CTFs - Writeups

This blog contains various CTF writeups that I have solved. The writeups are written in a way that is as explicit as possible so that they can be understood by everyone. Enjoy reading!

Latest writeups


Anozer Blog

The source code is provided. It’s an application that uses Flask (Python). The first thing to do is to look at the installed libraries. They are in the requirements.txt file: pydash==5.1.2 flask A Google search allows us to determine that pydash is a library that allows manipulation of arrays, strings, and dictionaries (https://pydash.readthedocs.io/en/latest/). The app.py file contains interesting information. It is quickly noticed that the Flask secret is hardcoded in the source code....

4 min · 710 words · qu35t

Beat me !

This challenge is client-side, which means that we will have to play with the JavaScript code to retrieve the flag! The goal is to beat the score of the pro player Eteck in order to obtain the flag. His score is set to 1337420, which doesn’t seem easy to beat. There are 2 ways to retrieve the flag. The first one is to practice and be better than him in order to beat him fairly....

2 min · 290 words · qu35t, Yakei

kNOCk kNOCk

The provided file is a dump of a network capture, which we can analyze using Wireshark. ➜ file kNOCk_kNOCk kNOCk kNOCk: pcapng capture file - version 1.0 Wireshark allows us to display the hierarchy of protocols present in the pcap file (Statistics -> Protocol Hierarchy). We can see that most of the exchanges are TCP. We can also display the objects that were transferred during the HTTP exchanges. File -> Export Objects -> HTTP We can see that a file named MalPack....

2 min · 245 words · qu35t

Nestapp

The source code was provided. The challenge is based on the NestJS JavaScript framework (https://nestjs.com/). The file app.controller.ts contains the different routes of the application: auth/register, auth/login, infos, exec. The function that seems interesting is executeCodeSafely() because it calls the safeEval() function, which allows evaluating code in a sandbox. However, a CVE allows bypassing the sandbox and executing code directly on the host: https://security.snyk.io/vuln/SNYK-JS-SAFEEVAL-3373064 @UseGuards(JwtAuthGuard) @Post('exec') executeCodeSafely(@Request() req, @Body('code') code: string) { if (req....

5 min · 863 words · qu35t, Yakei

QRDoor Code

For this challenge, the source code was provided. The web application uses JavaScript technology with NodeJS and the EJS templating system (https://ejs.co/). Let’s start by analyzing the code to find the vulnerability that will allow us to retrieve the flag. We observe 2 routes: / and /generate app.get('/', async (req, res) => { res.render('index'); }); app.post('/generate', async (req, res) => { const { value } = req.body; try { let newQrCode; // If the length is too long, we use a default according to the length if (value....

3 min · 549 words · qu35t

Silver

The provided file is an image of a flash drive that probably contains malware. The goal is to find the C2 website. ➜ file drive.img drive.img: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 128, sectors 4194288 (volumes > 32 MB), FAT (32 bit), sectors/FAT 4088, reserved 0x1, serial number 0xcc9e321, unlabeled We can extract the contents of the image using the testdisk tool....

3 min · 438 words · qu35t

TimmyIsDump

This challenge is a memory analysis challenge. After an infection, a memory dump was taken. The goal is to find the flag. To analyze the memory, we will use Volatility. First, we need to determine the profile that we will need to use. A big thanks to @Skyf0l, who created the profile (https://github.com/skyf0l). ➜ strings output.lime | grep "^BOOT_IMAGE=" BOOT_IMAGE=/vmlinuz-4.2.6-200.fc22.x86_64 root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/swap rd.lvm.lv=fedora/root rhgb quiet LANG=fr_BE.UTF-8 ➜ strings output.lime | grep "Linux version" Linux version 4....

7 min · 1373 words · qu35t, Skyf0l

Tree Viewer

The only functionality of the website is to specify a path to a directory on the server, which then returns its contents to us. A button allows us to view the source code of this PHP website. We notice the use of the shell_exec() function, which allows the execution of system commands (https://www.php.net/manual/en/function.shell-exec.php). The server concatenates the ls string with the user input, which is first passed through a filter....

2 min · 263 words · qu35t