Writeups

We participated in FAUST CTF 2024 under the pseudonym “TeamCalabria” (unfortunately stolen on CTFTime by some CTFTime point hoarders). Our member Speedy11CZ managed to first blood the “Floppcraft” challenge. Floppcraft allows users to upload pictures. It also contains some other “secret” endpoints. There are two services: Frontend - Flask application, serves content and generates pages. KeyServer - Generates secrets for signing JWT tokens inside Frontend application. Flags are stored inside Frontend service in “intel” category of requests. It is possible to login using uploading image with “Floppyeti” payload in EXIF data. Flags can be obtained with level 2 permissions. Error in the KeyServer SQL table There was a invalid SQL table in the KeyServer service. Because of this, status code 500 was returned when generating tokens in the KeyServer. KeyServer would correctly return a number to use as the seed of the random generator, but in this case -1 was used as the seed due to an error and poorly written function. ...

We participated in FAUST CTF 2024 under the pseudonym “TeamCalabria” (unfortunately stolen on CTFTime by some CTFTime point hoarders). Our member Hackrrr managed to first blood the “QuickR Maps” challenge. QuickR Maps service allows users to store and share locations on map. There are two instances hidden behind one frontend/proxy - public and private. Public instance shows all stored locations to everyone, private instace shows only locations accessible to you (that are either yours locations or locations explicitly shared with you). ...

We participated in FAUST CTF 2024 under the pseudonym “TeamCalabria” (unfortunately stolen on CTFTime by some CTFTime point hoarders). Our member Greenscreener managed to first blood the “Todo List” challenge. You can also read the writeup on his blog An extremely feature-rich service written in C# (like srsly, why would you implement 2FA for an A/D service and then never use it?). We identified two different vulnerabilities, one based in the generation of user IDs and the other one caused by an unsafe Newtonsoft.Json configuration. The one we found first and was used for the first blood was the former. ...