@CSRessel
CSRessel / gist:5b7867b9702d967df984
Last active August 29, 2015 14:10
Steve's List

Summary

Hash length extension lets us forge whatever cookie we choose, without knowing the secret, and still pass the site's signature check. Because the cookie is passed through unserialize(), we can inject arbitrary PHP objects into the server. By injecting a Post object, we know its destroy method will be called. This method has been redefined to output the Post's fields in HTML comments after passing them through the Filter class. Filter works by running the given text through preg_replace calls with stored parameters for the match pattern and the substitution. Since we injected the object, we have complete control over these stored parameters, and can thus call preg_replace with the 'e' modifier, which gives us arbitrary command execution. By catting the file at /home/daedalus/flag.txt and substituting all of the Post's text with the file's contents, we print the file inside an HTML comment and so obtain the flag.
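The two weaknesses the summary relies on, a length-extendable signature and a cookie fed straight to unserialize(), are both closed by the cookie scheme below. This is an added PHP example, not the challenge's code; the cookie format, the function names and the secret are assumptions.

```php
<?php
// Added example, not code from the challenge. Cookie format, names and the
// secret are assumptions; the secret would normally live in server config.

// Sign with HMAC instead of hash($secret . $data): an HMAC tag cannot be
// extended by appending data, so forged fields fail verification.
function make_cookie(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data));
    $tag = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $tag;
}

// Verify the tag first, then decode. Returns the data array, or null on failure.
function read_cookie(string $cookie, string $secret): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    // hash_equals compares in constant time, so the tag leaks no timing info.
    if (!hash_equals($expected, $tag)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    // json_decode builds only arrays and scalars: no object is instantiated,
    // so there is no destructor path for an injected Post or Filter to reach,
    // unlike unserialize() on attacker-controlled input.
    $data = json_decode($raw, true);
    return is_array($data) ? $data : null;
}

// Demo with constructed values.
$secret = 'example-secret-replace-with-random-bytes';
$cookie = make_cookie(['user' => 'alice', 'role' => 'user'], $secret);

$ok = read_cookie($cookie, $secret);                  // valid: returns the array
$appended = read_cookie($cookie . 'extra', $secret);  // tag mismatch: returns null

if ($ok === null || $ok['user'] !== 'alice' || $appended !== null) {
    exit("cookie check misbehaved\n");
}
echo "verified: {$ok['user']} ({$ok['role']}); appended cookie rejected\n";
```

If a legacy cookie really must go through unserialize(), pass ['allowed_classes' => false] (PHP 7.0+) so no object can be instantiated; the HMAC check still has to run first.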

The Hash Extension

Examination

secure_page_service

Summary

This problem is a simple XSS challenge. Using persistent XSS in a newly created page, we can steal the admin’s cookies should they choose to visit the page. The “Report to Moderator” button says, “Report this page, and a moderator will personally review it in the next few minutes!” so it is a safe assumption that we can have an admin view our injected code.

Recon

The first thing we need is an account on the challenge's site. The home page allows anyone to register. Once an account is made, two actions are available: create a page and view a page. Attempting to view the page named in the problem shows that it is password-protected. A couple of quick queries show it is not vulnerable to SQL injection, so another route is necessary.

Injection 2

Summary

By UNIONing hard-coded values onto the prewritten SELECT statement, we can control exactly what data the query returns, and thus meet the program's requirements.

SELECT * FROM users WHERE username='asdf' UNION SELECT 1337 AS a, 1337 AS b, 1337 AS c, 1337 AS d, 1337 AS e LIMIT 1 -- '

(with “1337” entered as the password)

Keybase proof

I hereby claim:

  • I am CSRessel on github.
  • I am CSRessel (https://keybase.io/csressel) on keybase.
  • I have a public key whose fingerprint is 5149 B12C 20E6 0008 F156 D949 75E4 519B E2D9 7E7C

To claim this, I am signing this object: