{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-imctf-2021-en","result":{"data":{"markdownRemark":{"id":"6904ce45-fc76-594c-9540-608bc26edb46","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-imctf-2021\">original page</a>.</p>\n</blockquote>\n<p>I participated in <a href=\"https://imctf.net/about\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">IMCTF 2021</a>, which was held on December 18-19, 2021.</p>\n<p>We were aiming for a top-three finish, but unfortunately our team ended up in 4th place.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1674d13f0fee37a72f47729d30a3252f/1b19f/unknown.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 95.83333333333334%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAACPUlEQVQ4y6VU2Y7aQBDk/38oUn4iynukSCyrAMbn3DO2K1UDmKDVbrLKQNNzmOrq6h7v1nWFhvyyPJuOQog4nc44Hk9IKdfn5mXZbJGfF54l+hk73IZzHt5HHhSkmBFjQsz0mZ4PCzgEzmU8SzHSx7qvtYAVbAOcpomHAavYrYxaZiyxYDYF2RZEOyOMBYX78zLDh1xB+Ad+lzsMdveUjTE1osYcZ8QuwfUFv/aJ6SYYZ9GGEZOfMJgB1g+IZYIpPXw2lZ0+G6BzrupgxoS2CTh1Dj8PI350Fi8vLV7bDq2LGE3CYCOszbCukEgm26IqVM03QE/A89jhdOyxPxJob3BoBrTdCNcFpLxQy4y05Jte14Jc030UdgOcrMErK+kaj/PBo9k3GLqB+qkQEW3bIkQCswDW2rrWXLr3fU9ty1XDiswg1jBlphSoY2J1Q7JMZ4JP3JMUk6NmhekFeAIbgs4smqpsp6tcFTDzz4oYgsdnh/PuWunbqCkLcGTLND0rxl6svXXvsZt/b95cLpjUHemaem1sRdDGYAMc6WtTehT594znem4YWTDv643RnrB2mkiPzrH3ykotHkw+MmnWsRiSS3PtVYZCF93jty84ff9aGcwfsbuZnpFU3oe3DBXlcmkwDe3/MxSqp3Yu6Y6uW/SPbGNIDWsx7gxVZU107Vr20mj9pxi2XVf1f9aQP4oyOr6Scnli8DeGw58Mud4YSofzYD/FUNbyheG9f8vQMuXJPxj+q6nKuhj3tW7Kb90LzElXcfnsAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1674d13f0fee37a72f47729d30a3252f/8ac56/unknown.webp 240w,\n/static/1674d13f0fee37a72f47729d30a3252f/d3be9/unknown.webp 480w,\n/static/1674d13f0fee37a72f47729d30a3252f/e46b2/unknown.webp 960w,\n/static/1674d13f0fee37a72f47729d30a3252f/5e0bb/unknown.webp 991w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1674d13f0fee37a72f47729d30a3252f/8ff5a/unknown.png 240w,\n/static/1674d13f0fee37a72f47729d30a3252f/e85cb/unknown.png 480w,\n/static/1674d13f0fee37a72f47729d30a3252f/d9199/unknown.png 960w,\n/static/1674d13f0fee37a72f47729d30a3252f/1b19f/unknown.png 991w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1674d13f0fee37a72f47729d30a3252f/d9199/unknown.png\"\n            alt=\"https://cdn.discordapp.com/attachments/920303989021634560/921959829734588476/unknown.png\"\n            title=\"https://cdn.discordapp.com/attachments/920303989021634560/921959829734588476/unknown.png\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Not having anyone dedicated to Crypto was especially rough, haha.</p>\n<p>The Misc challenges were also very interesting, including ones themed around real-world vulnerabilities.</p>\n<p>As usual, I am going to write up the challenges where I learned something.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li>\n<p><a href=\"#nin-nin-pdf-rev\">nin nin pdf (Rev)</a></p>\n<ul>\n<li><a href=\"#pdf-basics\">PDF basics</a></li>\n<li><a href=\"#pdf-file-format\">PDF file format</a></li>\n</ul>\n</li>\n<li><a href=\"#emoixl\">E・Mo・I・XL</a></li>\n<li><a href=\"#made-of-honey-misc\">made of honey (Misc)</a></li>\n<li><a href=\"#printtext-misc\">printtext (Misc)</a></li>\n<li><a href=\"#summary\">Summary</a></li>\n<li><a href=\"#notes-other-impressive-challenges\">Notes: Other impressive challenges</a></li>\n</ul>\n<h2 id=\"nin-nin-pdf-rev\" style=\"position:relative;\"><a href=\"#nin-nin-pdf-rev\" aria-label=\"nin nin pdf rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>nin nin pdf (Rev)</h2>\n<p>You are given a PDF with the flag embedded in it.</p>\n<p>Naturally, I could not read it as-is, so I analyzed it using <a href=\"http://sandsprite.com/blogs/index.php?pid=57&#x26;uid=7\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PDF Stream Dumper</a>.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">R/S/Span/<span class=\"token function\">Type</span><span class=\"token operator\">/</span>StructElem/ActualText<span class=\"token punctuation\">(</span>tycan you see ? <span class=\"token operator\">!</span>’ aW1jdGZ7bmlucG91X2tha3VyZW1pX25vX2p5dXR1fQ== <span class=\"token operator\">!</span>?can you see ?<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Decoding this Base64-encoded string yields the flag.</p>\n<h3 id=\"pdf-basics\" style=\"position:relative;\"><a href=\"#pdf-basics\" aria-label=\"pdf basics permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>PDF basics</h3>\n<p>Let me step back and talk about what a PDF actually is.