October 25, 2022 at 4:15 AM
thank you

October 25, 2022 at 4:34 AM
(October 24, 2022, 01:50 PM) Hacker2222 Wrote:
> plz discuss here
Reversing challenge: thanks @HTBContestant. Thanks

October 25, 2022 at 6:20 AM
Thank you!

October 25, 2022 at 6:23 AM
thanks

October 25, 2022 at 6:43 AM
thanks

October 25, 2022 at 7:23 AM
(October 24, 2022, 02:12 PM) Meep Wrote:
> Pwn challenge looks like shellcode.
>
>     local_a8 = 0; local_a0 = 0; local_98 = 0; local_90 = 0; local_88 = 0;
>     local_80 = 0; local_78 = 0; local_70 = 0; local_68 = 0; local_60 = 0;
>     local_58 = 0; local_50 = 0; local_48 = 0; local_40 = 0; local_38 = 0;
>     local_30 = 0; local_28 = 0; local_20 = 0; local_18 = 0; local_14 = 0;
>     read(0, &local_a8, 0x95);
>     (*(code *)&local_a8)();
>
> Also NX is not set, meaning it's capable of it (no protection).
Did not get it working yet. Any luck?

October 25, 2022 at 7:57 AM
(October 24, 2022, 09:46 PM) lnf02 Wrote:
> Hey guys @Hacker2222, I found the solution for this Web challenge; it doesn't seem to be like an "easy" challenge, more like a medium challenge...
> Basically you need to work with nested queries. The register API is vulnerable, due to the fact that it is using "insert" without any sanitization on the user's input, so... you need to bypass the "user already exists" check, and after that nest your real query. The thing is, you should be able to manipulate almost perfectly the password column, but it is useless... BUT SQL has a built-in function to UPDATE the field where there's a "duplicated" field... Maybe you are understanding what I'm talking about, maybe you are just looking for the god damn flag (script kiddie xD)
> In other words:
> You need to create a query that is able to bypass the "username already exists" check and after that, check for a duplicated value with username=admin.
> If you really want to understand all the logic behind this SQLi, I recommend you to read this:
> https://www.w3schools.com/sql/sql_union.asp
> https://stackoverflow.com/questions/8043908/how-do-i-force-an-insert-into-a-table-with-a-unique-key-if-its-already-in-the-t
> Here's the high level SQLi
Thanks :)

October 25, 2022 at 8:06 AM
(October 24, 2022, 06:00 PM) killerbee Wrote:
> (October 24, 2022, 05:47 PM) lollole Wrote:
> > (October 24, 2022, 02:32 PM) killerbee Wrote:
> > > For crypto, compute the gcd of c1 - c2 and N; it is p. Then compute c1 - p^e1 mod N; it is indeed the flag.
> > The gcd of (c1, c2) is 1. What did I get wrong, and why is N p?
> gcd(c1 - c2, N) == p
> This is because p | N and the forms of c1 and c2 lead to having c1 - c2 = p^e1 - p^e2 mod N, so you can invert the encryption by the formula c1 - p^e1 = m mod N.
Can you please show steps for coding this up?

October 25, 2022 at 8:07 AM
(October 24, 2022, 09:46 PM) lnf02 Wrote:
> Hey guys @Hacker2222, I found the solution for this Web challenge; it doesn't seem to be like an "easy" challenge, more like a medium challenge...
> Basically you need to work with nested queries. The register API is vulnerable, due to the fact that it is using "insert" without any sanitization on the user's input, so... you need to bypass the "user already exists" check, and after that nest your real query. The thing is, you should be able to manipulate almost perfectly the password column, but it is useless... BUT SQL has a built-in function to UPDATE the field where there's a "duplicated" field... Maybe you are understanding what I'm talking about, maybe you are just looking for the god damn flag (script kiddie xD)
> In other words:
> You need to create a query that is able to bypass the "username already exists" check and after that, check for a duplicated value with username=admin.
> If you really want to understand all the logic behind this SQLi, I recommend you to read this:
> https://www.w3schools.com/sql/sql_union.asp
> https://stackoverflow.com/questions/8043908/how-do-i-force-an-insert-into-a-table-with-a-unique-key-if-its-already-in-the-t
> Here's the high level SQLi
Thanks a lot

October 25, 2022 at 8:12 AM
(October 25, 2022, 08:06 AM) deer Wrote:
> (October 24, 2022, 06:00 PM) killerbee Wrote:
> > (October 24, 2022, 05:47 PM) lollole Wrote:
> > > (October 24, 2022, 02:32 PM) killerbee Wrote:
> > > > For crypto, compute the gcd of c1 - c2 and N; it is p. Then compute c1 - p^e1 mod N; it is indeed the flag.
> > > The gcd of (c1, c2) is 1. What did I get wrong, and why is N p?
> > gcd(c1 - c2, N) == p
> > This is because p | N and the forms of c1 and c2 lead to having c1 - c2 = p^e1 - p^e2 mod N, so you can invert the encryption by the formula c1 - p^e1 = m mod N.
> Can you please show steps for coding this up?

    import gmpy2
    from Crypto.Util.number import long_to_bytes  # pycryptodome

    # c1, c2, e1 and N are the values handed out by the challenge
    p = int(gmpy2.gcd(c1 - c2, N))      # shared factor: p divides both c1 - c2 and N
    m = (c1 - pow(p, e1, N)) % N        # reduce mod N, since c1 - p^e1 mod N can be negative
    print(long_to_bytes(m).decode('utf-8'))
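A self-contained model of the recovery killerbee describes above, added here as an example; it is not code from the thread or from the challenge. The ciphertext form c = m + p^e mod N is an assumption read off the formula c1 - p^e1 = m mod N quoted in the thread, and the primes, exponents and message are constructed toy values (real challenges use far larger primes). It uses only the standard library, so gmpy2 and pycryptodome are not needed.

```python
# Added example (not the thread's code): why gcd(c1 - c2, N) yields p when two
# ciphertexts of the same message are built as c = m + p^e mod N (assumed form).
from math import gcd


def encrypt(m: int, p: int, e: int, N: int) -> int:
    """Assumed challenge construction: c = m + p^e (mod N)."""
    return (m + pow(p, e, N)) % N


def recover(c1: int, c2: int, e1: int, N: int) -> tuple:
    """Recover (p, m) from two ciphertexts of one message under exponents e1, e2.

    c1 - c2 = p^e1 - p^e2 + k*N for some integer k, and p divides both
    p^e1 - p^e2 and N, so gcd(c1 - c2, N) is p (unless q also divides
    p^e1 - p^e2, which does not happen for primes of realistic size).
    """
    p = gcd(c1 - c2, N)  # math.gcd returns a non-negative value even when c1 < c2
    if p in (1, N):
        raise ValueError("gcd(c1 - c2, N) is trivial; ciphertexts lack the expected form")
    m = (c1 - pow(p, e1, N)) % N  # the % N matters: c1 - (p^e1 mod N) may be negative
    return p, m


def demo() -> bytes:
    # Constructed toy parameters for a round trip; both are primes.
    p, q = 65537, 65539
    N = p * q
    e1, e2 = 3, 5
    m = int.from_bytes(b"CTF", "big")  # constructed message, must be < N
    c1 = encrypt(m, p, e1, N)
    c2 = encrypt(m, p, e2, N)
    p_rec, m_rec = recover(c1, c2, e1, N)
    assert p_rec == p
    return m_rec.to_bytes((m_rec.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    print(demo())  # b'CTF'
```

The check for a trivial gcd is the one missing from the one-liner posted in the thread: if the two ciphertexts do not share the assumed structure, gcd(c1 - c2, N) is 1 (lollole's result) and subtracting p^e1 from c1 produces garbage rather than the flag.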
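The register pattern lnf02 describes for the web challenge, an INSERT assembled from unsanitised input behind a separate "user already exists" check, next to the parameterised form that closes the hole. This is an added example written for this thread, not the challenge's code: the table layout, the sample admin row and the inputs are constructed, and it runs against an in-memory SQLite database rather than the challenge's server.

```python
# Added example (not the challenge's code): string-built INSERT versus bound
# parameters. Table, sample rows and inputs are constructed for the demo;
# password hashing is omitted because it is not the point here.
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-secret')")
    return db


def register_vulnerable(db, username: str, password: str) -> str:
    # Check-then-insert with string concatenation: the user's input reaches the
    # SQL parser, so quotes in it change the statement the database executes.
    exists = db.execute(
        f"SELECT 1 FROM users WHERE username = '{username}'"
    ).fetchone()
    if exists:
        return "exists"
    db.execute(
        f"INSERT INTO users (username, password) VALUES ('{username}', '{password}')"
    )
    db.commit()
    return "ok"


def register_safe(db, username: str, password: str) -> str:
    # Bound parameters: the input travels as data and is never parsed as SQL.
    # The PRIMARY KEY, not a separate SELECT, decides whether the name is taken,
    # which also removes the check-then-insert race.
    try:
        db.execute(
            "INSERT INTO users (username, password) VALUES (?, ?)",
            (username, password),
        )
    except sqlite3.IntegrityError:
        return "exists"
    db.commit()
    return "ok"


def try_register(fn, db, username: str, password: str) -> str:
    """Run a register function and report a SQL error instead of raising."""
    try:
        return fn(db, username, password)
    except sqlite3.OperationalError as err:
        return f"sql error: {err}"


def password_of(db, username: str):
    row = db.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # An ordinary name with an apostrophe already breaks the concatenated query:
    # the same property that lets crafted input rewrite the INSERT.
    print(try_register(register_vulnerable, db, "O'Brien", "pw"))  # sql error: ...
    print(try_register(register_safe, db, "O'Brien", "pw"))        # ok
    print(try_register(register_safe, db, "admin", "pw"))          # exists
    print(password_of(db, "admin"))                                # unchanged
```

The apostrophe test is the cheapest detection you can run against your own registration endpoint: a handler that returns a database error for a name like O'Brien is one that lets user input into the SQL text, which is the precondition for the duplicate-key trick the post hints at. With bound parameters the name is stored literally and the admin row cannot be touched by a registration request at all.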