Questions tagged [ctf]
Capture the Flag (CTF) is a form of hacking competition. Use for questions about the design and operation of such contests. Do not use for questions asking for help with winning contests.
103 questions
0 votes · 1 answer · 82 views
jwt authentication
This is regarding a jwt challenge at root-me.org
The webserver source code is available:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, request, jsonify
from ...
0 votes · 0 answers · 84 views
Why does phpinfo() execute but system("ls -la") does not when using preg_replace with /e in PHP?
I'm experimenting with old PHP (5.3.10) code that uses the now-deprecated /e modifier in preg_replace. I understand /e evaluates the replacement string as PHP code.
Example
<?php
$string = 'phpinfo(...
1 vote · 1 answer · 79 views
Payload doesn't fire up outside gdb?
I'm a beginner in exploitation, and I'm stuck on the rather famous question of why my exploit works in gdb but not in the terminal.
Context: I'm using the Qemu emulator with a Qcow2 image of amd64 https://exploit....
1 vote · 0 answers · 417 views
CTF finding flag in an image [closed]
I'm trying to solve this ctf challenge: (Category - Misc), Description:
"In the neon-soaked streets of Helix City, an underground courier
group called the Neon Runners uses glitched billboards ...
2 votes · 0 answers · 210 views
How to do a buffer overflow attack for a simple C program?
Consider the following simple C program that asks the user to input their user name and password in order to get access to some website. (The correct username is supposed to be "admin" ...
2 votes · 1 answer · 476 views
Ret2libc exploit not working but it seems correct in GDB
I am currently trying to perform a return-to-libc attack against a locally run program. Here are the steps I did:
I calculated the bytes needed to overwrite the saved return address
I used a buffer ...
0 votes · 1 answer · 1k views
Simple Buffer Overflow (Function Call) Problem
I'm trying to develop a simple buffer overflow CTF challenge inspired by the "Csaw 2016 Quals Warmup" challenge, here. I've managed to replicate the source code:
#include <stdio.h>
#...
0 votes · 0 answers · 308 views
Hydra says different passwords are correct each run, but only one works
I am doing CTF 'Skynet' from THM and came across this problem.
Enumerating SMB, I gathered credentials 'milesdyson' and a list of passwords 'log1.txt'.
I figured that I could try to brute force ...
0 votes · 0 answers · 453 views
Encoding shellcode to hide in filename / directory
Working on a CTF challenge and the coordinator's hint suggests that one of the vectors to inject shellcode is via pathing. Looking at debugging prints does show the cwd and filename are passed onto the ...
0 votes · 1 answer · 367 views
Exporting shellcode to environment variable doesn't work as expected
(This is a question regarding a challenge in a wargame on overthewire.org called Narnia similar to Shellcode does not execute as the owner )
When exporting shellcode to EGG environment variable
export ...
0 votes · 0 answers · 187 views
What type of token is this?
I started noticing this kind of token in a lot of CTF tasks from different authors:
eyJlbWFpbCI6ImVtYWlsQG1haWxib3guZG9tYWluIiwiaWQiOjN9.ZLNCAQ.MxwKVKj_dramWyfT5XxT6g9U3xk
The structure is as follows:
...
1 vote · 1 answer · 664 views
AES ECB cookie bypass
I am currently participating in a CTF Challenge and have reached a stage where I discovered a "log_admin" page. This page generates a cookie that is encrypted using AES 128 ECB. I obtained ...
3 votes · 0 answers · 396 views
PHP CTF: Vulnerabilities in PHP before 2007?
I came across a CTF that I'm trying to solve; the goal is fairly simple: bypass the authentication form and access the admin-restricted area. You can find the code snippet below.
Things to consider:
...
33 votes · 1 answer · 6k views
Crashing the sha1() function in PHP?
I am working on the following war game from Defend The Web, which requires me to do a source code review to login as the user memtash. The code is on GitLab here.
Here is my methodology:
Reset the ...
1 vote · 1 answer · 1k views
How long would this take to bruteforce?
I am working on the following war game from Defend The Web, which requires me to do a source code review to login as the user memtash. The code is on GitLab here.
Having inspected the source code ...
2 votes · 1 answer · 232 views
Void pointers and their attribute constructor
I am supposed to find the vulnerability in the code (as a part of a ctf) and I feel it's hidden either in the __attribute__((constructor)) or the pointer.
