feat: added 0xL4ugh CTF 2024

main
daffainfo 2024-02-11 08:53:00 +07:00
parent 8588406750
commit 8dbfb74c94
21 changed files with 235 additions and 3 deletions

View File

@ -11,4 +11,4 @@ CTF writeup for The HTB Business CTF 2023 The Great Escape. I took part in this
| Crypto | [Initialization](/2023/Business%20CTF%202023%20The%20Great%20Escape/Initialization/) | Crypto | [Initialization](/2023/Business%20CTF%202023%20The%20Great%20Escape/Initialization/)
| Reversing | [DrillingPlatform](/2023/Business%20CTF%202023%20The%20Great%20Escape/DrillingPlatform/) | Reversing | [DrillingPlatform](/2023/Business%20CTF%202023%20The%20Great%20Escape/DrillingPlatform/)
> I didn't create the writeup for cloud and fullpwn because i don't have an access to the chall again > I didn't create the writeup for the `cloud` and `fullpwn` challenge because i don't have an access to the challenge again

View File

@ -7,4 +7,4 @@ CTF writeup for The CSAW CTF Qualification Round 2023. I took part in this CTF c
| Misc | [Discord Admin Bot](/2023/CSAW%20CTF%20Qualification%20Round%202023/Discord%20Admin%20Bot/) | Misc | [Discord Admin Bot](/2023/CSAW%20CTF%20Qualification%20Round%202023/Discord%20Admin%20Bot/)
| Misc | [AndroidDropper](/2023/CSAW%20CTF%20Qualification%20Round%202023/AndroidDropper/) | Misc | [AndroidDropper](/2023/CSAW%20CTF%20Qualification%20Round%202023/AndroidDropper/)
> I didn't create a writeup for `stonk` and `Philantrophy` chall > I didn't create a writeup for the `stonk` and `Philantrophy` challenge

View File

@ -12,4 +12,4 @@ CTF writeup for The NewportBlakeCTF 2023. I took part in this CTF competition (S
| Misc | [do you hear that?](/2023/NewportBlakeCTF%202023/do%20you%20hear%20that/) | Misc | [do you hear that?](/2023/NewportBlakeCTF%202023/do%20you%20hear%20that/)
| Misc | [not accepted](/2023/NewportBlakeCTF%202023/not%20accepted/) | Misc | [not accepted](/2023/NewportBlakeCTF%202023/not%20accepted/)
> I didn't create a writeup for OSINT chall > I didn't create a writeup for the `OSINT` challenge

View File

@ -0,0 +1,77 @@
# GitMeow-Revenge
> Just another annoying git challenge, without grep :)
> Updated blacklist on remote server
> BLACKLIST = ["|", "\"", "'", ";", "$", "\\", "#", "*", "(", ")", "&", "^", "@", "!", "<", ">", "%", ":", ",", "?", "{", "}", "`","diff","/dev/null","patch","./","alias","push","grep","f4k3","fl4g","f0r","n00b5","flag","work"]
## About the Challenge
We got a server to connect and source code (You can download the source code [here](gitmeow-misc.zip)). If we check the source code:
```python
import os
from banner import monkey
BLACKLIST = ["|", "\"", "'", ";", "$", "\\", "#", "*", "(", ")", "&", "^", "@", "!", "<", ">", "%", ":", ",", "?", "{", "}", "`","diff","/dev/null","patch","./","alias","push","grep","f4k3","fl4g","f0r","n00b5","flag","work"]
def is_valid_utf8(text):
try:
text.encode('utf-8').decode('utf-8')
return True
except UnicodeDecodeError:
return False
def get_git_commands():
commands = []
print("Enter git commands (Enter an empty line to end):")
while True:
try:
user_input = input("")
except (EOFError, KeyboardInterrupt):
break
if not user_input:
break
if not is_valid_utf8(user_input):
print(monkey)
exit(1337)
for command in user_input.split(" "):
for blacklist in BLACKLIST:
if blacklist in command:
print(monkey)
exit(1337)
commands.append("git " + user_input)
return commands
def execute_git_commands(commands):
for command in commands:
output = os.popen(command).read()
if "{f4k3_fl4g_f0r_n00b5}" in output:
print(monkey)
exit(1337)
else:
print(output)
commands = get_git_commands()
execute_git_commands(commands)
```
We only need to obtain the flag using the git command
![preview](images/preview.png)
## How to Solve?
In this case im using `git show --name-status` command in order to read the flag (I believe this is unintended, because someone already put the flag in the commit)
![flag](images/flag.png)
```
0xL4ugh{GiT_D0c3_F0r_Th3_WiN_Gr3p_R3v3ng3!}
```

Binary file not shown.

Binary file not shown.