</p>\n<p>PDF stands for <code class=\"language-text\">Portable Document Format</code>, a format for displaying documents without depending on a particular OS or device.</p>\n<p>It was developed by Adobe and standardized as <code class=\"language-text\">ISO32000-2</code>.</p>\n<p>As usual, the English Wikipedia article was quite detailed.</p>\n<p>Reference: <a href=\"https://en.wikipedia.org/wiki/PDF\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PDF - Wikipedia</a></p>\n<p>PDFs are composed of text, vector graphics, images, and other multimedia.</p>\n<p>In PDFs, layout and graphics are generated using a graphics-oriented programming language called <a href=\"https://en.wikipedia.org/wiki/PostScript\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PostScript</a>.</p>\n<p>They are also built on a storage system that structures and compresses content such as fonts and embedded documents.</p>\n<h3 id=\"pdf-file-format\" style=\"position:relative;\"><a href=\"#pdf-file-format\" aria-label=\"pdf file format permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>PDF file format</h3>\n<p>The following was helpful for understanding the PDF file format.</p>\n<blockquote>\n<p>This format is a subset of the COS (“Carousel” Object Structure) format.</p>\n<p>A COS tree file primarily consists of objects, of which there are nine types.</p>\n<ul>\n<li>Boolean values representing true or false</li>\n<li>Real numbers</li>\n<li>Integers</li>\n<li>Strings enclosed in parentheses (<code class=\"language-text\">(...)</code>). Strings may contain 8-bit characters.</li>\n<li>Names beginning with a slash (<code class=\"language-text\">/</code>)</li>\n<li>Arrays, ordered collections of objects enclosed in square brackets (<code class=\"language-text\">[...]</code>)</li>\n<li>Dictionaries, collections of objects indexed by names and enclosed in double angle brackets (<code class=\"language-text\">&lt;&lt;...>></code>)</li>\n<li>Streams, which usually contain large amounts of optionally compressed binary data, are preceded by a dictionary, and are enclosed by the keywords <code class=\"language-text\">stream</code> and <code class=\"language-text\">endstream</code></li>\n<li>The null object</li>\n</ul>\n<p>In addition, there may be comments introduced by a percent sign (<code class=\"language-text\">%</code>). Comments may contain 8-bit characters.</p>\n<p>Reference: <a href=\"https://en.wikipedia.org/wiki/PDF\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PDF - Wikipedia</a></p>\n</blockquote>\n<p>Quite interestingly, PDFs can sometimes contain malicious programs.</p>\n<p>Looking at the following cheat sheet, it seems that various malicious objects can be embedded, such as tags, scripts, shellcode, macros, and JavaScript.</p>\n<p>Reference: <a href=\"https://zeltser.com/analyzing-malicious-documents/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Analyzing Malicious Documents Cheat Sheet</a></p>\n<p>Reference: <a href=\"https://www.sans.org/blog/how-to-extract-flash-objects-from-malicious-pdf-files/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SANS Digital Forensics and Incident Response Blog | How to Extract Flash Objects from Malicious PDF Files | SANS Institute</a></p>\n<p>At that point, to analyze a malicious PDF, you use a PDF parser such as <a href=\"http://sandsprite.com/blogs/index.php?pid=57&#x26;uid=7\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PDF Stream Dumper</a>.</p>\n<p>This challenge was similar: by breaking down the PDF structure and analyzing the text and scripts inside, I was able to obtain the flag.</p>\n<h2 id=\"emoixl\" style=\"position:relative;\"><a href=\"#emoixl\" aria-label=\"emoixl permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>E・Mo・I・XL</h2>\n<p>You are given a suspicious Excel file.</p>\n<p>You can get the flag by analyzing the VBA script in this Excel file.</p>\n<p>I had used it in WaniCTF 2021 Autumn as well, but this time too I used <code class=\"language-text\">olevba</code> to extract the VBA script from the Excel file.</p>\n<p>Here is the script I obtained.