@shouc
Last active July 5, 2020 17:25
ASIS CTF 2020 PyCrypto Writeup

PyCrypto Writeup

The first step is a very easy crypto challenge. Solving it with a collision gives us:

key = "ASIS2020_W3bcrypt_ChAlLeNg3!@#%^"

Next, use this vulnerability (trentm/python-markdown2#348) to get XSS on /ticket.

Finally, we can only submit URLs that start with 76.74.170.201, so an iframe of http://127.0.0.1:8080/ticket could be injected into /ticket to make sure we are on the same origin as http://127.0.0.1:8080/flag. However, /ticket prevents any connection to 127.0.0.1, so we can use DNS rebinding instead:

[DOMAIN] => [127.0.0.1, 76.74.170.201]

Requesting http://[DOMAIN]/ticket can then get the flag.

ASIS{Y0U_R3binded_DN5_f0r_SSRF}
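
Seen from the defending side, the rebinding step works because the 127.0.0.1 restriction is applied to the name in the URL rather than to the addresses that name resolves to. The sketch below is an added example, not code from the challenge or the original writeup: it contrasts a hostname-string check with one that resolves once, rejects the URL if any record is non-public, and pins the connection to the validated IP. The function names, the `.example` hostnames and the stand-in resolver are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """All addresses the OS resolver returns for host (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def naive_is_allowed(url):
    """Weak check: inspects only the hostname string, never what it resolves to."""
    host = urlsplit(url).hostname or ""
    return host not in ("127.0.0.1", "localhost")


def resolve_and_pin(url, resolver=system_resolver):
    """Resolve once, reject if ANY record is non-public, return the pinned IP.

    The caller must connect to the returned IP (keeping the original Host
    header) instead of resolving the name a second time.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no host")
    addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        raise ValueError("host did not resolve")
    for addr in addrs:
        if not addr.is_global:  # loopback, private, link-local, ...
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return str(addrs[0])


# Constructed sample data: a stand-in resolver so the example runs offline.
FAKE_DNS = {
    "rebind.example": ["127.0.0.1", "76.74.170.201"],  # record set from the writeup
    "plain.example": ["76.74.170.201"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [host])  # IP literals resolve to themselves
```

Pinning matters as much as the check itself: if the fetcher validates the name and then lets its HTTP client resolve it again, a second lookup can return a different record than the one that was validated.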

Didn't get up early enough to solve the last part before it ends : (