We are given access to a page and its source code:
<?php
if (isset($_GET['view-source'])) {
    show_source(__FILE__);
    exit();
}
include("./inc.php"); // key & database config
function err($str){
    die("<script>alert(\"$str\");window.location.href='./';</script>");
}
$nonce = mt_rand();
extract($_GET); // this is my backdoor :)
if (empty($_POST['key'])) {
    err("Parameter Missing!");
}
if ($_POST['key'] !== $key) {
    err("You Are Not Authorized!");
}
$conn = mysql_connect($host, $user, $pass);
if (!$conn) {
    err("Database Error, Please Contact with GameMaster!");
}
$query = isset($_POST['query']) ?
In this task we have to win a lottery game:
Basically each coupon costs $5 and we have $100 to spend. If we try to withdraw our money we get the amount of money we need to get our flag:
To show they are playing fairly, they give you a verification ID, which is the value you have to guess concatenated with a random salt to reach the 16-byte AES block that is used to encrypt the string.
This was the task that most players solved (89). We were given a PDF with a Lorem ipsum text. Using PeePDF from @EternalTodo we can easily analyze the PDF.
The info command shows two suspicious sectors:
But the metadata one shows more interesting stuff:
It seems there may be Morse code hidden in the PDF. Looking around different PDF objects we see something interesting in object 8:
If we treat A’s and B’s as dots and dashes we get the following texts:
Remote code execution 0 day in up-to-date Struts 2 applications: Some months ago Struts2 announced a security vulnerability, S2-020, that allowed ClassLoader manipulation and that could be used to get Remote Code Execution on certain application servers like Tomcat 8. The fix for this vulnerability was to forbid the (.*\.|^)class\..* regex from action parameters. However, a bypass was made public that basically consists of replacing the dot notation with the square bracket notation.
I played with Fusion level05 for a couple of days last Xmas and although I found how to smash the stack, I couldn’t find any reliable way of leaking the .text base address to bypass PIE protection so I left it there. Yesterday, a tweet from @Newlog_ got me thinking it could be a good idea to post what I’ve done so far in case anyone wants to pick it up from there and help solve the level.
Carbonara
We are given the following ciphertext:
%96 7=28 7@C E9:D 492= :D iQx>A6C2E@C xF=:FD r26D2C s:GFDQ]
A simple shift shows interesting results:
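ciphertext = "%96 7=28 7@C E9:D 492= :D iQx>A6C2E@C xF=:FD r26D2C s:GFDQ]"
size = len(ciphertext)
# Try every shift from 0 to 99 and print each candidate plaintext
for i in range(0, 100):
    result = ""
    for c in ciphertext:
        # Leave characters outside the printable range 33..126 (e.g. spaces) untouched
        if ord(c) > 126 or ord(c) < 33:
            result += c
        else:
            first = ord(c) + i
            # Wrap values that go past 'Z' (90) back to just after '@' (64)
            if first > 90:
                first = 64 + (first - 90)
            result += chr(first)
    print(result)
Here is where the history classes prove valuable, flag is: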
Web 100: Abitol
This is a simple web app where you can register and log in to see an articles page, a photo gallery, a flag page and an admin contact page.
Visiting the flag page gives us a "Nice try, did you really think it would be that easy? ;)" message, but the photo gallery is vulnerable to XSS:
http://abitbol.nuitduhack.com/zoom.php?image=1%3E%3Cscript%3Ealert%281%29%3C/script%3E
Now, we don't know how the admin contact will be visualized in the viewer page, but we can try to send him a message with an iframe pointing to the vulnerable page so we can send his session ID to our cookie catcher or use XHR to request the flag.
This blog post was published on the HP Security Research blog, but I am publishing it here for greater dissemination:
Advisory overview
Restlet is a lightweight Java framework for building RESTful APIs. It comes in different flavors (Java SE, Java EE, Android, Google Web Toolkit and Google App Engine) and is composed of a core API and different extensions that provide additional functionality.
While adding support for the Restlet API to HP Fortify SCA, the Software Security Research group discovered that the XStream extension prior to 2.
In this level we are presented with a Connect 4 game written with ncurses. After playing a couple of times we find a combination to win: DHHDLLDHDDDLDD
Nothing happens though, so let's fire up Hopper and take a look at the code. A good place to start is by analyzing the code around the you win and you lose exit strings and actually, after printing the you win string we can find an interesting piece of code before the call to exit()
This is an easy pwnable level but very interesting since there are many ways to exploit it, so let's start by checking the binary protections:
Not bad, ASLR and NX enabled and the stack is protected with a canary. Let's analyze what it does … Running the binary opens a socket on port 8888 which we can connect to and receive a menu with options to attack Doraemon:
Normally I play with the binary and try to get a crash, which is simple in this case, but this time I decided to do some reversing that paid off very well. I found the following vulnerabilities: