待续。

Misc

Serial

1	nc misc.chal.csaw.io 4239

考察数据奇偶校验。nc连上后，如下：

root@chybeta:~/Desktop/test# nc misc.chal.csaw.io 4239
8-1-1 even parity. Respond with '1' if you got the byte, '0' to retransmit.
00110010001
0 # ps: 这是我发送的
00100011001

初次连上后，会给出一个字符串 00110010001，根据偶校验，选择发送是0还是1，然后服务器端会再返回下一个字符串。

从给出的提示信息，以及结合串口通信标准来看，每次我们收到的字符串总共是11位，其中第一位都是0，表示数据的开始，剩下的数据满足8-1-1，是指有8位数据位，1位校检位，以及1位的停止位。

比如说：00110010001

起始位	数据位	奇偶校验位	停止位
0	01100100	0	1

这里数据位中1的个数是3，为奇数，奇偶校验位本应该为1，但接受的数据的奇偶校验位为0，说明发生了错误。根据题目的信息：

1	Respond with '1' if you got the byte, '0' to retransmit.

我们要返回一个 0。

最后的脚本如下：

from pwn import *
r = remote("misc.chal.csaw.io",4239)
r.recvuntil("Respond with '1' if you got the byte, '0' to retransmit.\n")
flag = ""
while True:
	try:
		s = r.recv()
		data = s[1:9]
		even = s[9]
		end = s[10]
		num = 0
		for i in  data:
			if i == '1':
				num = num + 1
		if (num % 2 == 0  and even == "0") or (num % 2 != 0 and even == "1") :
			r.sendline("1")
			flag += chr(int(data,2))
			# print(chr(int(data,2)))
			log.info(flag)
		else:
			r.sendline("0")
	except:
		break
log.success("The flag : " + flag)

最后得到的flag：

1	flag{@n_int3rface_betw33n_data_term1nal_3quipment_and_d@t@_circuit-term1nating_3quipment}

CVV

1 2	Hey fam, you got CVV? I need some CVV! nc misc.chal.csaw.io 8308

Twitch Plays Pwnable

1
2
3

How long does it take several thousand hackers to exploit a buffer overflow?
https://twitch.tv/csawtv
UPDATE 8:03 Eastern: Apparently the answer is ~10 hours to not exploit the overflow.

Forensics

Missed Registration

It's registration day! These forms just seem longer and longer...
UPDATE 10:44 Eastern: New pcap that should be a bit easier to work with.
UPDATE 2:58 Eastern: We're regenerating due to flag leaks, submissions disabled until then. Please be patient.
Update 3:31 Eastern: Updated pcap with new flag after leak. Please re-run your solutions on the file!

追踪TCP流看一下。

Forensics

Best Router
http://forensics.chal.csaw.io:3287
NOTE: This will expand to ~16GB!
19:00 Eastern: updated. Old flags have been removed.