June 2nd, 2019


HackerOne CTF Hello World!

On this CTF you face a "What is your name?" and an option to download the binary. 

After downloading it and Ghidra, we open it up and see the name goes into a 0x20-byte buffer on the stack. OK, we should be able to overrun it and overwrite the return value. After plopping in some characters it looks like I can enter 40, and on the next one I get a 'segmentation fault' message.

Well, I dump the ROP gadgets using the 'ROPgadget --binary vulnerable-bin' command in Kali and take a further look. OK... digging further into the binary, I see a 'print flag' function. OK, I may not need the gadgets.

I just need to convert the address to the right byte order. Basically, take 0x004006ee and convert it to a 64-bit pointer that is URL-encoded: %ee%06%40%00%00%00%00%00

Boom, it prints the flag.

HackerOne CTF Postbook

Postbook... 7 flags at 4 points each.

The page looks like it can have a post timeline for posts you create, a way to sign in, sign up, etc. After creating an account I can see the other posts and see there are users 'user' and 'admin'.

First flag... log in as 'user'.  Brute force it a bit.. password is super simple.

Second flag... This involves checking post IDs that are not yours, e.g. 0, 1, ... Number 2 reveals a secret post and flag.

Third flag... You find it by looking at the source when making a new post. There is a hidden parameter in the post form that sets the user ID. Alter it so it doesn't match and boom. Third flag.

Fourth flag... This one really needs a hint... 189*5 was what they gave. Basically had to check that really high post number and boom. Flag.

Fifth flag... Edit a post and then alter the parameters to specify someone else's post. Flag.

Sixth flag... This one and the next depend on you noticing that the posts and such use a sequence of funny hashes, and that those are always in the same order. You can set your own cookie to another of the hashes in order to be signed in as another user.

Seventh Flag
When you create a post and then delete it, it passes in some kind of oddball number, "a87ff679a2f3e71d9181a67b7542122c".   If you check a few single digits as MD5 sum you find '4' hashes to that one.
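The sixth and seventh flags both come down to an unkeyed hash of a small sequential ID being used as if it were a secret. The sketch below is an added example, not code from the CTF or from this post: it shows why such a token maps straight back to its ID, next to two hardened forms (a random session token and an HMAC-signed reference). The function names, the table limit and the key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

def md5_hex(n: int) -> str:
    """The reference scheme the post describes: MD5 of the decimal ID."""
    return hashlib.md5(str(n).encode()).hexdigest()

def build_reverse_table(limit: int = 10_000) -> Dict[str, int]:
    # Sequential IDs form a tiny input space, so every hash can be precomputed.
    return {md5_hex(n): n for n in range(limit)}

def recover_id(token: str, table: Dict[str, int]) -> Optional[int]:
    """Return the integer behind an unkeyed-hash token, or None if not found."""
    return table.get(token.strip().lower())

def new_session_token() -> str:
    # Hardened session cookie: 256 random bits, not derived from the user ID.
    return secrets.token_urlsafe(32)

def sign_id(n: int, key: bytes) -> str:
    # Hardened object reference: ID plus an HMAC only the server can compute.
    mac = hmac.new(key, str(n).encode(), hashlib.sha256).hexdigest()
    return f"{n}.{mac}"

def verify_id(token: str, key: bytes) -> Optional[int]:
    """Return the ID if the MAC matches, else None (tampered or malformed)."""
    raw, _, mac = token.partition(".")
    if not (raw.isascii() and raw.isdigit()):
        return None
    expected = hmac.new(key, raw.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return int(raw) if ok else None

if __name__ == "__main__":
    table = build_reverse_table()
    seen = "a87ff679a2f3e71d9181a67b7542122c"   # value quoted in the post
    print("unkeyed MD5 token maps back to ID:", recover_id(seen, table))
    key = secrets.token_bytes(32)               # constructed server secret
    good = sign_id(4, key)
    forged = "5." + good.split(".", 1)[1]       # ID swapped, MAC reused
    print("signed token verifies:", verify_id(good, key))
    print("forged token verifies:", verify_id(forged, key))
    print("random cookie in table:", recover_id(new_session_token(), table))
```

Signing or randomizing the reference only stops it from being guessed or forged; the server still has to check that the logged-in user owns the post before editing or deleting it.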