Cyberpeace 2022 - Crysys (Pwn)
Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...
Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...
Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...
Summary: An insecurely implemented Python native library allows for an attacker to exfiltrate the XOR key used to ‘encrypt’ arbitrary data as well as contain...
Summary: Standard byte-by-byte ECB oracle decryption.
Summary: Control of the size parameter to malloc and a subsequent lack of checking that the returned pointer is not 0 leads to an arbitrary null byte write t...
Summary: A dump of a Windows user’s AppData containing Google Chrome library data files and Windows DPAPI master key files can be used in conjunction with th...
Summary: Applying the small subgroup attack in a pseudo-Diffie-Hellman key exchange scheme that does not give the public A value allows for an attacker to co...
Summary: Typical math scripting challenge. Just providing the solution for a safeeval version to avoid insecure evaluation of untrusted inputs.
Summary: The PHP function realpath can be tricked to allow other protocol wrappers to be used in readfile by specially crafting the directories in an unzippe...
Summary: Exploit log4j vulnerability to leak environment variables.
Summary: Choosing the value of the prime modulus - 1 as the base in a pseudo-Diffie-Hellman key exchange scheme allows setting a shared value to 1. When this...
Summary: Sagemath contains sinks that allow for the arbitrary execution of Python code when converting from user input to math objects.
Summary: I played VULNCON CTF 2021 for a couple of hours and solved a few challenges. Here are the quick solutions to the few challenges that were solved.
Summary: The Singapore team competed at the ASEAN Cyber SEA Game 2021 organised by the ASEAN-Japan Cybersecurity Capacity Building Centre (AJCCBC) and achiev...
This challenge was created for The InfoSecurity Challenge (TISC) 2021 organised by the Centre for Strategic Infocomm Technologies (CSIT). It was the 9th leve...
Summary: Bypass the restrictions of a Python jail to gain access to a get flag function within an impossible-to-instantiate metaclass class.
Summary: Our team achieved third place in the GovTech organised STACK 2020 competition.
Summary: Analysing the provided memory dump yields a hosted PNG file containing a steganographic message.
Summary: Malformed IEEE 802.11 RSN tags within select beacon frames are used as a means of encoding hidden data.
Summary: An I2C trace of a probed 16x2 LCD screen is provided from which credentials containing usernames, passwords, and a SecurID key can be extracted.
Summary: An ARM crackme is transferred over Bluetooth. Extracting the binary allows us to apply angr to it to automatically find the flag.
Summary: Three different individual messages are encoded within HTML via their classes and their styled visibilities.
Summary: Provide an image that satisfies an image classifier to obtain the flag.
Summary: Data hidden within a corrupt Windows registry hive contains a Base64-encoded guessable flag.
Summary: A format string attack allows us to overwrite an entry in the GOT to redirect execution to a print flag function.
Writeups for the TISC 2020 CTF organised by CSIT.
Escape a Python jail.
Execute arbitrary shellcode by writing it to the buffer, calculating inputs that produce the right values when the program simulates a projectile’s trajectory.
JavaScript jail challenge that filters most JavaScript special symbols and letters.
Multiple vulnerabilities involving format strings and unsafe threaded access to shared variables in a 32-bit ELF binary allow an attacker to obtain remote c...
Exploiting the same ‘vulnerable’ binary on three different architectures: x86, ARM, MIPS.
The FindFirstFile() function in the Windows API can cause odd behaviour in PHP applications running on Windows. We leverage this to leak information about th...
Arbitrary shell commands can be created by using only punctuation in a service that filters all characters except for punctuation.
Using a format string attack on a remote server, an attacker can leverage certain data structures present in a running Linux process to ascertain key address...
An exposed Apache JServ Protocol server allows an attacker to proxy requests to a Tomcat server running Jolokia. The Jolokia instance allows the attacker to cr...
An exposed Kubelet port in a vulnerable deployment allows an attacker to remotely run commands within containers without authentication.
