32C3CTF - TinyHosting (Web 250)
A PHP service that allows uploading of small files (<= 7 bytes) with arbitrary filenames within a browsable path.
Posts by Tags
32c3
32C3CTF - Teufel (Pwn 200)
Exploit a tiny binary with an extremely customised memory mapping with an infoleak leading to libc disclosure and jump to magic shell address.
32C3CTF - Readme (Pwn 200)
Abuse the stack smashing protector infoleak vulnerability to leak the flag.
32C3CTF - Kummerkasten (Web 300)
Steal the password and TOTP token from an admin using cross-site scripting.
32C3CTF - Gurke (Misc 300)
Remote code execution in a seccomp protected python service requiring manipulating python internals to retrieve the flag in memory.
32C3CTF - Forth (Pwn 150)
Remote code execution with a code injection vulnerability in a Forth interpreter.
94472014
aes
Sieberrsec 3.0 CTF (2021) - totallyfoolproofcrypto (Crypto)
Summary: Standard byte-by-byte ECB oracle decryption.
arm
STACK 2020 - I Smell Updates (IOT)
Summary: An ARM crackme is transferred over Bluetooth. Extracting the binary allows us to apply angr to it to automatically find the flag.
asan
Bugs that Address Sanitizer Does Not Detect
A lab for school required us to design 3 examples of memory bugs that are not detected by Address Sanitizer. I thought it was a pretty informative exercise s...
asean
ASEAN Cyber SEA Game 2021
Summary: The Singapore team competed at the ASEAN Cyber SEA Game 2021 organised by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) and achiev...
asisfinals2015
ASIS CTF Finals 2015 - Shop 1 (Pwn)
An off-by-one error allows an attacker to leak return codes from memcmp to determine the difference in the supplied byte and the compared byte to leak the fl...
ASIS CTF Finals 2015 - Myblog (Web)
Server-side request forgery in a PDF page printer service in PHP leading to disclosure of secrets in a server-side PHP source code.
ASIS CTF Finals 2015 - Impossible (Web)
Type juggling in PHP’s weak comparison operator (==) allows an attacker to generate passwords to an administrator account and bypass the original MD5 hashing...
ASIS CTF Finals 2015 - Flag Hunter (Misc)
Use of the X-Forwarded-For header allows an attacker to fake country of origin to collect flags.
ASIS CTF Finals 2015 - Bodu (Crypto)
Use the Boneh-Durfee attack on low private exponents to recover the original two prime factors comprising the private key and decrypt an encrypted flag.
balsn
BALSN CTF 2021 - Metaeasy (Misc)
Summary: Bypass the restrictions of a Python jail to gain access to a get flag function within an impossible-to-instantiate metaclass class.
bluetooth
STACK 2020 - I Smell Updates (IOT)
Summary: An ARM crackme is transferred over Bluetooth. Extracting the binary allows us to apply angr to it to automatically find the flag.
bruteforce
Wargames.my 2015 - Foo Soo Rah (Brute)
We are given an IP address:port pair and told to bruteforce smartly.
bsidessf2018
BSides SF CTF 2018 - Rotaluklak (Pwn)
Escape python jail.
BSides SF CTF 2018 - Gorribler (Pwn)
Execute arbitrary shellcode by writing to the buffer by calculating values that provide the right values when simulating a projectile’s trajectory.
byte by byte
Sieberrsec 3.0 CTF (2021) - totallyfoolproofcrypto (Crypto)
Summary: Standard byte-by-byte ECB oracle decryption.
cddc2015
NUS Greyhats at CDDC 2015 and (Almost) Epic Mass Exploitation
The Cyber Defenders Discovery Camp 2015 is an introductory computer security workshop slash competition targeted at students at the JC and IHL levels. This i...
chrome
Sieberrsec 3.0 CTF (2021) - Digging in the Dump (Forensics)
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
codegate
Codegate 2012: Forensics 200
This was a CTF challenge solved by Hiromi in Codegate 2012.
Codegate 2012: Forensics 100
This was a CTF challenge solved by Hiromi in Codegate 2012.
crypto
Sieberrsec 3.0 CTF (2021) - Turbo Fast Crypto (Crypto/Pwn)
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
Sieberrsec 3.0 CTF (2021) - totallyfoolproofcrypto (Crypto)
Summary: Standard byte-by-byte ECB oracle decryption.
Sieberrsec 3.0 CTF (2021) - Diffie’s Key Exchange 2 (Crypto)
Summary: Applying the small subgroup attack in a pseudo Diffie Hellman key exchange scheme that does not give the public A value allows for an attacker to co...
HXP 2021 - Gipfel (Crypto)
Summary: Choosing the value of the prime modulus - 1 as the base in a pseudo Diffie Hellman key exchange scheme allows setting a shared value to 1. When this...
VULNCON CTF 2021
Summary: I played VULNCON CTF 2021 for a couple of hours and solved a few challenges. Here are the quick solutions to the few challenges that were solved.
TISC 2021 - 1865 Text Adventure (Creator’s Writeup)
This challenge was created for The InfoSecurity Challenge (TISC) 2021 organised by the Centre for Strategic Infocomm Technologies (CSIT). It was the 9th leve...
CSIT - The InfoSecurity Challenge (TISC) 2020 Writeups
Writeups for the TISC 2020 CTF organised by CSIT.
PoliCTF 2015 - Exorcise (Crypto 50)
Simple challenge involving XORing.
cryptography
CTF(x) 2016 - Custom Auth (Crypto)
A cookie using ECB mode encryption allows an attacker to forge admin privileges by rearranging encrypted blocks for decryption.
Hack.lu CTF 2015 - Creative Cheating (Crypto 150)
Analyse a given PCAP for some secret communication between Alice and Bob and determine which messages contain a valid signature.
ASIS CTF Finals 2015 - Bodu (Crypto)
Use the Boneh-Durfee attack on low private exponents to recover the original two prime factors comprising the private key and decrypt an encrypted flag.
TrendMicro CTF 2015 - Crypto 200
Recover the IV of an AES operation by utilising imperfect knowledge of the key and encrypted output.
SECCON CTF 2014 - Easy Cipher (Crypto)
The flag was embedded in a message that was encoded into different number bases from ASCII.
CSCAMP CTF 2014 - Logic (Crypto)
Message encoded in a seven segment display LED format.
CSCAMP CTF 2012 - Crypto 400
This is the solution script:
Hack You CTF 2012 - Schneier’s Algorithm (CRY100)
We didn’t solve this puzzle and submit the flag in time, but when we did… well it was a huge reminder not to overthink things.
cscamp2012
CSCAMP CTF 2012 - Exploit 400
We solved the post-patch version of this binary.
CSCAMP CTF 2012 - Exploit 200
This binary is vulnerable to a buffer overflow in the strncpy function called in the main function with user supplied input. It takes in two arguments, argum...
CSCAMP CTF 2012 - Exploit 100
This was more of a reversing puzzle than an exploitation one. The binary accepts a parameter as a password. It checks if the password is correct and cats the...
CSCAMP CTF 2012 - Web300
In this challenge, an image divided into blocks has its blocks scrambled not unlike a sliding block puzzle (http://en.wikipedia.org/wiki/Sliding_puzzle). The...
CSCAMP CTF 2012 - Web200
In this puzzle, you had to evaluate an equation encoded in base64 in an array structure consisting of values and operands hidden in a custom header. The obje...
CSCAMP CTF 2012 - Web100
This challenge required you to log in as any valid account.
CSCAMP CTF 2012 - Crypto 400
This is the solution script:
cscamp2014
CSCAMP CTF 2014 - Logic (Crypto)
Message encoded in a seven segment display LED format.
CSCAMP CTF 2014 - I Hate Time (Web)
Remote code execution by injecting python code into a Python WSGI server.
CSCAMP CTF 2014 - 7amama Book (Web)
Insecure direct object reference allows changing of password of another user.
CSCAMP CTF 2014 - ELF2 (Reversing 100)
We are given the following binary to reverse: elf2. (It’s a zipped file)
CSCAMP 2014 - netcat, cryptcat Who cares? (STG100)
the solution is the md5 of the decrypted file
ctf-review
Hack You CTF 2012 Writeups
The CTF was really enjoyable. Really great casual atmosphere to it. Too bad we only really caught the last couple of days. Really looking forward to the next...
ctfx2016
CTF(x) 2016 - North Korea (Web)
Fake an originating IP address from North Korea using the X-Forwarded-For header.
CTF(x) 2016 - Harambe Hub (Web)
Use of String.match as opposed to String.equals in Java allows an attacker to recover sensitive input such as an admin username character by character with r...
CTF(x) 2016 - guesslength (Binary)
Overwriting a null byte in a buffer causes printf to print sensitive struct data.
