# s/&lt;script&gt;//gi (misc, 115 teams solved) ###### tags: `SECCON CTF 2021` ## Overview > Can you figure out why `s/<script>//gi` is insufficient for sanitizing? > This can be bypassed with `<scr<script>ipt>`. > > Remove `<script>` (case insensitive) from the input until the input contains no `<script>`. In this problem, we are required to speed up collect sanitizing since the size of flag.txt is 64 MiB. ## Bad approach We can do that with `sed` or favorite programming languages. ``` $ echo 'S3CC0N{dum<scr<script>ipt>my}' | sed -e ':loop; s/<script>//gi; tloop' S3CC0N{dummy} $ cat small.txt | sed -e ':loop; s/<script>//gi; tloop' S3CC0N{dummy_flag>_<_pt>>PT><sCRIp<scr<scr<scr!pt>ipt>ipt>} ``` However, for flag.txt, this approach takes very long time and will not finish before the end of the CTF. ``` $ cat flag.txt | sed -e ':loop; s/<script>//gi; tloop' ``` Let $n$ be the size of input. Removing `<script>` once takes $O(n)$. We have to remove `<script>` at most $O(n)$ times. So, overall execution time is $O(n^2)$, which is too long for 64 MiB. ## Good approach To reduce the time complexity, we can use a [stack](https://en.wikipedia.org/wiki/Stack_\(abstract_data_type\)). Push each character of the input and if the top of the stack is `<script>`, pop it. What is left in the stack will be the answer. Since push and pop take $O(1)$ time, overall execution time is $O(n)$. Note that `stack` must be a `list`, not a `string`. If `stack` is `string`, a single instruction `stack = stack[-8:]` takes $O(n)$ time. ```python= import sys with open(sys.argv[1]) as f: data = f.read()[:-1] stack = [] for i, c in enumerate(data): if i%0x10000==0: print(f"{i/len(data)*100:6.2f} %") stack += [c] if "".join(stack[-8:]).lower()=="<script>": for i in range(8): stack.pop() print("".join(stack)) ``` ``` $ time python3 solve.py flag.txt 0.00 % 0.10 % 0.20 % 0.29 % : 99.71 % 99.80 % 99.90 % 100.00 % SECCON{sanitizing_is_not_so_good><_escaping_is_better_iPt><SCript<ScrIpT<scRIp<scRI<Sc<scr!pt>} real 0m27.691s user 0m27.424s sys 0m0.140s ```
Last changed by  
kusano
834

Read more

constellations (reversing, 17 teams solved)

Overview As stated in the problem description, the given binary is a x64 ELF file written in Go(lang). The program starts printing the flag and slows down. $ ./constellations SECCON{N33d_m0r3_sp33d_vo6Rg The task is to speed it up. Solution

12/24/2021
qchecker (misc, 14 teams solved)

Overview eval$uate=%w(a=%(eval$uate=%w(#{$uate})*"");Bftjarzs=b=->a{a.split(?+).map{|b|b.to_i(36)}};c=b["awyiv4fjfkuu2pkv+awyiv4f v ut 71 6g 3j +a x c e5e4pxrogszr3+5i0o mfd5dm9xf9q7+axce5 e4khrz21ypr+5htqqi 9iasvmjri7+axcc76i 03zrn7gu7+cbt4 m8 xybr3cb27+1ge6 s n jex10w3si9+1k8vdb4 fzcys2yo0"];d,e,f, g,h,i=b["0+0+zeexa xq012eg+k2htkr1ola j6+3cbp5mnkzll t3 +2qpvamo605t7j " ] ;(j=eval(?A<<82<<7 1<<86)[0])&&d==0&& (e+=1;k=2**64;l=-> (a,b){(a-j.ord)*25 6.pow(b-2,b)%b }; f=l[f,k+13];g= l [ g, k+ 37];h=l[h,k+51];i= l[i,k+81];j==?}&&( d=e==32&&f+g+h +i ==0?2:1);a.sub ! (/"0.*?"/,'"0'+[d ,e ,f,g,h,i].map{|x|x .to_s(36)}*?+<<34) );srand(f);k=b["7a cw+jsjm+46d84" ]; l=d==2?7:6;m=[ ? #*(l*20)<<10]*11* "" ;l.times{|a|b=d==0 &&e!=0?rand(4):0;9 .times{|e|9.times{ |f|(c[k[d]/10* *a %10]>>(e*9+f)& 1

12/21/2021
Vulnerabilities (web, 94 teams solved)

Overview This application shows the logo and the URL of the past named vulnerabilities. There is an endpoint /api/vulnerability. $ curl -d '{"Name": "Heartbleed"}' https://vulnerabilities.quals.seccon.jp/api/vulnerability {"Logo":"/images/heartbleed.png","URL":"https://heartbleed.com/"} Source code:

12/20/2021
sed programming (reversing, 14 teams solved)

Overview The main theme of this challenge is "Substitution is Turing-complete". $ echo "SECCON{dummy}" | sed -f checker.sed WRONG checker.sed: #!/bin/sed -f

12/20/2021
Read more from kusano
Published on HackMD