
Houseplant CTF


I was able to solve 8/10 of these challs, so that’s kinda nice.

Fragile

Question

Can you help me move my stuff? This one’s fragile!

Writeup

This is the important code:

```java
public static boolean check(String input){
    boolean h = false;
    String flag = "h1_th3r3_1ts_m3";
    String theflag = "";
    if(input.length() != flag.length()){
        return false;
    }
    for(int i = 0; i < flag.length(); i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i)));
    }
    return theflag.equals("ÐdØÓ^y§å^rÍaèÒÁ¡^w");
}
```

Here, we can see that the string passed to `theflag.equals()` is not plain ASCII, so it is better to get the exact character values. Therefore, I switched to Kate and copied the final `theflag` value. The final value of `theflag` is `ÐdØÓ§åÍaèÒÁ¡`.

This function adds the character code of every char in `input` to the code of the corresponding character in `flag` and checks whether the result is `ÐdØÓ§åÍaèÒÁ¡`. Therefore, we just need to subtract.

Exploit

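```python
# Target string from check(). The three non-printable characters shown as
# ^y, ^r and ^w in the Java source are written as explicit escapes here.
thefinalflag = "ÐdØÓ\x99§å\x92ÍaèÒÁ¡\x97"
flag = "h1_th3r3_1ts_m3"

# check() adds the two strings character by character, so subtract to invert.
for i in range(len(flag)):
    print(chr(ord(thefinalflag[i]) - ord(flag[i])), end='')
```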

This gives out: `h3y_1ts_n0t_b4d`

Flag

`rtcp{h3y_1ts_n0t_b4d}`

Breakable

Question

Okay…this one’s better, but still be careful!

Writeup

This is the checker function:

```java
public static boolean check(String input){
    boolean h = false;
    String flag = "k33p_1t_in_pl41n";
    String theflag = "";
    int i = 0;
    if(input.length() != flag.length()){
        return false;
    }
    for(i = 0; i < flag.length()-2; i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i+2)));
    }
    for(i = 2; i < flag.length(); i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i-2)));
    }
    String[] flags = theflag.split("");
    for(; i < (int)((flags.length)/2); i++){
        flags[i] = Character.toString((char)((int)(flags[i].charAt(0)) + 20));
    }
    return theflag.equals("Ò^rdÝ¾¤¤¾Ùà^oåÐ^scÝÆ^p¥ÌÈá^oÏÜ¦aã");
}
```

Again, let’s get the real value of theflag. The real value of theflag is `ÒdÝ¾¤¤¾ÙàåÐcÝÆ¥ÌÈáÏÜ¦aã`.

Now, we need to reverse it. The last for loop seems to go from i=2 to flag.length and the first for loop goes from 0 to flag.length-2. Therefore, we know that theflag has input[2:] in the latter half of it, and it has input[:-2] in the first half.

Therefore, we need to reverse those two things to get the flag.

Exploit

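```python
# Real value of theflag. The characters shown as ^r, ^o, ^s and ^p in the
# Java source are non-printable, so they are written as escapes here.
a = "Ò\x92dÝ¾¤¤¾Ùà\x8fåÐ\x93cÝÆ\x90¥ÌÈá\x8fÏÜ¦aã"
realflag = ['0' for i in range(16)]
flag = "k33p_1t_in_pl41n"
for i in range(0, len(flag) - 2):
    realflag[i + 2] = chr(ord(a[i]) - ord(flag[i]))
for i in range(2, len(flag)):
    realflag[i - 2] = chr(ord(a[i + len(flag) - 4]) - ord(flag[i]))
print("rtcp{" + ''.join(realflag) + "}")
```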

Flag

`rtcp{0mg_1m_s0_pr0ud_}`

Bendy

Question

I see you’ve found my straw collection…(this is the last excessive for loop one i swear)

Writeup

```java
public static boolean check(String input){
    boolean h = false;
    String flag = "r34l_g4m3rs_eXclus1v3";
    String theflag = "";
    int i = 0;
    if(input.length() != flag.length()){
        return false;
    }
    for(i = 0; i < flag.length()-14; i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i+8)));
    }
    for(i = 10; i < flag.length()-6; i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i-8)));
    }
    for(; i < flag.length(); i++){
        theflag += (char)((int)(flag.charAt(i-3)) + (int)(input.charAt(i)));
    }
    //Ò^rdÝ¾¤¤¾Ùà^oåÐ^scÝÆ^p¥ÌÈá^oÏÜ¦aã
    String[] flags = theflag.split("");
    for(i=0; i < (int)((flags.length)/2); i++){
        flags[i] = Character.toString((char)((int)(flags[i].charAt(0)) + 20));
    }
    theflag = theflag.substring(flags.length/2);
    for(int k = 0; k < ((flags.length)/2); k++){
        theflag += flags[k];
    }
    return theflag.equals("ÄÑÓ¿ÂÒêáøz§è§ñy÷¦");
}
```

(This chall is the old version, btw)

The first for loop will encode (sort of) input[:6], and the second loop will encode [2:7] and the third one encodes input[15:].

Exploit

```python
# check() emits 18 characters (7 + 5 + 6) but only 17 are visible in the
# string above: the non-printable U+0093 after 'Ñ' is written as an escape.
start_junk = "ÄÑ\x93Ó¿ÂÒêáøz§è§ñy÷¦"
med_junk = ""
# Undo the half swap and the +20 shift applied at the end of check().
for i in range(len(start_junk)//2, len(start_junk)):
    med_junk += chr(ord(start_junk[i]) - 20)
med_junk += start_junk[:len(start_junk)//2]
print(med_junk)
flag = "r34l_g4m3rs_eXclus1v3"
ree = ['/' for i in range(21)]
ree_count = 0
for i in range(0, len(flag) - 14):
    print(ree_count)
    ree[i + 8] = chr(ord(med_junk[ree_count]) - ord(flag[i]))
    ree_count += 1
for i in range(10, len(flag) - 6):
    ree[i - 8] = chr(ord(med_junk[ree_count]) - ord(flag[i]))
    ree_count += 1
for i in range(len(flag) - 6, len(flag)):
    ree[i] = chr(ord(med_junk[ree_count]) - ord(flag[i - 3]))
    ree_count += 1
# Positions that no loop touches stay '/' and have to be guessed.
print(''.join(ree))
```

(sorry for the variable names, I was frustrated)

Also you need to guess some of the flag.
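Why part of the flag has to be guessed, as an added example that is not part of the original writeup: it models every output character of the Bendy `check()` as a (key index, input index) pair, inverts the whole transform, and lists the input positions that no loop ever reads. The function names are my own, and the sample input is the flag body given in this writeup.

```python
KEY = "r34l_g4m3rs_eXclus1v3"  # hardcoded string from the Bendy check()
N = len(KEY)

def index_pairs():
    """(key index, input index) per output character, in emission order."""
    pairs = [(i, i + 8) for i in range(0, N - 14)]    # first loop
    pairs += [(i, i - 8) for i in range(10, N - 6)]   # second loop
    pairs += [(i - 3, i) for i in range(N - 6, N)]    # third loop
    return pairs

def encode(candidate):
    """Re-implementation of check() up to the final equals() (illustrative name)."""
    mixed = [ord(KEY[k]) + ord(candidate[j]) for k, j in index_pairs()]
    half = len(mixed) // 2
    # Java: substring(half) comes first, then the first half with +20 applied
    return "".join(chr(c) for c in mixed[half:] + [c + 20 for c in mixed[:half]])

def decode(target):
    """Invert encode(); positions that no loop reads stay '?'."""
    codes = [ord(c) for c in target]
    half = len(codes) // 2
    cut = len(codes) - half
    mixed = [c - 20 for c in codes[cut:]] + codes[:cut]
    # A target that lost a non-printable character in copy/paste is too short
    if len(mixed) != len(index_pairs()):
        raise ValueError("target length does not match the checker's output")
    out = ["?"] * N
    for (k, j), m in zip(index_pairs(), mixed):
        out[j] = chr(m - ord(KEY[k]))
    return "".join(out)

def unread_positions():
    """Input indices that never influence the comparison."""
    read = {j for _, j in index_pairs()}
    return [j for j in range(N) if j not in read]

if __name__ == "__main__":
    sample = "h0p3_y0ur3_h4v1ng_fun"  # flag body from this writeup
    target = encode(sample)
    print(len(target), "output characters for", N, "input characters")
    print("recovered:", decode(target))
    print("unread input positions:", unread_positions())
```
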

Flag

`rtcp{h0p3_y0ur3_h4v1ng_fun}`

EZ

Writeup

The flag is in a comment. Honestly.

Flag

`rtcp{tH1s_i5_4_r3aL_fL4g_s0_Do_sUbm1T_1t!}`

PZ

Question

Ok, I think I made it slightly better. Now you won’t get the flag this time!

Writeup

Again, literally in the code.

Output

(Because of course I want to show uwuspeak).

```
[kek@tlh PZ]$ python pass1.py
Unlocked. The flag is the password.
b-but i wunna show off my catswpeak uwu~... why wont you let me do my nya!!
```

LEMON

Question

Fine. I made it a bit more secure by not just leaving it directly in the code.

Writeup

Build together the loose bits.

Flag

`rtcp{y34H_tHiS_a1nT_sEcuR3}`

SQUEEZY

Question

Ok this time, you aren’t getting anywhere near anything.

Writeup

This XORs every character of the user input with the corresponding character of the key.

Exploit

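```python
# Expected XOR output stored in the challenge script
a = "\x1f\x11\x0c\x07\x15\x00Q\x18:#D\x08->\x14U\x1a%1\x01Q\x1f:$D\x17&\x03(\r^\x19*X\x1c"
key = "meownyameownyameownyameownyameownya"
# XOR is its own inverse, so XORing the stored value with the key gives the input
print(''.join(chr(ord(x) ^ ord(y)) for x, y in zip(a, key)))
```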

Flag

`rtcp{y0u_L3fT_y0uR_x0r_K3y_bEh1nD!}`

thedanzman

Question

Fine. I made it even harder. It is now no longer “ez”, “pz”, “lemon” or “squeezy”. You will never get the flag this time.

Writeup

This chall does the following things:

1. Take user input.
2. Use a key.
3. Encode the key with rot_13.
4. XOR every part of the input with the rot_13'd key.
5. Base64 encode the result.
6. rot_13 it.
7. Reverse it.
8. Check if it is equal to `'=ZkXipjPiLIXRpIYTpQHpjSQkxIIFbQCK1FR3DuJZxtPAtkR'o`.

Therefore we need to do the exact reverse of it.

Exploit

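```python
import codecs

# Step 7 undone: reverse the stored string
given_bytes = "'=ZkXipjPiLIXRpIYTpQHpjSQkxIIFbQCK1FR3DuJZxtPAtkR'o"[::-1]
# Step 6 undone: rot_13
given_bytes = codecs.decode(given_bytes, 'rot_13')
# Step 5 undone: strip the b'...' wrapper, then base64 decode
given_str = codecs.decode(bytes(given_bytes[2:-1], 'ascii'), 'base64').decode('ascii')
# Steps 3 and 4 undone: XOR with the rot_13'd key
key = codecs.encode("nyameowpurrpurrnyanyapurrpurrnyanya", 'rot_13')
print(''.join(chr(ord(a) ^ ord(b)) for a, b in zip(key, given_str)))
```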

Flag

`rtcp{n0w_tH4T_w45_m0r3_cH4lL3NgiNG}`