Cyber Defenders Discovery Camp 2015 – Post-Analysis

Disclaimer: The opinions expressed in this post belong to me alone and are not representative of anyone else. Introduction In our previous post, we delved deeply into the technical details of the NUS Greyhats’ strategy and our developed technology for the Cyber Defenders Discovery Camp 2015. In this post, we will focus on performing a…

X-CTF Qualifiers 2016 – The Snek (Web)

Breedom ain’t bree. OK. The world gonna be litterd with the sneks. Praise snek. I designed this challenge for the Qualifying CTF for X-CTF 2016, a CTF aimed at inter-varsity competition. This actually went unsolved so here’s the intended solution 🙂 First, let’s visit the website. Clicking on the link below…

HackIM 2016 Case Study

Introduction The Dystopian Narwhals played in the HackIM 2016 CTF organised by Nullcon the last weekend and I must say, it was one of the most controversial ones I’ve ever experienced. In this post, I will briefly describe the competition format, the controversies, and provide an analysis of the overall experience from the point of view of…

32C3CTF – Kummerkasten (Web 300)

Our Admin is a little sad this time of the year. Maybe you can cheer him up at this site Please note: This challenge does not follow the flag format. When navigating to the website, we are shown a message about the depressed admin and a form to send him messages. Turns out, the website…

32C3CTF – Gurke (Misc 300)

Non-standard gurke: Talk to it via HTTP on We are given a vulnerable python script here:

What this script does is: Initialise a variable flag over a socket. Apply seccomp rules to restrict syscalls. This is particularly important to note because we now do not have the option of connecting to the server to…

32C3CTF – TinyHosting (Web 250)

A new file hosting service for very small files. could you pwn it? In the comments, there is a hint to use ./?src to obtain the source code to the index.php.

From the returned source, we get some very interesting PHP code:

What the code does is: Create a $savepath variable that is derived…

32C3CTF – Teufel (Pwn 200)

teufel is running at Da ist der Teufel los If you look at the disassembly of the binary, you can see that it is very tiny and possibly handcrafted.

What this does is create a new mapping in the virtual address space with the mmap call. It creates a mapping of size 0x3000…

32C3CTF – Readme (Pwn 200)

Can you read the flag?

Let’s run the binary locally first:

Looks like we enter input in two places: When it asks for your name. When it asks you to overwrite the flag. Let’s take a look at what’s going on under the hood:

For the name prompt, the standard ‘gets()’ is…

32C3CTF – Forth (Pwn 150)

Connect to and get a shell. When we connect to the IP address given, we are greeted by a Forth interpreter.

We can execute system commands in yForth with ‘system’ so we can get a shell pretty easily:

From here, we explore the file system and read the flag:

Flag: 32C3_a8cfc6174adcb39b8d6dc361e888f17b

150 (+60) Points by 0ne (Crypto) Mr. Miller suspects that some of his students are cheating in an automated computer test. He captured some traffic between crypto nerds Alice and Bob. It looks mostly like garbage but maybe you can figure something out. He knows that Alice’s RSA key is (n, e) = (0x53a121a11e36d7a84dde3f5d73cf, 0x10001)…

HITCON 2015 Qualifiers – Piranha Gun (Stego)

The Piranha Gun is a post-Plantera Hardmode ranged weapon that fires a single, returning “piranha” projectile that costs no ammunition. nc 10004 In this challenge, we get a server to netcat into. Netcatting into the server drops us into a shell.

There was a README in the home directory.

