Showing posts from October, 2019

Ringzer0CTF – Linux – Level2

Objective: Get the flag…… I don’t know what else to put here

Find architect password
User: morpheus
Password: VNZDDLq2x9qXCzVdABbR1HOtz
ssh challenges.ringzer0team.com port 10148

Solution: Ok so we log in with the same user/pass as the last level and now need to find another password. So this one took a bit of time as a refresher for me. First I tried the same process we did for the last level to see if we could find a command running with the password like we did for trinity…. Nope

Ok so let’s just search the entire file system for “architect”. Let’s get to /

    cd ../
    morpheus@lxc-sysadmin:/$ ls
    backup   bin   boot   dev   etc   home   lib   lib64   media   mnt   nohup.out   opt   proc   root   run   sbin   srv   sys   tmp   usr   var

Ok, now my first iteration here was just

    grep -r "architect"

That gave me way too many things…. Ok, how do we filter out permission denied? Let’s start there. We

Ringzer0CTF – Linux – Level1

Objective: Get the flag…… I don’t know what else to put here

Solution: Find Trinity password
User: morpheus
Password: VNZDDLq2x9qXCzVdABbR1HOtz
ssh challenges.ringzer0team.com port 10089

Ok, let’s start by connecting via ssh using the provided creds

    morpheus@lxc-sysadmin:~$

Let’s start by checking the home directory

    morpheus@lxc-sysadmin:~$ ls -al
    total 20
    dr-x------ 2 morpheus morpheus 4096 Oct 17  2018 .
    drwxr-xr-x 8 root     root     4096 May 30  2018 ..
    lrwxrwxrwx 1 root     root        9 May 30  2018 .bash_history -> /dev/null
    -r-x------ 1 morpheus morpheus  220 Aug 31  2015 .bash_logout
    -r-x------ 1 morpheus morpheus 3771 Jun  2  2018 .bashrc
    lrwxrwxrwx 1 root     root        9 Oct 17  2018 .mysql_history -> /dev/null
    -r-x------ 1 morpheus morpheus  655 May 16  2017 .profile

Nothing there… Let’s look at the passwd file to see if trinity exists on the system, so we

Ringzer0CTF – Web – Looking for password file

Objective: Get the flag…… I don’t know what else to put here

Solution: So we are looking for a password file. This is the challenge site:

    http://challenges.ringzer0team.com:10075/?page=lorem.php

It looks like it’s using PHP to load up a page named lorem.php - the little "?" in the URL is what makes me think it’s PHP.

The first thing I think of when I see a URL like this is directory traversal. Let’s check and see if this is exploitable using directory traversal. Let’s try ../ instead of lorem.php to see if it will try to read it from the next directory above where it’s currently looking:

    http://challenges.ringzer0team.com:10075/?page=../

    Warning: require(/var/www): failed to open stream: No such file or directory in /var/www/html/index.php on line 43
    Fatal error: require(): Failed opening required '../' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/i

Ringzer0CTF – Web – Big Brother is watching

Objective: Get the flag…… I don’t know what else to put here

Hint: Even Google can’t find this one

Solution: So that’s a pretty big hint. What can’t Google see with its web crawlers? Robots.txt

This is a config file you can place on your website that directs Google or any other web crawler to not index certain directories or files. Here is some info from Google about robots.txt:

    https://support.google.com/webmasters/answer/6062608?hl=en

Let’s check the robots.txt file for this site to see what Google is not allowed to index:

    https://ringzer0ctf.com/robots.txt

    User-agent: *
    Disallow: /16bfff59f7e8343a2643bdc2ee76b2dc/

Just one folder that Google should not index. Let’s see what’s in there:

    https://ringzer0ctf.com//16bfff59f7e8343a2643bdc2ee76b2dc/

    FLAG-G5swO95w0c7R5fq0sa85nVs5dK49O04i

There is our flag

Ringzer0CTF – Cryptography – I lost MY password Can you find it?

