### slash flag

eyy first flag in a month or so after the defcon + maplectf organizing drain

only organizers can use the discord bot, but turns out we can just invite (using universal invite link + bot id) and name our own role as organizers to bypass it

after reading the [repo](https://github.com/solopie/storage-bot) in about me

the gist is they are doing bash operations, but in all uppercase

but it turns out create has unsanitized input for file name (`echo '${text}' > ${filename}`), and with that we can chain multiple commands

`${VAR,,}` in bash allows turning into lower case

so this means we can finally run commands (since bash commands are case sensitive)

so we can just run `TEST; A='EVAL ECHO $(CAT /FLAG/FLAG.TXT)'; ${A,,} > STHDIFF`

then verify with /list and we can see sthdiff is created

read it with /open and we get the flag `DUCTF{/flag_didn't_work_for_me...}`