SecurityFest CTF writeup

This time I was participating with no time and no team so not much that can be done, but at least you get a short writeup.

#Makeircgreatagain:

This was a simple one, after connecting to the IRC channel, the channel topic had the key. CODE{h3lp_m3_pl34s3}

Flux:

The file was a python compiled file. Checking the magic bytes (first four bytes) with the “file” utility told me it was a python 2.7 file. Using uncompyle6 from pip on the file resulted in the original code (more or less) which allowed me to easily decrypt the flag by xoring the embedded array with the element position.

Space xss:

This was an easy XSS you just needed to end the string with “; and then do the alert and close the script tag. Using: http://xss1.zpuoznbj3die.co.uk/?xss=stuff?xss=%22;alert%281%29%3C/script%3E solved the issue for me and gave me the flag.

Space XSS II

This was an XSS where you could only use uppercase characters and special chars. In my case I just encoded alert(1) using http://utf-8.jp/public/jjencode.html and then url encoded the payload. This resulted on a working XSS.

Space XSS III

I didn’t solve that one, all I could figure out was that you needed a base64 encoded payload without lowercase. Saddly my JS skills aren’t good enough to prepare such payload.

JSploit:

This was an obfuscate javascript. Slowly replacing the found variables to track down the input led me to a specific version of the securityfest variable. Using the firefox console I echoed the variable and after putting it in the input I got the flag.

QRack

This is the one I got asked the most for. Using file I found that was a raw ext4 partition with console QR codes gzip encoded and then base64 encoded. I tried listing the characters in the original order but that didn’t help out much (ls -U IIRC). eventually I opened the image with less and started doing forensics. There I found a reference for something called all. Using extundelete I could recover it from the ext4 partition and after running the output through b64decode and then gzip I got a long list of QR codes.

An hour later after scaning the QR codes for each letter with my phone I got the flag and submitted it.

2 Replies to “SecurityFest CTF writeup”

Comments are closed.