WICS and Sans Bootup CTF Web Challenges Writeup

Abdelhameed Ghazy
6 min readNov 15, 2020

--

Hello EveryOne Iam AbdoGhazy From 0xLaugh Team ,
Alhamudllah We Got The Second Place At The WICS SANS Bootup CTF :) 3>
Today I wil explain to you how we solve the web Challeges 3>
i will not explain the all things because now i was traveled to another city and i don’t have my laptop :(

The First Challenge : WE-01
it was a very very easy challenge
when i entered the challege i found this gif :

and as usual i do directory bruteforcing and i found a path called /security/
when i entered it i found a flag as you see :)

The Second Challenge : We-02
at first i found simple login form :

first i tried to enter default login and sqli but unfortunately i didn’t get any thing so i started looking at the source code if i found any interested data
and i found this :

there is two scripts on of them is hex encoded so , at first i tried to decoded it but i failed :(
so i start looking at the second script and at the end of it i found that there is a function checks if the username= root and password = d
( d ) is a variable has some operation from another variables so i understand that if i want to reduce the time i will need a js compiler to get the value of the variable d
so iam opening the browser console :D
and copied the code from the source and alert the value of the d as you see :

then i tooked it and set user name to root and password to this value : aVHtf0Myk5RDpbW
and i got the flag Alhamdullah :)

The Third Challenge : We-03
it was a very very very very very very eeasyyyyyyyyyyy

so i started to do directory brute forcing and i found scurity path also but it didn’t change any thing
so i think to open robots.txt and i found this :

so let’s open this path and see what’s inside xD

as you see it’s a flag :)

so let’s Continue to the forth Challenge :

as you see in the decription we can you username : bill & password : gates

so let’s login :)

once you login you will get the cookie with name login and value {“id”: 82, “data”: {“username”: “bill”, “privilege”: “user”}}
so as you see it’s a json data so the first thing i tried to change the username to admin and privileges to admin also
{“id”: 82, “data”: {“username”: “admin”, “privilege”: “admin”}} but that’s the result and unfortunately there’s no flag :(

so let’s take a look into the source code we will find an interesting code :

simply it’s take the id parameter and send post request to an api in the json data
so let’s open the api and send the request
sorry , i don’t have any photos because iam using my friend laptop and he didn’t have burp suite and i can’t download it sorry :(
so the api takes the id of the user and returns some information about him
so let’s generate numbers from 0 to 100 and maybe we will find information about the admin , actually i thinked it will be with id 0 or 1 but unfortunately it’s not :(
then i send the request to the burp intruder and get some information
and alhamudllah i found the admin data at id 71 and got the flag also xD

The Fifth Challenge : wm02

as you see it’s take an input from us and do some things i don’t know :( and gives us time
so i tried to get sql injection or xss but nothing worked :(
so i started testing rce or command injection :)
when i added semicolon to break the command and add whomai and Alhamdullah it’s worked :)

so i tried to ls -lah and i found hidden file : .flag.txt

so let’s read it by cat .flag.txt and get the flag :)

The Sixth : Wh01
it’s The Same of the fifth challenge but with some filters

as you see it’s filtered the simicolon so we can replace it with &&
so let’s do some commands like whoami

so Alhamdullah We baypassed the First Filter and Could Execute Command :)
after this i tried to do ls -lah but unfortenetly it didn’t work and i recognized that he filter the space so i asked My Team Mate Mahmoud Joo
and He Told Me That I Could Used ${IFS} and insted of the space and Alhamdullah It’s Worked

as you see there is a folder called …
so i enterd it and read the flag by this command :)
1349361711.169942&&cd${IFS}…&&cat${IFS}flag.txt

The Last Challenge Was Solved By My Team Mate Mahmoud Joo : Wx-01
there is an input asked us to enter my name so when i entered abdo it’s reflected into the page

so as every one would think it’s an xss
so i tried simple xss payload : <img src=1 onerror=alert(1) />
and the site printed : reload to see your message
after reloaded the xss alert appeard but there is no flag and i noticed that there’s cookie has base64 encodded value when i decoded it i got pickle data
after get back into the decreption and read it
i think it’s told us there is a variable called flag xD
after searching about pickle exploits i found theses awesome articles and finally i got this exploit
import pickle
import base64

class RCE(object):
def __reduce__(self):
return (globals, () )

class RCEStr(object):
def __reduce__(self):
return (str, (RCE(), ) )

pickle_data = pickle.dumps({‘name’: RCEStr()})
payload = base64.urlsafe_b64encode(pickle_data)
print(payload.decode(‘utf-8’))

so let’s run this python code and get the final exploit :)
gASVPAAAAAAAAAB9lIwEbmFtZZSMCGJ1aWx0aW5zlIwDc3RylJOUjAhidWlsdGluc5SMB2dsb2JhbHOUk5QpUpSFlFKUcy4=

it will retrieve all global variables from the program ;)

so, if we put it in userdata cookie we will got the flag :)

--

--

No responses yet