DEV Community: VaiTon

[Boost]

VaiTon — Tue, 08 Jul 2025 00:18:38 +0000

Bronze Medal for Team Unibo at CyberChallenge.IT 2025

VaiTon for Ulisse ・ Jul 8

Bronze Medal for Team Unibo at CyberChallenge.IT 2025

VaiTon — Tue, 08 Jul 2025 00:17:30 +0000

Months of intense preparation have culminated in an extraordinary achievement: Team Unibo has secured the bronze medal at the CyberChallenge.IT 2025 finals, held on July 6th and 7th at the International Training Centre of the ILO (ITCILO) in Turin.

The six-member team—Federico Bosi, Giuseppe Aiello, Mattia Ronchi, Marco Balducci, Davide Fiocchi, and Emanuele Argonni—stood out in this elite competition. Competing against 40 teams from across Italy, the University of Bologna representatives showcased not only exceptional technical expertise but also remarkable teamwork and resilience under pressure.

The competition followed a Capture The Flag Attack/Defence format, challenging participants with realistic cybersecurity scenarios and complex technical puzzles. This demanding format requires far more than technical knowledge—it demands strategic thinking, seamless coordination, and the ability to adapt rapidly to evolving threats.

The team's success represents the culmination of a training journey that began in February within the classrooms of the University of Bologna. This path was made possible thanks to the valuable support of professors Prof. Marco Prandini and Prof. Andrea Melis from the Department of Computer Science and Engineering (DISI), who were able to guide and motivate the participants from the earliest stages of preparation.

A fundamental role in the team's formation was played by the tutors Pietro Bertozzi, Giacomo Boschi, Alan Davide Bovo, Karina Chichifoi, Davide Gianessi, Eyad Issa, Luca Lombardi, Renato Marziano, and Elia Soldati, who shared their experience and expertise throughout the preparation process.

Tutors Pietro Bertozzi and Renato Marziano accompanied the team to Turin, alongside Prof. Marco Prandini, providing crucial support throughout the high-stakes competition weekend.

The July 7th award ceremony brought together key figures from Italy's cybersecurity community, including Prof. Alessandro Armando, director of the CINI Cybersecurity National Lab, Prof. Ginevra Cerrina Feroni, Vice President of the Italian Data Protection Authority, and Dr. Bruno Frattasi, Director of the National Cybersecurity Agency. Their presence underscored the competition's significance in Italy's cybersecurity education landscape.

The CyberChallenge.IT experience represents not only a moment of competition, but a unique opportunity for professional and personal growth. Participants had the chance to interact with peers from all over Italy, sharing knowledge and creating a network of contacts that will prove valuable in their professional future.

This result confirms the excellence of the University of Bologna in training cybersecurity professionals and represents a source of pride for the entire university. The bronze medal is the tangible recognition of a constant commitment and dedication that has characterized the entire journey, from theoretical classroom training to the final challenge in the field.

Perfect Bird - TRX CTF 2025 Writeup

VaiTon — Sun, 02 Mar 2025 01:43:01 +0000

Cover image: Asian pied starlings (Gracupica contra) - CC-BY-SA 4.0

Challenge description

As a bird soaring through the sky, you seek the perfect language, and then... you find this

Writeup

Opening the chall.db3 file, I come across a weird programming language that looks kind of like JavaScript. The code is full of strange symbols and conventions, and without a guide, it’s pretty hard to figure out what it does.

My go-to move is always to check the challenge description for hints. Here, the words bird and perfect language are italicized, which seems important. So, I search for "bird perfect language programming" online.

The first result is a video by the streamer ThePrimeTime, where he talks about this exact programming language.

From the video's description, I find my way back to the GitHub repository that explains this language: https://github.com/TodePond/GulfOfMexico.

It looks like it was originally called "DreamBerd," but now it goes by "GulfOfMexico."

DreamBerd - A Perfect Language

Be bold! End every statement with an exclamation mark!
print("Hello world")!

I start thinking about ways to decipher the code and come up with the idea of writing a script to rewrite it into an existing language (one with an existing interpreter!).

