Merge branch 'develop' into 'master'

Develop

See merge request CampusCyberSecurityTeam/ctfs!24

participations.md

 # List of our participations and results
 
 The list won't be complete though, so it would be better to check out our team's
-[ctftime.org profile](https://ctftime.org/team/31301). Any ctf listed here is
-guaranteed to have some writeups though.
+[ctftime.org profile](https://ctftime.org/team/31301). 
 
 Most recent participations are at the top.
 
+
+## 2019 
+
+| Date | CTF | Type | Result (Rank / points) | Writeups |
+|------|-----|------|----------------------|---------------|
+| April, 9th - 26th |[ångstromCTF 2019](https://2019.angstromctf.com/) | Jeopardy | 104/1140 | [Writeup](/writeups/2019/angstromctf2019.md) |
+| April, 12th - | [WPICTF 2019](https://wpictf.xyz/) | Jeopardy | 113/ 481 | [Writeup](/writeups/2019/wpictf2019.md) |
+| March, 29th-31st | [VolgaCTF 2019 Qualifier](https://q.2019.volgactf.ru)| Jeopardy | 407/50 | [Writeup](/writeups/2019/volgaqualifier2019.md) |
+| March, 23rd-25th | [0CTF/TCTF 2019 Quals](https://ctf.0ops.sjtu.cn) | Jeopardy | 900/1 | n.a. | 
+| March, 14th-17th | [Pragyan CTF](https://ctf.pragyan.org)| Jeopardy | 93/1075 | [Writeup](/writeups/2019/pragyanctf2019.md) |
+| February/March, 22nd - 3rd | [TAMUctf 19](https://tamuctf.com/) | Jeopardy | 216 / 7720 | [Writeup](/writeups/2019/tamuctf2019.md) |
+| Jan/Feb, 31th -3rd| [NeverLAN CTF 2019](https://ctf.neverlanctf.com/) | Jeopardy | 143 / 4240 | [Writeup](/writeups/2019/neverlan2019.md) |
+
+
+
+## 2018
+
+| CTF | Type | Result (Rank / points) | Documentation |
+|-----|------|----------------------|---------------|
+Security Fest CTF | Jeopardy | 351/51 |	n.a. |
+PlaidCTF 2018  | Jeopardy | 652/1 | n.a. |
+Sunshine CTF 2018 | Jeopardy |	363 /151 | n.a. |
+INS'hAck 2018 | Jeopardy | 240/120 | n.a. |
+angstromCTF 2018 | Jeopardy | 622/520 | n.a. |
+Pragyan CTF 2018 | Jeopardy | 299/400.0000 | n.a. |
+
 ## 2017
 