CTF(x) 2016 - Dat Boinary (Binary)
Off-by-one error allows overwrite of a null byte that allows for a struct to be completely filled with non-null bytes which tricks strlen into returning a la...
CTF(x) 2016 - Custom Auth (Crypto)
A cookie using ECB mode encryption allows an attacker to forge admin privileges by rearranging encrypted blocks for decryption.
cve
CVE-2016-10190 Detailed Writeup
FFmpeg is a popular free software project that develops libraries and programs for manipulating audio, video, and image data. The vulnerability exists in the...
defconquals2015
DEFCON CTF Qualifiers 2015 - MathWhiz (Baby’s First)
Simple programming challenge in which you had to solve equations in different formats.
DEFCON CTF Qualifiers 2015 - Access Control (Reversing)
Reverse engineer a server binary to determine how to interact with it and write a client.
denial-of-service
Denial of Service Vulnerability in Libprocess (CVE-2017-9790)
A vulnerability in the libprocess dependency of Mesos allows a remote attacker to cause a crash in any Mesos component that includes the library. The bug res...
Denial of Service Vulnerability in Libprocess (CVE-2017-7687)
A vulnerability in the libprocess dependency of Mesos allows a remote attacker to cause a crash in any Mesos component that includes the library. The bug res...
GraphicsMagick NULL Pointer Dereference in DICOM Decoder (CVE-2017-14994)
A null pointer dereference vulnerability in the GraphicsMagick DICOM image decoder allows an attacker to cause a denial-of-service condition or other unspeci...
diffie hellman
Sieberrsec 3.0 CTF (2021) - Diffie’s Key Exchange 2 (Crypto)
Summary: Applying the small subgroup attack in a pseudo Diffie Hellman key exchange scheme that does not give the public A value allows for an attacker to co...
dpapi
Sieberrsec 3.0 CTF (2021) - Digging in the Dump (Forensics)
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
ecb
Sieberrsec 3.0 CTF (2021) - totallyfoolproofcrypto (Crypto)
Summary: Standard byte-by-byte ECB oracle decryption.
eval
Sieberrsec 3.0 CTF (2021) - Can You Math It? (Misc)
Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.
filters
HXP 2021 - unzipper (Web)
Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...
forensics
Sieberrsec 3.0 CTF (2021) - Digging in the Dump (Forensics)
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
STACK 2020 - Walking Down Memory Lane (Forensics)
Summary: Analysing the provided memory dump yields a hosted PNG file containing a steganographic message.
STACK 2020 - Corrupted Hive (Forensics)
Summary: Data hdiden within a corrupt Windows registry hive contains an Base64-encoded guessable flag.
CSIT - The InfoSecurity Challenge (TISC) 2020 Writeups
Writeups for the TISC 2020 CTF organised by CSIT.
HITBGSEC CTF 2017 - flying high (Misc)
UBIFS images are recovered from a crashed drone and the flag is included in the video of the drone’s last moments.
HITBGSEC CTF 2017 - arrdeepee (Misc)
Extracting the private key into a PEM file from a PKCS12 file transmitted over UDP allows the investigator to decrypt an RDP session and recover some secret ...
PoliCTF 2015 - It’s Hungry (Forensics 100)
A troll challenge that required you to transcribe a melody on a hidden area of the website.
Codegate 2012: Forensics 200
This was a CTF challenge solved by Hiromi in Codegate 2012.
Codegate 2012: Forensics 100
This was a CTF challenge solved by Hiromi in Codegate 2012.
format string
STACK 2020 - Beta Reporting (Pwn)
Summary: A format string attack allows us to overwrite an entry in the GOT to redirect execution to a print flag function.
graphicsmagick
GraphicsMagick Information Disclosure when Describing IPTC Profile (CVE-2017-16353)
A heap-based buffer overread in the code responsible for printing IPTC information verbosely allows an attacker to leak sensitive information by supplying a ...
GraphicsMagick Heap Overflow when Describing Directories (CVE-2017-16352)
An unsafe call to strncpy in magick/describe.c causes a heap overflow when describing images with overly long directories. The vulnerable code path can be tr...
GraphicsMagick NULL Pointer Dereference in DICOM Decoder (CVE-2017-14994)
A null pointer dereference vulnerability in the GraphicsMagick DICOM image decoder allows an attacker to cause a denial-of-service condition or other unspeci...
hackim2016
HackIM 2016 Case Study
The Dystopian Narwhals played in the HackIM 2016 CTF organised by Nullcon the last weekend and I must say, it was the most controversial ones I’ve ever exper...
hacklu2012
Hack.lu CTF 2012 - Big Zombie Business
It’s a disaster! Not only that these useless piles of rotten meat obfuscate all their stupid code, they have also lost our precious root password, or “Flag” ...
Hack.lu CTF 2012 - Zombie AV
Some people try to fight the zombie apocalypse by selling pseudo antidote. We need the secret formula in config.php to destroy their snake oil business…
Hack.lu CTF 2012 - Nerd Safehouse
“Try solving the annoying puzzle at https://ctf.fluxfingers.net:2074/ or zombies will eat your soul!”
Hack.lu CTF 2012 - Mini Zombie Business
As time passes by and the zombie apocalypse seems to stay for a while businesses have to adapt to survive. Food store chains offer brains and biscuits for th...
hacklu2015
Hack.lu CTF 2015 - Creative Cheating (Crypto 150)
Analyse a given PCAP for some secret communication between Alice and Bob and determine which messages contain a valid signature.
hackyou2012
Hack You CTF 2012 Writeups
The CTF was really enjoyable. Really great casual atmosphere to it. Too bad we only really caught the last couple of days. Really looking forward to the next...
Hack You CTF 2012 - Pentagon (WEB100)
Note: images and files are missing in this blogpost. To solve the puzzle, we had to obtain the password to a ‘Pentagon’ site relying on Javascript authentica...
Hack You CTF 2012 - Halloween (STG200)
Note: images are missing in this blog post. The only piece of the puzzle we were given was an image file. The distinguishing feature for this picture is that...
Hack You CTF 2012 - Stego 100
In this challenge, we were given the a large amount of text in a file. The entire text may be found at the end of this blog post.
Hack You CTF 2012 - Reverse 200
A zip file containing an ELF binary and Windows executable file was given to us. We need not care about the Windows executable as both the ELF binary and the...
Hack You CTF 2012 - Reverse 100
In this puzzle, a C source file was given to us.
Hack You CTF 2012 - Packets 200
In this task, we are supposed to answer the question: “What’s the md5 of the file being transferred?”. We are given another capture file, this time containin...
Hack You CTF 2012 - Packets 100
We are given an objective for the packets series: “Part 1. Find the secret link in this conversation.” We have a .pcap capture file and we simply apply a fil...
Hack You CTF 2012 - Schneier’s Algorithm (CRY100)
We didn’t solve this puzzle and submit the flag in time, but when we did… well it was a huge reminder not to overthink things.
Hack You CTF 2012 - HugeCaptcha (PPC100)
PPC100 is a puzzle that requires some degree of scripting. To obtain the flag, we have to add up the two large numbers given and submit the result through PO...
heapoverflow
GraphicsMagick Heap Overflow when Describing Directories (CVE-2017-16352)
An unsafe call to strncpy in magick/describe.c causes a heap overflow when describing images with overly long directories. The vulnerable code path can be tr...
historical
HITB 2012 Kuala Lumpur CTF
In 2012, the team Nandy Narwhals consisting of Hiromi and I competed at the Hack in the Box 2012 CTF in Kuala Lumpur. Our team managed a decent 3rd position ...
hitb
HITB 2012 Kuala Lumpur CTF
In 2012, the team Nandy Narwhals consisting of Hiromi and I competed at the Hack in the Box 2012 CTF in Kuala Lumpur. Our team managed a decent 3rd position ...
hitbgsec2017
HITBGSEC CTF 2017
I participated with the NUS Greyhats in this year’s HITBGSEC CTF 2017. It was organised by the HITB Netherlands CTF team and the XCTF League crew. It ran ext...
HITBGSEC CTF 2017 - Pasty (Web)
JSON Web Tokens have no means of authenticating the header and thus can be abused to manipulate the server into verifying a forged signed message with a key ...
HITBGSEC CTF 2017 - flying high (Misc)
UBIFS images are recovered from a crashed drone and the flag is included in the video of the drone’s last moments.
HITBGSEC CTF 2017 - arrdeepee (Misc)
Extracting the private key into a PEM file from a PKCS12 file transmitted over UDP allows the investigator to decrypt an RDP session and recover some secret ...
HITBGSEC CTF 2017 - 1000levels (Pwn)
Uninitialised variable usage allows for reliable exploitation of a classic stack overflow on a NX and PIE enabled binary using gadgets from the vsyscall page...
hitbgsecquals2018
HITB GSEC Qualifiers 2018 - Upload (Web)
The FindFirstFile() function in the Windows API can cause odd behaviour in PHP applications running on Windows. We leverage this to leak information about th...
