<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>.hidden</title><link>https://dothidden.xyz/</link><description>Recent content on .hidden</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><copyright>.hidden</copyright><lastBuildDate>Wed, 29 Apr 2026 18:00:00 +0200</lastBuildDate><atom:link href="https://dothidden.xyz/index.xml" rel="self" type="application/rss+xml"/><item><title>Seminar 0x0F</title><link>https://dothidden.xyz/events/seminar_0x0f/</link><pubDate>Wed, 29 Apr 2026 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x0f/</guid><description> Title Speaker Place Datetime Slides Open Discussion on AI in The Context of Cybersecurity Honesty &amp;amp; mehanix Room 701 @ PBT 29 Apr 2026 18:00 N/A Notes on EternalBlue sunbather Room 701 @ PBT 29 Apr 2026 18:00 N/A A Hacker&amp;rsquo;s Curiosity: Program Internals zenbassi Room 701 @ PBT 29 Apr 2026 18:00 N/A</description></item><item><title>Seminar 0x0E</title><link>https://dothidden.xyz/events/seminar_0x0e/</link><pubDate>Wed, 25 Mar 2026 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x0e/</guid><description> Title Speaker Place Datetime Slides WannaCry: How to steal and use NSA exploits for fun and profit. Mega &amp;amp; MettleSphee Room 701 @ PBT 25 Mar 2026 18:00 Link</description></item><item><title>Seminar 0x0D (Lightning Talks)</title><link>https://dothidden.xyz/events/seminar_0x0d_lightning_talks/</link><pubDate>Wed, 17 Dec 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x0d_lightning_talks/</guid><description>Join us for the Christmas Edition of the .hidden seminar! If you wish to give a short talk on a technical subject of your choosing, send us a message. It can be as short as you like (even 1 minute), and as long as 20 minutes. Complexity does not matter and it doesn&amp;rsquo;t have to be security related.
Title Speaker Place Datetime Slides Companies hate me for presenting this amazing idea MettleSphee Room 512 @ PBT 17 Dec 2025 18:00 Link Securing your Router sunbather Room 512 @ PBT 17 Dec 2025 18:00 Link Indie Web - Quickstart Guide mehanix Room 512 @ PBT 17 Dec 2025 18:00 Link When you’re a hammer, Everything looks like a nail Mega Room 512 @ PBT 17 Dec 2025 18:00 Link</description></item><item><title>Squid Game Engagement Report</title><link>https://dothidden.xyz/ctfs/ctf-usv_2025/squidgame/</link><pubDate>Thu, 27 Nov 2025 23:00:00 +0300</pubDate><guid>https://dothidden.xyz/ctfs/ctf-usv_2025/squidgame/</guid><description>Summary The engagement targeted a multi-service CTF environment that emulates the &amp;ldquo;Squid Game&amp;rdquo; infrastructure. Four main services (ports 8080, 8081, 8082, and 3000) plus auxiliary binaries were assessed. Critical issues were identified in every reachable component: insecure file upload logic, server-side template injection, JWT handling flaws, SQL injection, and weak protection of a native mobile secret.
Attack Surface Overview Port Service / Purpose Notes 8080 PHP &amp;ldquo;Game board&amp;rdquo; Vulnerable to SSTI, exposes DB creds 8081 VIP/Admin portal Authenticated file uploads with predictable names 8082 Blood Cross (React + Spring Boot) JWT-based backend with SQLi 3000 VIP messaging API Protected by bearer token embedded inside VIPs.</description></item><item><title>Seminar 0x0C</title><link>https://dothidden.xyz/events/seminar_0x0c/</link><pubDate>Wed, 26 Nov 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x0c/</guid><description> Title Speaker Place Datetime Slides When Functionality Becomes a Backdoor: Remote Code Execution in OT Environments Dragos Ionica Amf. 703 @ PBT 26 Nov 2025 18:00 TBA</description></item><item><title>Seminar 0x0B</title><link>https://dothidden.xyz/events/seminar_0x0b/</link><pubDate>Wed, 29 Oct 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x0b/</guid><description> Title Speaker Place Datetime Slides Fantastic CVEs and Where to Find Them Mal Amf. Titeica @ PBT 29 Oct 2025 18:00 TBA</description></item><item><title>1.Drill_Baby_Drill!</title><link>https://dothidden.xyz/ctfs/flareon12_2025/1-drill_baby_drill/</link><pubDate>Wed, 01 Oct 2025 18:42:50 +0200</pubDate><guid>https://dothidden.xyz/ctfs/flareon12_2025/1-drill_baby_drill/</guid><description>The first challenge in Flare-On starts with a game where the source code is provided.
This game is written in PyGame. It is about a baby trying to drill to recover its lost teddy bears. The source code is provided, along with a runnable PyInstaller EXE file.
When running the game, we can see that we control a baby who can move horizontally and drill downward. If we hit a rock with the drill, it&amp;rsquo;s game over.</description></item><item><title>2.project_chimera</title><link>https://dothidden.xyz/ctfs/flareon12_2025/2-project_chimera/</link><pubDate>Wed, 01 Oct 2025 18:42:50 +0200</pubDate><guid>https://dothidden.xyz/ctfs/flareon12_2025/2-project_chimera/</guid><description>For the second challenge we receive a python file only. The file is pretty small:
# These are my encrypted instructions for the Sequencer. encrypted_sequencer_data = b&amp;#39;x\x9cm\x96K\xcf\xe2\xe6\x15.....&amp;#39; # this is longer print(f&amp;#34;Booting up {f&amp;#34;Project Chimera&amp;#34;} from Dr. Khem&amp;#39;s journal...&amp;#34;) # apparently this exists to indicate that a version of Python 3.12+ should be used, I didn&amp;#39;t have this issue though # Activate the Genetic Sequencer. From here, the process is automated.</description></item><item><title>3.pretty_devilish_file</title><link>https://dothidden.xyz/ctfs/flareon12_2025/3-pretty_devilish_file/</link><pubDate>Wed, 01 Oct 2025 18:42:50 +0200</pubDate><guid>https://dothidden.xyz/ctfs/flareon12_2025/3-pretty_devilish_file/</guid><description>I didn&amp;rsquo;t really enjoy this challenge since it was pretty guessy. In this challenge we only receive a PDF file. To analyse it I used pdf-parser.py and pdfid.py.
By running pdfid.py we get the information that the PDF has an encrypted section. I initially thought that this was the goal of the challenge, but after spending quite some time trying to understand how that section works I gave up since I couldn&amp;rsquo;t extract anything useful from it.</description></item><item><title>4.UnholyDragon</title><link>https://dothidden.xyz/ctfs/flareon12_2025/4-unholydragon/</link><pubDate>Wed, 01 Oct 2025 18:42:50 +0200</pubDate><guid>https://dothidden.xyz/ctfs/flareon12_2025/4-unholydragon/</guid><description>Cheese For this challenge we get a Windows executable (UnholyDragon-150.exe).
The first thing we can observe is that the header is malformed (the first byte is incorrect).
This is easily fixed in a hex editor (I used HxD) by changing the first byte to 0x4D (M).
We can also use Detect It Easy to analyze the binary.
After patching the executable, I decided to do some dynamic analysis with Procmon first.</description></item><item><title>5.ntfsm</title><link>https://dothidden.xyz/ctfs/flareon12_2025/5-ntfsm/</link><pubDate>Wed, 01 Oct 2025 18:42:50 +0200</pubDate><guid>https://dothidden.xyz/ctfs/flareon12_2025/5-ntfsm/</guid><description>We get a really big Windows executable in this challenge.
It&amp;rsquo;s most likely this big because of the jump table:
Initially I found it pretty difficult to RE statically, although dynamic analysis definitely helped a lot.
Through dynamic analysis you can see that the binary writes to some ADS streams (hence the ntfs from the challenge name). These are:
state : represents the index in the jump table. It specifies which branch to jump to.</description></item><item><title>6.chain_of_demands</title><link>https://dothidden.xyz/ctfs/flareon12_2025/6-chain_of_demands/</link><pubDate>Wed, 01 Oct 2025 18:42:50 +0200</pubDate><guid>https://dothidden.xyz/ctfs/flareon12_2025/6-chain_of_demands/</guid><description>While I didn&amp;rsquo;t solve this challenge, I feel I was pretty close but got sidetracked down a rabbit hole.
For this challenge we get a Linux executable. When running it we get a console application that acts as a chat client.
The most important part of this is that we have a Last Convo button which displays the following:
[ { &amp;#34;conversation_time&amp;#34;: 0, &amp;#34;mode&amp;#34;: &amp;#34;LCG-XOR&amp;#34;, &amp;#34;plaintext&amp;#34;: &amp;#34;Hello&amp;#34;, &amp;#34;ciphertext&amp;#34;: &amp;#34;e934b27119f12318fe16e8cd1c1678fd3b0a752eca163a7261a7e2510184bbe9&amp;#34; }, { &amp;#34;conversation_time&amp;#34;: 4, &amp;#34;mode&amp;#34;: &amp;#34;LCG-XOR&amp;#34;, &amp;#34;plaintext&amp;#34;: &amp;#34;How are you?</description></item><item><title>Seminar 0x0A</title><link>https://dothidden.xyz/events/seminar_0x0a/</link><pubDate>Wed, 24 Sep 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x0a/</guid><description> Title Speaker Place Datetime Slides Nostalgic times in modern days: A short visit from the ghost of technology’s past MettleSphee Amf Pompeiu @ PBT 24 Sep 2025 18:00 Link</description></item><item><title>Flag L3ak</title><link>https://dothidden.xyz/ctfs/l3akctf_2025/flag_l3ak/</link><pubDate>Mon, 14 Jul 2025 21:45:51 +0300</pubDate><guid>https://dothidden.xyz/ctfs/l3akctf_2025/flag_l3ak/</guid><description>Challenge Description What&amp;rsquo;s the name of this CTF? Yk what to do 😉
We are greeted by a blog page, with a search bar and a few posts.
One post in particular, titled &amp;ldquo;Not the flag?&amp;rdquo; claims to have the flag hidden inside it.
Intuition Looking at the code we see it is an expressjs application, with public pages and 2 endpoints of interest:
'/api/search' '/api/posts' Search is of particular interest for us because the lookup happens before the flag gets overwritten.</description></item><item><title>Safe Gets</title><link>https://dothidden.xyz/ctfs/l3akctf_2025/safe_gets/</link><pubDate>Mon, 14 Jul 2025 21:42:41 +0300</pubDate><guid>https://dothidden.xyz/ctfs/l3akctf_2025/safe_gets/</guid><description>Challenge Description I think I found a way to make gets safe.
Intuition If we take a look at it with Ghidra
004011a5 48 8d 85 LEA RAX=&amp;gt;local_118,[RBP + -0x110] f0 fe ff ff 004011ac 48 89 c7 MOV RDI,RAX 004011af b8 00 00 MOV EAX,0x0 00 00 004011b4 e8 e7 fe CALL FUN_004010a0 undefined FUN_004010a0() ff ff Where FUN_004010a0 is just gets, we are given the entry point for a ROP exploit.</description></item><item><title>The Goose</title><link>https://dothidden.xyz/ctfs/l3akctf_2025/the_goose/</link><pubDate>Mon, 14 Jul 2025 21:39:11 +0300</pubDate><guid>https://dothidden.xyz/ctfs/l3akctf_2025/the_goose/</guid><description>Challenge Description When the honking gets tough, you better brush up on your basics
We are greeted by a goose, that asks us to guess a number. If we guess correctly we get to write a message to the world.
Intuition The protections enabled on the binary tell us that we probably are expected to execute a shell payload from the stack.
RELRO: Partial RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: PIE enabled Stack: Executable RWX: Has RWX segments Stripped: No Solution Sifting through the code with Ghidra we see that highscore is an interesting function</description></item><item><title>Seminar 0x09</title><link>https://dothidden.xyz/events/seminar_0x09/</link><pubDate>Wed, 25 Jun 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x09/</guid><description> Title Speaker Place Datetime Slides From Payload to Payback: Dissecting and Deceiving C2 Infrastructures Levi Amf Pompeiu @ FMI 25 Jun 2025 18:00 N/A</description></item><item><title>Seminar 0x08</title><link>https://dothidden.xyz/events/seminar_0x08/</link><pubDate>Wed, 28 May 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x08/</guid><description> Title Speaker Place Datetime Slides Recovering Lost Media - Tools, Techniques, and a Personal Case Study Johnson Amf Pompeiu @ FMI 28 May 2025 18:00 Link Finding Backdoors in Android Apps: Chinese Edition sunbather Amf Pompeiu @ FMI 28 May 2025 18:00 Link</description></item><item><title>Seminar 0x07</title><link>https://dothidden.xyz/events/seminar_0x07/</link><pubDate>Wed, 30 Apr 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x07/</guid><description> Title Speaker Place Datetime Slides Bad Binder - Exploiting an Android Kernel Vulnerability zenbassi Amf Pompeiu @ FMI 30 Apr 2025 18:00 N/A</description></item><item><title>Notecard</title><link>https://dothidden.xyz/ctfs/swamp_ctf_2025/notecard/</link><pubDate>Sun, 30 Mar 2025 23:02:58 +0300</pubDate><guid>https://dothidden.xyz/ctfs/swamp_ctf_2025/notecard/</guid><description>Challenge Description I wrote a service that allows students to create and retrieve their own notecards! What do you think?
Intuition The program is basically a note taking program. Here is the main() function:
undefined8 main(void) { long lVar1; undefined8 uVar2; long in_FS_OFFSET; lVar1 = *(long *)(in_FS_OFFSET + 0x28); setbuf(_stdin,(char *)0x0); setbuf(_stdout,(char *)0x0); printf(&amp;#34;Welcome to Note! Your one stop shop for all notecard needs!\n&amp;#34;); uVar2 = alloc(); FUN_001013f0(uVar2); if (*(long *)(in_FS_OFFSET + 0x28) == lVar1) { return 0; } __stack_chk_fail(); } Firstly, the alloc() function allocates some memory on the heap for the notes.</description></item><item><title>Oh My Buffer</title><link>https://dothidden.xyz/ctfs/swamp_ctf_2025/oh_my_buffer/</link><pubDate>Sun, 30 Mar 2025 22:47:05 +0300</pubDate><guid>https://dothidden.xyz/ctfs/swamp_ctf_2025/oh_my_buffer/</guid><description>Challenge Description I may have messed up my I/O calls, but it doesn&amp;rsquo;t matter if everything sensitive has been erased, right?
Intuition Open the binary in Ghidra:
void main(void) { int fd_devnull; __pid_t _Var1; int tmp; int tmp2; int tmp3; long in_FS_OFFSET; char local_71; int fd_stdout; int opt; FILE *local_68; FILE *devnull; char flag [72]; undefined8 local_10; local_10 = *(undefined8 *)(in_FS_OFFSET + 0x28); local_68 = fopen(&amp;#34;flag.txt&amp;#34;,&amp;#34;r&amp;#34;); fgets(flag,0x40,local_68); fclose(local_68); devnull = fopen(&amp;#34;/dev/null&amp;#34;,&amp;#34;w&amp;#34;); fd_stdout = dup(1); fd_devnull = fileno(devnull); dup2(fd_devnull,1); puts(&amp;#34;Here\&amp;#39;s the flag, too bad we don\&amp;#39;t let you see this:&amp;#34;); fflush(stdout); fputs(flag,stdout); memset(flag,0,0x40); dup2(fd_stdout,1); close(fd_stdout); fclose(devnull); _Var1 = fork(); if (_Var1 == 0) { while( true ) { do { while( true ) { write(1,&amp;#34;===================\n&amp;#34;,0x14); write(1,&amp;#34;Welcome to the box!</description></item><item><title>Tinybrain</title><link>https://dothidden.xyz/ctfs/swamp_ctf_2025/tinybrain/</link><pubDate>Sun, 30 Mar 2025 18:09:17 +0300</pubDate><guid>https://dothidden.xyz/ctfs/swamp_ctf_2025/tinybrain/</guid><description>Challenge Description Optimized for the minimum footprint&amp;hellip; if you ignore the jump tables&amp;hellip;
Note: bf should be called with a file. The remote runs a script that is not provided, which makes a file from your input.
