[Day 1] Web Exploitation: A Christmas Crisis [encoding]

  1. Register and log in
  2. Check cookies
  3. Decode using Cyberchef
  4. Recognise format
  5. Adjust username and re-encode using Cyberchef
  6. Replace cookie value and refresh page
  7. Turn everything on → success!
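The weakness behind Day 1 is that the session cookie is only encoded, not signed, so the server trusts whatever the client decodes, edits and re-encodes. The following is an added example (not code from the room or from TryHackMe) that puts the weak scheme next to a hardened one; hex-encoded JSON and the SECRET_KEY value are constructed assumptions, not the room's actual format:

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; a real deployment loads this from server-side config.
SECRET_KEY = b"example-server-secret-do-not-reuse"


def encode_unsigned(session: dict) -> str:
    """Weak scheme (assumed format): cookie = hex(JSON). Encoding is not authentication."""
    return json.dumps(session, sort_keys=True).encode().hex()


def read_unsigned(cookie: str) -> dict:
    """Weak server check: decode the cookie and trust its contents."""
    return json.loads(bytes.fromhex(cookie))


def encode_signed(session: dict) -> str:
    """Hardened scheme: base64(payload) . HMAC-SHA256(payload) under a server-only key."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_signed(cookie: str):
    """Return the session dict only if the tag verifies; None for malformed or edited cookies."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def simulate_edit_unsigned(cookie: str, new_user: str) -> str:
    """Test input: the decode-edit-re-encode step from the notes applied to the weak cookie."""
    session = read_unsigned(cookie)
    session["username"] = new_user
    return encode_unsigned(session)


def simulate_edit_signed(cookie: str, new_user: str) -> str:
    """Same edit on the signed cookie; without the key the old tag has to be reused."""
    payload, tag = cookie.rsplit(".", 1)
    session = json.loads(base64.urlsafe_b64decode(payload))
    session["username"] = new_user
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"{payload}.{tag}"


if __name__ == "__main__":
    weak = encode_unsigned({"username": "guest"})
    print("weak  :", read_unsigned(simulate_edit_unsigned(weak, "admin")))  # edit accepted
    strong = encode_signed({"username": "guest"})
    print("signed:", read_signed(simulate_edit_signed(strong, "admin")))     # None: rejected
```

The fix is the tag, not the encoding: once the server verifies an HMAC with `hmac.compare_digest`, any change to the payload is rejected, and the same check applies whether the cookie was hex, base64 or anything else CyberChef can decode.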

[Day 2] Web Exploitation: The Elf Strikes Back! [file upload]

  1. Create exploit script as described
  2. Go to URL including GET request
  3. Check source code for upload types
  4. Rename script to bypass filter
  5. Upload file. The only response is the message "File received successfully!"
    1. Check Burp Suite history - the POST was to /upload, so perhaps /uploads/? Test: http://10.10.35.237/uploads/ → success!
    2. Also checked page source, found http://10.10.35.237/assets/js/upload.js. It's obfuscated, so use https://beautifier.io/ and http://jsnice.org/ to make sense of it. However, it doesn't seem to reveal much.
    3. Hints suggest using a directory brute-forcer
  6. Set up netcat listener: $ sudo nc -lvnp 443
  7. Click file from http://10.10.35.237/uploads/, or visit full URL http://10.10.35.237/uploads/php-reverse-shell.jpg.php
  8. Check netcat, find shell
  9. sh-4.4$ cat /var/www/flag.txt → success!
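Day 2 works because the extension check lives in client-side JavaScript (upload.js) and is satisfied by a name like php-reverse-shell.jpg.php, after which the file is served from a web-accessible /uploads/ directory that executes PHP. The following is an added example (not the room's code) of the server-side validation that would have stopped it; the weak check is an assumed stand-in for the room's filter, and the sample uploads are constructed, with a harmless placeholder string in place of any script:

```python
import os
import secrets

# Allowlisted extension -> leading magic bytes the content must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}

# Constructed sample uploads: (client-supplied filename, first bytes of content).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("shell.jpg.php", b"<?php placeholder ?>"),  # double extension, as in the notes
    ("shell.php", b"<?php placeholder ?>"),
    ("notes.jpg", b"<?php placeholder ?>"),      # right extension, wrong content
]


def weak_allows(filename: str) -> bool:
    """Assumed weak filter: an allowed extension anywhere in the name passes."""
    return any(f".{ext}" in filename.lower() for ext in ALLOWED)


def strong_allows(filename: str, content: bytes) -> bool:
    """Server-side check: only the final extension counts, it must be allowlisted,
    and the content must carry that type's magic bytes."""
    base = os.path.basename(filename)          # drop any path component
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        return False
    return content.startswith(magic)


def stored_name(filename: str) -> str:
    """Never keep the client's name: random name plus the validated extension."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def triage(samples):
    """Map each sample to (weak verdict, strong verdict) for side-by-side comparison."""
    return {name: (weak_allows(name), strong_allows(name, data)) for name, data in samples}


if __name__ == "__main__":
    for name, verdicts in triage(SAMPLES).items():
        print(f"{name:16} weak={verdicts[0]!s:5} strong={verdicts[1]}")
```

Two further controls belong with this: the upload directory should not have script execution enabled (or should sit outside the web root and be served through a handler), and the client-side check in upload.js stays as a usability aid only, since anything in the browser can be edited before the POST to /upload.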

[Day 3] Web Exploitation: Christmas Chaos [brute force]