Grey Cat The Flag 2023 Qualifiers Writeup

CTFTime event link: https://ctftime.org/event/1938

Writeups

• Web:
  1. Fetus Web
  2. Login Bot
  3. Microservices
  4. Microservices Revenge
  5. 100 Questions
  6. Baby Web
  7. View My Albums
  8. Sort It Out (Unsolved)
• Misc:
  1. CrashPython
  2. Gotcha

Background

• Starts: 19 May 2023, 22:00 SGT
• Ends: 21 May 2023, 22:00 SGT

Grey Cat The Flag is a jeopardy-style CTF organized by NUS Greyhats (https://nusgreyhats.org/) and National Cybersecurity R&D Labs (https://ncl.sg/).

We will host the onsite finals at the National University of Singapore (NUS), to which the top 5 international teams and the top 10 Singapore teams from the qualifiers will be invited. Each team may send up to 6 people for the finals, and accommodation in Singapore will be provided for the international teams.

Categories:

• Rev
• Web
• Misc
• Pwn
• Crypto

Overview

• Team: JHDiscord
• Team Member: @siunam, @7777777, @awesome10billion, @oldschool125, @goldenturtle, @moreoflore, @Peace, @sdj04, @pho3nix, @fire
• Team Solves: 15/34
• Individual Solves: 6/34
• Score: 980
• Rank: 60/454
• Overall Difficulty To Me: ★★★★★☆☆☆☆☆

What I’ve learned in this CTF

• Web:
  1. Inspecting Source Page (Fetus Web)
  2. Exploiting Open Redirect Vulnerability To Leak Credentials (Login Bot)
  3. Exploiting HTTP Parameter Pollution In Flask & FastAPI To Bypass Validation (Microservices)
  4. Exploiting RCE Via SSTI With Filter Bypass (Microservices Revenge)
  5. Exploiting Blind SQL Injection With Conditional Responses (100 Questions)
  6. Leaking Cookies Via Reflected XSS (Baby Web)
  7. Exploiting PHP Insecure Deserialization With Custom Gadget Chain (View My Albums)
  8. Sort It Out (Unsolved)
• Misc:
  1. Crashing Python With Segmentation Fault Via ctypes Library (CrashPython)
  2. Writing A Script To Solve Captcha With OCR (Gotcha)