{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-wanictf-2023-en","result":{"data":{"markdownRemark":{"id":"20287bbb-677e-52c8-999c-8afe928f2094","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-wanictf-2023\">original page</a>.</p>\n</blockquote>\n<p>I participated in WaniCTF 2023 (held starting May 4, 2023) with team 0nePadding.</p>\n<p>We solved all Rev and Forensic challenges and finished 39th out of 1110 teams.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/44c0b16fefaba7b0dc5a54f6aaf0381e/42de8/image-20230506151024667.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 49.583333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAACeUlEQVQozz2SS0hUcRTGp0WbNr7GZu7/Pub90mkcHWfUbHybr1BKA5l8RaWLiLKsDEmCMTOlFuUqd+16QqGoYBAmWJt2tSto3cqgQAh+/e8dc/FxLud/z3e+c85nU1UVXdf3oWnafgwEAkSjUWKxmBXL43FCwQBmjflu/ety7dcKIbCZSVXVLei6gcdwYZg5+eh2u/F6vfh8Pvx+Hy6PD0X3WPn/0Ox2dKFgSGKzkc2pCCpjQRKlASorg4RjYUqTURKpuOyYU++RhfbDgu50mJv9CRTNJRt58HjdlE1M4a9vQnc6UKUQm1BUwkc8REI+4r23uNg9QF8sjh4sw9A1DMPA7/OSbxdMZSrYnGskr1hIVRpKoZO6zc+UDJ1DKyxAlc33RlZI3nhCw8Iu62dm+DXSQn9LCcVODbfLkGrcHCxwcPV0nPVsA/mFgpJUgPKOEmpXNomcGbZGtwiF/Ai2ttP64ydHV3d4eXmav0vNvJttxqnkFIb8XibLkjweqmH5bj0HbEU0jVcxutVDzdsPRDIDiLxDe4RFRYQ6T9D8fYeub2ssfhlk52sf75+2o0hC3dAJy5E/tnTy7HwdL+6kmbxexYVHjWTedFH9ao3EtYfE2yblDuVRNFVI5gCdz6e4vTvCxJ9BNn4Pc2U8hd2uyusZROSFt5s7eD1Wbyn8tN1DdrmLzLpUuLJB7f1VGi5tSULTNnLxmlywP6TQNn2M3qXjVGfiqI7cuJocI+Bxs1iTJnsqxexoioX5Os5m03TMN5K494CKsRmSJ+cQUpzN9I6pQlMNnPkCR56CYiqTZBb0XBSmcTXDgqJI3wrpWwlD+tWQRIZUZ3L9Aw8lVbe7qpVvAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/44c0b16fefaba7b0dc5a54f6aaf0381e/8ac56/image-20230506151024667.webp 240w,\n/static/44c0b16fefaba7b0dc5a54f6aaf0381e/d3be9/image-20230506151024667.webp 480w,\n/static/44c0b16fefaba7b0dc5a54f6aaf0381e/e46b2/image-20230506151024667.webp 960w,\n/static/44c0b16fefaba7b0dc5a54f6aaf0381e/de74f/image-20230506151024667.webp 1033w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/44c0b16fefaba7b0dc5a54f6aaf0381e/8ff5a/image-20230506151024667.png 240w,\n/static/44c0b16fefaba7b0dc5a54f6aaf0381e/e85cb/image-20230506151024667.png 480w,\n/static/44c0b16fefaba7b0dc5a54f6aaf0381e/d9199/image-20230506151024667.png 960w,\n/static/44c0b16fefaba7b0dc5a54f6aaf0381e/42de8/image-20230506151024667.png 1033w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/44c0b16fefaba7b0dc5a54f6aaf0381e/d9199/image-20230506151024667.png\"\n            alt=\"image-20230506151024667\"\n            title=\"image-20230506151024667\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>As usual I focused on Reversing and managed to clear everything, so here are writeups for selected problems.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#javersingrev\">javersing (Rev)</a></li>\n<li><a href=\"#luarev\">Lua (Rev)</a></li>\n<li><a href=\"#theseusrev\">theseus (Rev)</a></li>\n<li><a href=\"#web_assemblyrev\">web_assembly (Rev)</a></li>\n<li><a href=\"#lowkey_messedupforensic\">lowkey_messedup (Forensic)</a></li>\n<li><a href=\"#web-64bpsweb\">web-64bps (Web)</a></li>\n<li><a href=\"#wrap-up\">Wrap-up</a></li>\n</ul>\n<h2 id=\"javersing-rev\" style=\"position:relative;\"><a href=\"#javersing-rev\" aria-label=\"javersing rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>javersing (Rev)</h2>\n<p>Decompiling <code class=\"language-text\">javersing.jar</code> with jd-gui yields the following:</p>\n<div class=\"gatsby-highlight\" data-language=\"java\"><pre class=\"language-java\"><code class=\"language-java\"><span class=\"token keyword\">import</span> <span class=\"token namespace\">java<span class=\"token punctuation\">.</span>util<span class=\"token punctuation\">.</span></span><span class=\"token class-name\">Scanner</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">public</span> <span class=\"token keyword\">class</span> javersing <span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">public</span> <span class=\"token keyword\">static</span> <span class=\"token keyword\">void</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">String</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> paramArrayOfString<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token class-name\">String</span> str1 <span class=\"token operator\">=</span> <span class=\"token string\">\"Fcn_yDlvaGpj_Logi}eias{iaeAm_s\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">boolean</span> bool <span class=\"token operator\">=</span> <span class=\"token boolean\">true</span><span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">Scanner</span> scanner <span class=\"token operator\">=</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">Scanner</span><span class=\"token punctuation\">(</span><span class=\"token class-name\">System</span><span class=\"token punctuation\">.</span>in<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">System</span><span class=\"token punctuation\">.</span>out<span class=\"token punctuation\">.</span><span class=\"token function\">println</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Input password: \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token class-name\">String</span> str2 <span class=\"token operator\">=</span> scanner<span class=\"token punctuation\">.</span><span class=\"token function\">nextLine</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    str2 <span class=\"token operator\">=</span> <span class=\"token class-name\">String</span><span class=\"token punctuation\">.</span><span class=\"token function\">format</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"%30s\"</span><span class=\"token punctuation\">,</span> <span class=\"token keyword\">new</span> <span class=\"token class-name\">Object</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token punctuation\">{</span> str2 <span class=\"token punctuation\">}</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span><span class=\"token function\">replace</span><span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"0\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">for</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">byte</span> b <span class=\"token operator\">=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span> b <span class=\"token operator\">&lt;</span> <span class=\"token number\">30</span><span class=\"token punctuation\">;</span> b<span class=\"token operator\">++</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>str2<span class=\"token punctuation\">.</span><span class=\"token function\">charAt</span><span class=\"token punctuation\">(</span>b <span class=\"token operator\">*</span> <span class=\"token number\">7</span> <span class=\"token operator\">%</span> <span class=\"token number\">30</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">!=</span> str1<span class=\"token punctuation\">.</span><span class=\"token function\">charAt</span><span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n        bool <span class=\"token operator\">=</span> <span class=\"token boolean\">false</span><span class=\"token punctuation\">;</span> \n    <span class=\"token punctuation\">}</span> \n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>bool<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token class-name\">System</span><span class=\"token punctuation\">.