bi0s
  •  Home
  •  Categories
  •  Archives
  •  Tags

GateKeeping - CSAW '21 Qualifier

Sayooj B Kumar
2021-09-14
Web Exploitation

tl;dr

  • Bypass nginx’s DENY ALL using SCRIPT_NAME
  • Calculate key_id uploading flag.txt.enc
  • Leak the key and decrypt flag.txt.enc
CSAW Quals Nginx

Shisui - Fword CTF 2021

Yadhu Krishna M
2021-08-30
Web Exploitation

tl;dr

  • XSS using DOM Clobbering
  • <a id="showInfos"></a><a id="SETTINGS" name=check data-timezone="aaa" data-location="eval(window.name)"><a id="SETTINGS" name="x">
  • Bypass CSRF protection to execute XSS and read flag.
FwordCTF XSS DOM Clobbering

Notepad Series - InCTF Internationals 2021

Az3z3l
2021-08-16
Web Exploitation

tl;dr

  • Notepad 1 - Use Set-Cookie header to get XSS on the Admin
  • Notepad 1.5 - CRLF on the name parameter of Golang’s Header().Set() method
  • Notepad 2 - Xsleaks using Timing-Allow-Origin header
InCTFi CRLF XSS Xsleaks

Json Analyser - InCTF Internationals 2021

1nt3rc3pt0r
2021-08-15
Web Exploitation

tl;dr

  • Json_Interoperability - /verify_roles?role=supersuperuseruser\ud800","name":"admin
  • Prototype_Pollution - {"constructor":{"prototype":{"test":"123"}}} in config-handler
InCTFi Prototype_Pollution Json_Interoperability

MD-Notes - InCTF Internationals 2021

Yadhu Krishna M
2021-08-14
Web Exploitation

tl;dr

  • Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256('').
  • Create an XSS payload to read /api/flag and send it to attacker server.
InCTFi XSS JavaScript

illusion - pwn2win 2021

Sayooj B Kumar
2021-06-03
Web Exploitation

tl;dr

  • Use the prototype pollution vulnerability in fast-json-patch to pollute outputFunctionName
  • Get a shell, since the flag can only be obtained using a binary file
RCE Prototype pollution

Waffle Write-up - m0leCon CTF 2021 Teaser

Yadhu Krishna M
2021-05-16
Web Exploitation

tl;dr

  • Make a GET request to /gettoken%3fcreditcard=mmm&promocode=FREEWAF to get the token.
  • Using the token make another request with {"name":"' union select flag, 1, 1, 1 from flag -- -", "name":"x"} to get the flag.
SQLi JSON Interoperability
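The Json Analyser and Waffle tl;drs both rest on two components reading the same JSON document differently. The following is an added example in plain Node.js, not code from either write-up or from the challenges: it shows the duplicate-key differential (JSON.parse keeps the last value of a repeated key, while a first-wins reader, simulated here by scanTopLevelPairs/parseFirstWins, keeps the first) and the unpaired-surrogate differential (JSON.parse accepts "\ud800", but the resulting string changes when it is encoded as UTF-8). The function names and the sample bodies are this example's own constructions, shaped after the payloads in the tl;drs.

```javascript
// Added example (not from the bi0s write-ups): two JSON interoperability
// differentials in plain Node.js.
//  1. Duplicate keys (Waffle): JSON.parse keeps the LAST value of a repeated key;
//     a reader that keeps the FIRST is simulated by scanTopLevelPairs/parseFirstWins.
//  2. Unpaired surrogate escapes (Json Analyser): JSON.parse accepts "\ud800", but
//     the string cannot be encoded as UTF-8 unchanged.
// All names and sample bodies below are this example's own constructions.

// Returns [key, rawValueText] pairs of a flat JSON object in document order,
// without collapsing duplicates. It only has to find member boundaries, so it
// tracks string state (with escapes) and bracket depth, nothing more.
function scanTopLevelPairs(text) {
  const members = [];
  let i = text.indexOf('{') + 1;
  let start = i, depth = 0, inString = false;
  for (; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === '\\') i++;                 // skip the escaped character
      else if (c === '"') inString = false;
    } else if (c === '"') {
      inString = true;
    } else if (c === '{' || c === '[') {
      depth++;
    } else if (c === '}' || c === ']') {
      if (depth === 0) { members.push(text.slice(start, i)); break; }  // end of object
      depth--;
    } else if (c === ',' && depth === 0) {
      members.push(text.slice(start, i));
      start = i + 1;
    }
  }
  const pairs = [];
  for (const m of members) {
    if (m.trim() === '') continue;                     // empty object
    const key = /^\s*"((?:[^"\\]|\\.)*)"\s*:/.exec(m);
    if (!key) throw new Error('malformed member: ' + m);
    pairs.push([JSON.parse('"' + key[1] + '"'), m.slice(key[0].length).trim()]);
  }
  return pairs;
}

// First-wins reader: keeps the first occurrence of each key, as some parsers
// and schema validators do. Nested values are parsed normally.
function parseFirstWins(text) {
  const out = {};
  for (const [key, raw] of scanTopLevelPairs(text)) {
    if (!Object.prototype.hasOwnProperty.call(out, key)) out[key] = JSON.parse(raw);
  }
  return out;
}

// What each side of a WAF/backend pair sees for one key of the same body.
function duplicateKeyViews(text, key) {
  return { lastWins: JSON.parse(text)[key], firstWins: parseFirstWins(text)[key] };
}

// Node substitutes U+FFFD for an unpaired surrogate when producing UTF-8, so a
// UTF-8 consumer (database driver, another service) receives a different value
// from the one JSON.parse returned.
function utf8RoundTrip(s) {
  return Buffer.from(s, 'utf8').toString('utf8');
}

// Constructed sample bodies (shape taken from the tl;drs, not captured traffic).
const WAFFLE_BODY = '{"name":"\' union select flag, 1, 1, 1 from flag -- -", "name":"x"}';
const SURROGATE_BODY = '{"role":"user\\ud800"}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(duplicateKeyViews(WAFFLE_BODY, 'name'));
  const role = JSON.parse(SURROGATE_BODY).role;
  console.log(JSON.stringify(role), '->', JSON.stringify(utf8RoundTrip(role)));
}
```

Run it with `node` and compare the two views of `name`: a filter that reads the last value sees only `x`, while a first-wins backend receives the injection. The defence is the same for both differentials: parse the body once, with one parser, reject documents with duplicate keys or unpaired surrogates at the edge, and pass the parsed object (not the raw text) to every later stage.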

Jason - Angstrom CTF 2021

Az3z3l
2021-04-08
Web Exploitation

tl;dr

  • Intended: Append ; secure; samesite=none to cookie. Now, <script src="https://jason.2021.chall.actf.co/flags?callback=load"></script> would retrieve the flag.
  • Unintended: Append .actf.co as domain to cookie using CSRF -> Setup a xss payload in reaction.py challenge -> Log in to this using CSRF -> Payload in Reaction.py exfiltrates document.cookie
AngstromCTF XSS CSRF Cookies

Web IDE - DiceCTF 2021

Yadhu Krishna M
2021-02-09
Web Exploitation

tl;dr

  • Unintended Solution: Cookie Path Restriction bypass using pop-up windows + JS Sandbox Escape
  • Intended Solution: Service Workers + JS Sandbox Escape
XSS DiceCTF JavaScript Sandbox Escape

Build A Better Panel - Dice CTF 2021

Az3z3l
2021-02-09
Web Exploitation

tl;dr

  • Payload: {"widgetName":"constructor","widgetData":"{\"prototype\":{\"srcdoc\":\"<script src='/admin/debug/add_widget?panelid=star7rix&widgetname=test123&widgetdata=%27%29%2C%28%27star7rix%27%2C+%28select+flag+from+flag%29%2C+%27%7B%22type%22%3A%22test123%22%7D%27%29+--'></script>\"}}"}
XSS Prototype Pollution CSP DiceCTF
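The Json Analyser payload `{"constructor":{"prototype":{"test":"123"}}}` and the Build A Better Panel payload (widgetName `constructor`, widgetData `{"prototype":{...}}`) both reach Object.prototype through `({}).constructor.prototype` rather than through `__proto__`, which is why a filter that only blocks `__proto__` is not enough. The following is an added example, not code from the write-ups or from the challenge sources: `mergeVulnerable` is a typical recursive merge of the kind a config handler might use, `mergeSafe` is the hardened form, and `pollutes` is a probe that reports whether a brand-new `{}` inherited the injected value. All names and payload bodies are this example's own.

```javascript
// Added example (not from the bi0s write-ups): how a recursive merge of
// attacker-controlled JSON pollutes Object.prototype via constructor.prototype
// or __proto__, and a hardened merge that does not. Names are this example's own.

// Vulnerable: recurses into whatever target[key] already holds. For a plain
// object, target.constructor is Object (a function) and Object.prototype is an
// object, so {"constructor":{"prototype":{...}}} ends up writing into
// Object.prototype. target["__proto__"] resolves to Object.prototype directly.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Hardened: refuses the three keys that lead to a prototype, and only recurses
// into plain objects that are OWN properties of target (never into inherited
// values such as Object.constructor or Object.prototype).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;   // or throw, to make the attempt visible in logs
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges the JSON payload into a throwaway {} and then reads `probe` off a
// brand-new {}: anything that comes back was inherited from Object.prototype.
// The polluted property is deleted afterwards so the process stays clean.
function pollutes(merge, payloadText, probe) {
  merge({}, JSON.parse(payloadText));
  const leaked = ({})[probe];
  delete Object.prototype[probe];
  return leaked;
}

// Constructed payloads, shaped after the tl;drs above.
const CONSTRUCTOR_PAYLOAD = '{"constructor":{"prototype":{"test":"123"}}}';
const PROTO_PAYLOAD = '{"__proto__":{"isAdmin":true}}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable, constructor.prototype:', pollutes(mergeVulnerable, CONSTRUCTOR_PAYLOAD, 'test'));
  console.log('vulnerable, __proto__:', pollutes(mergeVulnerable, PROTO_PAYLOAD, 'isAdmin'));
  console.log('hardened, constructor.prototype:', pollutes(mergeSafe, CONSTRUCTOR_PAYLOAD, 'test'));
  console.log('hardened, __proto__:', pollutes(mergeSafe, PROTO_PAYLOAD, 'isAdmin'));
}
```

Note that `JSON.parse` creates an own property literally named `__proto__`, so `Object.keys` does list it; the vulnerable merge then reads `target["__proto__"]` on a plain object, which resolves to Object.prototype. Beyond the key deny-list, `Object.freeze(Object.prototype)` at startup and using `Object.create(null)` for configuration objects both remove the target the payload needs.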


Official blog of team bi0s

  Projects
  •   bi0s-wargame
    (Unraveling)
  •   bi0s-wiki
    (Free Encyclopedia)
  •   InCTF
    (Nationals CTF)
  •   InCTFj
    (Juniors CTF)




Blog content follows the Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) License
