
Posts

GuidePoint Security CTF 2021 - Calc (web)

1 minute read

Writeup for the Guidepoint 2021 CTF Calc web challenge
This is a basic OS command injection challenge. The web page for the challenge shows two input boxes for numbers that it will then add together for you. The page submits the two values you enter as the x and y GET parameters (http://10.10.100.200:38271/index.php?x=1&y=2), but these parameters are passed to an underlying OS command without proper escaping. By adding a ; we can break out of the command context and inject our own commands; we just have to make sure we URL-encode any special characters that would otherwise mess up the URL.

GuidePoint Security CTF 2021 - Corona (web)

5 minute read

Writeups for the Guidepoint 2021 CTF Corona part 1 and 2 web challenges
Corona 1

The page for this challenge is a LimeSurvey instance. I'm not very familiar with LimeSurvey, but from the design it looked like it might be a pretty old version of the application, hinting that there might be a known bug in it. A quick searchsploit limesurvey showed a bunch of known flaws for older versions, but at this point we were not entirely sure which version was running yet.

GuidePoint Security CTF 2021 - GoFaster (misc)

1 minute read

Writeup for the Guidepoint 2021 CTF GoFaster misc challenge
For this challenge we get a large file with a lot of lines that appear to be hex-encoded data. Decoding this data, it looked like additional rounds of decoding would be required, since the resulting data appeared to be Base64 or Base62 encoded, but by inspecting the output of just hex-decoding each line we already find our flag:

data = File.readlines('GOFASTER.txt')
data.

GuidePoint Security CTF 2021 - Hackback (pwn)

5 minute read

Writeup for the Guidepoint 2021 CTF Hackback 2 pwn challenge
This challenge is a little odd for me, since I found the flag for part 2 but, despite spending considerable time on it, never found the flag for part 1. For this challenge we get a .doc file (so ye olde MS Word format, none of that fancy new .docx stuff) as well as a web page, which does not seem to do much for us yet.

GuidePoint Security CTF 2021 - Half (crypto)

3 minute read

Writeup for the Guidepoint 2021 CTF Half crypto challenge
For this challenge we get an encoded/encrypted string and the Python script that was used to produce it.

3539333437353461373137333532333833333333333933303335333036383639dcb33a3cca39412b58f4095cbc30faf95f72c9c1e71c01aa0a1b0f89c11f03b751dccaa5bb3ec011cc0a40a08ba87827071e1fb52716c891a1263a53af721a18

from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP, AES
from Crypto import Random # May be able to get rid of
from random import choice, shuffle
from OpenSSL import crypto
import binascii
import base64

pub = crypto.load_publickey(crypto.FILETYPE_PEM, base64.b64decode('LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF0YmEwY2x2RWllS3A0MUtYaGlpUwpqWnluc2E5RlQzTmpVUE1ZaVBVLzN5L2IySU8zcnFaZmh5RTRCNlAzYXpueDRZMkRoYVVVZFNnN0V5OHJzZ29jCis0dzlIdDYwSTdEWWUxblVKeUt1ekZyTDZESmdxSFR6Sml3SHBCWFNTVnVhaU5KY2NRVXJKMWNaRzdTVG44YmcKbzBCdHNGT0tyVzVzTzNyOGxNWitxWDVldXNZWW9UMDd6U0p5T1V4WVNJcWlwUVpPcEc3Y2JNYVhQZlZaaERDbwpyOW9UVFZaUFA1ZzlqOHNoSmdDVnJLeXE4V2dQTk1sWDRBMVhKQnpIcXFZN2RTK2NZRFhuMmc2dmxOa2RESXpmCjd6U1ZxL0NWZzA1MG1CdXZYdTVWaWVheHhZQnREb0xUQ0JWMmcyYXlOY2pac2tJVmhFbXpvTjNveEd5dFFVNFIKUXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg=='))
pubkey = crypto.dump_publickey(crypto.FILETYPE_PEM, pub)

def random_string(size, chars="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"):
    return ''.

