Honeypot

I’ve just bought this property in a very privileged part of the system. But there seem to be(e) awfully many bees around. I just hope I can find a way out of this thing the developer has constructed here before I get stung… Category: rev Solver: computerdores, sohn123 Flag: GPNCTF{on_a_scale_from_1_to_10_h0w_WOULd_yOU_r4t3_yOUr_t00lIN6?} Writeup Run Script The first thing we can look at is the running.md and the run.sh:

    #!/bin/bash
    set +m
    pgid=$(ps -o pgid= $$ | xargs)
    sleep infinity &
    sleeppid=$!
    trap "kill $sleeppid" SIGUSR1
    run_governor() {
        java --enable-native-access=ALL-UNNAMED -jar $1 "$sleeppid" "-$pgid"
    }
    run_governor "$1" &
    waitpid $sleeppid
    echo "Enter your favourite way of printing your flag"
    TARGET=flag
    while :; do
        read -n 1 direction
        echo
        case $direction in
            h)
                head $TARGET &
                ;;
            t)
                tail $TARGET &
                ;;
            c)
                cat $TARGET &
                ;;
            b)
                base64 $TARGET | base64 -d &
                ;;
            *)
                echo "Invalid"
                kill -9 -- "-$pgid"
                ;;
        esac
    done

From the running.md we know that the run.sh is supposed to be invoked with honeypot.jar as its first parameter. Looking at the run.sh, we can see that it first invokes the honeypot.jar as a background process and then waits for another process to be killed. After that process has been killed, the script repeatedly asks the user to select one of four programs to be executed on the flag file (head, tail, cat, or base64). ...

July 9, 2025 · 9 min · computerdores

NASA

Why even bother writing secure code when you can just enable sanitizers? Category: pwn Solver: nh1729 Flag: GPNCTF{all_wRI7Es_aR3_pR07Ec7Ed_By_asaN_oNLy_iN_yOUR_DR34MS_9438} Challenge Overview The challenge came with a source C file, a compiled binary and a Dockerfile.

    $ pwn checksec nasa
    [*] 'nasa'
        Arch:       amd64-64-little
        RELRO:      Full RELRO
        Stack:      Canary found
        NX:         NX enabled
        PIE:        PIE enabled
        FORTIFY:    Enabled
        ASAN:       Enabled
        SHSTK:      Enabled
        IBT:        Enabled
        Stripped:   No
        Debuginfo:  Yes

The code in nasa.c is simple enough: we can interact with the program and repeatedly read/write 8 bytes at arbitrary addresses. ...

July 9, 2025 · 8 min · nh1729

no-nc

I’ve only heard bad things about nc so I banned it. Category: pwn Solver: nh1729 Flag: GPNCTF{uP_AND_doWN_4Ll_aRound_GoE5_TH3_N_dIMEnSI0naL_CIrc1E_WTF_I5_tHis_f1ag} Challenge Overview The challenge consists of a small C file that basically accepts a string from stdin and uses it as the path of a file to dump. The flag is compiled as a string into the binary itself, which is named nc. Further, the file name that is read, taken as a C string, must not include any character of ./nc. ...

July 9, 2025 · 3 min · nh1729

Note Editor

The web guys always have these note apps, why not use this terminal based one instead. Category: pwn Solver: nh1729 Flag: GPNCTF{now_Y0u_SUr31Y_4RE_RE4dy_7o_pWN_LAdyBIRD!} Challenge Overview The challenge came with source C files, a compiled binary and a Dockerfile.

    $ pwn checksec chall
    [*] 'chall'
        Arch:       amd64-64-little
        RELRO:      Partial RELRO
        Stack:      No canary found
        NX:         NX enabled
        PIE:        No PIE (0x400000)
        Stripped:   No

The challenge is an interactive note editor for a single note with basic capabilities: ...

July 9, 2025 · 6 min · nh1729

Yavascript Blog

YAML is the best javascript object notation. So I made a blog hoster with YAML + JS! Category: Web Solver: nh1729 Flag: GPNCTF{yet_ano7hER_misT4ke_Lan6UAGe} Challenge Overview The challenge is a small nodejs project hosting an express web server. It exposes routes to register users, edit blogs and blog posts associated with them and to read blog posts by name, all stored in-memory. Each user can have multiple named blogs and each blog has a list of posts, each with a content. The posts can be accessed by the blog name and post index. ...

