After opening the binary up in IDA, it was pretty obvious that we needed to exploit a format string vulnerability. It looks like the flag was declared as a global variable, which means it will have a static address in the .bss section. This definitely makes our lives easier. See the full writeup here.
This year at CSAW Finals, Vector35 contributed an entire NES/Famicom RPG as a challenge category. One challenge was solving the puzzle of the mysterious “Blox Cave” – a room of 24 urns that need to be activated in a certain combination in order to open the door to the flag.
This challenge consists of a capture file containing USB packets. We notice that one of the USB devices floods most of the capture with several hundred packets per second. The device uses the address 12, and hence can be filtered using: usb.device_address == 12
For this challenge, we are given the service code to review and find the vulnerability. We locate the function that is generating the sha256 hash: var HMAC_SECRET = ''; for (var i=0; i<20; i++) { HMAC_SECRET = HMAC_SECRET + (Math.random()+'').substr(2) } function hmac_sign(path) { var hmac = crypto.createHmac('sha256', HMAC_SECRET); hmac.update(path); return hmac.digest('hex') } At first…
Disclaimer: this CTF involved a lot of guessing, and please note that other challenges were of far lower quality. Reader beware. To start this challenge, you had to solve Exploitation 300. 300 consisted of googling a public webapp vulnerability. Once you’ve got a shell as the web user, you’ll see e4.hint in the root dir…
For this challenge, we were presented with a website made from the ApPHP Microblog CMS. A quick search on Exploit-DB revealed that there was an existing RCE bug: http://www.exploit-db.com/exploits/33030/ PHP disable_functions seemed to have an extensive list, since exec, shell_exec, and system were all disabled. This leaves only a few commands left to use. It…
For this challenge, you visit the website http://asis-ctf.ir:12437/. At the website, there is a basic message about being a specific visitor to win the prize. After checking the cookies, there is a specific value that is set: Visitor=MTUyNDo0NzFjNzVlZTY2NDNhMTA5MzQ1MDJiZGFmZWUxOThmYg%3D%3D This value ends with the URL-encoded sequence %3D, which is =, meaning that the value is base64. After…
Trivia 25: 4046925: How much is the exact IM per year? Credit for this challenge goes to Jon Singer (@jonathansinger)!
For this challenge, we’re given an `.exe` file and a server that it’s running on. Running strings on the binary, we see that there’s a lot of text in the program. It’s all instructions on how to get started with Windows exploitation. One block that is particularly interesting is: VULNERABLE FUNCTION ------------------- Send…
I think forensics challenges are generally horrible no fun zones, but Fluffy No More is actually a fun little scavenger hunt through a filesystem. @brad_anton gives us a tarball of the relevant parts of a compromised webserver – a MySQL database dump, /var/log/, /var/www/, and all of /etc/. Co-credit for this challenge goes to Alex…