███                   █████                          
            ░░░                   ░░███                           
 ████████   ████   █████   ██████  ░███████    ██████   █████ ████
░░███░░███ ░░███  ███░░   ███░░███ ░███░░███  ░░░░░███ ░░███ ░███ 
 ░███ ░███  ░███ ░░█████ ░███ ░░░  ░███ ░███   ███████  ░███ ░███ 
 ░███ ░███  ░███  ░░░░███░███  ███ ░███ ░███  ███░░███  ░███ ░███ 
 ████ █████ █████ ██████ ░░██████  ████ █████░░████████ ░░███████ 
░░░░ ░░░░░ ░░░░░ ░░░░░░   ░░░░░░  ░░░░ ░░░░░  ░░░░░░░░   ░░░░░███ 
                                                         ███ ░███ 
                                                        ░░██████  
                                                         ░░░░░░

Houseplant CTF

TODO

I was able to solve 8/10 of these challs, so that’s kinda nice.

Fragile

Question

Can you help me move my stuff? This one’s fragile!

Writeup

This is the important code:

public static boolean check(String input){
        boolean h = false;
        String flag = "h1_th3r3_1ts_m3";
        String theflag = "";
        if(input.length() != flag.length()){
            return false;
        }
        for(int i = 0; i < flag.length(); i++){
            theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i)));
        }
        return theflag.equals("ÐdØÓ^y§å^rÍaèÒÁ¡^w");
    }

Here, we can see that theflag.equals() doesn’t really have ASCII codes. Therefore, it’d be better to get the values as properly as possible. Therefore, I switched to Kate and copied the final theflag value. The final value of theflag is ÐdØә§å’ÍaèÒÁ¡—.

This function is basically adding every char in input to the corresponding character in flag and checking if it is ÐdØә§å’ÍaèÒÁ¡—. Therefore, we just need to subtract.

Exploit

thefinalflag = "ÐdØÓ§åÍaèÒÁ¡"
flag = "h1_th3r3_1ts_m3"

for i in range(len(flag)):
	print(chr(ord(thefinalflag[i])-ord(flag[i])),end='')

This gives out: h3y_1ts_n0t_b4d

Flag

rtcp{h3y_1ts_n0t_b4d}

Breakable

Question

Okay…this one’s better, but still be careful!

Writeup

This is the checker function:

public static boolean check(String input){
        boolean h = false;
        String flag = "k33p_1t_in_pl41n";
        String theflag = "";
        int i = 0;
        if(input.length() != flag.length()){
            return false;
        }
        for(i = 0; i < flag.length()-2; i++){
            theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i+2)));
        }
        for(i = 2; i < flag.length(); i++){
            theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i-2)));
        }
        String[] flags = theflag.split("");
        for(; i < (int)((flags.length)/2); i++){
            flags[i] = Character.toString((char)((int)(flags[i].charAt(0)) + 20));
        }
        return theflag.equals("Ò^rdݾ¤¤¾Ùà^oåÐ^scÝÆ^p¥ÌÈá^oÏܦaã");
    }

Again, let’s get the real value of theflag. The real value of theflag is Ғdݾ¤¤¾ÙàåГcÝƐ¥ÌÈáÏܦaã.

Now, we need to reverse it. The last for loop seems to go from i=2 to flag.length and the first for loop goes from 0 to flag.length-2. Therefore, we know that theflag has input[2:] in the latter half of it, and it has input[:-2] in the first half.

Therefore, we need to reverse those two things to get the flag.

Exploit

realflag = ['0' for i in range(16)]
flag = "k33p_1t_in_pl41n"
for i in range(0,len(flag)-2):
	realflag[i+2] = chr(ord(a[i]) - ord(flag[i]))
for i in range(2,len(flag)):
	realflag[i-2] = chr(ord(a[i+len(flag)-4]) - ord(flag[i]))
print("rtcp{"+''.join(realflag)+"}")

Flag

rtcp{0mg_1m_s0_pr0ud_}

Bendy

Question

I see you’ve found my straw collection…(this is the last excessive for loop one i swear)

