
Author: SaBeLa

[SEC-T] Naughty ads

Solution

The source can be read through the .phps copy of the page: http://naughtyads.alieni.se/index.phps

It applies a very strict filter to $_REQUEST['id'], but none at all to $_GET['id'], and it is the unfiltered $_GET['id'] that is passed on to the function. Since $_REQUEST is assembled from the GET, POST and cookie data, the value that gets filtered and the value that gets used are not necessarily the same, so the filter can be bypassed like this:

This yields the credentials. Username: webmasterofdoom3755, password hash: 5ebe2294ecd0e0f08eab7690d2a6ee69. Looking the MD5 up at https://md5.gromweb.com/?md5=5ebe2294ecd0e0f08eab7690d2a6ee69 shows that the real password is "secret". Log in with this identity, fill in the phone number and submit the form, and the website returns the flag.


[SEC-T] Sprinkler system

Solution

First, take a look at robots.txt:

It reveals a test-cgi script in the cgi-bin folder. Some research shows that test-cgi (the sample script that ships with old web servers) is vulnerable: it echoes the query string through an unquoted shell variable, so glob characters in the query string are expanded by the shell, which makes it possible to list directories. Exploit URL: http://sprinklers.alieni.se/cgi-bin/test-cgi?/* Output:

It works. Changing the parameter to "*" lists all the files in the current directory. URL: http://sprinklers.alieni.se/cgi-bin/test-cgi?* Output:

Finally, requesting http://sprinklers.alieni.se/cgi-bin/enable_sprinkler_system prints the flag.
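How the listing happens, as an added example that is not part of the original writeup: the vulnerable line is modelled on the classic test-cgi sample script's unquoted `echo QUERY_STRING = $QUERY_STRING`, shown next to the quoted form that fixes it. The directory and the file names in it are constructed stand-ins for cgi-bin, and each line is run under /bin/sh with QUERY_STRING in the environment, which is how a web server hands the query string to a CGI.

```python
import os
import subprocess
import tempfile

# Modelled on the classic test-cgi sample script: it echoes the query string
# back to the client through an unquoted shell variable, so the shell performs
# globbing on whatever the client sends. The fixed form quotes the variable.
VULNERABLE_CGI = 'echo QUERY_STRING = $QUERY_STRING'
FIXED_CGI = 'echo QUERY_STRING = "$QUERY_STRING"'


def run_cgi(script, query_string, cwd):
    """Run one line of the CGI under /bin/sh with QUERY_STRING set in the
    environment, which is how a web server passes the query string to a CGI.
    Only PATH and QUERY_STRING are set, so glob results sort in the C locale."""
    env = {"PATH": "/usr/bin:/bin", "QUERY_STRING": query_string}
    result = subprocess.run(["sh", "-c", script], cwd=cwd, env=env,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def compare(query_string):
    """Return (vulnerable_output, fixed_output) for one query string.

    A temporary directory holding a few constructed file names stands in for
    the server's cgi-bin directory, the CGI's working directory.
    """
    with tempfile.TemporaryDirectory() as cgi_bin:
        for name in ("enable_sprinkler_system", "printenv", "test-cgi"):
            open(os.path.join(cgi_bin, name), "w").close()
        vulnerable = run_cgi(VULNERABLE_CGI, query_string, cgi_bin)
        fixed = run_cgi(FIXED_CGI, query_string, cgi_bin)
    return vulnerable, fixed


if __name__ == "__main__":
    # "*" lists the CGI directory, "/*" the root of the host, "*.py" matches
    # nothing here and is therefore echoed back literally by both versions.
    for qs in ("*", "/*", "*.py"):
        vuln, fixed = compare(qs)
        print(f"query {qs!r}: vulnerable -> {vuln!r}")
        print(f"query {qs!r}: fixed      -> {fixed!r}")
```

The only difference between the two scripts is the pair of double quotes; the unquoted version turns a request parameter into a directory listing of whatever directory the CGI runs in.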


[CSAW2017] baby_crypt

Solution

The socket service takes our input, appends the flag to the end and encrypts the whole thing with AES in ECB mode.

In AES-ECB each block is 16 bytes (32 hex characters) and identical plaintext blocks give identical ciphertext blocks. For example:

Block1           Block2           Block3
aaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbb cccccccccccccccc

If the last block is shorter than 16 bytes it is filled up with padding:

Block1           Block2           Block3
aaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbb ccccccccc0000000

In this challenge the blocks look like this:

Block1           Block2           Block3
inputinputinputi flag{xxxxxxxxxxx xxxxxxxxxxxxxxx}

So we control the contents of Block1. What if the input is only 15 characters long? Then the first character of the flag is pushed into Block1:

Block1           Block2           Block3
inputinputinputf lag{xxxxxxxxxxxx xxxxxxxxxxxxxx}0

That lets us build inputs like the following to brute-force the flag one byte at a time:

Block1           Block2           Block3
aaaaaaaaaaaaaaaX aaaaaaaaaaaaaaaf lag{xxxxxxxxxxxx ...

Block1           Block2           Block3
aaaaaaaaaaaaaafX aaaaaaaaaaaaaafl ag{xxxxxxxxxxxxx ...

Block1           Block2           Block3
aaaaaaaaaaaaaflX aaaaaaaaaaaaafla g{xxxxxxxxxxxxxx ...

With k flag characters already known, the input is (15 minus k) filler characters, the k known characters and one guess X, followed by the same (15 minus k) filler characters again, so that the appended flag lands in Block2 right behind the same filler and known characters. Try every printable value of X: when Block1 of the ciphertext equals Block2, X is the next correct flag character. Based on this idea I wrote a script to do it automatically.
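The byte-at-a-time recovery as a complete script, added here as an example; it is not the script from the original post. To run offline, the AES-ECB service is replaced by a constructed stand-in: an ECB-style block function built from HMAC-SHA256 (any deterministic per-block transform behaves like ECB for this attack) with PKCS#7 padding, over a constructed flag; the key, the flag and the padding scheme are assumptions. The attack code only talks to the `oracle()` callable, so it goes beyond the two-block version above: it first measures the secret's length from the padding, then recovers a secret of any length by aligning each unknown byte at the end of a block. Pointing `oracle` at the real socket service would be the only change.

```python
import hashlib
import hmac
import string

BLOCK = 16
KEY = b"constructed-demo-key"                   # constructed stand-in for the AES key
FLAG = b"flag{3cb_byt3_at_a_t1m3_is_a_cl4ssic}"  # constructed, not the real flag


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(data):
    """ECB-style encryption: every 16-byte block is transformed on its own, so
    equal plaintext blocks give equal ciphertext blocks. HMAC-SHA256 truncated
    to 16 bytes stands in for the AES block function (assumption for the demo)."""
    data = pkcs7_pad(data)
    return b"".join(hmac.new(KEY, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
                    for i in range(0, len(data), BLOCK))


def oracle(user_input):
    """Models the challenge service: encrypt(user_input || FLAG)."""
    return ecb_encrypt(user_input + FLAG)


def nth_block(ct, n):
    return ct[n * BLOCK:(n + 1) * BLOCK]


def find_secret_length(oracle):
    """Grow the input one byte at a time until the ciphertext gains a block;
    at that point len(input) + len(secret) is a multiple of the block size."""
    base = len(oracle(b""))
    for i in range(1, BLOCK + 1):
        if len(oracle(b"A" * i)) > base:
            return base - i
    raise RuntimeError("ciphertext never grew; not a block cipher oracle?")


def recover_secret(oracle, alphabet=string.printable.encode()):
    """Recover the secret byte by byte: choose a filler so that the next unknown
    byte is the last byte of some block, take that block as the reference, then
    try every candidate byte in the same position until the blocks match."""
    length = find_secret_length(oracle)
    known = b""
    for n in range(length):
        filler = b"A" * (BLOCK - 1 - n % BLOCK)
        target = n // BLOCK
        reference = nth_block(oracle(filler), target)
        for c in alphabet:
            probe = filler + known + bytes([c])
            if nth_block(oracle(probe), target) == reference:
                known += bytes([c])
                break
        else:
            raise RuntimeError(f"no candidate matched at position {n}")
    return known


if __name__ == "__main__":
    print("secret length:", find_secret_length(oracle))
    print("recovered    :", recover_secret(oracle).decode())
```

The cost is at most len(alphabet) oracle calls per secret byte, so a 37-byte flag takes under 4000 queries; the approach in the writeup above is the special case `target == 0`.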


[CSAW2017] – Missed Registration

Solution

Looking at the first HTTP packet, the value of parameter x starts with 424d, the "BM" magic at the start of a BMP file header. There are a lot of HTTP packets, though, so the idea is to write a script that extracts the value of x from every packet and reassembles the file.

Solution script:

Output:
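A way to do that extraction and to check the result, added as an example (not the script from the original post): the captured requests are constructed stand-ins in which a small BMP, built inline, travels hex-encoded in the x parameter of several POST bodies with an unrelated request mixed in. The script pulls the x values out in capture order, hex-decodes them, and validates the reassembled BMP by parsing its file header and the start of the DIB header.

```python
import struct
from urllib.parse import parse_qs


def build_sample_bmp():
    """Constructed 2x1 24-bit BMP: 14-byte file header, 40-byte BITMAPINFOHEADER,
    one 8-byte pixel row (6 bytes of BGR pixels padded to a 4-byte boundary)."""
    width, height = 2, 1
    row = b"\xff\x00\x00" + b"\x00\xff\x00" + b"\x00\x00"
    pixels = row * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    file_size = 14 + len(dib) + len(pixels)
    header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 14 + len(dib))
    return header + dib + pixels


def make_post(body):
    """Constructed HTTP request carrying a form-encoded body."""
    head = (b"POST /register HTTP/1.1\r\nHost: example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body))
    return head + body


def split_into_packets(data, chunk=9):
    """Hex-encode the file and spread it over several requests, with a decoy
    request that has no x parameter inserted as the second packet."""
    packets = []
    for i in range(0, len(data), chunk):
        body = b"name=bob&x=" + data[i:i + chunk].hex().encode() + b"&submit=1"
        packets.append(make_post(body))
    packets.insert(1, b"GET /favicon.ico HTTP/1.1\r\nHost: example.invalid\r\n\r\n")
    return packets


def extract_param(packet, name="x"):
    """Return the named form parameter from one HTTP request, or None."""
    head, sep, body = packet.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST"):
        return None
    values = parse_qs(body.decode("ascii", errors="replace"))
    return values.get(name, [None])[0]


def reassemble(packets, name="x"):
    """Concatenate the hex values of the parameter in capture order."""
    hex_parts = [v for v in (extract_param(p, name) for p in packets) if v is not None]
    return bytes.fromhex("".join(hex_parts))


def parse_bmp_header(data):
    """Parse the file header and the first BITMAPINFOHEADER fields and check
    the declared size against the number of bytes actually recovered."""
    magic, file_size, _, _, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    dib_size, width, height, _, bpp = struct.unpack_from("<IiiHH", data, 14)
    if magic != b"BM":
        raise ValueError("not a BMP: magic %r" % magic)
    if file_size != len(data):
        raise ValueError("header says %d bytes, recovered %d" % (file_size, len(data)))
    return {"file_size": file_size, "pixel_offset": pixel_offset,
            "dib_size": dib_size, "width": width, "height": height, "bpp": bpp}


if __name__ == "__main__":
    packets = split_into_packets(build_sample_bmp())
    image = reassemble(packets)
    print(parse_bmp_header(image))
    with open("recovered.bmp", "wb") as f:
        f.write(image)
```

The size check in `parse_bmp_header` is the useful part when working on a real capture: a missing or duplicated packet shows up as a mismatch between the header's file size and the recovered byte count before you open the image.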


[CSAW2017] – CVV

Solution

There are 7 cases:

1. Generate a MasterCard number
2. Generate a Visa number
3. Generate a Discover number
4. Generate an American Express number
5. Generate a card number starting with xxx
6. Generate a card number ending with xxx
7. Check whether a given credit card number is valid

Solution script:
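All seven cases come down to the Luhn check digit. The following is an added example (not the script from the original post) with a generator that handles brand prefixes, a required prefix, a required suffix and validation; the issuer prefixes and lengths are the common ones (Visa 4 and 16 digits, MasterCard 51-55 and 16, Discover 6011 or 65 and 16, American Express 34 or 37 and 15). How the challenge service worded its prompts is not shown on this page, so the prompt parsing is left out.

```python
import random

# Common issuer prefixes and number lengths used by the four brand cases.
BRANDS = {
    "MasterCard": (["51", "52", "53", "54", "55"], 16),
    "Visa": (["4"], 16),
    "Discover": (["6011", "65"], 16),
    "American Express": (["34", "37"], 15),
}


def luhn_checksum(number):
    """Luhn sum mod 10 over a digit string; 0 means the number is valid."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number):
    return number.isdigit() and len(number) > 1 and luhn_checksum(number) == 0


def generate(prefix="", suffix="", length=16, rng=random):
    """Return a Luhn-valid number of the given length that starts with prefix
    and ends with suffix. The digit just before the suffix is left free and
    solved for: whether its Luhn weight is 1 or 2, the ten digits cover every
    residue mod 10, so a solution always exists."""
    free = length - len(prefix) - len(suffix) - 1
    if free < 0:
        raise ValueError("prefix and suffix leave no room for a free digit")
    middle = "".join(str(rng.randrange(10)) for _ in range(free))
    for d in range(10):
        candidate = prefix + middle + str(d) + suffix
        if luhn_checksum(candidate) == 0:
            return candidate
    raise AssertionError("unreachable: some digit always satisfies Luhn")


def generate_brand(brand, rng=random):
    prefixes, length = BRANDS[brand]
    return generate(prefix=rng.choice(prefixes), length=length, rng=rng)


if __name__ == "__main__":
    rng = random.Random(2017)
    for brand in BRANDS:
        print(brand, generate_brand(brand, rng))
    print("starts with 123:", generate(prefix="123", rng=rng))
    print("ends with 987  :", generate(suffix="987", rng=rng))
    print("4111111111111111 valid:", luhn_valid("4111111111111111"))
```

The "ends with xxx" case is the one that needs thought: the check digit is normally the last digit, but when the last digits are fixed by the challenge the free digit has to move left, and the Luhn weight at that position decides how the candidate digit is scored. Solving for it by trying all ten values keeps the code independent of where the free digit lands.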


[CSAW2017] – tablEZ

Solution

The first step is to decompile the given binary. The relevant pieces of the decompilation are main, main (assembly), get_tbl_entry and the table byte_201281.

From the analysis we know:

1. The program performs a table lookup on each byte of the input.
2. The table is laid out as 00 xx 01 xx 02 xx 03 xx ..., i.e. each input byte is followed by its replacement.
3. The main encryption function is get_tbl_entry.

With this information we can write a script to recover the flag.

Output: flag{t4ble_l00kups_ar3_b3tter_f0r_m3}


[CSAW2017] Orange v1

Question

I wrote a little proxy program in NodeJS for my poems folder. Everyone wants to read flag.txt but I like it too much to share.

http://web.chal.csaw.io:7311/?path=orange.txt

Solution

The challenge name points at Orange Tsai's DEF CON 25 talk on URL parsing, in particular how Node.js handles Unicode in a request URI: Node.js keeps only the low byte of each character, so the high byte (\xff) is thrown away. What if we send %EF%BC%AE%EF%BC%AE/ ? %EF%BC%AE is the UTF-8 encoding of "Fullwidth Latin Capital Letter N", U+FF2E. When Node.js drops the \xff, the remaining \x2e is a ".", so two of them become "..", a directory traversal written in characters that do not look like ".." before Node.js processes them.

After some tries, %EF%BC%AE%EF%BC%AE/ did not work for this challenge, but replacing one of the two %EF%BC%AE with a literal "." did.

Final payload: http://web.chal.csaw.io:7311/?path=.%EF%BC%AE/flag.txt

References

https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Orange-Tsai-A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages.pdf
http://bobao.360.cn/learning/detail/4183.html
http://www.fileformat.info/info/unicode/char/ff2e/index.htm
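The transformation, modelled in Python as an added example (not the challenge's proxy code and not Node.js itself): `node_low_byte()` is an assumption that reproduces the behaviour described above by keeping only the low byte of each code point, and /poems is a constructed stand-in for the poems folder. The function traces one ?path= value through percent-decoding, the low-byte truncation and the join onto the base directory, so you can see at which stage "..", and the escape from the base directory, appears.

```python
import posixpath
from urllib.parse import unquote

POEMS_DIR = "/poems"   # constructed stand-in for the proxy's poems folder


def node_low_byte(text):
    """Model of the Node.js behaviour described in the writeup: every code
    point is reduced to its low byte, so U+FF2E becomes 0x2E, a '.'.
    (Assumption for this demo; it is not Node.js itself.)"""
    return "".join(chr(ord(ch) & 0xFF) for ch in text)


def resolve(path_param, base=POEMS_DIR):
    """Follow one ?path= value through the stages: percent-decoding, the low
    byte truncation, and joining onto the base directory. Returns a dict so
    each stage can be inspected."""
    decoded = unquote(path_param)
    sent = node_low_byte(decoded)
    final = posixpath.normpath(posixpath.join(base, sent))
    return {
        "decoded": decoded,
        # what a check for ".." on the decoded value would see
        "looks_like_traversal": ".." in decoded,
        "sent": sent,
        "final": final,
        "escapes_base": not (final == base or final.startswith(base + "/")),
    }


if __name__ == "__main__":
    for p in ("orange.txt", "../flag.txt", ".%EF%BC%AE/flag.txt"):
        print(p, "->", resolve(p))
```

For the final payload the decoded value is ".Ｎ/flag.txt", which contains no ".." at all, while the path that is actually sent is "../flag.txt" and resolves to /flag.txt outside the poems folder. The lesson for the defending side is to validate the path in the form it will have when it is used, after every decoding and normalisation step, not before.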


[VXCTF2017] RPG World

Although I didn't solve this challenge, I'm still sharing my work here.


[VXCTF2017] BLueBLood

Solution

First, extract archive.rpa.

BLueBLood-98

In options.rpy: define gui.about = "vxctf{{1stBL00d_w1th_hi-hi_5p33d}"

Before the remaining challenges, decompile all the .rpyc files first to get the .rpy sources.

BLueBLood-55, 56, 33, 0f, f9, a2, 4c

Simply open script.rpy and you will see something like this:

Find the value of each variable and substitute it into the formula, for example:

BLueBLood-1c


[VXCTF2017] Real Random

Question

Solution

The program uses the current system time as the seed for its random number generator. Since the seed is just a timestamp, we can brute-force it over the plausible time window.
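What that brute force looks like, as an added example that is not the original post's code: the challenge program is not reproduced on this page, so a constructed Python stand-in seeds random.Random with a Unix timestamp and hands out one 32-bit token (the real program's language and generator are assumptions here). The attacker, knowing the token and roughly when it was issued, searches the timestamps around that moment, and once the seed is found reproduces the generator's following outputs.

```python
import random
import time


def make_token(seed):
    """Constructed stand-in for the challenge service: seed a PRNG with the
    current time (int(time.time()) in the real thing) and emit one 32-bit value."""
    return random.Random(seed).getrandbits(32)


def next_outputs(seed, count, skip=1):
    """Reproduce what the same generator hands out after the first `skip`
    values; with the seed known, every later "random" value is predictable."""
    rng = random.Random(seed)
    for _ in range(skip):
        rng.getrandbits(32)
    return [rng.getrandbits(32) for _ in range(count)]


def recover_seed(observed_token, approx_time, window=3600):
    """Try every timestamp within +/- window seconds of the estimated issue
    time; the seed is the one that reproduces the observed token."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if make_token(seed) == observed_token:
            return seed
    return None


if __name__ == "__main__":
    issued_at = int(time.time())          # the service's seed
    token = make_token(issued_at)
    guess = issued_at + 250               # attacker's rough clock reading
    seed = recover_seed(token, guess)
    print("seed:", seed, "matches:", seed == issued_at)
    print("next values:", next_outputs(seed, 3))
```

A one-hour window on either side is only 7201 candidate seeds, so even a clock that is off by many minutes costs nothing; the search only fails when the estimate is further away than the window, which is what the `None` return signals.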
