
JustCTF 2020 Writeup & Reproduction Notes
Great experience, learned a lot.
This is what a high-quality competition looks like.
Really a nice game!
I'm too weak and only solved a few challenges qwq
MyLittlePwny (PWN, MISC) (EASY)
Forgotten name (MISC, WEB)(EASY)
Search jctf.pro on crt.sh.
D0cker (PWN, MISC)(MEDIUM)
First blood :)
Answer The Oracle's questions:
- CPU: `cat /proc/cpuinfo`
- Own container ID: `basename $(cat /proc/1/cpuset)`
- Secret file: Ctrl-Z (run `stty -echo raw; nc xxxx port` when starting nc, so the control character is sent raw)
- Real path: `mount`
- Other's ID: just start another instance
- The Oracle's ID: `ls -alc /sys/kernel/slab/sock_inode_cache/cgroup/ | grep -E -o '[0-9a-f]{64}'`
How I found it: `find / | grep -E '[0-9a-f]{64}'`, and `mount` says `cgroup` is a mount, so it may contain something from outside the container. Or just `find / | grep -E {your container id}`.
What follows are the ones I didn't solve qaq
↓ Unsolved :(
Remote Password Manager (FORE, MISC) (MEDIUM)
Dump mstsc.exe from the image to extract the screen;
but I failed running volatility imageinfo...
Go-fs (WEB)(MEDIUM)
GO-FS - intended solution was https://github.com/golang/go/issues/40940
GO-FS - unintended:
I haven't understood the intended solution :(
The unintended solution comes from a feature of net/http/server.go:
njs (WEB)(MEDIUM)
A 0-day?!
Right, a 0-day. I got [function Function] with:
but it's disabled by the njs engine for security.
So this is a bypass, or rather, a bug.
Exp:
From https://github.com/nginx/njs/blob/f5d710bdc0cd4ab51fb26302a6e391c2d17dbb5b/src/njs_function.c#L914 :
There's a string concat:
So making a Function with `"){code})` can bypass the limit and create a function. Then just execute `this[result]`.
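To make the bug class concrete, here is an added example (my own code, not njs or the challenge's code) that models a function constructor built by plain string concatenation next to a hardened variant. The function names (`buildSourceUnsafe`, `buildSourceSafe`, `engineRejectsParamInjection`) and the identifier regex are assumptions for illustration; the last function shows that a spec-compliant engine (Node's V8 here) parses the parameter string on its own and refuses a parameter list that terminates early, which is exactly the check a concatenating implementation lacks.

```javascript
'use strict';

// Naive construction: "(function(" + params + "){" + body + "})".
// A parameter string containing ")" or "{" closes the parameter list and
// smuggles text into the function body, which is the defect described above.
function buildSourceUnsafe(params, body) {
  return '(function(' + params.join(',') + '){' + body + '})';
}

// One JavaScript identifier (ASCII subset, enough for this demo).
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Hardened construction: accept only bare identifiers as parameter names,
// so nothing in the parameter list can end it early.
function buildSourceSafe(params, body) {
  for (const p of params) {
    if (!IDENT.test(p)) {
      throw new SyntaxError('invalid parameter name: ' + JSON.stringify(p));
    }
  }
  return buildSourceUnsafe(params, body);
}

// Spec-compliant engines parse the parameter string separately from the body.
// Returns true when the real Function constructor rejects a constructed
// parameter string that closes the list early (harmless body on purpose).
function engineRejectsParamInjection() {
  try {
    new Function('a){ return 1 }', 'return 2');
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Stand-alone demo on constructed input.
const injected = ['a', '){ return "escaped" }'];
console.log('unsafe source :', buildSourceUnsafe(injected, 'return "body"'));
try {
  buildSourceSafe(injected, 'return "body"');
} catch (e) {
  console.log('safe builder  :', e.message);
}
console.log('V8 rejects    :', engineRejectsParamInjection());
```

The unsafe source shows the injected text landing in executable position while the supplied body becomes dead code after it; validating each parameter as an identifier before concatenation is the minimal fix, and delegating to a real parser (as V8 does) is the robust one.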
Seven teams solved this, orz:
Baby CSP
code:
The Dockerfile shows this runs php-7.4 with php.ini-development, which enables warnings.
Obviously ?user has an XSS. We can get an XSS within 23 bytes like:
but it seems impossible to insert a nonce then.
PHP output buffer
PHP has a default output buffer size of 4096 bytes. Once this buffer is full, it is flushed to the client, and any header() call after output has been sent will fail.
With an invalid $_GET['alg'], hash() will show a warning like:
So we can fill the buffer with $_GET['alg']:
Really a nice challenge.
Computeration Fixed (WEB)(HARD)
A totally offline app?
It's not an XSS challenge.
No server, no URL reflection... then how to get data out of this page?
After a short look I noticed the RegExp search.
Like SQL blind injection and XML DoS, RegExp can also lead to DoS, like:
Details of the Cloudflare outage on July 2, 2019
An available payload for an ECMAScript engine can be
^[flag_prefix].*.*.*.*.*.*.*.*.*X$
Change the src of the iframe to trigger onhashchange, and we get a ReDoS.
And the next problem is how to measure the execution time.
My approach
In Chrome, an iframe on another domain uses another process, so we can occupy multiple cores at 100%, then benchmark before and during the ReDoS.
It turned out to work! But it was late in UTC+8 and I went to sleep after trying this (subdomains do not count):
PoC:
The server has 8 cores so I need more domains to occupy the CPU. On my machine it works.
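As an added example (my own code, not the challenge's or the official writeup's), the block below shows the three pieces a defender wants around this technique: a static check that flags patterns of the `^prefix.*.*.*X$` family before they reach `RegExp`, a timing harness that makes the prefix-dependent cost visible, and the mitigation of escaping a search string so it is matched literally. The helper names, the `limit` threshold and the sample secret are constructed for the demo.

```javascript
'use strict';

// Longest run of chained unbounded wildcards (".*" or ".+") in a pattern.
// Each extra one multiplies the backtracking when the anchored suffix fails.
function chainedWildcards(pattern) {
  let longest = 0;
  for (const run of pattern.match(/(?:\.[*+])+/g) || []) {
    longest = Math.max(longest, run.length / 2); // each term is two characters
  }
  return longest;
}

// Reject user patterns that chain more than `limit` wildcards (threshold assumed).
function isRiskyPattern(pattern, limit = 3) {
  return chainedWildcards(pattern) > limit;
}

// Wall-clock cost of one regex.test() in milliseconds.
function measureMs(pattern, input) {
  const re = new RegExp(pattern);
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Mitigation for a search box: escape metacharacters so the needle is literal.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function literalSearch(needle, haystack) {
  return new RegExp(escapeRegExp(needle)).test(haystack);
}

// Constructed demo data: the engine only enters the .* chain when the anchored
// prefix matches, so the right prefix costs far more time than a wrong one.
const secret = 'justCTF{constructed_sample_value_for_demo}';
const rightPrefix = '^justCTF\\{.*.*.*.*.*.*X$';
const wrongPrefix = '^flag\\{.*.*.*.*.*.*X$';
console.log('risky pattern   :', isRiskyPattern(rightPrefix));
console.log('right prefix ms :', measureMs(rightPrefix, secret).toFixed(3));
console.log('wrong prefix ms :', measureMs(wrongPrefix, secret).toFixed(3));
console.log('literal ".*"    :', literalSearch('.*', secret));
```

The timing gap is the side channel the challenge relies on; the static check and the escaping helper are the two places where an application can close it, either by refusing catastrophic patterns or by never compiling user input as a pattern at all.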

Official WriteUp
Busy Event Loop (A nice article!)
The onhashchange event blocks page load, so measuring the time with onload gives the execution time.
Code from the official writeup:
Learned a lot. Thanks to justCatTheFish team for such a high-quality game!
This work is licensed under
Creative Commons Attribution-NonCommercial 4.0 International