PatriotCTF'23 on 404Unfound

[PatriotCTF'23] WPA

Thu, 14 Sep 2023 23:00:02 +0800

Patriot CTF: WPA

This was an easy wifi hacking challenge which required the use of a dictionary attack to find out the password of a wifi password. The challenge pcap file can be found here

The Challenge

I really need to get on my friends WiFi, but he won't give me the password. I think he thinks I'll mess around on his network. I started a packet capture and left it running a while, I think someone connected to the network before I stopped the capture. Can you help me?

Looking at the pcap file, there were 888 packets with the 802.11 protocol, which is the WLAN protocol.

[PatriotCTF'23] ReReCaptcha

Tue, 12 Sep 2023 21:29:34 +0800

Patriot CTF: ReReCaptcha

This was an RSA challenge which required the use of OCR (Optical character recognition - converting an image of text into text format).

The Challenge

The challenge had a zip file containing four images:

CT.png:

E.png:

P.png:

Q.png:

In RSA (and here),

CT - Ciphertext / Encrypted Message
E - Public Exponent (Part of Public Key) that is relatively prime (share no common factors other than 1) to the product of P-1 and Q-1 which is represented by phi
P and Q - (Part of private key) Distinct, large prime numbers used in the generation of the RSA key pair.

Retrieving Values

To retrieve the values from the image, what we had to do was to use OCR to get the values from the image. I used a free OCR tool and uploaded the files.

[PatriotCTF'23] Bookshelf

Tue, 12 Sep 2023 19:52:02 +0800

Bookshelf

This pwn challenge involved the use of return-oriented programming to call system and spawn a shell.

Description

Just finished up my project based around books! Hope you enjoy reading…

You can download the binary here and the corresponding libc here.

Part I: Getting the address of puts

When we connect to the server, we see that there are multiple options to choose from. Lets take a look at option 2.

[PatriotCTF'23] Flower Shop

Tue, 12 Sep 2023 12:15:01 +0800

Flower Shop

This web challenge involves exploiting a exec statement in a vulnerable PHP script. Apparently this solution was unintended, but it made the challenge a whole lot easier as the intended solution was almost impossible to solve.

Description

Flowers!

The files for this challenge can be found here.

Overview

Upon visiting the site, we see that there are fields to sign up, login, and reset one’s password. The login and signup functionalities seem to function normally and do not seem vulnerable to SQL injections. However, when looking through the source for password reset, I came across an exec statement.

[PatriotCTF'23] Printshop

Mon, 11 Sep 2023 15:37:38 +0800

Printshop

This pwn challenge involved exploiting a printf format string vulnerability to overwrite the exit function in the GOT table to point to the win function, which prints the flag.

Description

That print shop down the road is useless, can you make it do something interesting?

You can get the challenge file here.

Overview

Upon dumping the binary into a disassembler (in my case I use Binary Ninja), we see that there are 2 functions, main and win. However, main does not ever call win which means that we somehow have to control the instruction pointer to jump to the address of win.

[PatriotCTF'23] Breakfast club

Mon, 11 Sep 2023 13:49:34 +0800

Patriot CTF: Breakfast club

This was a cryptography challenge focused on hash cracking. The challenge involved various hashing algorithms, and each character in the flag was hashed using a different algorithm. The objective was to crack the hash for each algorithm to retrieve the flag.

The Challenge

As the sysadmin for your college, you're responsible for overseeing the security of all the clubs. One of the on campus orginizations is a breakfast club with their own personal website that the leader assured you was "unhackable". He was so sure of this, that he sent you an example of how hashes are stored in the database, something about "changing the hash type multiple times for each password" or something like that. Can you crack the password and prove him wrong?

Text file:

[PatriotCTF’23] My phone!

Mon, 11 Sep 2023 13:44:46 +0800

Patriot CTF: My phone!

This was a simple Crypto challenge where we had to figure out the location of a phone thief, that was encrypted by a odd cipher.

The Challenge

Some weird triangle man stole my phone, he taunted me by sending me his location but it seems to be encrypted with some odd cipher I've never seen before, could you please help me get my phone back?

[PatriotCTF'23] Pick Your Starter

Mon, 11 Sep 2023 10:50:04 +0800

Pick Your Starter

This was a web challenge that involves the use of exploiting Jinja2 SSTI and navigating around filters to gain remote code execution to read the flag.

Description

Picking a starter is hard, I hope you can do it.

Overview

When we go to the site, we are greeted with pictures of the 3 starter pokemons, and when we click on them, we are redirected to /{pokemon name}.

[PatriotCTF'23] Guessinggame

Mon, 11 Sep 2023 10:03:06 +0800

Guessing Game

Description

No one seems to be able to guess my favorite animal… Can you?

You can download the source file here

Decompilation

First, let’s disassemble the file and have a look inside.

At first glance, it seems like the correct answer is Giraffe. However, if we continue reading, we see that no matter what input we give, it will always reject our input 😢

Solution

In the decompilation output above, we can see that the program is using gets to retrieve user input. gets may vulnerable to a buffer overflow attack as it does not perform any sort of bounds checking, allowing us to write beyond the memory we are allocated.

[PatriotCTF'23] Rouge Access Point

Sun, 10 Sep 2023 17:30:34 +0800

Patriot CTF: Rouge Access Point

This was an OSINT challenge where we had to find the SSID of an access point, given the BSSID.

The Challenge

We've received a notice from our companies EDR software that a laptop was attacked while they were on WFH. The employee says they were at home when it happened, but we suspect they were using public wifi. Our EDR software managed to capture the BSSID of the wifi (46:D1:FA:63:BC:66) network before it got disconnected, but not the SSID. Can you still find the network they were connected to?

From here, we have one important piece of information, which was the BSSID of the wifi 46:D1:FA:63:BC:66.

[PatriotCTF'23] Unsupported Format

Sun, 10 Sep 2023 17:12:34 +0800

Patriot CTF: Unsupported Format

This was an image fixing forensics challenge, where they gave a corrupted image file. The point was to fix the image and retrieve the flag.

The Challenge

My friend sent me a picture of his brand new computer, but something strange happened to it and now it says "Unsupported Format" when I try to open it. Can you try to help me recover the image?

Trying to open the attached challenge image file would result in something like this: