finally add corCTF2022 challenges

Author: strellic

README.md

@@ -54,4 +54,16 @@ This was a CTF I wrote challenges for, hosted by Intigriti. I forgot to record s
 
 | Name                                                | Category      | Solves | Difficulty | Keywords                                                     |
 | --------------------------------------------------- | --------- | ---------- | ---------- | ------------------------------------------------------------ |
-| [payment-pal](DiceCTF-at-HOPE-2022/payment-pal) | web | 3 | ★★★☆☆ | prototype pollution, caching, xss, history, aes |
+| [payment-pal](DiceCTF-at-HOPE-2022/payment-pal) | web | 3 | ★★★☆☆ | prototype pollution, caching, xss, history, aes |
+
+## corCTF 2022
+
+| Name                                                | Category      | Solves | Difficulty | Keywords                                                     |
+| --------------------------------------------------- | --------- | ---------- | ---------- | ------------------------------------------------------------ |
+| [jsonquiz](corCTF-2022/web/jsonquiz) | web | 573 | ★☆☆☆☆ | baby, POST request |
+| [simplewaf](corCTF-2022/web/simplewaf) | web | 28 | ★★☆☆☆ | WAF bypass, NodeJS source reading |
+| [rustshop](corCTF-2022/web/simplewaf) | web | 13 | ★★★☆☆ | Rust, Axum library, deserialization |
+| [modernblog](corCTF-2022/web/modernblog) | web | 1 | ★★★★★ | React, CSS injection, novel DOM clobbering |
+| [babypwn](corCTF-2022/pwn/babypwn) | pwn | 114 | ★☆☆☆☆ | Rust, unsafe, printf, ret2libc |
+| [solidarity](corCTF-2022/pwn/solidarity) | pwn | 6 | ★★☆☆☆ | baby solana, account confusion, missing checks |
+| [sbxcalc](corCTF-2022/pwn/solidarity) | pwn | 11 | ★★★☆☆ | vm2, js calculator, proxy, golf |

corCTF-2022/misc/sbxcalc/README.md

@@ -0,0 +1,9 @@
+Solves: 11
+
+Author: strellic
+
+Description:
+
+Yet another sandboxed JavaScript calculator... have fun :)
+
+Flag: `corctf{d0nt_you_just_l0ve_j4vascript?}`

corCTF-2022/misc/sbxcalc/task/Dockerfile

@@ -0,0 +1,7 @@
+FROM node:18.1.0-bullseye-slim
+WORKDIR /app
+COPY package.json ./
+COPY views ./views
+RUN npm i
+COPY app.js .
+CMD ["node", "app.js"]

corCTF-2022/misc/sbxcalc/task/app.js

@@ -0,0 +1,60 @@
+const express = require("express");
+const vm2 = require("vm2");
+
+const PORT = process.env.PORT || "4000";
+
+const app = express();
+
+app.set("view engine", "hbs");
+
+// i guess you can have some Math functions...
+let sandbox = Object.create(null);
+["E", "PI", "sin", "cos", "tan", "log", "pow", "sqrt"].forEach(v => sandbox[v] = Math[v]);
+
+// oh, and the flag too i guess...
+sandbox.flag = new Proxy({ FLAG: process.env.FLAG || "corctf{test_flag}" }, {
+    get: () => "nope" // :')
+});
+
+// no modifying the sandbox, please
+sandbox = Object.freeze(sandbox);
+
+app.get("/", (req, res) => {
+    let output = "";
+    let calc = req.query.calc;
+
+    if (calc) {
+        calc = `${calc}`;
+
+        if(calc.length > 75) {
+            output = "Error: calculation too long";
+        }
+
+        let whitelist = /^([\w+\-*/() ]|([0-9]+[.])+[0-9]+)+$/; // this is a calculator sir
+        if(!whitelist.test(calc)) {
+            output = "Error: bad characters in calculation";
+        }
+
+        if(!output) {
+            try {
+                const vm = new vm2.VM({
+                    timeout: 100,
+                    eval: false,
+                    sandbox,
+                });
+                output = `${vm.run(calc)}`;
+                if (output.includes("corctf")) {
+                    output = "Error: no.";
+                }
+            }
+            catch (e) {
+                console.log(e);
+                output = "Error: error occurred";
+            }
+        }
+    }
+
+    res.render("index", { output, calc });
+});
+
+app.listen(PORT, () => console.log(`sbxcalc listening on ${PORT}`));

corCTF-2022/misc/sbxcalc/task/package.json

@@ -0,0 +1,16 @@
+{
+  "name": "sbxcalc",
+  "version": "1.0.0",
+  "description": "",
+  "main": "app.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "strellic",
+  "license": "ISC",
+  "dependencies": {
+    "express": "^4.18.1",
+    "hbs": "^4.2.0",
+    "vm2": "^3.9.10"
+  }
+}

