HapPY Birthday: A custom CTF challenge for a non-CTF player

In: Misc /

I like CTFs. Admittedly, I’m not particularly good at them. I try my best and learn from other people’s solutions to unique challenges after the end of a competition. I also like my roommate, whom I’ve known for several years now. And even though he’s a magnificent problem solver, at least in my opinion, I have yet to convince him to team up and play some CTFs together. It was his birthday very recently, and I prefer experiences as gifts as opposed to material things. So I cobbled together a relatively simple CTF-style challenge for him. In this article, I want to outline a couple of interesting bits here and there that I learned in the process of creating a custom challenge. Maybe you’ll find yourself inspired to create a simple challenge of your own.


TryHackMe: Dave's Blog Writeup

Dave’s Blog is a room over at TryHackMe with a hard difficulty rating. Dave is ready to show his blog to the world, but he forgot to properly secure his super secret admin panel. After some NoSQL injection to bypass the admin login page, we’re able to send off code that is executed by a Node.js runtime hosted on the server. The final step to root involves exploiting a binary, which return-oriented programming makes possible in more than one way.
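To illustrate the login-bypass class mentioned above without reproducing the room, here is an added example that is not code from the room or from the writeup: a miniature model of a MongoDB-style login check that splices a parsed JSON body straight into the query filter, next to a hardened version. The user records, the request bodies and the tiny in-memory matcher (which only understands equality and the `$ne` operator) are constructed for this example.

```javascript
// Added example, not the room's code: a toy document-store matcher and two
// login handlers, one vulnerable to operator injection and one hardened.

// Constructed sample data, not the room's database.
const users = [
  { username: 'admin', password: 'correct horse battery staple' },
  { username: 'dave', password: 'hunter2' },
];

// Minimal emulation of how a document store evaluates a filter: a plain
// value means equality, an object carrying $ne means "not equal". Real
// drivers support many more operators; this is enough to show the bypass.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond) return doc[field] !== cond.$ne;
      return false; // unsupported operator in this toy matcher
    }
    return doc[field] === cond;
  });
}

function findOne(filter) {
  return users.find((u) => matches(u, filter)) || null;
}

// Vulnerable: whatever JSON.parse produced for "password" becomes part of
// the filter, so a client can send an object instead of a string and turn
// an equality comparison into an operator query.
function loginVulnerable(body) {
  const user = findOne({ username: body.username, password: body.password });
  return user ? user.username : null;
}

// Hardened: reject anything that is not a plain string before it reaches
// the query, so operator objects never become part of the filter.
function loginHardened(body) {
  if (typeof body.username !== 'string' || typeof body.password !== 'string') {
    return null;
  }
  const user = findOne({ username: body.username, password: body.password });
  return user ? user.username : null;
}

// Hypothetical request bodies, as a JSON body parser would hand them to
// the handler (e.g. POST /login with Content-Type: application/json).
const bypassBody = JSON.parse('{"username":"admin","password":{"$ne":""}}');
const honestBody = JSON.parse('{"username":"admin","password":"hunter2"}');

console.log('vulnerable, operator body :', loginVulnerable(bypassBody)); // admin
console.log('hardened,   operator body :', loginHardened(bypassBody));   // null
console.log('vulnerable, wrong password:', loginVulnerable(honestBody)); // null
```

Run it with `node` to see the operator body log in as `admin` against the vulnerable handler while the hardened one rejects it. Type-checking the credentials is the minimal fix; in a real application, also prefer a parser or validation layer that refuses non-string values for these fields before the handler runs.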


How a helper script choked a high-performance storage server

In: Dev /

Recently I had the pleasure of helping with a research project based around machine learning that was in the final stages of development. To test the implementation, I was asked to transfer roughly 30,000 training and test images to a storage server. The server is running a MinIO instance which, for the uninitiated, is basically an open-source equivalent of Amazon S3 that provides high-availability, high-performance object storage. I had already worked with MinIO before and I was comfortable using it, but I was provided with a helper script written by someone in the research group that would take care of uploading a large number of images from a directory. Thinking that I didn’t need to spend time coming up with my own solution, I quickly got to work and expected to spend maybe half an hour figuring out how the script works and uploading all the images.
