For this challenge, we are given the service code to review and find the vulnerability. We locate the function that is generating the sha256 hash:

    var HMAC_SECRET = ''
    for (var i=0; i<20; i++) {
      HMAC_SΕCRET = HMAC_SECRET + (Math.random()+'').substr(2)
    }

    function hmac_sign(path) {
      var hmac = crypto.createHmac('sha256', HMAC_SECRET)
      hmac.update(path)
      return hmac.digest('hex')
    }

At first… Read more »
Disclaimer: this CTF involved a lot of guessing, and please note that other challenges were of far lower quality. Reader beware. To start this challenge, you had to solve Exploitation 300. 300 consisted of googling a public webapp vulnerability. Once you’ve got a shell as the web user, you’ll see e4.hint in the root dir…. Read more »
For this challenge, we were presented with a website made from the ApPHP Microblog CMS. A quick search on Exploit-DB revealed that there was an existing RCE bug: http://www.exploit-db.com/exploits/33030/. PHP disable_functions seemed to have an extensive list, since exec, shell_exec, and system were all disabled. This leaves only a few commands to use. It… Read more »
For this challenge, you visit the website http://asis-ctf.ir:12437/. At the website, there is a basic message about being a specific visitor to win the prize: After checking the cookies, there is a specific value that is written: Visitor=MTUyNDo0NzFjNzVlZTY2NDNhMTA5MzQ1MDJiZGFmZWUxOThmYg%3D%3D This value ends with the entity %3D, which is =, meaning that the value is base64. After… Read more »
Trivia 25: 4046925: How much the exact IM per year? Credit for this challenge goes to Jon Singer (@jonathansinger)!
For this challenge, we’re given an `.exe` file and a server that it’s running on. Running strings on the binary, we see that there’s a lot of text in the program. It’s all instructions on how to get started with Windows exploitation. One block that is particularly interesting is: ~~~ VULNERABLE FUNCTION ——————- Send… Read more »
I think forensics challenges are generally horrible no fun zones, but Fluffy No More is actually a fun little scavenger hunt through a filesystem. @brad_anton gives us a tarball of the relevant parts of a compromised webserver – a MySQL database dump, /var/log/ , /var/www/ , and all of /etc/. Co-credit for this challenge goes to Alex… Read more »
For this challenge, we are given a ZIP archive containing a Mozilla Firefox memory dump. We unzip the archive and search the printable text for our flag: [ [email protected]: ~/csaw/forensics100 ]$ unzip firefox.mem.zip Archive: firefox.mem.zip inflating: firefox.mem creating: __MACOSX/ inflating: __MACOSX/._firefox.mem [ [email protected]: ~/csaw/forensics100 ]$ strings firefox.mem | grep flag{ ZZZZZZZZflag{cd69b4957f06cd818d7bf3d61980e291} [ [email protected]: ~/csaw/forensics100 ]$… Read more »
For this challenge we must “Find a picture of me that’s from before I was a high school student.” We started by looking through his photos on Facebook and LinkedIn but came up empty. We turned to Google to find out more. We found his website, Twitter, and GitHub but they didn’t provide any useful… Read more »
For this challenge, we are given a PDF file named pdf.pdf. We check out the printable characters of the PDF file and notice that streams are being used. We attempt to decode the stream objects but shifted toward another approach when we realize that document objects (images, textboxes, etc.) could be stacked. Using Adobe Acrobat… Read more »