0x0 Before all
I don't like this CTF, and most of the challenges are not worth writing a writeup for.
All files can be found at https://github.com/infosec-ucalgary/magpieCTF-2023
0x1 [PWN] no-password-here
scanf("%s") reads without a length limit, so a long input overflows the stack buffer:
char Test[20];
payload: 'A'*40
flag: magpie{5c4nf_n07_54f3}
0x2 [PWN] no-password-here
ret2win: fill the stack with 56 + 4 bytes of padding, then overwrite EIP with the address of win():
void win(){
flag: magpie{0mn1_fl4g_3v3rywh3r3}
0x3 [Web] education-comes-first
Call hex2a in the web console:
hex2a('6d61677069657b57335f525f5337314c4c5f483352337d')
flag: magpie{W3_R_S71LL_H3R3}
0x4 [Forensic] there-is-no-flag
- binwalk to extract Flag.PNG
- repair the modified PNG header
- read the flag
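The header repair step above is where most people get stuck, so here is an added example (not from the writeup) that checks the 8-byte PNG signature, walks the chunks verifying each CRC, and only rewrites the signature when the IHDR chunk right behind it still checks out. The sample image is a constructed 1x1 PNG, not the challenge's Flag.PNG.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def has_valid_signature(data: bytes) -> bool:
    """True if the first 8 bytes are the PNG magic."""
    return data[:8] == PNG_SIGNATURE


def parse_chunks(data: bytes):
    """Walk the chunks after the signature; return (type, length, crc_ok) per chunk.
    Stops at IEND or at the first chunk whose length runs past the buffer."""
    chunks = []
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        end = pos + 12 + length
        if end > len(data):
            break  # truncated file or garbage length: stop instead of reading past the end
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored_crc  # CRC covers type + data
        chunks.append((ctype.decode("ascii", "replace"), length, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks


def repair_signature(data: bytes) -> bytes:
    """Put the correct magic back. Refuses unless an IHDR chunk with a good CRC follows,
    which is the evidence that only the header was tampered with."""
    fixed = PNG_SIGNATURE + data[8:]
    chunks = parse_chunks(fixed)
    if not chunks or chunks[0][0] != "IHDR" or not chunks[0][2]:
        raise ValueError("IHDR missing or its CRC fails: more than the signature is broken")
    return fixed


def build_sample_png() -> bytes:
    """Constructed 1x1 red RGB PNG used as sample input (not the challenge file)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8 bits/sample, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")           # filter byte 0 + one red pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


if __name__ == "__main__":
    good = build_sample_png()
    broken = b"\x00" * 8 + good[8:]  # simulate a zeroed-out header
    print("signature ok:", has_valid_signature(broken))
    print("chunks after repair:", parse_chunks(repair_signature(broken)))
```

If the IHDR CRC also fails, the damage is not limited to the signature and you should look at the chunk lengths and CRCs reported by parse_chunks before editing anything else.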
flag: magpie{m15510n_c0mpl373_w17h_r35p3c7}
0x5 [Network] eavesdropper
- open the .pcapng file
- find the HTTP request with the largest request body; the flag is in that HTTP body
flag: magpie{chOc0LatE_Ch1p_c0Ok1e5}
0x6 [Network] knock-knock-anyone-there
- bypass the WAF using
printf cmd_in_base_64 | base64 -d | sh
- set up a reverse shell
- find the password of the user sappheiros using
cat /opt/backup/*
(5up32_53cu23_p455w02d123), then
su sappheiros
- the first half of the flag is in
cat /home/sappheiros/message.txt
- capture the traffic with
tcpdump -nnA host 172.16.238.30
- the second half of the flag is hidden in the id fields of the ICMP packets; parse them with scapy:
from scapy.all import *
flag: magpie{y0u_h4v3_7h3_p0w32_70_54v3_7h3_w021d}
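The ICMP id trick deserves a closer look from the detection side, so here is an added example (not the writeup's scapy script) that parses raw ICMP echo requests without scapy, verifies the checksum, reorders the packets by sequence number and reads the id fields back as bytes. It assumes the packets are given without their IP header and the hidden message is a constructed sample, not the challenge's flag half; the encoder is there only so the example runs offline.

```python
import random
import struct

ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_echo(ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Raw ICMP echo request (type 8, code 0) with a correct checksum."""
    header = struct.pack(">BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(">BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return the header fields, or None if the packet is too short or the checksum fails
    (summing a valid packet including its checksum field gives 0)."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:
        return None
    itype, code, _csum, ident, seq = struct.unpack(">BBHHH", pkt[:8])
    return {"type": itype, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}


def encode_in_ids(message: bytes) -> list:
    """Constructed sender for the demo: two message bytes per packet in the id field,
    seq gives the order. Odd-length messages are padded with one zero byte."""
    if len(message) % 2:
        message += b"\x00"
    return [build_echo(struct.unpack(">H", message[i:i + 2])[0], i // 2 + 1)
            for i in range(0, len(message), 2)]


def extract_from_ids(packets: list) -> bytes:
    """Analyst side: keep valid echo requests, sort by seq, concatenate the 16-bit ids."""
    echoes = [e for e in map(parse_echo, packets) if e and e["type"] == ICMP_ECHO_REQUEST]
    echoes.sort(key=lambda e: e["seq"])
    return b"".join(struct.pack(">H", e["id"]) for e in echoes).rstrip(b"\x00")


def ids_look_covert(packets: list) -> bool:
    """A normal ping run keeps one id for all its echoes; a run whose id changes
    from packet to packet is the signal worth alerting on."""
    ids = {e["id"] for e in map(parse_echo, packets) if e and e["type"] == ICMP_ECHO_REQUEST}
    return len(ids) > 1


if __name__ == "__main__":
    covert = encode_in_ids(b"hidden half")  # constructed sample message
    random.shuffle(covert)  # captured packets may arrive out of order
    print("covert:", ids_look_covert(covert), extract_from_ids(covert))
    normal = [build_echo(0x1234, s, b"abcdefgh") for s in range(1, 6)]
    print("normal:", ids_look_covert(normal))
```

On a real capture you would strip the Ethernet and IP headers first (or let tcpdump/scapy do it) and feed only the ICMP bytes to parse_echo; the per-run id check is cheap enough to run over every echo request a sensor sees.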