From 4968332255f1655467a157f6e245e09c60d94036 Mon Sep 17 00:00:00 2001 From: homic Date: Sat, 18 Jan 2020 17:35:20 +0100 Subject: [PATCH] added writeups --- writeups/smashing/asis19.md | 20 ++++++++ writeups/smashing/ctfzone19.md | 25 ++++++++++ writeups/smashing/seccon19.md | 86 ++++++++++++++++++++++++++++++++++ 3 files changed, 131 insertions(+) create mode 100644 writeups/smashing/asis19.md create mode 100644 writeups/smashing/ctfzone19.md create mode 100644 writeups/smashing/seccon19.md diff --git a/writeups/smashing/asis19.md b/writeups/smashing/asis19.md new file mode 100644 index 0000000..affb680 --- /dev/null +++ b/writeups/smashing/asis19.md 
@@ -0,0 +1,20 @@ +# Retrospective +Sadly i was not able to spend that much time on this CTF and therefore i was only able to work on one challenge actively. This challenge was somewhat okay-ish due to the fact that some guessing was needed to get the structure of the filesystem without the second version. Due to his the challenge took way longer that it should have been. + +Time spent: ~10 hours +# protected area (solved) +## Overview +The website shows a welcome text and another line of text which looks like a todo list. + +## Approach +First we checked the source of the website which revealed some methods to interact with an api to read files from a server. The two most important functions for us in this case are `file_check(file)` which checks if a file exists and `file_read(file)` which eventually reads a file and returns its contents. + +Since `file_check` internally checks if the returned value equals `True` we assumed that the backend was written in Python which turned out to be true later. + +Trying some stuff we found out that it is possible to traverse the path. The backend seems to replace `../` only once so we can bypass this by nesting another `../` resulting in `....//`. Also the backends response was `security` if the file did not end with `.txt` which later turned out to be wrong since its only checking if the whole query ends with `.txt`. + +Unfortunately we were still missing the structure of the filesystem therefore we did not know where we should look for our flag. After some time a second version of the challenge was revealed which provided the used docker template and we were able to extract the source code of the backend. + +Knowing the basic structure of flask apps we were able to find an endpoint called `/protected_area_0098` which hold the flag. This page was protected with a password which we were able to extract from the config. 
+ +Eventually we were able to access the endpoint which revealed the flag: `ASIS{f70a0203d638a0c90a490ad46a94e394}` \ No newline at end of file diff --git a/writeups/smashing/ctfzone19.md b/writeups/smashing/ctfzone19.md new file mode 100644 index 0000000..339e6a3 --- /dev/null +++ b/writeups/smashing/ctfzone19.md 
@@ -0,0 +1,25 @@ +# Retrospective +The goal of this CTF was to be as realistic as possible. I think they met their goal somehow but the web challenges were really not enjoyable due to a lot of guesswork. Especially the `bathhouse` which was a multi-stage challenge lead from one guessing part to another. + +Time spent: ~15 hours +# bathhouse (solved) +## Overview +A user can book an appointment for a bathhouse and needs to provide some data like the phone number and the amount of time to be there. + +## Approach +The form was vulnerable to SQLi which allowed us to dump the database. The dumped database contained an `username` and `password` which is needed to login under `/set_price` found in the `robots.txt`. There we were able to change the price of a receipt which was generated with `wkhtmltopdf 0.12.1`. This version of `wkhtmltopdf` was vulnerable to file inclusion and therefore we were able to include data from the system. After messing around with different inclusion techniques we found that `wkhtmltopdf` executes JS which allowed us to read files from the system and include its content into the generated pdf. +``` + +``` +From this one an unnecessary search for the flag begun since the flag was not in an usual location like e.g. `/flag` and the structure of the project was unknown. After digging around on the server and looking for anything which could give a hint @lavish tried to find additional routes with `DirBuster` and eventually found another endpoint `/status/` containing the path to the app and used modules. + +Afterwards we were able to extract the source code of the app which and one of the views yielded another hint to `http://syncdata/sync.html`. Unfortunately this path was not fetchable with our previous approach and again some time passed looking for other possible hints. +Eventually `syncdata` actually contained the flag but was only accessible via an iframe which did not work for the other files on the filesystem. +Finally `
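Review bot: in the asis19.md hunk, the traversal paragraph says the `.txt` restriction "turned out to be wrong since its only checking if the whole query ends with `.txt`", but the writeup never shows how that was used to read a file that does not end in `.txt`; add the request that actually worked (the parameter value with the nested `....//` traversal and whatever made the query end in `.txt`), since that is the step a reader will want to reproduce. The `....//` bypass is also explained as the backend replacing `../` "only once"; "in a single, non-recursive pass" is the precise statement, and it is worth saying explicitly that stripping the inner `../` from `....//` leaves `../`. Minor wording: "Due to his the challenge took way longer that it should have been" should read "Due to this the challenge took way longer than it should have", and "which hold the flag" should be "which held the flag".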
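Review bot: in the ctfzone19.md hunk the fenced code block right after the `wkhtmltopdf` sentence is empty, and the file ends mid-sentence at "Finally `" with an unclosed backtick, so the JS payload that read files into the generated PDF and the final step that fetched `http://syncdata/sync.html` through an iframe (and the flag itself) are missing; either paste the payload into the fence and finish the sentence, or drop the empty fence before merging. The SQLi paragraph also names neither the injectable form field nor the technique used to dump the database, even though the `/set_price` credentials came from that dump; naming the parameter would make the writeup reproducible. Minor wording: "lead from one guessing part to another" should be "led", "an `username`" should be "a `username`", "an unnecessary search for the flag begun" should be "began", and "the source code of the app which and one of the views yielded" has a stray "which".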
