Add source code for SECCON CTF 2022 Finals

Author: arkark

README.md

@@ -45,11 +45,11 @@ Sat, 11 Feb. 2023, 01:00 UTC — Sun, 12 Feb. 2023, 09:00 UTC
 
 |Challenge|Category|Solved / 10<br>(International)|Solved / 12<br>(Domestic)|Difficulty|Writeup|Keywords|
 |:-:|:-:|:-:|:-:|:-:|:-:|:-:|
-|[babybox](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/babybox)|web|6|4|★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-100-babybox)|prototype pollution|
-|[easylfi2](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/easylfi2)|web|10|8|★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-200-easylfi2)|LFI, curl|
-|[MaaS](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/maas)|web|3|1|★★★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-300-MaaS)|newline normalization, CSP bypass|
-|[light-note](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/light-note)|web|0|0|★★★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-300-light-note)|DOM clobbering, Sanitizer API|
-|[dark-note](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/dark-note)|web|0|0|★★★★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-500-dark-note)|time-based oracle|
+|[babybox](challenges/202302_SECCON_CTF_2022_Finals/web/babybox)|web|6|4|★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-100-babybox)|prototype pollution|
+|[easylfi2](challenges/202302_SECCON_CTF_2022_Finals/web/easylfi2)|web|10|8|★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-200-easylfi2)|LFI, curl|
+|[MaaS](challenges/202302_SECCON_CTF_2022_Finals/web/maas)|web|3|1|★★★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-300-MaaS)|newline normalization, CSP bypass|
+|[light-note](challenges/202302_SECCON_CTF_2022_Finals/web/light-note)|web|0|0|★★★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-300-light-note)|DOM clobbering, Sanitizer API|
+|[dark-note](challenges/202302_SECCON_CTF_2022_Finals/web/dark-note)|web|0|0|★★★★|[link](https://blog.arkark.dev/2023/02/17/seccon-finals/#web-500-dark-note)|time-based oracle|
 
 ## SECCON CTF 2022 Quals
 

challenges/202302_SECCON_CTF_2022_Finals/data.ts

@@ -32,7 +32,7 @@ const ctf: Ctf = {
   ],
   challenges: [
     [
-      "[babybox](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/babybox)",
+      "[babybox](challenges/202302_SECCON_CTF_2022_Finals/web/babybox)",
       "web",
       "6",
       "4",
@@ -41,7 +41,7 @@ const ctf: Ctf = {
       "prototype pollution",
     ],
     [
-      "[easylfi2](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/easylfi2)",
+      "[easylfi2](challenges/202302_SECCON_CTF_2022_Finals/web/easylfi2)",
       "web",
       "10",
       "8",
@@ -50,7 +50,7 @@ const ctf: Ctf = {
       "LFI, curl",
     ],
     [
-      "[MaaS](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/maas)",
+      "[MaaS](challenges/202302_SECCON_CTF_2022_Finals/web/maas)",
       "web",
       "3",
       "1",
@@ -59,7 +59,7 @@ const ctf: Ctf = {
       "newline normalization, CSP bypass",
     ],
     [
-      "[light-note](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/light-note)",
+      "[light-note](challenges/202302_SECCON_CTF_2022_Finals/web/light-note)",
       "web",
       "0",
       "0",
@@ -68,7 +68,7 @@ const ctf: Ctf = {
       "DOM clobbering, Sanitizer API",
     ],
     [
-      "[dark-note](https://github.com/SECCON/SECCON2022_final_CTF/tree/main/jeopardy/web/dark-note)",
+      "[dark-note](challenges/202302_SECCON_CTF_2022_Finals/web/dark-note)",
       "web",
       "0",
       "0",

