Simple buffer overflow with ret2win.
Description This should take about 1337 seconds to solve. nc dctf-chall-pwn-sanity-check.westeurope.azurecontainer.io 7480 Preface We get a simple binary, with simple input and output. Overview Looking at the binary in ghidra, I found these functions. void vuln(void) { char local_48 [60]; int local_c; puts("tell me a joke"); fgets(local_48,0x100
Format String to dump the memory and get flag.
Description Read me to get the flag. nc dctf-chall-readme.westeurope.azurecontainer.io 7481 Preface We get a binary which asks for our name and then prints hello + input. But in order for the binary to run, a file flag.txt needs to be created in the working directoy. Overview Decompiling the binary in ghidra, we see a function vuln where the logic happens. The decompiled function with some renaming of the variables looks like this: void vuln(void) {
Read number and run throught known function
Description Blaise's friends like triangles too! nc dctf-chall-bell.westeurope.azurecontainer.io 5311 Preface The function gives us a number and then waits for multiple inputs. Overview Loading the file into ghidra we can take a look at what happens. undefined8 main(void) { int iVar1; uint uVar2; time_t tVar3; tVar3 = time((time_t
ROP chain with multiple function and then ret2win
Description They say programmers' dream is California. And because they need somewhere to stay, we've built a hotel! nc dctf1-chall-hotel-rop.westeurope.azurecontainer.io 7480 Preface We got a binary file with simple input and some output related to hotel checkIn. Overview Based on the name of the challenge, we can be certain, that some sort of rop is needed. Loading the binary into ghidra we can see our function vuln. void vuln(void) { char
XSS, CSP bypass, Character Encoding Issues, Unintended Vulnerability
Overview What's your IKEA name? Mine is SORPOÄNGEN. http://ikea-name-generator.chal.perfect.blue/ By: corb3nik One of the most useful applications seen on a CTF so far, a name generator to dive into the Swedish culture: a must have for all the people shopping at IKEA like lavish today, see below. The application provides an input field where users are supposed to insert their name. After clicking on the submit button, an Ikea-like name is displayed. The report page allows...
Read MoreSolve a Memory Maze by leaking info on mapped memory from /proc/self/map_files
Overview The challenge description goes as follows: Miscellaneous, 287 pts Difficulty: medium (26 solvers) Can you escape my memory maze? Treasure awaits at the end! nc memorymaze.hackable.software 1337 Download
pwn, custom heap implementation
Overview Featuring custom heap management, this Pwn challenge lets us embark on a quest to hack into a CLI theme park designer to free the alligator Lil Chompys from the clutches of BSides Orlando. We are given the binary together with its c source code, containing the application as well as a custom heap implementation. A theme park planner First off, the program presents us with a password check. Looking at the source code reveals... int
Ghostcat with RCE
Task Another telecom provider. Hope these guys prepared well enough for the network load... netcorp.q.2020.volgactf.ru Analysis The website is just a plain static site without any interesting content. The only action that you can do is click on the Complaint button, but that leads just to a 404 error page. Using a directory fuzzing tool to check if there is anything of interest not linked to be found, we stumble upon the /docs/ path. It contains a standard public documentation...
Read MoreUnicode Normalization leads to bad things
Overview scavengepad was a ASP .NET Core 2.2 web service, using Entity Framework Core with PostgreSQL for data storage and a Redis instance for session storage. It allows its users to create shared operations and objectives, collaboratively edit associated markdown documents and upload files. 1st vuln: RNG thread-safety (saarsec) Members of the saarsec CTF team have written an excellent writeup of the service and the vulnerability they found – a problem...
Read Moredotnet-jwt-xxe
About Household is a website which manages cooking recipes. A user can register for an account, either as a cook or as a customer. A cook can: Add products Import prodcuts Add a dish containing a recipe Add a menu Most of that information entered can also be viewed on the website, but sometimes the site just asks to user to call the API instead. User registration and login is done with OpenID Connect (OIDC). The website uses cookies for authorization, the API a...
Read More