When you first visit the website, you can only access a login and registration page. Registering an account gives you a two-factor TOTP key. After logging into the website, the first thing I wanted to do was look at how it handles authentication.
When a user logs into an account, a "session" cookie is created. Sometimes you can tell what infrastructure the server is running on from the name or value format of the cookie. This cookie appears to use a custom format, so it is likely part of the challenge. The first thing I tried was changing the "5" in the cookie to "donaldtrump". After refreshing the index page, I noticed I was logged in as donaldtrump.
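The cookie problem described above is that the identity inside it is not bound to anything the server controls. The following is an added example (not code from the writeup or from the challenge) showing the unsigned pattern beside an HMAC-signed cookie; the `username|tag` layout, the `SERVER_KEY` and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key for this example; a real deployment loads it from config.
SERVER_KEY = secrets.token_bytes(32)


def make_unsigned_cookie(username):
    # The pattern the writeup describes: the identity is stored in the clear,
    # so whoever holds the cookie decides who they are.
    return username


def make_signed_cookie(username, key=SERVER_KEY):
    # Append an HMAC over the username; the layout "username|hextag" is assumed.
    tag = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{tag}"


def verify_signed_cookie(cookie, key=SERVER_KEY):
    # Return the username when the tag verifies, None otherwise.
    username, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return username


def tamper_first_field(cookie, new_username):
    # Simulates editing the cleartext identity while leaving the tag alone.
    _, sep, tag = cookie.rpartition("|")
    return new_username + sep + tag


if __name__ == "__main__":
    c = make_signed_cookie("5")
    print(c, verify_signed_cookie(c), verify_signed_cookie(tamper_first_field(c, "donaldtrump")))
```

A signed value stops the edit-the-cookie trick but still stores the identity in the clear; an opaque server-side session id is the alternative when the cookie must not reveal anything at all.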
Using one of the solves submitted for the H5SC Minichallenge 3, I was able to construct a payload that loaded from googleapis. My mistake at this point was assuming XSS was part of this challenge: after I sent the private message, no one ever loaded it. I should have verified that part first.
There's a user icon form that allows you to input an image URL. The server saves the URL you supply; the image is not processed or uploaded to the server. I decided to point it at a logging script just to see if there is a bot scanning for changes on the user search page. Seeing that the script loading the URL was using Python's urllib module, I started to mess with the file: URI scheme. Although I initially failed, I was getting error messages that told me I was on the right path.
Looking at the urllib spec, the first argument is netloc, so I need to first supply a URL: Now that I have a local file inclusion (LFI) vulnerability, I need to start guessing for files containing information to move forward. A good starting point is getting the website's source code.
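The root cause here is that a user-supplied URL is handed to urllib, which happily opens `file:` URLs. As an added example (not the challenge's code), the block below shows an unchecked fetch standing in for what the writeup describes, next to a scheme allowlist check that a server-side fetcher should apply before opening anything; `check_image_url`, `fetch_image` and the temporary file are constructed for this illustration.

```python
import os
import tempfile
import urllib.request
from urllib.parse import urlparse

# Only remote web resources are acceptable for an avatar fetch.
ALLOWED_SCHEMES = {"http", "https"}


def fetch_unchecked(url):
    # Assumed stand-in for the writeup's behaviour: the URL goes straight to urllib,
    # whose default opener also handles file: (and other) schemes.
    with urllib.request.urlopen(url) as resp:
        return resp.read()


def check_image_url(url):
    # Return None when the URL is acceptable, otherwise a reason string.
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return "missing host"
    return None


def fetch_image(url):
    # The hardened path: refuse before any I/O happens.
    reason = check_image_url(url)
    if reason is not None:
        raise ValueError(reason)
    return fetch_unchecked(url)


def demo_local_file_read():
    # Constructed local file standing in for a file on the server; shows that the
    # unchecked fetch reads it while the checked fetch refuses the URL.
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as f:
        f.write("constructed secret\n")
        path = f.name
    try:
        url = "file://" + path
        leaked = fetch_unchecked(url)
        try:
            fetch_image(url)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, blocked
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_local_file_read())
```

The scheme check is necessary but not sufficient for a server-side fetcher: an `http` URL can still point at internal hosts, so resolving the host and rejecting private and loopback ranges (and re-checking after redirects) is the usual next step.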
Knowing that it is probably a Python web service, I need to locate the folder containing the Python web service script and the script's name.
There may have been an easier way to do this, but I tried a bunch of common file locations and names until I found this: From here I went through the source code looking for the flag, additional file names, and new application vulnerabilities. Since there is no reference to a flag and I had not discovered a secret file on the server, it appeared I only had two options left: look through the template files, or try to get access to the database.
I quickly discovered the template files contained nothing interesting, so that left me with getting access to the database. That means the only options left are code injection or SQL injection. I decided to look for a SQL injection first by reviewing the source code I collected.
After reading through all of the queries in the util file, there's a function for getting the CSP violation reports. I had not seen this endpoint when I first went through the website. This one-character mistake makes it vulnerable to a SQL injection attack.
One thing I would like to note at this point is that you could have found this without source code access.
Because this server is configured to send violations to a specific endpoint, I should have monitored my traffic to see what it was sending and what the server responded with. If you look at the code: This is a valuable lesson for web bounty hunters and professional application pentesters: CSP violation reporting is an additional endpoint that is worth exploring for vulnerabilities.
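A CSP report endpoint receives a JSON body that the browser builds from attacker-influenced values (the blocked URI, the document URI), so it is untrusted input like any other POST. The block below is an added example, not the challenge's code: it parses the `csp-report` object a browser sends, stores it once with string formatting and once with a parameterized query, and shows that a single apostrophe in a field is enough to break the formatted version. The table layout and the constructed sample report are assumptions.

```python
import json
import sqlite3


def open_db():
    # In-memory table with an assumed layout for stored violation reports.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE csp_reports (document_uri TEXT, violated_directive TEXT, blocked_uri TEXT)"
    )
    return db


def parse_csp_report(body):
    # Browsers POST {"csp-report": {...}}; keep only the three fields we store.
    report = json.loads(body)["csp-report"]
    return (
        report.get("document-uri", ""),
        report.get("violated-directive", ""),
        report.get("blocked-uri", ""),
    )


def store_report_vulnerable(db, body):
    # Query text built by string formatting: any quote in a field changes the query.
    doc, directive, blocked = parse_csp_report(body)
    db.execute(
        "INSERT INTO csp_reports VALUES ('%s', '%s', '%s')" % (doc, directive, blocked)
    )


def store_report_safe(db, body):
    # Parameterized: the driver keeps data and SQL apart, so quotes are just data.
    db.execute("INSERT INTO csp_reports VALUES (?, ?, ?)", parse_csp_report(body))


def stored_blocked_uris(db):
    return [row[0] for row in db.execute("SELECT blocked_uri FROM csp_reports ORDER BY rowid")]


# Constructed report in the shape a browser sends, with an apostrophe in one field.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://example.test/profile",
        "violated-directive": "img-src",
        "blocked-uri": "https://cdn.example/o'neil.png",
    }
})


def demo():
    # Returns (vulnerable_raised, stored_rows) so the outcome can be checked.
    db = open_db()
    try:
        store_report_vulnerable(db, SAMPLE_REPORT)
        vulnerable_raised = False
    except sqlite3.OperationalError:
        vulnerable_raised = True
    store_report_safe(db, SAMPLE_REPORT)
    return vulnerable_raised, stored_blocked_uris(db)


if __name__ == "__main__":
    print(demo())
```

The apostrophe case is the cheapest test to run against any report-only endpoint while watching the response: a database error on a benign quote is the same signal the writeup says monitoring the CSP traffic would have given.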
I don't have a lot of information on the database, because I can only see some column and table names from the Python server code. I can now enumerate queries one result at a time. This is the part where most people run sqlmap, but I figured it was probably unnecessary and overkill for this CTF challenge.
It's using the username and the client's IP address at time of registration to generate the seed. That seed is used to generate pseudo-random numbers. Using "donaldtrump" and the account's registration IP address, I regenerated the key. Now that we have the TOTP key, we just need the donaldtrump account's plaintext password to get the flag. I figured the SHA hash was basic enough and ran it through the hash cracker hashcat.
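The weakness above is that the TOTP secret is a deterministic function of two values that end up in the database, so anyone who can read them can rebuild it. As an added example (not the challenge's code), the block below contrasts an assumed stand-in for that derivation with a secret drawn from the OS CSPRNG, and includes an RFC 6238 TOTP computation so the secrets can be exercised; the `weak_totp_secret` derivation, the function names and the sample IP `203.0.113.7` are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import random
import secrets
import struct
import time


def weak_totp_secret(username, ip):
    # Assumed stand-in for the pattern the writeup describes: a PRNG seeded from
    # public inputs. Same username and IP always yield the same "secret".
    rng = random.Random(f"{username}:{ip}")
    return bytes(rng.getrandbits(8) for _ in range(20))


def strong_totp_secret():
    # 160 bits from the OS CSPRNG; nothing about the user feeds into it.
    return secrets.token_bytes(20)


def secret_to_base32(secret):
    # The form that goes into a QR code / authenticator app.
    return base64.b32encode(secret).decode()


def hotp(secret, counter, digits=6):
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation.
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    # RFC 6238: HOTP with the counter derived from Unix time.
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


if __name__ == "__main__":
    weak_a = weak_totp_secret("donaldtrump", "203.0.113.7")
    weak_b = weak_totp_secret("donaldtrump", "203.0.113.7")
    print("weak secrets identical:", weak_a == weak_b)
    print("strong secrets identical:", strong_totp_secret() == strong_totp_secret())
    print("TOTP from RFC 6238 test secret at t=59:", totp(b"12345678901234567890", at=59))
```

The test vector at the end is the RFC 6238 SHA-1 case (secret `12345678901234567890`, time 59), whose 8-digit value is 94287082; the 6-digit form is 287082. Seeding a PRNG with stored user attributes gives every secret the entropy of those attributes, which is zero once the database is readable.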
After a little bit of time, hashcat successfully cracked the password hash: That means donaldtrump's password is 'zebra'.

Challenge description:

Unfortunately for us, that means they're taking more safety measures and only using secure websites. We have some suspicions that Donald Trump is using a new dating site called "weebdate" and also selling cocaine to fund his presidential campaign. We need you to get both his password and his 2-factor TOTP key so we can break into his profile and investigate.

My username is 5, but 5 could be anything.
I created a new account just to verify that the first part of the cookie is the username. Looking at the rest of the site, there are only a handful of pages: Moving on from private messages, I looked at the edit profile page. I ended up getting a result, and I was actually surprised by this: The Python server is using Flask.
A lot of the important logic is in a file named util. All SQL queries seem to be parameterized correctly. I put together the necessary code to generate a valid cookie for the donaldtrump user: Bad news, there's no flag to be found. Looking at the server.
If you look at the code: Moving on -- a simple test reveals that it is not vulnerable to SQLi.