Even more flags

I heard you like flags, so I launched Chrome with a lot of flags again so you can get your flag! This time the flag is localhost:1337/flag, and the bot will visit your URL!

Category: Web · Solver: lukasrad02, Liekedaeler
Flag: GPNCTF{WHY_D0_50M3_0F_TH353_FL4G5_3V3N_3X15T}

Scenario

As the name of the challenge suggests, this challenge is a follow-up on So many flags, so it might make sense to read the writeup for that challenge first. As a quick wrap-up: ...

June 9, 2024 · 4 min · lukasrad02, Liekedaeler

Terminator 1

I heard supply-chain security is all the rage now, after a weird XY problem. Not sure what they were up about, but I was probably not asking the correct questions… Undeterred, I went shopping in some poor PhD student’s lab and found this lovely contraption, ending this problem once and for all: As soon as evil code is executed, your VM will be killed mercilessly. I even built a really cute application for cooking up your cyber recipes to try it out! ...

June 9, 2024 · 19 min · lukasrad02, 3mb0, nh1729

Out of the ordinary

On your never-ending search for flags you stumble into a deep swamp. Suddenly, in front of you, you find a weird little green stranger standing. “I am wondering, why are you here”, the creature asks you. “I am looking flags” you answer. “Looking for flags? Found something else, you have, I would say, hmmm?” “Look, I’m really sorry but I need to get back to solving challenges or I’ll never get my full solve”, you say as you try to push the creature out of your way. “No! No, no! Stay and help you, I will. Find your banner, hmm?”, the creature says and won’t get out of your way. “I’m not looking for a banner, I’m looking for a flag!” you dement. “Oohhh, Flag. Challenge. Solve. You need to solve a challenge”. “Do you have a flag?” “A flag? Perhaps… Hmmm, give you a challenge, I can. Solve it you must” and with that the little creature scurries away and returns after a while with a mysterious little box. ...

June 9, 2024 · 5 min · jogius, lukasrad02

Never gonna give you UB

Can you get this program to do what you want?

Category: pwn · Solver: jogius
Flag: GPNCTF{G00d_n3w5!_1t_l00ks_l1ke_y0u_r3p41r3d_y0ur_disk...}

This challenge provides us with four files: song_rater.c and a corresponding binary song_rater, as well as a run.sh script and the Dockerfile used for the server. Let’s take a look at the Dockerfile first.

Dockerfile

At first glance, this doesn’t really do anything interesting: the file simply defines two containers, one for compiling song_rater.c and one for serving the binary. Nothing about the package installation and serving really jumps out to me, so let’s take a look at the gcc line for compilation. ...

June 9, 2024 · 6 min · jogius

Electric

from longnight import nosleep

When I run it I get b"m'7Y\xcaZ\xb4\x06\xbd\x92\xae\xf1B\x15\xd1IP1a\xdcs\xde&\xadWz\xb4\x12\xab\xa5]\x1e\x83\x98\xc6\xa9\x89\t\xa9\tNW\x9c\xe0\n\x9f\x11\x83\xa1\xd1\x03\xad"

Category: Reversing · Solver: MarDN, Liekedaeler
Flag: GPNCTF{wHy_1s_th3re_pyTHon_in_my_c_ahHh1!}

Writeup

The challenge consists of a simple Python script which imports an encoding function enc from a library called script. A dummy flag is read in and encoded with the enc function, and there is a comment which contains the encoded real flag. Additionally, script is given as a shared object compiled with CPython for x86-64 with debug information. ...

June 9, 2024 · 4 min · MarDN, Liekedaeler

Knitted Flag

I got a bit too excited when I started my newest knitting project and accidentally turned my challenge flag into a knitting pattern.

Category: misc · Solver: MarDN, linaScience
Flag: GPNCTF{Congr4tulati0ns-Y0u-h4v3-Fr0gged-H0urs-Of-My-W0rk-for-Th1s-Fl4g!}

Writeup

This challenge consists of a description of a knitting project, indicating a pattern of knit and purl stitches. There is also a note that the piece is knitted flat and that odd rows show the right side of the project. ...