Intuition We&amp;rsquo;re given a brainfuck interpreter that interprets the program found in the file whose name is passed as its first argument. Let&amp;rsquo;s look at it dynamically:
$ gdb --args bf payload pwndbg&amp;gt; start 0x401000 lea r13, [0x403800] R13 =&amp;gt; 0x403800 ◂— 0 0x401008 xor r14, r14 R14 =&amp;gt; 0 0x40100b mov rdi, qword ptr [rsp + 0x10] RDI, [0x7fffffffdef0] =&amp;gt; 0x7fffffffe270 ◂— 0x64616f6c796170 /* &amp;#39;payload&amp;#39; */ 0x401010 mov eax, 2 EAX =&amp;gt; 2 0x401015 xor esi, esi ESI =&amp;gt; 0 0x401017 xor edx, edx EDX =&amp;gt; 0 0x401019 syscall &amp;lt;SYS_open&amp;gt; 0x40101b mov r12, rax 0x40101e call 0x40102a &amp;lt;0x40102a&amp;gt; 0x401023 jmp qword ptr [rax*8 + 0x402000] 0x40102a inc r14 We can see that the our file &amp;ldquo;payload&amp;rdquo; is opened through the open() syscall.</description></item><item><title>Greeting as a Service</title><link>https://dothidden.xyz/ctfs/swamp_ctf_2025/greeting_as_a_service/</link><pubDate>Sun, 30 Mar 2025 17:34:37 +0300</pubDate><guid>https://dothidden.xyz/ctfs/swamp_ctf_2025/greeting_as_a_service/</guid><description>Challenge Description A friend of mine set up a greeting as a service server. He gave me a core dump of it to play around with but won&amp;rsquo;t give me source. Find anything useful?
Intuition We get a coredump of the remote service. A coredump can&amp;rsquo;t be explored by executing instructions, but the memory can be examined. Based on the backtrace, I guess we are in some kind of main() function:</description></item><item><title>Tales for the Brave</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/tales_for_the_brave/</link><pubDate>Sat, 29 Mar 2025 20:52:57 +0200</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/tales_for_the_brave/</guid><description>Challenge Description In Eldoria, a once-innocent website called “Tales for the Brave” has become the focus of unsettling rumors. Some claim it may secretly trap unsuspecting visitors, leading them into a complex phishing scheme. Investigators report signs of encrypted communications and stealthy data collection beneath its friendly exterior. You must uncover the truth, and protect Eldoria from a growing threat. When debugging JavaScript, ensure you use a Firefox-based browser.</description></item><item><title>Contractor</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/contractor/</link><pubDate>Sat, 29 Mar 2025 20:14:26 +0200</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/contractor/</guid><description>Challenge Description Sir Alaric calls upon the bravest adventurers to join him in assembling the mightiest army in all of Eldoria. Together, you will safeguard the peace across the villages under his protection. Do you have the courage to answer the call?
Intuition Decompiled main is shown in the following listing:
undefined8 main(void) { undefined8 uVar1; char *pcVar2; int iVar3; char *pcVar4; int *piVar5; long in_FS_OFFSET; int choice; int local_24; char *local_20; char local_14 [4]; long cookie; cookie = *(long *)(in_FS_OFFSET + 0x28); for (piVar5 = &amp;amp;choice; piVar5 !</description></item><item><title>Crossbow</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/crossbow/</link><pubDate>Sat, 29 Mar 2025 19:09:45 +0200</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/crossbow/</guid><description>Challenge Description Sir Alaric&amp;rsquo;s legendary shot can pierce through any enemy! Join his training and hone your aim to match his unparalleled precision.
Intuition The following is the decompiled code for the training() and the target_dummy() functions, which are the vulnerable functions:
void training(void) { char *local_28 [4]; printf(&amp;#34;%s\n[%sSir Alaric%s]: You only have 1 shot, don\&amp;#39;t miss!!\n&amp;#34;,&amp;amp;DAT_0040b4a8,&amp;amp;DAT_0040b00e, &amp;amp;DAT_0040b4a8); target_dummy(local_28); printf(&amp;#34;%s\n[%sSir Alaric%s]: That was quite a shot!!\n\n&amp;#34;,&amp;amp;DAT_0040b4a8,&amp;amp;DAT_0040b00e, &amp;amp;DAT_0040b4a8); return; } void target_dummy(char **param_1) { int iVar1; long lVar2; char *pcVar3; int input; printf(&amp;#34;%s\n[%sSir Alaric%s]: Select target to shoot: &amp;#34;,&amp;amp;DAT_0040b4a8,&amp;amp;DAT_0040b00e,&amp;amp;DAT_0040b4a8); iVar1 = scanf(&amp;#34;%d%*c&amp;#34;,&amp;amp;input); if (iVar1 !</description></item><item><title>Laconic</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/laconic/</link><pubDate>Sat, 29 Mar 2025 18:36:19 +0200</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/laconic/</guid><description>Challenge Description Sir Alaric&amp;rsquo;s struggles have plunged him into a deep and overwhelming sadness, leaving him unwilling to speak to anyone. Can you find a way to lift his spirits and bring back his courage?
Intuition Super small binary, written directly in assembly. Here is the disassembly:
$ objdump -d laconic -M intel laconic: file format elf64-x86-64 Disassembly of section .shellcode: 0000000000043000 &amp;lt;__start&amp;gt;: 43000: 48 c7 c7 00 00 00 00 mov rdi,0x0 43007: 48 89 e6 mov rsi,rsp 4300a: 48 83 ee 08 sub rsi,0x8 4300e: 48 c7 c2 06 01 00 00 mov rdx,0x106 43015: 0f 05 syscall 43017: c3 ret 43018: 58 pop rax 43019: c3 ret The syscall instruction is executing a read (rax = 0x0, you can see it dynamically).</description></item><item><title>Quack Quack</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/quack_quack/</link><pubDate>Sat, 29 Mar 2025 18:19:13 +0200</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/quack_quack/</guid><description>Challenge Description On the quest to reclaim the Dragon&amp;rsquo;s Heart, the wicked Lord Malakar has cursed the villagers, turning them into ducks! Join Sir Alaric in finding a way to defeat them without causing harm. Quack Quack, it&amp;rsquo;s time to face the Duck!
Intuition We can open the binary in Ghidra and see that the main() function calls an interesting duckling() function. Here is the latter&amp;rsquo;s decompiled code, comments added by me:</description></item><item><title>Twin Oracles</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/twin_oracles/</link><pubDate>Thu, 27 Mar 2025 19:00:25 +0300</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/twin_oracles/</guid><description>Challenge Description A powerful artifact—meant to generate chaos yet uphold order—has revealed its flaw. A misplaced rune, an unintended pattern, an oversight in the design. The one who understands the rhythm of its magic may predict its every move and use it against its creators. Will you be the one to claim its secrets?
Intuition We are given this file (server.py):
from Crypto.Util.number import * FLAG = bytes_to_long(open(&amp;#39;flag.txt&amp;#39;, &amp;#39;rb&amp;#39;).read()) MENU = &amp;#39;&amp;#39;&amp;#39; The Seers await your command: 1.</description></item><item><title>Hourcle</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/hourcle/</link><pubDate>Thu, 27 Mar 2025 18:33:57 +0300</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/hourcle/</guid><description>Challenge Description A powerful enchantment meant to obscure has been carelessly repurposed, revealing more than it conceals. A fool sought security, yet created an opening for those who dare to peer beyond the illusion. Can you exploit the very spell meant to guard its secrets and twist it to your will?
Intuition We are given this file (server.py):
from Crypto.Cipher import AES from Crypto.Util.Padding import pad import os, string, random, re KEY = os.</description></item><item><title>Prelim</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/prelim/</link><pubDate>Thu, 27 Mar 2025 17:57:30 +0300</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/prelim/</guid><description>Challenge Description Cedric has now found yet another secret message, but he dropped it on the floor and it got all scrambled! Do you think you can find a way to undo it?
Intuition We are given 2 files:
souce.py:
from random import shuffle from hashlib import sha256 from Crypto.Cipher import AES from Crypto.Util.Padding import pad n = 0x1337 e = 0x10001 def scramble(a, b): return [b[a[i]] for i in range(n)] def super_scramble(a, e): b = list(range(n)) while e: if e &amp;amp; 1: b = scramble(b, a) a = scramble(a, a) e &amp;gt;&amp;gt;= 1 return b message = list(range(n)) shuffle(message) scrambled_message = super_scramble(message, e) flag = pad(open(&amp;#39;flag.</description></item><item><title>Traces</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/traces/</link><pubDate>Thu, 27 Mar 2025 16:12:33 +0300</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/traces/</guid><description>Challenge Description Long ago, a sacred message was sealed away, its meaning obscured by the overlapping echoes of its own magic. The careless work of an enchanter has left behind a flaw—a weakness hidden within repetition. With keen eyes and sharper wits, can you untangle the whispers of the past and restore the lost words?
Intuition We are provided with this python file (server.py):
from db import * from Crypto.</description></item><item><title>Kewiri</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/kewiri/</link><pubDate>Thu, 27 Mar 2025 14:28:56 +0300</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/kewiri/</guid><description>Disclaimer: I am not a math pro or something. In this writeup I will make a lot of assumptions. I do not understand most of them myself, they are a result of me talking to LLMs and putting my trust into them.
Challenge Description The Grand Scholars of Eldoria have prepared a series of trials, each testing the depth of your understanding of the ancient mathematical arts. Those who answer wisely shall be granted insight, while the unworthy shall be cast into the void of ignorance.</description></item><item><title>Seminar 0x06</title><link>https://dothidden.xyz/events/seminar_0x06/</link><pubDate>Wed, 26 Mar 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x06/</guid><description> Title Speaker Place Datetime Slides WTF is a Heap? And how to hack it! PineBel Amf Pompeiu @ FMI 26 Mar 2025 18:00 Link</description></item><item><title>Blessing</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/blessing/</link><pubDate>Wed, 26 Mar 2025 03:00:19 +0300</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/blessing/</guid><description>Challenge Description In the realm of Eldoria, where warriors roam, the Dragon&amp;rsquo;s Heart they seek, from bytes to byte&amp;rsquo;s home. Through exploits and tricks, they boldly dare, to conquer Eldoria, with skill and flair.
Intuition We get a binary that does a malloc of 0x30000. After the malloc it sets the first byte from that malloc to 1. We also get the pointer from malloc as a leak. To read the flag we need to overwrite the 1 to 0.</description></item><item><title>Strategist</title><link>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/strategist/</link><pubDate>Wed, 26 Mar 2025 00:00:19 +0300</pubDate><guid>https://dothidden.xyz/ctfs/cyber_apocalypse_ctf_2025/strategist/</guid><description>Challenge description To move forward, Sir Alaric requests each member of his team to present their most effective planning strategy. The individual with the strongest plan will be appointed as the Strategist for the upcoming war. Put forth your best effort to claim the role of Strategist!
Intuition It looks like a classic heap challenge. We can control the size of malloc and write to that chunk. We can also remove (free) that chunk and edit its contents.</description></item><item><title>Very Serious Cryptography</title><link>https://dothidden.xyz/ctfs/kalmarctf_2025/very_serious_cryptography/</link><pubDate>Mon, 10 Mar 2025 03:15:35 +0300</pubDate><guid>https://dothidden.xyz/ctfs/kalmarctf_2025/very_serious_cryptography/</guid><description>This writeup is just a better explanation of this one. Make sure to check it too!
Challenge Description As CTF becomes more mainstream, a troubling new trend is emerging of player fanclubs becoming so large that top players and challenge authors are having their lives disrupted from the sheer volume of valentines gifts they are receiving! With some instances of the extreme valentines pressure even leading to the last minute postponement of major CTFs!</description></item><item><title>babyKalmarCTF</title><link>https://dothidden.xyz/ctfs/kalmarctf_2025/babykalmarctf/</link><pubDate>Mon, 10 Mar 2025 03:10:19 +0300</pubDate><guid>https://dothidden.xyz/ctfs/kalmarctf_2025/babykalmarctf/</guid><description>Challenge Description Ever played a CTF inside a CTF?
We were looking for a new scoring algorithm which would both reward top teams for solving super hard challenges, but also ensure that the easiest challenges wouldn&amp;rsquo;t go to minimum straight away if more people played than we expected.
That&amp;rsquo;s when we came across this ingenious suggestion! https://github.com/sigpwny/ctfd-dynamic-challenges-mod/issues/1
We&amp;rsquo;ve implemented this scoring idea (see here: https://github.com/blatchley/ctfd-dynamic-challenges-mod ) and spun up a small test ctf to test it out.</description></item><item><title>RWX-Gold</title><link>https://dothidden.xyz/ctfs/kalmarctf_2025/rwx-gold/</link><pubDate>Mon, 10 Mar 2025 03:03:41 +0300</pubDate><guid>https://dothidden.xyz/ctfs/kalmarctf_2025/rwx-gold/</guid><description>Challenge Description We give you file read, file write and code execution. But can you get the flag? Let&amp;rsquo;s reduce that.
Intuition Since the challenge lets us execute a command of only 3 characters, we cannot directly execute /would, so we need to find something that can execute commands for us. This is gpg.
Solution Step 1 - create the .gnupg directory First we need to execute gpg to create the directory ~/.</description></item><item><title>RWX-Silver</title><link>https://dothidden.xyz/ctfs/kalmarctf_2025/rwx-silver/</link><pubDate>Mon, 10 Mar 2025 03:00:19 +0300</pubDate><guid>https://dothidden.xyz/ctfs/kalmarctf_2025/rwx-silver/</guid><description>Challenge Description We give you file read, file write and code execution. But can you get the flag? Apparently that was too much!
Intuition The challenge is similar to RWX-Bronze, but now the length of the command is 5 characters. I used the same idea, but wrote the script into the home directory.
Solution Write the script:
POST /write?filename=/home/user/a HTTP/2 #!/bin/sh /would you be so kind to provide me with a flag Execute the command: .</description></item><item><title>RWX-Bronze</title><link>https://dothidden.xyz/ctfs/kalmarctf_2025/rwx-bronze/</link><pubDate>Mon, 10 Mar 2025 02:48:43 +0300</pubDate><guid>https://dothidden.xyz/ctfs/kalmarctf_2025/rwx-bronze/</guid><description>Challenge Description We give you file read, file write and code execution. But can you get the flag? Let&amp;rsquo;s start out gently.
NOTE: If you get a 404 error, try using one of the endpoints described in the handout!
Intuition The challenge lets us execute commands of length 7, so we cannot execute /would with the necessary argument. My first attempt was to create a script file and run it with a command.</description></item><item><title>SecurityInFront</title><link>https://dothidden.xyz/ctfs/htb_university_2024/securityinfront/</link><pubDate>Fri, 28 Feb 2025 12:33:22 +0200</pubDate><guid>https://dothidden.xyz/ctfs/htb_university_2024/securityinfront/</guid><description>Intuition We are given a single index.html file. Opening it we are greeted with a login page.
