@kaitorque
Last active December 6, 2020 17:58

Writeup for Wargames.my 2020

Category: Cryptography - Long Crypto Guessing


In the question, we are given an nc address and the Python source code of the server.

https://gist.github.com/aa3bb2f846543954afff657311fed813

Reading through the code: the server first gives the user 3 random numbers, then the user has to enter (guess/predict) the next number the server generates, reduced modulo 10000, correctly 1000 times in a row.

In the PRNG (pseudo-random number generator) class, random `a` and `b` are generated and `p` is given; it also has a `state` value that is initialised when the object is created. The `next` function then computes the next number from the previous one: the previous state is multiplied by `a`, `b` is added, and the result is reduced modulo `p`. The function is therefore linear, and this specific generator is called a Linear Congruential Generator (LCG).

https://gist.github.com/fa1afc77ea32143f8f4390208c0c512d

Here, the server generates a random number that becomes the seed of the PRNG object, then generates the next 3 numbers and prints them to the user.

Since the generator is linear, the **seed** is the `state`, i.e. the first term of the sequence; we will call it T. The server then generates the next 3 terms from it. An LCG has 3 integer parameters:

- Multiplier `a`
- Increment `b`
- Modulus `p`

`p` is given in the source code as 11760071327054544317, so we need to find `a` and `b` to predict the next number. The 3 outputs we are shown give 2 equations in the 2 unknowns `a` and `b`, so we can solve for them. Here is a detailed explanation of finding the missing multiplier and increment, which also covers different ways of cracking an LCG. Once we have `a` and `b`, we can compute the next number using the script below.

https://gist.github.com/5752782d601fc02fdfd56cfc3e1bcab6

By reusing some of that code to find `a` and `b`, we wrote the script that answers 1000 consecutive numbers correctly until the server returns the flag.
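The recovery of `a` and `b` from the 3 printed numbers, written out as an added example (this is not the author's script nor the linked LCG-cracking code). Only the modulus `p` is taken from the writeup; the seed, `a` and `b` in the demo are constructed values, and the prediction is checked against a reference generator of the same shape as the challenge's `PRNG.next` rather than against the real server:

```python
from math import gcd

# Modulus from the challenge source; a and b are what has to be recovered.
P = 11760071327054544317


def lcg_outputs(seed, a, b, p, n):
    """Reference generator: state <- (a*state + b) mod p, returning the next n states.
    Same shape as the challenge's PRNG.next; the first output is the term after the seed."""
    state = seed
    out = []
    for _ in range(n):
        state = (a * state + b) % p
        out.append(state)
    return out


def recover_lcg(outputs, p):
    """Recover (a, b) from three consecutive outputs T1, T2, T3 of x_{n+1} = a*x_n + b (mod p).
    Subtracting T2 = a*T1 + b from T3 = a*T2 + b gives T3 - T2 = a*(T2 - T1), so
    a = (T3 - T2) * (T2 - T1)^-1 mod p, and then b = T2 - a*T1 mod p."""
    t1, t2, t3 = outputs[:3]
    d = (t2 - t1) % p
    if gcd(d, p) != 1:
        # The inverse only exists when T2 - T1 is coprime to p. If p is not prime this can
        # fail for unlucky outputs; the fix is simply to reconnect and get a fresh triple.
        raise ValueError("T2 - T1 is not invertible modulo p; try another sequence")
    a = (t3 - t2) * pow(d, -1, p) % p
    b = (t2 - a * t1) % p
    return a, b


def predict(outputs, p, n, mod=10000):
    """Recover the parameters and return the next n values the generator will produce,
    each reduced modulo `mod`, which is the form the challenge asks for."""
    a, b = recover_lcg(outputs, p)
    state = outputs[2]          # T3 is the last state we were shown
    answers = []
    for _ in range(n):
        state = (a * state + b) % p
        answers.append(state % mod)
    return answers


if __name__ == "__main__":
    # Constructed demo values (not from the real server) standing in for the three numbers
    # the challenge prints; the 1000 predictions are checked against the reference generator.
    seed, a, b = 123456789, 2718281828459045, 3141592653589793
    seen = lcg_outputs(seed, a, b, P, 1003)
    print("recovered (a, b):", recover_lcg(seen[:3], P))
    guesses = predict(seen[:3], P, 1000)
    print("all 1000 predictions correct:", guesses == [x % 10000 for x in seen[3:]])
```

Against the real service the three numbers the server prints go into `predict` in place of `seen[:3]`, and each element of the returned list is sent back as one answer; `pow(d, -1, p)` needs Python 3.8 or newer.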


Category: Mobile - SpeedyQuizzy


Given the APK file SpeedyQuizy.apk.

Using an online APK decompiler, we can decompile the file.

Inside the source code, in StartQuiz.java, is the snippet below:

https://gist.github.com/cca286dcd130460695baad1c88c69d1b

We can see that it uses a socket to connect to the server, so we can simply use nc in the terminal to talk to www2.wargames.my on port 8080: `nc www2.wargames.my 8080`

https://gist.github.com/33a059dcdbbf12a0746240ed05ae6987

Typing ok leads to a question:

https://gist.github.com/9b2136180b6ac1b07926591900e7a417

But the questions are randomly selected from a fixed set of questions. So we need to fetch some of the questions first, so that we can write a script to answer them.

Using the script below we can fetch some of the questions. Credits to H0j3n.

https://gist.github.com/77b617fe370682b801b4389d24e1b4d9

Below is a list of some of the questions:

https://gist.github.com/79899fd7fc6540d4329ba550e85de056

The script below automatically answers the questions:

https://gist.github.com/9935f1ec2a31afbd59ae6ae2aadf8e87
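The harvest-then-answer approach from the two scripts above, rewritten as an added, self-contained example; it is not H0j3n's fetch script nor the author's answer script. The real server's line format is in the gists above and was not reproduced here, so the greeting, the `Question: ` prefix, the number of rounds, the question bank and the flag are all constructed assumptions, and a small fake server runs on localhost so the client can be exercised offline:

```python
import random
import socket
import threading

# Constructed question bank standing in for the one harvested from the real server
# (that list is in the gist above). Questions, answers and the flag are made up.
QUESTION_BANK = {
    "What is the capital of Malaysia?": "Kuala Lumpur",
    "How many bits are in a byte?": "8",
    "What does CTF stand for?": "Capture The Flag",
    "What port does HTTPS use by default?": "443",
    "Which year is this Wargames.my?": "2020",
}
FLAG = "wgmy{constructed_example_flag}"   # placeholder, not the real flag
ROUNDS = 10                                # questions per session (assumed)
PROMPT = "Question: "                      # assumed line format used by the fake server


def _serve_one(conn, bank, rounds):
    """Fake quiz server: greeting, wait for 'ok', then `rounds` random questions.
    A wrong or missing answer ends the session; a full run prints the flag."""
    f = conn.makefile("rw", encoding="utf-8", newline="\n")
    try:
        f.write("Type ok to start the quiz\n"); f.flush()
        if f.readline().strip().lower() != "ok":
            return
        questions = list(bank)
        for _ in range(rounds):
            q = random.choice(questions)
            f.write(PROMPT + q + "\n"); f.flush()
            raw = f.readline()
            if not raw or raw.strip() != bank[q]:
                f.write("Wrong!\n"); f.flush()
                return
            f.write("Correct!\n"); f.flush()
        f.write("Congratulations! " + FLAG + "\n"); f.flush()
    except OSError:
        pass   # client hung up mid-session (harvesting does this on purpose)
    finally:
        try:
            f.close(); conn.close()
        except OSError:
            pass


def start_fake_server(bank=QUESTION_BANK, rounds=ROUNDS):
    """Listen on a random localhost port; returns the listening socket (close it to stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_one, args=(conn, bank, rounds), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def _open(host, port):
    s = socket.create_connection((host, port), timeout=5)
    return s, s.makefile("rw", encoding="utf-8", newline="\n")


def harvest_questions(host, port, attempts=30):
    """Connect repeatedly, send 'ok', record the first question, hang up. Because questions
    are drawn at random from a finite set, a few dozen attempts cover most of the bank."""
    seen = set()
    for _ in range(attempts):
        s, f = _open(host, port)
        try:
            f.readline()                      # greeting
            f.write("ok\n"); f.flush()
            line = f.readline()
            if line.startswith(PROMPT):
                seen.add(line[len(PROMPT):].strip())
        finally:
            f.close(); s.close()
    return seen


def answer_quiz(host, port, bank):
    """Play one session answering from `bank`. Returns the flag line on success, or None if
    the server asked something not in the bank (harvest more, add it, run again)."""
    s, f = _open(host, port)
    try:
        f.readline()                          # greeting
        f.write("ok\n"); f.flush()
        while True:
            line = f.readline()
            if not line or line.startswith("Wrong"):
                return None
            line = line.strip()
            if line.startswith(PROMPT):
                q = line[len(PROMPT):]
                if q not in bank:
                    return None
                f.write(bank[q] + "\n"); f.flush()
            elif line.startswith("Congratulations"):
                return line
    finally:
        f.close(); s.close()


if __name__ == "__main__":
    srv = start_fake_server()
    port = srv.getsockname()[1]
    print("harvested:", harvest_questions("127.0.0.1", port))
    print("result:", answer_quiz("127.0.0.1", port, QUESTION_BANK))
    srv.close()
```

Against the real service the same two functions would be pointed at www2.wargames.my:8080 with the prompt prefix adjusted to whatever the server actually prints; answers for harvested questions still have to be filled in by hand, which is why the bank is a dict rather than something the harvester can produce on its own.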


Category: Steganography - Nuisance


Given the file nuisance.arc.

Opening the file in HxD to look at the file signature, a quick Google of the .arc signature 41 72 43 01 shows that it is a FreeArc compressed file.

After downloading FreeArc, the software cannot extract the archive because it is corrupted, but it has the ability to repair a damaged archive.

After repairing and extracting, we still cannot open flag.palm. A quick Google of .palm shows that it is a Palm OS Bitmap image, which can be opened with the application ImageDisk. Download ImageDisk and open the file with it.


Category: Miscellaneous - Defuse The Bomb!


Given the file bomb.zip. The file is a zip bomb: a zip that contains zips that contain zips, compressed many levels deep. Open it using WinRAR.

We can see that one of the zips has a file size and CRC32 that differ from the others, so we click into it and find the same situation again. We keep clicking into the zip that differs until we reach flag.txt.

Then we extract flag.txt, but the file is 2GB, so it cannot be opened with a normal text editor. HxD can open it, though; scroll down to find the flag.
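The same walk automated, as an added example that is not part of the writeup: pick the member whose (size, CRC32) pair is unique at each level, inflate only that one, and at the bottom stream the big text file through a regex instead of extracting 2GB to disk. The real bomb.zip is not reproduced; `build_sample` constructs a small nested archive of the same shape, and the `flag{...}` pattern and the layout of the padding around it are assumptions:

```python
import io
import re
import zipfile
from collections import Counter

FLAG = b"flag{constructed_example}"   # constructed; the flag format is an assumption


def odd_one_out(zf):
    """Return the member whose (uncompressed size, CRC32) pair is unique among its siblings.
    This is the tell the writeup spotted by eye in WinRAR: the decoys are identical copies."""
    infos = zf.infolist()
    key = lambda i: (i.file_size, i.CRC)
    counts = Counter(key(i) for i in infos)
    unique = [i for i in infos if counts[key(i)] == 1]
    if len(unique) != 1:
        raise ValueError("expected exactly one distinct member, got %d" % len(unique))
    return unique[0]


def stream_search(fobj, pattern, chunk=1 << 20, overlap=256):
    """Search a file-like object for a regex chunk by chunk, keeping `overlap` bytes of the
    previous chunk so a match straddling a boundary is still found. The whole file is never
    held in memory, which matters when the member is 2GB of padding with one flag in it."""
    rx = re.compile(pattern)
    tail = b""
    while True:
        buf = fobj.read(chunk)
        if not buf:
            return None
        data = tail + buf
        m = rx.search(data)
        if m:
            return m.group(0)
        tail = data[-overlap:]


def search_bytes(blob, pattern):
    """Convenience wrapper: run stream_search over an in-memory byte string."""
    return stream_search(io.BytesIO(blob), pattern)


def descend(zip_bytes, pattern, max_depth=64):
    """Follow the distinct member down the nesting; at the first non-zip member, stream-search
    it for `pattern`. Only the chosen member is ever inflated, so the decoys cost nothing."""
    data = zip_bytes
    for _ in range(max_depth):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            target = odd_one_out(zf)
            if not target.filename.lower().endswith(".zip"):
                with zf.open(target) as member:      # streamed, not extracted
                    return target.filename, stream_search(member, pattern)
            data = zf.read(target)
    raise ValueError("nesting deeper than max_depth")


def build_sample(depth=3, decoys=3):
    """Constructed stand-in for bomb.zip: each level holds `decoys` identical junk zips plus
    one that differs; the bottom one holds flag.txt, mostly padding, with the flag placed
    across a 1 MiB chunk boundary so the overlap logic in stream_search is exercised."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, blob in entries:
                zf.writestr(name, blob)
        return buf.getvalue()

    decoy = zipped([("junk.txt", b"nothing to see here\n")])
    payload = zipped([("flag.txt", b"A" * ((1 << 20) - 5) + FLAG + b"B" * 4096)])
    for level in range(depth):
        entries = [("%d.zip" % i, decoy) for i in range(decoys)]
        entries.insert(level % (decoys + 1), ("%d.zip" % decoys, payload))
        payload = zipped(entries)
    return payload


if __name__ == "__main__":
    print(descend(build_sample(), rb"flag\{[^}]*\}"))
```

For the real file, `descend(open("bomb.zip", "rb").read(), rb"flag\{[^}]*\}")` does the whole walk; `target.file_size` is available from the central directory before anything is inflated, so a size cap can be added there if the archive is suspected of being a genuine bomb rather than a nesting puzzle.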


Scoreboard


Thank you, Wargames.my, for the competition & questions, and thank you to my team, H0j3n.

Member
