phdays2018_quals_writeup.md

event0

We got a file containing an event sequence recorded from a /dev/input/event* device. It is easy to replay the events from that file with the following command (run as root, after switching focus to another window during the three-second delay):

# sleep 3; cat event0 > /dev/input/by-path/platform-i8042-serio-0-event-kbd

After that, switch to another terminal window or text editor and the following keystrokes are replayed (shown here as they appear once typed into a shell and then into vim):

vim key.txt
32ix^[o^[5if ^[Icde^[A653^[BBi3333^[BBicdef87236363^[llr2elr20elxlxlxhi3^[A64^[kdd:wq
0ctf_2018_quals_writeups.md

h4x0rs.club 2

The application was built from two parts: a frontend page (https://h4x0rs.club/game/) and a backend page (https://backend.h4x0rs.club/backend_www/), communicating via postMessage. There were several issues:

  1. Stored XSS on user profile page.

It's also possible to make the victim's browser trigger a click on the injected element, because the page clicks the report button itself whenever the URL fragment is "report":

if(location.hash.slice(1) == 'report'){
    document.getElementById('report-btn').click();
}
hitcon2017_sql_so_hard.md

There were two security issues in the application:

  1. The WAF stored blocked users' IP addresses in a MySQL database, while the application itself used a PostgreSQL database.

The problem is the max_allowed_packet option in my.cnf: MySQL discards any packet larger than this value, so the WAF's write of the blocked IP silently fails. It is therefore possible to bypass the WAF by sending a large payload in the first argument sent to the server.

  2. Vulnerable PostgreSQL client library.

The vulnerability is described here: https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability.

zn2017d3.md

  1. XSS in the feedback form. Got access to a moderator account. Nothing useful there, except the list of approved accounts.
  2. Trying to register our own team, we got the password by email. The password is 4 digits, so it can be easily bruteforced.
  3. The login form is protected with a simple captcha. Wrote a simple script using pytesseract (https://github.com/madmaze/pytesseract) to recognize the captcha and bruteforce the login form. After 10 minutes, got the password for one of the approved team accounts.
import sys
import io
import re
import requests
import pytesseract