Leaderboard

Popular Content

Showing content with the highest reputation on 12/06/20 in all areas

  1. Platforma Intranet
     When we access the challenge page, we see in the footer that we can use the credentials guest:guest. After logging in to the platform, the sidebar shows an “Administrare” option. Accessing that page, we receive the following error message
     Going back to the home page, we see some information about the latest updates. The part that interests us is the following:
     - created a new logic that would verify the JWTs automatically using the following steps:
       - verifies the JWT structure
       - checks for the algorithm to be exactly RS256
       - checks IAT and EXP claims to that JWT is in proper boundaries
       - takes the signing keys (n and e) based on the issuer present in JWT
       - verifies the signature based on the signing keys received
     In short, the JWT is verified according to the issuer present in the token. After logging out, we open the Network tab and watch the requests sent for login. We will see that the application uses the implicit flow to request an access token, which is sent to login.php.
     To simulate the same request, we created a tenant similar to the one the application uses and used an identical request to generate the following JWT, which has the user the application expects:
     eyJraWQiOiJ4VWhFTzFzYVhqSTJaM2M3a08tZ3hTMjlfQWtNa202QlNsNXRXY1pPbmVzIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULll6d1JYaG0wQVNHQWRtVmxBanFZcHlfWjJOank5MXhOUTJHUU4wMktrN0kiLCJpc3MiOiJodHRwczovL2RyYWdvcy5va3RhLmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE2MDYxMjYzNjYsImV4cCI6MTYwNjEyNjY2NiwiY2lkIjoiMG9hMmZhdHg3MEpHaVUyVEEycDciLCJ1aWQiOiIwMHVvemJnYzAzd3pxb2FYcDJwNiIsInNjcCI6WyJvcGVuaWQiLCJlbWFpbCJdLCJzdWIiOiJpdEBhd2Vzb21lY29tcGFueS5jb20ifQ.IkdKksUZvOJeyKpCY2obaOQbTSri7PQ0460YF0qgl8lWy_Pv2HzDx2-tj_w626TJfeSlwe6AzEK6WFtSfMeOY8qTMK5bp0uv9nZ0HAooxyGoXD2NQFZdXtTjGhtwjGFhB6ay1RN9iYd70dZCRbS21OHM6ExT75dyeZk9oPZ7g9D8JwtnC6xz4-Se2A0KQ7lL6TRNePuu0pkcXIuuz4bQpWc-KfW-TEVLzWkFK4f9mKxglAZY6SyXfxtsr1gm4qATjAmlFdJiwqx1Ts7-i-dcT29ypOYQKDnMXiGU1f_Aidy3BvPqDWJAW1muezEbGk1hOFYth1zrZKOv3I5IQ3DDGg
     After we injected the token into login.php, the platform logs us in successfully. Navigating to the Administrare page, we see that we are logged in as the user it@awesomecompany.com. Looking at the page source, we also find the flag.
    3 points
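
An added example, not part of the original post or of the challenge's own code: the verification steps quoted in the write-up above pick the signing keys from the issuer named inside the token, so the key source is chosen before anything is authenticated. The sketch below puts that behaviour next to a hardened variant that pins the issuer first; the issuer URLs, the `/keys` path and all function names are assumptions made for illustration.

```python
import base64
import json

# Assumption: constructed allowlist; a real deployment pins its own IdP issuer here.
TRUSTED_ISSUERS = {"https://login.example.com/oauth2/default"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _segment(seg: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def make_sample_token(iss: str, now: int, alg: str = "RS256") -> str:
    """Constructed test token; the signature part is a placeholder, not a real one."""
    claims = {"iss": iss, "iat": now - 10, "exp": now + 300, "sub": "user@example.com"}
    parts = [json.dumps({"alg": alg}).encode(), json.dumps(claims).encode(), b"placeholder"]
    return ".".join(_b64url(p) for p in parts)

def precheck(token: str, now: int) -> dict:
    """Structure, algorithm and IAT/EXP checks from the changelog (no signature yet)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header, claims = _segment(parts[0]), _segment(parts[1])
    if header.get("alg") != "RS256":
        raise ValueError("algorithm must be exactly RS256")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token outside its validity window")
    return claims

def key_source_as_described(token: str, now: int) -> str:
    """Changelog behaviour: key location comes from the still-unverified iss claim."""
    claims = precheck(token, now)
    return claims["iss"].rstrip("/") + "/keys"  # hypothetical JWKS path

def key_source_pinned(token: str, now: int, trusted=TRUSTED_ISSUERS) -> str:
    """Hardened: refuse any issuer that is not pinned before touching its keys."""
    claims = precheck(token, now)
    if claims["iss"] not in trusted:
        raise PermissionError("untrusted issuer: " + claims["iss"])
    return claims["iss"].rstrip("/") + "/keys"  # hypothetical JWKS path
```

With the pinned variant, a token from any other tenant is rejected before its keys are ever fetched, so a valid RS256 signature from that tenant no longer matters.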
  2. Aresty File Uploader
     Analyzing the page's HTML source, we see that the file upload form does not contain enctype="multipart/form-data", so we drop the idea of uploading a file to the server. The challenge involves accessing the file “flag.php”, so we can try a classic LFI, file://flag.php, which will give us the flag:
    2 points
  3. Ceainicul
     When we access the challenge URL, we receive a JSON with an error message:
         [dragos@localhost ~]$ curl --location --request GET 'http://vps-f9a499e6.vps.ovh.net/'
         {"raspuns":400,"mesaj":"Alegeti optiunile corecte pentru cafea."}
     After we change the verb to OPTIONS, we receive a new message:
         [dragos@localhost ~]$ curl --location --request OPTIONS 'http://vps-f9a499e6.vps.ovh.net/'
         {"raspuns":418,"mesaj":"Eu sunt un ceainic. Tu esti un ceainic?"}
     One of the simplest ways to send the client's identity is through the User-Agent header, so we add it to the request and receive a new message:
         [dragos@localhost ~]$ curl --location --request OPTIONS 'http://vps-f9a499e6.vps.ovh.net/' --header 'User-Agent: ceainic'
         {"raspuns":400,"mesaj":"Nu ai adaugat corect ingredientul pentru cafea sau l-ai adaugat incorect. Foloseste Accept pentru a-l adauga."}
     We add the Accept header to the request and receive another message:
         [dragos@localhost ~]$ curl --location --request OPTIONS 'http://vps-f9a499e6.vps.ovh.net/' --header 'User-Agent: ceainic' --header 'Accept: e'
         {"raspuns":200,"mesaj":"Esti aproape, literele introduse sunt in ingredient."}
     After various attempts, we find the correct flag:
         [dragos@localhost ~]$ curl --location --request OPTIONS 'http://vps-f9a499e6.vps.ovh.net/' --header 'User-Agent: ceainic' --header 'Accept: RST{eeff5afef66df62b9aac370c3f3b9b7c16e7e3c809297092b461b5718497f077}'
         {"raspuns":201,"mesaj":"Cafeaua este gata."}
    2 points
  4. Liftul
     The challenge gives us three sets of binary numbers that can be written one under another, in the following form:
         1010101001101010
         0110110010101001
         0000100000101000
     Since there are three rows and an even number of digits on each row, we can check whether the text is Braille. Using the following table and splitting the numbers into groups of 2 digits across three rows, we arrive at the following result:
         10 10 10 10 01 10 10 10
         01 10 11 00 10 10 10 01
         00 00 10 00 00 10 10 00
         e  b  r  a  i  l  l  e
     Following the note in the challenge description, we encode the text “ebraille” with SHA256 and add RST{ and }, obtaining the flag RST{5bf2896f28f6fe0d66d5e52e3d239de5a86252e8cbf027bb911b3bb84a683282}.
    2 points
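
An added example, not part of the original post: a small decoder for the layout used in the write-up above, where three rows of bits form 2x3 Braille cells that are read left to right. The function names are assumptions; the letter table is the standard Braille alphabet, and the flag format (RST{ + SHA256 hex + }) follows the post.

```python
import hashlib

# Standard Braille letters as raised-dot numbers (dots 1-3 left column, 4-6 right column).
BRAILLE_DOTS = {
    "a": "1", "b": "12", "c": "14", "d": "145", "e": "15", "f": "124", "g": "1245",
    "h": "125", "i": "24", "j": "245", "k": "13", "l": "123", "m": "134", "n": "1345",
    "o": "135", "p": "1234", "q": "12345", "r": "1235", "s": "234", "t": "2345",
    "u": "136", "v": "1236", "w": "2456", "x": "1346", "y": "13456", "z": "1356",
}
CELL_TO_LETTER = {frozenset(dots): ch for ch, dots in BRAILLE_DOTS.items()}
CELL_TO_LETTER[frozenset()] = " "  # an empty cell is a space

def decode_braille_rows(rows):
    """Decode three equal-length bit strings, two bits per cell per row."""
    if len(rows) != 3 or len({len(r) for r in rows}) != 1 or len(rows[0]) % 2:
        raise ValueError("need three rows of equal, even length")
    if any(set(r) - {"0", "1"} for r in rows):
        raise ValueError("rows may contain only 0 and 1")
    letters = []
    for col in range(0, len(rows[0]), 2):
        dots = set()
        for r, row in enumerate(rows):
            if row[col] == "1":
                dots.add(str(r + 1))   # left column holds dots 1, 2, 3
            if row[col + 1] == "1":
                dots.add(str(r + 4))   # right column holds dots 4, 5, 6
        letters.append(CELL_TO_LETTER.get(frozenset(dots), "?"))  # "?" = not a letter
    return "".join(letters)

def make_flag(text):
    """Flag format from the post: RST{ + SHA256 hex digest of the text + }."""
    return "RST{" + hashlib.sha256(text.encode()).hexdigest() + "}"

# The three rows given by the challenge, as quoted in the post.
ROWS = ["1010101001101010", "0110110010101001", "0000100000101000"]

if __name__ == "__main__":
    word = decode_braille_rows(ROWS)
    print(word, make_flag(word))
```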
  5. Diggy is an incredibly powerful, beautiful, easy to use notebook with the SciPy stack preinstalled that works right in your browser without relying on server-side code. Surely, it's free.
     Our mission is to create the most powerful learning platform accessible to everyone. We are confident that teachers, students, and scientists deserve a better platform.
     Whether you are researching for an academic essay, a professional report or just for fun, Diggy lets you bring out the best in your data analytics, prepare gorgeous visualization in just about any way you can imagine. And thanks to its intuitive and accessible design, Diggy is delightfully easy to use — whether you’re just starting out with data analysis or you’re a seasoned pro.
     Our goal is to make coding magnitudes easier, which we believe will allow millions of people to learn and start using Python in daily life.
     Learn more

     Diggy Notebook
     Diggy, like Jupyter is a computational environment that is made up of small blocks called cells. Together they form a notebook.

     Reactive Programming
     Diggy is reactive. Meaning that it doesn’t run cells from top to bottom, instead Diggy maintains a special data structure called direct acyclic graph (DAG) that calculates the execution order. When you change a variable, Diggy automatically re-evaluates all its dependencies. Thus, there’s no hidden, no mutable state. It’s always up-to-date, you don’t have to restart & run all cells to make sure that all cells are aligned.

     Python 3
     Diggy runs Python 3. In fact, it runs CPython which is a reference implementation of the Python programming language.

     No server-side
     All Diggy notebooks could be edited, written and executed entirely in your browser. There’s no server-side component to execute your code. Therefore, your code could react to user interaction within milli- and nanoseconds.

     Simplicity in mind
     There’s only one kind of cell. All cells in Diggy contain Python code; for example, if you need to render a markdown or HTML, there’re special helper functions. The result of evaluation is always based on cell’s type.

     Secure
     The browser sandbox lets you run Python code safely, it won’t be able to open a file in your file system or open a TCP socket.

     Try it out
     Source
    1 point
  6. Rubber ducky fake update ;)))) https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload---Fake-Update-Prank
    1 point
  7. I understood nothing. What's the problem? Didn't you know you have to hand over your ID card when you vote, or what?
    1 point
  8. I take your ID card in exchange for the ballot and the stamp, and give it back to you only after you have put the ballot in the box and handed back the stamp.
    1 point