Infosec Institute CTF Writeup lvl 7 - 13
You have some kind of a login form. You want to make a prank on Twitter. You want to add a h1 to the page and share it with your Twitter followers so they can see that you can modify the page as it pleases you. You do not really want to cause harm. Do some magic and add
<h1>YOUR NAME HERE</h1>in a way that people who visit the link you provide will the heading.
There was an hidden field on the page and it was pretty clear that this page was making request on it's own. So we have to exploit the PHP_SELF vulnerability here. This is how I injected the code closing the input tag:
Your task is to penetrate this site. You need to take advantage of the image upload and execute a JS script with an alert somehow through a file. Godspeed!
The first thing I did was to upload a regular image file. Then I clicked on the "Editor's choice" and from there I knew were were stored the images:
Ok, so I tried to upload a html file but got an error. This was easy to bypass using burpsuite I just changed the extension from .jpg to .html and it worked (:
Unfortunately I couldn't access it like the other images. I got an error because the server is trying to load an image but our file isn't a valid images. So I thought maybe If I increased the id in attachment_id then my file should be referenced but nope... After some fuzzing I found out I was right about the referencing:
First thing I did was to open Cookie Manager and check the cookie. I saw a string which looked like b64 in the content value and I was right. The decoded b64 looks like this:
JOHN+DOE, alright.. So
MARY+JANE in b64 is
A game... Ew I hate games, I didn't even wanted to play it to hack it, sorry
It seems you have been blacklisted. Knowing what websites typically use to identify their users - try to get rid of that ban
First thing I did was to connect to my vpn to see if I see any change but nope. So I check the cookie and
content value was 'no" so I just said 'yes'
Your task is to crack the password of the user called admin. Use whatever tool you like but we would recommend entering Google and searching for filetype:lst password in order to perform a dictionary attack.
Again I skipped this one because they pretty much give it away. They give the worlist and the attack... So just use your favorite http form bruteforer like wpfuzz, medusa, hydra, patator...
Hmm, it seems that level thirteen is redirecting to this page. Why do not you analyze the redirect and search if the redirect is validated thoroughly. If not, you want to redirect to a page on a remote server and send links to people fooling them to think they are accessing a different domain.
It took me a while to figure this on because I was jumping levels and ex13.php was a different page than the real challenge. But when I clicked on it and got the real page the solution was pretty obvious. It's just and insecure redirect:
Thx to byt3me who helped me in some of the challenges,you can checkout his writups which are more detailed than mine on SecNotes<
Let me know what you think of this article on twitter @misterch0c or leave a comment below!