The NUS Greyhats played in the Singapore Cyber Conquest 2017 held at the GovWare 2017 conference as part of the Singapore International Cyber week. Two of ou...
Using the SQL injection vulnerability to write a PHP file to the disk and executing it with a local file inclusion vulnerability gives remote code execution.
Standard SQL injection challenge in which dumping out the data in the database reveals the flag.
Loose comparisons in PHP allow an attacker to bypass authentication.
Simple crackme style binary solved with a simple angr script.
Simple Ruby jail challenge with a failing blacklist that deletes common methods that allow for arbitrary command execution.
Simple stack overflow with a statically compiled binary can be exploited with a generated execve ROP chain. The ROP chain has to be split up into multiple st...
I participated with the NUS Greyhats in this year’s HITBGSEC CTF 2017. It was organised by the HITB Netherlands CTF team and the XCTF League crew. It ran ext...
JSON Web Tokens have no means of authenticating the header and thus can be abused to manipulate the server into verifying a forged signed message with a key ...
UBIFS images are recovered from a crashed drone and the flag is included in the video of the drone’s last moments.
Extracting the private key into a PEM file from a PKCS12 file transmitted over UDP allows the investigator to decrypt an RDP session and recover some secret ...
Uninitialised variable usage allows for reliable exploitation of a classic stack overflow on an NX- and PIE-enabled binary using gadgets from the vsyscall page...
Fake an originating IP address from North Korea using the X-Forwarded-For header.
Use of String.match as opposed to String.equals in Java allows an attacker to recover sensitive input such as an admin username character by character with r...
Overwriting a null byte in a buffer causes printf to print sensitive struct data.
Off-by-one error allows overwrite of a null byte that allows for a struct to be completely filled with non-null bytes which tricks strlen into returning a la...
A cookie using ECB mode encryption allows an attacker to forge admin privileges by rearranging encrypted blocks for decryption.
PHP local file inclusion vulnerability leads to source code disclosure revealing python code vulnerable to a hash extension attack allowing an attacker to fa...
A PHP service that allows uploading of small files (<= 7 bytes) with arbitrary filenames within a browsable path.
Exploit a tiny binary with an extremely customised memory mapping with an infoleak leading to libc disclosure and jump to magic shell address.
Abuse the stack smashing protector infoleak vulnerability to leak the flag.
Steal the password and TOTP token from an admin using cross-site scripting.
Remote code execution in a seccomp-protected Python service, requiring manipulation of Python internals to retrieve the flag in memory.
Remote code execution with a code injection vulnerability in a Forth interpreter.
Analyse a given PCAP for some secret communication between Alice and Bob and determine which messages contain a valid signature.
Directory contents are hidden with a mount.
Execute arbitrary non-alphanumeric Ruby code under length limitations.
An off-by-one error allows an attacker to leak return codes from memcmp to determine the difference in the supplied byte and the compared byte to leak the fl...
Server-side request forgery in a PDF page printer service in PHP leading to disclosure of secrets in a server-side PHP source code.
Type juggling in PHP’s weak comparison operator (==) allows an attacker to generate passwords to an administrator account and bypass the original MD5 hashing...
Use of the X-Forwarded-For header allows an attacker to fake country of origin to collect flags.
Use the Boneh-Durfee attack on low private exponents to recover the original two prime factors comprising the private key and decrypt an encrypted flag.
Recover the IV of an AES operation by utilising imperfect knowledge of the key and encrypted output.
Fake a valid cake object containing arbitrary ingredients to a bakery service by modifying decompiled Java bytecode and resigning the JAR with spoofed creden...
A troll challenge that required you to transcribe a melody on a hidden area of the website.
Dystopian Narwhals participated in PoliCTF 2015, and it was a lot of fun. The challenges were challenging, yet engaging and we ended up with a score of 1258 ...
Simulated shell environment lets you pretend to be Hugh Jackman in Swordfish.
