Dragon CTF 2020 Scratchpad

Scratchpad is Web challenge implementing a simple note taking application where you can authenticate, register, create/delete/edit and report a note composed of a title and a description. The application source code is available here: sources Reporting a note will make the admin authenticate with his credentials and consume the note with a firefox browser: const driver = new Builder() .forBrowser("firefox") .setFirefoxOptions( new firefox.Options() .headless() .setAlertBehavior(UserPromptHandler.DISMISS) as firefox.Options ) .build(); try { console.
Read full post

Balsn Ctf 2020 TPC

TPC (web, 310p, 33 solves) Description The challenge implements a simple python application taking an URL as parameter. It allows us to perform SSRF and local file disclosure. Reading a file on the server is as simple as: $ curl -s --output - 'http://35.194.175.80:8000/query?site=file:///etc/passwd' root:x:0:0:root:/root:/bin/ash bin:x:1:1:bin:/bin:/sbin/nologin [...] We first needed to be sure what the python code does. To find this out, we tried to find where it was located:
Read full post

DefconQualifier 2020 Babymaze

The flag is on the wings of the flying plane. It is possible to get the flag without instrumenting or modifying the binary. Tested on Ubuntu 16.04, Ubuntu 18.04, and Ubuntu 20.04. You should use a system able to run the game at approximately 60 fps. It requires: sudo apt-get install freeglut3 nc babymaze.challenges.ooo 7777 Files: BabyMaze 4d7aabfb62d46ea98379254a62023f178c1922c0908f3ff19634ca8c22f97cef Overview This challenge is about a game binary communication with a classic TCP server.
Read full post

ByteBandits 2020 Notes App

For this task, a very simple Python application and its source code is provided. Sources Analysis The application let us register, login, submit a link and edit a single field “note” that will be displayed on /profile. The application code is pretty straightforward and allows us to insert markdown on our own profile page. The python code responsible for markdown rendering (md2html) is the following: @app.route("/update_notes", methods=["POST"]) @login_required def update_notes(): # markdown support!
Read full post

VolgaCTF 2020 DotNetMe

Introduction DotNetMe is obviously a Windows reverse task. Two binaries are provided: A PE32+ executable file (console) Another PE32+ DLL Both binary are .NET binaries are expected and are heavily obfuscated. Technical details At first, we could see that both of the binaries are obfuscated and hard to read: In fact, the symbol names are displayed in some kind of Unicode and all the logic is behind a “state machine”.
Read full post

[UIUCTF] 2017 REV400 Scratches

States: nc challenge.uiuc.tf 11347 every day I do 100 push ups 100 sit ups 100 squats 100 crackmes ALL YOUR SOLUTIONS SHOULD BE ASCII https://www.youtube.com/watch?v=ElGLWB5ffGk Hello everyone ! This one was a bit tricky, since the gloal was to break 100 crackmes. At connection, the TCP service send you a huge base64 string, which is an ELF encoded binary then asking you for a flag .. Like this: [BASE64] What is the flag ?
Read full post

[SharifCTF] REV300 Catch Me If You Can

This challenge was pretty intresting since I didn’t foud the flag in the first 30 seconds like the 3 previous one. Okay, first things ou can download the sample here : Login.apk.tar.xz Right, an APK ! an Android Package ! Thirst thing I did i to disassemble it, with dex2jar and jd-gui. So get a look at the first class ( you can see the ): package sharif.cert.ctf; import android.view.View; import android.
Read full post
FLAG{123456}