June 8, 2024 · 4 min · MarDN, linascience

You know the GPNCTF{<full_text_without_newlines>} and so do I

https://www.letras.com/rick-astley/2341/

Category: misc · Solver: MarDN, linaScience
Flag: GPNCTF{We're no strangers to loveYou know the rules and so do IA full commitment's what I'm thinking ofYou wouldn't get this from any other guyI just wanna tell you how I'm feelingGotta make you understandNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youWe've known each other for so longYour heart's been achingBut you're too shy to say itInside we both know what's been going onWe know the game and we're gonna play itAnd if you ask me how I'm feelingDon't tell me you're too blind to seeNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youOoh (give you up)Ooh (give you up)Never gonna give, never gonna give (ooh, give you up)Never gonna give, never gonna give (ooh, give you up)We've known each other for so longYour heart's been achingBut you're too shy to say itInside we both know what's been going onWe know the game and we're gonna play itI just wanna tell you how I'm feelingGotta make you understandNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt youNever gonna give you upNever gonna let you downNever gonna turn around and desert youNever gonna make you cryNever gonna say goodbyeNever gonna tell a lie and hurt you} ...

June 8, 2024 · 3 min · MarDN, linascience

No crypto

I swear this isn’t crypto. Pinky promise. And you don’t have to bruteforce anything.

Category: misc · Solver: linaScience, MarDN, t0b1, Liekedaeler
Flag: GPNCTF{TH3_S_1N_S3TU1D_5T4ND5_F0R_S3CUR1TY}

Writeup

Guessing the date

On the server, we have the following files:

    ctf@sweet-dreams-are-made-of-this--micar-7714:/app$ ls -liash
    ls -liash
    total 32K
    100824878    0 drwxr-xr-x 1 root root   45 May 29 01:31 .
    101555908    0 dr-xr-xr-x 1 root root   28 Jun  8 14:26 ..
    100824879  20K -rwsr-xr-x 1 root root  17K May 29 01:31 cli
     68506109 4.0K -rw------- 1 root root 1.3K May 28 20:43 cli.c
     68506110 4.0K -rw------- 1 root root   98 May 28 20:43 encrypt.sh
    100824881 4.0K -rwx------ 1 root root   90 May 29 01:31 flag.enc

Oddly enough, we only have read and execute rights for the cli binary as we are the user ctf and not root. So, let’s have a look at the no-crypto.tar.gz that was provided before we take a further look at the server. In the tar, we get a Dockerfile, an encrypt.sh as well as the cli.c for the server. ...

June 8, 2024 · 7 min · linaScience, MarDN, t0b1, Liekedaeler

Refined Notes

All my friends warned me about xss, so I created this note taking app that only accepts “refined” Notes.

Category: Web · Solver: lukasrad02, aes
Flag: GPNCTF{3nc0d1ng_1s_th3_r00t_0f_4ll_3v1l}

Scenario

This challenge features a minimalistic note-taking app. We can enter a note into a text box, click a button to save it, and it becomes available under a URL containing the UUID of the note. ...

June 7, 2024 · 5 min · lukasrad02, aes

Secure Notes

These XSS vectors are getting ridiculous! So I made a secure note app. The only NPM dependency is DOMPurify, and I directly store the output of DOMPurify.sanitize and serve that back, so it has to be secure, right? It’s barely 16 LoC!

Category: Web · Solver: aes, lukasrad02
Flag: GPNCTF{UN1C0D3_15_4_N34T_4TT4CK_V3CT0R}

Writeup

As the challenge description suggests, the code for this challenge is indeed pretty compact. Thus, we can even take a look at it here in this writeup: ...

June 7, 2024 · 5 min · aes, lukasrad02

The root of all evil

We want this CTF to be perfect! As we hope you all know this requires us, as good software engineers, to design a specification we can develop challenges against. So we started meticulously crafting documents for our scope statements and product requirements. Somehow this got a little out of hand (we really don’t know how. We set a timeline and used a strict waterfall model. Theoretically this should have worked out perfectly…) so we need your help to finish the requirements document before it’s too late… Specifically I have a problem with the The root of all evil challenge. I designed a beautiful solve script sequence diagram to prove this challenge is solvable. Since I didn’t want to type the flag out I just shoved a piece of paper into the disk drive and somehow this mess appeared in my diagram… Tragically, before I could save it, my cat ate the original piece of paper with the flag I need. But I have a feeling this weird assortment of symbols contains some info about the flag. Could you please recover it for me? I desperately need it to check the solutions to the challenge. If it helps: I used PlantUML for my diagram. Please help me!!!! ...