 | Date | CTF | Type | Result (Rank / points) | Documentation |

writeups/2019/volgaqualifier2019.md

+# VolgaCTF 2019 Qualifier
+Fr, 29. März, 15:00 – So, 31. März, 15:00 (UTC -> unsre Zeit: UTC + 2h wegen der Sommerzeit)
+Format: Jeopardy
+URL: https://q.2019.volgactf.ru
+
+Flag format: Flags match /VolgaCTF{[\x20-\x7F]+}/ unless stated otherwise.
+    
+    
+## Crypto
+
+### Blind
+
+Pull the flag...if you can.
+
+nc blind.q.2019.volgactf.ru 7070
+
+server.py
+
+
+* Downloaded server.py
+  Inside server.py is a signature scheme, which should be meallable because of missing padding
+  
+      class RSA:
+        def __init__(self, e, d, n):
+            self.e = e
+            self.d = d
+            self.n = n
+
+        def sign(self, message):
+            message = int(message.encode('hex'), 16)
+            return pow(message, self.d, self.n)
+
+        def verify(self, message, signature):
+            message = int(message.encode('hex'), 16)
+            verify = pow(signature, self.e, self.n)
+            return message == verify
+
+
+        """
+            Keys
+        """
+
+        n = 26507591511689883990023896389022361811173033984051016489514421457013639621509962613332324662222154683066173937658495362448733162728817642341239457485221865493926211958117034923747221236176204216845182311004742474549095130306550623190917480615151093941494688906907516349433681015204941620716162038586590895058816430264415335805881575305773073358135217732591500750773744464142282514963376379623449776844046465746330691788777566563856886778143019387464133144867446731438967247646981498812182658347753229511846953659235528803754112114516623201792727787856347729085966824435377279429992530935232902223909659507613583396967
+        e = 65537
+
+* each sended command needs to have a signature in first place, except `ls`,`dir` and `sign`, in that cases value can be anything
+
+
+        nc blind.q.2019.volgactf.ru 7070
+        Enter your command:
+        1111111111111111111 ls
+        flag
+        private_key.py
+        server.py
+
+* Thought about to sign head command
+
+        nc blind.q.2019.volgactf.ru 7070
+        Enter your command:
+        11111111111 sign
+        Enter your command to sign:
+        head
+        20275069071548779572208893615644419624451615369191362966175846926294259506016811799699644144920562599576055644778712159879054253852115822451424065292290985812759628808077017944182253104278384050341704729064006033921374111969188527405978968604384720551978024971337535214404185920849345756995157341066226332818964615115606350373558744365405655549553298399046132897296617579125282522286703000455614201337358481434013829599993141748694427274500341628982048229159095971462179588601354418476986721406159707190169758576045885261085168988093325435224556510189756850935569260144361567755271205114770079424962203808900221280764
+
+
+
+        Enter your command:
+        20275069071548779572208893615644419624451615369191362966175846926294259506016811799699644144920562599576055644778712159879054253852115822451424065292290985812759628808077017944182253104278384050341704729064006033921374111969188527405978968604384720551978024971337535214404185920849345756995157341066226332818964615115606350373558744365405655549553298399046132897296617579125282522286703000455614201337358481434013829599993141748694427274500341628982048229159095971462179588601354418476986721406159707190169758576045885261085168988093325435224556510189756850935569260144361567755271205114770079424962203808900221280764 head flag
+        Unknown command head
+Seems that we need to use the cd and cat command.
+
+* new idea BLIND: seems we cannot get a signature for cat because of:
+
+        if sign_cmd not in ['cat', 'cd']:
+             sgn = signature.sign(sign_cmd)
+            send_message(str(sgn))
+                        
+  But RSA signatures can be blinded
+```python  
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+
+"""
+    Signature
+"""
+import gmpy2
+
+
+class RSA:
+    def __init__(self, e, d, n):
+        self.e = e
+        self.d = d
+        self.n = n
+
+    def sign(self, message):
+        message = int(message.encode('hex'), 16)
+        print("rsamsg:",message)
+        return pow(message, self.d, self.n)
+
+    def verify(self, message, signature):
+        message = int(message.encode('hex'), 16)
+        verify = pow(signature, self.e, self.n)
+        return message == verify
+
+    
+"""
+    TEST
+"""
+p=21563957808398119329545349513312897291720371794644161565433575994922624494866014735925135594671402533520230648695949559828278766299067426136066601816643711
+q=22708406967509416561081471369947020796745437757938294005271339336356008357234294069698063747451399564794968797317330497407167861251551902204973484175503837
+
+n=p*q