HITB GSEC Qualifiers 2018 - Read File (Misc)
Arbitrary shell commands can be created by using only punctuation in a service that filters all characters except for punctuation.
HITB GSEC Qualifiers 2018 - Baby Pwn (Pwn)
Using a format string attack on a remote server, an attacker can leverage certain data structures present in a running Linux process to ascertain key address...
HITB GSEC Qualifiers 2018 - Baby Nya (Web)
An exposed Apache JServ Protocol server allows an attacker to proxy requests to Tomcat server running Jolokia. The Jolokia instance allows the attacker to cr...
HITB GSEC Qualifiers 2018 - Baby Baby (Web)
An exposed Kubelets port in a vulnerable deployment allows an attacker to run commands without authentication remotely within containers.
hitconquals2015
HITCON 2015 Qualifiers - Piranha Gun (Stego)
Directory contents are hidden with a mount.
HITCON 2015 Qualifiers - Hard to Say (Misc)
Execute arbitrary non-alphanumeric ruby code with length limitations.
html
STACK 2020 - FWO FWF (Misc)
Summary: Three different individual messages are encoded within HTML via their classes and their styled visibilities.
hxp
HXP 2021 - unzipper (Web)
Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...
HXP 2021 - Log 4 Sanity Check (Misc)
Summary: Exploit log4j vulnerability to leak environment variables.
HXP 2021 - Gipfel (Crypto)
Summary: Choosing the value of the prime modulus - 1 as the base in a pseudo Diffie Hellman key exchange scheme allows setting a shared value to 1. When this...
HXP 2021 - brie man (Misc)
Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.
i2c
STACK 2020 - IOT RSA Token (IOT)
Summary: An I2C trace of a probed 16x2 LCD screen is provided in which credentials containing a usernames, passwords, and a SecurID key can be extracted.
infoleak
GraphicsMagick Information Disclosure when Describing IPTC Profile (CVE-2017-16353)
A heap-based buffer overread in the code responsible for printing IPTC information verbosely allows an attacker to leak sensitive information by supplying a ...
integeroverflow
MuPDF mutools Out-of-Bounds Write Vulnerability (CVE-2017-15587)
A vulnerability in mutools PDF parsing functionality allows an attacker to write controlled data to an arbitrary location in memory due to an integer overflo...
iot
STACK 2020 - The Suspicious Frequency Monitoring Alert (IOT)
Summary: Malformed IEEE 802.11 RSN tags within select beacon frames are used as a means of encoding hidden data.
STACK 2020 - IOT RSA Token (IOT)
Summary: An I2C trace of a probed 16x2 LCD screen is provided in which credentials containing a usernames, passwords, and a SecurID key can be extracted.
STACK 2020 - I Smell Updates (IOT)
Summary: An ARM crackme is transferred over Bluetooth. Extracting the binary allows us to apply angr to it to automatically find the flag.
java
HXP 2021 - Log 4 Sanity Check (Misc)
Summary: Exploit log4j vulnerability to leak environment variables.
lcd
STACK 2020 - IOT RSA Token (IOT)
Summary: An I2C trace of a probed 16x2 LCD screen is provided in which credentials containing a usernames, passwords, and a SecurID key can be extracted.
log4j
HXP 2021 - Log 4 Sanity Check (Misc)
Summary: Exploit log4j vulnerability to leak environment variables.
machine learning
STACK 2020 - Emmel (Misc)
Summary: Provide an image that satisfies an image classifier to obtain the flag.
magic
Cyberpeace 2022 - Crysys (Pwn)
Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...
TetCTF 2022 - Newbie (Pwn)
Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...
malloc
Sieberrsec 3.0 CTF (2021) - Malloc (Pwn)
Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write t...
memory dump
STACK 2020 - Walking Down Memory Lane (Forensics)
Summary: Analysing the provided memory dump yields a hosted PNG file containing a steganographic message.
mesos
Denial of Service Vulnerability in Libprocess (CVE-2017-9790)
A vulnerability in the libprocess dependency of Mesos allows a remote attacker to cause a crash in any Mesos component that includes the library. The bug res...
Denial of Service Vulnerability in Libprocess (CVE-2017-7687)
A vulnerability in the libprocess dependency of Mesos allows a remote attacker to cause a crash in any Mesos component that includes the library. The bug res...
metaclasses
BALSN CTF 2021 - Metaeasy (Misc)
Summary: Bypass the restrictions of a Python jail to gain access to a get flag function within an impossible-to-instantiate metaclass class.
midnightsun2018
Midnight Sun 2018 - Jeil (Pwn)
Javascript jail challenge that filters most Javascript special symbols and alphabets.
Midnight Sun 2018 - Botpanel (Pwn)
Multiple vulnerabilties involving formats strings and unsafe threaded access to shared variables in a 32 bit ELF binary allows an attacker to obtain remote c...
Midnight Sun 2018 - Babyshells (Pwn)
Exploiting the same ‘vulnerable’ binary on three different architectures: x86, ARM, MIPS.
mimikatz
Sieberrsec 3.0 CTF (2021) - Digging in the Dump (Forensics)
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
misc
Sieberrsec 3.0 CTF (2021) - Can You Math It? (Misc)
Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.
HXP 2021 - Log 4 Sanity Check (Misc)
Summary: Exploit log4j vulnerability to leak environment variables.
HXP 2021 - brie man (Misc)
Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.
VULNCON CTF 2021
Summary: I played VULNCON CTF 2021 for a couple of hours and solved a few challenges. Here are the quick solutions to the few challenges that were solved.
TISC 2021 - 1865 Text Adventure (Creator’s Writeup)
This challenge was created for The InfoSecurity Challenge (TISC) 2021 organised by the Centre for Strategic Infocomm Technologies (CSIT). It was the 9th leve...
BALSN CTF 2021 - Metaeasy (Misc)
Summary: Bypass the restrictions of a Python jail to gain access to a get flag function within an impossible-to-instantiate metaclass class.
STACK 2020 - FWO FWF (Misc)
Summary: Three different individual messages are encoded within HTML via their classes and their styled visibilities.
STACK 2020 - Emmel (Misc)
Summary: Provide an image that satisfies an image classifier to obtain the flag.
HITB GSEC Qualifiers 2018 - Read File (Misc)
Arbitrary shell commands can be created by using only punctuation in a service that filters all characters except for punctuation.
32C3CTF - Gurke (Misc 300)
Remote code execution in a seccomp protected python service requiring manipulating python internals to retrieve the flag in memory.
HITCON 2015 Qualifiers - Hard to Say (Misc)
Execute arbitrary non-alphanumeric ruby code with length limitations.
ASIS CTF Finals 2015 - Flag Hunter (Misc)
Use of the X-Forwarded-For header allows an attacker to fake country of origin to collect flags.
PoliCTF 2015 - Hard Interview (Grab Bag 50)
Simulated shell environment lets you pretend to be Hugh Jackman in Swordfish.
Wargames.my 2015 - Slice of Life (Misc)
The challenge site returns a HTTP response containing an SVG. The HTTP response is reversed.
SECCON CTF 2014 - Welcome to SECCON (Start)
Sanity check challenge.
QIWICTF 2014 - Stolen Prototype (Misc100)
This is a stolen application of super-duper payment system. But this is broken piece of cake, completely broken =(
PoliCTF 2012 - Grab Bag 300
Find the key.
miscellaneous
Singapore Cyber Conquest 2017 - Jail (Misc)
Simple ruby jail challenge with a failing blacklist that deletes common methods that allow for arbitrary command execution.
mupdf
MuPDF mutools Out-of-Bounds Write Vulnerability (CVE-2017-15587)
A vulnerability in mutools PDF parsing functionality allows an attacker to write controlled data to an arbitrary location in memory due to an integer overflo...
network
Hack You CTF 2012 - Packets 200
In this task, we are supposed to answer the question: “What’s the md5 of the file being transferred?”. We are given another capture file, this time containin...
Hack You CTF 2012 - Packets 100
We are given an objective for the packets series: “Part 1. Find the secret link in this conversation.” We have a .pcap capture file and we simply apply a fil...
null dereference
Sieberrsec 3.0 CTF (2021) - Malloc (Pwn)
Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write t...
outofboundswrite
MuPDF mutools Out-of-Bounds Write Vulnerability (CVE-2017-15587)
A vulnerability in mutools PDF parsing functionality allows an attacker to write controlled data to an arbitrary location in memory due to an integer overflo...
partial write
Sieberrsec 3.0 CTF (2021) - Turbo Fast Crypto (Crypto/Pwn)
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
php
HXP 2021 - unzipper (Web)
Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...
polictf2012
PoliCTF 2012 - Grab Bag 300
Find the key.
PoliCTF 2012 - Bin-Pwn 400
Alien Technologies.
