Hack.LU 2014 :: Web 150 :: Hidden in Plain Sight

Posted by and filed under Hack.LU 2014.

For this challenge, we are given the service code to review and find the vulnerability. We locate the function that is generating the sha256 hash:

    var HMAC_SECRET = ''
    for (var i=0; i<20; i++) {
      HMAC_SΕCRET = HMAC_SECRET + (Math.random()+'').substr(2)
    }

    function hmac_sign(path) {
      var hmac = crypto.createHmac('sha256', HMAC_SECRET)
      hmac.update(path)
      return hmac.digest('hex')
    }

At first… Read more »

D-CTF 2014 :: Exploit 400 :: Paranormal Activity

Posted by and filed under D-CTF 2014.

Disclaimer: this CTF involved a lot of guessing, and please note that other challenges were of far lower quality. Reader beware. To start this challenge, you had to solve Exploitation 300. 300 consisted of googling a public webapp vulnerability. Once you’ve got a shell as the web user, you’ll see e4.hint in the root dir…. Read more »

D-CTF 2014 :: Bonus 200 :: Final

Posted by and filed under D-CTF 2014.

For this challenge, we were presented with a website made from the ApPHP Microblog CMS. A quick search on Exploit-DB revealed that there was an existing RCE bug. http://www.exploit-db.com/exploits/33030/ PHP disable_functions seemed to have an extensive list since exec, shell_exec, and system were all disabled. This leaves only a few commands left to use. It… Read more »

ASIS 2014 :: Web 100 :: Lottery

Posted by and filed under ASIS 2014.

For this challenge, you visit the website http://asis-ctf.ir:12437/. At the website, there is a basic message about being a specific visitor to win the prize: After checking the cookies, there is a specific value that is written: Visitor=MTUyNDo0NzFjNzVlZTY2NDNhMTA5MzQ1MDJiZGFmZWUxOThmYg%3D%3D This value ends with the entity %3D, which is =, meaning that the value is base64. After… Read more »

CSAW 2014 :: Exploitation 400 :: greenhornd.exe

Posted by and filed under CSAW 2014.

For this challenge, we’re given an `.exe` file and a server that it’s running on. Running strings on the binary, we see that there’s a lot of text in the program. It’s all instructions on how to get started with Windows exploitation. One block that is particularly interesting is: ~~~ VULNERABLE FUNCTION ——————- Send… Read more »

CSAW 2014 :: Forensics 300 :: Fluffy No More

Posted by and filed under CSAW 2014.

I think forensics challenges are generally horrible no fun zones, but Fluffy No More is actually a fun little scavenger hunt through a filesystem. @brad_anton gives us a tarball of the relevant parts of a compromised webserver – a MySQL database dump, /var/log/ , /var/www/ , and all of /etc/. Co-credit for this challenge goes to Alex… Read more »

CSAW 2014 :: Forensics 100 :: dumpster diving

Posted by and filed under CSAW 2014.

For this challenge, we are given a ZIP archive containing a Mozilla Firefox memory dump. We unzip the archive and search the printable text for our flag:

    [ [email protected]: ~/csaw/forensics100 ]$ unzip firefox.mem.zip
    Archive: firefox.mem.zip
    inflating: firefox.mem
    creating: __MACOSX/
    inflating: __MACOSX/._firefox.mem
    [ [email protected]: ~/csaw/forensics100 ]$ strings firefox.mem | grep flag{
    ZZZZZZZZflag{cd69b4957f06cd818d7bf3d61980e291}
    [ [email protected]: ~/csaw/forensics100 ]$… Read more »

CSAW 2014 :: Recon 100 :: Kevin Chung

Posted by and filed under CSAW 2014.

For this challenge we must “Find a picture of me that’s from before I was a high school student.” We started by looking through his photos on Facebook and LinkedIn but came up empty. We turned to Google to find out more. We found his website, Twitter, and GitHub but they didn’t provide any useful… Read more »

CSAW 2014 :: Forensics 200 :: Obscurity

Posted by and filed under CSAW 2014.

For this challenge, we are given a PDF file named pdf.pdf. We check out the printable characters of the PDF file and notice that streams are being used. We attempt to decode the stream objects but shift toward another approach when we realize that document objects (images, textboxes, etc.) could be stacked. Using Adobe Acrobat… Read more »