0xL4ughCTF-write-up
Hi , My name is Ahmed Magdy
I would like to thank all the organizers for this CTF
Let’s go solving the web challenge
1- Challenge Name : cake
To solve the challenge we need buy the flag cake
When i check the sourse code i don’t find anything so I check in case i find the cookies
I find this cookies
GMYDAMBQGA%3D%3D%3D%3D%3D%3D
It is same Balance i have so add some Balance and return it to Base32 and URL Encode
Add the new cookies to buy the flag cake
Save the cookies and reload the page and buy it
Flag: 0xL4ugh{baSe_32_Cook!es_ArE_FuNny}
2 - Challenge Name : sad_agent
I don’t find anything in source code and I check in case i find the cookies i don’t find anything again so
So click in chek it is echo USER_AGENT
Open burp-suite and intercept is off
with burp-suite the
url=ZWNobyAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107
it is base 64 >> echo $_SERVER[‘HTTP_USER_AGENT’];
so check this command >> show_source(‘index.php’); but return it base64
Flag: 0xL4ugh{S@dC0d3r_M3mbe3r_1n_0xL4ugh_&_sad_W0rld}
3 - Challenge Name : Easy_Blog
Check the sourse code i find the user and pass = admin in there in a HTML comment
Check the sourse code again i find the hint in there in a HTML comment
So we need to inject HTML into the Blog as
<script>document.getElementById(‘main’).setAttribute(‘id’,’flagHunt’);</script>
In the Your Blog section
When post we get this
And are requested to check the console
Flag:0xL4ugh{N0_Syst3m_1s_S@f3_3v3n_Y0u}
4 - Challenge Name : Cats
I don’t find anything in source code
Let’s see what is in it robots.txt
So go to the /flag.txt
When open the /flag.txt it is 404 Not Found but it is Nginx/1.19.6 server
I think it Path traversal misconfigured NGINX
Flag: 0xL4ugh{N1C3_Y0U_F1ND_MY_CATS}
5 - Challenge Name : Embedding
I don’t find anything in source code and I check in case i find the cookies i don’t find anything again so
So add anything and click in submit Query
We tried to input anything bad Lol we hacker 3:)
We have some filters and some commands not run as a cat
So will write the source code
we have more Way to solve it
1.the way to solve it >> Iam
2. the way to solve it >> Abdalla TarekFlag:0xL4ugh{Z!90o_S@y_W3lC0m3}
6 - Challenge Name : Dark Login
The longest challenge it has faced to this day.
I was bored for his height, but it’s a good challenge.
There are some new ideas that I encountered in it
Add anything to login i find it
Check the sourse code i find the hint in there in a HTML comment
Let’s see what is in it robots.txt
When open it is Forbidden so i will bypass it with curl
It is Fake Fl@g and flag.GIF
Looool Fake Fl@g :(
With dirb i find the dir KEY.txt
user = admin@DarkLogin.death …. pass = W3@llL1k3D@rkn3ss
When I tried Injecting XSS Payload into the field as
<script> alert(1)</script>
Looking at the page’s source code
I tried Injecting XSS Payload with hint as <script>document.getElementById('main').setAttribute('id','flag');</script>
Download the file from this link
Go to the pastebin.com i find the file need pass
So go to the 796f754e6f774d650a.php when open it it is Forbidden
Looking at the page’s source code
This clip caught my attention I Also Like The Parameters Specially If Its Value Was false
So i think try any Parameters with Value false when try it i find the
http://40.112.217.104/DarkLogin/796f754e6f774d650a.php?id=false
In the end, I got the flag
Flag: 0xL4ugh{M1nd_Bl0w1ng_15_C00l}
The longest challenge it has faced to this day.
7 - Challenge Name : Evil Panel
note > It's a Real Example Challenge , Try to use your brain to get the admin panel note : automated tools won’t help you
I don’t find anything in source code and I check in case i find the cookies i don’t find anything and check in robots.txt again don’t find anything so
Go to the dirb and again don’t find anything important except
But need the page upload to upload my shell :(
So ask for hint The response was try with word list others to find the page login in end find the new dir :)
I find the login page so try the admin : admin
Try the SQL Inject
We have Fatal error so try anther SQL inject
Welcome Admin ….
Will Upload shell
Have filter but bypass it with Big letters in File extension > ِِAhmed.PHP
It is work but i cant find the dire the shell :(
Go to the dir http://40.70.205.250/Evil_Panel/images/
I find my shell
but i cannot run my command :(
After CTF end i ask friend about it The response it is windows server not Linux Server
Flag: null :(
End the web challenge…… I solve it :)
Think you for your time :)
I would like to thank all the organizers for this CTF again:)
And finally, Thank you to read this write-up :)
I need to join a new team to play CTF with them
Contact me if you want : Ahmed Magdy :)