BuckeyeCTF 2024 Free C Compiler Online
Intro This post covers Free C Compiler Online from BuckeyeCTF 2024. The description of the challenge is as follows: It is free of charge, but is it free of bugs? No, it's not. Analyzing The Source Code The following is the source code of the application: from flask import ( Flask, json, jsonify, request, render_template, ) from pathlib import Path from uuid import uuid4, UUID import os from werkzeug.exceptions import NotFound, BadRequest, Forbidden import subprocess app = Flask(__name__) storage_path = Path(__file__)....
PatriotCTF 2024 Abnormal Maybe Illegal
Intro This post covers Abnormal Maybe Illegal from PatriotCTF 2024. The description of the challenge is: We have recently discovered tons of traffic leaving our network. We have reason to believe they are using an abnormal method. Can you figure out what data they are exfiltrating? Furthermore, two additional hints were released throughout the competition: TCP packets are constructed in a way where certain combinations are possible/(legal) and others should raise alerts/(illegal)...
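The hint above is about the TCP flags byte: some combinations occur in normal traffic, others never do and are the kind of thing a detector should flag. The following is an added example (not part of the write-up or the challenge files) that parses the flags byte from a raw TCP header and classifies the combination; the sample segments are constructed inline with struct.pack, and the rules encode the usual "illegal" combinations (null, SYN+FIN, SYN+RST, FIN or PSH/URG without ACK).

```python
"""Classify TCP flag combinations as legal or alert-worthy (added example)."""
import struct

# Flag bits of the TCP flags byte (byte 13 of the header), low bit first.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH",
              ACK: "ACK", URG: "URG", ECE: "ECE", CWR: "CWR"}


def build_segment(flags: int) -> bytes:
    """Constructed sample: a minimal 20-byte TCP header with the given flags.
    Ports, sequence numbers and checksum are dummy values."""
    data_offset = 5 << 4            # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       data_offset, flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def flag_names(flags: int) -> str:
    """Human-readable name such as 'SYN+ACK'; 'NULL' when no flag is set."""
    return "+".join(n for b, n in FLAG_NAMES.items() if flags & b) or "NULL"


def classify(flags: int) -> str:
    """Return 'legal' or the reason this combination should raise an alert."""
    if (flags & 0x3F) == 0:                 # ignore ECN bits for the null check
        return "null scan (no flags)"
    if flags & SYN and flags & FIN:
        return "SYN+FIN never occurs in a legitimate handshake"
    if flags & SYN and flags & RST:
        return "SYN+RST is contradictory"
    if flags & FIN and not flags & ACK:
        return "FIN without ACK (FIN/xmas scan pattern)"
    if flags & (PSH | URG) and not flags & ACK:
        return "PSH/URG without ACK"
    return "legal"


def audit(segments: list[bytes]) -> list[tuple[str, str]]:
    """Classify each raw segment; returns (flag names, verdict) pairs."""
    return [(flag_names(tcp_flags(s)), classify(tcp_flags(s))) for s in segments]


if __name__ == "__main__":
    sample = [build_segment(f) for f in (SYN, SYN | ACK, PSH | ACK,
                                         SYN | FIN, 0, FIN | PSH | URG)]
    for names, verdict in audit(sample):
        print(f"{names:<12} {verdict}")
```

In a real capture you would feed this the TCP payload of each IPv4/IPv6 packet; the classifier only looks at the flags byte, so it is deliberately blind to the other header fields the challenge might also abuse.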
CSAW CTF Qualification Round 2024 Literally 1984 & Mystery
Intro This post covers both Literally 1984 and Mystery as they're related to each other. The description of Literally 1984 is: An artist by the name of โ made a cover of a song I liked, but I don't remember the original composer of that song. Could you help me find the original composer? Flag Format: csawctf{Firstname_Lastname} (replace all spaces with _ ) and the description of Mystery is: Remember the composer from Literally 1984?...
CSAW CTF Qualification Round 2024 BucketWars
Intro For this challenge we're only given the link https://bucketwars.ctf.csaw.io and the description: let's keep our storage simple, and remember we don't make mistakes in these parts. Enumerating the Website Upon visiting the website, we notice the current version Version: 5.0.0 and the versions page. When we visit a page that doesn't exist, it tells us that the 404.jpg is missing from an S3 bucket https://s3.us-east-2.amazonaws.com/bucketwars.ctf.csaw.io. We try accessing index....
CSAW CTF Qualification Round 2024 Lost Pyramid
Initial Code Analysis First thing that catches our eye is the old version 2.3.0 of PyJWT used in the application. In order to access the flag, we need to view kings_lair.html which requires sending a JWT with specific CURRENT_DATE and ROLE. The scarab room seems vulnerable to SSTI via name POST param. app.route('/scarab_room', methods=['GET', 'POST']) def scarab_room(): try: if request.method == 'POST': name = request.form.get('name') if name: kings_safelist = ['{','}', '๐น', '๐ฃ','๐', '๐', '๐', '๐', '๐', '๐ ', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐', '๐ ', '๐ก', '๐ข', '๐ฃ', '๐ค', '๐ฅ', '๐ฆ', '๐ง', '๐จ', '๐ฉ', '๐ช', '๐ซ', '๐ฌ', '๐ญ', '๐ฎ', '๐ฏ', '๐ฐ', '๐ฑ', '๐ฒ', '๐ณ', '๐ด', '๐ต', '๐ถ', '๐ท', '๐ธ', '๐น', '๐บ', '๐ป'] name = ''....
CyberSpace CTF 2024 Notekeeper
Source Code Analysis The goal is to access the GET /flag endpoint which calls an executable that prints out the flag. It's guarded by 2 checks: if session[:user] == "admin" if req.ip == "127.0.0.1" There's also an interesting POST /download endpoint. It accepts any session but is also guarded by the if req.ip == "127.0.0.1" check. It serves a file based on filename from our request, which leads to LFI....
CyberSpace CTF 2024 Zip Zone
Initial Inspection After loading the page we're greeted with an upload form for zip archives. We're informed that after uploading we can access the files by appending a filename to a generated UUID. We inspect the code and learn that our uploaded archive will be unzipped using unzip. Zip With a Symlink We can use the zip command to create an archive that'll preserve symlinks by using the -y option....
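A symlink entry in a zip is just an ordinary entry whose body is the link target and whose Unix mode bits (stored in the high 16 bits of the external attributes) say S_IFLNK; that is what zip -y writes and what unzip recreates as a real symlink. The following is an added example (not from the write-up or the challenge) that builds such an archive with Python's zipfile so you can see the entry, and then shows the check an upload handler should run before extracting: refuse symlinks, absolute paths and upward traversal. The link target /etc/passwd and the file names are constructed for the demonstration.

```python
"""Create a zip with a symlink entry and detect unsafe entries (added example)."""
import io
import stat
import zipfile


def add_symlink(zf: zipfile.ZipFile, name: str, target: str) -> None:
    """Write a symlink entry the way `zip -y` does: the entry body is the
    link target and the mode in the high 16 bits of external_attr is S_IFLNK."""
    info = zipfile.ZipInfo(name)
    info.create_system = 3                      # 3 = Unix, so unzip honours the mode
    info.external_attr = (stat.S_IFLNK | 0o777) << 16
    zf.writestr(info, target)


def build_zip(files: dict[str, str], links: dict[str, str]) -> bytes:
    """Constructed sample archive: regular files first, then symlink entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
        for name, target in links.items():
            add_symlink(zf, name, target)
    return buf.getvalue()


def build_malicious_zip() -> bytes:
    """A harmless file plus a symlink that points outside the extraction dir."""
    return build_zip({"readme.txt": "harmless"},
                     {"flag.txt": "/etc/passwd"})   # hypothetical target


def find_unsafe_entries(data: bytes) -> list[str]:
    """Names of entries that must not be extracted: symlinks, absolute paths
    and paths containing '..' components. Run this before calling unzip."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16
            parts = info.filename.replace("\\", "/").split("/")
            if (stat.S_ISLNK(mode)
                    or info.filename.startswith("/")
                    or ".." in parts):
                unsafe.append(info.filename)
    return unsafe


if __name__ == "__main__":
    archive = build_malicious_zip()
    print("unsafe entries:", find_unsafe_entries(archive))
```

Checking the mode bits is what matters here: the filename of a symlink entry looks completely ordinary, so a name-only filter passes it, and once unzip has created the link, a later request for that filename reads whatever the link points at.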
CyberSpace CTF 2024 Feature Unlocked
Source Code Analysis The aim of the challenge is to call the POST /feature which contains a command injection vulnerability. As we can see, we need a valid signed access_token that contains the string access_granted. There's GET /release endpoint that'll do exactly that if we pass the validate_server(...) check. Interestingly, if we set a query param debug=true, we can control the validation server address. The validate_server(validation_server) method does the following:...
CyberSpace CTF 2024 Quiz
Source Code Analysis At first glance, I thought the intended vulnerability was a race condition. However, upon closer examination I noticed a suspicious unset($_SESSION['username']); in logout.php. The correct answer for each question is random, but it's generated in advance both at the beginning of the quiz and upon submitting an answer. The if (intval($answer) === $next_correct) {...} is the essential part of the challenge. Regardless if our answer is correct or wrong, it'll call htmlspecialchars($_SESSION['username']), which will throw an exception if username is unset in the session....
CrewCTF 2024 Malkonkordo
Source Code Analysis Upon inspecting the code, we find that there's /ai/run path that sounds like it could let us execute something. It's "guarded" by middleware that inspects whether host in the uri or the request header "host" starts with 127.0.01. Afterwards, the execution is passed to handle_cmd which can execute one of 6 commands. For us, the interesting ones are displaying env vars and running a .bat script with an argument passed by us....
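A prefix test on the Host header is a weak "is this request local" check: any value that merely begins with the expected string satisfies it, and the header is attacker-controlled. The following is an added example (not from the write-up or the challenge code) that puts the prefix check next to a strict version which parses the host part and requires a real loopback address. The prefix is a parameter because the write-up quotes it as 127.0.01; the sample Host values are constructed.

```python
"""Prefix-based vs. strict loopback check on a Host header (added example)."""
import ipaddress
from urllib.parse import urlsplit


def weak_is_local(host_header: str, prefix: str = "127.0.0.1") -> bool:
    """The shape of the middleware check described above: a plain string
    prefix test. Anything that starts with the prefix passes."""
    return host_header.startswith(prefix)


def strict_is_loopback(host_header: str) -> bool:
    """Split host from port (handles '[::1]:80'), then require that the host
    is an IP literal in a loopback range. Names are not resolved, so
    'localhost' is rejected rather than trusted."""
    hostname = urlsplit("//" + host_header).hostname
    if hostname is None:
        return False
    try:
        return ipaddress.ip_address(hostname).is_loopback
    except ValueError:                      # not an IP literal
        return False


def compare(host_header: str) -> tuple[bool, bool]:
    """(weak verdict, strict verdict) for one constructed Host value."""
    return weak_is_local(host_header), strict_is_loopback(host_header)


if __name__ == "__main__":
    for value in ("127.0.0.1", "127.0.0.1:8080", "[::1]:8080",
                  "127.0.0.1.attacker.example", "localhost"):
        print(f"{value:<28} weak={weak_is_local(value)} strict={strict_is_loopback(value)}")
```

Even the strict version only tells you what the client claimed in the Host header; if the real requirement is that the connection originates locally, check the peer address of the socket (or a trusted proxy header) rather than anything the client sends.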