feat: added 0xL4ugh CTF 2024
|
@ -11,4 +11,4 @@ CTF writeup for The HTB Business CTF 2023 The Great Escape. I took part in this
|
||||||
| Crypto | [Initialization](/2023/Business%20CTF%202023%20The%20Great%20Escape/Initialization/)
|
| Crypto | [Initialization](/2023/Business%20CTF%202023%20The%20Great%20Escape/Initialization/)
|
||||||
| Reversing | [DrillingPlatform](/2023/Business%20CTF%202023%20The%20Great%20Escape/DrillingPlatform/)
|
| Reversing | [DrillingPlatform](/2023/Business%20CTF%202023%20The%20Great%20Escape/DrillingPlatform/)
|
||||||
|
|
||||||
> I didn't create the writeup for cloud and fullpwn because i don't have an access to the chall again
|
> I didn't create the writeup for the `cloud` and `fullpwn` challenge because i don't have an access to the challenge again
|
|
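Review bot: In the reworded note, `challenge` should be plural, since two categories (`cloud` and `fullpwn`) are named, and "i don't have an access to the challenge again" still reads awkwardly. Something like "because I no longer have access to the challenges" would be clearer.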
@ -7,4 +7,4 @@ CTF writeup for The CSAW CTF Qualification Round 2023. I took part in this CTF c
|
||||||
| Misc | [Discord Admin Bot](/2023/CSAW%20CTF%20Qualification%20Round%202023/Discord%20Admin%20Bot/)
|
| Misc | [Discord Admin Bot](/2023/CSAW%20CTF%20Qualification%20Round%202023/Discord%20Admin%20Bot/)
|
||||||
| Misc | [AndroidDropper](/2023/CSAW%20CTF%20Qualification%20Round%202023/AndroidDropper/)
|
| Misc | [AndroidDropper](/2023/CSAW%20CTF%20Qualification%20Round%202023/AndroidDropper/)
|
||||||
|
|
||||||
> I didn't create a writeup for `stonk` and `Philantrophy` chall
|
> I didn't create a writeup for the `stonk` and `Philantrophy` challenge
|
|
@ -12,4 +12,4 @@ CTF writeup for The NewportBlakeCTF 2023. I took part in this CTF competition (S
|
||||||
| Misc | [do you hear that?](/2023/NewportBlakeCTF%202023/do%20you%20hear%20that/)
|
| Misc | [do you hear that?](/2023/NewportBlakeCTF%202023/do%20you%20hear%20that/)
|
||||||
| Misc | [not accepted](/2023/NewportBlakeCTF%202023/not%20accepted/)
|
| Misc | [not accepted](/2023/NewportBlakeCTF%202023/not%20accepted/)
|
||||||
|
|
||||||
> I didn't create a writeup for OSINT chall
|
> I didn't create a writeup for the `OSINT` challenge
|
||||||
|
|
|
@ -0,0 +1,77 @@
|
||||||
|
# GitMeow-Revenge
|
||||||
|
> Just another annoying git challenge, without grep :)
|
||||||
|
|
||||||
|
> Updated blacklist on remote server
|
||||||
|
|
||||||
|
> BLACKLIST = ["|", "\"", "'", ";", "$", "\\", "#", "*", "(", ")", "&", "^", "@", "!", "<", ">", "%", ":", ",", "?", "{", "}", "`","diff","/dev/null","patch","./","alias","push","grep","f4k3","fl4g","f0r","n00b5","flag","work"]
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We got a server to connect and source code (You can download the source code [here](gitmeow-misc.zip)). If we check the source code:
|
||||||
|
|
||||||
|
```python
|
||||||
|
import os
|
||||||
|
from banner import monkey
|
||||||
|
|
||||||
|
BLACKLIST = ["|", "\"", "'", ";", "$", "\\", "#", "*", "(", ")", "&", "^", "@", "!", "<", ">", "%", ":", ",", "?", "{", "}", "`","diff","/dev/null","patch","./","alias","push","grep","f4k3","fl4g","f0r","n00b5","flag","work"]
|
||||||
|
|
||||||
|
def is_valid_utf8(text):
|
||||||
|
try:
|
||||||
|
text.encode('utf-8').decode('utf-8')
|
||||||
|
return True
|
||||||
|
except UnicodeDecodeError:
|
||||||
|
return False
|
||||||
|
|
||||||
|
def get_git_commands():
|
||||||
|
commands = []
|
||||||
|
print("Enter git commands (Enter an empty line to end):")
|
||||||
|
while True:
|
||||||
|
try:
|
||||||
|
user_input = input("")
|
||||||
|
except (EOFError, KeyboardInterrupt):
|
||||||
|
break
|
||||||
|
|
||||||
|
if not user_input:
|
||||||
|
break
|
||||||
|
|
||||||
|
if not is_valid_utf8(user_input):
|
||||||
|
print(monkey)
|
||||||
|
exit(1337)
|
||||||
|
|
||||||
|
for command in user_input.split(" "):
|
||||||
|
for blacklist in BLACKLIST:
|
||||||
|
if blacklist in command:
|
||||||
|
print(monkey)
|
||||||
|
exit(1337)
|
||||||
|
|
||||||
|
|
||||||
|
commands.append("git " + user_input)
|
||||||
|
|
||||||
|
return commands
|
||||||
|
|
||||||
|
def execute_git_commands(commands):
|
||||||
|
for command in commands:
|
||||||
|
output = os.popen(command).read()
|
||||||
|
if "{f4k3_fl4g_f0r_n00b5}" in output:
|
||||||
|
print(monkey)
|
||||||
|
exit(1337)
|
||||||
|
else:
|
||||||
|
print(output)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
commands = get_git_commands()
|
||||||
|
execute_git_commands(commands)
|
||||||
|
```
|
||||||
|
|
||||||
|
We only need to obtain the flag using the git command
|
||||||
|
|
||||||
|
![preview](images/preview.png)
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
In this case im using `git show --name-status` command in order to read the flag (I believe this is unintended, because someone already put the flag in the commit)
|
||||||
|
|
||||||
|
![flag](images/flag.png)
|
||||||
|
|
||||||
|
```
|
||||||
|
0xL4ugh{GiT_D0c3_F0r_Th3_WiN_Gr3p_R3v3ng3!}
|
||||||
|
```
|
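Review bot: The "How to Solve?" section names `git show --name-status` but never ties it back to the filter in the pasted source, so a reader cannot tell why it gets through. Add a sentence or two: the loop in `get_git_commands()` only rejects space-separated tokens that contain a `BLACKLIST` substring, and neither `show` nor `--name-status` contains one; `execute_git_commands()` then suppresses output only when it contains the literal `{f4k3_fl4g_f0r_n00b5}`. Also say where in the output the flag appeared (the text says it was in a commit), since the screenshot is the only evidence, and fix "im" to "I'm".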
|
@ -0,0 +1,40 @@
|
||||||
|
# Library-Revenge
|
||||||
|
> Built a book library, however my friend says that i made a really nasty mistake!
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We got a server to connect and a source code (You can download the source code [here](Library-revenge-misc.zip))
|
||||||
|
|
||||||
|
This program has many functions. For example, we can add a member, search for a book, etc
|
||||||
|
|
||||||
|
![preview](images/preview.png)
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
This program is vulnerable to format string vulnerability where we can access other attributes (You can check more about the vulnerability [here](https://podalirius.net/en/articles/python-format-string-vulnerabilities/))
|
||||||
|
|
||||||
|
```python
|
||||||
|
elif choice == "7":
|
||||||
|
choice = console.input("\n[bold blue]Book Manager:[/bold blue]\n1. Save Existing\n2. Create new book\n[bold blue]Enter your choice (1-2): [/bold blue]")
|
||||||
|
if choice == "1":
|
||||||
|
title = console.input("[bold blue]Enter Book title to save: [/bold blue]").strip()
|
||||||
|
file = SaveFile(library.display_books(title=title))
|
||||||
|
save_book(file.file, content="Hello World")
|
||||||
|
else:
|
||||||
|
save_file = SaveFile()
|
||||||
|
title = console.input("[bold blue]Enter book title: [/bold blue]").strip()
|
||||||
|
author = console.input("[bold blue]Enter book author: [/bold blue]")
|
||||||
|
isbn = console.input("[bold blue]Enter book ISBN: [/bold blue]")
|
||||||
|
num_copies = int(console.input("[bold blue]Enter number of copies: [/bold blue]"))
|
||||||
|
title = title.format(file=save_file)
|
||||||
|
book = Book(title,author, isbn)
|
||||||
|
isbn_to_book[isbn] = book
|
||||||
|
library.add_book(book, num_copies)
|
||||||
|
save_book(title)
|
||||||
|
```
|
||||||
|
|
||||||
|
So, if we input `{file.__init__.__globals__}` in the book title, we can read the value of the `FLAG` variable.
|
||||||
|
|
||||||
|
![flag](images/flag.png)
|
||||||
|
|
||||||
|
```
|
||||||
|
0xL4ugh{TrU5t_M3_LiF3_I5_H4rD3r_Wi7h0u7_4_W1f3!}
|
||||||
|
```
|
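Review bot: The snippet is pasted without pointing at the line that matters, `title = title.format(file=save_file)` in the `else` branch, and the text does not say why `{file.__init__.__globals__}` reaches `FLAG`. Suggest adding that the user-supplied title is used as the format template with a `SaveFile` object bound to `file`, so attribute lookups in the template walk from that object to the globals of its `__init__`. `FLAG` is not visible in the excerpt, so say which file defines it. A one-line remediation would round it out: never call `.format()` on user input, treat the title as data.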
|
@ -0,0 +1,36 @@
|
||||||
|
# Library
|
||||||
|
> Built a book library, however my friend says that i made a nasty mistake!
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We got a server to connect and a source code (You can download the source code [here](Library-misc.zip))
|
||||||
|
|
||||||
|
This program has many functions. For example, we can add a member, search for a book, etc
|
||||||
|
|
||||||
|
![preview](images/preview.png)
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
This website is vulnerable to argument injection in the `check_file_presence()` function, and there's a `print(result)` code, so we can see the command output here
|
||||||
|
|
||||||
|
```python
|
||||||
|
def check_file_presence():
|
||||||
|
book_name = shlex.quote(console.input("[bold blue]Enter the name of the book (file) to check:[/bold blue] "))
|
||||||
|
command = "ls " + book_name
|
||||||
|
|
||||||
|
try:
|
||||||
|
result = os.popen(command).read().strip()
|
||||||
|
print(result)
|
||||||
|
if result == book_name:
|
||||||
|
console.print(f"[bold green]The book is present in the current directory.[/bold green]")
|
||||||
|
else:
|
||||||
|
console.print(f"[bold red]The book is not found in the current directory.[/bold red]")
|
||||||
|
except Exception as e:
|
||||||
|
console.print(f"[bold red]Error: {e}[/bold red]")
|
||||||
|
```
|
||||||
|
|
||||||
|
To obtain the flag I just using `-la` command (I believe this is unintended because someone has already placed the flag in the same directory as this program)
|
||||||
|
|
||||||
|
![flag](images/flag.png)
|
||||||
|
|
||||||
|
```
|
||||||
|
0xL4ugh{TrU5t_M3_LiF3_I5_H4rD3r!}
|
||||||
|
```
|
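Review bot: "This website" in the "How to Solve?" paragraph contradicts the "server to connect" description and the Misc category; it reads like a carry-over from a web writeup. The explanation also skips why `shlex.quote()` does not help: it neutralises shell metacharacters, but a value starting with `-` is still handed to `ls` as an option because the command is built as `"ls " + book_name`. Say that explicitly, call `-la` an option rather than a command, and consider noting the fix (`ls -- <name>`, or `os.path.exists()` instead of shelling out).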
|
@ -0,0 +1,11 @@
|
||||||
|
# 0xL4ugh CTF 2024
|
||||||
|
CTF writeup for 0xL4ugh CTF 2024. I took part in this CTF competition with the HCS team and secured the 17th place out of 1428 teams
|
||||||
|
|
||||||
|
| Category | Challenge |
|
||||||
|
| --- | --- |
|
||||||
|
| Misc | [Library](/2024/TetCTF%202024/TET%20&%204N6/)
|
||||||
|
| Misc | [Library-Revenge](/2024/TetCTF%202024/TET%20&%204N6/)
|
||||||
|
| Misc | [GitMeow-Revenge](/2024/TetCTF%202024/TET%20&%204N6/)
|
||||||
|
| Web | [Library](/2024/TetCTF%202024/TET%20&%204N6/)
|
||||||
|
|
||||||
|
> I didn't write a write-up for the `Forensic` challenge
|
|
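Review bot: All four rows link to `/2024/TetCTF%202024/TET%20&%204N6/`, which looks copied from the TetCTF index; each should point at its own directory under the path the events list uses for this CTF (`/2024/0xL4ugh%20CTF%202024/`). The last row is `Web | Library`, but the web writeup added in this commit is titled "Simple WAF", so that row appears mislabeled.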
@ -0,0 +1,66 @@
|
||||||
|
# Simple WAF
|
||||||
|
> i whitelisted input values so, i think iam safe : P
|
||||||
|
|
||||||
|
## About the Challenge
|
||||||
|
We got a website and the source code (You can download the source code [here](simple_waf_togive.zip)). The source code is pretty simple:
|
||||||
|
|
||||||
|
```php
|
||||||
|
require_once("db.php");
|
||||||
|
|
||||||
|
function waf($input)
|
||||||
|
{
|
||||||
|
if(preg_match("/([^a-z])+/s",$input))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
if(isset($_POST['login-submit']))
|
||||||
|
{
|
||||||
|
if(!empty($_POST['username'])&&!empty($_POST['password']))
|
||||||
|
{
|
||||||
|
$username=$_POST['username'];
|
||||||
|
$password=md5($_POST['password']);
|
||||||
|
if(waf($username))
|
||||||
|
{
|
||||||
|
die("WAF Block");
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$res = $conn->query("select * from users where username='$username' and password='$password'");
|
||||||
|
|
||||||
|
if($res->num_rows ===1)
|
||||||
|
{
|
||||||
|
echo "0xL4ugh{Fake_Flag}";
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
echo "<script>alert('Wrong Creds')</script>";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
echo "<script>alert('Please Fill All Fields')</script>";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
This website is vulnerable to SQL injection, but there's a waf() function that we need to bypass in order to perform SQL injection
|
||||||
|
|
||||||
|
![previwe](images/preview.png)
|
||||||
|
|
||||||
|
## How to Solve?
|
||||||
|
We need to overflow the `preg_match` function by supplying a lot of characters, followed by an SQL injection payload (e.g., `' or true-- -`)
|
||||||
|
|
||||||
|
![flag](images/flag.png)
|
||||||
|
|
||||||
|
```
|
||||||
|
0xL4ugh{0ohh_You_Brok3_My_Wh1te_List!!!}
|
||||||
|
```
|
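Review bot: "Overflow the `preg_match` function" in "How to Solve?" does not describe what lets the payload through. `preg_match()` returns `false` when matching aborts with an error, such as exceeding the backtrack or JIT stack limit on a very long input, and `waf()` tests the result with a plain `if(...)`, so `false` falls into the `else` branch and the input is treated as clean. Please state that mechanism, give the input length that was used, and mention the fixes: block on any result other than `0` (`preg_match(...) !== 0`) and use a prepared statement for the query. The image alt text `previwe` is a typo.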
|
@ -46,6 +46,8 @@ List of CTF events that i have joined before
|
||||||
| KnightCTF 2024 | Yes | [Link](/2024/KnightCTF%202024/) |
|
| KnightCTF 2024 | Yes | [Link](/2024/KnightCTF%202024/) |
|
||||||
| Mapna CTF 2024 | No | - |
|
| Mapna CTF 2024 | No | - |
|
||||||
| TetCTF 2024 | Yes | [Link](/2024/TetCTF%202024/) |
|
| TetCTF 2024 | Yes | [Link](/2024/TetCTF%202024/) |
|
||||||
|
| L3HCTF 2024 | No | - |
|
||||||
|
| 0xL4ugh CTF 2024 | Yes |[Link](/2024/0xL4ugh%20CTF%202024/) |
|
||||||
|
|
||||||
### Local Events
|
### Local Events
|
||||||
| Event Name | Writeup Available? | Writeup Link |
|
| Event Name | Writeup Available? | Writeup Link |
|
||||||
|
|
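Review bot: The new `0xL4ugh CTF 2024` row has `|[Link]` with no space after the pipe, unlike the neighbouring rows (`| [Link](/2024/TetCTF%202024/) |`). The commit subject only mentions 0xL4ugh, yet this hunk also adds an `L3HCTF 2024` row; mention it in the message or split it into its own commit.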