betrisey

Ghost - BlazCTF

6/2/2024 "Memory cannot be defined, yet it defines mankind."

Author: Robert Chen (OtterSec) @notdeghost

EVM,RE / 13 solves / 274 pts

Challenge contract

betrisey

Sharer World

SXG

Extension=( 1.3.6.1.4.1.11129.2.1.22 )
====Critical=NO
====Data=05 00

The certificate used by the challenge has an extra extension allowing SXG

betrisey

from pwn import *

while True:
    io = connect('coinflip.ctf.zone', 80)

    io.send("""POST /flip HTTP/1.1
Host: coinflip.ctf.zone
Content-Length: 5
Content-Type: text/plain
Connection: close

betrisey

Keybase proof

I hereby claim:

• I am betrisey on github.
• I am samb (https://keybase.io/samb) on keybase.
• I have a public key whose fingerprint is 807D 9CDB DBA2 10C7 BD67 5505 909D 8097 2D5E AD4E

To claim this, I am signing this object:

betrisey

Verifying I am +samninja on my passcard. https://onename.com/samninja

betrisey

Keybase proof

I hereby claim:

• I am betrisey on github.
• I am samb (https://keybase.io/samb) on keybase.
• I have a public key whose fingerprint is 6B83 B6AA B348 C278 46E1 7F50 BDFD 1E3E 86C6 369F

To claim this, I am signing this object:

betrisey

1. Get your cookie. Either proxy your iPhone/iPod/iPad and record the cookie using the proxy server of your choice or capture the request using your AP with Wireshark or similar

2. Make sure you have a cookie like token=expires=1409714101~access=/auth/*~md5=2d4466c1...

3. Find the day of the artist you want to load (e.g. 01, 02, 10, 25) Find the artist on iTunes https://itunes.apple.com/us/artist/*deadmau5*/id*78011850* and take its ID and its name. Add an underscore between these two. (e.g. 78011850_deadmau5)

4. Launch the script: sh itunes-festival.sh cookie day id_artist

   sh itunes-festival.sh "token=expires=1409714101~access=/auth/*~md5=2d4466c1" 01 78011850_deadmau5

5. Have fun.