Hi everyone! NahamCon CTF 2022 was held from 29/4-30/4. This Personnel challenge is on REGEX injection to leak the flag. Let’s get started!
Files provided
Outlook of the website
We can see there is a search bar for us to input stuff.
Looking at the HTML source code, we can see the form will send two parameters, “name”, and “setting”.
If we look at the source code, app.py, we can see that it will take in the input from “name” parameter via POST request, and process the value if the first character is an uppercase letter. The remaining letters will be processed (see red arrow). This means we have to and we can use any uppercase letters.
Based on the green arrow, we can see the remaining letters in the name variable will be used in REGEX to list all users (see green arrow). The list of users includes the flag as shown on line 13.
However, we need to bypass the REGEX as the REGEX preset query string already has “[A-Z]” at the start which will omit our flag which first’s letter is probably a lower case. Therefore, we can play around using https://regex101.com/ to test our REGEX bypass.
To bypass, we just need to use the OR operator to omit “[A-Z]” from the first half of the query so that our flag can still pass the REGEX condition. Next, we will need “.+” to ensure our flag will be matched due to curly brackets and possible numbers in the flag.
Now that we know “|.+” will help to match our flag, we can use the value below to submit as the name to get our flag.
A|.+
Our flag should be at the bottom of the page as it was appended to the list.
I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
Lamecarrot 