deadface ctf 2021 writeups

The coolest part of this blog post may be the CTF art! DEADFACE CTF was great, with many of the challenges being a mixture of things to do. The CTF had this phased thing going on, so challenges were gradually released in 5 phases. I wasn’t too fond of that, especially as a non-US player where our prime time often had no challenges left. Here are some of the challenges I solved playing for Hack South, where we managed to get 11th place out of 1195 teams that scored. ...

October 17, 2021 · 6 min · Leon Jacobs

hackthebox business ctf 2021 writeups

The HackTheBox Business CTF 2021 ran this weekend, and I played with a few colleagues at Orange Cyberdefense / SensePost. We managed to score 5th place amongst 374 other teams! The team consisted of (those with twitterz!): felmoltor, JCoertze, TH3_GOAT_FARM3R, Titanex8, _cablethief, gav1no_ and GMILTE. ...

July 26, 2021 · 18 min · Leon Jacobs

DawgCTF 2021

foreword DawgCTF 20201 was the first CTF I played together with some local people much smarter than me over at Hack South. We managed to grab 28th place too. I only solved three challenges with the time I had in the morning (of which one was a dupe because reading is hard :P). solutions reversing - calculator Category: Reversing Points: 50 Files: Windows PE This was the duplicate challenge, but I’m writing up how I did it anyways....

May 9, 2021 · 5 min · Leon Jacobs

hack the box - cyber apocalypse ctf '21

foreword The HTB Cyber Apocalypse 2021 event was a nice and polished CTF. Apart from the usual start time load issues, everything ran pretty smoothly with nearly zero issues my side. Kudo’s HTB! Here are the solutions for the ~20 challenges I managed to solve. solutions category - web - BlitzProp Category: Web Difficulty: 1/4 Files: Web app source & build env The challenge landing page already had a hint in the “ASTa la vista baby” song....

April 24, 2021 · 19 min · Leon Jacobs

NahamCon2021 CTF - IoT Itchy & Scratchy SecureIoT Co

category iot - hard solution unfortunately the infra was down by the time I got to the writeup We’re given an IP and credentials, along with a reference to mosquito. There was also a URL that accepted a username, a password and OTP. I used MQTT Explorer to connect to the mosquito server. With a bit of patience, an office topic received a message with a “u” and “p” flag, base64 encoded....

March 15, 2021 · 1 min · Leon Jacobs

NahamCon2021 CTF - Microscopium

category mobile - medium solution This was a fun one. We get an .apk to download. Open it in jadx and quickly see this is a React App. package com.microscopium; import com.facebook.react.ReactActivity; public class MainActivity extends ReactActivity { /* access modifiers changed from: protected */ @Override // com.facebook.react.ReactActivity public String getMainComponentName() { return "Microscopium"; } } Being React, I expected a large chunk of the logic to be in a JavaScript file, which could be found in the resources section....

March 15, 2021 · 2 min · Leon Jacobs

NahamCon2021 CTF - Resourceful

category mobile - easy solution We get an .apk to download. Open it in jadx. And check the com.congon4tor.resourceful.FlagActivity class. There is a reference to the string flag{ and resource called md5. Checking out the resources section, the md5 is revealed to complete the flag.

March 15, 2021 · 1 min · Leon Jacobs

NahamCon2021 CTF - Andra

category mobile - easy solution We get an .apk to download. Open it in jadx. And check the com.example.hack_the_app.MainActivity class. Run the app in a simulator (or a phone whatever you want), enter the credentials and find the flag.

March 15, 2021 · 1 min · Leon Jacobs

NahamCon2021 CTF - Ret2basic

category binary exploitation - easy solution The file we download is a ELF executable. $ file ret2basic ret2basic: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, BuildID[sha1]=3ca85eae693fed659275c0eed9c313e7f0083b85, for GNU/Linux 4.4.0, not stripped Running it hints the vuln. $ ./ret2basic Can you overflow this?: AAAA Nope :( $ $ ./ret2basic Can you overflow this?: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA [1] 9615 segmentation fault ./ret2basic $ Disassembling the binary, we find that main() eventually calls vuln where the overflow exists....

March 15, 2021 · 2 min · Leon Jacobs

NahamCon2021 CTF - Asserted

category web - medium solution The challenge URL dropped us on a page related to fitness, with not a lot of interesting interactions. Navigating the pages you’d see a URL scheme where a page parameter is set. Eg: page=about. An about.php also exists, so this was potentially vuln to LFI. Using .. in the page parameter resulted in a warning message indicating that some filtering was taking place....

March 15, 2021 · 2 min · Leon Jacobs