KuK Hofhackerei collaboration for DEF CON CTF Qualifiers 2024
Last weekend we grouped up with our esteemed friends from other Austrian CTF teams
and participated in this year's DEF CON CTF Qualifiers under the KuK Hofhackerei mantle.
The event was again hosted by nautilus.institute. Thanks for many fun challenges. In the end we were able to reach the 21st place.
This year we tried a hybrid approach, with teams meeting up in Graz, Linz and Vienna and collaborating through Discord, which worked surprisingly well.
In Vienna we met up again at SBA Research. Some people even had the motivation and stayed there for the whole event, which took 48 hours from Saturday 02:00 to Monday 02:00 CEST. Hat's off to that.
Introduction The service image-galoisry is a flask web server accompanied by a web GUI. On the website, users can create new image galleries, which are safeguarded by a password. Following gallery creation, users have the option to upload images, with each image undergoing encryption with AES. Notably, these galleries, while publicly accessible, only display encrypted files for download. However, should a user possess the password for a specific gallery, they have the option to instruct the...
Write an oldschool keygen for an oldschool login interface.
Google CTF 2022 presented us with oldschool, a typical, as the name suggests, oldschool crackme with an ncurses terminal interface. The goal of the challenge was to write a keygen, which would be able to generate keys for a list of users provided by the CTF organizers. The official and detailed writeup is available here, which goes through the intended solution of manually reverse engineering the key verification algorithm. However, since we are researchers (and most importantly, too lazy to manually...
TL;DR chess.rs is a pwn(/web) challenge using Rust with WebAssembly. The goal is to extract the cookies of the admin browser bot. We have a rust webserver providing two pages index.html (graphical frontend) and engine.html ("backend", runs the wasm logic). index.html loads engine.html as an iframe. They send messages through .postMessage and receive them through the window.onmessage event listener. There is a hidden parameter in the init function on engine.html that allows setting a custom board position...
Trick Captcha to believe a dog is actually a cat and let it into the catclub
The challenge catclub is written in Python and offers the service shadymail that can be accessed after an image captcha is solved and the hidden catclub page where various pictures of random cats can be seen. Service Overview The home page which consists of a captcha where all images of an specific animal must be selected to proceed.(/) The shadymail service which can be accessed after completing a captcha (/shadymail/home) The catclub page where random cat images from the...
Description This should take about 1337 seconds to solve. nc dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io 7480 Preface We get a simple binary, with simple input and output. Overview Looking at the binary in ghidra, I found these functions. void vuln(void) { char local_48 [60]; int local_c; puts("tell me a joke"); fgets(local_48,0x100Read More
Description They say programmers' dream is California. And because they need somewhere to stay, we've built a hotel! nc dctf1-chall-hotel-rop.westeurope.azurecontainer.io 7480 Preface We got a binary file with simple input and some output related to hotel checkIn. Overview Based on the name of the challenge, we can be certain, that some sort of rop is needed. Loading the binary into ghidra we can see our function vuln. void vuln(void) { char Read More
Description Blaise's friends like triangles too! nc dctf-chall-bell.westeurope.azurecontainer.io 5311 Preface The function gives us a number and then waits for multiple inputs. Overview Loading the file into ghidra we can take a look at what happens. undefined8 main(void) { int iVar1; uint uVar2; time_t tVar3; tVar3 = time((time_tRead More
Description It's just another bof. nc dctf-chall-baby-bof.westeurope.azurecontainer.io 7481 Preface We got a simple binary with output plz don't rop me and after our input plz don't rop me Also we got a Dockerfile, which showed us the used image was Ubuntu:20.04 Overview Based on the output, we know it was a rop challenge. Also checksec baby_bof gave us. Arch: amd64-64-little RELRO: Partial RELRO Read More