Posts

picoCTF2018 – web – No Login

Objective: Looks like someone started making a website but never got around to making a login, but I heard there was a flag if you were the admin. http://2018shell.picoctf.com:33889

Hints: What is it actually looking for in the cookie?

Solution: So the hint says it's looking for a cookie, but this site is not creating any cookies. So let's help it out. I used the Cookie-Editor extension in Firefox. Based on the similar earlier level, I created a cookie named Admin with a value of 1. Click the flag button and bang, got the flag:

    picoCTF{n0l0g0n_n0_pr0bl3m_260181a}

picoCTF2018 – web – Mr. Robots

Objective: Do you see the same things I see? The glimpses of the flag hidden away? http://2018shell.picoctf.com:10157

Hints: (1) What part of the website could tell you where the creator doesn't want you to look?

Solution: So the name and hints are telling us to look at robots.txt, which is a file used to tell search engines not to scan certain directories. Let's check the robots.txt for this site:

http://2018shell.picoctf.com:10157/robots.txt

    User-agent: *
    Disallow: /143ce.html

OK, they don't want the robots to look at 143ce.html.

http://2018shell.picoctf.com:10157/143ce.html

    So much depends upon a red flag
    picoCTF{th3_w0rld_1s_4_danger0us_pl4c3_3lli0t_143ce}

picoCTF2018 – Web – Irish Name Repo

Objective: There is a website running at http://2018shell.picoctf.com:52012. Do you think you can log us in? Try to see if you can login!

Solution: So here is the thing. Found the login page http://2018shell.picoctf.com:52012/login.html. In the inspector I see a value named Debug set to 0. I changed it to 1 and input a username/password. Look at that, the debug shows the SQL statement that ran when I hit login:

    username: user
    password: user
    SQL query: SELECT * FROM users WHERE name='user' AND password='user'
    Login failed.

So let's write a little SQL injection to pass the second part of the condition. We want to modify the condition after the end to include an OR statement so that we can pass the authentication. So for user name I put in admin, and for password I did *'or'1'='1

Which made the SQL statement

    SQL query: SELECT * FROM users WHERE name='admin
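
The debug output above shows the login statement being assembled from the form fields. As an added example (not the challenge's code or the author's), here is that pattern next to the parameterized form that closes it, run against an in-memory SQLite database; the table contents, function names and stored password are constructed for the demo.

```python
import sqlite3

# The password-field input quoted in the write-up above.
PAGE_INPUT = "*'or'1'='1"


def make_db():
    """Constructed sample data: one user row, as the debug query implies."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db


def login_concat(db, name, password):
    """'Before': paste the fields into the SQL text, as the debug line shows."""
    query = (
        "SELECT * FROM users WHERE name='" + name + "' AND password='" + password + "'"
    )
    return db.execute(query).fetchone() is not None


def login_param(db, name, password):
    """'After': placeholders keep the fields as data, never as SQL syntax."""
    query = "SELECT * FROM users WHERE name=? AND password=?"
    return db.execute(query, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for check in (login_concat, login_param):
        print(check.__name__, "accepts the quoted input:", check(db, "admin", PAGE_INPUT))
```

A real application would also store a salted password hash rather than the plaintext the challenge query compares against.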

picoCTF2018 – Web – Logon

Objective: I made a website so now you can log on to! I don't seem to have the admin password. See if you can't get to the flag. http://2018shell.picoctf.com:62746

Solution: So there doesn't appear to be any check on the actual login here to make sure the user/pass is real. I punched in doug for the username and as;ldkjfa;lsdkj for the password. After getting past the login screen I checked the cookies, and sure enough there is a session cookie named admin which has the value set to false. I just changed it to true and reloaded the page.

    picoCTF{l0g1ns_ar3nt_r34l_92020990}
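
Both No Login and Logon come down to a server that believes an admin flag stored in a browser-editable cookie. The added example below (not the challenge servers' code, which the write-ups do not show) puts that check beside one where the flag is covered by a server-side HMAC; the cookie layout, function names and key handling are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment server secret; generated here so the demo runs.
SECRET_KEY = secrets.token_bytes(32)


def is_admin_naive(cookies):
    """'Before': believe whatever flag the browser sends (constructed stand-in)."""
    return cookies.get("admin", "").lower() in ("1", "true")


def _mac(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username, admin):
    """Called only after the server has verified the credentials itself."""
    payload = f"{username}|{int(admin)}"
    return f"{payload}|{_mac(payload)}"


def is_admin_signed(cookies):
    """'After': the flag counts only if the server's MAC over it verifies."""
    parts = cookies.get("session", "").rsplit("|", 2)
    if len(parts) != 3:
        return False
    username, admin, mac = parts
    expected = _mac(f"{username}|{admin}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # edited, truncated or client-made cookie
    return admin == "1"


if __name__ == "__main__":
    print("naive check, hand-made cookie:", is_admin_naive({"admin": "true"}))
    cookie = issue_session("doug", admin=False)
    edited = cookie.replace("|0|", "|1|", 1)  # flag flipped in the browser
    print("signed check, edited cookie:", is_admin_signed({"session": edited}))
```

Signing only detects tampering; keeping the role in server-side session state and sending the browser an opaque random session ID avoids exposing the flag at all.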

picoCTF2018 – Web – Client side is still bad

Objective: I forgot my password again, but this time there doesn't seem to be a reset, can you help me? http://2018shell.picoctf.com:8249

Solution: Looked at the HTML code and found this interesting bit:

    function verify() {
      checkpass = document.getElementById("pass").value;
      split = 4;
      if (checkpass.substring(split*7, split*8) == '}') {
        if (checkpass.substring(split*6, split*7) == '17e9') {
          if (checkpass.substring(split*5, split*6) == 'd_91') {
            if (checkpass.substring(split*4, split*5) == 's_ba') {
              if (checkpass.substring(split*3, split*4) == 'nt_i') {
                if (checkpass.substring(split*2, split*3) == 'clie') {
                  if (checkpass.substring(split, split*2) == 'CTF{') {
                    if (checkpass.substring(0,split) == 'pico')

picoCTF2018 – Web – Inspect Me

Objective: Inspect this code! http://2018shell.picoctf.com:28831

Solution: I loaded up the website and looked at the source code, and pretty quickly found this:

    <!-- I learned HTML! Here's part 1/3 of the flag: picoCTF{ur_4_real_1nspe -->

But it's only 1/3 of the flag… It looks like there is a CSS and a JS file referenced in the code, so let's check those out.

Mycss.css

Here is part 2/3 in the CSS:

    /* I learned CSS! Here's part 2/3 of the flag: ct0r_g4dget_b4887011} */

Here is part 3/3 in the java:

    /* I learned JavaScript! Here's part 3/3 of the flag:   */

*** There really isn't anything in here, so let's just combine the two parts we found:

    picoCTF{ur_4_real_1nspe ct0r_g4dget_b4887011}

PicoCTF2018 - Forensics - What's My Name?

Objective: Say my name, say my name.

Hints: (1) If you visited a website at an IP address, how does it know the name of the domain?

Solution: So the hint is pointing us to DNS, since that is the service that translates names to IPs, so I just filtered the pcap for DNS. There are only two DNS packets in the capture. The first is a query to DNS to find out the IP for thisismyname.com:

    55 1418.342859 192.168.2.12 192.168.2.1 DNS 316 Standard query response 0xaaa0 ANY thisismyname.com A 192.168.2.13 CNAME myname.com MX 5 myname.com MX 10 mx2.myname.com MX 20 mx3.myname.com NS ns1.myname.com NS ns2.myname.com TXT SOA ns1.thisismyname.com

The second is the server's response. Here is the result of following the UDP ...

    .........thisismyname.com.......)............... .....thisismyname.com..............,..... .........,. .myname...........,.....>.........,... .mx2.>.........,.....mx3.>........Q....n