SekaiCTF 2024 writeups


My writeups for SekaiCTF 2024

CalcQL
Use CodeQL to find the function that returns 42. Author: irogir

Nice, a chance to use CodeQL.

Challenge
Write a CodeQL query that detects functions that return 42. The CodeQL query must run on Sekai’s challenge platform over 2 files, that are randomly generated and ~3500 lines long. The backend codebase and Dockerfile were provided to the participants for simplicity’s sake, and CodeQL is available publicly if you dare to install it.…

Using structural directives


Today, I finally got a chance to explore structural directives in Angular. It’s actually really nice to use for any kind of DOM insertion/adjustment purposes :)

How structural directives work
- Create an Angular directive
- At construction time, you will be able to use DI to get a ViewContainerRef and a TemplateRef
- At some point, you should call viewContainerRef.createEmbeddedView(templateRef) to put the element into the DOM
- At any point, you can also call viewContainerRef.…

How semver makes sense in my head


Current descriptions of semver, e.g. in https://semver.org, focus heavily on the change that you made rather than what you’re communicating to your library consumers. I think that needs to change.

How I explain semver
I’ve explained semver within my team in a different way:
- MAJOR versions mean that you have to do extra work to update to the latest version
- MINOR versions mean that you have to do extra work to downgrade from the latest version
- PATCH versions mean you don’t have to do extra work to upgrade or downgrade.…

You can detect password managers with mutation observers


You can detect password managers with mutation observers. Makes sense, since they have to insert their UI into the DOM next to the password fields.

    <script>
    new MutationObserver((mutationList) => {
      // Collect every node added in this batch and look for 1Password's custom element
      const has1password = mutationList
        .filter(event => event.type === 'childList')
        .map(event => [...event.addedNodes])
        .flat(1)
        .some(node => node.nodeName === 'COM-1PASSWORD-BUTTON');
      if (has1password) {
        console.log("hello 1password");
      }
    }).observe(document.body, { childList: true, subtree: true });
    </script>

…

KalmarCTF 2023 - EZ Web - Writeup


I participated in KalmarCTF as part of team Kassipojad :cat2:. One of the best CTFs I’ve ever played!! Here’s a writeup of the EZ Web task, or rather a dump of the notes I took:

What do we know?
- URL https://www.caddy.chal-kalmarc.tf/flag.txt returns 403
- https://php.caddy.chal-kalmarc.tf/flag.txt
- https://php.caddy.chal-kalmarc.tf/index.php
- https://static.caddy.chal-kalmarc.tf/logo_round.svg
- Source is included
- compose file includes some backup step
- Backups folder includes the host
- cp -r *.caddy.chal-kalmarc.tf backups/ && rm php.caddy.chal-kalmarc.tf/flag.txt && sleep 1 && caddy run
- Can use slashes in host
- Caddy v1 has an admin API on a separate port
- Caddy matchers (respond /flag.…

KalmarCTF 2023 - Invoiced - Writeup


Final working payload
- Name: a</title><meta http-equiv="Refresh" content="0; url='http://127.0.0.1:5000/orders'" />
- Others: empty

What we know
- Download source
- Read files:
  - payments.js - get discount code FREEZTUFSSZ1412
  - app.js - get the implementation
- GET /cart => show form to post to checkout
- POST /checkout => visit url, turn to pdf
- pdf impl: open puppeteer, visit /renderInvoice?name=…, wait for networkidle0, bake to pdf
- GET /renderInvoice => replace variables in template
- URL parameters are rendered without escaping => XSS
- GET /orders => return flag
- Find unique safety features:
  - /renderInvoice has: CSP default-src unsafe-inline maxcdn.…

KalmarCTF 2023 - kalmarunionen-fun - Writeup


Learnings
- Don’t overthink it - we were about to cross reference Harry Potter spells
- Keep your old code around - my renderer was based on a 2014 project which really sped up the prototyping
- Live for this moment:

Writeup
- We found a bunch of data of a rumored accelerometer
- My first instinct was to render it
- Maybe my first instinct should’ve been to make a kalman filter to smooth out the true position…
- I rendered it
- It was really painful to watch 2.…

KalmarCTF 2023 - renaissance-flag-music - writeup


What we did
- It was mostly google-fu or having sufficient previous background knowledge (e.g. someone who has studied music or has played guitar)
- Detect that WeirdTable.png maps chords to letters
- Detect that FlagMusic.png is some musical notation
- … renaissance music? … look up renaissance notation => find French lute tablature
- so it’s essentially a French lute tab
- empty=X, A=open, B=1st fret, C=2nd, …
- ok so… what is the tuning? French lutes are tuned how?…

Tartu CTF 2018 - Writeup


I participated in a cybersecurity contest called a CTF (for capture the flag). It’s a format of a security game where contestants have to attack a web or other type of server, and to prove their progress in breaking the server, they submit text strings called “flags” found at various steps of progress. In the Tartu CTF 2018, we were playing the Game of Thrones CTF. At the start of the contest, we were given an IP address and nothing else.…

Hack The Box: Poison - Writeup


NOTE: we did that in CyberCamp 2018. Just re-solving it.

IP: 10.10.10.84

nmap
Scanning 10.10.10.84 [65536 ports]
Discovered open port 80/tcp on 10.10.10.84
Discovered open port 22/tcp on 10.10.10.84

Web server
Web server has a bunch of “testing PHP scripts”. One of the scripts is called listfiles.php, which lists the folder. Among the PHP files there’s also a file called pwdbackup.txt:

This password is secure, it's encoded atleast 13 times.. what could go wrong really.…