# TSG CTF 2021 Beginner's Web 2021 Writeup ## Challenge Summary You are given a website. It is doing some weird job. First, it constructs routes object based on the salt parameter and store it to the session. ```javascript= const setRoutes = async (session, salt) => { const index = await fs.readFile('index.html'); session.routes = { flag: () => '*** CENSORED ***', index: () => index.toString(), scrypt: (input) => crypto.scryptSync(input, salt, 64).toString('hex'), base64: (input) => Buffer.from(input).toString('base64'), set_salt: async (salt) => { session.routes = await setRoutes(session, salt); session.salt = salt; return 'ok'; }, [salt]: () => salt, }; return session.routes; }; ``` Then, it will render the page based on the routes object. ```javascript= app.get('/', async (request, reply) => { // omitted const {action, data} = request.query || {}; let route; switch (action) { case 'Scrypt': route = 'scrypt'; break; case 'Base64': route = 'base64'; break; case 'SetSalt': route = 'set_salt'; break; case 'GetSalt': route = session.salt; break; default: route = 'index'; break; } reply.type('text/html') return session.routes[route](data); }); ``` ## Solution ![](https://i.imgur.com/8q7R2If.gif) The flag is in the `flag` route, so you will want to set `session.salt = 'flag'`, but by doing so, `flag` route will be overwritten by `[salt]` end point and you will lose access to it. So, what we want to achieve is the following session state. ```javascript session = { routes: { flag: ..., index: ..., ... [salt]: ..., // salt is anything different from 'flag' }, salt: 'flag', } ``` ### 1st request First, you have to send `GET /?action=SetSalt&data=flag` to set `salt = 'flag'`. The session will be the following structure. ```javascript session = { routes: { flag: ..., // this route is overwritten and not accessible index: ..., ... flag: ..., }, salt: 'flag', } ``` ### 2nd request Second is the most important part. Now we want to recover `session.routes` so that we can access the `flag` route, but we don't want to update `salt`. The key is `set_salt` function. Normally, it updates routes and salt together. ```javascript= set_salt: async (salt) => { session.routes = await setRoutes(session, salt); session.salt = salt; return 'ok'; }, ``` What if line 2 is executed but line 3 is NEVER executed? It is possible. In line 2, we are `await`-ing the execution of `setRoutes` function. Do you know `async`/`await` in ECMAScript is just a syncax sugar of `Promise`? So, we can transform this function to the following equivalent code. ```javascript= set_salt: (salt) => { return setRoutes(session, salt).then((result) => { session.routes = result; session.salt = salt; return 'ok'; }); }, ``` The key is that the code is calling the chained method `then()` from the returned value of `setRoutes` function. What is the return value of this function? ```javascript= const setRoutes = async (session, salt) => { const index = await fs.readFile('index.html'); session.routes = { // omitted [salt]: () => salt, }; return session.routes; }; ``` It is returning the result of `session.routes`. This is unnecessary since the assignment to `session.route` is already done. Okay, we can control this value by `salt` parameter. What if we set `salt = 'then'`? It will return the following object. ```javascript { // omitted then: () => salt, } ``` As you can infer from the above code, this `then` method will be called with callback function as an argument. If the function is called, the returned value is considered to be `resolve`-ed and the process continues. But, this `then()` method is just ignoring the argument and the function is never called. So, by setting `salt = 'then'`, the assignment to `session.routes` happens inside `setRoutes` function, but `setRoute` function is not resolved and the assignment to `session.salt` never happens. So, send `GET /?action=SetSalt&data=then` to server and this will result in the following session state. ```javascript session = { routes: { flag: ..., index: ..., ... then: ..., }, salt: 'flag', } ``` This is what we want to achieve! ### 3rd request Now, just request the salt and it will print the flag! `GET /?action=GetSalt` ```javascript= return session.routes[route](data); // route = session.salt here ``` ### Appendix In technical term, this is called [Thenable Object](https://masteringjs.io/tutorials/fundamentals/thenable). ## Only 1 solve during contest? Why the fuck is this beginner???? Several reasons. * This challenge does not require experience in CTF. It consists of the combination of some logical errors in the code and knowledge of JavaScript itself. * A member of TSG, who is actually a beginner of CTF, could solve this challenge in just 3 hours. * ~~I thought more people solve this challenge honestly~~
Last changed by  
Koki Takahashi
1593

Read more

Learning with Exploitation author's writeup

[*** 暗号化]0または1を要素に持つベクトル [$ \bm{r}] を生成する。このとき平文 [$ m\in{0,1}] に対応する暗号文は、[$ (\bm{u},v)=(\bm{r}\cdot\bm{A},\bm{r}\cdot\bm{t}+mq)]となる。ただし [$ q:=\lceil \frac{p}{2}\rceil][$ \bm{r}] は破棄する。

11/8/2023
BSides Ahmedabad CTF 2021 Writeup - SSSS.RNG, floorsa, Roda

SSSS.RNG $p$を512bitの素数、$a,b,x$を$p$未満のランダムな数とする。 以下すべて$\mathbb{Z}/p\mathbb{Z}$上の演算として、 $$ \begin{aligned} g_1&=ax+b\ g_2&=ag_1+b\ g_3&=ag_2+b\

11/7/2021
TSG CTF 2021 Giita Writeup

Challenge Summary You can create blog post. It is accepting an arbitrary HTML, but it is correctly escaped and sanitized by DOMPurify. const body = document.getElementById('body'); body.innerHTML = DOMPurify.sanitize(body.textContent); hljs.highlightAll(); The goal is to obtain the cookie of admin.

10/4/2021
LINE CTF 2021 Writeup - Team TSG

Welcome @moratorium08 :) babycrypto1 @hakatashi We can encode arbitrary block with chosen IV, so we can extend the given block with arbitrary content. from ptrlib import Socket, logger from base64 import b64encode, b64decode from Crypto.Cipher import AES

3/23/2021
Read more from Koki Takahashi
Published on HackMD