Challenge by: realansgar
Writeup by: rebane2001
The challenge consists of a simple Flask webapp that lets you eval arbitrary Python code in a jail in order to evaluate your solution to a leetcode-style programming challenge. The flag can be retrieved by running the /readflag setuid program. The source code was provided.
| #!/bin/sh | |
| # Make /bin/sh point to bash | |
| echo dash dash/sh boolean false | debconf-set-selections -v | |
| DEBIAN_FRONTEND=noninteractive dpkg-reconfigure dash |
The set lines
set -euxo pipefail is short for:set -e
set -u
| import json | |
| import sys | |
| if len(sys.argv) < 2: | |
| print("infojsonredact - A simple script to redact private information from ytdl info.json files") | |
| print("Output will be saved in info.json.redacted files") | |
| print("Usage: infojsonredact.py file1.info.json [file2.info.json, file3.info.json...]") | |
| sys.exit(2) | |
| redacted = ["url","manifest_url","fragment_base_url","fragments","http_headers","User-Agent","Accept-Charset","Accept","Accept-Encoding","Accept-Language","player_url","playlist","playlist_id","playlist_title","playlist_uploader","playlist_uploader_id","playlist_index","thumbnail","_filename","downloader_options","http_chunk_size","initialization_url","annotations", "playlist_count","version","_version","repository","release_git_head","filesize_approx","_format_sort_fields"] |
| <!doctype html> | |
| <html lang="et"> | |
| <head> | |
| <meta charset="utf-8"> | |
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> | |
| <title>Salasõna-pulpulaator | rabool-js</title> | |
| <style> | |
| html { | |
| background-color: #fafafa | |
| } |
| 安装方式: | |
| 下载解压文件至 ---> /usr/bin/ 目录 | |
| 给予执行权限 | |
| chmod +x /usr/bin/fclone | |
| 使用方式与 gclone / rclone 相同 | |
| 满足拥有2000有效可用SA请尝试以下 flag | |
| flag 1)::低配VPS推荐 | |
| --drive-server-side-across-configs --stats=1s --stats-one-line -vP --checkers=128 --transfers=128 --drive-pacer-min-sleep=1ms --check-first |
| /* | |
| * John Conway's Game of Life. | |
| * | |
| * This is written for POSIX, using Curses. Resizing of the terminal is not | |
| * supported. | |
| * | |
| * By convention in this program, x is the horizontal coordinate and y is | |
| * vertical. There correspond to the width and height respectively. | |
| * The current generation number is illustrated when show_generation is set. | |
| * |
Firstly run the following command with the appropriate privilege:
sudo pacman -S linux-zen linux-zen-headers
When asked for confirmation, type 'y', press ENTER
Now the kernel is installed on your system. We need to tell systemd-boot to boot with the newly kernel installed.
| :: | |
| :: This script installs wormhole (https://github.com/warner/magic-wormhole) and | |
| :: its prerequisites. Run this as an administrator. | |
| :: | |
| :: Install chocolatey. | |
| @"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin" | |
| :: Install Python 3. Python3.8 has removed time.clock which breaks autobahn on which wormhole relies | |
| choco install -y python3 --version=3.7 --allow-downgrade |
| Base64 Code | Mnemonic Aid | Decoded* | Description |
|---|---|---|---|
JAB |
🗣 Jabber | $. |
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env: |
TVq |
📺 Television | MZ |
MZ header |
SUVY |
🚙 SUV | IEX |
PowerShell Invoke Expression |
SQBFAF |
🐣 Squab favorite | I.E. |
PowerShell Invoke Expression (UTF-16) |
SQBuAH |
🐣 Squab uahhh | I.n. |
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
PAA |
💪 "Pah!" | <. |
Often used by Emotet (UTF-16) |
