webhackingkr old 02

This is a challenge old-02 from webhacking.kr. I was stuck trying to understand how people were discovering this SQLi vulnerability through a cookie, as no blog posts explained why the attack was effective. This wasn’t a typical SQLi challenge that I’m used to, so I really wanted to know why it worked the way it did. The goal of this challenge is to figure out the password used for the admin.php page (mentioned in the HTML comment). ...

February 9, 2025 · Joon Kim

SANS Holiday Hack Challenge Elf Connect

Hacking a JavaScript Game Referring to this video. Examination This is a web-based game, so we begin by inspecting the game page using the browser’s developer tools. Inspecting the Game Open the browser’s developer tools and navigate to the debugger section. This section displays all the files associated with the page you are inspecting. You can view the HTML source code of the Elf Connect game here: ...

December 10, 2024 · Joon Kim

PicoCTF Trickster

Trickster Author: Junias Bonou Description I found a web app that can help process images: PNG images only! Try it here! When I attempted to upload some random files, I got the following error message: Error: File name does not contain '.png'. This suggests that the app strictly checks for .png extensions. To dig deeper, we can perform a directory search to see if we can find anything useful. A tool like gobuster is perfect for this kind of task. ...

November 26, 2024 · Joon Kim

USCCTF2024 Pwn Portal

Description Can you use the portals to get to the right place? You are provided with a 32-bit executable: └─$ file portal portal: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, BuildID[sha1]=2777afda2049624cbbecde55650e58f347efcd29, for GNU/Linux 3.2.0, not stripped Using checksec on this binary reveals that there are no security defenses enabled: [*] '/home/kali/ctf/uscctf2024/pwn/portal/portal' Arch: i386-32-little RELRO: No RELRO Stack: No canary found NX: NX unknown - GNU_STACK missing PIE: No PIE (0x8048000) Stack: Executable RWX: Has RWX segments Stripped: No This is a straightforward “return-to-win” challenge. Upon inspecting the binary with objdump, you can see that the function win is the goal: ...

November 15, 2024 · Joon Kim

XSS Skills Assessment

The search bar didn’t seem to be a viable target for XSS injection because either it simply echoes the search query or it sanitizes/blocks the payloads I tested (for example, the payloads generated by XSStrike didn’t work). Next, I explored the “Leave a Comment” section, which includes multiple input fields. When posting a comment, I noticed that the inputs aren’t reflected directly back on the page. Searching for a comment only shows the search result, not the actual comment content, which means we need to identify which input area, if any, is vulnerable. ...

November 14, 2024 · Joon Kim

Unholy Union

A challenge about SQLi that uses the Union injection technique. What is convenient about this challenge is that it shows the query used to pull the data from the database. I used this SQL injection cheat sheet from the SQLi Fundamentals module of HTB Academy: cn' UNION select 1,database(),2,3-- - Current database name cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- - List all databases cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- - List all tables in a specific database cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- - List all columns in a specific table Steps I took based on the cheat sheet from HTB Academy: ...

October 27, 2024 · Joon Kim

webhackingkr-old-18

This is a challenge from webhacking.kr. As the name of the website suggests, it is about SQL injection. You can check the source code of the page: <?php if($_GET['no']){ $db = dbconnect(); if(preg_match("/ |\/|\(|\)|\||&|select|from|0x/i",$_GET['no'])) exit("no hack"); $result = mysqli_fetch_array(mysqli_query($db,"select id from chall18 where id='guest' and no=$_GET[no]")); // admin's no = 2 if($result['id']=="guest") echo "hi guest"; if($result['id']=="admin"){ solve(18); echo "hi admin!"; } } ?> Our goal seems to be creating a payload that would make the id value admin and also make the no value 2. So, let's assume that there is no filter and we can enter anything as a payload. When we enter 2 as our input, we will see something like this: ...

October 25, 2024 · Joon Kim

HTB Academy File Inclusion Skills Assessment

Identifying the Local File Inclusion (LFI) Vulnerability While working on the skills assessment for the File Inclusion module, I first checked whether the target website was vulnerable to Local File Inclusion (LFI). The website had a query parameter called page in the URL, as shown below: http://<IP>/index.php?page=<page name> When I attempted to traverse directories using relative paths, like ../../../../etc/passwd, I encountered an error message: “Invalid input detected!”. Directory Enumeration with ffuf To explore available pages on the site, I used the ffuf tool to fuzz the directories: ...

October 13, 2024 · Joon Kim

BuckeyeCTF 2024 - SSFS

Page Source Inspection The actual functionality of uploading and downloading files wasn't working, so I looked at the page source. I saw this portion of the source: const searchFile = async () => { let formData = new FormData(searchForm); console.log([...formData][0]); let response = await fetch('/search/' + [...formData][0][1], { method: 'GET', }); searchWrapper.hidden = false; if (response.status === 200) { searchMessage.innerHTML = 'File found. Download link: <a href="/download/' + [...formData][0][1] + '">Download</a>'; } else { searchMessage.innerHTML = 'File not found.'; } } If we look closer, once a file is found from the search bar (or the search functionality), the site provides a link that accesses the path of that file: ...

October 7, 2024 · Joon Kim

BuckeyeCTF 2024 - Binary Exploitation

Beginner pwn: First challenge #include <stdio.h> #include <stdlib.h> #include <string.h> int main() { char command[110] = "cowsay \""; char message[100]; printf("Give me a message to say!\n"); fflush(stdout); fgets(message, 0x100, stdin); strncat(command, message, 98); strncat(command, "\"", 2); system(command); It has been a while since I have done any CTFs! So I struggled a little bit looking at the code and what it does. When I pass 109 A's, it still runs the cowsay binary. When I pass in 113 A's, the output starts to show a single 'A': ...

October 6, 2024 · Joon Kim