At first, I consider converting it to Python, but then I realize JavaScript would be a better choice since it’s closer to the original language.

So, I write a Python script to convert the code to JavaScript and run it to see the output.

Converting DreamBerd to JavaScript

The key here is that we don’t need a perfect (pun intended) conversion—just something accurate enough to run the challenge code.
It doesn’t have to handle every possible DreamBerd program, just this one.

The first thing we need to do is to fix the lifetimes in the code.

Gulf of Mexico has a built-in garbage collector that will automatically clean
up unused variables. However, if you want to be extra careful, you can specify a
lifetime for a variable, with a variety of units.

In particular, the one bit we cannot tollerate are negative lifetimes:

Variable hoisting can be achieved with this neat trick. Specify a negative
lifetime to make a variable exist before its creation, and disappear after its
creation.
print(name)! //Luke
const const name<-1> = "Luke"!

#!/bin/env python3
import sys
import re

def fix_lifetimes(lines):
    new_lines = []

    for i, line in enumerate(lines):
        match = re.match(r".+<(.+)>.+", line)
        if not match:
            new_lines.append(line)
            continue

        lifetime = match.group(1)

        if lifetime == "Infinity":
            new_lines.append(line)
            continue

        lifetime = int(lifetime)

        if lifetime >= 0:
            line = line.replace(f"<{lifetime}>", "")
            new_lines.append(line)
            continue

        new_pos = max(len(new_lines) + lifetime, 0)

        # remove the invalid lifetime
        line = line.replace(f"<{lifetime}>", "")
        new_lines.insert(new_pos, line)

        print(f"Moved line {i + 1} -> {new_pos + 1}", file=sys.stderr)

    return new_lines

lines = sys.stdin.readlines()
program = fix_lifetimes(lines)
program = "".join(program)

Then we need to replace each "strange lang" construct with the corresponding JavaScript construct.

! -> nothing

  program = re.sub(r"!+", "", program)

; -> !

  for i in range(1, 100):
      program = re.sub(r";([\w|!|(|)]+)", r"!(\1)", program)

Every kind of variable declaration is replaced with let.

  program = program.replace("const const const", "let")
  program = program.replace("const const", "let")
  program = program.replace("const var", "let")
  program = program.replace("var var", "let")

The variable 42 (which is an invalid identifier in JavaScript) is replaced with var_42.

  program = re.sub(r"let (\d+)", r"let var_\1", program)

Every usage of 42 is replaced with var_42.

  program = program.replace("42 +=", "var*42 +=")
  program = program.replace("42 -=", "var_42 -=")
  program = program.replace("42 *=", "var*42 *=")
  program = program.replace("42 ^ ", "var*42 ^ ")
  program = program.replace("42 = ", "var_42 = ")
  program = program.replace("42 * ", "var*42 * ")
  program = program.replace("42 / ", "var_42 / ")
  program = program.replace("42 % ", "var_42 % ")
  program = program.replace("42 + ", "var_42 + ")
  program = program.replace("42 - ", "var_42 - ")
  program = program.replace("!42", "!var_42")

Remove Infinity lifetimes.

  program = re.sub("<Infinity>", "", program)

Replace functi with function.

  program = re.sub(r"functi (.+?) \(\) =>", r"function \1()", program)

Replace print with console.log.

  program = re.sub(r"print", "console.log", program)

Fix array starting convention, as in DreamBerd arrays start at -1 (oh, the horror).

  # arrays start at -1 ...
  program = re.sub(r"(\w+)\[(.+)\]", r"\1[\2 + 1]", program)

Finally, we print the program.

print(program)

Then we use the script to convert the code to JavaScript.

cat chall.db3 | python3 invertlines.py > chall_ok.js

And we then run the code with Node.js.

$ node chall_ok.js
[
    84, 82, 88, 123, 116, 72, 105, 53, 95,
    73, 53, 95, 116, 104, 51, 95, 80, 51,
    114, 102, 51, 99, 116, 95, 108, 52, 110,
    71, 85, 52, 103, 51, 33, 33, 33, 33,
    33, 33, 125
]

The result we get is an array of integers.
We can convert it to ASCII to get the flag.

