GPN CTF 2024

I removed the flag :P Category: web Solver: aes, Liekedaeler, lukasrad02 Flag: GPNCTF{1_L0V3_L3G4CY_F34TUR3S} Writeup This challenge — like a few other web challenges in this CTF — is a nodeJS- and express-based web application. It has four routes that we should examine further. First off, there are the / and /removeFlag.js HTTP GET routes. These only serve static strings but their responses will become important later. There also is an admin bot that can be triggered via the /admin POST route. We can provide an HTML string that is passed into a form field in the home page’s HTML along with the flag in another field. When these two values have been entered, the admin bot’s browser is redirected to the /chal page we will look at later. After the redirect to the page, the browser waits five seconds and then waits for the successful execution of a small JavaScript snippet. Afterwards, it takes a screenshot and returns it to us. ...

todo Category: Web Solver: lukasrad02 Flag: GPNCTF{1_4M_50_C0NFU53D_R1GHT_N0W} Scenario The challenge consists of a web application powered by a single PHP script that receives data from the HTTP POST parameter data and then does a couple of things: The string from the data parameter is parsed as JSON and stored as $user_input. The user agent of the request is compared against the string "friendlyHuman" and requests with any other user agent are aborted. The $user_input->{'user'} property is compared to "admin🤠" and non-admins receive a landing page with a greeting. The $user_input->{'password'} property is passed to a securePassword function and the result is compared to the original password. If the two values don’t match, an error message is returned. If all checks were successful, $user_input->{'command'} is executed in a shell and the output is sent back to the user. The code of the securePassword function is as follows: ...

I wanted to build an intro rev challenge but it didn’t work as intended when I deployed it to my Rocky 9 server. Maybe you can work around the issue and leak the flag in /flag Category: misc Solver: rgw, aes Flag: GPNCTF{D1d_y0u_st4rt_4_vm_0r_4_b4r3_m3t4l_r0cky_k3rn3l?} Writeup The setup is similar to “A full solve is what I’m thinking of”. However, there is no /catflag binary. Therefore, we don’t have a binary that we can use as the interpreter for an uploaded ELF binary. ...

It would be a shame if you could exploit this sleepy binary. Category: pwn, misc Solver: rgw, abc013, Liekedaeler, MarDN Flag: GPNCTF{sh0rt_she11c0de_1s_c00l} Writeup We are given a compiled binary dream and its source code dream.c: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <sys/mman.h> #include <string.h> #define ROTL(X, N) (((X) << (N)) | ((X) >> (8 * sizeof(X) - (N)))) #define ROTR(X, N) (((X) >> (N)) | ((X) << (8 * sizeof(X) - (N)))) unsigned long STATE; unsigned long CURRENT; char custom_random(){ STATE = ROTL(STATE,30) ^ ROTR(STATE,12) ^ ROTL(STATE,42) ^ ROTL(STATE,4) ^ ROTR(STATE,5); return STATE % 256; } void* experience(long origin){ char* ccol= mmap (0,1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); size_t k = 0; while(k<106){ *(ccol+k) = 0x90; //nop just in case; k++; } k=16; *((int*)ccol) = origin; while(k<100){ *(ccol+k)=custom_random(); k++; } return ccol; } void sleepy(void * dream){ int (*d)(void) = (void*)dream; d(); } void win(){ execv("/bin/sh",NULL); } void setup(){ setvbuf(stdin, NULL, _IONBF, 0); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); } int main(){ setup(); long seed=0; printf("the win is yours at %p\n", win); scanf("%ld",&seed); STATE = seed; printf("what are you thinking about?"); scanf("%ld",&seed); sleepy(experience(seed)); } During execution, we are given the address of the win function that calls execv("/bin/sh",NULL). In experience(), an RWX segment is allocated using mmap. We can supply two values for this segment: ...

