This is a truely unbreakable, genuine, RFC-compliant memcached implementation. Find it running at 188.8.131.52:1024
This challenge consists of a 32-bit executable providing a memcached implementation. It allows us to store and retrieve data.
Never let your customers miss an important security update! Buy this update server and you even get admin rights! Running on 184.108.40.206 1024
Update server is a utility that can be used by programs to check whether a new update is available.
A program can send its current version number, and the utility will indicate if it is up to date or if an update is available.
It is also possible to update the version information, if a valid admin password is provided.
Proxy is an authenticated http proxy (but a very simple one). It uses the system’s PAM authentication to verify username/password, so unless you already have a valid login on the server you won’t be able to give it a correct password. this probably means the vulnerability is somewhere before the authentication check.
And in fact, there is indeed a nice overflow in the http parsing code:
8049035: 89 44 24 08 mov DWORD PTR [esp+0x8],eax 8049039: 8b 85 b4 fb ff ff mov eax,DWORD PTR [ebp-0x44c] 804903f: 89 44 24 04 mov DWORD PTR [esp+0x4],eax 8049043: 8d 85 17 fc ff ff lea eax,[ebp-0x3e9] ; ebp-0x3e9 = auth str buf 8049049: 89 04 24 mov DWORD PTR [esp],eax 804904c: e8 af fa ff ff call 8048b00 <strncpy@plt>
Description: Oh god, I can’t wait for my flag… (https://29c3ctf.aachen.ccc.de/static/dl/algo.rar)
The ‘Find the key’ challenge is an ELF file (algo) which is a simple emulator which supports the instructions addition, subtraction, multiplication, division and modulo. After verifying all related functions and the fact that this is in fact what it’s capable of, we continued by analyzing the main routine.
The main routine starts by initializing some values. It then enters a loop in which it continuously does various operations. There’s a global table of length five, which contains the function addresses of the five instructions we mentioned earlier.
No space left on brain? Store all your passwords and other secrets here and you will never forget your birthday again 🙂 (http://220.127.116.11/)
The website in this challenge allowed us to create an user and use it to access the website. On the website information could be stored. There also seemed to be a /admin/ which would give the message “Access denied, only user admin has access”. While analyzing the website we found a really long session Cookie we would receive from the webserver. It seems this Cookie consisted of 3 separate MD5 hashes in one string. After looking in to these hashes a bit more and when they would change we found out that the MD5s were made of:
Leaks… Even the flag for this challenge got leaked to them… To the shop…
The shop challenge consists of a webshop page with two items, a very cheap item and an item that costs 1337 euro. From the challenge description it is obvious that we need to buy the most expensive one to obtain the flag.
Description: http://18.104.22.168/ (https://29c3ctf.aachen.ccc.de/static/dl/web42.tar)
class str(str) This is an rce challenge type(settings.SECRET_KEY)
For the web42 challenge we are given an archive containing some python files which form a django site. Almost all the pages are in the form of .py source, except for the settings file, which is given in the form of a .pyc bytecode file.