GPN CTF 2025

Please don’t ask how this relates to Christmas, you wouldn’t get it. It’s inspired by some real code I found in a project. Category: Web Solver: Liekedaeler Flag v1: GPNCTF{Af7Er_cHRiSTmAs_Is_8ASiC4L1y_b3FORE_CHRistmAS_so_17_1s_a1W4ys_ChR1STma5_Qed} Flag v2: GPNCTF{d1d_you_r3ad_maNY_c0MmEn7S_wh1lE_re4Din6_fUnny_rFC5?} Scenario In this challenge we are given source code for a web application that uses graphql. The flag can only be accessed by users who are active, admin and have been registered more than 20 seconds ago. So that has to be our goal. We’ll be looking at both versions of the challenge as they share the same objective and the second simply makes it slightly harder. ...

Description for v1: Do you like to pay for hosting? No. I have the perfect solution for you! Free Parking Network is a globally distributed, free hosting service that allows you to host your websites without any cost. It is designed to be easy to use and provides a simple interface for deploying your websites now. LEGAL: After a thorough review from our legal team your websites will be served to the world. We reserve the right to remove your website at any time without notice. We are not responsible for any content that you host on our platform. By using Free Parking Network, you agree to our terms and conditions. ...

I’ve just bought this property in a very priviledged part of the system. But there seem to be(e) awfully many bees around. I just hope I can find a way out of this thing the developer has constructed here before I get stung… Category: rev Solver: computerdores, sohn123 Flag: GPNCTF{on_a_scale_from_1_to_10_h0w_WOULd_yOU_r4t3_yOUr_t00lIN6?} Writeup Run Script The first thing we can look at is the running.md and the run.sh: #!/bin/bash set +m pgid=$(ps -o pgid= $$ | xargs) sleep infinity & sleeppid=$! trap "kill $sleeppid" SIGUSR1 run_governor() { java --enable-native-access=ALL-UNNAMED -jar $1 "$sleeppid" "-$pgid" } run_governor "$1" & waitpid $sleeppid echo "Enter your favourite way of printing your flag" TARGET=flag while :; do read -n 1 direction echo case $direction in h) head $TARGET & ;; t) tail $TARGET & ;; c) cat $TARGET & ;; b) base64 $TARGET | base64 -d & ;; *) echo "Invalid" kill -9 -- "-$pgid" ;; esac done From the running.md we know that the run.sh is supposed to be invoked with honeypot.jar as its first parameter. Looking at the run.sh we can see that it first invokes the honeypot.jar as a background process and then waits for another process to be killed. After the process has been killed, the script then repeatedly asks the user to select one out of four programs to be executed on the flag file (head, tail, cat, or base64). ...

Why even bother writing secure code when you can just enable sanitizers? Category: pwn Solver: nh1729 Flag: GPNCTF{all_wRI7Es_aR3_pR07Ec7Ed_By_asaN_oNLy_iN_yOUR_DR34MS_9438} Challenge Overview The challenge came with a source C file, a compiled binary and a Dockerfile. $ pwn checksec nasa [*] 'nasa' Arch: amd64-64-little RELRO: Full RELRO Stack: Canary found NX: NX enabled PIE: PIE enabled FORTIFY: Enabled ASAN: Enabled SHSTK: Enabled IBT: Enabled Stripped: No Debuginfo: Yes The code in nasa.c is simple enough, we can interact with the program and repeatedly read/write 8 bytes at arbitrary addresses. ...

I’ve only heard bad things about nc so I banned it. Category: pwn Solver: nh1729 Flag: GPNCTF{uP_AND_doWN_4Ll_aRound_GoE5_TH3_N_dIMEnSI0naL_CIrc1E_WTF_I5_tHis_f1ag} Challenge Overview The challenge consists of a small c file that basically accepts a string from stdin and uses it as the path of a file to dump. The flag is compiled as a string into the binary itself, which is named nc. Further, The read file name as c string must not include any character of ./nc. ...

The web guys always have these note apps, why not use this terminal based one instead. Category: pwn Solver: nh1729 Flag: GPNCTF{now_Y0u_SUr31Y_4RE_RE4dy_7o_pWN_LAdyBIRD!} Challenge Overview The challenge came with source C files, a compiled binary and a Dockerfile. $ pwn checksec chall [*] 'chall' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX enabled PIE: No PIE (0x400000) Stripped: No The challenge is an interactive note editor for a single note with basic capabilities: ...

