i love cat

about

ProfileName : 오승주 (as3617)Education :KAIST (Undergraduated) - 2023.02 ~Korea Digital Media High School (Graduated) - 2019.03 ~ 2022.02Team : Defenit / CodeRed / Super GuesserAwards20192019, Hacking Championship Junior Quals 1st2019, Cyberoc Quals 4rd2019, Hacking Championship Junior FInals 4th20202020, Cyberoc Quals 3rd2020, Cyberoc Finals 3rd2020, HackTM Finals 2nd (Team ROK YoungBloods)2021202..

aboutme · 2025. 9. 1. 09:52

Codegate 2024 quals - Cha's Wall writeup

go multipart parser와 php의 multipart parser의 서로 다른 구현을 악용하여 waf를 우회, 이후 CVE-2022-31628를 이용하여 dos를 발생시켜 웹쉘을 업로드하고RCE를 하면 되는 문제이다.if r.Method == "POST" { mr, err := r.MultipartReader() if err != nil { r.Body.Close() fmt.Println("Http request is corrupted.") return } else { var b bytes.Buffer w := multipart.NewWriter(&b) reuseBody ..

web hacking · 2025. 9. 1. 09:50

Codegate 2025 quals - Cha's point writeup

markdown을 이용한 ppt 제작 기능을 지원하는 서비스다.주어진 파일의 app.js에서 Global filter, routing을 확인할 수 있다.app.use((req, res, next) => { if (req.session.userid || req.path.startsWith("/auth/")) return next(); return res.redirect("/auth/login");});app.use((req, res, next) => { if (req.method === "POST") { for (const key in req.body) { if (req.body[key] && typeof req.body[key] !== "string") {..

web hacking · 2025. 9. 1. 09:47

Kaspersky{CTF} - Bubble: rerevenge, Peach Investor writeup

Bubble: ReRevengeVulnerabilityClient Side Path Traversale and t are controlled by Path parameters.As shown in the picture above, we can manipulate the api requested path using path traversal.Self XSSWhen writing a post, self-xss occurs in the preview function.ChainningAdmin bot works as follows.Registeradd post with flagvisit postwrite comment with post's author nameback to dashboard, and write ..

ctf writeup · 2025. 9. 1. 09:42

DiceCTF 2023 - unfinished

오랜만에 ctf 뛰었는데 재밌게 풀었다. const crypto = require("crypto"); const app = db.getSiblingDB('app'); app.users.insertOne({ user: crypto.randomBytes(8).toString("hex"), pass: crypto.randomBytes(64).toString("hex") }); const secret = db.getSiblingDB('secret'); secret.flag.insertOne({ flag: process.env.FLAG || "dice{test_flag}" }); nodejs로 구현된 웹서버인데 flag는 다른 컨테이너에서 돌아가고 있는 mongodb에 있다. app.post("/api/login..

ctf writeup · 2023. 2. 6. 17:07

Balsn CTF 2022 2linenodejs writeup

#!/usr/local/bin/nodeprocess.stdin.setEncoding('utf-8');process.stdin.on('readable', () => { try{ console.log('HTTP/1.1 200 OK\nContent-Type: text/html\nConnection: Close\n'); const json = process.stdin.read().match(/\?(.*?)\ /)?.[1]; console.log(json) obj = JSON.parse(json); console.log(`JSON: ${json}, Object:`, require('./index')(obj, {})); }catch(error){ require('./usage')..

ctf writeup · 2022. 9. 7. 00:23

2022 Fall GoN Open Qual CTF writeup

보호되어 있는 글입니다.

ctf writeup · 2022. 9. 1. 18:33

url parser confusing