PoliCTF 2012 - Bin-Pwn 200
Play with this amazing calculator: calc.challenges.polictf.it:4000
PoliCTF 2012 - Bin-Pwn 100
Retrieve the key.
polictf2015
PoliCTF 2015 - John Pastry Shop (Pwnable 100)
Fake a valid cake object containing arbitrary ingredients to a bakery service by modifying decompiled Java bytecode and resigning the JAR with spoofed creden...
PoliCTF 2015 - It’s Hungry (Forensics 100)
A troll challenge that required you to transcribe a melody on a hidden area of the website.
PoliCTF 2015
Dystopian Narwhals participated in PoliCTF 2015, and it was a lot of fun. The challenges were challenging, yet engaging and we ended up with a score of 1258 ...
PoliCTF 2015 - Hard Interview (Grab Bag 50)
Simulated shell environment lets you pretend to be Hugh Jackman in Swordfish.
PoliCTF 2015 - Hanoi as a Service (Pwnable 50)
Remote prolog application to solve the Tower of Hanoi problem is vulnerable to remote code execution by injecting Prolog code.
PoliCTF 2015 - Exorcise (Crypto 50)
Simple challenge involving XORing.
programming
Wargames.my 2015 - Foo Soo Rah (Brute)
We are given an IP address:port pair and told to bruteforce smartly.
DEFCON CTF Qualifiers 2015 - MathWhiz (Baby’s First)
Simple programming challenge in which you had to solve equations in different formats.
Hack You CTF 2012 - HugeCaptcha (PPC100)
PPC100 is a puzzle that requires some degree of scripting. To obtain the flag, we have to add up the two large numbers given and submit the result through PO...
pwn
Cyberpeace 2022 - Crysys (Pwn)
Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...
TetCTF 2022 - Newbie (Pwn)
Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...
TetCTF 2022 - EzFlag (Web/Pwn)
Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...
Sieberrsec 3.0 CTF (2021) - Turbo Fast Crypto (Crypto/Pwn)
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
Sieberrsec 3.0 CTF (2021) - Malloc (Pwn)
Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write t...
VULNCON CTF 2021
Summary: I played VULNCON CTF 2021 for a couple of hours and solved a few challenges. Here are the quick solutions to the few challenges that were solved.
TISC 2021 - 1865 Text Adventure (Creator’s Writeup)
This challenge was created for The InfoSecurity Challenge (TISC) 2021 organised by the Centre for Strategic Infocomm Technologies (CSIT). It was the 9th leve...
STACK 2020 - Beta Reporting (Pwn)
Summary: A format string attack allows us to overwrite an entry in the GOT to redirect execution to a print flag function.
CSIT - The InfoSecurity Challenge (TISC) 2020 Writeups
Writeups for the TISC 2020 CTF organised by CSIT.
BSides SF CTF 2018 - Rotaluklak (Pwn)
Escape python jail.
BSides SF CTF 2018 - Gorribler (Pwn)
Execute arbitrary shellcode by writing to the buffer by calculating values that provide the right values when simulating a projectile’s trajectory.
Midnight Sun 2018 - Jeil (Pwn)
Javascript jail challenge that filters most Javascript special symbols and alphabets.
Midnight Sun 2018 - Botpanel (Pwn)
Multiple vulnerabilties involving formats strings and unsafe threaded access to shared variables in a 32 bit ELF binary allows an attacker to obtain remote c...
Midnight Sun 2018 - Babyshells (Pwn)
Exploiting the same ‘vulnerable’ binary on three different architectures: x86, ARM, MIPS.
HITB GSEC Qualifiers 2018 - Baby Pwn (Pwn)
Using a format string attack on a remote server, an attacker can leverage certain data structures present in a running Linux process to ascertain key address...
Bypassing ASLR/NX with Ret2Libc and Named Pipes
This writeup describes my solution to an assignment for school requiring us to exploit a classic buffer overflow to gain a shell using return-to-libc techniq...
Singapore Cyber Conquest 2017 - Case Converter (Pwn)
Simple stack overflow with a statically compiled binary can be exploited with a generated execve ROP chain. The ROP chain has to be split up into multiple st...
HITBGSEC CTF 2017 - 1000levels (Pwn)
Uninitialised variable usage allows for reliable exploitation of a classic stack overflow on a NX and PIE enabled binary using gadgets from the vsyscall page...
CTF(x) 2016 - guesslength (Binary)
Overwriting a null byte in a buffer causes printf to print sensitive struct data.
CTF(x) 2016 - Dat Boinary (Binary)
Off-by-one error allows overwrite of a null byte that allows for a struct to be completely filled with non-null bytes which tricks strlen into returning a la...
32C3CTF - Teufel (Pwn 200)
Exploit a tiny binary with an extremely customised memory mapping with an infoleak leading to libc disclosure and jump to magic shell address.
32C3CTF - Readme (Pwn 200)
Abuse the stack smashing protector infoleak vulnerability to leak the flag.
32C3CTF - Forth (Pwn 150)
Remote code execution with a code injection vulnerability in a Forth interpreter.
ASIS CTF Finals 2015 - Shop 1 (Pwn)
An off-by-one error allows an attacker to leak return codes from memcmp to determine the difference in the supplied byte and the compared byte to leak the fl...
PoliCTF 2015 - John Pastry Shop (Pwnable 100)
Fake a valid cake object containing arbitrary ingredients to a bakery service by modifying decompiled Java bytecode and resigning the JAR with spoofed creden...
PoliCTF 2015 - Hanoi as a Service (Pwnable 50)
Remote prolog application to solve the Tower of Hanoi problem is vulnerable to remote code execution by injecting Prolog code.
QIWICTF 2014 - Bajutsu (Pwn100)
cat flag on port 2222 at qiwictf2014.ru
PoliCTF 2012 - Bin-Pwn 400
Alien Technologies.
PoliCTF 2012 - Bin-Pwn 200
Play with this amazing calculator: calc.challenges.polictf.it:4000
PoliCTF 2012 - Bin-Pwn 100
Retrieve the key.
CSCAMP CTF 2012 - Exploit 400
We solved the post-patch version of this binary.
CSCAMP CTF 2012 - Exploit 200
This binary is vulnerable to a buffer overflow in the strncpy function called in the main function with user supplied input. It takes in two arguments, argum...
CSCAMP CTF 2012 - Exploit 100
This was more of a reversing puzzle than an exploitation one. The binary accepts a parameter as a password. It checks if the password is correct and cats the...
python
BALSN CTF 2021 - Metaeasy (Misc)
Summary: Bypass the restrictions of a Python jail to gain access to a get flag function within an impossible-to-instantiate metaclass class.
python native
Sieberrsec 3.0 CTF (2021) - Turbo Fast Crypto (Crypto/Pwn)
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
qiwictf2014
QIWICTF 2014 - Stolen Prototype (Misc100)
This is a stolen application of super-duper payment system. But this is broken piece of cake, completely broken =(
QIWICTF 2014 - Bajutsu (Pwn100)
cat flag on port 2222 at qiwictf2014.ru
rce
HXP 2021 - brie man (Misc)
Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.
realpath
HXP 2021 - unzipper (Web)
Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...
registry
STACK 2020 - Corrupted Hive (Forensics)
Summary: Data hdiden within a corrupt Windows registry hive contains an Base64-encoded guessable flag.
return-to-libc
Bypassing ASLR/NX with Ret2Libc and Named Pipes
This writeup describes my solution to an assignment for school requiring us to exploit a classic buffer overflow to gain a shell using return-to-libc techniq...
reverse
VULNCON CTF 2021
Summary: I played VULNCON CTF 2021 for a couple of hours and solved a few challenges. Here are the quick solutions to the few challenges that were solved.
reverse engineering
CSIT - The InfoSecurity Challenge (TISC) 2020 Writeups
Writeups for the TISC 2020 CTF organised by CSIT.
reversing
Singapore Cyber Conquest 2017 - REV1 (Reversing)
Simple crackme style binary solved with a simple angr script.
DEFCON CTF Qualifiers 2015 - Access Control (Reversing)
Reverse engineer a server binary to determine how to interact with it and write a client.
9447 CTF 2014 - No Strings Attached (Reversing)
A crack me that decrypts the password into a wide length string in memory.
9447 CTF 2014 - insanity check (Reversing)
Simple sanity check reversing challenge with flag in strings.
CSCAMP CTF 2014 - ELF2 (Reversing 100)
We are given the following binary to reverse: elf2. (It’s a zipped file)
TKBCTF 4 - Just Do It
We were given a x86-64 Windows PE binary to reverse.
Hack You CTF 2012 - Reverse 200
A zip file containing an ELF binary and Windows executable file was given to us. We need not care about the Windows executable as both the ELF binary and the...
