kmh's blog

TI-1337 Plus CE: Abusing CPython internals

Feb. 7, 2021

I wrote a pyjail for DiceCTF this weekend that I was pretty proud of. 7 teams (out of over 1,000) solved it, all using unintended but very cool solutions. I’ll go over my approach, and briefly describe the others when relevant.

Initial analysis

Texas Instruments just released the latest iteration of their best-selling TI-1337 series: the TI-1337 Plus Color Edition!

nc dicec.tf 31337

ti1337plusce.tar.gz

A custom version of CPython is compiled with some randomized secrets passed to the C preprocessor after applying a patch.


Repl.it XSS

Jun. 26, 2019

I recently found a rather interesting, non-traditional XSS vulnerability in repl.it. I was inspired to try this after reading a writeup for Pastetastic from Google CTF 2019, which showed off some really cool cross-origin stuff with iframes.

In case you’re not familiar with repl.it, it’s basically an online IDE with tons of features, including website hosting. Each program you make runs in its own environment called a “repl” (it’s a lot more than just a read-eval-print loop).

While messing around with how different features worked, I discovered that repls for static sites (HTML, CSS, JS) were previewed in a few nested iframes. Specifically, the site preview consisted of an iframe of https://replbox.repl.it/public/secure/, which contained a blank iframe manipulated by its parent, which was modified to contain an iframe pointing to the URL where the static files are hosted:

https://replbox.repl.it/data/web_hosting_1/<username>/<repl_name>/


Google CTF 2019

Jun. 24, 2019

I played Google CTF as a part of the team pearl this past weekend. We did okay, placing 50th (obviously not a high school CTF). I solved one web challenge that I really liked — gLotto.

gLotto

22 solves, 288 points

Are you lucky?

https://glotto.web.ctfcompetition.com/

Analysis

The link goes to a “lottery” website, with tables of past winning tickets and an option to check your ticket. At the bottom of the page, there is a link to show the source.


ångstromCTF 2019

Apr. 24, 2019

This was my second year organizing ångstromCTF. Compared to last year, I wrote a lot more challenges and did a lot more work on the platform. Despite some site stability issues, we still ended up with over 1,300 scoring teams. Here are the challenges I wrote (this is going to be a long post):


TJCTF 2018

Aug. 12, 2018

I played TJCTF as part of the team pearl, and we solved every challenge, placing second overall. The Abyss was a Python jail challenge worth 160 points — since I really enjoy this type of challenge, I figured it was worth writing up.

The Abyss

You are able to netcat to a server where you get a Python prompt that execs whatever you enter. However, what you can run is heavily filtered and dangerous functions are filtered from builtins.

The biggest restriction is that nothing containing __ is allowed, which prevents most Python jail escapes from working. The solution involves creating a code object, and using that to create a function object that you can run to get the flag.


ångstromCTF 2018

Mar. 22, 2018

I helped organize ångstromCTF this past week, and it was a huge success with over 1,500 scoring teams. Here are the challenges I wrote:


Takoma Park CTF

Feb. 5, 2018

I ran TPCTF with a couple friends back in 2017, when I was in middle school. The challenges were pretty bad, but somehow we managed to get 500 teams to play. If you’re interested, you can view the archived website, challenges, and community-created writeups.
