CTF | Some CTF write up | Hacking library
kandi X-RAY | CTF Summary
kandi X-RAY | CTF Summary
Some CTF write up.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
- Put heapinfo info
- Print fastbin information
- Return the index of the given size
- Get the current architecture
- Read memory
- Get a value by index
- Set storage value
- Format chain
- Format a character
- Go to Mango
- Tries to poke
- Edit a book page
- Allocate a space of the given type
- Get the value of a storage index
- Register credentials
- Scrip a drug
- Format a character character
- Find pattern in gdb
- Creates a germline device
- Create a new patient
- Exploit a password
- Create SOP packet
- Open a new SSH session
- Constructs a SOP32 frame
- Generate the struct
- Create a Pill
- Upload data to given address
- Get matplotlib plot
CTF Key Features
CTF Examples and Code Snippets
Community Discussions
Trending Discussions on CTF
QUESTION
I need to generate weak certificate for CTF challenge using RSA and small modulus so it's factorable. It should be about 64 bits.
I've tried to generate that using OpenSSL as I would the normal one, but it forbids creating certificate with modulus lower than 512 bits for security reasons. So I've changed the source files of OpenSSL so it doesn't checks the bit length and recompiled that again. I was then able to create private key using smaller modulus, but trying to create certificate using that key (or new small one) evoked new error which I don't fully understand. I even wanted to evade the OpenSSL problem at all using Python, but that just showed that it uses OpenSSL too and had exactly same problems.
Generating small private key:
...ANSWER
Answered 2022-Apr-09 at 20:17I need to generate weak certificate for CTF challenge using RSA and small modulus so it's factorable. It should be about 64 bits.
It's impossible to do that as a self-signed certificate, because proper RSA signing can't work with keys that small.
RSA-SSA-PKCS1_v1.5 is the shortest structured RSA signature padding, and it's structured as (per https://datatracker.ietf.org/doc/html/rfc8017#section-9.2):
QUESTION
I'm building an application that fetches an API and fills a DB with the obtained data.
I'm trying to save to DB for each JSON row processed. When I call obj_to_insert.save()
at the end, I get an error: geotrek.trekking.models.DoesNotExist: POI matching query does not exist.
POI
is one of my models, it's correctly defined and imported. Topology
is another one of them, and I believe it's the relation between them two that I don't handle well.
Here are their classes:
ANSWER
Answered 2022-Mar-29 at 14:01The problem was my processing order. As POI
is a child of Topology
, I can't create a POI
object and link it to a POI
object created afterwards. As I switch my app from SQLAlchemy, the logic for this kind of things is different.
QUESTION
im doing a ctf challenge about an SSTI. The solution payload is
...ANSWER
Answered 2022-Mar-20 at 15:26-1
is just the value of subprocess.PIPE
QUESTION
i'm currently learning about buffer overflows in c, and i'm following this video as a tutorial.
So I have the following code:
...ANSWER
Answered 2022-Jan-30 at 19:40Stack smashing is when you overwrite the special values (return address, previous ebp
register value) on your function's stack frame.
This is is a common bug and is a security flaw. Most compilers now add a simple check in your function prologue and epilogue to check whether the values changed. This is the stack smashing error you are causing.
To prevent the copmiler from inserting the stack-smashing check, use the -fno-stack-protector
compiler flag. (as @Grazosi suggested).
This will cause you program to use a (probably) invalid return address, and will cause a segmentation fault (invalid memory access)
QUESTION
I'm doing a few integer for myself, where I'm trying to fully understand integer overflow.
I kept reading about how it can be dangerous to mix integer types of different sizes. For that reason i wanted to have an example where a short would overflow much faster than a int. Here is the snippet:
...ANSWER
Answered 2021-Dec-26 at 23:49It is called an implicit conversion.
From C standard:
Several operators convert operand values from one type to another automatically. This subclause specifies the result required from such an implicit conversion, as well as those that result from a cast operation (an explicit conversion ). The list in 6.3.1.8 summarizes the conversions performed by most ordinary operators; it is supplemented as required by the discussion of each operator in 6.5
Every integer type has an integer conversion rank defined as follows:
- No two signed integer types shall have the same rank, even if they have the same representation.