A remote Prolog application that solves the Tower of Hanoi problem is vulnerable to remote code execution by injecting Prolog code.
Simple challenge involving XORing.
We are given an image of TV5 Monde.
The challenge site returns an HTTP response containing an SVG. The HTTP response is reversed.
We are given an IP address:port pair and told to brute-force smartly.
Simple programming challenge in which you had to solve equations in different formats.
Reverse engineer a server binary to determine how to interact with it and write a client.
Sanity check challenge.
The flag was embedded in a message that was encoded into different number bases from ASCII.
A crackme that decrypts the password into a wide-character string in memory.
Simple sanity check reversing challenge with flag in strings.
Message encoded in a seven-segment LED display format.
Remote code execution by injecting Python code into a Python WSGI server.
Insecure direct object reference allows changing of password of another user.
We are given the following binary to reverse: elf2. (It’s a zipped file)
The solution is the MD5 of the decrypted file.
This is a stolen application of super-duper payment system. But this is broken piece of cake, completely broken =(
cat flag on port 2222 at qiwictf2014.ru
First JavaScript challenge released out of the two JavaScript challenges.
The only steganography challenge in TKBCTF4, and it’s only worth 100 points.
We were given an x86-64 Windows PE binary to reverse.
Second JavaScript challenge for the CTF. Similar in concept to the previous JavaScript challenge, rand, you are given a sandboxed node.js REPL to play with.
Find the key.
Alien Technologies.
Play with this amazing calculator: calc.challenges.polictf.it:4000
Retrieve the key.
We solved the post-patch version of this binary.
This binary is vulnerable to a buffer overflow in the strncpy function called in the main function with user supplied input. It takes in two arguments, argum...
This was more of a reversing puzzle than an exploitation one. The binary accepts a parameter as a password. It checks if the password is correct and cats the...
In this challenge, an image divided into blocks has its blocks scrambled not unlike a sliding block puzzle (http://en.wikipedia.org/wiki/Sliding_puzzle). The...
In this puzzle, you had to evaluate an equation encoded in base64 in an array structure consisting of values and operands hidden in a custom header. The obje...
This challenge required you to log in as any valid account.
This is the solution script:
It’s a disaster! Not only that these useless piles of rotten meat obfuscate all their stupid code, they have also lost our precious root password, or “Flag” ...
Some people try to fight the zombie apocalypse by selling pseudo antidote. We need the secret formula in config.php to destroy their snake oil business…
“Try solving the annoying puzzle at https://ctf.fluxfingers.net:2074/ or zombies will eat your soul!”
As time passes by and the zombie apocalypse seems to stay for a while businesses have to adapt to survive. Food store chains offer brains and biscuits for th...
The CTF was really enjoyable. Really great casual atmosphere to it. Too bad we only really caught the last couple of days. Really looking forward to the next...
Note: images and files are missing in this blogpost. To solve the puzzle, we had to obtain the password to a ‘Pentagon’ site relying on Javascript authentica...
Note: images are missing in this blog post. The only piece of the puzzle we were given was an image file. The distinguishing feature for this picture is that...
In this challenge, we were given a large amount of text in a file. The entire text may be found at the end of this blog post.
A zip file containing an ELF binary and Windows executable file was given to us. We need not care about the Windows executable as both the ELF binary and the...
In this puzzle, a C source file was given to us.
In this task, we are supposed to answer the question: “What’s the md5 of the file being transferred?”. We are given another capture file, this time containin...
We are given an objective for the packets series: “Part 1. Find the secret link in this conversation.” We have a .pcap capture file and we simply apply a fil...
We didn’t solve this puzzle and submit the flag in time, but when we did… well it was a huge reminder not to overthink things.
PPC100 is a puzzle that requires some degree of scripting. To obtain the flag, we have to add up the two large numbers given and submit the result through PO...
This was a CTF challenge solved by Hiromi in Codegate 2012.