Posts List

NuitDuHack 2014 Web Write Ups

Web 100: Abitol. This is a simple web app where you can register and log in to see an articles page, a photo gallery, a flag page and an admin contact page. Visiting the flag page gives us a "Nice try, did you really think it would be that easy? ;)", but the photo gallery is vulnerable to XSS: http://abitbol.nuitduhack.com/zoom.php?image=1%3E%3Cscript%3Ealert%281%29%3C/script%3E Now, we don't know how the admin contact will be visualized in the viewer page, but we can try to send him a message with an iframe pointing to the vulnerable page, so we can send his session ID to our cookie catcher or use XHR to request the flag.

#hackyou2014 Web400 write-up

I did not solve this level during the CTF, but I found reading Xelenonz's write-up so interesting that I couldn't help trying it myself just for fun, and since this blog is my personal notes, I decided to write it here for future reference; all credits go to Xelenonz. We are given the code of an image hosting web app. Reading the code, we see how it handles the requests:

#hackyou2014 Web100 write-up

In this level we are presented with some logos we can vote on. If we look at the source code we can see an interesting comment:

    ... <!-- TODO: remove index.phps --> ...

We can grab the source code:

    <?php
    include 'db.php';
    session_start();
    if (!isset($_SESSION['login'])) {
        $_SESSION['login'] = 'guest'.mt_rand(1e5, 1e6);
    }
    $login = $_SESSION['login'];
    if (isset($_POST['submit'])) {
        if (!isset($_POST['id'], $_POST['vote']) || !is_numeric($_POST['id']))
            die('Hacking attempt!');
        $id = $_POST['id'];
        $vote = (int)$_POST['vote'];
        if ($vote > 5 || $vote < 1)
            $vote = 1;
        $q = mysql_query("INSERT INTO vote VALUES ({$id}, {$vote}, '{$login}')");
        $q = mysql_query("SELECT id FROM vote WHERE user = '{$login}' GROUP BY id");
        echo '<p><b>Thank you!

#hackyou2014 Web200 write-up

In this level we are presented with a typical Snake game. I spent a couple of hours deobfuscating the JavaScript code until I was capable of submitting any score. Nice, but useless. I also found out that I could fake the IP associated with the score using the X-Forwarded-For header. That was pretty much it until the CTF was about to finish, when I was given the hint: “../”. I could use it to locate an LFI vulnerability that was affecting the index.

#hackyou2014 Web300 write-up

In this level we were presented with an online shop. The task name was “AngryBird”, and this was very relevant to solving the challenge! It actually comes down to two parts: finding a hidden admin area, and exploiting a blind SQLi to get credentials. Finding the hidden admin area: we were given the following description: Some web-developers still host their sites on Windows platform, and think that it is secure enough