Hi 👋

Welcome to my collection of write-ups

SekaiCTF 2025 hqli-me

Overview Please note that this challenge has no outgoing network access. Challenge author: irogir Solves: 3 Fun challenge focused mostly on RCE via HQL. 1. General Analysis The challenge deployment consists of 3 containers: order_service, authn_service containing the flag, mysql We can reach any container from within another, but only order_service is exposed externally. Both order_service and authn_service are Java applications that use HQL to query the underlying databases; however, order_service uses mysql from another container, while authn_service opted for an in-memory H2 db....

August 27, 2025 · 13 min · ShellUnease

R3CTF 2025 R3note

Overview In the dawning age of the ARPANET’s gleam A simple idea, a persistent dream From a humble note, in ‘69 it came Steve Crocker wrote it, and whispered its name A “Request for Comments,” a title so grand To build the foundation across the land From a simple memo, a legacy grew To connect the world, for me and for you. Solves: 10 This write-up describes a series of vulnerabilities in the r3note application that, when chained together, lead to XSS....

July 20, 2025 · 7 min · ShellUnease

BuckeyeCTF 2024 Free C Compiler Online

Intro This post covers Free C Compiler Online from BuckeyeCTF 2024. The description of the challenge is as follows: It is free of charge, but is it free of bugs? No, it’s not. Analyzing The Source Code The following is the source code of the application: from flask import ( Flask, json, jsonify, request, render_template, ) from pathlib import Path from uuid import uuid4, UUID import os from werkzeug.exceptions import NotFound, BadRequest, Forbidden import subprocess app = Flask(__name__) storage_path = Path(__file__)....

September 30, 2024 · 2 min · ShellUnease

PatriotCTF 2024 Abnormal Maybe Illegal

Intro This post covers Abnormal Maybe Illegal from PatriotCTF 2024. The description of the challenge is: We have recently discovered tons of traffic leaving our network. We have reason to believe they are using an abnormal method. Can you figure out what data they are exfiltrating? Furthermore, two additional hints were released throughout the competition: TCP packets are constructed in a way, where certain combinations are possible/(legal) and others should raise alerts/(illegal)...

September 24, 2024 · 6 min · ShellUnease

CSAW CTF Qualification Round 2024 Literally 1984 & Mystery

Intro This post covers both Literally 1984 and Mystery as they’re related to each other. The description of Literally 1984 is: An artist by the name of ‌ made a cover of a song I liked, but I don’t remember the original composer of that song. Could you help me find the original composer? Flag Format: csawctf{Firstname_Lastname} (replace all spaces with _ ) and the description of Mystery is: Remember the composer from Literally 1984?...

September 7, 2024 · 2 min · ShellUnease

CSAW CTF Qualification Round 2024 BucketWars

Intro For this challenge we’re only given the link https://bucketwars.ctf.csaw.io and the description: let’s keep our storage simple – and remember we don’t make mistakes in these parts. Enumerating the Website Upon visiting the website, we notice the current version Version: 5.0.0 and the versions page. When we visit a page that doesn’t exist, it tells us that the 404.jpg is missing from an S3 bucket https://s3.us-east-2.amazonaws.com/bucketwars.ctf.csaw.io. We try accessing index....

September 7, 2024 · 2 min · ShellUnease

CSAW CTF Qualification Round 2024 Lost Pyramid

Initial Code Analysis First thing that catches our eye is the old version 2.3.0 of PyJWT used in the application. In order to access the flag, we need to view kings_lair.html which requires sending a JWT with specific CURRENT_DATE and ROLE. The scarab room seems vulnerable to SSTI via name POST param. app.route('/scarab_room', methods=['GET', 'POST']) def scarab_room(): try: if request.method == 'POST': name = request.form.get('name') if name: kings_safelist = ['{','}', '𓁹', '𓆣','𓀀', '𓀁', '𓀂', '𓀃', '𓀄', '𓀅', '𓀆', '𓀇', '𓀈', '𓀉', '𓀊', '𓀐', '𓀑', '𓀒', '𓀓', '𓀔', '𓀕', '𓀖', '𓀗', '𓀘', '𓀙', '𓀚', '𓀛', '𓀜', '𓀝', '𓀞', '𓀟', '𓀠', '𓀡', '𓀢', '𓀣', '𓀤', '𓀥', '𓀦', '𓀧', '𓀨', '𓀩', '𓀪', '𓀫', '𓀬', '𓀭', '𓀮', '𓀯', '𓀰', '𓀱', '𓀲', '𓀳', '𓀴', '𓀵', '𓀶', '𓀷', '𓀸', '𓀹', '𓀺', '𓀻'] name = ''....

September 7, 2024 · 3 min · ShellUnease

CyberSpace CTF 2024 Notekeeper

Source Code Analysis The goal is to access the GET /flag endpoint which calls an executable that prints out the flag. It’s guarded by 2 checks: if session[:user] == "admin" if req.ip == "127.0.0.1" There’s also an interesting POST /download endpoint. It accepts any session but is also guarded by the if req.ip == "127.0.0.1" check. It serves a file based on filename from our request, which leads to LFI....

September 3, 2024 · 2 min · ShellUnease

CyberSpace CTF 2024 Zip Zone

Initial Inspection After loading the page we’re greeted with an upload form for zip archives. We’re informed that after uploading we can access the files by appending a filename to a generated UUID. We inspect the code and learn that our uploaded archive will be unzipped using unzip. Zip With a Symlink We can use the zip command to create an archive that’ll preserve symlinks by using the -y option....

September 3, 2024 · 1 min · ShellUnease

CyberSpace CTF 2024 Feature Unlocked

Source Code Analysis The aim of the challenge is to call the POST /feature which contains a command injection vulnerability. As we can see, we need a valid signed access_token that contains the string access_granted. There’s GET /release endpoint that’ll do exactly that if we pass the validate_server(...) check. Interestingly, if we set a query param debug=true, we can control the validation server address. The validate_server(validation_server) method does the following:...

September 3, 2024 · 2 min · ShellUnease