apoirrier/CTFs-writeups

Writeups for various CTFs competitions

CTFs-writeups

Writeups for various CTFs competitions.

On this page you can find links to writeups for the following categories:

• Blockchain
• Cryptography
• Forensics
• Cheating in games
• Miscellaneous
• OSINT
• Pwn
• Brute-forcing passwords
• Quantum cryptography
• Reverse engineering
• Web

You can also find a list of useful CTF tools.

Example of writeups

Blockchain

Eth

• Blockchain transactions are public (ETH)
• Reentrancy exploit
• Set up of environment, underflow and reentrancy

Bitcoin

• Bitcoin transaction vulnerability

Cryptography

Easy crypto

• OTP reuse
• Morse from audio
• Enigma
• Enigma avec IC
• Lot of guessy ciphertexts without knowledge of cipher
• Hill cipher

General crypto

• Double DES

AES

• Malleability of the first block in AES-CBC
• Padding oracle attack on AES-CBC
• IV recovery with partially known plaintext, ciphertext and key in AES-CBC
• Exploiting predictable IV in AES-CBC
• Differential Power Analysis on first round of AES

RSA

• RSA with ciphertext super small
• Attacks on RSA: Wiener, sexy primes, LSB oracle, partial private key leaked
• Multi-primes RSA
• Fixed point in RSA
• RSA full oracle

Hashes

• Hash length extension attack
• Find a preimage for the Python hash function

Cryptography in subgroups of Z or Z*

• DLP, order of N has small factors
• ElGamal signature scheme without hash existential forgery
• Break DH key exchange with Pohlig-Hellman attack for DLP
• Oracle for finding secret exponent
• Shamir polynomial with linked coefficients

Elliptic curves

• CRT on EC points
• Nonce reuse in ECDSA signature

Bad randomness

• Retrieve state of java.util.Random PRNG
• Solve system of integer inequalities - java.util.Random calls

Esoteric

• Custom VHDL cipher on FPGA
• Hardware AES key, CRT, Galois fields
• Encryption oracle with plaintext compressed
• Example in RUST

Forensics

Images

• Broken JPEG header
• Broken PNG image
• Broken BMP header
• Flag hidden in bit plane of image
• Image manipulation with PIL
• Hidden flag in PNG (zsteg)
• Hidden flag in scanline filter of PNG
• Code128
• Piet

Audio

• binwalk and flag hidden in spectrogram of audio file
• UART
• SSTV
• Some signal analysis (Winlink)
• WAV file is an oscilloscope input

PDF

• PDF recover streams and CMap

Network files

• Scapy to read pcap
• Extract TFTP files

Dump files

• Android dump position history
• Arduino
• Analyse dump file with volatility
• Analyse Windows file with volatility
• Windows recurring task
• Repair RAID files
• Backdoor in service (systemd)
• ELF Core dump

Signal in a wire

• Keypad sniffer
• EEPROM Arduino eletrical circuit VCD file
• 8b10b
• Non Return to Zero Inverted

Esoteric

• Polyglotte files
• Hidden flag in RSA parameter
• Detect falsified data with Benford's law
• Automating decompression with password cracking
• Read sparse files
• Color hex values
• Sound keylogger
• Elastic search
• Log4Shell

Games

• Cheat in WASM games
• Modify client of Godot scripts MMORPG game to cheat

Misc

• Bypass float comparison in Python
• Read QR code with Python
• Python bytecode
• Create Signal with a given frequency
• Homoglyphes
• Reverse gzdeflate
• Captcha brute force
• Become root in VM

OSINT

• Github older commit
• Old version of pip library
• Find password of an employee in social network
• Old version of website

PWN

Buffer overflow

• Simple buffer overflow
• 32 bits ROP chain buffer overflow
• NX disabled
• Write shellcodes with restrictions
• Get a shell using dup2 and execv with ROP

Simple format string

• Format string vulnerability to bypass canary and PIE for buffer overflow
• GOT override with format string vulnerability (no PIE)

ret2lib

• 32 bit ret2lib with buffer overflow
• 64 bit ret2lib with buffer overflow
• ret2lib with ASLR and PIE with only format string vulnerabilities

File Struct Oriented Programming

• FSOP par heap overflow
• Guide FSOP
• Autre guide

Break PRNG

• Guess randomness of rand with srand(time)

Privilege escalation

• Privilege escalation on Linux machine, exit rbash
• Open tty shell to exploit less for privilege escalation
• Read file in restricted bash
• Read execute-only binary with LD_PRELOAD

Heap exploitation

• Reallocate chosen freed block from tcache
• Use-after-free

Python

• Python 2 input
• Python string equal bypass before int

Java

• log4shell

Password cracking

• Simple john
• Salted hash
• Custom List
• KDBX
• ZIP
• KDBX with key file
• Similar password