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># olevba E・mo・XL.xlsm </span>\n\nolevba <span class=\"token number\">0.60</span> on Python <span class=\"token number\">2.7</span>.18 - http://decalage.info/python/oletools\n<span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">==</span><span class=\"token operator\">=</span>\nFILE: E・mo・XL.xlsm\nType: OpenXML\nWARNING  For now, VBA stomping cannot be detected <span class=\"token keyword\">for</span> <span class=\"token for-or-select variable\">files</span> <span class=\"token keyword\">in</span> memory\n-------------------------------------------------------------------------------\nVBA MACRO ThisWorkbook.cls \n<span class=\"token keyword\">in</span> file: xl/vbaProject.bin - OLE stream: u<span class=\"token string\">'VBA/ThisWorkbook'</span>\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \nPrivate Sub Workbook_Open<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    Module1.GetPayload\nEnd Sub\n-------------------------------------------------------------------------------\nVBA MACRO Sheet1.cls \n<span class=\"token keyword\">in</span> file: xl/vbaProject.bin - OLE stream: u<span class=\"token string\">'VBA/Sheet1'</span>\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \n<span class=\"token punctuation\">(</span>empty macro<span class=\"token punctuation\">)</span>\n-------------------------------------------------------------------------------\nVBA MACRO Module1.bas \n<span class=\"token keyword\">in</span> file: xl/vbaProject.bin - OLE stream: u<span class=\"token string\">'VBA/Module1'</span>\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \nSub GetPayload<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nDim payload As String: payload <span class=\"token operator\">=</span> vbNullString\nDim ws As Worksheet\nSet ws <span class=\"token operator\">=</span> ThisWorkbook.Worksheets<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\nWith ThisWorkbook\n    With .BuiltinDocumentProperties\n        payload <span class=\"token operator\">=</span> payload + .Item<span class=\"token punctuation\">(</span>ws.Cells<span class=\"token punctuation\">(</span><span class=\"token number\">1048573</span>, <span class=\"token number\">16384</span><span class=\"token punctuation\">)</span>.Value<span class=\"token punctuation\">)</span>\n        payload <span class=\"token operator\">=</span> payload + .Item<span class=\"token punctuation\">(</span>ws.Cells<span class=\"token punctuation\">(</span><span class=\"token number\">1048574</span>, <span class=\"token number\">16384</span><span class=\"token punctuation\">)</span>.Value<span class=\"token punctuation\">)</span>\n        payload <span class=\"token operator\">=</span> payload + .Item<span class=\"token punctuation\">(</span>ws.Cells<span class=\"token punctuation\">(</span><span class=\"token number\">1048572</span>, <span class=\"token number\">16384</span><span class=\"token punctuation\">)</span>.Value<span class=\"token punctuation\">)</span>\n        payload <span class=\"token operator\">=</span> payload + .Item<span class=\"token punctuation\">(</span>ws.Cells<span class=\"token punctuation\">(</span><span class=\"token number\">1048575</span>, <span class=\"token number\">16384</span><span class=\"token punctuation\">)</span>.Value<span class=\"token punctuation\">)</span>\n        payload <span class=\"token operator\">=</span> payload + .Item<span class=\"token punctuation\">(</span>ws.Cells<span class=\"token punctuation\">(</span><span class=\"token number\">1048576</span>, <span class=\"token number\">16384</span><span class=\"token punctuation\">)</span>.Value<span class=\"token punctuation\">)</span>\n    End With\nEnd With\npayload <span class=\"token operator\">=</span> _\n<span class=\"token string\">\"p\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"w\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"s\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"h\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\" \"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"-\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"n\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"o\"</span> <span class=\"token operator\">&amp;</span> _\n<span class=\"token string\">\"p\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\" \"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"-\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"e\"</span> <span class=\"token operator\">&amp;</span> _\n<span class=\"token string\">\"p\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\" \"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"B\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"y\"</span> <span class=\"token operator\">&amp;</span> _\n<span class=\"token