2024 SANS Offensive Operation CTF - BadFish::002-004

2024-02-28 | #img

Summary
Uh oh, it seems a few bad fish got into the fish tank! Can you find them all?
Zip Password: bAdFi5h
DISCLAIMER: Flag will start with the number of the challenge it belongs to.

Badfish 002
I first started by mounting the img file (the partition starts at sector 2048, and the sector size is 512 bytes, so the byte offset is 2048 * 512):
sudo mount -o loop,offset=$((2048 * 512)) badfish.img /mnt/bf
Next, I enumerated the files and discovered the second flag in /home/nemo/.bashrc.

Badfish 003
Moving forward, I discovered the third flag in the /usr/bin/ directory as a suspicious binary called 3_5tr1nGs_r_BaD_4_f15H.

Continue reading 


2024 SANS Offensive Operation CTF - In Between The Lines 001-002

2024-02-28 | #convert #gif

Summary
Hey, check out this awesome gif I found!

Steps
One frame of the gif contains a flag near the top right corner, but as you can see, it is quite difficult to read without modification. I used the convert utility from ImageMagick to split the gif into individual images, using the following syntax:
convert chall.gif chall.png
Since PNG cannot hold multiple frames, this produced one chall-N.png file (chall-0.png, chall-1.png, ...) per frame of the gif.

Continue reading 


2024 SANS Offensive Operation CTF - JavaScript Stage 001-003

2024-02-28 | #javascript

Summary
We heard you like JavaScript? So we scrambled some nice JavaScript ☕ code for you to review! Review the provided code snippet and send the appropriate API request to get the flag!

JavaScript 001
Using the provided JavaScript, I used the browser's console to help piece together the string. As the screenshot shows, "b" + "a" + +"a" + "a" evaluates to baNaNa. This happens because the second plus sign in front of the third "a" is a unary plus: it tries to convert the string "a" to a number, fails, and yields NaN, which is then concatenated into the string as "NaN".
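As an added example (not code from the original write-up), the snippet below walks through the evaluation step by step and shows what unary plus does to a few other strings, including a whitespace-only one, which coerces to 0 rather than NaN. The function names are my own; the sample strings are constructed for the demonstration.

```javascript
// Added example: how "b" + "a" + +"a" + "a" becomes "baNaNa".
// Binary + with a string operand concatenates; unary + coerces its operand to a Number.

// Evaluate the expression in the same left-to-right order the engine uses.
function banana() {
  const step1 = "b" + "a";       // "ba"
  const coerced = +"a";          // unary plus: Number("a") -> NaN
  const step2 = step1 + coerced; // "ba" + NaN -> "baNaN" (NaN is stringified)
  return step2 + "a";            // "baNaNa"
}

// Apply unary plus to a handful of constructed sample strings so the source of
// the NaN is clear. Note that a whitespace-only string coerces to 0, so the space
// between the two plus signs is not what produces NaN; the letter "a" is.
function unaryPlusTable() {
  const samples = ["a", " ", "", "42", " 7 ", "0x1f", "1e3", "abc"];
  const out = {};
  for (const s of samples) {
    out[JSON.stringify(s)] = +s;
  }
  return out;
}

// General form: build a string from parts, coercing any part marked as a unary
// operand, which is what the scrambled expression does with its third "a".
function spell(parts) {
  return parts.reduce((acc, p) => acc + (p.unary ? +p.value : p.value), "");
}

// Same result as the literal expression from the post.
function bananaViaSpell() {
  return spell([
    { value: "b" },
    { value: "a" },
    { value: "a", unary: true },
    { value: "a" },
  ]);
}
```

Running it in Node or a browser console, `banana()` and `bananaViaSpell()` both return "baNaNa", and `unaryPlusTable()` shows `+"a"` is NaN while `+" "` is 0.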

Continue reading 


2024 SANS Offensive Operation CTF - Taskist 001

2024-02-28 | #javascript

Summary
We are working on this amazing new task manager app called Taskist Pro. Our devs claim the app is secure; we want you to take a look at it and see if you can leak the flag hidden inside the admin account.

Taskist 001
I navigated to http://taskist.pwn.site:1337/ and registered my own account. I then navigated to each area of the application and created a new task. After reviewing the history in the proxy, I noticed that when a user navigates to the /dashboard endpoint, there is an API call to /api/tasks/{userid}.

Continue reading 


CVE-2023-50069

2023-12-27

Summary
WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to stored cross-site scripting (SXSS) through the recording feature. An attacker can host a malicious payload and perform a test mapping pointing to the attacker's file, and the result will render on the Matched page in the Body area, resulting in execution of the payload. This occurs because the response body is not validated or sanitized.

Tested Versions
3.2.0.0
3.
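To illustrate the root cause stated above (a recorded response body rendered without sanitization), here is an added example that is not WireMock's code: a toy renderer that interpolates the body as HTML beside one that escapes it first. The function names, the markup wrapper and the sample body are constructed for the demonstration.

```javascript
// Added illustration (not WireMock's code): rendering a recorded response body.
// The unsafe version inserts the body as markup, so any HTML an attacker's server
// returned to the recorder executes in the browser of whoever views the page.
// The hardened version escapes the body so it is displayed as text.

// Minimal HTML escaping sufficient for text nodes and double-quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the body is interpolated into markup unchanged.
function renderBodyUnsafe(body) {
  return `<pre class="body">${body}</pre>`;
}

// Hardened: the body is escaped before interpolation.
function renderBodySafe(body) {
  return `<pre class="body">${escapeHtml(body)}</pre>`;
}

// Constructed sample: a body an attacker-controlled server could hand the recorder.
const SAMPLE_BODY = '<img src=x onerror="alert(document.domain)">';

// Rough check used here only to show the difference: does the rendered fragment
// still contain something the HTML parser would treat as a start tag?
function bodyContainsTag(rendered) {
  const inner = rendered
    .replace(/^<pre class="body">/, "")
    .replace(/<\/pre>$/, "");
  return /<[a-zA-Z]/.test(inner);
}
```

Against SAMPLE_BODY, `bodyContainsTag(renderBodyUnsafe(SAMPLE_BODY))` is true and `bodyContainsTag(renderBodySafe(SAMPLE_BODY))` is false; in a real UI the same fix is usually setting `textContent` (or the framework's text binding) rather than `innerHTML`.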

Continue reading 