Why this? Why? Just because it makes my terminal look prettier and easier to understand. It divides every command into a BLOCK so that I can easily get to the point. What does it look like? The gray line in the graph is what it looks like. You can change the color later in your setup. Setup function print_separator() { local cols=$(tput cols) local color="\033[38;2;68;71;90m" # RGB(68, 71, 90), you can change the color here local reset="\033[0m" printf "\n" printf ...
TryHackMe
0x00 Challenge Info Obviously, it’s an LFI vuln. The web application can read local files to respond with different pages. 0x01 Reconnaissance We can find that a file can be read with a parameter such as page=file:///etc/passwd. 0x02 Exploit Use file:///flag.txt to read the flag.txt in the root path. 0x03 Pwned
Prologue This is the first time I have won a place in a CTF contest. The following are the scoreboard and my score over time. Web Ave Mujica After some recon, I found the web server is built with gunicorn, and the site looks like it has a directory traversal to LFI vulnerability. After doing some research, I tried some LFI wordlists and finally got the flag by reading /proc/self/environ. The PoC is as follows. curl 'http://172.31.3.2:168/image?name=../../../../proc/self/environ' --output flag. ...
Easy Crack Open IDA and find the check password function (you can use a string to find it). I will put the decompiled function below. int __cdecl sub_401080(HWND hDlg) { CHAR String[97]; // [esp+4h] [ebp-64h] BYREF __int16 v3; // [esp+65h] [ebp-3h] char v4; // [esp+67h] [ebp-1h] memset(String, 0, sizeof(String)); v3 = 0; v4 = 0; GetDlgItemTextA(hDlg, 1000, String, 100); if ( String[1] != 'a' || strncmp(&String[2], Str2, 2u) || strcmp(&String[4], aR3v ...
0x00 Challenge Info A test! Getting onto the team is one thing, but you must prove your skills to be chosen to represent the best of the best. They have given you the classic - a restricted environment, devoid of functionality, and it is up to you to see what you can do. Can you break open the chest? Do you have what it takes to bring humanity from the brink? 0x01 Reconnaissance This challenge is a Python jail (Pyjail). Let’s check the challenge code first. banner = r""" .____ ...
StudyNotes
Prologue Fermat’s Little Theorem is seen quite often in CTF contests, so let’s dive into this article to learn more about it! Math is powerful! Required Knowledge $a\equiv{b}\pmod{k}\Leftrightarrow{k}\mid(a-b)$ $a\equiv{b}\pmod{k}\quad\text{and}\quad c\equiv{d}\pmod{k}\Leftrightarrow a+c\equiv b+c\pmod{k}$ $a\equiv{b}\pmod{k}\quad\text{and}\quad c\equiv{d}\pmod{k}\Leftrightarrow ac\equiv bd\pmod{k}$ ...
0x00 Challenge Info Gotta collect them all. 0x01 Reconnaissance We have a zip file, and after we unzip it, we get an executable file called HackTheBox CubeMadness1.exe. First, we can run the file to see what’s going on and what this game is about. In this game, we can use the left/right arrow keys to control the white cube (?) and use space to jump, and it also allows jumping in the air. The challenge description said that we should collect all the cubes, but when we try to get all of them by pl ...
Prologue I decided to write this to help myself better understand the attacks on RSA and other cryptosystems. And if this can help you, that would be my honor! Also, all the code in this note will be in Python since it’s the most used exploit scripting language in CTFs. Let’s start! Euclidean Algorithm Intro It’s an algorithm to calculate the GCD (Greatest Common Divisor) of 2 numbers, and in Chinese, it’s called 輾轉相除法 BTW. Principles It’s a recursive algorithm, so every step’s output is the i ...