string\">\"p\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"a\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"s\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"s\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\" \"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"-\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\"e\"</span> <span class=\"token operator\">&amp;</span> <span class=\"token string\">\" \"</span> + _\npayload\nCreateObject<span class=\"token punctuation\">(</span><span class=\"token string\">\"WScript.Shell\"</span><span class=\"token punctuation\">)</span>.Run payload\nEnd Sub\n\n+----------+--------------------+---------------------------------------------+\n<span class=\"token operator\">|</span>Type      <span class=\"token operator\">|</span>Keyword             <span class=\"token operator\">|</span>Description                                  <span class=\"token operator\">|</span>\n+----------+--------------------+---------------------------------------------+\n<span class=\"token operator\">|</span>AutoExec  <span class=\"token operator\">|</span>Workbook_Open       <span class=\"token operator\">|</span>Runs when the Excel Workbook is opened       <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>Suspicious<span class=\"token operator\">|</span>CreateObject        <span class=\"token operator\">|</span>May create an OLE object                     <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>Suspicious<span class=\"token operator\">|</span>Shell               <span class=\"token operator\">|</span>May run an executable <span class=\"token function\">file</span> or a system       <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>          <span class=\"token operator\">|</span>                    <span class=\"token operator\">|</span><span class=\"token builtin class-name\">command</span>                                      <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>Suspicious<span class=\"token operator\">|</span>WScript.Shell       <span class=\"token operator\">|</span>May run an executable <span class=\"token function\">file</span> or a system       <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>          <span class=\"token operator\">|</span>                    <span class=\"token operator\">|</span><span class=\"token builtin class-name\">command</span>                                      <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>Suspicious<span class=\"token operator\">|</span>Run                 <span class=\"token operator\">|</span>May run an executable <span class=\"token function\">file</span> or a system       <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>          <span class=\"token operator\">|</span>                    <span class=\"token operator\">|</span><span class=\"token builtin class-name\">command</span>                                      <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>Suspicious<span class=\"token operator\">|</span>Hex Strings         <span class=\"token operator\">|</span>Hex-encoded strings were detected, may be    <span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>          <span class=\"token operator\">|</span>                    <span class=\"token operator\">|</span>used to obfuscate strings <span class=\"token punctuation\">(</span>option --decode to<span class=\"token operator\">|</span>\n<span class=\"token operator\">|</span>          <span class=\"token operator\">|</span>                    <span class=\"token operator\">|</span>see all<span class=\"token punctuation\">)</span>                                     <span class=\"token operator\">|</span>\n+----------+--------------------+---------------------------------------------+</code></pre></div>\n<p>Via WSH, it appears to pass a command called <code class=\"language-text\">payload</code> to PowerShell and execute it.</p>\n<p><code class=\"language-text\">payload</code> is generated by the following script.</p>\n<div class=\"gatsby-highlight\" data-language=\"powershell\"><pre class=\"language-powershell\"><code class=\"language-powershell\">With ThisWorkbook\n    With <span class=\"token punctuation\">.</span>BuiltinDocumentProperties\n        payload = payload <span class=\"token operator\">+</span> <span class=\"token punctuation\">.</span>Item<span class=\"token punctuation\">(</span>ws<span class=\"token punctuation\">.</span>Cells<span class=\"token punctuation\">(</span>1048573<span class=\"token punctuation\">,</span> 16384<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>Value<span class=\"token punctuation\">)</span>\n        payload = payload <span class=\"token operator\">+</span> <span class=\"token punctuation\">.