Add files via upload

tr4l · web-flow · commit 8abe2d80ebcc · 2022-06-26T17:47:31.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,25 @@
+FROM node:18.3.0
+ARG FLAG=DOCKER_DUMMY_FLAG
+ARG PORT=8082
+
+# Get random image
+WORKDIR /usr/src/pt/public
+COPY getImg.sh /usr/src/pt/public/getImg.sh
+RUN /usr/src/pt/public/getImg.sh
+RUN rm /usr/src/pt/public/getImg.sh
+
+# Prepare node server
+WORKDIR /usr/src/pt
+COPY package*.json ./
+RUN npm install
+COPY app.js .
+COPY index.html .
+
+# Set env variable for the application
+ENV PT_FLAG=${FLAG}
+ENV PT_PORT=${PORT}
+
+EXPOSE ${PORT}/tcp
+
+ENTRYPOINT ["node", "app.js"]
+
diff --git a/README.md b/README.md
@@ -0,0 +1,25 @@
+# PetiteTete
+
+## FR
+* Name: PetiteTete
+* Author: Zmx / Tian
+* Type: Stega
+* Difficulty: 2/5
+* Hint
+    * Hint 1
+    * Hint 2
+* Flag: <To_Be_Defined> 
+* Provide to challenger: only the service url.
+
+Une stéga pour les petites tetes :)
+
+
+### Build
+
+```
+docker build -t ctf/petite-tete .
+docker run -p8082:8082 -e "PT_FLAG=JESUISUNFLAG" ctf/petite-tete:latest
+```
+
+### Solution
+cat solve.py
diff --git a/app.js b/app.js
@@ -0,0 +1,56 @@
+const express = require('express');
+
+const app = express();
+const FLAG = process.env.PT_FLAG || "NodeDummyFlag";
+const PORT = process.env.PT_PORT || 8080;
+
+
+app.disable('x-powered-by');
+
+let headers =['Access-control-Allow-Credentials: true',
+  'Access-control-Allow-Origin: *',
+  'Cache-control: max-age=0',
+  'Content-language: en',
+  'Content-security-policy: default-src \'self\'; upgrade-insecure-requests; referrer no-referrer',
+  'Referrer-policy: no-referrer',
+  'X-content-Type-Options: nosniff',
+  'X-frame-Options: SAMEORIGIN'];
+
+function setHeader(res,id){
+  var chr = "\x00";
+  if (id != null && id >= 0 && id < FLAG.length) {
+    chr = FLAG[id];
+  }
+  var bin = chr.charCodeAt().toString(2);
+  bin = Array(8-bin.length+1).join("0") + bin;
+
+  for (var i = 0; i < headers.length; i++ ) {
+    var hs = headers[i];
+    var aHs = hs.split(":");
+    if (bin[i] == "0") {
+      res.set(aHs[0], aHs[1]);
+    }else{
+      var minus = aHs[0].indexOf("-");
+      var customH = aHs[0].slice(0,minus+1) + aHs[0][minus+1].toUpperCase() + aHs[0].slice(minus+2);
+      res.set(customH, aHs[1]);
+    }
+  }
+}
+app.get('/', function(req, res) {
+    res.sendFile(__dirname + '/index.html');
+
+});
+
+app.get('/thumb', async (req, res) => {
+	try {
+        var id = req.query.id;
+	setHeader(res, parseInt(id));
+	res.sendFile(__dirname + '/public/stega-'+parseInt(id)+'.jpg');//If id is not an int, we will have NaN
+	}catch (e) {
+        	console.log(e);
+	        return res.end('error');
+    }
+});
+
+app.listen(PORT);
+console.log("Started on " + PORT);
diff --git a/getImg.sh b/getImg.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+for i in {0..50}
+do
+   wget "https://picsum.photos/100" -O stega-$i.jpg
+done
diff --git a/index.html b/index.html
@@ -0,0 +1,38 @@
+<html>
+	<head>
+		<style>
+			body {
+				background:#5352ed;
+				display:flex;
+				flex-direction: column;
+				margin:0;
+			}
+			#main {
+				display:grid;
+				grid-template-columns:repeat(4, 5fr);
+				grid-row-gap: 10px;
+				margin-top:50px;
+			}
+			.gallery {
+				margin:auto;
+				position:relative;
+			}
+			.gallery img {
+				max-width:315px;
+				max-height:250px;
+			}
+		</style>
+	</head>
+	<body>
+		<div id="main">
+		</div>
+	</body>
+</html>
+        <script>
+        var thumb = 0;
+        while (thumb < 40) {
+                var img = `<div class="gallery"><img src="/thumb?id=${thumb++}"/></div>`;
+                document.getElementById("main").innerHTML = img + document.getElementById("main").innerHTML;
+        }
+        </script>
+
diff --git a/package.json b/package.json
@@ -0,0 +1,15 @@
+{
+  "name": "PetiteTete",
+  "version": "1.0.0",
+  "description": "",
+  "main": "app.js",
+  "dependencies": {
+    "express": "^4.17.1"
+  },
+  "devDependencies": {},
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC"
+}
diff --git a/solve.py b/solve.py
@@ -0,0 +1,25 @@
+import requests 
+
+debug = 0;
+URL = "http://127.0.0.1:8082/thumb?id="
+thumb = 0
+flag ="";
+finish = False;
+
+while (finish == False) :
+  r = requests.get(url = URL + str(thumb))
+
+  count = 0;
+  binary = "";
+  for key in r.headers.keys():
+      if (count >= debug and count < (8 + debug)):
+        binary += "1" if key.split("-")[1][0].isupper() else "0"
+      count = count + 1;
+  print (binary);
+  as_integer = int(binary, 2)
+  as_char = chr(as_integer)
+  flag = flag + as_char
+  thumb = thumb + 1
+  if (binary == "00000000"):
+    finish = True
+print (flag)