Objective: Get the flag…… I don’t know what else to put here

Solution: So this level gives you a tar file. I downloaded the tar and unzipped it. There is a policies folder with the following folders inside:

    02/06/2014  09:20 AM    <DIR>          .
    02/06/2014  09:20 AM    <DIR>          ..
    02/05/2014  03:59 PM    <DIR>          {31B2F340-016D-11D2-945F-00C04FB984F9}
    02/05/2014  03:59 PM    <DIR>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
    02/06/2014  09:22 AM    <DIR>          {75DE8F0A-DEC0-441F-AE29-90DFAFCF632B}
    02/06/2014  08:20 AM    <DIR>          {874C2133-64E1-4F2C-8BD8-71D9BD59643D}
    02/06/2014  08:29 AM    <DIR>          {C7BD6C6D-A1C8-4C23-815E-3D8D4187640F}
                   0 File(s)              0 bytes
                   7 Dir(s)  326,238,683,136 bytes free

I poked through the directory and found an i

SmashTheStack.org – BlackBox – Level 1

Objective: Get the pass for level 2

Solution: So this is the first level for smashthestack.org blackbox. You are given the user/pass for level one and need to get the level 2 pass. So first things first, let’s ssh:

    putty.exe -ssh level1@blackbox.smashthestack.org 2225

    Using username "level1".
    level1@blackbox.smashthestack.org's password:

Let’s start with ls to see where we landed and what’s there:

    level1@blackbox:~$ ls -al
    total 24
    drwxr-x---  2 root   level1 4096 Oct 23  2016 .
    drwxr-xr-x 17 root   root   4096 Mar 22  2012 ..
    lrwxrwxrwx  1 root   root      9 Sep 13  2016 .bash_history -> /dev/null
    -rw-r--r--  1 level1 gamers   35 Sep  3  2016 .bashrc
    -rw-------  1 root   gamers 1170 Oct 23  2016 .viminfo
    -rwxr-xr-x  1 level2 level1 7591 Apr 22  2017 login2

Cool. There is a file called login2 that we have access to. Let’s see what kind of file it is

RingZer0CTF - Web - Area 51

Objective: Get that flag

Solution: On this challenge we get this message:

    Access to this area is restricted using some secure .htaccess

So, .htaccess. From there I started just by googling .htaccess (I’ve heard of this before but never really dealt with Apache servers). Ok, next I googled .htaccess bypass. I found a forum that says to get around this sometimes it’s just as simple as using PUT instead of GET.

    https://security.stackexchange.com/questions/177279/how-to-bypass-htaccess-protection

So I fired up YARC (Yet Another REST Client) and sent a PUT instead of a GET to the site. Now I get this:

    <div class="challenge-wrapper">
    <br />
    <span class="red">AREA 51</span> The origin of the Area 51 name is unclear? Alien?<br />
    <div class="alert alert-info" role="alert"> FLAG-w4KRr557y626izv567758O52 <

Ringzer0CTF – Web – Headache

Objective: Get that flag son

Solution: So this challenge is called headache and we get this as a hint:

    Answer is closer than you think!

So let’s look at the response header to see what we see. I loaded the Yet Another REST Client into my Chrome and pointed it at the challenge. I had to do some research on REST because I wasn’t too familiar with it. So I loaded up the challenge in YARC and under response headers we see the flag:

    Response 200
    Request URL: https://ringzer0ctf.com/challenges/43
    Request Method: GET
    Response Time: 0.465 seconds
    Response Status: 200 - OK
    {
      "date": "Wed, 16 Oct 2019 15:21:20 GMT",
      "content-encoding": "gzip",
      "x-content-type-options": "nosniff",
      "age": "0",
      "flag": "FLAG-365m4fU5p2DVEQbfrptDE5Ru&quo

Ringzer0 CTF – Web - Words mean something?

Objective: Find that flag yo

Just a bunch of what looks like Latin:

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aliquam commodo risus lobortis diam molestie, varius vestibulum lacus condimentum. Phasellus fringilla, leo at ornare tristique, est elit lobortis dolor, a placerat tortor eros nec elit. Suspendisse feugiat, enim ac hendrerit malesuada, libero lectus rutrum tellus, ut faucibus sem odio non nunc. Vestibulum dignissim magna et felis laoreet viverra. Integer sodales tellus molestie suscipit feugiat. Praesent quis elit tristique nisl laoreet elementum eu nec felis. Fusce nunc enim, rhoncus at metus sed, accumsan accumsan augue. Nunc venenatis tempor mi sit amet tempus. Maecenas luctus lacus mi, id pretium magna feugiat eu. Aenean euismod ante at neque rhoncus, eget dapibus nisi lacinia. Aenean vulputate risus id velit interdum vulputate. Mauris id rhoncus dolor.

Solution: So my first thought was that