#!/bin/env python3
m=[
   84,  82,  88, 123, 116, 72, 105, 53,  95,
   73,  53,  95, 116, 104, 51,  95, 80,  51,
  114, 102,  51,  99, 116, 95, 108, 52, 110,
   71,  85,  52, 103,  51, 33,  33, 33,  33,
   33,  33, 125
]

for i in range(0, len(m)):
    print(chr(m[i]), end="")

$ python3 decode.py
TRX{tHi5_I5_th3_P3rf3ct_l4nGU4g3!!!!!!}

Ulisse @ CyberChallenge.IT 2024

VaiTon — Mon, 15 Jul 2024 20:17:37 +0000

Once again this year, the University of Bologna took part in CyberChallenge.IT, the national cybersecurity competition organised by the Cybersecurity National Lab.

After a training course that lasted several months, a team of students from the Ulisse lab took part in the final competition, which was held from 3 to 6 July 2024 at the International Training Centre of the International Labour Organisation (ITC-ILO) in Turin.

The team, made up of Alan Davide Bovo, Giacomo Boschi, Davide Gianessi, Renato Eugenio Maria Marziano, Elia Soldati and Simone Mazzacano (from left to right in the photo), faced 42 other teams from all over Italy in an 8-hour CTF Attack/Defense competition, from 10:00 to 18:00 on 4 July.

Thanks to their dedication and expertise, the team secured an impressive 3rd place with a score of 108,631 points, ranking just behind PoliTo and Sapienza.

Congratulations to all participants, especially our students, for their remarkable achievement! See you next year for the next edition of CyberChallenge.IT!

Acknowledgements

We would like to express our gratitude to Prof. Marco Prandini for his support and coordination, as well as to Eyad Issa, Andrea Melis, Francesco Apollonio, Santo Cariotti, Samuele Musiani, Lorenzo Rinieri, and all the tutors of the Ulisse lab for their contributions to the CyberChallenge 2024 training course. We also extend our thanks to the Cybersecurity National Lab and all the national sponsors who made our participation in the competition possible.

A special thanks to our local sponsors: Cyberloop, EETECH SRLS, Imola Informatica and Laboratori Guglielmo Marconi S.p.A.

Workshop

In addition to the competition, the team also delivered two presentations at the CyberChallenge.IT 2024 Workshop. During these presentations, they showcased the tools developed by the game team and used during the competition, highlighting how these tools provided a significant advantage.

In the spirit of sharing and collaboration that characterizes the Ulisse lab, we are providing the slides from the presentations and the GitHub repositories of the projects developed:

Title	Author	Slides	GitHub Repository
A/D traffic analysis with PCAP-over-IP	Eyad Issa	PDF	GitHub
Fingerprinting TCP/IP	Renato Eugenio Maria Marziano	PDF	GitHub

More information

CyberChallenge.IT is a national cybersecurity training and competition program organized by the Cybersecurity National Lab, targeting students aged 16 to 25. The program features a series of training events culminating in a final competition held annually in July.

If you want to learn more about CyberChallenge.IT, visit the official website and the registration page for the next edition.

If you would like to join our team, participate in our events and activities, contact us Discord.

ez-class

VaiTon — Mon, 20 Mar 2023 17:46:12 +0000

Originally written by Max

First analysis

It seems we can write a class to a file, and open that class.
But we also have restrictions on what we can write that are applied when input gets validated by get_legal_code.
When running and selecting 1. Write new class we are prompted with

{class name}
{parent}
{number of methods}
for each method:
- {name{i}}
- {params{i}}
- {body{i}}

and out class will look like:

class {class name}({parent}):
  def {name{1}}({params{1}}):
    {body{1}}

  def {name{2}}({params{2}}):
    {body{2}}
  ...

In exec_class() our class gets printed, so my_class.__repr__() gets run to get it's string representation.

