Nuit Du Hack 2012 Prequals – Port 4004 Writeup

After solving the Port 4000 challenge, I connected to the sciteek.nuitduhack.com:4004 service, which was mentioned in the flag file I was able to fetch.

The main idea is the same: it looks like the service is vulnerable to a stack-based buffer overflow. By sending 100 + 1 bytes, I’m able to overwrite one byte of the return address. So I made another Python script in order to brute-force:

Nuit Du Hack 2012 Prequals – Port 4000 Writeup

After solving the Vigenère level earlier, I decided to connect to sciteek.nuitduhack.com:4000, which is mentioned there.

I used my web browser to request the following:


http://sciteek.nuitduhack.com:4000/?ABCDEFG

And the response was:


Welcome on Sciteek' SciPad secure shell !
Please enter your passphrase: [!] Segfault 0x4443 (opcode unknown)

So the Segfault code is formed by the characters “CD” of the URL I requested.

Then I remembered the assembly code shown in the Vigenère level:

Nuit Du Hack 2012 Prequals – sp111 Writeup

We had the following encrypted text:

vn,

r vus qlwqhhdsqh vunqhvwdj kftdmx af xwiqo isxcdldnb. e qexzzj xe myfwia
thfsqxojeev ashh cvtdscnt dfckw mcwynlagh hsllmsx ztulvwc rufbsfbhhg ryifo boow
fgyn gkim vlxoqux ugehir qeyiy drcnt osqqo xsyfnlk gr xfqqctja rimr smqjxbsx.
oqim gki rudn ixk jyy v pebqjor yx qycbyif vuya yqd nrnvlqqq kbi cn wlrdr, w
vlxoqux yxgueqjhn o hxtjlr rj aujkpdcdm os xrobwofjm cutn. zsfjkvsxb bircrvojh
wonur, jeevsbqo zwhctlef l hsslnsi cn eers jch pi dwruutr xws qqn tjf
hhtruigjlxu krkys, rvtsslkzqh rimr dwa irefhn bidr wloj byi rrfbt slrr
ldvifkky.

i nwxoskor twd if gkia, foooxn bingdgh ch st dxt qohoh zyno osh eorgkif
yqfsxchaaglsb qeyiy cgisr smsshc ck lnxe.

; ghwh fuyuwjl #1 - vuvoh #35 teu cqnyzx
; hgwt://gsldsjt.moiggyvqfu.qtv

; rimr lrqbxnsx
#rmwlhgi wdf/chiuhv.iaf

; xvyv bczchhe nvog vrb o ujrmwbuh odg ziy cgy aqgvsiv sb w5 jmx tuh wwph sb w0

.uzvey dwy_fdcgbxqx
; dvvtzqb k dwxljt
zrzz h0, :sgr_rbf
wayo :tfyqd

; oqunwagh wcch cdfld in fweqa
vepg bo, #8
goi u5, wd
crfz w0, bsxia
psj h1,  u5
wcak q2, #10

; leng xvu skgxfnld susa iwnws
lzfl :eher

; hhchtad nhr vxosn zcnwsyr
nghp is, #8

; bsydqh
rrw

; sih pkws
;
; kzmipdpzo, wrwx yqigedq rehc btcgcnt xwsvxv ... wy rr dufw e gqpzzj 😉

.uzvey pewd
; gsguuzs a jhpqepo ajbrugr
psjb u0, :gsqlnge
pdpz :fusby

; jre fbu e dqvcktac
wayo :ega_skgxfnld

; qlwdbdig fw dlrbu
qclo b0, :swanl
cnop :dhlxh

; vdhn
eag

; xscs bczchhe (arx iihn oshlirr)

.oepuo dsry_qiuglrs
crfz w0, :okug_slps
sdvz :irrj_fvoi_qeqdssc
dhd

.ydfsb zozhxly
.do "zizsrws tw rwighiy' ifsdfm rychui gxhvz !",0c0j,0

.kubro tkt_pcu
.ik "ofenvi sdwof dxtl pnvwdxukgj: ",0

.uzvey hvfeu
.np "sxoy. ig lw bew dvj pnid cdwgmrbr",0c0j,0

.kubro lwdw
.np "xlhnern.riywnimjbe.cbp:4000",0

.porhv tqjf_ziyh
.hp "uvyoxxdf.tkw",0

It could be a Caesar cipher; however, we can see that there’s something that looks like a URL (hgwt://gsldsjt.moiggyvqfu.qtv), and its second and third letters, which correspond to “t”, are different in the ciphertext, so this text may be enciphered with the Vigenère cipher instead.
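The check described above, carried through as an added example (not the author's script): it computes the per-letter shifts under the crib "http", then goes one step further and recovers the repeating key from the whole URL-shaped string. The full crib (the host name mentioned in the posts above) and all function names are assumptions.

```python
import string

ALPHA = string.ascii_lowercase

def key_shifts(cipher, crib):
    """Shift (cipher - plain) mod 26 for each letter pair; non-letters carry no key."""
    if len(cipher) != len(crib):
        raise ValueError("crib and ciphertext fragment differ in length")
    out = []
    for c, p in zip(cipher.lower(), crib.lower()):
        if c in ALPHA and p in ALPHA:
            out.append((ALPHA.index(c) - ALPHA.index(p)) % 26)
        elif c != p:
            raise ValueError(f"crib does not fit: {c!r} vs {p!r}")
    return out

def smallest_period(seq):
    """Smallest p with seq[i] == seq[i + p] everywhere, or None if nothing repeats."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None

def decrypt(text, key, start=0):
    """Vigenere decryption of lower-case text; the key advances on letters only."""
    out, k = [], start
    for ch in text:
        if ch in ALPHA:
            out.append(ALPHA[(ALPHA.index(ch) - key[k % len(key)]) % 26])
            k += 1
        else:
            out.append(ch)
    return "".join(out)

# Fragments copied from the ciphertext above; the cribs are assumptions.
URL_CT, URL_CRIB = "hgwt://gsldsjt.moiggyvqfu.qtv", "http://sciteek.nuitduhack.com"
NEXT_LINE = "; rimr lrqbxnsx"  # the comment line that follows the URL

def analyse():
    scheme = key_shifts(URL_CT[:4], "http")  # one repeated value would mean Caesar
    stream = key_shifts(URL_CT, URL_CRIB)
    period = smallest_period(stream)
    key = stream[:period]
    # The URL consumed len(stream) key letters, so the next line starts there.
    return scheme, period, key, decrypt(NEXT_LINE, key, start=len(stream))

if __name__ == "__main__":
    scheme, period, key, plain = analyse()
    print(scheme, period, "".join(ALPHA[s] for s in key), repr(plain))
```

The two "t" positions give shifts 13 and 3, which rules out a single Caesar shift, and the keystream recovered from the longer crib repeats after 13 letters.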
