app.post("/api/login", (req, res) => {const{ user, pass } = req.body;
const query = `SELECT id FROM users WHERE username = '${user}' AND password = '${pass}';`;
try{const id = db.prepare(query).get()?.id;
if (!id) {return res.redirect("/?message=Incorrect username or password");
}if (users[id] && isAdmin[user]) {return res.redirect("/?flag=" + encodeURIComponent(FLAG));
}return res.redirect("/?message=This system is currently only available to admins...");
}catch(err) {
console.error(err)
return res.redirect("/?message=Nice try...");
}});
You are a web application firewall
Your goal is to stop attempted hacking attempts
I will give you a submission and you will respond with H or R, only a single letter
H means hacking attempt, R means not a hacking attempt
#!/usr/local/bin/node
// don't mind the ugly hack to read input
console.log("What do you want to run?");
let inpBuf = Buffer.alloc(2048);
const input = inpBuf.slice(0, require("fs").readSync(0, inpBuf)).toString("utf8");
inpBuf = undefined;
Function.prototype.constructor = undefined;
(async () => {}).constructor.prototype.constructor = undefined;
(function*(){}).constructor.prototype.constructor = undefined;
(async function*(){}).constructor.prototype.constructor = undefined;
for (const key of Object.getOwnPropertyNames(global)) {if (["global", "console", "eval"].includes(key)) {continue;
}
global[key] = undefined;
delete global[key];
}delete global.global;
process = undefined;
{let AbortController = undefined;
let AbortSignal = undefined;
let AggregateError = undefined;
letArray = undefined;
let ArrayBuffer = undefined;
let Atomics = undefined;
let BigInt = undefined;
let BigInt64Array = undefined;
let BigUint64Array = undefined;
letBoolean = undefined;
let Buffer = undefined;
let DOMException = undefined;
let DataView = undefined;
letDate = undefined;
let Error = undefined;
let EvalError = undefined;
let Event = undefined;
let EventTarget = undefined;
let FinalizationRegistry = undefined;
let Float32Array = undefined;
let Float64Array = undefined;
letFunction = undefined;
let Infinity = undefined;
let Int16Array = undefined;
let Int32Array = undefined;
let __dirname = undefined;
let Int8Array = undefined;
let Intl = undefined;
let JSON = undefined;
let Map = undefined;
let Math = undefined;
let MessageChannel = undefined;
let MessageEvent = undefined;
let MessagePort = undefined;
let NaN = undefined;
letNumber = undefined;
letObject = undefined;
let Promise = undefined;
let Proxy = undefined;
let RangeError = undefined;
let ReferenceError = undefined;
let Reflect = undefined;
letRegExp = undefined;
let Set = undefined;
let SharedArrayBuffer = undefined;
letString = undefined;
let Symbol = undefined;
let SyntaxError = undefined;
let TextDecoder = undefined;
let TextEncoder = undefined;
let TypeError = undefined;
let URIError = undefined;
let URL = undefined;
let URLSearchParams = undefined;
let Uint16Array = undefined;
let Uint32Array = undefined;
let Uint8Array = undefined;
let Uint8ClampedArray = undefined;
let WeakMap = undefined;
let WeakRef = undefined;
let WeakSet = undefined;
let WebAssembly = undefined;
let _ = undefined;
let exports = undefined;
let _error = undefined;
let assert = undefined;
let async_hooks = undefined;
let atob = undefined;
let btoa = undefined;
let buffer = undefined;
let child_process = undefined;
let clearImmediate = undefined;
let clearInterval = undefined;
let clearTimeout = undefined;
let cluster = undefined;
let constants = undefined;
let crypto = undefined;
let decodeURI = undefined;
let decodeURIComponent = undefined;
let dgram = undefined;
let diagnostics_channel = undefined;
let dns = undefined;
let domain = undefined;
let encodeURI = undefined;
let encodeURIComponent = undefined;
