Restructure writeups

alternate-navbar
Maik de Kruif 3 years ago
parent 9c2dd10082
commit a77980dafe
Signed by: maik
GPG Key ID: 44A55AD1F0673FA6
  1. 4
      config.toml
  2. 5
      content/writeups/adventofctf/2020/challenge_0.md
  3. 5
      content/writeups/adventofctf/2020/challenge_1.md
  4. 5
      content/writeups/adventofctf/2020/challenge_10.md
  5. 5
      content/writeups/adventofctf/2020/challenge_11.md
  6. 5
      content/writeups/adventofctf/2020/challenge_12.md
  7. 5
      content/writeups/adventofctf/2020/challenge_13.md
  8. 5
      content/writeups/adventofctf/2020/challenge_14.md
  9. 7
      content/writeups/adventofctf/2020/challenge_15.md
  10. 7
      content/writeups/adventofctf/2020/challenge_16.md
  11. 13
      content/writeups/adventofctf/2020/challenge_17.md
  12. 5
      content/writeups/adventofctf/2020/challenge_18.md
  13. 7
      content/writeups/adventofctf/2020/challenge_19.md
  14. 5
      content/writeups/adventofctf/2020/challenge_2.md
  15. 5
      content/writeups/adventofctf/2020/challenge_20.md
  16. 5
      content/writeups/adventofctf/2020/challenge_21.md
  17. 5
      content/writeups/adventofctf/2020/challenge_22.md
  18. 9
      content/writeups/adventofctf/2020/challenge_23.md
  19. 5
      content/writeups/adventofctf/2020/challenge_24.md
  20. 5
      content/writeups/adventofctf/2020/challenge_3.md
  21. 5
      content/writeups/adventofctf/2020/challenge_4.md
  22. 5
      content/writeups/adventofctf/2020/challenge_5.md
  23. 5
      content/writeups/adventofctf/2020/challenge_6.md
  24. 5
      content/writeups/adventofctf/2020/challenge_7.md
  25. 5
      content/writeups/adventofctf/2020/challenge_8.md
  26. 5
      content/writeups/adventofctf/2020/challenge_9.md
  27. 3
      content/writeups/adventofctf/2020/intro.md
  28. 4
      content/writeups/google-ctf/2021/beginners-quest/1.md
  29. 0
      static/img/writeups/adventofctf/2020/080b5d5fcaf13167d2e7e8871fdc8ded.png
  30. 0
      static/img/writeups/adventofctf/2020/16/ssti_graph.png
  31. 0
      static/img/writeups/adventofctf/2020/23/breakpoint.png
  32. 0
      static/img/writeups/adventofctf/2020/23/websocket.png
  33. 0
      static/img/writeups/adventofctf/2020/246397ca184f8b03ac8fecf50ee1051e.png
  34. 0
      static/img/writeups/adventofctf/2020/24e9ce8f146f70b4189f1d2532a75208.png
  35. 0
      static/img/writeups/adventofctf/2020/3542630bd0bb5141d94e4b40930bd69d.png
  36. 0
      static/img/writeups/adventofctf/2020/3f12301d8715a1371d2d776d25ea6ab6.png
  37. 0
      static/img/writeups/adventofctf/2020/497784f7a3314f8aa5b8464432e30bbe.png
  38. 0
      static/img/writeups/adventofctf/2020/4f5cc0afbb9e7ec6a57cdd68a92b9213.png
  39. 0
      static/img/writeups/adventofctf/2020/6c0810c1568645bcf58da67a1db6e3e7.png
  40. 0
      static/img/writeups/adventofctf/2020/8717d728f2de96beb8123c0cca28a728.png
  41. 0
      static/img/writeups/adventofctf/2020/948b1eb046c96865a05808660ee99e10.png
  42. 0
      static/img/writeups/adventofctf/2020/973ded4b2381c28af6c24d3d670303c6.png
  43. 0
      static/img/writeups/adventofctf/2020/9c6afd807a15973b962cf3aee3dbe836.png
  44. 0
      static/img/writeups/adventofctf/2020/9fac6046540f4972c60f458b94aacb1d.png
  45. 0
      static/img/writeups/adventofctf/2020/a4afd1fffb0b662d849a6907767f0625.png
  46. 0
      static/img/writeups/adventofctf/2020/advent_of_ctf_coming_soon.png
  47. 0
      static/img/writeups/adventofctf/2020/af3424cd215a6459494ae07eab33cb35.png
  48. 0
      static/img/writeups/adventofctf/2020/b915cb528c4b3d6fc4644f73ba8b829d.png
  49. 0
      static/img/writeups/adventofctf/2020/ba15475608ea3f8313825eec5dceac06.png
  50. 0
      static/img/writeups/adventofctf/2020/be40bcd25e7487440a64b13cd32049b2.png
  51. 0
      static/img/writeups/adventofctf/2020/c1f93b6ee2e1cd25ea02f9a78c364b12.png
  52. 0
      static/img/writeups/adventofctf/2020/c366d63edd4a35c9f8bea89e57401fef.png
  53. 0
      static/img/writeups/adventofctf/2020/d80f13d1ab714f7864c2a9ef56c5f767.png
  54. 0
      static/img/writeups/adventofctf/2020/da781419d6bf02d0a580e48414b9cbde.png
  55. 0
      static/img/writeups/adventofctf/2020/dd04640480d764ab09eea047cde749cd.png
  56. 0
      static/img/writeups/adventofctf/2020/f1d6ca5572e0c012239bcf4a8f797be1.png
  57. 0
      static/img/writeups/adventofctf/2020/f90b2bf3f08ee628c09505ff309018ed.png
  58. 0
      static/img/writeups/google-ctf/2021/beginners-quest/1/cctv.png
  59. 0
      static/img/writeups/google-ctf/2021/beginners-quest/1/cover.png
  60. 36
      themes/maik-blog/layouts/writeups/rss.xml
  61. 166
      themes/maik-blog/layouts/writeups/single.html

@ -192,3 +192,7 @@ googleAnalytics = "UA-136337666-1"
identifier = "posts" identifier = "posts"
name = "Posts" name = "Posts"
url = "posts/" url = "posts/"
[[menu.main]]
identifier = "writeups"
name = "Writeups"
url = "writeups/"

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 0 - AdventOfCTF" title = "Challenge 0"
subtitle = "Challenge 0 - AdventOfCTF"
date = 2020-12-02T17:20:28+01:00 date = 2020-12-02T17:20:28+01:00
description = "A writeup for challenge 0 of AdventOfCTF." description = "A writeup for challenge 0 of AdventOfCTF."
cover = "img/adventofctf/2020/f90b2bf3f08ee628c09505ff309018ed.png" cover = "img/writeups/adventofctf/2020/f90b2bf3f08ee628c09505ff309018ed.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 1 - AdventOfCTF" title = "Challenge 1"
subtitle = "Challenge 1 - AdventOfCTF"
date = 2020-12-02T17:27:25+01:00 date = 2020-12-02T17:27:25+01:00
description = "A writeup for challenge 1 of AdventOfCTF." description = "A writeup for challenge 1 of AdventOfCTF."
cover = "img/adventofctf/2020/3f12301d8715a1371d2d776d25ea6ab6.png" cover = "img/writeups/adventofctf/2020/3f12301d8715a1371d2d776d25ea6ab6.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 10 - AdventOfCTF" title = "Challenge 10"
subtitle = "Challenge 10 - AdventOfCTF"
date = 2020-12-11T22:12:42+01:00 date = 2020-12-11T22:12:42+01:00
description = "A writeup for challenge 10 of AdventOfCTF." description = "A writeup for challenge 10 of AdventOfCTF."
cover = "img/adventofctf/2020/ba15475608ea3f8313825eec5dceac06.png" cover = "img/writeups/adventofctf/2020/ba15475608ea3f8313825eec5dceac06.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 11 - AdventOfCTF" title = "Challenge 11"
subtitle = "Challenge 11 - AdventOfCTF"
date = 2020-12-11T23:45:32+01:00 date = 2020-12-11T23:45:32+01:00
description = "A writeup for challenge 11 of AdventOfCTF." description = "A writeup for challenge 11 of AdventOfCTF."
cover = "img/adventofctf/2020/3542630bd0bb5141d94e4b40930bd69d.png" cover = "img/writeups/adventofctf/2020/3542630bd0bb5141d94e4b40930bd69d.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 12 - AdventOfCTF" title = "Challenge 12"
subtitle = "Challenge 12 - AdventOfCTF"
date = 2020-12-14T15:55:21+01:00 date = 2020-12-14T15:55:21+01:00
description = "A writeup for challenge 12 of AdventOfCTF." description = "A writeup for challenge 12 of AdventOfCTF."
cover = "img/adventofctf/2020/af3424cd215a6459494ae07eab33cb35.png" cover = "img/writeups/adventofctf/2020/af3424cd215a6459494ae07eab33cb35.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 13 - AdventOfCTF" title = "Challenge 13"
subtitle = "Challenge 13 - AdventOfCTF"
date = 2020-12-14T18:48:28+01:00 date = 2020-12-14T18:48:28+01:00
description = "A writeup for challenge 13 of AdventOfCTF." description = "A writeup for challenge 13 of AdventOfCTF."
cover = "img/adventofctf/2020/24e9ce8f146f70b4189f1d2532a75208.png" cover = "img/writeups/adventofctf/2020/24e9ce8f146f70b4189f1d2532a75208.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 14 - AdventOfCTF" title = "Challenge 14"
subtitle = "Challenge 14 - AdventOfCTF"
date = 2020-12-14T19:45:51+01:00 date = 2020-12-14T19:45:51+01:00
description = "A writeup for challenge 14 of AdventOfCTF." description = "A writeup for challenge 14 of AdventOfCTF."
cover = "img/adventofctf/2020/dd04640480d764ab09eea047cde749cd.png" cover = "img/writeups/adventofctf/2020/dd04640480d764ab09eea047cde749cd.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 15 - AdventOfCTF" title = "Challenge 15"
subtitle = "Challenge 15 - AdventOfCTF"
date = 2020-12-31T22:34:24+01:00 date = 2020-12-31T22:34:24+01:00
description = "A writeup for challenge 15 of AdventOfCTF." description = "A writeup for challenge 15 of AdventOfCTF."
cover = "img/adventofctf/2020/9c6afd807a15973b962cf3aee3dbe836.png" cover = "img/writeups/adventofctf/2020/9c6afd807a15973b962cf3aee3dbe836.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",
@ -58,7 +59,7 @@ Besides this code, we also get an input field for the contents of the `flag` par
When scanning this code, we see that `$flag` is compared to our input. It firstly does a `strcmp`, and, if it is not `0`, it checks if the `sha1` hashes of both variables are equal. When scanning this code, we see that `$flag` is compared to our input. It firstly does a `strcmp`, and, if it is not `0`, it checks if the `sha1` hashes of both variables are equal.
The thing with PHP and `strcmp` is that PHP will do some type juggling before checking the values. You can read more about PHP type juggling in the [writeup of yesterday's challenge]({{% ref "posts/adventofctf/2020/challenge_14.md" %}}#type-juggling). The thing with PHP and `strcmp` is that PHP will do some type juggling before checking the values. You can read more about PHP type juggling in the [writeup of yesterday's challenge]({{% ref "writeups/adventofctf/2020/challenge_14.md" %}}#type-juggling).
## Exploit ## Exploit

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 16 - AdventOfCTF" title = "Challenge 16"
subtitle = "Challenge 16 - AdventOfCTF"
date = 2021-01-01T01:44:45+01:00 date = 2021-01-01T01:44:45+01:00
description = "A writeup for challenge 16 of AdventOfCTF." description = "A writeup for challenge 16 of AdventOfCTF."
cover = "img/adventofctf/2020/246397ca184f8b03ac8fecf50ee1051e.png" cover = "img/writeups/adventofctf/2020/246397ca184f8b03ac8fecf50ee1051e.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",
@ -56,7 +57,7 @@ SSTI occurs when an attacker is able to use native template syntax to inject a m
An easy way to check for SSTI is by using the following graph from PortSwigger: An easy way to check for SSTI is by using the following graph from PortSwigger:
{{< figure src="/img/adventofctf/2020/16/ssti_graph.png" title="SSTI Graph (by PortSwigger)" >}} {{< figure src="/img/writeups/adventofctf/2020/16/ssti_graph.png" title="SSTI Graph (by PortSwigger)" >}}
So I followed this graph and got the following results: So I followed this graph and got the following results:

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 17 - AdventOfCTF" title = "Challenge 17"
subtitle = "Challenge 17 - AdventOfCTF"
date = 2021-01-06T22:51:23+01:00 date = 2021-01-06T22:51:23+01:00
description = "A writeup for challenge 17 of AdventOfCTF." description = "A writeup for challenge 17 of AdventOfCTF."
cover = "img/adventofctf/2020/8717d728f2de96beb8123c0cca28a728.png" cover = "img/writeups/adventofctf/2020/8717d728f2de96beb8123c0cca28a728.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",
@ -48,13 +49,13 @@ function send() {
## Finding the vulnerability ## Finding the vulnerability
The description makes a reference to [yesterday's challenge]({{% ref "posts/adventofctf/2020/challenge_16.md" %}}) so we probably have to use the same concept. The description makes a reference to [yesterday's challenge]({{% ref "writeups/adventofctf/2020/challenge_16.md" %}}) so we probably have to use the same concept.
Let's verify it by trying the following input: `{{7*7}}`. It returned `49` so we can continue with the next step. Let's verify it by trying the following input: `{{7*7}}`. It returned `49` so we can continue with the next step.
## Exploit ## Exploit
Just like [yesterday's challenge]({{% ref "posts/adventofctf/2020/challenge_16.md" %}}), we start by trying to get the config like so: `{{config.items()}}`. Sadly, we get an error message: "You entered an emoji that is on my deny list". Just like [yesterday's challenge]({{% ref "writeups/adventofctf/2020/challenge_16.md" %}}), we start by trying to get the config like so: `{{config.items()}}`. Sadly, we get an error message: "You entered an emoji that is on my deny list".
### Blacklist ### Blacklist
@ -134,7 +135,7 @@ Here we find an encrypted flag again: `'flag': "C\x1eS\x1dwsef}j\x057i\x7fo{D)'d
## Decrypting the flag ## Decrypting the flag
Just like [yesterday's challenge]({{% ref "posts/adventofctf/2020/challenge_16.md" %}}), the flag is encrypted and we probably have to get the source again to get the key used to encrypt the flag. To get the source we first need arbitrary code execution. Just like [yesterday's challenge]({{% ref "writeups/adventofctf/2020/challenge_16.md" %}}), the flag is encrypted and we probably have to get the source again to get the key used to encrypt the flag. To get the source we first need arbitrary code execution.
### Arbitrary Code Execution (ACE) ### Arbitrary Code Execution (ACE)
@ -732,7 +733,7 @@ if __name__ == '__main__':
## Magic function ## Magic function
Just like [yesterday]({{% ref "posts/adventofctf/2020/challenge_16.md" %}}), we find a magic function. It looks like it's the same just with a different key so let's decrypt it using the new key (`46e505c983433b7c8eefb953d3ffcd196a08bbf9`): Just like [yesterday]({{% ref "writeups/adventofctf/2020/challenge_16.md" %}}), we find a magic function. It looks like it's the same just with a different key so let's decrypt it using the new key (`46e505c983433b7c8eefb953d3ffcd196a08bbf9`):
```text ```text
Python 3.6.9 (default, Nov 7 2019, 10:44:02) Python 3.6.9 (default, Nov 7 2019, 10:44:02)

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 18 - AdventOfCTF" title = "Challenge 18"
subtitle = "Challenge 18 - AdventOfCTF"
date = 2021-01-06T23:04:52+01:00 date = 2021-01-06T23:04:52+01:00
description = "A writeup for challenge 18 of AdventOfCTF." description = "A writeup for challenge 18 of AdventOfCTF."
cover = "img/adventofctf/2020/be40bcd25e7487440a64b13cd32049b2.png" cover = "img/writeups/adventofctf/2020/be40bcd25e7487440a64b13cd32049b2.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 19 - AdventOfCTF" title = "Challenge 19"
subtitle = "Challenge 19 - AdventOfCTF"
date = 2021-02-25T23:18:28+01:00 date = 2021-02-25T23:18:28+01:00
description = "A writeup for challenge 19 of AdventOfCTF." description = "A writeup for challenge 19 of AdventOfCTF."
cover = "img/adventofctf/2020/d80f13d1ab714f7864c2a9ef56c5f767.png" cover = "img/writeups/adventofctf/2020/d80f13d1ab714f7864c2a9ef56c5f767.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",
@ -58,7 +59,7 @@ function send() {
As the description tells us it's a calculator, let's try entering `3+4` in the input field. It will make a `POST` request to `/calc`, which will return `7`. As the description tells us it's a calculator, let's try entering `3+4` in the input field. It will make a `POST` request to `/calc`, which will return `7`.
The description also states it was possible to enter javascript code, which we saw in the [previous challenge]({{% ref "posts/adventofctf/2020/challenge_18.md" %}}), but that it has been fixed now. The description also states it was possible to enter javascript code, which we saw in the [previous challenge]({{% ref "writeups/adventofctf/2020/challenge_18.md" %}}), but that it has been fixed now.
## Finding the vulnerability ## Finding the vulnerability

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 2 - AdventOfCTF" title = "Challenge 2"
subtitle = "Challenge 2 - AdventOfCTF"
date = 2020-12-02T17:30:25+01:00 date = 2020-12-02T17:30:25+01:00
description = "A writeup for challenge 2 of AdventOfCTF." description = "A writeup for challenge 2 of AdventOfCTF."
cover = "img/adventofctf/2020/948b1eb046c96865a05808660ee99e10.png" cover = "img/writeups/adventofctf/2020/948b1eb046c96865a05808660ee99e10.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 20 - AdventOfCTF" title = "Challenge 20"
subtitle = "Challenge 20 - AdventOfCTF"
date = 2021-02-26T00:11:35+01:00 date = 2021-02-26T00:11:35+01:00
description = "A writeup for challenge 20 of AdventOfCTF." description = "A writeup for challenge 20 of AdventOfCTF."
cover = "img/adventofctf/2020/c1f93b6ee2e1cd25ea02f9a78c364b12.png" cover = "img/writeups/adventofctf/2020/c1f93b6ee2e1cd25ea02f9a78c364b12.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 21 - AdventOfCTF" title = "Challenge 21"
subtitle = "Challenge 21 - AdventOfCTF"
date = 2021-02-26T11:45:53+01:00 date = 2021-02-26T11:45:53+01:00
description = "A writeup for challenge 21 of AdventOfCTF." description = "A writeup for challenge 21 of AdventOfCTF."
cover = "img/adventofctf/2020/a4afd1fffb0b662d849a6907767f0625.png" cover = "img/writeups/adventofctf/2020/a4afd1fffb0b662d849a6907767f0625.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 22 - AdventOfCTF" title = "Challenge 22"
subtitle = "Challenge 22 - AdventOfCTF"
date = 2021-03-04T01:24:34+01:00 date = 2021-03-04T01:24:34+01:00
description = "A writeup for challenge 22 of AdventOfCTF." description = "A writeup for challenge 22 of AdventOfCTF."
cover = "img/adventofctf/2020/6c0810c1568645bcf58da67a1db6e3e7.png" cover = "img/writeups/adventofctf/2020/6c0810c1568645bcf58da67a1db6e3e7.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 23 - AdventOfCTF" title = "Challenge 23"
subtitle = "Challenge 23 - AdventOfCTF"
date = 2021-03-16T20:52:38+01:00 date = 2021-03-16T20:52:38+01:00
description = "A writeup for challenge 23 of AdventOfCTF." description = "A writeup for challenge 23 of AdventOfCTF."
cover = "img/adventofctf/2020/497784f7a3314f8aa5b8464432e30bbe.png" cover = "img/writeups/adventofctf/2020/497784f7a3314f8aa5b8464432e30bbe.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",
@ -58,7 +59,7 @@ $(function () {
From the JavaScript code we can see that the chat uses WebSockets. To take a deeper look at it, let's switch over to the network tab in Chrome and click on the request with the type "websocket". From the JavaScript code we can see that the chat uses WebSockets. To take a deeper look at it, let's switch over to the network tab in Chrome and click on the request with the type "websocket".
{{< figure src="/img/adventofctf/2020/23/websocket.png" title="Websocket in Chrome DevTools" >}} {{< figure src="/img/writeups/adventofctf/2020/23/websocket.png" title="Websocket in Chrome DevTools" >}}
If we click on it, a tab with the messages sent on the websocket will open. We can see some numbers here, these are just heartbeat packets to keep the connection alive. Now, let's send a new message and have a look at what it actually sends/receives. If we click on it, a tab with the messages sent on the websocket will open. We can see some numbers here, these are just heartbeat packets to keep the connection alive. Now, let's send a new message and have a look at what it actually sends/receives.
@ -75,7 +76,7 @@ We can see the message contains two parts; the event name and the message itself
In Chrome (to my knowledge) we can't easily send a message on a websocket. We could use Burp Suit to do it but for this writeup I'll stick with Chrome. To send a message on the websocket, we need the `socket` variable from the javascript code. To get it, go to the `Sources` tab and click on `(index)`. Now click on line number 28 to add a breakpoint there. We choose this place as it will trigger a breakpoint just before a message gets sent and we thus have access to the socket variable. In Chrome (to my knowledge) we can't easily send a message on a websocket. We could use Burp Suit to do it but for this writeup I'll stick with Chrome. To send a message on the websocket, we need the `socket` variable from the javascript code. To get it, go to the `Sources` tab and click on `(index)`. Now click on line number 28 to add a breakpoint there. We choose this place as it will trigger a breakpoint just before a message gets sent and we thus have access to the socket variable.
{{< figure src="/img/adventofctf/2020/23/breakpoint.png" title="Javascipt breakpoint in Chrome" >}} {{< figure src="/img/writeups/adventofctf/2020/23/breakpoint.png" title="Javascipt breakpoint in Chrome" >}}
Now if we try to send a message, chrome will pause the page. The console will now also have the scope of the piece of code at the breakpoint. This means that if we enter `socket` in the console, will get the socket object back: Now if we try to send a message, chrome will pause the page. The console will now also have the scope of the piece of code at the breakpoint. This means that if we enter `socket` in the console, will get the socket object back:

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 24 - AdventOfCTF" title = "Challenge 24"
subtitle = "Challenge 24 - AdventOfCTF"
date = 2021-09-22T12:12:12+01:00 date = 2021-09-22T12:12:12+01:00
description = "A writeup for challenge 24 of AdventOfCTF." description = "A writeup for challenge 24 of AdventOfCTF."
cover = "img/adventofctf/2020/b915cb528c4b3d6fc4644f73ba8b829d.png" cover = "img/writeups/adventofctf/2020/b915cb528c4b3d6fc4644f73ba8b829d.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 3 - AdventOfCTF" title = "Challenge 3"
subtitle = "Challenge 3 - AdventOfCTF"
date = 2020-12-03T09:29:12+01:00 date = 2020-12-03T09:29:12+01:00
description = "A writeup for challenge 3 of AdventOfCTF." description = "A writeup for challenge 3 of AdventOfCTF."
cover = "img/adventofctf/2020/4f5cc0afbb9e7ec6a57cdd68a92b9213.png" cover = "img/writeups/adventofctf/2020/4f5cc0afbb9e7ec6a57cdd68a92b9213.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 4 - AdventOfCTF" title = "Challenge 4"
subtitle = "Challenge 4 - AdventOfCTF"
date = 2020-12-04T09:58:46+01:00 date = 2020-12-04T09:58:46+01:00
description = "A writeup for challenge 4 of AdventOfCTF." description = "A writeup for challenge 4 of AdventOfCTF."
cover = "img/adventofctf/2020/f1d6ca5572e0c012239bcf4a8f797be1.png" cover = "img/writeups/adventofctf/2020/f1d6ca5572e0c012239bcf4a8f797be1.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 5 - AdventOfCTF" title = "Challenge 5"
subtitle = "Challenge 5 - AdventOfCTF"
date = 2020-12-05T08:57:31+01:00 date = 2020-12-05T08:57:31+01:00
description = "A writeup for challenge 5 of AdventOfCTF." description = "A writeup for challenge 5 of AdventOfCTF."
cover = "img/adventofctf/2020/080b5d5fcaf13167d2e7e8871fdc8ded.png" cover = "img/writeups/adventofctf/2020/080b5d5fcaf13167d2e7e8871fdc8ded.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 6 - AdventOfCTF" title = "Challenge 6"
subtitle = "Challenge 6 - AdventOfCTF"
date = 2020-12-06T15:24:45+01:00 date = 2020-12-06T15:24:45+01:00
description = "A writeup for challenge 6 of AdventOfCTF." description = "A writeup for challenge 6 of AdventOfCTF."
cover = "img/adventofctf/2020/c366d63edd4a35c9f8bea89e57401fef.png" cover = "img/writeups/adventofctf/2020/c366d63edd4a35c9f8bea89e57401fef.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 7 - AdventOfCTF" title = "Challenge 7"
subtitle = "Challenge 7 - AdventOfCTF"
date = 2020-12-07T16:43:23+01:00 date = 2020-12-07T16:43:23+01:00
description = "A writeup for challenge 7 of AdventOfCTF." description = "A writeup for challenge 7 of AdventOfCTF."
cover = "img/adventofctf/2020/9fac6046540f4972c60f458b94aacb1d.png" cover = "img/writeups/adventofctf/2020/9fac6046540f4972c60f458b94aacb1d.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 8 - AdventOfCTF" title = "Challenge 8"
subtitle = "Challenge 8 - AdventOfCTF"
date = 2020-12-08T09:34:24+01:00 date = 2020-12-08T09:34:24+01:00
description = "A writeup for challenge 8 of AdventOfCTF." description = "A writeup for challenge 8 of AdventOfCTF."
cover = "img/adventofctf/2020/da781419d6bf02d0a580e48414b9cbde.png" cover = "img/writeups/adventofctf/2020/da781419d6bf02d0a580e48414b9cbde.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Challenge 9 - AdventOfCTF" title = "Challenge 9"
subtitle = "Challenge 9 - AdventOfCTF"
date = 2020-12-11T21:24:52+01:00 date = 2020-12-11T21:24:52+01:00
description = "A writeup for challenge 9 of AdventOfCTF." description = "A writeup for challenge 9 of AdventOfCTF."
cover = "img/adventofctf/2020/973ded4b2381c28af6c24d3d670303c6.png" cover = "img/writeups/adventofctf/2020/973ded4b2381c28af6c24d3d670303c6.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -1,9 +1,10 @@
+++ +++
author = "Maik de Kruif" author = "Maik de Kruif"
title = "Intro to AdventOfCTF" title = "Intro to AdventOfCTF"
subtitle = "AdventOfCTF"
date = 2020-12-02T17:10:12+01:00 date = 2020-12-02T17:10:12+01:00
description = "Challenge 0 of AdventOfCTF." description = "Challenge 0 of AdventOfCTF."
cover = "img/adventofctf/2020/advent_of_ctf_coming_soon.png" cover = "img/writeups/adventofctf/2020/advent_of_ctf_coming_soon.png"
tags = [ tags = [
"AdventOfCTF", "AdventOfCTF",
"challenge", "challenge",

@ -4,7 +4,7 @@ title = "Novosibirsk Chemical plant"
subtitle = "Beginners Quest 1 - Google CTF" subtitle = "Beginners Quest 1 - Google CTF"
date = 2021-09-22T14:26:25+01:00 date = 2021-09-22T14:26:25+01:00
description = "A writeup for challenge 1 of the beginners quests of the Google CTF." description = "A writeup for challenge 1 of the beginners quests of the Google CTF."
cover = "img/google-ctf/2021/beginners-quest/1/cover.png" cover = "img/writeups/google-ctf/2021/beginners-quest/1/cover.png"
tags = [ tags = [
"Google CTF", "Google CTF",
"Beginners Quest", "Beginners Quest",
@ -96,6 +96,6 @@ This prints the following result: `GoodPassword`.
If we enter the password (`GoodPassword`), we get redirected to this page: If we enter the password (`GoodPassword`), we get redirected to this page:
{{< figure src="/img/google-ctf/2021/beginners-quest/1/cctv.png" title="CCTV" >}} {{< figure src="/img/writeups/google-ctf/2021/beginners-quest/1/cctv.png" title="CCTV" >}}
Here we can find the flag in the bottom left. Here we can find the flag in the bottom left.


@ -0,0 +1,36 @@
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" version="2.0">
<channel>
<title>XXX {{ if eq .Title .Site.Title }}{{ .Site.Title }}{{ else }}{{ with .Title }}{{.}} on {{ end }}{{ .Site.Title }}{{ end }}</title>
<link>{{ .Permalink }}</link>
<description>Recent content {{ if ne .Title .Site.Title }}{{ with .Title }}in {{.}} {{ end }}{{ end }}on {{ .Site.Title }}</description>
{{- with .Site.LanguageCode }}
<language>{{.}}</language>
{{- end }}
{{- with .Site.Author.email }}
<managingEditor>{{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}</managingEditor>
{{- end }}
{{- with .Site.Author.email }}
<webMaster>{{.}}{{ with $.Site.Author.name }} ({{.}}){{end}}</webMaster>
{{- end }}
{{- with .Site.Copyright }}
<copyright>{{.}}</copyright>
{{- end }}
{{- if not .Date.IsZero }}
<lastBuildDate>{{ .Date.Format "Mon, 02 Jan 2006 15:04:05 -0700" | safeHTML }}</lastBuildDate>
{{- end }}
{{- with .OutputFormats.Get "RSS" -}}
{{ printf "<atom:link href=%q rel=\"self\" type=%q />" .Permalink .MediaType | safeHTML }}
{{- end }}
{{ range .Pages }}
<item>
<title>{{ .Title }}</title>
<link>{{ .Permalink }}</link>
<pubDate>{{ .Date.Format "Mon, 02 Jan 2006 15:04:05 -0700" | safeHTML }}</pubDate>
<author>{{ .Params.author }}</author>
<guid isPermaLink="true">{{ .Permalink }}</guid>
<description>{{ printf `<![CDATA[%s]]>` .Params.description | safeHTML }}</description>
<content:encoded type="html">{{ printf `<![CDATA[%s]]>` .Content | safeHTML }}</content:encoded>
</item>
{{ end }}
</channel>
</rss>
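Review bot: In each `<item>`, `<description>` and `<content:encoded>` are built with `printf` into a CDATA wrapper and piped through `safeHTML`, so nothing is escaped, and a `]]>` sequence in a front-matter description or in rendered content (for instance from raw HTML or a shortcode) would close the CDATA section early and leave the feed malformed. Escaping the values instead of wrapping them avoids that, e.g. `<description>{{ .Params.description | html }}</description>` and `<content:encoded>{{ .Content | html }}</content:encoded>`. A page with no `description` parameter would presumably also emit `%!s(<nil>)` through the `printf`, which a `with .Params.description` guard would prevent. Separately, the channel `<title>` starts with a literal `XXX`, which looks like a leftover marker and would appear in every feed reader.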

@ -0,0 +1,166 @@
{{ define "main" }}
<main class="post">
<div class="post-info">
<p>
<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"
class="feather feather-clock">
<circle cx="12" cy="12" r="10"></circle>
<polyline points="12 6 12 12 16 14"></polyline>
</svg>
{{ i18n "readingTime" .Page.ReadingTime }}
{{- if .IsTranslated }} | {{ i18n "postAvailable" }}
{{- range .Translations }}
<a href="{{ .Permalink }}"><span
class="flag flag-icon flag-icon-{{ index $.Site.Data.langFlags (.Lang) }} flag-icon-squared"></span></a>
{{- end}}
{{- end }}
</p>
</div>
<article>
<h1 class="post-title">
<a href="{{ .Permalink }}">{{ .Title | markdownify }}</a>
</h1>
{{- with .Params.Subtitle }}
<p class="post-subtitle">{{ . | markdownify }}</p>
{{- end }}
{{- if .Params.toc }}
<hr />
<aside id="toc">
<div class="toc-title">{{ i18n "tableOfContents" }}</div>
{{ .TableOfContents }}
</aside>
<hr />
{{- end }}
{{- if .Params.Cover }}
{{ $img := imageConfig (printf "static/%s" .Params.Cover) }}
<img src="/{{ .Params.Cover }}" class="post-cover" alt="{{ .Title | plainify | default " " }}"
width="{{ $img.Width }}" height="{{ $img.Height }}" />
{{- end }}
<div class="post-content">
{{ .Content }}
</div>
</article>
<hr />
<div class="post-info">
{{- with .Params.tags }}
<p>
<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"
class="feather feather-tag meta-icon">
<path d="M20.59 13.41l-7.17 7.17a2 2 0 0 1-2.83 0L2 12V2h10l8.59 8.59a2 2 0 0 1 0 2.82z"></path>
<line x1="7" y1="7" x2="7" y2="7"></line>
</svg>
{{- range . -}}
<span class="tag"><a href="{{ "tags/" | absLangURL }}{{ . | urlize }}/">{{.}}</a></span>
{{- end }}
</p>
{{- end }}
<p>
<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"
class="feather feather-file-text">
<path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"></path>
<polyline points="14 2 14 8 20 8"></polyline>
<line x1="16" y1="13" x2="8" y2="13"></line>
<line x1="16" y1="17" x2="8" y2="17"></line>
<polyline points="10 9 9 9 8 9"></polyline>
</svg>
{{ i18n "wordCount" .Page.WordCount }}
</p>
<p>
<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"
class="feather feather-calendar">
<rect x="3" y="4" width="18" height="18" rx="2" ry="2"></rect>
<line x1="16" y1="2" x2="16" y2="6"></line>
<line x1="8" y1="2" x2="8" y2="6"></line>
<line x1="3" y1="10" x2="21" y2="10"></line>
</svg>
{{- if .Site.Params.dateformNumTime }}
{{ dateFormat .Site.Params.dateformNumTime .Date.Local }}
{{- else }}
{{ dateFormat "2006-01-02 15:04 -0700" .Date.Local }}
{{- end }}
</p>
{{- if .GitInfo }}
<p>
<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"
class="feather feather-git-commit">
<circle cx="12" cy="12" r="4"></circle>
<line x1="1.05" y1="12" x2="7" y2="12"></line>
<line x1="17.01" y1="12" x2="22.96" y2="12"></line>
</svg>
<a href="{{ .Site.Params.gitUrl -}}{{ .GitInfo.Hash }}" target="_blank"
rel="noopener">{{ .GitInfo.AbbreviatedHash }}</a>
{{- " @ " -}}
{{- if .Site.Params.dateformNum -}}
{{ dateFormat .Site.Params.dateformNum .GitInfo.AuthorDate.Local }}
{{- else -}}
{{ dateFormat "2006-01-02" .GitInfo.AuthorDate.Local }}
{{- end }}
</p>
{{- end }}
</div>
{{- if .Site.Params.EnableSharingButtons }}
<hr />
<div class="sharing-buttons">
{{ partial "sharing-buttons.html" . }}
</div>
{{- end }}
{{- if and (not $.Site.Params.DisableReadOtherPosts) (or .NextInSection .PrevInSection) }}
<div class="pagination">
<div class="pagination__title">
<span class="pagination__title-h">{{ .Site.Params.ReadOtherPosts }}</span>
<hr />
</div>
<div class="pagination__buttons">
{{- if .NextInSection }}
<span class="button previous">
<a href="{{ .NextInSection.Permalink }}">
<span class="button__icon"></span>
<span class="button__text">{{ .NextInSection.Title }}</span>
</a>
</span>
{{- end }}
{{- if .PrevInSection }}
<span class="button next">
<a href="{{ .PrevInSection.Permalink }}">
<span class="button__text">{{ .PrevInSection.Title }}</span>
<span class="button__icon"></span>
</a>
</span>
{{- end }}
</div>
</div>
{{- end }}
{{- if .Site.DisqusShortname }}
{{- if not (eq .Params.Comments "false") }}
<div id="comments">
{{ template "_internal/disqus.html" . }}
</div>
{{- end }}
{{- end }}
</main>
{{ end }}
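Review bot: In the Disqus block near the end of the template, `{{- if not (eq .Params.Comments "false") }}` compares against the string `"false"`, so a page that sets `comments = false` as a TOML boolean would most likely still load the third-party Disqus embed. Accepting both forms makes the per-page opt-out reliable: `{{- if and (ne .Params.Comments false) (ne .Params.Comments "false") }}`. The cover block also emits `src="/{{ .Params.Cover }}"` as a root-relative path, which assumes the site is served from the domain root; `{{ .Params.Cover | relURL }}` would follow `baseURL` instead. A short template comment at the top saying how this layout differs from the regular post layout would help whoever has to keep the two in sync.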