Category: Crypto Points: 10,10,30,40 Solves: 436,381,224,63 Description:

Decrypt 4 flags.

In this challenge we're given 4 encrypted flags and asked to decrypt them. They get successively more difficult, with the last one having only 63 successful solves. For each encrypted blob we were given a corresponding URL for the encryption engine, which would let us input anything and get back the corresponding output.

From a cryptography perspective, this means that for each of the flags we have at least two types of attack available. We have a chosen-plaintext attack, in which we decide what to encrypt and look at the results. We also have a known-plaintext attack, since each flag is of the form "MMA{<values>}". Using these two types of attack we can solve each of the challenges.

The other day I was looking into creating transparent tunneling using my router (with dd-wrt version 24 sp 2) and ProXPN. This would be handy in any number of situations, including the ability to proxy those devices which don't naturally have that ability (i.e., the Internet of Things). Sadly, there seems to be a dearth of information regarding how to set this up, so after some research and floundering on my own, here's how I've gotten it to work.

Category: Reversing Points: 200 Solves: 29 Description:

Find valid credentials for the registration server keycheck running on 10114


Running this program, we get:


    $ ./keycheck
    Enter username: User
    Enter key: Password
    Registration data invalid.


As the title suggests, the goal is to find a username and key that will allow successful registration. Running strings on the binary doesn't tell us too much, but does show a reference to python2. Let's ease our way into this problem by using ltrace to show which library and system calls it makes.

Category: Web Points: 75 Solves: 22 Description:

    What does this service do? It hides a flag!


Navigating to the website, we see an input box and a query button. The first thing to do is throw some data at it and see what happens:


    RESPONSE: 61008ce2,CAMP15_silverneedle
    RESPONSE: 61010292,CAMP15_silverneedle
    SENT: ab
    RESPONSE: 61626b8f,CAMP15_silverneedle
    RESPONSE: 6162dc3f,CAMP15_silverneedle
    SENT: abc
    RESPONSE: not found

PicoCTF is a Capture the Flag event focused on teaching skills, rather than being primarily a competition. This means that the challenges are written in a way to teach the person playing something and since there are different levels, many will learn something new during the CTF.


Here's the challenge:

"Daedalus Corp's spy in Thyrin Labs seems to sometimes use an encrypted drop box for their messages. We intercepted one of their messages, but we don't seem to be able to decrypt it. Fortunately, we have the source and the address of their key generation server: maybe there's a way to use that to decrypt their message? Unfortunately, we don't have their list of cached primes...

Their source, and our intercepted message, are here. The key generation service is running at"