a binary is provided by the challenge. Once you run it basically it forks itself where the child exit with some useless text and the father stops for input on __isoc99_scanf(). Now 0x8048788 it checks that our input (contained in $eax) is equal to the one in $esp+0x20 which keeps change every so for avoid boring guessing just do a : set $eax=(value in $esp+0x20). After this on 0x80486b7 there is another check that validate if $ebp-0xc is equal to 0x01. Since its will never be 0x01 we just set it with gdb: set *(address of $ebp-0xc)=0x1. The just set another breakpoint on 0x80486cc and go throught the task to see the flag:

0004| 0xbffff284 --> 0xbffff295 ("dignige01")

“dignige” dignige is the flag.


A txt file with RGB color pixel list is provided. Just set them into an image and the flag will appear:

import Image
in_file = open("flag.txt","r")
text =
splitted=text.split( )
img = 'RGB', (503,122), "black")
pixels = img.load()
for i in range(img.size[0]):
for j in range(img.size[1]):
pixels[i,j] = tuple(map(int,(splitted[index].split(','))))


This challenge link us on google searching for ‘Yashin Mehaboobe’ aka sp3ctr3 which is one of the staff’s memeber of this CTF. Googling a bit it pointed out that he has a github account and browsing his projects we found the flag here (on 3rd post):

Flag is djangounchained


The challenge give us a zip file protected by a password. The password is basically the name of the file which is containted in the zip. The file that will be extracted is another zip. For extract it just do what I said before. A script is coded for this boring part:

for i in {0..1519};do
pwd=`unzip -v $start | awk '{print $8}' | grep zip | sed 's/\.zip//'`
unzip -P $pwd $start
rm $start
echo $start

We have now a zip: which we have to bruteforce the password for extract the content:

./fcrackzip -u -c a1 -l 1-6

password is b0yzz

Ok now just extract it and disturbed wav file comes up. Just open it with Audacity and go throught the spectogram for the flag: BallsRealBolls

Razor4x, nurfed