Welcome!

This dojo contains several challenges focused on topics common to reverse engineering. Some of these challenges will be modified to work with fewer steps, while others will (hopefully) challenge your skills. We hope you enjoy!


Challenges

Challenge Description

Software vulnerabilities are everywhere! Don't let the futuristic date of 2025 mislead you; headlines abound of software vulnerabilities plaguing even the most advanced companies. This challenge will introduce you to the humble buffer overflow, but don't let its simplicity fool you! It is the bread and butter of even sophisticated attacks used today.

How it Works

Run the program buffer_overflow and follow the prompts. You will need to enter a very specific number of characters to cause the buffer overflow to occur. This program is written so that once you reach the correct number of characters, it will automatically trigger the vulnerability: no debuggers necessary for this one! In "the real world" entering the correct number of characters would only be the first step, then you'd have to find the memory address you want to go to; but that is a challenge for a different day.

When You're Done

You are done when the buffer_overflow program emits a string; there will be no mistaking what is the correct string. When you've received it, copy the string and run python verify and paste the value at the prompt. You will receive a flag that you will use in pwn.college to complete the challenge.

Challenge Steps

  1. Open a terminal in the Desktop
  2. Navigate to the /challenge directory (Hint: Type cd /challenge and press Enter)
  3. Use the ls command to find the challenge file (Hint: it is NOT the DESCRIPTION.md file)
  4. To run the challenge, type the filename and press Enter!
  5. Submit your flag!

Challenge Description

This challenge contains four different numbers that are randomly chosen as the 'secret' number. Each execution of the program chooses a different one of the four as the 'secret' number. The goal of this challenge is to enter the correct 'secret' number and retrieve the token. There are several techniques you can use to get the correct number(s), which one you learn is up to you!

How it Works

Run the program magic_numbers and you will see the prompt Please guess the number between 1 and 1000:. Enter a number and you will either have guessed correctly or incorrectly! Guessing correctly will result in a token printing to the screen that you must use to retrieve the flag. And remember, each time you run the program it will select a different number! So be persistent! You could have the right number, but it wasn't selected this time.

Strings

One of the easiest ways to retrieve information from a program in Linux is to use the command line tool strings. This command scans the program file and prints every run of printable characters to the screen: but beware! What a computer thinks is a string isn't always what humans think of as a string. To use this command you must provide the program to retrieve strings from: strings magic_numbers for example. This challenge not only contains four different numbers, but it also contains strings that represent those numbers. For example, if the four numbers were 0, 1, 2, 3 there would be four strings zero, one, two, three in the output from strings. But there are lots of other 'strings' in the program too, so it will take some time to find the correct values.
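To show what strings actually does, and why some of its output is not human text, here is an added Python re-implementation of its scan run over a constructed byte blob. This is not the magic_numbers binary and not code from the dojo: FAKE_BINARY is hand-built to imitate the mix of machine code, message text and section names found in a real executable, and the number words in it are made up. The scan mirrors the default behaviour of GNU strings, which prints every run of at least 4 printable ASCII bytes.

```python
"""Minimal strings(1) re-implementation plus a filter for spelled-out numbers.

Added example over a constructed blob; not the challenge binary.
"""
import re

# Constructed stand-in for a small executable. Code bytes are interleaved with
# text, and some code bytes happen to be printable, so they show up as "strings".
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8       # ELF magic: only 3 printable bytes, too short
    + b"\x55\x48\x89\xe5"                           # push rbp; mov rbp, rsp
    + b"AWAVAUATUSH"                                # push r15..rbx plus a REX byte: printable by accident
    + b"\x8b\x45\xfc\xc3"
    + b"Please guess the number between 1 and 1000:\x00"
    + b"four hundred two\x00"                       # a 'secret' number spelled out (constructed)
    + b"\x01\x02\x03"
    + b"seven\x00"                                  # another one (constructed)
    + b"Correct! Your token is: %s\n\x00"
    + b".text\x00.rodata\x00GCC: (GNU) 13\x00"      # section names and a compiler tag
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes (0x20-0x7e or tab).

    This is the default rule GNU strings applies; its -n option changes min_len.
    """
    pattern = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


ONES = {w: i for i, w in enumerate(
    "zero one two three four five six seven eight nine ten eleven twelve "
    "thirteen fourteen fifteen sixteen seventeen eighteen nineteen".split())}
TENS = {w: 10 * i for i, w in enumerate(
    "twenty thirty forty fifty sixty seventy eighty ninety".split(), start=2)}


def words_to_int(text: str) -> int:
    """Parse an English number phrase such as 'four hundred two' into 402.

    Raises ValueError for anything that is not a number phrase, which is what
    lets us use it as a filter over the strings output.
    """
    total, current = 0, 0
    tokens = text.lower().replace("-", " ").split()
    if not tokens:
        raise ValueError("empty phrase")
    for tok in tokens:
        if tok in ONES:
            current += ONES[tok]
        elif tok in TENS:
            current += TENS[tok]
        elif tok == "hundred":
            current *= 100
        elif tok == "thousand":
            total += current * 1000
            current = 0
        elif tok == "and":
            continue
        else:
            raise ValueError(f"not a number word: {tok!r}")
    return total + current


def candidate_numbers(data: bytes, min_len: int = 4) -> list[tuple[str, int]]:
    """Strings from the blob that read as spelled-out numbers, with their values."""
    found = []
    for s in extract_strings(data, min_len):
        try:
            found.append((s, words_to_int(s)))
        except ValueError:
            continue  # ordinary text, code bytes that looked like text, etc.
    return found


if __name__ == "__main__":
    for s in extract_strings(FAKE_BINARY):
        print(repr(s))
    print("number-like strings:", candidate_numbers(FAKE_BINARY))
```

The first line printed, AWAVAUATUSH, is a real example of the "beware" in the text: it is the byte pattern of a common x86-64 function prologue, not a message the programmer wrote. Raising the minimum length (strings -n 12) drops that one but also drops short real strings like "seven", so a filter on meaning, as candidate_numbers does, is usually more useful than a filter on length.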

GNU Debugger

One of the more challenging, but precise, ways to solve this challenge is to use a debugger. Debuggers are very sophisticated and complex tools that allow people to see exactly how a program makes decisions. Using debuggers requires a level of knowledge that is not within the scope of this training, but with a little know-how you can quickly find the solution. GDB is a debugger available in Linux that can inspect magic_numbers and find the exact function call that selects and returns one of the 'secret' numbers. A very basic introduction can be found here.

Debuggers are very powerful tools. Using a debugger you can look at the code for the entire program, not just the code executing. In this way, you could find the token that is displayed when you enter the correct number, even if you didn't!

When You're Done

You are done when the magic_numbers program emits a string; there will be no mistaking what is the correct string. When you've received it, copy the string and run python verify and paste the value at the prompt. You will receive a flag that you will use in pwn.college to complete the challenge.

Challenge Steps

  1. Open a terminal in the Desktop
  2. Navigate to the /challenge directory (Hint: Type cd /challenge and press Enter)
  3. Use the ls command to find the challenge file (Hint: it is NOT the DESCRIPTION.md file)
  4. To run the challenge, type the filename and press Enter!
  5. Submit your flag!

Challenge Description

This challenge focuses on your ability to follow the program's call structure and identify the final password. You have access to the source code of this python program, so the challenge is not deciphering the output, but understanding the source code.

How it Works

There are four functions utilized in this program to generate the password. Each function uses some variation of the two lists (alphabet and special_char) to create the password. Attention to detail is the key to solving this challenge! You can run the program to see what the initial word lists look like.

When You're Done

When you have finished your analysis, follow the steps in the Challenge Steps section below.

Challenge Steps

  1. Select the "VSCode Workspace" option from the challenge menu.
  2. Open a file by pressing ctrl+o and in the text field type /challenge/plaintextPassword.py.
  3. Read the source code to identify the password.
  4. When you have the password open a terminal by pressing ctrl+~ and in the terminal type cd /challenge.
  5. Run python verify and enter the password to retrieve the flag.

Challenge Description

This challenge is very similar to reversePassword.py but with an added twist. You must follow the program's call structure again (remember to pay attention to details) but a new wrinkle is introduced.

How it Works

Again there are functions that you must analyze to find the password; however, the lists containing the characters are occasionally reversed! In Python this is written with the slice syntax [::-1], which produces a reversed copy of a list; an example is shown below.

>>> # The list is first created
>>> myList = list((1, 2, 3))
>>> myList
[1, 2, 3]
>>> # Then the list is reversed; the slice returns a new list and leaves myList unchanged
>>> myList[::-1]
[3, 2, 1]
>>> # The reversed contents can be stored in a new variable
>>> reversedList = myList[::-1]
>>> reversedList
[3, 2, 1]

There are four functions utilized in this program to generate the password. Each function uses some variation of the two lists (alphabet and special_char) to create the password. Once again, attention to detail is the key to solving this challenge. Running the program will output the starting lists.
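The skill both password challenges test is following a chain of small functions that each slice, reverse or combine the two lists. Rather than tracking every slice in your head, you can instrument the calls and let the program record what each one returns. The following is an added example with a hypothetical stand-in program: its alphabet and special_char lists, its four functions and the password they produce are all constructed here and are not the contents of /challenge/plaintextPassword.py or /challenge/backwardPassword.py.

```python
"""Tracing a password built from two lists by a chain of functions.

Added example; the lists and functions below are a constructed stand-in,
not the challenge's own source.
"""
import functools

# Constructed starting lists, standing in for the challenge's alphabet / special_char
alphabet = list("abcdefghij")
special_char = list("!#$%")

# Every traced call appends (function name, value it returned) here
TRACE: list[tuple[str, str]] = []


def traced(fn):
    """Decorator: record each call's return value without changing its behaviour."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        result = fn(*args, **kwargs)
        TRACE.append((fn.__name__, "".join(result)))
        return result
    return wrapper


@traced
def first_part(letters):
    # every other letter, starting from index 1
    return letters[1::2]


@traced
def second_part(letters):
    # reverse first, then keep the first three entries: order of operations matters
    return letters[::-1][:3]


@traced
def third_part(symbols):
    # the [::-1] twist: a reversed copy, the original list is untouched
    return symbols[::-1]


@traced
def fourth_part(letters, symbols):
    return [letters[0], symbols[0], letters[-1]]


def build_password(letters, symbols) -> str:
    """Compose the four parts; Python evaluates the calls left to right."""
    TRACE.clear()
    parts = (first_part(letters) + second_part(letters)
             + third_part(symbols) + fourth_part(letters, symbols))
    return "".join(parts)


def report() -> list[str]:
    """Human-readable trace, one line per call, in call order."""
    return [f"{name:12s} -> {value!r}" for name, value in TRACE]


if __name__ == "__main__":
    password = build_password(alphabet, special_char)
    print("\n".join(report()))
    print("password:", password)
```

Reading the trace top to bottom gives the password piece by piece, and checking the original lists afterwards confirms that [::-1] never modified them; a function that instead called list.reverse() would change the list for every later function, which is exactly the kind of detail these challenges hide.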

When You're Done

When you have finished your analysis, follow the steps in the Challenge Steps section below.

Challenge Steps

  1. Select the "VSCode Workspace" option from the challenge menu.
  2. Open a file by pressing ctrl+o and in the text field type /challenge/backwardPassword.py.
  3. Read the source code to identify the password.
  4. When you have the password open a terminal by pressing ctrl+~ and in the terminal type cd /challenge.
  5. Run python verify and enter the password to retrieve the flag.

Challenge Description

This challenge is more complex than the other reversing password challenges. This time a cipher alphabet is used to encipher a plaintext phrase. Your challenge is to identify what cipher alphabet was used to generate the cipher text and discover the plaintext phrase. This phrase is used to retrieve the flag.

How it Works

Substitution ciphers are one of the oldest ways to encode text. This challenge uses a simple rotation of the alphabet to generate a 'cipherbet' that maps plaintext to ciphertext. The challenge provides a way to generate alphabets to decipher the ciphertext back into plaintext. It also allows you to play with different substitution ciphers and see how different plaintext is encoded into ciphertext.

Steps To Substitution

First you must have an alphabet to generate text from. This can be the standard 26-letter alphabet taught in the U.S., or it can be expanded to include special characters like '*', '?', or '}': the sky is the limit to what constitutes an alphabet! The important thing is that the same alphabet used to generate your plaintext must be used in the enciphering and deciphering phases, discussed later.

Let's assume you want to encipher the phrase "hello world!". The letters that must constitute your alphabet are: 'd', 'e', 'h', 'l', 'o', 'r', 'w', '!', ' '. Notice how every letter used in the phrase "hello world!" appears exactly once in the alphabet, including spaces. We will use the full alphabet, and add the special characters to the end for simplicity. This results in the alphabet: 'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',' ','!'

If we wanted to create a cipher, we can rotate our alphabet by a number to generate a new alphabet, the cipherbet, that we can use to generate our ciphertext. Let's say we rotate our alphabet to the right by 2; this would generate the cipherbet ' ','!','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'. Notice how the last 2 characters rotate around to the front: this is very important! No letters can be lost, otherwise we couldn't encipher them!

With the cipherbet generated, we can generate our ciphertext. Simply line up the two alphabets, and follow the plaintext letter down to find its cipherbet counterpart. In this way, "h" in the alphabet translates to "f" in the cipherbet, "e" to "c", and so on until you get the ciphertext "fcjjmyumpjbz".

alphabet:  'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',' ','!'
                            |           |
                            2           1
                            |           |
cipherbet: ' ','!','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'

To go from the ciphertext to the plaintext, you must know the number of rotations used to generate the cipherbet. If you don't, you must guess-and-check until you find the correct cipherbet. Then the process works in reverse. Line up the two alphabets and go from the cipherbet letter to the alphabet letter until you get the plaintext.
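The rotate, line-up and reverse-lookup steps above, carried through in code. This is an added example written from the description, not the challenge's own program; it uses the 28-symbol alphabet and the "hello world!" example from the text, and adds one thing the text only hints at: a crib (a word you expect in the plaintext) narrows the guess-and-check to the rotations that produce it.

```python
"""Rotation substitution cipher over a custom alphabet.

Added example implementing the procedure described above; not the challenge's code.
"""

# The alphabet from the description: 26 letters, then space and '!'
ALPHABET = "abcdefghijklmnopqrstuvwxyz !"


def rotate_right(alphabet: str, k: int) -> str:
    """Rotate k places to the right: the last k symbols wrap around to the front."""
    n = len(alphabet)
    k %= n
    return alphabet[n - k:] + alphabet[:n - k]


def encipher(plaintext: str, k: int, alphabet: str = ALPHABET) -> str:
    """Line the alphabet up over its rotation and replace each symbol with the one below it."""
    missing = set(plaintext) - set(alphabet)
    if missing:
        # Every plaintext symbol must be in the alphabet, or it cannot be enciphered
        raise ValueError(f"symbols not in alphabet: {sorted(missing)!r}")
    cipherbet = rotate_right(alphabet, k)
    table = dict(zip(alphabet, cipherbet))
    return "".join(table[ch] for ch in plaintext)


def decipher(ciphertext: str, k: int, alphabet: str = ALPHABET) -> str:
    """The reverse lookup: from the cipherbet symbol back up to the alphabet symbol."""
    missing = set(ciphertext) - set(alphabet)
    if missing:
        raise ValueError(f"symbols not in alphabet: {sorted(missing)!r}")
    cipherbet = rotate_right(alphabet, k)
    table = dict(zip(cipherbet, alphabet))
    return "".join(table[ch] for ch in ciphertext)


def all_rotations(ciphertext: str, alphabet: str = ALPHABET) -> dict[int, str]:
    """Guess-and-check: decipher under every possible rotation; a human picks the readable one."""
    return {k: decipher(ciphertext, k, alphabet) for k in range(len(alphabet))}


def rotations_containing(ciphertext: str, crib: str, alphabet: str = ALPHABET) -> list[int]:
    """Rotations whose decipherment contains the crib, a word expected in the plaintext."""
    return [k for k, text in all_rotations(ciphertext, alphabet).items() if crib in text]


if __name__ == "__main__":
    ciphertext = encipher("hello world!", 2)
    print("cipherbet :", rotate_right(ALPHABET, 2))
    print("ciphertext:", ciphertext)
    for k, candidate in all_rotations(ciphertext).items():
        print(f"rotation {k:2d}: {candidate}")
    print("rotations that yield 'hello':", rotations_containing(ciphertext, "hello"))
```

There are only as many rotations as there are symbols in the alphabet (28 here), so listing every candidate is quick; the crib search just saves reading 28 lines when you already know a word that must appear.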

When You're Done

Your goal is to identify how many times the alphabet must be rotated to generate the correct cipherbet, which is then used to decode the ciphertext. The plaintext is human-readable text: there will be no mistaking the correct passphrase when it is retrieved. Once you have obtained the plaintext passphrase, enter it into the verify.py script to retrieve the flag.

Challenge Steps

  1. Open a terminal in the Desktop
  2. Navigate to the /challenge directory (Hint: Type cd /challenge and press Enter)
  3. Use the ls command to find the challenge file (Hint: it is NOT the DESCRIPTION.md file)
  4. To run the challenge, type the filename and press Enter.
  5. Submit your flag!
