| #include <initializer_list> | |
| #include <vector> | |
| #include <iostream> | |
| #include <cmath> | |
| #include <limits> | |
| template <typename T> | |
| class Matrix | |
| { | |
| public: |
| #include <initializer_list> | |
| #include <vector> | |
| #include <iostream> | |
| #include <cmath> | |
| #include <limits> | |
| template <typename T> | |
| class Matrix | |
| { | |
| public: |
| #include <initializer_list> | |
| #include <vector> | |
| #include <iostream> | |
| #include <cmath> | |
| #include <limits> | |
| template <typename T> | |
| class Matrix | |
| { | |
| public: |
| import math | |
| import random | |
| import sys | |
| def main(): | |
| num = int(sys.argv[1]) | |
| points_in = 0 | |
| for _ in range(num): | |
| px, py = random.random() * 2 - 1, random.random() * 2 - 1 | |
| if (px**2 + py**2) <= 1: |
| from google.protobuf.internal.decoder import _DecodeVarint | |
| from google.protobuf.internal.encoder import _VarintBytes | |
| import datapoint_pb2 | |
| def read_message(buf): # buf is a bytestring | |
| pos = 0 # Start of varint32 | |
| value, new_pos = _DecodeVarint(buf, pos) | |
| msg = datapoint_pb2.DataPoint() | |
| msg.ParseFromString(buf[new_pos:new_pos+value]) |
| From f1dd0199cd7bc2e3b5b579852d96d505f731cb7a Mon Sep 17 00:00:00 2001 | |
| From: Samuel Damashek <samuel.damashek@invincea.com> | |
| Date: Wed, 6 Jul 2016 11:41:52 -0400 | |
| Subject: [PATCH] Fix for self-modifying writes across page boundaries. | |
| As it currently stands, QEMU does not properly handle self-modifying code | |
| when the write is unaligned and crosses a page boundary. The procedure | |
| for handling a write to the current translation block is to write-protect | |
| the current translation block, catch the write, split up the translation | |
| block into the current instruction (which remains write-protected so that |
This problem was pretty simple - even though uname and pswd were filtered through mysql_real_escape_string(), the NO_BACKSLASH_ESCAPES option essentially negated that protection.
So to ignore the password field, use the username admin";# and you'll get the flag: Your flag is: bobby_tables_little
This key was generated on a Debian system with the weak random seed vulnerability, where the only seed of randomness was the process ID. Looking at the fingerprint,
samuel@samaritan ~/projects/pactf % ssh-keygen -lf notso.pem
2048 SHA256:nvIH90xVEyG7AlAhLbmpzthDpjQPTkOIAF6q2k/Iruw no comment (RSA)
So the solution was to generate keys on a system with weak Debian binaries for all possible process IDs, and compare this fingerprint to the produced fingerprints. Below is the script to do so, using a pre-existing LD_PRELOADable library which overrides getpid to the content of the MAGICPID env variable:
The main idea behind this one was that we could encrypt any message we want, and then send it to the decryption service to be decrypted, unless that message was the encrypted flag.
Basically all we had to do was multiply the ciphertext by 2^e (where e is the public exponent), and then C^d = [f^e*2^e] = f^ed * 2^ed = 2f mod n, so the result of that decryption will be double the flag (see http://www.dtc.umn.edu/~odlyzko/doc/arch/rsa.attack.pdf).
First, getting the information about the public key:
samuel@samaritan ~/projects/pactf % openssl rsa -in pub.a82ac1b8c0d1.pem -pubin -noout -text
For this challenge we were given a pretty basic python script. The script contained two functions: s, which approximates the derivative of the function f at point x, and encrypt, which calculates the value of f(a) and f(m), as well as the approximate derivative of f at both a and m. It then does some manipulation of these numbers to return a tuple.
Essentially what we had to do was figure out what secret_func (f) was, so that we could calculate encrypt for all possible ascii values, then map the resulting encrypted tuples to the given encrypted message to find the decrypted flag.
We're given: