Posts

License To Rev We were trying to get the flag from this binary we purchased a few months ago, but we lost the license, maybe you can help? Initial recon Quick analysis of the file with file, checksec, and strings: $ file license_to_rev license_to_rev: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=57b17cbf053e49beb230558396cb8f08f90e7daa, for GNU/Linux 4.4.0, not stripped $ checksec license_to_rev [*] Checking for new versions of pwntools To disable this functionality, set the contents of /home/kali/.cache/.pwntools-cache-3.13/update to 'never' (old way). Or add the following lines to ~/.pwn.conf or ~/.config/pwn.conf (or /etc/pwn.conf system-wide): [update] interval=never [*] A newer version of pwntools is available on pypi (4.14.1 --> 4.15.0). Update with: $ pip install -U pwntools [*] '/home/kali/metactf_ctf 2026 feb/license_to_rev' Arch: amd64-64-little RELRO: Partial RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled Stripped: No $ strings license_to_rev ... Error: invalid embedded license archive. That is not the correct license. Invalid license. This license has expired. Please contact support for a new license. EXPIRY_DATE= license.txt= license.txtPK EMBEDDED_ZIP ENCRYPTED_MESSAGE ... $ ./license_to_rev Usage: ./license_to_rev <license-file> A license file is required to use this product. Each copy is individually licensed. Please provide the path to your license file. Without a valid license, the program cannot continue. Key observations: ...

The challenge Quinn was ecstatic when she received a invitation to “A Haunting Halloween Bash!” The design was perfectly eerie, and she saved it immediately. But the spooky fun didn’t stop there. A few hours later, her computer started acting strangely. Her cursor flickered, and she could swear she heard faint, ghostly whispers coming from her speakers. The final chilling event occurred when her desktop wallpaper suddenly changed to a glitched, haunting version. Is her computer just getting into the spirit of the season, trying to cosplay for Halloween? Or is there something more sinister lurking… ...

NOThing to C Here Move along, NOThing to see here, no flags in sight… Running file against the executable: └─$ file NothingToC NothingToC: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=d1f89a3ac713a435ad3b35e178b2d49548640c86, for GNU/Linux 4.4.0, stripped The binary provided with the challenge is a 64-bit, dynamically linked, PIE-enabled, stripped of debug info. Executing the binary: └─$ ./NothingToC === NOTing To C Flag Checker === Ready to check your flag? Let's see what you've got! Enter the flag to check: AAAA Oops! Your flag is 4 characters long, but I'm looking for exactly 28 characters. Maybe count your characters next time? Hmm... that does NOT look right... It appears that the executable expects the flag as input and requires it to be 28 characters long. ...

MetaCTF February 2025 Flash CTF consists of 5 challenges. Cookie Crackdown We’re auditing some websites to check if they’re GDPR compliant, and I’m pretty sure this site isn’t… Upon loading the site, we are presented with a modal requiring us to consent to cookies. From the challenge description and the web page, we can assume that the flag is probably stored as a cookie. Pressing F12 will bring up the Developer menu. Navigating to the Application tab and then selecting Cookies will reveal a cookie conveniently named flag. ...

MetaCTF November 2024 Flash CTF consists of 5 challenges. Slithering Security Help me test my sssecurity, can you get the flag from this ssssecure sssscript? Download the challenge file here. We are provided with a small Python script that prompts the user for a password. If the correct password is entered, the script reveals the flag. Here’s the code: #!/usr/bin/env python3 SECRET_FLAG=b"\x54\x57\x56\x30\x59\x55\x4e\x55\x52\x6e\x74\x6b\x4d\x47\x34\x33\x58\x7a\x64\x79\x64\x58\x4d\x33\x58\x32\x4e\x73\x4d\x57\x34\x33\x63\x31\x39\x33\x61\x54\x64\x6f\x58\x33\x4d\x7a\x59\x33\x49\x7a\x4e\x33\x4e\x7a\x63\x33\x4e\x7a\x63\x33\x4e\x39" HASHED_PASSWORD = b'\x12\x1eW\x98\x00\xc1C\xff\xe3\xa9\x15\xde\xd9\x00\x9b\xc9' from base64 import b64decode from hashlib import md5 def check_password(password): m = md5() m.update(password) return m.digest() == HASHED_PASSWORD def main(): while True: inp = input("Please enter your passssssword: ").encode() if check_password(inp): print(f"Well done, your flag isssssss {b64decode(SECRET_FLAG).decode()}") exit() else: print("Passsssssword incorrect, please try again.") if __name__ == "__main__": main() Both the password and the flag are represented in hexadecimal format, but the flag is further encoded in Base64. To extract the flag, we can use CyberChef or the terminal. Using awk, we can strip out the \x delimiters, convert the hexadecimal to ASCII, and then pipe the result into base64 for decoding. ...