This year, I managed to win TISC again š
Last year many brave agents showed the world what they could do against PALINDROMEās custom TPM chips. Their actions sent chills down the spines of all those who seek to do us harm. This year, we managed to exfiltrate an entire STM32-based system and its firmware from within SPECTRE. You...
Welcome to the VirusVault, the most secure way to store dangerous viruses. Surely nothing can go wrong storing them this way! http://chals.tisc25.ctf.sg:26182 Attached files: virus_vault.zip Finally, a web challenge with source! This is a pretty straightforward PHP challenge and a refreshing change of pace from the Cloud challenge. The PHP...
This seemingly innocent site may be hiding something deeper ā a covert cloud operations backend. Scratch beneath the surface. Unravel the yarn of lies. Every cat may hold a clue. http://santa-claws.chals.tisc25.ctf.sg After completing Level 6, players are given the option to pick between a Web-oriented route and a Rev-oriented route...
This service is open for anyone to sign up as a user. All you need is a unique username of your choosing, and passkey. Go toĀ https://passkey.chals.tisc25.ctf.sgĀ to begin. This is a blackbox web challenge involving passkeys. Passkeys are a pretty new authentication method. They replace traditional passwords, using biometrics (e.g. Windows...
Your task is to investigate the SYNTRA and see if you can find any leads. http://chals.tisc25.ctf.sg:57190/ Attached files: syntra-server The website is designed to simulate a radio, with various dials and knobs. Letās look at the provided server binary to figure out what it does. Opening it in IDA, we...
šØ ALERT: A mutated AI known as āSpectreLLMā has started hallucinating strange signatures. Your task is to identify and neutralise its embedded payload before its spread. http://chals.tisc25.ctf.sg:35189 Another LLM challenge! We are given a web platform where we can submit text input and image input to the LLM. Direct requests...
Weāve recovered a file from an SD card. It seems important, can you find the hidden content? Attached: rotary-precision.txt In this challenge, we are given a G-Code file. G-Code is a programming language that contains instructions for CNC machines like 3D printers. We can view the model online using NC...
Just before the rise of SPECTRE, our agents uncovered a few rogue instances of a bot running at http://chals.tisc25.ctf.sg:38163, http://chals.tisc25.ctf.sg:38164 and http://chals.tisc25.ctf.sg:38165. These instances were found to be running the identical services of the bot. Your mission is to analyse this botās code, uncover the hidden paths, and trace its...
This is a V8 n-day challenge. It was intended for the player to write the whole exploit chain themselves. Unfortunately, by the time TISC rolled around, the PoC for the original vulnerability had been made public. Thus, the challenge was a lot easier than intended. We are given a patch...
This is a 3-part challenge that requires chaining of exploits from each part to get to the final flag. Part 1 is a typical PHP/Redis web challenge. Part 2 is an n-day challenge on a GeoServer web server. Part 3 is a novel Java deserialization gadget chain exploit. The challenge...
Deep within Mount Countle, thousands of expert gophers have constructed what is believed to be an impenetrable vault for SPECTREās most classified secrets. Recent intel has revealed blueprints for an adjacent āadmin_botā service, but the inner workings of āCountle Secured Storageā remains shrouded in mystery. http://chals.tisc25.ctf.sg:23196 Attached files: countle-secured-storage.zip This...
One of our U2 spy planes spotted Spectre units around the area surrounding these lakes. However we lost location metadata while collecting huge amounts of imagery. Can you help us find the name of the lake marked by the target reference point ā+ā symbol? https://satellites.pro/ might be useful to compare...
This is the final part of my TISC write-ups, detailing my solutions to level 10-12. Level 10: Diffuse (Misc) Level 11: Sandboxed Notes App (Pwn) Level 12: Revenge of the Dragon (Pwn) Diffuse This is a puzzle-type challenge. Each individual step is easy; the difficulty lies in finding every clue...
This is a continuation of my TISC writeups. This post will cover stage 6-9. Level 6: Noncevigator (Web3) Level 7: Baby Flagchecker (Web3/Rev) Level 8: Wallfacer (Rev) Level 9: Imphash (Pwn) Noncevigator We are given a Solidity smart contract Noncevigator.sol, with the challenge description: 1 2 3 It seems like...
Over the past week or so, I have been playing TISC, CSITās annual CTF. I managed to solve all 12 challenges in 11 days, coming in 1st. TISC is an individual CTF hosted by CSIT that is open to all Singaporeans. The challenges roughly get progressively more difficult. You must...
This was a pwn challenge from the recent Amateurs CTF that I first-blooded. The challenge utilised an internal VM from a Solana validator client, Firedancer, and involved finding vulnerabilities in the VM implementation. Interestingly, Firedancer is a clone of the Rust Solana rbpf library but re-written in C! To temper...
Palindrome, everyoneās favourite cybercrime syndicate, is back for TISC 2023. I managed to solve all 10 challenges this year and clinch 2nd place. Here are my write-ups for all 10 levels. Level 1: Disk Archaeology Level 2: XIPHEREHPIXās Reckless Mistake Level 3: KPA Level 4: Really Unfair Battleships Game Level...
Over the weekend, I played DownUnderCTF with my team, Social Enginner Experts, placing 6th overall.
This weekend, Social Engineering Experts (SEE) held its inaugural SEETF. Here are my write-ups for the challenges I authored. I am aware of the (multiple) unintended solutions, but thought it would be good to document my intended solutions. Thanks to everyone who played!
Over the weekend, I played GreyCTF with Social Engineering Experts, placing 1st locally and 8th internationally. Having not touched CTFs for ages due to NS, I was a bit rusty, but luckily the challenges were nice twists on simple concepts, offering a pleasant mix of difficulty. I focused on the...
I participated in JadeCTF over the weekend. Having put CTFs on hold for some time for school, these challenges were a nice refresher for me. For these write-ups, I wonāt be diving too deep into the details. Instead, Iāll mainly be focusing on the high-level method used to solve the...
TISC (The InfoSecurity Challenge) 2022, organised by CSIT, was a CTF held over 17 days. Eager to escape my exam prep, I spent the first few days trying the challenges :) I solved the first 6 challenges in the first week before deciding to resume my studyingā¦ The challenges are...
I felt that these ringās challenges were quite fun, requiring some creative thinking to solve. There was one last challenge in this category which my team didnāt manage to solve (blackbox FSB pwn). You can find the relevant binaries in this repo.
These 3 challenges had a wide variation in difficulty, but were all worth 100 points each (static scoring). You can find the relevant binaries in this repo.
In the recent Cyber Defenders Discovery Camp (CDDC) organised by DSTA, my team āAvocado_Milkā came in 4th with an overall score of 6180 - maybe one day Iāll get that podium finish :). Here are the write-ups for the challenges I solved during the CTF. Iāll be releasing my rev...