June 7, 2024 · 5 min · Liekedaeler, MarDN, linaScience, tn1088, abc013

Count me out

I have developed a new, revolutionary cipher that is not constrained to one block cipher. It is safe and secure. If you are not convinced, I will provide a flag to anyone who manages to win the ‘In No Desirable Case Attacks Possible’ (IND-CPA) mode.

Category: Crypto · Solver: Greenscreen23, SchizophrenicFish2nds
Flag: GPNCTF{stop_breaking_it_It_is_even_called_safe}

Writeup

Context

We are presented with an IND-CPA game for an AES cipher with a custom block mode. ...

June 6, 2024 · 4 min · Greenscreen23, SchizophrenicFish2nds

Back to the roots

Somewhere under a big pile of paper I found some notes about this really cool encryption algorithm. I updated it to the digital age in the hope that it is much safer now.

Category: Crypto · Solver: Greenscreen23
Flag: GPNCTF{itturnsoutthatbitsdonotmakecolumnartransposedifficultenoughatleastifyouencodeitwithasciigjnogoandbreakdoppelwuerfeltheflagendshereenjoyreadingsomemoretextihopeyoulikedthechallenge}

Writeup

Context

We are given a Rust file that encrypts the bits of the flag using a transposition cipher with a random key. The flag bits are split into blocks of an unknown key length, which are arranged as rows in a table, without any padding in the last row. The columns of the table are then permuted according to the key and concatenated column by column. This ciphertext is given. ...

June 6, 2024 · 7 min · Greenscreen23

Trapdoor

Okay honestly I don’t know how I can possibly justify this. Either this is hard or I fucked up spectacularly. No this challenge has not been playtested. But a solve script exists. Note from the infra team: No authors were hurt in the making of this CTF. They were insane already…

Category: Crypto · Solver: Greenscreen23, SchizophrenicFish2nds, 3mb0
Flag: GPNCTF{F1eLd_Th30ry_is_fun!11_05ba}

Writeup

Disclaimer: We are not mathematicians and many of these terms were new to us. This writeup therefore will include no proof but rather observations we had. We will also try to explain concepts we feel are beneficial to understanding the challenge (and sage code). ...

June 6, 2024 · 9 min · Greenscreen23, SchizophrenicFish2nds, 3mb0

Archventure time

I found this funny multi-arch music software but I can’t remember my license key. Can you recover it for me?

Category: rev · Solver: computerdores
Flag: GPNCTF{W0nd3rful!_Y0u're_2_cl3ver_f0r_th4t_l1cens3_ch3ck!_W3ll_d0ne_<3}

Writeup

For this challenge we got a binary called chal and a Dockerfile. Loading the binary into Ghidra and taking a look at the main function, we can see that it asks for a license key, reads 24 characters of input and passes them to a function. ...

June 5, 2024 · 5 min · computerdores

Never gonna run around and reverse you

I thought of this really cool collision free hash function and hashed the flag with it. Theoretically you shouldn’t be able to reverse it…

Category: rev · Solver: computerdores
Flag: GPNCTF{W41t,_h0w_d1d_y0u_s0lv3_th1s?_I_th0ught_1t_w45_4_g00d_h45h}

Writeup

For this challenge we got a file called hash that contains a hex string and a binary called hasher. Opening the hasher binary in Ghidra, we can see that the main method accepts a string as a parameter to the binary and “hashes” it with the following loop: ...

June 5, 2024 · 1 min · computerdores

Flag remover

I removed the flag :P

Category: web · Solver: aes, Liekedaeler, lukasrad02
Flag: GPNCTF{1_L0V3_L3G4CY_F34TUR3S}

Writeup

This challenge — like a few other web challenges in this CTF — is a Node.js- and Express-based web application. It has four routes that we should examine further. First off, there are the / and /removeFlag.js HTTP GET routes. These only serve static strings, but their responses will become important later. There also is an admin bot that can be triggered via the /admin POST route. We can provide an HTML string that is passed into a form field in the home page’s HTML, along with the flag in another field. When these two values have been entered, the admin bot’s browser is redirected to the /chal page we will look at later. After the redirect to the page, the browser waits five seconds and then waits for the successful execution of a small JavaScript snippet. Afterwards, it takes a screenshot and returns it to us. ...

