BreizhCTF is the largest in-person CTF in France and gathered 600 participants on 17 May 2024.
This post is the write-up of 3 excellent challenges written by Worty: 2 mobile challs on “OwnApp” and 1 web chall on Popup Creator.
I’d like to thank the whole BreizhCTF team for the great work they do each year to make this event a success: BDI, Kaluche, Saax, Icodia, and all the chall creators from ESNA! In particular, thank you Worty for the great work and the discussion we had during this conference :)
A little challenge was introduced on Twitter to win a ticket to the Unlock Your Brain 2022 conference. This article is a write-up of the solution and explores the implementation of the Java Random PRNG.
Disclaimer: I am not a cryptography expert, just a security enthusiast.
The conference
The conference Unlock Your Brain Harden Your System, aka “Unlock” or #UYBHYS, has been organized since 2015 by the Cantine numérique Brest and DIATEAM in Brest (France). Over 2 days, participants have the opportunity to attend a day of conferences, 2 to 4 workshops and a 4-hour CTF, most of the time attack-defense style on a Sea surf monsters theme. Last time, it was an OSINT CTF.
An unrestricted file upload in the WordPress Tatsubuilder plugin, version <= 3.3.11, enables an unauthenticated attacker to achieve remote code execution (RCE) on the server host due to multiple weaknesses in the font import feature, putting 100,000 websites at risk.
The add_custom_font action can be used by anonymous users to upload a rogue zip file, which is uncompressed under the public WordPress upload directory. By adding a PHP shell to the zip with a filename starting with a dot “.”, an attacker can bypass the plugin’s extension control. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.