This is the write-up for Treebox, one of the easier Sandbox Escape challenges from Google CTF 2022.

The challenge statement says, “I think I finally got Python sandboxing right.”, and we’re provided with a hostname/port pair and (conveniently) the source code of the sandbox. The flag is in a file called flag in the current working directory of the sandbox process.

It is that time of the year again. Or, to be precise, it is 51 days after that time of last year. I’ve been remiss in my schedule for these posts. But it is the time when I reflect upon my growth in tech over the past year. Like last years post, this one goes over what I learned, some of the opinions I formed, what I could have done better, and what I think I should focus on in 2022.

While I do this primarily to track my progress, I do hope that those who read about my growth find it instructive, and walk away having gained something from it. With that happy thought, let’s get started.

What programming language should you learn first? Back in University, juniors who wanted to get on the programming roller coaster often asked me this. After much deliberation, I think I have my answer. In this post I express why I think a lot of conventional wisdom here isn’t the best, and what I suggest as the first language for getting started with coding.

For a little while now I’ve had this itch with pdb that I’ve been wanting to scratch. I wanted a limited version of the hooks feature from gdb so that I can automatically execute debugger commands each time execution stops. Today, I ended up scratching that itch by extending Pdb and coding in the functionality I needed. This post talks about how I did so and also covers a loosely organized collection of related Python debugger tricks that you may find useful (or at least fascinating).

Whether you’re starting out in a new job or team, or if you’re trying to contribute to a Open Source project that you’re new to, having to familiarise yourself with an alien codebase is something a software dev will have to do at some point in their lives. You won’t start all projects from scratch. This isn’t easy by any measure (at least not for me), but I try to share some of the tricks that I’ve picked up to get up to speed with a new codebase in this post.

2020 has easily been the most profound year for me as a tech enthusiast. I graduated with a CS degree, got an amazing job, picked up 2 new languages (Go and Clojure), revisited 2 other langauges that I thought I knew but clearly didn’t (C and Rust), and explored many new domains (most notably cybersecurity and cloud engineering). This post is a loosely organized collection of my thoughts and experiences related to each of these items, as well as some insight into how I achieved some of the things I achieved this year.

So if you’re going to be kind enough to indulge me, let’s start talking!

This is the writeup for the “Deep Web Blog” web challenge from SquareCTF 2020, which was worth 200 points and involved a Blind NoSQL Injection attack.

Challenge statement: A secret informant has tipped us off that hackers on the deep web have been plotting an attack on Square to steal our treasured Bitcoins…

Time to find what their plans are. http://challenges.2020.squarectf.com:9541

This is a write-up for the “Password Here Please” reverse engineering challenge from MetaCTF CyberGames 2020, which was worth 325 points.

Challenge statement: I forgot my bank account password! Luckily for me, I wrote a program that checks if my password is correct just in case I forgot which password I used, so this way I don’t lock myself out of my account. Unfortunately, I seem to have lost my password list as well… Could you take a look and see if you can find my password for me? Part 3 requires some math skills. To solve it, think about what is being done by the exponentiation step. Try rewriting the large number in base 257.

This is the write-up for the “Open Thermal Exhaust Port” forensics challenge from MetaCTF CyberGames 2020, which was worth 275 points.

Challenge statement: Our TCP connect Nmap scan found some open ports it seems. We may only have a pcap of the traffic, but I’m sure that won’t be a problem! Can you tell us which ones they are? The flag will be the sum of the open ports. For example, if ports 25 and 110 were open, the answer would be MetaCTF{135}.

Following up on the first article which introduces dotfiles, this one dives into the common challenges to managing dotfiles effectively. We look at approaches to organizing them, techniques to keep them in sync, bootstrapping fresh systems, committing them to version control, etc.