304 North Cardinal St.
Dorchester Center, MA 02124

Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM

LASACTF 2016 Write-Ups (Part 2)

Here continues part 2 of my LASACTF 2016 write-ups!

For reference, I have part 1 of the write-ups here.

Helpful – 60 XP

I can’t Really C, I wonder who could help me out? I would really like their full name.”

Hints: [“zartik”, “You can solve this from any channel on freenode; aka no googling required!”]


While I wasn’t able to get the actual command (/help credits I believe) to work, I found a screenshot of the Freenode help credits.

LASACTF 2016 - Helpful

The flag was just zartik’s name, which is Daniel Hemmerich.

Client Side – 70 XP

“Kyle didn’t think his login form was secure enough, so he added Javascript! Smart Right?“,

LASACTF 2016 - Client Side


Taking a look at the source of the page, I saw that there was some form of validation on POST.

LASACTF 2016 - Client Side source

Viewing the login.php source showed that some simple SQL injection was likely in $query.

LASACTF 2016 - Login SQL

Attempting a standard SQL injection (admin // ‘ or 1=1 — -) in the login page returned an error, presumably from the previously mentioned validation.

LASACTF 2016 - Client Side validation

That said, throwing the payload into Burp logged me in and got the flag.

LASACTF 2016 - Login injection


Pixels – 90 XP

“We intercepted these images: QR1.png and QR2.png, but we don’t know how they go together! Figure out the hidden message!”


I first tried various QR software, as well as inverting the images, but nothing seemed to work.

After a bit more research, I decided to try to find the differences between the two images.

[email protected]:~/lasactf# convert QR1.png QR2.png \
> \( -clone 0 -clone 1 -compose difference -composite -threshold 0 \) \
> -delete 1 -alpha off -compose copy_opacity -composite -trim \
> QR.png

Once I ran the command, I was able to view my newly combined QR image with my barcode scanner.



Shiftier Letters – 120 XP

“There is a service running on, figure out how to talk to it.”


After connecting to the server a few times, I noticed that it would return a Caeser cipher with a random shift for each letter.

I tried to send the responses manually, but the server cut off after about ten seconds.

I wrote a quick and dirty Python script with a dictionary lookup to find real words in the plaintext.


import enchant
import socket
import string
from time import sleep

def caesar_letter(symbol, key):
    if symbol in string.ascii_lowercase:
        return string.ascii_lowercase[(string.ascii_lowercase.find(symbol) - key) % 26]
        return symbol

def caesar(msg, key):
    return ''.join(caesar_letter(l, key) for l in msg.lower())
def main():   
    #dictionary = enchant.Dict("en_US")
    dictionary = enchant.request_pwl_dict("wordlist.txt")
    s = socket.socket()
    host = ""
    port = 4056
    s.connect((host, port))
    while True:
        cipher = s.recv(1024)
        print cipher
        if cipher =="Incorrect" or cipher == "":
        for key in range(26):
            code = caesar(cipher, key)
            d = code.split()
            for word in d:
                if len(word) > 4:
                    if dictionary.check(word):
if __name__=="__main__":

Pointing this at the server, I was able to (after a few tries) get through the right number of challenges and receive the flag.

You made it to the end! lasactf{shif73d-3n0ugh-ar3-we}

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.