Hack You CTF 2012 - Reverse 100
In this puzzle, a C source file was given to us.
review
HackIM 2016 Case Study
The Dystopian Narwhals played in the HackIM 2016 CTF organised by Nullcon the last weekend and I must say, it was the most controversial ones I’ve ever exper...
rop
TetCTF 2022 - EzFlag (Web/Pwn)
Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...
sage
HXP 2021 - brie man (Misc)
Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.
scc2017
Singapore Cyber Conquest 2017
The NUS Greyhats played in the Singapore Cyber Conquest 2017 held at the GovWare 2017 conference as part of the Singapore International Cyber week. Two of ou...
Singapore Cyber Conquest 2017 - Web 3 (Web)
Using the SQL injection vulnerability to write a PHP file to the disk and executing it with a local file inclusion vulnerability gives remote code execution.
Singapore Cyber Conquest 2017 - Web 2 (Web)
Standard SQL injection challenge in which dumping out the data in the database reveals the flag.
Singapore Cyber Conquest 2017 - Web 1 (Web)
Loose comparisons in PHP allow an attacker to bypass authentication.
Singapore Cyber Conquest 2017 - REV1 (Reversing)
Simple crackme style binary solved with a simple angr script.
Singapore Cyber Conquest 2017 - Jail (Misc)
Simple ruby jail challenge with a failing blacklist that deletes common methods that allow for arbitrary command execution.
Singapore Cyber Conquest 2017 - Case Converter (Pwn)
Simple stack overflow with a statically compiled binary can be exploited with a generated execve ROP chain. The ROP chain has to be split up into multiple st...
scriptingforctfs
Scripting for CTFs - Basic File Operations
Reading, writing, and some in-between.
Scripting for CTFs - A New Tutorial Series
A new tutorial series to teach useful programming skills for CTFs.
seccon2014
SECCON CTF 2014 - Welcome to SECCON (Start)
Sanity check challenge.
SECCON CTF 2014 - Easy Cipher (Crypto)
The flag was embedded in a message that was encoded into different number bases from ASCII.
sieberrsec
Sieberrsec 3.0 CTF (2021) - Turbo Fast Crypto (Crypto/Pwn)
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
Sieberrsec 3.0 CTF (2021) - totallyfoolproofcrypto (Crypto)
Summary: Standard byte-by-byte ECB oracle decryption.
Sieberrsec 3.0 CTF (2021) - Malloc (Pwn)
Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write t...
Sieberrsec 3.0 CTF (2021) - Digging in the Dump (Forensics)
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
Sieberrsec 3.0 CTF (2021) - Diffie’s Key Exchange 2 (Crypto)
Summary: Applying the small subgroup attack in a pseudo Diffie Hellman key exchange scheme that does not give the public A value allows for an attacker to co...
Sieberrsec 3.0 CTF (2021) - Can You Math It? (Misc)
Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.
sieberrsec3.0
Sieberrsec 3.0 CTF (2021) - Turbo Fast Crypto (Crypto/Pwn)
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
Sieberrsec 3.0 CTF (2021) - totallyfoolproofcrypto (Crypto)
Summary: Standard byte-by-byte ECB oracle decryption.
Sieberrsec 3.0 CTF (2021) - Malloc (Pwn)
Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write t...
Sieberrsec 3.0 CTF (2021) - Digging in the Dump (Forensics)
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
Sieberrsec 3.0 CTF (2021) - Diffie’s Key Exchange 2 (Crypto)
Summary: Applying the small subgroup attack in a pseudo Diffie Hellman key exchange scheme that does not give the public A value allows for an attacker to co...
Sieberrsec 3.0 CTF (2021) - Can You Math It? (Misc)
Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.
singapore
ASEAN Cyber SEA Game 2021
Summary: The Singapore team competed at the ASEAN Cyber SEA Game 2021 organised by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) and achiev...
small subgroup attack
Sieberrsec 3.0 CTF (2021) - Diffie’s Key Exchange 2 (Crypto)
Summary: Applying the small subgroup attack in a pseudo Diffie Hellman key exchange scheme that does not give the public A value allows for an attacker to co...
srand
Cyberpeace 2022 - Crysys (Pwn)
Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...
TetCTF 2022 - Newbie (Pwn)
Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...
stack
STACK 2020 - Third Place and Writeups
Summary: Our team achieved third place in the GovTech organised STACK 2020 competition.
STACK 2020 - Walking Down Memory Lane (Forensics)
Summary: Analysing the provided memory dump yields a hosted PNG file containing a steganographic message.
STACK 2020 - The Suspicious Frequency Monitoring Alert (IOT)
Summary: Malformed IEEE 802.11 RSN tags within select beacon frames are used as a means of encoding hidden data.
STACK 2020 - IOT RSA Token (IOT)
Summary: An I2C trace of a probed 16x2 LCD screen is provided in which credentials containing a usernames, passwords, and a SecurID key can be extracted.
STACK 2020 - I Smell Updates (IOT)
Summary: An ARM crackme is transferred over Bluetooth. Extracting the binary allows us to apply angr to it to automatically find the flag.
STACK 2020 - FWO FWF (Misc)
Summary: Three different individual messages are encoded within HTML via their classes and their styled visibilities.
STACK 2020 - Emmel (Misc)
Summary: Provide an image that satisfies an image classifier to obtain the flag.
STACK 2020 - Corrupted Hive (Forensics)
Summary: Data hdiden within a corrupt Windows registry hive contains an Base64-encoded guessable flag.
STACK 2020 - Beta Reporting (Pwn)
Summary: A format string attack allows us to overwrite an entry in the GOT to redirect execution to a print flag function.
stack canary
Cyberpeace 2022 - Crysys (Pwn)
Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...
TetCTF 2022 - Newbie (Pwn)
Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...
steganography
STACK 2020 - Walking Down Memory Lane (Forensics)
Summary: Analysing the provided memory dump yields a hosted PNG file containing a steganographic message.
HITCON 2015 Qualifiers - Piranha Gun (Stego)
Directory contents are hidden with a mount.
CSCAMP 2014 - netcat, cryptcat Who cares? (STG100)
the solution is the md5 of the decrypted file
TKBCTF 4 - Monochrome Bar
The only steganography challenge in TKBCTF4 and its only worth 100 points.
Hack You CTF 2012 - Halloween (STG200)
Note: images are missing in this blog post. The only piece of the puzzle we were given was an image file. The distinguishing feature for this picture is that...
Hack You CTF 2012 - Stego 100
In this challenge, we were given the a large amount of text in a file. The entire text may be found at the end of this blog post.
sticky
TISC 2021 - 1865 Text Adventure (Creator’s Writeup)
This challenge was created for The InfoSecurity Challenge (TISC) 2021 organised by the Centre for Strategic Infocomm Technologies (CSIT). It was the 9th leve...
NUS Greyhats at CDDC 2015 and (Almost) Epic Mass Exploitation
The Cyber Defenders Discovery Camp 2015 is an introductory computer security workshop slash competition targeted at students at the JC and IHL levels. This i...
tetctf
Cyberpeace 2022 - Crysys (Pwn)
Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...
TetCTF 2022 - Newbie (Pwn)
Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...
TetCTF 2022 - EzFlag (Web/Pwn)
Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...
tetctf2022
Cyberpeace 2022 - Crysys (Pwn)
Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...
TetCTF 2022 - Newbie (Pwn)
Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...
TetCTF 2022 - EzFlag (Web/Pwn)
Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...
tisc
TISC 2021 - 1865 Text Adventure (Creator’s Writeup)
This challenge was created for The InfoSecurity Challenge (TISC) 2021 organised by the Centre for Strategic Infocomm Technologies (CSIT). It was the 9th leve...
CSIT - The InfoSecurity Challenge (TISC) 2020 Writeups
Writeups for the TISC 2020 CTF organised by CSIT.
tkbctf4
TKBCTF 4 - rand
First Javascript challenge released out of 2 Javascript challenges.
TKBCTF 4 - Monochrome Bar
The only steganography challenge in TKBCTF4 and its only worth 100 points.
TKBCTF 4 - Just Do It
We were given a x86-64 Windows PE binary to reverse.
TKBCTF 4 - args
Second javascript challenge for the CTF. Similar in concept to the previous javascript challenge, rand, you are given a Sandboxed node.js REPL to play with.
trendmicro2015
TrendMicro CTF 2015 - Crypto 200
Recover the IV of an AES operation by utilising imperfect knowledge of the key and encrypted output.
trivia
Wargames.my 2015 - Trivia
We are given an image of TV5 Monde.
tutorial
Scripting for CTFs - Basic File Operations
Reading, writing, and some in-between.
Scripting for CTFs - A New Tutorial Series
A new tutorial series to teach useful programming skills for CTFs.
vulncon
VULNCON CTF 2021
Summary: I played VULNCON CTF 2021 for a couple of hours and solved a few challenges. Here are the quick solutions to the few challenges that were solved.
vulnresearch
GraphicsMagick Information Disclosure when Describing IPTC Profile (CVE-2017-16353)
A heap-based buffer overread in the code responsible for printing IPTC information verbosely allows an attacker to leak sensitive information by supplying a ...
