added byuctf24 writeups

content/ctf-writeups/_index.md

@@ -4,7 +4,8 @@ toc: true
 ---
 
 {{< cards >}}
+  {{< card link="byu-ctf" title="BYUCTF'24" icon="pencil" >}}
+  {{< card link="bo1lers-ctf" title="Bo1lersCTF'24" icon="pencil" >}}
+  {{< card link="amateur-ctf" title="AmateurCTF'24" icon="pencil" >}}
   {{< card link="backdoor-weekly" title="BackdoorWeekly" icon="pencil" >}}
-  {{< card link="amateur-ctf" title="AmateurCTF24" icon="pencil" >}}
-  {{< card link="bo1lers-ctf" title="Bo1lersCTF24" icon="pencil" >}}
 {{< /cards >}}

content/ctf-writeups/byu-ctf/aresa.md

@@ -0,0 +1,66 @@
+---
+layout: post
+title: BYUCTF 2024 | Are S A?-writeup
+date: 2024-05-23
+tags: ['BYUCTF24']
+---
+
+# crypto/Are S A? [353 Solves]
+
+## Challenge Description
+> Found these keys... wonder what they do...
+### Challenge Author
+> Author: overllama
+---
+
+## Challenge Files
+we are provided with a text file 
+```txt
+n =  128393532851463575343089974408848099857979358442919384244000744053339479654557691794114605827105884545240515605112453686433508264824840575897640756564360373615937755743038201363814617682765101064651503434978938431452409293245855062934837618374997956788830791719002612108253528457601645424542240025303582528541
+e =  65537
+c =  93825584976187667358623690800406736193433562907249950376378278056949067505651948206582798483662803340120930066298960547657544217987827103350739742039606274017391266985269135268995550801742990600381727708443998391878164259416326775952210229572031793998878110937636005712923166229535455282012242471666332812788
+```
+## Solution
+we are provided with a text file that contains three parameters `n, e, c` without context. guessing from the challenge name, we could assume these to be the parameters of the RSA cryptosystem. therefore, we could conclude the goal of this challenge to retrieve the plaintext `m`.
+
+the very first intuition i had was perhaps `n` is a prime? we could quickly test this using the following script
+
+```py 
+from Crypto.Util.number import *
+
+n =  128393532851463575343089974408848099857979358442919384244000744053339479654557691794114605827105884545240515605112453686433508264824840575897640756564360373615937755743038201363814617682765101064651503434978938431452409293245855062934837618374997956788830791719002612108253528457601645424542240025303582528541
+
+print(isPrime(n))
+```
+and the result is 
+```bash
+fooker@fooker:~/byuctf-2024/crypto/Are_SA?$ python3 solve.py
+True
+````
+the result is positive which implies we can compute the reverse of the encryption function
+## Decryption
+the encryption scheme could be mathematically represented as 
+$$
+c \equiv m^e \pmod{n}
+$$
+since we can know compute `d` such that $ed = 1 \pmod{n - 1}$
+$$
+\implies c^d \equiv (m^e)^d \equiv m^{ed} \equiv m \pmod{n} 
+$$
+which computes the plaintext that we require!
+
+## Solve Script
+```py
+from Crypto.Util.number import *
+
+n =  128393532851463575343089974408848099857979358442919384244000744053339479654557691794114605827105884545240515605112453686433508264824840575897640756564360373615937755743038201363814617682765101064651503434978938431452409293245855062934837618374997956788830791719002612108253528457601645424542240025303582528541
+e =  65537
+c =  93825584976187667358623690800406736193433562907249950376378278056949067505651948206582798483662803340120930066298960547657544217987827103350739742039606274017391266985269135268995550801742990600381727708443998391878164259416326775952210229572031793998878110937636005712923166229535455282012242471666332812788
+
+print(long_to_bytes(pow(c, pow(e, -1, n - 1), n)))
+```
+and that gives us the flag 
+```bash
+fooker@fooker:~/byuctf-2024/crypto/Are_SA?$ python3 solve.py
+b'byuctf{d1d_s0m3_rs4_stuff...m1ght_d3l3t3_l4t3r}'
+```