A gift from the king. Category: pwn Solver: t0b1, c0mpb4u3r, nh1729 Flag: GPNCTF{new_stuff_and_constraints_a29kd33} Writeup Challenge setup The challenge consists of an x86_64 assembly file gift.s and supporting Makefile and Dockerfile. We have access to the input and output of the compiled assembly via TCP, the flag is in the file /app/flag.txt The challenge binary has only two functions and no linked libraries: .section .text .global _start read_input: # Read 314 bytes + 16 free bytes from stdin to the stack sub $314, %rsp # Make room for the input mov $0, %rax # System call number for read mov $0, %rdi # File descriptor for stdin mov %rsp, %rsi # Address of the stack mov $330, %rdx # Number of bytes to read syscall # Call the kernel add $314, %rsp # Restore the stack pointer ret _start: # Print the message to stdout mov $1, %rax # System call number for write mov $1, %rdi # File descriptor for stdout mov $message, %rsi # Address of the message string mov $message_len, %rdx # Length of the message string syscall # Call the kernel call read_input # Exit the program mov $60, %rax # System call number for exit xor %rdi, %rdi # Exit status 0 xor %rsi, %rsi # I like it clean xor %rdx, %rdx # I like it clean syscall # Call the kernel message: .asciz "Today is a nice day so you get 16 bytes for free!\n" message_len = . - message Arch: amd64-64-little RELRO: No RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x400000) Stack: Executable The read_input can overflow a stack buffer of size 314 with 330 bytes, hence the “16 bytes for free”, setting us up for a 2-pointer ROP chain. Since this is no PIE, we can use gadgets from the tiny binary. ...

I picked the wrong path at Cyber Security Rumble 2024’s polypwn challenge and failed. Can you do it with more time and a win function? NOTE: Knowledge of polypwn is not required! Credit to @LevitatingLion for the original challenge and part of the code. Category: pwn Solver: nh1729 Flag: GPNCTF{line_breaks_in_addresses_make_me_sad_a39d9} Writeup Challenge Setup This is a binary exploitation challenge. We get the source of the program to pwn composer.c and a python wrapper composer.py. The program prints a menu to either echo back a line or exit. The twist for this challenge is that the program has been compiled for 5 different architectures: s390x, aarch64, arm, riscv64 and x86_64. ...

Category: rev Solver: rgw, 3mb0, Greenscreen23, SchizophrenicFish2nds Flag: GPNCTF{B4CKD00R3D_4G41N_d2d4ebde} Writeup This challenge is about a modified version of the XZ backdoor. There is a remote server with its SSH port exposed. We get a modified version of xz version 5.6.0. We first check which files are different between the original xz and the modified version: $ diff -r xz-old/xz-5.6.0/ xz-safe/xz-5.6.0/ Binary files xz-old/xz-5.6.0/tests/files/good-large_compressed.lzma and xz-safe/xz-5.6.0/tests/files/good-large_compressed.lzma differ We follow the writeup at [1] to reverse engineer the backdoor. ...

I heard you like flags, so I launched Chrome with a lot of flags so you can get your flag! The flag is in /flag.txt, and the bot will visit the HTML file you uploaded! Category: web Solver: aes, lukasrad02, Liekedaeler Flag: GPNCTF{CL1_FL4G5_4R3_FL4G5_T00} Writeup This challege allows us as the attacker to upload an HTML file to the server. The description already tells us that the server will visit the file we upload and that the flag is located at /flag.txt in the target system. ...

I made a JS API! Sadly I had no time to finish it :( Category: web Solver: aes, Liekedaeler, lukasrad02 Flag: GPNCTF{N0_C0MM3NT_b7c62b1e} Writeup We are given the source code of a Node.JS web application. Looking around, we see that the source code consists of a server.js file that runs on the server and a script.js file that is served to the client by the server. Taking a closer look at the server code, we find four HTTP routes that are defined. Let’s take a look at them one after another! ...

I made a JS API! Sadly I had no time to finish it :( But I had time to make it harder! Category: web Solver: aes, rgw, lukasrad02 Flag: GPNCTF{TH4T_W45_D3F1N1T3LY_N0T_4N_0V3RS1GHT} Writeup This challenge is extremely similar to the todo challenge in this CTF. To be exact, the two challenges are only different by two lines, precisely the following in the server.js file: // NEW: run JS to replace the flag with "nope" await page.evaluate((flag) => { document.body.outerHTML = document.body.outerHTML.replace(flag, "nope") }, flag) We are working based on the knowledge gained from the todo challenge, so have a look at that writeup here. ...

Old software, good software: Clone and pwn: https://github.com/FirebaseExtended/firepad Category: Web Solver: 3mb0, mp455 Flag: GPNCTF{fun_w1th_0p3n_s0urc3} Scenario The challenge links to the open source software FirePad which is a Collaborative Text Editor Powered by Firebase. Additionally, the challenge provides a simple HTTP instance with the text No admin running at the moment. Start (120s timeout) and the Start link. The link redirects to an intermediate page Your pad link: admin starting up, check back in a moment and after refreshing provides a link to a pad on the public firepad demo site Your pad link: https://demo.firepad.io/#lAAYHJ0FCw. ...