Hkcert20 on

HKCert CTF 2020 Writeup » Conversion Center 轉換中心

Wed, 30 Apr 2025 00:23:00 +0800

Web Exploitation 網站保安 / Conversion Center

Challenges - 468 Pts(Init: 500 Pts) - 5 Solved

Author 作者：VXRL

Description 描述:

The author is lazy. He just randomly copied a webservice called gotenberg and put a flag inside the container. Can you find the flag?

作者懶。他隨便複製了一個名為 gotenberg 的網絡服務，並在其容器內放置了一個旗子。你能找到旗子嗎？

http://secondary.pwnable.hk:50008/

Hint:

The flag is located in "/gotenberg/flag".

旗子位於 "/gotenberg/flag" 中。

Solve:

this Challenges is actually referenced to thecodingmachine/gotenberg:

You can see the official documentation at here

this Docker API do thing like converting HTML/MarkDown and Offic Documents to PDF by sening the file with POST request

it provides endpoint /convert/url, /convert/markdown, /convert/office but the one that got me is convert/url and convert/html

first of all, i tried to search critical vulnerability for gotenberg, since i saw this issue:

i though this might require you to execute ACE for a while( since no one solved it, it should (has to be very hard) , but this is going no where, after an while, i Decided to take a look about the documentation

and then i start sending some POST request just to see how gotenberg handle those request

after few attempt, i noticed that convert/url unable to leak the flags

My attempt URL:

http://secondary.pwnable.hk:50008/convert/url?multipart/form-data=localhost:50008/gotenberg/flag

But it return:

{
 "message": "Unsupported Media Type"
}

and then i tired to use html and notice that you can Run JavaScript From the html, then So that diden work out, after an few googling and view the Docs more precisely, i notice an query parameter that called remoteURL

but after few attempt, i gaved up, so i tired to use JavaScript to leak the flag

first of all, i tried to leak the current locateion of the gotenberg with this html:

<h1 id=demo>
 PWNED!
</h1>
<script>
 var loc = window.location.pathname;
 document.getElementById("demo").innerHTML = loc.substring(0, loc.lastIndexOf('/'))
</script>

it will cause it return an PDF with this set of data:

then I changed the code little, this time, I added an “iframe” to read(leak) the flag for us

<h1 id=demo>
 CTF is my life :D!
</h1>
<script>
 var loc = window.location.pathname;
 document.getElementById("demo").innerHTML = loc.substring(0, loc.lastIndexOf('/'))
</script>
<iframe src="/gotenberg/flag"></iframe>

There is the Flags!

Flags:

hkcert20{Did_u_reaD_the_freaking_manual }

HKCert CTF 2020 Writeup » Rickroll

Wed, 30 Apr 2025 00:21:00 +0800

Web Exploitation 網站保安 / Rickroll

Challenges - 498 Pts(Init: 500 Pts) - 2 Solved

Author 作者：blackb6a

Description 描述：

Victoria, a friend of Dr Ke, is trying to build a new website.
She is not familiar with it and didn't set any password protection yet. Can you find Victoria's secret?

維多利亞是奇異博士的朋友。她正在建設一個新的網站但未有設立密碼。你能找到維多利亞的秘密嗎？

In case of any discrepancy between the English version and the Chinese version, the English version shall prevail.

中文譯本僅供參考，文義如與英文有歧異，概以英文本為準。

http://secondary.pwnable.hk:50007

Hint:

Did you pay attention in Dr Ke class on 31st October?

提示： 你在十月三十一日有專心上奇異博士的課堂嗎？

Solve:

so we can see that http://secondary.pwnable.hk:50007/ redirect you to Rick Astley - Never Gonna Give You Up (Video)

then we goto /robots.txt, we could see that it Disallow the /b5HCLDptFQ6ZIZzw/flag.php. That the Flags!

User-agent: *
Disallow: /b5HCLDptFQ6ZIZzw/
Disallow: /b5HCLDptFQ6ZIZzw/flag.php

so we go [/5HCLDptFQ6ZIZzw/flag.php] and we can see this:

but since we have no idea the password and username, so i tired many common password like admin, root, pass, user, victoria or something like that, but it return 500 Internal Server Error

at the first time, i though the server overloaded or something, but i saw this message

so i decided to connect by using cURL with different http request Method

i tired POST, GET, PUT, PATCH, DELETE, then it got me thinking, what if i tired to use some Method that not commonly used?

and then i typed:

curl -X COPY http://secondary.pwnable.hk:50007/b5HCLDptFQ6ZIZzw/flag.php

and then.. i got the Flag!

Congraulations! You get the flag.<br>hkcert{misc0nfiguration_0f_htacc3ss_is_fata1}
<script>
setTimeout(function () {
window.location.href= 'https://www.youtube.com/watch?v=gkTb9GP9lVI&ab_channel=JwHDify';
}, 5000);
</script>

Flags:

hkcert{misc0nfiguration_0f_htacc3ss_is_fata1}

HKCert CTF 2020 Writeup

Wed, 30 Apr 2025 00:02:00 +0800

Warning

This writeup is originally hosted on github, and is now archived here instead.

HKCERT CTF 2020 was my first CTF competition, and i was fortunate enough to won a prize in this competition.

information

Type: On-line, Jeopardy

A HKCERT CTF event.
Official URL: https://www.hkcert.org/my_url/en/event/20110801
Event organizers: HKCERT
CTFTime.org event URL: here
Date: 6 November 2020, 6:00PM to 8 November 2020, 6:00PM (HKT)

Writeup

Conversion Center 轉換中心

作者懶。他隨便複製了一個名為 gotenberg 的網絡服務，並在其容器內放置了一個旗子。你能找到旗子嗎？

More…

Rickroll

維多利亞是奇異博士的朋友。她正在建設一個新的網站但未有設立密碼。你能找到維多利亞的秘密嗎？

More…