Dragon CTF 2020 Scratchpad

Scratchpad is a Web challenge implementing a simple note-taking application where you can authenticate, register, create/delete/edit and report a note composed of a title and a description. The application source code is available here: sources

Reporting a note will make the admin authenticate with his credentials and consume the note with a Firefox browser:

const driver = new Builder() .forBrowser("firefox") .setFirefoxOptions( new firefox.Options() .headless() .setAlertBehavior(UserPromptHandler.DISMISS) as firefox.Options ) .build(); try { console.

Balsn CTF 2020 TPC

TPC (web, 310p, 33 solves)

Description

The challenge implements a simple Python application taking a URL as a parameter. It allows us to perform SSRF and local file disclosure. Reading a file on the server is as simple as:

$ curl -s --output - 'http://35.194.175.80:8000/query?site=file:///etc/passwd'
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
[...]

We first needed to be sure what the Python code does. To find this out, we tried to find where it was located:

ByteBandits 2020 Notes App

For this task, a very simple Python application and its source code are provided: Sources

Analysis

The application lets us register, log in, submit a link and edit a single field "note" that will be displayed on /profile. The application code is pretty straightforward and allows us to insert Markdown on our own profile page. The Python code responsible for Markdown rendering (md2html) is the following:

@app.route("/update_notes", methods=["POST"]) @login_required def update_notes(): # markdown support!