challenges/202302_SECCON_CTF_2022_Finals/web/babybox/README.md

@@ -0,0 +1,34 @@
+# [web] babybox
+
+## Description
+
+Can you hack this sandbox?
+
+- `http://babybox.seccon.games:3000`
+
+[babybox](files/babybox)
+
+## Usage
+
+Launch a challenge server:
+
+```
+cd build
+docker compose up
+```
+
+Run the author's solver:
+
+```
+docker run -it \
+    -e SECCON_HOST=localhost \
+    -e SECCON_PORT=3000 \
+    --network=host \
+    (docker build -q ./solver)
+```
+
+## Flag
+
+```
+SECCON{pr0totyp3_po11ution_iS_my_friend}
+```

challenges/202302_SECCON_CTF_2022_Finals/web/babybox/build/docker-compose.yml

@@ -0,0 +1,9 @@
+version: "3"
+services:
+  web:
+    build: ./web
+    restart: always
+    ports:
+      - "3000:3000"
+    environment:
+      - PORT=3000

challenges/202302_SECCON_CTF_2022_Finals/web/babybox/build/web/Dockerfile

@@ -0,0 +1,12 @@
+FROM node:19.6.0-slim
+ENV NODE_ENV=production
+WORKDIR /app
+
+COPY ["package.json", "package-lock.json", "./"]
+RUN npm install --omit=dev
+COPY . .
+RUN mv flag.txt /flag-$(md5sum flag.txt | cut -c-32).txt
+
+USER 404:404
+
+CMD ["node", "index.js"]

challenges/202302_SECCON_CTF_2022_Finals/web/babybox/build/web/calc.js

@@ -0,0 +1,4 @@
+const { Parser } = require("expr-eval");
+
+const expr = process.argv[2].trim();
+console.log(new Parser().evaluate(expr));

challenges/202302_SECCON_CTF_2022_Finals/web/babybox/build/web/flag.txt

@@ -0,0 +1 @@
+SECCON{pr0totyp3_po11ution_iS_my_friend}

challenges/202302_SECCON_CTF_2022_Finals/web/babybox/build/web/index.html

@@ -0,0 +1,41 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="UTF-8">
+  <link rel="stylesheet" href="https://unpkg.com/simpledotcss/simple.min.css">
+  <title>Math Calculator</title>
+</head>
+<body>
+  <h1>Math Calculator</h1>
+  <p>Expression:</p>
+  <input type="text" id="expr" placeholder="1 + 2 + 3"></input>
+  <button id="calc" type="button">Evaluate</button>
+  <article>
+    <p>Result:</p>
+    <p id="result" style="text-align: center; font-size: 3rem;"></p>
+  </article>
+  <script>
+    document.getElementById("calc").addEventListener("click", async () => {
+      const expr = document.getElementById("expr").value.trim();
+      if (!expr) return;
+      try {
+        const res = await fetch("/calc", {
+          method: "POST",
+          headers: {
+            'Content-Type': 'application/json'
+          },
+          body: JSON.stringify({ expr }),
+        });
+        const text = await res.text();
+        if (res.status !== 200) {
+          alert(text);
+        } else {
+          document.getElementById("result").textContent = text;
+        }
+      } catch (err) {
+        alert(err);
+      }
+    });
+  </script>
+</body>
+</html>

challenges/202302_SECCON_CTF_2022_Finals/web/babybox/build/web/index.js

@@ -0,0 +1,24 @@
+const fastify = require("fastify")();
+const fs = require("node:fs").promises;
+const execFile = require("util").promisify(require("child_process").execFile);
+
+const PORT = process.env.PORT ?? "3000";
+
+fastify.get("/", async (req, reply) => {
+  const html = await fs.readFile("index.html");
+  return reply.type("text/html; charset=utf-8").send(html);
+});
+
+fastify.post("/calc", async (req, reply) => {
+  const { expr } = req.body;
+  try {
+    const result = await execFile("node", ["./calc.js", expr.toString()], {
+      timeout: 1000,
+    });
+    return result.stdout;
+  } catch (err) {
+    return reply.code(500).send(err.killed ? "Timeout" : err);
+  }
+});
+
+fastify.listen({ port: PORT, host: "0.0.0.0" });