Rescue Mission

Idk how this is scripting? We get a PowerShell shell.

gci -r shows us the path of flag.png

[Convert]::ToBase64String([IO.File]::ReadAllBytes("/c_drive/stuck_in/the_ocean/flag.png"))

Just load that into CyberChef, decode, and render the image.

Flag: flag{thanks_you_saved_me}

Misdirection

So uh, Will noticed that each of the URLs it redirects you to has a character of the flag in the HTTP body, so just script grabbing the URLs and then script curling them.

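import re
import subprocess

def curl(*args):
    # Argument list, no shell: the Location value is server-controlled
    return subprocess.run(["curl", "-s", *args], capture_output=True, text=True).stdout

url = "http://jh2i.com:50011/site/flag.php"
urls = []
# Follow the redirect chain by hand, recording each hop, until the URL contains 'sorry'
while 'sorry' not in url:
    data = curl("-I", url)
    # strip() drops the trailing \r of the CRLF-terminated header line
    url = "http://jh2i.com:50011" + re.findall("Location: (.*)", data)[0].strip()
    print(url)
    urls.append(url)
print(urls)
flag = ''
for url in urls:
    data = curl(url)
    if data:
        # Take the second-to-last character of the body as this hop's flag character
        flag += data[-2]
        print(flag)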

Flag: flag{http_302_point_you_in_the_right_redirection}

Hashbrown Casserole

When we connect, we are given a hashsum (sha1/md5) and asked to send data, that when hashed, begins with a particular few bytes.

We have to bruteforce a value to create this, 50 times.

Flag: flag{warm_casseroles_for_breakfast!!!}

Tootsie Pop

Yeah, it's another one of those nested compression challenges. Inside of the zip is a gzip compressed file, which has a compressed file of a compressed file, etc. etc. etc.

Anyway, all of the archive types it uses are extractable using 7z e

So I just used a script to continuously extract the current archive and then remove it until it could not be extracted anymore. Then, you can simply cat the last file left to get the flag, flag{the_answer_is_1548_licks}

NOTE: My script was called popper.py, you'll have to replace popper.py in the script with whatever you call your script.

Flag: flag{the_answer_is_1548_licks}

Scripting

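# Hashbrown Casserole solver
import string
from hashlib import md5, sha1

from pwn import *
from pwnlib.util.iters import mbruteforce

# Map the tool name the server announces to the matching hashlib constructor
methods = {"md5sum": md5, "sha1sum": sha1}
host = ("jh2i.com", 50005)

# Candidate alphabet: every byte value except CR/LF, which would end the line early
#chars = string.printable
chars = [chr(c) for c in range(256)]
chars.remove('\r')
chars.remove('\n')

r = remote(*host)
for x in range(50):
    r.recvuntil(b'Enter the data required for the first part of the ')

    # pwntools returns bytes; decode so the dict lookup and startswith() work on str
    method = r.recvuntil(b' ')[:-1].decode()
    hasher = methods[method]
    r.recvuntil(b': ')
    prefix = r.recvline().strip().decode()

    def checkhash(candidate):
        # latin-1 maps each character 0-255 to the single byte of the same value
        return hasher(candidate.encode('latin-1')).hexdigest().startswith(prefix)

    print("Goal: " + prefix)
    print("Method: " + method)
    key = mbruteforce(checkhash, chars, 5, method='upto')
    print(list(key))
    r.clean()
    r.sendline(key.encode('latin-1'))
    print(r.recvline(timeout=0.5))
print(r.clean(timeout=0.5))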
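
# popper.py (Tootsie Pop)
import os
import subprocess

def getnext(cur):
    # Argument list instead of a shell string: archive member names are untrusted
    code = subprocess.run(["7z", "e", "--", cur], stdout=subprocess.DEVNULL).returncode
    if code:
        # 7z fails once the remaining file is no longer an archive
        print("Extraction error... quitting!")
        quit()
    files = os.listdir('.')
    files.remove(cur)
    files.remove("popper.py")
    print(files[0])
    os.remove(cur)
    return files[0]

cur = "pop.zip"
while True:
    cur = getnext(cur)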
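
The same layer-peeling loop as popper.py, redone as an added example (not the author's script): it identifies each layer by its magic bytes and unpacks in memory with Python's standard library instead of shelling out to 7z, so member names from the archive never reach a shell or the filesystem. It assumes only zip, gzip, bzip2 and xz layers with one member each; the caps and the sample input are constructed for the example.

```python
import bz2, gzip, io, lzma, zipfile

MAX_LAYERS = 5000            # assumed cap: stops endless or cyclic nesting
MAX_BYTES = 64 * 1024 ** 2   # assumed cap per layer: stops decompression bombs

def _bounded(stream):
    """Read one layer's payload, refusing anything larger than MAX_BYTES."""
    data = stream.read(MAX_BYTES + 1)
    if len(data) > MAX_BYTES:
        raise ValueError("layer exceeds MAX_BYTES")
    return data

def peel_once(blob):
    """Return the payload of one layer, or None if blob has no known magic."""
    src = io.BytesIO(blob)
    if blob[:4] == b"PK\x03\x04":                  # zip local file header
        with zipfile.ZipFile(src) as z:
            names = z.namelist()
            if len(names) != 1:
                raise ValueError(f"expected 1 member, got {len(names)}")
            with z.open(names[0]) as member:       # read in memory, nothing written to disk
                return _bounded(member)
    if blob[:2] == b"\x1f\x8b":                    # gzip
        return _bounded(gzip.GzipFile(fileobj=src))
    if blob[:3] == b"BZh":                         # bzip2
        return _bounded(bz2.BZ2File(src))
    if blob[:6] == b"\xfd7zXZ\x00":                # xz
        return _bounded(lzma.LZMAFile(src))
    return None

def peel(blob):
    """Strip layers until the payload is no longer an archive; return (payload, layers)."""
    for layers in range(MAX_LAYERS):
        inner = peel_once(blob)
        if inner is None:
            return blob, layers
        blob = inner
    raise ValueError("more than MAX_LAYERS layers")

def build_sample():
    """Constructed input: a placeholder payload wrapped as zip(gzip(bzip2(xz)))."""
    blob = gzip.compress(bz2.compress(lzma.compress(b"constructed sample payload\n")))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("layer.gz", blob)
    return buf.getvalue()

if __name__ == "__main__":
    print(peel(build_sample()))
```

For the real challenge file, pass the bytes of pop.zip to peel(); a layer in a format outside the four listed is returned as the final payload, so check its leading bytes if the result does not look like a flag.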

Flushed

We get a shell, and get the output in large ASCII text. There's a PNG of the flag. Here's my script (stupid probably). I got 1/3 of the image and guessed the rest lol

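import string

from pwn import *

host = ("jh2i.com", 50015)

# Rendered glyph (six output rows) for each character we expect to read back
mapc = {}

r = remote(*host)

def runCmd(cmd):
    # Send one command and keep only the six rows holding the ASCII-art glyph
    r.clean()
    r.sendline(cmd.encode())
    return r.clean(timeout=0.3).split(b"\r\n")[2:8]

# Only the base64 alphabet is needed; echoing a quote or whitespace inside '...' would break the command
for c in string.ascii_letters + string.digits + "+/=":
    mapc[c] = runCmd(f"echo '{c}'")

def lookup(val):
    # Reverse lookup: glyph rows -> character (None if the glyph is unknown)
    for k, v in mapc.items():
        if v == val:
            return k

def readOutput(cmd):
    # Read the command's output one character at a time via `expr substr`
    template = "expr substr $({}) {} 1"
    output = ""
    for c in range(1, 9293):
        out = runCmd(template.format(cmd, c))
        char = lookup(out) or '?'  # '?' marks a glyph that matched nothing in mapc
        print(char, end='')
        output += char
    return output

print(readOutput("base64 flag.png -w0"))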

Flag: flag{flushed_down_the_toilet_but_rescued_again}

Tony's challenge afterthoughts:

OH MY GOD I COULD HAVE CHEESED IT

ONLY STDOUT IS ASCII-ARTED

SO

base64 -w0 flag.png 1>&2

FUCKING YEAH DOES IT REEEEEEEEEEEEEEEEEEEEEEEEEE