Contents
imaginary-notes
certificate
codenames-1
passwordless
pearl
imaginary-notes
I made a new note taking app using Supabase! Its so secure, I put my flag as the password to the "admin" account. I even put my anonymous key somewhere in the site. The password database is called, "users".
Clicking through the register and login features, I captured several NoSQL query requests.
Modify the request according to the challenge hint to get the flag:
/rest/v1/users?select=password&username=eq.admin
certificate
As a thank you for playing our CTF, we're giving out participation certificates! Each one comes with a custom flag, but I bet you can't get the flag belonging to Eth007!
Changing username straight to Eth007 gets you banned.
Noticed that Burp can't intercept the certificate generation request at all, so it must be pure front end.
Read the JS; it's obvious at a glance.
codenames-1
I hear that multilingual codenames is all the rage these days. Flag is in /flag.txt.
The file read path is built by string concatenation, but '.' is filtered by the WAF, so directory traversal isn't possible.
os.path.join has an absurd property:
when it encounters an absolute path component, it discards every component that came before it.
Set language to /flag.
Won.
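Added example (not the challenge's own code) of the os.path.join behaviour described above, next to a hardened path builder that rejects it; the base directory /app/wordlists, the .txt suffix and the function names are assumptions.

```python
import os

# Assumed base directory for the word lists (constructed for this example).
WORDLIST_DIR = "/app/wordlists"


def vulnerable_path(language: str) -> str:
    """Mirrors the buggy pattern: filter '.' and then os.path.join."""
    if "." in language:
        raise ValueError("traversal blocked")
    # os.path.join drops every earlier component once it sees an absolute
    # path, so language="/flag" yields "/flag", not "/app/wordlists/flag".
    return os.path.join(WORDLIST_DIR, language)


def safe_path(language: str) -> str:
    """Hardened version: allow-list the name, then check that the resolved
    path still lives under the base directory."""
    if not language or not language.isalnum():
        raise ValueError("invalid language name")
    base = os.path.realpath(WORDLIST_DIR)
    candidate = os.path.realpath(os.path.join(base, language + ".txt"))
    # commonpath catches both an absolute "language" and a symlink escape.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes wordlist directory")
    return candidate


def probe(language: str) -> dict:
    """Return what each builder does with the same input, for comparison."""
    result = {}
    for name, builder in (("vulnerable", vulnerable_path), ("safe", safe_path)):
        try:
            result[name] = builder(language)
        except ValueError as exc:
            result[name] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for lang in ("english", "../flag", "/flag"):
        print(lang, "->", probe(lang))
```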
passwordless
Didn't have time to implement the email sending feature but that's ok, the site is 100% secure if nobody knows their password to sign in!
This challenge is about a quirk of the bcrypt algorithm.
In Python, for example:

```python
import bcrypt


def hash_password(password: str) -> bytes:
    """Hash a password with bcrypt."""
    # Generate a salt (the work factor defaults to 12 and is adjustable)
    salt = bcrypt.gensalt(rounds=12)
    # Generate the hash; bcrypt only ever uses the first 72 bytes of the input
    hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
    return hashed


print(hash_password("test"))
```
Node's implementation also truncates at 72 bytes:
https://www.npmjs.com/package/bcrypt?activeTab=code
Here we need req.body.email to be 72 characters long while nEmail is ≤ 64 characters.
Look at the implementation of normalizeEmail:
https://www.npmjs.com/package/normalize-email
It basically just strips the dots.
Construct the payload.
Register with this email:
Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3@gmail.com
Then log in with this email and password:
Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3r4y.Z3@gmail.com
Z3r4yZ3r4yZ3r4yZ3r4yZ3r4yZ3r4yZ3r4yZ3r4yZ3r4yZ3r4yZ3@gmail.com
pearl
I used perl to make my pearl shop. Soon, we will expand to selling Perler bead renditions of Perlin noise.
Perl's open can lead to RCE:
https://www.shlomifish.org/lecture/Perl/Newbies/lecture4/processes/opens.html
The argument to open is $fullpath, which is built by concatenation, and $path is user-controlled.
Multiple commands can be run by using %0a (a newline).
Payload:
/%0acat+/f*|