GraphicsMagick Heap Overflow when Describing Directories (CVE-2017-16352)
An unsafe call to strncpy in magick/describe.c causes a heap overflow when describing images with overly long directories. The vulnerable code path can be tr...
MuPDF mutools Out-of-Bounds Write Vulnerability (CVE-2017-15587)
A vulnerability in mutools PDF parsing functionality allows an attacker to write controlled data to an arbitrary location in memory due to an integer overflo...
Denial of Service Vulnerability in Libprocess (CVE-2017-9790)
A vulnerability in the libprocess dependency of Mesos allows a remote attacker to cause a crash in any Mesos component that includes the library. The bug res...
Denial of Service Vulnerability in Libprocess (CVE-2017-7687)
A vulnerability in the libprocess dependency of Mesos allows a remote attacker to cause a crash in any Mesos component that includes the library. The bug res...
GraphicsMagick NULL Pointer Dereference in DICOM Decoder (CVE-2017-14994)
A null pointer dereference vulnerability in the GraphicsMagick DICOM image decoder allows an attacker to cause a denial-of-service condition or other unspeci...
Bypassing ASLR/NX with Ret2Libc and Named Pipes
This writeup describes my solution to an assignment for school requiring us to exploit a classic buffer overflow to gain a shell using return-to-libc techniq...
Bugs that Address Sanitizer Does Not Detect
A lab for school required us to design 3 examples of memory bugs that are not detected by Address Sanitizer. I thought it was a pretty informative exercise s...
CVE-2016-10190 Detailed Writeup
FFmpeg is a popular free software project that develops libraries and programs for manipulating audio, video, and image data. The vulnerability exists in the...
wargamesmy2016
Wargames.my 2015 - Trivia
We are given an image of TV5 Monde.
Wargames.my 2015 - Slice of Life (Misc)
The challenge site returns a HTTP response containing an SVG. The HTTP response is reversed.
Wargames.my 2015 - Foo Soo Rah (Brute)
We are given an IP address:port pair and told to bruteforce smartly.
web
TetCTF 2022 - EzFlag (Web/Pwn)
Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...
HXP 2021 - unzipper (Web)
Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...
TISC 2021 - 1865 Text Adventure (Creator’s Writeup)
This challenge was created for The InfoSecurity Challenge (TISC) 2021 organised by the Centre for Strategic Infocomm Technologies (CSIT). It was the 9th leve...
HITB GSEC Qualifiers 2018 - Upload (Web)
The FindFirstFile() function in the Windows API can cause odd behaviour in PHP applications running on Windows. We leverage this to leak information about th...
HITB GSEC Qualifiers 2018 - Baby Nya (Web)
An exposed Apache JServ Protocol server allows an attacker to proxy requests to Tomcat server running Jolokia. The Jolokia instance allows the attacker to cr...
HITB GSEC Qualifiers 2018 - Baby Baby (Web)
An exposed Kubelets port in a vulnerable deployment allows an attacker to run commands without authentication remotely within containers.
Singapore Cyber Conquest 2017 - Web 3 (Web)
Using the SQL injection vulnerability to write a PHP file to the disk and executing it with a local file inclusion vulnerability gives remote code execution.
Singapore Cyber Conquest 2017 - Web 2 (Web)
Standard SQL injection challenge in which dumping out the data in the database reveals the flag.
Singapore Cyber Conquest 2017 - Web 1 (Web)
Loose comparisons in PHP allow an attacker to bypass authentication.
HITBGSEC CTF 2017 - Pasty (Web)
JSON Web Tokens have no means of authenticating the header and thus can be abused to manipulate the server into verifying a forged signed message with a key ...
CTF(x) 2016 - North Korea (Web)
Fake an originating IP address from North Korea using the X-Forwarded-For header.
CTF(x) 2016 - Harambe Hub (Web)
Use of String.match as opposed to String.equals in Java allows an attacker to recover sensitive input such as an admin username character by character with r...
X-CTF 2016 - The Snek (Web)
PHP local file inclusion vulnerability leads to source code disclosure revealing python code vulnerable to a hash extension attack allowing an attacker to fa...
32C3CTF - TinyHosting (Web 250)
A PHP service that allows uploading of small files (<= 7 bytes) with arbitrary filenames within a browsable path.
32C3CTF - Kummerkasten (Web 300)
Steal the password and TOTP token from an admin using cross-site scripting.
ASIS CTF Finals 2015 - Myblog (Web)
Server-side request forgery in a PDF page printer service in PHP leading to disclosure of secrets in a server-side PHP source code.
ASIS CTF Finals 2015 - Impossible (Web)
Type juggling in PHP’s weak comparison operator (==) allows an attacker to generate passwords to an administrator account and bypass the original MD5 hashing...
CSCAMP CTF 2014 - I Hate Time (Web)
Remote code execution by injecting python code into a Python WSGI server.
CSCAMP CTF 2014 - 7amama Book (Web)
Insecure direct object reference allows changing of password of another user.
TKBCTF 4 - rand
First Javascript challenge released out of 2 Javascript challenges.
TKBCTF 4 - args
Second javascript challenge for the CTF. Similar in concept to the previous javascript challenge, rand, you are given a Sandboxed node.js REPL to play with.
CSCAMP CTF 2012 - Web300
In this challenge, an image divided into blocks has its blocks scrambled not unlike a sliding block puzzle (http://en.wikipedia.org/wiki/Sliding_puzzle). The...
CSCAMP CTF 2012 - Web200
In this puzzle, you had to evaluate an equation encoded in base64 in an array structure consisting of values and operands hidden in a custom header. The obje...
CSCAMP CTF 2012 - Web100
This challenge required you to log in as any valid account.
Hack.lu CTF 2012 - Big Zombie Business
It’s a disaster! Not only that these useless piles of rotten meat obfuscate all their stupid code, they have also lost our precious root password, or “Flag” ...
Hack.lu CTF 2012 - Zombie AV
Some people try to fight the zombie apocalypse by selling pseudo antidote. We need the secret formula in config.php to destroy their snake oil business…
Hack.lu CTF 2012 - Nerd Safehouse
“Try solving the annoying puzzle at https://ctf.fluxfingers.net:2074/ or zombies will eat your soul!”
Hack.lu CTF 2012 - Mini Zombie Business
As time passes by and the zombie apocalypse seems to stay for a while businesses have to adapt to survive. Food store chains offer brains and biscuits for th...
Hack You CTF 2012 - Pentagon (WEB100)
Note: images and files are missing in this blogpost. To solve the puzzle, we had to obtain the password to a ‘Pentagon’ site relying on Javascript authentica...
website
The Nandy Narwhals Blog Gets Another New Look!
We’ve moved from our old Wordpress blog to a new one hosted on Github Pages powered by Jekyll and Minimal Mistakes!
NUS Greyhats at CDDC 2015 and (Almost) Epic Mass Exploitation
The Cyber Defenders Discovery Camp 2015 is an introductory computer security workshop slash competition targeted at students at the JC and IHL levels. This i...
Scripting for CTFs - Basic File Operations
Reading, writing, and some in-between.
Scripting for CTFs - A New Tutorial Series
A new tutorial series to teach useful programming skills for CTFs.
New Look for Nandy Narwhals!
Nandy Narwhals gets a new look! We should be putting out tutorials in addition to our write-ups very soon!
Hello World!
Back in May 2012, the first post by Hiromi was “NANDNANDNANDNAND”.
windows
Sieberrsec 3.0 CTF (2021) - Digging in the Dump (Forensics)
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
wlan
STACK 2020 - The Suspicious Frequency Monitoring Alert (IOT)
Summary: Malformed IEEE 802.11 RSN tags within select beacon frames are used as a means of encoding hidden data.
writeup
Cyberpeace 2022 - Crysys (Pwn)
Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...
TetCTF 2022 - Newbie (Pwn)
Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...
TetCTF 2022 - EzFlag (Web/Pwn)
Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...
Sieberrsec 3.0 CTF (2021) - Turbo Fast Crypto (Crypto/Pwn)
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
Sieberrsec 3.0 CTF (2021) - totallyfoolproofcrypto (Crypto)
Summary: Standard byte-by-byte ECB oracle decryption.
Sieberrsec 3.0 CTF (2021) - Malloc (Pwn)
Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write t...
Sieberrsec 3.0 CTF (2021) - Digging in the Dump (Forensics)
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
Sieberrsec 3.0 CTF (2021) - Diffie’s Key Exchange 2 (Crypto)
Summary: Applying the small subgroup attack in a pseudo Diffie Hellman key exchange scheme that does not give the public A value allows for an attacker to co...
