Description
With a whole scan of 192.168.20.0/24 I found 4 servers.
This is the write-up for the server 192.168.20.10, called “Level 1”.
Continue reading [eCSI 2015] Level 1 User Write-up
./newboy
Hey, im newboy, nice to meet you!
Tell me, who am I speaking to? 0x90r00t
My pleasure, 0x90r00t 🙂
newboy.zip
Continue reading [Cybercamp 2015] [Exploit 1] Write Up
On the index page, we got a form asking us for the time in seconds, and an HTML frame pointing to a CGI script, which shows us the time in words.
Our first idea was to write a script that would synchronize with the time printed by the CGI, in order to submit the exact time at the right moment, but this led nowhere.
Our second idea was much better. We were looking for a vulnerability, weren’t we? And we had a CGI script, didn’t we? What if this challenge was about exploiting our beloved Shellshock?
On the index page, we can see a form containing several fields: first name, age, and a picture field containing a list of image files.
Once the form is submitted, we see a summary of what we entered, and our image, base64 encoded, inside an <img> tag. So far, nothing weird.
But by looking at the page URL, we found some data that looked like a serialized PHP object.
http://challenge.cybercamp.es:8092/show.php?u="O:4:"User":3{s:3:"age";s:6:"sdvsdv";s:4:"name";s:6:"dsvsdv";s:7:"picture";s:8:"cat5.png";}"
Why not try replacing this cat5.png with something other than an image, such as show.php for example? 🙂
On the main page, we see what seems to be a website thumbnail generator. A form allows us to generate a thumbnail of the URL of our choice.
First test: failed. When we try the http://google.com URL, the next page shows us an error message…
Second test: we try to load a website that we own, in order to check its access.log. Nothing: there wasn’t any connection from the thumbnail generator to our server. The script didn’t even try to connect to our website, which led us to conclude that only a local URL could be loaded.
Other tests: we tried http://localhost, http://localhost:8097, http://127.0.0.1 … But the tool kept saying that these URLs weren’t allowed. What if we were close to something interesting?
Continue reading [Cybercamp 2015] [Web 17 – Url Thumbs] Write Up