tomek7667

  • HTB - JS Calc - web - easy

    Our input is passed directly to eval in challenge/helpers/calculatorHelper.js:5. The following payload returns 1 to us in the message and runs console.log in the Node environment console: { "formula": "(() => {console.log(1); return 1;})()" } This input results in the following interpolated string: eval(`(function() { return (() => {console.log(1); return...

  • HTB - Insomnia - web - easy

    This challenge is a huge bootstrap app written in PHP. Insomnia/app/Controllers/ProfileController.php contains the following: $token = (string) $_COOKIE["token"] ?? null; $flag = file_get_contents(APPPATH . "/../flag.txt"); if (isset($token)) { $key = (string) getenv("JWT_SECRET"); $jwt_decode = JWT::decode($token, new Key($key, "HS256")); $username = $jwt_decode->username; if ($username == "administrator") { return view("ProfilePage", [ "username"...

  • HTB - Why Lambda - web - hard

    The challenge has flag.txt referenced nowhere, so either LFI or RCE. The app has its backend in Flask and its frontend in Vue. The app has a bot and its password is ungettable afaik. When bot -> XSS. So I looked into Vue XSS examples and all showed just v-html as the equivalent...

  • PlaidCTF 2023 - subs - web

    Cache Poisoning in GraphQL. The flag is accessible to the admin only; the admin is a bot verified based on window.localStorage.token. To communicate, the client and the server make use of linked apollo graphql. Client: written as a React frontend web app, it had some dangerouslySetInnerHTML in a few places, but not...

  • PlaidCTF 2023 - Davy Jones' Putlocker - web - part 1

    justCatTheFish write-up. Challenge meta: Name: Dubs; Solves: 67; Reward: 350; Description: When I not be plunderin’ the high seas, I be watchin’ me favorite shows. Like any self-respectin’ pirate, I don’t be payin’ for my media. But I’ll be...