Real Christmas (v1 & v2)

Please don’t ask how this relates to Christmas, you wouldn’t get it. It’s inspired by some real code I found in a project. Category: Web Solver: Liekedaeler Flag v1: GPNCTF{Af7Er_cHRiSTmAs_Is_8ASiC4L1y_b3FORE_CHRistmAS_so_17_1s_a1W4ys_ChR1STma5_Qed} Flag v2: GPNCTF{d1d_you_r3ad_maNY_c0MmEn7S_wh1lE_re4Din6_fUnny_rFC5?} Scenario In this challenge we are given source code for a web application that uses graphql. The flag can only be accessed by users who are active, admin and have been registered more than 20 seconds ago. So that has to be our goal. We’ll be looking at both versions of the challenge as they share the same objective and the second simply makes it slightly harder. ...

July 10, 2025 · 8 min · Liekedaeler

Free Parking Network (v1 & v2)

Description for v1: Do you like to pay for hosting? No. I have the perfect solution for you! Free Parking Network is a globally distributed, free hosting service that allows you to host your websites without any cost. It is designed to be easy to use and provides a simple interface for deploying your websites now. LEGAL: After a thorough review from our legal team your websites will be served to the world. We reserve the right to remove your website at any time without notice. We are not responsible for any content that you host on our platform. By using Free Parking Network, you agree to our terms and conditions. ...

July 9, 2025 · 10 min · Liekedaeler

Honeypot

I’ve just bought this property in a very privileged part of the system. But there seem to be(e) awfully many bees around. I just hope I can find a way out of this thing the developer has constructed here before I get stung… Category: rev Solver: computerdores, sohn123 Flag: GPNCTF{on_a_scale_from_1_to_10_h0w_WOULd_yOU_r4t3_yOUr_t00lIN6?} Writeup Run Script The first thing we can look at is the running.md and the run.sh:

    #!/bin/bash
    set +m
    pgid=$(ps -o pgid= $$ | xargs)
    sleep infinity &
    sleeppid=$!
    trap "kill $sleeppid" SIGUSR1
    run_governor() {
        java --enable-native-access=ALL-UNNAMED -jar $1 "$sleeppid" "-$pgid"
    }
    run_governor "$1" &
    waitpid $sleeppid
    echo "Enter your favourite way of printing your flag"
    TARGET=flag
    while :; do
        read -n 1 direction
        echo
        case $direction in
            h) head $TARGET & ;;
            t) tail $TARGET & ;;
            c) cat $TARGET & ;;
            b) base64 $TARGET | base64 -d & ;;
            *) echo "Invalid"
               kill -9 -- "-$pgid" ;;
        esac
    done

From the running.md we know that the run.sh is supposed to be invoked with honeypot.jar as its first parameter. Looking at the run.sh we can see that it first invokes the honeypot.jar as a background process and then waits for another process to be killed. After the process has been killed, the script then repeatedly asks the user to select one out of four programs to be executed on the flag file (head, tail, cat, or base64). ...

July 9, 2025 · 9 min · computerdores

NASA

Why even bother writing secure code when you can just enable sanitizers? Category: pwn Solver: nh1729 Flag: GPNCTF{all_wRI7Es_aR3_pR07Ec7Ed_By_asaN_oNLy_iN_yOUR_DR34MS_9438} Challenge Overview The challenge came with a source C file, a compiled binary and a Dockerfile.

    $ pwn checksec nasa
    [*] 'nasa'
        Arch:       amd64-64-little
        RELRO:      Full RELRO
        Stack:      Canary found
        NX:         NX enabled
        PIE:        PIE enabled
        FORTIFY:    Enabled
        ASAN:       Enabled
        SHSTK:      Enabled
        IBT:        Enabled
        Stripped:   No
        Debuginfo:  Yes

The code in nasa.c is simple enough: we can interact with the program and repeatedly read/write 8 bytes at arbitrary addresses. ...

July 9, 2025 · 8 min · nh1729

no-nc

I’ve only heard bad things about nc so I banned it. Category: pwn Solver: nh1729 Flag: GPNCTF{uP_AND_doWN_4Ll_aRound_GoE5_TH3_N_dIMEnSI0naL_CIrc1E_WTF_I5_tHis_f1ag} Challenge Overview The challenge consists of a small C file that basically accepts a string from stdin and uses it as the path of a file to dump. The flag is compiled as a string into the binary itself, which is named nc. Further, the file name that is read, as a C string, must not include any character of ./nc. ...