Resolution

Since we can not write parentheses we want to highjack some.
If we can remove def in def {name{2}}({params{2}}): we would get closer to calling any funciton with any parameter.
Fortunatley there are multiline strings, so now our payload looks like:

class MyClass():
  def __repr__(self): # gets called when `exec_class` is called
    a="""

  def """;exec({params{2}}):
    {body{2}}

We still have a problem:
the colon at the end of def {name{2}}({params{2}}): gives us a syntax error since it is not valid python code.
This can be fixed by making it look like we are using that result to index an array, since [][f(x):2] is valid python code

class MyClass():
  def __repr__(self): # gets called when `exec_class` is called
    a="""

  def """;[][exec({params{2}}):
    2]

great, we can call any function!
now we just put "print(open('/tmp/flag.txt').readlines())" as a hexstring into {params{2}} to avoid parentheses invalidating our payload and we have our evil class

class MyClass():
  def __repr__(self): # gets called when `exec_class` is called
    a="""

  def """;[][exec("\x70\x72\x69\x6e\x74\x28\x6f\x70\x65\x6e\x28\x27\x2f\x74\x6d\x70\x2f\x66\x6c\x61\x67\x2e\x74\x78\x74\x27\x29\x2e\x72\x65\x61\x64\x6c\x69\x6e\x65\x73\x28\x29\x29"):
    2]

By writing such class, then selecting 2. Run class and providing the class name we get the __repr__ method to be run that in turn runs the exec which prints the file and we get the flag!

chicago

VaiTon — Mon, 20 Mar 2023 17:42:43 +0000

Challenge description

Keygenme...sort of

Author: akhbaar

The keygen

As usual, we start by trying to run the executable.

./chicago

but unfortunately, we get

... Bad lenght! ...

Opening the file with ghidra, we see that the file is a rust compiled executable, with A TON of functions (I suppose from the rust standard library). After some time we find the main, with an interesting portion of code:

if (local_1a8 < 10) {
    FUN_00107480("Bad length ...

So the length of the input must be at least 10.
Also, after some analysis and variable renaming, we find that

actual_num = input[i] - 0x30; // 0x30 is the ascii code for '0'

So every character of the input must be a digit.

if (((i & 1) != 0) && (actual_num = actual_num * 2, L'4' < (uint)input[i])) {
    actual_num = (uint)(byte)((char)(actual_num & 0xff) + (char)((actual_num & 0xff) / 10) * -9);
}

So if the index of the character is odd, we multiply it by 2.
Also, if the original number is greater than 4, we replace it with $x + x / 10 * -9$, where $x$ is the original number.

Then, at least that's what I thought, it gets compared to the first character of the input, and if it's equal we get the flag.

The real keygen

After spending much more time than I should have, and after writing a python script to bruteforce the flag, I was so surprised when the first number it tried checked all the conditions.

As you could have guessed, the first and most obvious string that my script tried was 0000000000, and it worked 😭.

To get the flag, I then just had to run the program with ./chicago 0000000000.

padlock

VaiTon — Mon, 20 Mar 2023 17:11:38 +0000

Challenge description

Mindblown by ioccc? How can someone write programs like this... Anyway, try open this padlock :)

Author: bronson113

First analysis

The source code is a C program that prints itself.
It's a quine, a program that prints its own source code.

If we compile the program and run it, we are welcomed by a

zsh: segmentation fault  ./quine

Maybe it needs some arguments? Let's try with ./quine 1:

//X
...

I won't repeat the program source code here, but keep in mind that when I put ... it means that the source code of the program is repeated.

Let's try with a bigger number, like ./quine 1000:

//XXXX
...

So the program does print a variable number of Xs somewhat depending on the argument.
Let's try with ./quine abcd:

//XXXX
...

The output is the same, so the number of Xs depends only on the length of the argument.

With the help of a little python, we can find that sometimes, instead of an X, the program prints an O.
For example, with ./quine b:

// O

The first idea was to bruteforce the flag, but as the number of Xs and Os could be > 10, it could take a long time.
So I decided to try to find a pattern in the output.

Finding the pattern

I wrote a python script that prints the output of the program for strings of N chars made of the same char, for every char.

$ ./quine aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
//XXXXXXXXXXXXXXXXXXOXXXXXXXXXXX
...