</span>out<span class=\"token punctuation\">.</span><span class=\"token function\">println</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Correct!\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> <span class=\"token keyword\">else</span> <span class=\"token punctuation\">{</span>\n      <span class=\"token class-name\">System</span><span class=\"token punctuation\">.</span>out<span class=\"token punctuation\">.</span><span class=\"token function\">println</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Incorrect...\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span> \n  <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Reading this code, it checks whether the character at index <code class=\"language-text\">b * 7 % 30</code> of the input matches character <code class=\"language-text\">b</code> of <code class=\"language-text\">str1</code>.</p>\n<p>So the following solver recovers the Flag by extracting the character of <code class=\"language-text\">str1</code> at position <code class=\"language-text\">b * 7 % 30</code>:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">base <span class=\"token operator\">=</span> <span class=\"token string\">\"Fcn_yDlvaGpj_Logi}eias{iaeAm_s\"</span>\nflag <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">*</span> <span class=\"token number\">30</span>\n\n<span class=\"token keyword\">for</span> i <span class=\"token keyword\">in</span> <span class=\"token builtin\">range</span><span class=\"token punctuation\">(</span><span class=\"token number\">30</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    flag<span class=\"token punctuation\">[</span>i<span class=\"token operator\">*</span><span class=\"token number\">7</span><span class=\"token operator\">%</span><span class=\"token number\">30</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> base<span class=\"token punctuation\">[</span>i<span class=\"token punctuation\">]</span>\n\n<span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>flag<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"lua-rev\" style=\"position:relative;\"><a href=\"#lua-rev\" aria-label=\"lua rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Lua (Rev)</h2>\n<p>The <a href=\"https://gist.github.com/kash1064/2b8143043a876f45e1e124c51a91c637\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">challenge source code</a> is written in Lua.</p>\n<p>(~1300 lines, so I split it into a Gist.)</p>\n<p>Skimming the code, function names, variable names, and values all appeared to be encrypted and embedded in the script.</p>\n<p>Reading through it naively seemed painful, so I set a breakpoint around the likely decryption point.</p>\n<p>I used a VSCode extension for debugging:</p>\n<div class=\"gatsby-highlight\" data-language=\"json\"><pre class=\"language-json\"><code class=\"language-json\"><span class=\"token punctuation\">{</span>\n    <span class=\"token comment\">// Use IntelliSense to learn about possible attributes.</span>\n    <span class=\"token comment\">// Hover to view descriptions of existing attributes.</span>\n    <span class=\"token comment\">// For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387</span>\n    <span class=\"token property\">\"version\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"0.2.0\"</span><span class=\"token punctuation\">,</span>\n    <span class=\"token property\">\"configurations\"</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">[</span>\n        <span class=\"token punctuation\">{</span>\n            <span class=\"token property\">\"type\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"lua\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token property\">\"request\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"launch\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token property\">\"name\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"Debug\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token property\">\"program\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"${workspaceFolder}/CTF/2023/WaniCTF2023/Rev/Lua/main.lua\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token property\">\"consoleCoding\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"utf8\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token property\">\"sourceCoding\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"utf8\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token property\">\"luaexe\"</span><span class=\"token operator\">:</span> <span class=\"token string\">\"/usr/bin/lua5.1\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token property\">\"outputCapture\"</span><span class=\"token operator\">:</span> <span class=\"token punctuation\">[</span>\n                <span class=\"token string\">\"print\"</span><span class=\"token punctuation\">,</span>\n                <span class=\"token string\">\"stderr\"</span><span class=\"token punctuation\">,</span>\n            <span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n        <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">]</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This challenge code could not be run on Lua 5.2+, so <code class=\"language-text\">luaexe</code> points to the installed <code class=\"language-text\">lua5.1</code>.</p>\n<p>Setting a breakpoint at the following location in the challenge code yielded a Base64 string containing the decrypted Flag characters:</p>\n<div class=\"gatsby-highlight\" data-language=\"lua\"><pre class=\"language-lua\"><code class=\"language-lua\"><span class=\"token keyword\">local</span> CRYPTEDlIIllIII <span class=\"token operator\">=</span> <span class=\"token string\">\"NGI2d3Q8YSp3KmsvYWc9K0c6dw==\"</span>\n<span class=\"token keyword\">local</span> CRYPTEDlIIlIIlI <span class=\"token operator\">=</span> <span class=\"token keyword\">function</span><span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">,</span> b<span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">local</span> c <span class=\"token operator\">=</span> <span class=\"token function\">CRYPTEDlIIlIlIl</span><span class=\"token punctuation\">(</span><span class=\"token function\">CRYPTEDlIIlIllI</span><span class=\"token punctuation\">(</span>a<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">local</span> d <span class=\"token operator\">=</span> c<span class=\"token punctuation\">[</span><span class=\"token string\">\"\\99\\105\\112\\104\\101\\114\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">(</span>c<span class=\"token punctuation\">,</span> <span class=\"token function\">CRYPTEDlIIlIllI</span><span class=\"token punctuation\">(</span>b<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n  <span class=\"token keyword\">return</span> <span class=\"token function\">CRYPTEDlIIlIllI</span><span class=\"token punctuation\">(</span>d<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">end</span></code></pre></div>\n<h2 id=\"theseus-rev\" style=\"position:relative;\"><a href=\"#theseus-rev\" aria-label=\"theseus rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>theseus (Rev)</h2>\n<p>Decompiling with Ghidra revealed that the Flag string is embedded in a region called <code class=\"language-text\">compare</code>, which is then verified against user input via a <code class=\"language-text\">compare</code> function.