CTFtime.org / COMPFEST CTF 2020 / super-judge / Writeup

# Super judge

## Enumeration

We find a website where you can upload files. It specifies its a python emulator.

![index.html](index.png)

Thereafter if you upload a file succesfully it will give you a response with hello ordinary user.

![first upload](uploading.png)

Afterwards I looked around and by going to random links i saw that 1. its a django application and 2. the routes which it checks for. So now I know that there is an admin page, index page and result page. The index being the page where you can upload, the result page being the page you are redirected to when you have uploaded a file.

![debugging in prod is bad](debug.png)

So by playing around with uploading python files I found that it runs the python script. So I guessed that I could possibly affect the django application and by using the assigned script I was able to create an admin account for myself. See solution.py

Once uploaded I went to the admin login page

![admin page](admin.png)

Logged in with my new credentials

![logged in](logged_in.png)

As seen in the result.html file which was provided in the task, the flag is on this page. So go to /result and voila

![flag](flag.png)

Original writeup (https://github.com/Andyandpandy/write-ups/tree/master/compfest-2020/super-judge).

super-judge

Comments

Sign in with