Viewing the page source, we see a very interesting Javascript function, checkCredentials(). It seems to be obfuscated, so we can run it through a deobfuscator.
async function checkCredentials() { var t = document.getElementById(&amp;#39;access-user&amp;#39;).value, r = document.getElementById(&amp;#39;access-code&amp;#39;).value c1 = &amp;#39;NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm&amp;#39; c2 = &amp;#39;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz&amp;#39; n1 = [5, 6, 7, 8, 9, 0, 1, 2, 3, 4] n2 = &amp;#39;0123456789&amp;#39; var n = (e, t, r) =&amp;gt; e.</description></item><item><title>Seminar 0x05</title><link>https://dothidden.xyz/events/seminar_0x05/</link><pubDate>Wed, 26 Feb 2025 18:30:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x05/</guid><description> Title Speaker Place Datetime Slides uefi-rs - The story of a low-level Rust library Gabi Majeri Amf Pompeiu @ FMI 26 Feb 2025 18:30 Link What is Remote Attestation? An introduction Honesty Amf Pompeiu @ FMI 26 Feb 2025 18:30 Link</description></item><item><title>Seminar 0x04</title><link>https://dothidden.xyz/events/seminar_0x04/</link><pubDate>Wed, 29 Jan 2025 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x04/</guid><description> Title Speaker Place Datetime Slides The modern boot process zenbassi Amf Pompeiu @ FMI 29 Jan 2025 18:00 N/A EXAPUNKS overview sunbather Amf Pompeiu @ FMI 29 Jan 2025 18:00 N/A</description></item><item><title>MuTLock</title><link>https://dothidden.xyz/ctfs/htb_university_2024/mutlock/</link><pubDate>Sun, 22 Dec 2024 12:53:45 +0200</pubDate><guid>https://dothidden.xyz/ctfs/htb_university_2024/mutlock/</guid><description>Challenge Description The Frontier Board encrypts their secrets using a system tied to the ever-shifting cosmic cycles, woven with patterns that seem random to the untrained eye. To outwit their defenses, you&amp;rsquo;ll need to decipher the hidden rhythm of time and unlock the truth buried in their encoded transmissions. Can you crack the code and unveil their schemes?
We are given the Python source code for a custom cipher used to encode the secret flag, as well as an output.</description></item><item><title>Seminar 0x03 (Lightning Talks)</title><link>https://dothidden.xyz/events/seminar_0x03_lightning_talks/</link><pubDate>Wed, 18 Dec 2024 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x03_lightning_talks/</guid><description> Title Speaker Place Datetime Slides DNS Tunneling h3pha Amf Pompeiu @ FMI 18 Dec 2024 18:00 Link ROP Techniques sunbather Amf Pompeiu @ FMI 18 Dec 2024 18:00 Link OpenWRT &amp;amp; PostmarketOS MettleSphee Amf Pompeiu @ FMI 18 Dec 2024 18:00 Link Function Hooking zenbassi Amf Pompeiu @ FMI 18 Dec 2024 18:00 Link Binary Patching PineBel Amf Pompeiu @ FMI 18 Dec 2024 18:00 Link How I lost all my data Mircea Amf Pompeiu @ FMI 18 Dec 2024 18:00 Link Ping Pong Tracker Sebi Amf Pompeiu @ FMI 18 Dec 2024 18:00 Link</description></item><item><title>Seminar 0x02</title><link>https://dothidden.xyz/events/seminar_0x02/</link><pubDate>Wed, 27 Nov 2024 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x02/</guid><description> Title Speaker Place Datetime Slides Reverse Engineering Obfuscated Applications with Symbolic Execution zenbassi Amf Pompeiu @ FMI 27 Nov 2024 18:00 N/A</description></item><item><title>The Thirty-Twodle Challenge</title><link>https://dothidden.xyz/ctfs/hackthevote_2024/the-thirty-twodle-challenge/</link><pubDate>Wed, 06 Nov 2024 22:20:02 +0300</pubDate><guid>https://dothidden.xyz/ctfs/hackthevote_2024/the-thirty-twodle-challenge/</guid><description>Challenge Description We found the source of our opponent&amp;rsquo;s fake news generator, but our crack team of interns got side tracked playing the -dles! Can you crack this disinformation machine and help us predict their each and every future story?
Intuition This write-up is going to be less of a technical one because I (MettleSphee) took a weird approach: I like thinking about how games would work technically by looking at how they behave.</description></item><item><title>Seminar 0x01</title><link>https://dothidden.xyz/events/seminar_0x01/</link><pubDate>Wed, 30 Oct 2024 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/seminar_0x01/</guid><description> Title Speaker Place Datetime Slides Intel CET Overview and Exploit Techniques sunbather Amf Pompeiu @ FMI 30 Oct 2024 18:00 Link</description></item><item><title>OSCTF LAN Party</title><link>https://dothidden.xyz/events/osctf_lan_party/</link><pubDate>Sat, 13 Jul 2024 10:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/osctf_lan_party/</guid><description>Date &amp;amp; Time: 10:00, 13 Jul 2024 Location: Google Room @ FMI
Join us to play OSCTF. We’ll be waiting for you at the University of Bucharest. We’ll play until 19:30 and then share solutions for the challenges.
We welcome and encourage any beginner to join us. There are a lot of confirmed people coming that are very new to it.
We’d appreciate a DM or email if you wish to come.</description></item><item><title>bbsqli</title><link>https://dothidden.xyz/ctfs/l3akctf_2024/bbsqli/</link><pubDate>Mon, 27 May 2024 14:51:02 +0300</pubDate><guid>https://dothidden.xyz/ctfs/l3akctf_2024/bbsqli/</guid><description>Challenge Description SO Classic !
Intuition Automated tools like sqlmap or bruteforcing are not allowed for this challenge.
This challenge involves a Flask application where the login function does not use a prepared statement but a raw query, vulnerable to SQL injection. For now, this looks like an easy SQL injection challenge, but the twist is this code section:
if user and user[&amp;#39;username&amp;#39;] == username and user[&amp;#39;password&amp;#39;] == hash_password(password): session[&amp;#39;username&amp;#39;] = user[&amp;#39;username&amp;#39;] session[&amp;#39;email&amp;#39;] = user[&amp;#39;email&amp;#39;] return redirect(url_for(&amp;#39;dashboard&amp;#39;)) Where it checks if the username of the user found is the same as the username we submitted in the form, so if we just send the payload as username value, it will not match.</description></item><item><title>simple calculator</title><link>https://dothidden.xyz/ctfs/l3akctf_2024/simple_calculator/</link><pubDate>Mon, 27 May 2024 14:51:02 +0300</pubDate><guid>https://dothidden.xyz/ctfs/l3akctf_2024/simple_calculator/</guid><description>Challenge Description Unveil PHP Secrets.
Intuition The challenge involves a PHP script that evaluates mathematical expressions from a URL parameter. The script has input validation using a regex to prevent the use of alphabetic characters and quotes. By leveraging PHP&amp;rsquo;s handling of heredoc syntax and octal encoding, we can craft an input that bypasses these restrictions and executes the desired command to retrieve the flag.
Solution Octal characters
If a string is enclosed in double quotes (or heredocs), PHP will interpret octal characters as regular characters.</description></item><item><title>yet another guessing game</title><link>https://dothidden.xyz/ctfs/openecsc_2nd_round_2024/yet_another_guessing_game/</link><pubDate>Fri, 10 May 2024 16:37:39 +0300</pubDate><guid>https://dothidden.xyz/ctfs/openecsc_2nd_round_2024/yet_another_guessing_game/</guid><description>Challenge Description The title says it all. Guess the secret!
nc yetanotherguessinggame.challs.open.ecsc2024.it 38010
Intuition We&amp;rsquo;re dealing with a very simple binary with all protections enabled:
RELRO STACK CANARY NX PIE Full RELRO Canary found NX enabled PIE enabled Reversing it doesn&amp;rsquo;t take too long. It first opens /dev/urandom and reads 16 bytes of random data into a buffer. After that it runs a multi-step loop. Inside the loop, the player is asked to guess the random value, and the input is checked against the random value with memcmp.</description></item><item><title>fpfc</title><link>https://dothidden.xyz/ctfs/openecsc_2nd_round_2024/fpfc/</link><pubDate>Thu, 09 May 2024 13:40:50 +0300</pubDate><guid>https://dothidden.xyz/ctfs/openecsc_2nd_round_2024/fpfc/</guid><description>Challenge Description Behold the newest technology! Our floating point flag checker will surely block all hackers from discovering our flags!
&amp;lt; this is a remote challenge &amp;gt;
Intuition This was such a fun challenge and rather difficult in my opinion. Coming from anti-rev, I tried to angr1 my way through this challenge as well. At the time, I didn&amp;rsquo;t have too much experience with it, so it took me a while to realize that this approach was not really feasible.</description></item><item><title>woauth a laundry</title><link>https://dothidden.xyz/ctfs/openecsc_2nd_round_2024/woauth_a_laundry/</link><pubDate>Thu, 09 May 2024 13:39:57 +0300</pubDate><guid>https://dothidden.xyz/ctfs/openecsc_2nd_round_2024/woauth_a_laundry/</guid><description>Challenge Description Welcome to our innovative business, the only ONE Laundry capable of completely sanitize your clothing by removing 100% of bacteria and viruses.
Flag is in /flag.txt.
Site: http://woauthalaundry.challs.open.ecsc2024.it
Intuition I&amp;rsquo;m not good with web challenges, so I was very proud when I solved this challenge, even though it was one of the most solved.
After logging in, I inspected the session storage. There, I immediately noticed an admin entry with the value 0.</description></item><item><title>flavors</title><link>https://dothidden.xyz/ctfs/umdctf_2024/flavors/</link><pubDate>Wed, 08 May 2024 12:53:05 +0300</pubDate><guid>https://dothidden.xyz/ctfs/umdctf_2024/flavors/</guid><description>Challenge Description ah, elixirs, the sweet liquid flavor that brings a little spice to my life
desired output is AD38A5970B000E1500041F0B00011617AA85109204082D1485040326051D13012716BF081189AB990E2D0F182CA824
Intuition I&amp;rsquo;m writing this writeup about two weeks after the CTF. Mostly because I was very lazy. As such, you kind reader will have to excuse a few missing details. Now let&amp;rsquo;s start!
What we&amp;rsquo;re dealing with is an erlang byte-code (.beam) file, compiled from Elixir code.
Similar to other languages, the Elixir dev kit comes with an interactive shell called iex.</description></item><item><title>image abomination</title><link>https://dothidden.xyz/ctfs/umdctf_2024/image_abomination/</link><pubDate>Sun, 28 Apr 2024 23:58:34 +0300</pubDate><guid>https://dothidden.xyz/ctfs/umdctf_2024/image_abomination/</guid><description>Challenge Description paul gave his mentat an encrypted thirst trap jpeg bitstream. the mentat was supposed to decrypt and give to chani, but he must&amp;rsquo;ve corrupted it along the way. can you help chani thirst over paul?
Intuition We get a flag.jpg. It&amp;rsquo;s corrupted. Usually you can trivially fix the issues by checking the jpeg format, maybe with help from corkami. This time the issue seems a bit more complicated.</description></item><item><title>mentat-question</title><link>https://dothidden.xyz/ctfs/umdctf_2024/mentat-question/</link><pubDate>Sun, 28 Apr 2024 23:58:34 +0300</pubDate><guid>https://dothidden.xyz/ctfs/umdctf_2024/mentat-question/</guid><description>Challenge Description Thufir Hawat is ready to answer any and all questions you have. Unless it&amp;rsquo;s not about division&amp;hellip;
Intuition For this challenge, we receive the source code. I will be attaching it below, in a code box. We can notice multiple interesting things:
We have a win function (secret). We have a buffer overflow when gets(buf) is called in calculate. We have a format string vulnerability when printf(buf) is called in calculate.</description></item><item><title>the_spice</title><link>https://dothidden.xyz/ctfs/umdctf_2024/the_spice/</link><pubDate>Sun, 28 Apr 2024 23:58:34 +0300</pubDate><guid>https://dothidden.xyz/ctfs/umdctf_2024/the_spice/</guid><description>Challenge Description House Harkonnen&amp;rsquo;s spice harvesters keep getting overrun by Atreides pwners. Help keep their riches secure using exotic techniques.
Intuition For this challenge, we receive the source code. I will be attaching it below, in a code box. We can notice multiple interesting things:
The prompt is printed with inline assembly, with a syscall (we could use it in ROP). There is a buffer overflow when inputting the buyer&amp;rsquo;s name (but we have stack canaries enabled).</description></item><item><title>typecheck</title><link>https://dothidden.xyz/ctfs/umdctf_2024/typecheck/</link><pubDate>Sun, 28 Apr 2024 23:58:34 +0300</pubDate><guid>https://dothidden.xyz/ctfs/umdctf_2024/typecheck/</guid><description>Challenge Description My C++ code won&amp;rsquo;t type check. Can you fix that for me?
Note: you will need to set -ftemplate-depth=10000 when compiling.
Intuition So uh&amp;hellip; apparently C++ templates are Turing complete? Yeah, this challenge implements a VM in C++ templates. Oh boy&amp;hellip;
Of course, who&amp;rsquo;d wanna reverse a VM written in TEMPLATES? Nobody, that&amp;rsquo;s who. So my initial reaction is to try to reverse the program without reversing the templates.</description></item><item><title>ready-aim-fire</title><link>https://dothidden.xyz/ctfs/umdctf_2024/ready_aim_fire/</link><pubDate>Fri, 26 Apr 2024 14:23:28 +0300</pubDate><guid>https://dothidden.xyz/ctfs/umdctf_2024/ready_aim_fire/</guid><description>Challenge Description Firing your weapon when the spice harvester&amp;rsquo;s shields are down requires exceptional timing.
Intuition This was a fun challenge which I solved in an unintended way, I will also present the intended solution because it&amp;rsquo;s very interesting. We get the source code (and binary) for this challenge and we can see that we have a BOF in the fire method from the Cannon object and we also have a stack leak.</description></item><item><title>The-voice</title><link>https://dothidden.xyz/ctfs/umdctf_2024/the_voice/</link><pubDate>Fri, 26 Apr 2024 14:23:28 +0300</pubDate><guid>https://dothidden.xyz/ctfs/umdctf_2024/the_voice/</guid><description>Challenge Description Firing your weapon when the spice harvester&amp;rsquo;s shields are down requires exceptional timing.
Intuition This was an easy pwn challenge. We get the source code but it doesn&amp;rsquo;t hint anything besides an obvious BOF and a give_flag() function. Sadly we have a canary so we are a bit stuck&amp;hellip;
If we open the binary in Ghidra we can see that we can actually write over the canary from the stack the value 10191.</description></item><item><title>.hidden days 2024</title><link>https://dothidden.xyz/events/dothidden_days_2024/</link><pubDate>Tue, 23 Apr 2024 18:00:00 +0200</pubDate><guid>https://dothidden.xyz/events/dothidden_days_2024/</guid><description>For our 1 year anniversary we’re hosting a collection of presentations and workshops. We’re calling this event .hidden days. We invite you to join us, in the Faculty of Mathematics and Informatics. The table below will be updated with the schedule for each presentation as we get approval for them.
If you want specific information on a particular presentation or workshop, or if you’re interested in joining us, please contact us directly.</description></item><item><title>Tcache</title><link>https://dothidden.xyz/ctfs/umdctf_2024/tcache/</link><pubDate>Wed, 17 Apr 2024 14:23:28 +0300</pubDate><guid>https://dothidden.xyz/ctfs/umdctf_2024/tcache/</guid><description>Tcache Tcache (per-thread cache) was added in glibc 2.26 to make heap allocation more efficient by allowing each thread to have its own tcache.