July 9, 2025 · 3 min · nh1729

Note Editor

The web guys always have these note apps, why not use this terminal based one instead. Category: pwn Solver: nh1729 Flag: GPNCTF{now_Y0u_SUr31Y_4RE_RE4dy_7o_pWN_LAdyBIRD!} Challenge Overview The challenge came with source C files, a compiled binary and a Dockerfile.

    $ pwn checksec chall
    [*] 'chall'
        Arch:       amd64-64-little
        RELRO:      Partial RELRO
        Stack:      No canary found
        NX:         NX enabled
        PIE:        No PIE (0x400000)
        Stripped:   No

The challenge is an interactive note editor for a single note with basic capabilities: ...

July 9, 2025 · 6 min · nh1729

Yavascript Blog

YAML is the best javascript object notation. So I made a blog hoster with YAML + JS! Category: Web Solver: nh1729 Flag: GPNCTF{yet_ano7hER_misT4ke_Lan6UAGe} Challenge Overview The challenge is a small nodejs project hosting an express web server. It exposes routes to register users, edit blogs and blog posts associated with them and to read blog posts by name, all stored in-memory. Each user can have multiple named blogs and each blog has a list of posts, each with a content. The posts can be accessed by the blog name and post index. ...

July 9, 2025 · 4 min · nh1729

Yavascript Blog: CSP Edition

YAML is the best javascript object notation. So I made a blog hoster with YAML + JS! The haters keep saying that YAML is “so unsafe” and “a bad language” so I added a CSP to my Node.js app to make it super secure! Category: web Solver: nh1729 Flag: GPNCTF{7uRn5_Ou7_NODE_h4s_4_c5P_r1poff} Challenge Overview The challenge is identical to yavascript-blog, except for one line: $ diff -r yavascript-blog yavascript-blog-csp diff '--color=auto' -r yavascript-blog/Dockerfile yavascript-blog-csp/Dockerfile 11c11 < CMD ["node", "."] --- > CMD ["node", "--disallow-code-generation-from-strings", "."] Overview yavascript-blog This section is identical to the overview in our writeup of yavascript-blog ...

July 9, 2025 · 6 min · nh1729

Broccoli

I know where your house lives. The flag lives in /flag not ./flag, not /flag.txt Category: Misc Solver: superfrogemperor & Liekedaeler Flag: GPNCTF{yOUr_H0USE_l1VEs_4T_google.com/maps/place/neapolis.11.polignano} Scenario We have a website which displays our IP address on top of a video containing a broccoli in a hot tub. Analysis After inspecting the website, we can deduce that the js snippet responsible for getting the IP address is ...

July 9, 2025 · 2 min · superfrogemperor, liekedaeler

Pro(v|b)ably secure

We have probable intel that our target tried to prove their flag?! As you can see in the leaked sources, the admin user placed a flag into a model. It is vital that you get access to their account and recover the flag. We are also very excited to tell you that our agents are certain that you don’t have to touch anything related to the prover itself, just recover the flag and get out of this hell as quickly as possible! ...

July 9, 2025 · 3 min · SchizophrenicFish2nds, hack_the_kitty

RestrictedOracle

This writeup was originally published on the author’s website and is added here for completeness. Everybody can exploit oracles. Do you have what it takes to exploit a restricted oracle? If you do you might find a flag between all the German words I placed in there. Category: crypto Solver: lapesi, SchizophrenicFish2nds Flag: GPNCTF{niC3_gUESsInG_PADDing_15_fUN} Walkthrough We are provided with an archive containing some source code and a command to spawn an instance: ...

July 9, 2025 · 7 min · lapesi, SchizophrenicFish2nds

Check this out

In the spirit of open source I publish my code, though I wish there existed a better version control than project-latest-final-final-2.tar.zst. I love checking out what other people do with my code, but in this cruel world you need to take precautions. Therefore, I only check out the good code I have written myself. Looking forward to your submissions! Category: misc Solver: sohn123 Flag: GPNCTF{8rAnch,7Ag,comM17, BrAncH,Tag,comMI7, I5 7hE w4y oF THE gi7} ...

