MMA CTF 2016::Judgement::Pwn-50

Posted by and filed under MMA CTF 2016.

After opening the binary up in IDA, it was pretty obvious that we needed to exploit a format string vulnerability. It looks like the flag was declared as a global variable, which means it will have a static address in the .bss Section. This definitely makes our lives easier. See the full writeup here.

CSAW 2015 Finals: Blox (Pwn Adventure Z RE250)

Posted by and filed under CSAW Finals 2015.

This year at CSAW Finals, Vector35 contributed an entire NES/Famicom RPG as a challenge category. One challenge was solving the puzzle of the mysterious “Blox Cave” – a room of 24 urns that need to be activated in a certain combination in order to open the door to the flag.

BKP CTF 2015 :: School Bus 200 :: Riverside

Posted by and filed under Boston Key Party CTF 2015.

This challenge consists of a capture file containing USB packet. We notice that one of the USB devices floods most of the capture with several hundred packets per second. The device uses the address 12, and hence can be filtered using:

Hack.LU 2014 :: Web 150 :: Hidden in Plain Sight

Posted by and filed under Hack.LU 2014.

For this challenge, we are given the service code to review and find the vulnerability. We locate the function that is generating the sha256 hash: At first glance, this is random and there is no chance we are going to guess it. But on closer inspection, the 3rd line has something strange about the… Read more »

D-CTF 2014 :: Exploit 400 :: Paranormal Activity

Posted by and filed under D-CTF 2014.

####disclaimer: this CTF involved a lot of guessing, and please note that other challenges were of far lower quality. reader beware. To start this challenge, you had to solve Exploitation 300. 300 consisted of googling a public webapp vulnerability. Once you’ve got a shell as the web user, you’ll see e4.hint in the root dir…. Read more »

D-CTF 2014 :: Bonus 200 :: Final

Posted by and filed under D-CTF 2014.

For this challenge, we were presented with a website made from the ApPHP Microblog CMS. A quick search on Exploit-DB revealed that there was an existing RCE bug. PHP disable_functions seemed to have an extensive list since exec, shell_exec, and system were all disabled. This leaves only a few commands left to use. It… Read more »

ASIS 2014 :: Web 100 :: Lottery

Posted by and filed under ASIS 2014.

For this challenge, you visit the website At the website, there is a basic message about being a specific visitor to win the prize: After checking the cookies, there is a specific value that is written: This value ends with the entity %3D, which is =, meaning that the value is base64. After… Read more »

CSAW 2014 :: Exploitation 400 :: greenhornd.exe

Posted by and filed under CSAW 2014.

[gfm] For this challenge, we’re given an .exe file and a server that it’s running on. Running strings on the binary, we see that there’s a lot of text in the program. It’s all instructions on how to get started with Windows exploitation. One block that is particularly interesting is: ~~~ VULNERABLE FUNCTION ——————- Send… Read more »

CSAW 2014 :: Forensics 300 :: Fluffy No More

Posted by and filed under CSAW 2014.

I think forensics challenges are generally horrible no fun zones, but Fluffy No More is actually a fun little scavenger hunt through a filesystem. @brad_anton gives us a tarball of the relevant parts of a compromised webserver – a MySQL database dump, /var/log/ , /var/www/ , and all of /etc/. Co-credit for this challenge goes to Alex… Read more »