Thumbnail: jekyll

Infosec Institute CTF writeup lvl 1- 6

on under jekyll
3 minute read

Level 1

For this level we are already told that we have to exploit an XSS and pop an alert containing "Ex1". So the basic payload to do that looks like this:
We can't just post this because some validation are made on both parameters. I choose to attack the url parameter but you could attack the other one it's basically the same thing.
This is the code of the url element:

<input type="text" placeholder="Name of site" maxsize="10" class="form-control" pattern="[A Za-z]+" required="" name="name">  

So I removed pattern="[A Za-z] which makes the input only accept uppercase or lowercase characters and also changed the type value from "url" to "text".So now we can post stuff! But still no alert. I took a look at the javascript and noticed this:

var siteName = $(".ex1input[type='text']").val().trim().replace(/</g,"&lt;").replace(/>/g, "&gt;");

What it's doing is replacing < and > with their html code, which is not what we want. So there in chrome I just removed the .replace(), hit ctrl+s and voilĂ 

Level 2

The page showed a calculator and we were asked to inject the PHP statement shat shows informations about Apache etc which is basicaly phpinfo();. I quickly noticed that the two inputs were verified. You could only enter numbers and nothing on the frontend to bypass that. That leaves us with the only other thing can we're sending: the operator.
I modified the operator value like this:
<option value=";phpinfo();">+</option> so basically when you send 1+1 it would translate to valid php code: 1;phpinfo();1;

Level 3

First thing is to create an account, then after login I could see 'role:normal' which was a hint. So the delimiter is ":" to separate key/value and I guessed that it would have a newline after that.
So my idea was to insert something like someName\nrole:adminbut I couldn't just do this in the form. The easiest way I found to do it is to change the input type to "textarea", that allows you to input a new line and role:admin in it. Otherwhise you can intercept the request with burpsuite for example and modify it there

Level 4

You are confronted with a website that loads some .txt files to display content for its pages. You are thinking that it may be vulnerable. You aim to load a nice file from a remote server and share the link with unsuspecting visitors. Your task is to successfully load a PHP file located in the root of The file should not exist but you must load it without getting errors and it must have the PHP file extension.

The url looked like: So from the instruction and the url we can deduce we can use RFI here. And if you read carrefuly the instruction (unlike me at first) you know that the root is and not ../../ of course...
From there we got this error message:

That's right. So somehow the website detected we entered an url. There must some regex behind that. Earlier I did a bit of fuzzing on the file attribute and noted that I got different error message if I used upper or lower case. So this is how I got the flag, bypassing the regex:

Level 5

It seems you have encountered a page which requires users to login before viewing. Do some magic without having to log in. The login button didn't work

I intercept a request with burpsuite and changed the refer to login.html which I got from the source code. It tricks the browser to think we're coming from the login page

Level 6

It seems you have landed on a site that takes HTML tags for article's comments. You want to exploit this by making the users perform an action on the bank.php file in the root of, if they are logged in there. You want users browsers to load that page and execute the query string transferTo with the number 555 as a parameter. Go ahead.

Well this was just about reading the instructions.

ctf, writeup, infosec
comments powered by Disqus