How to Pwn? - A workflow for solving pwn challenges

Pwn is one of the more difficult categories to get started with. This is partially due to the setup required in order to efficiently solve pwn challenges. This post aims to introduce a workflow you can use for solving any pwn challenge.

HTB 2021 Uni CTF Quals - Mechanical madness

This challenge consists of an assembly program and a simulated CPU, with the goal of running the program on that CPU. But we had no way to assemble the program, so we first had to write an assembler for it.

HTB 2021 Uni CTF Quals - Epsilon writeup

Epsilon was a medium Cloud challenge. It starts with an exposed git repository that contains AWS credentials. With these you can discover a Lambda function that contains the JWT secret. Now you can authenticate with the website on port 5000 and use a Server Side Template Injection to get a shell and the flag.

HTB 2021 Uni CTF Quals - GoodGames writeup

Use SQL Injection and Server Side Template Injection to get the user flag. Use the mounted home directory and a mknod privilege escalation with Docker to get the root flag.

HTB 2021 Uni CTF Quals - SteamCoin writeup

TL;DR: Abuse a JKU claim misuse in combination with an unrestricted file upload to gain admin access. Perform request smuggling to bypass HAProxy ACL rules and use XSS to let Puppeteer retrieve the admin secret from the CouchDB REST API.

RedPwn 2021 Notes Writeup

Writeup for the RedPwn 2021 Notes challenge.