extract() Variable Overwrite: Related Functions: extract(): Imports variables from an array into the current symbol table. Array keys become variable names and array values become variable values. When duplicate keys exist, the later value overwrites the previous one by default. trim(): Strips whitespace or...
Solving MISC Challenges in Capture The Flag Competitions 1. Basic Flag Format Most flags in CTF competitions follow the format flag{xxxxx}. This first challenge introduces the fundamental concept of finding hidden flags within challenges. The solution for this challenge is: flag{th1s_!s_a_d4m0_4la9}...
Miscellaneous Which Element A PCAPNG file named Element.pcapng was provided. Extracting a TCP stream revealed four files. The password hint led to a Hexahue cipher decoder. The decoded password 3.1415 unlocked flag.zip, containing three files: flag1.png, flag2.png, and hint.txt. The file sizes sugge...
Miscellaneous Challenges Initial Access via Social Media The first step involves following the official public account and sending a specific keyword to receive a token. Virtual Machine Forensics Import the provided .ovf file into virtualization software. Once the system boots, launch the Edge brows...
GWCTF 2019 - mypassword Challenge Walkthrough Challenge Overview The challenge presents a login interface with registration functionality. Upon logging in, a message indicates that SQL injection is not the intended attack vector. The interface includes a feedback submission form. Initial Analysis Th...
Introduction The Venus VM is suitable for beginners starting CTF and wanting to practice Linux skills. Target URL: https://hackmyvm.eu/venus/ There are 50 missions; submitting these 50 flags counts as completion. (Currently, the top-ranked player has submitted 58 flags.) Login: ssh hacker@venus.hack...
Competition Overview The Hackpack 2023 CTF featured several reverse engineering challenges available at https://ctf2023.hackpack.club/challenges. This writeup covers two main challenge categories: the Speed-Rev series and a WebAssembly challenge. Speed-Rev Challenge Analysis The Speed-Rev challenge...
The web application exposes a /read endpoint that accepts a url parameter and fetches its content using urllib.urlopen. Direct use of file:// is blocked by a regex that matches strings starting with file, but the scheme local_file:// bypasses this filter because the check uses ^file.* without conside...
Deploy the target OVA in VirtualBox and configure the attacker environment using Kali Linux on the same internal network segment. After booting, identify the target's assigned IP through network scanning: arp-scan -l Once the target is identified (e.g., 10.0.2.15), perform aggressive service enumera...
Examination of the source code reveals a Flask application exposing a deserialization endpoint vulnerable to remote code execution. The application restricts specific modules and filters payload content, requiring a customized approach to bypass security controls. import builtins import io import sy...