This CTF was not really fun. It felt like _a lot_ of guesswork (at least the web challenges that I attempted).

At first I tried chicken together with @theguy, but the obvious vulnerability did not help us to find anything. Instead we wasted a few hours trying to find a hint in the filesystem. In total I spent about 2 hours.
On the second day I tried to help with bathhouse. @lavish and @smashing had already done most of the interesting stuff (SQLi and PDF writer exploitation). It seemed like the challenge was almost done and one just needed to find the next hint in the filesystem (again...). However, I spent around 5 hours finding nothing of interest until @lavish used `dirbuster` to find the next hint... After we had the correct paths it took about 30 minutes to find the next and final hint.
Given is a Django-based webpage of a bathhouse. One can book a bathhouse by filling out a form. The form consists of a radio button selector, an hours number field, a phone number field and a username text field.
The username field allows SQL to be injected. @lavish created a script to run a blind SQLi and found a table called `backup` which contains the columns `username` and `password`. The only row contained `main_admin_user` and `njafnGAJNSGAkn123`. These credentials can be used to log in at `http://web-bathhouse.ctfz.one/set_price/`. This page can be found in the `robots.txt` which contains
When logged in one sees the last request submitted through the booking form including all the given information. Additionally, a number input is given where the admin can set the price for the request. On submission of the price a PDF booking confirmation is generated using `wkhtmltopdf 0.12.1`. Instead of a price one can inject HTML which will be rendered in the PDF. Therefore, it is possible to include JavaScript to read local files.
```html
<script>
var x = new XMLHttpRequest(); x.onload = function () { document.write(this.responseText); };
x.open("GET", "file:///etc/passwd"); x.send();
</script>
```
However, reading directories is not possible. How can one find an interesting file to read? Well, after spending hours searching for the next hint, @lavish found the `http://web-bathhouse.ctfz.one/status/` page by using `dirbuster`. The page has the following contents which hint at interesting directories:
```
Web app folder: /opt/project/
Submodules: task, calculate

Everything works correctly (200)
```
The project is implemented in a typical Django fashion. The next hint is included in `/opt/project/calculate/views.py`. Apart from the other views, the file includes the following comments:
```python
# def sync(request):
#     # Get sync data by http request.
#     syncData('http://syncdata/sync.html')
```
Curiously enough, using the above script does not work for fetching `http://syncdata/sync.html`. However, an iframe works:
```html
<div><p>Report Heading</p><iframe src="http://syncdata/sync.html" height="500" width="500"></iframe></div>
```
which yields the flag.
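As an added example (my own code, not the challenge's; the real `set_price` view was never visible), here is how that step could have been hardened in Python: reject anything that is not a plain decimal price, escape every user-controlled value in the HTML, and run `wkhtmltopdf` with script execution and local file access switched off. The function names are my own assumptions.

```python
import html
import subprocess
from decimal import Decimal, InvalidOperation


def parse_price(raw: str) -> Decimal:
    """Accept only a finite, non-negative amount with at most two decimals.
    Markup such as <script> or <iframe> never survives this step, so it
    cannot reach the HTML template or the PDF renderer at all."""
    try:
        price = Decimal(raw.strip())
    except InvalidOperation:
        raise ValueError("price must be a decimal number") from None
    if not price.is_finite() or price < 0:
        raise ValueError("price must be a finite, non-negative number")
    if price.as_tuple().exponent < -2:
        raise ValueError("price may have at most two decimal places")
    return price


def price_is_valid(raw: str) -> bool:
    try:
        parse_price(raw)
        return True
    except ValueError:
        return False


def build_confirmation_html(username: str, hours: int, price: Decimal) -> str:
    """Every user-controlled string is escaped, so it renders as text, not tags."""
    return (
        "<html><body><h1>Booking confirmation</h1>"
        f"<p>Customer: {html.escape(username)}</p>"
        f"<p>Hours: {int(hours)}</p>"
        f"<p>Price: {price:.2f}</p>"
        "</body></html>"
    )


def wkhtmltopdf_argv(out_pdf: str) -> list:
    """Read the HTML from stdin ("-") and switch off the two renderer features
    abused above: JavaScript execution and file:// reads from the rendered page."""
    return ["wkhtmltopdf", "--disable-javascript", "--disable-local-file-access",
            "--quiet", "-", out_pdf]


def render_confirmation(username: str, hours: int, raw_price: str, out_pdf: str) -> None:
    doc = build_confirmation_html(username, hours, parse_price(raw_price))
    subprocess.run(wkhtmltopdf_argv(out_pdf), input=doc.encode(), check=True)
```

Note that the renderer flags alone do not stop the iframe trick above (an iframe pointing at an internal host needs no JavaScript), so the strict price validation is the primary control and the flags are defence in depth.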
Given is a webpage of a chicken farm. One page shows their hens and for every hen there is a link to its passport, e.g. `web-chicken.ctfz.one/File/Download?filename=My50eHQ=`.

Furthermore, there is a contact page which contains an e-mail address `admin@chicken.ctf.zone`. However, sending a mail to it does not work according to @theguy.

Additionally, there is a login form.
The URL contains the filename in base64 encoding at the end. An arbitrary path can be read by encoding the path in base64. The website sets the cookie `.AspNetCore.Antiforgery.9TtSrW0hzOs` which confirms that the webpage is created using ASP.NET Core. The directory structure is approximately this:

```
_CookieConsentPartial.cshtml
```
For example, `../../etc/passwd` allows one to read `passwd` (which contains nothing interesting).

Interestingly enough, one cannot read `*.cs` source code files. It seems that certain files or file types are filtered and not readable. Therefore, we cannot read the important part of the website's source code.

After trying to find interesting files for hours we gave up.