This week, we have teamed up as @blackb6a to play CONFidence 2020 CTF. We end up ranked 15, but we are more proud of ourselves able to solve a reversing challenge called Team Trees (395 points, 5 solves). In particular, we are the first-to-solve to the challenge. It took us around two hours to win the flag. This writeup is written by @harrier_lcc and @mystiz613. Challenge Summary We wanted to plant a lot of trees, but it's going kinda slow....

I was teamed-up with @blackb6a on Google CTF this time. I have solved 7 challenges alone and 3 challenges with my teammates. In particular, Oracle is a crypto challenge with 13 solves. It has got me spending 12 hours. All in all, it was a great experience in terms of learning, but my liver hurts. This piece of writeup may be very computation intensive, just because I would like to make everything clear....

reporter (Web; 498 points) Solved by apple. Author: rekter0 Reporter is an online markdown reporting tool. it's free to use for everyone. there's a secret report we need located here source Walkthrough The application provide markdown hosting service and it will automatically download and embed external images (or any files) to the 'report'. There are 4 buttons on the interface: Edit, Preview, Save, and Deliver. The first target of the challenge is to access the secret_report....

In this challenge, we have a website with captcha. Base on the question, we need to solve 500 captcha within 10 minutes. Very easy right?...

Update: It was assigned as CVE-2020-14343 after the contest. This was a fun challenge exploiting a deserialize service in Python. The server is using pyYAML and Flask, with the source code below: from flask import Flask, session, request, make_response import yaml import re import os app = Flask(__name__) app.secret_key = os.urandom(16) @app.route('/', methods=["POST"]) def pwnme(): if not re.fullmatch(b"^[\n --/-\]a-}]*$", request.data, flags=re.MULTILINE): return "Nice try!", 400 return yaml.load(request.data) if __name__ == '__main__': app....

Challenge Summary Tom Nook is testing a new encryption scheme for nookphones, but it seems to be a bit faulty... can you break it? nookcrypt is a netcat service that have no source code released. There are two functions exposed: Gets an encrypted copy of the flag (and the message hello world). Encrypts an arbitrary message. For example, this is what I had when trying out the options:...

In this CTF Question, author introduced a OOB read and arbitary write to the Array.fill of the V8 engine. So, our exploitation will be very straightforward. First, we will set up an array of BitInts with 0x33313131 as marking for arbitary write after we collect sufficient primitive with the OOB....

Pass the Hash (Warmup/Learning; 50 points) Solved by Mystiz. Challenge Summary We are given a peculiar hash algorithm that generates 64-byte long hashes, which wraps of sha0, sha1, sha256 and ripemd160. The hash takes two arguments, salt (20 bytes) and password (22 bytes). We are allowed to control the salt, whilst the goal is to find the password within 1024 queries. Hash construction We are given a peculiar hash algorithm that generates 64-byte long hashes, which wraps of sha0, sha1, sha256 and ripemd160....