add cybersci regionals 2022

crimist · crimist · commit 4d7dce37761d · 2022-11-08T21:34:31.000-08:00
diff --git a/.template.md b/.template.md
@@ -0,0 +1,7 @@
+# chall_name
+
+## Challenge
+
+## Walkthrough
+
+## Solve
diff --git a/README.md b/README.md
@@ -4,6 +4,7 @@ A collection of my CTF writeups.
 
 ## 2022
 
+* [CyberSci Regionals 2022](cybersci_regionals2022/README.md)
 * [SekaiCTF 2022](sekaictf2022/README.md)
 * [0CTF 2022](0ctf2022/README.md)
 * [CSAW 2022](csaw2022/README.md)
diff --git a/cybersci_regionals2022/README.md b/cybersci_regionals2022/README.md
@@ -0,0 +1,13 @@
+# CyberSci Regionals 2022
+
+[1st place!](https://ctftime.org/event/1805)
+
+I need to remember to save more for my write-ups though...
+
+## warmup
+
+* [warmups](./warmups/README.md)
+
+## crypto?
+
+* [vault.dat](./vault/README.md)
diff --git a/cybersci_regionals2022/vault/README.md b/cybersci_regionals2022/vault/README.md
@@ -0,0 +1,44 @@
+# Vault
+
+## Challenge
+
+We we're given the file `vault.dat` with an unknown encryption scheme and challenged to decode it - if it was possible...
+
+## Walkthrough
+
+Inspecting the vault showed that there was a binary system with only 2 possible uint8 combos.
+
+```bash
+$ hexdump -C vault.dat
+00028a90  20 20 09 09 20 09 09 20  20 09 09 20 20 09 09 20  |  .. ..  ..  .. |
+00028aa0  20 20 09 09 20 09 09 09  20 20 09 09 20 09 09 20  |  .. ...  .. .. |
+00028ab0  20 20 09 09 20 09 09 20  20 20 09 09 20 09 20 09  |  .. ..   .. . .|
+00028ac0  20 20 09 09 20 09 09 20  20 09 09 20 20 09 20 20  |  .. ..  ..  .  |
+00028ad0  20 20 09 09 20 09 09 20  20 20 09 09 20 20 09 20  |  .. ..   ..  . |
+...
+```
+
+Decoding `0x20` as 1 and `0x09` as 0 resulted in ASCII hex characters and decoding these gave us our flag.
+
+Credits to [@rctcwyvrn](https://github.com/rctcwyvrn) for her script. We worked on this chall together.
+
+```py
+from Crypto.Util.number import long_to_bytes
+
+f = open("vault.dat")
+contents = f.read()
+
+test = b""
+with open("layer.out", "wb") as f:
+    for b_start in range(0, len(contents), 16):
+        b = ["1" if x == "\x20" else "0" for x in contents[b_start:b_start+16]]
+        sliced = b[4:8] + b[12:16]
+        b = long_to_bytes(int("".join(sliced), 2))
+        print(test)
+        test += b
+        f.write(b)
+```
+
+## Solve
+
+`Encryption key 1: 1a54a7c80123f8f23711f9572f0e9798`
diff --git a/cybersci_regionals2022/warmups/README.md b/cybersci_regionals2022/warmups/README.md
@@ -0,0 +1,24 @@
+# Warmups
+
+## Challenge
+
+We were given an IP and flag format. No other info.
+
+## Walkthrough
+
+The only warmup worth talking about was a classic vhost issue.
+
+Inspecting the certificate for the webserver running on `10.0.2.21` showed that the certificate was signed for 2 domains: `warmup.nuber.int` and `internal.nuber.int`. As such I tried setting the `Host` header and voila, the flag.
+
+```py
+import httpx
+
+r = httpx.get('https://10.0.2.21/', headers={'Host': 'internal.nuber.int'}, verify=False)
+print(r.status_code, r.text)
+```
+
+I actually solved this 3 mins after the CTF ended because I couldn't get it working. Turns out using `http` instead of `https` was the culprit :|
+
+## Solve
+
+`SERVERADMIN-sX2dq4Cmrv1HcmGDYbTa3vIav8GB_erLz3Eo0A7psQ0`
