Orel Gispan

UofTCTF 2024 Writeups

This time we reached 83rd place out of 1225 teams, which is a really nice score.

Although it wasn't a very hard CTF, I found it fun and some of the challenges were challenging.



 

Voice Changer - Web



This challenge provided a link to a voice changer web application.



The request contained parameters that were related to the pitch and the uploaded recording.

In the server's response we can see that the web application ran an ffmpeg command (ffmpeg is video/audio handling software) in the operating system shell.



After analyzing the web app's behavior, I noticed that it used the 'pitch' parameter as an argument to the ffmpeg command. I tried breaking out of the command execution context and running an additional command.




uoftctf{Y0UR Pitch IS 70O H!9H}
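
The root cause and its fix, as an added example (not the challenge's source, which this page does not show). The ffmpeg command shape, the 0.5 to 2 pitch range, and the function names are assumptions; the file paths are assumed to be generated by the server, not taken from the request.

```javascript
// Vulnerable shape (assumed): the parameter is pasted into a string that a shell
// will parse, so shell metacharacters in `pitch` are interpreted by the shell.
function shellString(pitch, inPath, outPath) {
  return `ffmpeg -y -i "${inPath}" -af "asetrate=44100*${pitch}" "${outPath}"`;
}

// Hardened, step 1: accept only a plain decimal in a sane range.
function parsePitch(raw) {
  if (typeof raw !== 'string' || !/^\d{1,2}(\.\d{1,3})?$/.test(raw)) {
    throw new RangeError('pitch must be a decimal number');
  }
  const pitch = Number(raw);
  if (pitch < 0.5 || pitch > 2) throw new RangeError('pitch out of range');
  return pitch;
}

// Hardened, step 2: build an argument vector. Each element reaches ffmpeg as one
// argument and no shell ever parses the values.
function ffmpegArgs(rawPitch, inPath, outPath) {
  const rate = Math.round(44100 * parsePitch(rawPitch));
  return ['-y', '-i', inPath, '-af', `asetrate=${rate},aresample=44100`, outPath];
}

// Run ffmpeg without a shell (execFile does not spawn one by default).
async function changePitch(rawPitch, inPath, outPath) {
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  return promisify(execFile)('ffmpeg', ffmpegArgs(rawPitch, inPath, outPath));
}
```
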


 

The Varsity - Web



In this challenge, we got a website that allows the reading of newspapers, but some of the newspapers are for subscribers.

We also got the source code.




We can see that article 10 is only for subscribers.

I could not find a way to be a subscriber (bypassing the voucher option in the registration form) so I checked for business logic related bugs.




If we enter '9' (which is actually the 10th issue) as the issue number, the code will enter the second 'if' statement and will return an error.

However, if we enter '9;' as the issue number, it will not enter the second 'if' statement because

issue >= 9

returns 'false' as '9;' cannot be parsed as a number.


After that, the string '9;' enters:

issue = parseInt(issue);

The 'issue' variable value will be 9 because the parseInt() function parses the input up to the first non-numeric character.


Now, since the 'issue' variable is an integer and is within the articles range, it will not enter the next 'if' statement:

if (Number.isNaN(issue) || issue > articles.length - 1) {

And then it retrieves issue number 9 that contains the flag:

return res.json(articles[issue]);


uoftctf{w31rd_b3h4v10r_0f_parseInt()!}
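
The check order described above, reconstructed next to a stricter version, as an added example (not the challenge's source). The `articles` array, the `isSubscriber` flag, the error objects and both function names are assumptions; only the quoted expressions come from the write-up.

```javascript
// Constructed stand-in data: ten articles, index 9 is the subscriber-only one.
const articles = Array.from({ length: 10 }, (_, i) => ({ title: `Issue ${i + 1}` }));

// Flow as described in the write-up (assumed shape around the quoted lines).
function vulnerableLookup(issue, isSubscriber) {
  // The comparison coerces with Number(): Number('9;') is NaN and NaN >= 9 is false.
  if (!isSubscriber && issue >= 9) {
    return { error: 'subscribers only' };
  }
  // parseInt() stops at the first non-digit: parseInt('9;') is 9.
  issue = parseInt(issue);
  if (Number.isNaN(issue) || issue > articles.length - 1) {
    return { error: 'invalid issue' };
  }
  return articles[issue];
}

// Hardened: validate the raw string, convert once, then run every check
// (range and authorization) on that same number.
function strictLookup(raw, isSubscriber) {
  if (typeof raw !== 'string' || !/^\d{1,4}$/.test(raw)) {
    return { error: 'invalid issue' };
  }
  const issue = Number(raw);
  if (issue > articles.length - 1) return { error: 'invalid issue' };
  if (!isSubscriber && issue >= 9) return { error: 'subscribers only' };
  return articles[issue];
}
```

The bug is that the authorization check and the array lookup see two different interpretations of the same input; converting once before any check removes that gap.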

 

No Code - Web




We received a link and the source code of a web application.

It contains the POST /execution route.

Using regex, the code checks if the value at the beginning of our string is in the range of the ASCII characters. If the value is within the ASCII range, the program returns an error; otherwise, it executes the code.


We can see that when we form a POST request and send our code, it returns an error because the characters are within the ASCII range.



However, by adding a newline (using its URL encoded value) at the beginning of our code, it passes the regex check and runs the code.



uoftctf{r3g3x_3p1c_f41L_XDDD}
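
Why the leading newline gets through, as an added JavaScript example (not the challenge's source, which this page does not reproduce). The pattern, the `code` field name and the sample bodies are assumptions, chosen so the filter has the property described above: it is matched from the start of the input and '.' does not cross a newline.

```javascript
// Assumed filter: "reject if printable ASCII is found", matched from the start.
// Without the dotAll flag, '.' stops at a line terminator, so only line 1 is inspected.
const FIRST_LINE_ONLY = /^.*[\x20-\x7E]+/;

// Same pattern with the 's' (dotAll) flag: '.' matches newlines, so the whole
// input is inspected.
const WHOLE_INPUT = /^.*[\x20-\x7E]+/s;

// Decode a form-encoded POST body the way the server would see it.
function codeFromBody(body) {
  return new URLSearchParams(body).get('code') ?? '';
}

// Report what each filter decides for one request body.
function audit(body) {
  const code = codeFromBody(body);
  return {
    firstLineOnly: FIRST_LINE_ONLY.test(code) ? 'rejected' : 'executed',
    wholeInput: WHOLE_INPUT.test(code) ? 'rejected' : 'executed',
  };
}

// Constructed sample bodies: the same harmless snippet without and with a
// URL-encoded newline (%0A) in front.
const PLAIN_BODY = 'code=print(1)';
const NEWLINE_BODY = 'code=%0Aprint(1)';
```

Even the whole-input version is only a denylist in front of code execution; it fixes the regex mistake, not the design.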

 

Guestbook - Web



In this challenge we got an HTML file. I opened it in the browser and in VS Code. Note that the sheetID is exposed and we can view only the last entries.




By Googling/using ChatGPT, I understood that I could try accessing a certain sheet using its sheet ID with the following URL: https://docs.google.com/spreadsheets/d/[sheetID]/edit


I entered this link using the sheet ID in the code and I retrieved the flag.



uoftctf{@PP_5cRIP7_!5_s0_coOL}


 

Hourglass - Forensics



This challenge provided an OVA file of Windows 10. According to the description we need to find something suspicious in the system.

I searched in different areas that might contain interesting or suspicious data.


I did not find anything until I entered the Task Scheduler and noticed a suspicious task that mentions a path (C:\Windows\DiagTrack\Settings\settings.txt).


Here we can see the 'txt' file mentioned in the suspicious task, which looks like a Base64 encoded string.


This is the decoded string, which is the flag:


uoftctf{T4sK_Sch3Dul3r_FUN}


 

Flying High - Osint



So, according to the description, we had to find the airport, airline of the rightmost airplane, and airplane model.


This is the image we got:



By zooming in we can see that there is some kind of hangar with 'NOVESPACE' written on it.



Googling 'novespace airports' results in this web page. It says that this company operates mainly for scientific and technical research programs and that it's based at Bordeaux-Mérignac Airport.



After searching for this airport in Google Maps, we can notice that there is a place called Novespace. By clicking on it, we arrive at the same place as in the image.

We can notice that this image is from July 2012.



Regarding the airline company, it was pretty easy to find it by Google searching its logo description.


For the aircraft model, I tried all of the current aircraft they use unsuccessfully, but then I remembered that the photo was taken in 2012, so I searched in the former fleet section. I tried a couple of models that were used in 2012 until I got the correct one.



Thank you for reading. I hope you learned something new.

Orel 🪷


2 comments


Nice write up! I like the Voice Changer challenge :)

Orel Gispan
Jan 27

Thank you so much! I'm glad you liked it.
