Sunday, 29 November 2015

[CTF] 9447 CTF web200 "nicklesndimes" write-up

That was a really cool challenge from the Web category of 9447 CTF. Task description:

Nick's been eating your grandmother's strombomi. Head over to Gain access to his admin account.

So the task is to take over the admin account with user_id = 1.

We are able to register new accounts and log in (with Remember me functionality) or request a password reset. After digging a bit into the password reset I noticed that the reset token is the same for my userid... and it's the MD5 hash of my team name ;-)

00:31 zoczus@ropchain[~]$ echo -n "zoczus" | md5sum
5580aed6ac917f2cd6fc08c9581e1ca2  -
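
For the defensive side of this finding, here is an added example (not code from the challenge or from the original post) that puts the derivable token scheme next to a hardened one: a random token from the OS CSPRNG, stored only as a hash, expiring and single-use. The names `weak_reset_token` and `ResetTokenStore` and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


def weak_reset_token(team_name: str) -> str:
    """Flawed scheme described in the write-up: the token is md5(team name),
    so anyone who knows a team name can compute that account's token."""
    return hashlib.md5(team_name.encode()).hexdigest()


class ResetTokenStore:
    """Hypothetical hardened store: random, hashed at rest, expiring, one-shot."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._pending = {}  # user_id -> (sha256 of token, expiry timestamp)

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user_id] = (digest, now + self.ttl)  # replaces any older token
        return token  # delivered by e-mail only; the clear value is never stored

    def redeem(self, user_id: int, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, presented):
            return False
        del self._pending[user_id]  # single use: a replayed link fails
        return True


if __name__ == "__main__":
    # Constructed demo: the weak token is reproducible from public data,
    # while the hardened one is unrelated to the team name.
    print(weak_reset_token("zoczus"))
    store = ResetTokenStore()
    link_token = store.issue(user_id=1)
    print(store.redeem(1, weak_reset_token("zoczus")), store.redeem(1, link_token))
```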

So we can simply create a password reset link for the admin user this way:

And the first problem: we know the team name, but what's the e-mail to log in with? The answer can be found by clicking the small icon next to Users, which responds with JSON containing the scores, and next to our admin account we can find an additional field called admin_contact ;) The link was:

Got e-mail, got password, challenge solved... nope!

Tried X-Forwarded-For, X-Real-IP for , (from e-mail headers), etc... and then my teammate (thanks Dawid!) gave me the idea to try this one:

00:38 zoczus@ropchain[~]$ host has address has address

Setting X-Forwarded-For to gave me this result after login: 
