CSCAMP CTF Quals 2014 - I hate Time writeup
In this task a web page was given: http://220.127.116.11:8081/ which displays a regex.
After some fuzz we found this http://18.104.22.168:8081/images/now . This image is displayed along the 404 error message and it’s content is the current time. The webserver is a python-based one as hinted from the HTTP headers. The authors of the challenge released then a hint which basically told us that we should try to guess the time function used to generate the image and append it in the URL. So did we. Since the web-server was python we struggled with basically all the functions that return the time as output and eventually found the correct one which was **ctime **(http://22.214.171.124:8081/images/now/ctime). The hint said that we should try to inject our code appending it to the URL. After some tests we finally managed to bypass the regex we found at the start , which validates our argument, and grab the flag by concatenating the output of ctime and the one of readlines():
http://126.96.36.199:8081/images/now/ctime() %2b(open(chr(47)%2b"flag.txt","r")).readlines() or 1%23