This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Ok, so in this level we're dealing with a unique social network. We have to find a way to view the other user's user_info page to see their password. If you started posting some of your own posts you would find that it is susceptible to Cross-Site Scripting. So we need to find a way to get the user to view their user_info page, and then post the results so that we can view them.
We are limited to not using the single-quote and double-quote characters (' and "), but everything else is pretty much legal, so we can make use of JavaScript's String.fromCharCode() and once again jQuery! We'll have to break out of their script tags, then inject our code, but we also need to make sure the code doesn't launch until the entire page has been loaded. They have a CSRF token, but it's poorly implemented, seeing that we can use the current JavaScript code that's already on the page. Another issue that you will run into is that the results from the user_info page have characters that are not allowed, so we will escape() the
This level was a slight twist: you'll actually be doing an attack on their crypto. Looking at the code you'll see that they're using SHA1 hashes that are composed of the raw request that you made plus your secret. We also need to be making a request as a premium user. If you attempted to order a waffle, you'll receive a confirmation number; in this case, if you order the premium waffle, the confirmation number will be your password to Level 8.
Here is the block of code that verifies the signature. This is how we know how it is built and that it is SHA1:
def verify_signature(user_id, sig, raw_params):
    # get secret token for user_id
    try:
        row = g.db.select_one('users', {'id': user_id})
    except db.NotFound:
        raise BadSignature('no such user_id')
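The flaw the writeup exploits is that the signature is a plain SHA1 over secret plus raw request, which a Merkle-Damgard hash lets anyone extend without knowing the secret. The following is an added example (not the CTF's code) contrasting that construction with an HMAC-based verify_signature that uses a constant-time comparison; the user table and secret are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data (not from the CTF): per-user secrets.
USERS = {"alice": b"s3cr3t-for-alice"}


def sign_flawed(secret: bytes, raw_params: bytes) -> str:
    """The scheme the writeup describes: SHA1(secret || raw request).

    SHA1's internal state after hashing secret || raw_params is the
    digest itself, so a valid sig for a longer message can be derived
    from this one without the secret (length extension)."""
    return hashlib.sha1(secret + raw_params).hexdigest()


def sign_hmac(secret: bytes, raw_params: bytes) -> str:
    """Keyed MAC: HMAC-SHA1 is not subject to length extension."""
    return hmac.new(secret, raw_params, hashlib.sha1).hexdigest()


def verify_signature(user_id: str, sig: str, raw_params: bytes) -> bool:
    """Hardened check: HMAC plus constant-time comparison.

    Returns False (rather than raising) for unknown users so the
    caller cannot distinguish 'no such user' from 'bad signature'."""
    secret = USERS.get(user_id)
    if secret is None:
        return False
    expected = sign_hmac(secret, raw_params)
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    params = b"waffle=liege&count=1"
    good = sign_hmac(USERS["alice"], params)
    print("hmac sig verifies:", verify_signature("alice", good, params))
    print("flawed sig rejected:", verify_signature("alice", sign_flawed(USERS["alice"], params), params))
```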
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Bubba's Stripe CTF v2 Level 8 Chunk Cracker
# (c) 2012 Signature Tech Studio
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
#
Look through the code and see what's happening:
    creates $filename storing 'secret-combination.txt'
    extract $_GET (all GET parameters supplied by the user)
    if $attempt is set:
        declare $combination with the trim()'d contents of $filename
        if $attempt and $combination are equal:
            print contents of 'level02-password.txt'
        else:
            print incorrect
<html>
  <head>
    <title>Bubba Hacks Level 2 Server</title>
  </head>
  <body>
    <h1>Your Level 3 Password</h1>
    <?php echo file_get_contents('../password.txt'); ?>
  </body>
</html>
Ok, so let's look at some important parts. We know it's sqlite3 again and how it is set up:
# CREATE TABLE users (
#     id VARCHAR(255) PRIMARY KEY AUTOINCREMENT,
#     username VARCHAR(255),
#     password_hash VARCHAR(255),
#     salt VARCHAR(255)
# );
<?php
namespace H57\Util;
class Serializor {
    /**
     * Converts the Doctrine Entity into a JSON Representation
     *
     * @param object $object The Object (Typically a Doctrine Entity) to convert to an array
<?php
$exclusions = array('/\.gitignore/',
                    '/.*\.svn.*/',
                    '/.*\.bak.*/',
                    '/backups/',
                    '/readme.txt/',
                    '/generic/',
                    '/orig.css/'
                    );
body {
    padding:0;
    font:15px/1.4 Arial, sans-serif;
    background:#e5e5e5;
}
p {
    margin:1.4em 0 0;
}
ol {
    margin-left: 1em;