
kdxcxs

Full-stack developer, cybersecurity researcher, CTFer @r3kapig

KalmarCTF 2023 Healthy Calc wp

Healthy Calc chall overview

Dockerfile:

```dockerfile
COPY flag /flag
COPY readflag.c /readflag.c
RUN gcc /readflag.c -o /readflag
RUN chown root:root /flag && chmod 400 /flag
RUN chown root:root /readflag && chmod 4755 /readflag
```

From the Dockerfile it is clear the goal is RCE: the flag is root-owned and mode 400, so it can only be read through the setuid `/readflag` binary. Let's have a look at chall.py:

```python
OPERATION_SYMBOLS = {"add": "+", "sub": "-", "mult": "*"}
OPERATIONS = {
    "add": lambda lhs, rhs: cache_lookup(_add, lhs, rhs),
    "sub": lambda lhs, rhs: cache_lookup(_sub, lhs, rhs),
    "mult": lambda lhs, rhs: cache_lookup(_mult, lhs, rhs),
}

application = Flask(__name__)
bp = Blueprint("routes", __name__)
celery = Celery(__name__)

@bp.
```

LA CTF 2023 wp

web / metaverse

Core code:

```js
const flag = process.env.FLAG;

accounts.set("admin", {
  password: adminpw,
  displayName: flag,
  posts: [],
  friends: [],
});

app.get("/post/:id", (req, res) => {
  if (posts.has(req.params.id)) {
    res.type("text/html").send(postTemplate.replace("$CONTENT", () => posts.get(req.params.id)));
  } else {
    res.status(400).type("text/html").send(postTemplate.replace("$CONTENT", "post not found :("));
  }
});

app.post("/friend", needsAuth, (req, res) => {
  res.type("text/plain");
  const username = req.body.username.trim();
  if (!accounts.has(username)) {
    res.status(400).send("Metauser doesn't metaexist");
  } else {
    const user = accounts.get(username);
    if (user.friends.includes(res.locals.user)) {
      res.status(400).send("Already metafriended");
    } else {
      user.
```

idekctf 2022* task manager wp

This challenge is essentially a Python version of prototype pollution, with some pyjail ideas mixed in; overall it is a really interesting one. Note in the source below that `eval` only becomes a template global when `app.env` equals `'yolo'`, and that `render_page` renders any existing file under `templates/` as a Jinja template. Let's have a look at the source:

app.py

```python
from flask import Flask, render_template, request, redirect
from taskmanager import TaskManager
import os

app = Flask(__name__)

@app.before_first_request
def init():
    if app.env == 'yolo':
        app.add_template_global(eval)

@app.route("/<path:path>")
def render_page(path):
    if not os.path.exists("templates/" + path):
        return "not found", 404
    return render_template(path)

@app.
```
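To make the "Python prototype pollution" comparison concrete, here is an added illustration of the general pattern (attribute pollution through a recursive merge); it is not code from the challenge or from the write-up, and how the real TaskManager is abused is in the full post. `Config`, `Task`, the two merge functions and the payload are hypothetical stand-ins; the only connection to the excerpt is that the target is an `env` attribute on a module-level config object, like the `app.env` check above.

```python
"""Python attribute pollution: a recursive merge that follows attributes.

Added illustration; none of this is code from the challenge or the write-up.
Config, Task, the merge functions and the payload are hypothetical stand-ins
that show the general pattern the post compares to prototype pollution: a
"deep merge" of user JSON onto an object that, by walking dunder attributes,
reaches objects the caller never handed it.
"""


class Config:
    """Hypothetical application config; compare Flask's app.env check above."""

    def __init__(self):
        self.env = "production"


CONFIG = Config()  # module-level object the attacker wants to flip


class Task:
    """Hypothetical user-owned record that a JSON body is merged onto."""

    def __init__(self, title="untitled"):
        self.title = title
        self.done = False


def merge_unsafe(src, dst):
    """Deep-merge parsed JSON `src` onto `dst` (the vulnerable pattern).

    Any key is accepted and dict values are recursed into via getattr, so the
    chain __init__ -> __globals__ reaches this module's namespace, and from
    there the attributes of any global object.
    """
    for key, value in src.items():
        if isinstance(dst, dict):
            if isinstance(value, dict) and dst.get(key) is not None:
                merge_unsafe(value, dst[key])
            else:
                dst[key] = value
        elif isinstance(value, dict) and hasattr(dst, key):
            merge_unsafe(value, getattr(dst, key))
        else:
            setattr(dst, key, value)


ALLOWED_FIELDS = frozenset({"title", "done"})


def merge_safe(src, dst):
    """Same job, hardened: explicit allowlist, no dunders, no recursion
    through attributes, scalar values only."""
    for key, value in src.items():
        if key.startswith("_") or key not in ALLOWED_FIELDS:
            raise ValueError(f"refusing to set {key!r}")
        if isinstance(value, (dict, list)):
            raise ValueError(f"{key!r} must be a scalar")
        setattr(dst, key, value)


# Constructed malicious body: shaped like a task update, but aimed at CONFIG.env.
POLLUTION_PAYLOAD = {"__init__": {"__globals__": {"CONFIG": {"env": "yolo"}}}}


def demo_unsafe():
    """Return CONFIG.env after merging the payload with merge_unsafe ('yolo')."""
    CONFIG.env = "production"
    merge_unsafe(POLLUTION_PAYLOAD, Task())
    result = CONFIG.env
    CONFIG.env = "production"  # undo the pollution for later callers
    return result


def demo_safe():
    """Return (rejected, CONFIG.env) after trying the payload with merge_safe."""
    CONFIG.env = "production"
    try:
        merge_safe(POLLUTION_PAYLOAD, Task())
        rejected = False
    except ValueError:
        rejected = True
    return rejected, CONFIG.env


def demo_benign():
    """merge_safe still handles a legitimate update."""
    task = Task()
    merge_safe({"title": "rotate keys", "done": True}, task)
    return task.title, task.done


if __name__ == "__main__":
    print("unsafe merge  ->", demo_unsafe())
    print("safe merge    ->", demo_safe())
    print("benign update ->", demo_benign())
```

The unsafe merge never touches `CONFIG` by name; it gets there because a bound method exposes `__globals__`, which is the same "walk the object graph from whatever you were given" idea that makes JavaScript's `__proto__` dangerous. The hardened version refuses unknown and underscore-prefixed keys and never recurses through attributes, which closes the chain regardless of which gadget the payload tries.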

idekctf 2022* PHPFu...n wp

For this challenge we must get RCE using only the characters `([.^])',`, and in PHP 8. On top of that, no warning may be raised, which rules out tricks like `[].''` (array-to-string conversion emits a warning in PHP 8). So the first thing to do is figure out how many characters we can produce and, from those, how many functions we can call:

```python
In [206]: mapping = {}
     ...: for a, b in combinations('[(,.^)]', 2):
     ...:     x = chr(ord(a) ^ ord(b))
     ...:     if x in mapping: .
```
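The enumeration the snippet above starts, carried through as an added example (my code, not the write-up's): it computes every character reachable by XOR-ing two or three of the allowed characters, then assembles a PHP expression that evaluates to a given word. `ALLOWED` is the set from the excerpt with the quote left out because it delimits the strings; the helper names and the three-operand limit are my choices. It relies only on PHP's string `^` being byte-wise XOR, and says nothing about which function names are actually callable, which is what the original post establishes next.

```python
"""Which bytes can a PHP string XOR reach from a tiny charset?

Added example, not code from the original write-up. ALLOWED comes from the
excerpt (the single quote is excluded because it delimits the strings); the
helper names and MAX_OPERANDS are my assumptions.
"""
from functools import reduce
from itertools import combinations
import string

ALLOWED = "[(,.^)]"
MAX_OPERANDS = 3


def xor_chars(chars):
    """PHP evaluates 'a'^'b'^'c' byte-wise; return the resulting character."""
    return chr(reduce(lambda acc, ch: acc ^ ord(ch), chars, 0))


def xor_table(operands, chars=ALLOWED):
    """Map each character reachable by XOR-ing `operands` distinct allowed
    characters to the first recipe (tuple of operands) that produces it.
    With operands=1 the table is just the allowed characters themselves."""
    table = {}
    for combo in combinations(chars, operands):
        table.setdefault(xor_chars(combo), combo)
    return table


def reachable_letters(operands):
    """Letters and underscore reachable with exactly `operands` operands."""
    return "".join(sorted(c for c in xor_table(operands)
                          if c in string.ascii_letters + "_"))


def spell(word):
    """Per-character recipes for `word`, using the fewest operands possible."""
    recipes = []
    for ch in word:
        for n in range(1, MAX_OPERANDS + 1):
            table = xor_table(n)
            if ch in table:
                recipes.append(table[ch])
                break
        else:
            raise ValueError(f"{ch!r} is not reachable with <= {MAX_OPERANDS} operands")
    return recipes


def to_php(word):
    """Build a PHP expression that evaluates to `word`.

    Consecutive characters needing the same operand count become parallel
    strings XORed column-wise ('.[)'^'^(]' gives 'pst'); runs with different
    counts are concatenated with '.', which is itself an allowed character.
    """
    segments, run = [], []
    for recipe in spell(word):
        if run and len(recipe) != len(run[0]):
            segments.append(run)
            run = []
        run.append(recipe)
    segments.append(run)

    parts = []
    for run in segments:
        width = len(run[0])
        columns = ["".join(r[i] for r in run) for i in range(width)]
        parts.append("^".join(f"'{col}'" for col in columns))
    if len(parts) == 1:
        return parts[0]
    return ".".join(f"({p})" for p in parts)


if __name__ == "__main__":
    for n in (2, 3):
        print(f"{n} operands:", reachable_letters(n) or "(no letters)")
    for word in ("pst", "s_"):
        print(f"{word!r} -> {to_php(word)}")
```

One XOR of two allowed characters yields only the lowercase letters `p` through `w` (everything else lands in the control range 0x01 to 0x07); a third operand moves the result into 0x20 to 0x2F and 0x50 to 0x5F, which is where `_` and the uppercase `P` to `Z` come from. That small alphabet is exactly why the post's next question is which functions can be named with it.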