LA CTF 2024 Writeup

CTFTime event link: https://ctftime.org/event/2102

Writeup

• web:
  • terms-and-conditions
  • flaglang
  • la housing portal
  • new-housing-portal
  • pogn
  • penguin-login
  • jason-web-token

Background

• Starts: 17 February 2024, 04:00 UTC
• Ends: 18 February 2024, 22:00 UTC

LA CTF is an annual Capture the Flag (CTF) cybersecurity competition hosted by ACM Cyber at UCLA & Psi Beta Rho. LA CTF is open to all skill levels of cybersecurity! Whether you are tackling your first exploit or have professional experience, there will be challenges just right for you! There will be a variety of events ranging from the competition containing jeopardy-style cybersecurity challenges to talks from UCLA professors to fun events such as typing competitions! If you are interested in attending, join the Discord to stay up to date with the latest information about LA CTF!

Categories:

• crypto
• misc
• pwn
• rev
• web
• welcome

Overview

• Team: ARESx
• Team Solves: 34/53
• Individual Solves: 2/53
• Score: 11030
• Global Rank: 26/1074
• Overall Difficulty To Me: ★★★★☆☆☆☆☆☆

What I’ve learned in this CTF

• web:
  1. Debugging via browser console (terms-and-conditions)
  2. Bypassing restriction with no cookies (flaglang)
  3. SQLite Union-based SQL injection with filter bypass (la housing portal)
  4. Stored XSS chained with CSRF (new-housing-portal)
  5. Exploiting WebSocket (pogn)
  6. PostgreSQL Blind-based SQL injection with conditional responses and filter bypass (penguin-login)
  7. Floating point confusion (jason-web-token)