tuxCTFV2
TuxGallery
to start the challenge, run in a terminal: `docker run -p 8000:8000 h0t0/tuxgallery:latest`
then go to http://localhost:8000/. at the bottom of the page you can find "Visit The Tux Gallery". if you click on any of the buttons on the left you can see the url changing, for example: http://127.0.0.1:8000/gallery?file=img/tux3.jpg
this indicates an lfi (local file inclusion) vulnerability: the `file` parameter is used directly as a path on the server. example payload: http://127.0.0.1:8000/gallery?file=../../../../etc/passwd
but the challenge doesn't end here. if we check the website's backend tech, it is werkzeug, so we search for werkzeug vulnerabilities
and find this page on hacktricks: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/werkzeug
we go to http://localhost:8000/console; indeed it is protected by a pin, and we have an lfi vulnerability to read the files the pin is derived from. to get the pin:
public bits:
private bits:
- http://127.0.0.1:8000/gallery?file=../../../../proc/sys/kernel/random/boot_id --> machine id
- http://127.0.0.1:8000/gallery?file=../../../../sys/class/net/eth0/address --> mac address
put your values in the script from the hacktricks page. each pin is different for each user and it changes on every run; mine was: 891-324-969
the flag was supposed to be tuxCTF{w$g1?_wH4t$_th@t?}, but because of bash problems it was changed to tuxCTF{w?_wH4t@t?}
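the root cause in this challenge is that the `file` parameter is joined onto the gallery directory without checking that the result stays inside it. the following is an added example (not the challenge's own code) showing that naive join next to a hardened resolver; the gallery root, the file names and the symlink are constructed test data:

```python
import os
import tempfile
from typing import Optional


def vulnerable_resolve(requested: str, root: str) -> str:
    """The weak pattern: the user-supplied value is joined onto the gallery root
    with no containment check, so '../' sequences walk out of the directory."""
    return os.path.normpath(os.path.join(root, requested))


def safe_resolve(requested: str, root: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be refused.

    Refuses null bytes and absolute paths up front, then resolves the candidate
    (realpath also follows symlinks) and checks it is still under root."""
    if "\x00" in requested or requested.startswith(("/", "\\")):
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath is a path-aware check; a plain startswith() would wrongly accept
    # '/srv/gallery-private/x' as being inside '/srv/gallery'
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway gallery directory (constructed data) and exercise both
    resolvers, returning the results so they can be checked."""
    root = tempfile.mkdtemp(prefix="tuxgallery-")
    os.makedirs(os.path.join(root, "img"))
    with open(os.path.join(root, "img", "tux3.jpg"), "wb") as fh:
        fh.write(b"not really a jpeg")  # constructed placeholder content
    # a symlink inside the gallery that points outside of it
    os.symlink("/etc/hostname", os.path.join(root, "img", "link.jpg"))
    traversal = "../../../../../../etc/passwd"
    return {
        "naive_traversal": vulnerable_resolve(traversal, root),
        "safe_ok": safe_resolve("img/tux3.jpg", root)
        == os.path.join(os.path.realpath(root), "img", "tux3.jpg"),
        "safe_traversal": safe_resolve(traversal, root),
        "safe_absolute": safe_resolve("/etc/passwd", root),
        "safe_symlink": safe_resolve("img/link.jpg", root),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

note that the debugger pin is not a security boundary once arbitrary file reads are possible, which is exactly what the writeup above demonstrates; the fix is to never run the werkzeug debugger on a reachable interface, not to rely on the pin.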
Chatbot
This challenge mocks a 'sophisticated' AI chatbot. when we enter the url we are greeted by this page:
![](https://h0t.gitbook.io/~gitbook/image?url=https%3A%2F%2F421213191-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FfUOAAeVs9eihqxcrtvIC%252Fuploads%252FEqtljfJLA2hL8WLRTtDB%252Fimage.png%3Falt%3Dmedia%26token%3D01e35643-f00a-4708-9493-e55afc81cd57&width=768&dpr=4&quality=100&sign=f6b174c5&sv=2)
we enter a username and start chatting with the bot.
![](https://h0t.gitbook.io/~gitbook/image?url=https%3A%2F%2F421213191-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FfUOAAeVs9eihqxcrtvIC%252Fuploads%252Ff9NcYrcN1DQHDsPnW3Li%252Fimage.png%3Falt%3Dmedia%26token%3Df5598e8c-ff7f-42c1-b6e6-4d02dc069eff&width=768&dpr=4&quality=100&sign=feb78214&sv=2)
we can notice that the responses are in json format.
in the page source we find a file called script.js,
and we notice that it gets the message by sending it to an api!
so it's sending it to another server on port 3001; we can go to /api
and try to send a request there.
this is not an ssrf, but it acts like one, so we will use it to find out whether there is any other server.
![](https://h0t.gitbook.io/~gitbook/image?url=https%3A%2F%2F421213191-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FfUOAAeVs9eihqxcrtvIC%252Fuploads%252FDAwA5MpgmUxEsvSoF81G%252Fimage.png%3Falt%3Dmedia%26token%3De4fceeaa-c128-4dcb-928a-cefed2fcd9dc&width=768&dpr=4&quality=100&sign=e3816b87&sv=2)
we can use burp intruder to brute-force the port:
![](https://h0t.gitbook.io/~gitbook/image?url=https%3A%2F%2F421213191-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FfUOAAeVs9eihqxcrtvIC%252Fuploads%252FSkkzvhDy6WcwIKV00Rrp%252Fimage.png%3Falt%3Dmedia%26token%3Db9aa9d57-93d9-41cf-b564-546560ee5b47&width=768&dpr=4&quality=100&sign=f79046ed&sv=2)
response:
we can notice that in the original request the path sent was random-message,
which indicates that the backend already adds the slash for us!
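the page does not show the server code, so the following is an added example (not the challenge's own code) of the pattern described above: the frontend hands the server a host/path string, the server prefixes a scheme and forwards the request, and whoever controls that string chooses where the request goes. the hardened form only accepts a named endpoint and builds the url itself; the backend address and endpoint names are assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# assumed: the only backend the chat frontend should ever talk to
API_SCHEME, API_NETLOC = "http", "127.0.0.1:3001"
# assumed: the backend routes the frontend legitimately needs
ALLOWED_ENDPOINTS = {"random-message", "history"}


def naive_backend_url(target: str) -> str:
    """The weak pattern: a caller-supplied 'host:port/path' string is glued onto a
    fixed scheme, so changing the port or path redirects the server's request."""
    return f"{API_SCHEME}://{target}"


def safe_backend_url(endpoint: str) -> Optional[str]:
    """Accept only a known endpoint name and build the URL from constants."""
    if endpoint not in ALLOWED_ENDPOINTS:
        return None
    return urlunsplit((API_SCHEME, API_NETLOC, "/" + endpoint, "", ""))


def targets_only_api(url: str) -> bool:
    """Second line of defence, applied to the final URL right before the request
    is sent: the scheme and host:port must match, and the path may not climb."""
    parts = urlsplit(url)
    return (
        parts.scheme == API_SCHEME
        and parts.netloc == API_NETLOC
        and ".." not in parts.path.split("/")
    )


if __name__ == "__main__":
    for t in ("127.0.0.1:3001/random-message", "127.0.0.1:8080/"):
        url = naive_backend_url(t)
        print(f"naive  {url!r:45} allowed by check: {targets_only_api(url)}")
    for e in ("random-message", "127.0.0.1:8080/"):
        print(f"safe   {e!r:45} -> {safe_backend_url(e)}")
```

the port brute-force in the writeup works precisely because the naive form forwards to whatever host:port the client names; a port scan from the server's own network position is the signal a defender would alert on (many requests to consecutive ports on internal addresses from the api host).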
request:
response:
twig is a template engine for php; on hacktricks we can find a lot of payloads to exploit it (server-side template injection, ssti).
request:
response:
to get the flag:
request:
response:
the flag: tuxCTF{avG_l@mE_D3V}
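the ssti works because the chat message is compiled as part of a twig template instead of being passed to the template as a variable. from the detection side, template delimiters inside a user-supplied field are a cheap triage signal; the following is an added example (not from the challenge) that scans constructed json access-log lines for twig-style `{{ ... }}` and `{% ... %}` syntax in the message field. the log format is an assumption.

```python
import json
import re
from typing import List, Tuple

# Twig/Jinja-style expression or statement blocks; the \S after '{{' skips
# empty braces so a message like 'use {{ }} in LaTeX' is not flagged.
TEMPLATE_SYNTAX = re.compile(r"\{\{\s*\S.*?\}\}|\{%.*?%\}", re.DOTALL)

# constructed sample of what the chat api's access log might hold, one json record per line
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","user":"alice","message":"hello bot"}
{"ts":"2024-05-01T10:00:07Z","user":"bob","message":"what is 7*7?"}
{"ts":"2024-05-01T10:00:12Z","user":"mallory","message":"{{7*7}}"}
{"ts":"2024-05-01T10:00:19Z","user":"mallory","message":"{% set x = 1 %}"}
{"ts":"2024-05-01T10:00:25Z","user":"carol","message":"use {{ }} braces in LaTeX? no, just {}"}
not a json line at all
"""


def find_template_injection_attempts(log_text: str) -> List[Tuple[str, str]]:
    """Return (user, matched fragment) for every record whose message carries
    template syntax. Malformed lines are skipped rather than crashing the scan."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        match = TEMPLATE_SYNTAX.search(rec.get("message", ""))
        if match:
            hits.append((rec.get("user", "?"), match.group(0)))
    return hits


if __name__ == "__main__":
    for user, fragment in find_template_injection_attempts(SAMPLE_LOG):
        print(f"{user}: {fragment!r}")
```

this is triage only: the probe `{{7*7}}` returning 49 is the classic confirmation, and the real fix is on the rendering side, i.e. render a fixed template and pass the message in as data (`{{ message }}`), never build the template string from user input.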
Terminal 1 & 2
in both you can list the directory using dir. to solve the first one you use more or less:
more flag.txt
flag: tuxCTF{LE$S_i$_m0r3}
in terminal 2 you can use nl (intended) or tac (not intended):
nl flag.txt
flag: tuxCTF{n0_n3eD_foR_BIn@r1e5}
Pyjail
to access the challenge you have to use netcat:
![](https://h0t.gitbook.io/~gitbook/image?url=https%3A%2F%2F421213191-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FfUOAAeVs9eihqxcrtvIC%252Fuploads%252FYcFADvxHwn44dn1PMfAR%252Fimage.png%3Falt%3Dmedia%26token%3Db48a99e5-0111-4f3f-b65e-b41a9fcb3406&width=768&dpr=4&quality=100&sign=4c8cef8b&sv=2)
pyjails are python sandboxes with restrictions; you have to find a way out of the sandbox and achieve command execution.
in python we can reach other classes by walking back to the root object,
example payload:
`().__class__.__bases__[0].__subclasses__()`
if we enter it in the pyjail and then enter exit, it will execute.
![](https://h0t.gitbook.io/~gitbook/image?url=https%3A%2F%2F421213191-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FfUOAAeVs9eihqxcrtvIC%252Fuploads%252FDnhTh8fwW6MQcnu73iAy%252Fimage.png%3Falt%3Dmedia%26token%3D1f426e98-1a89-4c02-8cef-171d0220e3c7&width=768&dpr=4&quality=100&sign=2f46aebb&sv=2)
we get a list of all accessible subclasses, but only one of them is both not blocked and useful: `<class '_frozen_importlib_external.FileLoader'>`.
to find the subclass index you can use an ai tool, write a python script, or sort them in vim. for me it was number 100, i.e. index 99: `().__class__.__bases__[0].__subclasses__()[99]`
![](https://h0t.gitbook.io/~gitbook/image?url=https%3A%2F%2F421213191-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FfUOAAeVs9eihqxcrtvIC%252Fuploads%252Fft82b6SxctZL7j7kuYIB%252Fimage.png%3Falt%3Dmedia%26token%3D14859cad-5af0-4d49-b45d-0337ea21e162&width=768&dpr=4&quality=100&sign=38d17613&sv=2)
![](https://h0t.gitbook.io/~gitbook/image?url=https%3A%2F%2F421213191-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FfUOAAeVs9eihqxcrtvIC%252Fuploads%252Fxw4ccZANMbT8GwFVPm6J%252Fimage.png%3Falt%3Dmedia%26token%3Dcdb7ce85-e7f4-4f7f-90a6-3869fb8b765a&width=768&dpr=4&quality=100&sign=955c08b&sv=2)
payload to get the flag:
flag: tuxCTF{yOU_woN7_35c@Pe_@g@iN}
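the jail here falls to a blocklist: it filters some names but still evaluates whatever expression the user types, and the `__class__ / __bases__ / __subclasses__()` walk above reaches everything through attribute access alone. the following is an added example (not the challenge's code) of the opposite design for a "calculator" style prompt: parse the input into an ast and allow only an explicit set of node types and builtin names, so attribute access, imports and indirect calls like `getattr` are rejected before anything runs. the set of allowed builtins is an assumption.

```python
import ast
import builtins
from typing import Optional

# assumed: the only builtins a calculator-style prompt needs
ALLOWED_NAMES = {"abs", "min", "max", "len", "sum", "round"}

# No ast.Attribute, ast.Import or ast.Lambda here: attribute access is exactly the
# road from '()' to arbitrary classes, so it is refused as a syntax class.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load,
    ast.BinOp, ast.UnaryOp, ast.Compare, ast.BoolOp, ast.Call,
    ast.List, ast.Tuple, ast.Subscript, ast.Slice,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.FloorDiv, ast.Mod, ast.Pow,
    ast.USub, ast.UAdd, ast.Not, ast.And, ast.Or,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
)


def check_expression(src: str) -> Optional[str]:
    """Return None if src is acceptable, otherwise the reason it is refused."""
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError as exc:
        return f"syntax error: {exc.msg}"
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return f"disallowed syntax: {type(node).__name__}"
        if isinstance(node, ast.Name) and node.id not in ALLOWED_NAMES:
            return f"disallowed name: {node.id}"
        if isinstance(node, ast.Call) and not isinstance(node.func, ast.Name):
            return "only direct calls to allowed builtins"
    return None


def safe_eval(src: str):
    """Evaluate src only after it passed the allowlist, with a builtins table
    that contains nothing but the allowed names (so no __import__, no open)."""
    reason = check_expression(src)
    if reason is not None:
        raise ValueError(reason)
    code = compile(ast.parse(src, mode="eval"), "<jail>", "eval")
    safe_builtins = {name: getattr(builtins, name) for name in ALLOWED_NAMES}
    return eval(code, {"__builtins__": safe_builtins}, {})


if __name__ == "__main__":
    for expr in ("max(1, 2) ** 10", "().__class__.__bases__[0].__subclasses__()",
                 "__import__('os')", "getattr((), '__cl' + 'ass__')"):
        print(f"{expr!r}: {check_expression(expr) or safe_eval(expr)}")
```

the point is the direction of the rule: an allowlist of syntax and names needs no knowledge of the next bypass, while a blocklist of strings has to anticipate every spelling of `__class__`.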
Happy Pwning : )