</span>Item<span class=\"token punctuation\">(</span>ws<span class=\"token punctuation\">.</span>Cells<span class=\"token punctuation\">(</span>1048574<span class=\"token punctuation\">,</span> 16384<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>Value<span class=\"token punctuation\">)</span>\n        payload = payload <span class=\"token operator\">+</span> <span class=\"token punctuation\">.</span>Item<span class=\"token punctuation\">(</span>ws<span class=\"token punctuation\">.</span>Cells<span class=\"token punctuation\">(</span>1048572<span class=\"token punctuation\">,</span> 16384<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>Value<span class=\"token punctuation\">)</span>\n        payload = payload <span class=\"token operator\">+</span> <span class=\"token punctuation\">.</span>Item<span class=\"token punctuation\">(</span>ws<span class=\"token punctuation\">.</span>Cells<span class=\"token punctuation\">(</span>1048575<span class=\"token punctuation\">,</span> 16384<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>Value<span class=\"token punctuation\">)</span>\n        payload = payload <span class=\"token operator\">+</span> <span class=\"token punctuation\">.</span>Item<span class=\"token punctuation\">(</span>ws<span class=\"token punctuation\">.</span>Cells<span class=\"token punctuation\">(</span>1048576<span class=\"token punctuation\">,</span> 16384<span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>Value<span class=\"token punctuation\">)</span>\n    <span class=\"token keyword\">End</span> With\n<span class=\"token keyword\">End</span> With</code></pre></div>\n<p><code class=\"language-text\">ws.Cells(1048573, 16384).Value</code> contained the names of property elements such as <code class=\"language-text\">category / text / title / subtitle</code>.</p>\n<p>Also, <code class=\"language-text\">ThisWorkbook.BuiltinDocumentProperties.Item(ws.Cells(1048574, 16384).Value)</code> retrieved the file’s property information based on those property element names and concatenated it into <code class=\"language-text\">payload</code>.</p>\n<p>The script below is what I got after decoding the extracted <code class=\"language-text\">payload</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token variable\">$txt</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>System.Convert<span class=\"token punctuation\">]</span>::FromBase64String<span class=\"token punctuation\">(</span>\n        <span class=\"token punctuation\">(</span>\n            @<span class=\"token punctuation\">(</span><span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"56\"</span>, <span class=\"token string\">\"39\"</span>, <span class=\"token string\">\"74\"</span>, <span class=\"token string\">\"62\"</span>, <span class=\"token string\">\"31\"</span>, <span class=\"token string\">\"39\"</span>, <span class=\"token string\">\"30\"</span>, <span class=\"token string\">\"61\"</span>, <span class=\"token string\">\"57\"</span>, <span class=\"token string\">\"39\"</span>, <span class=\"token string\">\"75\"</span>, <span class=\"token string\">\"58\"</span>, <span class=\"token string\">\"32\"</span>, <span class=\"token string\">\"4a\"</span>, <span class=\"token string\">\"35\"</span>, <span class=\"token string\">\"58\"</span>, <span class=\"token string\">\"32\"</span>, <span class=\"token string\">\"4e\"</span>, <span class=\"token string\">\"68\"</span>, <span class=\"token string\">\"63\"</span>, <span class=\"token string\">\"6d\"</span>, <span class=\"token string\">\"78\"</span>, <span class=\"token string\">\"35\"</span>, <span class=\"token string\">\"58\"</span>, <span class=\"token string\">\"33\"</span>, <span class=\"token string\">\"4a\"</span>, <span class=\"token string\">\"68\"</span>, <span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"56\"</span>, <span class=\"token string\">\"39\"</span>, <span class=\"token string\">\"71\"</span>, <span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"58\"</span>, <span class=\"token string\">\"42\"</span>, <span class=\"token string\">\"7a\"</span>, <span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"57\"</span>, <span class=\"token string\">\"34\"</span>, <span class=\"token string\">\"3d\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">|</span>\n            ForEach-Object <span class=\"token