July 9, 2025 · 2 min · sohn123

Git Gud

While writing another challenge, I accidentally beheaded my editor :( Can you geit gud and put its head back on? Or just get the flag… Category: misc Solver: sohn123, nh1729 Flag: GPNCTF{WOW_4pP4r3n7Ly_Y0U_rEAlly_gO7_g0Od!} Writeup In this challenge there is a web service written in Go that clones a repository. Afterwards the repository is opened in neovim, where the extension for lazygit is installed. As a user you can only control the name/directory path where the repository is cloned to. Because of this we looked at where the path is used. ...

July 9, 2025 · 2 min · sohn123, nh1729

Jail

GO DIRECTLY TO JAIL DO NOT PASS GO, DO NOT COLLECT $200. Category: misc Solver: sohn123 Flag: GPNCTF{AlMI6h7Y_GLob_oP3R4ToR_s7RIKe5_AgAin!} Writeup Understanding where we are We have no files for this challenge; we can just connect via netcat. When we enter random input we sometimes get error messages. For example, when entering d we get dc: stack empty. When googling that error we found out that we are in the Linux tool dc, which is a calculator. The relevant documentation with all commands can be found here. We see that we can execute system commands using !. ...

July 9, 2025 · 2 min · sohn123

Free Flagging

“You reached Free Parking” - sadly we ran out of money, but here have a free flag instead. Category: Web Solver: Liekedaeler Flag: GPNCTF{just_php_d01ng_php_th1ng5_abM2zz} Scenario While this web challenge does not come with downloadable source code on the challenge platform, you’ll be greeted by its source code as soon as you navigate to it. It’s just a few lines of PHP, so we don’t have many options. All we can do is post a string to it. ...

July 2, 2025 · 3 min · Liekedaeler

Image Contest

You have technicians here, making noise, they are not artists because no one has submitted any art yet. Which is exactly what you need to do: submit a banger image and win the flag. Sadly, the image contest doesn’t end until the end of the CTF, so you will need to expedite the process. Category: Web Solver: Liekedaeler Flag: GPNCTF{WhAt_a_B4N63R_I_dEc14R3_yOU_wiNn3r!} Scenario This is a web challenge without source code, so we’ll have to approach it blindly. So let’s take a quick look at the website. ...

June 23, 2025 · 6 min · Liekedaeler

Too Many Cooks

Oh no! Something awful happened and we let too many cooks cook up this challenge. I hope you can still get something edible out of it… Category: pwn Solver: computerdores, hack_the_kitty Flag: GPNCTF{4aahhh_th3_l33k_t4st3_0f_v1ct0ry!} Writeup The challenge binary presents you with a menu to select from. One can select a main dish and a dessert.

    Welcome to our dining hall! Please select a dish:
    -[pizza] A nice and fresh pizza
    -[gulasch] It's GPN, it's night and I'm programming. The only thing missing is a hot plate of gulasch!
    -[burger] Borgir!
    -[leek_soup] A deliciously hearty leek soup. Yum!
    -[desert] Give me my dessert! \o/

Selecting pizza, for example, you’ll be greeted by a nice ASCII art pizza: ...

June 15, 2024 · 8 min · computerdores, hack_the_kitty

Boombox

I have no clue of rust and no clue of crypto, but then with no challenge I stood crying in the rain and rusted. Category: Crypto Solver: SchizophrenicFish2nds, Greenscreen23 Flag: GPNCTF{backp4ck_r4p_crap,_yap-yap,_yack1ty-yack} Writeup Context We are given a file with Rust source code and an output file. To get around my limited Rust knowledge, I asked ChatGPT to translate the challenge source code into Python [4]. Here we can more easily see that the output consists of a subset sum problem, more precisely it closely resembles a Merkle-Hellman scheme. ...

June 14, 2024 · 5 min · Greenscreen23, SchizophrenicFish2nds

A full solve's what I'm thinking of

Exciting news! Our chief scientists found a way to do frequency analysis on binary files. Surprisingly it isn’t just changing the file ending to .mp3 and putting it into Audacity. Have a try for yourself below! Note: The binary /catflag prints the flag Category: misc Solver: linaScience, MarDN, t0b1 Flag: GPNCTF{L00ks_l1k3_y0u_h1t_th3_r1ght_tun3} Writeup In this challenge we have no source code :( and are only presented with the following simple website: ...

June 13, 2024 · 5 min · linaScience, MarDN, t0b1

Future of Pwning 1

There’s this cool new forward compatible ISA. I created an online emulator so that you can try it out! Category: pwn Solver: t0b1 Flag: GPNCTF{Ar3_y0u_Re4dy_for_th3_re4l_Chal1eng3?_ee9d22353e82} Writeup In this challenge, we are provided with a Dockerfile, an app.py, a forw binary and an instruction_list.csv. It is primarily a warm-up challenge to play with the ForwardCom ecosystem. Overview We first look at the Dockerfile to find out more about the setup of the challenge: ...