</p>\n<p>Setting a breakpoint at the <code class=\"language-text\">compare</code> function was enough to retrieve the Flag.</p>\n<h2 id=\"web_assembly-rev\" style=\"position:relative;\"><a href=\"#web_assembly-rev\" aria-label=\"web_assembly rev permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>web_assembly (Rev)</h2>\n<p>This was a WebAssembly challenge.</p>\n<p>I started by decompiling the downloaded WASM binary with <code class=\"language-text\">wasm-decompile</code>:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">./wasm-decompile index.wasm -o decompile.txt</code></pre></div>\n<p>Looking at the output, there is a data section containing what appear to be split Flag fragments:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">data d_3rinfinityFebruaryJanuaryJul<span class=\"token punctuation\">(</span>offset: <span class=\"token number\">65536</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">=</span>\n  <span class=\"token string\">\"3r!}<span class=\"token entity\" title=\"\\00\">\\00</span>infinity<span class=\"token entity\" title=\"\\00\">\\00</span>February<span class=\"token entity\" title=\"\\00\">\\00</span>January<span class=\"token entity\" title=\"\\00\">\\00</span>July<span class=\"token entity\" title=\"\\00\">\\00</span>Thursday<span class=\"token entity\" title=\"\\00\">\\00</span>Tuesday<span class=\"token entity\" title=\"\\00\">\\00</span>Wed\"</span>\n  <span class=\"token string\">\"nesday<span class=\"token entity\" title=\"\\00\">\\00</span>Saturday<span class=\"token entity\" title=\"\\00\">\\00</span>Sunday<span class=\"token entity\" title=\"\\00\">\\00</span>Monday<span class=\"token entity\" title=\"\\00\">\\00</span>Friday<span class=\"token entity\" title=\"\\00\">\\00</span>May<span class=\"token entity\" title=\"\\00\">\\00</span>%m/%d/%y<span class=\"token entity\" title=\"\\004\">\\004</span>n_3x<span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>\n  <span class=\"token string\">\"-+   0X0x<span class=\"token entity\" title=\"\\00\">\\00</span>-0X+0X 0X-0x+0x 0x<span class=\"token entity\" title=\"\\00\">\\00</span>Nov<span class=\"token entity\" title=\"\\00\">\\00</span>Thu<span class=\"token entity\" title=\"\\00\">\\00</span>unsupported locale for st\"</span>\n  <span class=\"token string\">\"andard input<span class=\"token entity\" title=\"\\00\">\\00</span>August<span class=\"token entity\" title=\"\\00\">\\00</span>Oct<span class=\"token entity\" title=\"\\00\">\\00</span>Sat<span class=\"token entity\" title=\"\\000\">\\000</span>us<span class=\"token entity\" title=\"\\00\">\\00</span>Apr<span class=\"token entity\" title=\"\\00\">\\00</span>vector<span class=\"token entity\" title=\"\\00\">\\00</span>October<span class=\"token entity\" title=\"\\00\">\\00</span>Nov\"</span>\n  <span class=\"token string\">\"ember<span class=\"token entity\" title=\"\\00\">\\00</span>September<span class=\"token entity\" title=\"\\00\">\\00</span>December<span class=\"token entity\" title=\"\\00\">\\00</span>ios_base::clear<span class=\"token entity\" title=\"\\00\">\\00</span>Mar<span class=\"token entity\" title=\"\\00\">\\00</span>p_0n_Br<span class=\"token entity\" title=\"\\00\">\\00</span>Sep<span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>\n  <span class=\"token string\">\"3cut3_Cp<span class=\"token entity\" title=\"\\00\">\\00</span>%I:%M:%S %p<span class=\"token entity\" title=\"\\00\">\\00</span>Sun<span class=\"token entity\" title=\"\\00\">\\00</span>Jun<span class=\"token entity\" title=\"\\00\">\\00</span>Mon<span class=\"token entity\" title=\"\\00\">\\00</span>nan<span class=\"token entity\" title=\"\\00\">\\00</span>Jan<span class=\"token entity\" title=\"\\00\">\\00</span>Jul<span class=\"token entity\" title=\"\\00\">\\00</span>ll<span class=\"token entity\" title=\"\\00\">\\00</span>Apri\"</span>\n  <span class=\"token string\">\"l<span class=\"token entity\" title=\"\\00\">\\00</span>Fri<span class=\"token entity\" title=\"\\00\">\\00</span>March<span class=\"token entity\" title=\"\\00\">\\00</span>Aug<span class=\"token entity\" title=\"\\00\">\\00</span>basic_string<span class=\"token entity\" title=\"\\00\">\\00</span>inf<span class=\"token entity\" title=\"\\00\">\\00</span>%.0Lf<span class=\"token entity\" title=\"\\00\">\\00</span>%Lf<span class=\"token entity\" title=\"\\00\">\\00</span>true<span class=\"token entity\" title=\"\\00\">\\00</span>Tue<span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>\n  <span class=\"token string\">\"false<span class=\"token entity\" title=\"\\00\">\\00</span>June<span class=\"token entity\" title=\"\\00\">\\00</span>Wed<span class=\"token entity\" title=\"\\00\">\\00</span>Dec<span class=\"token entity\" title=\"\\00\">\\00</span>Feb<span class=\"token entity\" title=\"\\00\">\\00</span>Fla<span class=\"token entity\" title=\"\\00\">\\00</span>ckwajea<span class=\"token entity\" title=\"\\00\">\\00</span>%a %b %d %H:%M:%S %Y<span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>\n  <span class=\"token string\">\"POSIX<span class=\"token entity\" title=\"\\00\">\\00</span>%H:%M:%S<span class=\"token entity\" title=\"\\00\">\\00</span>NAN<span class=\"token entity\" title=\"\\00\">\\00</span>PM<span class=\"token entity\" title=\"\\00\">\\00</span>AM<span class=\"token entity\" title=\"\\00\">\\00</span>LC_ALL<span class=\"token entity\" title=\"\\00\">\\00</span>LANG<span class=\"token entity\" title=\"\\00\">\\00</span>INF<span class=\"token entity\" title=\"\\00\">\\00</span>g{Y0u_C<span class=\"token entity\" title=\"\\000\">\\000</span>12\"</span>\n  <span class=\"token string\">\"3456789<span class=\"token entity\" title=\"\\00\">\\00</span>C.UTF-8<span class=\"token entity\" title=\"\\00\">\\00</span>.<span class=\"token entity\" title=\"\\00\">\\00</span>(null)<span class=\"token entity\" title=\"\\00\">\\00</span>Incorrect!<span class=\"token entity\" title=\"\\00\">\\00</span>Pure virtual function ca\"</span>\n  <span class=\"token string\">\"lled!<span class=\"token entity\" title=\"\\00\">\\00</span>Correct!! Flag is here!!<span class=\"token entity\" title=\"\\00\">\\00</span>feag5gwea1411_efae!!