$ ./quine bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
//OXXXXXXXXXXXXXXXXXXOXXXXXXXXXX
...

The pattern starts to emerge. We get an O when the char is the same as the flag char on that position. We get an X when the char is different from the flag char on that position.

Finding the flag

Now that we know the pattern, we can find the flag. We just need to bruteforce every letter and keep the one in the positions where we get an O.

import subprocess
import string

CHAR_N = 70
flag = [""] * CHAR_N

for ch in string.printable:
    proc = subprocess.Popen(
        ["./quine", ch * CHAR_N], stdin=subprocess.PIPE, stdout=subprocess.PIPE
    )
    (stdout, stderr) = proc.communicate()

    line = stdout.decode().split("\n")[0][2:]
    print(line)

    for i, x in enumerate(line):
        if x == "O":
            flag[i] = ch

flag = "".join(flag)
print(flag)

and we get the flag:
bctf{qu1n3_1s_4ll_ab0ut_r3p371t10n_4nD_m4n1pul4710n_OwO_OuO_UwU}

Blacklist

VaiTon — Mon, 20 Mar 2023 14:25:53 +0000

Writeup of the Blacklist challenge from B01lers CTF 2023
Originally written by Lombax

Challenge description

you can run anything on this! please dont hack me

Source code

blacklist = "._0x/|?*[]{}<>\"'=()\\\t "
blacklist2 = ['eval', 'exec', 'compile', 'import', 'os', 'sys', 'cat', 'ls', 'exit', 'list', 'max', 'min', 'set', 'tuple']

def validate(code):
    for char in blacklist:
        if char in str(code):
            return False
    for word in blacklist2:
        if word in str(code):
            return False
    return True

if __name__ == '__main__':
    print("------------------------------")
    print("Welcome to my very cool python interpreter! \nI hope I blacklisted enough... \nYou can never be too careful with these things...")
    print("Send an empty line to run!")
    print("------------------------------")
    safe_code = ""
    while (True):
        unsafe_code = input(">>> ")
        if (unsafe_code == ""):
            try:
                exec(safe_code)
            except:
                print("Error executing!")
            break
        unsafe_code = unsafe_code.replace("open", "")
        unsafe_code = unsafe_code.replace("print", "")
        if (not validate(unsafe_code)):
            print("Invalid code!")
            continue
        safe_code += str(unsafe_code)+ "\n"

First analysis

In this challenge we had to read the flag.txt file. The script let us upload python code trough the while loop, blacklisting a number of characters. Most notably:

dots and underscore (so no __builtins__)
any kind of parenthesis (so no functions, at least in the canonical sense, see later...)
and no space (wtf man, even the spaces?)

Note that open and print are not blacklisted, they just get replaced with an empty string.

Resolution

First rule don't panic, what can we use? open and print can actually be used, we just need to send something like oopenpen that get sanitized to open so that's good, but how do we call a function without parenthesis?
Let's introduce python decorators!

@print
@input
class A:pass

We create a class that does nothing and invoke the function input with the class name as parameter and then the function print on the result of input.
This is the same as running

print(input(...))

We don't care about the argument of the input, as it gets stringified and then used as the string printed before the prompt.

Since @ are not blacklisted we are golden. What we can do then is something similar to:

@pprintrint
@sorted
@oopenpen
@input
class A:pass

and give as input: flag.txt to print it.
@sorted is necessary because open returns a file object and not the file content itself, other alternatives would have been list, next or similar.

But we need the space between class and A and there is nothing much we can do about it.
We need to input a separator that is ignored by the blacklist. We have 2 options:

we encode the payload so that there aren't blacklisted chars included the space
we use a different separator that doesn't make our payload explode within the exec

Since exec doesn't seem to respect different encoding even when the #coding:blabla header is defined we went for the second options.
After many test the only character we found was Form feed (ASCII 0x0c)

Final Payload

@pprintrint
@sorted
@oopenpen
@input
class<\x0c>A:pass

We then proceed to use pwntools to send the payload in bytes (so that we can handle for the the special character correctly) and it's done!