+phi=(p-1)*(q-1)
+e = (1 << 16) + 1
+d = gmpy2.invert(e, phi)
+print(e,d,n)
+ 
+signature = RSA(e, d, n)
+
+#generate sig for cat
+msg="cat"
+catsig=signature.sign(msg)
+print("catsig:",int(catsig))
+print(signature.verify(msg,int(catsig)))
+
+#generate a blinding factor r^e
+r=3
+r_blind=pow(r, e, n)
+
+# extract blind message m'=m*r^e
+msg_int=int(msg.encode('hex'), 16)
+msgblind_int=gmpy2.mpz(msg_int*r_blind%n)
+print("msgblind_int:",msgblind_int)
+#msgblindhex=int_to_str(msgblind_int)
+msgblindhex=msgblind_int.digits(16) 
+print("msgblindhex:",msgblindhex)
+msgblind=msgblindhex.decode('hex')
+print("msgblind:",msgblind)
+
+#generate sig for blindmsg s'=m'^d
+msgblindsig=signature.sign(msgblind)
+print("msgblind:",msgblind)
+
+# generate inverse r^-1
+blindinv=gmpy2.invert(r,n)
+
+# recalculate signature s=s'*r^-1
+testsig=msgblindsig*blindinv%n
+print("msgblind:",testsig)
+print(signature.verify(msg,int(testsig)))
+```
+
+* but there is still a problem with shlex.split(msgblind) at the ctf server like `No closing quotation` or the `Signature verification check failed`. 
+
+
+```python
+...
+n = 26507591511689883990023896389022361811173033984051016489514421457013639621509962613332324662222154683066173937658495362448733162728817642341239457485221865493926211958117034923747221236176204216845182311004742474549095130306550623190917480615151093941494688906907516349433681015204941620716162038586590895058816430264415335805881575305773073358135217732591500750773744464142282514963376379623449776844046465746330691788777566563856886778143019387464133144867446731438967247646981498812182658347753229511846953659235528803754112114516623201792727787856347729085966824435377279429992530935232902223909659507613583396967
+e = 65537
+
+
+for r in range(2,1000000):
+    r_blind=pow(r, e, n)
+    #msg="cat"
+    msg="cd"
+    # extract blind message m'=m*r^e
+    msg_int=int(msg.encode('hex'), 16)
+    msgblind_int=gmpy2.mpz(msg_int*r_blind%n)
+    msgblindhex=msgblind_int.digits(16) 
+    try:
+        msgblind=msgblindhex.decode('hex')
+    except:
+        continue
+    msgblindsend=msgblind.encode("base64")
+    cmd_l=[]
+    try:
+        cmd_l = shlex.split(msgblind)
+        print(len(cmd_l))
+        print(cmd_l[0])
+    except:
+        continue
+    if len(cmd_l)==1:
+            print(r,"msgblind:",msgblind)
+            print("msgblindsend: ",msgblindsend)
+            print (r)
+            break
+
+r_cd=r
+
+# generate inverse r^-1
+blindinv=gmpy2.invert(r_cd,n)
+
+
+#catblindsig=
+#cdblindsig=
+
+# recalculate signature s=s'*r^-1
+#catsig=int(catblindsig)*blindinv%n
+#cdsig=int(cdblindsig)*blindinv%n
+#print("catsig:",int(catsig))
+#print("cdsig:",int(cdsig))
+
+```
+
+
+
+
+## PWN
+
+
+warm
+
+How fast can you sove it? nc warm.q.2019.volgactf.ru 443
+
+warm
+
+* Downloaded warm
+
+        file warm
+        warm: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=c549628c0b3841a5fd9a23f0faaf6b51eb858e94, stripped
+
+seems to run on ARM architecture and is stripped
+
+* strings
+
+        _ITM_registerTMCloneTable
+        H	KxD	J{D
+        J{DzD
+        x`xh
+        x{h	3
+        {h	3
+        x`9`{h
+        :h !
+        x`9`.L|D.K
+        'K{D
+        8a;i
+        ?JFAF8F
+        FLAG_FILE
+        flag
+        Incorrect! Try again!
+        Unable to open file
+        Unable to open %.*s file!
+        Unknown error
+        Hi there! I've been waiting for your password!
+        
+## Web [100]
+
+Shop
+Our famous shop is back!
+
+You can sign up with any username and password and get 100 free credits. It is possible to buy stuff. One of which is the flag that costs 1337 -> we somehow have to modify our credits.
+
+
+
+        
+## Antifake [50 SOLVED]
+
+Horrible retelling
+Someone sent us the news for publication. It seems an actual error, except for spelling.
+
+"Scientists found the oldest telescope This tool was used by seafarers from Portuge. British researchers report that scientists explore Arabian sea bottom. There are a lot of wrecks. Last week one of the Scientist journal published an article about discovering a special device. It’s looks like big coin with a hole in its centre. Historians classed it as an oldest device of its tipe. Researchers suggest that it was used in middle ages or mayby earlier. One of the most special detail of telescope is a pattern rounds telescope. It includes a Picture of the Earth. At the turn of the Middle ages that was associated with a Portuguese king. There is only one same devise has been fond before. But researchers don’t sure about age of it. Altogether there are more tahn hundred same artifacts. New one isn’t most old. But its’s unique with its decoration. Besides in the latest Middle ages navigator sed more precise devices"
+
+solution: **Astrolabe**
+
+