Posts List

NuitDuHack 2014 Web Write Ups

Web 100: Abitol This is a simple web app where you can register and login to see an articles page, a photo gallery, a flag page and an admin contact page. Visiting the flag page give us a Nice try, did you really think it would be that easy? ;) but the photo gallery is vulnerable to XSS: Now, we dont know how the admin contact will be visualized in the viewer page, but we can try to send him a message with an iframe pointing to the vulnerable page so we can send his session ID to our cookie catcher or use XHR to request the flag.

Olympic CTF CURLing500 Write Up

We didnt have time to finish this task during the game since we decided to finish Freestyle 400 (scored in the last minute) but as I foound out later, we were close to finish it. In this level we were presented with a login form vulnerable to user enumeration. It was easy to see that admin was a valid user but we could not guess the password. After trying with other “normal” accounts like guest, dev and so on, we found that debug was a valid account and the password was debug.

Olympic CTF CURLing tasks

I had the honour to participate with int3pids in the #Olympic CTF and these are the write ups of the Web tasks we solved. CURLing 200: Xnginx In this level we were presented with a simple web site where we could check some news First thing to notice is that the news URL is vulnerable to path transversal: Since the name of the task was xnginx I looked for the nginx configuration file:

#hackyou2014 Web200 write-up

In this level we are presented with a typical Snake game. I spent a couple of hours deofuscating the javascript code until I was capable of submitting any score. Nice but useless. I also found out that I could fake the IP associated to the score using the X-Forwarded-For header. That was pretty much it until the CTF was about to finish when I was given the hint: “../”. I could use it to locate a LFI vulnerability that was affecting the index.

#hackyou2014 Web300 write-up

In this [level]() we were presented with an online shop: The task name was “AngryBird” and this was very relevant to solve the challange! It actually comes down to two parts: Finding a hidden admin area Exploiting a blind SQLi to get credentials Finding the hidden admin area We were given the following description: Some web-developers still host their sites on Windows platform, and think that it is secure enough