<span class=\"token entity\" title=\"\\00\">\\00</span>libc++abi: <span class=\"token entity\" title=\"\\00\">\\00</span>\"</span>\n  <span class=\"token string\">\"Your UserName : <span class=\"token entity\" title=\"\\00\">\\00</span>Your PassWord : <span class=\"token entity\" title=\"\\00\">\\00</span><span class=\"token entity\" title=\"\\00\">\\00</span><span class=\"token entity\" title=\"\\00\">\\00</span><span class=\"token entity\" title=\"\\00\">\\00</span><span class=\"token entity\" title=\"\\00\">\\00</span><span class=\"token entity\" title=\"\\00\">\\00</span>L<span class=\"token entity\" title=\"\\04\">\\04</span><span class=\"token entity\" title=\"\\01\">\\01</span><span class=\"token entity\" title=\"\\00\">\\00</span><span class=\"token entity\" title=\"\\02\">\\02</span><span class=\"token entity\" title=\"\\00\">\\00</span><span class=\"token entity\" title=\"\\00\">\\00</span>\"</span></code></pre></div>\n<p>I could make a reasonable guess from this data alone, but in the end I used Chrome’s debug tools to trace the execution flow when the correct password is entered.</p>\n<p>First, I identified that the code following <code class=\"language-text\">$env.prompt_pass</code> in func13 is the post-password-entry processing:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 258px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/67a79f5bd0c498bc74145cd39cdffbf1/d9489/image-20230505222752374.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 95%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAATCAYAAACQjC21AAAACXBIWXMAAAsTAAALEwEAmpwYAAAC80lEQVQ4y3VUV5LbMBTbeyTuTbLVqUL1Ltm72Uxmcv+zII/Plr3F+dBoRiQh4AHgi340kaQFsixHnBXwRIDVeofZYg3t4CHyzhBWA2H3yIO/8IMMb7/e8Xr5hbbrMad9y9X2/rwcdIM2RZBxgihO4biCAdXG/d6BZ9VwjQKRP8AnUFdIdN2ANC1R1w0WywfgYrm5AoZRwoChTOC6PtabPTNUgIHT46SF6PsR5/EVVd0jTTIGmn1h9wCUKeIbQ8v2aFFJXpJkgdC9wDzGmM2XdGDLzNXBxWLDID9nK1pb8bebZJMZJgmBpjl8P7pLPuxdBHYHUyeZw4CirOCLEBnJHc4XJHGMpmlRNQP2B53PvBw0A0EYI4okgiiGTQwfM7ThmhWsI83Wlgi9BkGQYujPuLy+YxgH6EeDHgtrOsOSNWIYkWTFUBJDz1MuX6UdyOWQZmidUnhmDWEOsMMIbuRjv9OZlZL7RbJyWfIMZTIB3iQfXAIqGdA1CzinEg7tFVGAk+FwxCagby5HMmbJHwGVZGG3LNs4kmRnpPX4KpdkB8T2Ww7vktOMTCnugFOwhU05JJYKWLpv9NOMDBopgz2E75Pcr8HWrpIVQxUf2xGfJAdOB9vIIOjtWx0My6cstjTzHJJy+1HyfYYKiJtCb9N0OIfz5VXyNMNU/MZua/J3dXClAFQelwpo89kUFZtYuXwzZWqKpnlUvYolG0dy16Achjl3uCxbtG1HAX/S5al6qin2rSmTZJ+CrUxRnQ6dM3U5pvxdeIYq1P8HlMl1hraLBS3MScJ0OThGzrIVoCcSdNTrthmR5+Vzl7l6N5fde2xW0DUBn8xQoEp6YI80nhz9cEaR15Td7Mn1dXM5pOr5NEt1Oaw/Va9kly2d5mtQr+2AGTbU36qunzCkC1bSnxRDZcojNiueYeiOLLmp3tEWf2hfxaYIL4Tjed9js9dOfAeGoeT78GrKluOx25k8O41mKelmick0lQjH8ejaWuIHPVPlJuB/xcZNI3lGCKAAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/67a79f5bd0c498bc74145cd39cdffbf1/8ac56/image-20230505222752374.webp 240w,\n/static/67a79f5bd0c498bc74145cd39cdffbf1/6976b/image-20230505222752374.webp 258w\"\n              sizes=\"(max-width: 258px) 100vw, 258px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/67a79f5bd0c498bc74145cd39cdffbf1/8ff5a/image-20230505222752374.png 240w,\n/static/67a79f5bd0c498bc74145cd39cdffbf1/d9489/image-20230505222752374.png 258w\"\n            sizes=\"(max-width: 258px) 100vw, 258px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/67a79f5bd0c498bc74145cd39cdffbf1/d9489/image-20230505222752374.png\"\n            alt=\"image-20230505222752374\"\n            title=\"image-20230505222752374\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>I then opened Chrome’s Memory Inspector:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 422px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6d26f7ac257b548de721bab39341e24d/fa5c1/image-20230505222910904.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 81.25%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAQCAYAAAAWGF8bAAAACXBIWXMAAAsTAAALEwEAmpwYAAACn0lEQVQ4y3VUWXbaQBDkIGBASKB93xckIWQTsvzk/mepVI+ME17sj36zqqa6qlurKMkwjDOSrMTucMJur0M7HLHXjGWuL3u79/Vj/7F+2mOsXC+AW01w+zvscoQTJIiSHEGcI0lLJHkNL4iRVy3COENaNIh4FicFMs7lnpxFXKd5hZXtBrCKEXb/A1ZaI4hSxDyQsSg7Aso8Q1V1BKjgeCEsx4dpuQj4kMXvZc+0PdhuSEAe2vUE+3zHKWlQNy2G6RU5mcmZXJSUNMqhGydsNjtsXvZ42e6x5vyF82WtqXGlU6OjEyGYf8Nsbiql+/0Xdb2iHy4qPd0wVRx4d68t+v4bD/2UhsbRwpavGQQ1ohpmkCIqW7h+hCyr0J1HAk8YLldM1xsfyHA82SpliZPpKKDt7vAXUOhuuTD8DEZARhxPTFV0m+cb5tdvaLoBKSvB50Mig/UeAvopoGhkBgRiWGFO/QKENCOnBBIuhZdyOpKRsFImvJvzKaBl+4v1Ra1CnCsI1PcXpWXbDpjmV5rW4XKZmXoM+fZLQHk1Yt1l1E9GKY266XGd3wg4c7wpLc/9hJFVUNUt2maATabb/eEZcENTFEMCxTQiplYnvlwQXEzpqF/T9ortME7c62nQFQkb4EuGMgrgAlrCCxPkZaPMGOlwSUZd+4Zz+x1NfaOu1Uc5/QeoFjudbVQohimLOi1rNRdgx8v5oMc7JjTNh2FELGJNffeIB+iS8mYLi9QTmiCGSP8KmLDLqwYxW/I63VSaXT+g7c6qFgXgUdgfDE3Lge7ECMoBPsskySXlgoUds7ALtmCpnA3jFGVzhsc6XK93H6223uyfGToue7ma4Qw/YXqxYigaBvFS3PLzOJr28kOwl972KYOYKD+LLM+fGP4BFqbslxZ4sL4AAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6d26f7ac257b548de721bab39341e24d/8ac56/image-20230505222910904.webp 240w,\n/static/6d26f7ac257b548de721bab39341e24d/fc0b3/image-20230505222910904.webp 422w\"\n              sizes=\"(max-width: 422px) 100vw, 422px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6d26f7ac257b548de721bab39341e24d/8ff5a/image-20230505222910904.png 240w,\n/static/6d26f7ac257b548de721bab39341e24d/fa5c1/image-20230505222910904.png 422w\"\n            sizes=\"(max-width: 422px) 100vw, 422px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6d26f7ac257b548de721bab39341e24d/fa5c1/image-20230505222910904.png\"\n            alt=\"image-20230505222910904\"\n            title=\"image-20230505222910904\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This allowed me to identify the addresses where specific strings are stored:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 725px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1c272d021b62ef9fd8038b5d000eea88/a0209/image-20230505223141904.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 42.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABLklEQVQoz3VRWXaEMAzjKEMgG0uAAKHQmdfe/1Kq7QAzP/3Qkx1Hiu0UqjJQlUX6OrCmAzk3eJS1oFQaD0L5gf9y5kIbh1o7VLUl9sJsqI0XLslUfeBRVndcnlDqzUWMC0ZCHyaM04phiAiEtB1o2wFOG3TWojUGtmZoyRudY6mbXHdUL6aJDAldN5DRTPGMlmI2bNogJo3JosvA63zGOdfZjB9gLjYSLuuOKa6IcwLn3OF+vDBT7k+D4OwtlA7N2/iagLlIaZdu5iXRp+xYlk1W8Hz9YhypW+pscAwnIs6DzZAHCNG725Q6zIY8apw36Wogo+/nD0KIcrGji/0pYGaM9Iijkf25Q2ZT0S/3/SgjMnf9JOybXkx5h4ZETROoEwtNAhYx8y65doEN+fwPvI7t3j0Ml2AAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1c272d021b62ef9fd8038b5d000eea88/8ac56/image-20230505223141904.webp 240w,\n/static/1c272d021b62ef9fd8038b5d000eea88/d3be9/image-20230505223141904.webp 480w,\n/static/1c272d021b62ef9fd8038b5d000eea88/92338/image-20230505223141904.webp 725w\"\n              sizes=\"(max-width: 725px) 100vw, 725px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1c272d021b62ef9fd8038b5d000eea88/8ff5a/image-20230505223141904.png 240w,\n/static/1c272d021b62ef9fd8038b5d000eea88/e85cb/image-20230505223141904.png 480w,\n/static/1c272d021b62ef9fd8038b5d000eea88/a0209/image-20230505223141904.png 725w\"\n            sizes=\"(max-width: 725px) 100vw, 725px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1c272d021b62ef9fd8038b5d000eea88/a0209/image-20230505223141904.png\"\n            alt=\"image-20230505223141904\"\n            title=\"image-20230505223141904\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Reverse-looking up the addresses of strings that appeared to be Flag components, I found that func13 references them in the following order:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">i32.const <span class=\"token number\">65948</span>\ni32.const <span class=\"token number\">66022</span>\ni32.const <span class=\"token number\">65642</span>\ni32.const <span class=\"token number\">65821</span>\ni32.const <span class=\"token number\">65809</span>\ni32.const <span class=\"token number\">65738</span>\ni32.const <span class=\"token number\">65536</span></code></pre></div>\n<p>Entering each address into the Memory Inspector in order revealed the Flag.