Important things to know:
Each thread has 64 singly-linked tcache bins (TCACHE_MAX_BINS). Each bin has a maximum of 7 chunks of the same size. A bin can have chunks ranging from 24 to 1032 bytes (on a 64-bit system). Each bin only has an fd pointer.</description></item><item><title>wicked-firmware</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/wicked-firmware/</link><pubDate>Sun, 14 Apr 2024 23:10:18 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/wicked-firmware/</guid><description>Challenge Description We need some info that is found inside this firmware.
Solution We extract the filesystem of the firmware with binwalk. The flag is comprised of information such as the u-boot version, the extra entry in the hosts file and the admin line from the passwd file.
$ binwalk -e firmware.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 22372 0x5764 U-Boot version string, &amp;#34;U-Boot 1.1.4-g4df6eb16-dirty (Nov 30 2018 - 12:33:02)&amp;#34; ^ this one .</description></item><item><title>krotate</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/krotate/</link><pubDate>Sun, 14 Apr 2024 22:43:54 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/krotate/</guid><description>Challenge Description We managed to intercept communication with a critical mission. We can&amp;rsquo;t decipher it but managed to break into the system and recover what looks like part of the communication and an algorithm for it.
Can you get the full message?
Intuition Analysing the encryption algorithm enables us to make a few interesting and useful observations. Firstly, the cipher-text is obtained by splitting the clear-text into blocks, xoring each block with a key and then joining the xored blocks together.</description></item><item><title>secure-communications</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/secure-communications/</link><pubDate>Sun, 14 Apr 2024 22:17:52 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/secure-communications/</guid><description>Challenge Description We captured some pretty bizarre looking communications, but part of them are encrypted.
Can you help?
Flag Format: CTF{sha256}
Intuition We opened the .pcapng file in Wireshark. Inspecting the packet&amp;rsquo;s hierarchy, we see some packets sent over websocket. Sorting by size we find a TLS Secrets Log File. This can be used to decrypt the communications and find the flag.
Solution The payload of the top 2 packets by size contains the TLS Secrets Log File 1.</description></item><item><title>sat1sf1</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/sat1sf1/</link><pubDate>Sun, 14 Apr 2024 21:39:26 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/sat1sf1/</guid><description>Challenge Description Made my own hashing function sah652.
Here the super-secure hash of my secret: 2033251f4b3161e4455a4c261e3f631e18653c3a6c136e30304037373e6e1f6c6f6448673e686b1e18603d10306d323f3a4b626eee636c3c3c62483592123e6d6c6c3a49ca
Feeling generous to share some hints about my secret that you definitely will not able to recover:
Text length: 69 characters
Flag regex: CTF{[a-f0-9]{64}}
Flag contains somewhere the text: beebeef
Intuition Analysing the implementation we deduce that each byte of the hash is obtained by xoring together some of the bytes which make up the original flag, and potentially some other known values.</description></item><item><title>Wicked-Monitoring</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/wicked-monitoring/</link><pubDate>Sun, 07 Apr 2024 18:00:08 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/wicked-monitoring/</guid><description>Challenge Description Some weird events happened during this week. Please check and provide the necessary info.
Intuition The challenge provides a .evtx file, which is a Windows Event Log file. Therefore, I will use the Windows Event Viewer to analyze the logs. Hopefully the logs are not too big, so I can easily find suspicious events by scrolling down.
Question 1 Identify the compromised account
Solution 1 I found the following log which uses Putty and SSH and it makes weird commands:</description></item><item><title>harder-assembly</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/harder-assembly/</link><pubDate>Sun, 07 Apr 2024 14:23:28 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/harder-assembly/</guid><description>Challenge Description I want the shell, but they want me to work for it, this time even harder :(
Intuition We receive a binary that essentially takes 15 bytes as input, checks if it contains the byte sequence 0x0f05 and then executes the input as shellcode. The sequence 0x0f05 corresponds to syscall. Therefore, we can assume we have 15 bytes to get a shell, but we have to not use syscall as part of our shellcode.</description></item><item><title>heeaap</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/heeaap/</link><pubDate>Sun, 07 Apr 2024 14:23:28 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/heeaap/</guid><description>Challenge Description Since strground was &amp;ldquo;too hard&amp;rdquo;&amp;hellip;
Intuition We get a classic, easy heap challenge, with a UAF bug. Two different kinds of structures are allocated on the heap, one of 64 bytes and one of 72. From each of them, we control the first 52 and 60 bytes respectively. At the end of each, a function pointer for a print function is assigned. We also have a win function in the binary, that simply calls system(&amp;quot;/bin/sh&amp;quot;).</description></item><item><title>not-allowed</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/not-allowed/</link><pubDate>Sun, 07 Apr 2024 14:23:28 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/not-allowed/</guid><description>Challenge Description Silence speaks louder than words.
Intuition We receive a simple binary with two functions: main and wish. The main function sets up stream buffering with setvbufs and then does a call to fgets that is obviously overflowing the destination buffer.
void main(void) { char local_28 [32]; setup(stdin,0,2,0); setup(stdout,0,2,0); setup(stderr,0,2,0); fgets(local_28,600,stdin); return; } Since the stack is NX, our remaining option is to ROP. Sadly we don&amp;rsquo;t have a lot of gadgets, but we do notice a few important ones when dumping with ROPgadget:</description></item><item><title>xfit</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/xfit/</link><pubDate>Sun, 07 Apr 2024 14:23:28 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/xfit/</guid><description>DISCLAIMER This challenge was not solved during the competition, but we were really close to the solution and spent a lot of time on it. We decided to write a writeup to describe our approach and the solution we found after the competition.
Challenge Description Picture this: within the vast expanse of the digital realm, lies a crucial secret vault—a clandestine cache known as cookies. But beware, for these digital treasures are not scattered haphazardly.</description></item><item><title>threat-monitoring</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/threat-monitoring/</link><pubDate>Sun, 07 Apr 2024 14:23:05 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/threat-monitoring/</guid><description>Challenge Description You never thought that this thing was possible, but this morning you have received a request to investigate some malicious events from 2013. What happened more than 10 years ago?
Intuition This is a Kibana search challenge where I have to find different information. Let&amp;rsquo;s open it and first let&amp;rsquo;s filter the logs by adjusting the time range to 2013.
Question 1 Provide the name of the compromised domain</description></item><item><title>just-an-upload</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/just-an-upload/</link><pubDate>Sun, 07 Apr 2024 14:22:29 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/just-an-upload/</guid><description>Challenge Description Our team captured this traffic. Can you find what&amp;rsquo;s in there ?
Intuition We got a pcap file, let&amp;rsquo;s open it with Wireshark and see what&amp;rsquo;s inside. The capture contains a lot of traffic and different protocols. Therefore, let&amp;rsquo;s filter the traffic by protocol. As we can notice below, it seems someone uploaded a zip file under HTTP which is not encrypted. Furthermore, the call is made from /upload.</description></item><item><title>sums-up</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/sums-up/</link><pubDate>Sun, 07 Apr 2024 14:22:19 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/sums-up/</guid><description>Challenge Description Our SOC analysts saw some strange DNS traffic. Wanted you to figure out what was exfiltrated, can you check it and sum it up ?
Intuition Since it is a .pcap, let&amp;rsquo;s open it using Wireshark, and we notice a lot of DNS requests to different websites. I am used to this kind of challenge and I started to scroll down to search for some patterns since the capture is small.</description></item><item><title>finding-god</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/finding-god/</link><pubDate>Sun, 07 Apr 2024 13:45:05 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/finding-god/</guid><description>Challenge Description Find the name of a place of worship located in Italy, beside water and close to hospital, park and a railroad. We checked on OSM, and there is only one.
Flag format is CTF{sha256(Location Name)}.
EX: CTF{sha256(&amp;ldquo;Parrocchia S. Teresa di Gesù Bambino&amp;rdquo;)}
Intuition Since the challenge mentioned OSM (OpenStreetMap), we knew we had to use OSM queries to find the location. Therefore, our first choice went to overpass-turbo and we started building queries to find the location.</description></item><item><title>profile-pic</title><link>https://dothidden.xyz/ctfs/unbreakable_2024/profile-pic/</link><pubDate>Sun, 07 Apr 2024 12:50:30 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2024/profile-pic/</guid><description>Challenge Description Can you change my profile picture in a hacker way?
Flag format: ctf{sha256sum}
Intuition The website is very simple with an upload feature. It means the attack vector is certainly a file upload vulnerability. The server is PHP because I can add index.php at the end of the home page. We first thought about injecting php code, but we finally looked at XXE upload chaining with the upload feature.</description></item><item><title>52-card-monty</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/52-card-monty/</link><pubDate>Sun, 25 Feb 2024 20:00:00 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/52-card-monty/</guid><description>Challenge Description: 3-card monty was too easy for me so I made 52-card monty! Can you show me the lady?
Intuition We are given an ELF 64-bit binary with the following protections:
└─$ checksec --file=monty RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH 82 Symbols No 0 2 monty We can see that it has all the protections, after opening it in Ghidra we can see that there is also a win() function that prints the flag, so it&amp;rsquo;s a ret2win challenge.</description></item><item><title>aplet123</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/aplet123/</link><pubDate>Sun, 25 Feb 2024 20:00:00 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/aplet123/</guid><description>Challenge Description: bliutech: Can we get ApletGPT? me: No we have ApletGPT at home. ApletGPT at home:
Intuition We are given an ELF 64-bit binary with the following protections:
$ checksec --file=aplet123 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH 49 Symbols No 0 3 aplet123 We can see that it has canary and No PIE, after opening it in Ghidra we can see that we have three options from which we can choose, the only one that actually leaks something is the first option which can be entered if our input has &amp;lsquo;i&amp;rsquo;m&amp;rsquo; in it.</description></item><item><title>Pogn</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/pogn/</link><pubDate>Thu, 22 Feb 2024 01:42:10 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/pogn/</guid><description>Challenge Description Pogn in mong.
pogn.chall.lac.tf
Intuition We have a Pong game where one paddle is controlled by the client user and the other by the server script. Naturally, the server paddle always follows the ball with enough speed to never miss it. Looking through the client code, we can see that the entire game is mirrored on it, while the real game state is maintained on the server-side.</description></item><item><title>Sus</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/sus/</link><pubDate>Thu, 22 Feb 2024 01:42:02 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/sus/</guid><description>Challenge Description sus
Intuition The challenge is a simple return to libc with ROP. We need to leak the libc base by printing the puts entry from the GOT and then return to system. Luckily, our input also overflows a variable that gets into RDI before return, which gives us control over what system executes. Running checksec on it shows us there is no PIE, which makes leaking libc through puts even easier.</description></item><item><title>Pizza</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/pizza/</link><pubDate>Thu, 22 Feb 2024 01:41:59 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/pizza/</guid><description>Challenge Description yummy
Intuition We are given an ELF 64-bit binary, with the following protections:
$ checksec pizza LIBC_FILE=/lib/x86_64-linux-gnu/libc.so.6 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 44 Symbols No 0 2 pizza We can see it has partial RELRO and no canary, which suggests buffer overflow and GOT overwrite can be done.</description></item><item><title>Sandbox</title><link>https://dothidden.xyz/ctfs/squarectf_2023/sandbox/</link><pubDate>Mon, 19 Feb 2024 14:54:01 +0200</pubDate><guid>https://dothidden.xyz/ctfs/squarectf_2023/sandbox/</guid><description>Challenge Description I &amp;ldquo;made&amp;rdquo; &amp;ldquo;a&amp;rdquo; &amp;ldquo;python&amp;rdquo; &amp;ldquo;sandbox&amp;rdquo; &amp;quot;&amp;quot;&amp;quot;&amp;quot; nc 184.72.87.9 8008
Intuition It seems the server blacklists the space character, so I am not able to cat flag.txt.
Solution Escape the space character by using the following command:
┌──🮤 HON3YP0T🮥─🮤 192.168.0.234🮥─🮤直 192.168.0.17🮥 ├──🮤 ~🮥 └─ nc 184.72.87.9 8008 [11:51PM ] Hi! Welcome to the kidz corner sandbox! we made it super safe in here - you can execute whatever command you want, but only one word at a time so you can&amp;#39;t do anything too dangerous, like steal our flags!</description></item><item><title>Penguin-Login</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/penguin-login/</link><pubDate>Sun, 18 Feb 2024 20:05:34 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/penguin-login/</guid><description>Challenge Description I got tired of people leaking my password from the db so I moved it out of the db. penguin.chall.lac.tf
Intuition The website is really basic, it only does one request which is vulnerable to SQL injections.
Solution By looking in the source code, I notice that the original query is &amp;quot;SELECT * FROM penguins WHERE name = '%s'&amp;quot; but the tricky part is that a whitelist of characters is used to filter the input.</description></item><item><title>New-Housing-Portal</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/new-housing-portal/</link><pubDate>Sun, 18 Feb 2024 20:05:23 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/new-housing-portal/</guid><description>Challenge Description After that old portal, we decided to make a new one that is ultra secure and not based off any real housing sites. Can you make Samy tell you his deepest darkest secret?
Intuition When I register to the website I can exploit an XSS vulnerability on my username. In order to get the flag I need to get an invitation from the admin. In order to force the admin to send me an invitation I probably have to use an SSRF vulnerability to make him use the invitation request API.</description></item><item><title>La-Housing-Portal</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/la-housing-portal/</link><pubDate>Sun, 18 Feb 2024 20:05:09 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/la-housing-portal/</guid><description>Challenge Description Portal Tips Double Dashes (&amp;quot;&amp;ndash;&amp;quot;) Please do not use double dashes in any text boxes you complete or emails you send through the portal. The portal will generate an error when it encounters an attempt to insert double dashes into the database that stores information from the portal.
Also, apologies for the very basic styling. Our unpaid LA Housing(tm) RA who we voluntold to do the website that we gave FREE HOUSING for decided to quit - we&amp;rsquo;ve charged them a fee for leaving, but we are stuck with this website.</description></item><item><title>Flaglang</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/flaglang/</link><pubDate>Sun, 18 Feb 2024 20:04:40 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/flaglang/</guid><description>Challenge Description Do you speak the language of the flags?
Intuition The website has two dropdowns where I can choose two countries and see how they say &amp;ldquo;Hello world&amp;rdquo;. But, in the list there is also another country, Flagistan. If I try to select it, the website returns an error. To sum up, I need access to the Flagistan language.
Solution The solution is really simple, I can just capture the request using Burp and I notice that a cookie is set by using the ISO code of the country.</description></item><item><title>Shattered-Memories</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/shattered-memories/</link><pubDate>Sun, 18 Feb 2024 20:04:26 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/shattered-memories/</guid><description>Challenge Description I swear I knew what the flag was, but I can&amp;rsquo;t seem to remember it anymore&amp;hellip; can you dig it out from my inner psyche?
Intuition Let&amp;rsquo;s first open the program using Ghidra and see what we can find.
It seems the flag is split into different parts on the stack.
Solution We can start looking at the first offset local_98 which is the lactf{no string in the Ghidra representation, where this input is used in the strncmp function.</description></item><item><title>OneByOne</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/onebyone/</link><pubDate>Sun, 18 Feb 2024 20:03:57 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/onebyone/</guid><description>Challenge Description One&amp;hellip;.. by&amp;hellip;&amp;hellip;&amp;hellip;. one&amp;hellip;&amp;hellip;&amp;hellip;&amp;hellip;&amp;hellip; whew I&amp;rsquo;m tired, this form is waaaaaaay too long.
