This repository was archived by the owner on Jun 7, 2025. It is now read-only.

Commit f9e4fb8

sapling2023: add writeups and links
1 parent ecf8def commit f9e4fb8

1 file changed

+27
-2
lines changed

sapling2023/README.md

Lines changed: 27 additions & 2 deletions
@@ -1,5 +1,30 @@
11
# SaplingCTF 2023
22

3-
I will be an author for this years SaplingCTF!
3+
I was a challenge author for SaplingCTF 2023!
44

5-
Will publish my challenges source after it ends.
5+
My challenges and their solutions can be found at the following links:
6+
7+
* [Pager](https://github.com/ubcctf/sapling-ctf-2023-public/tree/main/web/pager)
8+
* [BeeHive](https://github.com/ubcctf/sapling-ctf-2023-public/tree/main/web/beehive)
9+
10+
I also tested and wrote solve scripts for some of my teammates challenges.
11+
12+
* [El-pajaro](https://github.com/ubcctf/sapling-ctf-2023-public/blob/main/web/el-pajaro/solve/solve.py)
13+
* [El-zorro](https://github.com/ubcctf/sapling-ctf-2023-public/blob/main/web/el-zorro/solve/solve.py)
14+
* [La-culebra](https://github.com/ubcctf/sapling-ctf-2023-public/blob/main/web/la-culebra/solve/solve.py)
15+
16+
## BeeHive (easy)
17+
18+
This challenge was modeled after an exploit I found worked on my high schools routers. Unfortunately, after responsibility disclosing it to my school boards IT they were very displeased with 14 year old me. Regardless, I thought it made a good beginner challenge.
19+
20+
The challenge consists of a login page in which your login attempts are logged to a file in the same directory. Each login attempts includes the username and whether the login succeeded. The PHP code also uses the `include` directive to direct whether a user is to be on the login page or has logged in and can access the dashboard.
21+
22+
To get the flag, you must log in with a username that contains a php payload such as `<?php system('cat /flag')>` and then pass the log into the include directive like `index.php?file=login.log`. Your PHP payload will then be executed printing the flag!
23+
24+
## Pager (medium)
25+
26+
I wanted to experiment with request smuggling so I went digging for a request smuggling exploit. I found CVE-2019-20372, a request smuggling exploit in NGINX and decided to model a challenge around that.
27+
28+
The details of CVE-2019-20372 are well described [here](https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf) but in the case of this specific challenge it allows users to bypass the vhost restriction and access the backend vhost that evaluates a POST parameter.
29+
30+
More detail on this challenge can be found in it's [README](https://github.com/ubcctf/sapling-ctf-2023-public/blob/main/web/pager/README.md).
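
Review bot: The inline PHP snippet on added line 22 (`<?php system('cat /flag')>`) ends with `>` rather than the closing tag `?>`, so it is not valid PHP as written; correct the tag so the writeup matches the behaviour it describes. The new prose also has several typos worth fixing before merge: "responsibility disclosing" should be "responsibly disclosing" (line 18), "Each login attempts includes" should be "Each login attempt includes" (line 20), "it's [README]" should be "its [README]" (line 30), and the possessives in "teammates challenges", "high schools routers" and "school boards IT" are missing apostrophes. Because BeeHive is pitched as a beginner challenge, consider adding one sentence that names the root cause visible in the description (a request-supplied `file` value reaching `include`, combined with a log in the same directory that records the submitted username), so readers come away with the fix as well as the solve.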