Quantum

• Quantum key distribution

Reversing

Java and Android

• Java decompiler

Python

• Python bytecode reverse
• PYC reverse

Assembly

• Assembly reversing
• ARMv8 assembly reversing
• Portable executable compiled with Cosmopolitain
• In-memory loading technique
• vTable hook

Micro-controllers and circuits

• Arduino Intel HEX format
• Logic gates

Other static analysis

• Extract data from ELF
• Packed malware

Static analysis

• Use angr to crack password
• Use claripy to solve a set of constraints

Dynamic analysis

• Use gdb to debug child after fork
• Reverse OS launched with qemu
• Example of reversing using OllyDbg and Ghidra
• Brute force password on Android app

Web

Language vulnerabilities

• PHP injection with eval used
• Exploit javascript equality check to bypass hash collision
• PHP deserialize
• Another PHP deserialize
• .Net core C# getters and setters exploits
• PHP extract

SQL attacks

• Blind SQLi, path transversal
• Another blind SQLi
• SQL union attack, weak new password procedure
• Blind SQLi: guessing tables and finding flag
• MySQL UNION attack with some filters

Session tokens

• disable JWT signing
• JWT with RS256 and weak RSA key
• Flask cookies
• exploit redirect parameter in OAuth to steal access token

RCE with SSTI

• Jinja2 SSTI

XSS

• Reflected XSS
• Reflected XSS with older version of browser (SameSite=None)
• Bypass WAF for reflected XSS
• Use javascript: URL scheme to provoke XSS

XXE

• Custom Wordpress vulnerability

Proxy stuff

• Bypass nginx deny-all when nginx is a proxy before Gunicorn
• Exploit SSRF to access intranet

WASM

• Disassemble WASM

CVE

• Apache CVE example
• Gitlab CVE example
• Laravel (PHP) LFI leading to RCE due to CVE in dependency
• RCE on Covenant

Tools for CTF

Here is a list to various useful tools for CTF competitions.

Network

• Wireshark to analyze network connections

Web

• Postman to make HTTP requests
• OWASP ZAP for analysing website security. Features include requests analysis and forgery, fuzzing, etc...
• sqlmap for automatic SQL injection
• webhook for receiving requests. See Internal Support for an example of XSS attack.
• See UpCredit for an example of CSRF attack (without csrf token).
• flask-unsign for decoding, cracking and forging Flask cookies.

Reverse engineering

• Ghidra to decompile c code.
• Java decompiler
• gdb a C debugger and its additional functionalities gef
• OllyDbg a debugger for Windows programs
• Android studio to edit and analyse APK files and emulate APK
• Apktool for reversing APK files
• angr for symbolic execution. See writeup.

PWN

• pwntools a Python library for PWN
• pwninit for automatically starting pwn challenges.
• ROPGadget search for gadget and ROP chain generation
• lib search database for ret2lib. See also writeup 32 bits and writeup 64 bits.
• shellcodes

Steganography

• file to determine file type
• strings to print all ASCII strings in file
• binwalk to find embedded files
• StegSolve an image solver
• Steg online for images
• Morse decoder
• MMSSTV for HAM transmissions
• Digital Invisible Ink Toolkit for images
• DeepSound for sound files
• Raw Pixels an online RAW image viewer
• Hexed.it to edit the bytes of a file
• zsteg for images

Forensics

• Autopsy for device analysis
• Acoustic keylogger
• Sigidwiki a signal identification guide
• volatility

Cryptography

• https://www.dcode.fr/en It knows a lot of common cypher methods and does automatic uncyphering
• hlextend a Python library for length extension attacks on Merkle-Damgård hash functions
• Factorize big integers with http://factordb.com/
• Reverse seeds given inequality constraints for Java random: JavaRandomReverser
• Solve integer inequalities with CSP

Password cracking

• JohntheRipper

OSINT

• Sherlock to scrap information on social media
• Wayback Machine
• Webpage archive

Misc

• If you know the format of the flag, you can use flag_converter.py to quickly have the most common encoding of the flag, so you know what to look for during the competition ;)
• https://www.asciitohex.com/ For quick conversion between ASCII, decimal, base64, binary, hexadecimal and URL
• https://gchq.github.io/CyberChef/ Same as asciitohex but more complete, with magic wand.
• https://upload.wikimedia.org/wikipedia/commons/d/dd/ASCII-Table.svg: An Ascci to decimal, hexadecimal, binary and octal table
• Deal with images in Python using PIL. See example writeup
• Cheat in WASM games: Cetus
• Decompiler for GDScripts