After almost two years of fanatically playing in CTF competitions ourselves, the moment has finally come… Eindbazen is organizing their own CTF!
We invite all of you to come play our CTF titled “ebCTF” held during the biggest quadrennial (every 4 years) Dutch hacker gathering OHM2013 (predecessors are HIP1997, HAL2001, WTH2005 and HAR2009). For the unfortunate ones who cannot make it to the camping site in the Netherlands we of course offer the ability to play online/remotely as well!
My friend is in my D&D campaign – could you get me his character name? He administrates this site.
This challenge is a very simple SQL injection, asking for the character name.
I can’t figure out how to read the flag ssh to 22.214.171.124
The secure_reader program can read the flag, but can only be invoked from the reader program.
Question: Where does The Plague hide his money?
This question is clearly a reference to the movie Hackers. We immediately watched the movie on YouTube and skipped to the referenced part in the NSA interview room scene.
This is a very simple network service which will overflow a stack buffer if you send it too much data. The stack is non-executable, which we can get around using Return-Oriented Programming (which is pretty much given away by the challenge name of course). Then the only tricky bit is that ASLR is enabled, which means that libc (which contains all of the interesting functions like system()) will be at a different address each time we connect.
Cone is an obfuscated binary which reads a key from stdin and either approves it or denies it. After reading our magic instruction trace we found out that the underlying algorithm of this binary consists of only a few operations. The following is a representation of the algorithm in Python.
We’ve been reading about bitcoins.
We were given a service that asked us to provide an input that would result in an MD5 hash with a given 52-bit prefix. At first we were looking at modifying an existing GPU cracker to find input resulting in the given prefix. Luckily one of our team members tried a few hashes against a wordlist and noticed he could find some of them in the wordlist.
You get arbitrary code execution…. as long as it’s code we approve of.
This challenge consisted of a service which allowed running arbitrary python code, as long as you had a valid RSA signature for it…
For those who didn’t play plaidCTF 2012: “supercomputer” was a reversing challenge that computed flags using really silly math (like adding in a loop instead of multiplication). hypercomputer is easier… if you do it right
We remembered the supercomputer challenge from last year, when we solved parts of it using a hex editor. Since at some point that got really tricky we decided to use a different approach this year. With this new approach we had more luck and awesomeness this year!
We did not solve this challenge in time, despite spending a lot of time on it. If we had, we would have taken 1st place, but of course there’s always that one challenge you wish you had solved…
Still, it was a really cool challenge and we solved the first part pretty well before getting stuck. And that part deserves a writeup at least.
This challenge consisted of a server that read a string from the user, removed most interesting characters from it, and then ran it through Python’s eval and exec. The goal was to get a shell using only the very limited remaining character set and a maximum of 1900 characters, all within a very stripped-down environment.