Houseplant CTF
I was able to solve 8/10 of these challs, so that’s kinda nice.
Fragile
Question
Can you help me move my stuff? This one’s fragile!
Writeup
This is the important code:
public static boolean check(String input){
    boolean h = false;
    String flag = "h1_th3r3_1ts_m3";
    String theflag = "";
    if(input.length() != flag.length()){
        return false;
    }
    // theflag[i] = flag[i] + input[i], computed on the char codes
    for(int i = 0; i < flag.length(); i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i)));
    }
    return theflag.equals("ÐdØÓ^y§å^rÍaèÒÁ¡^w");
}
Here, we can see that the string passed to theflag.equals() isn't plain ASCII, so it is better to copy the value as exactly as possible. Therefore, I switched to Kate and copied the final theflag value.
The final value of theflag is ÐdØÓ§åÍaèÒÁ¡.
This function adds every char in input to the corresponding character in flag and checks whether the result is ÐdØÓ§åÍaèÒÁ¡.
Therefore, we just need to subtract.
Exploit
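# The unprintable characters (^y, ^r, ^w in the Java source) are written as escapes
thefinalflag = "ÐdØÓ\x99§å\x92ÍaèÒÁ¡\x97"
flag = "h1_th3r3_1ts_m3"
for i in range(len(flag)):
    # input[i] = theflag[i] - flag[i]
    print(chr(ord(thefinalflag[i])-ord(flag[i])),end='')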
This gives out: h3y_1ts_n0t_b4d
Flag
rtcp{h3y_1ts_n0t_b4d}
Breakable
Question
Okay…this one’s better, but still be careful!
Writeup
This is the checker function:
public static boolean check(String input){
    boolean h = false;
    String flag = "k33p_1t_in_pl41n";
    String theflag = "";
    int i = 0;
    if(input.length() != flag.length()){
        return false;
    }
    // loop 1: flag[i] + input[i+2]
    for(i = 0; i < flag.length()-2; i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i+2)));
    }
    // loop 2: flag[i] + input[i-2]
    for(i = 2; i < flag.length(); i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i-2)));
    }
    String[] flags = theflag.split("");
    // Never runs: i is already 16 here and flags.length/2 is 14.
    // It would also only change flags, not theflag.
    for(; i < (int)((flags.length)/2); i++){
        flags[i] = Character.toString((char)((int)(flags[i].charAt(0)) + 20));
    }
    return theflag.equals("Ò^rdݾ¤¤¾Ùà^oåÐ^scÝÆ^p¥ÌÈá^oÏܦaã");
}
Again, let’s get the real value of theflag. The real value of theflag is Òdݾ¤¤¾ÙàåÐcÝÆ¥ÌÈáÏܦaã.
Now, we need to reverse it. The last for loop seems to go from i=2 to flag.length and the first for loop goes from 0 to flag.length-2. Therefore, we know that theflag has input[2:] in the latter half of it, and it has input[:-2] in the first half.
Therefore, we need to reverse those two things to get the flag.
Exploit
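# theflag as compared in check(); the unprintable characters
# (^r, ^o, ^s, ^p in the Java source) are written as escapes
a = "Ò\x92dݾ¤¤¾Ùà\x8fåÐ\x93cÝÆ\x90¥ÌÈá\x8fÏܦaã"
realflag = ['0' for i in range(16)]
flag = "k33p_1t_in_pl41n"
# undo loop 1: theflag[i] = flag[i] + input[i+2]
for i in range(0,len(flag)-2):
    realflag[i+2] = chr(ord(a[i]) - ord(flag[i]))
# undo loop 2: its output starts at offset len(flag)-2 in theflag
for i in range(2,len(flag)):
    realflag[i-2] = chr(ord(a[i+len(flag)-4]) - ord(flag[i]))
print("rtcp{"+''.join(realflag)+"}")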
Flag
rtcp{0mg_1m_s0_pr0ud_}
Bendy
Question
I see you’ve found my straw collection…(this is the last excessive for loop one i swear)
Writeup
public static boolean check(String input){
    boolean h = false;
    String flag = "r34l_g4m3rs_eXclus1v3";
    String theflag = "";
    int i = 0;
    if(input.length() != flag.length()){
        return false;
    }
    // loop 1: flag[i] + input[i+8]
    for(i = 0; i < flag.length()-14; i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i+8)));
    }
    // loop 2: flag[i] + input[i-8]
    for(i = 10; i < flag.length()-6; i++){
        theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i-8)));
    }
    // loop 3: continues from i = flag.length()-6, flag[i-3] + input[i]
    for(; i < flag.length(); i++){
        theflag += (char)((int)(flag.charAt(i-3)) + (int)(input.charAt(i)));
    }
    //Ò^rdݾ¤¤¾Ùà^oåÐ^scÝÆ^p¥ÌÈá^oÏܦaã
    String[] flags = theflag.split("");
    // add 20 to every character in the first half
    for(i=0; i < (int)((flags.length)/2); i++){
        flags[i] = Character.toString((char)((int)(flags[i].charAt(0)) + 20));
    }
    // result = second half followed by the shifted first half
    theflag = theflag.substring(flags.length/2);
    for(int k = 0; k < ((flags.length)/2); k++){
        theflag += flags[k];
    }
    return theflag.equals("ÄÑÓ¿ÂÒêáøz§è§ñy÷¦");
}
(This chall is the old version, btw)
The first for loop will encode (sort of) input[:6], and the second loop will encode [2:7] and the third one encodes input[15:].
Exploit
# \x93 is an unprintable C1 control character, so it is written as an escape
start_junk = "ÄÑ\x93Ó¿ÂÒêáøz§è§ñy÷¦"
med_junk = ""
# undo the final step: the second half of the target is the first half + 20
for i in range(len(start_junk)//2,len(start_junk)):
    med_junk += chr(ord(start_junk[i])-20)
med_junk += start_junk[:len(start_junk)//2]
print(med_junk)
flag = "r34l_g4m3rs_eXclus1v3"
ree = ['/' for i in range(21)]
ree_count = 0
for i in range(0,len(flag)-14):
    print(ree_count)
    ree[i+8] = chr(ord(med_junk[ree_count]) - ord(flag[i]))
    ree_count += 1
for i in range(10,len(flag)-6):
    ree[i-8] = chr(ord(med_junk[ree_count]) - ord(flag[i]))
    ree_count += 1
for i in range(len(flag)-6, len(flag)):
    ree[i] = chr(ord(med_junk[ree_count]) - ord(flag[i-3]))
    ree_count += 1
# positions no loop touches stay '/'
print(''.join(ree))
(sorry for the variable names, I was frustrated)
Also you need to guess some of the flag.
Flag
rtcp{h0p3_y0ur3_h4v1ng_fun}
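Fragile, Breakable and Bendy all reduce to the same inversion, so here is one solver for the three of them, as an added example that is not part of the original writeup; it generalizes the per-challenge scripts by describing each checker as a list of (flag index, input index) pairs. Assumptions: the function names are made up for this example, the `^x` control characters in the Java listings are read as 0x80 plus the control code (`^y` = 0x99), and the 0x93 in Bendy's target is inferred from the published flag.

```python
# Added example: one inverse for all three "flag[i] + input[j]" checkers.
# Targets are the code points of the strings check() compares against, kept
# as Latin-1 hex so the C1 control characters (0x80-0x9f) cannot get lost.
FRAGILE = ("h1_th3r3_1ts_m3", "d064d8d399a7e592cd61e8d2c1a197")
BREAKABLE = ("k33p_1t_in_pl41n",
             "d29264ddbea4a4bed9e08fe5d09363ddc690a5ccc8e18fcfdca661e3")
BENDY = ("r34l_g4m3rs_eXclus1v3", "c4d193d3bfc2d2eae1f87aa7e8a7f179f7a6")

def pairs_fragile(n):
    return [(i, i) for i in range(n)]

def pairs_breakable(n):
    # loop 1: flag[i] + input[i+2]; loop 2: flag[i] + input[i-2]
    return [(i, i + 2) for i in range(n - 2)] + [(i, i - 2) for i in range(2, n)]

def pairs_bendy(n):
    # the three loops, in the order they append to theflag
    return ([(i, i + 8) for i in range(n - 14)]
            + [(i, i - 8) for i in range(10, n - 6)]
            + [(i - 3, i) for i in range(n - 6, n)])

def unrotate(codes):
    # Bendy ends with second_half + (first_half + 20); restore loop order.
    half = len(codes) // 2
    return [c - 20 for c in codes[half:]] + codes[:half]

def recover(flag, codes, pairs):
    """Invert codes[k] = ord(flag[fi]) + ord(input[ii]); '?' = never checked."""
    if len(codes) != len(pairs):
        raise ValueError("target has %d chars, checker emits %d"
                         % (len(codes), len(pairs)))
    out = ["?"] * len(flag)
    for code, (fi, ii) in zip(codes, pairs):
        ch = chr(code - ord(flag[fi]))
        if out[ii] not in ("?", ch):
            raise ValueError("input[%d] is constrained inconsistently" % ii)
        out[ii] = ch
    return "".join(out)

def solve(challenge, pairs_fn, rotated=False):
    flag, hex_target = challenge
    codes = list(bytes.fromhex(hex_target))
    return recover(flag, unrotate(codes) if rotated else codes, pairs_fn(len(flag)))

if __name__ == "__main__":
    print(solve(FRAGILE, pairs_fragile))
    print(solve(BREAKABLE, pairs_breakable))
    print(solve(BENDY, pairs_bendy, rotated=True))
```

The `?` positions in the Bendy result are the input characters no loop reads, which is why part of that flag has to be guessed; the length check catches a target string that lost its unprintable characters in a copy and paste.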
EZ
Question
I made a password system, bet you can’t get the flag
Writeup
The flag is in a comment. Honestly.
Flag
rtcp{tH1s_i5_4_r3aL_fL4g_s0_Do_sUbm1T_1t!}
PZ
Question
Ok, I think I made it slightly better. Now you won’t get the flag this time!
Writeup
Again, literally in the code.
Output
(Because of course I want to show uwuspeak).
[kek@tlh PZ]$ python pass1.py
Enter the password: rtcp{iT5_s1mPlY_1n_tH3_C0d3}
Unlocked. The flag is the password.
b-but i wunna show off my catswpeak uwu~... why wont you let me do my nya!!
LEMON
Question
Fine. I made it a bit more secure by not just leaving it directly in the code.
Writeup
Build together the loose bits.
Flag
rtcp{y34H_tHiS_a1nT_sEcuR3}
SQUEEZY
Question
Ok this time, you aren’t getting anywhere near anything.
Writeup
This XORs every character of the key with the corresponding character of the user input.
Exploit
a = "\x1f\x11\x0c\x07\x15\x00Q\x18:#D\x08->\x14U\x1a%1\x01Q\x1f:$D\x17&\x03(\r^\x19*X\x1c"
key = "meownyameownyameownyameownyameownya"
print(''.join(chr(ord(a)^ord(b)) for a,b in zip(a,key)))
Flag
rtcp{y0u_L3fT_y0uR_x0r_K3y_bEh1nD!}
thedanzman
Question
Fine. I made it even harder. It is now no longer “ez”, “pz”, “lemon” or “squeezy”. You will never get the flag this time.
Writeup
This chall does the following things:
- Take user input.
- Use a key.
- Encode the key with rot_13.
- XOR every character of the input with the rot_13’d key.
- Base64-encode the result.
- rot_13 it.
- Reverse it.
- Check if it is equal to "'=ZkXipjPiLIXRpIYTpQHpjSQkxIIFbQCK1FR3DuJZxtPAtkR'o".
Therefore we need to do the exact reverse of it.
Exploit
import codecs
given_bytes = "'=ZkXipjPiLIXRpIYTpQHpjSQkxIIFbQCK1FR3DuJZxtPAtkR'o"[::-1]
given_bytes = codecs.decode(given_bytes,'rot_13')
given_str = codecs.decode(bytes(given_bytes[2:-1],'ascii'),'base64').decode('ascii')
key = codecs.encode("nyameowpurrpurrnyanyapurrpurrnyanya",'rot_13')
print(''.join(chr(ord(a)^ord(b)) for a,b in zip(key,given_str)))
Flag
rtcp{n0w_tH4T_w45_m0r3_cH4lL3NgiNG}
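The step list for thedanzman, written out in both directions as an added example (not the challenge's code, which is not shown on this page). The `encode` function is a reconstruction from the listed steps; the `str()` wrapper around the base64 bytes is an assumption inferred from the exploit's `[2:-1]` slice, and the function names are made up here.

```python
import base64
import codecs

KEY = "nyameowpurrpurrnyanyapurrpurrnyanya"  # key used in the exploit above
TARGET = "'=ZkXipjPiLIXRpIYTpQHpjSQkxIIFbQCK1FR3DuJZxtPAtkR'o"

def xor_with_key(data: bytes) -> bytes:
    # The key is rot_13'd before use; XOR is its own inverse.
    key = codecs.encode(KEY, "rot_13").encode("ascii")
    if len(data) > len(key):
        raise ValueError("input is longer than the key")
    return bytes(a ^ b for a, b in zip(data, key))

def encode(password: str) -> str:
    """Forward direction, reconstructed from the step list (assumption)."""
    xored = xor_with_key(password.encode("ascii"))
    # str() of a bytes object gives "b'...'"; after rot_13 and reversal the
    # leading b becomes the trailing o seen in TARGET.
    wrapped = str(base64.b64encode(xored))
    return codecs.encode(wrapped, "rot_13")[::-1]

def decode(target: str) -> str:
    """Undo the steps in reverse order: reverse, rot_13, base64, XOR."""
    wrapped = codecs.decode(target[::-1], "rot_13")
    if not (wrapped.startswith("b'") and wrapped.endswith("'")):
        raise ValueError("not a stringified bytes literal")
    xored = base64.b64decode(wrapped[2:-1], validate=True)
    return xor_with_key(xored).decode("ascii")

if __name__ == "__main__":
    recovered = decode(TARGET)
    print(recovered)
    print(encode(recovered) == TARGET)
```

Every layer is keyless or uses a key stored next to the check, so the comparison string alone is enough to recover the password.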