So we accidentally discovered a flag submission bug in the ATAST 2012 flag submission system after I submitted the first 20 point flag for web100 (23a952b7674e0c2d602bde4ba6367b93), not knowing that club member Jonathan Singer submitted it earlier.
For this 29c3 CTF challenge, we are given a WAV. Upon first listening, one can hear DTMF tones, phone tones. There is still an abundance of high pitched noise too. First check with Audacity in the spectrogram:
This challenge gave the description: Ever played Googlewhack? Well, this is a bit easier and gives you more power, enjoy. Googlewhack is when only one result comes up from two words being searched. In this case, they have their own database of strings and we can search to find something that returns only one result.
Pwn300 was a Python Twisted site that served a page with a single form to kill, arrest, or bankrupt the kids of South Park. The organizers provided the source code for the challenge, which included the web service and a compiled Python module. The source to the page tells us that the flag is in… Read more »
This challenge asked us to transfer $2000 to an account when all new accounts are created with only $1000.
This was a fun challenge. We are given “I am lost” and a remote host to connect to. Connecting via netcat gives us Hi there! Stupid CAPTCHA: enter your name, user40319 Entering the username gives us a bunch of mazes in this format…
This problem is not immediately visible. Upon viewing the page for it, this is all you’re given:
At the beginning of this problem, we’re given a Windows binary(.exe). Running it gives some inane output about a username and product key. This is a clue that it could be a keygenme or something more difficult(but it isn’t, yay!) So, we open the executable up in IDA. Taking a quick look at the string… Read more »
The trick here was to spot the vulnerability. The scripts loads html from a controlled webpage with @file_get_contents(). It then parses the html for forms with regex to solves a basic math problem, with unescaped eval(). Finally the page submits a post request to the controlled webpage with file_get_contents(). With that information determined from the… Read more »