From ebb26ae709570a84004c27f34e9307c33ac6b000 Mon Sep 17 00:00:00 2001 From: Louis Burda Date: Fri, 19 Apr 2024 00:55:07 +0200 Subject: Add Solution --- solve/notes | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 solve/notes (limited to 'solve/notes') diff --git a/solve/notes b/solve/notes new file mode 100644 index 0000000..dd7661c --- /dev/null +++ b/solve/notes @@ -0,0 +1,14 @@ +Literally RCE as a service with training wheels. + +Get to dynamically dispatch a C# function from JSON descripiton. + +Even the type string is returned to you in the service exception output. + +Once you have code execution its a matter of making the flag accessible +through another endpoint, since the program expects an Image return type, +but GetUser returns a String, so an exception is thrown, preventing +you from getting the output directly in the HTTP response. + +We move the flag to wwwroot/js/flag.js. Need the extension, since +otherwise the strict web router will not allow us to download it. + -- cgit v1.2.3-71-gd317