HeroCTF v5 Writeup

CTFTime event link: https://ctftime.org/event/1951

Writeups

• Forensic:
  1. dev.corp 1/4
• Misc:
  1. PyJail
• Prog:
  1. Math Trap
• Reverse:
  1. Give My Money Back
• Sponsors:
  1. Open your eyes 1/5
• Steganography:
  1. PDF-Mess
  2. PNG-G
• System:
  1. Chm0d
  2. SUDOkLu
  3. IMF#1: Bug Hunting
  4. Drink from my Flask#2
• Web:
  1. Best Schools
  2. Referrrrer
  3. Drink from my Flask#1
  4. Blogodogo 1/2 (Unsolved)

Background

• Starts: 12 May 2023, 21:00 UTC+2
• Ends: 14 May 2023, 23:00 UTC+2

HeroCTF is an online cybersecurity competition for beginners and advanced players.

Team up to 5 players. Join us on Discord https://discord.gg/R3tdPvDcNN

Categories:

• Blockchain
• Crypto
• Forensic
• Misc
• OSINT
• Prog
• Pwn
• Reverse
• Sponsors
• Steganography
• System
• Web

Overview

• Solves: 16
• Score: 1532
• Rank: 125/1085
• Overall Difficulty To Me: ★★★★★☆☆☆☆☆

What I’ve learned in this CTF

• Forensic:
  1. HTTP Access Log Forensic (dev.corp 1/4)
• Misc:
  1. Python Jail Escape (PyJail)
• Prog:
  1. Using Python To Solve Math Problems (Math Trap)
• Reverse:
  1. Manually Deobfuscating VBScript Code (Give My Money Back)
• Sponsors:
  1. Dynamically Deobfuscating JavaScript Code (Open your eyes 1/5)
• Steganography:
  1. Extracting Embedded File In PDF (PDF-Mess)
  2. Extracting Hidden Frames In PNG (PNG-G)
• System:
  1. Modifiying File Permission Using Perl (Chm0d)
  2. Horizontal Privilege Escalation Via Misconfigurated /usr/bin/socket Sudo Permission (SUDOkLu)
  3. Port Forwarding With chisel & Enumerating YouTrack (IMF#1: Bug Hunting)
  4. Werkzeug Debug Console PIN Code Bypass With Extra Hardening, Horizontal Privilege Escalation Via Werkzeug Debug Console (Drink from my Flask#2)
• Web:
  1. Exploiting GraphQL Batching Attack (Best Schools)
  2. Exploiting Referer-based Access Control In Node.js Express (Referrrrer)
  3. Cracking JWT Secret & Exploiting RCE Via SSTI (Drink from my Flask#1)
  4. Blogodogo 1/2 (Unsolved)