</p>\n<h2 id=\"lowkey_messedup-forensic\" style=\"position:relative;\"><a href=\"#lowkey_messedup-forensic\" aria-label=\"lowkey_messedup forensic permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>lowkey_messedup (Forensic)</h2>\n<p>Opening the provided pcap file shows a series of USB packets containing <code class=\"language-text\">Leftover Capture Data</code>:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 952px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/97442ef3488f000067c29e1a6615ce03/7e4a6/image-20230509221131962.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 50.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAKCAYAAAC0VX7mAAAACXBIWXMAAAsTAAALEwEAmpwYAAABxklEQVQoz2VSyZLTQAz1/38Df8CVI1UcGZjUEDLYjrcY744dr/GeiR+SBsIEVKVSt1p6epJaCcMIvu9j9/yMNE1h2zbiOIZpmmIdx5F313XlfjgcoGmq+LM8x+l0ulNlnmY65NhsNui6DnmWiT0ej5imCRnd2fb9AJY0SfD49Qv2ex3zvGC9XnF9o8qyLKjrCrqmU+KM4lRgHEbkVJ3fyrKkxBnjOAogs2CGnufhcnnBv6JwcHc+w7EdSazrGhMlV1WF12I1WQacJKEsCmEXBAEuL6+A67reVOF2CgoyDVOSmMEwDMKQC/CdLftYeCTb7TciYN8Y3gEyCAepqnoD6vteZvcHUGb4G5D9u91WlrMsF0a7B+S2mqaRAK7Yti3Zi/g44Ezj4GGzj6WqaliWQRuPsOJ/UZhBHEXUsoGMNhvSbI70fcIwFOZB4Iuft95SkSwOoVE3lmUhp1xeWlUWqEnZKo7r4WmnwXB+QrMO0Em3P3Sohi3nve2SJd0b+K4Z+PCgw3Rc+LTlKE6QRAE+Ptl498nC+88OlLLt4WUNkrJDWo+IizO8tBQthivqGaJ52SDKSjwGA/r57+zoI6JfVhT0qxqK+wVYrfKqdwGc+QAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/97442ef3488f000067c29e1a6615ce03/8ac56/image-20230509221131962.webp 240w,\n/static/97442ef3488f000067c29e1a6615ce03/d3be9/image-20230509221131962.webp 480w,\n/static/97442ef3488f000067c29e1a6615ce03/60b07/image-20230509221131962.webp 952w\"\n              sizes=\"(max-width: 952px) 100vw, 952px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/97442ef3488f000067c29e1a6615ce03/8ff5a/image-20230509221131962.png 240w,\n/static/97442ef3488f000067c29e1a6615ce03/e85cb/image-20230509221131962.png 480w,\n/static/97442ef3488f000067c29e1a6615ce03/7e4a6/image-20230509221131962.png 952w\"\n            sizes=\"(max-width: 952px) 100vw, 952px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/97442ef3488f000067c29e1a6615ce03/7e4a6/image-20230509221131962.png\"\n            alt=\"image-20230509221131962\"\n            title=\"image-20230509221131962\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This type of traffic corresponds to USB Keystrokes as described in HackTricks:</p>\n<p>Reference: <a href=\"https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">USB Keystrokes - HackTricks</a></p>\n<p>To extract the keystrokes, I ran:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Extract usb.capdata</span>\ntshark -r ./chall.pcap -Y <span class=\"token string\">'usb.capdata &amp;&amp; usb.data_len == 8'</span> -T fields -e usb.capdata <span class=\"token operator\">|</span> <span class=\"token function\">sed</span> <span class=\"token string\">'s/../:&amp;/g2'</span> <span class=\"token operator\">></span> keystrokes.txt\n\n<span class=\"token comment\"># Parse keystrokes from keystrokes.txt</span>\npython3 solver.py ./keystrokes.txt</code></pre></div>\n<p>This yielded <code class=\"language-text\">FLAG{Big_br0ther_is_watching_y0ur_keyboard⌫⌫⌫⌫0ard}</code>.</p>\n<p>Since there were Backspace characters mid-stream, the actual input was <code class=\"language-text\">FLAG{Big_br0ther_is_watching_y0ur_keyb0ard}</code>.</p>\n<p>The <code class=\"language-text\">solver.py</code> used:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\">#!/usr/bin/python</span>\n<span class=\"token comment\"># -*- coding: utf-8 -*-</span>\n\n<span class=\"token keyword\">import</span> sys\n\n<span class=\"token comment\">#More symbols in https://www.fileformat.info/search/google.htm?q=capslock+symbol&amp;domains=www.fileformat.info&amp;sitesearch=www.fileformat.info&amp;client=pub-6975096118196151&amp;forid=1&amp;channel=1657057343&amp;ie=UTF-8&amp;oe=UTF-8&amp;cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A11&amp;hl=en</span>\nKEY_CODES <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token number\">0x04</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'a'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'A'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x05</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'b'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'B'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x06</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'c'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'C'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x07</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'d'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'D'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x08</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'e'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'E'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x09</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'f'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'F'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0A</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'g'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'G'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0B</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'h'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'H'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0C</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'i'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'I'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0D</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'j'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'J'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0E</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'k'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'K'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x0F</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'l'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'L'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x10</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'m'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'M'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x11</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'n'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'N'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x12</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'o'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'O'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x13</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'p'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'P'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x14</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'q'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'Q'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