Foreword
This time I participated with a team of Year 4 friends of mine in NUS Greyhats. Biggest thanks to mechfrog88, davidtan0527 and DarkPermafrost for basically carrying me through this.
Qualifiers
A bit rough for us here. One crypto challenge got the flag leaked, hence all teams solved it. I managed to solve one misc challenge about finding the kth digit after the decimal point of a fraction a/b with a, b, k being very large integers.
Misc challenge
The StackOverflow article mentions how to solve this problem. The answer has some mistakes that we have to fix, but eventually we arrive at this solution:
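An added example (my own, not the author's solution) of the standard way to get that digit without materialising 10^k: reduce a*10^k modulo 10*b with three-argument pow() and read the digit off the quotient by b. It assumes k is 1-indexed and a >= 0, b > 0.

```python
def kth_decimal_digit(a: int, b: int, k: int) -> int:
    """Return the k-th digit after the decimal point of a/b (k = 1 is the first digit).

    The digit is floor(a * 10**k / b) mod 10, but 10**k cannot be built for a huge k.
    Write a*10^k = q*b + r with 0 <= r < b and q = 10*t + d, where d is the digit we
    want. Then a*10^k mod (10*b) = d*b + r, and because d*b + r < 10*b we get
    d = (a*10^k mod 10*b) // b. The modular power is cheap via pow(10, k, 10*b).
    """
    if a < 0 or b <= 0 or k < 1:
        raise ValueError("expect a >= 0, b > 0, k >= 1")
    modulus = 10 * b
    m = (a % modulus) * pow(10, k, modulus) % modulus
    return m // b


def kth_decimal_digit_naive(a: int, b: int, k: int) -> int:
    """Reference implementation that really builds 10**k; only usable for small k."""
    return (a * 10 ** k // b) % 10


def self_check(limit: int = 200) -> bool:
    """Cross-check the modular version against the naive one on small fractions."""
    for a in range(0, 40):
        for b in range(1, 40):
            for k in range(1, limit, 37):
                if kth_decimal_digit(a, b, k) != kth_decimal_digit_naive(a, b, k):
                    return False
    return True


if __name__ == "__main__":
    # 1/7 = 0.142857142857...: the digits repeat with period 6, so position
    # 10**18 + 1 (which is 5 mod 6) carries the same digit as position 5, i.e. 5.
    print(kth_decimal_digit(1, 7, 10**18 + 1))
    print(self_check())
```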
For 2
I finally solve a Docker forensics challenge.
This just requires me to look at the Docker image file for a long while to see where the flag is stored in the file system. A neater solution, written in Vietnamese, can be found here.
secbiz_library
We were pretty close in this challenge. We notice immediately that there is an LFI vulnerability.
Hence, this is vulnerable to a very simple LFI payload, such as http://45.77.33.129:5000/....//?DEBUG_MODE_ENABLED=true. We can easily dump the flag locally, but for some reason this does not work on the server.
Later, from another writeup by IU-Security-Club, we learned that we apparently need to take advantage of SSTI to dump the content of the flag, and that the flag is in a different location from what we have locally.
Attempted challenges
I attempted another forensics challenge, and actually got kinda far in the solution (arriving at the PowerShell reversing part), but did not manage to solve it as I struggled a lot continuing from the PowerShell deobfuscation. A great Vietnamese writeup for this challenge is at this link.
The last web challenge is about CVE-2023-27524 in Apache Superset. The hint to solve this challenge is literally on the server, and it takes a bit of Googling to get the script. The payload, which was solved by DarkPermafrost, is http://171.244.62.13:5000/static/styles/flag.txt/eyJfdXNlcl9pZCI6MSwidXNlcl9pZCI6MX0.ZTyISQ.chVrzpRwPqXOmAHwPc3jrdZXM-8
Finals
We got top 21 in the Qualifiers, and only the first 20 teams proceed to the next round, thus we thought our journey in the CTF was over. To our surprise, due to some rule details, apparently some teams got eliminated because they were from the same institution, hence we got into the finals as the 18th team.
The finals format is Attack-Defense, but we only have access to a proxy server that connects to our service. We do not have any access to the actual service server to patch the services. Hence, we have to basically implement a reverse proxy with a firewall to block the attacks.
The actual finals were not so interesting. No team managed to solve anything in the span of 5 hours, and even when the organizers changed the format such that the first team to score a flag wins, there was no solve. The competition went to a stalemate, and another finals was held two weeks later.
The next finals was again not so interesting. This "filtering" format makes it easy to defend pwn: what we pretty much need to do is to block payloads greater than some length. For web services it is literally to block the new payloads that the other teams attack us with, like XInclude (which is one of the payloads in the web service). There is not much flavor in the web payloads though, as some must "execute" some important features for them to work. Another example is some really long PHP chains from other teams, which were a bit tricky at first, but we only needed to block the first few characters to render any other attacks with a similar idea useless.
All in all, this format just requires us to have good monitoring: using Tulip, stealing other teams' payloads and studying them.