* [Forensic - Petite frappe 2](#forensic---petite-frappe-2)
* [Intro - Babel](#intro---babel)
* [Intro - SuSHi](#intro---sushi)
* [Intro - Tarte Tatin](#intro---tarte-tatin)
* [Intro - Sbox](#intro---sbox)
* [Intro - Le Rat Conteur](#intro---le-rat-conteur)
<!--more-->
### WEB - EnterTheDungeon
The source code of the check_secret.php is given at `view-source:challenges2.france-cybersecurity-challenge.fr:5002/check_secret.txt`. The following code is stripped to keep only the interesting part.
We can clearly see it is about PHP type juggling, since `md5($_GET['secret'])` is compared with the submitted value itself.
In PHP, a string starting with **0e** followed only by digits is treated as a numeric string (a float in scientific notation), and some MD5 digests happen to match **0e[0-9]{30}**. Because the code uses **==** instead of **===**, PHP does not compare the two strings character by character: both sides are numeric strings, so they are converted to floats and compared as numbers, and `0e...` is `0` on both sides.
We can validate the challenge using the value **0e1137126905**: http://challenges2.france-cybersecurity-challenge.fr:5002/check_secret.php?secret=0e1137126905
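To make the loose-comparison behaviour concrete, here is a small Python model of the check described above (added here, not code from the challenge or the write-up). The numeric-string regex is an approximation of PHP 5/7's rule and is an assumption of this illustration; the hardened variant uses a constant-time byte comparison, which is what `===` / `hash_equals()` gives you in PHP.

```python
import hashlib
import hmac
import re

# Approximation of PHP's "numeric string" rule: optional sign, digits,
# optional fraction, optional exponent. This regex is an assumption made
# for the illustration, not PHP's actual parser.
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: if both look numeric, compare as numbers."""
    if NUMERIC_STRING.match(a) and NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def is_magic_hash(digest: str) -> bool:
    """True when a hex digest has the 0e + 30 digits shape PHP reads as the float 0."""
    return re.fullmatch(r"0e\d{30}", digest) is not None


def check_secret_loose(secret: str) -> bool:
    """The vulnerable check: md5($secret) == $secret with PHP's loose ==."""
    return php_loose_equals(md5_hex(secret), secret)


def check_secret_strict(secret: str) -> bool:
    """Hardened check: exact, constant-time comparison (=== / hash_equals())."""
    return hmac.compare_digest(md5_hex(secret).encode(), secret.encode())


if __name__ == "__main__":
    secret = "0e1137126905"  # value from the write-up
    digest = md5_hex(secret)
    print(digest, "magic:", is_magic_hash(digest))
    print("loose ==  passes:", check_secret_loose(secret))
    print("strict === passes:", check_secret_strict(secret))
```

Two numeric strings are still compared as numbers in PHP 8, so the fix is `===` or `hash_equals()`, not a version upgrade.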
This challenge is a basic GraphQL injection, first we see a request is made to **http://challenges2.france-cybersecurity-challenge.fr:5006/index.php?search=[BASE64]**.
Since most tools don't let you interact with a base64-wrapped parameter, I opted to build a simple proxy in Python using Flask.
Now every request fired to `/graphl?query=[SOMETHING]` is "converted" for the challenge, and the result is displayed in the page. We can now use any tool to ease our work; I like to use Altair as it's really beautiful :)
We can send the introspection query in order to discover the schema of the GraphQL endpoint: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/GraphQL%20Injection#enumerate-database-schema-via-introspection.
Once converted it looks like that: [CLICK ME](http://challenges2.france-cybersecurity-challenge.fr:5006/index.php?search=...). Altair also provides a simple listing of the "objects" and can build a query for you.
From there it was easy to click on the "Altair button" to ask for the flag :P
![GraphQL]({{ site.baseurl }}/images/FCSC/graphql1simple.png "Ask for the flag"){: .center-image }
### WEB - Rainbow Pages v2
Another iteration of the GraphQL challenge available at http://challenges2.france-cybersecurity-challenge.fr:5007/. We can reuse our python proxy.
It appears our input lands inside an existing query, instead of us sending the full query as in the first challenge. Let's fuzz the input to see if we can trigger some errors that help understand where we are injecting.
![Fuzzing GraphQL input]({{ site.baseurl }}/images/FCSC/graphql2leakquery.png "Fuzzing the input"){: .center-image }
The block string `"""` helps us discover part of the query: we are inside a weird filter, like the following request.
Now we can try to recreate the end of the query and add our evil payload. To prepare this, I first replicated a GraphQL query using **OR** against the previous challenge, thanks to the proxy.
Then we can try to request the flag. It is not named the same way as in the other challenge, but the error messages are quite straightforward and suggest the correct name.
Bestiary was a classic Local File Inclusion, abusing the session to execute arbitrary commands on the server.
First we can grab the source code by using a PHP filter: `challenges2.france-cybersecurity-challenge.fr:5004/index.php?monster=php://filter/convert.iconv.utf-8.utf-16/resource=index.php`. The file is returned as UTF-16, so it is displayed rather than interpreted as PHP code. Here is a curated extract of the code.
We want to include the content of **flag.php** and bypass the filter `strpos($monster, "flag")`, which prevents us from using our wrapper directly on flag.php.
The PHP code changes the default path used to store the temporary PHP session files. In PHP, when you have a cookie `PHP_SESSID=3ba53bc0ae7fea081347b3f1f8cf0c41`, there is a file named `sessions/sess_3ba53bc0ae7fea081347b3f1f8cf0c41` containing a "serialized" version of the session data.
1. First we need to put our payload inside our session file : `http://challenges2.france-cybersecurity-challenge.fr:5004/index.php?monster=<?php%20echo%20file_get_contents(%27fl%27.%27ag.php%27);%20?>`.
2. Then we include our session file: `http://challenges2.france-cybersecurity-challenge.fr:5004/index.php?monster=/var/www/html/sessions/sess_3ba53bc0ae7fea081347b3f1f8cf0c41`.