Bubba bubba-h57

View GitHub Profile
@bubba-h57
bubba-h57 / gist:3528157
Created August 30, 2012 13:08
Stripe CTF Level 6 - Solution XSS/XSRF
Ok, so in this level we're dealing with a unique social network. We have to find a way to view the other user’s user_info page to see their password. If you started posting some of your own posts you would find that it is susceptible to Cross-Site Scripting. So we need to find a way to get the user to view their user_info page, and then post the results so that we can view them.
We cannot use the single-quote and double-quote characters (' and "), but everything else is pretty much legal, so we can make use of JavaScript's String.fromCharCode() and, once again, jQuery! We'll have to break out of their script tags, then inject our code, but we also need to make sure the code doesn't launch until the entire page has loaded. They have a CSRF token, but it's poorly implemented, seeing that we can use the current JavaScript code that's already on the page. Another issue that you will run into is that the results from the user_info page have characters that are not allowed, so we will escape() the
bubba-h57 / gist:3528206
Created August 30, 2012 13:10
Stripe CTF Level 7 - Solution SHA1 Length-Extension Vulnerability
This level was a slight twist: you'll actually be attacking their crypto. Looking at the code, you'll see that they're using SHA1 hashes that are composed of the raw request that you made plus your secret. We also need to make the request as a premium user. If you attempt to order a waffle, you'll receive a confirmation number; in this case, if you order the premium waffle, the confirmation number will be your password to Level 8.
Here is the block of code that verifies the signature. This is how we know how the signature is built and that it is SHA1:
def verify_signature(user_id, sig, raw_params):
    # get secret token for user_id
    try:
        row = g.db.select_one('users', {'id': user_id})
    except db.NotFound:
        raise BadSignature('no such user_id')
bubba-h57 / attack.py
Created August 30, 2012 13:13
Stripe CTF Level 8 - Solution Side Channel Attack
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Bubba's Stripe CTF v2 Level 8 Chunk Cracker
# (c) 2012 Signature Tech Studio
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
#
bubba-h57 / gist:3528313
Created August 30, 2012 13:15
Stripe CTF Level 1 - Solution Misuse of PHP Function on Untrusted Data
Look through the code and see what's happening:
creates $filename storing 'secret-combination.txt'
extract $_GET (all GET parameters supplied by the user)
if $attempt is set:
    declare $combination with the trim()'d contents of $filename
    if $attempt and $combination are equal
        print contents of 'level02-password.txt'
    else
        print incorrect
bubba-h57 / fetch.php
Created August 30, 2012 13:16
Stripe CTF Level 2 - Solution File Upload Vulnerability
<html>
<head>
<title>Bubba Hacks Level 2 Server</title>
</head>
<body>
<h1>Your Level 3 Password</h1>
<?php echo file_get_contents('../password.txt'); ?>
</body>
</html>
bubba-h57 / gist:3528356
Created August 30, 2012 13:18
Stripe CTF Level 3 - Solution SQL Injection
Ok, so let’s look at some important parts. We know it's sqlite3 again and how it is set up:
# CREATE TABLE users (
# id VARCHAR(255) PRIMARY KEY AUTOINCREMENT,
# username VARCHAR(255),
# password_hash VARCHAR(255),
# salt VARCHAR(255)
# );
bubba-h57 / Serializor.php
Created September 13, 2012 14:49
Doctrine 2 Entities Serialized to JSON
<?php
namespace H57\Util;
class Serializor {
/**
* Converts the Doctrine Entity into a JSON Representation
*
* @param object $object The Object (Typically a Doctrine Entity) to convert to an array
bubba-h57 / RecursiveMoveExample.php
Last active March 7, 2019 05:38
Recursively move a directory with Native PHP Function calls and allow exclusions.
<?php
$exclusions = array('/\.gitignore/',
'/.*\.svn.*/',
'/.*\.bak.*/',
'/backups/',
'/readme.txt/',
'/generic/',
'/orig.css/'
);
bubba-h57 / fiddle.css
Last active October 18, 2016 17:08
JFiddle Functional Reactive Program Engineering Challenge
body {
    padding:0;
    font:15px/1.4 Arial, sans-serif;
    background:#e5e5e5;
}
p {
    margin:1.4em 0 0;
}
ol {
    margin-left: 1em;