punctuation\">{</span> <span class=\"token punctuation\">[</span>char<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>byte<span class=\"token punctuation\">]</span><span class=\"token string\">\"0x<span class=\"token variable\">$_</span>\"</span> <span class=\"token punctuation\">}</span>\n        <span class=\"token punctuation\">)</span> -join <span class=\"token string\">\"\"</span>\n    <span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$txt2</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>System.Text.Encoding<span class=\"token punctuation\">]</span>::Default.GetString<span class=\"token punctuation\">(</span>\n    <span class=\"token punctuation\">[</span>System.Convert<span class=\"token punctuation\">]</span>::FromBase64String<span class=\"token punctuation\">(</span>\n        <span class=\"token punctuation\">(</span>\n            @<span class=\"token punctuation\">(</span><span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"6d\"</span>, <span class=\"token string\">\"78\"</span>, <span class=\"token string\">\"68\"</span>, <span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"79\"</span>, <span class=\"token string\">\"41\"</span>, <span class=\"token string\">\"36\"</span>, <span class=\"token string\">\"49\"</span>, <span class=\"token string\">\"47\"</span>, <span class=\"token string\">\"6c\"</span>, <span class=\"token string\">\"74\"</span>, <span class=\"token string\">\"59\"</span>, <span class=\"token string\">\"33\"</span>, <span class=\"token string\">\"52\"</span>, <span class=\"token string\">\"6d\"</span>, <span class=\"token string\">\"65\"</span>, <span class=\"token string\">\"30\"</span>, <span class=\"token string\">\"6c\"</span>, <span class=\"token string\">\"66\"</span>, <span class=\"token string\">\"63\"</span>, <span class=\"token string\">\"6d\"</span>, <span class=\"token string\">\"56\"</span>, <span class=\"token string\">\"68\"</span>, <span class=\"token string\">\"62\"</span>, <span class=\"token string\">\"47\"</span>, <span class=\"token string\">\"78\"</span>, <span class=\"token string\">\"35\"</span>, <span class=\"token string\">\"58\"</span>, <span class=\"token string\">\"33\"</span>, <span class=\"token string\">\"4a\"</span>, <span class=\"token string\">\"6c\"</span>, <span class=\"token string\">\"59\"</span>, <span class=\"token string\">\"57\"</span>, <span class=\"token string\">\"78\"</span>, <span class=\"token string\">\"73\"</span>, <span class=\"token string\">\"65\"</span>, <span class=\"token string\">\"56\"</span>, <span class=\"token string\">\"39\"</span>, <span class=\"token string\">\"79\"</span>, <span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"57\"</span>, <span class=\"token string\">\"46\"</span>, <span class=\"token string\">\"73\"</span>, <span class=\"token string\">\"62\"</span>, <span class=\"token string\">\"48\"</span>, <span class=\"token string\">\"6c\"</span>, <span class=\"token string\">\"66\"</span>, <span class=\"token string\">\"63\"</span>, <span class=\"token string\">\"6d\"</span>, <span class=\"token string\">\"56\"</span>, <span class=\"token string\">\"68\"</span>, <span class=\"token string\">\"62\"</span>, <span class=\"token string\">\"47\"</span>, <span class=\"token string\">\"78\"</span>, <span class=\"token string\">\"35\"</span>, <span class=\"token string\">\"58\"</span>, <span class=\"token string\">\"33\"</span>, <span class=\"token string\">\"4a\"</span>, <span class=\"token string\">\"6c\"</span>, <span class=\"token string\">\"59\"</span>, <span class=\"token string\">\"57\"</span>, <span class=\"token string\">\"78\"</span>, <span class=\"token string\">\"73\"</span>, <span class=\"token string\">\"65\"</span>, <span class=\"token string\">\"56\"</span>, <span class=\"token string\">\"39\"</span>, <span class=\"token string\">\"79\"</span>, <span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"57\"</span>, <span class=\"token string\">\"46\"</span>, <span class=\"token string\">\"73\"</span>, <span class=\"token string\">\"62\"</span>, <span class=\"token string\">\"48\"</span>, <span class=\"token string\">\"6c\"</span>, <span class=\"token string\">\"66\"</span>, <span class=\"token string\">\"62\"</span>, <span class=\"token string\">\"47\"</span>, <span class=\"token string\">\"6c\"</span>, <span class=\"token string\">\"72\"</span>, <span class=\"token string\">\"5a\"</span>, <span class=\"token string\">\"56\"</span>, <span class=\"token string\">\"39\"</span>, <span