First of all, i would like to express my gratitude to the organizer and sponsors (NanoSec Asia,Project18 VFP, MyCERT, ASK Pentest and Securelytics). This is the first… Read more “Wargames.MY CTF 2018: Just Valid It! Writeup”
Author: Kaizen69
Wargames.MY CTF 2018: Business ProposalWriteup
We was trolled by the organizer at first. Initially we thought this is the correct flag wgmy{do_you_wanna_play_a_game} but when we try submit , server refusing to accept… Read more “Wargames.MY CTF 2018: Business ProposalWriteup”
Wargames.MY CTF 2018: babypwn2.0 Writeup
We need to use 10 bytes shellcode to read more shellcode to buffer contained in rdx Code we use during the challenge We get this, just cat… Read more “Wargames.MY CTF 2018: babypwn2.0 Writeup”
Wargames.MY CTF 2018: PHP Sandbox Writeup
At first we had a difficult time solving this challenge due to function blacklist. Since this is PHP challenge. We then try to look into scandir Our… Read more “Wargames.MY CTF 2018: PHP Sandbox Writeup”
Wargames.MY CTF 2018: You Math Bro? Writeup
Who else love meth? math..This question is quite straight forward, no bullshit. You just need brain & python basic to solve this. So this is the python… Read more “Wargames.MY CTF 2018: You Math Bro? Writeup”
Wargames.MY CTF 2018: aes-ecb-magic Writeup
We were given a python code in this challenge So we wrote a python script to get the flag. I forgot to screenshot the flag during the… Read more “Wargames.MY CTF 2018: aes-ecb-magic Writeup”
Wargames.MY CTF 2018: satu doc Writeup
This is one of the easiest question. We were give a docx file named 1.docx. Set font color to black + font size to 1, this looks… Read more “Wargames.MY CTF 2018: satu doc Writeup”
Wargames.MY CTF 2018: QuickMEH Writeup
QuickMEH.exe: https://www.dropbox.com/s/gb1279diou0ixbh/quickmeh.exe?dl=0 Hash: F55AEF2B0C5E5CD2FE89CE0556832D19750B11CF58ABCA02169D4F496C372287 First we check exe in exeinfope and we found no packer. Then we run the exe and see the text “quickmeh.exe flag ”… Read more “Wargames.MY CTF 2018: QuickMEH Writeup”
Wargames.MY CTF 2018: WASM Writeup
Write-up:
We were given a html file containing javascript code. That seems interesting, so we take a further look into it.
var bin = new Uint8Array([0,97,115,109,1,0,0,0,1,138,128,128,128,0,2,96,0,1,127,96,1,127,1,127,3,131,128,128,128,0,2,0,1,4,132,128,128,128,0,1,112,0,0,5,131,128,128,128,0,1,0,1,6,129,128,128,128,0,0,7,163,128,128,128,0,3,6,109,101,109,111,114,121,2,0,14,103,101,116,73,110,83,116,114,79,102,102,115,101,116,0,0,5,109,111,114,112,104,0,1,10,148,129,128,128,0,2,132,128,128,128,0,0,65,16,11,133,129,128,128,0,1,6,127,2,64,32,0,65,1,72,13,0,65,0,33,3,3,64,32,3,65,208,0,106,34,1,32,3,65,16,106,45,0,0,34,4,58,0,0,2,64,32,3,65,1,72,13,0,65,0,33,5,32,3,33,6,2,64,3,64,32,4,32,6,65,15,106,45,0,0,115,33,4,32,6,65,2,72,13,1,32,6,65,127,106,33,6,32,5,65,4,72,33,2,32,5,65,1,106,33,5,32,2,13,0,11,11,32,1,32,4,58,0,0,11,32,3,65,1,106,34,3,32,0,71,13,0,11,11,65,208,0,11]); var m = new WebAssembly.Instance(new WebAssembly.Module(bin)); var offset = m.exports.getInStrOffset(); var flag = prompt("teh flag?"); var strBuf = new TextEncoder().encode(flag.slice(0, 64)); var inBuf = new Uint8Array(m.exports.memory.buffer, offset, strBuf.length); for (let i = 0; i < strBuf.length; i++) { inBuf[i] = strBuf[i]; } var morph = m.exports.morph(strBuf.length); var outBuf = new Uint8Array(m.exports.memory.buffer, morph, strBuf.length); if (btoa(new TextDecoder().decode(outBuf)) === "dxB9BH8RVRMKG1NPI3UyOFRIJyJObAZdXkF8DUEJ") { document.write("congratz!"); } else { document.write("nope!"); }
We can see that the code compare the base64 encoded of the output buffer to a string "dxB9BH8RVRMKG1NPI3UyOFRIJyJObAZdXkF8DUEJ". So let decode the base64 to see what we have. We use this :
var decc = new TextEncoder().encode(atob(“dxB9BH8RVRMKG1NPI3UyOFRIJyJObAZdXkF8DUEJ”));
document.write(decc)
We got this : “119,16,125,4,127,17,85,19,10,27,83,79,35,117,50,56,84,72,39,34,78,108,6,93,94,65,124,13,65,9”
Hmmmh interesting so we compare that to the output buffer generated base on the flag we type in.
We know that the flag format is “wgmy{}” so the outbuf is “119,16,125,4,127,2”
We notice that the first 5 character have the same number as decoded base64
So we know that we can brute force it. And we got the flag: wgmy{n3!th3r_w3b_n0r_@553mb1y}
#6 Astro :Another Open Redirection Bug
In Previous Post i already disclosed an open url redirection bug in Astro’s official website . So today, I decided to take a look again in another Astro sub domain… Read more “#6 Astro :Another Open Redirection Bug”