Hackappatoi CTF ’23 write ups

Mahmoud Elfawair
6 min read · Dec 10, 2023


Hey you, these are the challenges I solved:

  1. The four horsemen (REV)
  2. The first horseman (REV)
  3. The second horseman (REV)
  4. The third horseman (OSINT)
  5. The final horseman (REV)

1. The four horsemen

  • Here I didn’t even bother to open Ghidra to understand how the program works; I ran strings thefourhorsemen and I found this:
  • It looks like a flag, and since the {} characters aren’t changed to something else, I thought this might be rot13, and it was
  • I cleaned the encoded string and used CyberChef to decode the rot13

Flag : hctf{youre_ready_to_stop_the_apocalypse}
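The same triage can be scripted. The sketch below is an added example, not code from the original write-up: it pulls printable strings out of a binary blob, keeps anything shaped like a flag, and tries every Caesar shift (a generalisation of the rot13 guess above) until the known `hctf{` prefix appears. The sample bytes are constructed for the example and are not taken from the challenge binary.

```python
import codecs
import re
import string

# Printable ASCII without control whitespace, close to what strings(1) keeps.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
# Four lowercase letters, then a brace-delimited body: the shape of hctf{...}.
FLAG_SHAPE = re.compile(r"[a-z]{4}\{[^{}]+\}")

def extract_strings(blob, min_len=4):
    """Yield runs of at least min_len printable bytes."""
    run = bytearray()
    for byte in blob + b"\x00":  # trailing NUL flushes the last run
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()

def rotate(text, shift):
    """Caesar-shift letters only; digits, '_' and braces pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            ch = chr((ord(ch) - base + shift) % 26 + base)
        out.append(ch)
    return "".join(out)

def find_flags(blob, prefix="hctf"):
    """Return (shift, plaintext) for each flag-shaped string decoding to prefix{...}."""
    hits = []
    for text in extract_strings(blob):
        for match in FLAG_SHAPE.finditer(text):
            for shift in range(1, 26):
                plain = rotate(match.group(), shift)
                if plain.startswith(prefix + "{"):
                    hits.append((shift, plain))
    return hits

# Constructed sample: header bytes, a loader path, junk, then the encoded flag.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00/lib64/ld-linux-x86-64.so.2\x00\x13\x37"
          + codecs.encode("hctf{youre_ready_to_stop_the_apocalypse}", "rot13").encode()
          + b"\x00\xff\xfe")

if __name__ == "__main__":
    print(find_flags(SAMPLE))
```

Because braces, digits and underscores pass through a Caesar shift untouched, the flag shape survives encoding, which is why the regex can match before any decoding is attempted.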

2. The first horseman

  • This challenge was a pyc file
  • so I used a tool called pycdc (pycdc thefirst.pyc) to decompile the pyc file, and I got this code
from time import sleep
import codecs
print("You've inserted the key you found on the mysterious Laptop and you've been teleported to a place you don't know.")
print('All you can see is an enormous door keeping a castle safe. You approach it and with a bit of fear proceed to open it.')
print('In the middle of the hall you see a funny man, it seems the court jester, but still he scares you.')
print("'SHISH, SHISH' is the only thing he says, and now you realize he is the first horseman, ready to stop you from reaching further in your mission.")
print('The man walks towards you and tries to hit you multiple times! Avoid his punches!\n')

def shish():
    exit("The funny man manages to hit you. You fall on the ground.\nYou don't remember anything. All you know now is a word...\nSHISH\n")

f = [
'r3st',
'4s_a',
'b3_c',
'm4tt',
'l3t_']
l = [
'4ll0',
'30_1',
'7t3_',
'jkin',
'p1ck']
a = [
'5_th',
'3_4n',
'1t_1',
'00p5',
'1n_1']
g = [
'p1_7',
'3_w0',
't0g3',
'00_k',
'n0th']
s = [
'ear5',
'k!1!',
'1n6!',
'33p5',
'rd_!']
counter = 0
indexes = []

def print_flag():
    flag = ''
    flag += f[indexes[0]]
    flag += l[indexes[1]]
    flag += a[indexes[2]]
    flag += g[indexes[3]]
    flag += s[indexes[4]]
    flag = 'upgs{' + flag + '}'
    flag = codecs.encode(flag, 'rot13')
    print(flag)


# Punch 1: Ctrl+C has to arrive while counter == 4; if the loop finishes, shish() exits
try:
    for t in range(1, 6):
        print(f'''{t}...''')
        counter = t
        sleep(1)
    shish()
except KeyboardInterrupt:
    if counter == 4:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()


# Punch 2: expected counter is 2
try:
    for t in range(1, 6):
        print(f'''{t}...''')
        counter = t
        sleep(1)
    shish()
except KeyboardInterrupt:
    if counter == 2:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()


# Punch 3: expected counter is 1
try:
    for t in range(1, 6):
        print(f'''{t}...''')
        counter = t
        sleep(1)
    shish()
except KeyboardInterrupt:
    if counter == 1:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()


# Punch 4: expected counter is 2
try:
    for t in range(1, 6):
        print(f'''{t}...''')
        counter = t
        sleep(1)
    shish()
except KeyboardInterrupt:
    if counter == 2:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()


# Punch 5: expected counter is 5
try:
    for t in range(1, 6):
        print(f'''{t}...''')
        counter = t
        sleep(1)
    shish()
except KeyboardInterrupt:
    if counter == 5:
        print('\nYou dodged it\n')
        indexes.append(counter - 1)
    else:
        shish()


print('The man is tired, he just hands you a slip of paper, to open the next door.\nThis is what you read')
print_flag()
print("The man then says his last words...\n 'https://youtu.be/XH0CSzdHwg0?si=DOwRhOnorrc-WWIx'")
  • Things to understand about this code:
  1. It appends integer values to the indexes list
  2. It uses rot13 to encode the flag before printing it
  3. Each try/except block appends counter - 1 to the indexes list, but only when the KeyboardInterrupt arrives at the expected counter value, so the list ends up as [3,1,0,1,4]
  • I wrote this code to get the flag
import codecs

f = [
'r3st',
'4s_a',
'b3_c',
'm4tt',
'l3t_']
l = [
'4ll0',
'30_1',
'7t3_',
'jkin',
'p1ck']
a = [
'5_th',
'3_4n',
'1t_1',
'00p5',
'1n_1']
g = [
'p1_7',
'3_w0',
't0g3',
'00_k',
'n0th']
s = [
'ear5',
'k!1!',
'1n6!',
'33p5',
'rd_!']
counter = 0
indexes = []

def print_flag():
    flag = ''
    flag += f[indexes[0]]
    flag += l[indexes[1]]
    flag += a[indexes[2]]
    flag += g[indexes[3]]
    flag += s[indexes[4]]
    flag = 'upgs{' + flag + '}'
    flag = codecs.encode(flag, 'rot13')
    print(flag)


indexes = [3,1,0,1,4]

print_flag()

Flag : hctf{z4gg30_15_gu3_j0eq_!}
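The index list can also be derived from the decompiled text instead of being read off by hand. The following is an added example, not part of the original write-up: it matches the `if counter == N:` checks and the five fragment tables with regular expressions, so it works even when the decompiler output is not valid Python. `DECOMPILED` is a condensed copy of the relevant lines from the listing above, and `recover_flag` is a name chosen for this example.

```python
import ast
import codecs
import re

# Condensed copy of the decompiled source above: the five fragment tables and,
# in order, the five counter checks. Everything else is left out.
DECOMPILED = """
f = ['r3st', '4s_a', 'b3_c', 'm4tt', 'l3t_']
l = ['4ll0', '30_1', '7t3_', 'jkin', 'p1ck']
a = ['5_th', '3_4n', '1t_1', '00p5', '1n_1']
g = ['p1_7', '3_w0', 't0g3', '00_k', 'n0th']
s = ['ear5', 'k!1!', '1n6!', '33p5', 'rd_!']
indexes = []
if counter == 4:
if counter == 2:
if counter == 1:
if counter == 2:
if counter == 5:
"""

def recover_flag(source):
    """Return (indexes, printed_flag) using text matching only, no execution."""
    # List literals span several lines in the real output, hence DOTALL.
    tables = {name: ast.literal_eval(body)
              for name, body in re.findall(r"^(\w+)\s*=\s*(\[.*?\])",
                                           source, re.M | re.S)}
    expected = [int(n) for n in re.findall(r"if counter == (\d+):", source)]
    if len(expected) != 5:
        raise ValueError(f"expected 5 counter checks, found {len(expected)}")
    # Each handler runs indexes.append(counter - 1).
    indexes = [n - 1 for n in expected]
    # print_flag() takes one fragment from each of f, l, a, g, s, in that order.
    body = "".join(tables[name][i] for name, i in zip("flags", indexes))
    return indexes, codecs.encode("upgs{" + body + "}", "rot13")

if __name__ == "__main__":
    print(recover_flag(DECOMPILED))
```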

3. The second horseman

  • I found some cool stuff in the strings
  • I wrote this script to try them all
# Feed every flag-looking string from the binary to the program's stdin
for i in $(strings thesecondhorseman | grep -E "hctf.*") ; do
    echo "$i" | ./thesecondhorseman
done
  • Here I went to Ghidra to understand what is going on
  • I found the entry, then the main, and from the main I found a function, which I called check, that checks if the user input is correct or not
  • local_7c8 was the strings we found earlier, so I wrote this script to solve the challenge
with open("flags.txt", 'r') as f:
    flags = f.readlines()

flags = "".join(flags)

for i in range(41):
    print(flags[5 + i * 48], end="")

We got this: What_future_do_you_w/sh_for_our_children?

Flag : hctf{www.youtube.com/watch?v=hnBuaJDNagU}

4. The third horseman

  • We got this photo and the challenge was to find the name of the place, so after some Google reverse image search I found this:

and after searching for this pic on Google Maps I found that its name is: Villa San Martino

flag : hctf{villa_san_martino}

5. The final horseman

  • Here I used Ghidra; I went from the entry to the main function
  • The main function just prints some strings and then exits the program, and that is a hint for you to start looking for another function, and that is what I did
  • After reading some of the functions I found that some of them just print a character and then call another function that does the same, so here I went to gdb to jump to the function that prints the first character
start
breakrva 0x1849
jump *(0x555555555849)
c
  • Start the program and break at the base address of the function that calls the first character, then we get that address and jump to it; continue the program and you’ll get the flag (I’m using pwngdb btw)

Flag : hctf{https://youtu.be/vXejrAXXmkU}

Thanks for reading, hope you learn something :3
