Justin Ong (Page 2)

Justin Ong

ångstromCTF 2019

Writeup of challenges I solved for angstromCTF 2019

PlaidCTF 2019

Can You Guess Me Given the following application: from secret import secret_value_for_password, flag, exec ... val= 0 inp = input("Input value: ") count_digits = len(set(inp)) if count_digits <= 10: # Make sure it is a number val = eval(inp) else: raise if val == secret_value_for_password: print(

WPICTF 2019

Bogged This challenge involves issuing "bad" commands that have to be authenticated by a token generated through the following "leaked" source code: import hashlib secret = "" def generate_command_token(command, secret): hashed = hashlib.sha1(secret+command).hexdigest() return hashed def validate_input(command, token_in): token = hash_command(command, secret)

Singapore Robotic Games 2019

On a whim, I decided to participate in the Sumo categories in SRG 2019. This post aims to document and explain the design decisions for my robot, which had to fit within 20cm x 20cm and weigh less than 3kg. Most parts were bought from Taobao. You can find the

SwampCTF 2019

Future Fun This reversing challenge dropped a nearly 10MB binary on us. Given that I had no intention of reversing this mess, I took another route to solve this problem. The challenge description has interesting bits in it though: Deep on the web, I discovered a secret key validation. It

boot2root 2019

EasyPhp This challenge was split into 3 parts - one had to give inputs to fulfill all 3 parts before getting the full flag.

Sunshine CTF 2019

Wrestler Name Generator At first glance, a standard XXE exploit document.getElementById("button").onclick = function() { var firstName = document.getElementById("firstName").value; var lastName = document.getElementById("lastName").value; var input = btoa("" + firstName + "" + lastName+ ""); window.location.href = "/generate.php?input="+encodeURIComponent(input); }; However, after fetching

Securinets Prequals 2019

There were 3 challenges that I found really interesting - Welcome, because after getting the flag, I realised that the method I took was probably...not the right one. Useless Admin, while crib-dragging is a huge pain to execute as one has to guess words that are present in the