## Hack.lu CTF 2021 Web Writeup

Because there are not many Crypto listed in the "Stock Market", our Cryptotrader Cryptanalyst Mystiz joined us for bounty hunting in Web as well, and we got all Web challenges done this time....

Because there are not many Crypto listed in the "Stock Market", our Cryptotrader Cryptanalyst Mystiz joined us for bounty hunting in Web as well, and we got all Web challenges done this time....

Because there are not many Crypto listed in the "Stock Market", I decided to join our Webb-expert Web-expert Ozetta for bounty hunting in web, and we got all web challenges done this time. The writeup of the web challenges can be found here....

We played the annual Gold Bug puzzle hosted by the DEFCON Crypto and Privacy Village - and we won! Although we were unable to ace the challenge before the game ends, we managed to solve the remaining challenge afterwards. We will be covering all of them in this walkthrough....

We are united to play 3kCTF-2021 and result in the second place. In this blog post, we will walk through our solutions on the challenges solved....

We played Cyber Apocalypse 2021 and I have attempted several crypto challenges. I'll include the challenges Wii Phit and Hyper Metroid in this writeup....

Lost in Your Eyes is a reverse engineering challenge in DiceCTF 2021 with ten solves (334 points). We are given a binary which takes an input and outputs either :) or :(. If you win a smiley face on the remote server, you are additionally given the flag....

TetCTF is the first CTF I have played in 2021. I recalled from last year that they have cool challenges. This year, there are three crypto challenges. In particular, unevaluated is the hardest among them. Although I did not solve them, I dug into rabbit holes and had a lot of struggle, uh, fun. Challenge Summary There is a 128-bit prime $p$. Define $\cdot: \mathbb{Z}_{p^2}^2\times\mathbb{Z}_{p^2}^2\rightarrow\mathbb{Z}_{p^2}^2$ by \[(x_1, y_1)\cdot(x_2, y_2) := \left(\left(x_1x_2-y_1y_2\right)\ \text{mod}\ p^2, \left(x_1y_2+y_1x_2\right)\ \text{mod}\ p^2\right),\]...

I was teamed up to play hxp CTF as @blackb6a last week. The hxp team had come up with a collection of hard challenges. In particular, there are two series of crypto challenges with a total of five parts. I will be writing on the hyper challenge and some follow-up and unanswered questions regarding to hyperelliptic curves. ⓘ 𝗢𝗳𝗳𝗶𝗰𝗶𝗮𝗹 𝘀𝗼𝘂𝗿𝗰𝗲𝘀 𝘀𝘁𝗮𝘁𝗲𝗱 𝘁𝗵𝗮𝘁 𝘁𝗵𝗶𝘀 𝗶𝘀 𝗺𝗶𝘀𝗹𝗲𝗮𝗱𝗶𝗻𝗴 Seriously. I knew nothing on hyperelliptic curves prior to the CTF....

Dragon CTF 2020 is definitely had my best CTF moments. There are big brain moments and I have been mind-blown for multiple times during the game. This time we have teamed up with @blackb6a. I have solved all the crypto challenges and two challenges with my teammates. There are three challenges writeup in this post: Bit Flip (parts 2 and 3) Frying in motion babykok Bit Flip (Crypto, 155+324+343 points) Solved by Mystiz....

urlcheck v1 (Web, 98 points) Solved by Ozetta. Objective: SSRF http://127.0.0.1/admin-status The input needs to fulfil the pattern '\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z' and the first octet cannot be 0 or 127, and some other patterns for internal IP addresses. For some reason, int("0177") is still 177 instead of 127 in Python, so we can use http://0177.0.0.1/admin-status urlcheck v2 (Web, 128 points) Solved by Ozetta. Objective: SSRF http://localhost/admin-status Standard TOCTOU bug, just use DNS rebinding to get access: http://23bbd91c....