[ASIS CTF Finals 2019] Andex

We start off with a single apk given. Running this through jadx-gui, we quickly find a list of API endpoints (some without the actual URL) in APIInterface and a base URL of http://66.172.33.148:5000/ (found in Utils): PostUserProf: no url yet getConf: api/get_config/{rolid} getDex: api/get_dex/{dex} getReg: api/userClass/register/{name} getShopItem: no url yet getShopOrder: no url yet getShopOrderD: no url yet getUserProf: no url yet Following through the logic for SplashScreen, we register a user for ourselves, and receive an encryption key, a role id and a uuid which serves as our authentication token.

[Insomni’Hack 2019] Phuck3 (500, php) / Bypassing open_basedir with two simple lines of php.

(Note: I wasn’t able to solve this challenge during the CTF, but I solved it afterwards) The challenge description gives us a webserver address and a text, that we should use only the php inbuilt functions to get the /flag and show the webmaster that the php builtin functions are insecure as well. Upon loading the website address, we are immediately greeted with an image as well as - presumably - the code for the index.