0CTF/TCTF 2020 Quals

For the next CTF, I joined the We_0wn_Y0u team from Vienna, and we had a lot of fun! 0CTF/TCTF was on June 27-28. We managed to solve 5 challenges and took 36th place. Below are the solutions to the hardest challenges: Web / easyphp [59 pts, 175 solved]Misc / Cloud Computing [211 pts, 42 solved]Misc

Crypto @ IJCTF

These solutions do not pretend to be fully mathematically or algorithmically correct nor they are optimal. They just worked at the moment when IJCTF was conducted. Also, I tried to describe my way of thoughts during solving challenges. Plain-t.. uh Image Here is the challenge file flag.jpg.enc. From file extension, we know it is a

Fun on the aircraft

What can you do on a flight? Well, you can take a nap or read an onboard magazine. One of not so obvious options is to connect to internal aircraft Wi-Fi and check which resources you can access without paying anything. On one of the latest flights, I clicked here and there and found API endpoint, which looks like this: https://www.airline-flynet.com/fapi/flightData (airline name was changed, just in case). On this endpoint, we have quite a lot of interesting data in JSON format. The most exciting thing about this data is the fact it is available only when you’re onboard, and is not available from the “everyday” internet.

Solving flAWS

There is quite interesting “always open” CTF challenge, wherein one should use AWS specific security mistakes (flaws) to solve it. Funny enough, its name is flAWS. There are 6 total levels with increasing difficulty. Each level contains several hints for those who stuck. Below are my steps of trying to solve the flAWS challenge.

Pentest Cyprus 3.0

In October 8, there was a PentestCyprus 3.0, a CTF competition in Larnaca, where I participated and won it.
There were total 25 tasks in 6 categories: Web, Cryptography, Forensics, Reverse Engineering, PWN and Miscellaneous. First, I will tell about tasks I’ve managed to do in 3 hours of contest. If I will have free time, I will try to solve the rest and publish solutions to them.

Vulnerable Docker VM

In the information security world, there are so called CTF (Capture The Flag) challenges. This is mind sport, where you should hack or somehow extract the information from computer systems, in most cases connected with the internet or other network. Strangely, but I never participated in this kind of stuff. Several days ago the company named NotSoSecure posted the CTF challenge called Vulnerable Docker VM. Docker becomes widespread these days, so I decided to try out both Docker and that CTF thing. The quest itself was not competitive — there are no winners or losers, no time limit, so there was no pressure, what is good for beginners like me. VirtualBox image with some Docker infrastructure is provided for you. The goal is to gain control over host system and to find 3 flags. I managed to find only 2 flags and escape from Docker. Below you will find the solution, so if you want to try the challenge yourself, then stop here.