So there has been something of a hubbub about Valve and Bethesda’s new announcement that Workshop content will be monetized; it has since already started, as seen below.
This is just something I did in my down time and figured I’d share, because I hate how I solved it, but hey, it works pretty nicely.
MaxMind’s databases can be found here. I only wanted to find out which country a specific IP is in, so I didn’t bother with the city-specific database. The method for converting that probably isn’t too far off, though.
You’ll want GeoLite2-Country-Blocks-IPv4.csv and GeoLite2-Country-Locations-en.csv (or whichever language you choose, really).
First, make a new table in your database for each file (the tables should be named the same as the filenames minus the file extension; you can rename them later if you choose).
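The step the post is working towards is turning each CIDR block from the Blocks CSV into a start/end integer pair so that an IP can be matched with a range query. The script below is an added example (not the post’s own code) that does that conversion in PHP and performs the lookup in memory; the two CSV snippets are constructed stand-ins for the real files, and the column names and the SQL shown in the comment are assumed to follow MaxMind’s GeoLite2 CSV layout.

```php
<?php
// Added example: convert GeoLite2-Country CSV rows to integer ranges and resolve an
// IPv4 address to a country.  Sample rows below are constructed, not real MaxMind data.

$blocksCsv = <<<CSV
network,geoname_id,registered_country_geoname_id,represented_country_geoname_id,is_anonymous_proxy,is_satellite_provider
203.0.113.0/24,2077456,2077456,,0,0
198.51.100.128/25,6252001,6252001,,0,0
CSV;

$locationsCsv = <<<CSV
geoname_id,locale_code,continent_code,continent_name,country_iso_code,country_name,is_in_european_union
2077456,en,OC,Oceania,AU,Australia,0
6252001,en,NA,"North America",US,"United States",0
CSV;

// Parse CSV text into associative rows keyed by the header line.
function parse_csv(string $text): array {
    $lines = array_values(array_filter(explode("\n", trim($text)), 'strlen'));
    $header = str_getcsv(array_shift($lines));
    $rows = [];
    foreach ($lines as $line) {
        $rows[] = array_combine($header, str_getcsv($line));
    }
    return $rows;
}

// "a.b.c.d/n" -> inclusive [start, end] as unsigned 32-bit integers.  Store these in
// two integer columns and the lookup becomes:  WHERE :ip BETWEEN start_ip AND end_ip
// (assumed column names).  Masking with 0xFFFFFFFF keeps the math correct on 64-bit PHP.
function cidr_to_range(string $cidr): array {
    [$ip, $bits] = explode('/', $cidr);
    $bits = (int)$bits;
    $start = ip2long($ip) & ((0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF);
    $end   = $start | (0xFFFFFFFF >> $bits);
    return [$start, $end];
}

// Join blocks to locations (geoname_id -> ISO code) and sort by range start.
function build_ranges(array $blocks, array $locations): array {
    $names = [];
    foreach ($locations as $loc) {
        $names[$loc['geoname_id']] = $loc['country_iso_code'];
    }
    $ranges = [];
    foreach ($blocks as $b) {
        [$start, $end] = cidr_to_range($b['network']);
        // geoname_id can be blank for some blocks; fall back to the registered country.
        $id = $b['geoname_id'] !== '' ? $b['geoname_id'] : $b['registered_country_geoname_id'];
        $ranges[] = ['start' => $start, 'end' => $end, 'country' => $names[$id] ?? null];
    }
    usort($ranges, fn($a, $b) => $a['start'] <=> $b['start']);
    return $ranges;
}

// Binary search over the non-overlapping, sorted ranges (what an indexed BETWEEN does in SQL).
function lookup_country(array $ranges, string $ip): ?string {
    $n = ip2long($ip);
    if ($n === false) {
        return null;
    }
    $lo = 0;
    $hi = count($ranges) - 1;
    while ($lo <= $hi) {
        $mid = intdiv($lo + $hi, 2);
        if ($ranges[$mid]['start'] > $n) {
            $hi = $mid - 1;
        } elseif ($ranges[$mid]['end'] < $n) {
            $lo = $mid + 1;
        } else {
            return $ranges[$mid]['country'];
        }
    }
    return null;
}

$ranges = build_ranges(parse_csv($blocksCsv), parse_csv($locationsCsv));
echo lookup_country($ranges, '203.0.113.42'), "\n";   // AU
echo lookup_country($ranges, '198.51.100.200'), "\n"; // US (inside the /25 starting at .128)
var_dump(lookup_country($ranges, '198.51.100.5'));   // NULL: not covered by any block
```

The same two-column range trick is what makes the database approach fast: once start and end are integers, a single indexed BETWEEN replaces any per-row CIDR arithmetic.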
Pretty simple bug bounty example, but it was my first and I got a bit excited. I can’t name the company because disclosure hasn’t been granted, but it was from a bounty.
I’m not going to disclose the impacted URL, or the amount I’ve gotten for it either. I will, however, say that the issue has been resolved on their end, so there’s no chance the URL I reported can be used for the same attack. It’s been nuked. That all being the case, I’ve made a sort of recreation of the problem.
I’m mostly writing this blog post because I didn’t know the functionality existed and I’m sure a bunch of other developers also aren’t aware. Learn something new every day. It’s probably WebSec 101, but at least as far as PHP is concerned I fail to see the point of leaving this feature enabled.
There was a file somewhere on (Company)’s network that would load a URL specified by a parameter and simply echo its contents.
Anyway, here is an example of what it would look like:
// Recreation of the vulnerable endpoint: fetch whatever URL the request names and echo the body.
$ch = curl_init();
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => $_GET['url']));
$data = curl_exec($ch);
echo $data;
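For contrast, here is an added example (not the post’s code, and not the company’s) of the same fetch-and-echo endpoint with the URL validated before curl ever sees it: only http/https, only hosts on a short allow-list, no credentials in the URL, no redirects, and the resolved address checked against private and reserved ranges and then pinned for the request. The allow-list contents, the function names and the sample inputs at the bottom are assumptions for illustration.

```php
<?php
// Added example: a hardened version of the fetch-and-echo proxy.  ALLOWED_HOSTS,
// the helper names and the sample URLs below are made up for illustration.

// Name the few hosts this endpoint actually needs to reach; a deny-list of
// "bad" addresses is not enough on its own.
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];

// Returns ['error' => reason] when the URL must be refused, otherwise the parsed
// host and port plus the public IP it was checked against.
function validate_proxy_url(string $url, array $allowed = ALLOWED_HOSTS): array {
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return ['error' => 'unparseable URL'];
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return ['error' => 'scheme not allowed'];   // curl speaks far more than HTTP
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return ['error' => 'credentials in URL'];
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed, true)) {
        return ['error' => 'host not on allow-list'];
    }
    // An allow-listed name can still resolve to an internal address, so resolve it
    // here and reject private/reserved ranges (RFC 1918, loopback, link-local, ...).
    $ips = gethostbynamel($host) ?: [];
    if (!$ips) {
        return ['error' => 'host did not resolve'];
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                       FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return ['error' => 'host resolves to a private or reserved address'];
        }
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['host' => $host, 'port' => $port, 'ip' => $ips[0]];
}

// Fetch only after validation.  CURLOPT_RESOLVE pins curl to the address that was
// checked, so a second DNS answer cannot swap in a different one, and redirects
// are refused because a Location header would bypass every check above.
function fetch_allowed(string $url): string {
    $v = validate_proxy_url($url);
    if (isset($v['error'])) {
        http_response_code(400);
        return 'refused: ' . $v['error'];
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["{$v['host']}:{$v['port']}:{$v['ip']}"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data === false ? '' : $data;
}

// Both of these are refused before any DNS lookup happens:
var_dump(validate_proxy_url('ftp://api.example.com/file')['error']);     // "scheme not allowed"
var_dump(validate_proxy_url('http://intranet.example/status')['error']); // "host not on allow-list"

echo fetch_allowed($_GET['url'] ?? '');
```

The order of the checks matters: the cheap, purely syntactic rejections (scheme, allow-list) run before the DNS lookup, and the resolved address is both validated and pinned, which closes the window between “we checked the name” and “curl connected to it”.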
Okay, so for this one we’re just given a URL and not much more.
I fired up Burp Suite and started playing around.
This one took some trial and error.
You’re presented with a Heartbleed testing engine.
So the first part of this puzzle is to find out what’s wrong with it. The first thing I do is use a valid host (cloudflarechallenge.com, aka 188.8.131.52).
It responds with (image not available, as it seems to have stopped returning this result):
DATABASE ERROR!!! near “re”: syntax error
select time from results where result=’Connecting… Sending Client Hello… Waiting for Server Hello… … received message: type = 24, ver = 0301, length = 249 … received message: type = 24, ver = 0301, length = 249 … received message: type = 24, ver = 0301, length = 249 … received message: type = 24, ver = 0301, length = 249 … received message: type = 24, ver = 0301, length = 249 … received message: type = 22, ver = 0301, length = 1 Sending heartbeat request… … received message: type = 24, ver = 0301, length = 249 Received heartbeat response: 09809*)(*)(76&^%&(*&^7657332 Hi there! Your scan has been logged! Have no fear, this is for research only — We’re never gonna give you up, never gonna let you down! WARNING: server returned more data than it should – server is vulnerable! ‘;
Well, it’s obvious SQL is the culprit here. Let’s honeypot!
I connected using FlashFXP; this is important for later, as I explain how somebody else solved it.
You’re tasked to connect to ftpsv.quals.seccon.jp:21 and just sort of figure it out. It accepts my connection over FTP, but many things fail.
First write-up of a new CTF! This time I played for KnightSec and we took 59th place. Not bad, I suppose.
So, you know, I’m an idiot still using PHP. That makes me an oddball, especially in the security community, which seems to favor Python. Keep it in mind, because you’ll be seeing it a lot.
For Reverse It, I fed the given file to the script below:
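The error message shows the engine splicing the raw scan transcript, heartbeat response included, straight into a SQL string. As an added example (not part of the write-up or the challenge’s code), the script below reproduces that failure against an in-memory SQLite database and puts the parameterised form next to it. The table and column names come from the error on the page; the transcript and timestamp are constructed.

```php
<?php
// Added example: string-concatenated query (what the engine's error implies it does)
// beside the prepared-statement version.  Sample data below is constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE results (time INTEGER, result TEXT)');

// A heartbeat response is bytes chosen by the remote end; this one holds a single quote.
$transcript = "Connecting... Received heartbeat response: it's here";

// Broken: the quote inside $transcript terminates the string literal early and the
// rest is parsed as SQL, which is exactly the "near ...: syntax error" on the page.
function find_time_unsafe(PDO $db, string $result): ?string {
    try {
        $stmt = $db->query("select time from results where result='" . $result . "'");
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? (string)$row['time'] : null;
    } catch (PDOException $e) {
        return 'DATABASE ERROR: ' . $e->getMessage();
    }
}

// Fixed: the value travels as a bound parameter and is never parsed as SQL, so the
// quote (or anything else in the scan output) is just data.
function find_time_safe(PDO $db, string $result): ?string {
    $stmt = $db->prepare('select time from results where result = :r');
    $stmt->execute([':r' => $result]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (string)$row['time'] : null;
}

// Store the scan the safe way, then read it back both ways.
$ins = $db->prepare('INSERT INTO results (time, result) VALUES (:t, :r)');
$ins->execute([':t' => 1400000000, ':r' => $transcript]);

echo find_time_unsafe($db, $transcript), "\n"; // DATABASE ERROR: ... near "s": syntax error
echo find_time_safe($db, $transcript), "\n";   // 1400000000
```

Note that the unsafe version fails even with no attacker involved: any ordinary response containing an apostrophe breaks the query, which is why the engine’s error surfaced on a perfectly normal scan.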
<?php
// Reverse the file's hex representation: this flips the nibble sequence, which also
// reverses the byte order, then write the result out as raw bytes.
$fp1 = fopen('Reverseit', 'r');
$fp2 = fopen('Reverseit_out', 'a+');
$fp1s = filesize('Reverseit');
$buffer = fread($fp1, $fp1s);
$buffer = unpack('H*', $buffer)[1]; // hex string of the whole file
$buffer = strrev($buffer);          // reverse the nibbles
$buffer = pack('H*', $buffer);      // back to raw bytes
fwrite($fp2, $buffer);
fclose($fp1);
fclose($fp2);
Another day, another challenge. This one was for hack.lu 2014 (hosted by FluxFingers), also known as “WildWildWeb”!
The link brings you here.
The first thing we see is a CAPTCHA, which you can solve manually. However, it doesn’t give you the key so easily.
Going off the hints given in the challenge text, I can assume they want us to build an automated method to solve the CAPTCHA.
Taking a peek at the source code…
First of all, this is the first CTF that OpenToAll has actually won first place in.
Though it was a student CTF and not widely publicized, I’m still happy.
Anyway, this is a write-up for the ECTF 2014 challenge “The annoying admin”. The description is below, and please note that we solved it before the hint was provided!
The chat feature was added to the Facelook website and, to test it, the founder of the company sent a message in chat to the admin. The admin reads all the chat messages, but does not reply to anyone. Try to get that chat message and earn the bounty.
Hint: Admin likes to visit some links which he receives from people
This write-up will be a little rougher on newbies because there won’t be any C++ or Hex-Rays here.
re300 (Breakpoints) is an x64 ELF binary which I had to boot up my VM to solve!
If you want to play along, download the binary here, get the disassembler of your choice and GDB ready, and let’s have a go.
.text:0000000000400550 start proc near
.text:0000000000400550 xor ebp, ebp
.text:0000000000400552 mov r9, rdx
.text:0000000000400555 pop rsi
.text:0000000000400556 mov rdx, rsp
.text:0000000000400559 and rsp, 0FFFFFFFFFFFFFFF0h
.text:000000000040055D push rax
.text:000000000040055E push rsp
.text:000000000040055F mov r8, offset nullsub_1
.text:0000000000400566 mov rcx, offset sub_4066B0
.text:000000000040056D mov rdi, offset main
.text:0000000000400574 call ___libc_start_main
.text:0000000000400579 start endp