X-nuca League web pre-game guide write-up

First off

The review code found a hidden connection, access, flag flashed over. Open Burpsuite, set up the agent, and then revisit, in history to find the corresponding reply package, get flag.

Second Pass

Review element Modify button for available capture a post package

But the data item is a problematic "q1=2015&q2=lol+&q3=22&success=false"
Submit Show fail

The page does give a q1q2q3, the label is Q1q2q4, and JS will change LOL to lol+
Change back Q1=2016&q2=lol&q3=22&success=true Submit

Third off

is already the admin Note member parameter to Base64 decryption is ordinary to change to admin after Base64 encryption

Four-off
Construction bypasses V1 very simple 5 bit like "2017X" string V2 requires a multidimensional array V3 with%00 truncation
Five-off
After landing in the first two people read the page parameter is MD5 value to do understand bob317 sam429 guess password is name + 3 digits
C language wrote a program generated 1000 hash dictionaries put into burpsuite brute force hack
Valid values: e0abf23f3c6783eb43992635dfbe0d8f
There's flag in the package.

Six off
Referer injection Sqlmap Run "sqlmap-u-level 3-p referer" plus exposure to the table column commands, table many, suggest running separately.

Seventh Pass

Upload, burp pay attention to change the content just fine
Eighth Pass
Enter the level behind the tag there is a JS as follows:
P= "60,105,102,114,97,109,101,32,104,101,105,103,104,116,61,48,32,119,105,100,116,104,61,48,32,115,114,
99,61,34,46,47,

102,108,48,97,46,112,104,112,34,62 "
P=eval ("String.fromCharCode (" +p+ ")");
document.write (P);

Convert,
Access http://218.76.35.75:20123/fl0a.php Tips flag is $flag
$flag is a PHP variable argument is the post mode parameter to go to the packet inside to find the agent grab bag
There is a flag parameter in the cookie field

Nineth Pass

Variable overrides. Directly in the URL to pass the parameter, note the quotation marks are limited, do not take.
Tenth Pass

Burp caught the submitted content will go to an IMG tag to close the tag with Onerror=alert () pop-up do not appear in quotation marks or bounce

11th Pass
Contains vulnerability/flag should be a file page parameter to/flag after access to say flag is not here debug next page has prompt flag in
62a72cb2f3d5e7fc0284da9f21e66c9f.php
Get flag after visit
12th Pass
Send a packet containing the user=bob&guess=990 hint to use admin to throw user=admin guess parameter into burp inside run all 3-digit combination A reply package is flag
13th Pass
Simple social Work mind guess the tables and columns and here's the blind wish format.

Http://218.76.35.75:20101/?name=guest ' UNION all SELECT null,null,concat (Database (), 0x3a,user ())---

Construct a query, and flag will come out.
14th Pass
Picture of the horse synthesis to pass up just fine
15th Pass

Exposed Directory Access flag files can only be used | and &

Question 16th

Audit JS pay particular attention to this point urlkey hint hidden a file JS is directly accessible to this ternary group is the scoreboard display content specific debugging will be able to get the file name and then pop up flag
};
This.mayadd = function (a) {
if (This.scores.length < this.maxscores) return 1E6 < a && (a = new P, A.set ("Urlkey",
"Webqwer" [1] + "100.js", 864E5),
!0;
for (var b = this.scores.length-1; 0 <= b;--b) if (This.scores[b].score < a) return 1E6
< a && (a = new P, A.set ("Urlkey", "Webqwer" [1] + "100.js", 864E5)),
!0;
Return! 1
};

Question 17th

Grab packet get password is a hash to decrypt and then commit when the note: XFF is forged IP, referer falsified source, data parameters to decrypt

Question 18th
kindeditor4.1.7 a loophole with the exposed path
file_manager_json.php exposure path access to the specified file get flag
Question 19th

The brain hole is really big AH!! Awvs exposed the web directory to have a. git folder after downloading the source code found that hack.php are not closed complete later remembered if this is changed to be recorded in the Git record to download the contents of the objects by viewing the change record flag

Question 20th
Flask SSTI Vulnerability can use built-in functions or call other available modules specific Baidu "Flask SSTI" and reference function manual

Http://218.76.35.75:20102/?data={{help ()}} error then the page echoes the flag file and then calls the file with the built-in file to get flag

X-nuca League web pre-game guide write-up