https://unigiri.gitlab.io/en/tags/ctf/ Recent content in CTF on Unigiri https://unigiri.gitlab.io/images/unigiri.png https://unigiri.gitlab.io/images/unigiri.png Hugo en Wed, 19 Dec 2018 08:54:08 +0900 https://unigiri.gitlab.io/en/posts/google-ctf-2018-beginners-quest/ Wed, 19 Dec 2018 08:54:08 +0900 https://unigiri.gitlab.io/en/posts/google-ctf-2018-beginners-quest/ <hr> <p>This article was machine-translated from the Japanese version.</p> <hr> <p>This article is for day 19 of the <a href="https://adventar.org/calendars/3210">CTF Advent Calendar 2018</a>. Day 18 was mage_1868&rsquo;s <a href="https://gist.github.com/m---/262d66e0163d42030d9ce1c272e6f65e">MortAl mage aGEnts write-up</a>.</p> <p>As a CTF beginner, I&rsquo;ve been working through the <a href="https://capturetheflag.withgoogle.com/#beginners/">Google CTF 2018 Beginners Quest</a>, and I&rsquo;m putting together the write-ups I&rsquo;ve been writing in my <a href="https://unigiri.gitlab.io/diary">Diary</a>. I haven&rsquo;t finished them all yet, so I&rsquo;ll add the rest as soon as I solve them.</p> <p>I was planning to write about the tools I used as well, but since it would get too long, I&rsquo;ll save that for another time. If you have any comments, please reach out on Twitter or Mastodon.</p> https://unigiri.gitlab.io/en/posts/seccon-beginners-2018-nagoya-ctf-writeups/ Sat, 24 Nov 2018 20:51:48 +0900 https://unigiri.gitlab.io/en/posts/seccon-beginners-2018-nagoya-ctf-writeups/ <hr> <p>This article was machine-translated from the Japanese version.</p> <hr> <p>7th place out of 60+N people. The problems have not been made public.</p> <h2 id="calc">Calc</h2> <p>An HTML version of &ldquo;Te-Keisan Extremes&rdquo; from SECCON Beginners CTF 2018. However, there is no time limit for the answers.</p> <p>Get the mathematical expression and POST the result. Don&rsquo;t forget to set the cookie for user identification.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">urllib.request</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">urllib.parse</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">bs4</span> <span class="kn">import</span> <span class="n">BeautifulSoup</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">http.cookiejar</span> <span class="kn">import</span> <span class="n">CookieJar</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">url</span> <span class="o">=</span> <span class="s2">&#34;http://10.2.6.1:8080/index.php&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">opener</span> <span class="o">=</span> <span class="n">urllib</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">build_opener</span><span class="p">(</span><span class="n">urllib</span><span class="o">.</span><span class="n">request</span><span class="o">.</span><span class="n">HTTPCookieProcessor</span><span class="p">(</span><span class="n">CookieJar</span><span class="p">()))</span> </span></span><span class="line"><span class="cl"><span class="n">res</span> <span class="o">=</span> <span class="n">opener</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="n">url</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">html</span> <span class="o">=</span> <span class="n">res</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s2">&#34;utf-8&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">soup</span> <span class="o">=</span> <span class="n">BeautifulSoup</span><span class="p">(</span><span class="n">html</span><span class="p">,</span> <span class="s2">&#34;html.parser&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">exp</span> <span class="o">=</span> <span class="n">soup</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="s2">&#34;div&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">text</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">100</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">data</span> <span class="o">=</span> <span class="n">urllib</span><span class="o">.</span><span class="n">parse</span><span class="o">.</span><span class="n">urlencode</span><span class="p">({</span><span class="s1">&#39;answer&#39;</span><span class="p">:</span><span class="nb">eval</span><span class="p">(</span><span class="n">exp</span><span class="p">)})</span><span class="o">.</span><span class="n">encode</span><span class="p">(</span><span class="s1">&#39;utf-8&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">res</span> <span class="o">=</span> <span class="n">opener</span><span class="o">.</span><span class="n">open</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">data</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">html</span> <span class="o">=</span> <span class="n">res</span><span class="o">.</span><span class="n">read</span><span class="p">()</span><span class="o">.</span><span class="n">decode</span><span class="p">(</span><span class="s2">&#34;utf-8&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="n">html</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">soup</span> <span class="o">=</span> <span class="n">BeautifulSoup</span><span class="p">(</span><span class="n">html</span><span class="p">,</span> <span class="s2">&#34;html.parser&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">exp</span> <span class="o">=</span> <span class="n">soup</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="s2">&#34;div&#34;</span><span class="p">)</span><span class="o">.</span><span class="n">text</span> </span></span></code></pre></div><h2 id="do-alert">do alert</h2> <p>Inject <code>&lt;script&gt;alert(0)&lt;/script&gt;</code> into the provided form and reload.</p>