June 13, 2024 · 4 min · t0b1

Hackerman Hash

You know when they say the preimages of a hash function should be hard to compute and then they choose some weak primitive recursive function. I present to you a revolutionary solution that builds upon (quite literally) one of the largest problems of computer science. Try bruteforcing this. Category: Crypto Solver: SchizophrenicFish2nds, Greenscreen23 Flag: GPNCTF{I_H0pe_y0u_d1d_N0T_BrUT3F0RC3_Th15?_D1d_Y0U!!_3s2l1j} Writeup Context In this challenge, we are given the source code to generate “hashes” of the secret flag, and the outputs of several executions of this code. The flag is split into 4-byte chunks, then processed using the chain() and keyedAck() functions. ...

June 13, 2024 · 3 min · Greenscreen23, SchizophrenicFish2nds

Never gonna let you crypto

You read the title and thought Blockchain? You were successfully baited. Like the people before you, you now have to solve this challenge. Category: Crypto Solver: SchizophrenicFish2nds Flag: GPNCTF{One_T1me_p4ds_m4y_n3v3r_b3_r3u53d!!!} Writeup We are given a ciphertext that was produced as $ C = P \oplus K $ for some random, repeating 5 byte key $K$. Since we know several letters of the plaintext, we can compute the key as $ K = P \oplus C $ for the first 5 bytes, then perform the encryption operation to get $ C \oplus K = P \oplus K \oplus K = P \oplus 0 = P$ ...

June 13, 2024 · 1 min · SchizophrenicFish2nds

Petween Reasonable Lines

Now you have two problems. Category: pwn Solver: c0mpb4u3r, t0b1 Flag: GPNCTF{On3_d0es_Not_s1mply_Jump_int0_th3_m1ddle_of_4n_instruct1ion!!1} Introduction Imagine you want to allow users to execute their code on your server. There are a few reasonable options, like WebAssembly for instance. However, you could just write a Perl program that reads arbitrary bytes from stdin and tries to execute them directly on the host CPU. So let’s write some Perl…

    # Assume we have our code in $p
    # Mark memory as executable.
    syscall(10, $p, $s, 4);
    # Execute this memory region.
    &{DynaLoader::dl_install_xsub("", $p)};

Looks sketchy, doesn’t it? ...

June 12, 2024 · 6 min · c0mpb4u3r, t0b1

Polyrop

I picked the wrong path at Cyber Security Rumble 2024’s polypwn challenge and failed. Can you do it with more time and a win function? NOTE: Knowledge of polypwn is not required! Credit to @LevitatingLion for the original challenge and part of the code. Category: pwn Solver: nh1729 Flag: GPNCTF{you_re_lucky_that_i_scr4pped_one_arch_11dda4} Writeup Challenge Setup This is the hard version of polyrop-warmup. To summarize: It is a binary exploitation challenge. We get the source of the program to pwn composer.c and a python wrapper composer.py. The program prints a menu to either echo back a line or exit. The program has been compiled for 5 different architectures: s390x, aarch64, arm, riscv64 and x86_64. ...

June 12, 2024 · 19 min · nh1729

Inspect Element

Maybe using Inspect Element will help you! Small hint: If you’re struggling with reproducing it on remote, you can use socat to proxy the remote instance to localhost:1337 like this: socat TCP-LISTEN:1337,fork OPENSSL:xxx--xxx-1234.ctf.kitctf.de:443 and it should behave exactly like a locally running docker container. Category: web Solver: aes, Liekedaeler, lukasrad02 Flag: GPNCTF{D4NG3R0U5_D3BUGG3R} Writeup In this challenge, all we get is a Dockerfile. Given what the other web challenges looked like, this is quite strange. However, after taking a look at the Dockerfile, it’s quite clear why this is the case. It has one very interesting line, which is this one: google-chrome --remote-debugging-port=13370 --disable-gpu --headless=new --no-sandbox google.com This starts google chrome with a remote debugging port. We’ve seen chrome used in other challenges, but the remote debugging port thing is new. So the challenge has to somehow revolve around it. ...

June 12, 2024 · 2 min · aes, Liekedaeler, lukasrad02