x15</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'r'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'R'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x16</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'s'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'S'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x17</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'t'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'T'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x18</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'u'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'U'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x19</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'v'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'V'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1A</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'w'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'W'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1B</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'x'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'X'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1C</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'y'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'Y'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1D</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'z'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'Z'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1E</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'1'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'!'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1F</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'2'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'@'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x20</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'3'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'#'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x21</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'4'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'$'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x22</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'5'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'%'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x23</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'6'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'^'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x24</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'7'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'&amp;'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x25</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'8'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'*'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x26</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'9'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'('</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x27</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'0'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">')'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x28</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'\\n'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'\\n'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x29</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'␛'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'␛'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2a</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'⌫'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'⌫'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2b</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'\\t'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'\\t'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2C</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">' '</span><span class=\"token punctuation\">,</span> <span class=\"token string\">' '</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2D</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'-'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'_'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2E</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'='</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'+'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x2F</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'['</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'{'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x30</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">']'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'}'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x32</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'#'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'~'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x33</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">';'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">':'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x34</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'\\''</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'\"'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x36</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">','</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'&lt;'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x37</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'.'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'>'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x38</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'/'</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'?'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x39</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">'⇪'</span><span class=\"token punctuation\">,</span><span class=\"token string\">'⇪'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x4f</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">u'→'</span><span class=\"token punctuation\">,</span><span class=\"token string\">u'→'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x50</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">u'←'</span><span class=\"token punctuation\">,</span><span class=\"token string\">u'←'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x51</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">u'↓'</span><span class=\"token punctuation\">,</span><span class=\"token string\">u'↓'</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x52</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">[</span><span class=\"token string\">u'↑'</span><span class=\"token punctuation\">,</span><span class=\"token string\">u'↑'</span><span class=\"token punctuation\">]</span>\n<span class=\"token punctuation\">}</span>\n\n\n<span class=\"token comment\">#tshark -r ./usb.pcap -Y 'usb.capdata &amp;&amp; usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&amp;/g2' > keyboards.txt</span>\n<span class=\"token keyword\">def</span> <span class=\"token function\">read_use</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">file</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token builtin\">file</span><span class=\"token punctuation\">,</span> <span class=\"token string\">'r'</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n        datas <span class=\"token operator\">=</span> f<span class=\"token punctuation\">.