21 Apr 2014

PlaidCTF 2014 – harry_potter [300]

For PlaidCTF2014, Eindbazen and fail0verflow joined forces as 0xffa, the Final Fail Alliance. Don’t miss out on other write-ups at fail0verflow’s site!

The harry_potter pwnable is a network service that does not appear to do a whole lot:

$ nc 54.198.150.4 666
If you guess the password, I will give you a reward!

Running the binary in strace shows what is going on:

21 Apr 2014

PlaidCTF 2014 – PolygonShifter [100]

The Plague has purchased the newest invention, Polygon Shifter to protect his website. This cutting edge technology is made available by Polygon Security, and they have a demo page on their website. They claim bots can no longer attack the website protected by the Polygon Shifter. Do we need to manually bruteforce the credentials?

On the Polygonshift website is a live demo form where you can login as user test/test or as user admin/?????. After logging in as user admin with password: a’ OR 1=1 and username=’admin’# we get the message “Hello, admin!! My password is the flag!”. So, we have a blind SQLi and the goal is to get the password of the admin user.

21 Apr 2014

PlaidCTF 2014 – Kappa [275]

Kappa is a network service that is a very basic text-based pokemon game. In the end we found multiple bugs in the service, but the one we used was so cleanly exploitable that we think this was probably the intended solution.

When you connect, you get this menu:

26 Apr 2013

pCTF 2013 – cat_rar (forensics 150)

Among all the binaries, PlaidCTF also followed the CTF tradition of hiding a stego challenge as a forensics challenge. We had a challenge with this description:

cat_rar
150
forensics
“Meow meow mw mw m.”
cat.rar

In the cat.rar file we found two files:

  • a cat.rar.jpg which seems to be an image of a cat.
  • a cat.rar.bin which seems to be an x64 ELF binary


02 May 2012

Plaid CTF 2012 – Mess

The biggest event of the robot year is happening this week! Robot invitations are cool in that they are just a password that validates at the door. We acquired the validator to be used. Can you find an invitation for us in time?

In this challenge we’re given an ELF binary which asks for a password. Disassembly in IDA quickly shows what the mess is all about – function pointers, lots of them.


02 May 2012

Plaid CTF 2012 – The Game

Robots enjoy some strange games and we just can’t quite figure this one out.
Maybe you will have better luck than us.
Title: The Game (100)
Category: Potpourri

The challenge consisted of a game we could play by connecting to a service running on port 6969.
The game provided two hex strings, and our job was to find out which one was the bigger.
To get the key, we had to win 75 runs in a row.


02 May 2012

Plaid CTF 2012 – RSA

We recently intercepted a plethora of robot transmissions but they are all encrypted with some strange scheme we just can’t quite figure out. Can you crack it?
200 points, Password Guessing, 6 teams solved this

A very cool and surprisingly easy crypto challenge: all you have to do is break 4096-bit RSA!

Of course, there are some special circumstances which make solving this possible at all. We have two files: one is the encrypted data (presumably, it is named enc.dat and looks like random data) and the other is an RSA public key in PEM format. Let’s list the details of this public key:

02 May 2012

Plaid CTF 2012 – Chest

Robots are running secret service that aims to mill down diamonds into fairy dust, and use it to take over our world! Help us please!
300 points, Pwnables, 18 teams solved this

This is one of those challenges where just playing around with it turned out to be faster than actually figuring out what was going on.

This was a remote exploit challenge. The service in question allows you to create “chests” (or data stores) which can hold a certain amount of data. If you add more data, the chest is deleted (“blows up”). You can also destroy a chest yourself. It is possible to access a chest from more than one connection at a time, leading us to suspect a synchronization issue.

02 May 2012

Plaid CTF 2012 – Format

Format is exactly what you’d expect: a remote format string exploit. To get to the format string takes a little bit of reversing first, but it’s not too hard.


02 May 2012

Plaid CTF 2012 – Paste

Robot hackers, like their human counterparts, have a largely unmet need to dump large amounts of text to their peers. We recently got access to one of their servers and are providing you with the files. What have they been talking about?
Title: Paste (100)
Category: Practical Packets

This challenge is a web application, a pastebin for robot hackers. Luckily the humans got the source code. It contains an admin cookie employing the well-known ‘security by obscurity’ method, a questionable preg_replace statement using eval mode and an unchecked require. What can we do with those?