baby bonechewercon

The devil is enticing us to commit some sandboxed SSTI feng shui, would you be interested in doing so? Category: web Solver: davex, shm0sby Flag: HTB{b3nt_tw1g_t0_my_will!} Writeup The task was very simple. We had the source code of the challenge and we knew there was /flag which might contain our flag. ;) The challenge used Symfony as application framework and Twig as templating engine. We simply had to use basic injection on Twig which could be found in [1]....

March 24, 2021 · 1 min · davex, shm0sby

one line php challenge

Just some not so regular disable_functions / open_basedir PHPfu. Category: web Solver: davex, shm0sby, lmarschk Flag: HTB{iconv_r34lly_b3_d01ng_us_lik3_th4t} Writeup The challenge php file was quite simple itself, it was a Docker container with some further configs. The configs were the more interesting thing. The php file only included an GET-parameter which then has been sent to an eval()-call. Also we know there is a file called /readflag which obviously prints the flag....

March 24, 2021 · 5 min · davex, shm0sby, lmarschk

WafWaf

Who let the blacklists out? Category: web Solver: davex, shm0sby Flag: HTB{wh0_l3t_th3_w4fs_0ut?!..w00f..w00f.w00f!} Writeup When you entered the site of the challenge the site directly gives you the source of the challenge. <?php require('database.php'); $user = $_GET['user']; $pass = $_GET['pass']; if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass)) { highlight_file(__FILE__); exit; } $mysql = get_db(); $mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'"); do { if ($result = $mysql->store_result()) { if ($row = $result->fetch_assoc()) { echo json_encode($row) ....

March 24, 2021 · 3 min · davex, shm0sby

Cached Web

I made a service for people to cache their favourite websites, come and check it out! But don’t try anything funny, after a recent incident we implemented military grade IP based restrictions to keep the hackers at bay… Category: web Solver: davex, lmarschk Writeup The first look at the challenge already gave an intuition how the solution looks like. The title of the web page was Rebind Me. This hints that the solution might be a DNS Rebind attack....

3 min · davex, lmarschk

Gunship

A classmate was assigned with developing a website using a prototype-based language called Javascript. Now we have Gunship, a tribute page to the legendary synthwave band.. what could possibly go wrong? Solver: davex Category: web Walktthrough The first look at the challenge already hinted at a part of the solution. The title of the challenge webpage is This hints that AST injections will be part of this challenge. Furthermore, the first look into the sourcecode of the challenge gave a huge hint for the solution...

5 min · davex