Real World CTF 2023: Happy-Card Writeup

Real World CTF 2023 was a jeopardy-style capture-the-flag event. We participated as part of the Sauercloud CTF-team.

How Solve? Where Exploit?

• Google for java card stuff
• Find some usable tooling to build your own applets
• Enable EEPROM dumping in cref (-o /upload/eeprom)
• Stumble upon Sergei Volokitin’s Master’s Thesis for an overview of vulnerabilities
  • Try multiple, but be caught by byte code verification/type checking
• Stumble upon PhiAttack
  • Needs older sdk
  • Implement simple type confusion between Object and byte[]
• Be confused why some casts work and others don’t
  • reverse cref __saload and __baload read checks
• Use type confusion to cast an Object to a byte[] array with arbitrary length
• Read EEPROM data using (now no longer) out-of-bounds read on byte[]
• Read flag