- The rank of a signed integer type shall be greater than the rank of any signed integer type with less precision.
- The rank of long long int shall be greater than the rank of long int, which shall be greater than the rank of int, which shall be greater than the rank of short int, which shall be greater than the rank of signed char.
- The rank of any unsigned integer type shall equal the rank of the corresponding signed integer type, if any.
- The rank of any standard integer type shall be greater than the rank of any extended integer type with the same width.
- The rank of char shall equal the rank of signed char and unsigned char.
- The rank of _Bool shall be less than the rank of all other standard integer types.
- The rank of any enumerated type shall equal the rank of the compatible integer type (see 6.7.2.2).
- The rank of any extended signed integer type relative to another extended signed integer type with the same precision is implementation-defined, but still subject to the other rules for determining the integer conversion rank.
- For all integer types T1, T2, and T3, if T1 has greater rank than T2 and T2 has greater rank than T3, then T1 has greater rank than T3.
- The following may be used in an expression wherever an int or unsigned int may be used: — An object or expression with an integer type (other than int or unsigned int) whose integer conversion rank is less than or equal to the rank of int and unsigned int.
- A bit-field of type _Bool, int, signed int, or unsigned int. If an int can represent all v alues of the original type (as restricted by the width, for a bit-field), the value is converted to an int; otherwise, it is converted to an unsigned int. These are called the integer promotions.58) All other types are unchanged by the integer promotions.
- The integer promotions preserve value including sign. As discussed earlier, whether a ‘‘plain’’ char is treated as signed is implementation-defined.
You cant avoid implicit conversion but you can cast the result of the operation to the required type
QUESTION
I'm doing the ctf challenge from 247CTF "impossible numbers". The challenge is about integer overflow, and consists of the following file:
...ANSWER
Answered 2021-Dec-19 at 19:24As has been noted in the comments, signed integer overflow is undefined behavior in C.
The game's version of the program was apparently built with a compiler that handles it naively: by actually adding 1 to impossible_number
(using ordinary two's-complement addition), then comparing the result with impossible_number
and executing the fopen
if it's less. In that case inputting 2147483647 works, as you saw. In my tests, clang without optimizations behaves like this.
But there are other possibilities. For instance, recent versions of GCC, even with -O0
, notice that the test can't be true in any case when overflow doesn't occur. And if overflow does occur, the behavior is undefined, and so the compiler is at perfect liberty to do whatever it likes in that case. So it is allowed to assume that the test can't ever be true, and that's what it does: it optimizes away the entire if
block, including the test itself which is now redundant. Try on godbolt; note that the generated assembly contains no call to fopen
at all. So this program compiled with GCC is not vulnerable. The same is true for clang if optimizations are enabled (-O1
or higher).
(You can force the "naive" behavior in either compiler by compiling with -fwrapv
. There is also -ftrapv
which forces the program to abort if signed integer overflow ever occurs; it has a substantial runtime performance cost, but might be desirable when security is critical.)
Thus for an attack like this, you have to not only read the source code of the vulnerable program, but also be able to discover or guess what is in the compiled code that the victim is actually using.
QUESTION
I'm trying to check for a certain chain of events in an LTTNG event log using Babeltrace 1. The LTTNG log is loaded using a Babeltrace collection:
...ANSWER
Answered 2021-Dec-16 at 14:34Babeltrace co-maintainer here.
Indeed, Babeltrace 1 reuses the same event record object for each iteration step. This means you cannot keep an "old" event record alive as its data changes behind the scenes.
The Python bindings of Babeltrace 1 are rudimental wrappers of the library objects. This means the same constraints apply. Also, Babeltrace 1 doesn't offer any event record object copying function, so anything like copy.copy()
will only copy internal pointers which will then exhibit the same issue.
Babeltrace (1 and 2) iterators cannot go backwards for performance reasons (more about this below).
The only solution I see is making your own event record copying function, keeping what's necessary in another instance of your own class. After all, you probably only need the name, timestamp, and some first-level fields of the event record.
But Babeltrace 2 is what you're looking for, especially since we don't maintain Babeltrace 1 anymore (except for critical/security bug fixes).
Babeltrace 2 offers a rich and consistent C API where many objects have a reference count and therefore can live as long as you like. The Babeltrace 2 Python bindings wrap this C API so that you can benefit from the same features.