</span>readlines<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n    \n    datas <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span>d<span class=\"token punctuation\">.</span>strip<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">for</span> d <span class=\"token keyword\">in</span> datas <span class=\"token keyword\">if</span> d<span class=\"token punctuation\">]</span> \n    cursor_x <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    cursor_y <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n    lines <span class=\"token operator\">=</span> <span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span>\n    output <span class=\"token operator\">=</span> <span class=\"token string\">''</span>\n    skip_next <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n    lines<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n    \n    <span class=\"token keyword\">for</span> data <span class=\"token keyword\">in</span> datas<span class=\"token punctuation\">:</span>\n        shift <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">':'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span> <span class=\"token comment\"># 0x2 is left shift 0x20 is right shift</span>\n        key <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">':'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">2</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n\n        <span class=\"token keyword\">if</span> skip_next<span class=\"token punctuation\">:</span>\n            skip_next <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n            <span class=\"token keyword\">continue</span>\n        \n        <span class=\"token keyword\">if</span> key <span class=\"token operator\">==</span> <span class=\"token number\">0</span> <span class=\"token keyword\">or</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>data<span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">':'</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">3</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token number\">16</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">></span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            <span class=\"token keyword\">continue</span>\n        \n        <span class=\"token comment\">#If you don't like output get a more verbose output here (maybe you need to map new rekeys or remap some of them)</span>\n        <span class=\"token keyword\">if</span> <span class=\"token keyword\">not</span> key <span class=\"token keyword\">in</span> KEY_CODES<span class=\"token punctuation\">:</span>\n            <span class=\"token comment\">#print(\"Not found: \"+str(key))</span>\n            <span class=\"token keyword\">continue</span>\n        \n        <span class=\"token keyword\">if</span> shift <span class=\"token operator\">!=</span> <span class=\"token number\">0</span><span class=\"token punctuation\">:</span>\n            shift<span class=\"token operator\">=</span><span class=\"token number\">1</span>\n            skip_next <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\n\n        <span class=\"token keyword\">if</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">u'↑'</span><span class=\"token punctuation\">:</span>\n            lines<span class=\"token punctuation\">[</span>cursor_y<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> output\n            output <span class=\"token operator\">=</span> <span class=\"token string\">''</span>\n            cursor_y <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n        \n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">u'↓'</span><span class=\"token punctuation\">:</span>\n            lines<span class=\"token punctuation\">[</span>cursor_y<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> output\n            output <span class=\"token operator\">=</span> <span class=\"token string\">''</span>\n            cursor_y <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">u'→'</span><span class=\"token punctuation\">:</span>\n            cursor_x <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">u'←'</span><span class=\"token punctuation\">:</span>\n            cursor_x <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n\n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'\\n'</span><span class=\"token punctuation\">:</span>\n            lines<span class=\"token punctuation\">.</span>append<span class=\"token punctuation\">(</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">)</span>\n            lines<span class=\"token punctuation\">[</span>cursor_y<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> output\n            cursor_x <span class=\"token operator\">=</span> <span class=\"token number\">0</span>\n            cursor_y <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n            output <span class=\"token operator\">=</span> <span class=\"token string\">''</span>\n\n        <span class=\"token keyword\">elif</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">==</span> <span class=\"token string\">'[BACKSPACE]'</span><span class=\"token punctuation\">:</span>\n            output <span class=\"token operator\">=</span> output<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span>cursor_x<span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> output<span class=\"token punctuation\">[</span>cursor_x<span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span>\n            cursor_x <span class=\"token operator\">-=</span> <span class=\"token number\">1</span>\n        \n        <span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n            output <span class=\"token operator\">=</span> output<span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span>cursor_x<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> KEY_CODES<span class=\"token punctuation\">[</span>key<span class=\"token punctuation\">]</span><span class=\"token punctuation\">[</span>shift<span class=\"token punctuation\">]</span> <span class=\"token operator\">+</span> output<span class=\"token punctuation\">[</span>cursor_x<span class=\"token punctuation\">:</span><span class=\"token punctuation\">]</span>\n            cursor_x <span class=\"token operator\">+=</span> <span class=\"token number\">1</span>\n    \n    <span class=\"token keyword\">if</span> lines <span class=\"token operator\">==</span> <span class=\"token punctuation\">[</span><span class=\"token string\">\"\"</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">:</span>\n        lines<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> output\n    \n    <span class=\"token keyword\">if</span> output <span class=\"token operator\">!