tomek7667

  • GPN CTF 2024 - todo - web

    The challenge is a simple express app with a bot and a very strict Content Security Policy (CSP), which only allows inline JavaScript injected within <script></script> tags and scripts from the same origin. The bot visits the page, types in our HTML input, submits it and takes the screenshot...

  • GPN CTF 2024 - never-gonna-tell-a-lie-and-type-you - web

    Based on the attached Dockerfile, we know that the flag is at /flag.txt, and the app is a simple php login riddle: <?php ini_set("display_errors",1); error_reporting(E_ALL); //we tought about using passwords but you see everyone says they are insecure thus we came up with our own riddle. function securePassword($user_secret){ if ($user_secret...

  • GPN CTF 2024 - inspect-element - web

    The Dockerfile runs Chrome with the debugging port open. In order to connect to the debugging port, I had to use the command from the hint: socat TCP-LISTEN:1336,fork OPENSSL:positions--ariana-grande-8298.ctf.kitctf.de:443 Then I could go to chrome://inspect/#devices and connect to the remote debugging port using localhost:1336 as the address. In order to properly...

  • HTB - Pod Diagnostics - web - hard

    In order to get the flag we need RCE to call /readflag and get the output. The PDF generating server has Access-Control-Allow-Origin set to *, so we can make a request to it from any server; the same holds for the stats server. The stats server calls different stats commands: exec("uptime") readFile("/proc/stat",...

  • HTB - JS Calc - web - easy

    Our input is passed directly to eval in challenge/helpers/calculatorHelper.js:5. The following payload returns 1 to us in the message and logs 1 via console.log in the node environment console: { "formula": "(() => {console.log(1); return 1;})()" } This input results in the following interpolated string: eval(`(function() { return (() => {console.log(1); return...