Sieberrsec 3.0 CTF (2021) - Can You Math It? (Misc)
Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.
HXP 2021 - unzipper (Web)
Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...
HXP 2021 - Log 4 Sanity Check (Misc)
Summary: Exploit log4j vulnerability to leak environment variables.
HXP 2021 - Gipfel (Crypto)
Summary: Choosing the value of the prime modulus - 1 as the base in a pseudo Diffie Hellman key exchange scheme allows setting a shared value to 1. When this...
HXP 2021 - brie man (Misc)
Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.
VULNCON CTF 2021
Summary: I played VULNCON CTF 2021 for a couple of hours and solved a few challenges. Here are the quick solutions to the few challenges that were solved.
ASEAN Cyber SEA Game 2021
Summary: The Singapore team competed at the ASEAN Cyber SEA Game 2021 organised by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) and achiev...
TISC 2021 - 1865 Text Adventure (Creator’s Writeup)
This challenge was created for The InfoSecurity Challenge (TISC) 2021 organised by the Centre for Strategic Infocomm Technologies (CSIT). It was the 9th leve...
BALSN CTF 2021 - Metaeasy (Misc)
Summary: Bypass the restrictions of a Python jail to gain access to a get flag function within an impossible-to-instantiate metaclass class.
STACK 2020 - Third Place and Writeups
Summary: Our team achieved third place in the GovTech organised STACK 2020 competition.
STACK 2020 - Walking Down Memory Lane (Forensics)
Summary: Analysing the provided memory dump yields a hosted PNG file containing a steganographic message.
STACK 2020 - The Suspicious Frequency Monitoring Alert (IOT)
Summary: Malformed IEEE 802.11 RSN tags within select beacon frames are used as a means of encoding hidden data.
STACK 2020 - IOT RSA Token (IOT)
Summary: An I2C trace of a probed 16x2 LCD screen is provided in which credentials containing a usernames, passwords, and a SecurID key can be extracted.
STACK 2020 - I Smell Updates (IOT)
Summary: An ARM crackme is transferred over Bluetooth. Extracting the binary allows us to apply angr to it to automatically find the flag.
STACK 2020 - FWO FWF (Misc)
Summary: Three different individual messages are encoded within HTML via their classes and their styled visibilities.
STACK 2020 - Emmel (Misc)
Summary: Provide an image that satisfies an image classifier to obtain the flag.
STACK 2020 - Corrupted Hive (Forensics)
Summary: Data hdiden within a corrupt Windows registry hive contains an Base64-encoded guessable flag.
STACK 2020 - Beta Reporting (Pwn)
Summary: A format string attack allows us to overwrite an entry in the GOT to redirect execution to a print flag function.
CSIT - The InfoSecurity Challenge (TISC) 2020 Writeups
Writeups for the TISC 2020 CTF organised by CSIT.
BSides SF CTF 2018 - Rotaluklak (Pwn)
Escape python jail.
BSides SF CTF 2018 - Gorribler (Pwn)
Execute arbitrary shellcode by writing to the buffer by calculating values that provide the right values when simulating a projectile’s trajectory.
Midnight Sun 2018 - Jeil (Pwn)
Javascript jail challenge that filters most Javascript special symbols and alphabets.
Midnight Sun 2018 - Botpanel (Pwn)
Multiple vulnerabilties involving formats strings and unsafe threaded access to shared variables in a 32 bit ELF binary allows an attacker to obtain remote c...
Midnight Sun 2018 - Babyshells (Pwn)
Exploiting the same ‘vulnerable’ binary on three different architectures: x86, ARM, MIPS.
HITB GSEC Qualifiers 2018 - Upload (Web)
The FindFirstFile() function in the Windows API can cause odd behaviour in PHP applications running on Windows. We leverage this to leak information about th...
HITB GSEC Qualifiers 2018 - Read File (Misc)
Arbitrary shell commands can be created by using only punctuation in a service that filters all characters except for punctuation.
HITB GSEC Qualifiers 2018 - Baby Pwn (Pwn)
Using a format string attack on a remote server, an attacker can leverage certain data structures present in a running Linux process to ascertain key address...
HITB GSEC Qualifiers 2018 - Baby Nya (Web)
An exposed Apache JServ Protocol server allows an attacker to proxy requests to Tomcat server running Jolokia. The Jolokia instance allows the attacker to cr...
HITB GSEC Qualifiers 2018 - Baby Baby (Web)
An exposed Kubelets port in a vulnerable deployment allows an attacker to run commands without authentication remotely within containers.
Singapore Cyber Conquest 2017
The NUS Greyhats played in the Singapore Cyber Conquest 2017 held at the GovWare 2017 conference as part of the Singapore International Cyber week. Two of ou...
Singapore Cyber Conquest 2017 - Web 3 (Web)
Using the SQL injection vulnerability to write a PHP file to the disk and executing it with a local file inclusion vulnerability gives remote code execution.
Singapore Cyber Conquest 2017 - Web 2 (Web)
Standard SQL injection challenge in which dumping out the data in the database reveals the flag.
Singapore Cyber Conquest 2017 - Web 1 (Web)
Loose comparisons in PHP allow an attacker to bypass authentication.
Singapore Cyber Conquest 2017 - REV1 (Reversing)
Simple crackme style binary solved with a simple angr script.
Singapore Cyber Conquest 2017 - Jail (Misc)
Simple ruby jail challenge with a failing blacklist that deletes common methods that allow for arbitrary command execution.
Singapore Cyber Conquest 2017 - Case Converter (Pwn)
Simple stack overflow with a statically compiled binary can be exploited with a generated execve ROP chain. The ROP chain has to be split up into multiple st...
HITBGSEC CTF 2017
I participated with the NUS Greyhats in this year’s HITBGSEC CTF 2017. It was organised by the HITB Netherlands CTF team and the XCTF League crew. It ran ext...
HITBGSEC CTF 2017 - Pasty (Web)
JSON Web Tokens have no means of authenticating the header and thus can be abused to manipulate the server into verifying a forged signed message with a key ...
HITBGSEC CTF 2017 - flying high (Misc)
UBIFS images are recovered from a crashed drone and the flag is included in the video of the drone’s last moments.
HITBGSEC CTF 2017 - arrdeepee (Misc)
Extracting the private key into a PEM file from a PKCS12 file transmitted over UDP allows the investigator to decrypt an RDP session and recover some secret ...
HITBGSEC CTF 2017 - 1000levels (Pwn)
Uninitialised variable usage allows for reliable exploitation of a classic stack overflow on a NX and PIE enabled binary using gadgets from the vsyscall page...
CTF(x) 2016 - North Korea (Web)
Fake an originating IP address from North Korea using the X-Forwarded-For header.
CTF(x) 2016 - Harambe Hub (Web)
Use of String.match as opposed to String.equals in Java allows an attacker to recover sensitive input such as an admin username character by character with r...
CTF(x) 2016 - guesslength (Binary)
Overwriting a null byte in a buffer causes printf to print sensitive struct data.
CTF(x) 2016 - Dat Boinary (Binary)
Off-by-one error allows overwrite of a null byte that allows for a struct to be completely filled with non-null bytes which tricks strlen into returning a la...
CTF(x) 2016 - Custom Auth (Crypto)
A cookie using ECB mode encryption allows an attacker to forge admin privileges by rearranging encrypted blocks for decryption.
X-CTF 2016 - The Snek (Web)
PHP local file inclusion vulnerability leads to source code disclosure revealing python code vulnerable to a hash extension attack allowing an attacker to fa...
32C3CTF - TinyHosting (Web 250)
A PHP service that allows uploading of small files (<= 7 bytes) with arbitrary filenames within a browsable path.
32C3CTF - Teufel (Pwn 200)
Exploit a tiny binary with an extremely customised memory mapping with an infoleak leading to libc disclosure and jump to magic shell address.
32C3CTF - Readme (Pwn 200)
Abuse the stack smashing protector infoleak vulnerability to leak the flag.
32C3CTF - Kummerkasten (Web 300)
Steal the password and TOTP token from an admin using cross-site scripting.
32C3CTF - Gurke (Misc 300)
Remote code execution in a seccomp protected python service requiring manipulating python internals to retrieve the flag in memory.
32C3CTF - Forth (Pwn 150)
Remote code execution with a code injection vulnerability in a Forth interpreter.
Hack.lu CTF 2015 - Creative Cheating (Crypto 150)
Analyse a given PCAP for some secret communication between Alice and Bob and determine which messages contain a valid signature.
HITCON 2015 Qualifiers - Piranha Gun (Stego)
Directory contents are hidden with a mount.
HITCON 2015 Qualifiers - Hard to Say (Misc)
Execute arbitrary non-alphanumeric ruby code with length limitations.
ASIS CTF Finals 2015 - Shop 1 (Pwn)
An off-by-one error allows an attacker to leak return codes from memcmp to determine the difference in the supplied byte and the compared byte to leak the fl...
