feat: added incognito 5.0

2024-04-17 07:39:15 +07:00 · 2024-04-17 07:39:15 +07:00 · 0dbb29af50
parent 04bb2b032b
commit 0dbb29af50
12 changed files with 122 additions and 1 deletions
--- a/game/README.md
+++ b/game/README.md
@ -0,0 +1,54 @@
+# Doodle game
+> How good are you in python?
+
+## About the Challenge
+We got a server to connect and also the source code. Here is the content of the website
+
+```python
+#!/usr/bin/python
+import time
+import unicodedata
+
+blacklist = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789[]{}<>/_'!"
+
+def isSafe(cmd):
+    for i in cmd:
+        if i in blacklist:
+            return(0)
+    return(1)
+
+def main():
+    cmd = input(">> ")
+    normalized_cmd = unicodedata.normalize('NFKD', cmd).encode('ASCII', 'ignore').decode()
+    if(isSafe(normalized_cmd)):
+        try:
+            if(eval(normalized_cmd) == 17592186044416):
+                print(open("flag").readline())
+            else:
+                print(eval(normalized_cmd))
+        except:
+            print("An exception occurred")
+
+    else:
+        print("Not allowed!")
+
+main()
+```
+
+So, this script takes user input, checks if it's safe by removing non-ASCII characters and those in a `blacklist` variable, then "eval"ing the input. If the evaluated result equals a `17592186044416` or 2^44, it will print the flag
+
+## How to Solve?
+Because the goal of this challenge is to achieve `17592186044416`, you can use this payload:
+
+```
+((()==())+(()==()))**((()==())+(()==()))**((()==())+(()==()))**((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))*((()==())+(()==()))
+```
+
+`() == ()` equals True. So, if there are `(() == ()) + (() == ())`, it means True + True equals 2, and then we can use the power operator (**) in python 44 times to achieve `17592186044416`
+
+
+![flag](images/flag.png)
+
+```
+ictf{L0nG_L1v3_7H3_B00L34N5}
+```
--- a/2024/Incognito
+++ b/2024/Incognito
--- a/Flow/README.md
+++ b/Flow/README.md
@ -0,0 +1,32 @@
+# Embed Flow
+> This guy wants you to guess his favorite programming language, but missed setting up the pattern correctly.
+
+## About the Challenge
+We got a website and this website is using Sinatara (Ruby). Here is the preview of the challenge
+
+![preview](images/preview.png)
+
+If we try to input `'` character, we'll get an error message like this:
+
+![testing-phase](images/testing-phase.png)
+
+## How to Solve?
+After seeing the regex pattern, I immediately knew this was similar to a HTB challenge called `Neonify` (https://blog.devops.dev/ssti-bypass-filter-0-9a-z-i-08a5b3b98def). So I used the same payload to read the flag :D
+
+```
+test
+<%= File.open('flag.txt').read %>
+test
+```
+
+And then encode it using urlencode and it will become
+
+```
+test%0A%3C%25=%20File.open('flag.txt').read%20%25%3E%0Atest
+```
+
+![flag](images/flag.png)
+
+```
+ictf{ruby_r3g3x_n3w_l1n3_4l3rt}
+```
--- a/Flow/images/flag.png
+++ b/Flow/images/flag.png
--- a/Flow/images/preview.png
+++ b/Flow/images/preview.png
--- a/Flow/images/testing-phase.png
+++ b/Flow/images/testing-phase.png
--- a/Tale/README.md
+++ b/Tale/README.md
@ -0,0 +1,26 @@
+# Fairy Tale
+> Type in your favorite hero and let Fairy Tale spin a unique story for you.
+
+## About the Challenge
+We got a server to connect without a source. Here is the preview of the challenge
+
+![preview](images/preview.png)
+
+If we try to input `'`, we'll get an error message like this:
+
+![testing-phase](images/testing-phase.png)
+
+It seems like our input is being passed into the `ast.literal_eval()` function
+
+## How to Solve?
+To solve this chall, im calling `breakpoint()` function and then call `/bin/sh` by importing `os` package
+
+```
+' + breakpoint() + '
+```
+
+![flag](images/flag.png)
+
+```
+ictf{b3_C4r3full_1n_3rr0r5}
+```
--- a/Tale/images/flag.png
+++ b/Tale/images/flag.png
--- a/Tale/images/preview.png
+++ b/Tale/images/preview.png
--- a/Tale/images/testing-phase.png
+++ b/Tale/images/testing-phase.png
--- a/2024/Incognito
+++ b/2024/Incognito
@ -0,0 +1,8 @@
+# Incognito 5.0
+CTF writeup for The Incognito 5.0. I took part in this CTF competition with the Heroes Cyber Security team and secured the 1st place out of 275 teams
+
+| Category | Challenge |
+| --- | --- |
+| Web | [Embed Flow](/2024/Incognito%205.0/Embed%20Flow/)
+| Misc | [Doodle game](/2024/Incognito%205.0/Doodle%20game/)
+| Misc | [Fairy Tale](/2024/Incognito%205.0/Fairy%20Tale/)
--- a/README.md
+++ b/README.md
@ -11,7 +11,8 @@ There are __553__ CTF writeups that have been made in this repository

 | Event Name | Team | Ranking |
 | ---------- | ---- | ------- |
-| Wayne State University - CTF24 | 1 |
+| Incognito 5.0 | Heroes Cyber Security | 1 |
+| Wayne State University - CTF24 | Heroes Cyber Security | 1 |
 | KnightCTF 2024 | Heroes Cyber Security | 1 |
 | DeconstruCT.F 2023 | aseng_fans_club | 1 |
 | The Odyssey CTF | aseng_fans_club | 1 |