TokyoWesterns CTF 6th 2020 Writeup

urlcheck v1 (Web, 98 points). Solved by Ozetta. Objective: SSRF http://127.0.0.1/admin-status

The input needs to fulfil the pattern '\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z', the first octet cannot be 0 or 127, and it must not match some other patterns for internal IP addresses. For some reason, int("0177") is still 177 instead of 127 in Python, so we can use http://0177.0.0.1/admin-status

urlcheck v2 (Web, 128 points). Solved by Ozetta. Objective: SSRF http://localhost/admin-status

Standard TOCTOU bug, just use DNS rebinding to get access: http://23bbd91c....

October 9, 2020 · cire meat pop, harrier, Ozetta, Mystiz

CONFidence 2020 CTF: Team Trees

This week, we teamed up as @blackb6a to play CONFidence 2020 CTF. We ended up ranked 15th, but we are prouder of being able to solve a reversing challenge called Team Trees (395 points, 5 solves). In particular, we were the first to solve the challenge. It took us around two hours to win the flag. This writeup is written by @harrier_lcc and @mystiz613.

Challenge Summary: We wanted to plant a lot of trees, but it's going kinda slow....

September 8, 2020 · Mystiz, harrier

Google CTF 2020: Oracle

I teamed up with @blackb6a for Google CTF this time. I solved 7 challenges alone and 3 challenges with my teammates. In particular, Oracle is a crypto challenge with 13 solves. It had me spending 12 hours. All in all, it was a great experience in terms of learning, but my liver hurts. This writeup may be very computation-intensive, just because I would like to make everything clear....

August 25, 2020 · Mystiz

3kCTF-2020 Writeup

reporter (Web; 498 points). Solved by apple. Author: rekter0

Reporter is an online markdown reporting tool. It's free to use for everyone. There's a secret report we need located here source

Walkthrough: The application provides a markdown hosting service, and it will automatically download and embed external images (or any files) into the 'report'. There are 4 buttons on the interface: Edit, Preview, Save, and Deliver. The first target of the challenge is to access the secret_report....

July 28, 2020 · apple, cire meat pop, eriri, Mystiz, ozetta

UIUCTF 2020: Bot Protection IV

In this challenge, we have a website with a captcha. Based on the question, we need to solve 500 captchas within 10 minutes. Very easy, right?...

July 22, 2020 · wwkenwong

UIUCTF 2020: deserializeme

Update: This was assigned CVE-2020-14343 after the contest.

This was a fun challenge exploiting a deserialization service in Python. The server is using PyYAML and Flask, with the source code below:

    from flask import Flask, session, request, make_response
    import yaml
    import re
    import os

    app = Flask(__name__)
    app.secret_key = os.urandom(16)

    @app.route('/', methods=["POST"])
    def pwnme():
        # Reject the body unless every byte is in the allowed character class
        if not re.fullmatch(b"^[\n --/-\]a-}]*$", request.data, flags=re.MULTILINE):
            return "Nice try!", 400
        # Request data is passed straight to yaml.load (the deserialization being exploited)
        return yaml.load(request.data)

    if __name__ == '__main__':
        app....

July 22, 2020 · harrier, ozetta

UIUCTF 2020: nookcrypt

Challenge Summary: Tom Nook is testing a new encryption scheme for nookphones, but it seems to be a bit faulty... can you break it?

nookcrypt is a netcat service that has no source code released. There are two functions exposed: (1) gets an encrypted copy of the flag (and the message hello world); (2) encrypts an arbitrary message. For example, this is what I had when trying out the options:...

July 22, 2020 · Mystiz

CONFidence 2020 Teaser CTF: Chromatic Aberration

In this CTF question, the author introduced an OOB read and arbitrary write into Array.fill of the V8 engine. So, our exploitation will be very straightforward. First, we will set up an array of BigInts with 0x33313131 as a marker for the arbitrary write after we collect sufficient primitives with the OOB....

July 1, 2020 · wwkenwong

PwnThyBytes CTF 2019 Writeup

Pass the Hash (Warmup/Learning; 50 points). Solved by Mystiz.

Challenge Summary: We are given a peculiar hash algorithm that generates 64-byte long hashes, which wraps sha0, sha1, sha256 and ripemd160. The hash takes two arguments, salt (20 bytes) and password (22 bytes). We are allowed to control the salt, whilst the goal is to find the password within 1024 queries.

Hash construction: We are given a peculiar hash algorithm that generates 64-byte long hashes, which wraps sha0, sha1, sha256 and ripemd160....

October 2, 2019 · Mystiz, harrier