The analysis of the code showed us that every byte in the encoded text is a result of XOR operations on 3 values: byte from input, byte from special table with values 0-128 and byte from key.
58
-
If the the key was too short, it was extended byt duing a left bitshift, the some more bit operations and in the end it was appended to the original key.
58
+
If the the key was too short, it was extended by doing a left bitshift, the some more bit operations and in the end it was appended to the original key.
59
59
Shifting bits of element of the key in order to get a new element of the key means that for sufficiently large text some bytes will be xored with original key, next bytes with shifted key etc.
60
60
Out of those 3 elements xored to get the ciphertext/plaintext only the key could have a lighted higest bit, since when the key was "extended" it was shifting bits to the left. This means that we could check if the higest bit of ciphertext is lighted or not and based on that decide if the highest bit of the key was lighted or not.
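Review bot: the replacement line still carries two errors this hunk was meant to fix: `If the the key` has a doubled `the`, and `the some more bit operations` should read `then some more bit operations`. Suggested line: `If the key was too short, it was extended by doing a left bitshift, then some more bit operations, and in the end it was appended to the original key.` The unchanged context lines also spell `highest` as `higest` and use `lighted` where `set` is the usual term for a bit; those are outside this change but worth a follow-up.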
File: 2015-11-20-dctffinals/web200/README.md (+8 -8)
@@ -2,6 +2,8 @@
2
2
3
3
### PL
4
4
5
+
[ENG](#eng-version)
6
+
5
7
W zadaniu dostajemy link do webowego uploadera plików, oraz informacje, że mamy wyciągnąć jakieś informacje z tabeli `flag`.
6
8
Analiza uploadera oraz jego działania pozwala zauważyć, że uploader po załadowaniu pliku pobiera z niego dane `exif` a następnie na podstawie pola `exif.primary.Software` wyszukuje w bazie danych oraz wyświetla zdjęcia utworzone tym samym oprogramowaniem.
7
9
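Review bot: the new `[ENG](#eng-version)` link is placed correctly under `### PL`, and its target matches the slug GitHub generates for the `### ENG version` heading. For symmetry, consider adding the reverse `[PL](#pl)` link under the ENG heading so readers of either section can jump to the other.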
@@ -22,14 +24,14 @@ W związku z tym postanowiliśmy wykorzystać atak `remote timing` na bazę dany
Funkcja benchmark wykonuje podany kod tyle razy ile wynosi pierwszy argument. W naszym przypadku wartość boolean jest zamieniana na liczbę za pomocą unarnego minusa a następnie bity są negowane. Problem z tym roziązaniem polegał na tym, że taki benchmark wykonuje się bardzo (!) długo a w naszym kodzie uruchamiamy go dla każdego nie pasującego symbolu, więc dla każdego zgadywanego znaku pesymistycznie prawie 40 razy.
27
+
Funkcja benchmark wykonuje podany kod tyle razy ile wynosi pierwszy argument. W naszym przypadku wartość boolean jest zamieniana na liczbę za pomocą unarnego minusa a następnie bity są negowane. Problem z tym rozwiązaniem polegał na tym, że taki benchmark wykonuje się bardzo (!) długo a w naszym kodzie uruchamiamy go dla każdego nie pasującego symbolu, więc dla każdego zgadywanego znaku pesymistycznie prawie 40 razy.
26
28
27
29
Skutek był taki, że położyliśmy serwer 5 razy uzyskując raptem 2/3 flagi a organizatorzy postanowili zablokować funkcję benchmark.
28
30
29
31
Nasze drugie podejście wykorzystało inny sposób - logowanie błędów mysql. Użyliśmy zapytania:
Dzięki czemu w zależności od spełnienia warunku skrypt wykonywał się poprawnie lub zgłaszał błąd składniowy.
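Review bot: the spelling fix `roziązaniem` → `rozwiązaniem` is correct; in the same line, `nie pasującego` should be written as one word, `niepasującego` (Polish orthography joins `nie` with an adjectival participle). The rest of the paragraph is unchanged and reads fine.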
@@ -55,12 +57,10 @@ A jego wynik:
55
57
56
58
`DCTF{09D5D8300A7ADC45C5D434BB467F2A85}`
57
59
58
-
[ENG](#eng-version)
59
-
60
60
### ENG version
61
61
62
-
In the task we get a link to a web file upoloader and an information tha we need to extract some data from `flag` table.
63
-
Analysis of the uploader and its behaviour reveales that the uploader, after loading the file, collected `exif` data and then based on `exif.primary.Software` finds and displays other pictures made with the same software.
62
+
In the task we get a link to a web file upoloader and an information that we need to extract some data from `flag` table.
63
+
Analysis of the uploader and its behaviour reveals that the uploader, after loading the file, collected `exif` data and then based on `exif.primary.Software` finds and displays other pictures made with the same software.
64
64
65
65
We used `SQL Injection` via exif field using script:
66
66
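Review bot: the replacement lines fix `tha` → `that` and `reveales` → `reveals` but leave `upoloader`, which should be `uploader`; `an information` is uncountable in English and reads better as `information that we need to extract some data from the `flag` table`. In the second line, `collected` does not match the present tense of `finds and displays`; use `collects`. Removing the trailing `[ENG](#eng-version)` from the end of the PL section is consistent with the link having been moved to the top.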
@@ -70,7 +70,7 @@ We used `SQL Injection` via exif field using script:
70
70
img.writeFile('file.jpg')
71
71
```
72
72
73
-
This script was adding the query to the file and preparing it for execution. The query was then placed in `where` clause, right after the comparison with a string. Unformtunately we hade a hard limit of 50 characters for the query, which was a strong limiting factor. On top of that it was impossible to use `union` and the table on which the selection was executed had 0 rows.
73
+
This script was adding the query to the file and preparing it for execution. The query was then placed in `where` clause, right after the comparison with a string. Unfortunately we hade a hard limit of 50 characters for the query, which was a strong limiting factor. On top of that it was impossible to use `union` and the table on which the selection was executed had 0 rows.
74
74
75
75
Therefore we decided to use `remote timing` attack on the database with testing single character of the sole element of flags table (where we expected to find the flag) - using short-circuit AND operator and if the condition was not matching we were executing a long running task (sleep was unavailable). Since the characters number limitation we could not use `substring` or `mid` functions and we had to relay on a moving window with known flag prefix/suffix. The SQL code was:
76
76
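Review bot: `Unformtunately` → `Unfortunately` is right, but the same line still has `hade`, which should be `had` (`Unfortunately we had a hard limit of 50 characters for the query`). In the unchanged context line that follows, `relay on a moving window` should be `rely on`, and `Since the characters number limitation` reads better as `Because of the character limit`.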
@@ -85,7 +85,7 @@ As a result we crashed the server 5 times and still got only 2/3 of the flag and
85
85
Our second attempt was using a different approach - exploiting errors in mysql. We used:
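Review bot: in the context line `exploiting errors in mysql`, the product name should be capitalised `MySQL`, and `was using a different approach` reads more naturally as `took a different approach`; the same lowercase spelling appears in the Polish line `logowanie błędów mysql`.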