TAMUctf Writeup
Team member: Dingsu Wang, Owen England, Wenhe Li
Web
Science
This website takes to arguments as input and gives back a gif. And this web indicates it is a flask app which is important in the solution!
Originally, I thought it is about SQL injection or blind injection. While I tried commands like:
' OR 1=1; -- !
It does not give feedback but return the input directly. And we noticed the result page will print our input without any modified. We found a potential chance to do Xss
. While doing such Xss
will only work on client side which seems to be not helpful of finding flag.
After a while, we finally noticed that it is a flask app and using some HTML template
which means we can inject python code using special template syntax. The next thing is determine which template engine it is using, so we input:
{{ 7 * '7' }}
If the output is 49
it is using Twig, if its output is 7777777
then it uses jinja.
After we got the template engine is jinja, we firstly wanted to direct inject python commands like:
open('flag.txt', 'r').read()
os.system('ls')
subprocess
While none of the above works, it's probably due to a limit on namespace. Then we found out by calling config.items()[4][1].__class__.__mro__[2].__subclasses__()
, we can get all the modules loaded in the currently namespace.
And we can think it as a list contains all the object, we just need to find one that can read/write or call command-line. So we tried subprocess.Popen
to run command-line, while we found it is not possible to get the output unless we have subprocess.PIPEP
in the environment. Since we can not get the direct output from command, we also tried curl
, rsync
or wget
to send flag file to our personal server. While it turns out that none of the commands are in the environment. So we looked back to the modules they had, we found the had a module called click
that can run commands and read file. So finally, by calling:
lazyFile('flag.txt').open().read()
We can get the flag.
Buckets
In the description, it indicated us to deal with the buckets
. And its url is clearly from Amazon Aws, so we know that we need to deal with aws in this problem. After searching on the buckets SDK, we found that we can run command line like ls
using aws cli
.
aws s3 ls --recursive tamuctf --no-sign-request --region us-west-2
And just access the flag file with URI, we can get it.
Crypto
-.-
This task gives us a txt
file in the following format, with a hint says it is a classical cipher:
dah-dah-dah-dah-dah dah-di-di-dah di-di-di-di-dit
First come to our mind is that this is a random combination of di
, dah
and dit
, which sounds like music. It is nothing but indeed contains some information. Look back at the title of the problem: -.-
, which is a combination of -
and .
. It's MORSE CODE and it really makes sense that di
stands for the short one unit while dah
stands for the long three units.
We use python to transfer the txt
file to the following sequence of number:
0X57702A6C58744751386538716E6D4D59552A737646486B6A49742A5251264A705A766A6D2125254B446B6670235E4E39666B346455346C423372546F5430505A516D4351454B5942345A4D762A21466B386C25626A716C504D6649476D612525467A4720676967656D7B433169634B5F636C31434B2D7930755F683476335F6D3449317D20757634767A4B5A7434796F6D694453684C6D385145466E5574774A404E754F59665826387540476E213125547176305663527A56216A217675757038426A644E49714535772324255634555A4F595A327A37543235743726784C40574F373431305149
Because of it starts with 0X
, we assume it is a hex and translate it into string. We find the flag in the string!
RSAaaay
This problems gives use a tuple of two integers and a secret message consist of secrets in the following screenshot:
From the tile of the problem, it is obvious that this message use a ciphter method called RSA
. However, there is one trick that Python
does not have large numbers and we are not able to use it to make the computation. Following the algorithm, we use Wolframalpha
which the tool to compute to get a sequence of number such as 103 105103
. Since there have two 103
at the beginning of the number which match the format of the flag. We know this is the ASCII
number of each characters and translate it into stirng and it is the flag.
Misc
I heard you like files
We are given a png file in this problem:
and here is the description of the problem:
Bender B. Rodriguez was caught with a flash drive with only a single file on it. We think it may contain valuable information. His area of research is PDF files, so it's strange that this file is a PNG.
It is interesting that it mentions the guy is a researcher about PDF
and it is strange to have a PNG
. The first thing we thought was to change the file type from .png
to .pdf
.
Aha! It works and here is the last few lines of the .pdf
file:
It is interesting that all the content in the file is non-sense word and only this two lines have some information. Unfortunately, there is no flag in it. :(
The title once again gives us some hint about files
! We have the idea that the file may be changed to other types. Then, we tried file types like .txt / .word / .xml / .zip
and only .zip
works.
Here is the content of the zip:
There is a txt file that says, the flag
is not here. Dissapointed but still eager to explore, we check every folder and file and find another file image1.png
in the word/media
folder:
Interesting! We change its file type to .pdf
once again, but still has no flag in it. Here it is:
Emmm... polyception! Another try failed. :( Angrily and desperately, we tried to figure out what actually was hidden in this file since it is polyception! We use the following cammand in linux in order to detemine the content of this .png
file.
strings -a image1.png
The result seems to contain no useful information, BUT the last line is quite different compared to others:
ZmxhZ3tQMGxZdEByX0QwX3kwdV9HM3RfSXRfTjB3P30K
There is no slash and punctuations in the string and it looks like a base64
encoded message. With the last hope, we try to change it into string. :) BINGO!!! It is the flag.
Hello World
In this problem, we are given a c++
file and not much description which only says My first program!
.
Wait... Only the last few lines is the c++
code which prints out the string Hello, Worlds!
. What are the other empyt spaces for? We are frustrated, but we find that the whitespaces actually are in certain format:
By googling, we notice there is a programming language called whitespaces and it looks much like what we have now. There are numerous online compilers about the whitespaces
programming language, and here is the one that we use whitespaces IDE. Here is the result of what we have:
Well sweet golly gee, that sure is a lot of whitespace!
Unfortunately, the flag is not here. While exploring around on the website, we find in the console memory
there is a stack:
Stack: [103, 105, 103, 101, 109, 123, 48, 104, 95, 109, 121, 95, 119, 104, 52, 116, 95, 115, 112, 52, 99, 49, 110, 103, 95, 121, 48, 117, 95, 104, 52, 118, 51, 125]
Once again, two 103
occured at the beginning of the stack. It's ASCII
, and we find the flag.