What a CTF on IRC looks like — IRCPuzzles AFPC 2022

IRCPuzzles is an IRC-based puzzle game hosted every year on April 1st. The event lasts for several days. The answers are keys to channels and contestants progress from the first level to the final level. The levels usually get progressively harder. Each level is solvable with the original clue alone, but additional hints are added later if the contestants are stuck on a level for long. Picture showing a jigsaw puzzle map, with one piece missing Since I enjoy solving puzzles and challenges, I usually participate in this event every year....

May 18, 2022 · 38 min · Amal Murali

An Image Speaks a Thousand RCEs: The Tale of Reversing an ExifTool CVE

A tweet showing an RCE in ExifTool popped up on my feed; it looked interesting — maybe a little scary. But what good is an RCE on a demo video? I wanted more; I wanted it to pop my calculator.exe, to rm -rf my home directory; heck, it could even Rick Roll me. However, like with all things in life, there was no publicly-available proof-of-concept. So I decided to make my own....

May 18, 2021 · 15 min · Amal Murali

Solving Intigriti Challenge using… Content Injection!

Intigriti releases cool challenges every once in a while, and this was no exception. I love a good challenge. Every time I solve an Intigriti challenge, I learn something new. Motivated by that, I wanted to crack this one too. As usual, there were many dead-ends, moments of frustration and head-scratches. However, I’ll save your scalp from the scratching and walk you through this challenge. The Challenge Right after the tweet, I opened up the challenge link:...

April 20, 2020 · 8 min · Amal Murali

h1–702 CTF — Web Challenge Write Up

This writeup has since won the H1–702 challenge. Read HackerOne blog here: https://www.hackerone.com/blog/H1-702-CTF-Winners-Announced When you open the challenge link, you’re presented with this: Instructions can be found on the web challenge site: http://159.203.178.9/ Open the link in your browser and you’re greeted with a normal-looking HTML page: Notes RPC CTF homepage It sounds like there is a secret endpoint somewhere that allows you to store notes. The title indicates that it has something to do with RPC....

July 1, 2018 · 13 min · Amal Murali

Solving the Dog Problem — Google CTF 2018 Quals Write Up

Solving the Dog Problem — Google CTF 2018 Quals Write Up Challenge Description Cat Chat app popup Getting familiarized When you open the link, it redirects you to a chat room with a random UUID which is probably the chat room ID. Challenge homepage This looks like a chat application built with NodeJS where anyone can join and chat with each other. If you use /name bob, your display name gets changed to that....

June 8, 2018 · 11 min · Amal Murali