Here I can make out that it's a void pointer ...
0 votes · 1 answer · 513 views
64-bit ROP-based Buffer Overflow Attack
I am facing a CTF challenge in which I have to conduct an attack using a ROP chain on this program below:
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <sys/...
0 votes · 0 answers · 715 views
Flask URL Vulnerabilities
I am doing a CTF-style assignment and I am confronted with a web site created in Flask. This web site appears fairly unremarkable - it has 4 pages and no log-in/authentication functionality, nor does ...
2 votes · 2 answers · 2k views
Abusing Shell Feature for Privilege Escalation
This was covered in Linux PrivEsc, task 15, in this TryHackMe room.
I am having trouble understanding how this debugging mode is executing the commands in the PS4 variable, and why I must put /usr/...
0 votes · 0 answers · 255 views
CTF Crypto question
The question in a CTF was this:
They used two hydrogen atoms (H2) from the SHA-256 molecule to encrypt
in some form of AES, and the result was as follows:
{mIT+GVt+p0YfgfOltHgqoetTS6h8bRSAScAGKrBE+...
0 votes · 1 answer · 310 views
How does this PortSwigger lab's XSS work?
I was doing the following PortSwigger Lab on cross site scripting (XSS).
The following payload works perfectly.
http://foo?'-alert(1)-'
Which is input into the following section of ...
0 votes · 0 answers · 372 views
I cannot make a reverse connection
I am playing with a Linux CTF server and came across a kind of reverse connection block. I uploaded a php webshell, gained control of www-data user and tried to make a reverse shell.
Possibly a UFW ...
1 vote · 1 answer · 973 views
Why does this SQL injection have an equals symbol?
I was reading into the basics of SQL injection attacks on w3schools here.
In the second example, I was curious as to why the equal sign was used. I have quoted within the line below.
" or "&...
0 votes · 0 answers · 686 views
Metasploit module for NULL LDAP credentials
This article covers the solution for the LDAP challenges on a capture the flag.
I understand how the first example works, using the NULL value for the username and password to authenticate to the LDAP ...
1 vote · 1 answer · 2k views
Why, when I nmap scan a machine, do I get port 554 (RTSP) open?
I train on vulnerable boxes and during my recon phase, I use nmap to collect info on open ports.
I use the command nmap -sS [IP|URL] and no matter the machine, I get the result that port 554 - RTSP ...
0 votes · 0 answers · 399 views
How to perform a PHP POST request attack with JavaScript sanitization?
The following code demonstrates the source code of this challenge and basically, I need to send a POST request with arbitrary code to execute on the server. However, after multiple attempts I'm unable ...
1 vote · 0 answers · 501 views
C - Remote string format attack exploit - %n Does not seem to write anything on the stack
[As part of a ctf] I am trying to exploit a remote server through a tcp connection. The server is using snprintf() and provides user input as the formatting string. My goal is to dump the stack. ...
1 vote · 1 answer · 7k views
Payload uploaded but error: "no session was created"
I'm doing a capture-the-flag challenge (similar to HackTheBox) and I can't figure it out despite looking at many workarounds for how to solve my issue.
I did:
nmap --> got port 8080
firefox -> 10....
0 votes · 0 answers · 177 views
Is it possible to create an NTFS partition having only the $MFT and $J tables? Forensics CTF
This is the third part of a forensics challenge in a European CTF, and it is apparently the most difficult one because only three people flagged it among 700 participating.
I'm only here for guidance ...
0 votes · 1 answer · 2k views
Some introductory reverse engineering help on finding a string
I understand the crackme I am researching is from 2007; however, this was the point in my life when I initially became interested in reverse engineering, and I wish to complete it for nostalgia's sake. ...
0 votes · 1 answer · 826 views
Segfault after reaching system
I'm doing a pretty bog-standard return-to-libc attack and I'm in a bit of a pickle.
I first got the entire attack working with my local version of libc, then I used the version of libc provided by the ...
0 votes · 0 answers · 975 views
Sudo -l systemctl bypass
I am trying to privilege escalate a vulnerable box and I've got stuck with this output:
sudo -l
Matching Defaults entries for charlie on sewers:
env_reset, mail_badpass,
secure_path=/usr/local/...
1 vote · 0 answers · 239 views
ctf kernel challenges do not work [closed]
I'm trying to learn and solve some 'kernel related' ctf challenges (reading writeups to try to run the same environment and achieve root using one of the kernel-pwn techniques...).
