
Wargames.MY December 2018 – aes-ecb-magic

We’re given the source of the encryption program and notice that the padding block size is hidden.

And it’s using character “A” (0x41) as the padding.

The Flag is added to the input before encryption and there doesn’t seem to be any other leading or trailing text to the input besides the flag.

While we might not be able to retrieve the key, we can still retrieve the flag.

First we must figure out the block size.

We can start by incrementing the input size by 1 each time until a new block is generated.

We see a new block of ciphertext generated upon entering the 10th character and again at the 26th character.

Subtracting the two gives us our block length, in this case 26-10 = 16 bytes.
Considering we start off with three blocks, this gives us a little hint about the size of the flag.
3 blocks is 49 bytes, after removing our padding the flag is 39 characters.

Because of the nature of ECB, we know that identical blocks of plaintext will give us identical blocks of ciphertext and we can use this to our advantage.

To test our theory, we start off by inputting padding of one character less than the block length.
In this case that is 15 A’s.

The 16th character slot would have been occupied by the first character of the flag when it was encrypted, so now we try different characters in that position until we receive an identical first block of ciphertext.

When we try ‘g’ the ciphertext is clearly different, but what happens when we try ‘w’?

Bingo! It’s a match, and that’s the first character of our flag. We can proceed similarly to find the next character, and so forth.

Once you’ve used up your padding, you can add more, use the characters of the flag you’ve already discovered, and continue on, except that you’ll now be comparing the next block of ciphertext, until you reach the end.
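The whole procedure described above (find the block size from where the ciphertext grows, derive the flag length, then recover the secret one byte at a time) run against a local model of the challenge service. This is an added example, not the challenge’s own code: the key is a constructed stand-in, the per-block “encryption” is a keyed hash truncated to 16 bytes rather than AES (only the ECB property matters here, namely that identical plaintext blocks give identical ciphertext blocks), and the flag is the one from the writeup with its dashes as plain ASCII hyphens, which gives the 39 characters counted above.

```python
import hashlib

BLOCK_SIZE = 16
# Constructed stand-in key; the real challenge key is unknown and never needed.
DEMO_KEY = b"constructed-demo-key-not-from-the-ctf"
# The flag as recovered in the writeup (39 bytes).
FLAG = b"wgmy{--ecb_1s_n0t_th4t_s3cure_right?--}"
PRINTABLE = bytes(range(0x20, 0x7F))


def encrypt_block(block: bytes) -> bytes:
    """Stand-in for one AES block encryption under a fixed key.

    A keyed hash truncated to the block size is deterministic per block, which
    is the only ECB property this demonstration relies on. It is not AES and not
    invertible, but identical blocks still collide exactly as in AES-ECB.
    """
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(DEMO_KEY + block).digest()[:BLOCK_SIZE]


def pad_with_a(data: bytes) -> bytes:
    """Pad with 'A' (0x41) up to the next multiple of the block size, as the challenge does."""
    remainder = len(data) % BLOCK_SIZE
    return data if remainder == 0 else data + b"A" * (BLOCK_SIZE - remainder)


def oracle(user_input: bytes) -> bytes:
    """Model of the service: flag appended to the input, padded, each block encrypted independently."""
    plaintext = pad_with_a(user_input + FLAG)
    return b"".join(encrypt_block(plaintext[i:i + BLOCK_SIZE])
                    for i in range(0, len(plaintext), BLOCK_SIZE))


def probe_oracle(oracle_fn):
    """Grow the input one byte at a time and watch for the ciphertext to gain a block.

    Returns (first_growth, second_growth, block_size, secret_length): the gap between
    the two growth points is the block size, and the secret length follows from the
    initial ciphertext length and the first growth point.
    """
    base_len = len(oracle_fn(b""))
    current_len = base_len
    first_growth = None
    for n in range(1, 3 * 64):
        out_len = len(oracle_fn(b"A" * n))
        if out_len > current_len:
            if first_growth is None:
                first_growth, current_len = n, out_len
            else:
                # first_growth bytes of input plus the secret no longer fit in base_len,
                # so the secret itself occupied base_len - first_growth + 1 bytes.
                return first_growth, n, n - first_growth, base_len - first_growth + 1
    raise RuntimeError("ciphertext never grew; not a block-mode oracle?")


def recover_secret(oracle_fn, block_size, secret_length, alphabet=PRINTABLE):
    """Byte-at-a-time recovery: park one unknown byte at the end of a block, then find
    the guess whose block matches the block the oracle produced for that position."""
    known = b""
    for i in range(secret_length):
        prefix = b"A" * (block_size - 1 - (i % block_size))
        start = (i // block_size) * block_size
        end = start + block_size
        target = oracle_fn(prefix)[start:end]
        for c in alphabet:
            guess = prefix + known + bytes([c])
            if oracle_fn(guess)[start:end] == target:
                known += bytes([c])
                break
        else:
            raise ValueError(f"no match for byte {i}; alphabet too small?")
    return known


if __name__ == "__main__":
    first, second, size, length = probe_oracle(oracle)
    print(f"new block at {first} and {second}: block size {size}, secret length {length}")
    print(recover_secret(oracle, size, length).decode())
```

Against this model the ciphertext grows at inputs of 10 and 26 bytes, matching the writeup, and the recovered length is 48 - 10 + 1 = 39. The defensive takeaway is the one the flag itself states: any deterministic per-block mode lets an attacker who controls part of the plaintext compare blocks, so authenticated modes with a fresh nonce (for example AES-GCM) should be used instead of ECB.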

A few guesses later, that question mark gives us hope that we’re nearing the end of the flag.

Flag: wgmy{--ecb_1s_n0t_th4t_s3cure_right?--}

Now you should be able to do this in a much more elegant fashion using a padbuster script, but we did what needed to be done to get the flag… even if that meant doing it manually 😛

POC:

First block of the flag


References:

https://zachgrace.com/posts/attacking-ecb/

Wargames.MY December 2018 – Business Proposal

Dear Business person ; This letter was specially selected to be sent to you . If you no longer wish to receive our publications simply reply with a Subject: of “REMOVE” and you will immediately be removed from our club . This mail is being sent in compliance with Senate bill 2516 , Title 6 , Section 301 . THIS IS NOT A GET RICH SCHEME ! Why work for somebody else when you can become rich inside 47 weeks ! Have you ever noticed how long the line-ups are at bank machines and nearly every commercial on television has a .com on in it ! Well, now is your chance to capitalize on this ! We will help you deliver goods right to the customer’s doorstep and increase customer response by 170% ! The best thing about our system is that it is absolutely risk free for you . But don’t believe us . Prof Simpson who resides in Maryland tried us and says “I was skeptical but it worked for me” ! We are licensed to operate in all states ! We IMPLORE you – act now . Sign up a friend and you’ll get a discount of 30% . God Bless ! Dear Cybercitizen ; You made the right decision when you signed up for our mailing list . If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail . This mail is being sent in compliance with Senate bill 2116 , Title 9 , Section 301 . This is a ligitimate business proposal . Why work for somebody else when you can become rich as few as 97 months . Have you ever noticed people love convenience plus society seems to be moving faster and faster ! Well, now is your chance to capitalize on this ! WE will help YOU deliver goods right to the customer’s doorstep & turn your business into an E-BUSINESS . The best thing about our system is that it is absolutely risk free for you ! But don’t believe us . Ms Anderson of Hawaii tried us and says “I was skeptical but it worked for me” ! We are licensed to operate in all states ! We BESEECH you – act now ! Sign up a friend and you get half off ! God Bless .

So the text is recognised as spam mail.

Simply use Spammimic to decode it:
http://www.spammimic.com/

Flag: wgmy:{spam_spam_spam}

NanoSec x Wargames.MY CTF – Super Next Generation WAF

It’s too late for me to submit the flag..lol!

So the challenge is:

So I heard you're hacker. I setup Super Next Gen. AumWAF to protect my l33t website.
Please hack my website.

Thanked!

http://supernext-gen-aumwaf.wargames.my/

Webpage (screenshot: supernextgenerationwaf)

sql.php page (screenshot: hackme)

As expected, any SQL injection attempt returns the error message below (screenshot: sqlinjectionattempt).

Nmap result: noticed “/*.bak” in robots.txt.

Let’s check whether a backup file exists: sql.php.bak -> Yes!! It does exist!!

PHP file source code:

First, I noticed $_REQUEST[‘id’] was sent to the filter, but $_GET[‘id’] was sent to a function. After some research I learnt that $_REQUEST gets its values from $_GET, $_POST and $_COOKIE respectively; this is the default order defined in the php.ini file and can be changed. [seriously, I copied this info from somewhere]

The idea is to change the request from GET to POST while keeping the GET parameters in the URL: $_POST[‘id’] will overwrite $_REQUEST[‘id’], so our $_GET[‘id’] parameter never reaches the filter.
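A small model of the check-versus-use mismatch, written for this writeup and not taken from the challenge’s PHP: `build_request` mimics how $_REQUEST is assembled by merging sources in the configured order (with “GP”, POST overwrites GET), `handle_vulnerable` mirrors the sql.php.bak pattern of filtering $_REQUEST[‘id’] while querying with $_GET[‘id’], and `handle_fixed` shows the defensive form, which validates the very value it uses and binds it as a parameter. The digit-only filter, the table name and the sample inputs are constructed for the example.

```python
def build_request(get, post, cookie, request_order="GP"):
    """Model of how PHP fills $_REQUEST: the sources named in request_order are
    merged left to right, and a later source overwrites an earlier one for the
    same key. "GP" (POST wins over GET) is the default the writeup describes."""
    sources = {"G": get, "P": post, "C": cookie}
    merged = {}
    for letter in request_order:
        merged.update(sources[letter])
    return merged


def waf_allows(value):
    """Stand-in for the challenge filter: only a plain integer id is accepted."""
    return value.isdigit()


def handle_vulnerable(get, post, cookie):
    """The sql.php.bak pattern: the filter inspects $_REQUEST['id'], but the
    query is built from $_GET['id'], so a clean POST body satisfies the check
    while the unfiltered GET value is concatenated into the statement."""
    request = build_request(get, post, cookie)
    if not waf_allows(request.get("id", "")):
        return "blocked"
    return "SELECT * FROM items WHERE id = " + get.get("id", "")


def handle_fixed(get, post, cookie):
    """Fix: read the value once from the source the query uses, validate that same
    value, and pass it as a bound parameter instead of concatenating it."""
    value = get.get("id", "")
    if not waf_allows(value):
        return "blocked"
    return ("SELECT * FROM items WHERE id = ?", (int(value),))


if __name__ == "__main__":
    # Constructed sample: a non-numeric id in the URL, a harmless id in the POST body.
    get, post, cookie = {"id": "1 OR 1=1"}, {"id": "1"}, {}
    print(handle_vulnerable(get, post, cookie))   # the GET value reaches the query
    print(handle_fixed(get, post, cookie))        # blocked
```

The fixed handler makes the filter irrelevant to the outcome: whatever precedence order php.ini configures, the value that is validated is the value that is used, and parameter binding keeps it out of the SQL text altogether.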

So, to get the flag (+ hint was provided):


Flag: wgmy{aumwaf_1z_th3_b3st_w4f}
Credit:
1. https://www.pwndiary.com/write-ups/sec-t-ctf-2017-naughty-ads-write-up-web200/
2. Ramadhan -> improvised my curl request.

[THE END]

Hackthebox Olympus Walkthrough

Initial Foothold – Crete Island

Nmap result:

Port 80 enumeration
– Dirbuster: no interesting pages or directories.
– Nikto: found the uncommon header xdebug 2.5.5.
– Xdebug is an extension for PHP to assist with debugging and development.
– Xdebug < 2.5.5 suffers from unauthenticated OS command execution.
– Exploit: https://github.com/vulhub/vulhub/blob/master/php/xdebug-rce/exp.py
