CVE-XXXX-XXXX picoCTF 2022 Solution

Published: July 20, 2023

Description

The prompt only describes the first Windows Print Spooler remote code execution vulnerability disclosed in 2021. Identify the matching CVE and submit it in the picoCTF flag format.

The challenge prompt asks: "Can you reproduce the CVE for the first Windows Print Spooler Remote Code Execution Vulnerability of 2021?"

Search the literal phrasing of the prompt - every result references PrintNightmare.

Open the CVE database entry to verify the identifier CVE-2021-34527.

Wrap that ID in the picoCTF format: picoCTF{CVE_2021_34527} (underscores, not dashes).

  1. Step 1: Pivot on the clue
    Search the literal prompt. Every top result names PrintNightmare; cross-check against MITRE/cve.org to confirm CVE-2021-34527.

    Sample search verification. Querying "Windows Print Spooler RCE 2021" returns Microsoft Security Update Guide, Project Zero, CISA, and most major vendors - all naming the bug PrintNightmare and pointing at CVE-2021-34527. Multiple independent sources naming the same CVE is the signal that you have the right one (and not a related but distinct bug like CVE-2021-1675, whose patch was the partial fix that didn't actually fix it).

    CVE (Common Vulnerabilities and Exposures) is the public catalog maintained by MITRE. Each entry has a unique CVE-YEAR-NUMBER ID. PrintNightmare (CVE-2021-34527) hit the Windows Print Spooler service - which runs as SYSTEM and is enabled by default - allowing unauthenticated remote code execution. It became notorious because a PoC leaked before Microsoft's patch.

    The skill being tested is OSINT: given a description, find the canonical identifier. This is what defenders do daily when correlating threat intel against scanner output.

  2. Step 2: Submit the CVE
    Wrap the ID in the picoCTF format using underscores in place of dashes: picoCTF{CVE_2021_34527}.

    The CVE ID lives directly in the record URL on cve.org: https://www.cve.org/CVERecord?id=CVE-2021-34527. Pull the value of the id query parameter and you have your answer. NVD carries the same ID as the last segment of the URL path: https://nvd.nist.gov/vuln/detail/CVE-2021-34527.

    Resources for CVE work: cve.org (the canonical MITRE list), nvd.nist.gov (adds CVSS scores), and vendor advisories (Microsoft's Security Update Guide for this one). CVSS rates severity 0-10; PrintNightmare scored 8.8 to 9.8 depending on attack vector. Defenders patch the 9.x scores first.

    Other high-profile CVEs worth recognizing: Log4Shell (CVE-2021-44228), EternalBlue (CVE-2017-0144), Heartbleed (CVE-2014-0160).
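
The two steps above as an added Python example (not part of the original writeup): it counts how many distinct sources name each CVE ID, reads the ID from a cve.org or NVD URL, and wraps it in the flag format. The function names are hypothetical, and the source labels and snippet texts are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# CVE IDs have the form CVE-<4-digit year>-<sequence number of 4+ digits>.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

def corroborate(snippets):
    """Count the distinct sources naming each CVE ID in (source, text) pairs."""
    seen = {}
    for source, text in snippets:
        for year, num in CVE_RE.findall(text):
            seen.setdefault(f"CVE-{year}-{num}", set()).add(source)
    return Counter({cve: len(sources) for cve, sources in seen.items()})

def cve_from_url(url):
    """Read the ID from a cve.org (?id=...) or NVD (/vuln/detail/...) URL."""
    parts = urlparse(url)
    candidates = parse_qs(parts.query).get("id", [])
    candidates.append(parts.path.rstrip("/").rsplit("/", 1)[-1])
    for candidate in candidates:
        match = CVE_RE.fullmatch(candidate)
        if match:
            return f"CVE-{match.group(1)}-{match.group(2)}"
    return None

def to_flag(cve_id):
    """Wrap a validated CVE ID in the picoCTF format (underscores, not dashes)."""
    if not CVE_RE.fullmatch(cve_id):
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return "picoCTF{" + cve_id.upper().replace("-", "_") + "}"

# Constructed sample data: source labels and texts are illustrative, not real quotes.
SNIPPETS = [
    ("vendor-advisory", "PrintNightmare is tracked as CVE-2021-34527, distinct from CVE-2021-1675."),
    ("gov-alert", "Print Spooler RCE (PrintNightmare, cve-2021-34527): disable the service."),
    ("research-blog", "Notes on PrintNightmare / CVE-2021-34527. See also CVE-2021-34527."),
]

if __name__ == "__main__":
    counts = corroborate(SNIPPETS)
    best, n = counts.most_common(1)[0]
    print(counts)
    assert best == cve_from_url("https://www.cve.org/CVERecord?id=" + best)
    print(n, "sources agree ->", to_flag(best))
```

A source that repeats the same ID is counted once, so the tally reflects independent agreement and not how often a single page mentions the ID.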

Flag

picoCTF{CVE_2021_34527}

This is the PrintNightmare vulnerability affecting the Windows Print Spooler service. The CVE ID appears in the cve.org record URL.
