Put all adventofctf files in a directory of that years edition

alternate-navbar
Maik de Kruif 3 years ago
parent dd55721211
commit b1fb5072db
Signed by: maik
GPG Key ID: 44A55AD1F0673FA6
  1. 2
      content/posts/adventofctf/2020/challenge_0.md
  2. 2
      content/posts/adventofctf/2020/challenge_1.md
  3. 2
      content/posts/adventofctf/2020/challenge_10.md
  4. 2
      content/posts/adventofctf/2020/challenge_11.md
  5. 2
      content/posts/adventofctf/2020/challenge_12.md
  6. 2
      content/posts/adventofctf/2020/challenge_13.md
  7. 2
      content/posts/adventofctf/2020/challenge_14.md
  8. 4
      content/posts/adventofctf/2020/challenge_15.md
  9. 4
      content/posts/adventofctf/2020/challenge_16.md
  10. 10
      content/posts/adventofctf/2020/challenge_17.md
  11. 2
      content/posts/adventofctf/2020/challenge_18.md
  12. 4
      content/posts/adventofctf/2020/challenge_19.md
  13. 2
      content/posts/adventofctf/2020/challenge_2.md
  14. 2
      content/posts/adventofctf/2020/challenge_20.md
  15. 2
      content/posts/adventofctf/2020/challenge_21.md
  16. 2
      content/posts/adventofctf/2020/challenge_22.md
  17. 6
      content/posts/adventofctf/2020/challenge_23.md
  18. 2
      content/posts/adventofctf/2020/challenge_24.md
  19. 2
      content/posts/adventofctf/2020/challenge_3.md
  20. 2
      content/posts/adventofctf/2020/challenge_4.md
  21. 2
      content/posts/adventofctf/2020/challenge_5.md
  22. 2
      content/posts/adventofctf/2020/challenge_6.md
  23. 2
      content/posts/adventofctf/2020/challenge_7.md
  24. 2
      content/posts/adventofctf/2020/challenge_8.md
  25. 2
      content/posts/adventofctf/2020/challenge_9.md
  26. 2
      content/posts/adventofctf/2020/intro.md
  27. 0
      static/img/adventofctf/2020/080b5d5fcaf13167d2e7e8871fdc8ded.png
  28. 0
      static/img/adventofctf/2020/16/ssti_graph.png
  29. 0
      static/img/adventofctf/2020/23/breakpoint.png
  30. 0
      static/img/adventofctf/2020/23/websocket.png
  31. 0
      static/img/adventofctf/2020/246397ca184f8b03ac8fecf50ee1051e.png
  32. 0
      static/img/adventofctf/2020/24e9ce8f146f70b4189f1d2532a75208.png
  33. 0
      static/img/adventofctf/2020/3542630bd0bb5141d94e4b40930bd69d.png
  34. 0
      static/img/adventofctf/2020/3f12301d8715a1371d2d776d25ea6ab6.png
  35. 0
      static/img/adventofctf/2020/497784f7a3314f8aa5b8464432e30bbe.png
  36. 0
      static/img/adventofctf/2020/4f5cc0afbb9e7ec6a57cdd68a92b9213.png
  37. 0
      static/img/adventofctf/2020/6c0810c1568645bcf58da67a1db6e3e7.png
  38. 0
      static/img/adventofctf/2020/8717d728f2de96beb8123c0cca28a728.png
  39. 0
      static/img/adventofctf/2020/948b1eb046c96865a05808660ee99e10.png
  40. 0
      static/img/adventofctf/2020/973ded4b2381c28af6c24d3d670303c6.png
  41. 0
      static/img/adventofctf/2020/9c6afd807a15973b962cf3aee3dbe836.png
  42. 0
      static/img/adventofctf/2020/9fac6046540f4972c60f458b94aacb1d.png
  43. 0
      static/img/adventofctf/2020/a4afd1fffb0b662d849a6907767f0625.png
  44. 0
      static/img/adventofctf/2020/advent_of_ctf_coming_soon.png
  45. 0
      static/img/adventofctf/2020/af3424cd215a6459494ae07eab33cb35.png
  46. 0
      static/img/adventofctf/2020/b915cb528c4b3d6fc4644f73ba8b829d.png
  47. 0
      static/img/adventofctf/2020/ba15475608ea3f8313825eec5dceac06.png
  48. 0
      static/img/adventofctf/2020/be40bcd25e7487440a64b13cd32049b2.png
  49. 0
      static/img/adventofctf/2020/c1f93b6ee2e1cd25ea02f9a78c364b12.png
  50. 0
      static/img/adventofctf/2020/c366d63edd4a35c9f8bea89e57401fef.png
  51. 0
      static/img/adventofctf/2020/d80f13d1ab714f7864c2a9ef56c5f767.png
  52. 0
      static/img/adventofctf/2020/da781419d6bf02d0a580e48414b9cbde.png
  53. 0
      static/img/adventofctf/2020/dd04640480d764ab09eea047cde749cd.png
  54. 0
      static/img/adventofctf/2020/f1d6ca5572e0c012239bcf4a8f797be1.png
  55. 0
      static/img/adventofctf/2020/f90b2bf3f08ee628c09505ff309018ed.png

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 0 - AdventOfCTF"
date = 2020-12-02T17:20:28+01:00
description = "A writeup for challenge 0 of AdventOfCTF."
cover = "img/adventofctf/f90b2bf3f08ee628c09505ff309018ed.png"
cover = "img/adventofctf/2020/f90b2bf3f08ee628c09505ff309018ed.png"
tags = [
"AdventOfCTF",
"challenge",
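Review bot: Moving each post under `content/posts/adventofctf/2020/` will, with Hugo's default URL rules, change its published URL, and the front matter shown here gains no redirect for the old address. Unless the site config pins permalinks for this section, existing inbound links to the old post URLs would start returning 404. I would add an `aliases` entry next to `cover`, for example `aliases = ["/posts/adventofctf/challenge_0/"]` (old URL assumed from the previous path), and do the same in the other challenge files and `intro.md`. The front matter starts and ends outside this hunk, so an alias may already exist there.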

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 1 - AdventOfCTF"
date = 2020-12-02T17:27:25+01:00
description = "A writeup for challenge 1 of AdventOfCTF."
cover = "img/adventofctf/3f12301d8715a1371d2d776d25ea6ab6.png"
cover = "img/adventofctf/2020/3f12301d8715a1371d2d776d25ea6ab6.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 10 - AdventOfCTF"
date = 2020-12-11T22:12:42+01:00
description = "A writeup for challenge 10 of AdventOfCTF."
cover = "img/adventofctf/ba15475608ea3f8313825eec5dceac06.png"
cover = "img/adventofctf/2020/ba15475608ea3f8313825eec5dceac06.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 11 - AdventOfCTF"
date = 2020-12-11T23:45:32+01:00
description = "A writeup for challenge 11 of AdventOfCTF."
cover = "img/adventofctf/3542630bd0bb5141d94e4b40930bd69d.png"
cover = "img/adventofctf/2020/3542630bd0bb5141d94e4b40930bd69d.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 12 - AdventOfCTF"
date = 2020-12-14T15:55:21+01:00
description = "A writeup for challenge 12 of AdventOfCTF."
cover = "img/adventofctf/af3424cd215a6459494ae07eab33cb35.png"
cover = "img/adventofctf/2020/af3424cd215a6459494ae07eab33cb35.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 13 - AdventOfCTF"
date = 2020-12-14T18:48:28+01:00
description = "A writeup for challenge 13 of AdventOfCTF."
cover = "img/adventofctf/24e9ce8f146f70b4189f1d2532a75208.png"
cover = "img/adventofctf/2020/24e9ce8f146f70b4189f1d2532a75208.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 14 - AdventOfCTF"
date = 2020-12-14T19:45:51+01:00
description = "A writeup for challenge 14 of AdventOfCTF."
cover = "img/adventofctf/dd04640480d764ab09eea047cde749cd.png"
cover = "img/adventofctf/2020/dd04640480d764ab09eea047cde749cd.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 15 - AdventOfCTF"
date = 2020-12-31T22:34:24+01:00
description = "A writeup for challenge 15 of AdventOfCTF."
cover = "img/adventofctf/9c6afd807a15973b962cf3aee3dbe836.png"
cover = "img/adventofctf/2020/9c6afd807a15973b962cf3aee3dbe836.png"
tags = [
"AdventOfCTF",
"challenge",
@ -58,7 +58,7 @@ Besides this code, we also get an input field for the contents of the `flag` par
When scanning this code, we see that `$flag` is compared to our input. It firstly does a `strcmp`, and, if it is not `0`, it checks if the `sha1` hashes of both variables are equal.
The thing with PHP and `strcmp` is that PHP will do some type juggling before checking the values. You can read more about PHP type juggling in the [writeup of yesterday's challenge]({{% ref "posts/adventofctf/challenge_14.md" %}}#type-juggling).
The thing with PHP and `strcmp` is that PHP will do some type juggling before checking the values. You can read more about PHP type juggling in the [writeup of yesterday's challenge]({{% ref "posts/adventofctf/2020/challenge_14.md" %}}#type-juggling).
## Exploit
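Review bot: The updated `ref` on the type-juggling link still spells out the full content path, now `posts/adventofctf/2020/challenge_14.md`, so every future move of this directory needs the same edit again. Hugo resolves a `ref` path without a leading slash relative to the current page first, so `{{% ref "challenge_14.md" %}}` should reach the sibling file and survive a move; confirm this against the Hugo version in use. The same applies to the `challenge_16.md` references in challenge_17.md and the `challenge_18.md` reference in challenge_19.md.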

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 16 - AdventOfCTF"
date = 2021-01-01T01:44:45+01:00
description = "A writeup for challenge 16 of AdventOfCTF."
cover = "img/adventofctf/246397ca184f8b03ac8fecf50ee1051e.png"
cover = "img/adventofctf/2020/246397ca184f8b03ac8fecf50ee1051e.png"
tags = [
"AdventOfCTF",
"challenge",
@ -56,7 +56,7 @@ SSTI occurs when an attacker is able to use native template syntax to inject a m
An easy way to check for SSTI is by using the following graph from PortSwigger:
{{< figure src="/img/adventofctf/16/ssti_graph.png" title="SSTI Graph (by PortSwigger)" >}}
{{< figure src="/img/adventofctf/2020/16/ssti_graph.png" title="SSTI Graph (by PortSwigger)" >}}
So I followed this graph and got the following results:

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 17 - AdventOfCTF"
date = 2021-01-06T22:51:23+01:00
description = "A writeup for challenge 17 of AdventOfCTF."
cover = "img/adventofctf/8717d728f2de96beb8123c0cca28a728.png"
cover = "img/adventofctf/2020/8717d728f2de96beb8123c0cca28a728.png"
tags = [
"AdventOfCTF",
"challenge",
@ -48,13 +48,13 @@ function send() {
## Finding the vulnerability
The description makes a reference to [yesterday's challenge]({{% ref "posts/adventofctf/challenge_16.md" %}}) so we probably have to use the same concept.
The description makes a reference to [yesterday's challenge]({{% ref "posts/adventofctf/2020/challenge_16.md" %}}) so we probably have to use the same concept.
Let's verify it by trying the following input: `{{7*7}}`. It returned `49` so we can continue with the next step.
## Exploit
Just like [yesterday's challenge]({{% ref "posts/adventofctf/challenge_16.md" %}}), we start by trying to get the config like so: `{{config.items()}}`. Sadly, we get an error message: "You entered an emoji that is on my deny list".
Just like [yesterday's challenge]({{% ref "posts/adventofctf/2020/challenge_16.md" %}}), we start by trying to get the config like so: `{{config.items()}}`. Sadly, we get an error message: "You entered an emoji that is on my deny list".
### Blacklist
@ -134,7 +134,7 @@ Here we find an encrypted flag again: `'flag': "C\x1eS\x1dwsef}j\x057i\x7fo{D)'d
## Decrypting the flag
Just like [yesterday's challenge]({{% ref "posts/adventofctf/challenge_16.md" %}}), the flag is encrypted and we probably have to get the source again to get the key used to encrypt the flag. To get the source we first need arbitrary code execution.
Just like [yesterday's challenge]({{% ref "posts/adventofctf/2020/challenge_16.md" %}}), the flag is encrypted and we probably have to get the source again to get the key used to encrypt the flag. To get the source we first need arbitrary code execution.
### Arbitrary Code Execution (ACE)
@ -732,7 +732,7 @@ if __name__ == '__main__':
## Magic function
Just like [yesterday]({{% ref "posts/adventofctf/challenge_16.md" %}}), we find a magic function. It looks like it's the same just with a different key so let's decrypt it using the new key (`46e505c983433b7c8eefb953d3ffcd196a08bbf9`):
Just like [yesterday]({{% ref "posts/adventofctf/2020/challenge_16.md" %}}), we find a magic function. It looks like it's the same just with a different key so let's decrypt it using the new key (`46e505c983433b7c8eefb953d3ffcd196a08bbf9`):
```text
Python 3.6.9 (default, Nov 7 2019, 10:44:02)

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 18 - AdventOfCTF"
date = 2021-01-06T23:04:52+01:00
description = "A writeup for challenge 18 of AdventOfCTF."
cover = "img/adventofctf/be40bcd25e7487440a64b13cd32049b2.png"
cover = "img/adventofctf/2020/be40bcd25e7487440a64b13cd32049b2.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 19 - AdventOfCTF"
date = 2021-02-25T23:18:28+01:00
description = "A writeup for challenge 19 of AdventOfCTF."
cover = "img/adventofctf/d80f13d1ab714f7864c2a9ef56c5f767.png"
cover = "img/adventofctf/2020/d80f13d1ab714f7864c2a9ef56c5f767.png"
tags = [
"AdventOfCTF",
"challenge",
@ -58,7 +58,7 @@ function send() {
As the description tells us it's a calculator, let's try entering `3+4` in the input field. It will make a `POST` request to `/calc`, which will return `7`.
The description also states it was possible to enter javascript code, which we saw in the [previous challenge]({{% ref "posts/adventofctf/challenge_18.md" %}}), but that it has been fixed now.
The description also states it was possible to enter javascript code, which we saw in the [previous challenge]({{% ref "posts/adventofctf/2020/challenge_18.md" %}}), but that it has been fixed now.
## Finding the vulnerability

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 2 - AdventOfCTF"
date = 2020-12-02T17:30:25+01:00
description = "A writeup for challenge 2 of AdventOfCTF."
cover = "img/adventofctf/948b1eb046c96865a05808660ee99e10.png"
cover = "img/adventofctf/2020/948b1eb046c96865a05808660ee99e10.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 20 - AdventOfCTF"
date = 2021-02-26T00:11:35+01:00
description = "A writeup for challenge 20 of AdventOfCTF."
cover = "img/adventofctf/c1f93b6ee2e1cd25ea02f9a78c364b12.png"
cover = "img/adventofctf/2020/c1f93b6ee2e1cd25ea02f9a78c364b12.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 21 - AdventOfCTF"
date = 2021-02-26T11:45:53+01:00
description = "A writeup for challenge 21 of AdventOfCTF."
cover = "img/adventofctf/a4afd1fffb0b662d849a6907767f0625.png"
cover = "img/adventofctf/2020/a4afd1fffb0b662d849a6907767f0625.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 22 - AdventOfCTF"
date = 2021-03-04T01:24:34+01:00
description = "A writeup for challenge 22 of AdventOfCTF."
cover = "img/adventofctf/6c0810c1568645bcf58da67a1db6e3e7.png"
cover = "img/adventofctf/2020/6c0810c1568645bcf58da67a1db6e3e7.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 23 - AdventOfCTF"
date = 2021-03-16T20:52:38+01:00
description = "A writeup for challenge 23 of AdventOfCTF."
cover = "img/adventofctf/497784f7a3314f8aa5b8464432e30bbe.png"
cover = "img/adventofctf/2020/497784f7a3314f8aa5b8464432e30bbe.png"
tags = [
"AdventOfCTF",
"challenge",
@ -58,7 +58,7 @@ $(function () {
From the JavaScript code we can see that the chat uses WebSockets. To take a deeper look at it, let's switch over to the network tab in Chrome and click on the request with the type "websocket".
{{< figure src="/img/adventofctf/23/websocket.png" title="Websocket in Chrome DevTools" >}}
{{< figure src="/img/adventofctf/2020/23/websocket.png" title="Websocket in Chrome DevTools" >}}
If we click on it, a tab with the messages sent on the websocket will open. We can see some numbers here, these are just heartbeat packets to keep the connection alive. Now, let's send a new message and have a look at what it actually sends/receives.
@ -75,7 +75,7 @@ We can see the message contains two parts; the event name and the message itself
In Chrome (to my knowledge) we can't easily send a message on a websocket. We could use Burp Suit to do it but for this writeup I'll stick with Chrome. To send a message on the websocket, we need the `socket` variable from the javascript code. To get it, go to the `Sources` tab and click on `(index)`. Now click on line number 28 to add a breakpoint there. We choose this place as it will trigger a breakpoint just before a message gets sent and we thus have access to the socket variable.
{{< figure src="/img/adventofctf/23/breakpoint.png" title="Javascipt breakpoint in Chrome" >}}
{{< figure src="/img/adventofctf/2020/23/breakpoint.png" title="Javascipt breakpoint in Chrome" >}}
Now if we try to send a message, chrome will pause the page. The console will now also have the scope of the piece of code at the breakpoint. This means that if we enter `socket` in the console, will get the socket object back:
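Review bot: The rewritten `figure` line for the breakpoint screenshot carries over the misspelled title `Javascipt breakpoint in Chrome`; since the line is being touched anyway, change it to `title="JavaScript breakpoint in Chrome"`. The paragraph above it also has `Burp Suit` for Burp Suite, on a context line this commit does not change.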

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 24 - AdventOfCTF"
date = 2021-09-22T12:12:12+01:00
description = "A writeup for challenge 24 of AdventOfCTF."
cover = "img/adventofctf/b915cb528c4b3d6fc4644f73ba8b829d.png"
cover = "img/adventofctf/2020/b915cb528c4b3d6fc4644f73ba8b829d.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 3 - AdventOfCTF"
date = 2020-12-03T09:29:12+01:00
description = "A writeup for challenge 3 of AdventOfCTF."
cover = "img/adventofctf/4f5cc0afbb9e7ec6a57cdd68a92b9213.png"
cover = "img/adventofctf/2020/4f5cc0afbb9e7ec6a57cdd68a92b9213.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 4 - AdventOfCTF"
date = 2020-12-04T09:58:46+01:00
description = "A writeup for challenge 4 of AdventOfCTF."
cover = "img/adventofctf/f1d6ca5572e0c012239bcf4a8f797be1.png"
cover = "img/adventofctf/2020/f1d6ca5572e0c012239bcf4a8f797be1.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 5 - AdventOfCTF"
date = 2020-12-05T08:57:31+01:00
description = "A writeup for challenge 5 of AdventOfCTF."
cover = "img/adventofctf/080b5d5fcaf13167d2e7e8871fdc8ded.png"
cover = "img/adventofctf/2020/080b5d5fcaf13167d2e7e8871fdc8ded.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 6 - AdventOfCTF"
date = 2020-12-06T15:24:45+01:00
description = "A writeup for challenge 6 of AdventOfCTF."
cover = "img/adventofctf/c366d63edd4a35c9f8bea89e57401fef.png"
cover = "img/adventofctf/2020/c366d63edd4a35c9f8bea89e57401fef.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 7 - AdventOfCTF"
date = 2020-12-07T16:43:23+01:00
description = "A writeup for challenge 7 of AdventOfCTF."
cover = "img/adventofctf/9fac6046540f4972c60f458b94aacb1d.png"
cover = "img/adventofctf/2020/9fac6046540f4972c60f458b94aacb1d.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 8 - AdventOfCTF"
date = 2020-12-08T09:34:24+01:00
description = "A writeup for challenge 8 of AdventOfCTF."
cover = "img/adventofctf/da781419d6bf02d0a580e48414b9cbde.png"
cover = "img/adventofctf/2020/da781419d6bf02d0a580e48414b9cbde.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Challenge 9 - AdventOfCTF"
date = 2020-12-11T21:24:52+01:00
description = "A writeup for challenge 9 of AdventOfCTF."
cover = "img/adventofctf/973ded4b2381c28af6c24d3d670303c6.png"
cover = "img/adventofctf/2020/973ded4b2381c28af6c24d3d670303c6.png"
tags = [
"AdventOfCTF",
"challenge",

@ -3,7 +3,7 @@ author = "Maik de Kruif"
title = "Intro to AdventOfCTF"
date = 2020-12-02T17:10:12+01:00
description = "Challenge 0 of AdventOfCTF."
cover = "img/adventofctf/advent_of_ctf_coming_soon.png"
cover = "img/adventofctf/2020/advent_of_ctf_coming_soon.png"
tags = [
"AdventOfCTF",
"challenge",

Before

Width:  |  Height:  |  Size: 34 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Before

Width:  |  Height:  |  Size: 143 KiB

After

Width:  |  Height:  |  Size: 143 KiB

Before

Width:  |  Height:  |  Size: 69 KiB

After

Width:  |  Height:  |  Size: 69 KiB
