Skip to main content

Posts

Capture the Ether - Lotteries write-up

Capture the Ether is a "Capture the Flag" style game in which you hack Ethereum smart contracts to learn about security. Spoiler Alert ! In this write-up, I will go through the first four challenges in the category labeled "Lotteries". Each of these challenges has its own difficulty level and reward points. Basically you can solve them by "guessing?" the right value of a variable in a given smart contract. Guess the number The smart contract for this challenge looks like this: It has three functions : GuessTheNumberChallenge() : a payable constructor that tells you how much Ether is required when deploying the smart contract. isComplete() : it returns true when the smart contract's balance is equal to 0. guess(uint8 n) : It takes a uint8 as an argument and compares it with the variable declared in line 4. If the numbers are equal, you will have your Ethers sent back to your address. Note that this function is payable and req
Recent posts

Hijacking phpLDAPadmin account using a Cross-site scripting vulnerability (CVE-2017-11107)

Software Description phpLDAPadmin is an web-based LDAP adminstration interface for viewing and manipulating LDAP information. Vulnerability Description $request['form'] and $request['rdn'] parameters in file htdocs/entry_chooser.php aren't properly sanitized before being displayed to the user, which allows a remote attacker to inject arbitrary HTML/Javascript code in a user's context. This vulnerability, if successfully exploited, can lead to data manipulation or information leakage as it is demonstrated in this PoC video. Proof of Concept (PoC) XSS via the 'form' parameter: http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form%22).base;%27);}%20alert(1);%20function%20lol()%20{%20isNaN(%27&element=base&rdn=test XSS via the 'rdn' parameter (needs Chrome's XSS Auditor bypass): http://localhost:8888/phpldapadmin/entry_chooser.php?form=advanced_search_form&element=base&rdn=test%22%

Pwning Windows 7 with ETERNALBLUE & DOUBLEPULSAR (Metasploit)

Thanks to @UnaPibaGeek & @pablogonzalezpe for their efforts to develop the Metasploit modules. Modules can be found here (Scanner + Exploit) : https://packetstormsecurity.com/files/142181/Microsoft-Windows-MS17-010-SMB-Remote-Code-Execution.html https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit This vulnerability affects Windows 2000, Windows XP, Windows 7, Windows 8, Windows Server 2000 up to 2012 R2. How to protect yourself If you still haven't updated your system, you should probably do it right away. If for some reason you aren't able to apply updates, Consider disabling SMB protocols. To disable SMBv1, SMBv2 and SMBv3 under Windows 8 and Windows Server 2012, run the following cmdlets (powershell commands) : Set-SmbServerConfiguration -EnableSMB1Protocol $false Set-SmbServerConfiguration -EnableSMB2Protocol $false For Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008, you should use these: Set-Ite

CSAW CTF 2015 : Forensics 100 - Transfer write-up

Category : Forensics  Points : 100 Challenge Description : I was sniffing some web traffic for a while, I think I finally got something interesting. Help me find flag through all these packets. net_756d631588cb0a400cc16d1848a5f0fb.pcap Opening it up with Wireshark gives some few HTTP packets. After looking through those packets, I noticed that one of them contains the word FLAG. The start of the conversation contains a python script and some random padding at the end which was more likely to be the script's output. Looking through the python script we notice there is a variable called FLAG (censored) that gets encoded with Base64 then looped through one of the following ciphers ROT13, ROT3 and Base64 (randomly chosen).  One thing to mention is that the script keeps the cipher index attached to the encrypted string, this will make it easier for us to reverse the whole thing. I wrote a quick python script to do the decryption : Executi

SU-CTF write-up - steganography 100 challenge

Category : Steganography Points : 100 The description of the challenge was: Hear With Your Eyes In this challenge, we were given a wav file which we somehow had to decrypt to get the flag. This was a pretty easy one to be honest. After hearing the audio, the first thing that came up to my mind was to use a signal analyser. For this matter I used baudline. The output was as follow : The flag was : e5353bb7b575578bd4da1c898a8e2d7667