VolgaCTF Quals - Netcorp

Ghostcat with RCE

Task Another telecom provider. Hope these guys prepared well enough for the network load... netcorp.q.2020.volgactf.ru Analysis The website is just a plain static site without any interesting content. The only action that you can do is click on the Complaint button, but that leads just to a 404 error page. Using a directory fuzzing tool to check if there is anything of interest not linked to be found, we stumble upon the /docs/ path. It contains a standard public documentation...

Read More
ENOWARS 3 - scavengepad

Unicode Normalization leads to bad things

Overview scavengepad was a ASP .NET Core 2.2 web service, using Entity Framework Core with PostgreSQL for data storage and a Redis instance for session storage. It allows its users to create shared operations and objectives, collaboratively edit associated markdown documents and upload files. 1st vuln: RNG thread-safety (saarsec) Members of the saarsec CTF team have written an excellent writeup of the service and the vulnerability they found – a problem...

Read More
RuCTFE 2019 - Household

dotnet-jwt-xxe

About Household is a website which manages cooking recipes. A user can register for an account, either as a cook or as a customer. A cook can: Add products Import prodcuts Add a dish containing a recipe Add a menu Most of that information entered can also be viewed on the website, but sometimes the site just asks to user to call the API instead. User registration and login is done with OpenID Connect (OIDC). The website uses cookies for authorization, the API a...

Read More
hack.lu 2019 - Trees For Future

SSI injection, connect back to local MySQL, second order blind SQLi

Description We are TreesForFuture. We actively work towards getting more trees onto this planet. Recently we hired a contractor to create a website for us. While we still need to fill it with content in some places, you can already look at it http://31.22.123.49:1908. Preface Having scored the first blood and with only 2 teams solving the challenge, I thought it was almost mandatory to publish a write-up. I have to say that I really liked it,...

Read More
Tasteless 2019 - Gabbr

CSP, CSS

Overview gabbr is an online chatroom service. Upon loading the page, one joins a chatroom specified in the anchor part of the URL e.g. https://gabbr.hitme.tasteless.eu/#8f332afe-8f1d-411f-80f3-44bb2302405d. If no name is specified, a random UUID is generated upon join. The main functionality is to send messages in the chatroom. Furthermore, one can change the username to another randomly generated one, join a new random chatroom and report the chatroom to an admin. Upon reporting an admin joins the...

Read More
hack.lu 2019 - Car Repair Shop

prototype pollution, URL regex bypass, DOM-XSS

Challenge Description "Your Car broke down?! Come to our shop, we repair all cars! Even very old ones." Enter the Shop Analysis After accessing the URL of the challenge description the following page showed up: Here we can see several buttons which will execute certain functions when clicked. Below there is a message box which gets updated after some function was executed. At the bottom there was another button named Get your cookie! which lead to...

Read More
SECCON 2018 Quals - Special instructions

reversing

General problem description We were given a moxie ELF-Binary which was implementing the xorshift32 PRNG algorithm. The flag and some additional random values were hard-coded into the elf. Solution Similar to the Special device file challenge the binary took the flag xored with a random value hard-coded into to binary and xored again with a value taken from the xorshift32 algorithm. The catch was again, that we didn't know the correct configuration of the algorithm only the seed and...

Read More
SECCON 2018 Quals - Runme

reversing

General problem description Given was a Windows binary, which was apparently waiting to be started with the correct cmd arguments. Solution The binary checked character by character the cmd arguments with a hard-coded value which was: "C:\\Temp\\SECCON2018Online.exe" SECCON{Runn1n6_P47h} The flag was: SECCON{Runn1n6_P47h}...

Read More
SECCON 2018 Quals - Special device file

reversing

General problem description We were given a arm64 ELF-Binary which was accessing a special device named xorshift64. The flag and some additional random values were hard-coded into the elf. Solution The ELF does more-or-less the same as this pseudocode: # init device #with open('/dev/xorshift64', 'r') as d: d.write(0x139408fcbbf7a44) # decode flag with open('/dev/xorshift64', 'r') as d: for i Read More


SECCON 2018 Quals - Needle in a haystack

Media

General problem description We got a 9 hours long video captured with a webcam on the top of a tall building in Tokyo(?). Find the flag. Solution First our guess was, that there will be a single frame which shows the flag, but fast-forwarding the video did not reveal anything like that. The next idea was to export every frame and use fuzzy hashing to find very different frames. While the script was doing the exporting we were fast-forwarding the...

Read More
Navigation