June 3, 2024 · 4 min · aes, Liekedaeler, lukasrad02

Never gonna tell a lie and type you

todo

Category: Web · Solver: lukasrad02
Flag: GPNCTF{1_4M_50_C0NFU53D_R1GHT_N0W}

Scenario

The challenge consists of a web application powered by a single PHP script that receives data from the HTTP POST parameter data and then does a couple of things:

1. The string from the data parameter is parsed as JSON and stored as $user_input.
2. The user agent of the request is compared against the string "friendlyHuman" and requests with any other user agent are aborted.
3. The $user_input->{'user'} property is compared to "admin🤠" and non-admins receive a landing page with a greeting.
4. The $user_input->{'password'} property is passed to a securePassword function and the result is compared to the original password. If the two values don’t match, an error message is returned.
5. If all checks were successful, $user_input->{'command'} is executed in a shell and the output is sent back to the user.

The code of the securePassword function is as follows: ...

June 3, 2024 · 3 min · lukasrad02

A fuller solve's what I'm thinking of

I wanted to build an intro rev challenge but it didn’t work as intended when I deployed it to my Rocky 9 server. Maybe you can work around the issue and leak the flag in /flag

Category: misc · Solver: rgw, aes
Flag: GPNCTF{D1d_y0u_st4rt_4_vm_0r_4_b4r3_m3t4l_r0cky_k3rn3l?}

Writeup

The setup is similar to “A full solve is what I’m thinking of”. However, there is no /catflag binary. Therefore, we don’t have a binary that we can use as the interpreter for an uploaded ELF binary. ...

June 3, 2024 · 3 min · rgw, aes

Dreamer

It would be a shame if you could exploit this sleepy binary.

Category: pwn, misc · Solver: rgw, abc013, Liekedaeler, MarDN
Flag: GPNCTF{sh0rt_she11c0de_1s_c00l}

Writeup

We are given a compiled binary dream and its source code dream.c:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <sys/mman.h>
    #include <string.h>

    #define ROTL(X, N) (((X) << (N)) | ((X) >> (8 * sizeof(X) - (N))))
    #define ROTR(X, N) (((X) >> (N)) | ((X) << (8 * sizeof(X) - (N))))

    unsigned long STATE;
    unsigned long CURRENT;

    char custom_random(){
        STATE = ROTL(STATE,30) ^ ROTR(STATE,12) ^ ROTL(STATE,42) ^ ROTL(STATE,4) ^ ROTR(STATE,5);
        return STATE % 256;
    }

    void* experience(long origin){
        char* ccol= mmap (0,1024, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
        size_t k = 0;
        while(k<106){
            *(ccol+k) = 0x90; //nop just in case;
            k++;
        }
        k=16;
        *((int*)ccol) = origin;
        while(k<100){
            *(ccol+k)=custom_random();
            k++;
        }
        return ccol;
    }

    void sleepy(void * dream){
        int (*d)(void) = (void*)dream;
        d();
    }

    void win(){
        execv("/bin/sh",NULL);
    }

    void setup(){
        setvbuf(stdin, NULL, _IONBF, 0);
        setvbuf(stdout, NULL, _IONBF, 0);
        setvbuf(stderr, NULL, _IONBF, 0);
    }

    int main(){
        setup();
        long seed=0;
        printf("the win is yours at %p\n", win);
        scanf("%ld",&seed);
        STATE = seed;
        printf("what are you thinking about?");
        scanf("%ld",&seed);
        sleepy(experience(seed));
    }

During execution, we are given the address of the win function that calls execv("/bin/sh",NULL). In experience(), an RWX segment is allocated using mmap. We can supply two values for this segment: ...

June 3, 2024 · 4 min · rgw, abc013, Liekedaeler, MarDN

Gift

A gift from the king.

