Little Bai Yiduo -- Analysis of Several ssctf questions

Source: Internet
Author: User

Little Bai Yiduo -- Analysis of Several ssctf questions

Brother Two said that he came from wooyun and returned to wooyun. Web400 comes from this and should be back to this. If you have any shortcomings, please note.

0x00 Web200

Let's take a look at the xss of web200.

Url: xss = xxx "> Xss = xxx

Obviously, the xss parameter is payload. First, let's take a look at what is filtered out at a glance.

You can find that the angle brackets and colons are filtered into underscores, and you cannot bypass them after trying several poses.

Let's look at other filtering rules.

Basically all of them are filtered out, and there is only one single one left.

The wonderful payload mentioned in web Front-end security was sacrificed, and The on in onerror was eaten.

It is useless to connect multiple on statements. Considering the previous experience of playing SQL injection, oonn can be used to play on statements. Seeing the result, I suddenly felt hope.



It seems that this form is very close, but the underline Of the evil cannot be solved, and it was once killed.

Later, the students said that they should take a closer look at the source code. Who wrote the web page, he may be able to see what.

I noticed that I did not write the first sentence as usual. I noticed that the page had css, so I ran away from the, but it seemed useless. Baidu gave the first sentence.

!!? Identify and load, and try again.

AngularJS expressions are written in double braces:{{ expression }}.


After confirming the version number, the teammates will find a payload.

Processed:{{'a'.coonnstructor.prototype.charAt=[].join;$evevalal('x=1} } };aleonrt(1)//');}}


Bounce :)

0x01 Misc: famine _ MC

Before web400, I would like to mention misc's famine _ MC. This is one of the most interesting ctf questions I have ever seen. I have heard that websocket has also seen the instance for the first time.

It seems to be a small game.

Generally, games that appear in ctf cannot be ignored.

Level 1: All levels are peaceful and pass through level 2.

Second, it seems that you need to find a key for customs clearance. The Key is nothing, and only the space is a function button, then run the full graph first. After running for a while, I felt too tired. I asked my teammates to write a key-pushing genie to simulate it.

However, even if this figure is not completed, I want to see if the key is on the first level. I need to know that this kind of game has never been played by common sense.

I started to run the first level, and suddenly a wonderful thing happened, and a card suddenly sent to a strange place.

It seems that for unknown reasons, I suddenly jumped to the third level. (Maybe time competition ?)

The third level is a tree cutting function. Because the key-pushing wizard has already been connected to the two levels, the idea has been fixed. I have no idea what to say about js local debugging, and I jumped into the trap without hesitation. I want to cut 9999 wood to make a wooden pick (Everything starts with wood). I found that I had to hold down the space for one second before I could cut a wood. It seems wrong, but I still need to find something and press the space... It wasn't until five minutes later that the Administrator had kicked off that it was a pitfall. I had to open the js Code. Fortunately, I took a look at "js-dom programming art" during the winter vacation.


The parameter has an isReady parameter. Only full images can be loaded for operation. Open firebug, save the image as, place it in the corresponding location, and write an html file to call game. js (just file on the webpage)

Suddenly, the perspective of God was turned on, and you did not hesitate to jump to level 4, but found that the server prompts you where the gem sword is? Then you are kicked. After observing the code, it seems that there should be a boss.

This is probably the case.

Observe the code

I can't do it. I will summon a boss and capture the packet and change the player to a boss. But it seems useless. It should be verified on the server.

Notice several images of hero.


It seems that I have never seen these two states, and I feel that they are not correct. I will study the code again.


There was a diamond lock under the wood, and the last one seemed to have killed myself at two points. Fortunately, there was no past. (The front door of level 2 is a fake door, and there is no key at all)

Find the wood collection function and modify it.

Directly 9999, get with a wooden pick.

Go to Diamond

This seems to be similar to the wood function. (The image has been modified)

Of course, it seems that 50 is the limit when I try it. The next step is 200, and I feel that there is still a limit on the upload time, so I opened the reluctant buttons. Although it is slow, the task can still be completed within 1 or 2 minutes.

I finally got the diamond sword. Now I am invincible. Let's go and poke the boss.

System prompt.

If you want to hack a boss under 15 times or kill five people, as a wow pve casual player, I certainly choose to hack a boss under 15 times (pay attention to the short-distance weapon sentence, and combine the points of suicide with the bow and arrow ).

However, I was lying down when I found my boss was close to each other, and the remote blood deduction made pvp very difficult (unless we were given a head off ). After several rounds, I finally felt that the speed of the key-pushing genie was not enough for me (I found that I got the diamond sword right next to me ). I commented out the conditions and found that the upload speed was no longer slow, but it was still too annoying to press 200, and finally opened the Button wizard. (Here we can actually write a loop, which is terrible about the mindset ).


Now that the attack range is nearly one second away, I modified the boss image to facilitate targeting.

This is probably the case. Unfortunately, the pve casual players are no longer good enough for me to hit it 15 times.

Finally, the students finally suddenly realized the data interaction.

Change the attack address directly to the boss address, and find a dark and small corner.

0x02 Web400

Finally came to web400, page open a look (url: /)

A github icon and a prompt not to crack it. Click it to open a third-party authorization page on github. It should not be a github-certified vulnerability.

After binding, it looks like this: A github Avatar image, the github uid, does not know why the name is none at first, combined with find flag man, I guess the final flag should be output at the name location, and the network only requests an image.



I don't know what to do.

When we knew that burp had captured the packet, we removed all the cookies and found this.

Flask seems a little familiar. I thought I had seen it, so I rummaged through it.

In an article published a few days ago in the wooyun knowledge base, the article mentions controlling the template content for arbitrary code execution. Looking at the page, it seems like this is indeed the case. The content in the template is on github, so the next step is to find a controllable point to call python. Next, I thought the picture was controllable, but it was useless after a long time. Later, I opened github and suddenly realized why the name was none.

Because I didn't set the name Orz at all. Set the name to {7*7 }}.

Found to be parsed (similar to the xss method ).

The original author's payload cannot be used directly, and he is not familiar with python built-in functions. He has to read the official manual.

After finding the method to open the file, I felt this was reliable. I tried it and it seemed that it was useless. So I searched for the built-in method on github.



Too many problems could not be solved at once. I noticed that 10 users used this wonderful name and opened it.

!! I found out what I found, and copied a sentence that looked pleasing to the eye, it burst into a flag.

This should be an official benefit. After all, no one will write payload.

Above, complete. There is not much technical expertise, and it is basically a self-hyped documentary. No matter the review has not passed, record it as worth it.


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.