
CSAW 2023 Qualifications

Author: Huy Ngo

Quick Intro

CTFTime page for the CTF. Hosted by NYUSEC.

This was the first CTF I participated in this semester, and it was super fun!

My team placed 37th out of 1098 teams (top ~3%), so that's pretty good! That'll set a nice tempo going forward. Also, it seems like a few strong CTF players have joined the club as well, so I'm really looking forward to working with them 🔥

Intro

my_first_pwnie

Our input is passed straight into eval, and the flag is in /flag.txt, so we can give it something like

__import__('os').system('cat flag.txt')

eval evaluates the expression, the system() call runs cat, and the flag is printed. If the process's working directory is not /, use the absolute path /flag.txt instead.

🚩 csawctf{neigh______}

Baby’s First

Flag is given in source code.

🚩 csawctf{w3_411_star7_5om3wher3}

target_practice

The binary reads a hex value and jumps to that address, so we just provide the start address of the cat_flag function, 0x400717.

🚩 csawctf{y0ure_a_m4s7er4im3r}

Baby’s Third

The flag string can be found by running strings on the binary.

🚩 csawctf{st1ng_th30ry_a1nt_so_h4rd}

puffin

A simple buffer overflow: write past the end of the input buffer to overwrite the variable secret_value on the stack.

🚩 csawctf{m4ybe_i_sh0u1dve_co113c73d_mor3_rock5_7o_impr355_her....}

whataxor

Our input is XOR'd byte by byte with the key 0xAA and then compared against a hardcoded array. XOR with a fixed key is its own inverse (x ^ k ^ k == x), so XORing the values in that array with 0xAA gives back the original flag.

🚩 csawctf{0ne_sheeP_1wo_sheWp_2hree_5heeks_____z___zzz_____zzzzzz____xor}

Misc

r u alive?

Flag is in the rules in Discord.

🚩 csawctf{and_fr0m_humb1e_b3gining5_we_ri5e}

AndroidDropper

Decompile the APK with JADX and find MainActivity in com.example.dropper. It base64-decodes a string, saves it as a .dex file, and tries to run the getFlag method of the class loaded from that .dex.

We then decode and save the .dex file ourselves and load it into JADX for further analysis. The .dex code talks to another endpoint on the server, receives a base64 string, and runs it through an obf() function. That function simply XORs each character with its third parameter, which the decompilation shows is 42. So: base64-decode the response, XOR each byte with 42, and you get the flag.

🚩 csawctf{dyn4m1c_lo4deRs_r_fuN!}
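Both whataxor and AndroidDropper reduce to a single-byte XOR, which undoes itself when applied twice. The block below is an added example (my own code, not taken from either challenge) that recovers the plaintext once the key is known from the decompilation, and goes one step further than the writeup by brute-forcing all 256 keys when it is not. The compared array and the base64 response it operates on are constructed placeholders, not the challenge data.

```python
import base64


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte.  Because x ^ k ^ k == x, the same
    function both applies and removes the transformation."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def recover_whataxor(compared: bytes, key: int = 0xAA) -> str:
    """whataxor: the binary XORs our input with 0xAA and compares it with a
    hardcoded array, so XORing that array with 0xAA yields the flag."""
    return xor_bytes(compared, key).decode()


def recover_dropper(b64_response: str, key: int = 42) -> str:
    """AndroidDropper: the server reply is base64 and obf() XORs each byte with 42."""
    return xor_bytes(base64.b64decode(b64_response), key).decode()


def brute_single_byte_xor(data: bytes, marker: bytes = b"csawctf{") -> list:
    """When the key is not visible in the decompilation, try every single-byte key
    and keep the ones whose output is printable ASCII containing the flag prefix."""
    hits = []
    for k in range(256):
        out = xor_bytes(data, k)
        if marker in out and all(0x20 <= b < 0x7F for b in out):
            hits.append((k, out))
    return hits


# Constructed sample (assumption: a placeholder flag, not the real one).  We produce
# the two "captured" artefacts by applying the challenges' own transformations.
SAMPLE_PLAINTEXT = b"csawctf{not_the_real_flag_just_a_placeholder}"
SAMPLE_WHATAXOR_ARRAY = xor_bytes(SAMPLE_PLAINTEXT, 0xAA)
SAMPLE_DROPPER_RESPONSE = base64.b64encode(xor_bytes(SAMPLE_PLAINTEXT, 42)).decode()

if __name__ == "__main__":
    print(list(SAMPLE_WHATAXOR_ARRAY))
    print(recover_whataxor(SAMPLE_WHATAXOR_ARRAY))
    print(recover_dropper(SAMPLE_DROPPER_RESPONSE))
    for key, text in brute_single_byte_xor(SAMPLE_WHATAXOR_ARRAY):
        print(hex(key), text)
```

The printable-ASCII filter alone lets several keys through on short inputs, which is why the brute force also insists on the flag prefix; with a known prefix the right key is unambiguous.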

Discord Admin Bot

This challenge has two parts: getting admin_flag = true, and an easy pyjail.

The first part requires the user to have one of the 'admin' roles, which is hinted to be named 'admin'. To get one, take the bot's client ID and put it into the standard OAuth2 invite URL:

https://discord.com/oauth2/authorize?client_id=your-bot-id&scope=bot&permissions=8

Now you can invite the bot into a server you control and give yourself the admin role there. After !flag, you'll find !add and !sub, which run eval on our input but error out if any of a long list of shell-related strings appears in it. The check is a plain substring match, so to bypass it, split each offending string in two and let the concatenation happen at evaluation time. Here's an example payload:

!add "__imp\" + \"ort__(\'os\').system(\'cat flag.txt\')"
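Both my_first_pwnie and this challenge hinge on eval over user input; the only difference is the substring blocklist in front of it. The block below is an added example (my own illustration, not the bot's source, which is not on the page) that models that blocklist with an assumed word list, shows a split-name bypass of the same shape as the payload above using a harmless os.name lookup instead of system(), and puts a hardened !add/!sub evaluator beside it that parses the input into an AST and accepts only integer literals and + / -.

```python
import ast
import builtins
import operator

# Assumed blocklist.  The writeup says the bot rejects "many shell functions" but does
# not list them, so this is an illustration, not the challenge's real filter.
BLOCKED = ("import", "exec", "eval", "open", "subprocess", "system")


def blocklisted_eval(expr: str):
    """The vulnerable pattern: a substring blocklist, then eval() on the raw text."""
    for word in BLOCKED:
        if word in expr:
            raise ValueError(f"blocked substring: {word!r}")
    # Full builtins are reachable, exactly as in a naive calculator command.
    return eval(expr, {"__builtins__": builtins})


# Bypass of the same shape as the writeup's payload: the forbidden name is assembled
# at run time, so the text the filter sees never contains "import".  'getattr' and 'os'
# are not on the list.  We read os.name instead of calling os.system so this is harmless.
BYPASS = "getattr(__builtins__, '__imp' + 'ort__')('os').name"

OPS = {ast.Add: operator.add, ast.Sub: operator.sub}
UNARY = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_arith(expr: str) -> int:
    """Hardened replacement for an !add/!sub command: parse into an AST and accept only
    integer literals and binary/unary + and -.  Names, attribute access and calls are
    rejected before anything is evaluated, so there is no filter to bypass."""
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in OPS:
            return OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY:
            return UNARY[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree.body)


def rejects(fn, expr: str) -> bool:
    """True if fn raises ValueError on expr; used to compare what each layer blocks."""
    try:
        fn(expr)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(blocklisted_eval("40 + 2"))   # the intended use
    print(blocklisted_eval(BYPASS))     # filter passes, arbitrary code runs
    print(safe_arith("40 + 2"))
    print("hardened evaluator rejects bypass:", rejects(safe_arith, BYPASS))
```

The lesson is the one the challenge teaches: a denylist in front of eval is not a boundary, because the attacker controls how the forbidden text is spelled; an allowlist over parsed syntax is.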

🚩 csawctf{Y0u_4r3_th3_fl4g_t0_my_pyj4il_ch4ll3ng3}

Linear Agressor

This is a linear model, which makes it easy to steal. First set every input to 0; the output is the bias b. To get the first weight, set the first input to 1 and the rest to 0, then subtract b from the output. Repeat for every position and you get an array of ASCII values that converts to the flag.

🚩 csawctf{m0d31_5t341ing_i5_b4d}
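Added example (my own code, not the challenge's server): a constructed linear oracle whose weights are the ASCII codes of a placeholder string and whose bias is an arbitrary constant, together with the n + 1 query extraction described above. The oracle name and the placeholder text are assumptions; the extraction works for any linear model, whether or not its weights happen to be characters.

```python
class LinearOracle:
    """Stand-in for the challenge server.  Constructed values, not the real model:
    the weights are the ASCII codes of a placeholder string.  An attacker only sees
    query(), never the weights or bias directly."""

    def __init__(self, secret: str, bias: float):
        self._w = [float(ord(c)) for c in secret]
        self._b = bias
        self.queries = 0

    @property
    def n_inputs(self) -> int:
        return len(self._w)

    def query(self, x: list) -> float:
        if len(x) != len(self._w):
            raise ValueError("wrong input length")
        self.queries += 1
        return sum(w * xi for w, xi in zip(self._w, x)) + self._b


def steal_linear(query, n: int):
    """Recover w and b of y = w.x + b using n + 1 queries: the all-zeros input
    returns b, and the i-th unit vector returns w_i + b."""
    bias = query([0.0] * n)
    weights = []
    for i in range(n):
        unit = [0.0] * n
        unit[i] = 1.0
        weights.append(query(unit) - bias)
    return weights, bias


def weights_to_text(weights: list) -> str:
    """Round each recovered weight to the nearest integer and read it as ASCII."""
    return "".join(chr(round(w)) for w in weights)


if __name__ == "__main__":
    oracle = LinearOracle("placeholder_text", bias=3.5)
    w, b = steal_linear(oracle.query, oracle.n_inputs)
    print(weights_to_text(w), b, "queries:", oracle.queries)
```

The rounding step matters on a real server, where responses may be floats with limited precision; it is harmless here because the constructed weights are exact integers.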

stonk

When the server is throttled it ignores buys and sells, but trade requests are still handled. Combined with the fact that, once throttled, the server restores the account portfolio to a previous state, this lets us set up a race condition that duplicates our stock.

  1. Buy a stock; the server now has this "restore point" in the database.
  2. Flood the server with buy/sell requests until it throttles.
  3. Keep flooding, but mix trade commands in between so that the trade completes and your original stock drops to 0.
  4. The next buy/sell request during throttling makes the server reset your original stock count to 1. Now you hold 1 of the traded stock and your original stock is still intact.
  5. Wait for the throttling to clear.
  6. Sell both stocks for infinite money!

🚩 csawctf{R_Yu0_7h3_w0lf_0f_w4ll_57r337}

Forensics

1black0white

Convert each number to its binary representation, padding with leading zeros so that each binary string is as long as the number of lines in the file (one number per row, and a QR code is square, so width equals height).

Render these rows as an image (1 for a black pixel, 0 for a white pixel). You end up with a QR code that decodes to the flag.

🚩 csawctf{1_d1dnt_kn0w_th1s_w0uld_w0rk}
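Added example (my own code, not the challenge's solver): turn the list of integers into a bit grid and write it as a plain PBM image, which any image viewer or QR decoder can open without extra libraries. The seven sample values are constructed to draw a QR finder pattern and are not taken from the challenge file.

```python
def rows_to_bits(values: list, width=None) -> list:
    """Each integer is one image row: its binary form, left-padded with zeros to
    `width` bits.  The default width is the number of rows, which gives the square
    grid a QR code needs.  1 = black, 0 = white."""
    if width is None:
        width = len(values)
    rows = []
    for v in values:
        bits = format(v, "b")
        if len(bits) > width:
            raise ValueError(f"{v} needs {len(bits)} bits but the width is {width}")
        rows.append([int(c) for c in bits.zfill(width)])
    return rows


def bits_to_pbm(rows: list) -> str:
    """Serialise the grid as a plain PBM (P1) image.  In PBM, 1 is black, which is
    the same convention as the challenge, so no inversion is needed."""
    height = len(rows)
    width = len(rows[0]) if rows else 0
    body = "\n".join(" ".join(str(b) for b in row) for row in rows)
    return f"P1\n{width} {height}\n{body}\n"


def bits_to_ascii(rows: list) -> str:
    """Quick terminal preview, two characters per pixel to keep it roughly square."""
    return "\n".join("".join("██" if b else "  " for b in row) for row in rows)


# Constructed sample (assumption, not the challenge data): seven numbers, so each row
# is seven bits; together they draw the 7x7 finder pattern found in every QR code.
SAMPLE_VALUES = [127, 65, 93, 93, 93, 65, 127]

if __name__ == "__main__":
    grid = rows_to_bits(SAMPLE_VALUES)
    print(bits_to_ascii(grid))
    with open("qr.pbm", "w") as f:
        f.write(bits_to_pbm(grid))
```

For the real file, read the numbers one per line, call rows_to_bits with no explicit width, and point a QR reader at the resulting .pbm; if the image is too small for the reader, scale it up with any image tool before decoding.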

Rev

Rebug 1

The loop counter grows with the length of the input string, and the flag is returned when the counter reaches 12. Submit a 12-character string.

🚩 csawctf{c20ad4d76fe97759aa27a0c99bff6710}

Rebug 2

Based on the Ghidra output, we see a hardcoded string being processed through local_28 and local_20. In the loop, every second character is sent through the printbinchar function, with the exception of the first one. Convert both variables to type char and you'll find these characters are being sent:

AY7Cw

printbinchar takes the character's 8-bit binary representation, splits it into its high and low nibbles, and XORs the two halves together, producing 4 bits per character:

A = XOR(0100, 0001) = 0101
Y = XOR(0101, 1001) = 1100
7 = XOR(0011, 0111) = 0100
C = XOR(0100, 0011) = 0111
w = XOR(0111, 0111) = 0000

You’ll have the output: 01011100010001110000

🚩 csawctf{01011100010001110000}
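Added example (my own reimplementation from the description above, not the binary's code): the nibble-XOR transform applied to the five characters, plus a preimage lookup that shows why the 4-bit output cannot be reversed to a unique input, which is why the flag is the output string itself.

```python
def printbinchar(c: str) -> str:
    """Mirror of the routine described above: take the 8-bit code of the character,
    split it into high and low nibbles, XOR them and return the 4-bit result."""
    code = ord(c)
    if code > 0xFF:
        raise ValueError("single-byte characters only")
    high, low = code >> 4, code & 0x0F
    return format(high ^ low, "04b")


def rebug2_output(chars: str) -> str:
    """Concatenate the 4-bit results for every character that reaches printbinchar."""
    return "".join(printbinchar(c) for c in chars)


def preimages(nibble: str) -> str:
    """All printable ASCII characters that map to the given 4-bit string.  Each nibble
    has 16 such characters, so the transform is lossy and cannot be inverted."""
    return "".join(chr(v) for v in range(0x20, 0x7F) if printbinchar(chr(v)) == nibble)


if __name__ == "__main__":
    for c in "AY7Cw":
        print(c, printbinchar(c))
    print(rebug2_output("AY7Cw"))
    print("characters mapping to 0101:", preimages("0101"))
```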

Impossibrawler!

  1. Decompile with gdre (Godot RE Tools)
  2. Open the project with Godot 3.5 (important!)
  3. Edit the Player script so it never takes damage, and the Enemy script so it calls its death handler on spawn (or on taking damage)
  4. Play and win!

🚩 csawctf{302e323032323732}

Shoutouts

These are the challenges I wasn't able to solve, but I thought they deserved a shout-out for being fun and unique!

  1. crypto | lottery: based on this video
  2. web | rainbow_notes: utilizing DOM clobbering to overwrite functions and mess up control flow