Category: pwn · Solver: t0b1, c0mpb4u3r, nh1729
Flag: GPNCTF{new_stuff_and_constraints_a29kd33}

Writeup

Challenge setup

The challenge consists of an x86_64 assembly file gift.s and supporting Makefile and Dockerfile. We have access to the input and output of the compiled assembly via TCP; the flag is in the file /app/flag.txt. The challenge binary has only two functions and no linked libraries:

    .section .text
    .global _start

    read_input:
        # Read 314 bytes + 16 free bytes from stdin to the stack
        sub $314, %rsp          # Make room for the input
        mov $0, %rax            # System call number for read
        mov $0, %rdi            # File descriptor for stdin
        mov %rsp, %rsi          # Address of the stack
        mov $330, %rdx          # Number of bytes to read
        syscall                 # Call the kernel
        add $314, %rsp          # Restore the stack pointer
        ret

    _start:
        # Print the message to stdout
        mov $1, %rax            # System call number for write
        mov $1, %rdi            # File descriptor for stdout
        mov $message, %rsi      # Address of the message string
        mov $message_len, %rdx  # Length of the message string
        syscall                 # Call the kernel

        call read_input

        # Exit the program
        mov $60, %rax           # System call number for exit
        xor %rdi, %rdi          # Exit status 0
        xor %rsi, %rsi          # I like it clean
        xor %rdx, %rdx          # I like it clean
        syscall                 # Call the kernel

    message:
        .asciz "Today is a nice day so you get 16 bytes for free!\n"
    message_len = . - message

    Arch:     amd64-64-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX unknown - GNU_STACK missing
    PIE:      No PIE (0x400000)
    Stack:    Executable

The read_input function can overflow a stack buffer of size 314 with 330 bytes, hence the “16 bytes for free”, setting us up for a 2-pointer ROP chain. Since this is no PIE, we can use gadgets from the tiny binary. ...

June 3, 2024 · 4 min · t0b1, c0mpb4u3r, nh1729

Polyrop-warmup

I picked the wrong path at Cyber Security Rumble 2024’s polypwn challenge and failed. Can you do it with more time and a win function? NOTE: Knowledge of polypwn is not required! Credit to @LevitatingLion for the original challenge and part of the code.

Category: pwn · Solver: nh1729
Flag: GPNCTF{line_breaks_in_addresses_make_me_sad_a39d9}

Writeup

Challenge Setup

This is a binary exploitation challenge. We get the source of the program to pwn composer.c and a python wrapper composer.py. The program prints a menu to either echo back a line or exit. The twist for this challenge is that the program has been compiled for 5 different architectures: s390x, aarch64, arm, riscv64 and x86_64. ...

June 3, 2024 · 6 min · nh1729

XZ safe

Category: rev · Solver: rgw, 3mb0, Greenscreen23, SchizophrenicFish2nds
Flag: GPNCTF{B4CKD00R3D_4G41N_d2d4ebde}

Writeup

This challenge is about a modified version of the XZ backdoor. There is a remote server with its SSH port exposed. We get a modified version of xz version 5.6.0. We first check which files are different between the original xz and the modified version:

    $ diff -r xz-old/xz-5.6.0/ xz-safe/xz-5.6.0/
    Binary files xz-old/xz-5.6.0/tests/files/good-large_compressed.lzma and xz-safe/xz-5.6.0/tests/files/good-large_compressed.lzma differ

We follow the writeup at [1] to reverse engineer the backdoor. ...

June 3, 2024 · 4 min · rgw, 3mb0, Greenscreen23, SchizophrenicFish2nds

So many flags

I heard you like flags, so I launched Chrome with a lot of flags so you can get your flag! The flag is in /flag.txt, and the bot will visit the HTML file you uploaded!

Category: web · Solver: aes, lukasrad02, Liekedaeler
Flag: GPNCTF{CL1_FL4G5_4R3_FL4G5_T00}

Writeup

This challenge allows us as the attacker to upload an HTML file to the server. The description already tells us that the server will visit the file we upload and that the flag is located at /flag.txt in the target system. ...

June 3, 2024 · 3 min · aes, lukasrad02, Liekedaeler

todo

I made a JS API! Sadly I had no time to finish it :(

Category: web · Solver: aes, Liekedaeler, lukasrad02
Flag: GPNCTF{N0_C0MM3NT_b7c62b1e}

Writeup

We are given the source code of a Node.js web application. Looking around, we see that the source code consists of a server.js file that runs on the server and a script.js file that is served to the client by the server. Taking a closer look at the server code, we find four HTTP routes that are defined. Let’s take a look at them one after another! ...

June 3, 2024 · 3 min · aes, Liekedaeler, lukasrad02