theeternalwanderer Posted June 23, 2015
After the success of N00B CTF, the folks at InfoSec Institute have released another CTF. Enjoy.
Practical Website Hacking

mah_one Posted June 24, 2015 (edited)
I will start with Level 13.

At Level 13 I have to redirect the user to another website using the URL: http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ex13-task.php

//Edited
The problem is that you can't use "http://" at the beginning of the word you send as the value of the "redirect" parameter. Most probably there is a blacklist and I have to bypass it.

There is a quick solution to bypass this inconvenience, but I will let others think about it.

I chose to explain a method to redirect anyone to anything using the ftp wrapper. After several attempts to bypass the mechanism that prevents me from using certain words, I managed to find that I can use the "ftp" wrapper. So here's my writeup.

If I load the link:
http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ftp://attackerwebsite.com/file
the web application redirects me to ftp://attackerwebsite.com/file.

From the ftp page I have to make another redirect to a web server, "http://attackerwebsite.com/".

For this I used a script written in Python to emulate an ftp server; for any request to the ftp server, the script always returns the same file, without authentication.

Start the python script:

Having the ftp server up, the question is what should I return back to the victim's browser?

On a page that loads an ftp file, the browser will not execute javascript like <script>JAVASCRIPT CODE THAT REDIRECTS THE VICTIM ON ANOTHER PAGE</script>, but will interpret html tags.

To make another redirection from the ftp page to attackerwebsite.com I have to use the following html code inside the '/tmp/test' file:
<html><meta http-equiv="refresh" content="0;URL='http://attackerwebsite.com/'" /></html>

Having everything ready, let's try to make a redirection to https://attackerwebsite.com/

Load the following link in a tab:
http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=ftp://1758432401/file

ftp://1758432401/file is the same as http://104.207.140.145/ (dword representation)

My python script responded with the file located in '/tmp/test':
"[i 15-06-24 07:46:38] x.x.104.6:20970-[anonymous] RETR /tmp/test completed=1 bytes=301 seconds=0.002"

In the browser the html code <html><meta http-equiv="refresh" content="0;URL='http://attackerwebsite.com/'" /></html> redirected me to attackerwebsite.com

Edited July 18, 2015 by mah_one

mirrorer Posted June 24, 2015
Any hints for the lower levels? (solutions, since there are already hints ..)

Amidamaru Posted June 24, 2015
Nice description mah_one but somehow you've spoiled the beauty of that level

Stealth Posted June 25, 2015 (edited)
bla bla
Edited June 25, 2015 by Stealth

mah_one Posted June 25, 2015 (edited)
"Nice description mah_one but somehow you've spoiled the beauty of that level"

There are other ways to solve that challenge; as Stealth said in the reply above, there is a way to inject \r\n.
That challenge is very easy, easier than I or Stealth explained.
Keep looking, the easiest solution hasn't been spoiled so far.
Edited June 25, 2015 by mah_one

Stealth Posted June 25, 2015 (edited)
So, like this:
http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=//http://slacker.ro
Edited June 25, 2015 by Stealth

TheTime Posted June 25, 2015 (edited)
"So the solution was: %0d%0a%20http://slacker.ro
http://ctf.infosecinstitute.com/ctf2/exercises/ex13.php?redirect=%0d%0a%20http://slacker.ro"

That will be a valid redirect when pigs fly. It's hilarious to see someone puff himself up and act too clever, only to get it badly wrong.
Simple solution: Practical Website Hacking - Exercise 12
Real redirect: Google
Anyway, subtleties...
Edited June 25, 2015 by TheTime

Stealth Posted June 25, 2015 (edited)
Yes, that's right.
Edited June 25, 2015 by Stealth

aelius Posted June 25, 2015 (edited)
@Stealth: Damn you. You were quick to find a reason to take mah_one down a peg. Let the man do his thing. To me it seems he explains things quite well and knows what he's doing.
// edit: Did you delete your post, man? Hahahah
Edited June 25, 2015 by aelius

TheTime Posted June 25, 2015
"Hold on a moment, my friend, I don't get the allusion. What do you mean it's not a valid redirect? Give an explanation too, if you're such a h4ck3r like mah_one."

I expected you wouldn't understand. In short, after the newline you had to either add a new header that performs the redirect, or add another newline and a body with JavaScript that performs the redirect.
The answer you gave solves their challenge, but it isn't a real redirect. In the meantime they changed something on the server, and neither your first answer nor my simple solution works any more. Anyway, subtleties... and there's no point.

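Added example (not part of any post in this thread and not the CTF's code): a defender-side comparison of a prefix blacklist with an allowlist for the "redirect" parameter, run over the parameter values quoted by mah_one, Stealth and TheTime. The blacklist function is an assumed model of the filter mah_one describes, and ALLOWED_TARGETS and all function names are hypothetical.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumption: the page only ever needs to send users to its own task page.
ALLOWED_TARGETS = {"ex13-task.php"}

def naive_blacklist(raw: str) -> bool:
    """Assumed model of the weak filter: refuse only a leading 'http://'."""
    return not raw.lower().startswith("http://")

def dotted_host(host: str) -> str:
    """Show an all-digit ('dword') host as the dotted quad it stands for."""
    if host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    return host

def check_redirect(raw: str) -> tuple[bool, str]:
    """Allowlist check on the raw (still percent-encoded) parameter value."""
    value = unquote(raw)
    # Reject control characters first: CR/LF would end up in the Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False, "control character, e.g. CR/LF, in value"
    # '//host' is protocol-relative; browsers treat it as an external URL.
    if value.startswith(("/", "\\")):
        return False, "absolute or protocol-relative target"
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        host = dotted_host(parts.hostname or "")
        return False, f"external target {parts.scheme}://{host}"
    if parts.path not in ALLOWED_TARGETS or parts.query or parts.fragment:
        return False, "target not in allowlist"
    return True, "ok"

# Parameter values taken from the posts in this thread, plus the legitimate one.
SAMPLES = [
    "ex13-task.php",
    "http://attackerwebsite.com/",
    "ftp://attackerwebsite.com/file",
    "ftp://1758432401/file",
    "//http://slacker.ro",
    "%0d%0a%20http://slacker.ro",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, why = check_redirect(s)
        print(f"{s!r:34} blacklist={naive_blacklist(s)!s:5} allowlist={ok!s:5} {why}")
```

The blacklist passes every value except the plain "http://" one, while the allowlist passes only the task page and reports the dword host in dotted form for logging.
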
Stealth Posted June 25, 2015
@TheTime: I edited my previous post because I checked once more what's what.