HKCERT CTF 2024 Writeup

Writeup

• Web
  1. Mystiz’s Mini CTF (1)
  2. Mystiz’s Mini CTF (2)
  3. Webpage to PDF (2)
  4. JSPyaml

Background

• Starts: 08 Nov. 2024, 10:00 UTC
• Ends: 10 Nov. 2024, 10:00 UTC

HKCERT Capture The Flag 2024,” organised by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and the Hong Kong Productivity Council (HKPC), is now in its fifth edition. It is one of the largest cybersecurity competitions in Hong Kong, featuring four categories: Secondary School, Tertiary, Open, and International.

This year there will be an online Jeopardy CTF (qualifying round) and a physical King-of-the-Hill style CTF (Final round).

Categories:

• Web
• Crypto
• Reverse
• Pwn
• Misc
• Forensic

Overview

• Team: NuttyShell Red
• Team Solves: 31/58
• Individual Solves: 5/58
• Score: 4470
• Global Rank: 29/829
• Tertiary Division Rank: 6/64
• Overall Difficulty To Me: ★★★★★☆☆☆☆☆

What I’ve learned in this CTF

• Web
  1. Mystiz’s Mini CTF (1) - Leaking ORM model attributes
  2. Mystiz’s Mini CTF (2) - Mass assignment
  3. Webpage to PDF (2) - Python pdfkit Local File Inclusion via <meta> tag
  4. JSPyaml - Client-side YAML deserialization to server-side YAML deserialization via Pyodide