- task.pcap
- the flag is in flag{...} format.
- As said in the description, this is NOT a write-up; there are many online that get straight to the point (what is required to solve the challenge), which unfortunately this gist is not 📚
- I didn't solve the challenge mainly because I got ahead of myself and missed a crucial detail in one of the many approaches I took; in a sense I dived too deep down a rabbit hole, which closed me off from the real answer while I was digging deeper for one that simply wasn't there.
- natas15 is a Blind SQL Injection challenge, which I did not have knowledge of before (but I do now); in fact the only SQLi I knew of before this was the simple auth bypass method (basically ' OR 1=1; --), so I'm actually glad I did this challenge until the very end, because I ended up learning a lot!
- It's basically an SQL injection, but under circumstances where the query results aren't returned directly to you
- More often than not you will only get responses along the
This problem is so easy, it can be solved in a matter of seconds. Connect to c1.easyctf.com:12482.
So the moment I read the title and description I knew it was something like a Time-Based Blind SQL Injection.
I began experimenting with different values to see if I could find a pattern ...
- It seems that when the character is wrong, the time taken for the reply is short
Target: https://smartcontracts.dev1-x.ns.agency/contract.php
A user is able to access local files present on the server without any access controls, enabling them to view sensitive information such as the /etc/passwd file
- Enter file:///etc/passwd into the search bar - the /etc/passwd file will then be returned; a comment at the bottom can be found stating that the flag is at /flag
Target: https://ssrfsquared.ns.agency/
- Intercept the requests made between the front and back end of the site during the initial load
- Notice that there is a request for https://ssrfsquared.ns.agency/static?r=http%3A%2F%2F127.0.0.1%3A9447%2Fstyles.css, which can also be confirmed by viewing the source of the page
- This becomes an entry point for an attacker to probe the internal network
- Some files return the same content when accessed externally or internally, such as index.html or styles.css
- When viewing https://ssrfsquared.ns.agency/static?r=http://127.0.0.1:9447/styles.css there is a hint that something else is on the server
Intro
(no 6843 lecture)
Break 1: *.nsnagency
(Solution)
```python
#!/usr/bin/python
from os import getpid
from re import search
from time import sleep
from random import randint
from selenium import webdriver
from pyvirtualdisplay import Display
from selenium.webdriver.common.by import By
from selenium.webdriver.common.keys import Keys
```
```php
#!/usr/bin/php
<?php /* install php and php-curl */
// Expect exactly one argument: the path of the image to process
if($argc != 2) {
    fwrite(STDERR, "Usage: ".$argv[0]." <path to image>\n");
    die();
}
$image = $argv[1];
// Bail out if the given path does not exist on disk
if(! file_exists($image)) { fwrite(STDERR, "Not an image!\n"); die(); }
```
I played in picoCTF again this year, and I think I performed a lot better than I did last year, especially in web. I wanted to share this writeup because I think I did a good job being the 75th person (out of like 5000 other players) to solve the final part of this series of web challenges.
- Flaskcards (350 pts)
- Flaskcards Skeleton Key (600 pts)
- Flaskcards and Freedom [Highest point web challenge] (900 pts)