Notifiche via [matrix] e webhook

VaiTon — Tue, 07 Feb 2023 15:40:15 +0000

You can read this article in english here

Hai mai avuto la necessità di ricevere delle notifiche per un processo di lunga durata o per monitorare qualcosa e non avevi voglia di tirare su un MTA?

Le email sono utili, non lo metto in dubbio, ma a volte è giusto chiedersi se tirare su postfix (o exim4 che sia), setuppare smarthost e bla bla bla non sia un po' overkill per inviare delle semplici notifiche quando un job è concluso o quando qualcosa è andato storto.

In questa breve guida, utilizzeremo la potenza dei webhook e del network [matrix] per fare esattamente ciò.

1. Creare un webhook

Innanzitutto è necessario creare una stanza [matrix]. Assicurati di averla creata come non-crittografata, altrimenti i bridge di t2bot.io potrebbero non funzionare.

Una volta creata la stanza, segui la documentazione di t2bot.io su come create un webhook:

Invita @_webhook:t2bot.io nella tua stanza Matrix.

Invia nella stanza il messaggio !webhook

Il bridge genererà ed invierà un URL da utilizzare, insieme a semplici istruzioni su come usarlo.

2. Creare lo script

Crea un file chiamato notifyMatrix.py (o come vuoi tu) e incolla questo blocco di codice:

(Utilizzo python per semplicità, ma puoi utilizzare qualsiasi cosa, anche fare una semplice curl)

#!/bin/env python3
import requests
import sys

args = " ".join(sys.argv[1:])

WEBHOOK = "..."
BOTNAME = "..."

requests.post(WEBHOOK, 
    json={"text": args, "format": "plain", "displayName": BOTNAME})

WEBHOOK deve essere impostato all'URL che il bot ha inviato nella stanza appena creata.
BOTNAME deve essere impostato ad una stringa qualsiasi. Verrà utilizzato come nome dell'"utente" (tra virgolette perchè in realtà non è un vero utente) che invierà il msg nella stanza specificata.

Lo script prende gli argomenti da riga di comando successivi al primo (che è sempre il nome dello script), li concatena in una stringa separati da spazi e li invia via webhook all'url fornito.

Adesso, se provi ad eseguire

./notifyMatrix.py ciao!

dovresti ricevere un nuovo messaggio nella stanza che hai appena creato con il testo ciao!.

Se tutto ha funzionato, sei riuscito nell'impresa di tirare su in meno di 5 minuti un servizio di notifiche su matrix!

3. Utilizzo

Puoi utilizzare questo script dove vuoi. Per esempio, per monitorare un sistema RAID software gestito da MDADM, basta inserire nel file /etc/mdadm/mdadm.conf

...
PROGRAM /root/notifyMatrix.py
...

e hai fatto!

Crediti

Se ti è piaciuta questa guida e/o l'hai trovata utile considera di donare a t2bot.io e alla fondazione matrix!

Notification service via [matrix] and WebHooks

VaiTon — Tue, 07 Feb 2023 10:53:56 +0000

Questo articolo è disponibile anche in italiano

Have you ever wanted to set up a notification service for your long standing process / monitoring and didn't know how to do it without setting up an MTA?

Don't get me wrong, emails are good, but sometimes you need a faster approach than setting up postfix (or exim4) with a smarthost and bla bla bla when you just need to be able to recieve a notification when something goes wrong!

In this guide we leverage the power of webhooks and the matrix network to do exactly that.

1. Create a webhook

First, create a new Matrix room. Be sure to make it unencrypted, as t2bot.io webhooks bridge still doesn't support encrypted rooms.

Then, follow t2bot.io documentation for creating a webhook:

Invite @_webhook:t2bot.io to your Matrix room.

Send the message !webhook

The bridge will send you a URL to use alongside simple instructions on how to use it.

2. Create the script

Create a file named notifyMatrix.py and paste this snippet:

(I'm using python for simplicity, but you could also do a simple curl!)

#!/bin/env python3
import requests
import sys

args = " ".join(sys.argv[1:])

WEBHOOK = "..."
BOTNAME = "..."

requests.post(WEBHOOK, 
    json={"text": args, "format": "plain", "displayName": BOTNAME})

WEBHOOK should be set to the URL that the bot gave you previously.
BOTNAME can be set to anything. It will be used as the username that sends the message to the Matrix room.

