Migrating My Notes With cherrytree2trilium
Intro I had quite a large (~363MB) CherryTree database that I wanted to convert to Trilium. I stumbled upon the cherrytreetomarkdown project, modified it a bit and used it alongside trilium-py to suit my needs. This project may or may not lack some migration features, but it allowed me to successfully migrate my CherryTree database to Trilium and I figured it might help others too. The project is available here....
ASIS CTF Finals 2025 One shoot game!
Overview Can you one shoot me? Solves: 10 1. General Analysis The application is written in Python and uses Flask. Each time the bot is called, it will create an account with random credentials, log in, create a new note with the target flag in its content, and then visit our note. The endpoint to display a note /display/<string:doc_id> only requires that we’re logged in, but as long as we know its id we can view any note....
PwnSecCTF 2025 PSPD
Overview They begged me not to do it, but I had to. Can you bring PwnSec’s Police Department to a clojure? Challenge author: aelmo Solves: 2 1. General Analysis The application is written in Clojure, however the challenge doesn’t involve anything specific to it. The flag is located in the admin bot’s journal. It’s not protected by any auth check - all we have to do is learn the admin’s user id....
SekaiCTF 2025 hqli-me
Overview Please note that this challenge has no outgoing network access. Challenge author: irogir Solves: 3 Fun challenge focused mostly on RCE via HQL. 1. General Analysis The challenge deployment consists of 3 containers: order_service, authn_service (containing the flag), and mysql. We can reach any container from within another, but only order_service is exposed externally. Both order_service and authn_service are Java applications that use HQL to query the underlying databases; however, order_service uses mysql from another container, while authn_service opted for an in-memory H2 db....
R3CTF 2025 R3note
Overview In the dawning age of the ARPANET’s gleam A simple idea, a persistent dream From a humble note, in ‘69 it came Steve Crocker wrote it, and whispered its name A “Request for Comments,” a title so grand To build the foundation across the land From a simple memo, a legacy grew To connect the world, for me and for you. Solves: 10 This write-up describes a series of vulnerabilities in the r3note application that, when chained together, lead to XSS....
BuckeyeCTF 2024 Free C Compiler Online
Intro This post covers Free C Compiler Online from BuckeyeCTF 2024. The description of the challenge is as follows: It is free of charge, but is it free of bugs? No, it’s not. Analyzing The Source Code The following is the source code of the application: from flask import ( Flask, json, jsonify, request, render_template, ) from pathlib import Path from uuid import uuid4, UUID import os from werkzeug.exceptions import NotFound, BadRequest, Forbidden import subprocess app = Flask(__name__) storage_path = Path(__file__)....
PatriotCTF 2024 Abnormal Maybe Illegal
Intro This post covers Abnormal Maybe Illegal from PatriotCTF 2024. The description of the challenge is: We have recently discovered tons of traffic leaving our network. We have reason to believe they are using an abnormal method. Can you figure out what data they are exfiltrating? Furthermore, two additional hints were released throughout the competition: TCP packets are constructed in a way, where certain combinations are possible/(legal) and others should raise alerts/(illegal)...
CSAW CTF Qualification Round 2024 Literally 1984 & Mystery
Intro This post covers both Literally 1984 and Mystery as they’re related to each other. The description of Literally 1984 is: An artist by the name of made a cover of a song I liked, but I don’t remember the original composer of that song. Could you help me find the original composer? Flag Format: csawctf{Firstname_Lastname} (replace all spaces with _ ) and the description of Mystery is: Remember the composer from Literally 1984?...
CSAW CTF Qualification Round 2024 BucketWars
Intro For this challenge we’re only given the link https://bucketwars.ctf.csaw.io and the description: let’s keep our storage simple – and remember we don’t make mistakes in these parts. Enumerating the Website Upon visiting the website, we notice the current version Version: 5.0.0 and the versions page. When we visit a page that doesn’t exist, it tells us that the 404.jpg is missing from an S3 bucket https://s3.us-east-2.amazonaws.com/bucketwars.ctf.csaw.io. We try accessing index....
CSAW CTF Qualification Round 2024 Lost Pyramid
Initial Code Analysis The first thing that catches our eye is the old version 2.3.0 of PyJWT used in the application. In order to access the flag, we need to view kings_lair.html, which requires sending a JWT with a specific CURRENT_DATE and ROLE. The scarab room seems vulnerable to SSTI via the name POST param. @app.route('/scarab_room', methods=['GET', 'POST']) def scarab_room(): try: if request.method == 'POST': name = request.form.get('name') if name: kings_safelist = ['{','}', '𓁹', '𓆣','𓀀', '𓀁', '𓀂', '𓀃', '𓀄', '𓀅', '𓀆', '𓀇', '𓀈', '𓀉', '𓀊', '𓀐', '𓀑', '𓀒', '𓀓', '𓀔', '𓀕', '𓀖', '𓀗', '𓀘', '𓀙', '𓀚', '𓀛', '𓀜', '𓀝', '𓀞', '𓀟', '𓀠', '𓀡', '𓀢', '𓀣', '𓀤', '𓀥', '𓀦', '𓀧', '𓀨', '𓀩', '𓀪', '𓀫', '𓀬', '𓀭', '𓀮', '𓀯', '𓀰', '𓀱', '𓀲', '𓀳', '𓀴', '𓀵', '𓀶', '𓀷', '𓀸', '𓀹', '𓀺', '𓀻'] name = ''....