challenges from UgraCTF

Written by: Jan Fok

UgraCTF logo

Musical five minutes

Category: Steganography

We were provided an audio file. Downloading the file and playing it in a media player, we could see that the flag was on the image track.




Category: Cryptography

A text file encrypted using a ROT13 cypher was provided to us. I used the following bash script to decode the text to obtain the flag:

cat ciphertext.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m' | awk '/ugra/{print $13}'




Category: Miscellaneous

We are given a text file which contains many long lines of unicode. When I use cat to display the file, a series of characters would flash across the terminal very quickly.

I used a screen recorder to record the flashing characters and watched the playback. Turns out, the flashing characters form the flag.




Category: PWN

We are supposed to use nc to connect to a remote host which is running program. We are provided the source code to the program which is written in C.

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct SafeString {
  char *ptr;
  size_t size;

void set(struct SafeString s, size_t pos, char c) {
  if (pos >= 0 && pos < s.size) {
    s.ptr[pos] = c;

void safeGets(struct SafeString s, size_t size) {
  for (size_t readed = 0; readed < size; readed++) {
    char c = fgetc(stdin);
    if (c == '\n') {
      set(s, readed, '\0');
    } else {
      set(s, readed, c);
  set(s, size, '\0');

void writeKey(struct SafeString s);

int main() {
  char *buf = (char *)malloc(512);
  struct SafeString s = {buf, 256};
  struct SafeString flag = {buf + s.size, 512 - s.size};

  size_t size = 0;
  printf("Enter input size: ");
  scanf("%lu", &size);
  fgetc(stdin); // skip newline
  if (size > s.size) {
    puts("Size is too big");
    return 0;

  printf("Enter string: ");
  safeGets(s, size);

  printf("You entered: %s\n", s.ptr);

As we can see from the source code, the flag is located right after the buffer for the string. Since strings are terminated with a null byte, if we can fill the string buffer with characters that isn’t null, the printf function would print the input string along with the flag.

Therefore, we would input a string with a size of 256 when prompted. This would cause the buffer to fill up.

The set command at the end of the safeGets function where it tries to set the 256th character with a null byte would not execute as the set command would not run if the position of the character is more than or equal to the size of the struct.

I used perl to produce the input string.

$ perl -e 'print "A" x256'