The script simply takes the last $n - 1$ arguments, creates a string by joining them (with a space in between each) and sends it to the specified webhook.

Now try running

./notifyMatrix.py ciao!

and you should get a message in the room you created with the content ciao!.

If everything went well, you should have your notification service up and running, and it took only a couple of minutes!

3. Usage

You can now use the script wherever you want, for example in a system with a software RAID controlled by MDADM:

In /etc/mdadm/mdadm.conf

...
PROGRAM /root/notifyMatrix.py
...

and you're done!

Credits

If you enjoyed this guide and/or found it useful, consider donating to t2bot.io and to the matrix foundation!

How to enable auto dark mode (night theme) in KDE Plasma

VaiTon — Mon, 01 Aug 2022 15:55:00 +0000

Disclaimer!

The method described in this post only works if your cron handles delayed jobs (for when your PC is sleeping/powered off and the job should run).

I got different results from different OS so YMMV!

Intro

Auto dark mode is new feature that has been gaining a lot of popularity in these years.

That's because, with its introduction in Android 10 people have begun to appreciate its benefits, including:

Can reduce power usage by a significant amount (depending on the device’s screen technology).
Improves visibility for users with low vision and those who are sensitive to bright light.
Makes it easier for anyone to use a device in a low-light environment.

For GNOME, this shell extension exists: Night Theme Switcher.

For KDE Plasma though, unfortunately, the only automatic way I could find to accomplish this is by using this project on github which is not supported on every distro (although recently added to the OBS).

Despite this, for users that do not want to install something from a PPA / User repository / Source code, another solution exists, and it leverages the plasma plasma-apply-colorscheme command.

How To

First, open up a terminal and write

plasma-apply-colorscheme --list-schemes

to see which color scheme you have installed on your system.

(You can always install more using your distro package manager or the Plasma Settings.)

After locating the two color themes that we want to use for the day theme and the night theme, let's open up the user crontab manager with

crontab -e

and let's create two cronjob by using this website, one that will run when we want to switch to the day theme and the other one when we want to switch to the night theme.

The input command will be

plasma-apply-colorscheme <colorscheme>

For me they will be openSUSE from 07:00 till 20:00 and BreezeDark for the rest of the day, so the two cronjobs will be:

0 20 * * * plasma-apply-colorscheme BreezeDark >/dev/null 2>&1
0  7 * * * plasma-apply-colorscheme openSUSE   >/dev/null 2>&1

And that's all! Let's close the crontab (Esc -> :wq -> Enter) and enjoy the automatic switch!

Eulers license - DCTF 22

VaiTon — Mon, 18 Apr 2022 23:05:15 +0000

I took part to the DCTF 2022 with the team Ulisse of the University of Bologna.

The Bookstore.java challenge stated that:

Someone who doesn't care about bandwidth usage decided to package both the server and client binaries in a single file... The server of course is meant to run on linux, and the client on Windows.

We get a PowerShell file eulers_license.ps1 that contains:

a binary_linux var containing the server code encoded in base64.
a binary_win var containing the client code also encoded in base64.

The linux binary

The linux binary is very easy to reverse. In fact by decoding it we get a python server which has a huge SQLi vuln:

lice = request.args.get("license_key")
query = "SELECT * FROM license_keys WHERE license_key = '" + lice + "';"

we can proceed with a basic SQLi like ' OR 1=1 -- and get the first part of the flag (which is the second one really):

_python_is_easy_to_reverse}

The windows binary

The windows exe is a little bit harder to reverse. By looking at it with ghidra we understand that it must be:

a 10 digits number
a prime number
it has something to do with Euler

By a combination of chance and testing we come across the number 2147483647 which is a prime number discovered by Euler.

Providing this input to the client gives us the output:

Enter eulers license key: 2147483647
dctf{2147483647
Failed to contact euler.dragonsec.si for license confirmation...

dctf{2147483647_python_is_easy_to_reverse}