Information#
Version#
| By | Version | Comment |
|---|---|---|
| noraj | 1.0 | Creation |
CTF#
- Name : Harekaze CTF 2018
- Website : harekaze.com
- Type : Online
- Format : Jeopardy
- CTF Time : link
30 - easy problem - WarmUp#
Do you know ROT13? Can you decode this text?
UnerxnmrPGS{Uryyb, jbeyq!}
Here is my Ruby script for Caesar cipher, here we already know it is ROT13
#!/usr/bin/env ruby
# from https://gist.github.com/matugm/db363c7131e6af27716c
def caesar_cipher(string, shift = 1)
alphabet = Array('a'..'z')
encrypter = Hash[alphabet.zip(alphabet.rotate(shift))]
# " " => c because I don't want to void non-letters chars
string.chars.map { |c| encrypter.fetch(c, c) }
end
text = 'UnerxnmrPGS{Uryyb, jbeyq!}'
text.downcase! # put lowercase
(1..25).each do |i|
puts "#{i}: " + caesar_cipher(text, i).join + "\n\n"
endThe flag is harekazectf{hello, world!}.
40 - recursive zip - WarmUp#
Do you know unzip?
I made a dirty script in ruby to recursively unzip the archive:
require 'archive/zip'
require 'fileutils'
filename = 'flag.zip'
basename = filename.chomp('.zip')
extract_folder = basename + '/'
while true
FileUtils::mkdir_p extract_folder
Archive::Zip.open(filename) do |z|
z.extract(extract_folder, flatten: true)
end
Dir.chdir extract_folder
# dirty, wait for 'No such file or directory @ rb_sysopen - flag.zip (Errno::ENOENT)'
endAs the script preserves the file tree, make a recursive ls to find the last directory : ls -R.
Then display the flag.txt: HarekazeCTF{(\lambda f. (\lambda x. f (x x)) (\lambda x . f (x x))) zip}.
100 - Sokosoko Secure Uploader - Web#
I encrypted my file by using this service. Attachment is the encrypted file, but I accidentally deleted the UUID of the file. All I remember is the UUID starts with 9e5a :(
The website looks like this:
Let's read the source code.
In decrypt.php, we can see the SQL query is injactable:
$pdo = new PDO('sqlite:key.db');
$stmt = $pdo->query("SELECT key FROM decryption_key WHERE id = '$uuid'");
$res = $stmt->fetch();
if ($res === false) {
die('key not found');
}So our entry point is the UUID provided by the user. But the UUID must match two conditions:
$uuid = $_POST['uuid'];
if (!is_string($uuid) || !is_uuid($uuid)) {
die('invalid UUID');
}Firstly, UUID needs to be a string, easy for us. Secondly, UUID needs that is_uuid() returns true.
I took a look in functions.php to find is_uuid():
function is_uuid($str) {
if (strlen($str) !== 36) {
return false;
}
if ($str[8] !== '-' or $str[13] !== '-' or $str[18] !== '-' or $str[23] !== '-') {
return false;
}
return true;
}So the UUID must be 36 char long and needs to have the - char at some specific places.
Here, the exploitation will be more challenging as our payload will need to look something like xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
Then I used sqlitebrowser to create a test SQLite database and try some payloads.
We need to respect the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx format and to make a valid SQL payload for this query SELECT key FROM decryption_key WHERE id = '$uuid'.
I found that operators like OR can be stuck to a quote like this 'OR and that C-style inline comments can't split a keyword so SEL/* bla */ECT is not valid but SELECT/* bla */key FROM is.
So I managed to generate the final payload 'OR id/*-*//*-*//*-*//*-*/LIKE '9e5%. Submitting this as the UUID and the encrypted image gave me back the decrypted image containing the flag HarekazeCTF{k41k4n_j1kk4n_j1n615uk4n}.