Hac-Sec 2021 Web Challenges Writeup
Hello everyone, I hope all is well with you :) I'm Abdelhameed Ghazy, a core member of the 0xL4ugh team <3, and here is my writeup for all the web challenges in the HAC-SEC CTF. In fact, the web challenges were very easy, and the last one is amazing <3.
The first challenge is called easy: when you open the link, view the source and search for the flag format, you will find it :)
The second challenge is called guess, and when you enter it you will see that:
So let's give it a GET parameter called guess. As you see, alhamdullah, we are on the right path :) To show the flag, we must give the guess parameter a number that meets these conditions:
1- greater than 2000
2- its hexadecimal is greater than AF0, which equals 2800
3- its binary equals 101011111001 (2809)
So let's get the flag with 2809.
The third challenge is called Wish, as I remember.
When you enter the challenge, it is a race xD You will see that you are in a loop, redirected from 1.php to 18.php, and every page prints a single character. So let's intercept the requests with Burp Suite and look at each single page, like this:
[Image: wish.png]
After collecting the 17 parts of the flag, we see that it's a fake flag :) But the good thing is that at 14.php we find a base64 comment:
[Image: wish1.png]
After decoding it we get: (/genie.php grants anything that you "wish" for). So let's open genie.php and give it our wish (flag) :) After visiting genie.php?wish=flag it gives us:
[Image: wish2.png]
So let's give it a key parameter, which must also follow some rules:
1- it must be a number
2- maximum length is 3
3- more than 9999, and it must be more than 999
So let's try exponential notation :) and we get the flag with 9e3.
The fourth challenge, and the amazing one, is called Include :)
When we enter it we see a button, and when we click on it, it sets a GET parameter called view with a value ("/var/www/html/") and prints some words on the page. So from the challenge name and the view parameter, we understand that we are in an LFI challenge.
I tried many payloads and nothing worked :( But I noticed that there is a filter that shows an error, so I decided to go back and understand the challenge logic. I tried to put normal characters and numbers in the view parameter, but it also gave us an error, so I understood that there is a validation for /var/www/html.
So the first thing I thought of was to include the logs of the Apache server and put our PHP code there, but unfortunately I couldn't. Then I tried to upload the PHP code to my site and include it, so I uploaded a file at http://abdelhameedghazy.com/var/www/html/abdo.txt and, alhamdullah, there was no error, but there was also no output.
So let's go back again and try to see the source of the file by using PHP wrappers. Alhamdullah, I could get the source with this payload:
php://filter/convert.base64-encode/resource=/var/www/html/index
After doing some code review, I understood that there is another GET parameter called ext: when it's not set, the extension of the file will be php, and when it exists, its value will be the extension of the file. So now I know why it didn't work when I tried to include from my website. So let's set it and do path traversal to get the flag. Our payload becomes:
?view=/var/www/html&ext=../../../../../../etc/flag
The location of the flag is in robots.txt :)
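The defensive side of the Include challenge, as an added example that is not the challenge's source code: a substring check on view plus an unchecked ext (an assumed shape, `weak_target`) accepts every input tried above, while `safe_target` (a hypothetical name) allowlists the extension, refuses anything containing `://`, and requires the canonical path to stay under the web root. The temporary web root and example.com are constructed stand-ins for /var/www/html and the remote host.

```php
<?php
// Added example, not the challenge's source. Function names and the temporary
// web root (standing in for /var/www/html) are assumptions for illustration.

// Weak pattern (assumed shape): substring check on view, ext appended unchecked.
function weak_target(string $base, string $view, ?string $ext): ?string
{
    if (strpos($view, $base) === false) {
        return null;                          // the "filter" error
    }
    return $view . ($ext ?? '.php');
}

// Hardened resolver: extension allowlist, no stream wrappers or URLs, and the
// canonical path must stay inside the web root.
function safe_target(string $base, string $view, ?string $ext): ?string
{
    $ext = $ext ?? 'php';
    if (!in_array($ext, ['php'], true) || strpos($view, '://') !== false) {
        return null;
    }
    $root = realpath($base);
    $real = realpath($view . '.' . $ext);     // resolves ../ and symlinks
    if ($root === false || $real === false) {
        return null;
    }
    return strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0 ? $real : null;
}

// Constructed web root and inputs shaped like the ones in the writeup.
$base = sys_get_temp_dir() . '/webroot_' . getmypid();
mkdir($base);
file_put_contents("$base/index.php", "<?php echo 'home';");

$inputs = [
    ["$base/index", null],
    ["php://filter/convert.base64-encode/resource=$base/index", null],
    ["http://example.com$base/abdo.txt", null],
    [$base, '../../../../../../etc/flag'],
];
foreach ($inputs as [$view, $ext]) {
    $weak = weak_target($base, $view, $ext) === null ? 'rejected' : 'accepted';
    $safe = safe_target($base, $view, $ext) === null ? 'rejected' : 'accepted';
    echo "view=$view ext=" . ($ext ?? '(unset)') . " weak=$weak safe=$safe\n";
}
unlink("$base/index.php");
rmdir($base);
```

Only the plain index page resolves under `safe_target`; the wrapper, remote URL and traversal inputs all return null.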