miscProhard

EvilBabyKalmarCTF

kalmarctf

Task: CTFd with scraper bot running ctfd-download from /tmp. Solution: Chain CTFd RCE to serve malicious Python via Jinja2 template override, exploit markdown image path traversal to write tqdm.py to /tmp, hijack Python import to exfiltrate flag via notifications API.

$ ls tags/ techniques/

path_traversal ctfd python_module_hijacking scraper ctfd_download markdown_image sys_path tqdm jinja2_template_override api_token_exfil

markdown_image_path_traversalctfd_zip_import_path_traversalpython_pth_rcejinja2_template_overridepython_sys_path_hijackingapi_token_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]RootBabyKalmarCTF— kalmarctf
[web][free]Trust Issues— tjctf
[web][Pro]Zip slip— web-kids20
[forensics][Pro]Evil Matryoshka— taipanbyte
[web][free]chained— tjctf