Pwnium wins a slot to compete at CSAW CTF 2016 Finals

After participating in the qualifying round, which lasted 48 hours, Pwnium won a slot over more than 2000 teams worldwide to compete at the CSAW Finals.

Cyber Security Awareness Week (CSAW) is the largest student-run cyber security event. It will be held this year on November 10-12, 2016. Student teams from India, the Middle East and North Africa, and the United States will compete simultaneously at NYU Tandon in Downtown Brooklyn, NYU Abu Dhabi and the Indian Institute of Technology Kanpur.

Students will tackle problems in a series of real-world scenarios modeling various computer security problems. To succeed, teams must demonstrate a profound understanding of the roles and ramifications of cyber security in these situations.

Because the challenges are designed to teach, CTF requires contestants to integrate concepts, develop skills and learn to hack as they go. Finalists will compete on-site for cash prizes, where their performance will be judged by a panel of technical experts.

HackIt 2016 CTF: Kenya – T2Yh4RD Pwn200 writeup


This writeup will be quick and dirty. The idea behind the challenge is to guess a randomly generated password to win the game and get a shell. You lose the game after 3 bad tries.

I spent a lot of time reversing the binary to figure out how the password is generated, because this was the first time I dealt with a Position Independent Executable (PIE).

Well, to solve the task all we need is to guess the value used to seed the random number generator. With the seed we can reproduce the generated password.

The seed is calculated from the current timestamp and the current process id. We don't know the pid, so we have to brute-force it. But we have only 3 tries! Easy! Just overflow the "tries" variable on the stack to get infinite tries. That's all!

Here is the exploit. Don't ask me why I wrote it in C!


After a few seconds I got the flag: h4ck1t{S0M3tiM35_n33D_b2UtEf02c3}
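To illustrate why a seed built from the timestamp and the pid is guessable, here is an added Python sketch; it is not the author's C exploit and not the challenge binary. The alphabet, password length, the seed formula timestamp ^ pid, the pid bound, and Python's Mersenne Twister standing in for C rand() are all assumptions; the point is how small the candidate set is once the timestamp is known, and what a hardened generator looks like instead.

```python
import os
import random
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
PID_MAX = 32768        # default Linux pid_max; assumed bound for the search
PASSWORD_LEN = 8       # constructed value, not taken from the challenge


def weak_password(timestamp: int, pid: int) -> str:
    """Hypothetical stand-in for the challenge's generator: the only entropy
    is the wall-clock second and the process id, folded into one small seed.
    (The real binary uses C rand(); random.Random is a stand-in here.)"""
    rng = random.Random(timestamp ^ pid)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def candidate_passwords(timestamp: int) -> set:
    """Every password the generator could have produced during one second.
    With the timestamp known, at most PID_MAX values remain, so the
    three-try limit is the only real obstacle and a counter overflow that
    grants unlimited tries makes the guess trivial."""
    return {weak_password(timestamp, pid) for pid in range(1, PID_MAX)}


def strong_password(length: int = PASSWORD_LEN) -> str:
    """Hardened version: draw from the OS CSPRNG; there is no seed to
    reconstruct from time or pid."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo() -> tuple:
    """Generate a weak password for this process and check that it lies in
    the candidate set derived from the timestamp alone."""
    ts = int(time.time())
    pid = os.getpid() % PID_MAX      # keep the demo inside the assumed bound
    secret_value = weak_password(ts, pid)
    pool = candidate_passwords(ts)
    return secret_value in pool, len(pool)


if __name__ == "__main__":
    found, size = demo()
    print(f"weak password in candidate set: {found}; set size: {size}")
    print(f"hardened password: {strong_password()}")
```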

HackIt 2016: L4bR4t-France Reverse 375 writeup


In this task we were given a shared library “” and a zip file containing encrypted and plain jpeg files.

Here is task description:

There were some photos of an unknown experiment taken in a secret lab-X for their internal archive. After that the device from which the shot was made immediately loaded a crypto-trigger, whose function is to ensure the confidentiality of image data (this is exactly how it should be in super-secret laboratories?).

It is known that, due to some floating code errors, the trigger has not completed its work and not all the photos were encrypted.

We managed to get a binary, which has something to do with that crypto-trigger software.

And now we have a good chance to find out what secrets laboratory-X hides.

The first step I did is printing the symbol table of the shared library to figure out what functions are exported.

By running objdump -T I got mangled symbol names. They can be demangled with nm -C.

The SuperSecretLabCryptor2000 class exports all the methods required to perform encryption/decryption.

It is obvious that CBC is used as the mode of operation.

We still need to figure out which cryptographic algorithm, key length, IV and key were used.

Before going deeper into the analysis, I would like to mention at this point that the shared object is a white-box cryptography implementation.

How do I know? The CryptFile method takes only a filename as argument; no encryption key is specified. The key is instantiated at runtime.

What is white-box cryptography?

In a few words, white-box cryptography aims at protecting secret keys from being disclosed by a software implementation.

The main idea is to rewrite a key-instantiated version so that all information related to the key is “hidden”.

More details in this paper:

What encryption algorithm is implemented ?

By looking at the substitution box (S-box) you can determine that it is related to AES.

What is the Key length ?

It can be determined by looking at the disassembly of the CryptFile(char*) method: the key length is passed as an argument to the key_setup method.

The key length is 256 bits.

What are the initialization vector (IV) and the Key ?

To make life easier, I chose to use the library itself to extract the (IV, Key) pair rather than reversing the key_init, iv_init and setup_key functions.

Following is a general overview of the encryption process.

The constructor does the following operations:

- Initializes a timestamp attribute through the time function.
- Initializes the key attribute through the init_key method. The timestamp attribute is used here to add randomness to the resulting key.
- Initializes the IV attribute using the init_iv method. The IV depends on the initialized key (it is XORed with the first 16 bytes of the key).

The CryptFile method reads the provided file and calls the key_setup method. key_setup takes the initialized key and the key length as arguments and generates the final key to be used in encryption.

The content encryption is done by invoking the encrypt_cbc method, which takes as arguments, respectively, the input buffer, buffer length, output buffer, key, key length and IV.

Finally the result is written back to the file.

To perform encryption, I wrote the following C code. It uses the provided library, simulates the creation of a SuperSecretLabCryptor2000 object and calls the CryptFile method.

I did it in C, not C++! This is ugly, but surely there is a way to import a C++ class from a shared object and use it without a header file.

The code also prints out the Key and IV.

But stop! How can you get the correct key to decrypt the pictures? In other words, what is the value of the timestamp that was used to generate the correct key and IV?

I assumed that the timestamp used to encrypt the files is simply the last modification time of the encrypted file!

By running:

All encrypted files have the same last modification time. Using 1469990552 in my C code does not give a valid (Key, IV) pair!

By opening a plain picture with a hex editor I noticed that the EXIF metadata contains Fri, 17 Jun 2016 04:01:17 as the creation date and XCryptoPicture as the software.

Running the code with this timestamp gave the same encrypted header as the other encrypted pictures. It is the good one!

The correct Key and IV are also printed.

Finally, I put it all together in one Python script.

Now we are able to decrypt the JPEG files and see the flag.

flag: h4ck1t{CrYp70_3xxP3R1m3N75_VV0n7_4LVV4Y5_3ND_VV3ll}

Cheers 😀

Backdoor CTF 2016 Writeup


This is a quick and dirty writeup for Backdoor CTF 2016 tasks.

I played with my colleague Chaker within our team SpectriX which finished #13 in this CTF.

Parts of this writeup are shared between us.


WIRED-AUTH – Web 200

The /e modifier in preg_replace() is deprecated.
I just tell the auth script that the matched text should be evaluated as code after performing the replacement:
password = "/.\b/e"
key = "p(\$f)"

This will output:
PHP Notice: Undefined variable: fields_string in /root/backdoor/submit.php on line 9
4lw4y5_74k3_c4r3_wh1l3_u51n6_pr36_r3pl4c3_07h3rw153_v4mp1r3_5h4ll_f1nd_y0u!You must enter the correct password to get the flag!<br />daf88b

The flag is 4lw4y5_74k3_c4r3_wh1l3_u51n6_pr36_r3pl4c3_07h3rw153_v4mp1r3_5h4ll_f1nd_y0u!



It is a pyjail task.
Get the name of the running script:

Read its content:


Nothing special.
List the environment variables:

{'SHLVL': '1', 'HOSTNAME': '9da6525eaa81', 'PWD': '/scripts', '_F_L_A_G_': "'SHA256(w3_mu57_d357r0y_7h3_3nv10rnm3n7_70_637_r1d_0f_n00b5)'", 'HOME': '/root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', '_': './'}

flag: w3_mu57_d357r0y_7h3_3nv10rnm3n7_70_637_r1d_0f_n00b5

MINBLOWN – Crypto 150

PBKDF2 collision with HMAC-SHA1.

username = chintu
password = e6~n22k81<[p"k5hhV6*


Flag: 56490776814fdd91c81309b95fd11dbc8750a6a7f275e712550db6c34a901c62
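The collision is a property of HMAC rather than of PBKDF2 itself: a key longer than SHA-1's 64-byte block is replaced by its digest before use, so a long password and its raw 20-byte SHA-1 digest derive exactly the same key (the 20-character password above has that digest length). The Python below is an added illustration, not the writeup's solution; the long password, salt and iteration count are constructed values, and the pre-hashing function is one mitigation, not something the challenge service does.

```python
import hashlib
import hmac

BLOCK_SIZE = 64                 # SHA-1 block size in bytes
SALT = b"constructed-salt"      # constructed value, not from the challenge
ITERATIONS = 1000
DKLEN = 32


def derive(password: bytes, salt: bytes = SALT) -> bytes:
    """PBKDF2-HMAC-SHA1, the primitive named in the writeup."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, ITERATIONS, DKLEN)


def equivalent_password(password: bytes) -> bytes:
    """Return the 20-byte password that collides with a long one.

    HMAC replaces any key longer than BLOCK_SIZE by SHA1(key) before
    zero-padding it, so SHA1(password) used directly as the password yields
    identical HMAC values in every PBKDF2 iteration, hence the same key.
    """
    if len(password) <= BLOCK_SIZE:
        raise ValueError("only passwords longer than the HMAC block size collide")
    return hashlib.sha1(password).digest()


def same_key(p1: bytes, p2: bytes, salt: bytes = SALT) -> bool:
    """Constant-time comparison of the two derived keys."""
    return hmac.compare_digest(derive(p1, salt), derive(p2, salt))


def prehash(password: bytes) -> bytes:
    """Mitigation: map every password to a fixed-length ASCII string (64 hex
    bytes, not longer than BLOCK_SIZE) before PBKDF2, so the over-long-key
    shortcut never triggers and a raw digest is no longer an equivalent
    password."""
    return hashlib.sha256(password).hexdigest().encode()


# Constructed demonstration input: 87 bytes, well over the 64-byte block.
LONG_PASSWORD = b"correct horse battery staple " * 3
SHORT_TWIN = equivalent_password(LONG_PASSWORD)

if __name__ == "__main__":
    print("collides:", same_key(LONG_PASSWORD, SHORT_TWIN))
    print("collides after pre-hash:",
          same_key(prehash(LONG_PASSWORD), prehash(SHORT_TWIN)))
```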

BUSYBEE – Forensic 150

Two busybox copies, one renamed to "[" and the other to "cat".
I renamed them to busybox1 and busybox2.
One of the two busybox binaries is infected.
Just diff them:


< 00fbc50: 0000 0000 0000 000a 0a0a 0a54 4849 5320 ...........THIS
< 00fbc60: 4953 2057 4841 5420 594f 5520 4152 4520 IS WHAT YOU ARE
< 00fbc70: 4c4f 4f4b 494e 4720 464f 523a 2020 2020 LOOKING FOR:
< 00fbc80: 306e 335f 6e30 3062 5f72 7531 6e35 5f30 0n3_n00b_ru1n5_0
< 00fbc90: 6e33 5f68 756e 6472 3364 5f70 7230 3500 n3_hundr3d_pr05.

flag 0n3_n00b_ru1n5_0n3_hundr3d_pr05

DTUNE – Misc 70

Just read the DTMF tones and replace the mobile phone key codes with the corresponding letter (T9 Cipher)


Submit the link
Content of r.txt
Cookie: flag=e30524a77d014c2cba94e9f0c04e01e0c083a7388a16d3fc60f8d9c731dc8ac9 <br />
host: <br />
Connection: close <br />
Flag is e30524a77d014c2cba94e9f0c04e01e0c083a7388a16d3fc60f8d9c731dc8ac9

DEBUG – Rev 30

Can be solved statically

Flag is i_has_debugger_skill

LOSELESS – Stego 100

Calculate the diff between the encrypted and the original picture

This gives a 49×7 matrix


Each column corresponds to one char of the flag


That’s all 🙂

Pwnium CTF 2014 Tasks and Writeups


Here is a list of links to task writeups from Pwnium CTF 2014.
If you want to try the tasks locally, please take a look at the links I've included in this post below.
Note that during the CTF, 2362 flags were validated.


Crackme Fast (Prog300), 79 validations: [Pwnium_CTF]_Crackme_fast_by_Skuater,_Longinos_&_Nox__[amn3s1a_team].pdf

ROT (Prog300), 82 validations

2048 (Prog200), 45 validations


Find the owner (for100), 111 validations

USB is fun (for100), 245 validations


Breakpoints (re300), 35 validations

NoDebug (re200), 14 validations

Kernel Land (re150), 65 validations

Old World (re100), 11 validations

Baybe Crackme (re10), 220 validations


Remote KG (misc250), 0 validations

Numbers and sh*t (misc200), 15 validations

So basic (misc75), 204 validations

Problem? (Hidden 100), 5 validations

Look Closer (misc50), 325 validations

Altered Code (misc150), 71 validations

is_empty? (misc100), 27 validations


Be a Robot (pwn200), 85 validations


Guest Book (web200), 85 validations


Break Me (Crypt100), 167 validations


Any task or task writeup I missed can be found here
or here

Cheers !