class=\"token string\">\"35\"</span>, <span class=\"token string\">\"62\"</span>, <span class=\"token string\">\"33\"</span>, <span class=\"token string\">\"56\"</span>, <span class=\"token string\">\"39\"</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">|</span>\n            ForEach-Object <span class=\"token punctuation\">{</span> <span class=\"token punctuation\">[</span>char<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>byte<span class=\"token punctuation\">]</span><span class=\"token string\">\"0x<span class=\"token variable\">$_</span>\"</span> <span class=\"token punctuation\">}</span>\n        <span class=\"token punctuation\">)</span> -join <span class=\"token string\">\"\"</span>\n    <span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span>\n<span class=\"token variable\">$isPassed</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$password</span> -eq <span class=\"token variable\">$txt</span><span class=\"token punctuation\">)</span>\nWrite-Host <span class=\"token punctuation\">(</span><span class=\"token variable\">$isPassed</span> ? <span class=\"token string\">\"good you are passed\"</span> <span class=\"token builtin class-name\">:</span> <span class=\"token string\">\"incorrect password\"</span><span class=\"token punctuation\">)</span> -ForegroundColor <span class=\"token punctuation\">(</span><span class=\"token variable\">$isPassed</span> ? <span class=\"token string\">\"Green\"</span> <span class=\"token builtin class-name\">:</span> <span class=\"token string\">\"Red\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token variable\">$isPassed</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    Write-Host <span class=\"token variable\">$txt2</span> -ForegroundColor Blue\n<span class=\"token punctuation\">}</span>\n<span class=\"token variable\">$host</span>.UI.RawUI.ReadKey<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">|</span> Out-Null</code></pre></div>\n<p>From the above, I was able to obtain the flag by extracting the values of <code class=\"language-text\">$txt</code> and <code class=\"language-text\">$txt2</code> respectively.</p>\n<h2 id=\"made-of-honey-misc\" style=\"position:relative;\"><a href=\"#made-of-honey-misc\" aria-label=\"made of honey misc permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>made of honey (Misc)</h2>\n<p>A challenge about analyzing the following hashes (?).</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">word1:1002:NO PASSWORD*********************:29F98734E7AA3DF2454621FF3928D121:::\nword2:1003:NO PASSWORD*********************:2A8CCE5C056D50FAA808457D0F229212:::\nword3:1004:NO PASSWORD*********************:E694D490564D15954D68DE40B14F7BFE:::</code></pre></div>\n<p>At first, I thought they were MD5 based on the length, but that was wrong.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">hash-identifier -h</code></pre></div>\n<p>I used <code class=\"language-text\">hash-identifier</code> to infer the type, assumed it was NTLM, and cracked it with hashcat.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">hashcat -a <span class=\"token number\">0</span> -m <span class=\"token number\">1000</span> <span class=\"token string\">'29F98734E7AA3DF2454621FF3928D121'</span> /usr/share/wordlists/rockyou.txt\nhashcat -a <span class=\"token number\">0</span> -m <span class=\"token number\">1000</span> <span class=\"token string\">'2A8CCE5C056D50FAA808457D0F229212'</span> /usr/share/wordlists/rockyou.txt \nhashcat -a <span class=\"token number\">0</span> -m <span class=\"token number\">1000</span> 'E694D490564D</code></pre></div>\n<p>This gives the flag.</p>\n<h2 id=\"printtext-misc\" style=\"position:relative;\"><a href=\"#printtext-misc\" aria-label=\"printtext misc permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>printtext (Misc)</h2>\n<p>This was a challenge I could not solve during the event.</p>\n<p>The program is driven by the following script, and the goal is to use the whitelist cleverly so that arbitrary code can be passed to <code class=\"language-text\">eval</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">import</span> os\n<span class=\"token keyword\">import</span> sys\n\nos<span class=\"token punctuation\">.</span>environ<span class=\"token punctuation\">[</span><span class=\"token string\">\"PAGER\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"cat\"</span> <span class=\"token comment\">#No hitchhike :)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token triple-quoted-string string\">\"\"\"            _       _    __  _            _    __\n _ __  _ __(_)_ __ | |_ / / | |_ _____  _| |_  \\ \\\\\n| '_ \\| '__| | '_ \\| __| |  | __/ _ \\ \\/ / __|  | |\n| |_) | |  | | | | | |_| |  | ||  __/>  &lt;| |_   | |\n| .