# [JustCTF](https://2020.justctf.team/)
This competition was on 30 - 31 January 2021. We placed 90th/804.
## Sanity Check <a name="sanity-check"></a>
The Sanity Check was slightly tricky. The challenge had to do something with the CTF website itself as the description said. So at the challenge URL, I went to the Network tab under Chrome Dev Tools and hit the record button. I reloaded the challenge to load the network requests and pressed ctrl-f to search for the flag format (`justCTF`) among the requests.
The flag was in the first request, `justCTF{something_h3re!}`.
## Forgotten name
I googled `secret domain name ctf` and came across two relevant writeups, [writeup 1](https://jaimelightfoot.com/blog/ooo-def-con-ctf-2019-quals-cant-even-unplug-it/) and [writeup 2](https://ctftime.org/writeup/15274).
I used the tool described in writeup 1, the Google Transparency Report, to find other possible subdomains under `2020.justctf.team`.
From [the search result](https://transparencyreport.google.com/https/certificates?hl=en&cert_search_auth=&cert_search_cert=p:MjAyMC5qdXN0Y3RmLnRlYW06dHJ1ZTpmYWxzZTo6RUFFPQ&cert_search=include_subdomains:false;domain:2020.justctf.team&lu=cert_search_cert), I saw
I enumerated domains related to `jctf.pro` and discovered `http://6a7573744354467b633372545f6c34616b735f6f3070737d.web.jctf.pro/`. I converted `6a...` from hex to ascii and got the flag
## That's not crypto
We were given a `pyc` file, which is the bytecode of a Python file. Using the command `uncompyle6 checker.pyc > checker.py` (you can install uncompyle6 using pip), I converted it to a Python file which is hosted as [checker.py](https://gist.github.com/lucaschen1000/5f5f916fd750aeff7f75c9af8ff18d6c) due to the line limits here.
Analyzing the `poly` function, I found that `poly(a, x)` is equal to $a_{i}x^n + a_{i-1}x^{n-1} + ... + a_{0}$, where $a$ and $x$ are both arrays and $n$ is the length of $a$. We're given both $a$ and the result of the polynomial, $24196561$, so all I had to do was run a polynomial solver and other basic reversing tricks to get the original value of the flag. The solution, written in SageMath, is [sol.sage](https://gist.github.com/lucaschen1000/5f5f916fd750aeff7f75c9af8ff18d6c#file-sol-sage).
Flag: `justCTF{this_is_very_simple_flag_afer_so_big_polynomails}`
## My Little Pwny
I was given access to a server and port. Upon connecting, I tried inputting random characters to see what they would do. Some would be rejected, and others would be echoed. A particular character, the backtick, would make the program display an error message. I realized that this occurs when you write unsanitized bash that doesn't escape the backtick.
The original program must have looked like ``echo your_input ``. When you escape out of this context, you can force the command to be whatever you want. For example, `` echo `ls` `` will execute `ls` only.
I tried `` `cat flag` `` but that wouldn't work. I googled `bash jail escape ctf` and found [this article](http://blog.dornea.nu/2016/06/20/ringzer0-ctf-jail-escaping-bash/).
## 25519 - Solved
Sign in with Wallet
Connect another wallet