DUMB-DISCORD


Proof of flag

ctf{1b8fa7f33da67dfeb1d5f79850dcf13630b5563e98566bf7b76281d409d728c6}

Summary of the vulnerabilities identified

Invite the bot to a Discord server, give it the ‘dctf2020.cyberedu.ro’ role, use the payload ‘/s基ay //getflaggetflag’ to get the encoded flag and then decode it.

Proof of solving

First off, we need to decompile the binary using ‘uncompyle6’ and look at the code. But before I copy-paste all the code, we need to replace the obfuscated strings. A simple XOR encoding is used, and we can use the included decoding function to replace them with the real strings. We end up with this:

Read more →

HTTP-FOR-PROS


Proof of flag

CTF{75df3454a132fcdd37d94882e343c6a23e961ed70f8dd88195345aa874c63e63}

Summary of the vulnerabilities identified

The application is vulnerable to Server-Side Template Injection via the content GET parameter, which can be used to get code execution on the system. Exploitation is not straightforward, since a Web Application Firewall filters our requests and looks for forbidden words in them. The solution is to use Python string formatting to split the forbidden words so that they won’t be matched.

Read more →

KALF GAME


Proof of flag

ctf{ddba6614a32456631c125eb1a4327c52686c71d909a92ec05ea5eb510eae81d9}

Summary of the vulnerabilities identified

The game is a basic snake game (which is the best game of snake I ever played, thank you Lucian, you made my day happier) and hides the flag using strings that are stored on the stack and a cool function like ROT13. The best thing is that it was written in Rust, which is the best language so far for humanity.

Read more →

MODERN LOGIN

Proof of flag

ctf{356c5e791de08610b8e9cb00a64d16c2cfc2be00b133fdfa5198420214909cc1}

Summary of the vulnerabilities identified

The challenge APK file can be easily decompiled using online services. Scrolling through the source files and assets, we notice an mp3 which is not playable. Running the file command on it, we observe it is an archive; we decompress it and find obfuscated Python code. Cleaning up the code, we start decoding the obfuscated strings in it, and one of them is our flag.

Read more →

QR-MANIA


Proof of flag

CTF{2b2e8580cdf35896d75bfc4b1bafff6ee90f6c525da3b9a26dd7726bf2171396}

Summary of the vulnerabilities identified

Inspecting the pcap file with Wireshark, I found HTTP responses with PNG images, each one containing a QR code which decodes to a single character. The position of each character is inside the EXIF data of the corresponding image.

Proof of solving

Extract HTTP objects with Wireshark from the provided .pcap file:

Read more →