H@cktivityCon 2021 CTF

I participated in the H@cktivityCon 2021 CTF alongside some talented hackers - we placed 57th out of over 2,000 participating teams.

My contributions weren't that big - but I did learn a lot. Most of the challenges I solved were easy.

Bad Words

The general aim of Bad Words was to circumvent the "bad word" filter. I solved this by using the environment variable for a shell ($SHELL)to escape the filter completely. Then, it was trivial to climb the directory to reach the flag. $SHELL is, by default, equal to /bin/bash.

This strategy worked for another challenge, Shelle. In Shelle, the "shell" we're provided with only has a few commands enabled. However, using $SHELL again bypassed the filters and let us open an unrestricted shell. It's a bit odd that 3x more people solved Bad Words than Shelle when the same trick could be used twice. There were more challenges that I solved but they were too easy and don't deserve a mention here.

Jed Sheeran

The description states:

Oh we have another fan with a budding music career! Jed Sheeran is seemingly trying to produce new songs based off of his number one favorite artist... but it doesn't all sound so good. Can you find him?

By searching for "Jed Sheeran" on Soundcloud, we are presented with a profile that has a picture of Ed Sheeran's face imposed onto bread (Bread Sheeran). Navigating to the description of the only song listed yielded the flag.

Other challenges

I contributed in small parts to other challenges in the CTF, which I will link below. They were my teammates and they are all highly skilled in their own right.

ECSC 2021

Recently, I qualified for the 10-person-strong Irish team that will compete in the European Cybersecurity Challenge at the end of this month in Prague. Participating in H@cktivityCon 2021 CTF was brilliant practice for it.

Although I'm not mentioned by name, the team was featured in an article by SiliconRepublic here.

Discord

As usual, I encourage anyone interested in security to join the Bug Bounty Discord server here.