## TrollcatCTF Writeup

I participated in TrollCAT CTF with my team, Pwnzorz, this weekend, and we placed 2nd! Considering that this was our first CTF in quite a while, we did really well, thanks to my amazing teammates Aayushman, Nils, and Uzay-G. Here are the writeups for the challenges I completed.

### Reversing - Solver

The challenge, archived here, says can you guess the password? and gives you a binary to reverse. Using ghidra, we get the following disassembly:

  1 2 3 4 5 6 7 8 9 10  if ((int)input + (int)*input == 100) { if ((int) input[0x12] + (int) input == 0xd6) { if ((int) input + (int) input == 0xb2) { if ((char) (input ^ input) == 0x4c) { if ((int) input - (int) input == 0x11) { if ((int) input - (int) input == 0x3b) { if (((int) input[0xb] + (int) input[0xc]) - (int) input[0xd] == 0x45) { if (((int) input[0xe] + (int) input[0xf]) - (int) input[0x10] == 0x1f) { if (((int) input[0x11] + (int) input[0x10]) - (int) input[0x12] == 0x58) { if ((char) (input[0x15] ^ input[0x13] ^ input[0x14]) == 0x45) {

Now, you could be smart, and know that you are supposed to use the z3 solver, or you could be me. I thought that it did not look very complex, so I got a pen and paper and started solving it manually. For example, the first line wants the sum of the fourth and first characters to be 100. So, I just assumed both of them to equal 50, which is 2 in ASCII. Similarly, I solved all of them manually in about 30 minutes. Finally, one input satisfying all the conditions is 2lY2Y4xAR?zEEE@@aajEEE. Finally, after connecting to the server using nc, we are asked the key. Giving it 2lY2Y4xAR?zEEE@@aajEEE gives us the flag!

### Web - Nested Exploration

The challenge is a link, and a hint saying something nice happens when we submit 69 times.

Looking at the requests in devtools, we can see that a POST request is made, followed by a GET request. The response of the POST request is empty, and the response of the GET request is the webpage with n forms, where n is the number of times we have submitted the form. I noticed that the request parameter has a number, and tried changing it to 69. However, this still gave me the same response. Then, I tried to look at the cookies set by the website. Sure enough, there was a cookie with a number that increased every time I submitted the form. I just set this to 68 and submitted the form, and sure enough, the flag was in a div in the end.

Share on WRITTEN BY