
ductf22.md

### slash flag
eyy first flag in a month or so after the def con + maplectf organizing drain
only organizers can use the discord bot, but after reading the [repo](https://github.com/solopie/storage-bot) linked in the about me, it turns out we can just invite the bot (using the universal invite link + bot id) and name our own role as organizers to bypass the check
the gist is they are doing bash operations, but in all uppercase
but it turns out create has unsanitized input for file name (`echo '${text}' > ${filename}`), and with that we can chain multiple commands
`${VAR,,}` in bash expands to the variable's value in lower case, so this means we can finally run commands (since bash commands are case sensitive)
so we can just run `TEST; A='EVAL ECHO $(CAT /FLAG/FLAG.TXT)'; ${A,,} > STHDIFF` then verify with /list and we can see sthdiff is created
read it with /open and we get the flag `DUCTF{/flag_didn't_work_for_me...}`
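
The fix for the unsanitized `create` file name described above, as an added example that is not code from the storage-bot repo. It assumes a Node.js bot; `STORAGE_DIR`, `safeName` and `createFile` are hypothetical names.

```javascript
// Added example, not the bot's own code. All names below are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Constructed storage root so the example runs offline.
const STORAGE_DIR = fs.mkdtempSync(path.join(os.tmpdir(), "storage-"));

// Allow-list: starts alphanumeric, then letters, digits, '.', '_' or '-'.
// Spaces, quotes, ';', '$', '/', '>' and every other shell or path
// metacharacter fail the match.
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// The file name string from this writeup, used as a rejected sample input.
const PAGE_PAYLOAD =
  "TEST; A='EVAL ECHO $(CAT /FLAG/FLAG.TXT)'; ${A,,} > STHDIFF";

// Returns the upper-cased name when it passes the allow-list, else null.
function safeName(filename) {
  if (typeof filename !== "string" || !NAME_RE.test(filename)) return null;
  return filename.toUpperCase();
}

// Writes the text through the fs API, so no shell ever parses user input
// (the vulnerable form interpolated both values into an echo command line).
function createFile(filename, text) {
  const name = safeName(filename);
  if (name === null) return { ok: false, reason: "invalid filename" };
  const target = path.resolve(STORAGE_DIR, name);
  // Defence in depth: the resolved path must sit directly in STORAGE_DIR.
  if (path.dirname(target) !== path.resolve(STORAGE_DIR)) {
    return { ok: false, reason: "path escapes storage dir" };
  }
  fs.writeFileSync(target, String(text).toUpperCase());
  return { ok: true, path: target };
}

console.log(createFile(PAGE_PAYLOAD, "x"));       // rejected
console.log(createFile("notes.txt", "hello").ok); // accepted
```

Upper-casing alone is not a control here: the allow-list plus writing without a shell is what removes the injection point.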