Note: the flag does have random characters at the end - that is intentional.
Intuition I may have to use the same technique as in the Infinite loop challenge, so let&amp;rsquo;s look at the source code.
Solution In the script tag, we see a huge list of characters that we can choose from the select. I quickly noticed a weird pattern where all characters have the same number except one per list.</description></item><item><title>Closed</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/closed/</link><pubDate>Sun, 18 Feb 2024 20:03:33 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/closed/</guid><description>Challenge Description Over spring break, my friend sent me this picture of a place they went to, and said it was their favorite plate to visit but it closed :(.
Where is this rock?
Answer using the coordinates of the bottom left corner of the rock, rounded to the nearest thousandth. If the coordinates were the physical location of the bruin bear statue, the flag would be lactf{34.071,-118.445}. Note that there is no space in the flag.</description></item><item><title>InfniteLoop</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/infiniteloop/</link><pubDate>Sun, 18 Feb 2024 20:03:20 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/infiniteloop/</guid><description>Challenge Description I found this google form but I keep getting stuck in a loop! Can you leak to me the contents of form and the message at the end so I can get credit in my class for submitting? Thank you!
Intuition If I submit the form, I keep having to fill it out again. So maybe I can find something in the source code?
Solution If we look in the source code, in the script tag, we can see that the flag is hidden in two parts.</description></item><item><title>Discord Events</title><link>https://dothidden.xyz/ctfs/la_ctf_2024/discord_events/</link><pubDate>Sun, 18 Feb 2024 12:18:57 +0200</pubDate><guid>https://dothidden.xyz/ctfs/la_ctf_2024/discord_events/</guid><description>Challenge Description I wrote a new script to sync PBR&amp;rsquo;s events to a bunch of places. I even deployed it to the LA CTF server with a flag as an event id!
Note: the event ID is formatted in the normal flag format lactf{&amp;hellip;} - it is not the discord numerical ID.
Intuition The main hint I have here is the name of the challenge itself: Discord Events. I thought the flag was hidden in the discord events of the LA CTF server.</description></item><item><title>Tacocat</title><link>https://dothidden.xyz/ctfs/37c3_potluckctf_2023/tacocat/</link><pubDate>Fri, 05 Jan 2024 22:50:30 +0100</pubDate><guid>https://dothidden.xyz/ctfs/37c3_potluckctf_2023/tacocat/</guid><description>Challenge Description This is an upsolve, so I don&amp;rsquo;t really remember, but it went something like We had no good ideas but we figured a python escape is always welcome.
Intuition The code for the jail is given to us and is very short:
while True: x = input(&amp;#34;palindrome? &amp;#34;) assert &amp;#34;#&amp;#34; not in x, &amp;#34;comments are bad&amp;#34; assert all(ord(i) &amp;lt; 128 for i in x), &amp;#34;ascii only kthx&amp;#34; assert x == x[::-1], &amp;#34;not a palindrome&amp;#34; assert len(x) &amp;lt; 36, &amp;#34;palindromes can&amp;#39;t be more than 35 characters long, this is a well known fact.</description></item><item><title>Apethanto</title><link>https://dothidden.xyz/ctfs/htb_university_2023/apethanto/</link><pubDate>Sun, 10 Dec 2023 14:21:20 +0200</pubDate><guid>https://dothidden.xyz/ctfs/htb_university_2023/apethanto/</guid><description>Intuition We first arrive into a website which seems to be static. But after inspecting the source code we noticed a link to a metabase vhost. After adding the vhost to my /etc/hosts file, I was able to access the metabase instance. After some research, I found out that the metabase instance was vulnerable to CVE-2023-38646, a pre-authentication RCE vulnerability.
Solution In order to exploit the vulnerability I first created an nc server on my machine to be able to RCE and I used the following payload:</description></item><item><title>GateCrash</title><link>https://dothidden.xyz/ctfs/htb_university_2023/gatecrash/</link><pubDate>Sun, 10 Dec 2023 13:37:49 +0200</pubDate><guid>https://dothidden.xyz/ctfs/htb_university_2023/gatecrash/</guid><description>Challenge Description An administrative portal for the campus parking area has been identified, bypassing its authentication and gaining access to the gate control would allow us to unlock it and use staff vehicles for securing the campus premises way faster.
Intuition When inspecting the code I noticed only the User-Agent was white-listed, so I changed it to Mozilla/7.0 because it&amp;rsquo;s one that would pass the check for the &amp;lsquo;browser unsupported error&amp;rsquo;.</description></item><item><title>Flipper</title><link>https://dothidden.xyz/ctfs/glacierctf_2023/flipper/</link><pubDate>Fri, 24 Nov 2023 20:00:00 +0200</pubDate><guid>https://dothidden.xyz/ctfs/glacierctf_2023/flipper/</guid><description>Challenge Description Our OS professor keeps talking about Rowhammer, and how dangerous it is. I don&amp;rsquo;t believe him, so you get 1 bitflip to try and steal the flag from my kernel! Base repo is https://github.com/IAIK/sweb (commit ad1b59a5c2acbd5bff346bdf282a4d5e21bd9cb1)
Intuition We did not manage to solve this during the competition, although I liked it so much that I wanted to do a writeup for it anyway and store it. The solution idea is taken from a writeup shared by another competitor after the CTF.</description></item><item><title>Los-ifier</title><link>https://dothidden.xyz/ctfs/glacierctf_2023/los-ifier/</link><pubDate>Fri, 24 Nov 2023 20:00:00 +0200</pubDate><guid>https://dothidden.xyz/ctfs/glacierctf_2023/los-ifier/</guid><description>Challenge Description: Normal binary for normal people.
Intuition First we run a checksec and a file on the binary and we can see that it&amp;rsquo;s statically linked and that it lacks PIE. When first opening the binary in Ghidra we see a simple main function with nothing special, we can also observe that there is a function named setup() called, let&amp;rsquo;s investigate. When opening the function, there is an interesting call made: register_printf_specifier(0x73,printf_handler,printf_arginfo_size).</description></item><item><title>Memorial Cabbage</title><link>https://dothidden.xyz/ctfs/cakectf_2023/memorial_cabbage/</link><pubDate>Thu, 23 Nov 2023 23:24:31 +0200</pubDate><guid>https://dothidden.xyz/ctfs/cakectf_2023/memorial_cabbage/</guid><description>Challenge Description Author: ptr-yudai Description: Memorial Cabbage Unit 3
Intuition We can see the below source code for the challenge. It creates a temporary directory using the template /tmp/cabbage.XXXXXX and then writes a memo to it (/tmp/cabbage.XXXXXX/memo.txt).
However, what is interesting to notice in the manpage for mkdtemp() is that you&amp;rsquo;re supposed to give a modifiable buffer:
DESCRIPTION The mkdtemp() function generates a uniquely named temporary directory from template.</description></item><item><title>Roplon</title><link>https://dothidden.xyz/ctfs/squarectf_2023/roplon/</link><pubDate>Fri, 17 Nov 2023 20:00:00 +0200</pubDate><guid>https://dothidden.xyz/ctfs/squarectf_2023/roplon/</guid><description>Challenge Description I THINK that buffer is big enough, right?
Solution In the roplon.c file, we observe the invocation of several functions. Notably, two functions stand out: cat_flag, which assigns the command_buf to &amp;ldquo;cat flag.txt,&amp;rdquo; and do_the_thing, which launches a shell with the command provided as an argument. Additionally, the program allows writing to a buffer. The program&amp;rsquo;s vulnerability lies in a buffer of 16 bytes, but the fgets function permits writing up to 9999 bytes.</description></item><item><title>Comments</title><link>https://dothidden.xyz/ctfs/ekoparty_2023/comments/</link><pubDate>Sun, 12 Nov 2023 19:56:46 +0200</pubDate><guid>https://dothidden.xyz/ctfs/ekoparty_2023/comments/</guid><description>Challenge Description You must solve the first challenge to get the answer, all you need is inside the Lobby.
We have access to a GitHub repository with a single README file and a GitHub action workflow.
Intuition Checking the workflow script inside .github/workflows/yearly_review.yml
name: Parse review of teacher on: issues: types: [opened, edited] jobs: parse-review: runs-on: ubuntu-latest steps: - name: Extract Teacher name and review from issue body id: extract-review env: db_pass: ${{ secrets.</description></item><item><title>Fork Knife</title><link>https://dothidden.xyz/ctfs/ekoparty_2023/fork-knife/</link><pubDate>Sun, 12 Nov 2023 19:56:46 +0200</pubDate><guid>https://dothidden.xyz/ctfs/ekoparty_2023/fork-knife/</guid><description>Challenge Description You must solve the second challenge to get the answer, all you need is inside the Lobby.
We have access to a GitHub repository with two files and a GitHub action executed for pull requests.
Intuition All the necessary information should be within this repository. We start by examining the action file at .github/workflows/grade.yml
on: pull_request_target jobs: build: name: Grade the test runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 with: ref: ${{ github.</description></item><item><title>Snowing</title><link>https://dothidden.xyz/ctfs/ekoparty_2023/snowing/</link><pubDate>Sun, 12 Nov 2023 18:54:04 +0200</pubDate><guid>https://dothidden.xyz/ctfs/ekoparty_2023/snowing/</guid><description>Challenge Description So, because we wrote this writeup kinda late, we don&amp;rsquo;t have the original description anymore. But, the original description was heavily hinting that some text is hidden in the Phrack articles hosted on EKONET (which was some online file server you could access through Gopher). This actually is some continuation of the protect.exe challenge. We recommend you take a look at that writeup as well.
Intuition So, since the title of the challenge is Snowing and the tag for it is steganography, it heavily hints at Snow, the program we just showcased in Protect, that hides messages in the whitespaces of text.</description></item><item><title>Protect</title><link>https://dothidden.xyz/ctfs/ekoparty_2023/protect/</link><pubDate>Sun, 12 Nov 2023 18:53:58 +0200</pubDate><guid>https://dothidden.xyz/ctfs/ekoparty_2023/protect/</guid><description>Challenge Description So, because we wrote this writeup kinda late, we don&amp;rsquo;t have the original description anymore. The idea is that some binary on the EKONET (which was some online file server you could access through Gopher) was modified in some way, to be different than its intended, original version. That was what the original description implied.
Intuition There was a binary called protect.exe which fit too well with the name of the challenge.</description></item><item><title>Boze</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/boze/</link><pubDate>Sun, 22 Oct 2023 18:37:18 -0400</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/boze/</guid><description>Challenge Description How smart and capable is the smarty lib?
Intuition This challenge was a PHP RCE jail escape. When you enter the site on the / route you are greeted with the source code of the page. How thoughtful is that :)
Upon inspection we can see that the main page behaves differently if we have a param named content. We see that with this parameter we call the display function unsanitized from the smarty library.</description></item><item><title>Red-Handed</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/red-handed/</link><pubDate>Sun, 22 Oct 2023 15:29:17 -0400</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/red-handed/</guid><description>Challenge Description Someone has connected to my network and it&amp;rsquo;s trying to hack me.
Find the flag. Flag format CTF{sha256}
By far the most fun challenge in the competition. You received a pcap capture and had to go down the rabbit hole.
Intuition Opening the pcap we can observe that the communication is bluetooth. We then kept grinding and understanding the communication protocol and we were able to draw some conclusions.</description></item><item><title>Forty-Nine</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/forty-nine/</link><pubDate>Sun, 22 Oct 2023 14:55:41 -0400</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/forty-nine/</guid><description>Challenge Description We have a random fact generator that might have some problems sanitizing the input. It may not be as simple as 7*7.
Flag format: CTF{sha256}
Intuition Having seen the funny description we know that this is yet another jail escape. Let&amp;rsquo;s look at the main page and see what all the fuss is about.
So we can understand the following: the web page takes our input and that the server is in python.</description></item><item><title>Log-Forensics</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/log-forensics/</link><pubDate>Sun, 22 Oct 2023 20:05:26 +0200</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/log-forensics/</guid><description>Challenge Description We know for sure that an attacker attempted to dump the user&amp;rsquo;s passwords on the targeted system. Using your favourite text editor or Terminal commands please help us find answers to the following questions.
Intuition &amp;amp; Solution We basically just used grep, find and vim to go through logs and terminal command history to find most of the answers. Some of the answers we could figure out just by searching on the internet.</description></item><item><title>Code-Transpiler</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/code-transpiler/</link><pubDate>Sun, 22 Oct 2023 14:04:13 -0400</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/code-transpiler/</guid><description>Challenge Description Bypass the security restriction and get the flag.
Flag format CTF{sha256}.
*This challenge is proudly sponsored by UNbreakable Romania (program with a focus on beginners in cyber security). You might find writeups online but you should act like you don&amp;rsquo;t know that.*
Intuition Once we enter the address we get redirected to /.
What we see from this page after inspecting the network tab is that the server is in werkzeug python.</description></item><item><title>Morse-Music</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/morse-music/</link><pubDate>Sun, 22 Oct 2023 19:46:13 +0200</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/morse-music/</guid><description>Challenge Description You might need to cross listen the message within the morse code.
Intuition Putting the audio through a morse decoder, we got a message saying something along the lines of &amp;ldquo;it&amp;rsquo;s not about the morse code&amp;rdquo; and also a password. We opened the audio in Audacity and looking at the histogram we saw a QR-code.
Solution Scanning the QR-code led to a string. We base64-decoded it which led to some binary data.</description></item><item><title>Circle</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/circle/</link><pubDate>Sun, 22 Oct 2023 18:52:45 +0200</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/circle/</guid><description>Challenge Description Can you make it a line?
Intuition We got a gen executable and a flagenc.txt file, intuitively we deal with an encryption algorithm. After opening the executable in ghidra we figure that there are two input strings (let&amp;rsquo;s call them a and b) and only one of them is relevant. All relevant operations were related to a for loop reconstructed below. In the end the encrypted flag was printed (the content of flagenc.</description></item><item><title>Nsort</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/nsort/</link><pubDate>Sun, 22 Oct 2023 16:00:34 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/nsort/</guid><description>Challenge Description Can you escape the sandbox? Do you have all the needed info?
Intuition The vulnerability was an RCE given through the use of eval in a PHP web page. It was an RCE vulnerability written in the style of a web injection. There was a hidden parameter when doing a get request on the index.html page. If we had that param the page executed an eval on a formatted string that, we guessed, was of this format eval(“somePHPSortingFunction($_GET[‘poc’])”).</description></item><item><title>Combination</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/combination/</link><pubDate>Sun, 22 Oct 2023 15:53:57 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/combination/</guid><description>Challenge Description There are not that many combinations one can do here.
NOTE: The format of the flag is CTF{}, for example: CTF{foobar}. The flag must be submitted in full, including the CTF and curly bracket parts.
Intuition The binary “combined” stores a big array of 4 byte strings each representing a hex number such as “0x32”. This array is used to validate the user input by comparing each character of the input to an entry in the array with an increment of nine.</description></item><item><title>Awesomeone</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/awesomeone/</link><pubDate>Sun, 22 Oct 2023 15:39:52 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/awesomeone/</guid><description>Challenge Description One would simply want to be with the rest.
NOTE: The format of the flag is CTF{}, for example: CTF{foobar}. The flag must be submitted in full, including the CTF and curly bracket parts.
