Articles

BSidesSF 2018 CTF – goribble.c

Last month was BSidesSF 2018. This was my first BSides and I’ll say I thought the con was really well done. The location was cool, the vendor area had plenty of free goodies, and the CTF was a lot of fun. There were quite a few people from Dark Corner


Natas Level 27

All the SQL code in this level is there to throw us off. If you pull off a SQL injection on this level let me know, because AFAIK it is not possible. The trick to beating this level is in the comments at the top of the page. They’re telling


Natas Level 26

Today we’ll be exploiting the unserialize() function in PHP.  The major lesson here is to NEVER unserialize() user input, and I’ll show you why. PHP.net describes the serialize() function as follows: “Generates a storable representation of a value.  This is useful for storing or passing PHP values around without losing


Natas Level 25

This one is one of the most involved levels so far, as there are multiple pieces to the puzzle.  Let’s jump right in: First we can see they are making an awful lot of effort to prevent us from including arbitrary files via the $filename variable.  This is a big


Natas Level 24

To win this level it would appear that we need to get $_REQUEST["passwd"] to match the value of “censored”. Maybe there is another way though. Let’s see what the comments on php.net have to say about the strcmp() function. As it turns out !strcmp("foo", array()) returns “1” AKA “true”, For


Natas Level 23

So we need to get $_REQUEST["passwd"] to be greater than 10, AND strstr($_REQUEST["passwd"],"iloveyou") to evaluate to true. Let’s examine the behavior of the PHP “>” operator: According to php.net “If you compare a number with a string or the comparison involves numerical strings, then each string is converted to a


Natas Level 22

If you thought the last level was easy, this one is even easier. All we have to do is set revelio=1 for the win:


Natas Level 21

This one was really easy: All we have to do is set admin=1 for the win. Let’s try: Well that didn’t work. What’s up with this experimenter thing anyway? I wonder what would happen if we used the PHPSESSID from that and made the same request? Oh…that’s what happens.


Natas Level 20

There is a lot of code in this one so let’s focus on some of the more important parts: Line 23 tells us we need to set $_SESSION["admin"] == 1 for the win. We don’t have direct control over the $_SESSION array, but the following code offers an
