Link: https://dctf.dragonsec.si/
CTFtime: https://ctftime.org/event/1569
Results
- Place: 7th
- CTF Points: 32000
I touched my keyfob for free bubblegum and they stole my flag :(

Files
keyfob.trace

What’s going on?
We have keyfob.trace, which is a log file. First, we saw an rfid challenge tag, and we understood what was going on: RFID (radio frequency identification) is a form of wireless communication that incorporates the use of electromagnetic or electrostatic coupling in the radio frequency portion of the electromagnetic spectrum to uniquely identify an object, animal or person. ...

The Bookstore.java challenge stated that:

Web developer left the company because he was not being paid. He left some hidden features for him, to bypass security. Can you find the vulnerability? http://book-store.dragonsec.si

And gave us a book_store.jar file.

The Log4Book
If we open the jar file with a decompiler (like JD-GUI) we can see that there is a vulnerability in the log analyzer.

    // Matches "get{...}salt=" followed by the value of the SALT env var
    Pattern pattern2 = Pattern.compile("get\\{.*\\}salt=" + System.getenv("SALT"));
    Matcher matcher2 = pattern2.matcher(mssg);
    String substring2 = null;
    if (matcher2.find()) {
        substring2 = matcher2.group();
    }
    if (substring2 != null) {
        // 123 is '{' and 125 is '}': the text between the braces is passed to downloadFile
        downloadFile(substring2.substring(substring2.indexOf(123) + 1, substring2.indexOf(125)));
    }

If the log string contains the template get{...}salt= followed by the value of the env var SALT, the program tries to send an HTTP request to the URL between {...} with the header Not-Found: and the env var NOT_FOUND as the value. ...

This is Codechain’s older brother, Codechainz

What’s going on?
This is what we get if we run the program:

    Hey, this is an epic memory saver. #saved
    Because of COVID-19 restrictions, we can only do memory saving of programming languages.
    We apologize for the inconvenience.
    Preparing the memory space...
    Memory space is ready for storing data.
    DISCLAIMER: All your memories will be saved at 0x7fd43dc5f000.
    Here are your options. Choose one:
    1 Make a new memory
    2 View a memory
    3 Delete a memory
    4 Exit
    >

Apparently it leaks an address and allows us to make, view and delete a memory (which should be saved at the aforementioned address). ...

Someone who doesn’t care about bandwidth usage decided to package both the server and client binaries in a single file… The server of course is meant to run on Linux, and the client on Windows.

We get a PowerShell file eulers_license.ps1 that contains:
- a binary_linux var containing the server code encoded in base64.
- a binary_win var containing the client code, also encoded in base64.

The Linux binary
The Linux binary is very easy to reverse. In fact, by decoding it we get a Python server which has a huge SQLi vuln: ...

The flag is in format dctf{7_4_2_3_7_4} where numbers represent number of characters between underscores. For clarification: you will get the whole flag as a result, including the dctf{} part.

Files
cfg.zip

What’s going on?
We have cfg.zip, which contains 2134 folders. An example of the structure is shown below:

[Image: example of the folder structure]

- Some folders contain only subfolders. Subfolder names are not random: each subfolder has the same name as a folder from the upper layer.
- Some folders contain only <letter>.txt files.
- Some folders contain both txt files and subfolders.

Among the challenge tags, we saw context-free-grammar. To make the solution easier to follow, we briefly introduce what a context-free grammar is. ...

In this challenge we were given a Python jail (with source code) where all __builtins__ were removed apart from print, exec, int, type, insert missing and the code was executed in an exec with a modified context. There was also a filter on ', ", + and all __xxx__ apart from __closure__, __code__, __doc__ and insert missing

To build the strings we needed, we abused already existing strings taken from the __doc__ of accessible builtins, such as int.to_bytes.__doc__. Since we did not have access to +, we cast ints to bytes and then called the decode() method in order to create strings. ...