tl;dr

• Challenge is a VM implemented over signals and ptrace
• Reverse Instruction types and implementation
• Use gdb scripting to find the executed code and get the pseudo VM code
• Reverse the VM functionality (Hill cipher) for flag and profit

tl;dr

1. Open a raw socket.
2. Craft the outgoing packets with the byte order of S-PORT, D-PORT, SEQ, ACK reversed.
3. Establish the three way handshake in this fashion.
4. Send “GET_FLAG” to the server.

tl;dr - Volatility + Corrupted file analysis
Full solution of Easy Husky challenge from ISITDTU Quals 2019.

Full solution of Acronym challenge from ISITDTU Quals 2019.
tl;dr - Steganography

tl;dr

Out of bounds write in trustlet ‘1’, allows us to write random bytes at an address of
our choice. We can write our shellcode to an rwx region with this, without any bruteforce.

Note: During the CTF we used a 1 byte brute-force to get write shellcode in the rwx segment and get shell. It was only afterwards that we realised that no bruteforce was required!

tl;dr

• You need to pass 999 levels to get the flag.
• Each of the levels involves multiple checks on input characters.
• Each check happens in seperate functions which are decrypted during runtime.
• Extract function order and arguments.
• Automate finding input for each check.

tl;dr

1. Find Elliptic Curve parameters from given points on the curve
2. Find x-coordinate of 2*P, given y-coordinate of 2*P
3. Invert 2 over mod (P.order()) and multiply the result with 2*P to get P
4. Submit ASIS{P.x} as the flag

Full solution of EZDSA challenge from MidnightSun CTF Quals 2019.

tl;dr retrieving key using Euler’s Criterion to break signature authentication

tl;dr solving RSA Digital Signature using it’s homomorphic property:

1. Calculate the signature of factors of message M to be signed, separately
2. Combine them by multiplication over modulus to get the signature of M

tl;dr Coppersmith’s Attack to recover RSA primes