While the C API documentation is complete, unfortunately the Python bindings one is not. However, we have this, which at least shows some examples to get you started.
About your comment:
since it seems the events are a kind of linked list where one could walk backward
No, you cannot. This is to accomodate limitations of some trace formats, in particular CTF (the format which LTTng uses). A CTF packet is a sequence of serialized binary event records: to decode event record N, you need to decode event record N - 1 first, and so on. A CTF packet can contain thousands of contiguous event records like this, CTF data streams can contain thousands of packets, and a CTF trace can contain many data streams. Knowing this, there would be no reasonable way to store the offsets of all the encoded CTF event records so that you can iterate backwards without heavy object copies.
What you can do however with Babeltrace 2 is keep the specific event record objects you need, without any copy.
In the future, we'd like a way to copy a message iterator, duplicating all its state and what's needed to continue behind the scenes. This would make it possible to keep "checkpoint iterators" so that you can go back to previous event records if you can't perform your analysis in one pass for some reason.
Note that you can also make a message iterator seek a specific timestamp, but "fast" seeking is not implemented as of this date in the ctf
plugin (the iterator seeks the beginning of the message sequence and then advances until it reaches the requested timestamp, which is not efficient).
QUESTION
I'm doing a CTF activity that I have been working on for the past week and I cannot seem to figure out what is going wrong. To break it down it goes something like this:
- It is an application that consist of 3 tabs, "Balances", "Transactions", and "Payments"
- Everytime you click on one of those tabs, information is displayed which comes from an API.
- But the API call for "Balances" is broken, when it is requested, nothing shows up under the Balance tab and it returns a 404 resource not found error.
So far I've used cURL to try and talk to the API through that and made sure there was no errors in the spelling of the requested site but still no luck.
I would appreciate it if someone could guide me in the right direction or maybe suggest an approach to take instead of giving out what to do step for step which would be much appreciated :).
Edit: The API call is intentionally broken, the challenge is to figure out why it is broken and how to fix it.
Thanks!
...ANSWER
Answered 2021-Nov-14 at 04:58kek just solved this very challenge.
Have you considered that the "Cyber Gang" (context of the challenge) may have changed the endpoint from balances to something else?
Considering that you get a 404 balance from curling get-balances, perhaps you could figure out a way to find other subdomains :)
QUESTION
Recently I came past this write up of a CTF on hackerone. In this writeup part of completing the challenge was to perform a timing attack. It spiked my interest and I wanted to create a webite that would be prone to a timing attack.
To do this I decided on nodejs, as that is what I am most familiar with. However, I was not able to replicate it, so I had to create my own strcmp
function and induce time difference inside that function. For now the code looks like this
ANSWER
Answered 2021-Oct-20 at 10:49I would imagine that the time required to set up and process an HTTP POST request is much greater than the time taken to compare two characters in a string.
Try aggregating the time required for multiple calls with the same value. Perhaps then you'll see a difference:
QUESTION
I am doing a CTF challenge. I open a broken BMP image file with a hex editor (HexFiend). I highlight 4 bytes in hex 8E262C00
. In the bottom, HexFiend shows their value in decimal 2893454
. However, I use online hex to decimal converting tool, their value is 2384866304
.
Do anyone know how HexFiend comes up with 2893454
?. I believe it is a correct answer, because that is the size of the file.
ANSWER
Answered 2021-Aug-17 at 07:03It's the endianness of the file.
A binary encoded file can be encoded with small or big endian. The difference is which succession the single bytes have, i.e. if you read them from left or from right. Note that the order of bits almost always is big endian. The natural way of reading is big ending; the bytes are stores as you would expect it. 8E262C00
becomes 8E 26 2C 00
. This file, however, seems to be stored in small endian format. The order is flipped. In other words; 8E262C00
now becomes 00 2C 26 8E
which then results in the decimal representation of 2893454
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install CTF
You can use CTF like any standard Python library. You will need to make sure that you have a development environment consisting of a Python distribution including header files, a compiler, pip, and git installed. Make sure that your pip, setuptools, and wheel are up to date. When using pip it is generally recommended to install packages in a virtual environment to avoid changes to the system.
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page