Posts

Showing posts from March, 2019

2019 Stonecutters - Fink Does Yoga

The "Fink Does Yoga" website was a very basic login form to schedule a yoga class. No matter what you entered as credentials, the username was reflected back to the user on the next page that loaded, and the password given didn't really seem to matter. I started this challenge by fuzzing the username field with special characters to find some kind of injection vulnerability.

I found that entering a "<" as the username gave me an interesting error. Seen below is the complete response:

Warning: DOMDocument::loadXML(): StartTag: invalid element name in Entity, line: 1 in /app/web/login.php on line 22
Warning: simplexml_import_dom(): Invalid Nodetype to import in /app/web/login.php on line 24 Hi there, ! Welcome back. Calendar No spots are available at the moment. Please check back later. 
I noticed XML errors in this output so I tried the following XXE injection attack against the username field:
<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT f…

2019 Stonecutters - Easy Drinking Duff

Easy Drinking Duff was the first and easiest web app challenge that the Stonecutters had on the board. By the time I got around to it, it was only worth 75 points and it had the most solves of all the web app challenges.

In order to access the challenge, I needed to register my SSH key with the scoring server and run a provided SSH command to access the challenge. I was then able to load the following site by pointing my browser to 127.0.0.1:8080:

Easy Drinking Duff

I then sorted the data set by year by clicking on the "Year" column header which sent a request for: http://127.0.0.1:8080/index.php?s=year
This just screamed database, so I entered a ' at the end of year to see what would happen and I saw the following error message:

SQL Error
This indicated a SQLi vulnerability, so I ran sqlmap, as seen below, to validate the finding by checking who the current database user was:

# sqlmap -u "127.0.0.1:8080/index.php?s=year*" --current-user
<snip>
[13:57:38] [INFO] the b…