These are the problems I helped solve.

binary leetness 200

This was a FreeBSD binary with only the hint “Running on”.

mantis had the key insight about what hash function we were facing and how to find collisions. He found the hash function by doing a web search on constants in the code.

Summary: Find a collision in the Tangle hash function.

The program requires a user named "grease" to exist. It then does a
chroot into grease's home directory. It starts listening on port 18703.

The program then does four 4-byte reads, each time interpreting the read
bytes as a pointer and passing it to free. The frees and mallocs appear
to be red herrings. The pointer values are then compared against magic
constants or the program exits.

The program then reads a 4-byte length. This will be the length of two
following strings to be read in. It reads the two strings of the given
length, and checks that they are not equal. It then calls the Tangle
function on both of them and compares the hashes. If the hashes are the
same, it spits out the key.

A paper on Tangle collisions is at
It comes with a link to source code:
It has to be compiled with source files from the reference
implementation, available here:

$ gcc -o tangle-coll tangle-coll.c tangle-ref.c
$ ./tangle-coll
Collision found in Tangle-256

Message 1:
Hash of message 1:
Message 2:
Hash of message 2:
XOR of hashes:

Put these strings in your message and you're done.

$ perl -e 'print "\x94\xa4\xc2\x65\xfe\x73\x2d\x6f\xee\xf8\x14\xcb\x6e\xc8\xa1\x26" . "\x28\x00\x00\x00" . "\xc8\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" . "\xc8\x19\x00\x80\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80";' | nc 18703

/urandom 200

The hint was, “crack Al Qaeda's new ‘Frogg cipher’. user:dolly password:ihavethreemoms”. There was a link to, which appeared to be a mirror of saved by Firefox.

We tried the obvious forensics things like examining all the image and JavaScript files. Comparing Wget mirrors of the original and DDTEK sites didn't show anything suspicious.

Summary: Sending different Accept-Language headers causes different
fragments of a secret message to be mixed in the HTML of the main page.

The key was noticing that when looking at the page in a browser, there
was an extra "!!" at the bottom that was not in the mirror I made with
Wget. I tried deleting headers from what my browser sent until the "!!"
disappeared, and it turned out to be controlled by the Accept-Language

I grabbed some codes from here:
And made langs-short.txt. Then did a loop like
for a in $(cat langs-short.txt); do echo -n "$a	"; wget http://dolly:ihavethreemoms@ -O - --header "Accept-Language: $a" -q | md5sum; done
which makes output like

fon     25a23ddbd88a2d9578b2b0311b728289  -
fr      e98b2c552c4d15a0226656234c204068  -
frm     e98b2c552c4d15a0226656234c204068  -
fro     e98b2c552c4d15a0226656234c204068  -
fur     25a23ddbd88a2d9578b2b0311b728289  -
hz      25a23ddbd88a2d9578b2b0311b728289  -
hil     15c9b9bfab1068a8650f422f45f8d7ee  -
him     15c9b9bfab1068a8650f422f45f8d7ee  -
hi      15c9b9bfab1068a8650f422f45f8d7ee  -
ho      25a23ddbd88a2d9578b2b0311b728289  -

I found a handful of languages that provided something other than the
25a2... hash and diffed them against en. They made diffs like this:

$ diff -u index.none.html
--- index.none.html     2012-06-02 21:40:08.000000000 -0700
+++       2012-06-02 21:21:03.000000000 -0700
@@ -76,7 +76,7 @@
 source for homeland security news
 and information.
 Al Qaeda Claims To Be Holding U.S. Hostage In Pakistan

Each language that differs has two extra characters inserted somewhere
on the page. The samples I found were:

fr     an
it     ha
hi     ez
jp     er
en-us  !!

From here I guessed the missing letters to get "icanhazcheezburger!!".
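
The grouping-and-diffing step above can be automated. This is an added example, not code from the original write-up: the page body and insertion positions are constructed, and only the two-character fragments come from the table above.

```python
import difflib
import hashlib
from collections import defaultdict

# Constructed stand-in for the page served when no language matches.
BASE = ("<html><body><p>Homeland security news</p>"
        "<p>and information.</p></body></html>")

def insert_after(page, marker, fragment):
    """Build a constructed variant with `fragment` placed right after `marker`."""
    cut = page.index(marker) + len(marker)
    return page[:cut] + fragment + page[cut:]

# Constructed responses keyed by Accept-Language value; the fragments are the
# ones listed in the write-up, the positions are made up for this example.
RESPONSES = {
    "fon": BASE, "fur": BASE, "ho": BASE,
    "fr": insert_after(BASE, "news", "an"),
    "frm": insert_after(BASE, "news", "an"),
    "hi": insert_after(BASE, "information.", "ez"),
    "en-us": insert_after(BASE, "</body>", "!!"),
}

def group_by_digest(responses):
    """Like piping each body to md5sum: languages with the same body share a key."""
    groups = defaultdict(list)
    for lang, body in responses.items():
        groups[hashlib.md5(body.encode()).hexdigest()].append(lang)
    return groups

def inserted_text(baseline, variant):
    """Return (offset in baseline, added text) for each character-level addition."""
    matcher = difflib.SequenceMatcher(None, baseline, variant, autojunk=False)
    return [(i1, variant[j1:j2])
            for tag, i1, _i2, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]

def hidden_fragments(responses):
    """Use the most common body as baseline and diff every other group against it."""
    groups = group_by_digest(responses)
    base_langs = max(groups.values(), key=len)
    baseline = responses[base_langs[0]]
    return {tuple(langs): inserted_text(baseline, responses[langs[0]])
            for langs in groups.values() if langs is not base_langs}

if __name__ == "__main__":
    for langs, found in hidden_fragments(RESPONSES).items():
        print(",".join(langs), found)
```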


Also notable: It looks like a ddtek guy left some Google Account
detritus attached to the +1 button in the deployed web site at first. A
diff between two Wget mirrors taken hours apart gave stuff like this:

-window.__SSR = {c: 1.0 ,si:1,su:1,e:'',dn:'Tim Vidas'
+window.__SSR = {c: 1.0 ,si:1,su:1,e:'',dn:'Hugo Chaveeez'

/urandom 300


ur final exam for Stanford's online algorithms class may be found here:
Password: d0d2ac189db36e15

Being someone studying algorithms at Stanford, I couldn't turn this down. Connecting to the address gives

Password: Here come 100000 uint16_t, please tell me how to sort them into
ascending order by sending me pairs of indicies to exchange, one
per line, in the format: :
For example to exchange elements 123 and 9821 you should send:
Valid indicies are in the range 0..99999 inclusive. Send a blank
line when you are done. If you correctly sort the array in
sufficiently few moves I will give you a key!
You have about 10 seconds to finish, and a 5 minute wait between
successive connections.
followed by the aforementioned 100,000 uint16_ts. program.

Summary: Decompose into cycles, send k − 1 swaps for each length-k

I had to do this from a Linode because my home DSL connection couldn't
upload fast enough.

My first try was to write quicksort and just record the swaps. I don't
know if that failed because it used too many swaps or because I couldn't
upload them quickly enough.
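
The cycle decomposition from the summary, as an added example rather than the program used during the contest. It goes slightly beyond the summary by leaving alone any slot that already holds a correct value, which matters because 100000 uint16 values must contain duplicates; the result is at most n - 1 swaps but is not guaranteed minimal when values repeat. The random input is constructed and the server's wire format is not reproduced.

```python
import random

def swaps_to_sort(values):
    """Return (i, j) index pairs that sort `values` ascending when applied in order."""
    n = len(values)
    target = sorted(values)
    # With duplicates, any slot that already holds the value it needs is left
    # alone; only misplaced elements are handed out to misplaced slots.
    misplaced = {}
    for i in range(n - 1, -1, -1):
        if values[i] != target[i]:
            misplaced.setdefault(values[i], []).append(i)
    # src[p] is the index whose element must end up at position p.
    src = list(range(n))
    for p in range(n):
        if values[p] != target[p]:
            src[p] = misplaced[target[p]].pop()
    # src is a permutation; walk each cycle c0 -> c1 -> ... and emit
    # (c0,c1), (c1,c2), ..., which is k - 1 swaps for a length-k cycle.
    swaps, seen = [], [False] * n
    for start in range(n):
        p = start
        while not seen[p]:
            seen[p] = True
            q = src[p]
            if q != start:
                swaps.append((p, q))
            p = q
    return swaps

def apply_swaps(values, swaps):
    """Replay the swaps on a copy, the way the server would."""
    out = list(values)
    for i, j in swaps:
        out[i], out[j] = out[j], out[i]
    return out

def demo(n=100000, seed=1):
    """Constructed input: n random uint16 values, as in the challenge statement."""
    rng = random.Random(seed)
    data = [rng.randrange(1 << 16) for _ in range(n)]
    swaps = swaps_to_sort(data)
    return apply_swaps(data, swaps) == sorted(data), len(swaps)

if __name__ == "__main__":
    print(demo())
```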

$ ./nmap/ncat/ncat 5601 --sh-exec "./" -vvv
Ncat: Version 6.01 ( )
NSOCK (0.0010s) TCP connection requested to (IOD #1) EID 8
NSOCK (0.0330s) Callback: CONNECT SUCCESS for EID 8 []
Ncat: Connected to
NCAT DEBUG: Executing with shell: ./
Congratulations, your final array is sorted correctly.
Here is your key: a7482ddfb82601fdc392b67836883dcc