Simple buffer overflow with ret2win.
Description This should take about 1337 seconds to solve. nc dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io 7480 Preface We get a simple binary, with simple input and output. Overview Looking at the binary in ghidra, I found these functions. void vuln(void) { char local_48 [60]; int local_c; puts("tell me a joke"); fgets(local_48,0x100
Buffer overflow to overwrite variable
Description This should be easy! nc dctf1-chall-pinch-me.westeurope.azurecontainer.io 7480 Preface We got a binary file which asked us Am I dreaming? and with basic input prints then Pinch me! Overview Loading the binary into ghidra we can see, that the interaction happens in the function vuln void vuln(void) { char local_28 [24]; int local_10; int local_c
Format String to dump the memory and get flag.
Description Read me to get the flag. nc dctf-chall-readme.westeurope.azurecontainer.io 7481 Preface We get a binary which asks for our name and then prints hello + input. But in order for the binary to run, a file flag.txt needs to be created in the working directoy. Overview Decompiling the binary in ghidra, we see a function vuln where the logic happens. The decompiled function with some renaming of the variables looks like this: void vuln(void) {
XSS, CSP bypass, Character Encoding Issues, Unintended Vulnerability
Overview What's your IKEA name? Mine is SORPOÄNGEN. http://ikea-name-generator.chal.perfect.blue/ By: corb3nik One of the most useful applications seen on a CTF so far, a name generator to dive into the Swedish culture: a must have for all the people shopping at IKEA like lavish today, see below. The application provides an input field where users are supposed to insert their name. After clicking on the submit button, an Ikea-like name is displayed. The report page allows...
Read MoreSolve a Memory Maze by leaking info on mapped memory from /proc/self/map_files
Overview The challenge description goes as follows: Miscellaneous, 287 pts Difficulty: medium (26 solvers) Can you escape my memory maze? Treasure awaits at the end! nc memorymaze.hackable.software 1337 Download
pwn, custom heap implementation
Overview Featuring custom heap management, this Pwn challenge lets us embark on a quest to hack into a CLI theme park designer to free the alligator Lil Chompys from the clutches of BSides Orlando. We are given the binary together with its c source code, containing the application as well as a custom heap implementation. A theme park planner First off, the program presents us with a password check. Looking at the source code reveals... int
Ghostcat with RCE
Task Another telecom provider. Hope these guys prepared well enough for the network load... netcorp.q.2020.volgactf.ru Analysis The website is just a plain static site without any interesting content. The only action that you can do is click on the Complaint button, but that leads just to a 404 error page. Using a directory fuzzing tool to check if there is anything of interest not linked to be found, we stumble upon the /docs/ path. It contains a standard public documentation...
Read MoreUnicode Normalization leads to bad things
Overview scavengepad was a ASP .NET Core 2.2 web service, using Entity Framework Core with PostgreSQL for data storage and a Redis instance for session storage. It allows its users to create shared operations and objectives, collaboratively edit associated markdown documents and upload files. 1st vuln: RNG thread-safety (saarsec) Members of the saarsec CTF team have written an excellent writeup of the service and the vulnerability they found – a problem...
Read Moredotnet-jwt-xxe
About Household is a website which manages cooking recipes. A user can register for an account, either as a cook or as a customer. A cook can: Add products Import prodcuts Add a dish containing a recipe Add a menu Most of that information entered can also be viewed on the website, but sometimes the site just asks to user to call the API instead. User registration and login is done with OpenID Connect (OIDC). The website uses cookies for authorization, the API a...
Read MoreSSI injection, connect back to local MySQL, second order blind SQLi
Description We are TreesForFuture. We actively work towards getting more trees onto this planet. Recently we hired a contractor to create a website for us. While we still need to fill it with content in some places, you can already look at it http://31.22.123.49:1908. Preface Having scored the first blood and with only 2 teams solving the challenge, I thought it was almost mandatory to publish a write-up. I have to say that I really liked it,...
Read More