This was a challenge to demonstrate how the content-type header can be used to fool the browser into treating the HTTP response body in unexpected ways.
As the harder solution works for both, here's the source:

```bash
#!/bin/bash
# Written by Frans Rosén (twitter.com/fransrosen)
_debug="$2" # turn on debug
_timeout="20"
# You need a valid key, since the errors happen after it validates that the key exists. We do not need the secret key, only the access key.
_aws_key="AKIA..."
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3"
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
```
During the C-Days18 conference, André (@0xACB) and Zé (@JLLiS), both CTF junkies, teased me into participating in H1CTF18. At first, I wasn't entirely convinced, since it had already been running for a few days. Nevertheless, I decided to have a crack at it.
The web challenge starts with a simple visit to an endpoint on http://159.203.178.9/ that is running a webpage with the following title "Notes RPC Capture The Flag" and in the body " ...somewhere on this server, a service can be found that allows a user to securely stores notes. In one of the notes, a flag is hidden."
Without a shadow of a doubt, I must find a way to interact with that note service.
As always, recon is the first thing to do. I started with the browser. After opening the page, I turned to the Network tab in the Developer Tools and went through the response headers, where I got "Apache/2.4.18 (Ubuntu)".
My first attempt was looking for "/server-status/" since the ([status
```python
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
# The 300 challenge was a heap challenge that allowed you to make allocations of size 0x300.
# You could free allocations and read/write to them even after they got freed.
# The tricky part about the challenge was that you don't control the size and can't, for example, use the usual fastbin techniques.
# This exploit overwrites the check_action variable so that the libc doesn't abort on errors anymore.
# Afterwards we can get a write-what-where primitive using unsafe unlink.
```