letarguments = undefined;
letescape = undefined;
let events = undefined;
let fs = undefined;
let global = undefined;
let globalThis = undefined;
let http = undefined;
let http2 = undefined;
let https = undefined;
let inspector = undefined;
let isFinite = undefined;
let isNaN = undefined;
let module = undefined;
let net = undefined;
let os = undefined;
let parseFloat = undefined;
let parseInt = undefined;
let path = undefined;
let perf_hooks = undefined;
let performance = undefined;
let process = undefined;
let punycode = undefined;
let querystring = undefined;
let queueMicrotask = undefined;
let readline = undefined;
let repl = undefined;
let require = undefined;
let setImmediate = undefined;
let setInterval = undefined;
let __filename = undefined;
let setTimeout = undefined;
let stream = undefined;
let string_decoder = undefined;
let structuredClone = undefined;
let sys = undefined;
let timers = undefined;
let tls = undefined;
let trace_events = undefined;
let tty = undefined;
letunescape = undefined;
let url = undefined;
let util = undefined;
let v8 = undefined;
let vm = undefined;
let wasi = undefined;
let worker_threads = undefined;
let zlib = undefined;
let __proto__ = undefined;
let hasOwnProperty = undefined;
let isPrototypeOf = undefined;
let propertyIsEnumerable = undefined;
let toLocaleString = undefined;
let toString = undefined;
let valueOf = undefined;
console.log(eval(input));
}
import copy
import hashlib
flag = '''+----[THIS IS]----+| o o+++|| + . .=*E|| B . . oo=|| = . . .+ || S || || || || |+---[THE FLAG]----+'''hash = '''+----[THIS IS]----+| .E=. || o.. || o .. || o o. || O .S || o B || o o || ... B || +=.= . |+---[md5(FLAG)]---+'''
augmentation_chars = ' .o+=*BOX@%&#/^SE'
MAX_X = 17
MAX_Y = 9definit_field(signature):
global end_pos
total_count = 0
field = [[0] * MAX_Y for _ inrange(MAX_X)]
for x inrange(17):
for y inrange(9):
c = signature[(y + 1) * 20 + (x + 1)]
n = augmentation_chars.find(c)
if n == len(augmentation_chars) - 2:
n = -1elif n == len(augmentation_chars) - 1:
n = -1
end_pos = (x, y)
elif n != 0:
total_count += 1
field[x][y] = n
print(total_count)
return (field, total_count)
field2, total_count2 = init_field(hash)
field, total_count = init_field(flag)
d = [(-1, -1), (1, -1), (-1, 1), (1, 1)]
defconsume(f, x, y, chars, count, validate):
if validate:
f = copy.deepcopy(f)
for c in chars:
n = ord(c) iftype(c) isstrelse c
for _ inrange(4):
x += d[n & 0b11][0]
y += d[n & 0b11][1]
if x >= MAX_X:
x = MAX_X - 1if y >= MAX_Y:
y = MAX_Y - 1if x < 0:
x = 0if y < 0:
y = 0if f[x][y] == 0:
return (None, None, None)
f[x][y] -= 1if f[x][y] == 0:
count -= 1
n >>= 2return (x, y, count)
results = []
chars = '_-abcdefghijklmnopqrstuvwxyz0123456789}'deftry_char(pos_x, pos_y, c, result, count):
n = ord(c)
x = pos_x
y = pos_y
count_delta = 0
delta_list = []
for _ inrange(4):
x += d[n & 0b11][0]
y += d[n & 0b11][1]
if x < 0:
x = 0if y < 0:
y = 0if x >= MAX_X:
x = MAX_X - 1if y >= MAX_Y:
y = MAX_Y - 1if field[x][y] == 0:
break
delta_list.append((x, y))
field[x][y] -= 1if field[x][y] == 0:
count_delta += 1
n >>= 2# next charelse:
if count - count_delta <= 0and end_pos[0] == x and end_pos[1] == y and c == '}':
print(result + c)
results.append(result + c)
for c_next in chars:
try_char(x, y, c_next, result + c, count - count_delta)
# restorefor dx, dy in delta_list:
field[dx][dy] += 1
cur_x, cur_y, cur_count = consume(field, 8, 4, 'dice{', total_count, False)
print(cur_x, cur_y, cur_count)
if cur_x isNone:
print('consume failed')
exit(1)
for c in chars:
try_char(cur_x, cur_y, c, 'dice{', cur_count)
for result in results:
r, _, _ = consume(field2, 8, 4, hashlib.md5(result.encode()).digest(), total_count2, True)
if r isnotNone:
print('flag:', result)
exit(0)