Writeup

    public static boolean check(String input){
        boolean h = false;
        String flag = "r34l_g4m3rs_eXclus1v3";
        String theflag = "";
        int i = 0;
        if(input.length() != flag.length()){
            return false;
        }
        for(i = 0; i < flag.length()-14; i++){
            theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i+8)));
        }
        for(i = 10; i < flag.length()-6; i++){
            theflag += (char)((int)(flag.charAt(i)) + (int)(input.charAt(i-8)));
        }
        for(; i < flag.length(); i++){
            theflag += (char)((int)(flag.charAt(i-3)) + (int)(input.charAt(i)));
        }
        //Ò^rdݾ¤¤¾Ùà^oåÐ^scÝÆ^p¥ÌÈá^oÏܦaã
        String[] flags = theflag.split("");
        for(i=0; i < (int)((flags.length)/2); i++){
            flags[i] = Character.toString((char)((int)(flags[i].charAt(0)) + 20));
        }
        theflag = theflag.substring(flags.length/2);
        for(int k = 0; k < ((flags.length)/2); k++){
            theflag += flags[k];
        }
        return theflag.equals("ÄѓӿÂÒêáøz§è§ñy÷¦");
    }

(This chall is the old version, btw)

The first for loop will encode (sort of) input[:6], and the second loop will encode [2:7] and the third one encodes input[15:].

Exploit

start_junk = "ÄÑÓ¿ÂÒêáøz§è§ñy÷¦"
med_junk = ""
for i in range(len(start_junk)//2,len(start_junk)):
	med_junk += chr(ord(start_junk[i])-20)
med_junk += start_junk[:len(start_junk)//2]
print(med_junk)
flag = "r34l_g4m3rs_eXclus1v3"
ree = ['/' for i in range(21)]
ree_count = 0
for i in range(0,len(flag)-14):
	print(ree_count)
	ree[i+8] = chr(ord(med_junk[ree_count]) - ord(flag[i]))
	ree_count += 1
for i in range(10,len(flag)-6):
	ree[i-8] = chr(ord(med_junk[ree_count]) - ord(flag[i]))
	ree_count += 1
for i in range(len(flag)-6, len(flag)):
	ree[i] = chr(ord(med_junk[ree_count]) - ord(flag[i-3]))
	ree_count += 1
print(''.join(ree))

(sorry for the variable names, I was frustrated)

Also you need to guess some of the flag.

Flag

rtcp{h0p3_y0ur3_h4v1ng_fun}

EZ

Question

I made a password system, bet you can’t get the flag

Writeup

The flag is in a comment. Honestly.

Flag

rtcp{tH1s_i5_4_r3aL_fL4g_s0_Do_sUbm1T_1t!}

PZ

Question

Ok, I think I made it slightly better. Now you won’t get the flag this time!

Writeup

Again, literally in the code.

Output

(Because of course I want to show uwuspeak).

[kek@tlh PZ]$ python pass1.py 
Enter the password: rtcp{iT5_s1mPlY_1n_tH3_C0d3}
Unlocked. The flag is the password.
b-but i wunna show off my catswpeak uwu~... why wont you let me do my nya!!

LEMON

Question

Fine. I made it a bit more secure by not just leaving it directly in the code.

Writeup

Build together the loose bits.

Flag

rtcp{y34H_tHiS_a1nT_sEcuR3}

SQUEEZY

Question

Ok this time, you aren’t getting anywhere near anything.

Writeup

This XOR’s every element in key, with userinput.

Exploit

a = "\x1f\x11\x0c\x07\x15\x00Q\x18:#D\x08->\x14U\x1a%1\x01Q\x1f:$D\x17&\x03(\r^\x19*X\x1c"
key = "meownyameownyameownyameownyameownya"
print(''.join(chr(ord(a)^ord(b)) for a,b in zip(a,key)))

Flag

rtcp{y0u_L3fT_y0uR_x0r_K3y_bEh1nD!}

thedanzman

Question

Fine. I made it even harder. It is now no longer “ez”, “pz”, “lemon” or “squeezy”. You will never get the flag this time.

Writeup

This chall does the following things:

  1. Take user input.
  2. use a key.
  3. encode key with rot_13
  4. xor every part of input with rot_13’d key
  5. base64 encode the result
  6. rot_13 it
  7. reverse it
  8. check if it is equal to “‘=ZkXipjPiLIXRpIYTpQHpjSQkxIIFbQCK1FR3DuJZxtPAtkR’o”

Therefore we need to do the exact reverse of it.

Exploit

import codecs

given_bytes = "'=ZkXipjPiLIXRpIYTpQHpjSQkxIIFbQCK1FR3DuJZxtPAtkR'o"[::-1]
given_bytes = codecs.decode(given_bytes,'rot_13')
given_str = codecs.decode(bytes(given_bytes[2:-1],'ascii'),'base64').decode('ascii')
key = codecs.encode("nyameowpurrpurrnyanyapurrpurrnyanya",'rot_13')
print(''.join(chr(ord(a)^ord(b)) for a,b in zip(key,given_str)))

Flag

rtcp{n0w_tH4T_w45_m0r3_cH4lL3NgiNG}

Contact me