Search results

  1. 0x90

    [/MNT/AIN LIB] [WEB] retro-serve

    retro-serve SRC: https://library.m0unt41n.ch/challenges/retro-server This chall's service allows execution of a list of commands... the way its check works is kinda flawed tho, it checks if the commands are within the commands... so if we craft a malicious command including an allowed command and chain...
  2. 0x90

    [/MNT/AIN LIB] [WEB] containment

    containment SRC: https://library.m0unt41n.ch/challenges/containment The challenge exposes a /rename and /status endpoint in a minimal container environment running a Rocket-based Rust server. We leveraged the fact that certain files like /containment or /.dockerenv are always executable, even...
  3. 0x90

    [/MNT/AIN LIB] [REV] infinite_decoding_odyssey

    infinite_decoding_odyssey SRC: https://library.m0unt41n.ch/challenges/infinite-decoding-odyssey This rev chall is pretty straightforward, we have an encryption or let's say a lil scrambling function which we should reverse. We have a scrambled flag...
  4. 0x90

    [/MNT/AIN LIB] [WEB] post-webapp

    post-webapp SRC: https://library.m0unt41n.ch/challenges/post-webapp By abusing alternate loopback notations like 127.1 or 0x7f000001, we glide past the naive filter without raising alarms. The server then fetches our crafted URL from 127.0.0.1, so the admin route trusts the request and happily...
  5. 0x90

    [/MNT/AIN LIB] [WEB] cyberpunk-weather-app

    cyberpunk-weather-app SRC: https://library.m0unt41n.ch/challenges/cyberpunk-weather-app This challenge displays weather data and uses a templating engine. During the building of a string a command injection vuln was created within the else block... we can inject Python code and therefore obtained...
  6. 0x90

    [/MNT/AIN LIB] [WEB] dotcom

    dotcom SRC: https://library.m0unt41n.ch/challenges/dotcom Solved this chall locally, submitted publicly shared flag. (hope that's fine) Reported chall as broken and fixed it. There is a .NET server and a BOT component, we need to make the bot write the flag into a textArea and somehow exfil...
  7. 0x90

    [/MNT/AIN LIB] [WEB] sleepy-sql

    sleepy-sql SRC: https://library.m0unt41n.ch/challenges/sleepy-sql In this challenge it is pretty obvious that we have to perform SQL injection, the hard part is exfiltration tho, there is no reflection allowing us to read any data (like the flag). So we have to work with what we've got: time. We can...
  8. 0x90

    [/MNT/AIN LIB] [WEB] legal-complaint-form

    legal-complaint-form SRC: https://library.m0unt41n.ch/challenges/legal-complaint-form Okay first of all, I consider myself a PHP pro, but damn I h8 apache... my main stack is using nginx as webserver... This chall requires two main steps. 1. First of all there is a malicious file upload vuln...
  9. 0x90

    [/MNT/AIN LIB] [WEB] pollpals

    pollpals SRC: https://library.m0unt41n.ch/challenges/pollpals Typical JWT misconfiguration or let's call it completely fucked up flow/logic/implementation. The isAdmin function in auth.js has no signature check for the JWT, it just accepts any JWT and extracts its info... const parts =...
  10. 0x90

    [/MNT/AIN LIB] [WEB] time-share

    time-share SRC: https://library.m0unt41n.ch/challenges/time-share Pretty easy beginner challenge which teaches an important lesson... ^^ The code has a logic flaw... it doesn't check if the user/admin_token is an actual admin token... within the JWT there is no indication is_admin or anything...
  11. 0x90

    [/MNT/AIN LIB] [WEB] knowledge-archive

    knowledge-archive SRC: https://library.m0unt41n.ch/challenges/knowledge-archive Holy, this one is easy but took some time. I first was a lil sussed out about the AI Readable Data stuff (an HMAC using the flag as key) and all the file read/writes or even the popen & glob usage... but this was all a red...
  12. 0x90

    [/MNT/AIN LIB] [WEB] labyrinth

    labyrinth SRC: https://library.m0unt41n.ch/challenges/labyrinth This is quite the easy challenge, with multiple solutions... the most interesting exploitation path is bypassing the admin permission check to abuse the SQL injection within admin_search. So there are 3 interesting functions...
  13. 0x90

    [/MNT/AIN LIB] [WEB] centralized-identity

    centralized-identity SRC: https://library.m0unt41n.ch/challenges/centralized-identity This challenge consists of multiple steps, our main goal is to obtain the flag via the backend service API. 1. Within our IDP entrypoint.sh we can find credentials to log in to our frontend. email...
  14. 0x90

    [/MNT/AIN LIB] [WEB] blahajs

    blahajs SRC: https://library.m0unt41n.ch/challenges/blahajs The only real discoverable functionality in this challenge is the image display via a GET parameter name and endpoint /image. The rest of the challenge is just displaying of said images and it's sourceless. Soo I first tried a directory...
  15. 0x90

    [/MNT/AIN LIB] [WEB] airsmeller

    airsmeller SRC: https://library.m0unt41n.ch/challenges/air-smeller This challenge had a bot component and a leave-a-review component. It was quite clear the goal was to achieve XSS, but the inputs were sanitized using DOMPurify v19.0.0. At first glance I spent a ton of time looking for other...
  16. 0x90

    [/MNT/AIN LIB] [WEB] flagkeeper

    flagkeeper SRC: https://library.m0unt41n.ch/challenges/flagkeeper This challenge required us to access the admin's flag in the database. It had a fully fledged API worked out, and the main way to obtain the flag would be to use the admin's API token to request /api/flag for the flag. So I skimmed...
  17. 0x90

    [/MNT/AIN LIB] [WEB] sentry-as-navigation

    sentry-as-navigation SRC: https://library.m0unt41n.ch/challenges/sentry-as-navigation This challenge provides a tool to fetch and display certificate information. There is a clear and easy to find vulnerability in the code which allows RCE. for entry in san_entries: match =...
  18. 0x90

    [/MNT/AIN LIB] [WEB] lost-pass

    lost-pass SRC: https://library.m0unt41n.ch/challenges/lost-pass This challenge requires us to auth as admin, to obtain the flag within the dashboard page. After skimming the code we can see JWT session tokens, a registration function not visible in the frontend and so on. This misled me to...
  19. 0x90

    [/MNT/AIN LIB] [WEB] i (unintended solution)

    i SRC: https://library.m0unt41n.ch/challenges/i In this challenge we are very obviously able to inject code into a style tag of the page. Our goal is to obtain an admin session/username to make the server display the flag. The challenge includes a bot, which we can control (make him visit...
  20. 0x90

    [/MNT/AIN LIB] [WEB] office-press

    office-press SRC: https://library.m0unt41n.ch/challenges/office-press Basically just a normal WordPress installation with a vulnerable plugin installed. Google: CVE-2023-6553 Exploit Find -> https://github.com/Chocapikk/CVE-2023-6553 When working with wp, WPScan is a great tool, get an API key...