Tag: CTF
TI-1337 Plus CE: Abusing CPython internals
Feb. 7, 2021
I wrote a pyjail for DiceCTF this weekend that I was pretty proud of. 7 teams (out of over 1,000) solved it, all using unintended but very cool solutions. I’ll go over my approach, and briefly describe the others when relevant.
Initial analysis
Texas Instruments just released the latest iteration of their best-selling TI-1337 series: the TI-1337 Plus Color Edition!
nc dicec.tf 31337
A custom version of CPython is compiled with some randomized secrets passed to the C preprocessor after applying a patch.
Google CTF 2019
Jun. 24, 2019
I played Google CTF as a part of the team pearl this past weekend. We did okay, placing 50th (obviously not a high school CTF). I solved one web challenge that I really liked — gLotto.
gLotto
22 solves, 288 points
Are you lucky?
Analysis
The link goes to a “lottery” website, with tables of past winning tickets and an option to check your ticket. At the bottom of the page, there is a link to show the source.
ångstromCTF 2019
Apr. 24, 2019
This was my second year organizing ångstromCTF. Compared to last year, I wrote a lot more challenges and did a lot more work on the platform. Despite some site stability issues, we still ended up with over 1,300 scoring teams. Here are the challenges I wrote (this is going to be a long post):
- Aquarium, 50 points
- Pie Shop, 100 points
- Returns, 160 points
- Server, 180 points
- Weeb Hunting, 180 points
- TI-1337, 250 points
- Bugger, 200 points
- Control You, 20 points
- DOM Validator, 130 points
- NaaS, 140 points
- GiantURL, 190 points
TJCTF 2018
Aug. 12, 2018
I played TJCTF as part of the team pearl, and we solved every challenge, placing second overall. The Abyss was a Python jail challenge worth 160 points — since I really enjoy this type of challenge, I figured it was worth writing up.
The Abyss
You are able to netcat to a server where you get a Python prompt that execs whatever you enter. However, what you can run is heavily filtered and dangerous functions are filtered from builtins.
The biggest restriction is nothing with __, which prevents most Python jail escapes from working. The solution involves creating a code object, and using that to create a function object that you can run to get the flag.
ångstromCTF 2018
Mar. 22, 2018
I helped organize ångstromCTF this past week, and it was a huge success with over 1,500 scoring teams. Here are the challenges I wrote:
- Sequel, 50 points
- Weird Message, 100 points
- File Storer, 160 points
- The Best Website, 230 points
- ssh, 150 points (co-wrote with defund, check his writeup repository)
Takoma Park CTF
Feb. 5, 2018
I ran TPCTF with a couple friends back in 2017, when I was in middle school. The challenges were pretty bad, but somehow we managed to get 500 teams to play. If you’re interested, you can view the archived website, challenges, and community-created writeups.