YAML is the best javascript object notation. So I made a blog hoster with YAML + JS! Category: Web Solver: nh1729 Flag: GPNCTF{yet_ano7hER_misT4ke_Lan6UAGe} Challenge Overview The challenge is a small nodejs project hosting an express web server. It exposes routes to register users, edit blogs and blog posts associated with them and to read blog posts by name, all stored in-memory. Each user can have multiple named blogs and each blog has a list of posts, each with a content. The posts can be accessed by the blog name and post index. ...

YAML is the best javascript object notation. So I made a blog hoster with YAML + JS! The haters keep saying that YAML is “so unsafe” and “a bad language” so I added a CSP to my Node.js app to make it super secure! Category: web Solver: nh1729 Flag: GPNCTF{7uRn5_Ou7_NODE_h4s_4_c5P_r1poff} Challenge Overview The challenge is identical to yavascript-blog, except for one line: $ diff -r yavascript-blog yavascript-blog-csp diff '--color=auto' -r yavascript-blog/Dockerfile yavascript-blog-csp/Dockerfile 11c11 < CMD ["node", "."] --- > CMD ["node", "--disallow-code-generation-from-strings", "."] Overview yavascript-blog This section is identical to the overview in our writeup of yavascript-blog ...

I know where your house lives. The flag lives in /flag not ./flag, not /flag.txt Category: Misc Solver: superfrogemperor & Likedaeler Flag: GPNCTF{yOUr_H0USE_l1VEs_4T_google.com/maps/place/neapolis.11.polignano} Scenario We have a website which displays our IP address on top of a video containing a broccoli in a hot tub Analysis After inspecting the website, we can deduce, that the js snippet responsible for After inspecting the website, we can deduce that the js snippet responsible for getting the IP address is ...

We have probable intel that our target tried to prove their flag?! As you can see in the leaked sources, the admin user placed a flag into a model. It is vital that you get access to their account and recover the flag. We are also very excited to tell you that our agents are certain that you don’t have to touch anything related to the prover itself, just recover the flag and get out of this hell as quickly as possible! ...

This writeup was originally published on the author’s website and is added here for completeness. Everbody can exploit oracles. Do you have what it takes to exploit a restricted oracle? If you do you might find a flag between all the German words I placed in there. Category: crypto Solver: lapesi, SchizophrenicFish2nds Flag: GPNCTF{niC3_gUESsInG_PADDing_15_fUN} Walkthrough We are provided with an archive containing some source code and a command to spawn an instance: ...

In the spirit of open source I publish my code, though I wish there existed a better version control than project-latest-final-final-2.tar.zst. I love checking out what other people do with my code, but in this cruel world you need to take precautions. Therefore, I only check out the good code I have written myself. Looking forward to your submissions! Category: misc Solver: sohn123 Flag: GPNCTF{8rAnch,7Ag,comM17, BrAncH,Tag,comMI7, I5 7hE w4y oF THE gi7} ...

While writing another challenge, I accidentally beheaded my editor :( Can you geit gud and put it’s head back on? Or just get the flag… Category: misc Solver: sohn123, nh1729 Flag: GPNCTF{WOW_4pP4r3n7Ly_Y0U_rEAlly_gO7_g0Od!} Writeup In this challenge there is a webservice written in go that clones a repository. Afterwards the repository is opened in neovim where the extension for lazygit is installed. As a user you can only control the name/directory path where the repository is cloned to. Because of this we looked at where the path is used. ...

GO DIRECTLY TO JAIL DO NOT PASS GO, DO NOT COLLECT $200. Category: misc Solver: sohn123 Flag: GPNCTF{AlMI6h7Y_GLob_oP3R4ToR_s7RIKe5_AgAin!} Writeup Understanding where we are We have no files for this challenge we can just connect via netcat. When we enter random input we sometimes get error messages. For example when entering d we get for example dc: stack empty. When googling that error we found out that we are in the linux tool dc which is a calculator. The relevant documentation with all commands can be found here. We ssee that we can execute system commands using !. ...

“You reached Free Parking” - sadly we ran out of money, but here have a free flag instead. Category: Web Solver: Liekedaeler Flag: GPNCTF{just_php_d01ng_php_th1ng5_abM2zz} Scenario While this web challenge does not come with downloadable source code on the challenge platform, you’ll be greeted by its source code as soon as you navigate to it. It’s just a few lines of PHP, so we don’t have many options. All we can do is post a string to it. ...

You have technicians here, making noise, they are not artists because no one has submitted any art yet. Which is exactly what you need to do: submit a banger image and win the flag. Sadly, the image contest doesn’t end until the end of the CTF, so you will need to expedite the process. Category: Web Solver: Liekedaeler Flag: GPNCTF{WhAt_a_B4N63R_I_dEc14R3_yOU_wiNn3r!} Scenario This is a web challenge without source code, so we’ll have to approach it blindly. So let’s take a quick look at the website. ...