I'm using Ubuntu 20 VM ...
1 vote · 2 answers · 2k views
Cracking Diffie-Hellman public key to obtain shared key
I'm given 2 prime numbers, g and n, as well as 2 public keys, g^a mod n and g^b mod n, as part of a leaked Diffie-Hellman key exchange. I need to derive the shared key g^(ab) mod n using the given information....
0 votes · 1 answer · 614 views
how to do a pentest to /assets/js/login.js [closed]
Hey guys, this is my first question on this kind of platform. I did a pentest on a vulnerable machine; it is like a web page with video content, and there are not many target vectors. In my attack I detected only ...
0 votes · 2 answers · 3k views
Is union-based MySQL injection able to read files outside the database?
Can files outside the database, which are not part of any tables in the database, be read via union-based SQL injection? For example,
http://xyz.com/fetch?id=3
Consider id parameter is used at server side by cursor ...
1 vote · 0 answers · 485 views
CyberChef Challenge #21 [closed]
The challenge data is:
...
2 votes · 1 answer · 2k views
Exploit apache2 service as member of www-data group
I am attempting to solve a CTF challenge where I am logged in as a member of the www-data group and the apache2 service is misconfigured and can be run as sudo without a password. What I am attempting ...
0 votes · 1 answer · 1k views
Steganography CTF question
I have recently participated in a CTF competition and failed in the following stage where the solution was never revealed.
After a really hard job I got access to a text file that contains a really ...
0 votes · 0 answers · 506 views
how to hack rbash --?
I'm solving a CTF challenge, and have to escalate the privilege from user1 to user2. $HOME is read-only, so I can't change $HOME/.bashrc.
sudo -l shows (user2) NOPASSWD: /usr/rbash -- I can't write ...
0 votes · 0 answers · 182 views
How to secure home environment when testing vulnerable VMs
I'd like to practice CTFs and cyber attacks on vulnerable VMs downloaded from seemingly reputable sources.
What are the basic guidelines for securing the environment and avoiding that malware (if any) ...
2 votes · 0 answers · 1k views
How to fix TCP stream in Wireshark with spurious retransmission?
This was for a CTF (it ended yesterday, so I'm not cheating), but I've spent so many hours on it that I really just want to understand what I should have done.
Here is the PasteBin Hex Dump. I ...
0 votes · 0 answers · 433 views
How can I use nohup command to get root access of the target machine?
I am playing a ctf and I have gained access to the target machine, but not as root. I can see the nohup utility has root access on the machine and I used this command to get root access, but that did not ...
2 votes · 1 answer · 3k views
CTF setup for debugging heap exploits
I'm currently studying binary heap exploitation (mainly the glibc (ptmalloc2) implementation), for CTF competitions. The problem I'm facing is debugging challenges designed for a certain glibc version....
0 votes · 0 answers · 247 views
URL Encoding leading to invalid flag
I'm currently completing an XSS challenge in a CTF. I successfully redirect the admin cookie to my request bin, but the flag is said to be invalid.
I am told this is because the flag string gets ...
4 votes · 3 answers · 1k views
Break out or bypass php functions
I'm currently doing an online CTF and I have LFI and can read the source code of the upload function. In there I see the following line:
shell_exec('rm -rf ' . directory/ . '*.p*');
So anytime I ...
2 votes · 1 answer · 11k views
XXE - possible to read directories?
I have come across XXE on a CTF a while ago and I can't get my head around where to go from where I am.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "php:...
0 votes · 1 answer · 1k views
Using GET request to find html file
I'm doing a basic CTF at the moment. Using,
GET / HTTP/1.1
Host: subdomain.domain.com
I am getting the response:
<a href="/c98efc0d-5c3f-45ec-996a-2cb82d35ed26.html">follow this link to get ...
6 votes · 4 answers · 3k views
What is hacking hackable virtual machines useful for? [closed]
I was watching an ethical hacking course where the tutor taught me to hack into different virtual machines and also machines from Hack The Box.
In the real world, how are these practices of hacking ...
0 votes · 0 answers · 287 views
How to check the offset for a program on a remote server
I am solving pwn problems in CTF challenges. My exploits work in the local system, but they don't work on the remote server when connecting using Netcat. The issue was that even the function ...