BugPoC's LFI challenge writeup

This is a write-up for an LFI challenge by `BugPoC`, Buggy Social Media Sharer, that popped up on Twitter recently (link). It is a website for writing a text (post), for which the website generates several links to share it on different social media platforms. As is common, it supports URL card generation using an API server, which leads to SSRF and then to LFI. Buggy Social Media Sharer. Given a website: the goal of the challenge is to achieve LFI and steal /etc/passwd. It's a straightforward challenge; by going through the JS, we can see the URL card generating functionality: function processUrl(e) { requestTime =, url = ""; var t = new XMLHttpRequest; t.onreadystatechange = function() { 4 == t.readyState && 200 == t.status ? (response = JSON.parse(

Tokyo Westerns CTF 2020 - writeups.

[*]-challenges     [+] (Rev - 126 pts) Reversing iS Amazing     [+] (Rev - 224 pts) Tamarin Our team Invaders ended up in 21st position in `Tokyo Westerns CTF 2020`, conducted by the `TokyoWesterns team`. [Rev] Reversing iS Amazing: It is a warmup chall. Given an rsa file, a 64-bit executable. Decompiled the executable with Ghidra. As the binary is dynamically linked, we still have the external library function calls: BIO_new_mem_buf, d2i_PrivateKey_bio, EVP_PKEY_get1_RSA, RSA_private_encrypt. Those are OpenSSL library API calls; by going through the documentation and code, we see the binary contains an EVP key and a ciphertext. The binary creates an RSA private key from the EVP key, then encrypts our input and compares it with the ciphertext. Dumped the EVP key and ciphertext from the binary. Wrote decrypting code with the same API calls (as we have

Alles CTF 2020 Writeups

[*]-challenges     [+] (Rev - 137 pts) Flag Service Revolution     [+] (Rev - 113 pts) prehistoric mario Our team Invaders ended up in 21st position in `Alles CTF - 2020`, conducted by the `Alles team`. The reverse challs are interesting: the first one is a Nintendo GameCube file, the second one is an APK game. [Rev] Flag Service Revolution: Given a boot.dol file, a Nintendo GameCube file. Opened it with dolphin-emu. Then searched for how we can disassemble .dol files and found this; used Ghidra. This is a stripped and statically linked binary, so it's hard to trace the functions. Searched for strings appearing in the app -> `Cross References` -> `main function FUN_8003d4c4`. The decompiled code from Ghidra is too messy with the stripped function names and variable names. An