corCTF-2022/misc/sbxcalc/task/views/index.hbs

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <title>sbxcalc</title>
+        <link rel="stylesheet" href="https://unpkg.com/[email protected]/build/pure-min.css" integrity="sha384-Uu6IeWbM+gzNVXJcM9XV3SohHtmWE+3VGi496jvgX1jyvDTXfdK+rfZc8C1Aehk5" crossorigin="anonymous">
+    </head>
+    <body>
+        <div style="margin: 4rem">
+            <h1>sbxcalc</h1>
+
+            {{#if output}}
+            <h3>result: <output>{{output}}</output></h3>
+            {{/if}}
+
+            <form method="GET" class="pure-form">
+                <input type="text" name="calc" value="{{calc}}" placeholder="calculator" />
+                <input type="submit" class="pure-button pure-button-primary" />
+            </form>
+        </div>
+    </body>
+</html>

corCTF-2022/pwn/babypwn/README.md

@@ -0,0 +1,9 @@
+Solves: 114
+
+Author: strellic
+
+Description:
+
+Just another one of those typical intro babypwn challs... wait, why is this in Rust?
+
+Flag: `corctf{why_w4s_th4t_1n_rust???}`

corCTF-2022/pwn/babypwn/src/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "babypwn"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+libc = "0.2.126"
+libc-stdhandle = "0.1.0"

corCTF-2022/pwn/babypwn/src/src/main.rs

@@ -0,0 +1,41 @@
+use libc;
+use libc_stdhandle;
+
+fn main() {
+    unsafe {
+        libc::setvbuf(libc_stdhandle::stdout(), &mut 0, libc::_IONBF, 0);
+
+        libc::printf("Hello, world!\n\0".as_ptr() as *const libc::c_char);
+        libc::printf("What is your name?\n\0".as_ptr() as *const libc::c_char);
+
+        let text = [0 as libc::c_char; 64].as_mut_ptr();
+        libc::fgets(text, 64, libc_stdhandle::stdin());
+        libc::printf("Hi, \0".as_ptr() as *const libc::c_char);
+        libc::printf(text);
+
+        libc::printf("What's your favorite :msfrog: emote?\n\0".as_ptr() as *const libc::c_char);
+        libc::fgets(text, 128, libc_stdhandle::stdin());
+        
+        libc::printf(format!("{}\n\0", r#"
+          .......           ...----.
+        .-+++++++&&&+++--.--++++&&&&&&++.
+       +++++++++++++&&&&&&&&&&&&&&++-+++&+
+      +---+&&&&&&&@&+&&&&&&&&&&&++-+&&&+&+-
+     -+-+&&+-..--.-&++&&&&&&&&&++-+&&-. ....
+    -+--+&+       .&&+&&&&&&&&&+--+&+... ..
+   -++-.+&&&+----+&&-+&&&&&&&&&+--+&&&&&&+.
+ .+++++---+&&&&&&&+-+&&&&&&&&&&&+---++++--
+.++++++++---------+&&&&&&&&&&&&@&&++--+++&+
+-+++&&&&&&&++++&&&&&&&&+++&&&+-+&&&&&&&&&&+-
+.++&&++&&&&&&&&&&&&&&&&&++&&&&++&&&&&&&&+++-
+ -++&+&+++++&&&&&&&&&&&&&&&&&&&&&&&&+++++&&
+  -+&&&@&&&++++++++++&&&&&&&&&&&++++++&@@&
+   -+&&&@@@@@&&&+++++++++++++++++&&&@@@@+
+    .+&&&@@@@@@@@@@@&&&&&&&@@@@@@@@@@@&-
+      .+&&@@@@@@@@@@@@@@@@@@@@@@@@@@@+
+        .+&&&@@@@@@@@@@@@@@@@@@@@@&+.
+          .-&&&&@@@@@@@@@@@@@@@&&-
+             .-+&&&&&&&&&&&&&+-.
+                 ..--++++--."#).as_ptr() as *const libc::c_char);
+    }
+}

corCTF-2022/pwn/babypwn/task/Dockerfile

@@ -0,0 +1,4 @@
+FROM pwn.red/jail:0.3.0
+COPY --from=ubuntu:20.04 / /srv
+COPY babypwn /srv/app/run
+COPY flag.txt /srv/app

corCTF-2022/pwn/babypwn/task/babypwn

@@ -0,0 +1 @@
+corctf{why_w4s_th4t_1n_rust???}

corCTF-2022/pwn/babypwn/task/flag.txt

@@ -0,0 +1,9 @@
+Solves: 6
+
+Author: strellic
+
+Description:
+
+The Crusaders of Rust CTF team stands in solidarity... with otters?
+
+Flag: `corctf{solid4rity_for_the_ott3r_cause}`

corCTF-2022/pwn/babypwn/task/libc.so.6

@@ -0,0 +1,15 @@
+[package]
+name = "solidarity"
+version = "1.0.0"
+edition = "2021"
+
+[features]
+no-entrypoint = []
+
+[dependencies]
+borsh = "0.9.3"
+borsh-derive = "0.9.3"
+solana-program = "1.8.14"
+
+[lib]
+crate-type = ["cdylib", "lib"]

