Software Developer / Cyber Security Lover.
Trying to get every thing and how it works, and miss with it lil bit.
VaultDoors Writeups
Quick Summary
hey here is my write-up for all the java challenges in pico ctf...hope you like it.
VaultDoor0 (50 point)
ok this one is like saying hi to u XD .... as you can see if we opened the code in VaultDoorTraining file
as we can see we got to enter password which the script pass it to method called checkPassword() which checks if our input eqals
w4rm1ng_Up_w1tH_jAv4_ca5ae7fcc95
so the flag is:
picoCTF{w4rm1ng_Up_w1tH_jAv4_ca5ae7fcc95}
VaultDoor1 (100 points)
now let's get another one ... let's get to the code :
as we can see here this time the method checks 2 things ... first is the length of the password is 32 char and checks specific chars in order.....so let's reverse this by this script:
which writes the elements of the array that contains the password and returns our flag:
picoCTF{d35cr4mbl3_tH3_cH4r4cT3r5_1122d9}
VaultDoor3 (200 points)
so it's so easy till now... this time if you tried to solve it manually it will take some time... i think xD:
so the method do some basic checks such that the password is a shuffle of the flag so we just need to reverse this shuffling .. so i did it using this script:
it's like we need to check if 'x' is in the 'c' place in the password .... so what i did is .... (put x in c) so we got the flag:
picoCTF{jU5t_a_s1mpl3_an4gr4m_4_u_150a16}
VaultDoor4 (250 points)
easy....let's see, when we open the code file we got:
which check each byte in the password and compare it with corresponding byte in the array.... so i just rewrote the byte array and converted it to chars:
so we got this flag:
picoCTF{jU5t_4_bUnCh_0f_bYt3s_f26a898151}
VaultDoor5 (300 points)
where is the reverse xD !, in this one after a good look at the code:
which simplly encoding password 2 times and checks the output .... GoF(password) = output |where 'G' is base64 encode and 'F' is url Encode| ...so i just made it FoG(output) = password
i used Base64decode to decode the base64:
JTYzJTMwJTZlJTc2JTMzJTcyJTc0JTMxJTZlJTY3JTVmJTY2JTcyJTMwJTZkJTVmJTYyJTYxJTM1JTY1JTVmJTM2JTM0JTVmJTYzJTMxJTM0JTYzJTYzJTY1JTMxJTMx
so we got the urlencoded password :
%63%30%6e%76%33%72%74%31%6e%67%5f%66%72%30%6d%5f%62%61%35%65%5f%36%34%5f%63%31%34%63%63%65%31%31
so i used urldecoder to get the password : c0nv3rt1ng_fr0m_ba5e_64_c14cce11
picoCTF{c0nv3rt1ng_fr0m_ba5e_64_c14cce11}
VaultDoor6 (350 points)
so now let;s have a look at this code:
this one needs a little math help ... we got an equation which is '(b ^ 0x55) - q = 0' |where b is the i'th byte in the password and q is the q'th byte in array myBytes[]|
so we need to get b one equation one unkown ... the inverse of the '^' if we got z = x ^ y so 'x = z^y' and 'y = z^x'
so the x represent the b in our equation which we need to find and z = (0 + q) .... so it will be q ^ 0x55 :
so we got our flag: n0t_mUcH_h4rD3r_tH4n_x0r_4ddee2b
picoCTF{n0t_mUcH_h4rD3r_tH4n_x0r_4ddee2b}
VaultDoor7 (400 points)
after having a good look at the code:
after understanding the code we fint the this file is using 2 methods ... the first one is doing some shifting on the password and the other is checking
so let's see the first method
we can see that the method is splitting the password into 8 pieces each piece is 4 chars and shifting every char
and the check nethod checks if every piece is equal to decimal number
so i created a wordlist have all permutaions on four chars that can be created and started to test every decimal number:
which gaved me:
after rearranging it we got the flag:
picoCTF{A_b1t_0f_b1t_sh1fTiNg_7390724aab}
VaultDoor8 (450 points)
now the last one , let's have a look at the code:
>shift) | rest);
return result;
}
public boolean checkPassword(String password) {
char[] scrambled = scramble(password);
char[] expected = {
0xF4, 0xC0, 0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4,
0xF0, 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86,
0xD0, 0xA5, 0x45, 0x96, 0x27, 0xB5, 0x77, 0xA4,
0xF1, 0x94, 0xC1, 0xC0, 0xE1, 0xC1, 0xD1, 0x85 };
return Arrays.equals(scrambled, expected);
}
}
now this is nice one ... this code have 3 methods ... the first one scramble which is calling another method
called switchBits which do some stuff and finally we got encrypted thing out after these opperations and compair each byte with the corresponding byte in
checkPassword method
now we need to know that we cannot reverse the first 2 methods ......... but instead of this we know that each byte is representing char in our password
so what i simplly did is brute force all the chars 'a-z , A-Z, 0-9, _' and used it as input to the 2 methods and compare the output with the corresponding byte in
the checkPassword method
so we are not going to decrypt .... we are going to reduce our bruteforce instead of 32 chars permutation which can take for ever ...... to just 1 char xD:
>shift) | rest);
return result;
}
public boolean checkPassword(char[] password) {
char[] scrambled = password;
char[] expected = {
0xF4, 0xC0, 0x97, 0xF0, 0x77, 0x97, 0xC0, 0xE4,
0xF0, 0x77, 0xA4, 0xD0, 0xC5, 0x77, 0xF4, 0x86,
0xD0, 0xA5, 0x45, 0x96, 0x27, 0xB5, 0x77, 0xA4,
0xF1, 0x94, 0xC1, 0xC0, 0xE1, 0xC1, 0xD1, 0x85 };
return Arrays.equals(scrambled, expected);
}
}
picoCTF{s0m3_m0r3_b1t_sh1fTiNg_b7a40645d}
i hope you guys liked my write-up ... it was a nice ctf.....we got the 23'th place globally
iam really proud of this team and very gratefull that i had this opportunity to participate ...... special thanks to (Ahmed Hesham aka 0xrick) for letting me steal his website design xD