- GPN CTF 2024 - never-gonna-tell-a-lie-and-type-you - web
Based on the attached Dockerfile, we know that the flag is at /flag.txt, and the app is a simple php login riddle: <?php ini_set("display_errors",1); error_reporting(E_ALL); //we tought about using passwords but you see everyone says they are insecure thus we came up with our own riddle. function securePassword($user_secret){ if ($user_secret...
- GPN CTF 2024 - inspect-element - web
Dockerfile is running chrome with the debugging port open. In order to connect to the debugging port, I had to use the command from hint: socat TCP-LISTEN:1336,fork OPENSSL:positions--ariana-grande-8298.ctf.kitctf.de:443 Then I could go to chrome://inspect/#devices and connect to the remote debugging port using localhost:1336 as the address. In order to properly...
- HTB - Pod Diagnostics - web - hard
In order to get the flag we need RCE to call /readflag and get the output. The PDF generating server has Access-Control-Allow-Origin set to * so we can make a request from any server to use it, similarly the stats server. The stats server calls different stats commands: exec("uptime") readFile("/proc/stat",...
- HTB - JS Calc - web - easy
Our input is passed directly to eval in challenge/helpers/calculatorHelper.js:5. The following payload will return to us 1 in the message and console.log in the node environment console: { "formula": "(() => {console.log(1); return 1;})()" } This input results in the following interpolated string: eval(`(function() { return (() => {console.log(1); return...
- HTB - Insomnia - web - easy
This challenge is a huge bootstrap app written in PHP. Insomnia/app/Controllers/ProfileController.php contains the following: $token = (string) $_COOKIE["token"] ?? null; $flag = file_get_contents(APPPATH . "/../flag.txt"); if (isset($token)) { $key = (string) getenv("JWT_SECRET"); $jwt_decode = JWT::decode($token, new Key($key, "HS256")); $username = $jwt_decode->username; if ($username == "administrator") { return view("ProfilePage", [ "username"...