2023

CyberSci Regionals 2023: Defence Challenges

This year at CyberSci Regionals, I competed along with the rest of the Shell We Hack? team. The organizers decided to introduce a new category - Defence. In this category, you are tasked with fixing vulnerabilities in some given source code. This is very similar to what was seen at CyberSci Nationals 2023 (the summer before this competition).

There were a total of five challenges covering two services. The services were:

A user interface was provided, which allowed us to launch the attacks one-by-one. This gave us the ability to search logs to help determine where the vulnerability was.

Note: I do not remember the exact order of the challenges, so if you were a competitor, sorry :P

Working Away

DownUnderCTF 2023: baby ruby / real baby ruby writeups

Prompt (baby ruby):

How well do you know your Ruby?

The flag is at /chal/flag.

Author: hashkitten

nc 2023.ductf.dev 30028

Prompt (real baby ruby):

How well do you really know your Ruby?

The flag is at /chal/flag.

Author: hashkitten

nc 2023.ductf.dev 30031

Hint: ARGF is a stream designed for use in scripts that process files given as command-line arguments or passed in via STDIN.

Difficulty: Medium

Attachments: baby.rb, real-baby.rb

CyberSci Hardware Challenge

A copy of this writeup is available in the UNBCTF writeups repository.

Difficulty: Medium/Hard

The objective of the challenge is to dump the firmware from the provided hardware badge and reverse engineer it. In theory this is quite easy; however, it took quite some time to get familiar with the AVR architecture and instruction set.

Hints: If you're just starting out, ask Jeff Bezos for help. If you're near the end, ask Jeff Bezos for help.

Attachments: flash.hex, sram.hex, eeprom.hex

(these attachments were not provided, and had to be recovered as part of the challenge)

Solution: asd.py

The Badge

Front of hardware badge