Intuition Decompiling the agoodone binary leads to the check_password function which uses the length of the encrypted flag in an XOR operation together with the user input. The flag is encrypted but the length is constant allowing us to craft an input that can pass this check.</description></item><item><title>Soc-Is-Mandatory</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/soc-is-mandatory/</link><pubDate>Sun, 22 Oct 2023 14:06:48 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/soc-is-mandatory/</guid><description>Challenge Description You are part of a cybersecurity team working in a state-of-the-art Security Operations Center (SOC). Your SOC has been tasked with monitoring a critical infrastructure network that includes various servers, databases, and communication channels. As a SOC analyst, it&amp;rsquo;s your duty to keep this infrastructure secure and ensure that it remains operational.
Early this morning, your team received alerts from the intrusion detection system (IDS) indicating suspicious network activities.</description></item><item><title>4aes</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/4aes/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/4aes/</guid><description>Challenge Description Chall:
k1 = random1 + b&amp;#34;A&amp;#34;*29 k2 = random2 + b&amp;#34;A&amp;#34;*29 plain = b&amp;#39;This is a non-secret message....&amp;#39; cipher = AES(k1,AES(k2,plain)) # ECB mode print(plain,&amp;#39;\n&amp;#39;,cipher) &amp;gt; b&amp;#39;7\xcf7\xce\xa6 \xbe\t\xba\x03\xe4\xac\x9e\x86\x85\xf5YZYa_7\xae\xa1\xe6\xc1\xd1\xad\xfb\x9c\x99s&amp;#39; Flag:
sha256 = hashlib.sha256(k1+k2).hexdigest() print(&amp;#34;CTF{&amp;#34;+sha256+&amp;#34;}&amp;#34;) Intuition We can use a meet-in-the-middle technique to bruteforce the missing bytes.
Solution Simple bruteforce script:
#!/usr/bin/env python3 from Crypto.Cipher import AES import hashlib from threading import Thread ct = b&amp;#39;7\xcf7\xce\xa6 \xbe\t\xba\x03\xe4\xac\x9e\x86\x85\xf5YZYa_7\xae\xa1\xe6\xc1\xd1\xad\xfb\x9c\x99s&amp;#39; plain = b&amp;#39;This is a non-secret message.</description></item><item><title>baby-bof</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/baby-bof/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/baby-bof/</guid><description>Challenge Description This is a basic buffer overflow.
Flag format: CTF{sha256}
Intuition By decompiling we see an obvious buffer overflow and a flag function that we can jump to.
void flag(void) { char local_98 [136]; FILE *local_10; local_10 = fopen(&amp;#34;flag.txt&amp;#34;,&amp;#34;r&amp;#34;); if (local_10 == (FILE *)0x0) { puts(&amp;#34;Well done!! Now use exploit remote! &amp;#34;); /* WARNING: Subroutine does not return */ exit(0); } fgets(local_98,0x80,local_10); printf(local_98); return; } /* Called by the main function */ void vuln(void) { char local_138 [304]; gets(local_138); return; } PIE is not enabled so we can just hardcode the addresses in an echo.</description></item><item><title>bistro</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/bistro/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/bistro/</guid><description>Challenge Description Maybe you can get a free menu!!
Flag format: CTF{sha256}
Intuition Checksec the binary to see what we have.
$ checksec restaurant LIBC_FILE=/lib/x86_64-linux-gnu/libc.so.6 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 70 Symbols No 0 2 restaurant Partial RELRO and no PIE. Great! Let&amp;rsquo;s decompile:
undefined8 custom(void) { char local_78 [112]; printf(&amp;#34;Choose what you want to eat:&amp;#34;); gets(local_78); gets(local_78); return 0; } undefined8 main(EVP_PKEY_CTX *param_1) { int local_c; init(param_1); puts(&amp;#34;==============================&amp;#34;); puts(&amp;#34; MENU &amp;#34;); puts(&amp;#34;==============================&amp;#34;); puts(&amp;#34;1.</description></item><item><title>bistro-v2</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/bistro-v2/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/bistro-v2/</guid><description>Challenge Description Maybe you can get a free menu!!
Flag format: CTF{sha256}
Intuition Checksec the binary to see what we have.
$ checksec restaurant-v2 LIBC_FILE=/lib/x86_64-linux-gnu/libc.so.6 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 82 Symbols No 0 4 restaurant-v2 It&amp;rsquo;s the same binary as in bistro, but with an added function that checks a &amp;ldquo;code&amp;rdquo;.</description></item><item><title>book</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/book/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/book/</guid><description>Challenge Description Read books for inspiration so you know what to write!
Flag format: CTF{sha256}
Intuition Checksec the binary to see what we have.
$ checksec book LIBC_FILE=/lib/x86_64-linux-gnu/libc.so.6 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH 74 Symbols No 0 4 book We have PIE enabled but Partial RELRO. Partial RELRO might mean that we will overwrite GOT entries.</description></item><item><title>defcamp6</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/defcamp6/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/defcamp6/</guid><description>Challenge Description Sometimes, we must look back in time to bring all the good vibes back!
Flag format: CTF{sha256}
Intuition The description and category (OSINT + Stego) seem to hint at using the wayback machine. We search for the photo on the wayback machine and find the &amp;ldquo;original&amp;rdquo; photo posted on the Defcamp website. We notice that the top-left corner has modified pixels, so maybe something is hidden in it with the LSB/MSB technique.</description></item><item><title>Internet-Is-Dangerous</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/internet-is-dangerous/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/internet-is-dangerous/</guid><description>Challenge Description Welcome to the &amp;lsquo;Internet is Dangerous for Kids&amp;rsquo; investigation, where you&amp;rsquo;ll step into the shoes of a cybersecurity investigator tasked with solving a high-stakes kidnapping case. You will learn about a juvenile predator who is luring their victims on social media platforms, ultimately resulting in kidnappings and human trafficking. It&amp;rsquo;s important to know that the cybercriminal managed to establish friendly connections with all of their victims. The cybercriminal&amp;rsquo;s ultimate goal was to deceive his victims into believing they had won a significant prize of interest, enticing them to visit suspicious places at unusual hours.</description></item><item><title>system-leak</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/system-leak/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/system-leak/</guid><description>Challenge Description Leak the entire system, but wait this is not zeenbleed.
Flag format: CTF{sha256}
Intuition Checksec the binary to see what we have.
$ checksec syslog LIBC_FILE=/lib/x86_64-linux-gnu/libc.so.6 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH No Symbols No 0 4 syslog All protections enabled! Wow! When I saw this initially I thought this would be a hard binary to exploit.</description></item><item><title>system-write</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/system-write/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/system-write/</guid><description>Challenge Description Wait what? We can write data, but where?
Flag format: CTF{sha256}
Intuition Checksec the binary to see what we have.
$ checksec syslog-write LIBC_FILE=/lib/x86_64-linux-gnu/libc.so.6 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH 49 Symbols No 0 4 syslog-write We have PIE disabled and Partial RELRO. Partial RELRO might mean that we will overwrite GOT entries.</description></item><item><title>xmisp</title><link>https://dothidden.xyz/ctfs/defcamp_quals_2023/xmisp/</link><pubDate>Sun, 22 Oct 2023 09:56:31 +0300</pubDate><guid>https://dothidden.xyz/ctfs/defcamp_quals_2023/xmisp/</guid><description>Challenge Description It&amp;rsquo;s MIPS or MISP I don&amp;rsquo;t know.
Flag format: CTF{sha256}
Intuition We decompile the binary and see it&amp;rsquo;s a MIPS binary. We find it does some XORing with some specific bytes. We can take the encrypted flag and the beginning of the flag (CTF{) to perhaps find the key for each byte.
Solution Did it in an interactive python session:
# Extract the string from Ghidra &amp;gt;&amp;gt;&amp;gt; s = b&amp;#34;ER@}&amp;gt;062eb6d1bbb36031&amp;gt;6c2522?</description></item><item><title>Web3</title><link>https://dothidden.xyz/ctfs/balsnctf_2023/web3/</link><pubDate>Wed, 11 Oct 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/balsnctf_2023/web3/</guid><description>Web3 Description: Hello Web3!
Challenge Author: ysc
We only have a URL with port 3000. We can see the source code for the index page by sending a request to the URL.
const express = require(&amp;#34;express&amp;#34;); const ethers = require(&amp;#34;ethers&amp;#34;); const path = require(&amp;#34;path&amp;#34;); const app = express(); app.use(express.urlencoded()); app.use(express.json()); app.get(&amp;#34;/&amp;#34;, function (_req, res) { res.sendFile(path.join(__dirname + &amp;#34;/server.js&amp;#34;)); }); function isValidData(data) { if (/^0x[0-9a-fA-F]+$/.test(data)) { return true; } return false; } app.</description></item><item><title>0FA</title><link>https://dothidden.xyz/ctfs/balsnctf_2023/0fa/</link><pubDate>Mon, 09 Oct 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/balsnctf_2023/0fa/</guid><description>0FA Description: I really don&amp;rsquo;t like 2FA, so I created a 0FA login system!
Challenge Author: kaibro
We have a PHP application. We can see that in index.php it&amp;rsquo;s just a submit query input that can be vulnerable: &amp;lt;form method=&amp;#34;post&amp;#34; action=&amp;#34;flag.php&amp;#34;&amp;gt; &amp;lt;div class=&amp;#34;field&amp;#34;&amp;gt; &amp;lt;input type=&amp;#34;text&amp;#34; class=&amp;#34;input&amp;#34; name=&amp;#34;username&amp;#34; placeholder=&amp;#34;Username...&amp;#34;&amp;gt; &amp;lt;/div&amp;gt; &amp;lt;input type=&amp;#34;submit&amp;#34; class=&amp;#34;button is-primary&amp;#34;&amp;gt;&amp;lt;br&amp;gt; &amp;lt;/form&amp;gt; It goes to flag.php
&amp;lt;?php include_once(&amp;#34;config.php&amp;#34;); fingerprint_check(); if(!isset($_POST[&amp;#39;username&amp;#39;]) || $_POST[&amp;#39;username&amp;#39;] !== &amp;#34;admin&amp;#34;) die(&amp;#34;Login failed!&amp;#34;); ?</description></item><item><title>merger_2077</title><link>https://dothidden.xyz/ctfs/balsnctf_2023/merger_2077/</link><pubDate>Mon, 09 Oct 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/balsnctf_2023/merger_2077/</guid><description>Challenge description Title: merger-2077
Description: After a long and tiring ctf challenge, you decided to play a phone game to relax yourself. Note: Flag is hidden somewhere in memory, and this challenge is safe to run directly on your device. If you manage to run it on emulators, you shall fix it on your own.
Challenge Author: asef18766
Solution One very straight-forward Android challenge, that doesn&amp;rsquo;t really require much reversing at all.</description></item><item><title>Babysandbox</title><link>https://dothidden.xyz/ctfs/codegate_qualifs_2023/babysandbox/</link><pubDate>Sun, 09 Jul 2023 01:52:07 +0300</pubDate><guid>https://dothidden.xyz/ctfs/codegate_qualifs_2023/babysandbox/</guid><description>Challenge Description Can&amp;rsquo;t remember. ups
Intuition For this challenge we have the source code available, so looking at it we notice a few things.
Firstly, we notice that the first input is the length and the payload for a seccomp rule. Then we see that a first check is passed and vuln is called. We can provide a second input of maximum 256 bytes, which is used in a printf-like function.</description></item><item><title>Tornado Warning</title><link>https://dothidden.xyz/ctfs/uiuctf_2023/tornado_warning/</link><pubDate>Sat, 08 Jul 2023 23:39:52 +0300</pubDate><guid>https://dothidden.xyz/ctfs/uiuctf_2023/tornado_warning/</guid><description>Challenge Description Check out this alert that I received on a weather radio. Somebody transmitted a secret message via errors in the header! Fortunately, my radio corrected the errors and recovered the original data. But can you find out what the secret message says?
Note: flag is not case sensitive.
Author: Pomona
Hints:
The header is encoded with Specific Area Message Encoding.
The three buzzes are supposed to be identical, but in this challenge, they are different due to errors.</description></item><item><title>vmwhere2</title><link>https://dothidden.xyz/ctfs/uiuctf_2023/vmware2/</link><pubDate>Sat, 08 Jul 2023 22:47:53 +0300</pubDate><guid>https://dothidden.xyz/ctfs/uiuctf_2023/vmware2/</guid><description>Challenge Description Usage: ./chal program
Author: richard
Intuition As the name suggests, this is a rather classic VM challenge. We&amp;rsquo;re given the cpu code and a program and have to reverse it. Opening chal in ghidra leads to the implementation of each instruction, which enables us to write a disassembler for the program. Most of the opcodes have pretty easy implementations, aside from a few more interesting ones:
opcode 0x10 -&amp;gt; reverses the stack in a range opcode 0x11 -&amp;gt; pops the top of the stack and pushes 8 bits corresponding to the popped value&amp;rsquo;s base 2 representation opcode 0x12 -&amp;gt; pops 8 values off the stack (expected bits), interprets them as the bits of a base 2 number, and pushes the corresponding number on the stack Solution Looking at the disassembled code we pieced everything together.</description></item><item><title>Jonahs Journal</title><link>https://dothidden.xyz/ctfs/uiuctf_2023/jonahs_journal/</link><pubDate>Sat, 01 Jul 2023 19:42:39 +0200</pubDate><guid>https://dothidden.xyz/ctfs/uiuctf_2023/jonahs_journal/</guid><description>Challenge Description After dinner, Jonah took notes into an online notebook and pushed his changes there. His usernames have been relatively consistent but what country is he going to next? Flag should be in format uiuctf{country_name}
Intuition Because I resolved What&amp;rsquo;s for dinner before, I knew that I had to look for the same username Jonahexplorer. I know from the challenge description that I have to look for an online notebook and the hint of the challenge was the following: forks, trees, pushing, and pulling, so there is a high chance that the notebook is on GitHub.</description></item><item><title>What's for Dinner</title><link>https://dothidden.xyz/ctfs/uiuctf_2023/whats_for_dinner/</link><pubDate>Sat, 01 Jul 2023 19:41:58 +0200</pubDate><guid>https://dothidden.xyz/ctfs/uiuctf_2023/whats_for_dinner/</guid><description>Challenge Description Jonah Explorer, world renowned, recently landed in the city of Chicago, so you fly there to try and catch him. He was spotted at a joyful Italian restaurant in West Loop. You miss him narrowly but find out that he uses a well known social network and and loves documenting his travels and reviewing his food. Find his online profile.
Intuition We know that Jonah is in an Italian restaurant somewhere in Chicago, more precisely in West Loop.</description></item><item><title>Finding Jonah</title><link>https://dothidden.xyz/ctfs/uiuctf_2023/finding_jonah/</link><pubDate>Sat, 01 Jul 2023 19:40:40 +0200</pubDate><guid>https://dothidden.xyz/ctfs/uiuctf_2023/finding_jonah/</guid><description>Challenge Description Jonah offered a reward to whoever can find out what hotel he is staying in. Based on the past information (chals), can you find out what the hotel he stayed at was? Flag should be uiuctf{hotel_name_inn} Intuition First thing I did was to reverse search the image with Google Lens but unfortunately, I didn&amp;rsquo;t find anything interesting so I had to find something else and I decided to manually look for the hotel on Google Earth.</description></item><item><title>Finding Artifacts 2</title><link>https://dothidden.xyz/ctfs/uiuctf_2023/finding_artifacts_2/</link><pubDate>Sat, 01 Jul 2023 15:47:00 +0200</pubDate><guid>https://dothidden.xyz/ctfs/uiuctf_2023/finding_artifacts_2/</guid><description>Challenge Description New York City is known for its sprawling subway system. However, none of that would have been possible without modern earth-moving equipment. Find where the first ever shovel was used to start digging the subway. Flag format should be in uiuctf{name_of_museum}
Intuition The first step of the reflection I had was the following: I need to deal with the different information the challenge gives me.
