picoCTF 2024 - Elements (Web, CSP Bypass)

picoCTF 2024 was held from 12-26 March 2024, and while pico is largely a beginner-friendly event, some of the challenges were devilishly difficult. This is a writeup of our solution for Elements, a wicked hard XSS and CSP bypass challenge. We ended up solving it in an unintended way that we think was quite novel.

DownUnderCTF 2023 - Smooth Jazz (SQL Injection)

Every year I look forward to DownUnderCTF, a 2-day CTF put on by some of the nicest and brightest folks from around Australia. This was my third year participating, and IMO the crew once again outdid themselves. I decided this year to do a writeup for Smooth Jazz, another devilishly difficult SQL injection challenge by hashkitten. It involves the threading of three separate needles, and some creative format string wrangling.

Fixing VirtualBox "bridge_ports none" NO-CARRIER VirtualBox networking on Debian 11

I recently upgraded from Debian 10 (Buster) to Debian 11 (Bullseye). I have a unique networking setup that allows VirtualBox VMs to hang off of non-bridged (bridge_ports none) bridge interfaces, allowing NAT and firewalling to be handled by my host’s iptables/nftables. Upgrading to Debian 11 caused this setup to mysteriously break. Hunting down the solution was super difficult, so this is a short post that’ll hopefully make it near to the top of Google results for things like “debian 11 virtualbox bridge no carrier” so the next person doesn’t have to suffer quite as many pages of purple links as I did 🤞

DUCTF - sqli2022 challenge (web)

@hash_kitten wrote an absolute cracker of an SQL injection challenge for DownUnderCTF 2022 involving Python’s repr(), Python format string exploitation, and the use of an SQL quine. This is the story of our pain and suffering solving it.

DownUnderCTF - bullet hell challenge (rev)

DownUnderCTF 2021 was held the weekend of September 25, 2021. bullet hell was an interesting reversing challenge. It was essentially an ASCII game in which the player was required to dodge an onslaught of bullets, reminiscent of a “bullet hell” video game. The only thing is, the bullets were invisible.

Docker image history modification - why you can't trust `docker history`


2016 to 2019 - What I've been up to

Maybe it would be a stretch to say I’ve been busy since 2016, but I haven’t been doing nothing. Here are links to things I’ve been doing.

SecTalks Brisbane "Encrypted 4" challenge

SecTalks Brisbane recently hosted a CTF, and lxb’s Crypto challenge particularly tickled me.

Insomni'hack 2016 Teaser CTF - Declawing smartcat1 and smartcat2

This weekend was the Insomni’hack 2016 Teaser CTF with a bunch of IoT-themed challenges. This is a writeup of the smartcat1 and smartcat2 Web challenges.

Coindrawer Bug Bounty Finale