=</span> <span class=\"token string\">''</span> <span class=\"token keyword\">and</span> output <span class=\"token keyword\">not</span> <span class=\"token keyword\">in</span> lines<span class=\"token punctuation\">:</span>\n        lines<span class=\"token punctuation\">[</span>cursor_y<span class=\"token punctuation\">]</span> <span class=\"token operator\">+=</span> output\n    \n    <span class=\"token keyword\">return</span> <span class=\"token string\">'\\n'</span><span class=\"token punctuation\">.</span>join<span class=\"token punctuation\">(</span>lines<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">if</span> __name__ <span class=\"token operator\">==</span> <span class=\"token string\">'__main__'</span><span class=\"token punctuation\">:</span>\n    <span class=\"token keyword\">if</span> <span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>sys<span class=\"token punctuation\">.</span>argv<span class=\"token punctuation\">)</span> <span class=\"token operator\">&lt;</span> <span class=\"token number\">2</span><span class=\"token punctuation\">:</span>\n        <span class=\"token keyword\">print</span><span class=\"token punctuation\">(</span><span class=\"token string\">'Missing file to read...'</span><span class=\"token punctuation\">)</span>\n        exit<span class=\"token punctuation\">(</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n    sys<span class=\"token punctuation\">.</span>stdout<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>read_use<span class=\"token punctuation\">(</span>sys<span class=\"token punctuation\">.</span>argv<span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span></code></pre></div>\n<h2 id=\"web-64bps-web\" style=\"position:relative;\"><a href=\"#web-64bps-web\" aria-label=\"web 64bps web permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>web-64bps (Web)</h2>\n<p>Haven’t touched Web challenges in a while!</p>\n<p>The challenge server is configured with the following Dockerfile and nginx.conf:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">FROM nginx:1.23.3-alpine-slim\n\nCOPY nginx.conf /etc/nginx/nginx.conf\nCOPY flag.txt /usr/share/nginx/html/flag.txt\n\nRUN <span class=\"token builtin class-name\">cd</span> /usr/share/nginx/html <span class=\"token operator\">&amp;&amp;</span> <span class=\"token punctuation\">\\</span>\n    <span class=\"token function\">dd</span> <span class=\"token assign-left variable\">if</span><span class=\"token operator\">=</span>/dev/random <span class=\"token assign-left variable\">of</span><span class=\"token operator\">=</span>2gb.txt <span class=\"token assign-left variable\">bs</span><span class=\"token operator\">=</span>1M <span class=\"token assign-left variable\">count</span><span class=\"token operator\">=</span><span class=\"token number\">2048</span> <span class=\"token operator\">&amp;&amp;</span> <span class=\"token punctuation\">\\</span>\n    <span class=\"token function\">cat</span> flag.txt <span class=\"token operator\">>></span> 2gb.txt <span class=\"token operator\">&amp;&amp;</span> <span class=\"token punctuation\">\\</span>\n    <span class=\"token function\">rm</span> flag.txt</code></pre></div>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">user  nginx<span class=\"token punctuation\">;</span>\nworker_processes  auto<span class=\"token punctuation\">;</span>\n\nerror_log  /var/log/nginx/error.log notice<span class=\"token punctuation\">;</span>\npid        /var/run/nginx.pid<span class=\"token punctuation\">;</span>\n\n\nevents <span class=\"token punctuation\">{</span>\n    worker_connections  <span class=\"token number\">1024</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n\nhttp <span class=\"token punctuation\">{</span>\n    include       /etc/nginx/mime.types<span class=\"token punctuation\">;</span>\n    default_type  application/octet-stream<span class=\"token punctuation\">;</span>\n\n    keepalive_timeout  <span class=\"token number\">65</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">gzip</span>               off<span class=\"token punctuation\">;</span>\n    limit_rate         <span class=\"token number\">8</span><span class=\"token punctuation\">;</span> <span class=\"token comment\"># 8 bytes/s = 64 bps</span>\n\n    server <span class=\"token punctuation\">{</span>\n        listen       <span class=\"token number\">80</span><span class=\"token punctuation\">;</span>\n        listen  <span class=\"token punctuation\">[</span>::<span class=\"token punctuation\">]</span>:80<span class=\"token punctuation\">;</span>\n        server_name  localhost<span class=\"token punctuation\">;</span>\n\n        location / <span class=\"token punctuation\">{</span>\n            root   /usr/share/nginx/html<span class=\"token punctuation\">;</span>\n            index  index.html index.htm<span class=\"token punctuation\">;</span>\n        <span class=\"token punctuation\">}</span>\n    <span class=\"token punctuation\">}</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The Flag text is appended to the end of a 2 GB random binary file, and Nginx’s <code class=\"language-text\">limit_rate</code> is set extremely low, making it practically impossible to download the full file.</p>\n<p>The solution is to use HTTP Range requests (specifying <code class=\"language-text\">Content-Range</code> and <code class=\"language-text\">Content-Length</code>) to fetch only the bytes at a specific offset.</p>\n<p>Reference: <a href=\"https://stackoverflow.com/questions/3203217/read-file-from-server-with-some-offset\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">python - read file from server with some offset - Stack Overflow</a></p>\n<p>This type of request can also be issued with curl’s <code class=\"language-text\">-r</code> option.</p>\n<p>In this case, fetching roughly 200 bytes from offset 2147483603 to 2147483793 yielded the Flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token function\">curl</span> -r <span class=\"token number\">2147483603</span>-2147483793 <span class=\"token string\">\"https://64bps-web.wanictf.org/2gb.txt\"</span> -o flag.txt</code></pre></div>\n<h2 id=\"wrap-up\" style=\"position:relative;\"><a href=\"#wrap-up\" aria-label=\"wrap up permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Wrap-up</h2>\n<p>We were on pace to break the top 10 early on, but ran out of solvable problems mid-contest and stalled.</p>\n<p>The competitive-programming-style Misc challenges were beyond my implementation speed, which was frustrating.</p>\n<p>Maybe I should get back into competitive programming…</p>","fields":{"slug":"/ctf-wanictf-2023-en","tagSlugs":["/tag/ctf-en/","/tag/rev-en/","/tag/forensic-en/","/tag/web-en/","/tag/english/"]},"frontmatter":{"date":"2023-05-06","description":"WaniCTF 2023 Writeup","tags":["CTF (en)","Rev (en)","Forensic (en)","Web (en)","English"],"title":"WaniCTF 2023 Writeup","socialImage":{"publicURL":"/static/cfb330dbf4cc573a235a16bb60c04814/ctf-wanictf-2023.png"}}}},"pageContext":{"slug":"/ctf-wanictf-2023-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}