
  • 1/11

    Web Exploitation

    Inspect Me - Points: 125 - (Solves: 1407) - Unsolved

    Inspect this code! http://2018shell2.picoctf.com:47428 (link)

    Looking at the source it reveals:

    The hotkey for 'viewing source' in firefox is Ctrl+U

    Since there's nothing else here, I check the content on the site. The about page hints the following

    ```
    These are the web skills I've been practicing:
    HTML
    CSS
    JS (JavaScript)
    ```

    Since we already got HTML, let's look for CSS elements containing hints before moving on to JS. Sure enough, using the developer tools within Firefox and loading the 'style editor' (where CSS files are specified), we find the following:

    Inspecting the element I see a js script located at: http://2018shell2.picoctf.com:47428/myjs.js

    Navigating to that uri allows me to view the source for the script which reads:

  • 2/11

    ```javascript
    // Tab switcher: hides every .tabcontent panel, clears the highlight on every
    // .tablink button, then shows the requested panel and colours its button.
    function openTab(tabName, elmnt, color) {
      var i, tabcontent, tablinks;
      tabcontent = document.getElementsByClassName("tabcontent");
      for (i = 0; i < tabcontent.length; i++) {
        tabcontent[i].style.display = "none";
      }
      tablinks = document.getElementsByClassName("tablink");
      for (i = 0; i < tablinks.length; i++) {
        tablinks[i].style.backgroundColor = "";
      }
      document.getElementById(tabName).style.display = "block";
      // On the initial call elmnt is window, which has no .style, so this is skipped.
      if (elmnt.style != null) {
        elmnt.style.backgroundColor = color;
      }
    }

    // Open the intro tab when the page finishes loading.
    window.onload = function() {
      openTab('tabintro', this, '#222');
    }

    /* I learned JavaScript! Here's part 3/3 of the flag: */
    ```

    The 3rd component contains nothing, which is a good reminder that sometimes not everything in a CTF makes sense.

    Flag: picoCTF{ur_4_real_1nspect0r_g4dget_e96dd105}

    Irish Name Repo - Points: 200 - (Solves: 2753) There is a website running at http://2018shell2.picoctf.com:52135 (link). Do you think you can log us in? Try to see if you can login!

    Solution: This loads a silly website full of Irish people.

  • 3/11

    There's a sidebar containing a support link, which is interesting. (Often in CTFs the problem makers are responsible for the creation of everything you see, as many of these challenges are fully custom. Someone decided to include a support page purposefully.) There is also an admin login.

    The admin panel link redirects to http://2018shell2.picoctf.com:52135/login.php and lists a generic login.

  • 4/11

    admin/admin yields a login failed, so I head back to the support page. Immediately I'm given an enormous hint.

    This implies that there's no input sanitization being done on characters like the apostrophe in Conan's conjunctive surname.

    I try to replicate this by feeding in Conan's name, but the login fails. I replay using Burp and find an interesting value being passed in addition to my username and password combination.

    I change the debug value to be debug=1 and the login.php loads the following page:

    This of course contains the raw SQL query, so the obvious goal is to use SQLi.

    I refresh the page and within Burp use the action 'Send to repeater' in order to replay the values and toggle them if needed.

    I craft an SQLi payload which URL-decodes to the following. Note: if you want to use the URL encode/decode functions in Burp you can highlight the text and use ctrl + shift + u or ctrl + u to decode/encode it.

    and am happily greeted with the following response:

  • 5/11

    Mr. Robots - Points: 200 - (Solves: 2800)Do you see the same things I see? The glimpses of the flag hidden away? http://2018shell2.picoctf.com:10157 (link)

    Solution:

    The first thing I notice is that this challenge is entitled 'Mr. Robots', which leads me to believe that I'll need the robots.txt file common on most websites. This file exists to give search engine spiders instructions on how to navigate the site.

    Loading the page reveals:

    Even though I'm confident in my theory, I look at the page source anyway. Red herrings are common, and one of the best ways to waste a ton of time on a CTF challenge is proceeding on assumptions without doing appropriate recon.

    That said, I navigate to: http://2018shell2.picoctf.com:10157/robots.txt and am greeted with the contents of the robots.txt file revealing:

    Naturally, I navigate to 2018shell2.picoctf.com:10157/143ce.html and am greeted with the flag:

    No Login - Points: 200 - (Solves: 1819) Looks like someone started making a website but never got around to making a login, but I heard there was a flag if you were the admin. http://2018shell2.picoctf.com:33889 (link)

    Solution: Immediately I just navigate to the site and am greeted with the following.

  • 6/11

    Trying to 'reveal' the flag yields:

    First I have a brief look at the page source, revealing unimplemented sign-in/sign-out functions. My next course of action is to start up my proxy of choice (Burp Suite) and look at what is going back and forth.

    I see a session token, but no user-specific headers being passed, so with Burp Suite, under the proxy mode with intercept on, I add my own:

    After I forward the request containing the modified cookie (containing admin=True), I'm greeted with the flag.
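The weakness above is a server that trusts a plaintext `admin=True` cookie. As an added example (not code from the challenge), here is that check beside a version where the server signs the cookie with an HMAC so an edited flag no longer verifies; the secret and cookie layout are assumptions constructed for this snippet.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed for this example; a real server would load this from config.
SECRET = b"constructed-example-secret"


def is_admin_insecure(cookie_header: str) -> bool:
    """Pattern the No Login challenge models: a bare admin=True flag is trusted,
    and any client (browser, Burp) can set that cookie themselves."""
    jar = SimpleCookie(cookie_header)
    return "admin" in jar and jar["admin"].value == "True"


def sign(payload: str) -> str:
    """HMAC-SHA256 tag over the cookie payload, keyed with the server secret."""
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str, admin: bool) -> str:
    """Server-side: build 'user:flag' and append its tag, e.g. 'alice:False.<hex>'."""
    payload = f"{username}:{'True' if admin else 'False'}"
    return f"{payload}.{sign(payload)}"


def is_admin_signed(cookie_header: str) -> bool:
    """Accept admin only when the tag verifies; editing the flag without SECRET
    leaves a tag that no longer matches. compare_digest avoids timing leaks."""
    jar = SimpleCookie(cookie_header)
    if "session" not in jar:
        return False
    payload, _, tag = jar["session"].value.rpartition(".")
    if not payload or not hmac.compare_digest(tag, sign(payload)):
        return False
    return payload.endswith(":True")


def forged_cookie(username: str) -> str:
    """Simulate a client flipping False to True inside an issued cookie."""
    return "session=" + issue_session(username, False).replace(":False", ":True")
```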

  • 7/11

    Secret Agent - Points: 200 - (Solves: 2049) Here's a little website that hasn't fully been finished. But I heard google gets all your info anyway. http://2018shell2.picoctf.com:60372 (link)

    Solution: Visiting this page shows a similar looking app to the one in the previous challenge, with similar source as well. The problem title is 'Secret Agent', and it hints that Google has all of our info anyway. This is an indication to me that the problem expects me to change my 'agent' string from Mozilla/5.0xxxx (a piece of data identifying the requesting browser type) to match that of a Google search crawler. I google for 'Google user agents' and find that User-agent: Googlebot is an appropriate value.

    I visit the page and press the 'flag' button, replacing my default Mozilla user agent with the Googlebot one.

    Here's the full request captured in burp via intercept mode:

    Buttons - Points: 250 - (Solves: 2333)

  • 8/11

    There is a website running at http://2018shell2.picoctf.com:7949 (link). Try to see if you can push their buttons.

    Solution:

    Loading the page shows: http://2018shell2.picoctf.com:7949/

    Note: there's text laid in the background. Pressing that proceeds to the next page.

    Then: http://2018shell2.picoctf.com:7949/button1.php

    Pressing button2 progresses to http://2018shell2.picoctf.com:7949/boo.html, which predictably loads an mp4. The site was going very slowly, so I actually downloaded the source file directly. Of course, once the page loaded, I was met with a predictably suave Rick Astley.

    I don't see anything springing out in the source, but I notice that any subsequent press of the button doesn't even pass a value in Burp. I realize that the button isn't actually posting any form data. I go back to the first button, grab the values and, using the Firefox developer tools, embed them in the page on 'boo'.

  • 9/11

    Pressing the button after making this change directs me to the button2.php resource, which loads the flag.

    The Vault - Points: 250 - (Solves: 1780) There is a website running at http://2018shell2.picoctf.com:22430 (link). Try to see if you can login!

    Solution: Heading to the resource loads the following.

    Given that they're providing us with the login source code, there must be some programming issue within the source shown below:

  • 10/11

    It looks like another SQLi challenge which is doing some light SQL sanitization.

    I head to the login and send the request over to Burp Repeater, which is best at this sort of repetitious work. Rather than trying to trick their sanitization with encodings or escape schemes, I just introduce a ' which within the query closes the username value, then add a "--", which is how SQL comments are done. This truncates the interpreted SQL query from checking username & password to a query checking only for a user whose name is admin.
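Both the Irish Name Repo and The Vault logins break because the query is built by string concatenation. As an added example (not the challenges' own PHP), the snippet below runs the page's quote-then-comment truncation against a concatenated query and against a parameterized one, using an in-memory SQLite table constructed here; the table schema and rows are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's users table (schema assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Parameters are used even here so the Irish apostrophe needs no escaping.
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "hunter2"), ("o'brien", "pw")])
    return con


def login_vulnerable(con, username: str, password: str):
    """Concatenated query as in the challenges' login.php: a ' in the username
    ends the literal and -- comments out the rest, including the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username: str, password: str):
    """Bound parameters: values travel separately from the SQL text, so quotes
    and -- inside them are plain characters, and an apostrophe in a name works."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    con = make_db()
    payload = "admin' --"  # the page's truncation: close the quote, comment the rest
    return {
        "vulnerable": login_vulnerable(con, payload, "wrong"),
        "parameterized": login_parameterized(con, payload, "wrong"),
        "legit": login_parameterized(con, "admin", "hunter2"),
        "apostrophe_name": login_parameterized(con, "o'brien", "pw"),
    }


if __name__ == "__main__":
    print(demo())
```

The apostrophe case is the detail the support page hinted at: a name like O'Brien is a legitimate input, and only the parameterized query handles it without either failing or opening the injection.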

  • 11/11