After

Width:  |  Height:  |  Size: 180 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 110 KiB

View File

@ -0,0 +1,40 @@
# Library-Revenge
> Built a book library, however my friend says that i made a really nasty mistake!
## About the Challenge
We got a server to connect and a source code (You can download the source code [here](Library-revenge-misc.zip))
This program has many functions. For example, we can add a member, search for a book, etc
![preview](images/preview.png)
## How to Solve?
This program is vulnerable to format string vulnerability where we can access other attributes (You can check more about the vulnerability [here](https://podalirius.net/en/articles/python-format-string-vulnerabilities/))
```python
elif choice == "7":
choice = console.input("\n[bold blue]Book Manager:[/bold blue]\n1. Save Existing\n2. Create new book\n[bold blue]Enter your choice (1-2): [/bold blue]")
if choice == "1":
title = console.input("[bold blue]Enter Book title to save: [/bold blue]").strip()
file = SaveFile(library.display_books(title=title))
save_book(file.file, content="Hello World")
else:
save_file = SaveFile()
title = console.input("[bold blue]Enter book title: [/bold blue]").strip()
author = console.input("[bold blue]Enter book author: [/bold blue]")
isbn = console.input("[bold blue]Enter book ISBN: [/bold blue]")
num_copies = int(console.input("[bold blue]Enter number of copies: [/bold blue]"))
title = title.format(file=save_file)
book = Book(title,author, isbn)
isbn_to_book[isbn] = book
library.add_book(book, num_copies)
save_book(title)
```
So, if we input `{file.__init__.__globals__}` in the book title, we can read the value of the `FLAG` variable.
![flag](images/flag.png)
```
0xL4ugh{TrU5t_M3_LiF3_I5_H4rD3r_Wi7h0u7_4_W1f3!}
```

Binary file not shown.

After

Width:  |  Height:  |  Size: 322 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 75 KiB

Binary file not shown.

View File

@ -0,0 +1,36 @@
# Library
> Built a book library, however my friend says that i made a nasty mistake!
## About the Challenge
We got a server to connect and a source code (You can download the source code [here](Library-misc.zip))
This program has many functions. For example, we can add a member, search for a book, etc
![preview](images/preview.png)
## How to Solve?
This website is vulnerable to argument injection in the `check_file_presence()` function, and there's a `print(result)` code, so we can see the command output here
```python
def check_file_presence():
book_name = shlex.quote(console.input("[bold blue]Enter the name of the book (file) to check:[/bold blue] "))
command = "ls " + book_name
try:
result = os.popen(command).read().strip()
print(result)
if result == book_name:
console.print(f"[bold green]The book is present in the current directory.[/bold green]")
else:
console.print(f"[bold red]The book is not found in the current directory.[/bold red]")
except Exception as e:
console.print(f"[bold red]Error: {e}[/bold red]")
```
To obtain the flag I just using `-la` command (I believe this is unintended because someone has already placed the flag in the same directory as this program)
![flag](images/flag.png)
```
0xL4ugh{TrU5t_M3_LiF3_I5_H4rD3r!}
```

Binary file not shown.

After

Width:  |  Height:  |  Size: 180 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 75 KiB

View File

@ -0,0 +1,11 @@
# 0xL4ugh CTF 2024
CTF writeup for 0xL4ugh CTF 2024. I took part in this CTF competition with the HCS team and secured the 17th place out of 1428 teams
| Category | Challenge |
| --- | --- |
| Misc | [Library](/2024/TetCTF%202024/TET%20&%204N6/)
| Misc | [Library-Revenge](/2024/TetCTF%202024/TET%20&%204N6/)
| Misc | [GitMeow-Revenge](/2024/TetCTF%202024/TET%20&%204N6/)
| Web | [Library](/2024/TetCTF%202024/TET%20&%204N6/)
> I didn't write a write-up for the `Forensic` challenge

View File

@ -0,0 +1,66 @@
# Simple WAF
> i whitelisted input values so, i think iam safe : P
## About the Challenge
We got a website and the source code (You can download the source code [here](simple_waf_togive.zip)). The source code is pretty simple:
```php
require_once("db.php");
function waf($input)
{
if(preg_match("/([^a-z])+/s",$input))
{
return true;
}
else
{
return false;
}
}
if(isset($_POST['login-submit']))
{
if(!empty($_POST['username'])&&!empty($_POST['password']))
{
$username=$_POST['username'];
$password=md5($_POST['password']);
if(waf($username))
{
die("WAF Block");
}
else
{
$res = $conn->query("select * from users where username='$username' and password='$password'");
if($res->num_rows ===1)
{
echo "0xL4ugh{Fake_Flag}";
}
else
{
echo "<script>alert('Wrong Creds')</script>";
}
}
}
else
{
echo "<script>alert('Please Fill All Fields')</script>";
}
}
```
This website is vulnerable to SQL injection, but there's a waf() function that we need to bypass in order to perform SQL injection
![previwe](images/preview.png)
## How to Solve?
We need to overflow the `preg_match` function by supplying a lot of characters, followed by an SQL injection payload (e.g., `' or true-- -`)
![flag](images/flag.png)
```
0xL4ugh{0ohh_You_Brok3_My_Wh1te_List!!!}
```

Binary file not shown.

After

Width:  |  Height:  |  Size: 299 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 182 KiB

Binary file not shown.

View File

@ -46,6 +46,8 @@ List of CTF events that i have joined before
| KnightCTF 2024 | Yes | [Link](/2024/KnightCTF%202024/) | | KnightCTF 2024 | Yes | [Link](/2024/KnightCTF%202024/) |
| Mapna CTF 2024 | No | - | | Mapna CTF 2024 | No | - |
| TetCTF 2024 | Yes | [Link](/2024/TetCTF%202024/) | | TetCTF 2024 | Yes | [Link](/2024/TetCTF%202024/) |
| L3HCTF 2024 | No | - |
| 0xL4ugh CTF 2024 | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |
### Local Events ### Local Events
| Event Name | Writeup Available? | Writeup Link | | Event Name | Writeup Available? | Writeup Link |