all the values.

Solution Script



[CSAW2017] – CVV

Solution

There are 7 cases:
1. Generate MasterCard
2. Generate Visa
3. Generate Discover
4. Generate American Express
5. Generate a card starting with xxx
6. Generate a card ending with xxx
7. Check whether a credit card is valid or not

Solution Script
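The validity case and the "starts with xxx" case both come down to the Luhn mod-10 check, so here is an added example (not the write-up's solution script, whose service protocol is not shown here) that validates a full number, computes the check digit that completes a given prefix, and classifies the four networks the list names by their commonly published issuer prefixes (Visa 4, MasterCard 51-55, American Express 34/37, Discover 6011/65; a simplified table, assumed for this example). The numbers used in main are the well-known published test numbers, not real cards.

```go
package main

import (
	"fmt"
	"strings"
)

// digitsOnly strips spaces and dashes and rejects any other non-digit.
func digitsOnly(s string) (string, bool) {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= '0' && r <= '9':
			b.WriteRune(r)
		case r == ' ' || r == '-':
			// separators are allowed and ignored
		default:
			return "", false
		}
	}
	return b.String(), b.Len() > 0
}

// luhnValid reports whether a full card number (check digit included) passes
// the Luhn mod-10 check: from the right, double every second digit, subtract 9
// from any doubled value above 9, and require the total to be divisible by 10.
func luhnValid(number string) bool {
	d, ok := digitsOnly(number)
	if !ok || len(d) < 2 {
		return false
	}
	sum := 0
	double := false // the rightmost (check) digit is never doubled
	for i := len(d) - 1; i >= 0; i-- {
		n := int(d[i] - '0')
		if double {
			n *= 2
			if n > 9 {
				n -= 9
			}
		}
		sum += n
		double = !double
	}
	return sum%10 == 0
}

// luhnCheckDigit returns the digit that completes partial into a Luhn-valid
// number; this is the step a "starts with xxx" generator needs.
func luhnCheckDigit(partial string) (byte, bool) {
	d, ok := digitsOnly(partial)
	if !ok {
		return 0, false
	}
	for c := byte('0'); c <= '9'; c++ {
		if luhnValid(d + string(c)) {
			return c, true
		}
	}
	return 0, false // not reached: exactly one digit always completes the sum
}

// brand classifies a number by issuer prefix using the simplified ranges
// described in the lead-in; anything else is reported as unknown.
func brand(number string) string {
	d, ok := digitsOnly(number)
	if !ok || len(d) < 4 {
		return "unknown"
	}
	switch {
	case d[:2] == "34" || d[:2] == "37":
		return "American Express"
	case d[0] == '4':
		return "Visa"
	case d[:2] >= "51" && d[:2] <= "55":
		return "MasterCard"
	case d[:4] == "6011" || d[:2] == "65":
		return "Discover"
	}
	return "unknown"
}

func main() {
	for _, n := range []string{"4111 1111 1111 1111", "4111111111111112", "378282246310005"} {
		fmt.Printf("%-20s brand=%-16s luhn=%v\n", n, brand(n), luhnValid(n))
	}
	if c, ok := luhnCheckDigit("411111111111111"); ok {
		fmt.Printf("check digit for 411111111111111: %c\n", c)
	}
}
```

Note that Luhn only catches transcription errors; passing it says nothing about whether a card exists or is authorised, so a service should treat it as input validation, never as proof of anything.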


[CSAW2017] – tablEZ

Solution

The first step is to decompile the given binary.

Main




After some analysis we know:
1. The program performs a table lookup based on the input.
2. The table format is 00 xx 01 xx 02 xx 03 xx.
3. The main encrypt function is get_tbl_entry.

So, based on this information, we can write the code to get the flag.

Output: flag{t4ble_l00kups_ar3_b3tter_f0r_m3}
