This is a write-up for turing-complete, turing-incomplete, and turing-incomplete64 from the BSides San Francisco 2024 CTF!
turing-complete is a 101-level reversing challenge, and turing-incomplete is a much more difficult exploitation challenge with a very similar structure. turing-incomplete64 is a 64-bit version of turing-incomplete, which isn’t necessarily harder, but is different.
Let’s look at the levels!
Continue readingSlay the Spider is a Minesweeper-like game where the user and computer try to uncover a spider. The challenge name and trappings are based on Slay the Spire, which is one of my favourite games.
Continue readingThis is a write-up for Safer Streets. I apparently wrote this in more “note to self” style, not blog style, so enjoy!
Continue readingNo Tools is a fairly simple terminal challenge, something for new players to chew on.
I suspect there are several different ways to solve it, but the basic idea is to read a file using only built-in functions from sh.
The premise of the three challenges cant-give-in, cant-give-in-secure, and cant-give-in-securer are to learn how to exploit and debug compiled code that’s loaded as a CGI module. You might think that’s unlikely, but a surprising number of enterprise applications (usually hardware stuff - firewalls, network “security” appliances, stuff like that) is powered by CGI scripts. You never know!
This challenge was inspired by one of my co-workers at GreyNoise asking how to debug a CGI script. I thought it’d be cool to make a multi-challenge series in case others didn’t know!
This write-up is intended to be fairly detailed, to help new players understand their first stack overflow!
Continue reading