content/ctf-writeups/byu-ctf/arguments.md

@@ -0,0 +1,94 @@
+---
+layout: post
+title: BYUCTF 2024 | arguments-writeup
+date: 2024-05-23
+tags: ['BYUCTF24']
+---
+
+# web/arguments-writeup
+
+## Challenge Description
+
+We are given a website that basically perform 2 tasks:
+
+- Uploading files
+- Downloading the tar of all uploaded files
+
+the source code of both these functionalities are as given:
+```python
+# upload file
+@app.route('/api/upload', methods=['POST'])
+def upload():
+    file = request.files.get('file', None)
+    if file is None:
+        return 'No file provided', 400
+
+    # check for path traversal
+    if '..' in file.filename or '/' in file.filename:
+        return 'Invalid file name', 400
+
+    # check file size
+    if len(file.read()) > 1000:
+        return 'File too large', 400
+
+    file.save(f'uploads/{g.uuid}/{file.filename}')
+    return 'Success! <script>setTimeout(function() {window.location="/"}, 3000)</script>', 200
+
+
+# download file
+@app.route('/api/download', methods=['GET'])
+def download():
+    @after_this_request
+    def remove_file(response):
+        os.system(f"rm -rf uploads/{g.uuid}/out.tar")
+        return response
+
+    # make a tar of all files
+    os.system(f"cd uploads/{g.uuid}/ && tar -cf out.tar *")
+
+    # send tar to user
+    return send_file(f"uploads/{g.uuid}/out.tar", as_attachment=True, download_name='download.tar', mimetype='application/octet-stream')
+
+```
+
+## Solution
+
+We tried fuzzing with the filename parameter and zip slips to read server files but with no success. Also, only been able to read server files would have been a waste because we didn't knew the name of the flag as it was randomized ( in Dockerfile):
+
+```Dockerfile
+RUN mv /flag.txt /flag_$(cat /dev/urandom | tr -dc a-f0-9 | fold -w32 | head -n1)
+```
+
+So what we actually needed was RCE. Learning about various vulnerabilities that could give us RCE, we discovered that the command
+```python
+os.system(f"cd uploads/{g.uuid}/ && tar -cf out.tar *")
+```
+was actually vulnerable to `TAR Command Execution`, which could give us RCE.
+Upon learning about the `TAR Command Execution`, we found out that 
+
+ `By using tar with –checkpoint-action options, a specified action can be used after a checkpoint`. 
+
+![Image 1](./assets/arg1.png)
+
+ Upon looking for payloads, we found this on PayloadOfAllThings:
+
+ ```
+ --checkpoint=1
+--checkpoint-action=exec=sh shell.sh
+shell.sh   (your exploit code is here)
+```
+
+After that we tried uploading files with these name 
+`--checkpoint-action=exec=python3 -c "import os;x = chr(47);os.system(f'cp {x}flag* .')"` and `--checkpoint=1`. It should have basically copied the flag to this current directory when  `tar * ` command is run, but this resulted in internal server error. 
+
+The error didn't occured when we uploaded an arbitriary file before these files. After we hit the download button we recieved only the arbitriary file we uploaded. But after refreshing the page, file listing showed an additional file named `flag_89bb6db3a579141b2cd5c7d01fedf863` 
+.
+
+![](./assets/arg2.png)
+
+
+After downloading the tar again and reading the `flag_89bb6db3a579141b2cd5c7d01fedf863` file, we get the flag:
+
+
+
+`byuctf{argument_injection_stumped_me_the_most_at_D3FC0N_last_year}`

content/ctf-writeups/byu-ctf/austen_supremacy.md

@@ -0,0 +1,30 @@
+---
+layout: post
+title: BYUCTF 2024 | Austen Supremacy-writeup
+date: 2024-05-23
+tags: ['BYUCTF24']
+---
+
+# crypto/Austen Supremacy
+
+## Description
+
+Lydia loves Jane Austen. In fact, her favorite book is Pride and Prejudice. Her and her friends like to talk about the book together, but recently Lydia has started encoding her messages. Unfortunately Lydia's friends don't understand her secret code -- could you help them out and identify the secret message?
+
+Flag format -byuctf{secretmessage}
+
+```1.1.1 8.9.8 10.2.11 4.14.28 61.2.4 47.10.3 23.7.37 41.12.4 17.6.10 1.1.21```
+
+## Author:cybercomet
+
+## Solution
+
+As the description it looks like the book cipher from the book Pride and Prejudice
+https://www.gutenberg.org/files/1342/old/pandp12p.pdf
+
+Than I thought that it be either chapter.sentence.word or chapter.paragraph.word But none made sense 
+Than we thought maybe chap para letter or page para letter 
+And after trying Chapter.Para.letter we got a meaningful word
+Ilovedarcy
+So,
+```flag : byuctf{Ilovedarcy}```

content/ctf-writeups/byu-ctf/didnobody.md

@@ -0,0 +1,26 @@
+---
+layout: post
+title: BYUCTF 2024 | Did Nobody See?-writeup
+date: 2024-05-23
+tags: ['BYUCTF24']
+---
+
+# Forensics/Did Nobody See? Writeup -->
+
+## Challenge Description 
+>We recently obtained a triage image from a Windows laptop belonging to a suspected ransomware operator. The suspect used several anti-forensic techniques and managed to erase any form of web history. We suspect that we may be able to use data from DNS servers as evidence to tie the suspect to the operation. Unfortunately, the suspect was using a VPN. Can you find any DNS servers used during the VPN connection?
+
+## Solution 
+Here we need to find the ip address used to make connection with Windows laptop and as we are given the triage image we have the access to all the registry hives stored under 
+
+`did-nobody-see\Windows\System32\config` and the fact we would use is that all the IP addresses of the various network interfaces are stored under:
+
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces`
+
+so we extract the Sytem regitsry from the folder and use a famous tool known as `Registry Explorer` [tool](https://ericzimmerman.github.io/#!index.md) by Eric Zimmerman  to parse the registry and go to the desired location and we find 
+
+![alt text](./assets/didnobody.png)
+
+We can find 2 ip associated with the connected name server and anyone of them is the correct flag so the flag for the challenge was
+
+`byuctf{162.252.172.57}` or `byuctf{149.154.159.92}`