GuidePoint Security Oct 27 2022 Writeups

CTF event link: https://www.guidepointsecurity.com/resources/guidepoint-security-capture-the-flag-october-27/

Writeups

• Web
  • Arbit
  • Brute
  • Rogue One
  • All Inclusive
  • Calc
  • Deprecated
  • Chess
  • Dev Admin
  • Responsive
  • Figgis
  • SSH Brute
• Pwnables:
  • Alphabet

Background

• Starts: Thursday, October 27th – 8:00 am EDT
• Ends: Sunday, October 30th – 5:00 pm EDT

Glad to see you’re ready to register for our latest [and greatest] Capture the Flag challenge.

Foster and enhance your knowledge and interest in cybersecurity, train up your creative thinking, and learn new skills with original content built on a capture-the-flag framework created by security and privacy experts at GuidePoint Security.

Our hands-on practical challenges take place on Thursday, October 27 @ 8am EDT and end on Sunday, October 30 @ 5pm EDT. And when you play, you can win a $100 gift card.

Overview

• Solved: 12
• Points: 3000
• Rank: 11st/200
• Total Players: 200
• Overall Difficulty To Me: Medium

What I’ve learned in this CTF

• Web:
  1. Exploiting Weborf 0.12.2 Directory Traversal (Arbit)
  2. Brute Forcing HTTP Login Page via hydra (Brute)
  3. Sending GET Requests in Python (Rogue One)
  4. Exploiting Local File Inclusion (LFI) (All Inclusive)
  5. Exploiting Command Injection (Calc)
  6. Remote Code Execution in PHP preg_replace() (Deprecated)
  7. Uploading File in a Web page? (Chess)
  8. Authentication Bypass via Weak Cookie Value (Dev Admin)
  9. Authentication Bypass via NoSQL Injection (Responsive)
  10. Exploiting Command Injection (Figgis)
  11. Enumerating SSH Username and Brute Forcing SSH Password via hydra (SSH Brute)
• Pwnables:
  1. Decoding Custom Base64 Alphabet (Alphabet)