amon (j. heng)

amon (j. heng)

The Potatosploiter. Pirate of the Seven Proxseas.

CSCAMP CTF 2012 - Web200

less than 1 minute read

In this puzzle, you had to evaluate an equation encoded in base64 in an array structure consisting of values and operands hidden in a custom header. The objective is to return the results of the evaluation in a timely manner.

The exploit (solvew200.py):

import requests, base64, re

def main():
chalurl = "http://176.9.193.13/ASmallCalculationChal411A784Y.php"
chal_r = requests.get(chalurl)
cookie = chal_r.cookies['x0x']
eq = chal_r.headers['Eq']
print "Got page (cookies: %s)" % cookie

eq_l = base64.decodestring(eq)

r=re.compile("(d) => '?(.+?)'?,")
eq_d = dict((int(i), v) for i,v in r.findall(eq_l))
print "".join(eq_d.values())
toexec = "total=%s" % "".join(eq_d.values())
exec toexec in globals(), locals()

print "Total is %d." % total
cookies = dict(x0x=cookie)
payload = {'result': str(total)}
chal_p = requests.post(chalurl, data=payload, cookies=cookies)
print chal_p.text

if __name__ == "__main__":
    main()

TODO: Update with demonstration of script once tasks are online.

Leave a Comment

You May Also Enjoy

Cyberpeace 2022 - Crysys (Pwn)

5 minute read

Summary: A minimal binary with only the read libc function and containing a standard stack overflow can be exploited by leveraging a common add-what-where ga...

TetCTF 2022 - Newbie (Pwn)

6 minute read

Summary: An ELF binary contains functionality to generate a ‘hashed’ identifier from two bytes of memory at an offset specified by the user. This ‘hashed’ id...

TetCTF 2022 - EzFlag (Web/Pwn)

14 minute read

Summary: In this two part challenge, flawed filename logic allows an attacker to write arbitrary Python files that are executed as a CGI script. Once the att...