In this question, we were given a URL, http://expression.2018.ctf.kaspersky.com/, and we were asked to find the flag from that URL.

When I opened that website in Firefox, this page welcomed me.

I tried some XSS and some SQL injection payloads, but I thought I was going down a rabbit hole. After some time, my teammates suggested that I try to divide 1 by 0. Then I did that (:

After that error, I started playing with the token. It was kind of base64-encoded JSON data.

O:10:"Expression":3:{s:14:"Expressionop";s:3:"div";s:18:"Expressionparams";a:2:{i:0;d:1;i:1;d:0;}s:9:"stringify";s:5:"1 / 0";}

I realized that this question was about PHP serialization stuff. I did some searching on Google and read an article about that topic [1]. Then I tried to execute a command by just changing some parts of that JSON data. …
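The token format shown above, read by a small parser (an added example, not code from the original post or the challenge). It assumes the private property names carry the NUL bytes that PHP's serialize() emits and that the rendering above dropped, which is why s:14 and s:18 look two bytes too long; `SAMPLE_TOKEN`, `describe`, `parse` and `inspect_token` are names made up here. The output makes visible that the client-supplied token names the class to instantiate and sets its private state.

```python
import base64

def describe(name: bytes) -> str:
    """Turn PHP's mangled property name into '<visibility> <name>'."""
    if name.startswith(b"\x00"):          # "\0Class\0prop" or "\0*\0prop"
        owner, prop = name[1:].split(b"\x00", 1)
        return ("protected " if owner == b"*" else "private ") + prop.decode()
    return "public " + name.decode()

def parse(buf: bytes, pos: int = 0):
    """Parse one serialized value at pos; return (value, next_pos)."""
    tag = buf[pos:pos + 1]
    if tag == b"N":                        # N;
        return None, pos + 2
    if tag in (b"i", b"d", b"b"):          # i:1;  d:0.5;  b:1;
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        conv = {b"i": int, b"d": float, b"b": lambda s: s == "1"}[tag]
        return conv(raw), end + 1
    colon = buf.index(b":", pos + 2)
    n = int(buf[pos + 2:colon])            # declared byte length or item count
    start = colon + 2                      # skip the opening '"' or '{'
    if tag == b"s":                        # s:<len>:"<bytes>";
        if buf[start + n:start + n + 2] != b'";':
            raise ValueError(f"declared length {n} does not fit string at {pos}")
        return buf[start:start + n], start + n + 2
    if tag == b"O":                        # O:<len>:"<class>":<count>:{...}
        cls = buf[start:start + n].decode()
        colon = buf.index(b":", start + n + 2)
        n, start = int(buf[start + n + 2:colon]), colon + 2
    elif tag != b"a":                      # a:<count>:{key;value;...}
        raise ValueError(f"unsupported tag {tag!r} at {pos}")
    items, pos = {}, start
    for _ in range(n):
        key, pos = parse(buf, pos)
        value, pos = parse(buf, pos)
        items[describe(key) if tag == b"O" else key] = value
    return ({"class": cls, "props": items} if tag == b"O" else items), pos + 1

# Constructed sample: the object shown in the post with its NUL bytes restored
# (assumption: s:14 and s:18 only fit "\0Expression\0op" / "\0Expression\0params").
SAMPLE_TOKEN = base64.b64encode(
    b'O:10:"Expression":3:{s:14:"\x00Expression\x00op";s:3:"div";'
    b's:18:"\x00Expression\x00params";a:2:{i:0;d:1;i:1;d:0;}'
    b's:9:"stringify";s:5:"1 / 0";}').decode()

def inspect_token(token: str) -> dict:
    """Decode a base64 token and return the object it asks PHP to build."""
    return parse(base64.b64decode(token))[0]
```

Run on the text exactly as rendered above (without the NUL bytes), `parse` raises on the first property name because the declared length no longer fits.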


Making a VPN access point by using a Raspberry Pi 3

The Raspberry Pi 3 is full of capabilities and fun. You can do anything you want with a Raspberry Pi. In this case, we are going to build a VPN access point (hotspot). What I mean is that we are going to create a Wi-Fi network that automatically redirects our normal traffic into the VPN network.

I tried to make a network topology in order to explain it visually.

Requirements

  • Raspberry Pi 3 Model B (with the Raspbian Stretch Lite image installed and SSH enabled)
  • Ethernet cable
  • A computer to set up the Raspberry Pi via SSH
  • A subscription to a VPN service provider that supports OpenVPN, or just an OpenVPN config file (.ovpn) …


As always, I ran a service scan with nmap.

The default scan found three open ports. In order, these are ports 53, 80 and 2222. Seeing the HTTP port open, I immediately opened it in the browser.

I couldn't see anything meaningful in the browser, so I started a scan with tools such as dirbuster and nikto to see whether there was anything interesting. Dirbuster gave no results, but in nikto I saw that there was an interesting header named xdebug.

After a bit of Google research, I saw that there was a related exploit for this in Metasploit.

After making the necessary settings, I tried to get a reverse shell with the exploit command, and the result was successful.

I immediately went to the home directory to get the user.txt file needed for the points, but the file was not there; instead, there were files that I think belong to a tool called airgeddon. …

About

Mustafa Çalap

Computer Science - https://calap.co