ASIS CTF Finals 2015 - Myblog (Web)
Server-side request forgery in a PDF page printer service in PHP leading to disclosure of secrets in a server-side PHP source code.
ASIS CTF Finals 2015 - Impossible (Web)
Type juggling in PHP’s weak comparison operator (==) allows an attacker to generate passwords to an administrator account and bypass the original MD5 hashing...
ASIS CTF Finals 2015 - Flag Hunter (Misc)
Use of the X-Forwarded-For header allows an attacker to fake country of origin to collect flags.
ASIS CTF Finals 2015 - Bodu (Crypto)
Use the Boneh-Durfee attack on low private exponents to recover the original two prime factors comprising the private key and decrypt an encrypted flag.
TrendMicro CTF 2015 - Crypto 200
Recover the IV of an AES operation by utilising imperfect knowledge of the key and encrypted output.
PoliCTF 2015 - John Pastry Shop (Pwnable 100)
Fake a valid cake object containing arbitrary ingredients to a bakery service by modifying decompiled Java bytecode and resigning the JAR with spoofed creden...
PoliCTF 2015 - It’s Hungry (Forensics 100)
A troll challenge that required you to transcribe a melody on a hidden area of the website.
PoliCTF 2015
Dystopian Narwhals participated in PoliCTF 2015, and it was a lot of fun. The challenges were challenging, yet engaging and we ended up with a score of 1258 ...
PoliCTF 2015 - Hard Interview (Grab Bag 50)
Simulated shell environment lets you pretend to be Hugh Jackman in Swordfish.
PoliCTF 2015 - Hanoi as a Service (Pwnable 50)
Remote prolog application to solve the Tower of Hanoi problem is vulnerable to remote code execution by injecting Prolog code.
PoliCTF 2015 - Exorcise (Crypto 50)
Simple challenge involving XORing.
Wargames.my 2015 - Trivia
We are given an image of TV5 Monde.
Wargames.my 2015 - Slice of Life (Misc)
The challenge site returns a HTTP response containing an SVG. The HTTP response is reversed.
Wargames.my 2015 - Foo Soo Rah (Brute)
We are given an IP address:port pair and told to bruteforce smartly.
DEFCON CTF Qualifiers 2015 - MathWhiz (Baby’s First)
Simple programming challenge in which you had to solve equations in different formats.
DEFCON CTF Qualifiers 2015 - Access Control (Reversing)
Reverse engineer a server binary to determine how to interact with it and write a client.
SECCON CTF 2014 - Welcome to SECCON (Start)
Sanity check challenge.
SECCON CTF 2014 - Easy Cipher (Crypto)
The flag was embedded in a message that was encoded into different number bases from ASCII.
9447 CTF 2014 - No Strings Attached (Reversing)
A crack me that decrypts the password into a wide length string in memory.
9447 CTF 2014 - insanity check (Reversing)
Simple sanity check reversing challenge with flag in strings.
CSCAMP CTF 2014 - Logic (Crypto)
Message encoded in a seven segment display LED format.
CSCAMP CTF 2014 - I Hate Time (Web)
Remote code execution by injecting python code into a Python WSGI server.
CSCAMP CTF 2014 - 7amama Book (Web)
Insecure direct object reference allows changing of password of another user.
CSCAMP CTF 2014 - ELF2 (Reversing 100)
We are given the following binary to reverse: elf2. (It’s a zipped file)
CSCAMP 2014 - netcat, cryptcat Who cares? (STG100)
the solution is the md5 of the decrypted file
QIWICTF 2014 - Stolen Prototype (Misc100)
This is a stolen application of super-duper payment system. But this is broken piece of cake, completely broken =(
QIWICTF 2014 - Bajutsu (Pwn100)
cat flag on port 2222 at qiwictf2014.ru
TKBCTF 4 - rand
First Javascript challenge released out of 2 Javascript challenges.
TKBCTF 4 - Monochrome Bar
The only steganography challenge in TKBCTF4 and its only worth 100 points.
TKBCTF 4 - Just Do It
We were given a x86-64 Windows PE binary to reverse.
TKBCTF 4 - args
Second javascript challenge for the CTF. Similar in concept to the previous javascript challenge, rand, you are given a Sandboxed node.js REPL to play with.
PoliCTF 2012 - Grab Bag 300
Find the key.
PoliCTF 2012 - Bin-Pwn 400
Alien Technologies.
PoliCTF 2012 - Bin-Pwn 200
Play with this amazing calculator: calc.challenges.polictf.it:4000
PoliCTF 2012 - Bin-Pwn 100
Retrieve the key.
CSCAMP CTF 2012 - Exploit 400
We solved the post-patch version of this binary.
CSCAMP CTF 2012 - Exploit 200
This binary is vulnerable to a buffer overflow in the strncpy function called in the main function with user supplied input. It takes in two arguments, argum...
CSCAMP CTF 2012 - Exploit 100
This was more of a reversing puzzle than an exploitation one. The binary accepts a parameter as a password. It checks if the password is correct and cats the...
CSCAMP CTF 2012 - Web300
In this challenge, an image divided into blocks has its blocks scrambled not unlike a sliding block puzzle (http://en.wikipedia.org/wiki/Sliding_puzzle). The...
CSCAMP CTF 2012 - Web200
In this puzzle, you had to evaluate an equation encoded in base64 in an array structure consisting of values and operands hidden in a custom header. The obje...
CSCAMP CTF 2012 - Web100
This challenge required you to log in as any valid account.
CSCAMP CTF 2012 - Crypto 400
This is the solution script:
Hack.lu CTF 2012 - Big Zombie Business
It’s a disaster! Not only that these useless piles of rotten meat obfuscate all their stupid code, they have also lost our precious root password, or “Flag” ...
Hack.lu CTF 2012 - Zombie AV
Some people try to fight the zombie apocalypse by selling pseudo antidote. We need the secret formula in config.php to destroy their snake oil business…
Hack.lu CTF 2012 - Nerd Safehouse
“Try solving the annoying puzzle at https://ctf.fluxfingers.net:2074/ or zombies will eat your soul!”
Hack.lu CTF 2012 - Mini Zombie Business
As time passes by and the zombie apocalypse seems to stay for a while businesses have to adapt to survive. Food store chains offer brains and biscuits for th...
Hack You CTF 2012 Writeups
The CTF was really enjoyable. Really great casual atmosphere to it. Too bad we only really caught the last couple of days. Really looking forward to the next...
Hack You CTF 2012 - Pentagon (WEB100)
Note: images and files are missing in this blogpost. To solve the puzzle, we had to obtain the password to a ‘Pentagon’ site relying on Javascript authentica...
Hack You CTF 2012 - Halloween (STG200)
Note: images are missing in this blog post. The only piece of the puzzle we were given was an image file. The distinguishing feature for this picture is that...
Hack You CTF 2012 - Stego 100
In this challenge, we were given the a large amount of text in a file. The entire text may be found at the end of this blog post.
Hack You CTF 2012 - Reverse 200
A zip file containing an ELF binary and Windows executable file was given to us. We need not care about the Windows executable as both the ELF binary and the...
Hack You CTF 2012 - Reverse 100
In this puzzle, a C source file was given to us.
Hack You CTF 2012 - Packets 200
In this task, we are supposed to answer the question: “What’s the md5 of the file being transferred?”. We are given another capture file, this time containin...
Hack You CTF 2012 - Packets 100
We are given an objective for the packets series: “Part 1. Find the secret link in this conversation.” We have a .pcap capture file and we simply apply a fil...
Hack You CTF 2012 - Schneier’s Algorithm (CRY100)
We didn’t solve this puzzle and submit the flag in time, but when we did… well it was a huge reminder not to overthink things.
Hack You CTF 2012 - HugeCaptcha (PPC100)
PPC100 is a puzzle that requires some degree of scripting. To obtain the flag, we have to add up the two large numbers given and submit the result through PO...
Codegate 2012: Forensics 200
This was a CTF challenge solved by Hiromi in Codegate 2012.
Codegate 2012: Forensics 100
This was a CTF challenge solved by Hiromi in Codegate 2012.
writeup-list
Hack You CTF 2012 Writeups
The CTF was really enjoyable. Really great casual atmosphere to it. Too bad we only really caught the last couple of days. Really looking forward to the next...
xctf2016
X-CTF 2016 - The Snek (Web)
PHP local file inclusion vulnerability leads to source code disclosure revealing python code vulnerable to a hash extension attack allowing an attacker to fa...
xor
Sieberrsec 3.0 CTF (2021) - Turbo Fast Crypto (Crypto/Pwn)
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
xss
32C3CTF - Kummerkasten (Web 300)
Steal the password and TOTP token from an admin using cross-site scripting.
zip
HXP 2021 - unzipper (Web)
Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...