corCTF-2022/pwn/solidarity/README.md

@@ -0,0 +1,4 @@
+.PHONY: build
+build:
+	cargo build-bpf
+	cp ./target/deploy/solidarity.so ../challenge

corCTF-2022/pwn/solidarity/src/program/Cargo.toml

@@ -0,0 +1,14 @@
+#![cfg(not(feature = "no-entrypoint"))]
+
+use solana_program::{
+  account_info::AccountInfo, entrypoint, entrypoint::ProgramResult, pubkey::Pubkey,
+};
+
+entrypoint!(process_instruction);
+fn process_instruction(
+  program_id: &Pubkey,
+  accounts: &[AccountInfo],
+  instruction_data: &[u8],
+) -> ProgramResult {
+  crate::processor::process_instruction(program_id, accounts, instruction_data)
+}

corCTF-2022/pwn/solidarity/src/program/Makefile

@@ -0,0 +1,118 @@
+mod entrypoint;
+pub mod processor;
+
+use borsh::{
+  BorshDeserialize,
+  BorshSerialize,
+};
+
+use solana_program::{
+  instruction::{
+    AccountMeta,
+    Instruction,
+  },
+  pubkey::Pubkey,
+  system_program,
+
+};
+
+use std::mem::size_of;
+
+#[derive(BorshDeserialize, BorshSerialize)]
+pub enum SolInstruction {
+  Initialize,
+  Propose { proposal_id: u32 },
+  Vote { proposal_id: u32, amount: u32 },
+  Withdraw { amount: u64 }
+}
+
+#[repr(C)]
+#[derive(BorshSerialize, BorshDeserialize)]
+pub struct Config {
+  pub admin: Pubkey,
+  pub total_balance: u64
+}
+
+#[repr(C)]
+#[derive(BorshSerialize, BorshDeserialize)]
+pub struct Proposal {
+  pub creator: Pubkey, 
+  pub balance: u32,
+  pub proposal_id: u32
+}
+
+pub const CONFIG_SIZE: usize = size_of::<Config>();
+pub const PROPOSAL_SIZE: usize = size_of::<Proposal>();
+
+pub fn get_config(program: Pubkey) -> (Pubkey, u8) {
+  Pubkey::find_program_address(&["CONFIG".as_bytes()], &program)
+}
+pub fn get_vault(program: Pubkey) -> (Pubkey, u8) {
+  Pubkey::find_program_address(&["VAULT".as_bytes()], &program)
+}
+pub fn get_proposal(program: Pubkey, proposal_id: u32) -> (Pubkey, u8) {
+  Pubkey::find_program_address(&["PROPOSAL".as_bytes(), &proposal_id.to_be_bytes()], &program)
+}
+
+pub fn initialize(program: Pubkey, user: Pubkey) -> Instruction {
+  let (config, _) = get_config(program);
+  let (vault, _) = get_vault(program);
+  Instruction {
+    program_id: program,
+    accounts: vec![
+      AccountMeta::new(config, false),
+      AccountMeta::new(vault, false),
+      AccountMeta::new(user, true),
+      AccountMeta::new_readonly(system_program::id(), false),
+    ],
+    data: SolInstruction::Initialize.try_to_vec().unwrap(),
+  }
+}
+
+pub fn propose(program: Pubkey, user: Pubkey, creator: Pubkey, proposal_id: u32) -> Instruction {
+  let (config, _) = get_config(program);
+  let (proposal, _) = get_proposal(program, proposal_id);
+  Instruction {
+    program_id: program,
+    accounts: vec![
+      AccountMeta::new(config, false),
+      AccountMeta::new(user, true),
+      AccountMeta::new(creator, true),
+      AccountMeta::new(proposal, false),
+      AccountMeta::new_readonly(system_program::id(), false),
+    ],
+    data: SolInstruction::Propose{ proposal_id }.try_to_vec().unwrap(),
+  }
+}
+
+pub fn vote(program: Pubkey, user: Pubkey, proposal_id: u32, amount: u32) -> Instruction {
+  let (config, _) = get_config(program);
+  let (vault, _) = get_vault(program);
+  let (proposal, _) = get_proposal(program, proposal_id);
+  Instruction {
+    program_id: program,
+    accounts: vec![
+      AccountMeta::new(config, false),
+      AccountMeta::new(vault, false),
+      AccountMeta::new(user, true),
+      AccountMeta::new(proposal, false),
+      AccountMeta::new_readonly(system_program::id(), false),
+    ],
+    data: SolInstruction::Vote{ proposal_id, amount }.try_to_vec().unwrap(),
+  }
+}
+
+pub fn withdraw(program: Pubkey, user: Pubkey, amount: u64) -> Instruction {
+  let (config, _) = get_config(program);
+  let (vault, _) = get_vault(program);
+  Instruction {
+    program_id: program,
+    accounts: vec![
+      AccountMeta::new(config, false),
+      AccountMeta::new(vault, false),
+      AccountMeta::new(user, true),
+      AccountMeta::new_readonly(system_program::id(), false),
+    ],
+    data: SolInstruction::Withdraw{ amount }.try_to_vec().unwrap(),
+  }
+}