
UIUCTF 2020: Bot Protection IV
In this challenge, we have a website with captcha. Base on the question, we need to solve 500 captcha within 10 minutes. Very easy right?...
In this challenge, we have a website with captcha. Base on the question, we need to solve 500 captcha within 10 minutes. Very easy right?...
Update: It was assigned as CVE-2020-14343 after the contest. This was a fun challenge exploiting a deserialize service in Python. The server is using pyYAML and Flask, with the source code below: from flask import Flask, session, request, make_response import yaml import re import os app = Flask(__name__) app.secret_key = os.urandom(16) @app.route('/', methods=["POST"]) def pwnme(): if not re.fullmatch(b"^[\n --/-\]a-}]*$", request.data, flags=re.MULTILINE): return "Nice try!", 400 return yaml.load(request.data) if __name__ == '__main__': app....
Challenge Summary Tom Nook is testing a new encryption scheme for nookphones, but it seems to be a bit faulty... can you break it? nookcrypt is a netcat service that have no source code released. There are two functions exposed: Gets an encrypted copy of the flag (and the message hello world). Encrypts an arbitrary message. For example, this is what I had when trying out the options:...
In this CTF Question, author introduced a OOB read and arbitary write to the Array.fill of the V8 engine. So, our exploitation will be very straightforward. First, we will set up an array of BitInts with 0x33313131 as marking for arbitary write after we collect sufficient primitive with the OOB....
Pass the Hash (Warmup/Learning; 50 points) Solved by Mystiz. Challenge Summary We are given a peculiar hash algorithm that generates 64-byte long hashes, which wraps of sha0, sha1, sha256 and ripemd160. The hash takes two arguments, salt (20 bytes) and password (22 bytes). We are allowed to control the salt, whilst the goal is to find the password within 1024 queries. Hash construction We are given a peculiar hash algorithm that generates 64-byte long hashes, which wraps of sha0, sha1, sha256 and ripemd160....