July 9, 2025 · 4 min · nh1729

Yavascript Blog: CSP Edition

YAML is the best javascript object notation. So I made a blog hoster with YAML + JS! The haters keep saying that YAML is “so unsafe” and “a bad language” so I added a CSP to my Node.js app to make it super secure! Category: web Solver: nh1729 Flag: GPNCTF{7uRn5_Ou7_NODE_h4s_4_c5P_r1poff} Challenge Overview The challenge is identical to yavascript-blog, except for one line: $ diff -r yavascript-blog yavascript-blog-csp diff '--color=auto' -r yavascript-blog/Dockerfile yavascript-blog-csp/Dockerfile 11c11 < CMD ["node", "."] --- > CMD ["node", "--disallow-code-generation-from-strings", "."] Overview yavascript-blog This section is identical to the overview in our writeup of yavascript-blog ...

July 9, 2025 · 6 min · nh1729

Broccoli

I know where your house lives. The flag lives in /flag not ./flag, not /flag.txt Category: Misc Solver: superfrogemperor & Likedaeler Flag: GPNCTF{yOUr_H0USE_l1VEs_4T_google.com/maps/place/neapolis.11.polignano} Scenario We have a website which displays our IP address on top of a video containing a broccoli in a hot tub. Analysis After inspecting the website, we can deduce that the JS snippet responsible for getting the IP address is ...

July 9, 2025 · 2 min · superfrogemperor, liekedaeler

Pro(v|b)ably secure

We have probable intel that our target tried to prove their flag?! As you can see in the leaked sources, the admin user placed a flag into a model. It is vital that you get access to their account and recover the flag. We are also very excited to tell you that our agents are certain that you don’t have to touch anything related to the prover itself, just recover the flag and get out of this hell as quickly as possible! ...

July 9, 2025 · 3 min · SchizophrenicFish2nds, hack_the_kitty

RestrictedOracle

This writeup was originally published on the author’s website and is added here for completeness. Everybody can exploit oracles. Do you have what it takes to exploit a restricted oracle? If you do, you might find a flag between all the German words I placed in there. Category: crypto Solver: lapesi, SchizophrenicFish2nds Flag: GPNCTF{niC3_gUESsInG_PADDing_15_fUN} Walkthrough We are provided with an archive containing some source code and a command to spawn an instance: ...

July 9, 2025 · 7 min · lapesi, SchizophrenicFish2nds

Check this out

In the spirit of open source I publish my code, though I wish there existed a better version control than project-latest-final-final-2.tar.zst. I love checking out what other people do with my code, but in this cruel world you need to take precautions. Therefore, I only check out the good code I have written myself. Looking forward to your submissions! Category: misc Solver: sohn123 Flag: GPNCTF{8rAnch,7Ag,comM17, BrAncH,Tag,comMI7, I5 7hE w4y oF THE gi7} ...

July 9, 2025 · 2 min · sohn123

Git Gud

While writing another challenge, I accidentally beheaded my editor :( Can you geit gud and put its head back on? Or just get the flag… Category: misc Solver: sohn123, nh1729 Flag: GPNCTF{WOW_4pP4r3n7Ly_Y0U_rEAlly_gO7_g0Od!} Writeup In this challenge there is a web service written in Go that clones a repository. Afterwards, the repository is opened in neovim, where the extension for lazygit is installed. As a user, you can only control the name/directory path that the repository is cloned to. Because of this, we looked at where the path is used. ...

July 9, 2025 · 2 min · sohn123, nh1729

Jail

GO DIRECTLY TO JAIL DO NOT PASS GO, DO NOT COLLECT $200. Category: misc Solver: sohn123 Flag: GPNCTF{AlMI6h7Y_GLob_oP3R4ToR_s7RIKe5_AgAin!} Writeup Understanding where we are We have no files for this challenge; we can just connect via netcat. When we enter random input, we sometimes get error messages. For example, when entering d we get dc: stack empty. When googling that error, we found out that we are in the Linux tool dc, which is a calculator. The relevant documentation with all commands can be found here. We see that we can execute system commands using !. ...

July 9, 2025 · 2 min · sohn123