Security

This year’s DEF CON CTF qualifier is similar to last year’s, with mostly binary-related problems, and this year requires a lot of reverse engineering knowledge. As someone who basically doesn’t know how to reverse engineer, I can only sit on the sidelines and cheer on my teammates.

However, the only web problem this year (called Discoteq) was quite interesting. The difficulty was not high, but it tested debugging skills, observation skills, and the ability to quickly learn something new. I think it tested basic skills rather than knowledge of a particular language or framework, which was great.

Since this was the only problem that was easy to solve this year, I decided to write about it in a different way: I will walk through my thought process for solving the problem as a timeline. Each timestamp indicates how much time had elapsed since the problem was released.

Read More

I originally planned to write a more detailed post, but I realized that it might take a long time to publish. So I decided to write a brief version first.

I solved the following four web challenges:

  1. Fancy Notes
  2. Dumb Forum
  3. LESN
  4. ptMD

Here are some keywords that might be helpful for future reference:

  1. Length extension attack
  2. SSTI
  3. Mutation XSS <svg><style>
  4. <meta name="referrer" content="unsafe-url" />
  5. <meta http-equiv="refresh" content="3;url">
  6. Puppeteer’s click behavior is to capture the element position and then click the coordinates.

Read More

Recently, I was looking at some WordPress plugins and found that it was a good place to practice because there are many plugins there, and each one has source code that can be viewed. You can do black-box or white-box testing, and installation is also very convenient.

This article will discuss a vulnerability I found a while ago, which uses the most basic and classic attack method, file upload leading to RCE.

Vulnerability ID: CVE-2022-27862
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.5.3 - Arbitrary File Upload leading to RCE

Read More

I couldn’t participate on the first day of the competition due to some personal matters. When I joined on the second day, I found out that my teammates had already solved most of the web challenges, so there were many challenges that I didn’t get to see.

Since I love JavaScript and XS-leak, I will only write about the two challenges that I found most interesting:

  1. web/Sustenance
  2. misc/CaaSio PSE

(I may write about another challenge that involves DOMPurify + marked bypass XSS in the future)

Read More

I didn’t check all the challenges this time because when I joined the competition, most of the challenges had already been solved by my teammates lol

I love JavaScript (yep, including those weird features) and XS-leak, so this writeup will talk about only two challenges:

  1. web/Sustenance
  2. misc/CaaSio PSE

Read More

Among the many web vulnerabilities, my favorite is prototype pollution. It can be powerful sometimes when you find a script gadget.

So, I decided to make an XSS challenge about prototype pollution.

In April, the challenge I made was released on Intigriti. If you haven’t checked that one out yet, here is the link: https://challenge-0422.intigriti.io/

Making a good challenge is hard.

I made a few mistakes. With the bugs I made, the challenge became much easier. To make up for it, I decided to make another one, called “The Revenge of Intigriti 0422 Challenge”.

Below is the intended solution to the revenge challenge.

Challenge URL: https://aszx87410.github.io/xss-challenge/revenge-of-intigriti-0422

Read More