Writeup for QR Generator (Web)

Apr 27, 2020

This was by far one of the most enjoyable and most informative CTFs that Team ZH3R0 and I have played yet. This writeup covers a Web challenge from HouseplantCTF, organized by the RiceTeaCatPanda CTF team. Hope you learn from this post!

QR Generator — Web Challenge 2

This was an easy challenge, yet it takes time to do manually. You have an input box, and the program generates a QR code based on your input. Give “AAAA” as the input and scan the resulting QR code. I used my phone to scan the QR code; it was a convenient way to solve the challenge for me.

But we only got the first character (“A”). Looking further at the source code confirmed that the output contains only the first character.

<!-- TODO: Fix bug where the QR code only contains 1 character -->

But we can run Linux commands in the program by wrapping them in backticks, so this time we will try to execute “cat flag.txt”.

`cat flag.txt | cut -c 1`

We get “r”, the first character of the flag (flag format: rtcp{}). So we need to read the flag letter by letter, and doing that manually is a time-consuming task.

Payload : `cat flag.txt | cut -c {index}`
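Why the backticks run, and what fixes it, as an added example that is not the challenge's server code (the page does not show it). It assumes the input is interpolated into a shell command line; the function names and the flag contents are hypothetical and constructed for the demo.

```python
import os
import subprocess
import tempfile


def first_char_vulnerable(user_input: str, workdir: str) -> str:
    # Assumed bug pattern: the input is pasted into a shell command line.
    # Double quotes do not stop sh from expanding `...` command substitution.
    cmd = f'printf %s "{user_input}"'
    out = subprocess.run(cmd, shell=True, cwd=workdir,
                         capture_output=True, text=True).stdout
    return out[:1]  # mirrors the TODO bug: only 1 character reaches the QR code


def first_char_hardened(user_input: str, workdir: str) -> str:
    # Fix: pass the input as a single argv element and never invoke a shell,
    # so backticks are ordinary characters.
    out = subprocess.run(["printf", "%s", user_input], cwd=workdir,
                         capture_output=True, text=True).stdout
    return out[:1]


def demo() -> dict:
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for the challenge's flag.txt.
        with open(os.path.join(workdir, "flag.txt"), "w") as f:
            f.write("rtcp{constructed_for_demo}\n")
        payload = "`cat flag.txt | cut -c 1`"  # the input used in the writeup
        return {
            "plain_vulnerable": first_char_vulnerable("AAAA", workdir),
            "payload_vulnerable": first_char_vulnerable(payload, workdir),
            "payload_hardened": first_char_hardened(payload, workdir),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In the hardened handler the same input yields a literal backtick, because nothing interprets it as a command.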

