Creating Logic Circuits in Powder Toy
Despite having an entire category of materials devoted to electronics, making logic circuits in The Powder Toy is surprisingly hacky - although definitely possible! Here’s a demo I made where the flag only lights up for input 0100111. Let’s go through some tricks to make your own … Make sure you understand what logic gates are and how they work before continuing! Also, familiarise yourself with these handy Powder Toy shortcuts....
Magic Beans - DuckCTF 2023
We’re presented with a largely static, single-page site - save for one input field that doesn’t seem to be processed on the client side. The challenge description also draws special attention to ‘columns’ and ‘tables’. Given that there aren’t any HTML tables in the source, instinct says this might involve a database. If we try a classic single-quote injection (') we see the quote suspiciously disappear. Adding on both a semi-colon to terminate the SQL statement and a comment afterwards ('; -- ) we see that vanish as well!...
Blurry-Eyed - UACTF 2022
Based on the description, you may have determined that we are dealing with an autostereogram, better known as a magic eye puzzle. As such, you can theoretically just stare at the picture with great intensity until the flag reveals itself to you. If you did manage to solve this challenge with only your eyes then you are amazing. Discerning simple shapes is difficult, let alone a short sentence. If you are a mere mortal, an alternative way to solve this challenge is to use any of the online stereogram-solving tools that exist (this one’s pretty good)....
Colour Blind - UACTF 2022
While running the image through stegsolve/stegonline or manipulating the pixels in your favourite image editor won’t work, a hex editor should show you that the data portion of the bitmap contains more than two distinct hex values. Checking the image properties should also indicate that ishihara.bmp is a 16-color bitmap image, and as such, each hex value denotes a different colour. Hence, we know that the image contains a wider range of colours than are being shown....
Evil Eval - UACTF 2022
Trying a variety of inputs over netcat, you’ll quickly discover two key pieces of information from the error messages: (1) the characters ‘f’, ‘l’, ‘a’, ‘g’, ‘.’, ‘t’, ‘x’, ‘t’, and ‘`’ are all blocked; (2) our input can’t have more than eight distinct characters. We can infer that our goal is something to the effect of making a system call like cat flag.txt in eight or fewer characters. Looking through Ruby’s pre-defined variables, we can see that $" denotes a long list of module names (loaded by require) which we can potentially character index and frankenstein together to write out “flag....
Non-textual Troubles - UACTF 2022
It turns out that in Python 3, attempting to write non-ASCII characters to a file without using ‘binary mode’ (a mode which deals with ‘non-textual data’, hence the name of the challenge) has some less-than-ideal results. Indeed, if you tried providing your plain text to xor.py you might have noticed that there are somehow more bytes in the cypher-text after XORing than you started with in your plaintext. Ultimately, it appears that the write....
notes - UMassCTF '21
Looking at the .mem file extension, memory forensics - and more specifically volatility - seems like it’s going to be our friend here. Starting with volatility -f image.mem imageinfo we get Win7SP1x64 as our top suggested image profile (also confirming that we’ve got a valid dump). Using one of volatility’s coolest features we can use mkdir shots && volatility -f image.mem --profile=Win7SP1x64 screenshot --dump-dir=shots to get the following wire-frame screenshot from memory....
Small P Problems - UTCTF 2021
The challenge description starts ‘My buddies Whitfield and Martin were trying to share a secret key’, so googling something like ‘Whitfield Martin cypher’ seems like a good place to begin. Immediately we get results for the Diffie–Hellman key exchange, which fortunately can be described in terms of A, B, p, g, and s (the value of the secret key we need). Scripts to brute-force this secret key are easy to find on GitHub....
Various Vernacular - UTCTF 2021
We’re given the encrypted flag wmysau{foeim_Tfusoli} along with some additional encrypted text to help us: ‘Hkgxologflutleiaymt xgf Azutgkrftmtf ltmntf ERW wfr ELW wfmtk Rkweq’. Some familiarity with common cyphers, along with the hint ‘This is a substitution cypher’, gives us a pretty good direction to pursue, so we decided to use this online tool for brute-forcing the solution. However, brute-forcing the text rendered nothing more decipherable than the initial text....
NeverLAN CTF 2020 Write-up
Browser Bias: This challenge gives us very little information, just a URL to a site that tells us ‘Sorry, this site is only optimized for browsers that run on commodo 64.’ However, this also narrows our focus down to a singular goal - trying to convince the website that we are accessing it from whatever a ‘commodo 64’ is. The first thing we need to know is how the browser can determine what type of client is making a request to it....