2024 SANS Offensive Operation CTF - Taskist 001

2024-02-28 | #javascript

Summary
We are working on this amazing new task manager app called Taskist Pro. Our devs claim the app is secure, we want you to take a look at it and see if you can leak the flag hidden inside the admin account.

Taskist 001
I navigated to the site http://taskist.pwn.site:1337/ and registered my own account. I navigated to each area of the application and created a new task. After reviewing the history in the proxy, I noticed that when a user navigates to the /dashboard endpoint, there is an API call to /api/tasks/{userid}.



CVE-2023-50069

2023-12-27 | #

Summary
WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to stored cross-site scripting (SXSS) through the recording feature. An attacker can host a malicious payload and perform a test mapping pointing to the attacker’s file, and the result will render on the Matched page in the Body area, resulting in the execution of the payload. This occurs because the response body is not validated or sanitized.

Tested Versions
3.2.0.0 3.



2023 HuntressCTF - Babel

2023-11-01 | #

Summary
Author: @JohnHammond
It's babel! Just a bunch of gibberish, right?

Steps
This challenge gives us a C++ source code file. Looking at the file, the variable pTIxJTjYJE looks like it has a base64 encoded string. This string alone cannot be decoded as it's not a valid string. The next part of the code defines another variable YKyumnAOcgLjvK, and this looks like it's being used as a key to replace characters from pTIxJTjYJE with characters from YKyumnAOcgLjvK.



2023 HuntressCTF - Backdoored Splunk

2023-11-01 | #forensics

Summary
Author: Adam Rice
You've probably seen Splunk being used for good, but have you seen it used for evil?

**NOTE: the focus of this challenge should be on the downloadable file below. It uses the dynamic service that is started, but you must put the puzzle pieces together to retrieve the flag. The connection error to the container is part of the challenge.**

**Download the file(s) below and press the `Start` button on the top-right to begin this challenge.



2023 HuntressCTF - Baking

2023-11-01 | #cookies #web

Summary
Author: @JohnHammond
Do you know how to make cookies? How about HTTP flavored?

Steps
I started the challenge docker instance and navigated to the URL. I’m presented with six functions on the website that will “bake” within a given period of time. When clicking on the cook function, a POST request is sent for the corresponding recipe and the timer starts on the oven. On the POST request, I noticed the Cookie value is base64 encoded and the decoded value includes the recipe and time.