Where: New York What: First shovel used to build the subway Information I need : The museum where the shovel is stored.</description></item><item><title>First Class Mail</title><link>https://dothidden.xyz/ctfs/uiuctf_2023/first_class_mail/</link><pubDate>Sat, 01 Jul 2023 15:47:00 +0200</pubDate><guid>https://dothidden.xyz/ctfs/uiuctf_2023/first_class_mail/</guid><description>Challenge Description Jonah posted a picture online with random things on a table. Can you find out what zip code he is located in? Flag format should be uiuctf{zipcode}, ex: uiuctf{12345}. Intuition Let&amp;rsquo;s begin by analyzing the image as the challenge description does not really provide any useful information, we only know that we have to find out a zipcode. The two related things to a zipcode are the envelope with some barcode and the letter.</description></item><item><title>Back to 1986</title><link>https://dothidden.xyz/ctfs/codegate_qualifs_2023/back_to_1986/</link><pubDate>Fri, 30 Jun 2023 15:05:27 +0300</pubDate><guid>https://dothidden.xyz/ctfs/codegate_qualifs_2023/back_to_1986/</guid><description>Challenge Description We&amp;rsquo;re given a Linux kernel which when run starts an instance of the 1986 arkanoid game.
Intuition We can see that the shape of the bricks corresponds with a letter. In later levels, the letters are obfuscated with extra grey shaped bricks, but those can be easily removed because they&amp;rsquo;re all of the same colour. The solution would be to skip levels and convert each level&amp;rsquo;s letter to an ASCII value.</description></item><item><title>Papapapa</title><link>https://dothidden.xyz/ctfs/google_ctf_2023/papapapa/</link><pubDate>Fri, 30 Jun 2023 13:11:37 +0300</pubDate><guid>https://dothidden.xyz/ctfs/google_ctf_2023/papapapa/</guid><description>Challenge Description Is this image really just white?
Intuition Well&amp;hellip; probably not. Checking all the pixel values we only get white, so the data must be somewhere else. Checking the metadata we see nothing.
Solution At one point we generated a full white image with the same dimensions as the provided one and the same format. The result? An image much smaller in size! So the data is there. At the suggestion of mehanix we identified the bytes which specify the image size 1 and changed them to something bigger.</description></item><item><title>Npc</title><link>https://dothidden.xyz/ctfs/google_ctf_2023/npc/</link><pubDate>Fri, 30 Jun 2023 13:11:29 +0300</pubDate><guid>https://dothidden.xyz/ctfs/google_ctf_2023/npc/</guid><description>Challenge Description A friend handed me this map and told me that it will lead me to the flag. It is confusing me and I don&amp;rsquo;t know how to read it, can you help me out?
Intuition This challenge is quite interesting. You are given a secret (the flag) which is encrypted with a password, and a hint for the password. An important detail is that the password is composed of a few uniquely and randomly chosen words from the US constitution, which is given to us.</description></item><item><title>Storygen</title><link>https://dothidden.xyz/ctfs/google_ctf_2023/storygen/</link><pubDate>Fri, 30 Jun 2023 13:11:29 +0300</pubDate><guid>https://dothidden.xyz/ctfs/google_ctf_2023/storygen/</guid><description>Challenge Description I wrote a story generator. It&amp;rsquo;s still work in progress, but you can check it out.
Solution We are given a somewhat convoluted python script that generates a shell script, that subsequently is run to print out a generated story. It&amp;rsquo;s hard to understand, so you&amp;rsquo;ll have to look at it yourself. It probably does this so it can properly sanitize inputs without trying too hard.
import time import os time.</description></item><item><title>Symatrix</title><link>https://dothidden.xyz/ctfs/google_ctf_2023/symatrix/</link><pubDate>Fri, 30 Jun 2023 13:11:29 +0300</pubDate><guid>https://dothidden.xyz/ctfs/google_ctf_2023/symatrix/</guid><description>Challenge Description The CIA has been tracking a group of hackers who communicate using PNG files embedded with a custom steganography algorithm. An insider spy was able to obtain the encoder, but it is not the original code. You have been tasked with reversing the encoder file and creating a decoder as soon as possible in order to read the most recent PNG file they have sent.
Solution We are given a PNG file and a CPython transpilation/compilation of the original Python script used to embed a secret in the PNG file.</description></item><item><title>Write-Flag-Where2</title><link>https://dothidden.xyz/ctfs/google_ctf_2023/write-flag-where2/</link><pubDate>Fri, 30 Jun 2023 13:11:29 +0300</pubDate><guid>https://dothidden.xyz/ctfs/google_ctf_2023/write-flag-where2/</guid><description>Challenge Description This challenge is not a classical pwn In order to solve it will take skills of your own An excellent primitive you get for free Choose an address and I will write what I see But the author is cursed or perhaps it&amp;rsquo;s just out of spite For the flag that you seek is the thing you will write ASLR isn&amp;rsquo;t the challenge so I&amp;rsquo;ll tell you what I&amp;rsquo;ll give you my mappings so that you&amp;rsquo;ll have a shot.</description></item><item><title>Mine the Gap</title><link>https://dothidden.xyz/ctfs/google_ctf_2023/mine_the_gap/</link><pubDate>Fri, 30 Jun 2023 13:11:19 +0300</pubDate><guid>https://dothidden.xyz/ctfs/google_ctf_2023/mine_the_gap/</guid><description>Challenge Description Take a break from the other challenges and play a relxing game of Minesweeper I have even solved most of the board for you and marked many of the mines. I am completely sure they are correct so you just need to find the remaining ones.
Intuition Looking at the minesweeper map, it&amp;rsquo;s huge, but I noticed that the patterns look like wires and seem to lead to some structure which intuitively resemble logic gates.</description></item><item><title>Bf</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/bf/</link><pubDate>Fri, 16 Jun 2023 15:20:45 +0300</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/bf/</guid><description>Challenge Description Mal sehen, ob Sie dieses Mal Ihren Verstand in den Griff bekommen.
Author: Heith
Note We did not solve this challenge during this CTF. This writeup is just a description of the thought process we went through while attempting to solve this, and ultimately how we solved it based on this writeup 1 by matthw. So credits to him.
Attempts Clearly you can&amp;rsquo;t read brainfuck. And this one was particularly hard to read.</description></item><item><title>MyPin</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/mypin/</link><pubDate>Thu, 15 Jun 2023 12:43:32 +0300</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/mypin/</guid><description>Challenge Description I made a safe with a pin of only two digits. Author: Heith
First steps We&amp;rsquo;re provided with a .jar, so we are working with Java. My tool of choice for this has been jadx-gui, which decompiles Java bytecode pretty nicely (be careful that it can misinterpret sometimes. Ghidra is an alternative for such cases).
Pulling up the disassembled code, we see two buttons, listeners, and some processing based on single digit (0 or 1) input from the two buttons.</description></item><item><title>Vm</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/vm/</link><pubDate>Thu, 15 Jun 2023 12:16:46 +0300</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/vm/</guid><description>Challenge Description Ever tried reversing a VM? Here&amp;rsquo;s a simple one!
Author: NoobHacker
Analyzing in Ghidra Opening the vm in ghidra, we can see that each byte from the code is checked and interpreted accordingly. There are not too many possible instructions. Based on the decompilation we create a disassembler in python and parse the code with it.
Snippet from the python disassembler:
f = open(&amp;#34;./code&amp;#34;, &amp;#34;rb&amp;#34;) instructions = f.read() i = 0 while i &amp;lt; len(instructions): op = instructions[i] if op == 0: print(&amp;#39;nop&amp;#39;) elif op == 1: r = instructions[i + 1] print(f&amp;#39;push r{r}&amp;#39;) i += 1 elif op == 2: r = instructions[i + 1] print(f&amp;#39;pop r{r}&amp;#39;) i += 1 elif op == 3: r1 = instructions[i + 1] r2 = instructions[i + 2] print(f&amp;#39;mov r{r1} &amp;lt;- r{r2}&amp;#39;) i += 2 .</description></item><item><title>ASM</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/asm/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/asm/</guid><description>Description of the challenge What can I say except, &amp;ldquo;You&amp;rsquo;re welcome&amp;rdquo; :)
Author: NoobHacker
Solution The binary name is srop_me, so we can assume this is an srop challenge. The binary is so small we can just objdump it. Seems like the source code was written in assembly.
srop_me: file format elf64-x86-64 Disassembly of section .text: 0000000000401000 &amp;lt;vuln&amp;gt;: 401000: b8 01 00 00 00 mov eax,0x1 401005: bf 01 00 00 00 mov edi,0x1 40100a: 48 be 00 20 40 00 00 movabs rsi,0x402000 401011: 00 00 00 401014: ba 0f 00 00 00 mov edx,0xf 401019: 0f 05 syscall 40101b: 48 83 ec 20 sub rsp,0x20 40101f: b8 00 00 00 00 mov eax,0x0 401024: bf 00 00 00 00 mov edi,0x0 401029: 48 89 e6 mov rsi,rsp 40102c: ba 00 02 00 00 mov edx,0x200 401031: 0f 05 syscall 401033: 48 83 c4 20 add rsp,0x20 401037: c3 ret 0000000000401038 &amp;lt;_start&amp;gt;: 401038: e8 c3 ff ff ff call 401000 &amp;lt;vuln&amp;gt; 40103d: b8 3c 00 00 00 mov eax,0x3c 401042: bf 00 00 00 00 mov edi,0x0 401047: 0f 05 syscall 401049: c3 ret Disassembly of section .</description></item><item><title>Damn</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/damn/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/damn/</guid><description>Description Damn bro, Dam! &amp;ndash; Note: Find out the city that this dam is in. Flag format is n00bz{City_Name}
Author: NoobMaster
Solution The challenge provides us with the following image:
This was probably the easiest OSINT challenge we resolved. Because we do not have a lot of information, the best thing to do here is to reverse search the image using Google Lens and check the source of it.</description></item><item><title>Geoguesser</title><link>https://dothidden.xyz/ctfs/uiuctf_2023/geoguesser/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/uiuctf_2023/geoguesser/</guid><description>Description of the challenge We are given a compiled binary of the janet-lang interpreter, along with a &amp;ldquo;compiled&amp;rdquo; script written in janet-lang.
Solution So I&amp;rsquo;ll start off by saying that we work cooperatively on some challenges. For example, zenbassi also worked heavily on this one. So the writeup author is usually not the only one to credit for the challenge.
We run the challenge and it asks us to input some coordinates.</description></item><item><title>John Does Strikes Again</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/johndoesstrikesagain/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/johndoesstrikesagain/</guid><description>Description John Doe has escaped our high secruity1 prison again! We managed to intercept an xor key that he uses to send encrypted messages to people! Your aim is to find classified information on his top secret website! Start with the encrypted message -b'\x13\x00\x1d-A*!\x00Q\x16R\x02\x12\x07\n\x1b&amp;gt;\x0e\x06\x1a~O-D CU\t\x0e\x06 E2\n\x17bA#\x0b\t&amp;gt;O\x11\x011O\tH*\x1b\x10-\x08\x00)E\x02\nMck~)\x07&amp;quot;\x01H*+\n_\x01\x00\x00\x00c\n\x00!\x12V\r\x1d4A\x19\x16\x0b&amp;quot;O!N(\x00\x13Dy\x02\x000\x08\rn\x16\x19E\x16,\x0fS\x17H+\x1c\x03N)\nEU1\x0e\x01c\x10\x1b+\x16\x02\x0c\x1d-A\x11\x15\r8\x16H\x0f#\x0e\x0cOx' and the secret key -YouCanNeverCatchJohnDoe!We also intercepted the name of his account -31zdugxvkayexc4hzqhixxcfxb4y
Author: NoobMaster
Solution Let&amp;rsquo;s start by decrypting the message provided with the key YouCanNeverCatchJohnDoe!</description></item><item><title>Lost</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/lost/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/lost/</guid><description>Description I got lost. Help me find out where I am. Flag format is n00bz{Name_Of_Pin_On_Google_Maps}.
Author: Spectral
Solution First of all, let&amp;rsquo;s open the image where.png which is given by the challenge. We can see a bridge and a city in the background and the image seems to have a filter on it because the red and purple colors are more present than the others. Furthermore, some elements of the image are duplicated (same effect as being drunk).
Author: NoobMaster
Solution We are presented with the following challenge:
#!/usr/bin/python3 import random from Crypto.Util.number import * flag = open(&amp;#39;flag.txt&amp;#39;).read() alpha = &amp;#39;abcdefghijklmnopqrstuvwxyz&amp;#39;.upper() to_guess = &amp;#39;&amp;#39; for i in range(16): to_guess += random.choice(alpha) for i in range(len(to_guess)): for j in range(3): inp = int(input(f&amp;#39;Guessing letter {i}, Enter Guess: &amp;#39;)) guess = inp &amp;lt;&amp;lt; 16 print(guess % ord(to_guess[i])) last_guess = input(&amp;#39;Enter Guess: &amp;#39;) if last_guess == to_guess: print(flag) else: print(&amp;#39;Incorrect!</description></item><item><title>Mission Moon</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/missionmoon/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/missionmoon/</guid><description>Description A mission, had planned to land on the moon. Can you find where it planned to land on the moon and the name of the lander and rover? Flag is latitude longitude upto one decimal place.
Note: Flag format n00bz{Lander_Rover_latitude_longitude} for eg - n00bz{Examplelander_Examplerover_12.3_45.6}. Also note that flag is case sensitive! Note: Due to a quite big range of answers, to narrow down your search, use the latitude and longitude provided from this site: blog.</description></item><item><title>Pwn1</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/pwn1/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/pwn1/</guid><description>Description of the challenge Welcome to the series of 3 pwn challenges!
Author: NoobMaster
Solution We open the binary in Ghidra and instantly notice the buffer overflow on fgets. It reads 0x50 (80) bytes into a 64-byte buffer. Given the name of the local variable local_48, it means we have 0x48 bytes until the return address. So, we have 8 bytes of the return address to work with.
void main(EVP_PKEY_CTX *param_1) { char local_48 [64]; init(param_1); puts(&amp;#34;Would you like a flag?</description></item><item><title>Pwn2</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/pwn2/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/pwn2/</guid><description>Description of the challenge There is no win function this time!
Author: NoobMaster
Solution Running checksec on the binary, we notice the lack of canary and PIE.
$ checksec pwn2 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 42 Symbols No 0 1 pwn2 When we open the binary in Ghidra, we are greeted with the following main function:</description></item><item><title>Pwn3</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/pwn3/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/pwn3/</guid><description>Description of the challenge This time you have nothing! Can you still exploit this?
Author: NoobMaster
Solution Running checksec on the binary, we notice the lack of canary and PIE, just like the ones before it.
$ checksec pwn3 RELRO STACK CANARY NX PIE RPATH RUNPATH Symbols FORTIFY Fortified Fortifiable FILE Partial RELRO No canary found NX enabled No PIE No RPATH No RUNPATH 41 Symbols No 0 1 pwn3 Open the binary in Ghidra:</description></item><item><title>RSA</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/rsa/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/rsa/</guid><description>Description of the challenge Good old RSA!
Author: NoobMaster
Solution When connecting to the remote server, we are given a ciphertext, and the public key (e, N) for it. Presumably, this ciphertext is encrypted with textbook RSA and it&amp;rsquo;s probably the flag. Knowing e = 17 for every connection, we can attempt a Håstad broadcast attack.
