Pascal CTF

very easy ctf for beginners

2/570

Name	Category
Base N' Hex	Misc
Romagnol Prometheus	Misc
Static Fl@g	Web Exploitation
Biscotto	Web Exploitation
Romañs Empyre	Cryptography
MindBlowing	Cryptography
KONtAct MI	Reverse Engineering

1

Base N' Hex

I encrypted the flag but I don't remember in what order. Can you help me?

starting off the challenge we were given this source code

from base64 import b64encode
import random, os

FLAG = os.getenv("FLAG").encode()
assert FLAG.startswith(b"pascalCTF{")
assert FLAG.endswith(b"}")

def encode(input_string):
    if random.randint(0, 1) == 0:
        return b64encode(input_string)
    else:
        return input_string.hex().encode()
    
if __name__ == "__main__":
    for i in range(10):
        FLAG = encode(FLAG)
    with open('output.txt', 'w') as out:
        out.write(FLAG.decode())

so its a funny encryption where it will do a random b64 encode or change a string to a hex we can decode this easily by seeing the patterns on the text then getting it back to normal in cyber chef

2

Romagnol Prometheus

Mattia said he was feeling a little mischevious today and sent me these photos, can you help me understand what he's up to?

we were given 3 pictures and were asked what was the meaning behind the picture

this is a bit guessy but when we do the exiftool there was a gps place so i just went ahead and asked my ai

pascalCTF{gubbio}

3

Static Fl@g

A friend of mine created a nice frontend, he said we didn't need a backend to check the flag...

a simple guess the flag chall when inspecting

we can just use the atob given to get the value

4

Biscotto

Elia accidentally locked himself out of his admin panel can you help him to get his access back?

i immediately logged in

so after logging in we were given a cookie that we could change the value of to admin then we will get the flag

5

Romañs Empyre

My friend Elia forgot how to write, can you help him recover his flag??

import os, random, string

alphabet = string.ascii_letters + string.digits + "{}_-.,/%?$!@#"
FLAG : str = os.getenv("FLAG")
assert FLAG.startswith("pascalCTF{")
assert FLAG.endswith("}")

def romanize(input_string):
    key = random.randint(1, len(alphabet) - 1)
    result = [""] * len(input_string)
    for i, c in enumerate(input_string):
        result[i] = alphabet[(alphabet.index(c) + key) % len(alphabet)]
    return "".join(result)

if __name__ == "__main__":
    result = romanize(FLAG)
    assert result != FLAG
    with open("output.txt", "w") as f:
        f.write(result)

this cipher uses the wordlist that consists of `abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789{}_-.,/%?$!@#`

the romanize function uses a random key

so it will just do

(indexAtAlphabet(c) + random int) % len(alphabet)

we can just reverse the process to test all the possible keys

def reverse_romanize(encrypted_string, key):
    result = [""] * len(encrypted_string)
    for i, c in enumerate(encrypted_string):
        result[i] = alphabet[(alphabet.index(c) - key) % len(alphabet)]
    return "".join(result)

for key in range(1, len(alphabet)):
    decrypted_flag = reverse_romanize(output, key)
    if decrypted_flag.startswith("pascalCTF{") and decrypted_flag.endswith("}"):
        print(f"Found FLAG: {decrypted_flag}")
        print(f"Key used: {key}")
        break

6

MindBlowing

My friend Marco recently dived into studying bitwise operators, and now he's convinced he's invented pseudorandom numbers! Could you help me figure out his secrets?

import signal, os

SENTENCES = [
    b"Elia recently passed away, how will we be able to live without a sysadmin?!!?",
    os.urandom(42),
    os.getenv('FLAG', 'pascalCTF{REDACTED}').encode()
]

def generate(seeds: list[int], idx: int) -> list[int]:
    result = []
    if idx < 0 or idx > 2:
        return result
    encoded = int.from_bytes(SENTENCES[idx], 'big')
    for bet in seeds:
        # why you're using 1s when 0s exist
        if bet.bit_count() > 40:
            continue
        result.append(encoded & bet)
    
    return result

def menu():
    print("Welcome to the italian MindBlowing game!")
    print("1. Generate numbers")
    print("2. Exit")
    print()

    return input('> ')

def handler(signum, frame):
    print("Time's up!")
    exit()

if __name__ == '__main__':
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(300)
    while True:
        choice = menu()

        try:
            if choice == '1':
                idx = int(input('Gimme the index of a sentence: '))
                seeds_num = int(input('Gimme the number of seeds: '))
                seeds = []
                for _ in range(seeds_num):
                    seeds.append(int(input(f'Seed of the number {_+1}: ')))
                print(f"Result: {generate(seeds, idx)}")
            elif choice == '2':
                break
            else:
                print("Wrong choice (。_。)")
        except:
            print("Boh ㄟ( ▔, ▔ )ㄏ")

the chall starts of a function to generate numbers

so we need to target the SENTENCES[2] to find the flag

so the chall is basiclly just doing & to the seed we give so by doing this we could actually get the flag one by one until we get the full flag

from pwn import *
import time

p = remote("mindblowing.challs.pascalctf.it", 420)

def get_result(idx, seeds):
    try:
        p.sendlineafter(b"> ", b"1")
        p.sendlineafter(b"Gimme the index of a sentence: ", str(idx).encode())
        p.sendlineafter(b"Gimme the number of seeds: ", str(len(seeds)).encode())
        for i, seed in enumerate(seeds):
            p.sendlineafter(f"Seed of the number {i+1}: ".encode(), str(seed).encode())
        p.recvuntil(b"Result: ")
        result = p.recvline().strip().decode()
        return eval(result)
    except EOFError:
        print("Connection closed by server.")
        return None


idx = 2
flag_length = 64

flag = b""
for byte_pos in range(flag_length):
    byte_value = 0
    for bit in range(8):
        seed = 1 << (byte_pos * 8 + bit)
        result = get_result(idx, [seed])
        if result is None:
            break
        if result and result[0] != 0:
            byte_value |= 1 << bit
    else:
        flag += bytes([byte_value])
        print(f"Reconstructed so far: {flag}")
        time.sleep(0.1)
        continue
    break

flag = flag[::-1]
print("FLAG:", flag.decode())

pascalCTF{m4by3_1_sh0uld_ch3ck_th3_t0t4l_numb3r_0f_ONES}

7

KONtAct MI

I've beaten this stupid game many times, but I never got to the real final. I've also asked the admin about it, but he keeps saying I have something called 'Skill issue'.

this is a very easy re challenge

there was nothing interesting in the source code other than the part where it will do a curl to an api

the api will take json data it seems

when curling seems like that response is the goal of the chall

curl -X POST https://kontactmi.challs.pascalctf.it/adminSupport -H "Content-Type: application/json" -d '{"code":"up-up-down-down-left-right-left-right-B-A"}'