From 579858d572528015b82e3babea0e16c95ba9f6b6 Mon Sep 17 00:00:00 2001 From: sumhack Date: Tue, 7 Jan 2020 17:43:17 +0100 Subject: [PATCH] Add time estimations to writeups --- writeups/sumhack/seccon19.md | 6 ++++++ writeups/sumhack/tasteless19.md | 2 ++ 2 files changed, 8 insertions(+) diff --git a/writeups/sumhack/seccon19.md b/writeups/sumhack/seccon19.md index 6d34166..34e3fb3 100644 --- a/writeups/sumhack/seccon19.md +++ b/writeups/sumhack/seccon19.md @@ -4,6 +4,8 @@ This was my first real "timeboxed" CTF. I spent the whole afternoon doing challe ## hakinowa-pay +**Time spent**: ~4 hours + The first challenge I tried was hakinowa-pay. It consisted of an .exe file which allows users to transfer and request money via QR codes. When opening the program, the user "@ymzkei5" tells us that he will give us the flag if we manage to take 7777 yen from him, after which he sends a QR code where he requests 10 yen from us. The app also had an "Upload QR code" feature, so the first thing I tried was read the QR code that ymzkei sent me. It was this: `HAKONIWA-PAY:REQ:d8d0f4c7-5c09-4b74-8a0a-1900ab540afd:67e47ea5-9f9a-4f63-949d-6923f77d2cf9:10:Hey! May I ask for help?` 
@@ -18,6 +20,8 @@ As a next step, I downloaded a .NET deobfuscator which supported the majority of ## web-fileserver +**Time spent**: ~5 hours + The next challenge involved a web fileserver written in Ruby using WEBrick. Looking at the source code of the app (app.rb), it seemed to perform some validation on the input path, and if everything was "fine", it would either load a directory listing (if it was a directory) or the file. The interesting part was at the top of the file: It showed that there existed a file `/tmp/flags/<32 random alphanumeric characters>.txt`. So, the first step was to get to the directory to find out how the file was called: `fileserver.chal.seccon.jp:9292/../../tmp/flags/` It worked! However, it gave me an empty file listing. After digging through the server code, I found out that it always does that when the path ends with a slash. That means, I have actually found an empty folder. I tried going folders back further and further: `fileserver.chal.seccon.jp:9292/../../../../../../tmp/flags/` to no avail. @@ -38,6 +42,8 @@ Luckily, this URL worked and it gave us the flag: `SECCON{You_are_the_Globbin'_S ## SPA +**Time spent**: ~2 hours + This challenge consisted of a vuejs single page application which loaded the page content through a json which depended on the anchor tag in the URL. It would parse whatever was in the anchor tag dynamically (i.e. on every change) and load the JSON file from `/.json` to update the data in the view. The challenge was to craft an XSS URL which would be sent to the admin to reveal his cookie. I found out pretty quickly that I can force the JSON to be loaded from an absolute URL rather than relatively: `#/mysite.com/aaaa` would load `mysite.com/aaaa.json` rather than `/mysite.com/aaaa.json`. So, using this, I was able to inject whatever JSON I wanted. I replicated the JSON that would normally be there and tried to perform the usual XSS attacks, however, vuejs sanitized them all away. 
diff --git a/writeups/sumhack/tasteless19.md b/writeups/sumhack/tasteless19.md index 5a70fe6..a94c8db 100644 --- a/writeups/sumhack/tasteless19.md +++ b/writeups/sumhack/tasteless19.md @@ -2,6 +2,8 @@ This CTF felt very unusual for me because the challenges weren't released all at once, but rather over time. While briefly trying out the crypto-babypad, it got solved by another teammate so I started looking at the web-gabbr challenge together with @chgue, @stiefel40k and @pH. After 5 hours of tirelessly trying out different ways, solutions and workarounds, we were awarded with the satisfying feeling of receiving the flag as the second of 6 teams who solved the challenge. I spent more time on this challenge than I had "reserved" for participating at this CTF, but it was definitely worth it. +**Time spent**: ~6 hours + The exploitation part of this writeup was composed together with @chgue, so all that follows will be identical with his writeup. ## Overview -- 2.43.0
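Review bot: In the first seccon19.md hunk (hakinowa-pay), together with the web-fileserver and SPA hunks that follow, the added estimates sum to roughly 11 hours (~4 + ~5 + ~2), which does not square with the unchanged context line at the top of the same file, "I spent the whole afternoon doing challe..."; either the intro sentence or the per-challenge figures should be reconciled so a reader can trust the numbers, for example by stating whether the estimates include time spent after the CTF window.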
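Review bot: In the tasteless19.md hunk, the added line `**Time spent**: ~6 hours` sits directly beneath the context sentence "After 5 hours of tirelessly trying out different ways, solutions and workarounds, we were awarded ... the flag", and the two figures disagree; correct one of them, or qualify the estimate (e.g. "~6 hours including the crypto-babypad attempt") so the discrepancy is explained rather than left for the reader to notice. As a secondary style point, in seccon19.md each estimate is placed directly under its challenge heading, while here it lands in the preamble before "## Overview"; moving it under the heading that introduces web-gabbr would keep the layout consistent across both writeups.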