0xL4ughCTF-write-up

Hi , My name is Ahmed Magdy

I would like to thank all the organizers for this CTF

Let’s go solving the web challenge

1- Challenge Name : cake

To solve the challenge we need buy the flag cake

When i check the sourse code i don’t find anything so I check in case i find the cookies

I find this cookies
GMYDAMBQGA%3D%3D%3D%3D%3D%3D

cyber chef

It is same Balance i have so add some Balance and return it to Base32 and URL Encode

cyber chef

Add the new cookies to buy the flag cake

Save the cookies and reload the page and buy it

Flag: 0xL4ugh{baSe_32_Cook!es_ArE_FuNny}

2 - Challenge Name : sad_agent

I don’t find anything in source code and I check in case i find the cookies i don’t find anything again so

So click in chek it is echo USER_AGENT

Open burp-suite and intercept is off

burp-suite

with burp-suite the

url=ZWNobyAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107

it is base 64 >> echo $_SERVER[‘HTTP_USER_AGENT’];

so check this command >> show_source(‘index.php’); but return it base64

cyber chef

Flag: 0xL4ugh{S@dC0d3r_M3mbe3r_1n_0xL4ugh_&_sad_W0rld}

3 - Challenge Name : Easy_Blog

Check the sourse code i find the user and pass = admin in there in a HTML comment

user and pass = admin
anything to test

Check the sourse code again i find the hint in there in a HTML comment

So we need to inject HTML into the Blog as

<script>document.getElementById(‘main’).setAttribute(‘id’,’flagHunt’);</script>

In the Your Blog section

<script>document.getElementById(‘main’).setAttribute(‘id’,’flagHunt’);</script>

When post we get this

And are requested to check the console

Flag:0xL4ugh{N0_Syst3m_1s_S@f3_3v3n_Y0u}

Flag:0xL4ugh{N0_Syst3m_1s_S@f3_3v3n_Y0u}

4 - Challenge Name : Cats

I don’t find anything in source code

Let’s see what is in it robots.txt

/flag.txt

So go to the /flag.txt

When open the /flag.txt it is 404 Not Found but it is Nginx/1.19.6 server

nginx/1.19.6

I think it Path traversal misconfigured NGINX

Path traversal misconfigured NGINX
cats../flag.txt

Flag: 0xL4ugh{N1C3_Y0U_F1ND_MY_CATS}

5 - Challenge Name : Embedding

I don’t find anything in source code and I check in case i find the cookies i don’t find anything again so

So add anything and click in submit Query

We tried to input anything bad Lol we hacker 3:)

We have some filters and some commands not run as a cat

Bad Character Detected or you Break The Limit

So will write the source code

we have more Way to solve it
1.the way to solve it >> Iam
2. the way to solve it >> Abdalla Tarek

Flag:0xL4ugh{Z!90o_S@y_W3lC0m3}

6 - Challenge Name : Dark Login

The longest challenge it has faced to this day.
I was bored for his height, but it’s a good challenge.
There are some new ideas that I encountered in it

Add anything to login i find it

Check the sourse code i find the hint in there in a HTML comment

<! — LnR4dA==→ base64 as .txt

Let’s see what is in it robots.txt

/flag.php

When open it is Forbidden so i will bypass it with curl

curl -X POST 40.112.217.104/Dark Login/flag.php

It is Fake Fl@g and flag.GIF

Looool Fake Fl@g :(

With dirb i find the dir KEY.txt

user
pass

user = admin@DarkLogin.death …. pass = W3@llL1k3D@rkn3ss

When I tried Injecting XSS Payload into the field as

<script> alert(1)</script>

:)(:

Looking at the page’s source code

Try To Access Element main An Inject HTML On It

I tried Injecting XSS Payload with hint as <script>document.getElementById('main').setAttribute('id','flag');</script>

see the console

Download the file from this link

796f754e6f774d650a.php

Go to the pastebin.com i find the file need pass

So go to the 796f754e6f774d650a.php when open it it is Forbidden

403 Forbidden

Looking at the page’s source code

I Also Like The Parameters Specially If Its Value Was false

This clip caught my attention I Also Like The Parameters Specially If Its Value Was false

So i think try any Parameters with Value false when try it i find the

http://40.112.217.104/DarkLogin/796f754e6f774d650a.php?id=false

Your Password Is :- dac64421e6d507ef3817b661943ad3b3

In the end, I got the flag

Flag: 0xL4ugh{M1nd_Bl0w1ng_15_C00l}

The longest challenge it has faced to this day.

7 - Challenge Name : Evil Panel

note > It's a Real Example Challenge , Try to use your brain to get the admin panel note : automated tools won’t help you

0xl4ugh Team

I don’t find anything in source code and I check in case i find the cookies i don’t find anything and check in robots.txt again don’t find anything so

Go to the dirb and again don’t find anything important except

http://40.70.205.250/Evil_Panel/images/

http://40.70.205.250/Evil_Panel/images/

But need the page upload to upload my shell :(

So ask for hint The response was try with word list others to find the page login in end find the new dir :)

/evil_admin.php

I find the login page so try the admin : admin

Your Entered Username/Password do not match with our database so please enter Right info…

Try the SQL Inject

‘ or 1=1;
Fatal error:

We have Fatal error so try anther SQL inject

‘ or ‘1’=’1;
Welcome Admin ….

Welcome Admin ….

Upload your File

Will Upload shell

Have filter but bypass it with Big letters in File extension > ِِAhmed.PHP

It is work but i cant find the dire the shell :(

Go to the dir http://40.70.205.250/Evil_Panel/images/

I find my shell

but i cannot run my command :(

After CTF end i ask friend about it The response it is windows server not Linux Server

Flag: null :(

End the web challenge…… I solve it :)

Think you for your time :)

I would like to thank all the organizers for this CTF again:)

And finally, Thank you to read this write-up :)

I need to join a new team to play CTF with them

Contact me if you want : Ahmed Magdy :)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed Magdy

Interested in infosec || CTF Player || Pentester || Bug Hunter || Security Researcher