Justin Ong

Writeup of challenges I solved for angstromCTF 2019

Can You Guess Me Given the following application: from secret import secret_value_for_password, flag, exec ... val= 0 inp = input("Input value: ") count_digits = len(set(inp)) if count_digits <= 10: # Make sure it is a number val = eval(inp) else: raise if val == secret_value_

Bogged This challenge involves issuing "bad" commands that have to be authenticated by a token generated through the following "leaked" source code: import hashlib secret = "" def generate_command_token(command, secret): hashed = hashlib.sha1(secret+command).hexdigest() return hashed def validate_input(command, token_

Future Fun This reversing challenge dropped a nearly 10MB binary on us. Given that I had no intention of reversing this mess, I took another route to solve this problem. The challenge description has interesting bits in it though: Deep on the web, I discovered a secret key validation. It

EasyPhp This challenge was split into 3 parts - one had to give inputs to fulfill all 3 parts before getting the full flag. <?php include "flag.php"; highlight_file(__FILE__); error_reporting(0); $str1 = $_GET['1']; if(isset($_GET['1'])){ if($str1

There were 3 challenges that I found really interesting - Welcome, because after getting the flag, I realised that the method I took was probably...not the right one. Useless Admin, while crib-dragging is a huge pain to execute as one has to guess words that are present in the