21 Apr 2014

PlaidCTF 2014 – harry_potter [300]

For PlaidCTF2014, Eindbazen and fail0verflow joined forces as 0xffa, the Final Fail Alliance. Don’t miss out on other write-ups at fail0verflow’s site!

The harry_potter pwnable is a network service that does not appear to do a whole lot:

$ nc 54.198.150.4 666
If you guess the password, I will give you a reward!

Running the binary in strace shows what is going on:

21 Apr 2014

PlaidCTF 2014 – PolygonShifter [100]

For PlaidCTF2014, Eindbazen and fail0verflow joined forces as 0xffa, the Final Fail Alliance. Don’t miss out on other write-ups at fail0verflow’s site!

The Plague has purchased the newest invention, Polygon Shifter to protect his website. This cutting edge technology is made available by Polygon Security, and they have a demo page on their website. They claim bots can no longer attack the website protected by the Polygon Shifter. Do we need to manually bruteforce the credentials?

On the Polygonshift website is a live demo form where you can log in as user test/test or as user admin/?????. After logging in as user admin with password: a' OR 1=1 and username='admin'# we get the message "Hello, admin!! My password is the flag!". So, we have a blind SQLi and the goal is to get the password of the admin user.

21 Apr 2014

PlaidCTF 2014 – Kappa [275]

For PlaidCTF2014, Eindbazen and fail0verflow joined forces as 0xffa, the Final Fail Alliance. Don’t miss out on other write-ups at fail0verflow’s site!

Kappa is a network service that is a very basic text-based pokemon game. In the end we found multiple bugs in the service, but the one we used was so cleanly exploitable that we think this was probably the intended solution.

When you connect, you get this menu:

13 Oct 2013

ebCTF: PWN100 “Step by step”

We found this server with two open ports. Can you find out what these ports do and login to the server? It is advisable to use a separate VM for this challenge.

Nmap scan report (54.216.75.14)
Host is up (0.026s latency).
PORT STATE SERVICE
22/tcp open ssh
8140/tcp open unknown

This challenge was meant to be an easy multi-stage challenge, but it was apparently a lot harder than intended, as it only had 7 solves. The challenge contains three levels which require shell access. Since we didn't want to have hundreds of logins on the system, we created an extra step to get access to the system.

13 Oct 2013

ebCTF: NET200 “Who’s there”

We found this strange website. (http://54.216.81.14/)

For this challenge we only get a website with a sum on it.

112 + 386 + 712 + 1398 + 8771 + 11982 + 15397 + 23984 = 51037

This doesn't give us much information. How about we look at the headers?

13 Oct 2013

ebCTF: NET100 “index.php?-s”

OMG, Eindbazen got hacked. Can you figure out what this evil hacker did?

This was an easy challenge, and it was pretty straightforward what to do. It was meant to be solved by a lot of teams, and it was: 145 teams managed to solve it. There are a lot of write-ups for this challenge, so I will only briefly explain the intended solution.

13 Oct 2013

ebCTF: WEB100 “Tulip Shop”

We designed a new login procedure for our Online Tulip Shop. Can you test if it is hacker proof?

The WEB100 challenge was apparently harder than expected with only 10 solves. The goal of this challenge was to grep the admin password from the sqlite database with a SQL injection. The SQL injection however was not in one of the normal places, but in the key name of the password field.

13 Oct 2013

ebCTF: CRY100 “Classic”

We found some crypto ciphers in our attic. Can you decipher all text and put together the flag?

This challenge was meant to be a simple task, but one that required a lot of work. It gave you six encrypted messages, which you need to decrypt to get parts of the key.

23 Sep 2013

CSAW CTF 2013 – Exploitation 400 – GameMan

nc 128.238.66.223 1025 < hello_world.gbc

We are given a GameBoy (Color) ROM file and a server address + port.

When sending the original hello_world.gbc to the server we are greeted with some output:

$ nc -vvv 128.238.66.223 1025 < hello_world.gbc
Connection to 128.238.66.223 1025 port [tcp/*] succeeded!
Insert Cartridge... 
Loaded: CSAW CTF 2013
OK
OK
OK
Hello World!


05 May 2013

pCTF 2013 – usbdude (for 350)

For this challenge we're given a pcap file containing USB traffic. Initial inspection tells us this is a dump of an AVRISP mkII USB programmer for 8-bit AVR microcontrollers.