GuidePoint Security CTF 2021 - Netcatter (pwn)

3 minute read

Writeup for the Guidepoint 2021 CTF Netcatter pwn challenge
For this challenge we get SSH access to a Docker container as a regular user. We don't really get any clues as to what we are looking for, so we start by exploring the machine a little. Among the running processes we see the following one that stands out:

root 1 /bin/sh -c /etc/init.d/ssh start && while true; do ./netcatter files ; sleep 60; done

We do a find to see where this netcatter file is located and notice that it is a SUID binary owned by the user target.

GuidePoint Security CTF 2021 - SHA-512 (misc)

1 minute read

Writeup for the Guidepoint 2021 CTF SHA-512 misc challenge
For this challenge we are given a TrueCrypt container to which we do not know the password. We only need to run truecrack on it to get the password and mount the container to get the flag.

kali@kali:~/ctf/sha512$ truecrack -t secret.tc -k sha512 -w /usr/share/wordlists/rockyou.txt
TrueCrack v3.6
Website: https://github.com/lvaccaro/truecrack
Found password: "gigabyte"
Password length: "9"
Total computations: "28354"

GuidePoint Security CTF 2021 - Ssxor (crypto)

2 minute read

Writeup for the Guidepoint 2021 CTF Ssxor crypto challenge
For this challenge we get an encrypted string and the Python script that was used to generate it:

2e1209315c05627148004b3b46160a565858560a16463b4b00487162055c3109122e

import binascii
flag = 'StormCTF{Crypto4:blahblahblah}'
flag_rev = list(flag[::-1])
stuff = zip(flag, flag_rev)
x = lambda x,y: chr(ord(x) ^ ord(y))
out = list()
out += [x(s[0],s[1]) for s in stuff]
final = [str(b, 'ascii') for b in [binascii.hexlify(bytes(x, 'utf-8')) for x in out]]
print(''.join(final))
stuff = zip(flag_rev, out)
out = list()
out += [x(s[0],s[1]) for s in stuff]
print(''.

GuidePoint Security CTF 2021 - Sub (crypto)

2 minute read

Writeup for the Guidepoint 2021 CTF Sub crypto challenge
This challenge is a substitution cipher. We are given the output text as well as the substitution key, so it's just a matter of reversing the operations. Our given data:

key = {'1': 'j', '0': 'X', '3': 'F', '2': 'o', '5': 'T', '4': 'x', '7': '0', '6': 'P', '9': '}', '8': 'J', ':': 'b', 'A': 'c', 'C': 'p', 'B': 'q', 'E': '7', 'D': 'a', 'G': 'v', 'F': '3', 'I': '5', 'H': '1', 'K': 'O', 'J': 'K', 'M': 'g', 'L': '2', 'O': 'n', 'N': '8', 'Q': 'y', 'P': 'E', 'S': 'e', 'R': 'R', 'U': 'h', 'T': 'W', 'W': 'N', 'V': 'm', 'Y': '9', 'X': 'G', 'Z': 'S', 'a': 'k', 'c': 't', 'b': 'd', 'e': '{', 'd': '4', 'g': 'C', 'f': 'L', 'i': '6', 'h': 'l', 'k': 'Z', 'j': 'z', 'm': 'U', 'l': 's', 'o': 'B', 'n': 'M', 'q': 'I', 'p': 'i', 's': ':', 'r': 'Q', 'u': 'Y', 't': 'r', 'w': 'V', 'v': 'H', 'y': 'D', 'x': 'A', '{': 'f', 'z': 'w', '}': 'u'}
encrypted = 'erBQUpW3fpQDirBFb7c}}FdPT0}x0jdLcokk}xq7jaT3Lpqkju'

To reverse it we swap the keys and values and do the substitution again;

Callboy - Hack.lu 2020 Writeups

1 minute read

Writeup for Callboy challenge of Hack.lu CTF 2020
Description

Have you ever called a Callboy? No!? Then you should definitely try it. To make it a pleasant experience for you, we have recorded a call with our Callboy to help you get started, so that there is no embarrassing silence between you. PS: do not forget to wrap flag{} around the secret

Write-Up

For this challenge we get a network packet capture. The challenge name and description strongly hint at some VoIP call being in the traffic.