LetzPwn trains A/D for the ECSC

On July 9th 2022, the LetzPwn team participated in the FaustCTF 2022 competition.

Like SaarCTF, this event is an Attack-Defense CTF competition. It is organised by the Friedrich-Alexander Universität (Erlangen-Nürnberg) Security Team, or FAUST for short.

FaustCTF was organised for the seventh time in 2022 and is a renowned competition, popular among many good teams. The difficulty is accordingly advanced. FaustCTF 2022 comprised 8 challenges, named Ghost, Digital Seconds Ago, AdminCrashBoard, Docs Notebook, Notes from the Future, Flux Mail, FittyFit and compiler60.

We only participated with around 4 people and managed to exploit one service (AdminCrashBoard). The vulnerability in this one was a command injection. We also looked at the FittyFit service, which we were not able to solve. Afterwards, we checked the intended solution, which consisted of either (1) a login bypass because of a cryptographic failure in the cookie creation or (2) a pretty advanced attack chain (for a one-day A/D CTF): finding that the version of a dependency was vulnerable to XXE, crafting a malicious PDF with it, and then using some service logic to be able to access the uploaded malicious PDF to trigger the XXE.

Overall, we placed 64th out of 91 participating teams.