
Showing posts with the label web

PicoCTF2018 – Web – The Vault

Objective: There is a website running at http://2018shell.picoctf.com:64349. Try to see if you can login!

Solution: This site is nice enough to give us the code for login.php. Looking in the code, you can see there is an attempt to sanitize inputs using regular expressions. It creates a variable named $pattern, which is a regex used to match against the variables:

    //validation check
    $pattern ="/.*['\"].*OR.*/i";
    $user_match = preg_match($pattern, $username);
    // as written on the challenge page, this second check also tests $username
    $password_match = preg_match($pattern, $username);
    if($user_match + $password_match > 0)
    {
      echo "<h1>SQLi detected.</h1>";
    }
    else {
      $result = $con->query($query);
      $row = $result->fetchArray();
      if ($row) {
        echo "<h1>Logged in!</h1>";
        echo "<p>Your flag is: $FLAG</p>";
      } else {
        echo &quo

PicoCTF2018 – Web – Buttons

Objective: There is a website running at http://2018shell.picoctf.com:18342. Try to see if you can push their buttons.

Hints: What's different about the two buttons?

Solution: Let's walk through this site and see what we find. The first page is a button, with nothing interesting in the source code. The second page is a hyperlink named Button2 pointing to button2.php:

    You did it! Try the next button: <a href="button2.php">Button2</a>

This button loads a page named boo.html, which loads a rickroll. But there is a message saying:

    FORM DISABLED. THIS INCIDENT HAS BEEN LOGGED AND REPORTED TO /dev/null

Let's look in the source here. This looks interesting:

    <form action="button2.php" method="POST">

So the form on the first page sends to button2.php with the POST method. Let's load up Burp Suite and see what we can see. The site map for button2.php is using get

PicoCTF2018 – Web – Secret Agent

Objective: Here's a little website that hasn't fully been finished. But I heard google gets all your info anyway. http://2018shell.picoctf.com:3827

Hints: How can your browser pretend to be something else?

Solution: This one looks like it is referencing the user agent, which is what your browser tells the website about your computer, such as the OS and browser. If you click the flag button on the website, you get this error message: “Your’re not google!” That is the clue we are looking for: the site is checking whether the user agent is Google's.

I used a Chrome extension called “User-Agent Switcher” to change my user agent to match that of Googlebot, which is Google's spider agent. I tried the flag button again and got the flag.

Flag: picoCTF{s3cr3t_ag3nt_m4n_12387c22}

picoCTF2018 – web – No Login

Objective: Looks like someone started making a website but never got around to making a login, but I heard there was a flag if you were the admin. http://2018shell.picoctf.com:33889

Hints: What is it actually looking for in the cookie?

Solution: The hint says it's looking for a cookie, but this site is not creating any cookies, so let's help it out. I used the Cookie-Editor extension in Firefox. Based on the similar earlier level, I created a cookie named Admin with a value of 1. Click the flag button and bang, got the flag.

picoCTF{n0l0g0n_n0_pr0bl3m_260181a}

picoCTF2018 – web – Mr. Robots

Objective: Do you see the same things I see? The glimpses of the flag hidden away? http://2018shell.picoctf.com:10157

Hints: (1) What part of the website could tell you where the creator doesn't want you to look?

Solution: The name and hints are telling us to look at robots.txt, which is a file used to tell search engines not to scan certain directories. Let's check the robots.txt for this site:

http://2018shell.picoctf.com:10157/robots.txt

    User-agent: *
    Disallow: /143ce.html

So they don't want the robots to look at 143ce.html:

http://2018shell.picoctf.com:10157/143ce.html

So much depends upon a red flag

picoCTF{th3_w0rld_1s_4_danger0us_pl4c3_3lli0t_143ce}

picoCTF2018 – Web – Irish Name Repo

Objective: There is a website running at http://2018shell.picoctf.com:52012. Do you think you can log us in? Try to see if you can login!

Solution: I found the login page at http://2018shell.picoctf.com:52012/login.html. In the inspector I see a value named Debug set to 0. I changed it to 1 and entered a username and password. With debug on, the page shows the SQL statement that ran when I hit login:

    username: user
    password: user
    SQL query: SELECT * FROM users WHERE name='user' AND password='user'
    Login failed.

So let's write a little SQL injection to pass the second part of the condition. We want to modify the condition after the AND to include an OR statement so that we can pass the authentication. For the user name I put in admin, and for the password I used

    *'or'1'='1

which made the SQL statement

    SQL query: SELECT * FROM users WHERE name='admin

picoCTF2018 – Web – Logon

Objective: I made a website so now you can log on to! I don't seem to have the admin password. See if you can't get to the flag. http://2018shell.picoctf.com:62746

Solution: There doesn't appear to be any check on the actual login here to make sure the user/pass is real. I punched in doug for the username and as;ldkjfa;lsdkj for the password. After getting past the login screen I checked the cookies, and sure enough there is a session cookie named admin with its value set to false. I just changed it to true and reloaded the page.

picoCTF{l0g1ns_ar3nt_r34l_92020990}
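Both the No Login and Logon sites decide admin status from a cookie value the browser fully controls. The following Node.js code is an added example of the server-side fix, not code from the challenges or the original posts: the session is serialized, tagged with an HMAC under a server-only key, and rejected if either part is altered. The names `issueSession`, `readSession` and `isAdmin` and the cookie layout are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed demo key; a real deployment loads this from server-side secret storage.
const SECRET = crypto.randomBytes(32);

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Cookie value layout (assumed for this example): <base64url(JSON)>.<HMAC tag>
function issueSession(user, admin) {
  const payload = Buffer.from(JSON.stringify({ user, admin })).toString("base64url");
  return `${payload}.${sign(payload)}`;
}

// Returns the session object, or null if the cookie is missing, malformed or altered.
function readSession(cookieValue) {
  if (typeof cookieValue !== "string") return null;
  const parts = cookieValue.split(".");
  if (parts.length !== 2) return null;
  const [payload, tag] = parts;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(tag);
  // Constant-time comparison; the length check is required by timingSafeEqual.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

function isAdmin(cookieValue) {
  const session = readSession(cookieValue);
  return session !== null && session.admin === true;
}

// Constructed sample inputs: a normal user's cookie, the same cookie with the
// payload swapped for an admin one (old tag kept), and a bare client-set value.
const legit = issueSession("doug", false);
const forgedPayload = Buffer.from(JSON.stringify({ user: "doug", admin: true })).toString("base64url");
const tampered = `${forgedPayload}.${legit.split(".")[1]}`;

console.log(isAdmin(legit), isAdmin(tampered), isAdmin("true"), isAdmin(issueSession("root", true)));
```

The same property can be had by keeping only a random session ID in the cookie and storing the admin flag server-side.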

picoCTF2018 – Web – Client side is still bad

Objective: I forgot my password again, but this time there doesn't seem to be a reset, can you help me? http://2018shell.picoctf.com:8249

Solution: Looked at the HTML code and found this interesting bit:

    function verify() {
      checkpass = document.getElementById("pass").value;
      split = 4;
      // each 4-character slice of the input is compared to a hard-coded piece
      if (checkpass.substring(split*7, split*8) == '}') {
        if (checkpass.substring(split*6, split*7) == '17e9') {
          if (checkpass.substring(split*5, split*6) == 'd_91') {
            if (checkpass.substring(split*4, split*5) == 's_ba') {
              if (checkpass.substring(split*3, split*4) == 'nt_i') {
                if (checkpass.substring(split*2, split*3) == 'clie') {
                  if (checkpass.substring(split, split*2) == 'CTF{') {
                    if (checkpass.substring(0,split) == 'pico')

picoCTF2018 – Web – Inspect Me

Objective: Inspect this code! http://2018shell.picoctf.com:28831

Solution: I loaded up the website, looked at the source code, and pretty quickly found this:

    <!-- I learned HTML! Here's part 1/3 of the flag: picoCTF{ur_4_real_1nspe -->

But it's only 1/3 of the flag. It looks like there is a CSS file and a JS file referenced in the code, so let's check those out.

Mycss.css. Here is part 2/3 in the CSS:

    /* I learned CSS! Here's part 2/3 of the flag: ct0r_g4dget_b4887011} */

Here is part 3/3 in the JavaScript:

    /* I learned JavaScript! Here's part 3/3 of the flag:   */

There really isn't anything in here, so let's just combine the two parts we found:

picoCTF{ur_4_real_1nspe ct0r_g4dget_b4887011}