Posts

Ringzero - Java Script - Client side validation is bad!

Objective: Get the flag

Solution: So the first thing I did here was check the source code to see if I could find the user/pass validation. I found this section:

    <script>
    // Look's like weak JavaScript auth script :)
    $(".c_submit").click(function(event) {
        event.preventDefault()
        var u = $("#cuser").val();
        var p = $("#cpass").val();
        if(u == "admin" && p == String.fromCharCode(74,97,118,97,83,99,114,105,112,116,73,115,83,101,99,117,114,101)) {
            if(document.location.href.indexOf("?p=") == -1) {
                document.location = document.location.href + "?p=" + p;
            }
        } else {
            $("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
        }
    });
    </script>

So here is a script that checks to see if the user name is admin and the password equals a c

RingZeroCTF - Forensics - I made a dd of Agent Smith usb key

Objective: Get Flag

Solution: I loaded the DD file up in Autopsy to look at deleted files.

- Started a generic case
- Added the DD
- I chose analyze to let Autopsy do the dirty work
- Now I checked the deleted files
- Found the flag in the first orphaned file

RingZeroCTF - Forensics - Dr Pouce

Objective: Find in which city DR Pouce is keeped ! Then find who is the evil man? answer format : cityfirstnamelastname

Solution: So this is a zip file that contains two files. We are just going to use metadata to find the answer to these two questions.

The first question: In which city is Dr. Pouce being kept? We will use the jpg file to see if there is any geo-location data in the jpg.

Cool, there is some geo data. Let's open it up in OpenStreetMap to see where it is: Downtown Halifax

https://www.openstreetmap.org/?mlat=44.646231&mlon=-63.573287&zoom=15#map=15/44.6462/-63.5733

Now I poked around to see if there was info in the jpg about who took the picture, but there wasn't, so I opened the PDF and looked at the Document properties. There it was: Author: Steve Finger

So HalifaxSteveFinger is the flag.

RingzeroCTF - Crypt - Can you understand this sentence?

Objective: Get the flag

Solution: Bubble Babble

I had to google around on this one a bit to figure out that it was Bubble Babble. I had never heard of it, but it is just essentially another way of encoding HEX so that it looks a bit more palatable to the human eye. I tried my Google-Fu to find an online decrypter/decoder but didn't find anything. I did however find this site with a PHP script that can both encode and decode Bubble Babble:

http://bohwaz.net/p/Bubble-Babble-CLI-encoder-decoder

I downloaded the bubblebabble.php. I dumped the message into a text file to feed into the PHP script:

    root@kali:~/Downloads# echo "xipak-comok-repuk-vanik-dytuk-dimyk-sinyx" >> bubble.txt

Then I pushed that through the PHP decoding script:

    root@kali:~/Downloads# php ./bubblebabble.php -d bubble.txt
    hackingbubble
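What the decoding step above does, as an added Python example (not the PHP script linked in the post): Bubble Babble maps bytes to alternating vowels and consonants, mixing in a running seed that acts as a light checksum. The function names `bubble_encode` and `bubble_decode` are this example's own.

```python
VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"  # index 16 ('x') marks the checksum-only group


def _head(b, seed):
    """First three letters of a group: byte b mixed with the running seed."""
    return (VOWELS[((b >> 6) + seed) % 6] + CONSONANTS[(b >> 2) & 15]
            + VOWELS[((b & 3) + seed // 6) % 6])


def bubble_encode(data: bytes) -> str:
    seed, out = 1, "x"
    for i in range(0, len(data) - 1, 2):  # full two-byte rounds
        b1, b2 = data[i], data[i + 1]
        out += _head(b1, seed) + CONSONANTS[b2 >> 4] + "-" + CONSONANTS[b2 & 15]
        seed = (seed * 5 + b1 * 7 + b2) % 36
    if len(data) % 2:  # odd length: last byte fills the final group
        out += _head(data[-1], seed)
    else:  # even length: final group carries only the seed as a checksum
        out += VOWELS[seed % 6] + "x" + VOWELS[seed // 6]
    return out + "x"


def bubble_decode(text: str) -> bytes:
    """Decode Bubble Babble; raise ValueError on malformed or corrupted input."""
    text = text.strip()
    body = text[1:-1].replace("-", "")
    if text[:1] != "x" or text[-1:] != "x" or len(body) % 5 != 3:
        raise ValueError("not a Bubble Babble string")
    seed, out = 1, bytearray()
    for pos in range(0, len(body), 5):
        g = body[pos:pos + 5]
        hi = (VOWELS.index(g[0]) - seed) % 6
        mid = CONSONANTS.index(g[1])
        lo = (VOWELS.index(g[2]) - seed // 6) % 6
        if len(g) == 3 and mid == 16:  # checksum-only group, no data byte
            break
        if hi > 3 or mid > 15 or lo > 3:
            raise ValueError("corrupted group: " + g)
        out.append(hi << 6 | mid << 2 | lo)
        if len(g) == 5:
            b2 = CONSONANTS.index(g[3]) << 4 | CONSONANTS.index(g[4])
            out.append(b2)
            seed = (seed * 5 + out[-2] * 7 + b2) % 36
    # Re-encoding verifies the seed-dependent letters and dash layout in one step.
    if bubble_encode(bytes(out)) != text:
        raise ValueError("checksum or layout mismatch")
    return bytes(out)
```
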

Ringzer0CTF – Linux – Level2

Objective: Get the flag…… I don't know what else to put here

Find architect password

User: morpheus
Password: VNZDDLq2x9qXCzVdABbR1HOtz
ssh challenges.ringzer0team.com port 10148

Solution: OK, so we log in with the same user/pass of the last level and now need to find another password. So this one took a bit of time for a refresher for me. First I tried the same process we did for the last level to see if we could find a command running with the password like we did for trinity…. Nope.

OK, so let's just search the entire file system for "architect". Let's get to /

    cd ../
    morpheus@lxc-sysadmin:/$ ls
    backup  bin  boot  dev  etc  home  lib  lib64  media  mnt  nohup.out  opt  proc  root  run  sbin  srv  sys  tmp  usr  var

OK, now my first iteration here was just

    grep -r "architect"

That gave me way too many things…. OK, how do we filter out permission denied? Let's start there. We

Ringzer0CTF – Linux – Level1

Objective: Get the flag…… I don't know what else to put here

Solution: Find Trinity password

User: morpheus
Password: VNZDDLq2x9qXCzVdABbR1HOtz
ssh challenges.ringzer0team.com port 10089

OK, let's start by connecting via ssh using the provided creds

    morpheus@lxc-sysadmin:~$

Let's start by checking the home directory

    morpheus@lxc-sysadmin:~$ ls -al
    total 20
    dr-x------ 2 morpheus morpheus 4096 Oct 17  2018 .
    drwxr-xr-x 8 root     root     4096 May 30  2018 ..
    lrwxrwxrwx 1 root     root        9 May 30  2018 .bash_history -> /dev/null
    -r-x------ 1 morpheus morpheus  220 Aug 31  2015 .bash_logout
    -r-x------ 1 morpheus morpheus 3771 Jun  2  2018 .bashrc
    lrwxrwxrwx 1 root     root        9 Oct 17  2018 .mysql_history -> /dev/null
    -r-x------ 1 morpheus morpheus  655 May 16  2017 .profile

Nothing there… Let's look at the passwd file to see if trinity exists on the system, so we

Ringzer0CTF – Web – Looking for password file

Objective: Get the flag…… I don't know what else to put here

Solution: So we are looking for a password file. This is the challenge site:

http://challenges.ringzer0team.com:10075/?page=lorem.php

It looks like it's using PHP to load up a page named lorem.php - the little "?" in the URL is what makes me think it's PHP.

The first thing I think of when I see a URL like this is directory traversal. Let's check and see if this is exploitable using directory traversal. Let's try ../ instead of lorem.php to see if it will try to read it from the next directory above where it's currently looking:

http://challenges.ringzer0team.com:10075/?page=../

    Warning: require(/var/www): failed to open stream: No such file or directory in /var/www/html/index.php on line 43
    Fatal error: require(): Failed opening required '../' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/html/i