Basically, by capturing x ciphertexts, encrypted with the same e, where x &amp;gt;= e, one can find the original plaintext using the Chinese Remainder Theorem.</description></item><item><title>Strings</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/strings/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/strings/</guid><description>Description of the challenge I love Strings! Do you? Let me know!
Author: NoobMaster
Solution Decompiling the binary - we can first see a clear format string vulnerability. We get to read into a buffer that then gets printed directly with printf. Perhaps we can use it to leak an address, or write to somewhere with the %n format string.
void main(EVP_PKEY_CTX *param_1) { long in_FS_OFFSET; char local_78 [104]; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); init(param_1); puts(&amp;#34;Do you love strings?</description></item><item><title>The Online Odyssey</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/theonlineodyssey/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/theonlineodyssey/</guid><description>Description My friend blackhat_abhinav gave me a ctf challenge and told me that the challenge is full of mystery and he wanted me to solve the mystery and get the flag. Can you help me to get the flag?
Flag format:- n00bz{fl4g_h3r3}
Solution The most important information we have is the username blackhat_abhinav so let&amp;rsquo;s start our research with this username.
When I have to work with a username I really appreciate using the following website: https://whatsmyname.</description></item><item><title>Try Hack Me</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/tryhackme/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/tryhackme/</guid><description>Description of the challenge My friend brayannoob gave me a ctf challenge and told me Try to hack me.
Author: noob_abhinav
Solution First, let&amp;rsquo;s start our research with the username brayannoob.
When I have to work with a username I really appreciate using the following website: https://whatsmyname.app/. Let&amp;rsquo;s check the results I got for the username brayannoob: When dealing with a username I always start with social networks such as Instagram, Twitter, Facebook and GitHub so let&amp;rsquo;s open the GitHub account we found.</description></item><item><title>Zzz</title><link>https://dothidden.xyz/ctfs/n00bzctf_2023/zzz/</link><pubDate>Sat, 10 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/n00bzctf_2023/zzz/</guid><description>Description of the challenge 3z
Author: NoobHacker
Solution This is obviously a z3 challenge. We can open the binary in Ghidra and see various constraints. Instead of solving them manually, let&amp;rsquo;s just try some angr magic. I won&amp;rsquo;t even attempt to add the constraints. I&amp;rsquo;ll just add the beginning of the flag.
#!/usr/bin/env python3 import angr import claripy import sys def is_successful(state): #Successful print stdout_output = state.posix.dumps(sys.stdout.fileno()) return b&amp;#39;You got it!</description></item><item><title>Demonic Navigation Skills</title><link>https://dothidden.xyz/ctfs/dantectf_2023/demonic_navigation_skills/</link><pubDate>Thu, 08 Jun 2023 22:42:49 +0300</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/demonic_navigation_skills/</guid><description>Description A friend told me that they are creating a new celestial network, way better than our Internet even though it is based on some long forgotten tech. Do you have the skills to find the Holy Record? Start your search at gates.hell.dantectf.
Solution We were given an IP address running a UDP service. A quick internet search confirms that DNS runs on UDP so we try to dig the domain.</description></item><item><title>Almost Perfect Remote Signing</title><link>https://dothidden.xyz/ctfs/dantectf_2023/almost_perfect_remote_signing/</link><pubDate>Thu, 08 Jun 2023 21:51:59 +0300</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/almost_perfect_remote_signing/</guid><description>Description I c4n&amp;rsquo;t re?d you Are_you a beacon fAom 1200 0r smthing?
Solution We were provided with a .wav file. Listening to it, the only thing you could hear was a nondescript noise. After a bit of digging for the name of the file (aprs), we find that APRS is an Automatic Position Reporting System used by hams1. It uses packet radio to send GPS tracking information among other things.</description></item><item><title>Imago Qualitatis</title><link>https://dothidden.xyz/ctfs/dantectf_2023/imago/</link><pubDate>Thu, 08 Jun 2023 15:11:49 +0300</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/imago/</guid><description>Description A wondrous electromagnetic wave was captured by a metal-stick-handed devil. &amp;ldquo;But.. What? No, not this way. Maybe, if I turn around like this&amp;hellip; Aha!&amp;rdquo;
Key observation Doing some research on the file name we find out that this is a raw gqrx IQ radio file.
Solution Open the file in gqrx (link here) and play the file.
Flag DANTE{n3w_w4v35_0ld_5ch00l}</description></item><item><title>Dirty Checkerboard</title><link>https://dothidden.xyz/ctfs/dantectf_2023/dirty_checkerboard/</link><pubDate>Thu, 08 Jun 2023 14:51:29 +0300</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/dirty_checkerboard/</guid><description>Challenge Description I bought a new chessboard but every time I use it I have this feeling&amp;hellip; Like it&amp;rsquo;s dirty or something.
Key observation Notice a set of weird pixels in the bottom left side of the image.
Solution Crop the image and interpret the data as bytes.
im = Image.open(&amp;#34;./cropped_dirty.bmp&amp;#34;).tobytes() s = im.decode() print(s) Result jefotulktcya hbwdtvpbk, tog-3mi yes./ fiue calu r:caloo mDkgkst /obo ^ rnuaA_i ra/mmo ssgN0csaitg/aki eiTukh c ijg ni cEt}onkhtwiojfik{_ w ^ ^ ^ ^ ^ i thicue m!</description></item><item><title>Piedpic</title><link>https://dothidden.xyz/ctfs/dantectf_2023/piedpic/</link><pubDate>Thu, 08 Jun 2023 12:43:14 +0300</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/piedpic/</guid><description>Description Dante took many pictures of his journey to the afterlife. They contain many revelations. I&amp;rsquo;ll give you one of these pictures if you&amp;rsquo;ll give me one of yours!
Key observations Looking at the code we notice 2 things:
pixels are xored with 255 (i.e. bitwise inverted) for each odd bit among the 3 least significant bits of the key at that index pixels are scrambled based on $k_i$ (mod 6) Knowing this, we conclude that the relevant part of the key is a tuple $(kl_i, km_i)$, where $kl_i$ holds the 3-lsb of $k_i$ and $km_i$ holds $k_i % 6$.</description></item><item><title>Soulcode</title><link>https://dothidden.xyz/ctfs/dantectf_2023/soulcode/</link><pubDate>Mon, 05 Jun 2023 23:11:16 +0300</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/soulcode/</guid><description>Soulcode The challenge consisted of bypassing various filters to run a shellcode.
Main function decompiled bool main(void) { int iVar1; long lVar2; undefined8 *puVar3; byte bVar4; undefined8 local_208; undefined8 local_200; undefined8 local_1f8 [62]; bVar4 = 0; puts(&amp;#34;Before you leave the realm of the dead you must leave a message for posterity!&amp;#34;); setvbuf(stdin,(char *)0x0,2,0); setvbuf(stderr,(char *)0x0,2,0); setvbuf(stdout,(char *)0x0,2,0); local_208 = 0; local_200 = 0; puVar3 = local_1f8; for (lVar2 = 0x3c; lVar2 !</description></item><item><title>StangeBytes</title><link>https://dothidden.xyz/ctfs/dantectf_2023/strangebytes/</link><pubDate>Mon, 05 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/strangebytes/</guid><description>Disclaimer: This challenge was resolved after the end of the CTF, so it doesn&amp;rsquo;t count for the final ranking.
Description of the challenge I got hacked by a ransomware, and it encrypted some important files. Some crypto analyst told me they were encrypted using AES CBC, but there is something strange in them which can probably be exploited. I don&amp;rsquo;t have enough money to give the job to proper crypto analysts, could you decrypt them for me please?</description></item><item><title>Routes Mark The Spot</title><link>https://dothidden.xyz/ctfs/dantectf_2023/routesmarkthespot/</link><pubDate>Fri, 02 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/routesmarkthespot/</guid><description>Description of the challenge Aha, the little spirit says that the human became more ingenious! What a weird way to transmit something, though.
Solution We are provided with a pcap file, let&amp;rsquo;s open it with Wireshark. Let&amp;rsquo;s go through the different packets and see if we can find something unusual in the info column.
From packet number 66 we start to see some more data in the hexdump of the packets but if we go to the packet number 88, we can see that the protocol used is IPv6 and the hexdump looks like:</description></item><item><title>Who Can Haz Flag</title><link>https://dothidden.xyz/ctfs/dantectf_2023/whocanhazflag/</link><pubDate>Fri, 02 Jun 2023 00:00:00 +0000</pubDate><guid>https://dothidden.xyz/ctfs/dantectf_2023/whocanhazflag/</guid><description>Description of the challenge A little spirit spied on this mortal transmission. He noticed that the human was after something, but what was it ?
Solution The challenge provides a Wireshark capture, let&amp;rsquo;s open it first. By the name of the challenge we can guess that the flag might be related to the ARP or DNS protocol because those protocols are used to translate a domain into an IP address in the case of DNS and for ARP we send a request in order to identify a device based on its IP address.</description></item><item><title>Report</title><link>https://dothidden.xyz/ctfs/stranger_case/report/</link><pubDate>Sat, 27 May 2023 23:11:16 +0300</pubDate><guid>https://dothidden.xyz/ctfs/stranger_case/report/</guid><description>Mission A guy named Eric EDURT is missing; our goal is to find out what happened to him by using all open source intelligence tools available.
Sockpuppet used to investigate Please see the Sockpuppet page for more information.
Investigation Subject Details Name: Eric Surname: EDURT Time of disappearance: Night between 1st and 2nd of May 2023 Alias: eedurt Occupation: CEO at Copprethia Profile picture: Social Media Email: eric.edurt@gmail.com LinkedIn: https://fr.</description></item><item><title>Sockpuppet</title><link>https://dothidden.xyz/ctfs/stranger_case/sockpuppet/</link><pubDate>Sat, 27 May 2023 23:11:16 +0300</pubDate><guid>https://dothidden.xyz/ctfs/stranger_case/sockpuppet/</guid><description>Sockpuppet used to investigate Subject Details Name: Alexis Surname: DEBEATE Age: 41 Birthdate: 18/02/1982 Alias: Alexis DEBEATE Nationality: French Living in: Paris, France Profile picture: Social Media Facebook: https://www.facebook.com/profile.php?id=100092937765609 Instagram: https://www.instagram.com/alexisdebeate/ Email: alexis.debeate@gmail.com Twitter: https://twitter.com/ADebeate LinkedIn: https://www.linkedin.com/in/alexis-debeate-3a790a278/ Account was banned Discord: aleXbeast#5001 TikTok: https://www.tiktok.com/@alexisdebeate Other The sockpuppet has a Clash of Clans account: alexisss Background To be determined.</description></item><item><title>Network Detective</title><link>https://dothidden.xyz/ctfs/unbreakable_2023/network_detective/</link><pubDate>Wed, 24 May 2023 22:17:09 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2023/network_detective/</guid><description> Open the network-detective capture with wireshark Open the HTTP packet We know that HTTP does not encrypt data, so we should see the following result: The X-HERE header is an unusual header; furthermore, we notice that the data is quite suspicious and looks like a ROT encryption because if we shift by 1 to the right, DUG gives CTF which is the flag format. 
Go to rot-cipher and enter the data string. Select ROT 1 (which is equal to a shift of one to the right). Select the full ASCII table. Here you go :)</description></item><item><title>Do You Hunt 2</title><link>https://dothidden.xyz/ctfs/unbreakable_2023/do_you_hunt_2/</link><pubDate>Wed, 24 May 2023 22:15:11 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2023/do_you_hunt_2/</guid><description>def convert_to_ascii(file_path):
    with open(file_path, &amp;#39;r&amp;#39;) as file:
        data = file.read()
    # Every line carrying a &amp;#39;#&amp;#39; ends with a decimal character code
    numbers = [int(line.split(&amp;#39;#&amp;#39;)[-1]) for line in data.split(&amp;#39;\n&amp;#39;) if &amp;#39;#&amp;#39; in line]
    ascii_chars = [chr(num) for num in numbers]
    result = &amp;#39;&amp;#39;.join(ascii_chars)
    print(result)

# Provide the path to the text file
file_path = &amp;#39;do-you-hunt2-final&amp;#39;
convert_to_ascii(file_path)</description></item><item><title>Ipv6 Evil</title><link>https://dothidden.xyz/ctfs/unbreakable_2023/ipv6_evil/</link><pubDate>Wed, 24 May 2023 22:00:43 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2023/ipv6_evil/</guid><description> Open the ipv6Evil capture with Wireshark. The challenge description and title give us good hints: DNS Buffer Overflow is not for everyone !
Ipv6 evil We can deduce that we need to look for a bad IPv6 request that causes a DNS buffer overflow. Use the filter ipv6 and sort the results by size (a buffer overflow packet is expected to have an unusually large size due to the added padding). Check every result, starting from the heaviest packet. Check the ASCII content of each packet; you should see some unusual results with a lot of &amp;ldquo;A&amp;rdquo;. Unfortunately the first one is not the right flag (see image). Continue checking the others. Going from the heaviest to the lightest packet, we notice some other unusual strings: If we concatenate all those strings we get: We_Ar3_N0t_th3_Same, which makes sense. Now do not forget to hash it with sha256, and you have the flag.</description></item><item><title>Hidden Wave</title><link>https://dothidden.xyz/ctfs/unbreakable_2023/hidden_wave/</link><pubDate>Wed, 24 May 2023 21:53:09 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2023/hidden_wave/</guid><description>The file looked perfectly normal and sounded perfectly normal. Extracting the LSB is quite a common technique to try and was fortunately successful.
# Use the wave package (native to Python) for reading the received audio file
import wave

# Read the file as a binary stream; do not forget to change the file name
song = wave.open(&amp;#34;hidden-wave.wav&amp;#34;, mode=&amp;#39;rb&amp;#39;)

# Convert the audio to a byte array
frame_bytes = bytearray(list(song.readframes(song.getnframes())))

# Extract the LSB of each byte
extracted = [frame_bytes[i] &amp;amp; 1 for i in range(len(frame_bytes))]

# Convert the bit array back to a string
string = &amp;#34;&amp;#34;.</description></item><item><title>Hidden Art</title><link>https://dothidden.xyz/ctfs/unbreakable_2023/hidden_art/</link><pubDate>Wed, 24 May 2023 21:44:04 +0300</pubDate><guid>https://dothidden.xyz/ctfs/unbreakable_2023/hidden_art/</guid><description>import heapq
import pickle

# We use a Huffman tree because we have a dict with the char frequency
class Node:
    def __init__(self, char, freq, left_node=None, right_node=None):
        self.char = char
        self.freq = freq
        self.left_node = left_node
        self.right_node = right_node

    def __lt__(self, other):
        return self.freq &amp;lt; other.freq

def generate_huffman_tree(freq_dict):
    # Create a priority queue from the frequency dictionary
    priority_queue = [Node(char, freq) for char, freq in freq_dict.items()]
    heapq.heapify(priority_queue)
    # Iteratively combine the two nodes with the lowest frequencies
    while len(priority_queue) &amp;gt; 1:
        low_node = heapq.</description></item><item><title>About</title><link>https://dothidden.xyz/about/</link><pubDate>Tue, 23 May 2023 21:16:14 +0300</pubDate><guid>https://dothidden.xyz/about/</guid><description>About the team .hidden is a community of students from the University of Bucharest, passionate about hacking and cybersecurity.
We formed the team on the 28th of April 2023, once we randomly decided to take part in a CTF competition. It all took off from there.
Our goal is to contribute to the local CTF and hacking scene by learning and sharing our experiences with students of the University, as well as anyone else that wants to join in on the fun.</description></item></channel></rss>