__/|_|  |_|_| |_|\\__| |   \\__\\___/_/\\_\\\\__|  | |\n|_|                     \\_\\                    /_/\nCan you evaluate `print(text)`?\nThey don't seem to have the flag.\n\"\"\"</span><span class=\"token punctuation\">)</span>\n\ntext <span class=\"token operator\">=</span> <span class=\"token string\">\"I don't have the flag.\"</span>\n\nallow_list <span class=\"token operator\">=</span> <span class=\"token builtin\">input</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"allow_list> \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token number\">9</span><span class=\"token punctuation\">]</span>\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"your allow_list: </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token builtin\">list</span><span class=\"token punctuation\">(</span>allow_list<span class=\"token punctuation\">)</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">)</span>\neval_code <span class=\"token operator\">=</span> <span class=\"token builtin\">input</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"eval_code> \"</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">for</span> c <span class=\"token keyword\">in</span> eval_code<span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> c <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> allow_list<span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"Hi, </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>c<span class=\"token punctuation\">}</span></span><span class=\"token string\">!\"</span></span><span class=\"token punctuation\">)</span>\n        sys<span class=\"token punctuation\">.</span>exit<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Let’s roll!!\"</span><span class=\"token punctuation\">)</span>\n<span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>eval_code<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Because you can specify at most nine kinds of characters in the whitelist, it was extremely difficult to embed a script.</p>\n<p>As a solution, it seems you can obtain the flag by using the <code class=\"language-text\">chr</code> method as shown below to bypass the character-set restriction and feed an arbitrary string into <code class=\"language-text\">eval</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token builtin\">eval</span><span class=\"token punctuation\">(</span>\n    <span class=\"token builtin\">chr</span><span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token operator\">+</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Genius.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>Although it billed itself as a beginner-friendly CTF, it had quite a few fairly difficult problems, so it was a CTF I learned a lot from.</p>\n<p>We did not make the top three, but it was a lot of fun.</p>\n<p>Thanks to the organizers.</p>\n<h2 id=\"notes-other-impressive-challenges\" style=\"position:relative;\"><a href=\"#notes-other-impressive-challenges\" aria-label=\"notes other impressive challenges permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Notes: Other impressive challenges</h2>\n<p>I thought the authors were geniuses when I read the writeups.</p>\n<p>I want to get to the point where I can breeze through things like this.</p>\n<p>Reference: <a href=\"https://github.com/satoki/imctf_2021_satoki_writeups/tree/main/web/DoScript\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">imctf<em>2021</em>satoki<em>writeups/web/DoScript at main · satoki/imctf</em>2021<em>satoki</em>writeups</a></p>\n<p>Reference: <a href=\"https://github.com/satoki/imctf_2021_satoki_writeups/tree/main/web/Num-restaurant\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">imctf<em>2021</em>satoki<em>writeups/web/Num-restaurant at main · satoki/imctf</em>2021<em>satoki</em>writeups</a></p>","fields":{"slug":"/ctf-imctf-2021-en","tagSlugs":["/tag/ctf-en/","/tag/reversing-en/","/tag/misc-en/","/tag/english/"]},"frontmatter":{"date":"2021-12-19","description":"A writeup from IMCTF 2021 (Dec 18–19). We aimed for top 3 but finished 4th.","tags":["CTF (en)","Reversing (en)","Misc (en)","English"],"title":"IMCTF 2021 Writeup","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-imctf-2021-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}